github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 23:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: guard tool allowlists with warnings

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-24 07:38:15 +00:00
parent ad7fc4964a
commit 15620b1092
5 changed files with 98 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/agents/tool-policy.plugin-only-allowlist.test.ts
View File

@@ -6,20 +6,46 @@ const pluginGroups: PluginToolGroups = {
all: ["lobster", "workflow_tool"],
byPlugin: new Map([["lobster", ["lobster", "workflow_tool"]]]),
};
const coreTools = new Set(["read", "write", "exec", "session_status"]);
describe("stripPluginOnlyAllowlist", () => {
it("strips allowlist when it only targets plugin tools", () => {
const policy = stripPluginOnlyAllowlist({ allow: ["lobster"] }, pluginGroups);
expect(policy?.allow).toBeUndefined();
const policy = stripPluginOnlyAllowlist({ allow: ["lobster"] }, pluginGroups, coreTools);
expect(policy.policy?.allow).toBeUndefined();
expect(policy.unknownAllowlist).toEqual([]);
});
it("strips allowlist when it only targets plugin groups", () => {
const policy = stripPluginOnlyAllowlist({ allow: ["group:plugins"] }, pluginGroups);
expect(policy?.allow).toBeUndefined();
const policy = stripPluginOnlyAllowlist({ allow: ["group:plugins"] }, pluginGroups, coreTools);
expect(policy.policy?.allow).toBeUndefined();
expect(policy.unknownAllowlist).toEqual([]);
});
it("keeps allowlist when it mixes plugin and core entries", () => {
const policy = stripPluginOnlyAllowlist({ allow: ["lobster", "read"] }, pluginGroups);
expect(policy?.allow).toEqual(["lobster", "read"]);
const policy = stripPluginOnlyAllowlist(
{ allow: ["lobster", "read"] },
pluginGroups,
coreTools,
);
expect(policy.policy?.allow).toEqual(["lobster", "read"]);
expect(policy.unknownAllowlist).toEqual([]);
});
it("strips allowlist with unknown entries when no core tools match", () => {
const emptyPlugins: PluginToolGroups = { all: [], byPlugin: new Map() };
const policy = stripPluginOnlyAllowlist({ allow: ["lobster"] }, emptyPlugins, coreTools);
expect(policy.policy?.allow).toBeUndefined();
expect(policy.unknownAllowlist).toEqual(["lobster"]);
});
it("keeps allowlist with core tools and reports unknown entries", () => {
const emptyPlugins: PluginToolGroups = { all: [], byPlugin: new Map() };
const policy = stripPluginOnlyAllowlist(
{ allow: ["read", "lobster"] },
emptyPlugins,
coreTools,
);
expect(policy.policy?.allow).toEqual(["read", "lobster"]);
expect(policy.unknownAllowlist).toEqual(["lobster"]);
});
});