refactor(tools): centralize default policy steps

2026-03-21 16:41:56 +00:00 · 2026-02-14 14:25:21 +00:00
parent 1a4fb35030
commit 268c14f021
3 changed files with 80 additions and 64 deletions
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@@ -43,7 +43,10 @@ import {
  wrapToolParamNormalization,
 } from "./pi-tools.read.js";
 import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
-import { applyToolPolicyPipeline } from "./tool-policy-pipeline.js";
+import {
+  applyToolPolicyPipeline,
+  buildDefaultToolPolicyPipelineSteps,
+} from "./tool-policy-pipeline.js";
 import {
  applyOwnerOnlyToolPolicy,
  collectExplicitAllowlist,
@@ -389,37 +392,18 @@ export function createOpenClawCodingTools(options?: {
    toolMeta: (tool) => getPluginToolMeta(tool),
    warn: logWarn,
    steps: [
-      {
-        policy: profilePolicyWithAlsoAllow,
-        label: profile ? `tools.profile (${profile})` : "tools.profile",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: providerProfilePolicyWithAlsoAllow,
-        label: providerProfile
-          ? `tools.byProvider.profile (${providerProfile})`
-          : "tools.byProvider.profile",
-        stripPluginOnlyAllowlist: true,
-      },
-      { policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
-      {
-        policy: globalProviderPolicy,
-        label: "tools.byProvider.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: agentPolicy,
-        label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: agentProviderPolicy,
-        label: agentId
-          ? `agents.${agentId}.tools.byProvider.allow`
-          : "agent tools.byProvider.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      { policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+      ...buildDefaultToolPolicyPipelineSteps({
+        profilePolicy: profilePolicyWithAlsoAllow,
+        profile,
+        providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
+        providerProfile,
+        globalPolicy,
+        globalProviderPolicy,
+        agentPolicy,
+        agentProviderPolicy,
+        groupPolicy,
+        agentId,
+      }),
      { policy: sandbox?.tools, label: "sandbox tools.allow" },
      { policy: subagentPolicy, label: "subagent tools.allow" },
    ],
--- a/src/agents/tool-policy-pipeline.ts
+++ b/src/agents/tool-policy-pipeline.ts
@@ -14,6 +14,54 @@ export type ToolPolicyPipelineStep = {
  stripPluginOnlyAllowlist?: boolean;
 };

+export function buildDefaultToolPolicyPipelineSteps(params: {
+  profilePolicy?: ToolPolicyLike;
+  profile?: string;
+  providerProfilePolicy?: ToolPolicyLike;
+  providerProfile?: string;
+  globalPolicy?: ToolPolicyLike;
+  globalProviderPolicy?: ToolPolicyLike;
+  agentPolicy?: ToolPolicyLike;
+  agentProviderPolicy?: ToolPolicyLike;
+  groupPolicy?: ToolPolicyLike;
+  agentId?: string;
+}): ToolPolicyPipelineStep[] {
+  const agentId = params.agentId?.trim();
+  const profile = params.profile?.trim();
+  const providerProfile = params.providerProfile?.trim();
+  return [
+    {
+      policy: params.profilePolicy,
+      label: profile ? `tools.profile (${profile})` : "tools.profile",
+      stripPluginOnlyAllowlist: true,
+    },
+    {
+      policy: params.providerProfilePolicy,
+      label: providerProfile
+        ? `tools.byProvider.profile (${providerProfile})`
+        : "tools.byProvider.profile",
+      stripPluginOnlyAllowlist: true,
+    },
+    { policy: params.globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
+    {
+      policy: params.globalProviderPolicy,
+      label: "tools.byProvider.allow",
+      stripPluginOnlyAllowlist: true,
+    },
+    {
+      policy: params.agentPolicy,
+      label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
+      stripPluginOnlyAllowlist: true,
+    },
+    {
+      policy: params.agentProviderPolicy,
+      label: agentId ? `agents.${agentId}.tools.byProvider.allow` : "agent tools.byProvider.allow",
+      stripPluginOnlyAllowlist: true,
+    },
+    { policy: params.groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+  ];
+}
+
 export function applyToolPolicyPipeline(params: {
  tools: AnyAgentTool[];
  toolMeta: (tool: AnyAgentTool) => { pluginId: string } | undefined;
--- a/src/gateway/tools-invoke-http.ts
+++ b/src/gateway/tools-invoke-http.ts
@@ -6,7 +6,10 @@ import {
  resolveGroupToolPolicy,
  resolveSubagentToolPolicy,
 } from "../agents/pi-tools.policy.js";
-import { applyToolPolicyPipeline } from "../agents/tool-policy-pipeline.js";
+import {
+  applyToolPolicyPipeline,
+  buildDefaultToolPolicyPipelineSteps,
+} from "../agents/tool-policy-pipeline.js";
 import { collectExplicitAllowlist, resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { ToolInputError } from "../agents/tools/common.js";
 import { loadConfig } from "../config/config.js";
@@ -259,37 +262,18 @@ export async function handleToolsInvokeHttpRequest(
    toolMeta: (tool) => getPluginToolMeta(tool as any),
    warn: logWarn,
    steps: [
-      {
-        policy: profilePolicyWithAlsoAllow,
-        label: profile ? `tools.profile (${profile})` : "tools.profile",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: providerProfilePolicyWithAlsoAllow,
-        label: providerProfile
-          ? `tools.byProvider.profile (${providerProfile})`
-          : "tools.byProvider.profile",
-        stripPluginOnlyAllowlist: true,
-      },
-      { policy: globalPolicy, label: "tools.allow", stripPluginOnlyAllowlist: true },
-      {
-        policy: globalProviderPolicy,
-        label: "tools.byProvider.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: agentPolicy,
-        label: agentId ? `agents.${agentId}.tools.allow` : "agent tools.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      {
-        policy: agentProviderPolicy,
-        label: agentId
-          ? `agents.${agentId}.tools.byProvider.allow`
-          : "agent tools.byProvider.allow",
-        stripPluginOnlyAllowlist: true,
-      },
-      { policy: groupPolicy, label: "group tools.allow", stripPluginOnlyAllowlist: true },
+      ...buildDefaultToolPolicyPipelineSteps({
+        profilePolicy: profilePolicyWithAlsoAllow,
+        profile,
+        providerProfilePolicy: providerProfilePolicyWithAlsoAllow,
+        providerProfile,
+        globalPolicy,
+        globalProviderPolicy,
+        agentPolicy,
+        agentProviderPolicy,
+        groupPolicy,
+        agentId,
+      }),
      { policy: subagentPolicy, label: "subagent tools.allow" },
    ],
  });