framework.approval.PythonExecutionApprovalEvaluator
- class framework.approval.PythonExecutionApprovalEvaluator(config)
Bases: object
Business logic evaluator for Python code execution approval decisions.
Implements capability-specific rules for determining when Python code execution requires human approval. The evaluator supports multiple approval modes ranging from disabled (no approval) to all_code (approval for everything).
The evaluation logic considers both the configured approval mode and the specific characteristics of the code being evaluated, such as EPICS operations. This provides granular control over approval requirements based on operational risk assessment.
- Supported Approval Modes:
DISABLED: No approval required regardless of code content
EPICS_WRITES: Approval required only for code with EPICS write operations
ALL_CODE: Approval required for all Python code execution
- Parameters:
config (PythonExecutionApprovalConfig) – Configuration object containing approval settings
Examples
Create evaluator with EPICS writes mode:
>>> config = PythonExecutionApprovalConfig(
...     enabled=True,
...     mode=ApprovalMode.EPICS_WRITES
... )
>>> evaluator = PythonExecutionApprovalEvaluator(config)
Evaluate code with EPICS writes:
>>> decision = evaluator.evaluate(
...     has_epics_writes=True,
...     has_epics_reads=False
... )
>>> print(f"Approval needed: {decision.needs_approval}")
>>> print(f"Reason: {decision.reasoning}")
Note
The evaluator is stateless and can be reused for multiple evaluations with the same configuration settings.
See also
PythonExecutionApprovalConfig: Configuration model used by this evaluator
ApprovalDecision: Decision model returned by evaluation methods
ApprovalManager: Manager that creates instances of this evaluator
evaluate(): Main evaluation method of this class
- __init__(config)
Initialize evaluator with Python execution approval configuration.
- Parameters:
config (PythonExecutionApprovalConfig) – Configuration object containing approval mode and settings
- evaluate(has_epics_writes, has_epics_reads)
Evaluate whether Python code execution requires human approval.
Applies configured approval rules to determine if the given code characteristics require human approval before execution. The evaluation considers both global settings and code-specific risk factors.
The evaluation logic follows this hierarchy:
1. Check if approval is globally disabled
2. Apply mode-specific rules (disabled, epics_writes, all_code)
3. Fall back to secure default (approval required) for unknown modes
- Parameters:
has_epics_writes (bool) – Whether code contains EPICS write operations
has_epics_reads (bool) – Whether code contains EPICS read operations
- Returns:
Decision object with approval requirement and reasoning
- Return type:
Examples
Evaluate read-only EPICS code:
>>> decision = evaluator.evaluate(
...     has_epics_writes=False,
...     has_epics_reads=True
... )
>>> # Result depends on configured mode
Evaluate code with EPICS writes:
>>> decision = evaluator.evaluate(
...     has_epics_writes=True,
...     has_epics_reads=True
... )
>>> # Will require approval in EPICS_WRITES or ALL_CODE modes
Evaluate pure Python code:
>>> decision = evaluator.evaluate(
...     has_epics_writes=False,
...     has_epics_reads=False
... )
>>> # Requires approval only in ALL_CODE mode
Note
Unknown approval modes default to requiring approval for security.
See also
ApprovalDecision: Decision structure returned by this method
ApprovalMode: Enum values processed by this evaluation logic
PythonExecutionApprovalConfig: Configuration that controls evaluation
framework.approval.create_code_approval_interrupt(): Uses evaluation results
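The three-step hierarchy and the fail-closed default described for evaluate(), as an added sketch that is not the framework's own code. Mode, Decision, sketch_evaluate and decision_matrix are hypothetical stand-ins, and the misspelled mode string is constructed sample input.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):  # hypothetical stand-in for the three documented modes
    DISABLED = "disabled"
    EPICS_WRITES = "epics_writes"
    ALL_CODE = "all_code"


@dataclass(frozen=True)
class Decision:  # stand-in carrying the two fields the page's examples read
    needs_approval: bool
    reasoning: str


def sketch_evaluate(enabled, mode, has_epics_writes, has_epics_reads):
    """Re-create the documented three-step hierarchy (illustrative only)."""
    # Step 1: the global switch short-circuits everything else.
    if not enabled:
        return Decision(False, "approval globally disabled")
    # Step 2: mode-specific rules.
    if mode is Mode.DISABLED:
        return Decision(False, "mode is disabled")
    if mode is Mode.ALL_CODE:
        return Decision(True, "all code requires approval")
    if mode is Mode.EPICS_WRITES:
        # Assumption from the mode descriptions: only writes gate approval,
        # so has_epics_reads does not change the outcome.
        if has_epics_writes:
            return Decision(True, "code contains EPICS writes")
        return Decision(False, "no EPICS writes detected")
    # Step 3: anything unrecognised (typo, None, new member) fails closed.
    return Decision(True, f"unknown mode {mode!r}, defaulting to approval")


def decision_matrix():
    """Map (mode, writes, reads) -> needs_approval for every combination."""
    modes = list(Mode) + ["epics_write"]  # constructed typo, not a real mode
    return {
        (getattr(m, "name", m), w, r): sketch_evaluate(True, m, w, r).needs_approval
        for m in modes for w in (False, True) for r in (False, True)
    }


if __name__ == "__main__":
    for key, needs in decision_matrix().items():
        print(key, "->", "APPROVAL" if needs else "run")
```

The matrix makes the review point visible: a mistyped mode in configuration yields approval on every row instead of silently disabling the gate.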