security: authorize create_agent host-side (approval for confined groups)#2720
Merged
Conversation
…ups) create_agent writes central-DB state (agent_groups, container_configs, agent_destinations) and scaffolds host filesystem state, but the only gate lived inside the untrusted container and is bypassed by writing the outbound system row directly (the "host re-checks permission" comment was false). Authorize host-side by CLI scope: trusted owner agent groups (global scope) create sub-agents directly; confined groups require admin approval via requestApproval. Adds regression tests for the branch. Alternative to #2383 (which denies confined groups outright); co-authored from that work. Co-Authored-By: hinotoi-agent <[email protected]> Co-Authored-By: Claude Fable 5 <[email protected]>
11 tasks
javexed
added a commit
to javexed/nanoclaw
that referenced
this pull request
Jun 16, 2026
Channels-webchat overlay rebuilt on current upstream (was 123 behind). Webchat-owned files copied wholesale; HOOK_FILES re-authored onto upstream: - approvals: kept upstream's new ApprovalResolved handler API, grafted webchat's in-room ApprovalRequested system; dropped webchat's superseded resolve() (response-handler) — upstream adopted the same intent. - create-agent: dropped webchat's gating (upstream nanocoai#2720 adopted it). - delivery: re-authored sender-tracking onto upstream's createChannelDeliveryAdapter factory; channel-registry.ts is now a hook. - poll-loop: re-authored terminal-error self-heal + empty-turn detector onto upstream's refactored processQuery. - migration: webchat drop-rooms insert now sets the new instance column. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
javexed
added a commit
to javexed/nanoclaw
that referenced
this pull request
Jun 19, 2026
Channels-webchat overlay rebuilt on current upstream (was 123 behind). Webchat-owned files copied wholesale; HOOK_FILES re-authored onto upstream: - approvals: kept upstream's new ApprovalResolved handler API, grafted webchat's in-room ApprovalRequested system; dropped webchat's superseded resolve() (response-handler) — upstream adopted the same intent. - create-agent: dropped webchat's gating (upstream nanocoai#2720 adopted it). - delivery: re-authored sender-tracking onto upstream's createChannelDeliveryAdapter factory; channel-registry.ts is now a hook. - poll-loop: re-authored terminal-error self-heal + empty-turn detector onto upstream's refactored processQuery. - migration: webchat drop-rooms insert now sets the new instance column. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a host-side authorization check for the
create_agentsystem action, which creates persistent agent groups and writes routing/ACL rows. Previously this was gated only inside the container; the host applied it without re-checking.Authorization is by CLI scope:
globalscope) create sub-agents directly;Includes regression tests for the branch (global → direct; group/disabled/missing → approval). Corrects the stale container-side comments that claimed the host already re-checked permission.
This is an approval-based alternative to #2383, which denies confined groups outright. Co-authored from that work — thanks @Hinotoi-agent.
🤖 Generated with Claude Code