Pavan Kumar Gondhi
9ac4272b35
fix: harden safe-bin argument validation [AI] (#80999)
...
* fix: reject shell expansion in safe-bin tokens
* fix: complete safe-bin shell payload handling
* addressing codex review
* addressing ci
* addressing ci
* addressing codex review
* docs: add changelog entry for PR merge
2026-05-12 20:37:58 +05:30
Peter Steinberger
bd0e10a2f6
refactor: route inline eval through command analysis
2026-05-03 18:06:10 +01:00
Peter Steinberger
3f7e6eebc2
refactor: unify command analysis for exec approvals
2026-05-03 18:06:10 +01:00
Peter Steinberger
42d73fd955
refactor: remove dead private helpers
2026-05-01 06:55:26 +01:00
Peter Steinberger
53d213f9cc
perf: lazy load hot test imports
2026-04-28 01:57:22 +01:00
Peter Steinberger
7f3f108521
refactor(config): migrate plugin config access
2026-04-27 12:35:58 +01:00
Peter Steinberger
087f1584df
test: streamline system run hotspot coverage
2026-04-17 20:18:01 +01:00
Peter Steinberger
7b27d08e56
perf: lazy load system run config
2026-04-17 16:39:24 +01:00
Pavan Kumar Gondhi
8f8492d172
fix(security): broaden shell-wrapper detection and block env-argv assignment injection [AI-assisted] (#65717)
...
* fix: address issue
* fix: address PR review feedback
* fix: address PR review feedback
* docs: add changelog entry for PR merge
2026-04-13 11:48:42 +05:30
Nimrod Gutman
de6bac331c
fix(exec): detect cmd wrapper carriers (#62439)
...
* fix(exec): detect cmd wrapper carriers
* fix(exec): block env cmd wrapper carriers
* fix: keep cmd wrapper carriers approval-gated (#62439) (thanks @ngutman)
2026-04-07 14:27:06 +03:00
Nimrod Gutman
d008e2d015
fix(exec): align node shell allowlist wrappers (#62401)
...
* fix(exec): align node shell allowlist wrappers
* fix: align node shell allowlist wrappers (#62401) (thanks @ngutman)
2026-04-07 13:05:57 +03:00
Peter Steinberger
679a393f6d
refactor: dedupe metadata readers
2026-04-07 07:36:11 +01:00
Peter Steinberger
3e452f2671
fix: preserve strict inline-eval approval boundaries (#59780) (thanks @luoyanglang)
2026-04-02 18:30:29 +01:00
Vincent Koc
990545181b
fix(ci): preserve strict inline-eval denial after durable awk trust
2026-04-03 01:55:01 +09:00
Peter Steinberger
fff6333773
fix(exec): implement Windows argPattern allowlist flow
2026-04-03 00:09:28 +09:00
Vincent Koc
2d53ffdec1
fix(exec): resolve remote approval regressions (#58792)
...
* fix(exec): restore remote approval policy defaults
* fix(exec): handle headless cron approval conflicts
* fix(exec): make allow-always durable
* fix(exec): persist exact-command shell trust
* fix(doctor): match host exec fallback
* fix(exec): preserve blocked and inline approval state
* Doctor: surface allow-always ask bypass
* Doctor: match effective exec policy
* Exec: match node durable command text
* Exec: tighten durable approval security
* Exec: restore owner approver fallback
* Config: refresh Slack approval metadata
---------
Co-authored-by: scoootscooob <zhentongfan@gmail.com>
2026-04-01 02:07:20 -07:00
Peter Steinberger
5e30da3cad
fix(exec): restore strict inline-eval allow-always reuse
2026-03-31 23:45:22 +09:00
Peter Steinberger
7f373823b0
refactor: separate exec policy and execution targets
2026-03-23 19:36:44 -07:00
Peter Steinberger
d8cef14eb1
fix: split exec and policy resolution for wrapper trust (#53134) (thanks @vincentkoc)
2026-03-23 19:04:04 -07:00
Peter Steinberger
a94ec3b79b
fix(security): harden exec approval boundaries
2026-03-22 09:35:25 -07:00
Josh Avant
7abfff756d
Exec: harden host env override handling across gateway and node (#51207)
...
* Exec: harden host env override enforcement and fail closed
* Node host: enforce env override diagnostics before shell filtering
* Env overrides: align Windows key handling and mac node rejection
2026-03-20 15:44:15 -05:00
Peter Steinberger
d0337a18b6
fix: clear typecheck backlog
2026-03-13 22:09:06 +00:00
Peter Steinberger
8f852ef82f
refactor: share system run success delivery
2026-03-13 21:40:54 +00:00
Robin Waslander
b7a37c2023
fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval
...
tsx, jiti, ts-node, ts-node-esm, vite-node, and esno were not recognized
as interpreter-style script runners in invoke-system-run-plan.ts. These
runners produced mutableFileOperand: null, causing invoke-system-run.ts
to skip revalidation entirely. A mutated script payload would execute
without the approval binding check that node ./run.js already enforced.
Two-part fix:
- Add tsx, jiti, and related TypeScript/ESM loaders to the known script
  runner set so they produce a valid mutableFileOperand from the planner
- Add a fail-closed runtime guard in invoke-system-run.ts that denies
  execution when a script run should have a mutable-file binding but the
  approval plan is missing it, preventing unknown future runners from
  silently bypassing revalidation
Fixes GHSA-qc36-x95h-7j53
2026-03-12 01:34:35 +01:00
Peter Steinberger
68c674d37c
refactor(security): simplify system.run approval model
2026-03-11 01:43:06 +00:00
Harold Hunt
de49a8b72c
Telegram: exec approvals for OpenCode/Codex (#37233)
...
Merged via squash.
Prepared head SHA: f243379094
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Reviewed-by: @huntharo
2026-03-09 23:04:35 -04:00
Peter Steinberger
c76d29208b
fix(node-host): bind approved script operands
2026-03-07 23:04:00 +00:00
Peter Steinberger
dc825e59f5
refactor: unify system.run approval cwd revalidation
2026-03-02 23:46:54 +00:00
Peter Steinberger
500d7cb107
fix: revalidate approval cwd before system.run execution
2026-03-02 23:42:10 +00:00
Peter Steinberger
9617ac9dd5
refactor: dedupe agent and reply runtimes
2026-03-02 19:57:33 +00:00
Peter Steinberger
dded569626
fix(security): preserve system.run wrapper approval semantics
2026-03-02 17:20:52 +00:00
Peter Steinberger
155118751f
refactor!: remove versioned system-run approval contract
2026-03-02 01:12:53 +00:00
Peter Steinberger
d82c042b09
refactor(node-host): split system.run plan and allowlist internals
2026-02-26 22:01:01 +01:00
Peter Steinberger
78a7ff2d50
fix(security): harden node exec approvals against symlink rebind
2026-02-26 21:47:45 +01:00
Peter Steinberger
f789f880c9
fix(security): harden approval-bound node exec cwd handling
2026-02-26 04:14:11 +01:00
Peter Steinberger
3c95f89662
refactor(exec): split system.run phases and align ts/swift validator contracts
2026-02-25 00:35:06 +00:00
Peter Steinberger
55cf92578d
fix(security): harden system.run companion command binding
2026-02-25 00:02:03 +00:00
Peter Steinberger
4355e08262
refactor: harden safe-bin trusted dir diagnostics
2026-02-24 23:29:44 +00:00
Peter Steinberger
ffd63b7a2c
fix(security): trust resolved skill-bin paths in allowlist auto-allow
2026-02-24 03:12:43 +00:00
Peter Steinberger
0026255def
refactor(security): harden system.run wrapper enforcement
2026-02-24 02:17:41 +00:00
Peter Steinberger
a1c4bf07c6
fix(security): harden exec wrapper allowlist execution parity
2026-02-24 01:52:17 +00:00
Peter Steinberger
3f0b9dbb36
fix(security): block shell-wrapper line-continuation allowlist bypass
2026-02-22 22:36:29 +01:00
Peter Steinberger
e4d67137db
fix(node): default mac headless system.run to local host
...
Co-authored-by: aethnova <262512133+aethnova@users.noreply.github.com>
2026-02-22 22:24:28 +01:00
Peter Steinberger
bbdfba5694
fix: harden connect auth flow and exec policy diagnostics
2026-02-22 20:22:00 +01:00
Peter Steinberger
0c1f491a02
fix(gateway): clarify pairing and node auth guidance
2026-02-22 19:50:29 +01:00
Peter Steinberger
0d0f4c6992
refactor(exec): centralize safe-bin policy checks
2026-02-22 13:18:25 +01:00
Peter Steinberger
47c3f742b6
fix(exec): require explicit safe-bin profiles
2026-02-22 12:58:55 +01:00
Peter Steinberger
e80c803fa8
fix(security): block shell env allowlist bypass in system.run
2026-02-22 12:47:05 +01:00
Peter Steinberger
b25fd03b8c
refactor(node-host): share invoke type definitions
2026-02-22 07:44:57 +00:00
Vignesh Natarajan
98b2b16ac3
Security/Exec: persist inner commands for shell-wrapper approvals
2026-02-21 21:26:20 -08:00