Initializes the ToolPermissionManager with its specific configuration and any necessary service dependencies (like authentication or subscription services). This method must be called successfully before the manager can process permission checks.
The configuration object for the permission manager, defining its operational parameters and rules.
Optional authService: IAuthServiceOptional. An instance of the authentication service. This might be used for more complex permission rules based on user roles, identity verification status, or other authentication attributes.
Optional subscriptionService: ISubscriptionServiceOptional. An instance of the subscription service. This is
crucial if tool access is tied to user subscription tiers or specific feature flags defined in ToolPermissionManagerConfig.
A promise that resolves upon successful initialization of the manager.
If initialization fails due to invalid configuration or issues with dependencies.
Checks if the execution of a given tool is permitted based on the comprehensive context provided. This is the primary method for authorizing tool calls. It should consolidate all relevant checks, including:
tool.requiredCapabilities.config.toolToSubscriptionFeatures.The context object containing all necessary information for the permission decision (the tool instance, persona details, user context, etc.).
A promise that resolves with a PermissionCheckResult object,
which includes a boolean isAllowed flag and an optional reason and details for the decision.
const permissionContext = {
tool: myCalculatorTool,
personaId: "calculator-persona",
personaCapabilities: ["execute_basic_math"],
userContext: { userId: "user-test-123" }
};
const result = await permissionManager.isExecutionAllowed(permissionContext);
if (result.isAllowed) {
console.log("Calculator tool execution permitted.");
} else {
console.warn(`Calculator tool execution denied: ${result.reason}`, result.details);
}
Performs a specific check to determine if a Persona possesses all the capabilities explicitly listed as required by a tool.
An array of capability strings currently held by the Persona.
An array of capability strings defined as required by the tool.
If undefined or empty, this check inherently passes (tool requires no specific capabilities).
true if the Persona possesses all capabilities required by the tool, false otherwise.
Performs a specific check to determine if a user's subscription plan includes the
necessary features or flags that are configured as prerequisites for using a particular tool.
This relies on the ISubscriptionService and the toolToSubscriptionFeatures mapping
in the ToolPermissionManagerConfig.
The ID of the user whose subscription is being checked.
The unique ID (ITool.id) or functional name (ITool.name) of the tool.
An object indicating if access is allowed by subscription. If isAllowed is false,
missingFeatures (if applicable) will list the specific subscription features the user lacks,
and reason may provide additional context.
If the ISubscriptionService is not configured but this check is invoked
for a tool that has required features (GMIErrorCode.CONFIGURATION_ERROR or EXTERNAL_SERVICE_ERROR).
Retrieves the list of FeatureFlags that are configured as being required for a specific tool.
This information is sourced from the toolToSubscriptionFeatures mapping in the manager's configuration.
The ID or name of the tool.
An array of FeatureFlag objects required for the tool,
or undefined if no specific features are mapped as required for this tool.
IToolPermissionManager
Description
Defines the contract for a service responsible for managing and enforcing permissions related to tool execution within the AgentOS ecosystem. Implementations of this interface will centralize the logic for checking Persona capabilities, user subscription features, and any other custom authorization rules before a tool is allowed to execute.