diff --git a/docs/RELEASE-MANUAL-SMOKE.md b/docs/RELEASE-MANUAL-SMOKE.md index e1f9f8700..1d687ec22 100644 --- a/docs/RELEASE-MANUAL-SMOKE.md +++ b/docs/RELEASE-MANUAL-SMOKE.md 
@@ -33,6 +33,8 @@ Applies to every release, all platforms. - [ ] **Accessibility permission prompt fires on first agent run** — Trigger an agent action that uses Accessibility (e.g. window-control skill). Expected: macOS prompts `OpenHuman would like to control this computer using accessibility features`. Granting it allows the action; denying it surfaces a clear in-app fallback. - [ ] **Input Monitoring prompt fires on first hotkey use** — Press the registered global hotkey for the first time. Expected: `Input Monitoring` prompt; granting it makes the hotkey trigger; denying it does not crash the app. - [ ] **Screen Recording prompt fires on first screen-share** — Use the screen-share skill or `getDisplayMedia` shim. Expected: `Screen Recording` prompt; granted → picker shows windows + screens; denied → in-app message explaining the requirement. +- [ ] **Meet "Present" surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Google Meet webview account, join a meeting, and click `Present now`. Expected: Chromium's native screen-picker UI appears (Entire screen / Window / Chrome tab tabs) and `getDisplayMedia` only resolves after the user picks a source. Hard fail mode: capture starts immediately with no picker — that means `displayCapture` was re-granted via `Browser.grantPermissions` and bypassed Chromium's transient-activation gate. +- [ ] **Slack huddle screen-share surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Slack webview account, start or join a huddle, and click the screen-share button. Expected: same Chromium native screen-picker as Meet; capture only begins after a deliberate user selection. Hard fail mode: huddle begins broadcasting immediately with no picker prompt. - [ ] **Microphone prompt fires on first voice capture** — Start a voice session. Expected: standard mic prompt; granted → capture begins; denied → fallback message, no panic. 
- [ ] **Bluetooth prompt fires on first Gmeet call (regression watch — see #1288)** — Open the Google Meet webview account and join a meeting from a fresh install. Expected: macOS prompts `OpenHuman would like to use Bluetooth` the first time the device picker enumerates audio peripherals; granted → AirPods/headsets appear in the picker; denied → fallback to built-in mic, no crash. Hard fail mode (key absent) is a SIGABRT before the prompt can render. - [ ] **Location prompt does not crash on Gmeet room-finder probe** — If Gmeet surfaces nearby-room suggestions, the first probe should trigger `OpenHuman would like to use your current location`; granting or denying must NOT crash the app. (Probe path is webview-driven; only verify the no-crash invariant here.) diff --git a/src/openhuman/security/policy.rs b/src/openhuman/security/policy.rs index d25c9ff52..23746cc83 100644 --- a/src/openhuman/security/policy.rs +++ b/src/openhuman/security/policy.rs @@ -191,6 +191,13 @@ impl Default for SecurityPolicy { autonomy: AutonomyLevel::Supervised, workspace_dir: PathBuf::from("."), workspace_only: true, + // When adding a new entry to this allowlist, re-audit + // `DANGEROUS_ENV_PREFIXES` (see below). Every newly-allowed binary + // may introduce its own env-driven subprocess hooks (pager, editor, + // loader override, SSH/diff helper, preprocessor) — those names + // must be added to the prefix denylist so that the + // `KEY=cmd ` shape cannot bypass allowlisting via + // `skip_env_assignments` in `is_command_allowed`. Cross-ref #2636. allowed_commands: vec![ "git".into(), "npm".into(),
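Review bot: In the first hunk (docs/RELEASE-MANUAL-SMOKE.md), the two added screen-picker items describe only the path where the user picks a source; neither says what the tester should see when the picker is cancelled or dismissed. The neighbouring permission items state both the granted and the denied outcome, so add the cancel case to each new item, for example that no capture starts and the meeting or huddle carries on without a crash. The Slack item also defines its expectation as "same Chromium native screen-picker as Meet" and names no cause for its hard fail mode; repeating the `displayCapture` / `Browser.grantPermissions` cause there would let a tester who runs only the Slack check report the regression against #2636 without reading the Meet item first.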
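Review bot: In the second hunk (src/openhuman/security/policy.rs), the comment added above `allowed_commands` is the only thing that ties a new allowlist entry to a re-audit of `DANGEROUS_ENV_PREFIXES`, and a comment cannot fail a build. Consider pairing it with a unit test that passes `is_command_allowed` a `KEY=cmd ` shaped input for each hook class the comment lists (pager, editor, loader override, SSH/diff helper, preprocessor) and asserts rejection, so that whoever adds an entry has a test to extend rather than a note to remember. The "(see below)" pointer is also hard to follow because `DANGEROUS_ENV_PREFIXES` is not defined in this hunk; name the item by its path so the reference survives if the constant moves.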