fix(security): allow Windows read commands

[YOMXXX]

Summary

• Adds Windows read-only command equivalents to the default security policy allowlist: dir, type, where, findstr, and more.
• Adds the same Windows-safe read commands to AutonomyConfig::default() without broadening config-derived policy to allow mutating date usage.
• Adds regression tests for default policy and config-derived policy behavior.
• Complements fix(tools): preserve Windows process env #2382, which covers the Windows child-process env allowlist portion of Windows 11 bug #2379.

Problem

• Windows 11 bug #2379 reports that the tool defaults are POSIX-only on Windows: commands like ls, cat, grep, and which do not map to native Windows read/lookup workflows.
• fix(tools): preserve Windows process env #2382 addresses the env propagation half of the bug, but does not update the policy/config command defaults.
• Without this companion change, Windows users can still be blocked from basic read-only inspection commands even after subprocess env propagation is fixed.

Solution

• Extend the default SecurityPolicy allowlist with native Windows read/lookup equivalents.
• Extend AutonomyConfig::default_allowed_commands() with the same Windows read/lookup entries, while leaving date out of config defaults because mutating forms can change the system clock.
• Cover both direct default policy and config-derived policy paths in Rust tests, including a guard against config-derived date 2026-05-21 being allowed.
• Deliberately leaves shell runtime selection unchanged here; switching native Windows shell semantics also touches node_exec/npm_exec quoting and should be handled as a separate, targeted follow-up if needed.

Submission Checklist

If a section does not apply to this change, mark the item as N/A with a one-line reason. Do not delete items.

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — CI Coverage Gate passed.
• Coverage matrix updated — N/A: small behavior-only security default change, no feature row added/removed/renamed.
• All affected feature IDs from the matrix are listed in the PR description under ## Related — N/A: no matrix feature ID applies.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md) — N/A: no release-cut surface changed.
• Linked issue closed via Closes #NNN in the ## Related section — N/A: this complements fix(tools): preserve Windows process env #2382 for Windows 11 bug #2379 and should not close the issue alone.

Impact

• Runtime/platform impact: Windows users get native read-only inspection commands admitted by default policy/config.
• Security impact: added commands are read/lookup oriented and parallel existing POSIX defaults (ls, cat, grep, which, paged output). Config defaults intentionally do not add date.
• No migration or external dependency impact.

Related

• Closes: N/A: companion PR for Windows 11 bug #2379; fix(tools): preserve Windows process env #2382 covers the env propagation half.
• Follow-up PR(s)/TODOs: fix(tools): preserve Windows process env #2382 should land with this to cover both env and default allowlist facets.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Keep this section for AI-authored PRs. For human-only PRs, mark each field N/A.

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: codex/GH-2379-windows-tool-env
• Commit SHA: 05e8203aacce2b99d68465d113018863c97c5b09

Validation Run

• pnpm --filter openhuman-app format:check — passed via pre-push hook.
• pnpm typecheck — passed via pre-push hook (pnpm compile).
• Focused tests:
  • GGML_NATIVE=OFF pnpm debug rust allowed_commands_include_windows_read_equivalents — log confirms 1 passed.
  • GGML_NATIVE=OFF pnpm debug rust config_default_policy_includes_windows_read_equivalents — log confirms 1 passed.
• Rust fmt/check (if changed):
  • cargo fmt --manifest-path Cargo.toml --all
  • cargo fmt --manifest-path Cargo.toml --all --check
  • GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml
• Tauri fmt/check (if changed): pnpm rust:check passed via pre-push hook.
• Additional validation:
  • git diff --check
  • node scripts/codex-pr-preflight.mjs --lightweight
  • pre-push hook also ran pnpm lint and pnpm lint:commands-tokens successfully; lint emitted existing warnings only.

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A

Behavior Changes

• Intended behavior change: default policies now allow Windows-native read/lookup commands.
• User-visible effect: Windows shell-tool users can perform basic directory listing, file display, command lookup, and text search without custom allowlist config.

Parity Contract

• Legacy behavior preserved: existing POSIX defaults remain unchanged.
• Guard/fallback/dispatch parity checks: SecurityPolicy::default() and AutonomyConfig::default() both include the Windows read/lookup command set; config-derived policy does not add date.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: fix(tools): preserve Windows process env #2382 for the env propagation portion of Windows 11 bug #2379.
• Resolution (closed/superseded/updated): this PR is intentionally non-overlapping and complements fix(tools): preserve Windows process env #2382 by covering the default command allowlist gap.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds Windows read-equivalent commands (dir, type, where, findstr, more) to the default allowed_commands in AutonomyConfig and SecurityPolicy, and adds tests verifying both the direct defaults and the config-derived policy include these commands.

Changes

Windows Command Allowlisting

Layer / File(s)	Summary
Default allowed commands in configuration and policy src/openhuman/config/schema/autonomy.rs, src/openhuman/security/policy.rs	AutonomyConfig::default_allowed_commands() and SecurityPolicy defaults now include Windows read-equivalent commands: dir, type, where, findstr, more.
Test coverage for Windows command allowlisting src/openhuman/security/policy_tests.rs	Two new tests assert the default SecurityPolicy and a policy from AutonomyConfig::default() include the Windows read-equivalent commands and assert a non-allowed date invocation is not permitted.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• senamakel
• graycyrus

Poem

🐰 I hopped through configs, light and spry,

Added dir, type, where to try,
findstr, more join the inspection crew,
Tests nod softly — the list is true,
A tiny hop for cross-platform view.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'fix(security): allow Windows read commands' directly and clearly summarizes the main change: extending the SecurityPolicy allowlist with Windows read-only commands (dir, type, where, findstr, more).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/config/schema/autonomy.rs`:
- Line 60: The entry "date" in the default allowlist is unsafe because it
permits clock changes; remove the "date".into() element from the default list in
autonomy.rs or alternatively update the risk-classification path that handles
command risk so that any invocation of "date" is treated as medium/high risk
(and requires approval or blocking) and ensure argument checks detect mutating
forms (e.g., non-empty args like "date 2026-05-21") in the command-arg gating
logic; locate the string "date" in the defaults and either delete that element
or add an explicit rule mapping "date" to elevated risk in the
risk-classification function used by your policy enforcement.

In `@src/openhuman/security/policy_tests.rs`:
- Around line 98-116: Expand both tests to assert the full newly-expanded
Windows read-only allowlist (including "more" and "date" in addition to "dir",
"type README.md", "where node", "findstr pattern file.txt") so we cover all
commands; update the unnamed loop test to include "more" and "date" in the
command array checked with p.is_command_allowed(command), and update
config_default_policy_includes_windows_read_equivalents to assert
p.is_command_allowed for each of those same commands created via
SecurityPolicy::from_config(&AutonomyConfig::default(),
std::path::Path::new(".")), using the existing is_command_allowed checks to
prevent partial regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 80c18006-fb09-41bd-b8cb-6b8e1243e593

📥 Commits

Reviewing files that changed from the base of the PR and between 369a392 and 2467e36.

📒 Files selected for processing (3)

• src/openhuman/config/schema/autonomy.rs
• src/openhuman/security/policy.rs
• src/openhuman/security/policy_tests.rs

[YOMXXX]

@graycyrus @senamakel This PR is ready for human review/merge as well. It is a small Windows read-command allowlist hardening change; latest checks are green and CodeRabbit approved. The CodeRabbit docstring note is advisory in the walkthrough, not a failing status check.

[graycyrus]

Looks good, nice work!