Skip to content

Runtime settings: admin-gate config writes + confirm destructive tool-reset#18

Merged
Codename-11 merged 1 commit into
mainfrom
worktree-runtime-perms-gating
Jul 8, 2026
Merged

Runtime settings: admin-gate config writes + confirm destructive tool-reset#18
Codename-11 merged 1 commit into
mainfrom
worktree-runtime-perms-gating

Conversation

@Codename-11

Copy link
Copy Markdown
Owner

Two fixes from auditing the runtimes settings surface (found while fixing rt_hermes_gateway's empty RESEARCH/REVIEW tool profiles).

1. Admin-gate runtime config writes (privilege boundary)

runtime.create / runtime.update were workspaceProcedure (any workspace member), but they write config — the host tool policy (modeToolProfiles / localWorkspaceTools) that decides whether an agent gets terminal/filesystem/git on the host. Meanwhile the same runtime's secrets, repos, and GitHub link are adminProcedure, the MCP runtimes.configure mirror is ADMIN-scoped, and the /settings layout has no role gate — so a non-admin member could reach Settings → Runtimes and widen an agent's host access.

  • create / updateadminProcedure
  • Daemon self-registration (register) stays workspaceProcedure (local-daemon onboarding uses an agent-linked member key)
  • Read/diagnostic paths (list, heartbeat, verifyConnection, runSelfTest) unchanged

2. Confirm before the destructive "Local workspace tools" toggle

Switching the Local workspace tools enabled master checkbox OFF wiped toolCapabilities[] and reset every modeToolProfiles entry to empty — silently dropping RESEARCH/REVIEW read grants, no confirm. Now wrapped in useConfirm() (destructive variant) when there's a non-empty policy to lose. On-path unchanged; the controlled checkbox reverts on cancel.

Verification

  • typecheck + lint clean
  • New runtime-admin-gating.test.ts: OWNER can update; MEMBER gets FORBIDDEN on create + update; row untouched
  • Green: runtime-admin-gating (2) · runtime-secrets (5) · runtime-github-app (8) · runtime-dispatch-contract (10) · action-request-accept (15) · mcp (120)
  • UI confirm is typecheck-verified and follows the established useConfirm pattern; not live-clicked (no prod login from this runtime). Happy to Playwright-verify against dev:local if wanted.

Deploy held per request — more changes coming before any deploy.

🤖 Generated with Claude Code

…eset

runtime.create/update write `config` — the host tool policy (modeToolProfiles /
localWorkspaceTools) that decides whether an agent gets terminal/filesystem/git
on the host. They were `workspaceProcedure` (any member) while the same
runtime's secrets/repos/githubApp and the MCP `runtimes.configure` mirror are
ADMIN, and `/settings` has no role gate — so a non-admin member could widen an
agent's host access from Settings → Runtimes. Gate both at `adminProcedure`.
Daemon self-registration (`register`) and read/diagnostic paths are unchanged.

Also wrap the "Local workspace tools enabled" master toggle's OFF path in
`useConfirm()` — it silently wiped `toolCapabilities` and every
`modeToolProfiles` entry (incl. RESEARCH/REVIEW read grants). On-path unchanged;
controlled checkbox reverts on cancel.

Regression: runtime-admin-gating.test.ts — OWNER can update; MEMBER gets
FORBIDDEN on create + update; row untouched. typecheck + lint clean; runtime +
dispatch + mcp suites green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Codename-11 Codename-11 marked this pull request as ready for review July 8, 2026 14:43
@Codename-11 Codename-11 merged commit 392dbe2 into main Jul 8, 2026
3 checks passed
@Codename-11 Codename-11 deleted the worktree-runtime-perms-gating branch July 8, 2026 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant