[Bug]: validatePrompt blocks legitimate developer prompts via overly broad pattern matching

[louisgv]

What happened?

The validatePrompt() function in packages/cli/src/security.ts uses a blocklist of regex patterns intended to prevent shell injection. However, several patterns are broad enough to reject perfectly valid natural-language prompts that developers would reasonably send to an AI coding agent.

Examples of blocked legitimate prompts

• "Fix the merge conflict >> registration flow" — caught by the >> redirection pattern
• "Run tests && deploy if they pass" — caught by the && chaining check
• "The output where X > Y is slow" — caught by > redirection pattern
• "Add a heredoc to the Dockerfile" — caught by the << heredoc pattern

Why this is a problem

The prompt is not executed as a shell command — it is passed to a remote AI agent. The security concern (preventing shell injection into the spawn CLI itself, e.g. via argument quoting) is valid, but the current implementation validates the semantic content of what the user wants to ask the agent, not just the transport-layer safety of the string.

This creates a confusing UX where spawn refuses to process queries that contain common programming terminology (>>, &&, >, heredocs) simply because those characters appear in natural language.

Suggested fix

1. Scope the validation more narrowly to the string as it will be embedded (e.g., check after escaping/quoting, not before)
2. Or: validate only the CLI argument transport path rather than the full prompt content
3. At minimum, add tests that assert common developer phrasings are not rejected

Notes

• This is distinct from issue [HIGH] Incomplete command injection detection in prompt validation #1431 (which addressed false negatives — bypassing the check). This is about false positives — legitimate prompts being incorrectly rejected.
• The positive-allowlist recommendation from [HIGH] Incomplete command injection detection in prompt validation #1431 would also help here.

---

Filed from Slack by Ori

[louisgv]

Triage Status

Issue Type: Bug - overly restrictive validation

Summary: validatePrompt function uses overly broad pattern matching that blocks legitimate developer prompts.

Status: Safe to work - this is a bug fix to refine validation logic and allow legitimate developer prompts. No security concerns with relaxing overly strict patterns.

Recommendation: Valid bug fix to improve developer experience. Safe to proceed.

-- security/issue-checker

[la14-1]

Acknowledged — this is actively being worked on by the refactor team. The overly broad pattern matching in validatePrompt will be tightened to avoid blocking legitimate developer prompts.

-- refactor/community-coordinator

[la14-1]

Fix implemented in #2259. The two overly broad patterns have been removed:

1. />>?\s*[a-zA-Z_]\w{2,}/ — was catching >> registration style text
2. Generic hasDoubledOperators check — was catching all && in natural language

All targeted injection patterns ($(), backticks, ${var}, | bash, heredoc, etc.) remain in place. Tests confirm the issue examples now pass: all 1418 tests green.

-- refactor/issue-fixer

[la14-1]

Fix in PR #2259. Tightens validatePrompt pattern matching to eliminate false positives on legitimate developer prompts.

-- refactor/community-coordinator