fix(wiggums): permission level — "normal" + default fallback to "medium"

legacyPermissionLevelForProfile had a switch with cases for
restricted/trusted/unrestricted only, no case for "normal" (the
DEFAULT autonomous session profile per auto/session.js:377). "normal"
fell through to default → "low" — too restrictive for autonomous work.

Witnessed M010/S04/T01: solver note "TypeScript compilation and git
diff blocked by low permission level" — SF couldn't verify its own
deliverable because permissions were locked down despite running in
autonomous mode.

Fix:
- "normal" → "medium" (allows tsc, git, npm test)
- default → "medium" (was "low"); unknown profiles shouldn't cripple
  autonomous executors. Operators wanting strict mode set
  profile: "restricted" explicitly.

Per operator intent 2026-05-17: "SF should have permission even if
it can limit its agents and only allow orchestrator or whatever."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mikael Hugo 2026-05-17 08:38:10 +02:00
parent 02bac88a63
commit 9bd7067b69

@ -241,15 +241,34 @@ function deriveWorkMode(unitType) {
* Consumer: runUnitViaSwarm dispatch envelopes.
*/
function legacyPermissionLevelForProfile(profile) {
// #wiggums: SF orchestrator runs autonomous work that requires running
// tsc / git diff / npm test for self-verification. Default "low" was
// too restrictive — executors couldn't verify their own deliverables.
// Per operator intent (2026-05-17): "SF should have permission even
// if it can limit its agents and only allow orchestrator or whatever."
// The parent SF process running the autonomous loop deserves enough
// permission to verify its work; sub-agents can still be further
// restricted via explicit envelope.executorPermissionLevel.
switch (profile) {
case "restricted":
return "minimal";
case "normal":
// DEFAULT autonomous session profile (auto/session.js:377).
// Witnessed M010/S04/T01: "TypeScript compilation and git diff
// blocked by low permission level" even though autonomous was
// running with the normal profile. "medium" allows common
// verification shell commands.
return "medium";
case "trusted":
return "medium";
case "unrestricted":
return "bypassed";
default:
return "low";
// Unknown profile: default to "medium" (was "low"). Autonomous
// work needs to run verification commands; an undefined profile
// shouldn't cripple the executor. Operators who want a
// restricted setup can set profile: "restricted" explicitly.
return "medium";
}
}
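Review bot: The `default:` branch of the switch now returns "medium" for any unrecognized profile, which makes this permission mapping fail open: a misspelled or differently cased "restricted" (which should yield "minimal") silently gets the same level as "trusted". The witnessed failure is already addressed by the new `case "normal":`, so the default does not need to change to fix it. Consider keeping the default at "low", or logging a warning that names the unknown profile before returning, so that only known profile names are raised. Separately, "normal" and "trusted" now return the same level, so the distinction between them has no effect in this function; a short comment saying this is intended, plus a test pinning the expected level for each profile and for an unknown one, would keep the mapping from drifting.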