feat: add provider-specific tool policies

2026-01-13 09:59:21 +00:00
parent 512dbedee3
commit fa8d9b9189
7 changed files with 121 additions and 16 deletions
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@@ -111,21 +111,33 @@ export function createClawdbotCodingTools(options?: {
  const sandbox = options?.sandbox?.enabled ? options.sandbox : undefined;
  const {
    agentId,
-    policy: effectiveToolsPolicy,
+    globalPolicy,
+    globalProviderPolicy,
+    agentPolicy,
+    agentProviderPolicy,
    profile,
+    providerProfile,
  } = resolveEffectiveToolPolicy({
    config: options?.config,
    sessionKey: options?.sessionKey,
+    modelProvider: options?.modelProvider,
+    modelId: options?.modelId,
  });
  const profilePolicy = resolveToolProfilePolicy(profile);
-  const scopeKey = options?.exec?.scopeKey ?? (agentId ? `agent:${agentId}` : undefined);
+  const providerProfilePolicy = resolveToolProfilePolicy(providerProfile);
+  const scopeKey =
+    options?.exec?.scopeKey ?? (agentId ? `agent:${agentId}` : undefined);
  const subagentPolicy =
    isSubagentSessionKey(options?.sessionKey) && options?.sessionKey
      ? resolveSubagentToolPolicy(options.config)
      : undefined;
  const allowBackground = isToolAllowedByPolicies("process", [
    profilePolicy,
-    effectiveToolsPolicy,
+    providerProfilePolicy,
+    globalPolicy,
+    globalProviderPolicy,
+    agentPolicy,
+    agentProviderPolicy,
    sandbox?.tools,
    subagentPolicy,
  ]);
@@ -228,11 +240,27 @@ export function createClawdbotCodingTools(options?: {
      hasRepliedRef: options?.hasRepliedRef,
    }),
  ];
-  const toolsFiltered = profilePolicy ? filterToolsByPolicy(tools, profilePolicy) : tools;
-  const policyFiltered = effectiveToolsPolicy
-    ? filterToolsByPolicy(toolsFiltered, effectiveToolsPolicy)
+  const toolsFiltered = profilePolicy
+    ? filterToolsByPolicy(tools, profilePolicy)
+    : tools;
+  const providerProfileFiltered = providerProfilePolicy
+    ? filterToolsByPolicy(toolsFiltered, providerProfilePolicy)
    : toolsFiltered;
-  const sandboxed = sandbox ? filterToolsByPolicy(policyFiltered, sandbox.tools) : policyFiltered;
+  const globalFiltered = globalPolicy
+    ? filterToolsByPolicy(providerProfileFiltered, globalPolicy)
+    : providerProfileFiltered;
+  const globalProviderFiltered = globalProviderPolicy
+    ? filterToolsByPolicy(globalFiltered, globalProviderPolicy)
+    : globalFiltered;
+  const agentFiltered = agentPolicy
+    ? filterToolsByPolicy(globalProviderFiltered, agentPolicy)
+    : globalProviderFiltered;
+  const agentProviderFiltered = agentProviderPolicy
+    ? filterToolsByPolicy(agentFiltered, agentProviderPolicy)
+    : agentFiltered;
+  const sandboxed = sandbox
+    ? filterToolsByPolicy(agentProviderFiltered, sandbox.tools)
+    : agentProviderFiltered;
  const subagentFiltered = subagentPolicy
    ? filterToolsByPolicy(sandboxed, subagentPolicy)
    : sandboxed;