Stage D: ask before reading outside the workspace (session read grants)#6
Closed
Anmolnoor wants to merge 1 commit into
Closed
Stage D: ask before reading outside the workspace (session read grants)#6Anmolnoor wants to merge 1 commit into
Anmolnoor wants to merge 1 commit into
Conversation
Out-of-scope file reads previously hard-blocked silently. Now an out-of-scope read of a typed file capability asks the user for permission and, on approval, grants read access to that directory for the rest of the session. - New ScopeGrantStore (in-memory, read-only) shared between the guardrail policy engine and the file service so one grant unblocks both layers. - Guardrails: an out-of-scope path on builtin.file.read / read_chunk with read-only side effects yields a REQUIRE_APPROVAL verdict tagged PolicyReasonCode.SCOPE_ESCALATION instead of a BLOCK; a granted root counts as in-scope so repeat reads don't re-prompt. Writes, shell, and discovery stay hard-blocked. - PolicyDecision carries reason_codes so the executor can distinguish a scope escalation from a normal approval. - Executor: on a scope-escalation decision it prompts (Allow for this session / Deny) via the Stage C question callback, grants the path's directory on approval, then proceeds; denial (or no interactive prompt) blocks. Never silent-allows, regardless of approval mode. - FileService: reads consult the grant store via _resolve_read_path; writes remain workspace-confined. Tests: granted session read + sibling read without re-prompt; denial blocks; out-of-scope write is never escalated and stays blocked; FileService read-grant boundary (granted read ok, non-granted blocked, write still blocked). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 27, 2026
Owner
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
The final stage of the "make fcli ask me" feature, and the security-sensitive one. Out-of-scope file reads previously hard-blocked silently (the same boundary that blocked reading the beekeeper repo). Now an out-of-scope read asks the user, and on approval grants read-only access to that directory for the rest of the session.
Design (scoped to stay safe)
Out-of-scope reads are blocked at two layers — the guardrail policy and the FileService's own path confinement — so a grant has to be honored by both. A shared
ScopeGrantStore(in-memory, read-only) does that.builtin.file.read/builtin.file.read_chunkwith read-only side effects now yields aREQUIRE_APPROVALverdict taggedPolicyReasonCode.SCOPE_ESCALATIONinstead ofBLOCK. A granted root counts as in-scope, so repeat reads under it don't re-prompt. Writes, shell, and discovery stay hard-blocked — escalation is deliberately limited to typed file reads where a grant can actually be honored.reason_codesso the executor distinguishes a scope escalation from a normal approval._resolve_read_path; writes stay workspace-confined.Tests
4 new (397 total, ruff clean): granted session read + a sibling read under the same root without re-prompting; denial blocks; an out-of-scope write is never escalated and stays blocked; and a FileService-level boundary test (granted read ok, non-granted blocked, write-to-granted-root still blocked).
Sequencing
Final stage of A→B→C→D. With all four merged, fcli no longer crashes on large writes and pauses to ask you — both for genuine ambiguity and before stepping outside the workspace.
🤖 Generated with Claude Code