feat: add command timeout allowlist with IPC support

- Add commandTimeoutAllowlist configuration option to exclude specific command prefixes from timeout
- Update global settings schema to include the new allowlist setting
- Modify executeCommandTool to check allowlist before applying timeout restrictions
- Add VSCode configuration and localization support for the new setting
- Include comprehensive tests for allowlist functionality
- IPC support included through global settings integration

Author: roomote

packages/types/src/global-settings.ts

@@ -51,6 +51,7 @@ export const globalSettingsSchema = z.object({
 	allowedCommands: z.array(z.string()).optional(),
 	deniedCommands: z.array(z.string()).optional(),
 	commandExecutionTimeout: z.number().optional(),
+	commandTimeoutAllowlist: z.array(z.string()).optional(),
 	preventCompletionWithOpenTodos: z.boolean().optional(),
 	allowedMaxRequests: z.number().nullish(),
 	autoCondenseContext: z.boolean().optional(),
@@ -203,6 +204,7 @@ export const EVALS_SETTINGS: RooCodeSettings = {
 	followupAutoApproveTimeoutMs: 0,
 	allowedCommands: ["*"],
 	commandExecutionTimeout: 30_000,
+	commandTimeoutAllowlist: [],
 	preventCompletionWithOpenTodos: false,
 
 	browserToolEnabled: false,

src/core/tools/__tests__/executeCommandTimeout.integration.spec.ts

@@ -186,4 +186,139 @@ describe("Command Execution Timeout Integration", () => {
 		expect(result[0]).toBe(false) // Not rejected
 		expect(result[1]).not.toContain("terminated after exceeding")
 	})
+
+	describe("Command Timeout Allowlist", () => {
+		beforeEach(() => {
+			// Reset mocks for allowlist tests
+			vitest.clearAllMocks()
+			;(fs.access as any).mockResolvedValue(undefined)
+			;(TerminalRegistry.getOrCreateTerminal as any).mockResolvedValue(mockTerminal)
+		})
+
+		it("should skip timeout for commands in allowlist", async () => {
+			// Mock VSCode configuration with timeout and allowlist
+			const mockGetConfiguration = vitest.fn().mockReturnValue({
+				get: vitest.fn().mockImplementation((key: string) => {
+					if (key === "commandExecutionTimeout") return 1 // 1 second timeout
+					if (key === "commandTimeoutAllowlist") return ["npm", "git"]
+					return undefined
+				}),
+			})
+			;(vscode.workspace.getConfiguration as any).mockReturnValue(mockGetConfiguration())
+
+			const options: ExecuteCommandOptions = {
+				executionId: "test-execution",
+				command: "npm install",
+				// Should be overridden to 0 due to allowlist
+			}
+
+			// Create a process that would timeout if not allowlisted
+			const longRunningProcess = new Promise((resolve) => {
+				setTimeout(resolve, 2000) // 2 seconds, longer than 1 second timeout
+			})
+			mockTerminal.runCommand.mockReturnValue(longRunningProcess)
+
+			const result = await executeCommand(mockTask as Task, options)
+
+			// Should complete successfully without timeout because "npm" is in allowlist
+			expect(result[0]).toBe(false) // Not rejected
+			expect(result[1]).not.toContain("terminated after exceeding")
+		}, 3000)
+
+		it("should apply timeout for commands not in allowlist", async () => {
+			// Mock VSCode configuration with timeout and allowlist
+			const mockGetConfiguration = vitest.fn().mockReturnValue({
+				get: vitest.fn().mockImplementation((key: string) => {
+					if (key === "commandExecutionTimeout") return 1 // 1 second timeout
+					if (key === "commandTimeoutAllowlist") return ["npm", "git"]
+					return undefined
+				}),
+			})
+			;(vscode.workspace.getConfiguration as any).mockReturnValue(mockGetConfiguration())
+
+			const options: ExecuteCommandOptions = {
+				executionId: "test-execution",
+				command: "sleep 10", // Not in allowlist
+			}
+
+			// Create a process that never resolves
+			const neverResolvingProcess = new Promise(() => {})
+			;(neverResolvingProcess as any).abort = vitest.fn()
+			mockTerminal.runCommand.mockReturnValue(neverResolvingProcess)
+
+			const result = await executeCommand(mockTask as Task, options)
+
+			// Should timeout because "sleep" is not in allowlist
+			expect(result[0]).toBe(false) // Not rejected by user
+			expect(result[1]).toContain("terminated after exceeding")
+		}, 3000)
+
+		it("should handle empty allowlist", async () => {
+			// Mock VSCode configuration with timeout and empty allowlist
+			const mockGetConfiguration = vitest.fn().mockReturnValue({
+				get: vitest.fn().mockImplementation((key: string) => {
+					if (key === "commandExecutionTimeout") return 1 // 1 second timeout
+					if (key === "commandTimeoutAllowlist") return []
+					return undefined
+				}),
+			})
+			;(vscode.workspace.getConfiguration as any).mockReturnValue(mockGetConfiguration())
+
+			const options: ExecuteCommandOptions = {
+				executionId: "test-execution",
+				command: "npm install",
+			}
+
+			// Create a process that never resolves
+			const neverResolvingProcess = new Promise(() => {})
+			;(neverResolvingProcess as any).abort = vitest.fn()
+			mockTerminal.runCommand.mockReturnValue(neverResolvingProcess)
+
+			const result = await executeCommand(mockTask as Task, options)
+
+			// Should timeout because allowlist is empty
+			expect(result[0]).toBe(false) // Not rejected by user
+			expect(result[1]).toContain("terminated after exceeding")
+		}, 3000)
+
+		it("should match command prefixes correctly", async () => {
+			// Mock VSCode configuration with timeout and allowlist
+			const mockGetConfiguration = vitest.fn().mockReturnValue({
+				get: vitest.fn().mockImplementation((key: string) => {
+					if (key === "commandExecutionTimeout") return 1 // 1 second timeout
+					if (key === "commandTimeoutAllowlist") return ["git log", "npm run"]
+					return undefined
+				}),
+			})
+			;(vscode.workspace.getConfiguration as any).mockReturnValue(mockGetConfiguration())
+
+			// Test exact prefix match
+			const options1: ExecuteCommandOptions = {
+				executionId: "test-execution-1",
+				command: "git log --oneline",
+			}
+
+			// Test partial prefix match (should not match)
+			const options2: ExecuteCommandOptions = {
+				executionId: "test-execution-2",
+				command: "git status", // "git" alone is not in allowlist, only "git log"
+			}
+
+			const longRunningProcess = new Promise((resolve) => {
+				setTimeout(resolve, 2000) // 2 seconds
+			})
+			const neverResolvingProcess = new Promise(() => {})
+			;(neverResolvingProcess as any).abort = vitest.fn()
+
+			// First command should not timeout (matches "git log" prefix)
+			mockTerminal.runCommand.mockReturnValueOnce(longRunningProcess)
+			const result1 = await executeCommand(mockTask as Task, options1)
+			expect(result1[1]).not.toContain("terminated after exceeding")
+
+			// Second command should timeout (doesn't match any prefix exactly)
+			mockTerminal.runCommand.mockReturnValueOnce(neverResolvingProcess)
+			const result2 = await executeCommand(mockTask as Task, options2)
+			expect(result2[1]).toContain("terminated after exceeding")
+		}, 5000)
+	})
 })

src/core/tools/executeCommandTool.ts

@@ -70,8 +70,18 @@ export async function executeCommandTool(
 				.getConfiguration(Package.name)
 				.get<number>("commandExecutionTimeout", 0)
 
-			// Convert seconds to milliseconds for internal use
-			const commandExecutionTimeout = commandExecutionTimeoutSeconds * 1000
+			// Get command timeout allowlist from VSCode configuration
+			const commandTimeoutAllowlist = vscode.workspace
+				.getConfiguration(Package.name)
+				.get<string[]>("commandTimeoutAllowlist", [])
+
+			// Check if command matches any prefix in the allowlist
+			const isCommandAllowlisted = commandTimeoutAllowlist.some(prefix =>
+				command.startsWith(prefix.trim())
+			)
+
+			// Convert seconds to milliseconds for internal use, but skip timeout if command is allowlisted
+			const commandExecutionTimeout = isCommandAllowlisted ? 0 : commandExecutionTimeoutSeconds * 1000
 
 			const options: ExecuteCommandOptions = {
 				executionId,

src/package.json

@@ -345,6 +345,14 @@
 					"maximum": 600,
 					"description": "%commands.commandExecutionTimeout.description%"
 				},
+				"roo-cline.commandTimeoutAllowlist": {
+					"type": "array",
+					"items": {
+						"type": "string"
+					},
+					"default": [],
+					"description": "%commands.commandTimeoutAllowlist.description%"
+				},
 				"roo-cline.preventCompletionWithOpenTodos": {
 					"type": "boolean",
 					"default": false,

src/package.nls.json

@@ -29,6 +29,7 @@
 	"commands.allowedCommands.description": "Commands that can be auto-executed when 'Always approve execute operations' is enabled",
 	"commands.deniedCommands.description": "Command prefixes that will be automatically denied without asking for approval. In case of conflicts with allowed commands, the longest prefix match takes precedence. Add * to deny all commands.",
 	"commands.commandExecutionTimeout.description": "Maximum time in seconds to wait for command execution to complete before timing out (0 = no timeout, 1-600s, default: 0s)",
+	"commands.commandTimeoutAllowlist.description": "Command prefixes that are excluded from the command execution timeout. Commands matching these prefixes will run without timeout restrictions.",
 	"commands.preventCompletionWithOpenTodos.description": "Prevent task completion when there are incomplete todos in the todo list",
 	"settings.vsCodeLmModelSelector.description": "Settings for VSCode Language Model API",
 	"settings.vsCodeLmModelSelector.vendor.description": "The vendor of the language model (e.g. copilot)",