fix(agent-sdk): stop pausing file_editor for workspace access

[smolpaws]

Summary

• make confirmation policy the single approval mechanism for tool execution
• remove the separate workspace-access approval path that could pause file_editor even when the user chose NeverConfirm
• stop treating out-of-workspace paths as a second policy layer; if the user disables confirmations, the SDK should just execute
• keep low-level filesystem safety checks (for example symlink/race protections) without layering a second user-facing approval model on top

Desired Behavior

There should be one policy for whether the agent pauses for approval, and it is chosen by the user via Confirmation Policy.

• NeverConfirm: never ask for confirmation
• other confirmation policies: pause according to that policy

The SDK should not have an overlapping workspace-access confirmation policy trying to answer the same question differently.

Testing

• npm test -- --run src/sdk/__tests__/agent.loop.test.ts src/sdk/__tests__/persistence.test.ts src/workspace/__tests__/local.workspace.test.ts src/workspace/__tests__/local.workspace.vscodeRemoteRoots.test.ts src/workspace/__tests__/remote.workspace.test.ts
• npm run build

---

[coderabbitai]

Warning

Rate limit exceeded

@enyst has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 55 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aa464086-0adb-428a-be48-015e17e7bb67

📥 Commits

Reviewing files that changed from the base of the PR and between 3d121d8 and a9d34ad.

📒 Files selected for processing (10)

• packages/agent-sdk/src/sdk/runtime/Agent.ts
• packages/agent-sdk/src/tools/__tests__/ApplyPatchTool.test.ts
• packages/agent-sdk/src/tools/__tests__/tools.test.ts
• packages/agent-sdk/src/workspace/LocalWorkspace.ts
• packages/agent-sdk/src/workspace/RemoteWorkspace.ts
• packages/agent-sdk/src/workspace/__tests__/local.workspace.pathPolicy.test.ts
• packages/agent-sdk/src/workspace/__tests__/local.workspace.test.ts
• packages/agent-sdk/src/workspace/__tests__/local.workspace.vscodeRemoteRoots.test.ts
• packages/agent-sdk/src/workspace/__tests__/remote.workspace.test.ts
• packages/agent-sdk/src/workspace/localWorkspacePathPolicy.ts

📝 Walkthrough

Walkthrough

The agent now automatically allows file_editor access to external paths instead of pausing for confirmation. Runtime changes in Agent.ts replace pauseForConfirmation with direct workspace.allowPath() calls; tests verify no pause events occur and files are accessed immediately.

Changes

Workspace Access Auto-Allow Behavior

Layer / File(s)	Summary
Auto-allow external workspace paths in tool execution packages/agent-sdk/src/sdk/runtime/Agent.ts	When workspaceAccess paths are present in a file_editor tool call, the agent directly calls workspace.allowPath() for each path instead of pausing for confirmation.
External file operations in agent loop packages/agent-sdk/src/sdk/__tests__/agent.loop.test.ts	Three test cases updated: viewing external files, creating external files, and sequential external operations now expect zero pause events and verify observation events contain the expected file contents.
External file access with persistence packages/agent-sdk/src/sdk/__tests__/persistence.test.ts	After restoration, external file_editor calls no longer trigger WAITING_FOR_CONFIRMATION state; files are created immediately and observation events are emitted during the initial run instead of requiring approveAction().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• enyst/OpenHands-Tab#233: Modifies the same file_editor workspace access confirmation flow, effectively inverting its confirmation/auto-allow behavior.

Suggested labels

codex

Suggested reviewers

• enyst

Poem

🐰 Workspace paths, they run so free,
No pause, no wait—approve with glee!
External files in one swift bound,
The agent's speed has come around. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(agent-sdk): stop pausing file_editor for workspace access' directly and specifically describes the main change in the pull request, which is to prevent pausing during file_editor operations on out-of-workspace paths by auto-allowing them instead.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch gpt/remove-file-editor-workspace-confirmation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/agent-sdk/src/sdk/runtime/Agent.ts (1)

823-835: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Defer allowPath() until after confirmation is approved.

workspace.allowPath() runs before the confirmation gate. With a confirming policy (e.g., always), a user can reject the tool call but the external path remains allowlisted, which widens access without approval.

Suggested fix

       const workspaceAccess = this.getRequiredWorkspaceAccess(toolCall.function.name, actionArgs);
-      if (workspaceAccess) {
-        // File-editor paths outside the current workspace are still real SDK use cases
-        // (for example, SmolPaws skills under ~/.openhands). Auto-allow the exact path
-        // instead of forcing a separate workspace-access confirmation stop here.
-        for (const p of workspaceAccess.paths) {
-          this.workspace.allowPath(p);
-        }
-      }
-
       if (this.requiresConfirmation(recordedAction)) {
-        this.pauseForConfirmation({ toolCall, actionEvent: recordedAction, args: actionArgs });
+        this.pauseForConfirmation(
+          { toolCall, actionEvent: recordedAction, args: actionArgs },
+          workspaceAccess,
+        );
         return 'paused';
       }
+      if (workspaceAccess) {
+        // Auto-allow when no confirmation pause is required.
+        for (const p of workspaceAccess.paths) {
+          this.workspace.allowPath(p);
+        }
+      }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/agent-sdk/src/sdk/runtime/Agent.ts` around lines 823 - 835, The code
currently calls workspace.allowPath(...) inside the block after
getRequiredWorkspaceAccess(...) before checking requiresConfirmation(...), which
allowlists external paths even when the user later rejects the confirmation;
move the allowPath calls so they only run after confirmation is granted: remove
or skip the for-loop that calls this.workspace.allowPath(p) prior to the
requiresConfirmation check and instead invoke those same allowPath calls in the
confirmation-success path (e.g., after pauseForConfirmation returns approval or
in the continuation that handles confirmed tool execution), preserving use of
the same symbols (getRequiredWorkspaceAccess, workspace.allowPath,
requiresConfirmation, pauseForConfirmation, recordedAction, toolCall,
actionArgs) so no allowlisting happens while paused.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/agent-sdk/src/sdk/runtime/Agent.ts`:
- Around line 823-835: The code currently calls workspace.allowPath(...) inside
the block after getRequiredWorkspaceAccess(...) before checking
requiresConfirmation(...), which allowlists external paths even when the user
later rejects the confirmation; move the allowPath calls so they only run after
confirmation is granted: remove or skip the for-loop that calls
this.workspace.allowPath(p) prior to the requiresConfirmation check and instead
invoke those same allowPath calls in the confirmation-success path (e.g., after
pauseForConfirmation returns approval or in the continuation that handles
confirmed tool execution), preserving use of the same symbols
(getRequiredWorkspaceAccess, workspace.allowPath, requiresConfirmation,
pauseForConfirmation, recordedAction, toolCall, actionArgs) so no allowlisting
happens while paused.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3e2e4981-744f-46c6-a856-10966f798fd6

📥 Commits

Reviewing files that changed from the base of the PR and between 82f0b59 and 3d121d8.

📒 Files selected for processing (3)

• packages/agent-sdk/src/sdk/__tests__/agent.loop.test.ts
• packages/agent-sdk/src/sdk/__tests__/persistence.test.ts
• packages/agent-sdk/src/sdk/runtime/Agent.ts

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

[github-actions]

🔧 VSCode Extension Built Successfully

• File: openhands-tab-0.9.4.vsix (548 KB)
• Download: https://github.com/enyst/OpenHands-Tab/actions/runs/26060202179

To install:

1. Download the artifact from the run page above
2. VS Code → Command Palette → "Extensions: Install from VSIX..."
3. Select the downloaded .vsix

Built with Node 22. Commit bfcdf82.