feat: TOOL_RISK ratings for all 58 orchestrator tools

Add informational security risk ratings (low/medium/high) to every tool.
Groundwork for future auto-allow tiers (max_risk + whitelist + blacklist).
Breakdown: 36 low, 12 medium, 10 high.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-05-11 22:32:22 -04:00
parent ac06b3bc7b
commit c9c1ca7de6


@@ -227,6 +227,106 @@ CONFIRM_REQUIRED: set[str] = {
"ha_call_service",
}
# Security risk ratings — informational for now; will drive auto-allow tiers later.
# Unlisted tools default to "medium".
#
# low — read-only, sandboxed, no external side effects
# medium — writes to local/controlled data, or reads beyond project scope,
# or sends notifications to the same user
# high — affects external systems, physical devices, other users,
# or the host process/filesystem in ways that are hard to reverse
TOOL_RISK: dict[str, str] = {
# Web — read-only fetches are low; posting to external services is high
"web_search": "low",
"http_fetch": "low",
"web_read": "low",
"http_post": "high",
# Project Files — all read-only and project-sandboxed
"project_file_read": "low",
"project_file_list": "low",
"file_stat": "low",
"file_grep": "low",
"file_syntax_check": "low",
# System Files — reads beyond project scope are medium; writes are high
"file_read": "medium",
"file_list": "medium",
"file_write": "high",
"session_read": "low",
"session_search": "low",
# Shell — arbitrary execution and permission changes are high
"shell_exec": "high",
"claude_allow_dir": "high",
# System — read-only status is low; restart/update affect the live service
"cortex_logs": "low",
"cortex_status": "low",
"cortex_restart": "high",
"cortex_update": "high",
# Tasks — local persona data, all reversible
"task_list": "low",
"task_create": "low",
"task_update": "low",
"task_complete": "low",
# Cron — list is low; add/remove/toggle affect scheduled behavior
"cron_list": "low",
"cron_add": "medium",
"cron_remove": "medium",
"cron_toggle": "medium",
# Reminders — single-item ops are low; clear-all is medium
"reminders_add": "low",
"reminders_list": "low",
"reminders_remove": "low",
"reminders_clear": "medium",
# Scratchpad — local persona file, ephemeral by design
"scratch_read": "low",
"scratch_write": "low",
"scratch_append": "low",
"scratch_clear": "low",
# Notifications — push to same user is medium; external messages are high
"web_push": "medium",
"nc_talk_send": "high",
"nc_talk_history": "low",
"email_send": "high",
# Aether Journals — reads are low; writes to external DB are medium
"ae_journal_list": "low",
"ae_journal_search": "low",
"ae_journal_entries_list": "low",
"ae_journal_entry_read": "low",
"ae_journal_entry_create": "medium",
"ae_journal_entry_update": "medium",
"ae_journal_entry_disable": "medium",
"ae_journal_entry_append": "medium",
"ae_journal_entry_prepend": "medium",
# Aether Tasks
"ae_task_list": "low",
# Agent Notes — local persona file
"agent_notes_read": "low",
"agent_notes_write": "low",
"agent_notes_append": "low",
"agent_notes_clear": "low",
# Agents — spawning a subprocess with broad permissions is high
"spawn_agent": "high",
# Home Assistant — reads are low; controlling physical devices is high
"ha_get_state": "low",
"ha_get_states": "low",
"ha_call_service": "high",
}
_RISK_RANK: dict[str, int] = {"low": 0, "medium": 1, "high": 2}
_ROLE_RANK: dict[str, int] = {"user": 0, "admin": 1}
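Review bot: The annotation on the `TOOL_RISK: dict[str, str] = {` line accepts any string, so a mistyped rating would not be caught until a later `_RISK_RANK` lookup, or would silently fall through whatever default that lookup uses; declare the values as `Literal["low", "medium", "high"]` and validate the table at import with `assert set(TOOL_RISK.values()) <= _RISK_RANK.keys(), "TOOL_RISK has an unknown rating"`. The header comment's choice that unlisted tools default to "medium" is fail-open once the planned auto-allow tiers exist, since a tool registered without a rating would be auto-allowed at a medium tier; a check that every registered tool appears in `TOOL_RISK` (against whichever tool registry the dispatcher uses, which is not visible in this hunk), or a default of "high", would close that gap. The Web group rates `http_fetch` and `web_read` as low, yet the definition a few lines above puts reads beyond project scope at medium, and a fetch of an arbitrary URL issued from the host can reach internal or authenticated services, so these arguably belong at medium unless a URL policy is applied elsewhere. `cron_add` is rated medium while the actions it schedules may include high-rated tools; if the cron mechanism can invoke other tools, a comment such as `# effective risk is that of the scheduled action` would keep the rating from being read as a ceiling.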