feat(agentic): scope file/command tools to an agent workspace root #23

Open
tim.lingo wants to merge 1 commits from feat/agent-tool-workspace-scope into main

What

Scopes the agentic file/command tools to a configurable agent workspace root:

  • read_file, write_file, list_files, grep — confined to the root subtree by a lexical path check (rejects .., ~, and absolute paths outside root; resolves relative paths against root).
  • run_command — executes with cwd set to the root (cd <root> && ( ... )).
  • Root resolves from state key agent_workspace_root, else env NEURON_AGENT_ROOT.
  • No root set → behavior unchanged (unscoped) for backward compatibility.

Why

dispatch_tool ran every file/command tool with no path scoping: run_command → exec_capture(cmd), write_file → fs_write(path), etc. The agent-workspace feature (Copilot-style, user-chosen folder) needs the agent's file actions to stay inside the chosen folder.

⚠️ FLAGGED FOR WILL — please review the design decision

This is defense-in-depth, not a hard boundary, and I want it checked against your intended sandbox/runtime design before merge:

  1. Lexical only — does not resolve symlinks, and an arbitrary shell command in run_command can still cd out of the root. Real confinement needs runtime support (cwd-locked exec / sandbox-exec / chroot) in el_runtime.c, which is your domain. Is that the right split, or do you want the enforcement to live entirely in the runtime?
  2. Default-allow-when-unset — chosen for backward compatibility. Do you instead want default-deny (no file tools until a root is configured)?
  3. Config source: agent_workspace_root state key / NEURON_AGENT_ROOT env. Aligns with how config should flow?
  4. The cd <root> && (...) wrapping for run_command — acceptable as the .el-layer mitigation, or should run_command be runtime-scoped only?

Verification status (honest)

  • Compile-checked with elc (darwin arm64), exit 0.
  • NOT link/run-gated locally — darwin elb is unavailable here (wrong arch); same toolchain state that's currently reddening CI at elb: link failed. Needs a soul build + smoke test before merge.

🤖 Generated with Claude Code
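As an added illustration (not the PR's own .el code, and no claim about how the .el guard is written), the following Python module implements the same lexical rules the description lists, the `cd <root> && ( ... )` wrapping for `run_command`, and the root lookup from the `agent_workspace_root` state key / `NEURON_AGENT_ROOT` env. It also adds a realpath-based check and a small symlink demonstration to make the "lexical only" caveat from point 1 concrete. All function names (`resolve_root`, `lexical_confine`, `realpath_confine`, `wrap_command`, `symlink_escape_demo`) and the `default_deny` switch are assumptions for this example:

```python
"""Added example, not code from the PR: a lexical workspace-root guard with
the rules the PR describes, plus a realpath check that exposes the symlink
gap the author flags. Function names are assumptions for illustration."""
import os
import posixpath
import shlex
import tempfile

STATE_KEY = "agent_workspace_root"   # state key named in the PR
ENV_KEY = "NEURON_AGENT_ROOT"        # env var named in the PR


def resolve_root(state, env, default_deny=False):
    """Root from the state key, else the env var. None means 'unscoped',
    the PR's backward-compatible default. default_deny=True models the
    alternative the author asks about: refuse until a root is configured."""
    root = state.get(STATE_KEY) or env.get(ENV_KEY)
    if not root:
        if default_deny:
            raise PermissionError("no agent workspace root configured")
        return None
    return posixpath.normpath(root)


def lexical_confine(root, path):
    """Lexical check only: rejects '~', any '..' component and absolute
    paths outside root; resolves relative paths against root. Returns the
    normalized absolute path or raises PermissionError. No symlink resolution."""
    if root is None:
        return path                      # unscoped: behaviour unchanged
    if path.startswith("~"):
        raise PermissionError(f"home-relative path rejected: {path}")
    if ".." in path.split("/"):
        raise PermissionError(f"parent traversal rejected: {path}")
    candidate = path if posixpath.isabs(path) else posixpath.join(root, path)
    candidate = posixpath.normpath(candidate)
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PermissionError(f"outside workspace root: {path}")
    return candidate


def realpath_confine(root, path):
    """Stronger variant: after the lexical check, resolve symlinks with
    os.path.realpath and compare against the real root. This is the step
    the lexical guard does not perform."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(lexical_confine(root, path))
    if real != real_root and not real.startswith(real_root + "/"):
        raise PermissionError(f"symlink escapes workspace root: {path}")
    return real


def is_rejected(check, root, path):
    """True if `check` raises PermissionError for (root, path)."""
    try:
        check(root, path)
    except PermissionError:
        return True
    return False


def wrap_command(root, cmd):
    """The PR's run_command mitigation: 'cd <root> && ( cmd )'. Only the root
    is shell-quoted; cmd is passed through unchanged, so a command can still
    cd elsewhere, which is exactly why the PR calls this defense-in-depth."""
    if root is None:
        return cmd
    return f"cd {shlex.quote(root)} && ( {cmd} )"


def symlink_escape_demo():
    """Build a constructed workspace containing a symlink that points outside
    it, then ask both checks about 'link/secret'.
    Returns (lexical_allowed, realpath_allowed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ws")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret"), "w") as f:
            f.write("constructed sample\n")
        os.symlink(outside, os.path.join(root, "link"))
        lexical_allowed = not is_rejected(lexical_confine, root, "link/secret")
        realpath_allowed = not is_rejected(realpath_confine, root, "link/secret")
    return lexical_allowed, realpath_allowed


if __name__ == "__main__":
    print(resolve_root({}, {"NEURON_AGENT_ROOT": "/ws/"}))
    print(lexical_confine("/ws", "src/main.el"))
    print(wrap_command("/my ws", "ls -la"))
    print(symlink_escape_demo())
```

`symlink_escape_demo()` returns `(True, False)`: the lexical guard accepts `link/secret` because every path component looks local, while the realpath check sees that it resolves outside the root. That is the concrete gap behind review point 1, and it is independent of the `run_command` wrapping, which does not constrain the command text at all.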

tim.lingo added 1 commit 2026-06-18 04:49:25 +00:00
feat(agentic): scope file/command tools to an agent workspace root
Neuron Soul CI / build (pull_request) Failing after 5m7s
071c0eeb9f
Confine the agentic file tools (read_file, write_file, list_files, grep)
to a configured workspace subtree via a lexical path check, and run
run_command with its cwd set to that root. Root comes from state key
"agent_workspace_root" or env NEURON_AGENT_ROOT. When no root is set,
behavior is unchanged (unscoped) for backward compatibility.

Defense-in-depth, NOT a hard boundary: the lexical guard does not resolve
symlinks and cannot stop an arbitrary shell command from cd-ing out of the
root. Real confinement needs runtime support (cwd-locked exec / sandbox-exec
/ chroot) in el_runtime.c.

Compile-checked with elc (darwin arm64); not link/run-gated locally
(darwin elb unavailable). Needs a soul build + smoke test before merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@will.anderson - review request. Scopes the agentic file/command tools (read_file, write_file, list_files, grep, run_command) to a configurable workspace root (state key agent_workspace_root or env NEURON_AGENT_ROOT). IMPORTANT: this is a lexical .el guard, defense-in-depth, NOT a hard boundary - no symlink resolution, and an arbitrary shell command can still cd out of the root. Your design call: (1) keep enforcement at the .el layer vs. move it into el_runtime.c (cwd-locked exec / sandbox-exec) which is your domain; (2) default-allow-when-unset (current, backward-compatible) vs. default-deny; (3) config source. Compile-checked with elc (exit 0); NOT link/run-gated locally (darwin elb is wrong-arch here) - needs your build + smoke test before merge.
Reference: neuron-technologies/neuron#23