mirror of
https://github.com/claude-code-best/claude-code.git
synced 2026-06-20 23:35:51 +00:00
5e30697950
对照 /Users/konghayao/code/knowledgebase/origin/acp 规范审计并修复 53 条合规性
发现(critical 5 / major 17 / minor 20 / nit 11),完整审计报告见
docs/acp-compliance-audit.md。
Agent 端 (src/services/acp/agent.ts):
- initialize() 补齐 authMethods,promptCapabilities.image 降级为 false(声明与
实现脱节,按 initialization.mdx 不声明的 capability 视为不支持)
- sessionCapabilities.fork 移至 _meta.claudeCode.forkSession(fork 在
meta.unstable.json 中,避免在 stable sessionCapabilities 中暴露 unstable 特性)
- unstable_resumeSession 传 replay:false,不再通过 session/update 重放历史
(session-setup.mdx:239 明确禁止)
- PromptResponse.usage 移至 _meta.claudeCode.usage
(extensibility.mdx:39 禁止在 spec 类型根添加自定义字段)
- 空字符串 prompt 改为显式 throw(不再误返 end_turn)
Bridge (src/services/acp/bridge.ts):
- 删除全部 usage_update discriminator(不在 stable v1 schema 中)
- 显式映射 refusal stop_reason(之前误报 end_turn)
- max_tokens / isError 检查互斥
- Read/Write/Edit/Glob 路径全部绝对化(协议规定路径 MUST 绝对)
- 补全 resource_link / resource ContentBlock 渲染
Permissions (src/services/acp/permissions.ts):
- 补齐 reject_always PermissionOption(schema 规定的四个 option 之一)
- checkTerminalOutput 优先检查标准 clientCapabilities.terminal,
回退到 _meta.terminal_output
- 新增 onPermissionCancelled 回调:cancelled permission outcome →
StopReason::Cancelled(schema.json:629)
- ExitPlanMode cancelled 分支补上 toolUseID 字段
PromptConversion (src/services/acp/promptConversion.ts):
- resource 分支处理 BlobResource(之前静默丢弃 blob 内容)
acp-link 代理 (packages/acp-link/src/):
- WS 协议从专有 {type, payload} 改造为标准 JSON-RPC 2.0
(transports.mdx:52 要求自定义 transport MUST 保留 JSON-RPC 消息格式),
同时向后兼容旧 envelope
- 实现 $/cancel_request 处理
- 使用 JSON-RPC 标准错误码 -32700 / -32600 / -32601 / -32602 / -32603
- capability / agentInfo / protocolVersion 完整透传
验证:bun run precheck 全部通过(tsc 零错误、biome ci 零警告、5841/5841 测试通过);
ACP 专项测试 221/221 通过。独立 verification agent 抽查全部 PASS。
已知暂缓项(审计文档附录 B/C):
- §3.5 traceparent/trace-context 传播(QueryEngine 无 header hook)
- §5.2 terminal/create 完整生命周期(P1,非阻断,需新 RPC 流程)
- §4.2 in_progress tool_call status(SHOULD 级)
- §8.8/8.9/8.14 stale types.ts(不在 owner 分配集合,runtime 已修正)
Co-Authored-By: glm-5.2 <zai-org@claude-code-best.win>
314 lines
9.3 KiB
TypeScript
314 lines
9.3 KiB
TypeScript
/**
|
|
* Permission bridge: maps Claude Code's canUseTool / PermissionDecision
|
|
* system to ACP's requestPermission() flow.
|
|
*
|
|
* Supports:
|
|
* - bypassPermissions mode (auto-allow all tools)
|
|
* - ExitPlanMode special handling (multi-option: Yes+auto/acceptEdits/default/No)
|
|
* - Always Allow
|
|
* - Standard allow_once/allow_always/reject_once
|
|
*/
|
|
import type {
|
|
AgentSideConnection,
|
|
PermissionOption,
|
|
ToolCallUpdate,
|
|
ClientCapabilities,
|
|
} from '@agentclientprotocol/sdk'
|
|
import type { CanUseToolFn } from '../../hooks/useCanUseTool.js'
|
|
import type {
|
|
PermissionAllowDecision,
|
|
PermissionAskDecision,
|
|
PermissionDenyDecision,
|
|
} from '../../types/permissions.js'
|
|
import type { Tool as ToolType, ToolUseContext } from '../../Tool.js'
|
|
import type { AssistantMessage } from '../../types/message.js'
|
|
import { hasPermissionsToUseTool } from '../../utils/permissions/permissions.js'
|
|
import { toolInfoFromToolUse } from './bridge.js'
|
|
|
|
/**
|
|
* Creates a CanUseToolFn that delegates permission decisions to the
|
|
* ACP client via requestPermission().
|
|
*/
|
|
export function createAcpCanUseTool(
|
|
conn: AgentSideConnection,
|
|
sessionId: string,
|
|
_getCurrentMode: () => string,
|
|
clientCapabilities?: ClientCapabilities,
|
|
cwd?: string,
|
|
onModeChange?: (modeId: string) => void,
|
|
isBypassModeAvailable?: () => boolean,
|
|
/**
|
|
* Invoked when the ACP client returns a `cancelled` permission outcome.
|
|
* The Agent uses this to set the session-level cancelled flag and interrupt
|
|
* the running query so session/prompt resolves with StopReason::Cancelled
|
|
* (schema.json:629) instead of treating the cancellation as a plain deny.
|
|
* Optional for backwards compatibility with callers that have not been
|
|
* wired up yet.
|
|
*/
|
|
onPermissionCancelled?: () => void,
|
|
): CanUseToolFn {
|
|
return async (
|
|
tool: ToolType,
|
|
input: Record<string, unknown>,
|
|
context: ToolUseContext,
|
|
assistantMessage: AssistantMessage,
|
|
toolUseID: string,
|
|
forceDecision?:
|
|
| PermissionAllowDecision
|
|
| PermissionAskDecision
|
|
| PermissionDenyDecision,
|
|
): Promise<
|
|
PermissionAllowDecision | PermissionAskDecision | PermissionDenyDecision
|
|
> => {
|
|
const supportsTerminalOutput = checkTerminalOutput(clientCapabilities)
|
|
|
|
// ── ExitPlanMode special handling ────────────────────────────
|
|
if (tool.name === 'ExitPlanMode') {
|
|
return handleExitPlanMode(
|
|
conn,
|
|
sessionId,
|
|
toolUseID,
|
|
input,
|
|
supportsTerminalOutput,
|
|
cwd,
|
|
onModeChange,
|
|
isBypassModeAvailable,
|
|
onPermissionCancelled,
|
|
)
|
|
}
|
|
|
|
// ── Force decision bypass (used by coordinator/swarm workers) ──
|
|
if (forceDecision !== undefined) {
|
|
return forceDecision
|
|
}
|
|
|
|
// ── Run through the normal permission pipeline ────────────────
|
|
// This handles: deny rules, allow rules, tool-specific checks,
|
|
// bypassPermissions mode, dontAsk mode, acceptEdits mode, auto mode classifier
|
|
try {
|
|
const pipelineResult = await hasPermissionsToUseTool(
|
|
tool,
|
|
input,
|
|
context,
|
|
assistantMessage,
|
|
toolUseID,
|
|
)
|
|
|
|
// If the pipeline resolved to allow or deny, return that
|
|
if (pipelineResult.behavior === 'allow') {
|
|
return pipelineResult as PermissionAllowDecision
|
|
}
|
|
if (pipelineResult.behavior === 'deny') {
|
|
return pipelineResult as PermissionDenyDecision
|
|
}
|
|
// behavior === 'ask' → fall through to client delegation
|
|
} catch (err) {
|
|
console.error('[ACP Permissions] Pipeline error:', err)
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'Permission pipeline failed',
|
|
decisionReason: {
|
|
type: 'other',
|
|
reason: 'Permission pipeline failed',
|
|
},
|
|
toolUseID,
|
|
}
|
|
}
|
|
|
|
// ── Delegate to ACP client for interactive permission decision ──
|
|
const info = toolInfoFromToolUse(
|
|
{ name: tool.name, id: toolUseID, input },
|
|
supportsTerminalOutput,
|
|
cwd,
|
|
)
|
|
|
|
const toolCall: ToolCallUpdate = {
|
|
toolCallId: toolUseID,
|
|
title: info.title,
|
|
kind: info.kind,
|
|
status: 'pending',
|
|
rawInput: input,
|
|
}
|
|
|
|
const options: Array<PermissionOption> = [
|
|
{ kind: 'allow_always', name: 'Always Allow', optionId: 'allow_always' },
|
|
{ kind: 'allow_once', name: 'Allow', optionId: 'allow' },
|
|
{ kind: 'reject_once', name: 'Reject', optionId: 'reject' },
|
|
{
|
|
kind: 'reject_always',
|
|
name: 'Always Reject',
|
|
optionId: 'reject_always',
|
|
},
|
|
]
|
|
|
|
try {
|
|
const response = await conn.requestPermission({
|
|
sessionId,
|
|
toolCall,
|
|
options,
|
|
})
|
|
|
|
if (response.outcome.outcome === 'cancelled') {
|
|
// Per schema.json:629, a cancelled permission outcome means the prompt
|
|
// turn was cancelled. Signal the session so prompt() resolves with
|
|
// StopReason::Cancelled instead of treating this as a normal denial.
|
|
onPermissionCancelled?.()
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'Permission request cancelled by client',
|
|
decisionReason: { type: 'mode', mode: 'default' },
|
|
toolUseID,
|
|
}
|
|
}
|
|
|
|
if (
|
|
response.outcome.outcome === 'selected' &&
|
|
'optionId' in response.outcome &&
|
|
response.outcome.optionId !== undefined
|
|
) {
|
|
const optionId = response.outcome.optionId
|
|
if (optionId === 'allow' || optionId === 'allow_always') {
|
|
return {
|
|
behavior: 'allow',
|
|
updatedInput: input,
|
|
}
|
|
}
|
|
}
|
|
|
|
// Default: deny
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'Permission denied by client',
|
|
decisionReason: { type: 'mode', mode: 'default' },
|
|
}
|
|
} catch (err) {
|
|
console.error('[ACP Permissions] Client request error:', err)
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'Permission request failed',
|
|
decisionReason: { type: 'mode', mode: 'default' },
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
async function handleExitPlanMode(
|
|
conn: AgentSideConnection,
|
|
sessionId: string,
|
|
toolUseID: string,
|
|
input: Record<string, unknown>,
|
|
supportsTerminalOutput: boolean,
|
|
cwd?: string,
|
|
onModeChange?: (modeId: string) => void,
|
|
isBypassModeAvailable?: () => boolean,
|
|
onPermissionCancelled?: () => void,
|
|
): Promise<PermissionAllowDecision | PermissionDenyDecision> {
|
|
const options: Array<PermissionOption> = [
|
|
{
|
|
kind: 'allow_always',
|
|
name: 'Yes, and use "auto" mode',
|
|
optionId: 'auto',
|
|
},
|
|
{
|
|
kind: 'allow_always',
|
|
name: 'Yes, and auto-accept edits',
|
|
optionId: 'acceptEdits',
|
|
},
|
|
{
|
|
kind: 'allow_once',
|
|
name: 'Yes, and manually approve edits',
|
|
optionId: 'default',
|
|
},
|
|
{ kind: 'reject_once', name: 'No, keep planning', optionId: 'plan' },
|
|
]
|
|
if (isBypassModeAvailable?.() === true) {
|
|
options.unshift({
|
|
kind: 'allow_always',
|
|
name: 'Yes, and bypass permissions',
|
|
optionId: 'bypassPermissions',
|
|
})
|
|
}
|
|
|
|
const info = toolInfoFromToolUse(
|
|
{ name: 'ExitPlanMode', id: toolUseID, input },
|
|
supportsTerminalOutput,
|
|
cwd,
|
|
)
|
|
|
|
const toolCall: ToolCallUpdate = {
|
|
toolCallId: toolUseID,
|
|
title: info.title,
|
|
kind: info.kind,
|
|
status: 'pending',
|
|
rawInput: input,
|
|
}
|
|
|
|
const response = await conn.requestPermission({
|
|
sessionId,
|
|
toolCall,
|
|
options,
|
|
})
|
|
|
|
if (response.outcome.outcome === 'cancelled') {
|
|
// Propagate cancellation so prompt() resolves with StopReason::Cancelled.
|
|
onPermissionCancelled?.()
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'Tool use aborted',
|
|
decisionReason: { type: 'mode', mode: 'default' },
|
|
}
|
|
}
|
|
|
|
if (
|
|
response.outcome.outcome === 'selected' &&
|
|
'optionId' in response.outcome &&
|
|
response.outcome.optionId !== undefined
|
|
) {
|
|
const selectedOption = response.outcome.optionId
|
|
const isOfferedOption = options.some(
|
|
option => option.optionId === selectedOption,
|
|
)
|
|
if (
|
|
isOfferedOption &&
|
|
(selectedOption === 'default' ||
|
|
selectedOption === 'acceptEdits' ||
|
|
selectedOption === 'auto' ||
|
|
selectedOption === 'bypassPermissions')
|
|
) {
|
|
// Sync mode to session state and appState
|
|
onModeChange?.(selectedOption)
|
|
|
|
await conn.sessionUpdate({
|
|
sessionId,
|
|
update: {
|
|
sessionUpdate: 'current_mode_update',
|
|
currentModeId: selectedOption,
|
|
},
|
|
})
|
|
|
|
return {
|
|
behavior: 'allow',
|
|
updatedInput: input,
|
|
}
|
|
}
|
|
}
|
|
|
|
return {
|
|
behavior: 'deny',
|
|
message: 'User rejected request to exit plan mode.',
|
|
decisionReason: { type: 'mode', mode: 'plan' },
|
|
}
|
|
}
|
|
|
|
function checkTerminalOutput(clientCapabilities?: ClientCapabilities): boolean {
|
|
if (!clientCapabilities) return false
|
|
// Standard ACP v1 capability: ClientCapabilities.terminal (boolean).
|
|
if (clientCapabilities.terminal === true) return true
|
|
// Legacy Claude-Code clients advertised terminal support via _meta before
|
|
// the standard `terminal` boolean existed. `_meta` is reserved per the spec,
|
|
// but we keep this fallback for backward compatibility with older clients.
|
|
const meta = (clientCapabilities as unknown as Record<string, unknown>)._meta
|
|
if (!meta || typeof meta !== 'object') return false
|
|
return (meta as Record<string, unknown>)['terminal_output'] === true
|
|
}
|