@poolzin/pool-bot 2026.2.21 → 2026.2.23

package/dist/agents/pi-tools.js

@@ -1,30 +1,36 @@
 import { codingTools, createEditTool, createReadTool, createWriteTool, readTool, } from "@mariozechner/pi-coding-agent";
+import { logWarn } from "../logger.js";
+import { getPluginToolMeta } from "../plugins/tools.js";
 import { isSubagentSessionKey } from "../routing/session-key.js";
 import { resolveGatewayMessageChannel } from "../utils/message-channel.js";
+import { resolveAgentConfig } from "./agent-scope.js";
 import { createApplyPatchTool } from "./apply-patch.js";
 import { createExecTool, createProcessTool, } from "./bash-tools.js";
 import { listChannelAgentTools } from "./channel-tools.js";
+import { resolveImageSanitizationLimits } from "./image-sanitization.js";
 import { createPoolBotTools } from "./poolbot-tools.js";
-import { resolveAgentConfig } from "./agent-scope.js";
 import { wrapToolWithAbortSignal } from "./pi-tools.abort.js";
 import { wrapToolWithBeforeToolCallHook } from "./pi-tools.before-tool-call.js";
-import { filterToolsByPolicy, isToolAllowedByPolicies, resolveEffectiveToolPolicy, resolveGroupToolPolicy, resolveSubagentToolPolicy, } from "./pi-tools.policy.js";
-import { assertRequiredParams, CLAUDE_PARAM_GROUPS, createPoolbotReadTool, createSandboxedEditTool, createSandboxedReadTool, createSandboxedWriteTool, normalizeToolParams, patchToolSchemaForClaudeCompatibility, wrapToolParamNormalization, } from "./pi-tools.read.js";
+import { isToolAllowedByPolicies, resolveEffectiveToolPolicy, resolveGroupToolPolicy, resolveSubagentToolPolicy, } from "./pi-tools.policy.js";
+import { assertRequiredParams, CLAUDE_PARAM_GROUPS, createPoolbotReadTool, createSandboxedEditTool, createSandboxedReadTool, createSandboxedWriteTool, normalizeToolParams, patchToolSchemaForClaudeCompatibility, wrapToolWorkspaceRootGuard, wrapToolParamNormalization, } from "./pi-tools.read.js";
 import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
-import { buildPluginToolGroups, collectExplicitAllowlist, expandPolicyWithPluginGroups, mergeAlsoAllowPolicy, normalizeToolName, resolveToolProfilePolicy, stripPluginOnlyAllowlist, applyOwnerOnlyToolPolicy, } from "./tool-policy.js";
-import { getPluginToolMeta } from "../plugins/tools.js";
-import { logWarn } from "../logger.js";
+import { getSubagentDepthFromSessionStore } from "./subagent-depth.js";
+import { applyToolPolicyPipeline, buildDefaultToolPolicyPipelineSteps, } from "./tool-policy-pipeline.js";
+import { applyOwnerOnlyToolPolicy, collectExplicitAllowlist, mergeAlsoAllowPolicy, resolveToolProfilePolicy, } from "./tool-policy.js";
+import { resolveWorkspaceRoot } from "./workspace-dir.js";
 function isOpenAIProvider(provider) {
     const normalized = provider?.trim().toLowerCase();
     return normalized === "openai" || normalized === "openai-codex";
 }
 function isApplyPatchAllowedForModel(params) {
     const allowModels = Array.isArray(params.allowModels) ? params.allowModels : [];
-    if (allowModels.length === 0)
+    if (allowModels.length === 0) {
         return true;
+    }
     const modelId = params.modelId?.trim();
-    if (!modelId)
+    if (!modelId) {
         return false;
+    }
     const normalizedModelId = modelId.toLowerCase();
     const provider = params.modelProvider?.trim().toLowerCase();
     const normalizedFull = provider && !normalizedModelId.includes("/")
@@ -32,26 +38,38 @@ function isApplyPatchAllowedForModel(params) {
         : normalizedModelId;
     return allowModels.some((entry) => {
         const normalized = entry.trim().toLowerCase();
-        if (!normalized)
+        if (!normalized) {
             return false;
+        }
         return normalized === normalizedModelId || normalized === normalizedFull;
     });
 }
-function resolveExecConfig(cfg) {
+function resolveExecConfig(params) {
+    const cfg = params.cfg;
     const globalExec = cfg?.tools?.exec;
+    const agentExec = cfg && params.agentId ? resolveAgentConfig(cfg, params.agentId)?.tools?.exec : undefined;
+    return {
+        host: agentExec?.host ?? globalExec?.host,
+        security: agentExec?.security ?? globalExec?.security,
+        ask: agentExec?.ask ?? globalExec?.ask,
+        node: agentExec?.node ?? globalExec?.node,
+        pathPrepend: agentExec?.pathPrepend ?? globalExec?.pathPrepend,
+        safeBins: agentExec?.safeBins ?? globalExec?.safeBins,
+        backgroundMs: agentExec?.backgroundMs ?? globalExec?.backgroundMs,
+        timeoutSec: agentExec?.timeoutSec ?? globalExec?.timeoutSec,
+        approvalRunningNoticeMs: agentExec?.approvalRunningNoticeMs ?? globalExec?.approvalRunningNoticeMs,
+        cleanupMs: agentExec?.cleanupMs ?? globalExec?.cleanupMs,
+        notifyOnExit: agentExec?.notifyOnExit ?? globalExec?.notifyOnExit,
+        notifyOnExitEmptySuccess: agentExec?.notifyOnExitEmptySuccess ?? globalExec?.notifyOnExitEmptySuccess,
+        applyPatch: agentExec?.applyPatch ?? globalExec?.applyPatch,
+    };
+}
+function resolveFsConfig(params) {
+    const cfg = params.cfg;
+    const globalFs = cfg?.tools?.fs;
+    const agentFs = cfg && params.agentId ? resolveAgentConfig(cfg, params.agentId)?.tools?.fs : undefined;
     return {
-        host: globalExec?.host,
-        security: globalExec?.security,
-        ask: globalExec?.ask,
-        node: globalExec?.node,
-        pathPrepend: globalExec?.pathPrepend,
-        safeBins: globalExec?.safeBins,
-        backgroundMs: globalExec?.backgroundMs,
-        timeoutSec: globalExec?.timeoutSec,
-        approvalRunningNoticeMs: globalExec?.approvalRunningNoticeMs,
-        cleanupMs: globalExec?.cleanupMs,
-        notifyOnExit: globalExec?.notifyOnExit,
-        applyPatch: globalExec?.applyPatch,
+        workspaceOnly: agentFs?.workspaceOnly ?? globalFs?.workspaceOnly,
     };
 }
 export function resolveToolLoopDetectionConfig(params) {
@@ -81,8 +99,6 @@ export const __testing = {
     wrapToolParamNormalization,
     assertRequiredParams,
 };
-/** Alias for upstream compatibility — callers importing the upstream name get the pool-bot version. */
-export const createOpenClawCodingTools = createPoolbotCodingTools;
 export function createPoolbotCodingTools(options) {
     const execToolName = "exec";
     const sandbox = options?.sandbox?.enabled ? options.sandbox : undefined;
@@ -110,9 +126,11 @@ export function createPoolbotCodingTools(options) {
     const providerProfilePolicy = resolveToolProfilePolicy(providerProfile);
     const profilePolicyWithAlsoAllow = mergeAlsoAllowPolicy(profilePolicy, profileAlsoAllow);
     const providerProfilePolicyWithAlsoAllow = mergeAlsoAllowPolicy(providerProfilePolicy, providerProfileAlsoAllow);
-    const scopeKey = options?.exec?.scopeKey ?? (agentId ? `agent:${agentId}` : undefined);
+    // Prefer sessionKey for process isolation scope to prevent cross-session process visibility/killing.
+    // Fallback to agentId if no sessionKey is available (e.g. legacy or global contexts).
+    const scopeKey = options?.exec?.scopeKey ?? options?.sessionKey ?? (agentId ? `agent:${agentId}` : undefined);
     const subagentPolicy = isSubagentSessionKey(options?.sessionKey) && options?.sessionKey
-        ? resolveSubagentToolPolicy(options.config)
+        ? resolveSubagentToolPolicy(options.config, getSubagentDepthFromSessionStore(options.sessionKey, { cfg: options.config }))
         : undefined;
     const allowBackground = isToolAllowedByPolicies("process", [
         profilePolicyWithAlsoAllow,
@@ -125,11 +143,17 @@ export function createPoolbotCodingTools(options) {
         sandbox?.tools,
         subagentPolicy,
     ]);
-    const execConfig = resolveExecConfig(options?.config);
+    const execConfig = resolveExecConfig({ cfg: options?.config, agentId });
+    const fsConfig = resolveFsConfig({ cfg: options?.config, agentId });
     const sandboxRoot = sandbox?.workspaceDir;
+    const sandboxFsBridge = sandbox?.fsBridge;
     const allowWorkspaceWrites = sandbox?.workspaceAccess !== "ro";
-    const workspaceRoot = options?.workspaceDir ?? process.cwd();
-    const applyPatchConfig = options?.config?.tools?.exec?.applyPatch;
+    const workspaceRoot = resolveWorkspaceRoot(options?.workspaceDir);
+    const workspaceOnly = fsConfig.workspaceOnly === true;
+    const applyPatchConfig = execConfig.applyPatch;
+    // Secure by default: apply_patch is workspace-contained unless explicitly disabled.
+    // (tools.fs.workspaceOnly is a separate umbrella flag for read/write/edit/apply_patch.)
+    const applyPatchWorkspaceOnly = workspaceOnly || applyPatchConfig?.workspaceOnly !== false;
     const applyPatchEnabled = !!applyPatchConfig?.enabled &&
         isOpenAIProvider(options?.modelProvider) &&
         isApplyPatchAllowedForModel({
@@ -137,29 +161,46 @@ export function createPoolbotCodingTools(options) {
             modelId: options?.modelId,
             allowModels: applyPatchConfig?.allowModels,
         });
+    if (sandboxRoot && !sandboxFsBridge) {
+        throw new Error("Sandbox filesystem bridge is unavailable.");
+    }
+    const imageSanitization = resolveImageSanitizationLimits(options?.config);
     const base = codingTools.flatMap((tool) => {
         if (tool.name === readTool.name) {
             if (sandboxRoot) {
-                return [createSandboxedReadTool(sandboxRoot)];
+                const sandboxed = createSandboxedReadTool({
+                    root: sandboxRoot,
+                    bridge: sandboxFsBridge,
+                    modelContextWindowTokens: options?.modelContextWindowTokens,
+                    imageSanitization,
+                });
+                return [workspaceOnly ? wrapToolWorkspaceRootGuard(sandboxed, sandboxRoot) : sandboxed];
             }
             const freshReadTool = createReadTool(workspaceRoot);
-            return [createPoolbotReadTool(freshReadTool)];
+            const wrapped = createPoolbotReadTool(freshReadTool, {
+                modelContextWindowTokens: options?.modelContextWindowTokens,
+                imageSanitization,
+            });
+            return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
         }
-        if (tool.name === "bash" || tool.name === execToolName)
+        if (tool.name === "bash" || tool.name === execToolName) {
             return [];
+        }
         if (tool.name === "write") {
-            if (sandboxRoot)
+            if (sandboxRoot) {
                 return [];
+            }
             // Wrap with param normalization for Claude Code compatibility
-            return [
-                wrapToolParamNormalization(createWriteTool(workspaceRoot), CLAUDE_PARAM_GROUPS.write),
-            ];
+            const wrapped = wrapToolParamNormalization(createWriteTool(workspaceRoot), CLAUDE_PARAM_GROUPS.write);
+            return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
         }
         if (tool.name === "edit") {
-            if (sandboxRoot)
+            if (sandboxRoot) {
                 return [];
+            }
             // Wrap with param normalization for Claude Code compatibility
-            return [wrapToolParamNormalization(createEditTool(workspaceRoot), CLAUDE_PARAM_GROUPS.edit)];
+            const wrapped = wrapToolParamNormalization(createEditTool(workspaceRoot), CLAUDE_PARAM_GROUPS.edit);
+            return [workspaceOnly ? wrapToolWorkspaceRootGuard(wrapped, workspaceRoot) : wrapped];
         }
         return [tool];
     });
@@ -173,7 +214,7 @@ export function createPoolbotCodingTools(options) {
         pathPrepend: options?.exec?.pathPrepend ?? execConfig.pathPrepend,
         safeBins: options?.exec?.safeBins ?? execConfig.safeBins,
         agentId,
-        cwd: options?.workspaceDir,
+        cwd: workspaceRoot,
         allowBackground,
         scopeKey,
         sessionKey: options?.sessionKey,
@@ -182,6 +223,7 @@ export function createPoolbotCodingTools(options) {
         timeoutSec: options?.exec?.timeoutSec ?? execConfig.timeoutSec,
         approvalRunningNoticeMs: options?.exec?.approvalRunningNoticeMs ?? execConfig.approvalRunningNoticeMs,
         notifyOnExit: options?.exec?.notifyOnExit ?? execConfig.notifyOnExit,
+        notifyOnExitEmptySuccess: options?.exec?.notifyOnExitEmptySuccess ?? execConfig.notifyOnExitEmptySuccess,
         sandbox: sandbox
             ? {
                 containerName: sandbox.containerName,
@@ -199,13 +241,23 @@ export function createPoolbotCodingTools(options) {
         ? null
         : createApplyPatchTool({
             cwd: sandboxRoot ?? workspaceRoot,
-            sandboxRoot: sandboxRoot && allowWorkspaceWrites ? sandboxRoot : undefined,
+            sandbox: sandboxRoot && allowWorkspaceWrites
+                ? { root: sandboxRoot, bridge: sandboxFsBridge }
+                : undefined,
+            workspaceOnly: applyPatchWorkspaceOnly,
         });
     const tools = [
         ...base,
         ...(sandboxRoot
             ? allowWorkspaceWrites
-                ? [createSandboxedEditTool(sandboxRoot), createSandboxedWriteTool(sandboxRoot)]
+                ? [
+                    workspaceOnly
+                        ? wrapToolWorkspaceRootGuard(createSandboxedEditTool({ root: sandboxRoot, bridge: sandboxFsBridge }), sandboxRoot)
+                        : createSandboxedEditTool({ root: sandboxRoot, bridge: sandboxFsBridge }),
+                    workspaceOnly
+                        ? wrapToolWorkspaceRootGuard(createSandboxedWriteTool({ root: sandboxRoot, bridge: sandboxFsBridge }), sandboxRoot)
+                        : createSandboxedWriteTool({ root: sandboxRoot, bridge: sandboxFsBridge }),
+                ]
                 : []
             : []),
         ...(applyPatchTool ? [applyPatchTool] : []),
@@ -226,7 +278,8 @@ export function createPoolbotCodingTools(options) {
             agentGroupSpace: options?.groupSpace ?? null,
             agentDir: options?.agentDir,
             sandboxRoot,
-            workspaceDir: options?.workspaceDir,
+            sandboxFsBridge,
+            workspaceDir: workspaceRoot,
             sandboxed: !!sandbox,
             config: options?.config,
             pluginToolAllowlist: collectExplicitAllowlist([
@@ -253,61 +306,27 @@ export function createPoolbotCodingTools(options) {
     // Security: treat unknown/undefined as unauthorized (opt-in, not opt-out)
     const senderIsOwner = options?.senderIsOwner === true;
     const toolsByAuthorization = applyOwnerOnlyToolPolicy(tools, senderIsOwner);
-    const coreToolNames = new Set(toolsByAuthorization
-        .filter((tool) => !getPluginToolMeta(tool))
-        .map((tool) => normalizeToolName(tool.name))
-        .filter(Boolean));
-    const pluginGroups = buildPluginToolGroups({
+    const subagentFiltered = applyToolPolicyPipeline({
         tools: toolsByAuthorization,
         toolMeta: (tool) => getPluginToolMeta(tool),
+        warn: logWarn,
+        steps: [
+            ...buildDefaultToolPolicyPipelineSteps({
+                profilePolicy: profilePolicyWithAlsoAllow,
+                profile,
+                providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
+                providerProfile,
+                globalPolicy,
+                globalProviderPolicy,
+                agentPolicy,
+                agentProviderPolicy,
+                groupPolicy,
+                agentId,
+            }),
+            { policy: sandbox?.tools, label: "sandbox tools.allow" },
+            { policy: subagentPolicy, label: "subagent tools.allow" },
+        ],
     });
-    const resolvePolicy = (policy, label) => {
-        const resolved = stripPluginOnlyAllowlist(policy, pluginGroups, coreToolNames);
-        if (resolved.unknownAllowlist.length > 0) {
-            const entries = resolved.unknownAllowlist.join(", ");
-            const suffix = resolved.strippedAllowlist
-                ? "Ignoring allowlist so core tools remain available. Use tools.alsoAllow for additive plugin tool enablement."
-                : "These entries won't match any tool unless the plugin is enabled.";
-            logWarn(`tools: ${label} allowlist contains unknown entries (${entries}). ${suffix}`);
-        }
-        return expandPolicyWithPluginGroups(resolved.policy, pluginGroups);
-    };
-    const profilePolicyExpanded = resolvePolicy(profilePolicyWithAlsoAllow, profile ? `tools.profile (${profile})` : "tools.profile");
-    const providerProfileExpanded = resolvePolicy(providerProfilePolicyWithAlsoAllow, providerProfile ? `tools.byProvider.profile (${providerProfile})` : "tools.byProvider.profile");
-    const globalPolicyExpanded = resolvePolicy(globalPolicy, "tools.allow");
-    const globalProviderExpanded = resolvePolicy(globalProviderPolicy, "tools.byProvider.allow");
-    const agentPolicyExpanded = resolvePolicy(agentPolicy, agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow");
-    const agentProviderExpanded = resolvePolicy(agentProviderPolicy, agentId ? `agents.${agentId}.tools.byProvider.allow` : "agent tools.byProvider.allow");
-    const groupPolicyExpanded = resolvePolicy(groupPolicy, "group tools.allow");
-    const sandboxPolicyExpanded = expandPolicyWithPluginGroups(sandbox?.tools, pluginGroups);
-    const subagentPolicyExpanded = expandPolicyWithPluginGroups(subagentPolicy, pluginGroups);
-    const toolsFiltered = profilePolicyExpanded
-        ? filterToolsByPolicy(toolsByAuthorization, profilePolicyExpanded)
-        : toolsByAuthorization;
-    const providerProfileFiltered = providerProfileExpanded
-        ? filterToolsByPolicy(toolsFiltered, providerProfileExpanded)
-        : toolsFiltered;
-    const globalFiltered = globalPolicyExpanded
-        ? filterToolsByPolicy(providerProfileFiltered, globalPolicyExpanded)
-        : providerProfileFiltered;
-    const globalProviderFiltered = globalProviderExpanded
-        ? filterToolsByPolicy(globalFiltered, globalProviderExpanded)
-        : globalFiltered;
-    const agentFiltered = agentPolicyExpanded
-        ? filterToolsByPolicy(globalProviderFiltered, agentPolicyExpanded)
-        : globalProviderFiltered;
-    const agentProviderFiltered = agentProviderExpanded
-        ? filterToolsByPolicy(agentFiltered, agentProviderExpanded)
-        : agentFiltered;
-    const groupFiltered = groupPolicyExpanded
-        ? filterToolsByPolicy(agentProviderFiltered, groupPolicyExpanded)
-        : agentProviderFiltered;
-    const sandboxed = sandboxPolicyExpanded
-        ? filterToolsByPolicy(groupFiltered, sandboxPolicyExpanded)
-        : groupFiltered;
-    const subagentFiltered = subagentPolicyExpanded
-        ? filterToolsByPolicy(sandboxed, subagentPolicyExpanded)
-        : sandboxed;
     // Always normalize tool JSON Schemas before handing them to pi-agent/pi-ai.
     // Without this, some providers (notably OpenAI) will reject root-level union schemas.
     // Provider-specific cleaning: Gemini needs constraint keywords stripped, but Anthropic expects them.