2026-02-19 15:06:28 +01:00
|
|
|
import { OWNER_ONLY_TOOL_ERROR, type AnyAgentTool } from "./tools/common.js";
|
2026-02-04 19:49:36 -05:00
|
|
|
|
2026-01-13 06:28:15 +00:00
|
|
|
export type ToolProfileId = "minimal" | "coding" | "messaging" | "full";
|
|
|
|
|
|
|
|
|
|
type ToolProfilePolicy = {
|
|
|
|
|
allow?: string[];
|
|
|
|
|
deny?: string[];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const TOOL_NAME_ALIASES: Record<string, string> = {
|
|
|
|
|
bash: "exec",
|
|
|
|
|
"apply-patch": "apply_patch",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export const TOOL_GROUPS: Record<string, string[]> = {
|
|
|
|
|
// NOTE: Keep canonical (lowercase) tool names here.
|
|
|
|
|
"group:memory": ["memory_search", "memory_get"],
|
2026-01-15 04:07:29 +00:00
|
|
|
"group:web": ["web_search", "web_fetch"],
|
2026-01-13 06:28:15 +00:00
|
|
|
// Basic workspace/file tools
|
|
|
|
|
"group:fs": ["read", "write", "edit", "apply_patch"],
|
|
|
|
|
// Host/runtime execution tools
|
2026-01-24 01:21:50 -06:00
|
|
|
"group:runtime": ["exec", "process"],
|
2026-01-13 06:28:15 +00:00
|
|
|
// Session management tools
|
|
|
|
|
"group:sessions": [
|
|
|
|
|
"sessions_list",
|
|
|
|
|
"sessions_history",
|
|
|
|
|
"sessions_send",
|
|
|
|
|
"sessions_spawn",
|
Agents: add nested subagent orchestration controls and reduce subagent token waste (#14447)
* Agents: add subagent orchestration controls
* Agents: add subagent orchestration controls (WIP uncommitted changes)
* feat(subagents): add depth-based spawn gating for sub-sub-agents
* feat(subagents): tool policy, registry, and announce chain for nested agents
* feat(subagents): system prompt, docs, changelog for nested sub-agents
* fix(subagents): prevent model fallback override, show model during active runs, and block context overflow fallback
Bug 1: When a session has an explicit model override (e.g., gpt/openai-codex),
the fallback candidate logic in resolveFallbackCandidates silently appended the
global primary model (opus) as a backstop. On reinjection/steer with a transient
error, the session could fall back to opus which has a smaller context window
and crash. Fix: when storedModelOverride is set, pass fallbacksOverride ?? []
instead of undefined, preventing the implicit primary backstop.
Bug 2: Active subagents showed 'model n/a' in /subagents list because
resolveModelDisplay only read entry.model/modelProvider (populated after run
completes). Fix: fall back to modelOverride/providerOverride fields which are
populated at spawn time via sessions.patch.
Bug 3: Context overflow errors (prompt too long, context_length_exceeded) could
theoretically escape runEmbeddedPiAgent and be treated as failover candidates
in runWithModelFallback, causing a switch to a model with a smaller context
window. Fix: in runWithModelFallback, detect context overflow errors via
isLikelyContextOverflowError and rethrow them immediately instead of trying the
next model candidate.
* fix(subagents): track spawn depth in session store and fix announce routing for nested agents
* Fix compaction status tracking and dedupe overflow compaction triggers
* fix(subagents): enforce depth block via session store and implement cascade kill
* fix: inject group chat context into system prompt
* fix(subagents): always write model to session store at spawn time
* Preserve spawnDepth when agent handler rewrites session entry
* fix(subagents): suppress announce on steer-restart
* fix(subagents): fallback spawned session model to runtime default
* fix(subagents): enforce spawn depth when caller key resolves by sessionId
* feat(subagents): implement active-first ordering for numeric targets and enhance task display
- Added a test to verify that subagents with numeric targets follow an active-first list ordering.
- Updated `resolveSubagentTarget` to sort subagent runs based on active status and recent activity.
- Enhanced task display in command responses to prevent truncation of long task descriptions.
- Introduced new utility functions for compacting task text and managing subagent run states.
* fix(subagents): show model for active runs via run record fallback
When the spawned model matches the agent's default model, the session
store's override fields are intentionally cleared (isDefault: true).
The model/modelProvider fields are only populated after the run
completes. This left active subagents showing 'model n/a'.
Fix: store the resolved model on SubagentRunRecord at registration
time, and use it as a fallback in both display paths (subagents tool
and /subagents command) when the session store entry has no model info.
Changes:
- SubagentRunRecord: add optional model field
- registerSubagentRun: accept and persist model param
- sessions-spawn-tool: pass resolvedModel to registerSubagentRun
- subagents-tool: pass run record model as fallback to resolveModelDisplay
- commands-subagents: pass run record model as fallback to resolveModelDisplay
* feat(chat): implement session key resolution and reset on sidebar navigation
- Added functions to resolve the main session key and reset chat state when switching sessions from the sidebar.
- Updated the `renderTab` function to handle session key changes when navigating to the chat tab.
- Introduced a test to verify that the session resets to "main" when opening chat from the sidebar navigation.
* fix: subagent timeout=0 passthrough and fallback prompt duplication
Bug 1: runTimeoutSeconds=0 now means 'no timeout' instead of applying 600s default
- sessions-spawn-tool: default to undefined (not 0) when neither timeout param
is provided; use != null check so explicit 0 passes through to gateway
- agent.ts: accept 0 as valid timeout (resolveAgentTimeoutMs already handles
0 → MAX_SAFE_TIMEOUT_MS)
Bug 2: model fallback no longer re-injects the original prompt as a duplicate
- agent.ts: track fallback attempt index; on retries use a short continuation
message instead of the full original prompt since the session file already
contains it from the first attempt
- Also skip re-sending images on fallback retries (already in session)
* feat(subagents): truncate long task descriptions in subagents command output
- Introduced a new utility function to format task previews, limiting their length to improve readability.
- Updated the command handler to use the new formatting function, ensuring task descriptions are truncated appropriately.
- Adjusted related tests to verify that long task descriptions are now truncated in the output.
* refactor(subagents): update subagent registry path resolution and improve command output formatting
- Replaced direct import of STATE_DIR with a utility function to resolve the state directory dynamically.
- Enhanced the formatting of command output for active and recent subagents, adding separators for better readability.
- Updated related tests to reflect changes in command output structure.
* fix(subagent): default sessions_spawn to no timeout when runTimeoutSeconds omitted
The previous fix (75a791106) correctly handled the case where
runTimeoutSeconds was explicitly set to 0 ("no timeout"). However,
when models omit the parameter entirely (which is common since the
schema marks it as optional), runTimeoutSeconds resolved to undefined.
undefined flowed through the chain as:
sessions_spawn → timeout: undefined (since undefined != null is false)
→ gateway agent handler → agentCommand opts.timeout: undefined
→ resolveAgentTimeoutMs({ overrideSeconds: undefined })
→ DEFAULT_AGENT_TIMEOUT_SECONDS (600s = 10 minutes)
This caused subagents to be killed at exactly 10 minutes even though
the user's intent (via TOOLS.md) was for subagents to run without a
timeout.
Fix: default runTimeoutSeconds to 0 (no timeout) when neither
runTimeoutSeconds nor timeoutSeconds is provided by the caller.
Subagent spawns are long-running by design and should not inherit the
600s agent-command default timeout.
* fix(subagent): accept timeout=0 in agent-via-gateway path (second 600s default)
* fix: thread timeout override through getReplyFromConfig dispatch path
getReplyFromConfig called resolveAgentTimeoutMs({ cfg }) with no override,
always falling back to the config default (600s). Add timeoutOverrideSeconds
to GetReplyOptions and pass it through as overrideSeconds so callers of the
dispatch chain can specify a custom timeout (0 = no timeout).
This complements the existing timeout threading in agentCommand and the
cron isolated-agent runner, which already pass overrideSeconds correctly.
* feat(model-fallback): normalize OpenAI Codex model references and enhance fallback handling
- Added normalization for OpenAI Codex model references, specifically converting "gpt-5.3-codex" to "openai-codex" before execution.
- Updated the `resolveFallbackCandidates` function to utilize the new normalization logic.
- Enhanced tests to verify the correct behavior of model normalization and fallback mechanisms.
- Introduced a new test case to ensure that the normalization process works as expected for various input formats.
* feat(tests): add unit tests for steer failure behavior in openclaw-tools
- Introduced a new test file to validate the behavior of subagents when steer replacement dispatch fails.
- Implemented tests to ensure that the announce behavior is restored correctly and that the suppression reason is cleared as expected.
- Enhanced the subagent registry with a new function to clear steer restart suppression.
- Updated related components to support the new test scenarios.
* fix(subagents): replace stop command with kill in slash commands and documentation
- Updated the `/subagents` command to replace `stop` with `kill` for consistency in controlling sub-agent runs.
- Modified related documentation to reflect the change in command usage.
- Removed legacy timeoutSeconds references from the sessions-spawn-tool schema and tests to streamline timeout handling.
- Enhanced tests to ensure correct behavior of the updated commands and their interactions.
* feat(tests): add unit tests for readLatestAssistantReply function
- Introduced a new test file for the `readLatestAssistantReply` function to validate its behavior with various message scenarios.
- Implemented tests to ensure the function correctly retrieves the latest assistant message and handles cases where the latest message has no text.
- Mocked the gateway call to simulate different message histories for comprehensive testing.
* feat(tests): enhance subagent kill-all cascade tests and announce formatting
- Added a new test to verify that the `kill-all` command cascades through ended parents to active descendants in subagents.
- Updated the subagent announce formatting tests to reflect changes in message structure, including the replacement of "Findings:" with "Result:" and the addition of new expectations for message content.
- Improved the handling of long findings and stats in the announce formatting logic to ensure concise output.
- Refactored related functions to enhance clarity and maintainability in the subagent registry and tools.
* refactor(subagent): update announce formatting and remove unused constants
- Modified the subagent announce formatting to replace "Findings:" with "Result:" and adjusted related expectations in tests.
- Removed constants for maximum announce findings characters and summary words, simplifying the announcement logic.
- Updated the handling of findings to retain full content instead of truncating, ensuring more informative outputs.
- Cleaned up unused imports in the commands-subagents file to enhance code clarity.
* feat(tests): enhance billing error handling in user-facing text
- Added tests to ensure that normal text mentioning billing plans is not rewritten, preserving user context.
- Updated the `isBillingErrorMessage` and `sanitizeUserFacingText` functions to improve handling of billing-related messages.
- Introduced new test cases for various scenarios involving billing messages to ensure accurate processing and output.
- Enhanced the subagent announce flow to correctly manage active descendant runs, preventing premature announcements.
* feat(subagent): enhance workflow guidance and auto-announcement clarity
- Added a new guideline in the subagent system prompt to emphasize trust in push-based completion, discouraging busy polling for status updates.
- Updated documentation to clarify that sub-agents will automatically announce their results, improving user understanding of the workflow.
- Enhanced tests to verify the new guidance on avoiding polling loops and to ensure the accuracy of the updated prompts.
* fix(cron): avoid announcing interim subagent spawn acks
* chore: clean post-rebase imports
* fix(cron): fall back to child replies when parent stays interim
* fix(subagents): make active-run guidance advisory
* fix(subagents): update announce flow to handle active descendants and enhance test coverage
- Modified the announce flow to defer announcements when active descendant runs are present, ensuring accurate status reporting.
- Updated tests to verify the new behavior, including scenarios where no fallback requester is available and ensuring proper handling of finished subagents.
- Enhanced the announce formatting to include an `expectFinal` flag for better clarity in the announcement process.
* fix(subagents): enhance announce flow and formatting for user updates
- Updated the announce flow to provide clearer instructions for user updates based on active subagent runs and requester context.
- Refactored the announcement logic to improve clarity and ensure internal context remains private.
- Enhanced tests to verify the new message expectations and formatting, including updated prompts for user-facing updates.
- Introduced a new function to build reply instructions based on session context, improving the overall announcement process.
* fix: resolve prep blockers and changelog placement (#14447) (thanks @tyler6204)
* fix: restore cron delivery-plan import after rebase (#14447) (thanks @tyler6204)
* fix: resolve test failures from rebase conflicts (#14447) (thanks @tyler6204)
* fix: apply formatting after rebase (#14447) (thanks @tyler6204)
2026-02-14 22:03:45 -08:00
|
|
|
"subagents",
|
2026-01-13 06:28:15 +00:00
|
|
|
"session_status",
|
|
|
|
|
],
|
|
|
|
|
// UI helpers
|
|
|
|
|
"group:ui": ["browser", "canvas"],
|
|
|
|
|
// Automation + infra
|
|
|
|
|
"group:automation": ["cron", "gateway"],
|
|
|
|
|
// Messaging surface
|
|
|
|
|
"group:messaging": ["message"],
|
|
|
|
|
// Nodes + device tools
|
|
|
|
|
"group:nodes": ["nodes"],
|
2026-01-30 03:15:10 +01:00
|
|
|
// All OpenClaw native tools (excludes provider plugins).
|
|
|
|
|
"group:openclaw": [
|
2026-01-13 06:28:15 +00:00
|
|
|
"browser",
|
|
|
|
|
"canvas",
|
|
|
|
|
"nodes",
|
|
|
|
|
"cron",
|
|
|
|
|
"message",
|
|
|
|
|
"gateway",
|
|
|
|
|
"agents_list",
|
|
|
|
|
"sessions_list",
|
|
|
|
|
"sessions_history",
|
|
|
|
|
"sessions_send",
|
|
|
|
|
"sessions_spawn",
|
Agents: add nested subagent orchestration controls and reduce subagent token waste (#14447)
* Agents: add subagent orchestration controls
* Agents: add subagent orchestration controls (WIP uncommitted changes)
* feat(subagents): add depth-based spawn gating for sub-sub-agents
* feat(subagents): tool policy, registry, and announce chain for nested agents
* feat(subagents): system prompt, docs, changelog for nested sub-agents
* fix(subagents): prevent model fallback override, show model during active runs, and block context overflow fallback
Bug 1: When a session has an explicit model override (e.g., gpt/openai-codex),
the fallback candidate logic in resolveFallbackCandidates silently appended the
global primary model (opus) as a backstop. On reinjection/steer with a transient
error, the session could fall back to opus which has a smaller context window
and crash. Fix: when storedModelOverride is set, pass fallbacksOverride ?? []
instead of undefined, preventing the implicit primary backstop.
Bug 2: Active subagents showed 'model n/a' in /subagents list because
resolveModelDisplay only read entry.model/modelProvider (populated after run
completes). Fix: fall back to modelOverride/providerOverride fields which are
populated at spawn time via sessions.patch.
Bug 3: Context overflow errors (prompt too long, context_length_exceeded) could
theoretically escape runEmbeddedPiAgent and be treated as failover candidates
in runWithModelFallback, causing a switch to a model with a smaller context
window. Fix: in runWithModelFallback, detect context overflow errors via
isLikelyContextOverflowError and rethrow them immediately instead of trying the
next model candidate.
* fix(subagents): track spawn depth in session store and fix announce routing for nested agents
* Fix compaction status tracking and dedupe overflow compaction triggers
* fix(subagents): enforce depth block via session store and implement cascade kill
* fix: inject group chat context into system prompt
* fix(subagents): always write model to session store at spawn time
* Preserve spawnDepth when agent handler rewrites session entry
* fix(subagents): suppress announce on steer-restart
* fix(subagents): fallback spawned session model to runtime default
* fix(subagents): enforce spawn depth when caller key resolves by sessionId
* feat(subagents): implement active-first ordering for numeric targets and enhance task display
- Added a test to verify that subagents with numeric targets follow an active-first list ordering.
- Updated `resolveSubagentTarget` to sort subagent runs based on active status and recent activity.
- Enhanced task display in command responses to prevent truncation of long task descriptions.
- Introduced new utility functions for compacting task text and managing subagent run states.
* fix(subagents): show model for active runs via run record fallback
When the spawned model matches the agent's default model, the session
store's override fields are intentionally cleared (isDefault: true).
The model/modelProvider fields are only populated after the run
completes. This left active subagents showing 'model n/a'.
Fix: store the resolved model on SubagentRunRecord at registration
time, and use it as a fallback in both display paths (subagents tool
and /subagents command) when the session store entry has no model info.
Changes:
- SubagentRunRecord: add optional model field
- registerSubagentRun: accept and persist model param
- sessions-spawn-tool: pass resolvedModel to registerSubagentRun
- subagents-tool: pass run record model as fallback to resolveModelDisplay
- commands-subagents: pass run record model as fallback to resolveModelDisplay
* feat(chat): implement session key resolution and reset on sidebar navigation
- Added functions to resolve the main session key and reset chat state when switching sessions from the sidebar.
- Updated the `renderTab` function to handle session key changes when navigating to the chat tab.
- Introduced a test to verify that the session resets to "main" when opening chat from the sidebar navigation.
* fix: subagent timeout=0 passthrough and fallback prompt duplication
Bug 1: runTimeoutSeconds=0 now means 'no timeout' instead of applying 600s default
- sessions-spawn-tool: default to undefined (not 0) when neither timeout param
is provided; use != null check so explicit 0 passes through to gateway
- agent.ts: accept 0 as valid timeout (resolveAgentTimeoutMs already handles
0 → MAX_SAFE_TIMEOUT_MS)
Bug 2: model fallback no longer re-injects the original prompt as a duplicate
- agent.ts: track fallback attempt index; on retries use a short continuation
message instead of the full original prompt since the session file already
contains it from the first attempt
- Also skip re-sending images on fallback retries (already in session)
* feat(subagents): truncate long task descriptions in subagents command output
- Introduced a new utility function to format task previews, limiting their length to improve readability.
- Updated the command handler to use the new formatting function, ensuring task descriptions are truncated appropriately.
- Adjusted related tests to verify that long task descriptions are now truncated in the output.
* refactor(subagents): update subagent registry path resolution and improve command output formatting
- Replaced direct import of STATE_DIR with a utility function to resolve the state directory dynamically.
- Enhanced the formatting of command output for active and recent subagents, adding separators for better readability.
- Updated related tests to reflect changes in command output structure.
* fix(subagent): default sessions_spawn to no timeout when runTimeoutSeconds omitted
The previous fix (75a791106) correctly handled the case where
runTimeoutSeconds was explicitly set to 0 ("no timeout"). However,
when models omit the parameter entirely (which is common since the
schema marks it as optional), runTimeoutSeconds resolved to undefined.
undefined flowed through the chain as:
sessions_spawn → timeout: undefined (since undefined != null is false)
→ gateway agent handler → agentCommand opts.timeout: undefined
→ resolveAgentTimeoutMs({ overrideSeconds: undefined })
→ DEFAULT_AGENT_TIMEOUT_SECONDS (600s = 10 minutes)
This caused subagents to be killed at exactly 10 minutes even though
the user's intent (via TOOLS.md) was for subagents to run without a
timeout.
Fix: default runTimeoutSeconds to 0 (no timeout) when neither
runTimeoutSeconds nor timeoutSeconds is provided by the caller.
Subagent spawns are long-running by design and should not inherit the
600s agent-command default timeout.
* fix(subagent): accept timeout=0 in agent-via-gateway path (second 600s default)
* fix: thread timeout override through getReplyFromConfig dispatch path
getReplyFromConfig called resolveAgentTimeoutMs({ cfg }) with no override,
always falling back to the config default (600s). Add timeoutOverrideSeconds
to GetReplyOptions and pass it through as overrideSeconds so callers of the
dispatch chain can specify a custom timeout (0 = no timeout).
This complements the existing timeout threading in agentCommand and the
cron isolated-agent runner, which already pass overrideSeconds correctly.
* feat(model-fallback): normalize OpenAI Codex model references and enhance fallback handling
- Added normalization for OpenAI Codex model references, specifically converting "gpt-5.3-codex" to "openai-codex" before execution.
- Updated the `resolveFallbackCandidates` function to utilize the new normalization logic.
- Enhanced tests to verify the correct behavior of model normalization and fallback mechanisms.
- Introduced a new test case to ensure that the normalization process works as expected for various input formats.
* feat(tests): add unit tests for steer failure behavior in openclaw-tools
- Introduced a new test file to validate the behavior of subagents when steer replacement dispatch fails.
- Implemented tests to ensure that the announce behavior is restored correctly and that the suppression reason is cleared as expected.
- Enhanced the subagent registry with a new function to clear steer restart suppression.
- Updated related components to support the new test scenarios.
* fix(subagents): replace stop command with kill in slash commands and documentation
- Updated the `/subagents` command to replace `stop` with `kill` for consistency in controlling sub-agent runs.
- Modified related documentation to reflect the change in command usage.
- Removed legacy timeoutSeconds references from the sessions-spawn-tool schema and tests to streamline timeout handling.
- Enhanced tests to ensure correct behavior of the updated commands and their interactions.
* feat(tests): add unit tests for readLatestAssistantReply function
- Introduced a new test file for the `readLatestAssistantReply` function to validate its behavior with various message scenarios.
- Implemented tests to ensure the function correctly retrieves the latest assistant message and handles cases where the latest message has no text.
- Mocked the gateway call to simulate different message histories for comprehensive testing.
* feat(tests): enhance subagent kill-all cascade tests and announce formatting
- Added a new test to verify that the `kill-all` command cascades through ended parents to active descendants in subagents.
- Updated the subagent announce formatting tests to reflect changes in message structure, including the replacement of "Findings:" with "Result:" and the addition of new expectations for message content.
- Improved the handling of long findings and stats in the announce formatting logic to ensure concise output.
- Refactored related functions to enhance clarity and maintainability in the subagent registry and tools.
* refactor(subagent): update announce formatting and remove unused constants
- Modified the subagent announce formatting to replace "Findings:" with "Result:" and adjusted related expectations in tests.
- Removed constants for maximum announce findings characters and summary words, simplifying the announcement logic.
- Updated the handling of findings to retain full content instead of truncating, ensuring more informative outputs.
- Cleaned up unused imports in the commands-subagents file to enhance code clarity.
* feat(tests): enhance billing error handling in user-facing text
- Added tests to ensure that normal text mentioning billing plans is not rewritten, preserving user context.
- Updated the `isBillingErrorMessage` and `sanitizeUserFacingText` functions to improve handling of billing-related messages.
- Introduced new test cases for various scenarios involving billing messages to ensure accurate processing and output.
- Enhanced the subagent announce flow to correctly manage active descendant runs, preventing premature announcements.
* feat(subagent): enhance workflow guidance and auto-announcement clarity
- Added a new guideline in the subagent system prompt to emphasize trust in push-based completion, discouraging busy polling for status updates.
- Updated documentation to clarify that sub-agents will automatically announce their results, improving user understanding of the workflow.
- Enhanced tests to verify the new guidance on avoiding polling loops and to ensure the accuracy of the updated prompts.
* fix(cron): avoid announcing interim subagent spawn acks
* chore: clean post-rebase imports
* fix(cron): fall back to child replies when parent stays interim
* fix(subagents): make active-run guidance advisory
* fix(subagents): update announce flow to handle active descendants and enhance test coverage
- Modified the announce flow to defer announcements when active descendant runs are present, ensuring accurate status reporting.
- Updated tests to verify the new behavior, including scenarios where no fallback requester is available and ensuring proper handling of finished subagents.
- Enhanced the announce formatting to include an `expectFinal` flag for better clarity in the announcement process.
* fix(subagents): enhance announce flow and formatting for user updates
- Updated the announce flow to provide clearer instructions for user updates based on active subagent runs and requester context.
- Refactored the announcement logic to improve clarity and ensure internal context remains private.
- Enhanced tests to verify the new message expectations and formatting, including updated prompts for user-facing updates.
- Introduced a new function to build reply instructions based on session context, improving the overall announcement process.
* fix: resolve prep blockers and changelog placement (#14447) (thanks @tyler6204)
* fix: restore cron delivery-plan import after rebase (#14447) (thanks @tyler6204)
* fix: resolve test failures from rebase conflicts (#14447) (thanks @tyler6204)
* fix: apply formatting after rebase (#14447) (thanks @tyler6204)
2026-02-14 22:03:45 -08:00
|
|
|
"subagents",
|
2026-01-13 06:28:15 +00:00
|
|
|
"session_status",
|
|
|
|
|
"memory_search",
|
|
|
|
|
"memory_get",
|
2026-01-15 04:07:29 +00:00
|
|
|
"web_search",
|
|
|
|
|
"web_fetch",
|
2026-01-13 06:28:15 +00:00
|
|
|
"image",
|
|
|
|
|
],
|
|
|
|
|
};
|
|
|
|
|
|
2026-02-19 14:37:56 +01:00
|
|
|
const OWNER_ONLY_TOOL_NAMES = new Set<string>(["whatsapp_login", "cron", "gateway"]);
|
2026-02-04 19:49:36 -05:00
|
|
|
|
2026-01-13 06:28:15 +00:00
|
|
|
const TOOL_PROFILES: Record<ToolProfileId, ToolProfilePolicy> = {
|
|
|
|
|
minimal: {
|
|
|
|
|
allow: ["session_status"],
|
|
|
|
|
},
|
|
|
|
|
coding: {
|
2026-01-14 14:31:43 +00:00
|
|
|
allow: ["group:fs", "group:runtime", "group:sessions", "group:memory", "image"],
|
2026-01-13 06:28:15 +00:00
|
|
|
},
|
|
|
|
|
messaging: {
|
|
|
|
|
allow: [
|
|
|
|
|
"group:messaging",
|
|
|
|
|
"sessions_list",
|
|
|
|
|
"sessions_history",
|
|
|
|
|
"sessions_send",
|
|
|
|
|
"session_status",
|
|
|
|
|
],
|
|
|
|
|
},
|
|
|
|
|
full: {},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export function normalizeToolName(name: string) {
|
|
|
|
|
const normalized = name.trim().toLowerCase();
|
|
|
|
|
return TOOL_NAME_ALIASES[normalized] ?? normalized;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-04 19:49:36 -05:00
|
|
|
export function isOwnerOnlyToolName(name: string) {
|
|
|
|
|
return OWNER_ONLY_TOOL_NAMES.has(normalizeToolName(name));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function applyOwnerOnlyToolPolicy(tools: AnyAgentTool[], senderIsOwner: boolean) {
|
|
|
|
|
const withGuard = tools.map((tool) => {
|
|
|
|
|
if (!isOwnerOnlyToolName(tool.name)) {
|
|
|
|
|
return tool;
|
|
|
|
|
}
|
|
|
|
|
if (senderIsOwner || !tool.execute) {
|
|
|
|
|
return tool;
|
|
|
|
|
}
|
|
|
|
|
return {
|
|
|
|
|
...tool,
|
|
|
|
|
execute: async () => {
|
2026-02-19 15:06:28 +01:00
|
|
|
throw new Error(OWNER_ONLY_TOOL_ERROR);
|
2026-02-04 19:49:36 -05:00
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
if (senderIsOwner) {
|
|
|
|
|
return withGuard;
|
|
|
|
|
}
|
|
|
|
|
return withGuard.filter((tool) => !isOwnerOnlyToolName(tool.name));
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-13 06:28:15 +00:00
|
|
|
export function normalizeToolList(list?: string[]) {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!list) {
|
|
|
|
|
return [];
|
|
|
|
|
}
|
2026-01-13 06:28:15 +00:00
|
|
|
return list.map(normalizeToolName).filter(Boolean);
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-18 04:18:32 +00:00
|
|
|
export type ToolPolicyLike = {
|
|
|
|
|
allow?: string[];
|
|
|
|
|
deny?: string[];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export type PluginToolGroups = {
|
|
|
|
|
all: string[];
|
|
|
|
|
byPlugin: Map<string, string[]>;
|
|
|
|
|
};
|
|
|
|
|
|
2026-01-24 07:38:15 +00:00
|
|
|
export type AllowlistResolution = {
|
|
|
|
|
policy: ToolPolicyLike | undefined;
|
|
|
|
|
unknownAllowlist: string[];
|
|
|
|
|
strippedAllowlist: boolean;
|
|
|
|
|
};
|
|
|
|
|
|
2026-01-13 06:28:15 +00:00
|
|
|
export function expandToolGroups(list?: string[]) {
|
|
|
|
|
const normalized = normalizeToolList(list);
|
|
|
|
|
const expanded: string[] = [];
|
|
|
|
|
for (const value of normalized) {
|
|
|
|
|
const group = TOOL_GROUPS[value];
|
|
|
|
|
if (group) {
|
|
|
|
|
expanded.push(...group);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
expanded.push(value);
|
|
|
|
|
}
|
|
|
|
|
return Array.from(new Set(expanded));
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-18 04:24:16 +00:00
|
|
|
export function collectExplicitAllowlist(policies: Array<ToolPolicyLike | undefined>): string[] {
|
2026-01-18 04:18:32 +00:00
|
|
|
const entries: string[] = [];
|
|
|
|
|
for (const policy of policies) {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!policy?.allow) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
for (const value of policy.allow) {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (typeof value !== "string") {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
const trimmed = value.trim();
|
2026-01-31 16:19:20 +09:00
|
|
|
if (trimmed) {
|
|
|
|
|
entries.push(trimmed);
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return entries;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-18 04:24:16 +00:00
|
|
|
export function buildPluginToolGroups<T extends { name: string }>(params: {
|
|
|
|
|
tools: T[];
|
|
|
|
|
toolMeta: (tool: T) => { pluginId: string } | undefined;
|
2026-01-18 04:18:32 +00:00
|
|
|
}): PluginToolGroups {
|
|
|
|
|
const all: string[] = [];
|
|
|
|
|
const byPlugin = new Map<string, string[]>();
|
|
|
|
|
for (const tool of params.tools) {
|
|
|
|
|
const meta = params.toolMeta(tool);
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!meta) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
const name = normalizeToolName(tool.name);
|
|
|
|
|
all.push(name);
|
|
|
|
|
const pluginId = meta.pluginId.toLowerCase();
|
|
|
|
|
const list = byPlugin.get(pluginId) ?? [];
|
|
|
|
|
list.push(name);
|
|
|
|
|
byPlugin.set(pluginId, list);
|
|
|
|
|
}
|
|
|
|
|
return { all, byPlugin };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function expandPluginGroups(
|
|
|
|
|
list: string[] | undefined,
|
|
|
|
|
groups: PluginToolGroups,
|
|
|
|
|
): string[] | undefined {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!list || list.length === 0) {
|
|
|
|
|
return list;
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
const expanded: string[] = [];
|
|
|
|
|
for (const entry of list) {
|
|
|
|
|
const normalized = normalizeToolName(entry);
|
|
|
|
|
if (normalized === "group:plugins") {
|
|
|
|
|
if (groups.all.length > 0) {
|
|
|
|
|
expanded.push(...groups.all);
|
|
|
|
|
} else {
|
|
|
|
|
expanded.push(normalized);
|
|
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
const tools = groups.byPlugin.get(normalized);
|
|
|
|
|
if (tools && tools.length > 0) {
|
|
|
|
|
expanded.push(...tools);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
expanded.push(normalized);
|
|
|
|
|
}
|
|
|
|
|
return Array.from(new Set(expanded));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function expandPolicyWithPluginGroups(
|
|
|
|
|
policy: ToolPolicyLike | undefined,
|
|
|
|
|
groups: PluginToolGroups,
|
|
|
|
|
): ToolPolicyLike | undefined {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!policy) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-01-18 04:18:32 +00:00
|
|
|
return {
|
|
|
|
|
allow: expandPluginGroups(policy.allow, groups),
|
|
|
|
|
deny: expandPluginGroups(policy.deny, groups),
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-23 09:01:41 +00:00
|
|
|
export function stripPluginOnlyAllowlist(
|
|
|
|
|
policy: ToolPolicyLike | undefined,
|
|
|
|
|
groups: PluginToolGroups,
|
2026-01-24 07:38:15 +00:00
|
|
|
coreTools: Set<string>,
|
|
|
|
|
): AllowlistResolution {
|
|
|
|
|
if (!policy?.allow || policy.allow.length === 0) {
|
|
|
|
|
return { policy, unknownAllowlist: [], strippedAllowlist: false };
|
|
|
|
|
}
|
2026-01-23 09:01:41 +00:00
|
|
|
const normalized = normalizeToolList(policy.allow);
|
2026-01-24 07:38:15 +00:00
|
|
|
if (normalized.length === 0) {
|
|
|
|
|
return { policy, unknownAllowlist: [], strippedAllowlist: false };
|
|
|
|
|
}
|
2026-01-23 09:01:41 +00:00
|
|
|
const pluginIds = new Set(groups.byPlugin.keys());
|
|
|
|
|
const pluginTools = new Set(groups.all);
|
2026-01-24 07:38:15 +00:00
|
|
|
const unknownAllowlist: string[] = [];
|
|
|
|
|
let hasCoreEntry = false;
|
|
|
|
|
for (const entry of normalized) {
|
2026-02-02 08:45:47 +00:00
|
|
|
if (entry === "*") {
|
|
|
|
|
hasCoreEntry = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2026-01-24 07:38:15 +00:00
|
|
|
const isPluginEntry =
|
|
|
|
|
entry === "group:plugins" || pluginIds.has(entry) || pluginTools.has(entry);
|
|
|
|
|
const expanded = expandToolGroups([entry]);
|
|
|
|
|
const isCoreEntry = expanded.some((tool) => coreTools.has(tool));
|
2026-01-31 16:19:20 +09:00
|
|
|
if (isCoreEntry) {
|
|
|
|
|
hasCoreEntry = true;
|
|
|
|
|
}
|
|
|
|
|
if (!isCoreEntry && !isPluginEntry) {
|
|
|
|
|
unknownAllowlist.push(entry);
|
|
|
|
|
}
|
2026-01-24 07:38:15 +00:00
|
|
|
}
|
|
|
|
|
const strippedAllowlist = !hasCoreEntry;
|
2026-01-25 00:40:13 -08:00
|
|
|
// When an allowlist contains only plugin tools, we strip it to avoid accidentally
|
|
|
|
|
// disabling core tools. Users who want additive behavior should prefer `tools.alsoAllow`.
|
|
|
|
|
if (strippedAllowlist) {
|
|
|
|
|
// Note: logging happens in the caller (pi-tools/tools-invoke) after this function returns.
|
|
|
|
|
// We keep this note here for future maintainers.
|
|
|
|
|
}
|
2026-01-24 07:38:15 +00:00
|
|
|
return {
|
|
|
|
|
policy: strippedAllowlist ? { ...policy, allow: undefined } : policy,
|
|
|
|
|
unknownAllowlist: Array.from(new Set(unknownAllowlist)),
|
|
|
|
|
strippedAllowlist,
|
|
|
|
|
};
|
2026-01-23 09:01:41 +00:00
|
|
|
}
|
|
|
|
|
|
2026-01-14 14:31:43 +00:00
|
|
|
export function resolveToolProfilePolicy(profile?: string): ToolProfilePolicy | undefined {
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!profile) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-01-13 06:28:15 +00:00
|
|
|
const resolved = TOOL_PROFILES[profile as ToolProfileId];
|
2026-01-31 16:19:20 +09:00
|
|
|
if (!resolved) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
if (!resolved.allow && !resolved.deny) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-01-13 06:28:15 +00:00
|
|
|
return {
|
|
|
|
|
allow: resolved.allow ? [...resolved.allow] : undefined,
|
|
|
|
|
deny: resolved.deny ? [...resolved.deny] : undefined,
|
|
|
|
|
};
|
|
|
|
|
}
|
2026-02-15 16:52:02 +00:00
|
|
|
|
|
|
|
|
export function mergeAlsoAllowPolicy<TPolicy extends { allow?: string[] }>(
|
|
|
|
|
policy: TPolicy | undefined,
|
|
|
|
|
alsoAllow?: string[],
|
|
|
|
|
): TPolicy | undefined {
|
|
|
|
|
if (!policy?.allow || !Array.isArray(alsoAllow) || alsoAllow.length === 0) {
|
|
|
|
|
return policy;
|
|
|
|
|
}
|
|
|
|
|
return { ...policy, allow: Array.from(new Set([...policy.allow, ...alsoAllow])) };
|
|
|
|
|
}
|