# Sofiia Tools Audit (NODA2)

Date: 2026-03-01
Node: NODA2 (local laptop)
Scope: Router tool stack + requested integrations (AgentEmailTool, BrowserTool, SecureVault, SafeCodeExecutor, CalendarTool) + broader Sofiia tool system readiness.

## 1) Inventory and Wiring Integrity

- Tool definitions declared in router: **56 executable tools** (`services/router/tool_manager.py`)
- Tool dispatch branches in router: **56 tools**
- Dispatch-to-handler integrity check: **no missing handler definitions**

Evidence:
- Definitions source: `services/router/tool_manager.py`
- Dispatch source: `services/router/tool_manager.py`

## 2) NODA2 Infrastructure Readiness

Calendar stack is wired into NODA2 compose:
- `router` env has `CALENDAR_SERVICE_URL=http://calendar-service:8001`
- `router` mounts `./tools:/app/tools:ro` (required for local tool modules)
- `router` depends on `calendar-service`
- `calendar-service` service present and running
- `radicale` service present and running

Compose source:
- `docker-compose.node2-sofiia.yml`

## 3) Requested Tool Audit (Runtime)

### AgentEmailTool
- Route wiring: present
- RBAC mapping: present (`tools.email.use`)
- Limits: present
- Runtime check: `list_inboxes` -> `ok` (empty list expected on fresh setup)

### BrowserTool
- Route wiring: present
- RBAC mapping: present (`tools.browser.use`)
- Limits: present
- Runtime check: `start_session/goto/get_current_url/close_session` -> `ok`
- Async loop blocker resolved via thread offload in router adapter.

### SecureVault
- Route wiring: present
- RBAC mapping: present (`tools.vault.manage`)
- Limits: present
- Runtime check: `store` -> `ok`

### SafeCodeExecutor
- Route wiring: present
- RBAC mapping: present (`tools.exec.safe`)
- Limits: present
- Runtime check: `validate` -> `ok` (`python` sample valid)

### CalendarTool (Radicale/CalDAV via calendar-service)
- Route wiring: present
- RBAC mapping: present (`tools.calendar.use`)
- Limits: present
- Runtime check:
  - `calendar-service /health` -> healthy
  - `calendar_tool list_calendars` without `account_id` -> domain error `account_id required` (expected), proving router->service path is live.

## 4) RBAC and Governance Validation

Files present and active:
- `config/tools_rollout.yml`
- `config/rbac_tools_matrix.yml`
- `config/tool_limits.yml`

Validated outcomes:
- `sofiia` and `admin` mapped to `agent_cto` rollout
- New tools included in `cto_tools`
- Role entitlements include calendar/email/browser/executor/vault usage
- Negative check passed: `monitor` denied on `secure_vault_tool`

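
A negative check such as `monitor` denied on `secure_vault_tool` can be kept as a repeatable, deny-by-default test. The following is an added example, not the project's code: the dictionary layout standing in for `config/tools_rollout.yml` and `config/rbac_tools_matrix.yml` is an assumed schema, and `agent_monitor`, `monitor_tools`, `unmapped_demo_tool`, `ghost` and `tools.observability.read` are hypothetical names; only the five tool-to-entitlement pairs from section 3 come from this audit.

```python
# Constructed stand-ins for config/tools_rollout.yml and config/rbac_tools_matrix.yml.
# The key layout is an assumption; the audit does not show the real schema.
AGENT_ROLE = {"sofiia": "agent_cto", "admin": "agent_cto",
              "monitor": "agent_monitor"}              # agent_monitor is hypothetical
TOOL_GROUPS = {
    "cto_tools": ["agent_email_tool", "browser_tool", "secure_vault_tool",
                  "safe_code_executor_tool", "calendar_tool", "unmapped_demo_tool"],
    "monitor_tools": ["observability_tool"],           # hypothetical group
}
ROLE_GROUPS = {"agent_cto": ["cto_tools"], "agent_monitor": ["monitor_tools"]}
TOOL_ENTITLEMENT = {                                   # first five pairs: section 3
    "agent_email_tool": "tools.email.use",
    "browser_tool": "tools.browser.use",
    "secure_vault_tool": "tools.vault.manage",
    "safe_code_executor_tool": "tools.exec.safe",
    "calendar_tool": "tools.calendar.use",
    "observability_tool": "tools.observability.read",  # constructed placeholder
}
ROLE_ENTITLEMENTS = {
    "agent_cto": set(TOOL_ENTITLEMENT.values()) - {"tools.observability.read"},
    "agent_monitor": {"tools.observability.read"},
}

def is_allowed(agent, tool):
    """Deny by default; return (decision, reason)."""
    role = AGENT_ROLE.get(agent)
    if role is None:
        return False, "unknown agent"
    rolled_out = {t for g in ROLE_GROUPS.get(role, []) for t in TOOL_GROUPS.get(g, [])}
    if tool not in rolled_out:
        return False, "tool not in rollout"
    needed = TOOL_ENTITLEMENT.get(tool)
    if needed is None:
        return False, "tool has no RBAC mapping"       # fail closed on config gaps
    if needed not in ROLE_ENTITLEMENTS.get(role, set()):
        return False, "missing entitlement " + needed
    return True, "ok"

EXPECTATIONS = [  # (agent, tool, expected decision); negative cases included
    ("sofiia", "secure_vault_tool", True), ("admin", "calendar_tool", True),
    ("monitor", "observability_tool", True), ("monitor", "secure_vault_tool", False),
    ("sofiia", "unmapped_demo_tool", False), ("ghost", "browser_tool", False),
]

def audit(expectations=EXPECTATIONS):
    """Return every expectation the policy violates; an empty list means pass."""
    results = [(a, t, want, *is_allowed(a, t)) for a, t, want in expectations]
    return [r for r in results if r[2] != r[3]]
```

An empty result from `audit()` means every positive and negative expectation held; a tool that is rolled out but has no entitlement mapping is denied rather than allowed.
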
## 5) Sofiia CTO Access Audit (repo / notion / git / nodes)

### Repo access
- `repo_tool` available and callable
- Runtime check `repo_tool:metadata` -> `ok`

### Notion access
- `notion_tool` available and callable
- Runtime check `notion_tool:status` -> `ok` (workspace bot identity returned)

### Git/repo operational tooling
- `repo_tool`, `pr_reviewer_tool`, `contract_tool`, `kb_tool` are present in tool definitions and dispatch.

### Node visibility/control plane
- Console endpoint `GET /api/agents?nodes=NODA2` returns healthy agent registry for NODA2.
- Nodes registry file present: `config/nodes_registry.yml`

## 6) Documentation Coverage

Current docs directories found:
- `docs/tools/` (tool docs exist for key governance/ops tools)
- `docs/audit/` and `docs/audits/` (existing system audit artifacts)

Gap observed:
- Documentation depth is uneven across all 56 tools; some newer tools are wired and working but not yet fully documented in `docs/tools/`.

## 7) Current Risk Register (Audit Findings)

1. **Medium**: Calendar integration is operational, but no account was bootstrapped in this audit run (no connected calendar account is configured yet).
2. **Low/Medium**: Tool documentation is incomplete relative to the actual implemented tool surface (56 tools).
3. **Low**: Repo is in a very large dirty state; future changes should stay strictly path-scoped to avoid accidental mixed commits.

## 8) Appendix: Executable Tool Set (56)

- `agent_email_tool`
- `alert_ingest_tool`
- `architecture_pressure_tool`
- `backlog_tool`
- `binance_account_bots`
- `binance_bots_top`
- `browser_tool`
- `calc_window_quote`
- `calendar_tool`
- `comfy_generate_image`
- `comfy_generate_video`
- `config_linter_tool`
- `contract_tool`
- `cost_analyzer_tool`
- `crawl4ai_scrape`
- `crm_create_job`
- `crm_create_quote`
- `crm_search_client`
- `crm_update_quote`
- `crm_upsert_client`
- `crm_upsert_site`
- `crm_upsert_window_unit`
- `data_governance_tool`
- `dependency_scanner_tool`
- `docs_render_invoice_pdf`
- `docs_render_quote_pdf`
- `drift_analyzer_tool`
- `file_tool`
- `graph_query`
- `image_generate`
- `incident_escalation_tool`
- `incident_intelligence_tool`
- `job_orchestrator_tool`
- `kb_tool`
- `market_data`
- `memory_search`
- `notion_tool`
- `observability_tool`
- `oncall_tool`
- `pieces_tool`
- `pr_reviewer_tool`
- `presentation_create`
- `presentation_download`
- `presentation_status`
- `remember_fact`
- `repo_tool`
- `risk_engine_tool`
- `risk_history_tool`
- `safe_code_executor_tool`
- `schedule_confirm_slot`
- `schedule_propose_slots`
- `secure_vault_tool`
- `threatmodel_tool`
- `tts_speak`
- `web_extract`
- `web_search`