Split DANGEROUS_PATHS into two categories:
1. DANGEROUS_SYSTEM_PATHS: Block path AND all subdirectories
(e.g., /etc, /etc/passwd, /var/log/auth.log)
2. DANGEROUS_HOME_CONTAINERS: Block ONLY exact match
(e.g., /home is blocked but /home/user/project passes through)
This fixes the issue where /home/user/project was incorrectly blocked
by is_dangerous_path(). Subdirectory access control for home directories
is properly delegated to is_home_directory_root() in resolve_and_validate_path().
Addresses review feedback from @chatgpt-codex-connector about blocking
all home directory subpaths.
Replace string prefix matching with Path.is_relative_to() to correctly
handle Windows paths like "C:\" where trailing backslash caused double
separator issues (e.g., "C:\\" instead of "C:\").
Changes:
- Use Path.is_relative_to() for subdirectory detection (requires Python 3.9+)
- Add Windows path handling tests using PureWindowsPath
- Update test_utils.py to expect /etc/passwd to be blocked (security fix)
The is_dangerous_path() function only did exact string matching,
allowing attackers to bypass protection by accessing subdirectories:
- /etc was blocked but /etc/passwd was allowed
- C:\Windows was blocked but C:\Windows\System32\... was allowed
This minimal fix changes is_dangerous_path() to use PREFIX MATCHING:
- Now blocks dangerous directories AND all their subdirectories
- Paths like /etcbackup are still allowed (not under /etc)
- No changes to DANGEROUS_PATHS list
Security:
- Fixes CWE-22: Path Traversal vulnerability
- Reported by: Team off-course (K-Shield.Jr 15th)
Fixes#312Fixes#293
The previous fix (aceddb6) removed --search entirely, disabling web search.
This restores web search functionality using the correct --enable flag
that works with the codex exec subcommand.
Related to #338
Address review feedback:
- Add test for claude-opus alias in test_alias_resolution
- Add tests for anthropic/claude-opus-4.5 full name and opus4.5 alias
in test_registry_capabilities
- Add anthropic/claude-opus-4.5 with aliases: opus, opus4.5, claude-opus
- Set intelligence_score to 18 (matching Gemini 3 Pro)
- Update Opus 4.1 to use opus4.1 alias only
- Update tests to reflect new alias mappings
Note: supports_function_calling and supports_json_mode set to false
following existing project pattern for Claude models, despite
OpenRouter API support for these features.
The setUp method created provider instances that were never used.
Each test creates its own instance inside the patch context manager,
which is the correct pattern for property mocking.
- Remove redundant @patch.object decorators (inner context manager suffices)
- Remove try/except blocks that could hide test failures
- Tests now fail fast if mocking is insufficient
OpenRouter's /responses endpoint rejects store:true via Zod validation.
This is an endpoint-level limitation, not model-specific. The fix
conditionally omits the store parameter for OpenRouter while maintaining
it for direct OpenAI and Azure OpenAI providers.
- Add provider type check in _generate_with_responses_endpoint
- Include debug logging when store parameter is omitted
- Add regression tests for both OpenRouter and OpenAI behavior
Fixes#348
fix: working directory should exist, raise error and not try and create one
docs: improved API Lookup instructions
* test added to confirm failures
* chat schema more explicit about file paths
Stay in codex, plan review and fix complicated bugs, then ask it to spawn claude code and implement the plan.
This uses your current subscription instead of API tokens.
The previous commit (f98046c) added shutil.which() to resolve executables,
which broke two tests that only mocked subprocess execution. This commit
adds shutil.which() mocking to both test files to restore test compatibility.
Co-authored-by: Claude <noreply@anthropic.com>
model definitions now support a new `allow_code_generation` flag, only to be used with higher reasoning models such as GPT-5-Pro and-Gemini 2.5-Pro
When `true`, the `chat` tool can now request the external model to generate a full implementation / update / instructions etc and then share the implementation with the calling agent.
This effectively allows us to utilize more powerful models such as GPT-5-Pro to generate code for us or entire implementations (which are either API-only or part of the $200 Pro plan from within the ChatGPT app)
Zen now allows you to define `roles` for an external CLI and delegate work to another CLI via the new `clink` tool (short for `CLI + Link`). Gemini, for instance, offers 1000 free requests a day - this means you can save on tokens and your weekly limits within Claude Code by delegating work to another entirely capable CLI agent!
Define your own system prompts as `roles` and make another CLI do anything you'd like. Like the current tool you're connected to, the other CLI has complete access to your files and the current context. This also works incredibly well with Zen's `conversation continuity`.
feat: Azure OpenAI / Azure AI Foundry support. Models should be defined in conf/azure_models.json (or a custom path). See .env.example for environment variables or see readme. https://github.com/BeehiveInnovations/zen-mcp-server/issues/265
feat: OpenRouter / Custom Models / Azure can separately also use custom config paths now (see .env.example )
refactor: Model registry class made abstract, OpenRouter / Custom Provider / Azure OpenAI now subclass these
refactor: breaking change: `is_custom` property has been removed from model_capabilities.py (and thus custom_models.json) given each models are now read from separate configuration files
fix: restrictions should resolve canonical names for openrouter
fix: tools now correctly return restricted list by presenting model names in schema
fix: tests updated to ensure these manage their expected env vars properly
perf: cache model alias resolution to avoid repeated checks
