Skip to content

Security: verify worklist guard coverage for file edits across agents #119

Description

@marcello-tk

Parent security issue: #109
Umbrella: #108

Problem / exposed surface

The worklist approval model depends on agents being blocked from editing arbitrary project files unless a proposed or applied worklist item covers the path. Bram currently has provider-specific guard paths for Claude and Codex, plus setup code that installs or updates those hooks.

If a guard is missing, stale, not executable, misconfigured, or bypassed by a new tool shape, the worklist becomes advisory rather than enforced. The README already notes one important failure mode: if Python is missing, Claude hook execution may be inert.

Relevant surfaces:

  • .claude/hooks/worklist-guard.py
  • app/__shell/worklist-guard.py
  • ~/.bram/codex-worklist-guard.py
  • .claude/settings.json
  • ~/.codex/config.toml PreToolUse hook registration
  • Setup / enhance status checks
  • hook handling for apply_patch, Bash, Write, Edit, and MCP filesystem tools

Proposed change

Turn guard coverage into an explicit security check:

  • Inventory which mutation tools each provider can use.
  • Confirm the guard blocks file writes outside proposed/applied worklist scope.
  • Confirm direct worklist status changes and item removals are rejected unless authorized.
  • Surface guard health clearly in Setup or Context views: installed, registered, executable, and able to run.
  • Add a small self-test route or diagnostic action that exercises allow and deny cases without changing project files.

Acceptance criteria

  • Both Claude and Codex guard paths have documented coverage for their mutation tools.
  • Missing or nonfunctional guard state is visible to the user.
  • A new agent/tool integration has a checklist for joining the same enforcement model.
  • Security docs explain that the worklist is enforced by host state plus provider hooks, not by agent obedience alone.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions