
Add guardrails to block dangerous shell commands#30

Merged
joone merged 4 commits into main from copilot/add-guardrails-feature on Feb 16, 2026

Conversation

Contributor

Copilot AI commented Feb 16, 2026

Loz executes LLM-generated shell commands without validation. This adds a guardrails layer to prevent execution of destructive commands.

Changes

New guardrails module (src/guardrails/index.ts)

  • enforceGuardrails() function checks commands against denylist before execution
  • Blocks: rm -rf /, shutdown, reboot, fork bomb, mkfs, dd if=
  • Includes bypass variants: rm -rf/*, rm -rf /.
  • Case-insensitive substring matching with pre-computed patterns

Integration (src/loz.ts)

  • Guardrails enforced before each command execution:

    for (const cmd of commands) {
      try {
        enforceGuardrails(cmd, true);  // Blocks dangerous commands
        await runCommand(cmd);
      } catch (error) {
        // Under strict TypeScript the catch variable is `unknown`, so narrow it before reading .message
        const message = error instanceof Error ? error.message : String(error);
        console.error(message);  // "Command blocked by guardrails: rm -rf /"
      }
    }

Tests (test/guardrails.test.ts)

  • Validates dangerous command blocking
  • Validates safe command pass-through
  • Covers bypass attempts

Limitations

Substring matching can produce false positives (e.g., filename containing "shutdown") and can be bypassed with command variations not in the denylist. Documented for future improvement with command structure parsing or allowlist approach.
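The denylist check described in this PR, together with the false positive its "Limitations" section mentions, as an added TypeScript example. This is not Loz's code: `DENYLIST`, `findSubstringMatch`, `findTokenMatch`, `GuardrailError` and the signature of `enforceGuardrails` are assumptions, the fork-bomb pattern from the PR's list is left out, and the token-aware matcher is a sketch of the "command structure parsing" the PR names as future work, not something the project ships.

```typescript
// Added example, not Loz's guardrails module. Names and signatures are assumptions.

export class GuardrailError extends Error {}

// Denylist in the spirit of the PR (fork-bomb pattern omitted here).
export const DENYLIST: readonly string[] = [
  "rm -rf /", "rm -rf /*", "rm -rf /.", "shutdown", "reboot", "mkfs", "dd if=",
];

// Pre-computed lower-cased patterns, so the per-command check is a plain substring scan.
const PATTERNS: readonly string[] = DENYLIST.map((p) => p.toLowerCase());

export type Matcher = (cmd: string) => string | null;

/** Case-insensitive substring check, as the PR describes. Returns the matched pattern or null. */
export function findSubstringMatch(cmd: string): string | null {
  const lowered = cmd.toLowerCase();
  for (const p of PATTERNS) {
    if (lowered.includes(p)) return p;
  }
  return null;
}

/**
 * Token-aware check: looks at the program name and its arguments in each pipeline
 * segment instead of the raw string, so "ls shutdown_notes.txt" is not blocked.
 * Quoting and subshells are not parsed; this is a sketch, not a shell parser.
 */
export function findTokenMatch(cmd: string): string | null {
  // Split on |, ||, &&, ; and newlines so each simple command is inspected on its own.
  for (const segment of cmd.split(/\|\||&&|[|;\n]/)) {
    const words = segment.trim().split(/\s+/).filter(Boolean);
    if (words[0] === "sudo") words.shift(); // a privilege prefix does not change the program
    if (words.length === 0) continue;
    const prog = words[0].toLowerCase();
    const args = words.slice(1);

    if (prog === "shutdown" || prog === "reboot" || prog.startsWith("mkfs")) return prog;
    if (prog === "dd" && args.some((a) => a.toLowerCase().startsWith("if="))) return "dd if=";

    if (prog === "rm") {
      let recursive = false;
      for (const a of args) {
        if (a === "--recursive") recursive = true;
        else if (/^-[a-zA-Z]+$/.test(a) && /r/i.test(a)) recursive = true; // -r, -rf, -Rf, ...
      }
      // Root targets the PR lists, including its bypass variants.
      const rootTarget = args.some((a) => !a.startsWith("-") && ["/", "/*", "/."].includes(a));
      if (recursive && rootTarget) return "rm -rf /";
    }
  }
  return null;
}

/** True when the matcher finds nothing to block. */
export function isAllowed(cmd: string, matcher: Matcher = findTokenMatch): boolean {
  return matcher(cmd) === null;
}

/** Throws on a blocked command, mirroring the error string quoted in the PR description. */
export function enforceGuardrails(cmd: string, matcher: Matcher = findTokenMatch): void {
  if (!isAllowed(cmd, matcher)) {
    throw new GuardrailError(`Command blocked by guardrails: ${cmd}`);
  }
}

// Constructed sample commands showing where the two matchers disagree.
const SAMPLES = ["rm -rf /", "ls shutdown_notes.txt", "echo hi && sudo reboot", "rm -rf ./build"];
for (const s of SAMPLES) {
  console.log(`${s.padEnd(26)} substring=${findSubstringMatch(s)}  token=${findTokenMatch(s)}`);
}
```

The substring matcher flags `ls shutdown_notes.txt` because the filename contains "shutdown"; the token matcher looks only at the program in each pipeline segment and lets it through while still catching `sudo reboot` behind an `&&`. Neither handles quoting, aliases or subshells, which is why the PR frames a parser or allowlist as the longer-term fix.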



Copilot AI and others added 3 commits February 16, 2026 10:41
Co-authored-by: joone <1979160+joone@users.noreply.github.com>
Co-authored-by: joone <1979160+joone@users.noreply.github.com>
Co-authored-by: joone <1979160+joone@users.noreply.github.com>
Copilot AI changed the title [WIP] Add safety feature for shell allow/deny checks Add guardrails to block dangerous shell commands Feb 16, 2026
Copilot AI requested a review from joone February 16, 2026 10:46
@joone joone marked this pull request as ready for review February 16, 2026 19:35
@joone joone merged commit bdb5bb2 into main Feb 16, 2026
0 of 3 checks passed

2 participants