fix(tools): allow paths within routed workspace in exec guard

drpedapati · claude · drpedapati · commit af0a603e83db · 2026-02-27T14:25:32.000-05:00
The exec safety guard was blocking commands containing absolute paths
to routed workspaces (e.g., /home/ernie/Dropbox/sciclaw/project) when
the shared workspace was different (e.g., ~/sciclaw).

The guard only checked if paths were within:
1. The current working directory (cwd)
2. The shared workspace

But not the tool's configured workspace (t.workingDir), which is set
to the routed workspace for channel-specific routing.

This caused legitimate commands like:
  cd /routed/workspace/subdir &amp;&amp; git commit -m "message"
to be blocked with "path outside working dir".

Fix: Also add t.workingDir to allowedRoots when it differs from both
cwd and sharedWorkspace.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/pkg/tools/shell.go b/pkg/tools/shell.go
@@ -686,6 +686,12 @@ func (t *ExecTool) guardCommand(command, cwd string) string {
 		if sharedRoot != "" && !isWithinWorkspace(cwdPath, sharedRoot) {
 			allowedRoots = append(allowedRoots, guardRoot{path: sharedRoot, readOnly: t.sharedWorkspaceReadOnly})
 		}
+		// Also allow paths within the tool's configured workspace (for routed workspaces
+		// that differ from the shared workspace).
+		wsRoot := absCleanPath(t.workingDir)
+		if wsRoot != "" && wsRoot != cwdPath && wsRoot != sharedRoot && !isWithinWorkspace(wsRoot, sharedRoot) {
+			allowedRoots = append(allowedRoots, guardRoot{path: wsRoot, readOnly: false})
+		}
 
 		for _, raw := range matches {
 			p, err := filepath.Abs(raw)
diff --git a/pkg/tools/shell_test.go b/pkg/tools/shell_test.go
@@ -2,6 +2,7 @@ package tools
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -455,6 +456,32 @@ func TestShellTool_AllowsDirectPubMedCLI(t *testing.T) {
 	}
 }
 
+func TestShellTool_AllowsRoutedWorkspacePathInCommand(t *testing.T) {
+	// Simulate a routed workspace that differs from the shared workspace.
+	// This tests the bug where commands containing absolute paths to the routed
+	// workspace were blocked because only sharedWorkspace was in allowedRoots.
+	routedWorkspace := t.TempDir()
+	sharedWorkspace := t.TempDir()
+	subdir := filepath.Join(routedWorkspace, "vecflow")
+	os.MkdirAll(subdir, 0755)
+
+	tool := NewExecTool(routedWorkspace, false)
+	tool.SetRestrictToWorkspace(true)
+	tool.SetSharedWorkspacePolicy(sharedWorkspace, false)
+
+	// Command that contains an absolute path to the routed workspace
+	cmd := fmt.Sprintf("cd %s && git status", subdir)
+	if blocked := tool.guardCommand(cmd, routedWorkspace); blocked != "" {
+		t.Fatalf("expected routed workspace path to pass guard, got: %q", blocked)
+	}
+
+	// Also test with working_dir pointing to routed workspace
+	cmd2 := fmt.Sprintf("cat %s/file.txt", subdir)
+	if blocked := tool.guardCommand(cmd2, routedWorkspace); blocked != "" {
+		t.Fatalf("expected routed workspace subdir path to pass guard, got: %q", blocked)
+	}
+}
+
 func TestShouldApplyNIHPandocTemplate(t *testing.T) {
 	cases := []struct {
 		name string
