Add ncl groups config add-mount / remove-mount#2432
Open
jumprope-jesse wants to merge 4 commits into
Open
Conversation
Channel-adapter installs from the channels branch: - src/channels/telegram.ts (+ markdown sanitizer + pairing helper, with tests) - src/channels/slack.ts - Wire both into src/channels/index.ts - Add @chat-adapter/telegram + @chat-adapter/slack deps; bump chat to 4.27.0 Also drop the legacy groups/global/CLAUDE.md and groups/main/CLAUDE.md (replaced by per-group CLAUDE.local.md under the new convention). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the local monitoring dashboard installed via /add-dashboard: - src/dashboard-pusher.ts collects agent-group / session / channel / user / token / context-window / activity / messages snapshots and POSTs them to the dashboard, plus tails logs/nanoclaw.log. - Optional dashboard block in src/index.ts boots both the dashboard HTTP server and the pusher when DASHBOARD_SECRET is set. - Imports use the actual repo paths (modules/agent-to-agent, modules/permissions) rather than the skill recipe's assumed src/db/ shortcuts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Patterned on add-mcp-server / add-package. Validation delegated to validateMount (modules/mount-security) — the same function the runner uses at spawn time — so operators get the accept/reject decision at approval time instead of silently at next restart. Read-only by default; --writable opts into RW (subject to the host-allowlist root's allowReadWrite).
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds two CLI verbs —
ncl groups config add-mountandncl groups config remove-mount— so additional bind mounts can be managed through the standard approval flow instead of requiring direct edits tocontainer.jsonor thecontainer_configsDB row.Patterned on the existing
config add-mcp-server/config add-packagehandlers. Validation is delegated tovalidateMountfromsrc/modules/mount-security/index.ts— the same function the container runner uses at spawn time — so operators get the accept/reject decision (and reason string) at approval time instead of silently at next restart.--writableopts into RW (subject to the host-allowlist root'sallowReadWrite).containerPathis a hard error (explicit beats silent replace).effective_readonly,resolved_host_path, and the fullmountsarray for parity withadd-mcp-server.Test plan
ncl groups config add-mount --id <group> --host-path <allowlisted-path> --container-path foo— succeeds;config getshows the new mount.--writableon a root that allows RW —effective_readonly: falsein response.--writableon a root that disallows RW — stored asreadonly: falsebuteffective_readonly: truereturned.--container-path /workspace/agent/foo— rejected byvalidateMount(absolute path).--container-path ../foo— rejected (..).--host-path /nonexistent— rejected with allowlist/existence reason.--container-path— rejected with clear message.remove-mountwith unknowncontainerPath— rejected.ncl groups restart, the mount appears in the running container at/workspace/extra/<containerPath>.