Add invisible character hardening: Unicode Tags, variation selectors, math operators #44

Merged: sheeki03 merged 13 commits into main from feat/part2-invisible-char-hardening on Feb 24, 2026

sheeki03 (Owner) commented Feb 24, 2026

Summary

  • Add detection for Unicode Tags (U+E0001-E007F), supplementary variation selectors, math operators, and additional whitespace characters
  • Replace silent error suppression with diagnostic messages
  • Add exec fixtures for invisible char edge cases
  • Fix tier-1 coverage safeguard to check allow fixtures with expected rules
  • Includes Part 1 (Info severity + HTTPie) and bug fixes

Test plan

  • All existing tests pass

🤖 Generated with Claude Code

Note

Emit Unix permission warnings in tirith_core::runner::run and make Bash safe-mode persistence non-fatal to support invisible character hardening

Adds stderr warnings when setting cached file permissions fails in crates/tirith-core/src/runner.rs and refactors Bash safe-mode persistence to continue on mkdir/write failure in crates/tirith/assets/shell/lib/bash-hook.bash and shell/lib/bash-hook.bash.

📍Where to Start

Start with the Unix-specific block in tirith_core::runner::run in crates/tirith-core/src/runner.rs, then review _tirith_persist_safe_mode in crates/tirith/assets/shell/lib/bash-hook.bash.

Macroscope summarized 9dd6468.
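
The character classes named in the summary can be checked with a scanner like the one below. This is an added example, not tirith's code: the `Invisible` enum, `classify`, `scan` and `decode_tags` are hypothetical names, and every range except the Unicode Tags range from the summary is an assumption about what each class covers. It also decodes Tag characters back to the ASCII they mirror, so a reviewer can see what was hidden.

```rust
// Added example; not the project's implementation.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Invisible {
    Tag,               // U+E0001..=U+E007F (range from the PR summary)
    VariationSelector, // U+FE00..=U+FE0F, supplementary U+E0100..=U+E01EF
    MathOperator,      // U+2061..=U+2064 invisible operators (assumed meaning)
    Whitespace,        // non-ASCII space separators (assumed set)
}

pub fn classify(c: char) -> Option<Invisible> {
    match c as u32 {
        0xE0001..=0xE007F => Some(Invisible::Tag),
        0xFE00..=0xFE0F | 0xE0100..=0xE01EF => Some(Invisible::VariationSelector),
        0x2061..=0x2064 => Some(Invisible::MathOperator),
        0x00A0 | 0x1680 | 0x2000..=0x200A | 0x202F | 0x205F | 0x3000 => {
            Some(Invisible::Whitespace)
        }
        _ => None,
    }
}

/// Returns (byte offset, code point, class) for every flagged character.
pub fn scan(input: &str) -> Vec<(usize, u32, Invisible)> {
    input
        .char_indices()
        .filter_map(|(i, c)| classify(c).map(|k| (i, c as u32, k)))
        .collect()
}

/// Tag characters U+E0020..=U+E007E mirror printable ASCII at offset 0xE0000.
pub fn decode_tags(input: &str) -> String {
    input
        .chars()
        .filter(|c| (0xE0020..=0xE007E).contains(&(*c as u32)))
        .filter_map(|c| char::from_u32(c as u32 - 0xE0000))
        .collect()
}

fn main() {
    // Constructed sample: "note" encoded as Tag characters after "ls".
    let hidden: String = "note"
        .chars()
        .map(|c| char::from_u32(0xE0000 + c as u32).unwrap())
        .collect();
    let cmd = format!("ls{} a\u{2063}b\u{00A0}c\u{FE0F}", hidden);
    for (off, cp, kind) in scan(&cmd) {
        println!("byte {off}: U+{cp:04X} {kind:?}");
    }
    println!("decoded tag payload: {:?}", decode_tags(&cmd));
}
```

Reporting byte offsets rather than character indices lets a caller slice the original string at the exact position of each hit.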

sheeki03 and others added 8 commits February 21, 2026 13:58
push_segment() incorrectly treated VAR=VALUE as the command token. Now
skips leading environment variable assignments to find the real command.
Adds pub is_env_assignment() helper for use by engine bypass detection.

Fixes: TIRITH=0 curl evil.com now correctly identifies curl as command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add command-aware output-flag skipping for curl (-o/--output) and wget
(-O/-OFILE/--output-document). Extract URLs from command+args instead
of raw segment text to avoid matching URLs in env-prefix values.

Add conservative non-TLD file extensions (.png, .jpg, .mp4, etc.) to
schemeless host exclusion list. Fixes issue #33.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…paths

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace `let _ =` patterns with `if let Err(e)` + eprintln in audit
logging, CLI output writers, last_trigger file ops, runner permissions,
and bash hook safe-mode persistence. Errors are now surfaced to stderr
instead of silently swallowed.

- Run cargo fmt --all
- Fix clippy lints: collapsible else-if in check.rs, uninlined_format_args
- Add .cargo/audit.toml ignoring RUSTSEC-2026-0009 (time crate DoS,
  not exploitable in our usage, fix requires Rust 1.88)
- Add same ignore to deny.toml

sheeki03 and others added 4 commits February 24, 2026 22:56
- Merge origin/main (glibc build fix)
- Fix single & segment boundary in split_raw_words (security)
- Use exact match == TIRITH=0 (prevents false bypass)
- Skip flags in resolve_command_wrapper
- Remove dead code in is_tirith_command

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…nd -v fix

Resolves conflicts in engine.rs and tokenize.rs by taking main's
improved code: quoted-value bypass detection, command-word requirement,
PowerShell $env:TIRITH support, and command -v/-V lookup exclusion.
Keeps PR's invisible character hardening (unicode tags, variation
selectors, math operators, invisible whitespace).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Resolve conflicts in deny.toml and last_trigger.rs by taking main's versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@sheeki03 sheeki03 merged commit a675138 into main Feb 24, 2026
9 checks passed
@sheeki03 sheeki03 deleted the feat/part2-invisible-char-hardening branch February 24, 2026 21:58