Module shell


Shell executor that parses and runs bash blocks from LLM responses.

ShellExecutor is the primary tool backend for Zeph. It handles both legacy fenced bash blocks and structured bash tool calls. Security controls enforced before every command:

  • Blocklist — commands matching any entry in blocked_commands (or the built-in DEFAULT_BLOCKED_COMMANDS) are rejected with ToolError::Blocked.
  • Subshell metacharacters — $(, `, <(, and >( are always blocked because nested evaluation cannot be safely analysed statically.
  • Path sandbox — the working directory and any file arguments must reside under the configured allowed_paths.
  • Confirmation gate — commands matching confirm_patterns are held for user approval before execution (bypassed by execute_confirmed).
  • Environment blocklist — variables in env_blocklist are stripped from the subprocess environment before launch.
  • Transactional rollback — when enabled, file snapshots are taken before execution and restored on failure or on non-zero exit codes in auto_rollback_exit_codes.

Structs

ShellExecutor
Bash block extraction and execution via tokio::process::Command.
ShellOutputEnvelope
Structured output from a shell command execution.

Constants

DEFAULT_BLOCKED_COMMANDS
The default list of blocked command patterns used by ShellExecutor.
SHELL_INTERPRETERS
Shell interpreters that may execute arbitrary code via -c or positional args.

Functions

check_blocklist
Check if command matches any pattern in blocklist.
effective_shell_command
Build the effective command string for blocklist evaluation when the binary is a shell interpreter (bash, sh, zsh, etc.) and args contains a -c script.
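
The blocklist and subshell-metacharacter checks from the module description, combined with the interpreter unwrapping described for effective_shell_command, sketched as an added example (not Zeph's own code). The function names, the token-based matching rule, and the sample interpreter and blocklist values are assumptions made for illustration.

```rust
// Added illustration; names, lists and matching rules are assumptions, not Zeph's code.
const SUBSHELL_TOKENS: [&str; 4] = ["$(", "`", "<(", ">("];
const INTERPRETERS: [&str; 3] = ["bash", "sh", "zsh"]; // constructed sample list

#[derive(Debug, PartialEq)]
enum Verdict { Allowed, SubshellMetachar(&'static str), Blocked(String) }

/// For `sh -c <script>` return the script, so the blocklist sees what really runs.
fn effective_command(binary: &str, args: &[&str]) -> String {
    let name = binary.rsplit('/').next().unwrap_or(binary);
    if INTERPRETERS.iter().any(|s| *s == name) {
        let script = args.iter().position(|a| *a == "-c").and_then(|i| args.get(i + 1));
        if let Some(script) = script {
            return (*script).to_string();
        }
    }
    let mut parts = vec![binary];
    parts.extend_from_slice(args);
    parts.join(" ")
}

/// First blocklist entry whose tokens occur contiguously in the command;
/// token matching avoids flagging "rm" inside a word like "format".
fn first_blocked<'a>(command: &str, blocklist: &[&'a str]) -> Option<&'a str> {
    let tokens: Vec<&str> = command.split_whitespace().collect();
    blocklist.iter().copied().find(|entry| {
        let pat: Vec<&str> = entry.split_whitespace().collect();
        !pat.is_empty() && tokens.windows(pat.len()).any(|w| w == pat.as_slice())
    })
}

/// Pre-execution gate: subshell metacharacters first, then the blocklist.
fn check(binary: &str, args: &[&str], blocklist: &[&str]) -> Verdict {
    let effective = effective_command(binary, args);
    if let Some(t) = SUBSHELL_TOKENS.iter().copied().find(|t| effective.contains(*t)) {
        return Verdict::SubshellMetachar(t);
    }
    match first_blocked(&effective, blocklist) {
        Some(entry) => Verdict::Blocked(entry.to_string()),
        None => Verdict::Allowed,
    }
}

fn main() {
    // Constructed sample: a blocklisted command wrapped in an interpreter call.
    println!("{:?}", check("/bin/sh", &["-c", "sudo id"], &["sudo"]));
}
```

Evaluating only the binary name would pass `/bin/sh` here; unwrapping the `-c` script is what lets the blocklist entry match.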