Two critical gaps in a2a_tools.py let any tenant workspace poison org-wide
(GLOBAL) memory and bypass all RBAC enforcement:
1. tool_commit_memory had no RBAC check — any agent could write any scope.
2. tool_commit_memory had no root-workspace enforcement for GLOBAL scope —
Tenant A could POST scope=GLOBAL and pollute the shared memory store
that Tenant B's agent reads as trusted context.
Fix adds:
- _ROLE_PERMISSIONS table (mirrors builtin_tools/audit.py) so a2a_tools
has isolated RBAC logic without depending on memory.py.
- _check_memory_write_permission() / _check_memory_read_permission() helpers:
evaluate RBAC roles from WorkspaceConfig; fail closed (deny) on errors.
- _is_root_workspace() / _get_workspace_tier(): read WorkspaceConfig.tier
(0 = root/org, 1+ = tenant) from config.yaml; fall back to
WORKSPACE_TIER env var.
- tool_commit_memory now (a) checks memory.write RBAC, (b) rejects
GLOBAL scope for non-root workspaces, (c) embeds workspace_id in the
POST body so the platform can namespace-isolate and audit cross-workspace
writes.
- tool_recall_memory now checks memory.read RBAC before any HTTP call,
and always sends workspace_id as a GET param for platform cross-validation.
Security regression tests added:
- GLOBAL scope denied for non-root (tier>0) workspaces.
- RBAC denial blocks all scope levels (including LOCAL) on write.
- RBAC denial blocks recall entirely.
- workspace_id present in POST body and GET params.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
e00797ba35