Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ src/ai_company/
providers/ # LLM provider abstraction (LiteLLM adapter)
security/ # SecOps agent, approval gates, audit
templates/ # Pre-built company templates and builder
tools/ # Tool registry, MCP integration, role-based access, sandboxing
tools/ # Tool registry, built-in git tools, MCP integration, role-based access, sandboxing
```

## Shell Usage
Expand Down
5 changes: 4 additions & 1 deletion DESIGN_SPEC.md
Original file line number Diff line number Diff line change
Expand Up @@ -1649,6 +1649,8 @@ When the LLM requests multiple tool calls in a single turn, `ToolInvoker.invoke_

The `ToolPermissionChecker` resolves permissions using a priority-based system: denied list (highest) → allowed list → access-level categories → deny (default). `AgentEngine._make_tool_invoker()` creates a permission-aware invoker from the agent's `ToolPermissions` at the start of each `run()` call. Note: M3 implements category-level gating only; the granular sub-constraints described in §11.2 (workspace scope, network mode) are planned for when sandboxing is implemented.

> **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), and URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax). All tools return `ToolExecutionResult` for errors rather than raising exceptions.

Copilot AI Mar 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DESIGN_SPEC claims GIT_PROTOCOL_FROM_USER=0 is set to restrict the protocol attack surface, but this environment variable is not actually set in the _run_git() env dict in git_tools.py (lines 182-186). Either the code or the documentation should be updated to be consistent.

Copilot uses AI. Check for mistakes.

Copilot AI Mar 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documented behavior for GitCloneTool (allowing clone URLs with any host over https://, http://, ssh://, git://, and SCP-like syntax) enables server-side request forgery (SSRF) when the URL is controlled by the tool caller. Even with scheme validation and file:///ext:: blocked, an attacker can pass URLs such as http://127.0.0.1:8080/... or http://169.254.169.254/... to make the agent issue HTTP/SSH requests to internal services from its network context. The clone tool should restrict remote hosts to a configured allowlist (or explicitly block loopback, link-local, and private network ranges) to prevent abuse for internal network probing or metadata endpoint access.

Suggested change
> **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), and URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax). All tools return `ToolExecutionResult` for errors rather than raising exceptions.
> **M3 implementation note — Built-in git tools:** Six workspace-scoped git tools are implemented in `tools/git_tools.py`: `GitStatusTool`, `GitLogTool`, `GitDiffTool`, `GitBranchTool`, `GitCommitTool`, and `GitCloneTool`. All share a `_BaseGitTool` base class that enforces workspace boundary security (path traversal prevention via `resolve()` + `relative_to()`) and provides a common `_run_git()` helper using `asyncio.create_subprocess_exec` (never `shell=True`). Security hardening includes: `GIT_TERMINAL_PROMPT=0` to prevent credential prompts, `GIT_CONFIG_NOSYSTEM=1` and `GIT_PROTOCOL_FROM_USER=0` to restrict config/protocol attack surfaces, rejection of flag-like ref/branch values (starting with `-`), URL scheme validation on clone (only `https://`, `http://`, `ssh://`, `git://`, and SCP-like syntax), and host/IP validation for clone targets (enforcing a configurable allowlist and/or explicitly blocking loopback, link-local, and private network ranges such as `127.0.0.0/8`, `::1`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, and `169.254.169.254`) to prevent SSRF and internal network probing. All tools return `ToolExecutionResult` for errors rather than raising exceptions.

Copilot uses AI. Check for mistakes.

### 11.1.2 Tool Sandboxing

Tool execution requires safety boundaries proportional to the risk of each tool category. The framework uses a **layered sandboxing strategy** with a pluggable `SandboxBackend` protocol — new backends can be added without modifying existing ones. The default configuration uses lighter isolation for low-risk tools and stronger isolation for high-risk tools.
Expand Down Expand Up @@ -2299,6 +2301,7 @@ ai-company/
│ │ │ ├── budget.py # BUDGET_* constants
│ │ │ ├── config.py # CONFIG_* constants
│ │ │ ├── execution.py # EXECUTION_* constants
│ │ │ ├── git.py # GIT_* constants
│ │ │ ├── prompt.py # PROMPT_* constants
│ │ │ ├── provider.py # PROVIDER_* constants
│ │ │ ├── role.py # ROLE_* constants
Expand Down Expand Up @@ -2345,7 +2348,7 @@ ai-company/
│ │ │ ├── subprocess.py # SubprocessSandbox (default for low-risk)
│ │ │ └── docker.py # DockerSandbox (for code_runner, terminal)
│ │ ├── file_system.py # File operations (M3)
│ │ ├── git_tools.py # Git operations (M3)
│ │ ├── git_tools.py # Git operations — 6 built-in tools
│ │ ├── code_runner.py # Code execution (M3)
│ │ ├── web_tools.py # HTTP, search (M3)
│ │ └── mcp_bridge.py # MCP server integration (M7)
Expand Down
9 changes: 9 additions & 0 deletions src/ai_company/observability/events/git.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
"""Git tool event constants."""

from typing import Final

GIT_COMMAND_START: Final[str] = "git.command.start"
GIT_COMMAND_SUCCESS: Final[str] = "git.command.success"
GIT_COMMAND_FAILED: Final[str] = "git.command.failed"
GIT_COMMAND_TIMEOUT: Final[str] = "git.command.timeout"
GIT_WORKSPACE_VIOLATION: Final[str] = "git.workspace.violation"
14 changes: 14 additions & 0 deletions src/ai_company/tools/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,27 @@
ToolPermissionDeniedError,
)
from .examples.echo import EchoTool
from .git_tools import (
GitBranchTool,
GitCloneTool,
GitCommitTool,
GitDiffTool,
GitLogTool,
GitStatusTool,
)
from .invoker import ToolInvoker
from .permissions import ToolPermissionChecker
from .registry import ToolRegistry

__all__ = [
"BaseTool",
"EchoTool",
"GitBranchTool",
"GitCloneTool",
"GitCommitTool",
"GitDiffTool",
"GitLogTool",
"GitStatusTool",
"ToolError",
"ToolExecutionError",
"ToolExecutionResult",
Expand Down
Loading
Loading