feat(sandbox): gate outside-sandbox file access through an approval modal #696
Merged
…odal Filesystem tools now route any absolute-system path that escapes the project sandbox (`/Users/foo`, `/etc/...`, `C:\Users\...`) through a new PathConfirm modal: allow once / always allow this directory / deny. Mirrors the existing run_command flow — a shared PauseGate kind `path_access`, a per-project `pathAllowed` list persisted in ~/.reasonix/config.json, and a session-scoped run-once cache so follow-up reads under an approved directory don't re-prompt. Closes #684
esengine added a commit that referenced this pull request May 12, 2026
…il, CardStream fix (#705)
npm-only release. The Tauri desktop source is in the repo and the CLI subcommand works, but installer bundles for macOS / Windows / Linux don't ship this round (separate release once signing's settled).
Highlights:
- Tauri desktop client with multi-tab concurrent runtimes (#689) plus a near-full polish pass: wallet balance, version chip, active-plan rail, abortable pause-gates, edit-gate pill, en + zh-CN i18n, shared pause-policy module dedup'd with the CLI TUI (#701)
- checkpoint API + git-changes panel in the embedded dashboard (#682)
- outside-sandbox file access approval modal (#696)
- MCP loading pill + readiness gate on tool dispatch (#687)
- escalate-after flag for flash → pro threshold (#699)
Fixes:
- CardStream Maximum-update-depth crash, quantize window so boundary cards stop oscillating (#700, #702)
- `reasonix code` bridges config key to env + lazy subagent client so fresh installs can reach the setup wizard (#703)
- pinned-mode scroll shrinks coalesced (#666), generic CSI key decode (#692), shell-confirm preview clamp (#691), frontmatter BOM/folded lines (#690), MCP error classification (#688), and more
ChasLui pushed a commit to ChasLui/DeepSeek-Reasonix that referenced this pull request May 23, 2026
…odal (esengine#696) Filesystem tools now route any absolute-system path that escapes the project sandbox (`/Users/foo`, `/etc/...`, `C:\Users\...`) through a new PathConfirm modal: allow once / always allow this directory / deny. Mirrors the existing run_command flow — a shared PauseGate kind `path_access`, a per-project `pathAllowed` list persisted in ~/.reasonix/config.json, and a session-scoped run-once cache so follow-up reads under an approved directory don't re-prompt. Closes esengine#684
ChasLui pushed a commit to ChasLui/DeepSeek-Reasonix that referenced this pull request May 23, 2026
…il, CardStream fix (esengine#705)
npm-only release. The Tauri desktop source is in the repo and the CLI subcommand works, but installer bundles for macOS / Windows / Linux don't ship this round (separate release once signing's settled).
Highlights:
- Tauri desktop client with multi-tab concurrent runtimes (esengine#689) plus a near-full polish pass: wallet balance, version chip, active-plan rail, abortable pause-gates, edit-gate pill, en + zh-CN i18n, shared pause-policy module dedup'd with the CLI TUI (esengine#701)
- checkpoint API + git-changes panel in the embedded dashboard (esengine#682)
- outside-sandbox file access approval modal (esengine#696)
- MCP loading pill + readiness gate on tool dispatch (esengine#687)
- escalate-after flag for flash → pro threshold (esengine#699)
Fixes:
- CardStream Maximum-update-depth crash, quantize window so boundary cards stop oscillating (esengine#700, esengine#702)
- `reasonix code` bridges config key to env + lazy subagent client so fresh installs can reach the setup wizard (esengine#703)
- pinned-mode scroll shrinks coalesced (esengine#666), generic CSI key decode (esengine#692), shell-confirm preview clamp (esengine#691), frontmatter BOM/folded lines (esengine#690), MCP error classification (esengine#688), and more
Summary
Adds an approval-gated escape hatch from the project sandbox, so the model can read/write files outside the `reasonix code --dir` root after the user explicitly approves — mirroring what `run_command` already does for shell allowlists.
When a filesystem tool resolves a path that escapes the sandbox:
- `safePath` now distinguishes "sandbox-relative model convention" (`/src/foo.ts`, `../escape`) from "absolute system path the user might actually want" (`/Users/foo/...`, `/etc/...`, `C:\Users\...`). The former still throws as before; the latter routes to the gate.
- `path_access` PauseGate kind blocks the tool until the user resolves the modal.
- `projects[root].pathAllowed` in `~/.reasonix/config.json`. Subsequent sessions skip the prompt.
- `user denied access to <path>` (with optional context via Tab).
Mirror of the shell-allowlist machinery: same `ConfirmationChoice` shape, same per-project persistence shape, same Tab-to-add-context UX, same audit semantics.
Safety property preserved: without a gate listener (i.e. headless / non-interactive contexts), outside-sandbox paths still refuse rather than silently succeed.
Closes #684
Test plan
- `tests/filesystem-outside-sandbox.test.ts` — 8 cases: gate dispatched with right payload, deny throws, run_once dedups follow-up reads, relative escape still refused, `/src/foo.ts` convention preserved, write_file routes with intent=write, Windows drive-letter routing, allowlist exposed.
- `tests/config.test.ts` — pathAllowed CRUD + coexistence with shellAllowed on the same project entry.
- `tests/filesystem-tools.test.ts` — replaced the legacy "POSIX-absolute remaps into sandbox" assertion with the new "no escape without consent" one + kept the `/<sandbox-relative>` model-convention case.
- `npx vitest run` — 2681 passed / 2 skipped (174 → 175 files)
- `npm run lint` — clean
- `npm run typecheck` — clean
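A sketch of the gate decision described in the summary above, added here as an example and not taken from the Reasonix source. `PathAccess`, `Gate`, `Choice`, `isUnder` and the choice strings are hypothetical names; the gate is synchronous for brevity, only POSIX paths are handled, and approving the file's parent directory is an assumption.

```typescript
// Added example; every name here is hypothetical, not Reasonix source.
type Choice = "run_once" | "always_allow" | "deny";
type Intent = "read" | "write";
type Gate = (req: { path: string; intent: Intent }) => Choice;

// Collapse "." and ".." lexically (POSIX only; symlinks are NOT resolved here).
function normalize(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Match on a segment boundary so approving /Users/foo never covers /Users/foobar.
function isUnder(dir: string, p: string): boolean {
  const d = normalize(dir);
  const n = normalize(p);
  return d === "/" || n === d || n.startsWith(d + "/");
}

class PathAccess {
  root: string;
  pathAllowed: string[];          // stands in for the persisted per-project list
  sessionAllowed: string[] = [];  // run-once cache, discarded with the session
  gate: Gate | undefined;         // undefined models a headless run

  constructor(root: string, pathAllowed: string[], gate?: Gate) {
    this.root = root;
    this.pathAllowed = pathAllowed;
    this.gate = gate;
  }

  // Returns the normalized path or throws; no branch falls through to "allow".
  check(p: string, intent: Intent): string {
    const n = normalize(p);
    if (isUnder(this.root, n)) return n;
    const approved = [...this.pathAllowed, ...this.sessionAllowed];
    if (approved.some((d) => isUnder(d, n))) return n;
    if (!this.gate) throw new Error(`outside sandbox, no gate listener: ${n}`);
    const choice = this.gate({ path: n, intent });
    if (choice === "deny") throw new Error(`user denied access to ${n}`);
    // Assumption: approval covers the file's parent directory, never "/" itself.
    const dir = n.slice(0, n.lastIndexOf("/")) || "/";
    const list = choice === "always_allow" ? this.pathAllowed : this.sessionAllowed;
    if (dir !== "/") list.push(dir);
    return n;
  }
}
```

Lexical normalization does not follow symlinks, so a production check would compare resolved real paths before consulting either allowlist.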