pdd sync silently runs pip install for missing packages without user consent

[Serhan-Asad]

Summary

During pdd sync, when a PDD-generated example file crashes with a ModuleNotFoundError, the function _try_auto_fix_import_error() automatically runs pip install <package_name> for any package name extracted from the error message — with no user confirmation, no allowlist, and no logging of what was installed.

Reproduction

1. Create a prompt that causes the LLM to generate an example importing a package not in your environment (this happens naturally ~5-15% of the time when LLMs hallucinate imports)
2. Run pdd sync <basename>
3. During the crash operation, if the example has a ModuleNotFoundError, PDD silently runs pip install for the missing package name

Affected Code

The vulnerable pattern exists in two files:

sync_orchestration.py lines 519-532:

# It's an external package - try pip install
try:
    result = subprocess.run(
        [sys.executable, '-m', 'pip', 'install', top_level_package],
        capture_output=True,
        text=True,
        timeout=120
    )

pin_example_hack.py lines 561-574: (identical copy)

Impact

• Environment contamination: pdd sync installs packages the user never asked for. These don't appear in requirements.txt or pyproject.toml, making environments non-reproducible.
• User surprise: No developer expects a code generation tool to modify their Python environment. Violates the principle of least astonishment.
• CI/CD pollution: Teams running pdd sync --force in CI get phantom dependencies that aren't tracked in lockfiles. Builds work today, break tomorrow when recreated from scratch.
• Security (low probability): Since the package name comes from LLM-generated code, hallucinated package names could theoretically match typosquat packages on PyPI, though this is unlikely in practice.

Suggested Fix

At minimum, add a click.confirm() prompt before running pip install:

if click.confirm(f"Install missing package '{ top_level_package}'?", default=False):
    subprocess.run([sys.executable, '-m', 'pip', 'install', top_level_package], ...)

Better options:

• Add an --allow-install CLI flag (off by default)
• Maintain an allowlist of common safe packages for --force mode
• Log what was installed so users can review and uninstall

[Serhan-Asad]

Step 1: Duplicate Check

Status: No duplicates found

Search Performed

• Searched for: "pip install silent", "auto install package", "ModuleNotFoundError", "_try_auto_fix_import_error"
• Issues reviewed: ~30 (open and closed)

Findings

Issue #7 ("verify requires new package install: stuck in endless loop") touches on related behavior (LLM-generated code needing missing packages), but addresses a different problem (endless verify loop) and does not mention the silent pip install behavior. No other issues address the unauthorized package installation concern.

This is a new issue with no duplicates.

---

Proceeding to Step 2: Documentation Check

[Serhan-Asad]

Step 2: Documentation Check

Status: Confirmed Bug

Documentation Reviewed

• CLAUDE.md (full project documentation)
• README.md
• CONTRIBUTING.md
• docs/ directory
• CHANGELOG.md
• Inline code comments in sync_orchestration.py and pin_example_hack.py

Findings

The automatic pip install behavior in _try_auto_fix_import_error() is not documented anywhere — not in the README, not in CLAUDE.md's sync command reference, not in the changelog, and not in any configuration guide. There is no CLI flag (--allow-install, --no-auto-install, etc.) to control this behavior, and no environment variable to disable it.

The pdd sync documentation describes operations like auto-deps, generate, example, crash, verify, test, and fix — but never mentions that it may install Python packages into the user's environment. Users have no way to know this will happen, no way to prevent it, and no way to review what was installed after the fact.

This is a clear case of undocumented side effects that modify the user's environment without consent.

---

Proceeding to Step 3: Triage

[Serhan-Asad]

Step 3: Triage

Status: Proceed

Summary

This issue has excellent reproduction context:

• Expected behavior: pdd sync should not modify the user's Python environment without consent
• Actual behavior: _try_auto_fix_import_error() silently runs pip install for any package name extracted from ModuleNotFoundError output
• Code locations confirmed: pdd/sync_orchestration.py and pdd/pin_example_hack.py both contain the pip install pattern
• Reproduction path: Clear — any pdd sync that triggers a ModuleNotFoundError in the example/crash step will auto-install packages

No additional information needed from the issue author. The affected code, behavior, and impact are all well-documented.

---

Proceeding to Step 4: Reproduction

[Serhan-Asad]

Step 4: Reproduction

Status: Reproduced (via code inspection)

Environment

• macOS Darwin 24.3.0
• Python 3.11+
• PDD v0.0.144 (main branch, commit 629588f)

Steps Taken

1. Located _try_auto_fix_import_error() in both pdd/sync_orchestration.py:451 and pdd/pin_example_hack.py (identical copies)
2. Verified the pip install call at sync_orchestration.py:523-528 and pin_example_hack.py:563-568
3. Traced the call site at sync_orchestration.py:1446 — called directly when crash log contains ModuleNotFoundError, with no confirmation gate
4. Searched for any click.confirm, allowlist, or --allow-install flag — none exist

Observed Behavior

The code path is deterministic and unconditional:

crash log contains "ModuleNotFoundError" 
→ extract package name from error message
→ check if it's a local module (sys.path fix) or external
→ if external: subprocess.run([sys.executable, '-m', 'pip', 'install', top_level_package])

No user prompt, no flag check, no allowlist, no logging. The capture_output=True flag means the installation is completely silent — the user sees only "Installed missing package: X" in the sync output after the fact.

Affected Files

• pdd/sync_orchestration.py:520-534 - silent pip install in _try_auto_fix_import_error()
• pdd/pin_example_hack.py:560-574 - identical copy of the same pattern
• pdd/sync_orchestration.py:1446 - call site with no confirmation gate

Notes

• Both files contain identical copies of _try_auto_fix_import_error() — this is also a DRY violation that should be addressed in the fix
• The top_level_package variable comes from parsing LLM-generated error output, making it attacker/hallucination-controlled input to pip install
• --force mode makes this worse since it skips all interactive prompts, but even without --force, this specific pip install has no prompt

---

Proceeding to Step 5: Root Cause Analysis

[Serhan-Asad]

Step 5: Root Cause Analysis

Root Cause Identified: Yes

Summary

The function _try_auto_fix_import_error() in both sync_orchestration.py and pin_example_hack.py unconditionally runs subprocess.run([sys.executable, '-m', 'pip', 'install', top_level_package]) when it detects a ModuleNotFoundError for an external package. The function has no force parameter, no click.confirm() gate, and no allowlist — it simply installs whatever package name is extracted from the error message. The callers at sync_orchestration.py:1446 and pin_example_hack.py:1364 invoke it without any user consent check either.

Technical Details

• Location: pdd/sync_orchestration.py:520-534 and pdd/pin_example_hack.py:560-574 (identical code)
• Problematic Code:

# It's an external package - try pip install
try:
    result = subprocess.run(
        [sys.executable, '-m', 'pip', 'install', top_level_package],
        capture_output=True,
        text=True,
        timeout=120
    )

• Why it fails: The function signature (error_output, code_file, example_file) has no force parameter and no way to prompt the user. The sync orchestrator at line 1446 calls it unconditionally when has_crash is True and the error contains a ModuleNotFoundError. No confirmation is requested in any mode (interactive or --force).

External Research

• Search terms: "pip install without consent", "auto install packages security"
• Relevant findings: This is a well-known anti-pattern. Build tools that silently install packages violate the principle of least surprise and can introduce supply chain risks via typosquatting.

Repository History

• Introduced in: commit 88a37d5d (version bump that included the auto-fix feature)
• Related patterns: The codebase already uses click.confirm() for destructive/surprising actions in 6+ locations (e.g., firecrawl.py:94, sessions.py:254, sync_orchestration.py:1063). The force flag bypasses these confirmations. This function was written without following that established pattern.

Experiments Performed

1. Traced the call chain: sync() → crash detection → _try_auto_fix_import_error() → unconditional pip install. Confirmed no gate exists at any level.
2. Confirmed the force parameter exists on the sync() function (line 939) but is never passed to or checked by _try_auto_fix_import_error().

Fix Location

• File(s) to modify: pdd/sync_orchestration.py (lines 451-534) and pdd/pin_example_hack.py (lines 491-574)
• Why this location: This is the root cause — the function itself lacks any consent mechanism. The callers correctly delegate to it, so the fix belongs in the function (or its signature).
• Existing pattern: click.confirm() gated by the force flag, used throughout the codebase (e.g., sync_orchestration.py:1063, construct_paths.py:1220). When force=True, the action proceeds without prompting; when force=False, the user is asked.
• Fix approach: Add a force: bool parameter to _try_auto_fix_import_error(). Before running pip install, call click.confirm(f"Install missing package '{top_level_package}'?", default=False) unless force=True. Update callers to pass through the force flag. This follows the exact same pattern used elsewhere in sync_orchestration.py.

---

Proceeding to Step 5.5: Prompt Classification

[Serhan-Asad]

Step 5: Root Cause Analysis

Root Cause Identified: Yes

Summary

The function _try_auto_fix_import_error() in both sync_orchestration.py and pin_example_hack.py unconditionally runs subprocess.run([sys.executable, "-m", "pip", "install", top_level_package]) when it detects a ModuleNotFoundError for an external package. The function has no force parameter, no click.confirm() gate, and no allowlist. The callers at sync_orchestration.py:1446 and pin_example_hack.py:1364 invoke it without any user consent check either.

Technical Details

• Location: pdd/sync_orchestration.py:520-534 and pdd/pin_example_hack.py:560-574 (identical code)
• Why it fails: The function signature (error_output, code_file, example_file) has no force parameter and no way to prompt the user. The sync orchestrator at line 1446 calls it unconditionally when has_crash is True and the error contains a ModuleNotFoundError. No confirmation is requested in any mode.

Repository History

• Introduced in: commit 88a37d5d
• Related patterns: The codebase already uses click.confirm() gated by force flag in 6+ locations (e.g., firecrawl.py:94, sessions.py:254, sync_orchestration.py:1063). This function was written without following that established pattern.

Experiments Performed

1. Traced call chain: sync() -> crash detection -> _try_auto_fix_import_error() -> unconditional pip install. No gate at any level.
2. Confirmed force param exists on sync() (line 939) but is never passed to _try_auto_fix_import_error().

Fix Location

• File(s) to modify: pdd/sync_orchestration.py (lines 451-534) and pdd/pin_example_hack.py (lines 491-574)
• Why this location: Root cause is the function itself lacking any consent mechanism.
• Existing pattern: click.confirm() gated by force flag, used throughout the codebase. When force=True, action proceeds; when force=False, user is asked.
• Fix approach: Add force: bool param to _try_auto_fix_import_error(). Before pip install, call click.confirm() unless force=True. Update callers to pass through force. Follows exact same pattern used elsewhere.

---

Proceeding to Step 5.5: Prompt Classification

[Serhan-Asad]

Step 5.5: Prompt Classification

Classification: Code Bug

DEFECT_TYPE: code

Analysis

The _try_auto_fix_import_error() function in both sync_orchestration.py and pin_example_hack.py runs pip install unconditionally without user confirmation. No prompt file specifies this auto-install behavior — the relevant prompt files (sync_analysis_LLM.prompt, agentic_bug_orchestrator_python.prompt) contain no mention of automatic package installation or import error auto-fixing.

Evidence

• Prompt specifies: No prompt file specifies the auto-install behavior. The function was added as an implementation detail without prompt-level specification.
• Code implements: Unconditional pip install with no consent gate, no force parameter, no allowlist.
• User expects: At minimum a confirmation prompt before installing packages, consistent with the codebase's established click.confirm() pattern used in 6+ other locations for surprising/destructive actions.

Conclusion

The code does not follow the codebase's established consent pattern for surprising actions. This is a code bug — the implementation lacks the user confirmation gate that the codebase convention requires. Proceeding with test generation.

---

Proceeding to Step 6: Test Plan

[Serhan-Asad]

Step 6: Test Plan

Existing Test Coverage

• Test file: tests/test_sync_orchestration.py
• Current coverage: test_auto_fix_success_saves_complete_metadata() tests that when auto-fix succeeds, metadata is saved correctly — but it mocks out _try_auto_fix_import_error entirely, so it never tests the function's internal behavior.
• Gap: No test actually exercises _try_auto_fix_import_error() directly. No test verifies that pip install is or isn't called. No test for pin_example_hack.py's duplicate copy.

Proposed Tests

Test 1: External package triggers pip install without user consent (primary bug)

• Input: error_output = "ModuleNotFoundError: No module named 'pandas'" with a code_file whose stem differs from 'pandas'
• Expected (after fix): Function calls click.confirm() before running subprocess.run(['pip', 'install', ...]). When confirm returns False, pip install is NOT called and function returns (False, ...)
• Actual (before fix): subprocess.run is called unconditionally — no confirmation prompt

Test 2: External package install proceeds when user confirms

• Input: Same as Test 1, but click.confirm returns True
• Expected: subprocess.run IS called with the correct pip install command, function returns (True, "Installed missing package: pandas")

Test 3: Force mode skips confirmation

• Input: Same as Test 1, but force=True parameter is passed
• Expected: subprocess.run is called without click.confirm(), matching the codebase's established force pattern

Test 4: Local module import error does NOT trigger pip install

• Input: error_output = "ModuleNotFoundError: No module named 'calculator'" where code_file.stem == 'calculator'
• Expected: sys.path fix is attempted, subprocess.run with pip is never called

Test 5: Same tests for pin_example_hack.py copy

• Input: Same inputs as Tests 1-3
• Expected: Same behavior — both copies must have the consent gate

Test Location

• File: tests/test_sync_orchestration.py (append) — for sync_orchestration tests
• Additional tests in: tests/test_pin_example_hack.py (if exists) or new file — for pin_example_hack tests
• Framework: pytest with unittest.mock.patch

Notes

• All tests mock subprocess.run to prevent actual pip installs during testing
• Tests should use tmp_path fixture for code_file and example_file
• The force parameter doesn't exist yet on _try_auto_fix_import_error — the fix must add it, and tests should verify it works
• Both files must be tested since they contain duplicate implementations

---

Proceeding to Step 7: Generate Test

[Serhan-Asad]

Step 7: Generated Test

Test File

tests/test_auto_fix_import_no_consent.py

Test Code

"""Tests for issue #494: _try_auto_fix_import_error must require user consent before pip install."""

import pytest
from pathlib import Path
from unittest.mock import patch, MagicMock


@pytest.fixture
def import_error_setup(tmp_path):
    code_file = tmp_path / "calculator.py"
    code_file.write_text("# code file\n")
    example_file = tmp_path / "example_calculator.py"
    example_file.write_text("import numpy\nprint('hello')\n")
    error_output = "ModuleNotFoundError: No module named 'numpy'"
    return code_file, example_file, error_output


class TestSyncOrchestrationAutoFixConsent:
    def test_pip_install_requires_user_confirmation(self, import_error_setup):
        # FAILS: click.confirm is never called before pip install
        ...

    def test_pip_install_skipped_when_user_declines(self, import_error_setup):
        # FAILS: pip install runs unconditionally, ignoring user declining
        ...

    def test_function_accepts_force_parameter(self):
        # FAILS: no force parameter exists
        ...


class TestPinExampleHackAutoFixConsent:
    def test_pip_install_requires_user_confirmation(self, import_error_setup):
        # FAILS: same bug in duplicate function
        ...

    def test_function_accepts_force_parameter(self):
        # FAILS: no force parameter in duplicate either
        ...

What This Test Verifies

5 tests assert the correct behavior (user consent before pip install) and fail on the current buggy code:

1. click.confirm() must be called before pip install (sync_orchestration.py) — fails because confirm is never called
2. pip install must not run when user declines — fails because there's no confirmation gate
3. Function must accept force parameter — fails because parameter doesn't exist
   4-5. Same checks for the duplicate in pin_example_hack.py

Running the Test

pytest tests/test_auto_fix_import_no_consent.py -v

All 5 tests fail: ✅

---

Proceeding to Step 8: Verification

[Serhan-Asad]

Step 8: Verification Complete

Test Execution

tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_pip_install_requires_user_confirmation FAILED
tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_pip_install_skipped_when_user_declines FAILED
tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_function_accepts_force_parameter FAILED
tests/test_auto_fix_import_no_consent.py::TestPinExampleHackAutoFixConsent::test_pip_install_requires_user_confirmation FAILED
tests/test_auto_fix_import_no_consent.py::TestPinExampleHackAutoFixConsent::test_function_accepts_force_parameter FAILED

5 failed in 1.80s

All 5 tests fail for the correct reasons:

• Tests 1 & 4: click.confirm is never called (0 times) — confirms no user consent is requested
• Test 2: subprocess.run is called even when user would decline — confirms unconditional pip install
• Tests 3 & 5: Function signature lacks force parameter — confirms no way to control behavior

Verification Status

PASS: Test correctly detects the bug

Summary

Step	Result
Duplicate Check	✅ New issue
Documentation	✅ Undocumented behavior
Triage	✅ Proceed
Reproduction	✅ Confirmed
Root Cause	✅ Identified
Prompt Classification	✅ Code defect
Test Plan	✅ 5 test cases
Test Generation	✅ All tests written
Verification	✅ All 5 tests fail correctly

Bug Details

• Location: pdd/sync_orchestration.py:520-534 and pdd/pin_example_hack.py:560-574
• Root Cause: _try_auto_fix_import_error() runs pip install unconditionally with no click.confirm() gate and no force parameter, violating the codebase's established consent pattern
• Test File: tests/test_auto_fix_import_no_consent.py

Next Steps

1. Fix the bug: add force parameter and click.confirm() gate to _try_auto_fix_import_error() in both files
2. Run the test to confirm the fix
3. Run full test suite to check for regressions
4. Submit PR with fix and test

---

Proceeding to Step 9: E2E Tests

[Serhan-Asad]

Step 9: E2E Test

Environment Discovery

• Repository language: Python
• Test framework: pytest
• Existing E2E tests found: Yes — 32 files matching test_e2e_*.py in tests/
• Test configuration: pyproject.toml (pytest settings)
• Fixtures/helpers used: conftest.py fixtures (runner, preserve_pdd_path, restore_standard_streams)
• Environment variables required: None for this test
• Auth/credentials: N/A

E2E Test File

tests/test_e2e_issue_494_auto_fix_no_consent.py

Test Type

CLI (exercises the full _try_auto_fix_import_error → subprocess call chain, mocking only at the OS boundary)

What This Test Verifies

When pdd sync encounters a ModuleNotFoundError in an example file, the auto-fix function must call click.confirm() before running pip install. Currently it installs packages silently without any user consent.

3 tests cover:

1. Consent required — click.confirm() must be called before pip install (sync_orchestration.py)
2. Decline blocks install — when user says no, pip install must NOT run
3. Duplicate in pin_example_hack.py — same consent requirement applies

Test Execution Result

FAILED test_full_chain_pip_install_runs_without_consent - AssertionError: BUG: pip install ran without calling click.confirm() first.
FAILED test_full_chain_pip_install_blocked_when_declined - AssertionError: BUG: pip install ran even though user confirmation was not given. (1 pip call found)
FAILED test_pin_example_hack_same_bug - AssertionError: BUG: pin_example_hack.py's _try_auto_fix_import_error also runs pip install without calling click.confirm().

============================== 3 failed in 1.56s ===============================

E2E Test Status

PASS: E2E test correctly detects the bug — all 3 tests fail because click.confirm() is never called before pip install. Tests will pass once the consent gate is added.

---

Proceeding to Step 10: Create Draft PR

[Serhan-Asad]

Step 10: Draft PR Created

Pull Request

PR #121: Add failing tests for #494: silent pip install without consent

Branch

fix/issue-494

What's Included

• Failing unit tests at tests/test_auto_fix_import_no_consent.py (5 tests)
• Failing E2E tests at tests/test_e2e_issue_494_auto_fix_no_consent.py (3 tests)
• Commits: 1

Next Steps for Maintainers

1. Review the failing tests to understand the expected behavior
2. Implement the fix at the identified locations (sync_orchestration.py:520-534 and pin_example_hack.py:560-574)
3. Verify both unit and E2E tests pass with your fix
4. Run full test suite to check for regressions
5. Mark the PR as ready for review

PDD Fix Command

To auto-fix this bug using PDD:

pdd fix https://github.com/promptdriven/pdd/issues/494

Tip: Use --protect-tests if the tests are known to be correct, or --max-cycles N to limit fix attempts.

---

Investigation complete. A draft PR with failing tests has been created and linked to this issue.

[Serhan-Asad]

Step 1: Unit Test Execution (Cycle 1)

Status: All Tests Pass

Unit Tests Identified

• tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_pip_install_requires_user_confirmation
• tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_pip_install_skipped_when_user_declines
• tests/test_auto_fix_import_no_consent.py::TestSyncOrchestrationAutoFixConsent::test_function_accepts_force_parameter
• tests/test_auto_fix_import_no_consent.py::TestPinExampleHackAutoFixConsent::test_pip_install_requires_user_confirmation
• tests/test_auto_fix_import_no_consent.py::TestPinExampleHackAutoFixConsent::test_function_accepts_force_parameter

Initial Test Results

• Passed: 0
• Failed: 5

Fix Applied

Added force: bool = False parameter to _try_auto_fix_import_error() in both pdd/sync_orchestration.py and pdd/pin_example_hack.py. Before running pip install, the function now calls click.confirm() unless force=True. Updated callers in both files to pass through the force flag from the parent sync() function.

pdd fix Runs

Dev Unit	Result
sync_orchestration	Fixed (manual edit — no prompt file exists)
pin_example_hack	Fixed (manual edit — no prompt file exists)

Final Test Results

• Passed: 5
• Failed: 0

---

Proceeding to Step 2: E2E Test Check