Commit graph

8 commits

Author SHA1 Message Date
LaZzyMan
ce3dfab18c fix(permissions): allow non-core tools to bypass coreTools allowlist
The coreTools configuration was incorrectly restricting all tools including
MCP, Skill, Agent, and other dynamically discovered tools. These tools should
not be subject to the coreTools whitelist as they are either:
- Dynamically discovered from user configuration (MCP tools)
- Essential for system operation (skill, agent, exit_plan_mode, ask_user_question)

This fix introduces a CORE_TOOLS set that explicitly lists built-in tools
subject to coreTools allowlist. Tools not in this set bypass the check.

Fixes #2782

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-04-03 10:39:39 +08:00
LaZzyMan
585bce06d2 Merge branch 'fix-permission-issues' into fix/acp-permission-flow 2026-03-27 10:05:01 +08:00
LaZzyMan
dd518de5b0 fix(acp): align permission flow across clients 2026-03-26 23:25:04 +08:00
LaZzyMan
a5a8ec5d67 feat: human-readable permission labels, deny rule feedback, and multi-dir search tests
- Add buildHumanReadableRuleLabel() to convert raw permission rules into
  natural-language descriptions for the 'Always Allow' UI options
- Add PermissionManager.findMatchingDenyRule() to surface which deny rule
  caused a tool to be blocked, improving error messages in coreToolScheduler
- Update ToolConfirmationMessage to use friendly labels with i18n support
- Add comprehensive tests for new permission features and multi-directory
  search in glob, grep, and ripGrep tools
- Fix integration test for tool-control allowedTools configuration
2026-03-24 19:47:07 +08:00
LaZzyMan
6fee1ebeb8 fix workspace dirs 2026-03-11 15:24:08 +08:00
LaZzyMan
715fc1a649 feat(permissions): prevent shell bypass of Read/Edit/WebFetch rules
Shell commands that are semantically equivalent to file/network tool
operations are now analyzed and matched against Read/Edit/Write/
WebFetch/ListFiles permission rules, preventing agents from bypassing
configured rules via the run_shell_command tool.

New file: packages/core/src/permissions/shell-semantics.ts
- extractShellOperations(cmd, cwd) => ShellOperation[]
- Covers 50+ commands: cat/head/tail/diff/grep/rg/ls/find/tree,
  touch/mkdir/cp/mv/rm/chmod/chown/sed/awk/dd/curl/wget + redirects
- Handles transparent prefixes: sudo (-u/-g flag values), env, timeout
  (skips DURATION), nohup, nice, time, etc.
- Tokenizer respects single/double quotes and backslash escapes
- Redirect extraction: >, >>, <, 2>, &>

Changes: packages/core/src/permissions/permission-manager.ts
- DECISION_PRIORITY constant for combining decisions
- evaluateSingle(): after base Bash-rule decision, evaluate virtual ops
  from shell semantics and return the most restrictive result
- evaluateShellVirtualOps(): evaluate ShellOperation list via evaluateSingle
- hasRelevantRules(): also check virtual ops so confirmation dialog appears
  when Read/Edit/etc. rules match equivalent shell commands

Changes: packages/core/src/permissions/index.ts
- Export extractShellOperations and ShellOperation

Tests: packages/core/src/permissions/shell-semantics.test.ts
- 52 unit tests: read/list/write/edit/web_fetch ops, redirections,
  prefix commands (sudo -u, timeout DURATION), quotes, variable filtering
2026-03-11 11:45:44 +08:00
LaZzyMan
db0e373ad7 feat test tool permissions 2026-03-10 16:30:22 +08:00
LaZzyMan
eeb4d85785 feat(permissions): add permission system and rename folder trust command 2026-03-04 19:24:43 +08:00
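
The approach described in commit 715fc1a649 above, as an added TypeScript example that is not code from the repository: a shell command is tokenized, transparent prefixes are skipped, the implied read/write/fetch operations are extracted, and the most restrictive decision wins. All names here (tokenize, extractOps, evaluate, Rule, RANK) and the path-prefix rule format are assumptions; the sketch handles one simple command, covers only a few commands and prefixes, and omits resolving paths against cwd.

```typescript
// Added illustration: every name below is hypothetical, not the project's API.
type Decision = 'allow' | 'ask' | 'deny';
type Op = { kind: 'read' | 'write' | 'web_fetch'; target: string };
type Rule = Op & { decision: Decision }; // here `target` is a path/URL prefix
const RANK: Record<Decision, number> = { allow: 0, ask: 1, deny: 2 };
const PREFIXES = new Set(['sudo', 'nohup', 'time']); // subset of the commit's list
const KINDS = new Map<string, Op['kind']>([['cat', 'read'], ['head', 'read'], ['rm', 'write'], ['curl', 'web_fetch']]);

// Whitespace split that honours single/double quotes and backslash escapes.
function tokenize(cmd: string): string[] {
  const out: string[] = [];
  let cur = '', quote = '', open = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote) {
      if (c === quote) quote = '';
      else cur += c === '\\' && quote === '"' && i + 1 < cmd.length ? cmd[++i] : c;
    } else if (c === '"' || c === "'") { quote = c; open = true; }
    else if (c === '\\' && i + 1 < cmd.length) { cur += cmd[++i]; open = true; }
    else if (/\s/.test(c)) { if (open) out.push(cur); cur = ''; open = false; }
    else { cur += c; open = true; }
  }
  return open ? out.concat(cur) : out;
}
// Map one simple command (no pipes or ;) to the file/network operations it implies.
function extractOps(cmd: string): Op[] {
  const t = tokenize(cmd), ops: Op[] = [];
  let i = 0;
  while (i < t.length && PREFIXES.has(t[i])) { // skip transparent prefixes
    const p = t[i++];
    while (i < t.length && t[i].startsWith('-')) // sudo -u/-g also consume a value
      i += p === 'sudo' && (t[i] === '-u' || t[i] === '-g') ? 2 : 1;
  }
  const kind = KINDS.get(t[i++] ?? '');
  for (; i < t.length; i++) {
    const m = /^(?:\d|&)?(>>?|<)(.*)$/.exec(t[i]); // >, >>, <, 2>, &>
    if (m) ops.push({ kind: m[1] === '<' ? 'read' : 'write', target: m[2] || t[++i] || '' });
    else if (kind && !t[i].startsWith('-')) ops.push({ kind, target: t[i] });
  }
  return ops;
}
// Start from the shell-rule decision; a matching virtual op can only tighten it.
function evaluate(cmd: string, base: Decision, rules: Rule[]): Decision {
  let result = base;
  for (const op of extractOps(cmd))
    for (const r of rules)
      if (r.kind === op.kind && op.target.startsWith(r.target) && RANK[r.decision] > RANK[result]) result = r.decision;
  return result;
}
```

A quoted argument that looks like a redirect is treated as one, which errs toward the stricter decision.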