Feat/tool script safety guard 90#167
Open
wzxsdf wants to merge 5 commits into
Open
Conversation
) Static pre-execution scanner for Tool/Skill/CodeExecutor scripts. Mirrors the Go reference (trpc-agent-go/tool/safety) for rule_id prefixes and Decision/RiskLevel types, extended to issue trpc-group#90's 6 risk classes. - Python scanner: ast + import-as alias tracking (prevents rename bypass) - Bash scanner: shlex + quote-aware state machine - Conservative 3-state decision (any DENY>deny; else REVIEW>review; else ALLOW) with policy risk-threshold fallback - Two zero-core-change integrations: ToolSafetyFilter (registered tool filter) + SafetyGuardedCodeExecutor (delegating wrapper) - YAML policy (editable without code), structured report, CLI - 59 tests incl. 12 acceptance manifest samples + performance (500 lines <1s) - zh/en docs
…kflow examples/quickstart/.env was tracked at base with a placeholder. Untrack it (secrets must never be version-controlled) and ignore .env / .spec-workflow.
…c-group#90 gaps Closes the gaps flagged in the issue trpc-group#90 compliance audit: - _audit.py: JSON Lines audit record (tool_name, decision, risk_level, rule_ids, scan_duration_ms, sanitized, intercepted, timestamp, recommendation) + write_audit(); emit_otel() sets tool.safety.* span attributes when OTel is active. - ToolSafetyFilter + SafetyGuardedCodeExecutor now call record_safety_decision on every scan (allowed summarized, blocked reasoned + intercepted flag). - New resource rules tool-res-large-write (huge write / dd / truncate / head -c) and tool-res-concurrent-flood (large ThreadPool/ProcessPool); python + bash detection; 2 new manifest samples (14 total). - Example deliverables: examples/tool_safety_report.json (real CLI output), examples/tool_safety_audit.jsonl (deny/review/allow records). - zh/en docs updated (20 rules, telemetry section now describes implemented audit + OTel instead of 'reserved').
- Wire tool-fs-system-dir-write (open(...,'w') into system dirs) and tool-secret-private-key (embedded PEM literal anywhere in source) in the python scanner; these rule ids were previously defined but never fired - Add `from typing import Optional` to _shell_parse (it was referenced only inside a non-evaluated local annotation, but keep it correct/explicit) - Add manifest samples 15/16 covering the two newly wired rules - Add scripts/tool_safety_eval.py: detection / false-positive rate eval for issue trpc-group#90 acceptance trpc-group#2 (>=90% detection, <=10% FP) -> 100% / 0% on manifest All 73 safety tests pass.
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #167 +/- ##
==========================================
Coverage ? 87.63787%
==========================================
Files ? 479
Lines ? 44790
Branches ? 0
==========================================
Hits ? 39253
Misses ? 5537
Partials ? 0 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Author
|
I have read the CLA Document and I hereby sign the CLA |
CI lint job (YAPF + flake8) failed on the safety package. Fixes: - Remove unused Decision/RiskLevel imports and unused `norm` local - Reformat the package with yapf (column_limit=120, split_before_logical_operator) to match CI style exactly - Wrap an over-long ValueError message in _policy._decision flake8 + yapf now clean on all changed trpc_agent_sdk/*.py; 73 tests pass.
Rook1ex
added a commit
to trpc-group/cla-database
that referenced
this pull request
Jul 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description | 描述
构建 Tool Script Safety Guard,在 Tool / Skill / CodeExecutor 真正执行脚本前做静态安全扫描,输出
ALLOW / NEEDS_REVIEW / DENY三级决策,拦截高危脚本并产出可审计事件与 OpenTelemetry 埋点。Decision/RiskLevel对齐trpc-agent-go/tool/safety。Closes #90
Change Type | 修改类型
Features | 功能
import os as x; x.system(...)也能识别)/ Bash(shlex + 引号状态机),纯静态分析,不执行代码ToolSafetyFilter(Tool/Skill 前置拦截)/SafetyGuardedCodeExecutor(包装任意 CodeExecutor)tool_safety_policy.yaml改变白名单域名 / 禁止路径 / 允许命令 / 阈值,无需改代码tool.safety.*span 属性接入方式
Files Changed | 文件变更
trpc_agent_sdk/tools/safety/— 新包(_types/_rules/_policy/_scanner/_python_scanner/_bash_scanner/_shell_parse/_decision/_safety_filter/_code_executor_guard/_audit)trpc_agent_sdk/tools/safety/tool_safety_policy.yaml— 默认策略trpc_agent_sdk/tools/safety/examples/—tool_safety_report.json/tool_safety_audit.jsonl示例scripts/tool_safety_check.py— 独立扫描 CLIscripts/tool_safety_eval.py— 检出率 / 误报率评测tests/tools/safety/— 11 个测试文件 + 16 条样本docs/mkdocs/zh|en/tool_safety.md— 中英文档Validation | 验证
tool_safety_eval.py)Known Limitations | 已知限制
base64 -d | sh、getattr(os,"system")(...)、运行时反射等可绕过