Colin McDonnell
2017922780
Improve delegate ( #377 )
...
* Improve delegate
* fix stale log regexes in delegate tests and add test-coupling comments
Co-authored-by: Cursor <cursoragent@cursor.com >
---------
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-23 23:41:27 +00:00
Colin McDonnell
a7bd746f21
Restructure dash ( #372 )
...
* Restructure dash
* WIP
* WIP
* refactor trigger UI: extract PR summary card, add mentions section, rename labels
Co-authored-by: Cursor <cursoragent@cursor.com >
* clean up console UI: remove info icons from section descriptions, rename mentions trigger
Co-authored-by: Cursor <cursoragent@cursor.com >
* fix review feedback: layout, terminology, form scope
- extract console sidebar sections to module-level constant
- align three-column layout breakpoints to xl (match sidebar visibility)
- fix mixed shell/bash terminology in beta page
- scope FormProvider to trigger sections only, restore autoComplete="off"
Co-authored-by: Cursor <cursoragent@cursor.com >
* Bump
---------
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-23 23:34:29 +00:00
Colin McDonnell
9a1f3bdb0a
relax filesystem permissions: reads allow temp dir, writes conditional on bash ( #308 )
...
reads (file_read, list_directory) now allow paths within the repo OR
PULLFROG_TEMP_DIR. this fixes the bug where agents with full permissions
couldn't read PR diffs, CI logs, review threads, or background bash
output because those files live under /tmp/pullfrog-xxx/.
writes (file_write, file_edit, file_delete) now only enforce repo-scoping
when bash !== "enabled". when bash=enabled the agent can write anywhere
via native bash, so restricting file_write was security theater. .git/
stays blocked in all modes as defense-in-depth.
replaced the conflated resolveAndValidatePath/validateWritePath helpers
with separate resolveReadPath and resolveWritePath functions that cleanly
separate path resolution from permission enforcement.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-14 04:02:45 +00:00
David Blass
bc28c658f2
harden sandbox escape vectors for bash disabled/restricted modes ( #257 )
...
* harden sandbox escape vectors for bash disabled/restricted modes
block git config injection (-c flag as subcommand), dangerous subcommands
(config, submodule, rebase, bisect), code-executing arg flags (--exec,
--extcmd), .gitattributes/.gitmodules writes, and package lifecycle scripts.
add retry logic to test runner for transient failures. add security unit
tests and adhoc attack tests.
Co-authored-by: Cursor <cursoragent@cursor.com >
* only filter subcommands in nobash, remove nobash from ui
* use regex matching
* iterate on tests
* simplify githooks
---------
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-11 02:02:41 +00:00
David Blass
19df8372cd
add file_read/file_write tools, sandbox tests, CI improvements ( #239 )
...
* migrate to flags
* init
* iterate on file write lockdown tests
* improve ci
* fix lockfile
* fix typecheck
* fix lint
* improve pushRestricted
* ok
* fix more
* ok
* remove process.env spreading rule
Co-authored-by: Cursor <cursoragent@cursor.com >
* enhanced fs rw tools
---------
Co-authored-by: Cursor <cursoragent@cursor.com >
Co-authored-by: Colin McDonnell <colinmcd94@gmail.com >
2026-02-10 06:35:47 +00:00