fix(validation): prevent validation lead from executing arbitrary local commands by ganesh47 · Pull Request #63 · ganesh47/cstack

ganesh47 · 2026-04-23T04:49:36Z

The validation lead could return arbitrary shell commands in its LLM-produced plan which were executed by runCommandSet via the system shell, creating a path for command injection and host compromise.
The intent is to remove the trust boundary that directly executes model-supplied commands while preserving the deterministic, inferred local checks used by validation.

Add selectApprovedLocalValidationCommands(requested, inferred) which dedupes and returns the intersection of the model-requested commands with the deterministic initialPlan.localValidation.commands.
Use the approved command list (approvedLocalCommands) instead of validationPlan.localValidation.commands when invoking runCommandSet and when populating the requestedCommands field for skipped runs.
Preserve existing runCommandSet behavior and tool-wrapper preparation so approved inferred commands run unchanged while any additional LLM-emitted commands are ignored.

Ran npm test -- test/validation.test.ts, which completed successfully (1 file passed, 6 tests passed).
Ran npm test -- test/deliver.test.ts; the validation/deliver scenarios executed and produced logs, but the test run output was large and truncated in the execution environment so a final summary could not be captured here.

fix(validation): restrict local commands to inferred safe set

394b9b9

ganesh47 added codex aardvark labels Apr 23, 2026 — with ChatGPT Codex Connector

ganesh47 added codex aardvark labels Apr 23, 2026

Provide feedback