feat(deepagents): add interrupt mode to filesystem permissions #589
Open
Christian Bromann (christian-bromann) wants to merge 6 commits into
Port langchain-ai/deepagents#3505 to deepagentsjs.

- Add mode="interrupt" to FilesystemPermission for HITL-gated access
- Auto-install HumanInTheLoopMiddleware when interrupt rules are present
- Merge fs-derived interruptOn configs with user interruptOn (user wins)
- Scope-aware when predicates for exact and bulk filesystem tools
- Security hardening: pathless grep, current-dir aliases, absolute glob patterns
- Bump langchain to 1.4.5-dev-1781048185730 for when predicate support
🦋 Changeset detected
Latest commit: 94bded3
The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Bulk when predicates previously collected anchors from every interrupt rule, so allow carve-outs listed before a broader interrupt rule still triggered HITL on bulk tools like ls/glob/grep. Evaluate probe paths with decidePathAccess instead, matching exact-tool and result-filtering semantics.
Replace /\/+$/ with a linear scan in path-utils and fs-interrupt to avoid slow regex evaluation on paths with long runs of trailing slashes.
Security Issues
- Glob permission bypass via absolute traversal patterns
The `bulkPatternFires` predicate in `fs-interrupt.ts` evaluates absolute glob patterns (those starting with `/`) by calling `globAnchor()` then `pathsOverlap()`, but never checks for `..` segments before doing so. `globAnchor` treats `..` as a literal path component and stops at it only if a wildcard appears first — it performs no normalization. As a result, a pattern like `/workspace/../secrets/**` produces the anchor `/workspace/../secrets`, whose components (`workspace`, `..`, `secrets`) do not prefix-match the protected anchor `/secrets`, so `pathsOverlap` returns `false` and the HITL interrupt is skipped entirely. The `..` guard only fires on the non-absolute (else) branch at line 70, making it dead code for any absolute traversal pattern. A glob backend that resolves `..` (e.g., micromatch in permissive mode, or the OS filesystem) will then enumerate the protected paths without human approval.
Recommendation
- In `bulkPatternFires`, check for `..` segments before the absolute-pattern branch (or immediately inside it), so any traversal-containing pattern unconditionally triggers the interrupt. Alternatively, normalize the raw pattern with `path.resolve` or a POSIX `normalize` equivalent before calling `globAnchor`, so that `/workspace/../secrets/**` collapses to `/secrets/**` and the overlap check fires correctly.
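The bypass and the first recommended fix from the review above, as an added TypeScript example that is not code from the PR. `globAnchor`, `pathsOverlap`, `normalizeAbsolute` and the two `fires*` functions are simplified stand-ins written for illustration, and `/secrets` is a constructed protected path.

```typescript
// Added example: simplified stand-ins for the helpers named in the review,
// not the deepagentsjs implementation. PROTECTED is a constructed sample rule.
const PROTECTED = "/secrets";

// Literal directory prefix of a glob: components up to the first wildcard.
function globAnchor(pattern: string): string {
  const parts: string[] = [];
  for (const seg of pattern.split("/")) {
    if (/[*?[\]{}]/.test(seg)) break;
    parts.push(seg);
  }
  return parts.join("/") || "/";
}

// True when one path is a component-wise prefix of the other.
function pathsOverlap(a: string, b: string): boolean {
  const x = a.split("/").filter(Boolean);
  const y = b.split("/").filter(Boolean);
  const n = Math.min(x.length, y.length);
  for (let i = 0; i < n; i++) if (x[i] !== y[i]) return false;
  return true;
}

// What a backend that resolves ".." would actually walk (lexical collapse).
function normalizeAbsolute(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Behaviour described in the review: anchor compared without normalization.
function firesNaive(pattern: string): boolean {
  return pathsOverlap(globAnchor(pattern), PROTECTED);
}

// Hardened: any ".." segment fails closed (interrupt) before the anchor logic.
function firesHardened(pattern: string): boolean {
  if (pattern.split("/").some((seg) => seg === "..")) return true;
  return pathsOverlap(globAnchor(pattern), PROTECTED);
}

const traversal = "/workspace/../secrets/**"; // pattern quoted in the review
console.log(firesNaive(traversal), firesHardened(traversal), normalizeAbsolute(globAnchor(traversal)));
```

Failing closed on any `..` segment also covers patterns where the traversal follows a wildcard, which a purely lexical normalization cannot resolve reliably.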
Summary
- `mode: "interrupt"` to `FilesystemPermission`, pausing matching filesystem tool calls for human approval instead of denying or running silently.
- `HumanInTheLoopMiddleware` in `createDeepAgent` when any interrupt-mode permission rule exists; merge fs-derived `interruptOn` with user `interruptOn` (user wins per tool name) on the main agent, GP subagent, and declarative subagents.
- `when` predicates in `middleware/fs-interrupt.ts` so interrupts fire only when calls intersect protected paths—literal match for exact tools (`read_file`, `write_file`, `edit_file`) and subtree overlap for bulk tools (`ls`, `glob`, `grep`), including fixes for pathless calls, current-dir aliases (`.`, `""`, `./`), and absolute `**` glob patterns.
- `langchain` and `@langchain/core` to `1.4.5-dev-1781048185730` / `1.1.49-dev-1781048185730` for `when` predicate support (JS HITL uses approve / edit / reject; no Python `respond` decision yet).