Skip to content

fix(ai): warn 'missing shfmt/safecmd' instead of 'Missing ai addon' + ship shfmt via the ai addon#1274

Merged
ocervell merged 1 commit into
ai-resiliencyfrom
fix/ai-guardrail-shfmt-warning
Jul 4, 2026
Merged

fix(ai): warn 'missing shfmt/safecmd' instead of 'Missing ai addon' + ship shfmt via the ai addon#1274
ocervell merged 1 commit into
ai-resiliencyfrom
fix/ai-guardrail-shfmt-warning

Conversation

@ocervell

@ocervell ocervell commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Problem (hit during CLI testing)

In attack mode every shell command the LLM issues hit the guardrail shell parser, which printed:

[ERR] Missing ai addon: please run "secator install addons ai".

…even though the ai addon was installed. _parse_subcommands (guardrails.py) shells out to shfmt via safecmd; the misleading message came from its ImportError branch. The env had litellm (so ADDONS_ENABLED['ai']=True) but not safecmd/shfmt — a partial ai install. Worse, the other failure mode (safecmd present, shfmt binary not on PATH) was silent (FileNotFoundError swallowed by except Exception: return []).

Fix

  1. Message — replace the Error("Missing ai addon") with a one-shot Warning that names the real gap: "Missing safecmd shell parser" (ImportError) or "Missing shfmt binary" (FileNotFoundError). Both fall back to the non-shfmt path — an empty sub-command list, so _check_action_type asks the user to approve the whole command (safe, just coarser). Warn once per process (no per-command spam).
  2. Install — add shfmt-py explicitly to the ai extra so secator install addons ai (pip install secator[ai]) always ships the shfmt binary, not just the safecmd Python package (which only pulled it transitively).

Tests

TestShellParserFallback: safecmd-missing → Warning naming safecmd, never "ai addon"; shfmt-binary-missing → Warning naming shfmt; warn-once across multiple commands. Full AI suite: no new failures vs branch baseline.

Found while testing ai-testing; targets ai-resiliency (#1241).

🤖 Generated with Claude Code

…ia addon

The guardrail shell parser (_parse_subcommands) shells out to shfmt via safecmd.
When either was absent it printed a misleading Error "Missing ai addon" (the ai
addon = litellm, which can be present without the shell parser) on the ImportError
path, and was SILENT on the shfmt-binary-missing path (FileNotFoundError swallowed
by `except Exception`). Both left the user confused while the guardrail quietly
fell back to whole-command approval.

- Emit a clear one-shot Warning naming the actual missing piece — "Missing safecmd
  shell parser" (ImportError) or "Missing shfmt binary" (FileNotFoundError) — and
  fall back to the non-shfmt path (empty sub-command list -> caller asks for
  whole-command approval). Warn once per process, no per-command spam.
- Make shfmt an explicit ai-addon dependency (`shfmt-py` in the `ai` extra) so
  `secator install addons ai` always ships the binary, not just the safecmd package.

Also fixes the ADDONS_ENABLED['ai'] blind spot in practice: a litellm-only install
no longer masquerades as a fully-working ai addon at the guardrail layer.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NNjPggRSVZ2xnLb7ZxWP5H
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7ffbc07e-11c7-4ccd-af9f-992209057189

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/ai-guardrail-shfmt-warning

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@ocervell ocervell merged commit 3d06851 into ai-resiliency Jul 4, 2026
1 check passed
@ocervell ocervell deleted the fix/ai-guardrail-shfmt-warning branch July 4, 2026 18:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant