The current command review path catches several risky patterns, but it mostly treats the submitted command as one string. A useful next leftover is to make the guard more reliable for compound shell input before expanding the rule set too far.
Scope:
- Parse or segment common shell operators such as
&&, ||, ;, pipes, subshells, and redirections enough to review each meaningful command segment.
- Preserve current JSON schema behavior while adding clearer matched rules and reasons for compound input.
- Add regression tests for mixed safe and risky commands, for example inspect-then-delete, chained install commands, redirection to sensitive paths, and commands hidden behind
sh -c or bash -c where feasible.
- Keep the implementation local and deterministic.
Acceptance criteria:
check and review still return the existing schema versions.- Risk from any dangerous segment raises the overall decision appropriately.
- Tests cover at least chained commands, pipes, redirection, and shell-wrapper commands.
Out of scope for this issue:
- Full shell execution, auto-fixing commands, cloud safety services, MCP integration, or a complete POSIX shell parser unless a small dependency is explicitly chosen later.
The current command review path catches several risky patterns, but it mostly treats the submitted command as one string. A useful next leftover is to make the guard more reliable for compound shell input before expanding the rule set too far.
Scope:
&&,||,;, pipes, subshells, and redirections enough to review each meaningful command segment.sh -corbash -cwhere feasible.Acceptance criteria:
checkandreviewstill return the existing schema versions.Out of scope for this issue: