fix(tools): offer == authorized — persona never shown a tool it can't run#1725
Merged
Conversation
Offering a tool and then having the ACL deny it (the live "I tried ping but got a policy error" lameness) is bad design. The persona's tool surface now DERIVES from the same gate the executor enforces:

authorized_tool_specs(trust) = command_registry.filter(is_command_authorized(cmd, trust))

So offer == authorized by construction — the two can't drift, and opening a command to a trust level auto-adds it to the surface (no second list to maintain). The live persona offers `authorized_tool_specs(Provisional)` (its airc trust).

This is the coherence fix. WIDENING what personas can do (the surface is still thin — "pretty poor") is the next slice: open more of the ~250-command catalog to personas (broad for trusted local citizens, gate only the sensitive/destructive), surfacing the breadth unsloth-style gateways expose. With this change, that widening is purely "authorize more at Provisional" → the offer follows automatically.

`ai_safe_tool_specs` retained for diagnostics.

persona_tools tests green; binary compiles.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What
Offering a tool then having the ACL deny it (the live "I tried ping but got a policy
error" lameness) is bad design. The persona's tool surface now derives from the
same gate the executor enforces:
Offer == authorized, by construction — they can't drift, and opening a command to
a trust level auto-adds it to the surface (no second list). The live persona offers
authorized_tool_specs(Provisional) (its airc trust).

Next (the real ask)
This is the coherence fix. Widening what personas can do (the surface is still
thin) is the next slice: open more of the ~250-command catalog to personas — broad
for trusted local citizens, gate only the sensitive/destructive. With this change,
widening = "authorize more at Provisional" and the offer follows automatically.
persona_tools tests green; binary compiles.
🤖 Generated with Claude Code
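The "offer == authorized" pattern described in the commit message and in the What section above, as an added example that is not the project's own code. The trust levels, the sample catalog, and the names `Trust`, `CommandSpec`, `command_registry`, `is_command_authorized`, `authorized_tool_specs` and `execute` are assumptions modelled on the PR text; the real registry and its ACL are not shown here. The point it demonstrates is structural: the persona's offer is a filter over the registry using the same predicate the executor checks at dispatch, so a command opened to a trust level appears in the offer with no second list to maintain, and `offer_matches_executor` is the invariant a test can pin down.

```rust
// Added example (not the project's code): deriving the persona's tool offer
// from the executor's authorization gate so the two cannot drift.
// Trust levels, catalog entries and function names are constructed for this example.

/// Trust levels, ordered least to most trusted (variant order defines the ordering).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Trust {
    Anonymous,
    Provisional,
    Trusted,
}

/// A catalog entry: the minimum trust it needs and whether it is destructive.
#[derive(Debug, Clone)]
pub struct CommandSpec {
    pub name: &'static str,
    pub min_trust: Trust,
    pub destructive: bool,
}

/// The single registry every path consults (constructed sample catalog).
pub fn command_registry() -> Vec<CommandSpec> {
    vec![
        CommandSpec { name: "help", min_trust: Trust::Anonymous, destructive: false },
        CommandSpec { name: "ping", min_trust: Trust::Provisional, destructive: false },
        CommandSpec { name: "uptime", min_trust: Trust::Provisional, destructive: false },
        CommandSpec { name: "rm_channel", min_trust: Trust::Trusted, destructive: true },
    ]
}

/// The one gate. Both the offer and the executor call this and nothing else.
pub fn is_command_authorized(cmd: &CommandSpec, trust: Trust) -> bool {
    // Meets the minimum trust, and destructive commands additionally require Trusted.
    trust >= cmd.min_trust && !(cmd.destructive && trust < Trust::Trusted)
}

/// The offer is derived from the gate: what the persona sees is exactly
/// what the executor would let it run. Widening = authorizing more at that trust.
pub fn authorized_tool_specs(trust: Trust) -> Vec<CommandSpec> {
    command_registry()
        .into_iter()
        .filter(|c| is_command_authorized(c, trust))
        .collect()
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExecOutcome {
    Ran(&'static str),
    Denied(&'static str),
    Unknown,
}

/// Executor path: re-checks the same gate at dispatch time (defence in depth),
/// so even a stale or spoofed offer cannot run something the ACL denies.
pub fn execute(name: &str, trust: Trust) -> ExecOutcome {
    match command_registry().iter().find(|c| c.name == name) {
        None => ExecOutcome::Unknown,
        Some(c) if is_command_authorized(c, trust) => ExecOutcome::Ran(c.name),
        Some(c) => ExecOutcome::Denied(c.name),
    }
}

/// Coherence invariant: everything offered at a trust level actually runs there.
/// This is the property that a hand-maintained "AI-safe" list can silently break.
pub fn offer_matches_executor(trust: Trust) -> bool {
    authorized_tool_specs(trust)
        .iter()
        .all(|c| matches!(execute(c.name, trust), ExecOutcome::Ran(_)))
}

fn main() {
    for trust in [Trust::Anonymous, Trust::Provisional, Trust::Trusted] {
        let offered: Vec<&str> = authorized_tool_specs(trust).iter().map(|c| c.name).collect();
        println!(
            "{:?}: offers {:?}, offer == authorized: {}",
            trust,
            offered,
            offer_matches_executor(trust)
        );
    }
}
```

Running it prints one line per trust level; `Provisional` offers `help`, `ping` and `uptime`, and `rm_channel` is neither offered nor runnable below `Trusted`. Because `authorized_tool_specs` has no list of its own, raising a catalog entry's `min_trust` or lowering it to `Provisional` changes the offer and the executor's decision together.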