From d352bd050abc6d9f6d46acb65815df4020b64eec Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Tue, 31 Mar 2026 14:21:36 +0900 Subject: [PATCH] docs: fix tools-invoke default deny list (was missing 8 of 13 entries) --- docs/gateway/tools-invoke-http-api.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/gateway/tools-invoke-http-api.md b/docs/gateway/tools-invoke-http-api.md index 5c22ee7830d..303b1094518 100644 --- a/docs/gateway/tools-invoke-http-api.md +++ b/docs/gateway/tools-invoke-http-api.md @@ -68,11 +68,19 @@ Important boundary notes: Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool): -- `cron` -- `sessions_spawn` -- `sessions_send` -- `gateway` -- `whatsapp_login` +- `exec` — direct command execution (RCE surface) +- `spawn` — arbitrary child process creation (RCE surface) +- `shell` — shell command execution (RCE surface) +- `fs_write` — arbitrary file mutation on the host +- `fs_delete` — arbitrary file deletion on the host +- `fs_move` — arbitrary file move/rename on the host +- `apply_patch` — patch application can rewrite arbitrary files +- `sessions_spawn` — session orchestration; spawning agents remotely is RCE +- `sessions_send` — cross-session message injection +- `cron` — persistent automation control plane +- `gateway` — gateway control plane; prevents reconfiguration via HTTP +- `nodes` — node command relay can reach system.run on paired hosts +- `whatsapp_login` — interactive setup requiring terminal QR scan; hangs on HTTP You can customize this deny list via `gateway.tools`:
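Review bot: The 13-entry list added in the `@@ -68,11 +68,19 @@` hunk is still a hand-maintained copy of the gateway's default, and the subject line shows how far such a copy can drift (8 of 13 entries missing) before anyone notices. Consider adding a sentence under the list that names where the default is defined in code, or a docs check that compares this list against it, so the next tool added to the deny list does not silently go undocumented. Because the list now includes the `exec`, `spawn` and `shell` entries marked as RCE surface, the trailing context line "You can customize this deny list via `gateway.tools`:" would benefit from stating that removing one of these entries re-exposes that tool over HTTP, if the text after it does not already say so. Minor style point: in the `nodes` entry, `system.run` is the only identifier in the list not wrapped in backticks.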