fix(cortex-cli): integrate allows_risk() for proper autonomy level validation

echobt · echobt · commit d3dea9c25951 · 2026-02-03T14:37:11.000Z
Address Greptile review feedback by actually calling the allows_risk() method
in the exec command approval flow. Previously, the security fix only added the
method but did not integrate it into the command execution path.

Changes:
- Replace simple AutonomyLevel::ReadOnly check with allows_risk(risk, command)
- Extract risk_level from sandbox_assessment if available
- Pass actual command string to validate read-only commands properly
- Provide clearer error messages including risk level and autonomy mode
diff --git a/src/cortex-cli/src/exec_cmd/runner.rs b/src/cortex-cli/src/exec_cmd/runner.rs
@@ -466,18 +466,29 @@ impl ExecCli {
                     }
                 }
                 EventMsg::ExecApprovalRequest(approval) => {
-                    // Check autonomy level
-                    if let Some(level) = autonomy
-                        && level == AutonomyLevel::ReadOnly
-                    {
-                        // Fail fast in read-only mode
-                        error_occurred = true;
-                        error_message = Some(
-                            "Permission denied: Command execution not allowed in read-only mode. \
-                                Use --auto low|medium|high to enable."
-                                .to_string(),
-                        );
-                        break;
+                    // Check autonomy level using allows_risk for proper validation
+                    if let Some(level) = autonomy {
+                        let command_str = approval.command.join(" ");
+                        let risk_level = approval
+                            .sandbox_assessment
+                            .as_ref()
+                            .map(|a| match a.risk_level {
+                                cortex_protocol::SandboxRiskLevel::Low => "low",
+                                cortex_protocol::SandboxRiskLevel::Medium => "medium",
+                                cortex_protocol::SandboxRiskLevel::High => "high",
+                            })
+                            .unwrap_or("low");
+
+                        if !level.allows_risk(risk_level, &command_str) {
+                            // Command not allowed at this autonomy level
+                            error_occurred = true;
+                            error_message = Some(format!(
+                                "Permission denied: Command '{}' (risk: {}) not allowed in {} mode. \
+                                Use --auto with higher autonomy level to enable.",
+                                command_str, risk_level, level
+                            ));
+                            break;
+                        }
                     }
 
                     // Auto-approve based on autonomy level (already set via approval_policy)
