fix(permissions): align monitor + propagate warnings to ACP/non-interactive (#4386 review)

LaZzyMan · LaZzyMan · commit 7bb420562221 · 2026-05-21T19:52:51.000+08:00
Addresses round-2 review findings from wenshao on PR #4386. Four related findings, all about sibling drift from the original #4093 fix: either the same hard-deny-on-substitution pattern in a sibling tool, or downstream consumers that don't propagate the new warnings field. 1. monitor.ts: `MonitorToolInvocation.getDefaultPermission()` had the identical `detectCommandSubstitution → 'deny'` pattern that the original PR removed from `PermissionManager.resolveDefaultPermission` — sibling drift the original audit missed. Same UX problems apply (YOLO unbypassable, opaque deny). Removed the deny branch, added the substitution warning in `getConfirmationDetails` (mirroring ShellToolInvocation), updated the 5 existing tests that asserted the old 'deny' to assert 'ask', and added a confirmation-warning test for the issue #4093 mirror case. Monitor still maintains its separate permission boundary (Monitor(...) rules don't share with Bash(...) — documented in the unchanged comment at the top of getConfirmationDetails); only the substitution-deny half is removed. 2. ACP `buildPermissionRequestContent` (permissionUtils.ts): had no `exec` branch, so the new `warnings` field never reached ACP clients (IDE integrations etc.). Added an `exec` branch that emits one `⚠ <warning>` text content per warning, alongside the existing `edit` (diff) and `plan` (text) branches. Two regression tests added: warning present → ⚠ content entry; no warnings → empty. 3. Non-interactive `permissionController.buildPermissionSuggestions`: the `case 'exec'` description string didn't read `warnings`, so daemon/API consumers that delegate the approval decision back to a user lost the substitution context. Appended warnings as a parenthesized `⚠ ...` suffix to the description string. (No test file exists for this controller — change is small and verifiable by inspection; adding test scaffolding is out of scope for this round.) 4. Test coverage: the `command substitution (issue #4093)` describe blocks in `shell.test.ts` and `permission-manager.test.ts` covered `$()`, backticks, and `<()` but not `>()` — even though `detectCommandSubstitution` and the warning text both list it. Added a `>()` case to each block to close the regression gap.
diff --git a/packages/cli/src/acp-integration/session/permissionUtils.test.ts b/packages/cli/src/acp-integration/session/permissionUtils.test.ts
@@ -6,7 +6,10 @@
 
 import { describe, expect, it } from 'vitest';
 import { ToolConfirmationOutcome } from '@qwen-code/qwen-code-core';
-import { toPermissionOptions } from './permissionUtils.js';
+import {
+  buildPermissionRequestContent,
+  toPermissionOptions,
+} from './permissionUtils.js';
 
 describe('permissionUtils', () => {
   describe('toPermissionOptions', () => {
@@ -94,4 +97,46 @@ describe('permissionUtils', () => {
       );
     });
   });
+
+  // Regression coverage for #4386 review: shell commands flagged with a
+  // command-substitution warning should propagate that warning into the
+  // ACP content channel so IDE clients can surface it. Without this,
+  // IDE users approving substitution commands would see no hint.
+  describe('buildPermissionRequestContent', () => {
+    it('emits ⚠ content entries for each exec warning', () => {
+      const content = buildPermissionRequestContent({
+        type: 'exec',
+        title: 'Confirm Shell Command',
+        command: 'python3 -c "print($(echo hello))"',
+        rootCommand: 'python3',
+        warnings: [
+          'Contains command substitution ($(...), backticks, <(...), or >(...)).',
+        ],
+        onConfirm: async () => undefined,
+      });
+
+      expect(content).toHaveLength(1);
+      expect(content[0]).toMatchObject({
+        type: 'content',
+        content: { type: 'text' },
+      });
+      const node = content[0] as {
+        type: 'content';
+        content: { type: 'text'; text: string };
+      };
+      expect(node.content.text).toMatch(/^⚠ .*command substitution/);
+    });
+
+    it('emits no content for exec confirmations without warnings', () => {
+      const content = buildPermissionRequestContent({
+        type: 'exec',
+        title: 'Confirm Shell Command',
+        command: 'npm install',
+        rootCommand: 'npm',
+        onConfirm: async () => undefined,
+      });
+
+      expect(content).toEqual([]);
+    });
+  });
 });
diff --git a/packages/cli/src/acp-integration/session/permissionUtils.ts b/packages/cli/src/acp-integration/session/permissionUtils.ts
@@ -92,6 +92,22 @@ export function buildPermissionRequestContent(
     });
   }
 
+  // Propagate informational warnings (e.g. command substitution detected
+  // in a shell command — see #4093) so ACP clients can surface them when
+  // prompting the user for approval. The tool input itself is already
+  // visible to the host, so we only emit the new warning channel here.
+  if (confirmation.type === 'exec' && confirmation.warnings?.length) {
+    for (const warning of confirmation.warnings) {
+      content.push({
+        type: 'content',
+        content: {
+          type: 'text',
+          text: `⚠ ${warning}`,
+        },
+      });
+    }
+  }
+
   return content;
 }
 
diff --git a/packages/cli/src/nonInteractive/control/controllers/permissionController.ts b/packages/cli/src/nonInteractive/control/controllers/permissionController.ts
@@ -263,19 +263,36 @@ export class PermissionController extends BaseController {
     const confirmationType = type as ToolConfirmationType;
 
     switch (confirmationType) {
-      case 'exec': // ToolExecuteConfirmationDetails
+      case 'exec': {
+        // ToolExecuteConfirmationDetails. Propagate any informational
+        // warnings (e.g. command substitution flagged by the shell tool
+        // — see #4093) into the suggestion description so daemon/API
+        // consumers can surface them to the end-user when prompting
+        // for approval. Mitigated by auto-deny in non-interactive
+        // default mode, but matters for hosts that delegate the choice
+        // back to a user.
+        const warnings = Array.isArray(details['warnings'])
+          ? (details['warnings'] as unknown[]).filter(
+              (w): w is string => typeof w === 'string',
+            )
+          : [];
+        const warningSuffix =
+          warnings.length > 0
+            ? ` (${warnings.map((w) => `⚠ ${w}`).join('; ')})`
+            : '';
         return [
           {
             type: 'allow',
             label: 'Allow Command',
-            description: `Execute: ${details['command']}`,
+            description: `Execute: ${details['command']}${warningSuffix}`,
           },
           {
             type: 'deny',
             label: 'Deny',
             description: 'Block this command execution',
           },
         ];
+      }
 
       case 'edit': // ToolEditConfirmationDetails
         return [
diff --git a/packages/core/src/permissions/permission-manager.test.ts b/packages/core/src/permissions/permission-manager.test.ts
@@ -1058,6 +1058,15 @@ describe('PermissionManager', () => {
         ).toBe('ask');
       });
 
+      it('returns ask for >() output process substitution', async () => {
+        expect(
+          await pm.evaluate({
+            toolName: 'run_shell_command',
+            command: 'echo data > >(tee log.txt)',
+          }),
+        ).toBe('ask');
+      });
+
       it('still honors explicit deny rules over substitution-bearing commands', async () => {
         // The 'ask' from substitution must never downgrade a real deny rule.
         expect(
diff --git a/packages/core/src/tools/monitor.test.ts b/packages/core/src/tools/monitor.test.ts
@@ -416,44 +416,49 @@ describe('MonitorTool', () => {
   });
 
   describe('getDefaultPermission', () => {
-    it('denies command substitution before confirmation', async () => {
+    // Command substitution previously returned 'deny' here. Per #4093 it
+    // now falls through to 'ask' (matching ShellToolInvocation and
+    // PermissionManager.resolveDefaultPermission); the substitution
+    // warning is surfaced via getConfirmationDetails. YOLO mode can now
+    // override the prompt; before this change it could not.
+    it('asks for command substitution before confirmation', async () => {
       const invocation = createInvocation({
         command: 'echo $(cat secret.txt)',
       });
 
-      await expect(invocation.getDefaultPermission()).resolves.toBe('deny');
+      await expect(invocation.getDefaultPermission()).resolves.toBe('ask');
     });
 
-    it('denies command substitution inside explicit shell wrappers', async () => {
+    it('asks for command substitution inside explicit shell wrappers', async () => {
       const invocation = createInvocation({
         command: `/bin/bash -c 'echo $(cat secret.txt)'`,
       });
 
-      await expect(invocation.getDefaultPermission()).resolves.toBe('deny');
+      await expect(invocation.getDefaultPermission()).resolves.toBe('ask');
     });
 
-    it('denies command substitution inside wrapped scripts with argv suffixes', async () => {
+    it('asks for command substitution inside wrapped scripts with argv suffixes', async () => {
       const invocation = createInvocation({
         command: `/bin/bash -c 'echo $(cat secret.txt)' ignored`,
       });
 
-      await expect(invocation.getDefaultPermission()).resolves.toBe('deny');
+      await expect(invocation.getDefaultPermission()).resolves.toBe('ask');
     });
 
-    it('denies command substitution inside quoted env-prefixed wrappers', async () => {
+    it('asks for command substitution inside quoted env-prefixed wrappers', async () => {
       const invocation = createInvocation({
         command: `FOO="bar baz" /bin/bash -c 'echo $(cat secret.txt)'`,
       });
 
-      await expect(invocation.getDefaultPermission()).resolves.toBe('deny');
+      await expect(invocation.getDefaultPermission()).resolves.toBe('ask');
     });
 
-    it('denies command substitution inside env-prefix assignments', async () => {
+    it('asks for command substitution inside env-prefix assignments', async () => {
       const invocation = createInvocation({
         command: `FOO=$(cat secret.txt) /bin/bash -c 'echo ok'`,
       });
 
-      await expect(invocation.getDefaultPermission()).resolves.toBe('deny');
+      await expect(invocation.getDefaultPermission()).resolves.toBe('ask');
     });
 
     it('allows read-only monitor commands by default', async () => {
@@ -464,6 +469,17 @@ describe('MonitorTool', () => {
 
       await expect(invocation.getDefaultPermission()).resolves.toBe('allow');
     });
+
+    it('surfaces a command-substitution warning via getConfirmationDetails (issue #4093)', async () => {
+      const invocation = createInvocation({
+        command: 'echo $(cat secret.txt)',
+      });
+      const details = (await invocation.getConfirmationDetails(
+        new AbortController().signal,
+      )) as { warnings?: string[] };
+
+      expect(details.warnings?.[0]).toMatch(/command substitution/i);
+    });
   });
 
   describe('validation', () => {
diff --git a/packages/core/src/tools/monitor.ts b/packages/core/src/tools/monitor.ts
@@ -171,10 +171,18 @@ class MonitorToolInvocation extends BaseToolInvocation<
       this.params.command,
     ).safetyCommand;
 
-    if (detectCommandSubstitution(command)) {
-      return 'deny';
-    }
-
+    // Command substitution ($(), ``, <(), >()) is NOT a hard deny here —
+    // it falls through to 'ask' along with every other non-read-only
+    // command, so the user (or YOLO mode) can decide. The user-facing
+    // warning is surfaced by getConfirmationDetails below so the
+    // confirmation prompt still flags the substitution clearly. This
+    // mirrors the same reasoning applied to ShellToolInvocation and
+    // PermissionManager.resolveDefaultPermission in #4093: a hard deny
+    // here (a) cannot be overridden by YOLO and (b) was inconsistent
+    // with the shell-tool path. Monitor still maintains a separate
+    // permission boundary (Monitor(...) rules don't share with
+    // Bash(...) — see comment in getConfirmationDetails); only the
+    // substitution-deny half is removed.
     try {
       const isReadOnly = await isShellCommandReadOnlyAST(command);
       if (isReadOnly) {
@@ -246,7 +254,24 @@ class MonitorToolInvocation extends BaseToolInvocation<
       permissionRules = [`Monitor(${normalized.safetyCommand})`];
     }
 
-    return {
+    // Flag command substitution ($(), backticks, <(), >()) so the user
+    // sees a visible warning in the confirmation dialog. Mirrors the
+    // pattern in ShellToolInvocation.getConfirmationDetails — see #4093
+    // for why we surface this as a warning rather than denying outright.
+    // Checked against both the normalized safety command and the
+    // original params.command so wrappers like `bash -c "..."` still
+    // trigger the warning.
+    const warnings: string[] = [];
+    if (
+      detectCommandSubstitution(normalized.safetyCommand) ||
+      detectCommandSubstitution(this.params.command)
+    ) {
+      warnings.push(
+        'Contains command substitution ($(...), backticks, <(...), or >(...)).',
+      );
+    }
+
+    const confirmationDetails: ToolExecuteConfirmationDetails = {
       type: 'exec',
       title: 'Monitor',
       command: normalized.spawnCommand,
@@ -258,7 +283,11 @@ class MonitorToolInvocation extends BaseToolInvocation<
         _outcome: ToolConfirmationOutcome,
         _payload?: ToolConfirmationPayload,
       ) => {},
-    } satisfies ToolExecuteConfirmationDetails;
+    };
+    if (warnings.length > 0) {
+      confirmationDetails.warnings = warnings;
+    }
+    return confirmationDetails;
   }
 
   async execute(_signal: AbortSignal): Promise<ToolResult> {
diff --git a/packages/core/src/tools/shell.test.ts b/packages/core/src/tools/shell.test.ts
@@ -5011,6 +5011,18 @@ describe('ShellTool', () => {
         expect(details.warnings?.[0]).toMatch(/command substitution/i);
       });
 
+      it('surfaces a warning for >() output process substitution', async () => {
+        const invocation = shellTool.build({
+          command: 'echo data > >(tee log.txt)',
+          is_background: false,
+        });
+        const details = (await invocation.getConfirmationDetails(
+          new AbortController().signal,
+        )) as { warnings?: string[] };
+
+        expect(details.warnings?.[0]).toMatch(/command substitution/i);
+      });
+
       it('does not set warnings on commands without substitution', async () => {
         const invocation = shellTool.build({
           command: 'npm install',
