fix(policy): restore additive alsoAllow semantics

Agustin Rivera
2026-03-31 17:27:50 +00:00
parent 2195b304ca
commit 236a510060
2 changed files with 29 additions and 3 deletions


@@ -1,18 +1,21 @@
import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import { resolveEffectiveToolPolicy } from "./pi-tools.policy.js";
import { pickSandboxToolPolicy } from "./sandbox-tool-policy.js";
import { resolveEffectiveToolFsRootExpansionAllowed } from "./tool-fs-policy.js";
describe("pickSandboxToolPolicy", () => {
it("returns undefined when neither allow nor deny is configured", () => {
expect(pickSandboxToolPolicy({})).toBeUndefined();
});
it("treats alsoAllow without allow as a restrictive allowlist", () => {
it("keeps alsoAllow without allow additive", () => {
expect(
pickSandboxToolPolicy({
alsoAllow: ["web_search"],
}),
).toEqual({
allow: ["web_search"],
allow: ["*", "web_search"],
deny: undefined,
});
});
@@ -51,4 +54,27 @@ describe("pickSandboxToolPolicy", () => {
deny: ["exec"],
});
});
it("keeps global alsoAllow additive in effective tool policy resolution", () => {
const cfg: OpenClawConfig = {
tools: {
profile: "coding",
alsoAllow: ["lobster"],
},
};
const resolved = resolveEffectiveToolPolicy({ config: cfg, agentId: "main" });
expect(resolved.globalPolicy).toEqual({ allow: ["*", "lobster"], deny: undefined });
expect(resolved.profileAlsoAllow).toEqual(["lobster"]);
});
it("does not block fs root expansion when only global alsoAllow is configured", () => {
const cfg: OpenClawConfig = {
tools: {
alsoAllow: ["lobster"],
},
};
expect(resolveEffectiveToolFsRootExpansionAllowed({ cfg, agentId: "main" })).toBe(true);
});
});
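Review bot: The new cases only pin the widened result; none of them asserts that a restriction still holds once `allow` is synthesized with a leading `"*"`. In the `profile: "coding"` case, `globalPolicy` is expected to be `{ allow: ["*", "lobster"], deny: undefined }`, and nothing visible here checks that the profile still limits the tool set, so I would add an assertion on the resolved profile policy next to the `profileAlsoAllow` one. A case with `alsoAllow` plus `deny` and no `allow` would also document that deny entries survive the wildcard, e.g. `expect(pickSandboxToolPolicy({ alsoAllow: ["web_search"], deny: ["exec"] })).toEqual({ allow: ["*", "web_search"], deny: ["exec"] });`, assuming deny is passed through unchanged. The context at the top of the second hunk has a `deny: ["exec"]` expectation, but its inputs are outside the hunk.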


@@ -11,7 +11,7 @@ function unionAllow(base?: string[], extra?: string[]): string[] | undefined {
return base;
}
if (!Array.isArray(base)) {
return Array.from(new Set(extra));
return Array.from(new Set(["*", ...extra]));
}
if (base.length === 0) {
return base;
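Review bot: `!Array.isArray(base)` is true for any non-array `base`, not only an absent one, so after this change a malformed `allow` that reaches this function at runtime would resolve to `["*", ...extra]` (allow-all), where it previously resolved to just `extra`. If the config is schema-validated before this point the case is unreachable, but that cannot be told from the hunk. I would make the permissive branch explicit with `if (base === undefined) { return Array.from(new Set(["*", ...extra])); }` and keep the old restrictive result for other non-array values. Because the `"*"` flips the default from restrictive to permissive, a comment such as `// no explicit allow list: treat as "*" so alsoAllow only adds and never narrows` belongs on that branch. unionAllow starts and ends outside the hunk.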