feat: conectar sistema centralizado de seguridad al launcher y runtime
- Migrar admin a security/user-groups.yaml (admins group)
- agents.New() ahora acepta acl.ACL pre-resuelta como parámetro;
elimina construcción interna desde cfg.Security.Roles
- cmd/launcher: carga shellsecurity.Load("security/") al arranque;
si falla, WARN + política vacía (open access). Para cada agente
llama pksecurity.ResolveACL y pasa la ACL a agents.New()
- cmd/launcher/registry.go: stores secPolicy en launchDeps para
que reload() también resuelva ACL centralmente
- shell/matrix/listener.go: elimina invite gating y allowlist check
basados en AllowedUsers; el control de acceso lo hace el runtime
- internal/config/schema.go: depreca campos Roles y AllowedUsers
(backward compat, no eliminados)
- agents/*/config.yaml: elimina bloques security.roles y allowed_users
- dev/feature_flags.json: activa centralized-security-groups (enabled: true)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+29
-6
@@ -26,9 +26,11 @@ import (
|
||||
"github.com/enmanuel/agents/internal/config"
|
||||
"github.com/enmanuel/agents/pkg/decision"
|
||||
"github.com/enmanuel/agents/pkg/orchestration"
|
||||
pksecurity "github.com/enmanuel/agents/pkg/security"
|
||||
"github.com/enmanuel/agents/shell/bus"
|
||||
agentlog "github.com/enmanuel/agents/shell/logger"
|
||||
orchshell "github.com/enmanuel/agents/shell/orchestration"
|
||||
shellsecurity "github.com/enmanuel/agents/shell/security"
|
||||
)
|
||||
|
||||
// rulesRegistry maps agent IDs to their rule factories.
|
||||
@@ -81,6 +83,19 @@ func main() {
|
||||
ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
|
||||
defer stop()
|
||||
|
||||
// ── Load centralized security policy ──
|
||||
secPolicy, secErr := shellsecurity.Load("security/")
|
||||
if secErr != nil {
|
||||
logger.Warn("security policy load failed, using empty policy (open access)", "err", secErr)
|
||||
secPolicy = pksecurity.SecurityPolicy{}
|
||||
} else {
|
||||
logger.Info("security policy loaded",
|
||||
"user_groups", len(secPolicy.UserGroups),
|
||||
"agent_groups", len(secPolicy.AgentGroups),
|
||||
"policies", len(secPolicy.Policies),
|
||||
)
|
||||
}
|
||||
|
||||
// ── Shared bus for inter-agent communication ──
|
||||
agentBus := bus.New(logger)
|
||||
|
||||
@@ -95,11 +110,12 @@ func main() {
|
||||
|
||||
// ── Shared dependencies for agent registry ──
|
||||
deps := &launchDeps{
|
||||
agentBus: agentBus,
|
||||
orch: orch,
|
||||
logDir: logDir,
|
||||
logLevel: lvl,
|
||||
parentCtx: ctx,
|
||||
agentBus: agentBus,
|
||||
orch: orch,
|
||||
logDir: logDir,
|
||||
logLevel: lvl,
|
||||
parentCtx: ctx,
|
||||
secPolicy: secPolicy,
|
||||
}
|
||||
registry := newAgentRegistry(deps)
|
||||
|
||||
@@ -158,7 +174,14 @@ func main() {
|
||||
agentCleanup = func() {}
|
||||
}
|
||||
|
||||
a, err := agents.New(cfg, rules, agentLogger)
|
||||
// Resolve centralized ACL for this agent
|
||||
agentACL := pksecurity.ResolveACL(cfg.Agent.ID, deps.secPolicy)
|
||||
agentLogger.Debug("resolved acl for agent",
|
||||
"agent", cfg.Agent.ID,
|
||||
"acl_empty", agentACL.Empty(),
|
||||
)
|
||||
|
||||
a, err := agents.New(cfg, rules, agentACL, agentLogger)
|
||||
if err != nil {
|
||||
logger.Error("failed to create agent", "id", cfg.Agent.ID, "err", err)
|
||||
agentCleanup()
|
||||
|
||||
@@ -12,6 +12,7 @@ import (
|
||||
"github.com/enmanuel/agents/internal/config"
|
||||
"github.com/enmanuel/agents/pkg/decision"
|
||||
"github.com/enmanuel/agents/pkg/orchestration"
|
||||
pksecurity "github.com/enmanuel/agents/pkg/security"
|
||||
"github.com/enmanuel/agents/shell/bus"
|
||||
agentlog "github.com/enmanuel/agents/shell/logger"
|
||||
)
|
||||
@@ -27,11 +28,12 @@ type runningAgent struct {
|
||||
|
||||
// launchDeps holds shared resources needed to start/reload agents.
|
||||
type launchDeps struct {
|
||||
agentBus *bus.Bus
|
||||
orch *orchHandle
|
||||
logDir string
|
||||
logLevel slog.Level
|
||||
parentCtx context.Context
|
||||
agentBus *bus.Bus
|
||||
orch *orchHandle
|
||||
logDir string
|
||||
logLevel slog.Level
|
||||
parentCtx context.Context
|
||||
secPolicy pksecurity.SecurityPolicy // centralized security policy loaded from security/
|
||||
}
|
||||
|
||||
// agentRegistry tracks all running agents by ID, enabling individual hot-reload.
|
||||
@@ -133,7 +135,9 @@ func (r *agentRegistry) reload(id string, rulesFor func(string, *slog.Logger) []
|
||||
|
||||
// 5. Create new agent (validates config before discarding the old one).
|
||||
rules := rulesFor(cfg.Agent.ID, newLogger)
|
||||
newAgent, err := agents.New(cfg, rules, newLogger)
|
||||
agentACL := pksecurity.ResolveACL(cfg.Agent.ID, r.deps.secPolicy)
|
||||
newLogger.Debug("resolved acl for agent (reload)", "agent", cfg.Agent.ID, "acl_empty", agentACL.Empty())
|
||||
newAgent, err := agents.New(cfg, rules, agentACL, newLogger)
|
||||
if err != nil {
|
||||
newLogger.Error("reload: failed to create agent", "id", id, "err", err)
|
||||
newCleanup()
|
||||
|
||||
Reference in New Issue
Block a user