fix: handle denied web tools in kiro permissions #1534

Merged
dyoshikawa merged 2 commits into main from codex/fix-issue-1421-on-rulesync
Apr 22, 2026
@dyoshikawa
Owner

Motivation

  • Kiro agent configs previously only added web_fetch/web_search when Rulesync permissions used "*": "allow", but did not remove those tools when "*": "deny", causing regenerated .kiro/agents/default.json to retain denied web tool entries.

Description

  • Update buildKiroPermissionsFromRulesync in src/features/permissions/kiro-permissions.ts to remove web_fetch/web_search from allowedTools when the corresponding Rulesync permission is deny and keep existing allow behavior.
  • Add a unit test "should remove web tools from allowedTools when denied" to src/features/permissions/kiro-permissions.test.ts that verifies an existing default.json loses web_fetch/web_search when Rulesync permissions deny them.
  • Commit message: "fix: handle denied web tools in kiro permissions" and PR created to close the issue.

Testing

  • Ran the focused unit tests with pnpm vitest run src/features/permissions/kiro-permissions.test.ts, all tests passed (4 tests).
  • Ran full repository checks with pnpm cicheck, which completed successfully including formatting, linting, typecheck and the full test suite (190 test files, 5013 tests passed).

Codex Task

Copilot AI review requested due to automatic review settings April 21, 2026 13:57
Contributor

Copilot AI left a comment

Pull request overview

This PR fixes Kiro permissions regeneration so that Rulesync "*": "deny" for webfetch/websearch actively removes web_fetch/web_search from .kiro/agents/default.json, preventing previously-allowed web tools from lingering in allowedTools.

Changes:

  • Update buildKiroPermissionsFromRulesync to delete web_fetch/web_search from allowedTools when the corresponding Rulesync permission action is deny.
  • Add a unit test ensuring existing default.json entries for web tools are removed when Rulesync denies them.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/features/permissions/kiro-permissions.ts | Implements deny semantics by removing web_fetch/web_search from allowedTools when Rulesync denies web permissions. |
| src/features/permissions/kiro-permissions.test.ts | Adds coverage to verify regeneration removes denied web tools while preserving unrelated existing tools. |

@dyoshikawa dyoshikawa merged commit 13abd91 into main Apr 22, 2026
9 checks passed
@dyoshikawa dyoshikawa deleted the codex/fix-issue-1421-on-rulesync branch April 22, 2026 03:43
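
The stale-allowlist behaviour this PR fixes, shown as an added TypeScript example that is not the project's code. The function names, the permission object shape and the `read` tool entry are assumptions for illustration; only `webfetch`/`websearch`, `web_fetch`/`web_search`, `allowedTools` and the `"*"` key come from the page.

```typescript
// Added illustration, not Rulesync source. All names here are hypothetical.
type Action = "allow" | "deny";
type RulesyncPermissions = Record<string, Record<string, Action>>; // assumed shape

// Rulesync permission name -> Kiro tool name (the two pairs named on the page).
const WEB_TOOLS: Record<string, string> = { webfetch: "web_fetch", websearch: "web_search" };

function wildcardAction(perms: RulesyncPermissions, perm: string): Action | undefined {
  const rules = perms[perm];
  return rules ? rules["*"] : undefined;
}

// Behaviour before the fix, as described: only "allow" is acted on,
// so a tool already present in allowedTools survives a later "deny".
function mergeAllowOnly(existing: string[], perms: RulesyncPermissions): string[] {
  const tools = existing.slice();
  for (const perm of Object.keys(WEB_TOOLS)) {
    const tool = WEB_TOOLS[perm];
    if (wildcardAction(perms, perm) === "allow" && tools.indexOf(tool) === -1) tools.push(tool);
  }
  return tools;
}

// Behaviour after the fix: "deny" removes the tool, unrelated tools are preserved.
function mergeWithDeny(existing: string[], perms: RulesyncPermissions): string[] {
  let tools = existing.slice();
  for (const perm of Object.keys(WEB_TOOLS)) {
    const tool = WEB_TOOLS[perm];
    const action = wildcardAction(perms, perm);
    if (action === "allow" && tools.indexOf(tool) === -1) tools.push(tool);
    if (action === "deny") tools = tools.filter((t) => t !== tool);
  }
  return tools;
}

// Audit check for a regenerated config: denied web tools still listed as allowed.
function lingeringDeniedTools(allowedTools: string[], perms: RulesyncPermissions): string[] {
  return Object.keys(WEB_TOOLS)
    .filter((perm) => wildcardAction(perms, perm) === "deny")
    .map((perm) => WEB_TOOLS[perm])
    .filter((tool) => allowedTools.indexOf(tool) !== -1);
}

// Constructed sample: an existing default.json allowedTools list and a deny policy.
const existingAllowedTools = ["read", "web_fetch", "web_search"];
const denyWeb: RulesyncPermissions = { webfetch: { "*": "deny" }, websearch: { "*": "deny" } };
console.log(lingeringDeniedTools(mergeAllowOnly(existingAllowedTools, denyWeb), denyWeb));
console.log(lingeringDeniedTools(mergeWithDeny(existingAllowedTools, denyWeb), denyWeb));
```

A check like `lingeringDeniedTools` can be run over generated agent configs in CI to catch any allowlist that disagrees with the source policy.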
@dyoshikawa
Owner Author

@dyoshikawa Thank you!
