Implement working directory scope locking for ADF agents #690
Description
Context
ADF agents currently have unrestricted filesystem access on bigbox. There is no mechanism to prevent an agent from reading or writing files outside its assigned working directory. Piwork (ferologics/Piwork) implements a robust scope locking model: one-time bind of working folder per task, traversal/symlink escape blocking, and a dedicated scope-negative test suite.
Proposal
Scope Locking
- One-time bind: once an agent is assigned a
working_dir, it is locked for the session - Record
scope_locked: boolinManagedAgent - Reject any attempt to change working directory after binding
Escape Prevention
- Block
..path traversal in file operation arguments - Block symlink escapes (symlinks pointing outside scope)
- Log violations to NightwatchMonitor as security events
Scope-Negative Test Suite
- Attempt traversal:
../../../etc/passwd-- must fail - Attempt symlink escape: create symlink pointing outside scope -- must fail
- Attempt working_dir change after lock -- must fail
- All tests must pass as prerequisites for agent deployment
Integration
- With Agent SDK (Epic: Migrate ADF Claude agents to Agent SDK #689):
PostToolUsehook inspects file paths - With subprocess model: parse file paths from structured envelope (Implement JSONL RPC envelope for agent-orchestrator communication #688)
- NightwatchMonitor: new signal type for scope violations (alongside drift and error rate)
References
- Piwork permissions model: https://github.com/ferologics/Piwork/blob/main/docs/permissions-model.md
- Piwork scope-negative tests:
mise run test-scope-negative - KB article:
cto-executive-system/knowledge/external/context-engineering/piwork-desktop-ui-for-pi-agent.md - Plan:
cto-executive-system/plans/adf-architecture-improvements.md(item 2.2) - Depends on: Implement JSONL RPC envelope for agent-orchestrator communication #688 (RPC envelope) or Epic: Migrate ADF Claude agents to Agent SDK #689 (Agent SDK)