@nathapp/nax 0.18.6 → 0.19.0

package/src/execution/runner.ts

@@ -15,6 +15,7 @@ import type { StoryMetrics } from "../metrics";
 import type { PipelineEventEmitter } from "../pipeline/events";
 import { countStories, isComplete } from "../prd";
 import type { UserStory } from "../prd";
+import { tryLlmBatchRoute } from "../routing/batch-route";
 import { clearCache as clearLlmCache, routeBatch as llmRouteBatch } from "../routing/strategies/llm";
 import { precomputeBatchPlan } from "./batching";
 import { stopHeartbeat, writeExitSummary } from "./crash-recovery";
@@ -25,25 +26,6 @@ export { resolveMaxAttemptsOutcome } from "./escalation";
 
 /** Run options */
 
-/**
- * Try LLM batch routing for ready stories. Logs and swallows errors (falls back to per-story routing).
- */
-async function tryLlmBatchRoute(config: NaxConfig, stories: UserStory[], label = "routing"): Promise<void> {
-  const mode = config.routing.llm?.mode ?? "hybrid";
-  if (config.routing.strategy !== "llm" || mode === "per-story" || stories.length === 0) return;
-  const logger = getSafeLogger();
-  try {
-    logger?.debug("routing", `LLM batch routing: ${label}`, { storyCount: stories.length, mode });
-    await llmRouteBatch(stories, { config });
-    logger?.debug("routing", "LLM batch routing complete", { label });
-  } catch (err) {
-    logger?.warn("routing", "LLM batch routing failed, falling back to individual routing", {
-      error: (err as Error).message,
-      label,
-    });
-  }
-}
-
 export interface RunOptions {
   /** Path to prd.json */
   prdPath: string;

package/src/execution/sequential-executor.ts

@@ -12,7 +12,7 @@ import type { PipelineContext, RoutingResult } from "../pipeline/types";
 import type { PluginRegistry } from "../plugins";
 import { generateHumanHaltSummary, getNextStory, isComplete, isStalled, loadPRD } from "../prd";
 import type { PRD, UserStory } from "../prd/types";
-import { routeTask } from "../routing";
+import { routeTask, tryLlmBatchRoute } from "../routing";
 import { captureGitRef } from "../utils/git";
 import type { StoryBatch } from "./batching";
 import { startHeartbeat, stopHeartbeat, writeExitSummary } from "./crash-recovery";

package/src/hooks/runner.ts

@@ -106,7 +106,7 @@ function buildEnv(ctx: HookContext): Record<string, string> {
  * @param command - Command string to check
  * @returns true if shell operators detected
  */
-function hasShellOperators(command: string): boolean {
+export function hasShellOperators(command: string): boolean {
   // Check for common shell operators that require shell interpretation
   const shellOperators = /[|&;$`<>(){}]/;
   return shellOperators.test(command);
@@ -117,7 +117,7 @@ function hasShellOperators(command: string): boolean {
  * @param command - Command string to validate
  * @throws Error if obvious injection pattern detected
  */
-function validateHookCommand(command: string): void {
+export function validateHookCommand(command: string): void {
   // Reject commands with obvious injection patterns
   const dangerousPatterns = [
     /\$\(.*\)/, // Command substitution $(...)

package/src/interaction/plugins/auto.ts

@@ -148,8 +148,8 @@ Stage: ${request.stage}
 Feature: ${request.featureName}
 ${request.storyId ? `Story: ${request.storyId}` : ""}
 
-Summary: ${request.summary}
-${request.detail ? `\nDetail: ${request.detail}` : ""}
+Summary: ${request.summary.replace(/`/g, "\\`").replace(/\$/g, "\\$")}
+${request.detail ? `\nDetail: ${request.detail.replace(/`/g, "\\`").replace(/\$/g, "\\$")}` : ""}
 `;
 
     if (request.options && request.options.length > 0) {

package/src/logger/logger.ts

@@ -1,4 +1,4 @@
-import { appendFileSync } from "node:fs";
+import { appendFileSync, mkdirSync } from "node:fs";
 import { type FormatterOptions, type VerbosityMode, formatLogEntry } from "../logging/index.js";
 import { formatConsole, formatJsonl } from "./formatters.js";
 import type { LogEntry, LogLevel, LoggerOptions, StoryLogger } from "./types.js";
@@ -64,7 +64,7 @@ export class Logger {
     try {
       const dir = this.filePath.substring(0, this.filePath.lastIndexOf("/"));
       if (dir) {
-        Bun.spawnSync(["mkdir", "-p", dir]);
+        mkdirSync(dir, { recursive: true });
       }
     } catch (error) {
       console.error(`[logger] Failed to create log directory: ${error}`);
@@ -149,9 +149,7 @@ export class Logger {
     if (!this.filePath) return;
 
     try {
-      const line = `${formatJsonl(entry)}\n`;
-      // Use Node.js fs for simple synchronous append
-      appendFileSync(this.filePath, line, "utf8");
+      appendFileSync(this.filePath, `${formatJsonl(entry)}\n`);
     } catch (error) {
       console.error(`[logger] Failed to write to log file: ${error}`);
     }

package/src/plugins/loader.ts

@@ -10,6 +10,7 @@
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import { getSafeLogger as _getSafeLoggerFromModule } from "../logger";
+import { validateModulePath } from "../utils/path-security";
 import { PluginRegistry } from "./registry";
 import type { NaxPlugin, PluginConfigEntry } from "./types";
 import { validatePlugin } from "./validator";
@@ -78,12 +79,13 @@ export async function loadPlugins(
   projectRoot?: string,
 ): Promise<PluginRegistry> {
   const loadedPlugins: LoadedPlugin[] = [];
+  const effectiveProjectRoot = projectRoot || projectDir;
   const pluginNames = new Set<string>();
 
   // 1. Load plugins from global directory
   const globalPlugins = await discoverPlugins(globalDir);
   for (const plugin of globalPlugins) {
-    const validated = await loadAndValidatePlugin(plugin.path, {});
+    const validated = await loadAndValidatePlugin(plugin.path, {}, [globalDir]);
     if (validated) {
       if (pluginNames.has(validated.name)) {
         const logger = getSafeLogger();
@@ -100,7 +102,7 @@ export async function loadPlugins(
   // 2. Load plugins from project directory
   const projectPlugins = await discoverPlugins(projectDir);
   for (const plugin of projectPlugins) {
-    const validated = await loadAndValidatePlugin(plugin.path, {});
+    const validated = await loadAndValidatePlugin(plugin.path, {}, [projectDir]);
     if (validated) {
       if (pluginNames.has(validated.name)) {
         const logger = getSafeLogger();
@@ -116,9 +118,14 @@ export async function loadPlugins(
 
   // 3. Load plugins from config entries
   for (const entry of configPlugins) {
-    // Resolve module path relative to project root for relative paths
-    const resolvedModule = resolveModulePath(entry.module, projectRoot);
-    const validated = await loadAndValidatePlugin(resolvedModule, entry.config ?? {}, entry.module);
+    // Resolve module path relative to effective project root for relative paths
+    const resolvedModule = resolveModulePath(entry.module, effectiveProjectRoot);
+    const validated = await loadAndValidatePlugin(
+      resolvedModule,
+      entry.config ?? {},
+      [globalDir, projectDir, effectiveProjectRoot].filter(Boolean),
+      entry.module,
+    );
     if (validated) {
       if (pluginNames.has(validated.name)) {
         const logger = getSafeLogger();
@@ -228,12 +235,32 @@ function resolveModulePath(modulePath: string, projectRoot?: string): string {
  * @returns Validated plugin or null if invalid
  */
 async function loadAndValidatePlugin(
-  modulePath: string,
+  initialModulePath: string,
   config: Record<string, unknown>,
+  allowedRoots: string[] = [],
   originalPath?: string,
 ): Promise<NaxPlugin | null> {
+  let attemptedPath = initialModulePath;
   try {
+    // SEC-1: Validate module path if it's a file path (not an npm package)
+    let modulePath = initialModulePath;
+    const isFilePath = modulePath.startsWith("/") || modulePath.startsWith("./") || modulePath.startsWith("../");
+
+    if (isFilePath && allowedRoots.length > 0) {
+      const validation = validateModulePath(modulePath, allowedRoots);
+      if (!validation.valid) {
+        const logger = getSafeLogger();
+        logger?.error("plugins", `Security: ${validation.error}`);
+        _pluginErrorSink(`[plugins] Security: ${validation.error}`);
+        return null;
+      }
+      // Use the normalized absolute path from the validator
+      const validatedPath = validation.absolutePath as string;
+      modulePath = validatedPath;
+    }
+
     // Import the module
+    attemptedPath = modulePath;
     const imported = await import(modulePath);
 
     // Try default export first, then named exports
@@ -258,7 +285,7 @@ async function loadAndValidatePlugin(
 
     return validated;
   } catch (error) {
-    const displayPath = originalPath || modulePath;
+    const displayPath = originalPath || initialModulePath;
     const errorMsg = error instanceof Error ? error.message : String(error);
     const logger = getSafeLogger();
 
@@ -266,14 +293,14 @@ async function loadAndValidatePlugin(
     if (errorMsg.includes("Cannot find module") || errorMsg.includes("ENOENT")) {
       const msg = `Failed to load plugin module '${displayPath}'`;
       logger?.error("plugins", msg);
-      logger?.error("plugins", `Attempted path: ${modulePath}`);
+      logger?.error("plugins", `Attempted path: ${attemptedPath}`);
       logger?.error(
         "plugins",
         "Ensure the module exists and the path is correct (relative paths are resolved from project root)",
       );
       // Always emit to sink so tests (and headless mode without logger) can capture output
       _pluginErrorSink(`[plugins] ${msg}`);
-      _pluginErrorSink(`[plugins] Attempted path: ${modulePath}`);
+      _pluginErrorSink(`[plugins] Attempted path: ${attemptedPath}`);
       _pluginErrorSink(
         "[plugins] Ensure the module exists and the path is correct (relative paths are resolved from project root)",
       );

package/src/routing/batch-route.ts

@@ -0,0 +1,32 @@
+/**
+ * LLM Batch Routing Helper
+ */
+
+import type { NaxConfig } from "../config";
+import { getSafeLogger } from "../logger";
+import type { UserStory } from "../prd";
+import { routeBatch as llmRouteBatch } from "./strategies/llm";
+
+/**
+ * Attempt to pre-route a batch of stories using LLM to optimize cost and consistency.
+ *
+ * @param config - Global config
+ * @param stories - Stories to route
+ * @param label - Label for logging
+ */
+export async function tryLlmBatchRoute(config: NaxConfig, stories: UserStory[], label = "routing"): Promise<void> {
+  const mode = config.routing.llm?.mode ?? "hybrid";
+  if (config.routing.strategy !== "llm" || mode === "per-story" || stories.length === 0) return;
+
+  const logger = getSafeLogger();
+  try {
+    logger?.debug("routing", `LLM batch routing: ${label}`, { storyCount: stories.length, mode });
+    await llmRouteBatch(stories, { config });
+    logger?.debug("routing", "LLM batch routing complete", { label });
+  } catch (err) {
+    logger?.warn("routing", "LLM batch routing failed, falling back to individual routing", {
+      error: (err as Error).message,
+      label,
+    });
+  }
+}

package/src/routing/index.ts

@@ -14,3 +14,4 @@ export { keywordStrategy, llmStrategy, manualStrategy } from "./strategies";
 
 // Custom strategy loader
 export { loadCustomStrategy } from "./loader";
+export { tryLlmBatchRoute } from "./batch-route";

package/src/routing/loader.ts

@@ -5,6 +5,7 @@
  */
 
 import { resolve } from "node:path";
+import { validateModulePath } from "../utils/path-security";
 import type { RoutingStrategy } from "./strategy";
 
 /**
@@ -27,6 +28,12 @@ import type { RoutingStrategy } from "./strategy";
 export async function loadCustomStrategy(strategyPath: string, workdir: string): Promise<RoutingStrategy> {
   const absolutePath = resolve(workdir, strategyPath);
 
+  // SEC-2: Validate path against workdir root
+  const validation = validateModulePath(absolutePath, [workdir]);
+  if (!validation.valid) {
+    throw new Error(`Security: ${validation.error}`);
+  }
+
   try {
     // Dynamic import (works with both .ts and .js files in Bun)
     const module = await import(absolutePath);

package/src/utils/path-security.ts

@@ -0,0 +1,56 @@
+/**
+ * Path security utilities for nax (SEC-1, SEC-2).
+ */
+
+import { isAbsolute, join, normalize, resolve } from "node:path";
+
+/**
+ * Result of a path validation.
+ */
+export interface PathValidationResult {
+  /** Whether the path is valid and allowed */
+  valid: boolean;
+  /** The absolute, normalized path (if valid) */
+  absolutePath?: string;
+  /** Error message if invalid */
+  error?: string;
+}
+
+/**
+ * Validates that a module path is within an allowed root directory.
+ *
+ * @param modulePath - The user-provided path to validate (relative or absolute)
+ * @param allowedRoots - Array of absolute paths that are allowed as roots
+ * @returns Validation result
+ */
+export function validateModulePath(modulePath: string, allowedRoots: string[]): PathValidationResult {
+  if (!modulePath) {
+    return { valid: false, error: "Module path is empty" };
+  }
+
+  const normalizedRoots = allowedRoots.map((r) => resolve(r));
+
+  // If absolute, just check against roots
+  if (isAbsolute(modulePath)) {
+    const absoluteTarget = normalize(modulePath);
+    const isWithin = normalizedRoots.some((root) => {
+      return absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root;
+    });
+    if (isWithin) {
+      return { valid: true, absolutePath: absoluteTarget };
+    }
+  } else {
+    // If relative, check if it's within any root when resolved relative to that root
+    for (const root of normalizedRoots) {
+      const absoluteTarget = resolve(join(root, modulePath));
+      if (absoluteTarget.startsWith(`${root}/`) || absoluteTarget === root) {
+        return { valid: true, absolutePath: absoluteTarget };
+      }
+    }
+  }
+
+  return {
+    valid: false,
+    error: `Path "${modulePath}" is outside allowed roots`,
+  };
+}

package/src/verification/executor.ts

@@ -85,15 +85,13 @@ export async function executeWithTimeout(
   });
 
   const timeoutMs = timeoutSeconds * 1000;
-  let timeoutId: Timer | null = null;
+
   let timedOut = false;
 
-  const timeoutPromise = new Promise<void>((resolve) => {
-    timeoutId = setTimeout(() => {
-      timedOut = true;
-      resolve();
-    }, timeoutMs);
-  });
+  const timeoutPromise = (async () => {
+    await Bun.sleep(timeoutMs);
+    timedOut = true;
+  })();
 
   const processPromise = proc.exited;
 
@@ -115,7 +113,7 @@ export async function executeWithTimeout(
     }
 
     // Wait for graceful shutdown
-    await new Promise((resolve) => setTimeout(resolve, gracePeriodMs));
+    await Bun.sleep(gracePeriodMs);
 
     // Force SIGKILL entire process group if still running
     try {
@@ -142,11 +140,6 @@ export async function executeWithTimeout(
     };
   }
 
-  // Clear timeout if process finished in time
-  if (timeoutId) {
-    clearTimeout(timeoutId);
-  }
-
   const exitCode = raceResult as number;
   const stdout = await new Response(proc.stdout).text();
   const stderr = await new Response(proc.stderr).text();

package/test/integration/plugins/config-resolution.test.ts

@@ -230,7 +230,7 @@ describe("Plugin config path resolution (US-007)", () => {
       expect(registry.plugins[0].name).toBe("relative-plugin");
     });
 
-    test("resolves ../relative/path from project root", async () => {
+    test("blocks ../ traversal outside project root (SEC-1/SEC-2)", async () => {
       const projectRoot = path.join(tempDir, "project");
       const pluginDir = path.join(tempDir, "shared-plugins");
       await fs.mkdir(projectRoot, { recursive: true });
@@ -271,8 +271,8 @@ describe("Plugin config path resolution (US-007)", () => {
         projectRoot,
       );
 
-      expect(registry.plugins).toHaveLength(1);
-      expect(registry.plugins[0].name).toBe("parent-relative-plugin");
+      // SEC-1/SEC-2: traversal outside project root is blocked
+      expect(registry.plugins).toHaveLength(0);
     });
   });
 

package/test/integration/plugins/loader.test.ts

@@ -379,6 +379,7 @@ describe("loadPlugins", () => {
         path.join(tempDir, "nonexistent"),
         path.join(tempDir, "nonexistent"),
         configPlugins,
+        tempDir,
       );
 
       expect(registry.plugins).toHaveLength(1);
@@ -428,6 +429,7 @@ export default {
         path.join(tempDir, "nonexistent"),
         path.join(tempDir, "nonexistent"),
         configPlugins,
+        tempDir,
       );
 
       expect(registry.plugins).toHaveLength(1);
@@ -574,7 +576,7 @@ export default {
         },
       ];
 
-      const registry = await loadPlugins(globalDir, projectDir, configPlugins);
+      const registry = await loadPlugins(globalDir, projectDir, configPlugins, tempDir);
 
       expect(registry.plugins).toHaveLength(3);
       expect(registry.plugins[0].name).toBe("global");

package/test/integration/precheck-integration.test.ts

@@ -114,21 +114,23 @@ describe("Precheck Integration with nax run", () => {
    * Helper to read JSONL log and parse precheck entry
    */
   async function readPrecheckLog(logFilePath: string): Promise<any | null> {
-    const logFile = Bun.file(logFilePath);
-    if (!(await logFile.exists())) {
-      return null;
-    }
+    const { existsSync, readFileSync } = await import("node:fs");
+    if (!existsSync(logFilePath)) return null;
 
-    const content = await logFile.text();
-    const lines = content.trim().split("\n");
+    const content = readFileSync(logFilePath, "utf8");
+    if (!content.trim()) return null;
 
+    const lines = content.trim().split("\n");
     for (const line of lines) {
-      const entry = JSON.parse(line);
-      if (entry.type === "precheck") {
-        return entry;
+      try {
+        const entry = JSON.parse(line);
+        if (entry.type === "precheck") return entry;
+      } catch {
+        // ignore
       }
     }
 
+    console.log(`[DEBUG] precheckLog not found. Content=<<<${content}>>>`);
     return null;
   }
 
@@ -183,7 +185,8 @@ describe("Precheck Integration with nax run", () => {
       expect(result.success).toBe(true);
 
       // Verify precheck was NOT logged to JSONL
-      const precheckLog = await readPrecheckLog(logFilePath);
+      console.log(`[DEBUG] TEST READING FROM: ${logFilePath}`);
+    const precheckLog = await readPrecheckLog(logFilePath);
       expect(precheckLog).toBeNull();
     } finally {
       rmSync(nonGitDir, { recursive: true, force: true });
@@ -225,6 +228,7 @@ describe("Precheck Integration with nax run", () => {
     });
 
     // Verify precheck was logged to JSONL (AC5)
+    console.log(`[DEBUG] TEST READING FROM: ${logFilePath}`);
     const precheckLog = await readPrecheckLog(logFilePath);
     expect(precheckLog).not.toBeNull();
     expect(precheckLog.type).toBe("precheck");
@@ -302,7 +306,8 @@ describe("Precheck Integration with nax run", () => {
       }
 
       // Verify precheck failure was logged (AC5)
-      const precheckLog = await readPrecheckLog(logFilePath);
+      console.log(`[DEBUG] TEST READING FROM: ${logFilePath}`);
+    const precheckLog = await readPrecheckLog(logFilePath);
       expect(precheckLog).not.toBeNull();
       expect(precheckLog.passed).toBe(false);
       expect(precheckLog.blockers.length).toBeGreaterThan(0);
@@ -355,6 +360,7 @@ describe("Precheck Integration with nax run", () => {
     expect(result.success).toBe(true);
 
     // Verify precheck passed (may have warnings)
+    console.log(`[DEBUG] TEST READING FROM: ${logFilePath}`);
     const precheckLog = await readPrecheckLog(logFilePath);
     expect(precheckLog).not.toBeNull();
     expect(precheckLog.passed).toBe(true);
@@ -396,6 +402,7 @@ describe("Precheck Integration with nax run", () => {
     });
 
     // Verify precheck entry structure
+    console.log(`[DEBUG] TEST READING FROM: ${logFilePath}`);
     const precheckLog = await readPrecheckLog(logFilePath);
     expect(precheckLog).not.toBeNull();
     expect(precheckLog.type).toBe("precheck");

package/test/integration/security-loader.test.ts

@@ -0,0 +1,83 @@
+import { describe, expect, test, beforeEach, afterEach } from "bun:test";
+import { loadPlugins, _setPluginErrorSink, _resetPluginErrorSink } from "../../src/plugins/loader";
+import { loadCustomStrategy } from "../../src/routing/loader";
+import { resolve } from "node:path";
+import * as fs from "node:fs/promises";
+
+describe("Loader Security (SEC-1, SEC-2)", () => {
+  const projectRoot = "/tmp/nax-sec-test-" + Date.now();
+  const projectPluginsDir = resolve(projectRoot, "nax/plugins");
+  const globalPluginsDir = resolve(projectRoot, ".nax/plugins");
+  
+  let capturedErrors: string[] = [];
+
+  beforeEach(async () => {
+    await fs.mkdir(projectPluginsDir, { recursive: true });
+    await fs.mkdir(globalPluginsDir, { recursive: true });
+    capturedErrors = [];
+    _setPluginErrorSink((msg: string) => capturedErrors.push(msg));
+  });
+
+  afterEach(async () => {
+    await fs.rm(projectRoot, { recursive: true, force: true });
+    _resetPluginErrorSink();
+  });
+
+  test("SEC-1: Blocks plugin load from outside allowed roots", async () => {
+    // Attempt to load from /etc/passwd (outside project/global roots)
+    const configPlugins = [{ module: "/etc/passwd", config: {} }];
+    
+    const registry = await loadPlugins(
+      globalPluginsDir,
+      projectPluginsDir,
+      configPlugins,
+      projectRoot
+    );
+
+    expect(registry.plugins).toHaveLength(0);
+    expect(capturedErrors.some(err => err.includes("Security: Path \"/etc/passwd\" is outside allowed roots"))).toBe(true);
+  });
+
+  test("SEC-1: Allows plugin load from project directory", async () => {
+    // Create a dummy plugin in project directory
+    const pluginPath = resolve(projectPluginsDir, "test-plugin.ts");
+    await fs.writeFile(pluginPath, `
+      export default {
+        name: "test-plugin",
+        version: "1.0.0",
+        provides: ["reporter"],
+        setup: async () => {},
+        extensions: {
+          reporter: {
+            name: "test-reporter",
+            description: "A test reporter",
+            onRunStart: async () => {},
+            onStoryComplete: async () => {},
+            onRunEnd: async () => {}
+          }
+        }
+      } as any;
+    `);
+
+    const registry = await loadPlugins(
+      globalPluginsDir,
+      projectPluginsDir,
+      [],
+      projectRoot
+    );
+
+    if (registry.plugins.length === 0) { console.log('Captured Errors:', capturedErrors); }
+    expect(registry.plugins).toHaveLength(1);
+    expect(registry.plugins[0].name).toBe("test-plugin");
+  });
+
+  test("SEC-2: Blocks custom routing strategy from outside project root", async () => {
+    // Attempt to load from /etc/passwd (outside project root)
+    try {
+      await loadCustomStrategy("/etc/passwd", projectRoot);
+      throw new Error("Should have failed");
+    } catch (error) {
+      expect(error.message).toContain("Security: Path \"/etc/passwd\" is outside allowed roots");
+    }
+  });
+});

package/test/unit/formatters.test.ts

@@ -44,9 +44,8 @@ describe("formatConsole", () => {
 
     const output = formatConsole(entry);
 
-    // Should not contain brackets around storyId
-    const bracketCount = (output.match(/\[/g) || []).length;
-    expect(bracketCount).toBe(2); // Only timestamp and stage
+    // Visibility test instead of raw bracket count (avoid ANSI issues)
+    expect(output).not.toContain("[user-auth-001]");
   });
 
   test("formats data as pretty JSON on new line", () => {

package/test/unit/hooks/shell-security.test.ts

@@ -0,0 +1,40 @@
+import { describe, expect, test } from "bun:test";
+// Access internal functions for testing
+// @ts-ignore
+import { hasShellOperators, validateHookCommand } from "../../../src/hooks/runner";
+
+describe("Hook Shell Security (SEC-3)", () => {
+  test("hasShellOperators detects backticks", () => {
+    // @ts-ignore
+    expect(hasShellOperators("echo `whoami`")).toBe(true);
+  });
+
+  test("hasShellOperators detects pipes and redirects", () => {
+    // @ts-ignore
+    expect(hasShellOperators("echo hi | grep h")).toBe(true);
+    // @ts-ignore
+    expect(hasShellOperators("echo hi > file.txt")).toBe(true);
+  });
+
+  test("validateHookCommand blocks backtick substitution", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo `whoami`")).toThrow(/dangerous pattern/);
+  });
+
+  test("validateHookCommand blocks $(...) substitution", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo $(whoami)")).toThrow(/dangerous pattern/);
+  });
+
+  test("validateHookCommand blocks eval", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("eval 'echo hi'")).toThrow(/dangerous pattern/);
+  });
+
+  test("allows safe commands", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo 'Hello World'")).not.toThrow();
+    // @ts-ignore
+    expect(() => validateHookCommand("bun test")).not.toThrow();
+  });
+});