Skip to content

Messaging security: restricted default tool set and input sanitization #690

Description

@kovtcharov

Problem

Messaging adapters introduce untrusted external input from potentially hostile users. This is fundamentally different from the desktop UI where the local user is trusted.

Default Tool Set (read-only)

Messaging users get a restricted tool set by default:

  • query_documents, search_indexed_chunks, list_indexed_documents, summarize_document, search_web

Opt-in tools (require explicit config per adapter):

  • read_file, write_file, edit_file, run_shell_command, search_code, list_files

Input Sanitization

  • Strip platform-specific formatting from messages
  • Enforce message length limits (4096 chars)
  • Filter injection patterns
  • Validate message encoding

Acceptance Criteria

  • Default tool set is read-only for all messaging adapters
  • Tool set configurable per-adapter in messaging.yaml
  • Input sanitized before reaching the agent
  • Message length enforced
  • write_file and shell NEVER available over messaging unless explicitly enabled

Dependencies

Metadata

Metadata

Assignees

No one assigned

    Labels

    agentdomain:automationScheduler, autonomy, RAG, web search, watchers, researchenhancementNew feature or requestp1medium prioritysecuritySecurity-sensitive changestrack:consumer-appConsumer product track — mobile-first: voice + messaging + memory + skills

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions