wangjunxiao/nanoclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: per-group CLI scope (disabled/group/global)

Browse Source 
Add cli_scope column to container_configs with three levels:
- disabled: agent never learns about ncl (instructions excluded from
  CLAUDE.md) and host dispatch rejects any cli_request
- group (default): agent can only access groups, sessions, destinations,
  and members resources, scoped to its own agent group with auto-filled
  --id/--agent_group_id/--group args. Help output reflects the scope.
- global: unrestricted access (current behavior)

Enforcement is host-side only — no image rebuild or env var needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
gavrielc
2026-05-09 20:02:31 +03:00
parent be3a8a97c6
commit aebcffe180
14 changed files with 443 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/db/container-configs.ts
View File

@@ -8,6 +8,7 @@ const SCALAR_COLUMNS = new Set([
'image_tag',
'assistant_name',
'max_messages_per_prompt',
'cli_scope',
]);
const JSON_COLUMNS = new Set(['skills', 'mcp_servers', 'packages_apt', 'packages_npm', 'additional_mounts']);
@@ -54,7 +55,7 @@ export function updateContainerConfigScalars(
updates: Partial<
Pick<
ContainerConfigRow,
'provider' | 'model' | 'effort' | 'image_tag' | 'assistant_name' | 'max_messages_per_prompt'
'provider' | 'model' | 'effort' | 'image_tag' | 'assistant_name' | 'max_messages_per_prompt' | 'cli_scope'
>
>,
): void {

10
src/db/migrations/015-cli-scope.ts Normal file
View File

@@ -0,0 +1,10 @@
import type Database from 'better-sqlite3';
import type { Migration } from './index.js';
export const migration015: Migration = {
version: 15,
name: 'cli-scope',
up(db: Database.Database) {
db.prepare("ALTER TABLE container_configs ADD COLUMN cli_scope TEXT NOT NULL DEFAULT 'group'").run();
},
};

2
src/db/migrations/index.ts
View File

@@ -11,6 +11,7 @@ import { migration011 } from './011-pending-sender-approvals.js';
import { migration012 } from './012-channel-registration.js';
import { migration013 } from './013-approval-render-metadata.js';
import { migration014 } from './014-container-configs.js';
import { migration015 } from './015-cli-scope.js';
import { moduleApprovalsPendingApprovals } from './module-approvals-pending-approvals.js';
import { moduleApprovalsTitleOptions } from './module-approvals-title-options.js';
@@ -33,6 +34,7 @@ const migrations: Migration[] = [
migration012,
migration013,
migration014,
migration015,
];
export function runMigrations(db: Database.Database): void {