Open
Description
Summary
Expose workspace cloning as an optional chat tool for agent onboarding workflows, with strict policy controls.
Why
workspace-clone already exists in CLI and is useful, but occasionally we want agent-assisted repo onboarding from chat/system contexts.
This should be treated differently from normal read/write/publish operations because clone is higher risk and less frequent.
Proposed behavior
- Add chat tool: workspace_clone
- Keep default disabled behind a setting/feature flag
- Tool inputs:
  - repo_url (or owner/repo shorthand)
  - optional name
- Use existing workspace clone ability under the hood
Security requirements
- Host/org allowlist (e.g. github.com/Extra-Chill/*)
- Deny arbitrary protocols and non-allowlisted hosts
- Rate limit clone actions
- Log actor + repo URL + resulting workspace path
- Keep out of global pipeline toolset by default (chat/system only)
Acceptance criteria
- Chat tool implemented and disabled by default
- Allowlist enforcement with clear error messages
- Security/audit logging for every clone action
- Tests for URL validation + allowlist behavior
- Docs for onboarding workflow and safe defaults