Agentic.Workspace.PathValidator (agentic v0.2.2)


Validates that workspace paths are within the allowed base directory.

All workspace directories must be direct children of the configured :workspace_base_dir. This prevents path traversal attacks and ensures workspaces cannot write to arbitrary filesystem locations.

Summary

Functions

base_dir()

Returns the expanded base directory for all workspaces.

from_slug(slug)

Generates a safe workspace path from a slug.

validate(path)

Validates that a workspace path is safe and within the base directory.

Functions

base_dir()

Returns the expanded base directory for all workspaces.

from_slug(slug)

Generates a safe workspace path from a slug.

The slug must match ^[a-z0-9][a-z0-9-]*$. Returns {:ok, path} or {:error, reason}.

validate(path)

Validates that a workspace path is safe and within the base directory.

Rules:

  1. Expanded path must be a direct child of base_dir
  2. Must not escape via .. traversal (checked after expansion)
  3. Must not be the base_dir itself
  4. Directory name must match ^[a-z0-9][a-z0-9-]*$

Returns {:ok, expanded_path} or {:error, reason}.
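
The rules above, applied in order to constructed inputs. This is an added sketch, not the Agentic source: the module name PathValidatorSketch, the explicit base argument (the documented functions read :workspace_base_dir instead), the error atoms and the sample base /srv/workspaces are all assumptions.

```elixir
# Added sketch, not the Agentic source. The base directory is passed in
# explicitly and the error atoms are hypothetical.
defmodule PathValidatorSketch do
  # \A and \z instead of ^ and $: in Elixir regexes `$` also matches just
  # before a trailing newline, so "demo\n" would pass a ^...$ check.
  defp slug_re, do: ~r/\A[a-z0-9][a-z0-9-]*\z/

  def from_slug(slug, base) when is_binary(slug) do
    if Regex.match?(slug_re(), slug),
      do: {:ok, Path.join(Path.expand(base), slug)},
      else: {:error, :invalid_slug}
  end

  def validate(path, base) when is_binary(path) do
    base = Path.expand(base)
    # Path.expand/1 resolves "." and ".." lexically; it does not follow symlinks.
    expanded = Path.expand(path)

    cond do
      # Rule 3: the base directory itself is not a workspace.
      expanded == base -> {:error, :is_base_dir}
      # Rules 1 and 2: after expansion the parent must be exactly base.
      Path.dirname(expanded) != base -> {:error, :not_direct_child}
      # Rule 4: the directory name must be a valid slug.
      not Regex.match?(slug_re(), Path.basename(expanded)) -> {:error, :invalid_name}
      true -> {:ok, expanded}
    end
  end
end

base = "/srv/workspaces" # constructed sample base directory

# Constructed inputs, one per rule.
for path <- [
      "/srv/workspaces/my-project",
      "/srv/workspaces/../etc",
      "/srv/workspaces/a/b",
      "/srv/workspaces/.",
      "/srv/workspaces/Bad_Name",
      "/srv/workspaces/demo\n"
    ] do
  IO.inspect({path, PathValidatorSketch.validate(path, base)})
end

IO.inspect(PathValidatorSketch.from_slug("../escape", base))
```

Because the parent-directory comparison runs on the expanded path, both the `..` case and the nested `a/b` case fail the same check. A symlink placed inside the base directory is not caught by lexical expansion and needs a separate check at the point the directory is opened.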