structure commands

Author: pgayvallet

x-pack/platform/plugins/shared/agent_builder/server/services/execution/run_agent/bash/allowed_commands.ts

@@ -10,91 +10,106 @@ import type { CommandName } from 'just-bash';
 /**
  * Explicit allowlist of just-bash built-in commands enabled in Agent Builder.
  *
+ * Organized by the same categories as just-bash's README so the list can be
+ * cross-referenced against upstream at a glance.
+ *
  * Intentionally excluded:
  *  - sqlite3 — depends on sql.js WASM (import.meta.url) which doesn't load via CJS
  *  - python, python3 — Python via CPython WASM; same WASM issue + security surface
  *  - js-exec, node — JS/TS via QuickJS; security surface, not needed
  *  - curl, html-to-markdown — network access, needs explicit security model
- *  - ln, readlink — symlinks aren't supported by workspace volume / persistence,
- *  - tar — pulls in `node-liblzma` and `@mongodb-js/zstd`for compressed-archive support. Disabled until we
+ *  - ln, readlink — symlinks aren't supported by workspace volume / persistence
+ *  - tar — pulls in `node-liblzma` (LGPL-3.0) and `@mongodb-js/zstd` for
+ *    compressed-archive support; disabled until those deps are reviewed
  */
 export const ALLOWED_BASH_COMMANDS: readonly CommandName[] = [
-  'alias',
+  // File operations
+  'cat',
+  'cp',
+  'file',
+  'ls',
+  'mkdir',
+  'mv',
+  'rm',
+  'rmdir',
+  'split',
+  'stat',
+  'touch',
+  'tree',
+
+  // Text processing
   'awk',
   'base64',
-  'basename',
-  'bash',
-  'cat',
-  'chmod',
-  'clear',
   'column',
   'comm',
-  'cp',
   'cut',
-  'date',
   'diff',
-  'dirname',
-  'du',
-  'echo',
-  'egrep',
-  'env',
   'expand',
-  'expr',
-  'false',
-  'fgrep',
-  'file',
-  'find',
   'fold',
   'grep',
-  'gunzip',
-  'gzip',
+  'egrep',
+  'fgrep',
   'head',
-  'help',
-  'history',
-  'hostname',
   'join',
-  'jq',
-  'ls',
   'md5sum',
-  'mkdir',
-  'mv',
   'nl',
   'od',
   'paste',
-  'printenv',
   'printf',
-  'pwd',
   'rev',
   'rg',
-  'rm',
-  'rmdir',
   'sed',
-  'seq',
-  'sh',
   'sha1sum',
   'sha256sum',
-  'sleep',
   'sort',
-  'split',
-  'stat',
   'strings',
   'tac',
   'tail',
-  'tee',
-  'time',
-  'timeout',
-  'touch',
   'tr',
-  'tree',
-  'true',
-  'unalias',
   'unexpand',
   'uniq',
   'wc',
-  'which',
-  'whoami',
-  'xan',
   'xargs',
+
+  // Data processing
+  'jq',
+  'xan',
   'yq',
+
+  // Compression & archives
+  'gzip',
+  'gunzip',
   'zcat',
+
+  // Navigation & environment
+  'basename',
+  'dirname',
+  'du',
+  'echo',
+  'env',
+  'find',
+  'hostname',
+  'printenv',
+  'pwd',
+  'tee',
+
+  // Shell utilities
+  'alias',
+  'bash',
+  'chmod',
+  'clear',
+  'date',
+  'expr',
+  'false',
+  'help',
+  'history',
+  'seq',
+  'sh',
+  'sleep',
+  'time',
+  'timeout',
+  'true',
+  'unalias',
+  'which',
+  'whoami',
 ] as const satisfies readonly CommandName[];