ENG-320/Auto-approve controls to restrict Cline actions outside of workspace (RooCodeInc#2779)

* initial- buttons

* more buttons

* incremental

* increment

* Renamed old auto approve name

* comments

* started read options

* paused here

* cleanup

* de-duplication and renames

* renames

* restored unrelated test file

* labels and semantics

* fixed labels issue

* cleanup/dedup

* minor semantics

* cleanup

* changeset

* one line

* ellipsis-dev changes

* reverting settings names

* made new settings optional

* Update webview-ui/src/components/chat/AutoApproveMenu.tsx

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

* testserver fix

* testserver.ts fix / prettier

* testserver.ts fix / prettier

* Delete src/services/test/TestServer.ts

* restored testserver.ts

---------

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

Author: canvrno

.changeset/cuddly-scissors-reflect.md

@@ -0,0 +1,5 @@
+---
+"claude-dev": minor
+---
+
+Added auto-approve options for edits/reads outside of the users workspace

src/core/task/index.ts

@@ -1189,22 +1189,28 @@ export class Task {
 	}
 
 	// Check if the tool should be auto-approved based on the settings
-	// Returns bool for most tools, tuple for execute_command (and future nested auto appoved settings)
+	// Returns bool for most tools, and tuple for tools with nested settings
 	shouldAutoApproveTool(toolName: ToolUseName): boolean | [boolean, boolean] {
 		if (this.autoApprovalSettings.enabled) {
 			switch (toolName) {
 				case "read_file":
 				case "list_files":
 				case "list_code_definition_names":
 				case "search_files":
-					return this.autoApprovalSettings.actions.readFiles
+					return [
+						this.autoApprovalSettings.actions.readFiles,
+						this.autoApprovalSettings.actions.readFilesExternally ?? false,
+					]
 				case "write_to_file":
 				case "replace_in_file":
-					return this.autoApprovalSettings.actions.editFiles
+					return [
+						this.autoApprovalSettings.actions.editFiles,
+						this.autoApprovalSettings.actions.editFilesExternally ?? false,
+					]
 				case "execute_command":
 					return [
 						this.autoApprovalSettings.actions.executeSafeCommands,
-						this.autoApprovalSettings.actions.executeAllCommands,
+						this.autoApprovalSettings.actions.executeAllCommands ?? false,
 					]
 				case "browser_action":
 					return this.autoApprovalSettings.actions.useBrowser
@@ -1216,6 +1222,32 @@ export class Task {
 		return false
 	}
 
+	// Check if the tool should be auto-approved based on the settings
+	// and the path of the action. Returns true if the tool should be auto-approved
+	// based on the user's settings and the path of the action.
+	shouldAutoApproveToolWithPath(blockname: ToolUseName, autoApproveActionpath: string | undefined): boolean {
+		let isLocalRead: boolean = false
+		if (autoApproveActionpath) {
+			const absolutePath = path.resolve(cwd, autoApproveActionpath)
+			isLocalRead = absolutePath.startsWith(cwd)
+		} else {
+			// If we do not get a path for some reason, default to a (safer) false return
+			isLocalRead = false
+		}
+
+		// Get auto-approve settings for local and external edits
+		const autoApproveResult = this.shouldAutoApproveTool(blockname)
+		const [autoApproveLocal, autoApproveExternal] = Array.isArray(autoApproveResult)
+			? autoApproveResult
+			: [autoApproveResult, false]
+
+		if ((isLocalRead && autoApproveLocal) || (!isLocalRead && autoApproveLocal && autoApproveExternal)) {
+			return true
+		} else {
+			return false
+		}
+	}
+
 	private formatErrorWithStatusCode(error: any): string {
 		const statusCode = error.status || error.statusCode || (error.response && error.response.status)
 		const message = error.message ?? JSON.stringify(serializeError(error), null, 2)
@@ -1754,7 +1786,8 @@ export class Task {
 							if (block.partial) {
 								// update gui message
 								const partialMessage = JSON.stringify(sharedMessageProps)
-								if (this.shouldAutoApproveTool(block.name)) {
+
+								if (this.shouldAutoApproveToolWithPath(block.name, relPath)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool") // in case the user changes auto-approval settings mid stream
 									await this.say("tool", partialMessage, undefined, block.partial)
 								} else {
@@ -1818,8 +1851,7 @@ export class Task {
 									// 	)
 									// : undefined,
 								} satisfies ClineSayTool)
-
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, relPath)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", completeMessage, undefined, false)
 									this.consecutiveAutoApprovedRequestsCount++
@@ -1941,7 +1973,7 @@ export class Task {
 									...sharedMessageProps,
 									content: undefined,
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", partialMessage, undefined, block.partial)
 								} else {
@@ -1971,7 +2003,7 @@ export class Task {
 									...sharedMessageProps,
 									content: absolutePath,
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", completeMessage, undefined, false) // need to be sending partialValue bool, since undefined has its own purpose in that the message is treated neither as a partial or completion of a partial, but as a single complete message
 									this.consecutiveAutoApprovedRequestsCount++
@@ -2019,7 +2051,7 @@ export class Task {
 									...sharedMessageProps,
 									content: "",
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", partialMessage, undefined, block.partial)
 								} else {
@@ -2050,7 +2082,7 @@ export class Task {
 									...sharedMessageProps,
 									content: result,
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", completeMessage, undefined, false)
 									this.consecutiveAutoApprovedRequestsCount++
@@ -2090,7 +2122,7 @@ export class Task {
 									...sharedMessageProps,
 									content: "",
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", partialMessage, undefined, block.partial)
 								} else {
@@ -2118,7 +2150,7 @@ export class Task {
 									...sharedMessageProps,
 									content: result,
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", completeMessage, undefined, false)
 									this.consecutiveAutoApprovedRequestsCount++
@@ -2162,7 +2194,7 @@ export class Task {
 									...sharedMessageProps,
 									content: "",
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", partialMessage, undefined, block.partial)
 								} else {
@@ -2198,7 +2230,7 @@ export class Task {
 									...sharedMessageProps,
 									content: results,
 								} satisfies ClineSayTool)
-								if (this.shouldAutoApproveTool(block.name)) {
+								if (this.shouldAutoApproveToolWithPath(block.name, block.params.path)) {
 									this.removeLastPartialMessageIfExistsWithType("ask", "tool")
 									await this.say("tool", completeMessage, undefined, false)
 									this.consecutiveAutoApprovedRequestsCount++

src/services/test/TestServer.ts

@@ -23,7 +23,9 @@ async function updateAutoApprovalSettings(context: vscode.ExtensionContext, prov
 			enabled: true,
 			actions: {
 				readFiles: true,
+				readFilesExternally: true,
 				editFiles: true,
+				editFilesExternally: true,
 				executeSafeCommands: true,
 				executeAllCommands: true,
 				useBrowser: false, // Keep browser disabled for tests

src/shared/AutoApprovalSettings.ts

@@ -3,8 +3,10 @@ export interface AutoApprovalSettings {
 	enabled: boolean
 	// Individual action permissions
 	actions: {
-		readFiles: boolean // Read files and directories
-		editFiles: boolean // Edit files
+		readFiles: boolean // Read files and directories in the working directory
+		readFilesExternally: boolean // Read files and directories outside of the working directory
+		editFiles: boolean // Edit files in the working directory
+		editFilesExternally: boolean // Edit files outside of the working directory
 		executeSafeCommands: boolean // Execute safe commands
 		executeAllCommands: boolean // Execute all commands
 		useBrowser: boolean // Use browser
@@ -19,7 +21,9 @@ export const DEFAULT_AUTO_APPROVAL_SETTINGS: AutoApprovalSettings = {
 	enabled: false,
 	actions: {
 		readFiles: false,
+		readFilesExternally: false,
 		editFiles: false,
+		editFilesExternally: false,
 		executeSafeCommands: false,
 		executeAllCommands: false,
 		useBrowser: false,

webview-ui/src/components/chat/AutoApproveMenu.tsx

@@ -27,40 +27,52 @@ const ACTION_METADATA: {
 }[] = [
 	{
 		id: "readFiles",
-		label: "Read files and directories",
-		shortName: "Read",
-		description: "Allows access to read any file on your computer.",
+		label: "Read local files and directories",
+		shortName: "Read Local",
+		description: "Allows Cline to read files within your workspace.",
+	},
+	{
+		id: "readFilesExternally",
+		label: "Read files and directories anywhere",
+		shortName: "Read (all)",
+		description: "Allows Cline to read any file on your computer.",
 	},
 	{
 		id: "editFiles",
-		label: "Edit files",
+		label: "Edit local files",
 		shortName: "Edit",
-		description: "Allows modification of any files on your computer.",
+		description: "Allows Cline to modify files within your workspace.",
+	},
+	{
+		id: "editFilesExternally",
+		label: "Edit files anywhere",
+		shortName: "Edit (all)",
+		description: "Allows Cline to modify any file on your computer.",
 	},
 	{
 		id: "executeSafeCommands",
 		label: "Execute safe commands",
 		shortName: "Safe Commands",
 		description:
-			"Allows execution of safe terminal commands. If the model determines a command is potentially destructive, it will still require approval.",
+			"Allows Cline to execute of safe terminal commands. If the model determines a command is potentially destructive, it will still require approval.",
 	},
 	{
 		id: "executeAllCommands",
 		label: "Execute all commands",
 		shortName: "All Commands",
-		description: "Allows execution of all terminal commands. Use at your own risk.",
+		description: "Allows Cline to execute all terminal commands. Use at your own risk.",
 	},
 	{
 		id: "useBrowser",
 		label: "Use the browser",
 		shortName: "Browser",
-		description: "Allows ability to launch and interact with any website in a headless browser.",
+		description: "Allows Cline to launch and interact with any website in a browser.",
 	},
 	{
 		id: "useMcp",
 		label: "Use MCP servers",
 		shortName: "MCP",
-		description: "Allows use of configured MCP servers which may modify filesystem or interact with APIs.",
+		description: "Allows Cline to use configured MCP servers which may modify filesystem or interact with APIs.",
 	},
 ]
 
@@ -72,21 +84,53 @@ const AutoApproveMenu = ({ style }: AutoApproveMenuProps) => {
 
 	const enabledActions = ACTION_METADATA.filter((action) => autoApprovalSettings.actions[action.id])
 	const enabledActionsList = (() => {
-		// "All Commands" is the only label displayed if both are set
-		const safeCommandsEnabled = enabledActions.some((action) => action.id === "executeSafeCommands")
-		const allCommandsEnabled = enabledActions.some((action) => action.id === "executeAllCommands")
+		// When nested auto-approve options are used, display the more permissive one (file reads, edits, and commands)
+		const readFilesEnabled = enabledActions.some((action) => action.id === "readFiles")
+		const readFilesExternallyEnabled = enabledActions.some((action) => action.id === "readFilesExternally")
+
+		const editFilesEnabled = enabledActions.some((action) => action.id === "editFiles")
+		const editFilesExternallyEnabled = enabledActions.some((action) => action.id === "editFilesExternally") ?? false
 
+		const safeCommandsEnabled = enabledActions.some((action) => action.id === "executeSafeCommands")
+		const allCommandsEnabled = enabledActions.some((action) => action.id === "executeAllCommands") ?? false
+		// Filter out the potentially nested options so we don't display them twice
 		const otherActions = enabledActions
-			.filter((action) => action.id !== "executeSafeCommands" && action.id !== "executeAllCommands")
+			.filter(
+				(action) =>
+					action.id !== "readFiles" &&
+					action.id !== "readFilesExternally" &&
+					action.id !== "editFiles" &&
+					action.id !== "editFilesExternally" &&
+					action.id !== "executeSafeCommands" &&
+					action.id !== "executeAllCommands",
+			)
 			.map((action) => action.shortName)
 
-		if (allCommandsEnabled) {
-			return ["All Commands", ...otherActions].join(", ")
+		const labels = []
+
+		// Handle read editing labels
+		if ((readFilesExternallyEnabled ?? false) && readFilesEnabled) {
+			labels.push("Read (All)")
+		} else if (readFilesEnabled) {
+			labels.push("Read")
+		}
+
+		// Handle file editing labels
+		if ((editFilesExternallyEnabled ?? false) && editFilesEnabled) {
+			labels.push("Edit (All)")
+		} else if (editFilesEnabled) {
+			labels.push("Edit")
+		}
+
+		// Handle command execution labels
+		if ((allCommandsEnabled ?? false) && safeCommandsEnabled) {
+			labels.push("All Commands")
 		} else if (safeCommandsEnabled) {
-			return ["Safe Commands", ...otherActions].join(", ")
-		} else {
-			return otherActions.join(", ")
+			labels.push("Safe Commands")
 		}
+
+		// Add remaining actions
+		return [...labels, ...otherActions].join(", ")
 	})()
 	const hasEnabledActions = enabledActions.length > 0
 
@@ -251,13 +295,23 @@ const AutoApproveMenu = ({ style }: AutoApproveMenuProps) => {
 						caution and only enable if you understand the risks.
 					</div>
 					{ACTION_METADATA.map((action) => {
-						if (action.id === "executeAllCommands") {
+						// Handle readFilesExternally, editFilesExternally, and executeAllCommands as animated sub-options
+						if (
+							action.id === "executeAllCommands" ||
+							action.id === "editFilesExternally" ||
+							action.id === "readFilesExternally"
+						) {
+							const parentAction =
+								action.id === "executeAllCommands"
+									? "executeSafeCommands"
+									: action.id === "readFilesExternally"
+										? "readFiles"
+										: "editFiles"
 							return (
-								// Option to make the "Approve All" option animate into the menu when "Approve Safe" is enabled
-								<SubOptionAnimateIn key={action.id} show={autoApprovalSettings.actions.executeSafeCommands}>
+								<SubOptionAnimateIn key={action.id} show={autoApprovalSettings.actions[parentAction]}>
 									<div
 										style={{
-											margin: "6px 0",
+											margin: "3px 0",
 											marginLeft: "28px",
 										}}>
 										<VSCodeCheckbox