feat(agent): add constrained allowed action surface for Agent#176
Conversation
|
@codex review |
|
Codex Review: Didn't find any major issues. What shall we delve into next? ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
Hi @ranjan42 thanks for contributing! |
…ist and shell integration
|
@codex help to review again - the new commit |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f7ca1f9de7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
This PR restricts the Agent runtime in
go-dav-osto operate through a constrained action surface (allowlist) and ensures safety validations are enforced securely, implementing the requirements for Issue #158 (parent: #150).Key Changes
Fixed Allowlist Enforcement:
ActionKind.Valid()inagent/types.goto act as the fixed allowlist.ActionListFiles,ActionReadFile,ActionStatFile,ActionShowHelp,ActionShowHistory,ActionShowVersion,ActionShowTicks,ActionShowMemoryMap,ActionSetMode.ActionDeleteFile,ActionWriteFile.Explicit Risk Level Validation:
ExpectedRisk()toActionKindto map each allowed action to its expected risk (RiskRiskyforActionDeleteFileandActionWriteFile, andRiskSafefor others).validatePlaninsideagent/runtime.gothataction.Riskmust matchaction.Kind.ExpectedRisk(). This prevents planners (including LLM-backed ones) from bypassing the confirmation safety gate by marking a risky action like delete or write as safe.Fail-Closed Executor:
executor.goandruntime.goto ensure only allowlisted actions are executed.Testing and Verification:
agent/agent_test.goto adapt to the allowlist.TestValidatorRejectsRiskyActionMarkedAsSafe) and allowlist enforcement (TestValidatorAcceptsWriteFileAction).make test) compile and pass successfully.