Fail closed on unsafe code execution without explicit policy and pre-execution confirmation#4596
Implemented unsafe code execution fail-closed defaults by requiring explicit unsafe policy opt-in and task-level human confirmation before unsafe code tools are injected. This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9400f82055
```python
if not getattr(task, "human_input", False):
    raise ValueError(
        "Unsafe code execution requires task.human_input=True "
        "for explicit operator confirmation."
    )
```
Require confirmation before unsafe tool execution
This gate treats task.human_input=True as an execution-time confirmation, but human_input is only processed after the agent loop completes (CrewAgentExecutor.invoke runs _invoke_loop() first and only then _handle_human_feedback), so unsafe tool calls can still execute before any operator approval. In practice, a task that passes this check can run unsafe code non-interactively and only ask for feedback afterward, which does not satisfy the fail-closed safety guarantee this change is trying to introduce.
9400f82 to ec24a66
This PR is stale because it has been open for 45 days with no activity.
Problem
Unsafe code execution can be routed into crew task execution without strict, pre-execution confirmation guarantees, creating permissive high-risk tool behavior.
Why now
Issue #4593 asks for fail-closed unsafe tool execution defaults as crew autonomy scales and safety boundaries must be explicit.
What changed
- `allow_unsafe_code_execution` (default `False`).
- `unsafe_code_execution_confirmation` callable.
- Unsafe code tools are injected only when `allow_unsafe_code_execution=True`, and `unsafe_code_execution_confirmation` is callable and returns `True` before tool injection.
Validation
- `uv run ruff format lib/crewai/src/crewai/agent/core.py lib/crewai/src/crewai/crew.py lib/crewai/src/crewai/project/crew_base.py lib/crewai/tests/test_crew.py` (pass)
- `uv run ruff check lib/crewai/src/crewai/agent/core.py lib/crewai/src/crewai/crew.py lib/crewai/src/crewai/project/crew_base.py lib/crewai/tests/test_crew.py` (pass)
- `uv run pytest lib/crewai/tests/test_crew.py -k 'code_execution_flag_adds_code_tool_upon_kickoff or unsafe_code_execution_requires_explicit_allow_policy or unsafe_code_execution_requires_confirmation_setting or unsafe_code_execution_requires_positive_confirmation or unsafe_code_execution_allowed_with_policy_and_confirmation_gate'` (pass)
Refs #4593
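A sketch of the fail-closed gate the description outlines, written as an added example rather than crewAI's own code: `Task`, `UnsafeCodePolicy`, `inject_tools`, `gate_outcome` and the tool name are hypothetical. It evaluates the confirmation callable before any tool is handed to the agent loop, which is the ordering the Codex comment above says a `task.human_input` check does not provide, and it treats a missing, failing or non-`True` confirmation as a denial.

```python
"""Hypothetical fail-closed gate for unsafe code tools (added example, not crewAI code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

UNSAFE_CODE_TOOL = "code_interpreter_unsafe"  # constructed tool name, not a crewAI tool

class UnsafeCodeExecutionDenied(PermissionError):
    """Raised whenever the gate cannot positively establish that execution is allowed."""

@dataclass
class Task:
    description: str
    human_input: bool = False  # processed after the agent loop, so the gate ignores it

@dataclass
class UnsafeCodePolicy:
    allow_unsafe_code_execution: bool = False  # fail-closed default: deny unless opted in
    unsafe_code_execution_confirmation: Callable[[Task], bool] | None = None

def inject_tools(task: Task, policy: UnsafeCodePolicy, tools: list[str]) -> list[str]:
    """Return the tool list for `task`, adding the unsafe tool only when every gate passes.

    The confirmation callable runs here, before any tool reaches the agent loop, so the
    operator's approval precedes execution instead of being collected afterwards.
    """
    if not policy.allow_unsafe_code_execution:
        raise UnsafeCodeExecutionDenied("allow_unsafe_code_execution is False")
    confirm = policy.unsafe_code_execution_confirmation
    if not callable(confirm):
        raise UnsafeCodeExecutionDenied("unsafe_code_execution_confirmation must be callable")
    try:
        decision = confirm(task)
    except Exception as exc:  # a confirmation that fails is a denial, never a pass
        raise UnsafeCodeExecutionDenied(f"confirmation raised: {exc!r}") from exc
    if decision is not True:  # strict check: truthy non-bool values are not approval
        raise UnsafeCodeExecutionDenied(f"confirmation returned {decision!r}")
    return [*tools, UNSAFE_CODE_TOOL]

def gate_outcome(task: Task, policy: UnsafeCodePolicy) -> str:
    """Demo helper: 'allowed' on success, otherwise the denial reason."""
    try:
        inject_tools(task, policy, ["search"])
        return "allowed"
    except UnsafeCodeExecutionDenied as exc:
        return f"denied: {exc}"
```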