Skip to content

feat(safety): add pre-execution tool safety scanner#126

Open
coder-mtj wants to merge 8 commits into
trpc-group:mainfrom
coder-mtj:feat/tool-safety-scanner-python
Open

feat(safety): add pre-execution tool safety scanner#126
coder-mtj wants to merge 8 commits into
trpc-group:mainfrom
coder-mtj:feat/tool-safety-scanner-python

Conversation

@coder-mtj

Copy link
Copy Markdown

Description | 描述

构建 Tool 执行安全扫描器,对 workspace_exec / exec_command / execute_code
工具调用进行前置命令扫描。对齐 trpc-agent-go/tool/safety/ 参考实现。

Closes #90

Change Type | 修改类型

  • New feature | 新功能

Features

  • 策略驱动扫描 — DeniedCommands / DeniedPaths / NetworkAllowlist / ReviewCommands
  • 6 大风险类别 — 危险命令、网络外连、Shell 绕过、依赖变更、资源滥用、敏感信息泄漏
  • Shell 命令解析 — 纯 Python 静态分析(不调 subprocess)
  • Secret 脱敏 — 自动检测并替换 API key / token / credential
  • Code Block 安全检查 — bash + python subprocess 检测
  • Filter 集成ToolSafetyFilter(FilterABC 子类)
  • OTel span attributestool.safety.* 属性预留

Files Changed

  • trpc_agent_sdk/tools/safety/ — 新包
    • _types.py — Decision/RiskLevel/Policy/Request/Report/Finding/AuditEvent
    • _policy.py — default_policy() + load_policy(YAML/JSON)
    • _shell_parse.py — 命令名/管道/URL/Shell绕过 检测
    • _redactor.py — Secret 脱敏引擎
    • _scanner.py — 核心扫描引擎 scan(request, policy) → Report
    • _permission.py — ToolSafetyFilter(FilterABC 集成)
  • tests/tools/safety/test_types.py — 16 个类型测试
  • tests/tools/safety/test_scanner.py — 18 个扫描测试

Test Coverage | 测试覆盖

  • 34 passed
  • 12 core scan cases — 对齐 Go 参考实现(go test, rm -rf, curl, bash -c, pipeline, sleep, ...)
  • 500-line batch scan — < 1s performance verified
  • 6 edge cases — empty command, denied CWD, chmod, unicode, nil policy, secret leak

Self-test Checklist | 自测清单

  • Verified locally | 本地验证通过
  • No existing features affected | 无影响现有功能
  • 12 core cases match Go reference decisions
  • 500-line scan completes under 1 second

coder-mtj added 3 commits July 6, 2026 09:00
16 tests covering Decision, RiskLevel, Finding, Report, AuditEvent,
Policy, Request, and CodeBlock types. Enums with rank ordering.

Mirrors trpc-agent-go/tool/safety/safety.go types.

Signed-off-by: coder-mtj <coder-mtj@users.noreply.github.com>
Core scanner engine with:
- Policy-driven scanning (DeniedCommands/DeniedPaths/NetworkAllowlist/ReviewCommands)
- Shell command analysis (pipeline detection, secret redaction, shell bypass)
- Code block safety checks (bash, python with subprocess detection)
- 12 core test cases aligned with Go reference implementation
- 500-line batch scan verified < 1s
- Filter integration via ToolSafetyFilter (FilterABC subclass)

34 tests passed. Mirrors trpc-agent-go/tool/safety/.

Signed-off-by: coder-mtj <coder-mtj@users.noreply.github.com>
Signed-off-by: coder-mtj <coder-mtj@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 81.79724% with 79 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@099b571). Learn more about missing BASE report.

Files with missing lines Patch % Lines
trpc_agent_sdk/tools/safety/_permission.py 31.25000% 44 Missing ⚠️
trpc_agent_sdk/tools/safety/_policy.py 40.00000% 12 Missing ⚠️
trpc_agent_sdk/tools/safety/_scanner.py 93.68421% 12 Missing ⚠️
trpc_agent_sdk/tools/safety/_shell_parse.py 79.48718% 8 Missing ⚠️
trpc_agent_sdk/tools/safety/_redactor.py 85.00000% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main        #126   +/-   ##
==========================================
  Coverage        ?   87.45950%           
==========================================
  Files           ?         474           
  Lines           ?       44440           
  Branches        ?           0           
==========================================
  Hits            ?       38867           
  Misses          ?        5573           
  Partials        ?           0           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

flake8 fixes:
- _policy.py: remove unused 'os' import (F401)
- _scanner.py: replace f-string with regular string (F541)

Signed-off-by: coder-mtj <coder-mtj@users.noreply.github.com>
@raychen911

raychen911 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

建议补充一下设计文档,包含中英文版本,方便理解设计,如果是ai编写的代码,给出相关的提示词,提示词如果不方便展示可以邮件发送

- design-en.md: English architecture design document
- usage.md: Usage guide with reproduction steps
- ai-prompts.md: AI-assisted development prompts (4 rounds)
- Include existing design.md, test-plan.md, summary.md

Response to reviewer feedback from raychen911.
@coder-mtj

Copy link
Copy Markdown
Author

建议补充一下设计文档,包含中英文版本,方便理解设计,如果是ai编写的代码,给出相关的提示词,提示词如果不方便展示可以邮件发送

@raychen911 感谢 review!已补充设计文档和 AI 提示词:

新增文档(docs/issue-90-tool-safety/)

文件 说明
design.md 中文架构设计文档(模块划分、扫描流程、6 大风险类别)
design-en.md English architecture design document
usage.md 使用说明 + 快速开始 + 复现步骤
test-plan.md 测试计划(4 维度,34 个测试用例)
summary.md 实现总结(含 Go vs Python 对比表)
ai-prompts.md AI 辅助开发提示词(4 轮完整对话)

AI 提示词要点

架构设计(模块划分、类型系统、扫描流程、6 大风险类别、12 个核心测试用例)均由我亲自设计,AI 仅执行编码。4 轮对话:

  1. 类型系统设计 → AI 实现 _types.py(对齐 Go 参考实现)
  2. 策略+Shell解析+脱敏 → AI 实现 _policy.py + _shell_parse.py + _redactor.py
  3. 核心扫描引擎 → AI 实现 _scanner.py(5 步扫描流程)
  4. Filter 集成 → AI 实现 _permission.py(FilterABC + ToolSafetyFilter)

每个技术决策(为什么选纯 Python regex 而非 subprocess、为什么选 FilterABC 而非 decorator)均来自本人设计。AI 只负责 TDD 执行:先写测试→实现→yapf/flake8 修复。

完整提示词见 PR 中的 docs/issue-90-tool-safety/ai-prompts.md。

@coder-mtj

Copy link
Copy Markdown
Author

I have read the CLA Document and I hereby sign the CLA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

构建 Tool 执行脚本安全扫描、Filter 拦截与监控机制

2 participants