dataforge/agents_and_robots
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: conectar sistema centralizado de seguridad al launcher y runtime

Browse Source 
- Migrar admin a security/user-groups.yaml (admins group)
- agents.New() ahora acepta acl.ACL pre-resuelta como parámetro;
  elimina construcción interna desde cfg.Security.Roles
- cmd/launcher: carga shellsecurity.Load("security/") al arranque;
  si falla, WARN + política vacía (open access). Para cada agente
  llama pksecurity.ResolveACL y pasa la ACL a agents.New()
- cmd/launcher/registry.go: stores secPolicy en launchDeps para
  que reload() también resuelva ACL centralmente
- shell/matrix/listener.go: elimina invite gating y allowlist check
  basados en AllowedUsers; el control de acceso lo hace el runtime
- internal/config/schema.go: depreca campos Roles y AllowedUsers
  (backward compat, no eliminados)
- agents/*/config.yaml: elimina bloques security.roles y allowed_users
- dev/feature_flags.json: activa centralized-security-groups (enabled: true)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Enmanuel
2026-03-08 20:56:21 +00:00
parent ebd8ea3789
commit 8811d45fd1
9 changed files with 50 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/launcher/registry.go
+10 -6
View File
@@ -12,6 +12,7 @@ import (
"github.com/enmanuel/agents/internal/config"
"github.com/enmanuel/agents/pkg/decision"
"github.com/enmanuel/agents/pkg/orchestration"
pksecurity "github.com/enmanuel/agents/pkg/security"
"github.com/enmanuel/agents/shell/bus"
agentlog "github.com/enmanuel/agents/shell/logger"
)
@@ -27,11 +28,12 @@ type runningAgent struct {
// launchDeps holds shared resources needed to start/reload agents.
type launchDeps struct {
agentBus *bus.Bus
orch *orchHandle
logDir string
logLevel slog.Level
parentCtx context.Context
agentBus *bus.Bus
orch *orchHandle
logDir string
logLevel slog.Level
parentCtx context.Context
secPolicy pksecurity.SecurityPolicy // centralized security policy loaded from security/
}
// agentRegistry tracks all running agents by ID, enabling individual hot-reload.
@@ -133,7 +135,9 @@ func (r *agentRegistry) reload(id string, rulesFor func(string, *slog.Logger) []
// 5. Create new agent (validates config before discarding the old one).
rules := rulesFor(cfg.Agent.ID, newLogger)
newAgent, err := agents.New(cfg, rules, newLogger)
agentACL := pksecurity.ResolveACL(cfg.Agent.ID, r.deps.secPolicy)
newLogger.Debug("resolved acl for agent (reload)", "agent", cfg.Agent.ID, "acl_empty", agentACL.Empty())
newAgent, err := agents.New(cfg, rules, agentACL, newLogger)
if err != nil {
newLogger.Error("reload: failed to create agent", "id", id, "err", err)
newCleanup()