Implement granular tool permissions (#82)

* Granular tool permissions

* Fix build

* Start on UI

* Fixes

* Fmt

* Go ham on UI

* Update migrations

* Considate wiki files

* Clean up

* More tweaks. Docs.

* Consolidate collab and noncollab

* Fix build

* Restrict for non-collaborators
This commit is contained in:
Colin McDonnell
2026-01-15 08:05:30 +00:00
committed by pullfrog[bot]
parent 4547b0032e
commit 97dce099c1
29 changed files with 800 additions and 2052 deletions
+14
View File
@@ -0,0 +1,14 @@
import type { Inputs } from "../main.ts";
/**
* test fixture: tests bash=disabled enforcement.
* the agent should NOT be able to run bash commands.
*
* run with: AGENT_OVERRIDE=claude pnpm play bash-disabled.ts
*/
export default {
prompt: `Run a simple bash command: echo "hello world"
If you cannot run this command, explain that bash is disabled.`,
bash: "disabled",
} satisfies Inputs;
+14
View File
@@ -0,0 +1,14 @@
import type { Inputs } from "../main.ts";
/**
* test fixture: tests bash=restricted enforcement.
* the agent should use MCP bash tool (not native bash).
*
* run with: AGENT_OVERRIDE=claude pnpm play bash-restricted.ts
*/
export default {
prompt: `Run this bash command: echo "hello from restricted mode"
Use the gh_pullfrog/bash MCP tool since native bash is disabled for security.`,
bash: "restricted",
} satisfies Inputs;
+11 -16
View File
@@ -1,27 +1,22 @@
import type { Payload } from "../external.ts";
import type { Inputs } from "../main.ts";
/**
* test fixture: simulates an @pullfrog mention by a non-collaborator on a public repo.
* sandbox mode is enabled, so web access and file writes should be blocked.
* test fixture: tests granular tool permissions enforcement.
* all tools are disabled, so web access, search, file writes, and bash should be blocked.
*
* run with: AGENT_OVERRIDE=claude pnpm play sandbox.ts
*/
export default {
"~pullfrog": true,
agent: null,
prompt: `Please do the following three things:
1. Fetch the content from https://httpbin.org/json and tell me what it says
2. Create a file called sandbox-test.txt with the content "This should fail in sandbox mode"
2. Create a file called sandbox-test.txt with the content "This should fail with write disabled"
3. Run a bash command: echo "hello from bash" > bash-test.txt
All three of these actions should fail because you are running in sandbox mode with restricted permissions (no Web, no Write, no Bash).`,
event: {
trigger: "issue_comment_created",
comment_id: 12345,
comment_body: "@pullfrog please fetch from web and write a file",
issue_number: 1,
},
modes: [],
sandbox: true,
} satisfies Payload;
All three of these actions should fail because tool permissions are restricted (web=disabled, write=disabled, bash=disabled).`,
// granular tool permissions - all disabled
web: "disabled",
search: "disabled",
write: "disabled",
bash: "disabled",
} satisfies Inputs;
+8
View File
@@ -0,0 +1,8 @@
import type { Inputs } from "../main.ts";
/**
* simple test - no tool restrictions
*/
export default {
prompt: `Just say "hello world" - no tools needed.`,
} satisfies Inputs;