Skip to content

Commit 074d5a5

Browse files
committed
docs(all): expand security guides and add llm prompt
- Add llm-prompt.md safety guard for AI command execution - Expand security.md with native process hardening and defense-in-depth stack - Harden examples.md AI Agent Integration with specific allowlist - Streamline interpreter-usage.md with clearer safe execution patterns - Update configuration.md with new spawn options documentation - Update README.md with privilege dropping and Windows hardening features
1 parent 8dfafda commit 074d5a5

7 files changed

Lines changed: 490 additions & 253 deletions

File tree

README.md

Lines changed: 55 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,9 @@ Secure command sandbox preventing AI destructive code deletions
2222
- **Timeout Protection** - Automatic process termination after configurable timeout
2323
- **Argument Validation** - Limit arguments and block dangerous characters
2424
- **Real-Time Streaming** - Stream stdout/stderr with callback support
25+
- **Privilege Dropping** - Run child processes as different user/group via `uid`/`gid`
26+
- **Native AbortSignal** - Node.js built-in abort for reliable process termination
27+
- **Windows Hardening** - Hide console windows and disable argument quoting
2528

2629
## Installation
2730

@@ -63,7 +66,10 @@ Terminal.initialize({
6366
deny: ['rm *', 'sudo *'],
6467
maxArgs: 10,
6568
strictArgs: true,
66-
noShell: true
69+
noShell: true,
70+
killSignal: 'SIGTERM',
71+
windowsHide: false,
72+
windowsVerbatimArguments: false
6773
},
6874
env: {
6975
allow: ['NODE_ENV', 'PATH'],
@@ -97,7 +103,50 @@ Terminal.initialize({
97103
deny: ['rm -rf *', 'sudo *'], // Blocked patterns
98104
maxArgs: 10, // Limit argument count
99105
strictArgs: true, // Block shell metacharacters
100-
noShell: true // Direct execution, no shell
106+
noShell: true, // Direct execution, no shell
107+
killSignal: 'SIGTERM', // Signal sent on timeout/abort
108+
windowsHide: false, // Hide console window on Windows
109+
windowsVerbatimArguments: false // Disable Windows arg quoting
110+
}
111+
})
112+
```
113+
114+
### Privilege Dropping
115+
116+
Run child processes as a different user or group via `setuid`/`setgid`:
117+
118+
```typescript
119+
Terminal.initialize({
120+
workspaces: ['/safe/project'],
121+
commands: {
122+
allow: ['git *', 'npm *'],
123+
deny: ['rm *', 'sudo *'],
124+
maxArgs: 10,
125+
strictArgs: true,
126+
noShell: true
127+
},
128+
uid: 1000, // Run as user ID 1000
129+
gid: 1000 // Run as group ID 1000
130+
})
131+
```
132+
133+
> **Note**: `uid`/`gid` require the parent process to have permission to change to the target identity. Combine with OS-level unprivileged users for real isolation.
134+
135+
### Windows Hardening
136+
137+
Prevent console window pop-ups and argument injection on Windows:
138+
139+
```typescript
140+
Terminal.initialize({
141+
workspaces: ['C:\\workspace'],
142+
commands: {
143+
allow: ['echo *', 'dir *'],
144+
deny: ['del *', 'format *'],
145+
maxArgs: 5,
146+
strictArgs: true,
147+
noShell: true,
148+
windowsHide: true, // Hide console window
149+
windowsVerbatimArguments: true // Pass arguments verbatim
101150
}
102151
})
103152
```
@@ -141,7 +190,7 @@ Terminal.stream(
141190
data => console.error('stderr:', data)
142191
)
143192

144-
// Kill process (SIGTERM, then SIGKILL after 2s)
193+
// Kill process (native AbortSignal, then SIGKILL after 2s)
145194
Terminal.kill(processId)
146195
```
147196

@@ -180,6 +229,9 @@ See [full documentation](docs/README.md) for advanced configuration including:
180229
- Environment variable filtering
181230
- Process timeout policies
182231
- Workspace path validation
232+
- Privilege dropping with `uid`/`gid`
233+
- Windows hardening options
234+
- Native `AbortSignal` process termination
183235

184236
## Contributing
185237

docs/README.md

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,10 +10,11 @@ Secure command execution with Access Control Lists for AI protection.
1010
2. [Configuration](./configuration.md) - All config options explained
1111
3. [Patterns Cheatsheet](./patterns-cheatsheet.md) - Quick reference for command patterns
1212
4. [Security](./security.md) - ACL, threat model, best practices
13-
5. [Examples](./examples.md) - Real-world integration examples
14-
6. [Interpreter Usage](./interpreter-usage.md) - Running Deno, Python, Node.js safely
15-
7. [API Reference](./api-reference.md) - Complete method documentation
16-
8. [Common Errors](./common-errors.md) - Troubleshooting guide
13+
5. [LLM Prompt](./llm-prompt.md) - Safety guard for AI agents executing commands
14+
6. [Examples](./examples.md) - Real-world integration examples
15+
7. [Interpreter Usage](./interpreter-usage.md) - Running Deno, Python, Node.js safely
16+
8. [API Reference](./api-reference.md) - Complete method documentation
17+
9. [Common Errors](./common-errors.md) - Troubleshooting guide
1718

1819
## Quick Links
1920

docs/configuration.md

Lines changed: 59 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,24 +1,31 @@
11
# Configuration
22

3-
Terminal uses a configuration object to define security policies. All settings are optional and merge with sensible defaults.
3+
Terminal uses a configuration object to define command filtering policies. All settings are optional and merge with sensible defaults.
4+
5+
> **Important**: Terminal is a **command string filter**, not a sandbox. It validates the command and arguments before spawning. Once a command is allowed, the OS controls what it can access. See [Security](./security.md) for OS-level hardening.
46
57
## Basic Configuration
68

79
```typescript
810
Terminal.initialize({
911
workspaces: ['/safe/project'],
1012
commands: {
11-
allow: ['cd *', 'node *', 'deno *'],
13+
allow: ['cd *', 'git *', 'npm *'],
1214
deny: ['rm *', 'sudo *'],
1315
maxArgs: 10,
1416
strictArgs: true,
15-
noShell: true
17+
noShell: true,
18+
killSignal: 'SIGTERM',
19+
windowsHide: false,
20+
windowsVerbatimArguments: false
1621
},
1722
env: {
1823
allow: ['NODE_ENV', 'PATH'],
19-
deny: ['HOME', 'SSH_*']
24+
deny: ['HOME', 'SSH_*', 'LD_PRELOAD', 'LD_LIBRARY_PATH']
2025
},
21-
timeout: 30000
26+
timeout: 30000,
27+
uid: undefined,
28+
gid: undefined
2229
})
2330
```
2431

@@ -30,7 +37,7 @@ Restrict command execution to specific directories:
3037
workspaces: ['/home/user/projects', '/tmp/builds']
3138
```
3239

33-
Commands outside these paths will be rejected.
40+
Commands outside these paths will be rejected. **Note**: This only validates `cwd`. The spawned process can still access any path the OS allows.
3441

3542
## Commands
3643

@@ -39,9 +46,11 @@ Commands outside these paths will be rejected.
3946
Pattern-based allowlist. Empty array allows all (unless denied).
4047

4148
```typescript
42-
allow: ['git *', 'npm *', 'node *.js', 'deno run *']
49+
allow: ['git *', 'npm *', 'echo *']
4350
```
4451

52+
> **Warning**: `allow: ['node *']` or `allow: ['python3 *']` effectively allows arbitrary code execution via script files. Terminal does not inspect file contents.
53+
4554
### deny - Command Blacklist
4655

4756
Pattern-based denylist. Always checked first.
@@ -60,10 +69,10 @@ maxArgs: 10 // Rejects commands with more than 10 arguments
6069

6170
### strictArgs - Strict Validation
6271

63-
Block shell metacharacters in arguments:
72+
Block shell metacharacters and path traversal in arguments:
6473

6574
```typescript
66-
strictArgs: true // Blocks ; | & ` $ ( ) { } [ ] < >
75+
strictArgs: true // Blocks ; | & ` $ ( ) { } [ ] < > and ../
6776
```
6877

6978
### noShell - Shell Control
@@ -72,20 +81,46 @@ strictArgs: true // Blocks ; | & ` $ ( ) { } [ ] < >
7281
noShell: true // Always use direct execution (recommended)
7382
```
7483

84+
### killSignal - Default Kill Signal
85+
86+
Signal sent when a process is aborted or times out. Defaults to `SIGTERM`.
87+
88+
```typescript
89+
killSignal: 'SIGKILL' // Use SIGKILL instead of SIGTERM
90+
```
91+
92+
Valid signals: `SIGTERM`, `SIGKILL`, `SIGINT`, `SIGHUP`, and all POSIX signal names.
93+
94+
### windowsHide - Hide Console Window
95+
96+
Hides the subprocess console window on Windows. Prevents UI hijacking.
97+
98+
```typescript
99+
windowsHide: true // Hide console window on Windows
100+
```
101+
102+
### windowsVerbatimArguments - Disable Argument Quoting
103+
104+
Disables Node.js quoting and escaping of arguments on Windows. Prevents command-line injection via Windows shell parsing.
105+
106+
```typescript
107+
windowsVerbatimArguments: true // Pass arguments verbatim on Windows
108+
```
109+
75110
## Environment Variables
76111

77112
### allow - Variable Whitelist
78113

79114
```typescript
80-
allow: ['NODE_ENV', 'PATH', 'HOME']
115+
allow: ['NODE_ENV', 'PATH']
81116
```
82117

83118
### deny - Variable Blacklist
84119

85-
Supports wildcards:
120+
Supports wildcards. Always deny `LD_PRELOAD` and `LD_LIBRARY_PATH`:
86121

87122
```typescript
88-
deny: ['SSH_*', 'AWS_*', 'TOKEN*']
123+
deny: ['SSH_*', 'AWS_*', 'TOKEN*', 'LD_PRELOAD', 'LD_LIBRARY_PATH']
89124
```
90125

91126
## Timeout
@@ -98,6 +133,17 @@ timeout: 30000 // 30 seconds
98133

99134
Set to `0` to disable timeouts.
100135

136+
## Privilege Dropping
137+
138+
Run spawned processes as a different user or group via `setuid`/`setgid`. Requires the parent process to have sufficient privileges.
139+
140+
```typescript
141+
uid: 1000 // Run as user ID 1000
142+
gid: 1000 // Run as group ID 1000
143+
```
144+
145+
> **Note**: `uid`/`gid` are applied at the OS level via Node.js `spawn()`. The parent process must have permission to change to the target user/group. This is a defense-in-depth layer — combine with OS-level unprivileged users for real isolation.
146+
101147
## Pattern Syntax
102148

103149
Patterns use token matching with optional wildcards:
@@ -108,5 +154,5 @@ Patterns use token matching with optional wildcards:
108154

109155
## See Also
110156

111-
- [Security](./security.md) - Deep dive into security concepts
157+
- [Security](./security.md) - OS-level hardening guide
112158
- [API Reference](./api-reference.md) - Programmatic config updates

0 commit comments

Comments
 (0)