migrate security parser to sh-syntax and async validation

This commit is contained in:
2026-02-23 16:13:32 -05:00
parent 1363bceecc
commit c65b9ed007
9 changed files with 492 additions and 369 deletions


@@ -104,7 +104,7 @@ Actors can emit events in `ActorExecutionResult.events`. Pipeline status also em
## Security Middleware
- Shell command parsing uses `bash-parser` AST traversal and extracts `Command`/`Word` nodes.
- Shell command parsing uses async `sh-syntax` (WASM-backed mvdan/sh parser) with fail-closed command/redirect extraction.
- Rules are validated with strict Zod schemas (`src/security/schemas.ts`) before execution.
- `SecurityRulesEngine` enforces:
- binary allowlists
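Review bot: the replaced line describes the new `sh-syntax` extraction as "fail-closed" but does not say what that means for callers, which matters for a security middleware: suggest expanding the bullet to state which conditions reject the command (a parse error, an unsupported or unrecognised node during command/redirect extraction, and the WASM parser failing to load or initialise) so that readers of this section can verify the rule rather than infer it. The same bullet should also make the change from synchronous to async explicit, since any caller of the parsing path that does not await the new validation would silently skip it; a short sentence such as "validation is async; callers must await the result before execution" would close that gap. Finally, the old bullet named the node types extracted (`Command`/`Word`); the new one only says "command/redirect", so listing the mvdan/sh node kinds now handled would keep the documentation at the same level of precision as before.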