fix(engine): BUG-6 — approved writes must land, and say where (false-receipt kill)
Neuron Soul CI / build (pull_request) Successful in 6m50s
Neuron Soul CI / deploy (pull_request) Has been skipped

Two compounding defects made every pause->approve write_file report success
while writing NOTHING:

1. The naive json_get scanner matches "content" anywhere in the approve
   body — including INSIDE tool_input, which for write_file always carries
   a content field. The handler therefore treated every approved builtin
   write as already-client-executed, skipped dispatch entirely, and handed
   the model the file's own content as the 'tool result'. The model then
   narrated 'Done, created' — a false receipt with no file. Builtin tools
   now ALWAYS dispatch server-side; client content is only honored for
   non-builtin (MCP/client-executed) tools. Stricter only.

2. write_file returned {"ok":true} unconditionally — fs_write's outcome
   was never checked, so any failed write also reported success. The write
   now verifies the file landed (fs_exists) and returns the RESOLVED path
   in the ok payload; failures return a real error naming the destination.

E2E on the test brain (boot 38): approve-path write lands byte-exact and
the result carries the resolved path; auto-run writes unchanged; denied
writes execute nothing. BUG-5 (approve wire lacked tool_name) had been
masking this one — two stacked bugs on the same path.

NOTE for review: the deeper cure is a nesting-aware json reader; this fix
removes the dangerous consequence at the two spots that lie about disk.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Tim Lingo
2026-07-16 23:02:07 -05:00
parent 9a6014d65b
commit 4171aadfff
2 changed files with 17 additions and 3 deletions
+10 -2
View File
@@ -1680,8 +1680,16 @@ fn dispatch_tool(tool_name: String, tool_input: String) -> String {
if !path_within_root(path, root) {
return json_safe("denied: path is outside the agent workspace root")
}
fs_write(resolve_in_root(path, root), content)
return json_safe("{\"ok\":true}")
// BUG-6 fix (2026-07-17): never claim ok without disk truth. fs_write's result was
// never checked, so a failed write reported ok the exact false-receipt failure
// the run guards exist to kill. Verify the file landed and return the RESOLVED
// path so callers and the model can only narrate what is really on disk.
let dest: String = resolve_in_root(path, root)
fs_write(dest, content)
if !fs_exists(dest) {
return json_safe("{\"error\":\"write failed - nothing landed at " + dest + "\"}")
}
return json_safe("{\"ok\":true,\"path\":\"" + dest + "\"}")
}
if str_eq(tool_name, "web_get") {
let url: String = json_get(tool_input, "url")
+7 -1
View File
@@ -713,7 +713,13 @@ fn handle_session_approve(session_id: String, body: String) -> String {
// For builtin tools with no client-provided content: fall back to
// dispatch_tool so those tools still execute correctly.
let client_content: String = json_get(body, "content")
let use_client_content: Bool = !str_eq(client_content, "")
// BUG-6 fix (2026-07-17): the naive json_get scanner matches "content" ANYWHERE
// in the body including INSIDE tool_input so every approved write_file (whose
// input always carries a content field) was mistaken for client-executed, never
// dispatched, and narrated as done: a false receipt with no file on disk. Builtin
// tools now ALWAYS dispatch server-side; client content is only honored for
// non-builtin (MCP/client-executed) tools. Stricter only.
let use_client_content: Bool = !str_eq(client_content, "") && !is_builtin_tool(approve_tool_name)
let use_dispatch: Bool = is_builtin_tool(approve_tool_name) && !use_client_content
let raw_input: String = json_get_raw(body, "tool_input")
let eff_input: String = if str_eq(raw_input, "") { "{}" } else { raw_input }