fix(core): invert requires_confirmation_erased default to prevent unsafe speculative dispatch

[bug-ops]

Description

Security audit of PR #3640 found that ErasedToolExecutor::requires_confirmation_erased has a default implementation returning false (line 738 of executor.rs). The speculation engine's try_dispatch uses this method as a gate: if requires_confirmation_erased returns false, the tool is allowed to dispatch speculatively without confirmation.

This is an unsafe-by-default pattern: future executors that opt into is_tool_speculatable_erased (return true) but forget to also implement requires_confirmation_erased will silently bypass the confirmation policy.

Current Risk

Low — no executor currently returns true for is_tool_speculatable_erased for destructive tools. The risk is forward-looking.

Recommended Fix

Option A: Invert the default — requires_confirmation_erased defaults to true, requiring executors to explicitly opt out.

Option B: Add a trait-level contract in the doc comment: implementors that return true for is_tool_speculatable_erased MUST explicitly implement requires_confirmation_erased.

Option A is safer and preferred.

Files

• crates/zeph-tools/src/executor.rs — ErasedToolExecutor trait default impl

Depends on

#3636 (merged in PR #3640)

[bug-ops]

Static Analysis — CI-700 Security Deep-Dive

Analyst: rust-live-tester (CI-700, 2026-05-06)
HEAD: 02a6f354

---

Finding Summary

The issue description is accurate. ErasedToolExecutor::requires_confirmation_erased defaults to false at line 738 of crates/zeph-tools/src/executor.rs. The speculation engine's try_dispatch (line 213 of crates/zeph-core/src/agent/speculative/mod.rs) uses this as a gate: when the method returns false, the tool is dispatched speculatively without user confirmation.

How the gate works today (code trace)

SpeculationEngine::try_dispatch (speculative/mod.rs:197)
  ├─ guard 1: trust_level != Trusted → return false  (line 198)
  ├─ guard 2: !is_tool_speculatable_erased(tool_id) → return false  (line 203)
  └─ guard 3: requires_confirmation_erased(&call) → return false  (line 213)
              if guard 3 passes (returns false) → dispatch executes

Which executors currently implement requires_confirmation / is_tool_speculatable?

Searching the entire workspace for fn requires_confirmation (non-erased variant on ToolExecutor) yields zero results. Only the erased default exists.

Searching for fn is_tool_speculatable (non-erased, on ToolExecutor) yields these explicit overrides returning true:

• crates/zeph-tools/src/compression/decorator.rs:238 — test mock, _tool_id: &str → true
• crates/zeph-core/src/agent/speculative/mod.rs:358 — test mock AlwaysOkExecutor, _: &str → true

Neither test mock implements requires_confirmation. They both fall through to the default (false), so they are pre-approved for speculative dispatch. For test executors that only return Ok(None) this is harmless. However, the pattern demonstrates the problem: a real executor could do the same inadvertently.

The TrustGateExecutor (the only production executor with a confirmation concept — it raises ToolError::ConfirmationRequired at runtime) also does not override requires_confirmation (trust_gate.rs lines 146–236). It only enforces confirmation at execution time, not at query time. This means:

1. requires_confirmation_erased returns false for TrustGateExecutor<T>.
2. is_tool_speculatable_erased returns false for TrustGateExecutor<T> (inherited default).
3. Therefore today, TrustGateExecutor-wrapped tools are already protected from speculation — but only because they do not opt into speculatability, not because the confirmation gate fires.

Actual security gap

The gap is forward-looking (confirmed by the issue author). The scenario:

struct MyReadOnlyExecutor { /* read-only, but also enforces confirm_patterns */ }

impl ToolExecutor for MyReadOnlyExecutor {
    fn is_tool_speculatable(&self, _: &str) -> bool { true }   // author remembers this
    // fn requires_confirmation(&self, call: &ToolCall) -> bool — FORGOTTEN
    // → defaults to false → speculation bypasses the confirmation check
}

A future author who implements a speculatable executor and forgets requires_confirmation will silently allow speculative dispatch of tools that should prompt the user. The current default of false is an unsafe-by-default posture.

Recommended fix (Option A from issue)

Invert the default in ErasedToolExecutor:

// executor.rs:738 — CHANGE from false to true
fn requires_confirmation_erased(&self, _call: &ToolCall) -> bool {
    true   // safe-by-default: callers must opt out, not opt in
}

Also invert the corresponding default in the ToolExecutor trait if one exists (confirm: searching the trait… the ToolExecutor trait does not have a requires_confirmation method — it only exists on ErasedToolExecutor). Adding a mirrored method with a safe default to ToolExecutor as well would make the API self-consistent and allow the blanket impl to forward it.

Cascading impact of inverting the default:

If default becomes true, the two test mocks (AlwaysOkExecutor in speculative/mod.rs, compression/decorator.rs mock) that currently pass the confirmation gate will now fail it. Their try_dispatch will return false (skipped_confirmation) instead of dispatching. Tests that assert dispatched == true will break. These test executors must add:

fn requires_confirmation(&self, _call: &ToolCall) -> bool { false }

This is intentional and desirable: it forces every is_tool_speculatable = true implementation to explicitly declare its confirmation policy.

Affected files

File	Line	Change needed
crates/zeph-tools/src/executor.rs	738	Invert default to true; update doc comment
crates/zeph-core/src/agent/speculative/mod.rs	358	Add fn requires_confirmation(&self, _: &ToolCall) -> bool { false } to AlwaysOkExecutor
crates/zeph-tools/src/compression/decorator.rs	238	Same for test mock if is_tool_speculatable returns true

Test coverage gap

There is no test that verifies try_dispatch returns false when requires_confirmation_erased returns true for a speculatable executor. The existing test dispatch_and_commit_succeeds exercises the happy path but not the confirmation gate. A dedicated test should be added:

#[tokio::test]
async fn speculative_skip_when_confirmation_required() {
    struct ConfirmationRequiredExecutor;
    impl ToolExecutor for ConfirmationRequiredExecutor {
        // ...
        fn is_tool_speculatable(&self, _: &str) -> bool { true }
        fn requires_confirmation(&self, _: &ToolCall) -> bool { true }
    }
    // assert engine.try_dispatch returns false
}

Severity assessment

• Current risk: Low — as stated in the issue, no production executor currently returns true for is_tool_speculatable while relying on the default false for confirmation.
• Forward risk: High — the pattern is a trap that will silently bypass the confirmation policy for the next developer who adds a speculatable executor without reading the full ErasedToolExecutor trait docs.
• Fix cost: Minimal — 1 line change + 2–3 test executor additions + 1 new test case.
• Recommendation: P2 priority stands; fix before next speculatable executor is added to production.