@nathapp/nax 0.18.6 → 0.20.0

package/docs/ROADMAP.md

@@ -224,6 +224,8 @@
 - [x] **BUG-032:** Routing stage overrides escalated `modelTier` with complexity-derived tier. `src/pipeline/stages/routing.ts:43` always runs `complexityToModelTier(routing.complexity, config)` even when `story.routing.modelTier` was explicitly set by `handleTierEscalation()`. BUG-026 was escalated to `balanced` (logged in iteration header), but `Task classified` shows `modelTier=fast` because `complexityToModelTier("simple", config)` → `"fast"`. Related to BUG-013 (escalation routing not applied) which was marked fixed, but the fix in `applyCachedRouting()` in `pipeline-result-handler.ts:295-310` runs **after** the routing stage — too late. **Location:** `src/pipeline/stages/routing.ts:43`. **Fix:** When `story.routing.modelTier` is explicitly set (by escalation), skip `complexityToModelTier()` and use the cached tier directly. Only derive from complexity when `story.routing.modelTier` is absent.
 - [x] **BUG-033:** LLM routing has no retry on timeout — single attempt with hardcoded 15s default. All 5 LLM routing attempts in the v0.18.3 run timed out at 15s, forcing keyword fallback every time. `src/routing/strategies/llm.ts:63` reads `llmConfig?.timeoutMs ?? 15000` but there's no retry logic — one timeout = immediate fallback. **Location:** `src/routing/strategies/llm.ts:callLlm()`. **Fix:** Add `routing.llm.retries` config (default: 1) with backoff. Also surface `routing.llm.timeoutMs` in `nax config --explain` and consider raising default to 30s for batch routing which processes multiple stories.
 
+- [ ] **BUG-037:** Test output summary (verify stage) captures precheck boilerplate instead of actual `bun test` failure. **Symptom:** Logs show successful prechecks (Head) instead of failed tests (Tail). **Fix:** Change `Test output preview` log to tail the last 20 lines of output instead of heading the first 10.
+- [ ] **BUG-038:** `smart-runner` over-matching when global defaults change. **Symptom:** Changing `DEFAULT_CONFIG` matches broad integration tests that fail due to environment/precheck side effects, obscuring targeted results. **Fix:** Refine path mapping to prioritize direct unit tests and exclude known heavy integration tests from default smart-runner matches unless explicitly relevant.
 ### Features
 - [x] ~~`nax unlock` command~~
 - [x] ~~Constitution file support~~

package/nax/config.json

@@ -59,7 +59,7 @@
     "maxIterations": 6,
     "iterationDelayMs": 2000,
     "costLimit": 8.0,
-    "sessionTimeoutSeconds": 600,
+    "sessionTimeoutSeconds": 7200,
     "verificationTimeoutSeconds": 300,
     "maxStoriesPerFeature": 15,
     "rectification": {
@@ -147,4 +147,4 @@
       "scopeToStory": true
     }
   }
-}
+}

package/nax/features/nax-compliance/prd.json

@@ -0,0 +1,52 @@
+{
+  "project": "@nathapp/nax",
+  "feature": "nax-compliance",
+  "branchName": "feat/v0.19.0-sec",
+  "createdAt": "2026-03-05T02:37:00Z",
+  "updatedAt": "2026-03-05T02:38:46.450Z",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "Node.js API Removal",
+      "description": "Replace all forbidden Node.js APIs (readFileSync, appendFileSync, existsSync, setTimeout) with Bun-native equivalents (Bun.file().text(), Bun.write, Bun.file().exists(), Bun.sleep) across the codebase as per the v0.19.0 roadmap. Refer to .claude/rules/04-forbidden-patterns.md.",
+      "acceptanceCriteria": [
+        "No occurrences of readFileSync or appendFileSync remain in src/",
+        "No occurrences of existsSync remain in src/ (unless performance critical)",
+        "No occurrences of setTimeout remain in src/",
+        "Codebase passes typecheck and lint after changes"
+      ],
+      "status": "failed",
+      "passes": false,
+      "attempts": 1,
+      "routing": {
+        "complexity": "simple",
+        "modelTier": "powerful",
+        "testStrategy": "test-after"
+      },
+      "priorErrors": [
+        "Attempt 1 failed with model tier: fast: Stage requested escalation to higher tier",
+        "Attempt 1 failed with model tier: balanced: Stage requested escalation to higher tier"
+      ],
+      "priorFailures": [
+        {
+          "attempt": 1,
+          "modelTier": "fast",
+          "stage": "escalation",
+          "summary": "Failed with tier fast, escalating to next tier",
+          "timestamp": "2026-03-05T02:37:41.586Z"
+        },
+        {
+          "attempt": 1,
+          "modelTier": "balanced",
+          "stage": "escalation",
+          "summary": "Failed with tier balanced, escalating to next tier",
+          "timestamp": "2026-03-05T02:38:14.713Z"
+        }
+      ],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "storyPoints": 1
+    }
+  ]
+}

package/nax/features/nax-compliance/progress.txt

@@ -0,0 +1 @@
+[2026-03-05T02:38:46.450Z] US-001 — FAILED — Node.js API Removal — Execution failed

package/nax/features/v0.19.0-hardening/plan.md

@@ -0,0 +1,7 @@
+# Plan: v0.19.0-hardening
+
+## Architecture
+
+## Phases
+
+## Dependencies

package/nax/features/v0.19.0-hardening/prd.json

@@ -0,0 +1,84 @@
+{
+  "project": "@nathapp/nax",
+  "feature": "v0.19.0-hardening",
+  "branchName": "feat/v0.19.0-sec",
+  "createdAt": "2026-03-05T02:58:00Z",
+  "updatedAt": "2026-03-05T03:13:29.408Z",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "Security P0 Hardening",
+      "description": "Implement path validation for loaders (SEC-1, SEC-2), fix shell injection vectors (SEC-3, SEC-4), and respect dangerouslySkipPermissions config (SEC-5).",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-002",
+      "title": "BUG-1 Parallel Race Condition",
+      "description": "Replace Promise.race loop with proper concurrency control in parallel executor.",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-003",
+      "title": "Node.js API Removal",
+      "description": "Replace readFileSync, appendFileSync, existsSync, and setTimeout with Bun-native equivalents.",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-004",
+      "title": "Type Fixes (v0.19.0)",
+      "description": "Fix the 18 type errors introduced during the Node.js API removal and security hardening in the src/ directory. Ensure all Bun-native APIs (Bun.file, Bun.write) are used correctly with valid types. Fix variable scopes and missing imports.",
+      "status": "failed",
+      "passes": false,
+      "attempts": 1,
+      "routing": {
+        "complexity": "medium",
+        "modelTier": "powerful",
+        "testStrategy": "test-after"
+      },
+      "priorErrors": [
+        "Attempt 1 failed with model tier: balanced: Stage requested escalation to higher tier"
+      ],
+      "priorFailures": [
+        {
+          "attempt": 1,
+          "modelTier": "balanced",
+          "stage": "escalation",
+          "summary": "Failed with tier balanced, escalating to next tier",
+          "timestamp": "2026-03-05T03:12:59.254Z"
+        }
+      ],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    }
+  ]
+}

package/nax/features/v0.19.0-hardening/progress.txt

@@ -0,0 +1,7 @@
+# Progress: v0.19.0-hardening
+
+Created: 2026-03-05T02:58:51.347Z
+
+---
+[2026-03-05T03:01:55.028Z] US-003 — FAILED — Node.js API Removal — Execution failed
+[2026-03-05T03:13:29.408Z] US-004 — FAILED — Type Fixes (v0.19.0) — Execution failed

package/nax/features/v0.19.0-hardening/spec.md

@@ -0,0 +1,18 @@
+# v0.19.0 Hardening & Compliance
+
+Address Security, Reliability, and Technical Debt findings from the 2026-03-04 audit.
+
+## Goals
+- SEC-1 to SEC-5: Complete security hardening (RCE, Shell, Permissions).
+- BUG-1: Fix parallel concurrency race condition.
+- BUG-3, BUG-5, MEM-2: Reliability fixes (metrics, mutation, memory leak).
+- Technical Debt: Replace forbidden Node.js APIs (readFileSync, etc.) with Bun-native equivalents.
+- Architecture: Split 400-line files and cleanup dead code.
+
+## Acceptance Criteria
+- SEC-1/2: Dynamic imports restricted to allowed roots.
+- SEC-3/4: Shell injection via backticks/dollar-signs blocked.
+- SEC-5: --dangerously-skip-permissions respects config.
+- BUG-1: Parallel execution respects maxConcurrency exactly.
+- Node.js APIs: All readFileSync/appendFileSync/setTimeout replaced with Bun equivalents.
+- Files: cli/config.ts split below 400 lines.

package/nax/features/v0.19.0-hardening/tasks.md

@@ -0,0 +1,8 @@
+# Tasks: v0.19.0-hardening
+
+## US-001: [Title]
+
+### Description
+
+### Acceptance Criteria
+- [ ] Criterion 1

package/nax/features/verify-v2/prd.json

@@ -0,0 +1,79 @@
+{
+  "project": "nax",
+  "branchName": "feat/v0.20.0-verify-v2",
+  "feature": "verify-v2",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "Remove test from review defaults",
+      "description": "Change review.checks default from ['typecheck', 'lint', 'test'] to ['typecheck', 'lint'] in src/config/defaults.ts. The test check in review duplicates the pipeline verify stage. Keep 'test' as a valid enum value in the schema for backwards compatibility but remove it from the default config. Update any tests that assert on the default review checks array.",
+      "complexity": "simple",
+      "status": "passed",
+      "attempts": 0,
+      "priorErrors": [
+        "Attempt 1 failed with model tier: balanced: Stage requested escalation to higher tier"
+      ],
+      "priorFailures": [
+        {
+          "attempt": 1,
+          "modelTier": "balanced",
+          "stage": "escalation",
+          "summary": "Failed with tier balanced, escalating to next tier",
+          "timestamp": "2026-03-05T11:14:42.773Z"
+        }
+      ],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1,
+      "routing": {
+        "complexity": "simple",
+        "modelTier": "powerful",
+        "testStrategy": "test-after",
+        "reasoning": "override: simple config default change, tests already exist"
+      },
+      "passes": true
+    },
+    {
+      "id": "US-002",
+      "title": "Remove post-verify scoped duplicate",
+      "description": "In src/execution/post-verify.ts, remove the scoped verification logic (getChangedTestFiles + runVerification for scoped tests) from runPostAgentVerification(). The pipeline verify stage already runs Smart Test Runner scoped tests. post-verify should ONLY run the regression gate (full suite) and handle failure revert with StructuredFailure. Remove getChangedTestFiles() and scopeTestCommand() helper functions. Remove the scoped rectification loop call. Update the function signature to no longer need storyGitRef. Update all tests for post-verify accordingly.",
+      "complexity": "medium",
+      "status": "passed",
+      "attempts": 0,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1,
+      "passes": true
+    },
+    {
+      "id": "US-003",
+      "title": "Deferred regression gate",
+      "description": "Create new src/execution/lifecycle/run-regression.ts that implements a deferred regression gate. Instead of running the full test suite after every story, run it once after all stories complete. Steps: (1) Add 'mode' field to RegressionGateConfigSchema with values 'deferred' | 'per-story' | 'disabled' (default: 'deferred'). (2) Add 'maxRectificationAttempts' field (default: 2). (3) In run-regression.ts: run full suite once, parse failures, use reverse Smart Test Runner mapping (test file -> source file -> responsible story via git log), attempt targeted rectification per responsible story, re-run full suite to confirm. (4) Call deferred regression from run-completion.ts before final metrics, only when mode is 'deferred'. (5) When mode is 'deferred', skip the per-story regression gate in post-verify.ts. (6) Add reverseMapTestToSource() to smart-runner.ts. (7) Handle edge cases: partial completion (only check passed stories), overlapping file changes (try last story first), unmapped tests (warn and mark all passed stories for re-verification).",
+      "complexity": "complex",
+      "status": "passed",
+      "attempts": 0,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1,
+      "routing": {
+        "complexity": "complex",
+        "modelTier": "balanced",
+        "testStrategy": "three-session-tdd-lite",
+        "reasoning": "override: complex new file + schema changes, needs powerful model"
+      },
+      "failureCategory": "session-failure",
+      "passes": true
+    }
+  ],
+  "updatedAt": "2026-03-05T11:58:46.858Z"
+}

package/nax/features/verify-v2/progress.txt

@@ -0,0 +1,3 @@
+[2026-03-05T07:05:07.935Z] US-002 — PASSED — Remove post-verify scoped duplicate — Cost: $0.1170
+[2026-03-05T08:08:59.656Z] US-003 — FAILED — Deferred regression gate — Execution failed
+[2026-03-05T08:13:50.586Z] US-001 — FAILED — Remove test from review defaults — Execution failed

package/nax/status.json

@@ -0,0 +1,27 @@
+{
+  "version": 1,
+  "run": {
+    "id": "run-2026-03-05T02-37-04-540Z",
+    "feature": "nax-compliance",
+    "startedAt": "2026-03-05T02:37:04.540Z",
+    "status": "stalled",
+    "dryRun": false,
+    "pid": 814245
+  },
+  "progress": {
+    "total": 1,
+    "passed": 0,
+    "failed": 1,
+    "paused": 0,
+    "blocked": 0,
+    "pending": 0
+  },
+  "cost": {
+    "spent": 0,
+    "limit": 8
+  },
+  "current": null,
+  "iterations": 3,
+  "updatedAt": "2026-03-05T02:38:46.469Z",
+  "durationMs": 101929
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nathapp/nax",
-  "version": "0.18.6",
+  "version": "0.20.0",
   "description": "AI Coding Agent Orchestrator \u2014 loops until done",
   "type": "module",
   "bin": {
@@ -44,4 +44,4 @@
     "tdd",
     "coding"
   ]
-}
+}

package/src/acceptance/fix-generator.ts

@@ -6,7 +6,7 @@
  */
 
 import type { AgentAdapter } from "../agents/types";
-import type { ModelDef } from "../config/schema";
+import type { ModelDef, NaxConfig } from "../config/schema";
 import { getLogger } from "../logger";
 import type { PRD, UserStory } from "../prd/types";
 
@@ -70,6 +70,8 @@ export interface GenerateFixStoriesOptions {
   workdir: string;
   /** Model definition for LLM call */
   modelDef: ModelDef;
+  /** Global config */
+  config: NaxConfig;
 }
 
 /**
@@ -224,7 +226,9 @@ export async function generateFixStories(
 
     try {
       // Call agent to generate fix description
-      const cmd = [adapter.binary, "--model", modelDef.model, "--dangerously-skip-permissions", "-p", prompt];
+      const skipPerms = options.config.quality?.dangerouslySkipPermissions ?? true;
+      const permArgs = skipPerms ? ["--dangerously-skip-permissions"] : [];
+      const cmd = [adapter.binary, "--model", modelDef.model, ...permArgs, "-p", prompt];
 
       const proc = Bun.spawn(cmd, {
         cwd: workdir,

package/src/acceptance/generator.ts

@@ -178,7 +178,9 @@ export async function generateAcceptanceTests(
 
   try {
     // Call agent to generate tests (using decompose as pattern)
-    const cmd = [adapter.binary, "--model", options.modelDef.model, "--dangerously-skip-permissions", "-p", prompt];
+    const skipPerms = options.config.quality?.dangerouslySkipPermissions ?? true;
+    const permArgs = skipPerms ? ["--dangerously-skip-permissions"] : [];
+    const cmd = [adapter.binary, "--model", options.modelDef.model, ...permArgs, "-p", prompt];
 
     const proc = Bun.spawn(cmd, {
       cwd: options.workdir,

package/src/acceptance/types.ts

@@ -4,7 +4,7 @@
  * Types for generating acceptance tests from spec.md acceptance criteria.
  */
 
-import type { ModelDef, ModelTier } from "../config/schema";
+import type { ModelDef, ModelTier, NaxConfig } from "../config/schema";
 
 /**
  * A single acceptance criterion extracted from spec.md.
@@ -55,6 +55,8 @@ export interface GenerateAcceptanceTestsOptions {
   modelTier: ModelTier;
   /** Resolved model definition */
   modelDef: ModelDef;
+  /** Global config for quality settings */
+  config: NaxConfig;
 }
 
 /**

package/src/agents/claude-plan.ts

@@ -1,3 +1,6 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 /**
  * Claude Code Plan Logic
  *
@@ -96,9 +99,7 @@ export async function runPlan(
   }
 
   // Non-interactive: redirect stdout to temp file via Bun.file()
-  const { join } = require("node:path");
-  const { mkdtempSync, readFileSync, rmSync } = require("node:fs");
-  const { tmpdir } = require("node:os");
+
   const tempDir = mkdtempSync(join(tmpdir(), "nax-plan-"));
   const outFile = join(tempDir, "stdout.txt");
   const errFile = join(tempDir, "stderr.txt");
@@ -120,8 +121,8 @@ export async function runPlan(
     // Unregister PID after exit
     await pidRegistry.unregister(proc.pid);
 
-    const specContent = readFileSync(outFile, "utf-8");
-    const conversationLog = readFileSync(errFile, "utf-8");
+    const specContent = await Bun.file(outFile).text();
+    const conversationLog = await Bun.file(errFile).text();
 
     if (exitCode !== 0) {
       throw new Error(`Plan mode failed with exit code ${exitCode}: ${conversationLog || "unknown error"}`);

package/src/cli/analyze.ts

@@ -193,6 +193,7 @@ async function generateAcceptanceTestsForFeature(
       codebaseContext,
       modelTier,
       modelDef,
+      config,
     });
 
     const acceptanceTestPath = join(featureDir, config.acceptance.testPath);

package/src/cli/init.ts

@@ -4,7 +4,8 @@
  * Initializes nax configuration directories and files.
  */
 
-import { existsSync, mkdirSync, readFileSync } from "node:fs";
+import { existsSync } from "node:fs";
+import { mkdir } from "node:fs/promises";
 import { join } from "node:path";
 import { globalConfigDir, projectConfigDir } from "../config/paths";
 import { DEFAULT_CONFIG } from "../config/schema";
@@ -34,7 +35,7 @@ async function updateGitignore(projectRoot: string): Promise<void> {
 
   let existing = "";
   if (existsSync(gitignorePath)) {
-    existing = readFileSync(gitignorePath, "utf-8");
+    existing = await Bun.file(gitignorePath).text();
   }
 
   const missingEntries = NAX_GITIGNORE_ENTRIES.filter((entry) => !existing.includes(entry));
@@ -95,7 +96,7 @@ async function initGlobal(): Promise<void> {
 
   // Create ~/.nax if it doesn't exist
   if (!existsSync(globalDir)) {
-    mkdirSync(globalDir, { recursive: true });
+    await mkdir(globalDir, { recursive: true });
     logger.info("init", "Created global config directory", { path: globalDir });
   }
 
@@ -120,7 +121,7 @@ async function initGlobal(): Promise<void> {
   // Create ~/.nax/hooks/ directory if it doesn't exist
   const hooksDir = join(globalDir, "hooks");
   if (!existsSync(hooksDir)) {
-    mkdirSync(hooksDir, { recursive: true });
+    await mkdir(hooksDir, { recursive: true });
     logger.info("init", "Created global hooks directory", { path: hooksDir });
   } else {
     logger.info("init", "Global hooks directory already exists", { path: hooksDir });
@@ -138,7 +139,7 @@ async function initProject(projectRoot: string): Promise<void> {
 
   // Create nax/ directory if it doesn't exist
   if (!existsSync(projectDir)) {
-    mkdirSync(projectDir, { recursive: true });
+    await mkdir(projectDir, { recursive: true });
     logger.info("init", "Created project config directory", { path: projectDir });
   }
 
@@ -163,7 +164,7 @@ async function initProject(projectRoot: string): Promise<void> {
   // Create nax/hooks/ directory if it doesn't exist
   const hooksDir = join(projectDir, "hooks");
   if (!existsSync(hooksDir)) {
-    mkdirSync(hooksDir, { recursive: true });
+    await mkdir(hooksDir, { recursive: true });
     logger.info("init", "Created project hooks directory", { path: hooksDir });
   } else {
     logger.info("init", "Project hooks directory already exists", { path: hooksDir });

package/src/config/defaults.ts

@@ -67,6 +67,7 @@ export const DEFAULT_CONFIG: NaxConfig = {
       enabled: true,
       timeoutSeconds: 120,
       acceptOnTimeout: true,
+      maxRectificationAttempts: 2,
     },
     contextProviderTokenBudget: 2000,
     smartTestRunner: true,
@@ -80,6 +81,7 @@ export const DEFAULT_CONFIG: NaxConfig = {
     detectOpenHandles: true,
     detectOpenHandlesRetries: 1,
     gracePeriodMs: 5000,
+    dangerouslySkipPermissions: true,
     drainTimeoutMs: 2000,
     shell: "/bin/sh",
     stripEnvVars: ["CLAUDECODE", "REPL_ID", "AGENT"],
@@ -112,7 +114,7 @@ export const DEFAULT_CONFIG: NaxConfig = {
   },
   review: {
     enabled: true,
-    checks: ["typecheck", "lint", "test"],
+    checks: ["typecheck", "lint"],
     commands: {},
   },
   plan: {

package/src/config/schemas.ts

@@ -63,6 +63,8 @@ const RegressionGateConfigSchema = z.object({
   enabled: z.boolean().default(true),
   timeoutSeconds: z.number().int().min(10).max(600).default(120),
   acceptOnTimeout: z.boolean().default(true),
+  mode: z.enum(["deferred", "per-story", "disabled"]).default("deferred"),
+  maxRectificationAttempts: z.number().int().min(1).default(2),
 });
 
 const SmartTestRunnerConfigSchema = z.object({

package/src/config/types.ts

@@ -78,6 +78,10 @@ export interface RegressionGateConfig {
   timeoutSeconds: number;
   /** Accept timeout as pass instead of failing (BUG-026, default: true) */
   acceptOnTimeout?: boolean;
+  /** Mode of regression gate: 'deferred' (run once after all stories), 'per-story' (run after each story), 'disabled' (default: 'deferred') */
+  mode?: "deferred" | "per-story" | "disabled";
+  /** Max rectification attempts for deferred regression gate (default: 2) */
+  maxRectificationAttempts?: number;
 }
 
 /** Smart test runner configuration (STR-007) */
@@ -145,6 +149,8 @@ export interface QualityConfig {
   detectOpenHandlesRetries: number;
   /** Grace period in ms after SIGTERM before sending SIGKILL (default: 5000) */
   gracePeriodMs: number;
+  /** Use --dangerously-skip-permissions for agent sessions (default: false) */
+  dangerouslySkipPermissions: boolean;
   /** Deadline in ms to drain stdout/stderr after killing process (Bun stream workaround, default: 2000) */
   drainTimeoutMs: number;
   /** Shell to use for running verification commands (default: /bin/sh) */