feat(messages): add dryRunCompose (read-only compose preflight, stacked on #125)#151
Open
JordanRO2 wants to merge 3 commits into
Open
feat(messages): add dryRunCompose (read-only compose preflight, stacked on #125)#151JordanRO2 wants to merge 3 commits into
JordanRO2 wants to merge 3 commits into
Conversation
- blockSkipReview now defaults to true; sendMail/replyToMessage/ forwardMessage and createEvent/createTask require review unless the user explicitly opts into silent sends. createEvent/createTask are now gated by the same pref the mail compose tools already honored. - Reject file-path attachments that target credential stores, system directories, browser/mail profiles, and key/cert files across POSIX and Windows; cap file-path attachments at 50MB to match the saved-attachment ceiling. - Strict allow-list for filter conditions and actions: replace ACTION_MAP[x] ?? parseInt(x) with hasOwnProperty checks so callers cannot reach unmapped nsMsgFilterAction values by passing raw ints. - Extend validateToolArgs to enforce enum, oneOf, nested object properties, required, and additionalProperties:false. Schema keywords on existing tool definitions (notably bodyFormat and the attachments oneOf) are now actually checked. - Harden writeConnectionInfo: after the symlink check, force tmp dir mode back to 0o700 if any group/world bits are set; refuse to write when the perms cannot be tightened. No-op on platforms without POSIX modes. Adds 17 unit tests covering the deny-list (credential paths, system dirs, browser/mail profiles, benign-path negatives, case and slash normalization) and the recursive validator additions (enum, oneOf branches with path-indexed errors, integer type, nested additionalProperties).
…e attach; reject null array items Codex review follow-ups on TKasperczyk#125: - Attachment schema accepted only {name, base64} while the runtime reads entry.base64 || entry.content, so a previously-valid {name, content} inline attachment failed validation before dispatch. Add content as a base64 alias (required relaxed to [name]); base64 still wins at runtime. - isSensitiveFilePath checked the raw string only, so a benign path symlinked to a credential store slipped through. Normalize the nsIFile (resolves symlinks + . / ..) and re-run the deny-list before reading. - validateAgainstSchema returned early on null, so attachments:[null] skipped the item schema. Reject null/undefined array items explicitly. - 6 regression tests (content alias, base64 without contentType, both set, missing name, unknown property, null item).
Validate compose parameters WITHOUT sending, saving, opening a compose window, writing temp files, or copying attachment bytes -- a pure read-only preflight for agents. Resolves the from identity (or previews the default), sanitizes the subject header, counts to/cc/bcc recipients, reports body length (content is not echoed), and gives a per-attachment verdict (ok/blocked/missing/error with a reason): file paths are checked against the sensitive-path deny-list and the 50MB cap via a stat-only nsIFile (never opened/read/normalized), and inline entries' decoded size is estimated arithmetically and checked against the 25MB cap -- base64 is never decoded. Also reports the skipReview pref snapshot. wouldSucceed is the roll-up. The attachment schema accepts content as a base64 alias (required ['name']), matching the other compose tools so a runtime-accepted shape is not rejected by validation. Tests + ALL_TOOLS updated; full suite green, lint 0 errors.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
dryRunCompose(to, subject, body, cc, bcc, isHtml, from, attachments)— validate compose parameters without any side effect: it does not send, save a draft, open a compose window, write temp files, or copy/decode attachment bytes. A pure read-only preflight for agents that want to know "would this send cleanly?" before committing.Returns a structured report:
wouldSucceed(roll-up),blockers[](identity/resolution failures)resolvedIdentity(resolvedfrom, or the default-identity preview)subjectAfterSanitization,bodyLength(content is not echoed),recipients: {to, cc, bcc}counts{ kind, name, status: ok|blocked|missing|error, reason, size }— file paths are checked against the sensitive-path deny-list and the 50 MB cap via a stat-onlynsIFile(never opened/read/normalized); inline entries' decoded size is estimated arithmetically and checked against the 25 MB cap (base64 is never decoded)skipReviewBlockedpref snapshot (reported only)No side effects (verified)
Deliberately does not call the
filePathsToAttachDescspath (which writes temp files / builds file URIs). The attachment loop only stats paths and arithmetic-estimates inline sizes. Reviewed adversarially specifically to disprove any send/save/window/temp-file/network effect.Tests
test/validation.test.cjscovers the schema (incl. the content-alias on inline attachments, consistent with the other compose tools);ALL_TOOLSupdated. Full suite green,eslint .0 errors.