Coding-turn foundation: cwd, env hardening, tool-use events, code/approval wire#69
Open
ankitsejwal wants to merge 1 commit into
Open
Coding-turn foundation: cwd, env hardening, tool-use events, code/approval wire#69ankitsejwal wants to merge 1 commit into
ankitsejwal wants to merge 1 commit into
Conversation
Shared wire contract: add a `code` request kind ({repoId, prompt}) + an
`approval` request/response control channel (the permission bridge); reuse
the already-reserved `tool_call` stream event.
Executor: cwd + --permission-mode/--allowedTools support; port an exec-env
injection blocklist into buildEnv (strip NODE_OPTIONS/LD_*/DYLD_*/GIT_SSH_COMMAND/
GIT_CONFIG*/NPM_CONFIG_*/PYTHONPATH… — hardens every run); emit a tool_call event
on each tool_use so the phone can show a tool-use timeline (phase:'end' is a
follow-up). Daemon forwards tool_call and rejects code requests with a clear
message until execution lands.
Backed by the #276 spike. Tests: shared 17, runtime 28, daemon 22, api 19.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
First foundation slice of M7 (Lucid works in your repos) — the pieces that are pure TS + fully unit-tested, so they land safely ahead of the on-machine execution work. Backed by the #276 spike (below).
Spike that de-risked this (#276, ran locally on a throwaway repo)
claude -p --permission-mode auto(no allowlist) edited a file with zero prompts, exit 0.--permission-prompt-toolis gone from the CLI — we won't use it.{tool_name, tool_input:{command,…}, cwd, session_id}and itsdenyblocks the tool. So auto mode handles the 99%, and a PreToolUse hook is the escalation path to the phone for the rare 1%.What's in this PR
coderequest kind ({repoId, prompt}— the phone never sends a path) added to the harness union; anapprovalrequest/response control channel for the permission bridge; reuses the already-reservedtool_callstream event.cwd+--permission-mode/--allowedToolssupport; an exec-env injection blocklist inbuildEnv()(stripsNODE_OPTIONS,LD_*,DYLD_*,GIT_SSH_COMMAND,GIT_CONFIG*,NPM_CONFIG_*,PYTHONPATH, … — ported from OpenClaw, MIT; hardens every run, not just coding); emits atool_callevent on eachtool_use(stream shapes captured from the spike).tool_call; rejectscoderequests with a clear "not enabled yet" message until execution lands (later tasks).Tests / types
shared 17 · runtime 28 · daemon 22 · api 19 — all green; check-types clean across all four.
Deferred (documented, later M7 tasks)
tool_callphase:'end'(tool_result correlation); the actual code execution (worktree + auto mode + PreToolUse→room approval bridge) is #278/#279. This PR is the contract + executor groundwork only.