feat: validate visible_skills field at config load time

This commit is contained in:
2026-06-04 13:43:40 -06:00
parent 7b320e08c4
commit 84dcb3078b
6 changed files with 82 additions and 42 deletions
+20 -2
View File
@@ -3,7 +3,7 @@ use crate::render::{MarkdownRender, RenderOptions};
use crate::utils::{IS_STDOUT_TERMINAL, NO_COLOR, decode_bin, get_env_name}; use crate::utils::{IS_STDOUT_TERMINAL, NO_COLOR, decode_bin, get_env_name};
use super::paths; use super::paths;
use anyhow::{Context, Result, anyhow}; use anyhow::{Context, Result, anyhow, bail};
use gman::providers::SupportedProvider; use gman::providers::SupportedProvider;
use indexmap::IndexMap; use indexmap::IndexMap;
use serde::Deserialize; use serde::Deserialize;
@@ -216,6 +216,7 @@ impl AppConfig {
clients: config.clients, clients: config.clients,
}; };
app_config.load_envs(); app_config.load_envs();
app_config.validate_visible_skills()?;
if let Some(wrap) = app_config.wrap.clone() { if let Some(wrap) = app_config.wrap.clone() {
app_config.set_wrap(&wrap)?; app_config.set_wrap(&wrap)?;
} }
@@ -225,11 +226,28 @@ impl AppConfig {
Ok(app_config) Ok(app_config)
} }
fn validate_visible_skills(&self) -> Result<()> {
let Some(skills) = self.visible_skills.as_ref() else {
return Ok(());
};
for name in skills {
paths::validate_skill_name(name)
.map_err(|e| anyhow!("invalid entry in visible_skills: {e}"))?;
if !paths::has_skill(name) {
bail!("visible_skills references skill '{name}' which is not installed");
}
}
Ok(())
}
pub fn resolve_model(&mut self) -> Result<()> { pub fn resolve_model(&mut self) -> Result<()> {
if self.model_id.is_empty() { if self.model_id.is_empty() {
let models = list_models(self, crate::client::ModelType::Chat); let models = list_models(self, crate::client::ModelType::Chat);
if models.is_empty() { if models.is_empty() {
anyhow::bail!("No available model"); bail!("No available model");
} }
self.model_id = models[0].id(); self.model_id = models[0].id();
} }
-11
View File
@@ -289,17 +289,6 @@ pub fn has_skill(name: &str) -> bool {
skill_file(name).is_file() skill_file(name).is_file()
} }
pub fn list_visible_skills(visible: Option<&[String]>) -> Vec<String> {
let installed = list_skills();
match visible {
None => installed,
Some(allow) => installed
.into_iter()
.filter(|name| allow.iter().any(|v| v == name))
.collect(),
}
}
pub fn local_models_override() -> Result<Vec<ProviderModels>> { pub fn local_models_override() -> Result<Vec<ProviderModels>> {
let model_override_path = models_override_file(); let model_override_path = models_override_file();
let err = || { let err = || {
+14 -6
View File
@@ -1738,14 +1738,22 @@ impl RequestContext {
let raw: Option<String> = super::parse_value(value)?; let raw: Option<String> = super::parse_value(value)?;
let parsed: Option<Vec<String>> = raw.map(|s| super::csv_to_vec(&s)); let parsed: Option<Vec<String>> = raw.map(|s| super::csv_to_vec(&s));
if let Some(names) = parsed.as_ref() { if let Some(names) = parsed.as_ref() {
let visible = let visible = self.app.config.visible_skills.as_deref();
paths::list_visible_skills(self.app.config.visible_skills.as_deref());
for name in names { for name in names {
paths::validate_skill_name(name)?; paths::validate_skill_name(name)?;
if !visible.iter().any(|s| s == name) { match visible {
bail!( Some(vs) => {
"enabled_skills references skill '{name}' which is not visible (check global 'visible_skills' and that the skill is installed)" if !vs.iter().any(|s| s == name) {
); bail!(
"skill '{name}' is not in the global 'visible_skills' allow-list"
);
}
}
None => {
if !paths::has_skill(name) {
bail!("skill '{name}' is not installed");
}
}
} }
} }
} }
+19 -11
View File
@@ -4,7 +4,7 @@ use super::paths;
use super::role::Role; use super::role::Role;
use super::session::Session; use super::session::Session;
use anyhow::{Result, bail}; use anyhow::{Result, anyhow, bail};
use std::collections::HashSet; use std::collections::HashSet;
#[derive(Debug)] #[derive(Debug)]
@@ -76,16 +76,24 @@ impl SkillPolicy {
Some(explicit) => { Some(explicit) => {
let set: HashSet<String> = explicit.into_iter().collect(); let set: HashSet<String> = explicit.into_iter().collect();
for name in &set { for name in &set {
if !skill_exists(name) { paths::validate_skill_name(name).map_err(|e| {
bail!("enabled_skills references skill '{name}' which is not installed"); anyhow!("enabled_skills contains invalid name '{name}': {e}")
} })?;
match &visible {
if let Some(vs) = &visible Some(vs) => {
&& !vs.contains(name) if !vs.contains(name) {
{ bail!(
bail!( "enabled_skills references skill '{name}' which is not in the global 'visible_skills' allow-list"
"enabled_skills references skill '{name}' which is not in visible_skills" );
); }
}
None => {
if !skill_exists(name) {
bail!(
"enabled_skills references skill '{name}' which is not installed"
);
}
}
} }
} }
set set
+6 -1
View File
@@ -104,8 +104,13 @@ pub async fn handle_skill_tool(
fn handle_list(ctx: &RequestContext, policy: &SkillPolicy) -> Result<Value> { fn handle_list(ctx: &RequestContext, policy: &SkillPolicy) -> Result<Value> {
let mcp_on = ctx.app.config.mcp_server_support; let mcp_on = ctx.app.config.mcp_server_support;
let visible_names: Vec<String> = match ctx.app.config.visible_skills.as_deref() {
Some(list) => list.to_vec(),
None => paths::list_skills(),
};
let mut entries = Vec::new(); let mut entries = Vec::new();
for name in paths::list_visible_skills(ctx.app.config.visible_skills.as_deref()) { for name in visible_names {
if !policy.allows(&name) { if !policy.allows(&name) {
continue; continue;
} }
+23 -11
View File
@@ -196,9 +196,25 @@ impl GraphValidator {
.as_ref() .as_ref()
.and_then(|c| c.app_config.visible_skills.as_deref()); .and_then(|c| c.app_config.visible_skills.as_deref());
let is_visible = |name: &str| match visible_skills { let check_visibility = |name: &str| -> Option<String> {
None => true, match visible_skills {
Some(list) => list.iter().any(|s| s == name), Some(list) => {
if !list.iter().any(|s| s == name) {
Some(format!(
"'{name}' is not in the global 'visible_skills' allow-list"
))
} else {
None
}
}
None => {
if !paths::has_skill(name) {
Some(format!("'{name}' is not installed"))
} else {
None
}
}
}
}; };
if let Some(graph_skills) = &graph.enabled_skills { if let Some(graph_skills) = &graph.enabled_skills {
@@ -209,10 +225,9 @@ impl GraphValidator {
)); ));
continue; continue;
} }
if let Some(reason) = check_visibility(name) {
if !is_visible(name) {
result.error(ValidationError::new(format!( result.error(ValidationError::new(format!(
"graph 'enabled_skills' references '{name}' which is not in global 'visible_skills'" "graph 'enabled_skills': {reason}"
))); )));
} }
} }
@@ -234,13 +249,10 @@ impl GraphValidator {
)); ));
continue; continue;
} }
if let Some(reason) = check_visibility(name) {
if !is_visible(name) {
result.error(ValidationError::with_node( result.error(ValidationError::with_node(
node_id, node_id,
format!( format!("llm node 'enabled_skills': {reason}"),
"llm node 'enabled_skills' references '{name}' which is not in global 'visible_skills'"
),
)); ));
continue; continue;
} }