agent policy: allow sub-agent (Kiln Task as Tool) creation with approval#1380
Conversation
WalkthroughThis PR updates the agent access control policy for two Kiln task tool endpoints. The endpoints transition from denying agent access entirely ( ChangesAgent Access Policy Relaxation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the agent policy for the tool registration and editing endpoints. Specifically, it replaces the DENY_AGENT policy with agent_policy_require_approval for both the POST and PATCH methods related to Kiln task tools, and updates the corresponding JSON annotation files to reflect that these actions are now allowed with required approval and descriptive text. I have no feedback to provide.
📊 Coverage ReportOverall Coverage: 92% Diff: origin/main...HEAD
Summary
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
app/desktop/studio_server/tool_api.py (1)
771-790: Consider whetherarchive_tool_servershould also allow agent access with approval for kiln-task tools.An agent can now create and edit sub-agents (kiln task tools) with approval, but the
archive_tool_serverendpoint remainsDENY_AGENT. This means an agent that registers a sub-agent on a user's behalf has no way to deactivate it without the user navigating through the UI. Whether this gap is intentional (keeping destructive/lifecycle-ending operations human-only) is worth a deliberate decision.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/desktop/studio_server/tool_api.py` around lines 771 - 790, The archive_tool_server endpoint is currently marked DENY_AGENT so agents cannot archive kiln-task sub-agents; update it to permit agent-initiated archival with approval for kiln-task tools by replacing or augmenting the DENY_AGENT restriction and adding a runtime approval check: allow agent access when the target tool_server (from tool_server_from_id) has type 'kiln-task' or equivalent property and the incoming ToolServerArchiveRequest carries the required agent approval flag/consent, otherwise keep DENY_AGENT for other tool types; ensure you reference archive_tool_server, tool_server_from_id, ToolServerArchiveRequest and the is_archived property when implementing the conditional permission/approval logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@app/desktop/studio_server/tool_api.py`:
- Around line 771-790: The archive_tool_server endpoint is currently marked
DENY_AGENT so agents cannot archive kiln-task sub-agents; update it to permit
agent-initiated archival with approval for kiln-task tools by replacing or
augmenting the DENY_AGENT restriction and adding a runtime approval check: allow
agent access when the target tool_server (from tool_server_from_id) has type
'kiln-task' or equivalent property and the incoming ToolServerArchiveRequest
carries the required agent approval flag/consent, otherwise keep DENY_AGENT for
other tool types; ensure you reference archive_tool_server, tool_server_from_id,
ToolServerArchiveRequest and the is_archived property when implementing the
conditional permission/approval logic.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 96cb9e9b-7f50-40f8-997d-5613754b916e
📒 Files selected for processing (3)
app/desktop/studio_server/tool_api.pylibs/server/kiln_server/utils/agent_checks/annotations/patch_api_projects_project_id_edit_kiln_task_tool_tool_server_id.jsonlibs/server/kiln_server/utils/agent_checks/annotations/post_api_projects_project_id_kiln_task_tool.json
What does this PR do?
Flip the agent policy on the two Kiln-task-as-tool mutation endpoints from
DENY_AGENTtoagent_policy_require_approval(...), so the chat agent can register / edit sub-agents on the user's behalf instead of falling back to a UI deep-link workaround.POST /api/projects/{project_id}/kiln_task_tool(add_kiln_task_tool)PATCH /api/projects/{project_id}/edit_kiln_task_tool/{tool_server_id}(edit_kiln_task_tool)Both routes are now
permission: allow+requires_approval: true. The user sees a description of the action and explicitly accepts before the agent'scall_kiln_apiinvocation runs. This matches the pattern already used by the fine-tune POST/PATCH and other state-changing endpoints. Approval descriptions name the feature as both "Kiln task tool" and "sub-agent" so the chat surface vocabulary matches what users actually say.Annotation JSONs under
libs/server/kiln_server/utils/agent_checks/annotations/regenerated viadump_annotationsagainst the live OpenAPI spec.Checklists