refactor(exec-approvals): unify system.run binding and generate host env policy

2026-02-26 16:57:29 +01:00
parent baf1c8ea13
commit 4894d907fa
18 changed files with 858 additions and 342 deletions
--- a/src/agents/bash-tools.exec-approval-request.ts
+++ b/src/agents/bash-tools.exec-approval-request.ts
@@ -24,6 +24,52 @@ export type RequestExecApprovalDecisionParams = {
  turnSourceThreadId?: string | number;
 };

+type ExecApprovalRequestToolParams = {
+  id: string;
+  command: string;
+  commandArgv?: string[];
+  env?: Record<string, string>;
+  cwd: string;
+  nodeId?: string;
+  host: "gateway" | "node";
+  security: ExecSecurity;
+  ask: ExecAsk;
+  agentId?: string;
+  resolvedPath?: string;
+  sessionKey?: string;
+  turnSourceChannel?: string;
+  turnSourceTo?: string;
+  turnSourceAccountId?: string;
+  turnSourceThreadId?: string | number;
+  timeoutMs: number;
+  twoPhase: true;
+};
+
+function buildExecApprovalRequestToolParams(
+  params: RequestExecApprovalDecisionParams,
+): ExecApprovalRequestToolParams {
+  return {
+    id: params.id,
+    command: params.command,
+    commandArgv: params.commandArgv,
+    env: params.env,
+    cwd: params.cwd,
+    nodeId: params.nodeId,
+    host: params.host,
+    security: params.security,
+    ask: params.ask,
+    agentId: params.agentId,
+    resolvedPath: params.resolvedPath,
+    sessionKey: params.sessionKey,
+    turnSourceChannel: params.turnSourceChannel,
+    turnSourceTo: params.turnSourceTo,
+    turnSourceAccountId: params.turnSourceAccountId,
+    turnSourceThreadId: params.turnSourceThreadId,
+    timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+    twoPhase: true,
+  };
+}
+
 type ParsedDecision = { present: boolean; value: string | null };

 function parseDecision(value: unknown): ParsedDecision {
@@ -65,26 +111,7 @@ export async function registerExecApprovalRequest(
  }>(
    "exec.approval.request",
    { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS },
-    {
-      id: params.id,
-      command: params.command,
-      commandArgv: params.commandArgv,
-      env: params.env,
-      cwd: params.cwd,
-      nodeId: params.nodeId,
-      host: params.host,
-      security: params.security,
-      ask: params.ask,
-      agentId: params.agentId,
-      resolvedPath: params.resolvedPath,
-      sessionKey: params.sessionKey,
-      turnSourceChannel: params.turnSourceChannel,
-      turnSourceTo: params.turnSourceTo,
-      turnSourceAccountId: params.turnSourceAccountId,
-      turnSourceThreadId: params.turnSourceThreadId,
-      timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
-      twoPhase: true,
-    },
+    buildExecApprovalRequestToolParams(params),
    { expectFinal: false },
  );
  const decision = parseDecision(registrationResult);