@mingxy/cerebro 1.20.4 → 1.20.6

package/src/tools.test.ts

@@ -0,0 +1,508 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+// ─── Hoisted mock functions ────────────────────────────────────
+
+const { mockResolve, mockIsEnabled, mockSetEnabled } = vi.hoisted(() => ({
+  mockResolve: vi.fn<() => string>().mockReturnValue("readwrite"),
+  mockIsEnabled: vi.fn<() => boolean>().mockReturnValue(true),
+  mockSetEnabled: vi.fn(),
+}));
+
+// ─── Module mocks ──────────────────────────────────────────────
+
+vi.mock("@opencode-ai/plugin", () => {
+  function sb() {
+    const b = { describe() { return b; }, optional() { return b; } };
+    return b;
+  }
+  return {
+    tool: Object.assign((def: any) => def, {
+      schema: { string: sb, number: sb, array: sb, enum: sb, object: sb },
+    }),
+  };
+});
+
+vi.mock("./config.js", () => ({ resolveAgentPolicy: mockResolve }));
+vi.mock("./index.js", () => ({
+  isAutoStoreEnabled: mockIsEnabled,
+  setAutoStoreEnabled: mockSetEnabled,
+}));
+
+// ─── Imports ───────────────────────────────────────────────────
+
+import { buildTools, type ToolContext } from "./tools.js";
+
+// ─── Constants ─────────────────────────────────────────────────
+
+const ALL_TOOLS = [
+  "memory_store", "memory_search", "memory_get", "memory_update",
+  "memory_profile", "memory_profile_stats", "memory_list", "memory_ingest",
+  "memory_stats", "memory_delete", "space_create", "space_list",
+  "space_add_member", "memory_share", "memory_pull", "memory_reshare",
+  "memory_toggle",
+] as const;
+
+type TN = typeof ALL_TOOLS[number];
+
+const READ_TOOLS: readonly TN[] = [
+  "memory_search", "memory_get", "memory_profile", "memory_profile_stats",
+  "memory_list", "memory_stats", "space_list",
+];
+
+const WRITE_TOOLS: readonly TN[] = [
+  "memory_store", "memory_update", "memory_ingest", "memory_delete",
+  "space_create", "space_add_member", "memory_share", "memory_pull",
+  "memory_reshare", "memory_toggle",
+];
+
+const A: Record<TN, any> = {
+  memory_store:       { content: "c", source: "s", tags: ["t1"] },
+  memory_search:      { query: "q" },
+  memory_get:         { id: "m1" },
+  memory_update:      { id: "m1", content: "up" },
+  memory_profile:     {},
+  memory_profile_stats: {},
+  memory_list:        {},
+  memory_ingest:      { messages: [{ role: "user", content: "hi" }] },
+  memory_stats:       {},
+  memory_delete:      { id: "m1" },
+  space_create:       { name: "sp", space_type: "team" },
+  space_list:         {},
+  space_add_member:   { space_id: "s1", user_id: "u1", role: "admin" },
+  memory_share:       { memory_id: "m1", target_space: "s1" },
+  memory_pull:        { memory_id: "m1", source_space: "s1" },
+  memory_reshare:     { memory_id: "m1" },
+  memory_toggle:      { state: "on" },
+};
+
+// ─── Helpers ───────────────────────────────────────────────────
+
+function mkClient() {
+  return {
+    createMemory:     vi.fn().mockResolvedValue({ id: "m-new", tags: ["t1"] }),
+    searchMemories:   vi.fn().mockResolvedValue([{ memory: { id: "m1", content: "hello world" }, score: 0.9 }]),
+    getMemory:        vi.fn().mockResolvedValue({ id: "m1", content: "full content", tags: ["t"] }),
+    updateMemory:     vi.fn().mockResolvedValue({ id: "m1" }),
+    getProfile:       vi.fn().mockResolvedValue([{ slot: "lang", value: "ts" }]),
+    getProfileStats:  vi.fn().mockResolvedValue({ total: 5 }),
+    listRecent:       vi.fn().mockResolvedValue([{ id: "m1", content: "recent", category: "cases", tags: ["t"] }]),
+    ingestMessages:   vi.fn().mockResolvedValue({ created: 1 }),
+    getStats:         vi.fn().mockResolvedValue({ total: 100 }),
+    deleteMemory:     vi.fn().mockResolvedValue(undefined),
+    createSpace:      vi.fn().mockResolvedValue({ id: "s-new", name: "sp" }),
+    listSpaces:       vi.fn().mockResolvedValue([{ id: "s1" }]),
+    addSpaceMember:   vi.fn().mockResolvedValue({ ok: true }),
+    shareMemory:      vi.fn().mockResolvedValue({ ok: true }),
+    pullMemory:       vi.fn().mockResolvedValue({ ok: true }),
+    reshareMemory:    vi.fn().mockResolvedValue({ ok: true }),
+  };
+}
+
+function mkCtx(p?: Partial<ToolContext>): ToolContext {
+  return {
+    agentId: "test-agent",
+    getSessionId: () => "sess-1",
+    getAgentName: () => "test-agent",
+    getProjectPath: () => "/test",
+    config: {},
+    ...p,
+  };
+}
+
+/** Parse the JSON string returned by execute() */
+async function exec(tools: ReturnType<typeof buildTools>, name: TN, args?: any) {
+  return JSON.parse(await tools[name].execute(args ?? A[name]));
+}
+
+// ─── Tests ─────────────────────────────────────────────────────
+
+describe("buildTools", () => {
+  let client: ReturnType<typeof mkClient>;
+  let tools: ReturnType<typeof buildTools>;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockResolve.mockReturnValue("readwrite");
+    client = mkClient();
+    tools = buildTools(client, ["user:x", "project:y"], mkCtx());
+  });
+
+  // ────────────────── Definitions ──────────────────
+
+  describe("tool definitions", () => {
+    it("returns all defined tools with description + execute", () => {
+      expect(Object.keys(tools)).toHaveLength(ALL_TOOLS.length);
+      for (const name of ALL_TOOLS) {
+        expect(typeof tools[name].description).toBe("string");
+        expect(typeof tools[name].execute).toBe("function");
+      }
+    });
+  });
+
+  // ────────────────── Backward compat ──────────────────
+
+  describe("backward compat: no agentId / no config → allow all", () => {
+    it("allows WRITE when agentId is undefined", async () => {
+      tools = buildTools(client, [], mkCtx({ agentId: undefined, getAgentName: () => undefined }));
+      expect((await exec(tools, "memory_store")).ok).toBe(true);
+    });
+
+    it("allows READ when config is undefined", async () => {
+      tools = buildTools(client, [], mkCtx({ config: undefined }));
+      expect((await exec(tools, "memory_search")).ok).toBe(true);
+    });
+  });
+
+  // ────────────────── Permission: none ──────────────────
+
+  describe("policy 'none' → deny all 16 tools", () => {
+    beforeEach(() => { mockResolve.mockReturnValue("none"); });
+
+    it.each([...READ_TOOLS, ...WRITE_TOOLS] as unknown as string[])(
+      "denies %s", async (name: string) => {
+        const r = await exec(tools, name as TN);
+        expect(r).toMatchObject({ ok: false });
+        expect(r.error).toContain("Permission denied");
+        expect(r.error).toContain("'none'");
+      },
+    );
+  });
+
+  // ────────────────── Permission: readonly ──────────────────
+
+  describe("policy 'readonly'", () => {
+    beforeEach(() => { mockResolve.mockReturnValue("readonly"); });
+
+    it.each(READ_TOOLS as unknown as string[])("allows READ %s", async (name) => {
+      expect((await exec(tools, name as TN)).ok).toBe(true);
+    });
+
+    it.each(WRITE_TOOLS as unknown as string[])("denies WRITE %s", async (name) => {
+      const r = await exec(tools, name as TN);
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("Permission denied");
+      expect(r.error).toContain("'readonly'");
+      expect(r.error).toContain("'write'");
+    });
+  });
+
+  // ────────────────── Permission: readwrite ──────────────────
+
+  describe("policy 'readwrite' → allow all", () => {
+    it.each(ALL_TOOLS as unknown as string[])("allows %s", async (name) => {
+      expect((await exec(tools, name as TN)).ok).toBe(true);
+    });
+  });
+
+  // ────────────────── memory_store ──────────────────
+
+  describe("memory_store", () => {
+    it("success: returns id and merged tags", async () => {
+      const r = await exec(tools, "memory_store");
+      expect(r).toMatchObject({ ok: true, id: "m-new" });
+      expect(client.createMemory).toHaveBeenCalledWith(
+        "c", ["user:x", "project:y", "t1"], "s", "project",
+        "test-agent", "sess-1", undefined, undefined, "/test",
+      );
+    });
+
+    it("failure: returns error when client returns null", async () => {
+      client.createMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_store");
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("unavailable");
+    });
+
+    it("passes scope, visibility, category when provided", async () => {
+      await tools.memory_store.execute({
+        content: "c", source: "s", tags: [], scope: "global",
+        visibility: "private", category: "preferences",
+      });
+      expect(client.createMemory).toHaveBeenCalledWith(
+        "c", ["user:x", "project:y"], "s", "global",
+        "test-agent", "sess-1", "private", "preferences", "/test",
+      );
+    });
+  });
+
+  // ────────────────── memory_search ──────────────────
+
+  describe("memory_search", () => {
+    it("success: returns results with truncated content", async () => {
+      const r = await exec(tools, "memory_search");
+      expect(r).toMatchObject({ ok: true, count: 1 });
+      expect(r.results[0]).toMatchObject({ id: "m1", score: 0.9 });
+    });
+
+    it("empty: returns ok with count 0", async () => {
+      client.searchMemories.mockResolvedValue([]);
+      const r = await exec(tools, "memory_search");
+      expect(r).toMatchObject({ ok: true, count: 0, results: [] });
+    });
+
+    it("passes limit and scope to client", async () => {
+      await tools.memory_search.execute({ query: "q", limit: 5, scope: "global" });
+      expect(client.searchMemories).toHaveBeenCalledWith("q", 5, "global", ["user:x", "project:y"], "/test");
+    });
+  });
+
+  // ────────────────── memory_get ──────────────────
+
+  describe("memory_get", () => {
+    it("success: returns full memory object", async () => {
+      const r = await exec(tools, "memory_get");
+      expect(r).toMatchObject({ ok: true, memory: { id: "m1" } });
+    });
+
+    it("not found: returns error when null", async () => {
+      client.getMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_get");
+      expect(r).toMatchObject({ ok: false, error: "not found" });
+    });
+  });
+
+  // ────────────────── memory_update ──────────────────
+
+  describe("memory_update", () => {
+    it("success: returns ok with id", async () => {
+      const r = await exec(tools, "memory_update");
+      expect(r).toMatchObject({ ok: true, id: "m1" });
+    });
+
+    it("failure: returns error when client returns null", async () => {
+      client.updateMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_update");
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("Failed to update");
+    });
+  });
+
+  // ────────────────── memory_profile ──────────────────
+
+  describe("memory_profile", () => {
+    it("success: returns preferences", async () => {
+      const r = await exec(tools, "memory_profile");
+      expect(r).toMatchObject({ ok: true, count: 1 });
+    });
+
+    it("empty: returns ok with empty array", async () => {
+      client.getProfile.mockResolvedValue([]);
+      const r = await exec(tools, "memory_profile");
+      expect(r).toMatchObject({ ok: true, count: 0, preferences: [] });
+    });
+  });
+
+  // ────────────────── memory_profile_stats ──────────────────
+
+  describe("memory_profile_stats", () => {
+    it("success: returns stats object", async () => {
+      const r = await exec(tools, "memory_profile_stats");
+      expect(r).toMatchObject({ ok: true, stats: { total: 5 } });
+    });
+  });
+
+  // ────────────────── memory_list ──────────────────
+
+  describe("memory_list", () => {
+    it("success: returns memories with truncated content", async () => {
+      const r = await exec(tools, "memory_list");
+      expect(r).toMatchObject({ ok: true, count: 1 });
+      expect(r.memories[0].id).toBe("m1");
+    });
+
+    it("empty: returns ok with empty array", async () => {
+      client.listRecent.mockResolvedValue([]);
+      const r = await exec(tools, "memory_list");
+      expect(r).toMatchObject({ ok: true, count: 0, memories: [] });
+    });
+
+    it("passes limit to client", async () => {
+      await tools.memory_list.execute({ limit: 5 });
+      expect(client.listRecent).toHaveBeenCalledWith(5);
+    });
+  });
+
+  // ────────────────── memory_ingest ──────────────────
+
+  describe("memory_ingest", () => {
+    it("success: returns ingestion result", async () => {
+      const r = await exec(tools, "memory_ingest");
+      expect(r).toMatchObject({ ok: true, result: { created: 1 } });
+    });
+
+    it("failure: returns error when client returns null", async () => {
+      client.ingestMessages.mockResolvedValue(null);
+      const r = await exec(tools, "memory_ingest");
+      expect(r).toMatchObject({ ok: false, error: "Ingestion failed" });
+    });
+  });
+
+  // ────────────────── memory_stats ──────────────────
+
+  describe("memory_stats", () => {
+    it("success: returns stats", async () => {
+      const r = await exec(tools, "memory_stats");
+      expect(r).toMatchObject({ ok: true, stats: { total: 100 } });
+    });
+
+    it("failure: returns error when client returns null", async () => {
+      client.getStats.mockResolvedValue(null);
+      const r = await exec(tools, "memory_stats");
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("Failed to get stats");
+    });
+  });
+
+  // ────────────────── memory_delete ──────────────────
+
+  describe("memory_delete", () => {
+    it("success: returns ok with id", async () => {
+      const r = await exec(tools, "memory_delete");
+      expect(r).toMatchObject({ ok: true, id: "m1" });
+    });
+
+    it("failure: catches error and returns failure", async () => {
+      client.deleteMemory.mockRejectedValue(new Error("boom"));
+      const r = await exec(tools, "memory_delete");
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("Failed to delete");
+    });
+  });
+
+  // ────────────────── space_create ──────────────────
+
+  describe("space_create", () => {
+    it("success: returns space object", async () => {
+      const r = await exec(tools, "space_create");
+      expect(r).toMatchObject({ ok: true, space: { id: "s-new" } });
+    });
+
+    it("failure: returns error when null", async () => {
+      client.createSpace.mockResolvedValue(null);
+      const r = await exec(tools, "space_create");
+      expect(r).toMatchObject({ ok: false, error: "Failed to create space" });
+    });
+  });
+
+  // ────────────────── space_list ──────────────────
+
+  describe("space_list", () => {
+    it("success: returns spaces array", async () => {
+      const r = await exec(tools, "space_list");
+      expect(r).toMatchObject({ ok: true, spaces: [{ id: "s1" }] });
+    });
+  });
+
+  // ────────────────── space_add_member ──────────────────
+
+  describe("space_add_member", () => {
+    it("success: returns result", async () => {
+      const r = await exec(tools, "space_add_member");
+      expect(r).toMatchObject({ ok: true, result: { ok: true } });
+    });
+
+    it("failure: returns error when null", async () => {
+      client.addSpaceMember.mockResolvedValue(null);
+      const r = await exec(tools, "space_add_member");
+      expect(r).toMatchObject({ ok: false, error: "Failed to add member" });
+    });
+  });
+
+  // ────────────────── memory_share ──────────────────
+
+  describe("memory_share", () => {
+    it("success: returns result", async () => {
+      const r = await exec(tools, "memory_share");
+      expect(r).toMatchObject({ ok: true, result: { ok: true } });
+    });
+
+    it("failure: returns error when null", async () => {
+      client.shareMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_share");
+      expect(r).toMatchObject({ ok: false, error: "Failed to share memory" });
+    });
+  });
+
+  // ────────────────── memory_pull ──────────────────
+
+  describe("memory_pull", () => {
+    it("success: returns result", async () => {
+      const r = await exec(tools, "memory_pull");
+      expect(r).toMatchObject({ ok: true, result: { ok: true } });
+    });
+
+    it("failure: returns error when null", async () => {
+      client.pullMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_pull");
+      expect(r).toMatchObject({ ok: false, error: "Failed to pull memory" });
+    });
+  });
+
+  // ────────────────── memory_reshare ──────────────────
+
+  describe("memory_reshare", () => {
+    it("success: returns result", async () => {
+      const r = await exec(tools, "memory_reshare");
+      expect(r).toMatchObject({ ok: true, result: { ok: true } });
+    });
+
+    it("failure: returns error when null", async () => {
+      client.reshareMemory.mockResolvedValue(null);
+      const r = await exec(tools, "memory_reshare");
+      expect(r).toMatchObject({ ok: false, error: "Failed to reshare memory" });
+    });
+  });
+
+  // ────────────────── memory_toggle ──────────────────
+
+  describe("memory_toggle", () => {
+    it("state='on': sets auto-store ON", async () => {
+      const r = await exec(tools, "memory_toggle", { state: "on" });
+      expect(r).toMatchObject({ ok: true, auto_store: true });
+      expect(mockSetEnabled).toHaveBeenCalledWith("sess-1", true);
+    });
+
+    it("state='off': sets auto-store OFF", async () => {
+      const r = await exec(tools, "memory_toggle", { state: "off" });
+      expect(r).toMatchObject({ ok: true, auto_store: false });
+      expect(mockSetEnabled).toHaveBeenCalledWith("sess-1", false);
+    });
+
+    it("state='ON' (uppercase): still recognized as on", async () => {
+      const r = await exec(tools, "memory_toggle", { state: "ON" });
+      expect(r).toMatchObject({ ok: true, auto_store: true });
+    });
+
+    it("no state: queries current status (true)", async () => {
+      mockIsEnabled.mockReturnValue(true);
+      const r = await exec(tools, "memory_toggle", {});
+      expect(r).toMatchObject({ ok: true, auto_store: true });
+      expect(mockIsEnabled).toHaveBeenCalledWith("sess-1");
+    });
+
+    it("no state: queries current status (false)", async () => {
+      mockIsEnabled.mockReturnValue(false);
+      const r = await exec(tools, "memory_toggle", {});
+      expect(r).toMatchObject({ ok: true, auto_store: false });
+    });
+
+    it("returns error when no session", async () => {
+      tools = buildTools(client, [], mkCtx({ getSessionId: () => undefined }));
+      const r = await exec(tools, "memory_toggle", { state: "on" });
+      expect(r).toMatchObject({ ok: false });
+      expect(r.error).toContain("No active session");
+    });
+  });
+
+  // ────────────────── JSON output format ──────────────────
+
+  describe("JSON output format", () => {
+    it("all tools return valid JSON with ok boolean", async () => {
+      for (const name of ALL_TOOLS) {
+        const raw = await tools[name].execute(A[name]);
+        const parsed = JSON.parse(raw);
+        expect(typeof parsed.ok).toBe("boolean");
+      }
+    });
+  });
+});

package/src/tools.ts

@@ -1,5 +1,6 @@
 import { tool } from "@opencode-ai/plugin";
 import type { CerebroClient } from "./client.js";
+import { type CerebroPluginConfig, resolveAgentPolicy } from "./config.js";
 import { isAutoStoreEnabled, setAutoStoreEnabled } from "./index.js";
 
 export interface ToolContext {
@@ -7,9 +8,25 @@ export interface ToolContext {
   getSessionId: () => string | undefined;
   getAgentName?: () => string;
   getProjectPath?: () => string | undefined;
+  config?: Partial<CerebroPluginConfig>;
 }
 
 export function buildTools(client: CerebroClient, containerTags: string[], context: ToolContext) {
+  function checkPermission(required: "read" | "write"): boolean {
+    const agentId = context.getAgentName?.() || context.agentId;
+    if (!agentId || !context.config) return true; // no policy configured → allow
+    const policy = resolveAgentPolicy(agentId, context.config);
+    if (policy === "none") return false;
+    if (policy === "readonly") return required === "read";
+    return true; // readwrite
+  }
+
+  function denyMessage(required: "read" | "write"): string {
+    const agentId = context.getAgentName?.() || context.agentId || "unknown";
+    const policy = (agentId && context.config) ? resolveAgentPolicy(agentId, context.config) : "readwrite";
+    return `Permission denied: agent '${agentId}' has '${policy}' policy, but this operation requires '${required}' access`;
+  }
+
   return {
     memory_store: tool({
       description:
@@ -70,6 +87,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           ),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const allTags = [...containerTags, ...(args.tags ?? [])];
         const effectiveAgentId = context.getAgentName?.() || context.agentId;
         const result = await client.createMemory(
@@ -107,6 +125,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Optional scope filter"),
       },
       async execute(args) {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const results = await client.searchMemories(
           args.query,
           args.limit ?? 10,
@@ -134,6 +153,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         id: tool.schema.string().describe("Memory ID"),
       },
       async execute(args) {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const memory = await client.getMemory(args.id);
         if (!memory) return JSON.stringify({ ok: false, error: "not found" });
         return JSON.stringify({ ok: true, memory });
@@ -153,6 +173,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Replacement tags"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.updateMemory(
           args.id,
           args.content,
@@ -168,6 +189,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         "Get the user profile synthesized from stored memories. Shows preferences, patterns, and key information.",
       args: {},
       async execute() {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const preferences = await client.getProfile();
         if (preferences.length === 0) return JSON.stringify({ ok: true, count: 0, preferences: [] });
         return JSON.stringify({ ok: true, count: preferences.length, preferences });
@@ -179,6 +201,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         "View user profile statistics — total preferences, slot distribution, induction run counts, etc.",
       args: {},
       async execute() {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const stats = await client.getProfileStats();
         return JSON.stringify({ ok: true, stats });
       },
@@ -194,6 +217,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Max memories to return (default: 20)"),
       },
       async execute(args) {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const memories = await client.listRecent(args.limit ?? 20);
         if (memories.length === 0) return JSON.stringify({ ok: true, count: 0, memories: [] });
         const items = memories.map((m) => ({
@@ -234,6 +258,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Session ID to associate with the ingestion"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const effectiveAgentId = context.getAgentName?.() || context.agentId;
         const result = await client.ingestMessages(args.messages, {
           mode: args.mode ?? "smart",
@@ -252,6 +277,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         "Get statistics about stored memories — counts by category, type, tier, and timeline.",
       args: {},
       async execute() {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const stats = await client.getStats();
         if (!stats) return JSON.stringify({ ok: false, error: "Failed to get stats" });
         return JSON.stringify({ ok: true, stats });
@@ -265,6 +291,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         id: tool.schema.string().describe("Memory ID to delete"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         try {
           await client.deleteMemory(args.id);
           return JSON.stringify({ ok: true, id: args.id });
@@ -293,6 +320,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Initial members to add"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.createSpace(
           args.name,
           args.space_type,
@@ -308,6 +336,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         "List all spaces you own or are a member of.",
       args: {},
       async execute() {
+        if (!checkPermission("read")) return JSON.stringify({ ok: false, error: denyMessage("read") });
         const spaces = await client.listSpaces();
         return JSON.stringify({ ok: true, spaces });
       },
@@ -322,6 +351,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         role: tool.schema.string().describe("Role: admin, member, or reader"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.addSpaceMember(
           args.space_id,
           args.user_id,
@@ -340,6 +370,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
         target_space: tool.schema.string().describe("Target space ID"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.shareMemory(
           args.memory_id,
           args.target_space,
@@ -361,6 +392,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Visibility of the pulled copy"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.pullMemory(
           args.memory_id,
           args.source_space,
@@ -382,6 +414,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Target space containing the copy (optional)"),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const result = await client.reshareMemory(
           args.memory_id,
           args.target_space,
@@ -401,6 +434,7 @@ export function buildTools(client: CerebroClient, containerTags: string[], conte
           .describe("Set to 'on' or 'off'. Omit to check current status."),
       },
       async execute(args) {
+        if (!checkPermission("write")) return JSON.stringify({ ok: false, error: denyMessage("write") });
         const sessionId = context.getSessionId();
         if (!sessionId) return JSON.stringify({ ok: false, error: "No active session" });