fix(mcp): treat copies-from-sensitive-source as exfiltration

Codex P1 on #495 (round 9): copy_file(source=".env", destination="/tmp/x") read a credentials file and duplicated its contents into a non-sensitive location. With my round-7 model, copy emitted FileWrite(dst) - WRITE risk - which auto-approves in accept-edits mode. Pre-#495 MCP tools prompted via the EXECUTE fallback, so this was a regression specifically introduced by the CapabilityAware migration.

Re-classify copies-from-sensitive-source as FileDelete(src). The op doesn't actually delete the source; the classification is intentionally over-conservative so the structural denial layer refuses the operation regardless of where it lands. Audit log shows @type=FileDelete for what is technically a read+write; the toolName field still carries mcp__<server>__copy_file so operators can correlate.

Unified disambiguation order for move/copy ops:

1. dst sensitive -> FileWrite(dst), denied
2. src present AND (isMove OR src sensitive) -> FileDelete(src)
   - moves (any src): DANGEROUS prompt for the delete
   - copies from sensitive src: structurally denied as exfil
3. dst present (copy with safe src and safe dst) -> FileWrite(dst), WRITE risk OK

Two existing tests retargeted - their old assertions pinned the wrong behaviour:

- copyFromSensitiveSourceDoesNotInferDelete (was: expect McpInvoke) -> copyFromSensitiveSourceWithoutDestinationInfersFileDelete
- copyFromSensitiveSourceWithSafeDestinationStaysAsFileWrite -> copyFromSensitiveSourceToSafeDestinationIsStructurallyDeniedAsExfil (plus an end-to-end assertion that DefaultPermissionPolicy denies the resulting FileDelete in auto-accept mode)

38 tests pass in McpToolBridgeTest. Full build green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
xinhuagu · xinhuagu · May 23, 2026 · May 17, 2026 · May 17, 2026 · May 17, 2026
commit a00b9ab1a1bdad9a1e66b120ed54557287c14110
diff --git a/aceclaw-mcp/src/main/java/dev/aceclaw/mcp/McpToolBridge.java b/aceclaw-mcp/src/main/java/dev/aceclaw/mcp/McpToolBridge.java
@@ -254,30 +254,38 @@ private Capability inferFileCapability(JsonNode args) {
             // "delete" target (for moves only — copies leave the source).
             // Disambiguation order:
             //   1. dst is sensitive → FileWrite(dst). Catches "move/copy to
-            //      .env" — destination-write attack.
-            //   2. Op is a move (not copy) and src resolves → FileDelete(src).
-            //      Two purposes:
-            //        a. Catches "move .env away" — source-delete attack the
-            //           destination-first model missed (Codex P1 follow-up #2
+            //      .env" — the destination-write attack.
+            //   2. src resolves AND (op is a move OR src is sensitive) →
+            //      FileDelete(src). Two distinct purposes folded together:
+            //        a. For MOVES (regardless of src sensitivity): the
+            //           source really is removed, and FileDelete's DANGEROUS
+            //           risk prompts in accept-edits where FileWrite would
+            //           auto-approve. Pre-#495 MCP moves prompted via
+            //           EXECUTE risk; this preserves that floor (Codex P2
             //           on #495).
-            //        b. Preserves DANGEROUS risk on the move semantics so even
-            //           benign moves don't auto-approve in accept-edits mode.
-            //           Pre-#495 MCP moves prompted via EXECUTE risk; FileWrite
-            //           is WRITE which IS auto-approved in accept-edits — that
-            //           would silently delete the source. FileDelete is
-            //           DANGEROUS, which is the closest match (Codex P2
-            //           on #495).
-            //   3. Pure copies (no source side-effect) → FileWrite(dst). Risk
-            //      is the genuine WRITE risk; auto-approval in accept-edits
-            //      is fine because the source is intact.
+            //        b. For COPIES from a sensitive source: copies don't
+            //           actually delete the source, but duplicating a
+            //           credentials file to a non-sensitive location IS
+            //           exfiltration. Pre-#495 the same call prompted via
+            //           the EXECUTE fallback; emitting FileDelete here
+            //           triggers the structural denial via the sensitive
+            //           source path (Codex P1 on #495 — "preserve prompts
+            //           for copies from sensitive sources"). Audit log
+            //           shows @type=FileDelete for a copy — slightly
+            //           misleading but safer than missing the denial; the
+            //           toolName field still carries
+            //           mcp__<server>__copy_file so operators can correlate.
+            //   3. Pure copy with non-sensitive src (dst is safe per step 1)
+            //      → FileWrite(dst). Genuine WRITE risk; auto-approval in
+            //      accept-edits is fine.
             Path dst = safePath(extractField(args, DESTINATION_FIELDS));
             Path src = safePath(extractField(args, SOURCE_FIELDS));
             boolean isMove = !COPY_VERB.matcher(name).matches();
 
             if (dst != null && DefaultPermissionPolicy.isSensitivePath(dst)) {
                 return new Capability.FileWrite(dst, WriteMode.OVERWRITE);
             }
-            if (isMove && src != null) {
+            if (src != null && (isMove || DefaultPermissionPolicy.isSensitivePath(src))) {
                 return new Capability.FileDelete(src);
             }
             if (dst != null) return new Capability.FileWrite(dst, WriteMode.OVERWRITE);

diff --git a/aceclaw-mcp/src/test/java/dev/aceclaw/mcp/McpToolBridgeTest.java b/aceclaw-mcp/src/test/java/dev/aceclaw/mcp/McpToolBridgeTest.java
@@ -305,17 +305,22 @@ void moveFromSensitiveSourceInfersFileDelete() {
     }
 
     @Test
-    void copyFromSensitiveSourceDoesNotInferDelete() {
-        // Copies leave the source intact — no FileDelete inferred.
+    void copyFromSensitiveSourceWithoutDestinationInfersFileDelete() {
+        // Codex P1 follow-up on #495 (round-9): copies from sensitive sources
+        // re-classify as FileDelete(src) so the structural denial fires --
+        // duplicating credentials anywhere is exfiltration regardless of
+        // destination. The op doesn't actually delete the source; the
+        // classification is intentionally over-conservative (audit log shows
+        // FileDelete but toolName=mcp__<server>__copy_file keeps it
+        // traceable).
         var tool = McpToolBridge.create("fs", mcpTool("copy_file", "desc"), client);
 
         var args = new ObjectMapper().createObjectNode()
                 .put("source", "/repo/.env");
         var cap = tool.toCapability(args);
 
-        // No destination resolved; not a delete (copy doesn't delete source).
-        // Falls through to McpInvoke.
-        assertThat(cap).isInstanceOf(Capability.McpInvoke.class);
+        assertThat(cap).isInstanceOf(Capability.FileDelete.class);
+        assertThat(((Capability.FileDelete) cap).path()).isEqualTo(Path.of("/repo/.env"));
     }
 
     @Test
@@ -339,20 +344,28 @@ void moveFromSensitiveSourceWithSafeDestinationInfersFileDelete() {
     }
 
     @Test
-    void copyFromSensitiveSourceWithSafeDestinationStaysAsFileWrite() {
-        // Copies don't delete the source - the source-sensitivity probe only
-        // kicks in for moves. A copy from .env to safe-dest still emits
-        // FileWrite(safe-dest) (the destination side), gets the standard
-        // prompt - no source-side denial because the source is left intact.
+    void copyFromSensitiveSourceToSafeDestinationIsStructurallyDeniedAsExfil() {
+        // Codex P1 on #495 (round-9): copy_file(.env, /tmp/env-copy) reads
+        // sensitive content and duplicates it to a non-sensitive location --
+        // a credential-exfiltration vector. Pre-fix this auto-approved in
+        // accept-edits because FileWrite(safe-dst) has WRITE risk. Re-classify
+        // copies-from-sensitive-src as FileDelete(src) so the structural
+        // denial layer refuses them regardless of destination, matching the
+        // pre-#495 EXECUTE-prompt behaviour for MCP tools.
         var tool = McpToolBridge.create("fs", mcpTool("copy_file", "desc"), client);
 
         var args = new ObjectMapper().createObjectNode()
                 .put("source", "/repo/.env")
                 .put("destination", "/tmp/env-copy.txt");
         var cap = tool.toCapability(args);
 
-        assertThat(cap).isInstanceOf(Capability.FileWrite.class);
-        assertThat(((Capability.FileWrite) cap).path()).isEqualTo(Path.of("/tmp/env-copy.txt"));
+        assertThat(cap)
+                .as("copy from sensitive src must be classified as FileDelete to trigger denial")
+                .isInstanceOf(Capability.FileDelete.class);
+        var decision = new DefaultPermissionPolicy("auto-accept").evaluateStructural(cap);
+        assertThat(decision)
+                .as("structural denial fires even in auto-accept mode")
+                .isNotNull();
     }
 
     @Test