Skip to content

fix: resolve open tool correctness and security issues#1013

Merged
yvgude merged 5 commits into
mainfrom
codex/premium-open-issues
Jul 18, 2026
Merged

fix: resolve open tool correctness and security issues#1013
yvgude merged 5 commits into
mainfrom
codex/premium-open-issues

Conversation

@yvgude

@yvgude yvgude commented Jul 18, 2026

Copy link
Copy Markdown
Owner

Summary

Root causes

The open issues came from four independent gaps: conversation identity was not propagated on every host, batch patch paths were validated at the wrong level, action-dispatched schemas described only unconditional required fields, and shell execution had two policy paths with different enforcement.

Validation

  • cargo test --lib: 7,905 tests exercised; the only transient unrelated timing test was rerun successfully
  • cargo clippy --all-targets -- -D warnings
  • generated MCP documentation check
  • core tool token-budget regression test
  • push preflight CI-parity gate

Closes #1003
Closes #1004
Closes #1005
Closes #1008
Closes #1010
Closes #1011

andig and others added 5 commits July 18, 2026 10:58
…1004)

ctx_read(mode=full) could serve an [unchanged] stub on the first read of a
file in a new session, pointing the model at content that session never
received. The conversation-scope gate already re-delivers full content to a
different conversation, but only Cursor supplied a scope id (conversation_id).
Claude Code / Codex / CodeBuddy send session_id and no conversation_id, so
current_conversation_id() resolved None and the gate fell through to the
legacy "allow stub" path — a new session inherited the prior one's stubs.

Persist session_id into active_transcript.json and use it as the scope-id
fallback (conversation_id.or(session_id)). This reuses the existing
warm/cold/concurrency/subagent gate, so every tool that funnels through the
shared read cache is covered. New session -> new id -> full re-read; resume
-> same id -> stub valid; /clear -> new id -> re-read.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…path (#1005)

ctx_patch rejected valid batch calls with `-32602: path is required`. The
schema declared `required: ["path"]` and the handler called
require_resolved_path unconditionally, so a documented batch
(`ops:[{op, path, ...}]`) was refused before execution. The impl also only
ever applied ops to one shared `params.path`, so the advertised cross-file
batch never actually worked.

Fixes:
- Schema: drop `path` from `required`; top-level `path` is optional when `ops`
  is present.
- Handler: `plan_groups` groups batch ops by each op's own `path` (falling
  back to the top-level `path`), resolves+write-gates each file, and applies
  them per file via the shared `apply_one` (extracted from the old inline
  body, reused by the single-op path too). A batch may now span files.

Also softens ctx_read's `mode` docs, which overclaimed "REQUIRED" though the
param is optional and defaults to auto (#1005 item 2).

Item 3 (modeling action-conditional requirements across ctx_execute /
ctx_search with oneOf/if-then) is left as a follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@yvgude
yvgude merged commit f6374f7 into main Jul 18, 2026
26 checks passed
@yvgude
yvgude deleted the codex/premium-open-issues branch July 18, 2026 10:51
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.