fix: honor computer_use_require_admin in shipyard_neo tools

[1zzxy1]

Summary

• reuse the shared check_admin_permission helper for shipyard_neo browser tools
• reuse the same helper for Neo skill lifecycle tools
• add regression tests covering non-admin access when computer_use_require_admin=false

Testing

• uv run --group dev pytest tests/test_computer_tool_permissions.py tests/test_neo_skill_tools.py tests/test_profile_aware_tools.py -q
• uv run --group dev ruff check astrbot/core/computer/tools/browser.py astrbot/core/computer/tools/neo_skills.py tests/test_computer_tool_permissions.py tests/test_neo_skill_tools.py
• uv run --group dev ruff format --check astrbot/core/computer/tools/browser.py astrbot/core/computer/tools/neo_skills.py tests/test_computer_tool_permissions.py tests/test_neo_skill_tools.py

Closes #6916

Summary by Sourcery

Honor the configurable computer_use_require_admin setting for browser and Neo skill lifecycle tools while centralizing permission checks and adding regression coverage.

Enhancements:

• Use the shared check_admin_permission helper for browser and Neo skill lifecycle tools instead of local admin checks.

Tests:

• Add regression tests ensuring browser and Neo skill tools respect the computer_use_require_admin flag for admin and non-admin users.
• Update existing Neo skill tool tests to provide config and sender metadata required by the shared permission helper.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the permission handling for browser and Neo skill lifecycle tools. It replaces duplicated, custom admin checks with a centralized check_admin_permission helper, ensuring consistent enforcement of the computer_use_require_admin configuration. This change allows non-admin users to utilize these tools when the admin requirement is explicitly disabled, and it includes new tests to validate this behavior.

Highlights

• Permission Refactoring: Replaced custom admin permission checks in shipyard_neo browser tools with a shared check_admin_permission helper.
• Unified Skill Lifecycle Permissions: Applied the same shared check_admin_permission helper to Neo skill lifecycle tools.
• Enhanced Test Coverage: Added new regression tests to ensure correct behavior for non-admin access when computer_use_require_admin is set to false.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

Hey - I've left some high level feedback:

• The test fixtures in test_computer_tool_permissions.py (e.g., get_config lambdas inside SimpleNamespace) duplicate the configuration mocking already used in test_neo_skill_tools.py; consider extracting a shared helper for building ContextWrapper instances to keep the test setup consistent and easier to maintain.
• The error message passed to check_admin_permission (e.g., "Using browser tools", "Using skill lifecycle tools") is now user-facing; if these phrases are meant to align with existing error text elsewhere, consider centralizing them as constants or reusing previous wording to keep messages consistent across tools.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The test fixtures in `test_computer_tool_permissions.py` (e.g., `get_config` lambdas inside `SimpleNamespace`) duplicate the configuration mocking already used in `test_neo_skill_tools.py`; consider extracting a shared helper for building `ContextWrapper` instances to keep the test setup consistent and easier to maintain.
- The error message passed to `check_admin_permission` (e.g., `"Using browser tools"`, `"Using skill lifecycle tools"`) is now user-facing; if these phrases are meant to align with existing error text elsewhere, consider centralizing them as constants or reusing previous wording to keep messages consistent across tools.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request refactors the admin permission checking logic for browser and Neo skill tools. The previously duplicated _ensure_admin function has been removed from astrbot/core/computer/tools/browser.py and astrbot/core/computer/tools/neo_skills.py, and replaced with a centralized check_admin_permission function. New unit tests have been added in tests/test_computer_tool_permissions.py to verify the behavior of this new permission system under various configurations, and an existing test in tests/test_neo_skill_tools.py was updated to properly configure the context for the new permission checks. There is no feedback to provide.

[dosubot]

Documentation Updates

1 document(s) were updated by changes in this PR:

pr4697的改动

View Changes

@@ -253,6 +253,7 @@
 权限控制行为：
 - 非管理员用户尝试使用这些工具时，会收到权限拒绝错误，并提示联系管理员或使用 `/sid` 命令查看自己的用户 ID
 - 该修复确保所有 Computer Use 操作（Shell、Python、文件传输）受到统一的权限管理，防止非管理员用户在 Computer Use 工具可用时执行任何 sandbox 或本地环境操作
+- 若设置 `computer_use_require_admin: false`，则允许非管理员用户使用这些工具
 
 **Docker Compose 配置优化（PR #6191）**
 
@@ -661,13 +662,23 @@
 
 > ⚠️ **REVERTED**: 本节描述的所有 Neo 技能生命周期管理工具和功能已在 [PR #5624](https://github.com/AstrBotDevs/AstrBot/pull/5624) 中被完全移除，以下内容仅供历史参考。
 
-[PR #5028](https://github.com/AstrBotDevs/AstrBot/pull/5028) 新增了一套技能生命周期管理工具，支持在 `shipyard_neo` 运行时下进行技能自迭代闭环（执行取证 → payload/candidate → evaluate → promote → stable 回写本地 `SKILL.md`）。这些工具仅在使用 `shipyard_neo` 运行时且用户为管理员时可用。
+[PR #5028](https://github.com/AstrBotDevs/AstrBot/pull/5028) 新增了一套技能生命周期管理工具，支持在 `shipyard_neo` 运行时下进行技能自迭代闭环（执行取证 → payload/candidate → evaluate → promote → stable 回写本地 `SKILL.md`）。这些工具的管理员权限要求遵循 `computer_use_require_admin` 配置（默认为 `true`），启用时仅管理员用户可用。
 
 **浏览器自动化工具**：
 
 - `astrbot_execute_browser`：在沙盒中执行单条浏览器自动化命令
 - `astrbot_execute_browser_batch`：批量执行浏览器命令
 - `astrbot_run_browser_skill`：运行已发布的浏览器技能（通过 skill_key 调用）
+
+这些浏览器工具的管理员权限要求同样遵循 `computer_use_require_admin` 配置。当设置为 `true`（默认）时仅管理员用户可用，设置为 `false` 时允许非管理员用户访问。
+
+**权限控制实现改进（PR #6951）**：
+
+[PR #6951](https://github.com/AstrBotDevs/AstrBot/pull/6951) 改进了浏览器工具和 Neo 技能生命周期工具的权限控制实现，统一使用共享的 `check_admin_permission` 辅助函数，确保权限检查正确遵循 `computer_use_require_admin` 配置，替代了原有的硬编码管理员检查。
+
+- **重构前**：`browser.py` 和 `neo_skills.py` 各自实现了 `_ensure_admin()` 本地函数，硬编码检查 `context.context.event.role != "admin"`，不考虑 `computer_use_require_admin` 配置
+- **重构后**：两个模块统一调用 `check_admin_permission(context, "<action_name>")` 辅助函数，该函数会读取 `computer_use_require_admin` 配置，仅在配置启用时执行权限检查
+- **回归测试覆盖**：新增 `test_computer_tool_permissions.py` 测试文件，验证在 `computer_use_require_admin=false` 时非管理员用户可以正常访问浏览器工具和 Neo 技能工具，确保权限控制逻辑正确生效
 
 **执行历史与标注**：
 

^{How did I do? Any feedback?}