@in-the-loop-labs/pair-review 1.4.1 → 1.4.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@in-the-loop-labs/pair-review",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "description": "Your AI-powered code review partner - Close the feedback loop with AI coding agents",
   "main": "src/server.js",
   "bin": {

package/plugin/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "pair-review",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "description": "pair-review app integration — Open PRs and local changes in the pair-review web UI, run server-side AI analysis, and address review feedback. Requires the pair-review MCP server.",
   "author": {
     "name": "in-the-loop-labs",

package/plugin-code-critic/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "code-critic",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "description": "AI-powered code review analysis — Run three-level AI analysis and implement-review-fix loops directly in your coding agent. Works standalone, no server required.",
   "author": {
     "name": "in-the-loop-labs",

package/public/js/index.js

@@ -460,7 +460,9 @@
   // ─── Local Review Start ─────────────────────────────────────────────────────
 
   /**
-   * Handle start local review form submission
+   * Handle start local review form submission.
+   * Navigates to the setup page which shows step-by-step progress,
+   * matching the flow used when reviews are started from the MCP/CLI.
    * @param {Event} event - Form submit event
    */
   async function handleStartLocal(event) {
@@ -479,29 +481,9 @@
       return;
     }
 
-    setFormLoading('local', true, 'Starting local review...');
-
-    try {
-      const response = await fetch('/api/local/start', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ path: pathValue })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to start local review');
-      }
-
-      setFormLoading('local', true, 'Redirecting to review...');
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting local review:', error);
-      setFormLoading('local', false);
-      showError('local', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the setup page which shows step-by-step progress
+    // The /local?path= route serves setup.html which handles the full setup flow
+    window.location.href = '/local?path=' + encodeURIComponent(pathValue);
   }
 
   // ─── Browse Directory ──────────────────────────────────────────────────────
@@ -849,7 +831,10 @@
   }
 
   /**
-   * Handle start review form submission
+   * Handle start review form submission.
+   * Parses the PR URL, then navigates to the PR route which serves the
+   * setup page with step-by-step progress for new PRs, or the review page
+   * directly for PRs that already exist in the database.
    * @param {Event} event - Form submit event
    */
   async function handleStartReview(event) {
@@ -881,44 +866,9 @@
       return;
     }
 
-    // Update loading state
-    setFormLoading('pr', true, 'Fetching PR data from GitHub...');
-
-    try {
-      // Call the API to create the worktree
-      const response = await fetch('/api/worktrees/create', {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify({
-          owner: parsed.owner,
-          repo: parsed.repo,
-          prNumber: parsed.prNumber
-        })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      if (!data.success) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      // Update loading text before redirect
-      setFormLoading('pr', true, 'Redirecting to review...');
-
-      // Redirect to the review page
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting review:', error);
-      setFormLoading('pr', false);
-      showError('pr', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the PR route which serves setup.html (with step-by-step progress)
+    // for new PRs, or pr.html directly for PRs already in the database
+    window.location.href = '/pr/' + encodeURIComponent(parsed.owner) + '/' + encodeURIComponent(parsed.repo) + '/' + encodeURIComponent(parsed.prNumber);
   }
 
   // ─── Config & Command Examples ──────────────────────────────────────────────
@@ -1068,4 +1018,17 @@
     // natively triggers form submission.
   });
 
+  // ─── bfcache Restoration ───────────────────────────────────────────────────
+
+  // When the browser restores this page from bfcache (e.g. user hits the back
+  // button after navigating away), any in-progress loading state on the forms
+  // will still be visible because the DOM snapshot is preserved as-is.  Reset
+  // both forms so the user is not stuck with a disabled input and spinner.
+  window.addEventListener('pageshow', function (event) {
+    if (event.persisted) {
+      setFormLoading('pr', false);
+      setFormLoading('local', false);
+    }
+  });
+
 })();

package/src/ai/claude-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -178,7 +178,7 @@ class ClaudeProvider extends AIProvider {
 
     if (this.useShell) {
       const allArgs = [...baseArgs, ...extraArgs];
-      this.command = `${claudeCmd} ${this._quoteShellArgs(allArgs).join(' ')}`;
+      this.command = `${claudeCmd} ${quoteShellArgs(allArgs).join(' ')}`;
       this.args = [];
     } else {
       this.command = claudeCmd;
@@ -186,28 +186,6 @@ class ClaudeProvider extends AIProvider {
     }
   }
 
-  /**
-   * Quote shell-sensitive arguments for safe shell execution.
-   * Any arg containing characters that could be interpreted by the shell
-   * (brackets, parentheses, commas, etc.) is wrapped in single quotes
-   * with internal single quotes escaped using the POSIX pattern.
-   *
-   * @param {string[]} args - Array of CLI arguments
-   * @returns {string[]} Args with shell-sensitive values quoted
-   * @private
-   */
-  _quoteShellArgs(args) {
-    return args.map((arg, i) => {
-      const prevArg = args[i - 1];
-      if (prevArg === '--allowedTools' || prevArg === '--model') {
-        if (/[][*?(){}$!&|;<>,\s']/.test(arg)) {
-          return `'${arg.replace(/'/g, "'\\''")}'`;
-        }
-      }
-      return arg;
-    });
-  }
-
   /**
    * Resolve model configuration by looking up built-in and config override definitions.
    * Consolidates the CLAUDE_MODELS.find() and configOverrides.models.find() lookups
@@ -486,7 +464,7 @@ class ClaudeProvider extends AIProvider {
     const args = ['-p', ...cliModelArgs, ...extraArgs];
 
     if (useShell) {
-      const quotedArgs = this._quoteShellArgs(args);
+      const quotedArgs = quoteShellArgs(args);
       return {
         command: `${claudeCmd} ${quotedArgs.join(' ')}`,
         args: [],

package/src/ai/codex-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -22,8 +22,8 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Based on OpenAI Codex Models guide (developers.openai.com/codex/models)
  * - gpt-5.1-codex-mini: Smaller, cost-effective variant for quick scans
- * - gpt-5.1-codex-max: Optimized for long-horizon agentic coding tasks
- * - gpt-5.2-codex: Most advanced agentic coding model for real-world engineering
+ * - gpt-5.2-codex: Advanced coding model for everyday reviews, good reasoning/cost balance
+ * - gpt-5.3-codex: Most capable agentic coding model with frontier performance and reasoning
  */
 const CODEX_MODELS = [
   {
@@ -36,21 +36,21 @@ const CODEX_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Strong everyday reviewer—quality + speed for PR-sized changes and practical suggestions.',
+    description: 'Strong everyday reviewer—good reasoning and code understanding for PR-sized changes without top-tier cost.',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.2-codex',
-    name: 'GPT-5.2',
+    id: 'gpt-5.3-codex',
+    name: 'GPT-5.3 Codex',
     tier: 'thorough',
     tagline: 'Deep Review',
-    description: 'Most capable for complex diffs—finds subtle issues, reasons across files, and proposes step-by-step fixes.',
+    description: 'Most capable agentic coding model—combines frontier coding performance with stronger reasoning for deep cross-file analysis.',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -65,7 +65,7 @@ class CodexProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gpt-5.1-codex-max', configOverrides = {}) {
+  constructor(model = 'gpt-5.2-codex', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -116,7 +116,7 @@ class CodexProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${codexCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${codexCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = codexCmd;
@@ -577,7 +577,7 @@ class CodexProvider extends AIProvider {
 
     if (useShell) {
       return {
-        command: `${codexCmd} ${args.join(' ')}`,
+        command: `${codexCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -676,7 +676,7 @@ class CodexProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gpt-5.1-codex-max';
+    return 'gpt-5.2-codex';
   }
 
   static getInstallInstructions() {

package/src/ai/copilot-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -21,42 +21,63 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * GitHub Copilot CLI supports multiple AI models including OpenAI,
  * Anthropic, and Google models via the --model flag.
+ * Available models (as of Feb 2026): claude-haiku-4.5, claude-sonnet-4.5,
+ * gemini-3-pro-preview, gpt-5.2-codex, claude-opus-4.5,
+ * claude-opus-4.6. Default is claude-sonnet-4.5.
  */
 const COPILOT_MODELS = [
   {
-    id: 'gpt-5.1-codex-mini',
-    name: 'GPT-5.1 Mini',
+    id: 'claude-haiku-4.5',
+    name: 'Claude Haiku 4.5',
     tier: 'fast',
     tagline: 'Quick Scan',
-    description: 'Rapid feedback for obvious issues and style checks',
+    description: 'Rapid feedback for obvious issues, style checks, and simple logic errors',
     badge: 'Speedy',
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gemini-3-pro-preview',
-    name: 'Gemini 3 Pro',
+    id: 'claude-sonnet-4.5',
+    name: 'Claude Sonnet 4.5',
     tier: 'balanced',
     tagline: 'Reliable Review',
-    description: 'Solid everyday reviews with good coverage',
+    description: 'Copilot default—strong code understanding with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
-    tier: 'thorough',
-    tagline: 'Deep Analysis',
-    description: 'Comprehensive reviews for complex changes',
-    badge: 'Thorough',
-    badgeClass: 'badge-power'
+    id: 'gemini-3-pro-preview',
+    name: 'Gemini 3 Pro',
+    tier: 'balanced',
+    tagline: 'Strong Alternative',
+    description: "Google's most capable model—strong reasoning for cross-file analysis",
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
+    tier: 'balanced',
+    tagline: 'Alternative View',
+    description: 'OpenAI code-specialized model—different perspective for cross-file analysis',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
   },
   {
     id: 'claude-opus-4.5',
     name: 'Claude Opus 4.5',
-    tier: 'premium',
-    tagline: 'Ultimate Review',
-    description: 'The most capable model for critical code reviews',
+    tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Highly capable model for critical code reviews—strong reasoning for security and architecture',
+    badge: 'Premium',
+    badgeClass: 'badge-premium'
+  },
+  {
+    id: 'claude-opus-4.6',
+    name: 'Claude Opus 4.6',
+    tier: 'thorough',
+    tagline: 'Most Capable',
+    description: 'Most capable model for critical code reviews—deep reasoning for security and architecture',
     badge: 'Premium',
     badgeClass: 'badge-premium'
   }
@@ -71,7 +92,7 @@ class CopilotProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gemini-3-pro-preview', configOverrides = {}) {
+  constructor(model = 'claude-sonnet-4.5', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -191,7 +212,7 @@ class CopilotProvider extends AIProvider {
         // Escape the prompt for shell
         const escapedPrompt = prompt.replace(/'/g, "'\\''");
         // Build: copilot --model X --deny-tool ... -s -p 'prompt'
-        fullCommand = `${this.command} ${this.baseArgs.join(' ')} -p '${escapedPrompt}'`;
+        fullCommand = `${this.command} ${quoteShellArgs(this.baseArgs).join(' ')} -p '${escapedPrompt}'`;
         fullArgs = [];
       } else {
         // Build args array: --model X --deny-tool ... -s -p <prompt>
@@ -359,7 +380,7 @@ class CopilotProvider extends AIProvider {
     // Use stdin for prompt - safer than command args for arbitrary content
     if (useShell) {
       return {
-        command: `${copilotCmd} ${args.join(' ')}`,
+        command: `${copilotCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -441,7 +462,7 @@ class CopilotProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gemini-3-pro-preview';
+    return 'claude-sonnet-4.5';
   }
 
   static getInstallInstructions() {

package/src/ai/cursor-agent-provider.js

@@ -16,7 +16,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -30,9 +30,9 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Tier structure:
  * - free (auto): Cursor's default auto-routing model
- * - fast (gpt-5.2-codex-fast): Quick code-specialized analysis
- * - balanced (sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
- * - thorough (gpt-5.2-codex-high, opus-4.5-thinking): Deep analysis for complex code
+ * - fast (composer-1, gpt-5.3-codex-fast, gemini-3-flash): Quick analysis
+ * - balanced (composer-1.5, sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
+ * - thorough (gpt-5.3-codex-high, opus-4.5-thinking, opus-4.6-thinking): Deep analysis for complex code
  */
 const CURSOR_AGENT_MODELS = [
   {
@@ -45,20 +45,47 @@ const CURSOR_AGENT_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.2-codex-fast',
-    name: 'GPT-5.2 Codex Fast',
+    id: 'composer-1.5',
+    name: 'Composer 1.5',
+    tier: 'balanced',
+    tagline: 'Latest Composer',
+    description: 'Cursor Composer model—positioned between Sonnet and Opus for multi-file edits',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'composer-1',
+    name: 'Composer 1',
+    tier: 'fast',
+    tagline: 'Original Composer',
+    description: 'Cursor Composer model—good for quick multi-file editing workflows',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
+  {
+    id: 'gpt-5.3-codex-fast',
+    name: 'GPT-5.3 Codex Fast',
     tier: 'fast',
     tagline: 'Lightning Fast',
-    description: 'Quick code-specialized analysis for simple changes',
+    description: 'Latest code-specialized model optimized for speed—quick scans for obvious issues',
     badge: 'Fastest',
     badgeClass: 'badge-speed'
   },
+  {
+    id: 'gemini-3-flash',
+    name: 'Gemini 3 Flash',
+    tier: 'fast',
+    tagline: 'Fast & Capable',
+    description: 'High SWE-bench scores at a fraction of the cost—great for quick reviews',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
   {
     id: 'sonnet-4.5-thinking',
     name: 'Claude 4.5 Sonnet (Thinking)',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Extended thinking for thorough analysis',
+    description: 'Extended thinking for thorough analysis with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
@@ -68,16 +95,16 @@ const CURSOR_AGENT_MODELS = [
     name: 'Gemini 3 Pro',
     tier: 'balanced',
     tagline: 'Strong Alternative',
-    description: "Google's flagship model for code review",
+    description: "Google's flagship model for code review—strong agentic and vibe coding capabilities",
     badge: 'Balanced',
     badgeClass: 'badge-balanced'
   },
   {
-    id: 'gpt-5.2-codex-high',
-    name: 'GPT-5.2 Codex High',
+    id: 'gpt-5.3-codex-high',
+    name: 'GPT-5.3 Codex High',
     tier: 'thorough',
     tagline: 'Deep Code Analysis',
-    description: "OpenAI's best for complex code review",
+    description: "OpenAI's latest and most capable for complex code review with deep reasoning",
     badge: 'Thorough',
     badgeClass: 'badge-power'
   },
@@ -85,8 +112,17 @@ const CURSOR_AGENT_MODELS = [
     id: 'opus-4.5-thinking',
     name: 'Claude 4.5 Opus (Thinking)',
     tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Deep analysis with extended thinking for complex code reviews',
+    badge: 'Thorough',
+    badgeClass: 'badge-power'
+  },
+  {
+    id: 'opus-4.6-thinking',
+    name: 'Claude 4.6 Opus (Thinking)',
+    tier: 'thorough',
     tagline: 'Most Capable',
-    description: 'Deep analysis with extended thinking for complex code',
+    description: 'Deep analysis with extended thinking—Cursor default for maximum review quality',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -159,7 +195,7 @@ class CursorAgentProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${agentCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${agentCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = agentCmd;
@@ -662,7 +698,7 @@ class CursorAgentProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${agentCmd} ${args.join(' ')}`,
+        command: `${agentCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/gemini-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -25,7 +25,7 @@ const GEMINI_MODELS = [
     name: '3.0 Flash',
     tier: 'fast',
     tagline: 'Rapid Sanity Check',
-    description: 'Best for catching syntax, typos, and simple logic errors',
+    description: 'Fast and capable at a fraction of the cost of larger models',
     badge: 'Quick Look',
     badgeClass: 'badge-speed'
   },
@@ -34,7 +34,7 @@ const GEMINI_MODELS = [
     name: '2.5 Pro',
     tier: 'balanced',
     tagline: 'Standard PR Review',
-    description: 'Reliable feedback on code style, features, and refactoring',
+    description: 'Strong reasoning with large context window—reliable for everyday code reviews',
     badge: 'Daily Driver',
     badgeClass: 'badge-recommended',
     default: true
@@ -44,7 +44,7 @@ const GEMINI_MODELS = [
     name: '3.0 Pro',
     tier: 'thorough',
     tagline: 'Architectural Audit',
-    description: 'Deep analysis for race conditions, security, and edge cases',
+    description: 'Most intelligent Gemini model—advanced reasoning for deep architectural analysis',
     badge: 'Deep Dive',
     badgeClass: 'badge-power'
   }
@@ -156,16 +156,9 @@ class GeminiProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      // Quote the allowed-tools value to prevent shell interpretation of special characters
+      // Quote all args to prevent shell interpretation of special characters
       // (commas, parentheses in patterns like "run_shell_command(git diff)")
-      const quotedBaseArgs = baseArgs.map((arg, i) => {
-        // The allowed-tools value follows the --allowed-tools flag
-        if (baseArgs[i - 1] === '--allowed-tools') {
-          return `'${arg}'`;
-        }
-        return arg;
-      });
-      this.command = `${geminiCmd} ${[...quotedBaseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${geminiCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = geminiCmd;
@@ -616,7 +609,7 @@ class GeminiProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${geminiCmd} ${args.join(' ')}`,
+        command: `${geminiCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/opencode-provider.js

@@ -13,7 +13,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -114,7 +114,7 @@ class OpenCodeProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.opencodeCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.opencodeCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.opencodeCmd;
@@ -554,7 +554,7 @@ class OpenCodeProvider extends AIProvider {
     // OpenCode reads from stdin when no positional message arguments are provided
     if (useShell) {
       return {
-        command: `${opencodeCmd} ${args.join(' ')}`,
+        command: `${opencodeCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/pi-provider.js

@@ -18,7 +18,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -253,7 +253,7 @@ class PiProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.piCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.piCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.piCmd;
@@ -745,7 +745,7 @@ class PiProvider extends AIProvider {
     // Pi reads from stdin when using -p with no positional message arguments
     if (useShell) {
       return {
-        command: `${piCmd} ${args.join(' ')}`,
+        command: `${piCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true,

package/src/ai/provider.js

@@ -14,6 +14,24 @@ const { extractJSON } = require('../utils/json-extractor');
 // Directory containing bin scripts (git-diff-lines, etc.)
 const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
 
+/**
+ * Quote shell-sensitive arguments for safe shell execution.
+ * Any arg containing characters that could be interpreted by the shell
+ * (brackets, parentheses, commas, etc.) is wrapped in single quotes
+ * with internal single quotes escaped using the POSIX pattern.
+ *
+ * @param {string[]} args - Array of CLI arguments
+ * @returns {string[]} Args with shell-sensitive values quoted
+ */
+function quoteShellArgs(args) {
+  return args.map(arg => {
+    if (/[[\]*?(){}$!&|;<>,\s'"\\`#~]/.test(arg)) {
+      return `'${arg.replace(/'/g, "'\\''")}'`;
+    }
+    return arg;
+  });
+}
+
 /**
  * Model tier definitions - provider-agnostic tiers that map to specific models
  */
@@ -639,6 +657,7 @@ async function testProviderAvailability(providerId, timeout = 10000) {
 module.exports = {
   AIProvider,
   MODEL_TIERS,
+  quoteShellArgs,
   registerProvider,
   getProviderClass,
   getRegisteredProviderIds,