Skip to content

Add locked shell environment + centralized shell dialect guard for Bash tool#281

Open
mmprotest wants to merge 22 commits into
mainfrom
mmprotest/implement-shell-normalization-for-command-execution
Open

Add locked shell environment + centralized shell dialect guard for Bash tool#281
mmprotest wants to merge 22 commits into
mainfrom
mmprotest/implement-shell-normalization-for-command-execution

Conversation

@mmprotest

Copy link
Copy Markdown
Owner

Motivation

  • Prevent the runner from emitting or executing commands that are invalid for the active shell by detecting and locking the shell once per session and enforcing a small, token-based dialect guard at execution time.
  • Implement a minimal, surgical set of high-frequency rewrites and conservative blocking to avoid broad command translation and keep behavior localized.

Description

  • Detect and lock shell environment once per Runner session via detect_shell_environment(...) and store it on Runner._shell_environment, capturing os_family, shell_family, shell_exe, and cwd.
  • Persist shell environment into session snapshots by adding shell_environment to SessionState and injecting it when SessionState is written (state_runtime._with_shell_environment).
  • Wire locked shell state through the tool execution path by passing runtime_state={"shell_environment": ...} from execute_tool_with_lifecycle(...) into execute_tool(...) and _run_bash(...) so the guard runs centrally prior to subprocess invocation.
  • Add a small shell helper layer in villani_code/shells.py providing ShellEnvironment, ShellCommandDecision, detect_shell_environment(...), and classify_and_rewrite_command(...) implementing simple token-based classification (allowed | needs_rewrite | blocked) and the minimal rewrite table:
    • cmd: rm <args> -> del /q <args>; grep pattern file -> findstr /n /c:"pattern" file; tail -n N file -> powershell -NoProfile -Command "Get-Content 'file' -Tail N".
    • powershell: grep pattern file -> Select-String -Pattern "pattern" file; tail -n N file -> Get-Content file -Tail N.
    • bash/zsh: leave native commands unchanged and conservatively block obvious cmd-only tokens.
  • Enforce the guard inside _run_bash(...) (in tools.py) so blocked commands are not executed and needs-rewrite commands are executed after rewrite; _run_bash(...) now returns structured results including classification and uses the rewritten command for execution.
  • When blocked, return compact structured payload JSON (compactness ensured via json.dumps(..., separators=(",",":"))) containing shell_family, classification=blocked, offending_pattern, short_reason, and optional suggested_equivalent.

Testing

  • Added focused tests in tests/test_shell_command_guard.py covering: env detection returns a shell_family; cmd rm rewrite; cmd grep rewrite; cmd tail rewrite; cmd heredoc is blocked; powershell grep rewrite; bash-native command allowed; blocked commands return compact structured feedback.
  • Ran python -m py_compile on the modified modules; compilation succeeded.
  • Ran pytest -q tests/test_shell_command_guard.py tests/test_villani_control_loop_fixes.py; all tests passed: 30 passed in 1.47s.

Codex Task

…command-classification

Tighten Windows cmd command guard and add short shell reminder
…covery-loop-in-runner

Bounded recovery loop for hard verification failures
…-based-completion-gating

Gate completion on active-solution validation and restrict full rewrites during recovery
…or-primary-execution-target

Pin recovery flow to a primary execution target
…-gate-for-failures

Add recovery gate: require direct validation of primary target before new executable artifacts are used
…ion-on-hard-failure

Arm live recovery on primary hard failures and block immediate sibling-target pivots
…d-detached-launch-in-cmd

Block unsafe Windows cmd detached-launch patterns and ignore errored validation artifacts
…ol-flow-for-long-tasks

Align live target/recovery control path with evidence-based execution contracts
…ts-for-runner-capability

Align live validation refresh, recovery context, and primary target contract seeding
@mmprotest mmprotest force-pushed the mmprotest/implement-shell-normalization-for-command-execution branch 2 times, most recently from d4c9f61 to a0654ac Compare April 12, 2026 04:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant