Better security

[themartto]

Summary by CodeRabbit

• New Features

  • Agent sandboxing with configurable work directory boundary enforcement
  • Ability to disable shell execution via allow_shell configuration and builder methods

• Documentation

  • Updated configuration and library documentation with security control options
  • Enhanced README with sandboxing feature description

[themartto]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces agent sandboxing by adding configurable work-directory boundaries and optional shell-execution gating. New work_dir and allow_shell fields in AppConfig are overridable via builder methods, validated through symlink canonicalization, and enforced via a SandboxedExecutor wrapper that intercepts tool calls during agent execution.

Changes

Agent Sandboxing Feature

Layer / File(s)	Summary
Configuration types and defaults src/config/types.rs, src/config/client.rs, src/config/config.toml.default, src/config/resolve.rs	AppConfig gains work_dir: Option<PathBuf> (resolved from config or current directory) and allow_shell: bool (defaults to true). Test fixtures and default TOML template updated to include these fields.
Builder API for security overrides src/client.rs	OpenheimBuilder adds work_dir and allow_shell optional fields with chainable .work_dir(path) and .allow_shell(bool) methods. Overrides are applied to AppConfig during build() and build_programmatic(), allowing callers to bypass or supplement config-file settings.
Path validation for sandbox boundaries src/tools/sandbox.rs	New validate_path(requested, work_dir) function canonicalizes paths, walks up to nearest existing ancestors when paths don't exist, and rejects directory traversal and paths outside the canonical work_dir. Comprehensive tests validate in-boundary files, relative paths, creation paths, and rejection of out-of-bounds and .. traversal attempts.
SandboxedExecutor wrapper implementation src/tools/sandboxed_executor.rs	New SandboxedExecutor wraps a ToolExecutor and intercepts read_file, write_file, and execute_command calls. Each uses validate_path to enforce sandbox boundaries; execute_command is additionally gated by allow_shell, and shell commands run with work_dir as the working directory. Other tools pass through unchanged.
SystemToolExecutor shell command gating src/tools/mod.rs	SystemToolExecutor::build now accepts an allow_shell: bool parameter and conditionally removes the execute_command tool from the executor when false. The sandbox module is publicly exposed and SandboxedExecutor is re-exported for external use.
Agent state and prompt execution integration src/acp/mod.rs	AgentState gains public work_dir: PathBuf and allow_shell: bool fields. AgentState::new derives allow_shell from config, resolves work_dir (config or current directory), and constructs SystemToolExecutor with the allow_shell flag. During acp_prompt, a per-call SandboxedExecutor wraps the executor and passes it to the agent runner, ensuring all tool execution respects the sandbox.
User and library documentation CHANGELOG.md, README.md, docs/configuration.md, docs/library.md	CHANGELOG documents new configuration controls, builder methods, and breaking API changes. README adds "Agent sandboxing" to features and documents work_dir and allow_shell in the example config. Configuration docs detail symlink canonicalization, path resolution, and shell execution behavior. Library docs describe the new builder methods and their override behavior.

Sequence Diagram

sequenceDiagram
  participant Client
  participant OpenheimBuilder
  participant AppConfig
  participant AgentState
  participant SandboxedExecutor
  participant ValidatePath
  
  Client->>OpenheimBuilder: .work_dir("/path").allow_shell(false)
  OpenheimBuilder->>OpenheimBuilder: store overrides
  Client->>OpenheimBuilder: build()
  OpenheimBuilder->>AppConfig: apply work_dir/allow_shell overrides
  OpenheimBuilder->>AgentState: new(app_config)
  AgentState->>AgentState: resolve work_dir, derive allow_shell
  
  Client->>AgentState: acp_prompt()
  AgentState->>SandboxedExecutor: new(executor, work_dir, allow_shell)
  
  SandboxedExecutor->>SandboxedExecutor: intercept read_file/write_file/execute_command
  SandboxedExecutor->>ValidatePath: validate requested path
  ValidatePath->>ValidatePath: canonicalize work_dir, resolve requested
  ValidatePath-->>SandboxedExecutor: validated path or error
  SandboxedExecutor-->>AgentState: tool result or sandbox violation error

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• weirdstuff-dev/openheim#32: Modifies the RAG/system identity pipeline and AgentState::new for default_skills wiring, overlapping with this PR's AgentState and prompt execution changes.
• weirdstuff-dev/openheim#19: Refactors src/acp/mod.rs prompt dispatch and executor wiring, directly intersecting with this PR's acp_prompt and AgentState integration.
• weirdstuff-dev/openheim#18: Modifies SystemToolExecutor::build for MCP-driven changes, overlapping with this PR's extended builder signature and shell gating logic.

Poem

🐰 Sandbox walls rise up so high,
Paths are checked, no escapes nearby,
Work dirs tamed, shells on/off at will,
Agents dance within their bounded hill! 🏰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title "Better security" is vague and generic—it lacks specificity about what security features were added. While the changeset clearly implements concrete security controls (work_dir sandboxing, allow_shell gating), the title does not convey these details.	Revise the title to be more specific, e.g., "Add agent sandboxing with work_dir and allow_shell controls" or "Implement configurable work directory and shell execution restrictions."

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

src/tools/sandboxed_executor.rs (1)

46-48: ⚡ Quick win

Hide execute_command from list_tools() when shell is disabled.

execute() rejects execute_command when allow_shell is false, but list_tools() still republishes whatever the inner executor advertises. Since SandboxedExecutor is public and wraps any ToolExecutor, that can present a disabled tool to the model outside the current SystemToolExecutor::build path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tools/sandboxed_executor.rs` around lines 46 - 48, list_tools currently
returns inner.list_tools() unchanged even when SandboxedExecutor has allow_shell
== false, exposing the execute_command tool; change
SandboxedExecutor::list_tools to call self.inner.list_tools(), then if
self.allow_shell is false filter out the tool that corresponds to the shell
command (the tool named "execute_command" or the Tool whose handler maps to
execute_command), and return the filtered Vec<Tool>; keep all other tools
unchanged so the public SandboxedExecutor does not advertise a disabled
execute_command (see methods SandboxedExecutor::execute and
SystemToolExecutor::build for how execute_command is rejected and identified).

src/tools/mod.rs (1)

119-127: ⚡ Quick win

Add a regression test for the allow_shell branch.

This is a security gate, but this file still has no test proving build(..., false) actually omits execute_command. A small async test here would make regressions obvious.

Suggested test

 #[cfg(test)]
 mod tests {
     use super::*;
+    use std::collections::BTreeMap;

     #[test]
     fn new_executor_is_empty() {
         let executor = SystemToolExecutor::new();
         assert_eq!(executor.handlers.len(), 0);
@@
     async fn executor_returns_error_for_unknown_tool() {
         let executor = SystemToolExecutor::new();
         let result = executor.execute("nonexistent_tool", "{}").await;
         assert!(result.is_err());
         assert!(result.unwrap_err().to_string().contains("Unknown tool"));
     }
+
+    #[tokio::test]
+    async fn build_omits_execute_command_when_shell_is_disabled() {
+        let (executor, _statuses) = SystemToolExecutor::build(&BTreeMap::new(), false).await;
+        assert!(!executor.handlers.contains_key("execute_command"));
+        assert!(executor.handlers.contains_key("read_file"));
+        assert!(executor.handlers.contains_key("write_file"));
+    }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tools/mod.rs` around lines 119 - 127, Add an async regression test that
calls tools::Executor::build(...) with allow_shell set to false and asserts the
built executor does not contain the "execute_command" handler; specifically,
invoke build (referencing the build function) after constructing minimal
mcp_configs, then inspect the returned executor.handlers (the handlers map
populated by register_builtins) and assert that the key "execute_command" is
absent when allow_shell is false to prevent regressions in that security gate.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/acp/mod.rs`:
- Around line 63-66: The code currently falls back to PathBuf::from(".") when
std::env::current_dir() fails, weakening the sandbox root; update the work_dir
resolution in mod.rs so that if app_config.work_dir is None you propagate the
current_dir() error instead of defaulting to "." — change the unwrap_or_else
that constructs work_dir to return a Result (or use ? with map/ok_or) and return
an explicit error (with context) when current_dir() fails, referencing the
work_dir variable and app_config.work_dir to locate the change.

In `@src/client.rs`:
- Around line 421-422: The builder currently sets allow_shell: true making
execute_command available by default; change the secure default by initializing
allow_shell to false in the builder/ClientBuilder (the struct field named
allow_shell) so shell access becomes explicit opt-in via .allow_shell(true);
update any related constructors or tests that assume the old default and ensure
execute_command remains gated by this field.
- Around line 369-371: In build(), resolve and validate self.work_dir before
storing it into app_config.work_dir: if let Some(wd) = self.work_dir {
canonicalize (or std::fs::canonicalize) wd to an absolute path (or join with
std::env::current_dir then canonicalize), return an error from build() on
failure, and set app_config.work_dir = Some(canonicalized_path); do not copy the
raw PathBuf. This ensures the sandbox boundary is normalized and fails early if
the path is inaccessible.

In `@src/config/types.rs`:
- Around line 49-56: The default for shell access is currently opt-out: change
the default from true to false so models must be explicitly opted in; update the
function default_allow_shell() to return false and ensure any docs/tests
referencing allow_shell reflect the new default behavior and that tools removal
logic (which checks allow_shell) still functions correctly with the new default.

In `@src/tools/sandbox.rs`:
- Around line 31-58: The code currently treats a broken symlink leaf as
non-existent because it uses Path::exists(), letting write_file follow and
overwrite outside the sandbox; fix by calling resolved.symlink_metadata()
(instead of or before exists()) to detect if the leaf is a symlink even when
broken: if symlink_metadata.file_type().is_symlink() then return
Err(Error::ToolExecutionError(...)) rejecting the dangling symlink leaf (include
requested/work_dir in the message) so write_file cannot follow it; update the
logic around resolved, canonicalize, work_dir_canonical and write_file
accordingly and add a regression test that creates a dangling symlink inside the
work_dir and verifies it is rejected.

---

Nitpick comments:
In `@src/tools/mod.rs`:
- Around line 119-127: Add an async regression test that calls
tools::Executor::build(...) with allow_shell set to false and asserts the built
executor does not contain the "execute_command" handler; specifically, invoke
build (referencing the build function) after constructing minimal mcp_configs,
then inspect the returned executor.handlers (the handlers map populated by
register_builtins) and assert that the key "execute_command" is absent when
allow_shell is false to prevent regressions in that security gate.

In `@src/tools/sandboxed_executor.rs`:
- Around line 46-48: list_tools currently returns inner.list_tools() unchanged
even when SandboxedExecutor has allow_shell == false, exposing the
execute_command tool; change SandboxedExecutor::list_tools to call
self.inner.list_tools(), then if self.allow_shell is false filter out the tool
that corresponds to the shell command (the tool named "execute_command" or the
Tool whose handler maps to execute_command), and return the filtered Vec<Tool>;
keep all other tools unchanged so the public SandboxedExecutor does not
advertise a disabled execute_command (see methods SandboxedExecutor::execute and
SystemToolExecutor::build for how execute_command is rejected and identified).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 53f622b4-837a-4662-a7af-8159db20f61b

📥 Commits

Reviewing files that changed from the base of the PR and between daabdab and b003603.

📒 Files selected for processing (13)

• CHANGELOG.md
• README.md
• docs/configuration.md
• docs/library.md
• src/acp/mod.rs
• src/client.rs
• src/config/client.rs
• src/config/config.toml.default
• src/config/resolve.rs
• src/config/types.rs
• src/tools/mod.rs
• src/tools/sandbox.rs
• src/tools/sandboxed_executor.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail closed when the sandbox root cannot be resolved.

Line 66 silently falls back to "." if current_dir() fails. For a security boundary, that turns a startup/configuration error into an ambiguous relative sandbox root. Return an error here instead of weakening the sandbox.

Safer fallback

 let work_dir = app_config
     .work_dir
     .clone()
-    .unwrap_or_else(|| std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")));
+    .unwrap_or(std::env::current_dir().map_err(|e| {
+        Error::Other(format!("failed to resolve sandbox work_dir: {e}"))
+    })?);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	let work_dir = app_config
	.work_dir
	.clone()
	.unwrap_or_else(|| std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")));
	let work_dir = app_config
	.work_dir
	.clone()
	.unwrap_or(std::env::current_dir().map_err(|e| {
	Error::Other(format!("failed to resolve sandbox work_dir: {e}"))
	})?);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/acp/mod.rs` around lines 63 - 66, The code currently falls back to
PathBuf::from(".") when std::env::current_dir() fails, weakening the sandbox
root; update the work_dir resolution in mod.rs so that if app_config.work_dir is
None you propagate the current_dir() error instead of defaulting to "." — change
the unwrap_or_else that constructs work_dir to return a Result (or use ? with
map/ok_or) and return an explicit error (with context) when current_dir() fails,
referencing the work_dir variable and app_config.work_dir to locate the change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Resolve work_dir before storing it as the sandbox boundary.

This copies the raw PathBuf into app_config, so a relative work_dir is only canonicalized later in src/tools/sandbox.rs at tool-execution time. If the host process changes cwd after build(), the effective sandbox root changes too. Normalize this to an absolute/canonical path during build and fail early if it is inaccessible.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/client.rs` around lines 369 - 371, In build(), resolve and validate
self.work_dir before storing it into app_config.work_dir: if let Some(wd) =
self.work_dir { canonicalize (or std::fs::canonicalize) wd to an absolute path
(or join with std::env::current_dir then canonicalize), return an error from
build() on failure, and set app_config.work_dir = Some(canonicalized_path); do
not copy the raw PathBuf. This ensures the sandbox boundary is normalized and
fails early if the path is inaccessible.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Programmatic builds still enable shell by default.

This keeps execute_command exposed for builder-only users unless they remember to call .allow_shell(false). That makes the safer behavior opt-out in the programmatic path as well. Align this with a secure default and require explicit opt-in for shell access here too.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/client.rs` around lines 421 - 422, The builder currently sets
allow_shell: true making execute_command available by default; change the secure
default by initializing allow_shell to false in the builder/ClientBuilder (the
struct field named allow_shell) so shell access becomes explicit opt-in via
.allow_shell(true); update any related constructors or tests that assume the old
default and ensure execute_command remains gated by this field.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Default shell access should be opt-in.

With default_allow_shell() returning true, configs that omit this field still expose execute_command to the model. Since src/tools/mod.rs only removes that tool when allow_shell == false, this keeps the riskiest capability enabled by default and weakens the security posture this PR is adding. Default this to false and require an explicit opt-in instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/config/types.rs` around lines 49 - 56, The default for shell access is
currently opt-out: change the default from true to false so models must be
explicitly opted in; update the function default_allow_shell() to return false
and ensure any docs/tests referencing allow_shell reflect the new default
behavior and that tools removal logic (which checks allow_shell) still functions
correctly with the new default.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Reject dangling symlink leaves before treating the path as “new.”

Path::exists() is false for a broken symlink, so a pre-existing dangling symlink inside work_dir falls into this branch and is accepted as a writable “new file.” write_file then follows that symlink and can create/overwrite a target outside the sandbox.

Suggested fix

     let check = if resolved.exists() {
         resolved.canonicalize().map_err(Error::IoError)?
     } else {
+        match std::fs::symlink_metadata(&resolved) {
+            Ok(meta) if meta.file_type().is_symlink() => {
+                return Err(Error::ToolExecutionError(format!(
+                    "path '{}' resolves through a symlink and cannot be written safely",
+                    requested
+                )));
+            }
+            Ok(_) => {}
+            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {}
+            Err(err) => return Err(Error::IoError(err)),
+        }
+
         // Walk up the tree until we find an existing ancestor, canonicalize
         // that, and verify it is within the work directory.
         let mut ancestor: &Path = &resolved;
         loop {

Please add a regression test for a dangling symlink leaf under the work dir.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tools/sandbox.rs` around lines 31 - 58, The code currently treats a
broken symlink leaf as non-existent because it uses Path::exists(), letting
write_file follow and overwrite outside the sandbox; fix by calling
resolved.symlink_metadata() (instead of or before exists()) to detect if the
leaf is a symlink even when broken: if symlink_metadata.file_type().is_symlink()
then return Err(Error::ToolExecutionError(...)) rejecting the dangling symlink
leaf (include requested/work_dir in the message) so write_file cannot follow it;
update the logic around resolved, canonicalize, work_dir_canonical and
write_file accordingly and add a regression test that creates a dangling symlink
inside the work_dir and verifies it is rejected.