refactor(modules): re-tier approvals as default; extract self-mod as optional

Promotes approvals to the default tier with a public API (requestApproval + registerApprovalHandler) that other modules consume. Self-modification (install_packages / request_rebuild / add_mcp_server) moves into a new optional module that registers delivery actions + matching approval handlers via the new API. ## Approvals (default tier) - Adds `src/modules/approvals/primitive.ts` exporting `requestApproval`, `registerApprovalHandler`, `notifyAgent`. Absorbs `pickApprover` / `pickApprovalDelivery` / `channelTypeOf` from the deleted `src/access.ts`. - Rewrites `response-handler.ts` to dispatch to registered approval handlers on approve (action-keyed Map). Reject path is centralized. - Drops the three self-mod-specific delivery-action registrations from `approvals/index.ts`; they belong to self-mod now. - `onecli-approvals.ts` now imports picks from the primitive instead of `src/access.ts`. ## Self-mod (optional tier) - New `src/modules/self-mod/` with request handlers (validate input + call requestApproval) and apply handlers (orchestration on approve). - `apply.ts` owns updateContainerConfig + buildAgentGroupImage + killContainer calls. Self-mod depends on approvals (via registerApprovalHandler + requestApproval + notifyAgent) and on core (container-runner, container-config). - Registers 3 delivery actions + 3 approval handlers at import time. ## Other changes - `src/access.ts` and `src/access.test.ts` deleted. Tests split across `src/modules/approvals/picks.test.ts` (approver selection) and `src/modules/permissions/permissions.test.ts` (access + roles + DM). - `src/modules/index.ts` barrel: approvals loads before self-mod so registerApprovalHandler is bound when self-mod registers at import time. ## Validation - `pnpm run build` clean - `pnpm test` — 137 host tests pass - `bun test` in container/agent-runner — 17 tests pass - Service starts; boot log shows `OneCLI approval handler started`, `NanoClaw running`; clean SIGTERM shutdown Resolves the transitional tier violation flagged in PR #5 where core imported from the permissions optional module via `src/access.ts`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 19:41:26 +03:00
parent 1f179e07f2
commit 95fdec335a
14 changed files with 715 additions and 484 deletions
--- a/src/modules/self-mod/apply.ts
+++ b/src/modules/self-mod/apply.ts
@@ -0,0 +1,89 @@
+/**
+ * Approval handlers for self-modification actions.
+ *
+ * The approvals module calls these when an admin clicks Approve on a
+ * pending_approvals row whose action matches. Each handler mutates the
+ * container config, rebuilds/kills the container as needed, and lets the
+ * host sweep respawn it on the new image on the next message.
+ */
+import { updateContainerConfig } from '../../container-config.js';
+import { buildAgentGroupImage, killContainer } from '../../container-runner.js';
+import { getAgentGroup } from '../../db/agent-groups.js';
+import { log } from '../../log.js';
+import { writeSessionMessage } from '../../session-manager.js';
+import type { ApprovalHandler } from '../approvals/index.js';
+
+export const applyInstallPackages: ApprovalHandler = async ({ session, payload, userId, notify }) => {
+  const agentGroup = getAgentGroup(session.agent_group_id);
+  if (!agentGroup) {
+    notify('install_packages approved but agent group missing.');
+    return;
+  }
+  updateContainerConfig(agentGroup.folder, (cfg) => {
+    if (payload.apt) cfg.packages.apt.push(...(payload.apt as string[]));
+    if (payload.npm) cfg.packages.npm.push(...(payload.npm as string[]));
+  });
+
+  const pkgs = [...((payload.apt as string[] | undefined) || []), ...((payload.npm as string[] | undefined) || [])].join(', ');
+  log.info('Package install approved', { agentGroupId: session.agent_group_id, userId });
+  try {
+    await buildAgentGroupImage(session.agent_group_id);
+    killContainer(session.id, 'rebuild applied');
+    // Schedule a follow-up prompt a few seconds after kill so the host sweep
+    // respawns the container on the new image and the agent verifies + reports.
+    writeSessionMessage(session.agent_group_id, session.id, {
+      id: `appr-note-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      kind: 'chat',
+      timestamp: new Date().toISOString(),
+      platformId: session.agent_group_id,
+      channelType: 'agent',
+      threadId: null,
+      content: JSON.stringify({
+        text: `Packages installed (${pkgs}) and container rebuilt. Verify the new packages are available (e.g. run them or check versions) and report the result to the user.`,
+        sender: 'system',
+        senderId: 'system',
+      }),
+      processAfter: new Date(Date.now() + 5000)
+        .toISOString()
+        .replace('T', ' ')
+        .replace(/\.\d+Z$/, ''),
+    });
+    log.info('Container rebuild completed (bundled with install)', { agentGroupId: session.agent_group_id });
+  } catch (e) {
+    notify(
+      `Packages added to config (${pkgs}) but rebuild failed: ${e instanceof Error ? e.message : String(e)}. Call request_rebuild to retry.`,
+    );
+    log.error('Bundled rebuild failed after install approval', { agentGroupId: session.agent_group_id, err: e });
+  }
+};
+
+export const applyRequestRebuild: ApprovalHandler = async ({ session, userId, notify }) => {
+  try {
+    await buildAgentGroupImage(session.agent_group_id);
+    killContainer(session.id, 'rebuild applied');
+    notify('Container image rebuilt. Your container will restart with the new image on the next message.');
+    log.info('Container rebuild approved and completed', { agentGroupId: session.agent_group_id, userId });
+  } catch (e) {
+    notify(`Rebuild failed: ${e instanceof Error ? e.message : String(e)}`);
+    log.error('Container rebuild failed', { agentGroupId: session.agent_group_id, err: e });
+  }
+};
+
+export const applyAddMcpServer: ApprovalHandler = async ({ session, payload, userId, notify }) => {
+  const agentGroup = getAgentGroup(session.agent_group_id);
+  if (!agentGroup) {
+    notify('add_mcp_server approved but agent group missing.');
+    return;
+  }
+  updateContainerConfig(agentGroup.folder, (cfg) => {
+    cfg.mcpServers[payload.name as string] = {
+      command: payload.command as string,
+      args: (payload.args as string[]) || [],
+      env: (payload.env as Record<string, string>) || {},
+    };
+  });
+
+  killContainer(session.id, 'mcp server added');
+  notify(`MCP server "${payload.name}" added. Your container will restart with it on the next message.`);
+  log.info('MCP server add approved', { agentGroupId: session.agent_group_id, userId });
+};