diff --git a/CHANGELOG.md b/CHANGELOG.md index 5111ea119..5bc5489a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ Docs: https://docs.clawd.bot ### Fixes - macOS: drain subprocess pipes before waiting to avoid deadlocks. (#1081) — thanks @thesash. - Verbose: wrap tool summaries/output in markdown only for markdown-capable channels. +- Tools: include provider/session context in elevated exec denial errors. - Telegram: accept tg/group/telegram prefixes + topic targets for inline button validation. (#1072) — thanks @danielz1z. - Telegram: split long captions into follow-up messages. - Config: block startup on invalid config, preserve best-effort doctor config, and keep rolling config backups. (#1083) — thanks @mukhtharcm. diff --git a/src/agents/bash-tools.exec.ts b/src/agents/bash-tools.exec.ts index 1824cf048..fdd02c5f8 100644 --- a/src/agents/bash-tools.exec.ts +++ b/src/agents/bash-tools.exec.ts @@ -75,6 +75,7 @@ export type ExecToolDefaults = { allowBackground?: boolean; scopeKey?: string; sessionKey?: string; + messageProvider?: string; notifyOnExit?: boolean; cwd?: string; }; @@ -220,6 +221,11 @@ export function createExecTool( if (!elevatedDefaults?.enabled || !elevatedDefaults.allowed) { const runtime = defaults?.sandbox ? "sandboxed" : "direct"; const gates: string[] = []; + const contextParts: string[] = []; + const provider = defaults?.messageProvider?.trim(); + const sessionKey = defaults?.sessionKey?.trim(); + if (provider) contextParts.push(`provider=${provider}`); + if (sessionKey) contextParts.push(`session=${sessionKey}`); if (!elevatedDefaults?.enabled) { gates.push("enabled (tools.elevated.enabled / agents.list[].tools.elevated.enabled)"); } else { @@ -231,12 +237,15 @@ export function createExecTool( [ `elevated is not available right now (runtime=${runtime}).`, `Failing gates: ${gates.join(", ")}`, + contextParts.length > 0 ? `Context: ${contextParts.join(" ")}` : undefined, "Fix-it keys:", "- tools.elevated.enabled", "- tools.elevated.allowFrom.", "- agents.list[].tools.elevated.enabled", "- agents.list[].tools.elevated.allowFrom.", - ].join("\n"), + ] + .filter(Boolean) + .join("\n"), ); } logInfo( diff --git a/src/agents/bash-tools.test.ts b/src/agents/bash-tools.test.ts index 198a062ca..457162ae3 100644 --- a/src/agents/bash-tools.test.ts +++ b/src/agents/bash-tools.test.ts @@ -150,6 +150,8 @@ describe("exec tool backgrounding", () => { it("rejects elevated requests when not allowed", async () => { const customBash = createExecTool({ elevated: { enabled: true, allowed: false, defaultLevel: "off" }, + messageProvider: "telegram", + sessionKey: "agent:main:main", }); await expect( @@ -157,7 +159,7 @@ describe("exec tool backgrounding", () => { command: "echo hi", elevated: true, }), - ).rejects.toThrow("tools.elevated.allowFrom."); + ).rejects.toThrow("Context: provider=telegram session=agent:main:main"); }); it("does not default to elevated when not allowed", async () => { diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts index 09945897a..7bb2abebc 100644 --- a/src/agents/pi-tools.ts +++ b/src/agents/pi-tools.ts @@ -182,6 +182,7 @@ export function createClawdbotCodingTools(options?: { allowBackground, scopeKey, sessionKey: options?.sessionKey, + messageProvider: options?.messageProvider, sandbox: sandbox ? { containerName: sandbox.containerName,