Set policies from the tools tree

[RhysSullivan]

Summary

• Tools page (and source-detail) gain a hover-revealed action menu on each tree row: Always run / Require approval / Block / Clear. Leaf rows submit the canonical tool id (stripe_api.account.getAccount); group rows submit the category wildcard (stripe_api.account.*). The detail-pane policy badge is also clickable and opens the same menu.
• New usePolicyActions(scopeId) hook centralizes the create/update/clear flow and auto-places new rules by specificity (longer/exact patterns sit above shorter wildcards) so a freshly-added group rule never silently shadows an existing leaf rule.
• ToolsPage rewritten to the same tree+detail layout source-detail uses; "Manage policies" link in the header for review/reorder.
• tools.list API now returns requiresApproval and includes blocked tools, mirroring sources.tools so the cross-source view can render plugin-default indicators.
• Shared display strings/colors moved to lib/policy-display.ts (used by tool-tree, tool-detail, policies page) so the action labels rename in one place.

Follow-up to #470 (now merged) — adds the actual UX so users can set policies from the tools view instead of having to type patterns into the policies page.

Test plan

• On /tools: hover a row → "..." trigger → pick Block → row's indicator dot turns red, tool fades.
• Set a leaf to Always run under a group that's blocked → confirm the leaf rule is auto-placed above the group rule on /policies (first-match-wins keeps the leaf precedent).
• Click "Manage policies" → policies show in expected order, badges display the same labels (Blocked / Always run / Require approval).
• On a source-detail page: same hover-menu works; same auto-placement.
• bun run --filter @executor-js/sdk test passes (no behavior change in the matcher).

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	executor-marketing	d1b0ddb	Commit Preview URL Branch Preview URL	May 02 2026, 05:17 AM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	executor-cloud	d1b0ddb	May 02 2026, 05:17 AM

[pkg-pr-new]

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@472

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@472

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@472

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@472

@executor-js/storage-core

npm i https://pkg.pr.new/@executor-js/storage-core@472

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@472

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@472

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@472

@executor-js/plugin-google-discovery

npm i https://pkg.pr.new/@executor-js/plugin-google-discovery@472

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@472

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@472

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@472

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@472

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@472

executor

npm i https://pkg.pr.new/executor@472

commit: d1b0ddb