kent/consciousness
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix tool permissions: remove global fallback in dispatch_with_agent

Browse source 
When an agent context is present, only dispatch tools in the agent's
tool list. The global fallback was bypassing per-agent tool
restrictions — a subconscious agent could call bash, edit, or any
tool even if its .agent file only allowed memory tools.

Co-Authored-By: Proof of Concept <poc@bcachefs.org>
This commit is contained in:
Kent Overstreet 2026-04-08 19:19:05 -04:00
parent d451b69196
commit 1776222b07
1 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/agent/tools/mod.rs
View file

@ -144,12 +144,13 @@ pub async fn dispatch_with_agent(
agent: Option<std::sync::Arc<super::Agent>>, agent: Option<std::sync::Arc<super::Agent>>,
) -> String { ) -> String {
let tool = if let Some(ref a) = agent { let tool = if let Some(ref a) = agent {
// Only dispatch tools the agent is allowed to use
let guard = a.state.lock().await; let guard = a.state.lock().await;
guard.tools.iter().find(|t| t.name == name).copied() guard.tools.iter().find(|t| t.name == name).copied()
} else { } else {
None // No agent context — allow all tools (CLI/MCP path)
tools().into_iter().find(|t| t.name == name)
}; };
let tool = tool.or_else(|| tools().into_iter().find(|t| t.name == name));
match tool { match tool {
Some(t) => (t.handler)(agent, args.clone()).await Some(t) => (t.handler)(agent, args.clone()).await
.unwrap_or_else(|e| format!("Error: {}", e)), .unwrap_or_else(|e| format!("Error: {}", e)),