Skip to content

Commit 268c14f

Browse files
steipetesteipete
committed
refactor(tools): centralize default policy steps
1 parent 1a4fb35 commit 268c14f

3 files changed

Lines changed: 80 additions & 64 deletions

File tree

src/agents/pi-tools.ts

Lines changed: 16 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,10 @@ import {
4343
wrapToolParamNormalization,
4444
} from "./pi-tools.read.js";
4545
import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
46-
import { applyToolPolicyPipeline } from "./tool-policy-pipeline.js";
46+
import {
47+
applyToolPolicyPipeline,
48+
buildDefaultToolPolicyPipelineSteps,
49+
} from "./tool-policy-pipeline.js";
4750
import {
4851
applyOwnerOnlyToolPolicy,
4952
collectExplicitAllowlist,
@@ -389,37 +392,18 @@ export function createOpenClawCodingTools(options?: {
389392
toolMeta: (tool) => getPluginToolMeta(tool),
390393
warn: logWarn,
391394
steps: [
392-
{
393-
policy: profilePolicyWithAlsoAllow,
394-
label: profile ? `tools.profile (${profile})` : "tools.profile",
395-
stripPluginOnlyAllowlist: true,
396-
},
397-
{
398-
policy: providerProfilePolicyWithAlsoAllow,
399-
label: providerProfile
400-
? `tools.byProvider.profile (${providerProfile})`
401-
: "tools.byProvider.profile",
402-
stripPluginOnlyAllowlist: true,
403-
},
404-
{ policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
405-
{
406-
policy: globalProviderPolicy,
407-
label: "tools.byProvider.allow",
408-
stripPluginOnlyAllowlist: true,
409-
},
410-
{
411-
policy: agentPolicy,
412-
label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
413-
stripPluginOnlyAllowlist: true,
414-
},
415-
{
416-
policy: agentProviderPolicy,
417-
label: agentId
418-
? `agents.${agentId}.tools.byProvider.allow`
419-
: "agent tools.byProvider.allow",
420-
stripPluginOnlyAllowlist: true,
421-
},
422-
{ policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
395+
...buildDefaultToolPolicyPipelineSteps({
396+
profilePolicy: profilePolicyWithAlsoAllow,
397+
profile,
398+
providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
399+
providerProfile,
400+
globalPolicy,
401+
globalProviderPolicy,
402+
agentPolicy,
403+
agentProviderPolicy,
404+
groupPolicy,
405+
agentId,
406+
}),
423407
{ policy: sandbox?.tools, label: "sandbox tools.allow" },
424408
{ policy: subagentPolicy, label: "subagent tools.allow" },
425409
],

src/agents/tool-policy-pipeline.ts

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,54 @@ export type ToolPolicyPipelineStep = {
1414
stripPluginOnlyAllowlist?: boolean;
1515
};
1616

17+
export function buildDefaultToolPolicyPipelineSteps(params: {
18+
profilePolicy?: ToolPolicyLike;
19+
profile?: string;
20+
providerProfilePolicy?: ToolPolicyLike;
21+
providerProfile?: string;
22+
globalPolicy?: ToolPolicyLike;
23+
globalProviderPolicy?: ToolPolicyLike;
24+
agentPolicy?: ToolPolicyLike;
25+
agentProviderPolicy?: ToolPolicyLike;
26+
groupPolicy?: ToolPolicyLike;
27+
agentId?: string;
28+
}): ToolPolicyPipelineStep[] {
29+
const agentId = params.agentId?.trim();
30+
const profile = params.profile?.trim();
31+
const providerProfile = params.providerProfile?.trim();
32+
return [
33+
{
34+
policy: params.profilePolicy,
35+
label: profile ? `tools.profile (${profile})` : "tools.profile",
36+
stripPluginOnlyAllowlist: true,
37+
},
38+
{
39+
policy: params.providerProfilePolicy,
40+
label: providerProfile
41+
? `tools.byProvider.profile (${providerProfile})`
42+
: "tools.byProvider.profile",
43+
stripPluginOnlyAllowlist: true,
44+
},
45+
{ policy: params.globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
46+
{
47+
policy: params.globalProviderPolicy,
48+
label: "tools.byProvider.allow",
49+
stripPluginOnlyAllowlist: true,
50+
},
51+
{
52+
policy: params.agentPolicy,
53+
label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
54+
stripPluginOnlyAllowlist: true,
55+
},
56+
{
57+
policy: params.agentProviderPolicy,
58+
label: agentId ? `agents.${agentId}.tools.byProvider.allow` : "agent tools.byProvider.allow",
59+
stripPluginOnlyAllowlist: true,
60+
},
61+
{ policy: params.groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
62+
];
63+
}
64+
1765
export function applyToolPolicyPipeline(params: {
1866
tools: AnyAgentTool[];
1967
toolMeta: (tool: AnyAgentTool) => { pluginId: string } | undefined;

src/gateway/tools-invoke-http.ts

Lines changed: 16 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,10 @@ import {
66
resolveGroupToolPolicy,
77
resolveSubagentToolPolicy,
88
} from "../agents/pi-tools.policy.js";
9-
import { applyToolPolicyPipeline } from "../agents/tool-policy-pipeline.js";
9+
import {
10+
applyToolPolicyPipeline,
11+
buildDefaultToolPolicyPipelineSteps,
12+
} from "../agents/tool-policy-pipeline.js";
1013
import { collectExplicitAllowlist, resolveToolProfilePolicy } from "../agents/tool-policy.js";
1114
import { ToolInputError } from "../agents/tools/common.js";
1215
import { loadConfig } from "../config/config.js";
@@ -259,37 +262,18 @@ export async function handleToolsInvokeHttpRequest(
259262
toolMeta: (tool) => getPluginToolMeta(tool as any),
260263
warn: logWarn,
261264
steps: [
262-
{
263-
policy: profilePolicyWithAlsoAllow,
264-
label: profile ? `tools.profile (${profile})` : "tools.profile",
265-
stripPluginOnlyAllowlist: true,
266-
},
267-
{
268-
policy: providerProfilePolicyWithAlsoAllow,
269-
label: providerProfile
270-
? `tools.byProvider.profile (${providerProfile})`
271-
: "tools.byProvider.profile",
272-
stripPluginOnlyAllowlist: true,
273-
},
274-
{ policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
275-
{
276-
policy: globalProviderPolicy,
277-
label: "tools.byProvider.allow",
278-
stripPluginOnlyAllowlist: true,
279-
},
280-
{
281-
policy: agentPolicy,
282-
label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
283-
stripPluginOnlyAllowlist: true,
284-
},
285-
{
286-
policy: agentProviderPolicy,
287-
label: agentId
288-
? `agents.${agentId}.tools.byProvider.allow`
289-
: "agent tools.byProvider.allow",
290-
stripPluginOnlyAllowlist: true,
291-
},
292-
{ policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
265+
...buildDefaultToolPolicyPipelineSteps({
266+
profilePolicy: profilePolicyWithAlsoAllow,
267+
profile,
268+
providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
269+
providerProfile,
270+
globalPolicy,
271+
globalProviderPolicy,
272+
agentPolicy,
273+
agentProviderPolicy,
274+
groupPolicy,
275+
agentId,
276+
}),
293277
{ policy: subagentPolicy, label: "subagent tools.allow" },
294278
],
295279
});

0 commit comments

Comments
 (0)