Se completo la capa de seguridad de ejecucion de herramientas del AI-LAB. Bash sanitizer con shlex.split(), gate de confirmacion para herramientas de escritura, auditoria por tool_call individual, presupuesto con metadatos y metricas Prometheus.

Bash sanitizer (runtime/policies/tools/bash_sanitizer.py)

Section titled “Bash sanitizer (runtime/policies/tools/bash_sanitizer.py)”
  • Token scanning con shlex.split() (no regex)
  • First token exact match, no startswith()
  • Bloquea pipes, redirects, &&, ||, ;, &, subshells, /dev/
  • echo "foo|bar" no se bloquea (la pipe esta entrecomillada)
  • ls | grep foo se bloquea (pipe real)
  • 428 Precondition Required (no 403)
  • Solo para herramientas de escritura: write, edit, rm, mv, cp, dd, tee, bash
  • Inyecta _tool_confirmation_pending: true para que OpenCode/OpenWebUI reaccionen
  • _tool_budget_original: numero original de tools
  • _tool_budget_limit: maximo permitido por politica
  • _tool_budget_exceeded: True si se truncaron

Eventos en governance_audit.jsonl:

  • tool_call_allowed → tool paso todos los filtros
  • tool_call_blocked_by_policy → tool bloqueada (con motivo)
ailab_tool_call_total{tool_name, result, policy, mode}
SubfaseCommitRiesgo
22B.1feat: audit per tool_callNulo
22B.2feat: tool call budget metadataNulo
22B.3feat: bash sanitizer with shlex.split()Medio
22B.4feat: confirmation gate 428Alto
22B.5feat: TOOL_CALL_TOTAL metricsNulo
Terminal window
# Bash con pipe → bloqueado
curl :8008 -d '{"tools":[{"function":{"name":"bash","arguments":"ls | grep foo"}}]}'
# Expected: bash eliminada
# Bash sin pipe → OK
curl :8008 -d '{"tools":[{"function":{"name":"bash","arguments":"ls -la"}}]}'
# Expected: bash preservada
# Write tool → 428
curl :8008 -d '{"tools":[{"function":{"name":"write"}}],"messages":[{"role":"user","content":"ejecuta comando"}]}'
# Expected: 428 Precondition Required
# Metricas
curl :8008/metrics | grep ailab_tool_call_total
GuardCapa
_DANGEROUS_COMMAND_MARKERSFirewall post-respuesta
tool_call_is_dangerous()Ultima linea de defensa
GOVERNANCE_BLOCKEDMetrica de seguridad
qwen2.5-coder-14b pop toolsProteccion de modelo
Terminal window
cp /opt/ai-lab/snapshots/fase22a-backup/policy_loader.py /opt/ai-lab/runtime/policies/tools/
cp /opt/ai-lab/snapshots/fase22a-backup/openai_gateway.py /opt/ai-lab/runtime/gateway/
cp /opt/ai-lab/snapshots/fase22a-backup/prometheus_metrics.py /opt/ai-lab/runtime/telemetry/
sudo systemctl restart ailab-gateway

FASE 22C — Sandbox real, seccomp, subprocess jail, rate limiting (tool_calls_per_minute).