fix(workflows): validate requires keys and reject phantom permissions gate#3079
fix(workflows): validate requires keys and reject phantom permissions gate#3079zied-jlassi wants to merge 5 commits into
Conversation
… gate A workflow's `requires` block was parsed but its keys were never validated, so a typo or an unsupported key was silently ignored. Most importantly, authors could write `requires.permissions.shell: true` expecting a runtime capability gate — but no such gate exists: a `shell` step always runs with the user's privileges. The declaration gave a false sense of sandboxing. `validate_workflow` now accepts only the recognised keys (`speckit_version`, `integrations`, `tools`, `mcp`) and rejects anything else, with an explicit error for `requires.permissions` pointing authors to `gate` steps for approval. Docs and the model comment are updated to state that `requires` is advisory, not a security boundary. - Reject non-mapping `requires`, unknown keys, and `requires.permissions` - Clarify workflows reference + PUBLISHING.md shell-step guidance - Tests for valid keys, non-mapping, unknown key, and permissions Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com> Assisted-by: AI
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Tightens workflow validation so requires: only accepts known keys and explicitly rejects requires.permissions to avoid implying a non-existent runtime permission gate.
Changes:
- Add validation for
requirestype and allowed keys; rejectrequires.permissionswith a clear error. - Add tests covering valid/invalid
requirescases (unknown keys, non-mapping, permissions). - Update docs to clarify
shellruns with user privileges andrequiresis advisory.
Show a summary per file
| File | Description |
|---|---|
| workflows/PUBLISHING.md | Documents shell privilege model and that requires is advisory (no permissions gate). |
| tests/test_workflows.py | Adds tests for requires validation behavior (recognized keys, non-mapping, unknown key, permissions). |
| src/specify_cli/workflows/engine.py | Implements requires key/type validation and explicit rejection of requires.permissions. |
| docs/reference/workflows.md | Adds a security note about shell steps and (intended) advisory nature of requires. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 4
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Please address Copilot feedback
Follow-up to the review on github#3079: - Guard `requires` validation on `is not None` instead of truthiness so a falsy non-mapping value (e.g. `requires: []` or `requires: ''`) is reported as an error instead of being silently skipped; `requires:` (YAML null) is still treated as an omitted block. Add a regression test. - Reword the workflows security note so `requires.permissions` is shown as rejected/unsupported rather than as a valid example of `requires`. - Standardize on US spelling (`_RECOGNIZED_REQUIRES_KEYS`, "recognized") to match the surrounding code and ease searching. - Tighten the permissions-rejection test to assert on specific message markers (`requires.permissions` and the `gate` guidance) so it fails if the validation path or wording drifts. Assisted-by: AI Signed-off-by: Zied Jlassi (Architect AI) <6190550+zied-jlassi@users.noreply.github.com>
|
Please address Copilot feedback |
|
Thanks @mnriem — addressed the Copilot feedback in the latest commit:
Validation: |
|
The core fix is solid — validating One change needed before this lands: drop
So for workflows, Please:
Expanding the recognized |
…s/mcp) tools and mcp belong to the bundle manifest requires schema (bundler/models/manifest.py, resolved in bundler/services/resolver.py), not the workflow requires validated here. Drop them from _RECOGNIZED_REQUIRES_KEYS and revert the PUBLISHING.md claim that this PR had introduced, so workflow requires only recognizes speckit_version and integrations. This keeps the existing docs accurate and resolves the inline doc-consistency review comments. Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
|
Thanks @mnriem — agreed, and you're right about the scope. I've dropped Root cause on my side: I'd sourced those two keys from the bundle manifest Validation: |
|
Please address Copilot feedback |
…dation self.requires holds the raw parsed value, which before validate_workflow() runs may be a non-mapping (None for a bare 'requires:', a list for 'requires: []', etc.). Annotating it dict[str, Any] was misleading for editors/type-checkers; use Any and document that validate_workflow() enforces the mapping shape. Addresses Copilot review feedback on engine.py. Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
|
Thanks @mnriem — addressed the latest Copilot feedback:
Validation: |
| # Guard on ``is not None`` rather than truthiness: a falsy but non-mapping | ||
| # value (e.g. ``requires: []`` or ``requires: ''``) is still an authoring | ||
| # error and must surface, whereas ``requires:`` (YAML null) is treated as | ||
| # an omitted block. | ||
| if definition.requires is not None: | ||
| if not isinstance(definition.requires, dict): | ||
| errors.append( | ||
| "'requires' must be a mapping (or omitted)." | ||
| ) | ||
| else: | ||
| for key in definition.requires: | ||
| if key == "permissions": | ||
| errors.append( | ||
| "'requires.permissions' is not a recognized or " | ||
| "enforced capability gate — shell steps always run " | ||
| "with the user's privileges. Remove it and gate " | ||
| "sensitive steps with a 'gate' step instead." | ||
| ) | ||
| elif key not in _RECOGNIZED_REQUIRES_KEYS: | ||
| errors.append( | ||
| f"Unknown 'requires' key {key!r}. Recognized keys: " | ||
| f"{', '.join(sorted(_RECOGNIZED_REQUIRES_KEYS))}." | ||
| ) | ||
|
|
| def test_requires_must_be_mapping(self): | ||
| from specify_cli.workflows.engine import WorkflowDefinition, validate_workflow | ||
|
|
||
| definition = WorkflowDefinition.from_string(""" | ||
| workflow: | ||
| id: "test" | ||
| name: "Test" | ||
| version: "1.0.0" | ||
| requires: "claude" | ||
| steps: | ||
| - id: step-one | ||
| command: speckit.specify | ||
| """) | ||
| errors = validate_workflow(definition) | ||
| assert any("'requires' must be a mapping" in e for e in errors) | ||
|
|
|
Please address Copilot feedback |
Address Copilot review: validate requires the same way as inputs. A
bare requires: parses as YAML null and was previously treated as an
omitted block, which is inconsistent with inputs and lets a stray
requires: line be silently ignored.
Drop the is-not-None guard and check isinstance(..., dict) directly: an
omitted block still defaults to {} (valid), but a present-but-non-mapping
value -- YAML null, [] or '' -- is now an authoring error that surfaces.
Tests: add YAML-null rejection + an omitted-is-still-valid guard test.
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
|
Thanks @mnriem — addressed the Copilot feedback in
Tests: added Verified in an isolated container against the repo's own toolchain:
|
Description
A workflow's
requires:block was parsed (WorkflowDefinition.requires) but its keys were never validated, so a typo or an unsupported key was silently ignored.Most importantly, an author could write:
expecting a runtime capability gate — but no such gate exists. A
shellstep always runs with the user's privileges, so this declaration gives a false sense of sandboxing. (This came up in #2440, where it was understandably assumed that such a declaration was already enforced.)This PR makes
validate_workflowhonest aboutrequires:speckit_version,integrations.requires.permissionsis rejected with an explicit message pointing authors at agatestep for approval, so nobody mistakes it for a security boundary.It does not add any per-step permission system or runtime prompt —
requiresstays advisory. The model comment and the docs (docs/reference/workflows.md,workflows/PUBLISHING.md) are updated to say so plainly.Testing
pytest(full suite green, no regressions)uv run specify --helprequires, unknown key, andrequires.permissionsValidation is reached on the user-facing paths (
workflow add/info/run), so the new errors actually surface.AI Disclosure
AI assistance (an AI coding agent) was used for the initial code review that surfaced the issue, and to help draft the implementation, tests, and documentation wording. All changes were reviewed and verified by me (red→green tests, full suite,
ruff) before submitting.