Add low-trust review containment (#7530)
## Thinking Path > - Paperclip is a control plane for AI-agent companies, so execution policy and trust boundaries are part of the product's safety contract. > - Low-trust review work needs narrower authority than normal same-company agents because hostile PRs, comments, attachments, and generated output can carry prompt-injection payloads. > - The current V1 shape gives trusted workers broad company context, which is useful for normal execution but too permissive for a reviewer assigned to hostile content. > - This branch adds a `low_trust_review` preset, source-trust tagging, route-level containment, and quarantine handling so low-trust output does not automatically flow into higher-trust wake context. > - The branch has been rebased onto current `origin/master`, and the low-trust migration was renumbered to `0097_low_trust_source_trust.sql` to avoid collisions with existing `0091` through `0096` migrations. > - Greptile feedback was addressed by tightening low-trust detection, preserving project-level trust policy checks, fixing issue-kind promotion lookup, removing duplicate post-lease isolation assertion, documenting fail-closed source-trust behavior, bounding ancestry checks, enforcing runtime issue context for CEOs, awaiting accepted-plan monitor authorization, and making low-trust issue source-trust tagging atomic. > - The benefit is a first production slice of deny-by-default review containment with regression coverage for the main control-plane pivot surfaces. Fixes #7531. ## What Changed - Added shared trust-policy types and validators, plus database/source-trust fields for issues, comments, documents, and work products. - Implemented server enforcement for low-trust issue scope, agent self-view redaction, secret/plugin/runtime denial paths, promotion checks, and quarantined continuation/wake context. - Added focused low-trust regression tests for resolver behavior, source trust, route authorization, heartbeat preflight ordering, runtime containment, and quarantine redaction. - Added board UI affordances for selecting/reviewing the low-trust preset and surfacing source-trust badges in relevant issue views. - Added `doc/LOW-TRUST-PRESETS.md`, updated `doc/SPEC-implementation.md`, and committed the low-trust review contract plan under `doc/plans/`. - Rebasing note: the original `0097_low_trust_source_trust.sql` migration was renamed to `0097_low_trust_source_trust.sql`; the SQL uses `ADD COLUMN IF NOT EXISTS` so users who already applied the old-numbered migration are not broken by the renumbered migration. ## Verification - Rebased branch onto current `origin/master` and force-pushed with lease to `origin/PAP-10211-low-trust-agent` at head `2719f31e3`. - Confirmed the PR diff does not include `pnpm-lock.yaml` or `.github/workflows` changes. - Resolved upstream UI/comment conflicts by preserving deleted-comment tombstone behavior and low-trust source-trust badges/metadata. - Renumbered the low-trust source-trust migration to `0097_low_trust_source_trust.sql`; the SQL uses `ADD COLUMN IF NOT EXISTS` so users who already applied an old-numbered copy are not broken. - `pnpm exec vitest run ui/src/lib/issue-chat-messages.test.ts server/src/__tests__/heartbeat-workspace-session.test.ts` - `pnpm exec vitest run server/src/__tests__/source-trust.test.ts server/src/__tests__/workspace-runtime-service-authz.test.ts ui/src/lib/trust-policy-ui.test.ts ui/src/components/TrustPresetSection.test.tsx` - `pnpm run typecheck:build-gaps` - `git diff --check` - GitHub checks pass on head `2719f31e3`: build, typecheck/release registry, general tests, serialized server suites, e2e, canary, verify, policy/review, Socket, and Snyk. - Greptile Review passes with Confidence Score 5/5 and zero unresolved Greptile review threads. - No design screenshots/images were added because the task explicitly says not to add them unless they are specifically part of the work. ## Risks - Medium risk: this touches shared trust-policy contracts, server authorization paths, heartbeat context generation, migration metadata, and UI preset controls. - Low-trust containment is intentionally deny-by-default; legitimate future review workflows may need explicit allowlisted exceptions. - Plugin/runtime/security surfaces are broad, so regression tests cover the current known routes but future integrations must route through the same containment layer. - The PR is ready for review; GitHub checks are green and Greptile is 5/5. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled shell and GitHub CLI workflow. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] UI changes are covered by focused tests; no screenshots were added per task instruction not to add design images unless specifically required - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
@@ -20,6 +20,7 @@ const mockIssueService = vi.hoisted(() => ({
|
||||
getById: vi.fn(),
|
||||
getRelationSummaries: vi.fn(),
|
||||
getWakeableParentAfterChildCompletion: vi.fn(),
|
||||
list: vi.fn(),
|
||||
listAttachments: vi.fn(),
|
||||
listWakeableBlockedDependents: vi.fn(),
|
||||
remove: vi.fn(),
|
||||
@@ -68,6 +69,7 @@ const mockIssueThreadInteractionService = vi.hoisted(() => ({
|
||||
}));
|
||||
const mockIssueRecoveryActionService = vi.hoisted(() => ({
|
||||
getActiveForIssue: vi.fn(async () => null),
|
||||
listActiveForIssues: vi.fn(async () => new Map()),
|
||||
resolveActiveForIssue: vi.fn(async () => null),
|
||||
}));
|
||||
const mockHeartbeatService = vi.hoisted(() => ({
|
||||
@@ -114,8 +116,11 @@ function registerRouteMocks() {
|
||||
}));
|
||||
|
||||
vi.doMock("../services/index.js", () => ({
|
||||
ISSUE_LIST_DEFAULT_LIMIT: 100,
|
||||
ISSUE_LIST_MAX_LIMIT: 500,
|
||||
accessService: () => mockAccessService,
|
||||
agentService: () => mockAgentService,
|
||||
clampIssueListLimit: (value: number) => Math.min(Math.max(value, 1), 500),
|
||||
companyService: () => mockCompanyService,
|
||||
documentAnnotationService: () => ({ remapOpenThreadsForDocument: async () => [] }),
|
||||
documentService: () => mockDocumentService,
|
||||
@@ -194,26 +199,47 @@ function makeAgent(id: string, overrides: Record<string, unknown> = {}) {
|
||||
};
|
||||
}
|
||||
|
||||
function createRunContextDb(contextSnapshot: Record<string, unknown> = {}) {
|
||||
function createRunContextDb(
|
||||
contextSnapshot: Record<string, unknown> = {},
|
||||
runAgentId: string = ownerAgentId,
|
||||
runId: string = ownerRunId,
|
||||
) {
|
||||
return {
|
||||
transaction: async (callback: (tx: Record<string, never>) => Promise<unknown>) => callback({}),
|
||||
select: vi.fn(() => ({
|
||||
select: vi.fn((selection: Record<string, unknown> = {}) => ({
|
||||
from: vi.fn(() => ({
|
||||
where: vi.fn(() => ({
|
||||
then: async (resolve: (rows: unknown[]) => unknown) =>
|
||||
resolve([{
|
||||
id: ownerRunId,
|
||||
companyId,
|
||||
agentId: ownerAgentId,
|
||||
contextSnapshot,
|
||||
}]),
|
||||
orderBy: vi.fn(async () => []),
|
||||
then: async (resolve: (rows: unknown[]) => unknown) => {
|
||||
const keys = Object.keys(selection);
|
||||
if (keys.includes("entityId")) {
|
||||
return resolve([]);
|
||||
}
|
||||
if (keys.includes("contextSnapshot")) {
|
||||
return resolve([{
|
||||
id: runId,
|
||||
companyId,
|
||||
agentId: runAgentId,
|
||||
contextSnapshot,
|
||||
}]);
|
||||
}
|
||||
if (keys.includes("permissions")) {
|
||||
return resolve([{ id: runAgentId, companyId, permissions: {}, role: "engineer", reportsTo: null }]);
|
||||
}
|
||||
return resolve([{ id: runAgentId, companyId, permissions: {}, role: "engineer", reportsTo: null }]);
|
||||
},
|
||||
})),
|
||||
})),
|
||||
})),
|
||||
};
|
||||
}
|
||||
|
||||
async function createApp(actor: Record<string, unknown>, db: unknown = createRunContextDb()) {
|
||||
async function createApp(actor: Record<string, unknown>, db?: unknown) {
|
||||
const routeDb = db ?? createRunContextDb(
|
||||
{},
|
||||
typeof actor.agentId === "string" ? actor.agentId : ownerAgentId,
|
||||
typeof actor.runId === "string" ? actor.runId : ownerRunId,
|
||||
);
|
||||
const [{ errorHandler }, { issueRoutes }] = await Promise.all([
|
||||
vi.importActual<typeof import("../middleware/index.js")>("../middleware/index.js"),
|
||||
vi.importActual<typeof import("../routes/issues.js")>("../routes/issues.js"),
|
||||
@@ -224,7 +250,7 @@ async function createApp(actor: Record<string, unknown>, db: unknown = createRun
|
||||
(req as any).actor = actor;
|
||||
next();
|
||||
});
|
||||
app.use("/api", issueRoutes(db as any, mockStorageService as any));
|
||||
app.use("/api", issueRoutes(routeDb as any, mockStorageService as any));
|
||||
app.use(errorHandler);
|
||||
return app;
|
||||
}
|
||||
@@ -280,10 +306,26 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
mockAccessService.canUser.mockReset();
|
||||
mockAccessService.decide.mockReset();
|
||||
mockAccessService.decide.mockImplementation(async (input: { action: string }) => ({
|
||||
allowed: input.action === "tasks:assign",
|
||||
allowed:
|
||||
input.action === "tasks:assign" ||
|
||||
input.action === "issue:read" ||
|
||||
input.action === "issue:mutate" ||
|
||||
input.action === "company_scope:read",
|
||||
action: input.action,
|
||||
reason: input.action === "tasks:assign" ? "allow_explicit_grant" : "deny_missing_grant",
|
||||
explanation: input.action === "tasks:assign" ? "Allowed by test assignment default." : "Missing permission.",
|
||||
reason:
|
||||
input.action === "tasks:assign" ||
|
||||
input.action === "issue:read" ||
|
||||
input.action === "issue:mutate" ||
|
||||
input.action === "company_scope:read"
|
||||
? "allow_explicit_grant"
|
||||
: "deny_missing_grant",
|
||||
explanation:
|
||||
input.action === "tasks:assign" ||
|
||||
input.action === "issue:read" ||
|
||||
input.action === "issue:mutate" ||
|
||||
input.action === "company_scope:read"
|
||||
? "Allowed by test default."
|
||||
: "Missing permission.",
|
||||
}));
|
||||
mockAccessService.hasPermission.mockReset();
|
||||
mockAgentService.getById.mockReset();
|
||||
@@ -299,10 +341,13 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
mockIssueService.getById.mockReset();
|
||||
mockIssueService.getRelationSummaries.mockReset();
|
||||
mockIssueService.getWakeableParentAfterChildCompletion.mockReset();
|
||||
mockIssueService.list.mockReset();
|
||||
mockIssueService.listAttachments.mockReset();
|
||||
mockIssueService.listWakeableBlockedDependents.mockReset();
|
||||
mockIssueRecoveryActionService.getActiveForIssue.mockReset();
|
||||
mockIssueRecoveryActionService.getActiveForIssue.mockResolvedValue(null);
|
||||
mockIssueRecoveryActionService.listActiveForIssues.mockReset();
|
||||
mockIssueRecoveryActionService.listActiveForIssues.mockResolvedValue(new Map());
|
||||
mockIssueRecoveryActionService.resolveActiveForIssue.mockReset();
|
||||
mockIssueRecoveryActionService.resolveActiveForIssue.mockResolvedValue({
|
||||
id: recoveryActionId,
|
||||
@@ -370,6 +415,7 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
mockCompanyService.getById.mockResolvedValue({ id: companyId, issuePrefix: "PAP" });
|
||||
mockIssueService.getById.mockResolvedValue(makeIssue());
|
||||
mockIssueService.getByIdentifier.mockResolvedValue(null);
|
||||
mockIssueService.list.mockResolvedValue([makeIssue()]);
|
||||
mockIssueService.assertCheckoutOwner.mockResolvedValue({ adoptedFromRunId: null });
|
||||
mockIssueService.create.mockImplementation(async (_companyId: string, input: Record<string, unknown>) => ({
|
||||
...makeIssue({
|
||||
@@ -476,6 +522,41 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
mockStorageService.deleteObject.mockResolvedValue(undefined);
|
||||
});
|
||||
|
||||
it("uses the company-scope fast path on the issue list route", async () => {
|
||||
mockAccessService.decide.mockImplementation(async (input: { action: string }) => {
|
||||
if (input.action === "company_scope:read") {
|
||||
return {
|
||||
allowed: true,
|
||||
action: input.action,
|
||||
reason: "allow_explicit_grant",
|
||||
explanation: "Allowed by test company scope.",
|
||||
};
|
||||
}
|
||||
if (input.action === "issue:read") {
|
||||
throw new Error("issue:read should not be evaluated for company-scope readers");
|
||||
}
|
||||
return {
|
||||
allowed: true,
|
||||
action: input.action,
|
||||
reason: "allow_test_default",
|
||||
explanation: "Allowed by test default.",
|
||||
};
|
||||
});
|
||||
|
||||
const app = await createApp(boardActor());
|
||||
const res = await request(app).get(`/api/companies/${companyId}/issues`);
|
||||
|
||||
expect(res.status, JSON.stringify(res.body)).toBe(200);
|
||||
expect(res.body).toEqual([expect.objectContaining({ id: issueId })]);
|
||||
expect(mockAccessService.decide).toHaveBeenCalledWith(expect.objectContaining({
|
||||
action: "company_scope:read",
|
||||
resource: { type: "company", companyId },
|
||||
}));
|
||||
expect(mockAccessService.decide).not.toHaveBeenCalledWith(expect.objectContaining({
|
||||
action: "issue:read",
|
||||
}));
|
||||
});
|
||||
|
||||
it.each([
|
||||
["patch", (app: express.Express) => request(app).patch(`/api/issues/${issueId}`).send({ title: "Blocked" })],
|
||||
["delete", (app: express.Express) => request(app).delete(`/api/issues/${issueId}`)],
|
||||
@@ -486,6 +567,16 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
request(app).put(`/api/issues/${issueId}/documents/plan`).send({ format: "markdown", body: "# blocked" }),
|
||||
],
|
||||
["work product update", (app: express.Express) => request(app).patch("/api/work-products/product-1").send({ title: "Blocked" })],
|
||||
[
|
||||
"low-trust promotion",
|
||||
(app: express.Express) =>
|
||||
request(app).post(`/api/issues/${issueId}/low-trust/promotions`).send({
|
||||
sourceArtifactKind: "comment",
|
||||
sourceArtifactId: recoveryActionId,
|
||||
title: "Promoted artifact",
|
||||
summary: "Sanitized output",
|
||||
}),
|
||||
],
|
||||
[
|
||||
"attachment upload",
|
||||
(app: express.Express) =>
|
||||
@@ -503,6 +594,7 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
expect(mockIssueService.update).not.toHaveBeenCalled();
|
||||
expect(mockIssueService.addComment).not.toHaveBeenCalled();
|
||||
expect(mockDocumentService.upsertIssueDocument).not.toHaveBeenCalled();
|
||||
expect(mockWorkProductService.createForIssue).not.toHaveBeenCalled();
|
||||
expect(mockWorkProductService.update).not.toHaveBeenCalled();
|
||||
expect(mockStorageService.putFile).not.toHaveBeenCalled();
|
||||
expect(mockStorageService.deleteObject).not.toHaveBeenCalled();
|
||||
@@ -542,6 +634,16 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
],
|
||||
["work product update", (app: express.Express) => request(app).patch("/api/work-products/product-1").send({ title: "Blocked" })],
|
||||
["work product delete", (app: express.Express) => request(app).delete("/api/work-products/product-1")],
|
||||
[
|
||||
"low-trust promotion",
|
||||
(app: express.Express) =>
|
||||
request(app).post(`/api/issues/${issueId}/low-trust/promotions`).send({
|
||||
sourceArtifactKind: "comment",
|
||||
sourceArtifactId: recoveryActionId,
|
||||
title: "Promoted artifact",
|
||||
summary: "Sanitized output",
|
||||
}),
|
||||
],
|
||||
[
|
||||
"attachment upload",
|
||||
(app: express.Express) =>
|
||||
@@ -693,10 +795,18 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
|
||||
it("allows agents with the active-checkout management grant to mutate active checkouts", async () => {
|
||||
mockAccessService.decide.mockImplementation(async (input: { action: string }) => ({
|
||||
allowed: input.action === "tasks:manage_active_checkouts",
|
||||
allowed: input.action === "issue:mutate" || input.action === "tasks:manage_active_checkouts",
|
||||
action: input.action,
|
||||
reason: input.action === "tasks:manage_active_checkouts" ? "allow_explicit_grant" : "deny_missing_grant",
|
||||
explanation: input.action === "tasks:manage_active_checkouts" ? "Allowed by checkout management grant." : "Missing permission.",
|
||||
reason:
|
||||
input.action === "issue:mutate" || input.action === "tasks:manage_active_checkouts"
|
||||
? "allow_explicit_grant"
|
||||
: "deny_missing_grant",
|
||||
explanation:
|
||||
input.action === "tasks:manage_active_checkouts"
|
||||
? "Allowed by checkout management grant."
|
||||
: input.action === "issue:mutate"
|
||||
? "Allowed by test boundary default."
|
||||
: "Missing permission.",
|
||||
}));
|
||||
|
||||
const res = await request(await createApp(peerActor())).patch(`/api/issues/${issueId}`).send({ title: "Managed update" });
|
||||
@@ -846,6 +956,15 @@ describe("agent issue mutation checkout ownership", () => {
|
||||
reason: "deny_policy_restricted",
|
||||
explanation: "Target agent requires approval before task assignment.",
|
||||
}));
|
||||
decide.mockImplementation(async (input: { action: string }) => ({
|
||||
allowed: input.action === "issue:mutate",
|
||||
action: input.action,
|
||||
reason: input.action === "issue:mutate" ? "allow_self" : "deny_policy_restricted",
|
||||
explanation:
|
||||
input.action === "issue:mutate"
|
||||
? "Allowed because the actor owns the assigned issue."
|
||||
: "Target agent requires approval before task assignment.",
|
||||
}));
|
||||
(mockAccessService as any).decide = decide;
|
||||
mockIssueService.getById.mockResolvedValue(makeIssue({ assigneeAgentId: ownerAgentId }));
|
||||
mockAgentService.resolveByReference.mockResolvedValue({
|
||||
|
||||
Reference in New Issue
Block a user