Fix scope guard false positives on system paths

Scope guard now only enforces isolation between workspace projects.
Paths outside the workspace (e.g. /dev/null, /usr/, /etc/) are not
this guard's jurisdiction — other guards handle system-level security.
Removes the complex system-command exemption logic that was insufficient
and fragile.

Author: AnExiledDev

container/.devcontainer/CHANGELOG.md

@@ -1,5 +1,17 @@
 # CodeForge Devcontainer Changelog
 
+## Unreleased
+
+### Scope Guard
+
+- Fix false positives blocking writes to system paths (`/dev/null`, `/usr/`, `/etc/`, `$HOME/`) — scope guard now only enforces isolation between workspace projects
+- Remove complex system-command exemption logic (no longer needed)
+
+### CLI Integration
+
+- Add codeforge-cli devcontainer feature — installs the CodeForge CLI (`codeforge` command) globally via npm
+- Remove dead `codeforge` alias from setup-aliases.sh (was pointing to obsolete `setup.js`)
+
 ## v2.0.3 — 2026-03-03
 
 ### Workspace Scope Guard

container/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/scripts/guard-workspace-scope.py

@@ -22,20 +22,13 @@
 # ---------------------------------------------------------------------------
 # BLACKLIST — checked FIRST, overrides everything.
 # Nothing touches these paths. Ever. No exceptions.
-# Checked before allowlist, before scope check, before cwd bypass.
+# Checked before scope check, before cwd bypass.
 # ---------------------------------------------------------------------------
 BLACKLISTED_PREFIXES = [
     "/workspaces/.devcontainer/",
     "/workspaces/.devcontainer",  # exact match (no trailing slash)
 ]
 
-# Paths always allowed regardless of working directory
-_home = os.environ.get("HOME", "/home/vscode")
-ALLOWED_PREFIXES = [
-    f"{_home}/.claude/",  # Claude config, plans, rules
-    "/tmp/",  # System scratch
-]
-
 WRITE_TOOLS = {"Write", "Edit", "NotebookEdit"}
 READ_TOOLS = {"Read", "Glob", "Grep"}
 ALL_FILE_TOOLS = WRITE_TOOLS | READ_TOOLS
@@ -85,47 +78,6 @@
 # ---------------------------------------------------------------------------
 WORKSPACE_PATH_RE = re.compile(r'/workspaces/[^\s;|&>)<\'"]+')
 
-# ---------------------------------------------------------------------------
-# System command exemption (Layer 1 only)
-# ---------------------------------------------------------------------------
-SYSTEM_COMMANDS = frozenset(
-    {
-        "git",
-        "pip",
-        "pip3",
-        "npm",
-        "npx",
-        "yarn",
-        "pnpm",
-        "apt-get",
-        "apt",
-        "cargo",
-        "go",
-        "docker",
-        "make",
-        "cmake",
-        "node",
-        "python3",
-        "python",
-        "ruby",
-        "gem",
-        "bundle",
-    }
-)
-
-SYSTEM_PATH_PREFIXES = (
-    "/usr/",
-    "/bin/",
-    "/sbin/",
-    "/lib/",
-    "/opt/",
-    "/proc/",
-    "/sys/",
-    "/dev/",
-    "/var/",
-    "/etc/",
-)
-
 
 # ---------------------------------------------------------------------------
 # Core check functions
@@ -145,9 +97,15 @@ def is_in_scope(resolved_path: str, cwd: str) -> bool:
     return resolved_path == cwd or resolved_path.startswith(cwd_prefix)
 
 
-def is_allowlisted(resolved_path: str) -> bool:
-    """Check if resolved_path falls under an allowed prefix."""
-    return any(resolved_path.startswith(prefix) for prefix in ALLOWED_PREFIXES)
+def is_outside_workspace(resolved_path: str) -> bool:
+    """Check if resolved_path is outside /workspaces/.
+
+    Paths outside the workspace are not this guard's jurisdiction —
+    system paths (/dev/, /usr/, /tmp/, $HOME/) are handled by other guards.
+    """
+    return not (
+        resolved_path == "/workspaces" or resolved_path.startswith("/workspaces/")
+    )
 
 
 # Worktree path segment used to detect worktree CWDs
@@ -295,45 +253,23 @@ def check_bash_scope(command: str, cwd: str) -> None:
         return
 
     # --- Layer 1: Write target scope check ---
-    if write_targets:
-        primary_cmd = extract_primary_command(command)
-        is_system_cmd = primary_cmd in SYSTEM_COMMANDS
-
-        resolved_targets = [
-            (t, os.path.realpath(t.strip("'\""))) for t in write_targets
-        ]
-
-        # System command exemption: skip Layer 1 ONLY if ALL targets are system paths
-        skip_layer1 = False
-        if is_system_cmd:
-            skip_layer1 = all(
-                any(r.startswith(sp) for sp in SYSTEM_PATH_PREFIXES)
-                for _, r in resolved_targets
+    for target in write_targets:
+        resolved = os.path.realpath(target.strip("'\""))
+        if is_outside_workspace(resolved):
+            continue  # Not under /workspaces/ — not this guard's jurisdiction
+        if not is_in_scope(resolved, cwd):
+            detail = f" (resolved: {resolved})" if resolved != target else ""
+            print(
+                f"Blocked: Bash command writes to '{target}'{detail} which is "
+                f"outside the working directory ({cwd}).",
+                file=sys.stderr,
             )
-            # Override: if ANY target is under /workspaces/ outside cwd → NOT exempt
-            if skip_layer1:
-                for _, resolved in resolved_targets:
-                    if resolved.startswith("/workspaces/") and not is_in_scope(
-                        resolved, cwd
-                    ):
-                        skip_layer1 = False
-                        break
-
-        if not skip_layer1:
-            for target, resolved in resolved_targets:
-                if not is_in_scope(resolved, cwd) and not is_allowlisted(resolved):
-                    detail = f" (resolved: {resolved})" if resolved != target else ""
-                    print(
-                        f"Blocked: Bash command writes to '{target}'{detail} which is "
-                        f"outside the working directory ({cwd}).",
-                        file=sys.stderr,
-                    )
-                    sys.exit(2)
+            sys.exit(2)
 
     # --- Layer 2: Workspace path scan (ALWAYS runs, never exempt) ---
     for path_str in workspace_paths:
         resolved = os.path.realpath(path_str)
-        if not is_in_scope(resolved, cwd) and not is_allowlisted(resolved):
+        if not is_in_scope(resolved, cwd):
             detail = f" (resolved: {resolved})" if resolved != path_str else ""
             print(
                 f"Blocked: Bash command references '{path_str}'{detail} which is "
@@ -398,8 +334,8 @@ def main():
         if is_in_scope(resolved, scope_root):
             sys.exit(0)
 
-        # Allowlist check
-        if is_allowlisted(resolved):
+        # Outside workspace — not this guard's jurisdiction
+        if is_outside_workspace(resolved):
             sys.exit(0)
 
         # Out of scope — BLOCK for ALL tools

container/tests/plugins/test_guard_workspace_scope.py

@@ -1,6 +1,6 @@
 """Tests for workspace scope guard plugin.
 
-Covers: is_blacklisted, is_in_scope, is_allowlisted, get_target_path,
+Covers: is_blacklisted, is_in_scope, is_outside_workspace, get_target_path,
         extract_primary_command, extract_write_targets, check_bash_scope,
         resolve_scope_root.
 """
@@ -117,26 +117,32 @@ def test_in_scope(self, resolved_path, cwd, expected):
 
 
 # ---------------------------------------------------------------------------
-# is_allowlisted
+# is_outside_workspace
 # ---------------------------------------------------------------------------
-class TestIsAllowlisted:
+class TestIsOutsideWorkspace:
     @pytest.mark.parametrize(
         "path, expected",
         [
-            (f"{guard_workspace_scope._home}/.claude/rules/foo.md", True),
-            ("/tmp/scratch.txt", True),
+            ("/dev/null", True),
+            ("/usr/lib/node_modules/foo", True),
+            ("/home/vscode/.config/foo", True),
+            ("/tmp/scratch", True),
             ("/workspaces/proj/file", False),
-            (f"{guard_workspace_scope._home}/.ssh/id_rsa", False),
+            ("/workspaces", False),
+            ("/workspaces/.devcontainer/foo", False),
         ],
         ids=[
-            "claude_config_dir",
-            "tmp_file",
-            "project_file",
-            "ssh_key",
+            "dev_null",
+            "usr_lib",
+            "home_config",
+            "tmp_scratch",
+            "workspace_project_file",
+            "workspaces_root_exact",
+            "devcontainer_under_workspace",
         ],
     )
-    def test_allowlisted(self, path, expected):
-        assert guard_workspace_scope.is_allowlisted(path) is expected
+    def test_outside_workspace(self, path, expected):
+        assert guard_workspace_scope.is_outside_workspace(path) is expected
 
 
 # ---------------------------------------------------------------------------
@@ -265,7 +271,8 @@ def test_blocked(self, command, cwd):
             ("echo x > /workspaces/proj/out.txt", "/workspaces/proj"),
             ("echo hello", "/workspaces/proj"),
             ("echo x > /workspaces/other/file", "/workspaces"),
-            ("echo x > /tmp/scratch", "/workspaces/proj"),
+            ("command 2>/dev/null", "/workspaces/proj"),
+            ("echo x > /usr/local/bin/foo", "/workspaces/proj"),
             ("", "/workspaces/proj"),
             ("ls /workspaces/proj/other-dir", "/workspaces/proj"),
             ("cat /workspaces/proj/README.md", "/workspaces/proj"),
@@ -274,7 +281,8 @@ def test_blocked(self, command, cwd):
             "write_inside_scope",
             "no_paths",
             "cwd_is_workspaces_bypass",
-            "allowlisted_tmp",
+            "redirect_to_dev_null",
+            "write_to_system_path",
             "empty_command",
             "sibling_dir_in_scope",
             "project_root_file_in_scope",