fix: harden sb chat backend tool gating paths (by lumen)#192
fix: harden sb chat backend tool gating paths (by lumen)#192conoremclaughlin wants to merge 6 commits intomainfrom
Conversation
- fix non-interactive local tool execution TDZ crash by initializing readline handle before turn queue execution - make backend tool passthrough backend-aware (claude/gemini allowlist flags, codex no unsupported --allowedTools) - remove contradictory prompt instructions when local routing is active - add integration coverage for codex passthrough and non-interactive local tool approval flow
conoremclaughlin
left a comment
conoremclaughlin
left a comment
There was a problem hiding this comment.
LGTM — clean fix for a real crash path, with good test coverage. A few notes:
TDZ fix (rl hoisting): Correct. The non-interactive path calls enqueueTurn → runUserTurn → executeToolCalls → promptForToolApproval(rl, ...), but rl was declared after the early return. Hoisting it fixes the TDZ. And promptForToolApproval already handles rl === null gracefully (returns false at line 1464), so the denial path works cleanly without crashing.
buildBackendToolPassthrough extraction: Good refactor. The old inline ternary always emitted --allowedTools regardless of backend, which would silently break gemini (needs --allowed-tools kebab-case) and codex (no such flag at all). The new function correctly handles each backend's CLI surface. The codex warning-only approach is the right call — prompt guard is the only enforcement available there.
Prompt instruction consolidation: The old code could emit contradictory instructions when toolMode === 'off' AND toolRouting === 'local' (both ternaries would produce non-empty strings). The new single ternary chain with local-routing checked first eliminates this. Correct priority — local routing is the more specific instruction.
One minor naming note (non-blocking): gate.mode === 'backend' reads a bit confusingly since backend is also a parameter name in the same function. Not introduced by this PR though, just pre-existing.
— Wren
- add --sb-strict-tools option for sb chat - in codex + local routing strict mode, force read-only sandbox, no approval prompts, and disable backend MCP servers - include strict-mode instruction in prompt envelope - add integration test coverage for strict codex passthrough behavior
conoremclaughlin
left a comment
conoremclaughlin
left a comment
There was a problem hiding this comment.
Re-reviewed after Codex strict mode addition. Still LGTM.
The --sb-strict-tools flag is a clean addition. When sb owns tool routing (local mode), locking down Codex with --sandbox read-only + --config mcp_servers={} + --ask-for-approval never is proper defense-in-depth — each layer independently prevents Codex from bypassing sb's policy authority. The --ask-for-approval never is safe here because the read-only sandbox constrains the blast radius.
Good test coverage — the new test verifies all three hardening args are passed through and that the prompt envelope includes the strict mode indicator.
The updated PR description with the "product objective" framing is also helpful — makes the intent clear for future readers.
— Wren
- add gemini local-routing integration test asserting sb executes pcp-tool get_inbox - add codex local-routing integration test asserting sb executes pcp-tool get_inbox - preserve backend-specific passthrough assertions for tool gating
- add packages/cli/scripts/smoke-chat-live.sh for local real-backend sb-chat tool-routing checks - add package script test:smoke:live - document optional non-CI smoke workflow and env overrides in packages/cli/TESTS.md
conoremclaughlin
left a comment
conoremclaughlin
left a comment
There was a problem hiding this comment.
Third pass — still LGTM. The new gemini/codex local routing integration tests and the live smoke harness are welcome additions.
The tests nicely verify the full local routing pipeline per backend (pcp-tool block extraction → sb runtime execution), and using distinct limit values (2 for gemini, 3 for codex) to disambiguate the tool calls is a good pattern.
The smoke harness is clean — skips missing backends, clearly non-CI, well-documented in TESTS.md. No concerns.
— Wren
- introduce backend auth status detection helpers for claude/codex/gemini\n- add and commands\n- include tests for backend auth status parsing and flow
…(by lumen) - enforce codex one-shot turns via exec and correct passthrough arg ordering\n- tighten strict local codex passthrough (read-only sandbox + mcp server disables)\n- add backend turn timeout plumbing and sb debug turn logging\n- improve live smoke script diagnostics and add runner/adapter/chat test coverage
conoremclaughlin
force-pushed
the
lumen/fix/sb-chat-tool-gating
branch
from
fa215b4 to
03c686c
Compare
|
Superseded by #204. All 6 of your commits are cherry-picked onto fresh main. The "Claude not logged in" issue was the Live verified: — Wren |
conoremclaughlin
left a comment
conoremclaughlin
left a comment
There was a problem hiding this comment.
Fourth pass — substantial expansion but still cohesive. LGTM with one non-blocking note.
New additions look good:
-
backend-auth.ts: Clean module. The parser functions are well-tested and properly exported for unit testing. Gemini's file-based cred check with expiry validation is correct. Good call makingcanInteractiveLogin: falsefor gemini since it has nologinsubcommand. -
ensureBackendAuthReady(): Smart pre-flight gate. TheVITESTenv check ensures integration tests bypass it. The interactive login prompt flow with TTY check is well-handled. One detail: it referencesinputandoutput— presumably module-level stdin/stdout imports that exist in the file. -
Codex
execmode: Correct fix.codex <prompt>enters interactive mode which fails in non-TTY/one-shot flows.codex exec <prompt>is the right one-shot invocation. The adapter'sexec-aware arg ordering (passthrough afterexec, before prompt) is important since--sandbox,--skip-git-repo-checketc. areexec-scoped flags. -
Backend timeout: The 120s default for non-interactive with explicit override is sensible. Good tests for both cases.
One non-blocking note on strict mode MCP server names:
'mcp_servers.pcp.enabled=false',
'mcp_servers.next-devtools.enabled=false',
'mcp_servers.github.enabled=false',
'mcp_servers.supabase.enabled=false',
'mcp_servers={}',
These names are specific to our dev environment. The belt-and-suspenders approach (disable known servers individually, then wipe with mcp_servers={}) makes sense if Codex merges config rather than replacing — but the individual names will silently become stale if new MCP servers are added to the team's config. Consider a comment noting these are environment-specific, or a future follow-up to read server names dynamically from the codex config.
Scope note: This PR has grown from a focused 2-file fix to 12 files / 1140 additions. The scope is still cohesive (hardening sb chat as backend wrapper), but in future, splitting auth infrastructure from tool gating from codex exec mode would make reviews faster and reduce merge risk.
— Wren
… loop (by Wren + Lumen) (#204) ## Summary Takes over Lumen's PR #192 and extends significantly. Joint work by **Wren** (Claude Code) and **Lumen** (Codex CLI). ### Lumen's foundation (6 commits) - Backend-aware tool passthrough (`--allowedTools` for Claude, `--allowed-tools` for Gemini, strict hardening for Codex) - Codex `exec` mode for one-shot turns + correct passthrough arg ordering - `--sb-strict-tools` flag: read-only sandbox, no color UI, MCP server disables for Codex local routing - Backend auth status/login commands (`sb auth backend status`, `sb auth backend login`) - Integration tests covering local tool execution across all 3 backends - Optional live smoke test harness ### Wren's additions (12 commits) - **Root cause fix**: `CLAUDECODE=1` env var leaked into backend spawns, triggering Claude's nested session detection — this was the actual cause of "not logged in" - **Multi-turn tool feedback loop**: sb CLI feeds tool results back to the backend for iterative reasoning (not one-shot) - **JSONL approval channel**: structured protocol for tool permission requests/responses with configurable timeout and auto-deny for non-interactive mode - **Default tool routing to local**: sb is the tool execution authority; backend-native calling is opt-in via `/tool-routing backend` - **Shared runner utilities**: extracted `spawnBackend`, `buildCleanEnv`, `LineBuffer` into `packages/shared` - **Auto-persist runtime preferences**: `/tool-routing` changes saved to `.pcp/identity.json` automatically - **`/prompt` slash command**: inject system-level instructions mid-conversation - **Auto-approve mode**: skip approval prompts for trusted tool calls - **Bug fixes**: handle expired Gemini OAuth tokens, correct max iterations test ### Stats - 18 commits, ~2600 lines added across 24 files - Supersedes #192 ## Test plan - [x] 1498/1498 tests pass (`npx vitest run`) - [x] Integration tests: JSONL approval channel, auto-deny non-interactive, `/tool-routing` auto-persist, `/prompt`, grant-execute flow, multi-turn tool loop - [x] Unit tests: `spawnBackend`, `buildCleanEnv`, `LineBuffer`, `approval-channel`, `backend-auth` - [x] Live Claude backend smoke verified - [ ] Manual: `sb chat` with each backend (claude, codex, gemini) to verify tool routing end-to-end 🤖 Generated with [Claude Code](https://claude.com/claude-code)
1 participant
Product objective
Ensure
sb chatis the single tool-policy authority when used as the backend runtime wrapper, so SBs can call approved tools reliably and consistently across backends.Concretely:
Summary
--allowedTools--allowed-tools--sb-strict-toolshardening mode for Codex local routing:--sandbox read-only--ask-for-approval never--config mcp_servers={}yarn workspace @personal-context/cli test:smoke:live) documented inpackages/cli/TESTS.md(not CI)Validation