Skip to content

Add external file read with tilde expansion and user approval flow #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MichaelAnders wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add external file read with tilde expansion and user approval flow #40

MichaelAnders wants to merge 1 commit into from

Conversation

@MichaelAnders
Copy link
Contributor

@MichaelAnders MichaelAnders commented Feb 10, 2026

Summary

  • Enable fs_read to handle paths outside the workspace (~/... and absolute paths)
  • Two-phase approval flow: tool returns 403 asking LLM to get user confirmation, then reads on second call with user_approved=true
  • Write/edit operations remain workspace-only

Problem

The fs_read tool could only read files inside the workspace directory. Users working with external configuration files, documentation, or system files had no way to read them through the tool interface.

Changes

  • src/workspace/index.js: Added expandTilde(), isExternalPath(), and readExternalFile() utility functions
  • src/tools/workspace.js: Added external path detection with 403 approval gate before allowing external reads
  • src/clients/standard-tools.js: Updated Read tool schema with user_approved parameter and expanded file_path description

Testing

  • Workspace-relative reads continue to work unchanged
  • ~/Documents/file.txt correctly resolves and reads after user approval
  • Absolute paths like /etc/hosts work with approval flow
  • Write and edit operations remain workspace-only (no external writes)
  • npm run test:unit passes with no regressions

@MichaelAnders
Add external file read with tilde expansion and user approval flow
3b8068b 
Problem: The fs_read tool could only read files inside the workspace directory.
Users working with external configuration files, documentation, or system files
had no way to read them through the tool interface, forcing manual workarounds.

Changes implemented:

1. External path detection and tilde expansion (src/workspace/index.js)
   - Added expandTilde() to resolve ~/... paths to the user's home directory
   - Added isExternalPath() to detect when a path resolves outside the workspace
   - Added readExternalFile() to safely read files at absolute/external paths
   - Only regular files are readable (directories, symlinks rejected)

2. Two-phase approval flow (src/tools/workspace.js)
   - When fs_read receives an external path, it returns a 403 with a structured
     error asking the LLM to get explicit user confirmation first
   - On a second call with user_approved=true, the file is read and returned
   - Normal workspace reads are completely unchanged

3. Tool schema update (src/clients/standard-tools.js)
   - Updated Read tool description to document external file support
   - Added user_approved boolean parameter to the input schema
   - Updated file_path description to explain path formats (relative, absolute, ~)

Testing:
- Workspace-relative reads continue to work unchanged
- ~/Documents/file.txt correctly resolves and reads after user approval
- Absolute paths like /etc/hosts work with approval flow
- Paths inside workspace still use the fast path (no approval needed)
- Write and edit operations remain workspace-only (no external writes)
- npm run test:unit passes with no regressions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MichaelAnders