fix: add workspace path sandboxing and UWF_BUILTIN_ALLOW_SHELL check

- Add resolvePathInWorkspace() to reject paths escaping workspace root
- Apply sandboxing to read_file, write_file, and run_command tools
- Gate run_command behind UWF_BUILTIN_ALLOW_SHELL=1 env var
- Add tests for resolvePathInWorkspace escape detection

packages/workflow-agent-builtin/__tests__/path.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, test } from "bun:test";
-import { resolvePath } from "../src/tools/path.js";
 import { resolve } from "node:path";
+import { resolvePath, resolvePathInWorkspace } from "../src/tools/path.js";
 
 describe("resolvePath", () => {
   test("resolves relative paths against cwd", () => {
@@ -19,3 +19,25 @@ describe("resolvePath", () => {
     expect(resolved).toBe(resolve("/workspace/project", "../other/file.ts"));
   });
 });
+
+describe("resolvePathInWorkspace", () => {
+  test("allows relative paths within workspace", () => {
+    const resolved = resolvePathInWorkspace("/workspace", "src/foo.ts");
+    expect(resolved).toBe(resolve("/workspace", "src/foo.ts"));
+  });
+
+  test("rejects path that escapes workspace root", () => {
+    const resolved = resolvePathInWorkspace("/workspace", "../etc/passwd");
+    expect(resolved).toBeNull();
+  });
+
+  test("rejects absolute path escape via double-dot", () => {
+    const resolved = resolvePathInWorkspace("/workspace/project", "../../outside");
+    expect(resolved).toBeNull();
+  });
+
+  test("allows deep nested path", () => {
+    const resolved = resolvePathInWorkspace("/workspace", "a/b/c/file.txt");
+    expect(resolved).toBe(resolve("/workspace", "a/b/c/file.txt"));
+  });
+});

packages/workflow-agent-builtin/src/tools/path.ts

@@ -1,6 +1,17 @@
-import { resolve } from "node:path";
+import { isAbsolute, relative, resolve } from "node:path";
 
 /** Resolve a path relative to the working directory. */
 export function resolvePath(cwd: string, inputPath: string): string {
   return resolve(cwd, inputPath);
 }
+
+/** Reject paths that escape the workspace root via `..` segments. */
+export function resolvePathInWorkspace(cwd: string, inputPath: string): string | null {
+  const root = resolve(cwd);
+  const target = resolve(root, inputPath);
+  const rel = relative(root, target);
+  if (rel.startsWith("..") || isAbsolute(rel)) {
+    return null;
+  }
+  return target;
+}

packages/workflow-agent-builtin/src/tools/read-file.ts

@@ -1,5 +1,5 @@
 import { readFile, stat } from "node:fs/promises";
-import { resolvePath } from "./path.js";
+import { resolvePathInWorkspace } from "./path.js";
 import type { BuiltinTool } from "./types.js";
 
 const MAX_READ_BYTES = 512 * 1024;
@@ -23,7 +23,10 @@ export const readFileTool: BuiltinTool = {
     if (!isRecord(args) || typeof args.path !== "string") {
       return "Error: path must be a string";
     }
-    const resolved = resolvePath(ctx.cwd, args.path);
+    const resolved = resolvePathInWorkspace(ctx.cwd, args.path);
+    if (resolved === null) {
+      return "Error: path escapes workspace root";
+    }
     try {
       const info = await stat(resolved);
       if (!info.isFile()) {

packages/workflow-agent-builtin/src/tools/run-command.ts

@@ -1,5 +1,5 @@
 import { spawn } from "node:child_process";
-import { resolvePath } from "./path.js";
+import { resolvePathInWorkspace } from "./path.js";
 import type { BuiltinTool } from "./types.js";
 
 const COMMAND_TIMEOUT_MS = 60_000;
@@ -57,7 +57,7 @@ function runShell(
 export const runCommandTool: BuiltinTool = {
   name: "run_command",
   description:
-    "Run a shell command. Output is truncated to 32KB.",
+    "Run a shell command in the workspace. Requires UWF_BUILTIN_ALLOW_SHELL=1. Output is truncated.",
   parameters: {
     type: "object",
     required: ["command"],
@@ -71,6 +71,9 @@ export const runCommandTool: BuiltinTool = {
     additionalProperties: false,
   },
   execute: async (args, ctx) => {
+    if (process.env.UWF_BUILTIN_ALLOW_SHELL !== "1") {
+      return "Error: run_command disabled. Set UWF_BUILTIN_ALLOW_SHELL=1 to enable.";
+    }
     if (!isRecord(args) || typeof args.command !== "string") {
       return "Error: command must be a string";
     }
@@ -79,7 +82,11 @@ export const runCommandTool: BuiltinTool = {
       if (typeof args.cwd !== "string") {
         return "Error: cwd must be a string";
       }
-      workDir = resolvePath(ctx.cwd, args.cwd);
+      const resolved = resolvePathInWorkspace(ctx.cwd, args.cwd);
+      if (resolved === null) {
+        return "Error: cwd escapes workspace root";
+      }
+      workDir = resolved;
     }
     try {
       const { stdout, stderr, code } = await runShell(args.command, workDir);

packages/workflow-agent-builtin/src/tools/write-file.ts

@@ -1,6 +1,6 @@
 import { mkdir, writeFile } from "node:fs/promises";
 import { dirname } from "node:path";
-import { resolvePath } from "./path.js";
+import { resolvePathInWorkspace } from "./path.js";
 import type { BuiltinTool } from "./types.js";
 
 function isRecord(value: unknown): value is Record<string, unknown> {
@@ -23,7 +23,10 @@ export const writeFileTool: BuiltinTool = {
     if (!isRecord(args) || typeof args.path !== "string" || typeof args.content !== "string") {
       return "Error: path and content must be strings";
     }
-    const resolved = resolvePath(ctx.cwd, args.path);
+    const resolved = resolvePathInWorkspace(ctx.cwd, args.path);
+    if (resolved === null) {
+      return "Error: path escapes workspace root";
+    }
     try {
       await mkdir(dirname(resolved), { recursive: true });
       await writeFile(resolved, args.content, "utf8");