All 3 cloud models converged on a real access-control bug; fixed it + the
other genuine findings (the false-positives were dropped):
Security (HIGH — all 3 models):
- create_file_url skipped ValidateScope: a same-skill caller could mint a
PUBLIC url for a file scoped to another user/run. Now runs ValidateScope
(admin-aware), skipped only for the descendant-grant case — mirroring the
read tools.
Other real fixes:
- ValidateScope hard-coded `false` at every call site (admin branch dead) ->
pass inv.CallerIsAdmin (the executor sets it via the host AdminPolicy; still
false/fail-closed when no admin). Stale "no admin flag" comment corrected.
- create_file_url: ExpiresInSeconds clamped BEFORE the *time.Second multiply
(huge values overflowed to a negative duration that slipped under the cap,
minting already-expired tokens); swallowed json.Marshal error now returned.
- RegisterMeta: build the default budget WITH the configured MaxPerRun (was
NewInMemorySearchBudget(nil) -> hardcoded 10, ignoring MetaDeps.MaxPerRun).
- classify: all-zero scores no longer return a false-positive top-1 winner;
coerceClassifyScore uses strconv.ParseFloat (rejects trailing garbage like
"50extra" that fmt.Sscanf silently accepted).
- file_delete: honor the descendant grant (parent can clean up a worker's
artifacts) — was the lone cross-skill-reject-outright file tool.
- meta tools: input caps truncate at a UTF-8 rune boundary (truncateUTF8), not
mid-rune.
- think: removed the dead `var _ = fmt.Errorf` import-keeper; file_save default
aligned to 16 MiB (matched RegisterStore).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
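
The expiry overflow, the strict score parsing and the rune-boundary truncation described in the first commit above, as an added Go example that is not the project's code: the names naiveTTL, clampedTTL, strictScore, looseScore and truncateUTF8, the one-hour cap maxURLTTL and the sample inputs are all assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"time"
	"unicode/utf8"
)

// maxURLTTL is a constructed cap for this example, not the project's value.
const maxURLTTL = time.Hour

// naiveTTL mirrors the pre-fix ordering: multiply first, clamp afterwards.
// For a huge ExpiresInSeconds the int64 multiply wraps to a negative
// Duration, which a "d > max" cap never touches, so the token is born expired.
func naiveTTL(expiresInSeconds int64) time.Duration {
	d := time.Duration(expiresInSeconds) * time.Second // may wrap negative
	if d > maxURLTTL {
		d = maxURLTTL
	}
	return d
}

// clampedTTL clamps the second count BEFORE converting to a Duration, so the
// multiplication cannot overflow; non-positive requests are rejected outright.
func clampedTTL(expiresInSeconds int64) (time.Duration, error) {
	maxSeconds := int64(maxURLTTL / time.Second)
	if expiresInSeconds <= 0 {
		return 0, errors.New("expires_in_seconds must be positive")
	}
	if expiresInSeconds > maxSeconds {
		expiresInSeconds = maxSeconds
	}
	return time.Duration(expiresInSeconds) * time.Second, nil
}

// strictScore requires the whole string to be a number: "50abc" is an error.
func strictScore(s string) (float64, error) {
	return strconv.ParseFloat(s, 64)
}

// looseScore shows the fmt.Sscanf behaviour: it stops after the numeric
// token and ignores trailing input, so "50abc" parses as 50 with no error.
func looseScore(s string) (float64, error) {
	var f float64
	_, err := fmt.Sscanf(s, "%g", &f)
	return f, err
}

// truncateUTF8 cuts s to at most max bytes, backing up to the start of the
// rune that straddles the cut so the result is always valid UTF-8.
func truncateUTF8(s string, max int) string {
	if len(s) <= max {
		return s
	}
	cut := max
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut]
}

func main() {
	fmt.Println("naive TTL for MaxInt64 seconds:", naiveTTL(math.MaxInt64))
	d, err := clampedTTL(math.MaxInt64)
	fmt.Println("clamped TTL for MaxInt64 seconds:", d, err)
	_, err = strictScore("50abc")
	fmt.Println("strict parse of \"50abc\":", err)
	f, err := looseScore("50abc")
	fmt.Println("loose parse of \"50abc\":", f, err)
	naive := "héllo"[:2] // constructed input: splits the 2-byte é
	fmt.Println("naive byte cut valid UTF-8?", utf8.ValidString(naive))
	fmt.Println("rune-aware cut:", truncateUTF8("héllo", 2))
}
```

With a cap of one hour, naiveTTL(math.MaxInt64) wraps to exactly -1s (MaxInt64 times 1e9 modulo 2^64 is -1e9 nanoseconds), so time.Now().Add(d) is already in the past; clamping the integer first makes the overflow impossible rather than relying on the cap to catch it.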

Grow executus/tools into a real generic tool library:
- Register(reg): the always-available, zero-config tools — think, now (UTC
unless a CurrentTimeProvider is wired), cite (inert unless a CitationStorage
is wired). All nil-safe; a light host calls Register and is useful.
- RegisterMeta(reg, MetaDeps): the LLM-backed meta tools — classify,
extract_entities, summarize — over the llmmeta helper. Budget defaults to the
shipped in-memory per-run cap; Files optional; caps default.
- Seams moved (interface/type-only, no host coupling): research_providers.go
(CurrentTimeProvider/CitationStorage/SearchBudget/PageExtractor/PDFFetcher/…)
and file_storage.go (FileStorage + FileDomainMeta). Plus the in-memory budget
default (research_defaults.go) and scope_validate.go.
calculate deferred (drags github.com/Krognol/go-wolfram + a module-path replace
— not worth it in the lean core for one tool). Core go.sum still free of
gorm/redis/discordgo/sqlite/wolfram.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Stand up executus/tools — the generic, host-agnostic tool library — and prove
the full pattern end to end:
- tools/tools.go: Register(reg) adds the always-available zero-dependency tools
(currently `think`). A light host calls it and is immediately useful; backed
tools (web/store/meta groups) will register via grouped registrars with
nil-safe Deps as they land.
- tools/think.go: the `think` tool moved from mort (imports only executus/tool).
- tools/integration_test.go: end-to-end proof that the executor runs an agent
which CALLS a registered tool — the fake model emits a `think` tool call, the
executor dispatches it through the registry, the model finalises, and the step
instrumentation captures the `think` step. Exercises the full tool-dispatch
loop through run.Executor.
Stacked on phase-2-run-kernel (P3 needs run.Executor). Remaining P3: the
meta/web/net/store/compose groups + their Deps + default backends (splitting
mort's default.go grab-bag).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>