[P7.0.1] Workspace path allowlist — prevent authenticated cross-tenant RCE (M1) #655

@frankbria

Description

Problem (gates hosted / multi-tenant — NOT a single-user beta blocker)

get_v2_workspace resolves workspace_path from a client-supplied query parameter and only checks workspace_exists(path) — there is no allowlist of permitted roots. Because the ReAct agent exposes run_command (arbitrary shell=True execution) and file create/edit tools scoped only to the chosen workspace, an authenticated user can point operations at any directory on the host and effectively gains arbitrary code execution / host filesystem read-write.

Acceptable-by-design for a single-operator local tool (the operator already owns the box). It becomes authenticated RCE across tenant boundaries the moment the server is exposed to more than one user or run in DeploymentMode.HOSTED.

Evidence

  • codeframe/ui/dependencies.py:38-97: get_v2_workspace resolves an arbitrary workspace_path and checks only the .codeframe marker
  • codeframe/core/tools.py:760-810: _execute_run_command (shell=True)

Fix

  • Introduce a configurable allowlist of permitted workspace roots (e.g. WORKSPACE_ROOT); reject any resolved workspace_path not contained within an allowed root.
  • In HOSTED mode, bind every workspace to the authenticated user. Do not treat the .codeframe marker as authorization.

Acceptance criteria

  • Workspace paths outside the allowlist are rejected.
  • In multi-user/HOSTED mode, a user cannot operate on another user's / arbitrary host paths.
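The root allowlist and per-user binding described under Fix, as an added example that is not code from the codeframe repository: the roots, the owner_of lookup and the user ids are constructed for illustration, and the check is written so that the path is canonicalised before containment is tested and the .codeframe marker plays no part in authorization.

```python
from pathlib import Path
from typing import Callable, Iterable, Optional


class WorkspaceRejected(ValueError):
    """The client-supplied workspace_path failed the allowlist or ownership check."""


def parse_allowlist(setting: str) -> list:
    """Turn a WORKSPACE_ROOT-style setting ("/srv/ws:/opt/ws") into canonical roots.
    Roots are resolved so that a symlinked root compares equal to its real location."""
    return [Path(p).resolve() for p in setting.split(":") if p]


def is_within(candidate: Path, root: Path) -> bool:
    """True if candidate is root or a descendant of it, compared by path components.
    A plain string-prefix test would wrongly accept /srv/ws-other for root /srv/ws."""
    try:
        candidate.relative_to(root)
    except ValueError:
        return False
    return True


def resolve_workspace(raw_path: str, allowed_roots: Iterable[Path], hosted: bool = False,
                      user_id: Optional[str] = None,
                      owner_of: Optional[Callable[[Path], Optional[str]]] = None) -> Path:
    """Return the canonical workspace path if permitted, else raise WorkspaceRejected.

    The path is resolved (symlinks and '..') BEFORE containment is checked, so a link
    inside an allowed root that points outside it is rejected. The .codeframe marker is
    deliberately not consulted: it marks a workspace, it does not authorize access.
    In HOSTED mode the workspace must additionally be bound to the authenticated user
    through the (constructed, illustrative) owner_of lookup.
    """
    resolved = Path(raw_path).resolve()
    if not any(is_within(resolved, root) for root in allowed_roots):
        raise WorkspaceRejected(f"workspace_path outside allowed roots: {resolved}")
    if hosted:
        if user_id is None or owner_of is None:
            raise WorkspaceRejected("hosted mode requires an authenticated user and an owner lookup")
        if owner_of(resolved) != user_id:
            raise WorkspaceRejected(f"workspace {resolved} is not bound to user {user_id!r}")
    return resolved


def is_permitted(raw_path: str, allowed_roots: Iterable[Path], **kwargs) -> bool:
    """Boolean form of resolve_workspace, convenient for request guards and tests."""
    try:
        resolve_workspace(raw_path, allowed_roots, **kwargs)
    except WorkspaceRejected:
        return False
    return True
```

Wiring this in front of get_v2_workspace means the existing workspace_exists check runs only on a path that has already passed the allowlist, and in HOSTED mode only on one bound to the requesting user.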

Source: release-readiness audit 2026-06-13 (security agent, finding M1). Gate any hosted offering on this.

Labels

  • FutureDeferred: beyond v1/v2 scope, consider for future versions
  • phase-7: Phase 7: Hosted / multi-tenant readiness
  • security
