From c9c6b30fbf3591c2336082e939eba0ae5ddb543e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=86=A0=E8=BE=B0?= Date: Tue, 26 May 2026 23:36:12 +0800 Subject: [PATCH 1/2] docs(release-smoke): add Meet + Slack screen-share gesture-gate smoke MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Capture the post-#2636 expectation that `displayCapture` is no longer pre-granted via `Browser.grantPermissions` in `cdp::session`: clicking Meet's "Present" or Slack's huddle screen-share must surface Chromium's native screen-picker. Capture starting immediately with no picker is a regression — `displayCapture` got re-added to the granted set and the transient-activation gate was bypassed. Refs #2636. --- docs/RELEASE-MANUAL-SMOKE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/RELEASE-MANUAL-SMOKE.md b/docs/RELEASE-MANUAL-SMOKE.md index e1f9f87008..1d687ec22c 100644 --- a/docs/RELEASE-MANUAL-SMOKE.md +++ b/docs/RELEASE-MANUAL-SMOKE.md 
@@ -33,6 +33,8 @@ Applies to every release, all platforms. - [ ] **Accessibility permission prompt fires on first agent run** — Trigger an agent action that uses Accessibility (e.g. window-control skill). Expected: macOS prompts `OpenHuman would like to control this computer using accessibility features`. Granting it allows the action; denying it surfaces a clear in-app fallback. - [ ] **Input Monitoring prompt fires on first hotkey use** — Press the registered global hotkey for the first time. Expected: `Input Monitoring` prompt; granting it makes the hotkey trigger; denying it does not crash the app. - [ ] **Screen Recording prompt fires on first screen-share** — Use the screen-share skill or `getDisplayMedia` shim. Expected: `Screen Recording` prompt; granted → picker shows windows + screens; denied → in-app message explaining the requirement. +- [ ] **Meet "Present" surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Google Meet webview account, join a meeting, and click `Present now`. Expected: Chromium's native screen-picker UI appears (Entire screen / Window / Chrome tab tabs) and `getDisplayMedia` only resolves after the user picks a source. Hard fail mode: capture starts immediately with no picker — that means `displayCapture` was re-granted via `Browser.grantPermissions` and bypassed Chromium's transient-activation gate. +- [ ] **Slack huddle screen-share surfaces the Chrome screen-picker (regression watch — see #2636)** — Open the Slack webview account, start or join a huddle, and click the screen-share button. Expected: same Chromium native screen-picker as Meet; capture only begins after a deliberate user selection. Hard fail mode: huddle begins broadcasting immediately with no picker prompt. - [ ] **Microphone prompt fires on first voice capture** — Start a voice session. Expected: standard mic prompt; granted → capture begins; denied → fallback message, no panic. 
- [ ] **Bluetooth prompt fires on first Gmeet call (regression watch — see #1288)** — Open the Google Meet webview account and join a meeting from a fresh install. Expected: macOS prompts `OpenHuman would like to use Bluetooth` the first time the device picker enumerates audio peripherals; granted → AirPods/headsets appear in the picker; denied → fallback to built-in mic, no crash. Hard fail mode (key absent) is a SIGABRT before the prompt can render. - [ ] **Location prompt does not crash on Gmeet room-finder probe** — If Gmeet surfaces nearby-room suggestions, the first probe should trigger `OpenHuman would like to use your current location`; granting or denying must NOT crash the app. (Probe path is webview-driven; only verify the no-crash invariant here.) From 432ba542d54b2659629d9fc71073db36d0979c74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=86=A0=E8=BE=B0?= Date: Tue, 26 May 2026 23:36:18 +0800 Subject: [PATCH 2/2] docs(security): cross-reference allowed_commands and DANGEROUS_ENV_PREFIXES Adding a binary to the `allowed_commands` allowlist without auditing `DANGEROUS_ENV_PREFIXES` reopens the `KEY=cmd ` prefix bypass: `skip_env_assignments` strips the leading env block before allowlisting runs, so any new binary's pager/editor/loader/SSH hook must be denylisted in the prefix set or the shell evaluates an attacker-supplied command before the allowlist ever sees it. Drop an inline comment at the allowlist literal so future reviewers see the dependency and visit the prefix set in the same diff. Refs #2636. --- src/openhuman/security/policy.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/openhuman/security/policy.rs b/src/openhuman/security/policy.rs index d25c9ff526..23746cc83b 100644 --- a/src/openhuman/security/policy.rs +++ b/src/openhuman/security/policy.rs 
@@ -191,6 +191,13 @@ impl Default for SecurityPolicy { autonomy: AutonomyLevel::Supervised, workspace_dir: PathBuf::from("."), workspace_only: true, + // When adding a new entry to this allowlist, re-audit + // `DANGEROUS_ENV_PREFIXES` (see below). Every newly-allowed binary + // may introduce its own env-driven subprocess hooks (pager, editor, + // loader override, SSH/diff helper, preprocessor) — those names + // must be added to the prefix denylist so that the + // `KEY=cmd ` shape cannot bypass allowlisting via + // `skip_env_assignments` in `is_command_allowed`. Cross-ref #2636. allowed_commands: vec![ "git".into(), "npm".into(),
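Review bot: In the docs/RELEASE-MANUAL-SMOKE.md hunk of PATCH 1/2, the two added items (Meet `Present now` and the Slack huddle screen-share button) cover only the path where the user picks a source; neither says what must happen when the picker is cancelled or dismissed. Since the point of the check is that capture needs a deliberate selection, add "cancel → no capture starts, no crash" to both Expected clauses. The items also sit directly after the macOS `Screen Recording` prompt item without saying whether that permission should already be granted, so on a fresh install a tester can mistake the OS prompt for the Chromium picker; state the precondition. Finally, the Slack item's hard-fail mode omits the cause that the Meet item spells out (`displayCapture` re-granted via `Browser.grantPermissions`); repeat it or point back to the Meet item so a failing Slack check is triaged the same way.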
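Review bot: In the src/openhuman/security/policy.rs hunk of PATCH 2/2, the comment added above `allowed_commands: vec![` is the only thing tying the allowlist to `DANGEROUS_ENV_PREFIXES`, and a comment will not fail a build when someone adds a binary and skips the audit. Consider backing it with a unit test next to `is_command_allowed` that walks every entry of the default `allowed_commands` and asserts that a `KEY=cmd <binary>` line using that binary's known hook variables is rejected, so a new entry without a matching prefix shows up as a test gap in the same diff. The pointer "(see below)" is also position-relative and the hunk does not show where `DANGEROUS_ENV_PREFIXES` is defined; name it by path or use an intra-doc link so the reference survives the constant being moved.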