daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(node2): wire calendar-service and core automation tools in router

Browse Source
This commit is contained in:
Apple
2026-03-01 01:37:13 -08:00
parent 9a36020316
commit de234112f3
11 changed files with 2226 additions and 378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

507
config/rbac_tools_matrix.yml Normal file
View File

@@ -0,0 +1,507 @@
# RBAC Tools Matrix
# Maps tool → action → entitlements required
# Enforced by tool_governance.py in gateway dispatch
#
# Entitlement format: tools.<tool_short>.<scope>
# Agents/users must have ALL listed entitlements to perform an action.
tools:
repo_tool:
actions:
tree:
entitlements: ["tools.repo.read"]
read:
entitlements: ["tools.repo.read"]
search:
entitlements: ["tools.repo.read"]
metadata:
entitlements: ["tools.repo.read"]
kb_tool:
actions:
search:
entitlements: ["tools.kb.read"]
snippets:
entitlements: ["tools.kb.read"]
open:
entitlements: ["tools.kb.read"]
sources:
entitlements: ["tools.kb.read"]
oncall_tool:
actions:
services_list:
entitlements: ["tools.oncall.read"]
service_health:
entitlements: ["tools.oncall.read"]
service_status:
entitlements: ["tools.oncall.read"]
runbook_search:
entitlements: ["tools.oncall.read"]
runbook_read:
entitlements: ["tools.oncall.read"]
deployments_recent:
entitlements: ["tools.oncall.read"]
incident_list:
entitlements: ["tools.oncall.read"]
incident_get:
entitlements: ["tools.oncall.read"]
incident_create:
entitlements: ["tools.oncall.incident_write"]
incident_close:
entitlements: ["tools.oncall.incident_write"]
incident_append_event:
entitlements: ["tools.oncall.incident_write"]
incident_attach_artifact:
entitlements: ["tools.oncall.incident_write"]
incident_followups_summary:
entitlements: ["tools.oncall.read"]
alert_to_incident:
entitlements: ["tools.oncall.incident_write", "tools.alerts.read", "tools.alerts.ack"]
incident_escalation_tool:
actions:
evaluate:
entitlements: ["tools.oncall.incident_write"]
auto_resolve_candidates:
entitlements: ["tools.oncall.incident_write"]
risk_engine_tool:
actions:
service:
entitlements: ["tools.risk.read"]
dashboard:
entitlements: ["tools.risk.read"]
policy:
entitlements: ["tools.risk.read"]
risk_history_tool:
actions:
snapshot:
entitlements: ["tools.risk.write"]
cleanup:
entitlements: ["tools.risk.write"]
series:
entitlements: ["tools.risk.read"]
digest:
entitlements: ["tools.risk.write"]
backlog_tool:
actions:
list:
entitlements: ["tools.backlog.read"]
get:
entitlements: ["tools.backlog.read"]
dashboard:
entitlements: ["tools.backlog.read"]
create:
entitlements: ["tools.backlog.write"]
upsert:
entitlements: ["tools.backlog.write"]
set_status:
entitlements: ["tools.backlog.write"]
add_comment:
entitlements: ["tools.backlog.write"]
close:
entitlements: ["tools.backlog.write"]
auto_generate_weekly:
entitlements: ["tools.backlog.admin"]
cleanup:
entitlements: ["tools.backlog.admin"]
architecture_pressure_tool:
actions:
service:
entitlements: ["tools.pressure.read"]
dashboard:
entitlements: ["tools.pressure.read"]
digest:
entitlements: ["tools.pressure.write"]
incident_intelligence_tool:
actions:
correlate:
entitlements: ["tools.oncall.read"]
recurrence:
entitlements: ["tools.oncall.read"]
buckets:
entitlements: ["tools.oncall.read"]
weekly_digest:
entitlements: ["tools.oncall.incident_write"] # writes FS artifacts + autofollowups
alert_ingest_tool:
actions:
ingest:
entitlements: ["tools.alerts.ingest"]
list:
entitlements: ["tools.alerts.read"]
get:
entitlements: ["tools.alerts.read"]
ack:
entitlements: ["tools.alerts.ack"]
claim:
entitlements: ["tools.alerts.claim"]
fail:
entitlements: ["tools.alerts.ack"]
observability_tool:
actions:
metrics_query:
entitlements: ["tools.observability.read"]
metrics_range:
entitlements: ["tools.observability.read"]
logs_query:
entitlements: ["tools.observability.read"]
traces_query:
entitlements: ["tools.observability.traces"]
service_overview:
entitlements: ["tools.observability.read"]
slo_snapshot:
entitlements: ["tools.observability.read"]
monitor_tool:
actions:
status:
entitlements: ["tools.monitor.read"]
pr_reviewer_tool:
actions:
review:
entitlements: ["tools.pr_review.use"]
gate:
entitlements: ["tools.pr_review.gate"]
contract_tool:
actions:
lint_openapi:
entitlements: ["tools.contract.use"]
diff_openapi:
entitlements: ["tools.contract.use"]
generate_client_stub:
entitlements: ["tools.contract.use"]
gate:
entitlements: ["tools.contract.gate"]
config_linter_tool:
actions:
lint:
entitlements: ["tools.config_lint.use"]
gate:
entitlements: ["tools.config_lint.gate"]
threatmodel_tool:
actions:
analyze_service:
entitlements: ["tools.threatmodel.use"]
analyze_diff:
entitlements: ["tools.threatmodel.use"]
generate_checklist:
entitlements: ["tools.threatmodel.use"]
gate:
entitlements: ["tools.threatmodel.gate"]
job_orchestrator_tool:
actions:
list_tasks:
entitlements: ["tools.jobs.use"]
start_task:
entitlements: ["tools.jobs.use"]
get_job:
entitlements: ["tools.jobs.use"]
cancel_job:
entitlements: ["tools.jobs.cancel"]
memory_search:
actions:
_default:
entitlements: ["tools.memory.read"]
graph_query:
actions:
_default:
entitlements: ["tools.memory.read"]
remember_fact:
actions:
_default:
entitlements: ["tools.memory.write"]
web_search:
actions:
_default:
entitlements: ["tools.web.read"]
web_extract:
actions:
_default:
entitlements: ["tools.web.read"]
crawl4ai_scrape:
actions:
_default:
entitlements: ["tools.web.read"]
image_generate:
actions:
_default:
entitlements: ["tools.media.generate"]
comfy_generate_image:
actions:
_default:
entitlements: ["tools.media.generate"]
comfy_generate_video:
actions:
_default:
entitlements: ["tools.media.generate"]
tts_speak:
actions:
_default:
entitlements: ["tools.media.generate"]
presentation_create:
actions:
_default:
entitlements: ["tools.docs.create"]
presentation_status:
actions:
_default:
entitlements: ["tools.docs.create"]
presentation_download:
actions:
_default:
entitlements: ["tools.docs.create"]
file_tool:
actions:
_default:
entitlements: ["tools.docs.create"]
market_data:
actions:
_default:
entitlements: ["tools.market.read"]
data_governance_tool:
actions:
digest_audit:
entitlements: ["tools.data_gov.read"]
scan_repo:
entitlements: ["tools.data_gov.read"]
scan_audit:
entitlements: ["tools.data_gov.read"]
retention_check:
entitlements: ["tools.data_gov.read"]
policy:
entitlements: ["tools.data_gov.read"]
gate:
entitlements: ["tools.data_gov.gate"]
cost_analyzer_tool:
actions:
digest:
entitlements: ["tools.cost.read"]
report:
entitlements: ["tools.cost.read"]
top:
entitlements: ["tools.cost.read"]
anomalies:
entitlements: ["tools.cost.read"]
weights:
entitlements: ["tools.cost.read"]
gate:
entitlements: ["tools.cost.gate"]
dependency_scanner_tool:
actions:
scan:
entitlements: ["tools.deps.read"]
gate:
entitlements: ["tools.deps.gate"]
drift_analyzer_tool:
actions:
analyze:
entitlements: ["tools.drift.read"]
gate:
entitlements: ["tools.drift.gate"]
calendar_tool:
actions:
connect:
entitlements: ["tools.calendar.use"]
list_calendars:
entitlements: ["tools.calendar.use"]
list_events:
entitlements: ["tools.calendar.use"]
get_event:
entitlements: ["tools.calendar.use"]
create_event:
entitlements: ["tools.calendar.use"]
update_event:
entitlements: ["tools.calendar.use"]
delete_event:
entitlements: ["tools.calendar.use"]
set_reminder:
entitlements: ["tools.calendar.use"]
agent_email_tool:
actions:
create_inbox:
entitlements: ["tools.email.use"]
list_inboxes:
entitlements: ["tools.email.use"]
delete_inbox:
entitlements: ["tools.email.use"]
send:
entitlements: ["tools.email.use"]
receive:
entitlements: ["tools.email.use"]
analyze_email:
entitlements: ["tools.email.use"]
browser_tool:
actions:
_default:
entitlements: ["tools.browser.use"]
safe_code_executor_tool:
actions:
_default:
entitlements: ["tools.exec.safe"]
secure_vault_tool:
actions:
_default:
entitlements: ["tools.vault.manage"]
# ─── Role → Entitlements ─────────────────────────────────────────────────────
# Lists which entitlements each role has.
# Used by tool_governance.py to resolve agent role → entitlement set.
role_entitlements:
agent_default:
- tools.repo.read
- tools.kb.read
- tools.oncall.read
- tools.observability.read
- tools.memory.read
- tools.memory.write
- tools.web.read
- tools.media.generate
- tools.docs.create
- tools.jobs.use
agent_cto:
- tools.repo.read
- tools.kb.read
- tools.oncall.read
- tools.oncall.incident_write
- tools.alerts.ingest
- tools.alerts.read
- tools.alerts.ack
- tools.alerts.claim
- tools.observability.read
- tools.observability.traces
- tools.monitor.read
- tools.memory.read
- tools.memory.write
- tools.web.read
- tools.media.generate
- tools.docs.create
- tools.pr_review.use
- tools.pr_review.gate
- tools.contract.use
- tools.contract.gate
- tools.config_lint.use
- tools.config_lint.gate
- tools.threatmodel.use
- tools.threatmodel.gate
- tools.jobs.use
- tools.jobs.cancel
- tools.jobs.run.smoke
- tools.jobs.run.drift
- tools.jobs.run.backup
- tools.jobs.run.migrate
- tools.jobs.run.deploy
- tools.jobs.run.ops
- tools.deps.read
- tools.deps.gate
- tools.cost.read
- tools.cost.gate
- tools.data_gov.read
- tools.data_gov.gate
- tools.drift.read
- tools.drift.gate
- tools.risk.read
- tools.risk.write
- tools.pressure.read
- tools.pressure.write
- tools.backlog.read
- tools.backlog.write
- tools.backlog.admin
- tools.calendar.use
- tools.email.use
- tools.browser.use
- tools.exec.safe
- tools.vault.manage
agent_oncall:
- tools.repo.read
- tools.kb.read
- tools.oncall.read
- tools.oncall.incident_write
- tools.alerts.read
- tools.alerts.ack
- tools.alerts.claim
- tools.observability.read
- tools.monitor.read
- tools.memory.read
- tools.web.read
- tools.jobs.use
- tools.jobs.run.smoke
- tools.jobs.run.drift
- tools.jobs.run.ops
- tools.deps.read
- tools.drift.read
- tools.cost.read
- tools.data_gov.read
- tools.risk.read
- tools.risk.write
- tools.pressure.read
- tools.backlog.read
- tools.backlog.write
agent_media:
- tools.repo.read
- tools.kb.read
- tools.oncall.read
- tools.observability.read
- tools.memory.read
- tools.memory.write
- tools.web.read
- tools.media.generate
- tools.docs.create
- tools.jobs.use
agent_monitor:
# Read-only: observability, health, KB — no incident write, no jobs
# Can INGEST alerts (detect → alert), but NOT create incidents
- tools.oncall.read
- tools.observability.read
- tools.monitor.read
- tools.kb.read
- tools.alerts.ingest
- tools.risk.read
agent_interface:
# Minimal: KB + incident list/get + alert list/get + backlog read (read-only)
- tools.kb.read
- tools.oncall.read
- tools.alerts.read
- tools.backlog.read