Why
An audit of Forge's builtin toolset against what a general coding/assistant agent needs surfaced a cluster of gaps. Individually they're small; together they're the difference between "runs pre-scripted skills" and "can take on an open-ended task." This epic tracks them as one line item and, crucially, pins the shared security model so each tool lands consistently rather than bolting on its own execution/approval path.
Tracked issues
#
Gap
Notes
#265
Sandboxed shell/command runner
Controlled general execution above cli_execute's allowlist; sandbox-only, gated off by default
#266
web_fetch builtin
Fetch a URL → cleaned, LLM-readable content (fills the gap between web_search results and http_request raw bytes)
#267
Subagent delegation tool
Let an agent spawn a capability-scoped sub-agent (child tools/egress ⊆ parent)
#268
Wire up dormant file_read / file_write / file_edit / file_patch
Fully-built, tested builtins the runtime never registers; general R/W/edit surface
#255
Multimodal (image/document) input
Already tracked separately — the tool-side of general "read this file"; listed here for completeness
Shared model (the reason this is an epic, not 5 unrelated issues)
These aren't independent — they must share Forge's governed-execution posture so the safe default stays safe:
Suggested sequencing
[ASI02/ASI09] Action-level approval + dry-run diff for destructive tool calls — close ASI02 #2 / ASI09 #1,#7 #223 (approval keystone) + feat(tools): wire up dormant file_read / file_write / file_edit / file_patch builtins for general agents #268 (file tools) — highest leverage; feat(tools): wire up dormant file_read / file_write / file_edit / file_patch builtins for general agents #268 's write/edit is the first real consumer of [ASI02/ASI09] Action-level approval + dry-run diff for destructive tool calls — close ASI02 #2 / ASI09 #1,#7 #223 's dry-run diff, and the builtins already exist.
feat(tools): web_fetch builtin — fetch a URL and return cleaned, LLM-readable content #266 (web_fetch) — low-risk, self-contained, no new trust tier.
feat(tools): sandboxed shell/command runner — controlled general execution beyond cli_execute's allowlist #265 (shell runner) — depends on [ASI02/ASI09] Action-level approval + dry-run diff for destructive tool calls — close ASI02 #2 / ASI09 #1,#7 #223 + [ASI02] cli_execute workDir path confinement — reads escape to /etc/passwd (GAP-PATH) #235 + [ASI02] Platform-layer denied_command_patterns — operator-authored, org-wide command denial across all skills #238 + the [Bug]: Phase 5 — Container Sandbox Supervisor: Kernel-Level Network Isolation, Seccomp, DNS Proxy, Policy Engine #35 sandbox supervisor.
feat(tools): subagent delegation tool — let an agent spawn a scoped sub-agent for a subtask #267 (subagent) — depends on [ASI08] Blast-radius quotas + circuit breaker (planner/executor) — close ASI08 #7 #233 + [ASI08/ASI09/ASI10] Tamper-evident (hash-chained + signed) audit stream — close ASI10 #1 / ASI09 #2 / ASI08 #10 #224 .
Done when
Related security work: #211 , #223 , #233 , #235 , #238 , #224
Why
An audit of Forge's builtin toolset against what a general coding/assistant agent needs surfaced a cluster of gaps. Individually they're small; together they're the difference between "runs pre-scripted skills" and "can take on an open-ended task." This epic tracks them as one line item and, crucially, pins the shared security model so each tool lands consistently rather than bolting on its own execution/approval path.
Tracked issues
cli_execute's allowlist; sandbox-only, gated off by defaultweb_fetchbuiltinweb_searchresults andhttp_requestraw bytes)file_read/file_write/file_edit/file_patchShared model (the reason this is an epic, not 5 unrelated issues)
These aren't independent — they must share Forge's governed-execution posture so the safe default stays safe:
NewPathValidatorconfinement the search tools already use; must not regress [ASI02] cli_execute workDir path confinement — reads escape to /etc/passwd (GAP-PATH) #235 (cli_execute/etc/passwdescape).http_request's egress-controlled path; no new network bypass.Suggested sequencing
web_fetch) — low-risk, self-contained, no new trust tier.Done when
code_agent_*specializationRelated security work: #211, #223, #233, #235, #238, #224