will/flynn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add tool allow/deny profiles with per-agent and per-provider filtering

Browse Source 
Implements configurable tool filtering with four built-in profiles
(minimal, messaging, coding, full), global and per-agent/per-provider
allow/deny lists with glob pattern support, and defense-in-depth
enforcement at both tool listing and execution time.

New: src/tools/policy.ts (ToolPolicy engine), src/tools/policy.test.ts (37 tests)
Modified: config schema, tool registry, tool executor, NativeAgent,
AgentOrchestrator, daemon wiring, gateway tool handler, test mocks
This commit is contained in:
William Valentin
2026-02-06 15:30:34 -08:00
parent 8238d3e981
commit ee0af0cc06
13 changed files with 794 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/gateway/handlers/handlers.test.ts
+2
View File
@@ -120,6 +120,7 @@ describe('tool handlers', () => {
const mockRegistry = {
list: vi.fn(() => [mockTool]),
filteredList: vi.fn(() => [mockTool]),
get: vi.fn((name: string) => (name === 'test.tool' ? mockTool : undefined)),
register: vi.fn(),
toAnthropicFormat: vi.fn(),
@@ -138,6 +139,7 @@ describe('tool handlers', () => {
beforeEach(() => {
vi.clearAllMocks();
mockRegistry.list.mockReturnValue([mockTool]);
mockRegistry.filteredList.mockReturnValue([mockTool]);
mockRegistry.get.mockImplementation((name: string) => (name === 'test.tool' ? mockTool : undefined));
mockExecutor.execute.mockResolvedValue({ success: true, output: 'done' });
});
src/gateway/handlers/tools.ts
+3 -1
View File
@@ -11,7 +11,8 @@ export interface ToolHandlerDeps {
export function createToolHandlers(deps: ToolHandlerDeps) {
return {
'tools.list': async (request: GatewayRequest): Promise<OutboundMessage> => {
const tools = deps.toolRegistry.list().map(t => ({
// Use filteredList to respect tool policy (gateway context has no agent/provider)
const tools = deps.toolRegistry.filteredList().map(t => ({
name: t.name,
description: t.description,
inputSchema: t.inputSchema,
@@ -30,6 +31,7 @@ export function createToolHandlers(deps: ToolHandlerDeps) {
return makeError(request.id, ErrorCode.ToolNotFound, `Tool not found: ${params.tool}`);
}
// Pass no context — gateway uses global policy only
const result = await deps.toolExecutor.execute(params.tool, params.args ?? {});
return makeResponse(request.id, result);
},