Se completo la capa de seguridad de ejecucion de herramientas del AI-LAB. Bash sanitizer con shlex.split(), gate de confirmacion para herramientas de escritura, auditoria por tool_call individual, presupuesto con metadatos y metricas Prometheus.
Componentes
Section titled “Componentes”Bash sanitizer (runtime/policies/tools/bash_sanitizer.py)
Section titled “Bash sanitizer (runtime/policies/tools/bash_sanitizer.py)”- Token scanning con
shlex.split()(no regex) - First token exact match, no
startswith() - Bloquea pipes, redirects,
&&,||,;,&, subshells,/dev/ echo "foo|bar"no se bloquea (la pipe esta entrecomillada)ls | grep foose bloquea (pipe real)
Confirmation gate (openai_gateway.py)
Section titled “Confirmation gate (openai_gateway.py)”- 428 Precondition Required (no 403)
- Solo para herramientas de escritura:
write,edit,rm,mv,cp,dd,tee,bash - Inyecta
_tool_confirmation_pending: truepara que OpenCode/OpenWebUI reaccionen
Presupuesto de tool_calls
Section titled “Presupuesto de tool_calls”_tool_budget_original: numero original de tools_tool_budget_limit: maximo permitido por politica_tool_budget_exceeded: True si se truncaron
Auditoria por tool_call
Section titled “Auditoria por tool_call”Eventos en governance_audit.jsonl:
tool_call_allowed→ tool paso todos los filtrostool_call_blocked_by_policy→ tool bloqueada (con motivo)
Metricas Prometheus
Section titled “Metricas Prometheus”ailab_tool_call_total{tool_name, result, policy, mode}Subfases
Section titled “Subfases”| Subfase | Commit | Riesgo |
|---|---|---|
| 22B.1 | feat: audit per tool_call | Nulo |
| 22B.2 | feat: tool call budget metadata | Nulo |
| 22B.3 | feat: bash sanitizer with shlex.split() | Medio |
| 22B.4 | feat: confirmation gate 428 | Alto |
| 22B.5 | feat: TOOL_CALL_TOTAL metrics | Nulo |
Validacion
Section titled “Validacion”# Bash con pipe → bloqueadocurl :8008 -d '{"tools":[{"function":{"name":"bash","arguments":"ls | grep foo"}}]}'# Expected: bash eliminada
# Bash sin pipe → OKcurl :8008 -d '{"tools":[{"function":{"name":"bash","arguments":"ls -la"}}]}'# Expected: bash preservada
# Write tool → 428curl :8008 -d '{"tools":[{"function":{"name":"write"}}],"messages":[{"role":"user","content":"ejecuta comando"}]}'# Expected: 428 Precondition Required
# Metricascurl :8008/metrics | grep ailab_tool_call_totalGuards preservados
Section titled “Guards preservados”| Guard | Capa |
|---|---|
_DANGEROUS_COMMAND_MARKERS | Firewall post-respuesta |
tool_call_is_dangerous() | Ultima linea de defensa |
GOVERNANCE_BLOCKED | Metrica de seguridad |
qwen2.5-coder-14b pop tools | Proteccion de modelo |
Rollback
Section titled “Rollback”cp /opt/ai-lab/snapshots/fase22a-backup/policy_loader.py /opt/ai-lab/runtime/policies/tools/cp /opt/ai-lab/snapshots/fase22a-backup/openai_gateway.py /opt/ai-lab/runtime/gateway/cp /opt/ai-lab/snapshots/fase22a-backup/prometheus_metrics.py /opt/ai-lab/runtime/telemetry/sudo systemctl restart ailab-gatewaySiguiente fase
Section titled “Siguiente fase”FASE 22C — Sandbox real, seccomp, subprocess jail, rate limiting (tool_calls_per_minute).