dataforge/agents_and_robots
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: conectar sistema centralizado de seguridad al launcher y runtime

Browse Source 
- Migrar admin a security/user-groups.yaml (admins group)
- agents.New() ahora acepta acl.ACL pre-resuelta como parámetro;
  elimina construcción interna desde cfg.Security.Roles
- cmd/launcher: carga shellsecurity.Load("security/") al arranque;
  si falla, WARN + política vacía (open access). Para cada agente
  llama pksecurity.ResolveACL y pasa la ACL a agents.New()
- cmd/launcher/registry.go: stores secPolicy en launchDeps para
  que reload() también resuelva ACL centralmente
- shell/matrix/listener.go: elimina invite gating y allowlist check
  basados en AllowedUsers; el control de acceso lo hace el runtime
- internal/config/schema.go: depreca campos Roles y AllowedUsers
  (backward compat, no eliminados)
- agents/*/config.yaml: elimina bloques security.roles y allowed_users
- dev/feature_flags.json: activa centralized-security-groups (enabled: true)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Enmanuel
2026-03-08 20:56:21 +00:00
parent ebd8ea3789
commit 8811d45fd1
9 changed files with 50 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files
agents/runtime.go
+5 -9
View File
@@ -115,8 +115,10 @@ func (a *Agent) ClearWindow(roomID string) {
}
}
// New assembles an Agent from its config, rules, and logger.
func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*Agent, error) {
// New assembles an Agent from its config, rules, pre-resolved ACL, and logger.
// The ACL is resolved externally (e.g. from security/ YAML files) and injected here.
// Pass acl.ACL{} (empty) for open access (no restrictions).
func New(cfg *config.AgentConfig, rules []decision.Rule, agentACL acl.ACL, logger *slog.Logger) (*Agent, error) {
// Matrix client
matrixClient, err := matrix.New(cfg.Matrix)
if err != nil {
@@ -230,14 +232,8 @@ func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*
}
}
// Build ACL from security roles config
aclRoles := make(map[string]acl.RoleDef, len(cfg.Security.Roles))
for name, r := range cfg.Security.Roles {
aclRoles[name] = acl.RoleDef{Users: r.Users, Actions: r.Actions}
}
agentACL := acl.FromMap(aclRoles)
if !agentACL.Empty() {
logger.Info("acl enabled", "roles", len(cfg.Security.Roles))
logger.Info("acl enabled (centralized security policy)")
}
// Tool registry — register tools enabled in config