mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-12 22:40:24 +00:00
Defense-in-depth: explicitly shellQuote(cmd) inside runServer() so the cmd parameter is always protected by single-quote escaping, regardless of how the surrounding command string is constructed.

Previously, cmd was interpolated raw into fullCmd before the outer shellQuote() wrapper. While the outer wrapper did protect it, this made the safety non-obvious and fragile against future refactors. The new pattern matches interactiveSession() where cmd gets its own shellQuote() call.

Fixes #2859

Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

| | | |
|---|---|---|
| .. | ||
| cli | ||
| shared | ||