Use pathrestriction by default for writes in cwd instead of approval=always

Author: ndeodhar

sdk/python/polos/execution/sandbox_tools.py

@@ -118,16 +118,31 @@ async def get_env() -> ExecutionEnvironment:
     else:
         effective_exec_config = config.exec if config else None
 
-    # For local mode, default file-mutating tools (write, edit) to approval-always
-    file_approval = (config.file_approval if config else None) or (
-        "always" if env_type == "local" else None
-    )
-
-    # Path restriction for read-only tools (read, glob, grep) -- approval gate
+    # Path restriction -- used by read, write, edit, glob, grep for approval gating
     path_config: PathRestrictionConfig | None = None
     if config and config.local and config.local.path_restriction:
         path_config = PathRestrictionConfig(path_restriction=config.local.path_restriction)
 
+    # file_approval overrides path-restriction behavior for write/edit.
+    # 'always' = approve every write/edit regardless of path.
+    # 'none' = never approve (skip path restriction too).
+    # None = use path restriction (approve only outside cwd).
+    file_approval = config.file_approval if config else None
+
+    # Build write/edit config: explicit approval overrides path restriction
+    from .tools.write import WriteToolConfig
+    from .tools.edit import EditToolConfig
+
+    if file_approval:
+        write_edit_config_w = WriteToolConfig(approval=file_approval)
+        write_edit_config_e = EditToolConfig(approval=file_approval)
+    elif path_config:
+        write_edit_config_w = WriteToolConfig(path_config=path_config)
+        write_edit_config_e = EditToolConfig(path_config=path_config)
+    else:
+        write_edit_config_w = None
+        write_edit_config_e = None
+
     # Determine which tools to include
     include = set(
         (config.tools if config and config.tools else None)
@@ -141,9 +156,9 @@ async def get_env() -> ExecutionEnvironment:
     if "read" in include:
         tools.append(create_read_tool(get_env, path_config))
     if "write" in include:
-        tools.append(create_write_tool(get_env, file_approval))
+        tools.append(create_write_tool(get_env, write_edit_config_w))
     if "edit" in include:
-        tools.append(create_edit_tool(get_env, file_approval))
+        tools.append(create_edit_tool(get_env, write_edit_config_e))
     if "glob" in include:
         tools.append(create_glob_tool(get_env, path_config))
     if "grep" in include:

sdk/python/polos/execution/tools/edit.py

@@ -1,7 +1,14 @@
-"""Edit tool -- find-and-replace text in files in the execution environment."""
+"""Edit tool -- find-and-replace text in files in the execution environment.
+
+When path_restriction is set, edits within the restriction proceed
+without approval. Edits outside the restriction suspend for user approval.
+Set approval to 'always' to require approval for every edit, or 'none'
+to skip approval entirely (overrides path restriction).
+"""
 
 from __future__ import annotations
 
+import os
 from collections.abc import Awaitable, Callable
 from typing import Any, Literal
 
@@ -10,6 +17,7 @@
 from ...core.context import WorkflowContext
 from ...tools.tool import Tool
 from ..environment import ExecutionEnvironment
+from .path_approval import PathRestrictionConfig, is_path_allowed, require_path_approval
 
 
 class EditInput(BaseModel):
@@ -20,22 +28,43 @@ class EditInput(BaseModel):
     new_text: str = Field(description="Text to replace the old_text with")
 
 
+class EditToolConfig(BaseModel):
+    """Configuration for the edit tool."""
+
+    approval: Literal["always", "none"] | None = None
+    path_config: PathRestrictionConfig | None = None
+
+
 def create_edit_tool(
     get_env: Callable[[], Awaitable[ExecutionEnvironment]],
-    approval: Literal["always", "none"] | None = None,
+    config: EditToolConfig | None = None,
 ) -> Tool:
     """Create the edit tool for find-and-replace in files.
 
     Args:
         get_env: Async callable that returns the shared ExecutionEnvironment.
-        approval: Optional approval mode ('always' requires user approval before edit).
+        config: Optional configuration with approval mode and/or path restriction.
 
     Returns:
         A Tool instance for edit.
     """
 
     async def handler(ctx: WorkflowContext, input: EditInput) -> dict[str, Any]:
         env = await get_env()
+
+        # Path-restricted approval: approve if outside cwd, skip if inside
+        if (
+            not (config and config.approval)
+            and config
+            and config.path_config
+            and config.path_config.path_restriction
+        ):
+            resolved = os.path.abspath(os.path.join(env.get_cwd(), input.path))
+            if not is_path_allowed(resolved, config.path_config.path_restriction):
+                await require_path_approval(
+                    ctx, "edit", resolved, config.path_config.path_restriction
+                )
+
         content = await env.read_file(input.path)
 
         if input.old_text not in content:
@@ -65,7 +94,7 @@ async def wrapped_func(ctx: WorkflowContext, payload: dict[str, Any] | None):
         ),
         parameters=EditInput.model_json_schema(),
         func=wrapped_func,
-        approval=approval,
+        approval="always" if config and config.approval == "always" else None,
     )
     tool._input_schema_class = EditInput
     return tool

sdk/python/polos/execution/tools/write.py

@@ -1,7 +1,14 @@
-"""Write tool -- create or overwrite files in the execution environment."""
+"""Write tool -- create or overwrite files in the execution environment.
+
+When path_restriction is set, writes within the restriction proceed
+without approval. Writes outside the restriction suspend for user approval.
+Set approval to 'always' to require approval for every write, or 'none'
+to skip approval entirely (overrides path restriction).
+"""
 
 from __future__ import annotations
 
+import os
 from collections.abc import Awaitable, Callable
 from typing import Any, Literal
 
@@ -10,6 +17,7 @@
 from ...core.context import WorkflowContext
 from ...tools.tool import Tool
 from ..environment import ExecutionEnvironment
+from .path_approval import PathRestrictionConfig, is_path_allowed, require_path_approval
 
 
 class WriteInput(BaseModel):
@@ -19,22 +27,43 @@ class WriteInput(BaseModel):
     content: str = Field(description="Content to write to the file")
 
 
+class WriteToolConfig(BaseModel):
+    """Configuration for the write tool."""
+
+    approval: Literal["always", "none"] | None = None
+    path_config: PathRestrictionConfig | None = None
+
+
 def create_write_tool(
     get_env: Callable[[], Awaitable[ExecutionEnvironment]],
-    approval: Literal["always", "none"] | None = None,
+    config: WriteToolConfig | None = None,
 ) -> Tool:
     """Create the write tool for writing file contents.
 
     Args:
         get_env: Async callable that returns the shared ExecutionEnvironment.
-        approval: Optional approval mode ('always' requires user approval before write).
+        config: Optional configuration with approval mode and/or path restriction.
 
     Returns:
         A Tool instance for write.
     """
 
     async def handler(ctx: WorkflowContext, input: WriteInput) -> dict[str, Any]:
         env = await get_env()
+
+        # Path-restricted approval: approve if outside cwd, skip if inside
+        if (
+            not (config and config.approval)
+            and config
+            and config.path_config
+            and config.path_config.path_restriction
+        ):
+            resolved = os.path.abspath(os.path.join(env.get_cwd(), input.path))
+            if not is_path_allowed(resolved, config.path_config.path_restriction):
+                await require_path_approval(
+                    ctx, "write", resolved, config.path_config.path_restriction
+                )
+
         await env.write_file(input.path, input.content)
         return {"success": True, "path": input.path}
 
@@ -52,7 +81,7 @@ async def wrapped_func(ctx: WorkflowContext, payload: dict[str, Any] | None):
         ),
         parameters=WriteInput.model_json_schema(),
         func=wrapped_func,
-        approval=approval,
+        approval="always" if config and config.approval == "always" else None,
     )
     tool._input_schema_class = WriteInput
     return tool

sdk/typescript/src/execution/sandbox-tools.ts

@@ -103,14 +103,24 @@ export function sandboxTools(config?: SandboxToolsConfig): ToolWorkflow[] {
       ? { ...config?.exec, security: 'approval-always' }
       : config?.exec;
 
-  // For local mode, default file-mutating tools (write, edit) to approval-always
-  const fileApproval = config?.fileApproval ?? (envType === 'local' ? 'always' : undefined);
-
-  // Path restriction for read-only tools (read, glob, grep) — approval gate
+  // Path restriction — used by read, write, edit, glob, grep for approval gating
   const pathConfig = config?.local?.pathRestriction
     ? { pathRestriction: config.local.pathRestriction }
     : undefined;
 
+  // fileApproval overrides path-restriction behavior for write/edit.
+  // 'always' = approve every write/edit regardless of path.
+  // 'none' = never approve (skip path restriction too).
+  // undefined = use path restriction (approve only outside cwd).
+  const fileApproval = config?.fileApproval;
+
+  // Build write/edit config: explicit approval overrides path restriction
+  const writeEditConfig = fileApproval
+    ? { approval: fileApproval }
+    : pathConfig
+      ? { pathConfig }
+      : undefined;
+
   // Determine which tools to include
   const include = new Set(
     config?.tools ?? (['exec', 'read', 'write', 'edit', 'glob', 'grep'] as const)
@@ -120,8 +130,8 @@ export function sandboxTools(config?: SandboxToolsConfig): ToolWorkflow[] {
 
   if (include.has('exec')) tools.push(createExecTool(getEnv, effectiveExecConfig));
   if (include.has('read')) tools.push(createReadTool(getEnv, pathConfig));
-  if (include.has('write')) tools.push(createWriteTool(getEnv, fileApproval));
-  if (include.has('edit')) tools.push(createEditTool(getEnv, fileApproval));
+  if (include.has('write')) tools.push(createWriteTool(getEnv, writeEditConfig));
+  if (include.has('edit')) tools.push(createEditTool(getEnv, writeEditConfig));
   if (include.has('glob')) tools.push(createGlobTool(getEnv, pathConfig));
   if (include.has('grep')) tools.push(createGrepTool(getEnv, pathConfig));
 

sdk/typescript/src/execution/tools/edit.ts

@@ -1,18 +1,33 @@
 /**
  * Edit tool — find-and-replace text in files in the execution environment.
+ *
+ * When pathRestriction is set, edits within the restriction proceed
+ * without approval. Edits outside the restriction suspend for user approval.
+ * Set approval to 'always' to require approval for every edit, or 'none'
+ * to skip approval entirely (overrides path restriction).
  */
 
+import { resolve } from 'node:path';
 import { z } from 'zod';
 import { defineTool } from '../../core/tool.js';
 import type { ToolWorkflow, ToolApproval } from '../../core/tool.js';
 import type { ExecutionEnvironment } from '../types.js';
+import type { PathRestrictionConfig } from './path-approval.js';
+import { isPathAllowed, requirePathApproval } from './path-approval.js';
+
+export interface EditToolConfig {
+  /** Explicit approval override. 'always' = approve every edit, 'none' = never approve. */
+  approval?: ToolApproval;
+  /** Path restriction config — edits inside are allowed, outside require approval. */
+  pathConfig?: PathRestrictionConfig;
+}
 
 /**
  * Create the edit tool for find-and-replace in files.
  */
 export function createEditTool(
   getEnv: () => Promise<ExecutionEnvironment>,
-  approval?: ToolApproval
+  config?: EditToolConfig
 ): ToolWorkflow {
   return defineTool(
     {
@@ -25,10 +40,20 @@ export function createEditTool(
         old_text: z.string().describe('Exact text to find and replace'),
         new_text: z.string().describe('Text to replace the old_text with'),
       }),
-      approval,
+      // Only use blanket approval if explicitly set to 'always'
+      approval: config?.approval === 'always' ? 'always' : undefined,
     },
-    async (_ctx, input) => {
+    async (ctx, input) => {
       const env = await getEnv();
+
+      // Path-restricted approval: approve if outside cwd, skip if inside
+      if (!config?.approval && config?.pathConfig?.pathRestriction) {
+        const resolved = resolve(env.getCwd(), input.path);
+        if (!isPathAllowed(resolved, config.pathConfig.pathRestriction)) {
+          await requirePathApproval(ctx, 'edit', resolved, config.pathConfig.pathRestriction);
+        }
+      }
+
       const content = await env.readFile(input.path);
 
       if (!content.includes(input.old_text)) {

sdk/typescript/src/execution/tools/path-approval.ts

@@ -1,7 +1,7 @@
 /**
- * Path-based approval for read-only sandbox tools.
+ * Path-based approval for sandbox tools.
  *
- * When pathRestriction is set, read-only tools (read, glob, grep) allow
+ * When pathRestriction is set, tools (read, write, edit, glob, grep) allow
  * operations within the restricted path without approval. Operations
  * outside the restriction suspend for user approval.
  */

sdk/typescript/src/execution/tools/write.ts

@@ -1,18 +1,33 @@
 /**
  * Write tool — create or overwrite files in the execution environment.
+ *
+ * When pathRestriction is set, writes within the restriction proceed
+ * without approval. Writes outside the restriction suspend for user approval.
+ * Set approval to 'always' to require approval for every write, or 'none'
+ * to skip approval entirely (overrides path restriction).
  */
 
+import { resolve } from 'node:path';
 import { z } from 'zod';
 import { defineTool } from '../../core/tool.js';
 import type { ToolWorkflow, ToolApproval } from '../../core/tool.js';
 import type { ExecutionEnvironment } from '../types.js';
+import type { PathRestrictionConfig } from './path-approval.js';
+import { isPathAllowed, requirePathApproval } from './path-approval.js';
+
+export interface WriteToolConfig {
+  /** Explicit approval override. 'always' = approve every write, 'none' = never approve. */
+  approval?: ToolApproval;
+  /** Path restriction config — writes inside are allowed, outside require approval. */
+  pathConfig?: PathRestrictionConfig;
+}
 
 /**
  * Create the write tool for writing file contents.
  */
 export function createWriteTool(
   getEnv: () => Promise<ExecutionEnvironment>,
-  approval?: ToolApproval
+  config?: WriteToolConfig
 ): ToolWorkflow {
   return defineTool(
     {
@@ -24,10 +39,20 @@ export function createWriteTool(
         path: z.string().describe('Path to the file to write'),
         content: z.string().describe('Content to write to the file'),
       }),
-      approval,
+      // Only use blanket approval if explicitly set to 'always'
+      approval: config?.approval === 'always' ? 'always' : undefined,
     },
-    async (_ctx, input) => {
+    async (ctx, input) => {
       const env = await getEnv();
+
+      // Path-restricted approval: approve if outside cwd, skip if inside
+      if (!config?.approval && config?.pathConfig?.pathRestriction) {
+        const resolved = resolve(env.getCwd(), input.path);
+        if (!isPathAllowed(resolved, config.pathConfig.pathRestriction)) {
+          await requirePathApproval(ctx, 'write', resolved, config.pathConfig.pathRestriction);
+        }
+      }
+
       await env.writeFile(input.path, input.content);
       return { success: true, path: input.path };
     }

server/src/commands/dev.rs

@@ -151,9 +151,9 @@ pub async fn run(worker_port: u16) -> Result<()> {
                     }
 
                     if let Ok(Ok(events)) = fs_rx.try_recv() {
-                        let has_relevant = events.iter().any(|e| {
-                            e.kind == DebouncedEventKind::Any && is_source_file(&e.path)
-                        });
+                        let has_relevant = events
+                            .iter()
+                            .any(|e| e.kind == DebouncedEventKind::Any && is_source_file(&e.path));
                         if has_relevant {
                             println!("File change detected. Restarting worker...");
                             match spawn_worker(&cmd, &args, &worker_env) {