@synkro-sh/cli 1.5.4 → 1.5.5

package/dist/bootstrap.js

@@ -2861,28 +2861,31 @@ async function main() {
       if (tName !== 'Bash' && tName !== 'Shell' && tName !== 'terminal' &&
           tName !== 'run_terminal_cmd' && tName !== 'execute_command') return false;
       // Reject any shell metacharacter that could turn a "read" into a write
-      // or chain to an unsafe consumer: redirects, pipes, sequencing, command
-      // substitution, sudo/su.
-      if (/[>;&|\\\`]|\\$\\(|<<|\\bsudo\\b|\\bsu\\b|\\brm\\b|\\bmv\\b|\\bcp\\b|\\bchmod\\b|\\bchown\\b|\\btee\\b|\\bsed\\s+-i\\b|\\bkill\\b/.test(cmd)) return false;
+      // or chain to an unsafe consumer. Using string includes instead of a
+      // regex because escaping inside a String.raw template literal is a
+      // footgun (we got bitten by an unbalanced-paren regex once already).
+      const UNSAFE_CHARS = ['>', ';', '&', '|', '\`'];
+      for (const ch of UNSAFE_CHARS) { if (cmd.indexOf(ch) !== -1) return false; }
+      const padded = ' ' + cmd + ' ';
+      const UNSAFE_WORDS = [' sudo ', ' su ', ' rm ', ' mv ', ' cp ', ' chmod ', ' chown ', ' tee ', ' kill ', ' sed -i', ' sed --in-place', '\$('];
+      for (const w of UNSAFE_WORDS) { if (padded.indexOf(w) !== -1) return false; }
       const SAFE_VERBS = new Set([
         'cat','head','tail','less','more','grep','egrep','fgrep','rg','ag',
         'find','fd','ls','wc','cmp','diff','file','stat','which','whereis','type',
         'pwd','whoami','id','date','echo','printf','env','true','false',
         'jq','yq','awk','sort','uniq','cut','tr','xxd','hexdump','od','column',
         'node','npm','pnpm','yarn','bun','python','python3','ruby','go','rustc','cargo',
-        'git',
+        'git','sed',
       ]);
-      const tokens = cmd.trim().split(/\\s+/);
+      const tokens = cmd.trim().split(' ').filter(t => t.length > 0);
       const verb = tokens[0] || '';
       if (!SAFE_VERBS.has(verb)) return false;
-      // For multi-mode tools, only allow read subcommands / version flags.
       if (verb === 'git') {
         const SAFE_GIT = new Set(['log','show','diff','blame','status','branch','tag','remote','config','rev-parse','ls-files','ls-tree','cat-file','shortlog','reflog','describe','symbolic-ref']);
         const sub = tokens[1] || '';
         return SAFE_GIT.has(sub);
       }
       if (['npm','pnpm','yarn','bun','cargo','go'].includes(verb)) {
-        // Only allow plain version/info/list/why probes — block install/add/update/run/exec.
         const sub = tokens[1] || '';
         const SAFE_PKG = new Set(['--version','-v','version','list','ls','why','view','show','info','outdated','-h','--help','help']);
         return SAFE_PKG.has(sub);
@@ -2891,8 +2894,7 @@ async function main() {
         const sub = tokens[1] || '';
         return sub === '--version' || sub === '-v' || sub === '-V';
       }
-      // sed without -i flag is read-only by definition; we already excluded
-      // sed -i above. Anything else with a SAFE_VERB and no metachars is fine.
+      // sed: only safe without -i (we filtered that above).
       return true;
     }
 
@@ -5852,7 +5854,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.5.4")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.5.5")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -7242,7 +7244,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.5.4");
+  console.log("1.5.5");
 }
 function printHelp() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents