feat(runner): fail-closed security parity on the pi backend (#525) #697

Closed
gewenyu99 wants to merge 1 commit into pi/03-wizard-tools-on-pi from pi/sec-fence

gewenyu99 (Collaborator) commented Jun 20, 2026

Epic #520 · implements #525.

Problem

  • pi tool execution had no fail-closed gating — it must match the anthropic path (canUseTool allowlist + YARA).

Changes

  • Fail-closed security fence on pi tool execution: allowlist check + YARA hooks.
  • A denied command is blocked; a YARA violation terminates the run.

Test plan

  • Denied command is blocked; YARA violation terminates the run; gating is unit-tested.
  • Build + tests green.
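
The gating behaviour listed above (a denied command is blocked, a rule violation terminates the run, and any failure falls to deny), as an added illustration that is not code from this PR or the wizard repository. The names `gate`, `ALLOWED` and `sampleScanner`, the regex standing in for a YARA rule, the scan-before-allowlist order and the deny-on-error choice are all assumptions.

```typescript
// Added illustration; every name here is hypothetical, not the wizard's or pi's API.
type Verdict =
  | { action: "allow" }
  | { action: "deny"; reason: string } // this call is blocked, the run continues
  | { action: "terminate"; reason: string }; // the whole run is aborted

interface ToolCall {
  tool: string;
  command: string;
}

// Stand-in for a YARA scan: returns the names of matched rules and may throw.
type Scanner = (text: string) => string[];

// Constructed allowlist: tool name -> permitted command prefixes.
const ALLOWED: Record<string, string[]> = {
  bash: ["npm install", "npm run build", "git status"],
};

// Constructed stand-in rule; a real gate would call a YARA engine here.
const sampleScanner: Scanner = (text) =>
  /curl[^|]*\|\s*(ba)?sh/.test(text) ? ["pipe_to_shell"] : [];

function gate(call: ToolCall, scan: Scanner, allowed = ALLOWED): Verdict {
  try {
    // Assumed order: scan first, so a rule match ends the run regardless of the allowlist.
    const hits = scan(call.command);
    if (hits.length > 0) {
      return { action: "terminate", reason: `rule match: ${hits.join(",")}` };
    }
    // Own-property lookup so "constructor" or "__proto__" never resolve to a policy.
    const known = Object.prototype.hasOwnProperty.call(allowed, call.tool);
    const prefixes = (known ? allowed[call.tool] : undefined) ?? [];
    const cmd = call.command.trim();
    const listed = prefixes.some((p) => cmd === p || cmd.startsWith(p + " "));
    // Shell metacharacters could chain a second command after an allowed prefix.
    if (!listed || /[;&|`$<>\n]/.test(cmd)) {
      return { action: "deny", reason: `not allowlisted: ${call.tool}` };
    }
    return { action: "allow" };
  } catch (err) {
    // Fail closed: a broken scanner or policy lookup never turns into an allow.
    const msg = err instanceof Error ? err.message : String(err);
    return { action: "deny", reason: `gate error: ${msg}` };
  }
}
```

The caller is expected to stop the agent loop on `terminate` and to return the `deny` reason to the model as a tool error.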

@github-actions


🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci error-tracking-upload-source-maps
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci error-tracking-upload-source-maps/android
  • /wizard-ci error-tracking-upload-source-maps/cicd-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-nested-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-gitlab-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-ssh-vps-node-raw
  • /wizard-ci error-tracking-upload-source-maps/flutter
  • /wizard-ci error-tracking-upload-source-maps/ios
  • /wizard-ci error-tracking-upload-source-maps/next
  • /wizard-ci error-tracking-upload-source-maps/next-no-posthog
  • /wizard-ci error-tracking-upload-source-maps/node-raw
  • /wizard-ci error-tracking-upload-source-maps/node-rollup
  • /wizard-ci error-tracking-upload-source-maps/node-rollup-typescript-plugin
  • /wizard-ci error-tracking-upload-source-maps/node-webpack
  • /wizard-ci error-tracking-upload-source-maps/nuxt-3-6
  • /wizard-ci error-tracking-upload-source-maps/nuxt-4-3
  • /wizard-ci error-tracking-upload-source-maps/react-native
  • /wizard-ci error-tracking-upload-source-maps/react-vite
  • /wizard-ci error-tracking-upload-source-maps/rust
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

gewenyu99 (Collaborator, Author) commented Jun 20, 2026

Port the wizard's canUseTool + YARA fail-closed boundary to pi via a tool-execution
extension (pi-security), reusing the shared policy and the wizard-doc PII
suppression (isWizardDocumentationPath, now exported). Brings yara-scanner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

gewenyu99 force-pushed the pi/03-wizard-tools-on-pi branch from bbb2215 to 9fc690c, June 30, 2026 19:13

gewenyu99 (Collaborator, Author) commented

Superseded — this landed on main in the harness/switchboard shape via #780 and #701.

gewenyu99 closed this Jul 3, 2026