@librechat/agents 3.1.77-dev.1 → 3.1.78-dev.0

package/dist/esm/hooks/createWorkspacePolicyHook.mjs

@@ -0,0 +1,289 @@
+import { homedir } from 'os';
+import { resolve, isAbsolute, relative } from 'path';
+import { realpath } from 'fs/promises';
+import { Constants } from '../common/enum.mjs';
+
+/**
+ * Workspace boundary policy as a `PreToolUse` hook.
+ *
+ * Local-engine file tools enforce a hard workspace boundary at the
+ * tool implementation layer (`resolveWorkspacePathSafe`). This hook
+ * adds a complementary, host-controlled layer on top that uses the
+ * standard PreToolUse / HITL machinery to *negotiate* access to
+ * paths outside the workspace — instead of just throwing.
+ *
+ * The host opts in by registering this hook on a `HookRegistry`; the
+ * hook inspects each tool call's input, extracts the file paths it
+ * mentions via per-tool extractors, and returns:
+ *
+ *   - `allow`               — every path is inside `workspace.root`
+ *                              (or `additionalRoots`)
+ *   - `deny`                — at least one path is outside, and the
+ *                              configured outside-policy is `'deny'`
+ *   - `ask`                 — at least one path is outside, and the
+ *                              outside-policy is `'ask'` (default).
+ *                              When `humanInTheLoop.enabled` is true,
+ *                              the existing PreToolUse `'ask'` flow
+ *                              raises a tool_approval interrupt the
+ *                              host UI can render. When HITL is off,
+ *                              `'ask'` collapses to `deny` (matches
+ *                              the rest of the SDK's default).
+ *
+ * Default per-tool path extractors cover the local-engine coding
+ * suite (`read_file`, `write_file`, `edit_file`, `grep_search`,
+ * `glob_search`, `list_directory`, `compile_check`). The host can
+ * override or extend via `pathExtractors`. Bash/code paths are not
+ * extracted by default — bash command parsing is its own concern, and
+ * the existing `bashAst` validator + sandbox-runtime fs allowlist are
+ * the right gates for those.
+ *
+ * Important: this hook does NOT replace `resolveWorkspacePathSafe`.
+ * Even if the hook returns `allow`, the file tool still enforces its
+ * own clamp unless `workspace.allowReadOutside` /
+ * `workspace.allowWriteOutside` (or the legacy
+ * `allowOutsideWorkspace`) is set. The recommended composition for
+ * "ask the user" semantics is:
+ *
+ *   workspace: {
+ *     root,
+ *     allowReadOutside: true,
+ *     allowWriteOutside: true,
+ *   },
+ *   // …with the hook installed and humanInTheLoop.enabled = true.
+ */
+const READ_TOOLS = new Set([
+    Constants.READ_FILE,
+    Constants.GREP_SEARCH,
+    Constants.GLOB_SEARCH,
+    Constants.LIST_DIRECTORY,
+    Constants.COMPILE_CHECK,
+]);
+const WRITE_TOOLS = new Set([
+    Constants.WRITE_FILE,
+    Constants.EDIT_FILE,
+]);
+/**
+ * Best-effort extractor for `compile_check` — pulls absolute and `~/`
+ * path tokens out of the `command` string so the workspace boundary
+ * sees them. Without this, a model could ship `command: 'cat
+ * /etc/passwd'` and the policy hook would short-circuit to `allow`
+ * (Codex P1 #26 — the prior `() => []` made the hook a no-op for
+ * compile_check). Conservative by design:
+ *
+ *   - Matches `/foo`, `~/foo`, `$HOME/foo`, `${HOME}/foo` followed by
+ *     non-shell-special chars. Stops at whitespace, quotes, redirect
+ *     operators, pipes, semicolons.
+ *   - Strips a leading `--flag=` so `--out=/etc/foo` extracts as
+ *     `/etc/foo` (the path the agent's actually trying to write).
+ *   - Misses relative paths (intended — those resolve under cwd
+ *     anyway), and shell-substituted paths whose final form isn't
+ *     visible at extract time. Hosts that need bulletproof gating
+ *     should pair this with a `bash_tool`-level policy.
+ */
+// `["']?` slots before AND after the captured path cover quoted
+// forms like `cat "/etc/passwd"` and `--out='/tmp/x'`. Codex P1 #31
+// — the previous regex only matched unquoted tokens, so a model
+// could trivially bypass the workspace policy by quoting any
+// destination path. The path content character class still excludes
+// quotes/whitespace/shell-specials so we don't over-extract; that's
+// the defensive trade we want for fallback-grep style matching.
+//
+// The `\.\.(?:\/[^…]*)?` alternation covers parent-traversal forms
+// (`..`, `../secrets.txt`, `../foo/bar`). Without it, a model could
+// exfiltrate parent-directory files via `cat ../secrets` and the
+// hook would short-circuit to `allow` because the extractor saw no
+// "absolute" token. The boundary check at the call site resolves
+// non-absolute extracted tokens against `root`, so `../secrets`
+// becomes `<parent-of-workspace>/secrets` which the boundary then
+// correctly flags as outside. Codex P2 #35.
+const PATH_TOKEN = /(?:^|[\s=])(?:--[^\s=]+=)?["']?(\/[^\s'"|;&<>()`]+|~\/[^\s'"|;&<>()`]+|\$\{?HOME\}?\/[^\s'"|;&<>()`]+|\.\.(?:\/[^\s'"|;&<>()`]*)?)["']?/g;
+// Back-compat alias kept for any downstream import.
+const ABSOLUTE_PATH_TOKEN = PATH_TOKEN;
+function expandHomeRelative(token) {
+    // Expand ~/foo and $HOME/foo and ${HOME}/foo to absolute. The
+    // workspace boundary check resolves non-absolute paths against the
+    // workspace root, which would silently treat `~/secret` as
+    // `<workspace>/~/secret` — exactly the bypass the codex flagged.
+    const home = homedir();
+    if (token.startsWith('~/'))
+        return `${home}/${token.slice(2)}`;
+    if (token.startsWith('${HOME}/'))
+        return `${home}/${token.slice(8)}`;
+    if (token.startsWith('$HOME/'))
+        return `${home}/${token.slice(6)}`;
+    return token;
+}
+function extractCompileCheckPaths(input) {
+    const command = typeof input.command === 'string' ? input.command : '';
+    if (command === '')
+        return [];
+    const out = [];
+    for (const match of command.matchAll(ABSOLUTE_PATH_TOKEN)) {
+        out.push(expandHomeRelative(match[1]));
+    }
+    return out;
+}
+const DEFAULT_EXTRACTORS = {
+    [Constants.READ_FILE]: (i) => typeof i.file_path === 'string' ? [i.file_path] : [],
+    [Constants.WRITE_FILE]: (i) => typeof i.file_path === 'string' ? [i.file_path] : [],
+    [Constants.EDIT_FILE]: (i) => typeof i.file_path === 'string' ? [i.file_path] : [],
+    [Constants.GREP_SEARCH]: (i) => typeof i.path === 'string' && i.path !== '' ? [i.path] : [],
+    [Constants.GLOB_SEARCH]: (i) => typeof i.path === 'string' && i.path !== '' ? [i.path] : [],
+    [Constants.LIST_DIRECTORY]: (i) => typeof i.path === 'string' && i.path !== '' ? [i.path] : [],
+    [Constants.COMPILE_CHECK]: extractCompileCheckPaths,
+};
+function isInsideAnyRoot(absolutePath, roots) {
+    for (const root of roots) {
+        if (absolutePath === root)
+            return true;
+        const rel = relative(root, absolutePath);
+        if (!rel.startsWith('..') && !isAbsolute(rel))
+            return true;
+    }
+    return false;
+}
+/**
+ * Symlink-aware variant: realpaths the candidate AND the roots before
+ * comparing. Without this, a symlink inside the workspace pointing
+ * outside (e.g. `workspace/link → /etc/passwd`) compares as
+ * "in-workspace" lexically, but actually grants the agent reach
+ * outside the boundary. Critical when this hook is the primary gate
+ * (i.e. the host opted into `workspace.allowReadOutside: true` /
+ * `allowWriteOutside: true` so the file tools' own clamp is off).
+ *
+ * Handles paths that don't yet exist (e.g. `write_file` to a brand
+ * new path) by walking up to the nearest existing ancestor and
+ * realpathing that, then re-attaching the unresolved suffix. Mirrors
+ * `resolveWorkspacePathSafe`'s approach in LocalExecutionEngine.
+ */
+async function realpathOrSelf(absolutePath) {
+    try {
+        return await realpath(absolutePath);
+    }
+    catch {
+        return absolutePath;
+    }
+}
+async function realpathOfPathOrAncestor(absolutePath) {
+    let current = absolutePath;
+    let suffix = '';
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+    while (true) {
+        try {
+            const real = await realpath(current);
+            return suffix === '' ? real : resolve(real, suffix);
+        }
+        catch {
+            const parent = resolve(current, '..');
+            if (parent === current) {
+                return absolutePath;
+            }
+            const base = current.slice(parent.length + 1);
+            suffix = suffix === '' ? base : `${base}/${suffix}`;
+            current = parent;
+        }
+    }
+}
+async function isInsideAnyRootRealpath(absolutePath, realRoots) {
+    const real = await realpathOfPathOrAncestor(absolutePath);
+    return isInsideAnyRoot(real, [...realRoots]);
+}
+function formatReason(template, toolName, outsidePaths) {
+    const fallback = `Tool "${toolName}" wants to touch ${outsidePaths.length} path(s) outside the workspace: ${outsidePaths.join(', ')}`;
+    if (template == null)
+        return fallback;
+    return template
+        .replace(/\{tool\}/g, toolName)
+        .replace(/\{paths\}/g, outsidePaths.join(', '));
+}
+/**
+ * Build a `PreToolUse` callback that enforces the workspace policy.
+ * Register it on a `HookRegistry`:
+ *
+ * ```ts
+ * registry.register('PreToolUse', {
+ *   hooks: [createWorkspacePolicyHook({ root, outsideWrite: 'ask' })],
+ * });
+ * ```
+ *
+ * The hook is composable with `createToolPolicyHook` — register both;
+ * `executeHooks` precedence (`deny > ask > allow`) sorts out which
+ * decision wins per call.
+ */
+function createWorkspacePolicyHook(config) {
+    const root = resolve(config.root);
+    // Relative `additionalRoots` entries are anchored to `root` so a
+    // monorepo config like `additionalRoots: ['../shared']` resolves
+    // to a sibling of `root`, not of process.cwd. Matches
+    // `getWorkspaceRoots` in LocalExecutionEngine.
+    const additionalRoots = (config.additionalRoots ?? []).map((p) => isAbsolute(p) ? resolve(p) : resolve(root, p));
+    const allRoots = [root, ...additionalRoots];
+    // Pre-realpath the roots once at construction — these are stable
+    // per Run. The candidate paths get realpath'd lazily inside the
+    // hook callback. Cached so the per-call cost is just one realpath.
+    let realRootsPromise;
+    const getRealRoots = () => {
+        if (realRootsPromise == null) {
+            realRootsPromise = Promise.all(allRoots.map(realpathOrSelf));
+        }
+        return realRootsPromise;
+    };
+    const readPolicy = config.outsideRead ?? 'ask';
+    const writePolicy = config.outsideWrite ?? 'ask';
+    const extractors = {
+        ...DEFAULT_EXTRACTORS,
+        ...(config.pathExtractors ?? {}),
+    };
+    return async (input) => {
+        const extractor = extractors[input.toolName];
+        if (extractor == null)
+            return { decision: 'allow' };
+        const paths = extractor((input.toolInput ?? {}));
+        if (paths.length === 0)
+            return { decision: 'allow' };
+        // Two-stage check:
+        //   1. Lexical fast path — anything that's lexically inside the
+        //      workspace AND doesn't get redirected by realpath stays
+        //      allow-able without paying the realpath cost on every call.
+        //   2. For paths that look outside lexically OR look inside but
+        //      may have been routed through a symlink, realpath both the
+        //      candidate and the roots and compare. This catches the
+        //      `workspace/link → /etc/passwd` escape that lexical-only
+        //      checks miss.
+        const outside = [];
+        const realRoots = await getRealRoots();
+        for (const p of paths) {
+            const abs = isAbsolute(p) ? resolve(p) : resolve(root, p);
+            // Realpath is the source of truth — it catches both the
+            // symlink-escape case (lexically-inside path that resolves
+            // outside) and the alternate-mount case (lexically-outside
+            // path that resolves back inside the workspace). The lexical
+            // check alone gives the wrong answer for either, so we don't
+            // bother computing it.
+            const realInside = await isInsideAnyRootRealpath(abs, realRoots);
+            if (!realInside) {
+                outside.push(p);
+            }
+        }
+        if (outside.length === 0)
+            return { decision: 'allow' };
+        const policy = WRITE_TOOLS.has(input.toolName)
+            ? writePolicy
+            : READ_TOOLS.has(input.toolName)
+                ? readPolicy
+                : writePolicy; // unknown tools — treat as write (stricter)
+        if (policy === 'allow')
+            return { decision: 'allow' };
+        const decision = policy === 'deny' ? 'deny' : 'ask';
+        return {
+            decision,
+            reason: formatReason(config.reason, input.toolName, outside),
+            ...(decision === 'ask'
+                ? { allowedDecisions: ['approve', 'reject'] }
+                : {}),
+        };
+    };
+}
+
+export { createWorkspacePolicyHook };
+//# sourceMappingURL=createWorkspacePolicyHook.mjs.map

package/dist/esm/hooks/createWorkspacePolicyHook.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"createWorkspacePolicyHook.mjs","sources":["../../../src/hooks/createWorkspacePolicyHook.ts"],"sourcesContent":["/**\n * Workspace boundary policy as a `PreToolUse` hook.\n *\n * Local-engine file tools enforce a hard workspace boundary at the\n * tool implementation layer (`resolveWorkspacePathSafe`). This hook\n * adds a complementary, host-controlled layer on top that uses the\n * standard PreToolUse / HITL machinery to *negotiate* access to\n * paths outside the workspace — instead of just throwing.\n *\n * The host opts in by registering this hook on a `HookRegistry`; the\n * hook inspects each tool call's input, extracts the file paths it\n * mentions via per-tool extractors, and returns:\n *\n *   - `allow`               — every path is inside `workspace.root`\n *                              (or `additionalRoots`)\n *   - `deny`                — at least one path is outside, and the\n *                              configured outside-policy is `'deny'`\n *   - `ask`                 — at least one path is outside, and the\n *                              outside-policy is `'ask'` (default).\n *                              When `humanInTheLoop.enabled` is true,\n *                              the existing PreToolUse `'ask'` flow\n *                              raises a tool_approval interrupt the\n *                              host UI can render. When HITL is off,\n *                              `'ask'` collapses to `deny` (matches\n *                              the rest of the SDK's default).\n *\n * Default per-tool path extractors cover the local-engine coding\n * suite (`read_file`, `write_file`, `edit_file`, `grep_search`,\n * `glob_search`, `list_directory`, `compile_check`). The host can\n * override or extend via `pathExtractors`. Bash/code paths are not\n * extracted by default — bash command parsing is its own concern, and\n * the existing `bashAst` validator + sandbox-runtime fs allowlist are\n * the right gates for those.\n *\n * Important: this hook does NOT replace `resolveWorkspacePathSafe`.\n * Even if the hook returns `allow`, the file tool still enforces its\n * own clamp unless `workspace.allowReadOutside` /\n * `workspace.allowWriteOutside` (or the legacy\n * `allowOutsideWorkspace`) is set. The recommended composition for\n * \"ask the user\" semantics is:\n *\n *   workspace: {\n *     root,\n *     allowReadOutside: true,\n *     allowWriteOutside: true,\n *   },\n *   // …with the hook installed and humanInTheLoop.enabled = true.\n */\n\nimport { homedir } from 'os';\nimport { isAbsolute, relative, resolve } from 'path';\nimport { realpath } from 'fs/promises';\nimport { Constants } from '@/common';\nimport type {\n  HookCallback,\n  PreToolUseHookInput,\n  PreToolUseHookOutput,\n  ToolDecision,\n} from './types';\n\n/**\n * What to do when a tool call references a path outside the workspace.\n *\n *   - `'ask'`    : default. Raise a PreToolUse `ask` (host UI prompts\n *                  via the HITL interrupt path).\n *   - `'allow'`  : let the call through (use the existing tool clamp\n *                  to actually enforce — the hook is purely advisory).\n *   - `'deny'`   : block the call with an error ToolMessage.\n */\nexport type OutsideAccessPolicy = 'ask' | 'allow' | 'deny';\n\nexport interface WorkspacePolicyConfig {\n  /** Canonical workspace root. Required. */\n  root: string;\n  /** Sibling roots that count as inside-workspace. */\n  additionalRoots?: readonly string[];\n  /** Policy applied to read-only file tools. Defaults to `'ask'`. */\n  outsideRead?: OutsideAccessPolicy;\n  /** Policy applied to write-shaped file tools. Defaults to `'ask'`. */\n  outsideWrite?: OutsideAccessPolicy;\n  /**\n   * Optional reason template surfaced in the `ask`/`deny` decision.\n   * Supports `{tool}` and `{paths}` substitution.\n   */\n  reason?: string;\n  /**\n   * Per-tool path extractors. Defaults cover the local-engine coding\n   * suite. Returning an empty array opts that tool out of policy.\n   */\n  pathExtractors?: Record<string, PathExtractor>;\n}\n\nexport type PathExtractor = (\n  toolInput: Record<string, unknown>\n) => readonly string[];\n\nconst READ_TOOLS = new Set<string>([\n  Constants.READ_FILE,\n  Constants.GREP_SEARCH,\n  Constants.GLOB_SEARCH,\n  Constants.LIST_DIRECTORY,\n  Constants.COMPILE_CHECK,\n]);\n\nconst WRITE_TOOLS = new Set<string>([\n  Constants.WRITE_FILE,\n  Constants.EDIT_FILE,\n]);\n\n/**\n * Best-effort extractor for `compile_check` — pulls absolute and `~/`\n * path tokens out of the `command` string so the workspace boundary\n * sees them. Without this, a model could ship `command: 'cat\n * /etc/passwd'` and the policy hook would short-circuit to `allow`\n * (Codex P1 #26 — the prior `() => []` made the hook a no-op for\n * compile_check). Conservative by design:\n *\n *   - Matches `/foo`, `~/foo`, `$HOME/foo`, `${HOME}/foo` followed by\n *     non-shell-special chars. Stops at whitespace, quotes, redirect\n *     operators, pipes, semicolons.\n *   - Strips a leading `--flag=` so `--out=/etc/foo` extracts as\n *     `/etc/foo` (the path the agent's actually trying to write).\n *   - Misses relative paths (intended — those resolve under cwd\n *     anyway), and shell-substituted paths whose final form isn't\n *     visible at extract time. Hosts that need bulletproof gating\n *     should pair this with a `bash_tool`-level policy.\n */\n// `[\"']?` slots before AND after the captured path cover quoted\n// forms like `cat \"/etc/passwd\"` and `--out='/tmp/x'`. Codex P1 #31\n// — the previous regex only matched unquoted tokens, so a model\n// could trivially bypass the workspace policy by quoting any\n// destination path. The path content character class still excludes\n// quotes/whitespace/shell-specials so we don't over-extract; that's\n// the defensive trade we want for fallback-grep style matching.\n//\n// The `\\.\\.(?:\\/[^…]*)?` alternation covers parent-traversal forms\n// (`..`, `../secrets.txt`, `../foo/bar`). Without it, a model could\n// exfiltrate parent-directory files via `cat ../secrets` and the\n// hook would short-circuit to `allow` because the extractor saw no\n// \"absolute\" token. The boundary check at the call site resolves\n// non-absolute extracted tokens against `root`, so `../secrets`\n// becomes `<parent-of-workspace>/secrets` which the boundary then\n// correctly flags as outside. Codex P2 #35.\nconst PATH_TOKEN =\n  /(?:^|[\\s=])(?:--[^\\s=]+=)?[\"']?(\\/[^\\s'\"|;&<>()`]+|~\\/[^\\s'\"|;&<>()`]+|\\$\\{?HOME\\}?\\/[^\\s'\"|;&<>()`]+|\\.\\.(?:\\/[^\\s'\"|;&<>()`]*)?)[\"']?/g;\n// Back-compat alias kept for any downstream import.\nconst ABSOLUTE_PATH_TOKEN = PATH_TOKEN;\nfunction expandHomeRelative(token: string): string {\n  // Expand ~/foo and $HOME/foo and ${HOME}/foo to absolute. The\n  // workspace boundary check resolves non-absolute paths against the\n  // workspace root, which would silently treat `~/secret` as\n  // `<workspace>/~/secret` — exactly the bypass the codex flagged.\n  const home = homedir();\n  if (token.startsWith('~/')) return `${home}/${token.slice(2)}`;\n  if (token.startsWith('${HOME}/')) return `${home}/${token.slice(8)}`;\n  if (token.startsWith('$HOME/')) return `${home}/${token.slice(6)}`;\n  return token;\n}\nfunction extractCompileCheckPaths(input: Record<string, unknown>): string[] {\n  const command = typeof input.command === 'string' ? input.command : '';\n  if (command === '') return [];\n  const out: string[] = [];\n  for (const match of command.matchAll(ABSOLUTE_PATH_TOKEN)) {\n    out.push(expandHomeRelative(match[1]));\n  }\n  return out;\n}\n\nconst DEFAULT_EXTRACTORS: Record<string, PathExtractor> = {\n  [Constants.READ_FILE]: (i) =>\n    typeof i.file_path === 'string' ? [i.file_path] : [],\n  [Constants.WRITE_FILE]: (i) =>\n    typeof i.file_path === 'string' ? [i.file_path] : [],\n  [Constants.EDIT_FILE]: (i) =>\n    typeof i.file_path === 'string' ? [i.file_path] : [],\n  [Constants.GREP_SEARCH]: (i) =>\n    typeof i.path === 'string' && i.path !== '' ? [i.path] : [],\n  [Constants.GLOB_SEARCH]: (i) =>\n    typeof i.path === 'string' && i.path !== '' ? [i.path] : [],\n  [Constants.LIST_DIRECTORY]: (i) =>\n    typeof i.path === 'string' && i.path !== '' ? [i.path] : [],\n  [Constants.COMPILE_CHECK]: extractCompileCheckPaths,\n};\n\nfunction isInsideAnyRoot(absolutePath: string, roots: string[]): boolean {\n  for (const root of roots) {\n    if (absolutePath === root) return true;\n    const rel = relative(root, absolutePath);\n    if (!rel.startsWith('..') && !isAbsolute(rel)) return true;\n  }\n  return false;\n}\n\n/**\n * Symlink-aware variant: realpaths the candidate AND the roots before\n * comparing. Without this, a symlink inside the workspace pointing\n * outside (e.g. `workspace/link → /etc/passwd`) compares as\n * \"in-workspace\" lexically, but actually grants the agent reach\n * outside the boundary. Critical when this hook is the primary gate\n * (i.e. the host opted into `workspace.allowReadOutside: true` /\n * `allowWriteOutside: true` so the file tools' own clamp is off).\n *\n * Handles paths that don't yet exist (e.g. `write_file` to a brand\n * new path) by walking up to the nearest existing ancestor and\n * realpathing that, then re-attaching the unresolved suffix. Mirrors\n * `resolveWorkspacePathSafe`'s approach in LocalExecutionEngine.\n */\nasync function realpathOrSelf(absolutePath: string): Promise<string> {\n  try {\n    return await realpath(absolutePath);\n  } catch {\n    return absolutePath;\n  }\n}\n\nasync function realpathOfPathOrAncestor(\n  absolutePath: string\n): Promise<string> {\n  let current = absolutePath;\n  let suffix = '';\n  // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition\n  while (true) {\n    try {\n      const real = await realpath(current);\n      return suffix === '' ? real : resolve(real, suffix);\n    } catch {\n      const parent = resolve(current, '..');\n      if (parent === current) {\n        return absolutePath;\n      }\n      const base = current.slice(parent.length + 1);\n      suffix = suffix === '' ? base : `${base}/${suffix}`;\n      current = parent;\n    }\n  }\n}\n\nasync function isInsideAnyRootRealpath(\n  absolutePath: string,\n  realRoots: readonly string[]\n): Promise<boolean> {\n  const real = await realpathOfPathOrAncestor(absolutePath);\n  return isInsideAnyRoot(real, [...realRoots]);\n}\n\nfunction formatReason(\n  template: string | undefined,\n  toolName: string,\n  outsidePaths: readonly string[]\n): string {\n  const fallback = `Tool \"${toolName}\" wants to touch ${outsidePaths.length} path(s) outside the workspace: ${outsidePaths.join(', ')}`;\n  if (template == null) return fallback;\n  return template\n    .replace(/\\{tool\\}/g, toolName)\n    .replace(/\\{paths\\}/g, outsidePaths.join(', '));\n}\n\n/**\n * Build a `PreToolUse` callback that enforces the workspace policy.\n * Register it on a `HookRegistry`:\n *\n * ```ts\n * registry.register('PreToolUse', {\n *   hooks: [createWorkspacePolicyHook({ root, outsideWrite: 'ask' })],\n * });\n * ```\n *\n * The hook is composable with `createToolPolicyHook` — register both;\n * `executeHooks` precedence (`deny > ask > allow`) sorts out which\n * decision wins per call.\n */\nexport function createWorkspacePolicyHook(\n  config: WorkspacePolicyConfig\n): HookCallback<'PreToolUse'> {\n  const root = resolve(config.root);\n  // Relative `additionalRoots` entries are anchored to `root` so a\n  // monorepo config like `additionalRoots: ['../shared']` resolves\n  // to a sibling of `root`, not of process.cwd. Matches\n  // `getWorkspaceRoots` in LocalExecutionEngine.\n  const additionalRoots = (config.additionalRoots ?? []).map((p) =>\n    isAbsolute(p) ? resolve(p) : resolve(root, p)\n  );\n  const allRoots = [root, ...additionalRoots];\n\n  // Pre-realpath the roots once at construction — these are stable\n  // per Run. The candidate paths get realpath'd lazily inside the\n  // hook callback. Cached so the per-call cost is just one realpath.\n  let realRootsPromise: Promise<string[]> | undefined;\n  const getRealRoots = (): Promise<string[]> => {\n    if (realRootsPromise == null) {\n      realRootsPromise = Promise.all(allRoots.map(realpathOrSelf));\n    }\n    return realRootsPromise;\n  };\n\n  const readPolicy: OutsideAccessPolicy = config.outsideRead ?? 'ask';\n  const writePolicy: OutsideAccessPolicy = config.outsideWrite ?? 'ask';\n\n  const extractors: Record<string, PathExtractor> = {\n    ...DEFAULT_EXTRACTORS,\n    ...(config.pathExtractors ?? {}),\n  };\n\n  return async (input: PreToolUseHookInput): Promise<PreToolUseHookOutput> => {\n    const extractor = extractors[input.toolName];\n    if (extractor == null) return { decision: 'allow' };\n\n    const paths = extractor(\n      (input.toolInput ?? {}) as Record<string, unknown>\n    );\n    if (paths.length === 0) return { decision: 'allow' };\n\n    // Two-stage check:\n    //   1. Lexical fast path — anything that's lexically inside the\n    //      workspace AND doesn't get redirected by realpath stays\n    //      allow-able without paying the realpath cost on every call.\n    //   2. For paths that look outside lexically OR look inside but\n    //      may have been routed through a symlink, realpath both the\n    //      candidate and the roots and compare. This catches the\n    //      `workspace/link → /etc/passwd` escape that lexical-only\n    //      checks miss.\n    const outside: string[] = [];\n    const realRoots = await getRealRoots();\n    for (const p of paths) {\n      const abs = isAbsolute(p) ? resolve(p) : resolve(root, p);\n      // Realpath is the source of truth — it catches both the\n      // symlink-escape case (lexically-inside path that resolves\n      // outside) and the alternate-mount case (lexically-outside\n      // path that resolves back inside the workspace). The lexical\n      // check alone gives the wrong answer for either, so we don't\n      // bother computing it.\n      const realInside = await isInsideAnyRootRealpath(abs, realRoots);\n      if (!realInside) {\n        outside.push(p);\n      }\n    }\n    if (outside.length === 0) return { decision: 'allow' };\n\n    const policy = WRITE_TOOLS.has(input.toolName)\n      ? writePolicy\n      : READ_TOOLS.has(input.toolName)\n        ? readPolicy\n        : writePolicy; // unknown tools — treat as write (stricter)\n    if (policy === 'allow') return { decision: 'allow' };\n\n    const decision: ToolDecision = policy === 'deny' ? 'deny' : 'ask';\n    return {\n      decision,\n      reason: formatReason(config.reason, input.toolName, outside),\n      ...(decision === 'ask'\n        ? { allowedDecisions: ['approve', 'reject'] as const }\n        : {}),\n    };\n  };\n}\n"],"names":[],"mappings":";;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CG;AAiDH,MAAM,UAAU,GAAG,IAAI,GAAG,CAAS;AACjC,IAAA,SAAS,CAAC,SAAS;AACnB,IAAA,SAAS,CAAC,WAAW;AACrB,IAAA,SAAS,CAAC,WAAW;AACrB,IAAA,SAAS,CAAC,cAAc;AACxB,IAAA,SAAS,CAAC,aAAa;AACxB,CAAA,CAAC;AAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAS;AAClC,IAAA,SAAS,CAAC,UAAU;AACpB,IAAA,SAAS,CAAC,SAAS;AACpB,CAAA,CAAC;AAEF;;;;;;;;;;;;;;;;;AAiBG;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,UAAU,GACd,0IAA0I;AAC5I;AACA,MAAM,mBAAmB,GAAG,UAAU;AACtC,SAAS,kBAAkB,CAAC,KAAa,EAAA;;;;;AAKvC,IAAA,MAAM,IAAI,GAAG,OAAO,EAAE;AACtB,IAAA,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA,CAAE;AAC9D,IAAA,IAAI,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA,CAAE;AACpE,IAAA,IAAI,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA,CAAE;AAClE,IAAA,OAAO,KAAK;AACd;AACA,SAAS,wBAAwB,CAAC,KAA8B,EAAA;AAC9D,IAAA,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,GAAG,KAAK,CAAC,OAAO,GAAG,EAAE;IACtE,IAAI,OAAO,KAAK,EAAE;AAAE,QAAA,OAAO,EAAE;IAC7B,MAAM,GAAG,GAAa,EAAE;IACxB,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE;QACzD,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC;AACA,IAAA,OAAO,GAAG;AACZ;AAEA,MAAM,kBAAkB,GAAkC;IACxD,CAAC,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,KACvB,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE;IACtD,CAAC,SAAS,CAAC,UAAU,GAAG,CAAC,CAAC,KACxB,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE;IACtD,CAAC,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,KACvB,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE;AACtD,IAAA,CAAC,SAAS,CAAC,WAAW,GAAG,CAAC,CAAC,KACzB,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;AAC7D,IAAA,CAAC,SAAS,CAAC,WAAW,GAAG,CAAC,CAAC,KACzB,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;AAC7D,IAAA,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,KAC5B,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;AAC7D,IAAA,CAAC,SAAS,CAAC,aAAa,GAAG,wBAAwB;CACpD;AAED,SAAS,eAAe,CAAC,YAAoB,EAAE,KAAe,EAAA;AAC5D,IAAA,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;QACxB,IAAI,YAAY,KAAK,IAAI;AAAE,YAAA,OAAO,IAAI;QACtC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;AACxC,QAAA,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;AAAE,YAAA,OAAO,IAAI;IAC5D;AACA,IAAA,OAAO,KAAK;AACd;AAEA;;;;;;;;;;;;;AAaG;AACH,eAAe,cAAc,CAAC,YAAoB,EAAA;AAChD,IAAA,IAAI;AACF,QAAA,OAAO,MAAM,QAAQ,CAAC,YAAY,CAAC;IACrC;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,YAAY;IACrB;AACF;AAEA,eAAe,wBAAwB,CACrC,YAAoB,EAAA;IAEpB,IAAI,OAAO,GAAG,YAAY;IAC1B,IAAI,MAAM,GAAG,EAAE;;IAEf,OAAO,IAAI,EAAE;AACX,QAAA,IAAI;AACF,YAAA,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;AACpC,YAAA,OAAO,MAAM,KAAK,EAAE,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;QACrD;AAAE,QAAA,MAAM;YACN,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC;AACrC,YAAA,IAAI,MAAM,KAAK,OAAO,EAAE;AACtB,gBAAA,OAAO,YAAY;YACrB;AACA,YAAA,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7C,YAAA,MAAM,GAAG,MAAM,KAAK,EAAE,GAAG,IAAI,GAAG,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,MAAM,EAAE;YACnD,OAAO,GAAG,MAAM;QAClB;IACF;AACF;AAEA,eAAe,uBAAuB,CACpC,YAAoB,EACpB,SAA4B,EAAA;AAE5B,IAAA,MAAM,IAAI,GAAG,MAAM,wBAAwB,CAAC,YAAY,CAAC;IACzD,OAAO,eAAe,CAAC,IAAI,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC;AAC9C;AAEA,SAAS,YAAY,CACnB,QAA4B,EAC5B,QAAgB,EAChB,YAA+B,EAAA;AAE/B,IAAA,MAAM,QAAQ,GAAG,CAAA,MAAA,EAAS,QAAQ,CAAA,iBAAA,EAAoB,YAAY,CAAC,MAAM,CAAA,gCAAA,EAAmC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;IACrI,IAAI,QAAQ,IAAI,IAAI;AAAE,QAAA,OAAO,QAAQ;AACrC,IAAA,OAAO;AACJ,SAAA,OAAO,CAAC,WAAW,EAAE,QAAQ;SAC7B,OAAO,CAAC,YAAY,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnD;AAEA;;;;;;;;;;;;;AAaG;AACG,SAAU,yBAAyB,CACvC,MAA6B,EAAA;IAE7B,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC;;;;;AAKjC,IAAA,MAAM,eAAe,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,KAC3D,UAAU,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAC9C;IACD,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,GAAG,eAAe,CAAC;;;;AAK3C,IAAA,IAAI,gBAA+C;IACnD,MAAM,YAAY,GAAG,MAAwB;AAC3C,QAAA,IAAI,gBAAgB,IAAI,IAAI,EAAE;AAC5B,YAAA,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC9D;AACA,QAAA,OAAO,gBAAgB;AACzB,IAAA,CAAC;AAED,IAAA,MAAM,UAAU,GAAwB,MAAM,CAAC,WAAW,IAAI,KAAK;AACnE,IAAA,MAAM,WAAW,GAAwB,MAAM,CAAC,YAAY,IAAI,KAAK;AAErE,IAAA,MAAM,UAAU,GAAkC;AAChD,QAAA,GAAG,kBAAkB;AACrB,QAAA,IAAI,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;KACjC;AAED,IAAA,OAAO,OAAO,KAA0B,KAAmC;QACzE,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC5C,IAAI,SAAS,IAAI,IAAI;AAAE,YAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE;AAEnD,QAAA,MAAM,KAAK,GAAG,SAAS,EACpB,KAAK,CAAC,SAAS,IAAI,EAAE,EACvB;AACD,QAAA,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;AAAE,YAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE;;;;;;;;;;QAWpD,MAAM,OAAO,GAAa,EAAE;AAC5B,QAAA,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE;AACtC,QAAA,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;;;;;;;YAOzD,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC;YAChE,IAAI,CAAC,UAAU,EAAE;AACf,gBAAA,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACjB;QACF;AACA,QAAA,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;AAAE,YAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE;QAEtD,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ;AAC3C,cAAE;cACA,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ;AAC7B,kBAAE;AACF,kBAAE,WAAW,CAAC;QAClB,IAAI,MAAM,KAAK,OAAO;AAAE,YAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE;AAEpD,QAAA,MAAM,QAAQ,GAAiB,MAAM,KAAK,MAAM,GAAG,MAAM,GAAG,KAAK;QACjE,OAAO;YACL,QAAQ;AACR,YAAA,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC5D,IAAI,QAAQ,KAAK;kBACb,EAAE,gBAAgB,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAU;kBAClD,EAAE,CAAC;SACR;AACH,IAAA,CAAC;AACH;;;;"}