fix(workflows): validate requires keys and reject phantom permissions gate#3079
fix(workflows): validate requires keys and reject phantom permissions gate#3079zied-jlassi wants to merge 3 commits into
Conversation
… gate A workflow's `requires` block was parsed but its keys were never validated, so a typo or an unsupported key was silently ignored. Most importantly, authors could write `requires.permissions.shell: true` expecting a runtime capability gate — but no such gate exists: a `shell` step always runs with the user's privileges. The declaration gave a false sense of sandboxing. `validate_workflow` now accepts only the recognised keys (`speckit_version`, `integrations`, `tools`, `mcp`) and rejects anything else, with an explicit error for `requires.permissions` pointing authors to `gate` steps for approval. Docs and the model comment are updated to state that `requires` is advisory, not a security boundary. - Reject non-mapping `requires`, unknown keys, and `requires.permissions` - Clarify workflows reference + PUBLISHING.md shell-step guidance - Tests for valid keys, non-mapping, unknown key, and permissions Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com> Assisted-by: AI
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Tightens workflow validation so requires: only accepts known keys and explicitly rejects requires.permissions to avoid implying a non-existent runtime permission gate.
Changes:
- Add validation for
requirestype and allowed keys; rejectrequires.permissionswith a clear error. - Add tests covering valid/invalid
requirescases (unknown keys, non-mapping, permissions). - Update docs to clarify
shellruns with user privileges andrequiresis advisory.
Show a summary per file
| File | Description |
|---|---|
| workflows/PUBLISHING.md | Documents shell privilege model and that requires is advisory (no permissions gate). |
| tests/test_workflows.py | Adds tests for requires validation behavior (recognized keys, non-mapping, unknown key, permissions). |
| src/specify_cli/workflows/engine.py | Implements requires key/type validation and explicit rejection of requires.permissions. |
| docs/reference/workflows.md | Adds a security note about shell steps and (intended) advisory nature of requires. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 4
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Please address Copilot feedback
Follow-up to the review on github#3079: - Guard `requires` validation on `is not None` instead of truthiness so a falsy non-mapping value (e.g. `requires: []` or `requires: ''`) is reported as an error instead of being silently skipped; `requires:` (YAML null) is still treated as an omitted block. Add a regression test. - Reword the workflows security note so `requires.permissions` is shown as rejected/unsupported rather than as a valid example of `requires`. - Standardize on US spelling (`_RECOGNIZED_REQUIRES_KEYS`, "recognized") to match the surrounding code and ease searching. - Tighten the permissions-rejection test to assert on specific message markers (`requires.permissions` and the `gate` guidance) so it fails if the validation path or wording drifts. Assisted-by: AI Signed-off-by: Zied Jlassi (Architect AI) <6190550+zied-jlassi@users.noreply.github.com>
|
Please address Copilot feedback |
|
Thanks @mnriem — addressed the Copilot feedback in the latest commit:
Validation: |
| | `fan-out` | Dispatch a step for each item in a list | | ||
| | `fan-in` | Aggregate results from a fan-out step | | ||
|
|
||
| > **Security note:** a `shell` step runs a local command with **your** privileges. There is no capability sandbox — `requires` is an advisory pre-condition block (spec-kit version, integrations), not a runtime gate, so it does **not** restrict what a step can do. In particular there is no `requires.permissions` capability gate: it is rejected by validation precisely because it would imply a sandbox that does not exist. Review any catalog or downloaded workflow before running it, and use a `gate` step to require explicit approval before sensitive or destructive shell commands. |
|
The core fix is solid — validating One change needed before this lands: drop
So for workflows, Please:
Expanding the recognized |
…s/mcp) tools and mcp belong to the bundle manifest requires schema (bundler/models/manifest.py, resolved in bundler/services/resolver.py), not the workflow requires validated here. Drop them from _RECOGNIZED_REQUIRES_KEYS and revert the PUBLISHING.md claim that this PR had introduced, so workflow requires only recognizes speckit_version and integrations. This keeps the existing docs accurate and resolves the inline doc-consistency review comments. Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
|
Thanks @mnriem — agreed, and you're right about the scope. I've dropped Root cause on my side: I'd sourced those two keys from the bundle manifest Validation: |
| # Advisory pre-conditions (spec-kit version / integrations a workflow | ||
| # expects). Validated by ``validate_workflow`` (recognized keys only; | ||
| # see ``_RECOGNIZED_REQUIRES_KEYS``) but NOT enforced at run time — they | ||
| # are not a security boundary. In particular there is no | ||
| # ``requires.permissions`` capability gate: shell steps always run with | ||
| # the user's privileges. | ||
| self.requires: dict[str, Any] = data.get("requires", {}) |
| # Keys accepted under a workflow's ``requires`` block: the advisory | ||
| # pre-conditions documented for workflows (``speckit_version`` and | ||
| # ``integrations``). This is the *workflow* schema only — the bundle manifest's | ||
| # ``requires`` (see ``bundler/models/manifest.py``) is a separate schema that | ||
| # also carries ``tools``/``mcp``; those are not workflow ``requires`` keys. | ||
| # Any other key — notably ``permissions`` — is rejected by ``validate_workflow`` | ||
| # so it is never mistaken for an enforced runtime control. | ||
| _RECOGNIZED_REQUIRES_KEYS = frozenset({"speckit_version", "integrations"}) |
|
Please address Copilot feedback |
Description
A workflow's
requires:block was parsed (WorkflowDefinition.requires) but its keys were never validated, so a typo or an unsupported key was silently ignored.Most importantly, an author could write:
expecting a runtime capability gate — but no such gate exists. A
shellstep always runs with the user's privileges, so this declaration gives a false sense of sandboxing. (This came up in #2440, where it was understandably assumed that such a declaration was already enforced.)This PR makes
validate_workflowhonest aboutrequires:speckit_version,integrations,tools,mcp.requires.permissionsis rejected with an explicit message pointing authors at agatestep for approval, so nobody mistakes it for a security boundary.It does not add any per-step permission system or runtime prompt —
requiresstays advisory. The model comment and the docs (docs/reference/workflows.md,workflows/PUBLISHING.md) are updated to say so plainly.Testing
pytest(full suite green, no regressions)uv run specify --helprequires, unknown key, andrequires.permissionsValidation is reached on the user-facing paths (
workflow add/info/run), so the new errors actually surface.AI Disclosure
AI assistance (an AI coding agent) was used for the initial code review that surfaced the issue, and to help draft the implementation, tests, and documentation wording. All changes were reviewed and verified by me (red→green tests, full suite,
ruff) before submitting.