vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): bind system.run approvals to exact argv text

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-11 01:25:19 +00:00
parent 8eac939417
commit 7289c19f1a
17 changed files with 241 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -222,6 +222,7 @@ Docs: https://docs.openclaw.ai
- Onboarding/API key input hardening: strip non-Latin1 Unicode artifacts from normalized secret input (while preserving Latin-1 content and internal spaces) so malformed copied API keys cannot trigger HTTP header `ByteString` construction crashes; adds regression coverage for shared normalization and MiniMax auth header usage. (#24496) Thanks @fa6maalassaf.
- Kimi Coding/Anthropic tools compatibility: normalize `anthropic-messages` tool payloads to OpenAI-style `tools[].function` + compatible `tool_choice` when targeting Kimi Coding endpoints, restoring tool-call workflows that regressed after v2026.3.2. (#37038) Thanks @mochimochimochi-hub.
- Heartbeat/workspace-path guardrails: append explicit workspace `HEARTBEAT.md` path guidance (and `docs/heartbeat.md` avoidance) to heartbeat prompts so heartbeat runs target workspace checklists reliably across packaged install layouts. (#37037) Thanks @stofancy.
- Node/system.run approvals: bind approval prompts to the exact executed argv text and show shell payload only as a secondary preview, closing basename-spoofed wrapper approval mismatches. Thanks @tdjackey.
- Subagents/kill-complete announce race: when a late `subagent-complete` lifecycle event arrives after an earlier kill marker, clear stale kill suppression/cleanup flags and re-run announce cleanup so finished runs no longer get silently swallowed. (#37024) Thanks @cmfinlan.
- Agents/tool-result cleanup timeout hardening: on embedded runner teardown idle timeouts, clear pending tool-call state without persisting synthetic `missing tool result` entries, preventing timeout cleanups from poisoning follow-up turns; adds regression coverage for timeout clear-vs-flush behavior. (#37081) Thanks @Coyote-Den.
- Agents/openai-completions stream timeout hardening: ensure runtime undici global dispatchers use extended streaming body/header timeouts (including env-proxy dispatcher mode) before embedded runs, reducing forced mid-stream `terminated` failures on long generations; adds regression coverage for dispatcher selection and idempotent reconfiguration. (#9708) Thanks @scottchguard.

10
src/cli/nodes-cli.coverage.test.ts
View File

@@ -174,7 +174,7 @@ describe("nodes-cli coverage", () => {
expect(invoke?.params?.command).toBe("system.run");
expect(invoke?.params?.params).toEqual({
command: ["echo", "hi"],
rawCommand: null,
rawCommand: "echo hi",
cwd: "/tmp",
env: { FOO: "bar" },
timeoutMs: 1200,
@@ -190,7 +190,8 @@ describe("nodes-cli coverage", () => {
expect(approval?.params?.["systemRunPlan"]).toEqual({
argv: ["echo", "hi"],
cwd: "/tmp",
rawCommand: null,
rawCommand: "echo hi",
commandPreview: null,
agentId: "main",
sessionKey: null,
});
@@ -213,7 +214,7 @@ describe("nodes-cli coverage", () => {
expect(invoke?.params?.command).toBe("system.run");
expect(invoke?.params?.params).toMatchObject({
command: ["/bin/sh", "-lc", "echo hi"],
rawCommand: "echo hi",
rawCommand: '/bin/sh -lc "echo hi"',
agentId: "main",
approved: true,
approvalDecision: "allow-once",
@@ -224,7 +225,8 @@ describe("nodes-cli coverage", () => {
expect(approval?.params?.["systemRunPlan"]).toEqual({
argv: ["/bin/sh", "-lc", "echo hi"],
cwd: null,
rawCommand: "echo hi",
rawCommand: '/bin/sh -lc "echo hi"',
commandPreview: "echo hi",
agentId: "main",
sessionKey: null,
});

31
src/discord/monitor/exec-approvals.ts
View File

@@ -105,6 +105,7 @@ type ExecApprovalContainerParams = {
title: string;
description?: string;
commandPreview: string;
commandSecondaryPreview?: string | null;
metadataLines?: string[];
actionRow?: Row<Button>;
footer?: string;
@@ -121,6 +122,11 @@ class ExecApprovalContainer extends DiscordUiContainer {
}
components.push(new Separator({ divider: true, spacing: "small" }));
components.push(new TextDisplay(`### Command\n\`\`\`\n${params.commandPreview}\n\`\`\``));
if (params.commandSecondaryPreview) {
components.push(
new TextDisplay(`### Shell Preview\n\`\`\`\n${params.commandSecondaryPreview}\n\`\`\``),
);
}
if (params.metadataLines?.length) {
components.push(new TextDisplay(params.metadataLines.join("\n")));
}
@@ -235,6 +241,16 @@ function formatCommandPreview(commandText: string, maxChars: number): string {
return commandRaw.replace(/`/g, "\u200b`");
}
function formatOptionalCommandPreview(
commandText: string | null | undefined,
maxChars: number,
): string | null {
if (!commandText) {
return null;
}
return formatCommandPreview(commandText, maxChars);
}
function createExecApprovalRequestContainer(params: {
request: ExecApprovalRequest;
cfg: OpenClawConfig;
@@ -243,6 +259,10 @@ function createExecApprovalRequestContainer(params: {
}): ExecApprovalContainer {
const commandText = params.request.request.command;
const commandPreview = formatCommandPreview(commandText, 1000);
const commandSecondaryPreview = formatOptionalCommandPreview(
params.request.request.commandPreview,
500,
);
const expiresAtSeconds = Math.max(0, Math.floor(params.request.expiresAtMs / 1000));
return new ExecApprovalContainer({
@@ -251,6 +271,7 @@ function createExecApprovalRequestContainer(params: {
title: "Exec Approval Required",
description: "A command needs your approval.",
commandPreview,
commandSecondaryPreview,
metadataLines: buildExecApprovalMetadataLines(params.request),
actionRow: params.actionRow,
footer: `Expires <t:${expiresAtSeconds}:R> · ID: ${params.request.id}`,
@@ -267,6 +288,10 @@ function createResolvedContainer(params: {
}): ExecApprovalContainer {
const commandText = params.request.request.command;
const commandPreview = formatCommandPreview(commandText, 500);
const commandSecondaryPreview = formatOptionalCommandPreview(
params.request.request.commandPreview,
300,
);
const decisionLabel =
params.decision === "allow-once"
@@ -288,6 +313,7 @@ function createResolvedContainer(params: {
title: `Exec Approval: ${decisionLabel}`,
description: params.resolvedBy ? `Resolved by ${params.resolvedBy}` : "Resolved",
commandPreview,
commandSecondaryPreview,
footer: `ID: ${params.request.id}`,
accentColor,
});
@@ -300,6 +326,10 @@ function createExpiredContainer(params: {
}): ExecApprovalContainer {
const commandText = params.request.request.command;
const commandPreview = formatCommandPreview(commandText, 500);
const commandSecondaryPreview = formatOptionalCommandPreview(
params.request.request.commandPreview,
300,
);
return new ExecApprovalContainer({
cfg: params.cfg,
@@ -307,6 +337,7 @@ function createExpiredContainer(params: {
title: "Exec Approval: Expired",
description: "This approval request has expired.",
commandPreview,
commandSecondaryPreview,
footer: `ID: ${params.request.id}`,
accentColor: "#99AAB5",
});

10
src/gateway/node-invoke-system-run-approval.test.ts
View File

@@ -278,7 +278,15 @@ describe("sanitizeSystemRunParamsForForwarding", () => {
const forwarded = result.params as Record<string, unknown>;
expect(forwarded.command).toEqual(["/usr/bin/echo", "SAFE"]);
expect(forwarded.rawCommand).toBe("/usr/bin/echo SAFE");
expect(forwarded.systemRunPlan).toEqual(record.request.systemRunPlan);
expect(forwarded.systemRunPlan).toEqual(
expect.objectContaining({
argv: ["/usr/bin/echo", "SAFE"],
cwd: "/real/cwd",
rawCommand: "/usr/bin/echo SAFE",
agentId: "main",
sessionKey: "agent:main:main",
}),
);
expect(forwarded.cwd).toBe("/real/cwd");
expect(forwarded.agentId).toBe("main");
expect(forwarded.sessionKey).toBe("agent:main:main");

1
src/gateway/protocol/schema/exec-approvals.ts
View File

@@ -96,6 +96,7 @@ export const ExecApprovalRequestParamsSchema = Type.Object(
argv: Type.Array(Type.String()),
cwd: Type.Union([Type.String(), Type.Null()]),
rawCommand: Type.Union([Type.String(), Type.Null()]),
commandPreview: Type.Optional(Type.Union([Type.String(), Type.Null()])),
agentId: Type.Union([Type.String(), Type.Null()]),
sessionKey: Type.Union([Type.String(), Type.Null()]),
mutableFileOperand: Type.Optional(

2
src/gateway/server-methods/exec-approval.ts
View File

@@ -75,6 +75,7 @@ export function createExecApprovalHandlers(
const effectiveAgentId = approvalContext.agentId;
const effectiveSessionKey = approvalContext.sessionKey;
const effectiveCommandText = approvalContext.commandText;
const effectiveCommandPreview = approvalContext.commandPreview;
if (host === "node" && !nodeId) {
respond(
false,
@@ -122,6 +123,7 @@ export function createExecApprovalHandlers(
}
const request = {
command: effectiveCommandText,
commandPreview: effectiveCommandPreview,
commandArgv: effectiveCommandArgv,
envKeys: systemRunBinding?.envKeys?.length ? systemRunBinding.envKeys : undefined,
systemRunBinding: systemRunBinding?.binding ?? null,

29
src/gateway/server-methods/server-methods.test.ts
View File

@@ -587,6 +587,7 @@ describe("exec approval handlers", () => {
argv: ["/usr/bin/echo", "ok"],
cwd: "/real/cwd",
rawCommand: "/usr/bin/echo ok",
commandPreview: "echo ok",
agentId: "main",
sessionKey: "agent:main:main",
},
@@ -596,6 +597,7 @@ describe("exec approval handlers", () => {
expect(requested).toBeTruthy();
const request = (requested?.payload as { request?: Record<string, unknown> })?.request ?? {};
expect(request["command"]).toBe("/usr/bin/echo ok");
expect(request["commandPreview"]).toBe("echo ok");
expect(request["commandArgv"]).toEqual(["/usr/bin/echo", "ok"]);
expect(request["cwd"]).toBe("/real/cwd");
expect(request["agentId"]).toBe("main");
@@ -604,11 +606,38 @@ describe("exec approval handlers", () => {
argv: ["/usr/bin/echo", "ok"],
cwd: "/real/cwd",
rawCommand: "/usr/bin/echo ok",
commandPreview: "echo ok",
agentId: "main",
sessionKey: "agent:main:main",
});
});
it("derives a command preview from the fallback command for older node plans", async () => {
const { handlers, broadcasts, respond, context } = createExecApprovalFixture();
await requestExecApproval({
handlers,
respond,
context,
params: {
timeoutMs: 10,
command: "jq --version",
commandArgv: ["./env", "sh", "-c", "jq --version"],
systemRunPlan: {
argv: ["./env", "sh", "-c", "jq --version"],
cwd: "/real/cwd",
rawCommand: './env sh -c "jq --version"',
agentId: "main",
sessionKey: "agent:main:main",
},
},
});
const requested = broadcasts.find((entry) => entry.event === "exec.approval.requested");
expect(requested).toBeTruthy();
const request = (requested?.payload as { request?: Record<string, unknown> })?.request ?? {};
expect(request["command"]).toBe('./env sh -c "jq --version"');
expect(request["commandPreview"]).toBe("jq --version");
});
it("accepts resolve during broadcast", async () => {
const manager = new ExecApprovalManager();
const handlers = createExecApprovalHandlers(manager);

2
src/infra/exec-approvals.ts
View File

@@ -53,6 +53,7 @@ export type SystemRunApprovalPlan = {
argv: string[];
cwd: string | null;
rawCommand: string | null;
commandPreview?: string | null;
agentId: string | null;
sessionKey: string | null;
mutableFileOperand?: SystemRunApprovalFileOperand | null;
@@ -60,6 +61,7 @@ export type SystemRunApprovalPlan = {
export type ExecApprovalRequestPayload = {
command: string;
commandPreview?: string | null;
commandArgv?: string[];
// Optional UI-safe env key preview for approval prompts.
envKeys?: string[];

1
src/infra/system-run-approval-binding.ts
View File

@@ -54,6 +54,7 @@ export function normalizeSystemRunApprovalPlan(value: unknown): SystemRunApprova
argv,
cwd: normalizeNonEmptyString(candidate.cwd),
rawCommand: normalizeNonEmptyString(candidate.rawCommand),
commandPreview: normalizeNonEmptyString(candidate.commandPreview),
agentId: normalizeNonEmptyString(candidate.agentId),
sessionKey: normalizeNonEmptyString(candidate.sessionKey),
mutableFileOperand: mutableFileOperand ?? undefined,

40
src/infra/system-run-approval-context.test.ts Normal file
View File

@@ -0,0 +1,40 @@
import { describe, expect, test } from "vitest";
import { resolveSystemRunApprovalRequestContext } from "./system-run-approval-context.js";
describe("resolveSystemRunApprovalRequestContext", () => {
test("uses full approval text and separate preview for node system.run plans", () => {
const context = resolveSystemRunApprovalRequestContext({
host: "node",
command: "jq --version",
systemRunPlan: {
argv: ["./env", "sh", "-c", "jq --version"],
cwd: "/tmp",
rawCommand: './env sh -c "jq --version"',
commandPreview: "jq --version",
agentId: "main",
sessionKey: "agent:main:main",
},
});
expect(context.commandText).toBe('./env sh -c "jq --version"');
expect(context.commandPreview).toBe("jq --version");
expect(context.commandArgv).toEqual(["./env", "sh", "-c", "jq --version"]);
});
test("derives preview from fallback command for older node plans", () => {
const context = resolveSystemRunApprovalRequestContext({
host: "node",
command: "jq --version",
systemRunPlan: {
argv: ["./env", "sh", "-c", "jq --version"],
cwd: "/tmp",
rawCommand: './env sh -c "jq --version"',
agentId: "main",
sessionKey: "agent:main:main",
},
});
expect(context.commandText).toBe('./env sh -c "jq --version"');
expect(context.commandPreview).toBe("jq --version");
});
});

18
src/infra/system-run-approval-context.ts
View File

@@ -12,6 +12,7 @@ type SystemRunApprovalRequestContext = {
plan: SystemRunApprovalPlan | null;
commandArgv: string[] | undefined;
commandText: string;
commandPreview: string | null;
cwd: string | null;
agentId: string | null;
sessionKey: string | null;
@@ -37,6 +38,17 @@ function normalizeCommandText(value: unknown): string {
return typeof value === "string" ? value : "";
}
function normalizeCommandPreview(
value: string | null | undefined,
authoritative: string,
): string | null {
const preview = normalizeNonEmptyString(value);
if (!preview || preview === authoritative) {
return null;
}
return preview;
}
export function parsePreparedSystemRunPayload(payload: unknown): PreparedRunPayload | null {
if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
return null;
@@ -63,10 +75,14 @@ export function resolveSystemRunApprovalRequestContext(params: {
const plan = host === "node" ? normalizeSystemRunApprovalPlan(params.systemRunPlan) : null;
const fallbackArgv = normalizeStringArray(params.commandArgv);
const fallbackCommand = normalizeCommandText(params.command);
const commandText = plan ? (plan.rawCommand ?? formatExecCommand(plan.argv)) : fallbackCommand;
return {
plan,
commandArgv: plan?.argv ?? (fallbackArgv.length > 0 ? fallbackArgv : undefined),
commandText: plan ? (plan.rawCommand ?? formatExecCommand(plan.argv)) : fallbackCommand,
commandText,
commandPreview: plan
? normalizeCommandPreview(plan.commandPreview ?? fallbackCommand, commandText)
: null,
cwd: plan?.cwd ?? normalizeNonEmptyString(params.cwd),
agentId: plan?.agentId ?? normalizeNonEmptyString(params.agentId),
sessionKey: plan?.sessionKey ?? normalizeNonEmptyString(params.sessionKey),

38
src/infra/system-run-command.test.ts
View File

@@ -106,6 +106,10 @@ describe("system run command helpers", () => {
rawCommand: "echo hi",
});
expect(res.ok).toBe(true);
if (!res.ok) {
throw new Error("unreachable");
}
expect(res.previewText).toBe("echo hi");
});
test("validateSystemRunCommandConsistency rejects shell-only rawCommand for positional-argv carrier wrappers", () => {
@@ -121,6 +125,10 @@ describe("system run command helpers", () => {
rawCommand: "echo hi",
});
expect(res.ok).toBe(true);
if (!res.ok) {
throw new Error("unreachable");
}
expect(res.previewText).toBe("echo hi");
});
test("validateSystemRunCommandConsistency rejects shell-only rawCommand for env assignment prelude", () => {
@@ -142,6 +150,7 @@ describe("system run command helpers", () => {
}
expect(res.shellCommand).toBe("echo hi");
expect(res.cmdText).toBe(raw);
expect(res.previewText).toBe(null);
});
test("validateSystemRunCommandConsistency rejects cmd.exe /c trailing-arg smuggling", () => {
@@ -180,6 +189,7 @@ describe("system run command helpers", () => {
expect(res.argv).toEqual(["cmd.exe", "/d", "/s", "/c", "echo", "SAFE&&whoami"]);
expect(res.shellCommand).toBe("echo SAFE&&whoami");
expect(res.cmdText).toBe("echo SAFE&&whoami");
expect(res.previewText).toBe("echo SAFE&&whoami");
});
test("resolveSystemRunCommand binds cmdText to full argv for shell-wrapper positional-argv carriers", () => {
@@ -192,6 +202,7 @@ describe("system run command helpers", () => {
}
expect(res.shellCommand).toBe('$0 "$1"');
expect(res.cmdText).toBe('/bin/sh -lc "$0 \\"$1\\"" /usr/bin/touch /tmp/marker');
expect(res.previewText).toBe(null);
});
test("resolveSystemRunCommand binds cmdText to full argv when env prelude modifies shell wrapper", () => {
@@ -204,5 +215,32 @@ describe("system run command helpers", () => {
}
expect(res.shellCommand).toBe("echo hi");
expect(res.cmdText).toBe('/usr/bin/env BASH_ENV=/tmp/payload.sh bash -lc "echo hi"');
expect(res.previewText).toBe(null);
});
test("resolveSystemRunCommand keeps wrapper preview separate from approval text", () => {
const res = resolveSystemRunCommand({
command: ["./env", "sh", "-c", "jq --version"],
});
expect(res.ok).toBe(true);
if (!res.ok) {
throw new Error("unreachable");
}
expect(res.cmdText).toBe("jq --version");
expect(res.previewText).toBe("jq --version");
});
test("resolveSystemRunCommand accepts canonical full argv text for wrapper approvals", () => {
const res = resolveSystemRunCommand({
command: ["./env", "sh", "-c", "jq --version"],
rawCommand: './env sh -c "jq --version"',
});
expect(res.ok).toBe(true);
if (!res.ok) {
throw new Error("unreachable");
}
expect(res.cmdText).toBe('./env sh -c "jq --version"');
expect(res.previewText).toBe("jq --version");
expect(res.shellCommand).toBe("jq --version");
});
});

50
src/infra/system-run-command.ts
View File

@@ -16,6 +16,7 @@ export type SystemRunCommandValidation =
ok: true;
shellCommand: string | null;
cmdText: string;
previewText: string | null;
}
| {
ok: false;
@@ -30,6 +31,7 @@ export type ResolvedSystemRunCommand =
rawCommand: string | null;
shellCommand: string | null;
cmdText: string;
previewText: string | null;
}
| {
ok: false;
@@ -112,35 +114,35 @@ export function validateSystemRunCommandConsistency(params: {
const envManipulationBeforeShellWrapper =
shellWrapperResolution.isWrapper && hasEnvManipulationBeforeShellWrapper(params.argv);
const mustBindDisplayToFullArgv = envManipulationBeforeShellWrapper || shellWrapperPositionalArgv;
const inferred =
shellCommand !== null && !mustBindDisplayToFullArgv
? shellCommand.trim()
: formatExecCommand(params.argv);
const formattedArgv = formatExecCommand(params.argv);
const legacyShellText =
shellCommand !== null && !mustBindDisplayToFullArgv ? shellCommand.trim() : null;
const previewText = legacyShellText;
const cmdText = raw ?? legacyShellText ?? formattedArgv;
if (raw && raw !== inferred) {
return {
ok: false,
message: "INVALID_REQUEST: rawCommand does not match command",
details: {
code: "RAW_COMMAND_MISMATCH",
rawCommand: raw,
inferred,
},
};
if (raw) {
const matchesCanonicalArgv = raw === formattedArgv;
const matchesLegacyShellText = legacyShellText !== null && raw === legacyShellText;
if (!matchesCanonicalArgv && !matchesLegacyShellText) {
return {
ok: false,
message: "INVALID_REQUEST: rawCommand does not match command",
details: {
code: "RAW_COMMAND_MISMATCH",
rawCommand: raw,
inferred: legacyShellText ?? formattedArgv,
formattedArgv,
},
};
}
}
return {
ok: true,
// Only treat this as a shell command when argv is a recognized shell wrapper.
// For direct argv execution and shell wrappers with env prelude modifiers,
// rawCommand is purely display/approval text and must match the formatted argv.
shellCommand:
shellCommand !== null
? envManipulationBeforeShellWrapper
? shellCommand
: (raw ?? shellCommand)
: null,
cmdText: raw ?? inferred,
shellCommand: shellCommand !== null ? shellCommand : null,
cmdText,
previewText,
};
}
@@ -167,6 +169,7 @@ export function resolveSystemRunCommand(params: {
rawCommand: null,
shellCommand: null,
cmdText: "",
previewText: null,
};
}
@@ -189,5 +192,6 @@ export function resolveSystemRunCommand(params: {
rawCommand: raw,
shellCommand: validation.shellCommand,
cmdText: validation.cmdText,
previewText: validation.previewText,
};
}

15
src/node-host/invoke-system-run-plan.test.ts
View File

@@ -22,6 +22,7 @@ type HardeningCase = {
expectedArgvChanged?: boolean;
expectedCmdText?: string;
checkRawCommandMatchesArgv?: boolean;
expectedCommandPreview?: string | null;
};
type ScriptOperandFixture = {
@@ -101,6 +102,7 @@ describe("hardenApprovedExecutionPaths", () => {
argv: ["env", "sh", "-c", "echo SAFE"],
expectedArgv: () => ["env", "sh", "-c", "echo SAFE"],
expectedCmdText: "echo SAFE",
expectedCommandPreview: "echo SAFE",
},
{
name: "preserves dispatch-wrapper argv during approval hardening",
@@ -135,6 +137,16 @@ describe("hardenApprovedExecutionPaths", () => {
withPathToken: true,
expectedArgv: ({ pathToken }) => [pathToken!.expected, "hello"],
checkRawCommandMatchesArgv: true,
expectedCommandPreview: null,
},
{
name: "stores full approval text and preview for path-qualified env wrappers",
mode: "build-plan",
argv: ["./env", "sh", "-c", "echo SAFE"],
expectedArgv: () => ["./env", "sh", "-c", "echo SAFE"],
expectedCmdText: "echo SAFE",
checkRawCommandMatchesArgv: true,
expectedCommandPreview: "echo SAFE",
},
];
@@ -168,6 +180,9 @@ describe("hardenApprovedExecutionPaths", () => {
if (testCase.checkRawCommandMatchesArgv) {
expect(prepared.plan.rawCommand).toBe(formatExecCommand(prepared.plan.argv));
}
if ("expectedCommandPreview" in testCase) {
expect(prepared.plan.commandPreview ?? null).toBe(testCase.expectedCommandPreview);
}
return;
}

11
src/node-host/invoke-system-run-plan.ts
View File

@@ -650,9 +650,11 @@ export function buildSystemRunApprovalPlan(params: {
if (!hardening.ok) {
return { ok: false, message: hardening.message };
}
const rawCommand = hardening.argvChanged
? formatExecCommand(hardening.argv) || null
: command.cmdText.trim() || null;
const rawCommand = formatExecCommand(hardening.argv) || null;
const commandPreview =
command.previewText?.trim() && command.previewText.trim() !== rawCommand
? command.previewText.trim()
: null;
const mutableFileOperand = resolveMutableFileOperandSnapshotSync({
argv: hardening.argv,
cwd: hardening.cwd,
@@ -666,10 +668,11 @@ export function buildSystemRunApprovalPlan(params: {
argv: hardening.argv,
cwd: hardening.cwd ?? null,
rawCommand,
commandPreview,
agentId: normalizeString(params.agentId),
sessionKey: normalizeString(params.sessionKey),
mutableFileOperand: mutableFileOperand.snapshot ?? undefined,
},
cmdText: rawCommand ?? formatExecCommand(hardening.argv),
cmdText: commandPreview ?? rawCommand ?? formatExecCommand(hardening.argv),
};
}

7
src/test-utils/system-run-prepare-payload.ts
View File

@@ -1,3 +1,5 @@
import { formatExecCommand } from "../infra/system-run-command.js";
type SystemRunPrepareInput = {
command?: unknown;
rawCommand?: unknown;
@@ -12,13 +14,16 @@ export function buildSystemRunPreparePayload(params: SystemRunPrepareInput) {
typeof params.rawCommand === "string" && params.rawCommand.trim().length > 0
? params.rawCommand
: null;
const formattedArgv = formatExecCommand(argv) || null;
const commandPreview = rawCommand && rawCommand !== formattedArgv ? rawCommand : null;
return {
payload: {
cmdText: rawCommand ?? argv.join(" "),
plan: {
argv,
cwd: typeof params.cwd === "string" ? params.cwd : null,
rawCommand,
rawCommand: formattedArgv,
commandPreview,
agentId: typeof params.agentId === "string" ? params.agentId : null,
sessionKey: typeof params.sessionKey === "string" ? params.sessionKey : null,
},

9
test/fixtures/system-run-command-contract.json vendored
View File

@@ -53,6 +53,15 @@
"displayCommand": "echo hi"
}
},
{
"name": "env wrapper accepts canonical full argv raw command",
"command": ["/usr/bin/env", "bash", "-lc", "echo hi"],
"rawCommand": "/usr/bin/env bash -lc \"echo hi\"",
"expected": {
"valid": true,
"displayCommand": "/usr/bin/env bash -lc \"echo hi\""
}
},
{
"name": "env assignment prelude requires full argv display binding",
"command": ["/usr/bin/env", "BASH_ENV=/tmp/payload.sh", "bash", "-lc", "echo hi"],