Shell allowlist with AST-based command parsing.
Security model (Information Bottleneck principle):
- When allowlist is set: ALL segments of a compound command must be allowed (deny-by-default)
- When empty: all commands pass (backwards-compatible blocklist-only mode)
- Dangerous patterns (subshells, eval, backticks) are blocked in restricted mode
Functions
- check_shell_allowlist - Checks if a command is allowed by the shell allowlist. Returns Ok(()) if allowed, Err(message) if blocked.
- extract_all_commands_pub - Public accessor for extracting all command segments.
- extract_base_command
- shell_tokenize - Tokenize a shell command segment respecting single/double quotes and backslash escapes. Returns tokens with outer quotes stripped, matching how the shell would parse them. E.g. git -C "Program Files" status → ["git", "-C", "Program Files", "status"]
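The following is an added, self-contained illustration of the two ideas on this page (the deny-by-default security model and the quote-aware tokenizer); it is not the crate's own code. It assumes that compound commands are split at `;`, `&&`, `||` and `|` outside quotes, that the first token of each segment is its base command, and that `$(`, backticks, `<(`, a leading `(` and `eval` count as the dangerous patterns rejected in restricted mode. The function names `split_segments`, `shell_tokenize` and `check_shell_allowlist` are chosen here and need not match the crate's signatures.

```rust
// Added example (not the crate's code): quote-aware tokenizer, segment
// splitter and deny-by-default allowlist check for shell command strings.

/// Tokenize one command segment, stripping outer quotes and honoring
/// backslash escapes outside single quotes, as a POSIX shell would.
pub fn shell_tokenize(segment: &str) -> Vec<String> {
    let mut tokens = Vec::new();
    let mut cur = String::new();
    let mut in_token = false;
    let mut chars = segment.chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' => {
                // Single quotes: everything is literal until the closing quote.
                in_token = true;
                for q in chars.by_ref() {
                    if q == '\'' { break; }
                    cur.push(q);
                }
            }
            '"' => {
                // Double quotes: a backslash escapes the next character.
                in_token = true;
                while let Some(q) = chars.next() {
                    match q {
                        '"' => break,
                        '\\' => { if let Some(e) = chars.next() { cur.push(e); } }
                        _ => cur.push(q),
                    }
                }
            }
            '\\' => {
                in_token = true;
                if let Some(e) = chars.next() { cur.push(e); }
            }
            c if c.is_whitespace() => {
                if in_token {
                    tokens.push(std::mem::take(&mut cur));
                    in_token = false;
                }
            }
            _ => { in_token = true; cur.push(c); }
        }
    }
    if in_token { tokens.push(cur); }
    tokens
}

/// Split a compound command at ";", "&&", "||" and "|" that sit outside
/// quotes (assumed separators). Quote tracking keeps "cat 'a;b'" whole.
pub fn split_segments(cmd: &str) -> Vec<String> {
    let mut segs = Vec::new();
    let mut cur = String::new();
    let (mut in_single, mut in_double) = (false, false);
    let chars: Vec<char> = cmd.chars().collect();
    let mut i = 0;
    while i < chars.len() {
        let c = chars[i];
        match c {
            '\\' if !in_single => {
                cur.push(c);
                if i + 1 < chars.len() { cur.push(chars[i + 1]); i += 1; }
            }
            '\'' if !in_double => { in_single = !in_single; cur.push(c); }
            '"' if !in_single => { in_double = !in_double; cur.push(c); }
            ';' if !in_single && !in_double => segs.push(std::mem::take(&mut cur)),
            '|' if !in_single && !in_double => {
                if i + 1 < chars.len() && chars[i + 1] == '|' { i += 1; }
                segs.push(std::mem::take(&mut cur));
            }
            '&' if !in_single && !in_double && i + 1 < chars.len() && chars[i + 1] == '&' => {
                i += 1;
                segs.push(std::mem::take(&mut cur));
            }
            _ => cur.push(c),
        }
        i += 1;
    }
    segs.push(cur);
    segs.into_iter().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

/// Deny-by-default check: with a non-empty allowlist every segment's base
/// command must be listed and no dangerous pattern may appear. An empty
/// allowlist is the backwards-compatible "everything passes" mode.
pub fn check_shell_allowlist(cmd: &str, allowlist: &[&str]) -> Result<(), String> {
    if allowlist.is_empty() {
        return Ok(());
    }
    // Raw-text scan first: command substitution and backticks would smuggle a
    // command past base-command matching. This is deliberately conservative and
    // rejects the pattern even when it appears inside quotes.
    for pat in ["$(", "`", "<("] {
        if cmd.contains(pat) {
            return Err(format!("dangerous pattern `{pat}` is not allowed"));
        }
    }
    for seg in split_segments(cmd) {
        let tokens = shell_tokenize(&seg);
        let Some(base) = tokens.first() else { continue };
        if base == "eval" || base.starts_with('(') {
            return Err(format!("dangerous command `{base}` is not allowed"));
        }
        if !allowlist.contains(&base.as_str()) {
            return Err(format!("command `{base}` is not in the allowlist"));
        }
    }
    Ok(())
}

fn main() {
    let allow = ["git", "ls", "wc"];
    for cmd in ["git status && ls | wc -l", "git status; cp a b", "ls `id`"] {
        println!("{cmd:?} -> {:?}", check_shell_allowlist(cmd, &allow));
    }
}
```

Note that the tokenizer and the segment splitter each track quote state independently: the splitter keeps quotes in place so the tokenizer can still strip them, and a `;` inside quotes never becomes a segment boundary, which is exactly the case where a naive `split(';')` would under-count segments.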