#23783: Tools: add strict allowlist mode and fail closed on unknown entries
agents
size: S
trusted-contributor
Cluster: Tool and Plugin Enhancements
## Summary
- add `tools.allowMode` with two modes: `strict` (default) and `compat`
- fail closed when any `tools.allow` policy contains unknown tool/group entries in strict mode
- keep legacy warning-only behavior when `tools.allowMode="compat"`
- thread the mode through tool policy pipeline resolution
## Why
This removes a hardening foot-gun where restrictive-looking allowlists containing unknown plugin tools could silently degrade into broader core-tool access.
## Tests
- `pnpm vitest run src/agents/tool-policy-pipeline.test.ts src/config/config.tools-allow-mode.test.ts src/config/config.tools-alsoAllow.test.ts src/agents/pi-tools.policy.test.ts`
- `pnpm lint`
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Added `tools.allowMode` configuration with two modes: `strict` (default) and `compat`. In strict mode, unknown tool/group entries in allowlists now cause an error instead of just a warning, preventing a security foot-gun where restrictive-looking allowlists containing unknown plugin tools could silently degrade into broader core-tool access.
**Key changes:**
- New `tools.allowMode` config field with `strict` (default) and `compat` modes
- `strict` mode throws error on unknown allowlist entries with clear remediation message
- `compat` mode preserves legacy warning-only behavior
- Mode threaded through tool policy pipeline from config to `applyToolPolicyPipeline`
- Comprehensive test coverage including validation tests
- Documentation added to schema help and labels
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- The implementation is well-designed with proper error handling, backwards compatibility via `compat` mode, comprehensive test coverage, and clear documentation. The default behavior (strict mode) improves security by failing closed on unknown allowlist entries, while the compat mode provides an escape hatch for existing configurations.
- No files require special attention
<sub>Last reviewed commit: ae17ee8</sub>
<!-- /greptile_comment -->
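A small TypeScript model of the strict versus compat behaviour described above, added here as an illustration and not taken from this PR's code. The tool names, the `group:fs` membership, the helper names and the fallback that treats an allowlist with no resolvable entries as absent are all assumptions; the page does not state the exact degradation mechanism.

```typescript
// Added illustration, not the project's code. Tool names, the group and the
// "nothing resolved means unrestricted" fallback are assumptions for the demo.
type AllowMode = "strict" | "compat";

interface AllowResolution {
  allowed: string[];  // tools the agent may call
  warnings: string[]; // unknown entries reported in compat mode
}

const CORE_TOOLS = ["read", "write", "exec"]; // constructed
const GROUPS: Record<string, string[]> = { "group:fs": ["read", "write"] };

function resolveAllowlist(allow: string[], mode: AllowMode = "strict"): AllowResolution {
  const allowed: string[] = [];
  const unknown: string[] = [];
  const add = (tool: string): void => {
    if (allowed.indexOf(tool) === -1) allowed.push(tool);
  };
  for (const entry of allow) {
    // hasOwnProperty keeps entries like "constructor" from matching the prototype.
    if (Object.prototype.hasOwnProperty.call(GROUPS, entry)) GROUPS[entry].forEach(add);
    else if (CORE_TOOLS.indexOf(entry) !== -1) add(entry);
    else unknown.push(entry);
  }
  if (unknown.length > 0 && mode === "strict") {
    // Fail closed: refuse to build a policy from a list that cannot be fully resolved.
    throw new Error(`unknown tools.allow entries: ${unknown.join(", ")}`);
  }
  const warnings = unknown.map((e) => `unknown allowlist entry ignored: ${e}`);
  // Assumed legacy fallback: no entry resolved, so the list is treated as absent.
  if (allowed.length === 0) return { allowed: CORE_TOOLS.slice(), warnings };
  return { allowed: allowed.sort(), warnings };
}

// Returns the strict-mode error message, or null when the list resolves cleanly.
function strictError(allow: string[]): string | null {
  try {
    resolveAllowlist(allow, "strict");
    return null;
  } catch (err) {
    return (err as Error).message;
  }
}
```

In this model, `resolveAllowlist(["plugin:search"], "compat")` returns every core tool plus one warning, while the same list in strict mode throws before any policy is built.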