`4472f8b`

Normalize safe shell probes

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 1 week ago

SHA: 4472f8b05b8449ace32dec2e172932f31bab7e03
Parents: fd483bf
Tree: a9ef64d

2 changed files

Status	File	+	-
M	`src/loader/runtime/executor.py`	95	0
M	`tests/test_permissions.py`	33	0

src/loader/runtime/executor.pymodified

  from __future__ import annotations
  import inspect
 +import shlex
  from collections.abc import Awaitable, Callable
  from dataclasses import dataclass
  from enum import StrEnum
 +from pathlib import Path
  from typing import Any
  from ..llm.base import Message, ToolCall
  def _normalize_tool_call_arguments(tool_call: ToolCall) -> ToolCall:
      """Accept narrow, unambiguous argument aliases from local models."""
 +    shell_alias = _normalize_shell_probe_tool_call(tool_call)
 +    if shell_alias is not None:
 +        return shell_alias
++
      if tool_call.name != "edit":
          return tool_call
              arguments=arguments,
+         )
      return tool_call
++
++
 +_SHELL_PROBE_TOOL_ALIASES = frozenset(
 +    {"cat", "find", "head", "ls", "pwd", "stat", "tail"}
 +)
 +_SHELL_PROBE_TARGET_KEYS = (
 +    "path",
 +    "directory",
 +    "dir",
 +    "folder",
 +    "file_path",
 +    "file",
 +    "target",
 +)
 +_SHELL_PROBE_OPTION_KEYS = ("flags", "options", "args")
 +_SHELL_PROBE_PASSTHROUGH_KEYS = ("cwd", "timeout", "background")
++
++
 +def _normalize_shell_probe_tool_call(tool_call: ToolCall) -> ToolCall | None:
 +    """Map hallucinated native shell-probe tools to the real bash tool safely."""
++
 +    command_name = tool_call.name.strip().lower()
 +    if command_name not in _SHELL_PROBE_TOOL_ALIASES:
 +        return None
++
 +    arguments = dict(tool_call.arguments)
 +    parts = [command_name]
 +    parts.extend(_quote_option_tokens(arguments))
 +    parts.extend(_quote_target_tokens(arguments))
++
 +    bash_arguments: dict[str, Any] = {"command": " ".join(parts)}
 +    for key in _SHELL_PROBE_PASSTHROUGH_KEYS:
 +        if key in arguments:
 +            bash_arguments[key] = arguments[key]
++
 +    return ToolCall(
 +        id=tool_call.id,
 +        name="bash",
 +        arguments=bash_arguments,
 +    )
++
++
 +def _quote_option_tokens(arguments: dict[str, Any]) -> list[str]:
 +    quoted: list[str] = []
 +    for key in _SHELL_PROBE_OPTION_KEYS:
 +        value = arguments.get(key)
 +        if value is None:
 +            continue
 +        quoted.extend(shlex.quote(token) for token in _split_shell_probe_options(value))
 +    return quoted
++
++
 +def _quote_target_tokens(arguments: dict[str, Any]) -> list[str]:
 +    quoted: list[str] = []
 +    for key in _SHELL_PROBE_TARGET_KEYS:
 +        value = arguments.get(key)
 +        if value is None:
 +            continue
 +        quoted.extend(
 +            shlex.quote(_expand_shell_probe_target(token))
 +            for token in _as_tokens(value)
 +        )
 +        break
 +    return quoted
++
++
 +def _split_shell_probe_options(value: Any) -> list[str]:
 +    if isinstance(value, (list, tuple)):
 +        return [str(item).strip() for item in value if str(item).strip()]
 +    text = str(value).strip()
 +    if not text:
 +        return []
 +    try:
 +        return [token for token in shlex.split(text) if token.strip()]
 +    except ValueError:
 +        return [text]
++
++
 +def _as_tokens(value: Any) -> list[str]:
 +    if isinstance(value, (list, tuple)):
 +        return [str(item).strip() for item in value if str(item).strip()]
 +    text = str(value).strip()
 +    return [text] if text else []
++
++
 +def _expand_shell_probe_target(value: str) -> str:
 +    if value == "~" or value.startswith("~/"):
 +        return str(Path(value).expanduser())
 +    return value

tests/test_permissions.pymodified

      assert outcome.tool_call.arguments["new_string"] == "<h1>New</h1>"
 +@pytest.mark.asyncio
 +async def test_executor_maps_native_ls_alias_to_read_only_bash(
 +    temp_dir: Path,
 +    monkeypatch: pytest.MonkeyPatch,
 +) -> None:
 +    monkeypatch.setenv("HOME", str(temp_dir))
 +    target_dir = temp_dir / "Loader"
 +    target_dir.mkdir()
 +    (target_dir / "notes.txt").write_text("details\n")
 +    registry = create_default_registry(temp_dir)
 +    policy = build_permission_policy(
 +        active_mode=PermissionMode.WORKSPACE_WRITE,
 +        workspace_root=temp_dir,
 +        tool_requirements=registry.get_tool_requirements(),
 +    )
 +    executor = ToolExecutor(registry, RuntimeTracer(), policy)
++
 +    outcome = await executor.execute_tool_call(
 +        ToolCall(
 +            id="ls-1",
 +            name="ls",
 +            arguments={"path": "~/Loader"},
 +        ),
 +        source="native",
 +    )
++
 +    assert outcome.state == ToolExecutionState.EXECUTED
 +    assert outcome.tool_call.name == "bash"
 +    assert outcome.tool_call.arguments["command"] == f"ls {target_dir}"
 +    assert outcome.required_permission == PermissionMode.READ_ONLY
 +    assert "notes.txt" in outcome.result_output
++
++
  @pytest.mark.asyncio
  async def test_ask_rule_prompts_even_when_allow_mode(temp_dir: Path) -> None:
      prompts: list[str] = []