Feature Request: UI for Infisical Permission Configuration #699

Description

@up-guillaume

Summary

Add a user interface in the Clawith web UI to configure Infisical God tool permissions per agent, instead of requiring direct SQL access.

Background

The backend permission system is already implemented (commit c38b7190):

  • Permissions are stored in agent_tools.config as JSON
  • Supports allowed_projects and allowed_commands restrictions
  • Currently configured via SQL: UPDATE agent_tools SET config = '{"allowed_projects": [...]}'::json WHERE ...

Proposed Solution

Add a configuration modal in the agent settings UI:

  1. Location: Agent Settings → Tools → infisical_god → ⚙️ icon
  2. Interface:
    • Checkboxes for allowed Infisical projects (fetched via API)
    • Checkboxes for allowed commands (16 total)
    • Save/Cancel buttons
  3. Backend API:
    • PATCH /api/v1/agents/{agent_id}/tools/{tool_id}/config
    • GET /api/v1/infisical/projects (list available projects)

Use Cases

  • Infra agents (DevOps Moiria, Clawith Maintainer): Full access to all projects
  • Tenant agents (Geo Presence, Elias Bridge): Restricted to their own project vault
  • Read-only agents: Limited to get-secret, list-secrets commands

Implementation Plan

See /data/workspace/PLAN_INFISICAL_UI.md for detailed implementation plan.

Estimated effort: 2-3 hours

  • Phase 1: Backend API (30 min)
  • Phase 2: Infisical projects API (20 min)
  • Phase 3: Frontend UI (1-2h)
  • Phase 4: Testing (30 min)

Priority

Medium - Current SQL-based configuration works, but UI would make it accessible to non-technical users.

Related

  • Commit c38b7190: Permission system implementation
  • /data/workspace/INFISICAL_GOD_BUILTIN.md: Technical documentation
  • /data/workspace/PLAN_INFISICAL_UI.md: Implementation plan
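
Added example, not part of the original issue and not Clawith's own code: a sketch of the server-side validation the proposed PATCH config endpoint would need before writing to agent_tools.config, plus a fail-closed check at enforcement time. The function names, the known_projects/known_commands parameters, the sample project names and the deny-by-default handling of a missing key are assumptions; the issue does not specify them.

```python
import json

ALLOWED_KEYS = {"allowed_projects", "allowed_commands"}  # the two keys named in the issue


def validate_tool_config(payload, known_projects, known_commands):
    """Return a normalized config dict for agent_tools.config, or raise ValueError.

    known_projects / known_commands are server-side sources of truth
    (hypothetical parameters); the client-submitted payload is never trusted.
    """
    if not isinstance(payload, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(payload) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown config keys: {sorted(unknown)}")
    clean = {}
    for key, known in (("allowed_projects", known_projects),
                       ("allowed_commands", known_commands)):
        values = payload.get(key, [])  # assumption: a missing key grants nothing
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{key} must be a list of strings")
        bad = sorted(set(values) - set(known))
        if bad:
            raise ValueError(f"{key} contains unknown entries: {bad}")
        clean[key] = sorted(set(values))  # de-duplicate, stable order
    return clean


def is_allowed(config, project, command):
    """Enforcement-side check: fail closed on malformed or missing config."""
    if not isinstance(config, dict):
        return False
    projects = config.get("allowed_projects")
    commands = config.get("allowed_commands")
    if not isinstance(projects, list) or not isinstance(commands, list):
        return False
    return project in projects and command in commands


# Constructed sample data: project names are placeholders, and only the two
# commands named in the issue appear (the full set of 16 is not listed there).
KNOWN_PROJECTS = ["project-a", "project-b"]
KNOWN_COMMANDS = ["get-secret", "list-secrets"]

if __name__ == "__main__":
    body = json.loads('{"allowed_projects": ["project-a"], "allowed_commands": ["get-secret"]}')
    cfg = validate_tool_config(body, KNOWN_PROJECTS, KNOWN_COMMANDS)
    print(cfg, is_allowed(cfg, "project-b", "get-secret"))
```

Validating against server-side lists keeps the UI checkboxes from being the only control: a hand-crafted PATCH body with an unknown project, command or extra key is rejected before it reaches the database.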
