feat: remote device connection as tool (#2506)

* feat: remote device connection as tool

* fix: test

* fix: fix issues

* fix: ruff

* fix: mini issues

* fix: bugs

* fix: tests and mini issues

Author: dartpain

.gitignore

@@ -107,6 +107,8 @@ celerybeat.pid
 
 # Environments
 .env
+.env.local
+.env.*.local
 .venv
 # Machine-specific Claude Code guidance (see CLAUDE.md preamble)
 CLAUDE.md

application/agents/tool_executor.py

@@ -403,10 +403,30 @@ def check_pause(
                 {},
             )
 
-        if action_data.get("require_approval"):
+        require_approval = bool(action_data.get("require_approval"))
+        # ``denylist_forced`` marks a prompt the hard denylist mandates; a
+        # headless allowlist must never bypass it (see below).
+        denylist_forced = False
+        # ``remote_device`` decides per-invocation based on the live device
+        # state (``approval_mode``, sticky patterns, allow/denylist). The
+        # cached ``user_tools.actions[].require_approval`` snapshot does
+        # not reflect later approval-mode changes nor command-level
+        # heuristics, so consult the tool directly.
+        if tool_data.get("name") == "remote_device":
+            require_approval, denylist_forced = (
+                self._remote_device_requires_approval(
+                    tool_data, action_name, arguments,
+                )
+            )
+
+        if require_approval:
             if self.headless:
                 tool_row_id = str(tool_data.get("id") or tool_id)
-                if tool_row_id in self.tool_allowlist:
+                # A denylist-forced prompt is never pre-authorizable: a
+                # scheduled/headless run with the device allowlisted must
+                # still be denied a denylisted command. Only non-forced
+                # approvals honor the allowlist bypass.
+                if tool_row_id in self.tool_allowlist and not denylist_forced:
                     # Pre-authorized for headless execution — fall through.
                     return None
                 return {
@@ -425,7 +445,7 @@ def check_pause(
                     "error_type": "tool_not_allowed",
                     "thought_signature": getattr(call, "thought_signature", None),
                 }
-            return {
+            payload = {
                 "call_id": call_id,
                 "name": llm_name,
                 "tool_name": tool_data.get("name", "unknown"),
@@ -436,9 +456,42 @@ def check_pause(
                 "pause_type": "awaiting_approval",
                 "thought_signature": getattr(call, "thought_signature", None),
             }
+            # Surface the device id so the approval UI can offer a
+            # "don't ask again" sticky-pattern action for remote devices.
+            if tool_data.get("name") == "remote_device":
+                config = tool_data.get("config") or {}
+                if config.get("device_id"):
+                    payload["device_id"] = config["device_id"]
+            return payload
 
         return None
 
+    def _remote_device_requires_approval(
+        self, tool_data: Dict, action_name: str, arguments: Dict,
+    ) -> tuple[bool, bool]:
+        """Live approval decision for a ``remote_device`` invocation.
+
+        Instantiates ``RemoteDeviceTool`` with the cached config and the
+        executor's user context, then asks it to evaluate the command.
+        Returns ``(requires_approval, denylist_forced)``. Falls back to a
+        denylist-forced prompt on any error so a misconfigured device never
+        silently bypasses the prompt — not even via the headless allowlist.
+        """
+        try:
+            from application.agents.tools.remote_device import RemoteDeviceTool
+
+            tool = RemoteDeviceTool(
+                config=tool_data.get("config") or {},
+                user_id=self.user,
+            )
+            return tool.preview_decision(action_name, arguments)
+        except Exception:
+            logger.exception(
+                "remote_device preview_decision failed; defaulting to a "
+                "forced prompt",
+            )
+            return True, True
+
     def execute(self, tools_dict: Dict, call, llm_class_name: str):
         """Execute a tool call. Yields status events, returns (result, call_id)."""
         parser = ToolActionParser(llm_class_name, name_mapping=self._name_to_tool)
@@ -499,6 +552,12 @@ def execute(self, tools_dict: Dict, call, llm_class_name: str):
             "arguments": call_args,
         }
         tool_data = tools_dict[tool_id]
+        # Surface the device id on remote_device tool-call events so the
+        # approval UI can wire up the sticky "don't ask again" button.
+        if tool_data.get("name") == "remote_device":
+            config = tool_data.get("config") or {}
+            if config.get("device_id"):
+                tool_call_data["device_id"] = config["device_id"]
         # Journal first so the reconciler sees malformed calls and any
         # subsequent ``_mark_failed`` actually updates a real row.
         proposed_ok = _record_proposed(

application/agents/tools/remote_device.py

@@ -0,0 +1,282 @@
+"""Remote Device tool.
+
+Run shell commands on a paired remote device via the DeviceBroker.
+"""
+
+from __future__ import annotations
+
+import logging
+import time
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Dict, Optional
+
+from application.agents.tools.base import Tool
+from application.devices.broker import get_broker
+from application.devices.denylist import check_denylist
+from application.devices.normalizer import normalize_command
+from application.storage.db.repositories.device_audit_log import (
+    DeviceAuditLogRepository,
+)
+from application.storage.db.repositories.device_auto_approve_patterns import (
+    DeviceAutoApprovePatternsRepository,
+)
+from application.storage.db.repositories.devices import DevicesRepository
+from application.storage.db.session import db_readonly, db_session
+
+
+logger = logging.getLogger(__name__)
+
+
+_DEFAULT_TIMEOUT_MS = 30_000
+_MAX_TIMEOUT_MS = 600_000
+
+
+class RemoteDeviceTool(Tool):
+    """Remote Device
+    Run shell commands on a paired remote machine via docsgpt-cli host.
+    """
+
+    def __init__(self, config: Optional[dict] = None, user_id: Optional[str] = None):
+        self.config = config or {}
+        self.user_id = user_id
+        self.device_id = self.config.get("device_id") or ""
+        self._device: Optional[dict] = None
+        if self.device_id and self.user_id:
+            self._device = self._load_device()
+
+    def _load_device(self) -> Optional[dict]:
+        try:
+            with db_readonly() as conn:
+                return DevicesRepository(conn).get(self.device_id, user_id=self.user_id)
+        except Exception:
+            logger.exception("failed to load device %s", self.device_id)
+            return None
+
+    # ------------------------------------------------------------------
+    # Tool ABC
+    # ------------------------------------------------------------------
+    def get_actions_metadata(self):
+        device = self._device or {}
+        device_name = device.get("name") or "remote device"
+        description = device.get("description") or ""
+        approval_mode = device.get("approval_mode") or "ask"
+        return [
+            {
+                "name": "run_command",
+                "description": (
+                    f"Execute a shell command on the remote device "
+                    f"'{device_name}'. {description}".strip()
+                ),
+                "active": True,
+                "require_approval": approval_mode != "full",
+                "parameters": {
+                    "type": "object",
+                    "properties": {
+                        "command": {
+                            "type": "string",
+                            "description": "Shell command to run.",
+                            "filled_by_llm": True,
+                            "value": "",
+                        },
+                        "working_directory": {
+                            "type": "string",
+                            "description": "Working directory on the remote.",
+                            "filled_by_llm": True,
+                            "value": "",
+                        },
+                        "timeout_ms": {
+                            "type": "integer",
+                            "description": "Timeout in milliseconds (max 600000).",
+                            "filled_by_llm": True,
+                            "value": "",
+                        },
+                    },
+                    "required": ["command"],
+                },
+            }
+        ]
+
+    def get_config_requirements(self):
+        return {
+            "device_id": {
+                "type": "string",
+                "label": "Device",
+                "description": "Paired remote device id.",
+                "required": True,
+                "source": "devices",
+            }
+        }
+
+    def preview_requires_approval(self, action_name: str, params: dict) -> bool:
+        """Live approval decision for a specific invocation.
+
+        The tool_executor gate calls this for ``remote_device`` so the
+        decision considers the device's current ``approval_mode``, sticky
+        patterns, and the denylist — rather than trusting the static
+        ``user_tools.actions[].require_approval`` snapshot stored at pair
+        time. Returns ``True`` when a prompt is required.
+        """
+        requires_approval, _denylist_forced = self.preview_decision(
+            action_name, params,
+        )
+        return requires_approval
+
+    def preview_decision(
+        self, action_name: str, params: dict,
+    ) -> tuple[bool, bool]:
+        """Live approval decision plus whether it's a denylist-forced prompt.
+
+        Returns ``(requires_approval, denylist_forced)``. ``denylist_forced``
+        is True only when the prompt is mandated by the hard denylist, which
+        a headless allowlist must never bypass. Unknown / inactive devices
+        and missing commands require approval but are NOT denylist-forced.
+        """
+        if action_name != "run_command":
+            return True, False
+        if not self.device_id or not self.user_id:
+            return True, False
+        if self._device is None:
+            self._device = self._load_device()
+        device = self._device
+        if device is None or device.get("status") != "active":
+            # Don't bypass the prompt for an unknown / inactive device;
+            # execute_action will surface the error.
+            return True, False
+        command = ((params or {}).get("command") or "").strip()
+        if not command:
+            return True, False
+        reason, effective_mode = self._decide_approval(device, command)
+        denylist_forced = reason == "denylist_forced_prompt"
+        return effective_mode != "full", denylist_forced
+
+    def execute_action(self, action_name: str, **kwargs):
+        if action_name != "run_command":
+            return {"error": f"unknown action: {action_name}"}
+        if not self.device_id or not self.user_id:
+            return {"error": "device_id and user_id required"}
+        if self._device is None:
+            self._device = self._load_device()
+        device = self._device
+        if device is None:
+            return {"error": "device not found"}
+        if device.get("status") != "active":
+            return {"error": f"device status: {device.get('status')}"}
+
+        command = (kwargs.get("command") or "").strip()
+        if not command:
+            return {"error": "command is required"}
+        working_directory = kwargs.get("working_directory") or ""
+        timeout_ms = kwargs.get("timeout_ms")
+        try:
+            timeout_ms = int(timeout_ms) if timeout_ms else _DEFAULT_TIMEOUT_MS
+        except (TypeError, ValueError):
+            timeout_ms = _DEFAULT_TIMEOUT_MS
+        timeout_ms = min(max(timeout_ms, 1), _MAX_TIMEOUT_MS)
+
+        decision_reason, effective_mode = self._decide_approval(device, command)
+        denied = self._denylist_label(command)
+
+        envelope = {
+            "invocation_id": "inv_" + uuid.uuid4().hex,
+            "action": "run_command",
+            "params": {
+                "command": command,
+                "working_directory": working_directory,
+                "timeout_ms": timeout_ms,
+            },
+            "approval_mode": effective_mode,
+            "issued_at": datetime.now(timezone.utc).isoformat(),
+        }
+        broker = get_broker()
+        inv = broker.dispatch_invocation(self.device_id, self.user_id, envelope)
+
+        try:
+            with db_session() as conn:
+                DeviceAuditLogRepository(conn).record_dispatch(
+                    device_id=self.device_id,
+                    user_id=self.user_id,
+                    invocation_id=inv.invocation_id,
+                    command=command,
+                    working_dir=working_directory,
+                    approval_mode=effective_mode,
+                    decision="dispatched",
+                    decision_reason=decision_reason or ("denylist:" + denied if denied else None),
+                    issued_at=datetime.now(timezone.utc),
+                )
+        except Exception:
+            logger.exception("audit record_dispatch failed for %s", inv.invocation_id)
+
+        return self._collect_result(broker, inv, device, timeout_ms)
+
+    # ------------------------------------------------------------------
+    # Internals
+    # ------------------------------------------------------------------
+    def _decide_approval(self, device: dict, command: str) -> tuple[Optional[str], str]:
+        """Resolve the effective approval mode + a short audit reason.
+
+        Effective mode is ``full`` (auto-run, no prompt) or ``ask`` (prompt).
+        """
+        mode = device.get("approval_mode") or "ask"
+        # Denylist forces a prompt on every path — full access and the
+        # ask-mode sticky auto-approve alike.
+        if check_denylist(command):
+            return ("denylist_forced_prompt", "ask")
+        if mode == "full":
+            return ("full_access_passthrough", "full")
+        # mode == "ask"
+        if self._matches_sticky(command):
+            return ("sticky_auto_approve", "full")
+        return ("user_approval_required", "ask")
+
+    def _denylist_label(self, command: str) -> Optional[str]:
+        return check_denylist(command)
+
+    def _matches_sticky(self, command: str) -> bool:
+        pattern = normalize_command(command)
+        if not pattern:
+            return False
+        try:
+            with db_readonly() as conn:
+                return DeviceAutoApprovePatternsRepository(conn).has_pattern(
+                    self.device_id, self.user_id, pattern,
+                )
+        except Exception:
+            logger.exception("sticky lookup failed")
+            return False
+
+    def _collect_result(self, broker, inv, device: dict, timeout_ms: int) -> Dict[str, Any]:
+        """Drain output from the broker until the control chunk arrives."""
+        deadline = time.time() + (timeout_ms / 1000.0) + 5.0
+        stdout = []
+        stderr = []
+        try:
+            for chunk in broker.drain_output(
+                inv.invocation_id, timeout=1.0, deadline=deadline
+            ):
+                if time.time() > deadline:
+                    break
+                stream = chunk.get("stream")
+                if stream == "stdout":
+                    stdout.append(chunk.get("chunk", ""))
+                elif stream == "stderr":
+                    stderr.append(chunk.get("chunk", ""))
+                elif stream == "control":
+                    # control chunks include exit_code; drain loop will stop next iter
+                    pass
+        finally:
+            broker.cleanup_invocation(inv.invocation_id)
+
+        # Deadline hit with no control chunk: the device never connected or
+        # never finished. Surface a clear timeout instead of empty success.
+        if not inv.completed.is_set() and inv.exit_code is None and not inv.error:
+            inv.error = "device did not respond (timed out)"
+
+        return {
+            "exit_code": inv.exit_code,
+            "stdout": "".join(stdout) if stdout else "".join(inv.stdout_parts),
+            "stderr": "".join(stderr) if stderr else "".join(inv.stderr_parts),
+            "duration_ms": inv.duration_ms,
+            "device_name": device.get("name"),
+            "error": inv.error,
+        }