feat: 添加 LocalMemoryRecallTool 和 VaultHttpFetchTool

- LocalMemoryRecallTool: 跨会话本地笔记召回，权限门控，大小限制 - VaultHttpFetchTool: 使用 vault 密钥的认证 HTTP 请求，ACL 规则 - agentToolFilter: 子 agent 工具继承过滤层 - ALL_AGENT_DISALLOWED_TOOLS 白名单更新 Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>
2026-06-22 16:25:51 +00:00 · 2026-05-09 23:04:12 +08:00
parent a2ea69c05e
commit 5bb0306da6
18 changed files with 3815 additions and 0 deletions
--- a/packages/builtin-tools/src/tools/VaultHttpFetchTool/prompt.ts
+++ b/packages/builtin-tools/src/tools/VaultHttpFetchTool/prompt.ts
@@ -0,0 +1,38 @@
+export const DESCRIPTION =
+  "Make an authenticated HTTPS request using a secret stored in the user's " +
+  'encrypted local vault (~/.claude/local-vault/). You only specify the vault ' +
+  'key NAME — never the secret value. The tool framework injects the secret ' +
+  'directly into a request header and the secret is NEVER returned in tool_result, ' +
+  'NEVER logged, NEVER passed to a shell. ' +
+  'Each vault key requires user pre-approval via permissions.allow: ' +
+  "['VaultHttpFetch(key-name)']. Whole-tool allow ('VaultHttpFetch' without " +
+  'parentheses) is rejected at settings parse time.'
+
+export const PROMPT = `VaultHttpFetch — authenticated HTTPS request with a vault-stored secret.
+
+Use for: HTTP API calls that need a Bearer token, Basic auth, X-Api-Key, or
+custom auth header. GitHub API, Stripe API, internal service auth, etc.
+
+Do NOT use for: shell commands needing secrets (git push, npm publish, ssh,
+docker login). Those are out of scope; the user must handle them externally.
+
+Request schema:
+  url             https:// only (HTTP/file/ftp rejected)
+  method          GET (default), POST, PUT, PATCH, DELETE
+  vault_auth_key  the vault key name (the secret value is fetched by the tool)
+  auth_scheme     bearer (default), basic, header_x_api_key, custom
+  auth_header_name when auth_scheme=custom, the HTTP header to use
+  body            request body (string; sent as-is)
+  body_content_type  defaults to application/json when body is set
+  reason          why you need this — appears in the user's permission prompt
+
+Response: { status, statusText, responseHeaders (sensitive headers redacted),
+  body (scrubbed of any secret-derived strings), or error }
+
+Permission model:
+  Default: ask (user prompt). Approving once for a key sets a per-key allow
+  the user can persist via the prompt UI. Whole-tool allow is forbidden.
+
+Always pass \`reason\` truthfully. The secret never appears in your context;
+the URL, method, key NAME, and reason all do appear in the transcript.
+`