All posts
Engineering2026-06-30

How DictatorFlow Keeps Local File Editing Scoped

Giving chat the ability to edit local files should come with boundaries. DictatorFlow's first computer-use tools are scoped to a configured workspace root and tested against the most obvious escape paths.

Guardrails
  • > Absolute paths are rejected for local chat file tools.
  • > Parent traversal is rejected before a path is opened.
  • > Symlink escapes are detected after resolving the final path.
  • > Reads, writes, and searches have size and result caps.

Exact replacements first

The edit primitive favors exact replacements. That makes the model specify what text it expects to find and what text should replace it. It is a narrow operation, but narrow is useful when the assistant is operating on real files.

Commands are optional

Shell commands are useful for tests and local verification, but they are also a broader permission. DictatorFlow keeps command execution behind a separate opt-in flag and runs commands in the configured root with a timeout.

This gives users a practical ladder: start with read-only inspection, enable file edits when needed, then enable command or agent execution only for workspaces where that makes sense.