diff --git a/cortex/tools/__init__.py b/cortex/tools/__init__.py
index 11f8dac..3e12925 100644
--- a/cortex/tools/__init__.py
+++ b/cortex/tools/__init__.py
@@ -227,6 +227,106 @@ CONFIRM_REQUIRED: set[str] = {
 "ha_call_service",
 }
+# Security risk ratings — informational for now; will drive auto-allow tiers later.
+# Unlisted tools default to "medium".
+#
+# low — read-only, sandboxed, no external side effects
+# medium — writes to local/controlled data, or reads beyond project scope,
+# or sends notifications to the same user
+# high — affects external systems, physical devices, other users,
+# or the host process/filesystem in ways that are hard to reverse
+TOOL_RISK: dict[str, str] = {
+ # Web — read-only fetches are low; posting to external services is high
+ "web_search": "low",
+ "http_fetch": "low",
+ "web_read": "low",
+ "http_post": "high",
+
+ # Project Files — all read-only and project-sandboxed
+ "project_file_read": "low",
+ "project_file_list": "low",
+ "file_stat": "low",
+ "file_grep": "low",
+ "file_syntax_check": "low",
+
+ # System Files — reads beyond project scope are medium; writes are high
+ "file_read": "medium",
+ "file_list": "medium",
+ "file_write": "high",
+ "session_read": "low",
+ "session_search": "low",
+
+ # Shell — arbitrary execution and permission changes are high
+ "shell_exec": "high",
+ "claude_allow_dir": "high",
+
+ # System — read-only status is low; restart/update affect the live service
+ "cortex_logs": "low",
+ "cortex_status": "low",
+ "cortex_restart": "high",
+ "cortex_update": "high",
+
+ # Tasks — local persona data, all reversible
+ "task_list": "low",
+ "task_create": "low",
+ "task_update": "low",
+ "task_complete": "low",
+
+ # Cron — list is low; add/remove/toggle affect scheduled behavior
+ "cron_list": "low",
+ "cron_add": "medium",
+ "cron_remove": "medium",
+ "cron_toggle": "medium",
+
+ # Reminders — single-item ops are low; clear-all is medium
+ "reminders_add": "low",
+ "reminders_list": "low",
+ "reminders_remove": "low",
+ "reminders_clear": "medium",
+
+ # Scratchpad — local persona file, ephemeral by design
+ "scratch_read": "low",
+ "scratch_write": "low",
+ "scratch_append": "low",
+ "scratch_clear": "low",
+
+ # Notifications — push to same user is medium; external messages are high
+ "web_push": "medium",
+ "nc_talk_send": "high",
+ "nc_talk_history": "low",
+ "email_send": "high",
+
+ # Aether Journals — reads are low; writes to external DB are medium
+ "ae_journal_list": "low",
+ "ae_journal_search": "low",
+ "ae_journal_entries_list": "low",
+ "ae_journal_entry_read": "low",
+ "ae_journal_entry_create": "medium",
+ "ae_journal_entry_update": "medium",
+ "ae_journal_entry_disable": "medium",
+ "ae_journal_entry_append": "medium",
+ "ae_journal_entry_prepend": "medium",
+
+ # Aether Tasks
+ "ae_task_list": "low",
+
+ # Agent Notes — local persona file
+ "agent_notes_read": "low",
+ "agent_notes_write": "low",
+ "agent_notes_append": "low",
+ "agent_notes_clear": "low",
+
+ # Agents — spawning a subprocess with broad permissions is high
+ "spawn_agent": "high",
+
+ # Home Assistant — reads are low; controlling physical devices is high
+ "ha_get_state": "low",
+ "ha_get_states": "low",
+ "ha_call_service": "high",
+}
+
+_RISK_RANK: dict[str, int] = {"low": 0, "medium": 1, "high": 2}
+
 _ROLE_RANK: dict[str, int] = {"user": 0, "admin": 1}