
fix(skills): stop shell-wrapper false exec blocks #316

Open

artemgetmann wants to merge 1 commit into main from codex/founder-skill-guidance-main-20260404

Conversation

@artemgetmann (Owner)

Summary

  • Problem: founder Jarvis was reporting fake exec allowlist blocks for wacli/starter CLIs because the skill guidance encouraged shell-chain probes that trigger policy misses.
  • Why it matters: the runtime was healthy, but the assistant narrated a policy failure and fell into sloppy node fallback instead of using the supported direct safe-bin path.
  • What changed: synced founder skill guidance for wacli, gog, and himalaya to prefer direct invocations, avoid shell wrappers/pipes/redirection for normal checks, and explain cached-vs-live WhatsApp status truthfully.
  • What did NOT change (scope boundary): no gateway/runtime policy code, no Gmail auth changes, no consumer branch changes in this PR.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Skills / tool execution
  • Integrations
  • Gateway / orchestration
  • Auth / tokens
  • Memory / storage
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

  • Founder Jarvis should stop claiming wacli is blocked when the real issue is a self-inflicted shell-wrapper probe.
  • WhatsApp checks should now prefer direct wacli calls and explain AUTHENTICATED=true / CONNECTED=false as cached-history-only instead of an exec-policy failure.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: founder shared runtime on main
  • Model/provider: Anthropic Claude Sonnet 4.6 via Telegram
  • Integration/channel (if any): Telegram + founder WhatsApp skill path
  • Relevant config (redacted): founder runtime with starter CLI safe-bin defaults already merged

Steps

  1. Ask founder Jarvis to check whether wacli is working.
  2. Observe prior behavior: shell-chain probe (wacli doctor && ... | head) triggers allowlist miss and bot narrates a fake policy block.
  3. Apply guidance fix so the skill uses direct wacli doctor / wacli chats list path and truthful cached/live status language.

Expected

  • No fake allowlist blame for shell-wrapper probes.
  • Direct wacli checks and accurate status narration.

Actual

  • Before this fix, the bot self-induced the block and misreported it as runtime policy failure.

Evidence

  • Trace/log snippets
  • Failing test/log before + passing after
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: founder session log showed exact blocked shell-chain probe and later successful direct node-side wacli doctor with AUTHENTICATED true / CONNECTED false.
  • Edge cases checked: gog / himalaya guidance also aligned so they stop using shell-noise first.
  • What you did not verify: full Telegram re-run after this PR alone; this is guidance-only.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR or restore prior skills/*.SKILL.md text
  • Files/config to restore: skills/wacli/SKILL.md, skills/gog/SKILL.md, skills/himalaya/SKILL.md
  • Known bad symptoms reviewers should watch for: guidance becomes too strict and skips legitimate fallback paths

Risks and Mitigations

  • Risk: guidance-only fix may not apply if founder runtime is loading stale/cached skill content.
    • Mitigation: founder gateway was restarted after landing the live commit; if behavior persists, investigate skill cache/load path next.
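As an added illustration, not code from this PR or from the founder runtime, here is a small Python model of the distinction the summary draws: a direct safe-bin invocation passes an allowlist, a shell chain, pipe or redirection wraps the call and misses it (a self-inflicted miss, not a policy failure), and a doctor result of AUTHENTICATED=true / CONNECTED=false is narrated as cached-history-only. The allowlist contents, the tokenizer and the KEY=value status line format are assumptions.

```python
"""Constructed model of the shell-wrapper vs. direct-invocation distinction.
Not the gateway's policy code; allowlist and status format are assumed."""
import shlex

SAFE_BINS = {"wacli", "gog", "himalaya"}   # assumed safe-bin allowlist
SHELL_PUNCT = set("();<>|&")                # shlex's punctuation_chars set


def tokenize(cmdline):
    """Split like a POSIX shell, emitting control operators as their own tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True   # keep '--json', '-n', paths as single tokens
    return list(lex)


def classify_invocation(cmdline, safe_bins=SAFE_BINS):
    """Return (verdict, explanation) for a proposed probe.

    direct        -> allowlisted binary, no shell operators: use the safe-bin path
    shell-wrapper -> chain/pipe/redirection present: an allowlist miss here is
                     self-inflicted, not a runtime policy failure
    unknown-bin   -> executable is not on the allowlist at all
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return "empty", "no command given"
    ops = sorted({t for t in tokens if t and set(t) <= SHELL_PUNCT})
    if ops:
        return "shell-wrapper", (f"shell operators {ops} wrap the call; rerun "
                                 f"'{tokens[0]}' as a single direct invocation")
    if tokens[0] in safe_bins:
        return "direct", f"'{tokens[0]}' is allowlisted; send it via the safe-bin path"
    return "unknown-bin", f"'{tokens[0]}' is not an allowlisted safe-bin"


def narrate_status(doctor_output):
    """Turn KEY=value lines (assumed doctor output shape) into a truthful summary."""
    kv = {}
    for line in doctor_output.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            kv[key.strip().upper()] = val.strip().lower() == "true"
    authed, connected = kv.get("AUTHENTICATED", False), kv.get("CONNECTED", False)
    if authed and connected:
        return "live: authenticated and connected"
    if authed:
        return "cached-history-only: authenticated but not connected (not an exec-policy failure)"
    return "not authenticated: login required"


if __name__ == "__main__":
    for probe in ("wacli doctor", "wacli doctor && wacli chats list | head -n 5"):
        print(probe, "->", classify_invocation(probe))
    # Constructed sample, modeled on the AUTHENTICATED/CONNECTED pair in the PR text.
    print(narrate_status("AUTHENTICATED=true\nCONNECTED=false\n"))
```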

- what: sync founder starter-tool skills with the direct-invocation rules already present in consumer for wacli, gog, and himalaya
- why: founder Jarvis was manufacturing fake allowlist misses by wrapping safe-bin probes in shell chains and then narrating the policy error as if the tools were blocked
- risk: low; guidance-only change that narrows tool usage toward the already-supported safe-bin path
Comment thread skills/wacli/SKILL.md
- In consumer chat flows, prefer the plain human-readable `wacli doctor` shape.
Do not add `--json` unless the user explicitly asked for raw machine output.
- In consumer lanes, run those as separate direct tool invocations. One command
per call. Do not chain them with shell operators like `&&`, pipes, or
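Review bot: the rule "Do not chain them with shell operators like `&&`, pipes, or ..." states what to avoid but not why, and the reason is already in the PR summary: a chained probe such as `wacli doctor && ... | head` triggers an allowlist miss that the assistant then narrates as a policy block. Adding that one sentence to SKILL.md (for example, "a chained command is not matched by the safe-bin allowlist, so the miss is self-inflicted, not a runtime policy failure") gives the model a reason to follow the rule rather than an arbitrary constraint it may rationalise around.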
Owner Author

why not though?
