feat(tools): add per-turn ExecutionContext to ShellExecutor #3589
Merged
Add optional execution context (named environment, cwd, env overrides) to ToolCall so orchestrator DAG nodes can target different working directories and environment variable sets per turn without restarting a session.

Key changes:
- New ExecutionContext type (trusted/untrusted, name, cwd, env_overrides)
- ShellExecutor::resolve_context chokepoint with precedence: call-site > named registry > skill env > process default
- validate_sandbox_with_cwd: ancestor-walk for non-existent paths, rejects traversal without std::path::absolute fallback
- Speculative cache HandleKey gains context_hash to prevent cross-env result reuse in parallel subagent scenarios
- TaskNode::execution_environment wired through scheduler_loop to native tool dispatch
- Background path uses spawn_background_with_context with pre-resolved env
- AuditEntry::resolved_cwd changed to Option<String> (BREAKING)
- env_blocklist applied to final merged env for untrusted contexts
- Tracing spans: tools.shell.resolve_context, tool.shell.execute_block, tool.shell.execute_tool_call
- New [execution] config section with [[execution.environments]] registry
- 18 unit tests covering CWD resolution, sandbox, blocklist, trust model

Closes #3572
fcc96c5 to 4fd2d47
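Summary
- `ExecutionContext` (named environment, cwd, env_overrides, trusted flag) to `ToolCall` so each DAG subtask can target a different working directory and env set without restarting the session
- `ShellExecutor::resolve_context` is the single dispatch chokepoint with explicit precedence: call-site > named registry > skill env > process default
- `HandleKey` gains `context_hash` to prevent cross-environment result reuse in parallel subagent scenarios
- `validate_sandbox_with_cwd` uses ancestor-walk for not-yet-created paths and rejects `..` traversal without unsafe `std::path::absolute` fallback (security fix)
- `env_blocklist` applied to final merged env for untrusted contexts (prefix-match, not exact-match)
- `[execution]` config section with `[[execution.environments]]` named registry

Breaking changes
- `AuditEntry::resolved_cwd` changed from `String` to `Option<String>` with `skip_serializing_if` — non-shell tool producers now emit `null` instead of `""`

Test plan
- `cargo +nightly fmt --check` — clean
- `cargo clippy --all-targets --workspace -- -D warnings` — clean
- `cargo nextest run --config-file .github/nextest.toml --workspace --lib --bins` — 8719 passed
- `allowed/../../etc/shadow` rejected)
- `cargo run --features full -- --config .local/config/testing.toml` (LLM serialization gate — required before merge per branching.md)

Closes #3572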
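The ancestor-walk check described in the summary, sketched as an added example (not code from this pull request or the project). The function name `validate_in_sandbox`, its signature and the sample paths are assumptions; `cwd` is assumed to be absolute and already trusted.

```rust
use std::ffi::OsStr;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper, not the project's `validate_sandbox_with_cwd`.
/// Returns the resolved path if `candidate` (relative to `cwd`) stays inside `root`.
fn validate_in_sandbox(root: &Path, cwd: &Path, candidate: &Path) -> io::Result<PathBuf> {
    let deny = |why: &str| io::Error::new(io::ErrorKind::PermissionDenied, why.to_string());

    // 1. Reject `..` lexically; never "normalize" it away on a path that may not exist.
    if candidate.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err(deny("parent-directory traversal"));
    }
    let root = root.canonicalize()?;
    let joined = cwd.join(candidate); // an absolute candidate replaces cwd entirely

    // 2. Ancestor walk: strip trailing components until something exists on disk.
    //    symlink_metadata() does not follow links, so a dangling symlink counts as
    //    existing and then fails canonicalize() below instead of being skipped.
    let mut existing: &Path = &joined;
    let mut tail: Vec<&OsStr> = Vec::new();
    while existing.symlink_metadata().is_err() {
        tail.push(existing.file_name().ok_or_else(|| deny("no existing ancestor"))?);
        existing = existing.parent().ok_or_else(|| deny("no existing ancestor"))?;
    }

    // 3. Resolve symlinks in the existing ancestor and check containment there.
    let mut resolved = existing.canonicalize()?;
    if !resolved.starts_with(&root) {
        return Err(deny("path escapes sandbox root"));
    }
    // 4. Re-attach the not-yet-created components (plain names only, see step 1).
    resolved.extend(tail.into_iter().rev());
    Ok(resolved)
}

fn main() {
    // Constructed inputs; the second is the traversal case from the test plan.
    let root = std::env::current_dir().expect("cwd");
    for p in ["allowed/new/out.txt", "allowed/../../etc/shadow"] {
        println!("{p}: {:?}", validate_in_sandbox(&root, &root, Path::new(p)));
    }
}
```

Checking containment on the canonicalized existing ancestor is what catches a symlink inside the sandbox that points outside it, even when the final path component has not been created yet.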
cargo +nightly fmt --check— cleancargo clippy --all-targets --workspace -- -D warnings— cleancargo nextest run --config-file .github/nextest.toml --workspace --lib --bins— 8719 passedallowed/../../etc/shadowrejected)cargo run --features full -- --config .local/config/testing.toml(LLM serialization gate — required before merge per branching.md)Closes #3572