refactor(security): share sandbox tool policy picker

2026-05-08 13:01:25 +00:00 · 2026-02-15 13:10:07 +00:00
parent 428b6e0dee
commit d7079b5578
3 changed files with 37 additions and 64 deletions
--- a/src/security/audit-tool-policy.ts
+++ b/src/security/audit-tool-policy.ts
@@ -0,0 +1,31 @@
+import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
+
+function unionAllow(base?: string[], extra?: string[]): string[] | undefined {
+  if (!Array.isArray(extra) || extra.length === 0) {
+    return base;
+  }
+  if (!Array.isArray(base) || base.length === 0) {
+    return Array.from(new Set(["*", ...extra]));
+  }
+  return Array.from(new Set([...base, ...extra]));
+}
+
+export function pickSandboxToolPolicy(config?: {
+  allow?: string[];
+  alsoAllow?: string[];
+  deny?: string[];
+}): SandboxToolPolicy | undefined {
+  if (!config) {
+    return undefined;
+  }
+  const allow = Array.isArray(config.allow)
+    ? unionAllow(config.allow, config.alsoAllow)
+    : Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0
+      ? unionAllow(undefined, config.alsoAllow)
+      : undefined;
+  const deny = Array.isArray(config.deny) ? config.deny : undefined;
+  if (!allow && !deny) {
+    return undefined;
+  }
+  return { allow, deny };
+}