refactor(security): lift restrictToWorkspace to tools level

2026-02-06 09:28:08 +00:00
parent b1782814fa
commit 943579b96a
6 changed files with 24 additions and 6 deletions
--- a/nanobot/agent/loop.py
+++ b/nanobot/agent/loop.py
@@ -44,6 +44,7 @@ class AgentLoop:
        brave_api_key: str | None = None,
        exec_config: "ExecToolConfig | None" = None,
        cron_service: "CronService | None" = None,
+        restrict_to_workspace: bool = False,
    ):
        from nanobot.config.schema import ExecToolConfig
        from nanobot.cron.service import CronService
@@ -55,6 +56,7 @@ class AgentLoop:
        self.brave_api_key = brave_api_key
        self.exec_config = exec_config or ExecToolConfig()
        self.cron_service = cron_service
+        self.restrict_to_workspace = restrict_to_workspace
        
        self.context = ContextBuilder(workspace)
        self.sessions = SessionManager(workspace)
@@ -66,6 +68,7 @@ class AgentLoop:
            model=self.model,
            brave_api_key=brave_api_key,
            exec_config=self.exec_config,
+            restrict_to_workspace=restrict_to_workspace,
        )
        
        self._running = False
@@ -74,7 +77,7 @@ class AgentLoop:
    def _register_default_tools(self) -> None:
        """Register the default set of tools."""
        # File tools (restrict to workspace if configured)
-        allowed_dir = self.workspace if self.exec_config.restrict_to_workspace else None
+        allowed_dir = self.workspace if self.restrict_to_workspace else None
        self.tools.register(ReadFileTool(allowed_dir=allowed_dir))
        self.tools.register(WriteFileTool(allowed_dir=allowed_dir))
        self.tools.register(EditFileTool(allowed_dir=allowed_dir))
@@ -84,7 +87,7 @@ class AgentLoop:
        self.tools.register(ExecTool(
            working_dir=str(self.workspace),
            timeout=self.exec_config.timeout,
-            restrict_to_workspace=self.exec_config.restrict_to_workspace,
+            restrict_to_workspace=self.restrict_to_workspace,
        ))
        
        # Web tools
--- a/nanobot/agent/subagent.py
+++ b/nanobot/agent/subagent.py
@@ -34,6 +34,7 @@ class SubagentManager:
        model: str | None = None,
        brave_api_key: str | None = None,
        exec_config: "ExecToolConfig | None" = None,
+        restrict_to_workspace: bool = False,
    ):
        from nanobot.config.schema import ExecToolConfig
        self.provider = provider
@@ -42,6 +43,7 @@ class SubagentManager:
        self.model = model or provider.get_default_model()
        self.brave_api_key = brave_api_key
        self.exec_config = exec_config or ExecToolConfig()
+        self.restrict_to_workspace = restrict_to_workspace
        self._running_tasks: dict[str, asyncio.Task[None]] = {}
    
    async def spawn(
@@ -96,14 +98,14 @@ class SubagentManager:
        try:
            # Build subagent tools (no message tool, no spawn tool)
            tools = ToolRegistry()
-            allowed_dir = self.workspace if self.exec_config.restrict_to_workspace else None
+            allowed_dir = self.workspace if self.restrict_to_workspace else None
            tools.register(ReadFileTool(allowed_dir=allowed_dir))
            tools.register(WriteFileTool(allowed_dir=allowed_dir))
            tools.register(ListDirTool(allowed_dir=allowed_dir))
            tools.register(ExecTool(
                working_dir=str(self.workspace),
                timeout=self.exec_config.timeout,
-                restrict_to_workspace=self.exec_config.restrict_to_workspace,
+                restrict_to_workspace=self.restrict_to_workspace,
            ))
            tools.register(WebSearchTool(api_key=self.brave_api_key))
            tools.register(WebFetchTool())