feat(safety): add opt-in tool script safety guard with manifest validation#121
Open
YAO-001 wants to merge 12 commits into
Open
feat(safety): add opt-in tool script safety guard with manifest validation#121YAO-001 wants to merge 12 commits into
YAO-001 wants to merge 12 commits into
Conversation
Author
|
I have read the CLA Document and I hereby sign the CLA |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #121 +/- ##
==========================================
Coverage ? 87.52665%
==========================================
Files ? 478
Lines ? 45489
Branches ? 0
==========================================
Hits ? 39815
Misses ? 5674
Partials ? 0 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
English
Summary
Addresses #90.
This PR adds an opt-in Tool Script Safety Guard for pre-execution scanning of Python and Bash-like tool scripts.
It provides static scanning, policy-based decisions, structured safety reports, sanitized audit events, OpenTelemetry-compatible attributes, and opt-in integration points for Filter/Wrapper, BashTool, and UnsafeLocalCodeExecutor.
This guard is a static pre-execution control. It is not a sandbox and does not replace process isolation, least-privilege filesystem permissions, network egress controls, resource limits, or runtime audit/monitoring.
What Changed
trpc_agent_sdk.tools.safetywithToolScriptSafetyScanner,ToolSafetyPolicy,ToolSafetyFilter,ToolSafetyWrapper, custom safety rule registration APIs, and structured report, audit, and telemetry helpers.examples/tool_safety/tool_safety_policy.yaml, strict policy validation for CI/review usage, and compatibility-preserving non-strict mode that warns and ignores invalid fields.python_code/bash_code,code_blocks,args/argv/command_args, and nested payloads such astool_input,params.arguments, andinput.BashTool(enable_safety_guard=True, ...)andUnsafeLocalCodeExecutor(enable_safety_guard=True, ...).scripts/tool_safety_check.pyandscripts/tool_safety_manifest_report.py.examples/tool_safety/samples/manifest.yamlandexamples/tool_safety/all_reports.json.Issue #90 Acceptance Mapping
trpc_agent_sdk/tools/safety/_scanner.py,trpc_agent_sdk/tools/safety/_rules.pytrpc_agent_sdk/tools/safety/_policy.py,examples/tool_safety/tool_safety_policy.yamlallow,deny,needs_human_reviewtrpc_agent_sdk/tools/safety/_filter.py,trpc_agent_sdk/tools/safety/_wrapper.pytrpc_agent_sdk/tools/safety/_extractors.py,examples/tool_safety/skill_wrapper_example.pytrpc_agent_sdk/tools/file_tools/_bash_tool.py,trpc_agent_sdk/code_executors/local/_unsafe_local_code_executor.pydecision,risk_level,rule_id,risk_type,evidence,recommendationtrpc_agent_sdk/tools/safety/_audit.py,trpc_agent_sdk/tools/safety/_telemetry.pyexamples/tool_safety/README.md,examples/tool_safety/PR_DESCRIPTION.mdSample Validation
The sample corpus is manifest-driven.
Current manifest status:
examples/tool_safety/all_reports.jsonis generated by:The committed artifact normalizes dynamic fields for deterministic review:
Compatibility
All runtime integrations are opt-in.
BashTooldoes not enable the safety guard by default.UnsafeLocalCodeExecutordoes not enable the safety guard by default.needs_human_reviewis not blocked by default unlessblock_on_review=true.This preserves existing behavior for current users.
Validation
I ran the safety-focused test and validation suite:
Expected CLI results:
dangerous_delete.sh:deny, exit code3safe_python.py:allow, exit code0I also ran the upstream lint-equivalent checks for the modified safety paths:
yapf --diffhad no output after formatting, and flake8 passed.I attempted the full repository coverage command:
In my local environment it failed during test collection before reaching the safety changes, due to existing unrelated paths:
typing.TypedDictcompatibility issue.nanobot.heartbeat.tests/test_cli.pymodule discovery hitting the same Claude/Pydantic collection error.The safety-specific tests, manifest report, CLI checks, YAPF, and flake8 validations all passed.
Limitations
This is a static pre-execution guard, not a sandbox.
It can reduce accidental and obvious risky tool execution, but it cannot guarantee protection against obfuscation, runtime-generated code, encoded payloads, interpreter-specific behavior, external binaries, or environment-dependent behavior.
Production deployments should combine this guard with sandboxing, permission isolation, network egress controls, resource limits, runtime audit logs, and monitoring.
中文
概要
解决 #90。
本 PR 新增一个默认关闭、需要显式启用的 Tool Script Safety Guard,用于在执行前静态扫描 Python 和 Bash-like 工具脚本。
它提供静态扫描、基于策略的决策、结构化安全报告、脱敏审计事件、兼容 OpenTelemetry 的属性,以及 Filter/Wrapper、BashTool、UnsafeLocalCodeExecutor 的可选集成点。
该 guard 是静态的执行前控制手段,不是沙箱,也不能替代进程隔离、最小权限文件系统权限、网络出口控制、资源限制或运行时审计/监控。
变更内容
trpc_agent_sdk.tools.safety,包含ToolScriptSafetyScanner、ToolSafetyPolicy、ToolSafetyFilter、ToolSafetyWrapper、自定义安全规则注册 API、结构化报告、审计和遥测辅助模块。examples/tool_safety/tool_safety_policy.yaml、用于 CI/review 的 strict policy 校验,以及保持兼容的非 strict 模式:对非法字段 warning 并忽略。python_code/bash_code、code_blocks、args/argv/command_args,以及tool_input、params.arguments、input等嵌套 payload。BashTool(enable_safety_guard=True, ...)和UnsafeLocalCodeExecutor(enable_safety_guard=True, ...)。scripts/tool_safety_check.py和scripts/tool_safety_manifest_report.py。examples/tool_safety/samples/manifest.yaml和examples/tool_safety/all_reports.json。Issue #90 验收映射
trpc_agent_sdk/tools/safety/_scanner.py、trpc_agent_sdk/tools/safety/_rules.pytrpc_agent_sdk/tools/safety/_policy.py、examples/tool_safety/tool_safety_policy.yamlallow、deny、needs_human_reviewtrpc_agent_sdk/tools/safety/_filter.py、trpc_agent_sdk/tools/safety/_wrapper.pytrpc_agent_sdk/tools/safety/_extractors.py、examples/tool_safety/skill_wrapper_example.pytrpc_agent_sdk/tools/file_tools/_bash_tool.py、trpc_agent_sdk/code_executors/local/_unsafe_local_code_executor.pydecision、risk_level、rule_id、risk_type、evidence、recommendationtrpc_agent_sdk/tools/safety/_audit.py、trpc_agent_sdk/tools/safety/_telemetry.pyexamples/tool_safety/README.md、examples/tool_safety/PR_DESCRIPTION.md样例校验
样例语料由 manifest 驱动。
当前 manifest 状态:
examples/tool_safety/all_reports.json由以下命令生成:提交的 artifact 会归一化动态字段,便于 deterministic review:
兼容性
所有运行时集成都需要显式启用。
BashTool默认不启用 safety guard。UnsafeLocalCodeExecutor默认不启用 safety guard。needs_human_review默认不会阻断,除非设置block_on_review=true。这会保留现有用户的默认行为。
验证
我运行了 safety 相关测试和校验命令:
CLI 预期结果:
dangerous_delete.sh:deny,退出码3safe_python.py:allow,退出码0我也运行了上游 lint 等价检查:
格式化后
yapf --diff无输出,flake8 通过。我尝试运行全仓库 coverage 命令:
在我的本地环境中,该命令在 test collection 阶段失败,尚未执行到本次 safety 相关变更。失败原因来自现有的无关路径:
typing.TypedDict兼容性问题。nanobot.heartbeat。tests/test_cli.py的模块自动发现触发同一个 Claude/Pydantic collection error。Safety 相关测试、manifest report、CLI 检查、YAPF 和 flake8 均已通过。
限制
这是静态执行前 guard,不是沙箱。
它可以减少意外或明显高风险的工具执行,但不能保证防护混淆代码、运行时生成代码、编码 payload、解释器特定行为、外部二进制行为或环境相关行为。
生产部署应将该 guard 与沙箱、权限隔离、网络出口控制、资源限制、运行时审计日志和监控结合使用。