fix: allow chained exec allowlists

Co-authored-by: Lucas Czekaj <1464539+czekaj@users.noreply.github.com>
2026-01-23 00:10:19 +00:00
parent a23e272877
commit e872f5335b
7 changed files with 500 additions and 93 deletions
--- a/docs/tools/exec-approvals.md
+++ b/docs/tools/exec-approvals.md
@@ -113,6 +113,9 @@ that can run in allowlist mode **without** explicit allowlist entries. Safe bins
 positional file args and path-like tokens, so they can only operate on the incoming stream.
 Shell chaining and redirections are not auto-allowed in allowlist mode.

+Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment satisfies the allowlist
+(including safe bins or skill auto-allow). Redirections remain unsupported in allowlist mode.
+
 Default safe bins: `jq`, `grep`, `cut`, `sort`, `uniq`, `head`, `tail`, `tr`, `wc`.

 ## Control UI editing