
feat: implement core tool categories and granular sub-constraints #1101

Merged
Aureliolo merged 18 commits into main from feat/tool-system
Apr 7, 2026

@Aureliolo
Owner

Summary

Implements #1034 (core tool categories) and #220 (granular tool access sub-constraints) as a single cohesive change. Adds 6 new tools across 3 categories, a shared SSRF prevention layer, and a granular sub-constraint enforcement pipeline integrated into the existing tool invoker.

Tool Categories (#1034)

Web tools (tools/web/)

  • HttpRequestTool: GET/POST/PUT/DELETE via httpx with SSRF prevention (shared NetworkPolicy, IP blocklist, DNS validation). Redirects disabled to prevent SSRF bypass. Response truncation at configurable max bytes.
  • WebSearchTool: Vendor-agnostic search via WebSearchProvider protocol -- no concrete implementation shipped (inject via MCP bridge or custom provider).
  • HtmlParserTool: Text/links/metadata extraction via stdlib html.parser. Strips script/style tags. Operates on pre-fetched content (no HTTP).

Database tools (tools/database/)

  • SqlQueryTool: Parameterized SQL execution via aiosqlite. Read-only by default with defense-in-depth: statement keyword classification AND SQLite URI-based ?mode=ro. Query timeout via asyncio.wait_for. Table name validation regex for PRAGMA queries.
  • SchemaInspectTool: list_tables (sqlite_master) + describe_table (PRAGMA table_info with safe identifier validation).

Terminal tools (tools/terminal/)

  • ShellCommandTool: Sandboxed command execution via SandboxBackend delegation. Command allow/blocklist. Working directory support. Output truncation. Returns error when no sandbox configured.

Shared infrastructure

  • network_validator.py: Extracted SSRF blocklist and DNS validation from git_url_validator (backward compatible). NetworkPolicy model reusable across tool categories. Case-insensitive scheme validation.

Granular Sub-Constraints (#220)

Models (sub_constraints.py)

  • Five constraint dimension enums: FileSystemScope, NetworkMode, GitAccess, CodeExecutionIsolation, TerminalAccess
  • ToolSubConstraints frozen Pydantic model with per-level defaults matching operations.md section 11.2
  • get_sub_constraints() resolution with custom override support

Enforcement (sub_constraint_enforcer.py)

  • SubConstraintEnforcer checks network (blocks WEB when NONE), terminal (blocks TERMINAL when NONE), git (blocks push for LOCAL_ONLY/READ_AND_BRANCH, blocks clone for LOCAL_ONLY), and requires_approval (escalation for matching action type prefixes)
  • Integrated into ToolPermissionChecker (optional sub_constraints param)
  • Wired into ToolInvoker pipeline between permission check and param validation

Agent model

  • ToolPermissions gains sub_constraints: ToolSubConstraints | None field for per-agent overrides

Integration

  • Tool factory extended with _build_web/database/terminal_tools builders
  • RootConfig gains optional web, database, terminal config fields
  • Event constants for web, database, terminal, sub_constraint domains
  • New dependency: httpx==0.28.1 (async HTTP client)

Security Highlights

  • SSRF: shared IP blocklist (IPv4+IPv6), DNS resolution validation, scheme restriction, redirect disabled, fail-closed on unparseable IPs
  • SQL injection: parameterized queries + table name regex + SQLite read-only URI mode
  • Command injection: sandbox delegation + allow/blocklist (documented as best-effort safety net, sandbox is primary defense)
  • Sub-constraints: network=NONE blocks web tools, terminal=NONE blocks shell tools, git=LOCAL_ONLY blocks clone+push

Test Plan

  • 170+ new unit tests across 22 test files
  • All 14,827 existing unit tests continue to pass
  • Pre-reviewed by 10 agents, 25 findings addressed (security fixes, conventions, docs)

Review Coverage

  • code-reviewer, security-reviewer, type-design-analyzer, silent-failure-hunter, pr-test-analyzer, async-concurrency-reviewer, conventions-enforcer, logging-audit, issue-resolution-verifier, docs-consistency

Closes #1034
Closes #220
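
Added example, not code from this pull request: the SSRF checks listed under Security Highlights (case-insensitive scheme restriction, DNS resolution validation against an IPv4+IPv6 blocklist, fail-closed on unparseable IPs) written out in Python. The function names, the blocklist ranges and the allowed schemes are assumptions; the project's network_validator.py is not shown on the page.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed; the page only says schemes are restricted
# Assumed blocklist for illustration; the project's actual list is not shown on the page.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolver(host, port):
    """Default resolver: every address getaddrinfo returns for the host."""
    return [info[4][0] for info in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def is_blocked_ip(raw):
    """True if the address is on the blocklist; unparseable input counts as blocked."""
    try:
        ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return True  # fail closed
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_url(url, resolver=system_resolver):
    """Return (allowed, reason); every resolved address must pass the blocklist."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host, port or (443 if parts.scheme == "https" else 80))
    except OSError:
        return False, "dns resolution failed"
    if not addresses:
        return False, "no addresses"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"blocked address {addr}"
    return True, "ok"
```

The verdict only holds if the HTTP client then connects to the addresses that were validated and does not follow redirects, since a second DNS lookup or a redirect reaches a host this check never saw.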


Development

Successfully merging this pull request may close these issues.

feat: implement core tool categories -- web, database, terminal/shell
feat: implement granular tool access sub-constraints

3 participants