feat: add tasks:manage permission level to deny delete without blocking other writes
The consolidated manage_task tool bundles create/update/delete/move into a single tool, making it impossible to deny just the delete action via tool tiers or scope-based filtering. This adds: - A `manage` permission level for tasks (between readonly and full) - A SERVICE_DENIED_ACTIONS registry mapping (service, level) to denied actions - An is_action_denied() helper that tools call before executing actions - Guards in manage_task and manage_task_list that reject denied actions Usage: --permissions tasks:manage Allows create, update, move. Denies delete. tasks:full remains unchanged (all actions allowed). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
mickey-mikey
@@ -571,6 +571,7 @@ uv run main.py --permissions gmail:send drive:full --tool-tier core
|
||||
Granular permissions mode provides service-by-service scope control:
|
||||
- Format: `service:level` (one entry per service)
|
||||
- Gmail levels: `readonly`, `organize`, `drafts`, `send`, `full` (cumulative)
|
||||
- Tasks levels: `readonly`, `manage`, `full` (cumulative; `manage` allows create/update/move but denies delete)
|
||||
- Other services currently support: `readonly`, `full`
|
||||
- `--permissions` and `--read-only` are mutually exclusive
|
||||
- `--permissions` cannot be combined with `--tools`; enabled services are determined by the `--permissions` entries (optionally filtered by `--tool-tier`)
|
||||
|
||||
Reference in New Issue
Block a user