
feat(cli): enforce /add-dir via sandbox writable roots (⚠ security — please review)#166

Open · oratis wants to merge 1 commit into main from feat/cli-add-dir-enforce


Conversation


@oratis oratis commented Jun 7, 2026

Owner

Security-sensitive — opening for review, not auto-merging.

/add-dir only printed a message; settings.permissions.additionalDirectories was declared but consumed nowhere. Now:

  • /add-dir <path> validates the path is an existing directory and persists it to permissions.additionalDirectories (deduped) in the user settings; with no args it lists the current set.
  • New core helper withAdditionalWritableDirs(sandbox, dirs) folds those dirs into the sandbox's filesystem.allowWrite. The REPL + headless build their sandboxConfig through it, so the sandboxed Bash tool can write to added dirs (beyond cwd). No-op when the sandbox is off; never mutates input.

Why this is the right boundary

The file tools (Read/Write/Edit/Glob/Grep) already accept any absolute path () — there's no cwd containment to "enforce". The only thing that restricts writes is the sandbox (for Bash). So /add-dir enforcement = expanding the sandbox's writable roots, which is exactly the user's intent. That's the security-relevant change — hence review.

Tests

withAdditionalWritableDirs (add / dedup / undefined-safe / seeds empty) + /add-dir (persist validated dir / reject missing / list). core 646 · cli 143, typecheck + format:check clean.

🤖 Generated with Claude Code

…itive)

/add-dir only printed a message; the settings.permissions.additionalDirectories
field was declared but consumed nowhere. Now:

- /add-dir validates the path is an existing directory and PERSISTS it to
  permissions.additionalDirectories (dedup) in the user settings; with no args
  it lists the current set.
- New core helper withAdditionalWritableDirs(sandbox, dirs) folds those dirs
  into the sandbox's filesystem.allowWrite. The REPL + headless build their
  sandboxConfig through it, so the sandboxed Bash tool can write to added dirs
  (beyond cwd). No-op when the sandbox is off; never mutates input.

The file tools (Read/Write/Edit/Glob/Grep) already accept any absolute path, so
this only changes the SANDBOX boundary for Bash — which is the security-relevant
surface. Holding this PR for review rather than auto-merging.

Tests: withAdditionalWritableDirs (add/dedup/undefined-safe) + /add-dir
(persist / reject-missing / list). core 646 · cli 143.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
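A reference implementation of the `withAdditionalWritableDirs` contract described in the PR description and commit message above (add, dedup, undefined-safe, seeds an empty list, no-op when the sandbox is off, never mutates input), added here as an example and not the project's own code. The `SandboxConfig` shape with its `enabled` flag and the `normaliseRoot` helper are assumptions; the rejection of relative paths and the trailing-slash normalisation are additions beyond what the PR states.

```typescript
// Added example, not the project's code. The config shape (including the
// `enabled` flag) is an assumption; the PR only names `filesystem.allowWrite`.
export interface SandboxConfig {
  enabled: boolean;
  filesystem?: { allowWrite?: string[] };
}

// Normalise so "/data/" and "/data" count as one root: dedup on raw string
// equality would admit both. Relative paths are rejected because a writable
// root that depends on cwd is not a boundary. Both rules are additions here.
function normaliseRoot(dir: string): string {
  if (!dir.startsWith("/")) {
    throw new Error(`additional directory must be absolute: ${dir}`);
  }
  const trimmed = dir.replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

export function withAdditionalWritableDirs(
  sandbox: SandboxConfig,
  dirs: readonly string[] | undefined,
): SandboxConfig {
  // No-op when the sandbox is off or nothing was added: hand back the input
  // untouched so callers can rely on reference equality.
  if (!sandbox.enabled || !dirs || dirs.length === 0) return sandbox;

  // Seed from an empty list when allowWrite is absent, then fold existing and
  // added roots through the same normalise + dedup step.
  const existing = sandbox.filesystem?.allowWrite ?? [];
  const merged: string[] = [];
  for (const d of [...existing, ...dirs]) {
    const root = normaliseRoot(d);
    if (!merged.includes(root)) merged.push(root);
  }

  // Fresh objects at every level touched, so the caller's config is never
  // mutated (existing.allowWrite above was copied, not appended to).
  return {
    ...sandbox,
    filesystem: { ...sandbox.filesystem, allowWrite: merged },
  };
}
```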