Skip to content

feat(acp): add BUZZ_ACP_ALLOWED_RESPOND_TO and BUZZ_ALLOWED_CHANNEL_ADD_POLICIES gates#1304

Merged
wpfleger96 merged 4 commits into
mainfrom
duncan/acp-agent-sharing-config
Jun 26, 2026
Merged

feat(acp): add BUZZ_ACP_ALLOWED_RESPOND_TO and BUZZ_ALLOWED_CHANNEL_ADD_POLICIES gates#1304
wpfleger96 merged 4 commits into
mainfrom
duncan/acp-agent-sharing-config

Conversation

@wpfleger96

@wpfleger96 wpfleger96 commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Adds two deployment-level gates to restrict agent sharing configuration in internal Block releases without affecting OSS users.

What this does

BUZZ_ACP_ALLOWED_RESPOND_TO (crates/buzz-acp/src/config.rs): comma-separated list of permitted respond_to modes. When set, startup fails with a clear error if the configured mode is not in the list. Internal release sets this to owner-only,allowlist to exclude anyone. Default: empty (no restriction).

BUZZ_ALLOWED_CHANNEL_ADD_POLICIES (crates/buzz-cli/src/commands/channels.rs): comma-separated list of permitted channel_add_policy values. When set, buzz channels set-add-policy returns a user error if the requested policy is not in the list. Internal release sets this to owner_only,nobody to exclude anyone. Default: empty (no restriction).

Note: buzz channels set-add-policy is the only enforcement point — a client that submits a kind:10100 event directly to the relay bypasses this check. Full enforcement would require relay-side validation, which is intentionally out of scope (no relay-side changes in this arc).

Files changed

  • crates/buzz-acp/src/config.rsBUZZ_ACP_ALLOWED_RESPOND_TO in CliArgs, Config, from_args(), summary(); from_cli() refactored to call from_args(); integration tests
  • crates/buzz-acp/src/lib.rs — two test Config initializers updated with new field
  • crates/buzz-cli/src/commands/channels.rsBUZZ_ALLOWED_CHANNEL_ADD_POLICIES gate in cmd_set_add_policy; bypass comment; integration test

Behavior when flags are unset (default)

No behavior change. OSS deployments are unaffected.

Related

npub1mn7jgtj4w2pd0g0zeuhxsa6jy6p0rewxz4kujt98my82ahfmp72sxjexk7 and others added 4 commits June 26, 2026 12:01
…DD_POLICIES gates

Adds two deployment-level gates to restrict agent sharing configuration
in internal Block releases without affecting OSS users.

BUZZ_ACP_ALLOWED_RESPOND_TO (buzz-acp harness): comma-separated list of
permitted respond_to modes. When set, startup fails with a clear error if
the configured mode is not in the list. Internal release sets this to
owner-only,allowlist to exclude anyone. Default: empty (no restriction).

BUZZ_ALLOWED_CHANNEL_ADD_POLICIES (buzz-cli): comma-separated list of
permitted channel_add_policy values. When set, buzz channels set-add-policy
returns a user error if the requested policy is not in the list. Internal
release sets this to owner_only,nobody to exclude anyone. Default: empty
(no restriction).

Migration 0005 tightens the channel_add_policy column default from anyone
to owner_only so new agents start safe on all relays without operator action.
Updates migration count test and test_set_agent_owner_and_get_policy to
reflect the new default.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
Add Config::from_args() split from from_cli() so tests can exercise the
full CliArgs → validation path without process args. Three new integration
tests call Config::from_args() directly via CliArgs::try_parse_from,
verifying the BUZZ_ACP_ALLOWED_RESPOND_TO gate end-to-end.

Add cmd_set_add_policy integration test that calls the function directly
with BUZZ_ALLOWED_CHANNEL_ADD_POLICIES set, confirming the gate fires
before any network call.

Simplify Config::allowed_respond_to from HashSet<RespondTo> to Vec<String>
since the field is only used in summary() — removes the Eq+Hash dependency
from the validation path.

Add comment to cmd_set_add_policy documenting that the gate covers only
the CLI path; direct kind:10100 relay submission bypasses it (intentional
per team decision).

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
Remove migration 0005 (channel_add_policy default tightening) per
team decision to keep relay-side changes out of scope. Revert
associated test assertions in migration.rs and user.rs.

Also run cargo fmt to fix formatting diffs caught by CI lint check.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
…D_CHANNEL_ADD_POLICIES

Align with the ACP prefix convention used by BUZZ_ACP_ALLOWED_RESPOND_TO.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
@wpfleger96 wpfleger96 enabled auto-merge (squash) June 26, 2026 17:13
@wpfleger96 wpfleger96 merged commit 1a61d78 into main Jun 26, 2026
29 checks passed
@wpfleger96 wpfleger96 deleted the duncan/acp-agent-sharing-config branch June 26, 2026 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants