Description
Block script payload staging (e.g., cat > /tmp/impl.ts with workspace writes) and unify shell write classification. Ensure all framework file modifications go through backup-aware tools.
Code References (§6 Phase D)
Files to Modify
.opencode/lib/tool-scope.ts.opencode/lib/safe-bash-core.ts.opencode/plugins/scope-before.ts.opencode/lib/backup-manager.ts.opencode/lib/__tests__/safe-bash-core.test.ts
Changes
-
Add shared shell write classifier — return read_only, known_write, opaque_write, or script_payload_write.
-
Heredoc/stdin inspection — for cat > / <<EOF redirections, capture or inspect payload before allowing. If content contains writes to workspace paths, block at payload creation time.
-
Temp script scanning — for /tmp/*.ts, /tmp/*.js, /tmp/*.py, /tmp/*.sh, scan content and target writes before execution. Extend script scanning from node *.ts/*.js to bun, python3, bash, sh, tsx, and /tmp/*.
-
Block payload creation if it stages writes to workspace files (.opencode/**, booking-backend/**, booking-frontend/**).
-
Remove path-aware eval allowance for framework writes — only .task_temp/_logs diagnostics can be written by shell. Remove // safe_bash: allow-write bypass; convert to "must use backup-aware repair wrapper."
-
Add backup_uuid requirement — before any framework file write, verify a backup_log row exists or create one atomically. Record backup_uuid on write audit events.
-
Remove broad "trusted script path" bypasses unless script is signed by config and declared in a DB-backed allowlist.
Acceptance Criteria
cat > /tmp/impl.ts <<EOF with writeFileSync(".opencode/...") is blocked at creationbun /tmp/impl.ts is blocked even if creation happened before the fixpython3 <<EOF open(".opencode/...","w") is blockedsafe_edit still succeeds and creates a backup_log row- Today's log evidence (scope-before-runtime.log:4214, 4481) of payload staging is prevented
Testing
bun test .opencode/lib/__tests__/safe-bash-core.test.ts
Description
Block script payload staging (e.g.,
cat > /tmp/impl.tswith workspace writes) and unify shell write classification. Ensure all framework file modifications go through backup-aware tools.Code References (§6 Phase D)
Files to Modify
.opencode/lib/tool-scope.ts.opencode/lib/safe-bash-core.ts.opencode/plugins/scope-before.ts.opencode/lib/backup-manager.ts.opencode/lib/__tests__/safe-bash-core.test.tsChanges
Add shared shell write classifier — return
read_only,known_write,opaque_write, orscript_payload_write.Heredoc/stdin inspection — for
cat >/<<EOFredirections, capture or inspect payload before allowing. If content contains writes to workspace paths, block at payload creation time.Temp script scanning — for
/tmp/*.ts,/tmp/*.js,/tmp/*.py,/tmp/*.sh, scan content and target writes before execution. Extend script scanning fromnode *.ts/*.jstobun,python3,bash,sh,tsx, and/tmp/*.Block payload creation if it stages writes to workspace files (
.opencode/**,booking-backend/**,booking-frontend/**).Remove path-aware eval allowance for framework writes — only
.task_temp/_logsdiagnostics can be written by shell. Remove// safe_bash: allow-writebypass; convert to "must use backup-aware repair wrapper."Add
backup_uuidrequirement — before any framework file write, verify abackup_logrow exists or create one atomically. Recordbackup_uuidon write audit events.Remove broad "trusted script path" bypasses unless script is signed by config and declared in a DB-backed allowlist.
Acceptance Criteria
cat > /tmp/impl.ts <<EOFwithwriteFileSync(".opencode/...")is blocked at creationbun /tmp/impl.tsis blocked even if creation happened before the fixpython3 <<EOF open(".opencode/...","w")is blockedsafe_editstill succeeds and creates abackup_logrowTesting
bun test .opencode/lib/__tests__/safe-bash-core.test.ts