Expand description
Shell allowlist with AST-based command parsing.
Security model (Information Bottleneck principle):
- When allowlist is set: ALL segments of a compound command must be allowed (deny-by-default)
- When empty: all commands pass (backwards-compatible blocklist-only mode)
- Dangerous patterns (subshells, eval, backticks) are blocked in restricted mode
Functions§
- check_
shell_ allowlist - Checks if a command is allowed by the shell allowlist.
Returns
Ok(())if allowed,Err(message)if blocked. - effective_
allowlist_ pub - Public accessor: the fully-resolved allowlist actually enforced by the MCP tools
(base
shell_allowlist+ additiveshell_allowlist_extra+ env), deduplicated. Empty means blocklist-only mode (all commands pass). Used bylean-ctx allowandlean-ctx doctorto show users exactly what the runtime sees. - extract_
all_ commands_ pub - Public accessor for extracting all command segments.
- extract_
base_ command - shell_
tokenize - Tokenize a shell command segment respecting single/double quotes and backslash escapes.
Returns tokens with outer quotes stripped, matching how the shell would parse them.
E.g.
git -C "Program Files" status→["git", "-C", "Program Files", "status"]