feat(security): grow Yerin's toolset (pending_review, resource_exposure, token_audit)

Three more read-only tools on securityRegistry: - pending_review: agent-proposed changes awaiting approval (injection surface) - resource_exposure: host/url/status attack-surface inventory (resources.listExposure, scalar cols only — no monitoring/metadata/credentials) - token_audit: token label/last_used/revoked, never the hash Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 00:17:45 +10:00
parent aa9cf0917e
commit c45246b918
6 changed files with 118 additions and 0 deletions
--- a/lib/ai/agent/tools/security/pending_review.js
+++ b/lib/ai/agent/tools/security/pending_review.js
@@ -0,0 +1,20 @@
+import * as pendingChanges from '../../../../db/repos/pending_changes.js';
+
+// The queue of agent-proposed mutations awaiting owner approval. This is exactly
+// where a prompt-injected or misbehaving agent's intent surfaces, so it's a
+// primary security-review surface.
+export const pendingReviewTool = {
+  name: 'pending_review',
+  description: 'List pending (unapproved) agent-proposed changes awaiting owner approval — the queue where a misbehaving or injected agent\'s intent shows up. Review these for anything unexpected.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      limit: { type: 'integer', description: 'max rows (default 50, max 200)' }
+    }
+  },
+  async handler({ limit } = {}, _ctx) {
+    const capped = Math.min(Math.max(Number(limit) || 50, 1), 200);
+    const pending = await pendingChanges.listPending({ limit: capped });
+    return { pending };
+  }
+};