refactor(core): dedupe tool policy and IPv4 matcher logic

2026-05-09 17:54:32 +00:00 · 2026-02-16 16:14:54 +00:00
parent 110b1cf46f
commit df6d0ee92b
4 changed files with 54 additions and 87 deletions
--- a/src/agents/sandbox-tool-policy.ts
+++ b/src/agents/sandbox-tool-policy.ts
@@ -0,0 +1,37 @@
+import type { SandboxToolPolicy } from "./sandbox/types.js";
+
+type SandboxToolPolicyConfig = {
+  allow?: string[];
+  alsoAllow?: string[];
+  deny?: string[];
+};
+
+function unionAllow(base?: string[], extra?: string[]): string[] | undefined {
+  if (!Array.isArray(extra) || extra.length === 0) {
+    return base;
+  }
+  // If the user is using alsoAllow without an allowlist, treat it as additive on top of
+  // an implicit allow-all policy.
+  if (!Array.isArray(base) || base.length === 0) {
+    return Array.from(new Set(["*", ...extra]));
+  }
+  return Array.from(new Set([...base, ...extra]));
+}
+
+export function pickSandboxToolPolicy(
+  config?: SandboxToolPolicyConfig,
+): SandboxToolPolicy | undefined {
+  if (!config) {
+    return undefined;
+  }
+  const allow = Array.isArray(config.allow)
+    ? unionAllow(config.allow, config.alsoAllow)
+    : Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0
+      ? unionAllow(undefined, config.alsoAllow)
+      : undefined;
+  const deny = Array.isArray(config.deny) ? config.deny : undefined;
+  if (!allow && !deny) {
+    return undefined;
+  }
+  return { allow, deny };
+}