[_ADMIN_TOOLS] Same-named constant with different values in agent_loop.py and tool_execution.py #681

Closed
opened 2026-06-02 23:43:29 +02:00 by sleepy · 0 comments
Owner

_ADMIN_TOOLS set defined in two places, likely to drift

Duplicated constant

src/agent_loop.py:951-956:

_ADMIN_TOOLS = {
    "manage_session", "manage_skills", "manage_tasks",
    "manage_endpoints", "manage_mcp", "manage_webhooks", "manage_tokens",
    "manage_documents", "manage_settings", "create_session", "list_sessions",
    "send_to_session", "pipeline", "ask_teacher", "list_models",
}

src/tool_execution.py:170-180:

_ADMIN_TOOLS = {
    "manage_endpoints",
    "manage_mcp",
    "manage_webhooks",
    "manage_tokens",
    "manage_settings",
    "download_model",
    "serve_model",
    "stop_served_model",
    "cancel_download",
}

These are different sets — not just duplicated but semantically different:

  • agent_loop.py's version includes session/skills/tasks/pipeline/list_models but no cookbook tools
  • tool_execution.py's version includes cookbook tools but excludes session/skills/tasks

This looks intentional (prompt-level vs execution-level admin checks), but the same name _ADMIN_TOOLS in both files is confusing and risky. A future developer adding a tool to one and not the other creates a privilege inconsistency.

Fix

  • Rename to distinguish their purpose (e.g. _PROMPT_ADMIN_TOOLS vs _EXECUTION_ADMIN_TOOLS)
  • Or unify them into tool_security.py with clear documentation of the difference
  • Add a comment explaining why they differ
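An added example, not code from the odysseus repository: one way to keep both sets in a single module under distinct names and make CI fail when a tool is added to one side without an explicit decision. The set contents are copied from the issue above; every identifier defined here and the tool name `example_new_tool` are hypothetical.

```python
# Added example: not code from the odysseus repository. Set contents are copied
# from the issue; every name defined here is hypothetical.
PROMPT_ADMIN_TOOLS = frozenset({
    "manage_session", "manage_skills", "manage_tasks",
    "manage_endpoints", "manage_mcp", "manage_webhooks", "manage_tokens",
    "manage_documents", "manage_settings", "create_session", "list_sessions",
    "send_to_session", "pipeline", "ask_teacher", "list_models",
})
EXECUTION_ADMIN_TOOLS = frozenset({
    "manage_endpoints", "manage_mcp", "manage_webhooks", "manage_tokens",
    "manage_settings", "download_model", "serve_model", "stop_served_model",
    "cancel_download",
})

# Tools acknowledged as belonging to exactly one set (today's state per the issue).
# The reason for each asymmetry is for the maintainers to document here.
PROMPT_ONLY = frozenset({
    "manage_session", "manage_skills", "manage_tasks", "manage_documents",
    "create_session", "list_sessions", "send_to_session", "pipeline",
    "ask_teacher", "list_models",
})
EXECUTION_ONLY = frozenset({
    "download_model", "serve_model", "stop_served_model", "cancel_download",
})


def check_admin_tool_drift(prompt=PROMPT_ADMIN_TOOLS,
                           execution=EXECUTION_ADMIN_TOOLS,
                           prompt_only=PROMPT_ONLY,
                           execution_only=EXECUTION_ONLY):
    """Return a list of drift problems; an empty list means the sets agree
    everywhere except where a difference was explicitly acknowledged."""
    problems = []
    for tool in sorted((prompt - execution) - prompt_only):
        problems.append(f"{tool}: prompt-level only, not acknowledged")
    for tool in sorted((execution - prompt) - execution_only):
        problems.append(f"{tool}: execution-level only, not acknowledged")
    # An acknowledgement whose tool is no longer on exactly that side is stale.
    for tool in sorted(prompt_only - (prompt - execution)):
        problems.append(f"{tool}: stale prompt-only acknowledgement")
    for tool in sorted(execution_only - (execution - prompt)):
        problems.append(f"{tool}: stale execution-only acknowledgement")
    return problems


if __name__ == "__main__":
    # Constructed scenario: a new tool is gated at execution time only.
    drifted = EXECUTION_ADMIN_TOOLS | {"example_new_tool"}
    print(check_admin_tool_drift(execution=drifted))
```

Run as a unit test, this turns "added to one and not the other" into a build failure until the asymmetry is written down next to its reason.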
Reference
sleepy/odysseus#681