will/flynn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add tool allow/deny profiles with per-agent and per-provider filtering

Browse Source 
Implements configurable tool filtering with four built-in profiles
(minimal, messaging, coding, full), global and per-agent/per-provider
allow/deny lists with glob pattern support, and defense-in-depth
enforcement at both tool listing and execution time.

New: src/tools/policy.ts (ToolPolicy engine), src/tools/policy.test.ts (37 tests)
Modified: config schema, tool registry, tool executor, NativeAgent,
AgentOrchestrator, daemon wiring, gateway tool handler, test mocks
This commit is contained in:
William Valentin
2026-02-06 15:30:34 -08:00
parent 8238d3e981
commit ee0af0cc06
13 changed files with 794 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/config/index.ts
+1 -1
View File
@@ -1,2 +1,2 @@
export { loadConfig } from './loader.js';
export { configSchema, type Config, type TelegramConfig, type ModelConfig, type CronJobConfig, type AgentsConfig, type CompactionConfig } from './schema.js';
export { configSchema, type Config, type TelegramConfig, type ModelConfig, type CronJobConfig, type AgentsConfig, type CompactionConfig, type ToolProfile, type ToolOverrideConfig, type ToolsConfig } from './schema.js';
src/config/schema.ts
+22
View File
@@ -161,6 +161,24 @@ const webSearchSchema = z.object({
max_results: z.number().min(1).max(20).default(5),
}).default({});
// ── Tool policy schemas ──────────────────────────────────────────────
const toolProfileEnum = z.enum(['minimal', 'messaging', 'coding', 'full']);
const toolOverrideSchema = z.object({
profile: toolProfileEnum.optional(),
allow: z.array(z.string()).default([]),
deny: z.array(z.string()).default([]),
}).default({});
const toolsSchema = z.object({
profile: toolProfileEnum.default('full'),
allow: z.array(z.string()).default([]),
deny: z.array(z.string()).default([]),
agents: z.record(z.string(), toolOverrideSchema).default({}),
providers: z.record(z.string(), toolOverrideSchema).default({}),
}).default({});
const promptSchema = z.object({
/** Additional directories to search for prompt template files. */
search_dirs: z.array(z.string()).default([]),
@@ -190,6 +208,7 @@ export const configSchema = z.object({
retry: retrySchema,
web_search: webSearchSchema,
prompt: promptSchema,
tools: toolsSchema,
});
export type Config = z.infer<typeof configSchema>;
@@ -206,3 +225,6 @@ export type SlackConfig = z.infer<typeof slackSchema>;
export type WhatsAppConfig = z.infer<typeof whatsappSchema>;
export type RetryPolicyConfig = z.infer<typeof retrySchema>;
export type PromptConfig = z.infer<typeof promptSchema>;
export type ToolProfile = z.infer<typeof toolProfileEnum>;
export type ToolOverrideConfig = z.infer<typeof toolOverrideSchema>;
export type ToolsConfig = z.infer<typeof toolsSchema>;