feat: add per-agent elevated controls

2026-01-09 20:42:16 +00:00
parent 1a97aadb6b
commit 5fa26bfec7
13 changed files with 349 additions and 26 deletions
--- a/src/agents/agent-scope.test.ts
+++ b/src/agents/agent-scope.test.ts
@@ -85,6 +85,10 @@ describe("resolveAgentConfig", () => {
            tools: {
              allow: ["read"],
              deny: ["bash", "write", "edit"],
+              elevated: {
+                enabled: false,
+                allowFrom: { whatsapp: ["+15555550123"] },
+              },
            },
          },
        ],
@@ -94,6 +98,10 @@ describe("resolveAgentConfig", () => {
    expect(result?.tools).toEqual({
      allow: ["read"],
      deny: ["bash", "write", "edit"],
+      elevated: {
+        enabled: false,
+        allowFrom: { whatsapp: ["+15555550123"] },
+      },
    });
  });

--- a/src/agents/pi-tools-agent-config.test.ts
+++ b/src/agents/pi-tools-agent-config.test.ts
@@ -33,6 +33,40 @@ describe("Agent-specific tool filtering", () => {
    expect(toolNames).not.toContain("Bash");
  });

+  it("should keep global tool policy when agent only sets tools.elevated", () => {
+    const cfg: ClawdbotConfig = {
+      tools: {
+        deny: ["write"],
+      },
+      agents: {
+        list: [
+          {
+            id: "main",
+            workspace: "~/clawd",
+            tools: {
+              elevated: {
+                enabled: true,
+                allowFrom: { whatsapp: ["+15555550123"] },
+              },
+            },
+          },
+        ],
+      },
+    };
+
+    const tools = createClawdbotCodingTools({
+      config: cfg,
+      sessionKey: "agent:main:main",
+      workspaceDir: "/tmp/test",
+      agentDir: "/tmp/agent",
+    });
+
+    const toolNames = tools.map((t) => t.name);
+    expect(toolNames).toContain("Bash");
+    expect(toolNames).toContain("Read");
+    expect(toolNames).not.toContain("Write");
+  });
+
  it("should apply agent-specific tool policy", () => {
    const cfg: ClawdbotConfig = {
      tools: {
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@@ -348,11 +348,13 @@ function resolveEffectiveToolPolicy(params: {
    params.config && agentId
      ? resolveAgentConfig(params.config, agentId)
      : undefined;
-  const hasAgentTools = agentConfig?.tools !== undefined;
+  const agentTools = agentConfig?.tools;
+  const hasAgentToolPolicy =
+    Array.isArray(agentTools?.allow) || Array.isArray(agentTools?.deny);
  const globalTools = params.config?.tools;
  return {
    agentId,
-    policy: hasAgentTools ? agentConfig?.tools : globalTools,
+    policy: hasAgentToolPolicy ? agentTools : globalTools,
  };
 }