fix(tools): propagate claim_source in gate audit and detect relative paths (#2539)

bug-ops · web-flow · commit 9108e1e57911 · 2026-03-31T17:50:41.000Z
Fixes #2535: AdversarialPolicyGateExecutor.write_audit() now accepts an explicit claim_source parameter. After successful inner execution, claim_source is copied from ToolOutput. Blocked/denied calls pass None. Fixes #2536: extract_paths() now detects relative path tokens without a ./ prefix (e.g. src/main.rs, .local/foo/bar). Added is_relative_path_token() helper that excludes URLs and env assignments.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Fixed
 
+- fix(tools): propagate `claim_source` from `ToolOutput` into the post-execution audit entry in `AdversarialPolicyGateExecutor`; `write_audit` now accepts an explicit `claim_source` parameter so the field is no longer hardcoded to `None` for successful executions (closes #2535)
+- fix(tools): `extract_paths` now detects relative path tokens that contain `/` but do not start with `/` or `./` (e.g. `src/main.rs`, `.local/foo/bar`); URL schemes (`://`) and shell variable assignments (`KEY=value`) are excluded from matching (closes #2536)
+
 - fix(mcp): replace unbounded elicitation mpsc channel with a bounded channel (default capacity 16) to prevent memory exhaustion from misbehaving MCP servers; requests that arrive when the queue is full are auto-declined with a warning log instead of accumulating indefinitely; capacity is configurable via `[mcp] elicitation_queue_capacity` (closes #2524)
 - fix(mcp): pre-existing `clippy::non_exhaustive_omitted_patterns`, `match_single_binding`, and `uninlined_format_args` warnings in elicitation CLI prompt builder and test code (caught while adding bounded-channel support)
 
diff --git a/crates/zeph-tools/src/adversarial_gate.rs b/crates/zeph-tools/src/adversarial_gate.rs
@@ -18,7 +18,7 @@ use std::sync::Arc;
 
 use crate::adversarial_policy::{PolicyDecision, PolicyLlmClient, PolicyValidator};
 use crate::audit::{AuditEntry, AuditLogger, AuditResult, chrono_now};
-use crate::executor::{ToolCall, ToolError, ToolExecutor, ToolOutput};
+use crate::executor::{ClaimSource, ToolCall, ToolError, ToolExecutor, ToolOutput};
 use crate::registry::ToolDef;
 
 /// Wraps an inner `ToolExecutor`, running an LLM-based adversarial policy check
@@ -75,7 +75,8 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
         match decision {
             PolicyDecision::Allow => {
                 tracing::debug!(tool = %call.tool_id, "adversarial policy: allow");
-                self.write_audit(call, "allow", AuditResult::Success).await;
+                self.write_audit(call, "allow", AuditResult::Success, None)
+                    .await;
                 Ok(())
             }
             PolicyDecision::Deny { reason } => {
@@ -90,6 +91,7 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
                     AuditResult::Blocked {
                         reason: reason.clone(),
                     },
+                    None,
                 )
                 .await;
                 // MED-03: do NOT surface the LLM reason to the main LLM.
@@ -105,8 +107,13 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
                     "adversarial policy: LLM error"
                 );
                 if self.validator.fail_open() {
-                    self.write_audit(call, &format!("error:{message}"), AuditResult::Success)
-                        .await;
+                    self.write_audit(
+                        call,
+                        &format!("error:{message}"),
+                        AuditResult::Success,
+                        None,
+                    )
+                    .await;
                     Ok(())
                 } else {
                     self.write_audit(
@@ -115,6 +122,7 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
                         AuditResult::Blocked {
                             reason: "adversarial policy LLM error (fail-closed)".to_owned(),
                         },
+                        None,
                     )
                     .await;
                     Err(ToolError::Blocked {
@@ -125,7 +133,13 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
         }
     }
 
-    async fn write_audit(&self, call: &ToolCall, decision: &str, result: AuditResult) {
+    async fn write_audit(
+        &self,
+        call: &ToolCall,
+        decision: &str,
+        result: AuditResult,
+        claim_source: Option<ClaimSource>,
+    ) {
         let Some(audit) = &self.audit else { return };
         let entry = AuditEntry {
             timestamp: chrono_now(),
@@ -136,7 +150,7 @@ impl<T: ToolExecutor> AdversarialPolicyGateExecutor<T> {
             error_category: None,
             error_domain: None,
             error_phase: None,
-            claim_source: None,
+            claim_source,
             mcp_server_id: None,
             injection_flagged: false,
             embedding_anomalous: false,
@@ -166,7 +180,17 @@ impl<T: ToolExecutor> ToolExecutor for AdversarialPolicyGateExecutor<T> {
 
     async fn execute_tool_call(&self, call: &ToolCall) -> Result<Option<ToolOutput>, ToolError> {
         self.check_policy(call).await?;
-        self.inner.execute_tool_call(call).await
+        let output = self.inner.execute_tool_call(call).await?;
+        if let Some(ref out) = output {
+            self.write_audit(
+                call,
+                "allow:executed",
+                AuditResult::Success,
+                out.claim_source,
+            )
+            .await;
+        }
+        Ok(output)
     }
 
     // MED-04: policy also enforced on confirmed calls.
@@ -175,7 +199,17 @@ impl<T: ToolExecutor> ToolExecutor for AdversarialPolicyGateExecutor<T> {
         call: &ToolCall,
     ) -> Result<Option<ToolOutput>, ToolError> {
         self.check_policy(call).await?;
-        self.inner.execute_tool_call_confirmed(call).await
+        let output = self.inner.execute_tool_call_confirmed(call).await?;
+        if let Some(ref out) = output {
+            self.write_audit(
+                call,
+                "allow:executed",
+                AuditResult::Success,
+                out.claim_source,
+            )
+            .await;
+        }
+        Ok(output)
     }
 
     fn set_skill_env(&self, env: Option<std::collections::HashMap<String, String>>) {
@@ -530,4 +564,64 @@ mod tests {
             "deny decision must be recorded in audit"
         );
     }
+
+    #[tokio::test]
+    async fn audit_entry_propagates_claim_source() {
+        use tempfile::TempDir;
+
+        #[derive(Debug)]
+        struct InnerWithClaimSource;
+
+        impl ToolExecutor for InnerWithClaimSource {
+            async fn execute(&self, _: &str) -> Result<Option<ToolOutput>, ToolError> {
+                Ok(None)
+            }
+
+            async fn execute_tool_call(
+                &self,
+                call: &ToolCall,
+            ) -> Result<Option<ToolOutput>, ToolError> {
+                Ok(Some(ToolOutput {
+                    tool_name: call.tool_id.clone(),
+                    summary: "ok".into(),
+                    blocks_executed: 1,
+                    filter_stats: None,
+                    diff: None,
+                    streamed: false,
+                    terminal_id: None,
+                    locations: None,
+                    raw_response: None,
+                    claim_source: Some(crate::executor::ClaimSource::Shell),
+                }))
+            }
+        }
+
+        let dir = TempDir::new().unwrap();
+        let log_path = dir.path().join("audit.log");
+        let audit_config = crate::config::AuditConfig {
+            enabled: true,
+            destination: log_path.display().to_string(),
+        };
+        let audit_logger = Arc::new(
+            crate::audit::AuditLogger::from_config(&audit_config)
+                .await
+                .unwrap(),
+        );
+
+        let (_, llm) = MockLlm::new("ALLOW");
+        let gate = AdversarialPolicyGateExecutor::new(
+            InnerWithClaimSource,
+            make_validator(false),
+            Arc::new(llm),
+        )
+        .with_audit(Arc::clone(&audit_logger));
+
+        gate.execute_tool_call(&make_call("shell")).await.unwrap();
+
+        let content = tokio::fs::read_to_string(&log_path).await.unwrap();
+        assert!(
+            content.contains("\"shell\""),
+            "claim_source must be propagated into the post-execution audit entry"
+        );
+    }
 }
diff --git a/crates/zeph-tools/src/shell/mod.rs b/crates/zeph-tools/src/shell/mod.rs
@@ -1008,13 +1008,44 @@ fn extract_paths(code: &str) -> Vec<String> {
             || trimmed.starts_with("./")
             || trimmed.starts_with("../")
             || trimmed == ".."
+            || (trimmed.starts_with('.') && trimmed.contains('/'))
+            || is_relative_path_token(&trimmed)
         {
             result.push(trimmed);
         }
     }
     result
 }
 
+/// Returns `true` if `token` looks like a relative path of the form `word/more`
+/// (contains `/` but does not start with `/` or `.`).
+///
+/// Excluded:
+/// - URL schemes (`scheme://`)
+/// - Shell variable assignments (`KEY=value`)
+fn is_relative_path_token(token: &str) -> bool {
+    // Must contain a slash but not start with `/` (absolute) or `.` (handled above).
+    if !token.contains('/') || token.starts_with('/') || token.starts_with('.') {
+        return false;
+    }
+    // Reject URLs: anything with `://`
+    if token.contains("://") {
+        return false;
+    }
+    // Reject shell variable assignments: `IDENTIFIER=...`
+    if let Some(eq_pos) = token.find('=') {
+        let key = &token[..eq_pos];
+        if key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
+            return false;
+        }
+    }
+    // First character must be an identifier-start (letter, digit, or `_`).
+    token
+        .chars()
+        .next()
+        .is_some_and(|c| c.is_ascii_alphanumeric() || c == '_')
+}
+
 /// Classify shell exit codes and stderr patterns into `ToolErrorCategory`.
 ///
 /// Returns `Some(category)` only for well-known failure modes that benefit from
diff --git a/crates/zeph-tools/src/shell/tests.rs b/crates/zeph-tools/src/shell/tests.rs
@@ -979,6 +979,42 @@ fn extract_paths_empty() {
     assert!(extract_paths("").is_empty());
 }
 
+#[test]
+fn extract_paths_relative_without_prefix() {
+    let paths = extract_paths("cargo build src/main.rs");
+    assert!(
+        paths.contains(&"src/main.rs".to_owned()),
+        "src/main.rs must be detected"
+    );
+}
+
+#[test]
+fn extract_paths_relative_nested() {
+    let paths = extract_paths("cat .local/foo/bar");
+    assert!(
+        paths.contains(&".local/foo/bar".to_owned()),
+        ".local/foo/bar must be detected"
+    );
+}
+
+#[test]
+fn extract_paths_does_not_match_urls() {
+    let paths = extract_paths("curl https://example.com/file");
+    assert!(
+        !paths.contains(&"https://example.com/file".to_owned()),
+        "URLs must not be matched as paths"
+    );
+}
+
+#[test]
+fn extract_paths_does_not_match_env_assignments() {
+    let paths = extract_paths("KEY=some/value cargo build");
+    assert!(
+        !paths.contains(&"KEY=some/value".to_owned()),
+        "env assignments must not be matched as paths"
+    );
+}
+
 #[tokio::test]
 async fn policy_deny_blocks_command() {
     let policy = PermissionPolicy::from_legacy(&["forbidden".to_owned()], &[]);
