e8c8ef1142
Close two ways the permission system could be bypassed: - Workspace path traversal: normalize `.`/`..` lexically before the boundary prefix comparison so paths like `/workspace/../../etc` can no longer escape the sandbox. Fixed in both the runtime enforcer and the duplicate check in the tools PowerShell path classifier. - read-only mode no longer trusts the leading token alone: reject shell metacharacters (chaining/substitution/redirect/pipe/subshell), drop interpreters and build drivers (python/node/ruby/cargo/rustc) from the allow-list, gate `git` to non-mutating subcommands, and reject `find` actions that execute or delete. Adds regression tests for both holes. The pre-existing, unrelated worker_boot git-metadata test failure is not affected by this change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| api | ||
| claw-analog | ||
| claw-rag-service | ||
| commands | ||
| compat-harness | ||
| mock-anthropic-service | ||
| plugins | ||
| runtime | ||
| rusty-claude-cli | ||
| telemetry | ||
| tools | ||