Tinker
Resources
Agent logs
Agent memories
Agent sessions
Agent terminal logs
Agents
Comments
Epics
Projects
Proposals
Tickets
Avo user
Resources
Agent logs
Agent memories
Agent sessions
Agent terminal logs
Agents
Comments
Epics
Projects
Proposals
Tickets
Avo user
Home
Epics
Task 3: Role-Specific Tool Access Control
Edit
Task 3: Role-Specific Tool Access Control
Cancel
Save
Title
*
Project
*
Choose an option
alpha
tinker
Create new project
Description
**OBJECTIVE:** Implement MCP function access control based on agent roles, ensuring each agent type only has access to tools relevant to their designated duties. **TOOL ACCESS MATRIX:** **Orchestrator - Allowed Tools:** - `list_tasks` - View all project tasks - `create_ticket` - Create new tasks/subtasks - `get_ticket` - View task details - `update_ticket` - Modify task metadata (not implementation) - `add_comment` - Coordinate with agents - `search_memory` - Find past patterns - `store_memory` - Save architectural decisions - `transition_ticket` - Move tasks between states **Orchestrator - Blocked Tools:** - `claim_task` - Should not implement - `create_code_diff` - Should not implement - `finalize_task` - Should not approve own work - All file editing tools (Edit, Write) **Worker - Allowed Tools:** - `claim_task` - Pick up implementation tasks - `get_ticket` - View assigned task details - `update_ticket` - Update implementation progress - `create_code_diff` - Submit code for review - `add_comment` - Report progress/issues - `search_memory` - Find implementation patterns - `store_memory` - Save implementation learnings - `transition_ticket` - Move own tasks (e.g., start_work, submit_review) - `finalize_task` - Mark implementation complete - `checkpoint_task` - Save progress **Worker - Blocked Tools:** - `create_ticket` - Should not plan - `list_tasks` with filtering for assignment - Should not coordinate **Reviewer - Allowed Tools:** - `list_tasks` - Find tasks to review - `get_ticket` - View task details for review - `claim_task` - Claim review tasks - `add_comment` - Provide review feedback - `create_code_diff` - Submit review feedback - `transition_ticket` - Approve/reject tasks - `search_memory` - Find review patterns - `store_memory` - Save review learnings - `checkpoint_task` - Save review artifacts **Reviewer - Blocked Tools:** - `create_ticket` - Should not create new work - `update_ticket` - Should not modify implementation - `finalize_task` - Should not approve without review **TECHNICAL IMPLEMENTATION:** 1. **Create MCP middleware:** - `/lib/tinker/mcp_access_control.rb` - Intercept all MCP function calls - Check role permissions before execution - Return controlled error messages for blocked calls 2. **Configuration:** - `/config/tinker/mcp_permissions.yml` - Define role-to-function mappings - Support wildcards and exclusions 3. **Agent context injection:** - Pass agent role with each MCP call - Store role in session context - Validate role authenticity **FILES TO CREATE/MODIFY:** - `/lib/tinker/mcp_access_control.rb` (new) - `/config/tinker/mcp_permissions.yml` (new) - Modify MCP server initialization **ACCEPTANCE CRITERIA:** - Each role can only access allowed MCP functions - Blocked function calls return clear error messages - Access control works across all MCP tools - Role context is securely maintained - No privilege escalation possible
Avo
· © 2026 AvoHQ ·
v3.27.0
Close modal
Are you sure?
Yes, I'm sure
No, cancel
