jinzd-ai-cli 0.4.103 → 0.4.105

package/dist/{chunk-RZWWODW7.js → chunk-RFKT3T5S.js}

@@ -1,9 +1,24 @@
 #!/usr/bin/env node
+import {
+  hasSemanticIndex,
+  semanticSearch
+} from "./chunk-3BICTI5M.js";
+import {
+  runTestsTool
+} from "./chunk-LVX667WL.js";
 import {
   EnvLoader,
   NetworkError,
   ToolError
 } from "./chunk-2ZD3YTVM.js";
+import {
+  CONFIG_DIR_NAME,
+  DEFAULT_MAX_TOOL_OUTPUT_CHARS_CAP,
+  MEMORY_FILE_NAME,
+  SUBAGENT_ALLOWED_TOOLS,
+  SUBAGENT_DEFAULT_MAX_ROUNDS,
+  SUBAGENT_MAX_ROUNDS_LIMIT
+} from "./chunk-LX5FXZVP.js";
 import {
   fileCheckpoints
 } from "./chunk-4BKXL7SM.js";
@@ -14,24 +29,9 @@ import {
 import {
   indexProject
 } from "./chunk-NHNWUBXB.js";
-import {
-  hasSemanticIndex,
-  semanticSearch
-} from "./chunk-KJLJPUY2.js";
 import {
   loadIndex
 } from "./chunk-6VRJGH25.js";
-import {
-  runTestsTool
-} from "./chunk-OVYOYUP7.js";
-import {
-  CONFIG_DIR_NAME,
-  DEFAULT_MAX_TOOL_OUTPUT_CHARS_CAP,
-  MEMORY_FILE_NAME,
-  SUBAGENT_ALLOWED_TOOLS,
-  SUBAGENT_DEFAULT_MAX_ROUNDS,
-  SUBAGENT_MAX_ROUNDS_LIMIT
-} from "./chunk-JHPSWYO3.js";
 
 // src/tools/types.ts
 function isFileWriteTool(name) {
@@ -43,11 +43,17 @@ function getDangerLevel(toolName, args) {
     const cmd = String(args["command"] ?? "");
     if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
     if (/\brm\s+\S/.test(cmd)) return "destructive";
-    if (/\brmdir\b|\bformat\b|\bmkfs\b/.test(cmd)) return "destructive";
-    if (/\bRemove-Item\b.*(?:-Recurse|-Force)|\bri\s+.*-(?:Recurse|Force)\b|\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
+    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
+    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
+    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
+    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
+    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
     if (/\bdel\s+\S/.test(cmd)) return "destructive";
-    if (/\becho\b.*>>?|\btee\b|\bcp\b|\bmv\b/.test(cmd)) return "write";
-    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b/i.test(cmd)) return "write";
+    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
+    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
+    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
+    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
+    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
     return "safe";
   }
   if (toolName === "write_file") return "write";
@@ -662,10 +668,10 @@ function createCell(cellType, content) {
 // src/tools/builtin/read-file.ts
 var MAX_FILE_BYTES = 10 * 1024 * 1024;
 function getSensitiveWarning(normalizedPath) {
-  const home = homedir();
+  const home2 = homedir();
   const p = normalizedPath.toLowerCase();
   const base = basename(normalizedPath).toLowerCase();
-  if (normalizedPath.startsWith(home) && p.includes(".aicli") && base === "config.json") {
+  if (normalizedPath.startsWith(home2) && p.includes(".aicli") && base === "config.json") {
     return "[\u26A0 Security Warning: This file contains API keys. Be careful not to share this content.]\n\n";
   }
   if (base === ".env" || base.startsWith(".env.") || base.endsWith(".env")) {
@@ -1159,8 +1165,14 @@ function checkPermission(toolName, args, dangerLevel, rules, defaultAction = "co
     if (rule.when) {
       if (rule.when.dangerLevel && rule.when.dangerLevel !== dangerLevel) continue;
       if (rule.when.pathPattern) {
-        const path3 = String(args["path"] ?? args["command"] ?? "");
-        if (!path3.includes(rule.when.pathPattern)) continue;
+        if (toolName === "bash" && rule.action === "auto-approve") {
+          const cmd = String(args["command"] ?? "").trim();
+          if (/[;&|`$<>]/.test(cmd) || /\$\(/.test(cmd)) continue;
+          if (!cmd.startsWith(rule.when.pathPattern)) continue;
+        } else {
+          const path3 = String(args["path"] ?? args["command"] ?? "");
+          if (!path3.includes(rule.when.pathPattern)) continue;
+        }
       }
     }
     return rule.action;
@@ -1606,7 +1618,7 @@ var ToolExecutor = class {
     rl.resume();
     process.stdout.write(prompt);
     this.confirming = true;
-    return new Promise((resolve4) => {
+    return new Promise((resolve5) => {
       let completed = false;
       const cleanup = (result) => {
         if (completed) return;
@@ -1616,7 +1628,7 @@ var ToolExecutor = class {
         rl.pause();
         rlAny.output = savedOutput;
         this.confirming = false;
-        resolve4(result);
+        resolve5(result);
       };
       const onLine = (line) => {
         const trimmed = line.trim();
@@ -1786,7 +1798,7 @@ var ToolExecutor = class {
     rl.resume();
     process.stdout.write(color("Proceed? [y/N] (type y + Enter to confirm) "));
     this.confirming = true;
-    return new Promise((resolve4) => {
+    return new Promise((resolve5) => {
       let completed = false;
       const cleanup = (answer) => {
         if (completed) return;
@@ -1796,7 +1808,7 @@ var ToolExecutor = class {
         rl.pause();
         rlAny.output = savedOutput;
         this.confirming = false;
-        resolve4(answer === "y");
+        resolve5(answer === "y");
       };
       const onLine = (line) => {
         const trimmed = line.trim();
@@ -1823,6 +1835,99 @@ var ToolExecutor = class {
   }
 };
 
+// src/tools/sensitive-paths.ts
+import { resolve as resolve3, sep as sep2, basename as basename2 } from "path";
+import { homedir as homedir2 } from "os";
+var home = homedir2();
+function norm(p) {
+  const abs = resolve3(p);
+  return process.platform === "win32" ? abs.toLowerCase() : abs;
+}
+function homeRel(p) {
+  const abs = norm(p);
+  const h = norm(home);
+  if (abs === h) return ".";
+  if (abs.startsWith(h + (process.platform === "win32" ? "\\" : "/"))) {
+    return abs.slice(h.length + 1);
+  }
+  return null;
+}
+function classifyWritePath(path3) {
+  if (!path3) return { sensitive: false };
+  const abs = norm(path3);
+  const base = basename2(abs);
+  const rel = homeRel(path3);
+  if (rel) {
+    const shellRc = /* @__PURE__ */ new Set([
+      ".bashrc",
+      ".bash_profile",
+      ".bash_login",
+      ".profile",
+      ".zshrc",
+      ".zprofile",
+      ".zshenv",
+      ".zlogin",
+      ".kshrc",
+      ".cshrc",
+      ".tcshrc",
+      ".fish_config"
+    ]);
+    if (shellRc.has(base)) {
+      return { sensitive: true, reason: `shell startup file (${rel})` };
+    }
+  }
+  const sshDir = `${sep2}.ssh${sep2}`;
+  if (abs.includes(sshDir.toLowerCase()) || abs.includes(sshDir)) {
+    return { sensitive: true, reason: `SSH directory (${rel ?? abs})` };
+  }
+  const credPaths = [
+    `${sep2}.aws${sep2}credentials`,
+    `${sep2}.aws${sep2}config`,
+    `${sep2}.gcp${sep2}`,
+    `${sep2}.azure${sep2}`,
+    `${sep2}.config${sep2}gcloud${sep2}`,
+    `${sep2}.kube${sep2}config`,
+    `${sep2}.docker${sep2}config.json`,
+    `${sep2}.netrc`
+  ];
+  for (const c of credPaths) {
+    const lc = process.platform === "win32" ? c.toLowerCase() : c;
+    if (abs.includes(lc)) return { sensitive: true, reason: `cloud/auth credential file (${rel ?? abs})` };
+  }
+  if (rel && (rel === ".aicli" || rel.startsWith(".aicli" + (process.platform === "win32" ? "\\" : "/")))) {
+    if (base === "config.json" || base === "users.json") {
+      return { sensitive: true, reason: `ai-cli internal config (${rel})` };
+    }
+  }
+  if (abs.includes(`${sep2}.git${sep2}hooks${sep2}`) || abs.includes(`${sep2}.git${sep2}hooks${sep2}`.toLowerCase())) {
+    return { sensitive: true, reason: ".git/hooks/* \u2014 runs on next git operation" };
+  }
+  if (abs.includes(`${sep2}.git${sep2}config`) || abs.includes(`${sep2}.git${sep2}config`.toLowerCase())) {
+    return { sensitive: true, reason: ".git/config \u2014 repository identity" };
+  }
+  if (process.platform !== "win32") {
+    const sysPrefixes = ["/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/boot/"];
+    for (const pre of sysPrefixes) {
+      if (abs.startsWith(pre)) return { sensitive: true, reason: `system path (${pre})` };
+    }
+  } else {
+    const winSys = ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\", "c:\\program files (x86)\\"];
+    for (const pre of winSys) {
+      if (abs.startsWith(pre)) return { sensitive: true, reason: `system path (${pre})` };
+    }
+  }
+  if (abs.includes(`${sep2}cron.d${sep2}`) || abs.startsWith("/etc/cron") || abs.startsWith("/var/spool/cron/")) {
+    return { sensitive: true, reason: "cron scheduling" };
+  }
+  if (rel && (rel.startsWith("Library/LaunchAgents/") || rel.startsWith("Library/LaunchDaemons/"))) {
+    return { sensitive: true, reason: "macOS launch agent" };
+  }
+  return { sensitive: false };
+}
+var subAgentGuard = {
+  active: false
+};
+
 // src/tools/builtin/write-file.ts
 var writeFileTool = {
   definition: {
@@ -1865,6 +1970,13 @@ Do NOT split a long document into many write_file(append=true) calls. That patte
     const encoding = args["encoding"] ?? "utf-8";
     const appendMode = String(args["append"] ?? "false").toLowerCase() === "true";
     if (!filePath) throw new ToolError("write_file", "path is required");
+    const verdict = classifyWritePath(filePath);
+    if (verdict.sensitive && subAgentGuard.active) {
+      throw new ToolError(
+        "write_file",
+        `Refused: sub-agents cannot write to sensitive paths \u2014 ${verdict.reason}. If this is genuinely needed, ask the parent agent to perform the write so the user can approve it.`
+      );
+    }
     undoStack.push(filePath, `write_file${appendMode ? " (append)" : ""}: ${filePath}`);
     fileCheckpoints.snapshot(filePath, ToolExecutor.currentMessageIndex);
     mkdirSync(dirname2(filePath), { recursive: true });
@@ -1877,7 +1989,7 @@ Do NOT split a long document into many write_file(append=true) calls. That patte
     const mode = appendMode ? "appended" : "written";
     void (async () => {
       try {
-        const { updateFile } = await import("./indexer-C7QYYHSZ.js");
+        const { updateFile } = await import("./indexer-XGY7XGJM.js");
         await updateFile(process.cwd(), filePath);
       } catch {
       }
@@ -2249,6 +2361,13 @@ Note: Path can be absolute or relative to cwd.`,
     const encoding = args["encoding"] ?? "utf-8";
     if (!filePath) throw new ToolError("edit_file", "path is required");
     if (!existsSync5(filePath)) throw new ToolError("edit_file", `File not found: ${filePath}`);
+    const verdict = classifyWritePath(filePath);
+    if (verdict.sensitive && subAgentGuard.active) {
+      throw new ToolError(
+        "edit_file",
+        `Refused: sub-agents cannot edit sensitive paths \u2014 ${verdict.reason}. If this is genuinely needed, ask the parent agent to perform the edit so the user can approve it.`
+      );
+    }
     const original = readFileSync4(filePath, encoding);
     if (args["patch"] !== void 0) {
       const patchText = String(args["patch"] ?? "");
@@ -2408,7 +2527,7 @@ function truncatePreview(str, maxLen = 80) {
 
 // src/tools/builtin/list-dir.ts
 import { readdirSync as readdirSync3, statSync as statSync3, existsSync as existsSync6 } from "fs";
-import { join, basename as basename2 } from "path";
+import { join, basename as basename3 } from "path";
 var listDirTool = {
   definition: {
     name: "list_dir",
@@ -2431,7 +2550,7 @@ var listDirTool = {
     const dirPath = String(args["path"] ?? process.cwd());
     const recursive = Boolean(args["recursive"] ?? false);
     if (!existsSync6(dirPath)) {
-      const targetName = basename2(dirPath).toLowerCase();
+      const targetName = basename3(dirPath).toLowerCase();
       const cwd = process.cwd();
       const suggestions = [];
       try {
@@ -2746,7 +2865,7 @@ function searchInFile(fullPath, displayPath, regex, contextLines, maxResults, re
 
 // src/tools/builtin/glob-files.ts
 import { readdirSync as readdirSync5, statSync as statSync5, existsSync as existsSync8 } from "fs";
-import { join as join3, relative as relative2, basename as basename3 } from "path";
+import { join as join3, relative as relative2, basename as basename4 } from "path";
 var globFilesTool = {
   definition: {
     name: "glob_files",
@@ -2862,7 +2981,7 @@ function collectMatchingFiles(dirPath, rootPath, regex, results, maxResults) {
       collectMatchingFiles(fullPath, rootPath, regex, results, maxResults);
     } else if (entry.isFile()) {
       const relPath = relative2(rootPath, fullPath).replace(/\\/g, "/");
-      if (regex.test(relPath) || regex.test(basename3(relPath))) {
+      if (regex.test(relPath) || regex.test(basename4(relPath))) {
         try {
           const stat = statSync5(fullPath);
           results.push({ relPath, absPath: fullPath, mtime: stat.mtimeMs });
@@ -2938,7 +3057,7 @@ var runInteractiveTool = {
       PYTHONDONTWRITEBYTECODE: "1"
     };
     const prefixWarnings = [argsTypeWarning, stdinTypeWarning].filter(Boolean).join("");
-    return new Promise((resolve4) => {
+    return new Promise((resolve5) => {
       const child = spawn2(executable, cmdArgs.map(String), {
         cwd: process.cwd(),
         env,
@@ -2971,22 +3090,22 @@ var runInteractiveTool = {
       setTimeout(writeNextLine, 400);
       const timer = setTimeout(() => {
         child.kill();
-        resolve4(`${prefixWarnings}[Timeout after ${timeout}ms]
+        resolve5(`${prefixWarnings}[Timeout after ${timeout}ms]
 ${buildOutput(stdout, stderr)}`);
       }, timeout);
       child.on("close", (code) => {
         clearTimeout(timer);
         const output = buildOutput(stdout, stderr);
         if (code !== 0 && code !== null) {
-          resolve4(`${prefixWarnings}Exit code ${code}:
+          resolve5(`${prefixWarnings}Exit code ${code}:
 ${output}`);
         } else {
-          resolve4(`${prefixWarnings}${output || "(no output)"}`);
+          resolve5(`${prefixWarnings}${output || "(no output)"}`);
         }
       });
       child.on("error", (err) => {
         clearTimeout(timer);
-        resolve4(
+        resolve5(
           `${prefixWarnings}Failed to start process "${executable}": ${err.message}
 Hint: On Windows, use the full path to the executable, e.g.:
   C:\\Users\\Jinzd\\anaconda3\\envs\\python312\\python.exe`
@@ -3256,9 +3375,9 @@ Any of these triggers means use save_last_response, NOT write_file:
 // src/tools/builtin/save-memory.ts
 import { existsSync as existsSync9, statSync as statSync6, appendFileSync as appendFileSync2, mkdirSync as mkdirSync3 } from "fs";
 import { join as join4 } from "path";
-import { homedir as homedir2 } from "os";
+import { homedir as homedir3 } from "os";
 function getMemoryFilePath() {
-  return join4(homedir2(), CONFIG_DIR_NAME, MEMORY_FILE_NAME);
+  return join4(homedir3(), CONFIG_DIR_NAME, MEMORY_FILE_NAME);
 }
 function formatTimestamp() {
   const now = /* @__PURE__ */ new Date();
@@ -3282,7 +3401,7 @@ var saveMemoryTool = {
     const content = String(args["content"] ?? "").trim();
     if (!content) throw new ToolError("save_memory", "content is required");
     const memoryPath = getMemoryFilePath();
-    const configDir = join4(homedir2(), CONFIG_DIR_NAME);
+    const configDir = join4(homedir3(), CONFIG_DIR_NAME);
     if (!existsSync9(configDir)) {
       mkdirSync3(configDir, { recursive: true });
     }
@@ -3337,7 +3456,7 @@ function promptUser(rl, question) {
   console.log();
   console.log(chalk4.cyan("\u2753 ") + chalk4.bold(question));
   process.stdout.write(chalk4.cyan("> "));
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     let completed = false;
     const cleanup = (answer) => {
       if (completed) return;
@@ -3347,7 +3466,7 @@ function promptUser(rl, question) {
       rl.pause();
       rlAny.output = savedOutput;
       askUserContext.prompting = false;
-      resolve4(answer);
+      resolve5(answer);
     };
     const onLine = (line) => {
       cleanup(line);
@@ -3844,37 +3963,43 @@ var spawnAgentTool = {
     if (!ctx.provider) {
       throw new ToolError("spawn_agent", "provider not initialized (context not injected)");
     }
-    if (singleTask) {
-      const { content, usage } = await runSubAgent(singleTask, maxRounds, null, ctx);
-      return [
-        "## Sub-Agent Result",
-        "",
-        content,
-        "",
-        "---",
-        `Token usage: ${usage.inputTokens} input, ${usage.outputTokens} output`
-      ].join("\n");
+    const guardWasActive = subAgentGuard.active;
+    subAgentGuard.active = true;
+    try {
+      if (singleTask) {
+        const { content, usage } = await runSubAgent(singleTask, maxRounds, null, ctx);
+        return [
+          "## Sub-Agent Result",
+          "",
+          content,
+          "",
+          "---",
+          `Token usage: ${usage.inputTokens} input, ${usage.outputTokens} output`
+        ].join("\n");
+      }
+      console.log();
+      console.log(theme.toolCall(`\u{1F916} Spawning ${tasksArr.length} sub-agents in parallel...`));
+      const results = await Promise.all(
+        tasksArr.map((t, i) => runSubAgent(t, maxRounds, i + 1, ctx))
+      );
+      const totalIn = results.reduce((s, r) => s + r.usage.inputTokens, 0);
+      const totalOut = results.reduce((s, r) => s + r.usage.outputTokens, 0);
+      const lines = [`## Parallel Sub-Agent Results (${results.length} agents)`, ""];
+      results.forEach((r, i) => {
+        lines.push(`### Sub-Agent #${i + 1}`);
+        lines.push(`**Task**: ${tasksArr[i].slice(0, 200)}${tasksArr[i].length > 200 ? "..." : ""}`);
+        lines.push("");
+        lines.push(r.content);
+        lines.push("");
+        lines.push(`*Tokens: ${r.usage.inputTokens} in / ${r.usage.outputTokens} out*`);
+        lines.push("");
+      });
+      lines.push("---");
+      lines.push(`Total token usage: ${totalIn} input, ${totalOut} output`);
+      return lines.join("\n");
+    } finally {
+      subAgentGuard.active = guardWasActive;
     }
-    console.log();
-    console.log(theme.toolCall(`\u{1F916} Spawning ${tasksArr.length} sub-agents in parallel...`));
-    const results = await Promise.all(
-      tasksArr.map((t, i) => runSubAgent(t, maxRounds, i + 1, ctx))
-    );
-    const totalIn = results.reduce((s, r) => s + r.usage.inputTokens, 0);
-    const totalOut = results.reduce((s, r) => s + r.usage.outputTokens, 0);
-    const lines = [`## Parallel Sub-Agent Results (${results.length} agents)`, ""];
-    results.forEach((r, i) => {
-      lines.push(`### Sub-Agent #${i + 1}`);
-      lines.push(`**Task**: ${tasksArr[i].slice(0, 200)}${tasksArr[i].length > 200 ? "..." : ""}`);
-      lines.push("");
-      lines.push(r.content);
-      lines.push("");
-      lines.push(`*Tokens: ${r.usage.inputTokens} in / ${r.usage.outputTokens} out*`);
-      lines.push("");
-    });
-    lines.push("---");
-    lines.push(`Total token usage: ${totalIn} input, ${totalOut} output`);
-    return lines.join("\n");
   }
 };
 
@@ -4339,7 +4464,7 @@ ${commitOutput.trim()}`;
 // src/tools/builtin/notebook-edit.ts
 import { readFileSync as readFileSync6, existsSync as existsSync11 } from "fs";
 import { writeFile } from "fs/promises";
-import { resolve as resolve3, extname as extname2 } from "path";
+import { resolve as resolve4, extname as extname2 } from "path";
 var notebookEditTool = {
   definition: {
     name: "notebook_edit",
@@ -4388,7 +4513,7 @@ var notebookEditTool = {
     if (!Number.isInteger(cellIndexRaw) || cellIndexRaw < 1) {
       throw new ToolError("notebook_edit", "cell_index must be a positive integer (1-based)");
     }
-    const absPath = resolve3(filePath);
+    const absPath = resolve4(filePath);
     if (extname2(absPath).toLowerCase() !== ".ipynb") {
       throw new ToolError("notebook_edit", "path must point to a .ipynb file");
     }

package/dist/{chunk-DGXUO7D4.js → chunk-VOF6OTZB.js}

@@ -1,12 +1,12 @@
 // src/tools/builtin/run-tests.ts
-import { execSync } from "child_process";
+import { execSync, spawnSync } from "child_process";
 import { existsSync, readFileSync, readdirSync } from "fs";
 import { join } from "path";
 import { platform } from "os";
 import chalk from "chalk";
 
 // src/core/constants.ts
-var VERSION = "0.4.103";
+var VERSION = "0.4.105";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";
@@ -73,18 +73,15 @@ Once planning is complete, clearly inform the user: type \`/plan execute\` to be
 var SUBAGENT_DEFAULT_MAX_ROUNDS = 15;
 var SUBAGENT_MAX_ROUNDS_LIMIT = 30;
 var SUBAGENT_ALLOWED_TOOLS = /* @__PURE__ */ new Set([
-  "bash",
   "read_file",
   "write_file",
   "edit_file",
   "list_dir",
   "grep_files",
   "glob_files",
-  "run_interactive",
   "web_fetch",
   "google_search",
   "write_todos",
-  "run_tests",
   "find_symbol",
   "get_outline",
   "find_references",
@@ -136,6 +133,7 @@ var AUTHOR_EMAIL = "zhengdong.jin@gmail.com";
 var DESCRIPTION = "Cross-platform REPL-style AI conversation tool with multi-provider and agentic tool calling support";
 
 // src/tools/builtin/run-tests.ts
+var FILTER_WHITELIST = /^[\w.\-/:#\s*?|^()\[\]@+]{1,200}$/;
 var IS_WINDOWS = platform() === "win32";
 function detectNodeTestFramework(cwd, pkg) {
   const devDeps = pkg.devDependencies ?? {};
@@ -365,12 +363,62 @@ function renderColorReport(summary, framework) {
   }
   console.log();
 }
+function needsWindowsShell(file) {
+  if (!IS_WINDOWS) return false;
+  const lower = file.toLowerCase();
+  return lower.endsWith(".cmd") || lower.endsWith(".bat") || lower === "mvn" || lower === "gradle" || lower === "npm" || lower === "npx";
+}
+function buildArgv(detected, filter) {
+  switch (detected.type) {
+    case "java": {
+      const parts2 = detected.command.split(/\s+/);
+      const file = parts2[0];
+      const rest = parts2.slice(1);
+      const args = [...rest];
+      if (filter) {
+        args.push(detected.framework.startsWith("Maven") ? `-Dtest=${filter}` : `--tests=${filter}`);
+      }
+      return { file, args };
+    }
+    case "python":
+      return { file: "pytest", args: filter ? ["-v", "-k", filter] : ["-v"] };
+    case "rust":
+      return { file: "cargo", args: filter ? ["test", filter] : ["test"] };
+    case "go":
+      return filter ? { file: "go", args: ["test", "./...", "-run", filter] } : { file: "go", args: ["test", "./..."] };
+    case "node": {
+      if (detected.framework === "vitest") {
+        return { file: "npx", args: filter ? ["vitest", "run", "-t", filter] : ["vitest", "run"] };
+      }
+      if (detected.framework === "jest") {
+        return { file: "npx", args: filter ? ["jest", "-t", filter] : ["jest"] };
+      }
+      if (detected.framework === "mocha") {
+        return { file: "npx", args: filter ? ["mocha", "--grep", filter] : ["mocha"] };
+      }
+      if (detected.framework === "playwright") {
+        return { file: "npx", args: filter ? ["playwright", "test", "--grep", filter] : ["playwright", "test"] };
+      }
+      if (detected.framework === "ava") {
+        return { file: "npx", args: filter ? ["ava", "--match", filter] : ["ava"] };
+      }
+      return filter ? { file: "npm", args: ["test", "--", "--grep", filter] } : { file: "npm", args: ["test"] };
+    }
+  }
+  const parts = detected.command.split(/\s+/);
+  return { file: parts[0], args: parts.slice(1) };
+}
 async function executeTests(args) {
   const cwd = process.cwd();
   const customCmd = args["command"] ? String(args["command"]).trim() : "";
   const filter = args["filter"] ? String(args["filter"]).trim() : "";
+  if (filter && !FILTER_WHITELIST.test(filter)) {
+    return `Error: filter contains characters that are not allowed in test names. Allowed: word chars, dots, dashes, slashes, colons, parens, spaces, and basic glob/regex meta (* ? | ^). Rejected: quotes, semicolons, backticks, redirects, and shell metacharacters.
+Got: ${filter.slice(0, 60)}${filter.length > 60 ? "..." : ""}`;
+  }
   let command;
   let framework;
+  let argv = null;
   if (customCmd) {
     command = customCmd;
     framework = "custom";
@@ -381,50 +429,52 @@ async function executeTests(args) {
     }
     command = detected.command;
     framework = detected.framework;
-    if (filter) {
-      if (detected.type === "java" && command.includes("mvn")) {
-        command += ` -Dtest="${filter}"`;
-      } else if (detected.type === "python") {
-        command += ` -k "${filter}"`;
-      } else if (detected.type === "rust") {
-        command += ` ${filter}`;
-      } else if (detected.type === "go") {
-        command = `go test ./... -run "${filter}"`;
-      } else if (detected.type === "node") {
-        if (detected.framework === "vitest") {
-          command += ` -t "${filter}"`;
-        } else if (detected.framework === "jest") {
-          command += ` -t "${filter}"`;
-        } else if (detected.framework === "mocha") {
-          command += ` --grep "${filter}"`;
-        } else if (detected.framework === "playwright") {
-          command += ` --grep "${filter}"`;
-        } else {
-          command += ` -- --grep "${filter}"`;
-        }
-      }
-    }
+    argv = buildArgv(detected, filter);
   }
   let output;
   let exitCode = 0;
-  try {
-    const buf = execSync(command, {
+  if (argv) {
+    const r = spawnSync(argv.file, argv.args, {
       cwd,
       timeout: TEST_TIMEOUT,
-      encoding: "buffer",
       stdio: ["pipe", "pipe", "pipe"],
+      // shell:false is the default for spawnSync; on Windows .cmd/.bat
+      // requires shell:true, so we opt-in only for known wrapper names.
+      shell: needsWindowsShell(argv.file),
       env: {
         ...process.env,
         ...IS_WINDOWS ? {} : { FORCE_COLOR: "0" }
-      }
+      },
+      encoding: "utf-8",
+      maxBuffer: 64 * 1024 * 1024
     });
-    output = buf.toString("utf-8");
-  } catch (err) {
-    const e = err;
-    exitCode = e.status ?? 1;
-    const stdout = e.stdout?.toString("utf-8") ?? "";
-    const stderr = e.stderr?.toString("utf-8") ?? "";
-    output = stdout + (stderr ? "\n" + stderr : "");
+    if (r.error) {
+      output = `Failed to launch test runner: ${r.error.message}`;
+      exitCode = 1;
+    } else {
+      exitCode = r.status ?? 1;
+      output = (r.stdout ?? "") + (r.stderr ? "\n" + r.stderr : "");
+    }
+  } else {
+    try {
+      const buf = execSync(command, {
+        cwd,
+        timeout: TEST_TIMEOUT,
+        encoding: "buffer",
+        stdio: ["pipe", "pipe", "pipe"],
+        env: {
+          ...process.env,
+          ...IS_WINDOWS ? {} : { FORCE_COLOR: "0" }
+        }
+      });
+      output = buf.toString("utf-8");
+    } catch (err) {
+      const e = err;
+      exitCode = e.status ?? 1;
+      const stdout = e.stdout?.toString("utf-8") ?? "";
+      const stderr = e.stderr?.toString("utf-8") ?? "";
+      output = stdout + (stderr ? "\n" + stderr : "");
+    }
   }
   let summary = {
     tests: 0,