codewhale/crates
Hunter Bown bcf6ba9a8e feat(#29): per-workspace trust list with /trust slash command
Adds a persistent allowlist of external paths the agent may read/write
from outside the current workspace, scoped to the workspace it was
granted in. The list lives in ~/.deepseek/workspace-trust.json with
schema {"workspaces": {"<ws>": ["<trusted>", ...]}}; canonical paths on
both sides keep symlink-aliased macOS tempdirs sane.

Surface area:
 * crates/tui/src/workspace_trust.rs — new module: load_for / add /
   remove plus *_at variants for tests that need an explicit file path
   rather than HOME mutation.
 * tools/spec.rs — ToolContext gains trusted_external_paths and
   resolve_path consults it before returning PathEscape, both for the
   existing-path branch and the to-be-created (parent-canonical) branch.
 * core/engine.rs — build_tool_context loads the trust snapshot on every
   tool dispatch so /trust mutations apply on the next call.
 * commands/config.rs — /trust now takes subcommands (add, remove,
   list, on, off, status) instead of being a single all-or-nothing
   toggle. Tilde expansion handled in-line.
 * commands/mod.rs — registry entry updated with the new usage string
   and a dispatcher that forwards args.
 * tools/diagnostics.rs — adds trusted_external_paths to the JSON
   output so the agent and the user can see the list at a glance.

The interactive "Allow once / Always allow / Deny" prompt that the
issue describes is deferred — for v0.5.1 the workflow is "grant
ahead with /trust add". A future change will add a hook in
ToolContext::resolve_path that surfaces an ApprovalRequest when an
escape path is hit, so the slash-command remains the durable
mechanism while the prompt becomes the discovery one.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 14:39:37 -05:00
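
The path check the commit message describes (canonical paths on both sides, the trust list consulted before a PathEscape is returned, and the to-be-created case resolved through the parent directory), as an added Rust example that is not codewhale's own code. `Ctx`, `ResolveError`, `canonical_or_parent` and `resolve` are hypothetical names, and the trust list is assumed to be already loaded and canonicalized rather than read from workspace-trust.json.

```rust
use std::io;
use std::path::{Path, PathBuf};

// Hypothetical stand-in for the commit's ToolContext; field names are assumed.
pub struct Ctx {
    pub workspace: PathBuf,             // canonical workspace root
    pub trusted_external: Vec<PathBuf>, // canonical entries granted to this workspace
}

#[derive(Debug, PartialEq)]
pub enum ResolveError {
    PathEscape(PathBuf),
    Io(io::ErrorKind),
}

// Canonicalize `p`. If it does not exist yet, canonicalize the parent and
// re-attach the final component (the to-be-created branch).
fn canonical_or_parent(p: &Path) -> io::Result<PathBuf> {
    match p.canonicalize() {
        Ok(c) => Ok(c),
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            // A dangling symlink exists as a link but has no target: fail closed,
            // because a later write would follow it to an unchecked location.
            if p.symlink_metadata().is_ok() {
                return Err(io::ErrorKind::InvalidInput.into());
            }
            let name = p.file_name().ok_or(io::ErrorKind::InvalidInput)?;
            let parent = p.parent().ok_or(io::ErrorKind::InvalidInput)?;
            Ok(parent.canonicalize()?.join(name))
        }
        Err(e) => Err(e),
    }
}

pub fn resolve(ctx: &Ctx, requested: &Path) -> Result<PathBuf, ResolveError> {
    // Relative paths are taken against the workspace; absolute ones replace it.
    let joined = ctx.workspace.join(requested);
    let real = canonical_or_parent(&joined).map_err(|e| ResolveError::Io(e.kind()))?;
    // Path::starts_with compares whole components, so /ws-evil is not inside /ws.
    let allowed = real.starts_with(&ctx.workspace)
        || ctx.trusted_external.iter().any(|t| real.starts_with(t));
    if allowed { Ok(real) } else { Err(ResolveError::PathEscape(real)) }
}

fn main() {
    let ws = std::env::current_dir().unwrap().canonicalize().unwrap();
    let ctx = Ctx { workspace: ws, trusted_external: vec![] };
    println!("{:?}", resolve(&ctx, &std::env::temp_dir().join("outside.txt")));
}
```
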