Proposal (re security): Require manual approval to access files outside of project directory #1063
dkamins started this conversation in Feature Requests
Replies: 0 comments
Currently the auto-approval options for file access are essentially granting access to read and write any files on our computers and attached network drives. You can test this by asking the AI to read a file elsewhere on your disk, and while it may initially think it is not able to, it definitely is.
So activating auto-approval requires a tremendous amount of trust in not only the extension but more importantly various cloud-hosted LLMs with their own potential quirks and vulnerabilities.
I believe one of the goals of the project is to be able to sit back and let the agent(s) do the work, watching them search, read files, make changes, hand off control between each other, etc. It's a fantastic vision. But it doesn't really work smoothly if we have to click to approve each file access.
So I am proposing new sub-options under the "Auto-Approve Settings" panel, like here (the ... lines are the new sub-options):

These would appear when the respective option was selected, and ideally default to checked (requiring manual approval).
This would allow many more users in more sensitive environments to use these tools and new models with comfort and confidence, and hopefully be easy and self-explanatory.
There may be better ways of exposing this, there may be edge cases (e.g. it could still run a command that reads an outside file), maybe this should be an option elsewhere not even related to auto-approval, or maybe something like this already exists... I'm posting this to open the discussion.
--
(Side note: A possible hacky workaround I rejected was related to seeing the "Edit Files" tool support of manually setting a fileRegex which controls which files it has access to. But this is a bit awkward and more suited for specifying "Markdown files only" or "CSS files only" etc. It shouldn't be hijacked for security purposes. Plus the other tools including "Read Files" don't even have this fileRegex mode support.)
P.S. Just started using Roo and it's fantastic so far!
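As an added example, not part of the original post and not Roo Code's own implementation, here is what the "inside the project directory" gate the proposal asks for looks like as a containment check. The function and setting names (`isInsideWorkspace`, `approvalDecision`, `requireApprovalOutsideProject`) are hypothetical. It assumes POSIX-style paths and normalizes `.` and `..` itself so it runs without Node's `path` module; it also takes a realpath resolver so a symlink inside the workspace that points outside it is treated as outside. The workspace root, the settings object and the symlink table are constructed sample input.

```javascript
// Added example (not Roo Code's code). Assumed: POSIX paths, an absolute
// workspace root, and a realpath function (real or injected for testing).

// Normalize "." and ".." segments. ".." above an absolute root is dropped,
// the same behaviour as path.posix.normalize.
function normalizePosix(p) {
  const absolute = p.startsWith("/");
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length > 0 && out[out.length - 1] !== "..") out.pop();
      else if (!absolute) out.push("..");
      continue;
    }
    out.push(seg);
  }
  if (absolute) return "/" + out.join("/");
  return out.length === 0 ? "." : out.join("/");
}

// Resolve a tool-supplied path against the workspace root (relative paths
// are taken relative to the root, absolute paths are kept).
function resolvePosix(root, p) {
  return normalizePosix(p.startsWith("/") ? p : root + "/" + p);
}

// The actual gate: is the requested file under the workspace root once
// "..", symlinks and the root's own symlinks are resolved? The separator
// check stops "/home/dev/project-other" matching a root of "/home/dev/project".
function isInsideWorkspace(workspaceRoot, requestedPath, realpath = (x) => x) {
  const root = normalizePosix(realpath(normalizePosix(workspaceRoot)));
  const target = normalizePosix(realpath(resolvePosix(root, requestedPath)));
  const prefix = root === "/" ? "/" : root + "/";
  return target === root || target.startsWith(prefix);
}

// Decision for the proposed sub-option: with auto-approval on, files inside
// the workspace are approved automatically; files outside it fall back to
// manual approval when the sub-option is checked.
function approvalDecision(settings, workspaceRoot, requestedPath, realpath) {
  if (!settings.autoApproveRead) return "manual";
  if (isInsideWorkspace(workspaceRoot, requestedPath, realpath)) return "auto";
  return settings.requireApprovalOutsideProject ? "manual" : "auto";
}

// ---- constructed sample input ----
const WORKSPACE_ROOT = "/home/dev/project";
const SETTINGS = { autoApproveRead: true, requireApprovalOutsideProject: true };

// Fake symlink table standing in for fs.realpathSync: one link inside the
// project points at the user's ~/.ssh directory.
const SYMLINKS = { "/home/dev/project/link-to-ssh": "/home/dev/.ssh" };
function fakeRealpath(p) {
  for (const [link, target] of Object.entries(SYMLINKS)) {
    if (p === link) return target;
    if (p.startsWith(link + "/")) return target + p.slice(link.length);
  }
  return p;
}

// Run the sample requests through the gate and return the decisions.
function runSamples() {
  const requests = [
    "src/index.ts",
    "src/../README.md",
    "../.ssh/id_rsa",
    "/etc/passwd",
    "link-to-ssh/id_rsa",
    "/home/dev/project-other/secrets.env",
  ];
  const result = {};
  for (const r of requests) {
    result[r] = approvalDecision(SETTINGS, WORKSPACE_ROOT, r, fakeRealpath);
  }
  return result;
}

console.log(runSamples());
```

Note that this only covers the read and edit tools' own path arguments; as the post already points out, a shell command the agent runs can still read files anywhere, so command execution needs its own approval gate regardless of this check.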