feat(core): use shell for file operations under sandboxing

When `security.toolSandboxing` is enabled, the CLI now excludes the lower-fidelity
tools (`grep_search`, `replace`, `write_file`, `read_file`) from the main agent.
Instead, it relies on `run_shell_command` (e.g. `sed`, `grep`, `cat`, `echo >`)
to perform these actions.

To maintain UX and telemetry parity, `run_shell_command` now infers common file
operations. When detected:
- The UI title is updated to a high-fidelity display (e.g. "Shell (Read File)",
  "Shell (Replace)").
- File editing/writing commands (like `sed -i` or `echo >`) generate a predicted
  diff view for the user during confirmation.
- The execution emits the standard `FileOperationEvent` telemetry using the
  canonical tool names, ensuring metrics consistency.
Christian Gunderman
2026-04-13 19:23:50 -07:00
parent 9cf410478c
commit 44d8db20c8
9 changed files with 523 additions and 7 deletions
+1 -1
@@ -42,7 +42,7 @@ export function mapToDisplay(
if (call.status === CoreToolCallStatus.Error) {
description = JSON.stringify(call.request.args);
} else {
description = call.invocation.getDescription();
description = typeof call.invocation.getDisplayTitle === 'function' ? call.invocation.getDisplayTitle() : call.invocation.getDescription();
renderOutputAsMarkdown = call.tool.isOutputMarkdown;
}
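Review bot: On the new `description = typeof call.invocation.getDisplayTitle === 'function' ? ...` line, the display title replaces the description instead of accompanying it, so whenever an invocation exposes `getDisplayTitle()` the text from `getDescription()` no longer reaches `description` in this branch. The commit message describes the title as an inferred label such as "Shell (Read File)"; if `getDescription()` is what carries the actual command string for `run_shell_command`, the user would see only the inferred label, and a wrong inference would mislabel what is being run. Consider leaving `description` as `call.invocation.getDescription()` and passing the display title through a separate field so both are shown. The runtime `typeof ... === 'function'` check also suggests `getDisplayTitle` is not declared on the invocation type; declaring it as an optional method and calling `call.invocation.getDisplayTitle?.() ?? call.invocation.getDescription()` would be shorter and type-checked.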