refactor(core): resolve permission rules internally

Author: thdxr

packages/core/src/agent.ts

@@ -3,7 +3,7 @@ export * as AgentV2 from "./agent"
 import { Array, Context, Effect, Layer, Schema, Scope } from "effect"
 import { castDraft, enableMapSet, type Draft } from "immer"
 import { ModelV2 } from "./model"
-import { PermissionV2 } from "./permission"
+import { PermissionSchema } from "./permission/schema"
 import { ProviderV2 } from "./provider"
 import { PositiveInt } from "./schema"
 import { State } from "./state"
@@ -26,7 +26,7 @@ export class Info extends Schema.Class<Info>("AgentV2.Info")({
   hidden: Schema.Boolean,
   color: Color.pipe(Schema.optional),
   steps: PositiveInt.pipe(Schema.optional),
-  permissions: PermissionV2.Ruleset,
+  permissions: PermissionSchema.Ruleset,
 }) {
   static empty(id: ID) {
     return new Info({

packages/core/src/location-layer.ts

@@ -15,6 +15,7 @@ import { AppFileSystem } from "./filesystem"
 import { Global } from "./global"
 import { Database } from "./database/database"
 import { PermissionV2 } from "./permission"
+import { SessionV2 } from "./session"
 
 export class LocationServiceMap extends LayerMap.Service<LocationServiceMap>()("@opencode/example/LocationServiceMap", {
   lookup: (ref: Location.Ref) => {
@@ -40,5 +41,6 @@ export class LocationServiceMap extends LayerMap.Service<LocationServiceMap>()("
     AppFileSystem.defaultLayer,
     Global.defaultLayer,
     Database.defaultLayer,
+    SessionV2.defaultLayer,
   ],
 }) {}

packages/core/src/permission.ts

@@ -5,31 +5,25 @@ import { eq } from "drizzle-orm"
 import { Database } from "./database/database"
 import { EventV2 } from "./event"
 import { Location } from "./location"
+import { AgentV2 } from "./agent"
 import { SessionV2 } from "./session"
 import { withStatics } from "./schema"
 import { Identifier } from "./util/identifier"
 import { Wildcard } from "./util/wildcard"
 import { PermissionTable } from "./permission/sql"
+import { PermissionSchema } from "./permission/schema"
+
+export { Effect, Rule, Ruleset } from "./permission/schema"
+type Effect = PermissionSchema.Effect
+type Rule = PermissionSchema.Rule
+type Ruleset = PermissionSchema.Ruleset
 
 export const ID = Schema.String.check(Schema.isStartsWith("per")).pipe(
   Schema.brand("PermissionV2.ID"),
   withStatics((schema) => ({ create: (id?: string) => schema.make(id ?? "per_" + Identifier.ascending()) })),
 )
 export type ID = typeof ID.Type
 
-export const Effect = Schema.Literals(["allow", "deny", "ask"]).annotate({ identifier: "PermissionV2.Effect" })
-export type Effect = typeof Effect.Type
-
-export const Rule = Schema.Struct({
-  action: Schema.String,
-  resource: Schema.String,
-  effect: Effect,
-}).annotate({ identifier: "PermissionV2.Rule" })
-export type Rule = typeof Rule.Type
-
-export const Ruleset = Schema.Array(Rule).annotate({ identifier: "PermissionV2.Ruleset" })
-export type Ruleset = typeof Ruleset.Type
-
 export const Source = Schema.Union([
   Schema.Struct({
     type: Schema.Literal("tool"),
@@ -61,7 +55,6 @@ export const AssertInput = Schema.Struct({
   remember: Schema.Array(Schema.String).pipe(Schema.optional),
   metadata: Schema.Record(Schema.String, Schema.Unknown).pipe(Schema.optional),
   source: Source.pipe(Schema.optional),
-  rules: Ruleset,
 }).annotate({ identifier: "PermissionV2.AssertInput" })
 export type AssertInput = typeof AssertInput.Type
 
@@ -72,6 +65,12 @@ export const ReplyInput = Schema.Struct({
 }).annotate({ identifier: "PermissionV2.ReplyInput" })
 export type ReplyInput = typeof ReplyInput.Type
 
+export const AskResult = Schema.Struct({
+  id: ID,
+  effect: PermissionSchema.Effect,
+}).annotate({ identifier: "PermissionV2.AskResult" })
+export type AskResult = typeof AskResult.Type
+
 export const Event = {
   Asked: EventV2.define({ type: "permission.v2.asked", schema: Request.fields }),
   Replied: EventV2.define({
@@ -91,7 +90,7 @@ export class CorrectedError extends Schema.TaggedErrorClass<CorrectedError>()("P
 }) {}
 
 export class DeniedError extends Schema.TaggedErrorClass<DeniedError>()("PermissionV2.DeniedError", {
-  rules: Ruleset,
+  rules: PermissionSchema.Ruleset,
 }) {}
 
 export class NotFoundError extends Schema.TaggedErrorClass<NotFoundError>()("PermissionV2.NotFoundError", {
@@ -117,8 +116,8 @@ export function merge(...rulesets: Ruleset[]): Ruleset {
 }
 
 export interface Interface {
-  readonly ask: (input: AssertInput) => EffectRuntime.Effect<Request>
-  readonly assert: (input: AssertInput) => EffectRuntime.Effect<void, Error>
+  readonly ask: (input: AssertInput) => EffectRuntime.Effect<AskResult, SessionV2.NotFoundError>
+  readonly assert: (input: AssertInput) => EffectRuntime.Effect<void, Error | SessionV2.NotFoundError>
   readonly reply: (input: ReplyInput) => EffectRuntime.Effect<void, NotFoundError>
   readonly get: (id: ID) => EffectRuntime.Effect<Request | undefined>
   readonly forSession: (sessionID: SessionV2.ID) => EffectRuntime.Effect<ReadonlyArray<Request>>
@@ -129,7 +128,6 @@ export class Service extends Context.Service<Service, Interface>()("@opencode/v2
 
 interface Pending {
   readonly request: Request
-  readonly rules: Ruleset
   readonly deferred: Deferred.Deferred<void, RejectedError | CorrectedError>
 }
 
@@ -139,6 +137,8 @@ export const layer = Layer.effect(
     const { db } = yield* Database.Service
     const events = yield* EventV2.Service
     const location = yield* Location.Service
+    const agents = yield* AgentV2.Service
+    const sessions = yield* SessionV2.Service
     const pending = new Map<ID, Pending>()
 
     yield* EffectRuntime.addFinalizer(() =>
@@ -163,15 +163,31 @@ export const layer = Layer.effect(
       return rows.map((row): Rule => ({ action: row.action, resource: row.resource, effect: "allow" }))
     })
 
+    const configured = EffectRuntime.fn("PermissionV2.configured")(function* (sessionID: SessionV2.ID) {
+      const session = yield* sessions.get(sessionID)
+      if (!session.agent) return []
+      return (yield* agents.get(AgentV2.ID.make(session.agent)))?.permissions ?? []
+    })
+
+    function denied(input: AssertInput, rules: Ruleset) {
+      return input.resources.some((resource) => evaluate(input.action, resource, rules).effect === "deny")
+    }
+
+    function relevant(input: AssertInput, rules: Ruleset) {
+      return rules.filter((rule) => Wildcard.match(input.action, rule.action))
+    }
+
     const evaluateInput = EffectRuntime.fnUntraced(function* (input: AssertInput) {
-      const rules = [...input.rules, ...(yield* remembered())]
-      const effects = input.resources.map((resource) => evaluate(input.action, resource, rules).effect)
+      const rules = yield* configured(input.sessionID)
+      if (denied(input, rules)) return { effect: "deny" as const, rules }
+      const all = [...rules, ...(yield* remembered())]
+      const effects = input.resources.map((resource) => evaluate(input.action, resource, all).effect)
       const effect: Effect = effects.includes("deny") ? "deny" : effects.includes("ask") ? "ask" : "allow"
-      return { effect, rules }
+      return { effect, rules: all }
     })
 
-    const create = EffectRuntime.fnUntraced(function* (input: AssertInput) {
-      const request: Request = {
+    function request(input: AssertInput): Request {
+      return {
         id: input.id ?? ID.create(),
         sessionID: input.sessionID,
         action: input.action,
@@ -180,27 +196,32 @@ export const layer = Layer.effect(
         metadata: input.metadata,
         source: input.source,
       }
+    }
+
+    const create = EffectRuntime.fnUntraced(function* (request: Request) {
       const deferred = yield* Deferred.make<void, RejectedError | CorrectedError>()
-      const item = { request, rules: input.rules, deferred }
+      const item = { request, deferred }
       pending.set(request.id, item)
       yield* events.publish(Event.Asked, request)
       return item
     })
 
     const ask = EffectRuntime.fn("PermissionV2.ask")(function* (input: AssertInput) {
-      const pending = yield* create(input)
-      return pending.request
+      const result = yield* evaluateInput(input)
+      const value = request(input)
+      if (result.effect === "ask") yield* create(value)
+      return { id: value.id, effect: result.effect }
     })
 
     const assert = EffectRuntime.fn("PermissionV2.assert")(function* (input: AssertInput) {
       const result = yield* evaluateInput(input)
       if (result.effect === "deny") {
         return yield* new DeniedError({
-          rules: result.rules.filter((candidate) => Wildcard.match(input.action, candidate.action)),
+          rules: relevant(input, result.rules),
         })
       }
       if (result.effect === "allow") return
-      const item = yield* create(input)
+      const item = yield* create(request(input))
       return yield* Deferred.await(item.deferred).pipe(
         EffectRuntime.ensuring(
           EffectRuntime.sync(() => {
@@ -257,9 +278,15 @@ export const layer = Layer.effect(
 
       const rememberedRules = yield* remembered()
       for (const [id, item] of pending) {
-        const rules = [...item.rules, ...rememberedRules]
+        const input = { ...item.request }
+        const rules = yield* configured(item.request.sessionID).pipe(
+          EffectRuntime.catchTag("Session.NotFoundError", () => EffectRuntime.succeed(undefined)),
+        )
+        if (!rules) continue
+        if (denied(input, rules)) continue
+        const effective = [...rules, ...rememberedRules]
         if (
-          !item.request.resources.every((resource) => evaluate(item.request.action, resource, rules).effect === "allow")
+          !item.request.resources.every((resource) => evaluate(item.request.action, resource, effective).effect === "allow")
         )
           continue
         pending.delete(id)
@@ -288,4 +315,4 @@ export const layer = Layer.effect(
   }),
 )
 
-export const locationLayer = layer
+export const locationLayer = layer.pipe(Layer.provideMerge(AgentV2.locationLayer))

packages/core/src/permission/schema.ts

@@ -0,0 +1,16 @@
+export * as PermissionSchema from "./schema"
+
+import { Schema } from "effect"
+
+export const Effect = Schema.Literals(["allow", "deny", "ask"]).annotate({ identifier: "PermissionV2.Effect" })
+export type Effect = typeof Effect.Type
+
+export const Rule = Schema.Struct({
+  action: Schema.String,
+  resource: Schema.String,
+  effect: Effect,
+}).annotate({ identifier: "PermissionV2.Rule" })
+export type Rule = typeof Rule.Type
+
+export const Ruleset = Schema.Array(Rule).annotate({ identifier: "PermissionV2.Ruleset" })
+export type Ruleset = typeof Ruleset.Type

packages/core/test/permission.test.ts

@@ -1,5 +1,6 @@
 import { describe, expect } from "bun:test"
 import { Deferred, Effect, Fiber, Layer } from "effect"
+import { AgentV2 } from "@opencode-ai/core/agent"
 import { Database } from "@opencode-ai/core/database/database"
 import { EventV2 } from "@opencode-ai/core/event"
 import { Location } from "@opencode-ai/core/location"
@@ -9,6 +10,7 @@ import { Project } from "@opencode-ai/core/project"
 import { ProjectTable } from "@opencode-ai/core/project/sql"
 import { AbsolutePath } from "@opencode-ai/core/schema"
 import { SessionV2 } from "@opencode-ai/core/session"
+import { SessionTable } from "@opencode-ai/core/session/sql"
 import { eq } from "drizzle-orm"
 import { location } from "./fixture/location"
 import { testEffect } from "./lib/effect"
@@ -19,10 +21,16 @@ const current = Layer.succeed(
   Location.Service.of(location({ directory: AbsolutePath.make("project") })),
 )
 const events = EventV2.layer.pipe(Layer.provide(database))
-const layer = PermissionV2.locationLayer.pipe(Layer.provideMerge(database), Layer.provideMerge(events), Layer.provideMerge(current))
+const sessions = SessionV2.layer.pipe(Layer.provide(database))
+const layer = PermissionV2.locationLayer.pipe(
+  Layer.provideMerge(database),
+  Layer.provideMerge(events),
+  Layer.provideMerge(current),
+  Layer.provideMerge(sessions),
+)
 const it = testEffect(layer)
 
-function project() {
+function setup(rules: PermissionV2.Ruleset = []) {
   return Effect.gen(function* () {
     const { db } = yield* Database.Service
     yield* db
@@ -31,6 +39,33 @@ function project() {
       .onConflictDoNothing()
       .run()
       .pipe(Effect.orDie)
+    yield* db
+      .insert(SessionTable)
+      .values({
+        id: SessionV2.ID.make("ses_test"),
+        project_id: Project.ID.global,
+        slug: "test",
+        directory: "project",
+        title: "test",
+        version: "test",
+        agent: "test",
+      })
+      .onConflictDoNothing()
+      .run()
+      .pipe(Effect.orDie)
+    yield* setRules(rules)
+  })
+}
+
+function setRules(rules: PermissionV2.Ruleset) {
+  return Effect.gen(function* () {
+    const agents = yield* AgentV2.Service
+    const update = yield* agents.transform()
+    yield* update((editor) =>
+      editor.update(AgentV2.ID.make("test"), (agent) => {
+        agent.permissions = [...rules]
+      }),
+    )
   })
 }
 
@@ -40,7 +75,6 @@ function assertion(input: Partial<PermissionV2.AssertInput> = {}) {
     sessionID: SessionV2.ID.make("ses_test"),
     action: "read",
     resources: ["src/index.ts"],
-    rules: [],
     ...input,
   } satisfies PermissionV2.AssertInput
 }
@@ -63,32 +97,36 @@ function waitForRequest() {
 }
 
 describe("PermissionV2", () => {
-  it.effect("asks without evaluating configured rules or blocking", () =>
+  it.effect("returns the evaluated effect and only queues prompts", () =>
     Effect.gen(function* () {
+      yield* setup([{ action: "read", resource: "*", effect: "allow" }])
       const service = yield* PermissionV2.Service
-      const request = yield* service.ask(assertion({ rules: [{ action: "read", resource: "*", effect: "allow" }] }))
-      expect(yield* service.get(request.id)).toEqual(request)
-      yield* service.reply({ requestID: request.id, reply: "once" })
-      expect(yield* service.get(request.id)).toBeUndefined()
+      expect(yield* service.ask(assertion())).toEqual({ id: PermissionV2.ID.create("per_test"), effect: "allow" })
+      expect(yield* service.list()).toEqual([])
+      yield* setRules([{ action: "read", resource: "*", effect: "deny" }])
+      expect(yield* service.ask(assertion())).toEqual({ id: PermissionV2.ID.create("per_test"), effect: "deny" })
+      expect(yield* service.list()).toEqual([])
+      yield* setRules([])
+      expect(yield* service.ask(assertion())).toEqual({ id: PermissionV2.ID.create("per_test"), effect: "ask" })
+      expect(yield* service.get(PermissionV2.ID.create("per_test"))).toBeDefined()
     }),
   )
 
   it.effect("allows and denies from explicit rules without asking", () =>
     Effect.gen(function* () {
+      yield* setup([{ action: "read", resource: "*", effect: "allow" }])
       const service = yield* PermissionV2.Service
-      yield* service.assert(
-        assertion({ rules: [{ action: "read", resource: "*", effect: "allow" }] }),
-      )
-      const denied = yield* service
-        .assert(assertion({ rules: [{ action: "read", resource: "*", effect: "deny" }] }))
-        .pipe(Effect.flip)
+      yield* service.assert(assertion())
+      yield* setRules([{ action: "read", resource: "*", effect: "deny" }])
+      const denied = yield* service.assert(assertion()).pipe(Effect.flip)
       expect(denied).toBeInstanceOf(PermissionV2.DeniedError)
       expect(yield* service.list()).toEqual([])
     }),
   )
 
   it.effect("resolves an asked permission once", () =>
     Effect.gen(function* () {
+      yield* setup()
       const { service, fiber, request } = yield* waitForRequest()
       expect(yield* service.list()).toEqual([request])
       expect(yield* service.forSession(request.sessionID)).toEqual([request])
@@ -103,7 +141,7 @@ describe("PermissionV2", () => {
 
   it.effect("stores remembered resources for the location project", () =>
     Effect.gen(function* () {
-      yield* project()
+      yield* setup()
       const service = yield* PermissionV2.Service
       const asked = yield* Deferred.make<PermissionV2.Request>()
       const events = yield* EventV2.Service