Skip to content

security: authorize create_agent host-side (approval for confined groups)#2720

Merged
gavrielc merged 1 commit into
mainfrom
security/authorize-create-agent
Jun 9, 2026
Merged

security: authorize create_agent host-side (approval for confined groups)#2720
gavrielc merged 1 commit into
mainfrom
security/authorize-create-agent

Conversation

@gavrielc

@gavrielc gavrielc commented Jun 9, 2026

Copy link
Copy Markdown
Collaborator

Adds a host-side authorization check for the create_agent system action, which creates persistent agent groups and writes routing/ACL rows. Previously this was gated only inside the container; the host applied it without re-checking.

Authorization is by CLI scope:

  • trusted owner agent groups (global scope) create sub-agents directly;
  • other (confined) groups require admin approval via the existing approval flow;
  • unknown/missing config fails closed to approval.

Includes regression tests for the branch (global → direct; group/disabled/missing → approval). Corrects the stale container-side comments that claimed the host already re-checked permission.

This is an approval-based alternative to #2383, which denies confined groups outright. Co-authored from that work — thanks @Hinotoi-agent.

🤖 Generated with Claude Code

…ups)

create_agent writes central-DB state (agent_groups, container_configs,
agent_destinations) and scaffolds host filesystem state, but the only
gate lived inside the untrusted container and is bypassed by writing the
outbound system row directly (the "host re-checks permission" comment was
false). Authorize host-side by CLI scope: trusted owner agent groups
(global scope) create sub-agents directly; confined groups require admin
approval via requestApproval. Adds regression tests for the branch.

Alternative to #2383 (which denies confined groups outright); co-authored
from that work.

Co-Authored-By: hinotoi-agent <[email protected]>
Co-Authored-By: Claude Fable 5 <[email protected]>
@gavrielc gavrielc requested a review from gabi-simons as a code owner June 9, 2026 19:30
@gavrielc gavrielc merged commit ac37ecb into main Jun 9, 2026
2 checks passed
javexed added a commit to javexed/nanoclaw that referenced this pull request Jun 16, 2026
Channels-webchat overlay rebuilt on current upstream (was 123 behind).
Webchat-owned files copied wholesale; HOOK_FILES re-authored onto upstream:
- approvals: kept upstream's new ApprovalResolved handler API, grafted
  webchat's in-room ApprovalRequested system; dropped webchat's superseded
  resolve() (response-handler) — upstream adopted the same intent.
- create-agent: dropped webchat's gating (upstream nanocoai#2720 adopted it).
- delivery: re-authored sender-tracking onto upstream's
  createChannelDeliveryAdapter factory; channel-registry.ts is now a hook.
- poll-loop: re-authored terminal-error self-heal + empty-turn detector
  onto upstream's refactored processQuery.
- migration: webchat drop-rooms insert now sets the new instance column.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
javexed added a commit to javexed/nanoclaw that referenced this pull request Jun 19, 2026
Channels-webchat overlay rebuilt on current upstream (was 123 behind).
Webchat-owned files copied wholesale; HOOK_FILES re-authored onto upstream:
- approvals: kept upstream's new ApprovalResolved handler API, grafted
  webchat's in-room ApprovalRequested system; dropped webchat's superseded
  resolve() (response-handler) — upstream adopted the same intent.
- create-agent: dropped webchat's gating (upstream nanocoai#2720 adopted it).
- delivery: re-authored sender-tracking onto upstream's
  createChannelDeliveryAdapter factory; channel-registry.ts is now a hook.
- poll-loop: re-authored terminal-error self-heal + empty-turn detector
  onto upstream's refactored processQuery.
- migration: webchat drop-rooms insert now sets the new instance column.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant