feat(review): enforce reviewer read-only via tool allowlist#2194
Open
neversettle17-101 wants to merge 1 commit into
Open
feat(review): enforce reviewer read-only via tool allowlist#2194neversettle17-101 wants to merge 1 commit into
neversettle17-101 wants to merge 1 commit into
Conversation
The reviewer's read-only guarantee was enforced only by the prompt. Add AllowedTools/DisallowedTools to ports.LaunchConfig and plumb them through the claude-code agent adapter to --allowedTools/--disallowedTools (each list comma-joined into one value so a rule containing spaces like "Bash(git diff:*)" is not split into separate tool names). Empty lists emit nothing, so worker sessions are unaffected. Launch the reviewer off bypassPermissions (which skips the permission system and ignores allow/deny rules) in the default auto mode, with an allowlist scoped to Read/Grep/Glob and the few Bash commands a reviewer needs (gh, git diff/log/show/status, ao review submit) and an explicit deny list for Edit/Write/NotebookEdit/git push/git commit as defense in depth. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ported from aoagents/ReverbCode#278.
Summary
The reviewer's read-only guarantee was enforced only by the prompt. This makes it an enforced sandbox by launching the reviewer off
bypassPermissions(which skips the permission system and ignores allow/deny rules) with a scoped tool allowlist.ports.LaunchConfiggainsAllowedTools []string/DisallowedTools []string. Empty = unrestricted, so worker sessions are unaffected.--allowedTools/--disallowedTools. Each list is comma-joined into one value so a rule containing spaces (e.g.Bash(git diff:*)) is not split into separate tool names.Read,Grep,Glob,Bash(gh:*),Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(git status:*),Bash(ao review submit:*)Edit,Write,NotebookEdit,Bash(git push:*),Bash(git commit:*)Port note
ReverbCode#278 also added
ao review submit --body-textand rewrote the reviewer prompt so the verdict was recorded inline rather than written toreview.md(to avoid grantingWrite). This repo already solves that differently —ao review submit --body -reads the body from stdin and the prompt already instructs the reviewer to stay read-only — so those two files are intentionally not ported. Only the tool-allowlist enforcement is brought over.Test
go build ./...,go vet,gofmt— all clean.go test ./internal/adapters/agent/claudecode/... ./internal/adapters/reviewer/claudecode/... ./internal/cli/...— pass.claudebinary needed).Notes
cat,rg,ls) would stall. Worth an end-to-end review run to confirm the allowlist is permissive enough.🤖 Generated with Claude Code