fix: agent transport allows cross agent approval #169
Review
Summary: PR correctly addresses issue #168 by hiding
What works
Suggestions
Verdict
request changes — The duplicate guard in
@plind-junior I am going to move current branch from main branch to test branch.
Summary
This PR fixes #168 by disabling kb.approve and kb.reject on agent-facing transports by default.

Previously, the JSONL/MCP tool surface exposed kb.approve to agents. The self-approval guard blocked the same VOUCH_AGENT, but a second agent identity could approve another agent’s proposal and land a durable claim without human CLI review.

Now, decision tools are only available when the KB is explicitly configured as a trusted approval host.
Related Issue
Fixes: #168
Change Type
Real Behavior Proof
Before the fix, cross-agent approval succeeded:
After the fix, decision tools are hidden from default capabilities:
And cross-agent approval is blocked:
The proposal remains pending:
Checklist
kb.approve/kb.reject from default capabilities
kb.approve calls with method_not_found
Security Impact
This restores the intended review-gate boundary for default agent transports. Agents can still propose knowledge, but they cannot approve another agent’s proposal unless the operator explicitly enables decision tools for a trusted host.
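
The gate described in this PR, sketched as an added example (not code from the PR or the project): decision tools are advertised and dispatchable only when an operator opt-in is set, and the self-approval guard is kept as a second check. `KB`, `trusted_approval_host`, `capabilities`, `dispatch`, `kb.propose` and every error string except `method_not_found` are assumptions made for the illustration.

```python
# Added illustration. Only kb.approve, kb.reject, VOUCH_AGENT and
# method_not_found come from the PR text; every other name is hypothetical.
from dataclasses import dataclass, field

DECISION_TOOLS = {"kb.approve", "kb.reject"}
AGENT_TOOLS = {"kb.propose"}  # assumed name for the proposal tool


@dataclass
class KB:
    trusted_approval_host: bool = False  # hypothetical operator opt-in
    proposals: dict = field(default_factory=dict)  # id -> {"by", "status"}


def capabilities(kb):
    """Tools advertised on the agent-facing transport."""
    extra = DECISION_TOOLS if kb.trusted_approval_host else set()
    return sorted(AGENT_TOOLS | extra)


def dispatch(kb, agent, method, params):
    """Handle one request; `agent` stands in for the caller's VOUCH_AGENT."""
    # Gate on the advertised set so a hidden tool cannot be called blind.
    if method not in capabilities(kb):
        return {"error": "method_not_found"}
    if method == "kb.propose":
        pid = f"p{len(kb.proposals) + 1}"
        kb.proposals[pid] = {"by": agent, "status": "pending"}
        return {"result": pid}
    prop = kb.proposals.get(params.get("id"))
    if prop is None:
        return {"error": "unknown_proposal"}
    # Self-approval guard: it only stops the proposer's own identity, so it
    # is not a substitute for the gate above.
    if prop["by"] == agent:
        return {"error": "self_approval_forbidden"}
    prop["status"] = "approved" if method == "kb.approve" else "rejected"
    return {"result": prop["status"]}


def cross_agent_attempt(trusted):
    """Constructed scenario: agent-a proposes, agent-b tries to approve."""
    kb = KB(trusted_approval_host=trusted)
    pid = dispatch(kb, "agent-a", "kb.propose", {})["result"]
    reply = dispatch(kb, "agent-b", "kb.approve", {"id": pid})
    return reply, kb.proposals[pid]["status"]
```

With the default configuration `cross_agent_attempt(False)` leaves the proposal pending; with the opt-in set, the second identity's approval goes through, which is why that setting belongs only on a host the operator trusts to make decisions.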