The run_bash static analysis checks the executable at the head of each pipe/chain segment and can't see into arguments. This means certain permissions.run grants quietly weaken or collapse the model:
- Shells and interpreters (
bash, sh, python, node, deno): granting one lets bash -c '<anything>' / python -c '...' through with the inner command carried as an opaque string. The allowlist stops meaning anything.
- Wrappers and exec flags (
env, xargs, nice, timeout, find with -exec): same effect through argument execution.
- Network-capable binaries (
curl, wget, ssh, and even gh): until per-agent egress policy lands, these are an implicit net: ["*"], since subprocess traffic bypasses permissions.net.
af validate (and startup) should surface this:
- warn, or possibly refuse, on shells/interpreters/wrappers in
permissions.run
- warn on known network-capable binaries, noting that their egress is unrestricted at the app layer
Context: gap 5 and the open questions in plans/006-security.md; user-facing notes in docs/permissions.md ("Static analysis of shell commands") and docs/permission-model.md ("Where the boundaries stop today").
The
run_bashstatic analysis checks the executable at the head of each pipe/chain segment and can't see into arguments. This means certainpermissions.rungrants quietly weaken or collapse the model:bash,sh,python,node,deno): granting one letsbash -c '<anything>'/python -c '...'through with the inner command carried as an opaque string. The allowlist stops meaning anything.env,xargs,nice,timeout,findwith-exec): same effect through argument execution.curl,wget,ssh, and evengh): until per-agent egress policy lands, these are an implicitnet: ["*"], since subprocess traffic bypassespermissions.net.af validate(and startup) should surface this:permissions.runContext: gap 5 and the open questions in
plans/006-security.md; user-facing notes indocs/permissions.md("Static analysis of shell commands") anddocs/permission-model.md("Where the boundaries stop today").