feat: conectar sistema centralizado de seguridad al launcher y runtime
- Migrar admin a security/user-groups.yaml (admins group)
- agents.New() ahora acepta acl.ACL pre-resuelta como parámetro;
elimina construcción interna desde cfg.Security.Roles
- cmd/launcher: carga shellsecurity.Load("security/") al arranque;
si falla, WARN + política vacía (open access). Para cada agente
llama pksecurity.ResolveACL y pasa la ACL a agents.New()
- cmd/launcher/registry.go: almacena secPolicy en launchDeps para
que reload() también resuelva la ACL centralmente
- shell/matrix/listener.go: elimina invite gating y allowlist check
basados en AllowedUsers; el control de acceso lo hace el runtime
- internal/config/schema.go: depreca campos Roles y AllowedUsers
(backward compat, no eliminados)
- agents/*/config.yaml: elimina bloques security.roles y allowed_users
- dev/feature_flags.json: activa centralized-security-groups (enabled: true)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -162,7 +162,6 @@ matrix:
|
||||
dm_respond: true
|
||||
ignore_bots: true
|
||||
ignore_users: []
|
||||
allowed_users: [] # vacío = sin restricción (todos pueden hablar)
|
||||
unauthorized_response: silent # silent | explicit
|
||||
min_power_level: 0
|
||||
|
||||
@@ -208,14 +207,6 @@ ssh:
|
||||
# PERMISOS Y SEGURIDAD
|
||||
# ============================================
|
||||
security:
|
||||
roles:
|
||||
admin:
|
||||
users: ["@admin:matrix-af2f3d.organic-machine.com"]
|
||||
actions: ["*"]
|
||||
user:
|
||||
users: ["*"]
|
||||
actions: ["*"]
|
||||
|
||||
audit:
|
||||
enabled: false
|
||||
log_file: "./agents/asistente-2/data/audit.log"
|
||||
|
||||
@@ -162,10 +162,6 @@ matrix:
|
||||
dm_respond: true # responde en DMs (modo principal por ahora)
|
||||
ignore_bots: true
|
||||
ignore_users: []
|
||||
allowed_users: [] # vacío = sin restricción (todos pueden hablar)
|
||||
# allowed_users: # ejemplo con restricción:
|
||||
# - "@admin:matrix-af2f3d.organic-machine.com"
|
||||
# - "@enmanuel:matrix-af2f3d.organic-machine.com"
|
||||
unauthorized_response: silent # silent | explicit
|
||||
min_power_level: 0 # cualquiera puede hablar con el assistant
|
||||
|
||||
@@ -208,14 +204,6 @@ ssh:
|
||||
# PERMISOS Y SEGURIDAD
|
||||
# ============================================
|
||||
security:
|
||||
roles:
|
||||
admin:
|
||||
users: ["@admin:matrix-af2f3d.organic-machine.com"]
|
||||
actions: ["*"]
|
||||
user:
|
||||
users: ["*"]
|
||||
actions: ["*"]
|
||||
|
||||
audit:
|
||||
enabled: false
|
||||
log_file: "./agents/assistant-bot/data/audit.log"
|
||||
|
||||
+5
-9
@@ -115,8 +115,10 @@ func (a *Agent) ClearWindow(roomID string) {
|
||||
}
|
||||
}
|
||||
|
||||
// New assembles an Agent from its config, rules, and logger.
|
||||
func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*Agent, error) {
|
||||
// New assembles an Agent from its config, rules, pre-resolved ACL, and logger.
|
||||
// The ACL is resolved externally (e.g. from security/ YAML files) and injected here.
|
||||
// Pass acl.ACL{} (empty) for open access (no restrictions).
|
||||
func New(cfg *config.AgentConfig, rules []decision.Rule, agentACL acl.ACL, logger *slog.Logger) (*Agent, error) {
|
||||
// Matrix client
|
||||
matrixClient, err := matrix.New(cfg.Matrix)
|
||||
if err != nil {
|
||||
@@ -230,14 +232,8 @@ func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*
|
||||
}
|
||||
}
|
||||
|
||||
// Build ACL from security roles config
|
||||
aclRoles := make(map[string]acl.RoleDef, len(cfg.Security.Roles))
|
||||
for name, r := range cfg.Security.Roles {
|
||||
aclRoles[name] = acl.RoleDef{Users: r.Users, Actions: r.Actions}
|
||||
}
|
||||
agentACL := acl.FromMap(aclRoles)
|
||||
if !agentACL.Empty() {
|
||||
logger.Info("acl enabled", "roles", len(cfg.Security.Roles))
|
||||
logger.Info("acl enabled (centralized security policy)")
|
||||
}
|
||||
|
||||
// Tool registry — register tools enabled in config
|
||||
|
||||
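Review bot: In the second hunk of `New`, the only ACL log sits inside `if !agentACL.Empty()`, so an agent that receives an empty ACL starts with open access and leaves no trace at this level. The new doc comment makes `acl.ACL{}` mean "no restrictions", and the commit description says the launcher falls back to an empty policy when loading `security/` fails, so a silent empty case makes a missing or broken policy indistinguishable from an intentionally open agent. I would add `} else { logger.Warn("acl empty: open access, no restrictions enforced") }` and have the doc comment state that the fail-open default is deliberate. The new `acl enabled` message also drops the `"roles"` count the old one logged; a size or group count from the resolved ACL would help audits if the type exposes one. `New` begins before and continues past both hunks, so whether a later step already reports the ACL state is not visible here.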