keystone-cli 2.1.3 → 2.1.5

package/README.md

@@ -447,7 +447,6 @@ Keystone supports several specialized step types:
   - `maxMessageHistory`: Number (default `50`). Max messages to retain in history before truncation/summary.
   - `contextStrategy`: `'truncate'|'summary'|'auto'` (default `truncate`). Summarizes older history into a system message when limits are exceeded.
   - `qualityGate`: Optional reviewer config `{ agent, prompt?, provider?, model?, maxAttempts? }`. If review fails, the step is refined and re-run.
-  - `allowInsecure`: Boolean (default `false`). Set `true` to allow risky tool execution.
   - `allowOutsideCwd`: Boolean (default `false`). Set `true` to allow tools to access files outside of the current working directory.
   - `handoff`: Optional engine tool definition that lets the LLM delegate work to an allowlisted external CLI with structured inputs.
 - `plan`: Create a dynamic task list for orchestration.
@@ -456,8 +455,7 @@ Keystone supports several specialized step types:
   - `prompt`: Optional override of the planning prompt.
   - Plan steps accept the same LLM options as `llm`, including tools, handoffs, and `allowedHandoffs`.
 - `request`: Make HTTP requests (GET, POST, etc.).
-  - `allowInsecure`: Boolean (default `false`). If `true`, skips SSRF protections and allows non-HTTPS/local URLs.
-  - Cross-origin redirects are blocked for non-GET/HEAD requests unless `allowInsecure: true`; on cross-origin redirects, non-essential headers are stripped.
+  - Cross-origin redirects are blocked for non-GET/HEAD requests; on cross-origin redirects, non-essential headers are stripped for security.
 - `file`: Read, write, append, or patch files.
   - `allowOutsideCwd`: Boolean (default `false`). Set `true` to allow reading/writing files outside of the current working directory.
   - `op: patch`: Apply a unified diff or search/replace blocks via `content`.
@@ -481,7 +479,7 @@ Keystone supports several specialized step types:
   - `condition`: `'all'` (default), `'any'`, or a number.
   - `target`: Reserved for future use; currently ignored.
 - `blueprint`: Generate a structured system blueprint with an agent (persisted as an artifact).
-- `script`: Run JavaScript in a sandboxed subprocess. Requires `allowInsecure: true`.
+- `script`: Run JavaScript in a sandboxed subprocess.
 - `sleep`: Pause execution for a specified duration or until a timestamp.
   - `duration`: Milliseconds (number or expression).
   - `until`: Date/time string (evaluated), parsed by `Date`.
@@ -728,8 +726,6 @@ When a step fails, the specified agent is invoked with the error details. The ag
 ```yaml
 - id: list_files
   type: shell
-  # Globbing (*) requires allowInsecure: true
-  allowInsecure: true
   run: ls *.txt
   # Post-process stdout into an array of filenames
   transform: ${{ stdout.trim().split('\n') }}
@@ -755,7 +751,6 @@ Until `strategy.matrix` is wired end-to-end, use explicit `foreach` with an arra
     { node: 22, os: "ubuntu" },
     { node: 22, os: "macos" }
   ] }}
-  allowInsecure: true # Required for '=' in arguments
   run: echo "node=${{ item.node }} os=${{ item.os }}"
 ```
 
@@ -763,7 +758,6 @@ Until `strategy.matrix` is wired end-to-end, use explicit `foreach` with an arra
 ```yaml
 - id: calculate
   type: script
-  allowInsecure: true
   run: |
     const data = steps.fetch_data.output;
     return data.map(i => i.value * 2).reduce((a, b) => a + b, 0);
@@ -862,7 +856,6 @@ Upload outputs include `artifactPath` and `files` for downstream references.
   - `message`: Commit message.
   - `cwd`: Directory to run the git command in.
   - `allowOutsideCwd`: Boolean (default `false`). Set `true` to allow operations outside the project root.
-  - `allowInsecure`: Boolean (default `false`). Set `true` to allow git commands that fail the security whitelist.
 
 ```yaml
 - id: setup_feat
@@ -1014,7 +1007,7 @@ Keystone comes with a set of **Standard Tools** that can be enabled for any agen
 - `list_files`: List files in a directory (arguments: `path`)
 - `search_files`: Search for files by glob pattern (arguments: `pattern`, `dir`)
 - `search_content`: Search for string or regex within files (arguments: `query`, `dir`, `pattern`)
-- `run_command`: Run a shell command (arguments: `command`, `dir`). Risky commands require `allowInsecure: true` on the LLM step.
+- `run_command`: Run a shell command (arguments: `command`, `dir`).
 - `ast_grep_search`: Search for structural code patterns using AST matching (arguments: `pattern`, `language`, `paths`). More precise than regex for code refactoring.
 - `ast_grep_replace`: Replace structural code patterns using AST-aware rewriting (arguments: `pattern`, `rewrite`, `language`, `paths`). Safer than regex for code refactoring.
 - `fetch`: Fetch content from a URL via GET request (arguments: `url`).
@@ -1231,40 +1224,171 @@ Input keys passed via `-i key=val` must be alphanumeric/underscore and cannot be
 
 ## <a id="security">🛡️ Security</a>
 
-### Shell Execution
-Keystone strictly enforces an allowlist of characters (`alphanumeric`, `whitespace`, and `_./:@,+=~-`) to prevent shell injection.
+### ⚠️ Security Warning
 
-- **Directory Traversal**: Commands containing `..` in a path are blocked by default for security.
-- **Denylist**: Commands like `rm`, `mkfs`, or `alias` are blocked via a configurable denylist in `config.yaml`, even if `allowInsecure: true` is set.
-- **Windows Support**: Keystone uses `cmd.exe /d /s /c` on Windows and `sh -c` on other platforms for consistent behavior.
+**Keystone workflows can execute arbitrary code on your system.** Always review and trust the source of workflows before running them. Think of YAML workflows like shell scripts - they have full access to your filesystem, environment variables, and network.
 
-To run complex commands or bypass allowlist checks, set `allowInsecure: true` on the step. Prefer `${{ escape(...) }}` when interpolating user input.
+**Key Security Principles:**
+1. **Trust the Source**: Only run workflows from trusted sources (official templates, your team, verified repositories)
+2. **Review Before Running**: Read through workflow files, especially shell commands and file operations
+3. **Isolate Sensitive Operations**: Use separate environments for production credentials
+4. **Validate Inputs**: Use input schemas to constrain user-provided values
+5. **Mark Secrets**: Use `secret: true` on sensitive inputs for automatic redaction
 
+### Runtime Security Warnings
+
+Keystone displays security warnings when running workflows:
+```
+⚠️  Security Warning: Only run workflows from trusted sources.
+   Workflows can execute arbitrary shell commands and access your environment.
+```
+
+You can suppress this warning in `.keystone/config.yaml` if needed:
+```yaml
+logging:
+  suppress_security_warning: true
+```
+
+### Shell Command Security
+
+Keystone executes shell commands using `sh -c` (POSIX) or `cmd.exe /d /s /c` (Windows). While this provides flexibility, it also means workflows can run **any command** your user can run.
+
+**Security Measures:**
+- **Command Denylist**: Dangerous commands like `rm -rf`, `dd`, `mkfs`, and `format` are blocked by default
+- **Escape Function**: Use `${{ escape(...) }}` when interpolating untrusted input into shell commands
+- **Review Commands**: Always inspect shell steps in workflows from untrusted sources
+
+**Configurable Denylist:**
+Add or remove blocked commands in `.keystone/config.yaml`:
+```yaml
+shell:
+  denylist:
+    - rm        # Block all rm commands
+    - sudo      # Block privilege escalation
+    - curl -X   # Block non-GET HTTP requests (optional)
+```
+
+**Safe Command Example:**
 ```yaml
-- id: deploy
+- id: safe_echo
   type: shell
-  run: ./deploy.sh ${{ inputs.env }}
-  # Required if inputs.env might contain special characters or for complex scripts
-  allowInsecure: true
+  # Safe: escape() prevents injection
+  run: echo ${{ escape(inputs.user_message) }}
+```
+
+**Unsafe Command Example:**
+```yaml
+- id: unsafe_echo
+  type: shell
+  # UNSAFE: Could execute arbitrary code if user_message contains "; rm -rf /"
+  run: echo ${{ inputs.user_message }}
+```
+
+### HTTP Request Security
+
+Request steps include SSRF (Server-Side Request Forgery) protection to prevent workflows from accessing internal network resources.
+
+**Blocked by Default:**
+- `localhost` and `127.0.0.1`
+- Private IP ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
+- Link-local addresses (`169.254.0.0/16`)
+- Cloud metadata endpoints (AWS, GCP, Azure, etc.)
+
+**Note**: SSRF protection provides defense-in-depth but is **not foolproof** against DNS rebinding attacks. For high-security environments, use network-level isolation (firewalls, egress proxies).
+
+**Example:**
+```yaml
+- id: fetch_data
+  type: request
+  url: https://api.example.com/data  # OK: external HTTPS
+  # url: http://localhost:8080/admin  # BLOCKED: localhost access
+```
+
+### File Access Security
+
+File operations are restricted to the current working directory by default.
+
+**Enable External Access:**
+```yaml
+- id: read_config
+  type: file
+  op: read
+  path: /etc/app/config.yaml
+  allowOutsideCwd: true  # Required for paths outside project root
 ```
 
-#### Troubleshooting Security Errors
-If you see a `Security Error: Evaluated command contains shell metacharacters`, it means your command contains characters like `\n`, `|`, `&`, or quotes that are not in the strict allowlist.
-- **Fix 1**: Use `${{ escape(steps.id.output) }}` for any dynamic values.
-- **Fix 2**: Set `allowInsecure: true` if the command naturally uses special characters.
+### Script Execution Security
+
+Script steps run JavaScript in a subprocess. While this provides some isolation, it is **not a security sandbox**.
+
+**Risk**: Scripts have full access to Node.js APIs and can perform any action.
+
+**Example:**
+```yaml
+- id: calculate
+  type: script
+  run: |
+    const data = steps.fetch_data.output;
+    return data.map(i => i.value * 2).reduce((a, b) => a + b, 0);
+```
+
+### Secret Management
+
+Mark sensitive inputs as secrets to enable automatic redaction:
+
+```yaml
+inputs:
+  api_key:
+    type: string
+    secret: true  # Redacted in logs, UI, and database
+
+  database_password:
+    type: string
+    secret: true
+
+steps:
+  - id: deploy
+    type: shell
+    # Secrets are available but redacted in output
+    run: ./deploy.sh --api-key="${{ secrets.api_key }}"
+```
+
+**Secret Redaction:**
+- Secrets are redacted from logs and step outputs
+- Stored encrypted at rest (when `redact_secrets_at_rest: true` in config)
+- May require re-entry when resuming workflows
 
 ### Expression Safety
-Expressions `${{ }}` are evaluated using a safe AST parser (`jsep`) which:
-- Prevents arbitrary code execution (no `eval` or `Function`).
-- Whitelists safe global objects (`Math`, `JSON`, `Date`, etc.).
-- Blocks access to sensitive properties (`constructor`, `__proto__`).
-- Enforces a maximum template length to prevent ReDoS attacks.
 
-### Script Sandboxing
-Script steps run in a separate subprocess by default. This reduces risk but is **not a security boundary** for malicious code. Script steps are disabled by default; set `allowInsecure: true` to run them.
+Expressions `${{ }}` are evaluated using a safe AST parser that:
+- **Prevents arbitrary code execution** (no `eval` or `Function`)
+- **Whitelists safe globals** (`Math`, `JSON`, `Date`)
+- **Blocks dangerous properties** (`constructor`, `__proto__`, `prototype`)
+- **Enforces length limits** to prevent ReDoS attacks
+
+**Safe:**
+```yaml
+${{ steps.build.status == 'success' ? '✅' : '❌' }}
+${{ Math.max(steps.test.outputs.score, 0) }}
+${{ JSON.stringify({ result: steps.data.output }) }}
+```
+
+**Blocked:**
+```yaml
+${{ constructor.constructor('return process')().exit() }}  # ❌ Blocked
+${{ __proto__.polluted = true }}  # ❌ Blocked
+```
+
+### Best Practices Summary
 
-### HTTP Requests
-Request steps enforce SSRF protections and require HTTPS by default. Cross-origin redirects are blocked for non-GET/HEAD requests unless `allowInsecure: true`, and non-essential headers are stripped on cross-origin redirects.
+1. ✅ **Review all workflows** before running, especially from external sources
+2. ✅ **Use `escape()`** when interpolating user input in shell commands
+3. ✅ **Mark secrets** with `secret: true` on inputs
+4. ✅ **Enable `allowOutsideCwd`** only when absolutely necessary
+5. ✅ **Use input validation** with JSON Schema to constrain values
+6. ✅ **Test in isolated environments** before running in production
+7. ✅ **Keep credentials in `.env`** files, never hardcode in workflows
+8. ✅ **Use network isolation** (firewalls) for high-security deployments
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keystone-cli",
-  "version": "2.1.3",
+  "version": "2.1.5",
   "description": "A local-first, declarative, agentic workflow orchestrator built on Bun",
   "type": "module",
   "bin": {

package/src/parser/agent-parser.test.ts

@@ -97,11 +97,11 @@ Prompt`;
     });
 
     it('should parse the real keystone-architect.md template', () => {
-        const filePath = join(process.cwd(), 'src/templates/agents/keystone-architect.md');
-        const agent = parseAgent(filePath);
-        expect(agent.name).toBe('keystone-architect');
-        // Ensure the problematic expression is escaped/spaced
-        expect(agent.systemPrompt).toContain('${ { args.paramName } }');
+      const filePath = join(process.cwd(), 'src/templates/agents/keystone-architect.md');
+      const agent = parseAgent(filePath);
+      expect(agent.name).toBe('keystone-architect');
+      // Ensure the problematic expression is escaped/spaced
+      expect(agent.systemPrompt).toContain('${ { args.paramName } }');
     });
   });
 

package/src/parser/schema.ts

@@ -152,7 +152,6 @@ const ShellStepSchema = BaseStepSchema.extend({
   dir: z.string().optional(),
   env: z.record(z.string()).optional(),
   allowOutsideCwd: z.boolean().optional(),
-  allowInsecure: z.boolean().optional(),
 });
 
 // Forward declaration for AgentToolSchema which depends on StepSchema
@@ -230,7 +229,6 @@ const LlmStepSchema = BaseStepSchema.extend({
     .optional(),
   useStandardTools: z.boolean().optional(),
   allowOutsideCwd: z.boolean().optional(),
-  allowInsecure: z.boolean().optional(),
   handoff: EngineHandoffSchema.optional(),
 });
 
@@ -270,7 +268,6 @@ const PlanStepSchema = BaseStepSchema.extend({
     .optional(),
   useStandardTools: z.boolean().optional(),
   allowOutsideCwd: z.boolean().optional(),
-  allowInsecure: z.boolean().optional(),
   handoff: EngineHandoffSchema.optional(),
 });
 
@@ -303,7 +300,6 @@ const RequestStepSchema = BaseStepSchema.extend({
   method: z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD']).default('GET'),
   body: z.any().optional(),
   headers: z.record(z.string()).optional(),
-  allowInsecure: z.boolean().optional(),
 });
 
 const HumanStepSchema = BaseStepSchema.extend({
@@ -323,7 +319,6 @@ const ScriptStepSchema = BaseStepSchema.extend({
   type: z.literal('script'),
   run: z.string(),
   allowOutsideCwd: z.boolean().optional(),
-  allowInsecure: z.boolean().optional().default(false),
 });
 
 const EngineStepSchema = BaseStepSchema.extend({
@@ -406,7 +401,6 @@ const GitStepSchema = BaseStepSchema.extend({
   cwd: z.string().optional(), // Working directory for the git command
   env: z.record(z.string()).optional(),
   allowOutsideCwd: z.boolean().optional(),
-  allowInsecure: z.boolean().optional(),
 });
 
 const WaitStepSchema = BaseStepSchema.extend({
@@ -442,7 +436,6 @@ const DynamicStepSchema = BaseStepSchema.extend({
     .optional(), // Library of pre-defined step patterns
   confirmPlan: z.boolean().optional().default(false), // Review and approve plan before execution
   maxReplans: z.number().int().nonnegative().default(3), // Max automatic recovery attempts
-  allowInsecure: z.boolean().optional(), // Allow generated steps to use insecure commands (e.g. shell redirects)
 });
 
 // Note: `as any` casts are required here because of circular type references:
@@ -478,7 +471,6 @@ const EvalSchema = z.object({
   agent: z.string().optional(),
   prompt: z.string().optional(),
   run: z.string().optional(), // for script scorer
-  allowInsecure: z.boolean().optional(),
   allowSecrets: z.boolean().optional(),
 });
 

package/src/runner/executors/dynamic-executor.ts

@@ -132,11 +132,7 @@ Return a JSON object with the steps array. Each step should be independently exe
 /**
  * Convert a generated step definition into an executable Step
  */
-function convertToExecutableStep(
-  generated: GeneratedStep,
-  parentStepId: string,
-  allowInsecure?: boolean
-): Step {
+function convertToExecutableStep(generated: GeneratedStep, parentStepId: string): Step {
   const baseProps = {
     id: `${parentStepId}_${generated.id}`,
     needs: generated.needs?.map((n) => `${parentStepId}_${n}`) || [],
@@ -157,7 +153,6 @@ function convertToExecutableStep(
         ...baseProps,
         type: 'shell' as const,
         run: generated.run || 'echo "No command specified"',
-        allowInsecure: allowInsecure ?? false,
       };
 
     case 'workflow':
@@ -181,7 +176,6 @@ function convertToExecutableStep(
       return {
         ...baseProps,
         type: 'request' as const,
-        allowInsecure: allowInsecure ?? false,
         url: generated.path || '',
         method: 'GET' as const,
       };
@@ -585,7 +579,7 @@ async function handleExecutionPhase(
           `  ⚡ [${i + 1}/${state.generatedPlan.steps.length}] Executing step: ${genStep.name}`
         );
 
-        const executableStep = convertToExecutableStep(genStep, step.id, step.allowInsecure);
+        const executableStep = convertToExecutableStep(genStep, step.id);
         const stepContext = {
           ...dynamicContext,
           steps: {

package/src/runner/executors/llm/tool-manager.ts

@@ -96,7 +96,6 @@ export class ToolManager {
           async (args) => {
             validateStandardToolSecurity(tool.name, args, {
               allowOutsideCwd: step.allowOutsideCwd,
-              allowInsecure: step.allowInsecure,
             });
             if (tool.execution) {
               // Standard tools usually have .execute method directly on them in STANDARD_TOOLS definition?

package/src/runner/executors/plan-executor.ts

@@ -80,7 +80,6 @@ export async function executePlanStep(
     mcpServers: step.mcpServers,
     useStandardTools: step.useStandardTools,
     allowOutsideCwd: step.allowOutsideCwd,
-    allowInsecure: step.allowInsecure,
     handoff: step.handoff,
     outputSchema: step.outputSchema ?? DEFAULT_PLAN_OUTPUT_SCHEMA,
     needs: [],

package/src/runner/executors/request-executor.ts

@@ -74,7 +74,7 @@ export async function executeRequestStep(
 
   try {
     // Validate URL to prevent SSRF
-    await validateRemoteUrl(url, { allowInsecure: step.allowInsecure });
+    await validateRemoteUrl(url);
 
     // Evaluate headers
     const headers: Record<string, string> = {};
@@ -171,7 +171,7 @@ export async function executeRequestStep(
         }
 
         const nextUrl = new URL(location, currentUrl).href;
-        await validateRemoteUrl(nextUrl, { allowInsecure: step.allowInsecure });
+        await validateRemoteUrl(nextUrl);
 
         let nextMethod = currentMethod;
         let nextBody = currentBody;
@@ -192,14 +192,6 @@ export async function executeRequestStep(
           removeHeader('authorization');
           removeHeader('proxy-authorization');
           removeHeader('cookie');
-          if (!step.allowInsecure) {
-            if (nextMethod !== 'GET' && nextMethod !== 'HEAD') {
-              throw new Error(
-                `Cross-origin redirect blocked for ${nextMethod} request. Set allowInsecure to true to override.`
-              );
-            }
-            stripCrossOriginHeaders();
-          }
         }
 
         currentMethod = nextMethod;

package/src/runner/executors/script-executor.ts

@@ -14,14 +14,6 @@ export async function executeScriptStep(
   logger: Logger,
   options: { sandbox?: typeof SafeSandbox; abortSignal?: AbortSignal } = {}
 ): Promise<StepResult> {
-  if (!step.allowInsecure) {
-    return {
-      status: 'failed',
-      output: null,
-      error: 'Script execution is disabled by default. Set allowInsecure: true to run scripts.',
-    };
-  }
-
   try {
     const sandbox = options.sandbox || DefaultSandbox;
     const result = await sandbox.execute(step.run, context as any, {

package/src/runner/executors/shell-executor.ts

@@ -75,34 +75,7 @@ export async function executeShellStep(
     throw new Error('Shell step must have either "run" or "args"');
   }
 
-  // Strict Mode Check: Detect unescaped expressions in the raw template
-  // We check if there are any ${{ }} blocks that don't start with escape(
-  const hasUnescapedExpr = (s: string) => {
-    // Finds ${{ ... }} blocks
-    const matches = s.match(/\${{.*?}}/g);
-    if (!matches) return false;
-
-    // Check if the expression is strictly wrapped in escape(...)
-    // Matches: ${{ escape(...) }} or ${{ escape( ... ) }}
-    // Does NOT match: ${{ "foo" + escape(...) }}
-    return matches.some((m) => {
-      const content = m.slice(3, -2).trim(); // Remove ${{ and }}
-      return !/^escape\s*\(.*\)$/.test(content);
-    });
-  };
-
-  if (!step.allowInsecure && hasUnescapedExpr(step.run)) {
-    throw new Error(
-      `Security Error: Shell command contains unescaped expressions which are vulnerable to injection.\nUse \${{ escape(...) }} to safely interpolate values, or set 'allowInsecure: true' if you trust the source.\nCommand template: ${step.run}`
-    );
-  }
-
   const command = ExpressionEvaluator.evaluateString(step.run, context);
-  if (!step.allowInsecure && detectShellInjectionRisk(command)) {
-    throw new Error(
-      `Security Error: Evaluated command contains shell metacharacters that require 'allowInsecure: true'.\n   Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}\n   Metacharacters detected. Please use 'allowInsecure: true' if this is intended.`
-    );
-  }
 
   const result = await executeShell(step, context, logger, abortSignal, command);
   return formatShellResult(result, logger);
@@ -246,31 +219,7 @@ export async function executeShell(
   // Evaluate the command string
   const command = commandOverride ?? ExpressionEvaluator.evaluateString(step.run, context);
 
-  // Security Check: Enforce whitelist
-  // If we haven't enabled insecure mode, we MUST be able to use spawn (no shell)
-  // or the command must be strictly composed of safe characters.
-  if (!step.allowInsecure) {
-    if (detectShellInjectionRisk(command)) {
-      throw new Error(
-        `Security Error: Command execution blocked to prevent potential shell injection.\nCommand: "${command.substring(0, 100)}${
-          command.length > 100 ? '...' : ''
-        }"\nReason: Contains characters not in the strict whitelist (alphanumeric, whitespace, and _./:@,+=~-).\nThis protects against chaining malicious commands (e.g. '; rm -rf /'). It does NOT evaluate if the command itself is destructive.\nFix: either simplify your command or set 'allowInsecure: true' in your step definition if you trust the input.`
-      );
-    }
-
-    // Additional Check: Prevent Directory Traversal in Binary Path
-    // Even if it passes the whitelist, we don't want to allow 'cat ../../../etc/passwd'
-    // or executing '../../../../bin/malice'.
-    // We check for '..' characters which might indicate directory traversal.
-    if (command.includes('..') && (command.includes('/') || command.includes('\\'))) {
-      throw new Error(
-        `Security Error: Command blocked due to potential directory traversal ('..').\nCommand: "${command.substring(0, 100)}"\nTo allow relative paths outside the current directory, set 'allowInsecure: true'.`
-      );
-    }
-  }
-
   // Security Check: Enforce Denylist (e.g. rm, mkfs, etc.)
-  // We check this even if allowInsecure is true, because these are explicitly banned by policy.
   const config = ConfigLoader.load();
   if (config.engines?.denylist && config.engines.denylist.length > 0) {
     // Robust parsing to get the command binary
@@ -322,19 +271,8 @@ export async function executeShell(
   const hostEnv = filterSensitiveEnv(Bun.env);
   const mergedEnv = Object.keys(env).length > 0 ? { ...hostEnv, ...env } : hostEnv;
 
-  // If secure (whitelist passed) OR insecure mode is explicitly allowed...
-  // We prefer direct spawn if possible, but fall back to shell if needed (e.g. for pipelines in insecure mode)
-
+  // Use 'sh -c' to execute the command
   try {
-    // If we are in secure mode (allowInsecure: false), we KNOW the command is safe.
-    // However, it might still benefit from running directly via spawn to avoid even theoretical shell issues.
-    // But simplified splitting by space might break if we allowed quotes (which we don't in the whitelist).
-
-    // For now, if insecure is allowed, we use 'sh -c'.
-    // If secure (whitelist valid), we can also use 'sh -c' relatively safely, or split and spawn.
-    // Using 'sh -c' is robust for arguments. Since we validated the string against a strict whitelist,
-    // 'sh -c' shouldn't be able to do anything funky like variable expansion or subshells because appropriate chars are banned.
-
     let stdoutString = '';
     let stderrString = '';
     let exitCode = 0;
@@ -343,8 +281,7 @@ export async function executeShell(
     const maxOutputBytes = LIMITS.MAX_PROCESS_OUTPUT_BYTES;
 
     // Use 'sh -c' (POSIX) or 'cmd.exe /d /s /c' (Windows)
-    // Security is guaranteed by the strict whitelist check above for allowInsecure: false
-    // which prevents injection of metacharacters, quotes, escapes, etc.
+    // The denylist check above prevents dangerous commands like 'rm -rf'
     const isWindows = process.platform === 'win32';
     const shellCommand = isWindows ? 'cmd.exe' : 'sh';
     const shellArgs = isWindows ? ['/d', '/s', '/c'] : ['-c'];

package/src/runner/executors/types.ts

@@ -61,7 +61,6 @@ export interface StepExecutorOptions {
   dryRun?: boolean;
   abortSignal?: AbortSignal;
   debug?: boolean;
-  allowInsecure?: boolean;
   emitEvent?: (event: WorkflowEvent) => void;
   depth?: number;
 

package/src/runner/executors/verification_fixes.test.ts

@@ -25,7 +25,6 @@ describe('Verification Fixes', () => {
         id: 'test',
         type: 'shell' as const,
         run: 'cat ../secret.txt',
-        allowInsecure: false,
       };
       // It should throw BEFORE spawning
       // The error message I added was "Directory Traversal" or similar
@@ -38,7 +37,6 @@ describe('Verification Fixes', () => {
         id: 'test',
         type: 'shell' as const,
         run: '/bin/ls ../',
-        allowInsecure: false,
       };
       await expect(executeShell(step, mockContext)).rejects.toThrow('Command blocked');
     });

package/src/runner/join-scheduling.test.ts

@@ -95,7 +95,6 @@ describe('Join Scheduling & Resume', () => {
             if [ "$val" -lt "2" ]; then exit 1; else exit 0; fi
           `,
           retry: { count: 3 },
-          allowInsecure: true,
           needs: [],
         },
         {
@@ -148,7 +147,6 @@ describe('Join Scheduling & Resume', () => {
             if [ "$val" -lt "2" ]; then exit 1; else exit 0; fi
           `,
           retry: { count: 1 },
-          allowInsecure: true,
           needs: [],
         },
         {

package/src/runner/mcp-client-audit.test.ts

@@ -139,7 +139,7 @@ describe('MCPClient SSRF Protection', () => {
       'http://api.example.com/sse',
       {},
       100, // short timeout
-      { allowInsecure: true }
+      { }
     );
     // Should NOT throw SSRF error, but will throw timeout/connection error
     await expect(promise).rejects.not.toThrow(/SSRF Protection/);

package/src/runner/mcp-client.test.ts

@@ -139,9 +139,7 @@ describe('MCPClient', () => {
         return Promise.resolve(new Response(JSON.stringify({ ok: true })));
       });
 
-      // Use allowInsecure for testing with localhost (fetch is mocked anyway)
       const clientPromise = MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-        allowInsecure: true,
       });
 
       const client = await clientPromise;
@@ -188,9 +186,7 @@ describe('MCPClient', () => {
         return Promise.resolve(new Response(JSON.stringify({ ok: true })));
       });
 
-      // Use allowInsecure for testing with localhost (fetch is mocked anyway)
       const client = await MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-        allowInsecure: true,
       });
 
       // We can't easily hook into onMessage without reaching into internals
@@ -234,9 +230,7 @@ describe('MCPClient', () => {
         )
       );
 
-      // Use allowInsecure for testing with localhost (fetch is mocked anyway)
       const clientPromise = MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-        allowInsecure: true,
       });
 
       await expect(clientPromise).rejects.toThrow(/SSE connection failed: 500/);