rubino-agent 0.3.0

data/lib/rubino/run/session_approval_cache.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Run
+    # Remembers approval decisions that should survive past the current
+    # call so the agent doesn't re-prompt the user for the same operation
+    # in the same session.
+    #
+    # Granularity: a decision is stored as a DERIVED RULE, not the exact
+    # "<tool>:<command>" string. The caller still passes a scope shaped like
+    # "shell:rm -rf /tmp/cache" or "write:report.md"; the cache splits it into
+    # (tool, command) and asks Security::PrefixDeriver for the rule to remember.
+    # This mirrors the reference, which keys session approvals on a PATTERN KEY rather
+    # than the raw command (approve_session / is_approved). The practical effect for S3:
+    #   - a DANGEROUS command remembers its pattern CLASS, so approving e.g.
+    #     `git push --force origin main` once also covers `git push -f other`
+    #     in the same session (same "git force push" class);
+    #   - a PLAIN command still remembers only the exact command, so approving
+    #     `git status` does NOT auto-approve `git diff` (narrow for S3; the
+    #     broad prefix rule is derived but wired into a decision only in S5).
+    #
+    # A scope with no ":" (a tool-wide scope like "shell") has no command to
+    # derive from and is stored/matched verbatim.
+    #
+    # Persistence: in-memory, process-lifetime. "session" decisions die with
+    # the process; "always" would deserve disk persistence but isn't wired up
+    # yet (S5), so we treat both as session-scoped for now.
+    #
+    # Thread-safe: every read/write goes through @mutex.
+    class SessionApprovalCache
+      # Singleton accessor. We don't use Dry::Container or similar here
+      # because the cache is process-global state that the runner needs
+      # to inject into per-run UI::API instances; one shared object is
+      # the simplest expression of "remember across runs of the same
+      # session".
+      def self.instance
+        @instance ||= new
+      end
+
+      # Resets the singleton — used by tests that need a clean slate.
+      # Avoids hidden cross-test leakage when specs share the process.
+      def self.reset_singleton!
+        @instance = nil
+      end
+
+      # Decisions that should be persisted on approval.
+      REMEMBERED_DECISIONS = %w[session always].freeze
+
+      def initialize
+        @data = Hash.new { |h, k| h[k] = [] } # session_id => [Rule, ...]
+        @mutex = Mutex.new
+      end
+
+      # Records a decision for (session_id, scope) as a derived rule. No-op
+      # when either value is blank, or the decision isn't a remembered kind.
+      def remember(session_id, scope, decision)
+        return unless session_id && scope
+        return unless REMEMBERED_DECISIONS.include?(decision.to_s.downcase)
+
+        rule = rule_for_scope(scope)
+        @mutex.synchronize do
+          rules = @data[session_id.to_s]
+          rules << rule unless rules.any? { |r| r == rule }
+        end
+      end
+
+      # True when a prior decision for this session already covers the command
+      # carried by `scope` — pattern-class membership, prefix start_with?, or an
+      # exact-command match, per the stored rule kinds.
+      def allowed?(session_id, scope)
+        return false unless session_id && scope
+
+        command = scope_command(scope)
+        @mutex.synchronize do
+          @data[session_id.to_s].any? { |rule| rule.covers?(command) }
+        end
+      end
+
+      # Drops every cached decision for one session (e.g. after a
+      # session is deleted). Pass nil to wipe every session.
+      def forget!(session_id = nil)
+        @mutex.synchronize do
+          if session_id
+            @data.delete(session_id.to_s)
+          else
+            @data.clear
+          end
+        end
+      end
+
+      private
+
+      # Splits a "<tool>:<command>" scope into the rule to remember. A scope
+      # without a ":" is tool-wide (no command) — remember it verbatim as an
+      # exact rule so the tool-scope short-circuit in UI::CLI keeps working.
+      def rule_for_scope(scope)
+        tool, command = split_scope(scope)
+        return Security::PrefixDeriver::Rule.new(kind: :command, value: scope.to_s) if command.nil?
+
+        Security::PrefixDeriver.narrow_rule_for(tool: tool, command: command)
+      end
+
+      # The command a query scope refers to: the part after the first ":",
+      # or the whole scope when there is none (tool-wide scope matched verbatim).
+      def scope_command(scope)
+        _tool, command = split_scope(scope)
+        command.nil? ? scope.to_s : command
+      end
+
+      def split_scope(scope)
+        str = scope.to_s
+        return [str, nil] unless str.include?(":")
+
+        str.split(":", 2)
+      end
+    end
+  end
+end

data/lib/rubino/security/allowlist_persister.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Persists an approved rule value to `security.command_allowlist` so it
+    # survives a process restart and pre-approves future sibling commands
+    # through the existing CommandAllowlist (prefix start_with?) path.
+    #
+    # Mirrors the reference save_permanent_allowlist,
+    # which writes pattern keys to `command_allowlist` in config.yaml, and the
+    # resolve-time persistence on the gateway path (:1342-1351).
+    #
+    # Append-unique: an already-listed value is a no-op (no duplicate rows, no
+    # rewrite). The write goes through Config::Writer (dot-notation -> YAML) and
+    # ALSO updates the live Rubino.configuration so a CommandAllowlist built
+    # in the same process immediately sees the new prefix without a reload.
+    #
+    # SCOPING NOTE: Config::Writer writes the process-global config.yml. This
+    # assumes a single-process / single-home deployment, so process-global ==
+    # per-user here — acceptable. For any SHARED-server deployment, `always_*`
+    # persistence would need per-user config scoping (or web `always` treated as
+    # session-only); do NOT rely on this writer as-is in a multi-user process.
+    module AllowlistPersister
+      KEY = "security.command_allowlist"
+
+      module_function
+
+      # Appends `value` to security.command_allowlist (unique). Returns the
+      # resulting allowlist array. A blank value is a no-op.
+      def persist(value, config: nil, config_path: nil)
+        rule_value = value.to_s.strip
+        return current_allowlist(config) if rule_value.empty?
+
+        config ||= Rubino.configuration
+        existing = current_allowlist(config)
+        return existing if existing.include?(rule_value)
+
+        updated = existing + [rule_value]
+        Config::Writer.new(config_path: config_path || default_config_path).set(KEY, updated)
+        # Keep the live config in sync so a CommandAllowlist built this process
+        # sees the new prefix immediately (the writer only touches disk).
+        config.set("security", "command_allowlist", updated)
+        updated
+      end
+
+      def current_allowlist(config)
+        (config || Rubino.configuration).security_command_allowlist.dup
+      end
+
+      def default_config_path
+        Config::Loader.new.config_path
+      end
+    end
+  end
+end

data/lib/rubino/security/approval_policy.rb

@@ -0,0 +1,227 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Determines whether a tool execution requires user approval.
+    # Uses pattern-based rules, tool risk levels, and doom loop detection.
+    #
+    # Config example:
+    #   approvals:
+    #     mode: "manual"  # manual | auto | skip
+    #   permissions:
+    #     "git *": "allow"
+    #     "shell rm *": "deny"
+    #     "shell bundle *": "allow"
+    #     "file_system write ~/.env": "deny"
+    class ApprovalPolicy
+      MODES = %w[manual auto skip].freeze
+
+      # Why the most recent #decide returned :deny — :hardline (the
+      # non-bypassable floor), :permission_rule (an explicit permissions deny
+      # rule), or :doom_loop (the repeated-identical-call guard). nil when the
+      # last decision wasn't a deny. ToolExecutor reads this right after
+      # #decide to build a reason-specific model-facing denial message, so a
+      # policy denial is never reported as "denied by user" (#143).
+      attr_reader :last_deny_reason
+
+      def initialize(config: nil, agent_overrides: nil)
+        @config = config || Rubino.configuration
+        @mode = @config.approvals_mode
+        # Effective shell prompt policy (:confirm_all | :dangerous_only).
+        # Derived from security.confirm_policy, with security.require_confirmation_for_shell
+        # as a back-compat alias (see Configuration#confirm_policy). Older config
+        # objects that predate the accessor fall back to :confirm_all.
+        @confirm_policy =
+          @config.respond_to?(:confirm_policy) ? @config.confirm_policy : :confirm_all
+        @pattern_matcher = PatternMatcher.new(
+          rules: load_permission_rules(agent_overrides)
+        )
+        @doom_detector = DoomLoopDetector.new
+      end
+
+      # Returns the decision for a tool call: :allow, :ask, :deny
+      #
+      # CANONICAL DECISION ORDER (deny-class checks precede every allow path).
+      # Mirrors the reconciled reference ordering:
+      #
+      #   1. hardline(:deny)            non-bypassable floor BELOW yolo
+      #   2. permissions:deny           an explicit deny rule also beats yolo
+      #   3. yolo / skip-approvals      allow-exit (doom still guards it)
+      #   4. doom loop                  break a stuck autopilot
+      #   5. permissions:allow / :ask   remaining explicit rules
+      #   6. command_allowlist (prefix) pre-approved commands -> :allow
+      #   6b. readonly auto-allow       parse-validated read-only shell -> :allow
+      #   7-8. confirm_policy shell gate  confirm_all -> :ask; dangerous_only
+      #                                 -> :ask only if dangerous?, else :allow
+      #   9. mode fallback
+      #
+      # The invariant that makes this slice worth doing: HARDLINE and an
+      # explicit permissions:deny BOTH run before any allow path (yolo,
+      # permissions:allow, command_allowlist), so neither can be overridden
+      # by a fast-path the way yolo used to override deny rules.
+      def decide(tool, arguments: {})
+        @last_deny_reason = nil
+        command_str = self.class.command_string(tool, arguments)
+
+        # 1. Hardline floor — a floor BELOW yolo. Catastrophic, unrecoverable
+        #    commands (rm -rf /, mkfs, dd to a raw device, fork bomb,
+        #    shutdown/reboot, sudo -S password guessing) are denied
+        #    UNCONDITIONALLY: before yolo/skip, before doom, before any
+        #    permissions:allow rule or command_allowlist entry. Opting into
+        #    yolo trusts the agent with your files, NOT to wipe the disk.
+        #    Mirrors the reference approval module (enforced first).
+        blocked, = HardlineGuard.detect(command_str)
+        return deny_with(:hardline) if blocked
+
+        # 2. Explicit permissions:deny — like hardline, a deny rule is a
+        #    deny-class check and must beat every allow path. We evaluate the
+        #    pattern rules ONCE here and reuse the result below; only the :deny
+        #    verdict short-circuits before yolo. allow/ask wait until after the
+        #    yolo allow-exit and the doom guard (steps 3-4) so they keep their
+        #    original precedence. Mirrors the deny-before-allow ordering in the
+        #    plan (hardline -> permissions:deny -> yolo -> doom -> allow/ask).
+        pattern_result = @pattern_matcher.match(tool.name, command_str)
+        return deny_with(:permission_rule) if pattern_result == :deny
+
+        # 3. Modes.yolo short-circuits the remaining allow/ask logic. We still
+        #    run the doom detector AFTER, because an autopilot stuck in a loop
+        #    is the one thing yolo isn't supposed to license.
+        if Rubino::Modes.skip_approvals?
+          return deny_with(:doom_loop) if @doom_detector.record(tool_name: tool.name, arguments: arguments)
+
+          return :allow
+        end
+
+        # 4. Doom loop guard.
+        if @doom_detector.record(tool_name: tool.name, arguments: arguments)
+          return deny_with(:doom_loop) # Break the loop
+        end
+
+        # 5. Remaining explicit pattern rules (allow / ask). deny was already
+        #    handled in step 2.
+        return pattern_result if pattern_result
+
+        # 6. Config allowlist of pre-approved commands. Checked AFTER deny
+        #    patterns (deny always wins) but BEFORE mode-based decision so a
+        #    listed command never triggers a manual prompt.
+        return :allow if command_pre_approved?(command_str)
+
+        # 6b. Built-in read-only auto-allow — the same allowlist seam as
+        #    step 6, just with a parse-validated built-in set instead of
+        #    user-configured prefixes. Runs BELOW the hardline floor (step 1)
+        #    and permissions:deny (step 2), so the floor always wins even for
+        #    commands added via approvals.readonly_commands. A line the
+        #    validator cannot prove read-only falls through to the prompt.
+        return :allow if readonly_auto_allowed?(tool, command_str)
+
+        # 7-8. confirm_policy gate for a shell command not otherwise resolved.
+        #    NOT under config "skip" (nor runtime yolo, handled at step 3) —
+        #    those are the explicit operator overrides that mean "stop
+        #    prompting me".
+        #
+        #    confirm_all (DEFAULT, == legacy require_confirmation_for_shell:true)
+        #      every such shell command -> :ask. shell is :high risk so manual
+        #      mode would ask anyway; this also keeps it gated under auto mode.
+        #
+        #    dangerous_only (reference-faithful, == legacy alias:false)
+        #      prompt ONLY when the command matches a DangerousPattern
+        #      (git push --force, curl|sh, recursive rm of a non-root path,
+        #      ...). Safe commands run unprompted. Mirrors approval.py:475
+        #      where detect_dangerous_command is the sole prompt trigger.
+        #      The hardline floor (step 1) and permissions:deny (step 2) already
+        #      ran, so dangerous_only NEVER weakens the non-bypassable floor.
+        if tool.name == "shell" && @mode != "skip"
+          case @confirm_policy
+          when :dangerous_only
+            return :ask if dangerous?(command_str)
+
+            return :allow
+          else # :confirm_all
+            return :ask
+          end
+        end
+
+        # 9. Fall back to mode-based decision
+        mode_based_decision(tool)
+      end
+
+      # True when a command matches a recoverable-but-risky DangerousPattern
+      # (distinct from the hardline floor). Computed signal for the structured
+      # ask context and for S4's dangerous_only confirm policy; #decide does
+      # not yet branch on it (see step 7). Mirrors detect_dangerous_command.
+      def dangerous?(command)
+        DangerousPatterns.dangerous?(command)
+      end
+
+      # Returns true if a specific command is pre-approved by the config
+      # allowlist. An empty allowlist pre-approves NOTHING.
+      def command_pre_approved?(command)
+        CommandAllowlist.new(config: @config).allowed?(command)
+      end
+
+      # True when the shell command is provably read-only and the
+      # approvals.auto_allow_readonly gate (default ON) is open. Shell-only:
+      # for every other tool the "command" is a path or argument fragment.
+      def readonly_auto_allowed?(tool, command)
+        return false unless tool.name == "shell"
+        return false unless @config.auto_allow_readonly?
+
+        ReadonlyCommands.auto_allowed?(command, extra: @config.approvals_readonly_commands)
+      end
+
+      # Builds the string representation of a tool call used both for
+      # pattern-rule matching here and for the UI's session-approval scope
+      # in ToolExecutor. One builder so the granularity stays identical:
+      # approving `shell ls` never auto-approves `shell rm -rf /`.
+      def self.command_string(tool, arguments)
+        args = arguments || {}
+        case tool.name
+        when "shell"
+          (args["command"] || args[:command]).to_s
+        when "read", "write", "edit", "multi_edit", "attach_file"
+          (args["file_path"] || args[:file_path]).to_s
+        when "shell_output", "shell_kill", "shell_input"
+          (args["run_id"] || args[:run_id]).to_s
+        else
+          args.values.first.to_s
+        end
+      end
+
+      # Resets doom loop detector (call on new user input)
+      def reset_turn!
+        @doom_detector.reset!
+      end
+
+      private
+
+      # Records WHY this deny fired before returning it (see #last_deny_reason).
+      def deny_with(reason)
+        @last_deny_reason = reason
+        :deny
+      end
+
+      def mode_based_decision(tool)
+        case @mode
+        when "skip"
+          :allow
+        when "auto"
+          tool.risk_level == :high ? :ask : :allow
+        when "manual"
+          tool.risky? ? :ask : :allow
+        else
+          tool.risky? ? :ask : :allow
+        end
+      end
+
+      def load_permission_rules(agent_overrides)
+        base_rules = @config.dig("permissions") || {}
+
+        if agent_overrides.is_a?(Hash)
+          base_rules.merge(agent_overrides)
+        else
+          base_rules
+        end
+      end
+    end
+  end
+end

data/lib/rubino/security/command_allowlist.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Manages a whitelist of shell commands that can be executed without confirmation.
+    class CommandAllowlist
+      def initialize(config: nil)
+        @config = config || Rubino.configuration
+        @allowlist = @config.security_command_allowlist
+      end
+
+      # Returns true if the command matches an entry in the allowlist.
+      # An EMPTY allowlist matches NOTHING — pre-approval is opt-in, so an
+      # unconfigured allowlist must never auto-approve everything.
+      def allowed?(command)
+        return false if @allowlist.empty?
+
+        @allowlist.any? do |allowed|
+          command.strip.start_with?(allowed.strip)
+        end
+      end
+    end
+  end
+end

data/lib/rubino/security/dangerous_patterns.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Dangerous (recoverable-but-risky) command patterns — the layer ABOVE the
+    # hardline floor. These are operations that can lose work, rewrite shared
+    # history, escalate privilege, or touch system/credential files, but which
+    # a user might legitimately want to run with confirmation. Unlike
+    # HardlineGuard (catastrophic, no recovery path, never runs), a dangerous
+    # match is meant to drive an :ask — yolo/approval CAN pass it through.
+    #
+    # This is deliberately DISTINCT from HardlineGuard: there is NO overlap.
+    # Hardline owns "rm -rf /", "mkfs", "dd to /dev/sd*", shutdown/reboot,
+    # fork bomb, kill-all, sudo -S guessing. DangerousPatterns owns the
+    # recoverable cousins: recursive rm of NON-root paths, git force-push /
+    # reset --hard, curl|sh, broad chmod/chown, writes into /etc, sudo with
+    # privilege flags, find -delete, etc.
+    #
+    # Mirrors the reference approval module: DANGEROUS_PATTERNS and
+    # detect_dangerous_command. A faithful CORE subset of the reference ~47
+    # patterns — the important risk classes, not an exhaustive copy.
+    module DangerousPatterns
+      # Sensitive write targets (system config, block devices, ssh/credential
+      # files). Mirrors approval.py:_SENSITIVE_WRITE_TARGET (:152) in spirit,
+      # kept compact. /etc plus its macOS /private/etc mirror.
+      SYSTEM_CONFIG_PATH = %r{(?:/etc/|/private/(?:etc|var|tmp)/)}.source.freeze
+      SENSITIVE_WRITE_TARGET =
+        %r{(?:#{SYSTEM_CONFIG_PATH}|/dev/sd|(?:~|\$home)/\.ssh/|(?:~|\$home)/\.(?:netrc|pgpass|npmrc|pypirc)\b)}.source.freeze
+
+      # [regex, human description "pattern key"]. Matched against the
+      # lowercased, whitespace-normalized command. The description doubles as
+      # the persisted approval key in later slices (mirrors the reference pattern_key).
+      PATTERNS = [
+        # --- Recursive / forced delete of NON-root paths (root is hardline).
+        #     -\S*r catches both -rf and the long --recursive form. ---
+        [/\brm\s+-\S*r/, "recursive delete"],
+
+        # --- Broad permission / ownership changes ---
+        [/\bchmod\s+(?:-\S*\s+)*(?:777|666|o\+[rwx]*w|a\+[rwx]*w)\b/, "world/other-writable permissions"],
+        [/\bchown\s+(?:-\S*)?r\s+root/, "recursive chown to root"],
+
+        # --- Privilege escalation: sudo with non-interactive privilege flags ---
+        # Plain `sudo cmd` is TTY-bound and excluded; these flags (stdin/
+        # askpass/shell/list) are the agent-reachable escalation forms.
+        # (sudo -S WITHOUT a configured password is hardline; this is the
+        # broader, recoverable privilege-flag class.)
+        [/\bsudo\b[^;|&\n]*?\s+(?:--stdin\b|-a\b|--askpass\b|-s\b)/,
+         "sudo with privilege flag (stdin/askpass/shell/list)"],
+
+        # --- Pipe remote content to a shell (curl|sh, wget|bash) ---
+        [%r{\b(?:curl|wget)\b.*\|\s*(?:[/\w]*/)?(?:ba)?sh(?:\s|$|-c)}, "pipe remote content to shell"],
+        [/\b(?:bash|sh|zsh|ksh)\s+<\s*<?\s*\(\s*(?:curl|wget)\b/, "execute remote script via process substitution"],
+
+        # --- Write / overwrite into system or credential files ---
+        [/>>?\s*["']?#{SENSITIVE_WRITE_TARGET}/, "overwrite system file via redirection"],
+        [/\btee\b.*["']?#{SENSITIVE_WRITE_TARGET}/, "overwrite system file via tee"],
+        [/\b(?:cp|mv|install)\b.*\s#{SYSTEM_CONFIG_PATH}/, "copy/move file into system config path"],
+        [/\bsed\s+-\S*i.*\s#{SYSTEM_CONFIG_PATH}/, "in-place edit of system config"],
+
+        # --- Service control ---
+        [/\bsystemctl\s+(?:-\S+\s+)*(?:stop|restart|disable|mask)\b/, "stop/restart system service"],
+
+        # --- Force-kill process sweeps (kill-all -1 is hardline) ---
+        [/\bpkill\s+-9\b/, "force kill processes"],
+        [/\bkillall\s+(?:-\S*\s+)*-(?:9|kill|sigkill)\b/, "force kill processes (killall -KILL)"],
+        [/\bkillall\s+(?:-\S*\s+)*-r\b/, "kill processes by regex (killall -r)"],
+
+        # --- find that deletes ---
+        [%r{\bfind\b.*-exec(?:dir)?\s+(?:/\S*/)?rm\b}, "find -exec/-execdir rm"],
+        [/\bfind\b.*-delete\b/, "find -delete"],
+        [/\bxargs\s+.*\brm\b/, "xargs with rm"],
+
+        # --- Git destructive / history-rewriting operations ---
+        [/\bgit\s+reset\s+--hard\b/, "git reset --hard (destroys uncommitted changes)"],
+        [/\bgit\s+push\b.*--force\b/, "git force push (rewrites remote history)"],
+        [/\bgit\s+push\b.*\s-f\b/, "git force push short flag (rewrites remote history)"],
+        [/\bgit\s+clean\s+-\S*f/, "git clean with force (deletes untracked files)"],
+        [/\bgit\s+branch\s+-d\b/, "git branch force delete"],
+
+        # --- Filesystem format / raw disk copy (the recoverable framings;
+        #     mkfs and dd-to-/dev/sd* themselves are hardline) ---
+        [/\bdd\s+.*if=/, "disk copy"],
+
+        # --- Destructive SQL ---
+        [/\bdrop\s+(?:table|database)\b/, "SQL DROP"],
+        [/\bdelete\s+from\b(?![^\n]*\bwhere\b)/, "SQL DELETE without WHERE"],
+        [/\btruncate\s+(?:table)?\s*\w/, "SQL TRUNCATE"]
+      ].freeze
+
+      module_function
+
+      # Returns [true, pattern_key, description] when the command matches a
+      # dangerous pattern, else [false, nil, nil]. The pattern_key and
+      # description are the same string (the human-readable key) — the tuple
+      # arity mirrors the reference detect_dangerous_command so later slices
+      # can persist the key.
+      def detect(command)
+        normalized = normalize(command)
+        PATTERNS.each do |regex, description|
+          return [true, description, description] if normalized.match?(regex)
+        end
+        [false, nil, nil]
+      end
+
+      # Convenience predicate: true when the command hits a dangerous pattern.
+      def dangerous?(command)
+        detect(command).first
+      end
+
+      # Same normalization idiom as HardlineGuard: collapse spaces/tabs (keep
+      # newlines so separator anchors fire), trim, lowercase. Trivial
+      # obfuscation (extra spaces, case) doesn't slip through.
+      def normalize(command)
+        command.to_s.gsub(/[ \t]+/, " ").strip.downcase
+      end
+    end
+  end
+end

data/lib/rubino/security/deny_persister.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Persists an explicit "deny always" verdict to the `permissions` map so it
+    # survives a process restart and auto-denies future sibling commands through
+    # ApprovalPolicy#decide, which evaluates a permissions:deny rule FIRST (before
+    # any allow path — see approval_policy.rb step 2).
+    #
+    # The DENY counterpart to AllowlistPersister: same Config::Writer (dot-notation
+    # -> YAML) + live-config sync, but it writes into `permissions` instead of
+    # `security.command_allowlist`, and the value is the verdict "deny" keyed by a
+    # PatternMatcher-format pattern ("<tool> <glob>") rather than a bare prefix.
+    #
+    # The pattern is derived from the SAME PrefixDeriver rule the allow side uses,
+    # so "deny always" is scoped consistently with "always allow":
+    #   :prefix  -> "<tool> <head>*"     (e.g. "shell git*"  — denies every sibling)
+    #   :command -> "<tool> <command>"   (e.g. "shell rm -rf /tmp/x" — exact)
+    #   :pattern -> "<tool> <command>"   (a dangerous-pattern description is not a
+    #                                     command glob, so deny the exact command)
+    #
+    # Append-unique: an already-present "<pattern>": "deny" entry is a no-op.
+    #
+    # SCOPING NOTE: identical to AllowlistPersister — Config::Writer writes the
+    # process-global config.yml. Fine for a single-process / single-home setup; a
+    # shared-server deployment would need per-user config scoping.
+    module DenyPersister
+      KEY = "permissions"
+      DENY = "deny"
+
+      module_function
+
+      # Persists a permissions:deny rule for `pattern` (unique). Returns the
+      # resulting permissions hash. A blank pattern is a no-op.
+      def persist(pattern, config: nil, config_path: nil)
+        key = pattern.to_s.strip
+        return current_permissions(config) if key.empty?
+
+        config ||= Rubino.configuration
+        existing = current_permissions(config)
+        return existing if existing[key] == DENY
+
+        updated = existing.merge(key => DENY)
+        Config::Writer.new(config_path: config_path || default_config_path).set(KEY, updated)
+        # Keep the live config in sync so an ApprovalPolicy built this process
+        # sees the new deny rule immediately (the writer only touches disk).
+        config.set(KEY, updated)
+        updated
+      end
+
+      # The PatternMatcher-format key a (tool, rule, command) "deny always"
+      # persists as. Mirrors the allow side's scoping: a derivable :prefix denies
+      # the whole prefix class ("<tool> <head>*"); everything else denies the
+      # exact command ("<tool> <command>"). Nil when there is nothing to key on.
+      def pattern_for(tool:, rule:, command:)
+        cmd = command.to_s.strip
+        if rule&.kind == :prefix && !rule.value.to_s.strip.empty?
+          "#{tool} #{rule.value.strip}*"
+        elsif !cmd.empty?
+          "#{tool} #{cmd}"
+        end
+      end
+
+      def current_permissions(config)
+        ((config || Rubino.configuration).dig("permissions") || {}).dup
+      end
+
+      def default_config_path
+        Config::Loader.new.config_path
+      end
+    end
+  end
+end

data/lib/rubino/security/doom_loop_detector.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Security
+    # Detects when the agent enters a doom loop - repeatedly calling
+    # the same tool with identical arguments without progress.
+    class DoomLoopDetector
+      DEFAULT_THRESHOLD = 3
+
+      def initialize(threshold: DEFAULT_THRESHOLD)
+        @threshold = threshold
+        @history = []
+      end
+
+      # Records a tool call and returns true if a doom loop is detected
+      def record(tool_name:, arguments:)
+        signature = generate_signature(tool_name, arguments)
+        @history << signature
+
+        # Check if the last N calls are identical
+        if @history.size >= @threshold
+          recent = @history.last(@threshold)
+          return true if recent.uniq.size == 1
+        end
+
+        false
+      end
+
+      # Resets the detector (e.g., when user provides new input)
+      def reset!
+        @history.clear
+      end
+
+      private
+
+      def generate_signature(tool_name, arguments)
+        # Create a deterministic signature from tool name + sorted arguments
+        args_str = arguments.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}=#{v}" }.join("&")
+        "#{tool_name}:#{args_str}"
+      end
+    end
+  end
+end