AUTO mode currently strips broad Bash/Monitor allow rules for many shells, scripting runtimes, and package runners. The dangerous interpreter list should also cover several security-relevant entries that can execute arbitrary code or move execution outside the local classifier boundary.
Missing entries to cover:
- tsx for TypeScript execution (tsx -e, tsx script.ts)
- ssh for remote shell execution (ssh host -- ...)
- bunx as the Bun package runner equivalent of npx
- Windows shell variants: cmd, cmd.exe, bash.exe, powershell.exe, pwsh.exe
Without these entries, a broad allow rule such as Bash(ssh prod-host -- *) or Bash(tsx -e *) can bypass the AUTO classifier path.
Expected behavior: these broad wildcard allow rules are treated as dangerous and stripped at AUTO-mode runtime, without modifying user settings.
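The expected behavior above, sketched as an added example that is not the project's own code: broad Bash/Monitor allow rules whose command starts with one of the listed interpreters are dropped from the effective rule set while the user's array is left untouched. The function and constant names, the sample rules, and the definition of "broad" as "pattern contains a * wildcard" are assumptions.

```javascript
// Added example, not the project's code. "Tool(pattern)" syntax follows the
// rules quoted in the issue; all function and constant names are hypothetical.

// Entries the issue asks to add. The project's existing list is not shown on
// the page, so it is not reproduced here.
const DANGEROUS_INTERPRETERS = new Set([
  "tsx", "ssh", "bunx",
  "cmd", "cmd.exe", "bash.exe", "powershell.exe", "pwsh.exe",
]);
const GUARDED_TOOLS = new Set(["Bash", "Monitor"]);

// Split "Bash(ssh host -- *)" into { tool, pattern }; null for any other shape.
function parseRule(rule) {
  const m = /^(\w+)\((.*)\)$/.exec(rule.trim());
  return m ? { tool: m[1], pattern: m[2].trim() } : null;
}

// Assumption: a rule is "broad" when its pattern contains a "*" wildcard.
function isDangerousAllowRule(rule) {
  const parsed = parseRule(rule);
  if (!parsed || !GUARDED_TOOLS.has(parsed.tool)) return false;
  if (!parsed.pattern.includes("*")) return false;
  // First token, minus a glued-on wildcard ("ssh*") and any directory part
  // (either separator), lowercased, so CMD.EXE and /usr/bin/ssh both match.
  const first = parsed.pattern.split(/\s+/)[0].replace(/\*+$/, "");
  const name = first.split(/[\\/]/).pop().toLowerCase();
  return DANGEROUS_INTERPRETERS.has(name);
}

// Build the rule set for an AUTO session. Returns new arrays; the input (the
// user's settings) is never mutated.
function effectiveAutoAllowRules(userAllowRules) {
  const kept = [], stripped = [];
  for (const r of userAllowRules) {
    (isDangerousAllowRule(r) ? stripped : kept).push(r);
  }
  return { kept, stripped };
}

// Constructed sample settings, not taken from a real configuration.
const SAMPLE_ALLOW = [
  "Bash(ssh prod-host -- *)", "Bash(tsx -e *)", "Bash(bunx *)",
  "Monitor(C:\\Windows\\System32\\cmd.exe /c *)",
  "Bash(PowerShell.exe -Command *)",
  "Bash(git status)", "Bash(ssh build-host uptime)", "Read(*)",
];
console.log(effectiveAutoAllowRules(SAMPLE_ALLOW));
```

Matching is on the normalized first token, so path-qualified and mixed-case Windows names are caught; a rule without a wildcard is kept under the stated assumption.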