
feat(agent): add tool policy session boundary #2166

Merged
senamakel merged 6 commits into tinyhumansai:main from YOMXXX:feat/agent-tool-policy-layer
May 20, 2026

Conversation

@YOMXXX
Contributor

@YOMXXX YOMXXX commented May 19, 2026

Summary

  • Adds a new agent_tool_policy core domain for per-session task profiles and tool decisions.
  • Aligns prompt-visible tool schemas with runtime tool execution so restricted tools are both hidden from the model and blocked at call time.
  • Adds a compact Tool Policy Boundary prompt section only when a configured channel policy actually restricts tools.
  • Preserves legacy behavior when channel_permissions is empty; once configured, unknown channels fall back to readonly.
  • Adds focused Rust tests for policy resolution, prompt rendering, runtime denial, and the Composio config-reload CI blocker.

Problem

  • Agent sessions already had tool permission metadata and channel permissions, but there was no single session-level boundary tying agent identity, channel, entrypoint, prompt-visible tools, and runtime execution together.
  • That left a gap for Hermes-style task profiling: prompts could describe one tool surface while runtime enforcement depended on separate visibility checks.

Solution

  • Introduce ToolPolicyEngine and ToolPolicySession to resolve allowed/blocked tools from channel policy, visible-tool allowlists, and each tool's PermissionLevel.
  • Store the resolved policy on Agent and rebuild it when event context or visible tool names change.
  • Filter provider tool specs and prompt tool lists through the same policy snapshot.
  • Block disallowed tool calls in execute_tool_call before invoking the tool, returning a structured failure message.
  • Render a bounded prompt boundary for restricted sessions while keeping unrestricted legacy sessions prompt-compatible.
  • Anchor Composio agent-tool config reloads to the tool snapshot config path so coverage tests and runtime sessions do not follow unrelated OPENHUMAN_WORKSPACE mutations.

Submission Checklist

If a section does not apply to this change, mark the item as N/A with a one-line reason. Do not delete items.

  • Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
  • Diff coverage >= 80% — local merged diff coverage was not generated; Rust-only changed lines are covered by focused tests and pnpm test:rust, and CI coverage remains the merge gate.
  • Coverage matrix updated — N/A: no coverage-matrix feature row was added, removed, or renamed.
  • All affected feature IDs from the matrix are listed in the PR description under ## Related — N/A: no feature ID applies.
  • No new external network dependencies introduced (mock backend used per Testing Strategy)
  • Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md) — N/A: core policy guard only, no release manual smoke surface changed.
  • Linked issue closed via Closes #NNN in the ## Related section — N/A: no GitHub issue was provided for this B1 follow-up.

Impact

  • Runtime/platform impact: Rust core agent runtime only; no frontend, Tauri shell, or external API changes.
  • Security: improves least-privilege enforcement for configured channel policies.
  • Compatibility: empty channel_permissions preserves the legacy unrestricted tool surface and does not inject a policy prompt boundary.
  • Migration: none.

Related

  • Closes: N/A
  • Follow-up PR(s)/TODOs: B2 can layer richer Hermes-style task planning/approval UX on top of this session policy primitive.

AI Authored PR Metadata (required for Codex/Linear PRs)

Keep this section for AI-authored PRs. For human-only PRs, mark each field N/A.

Linear Issue

  • Key: N/A
  • URL: N/A

Commit & Branch

  • Branch: feat/agent-tool-policy-layer
  • Commit SHA: 8604c3bd3f9ab042289b84e6d30ae20c79a34025

Validation Run

  • pnpm --filter openhuman-app format:check — N/A: no frontend/app TypeScript files changed.
  • pnpm typecheck — N/A: no frontend/app TypeScript files changed.
  • Focused tests:
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml agent_tool_policy --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml execute_tool_call --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml system_prompt_includes_tool_policy_boundary --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml set_agent_definition_name_refreshes_tool_policy_identity --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml factory_routes_through_direct_when_mode_is_direct --lib -- --nocapture
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml composio::action_tool --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml composio::tools::tests --lib
  • Rust fmt/check (if changed):
    • cargo fmt --manifest-path Cargo.toml --all --check
    • GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml
    • pnpm test:rust (passed; emitted existing Rust warnings and a local Node engine warning: repo wants Node >=24, current v22.14.0)
    • git diff --check
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml composio::action_tool --lib
    • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml agent_tool_policy --lib
    • GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml
    • cargo fmt --manifest-path Cargo.toml --all --check (after merge from upstream/main)
  • Tauri fmt/check (if changed): N/A: Tauri shell untouched.

Validation Blocked

  • command: N/A
  • error: N/A
  • impact: N/A

Behavior Changes

  • Intended behavior change: configured channel permissions now create a session tool boundary that filters prompt-visible tools and blocks disallowed runtime tool calls.
  • User-visible effect: restricted channels avoid exposing or executing tools above their configured permission level.

Parity Contract

  • Legacy behavior preserved: empty channel_permissions keeps the previous unrestricted tool surface and omits the new prompt boundary.
  • Guard/fallback/dispatch parity checks: unknown channels fall back to readonly only after at least one channel policy is configured; hidden or denied tools fail before execution.

Duplicate / Superseded PR Handling

  • Duplicate PR(s): N/A
  • Canonical PR: this PR
  • Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

  • New Features

    • Per-session tool policy enforces which tools are visible/executable; blocked calls return clear "blocked by tool policy" results.
    • System prompts can include a compact "Tool Policy Boundary" summarizing allowed/restricted tools and agent identity (byte-limited).
    • Dispatchers can render tool-specific prompt instructions from the filtered tool list.
    • Agents rebuild policy when context/name/visibility changes; agent tools reload live config on each invocation.
  • Documentation

    • Clarified channel-permissions behavior and defaults when the permission map is empty.
  • Tests

    • Added tests for policy enforcement, prompt rendering, decision messages, and execution counting.

Review Change Stack

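A compact, self-contained model of the boundary described in the Summary, Solution and Parity Contract above, written here as an added example: it is not code from this PR or from the openhuman repository, and its type names only mirror the ones the description uses. Assumed for illustration: a three-rung PermissionLevel ladder (ReadOnly < ReadWrite < Full; the PR names only PermissionLevel and the read_only token), channel_permissions as a map from channel name to permission token, and tools identified by plain string names. It exercises the three behaviours the description commits to, namely that an empty map keeps the legacy unrestricted surface and renders no boundary, that a configured map sends unknown channels to readonly, and that the same snapshot which filters the prompt also denies the call at execution time. It additionally keeps hidden and blocked tools in separate sets and withholds blocked tool names from the rendered boundary, two points the review thread below raises.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Assumed permission ladder. The PR names only PermissionLevel and the
/// read_only token; the other rungs are illustrative.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum PermissionLevel { ReadOnly, ReadWrite, Full }

/// Accepts "readonly", "read_only" and "read-only" as one token.
pub fn parse_permission_level(raw: &str) -> Option<PermissionLevel> {
    let normalized: String = raw.trim().to_ascii_lowercase()
        .chars().filter(|c| *c != '_' && *c != '-').collect();
    match normalized.as_str() {
        "readonly" => Some(PermissionLevel::ReadOnly),
        "readwrite" => Some(PermissionLevel::ReadWrite),
        "full" => Some(PermissionLevel::Full),
        _ => None,
    }
}

/// None = no channel policy configured at all (legacy unrestricted surface).
/// Once any channel is configured, an unknown channel or an unparsable token
/// falls back to ReadOnly, never to the most permissive rung.
pub fn permission_for_channel(channel: &str, channel_permissions: &BTreeMap<String, String>) -> Option<PermissionLevel> {
    if channel_permissions.is_empty() { return None; }
    Some(channel_permissions.get(channel)
        .and_then(|raw| parse_permission_level(raw))
        .unwrap_or(PermissionLevel::ReadOnly))
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ToolPolicyAction { Allow, Deny, HideFromPrompt }

/// Snapshot resolved once per session; prompt filtering and execute-time
/// denial both consult it, so the model cannot see one surface and call another.
#[derive(Debug, Default)]
pub struct ToolPolicySession {
    pub allowed: BTreeSet<String>,
    pub blocked: BTreeSet<String>, // exceed the channel's permission level
    pub hidden: BTreeSet<String>,  // outside the visible-tool allowlist
    pub allowed_permission: Option<PermissionLevel>,
}

impl ToolPolicySession {
    pub fn build(channel: &str, channel_permissions: &BTreeMap<String, String>,
                 tools: &[(&str, PermissionLevel)], visible_names: &[&str]) -> Self {
        let allowed_permission = permission_for_channel(channel, channel_permissions);
        let mut session = Self { allowed_permission, ..Default::default() };
        for (name, required) in tools {
            let exceeds = matches!(allowed_permission, Some(max) if *required > max);
            let hidden = !visible_names.is_empty() && !visible_names.contains(name);
            let set = if exceeds { &mut session.blocked } else if hidden { &mut session.hidden } else { &mut session.allowed };
            set.insert(name.to_string());
        }
        session
    }

    pub fn decision_for(&self, tool: &str) -> ToolPolicyAction {
        if self.allowed.contains(tool) { ToolPolicyAction::Allow }
        else if self.hidden.contains(tool) { ToolPolicyAction::HideFromPrompt }
        else { ToolPolicyAction::Deny } // blocked, or never registered: deny by default
    }

    /// Rendered only when the channel policy actually restricts something, and it
    /// discloses the count of blocked tools, not their names. Truncation backs off
    /// to a char boundary so a multi-byte character is never cut in half.
    pub fn render_boundary(&self, max_bytes: usize) -> Option<String> {
        if self.blocked.is_empty() { return None; }
        let allowed: Vec<&str> = self.allowed.iter().map(String::as_str).collect();
        let mut text = format!(
            "## Tool Policy Boundary\n- Allowed tools: {}\n- Blocked tools: {} (names withheld)\n",
            allowed.join(", "), self.blocked.len());
        if text.len() > max_bytes {
            let mut cut = max_bytes;
            while !text.is_char_boundary(cut) { cut -= 1; }
            text.truncate(cut);
        }
        Some(text)
    }
}

/// Execute-time gate: the last line of defence if the model names a tool it was
/// never shown. Hidden and blocked tools both fail before the tool runs.
pub fn execute_tool_call(session: &ToolPolicySession, tool: &str) -> Result<String, String> {
    match session.decision_for(tool) {
        ToolPolicyAction::Allow => Ok(format!("{tool}: executed")),
        other => Err(format!("{tool}: blocked by tool policy ({other:?})")),
    }
}
```

The design point worth noting is that visibility and permission are deliberately different failure classes: a tool outside the allowlist is merely hidden and does not trigger a boundary section, while a tool above the channel's permission is blocked and does, but both are refused at execution time regardless of what the prompt showed.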
@YOMXXX YOMXXX requested a review from a team May 19, 2026 01:22
@coderabbitai
Contributor

coderabbitai Bot commented May 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 293f0c5c-ebc1-47d0-91fb-3ccf80fc5375

📥 Commits

Reviewing files that changed from the base of the PR and between d57d5bf and 8604c3b.

📒 Files selected for processing (2)
  • src/openhuman/agent/harness/session/builder.rs
  • src/openhuman/agent/harness/session/runtime.rs
💤 Files with no reviewable changes (2)
  • src/openhuman/agent/harness/session/runtime.rs
  • src/openhuman/agent/harness/session/builder.rs

📝 Walkthrough

Walkthrough

Adds a per-session tool policy subsystem (types, engine, prompt renderer), integrates policy snapshots into Agent build and runtime, enforces per-tool decisions at execution, updates prompt generation and dispatcher hook, and moves composio/config loads to per-tool live-config reloads with normalization and tests.

Changes

Tool Policy System

Layer / File(s) Summary
Module and crate exports
src/openhuman/agent_tool_policy/mod.rs, src/openhuman/mod.rs
Adds agent_tool_policy module and re-exports engine, prompt renderer, and core policy types; exposes module from crate root.
Dispatcher prompt hook and XML rendering
src/openhuman/agent/dispatcher.rs
Adds prompt_instructions_for_specs hook to ToolDispatcher and implements XmlToolDispatcher::prompt_instructions_from_specs to render XML instructions from a ToolSpec list.
Policy types and session snapshot
src/openhuman/agent_tool_policy/types.rs
Defines policy types: TaskRiskLevel, TaskProfile, ToolPolicyAction/ToolPolicyDecision, ToolCapability, and ToolPolicySession with query helpers.
Policy engine and permission parsing
src/openhuman/agent_tool_policy/engine.rs
Implements ToolPolicyEngine::build_session to derive TaskProfile, classify tools as allowed/blocked/hidden using visible_names and channel permissions; adds permission resolution and parsing helpers plus tests.
Policy boundary rendering
src/openhuman/agent_tool_policy/prompt.rs
Adds TOOL_POLICY_BOUNDARY_HEADING and render_tool_policy_boundary(session,max_bytes) with UTF-8-safe truncation and unit tests.
Agent struct policy field
src/openhuman/agent/harness/session/types.rs
Adds pub(super) tool_policy: ToolPolicySession to Agent session state.
AgentBuilder: build policy session and filter specs
src/openhuman/agent/harness/session/builder.rs
Adds visible_tool_specs_for_policy() and refactors AgentBuilder::build() to precompute config/ids, call ToolPolicyEngine::build_session(...), filter ToolSpec entries by allowlist+policy, set tool_policy and resolved config/ids on constructed Agent, and update session_key sanitization and filter logging.
Agent runtime: rebuild policy session
src/openhuman/agent/harness/session/runtime.rs
Adds rebuild_tool_policy_session() and triggers it from set_event_context, set_visible_tool_names, and set_agent_definition_name to refresh ToolPolicySession and visible_tool_specs.
Execution-time enforcement and prompt updates
src/openhuman/agent/harness/session/turn.rs
execute_tool_call consults tool_policy.decision_for and blocks denied tools with a formatted error; refresh_delegation_tools calls rebuild; build_system_prompt uses tool_policy.visible_tool_names_for_prompt and conditionally prefixes the prompt with render_tool_policy_boundary.
Tests and docs
src/openhuman/agent/harness/session/turn_tests.rs, src/openhuman/config/schema/agent.rs
Adds CountingWriteTool and tests asserting policy blocks write operations under read_only, that prompts contain Tool Policy Boundary and updated agent identity; updates AgentConfig::channel_permissions doc comment for empty/default behavior.
Live config reload (Composio & action tool)
src/openhuman/composio/action_tool.rs, src/openhuman/composio/tools.rs
Switches Composio tools and action tool to per-call reloads from tool-scoped snapshot paths (reload_config_snapshot_with_timeout(self.config.as_ref())) with scoped warnings and ToolResult::error on failure; updates related test comments.
Config normalization and targeted load
src/openhuman/config/ops.rs, src/openhuman/config/schema/load.rs
Centralizes normalize_loaded_config used by load_config_with_timeout and reload_config_snapshot_with_timeout; adds ProcessEnvWithoutWorkspace and Config::load_from_config_path(config_path, workspace_dir) for workspace-suppressed reloads.

Sequence Diagrams

sequenceDiagram
  participant AgentBuilder
  participant ToolPolicyEngine
  participant ToolPolicySession
  participant Agent
  AgentBuilder->>AgentBuilder: derive config, agent_definition_name, event_channel
  AgentBuilder->>ToolPolicyEngine: build_session(channel, permissions, tools, visible_names)
  ToolPolicyEngine->>ToolPolicySession: return session snapshot
  AgentBuilder->>AgentBuilder: filter specs via visible_tool_specs_for_policy
  AgentBuilder->>Agent: construct Agent with tool_policy, config, agent_definition_name, session_key
sequenceDiagram
  participant Agent
  participant ToolPolicySession
  participant Tool
  Agent->>Agent: execute_tool_call(call)
  Agent->>ToolPolicySession: decision_for(call.name)
  alt Decision Denied
    ToolPolicySession-->>Agent: ToolPolicyDecision(denied)
    Agent-->>Agent: return "blocked by tool policy" error (success=false)
  else Decision Allowed
    ToolPolicySession-->>Agent: ToolPolicyDecision(allowed)
    Agent->>Tool: execute_with_options(...)
    Tool-->>Agent: ToolResult
  end

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • tinyhumansai/openhuman#2137: Both PRs wire a per-tool authorization gate into session/turn.rs::Agent::execute_tool_call and update session/builder wiring.

Suggested reviewers

  • senamakel
  • graycyrus

🐰 I counted tools, and named the ones we keep,
I wrapped the prompt with a polite policy leap,
When write is blocked, I nudge with a beep,
Safe tools hop forward while the risky ones sleep.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(agent): add tool policy session boundary' accurately reflects the primary change: introducing a new tool policy session feature with boundary enforcement for the agent module.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot added the label "working" (A PR that is being worked on by the team.) May 19, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (1)
src/openhuman/agent/harness/session/turn.rs (1)

978-991: ⚡ Quick win

Log the resolved policy denial.

This branch returns a blocked-tool result but leaves no structured trace of why the call was denied. A debug!/trace! with tool, channel, required_permission, and allowed_permission would make policy decisions auditable when a session starts failing tool calls.

As per coding guidelines "Use log / tracing at debug or trace level on RPC entry and exit, error paths, state transitions, and any branch that is hard to infer from tests alone."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/agent/harness/session/turn.rs` around lines 978 - 991, Add a
debug/trace log when a tool call is denied in the branch that checks
self.tool_policy.decision_for(&call.name) and decision.is_denied(); log the tool
name (call.name), the event channel (self.event_channel), the resolved required
permission (decision.required_permission mapped to string or "unknown"), and the
allowed permission (decision.allowed_permission) before returning the blocked
result so policy decisions are auditable and follow the project's logging
guideline.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/agent_tool_policy/engine.rs`:
- Around line 58-67: The match arm in engine.rs that handles ToolPolicyAction
currently treats HideFromPrompt the same as Deny/RequireApproval by inserting
name.clone() into blocked_tool_names; change this so HideFromPrompt is not added
to blocked_tool_names — either remove HideFromPrompt from that arm and simply
skip inserting it, or add a separate hidden_tool_names set and insert into that
(while leaving RequireApproval and Deny inserting into blocked_tool_names); keep
allowed_tool_names behavior unchanged and update any downstream checks to
consult hidden_tool_names if you add it.
- Around line 15-119: Add structured debug/trace logging to trace policy
resolution: in permission_for_channel log the incoming channel and whether
channel_permissions was empty, the raw permission string looked up, and when
parse_permission_level returns None (the fallback to PermissionLevel::ReadOnly);
in parse_permission_level log the normalized input and when it fails to match
any case; and in build_session log per-tool decisions (tool.name(),
required_permission, allowed_permission, explicitly_hidden, exceeds_permission,
and the resulting ToolPolicyAction) before inserting into decisions/capabilities
so you can see state transitions for ToolPolicyDecision and ToolCapability. Use
the existing function names (build_session, permission_for_channel,
parse_permission_level) and enums (ToolPolicyAction, ToolPolicyDecision,
ToolCapability) and emit logs at debug/trace level via the project's
logging/tracing crate.

In `@src/openhuman/agent_tool_policy/prompt.rs`:
- Around line 39-49: The current prompt code writes out
session.blocked_tool_names into rendered (the writeln call that prints "-
Blocked tools: {}" using session.blocked_tool_names.iter()...), which exposes
restricted tool names to the model; change that write to emit a generic summary
instead (e.g. "- Some tools are blocked" or "- Blocked tools: <redacted> (N
tools)") and stop iterating/printing the actual names, leaving
session.blocked_tool_names only for internal logic and not for prompt text.

In `@src/openhuman/agent/harness/session/builder.rs`:
- Around line 357-371: The policy snapshot created by
ToolPolicyEngine::build_session is only used to filter provider tool specs via
visible_tool_specs_for_policy, but the earlier prompt builder still uses the
original static visible set and freezes that into ContextManager (so
set_visible_tool_names or a stricter channel policy won't prevent the model
being prompted to use disallowed tools); update the prompt assembly and
ContextManager initialization to consume the policy-derived visibility (use the
tool_policy / visible_tool_specs_unfiltered result instead of the original
visible_names when building tool-specific guidance and when calling
ContextManager constructors or setters like set_visible_tool_names), and ensure
any function that assembles prompt guidance (the prompt builder code path)
filters tool guidance through the same tool_policy before freezing state.

In `@src/openhuman/agent/harness/session/runtime.rs`:
- Around line 222-236: The session's tool policy isn't recomputed when the agent
identity is renamed because set_agent_definition_name() doesn't refresh the
snapshot taken by ToolPolicyEngine::build_session; update
set_agent_definition_name to call the existing rebuild_tool_policy_session()
after assigning self.agent_definition_name so self.tool_policy (and derived
values like self.visible_tool_specs based on self.visible_tool_names) are
rebuilt to reflect the new agent identity.

In `@src/openhuman/config/schema/agent.rs`:
- Around line 198-203: The docs and tests disagree on the permission token
spelling ("readonly" vs "read_only"); pick one canonical token and make the code
and docs consistent, or accept both by normalizing at parse time. Update the
documentation comment under "Per-channel maximum permission level" to use the
chosen canonical value (or list both as aliases), and add normalization in the
permission parsing logic (e.g., the function/method that parses per-channel
permission strings—implement a normalize_permission_level or map in the parser
that treats "read_only" and "readonly" as equivalent and converts to the
canonical internal value). Ensure any enum/variant names and tests/policy
fixtures use the same canonical token.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 098b86d4-8d50-4b66-a14c-a15ed941a162

📥 Commits

Reviewing files that changed from the base of the PR and between a719d78 and 55868df.

📒 Files selected for processing (11)
  • src/openhuman/agent/harness/session/builder.rs
  • src/openhuman/agent/harness/session/runtime.rs
  • src/openhuman/agent/harness/session/turn.rs
  • src/openhuman/agent/harness/session/turn_tests.rs
  • src/openhuman/agent/harness/session/types.rs
  • src/openhuman/agent_tool_policy/engine.rs
  • src/openhuman/agent_tool_policy/mod.rs
  • src/openhuman/agent_tool_policy/prompt.rs
  • src/openhuman/agent_tool_policy/types.rs
  • src/openhuman/config/schema/agent.rs
  • src/openhuman/mod.rs

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 19, 2026
coderabbitai[bot]
coderabbitai Bot previously approved these changes May 19, 2026
# Conflicts:
#	src/openhuman/composio/action_tool.rs
coderabbitai[bot]
coderabbitai Bot previously approved these changes May 19, 2026
@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

Current state after the latest update:

  • CI is green; CodeRabbit is SUCCESS and approved the latest head.
  • All prior review threads are resolved.
  • The branch was updated from main in d57d5bf3, so there is no known code/review blocker from my side.

Ready for human maintainer review/merge.

…icy-layer

# Conflicts:
#	src/openhuman/agent/harness/session/builder.rs
@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

@senamakel Updated #2166 with latest upstream/main and resolved the merge conflict in src/openhuman/agent/harness/session/builder.rs.

Conflict resolution kept both sides: explicit_preferences_enabled from current main, plus the tool-policy branch’s precomputed event_session_id / event_channel / agent_definition_name values used by ToolPolicyEngine.

Local validation on b616bbcf:

  • cargo fmt --manifest-path Cargo.toml -- --check
  • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml tool_policy --lib -q (11 passed)
  • GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml -q

PR is mergeable again; CI and CodeRabbit are rerunning on the new head. Please take another look when checks settle.

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
src/openhuman/agent/harness/session/runtime.rs (1)

223-238: ⚡ Quick win

Add a structured debug/trace log for policy rebuilds.

This helper is now the central state-transition point for tool_policy and visible_tool_specs, but the rebuild is silent. A single structured breadcrumb here would make later policy denials or prompt/spec mismatches much easier to trace.

Suggested diff
 pub(super) fn rebuild_tool_policy_session(&mut self) {
     self.tool_policy = ToolPolicyEngine::build_session(
         &self.agent_definition_name,
         &self.event_channel,
         "session",
         &self.config.channel_permissions,
         self.tools.as_slice(),
         &self.visible_tool_names,
     );
     let visible_specs = super::builder::visible_tool_specs_for_policy(
         self.tool_specs.as_slice(),
         &self.visible_tool_names,
         &self.tool_policy,
     );
     self.visible_tool_specs = Arc::new(super::builder::dedup_visible_tool_specs(visible_specs));
+    log::debug!(
+        target: "agent",
+        "[agent.tool_policy] rebuilt agent_definition_name={} channel={} visible_name_count={} visible_spec_count={} restricted_tool_count={}",
+        self.agent_definition_name,
+        self.event_channel,
+        self.visible_tool_names.len(),
+        self.visible_tool_specs.len(),
+        self.tool_policy.restricted_tool_count(),
+    );
 }
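Review bot: the added log line calls `self.tool_policy.restricted_tool_count()`, a method named nowhere else in this PR's file walkthrough (which lists ToolPolicySession "query helpers" without naming them), so confirm it exists before applying the diff or fall back to `self.tool_policy.blocked_tool_names.len()`, which the prompt-rendering code already reads. The breadcrumb also records `self.event_channel` but omits the literal `"session"` passed as the third argument to `build_session`; that value is a separate input from the channel (in the PR's own framing of "agent identity, channel, entrypoint" it reads as the entrypoint), and since it shapes the snapshot it belongs in the log alongside the channel if the rebuild is meant to be auditable.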

As per coding guidelines, "Use log / tracing at debug or trace level on RPC entry and exit, error paths, state transitions, and any branch that is hard to infer from tests alone. Use structured, grep-friendly context with stable prefixes."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/agent/harness/session/runtime.rs` around lines 223 - 238, Add a
structured debug/trace log entry to rebuild_tool_policy_session to record the
policy rebuild event and key state before/after the change: log at debug or
trace level inside rebuild_tool_policy_session (around the call to
ToolPolicyEngine::build_session and after computing visible_tool_specs via
visible_tool_specs_for_policy and dedup_visible_tool_specs) including stable
fields like agent_definition_name, channel (string "session"), count/list of
visible_tool_names, a short identifier or summary of the previous
self.tool_policy and new tool_policy (or a hash/ID), and the lengths of previous
and new self.visible_tool_specs; ensure the log uses structured key/value fields
and runs both on entry and after successful rebuild to make policy denials and
spec mismatches traceable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1e57aa08-5ac1-4237-a503-5e1d7e770946

📥 Commits

Reviewing files that changed from the base of the PR and between d57d5bf and b616bbc.

📒 Files selected for processing (6)
  • src/openhuman/agent/harness/session/builder.rs
  • src/openhuman/agent/harness/session/runtime.rs
  • src/openhuman/agent/harness/session/turn.rs
  • src/openhuman/agent/harness/session/turn_tests.rs
  • src/openhuman/agent/harness/session/types.rs
  • src/openhuman/config/schema/load.rs
🚧 Files skipped from review as they are similar to previous changes (5)
  • src/openhuman/agent/harness/session/types.rs
  • src/openhuman/agent/harness/session/turn_tests.rs
  • src/openhuman/agent/harness/session/turn.rs
  • src/openhuman/config/schema/load.rs
  • src/openhuman/agent/harness/session/builder.rs

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 20, 2026
@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

@senamakel CI is green on b616bbcf now. CodeRabbit is SUCCESS, all GitHub checks are SUCCESS or platform skips, and there are 0 unresolved review threads. GitHub reports mergeable=MERGEABLE; mergeStateStatus=BLOCKED appears to be the remaining human review/merge gate.

# Conflicts:
#	src/openhuman/agent/harness/session/turn.rs
#	src/openhuman/agent/harness/session/turn_tests.rs
#	src/openhuman/agent/harness/session/types.rs
#	src/openhuman/mod.rs
@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

@coderabbitai review

@coderabbitai
Contributor

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

@senamakel #2166 has been synced with the latest main and the conflicts resolved; the current head is 8604c3bd3f9ab042289b84e6d30ae20c79a34025, GitHub checks are 24 success / 2 skipped / 0 pending / 0 failure, the latest CodeRabbit review is approved, and there are 0 unresolved review threads. Please take another look.

@senamakel senamakel merged commit 0f79566 into tinyhumansai:main May 20, 2026
29 of 32 checks passed
mtkik pushed a commit to mtkik/openhuman-meet that referenced this pull request May 21, 2026
CodeGhost21 pushed a commit to CodeGhost21/openhuman that referenced this pull request May 22, 2026
AusAgentSmith pushed a commit to AusAgentSmith/openhuman that referenced this pull request May 23, 2026