Epic: #520 · Behavior change: none (default-off) · Depends on: #524
Summary
Port the wizard's fail-closed security boundary to the pi runner. anthropic already enforces it via canUseTool + YARA Pre/PostToolUse hooks; pi must match before any non-zero ramp. (This is per-tool execution gating inside the runner — orthogonal to runner selection in #521.)
Scope
- Shared policy: reuse wizardCanUseTool + the YARA pre/post scan (yara-hooks.ts). Scanner error = block.
- pi — gate at Pi's tool-execution boundary: pre-scan tool input → run → post-scan output; deny → tool error / abort.
- A critical YARA violation terminates the run with AgentErrorType.YARA_VIOLATION.
- .env fencing parity (wizard-tools) holds on pi.
Acceptance criteria
- anthropic blocks is also blocked under pi.
- pi.
- .env fencing parity (wizard-tools) holds.
Files
src/lib/agent/runner/shared/security.ts, runner/backends/pi/
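The gate order listed under Scope (pre-scan, run, post-scan, scanner error = block, critical violation = terminate), as an added TypeScript example that is not the project's code. `gateToolCall`, `safeScan`, the verdict shape and the synchronous tool signature are assumptions, and `demoScanner` is a constructed stand-in for the YARA scan.

```typescript
// Added illustration: every name here is hypothetical, not the project's API.
type Phase = "pre" | "post";
type Verdict = { action: "allow" | "block" | "critical"; rule?: string };
type Scanner = (phase: Phase, text: string) => Verdict;
type GateResult =
  | { kind: "ok"; output: string }
  | { kind: "tool_error"; reason: string } // denied, surfaced as a tool error
  | { kind: "abort"; reason: string }; // critical hit, the run terminates

// Fail closed: a throwing scanner or a malformed verdict counts as "block".
function safeScan(scan: Scanner, phase: Phase, text: string): Verdict {
  try {
    const v = scan(phase, text);
    if (v && (v.action === "allow" || v.action === "block" || v.action === "critical")) return v;
  } catch {
    // fall through to the blocking verdict below
  }
  return { action: "block", rule: "scanner_error" };
}

function deny(v: Verdict): GateResult {
  const reason = v.rule ?? "unnamed_rule";
  return v.action === "critical" ? { kind: "abort", reason } : { kind: "tool_error", reason };
}

// pre-scan input -> run tool -> post-scan output; the tool runs only on "allow".
function gateToolCall(scan: Scanner, tool: (input: string) => string, input: string): GateResult {
  const pre = safeScan(scan, "pre", input);
  if (pre.action !== "allow") return deny(pre); // tool is never invoked
  let output: string;
  try {
    output = tool(input);
  } catch {
    return { kind: "tool_error", reason: "tool_failed" };
  }
  const post = safeScan(scan, "post", output);
  if (post.action !== "allow") return deny(post); // output is withheld
  return { kind: "ok", output };
}

// Constructed stand-in for the YARA scan; the marker strings are made up.
const demoScanner: Scanner = (_phase, text) => {
  if (/DEMO_SCANNER_FAULT/.test(text)) throw new Error("scanner crashed");
  if (/DEMO_CRITICAL/.test(text)) return { action: "critical", rule: "demo_critical" };
  if (/DEMO_BLOCK/.test(text)) return { action: "block", rule: "demo_block" };
  return { action: "allow" };
};
```

A parity test for the two runners can feed the same inputs through both gates and compare the `kind` of each result.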