fix(exec): resolve remote approval regressions (#58792)

* fix(exec): restore remote approval policy defaults * fix(exec): handle headless cron approval conflicts * fix(exec): make allow-always durable * fix(exec): persist exact-command shell trust * fix(doctor): match host exec fallback * fix(exec): preserve blocked and inline approval state * Doctor: surface allow-always ask bypass * Doctor: match effective exec policy * Exec: match node durable command text * Exec: tighten durable approval security * Exec: restore owner approver fallback * Config: refresh Slack approval metadata --------- Co-authored-by: scoootscooob <zhentongfan@gmail.com>
2026-04-22 14:41:34 +00:00 · 2026-04-01 18:07:20 +09:00
parent 4ceb01f9ed
commit 2d53ffdec1
34 changed files with 1609 additions and 226 deletions
--- a/src/node-host/exec-policy.ts
+++ b/src/node-host/exec-policy.ts
@@ -54,6 +54,7 @@ export function evaluateSystemRunPolicy(params: {
  ask: ExecAsk;
  analysisOk: boolean;
  allowlistSatisfied: boolean;
+  durableApprovalSatisfied?: boolean;
  approvalDecision: ExecApprovalDecision;
  approved?: boolean;
  isWindows: boolean;
@@ -87,6 +88,7 @@ export function evaluateSystemRunPolicy(params: {
    security: params.security,
    analysisOk,
    allowlistSatisfied,
+    durableApprovalSatisfied: params.durableApprovalSatisfied,
  });
  if (requiresAsk && !approvedByAsk) {
    return {
@@ -104,6 +106,18 @@ export function evaluateSystemRunPolicy(params: {
  }

  if (params.security === "allowlist" && (!analysisOk || !allowlistSatisfied) && !approvedByAsk) {
+    if (params.durableApprovalSatisfied) {
+      return {
+        allowed: true,
+        analysisOk,
+        allowlistSatisfied,
+        shellWrapperBlocked,
+        windowsShellWrapperBlocked,
+        requiresAsk,
+        approvalDecision: params.approvalDecision,
+        approvedByAsk,
+      };
+    }
    return {
      allowed: false,
      eventReason: "allowlist-miss",