fix(security): expand default allowed_commands and auto_approve (#2486)

[YellowSnnowmann]

Summary

• Expands default_allowed_commands from 18 → 40 entries: adds build tools (pnpm, yarn, make, cmake), read-only inspection tools (sort, uniq, diff, which, uname, basename, dirname, tr, cut, realpath, readlink, stat, file), and workspace mutation tools (mkdir, touch, cp, mv, ln).
• Expands default_auto_approve from 5 → 9 tools: adds glob, grep (read-only search), file_write, edit_file (workspace-scoped writes).
• Adds schema v3→v4 migration that merges new commands/tools into existing user configs (additive-only, preserves customizations). Also bumps max_actions_per_hour from the old hard-coded 20 to u32::MAX for users still on that default (code default was changed to unlimited in feat(app): UI control for max_actions_per_hour (#2486) #2500 but persisted configs kept 20).

No high-risk commands (python, node, bash, curl, sed, awk, xargs) were added. Filesystem mutation commands (mkdir, touch, cp, mv, ln) are classified as medium-risk and require approval in Supervised mode.

Test plan

• cargo test --lib openhuman::security::policy — 112 pass
• cargo test --lib openhuman::migrations — 51 pass
• cargo fmt --check — clean
• RPC-verified: openhuman.security_policy_info shows allowed_cmds=40, max_actions/hr=4294967295
• RPC-verified: openhuman.config_get shows migration applied to real user config (commands_added=28 tools_added=4 max_actions_bumped=true)
• Confirmed high-risk commands (python, curl, bash) remain blocked

Closes #2486

Summary by CodeRabbit

• New Features

  • Expanded default security policy to allow more package/build tools, additional read/inspection utilities, and select filesystem mutation commands; auto-approve list extended with workspace-scoped search/read tools.

• Configuration Updates

  • On upgrade, existing workspaces are migrated to merge these expanded defaults and advance the schema while preserving user customizations.

• Behavior Changes

  • Default action rate limit raised from a small cap to effectively unlimited unless overridden.

• Tests

  • Added unit and integration tests for migrations, defaults, preservation, and idempotency.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Expands default allowed commands and auto-approve lists, raises default max_actions_per_hour to unlimited, adds a v3→v4 migration to merge new defaults and conditionally bump the action limit, adds a v4→v5 migration to remove write tools from auto-approve, updates migration runner to CURRENT_SCHEMA_VERSION = 5, and adds tests.

Changes

Autonomy defaults expansion and migration

Layer / File(s)	Summary
Expanded autonomy schema defaults src/openhuman/config/schema/autonomy.rs, src/openhuman/security/policy.rs, src/openhuman/security/policy_tests.rs	Adds package/build tool basenames (pnpm, yarn, make, cmake), inspection utilities (sort,uniq,diff,which,uname,basename,dirname,tr,cut,realpath,readlink,stat,file), and selected filesystem mutations (mkdir,touch,cp,mv,ln) to default_allowed_commands; expands default_auto_approve with workspace-scoped tools (glob,grep,file_write,edit_file); updates tests to assert defaults and risk levels; changes policy default max_actions_per_hour from 20 to u32::MAX.
Migration implementation: expand_autonomy_defaults (v3→v4) src/openhuman/migrations/expand_autonomy_defaults.rs	New migration that additively merges fixed command and auto-approve lists into persisted configs when missing, conditionally bumps max_actions_per_hour from 20 → u32::MAX only if the persisted value equals the legacy sentinel, logs MigrationStats, and contains unit tests for insertion, preservation, deduplication, idempotency, and conditional bumping.
Migration orchestration and schema upgrades src/openhuman/migrations/mod.rs	Registers expand_autonomy_defaults and remove_write_auto_approve, bumps CURRENT_SCHEMA_VERSION to 5, and adds gated run_pending steps: v3→run expand → persist v4 (rollback on save failure), then v4→run remove → persist v5 (rollback on save failure).
Migration tests and runner expectations src/openhuman/migrations/mod_tests.rs	Adds simulate_v3_autonomy helper, updates run_pending tests to expect CURRENT_SCHEMA_VERSION persisted (5), strengthens idempotency assertions (file mtime unchanged), and adds integration tests verifying v3→current expansion (including max_actions bump), preservation of custom max_actions_per_hour, and v4→v5 auto_approve removals while preserving always_ask.
Migration: remove_write_auto_approve (v4→v5) src/openhuman/migrations/remove_write_auto_approve.rs	New migration that removes file_write and edit_file from persisted config.autonomy.auto_approve, returns removed-count stats, and includes unit tests validating removals and preservation of always_ask.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• tinyhumansai/openhuman#2399: Overlapping allowlist extension work touching default_allowed_commands and SecurityPolicy allowlists.
• tinyhumansai/openhuman#2534: Related default allowlist update (adds date) and adjustments to argument safety checks.
• tinyhumansai/openhuman#2500: Changes affecting max_actions_per_hour defaults which interact with UI/RPC assumptions about default limits.

Suggested reviewers

• senamakel
• graycyrus

🐰 I hopped through defaults under moonlit code,
I added tools and commands along the road.
A two-step migration — bump then prune — done neat,
Tests guard the hop, so configs stay complete.
🥕✨ The rabbit’s migration dance is sweet.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: expanding default allowed_commands and auto_approve security policy allowlists.
Linked Issues check	✅ Passed	The PR comprehensively addresses all coding-related requirements from issue #2486: expands allowed_commands with 22 new entries (build tools, inspection tools, filesystem mutations), broadens auto_approve with new tools, bumps max_actions_per_hour to u32::MAX via migration, and implements additive-only migration logic that preserves user customizations.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to expanding autonomy defaults and implementing the required migration infrastructure; no unrelated modifications to other systems or features are present.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/security/policy.rs (1)

179-179: ⚠️ Potential issue | 🔴 Critical | 💤 Low value

Fix rate-limit default mismatch: tool paths using SecurityPolicy::default() still cap at 20/hr

SecurityPolicy::default() sets max_actions_per_hour: 20, but AutonomyConfig’s default (default_max_actions_per_hour() in autonomy.rs) is u32::MAX (effectively unlimited). Production code also constructs the policy from SecurityPolicy::default() instead of config-layer defaults:

• src/openhuman/tools/schemas.rs (polymarket_execute) passes SecurityPolicy::default() into PolymarketTool, and PolymarketTool::execute enforces rate limiting via security.is_rate_limited() / security.record_action().
• src/openhuman/composio/client.rs (direct mode) passes SecurityPolicy::default() into ComposioTool, and ComposioTool calls security.enforce_tool_operation(...), which rate-limits via record_action().

Use SecurityPolicy::from_config(&config.autonomy, &config.workspace_dir) (or equivalent) in these production call sites, or update SecurityPolicy::default() to match the config default if that’s the intended global default.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/security/policy.rs` at line 179, SecurityPolicy::default()
currently sets max_actions_per_hour to 20 whereas
AutonomyConfig::default_max_actions_per_hour() uses u32::MAX, causing production
call sites to be unintentionally rate-limited; fix by replacing uses of
SecurityPolicy::default() in the production tool instantiations with
SecurityPolicy::from_config(&config.autonomy, &config.workspace_dir) (or
otherwise constructing from the AutonomyConfig) so PolymarketTool
(polymarket_execute) and ComposioTool (composio client direct mode) receive
policy values that match AutonomyConfig defaults, or alternatively update
SecurityPolicy::default() to return the same default as
default_max_actions_per_hour if a global default change is intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/openhuman/security/policy.rs`:
- Line 179: SecurityPolicy::default() currently sets max_actions_per_hour to 20
whereas AutonomyConfig::default_max_actions_per_hour() uses u32::MAX, causing
production call sites to be unintentionally rate-limited; fix by replacing uses
of SecurityPolicy::default() in the production tool instantiations with
SecurityPolicy::from_config(&config.autonomy, &config.workspace_dir) (or
otherwise constructing from the AutonomyConfig) so PolymarketTool
(polymarket_execute) and ComposioTool (composio client direct mode) receive
policy values that match AutonomyConfig defaults, or alternatively update
SecurityPolicy::default() to return the same default as
default_max_actions_per_hour if a global default change is intended.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2201ad39-da37-4dea-ae7b-b34f49f51556

📥 Commits

Reviewing files that changed from the base of the PR and between de2a78a and 086befe.

📒 Files selected for processing (6)

• src/openhuman/config/schema/autonomy.rs
• src/openhuman/migrations/expand_autonomy_defaults.rs
• src/openhuman/migrations/mod.rs
• src/openhuman/migrations/mod_tests.rs
• src/openhuman/security/policy.rs
• src/openhuman/security/policy_tests.rs

[M3gA-Mind]

Solid migration work and good test coverage overall. One security-design decision needs explicit maintainer sign-off before merge; a couple of smaller items to address.

Security concern — file_write and edit_file in auto_approve

ApprovalManager::needs_approval() (src/openhuman/approval/ops.rs:92) is the gating function:

// ReadOnly blocks everything — handled elsewhere; no prompt needed.
if self.autonomy_level == AutonomyLevel::ReadOnly { return false; }

// auto_approve skips the prompt.
if self.auto_approve.contains(tool_name) { return false; }

// Default: supervised mode requires approval.
true

Adding file_write and edit_file to auto_approve means Supervised mode no longer prompts for file writes. ReadOnly mode is unaffected (writes are blocked at the tool layer, not the approval gate — the comment on line 82 confirms this). But Supervised mode's documented contract is "ask before edit" — that contract is broken for these two tools.

The PR description explicitly argues this is acceptable ("workspace boundary already constrains the blast radius"), but that's a design decision that changes user-visible behaviour for everyone in Supervised mode. It deserves explicit maintainer sign-off in the PR, not just a comment in the diff.

Suggested resolution: either (a) keep file_write/edit_file off auto_approve for now and file a separate PR documenting the change to Supervised mode semantics, or (b) add a note to the PR body confirming the intentional Supervised-mode behaviour change and have a maintainer explicitly approve it.

make in allowed_commands

make is a command runner, not just a build tool — a make target can shell out to anything. On the allowed list it isn't classified as Install, so a compromised or malicious Makefile can run arbitrary commands (including network calls) without triggering the always-ask Install gate. This is qualitatively different from pnpm/yarn/cmake, which install packages or configure build graphs.

Not a blocker, but worth a doc comment next to the make entry explaining the deliberate trade-off (e.g. "common development workflow; targets must be approved in Supervised mode as medium-risk writes").

Minor — cp/mv/ln classification confirmed correct

policy.rs:536 already has "touch" | "mkdir" | "mv" | "cp" | "ln" => true for medium-risk. The command_risk_level test in policy_tests.rs pins that. ✓

Minor — NEW_COMMANDS comment inaccuracy

/// These were added to the code default in PR #2500 but are absent from any
/// `config.toml` written before that change.
const NEW_COMMANDS: &[&str] = &[
    ..., "date", "dir", "type", "where", "findstr", "more",
];

date, dir, type, where, findstr, more appear without + in the autonomy.rs diff, meaning they were present before this PR. If they pre-date PR #2500 too, the comment is inaccurate. Functionally harmless (the additive guard prevents duplicates), but the comment will mislead future readers. Worth a quick git log -S '"date".into()' to verify — if they were there before PR #2500, update the comment to name the correct PR or say "may already be present in older configs; merge is a no-op if so."

What's correct

• Migration is additive-only (contains-check before every push) and fully idempotent. ✓
• Save-failure rollback (config.schema_version = previous_version; return;) prevents a half-applied migration from persisting a bumped version. ✓
• max_actions_per_hour bump is gated on exact equality with OLD_DEFAULT_MAX_ACTIONS_PER_HOUR = 20, so any deliberate customisation is preserved. ✓
• no_op_on_fresh_install_defaults correctly fires !stats.max_actions_bumped because Config::default() now initialises max_actions_per_hour = u32::MAX, not 20. ✓
• Migration integration tests (run_pending_expands_autonomy_defaults_from_v3, run_pending_v3_to_v4_preserves_custom_max_actions) confirm the end-to-end path including config.save(). ✓
• supervised_still_enforces_command_allowlist updated to reflect mkdir now being allow-listed. ✓
• CI green, no merge conflicts.

Resolve the file_write/edit_file auto-approve question and this is ready.

[YellowSnnowmann]

Solid migration work and good test coverage overall. One security-design decision needs explicit maintainer sign-off before merge; a couple of smaller items to address.

Security concern — file_write and edit_file in auto_approve

ApprovalManager::needs_approval() (src/openhuman/approval/ops.rs:92) is the gating function:

// ReadOnly blocks everything — handled elsewhere; no prompt needed.
if self.autonomy_level == AutonomyLevel::ReadOnly { return false; }

// auto_approve skips the prompt.
if self.auto_approve.contains(tool_name) { return false; }

// Default: supervised mode requires approval.
true

Adding file_write and edit_file to auto_approve means Supervised mode no longer prompts for file writes. ReadOnly mode is unaffected (writes are blocked at the tool layer, not the approval gate — the comment on line 82 confirms this). But Supervised mode's documented contract is "ask before edit" — that contract is broken for these two tools.

The PR description explicitly argues this is acceptable ("workspace boundary already constrains the blast radius"), but that's a design decision that changes user-visible behaviour for everyone in Supervised mode. It deserves explicit maintainer sign-off in the PR, not just a comment in the diff.

Suggested resolution: either (a) keep file_write/edit_file off auto_approve for now and file a separate PR documenting the change to Supervised mode semantics, or (b) add a note to the PR body confirming the intentional Supervised-mode behaviour change and have a maintainer explicitly approve it.

make in allowed_commands

make is a command runner, not just a build tool — a make target can shell out to anything. On the allowed list it isn't classified as Install, so a compromised or malicious Makefile can run arbitrary commands (including network calls) without triggering the always-ask Install gate. This is qualitatively different from pnpm/yarn/cmake, which install packages or configure build graphs.

Not a blocker, but worth a doc comment next to the make entry explaining the deliberate trade-off (e.g. "common development workflow; targets must be approved in Supervised mode as medium-risk writes").

Minor — cp/mv/ln classification confirmed correct

policy.rs:536 already has "touch" | "mkdir" | "mv" | "cp" | "ln" => true for medium-risk. The command_risk_level test in policy_tests.rs pins that. ✓

Minor — NEW_COMMANDS comment inaccuracy

/// These were added to the code default in PR #2500 but are absent from any
/// `config.toml` written before that change.
const NEW_COMMANDS: &[&str] = &[
    ..., "date", "dir", "type", "where", "findstr", "more",
];

date, dir, type, where, findstr, more appear without + in the autonomy.rs diff, meaning they were present before this PR. If they pre-date PR #2500 too, the comment is inaccurate. Functionally harmless (the additive guard prevents duplicates), but the comment will mislead future readers. Worth a quick git log -S '"date".into()' to verify — if they were there before PR #2500, update the comment to name the correct PR or say "may already be present in older configs; merge is a no-op if so."

What's correct

• Migration is additive-only (contains-check before every push) and fully idempotent. ✓
• Save-failure rollback (config.schema_version = previous_version; return;) prevents a half-applied migration from persisting a bumped version. ✓
• max_actions_per_hour bump is gated on exact equality with OLD_DEFAULT_MAX_ACTIONS_PER_HOUR = 20, so any deliberate customisation is preserved. ✓
• no_op_on_fresh_install_defaults correctly fires !stats.max_actions_bumped because Config::default() now initialises max_actions_per_hour = u32::MAX, not 20. ✓
• Migration integration tests (run_pending_expands_autonomy_defaults_from_v3, run_pending_v3_to_v4_preserves_custom_max_actions) confirm the end-to-end path including config.save(). ✓
• supervised_still_enforces_command_allowlist updated to reflect mkdir now being allow-listed. ✓
• CI green, no merge conflicts.

Resolve the file_write/edit_file auto-approve question and this is ready.

Resolved the issue : 9922974

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/migrations/expand_autonomy_defaults.rs`:
- Line 49: The change in expand_autonomy_defaults.rs only stops adding
file-write tools for new migrations but does not remove previously-granted
file_write/edit_file from workspaces already at schema_version == 4; add a new
migration (4→5) that scans workspaces with schema_version == 4 and removes or
re-gates the write-capability entries (file_write, edit_file) from their
autonomy/tool lists, implement this in the new migration module (e.g.,
migrate_v4_to_v5 with an apply_migration or run function) and ensure it targets
the same data structures modified by expand_autonomy_defaults.rs (autonomy/tool
config fields and any constants like NEW_AUTO_APPROVE_TOOLS), then add an
integration test that creates a workspace at schema_version 4 with
file_write/edit_file present and verifies the new migration strips them and
bumps schema_version to 5.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c9bef80-eaae-4d67-bbc2-1457c5f13d67

📥 Commits

Reviewing files that changed from the base of the PR and between 89a18fc and 9922974.

📒 Files selected for processing (3)

• src/openhuman/config/schema/autonomy.rs
• src/openhuman/migrations/expand_autonomy_defaults.rs
• src/openhuman/migrations/mod_tests.rs

💤 Files with no reviewable changes (1)

• src/openhuman/config/schema/autonomy.rs

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/migrations/expand_autonomy_defaults.rs (1)

80-102: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't widen intentionally restrictive v3 configs.

These loops add missing entries for every schema_version == 3 config, so a user who deliberately kept a narrower allowed_commands or auto_approve list still gets extra permissions here. That also changes prompt behavior for glob/grep, because ApprovalManager::needs_approval() skips prompts for anything in auto_approve. Please only expand when the persisted lists still match the legacy defaults (or at least haven't removed legacy entries), and add a regression test for a narrowed v3 config.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/migrations/expand_autonomy_defaults.rs` around lines 80 - 102,
The migration currently unconditionally adds NEW_COMMANDS and
NEW_AUTO_APPROVE_TOOLS to every schema_version == 3 config; change it to only
merge when the persisted lists still equal the legacy v3 defaults (or at least
contain all legacy entries) so deliberately-narrowed v3 configs are not
widened—check config.autonomy.allowed_commands and config.autonomy.auto_approve
against the legacy default sets before pushing NEW_* items, and leave them
untouched if the user removed legacy entries; update the migration logic around
the loops that reference NEW_COMMANDS/NEW_AUTO_APPROVE_TOOLS and
config.autonomy.allowed_commands/auto_approve, and add a regression test that
loads a narrowed v3 config (missing legacy defaults) and asserts the migration
does not add the new entries and that ApprovalManager::needs_approval() behavior
remains unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/openhuman/migrations/expand_autonomy_defaults.rs`:
- Around line 80-102: The migration currently unconditionally adds NEW_COMMANDS
and NEW_AUTO_APPROVE_TOOLS to every schema_version == 3 config; change it to
only merge when the persisted lists still equal the legacy v3 defaults (or at
least contain all legacy entries) so deliberately-narrowed v3 configs are not
widened—check config.autonomy.allowed_commands and config.autonomy.auto_approve
against the legacy default sets before pushing NEW_* items, and leave them
untouched if the user removed legacy entries; update the migration logic around
the loops that reference NEW_COMMANDS/NEW_AUTO_APPROVE_TOOLS and
config.autonomy.allowed_commands/auto_approve, and add a regression test that
loads a narrowed v3 config (missing legacy defaults) and asserts the migration
does not add the new entries and that ApprovalManager::needs_approval() behavior
remains unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ac96ede-dbf1-4b20-b418-b0c95624e73e

📥 Commits

Reviewing files that changed from the base of the PR and between 9922974 and 61fea55.

📒 Files selected for processing (5)

• src/openhuman/config/schema/autonomy.rs
• src/openhuman/migrations/expand_autonomy_defaults.rs
• src/openhuman/migrations/mod.rs
• src/openhuman/migrations/mod_tests.rs
• src/openhuman/migrations/remove_write_auto_approve.rs

[graycyrus]

Review — expand default allowed_commands and auto_approve (#2486)

Solid migration work. The additive-only merge logic is correct, idempotency is well-tested, and the v4→v5 rollback for write tools shows good follow-through on the CodeRabbit feedback.

One issue needs fixing before this can land.

Area	Files	Verdict
Config defaults	autonomy.rs	Clean — glob/grep additions are safe
Migration v3→v4	expand_autonomy_defaults.rs	Clean — additive merge, good guards
Migration v4→v5	remove_write_auto_approve.rs	Clean — strips write tools correctly
Migration wiring	mod.rs	Clean — sequential gating, proper rollback on save failure
Integration tests	mod_tests.rs	Clean — good coverage of v3→v5 path
Security policy	policy.rs	Clean — mirrors autonomy defaults correctly
Policy tests	policy_tests.rs	Bug — stale assertion, see inline

PR description also says "5 → 9 tools" but code shows 5 → 7 (glob + grep only). Worth updating to match.

done