Add security allowlist for command execution and update copilot instructions

- Add security.ts with allowlist configuration for shell commands - Update command-executor.ts to enforce security policy (exit code 126 for blocked commands) - Update copilot instructions to clarify builtin tools vs shell commands - Document that builtin tools (deleteFile, createFile, etc.) bypass security filtering - Only executeCommand (shell commands) requires security.json allowlist entries
2026-06-15 20:05:16 +02:00 · 2025-11-18 20:42:11 +05:30 · 2025-11-18 20:42:11 +05:30 · 28488d5fd1
commit 28488d5fd1
parent 570543e1c7
4 changed files with 183 additions and 1 deletions
--- a/apps/cli/src/application/assistant/instructions.ts
+++ b/apps/cli/src/application/assistant/instructions.ts
@ -26,4 +26,19 @@ Always consult this catalog first so you load the right skills before taking act
 - Explore existing files and structure before creating new assets.
 - Use relative paths (no \${BASE_DIR} prefixes) when running commands or referencing files.
 - Keep user data safe—double-check before editing or deleting important resources.
+
+## Builtin Tools vs Shell Commands
+
+**IMPORTANT**: Rowboat provides builtin tools that are internal and do NOT require security allowlist entries:
+- \`deleteFile\`, \`createFile\`, \`updateFile\`, \`readFile\` - File operations
+- \`listFiles\`, \`exploreDirectory\` - Directory exploration
+- \`analyzeAgent\` - Agent analysis
+- \`listMcpServers\`, \`listMcpTools\` - MCP server management
+- \`loadSkill\` - Skill loading
+
+These tools work directly and are NOT filtered by \`.rowboat/config/security.json\`.
+
+**Only \`executeCommand\` (shell/bash commands) is filtered** by the security allowlist. If you need to delete a file, use the \`deleteFile\` builtin tool, not \`executeCommand\` with \`rm\`. If you need to create a file, use \`createFile\`, not \`executeCommand\` with \`touch\` or \`echo >\`.
+
+The security allowlist in \`security.json\` only applies to shell commands executed via \`executeCommand\`, not to Rowboat's internal builtin tools.
 `;
--- a/apps/cli/src/application/assistant/skills/builtin-tools/skill.ts
+++ b/apps/cli/src/application/assistant/skills/builtin-tools/skill.ts
@ -10,6 +10,8 @@ Agents can use builtin tools by declaring them in the \`"tools"\` object with \`
 ### executeCommand
 **The most powerful and versatile builtin tool** - Execute any bash/shell command and get the output.

+**Security note:** Commands are filtered through \`.rowboat/config/security.json\`. Populate this file with allowed command names (array or dictionary entries). Any command not present is blocked and returns exit code 126 so the agent knows it violated the policy.
+
 **Agent tool declaration:**
 \`\`\`json
 "tools": {
@ -176,4 +178,3 @@ There are no separate "workflow" files - everything is an agent!
 `;

 export default skill;
-