fix(tools): forward set_skill_env and set_effective_trust through CompositeExecutor #3870
Merged
…positeExecutor

The base ToolExecutor impls of set_skill_env and set_effective_trust are no-ops. CompositeExecutor relied on those defaults, so the production layered executor (agent_setup builds nested CompositeExecutor trees) silently swallowed both calls.

Concrete impact:
- Skill secret env injection (x-requires-secrets) never reached ShellExecutor: GITHUB_TOKEN, AWS_*, etc. were absent from bash subprocesses even though the skill was active and the secret was loaded into available_custom_secrets.
- TrustGateExecutor never observed a non-Trusted level while a quarantined skill was active, leaving QUARANTINE_DENIED tools (bash, write, web_scrape, ...) reachable from quarantined contexts.

Override both setters on CompositeExecutor to forward the call to first AND second; nested compositions propagate automatically.

Add two regression tests using a nested composition with spy executors at every leaf.

Closes #3869.
This was referenced May 13, 2026
Summary
- CompositeExecutor now forwards set_skill_env and set_effective_trust to both inner executors.
- ToolExecutor impls (no-ops) were inherited, silently swallowing both calls at the very first CompositeExecutor boundary — which in production is always the outermost layer (src/agent_setup.rs:534-541).
- x-requires-secrets declarations parsed correctly and available_custom_secrets populated, but ShellExecutor::skill_env stayed None, so GITHUB_TOKEN (and any other declared secret) was never present in the bash subprocess env. Verified live in TUI: skill github active at confidence 0.98, env | grep GITHUB → NO_TOKEN.
- TrustGateExecutor::effective_trust stayed at the initial Trusted regardless of the active skill's trust level. QUARANTINE_DENIED tools (bash, write, web_scrape, etc.) were reachable while a quarantined skill was active.
- composite::tests::state_forwarding using a nested CompositeExecutor tree and spy executors at every leaf, asserting both setters land on all leaves.

Closes #3869.
Test plan
- cargo +nightly fmt --check
- cargo clippy --workspace --all-targets -- -D warnings
- cargo nextest run -p zeph-tools --lib --bins → 1174 passed (incl. 2 new regressions)
- cargo nextest run --workspace --lib --bins → 9322 passed
- bash $ env | grep GITHUB) and confirm GITHUB_TOKEN now present when github skill is active.

Notes
CompositeExecutor, not a behavior change in any leaf executor. The defaults in the ToolExecutor trait remain no-ops — only intermediate composition no longer drops the call.
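
The failure mode this PR describes, reduced to a stand-alone Rust sketch (an added example, not code from the PR or from zeph-tools): a composite that inherits no-op trait defaults versus one that forwards, checked with spy leaves in a nested tree. The setter signatures, the Trust enum, and the Spy, Swallowing and Forwarding types are simplified assumptions; only the trait and method names come from the page.

```rust
// Added illustration: simplified stand-ins, not zeph-tools' real types or signatures.
use std::cell::{Cell, RefCell};
use std::collections::HashMap;
use std::rc::Rc;

pub type Env = Option<HashMap<String, String>>;
#[derive(Clone, Copy, PartialEq)]
pub enum Trust { Trusted, Quarantined }

pub trait ToolExecutor {
    // No-op defaults: any wrapper that does not override them drops the call.
    fn set_skill_env(&self, _env: Env) {}
    fn set_effective_trust(&self, _level: Trust) {}
}

// Spy leaf (hypothetical), standing in for ShellExecutor / TrustGateExecutor state.
pub struct Spy { env: RefCell<Env>, trust: Cell<Trust> }
pub fn spy() -> Rc<Spy> { Rc::new(Spy { env: RefCell::new(None), trust: Cell::new(Trust::Trusted) }) }
impl ToolExecutor for Rc<Spy> {
    fn set_skill_env(&self, env: Env) { *self.env.borrow_mut() = env; }
    fn set_effective_trust(&self, level: Trust) { self.trust.set(level); }
}

// Before the fix: the composite inherits the no-op defaults.
#[allow(dead_code)]
pub struct Swallowing<A, B>(A, B);
impl<A: ToolExecutor, B: ToolExecutor> ToolExecutor for Swallowing<A, B> {}

// After the fix: both setters are forwarded to first AND second.
pub struct Forwarding<A, B>(A, B);
impl<A: ToolExecutor, B: ToolExecutor> ToolExecutor for Forwarding<A, B> {
    fn set_skill_env(&self, env: Env) { self.0.set_skill_env(env.clone()); self.1.set_skill_env(env); }
    fn set_effective_trust(&self, level: Trust) { self.0.set_effective_trust(level); self.1.set_effective_trust(level); }
}

// Drive the root the way the agent would, then count leaves that saw both calls.
fn drive(root: &dyn ToolExecutor, leaves: &[Rc<Spy>]) -> usize {
    root.set_skill_env(Some(HashMap::from([("GITHUB_TOKEN".to_string(), "constructed".to_string())])));
    root.set_effective_trust(Trust::Quarantined);
    leaves.iter().filter(|s| s.env.borrow().is_some() && s.trust.get() == Trust::Quarantined).count()
}
pub fn reached_before_fix() -> usize {
    let s = [spy(), spy(), spy()];
    drive(&Swallowing(Swallowing(s[0].clone(), s[1].clone()), s[2].clone()), &s)
}
pub fn reached_after_fix() -> usize {
    let s = [spy(), spy(), spy()];
    drive(&Forwarding(Forwarding(s[0].clone(), s[1].clone()), s[2].clone()), &s)
}
fn main() { println!("before: {}/3 leaves, after: {}/3 leaves", reached_before_fix(), reached_after_fix()); }
```

Asserting on every leaf of a nested tree is what catches this class of bug: a test that calls the setter on a leaf directly passes even while the outermost composite drops the call.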