feat(tools): pre-execution action verification plugin hook in tool pipeline (#1630)#1881
Merged
…Bench pattern, #1630)

Add PreExecutionVerifier trait to zeph-tools with two concrete verifiers integrated into the tool execution pipeline via ToolOrchestrator.

- PreExecutionVerifier trait with VerificationResult (Allow/Block/Warn)
- DestructiveCommandVerifier: blocks rm -rf /, dd, mkfs, fork bombs and similar commands; configurable shell_tools list (bash/shell/terminal); lexical path normalization for allowed_paths (no canonicalize needed); recursive sh -c unwrapping (max 8 levels) with env/exec prefix stripping; NFKC unicode normalization against homoglyph bypasses
- InjectionPatternVerifier: field-aware matching (skips query/text/content fields to prevent false positives); host-extracted SSRF detection via extract_url_host(); blocks SQL injection, command injection, path traversal
- Verifiers stored on ToolOrchestrator (not SecurityState); first Block wins
- Config: [security.pre_execution_verify] TOML section with enabled flag, per-verifier enable/disable, allowed_paths, shell_tools, extra_patterns
- CLI: --no-pre-execution-verify escape hatch with audit-level tracing log
- Metrics: pre_execution_blocks + pre_execution_warnings in MetricsSnapshot; SecurityEventCategory::PreExecutionBlock/Warn variants
- TUI: security panel shows verifier status and block/warn counters
- 37 unit tests covering all verifier scenarios and security fix regressions
Summary
Implements the PreExecutionVerifier plugin architecture from the TrustBench pattern (arXiv:2603.09157), extending Zeph's existing security pipeline with pre-execution tool call interception.
- `VerificationResult` (Allow / Block / Warn) stored on `ToolOrchestrator`
- `DestructiveCommandVerifier`: blocks `rm -rf /`, `dd`, `mkfs`, fork bombs, and other destructive shell commands; configurable `shell_tools` list and `allowed_paths`; recursive shell wrapper unwrapping (up to 8 levels); NFKC unicode normalization against homoglyph bypasses; lexical path normalization for `..` traversal prevention
- `InjectionPatternVerifier`: field-aware matching that skips `query`/`text`/`content` fields; host-extracted SSRF detection; blocks SQL injection, command injection, path traversal patterns
- `[security.pre_execution_verify]` TOML section with per-verifier enable/disable, `allowed_paths`, `shell_tools`, `extra_patterns`
- `--no-pre-execution-verify` escape hatch
- `pre_execution_blocks` / `pre_execution_warnings` counters, two new `SecurityEventCategory` variants

Known limitations (follow-up issues filed)
- `handle_native_tool_calls()` path

Test plan
- `cargo +nightly fmt --check` — clean
- `cargo clippy --workspace --features full -- -D warnings` — 0 warnings
- `cargo nextest run --workspace --features full --lib --bins` — 5877/5877 passed
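The following is an added illustration of the pipeline shape the PR describes, not code from this PR or from the Zeph repository. It sketches a `PreExecutionVerifier` trait with `Allow`/`Warn`/`Block` results, a cut-down `DestructiveCommandVerifier` that peels `env`/`exec`/`VAR=x` prefixes and nested `sh -c` wrappers (at most 8 levels), normalizes target paths lexically (no `canonicalize`) before checking them against `allowed_paths`, and an orchestrator in which the first `Block` wins. All type and function names, the sample `allowed_paths` value `/tmp/work`, and the pattern set are assumptions; NFKC normalization is left out because it would need the `unicode-normalization` crate.

```rust
// Added example, not Zeph's code. Names and the sample config are assumptions.
use std::path::{Component, Path, PathBuf};

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum VerificationResult {
    Allow,
    Warn(String),
    Block(String),
}

pub trait PreExecutionVerifier {
    fn verify(&self, tool: &str, args: &str) -> VerificationResult;
}

const MAX_UNWRAP_DEPTH: usize = 8;

/// Removes one layer of matching surrounding quotes, if present.
fn strip_quotes(s: &str) -> &str {
    let s = s.trim();
    for q in ['"', '\''] {
        if let Some(inner) = s.strip_prefix(q).and_then(|r| r.strip_suffix(q)) {
            return inner;
        }
    }
    s
}

/// Peels `env`/`exec`/`VAR=x` prefixes and `sh -c "..."` wrappers so that
/// patterns are matched on the command that would actually run.
pub fn unwrap_shell_wrappers(cmd: &str) -> String {
    let mut current = cmd.trim().to_string();
    for _ in 0..MAX_UNWRAP_DEPTH {
        let mut tokens: Vec<&str> = current.split_whitespace().collect();
        while let Some(first) = tokens.first() {
            let is_prefix = *first == "env" || *first == "exec"
                || (first.contains('=') && !first.starts_with('-'));
            if is_prefix { tokens.remove(0); } else { break; }
        }
        let is_shell = tokens.first().map_or(false, |t| {
            matches!(Path::new(t).file_name().and_then(|n| n.to_str()),
                     Some("sh" | "bash" | "dash" | "zsh"))
        });
        if is_shell && tokens.get(1) == Some(&"-c") && tokens.len() > 2 {
            let inner = tokens[2..].join(" ");
            current = strip_quotes(&inner).to_string();
        } else {
            return tokens.join(" ");
        }
    }
    current // depth limit reached: verify whatever is left rather than giving up
}

/// Lexical normalization: resolves `.` and `..` without touching the filesystem,
/// so `/tmp/work/../../etc` is checked as `/etc`.
pub fn normalize_lexically(p: &str) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in Path::new(p).components() {
        match comp {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

pub struct DestructiveCommandVerifier {
    pub shell_tools: Vec<String>,
    pub allowed_paths: Vec<PathBuf>,
}

impl DestructiveCommandVerifier {
    // Relative targets cannot be resolved lexically and are therefore treated as not allowed.
    fn is_allowed(&self, path: &Path) -> bool {
        path.is_absolute() && self.allowed_paths.iter().any(|root| path.starts_with(root))
    }
}

impl PreExecutionVerifier for DestructiveCommandVerifier {
    fn verify(&self, tool: &str, args: &str) -> VerificationResult {
        if !self.shell_tools.iter().any(|t| t == tool) {
            return VerificationResult::Allow; // only shell-capable tools are inspected
        }
        let cmd = unwrap_shell_wrappers(args);
        if cmd.contains(":(){") || cmd.contains(":|:&") {
            return VerificationResult::Block("fork bomb pattern".into());
        }
        let tokens: Vec<&str> = cmd.split_whitespace().collect();
        let Some(&prog) = tokens.first() else { return VerificationResult::Allow };
        let name = Path::new(prog).file_name().and_then(|n| n.to_str()).unwrap_or(prog);
        if name == "dd" || name.starts_with("mkfs") {
            return VerificationResult::Block(format!("{name} is never allowed"));
        }
        if name == "rm" {
            let recursive = tokens[1..].iter().any(|t| *t == "--recursive"
                || (t.starts_with('-') && !t.starts_with("--") && (t.contains('r') || t.contains('R'))));
            if !recursive { return VerificationResult::Allow; }
            for target in tokens[1..].iter().filter(|t| !t.starts_with('-')) {
                let path = normalize_lexically(target);
                if !self.is_allowed(&path) {
                    return VerificationResult::Block(format!("recursive rm of {} outside allowed_paths", path.display()));
                }
            }
            return VerificationResult::Warn("recursive rm inside allowed_paths".into());
        }
        VerificationResult::Allow
    }
}

pub struct ToolOrchestrator {
    pub verifiers: Vec<Box<dyn PreExecutionVerifier>>,
}

impl ToolOrchestrator {
    /// Runs every verifier: the first Block wins; otherwise the first Warn is surfaced.
    pub fn pre_execution_check(&self, tool: &str, args: &str) -> VerificationResult {
        let mut warning = None;
        for v in &self.verifiers {
            match v.verify(tool, args) {
                VerificationResult::Block(r) => return VerificationResult::Block(r),
                VerificationResult::Warn(m) => { warning.get_or_insert(m); }
                VerificationResult::Allow => {}
            }
        }
        warning.map_or(VerificationResult::Allow, VerificationResult::Warn)
    }
}

/// Constructed sample configuration (assumed values, not Zeph's defaults).
pub fn example_orchestrator() -> ToolOrchestrator {
    ToolOrchestrator {
        verifiers: vec![Box::new(DestructiveCommandVerifier {
            shell_tools: vec!["bash".into(), "shell".into(), "terminal".into()],
            allowed_paths: vec![PathBuf::from("/tmp/work")],
        })],
    }
}

fn main() {
    let orch = example_orchestrator();
    for args in ["ls -la", "rm -rf /tmp/work/build", "env X=1 exec sh -c 'rm -rf /tmp/work/../../etc'"] {
        println!("{args:?} -> {:?}", orch.pre_execution_check("bash", args));
    }
}
```

The point of normalizing lexically before the `allowed_paths` check is that `canonicalize` would fail on a target that does not exist yet and would follow symlinks the verifier never sees; the unwrap loop exists because a pattern check on the outer `sh -c` string alone sees only a quoted blob.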