fix(exec): require explicit safe-bin profiles

2026-05-08 06:31:24 +00:00 · 2026-02-22 12:57:53 +01:00
parent d055b948fb
commit 47c3f742b6
15 changed files with 226 additions and 9 deletions
--- a/src/agents/bash-tools.exec-host-gateway.ts
+++ b/src/agents/bash-tools.exec-host-gateway.ts
@@ -14,6 +14,7 @@ import {
  resolveAllowAlwaysPatterns,
  resolveExecApprovals,
 } from "../infra/exec-approvals.js";
+import type { SafeBinProfile } from "../infra/exec-safe-bin-policy.js";
 import { markBackgrounded, tail } from "./bash-process-registry.js";
 import { requestExecApprovalDecision } from "./bash-tools.exec-approval-request.js";
 import {
@@ -36,6 +37,7 @@ export type ProcessGatewayAllowlistParams = {
  security: ExecSecurity;
  ask: ExecAsk;
  safeBins: Set<string>;
+  safeBinProfiles: Readonly<Record<string, SafeBinProfile>>;
  agentId?: string;
  sessionKey?: string;
  scopeKey?: string;
@@ -69,6 +71,7 @@ export async function processGatewayAllowlist(
    command: params.command,
    allowlist: approvals.allowlist,
    safeBins: params.safeBins,
+    safeBinProfiles: params.safeBinProfiles,
    cwd: params.workdir,
    env: params.env,
    platform: process.platform,