Skip to content

feat(modes): add regex scoped read permissions per mode + orchestrator skills read allowlist #10411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hannesrudolph wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(modes): add regex scoped read permissions per mode + orchestrator skills read allowlist #10411

hannesrudolph wants to merge 6 commits into from
+479 −33

Conversation

@hannesrudolph
Copy link
Collaborator

@hannesrudolph hannesrudolph commented Dec 30, 2025
edited
Loading

Summary

  • Enforce fileRegex on the read group for the read_file tool (native { files: [...] } payloads).
  • Update FileRestrictionError to support read vs edit wording.
  • Restrict built-in Orchestrator mode so it can only read skill definition SKILL.md files, supporting both:
    • workspace-relative: .roo/skills(-<mode>)/<skill>/SKILL.md
    • absolute/global paths (and Windows-style separators): /Users/<user>/.roo/skills(-<mode>)/<skill>/SKILL.md / C:\\Users\\<user>\\.roo\\skills(-<mode>)\\<skill>\\SKILL.md

Key changes

  • Native args used for tool validation: src/core/assistant-message/presentAssistantMessage.ts
  • Read restriction enforcement: src/core/tools/validateToolUse.ts
  • Skills <location> uses absolute paths: src/core/prompts/sections/skills.ts
  • Orchestrator allowlist (absolute + relative): packages/types/src/mode.ts

Tests

  • cd src && npx vitest run shared/__tests__/modes.spec.ts

Notes

  • Behavior is unchanged unless a mode sets fileRegex on the read group.
  • Orchestrator remains constrained to skill definition reads only; this update makes the allowlist compatible with absolute skill paths.

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. Enhancement New feature or request labels Dec 30, 2025
@roomote
Copy link
Contributor

roomote bot commented Dec 30, 2025
edited
Loading

Oroocle Clock   See task on Roo Cloud

Status: All previously flagged items are resolved in 43f2fa4.

  • When a read-group fileRegex is configured, ensure search_files / codebase_search / list_files do not accept path: "" as an unrestricted workspace-root search (either enforce as "." or reject empty path).
Previous reviews

Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Dec 30, 2025
roomote[bot]
roomote bot reviewed Dec 30, 2025
View reviewed changes
@hannesrudolph
Copy link
Collaborator Author

hannesrudolph commented Dec 30, 2025

Fixed: read_file fileRegex enforcement now also validates when toolParams.files is a JSON string. Added tests for both allowed/blocked JSON-string payloads.\n\nChanges:\n- src/core/tools/validateToolUse.ts\n- src/core/tools/tests/validateToolUse.spec.ts

@hannesrudolph hannesrudolph force-pushed the feat/mode-read-regex-skills branch from 4e46243 to 2490135 Compare December 30, 2025 22:41
@hannesrudolph hannesrudolph changed the title feat(modes): restrict read_file with fileRegex + orchestrator skills read allowlist feat(modes): add regex scoped read permissions per mode + orchestrator skills read allowlist Dec 30, 2025
mrubens
mrubens reviewed Dec 30, 2025
View reviewed changes
@hannesrudolph
fix: extend read group fileRegex enforcement to search_files, codebas…
ac0f7fe 
…e_search, list_files

The read group's fileRegex restriction was only enforced on read_file, allowing
orchestrator mode to bypass read restrictions via other tools that access paths.

Changes:
- Extended validateToolUse to restrict path param of search_files, codebase_search,
  and list_files when read group has fileRegex
- Added tests verifying orchestrator mode cannot access arbitrary directories
- Tests pass for both allowed (.roo/skills) and restricted (src, node_modules) paths
roomote[bot]
roomote bot reviewed Dec 31, 2025
View reviewed changes
src/core/tools/validateToolUse.ts Outdated
// These tools operate on directories, so we derive a directory pattern from the fileRegex
if (["search_files", "codebase_search", "list_files"].includes(tool)) {
const pathParam = toolParams?.path
if (typeof pathParam === "string" && pathParam.trim().length > 0) {
Copy link
Contributor

@roomote roomote bot Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When a read-group fileRegex is present, the path restriction for search_files/codebase_search/list_files is skipped for empty string paths, which effectively allows Orchestrator to search from workspace root (and read non-skill files) by passing path: "". If the intent is that Orchestrator is constrained to skills only, consider validating empty paths too (e.g., treat "" as "." and enforce) or rejecting empty path when fileRegex is set.

Fix it with Roo Code or mention @roomote and request a fix.

@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Dec 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens mrubens left review comments

@roomote roomote[bot] roomote[bot] approved these changes

@cte cte Awaiting requested review from cte cte is a code owner

@jr jr Awaiting requested review from jr jr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Enhancement New feature or request Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

Roo Code Roadmap
Status: Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hannesrudolph @mrubens @roomote