fix(gateway): block node.invoke exec approvals

2026-05-08 12:21:24 +00:00 · 2026-02-14 19:21:31 +01:00
parent d0f64c955e
commit 01b3226ecb
4 changed files with 46 additions and 8 deletions
--- a/src/gateway/server-methods/nodes.ts
+++ b/src/gateway/server-methods/nodes.ts
@@ -388,6 +388,18 @@ export const nodeHandlers: GatewayRequestHandlers = {
      );
      return;
    }
+    if (command === "system.execApprovals.get" || command === "system.execApprovals.set") {
+      respond(
+        false,
+        undefined,
+        errorShape(
+          ErrorCodes.INVALID_REQUEST,
+          "node.invoke does not allow system.execApprovals.*; use exec.approvals.node.*",
+          { details: { command } },
+        ),
+      );
+      return;
+    }

    await respondUnavailableOnThrow(respond, async () => {
      const nodeSession = context.nodeRegistry.get(nodeId);