Skip to content

Implement tool permission checking based on role and access level #16

Closed
#147
Closed
Implement tool permission checking based on role and access level#16
#147
Labels
prio:highImportant, should be prioritizedscope:medium1-3 days of workspec:securityDESIGN_SPEC Section 12 - Security & Approval Systemspec:toolsDESIGN_SPEC Section 11 - Tool & Capability Systemtype:featureNew feature implementation
Milestone
M3: Single Agent Execution
@Aureliolo

Description

@Aureliolo
Aureliolo
opened on Feb 27, 2026

Context

Enforce tool authorization before every tool invocation per spec 11.2. Different agents have different access levels, and the permission system ensures agents can only use tools appropriate to their role and trust level.

Acceptance Criteria

  • Permission check executed before every tool invocation
  • Access levels implemented: sandboxed, restricted, standard, elevated, custom
  • Access level determines which tools are available to an agent
  • Agent-specific allowed/denied tool lists enforced
  • Clear denial messages explaining why a tool is not available
  • Fast permission checks (no LLM calls, pure config-based logic)
  • Unit tests for all access levels
  • Unit tests for allowed/denied list enforcement
  • Integration with tool registry from Implement hierarchical delegation (task flows down, results flow up) #12

Dependencies

Design Spec Reference

Section 11.2 — Tool Access Control

Metadata

Metadata

Assignees

No one assigned

    Labels

    prio:highImportant, should be prioritizedscope:medium1-3 days of workspec:securityDESIGN_SPEC Section 12 - Security & Approval Systemspec:toolsDESIGN_SPEC Section 11 - Tool & Capability Systemtype:featureNew feature implementation

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions