spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00

History

A 50397f19a3 fix: narrow validatePrompt patterns to prevent false positives on developer phrases (#2259 ) Fixes #2249 The overly broad `>>? word` pattern and generic doubled-operator check were blocking legitimate natural-language developer prompts like: - "Fix the merge conflict >> registration flow" - "Run tests && deploy if they pass" Root cause: `validatePrompt` is called before the prompt is set as the `SPAWN_PROMPT` env var. Inside double-quoted shell arguments, `>>` and `&&` are not interpreted as shell operators, so blocking them provided no real security benefit while creating confusing UX rejections. Changes: - Remove `/>>?\s*[a-zA-Z_]\w{2,}/` pattern (false-positive on >> in English) - Remove generic `hasDoubledOperators` check (false-positive on && in English) - Keep all targeted patterns: $(cmd), backticks, ${var}, \| bash/sh, ; rm -rf, fd redirections, heredoc, process substitution, path redirects - Update tests: split broad && / \|\| tests into "commands" vs "natural language" - Add tests asserting all issue #2249 example prompts are now accepted Agent: issue-fixer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-03-06 15:20:39 -08:00
..
cli	fix: narrow validatePrompt patterns to prevent false positives on developer phrases (#2259 )	2026-03-06 15:20:39 -08:00
shared	refactor: remove dead code (parseJsonRaw, stale re-exports) (#2246 )	2026-03-06 11:49:26 -05:00

fix: narrow validatePrompt patterns to prevent false positives on developer phrases (#2259 )

Fixes #2249

The overly broad `>>? word` pattern and generic doubled-operator check
were blocking legitimate natural-language developer prompts like:
- "Fix the merge conflict >> registration flow"
- "Run tests && deploy if they pass"

Root cause: `validatePrompt` is called before the prompt is set as the
`SPAWN_PROMPT` env var. Inside double-quoted shell arguments, `>>` and
`&&` are not interpreted as shell operators, so blocking them provided
no real security benefit while creating confusing UX rejections.

Changes:
- Remove `/>>?\s*[a-zA-Z_]\w{2,}/` pattern (false-positive on >> in English)
- Remove generic `hasDoubledOperators` check (false-positive on && in English)
- Keep all targeted patterns: $(cmd), backticks, ${var}, | bash/sh,
  ; rm -rf, fd redirections, heredoc, process substitution, path redirects
- Update tests: split broad && / || tests into "commands" vs "natural language"
- Add tests asserting all issue #2249 example prompts are now accepted

Agent: issue-fixer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-03-06 15:20:39 -08:00

cli

fix: narrow validatePrompt patterns to prevent false positives on developer phrases (#2259 )

2026-03-06 15:20:39 -08:00

shared

refactor: remove dead code (parseJsonRaw, stale re-exports) (#2246 )

2026-03-06 11:49:26 -05:00