fix: Update shell-quote to v1.8.3 and use it for command pattern extraction

- Updated shell-quote from v1.8.2 to v1.8.3 in webview-ui
- Added shell-quote v1.8.3 to backend dependencies
- Updated shared extract-command-pattern module to use shell-quote for proper parsing
- Added @types/shell-quote for TypeScript support
- Ensures consistent command pattern extraction across frontend and backend

Author: hannesrudolph

pnpm-lock.yaml

@@ -15,85 +15,10 @@ import { ExitCodeDetails, RooTerminalCallbacks, RooTerminalProcess } from "../..
 import { TerminalRegistry } from "../../integrations/terminal/TerminalRegistry"
 import { Terminal } from "../../integrations/terminal/Terminal"
 import { t } from "../../i18n"
+import { extractCommandPattern } from "../../shared/extract-command-pattern"
 
 class ShellIntegrationError extends Error {}
 
-/**
- * Extract the base command pattern from a full command string.
- * For example: "gh pr checkout 1234" -> "gh pr checkout"
- *
- * @param command The full command string
- * @returns The base command pattern suitable for whitelisting
- */
-function extractCommandPattern(command: string): string {
-	if (!command?.trim()) return ""
-
-	// Split by whitespace, handling quoted strings
-	const parts: string[] = []
-	let current = ""
-	let inQuotes = false
-	let quoteChar = ""
-
-	for (let i = 0; i < command.length; i++) {
-		const char = command[i]
-		const prevChar = i > 0 ? command[i - 1] : ""
-
-		if ((char === '"' || char === "'") && prevChar !== "\\") {
-			if (!inQuotes) {
-				inQuotes = true
-				quoteChar = char
-			} else if (char === quoteChar) {
-				inQuotes = false
-				quoteChar = ""
-			}
-			current += char
-		} else if (char === " " && !inQuotes) {
-			if (current) {
-				parts.push(current)
-				current = ""
-			}
-		} else {
-			current += char
-		}
-	}
-
-	if (current) {
-		parts.push(current)
-	}
-
-	// Extract pattern parts, stopping at arguments
-	const patternParts: string[] = []
-
-	for (const part of parts) {
-		// Remove quotes for analysis
-		const unquoted = part.replace(/^["']|["']$/g, "")
-
-		// Stop at common argument patterns:
-		// - Pure numbers (like PR numbers, PIDs, etc.)
-		// - Flags starting with - or --
-		// - File paths or URLs
-		// - Variable assignments (KEY=VALUE)
-		// - Operators (&&, ||, |, ;, >, <, etc.)
-		if (
-			/^\d+$/.test(unquoted) ||
-			unquoted.startsWith("-") ||
-			unquoted.includes("/") ||
-			unquoted.includes("\\") ||
-			unquoted.includes("=") ||
-			unquoted.startsWith("http") ||
-			unquoted.includes(".") ||
-			["&&", "||", "|", ";", ">", "<", ">>", "<<", "&"].includes(unquoted)
-		) {
-			// Stop collecting pattern parts
-			break
-		}
-		patternParts.push(part)
-	}
-
-	// Return the base command pattern
-	return patternParts.join(" ")
-}
-
 /**
  * Adds a command pattern to the whitelist
  */

src/core/tools/executeCommandTool.ts

@@ -407,6 +407,7 @@
 		"sanitize-filename": "^1.6.3",
 		"say": "^0.16.0",
 		"serialize-error": "^12.0.0",
+		"shell-quote": "1.8.3",
 		"simple-git": "^3.27.0",
 		"sound-play": "^1.1.0",
 		"stream-json": "^1.8.0",
@@ -439,6 +440,7 @@
 		"@types/node-ipc": "^9.2.3",
 		"@types/proper-lockfile": "^4.1.4",
 		"@types/ps-tree": "^1.1.6",
+		"@types/shell-quote": "^1.7.5",
 		"@types/stream-json": "^1.7.8",
 		"@types/string-similarity": "^4.0.2",
 		"@types/tmp": "^0.2.6",

src/package.json

@@ -0,0 +1,50 @@
+import { parse } from "shell-quote"
+
+type ShellToken = string | { op: string } | { command: string }
+
+/**
+ * Extract the base command pattern from a full command string.
+ * For example: "gh pr checkout 1234" -> "gh pr checkout"
+ *
+ * Uses shell-quote v1.8.3 for proper shell parsing.
+ *
+ * @param command The full command string
+ * @returns The base command pattern suitable for whitelisting
+ */
+export function extractCommandPattern(command: string): string {
+	if (!command?.trim()) return ""
+
+	// Parse the command to get tokens
+	const tokens = parse(command.trim()) as ShellToken[]
+	const patternParts: string[] = []
+
+	for (const token of tokens) {
+		if (typeof token === "string") {
+			// Check if this token looks like an argument (number, flag, etc.)
+			// Common patterns to stop at:
+			// - Pure numbers (like PR numbers, PIDs, etc.)
+			// - Flags starting with - or --
+			// - File paths or URLs
+			// - Variable assignments (KEY=VALUE)
+			if (
+				/^\d+$/.test(token) ||
+				token.startsWith("-") ||
+				token.includes("/") ||
+				token.includes("\\") ||
+				token.includes("=") ||
+				token.startsWith("http") ||
+				token.includes(".")
+			) {
+				// Stop collecting pattern parts
+				break
+			}
+			patternParts.push(token)
+		} else if (typeof token === "object" && "op" in token) {
+			// Stop at operators
+			break
+		}
+	}
+
+	// Return the base command pattern
+	return patternParts.join(" ")
+}

src/shared/extract-command-pattern.ts

@@ -65,7 +65,7 @@
 		"remark-gfm": "^4.0.1",
 		"remark-math": "^6.0.0",
 		"remove-markdown": "^0.6.0",
-		"shell-quote": "^1.8.2",
+		"shell-quote": "^1.8.3",
 		"shiki": "^3.2.1",
 		"source-map": "^0.7.4",
 		"styled-components": "^6.1.13",

webview-ui/package.json

@@ -313,7 +313,7 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 							setClineAsk("command")
 							setEnableButtons(!isPartial)
 							setPrimaryButtonText(t("chat:runCommand.title"))
-							setSecondaryButtonText("Add & Run")
+							setSecondaryButtonText(t("chat:addAndRun.title"))
 							setTertiaryButtonText(t("chat:reject.title"))
 							break
 						case "command_output":

webview-ui/src/components/chat/ChatView.tsx

@@ -46,6 +46,10 @@
 		"title": "Desar",
 		"tooltip": "Desa els canvis del fitxer"
 	},
+	"addAndRun": {
+		"title": "Add & Run",
+		"tooltip": "Add command to whitelist and run it"
+	},
 	"reject": {
 		"title": "Rebutjar",
 		"tooltip": "Rebutja aquesta acció"

webview-ui/src/i18n/locales/ca/chat.json

@@ -46,6 +46,10 @@
 		"title": "Speichern",
 		"tooltip": "Dateiänderungen speichern"
 	},
+	"addAndRun": {
+		"title": "Add & Run",
+		"tooltip": "Add command to whitelist and run it"
+	},
 	"reject": {
 		"title": "Ablehnen",
 		"tooltip": "Diese Aktion ablehnen"

webview-ui/src/i18n/locales/de/chat.json

@@ -46,6 +46,10 @@
 		"tokensUsed": "Tokens used: {{used}} of {{total}}",
 		"reservedForResponse": "Reserved for model response: {{amount}} tokens"
 	},
+	"addAndRun": {
+		"title": "Add & Run",
+		"tooltip": "Add command to whitelist and run it"
+	},
 	"reject": {
 		"title": "Reject",
 		"tooltip": "Reject this action"

webview-ui/src/i18n/locales/en/chat.json

@@ -46,6 +46,10 @@
 		"tokensUsed": "Tokens utilizados: {{used}} de {{total}}",
 		"reservedForResponse": "Reservado para respuesta del modelo: {{amount}} tokens"
 	},
+	"addAndRun": {
+		"title": "Add & Run",
+		"tooltip": "Add command to whitelist and run it"
+	},
 	"reject": {
 		"title": "Rechazar",
 		"tooltip": "Rechazar esta acción"