feat(odin): say 'no permission' instead of 'missing feature' for denied areas

The system prompt now lists the data areas the caller's permissions filtered
out, so the model tells the user explicitly they lack rights to that module
(and can ask the admin) instead of guessing the feature does not exist or
pointing them at a module they cannot open. Tool-less users get the same
explicit phrasing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-11 08:07:52 +02:00
parent 302a0f8b3f
commit 4deabbfcc0
2 changed files with 39 additions and 1 deletions

View File

@@ -604,6 +604,29 @@ describe("agenticChat loop (SDK mocked)", () => {
});
});
it("names the denied areas in the system prompt for a limited user", async () => {
createMock.mockReset();
createMock.mockResolvedValueOnce({
stop_reason: "end_turn",
content: [{ type: "text", text: "Ok." }],
usage: { input_tokens: 10, output_tokens: 5 },
});
await agenticChat(
[{ role: "user", content: "Projekty?" }],
VIEWER_INVOICES,
);
const system: string = createMock.mock.calls[0][0].system;
// invoices.view grants the three invoice tools — everything else is
// listed as explicitly denied so the model says "no permission".
expect(system).toContain("NEMÁ v systému oprávnění");
expect(system).toContain("Projekty");
expect(system).toContain("Kniha jízd");
expect(system).not.toContain("Faktury vydané");
await prisma.ai_usage.deleteMany({
where: { user_id: VIEWER_INVOICES.userId, kind: "agent" },
});
});
it("a user without permissions gets NO tools passed to the model", async () => {
createMock.mockReset();
createMock.mockResolvedValueOnce({