vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 01:20:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d0cf6731aa4e6328f1b2441ecb2fea4e03e77836
openclaw/src/agents/tools/sessions-access.test.ts
Tak Hoffman 2c1d16e261 fix: drop spawned visibility list caps
2026-03-24 20:52:05 -05:00

177 lines
6.2 KiB
TypeScript
Raw Blame History

import { describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../../config/config.js";
import {
createAgentToAgentPolicy,
createSessionVisibilityGuard,
resolveEffectiveSessionToolsVisibility,
resolveSandboxSessionToolsVisibility,
resolveSandboxedSessionToolContext,
resolveSessionToolsVisibility,
} from "./sessions-access.js";
import { __testing as sessionsResolutionTesting } from "./sessions-resolution.js";
describe("resolveSessionToolsVisibility", () => {
it("defaults to tree when unset or invalid", () => {
expect(resolveSessionToolsVisibility({} as unknown as OpenClawConfig)).toBe("tree");
expect(
resolveSessionToolsVisibility({
tools: { sessions: { visibility: "invalid" } },
} as unknown as OpenClawConfig),
).toBe("tree");
});
it("accepts known visibility values case-insensitively", () => {
expect(
resolveSessionToolsVisibility({
tools: { sessions: { visibility: "ALL" } },
} as unknown as OpenClawConfig),
).toBe("all");
});
});
describe("resolveEffectiveSessionToolsVisibility", () => {
it("clamps to tree in sandbox when sandbox visibility is spawned", () => {
const cfg = {
tools: { sessions: { visibility: "all" } },
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
} as unknown as OpenClawConfig;
expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("tree");
});
it("preserves visibility when sandbox clamp is all", () => {
const cfg = {
tools: { sessions: { visibility: "all" } },
agents: { defaults: { sandbox: { sessionToolsVisibility: "all" } } },
} as unknown as OpenClawConfig;
expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("all");
});
});
describe("sandbox session-tools context", () => {
it("defaults sandbox visibility clamp to spawned", () => {
expect(resolveSandboxSessionToolsVisibility({} as unknown as OpenClawConfig)).toBe("spawned");
});
it("restricts non-subagent sandboxed sessions to spawned visibility", () => {
const cfg = {
tools: { sessions: { visibility: "all" } },
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
} as unknown as OpenClawConfig;
const context = resolveSandboxedSessionToolContext({
cfg,
agentSessionKey: "agent:main:main",
sandboxed: true,
});
expect(context.restrictToSpawned).toBe(true);
expect(context.requesterInternalKey).toBe("agent:main:main");
expect(context.effectiveRequesterKey).toBe("agent:main:main");
});
it("does not restrict subagent sessions in sandboxed mode", () => {
const cfg = {
tools: { sessions: { visibility: "all" } },
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
} as unknown as OpenClawConfig;
const context = resolveSandboxedSessionToolContext({
cfg,
agentSessionKey: "agent:main:subagent:abc",
sandboxed: true,
});
expect(context.restrictToSpawned).toBe(false);
expect(context.requesterInternalKey).toBe("agent:main:subagent:abc");
});
});
describe("createAgentToAgentPolicy", () => {
it("denies cross-agent access when disabled", () => {
const policy = createAgentToAgentPolicy({} as unknown as OpenClawConfig);
expect(policy.enabled).toBe(false);
expect(policy.isAllowed("main", "main")).toBe(true);
expect(policy.isAllowed("main", "ops")).toBe(false);
});
it("honors allow patterns when enabled", () => {
const policy = createAgentToAgentPolicy({
tools: {
agentToAgent: {
enabled: true,
allow: ["ops-*", "main"],
},
},
} as unknown as OpenClawConfig);
expect(policy.isAllowed("ops-a", "ops-b")).toBe(true);
expect(policy.isAllowed("main", "ops-a")).toBe(true);
expect(policy.isAllowed("guest", "ops-a")).toBe(false);
});
});
describe("createSessionVisibilityGuard", () => {
it("does not block exact same-agent spawned targets that fall past the spawned list cap", async () => {
sessionsResolutionTesting.setDepsForTest({
callGateway: vi.fn(async (request: { method?: string; params?: { key?: string } }) => {
if (request.method === "sessions.resolve") {
return { key: request.params?.key };
}
if (request.method === "sessions.list") {
return {
sessions: [
...Array.from({ length: 500 }, (_, index) => ({
key: `agent:main:subagent:worker-${index}`,
})),
{ key: "agent:main:subagent:worker-999" },
],
};
}
return {};
}) as never,
});
const guard = await createSessionVisibilityGuard({
action: "history",
requesterSessionKey: "agent:main:main",
visibility: "tree",
a2aPolicy: createAgentToAgentPolicy({} as unknown as OpenClawConfig),
});
expect(guard.check("agent:main:subagent:worker-999")).toEqual({ allowed: true });
sessionsResolutionTesting.setDepsForTest();
});
it("blocks cross-agent send when agent-to-agent is disabled", async () => {
const guard = await createSessionVisibilityGuard({
action: "send",
requesterSessionKey: "agent:main:main",
visibility: "all",
a2aPolicy: createAgentToAgentPolicy({} as unknown as OpenClawConfig),
});
expect(guard.check("agent:ops:main")).toEqual({
allowed: false,
status: "forbidden",
error:
"Agent-to-agent messaging is disabled. Set tools.agentToAgent.enabled=true to allow cross-agent sends.",
});
});
it("enforces self visibility for same-agent sessions", async () => {
const guard = await createSessionVisibilityGuard({
action: "history",
requesterSessionKey: "agent:main:main",
visibility: "self",
a2aPolicy: createAgentToAgentPolicy({} as unknown as OpenClawConfig),
});
expect(guard.check("agent:main:main")).toEqual({ allowed: true });
expect(guard.check("agent:main:telegram:group:1")).toEqual({
allowed: false,
status: "forbidden",
error:
"Session history visibility is restricted to the current session (tools.sessions.visibility=self).",
});
});
});
Reference in New Issue View Git Blame Copy Permalink