Gitpulse
Merged
Size
M
Change Breakdown
Bug Fix75%
Testing15%
Refactor10%
#66731fix(node-host): allow absolute-path native binaries through approval binder

Native binaries no longer rejected by approval binder

TM
tmimmanuel
·Apr 16, 2026

Absolute-path native binaries like /usr/bin/whoami were being incorrectly rejected by the node-host approval binder — a regression that broke agent flows using tools.exec. The fix distinguishes actual script files from native executables, allowing the latter through while keeping fail-closed behavior for the former.

Since version 2026.4.11, commands executed via tools.exec on node hosts were failing with "approval cannot safely bind this interpreter/runtime command" — even trivial commands like /usr/bin/whoami. The approval binder was rejecting every command where argv[0] resolved to an existing file, treating native binaries the same as mutable scripts.

This fix narrows the rejection surface. Native executables with known binary headers (ELF, Mach-O, PE/COFF) now pass through without triggering the stable-binding requirement. Only script-like files — those with shebang lines or unknown file types — remain fail-closed. Mutable paths (writable files or symlinks with mutable components) also still get rejected, preserving security boundaries.

Agents can now run diagnostic commands, helper scripts, and binary invocations on node hosts as intended, without workarounds like env /usr/bin/whoami.

View Original GitHub Description

Summary

Fix the node-host approval binder so absolute-path native binaries are not rejected as unsafe interpreter/runtime commands.

Before this change, tools.exec with host=node could fail for commands like /usr/bin/whoami because the shell-payload binder treated any existing file at argv[0] as requiring stable script-style binding. That was correct for mutable scripts, but wrong for native binaries.

This patch keeps the fail-closed behavior for likely script files while allowing native executables through without requiring a mutable file operand.

Fixes #66524.

What changed

  • updated src/node-host/invoke-system-run-plan.ts
  • refined shellPayloadNeedsStableBinding() to distinguish:
    • script-like file payloads that should stay fail-closed
    • native binaries that should be allowed
  • added lightweight executable header detection for ELF, Mach-O, and PE/COFF
  • added regression tests in src/node-host/invoke-system-run-plan.test.ts for:
    • /bin/sh -lc /usr/bin/whoami succeeds
    • /bin/sh -lc <script-path> still fails closed

Why

The previous logic rejected all shell payloads whose first token resolved to an existing file, which unintentionally blocked absolute-path binaries on node hosts. The env /usr/bin/whoami workaround reported in #66524 demonstrated that the rejection was overly broad.

This change narrows the rejection surface to mutable script-like targets rather than all file-backed commands.

Risk

Low to medium.

The patch only affects the shell-payload stable-binding heuristic. It preserves the existing stricter behavior for script/interpreter cases and does not change allowlist, approval, or execution policy flows.

Testing

Added regression tests for:

  • absolute-path native binary payloads
  • script-path payloads that must remain fail-closed

Local verification:

  • git diff --check passed
© 2026 · via Gitpulse