feat(runner): fail-closed security parity on the pi backend (#525) #695
Draft
gewenyu99 wants to merge 2 commits into
pi has no permission layer, so attach an extension that intercepts EVERY tool call — built-in (bash/read/edit/write/grep) and custom — via pi's tool_call hook and reuses the exact anthropic policy: wizardCanUseTool (bash allowlist + .env fencing + disallowedTools) plus the YARA content scan (bash command, written content with the same wizard-doc posthog_pii suppression). A tool_result hook post-scans read/bash output for prompt injection. Everything fails closed: a scanner error blocks, and a critical post-scan violation latches so every later call is blocked and the run ends as AgentErrorType.YARA_VIOLATION. Plus a runaway tool-call cap. extensionFactories load even with noExtensions:true, so the fence is always on while the target project can't inject its own extensions. Subagents reuse the same factory so a child can't escape it. Proven by unit test (no live key needed): the blocked-action corpus (cat .env, rm -rf, curl exfil, shell operators, direct .env read/write/edit/grep) is blocked; install/build + source edits + the sanctioned env tools are allowed; the post-scan latch and runaway guard fire. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…#526) Task/todo (#526): TaskCreate/Update/Get/List as pi tools backed by a shared store; every mutation pushes the list to the TUI via getUI().syncTodos, so the todo panel updates live under pi — the parity that was missing. Controlled subagents (#526): pi has no native subagents, so dispatch_agent spawns a nested createAgentSession WE construct, which closes the leak the claude-agent-sdk path warns about. Every child inherits: the SAME security extension (canUseTool + YARA, shared cap + violation latch); a read-only built-in toolset (read/grep/find/ls + allowlisted bash) — no write/edit; and no custom tools, so no .env writes and no dispatch_agent (depth hard-capped at 1). A child can research but never mutate the project or escape the fence. Logging parity: log assistant turns ([pi] assistant: …) on message_end and tool I/O on tool_execution_*, and drive the single run spinner with one stable status at a time (no overlapping/garbled messages). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
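Added example, not code from this PR, from pi or from the wizard: a TypeScript guard that models the behaviour both commit messages describe, so the fail-closed rules can be read as code. A tool_call-style hook applies a bash allowlist, the .env fence and a disallowed-tool set to every call and then scans command or written content; a tool_result-style hook post-scans output; a scanner error blocks; a critical post-scan hit latches every later call; a runaway cap ends the run; and a child guard gets a narrower tool set. The hook names canUseTool/onToolResult, the policy regexes and demoScan are hypothetical stand-ins, not pi's extension API, wizardCanUseTool or the YARA rules.

```typescript
// Added example, not code from the PR: a fail-closed tool-call guard modelled on the
// behaviour the commit messages describe. The hook shape (canUseTool / onToolResult)
// is a hypothetical stand-in, not pi's real extension API.
type ToolCall = { name: string; input: Record<string, unknown> };
type Decision = { allow: boolean; reason?: string };
type Verdict = "clean" | "critical";
type Scanner = (text: string) => Verdict; // stands in for the YARA scan; may throw
// Constructed policy data: a tiny bash allowlist and the .env fence.
const BASH_ALLOWLIST: RegExp[] = [/^(npm|pnpm|yarn) (install|run (build|test))$/, /^git (status|diff|log)\b/];
const SHELL_OPERATORS = /[;&|><`$]/; // pipes, chains, redirects, substitution
const ENV_FILE = /(^|[\/\s])\.env(\.|\s|$)/; // .env, .env.local, src/.env

class ToolGuard {
  private calls = 0;
  private latched: string | null = null; // set once a post-scan hit is critical
  private scan: Scanner; private maxCalls: number; private disallowed: Set<string>;
  constructor(scan: Scanner, maxCalls = 200, disallowed = new Set<string>()) {
    this.scan = scan; this.maxCalls = maxCalls; this.disallowed = disallowed;
  }
  // tool_call hook: runs before EVERY tool call, built-in or custom.
  canUseTool(call: ToolCall): Decision {
    if (this.latched) return { allow: false, reason: `latched: ${this.latched}` };
    if (++this.calls > this.maxCalls) return { allow: false, reason: "runaway tool-call cap" };
    if (this.disallowed.has(call.name)) return { allow: false, reason: `disallowed tool: ${call.name}` };
    const path = String(call.input.path ?? "");
    const cmd = call.name === "bash" ? String(call.input.command ?? "") : "";
    if (ENV_FILE.test(path) || ENV_FILE.test(cmd)) return { allow: false, reason: ".env is fenced" };
    if (call.name === "bash" && (SHELL_OPERATORS.test(cmd) || !BASH_ALLOWLIST.some((r) => r.test(cmd)))) {
      return { allow: false, reason: "bash command not allowlisted" };
    }
    const content = call.name === "write" || call.name === "edit" ? String(call.input.content ?? "") : "";
    return this.scanOrBlock(cmd + content, false);
  }
  // tool_result hook: post-scans read/bash output; a critical hit latches every later call.
  onToolResult(output: string): Decision {
    return this.scanOrBlock(output, true);
  }
  private scanOrBlock(text: string, latch: boolean): Decision {
    let verdict: Verdict = "critical"; // assume the worst until the scanner answers
    try { verdict = this.scan(text); } catch (e) { return { allow: false, reason: `scanner error, failing closed: ${String(e)}` }; }
    if (verdict === "critical") {
      if (latch) this.latched = "critical post-scan violation";
      return { allow: false, reason: "yara violation" };
    }
    return { allow: true };
  }
}
// Constructed scanner: one prompt-injection phrase stands in for the YARA rule set.
const demoScan: Scanner = (t) => (/ignore (all )?previous instructions/i.test(t) ? "critical" : "clean");
```

A child session would be given a guard built with a disallowed set that includes write, edit and dispatch_agent, so it shares the latch semantics while losing the ability to mutate or recurse.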
This was referenced Jun 19, 2026
Warning: This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite.

Epic #520 · implements #525 (fail-closed security parity) + #526 (Task/todo + controlled subagents). Top of the pi stack (#692 ← #693 ← #694 ← #695).
Done in this stack:
- 01 — Runner seam + multivariate wizard-runner flag (anthropic | pi): #521 · feat(runner): agent-backend seam + multivariate wizard-runner flag (#521) #692
- pi.dev backend behind wizard-runner=pi: #524 · feat(runner): pi.dev backend behind wizard-runner=pi (#524) #693
- 05 — Security parity (canUseTool + YARA, fail-closed) for pi: #525 · canUseTool allowlist + YARA, fence inherited by subagents; unit-tested + verified blocking live
- Task/todo + controlled subagents for pi: #526
Open parity gaps (tracked, not yet done):
- [STATUS]/[DASHBOARD_URL]/[NOTEBOOK_URL] marker parsing (outro link)
- wizard_ask (interactive questions)
- bash ls/find → slow runs