Skip to content

fix: security hook cwd extraction and PATH issues (#555, #556) #587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AndyMik90 merged 5 commits into from
Jan 3, 2026
Merged

fix: security hook cwd extraction and PATH issues (#555, #556) #587

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e2ea3f0
fix(security): extract cwd from input_data instead of context
hluisi Jan 2, 2026
e15c2c1
fix(frontend): use getAugmentedEnv for PATH in agent processes
hluisi Jan 2, 2026
2ce1107
chore: pin electron version to 39.2.7
hluisi Jan 2, 2026
cde1d3c
fix: handle empty cwd fallback and add Linux .NET paths
hluisi Jan 3, 2026
aff04fe
Merge branch 'develop' into fix/security-hook-cwd-and-path-issues
AndyMik90 Jan 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 2 additions & 5 deletions apps/backend/security/hooks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,8 @@ async def bash_security_hook(
if not command:
return {}

# Get the working directory from context or use current directory
# In the actual client, this would be set by the ClaudeSDKClient
cwd = os.getcwd()
if context and hasattr(context, "cwd"):
cwd = context.cwd
# Get the working directory from input_data (SDK passes it there, not in context)
cwd = input_data.get("cwd") or os.getcwd()

# Get or create security profile
# Note: In actual use, spec_dir would be passed through context
Expand Down
6 changes: 5 additions & 1 deletion apps/frontend/src/main/agent/agent-process.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import { buildMemoryEnvVars } from '../memory-env-builder';
import { readSettingsFile } from '../settings-utils';
import type { AppSettings } from '../../shared/types/settings';
import { getOAuthModeClearVars } from './env-utils';
import { getAugmentedEnv } from '../env-utils';

/**
* Process spawning and lifecycle management
Expand Down Expand Up @@ -55,8 +56,11 @@ export class AgentProcessManager {
extraEnv: Record<string, string>
): NodeJS.ProcessEnv {
const profileEnv = getProfileEnv();
// Use getAugmentedEnv() to ensure common tool paths (dotnet, homebrew, etc.)
// are available even when app is launched from Finder/Dock
const augmentedEnv = getAugmentedEnv();
return {
...process.env,
...augmentedEnv,
...extraEnv,
...profileEnv,
PYTHONUNBUFFERED: '1',
Expand Down
3 changes: 3 additions & 0 deletions apps/frontend/src/main/env-utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,15 +64,18 @@ const COMMON_BIN_PATHS: Record<string, string[]> = {
darwin: [
'/opt/homebrew/bin', // Apple Silicon Homebrew
'/usr/local/bin', // Intel Homebrew / system
'/usr/local/share/dotnet', // .NET SDK
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider adding .NET paths for Linux.

The .NET SDK and global tools paths are correctly added for macOS. However, .NET is also commonly used on Linux, where it's typically installed at:

  • /usr/share/dotnet (SDK)
  • ~/.dotnet/tools (global tools)
🔎 Proposed change to add Linux .NET support 
  linux: [
    '/usr/local/bin',
    '/usr/bin',               // System binaries (Python, etc.)
+   '/usr/share/dotnet',      // .NET SDK
    '/snap/bin',              // Snap packages
    '~/.local/bin',           // User-local binaries
+   '~/.dotnet/tools',        // .NET global tools
    '/usr/sbin',              // System admin binaries
  ],

Also applies to: 71-71

🤖 Prompt for AI Agents 
In apps/frontend/src/main/env-utils.ts around lines 67 and 71, the PATH list
includes macOS .NET locations but is missing common Linux .NET install
locations; add '/usr/share/dotnet' for the SDK and the current user's tools
folder (e.g. expand to `${HOME}/.dotnet/tools` or use os.homedir()/path.join) to
the array; if using os.homedir() or path.join, add the necessary imports and
ensure the entry only gets added when process.platform === 'linux' (or add
unconditionally if safe).

'/opt/homebrew/sbin', // Apple Silicon Homebrew sbin
'/usr/local/sbin', // Intel Homebrew sbin
'~/.local/bin', // User-local binaries (Claude CLI)
'~/.dotnet/tools', // .NET global tools
],
Comment on lines 64 to 72
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The current order of paths gives system-wide directories (like /opt/homebrew/bin and /usr/local/bin) higher priority than user-specific directories (~/.local/bin, ~/.dotnet/tools). This is unconventional and can lead to issues where a user's local installation of a tool is ignored in favor of an older system version.

It's standard practice to prepend user-specific binary paths to the PATH to allow users to override system-wide tools. I suggest reordering the darwin paths to prioritize user directories.

Suggested change
darwin: [
'/opt/homebrew/bin', // Apple Silicon Homebrew
'/usr/local/bin', // Intel Homebrew / system
'/usr/local/share/dotnet', // .NET SDK
'/opt/homebrew/sbin', // Apple Silicon Homebrew sbin
'/usr/local/sbin', // Intel Homebrew sbin
'~/.local/bin', // User-local binaries (Claude CLI)
'~/.dotnet/tools', // .NET global tools
],
darwin: [
'~/.local/bin', // User-local binaries (Claude CLI)
'~/.dotnet/tools', // .NET global tools
'/opt/homebrew/bin', // Apple Silicon Homebrew
'/usr/local/bin', // Intel Homebrew / system
'/usr/local/share/dotnet', // .NET SDK
'/opt/homebrew/sbin', // Apple Silicon Homebrew sbin
'/usr/local/sbin', // Intel Homebrew sbin
],

linux: [
'/usr/local/bin',
'/usr/bin', // System binaries (Python, etc.)
'/snap/bin', // Snap packages
'~/.local/bin', // User-local binaries
'~/.dotnet/tools', // .NET global tools
'/usr/sbin', // System admin binaries
],
win32: [
Expand Down
Loading