From 87cb643aee430c238eb254f84590766fe4010f28 Mon Sep 17 00:00:00 2001 From: Spencer Date: Fri, 6 Mar 2026 22:43:20 +0000 Subject: [PATCH] feat: restore ALWAYS_ALLOW_PRIORITY and disable autoAddToPolicyByDefault --- packages/cli/src/config/settingsSchema.ts | 2 +- packages/core/src/policy/config.ts | 20 +++++++++++++------ packages/core/src/policy/persistence.test.ts | 6 ++++-- .../core/src/policy/policy-updater.test.ts | 3 +-- packages/core/src/policy/utils.ts | 15 -------------- 5 files changed, 20 insertions(+), 26 deletions(-) diff --git a/packages/cli/src/config/settingsSchema.ts b/packages/cli/src/config/settingsSchema.ts index c9bca5f460..0e96c88b24 100644 --- a/packages/cli/src/config/settingsSchema.ts +++ b/packages/cli/src/config/settingsSchema.ts @@ -1501,7 +1501,7 @@ const SETTINGS_SCHEMA = { label: 'Auto-add to Policy by Default', category: 'Security', requiresRestart: false, - default: true, + default: false, description: oneLine` When enabled, the "Allow for all future sessions" option becomes the default choice for low-risk tools in trusted workspaces. diff --git a/packages/core/src/policy/config.ts b/packages/core/src/policy/config.ts index fc52ce8427..1336ce0bce 100644 --- a/packages/core/src/policy/config.ts +++ b/packages/core/src/policy/config.ts @@ -19,12 +19,7 @@ import { } from './types.js'; import type { PolicyEngine } from './policy-engine.js'; import { loadPoliciesFromToml, type PolicyFileError } from './toml-loader.js'; -import { - buildArgsPatterns, - isSafeRegExp, - ALWAYS_ALLOW_PRIORITY, - getAlwaysAllowPriorityFraction, -} from './utils.js'; +import { buildArgsPatterns, isSafeRegExp } from './utils.js'; import toml from '@iarna/toml'; import { MessageBusType, @@ -59,6 +54,19 @@ export const ALLOWED_TOOLS_FLAG_PRIORITY = USER_POLICY_TIER + 0.3; export const TRUSTED_MCP_SERVER_PRIORITY = USER_POLICY_TIER + 0.2; export const ALLOWED_MCP_SERVER_PRIORITY = USER_POLICY_TIER + 0.1; +// These are added to the tier base (e.g., USER_POLICY_TIER). +// Workspace tier (3) + high priority (950/1000) = ALWAYS_ALLOW_PRIORITY +export const ALWAYS_ALLOW_PRIORITY = 3.95; + +/** + * Returns the fractional priority of ALWAYS_ALLOW_PRIORITY scaled to 1000. + */ +export function getAlwaysAllowPriorityFraction(): number { + return Math.round( + (ALWAYS_ALLOW_PRIORITY - Math.floor(ALWAYS_ALLOW_PRIORITY)) * 1000, + ); +} + /** * Gets the list of directories to search for policy files, in order of increasing priority * (Default -> Extension -> Workspace -> User -> Admin). diff --git a/packages/core/src/policy/persistence.test.ts b/packages/core/src/policy/persistence.test.ts index fd445afc40..488708645c 100644 --- a/packages/core/src/policy/persistence.test.ts +++ b/packages/core/src/policy/persistence.test.ts @@ -6,8 +6,10 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'; import * as path from 'node:path'; -import { createPolicyUpdater } from './config.js'; -import { getAlwaysAllowPriorityFraction } from './utils.js'; +import { + createPolicyUpdater, + getAlwaysAllowPriorityFraction, +} from './config.js'; import { PolicyEngine } from './policy-engine.js'; import { MessageBus } from '../confirmation-bus/message-bus.js'; import { MessageBusType } from '../confirmation-bus/types.js'; diff --git a/packages/core/src/policy/policy-updater.test.ts b/packages/core/src/policy/policy-updater.test.ts index fdc65a4542..3037667949 100644 --- a/packages/core/src/policy/policy-updater.test.ts +++ b/packages/core/src/policy/policy-updater.test.ts @@ -6,8 +6,7 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'; import * as fs from 'node:fs/promises'; -import { createPolicyUpdater } from './config.js'; -import { ALWAYS_ALLOW_PRIORITY } from './utils.js'; +import { createPolicyUpdater, ALWAYS_ALLOW_PRIORITY } from './config.js'; import { PolicyEngine } from './policy-engine.js'; import { MessageBus } from '../confirmation-bus/message-bus.js'; import { MessageBusType } from '../confirmation-bus/types.js'; diff --git a/packages/core/src/policy/utils.ts b/packages/core/src/policy/utils.ts index f79e865700..266ac6820c 100644 --- a/packages/core/src/policy/utils.ts +++ b/packages/core/src/policy/utils.ts @@ -4,21 +4,6 @@ * SPDX-License-Identifier: Apache-2.0 */ -/** - * Priority used for user-defined "Always allow" rules. - * This is above extension rules but below user-defined TOML rules. - */ -export const ALWAYS_ALLOW_PRIORITY = 3.95; - -/** - * Returns the fractional priority of ALWAYS_ALLOW_PRIORITY scaled to 1000. - */ -export function getAlwaysAllowPriorityFraction(): number { - return Math.round( - (ALWAYS_ALLOW_PRIORITY - Math.floor(ALWAYS_ALLOW_PRIORITY)) * 1000, - ); -} - /** * Escapes a string for use in a regular expression. */