@poolzin/pool-bot 2026.2.24 → 2026.2.26

package/dist/security/audit-extra.js

@@ -1,2 +1,12 @@
-export { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectHooksHardeningFindings, collectModelHygieneFindings, collectSecretsInConfigFindings, collectSmallModelRiskFindings, collectSyncedFolderFindings, } from "./audit-extra.sync.js";
-export { collectIncludeFilePermFindings, collectInstalledSkillsCodeSafetyFindings, collectPluginsCodeSafetyFindings, collectPluginsTrustFindings, collectStateDeepFilesystemFindings, readConfigSnapshotForAudit, } from "./audit-extra.async.js";
+/**
+ * Re-export barrel for security audit collector functions.
+ *
+ * Maintains backward compatibility with existing imports from audit-extra.
+ * Implementation split into:
+ * - audit-extra.sync.ts: Config-based checks (no I/O)
+ * - audit-extra.async.ts: Filesystem/plugin checks (async I/O)
+ */
+// Sync collectors
+export { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectGatewayHttpNoAuthFindings, collectGatewayHttpSessionKeyOverrideFindings, collectHooksHardeningFindings, collectMinimalProfileOverrideFindings, collectModelHygieneFindings, collectNodeDenyCommandPatternFindings, collectSandboxDangerousConfigFindings, collectSandboxDockerNoopFindings, collectSecretsInConfigFindings, collectSmallModelRiskFindings, collectSyncedFolderFindings, } from "./audit-extra.sync.js";
+// Async collectors
+export { collectSandboxBrowserHashLabelFindings, collectIncludeFilePermFindings, collectInstalledSkillsCodeSafetyFindings, collectPluginsCodeSafetyFindings, collectPluginsTrustFindings, collectStateDeepFilesystemFindings, readConfigSnapshotForAudit, } from "./audit-extra.async.js";

package/dist/security/audit-extra.sync.js

@@ -1,9 +1,13 @@
 import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
 import { resolveSandboxConfigForAgent, resolveSandboxToolPolicyForAgent, } from "../agents/sandbox.js";
+import { getBlockedBindReason } from "../agents/sandbox/validate-sandbox-security.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { resolveBrowserConfig } from "../browser/config.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
+import { resolveNodeCommandAllowlist } from "../gateway/node-command-policy.js";
+import { inferParamBFromIdOrName } from "../shared/model-param-b.js";
+import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
 const SMALL_MODEL_PARAM_B_MAX = 300;
 // --------------------------------------------------------------------------
 // Helpers
@@ -46,6 +50,14 @@ function looksLikeEnvRef(value) {
     const v = value.trim();
     return v.startsWith("${") && v.endsWith("}");
 }
+function isGatewayRemotelyExposed(cfg) {
+    const bind = typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback";
+    if (bind !== "loopback") {
+        return true;
+    }
+    const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+    return tailscaleMode === "serve" || tailscaleMode === "funnel";
+}
 function addModel(models, raw, source) {
     if (typeof raw !== "string") {
         return;
@@ -96,25 +108,6 @@ const LEGACY_MODEL_PATTERNS = [
 const WEAK_TIER_MODEL_PATTERNS = [
     { id: "anthropic.haiku", re: /\bhaiku\b/i, label: "Haiku tier (smaller model)" },
 ];
-function inferParamBFromIdOrName(text) {
-    const raw = text.toLowerCase();
-    const matches = raw.matchAll(/(?:^|[^a-z0-9])[a-z]?(\d+(?:\.\d+)?)b(?:[^a-z0-9]|$)/g);
-    let best = null;
-    for (const match of matches) {
-        const numRaw = match[1];
-        if (!numRaw) {
-            continue;
-        }
-        const value = Number(numRaw);
-        if (!Number.isFinite(value) || value <= 0) {
-            continue;
-        }
-        if (best === null || value > best) {
-            best = value;
-        }
-    }
-    return best;
-}
 function isGptModel(id) {
     return /\bgpt-/i.test(id);
 }
@@ -132,16 +125,52 @@ function extractAgentIdFromSource(source) {
     const match = source.match(/^agents\.list\.([^.]*)\./);
     return match?.[1] ?? null;
 }
-function pickToolPolicy(config) {
-    if (!config) {
-        return null;
+function hasConfiguredDockerConfig(docker) {
+    if (!docker || typeof docker !== "object") {
+        return false;
     }
-    const allow = Array.isArray(config.allow) ? config.allow : undefined;
-    const deny = Array.isArray(config.deny) ? config.deny : undefined;
-    if (!allow && !deny) {
-        return null;
+    return Object.values(docker).some((value) => value !== undefined);
+}
+function normalizeNodeCommand(value) {
+    return typeof value === "string" ? value.trim() : "";
+}
+function listKnownNodeCommands(cfg) {
+    const baseCfg = {
+        ...cfg,
+        gateway: {
+            ...cfg.gateway,
+            nodes: {
+                ...cfg.gateway?.nodes,
+                denyCommands: [],
+            },
+        },
+    };
+    const out = new Set();
+    for (const platform of ["ios", "android", "macos", "linux", "windows", "unknown"]) {
+        const allow = resolveNodeCommandAllowlist(baseCfg, { platform });
+        for (const cmd of allow) {
+            const normalized = normalizeNodeCommand(cmd);
+            if (normalized) {
+                out.add(normalized);
+            }
+        }
     }
-    return { allow, deny };
+    return out;
+}
+function looksLikeNodeCommandPattern(value) {
+    if (!value) {
+        return false;
+    }
+    if (/[?*[\]{}(),|]/.test(value)) {
+        return true;
+    }
+    if (value.startsWith("/") ||
+        value.endsWith("/") ||
+        value.startsWith("^") ||
+        value.endsWith("$")) {
+        return true;
+    }
+    return /\s/.test(value) || value.includes("group:");
 }
 function resolveToolPolicies(params) {
     const policies = [];
@@ -150,11 +179,11 @@ function resolveToolPolicies(params) {
     if (profilePolicy) {
         policies.push(profilePolicy);
     }
-    const globalPolicy = pickToolPolicy(params.cfg.tools ?? undefined);
+    const globalPolicy = pickSandboxToolPolicy(params.cfg.tools ?? undefined);
     if (globalPolicy) {
         policies.push(globalPolicy);
     }
-    const agentPolicy = pickToolPolicy(params.agentTools);
+    const agentPolicy = pickSandboxToolPolicy(params.agentTools);
     if (agentPolicy) {
         policies.push(agentPolicy);
     }
@@ -232,13 +261,16 @@ function listGroupPolicyOpen(cfg) {
 export function collectAttackSurfaceSummaryFindings(cfg) {
     const group = summarizeGroupPolicy(cfg);
     const elevated = cfg.tools?.elevated?.enabled !== false;
-    const hooksEnabled = cfg.hooks?.enabled === true;
+    const webhooksEnabled = cfg.hooks?.enabled === true;
+    const internalHooksEnabled = cfg.hooks?.internal?.enabled === true;
     const browserEnabled = cfg.browser?.enabled ?? true;
     const detail = `groups: open=${group.open}, allowlist=${group.allowlist}` +
         `\n` +
         `tools.elevated: ${elevated ? "enabled" : "disabled"}` +
         `\n` +
-        `hooks: ${hooksEnabled ? "enabled" : "disabled"}` +
+        `hooks.webhooks: ${webhooksEnabled ? "enabled" : "disabled"}` +
+        `\n` +
+        `hooks.internal: ${internalHooksEnabled ? "enabled" : "disabled"}` +
         `\n` +
         `browser control: ${browserEnabled ? "enabled" : "disabled"}`;
     return [
@@ -258,7 +290,7 @@ export function collectSyncedFolderFindings(params) {
             severity: "warn",
             title: "State/config path looks like a synced folder",
             detail: `stateDir=${params.stateDir}, configPath=${params.configPath}. Synced folders (iCloud/Dropbox/OneDrive/Google Drive) can leak tokens and transcripts onto other devices.`,
-            remediation: `Keep CLAWDBOT_STATE_DIR on a local-only volume and re-run "${formatCliCommand("poolbot security audit --fix")}".`,
+            remediation: `Keep POOLBOT_STATE_DIR on a local-only volume and re-run "${formatCliCommand("poolbot security audit --fix")}".`,
         });
     }
     return findings;
@@ -286,7 +318,7 @@ export function collectSecretsInConfigFindings(cfg) {
     }
     return findings;
 }
-export function collectHooksHardeningFindings(cfg) {
+export function collectHooksHardeningFindings(cfg, env = process.env) {
     const findings = [];
     if (cfg.hooks?.enabled !== true) {
         return findings;
@@ -303,16 +335,22 @@ export function collectHooksHardeningFindings(cfg) {
     const gatewayAuth = resolveGatewayAuth({
         authConfig: cfg.gateway?.auth,
         tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+        env,
     });
+    const poolbotGatewayToken = typeof env.POOLBOT_GATEWAY_TOKEN === "string" && env.POOLBOT_GATEWAY_TOKEN.trim()
+        ? env.POOLBOT_GATEWAY_TOKEN.trim()
+        : null;
     const gatewayToken = gatewayAuth.mode === "token" &&
         typeof gatewayAuth.token === "string" &&
         gatewayAuth.token.trim()
         ? gatewayAuth.token.trim()
-        : null;
+        : poolbotGatewayToken
+            ? poolbotGatewayToken
+            : null;
     if (token && gatewayToken && token === gatewayToken) {
         findings.push({
             checkId: "hooks.token_reuse_gateway_token",
-            severity: "warn",
+            severity: "critical",
             title: "Hooks token reuses the Gateway token",
             detail: "hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.",
             remediation: "Use a separate hooks.token dedicated to hook ingress.",
@@ -328,6 +366,309 @@ export function collectHooksHardeningFindings(cfg) {
             remediation: "Use a dedicated path like '/hooks'.",
         });
     }
+    const allowRequestSessionKey = cfg.hooks?.allowRequestSessionKey === true;
+    const defaultSessionKey = typeof cfg.hooks?.defaultSessionKey === "string" ? cfg.hooks.defaultSessionKey.trim() : "";
+    const allowedPrefixes = Array.isArray(cfg.hooks?.allowedSessionKeyPrefixes)
+        ? cfg.hooks.allowedSessionKeyPrefixes
+            .map((prefix) => prefix.trim())
+            .filter((prefix) => prefix.length > 0)
+        : [];
+    const remoteExposure = isGatewayRemotelyExposed(cfg);
+    if (!defaultSessionKey) {
+        findings.push({
+            checkId: "hooks.default_session_key_unset",
+            severity: "warn",
+            title: "hooks.defaultSessionKey is not configured",
+            detail: "Hook agent runs without explicit sessionKey use generated per-request keys. Set hooks.defaultSessionKey to keep hook ingress scoped to a known session.",
+            remediation: 'Set hooks.defaultSessionKey (for example, "hook:ingress").',
+        });
+    }
+    if (allowRequestSessionKey) {
+        findings.push({
+            checkId: "hooks.request_session_key_enabled",
+            severity: remoteExposure ? "critical" : "warn",
+            title: "External hook payloads may override sessionKey",
+            detail: "hooks.allowRequestSessionKey=true allows `/hooks/agent` callers to choose the session key. Treat hook token holders as full-trust unless you also restrict prefixes.",
+            remediation: "Set hooks.allowRequestSessionKey=false (recommended) or constrain hooks.allowedSessionKeyPrefixes.",
+        });
+    }
+    if (allowRequestSessionKey && allowedPrefixes.length === 0) {
+        findings.push({
+            checkId: "hooks.request_session_key_prefixes_missing",
+            severity: remoteExposure ? "critical" : "warn",
+            title: "Request sessionKey override is enabled without prefix restrictions",
+            detail: "hooks.allowRequestSessionKey=true and hooks.allowedSessionKeyPrefixes is unset/empty, so request payloads can target arbitrary session key shapes.",
+            remediation: 'Set hooks.allowedSessionKeyPrefixes (for example, ["hook:"]) or disable request overrides.',
+        });
+    }
+    return findings;
+}
+export function collectGatewayHttpSessionKeyOverrideFindings(cfg) {
+    const findings = [];
+    const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
+    const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
+    if (!chatCompletionsEnabled && !responsesEnabled) {
+        return findings;
+    }
+    const enabledEndpoints = [
+        chatCompletionsEnabled ? "/v1/chat/completions" : null,
+        responsesEnabled ? "/v1/responses" : null,
+    ].filter((entry) => Boolean(entry));
+    findings.push({
+        checkId: "gateway.http.session_key_override_enabled",
+        severity: "info",
+        title: "HTTP API session-key override is enabled",
+        detail: `${enabledEndpoints.join(", ")} accept x-poolbot-session-key for per-request session routing. ` +
+            "Treat API credential holders as trusted principals.",
+    });
+    return findings;
+}
+export function collectGatewayHttpNoAuthFindings(cfg, env) {
+    const findings = [];
+    const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+    const auth = resolveGatewayAuth({ authConfig: cfg.gateway?.auth, tailscaleMode, env });
+    if (auth.mode !== "none") {
+        return findings;
+    }
+    const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
+    const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
+    const enabledEndpoints = [
+        "/tools/invoke",
+        chatCompletionsEnabled ? "/v1/chat/completions" : null,
+        responsesEnabled ? "/v1/responses" : null,
+    ].filter((entry) => Boolean(entry));
+    const remoteExposure = isGatewayRemotelyExposed(cfg);
+    findings.push({
+        checkId: "gateway.http.no_auth",
+        severity: remoteExposure ? "critical" : "warn",
+        title: "Gateway HTTP APIs are reachable without auth",
+        detail: `gateway.auth.mode="none" leaves ${enabledEndpoints.join(", ")} callable without a shared secret. ` +
+            "Treat this as trusted-local only and avoid exposing the gateway beyond loopback.",
+        remediation: "Set gateway.auth.mode to token/password (recommended). If you intentionally keep mode=none, keep gateway.bind=loopback and disable optional HTTP endpoints.",
+    });
+    return findings;
+}
+export function collectSandboxDockerNoopFindings(cfg) {
+    const findings = [];
+    const configuredPaths = [];
+    const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
+    const defaultsSandbox = cfg.agents?.defaults?.sandbox;
+    const hasDefaultDocker = hasConfiguredDockerConfig(defaultsSandbox?.docker);
+    const defaultMode = defaultsSandbox?.mode ?? "off";
+    const hasAnySandboxEnabledAgent = agents.some((entry) => {
+        if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
+            return false;
+        }
+        return resolveSandboxConfigForAgent(cfg, entry.id).mode !== "off";
+    });
+    if (hasDefaultDocker && defaultMode === "off" && !hasAnySandboxEnabledAgent) {
+        configuredPaths.push("agents.defaults.sandbox.docker");
+    }
+    for (const entry of agents) {
+        if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
+            continue;
+        }
+        if (!hasConfiguredDockerConfig(entry.sandbox?.docker)) {
+            continue;
+        }
+        if (resolveSandboxConfigForAgent(cfg, entry.id).mode === "off") {
+            configuredPaths.push(`agents.list.${entry.id}.sandbox.docker`);
+        }
+    }
+    if (configuredPaths.length === 0) {
+        return findings;
+    }
+    findings.push({
+        checkId: "sandbox.docker_config_mode_off",
+        severity: "warn",
+        title: "Sandbox docker settings configured while sandbox mode is off",
+        detail: "These docker settings will not take effect until sandbox mode is enabled:\n" +
+            configuredPaths.map((entry) => `- ${entry}`).join("\n"),
+        remediation: 'Enable sandbox mode (`agents.defaults.sandbox.mode="non-main"` or `"all"`) where needed, or remove unused docker settings.',
+    });
+    return findings;
+}
+export function collectSandboxDangerousConfigFindings(cfg) {
+    const findings = [];
+    const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
+    const configs = [];
+    const defaultDocker = cfg.agents?.defaults?.sandbox?.docker;
+    if (defaultDocker && typeof defaultDocker === "object") {
+        configs.push({
+            source: "agents.defaults.sandbox.docker",
+            docker: defaultDocker,
+        });
+    }
+    for (const entry of agents) {
+        if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
+            continue;
+        }
+        const agentDocker = entry.sandbox?.docker;
+        if (agentDocker && typeof agentDocker === "object") {
+            configs.push({
+                source: `agents.list.${entry.id}.sandbox.docker`,
+                docker: agentDocker,
+            });
+        }
+    }
+    for (const { source, docker } of configs) {
+        const binds = Array.isArray(docker.binds) ? docker.binds : [];
+        for (const bind of binds) {
+            if (typeof bind !== "string") {
+                continue;
+            }
+            const blocked = getBlockedBindReason(bind);
+            if (!blocked) {
+                continue;
+            }
+            if (blocked.kind === "non_absolute") {
+                findings.push({
+                    checkId: "sandbox.bind_mount_non_absolute",
+                    severity: "warn",
+                    title: "Sandbox bind mount uses a non-absolute source path",
+                    detail: `${source}.binds contains "${bind}" which uses source path "${blocked.sourcePath}". ` +
+                        "Non-absolute bind sources are hard to validate safely and may resolve unexpectedly.",
+                    remediation: `Rewrite "${bind}" to use an absolute host path (for example: /home/user/project:/project:ro).`,
+                });
+                continue;
+            }
+            const verb = blocked.kind === "covers" ? "covers" : "targets";
+            findings.push({
+                checkId: "sandbox.dangerous_bind_mount",
+                severity: "critical",
+                title: "Dangerous bind mount in sandbox config",
+                detail: `${source}.binds contains "${bind}" which ${verb} blocked path "${blocked.blockedPath}". ` +
+                    "This can expose host system directories or the Docker socket to sandbox containers.",
+                remediation: `Remove "${bind}" from ${source}.binds. Use project-specific paths instead.`,
+            });
+        }
+        const network = typeof docker.network === "string" ? docker.network : undefined;
+        if (network && network.trim().toLowerCase() === "host") {
+            findings.push({
+                checkId: "sandbox.dangerous_network_mode",
+                severity: "critical",
+                title: "Network host mode in sandbox config",
+                detail: `${source}.network is "host" which bypasses container network isolation entirely.`,
+                remediation: `Set ${source}.network to "bridge" or "none".`,
+            });
+        }
+        const seccompProfile = typeof docker.seccompProfile === "string" ? docker.seccompProfile : undefined;
+        if (seccompProfile && seccompProfile.trim().toLowerCase() === "unconfined") {
+            findings.push({
+                checkId: "sandbox.dangerous_seccomp_profile",
+                severity: "critical",
+                title: "Seccomp unconfined in sandbox config",
+                detail: `${source}.seccompProfile is "unconfined" which disables syscall filtering.`,
+                remediation: `Remove ${source}.seccompProfile or use a custom seccomp profile file.`,
+            });
+        }
+        const apparmorProfile = typeof docker.apparmorProfile === "string" ? docker.apparmorProfile : undefined;
+        if (apparmorProfile && apparmorProfile.trim().toLowerCase() === "unconfined") {
+            findings.push({
+                checkId: "sandbox.dangerous_apparmor_profile",
+                severity: "critical",
+                title: "AppArmor unconfined in sandbox config",
+                detail: `${source}.apparmorProfile is "unconfined" which disables AppArmor enforcement.`,
+                remediation: `Remove ${source}.apparmorProfile or use a named AppArmor profile.`,
+            });
+        }
+    }
+    const browserExposurePaths = [];
+    const defaultBrowser = resolveSandboxConfigForAgent(cfg).browser;
+    if (defaultBrowser.enabled &&
+        defaultBrowser.network.trim().toLowerCase() === "bridge" &&
+        !defaultBrowser.cdpSourceRange?.trim()) {
+        browserExposurePaths.push("agents.defaults.sandbox.browser");
+    }
+    for (const entry of agents) {
+        if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
+            continue;
+        }
+        const browser = resolveSandboxConfigForAgent(cfg, entry.id).browser;
+        if (!browser.enabled) {
+            continue;
+        }
+        if (browser.network.trim().toLowerCase() !== "bridge") {
+            continue;
+        }
+        if (browser.cdpSourceRange?.trim()) {
+            continue;
+        }
+        browserExposurePaths.push(`agents.list.${entry.id}.sandbox.browser`);
+    }
+    if (browserExposurePaths.length > 0) {
+        findings.push({
+            checkId: "sandbox.browser_cdp_bridge_unrestricted",
+            severity: "warn",
+            title: "Sandbox browser CDP may be reachable by peer containers",
+            detail: "These sandbox browser configs use Docker bridge networking with no CDP source restriction:\n" +
+                browserExposurePaths.map((entry) => `- ${entry}`).join("\n"),
+            remediation: "Set sandbox.browser.network to a dedicated bridge network (recommended default: poolbot-sandbox-browser), " +
+                "or set sandbox.browser.cdpSourceRange (for example 172.21.0.1/32) to restrict container-edge CDP ingress.",
+        });
+    }
+    return findings;
+}
+export function collectNodeDenyCommandPatternFindings(cfg) {
+    const findings = [];
+    const denyListRaw = cfg.gateway?.nodes?.denyCommands;
+    if (!Array.isArray(denyListRaw) || denyListRaw.length === 0) {
+        return findings;
+    }
+    const denyList = denyListRaw.map(normalizeNodeCommand).filter(Boolean);
+    if (denyList.length === 0) {
+        return findings;
+    }
+    const knownCommands = listKnownNodeCommands(cfg);
+    const patternLike = denyList.filter((entry) => looksLikeNodeCommandPattern(entry));
+    const unknownExact = denyList.filter((entry) => !looksLikeNodeCommandPattern(entry) && !knownCommands.has(entry));
+    if (patternLike.length === 0 && unknownExact.length === 0) {
+        return findings;
+    }
+    const detailParts = [];
+    if (patternLike.length > 0) {
+        detailParts.push(`Pattern-like entries (not supported by exact matching): ${patternLike.join(", ")}`);
+    }
+    if (unknownExact.length > 0) {
+        detailParts.push(`Unknown command names (not in defaults/allowCommands): ${unknownExact.join(", ")}`);
+    }
+    const examples = Array.from(knownCommands).slice(0, 8);
+    findings.push({
+        checkId: "gateway.nodes.deny_commands_ineffective",
+        severity: "warn",
+        title: "Some gateway.nodes.denyCommands entries are ineffective",
+        detail: "gateway.nodes.denyCommands uses exact command-name matching only.\n" +
+            detailParts.map((entry) => `- ${entry}`).join("\n"),
+        remediation: `Use exact command names (for example: ${examples.join(", ")}). ` +
+            "If you need broader restrictions, remove risky commands from allowCommands/default workflows.",
+    });
+    return findings;
+}
+export function collectMinimalProfileOverrideFindings(cfg) {
+    const findings = [];
+    if (cfg.tools?.profile !== "minimal") {
+        return findings;
+    }
+    const overrides = (cfg.agents?.list ?? [])
+        .filter((entry) => {
+        return Boolean(entry &&
+            typeof entry === "object" &&
+            typeof entry.id === "string" &&
+            entry.tools?.profile &&
+            entry.tools.profile !== "minimal");
+    })
+        .map((entry) => `${entry.id}=${entry.tools?.profile}`);
+    if (overrides.length === 0) {
+        return findings;
+    }
+    findings.push({
+        checkId: "tools.profile_minimal_overridden",
+        severity: "warn",
+        title: "Global tools.profile=minimal is overridden by agent profiles",
+        detail: "Global minimal profile is set, but these agent profiles take precedence:\n" +
+            overrides.map((entry) => `- agents.list.${entry}`).join("\n"),
+        remediation: 'Set those agents to `tools.profile="minimal"` (or remove the agent override) if you want minimal tools enforced globally.',
+    });
     return findings;
 }
 export function collectModelHygieneFindings(cfg) {
@@ -501,5 +842,50 @@ export function collectExposureMatrixFindings(cfg) {
             remediation: `Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.`,
         });
     }
+    const contexts = [{ label: "agents.defaults" }];
+    for (const agent of cfg.agents?.list ?? []) {
+        if (!agent || typeof agent !== "object" || typeof agent.id !== "string") {
+            continue;
+        }
+        contexts.push({
+            label: `agents.list.${agent.id}`,
+            agentId: agent.id,
+            tools: agent.tools,
+        });
+    }
+    const riskyContexts = [];
+    let hasRuntimeRisk = false;
+    for (const context of contexts) {
+        const sandboxMode = resolveSandboxConfigForAgent(cfg, context.agentId).mode;
+        const policies = resolveToolPolicies({
+            cfg,
+            agentTools: context.tools,
+            sandboxMode,
+            agentId: context.agentId ?? null,
+        });
+        const runtimeTools = ["exec", "process"].filter((tool) => isToolAllowedByPolicies(tool, policies));
+        const fsTools = ["read", "write", "edit", "apply_patch"].filter((tool) => isToolAllowedByPolicies(tool, policies));
+        const fsWorkspaceOnly = context.tools?.fs?.workspaceOnly ?? cfg.tools?.fs?.workspaceOnly;
+        const runtimeUnguarded = runtimeTools.length > 0 && sandboxMode !== "all";
+        const fsUnguarded = fsTools.length > 0 && sandboxMode !== "all" && fsWorkspaceOnly !== true;
+        if (!runtimeUnguarded && !fsUnguarded) {
+            continue;
+        }
+        if (runtimeUnguarded) {
+            hasRuntimeRisk = true;
+        }
+        riskyContexts.push(`${context.label} (sandbox=${sandboxMode}; runtime=[${runtimeTools.join(", ") || "off"}]; fs=[${fsTools.join(", ") || "off"}]; fs.workspaceOnly=${fsWorkspaceOnly === true ? "true" : "false"})`);
+    }
+    if (riskyContexts.length > 0) {
+        findings.push({
+            checkId: "security.exposure.open_groups_with_runtime_or_fs",
+            severity: hasRuntimeRisk ? "critical" : "warn",
+            title: "Open groupPolicy with runtime/filesystem tools exposed",
+            detail: `Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\n` +
+                `Risky tool exposure contexts:\n${riskyContexts.map((line) => `- ${line}`).join("\n")}\n` +
+                "Prompt injection in open groups can trigger command/file actions in these contexts.",
+            remediation: 'For open groups, prefer tools.profile="messaging" (or deny group:runtime/group:fs), set tools.fs.workspaceOnly=true, and use agents.defaults.sandbox.mode="all" for exposed agents.',
+        });
+    }
     return findings;
 }

package/dist/security/audit-fs.js

@@ -41,7 +41,19 @@ export async function inspectPathPermissions(targetPath, opts) {
             error: st.error,
         };
     }
-    const bits = modeBits(st.mode);
+    let effectiveMode = st.mode;
+    let effectiveIsDir = st.isDir;
+    if (st.isSymlink) {
+        try {
+            const target = await fs.stat(targetPath);
+            effectiveMode = typeof target.mode === "number" ? target.mode : st.mode;
+            effectiveIsDir = target.isDirectory();
+        }
+        catch {
+            // Keep lstat-derived metadata when target lookup fails.
+        }
+    }
+    const bits = modeBits(effectiveMode);
     const platform = opts?.platform ?? process.platform;
     if (platform === "win32") {
         const acl = await inspectWindowsAcl(targetPath, { env: opts?.env, exec: opts?.exec });
@@ -49,8 +61,8 @@ export async function inspectPathPermissions(targetPath, opts) {
             return {
                 ok: true,
                 isSymlink: st.isSymlink,
-                isDir: st.isDir,
-                mode: st.mode,
+                isDir: effectiveIsDir,
+                mode: effectiveMode,
                 bits,
                 source: "unknown",
                 worldWritable: false,
@@ -63,8 +75,8 @@ export async function inspectPathPermissions(targetPath, opts) {
         return {
             ok: true,
             isSymlink: st.isSymlink,
-            isDir: st.isDir,
-            mode: st.mode,
+            isDir: effectiveIsDir,
+            mode: effectiveMode,
             bits,
             source: "windows-acl",
             worldWritable: acl.untrustedWorld.some((entry) => entry.canWrite),
@@ -77,8 +89,8 @@ export async function inspectPathPermissions(targetPath, opts) {
     return {
         ok: true,
         isSymlink: st.isSymlink,
-        isDir: st.isDir,
-        mode: st.mode,
+        isDir: effectiveIsDir,
+        mode: effectiveMode,
         bits,
         source: "posix",
         worldWritable: isWorldWritable(bits),
@@ -102,32 +114,38 @@ export function formatPermissionRemediation(params) {
     return `chmod ${mode} ${params.targetPath}`;
 }
 export function modeBits(mode) {
-    if (mode == null)
+    if (mode == null) {
         return null;
+    }
     return mode & 0o777;
 }
 export function formatOctal(bits) {
-    if (bits == null)
+    if (bits == null) {
         return "unknown";
+    }
     return bits.toString(8).padStart(3, "0");
 }
 export function isWorldWritable(bits) {
-    if (bits == null)
+    if (bits == null) {
         return false;
+    }
     return (bits & 0o002) !== 0;
 }
 export function isGroupWritable(bits) {
-    if (bits == null)
+    if (bits == null) {
         return false;
+    }
     return (bits & 0o020) !== 0;
 }
 export function isWorldReadable(bits) {
-    if (bits == null)
+    if (bits == null) {
         return false;
+    }
     return (bits & 0o004) !== 0;
 }
 export function isGroupReadable(bits) {
-    if (bits == null)
+    if (bits == null) {
         return false;
+    }
     return (bits & 0o040) !== 0;
 }