feat: Add configuration schema for safety features

[Corlzee]

PR 1: Configuration Schema

Title: feat: Add configuration schema for safety features

Description:
This PR adds the foundation for safety features without changing any existing behavior.

What this adds:

• readOnlyDirectories configuration option (empty by default)
• requireExplicitPermission flag for destructive commands (false by default)
• allowedSudoCommands array for sudo whitelist (empty by default)

Why this matters:

Sets up the configuration structure needed for safety features while maintaining 100% backward compatibility.

Testing:

• ✅ Builds successfully with TypeScript
• ✅ All existing functionality unchanged
• ✅ Configuration loads with defaults

Breaking changes:

None - all new options have safe defaults that maintain current behavior.

---

Summary by CodeRabbit

• New Features
  • Enhanced server safety controls in settings:
    • Mark specific directories as read-only to prevent accidental modifications.
    • Option to require explicit confirmation for destructive commands.
    • Define an allowlist of permitted sudo commands (supports patterns) for tighter control.
  • Defaults preserve existing behavior: no read-only directories, confirmation off, and sudo commands blocked unless explicitly allowed.
  • Admins can tailor these settings to match organizational policies and reduce operational risk.

[coderabbitai]

Walkthrough

Added three optional properties to ServerConfig in src/config-manager.ts and initialized corresponding defaults: readOnlyDirectories (string[]), requireExplicitPermission (boolean), and allowedSudoCommands (string[]).

Changes

Cohort / File(s)	Summary
Config schema updates src/config-manager.ts	Extended ServerConfig with optional properties: readOnlyDirectories?: string[], requireExplicitPermission?: boolean, allowedSudoCommands?: string[]. Set default config values: readOnlyDirectories: [], requireExplicitPermission: false, allowedSudoCommands: [].

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my whiskers, configs anew,
Read-only burrows, clear paths to pursue.
A nod for permission, before I hop through,
Sudo’s whitelist—just a select few.
In clover of defaults, I chew and review.
Thump-thump: changes crisp as morning dew.

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 218531b and 94d8e73.

📒 Files selected for processing (1)

• src/config-manager.ts (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/config-manager.ts (2)

src/tools/filesystem.ts (1)

• getAllowedDirs (108-128)

src/tools/config.ts (1)

• setConfigValue (55-142)

🔇 Additional comments (1)

src/config-manager.ts (1)

136-140: Incorrect interpretation of default allowedDirectories—no change needed

The current logic in getAllowedDirs() returns an empty array ([]) when the default config is used. In isPathAllowed(), there is an explicit check:

const allowedDirectories = await getAllowedDirs();
if (allowedDirectories.includes('/') || allowedDirectories.length === 0) {
  return true;
}

Because allowedDirectories.length === 0 evaluates to true, all filesystem paths remain allowed by default—preserving the original, unrestricted behavior on fresh installs. The reviewer’s concern that [] would lock out FS access overlooks this secondary fallback in isPathAllowed.

No modifications to the defaults or filesystem utils are required.

Likely an incorrect or invalid review comment.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Safety config keys: good foundation; wire up parsing and enforcement semantics next

• These optional props keep backwards compatibility. Good.
• Ensure the CLI/tooling can set these array-typed keys from string inputs. In src/tools/config.ts, setConfigValue currently special-cases only 'allowedDirectories' and 'blockedCommands'. Please include 'readOnlyDirectories' and 'allowedSudoCommands' to avoid storing a single string when a user passes JSON or a comma-separated string.

Example adjustment in src/tools/config.ts (illustrative; outside this diff):

// Extend the known array keys set
const arrayKeys = new Set([
  'allowedDirectories',
  'blockedCommands',
  'readOnlyDirectories',
  'allowedSudoCommands',
]);

// Then use: if (arrayKeys.has(parsed.data.key) && !Array.isArray(valueToStore)) { ... }

• Define precedence now to avoid ambiguity later: if a path appears in both allowedDirectories and readOnlyDirectories, writes must be denied. Document and enforce this in the file ops layer.
• “Pattern support” for allowedSudoCommands: specify the dialect (glob vs regex), anchoring rules, and escaping to prevent surprising matches.

To verify coverage now, run:

---

🏁 Script executed:

#!/bin/bash
# Find usages of the new keys to ensure setter/parsing/enforcement exists
rg -n -C2 -g '!**/dist/**' -e '\breadOnlyDirectories\b|\brequireExplicitPermission\b|\ballowedSudoCommands\b' src

Length of output: 1477

---

#!/bin/bash
# Inspect setConfigValue implementation and array key handling
echo "---- Searching for setConfigValue declaration ----"
rg -n -C3 "setConfigValue" -g 'src/tools/config.ts'

echo -e "\n---- Checking arrayKeys or similar handling ----"
rg -n -C3 "allowedDirectories" -g 'src/tools/config.ts'
rg -n -C3 "blockedCommands" -g 'src/tools/config.ts'
rg -n -C3 "readOnlyDirectories" -g 'src/tools/config.ts'
rg -n -C3 "allowedSudoCommands" -g 'src/tools/config.ts'

---

#!/bin/bash
# Locate and inspect the setConfigValue implementation
echo "---- Finding setConfigValue definition ----"
rg -n -C5 "function setConfigValue" -g 'src/tools/config.ts'

echo -e "\n---- Showing 20 lines around setConfigValue ----"
rg -n -C10 "setConfigValue" -g 'src/tools/config.ts'

echo -e "\n---- Searching for multi-value or array key handling ----"
rg -n -C5 "arrayKeys" -g 'src/tools/config.ts'
rg -n -C5 "multiValue" -g 'src/tools/config.ts'
rg -n -C5 "split" -g 'src/tools/config.ts'

---

#!/bin/bash
# Locate and inspect setConfigValue implementation in src/tools/config.ts
echo "---- setConfigValue definition and context ----"
rg -n -C5 "function setConfigValue" -g 'src/tools/config.ts'

echo -e "\n---- References to array key handling ----"
rg -n -C5 "new Set" -g 'src/tools/config.ts'
rg -n -C5 "allowedDirectories" -g 'src/tools/config.ts'

---

🏁 Script executed:

#!/bin/bash
# Inspect setConfigValue in src/tools/config.ts for array key parsing
rg -n -C5 "function setConfigValue" src/tools/config.ts
rg -n -C5 "switch (key)" src/tools/config.ts
rg -n -C5 "allowedDirectories" src/tools/config.ts
rg -n -C5 "blockedCommands" src/tools/config.ts
rg -n -C5 "readOnlyDirectories" src/tools/config.ts
rg -n -C5 "allowedSudoCommands" src/tools/config.ts

Length of output: 1669

---

Handle new config keys in setConfigValue and enforce semantics

The special-case logic in src/tools/config.ts currently only parses JSON/comma-lists for allowedDirectories and blockedCommands. We need to extend it to cover both readOnlyDirectories and allowedSudoCommands, and then implement the enforcement semantics you outlined.

• In src/tools/config.ts:setConfigValue(), update the array-key check to include the two new keys (and ensure requireExplicitPermission stays boolean-only).

- if ((parsed.data.key === 'allowedDirectories' || parsed.data.key === 'blockedCommands') && !Array.isArray(valueToStore)) {
+ const arrayKeys = new Set([
+   'allowedDirectories',
+   'blockedCommands',
+   'readOnlyDirectories',
+   'allowedSudoCommands',
+ ]);
+ if (arrayKeys.has(parsed.data.key) && !Array.isArray(valueToStore)) {

• Define and document precedence in your file-operations layer:
– If a path appears in both allowedDirectories and readOnlyDirectories, forbid write operations (read-only wins).
– If requireExplicitPermission is true, any destructive command (e.g., rm, mv) must be gated behind an explicit flag.

• For allowedSudoCommands, specify the pattern dialect and matching rules in comments and/or schema:
– Glob vs. regex? Anchoring (full-match vs. substring)?
– How to escape metacharacters?
– Reject/escape invalid patterns at set time.

Please update the code and documentation accordingly before merging.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/config-manager.ts around lines 13 to 15: extend setConfigValue handling
so array-parsing includes readOnlyDirectories and allowedSudoCommands while
keeping requireExplicitPermission treated only as a boolean; update
src/tools/config.ts:setConfigValue() to treat allowedDirectories,
blockedCommands, readOnlyDirectories, and allowedSudoCommands as array-keys
(parse JSON or comma-lists) and validate/normalize values on set (reject invalid
types). In the file-operations layer implement and document precedence: if a
path is in both allowedDirectories and readOnlyDirectories, consider it
read-only and block write operations; if requireExplicitPermission is true, gate
destructive commands (e.g., rm, mv, rmdir, truncate) behind an explicit
permission flag check. For allowedSudoCommands add clear schema comments stating
the pattern dialect (use anchored glob patterns, full-match semantics, e.g.,
bash-style globs, not regex), document how to escape metacharacters, validate
patterns at set time (reject malformed globs) and implement matching as a
full-match glob against the entire command string; log or surface invalid
patterns when set. Ensure docs/comments reflect precedence and enforcement rules
and that invalid config values produce clear errors when set.