feat(arcan-aios-adapters): shell gating utilities and binary capability extraction (BRO-216)

[broomva]

Summary

• Binary extraction for exec:cmd: capabilities: capabilities_for_tool("bash", {"command": "ls -la"}) now returns exec:cmd:ls (binary only) instead of exec:cmd:ls -la. This enables precise per-command whitelisting — the exec:cmd:ls token matches exactly against exec:cmd:ls in PolicySet::free().allow_capabilities
• New shell_gate module: Documents and tests the two-layer shell enforcement model with ShellPolicy enum, shell_policy_for(), validate_shell_command(), and FREE_TIER_ALLOWED_COMMANDS constant

Architecture

Shell enforcement runs at two complementary layers:

1. PolicySet / capability evaluation (aios-protocol + aios-policy): capabilities_for_tool("bash", input) returns exec:cmd:<binary>. The StaticPolicyEngine evaluates this against the session's policy — anonymous: immediately denied (no approval ticket); free: only whitelisted binaries allowed; pro/enterprise: all allowed via "*" wildcard
2. Tier catalog filtering (BRO-214): The bash tool is hidden from the LLM's tool list for anonymous/free tiers

New exports

pub use shell_gate::{ShellPolicy, FREE_TIER_ALLOWED_COMMANDS, shell_policy_for, validate_shell_command};

Test plan

• shell_derives_exec_cmd_binary_capability: "ls -la" → exec:cmd:ls
• shell_strips_path_prefix_from_binary: /usr/bin/python3 script.py → exec:cmd:python3
• shell_cap_is_denied_by_anonymous_policy: exec:cmd:* NOT in anonymous gate
• All shell_gate tests: tier mapping, command validation, path stripping, end-to-end denial
• All 79 tests pass: cargo test -p arcan-aios-adapters

Depends on: broomva/aiOS#3

Closes BRO-216

🤖 Generated with Claude Code

[linear]

BRO-216 [Arcan] Shell/bash execution gating — blocked for anonymous, sandboxed for free, full for pro

[coderabbitai]

Warning

Rate limit exceeded

@broomva has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 53 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 876976fa-e913-417f-994a-0a875711a165

📥 Commits

Reviewing files that changed from the base of the PR and between f454575 and 81a9ee4.

📒 Files selected for processing (3)

• crates/arcan-aios-adapters/src/capability_map.rs
• crates/arcan-aios-adapters/src/lib.rs
• crates/arcan-aios-adapters/src/shell_gate.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/bro-216-shell-gating

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}