Class: PermissionPolicy

Defined in: src/security/PermissionPolicy.ts:86

Data-driven role-based permission policy. Satisfies the v2.4 PermissionChecker interface AND exposes a sync isAllowed method for use with gatedTools from agentfootprint/tool-providers.

Implements

Properties

name

readonly name: "PermissionPolicy" = 'PermissionPolicy'

Defined in: src/security/PermissionPolicy.ts:87

Implementation of

PermissionChecker.name

Accessors

activeRole

Get Signature

get activeRole(): string

Defined in: src/security/PermissionPolicy.ts:159

The role name currently active. Useful for observability.

Returns

string


roles

Get Signature

get roles(): readonly string[]

Defined in: src/security/PermissionPolicy.ts:164

All defined role names. Stable order = registration order.

Returns

readonly string[]

Methods

allowedToolIds()

allowedToolIds(): readonly string[]

Defined in: src/security/PermissionPolicy.ts:169

All tool ids allowed under the current active role.

Returns

readonly string[]


check()

check(request): Promise<PermissionDecision>

Defined in: src/security/PermissionPolicy.ts:132

Async check matching the PermissionChecker interface — consumed by Agent.create({ permissionChecker }). Wraps isAllowed with the structured PermissionDecision envelope (allow / deny + a policyRuleId so observability can trace which role decided).

Today the policy only checks the tool name (request.target). Future work: also gate by capability ('memory_write', etc.) when the role allowlist is widened to capability-by-id.

Parameters

request

PermissionRequest

Returns

Promise<PermissionDecision>

Implementation of

PermissionChecker.check


fromRoles()

static fromRoles(roles, activeRole): PermissionPolicy

Defined in: src/security/PermissionPolicy.ts:106

Factory: build a role-based policy from a role → tool-ids map and the role active for this instance.

Throws if activeRole isn't a key in roles — fail loud at config time, not at first denied call.

Parameters

roles

RoleAllowlist

activeRole

string

Returns

PermissionPolicy


isAllowed()

isAllowed(toolId): boolean

Defined in: src/security/PermissionPolicy.ts:118

Sync allowlist check. Use as a predicate with gatedTools:

gatedTools(staticTools(allTools), (toolId) => policy.isAllowed(toolId))

Returns true iff toolId is in the active role's allowlist. Fails closed by design: missing role membership = denied.

Parameters

toolId

string

Returns

boolean


withActiveRole()

withActiveRole(activeRole): PermissionPolicy

Defined in: src/security/PermissionPolicy.ts:154

Derive a sibling policy with a different active role. Same role map; different active role. Useful for per-identity routing (one policy instance per request, varying active role per caller).

Returns a NEW PermissionPolicy — original is unchanged.

Parameters

activeRole

string

Returns

PermissionPolicy
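The behaviours documented on this page (config-time validation in fromRoles, fail-closed isAllowed, the check envelope, non-mutating withActiveRole) in a self-contained TypeScript sketch. This is an added example, not code from PermissionPolicy.ts: SketchPolicy, decide, the Decision field names, the sample roles and tool ids, and the rejection of unknown roles in withActiveRole are all assumptions.

```typescript
// Added sketch with the semantics documented on this page; NOT the project's source.
type RoleAllowlist = Record<string, readonly string[]>; // assumed: role -> tool ids
interface Decision { result: "allow" | "deny"; policyRuleId: string } // assumed shape

class SketchPolicy {
  private readonly map: ReadonlyMap<string, ReadonlySet<string>>;
  readonly activeRole: string;
  private constructor(map: ReadonlyMap<string, ReadonlySet<string>>, activeRole: string) {
    // Fail loud at config time. Map.has sees only registered roles, so inherited
    // object keys such as "constructor" or "toString" are not mistaken for roles.
    if (!map.has(activeRole)) throw new Error(`unknown role: ${activeRole}`);
    this.map = map;
    this.activeRole = activeRole;
  }

  static fromRoles(roles: RoleAllowlist, activeRole: string): SketchPolicy {
    const map = new Map<string, ReadonlySet<string>>();
    for (const role of Object.keys(roles)) map.set(role, new Set(roles[role]));
    return new SketchPolicy(map, activeRole);
  }

  // Fail closed: a tool id absent from the active role's allowlist is denied.
  isAllowed(toolId: string): boolean {
    return this.map.get(this.activeRole)?.has(toolId) ?? false;
  }
  async check(request: { target: string }): Promise<Decision> {
    const result = this.isAllowed(request.target) ? "allow" : "deny";
    return { result, policyRuleId: `role:${this.activeRole}` };
  }
  // Sibling with the same role map; `this` is left unchanged.
  withActiveRole(activeRole: string): SketchPolicy {
    return new SketchPolicy(this.map, activeRole);
  }
}

// Constructed sample config: role -> allowed tool ids.
const base = SketchPolicy.fromRoles(
  { reader: ["search", "read_file"], admin: ["search", "read_file", "delete_file"] },
  "reader",
);

// Per-identity routing: one derived policy per request; unknown roles are denied.
async function decide(callerRole: string, toolId: string): Promise<Decision> {
  try {
    return await base.withActiveRole(callerRole).check({ target: toolId });
  } catch {
    return { result: "deny", policyRuleId: "role:<unknown>" };
  }
}
```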
