05 — Security parity (canUseTool + YARA, fail-closed) for pi #525

Description

@gewenyu99

Epic: #520 · Behavior change: none (default-off) · Depends on: #524

Summary

Port the wizard's fail-closed security boundary to the pi runner. anthropic already enforces it via
canUseTool + YARA Pre/PostToolUse hooks; pi must match before any non-zero ramp. (This is per-tool
execution gating inside the runner — orthogonal to runner selection in #521.)

Scope

  • Shared policy: reuse wizardCanUseTool + the YARA pre/post scan (yara-hooks.ts). Scanner error = block.
  • pi — gate at Pi's tool-execution boundary: pre-scan tool input → run → post-scan output; deny → tool
    error / abort.
  • A critical YARA violation terminates the run with AgentErrorType.YARA_VIOLATION.
  • .env fencing parity (wizard-tools) holds on pi.
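The boundary described above, as an added TypeScript sketch that is not the project's code: the Policy, Scanner and Tool shapes, the GateResult type and gateToolCall are assumptions standing in for wizardCanUseTool, the yara-hooks.ts scan and the pi backend's tool-execution hook.

```typescript
// Illustration of the fail-closed per-tool gate this issue asks for on pi.
// Not the project's code: every type and name below is an assumption.
type Severity = "clean" | "deny" | "critical";
type Verdict = { severity: Severity; rule?: string };
type Scanner = (text: string) => Verdict;                 // stand-in for the YARA pre/post scan
type Policy = (tool: string, input: unknown) => boolean;  // stand-in for wizardCanUseTool
type Tool = (input: unknown) => string;

// Mirrors the run-terminating error named in the issue (AgentErrorType.YARA_VIOLATION).
export class YaraViolationError extends Error {
  readonly type = "YARA_VIOLATION";
}

export type GateResult =
  | { kind: "ok"; output: string }
  | { kind: "blocked"; stage: "policy" | "pre" | "post"; reason: string };

// Runs one scan: returns a block result, null when clean, throws on a critical hit.
function scanOrBlock(scan: Scanner, text: string, stage: "pre" | "post"): GateResult | null {
  let verdict: Verdict;
  try {
    verdict = scan(text);
  } catch (err) {
    // Fail closed: a scanner error is a block, never a pass.
    return { kind: "blocked", stage, reason: `scanner error: ${(err as Error).message}` };
  }
  if (verdict.severity === "critical") {
    // Critical hit: abort the whole run, not just this tool call.
    throw new YaraViolationError(`${stage}-scan critical hit: ${verdict.rule ?? "unknown"}`);
  }
  if (verdict.severity === "deny") return { kind: "blocked", stage, reason: `rule ${verdict.rule ?? "unknown"}` };
  return null;
}

// Gate at the tool-execution boundary: policy -> pre-scan input -> run -> post-scan output.
export function gateToolCall(deps: { policy: Policy; scan: Scanner; tool: Tool }, name: string, input: unknown): GateResult {
  let allowed = false;
  try { allowed = deps.policy(name, input); } catch { allowed = false; } // policy failure is also fail-closed
  if (!allowed) return { kind: "blocked", stage: "policy", reason: "canUseTool denied" };
  const pre = scanOrBlock(deps.scan, JSON.stringify({ name, input }), "pre");
  if (pre) return pre;
  const output = deps.tool(input);
  const post = scanOrBlock(deps.scan, output, "post");
  return post ?? { kind: "ok", output };
}
```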

Acceptance criteria

  • A blocked-action corpus that anthropic blocks is also blocked under pi.
  • Scanner-error-means-block proven by test on pi.
  • .env fencing parity (wizard-tools) holds.

Files

  • src/lib/agent/runner/shared/security.ts, runner/backends/pi/
