sync: upstream just-bash@2.14.4 (manual resolve)

[subsetpark]

Summary

Manual upstream sync to just-bash@2.14.4 after the scheduled Sync upstream action failed:

1. First run hit gh label create → 403 against vercel-labs/just-bash (fixed in ci(sync-upstream): pin gh CLI to fork repo #6).
2. Second run made it past labels but the push was rejected by GITHUB_TOKEN because the merge contains .github/workflows/release.yml changes — a platform-level restriction that can't be granted via YAML permissions:. Pushed manually via my own creds here so we can land this tag's sync today; the workflow-permission limitation is a separate decision (PAT/App vs. excluding workflow files from sync).

Conflict resolutions

• packages/just-bash/package.json
  • build:worker script: took upstream's version. It follows the same src/ → dist/... + dist/bin/chunks/... + dist/bundle/chunks/... copy chain as the python3 and js-exec workers, and the src/commands/sqlite3/worker.js artifact is already gitignored. Flowglad's prior version (--outfile=dist/commands/sqlite3/worker.js only) wouldn't populate the bundled chunks paths.
  • files array: deduped — both sides added "dist/commands/sqlite3/worker.js", the auto-merge produced two copies. Kept one.
• packages/just-bash/src/commands/awk/lexer.ts — nextToken newline handling: took upstream's version. CONTINUES_ACROSS_NEWLINE (defined upstream at line 148) is a strict superset of HEAD's COMMA-only check, and the existing comment block at the call site already described this broader behavior (commas, {, &&, ||, ?, :, do, else, if, while).

Other notable merge content

• release.yml: upstream pinned the three third-party actions to full commit SHAs (security hardening). Auto-merge cleanly preserved flowglad's Node 24 + OIDC customizations alongside the SHA pins.
• New upstream features carried in: src/network/dns-pin*, src/commands/rg/rg-parser-threads.test.ts, src/commands/sqlite3/sqlite3.worker-resolution.test.ts + sqlite3.writeback-edge-cases.test.ts, src/commands/xan/moonblade-parser.test.ts. No flowglad-side changes touched these areas.

Validation

• pnpm install --frozen-lockfile — lockfile up to date
• pnpm --filter just-bash build — clean
• pnpm --filter just-bash typecheck — clean
• pnpm --filter just-bash exec vitest run src/commands/sqlite3/sqlite3.test.ts src/commands/python3/python3.optin.test.ts — 23/23 passed
• git add -f packages/just-bash/dist committed (worker chunks land as expected, including new sqlite3-worker.js in dist/bin/chunks/ and dist/bundle/chunks/)

After merge

Cut the next Flowglad package-root tag with pnpm flowglad:tag --tag v2.14.4-fgp.<n> --push.

🤖 Generated with Claude Code

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 3 committers have signed the CLA.

✅ subsetpark
❌ github-actions[bot]
❌ cramforce
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[flowglad-review-service]

Code Review: 3 comments

[flowglad-review-service]

Review Summary

The PR is a clean upstream sync (2.14.3 → 2.14.4) with well-handled conflict resolutions. The core feature additions — awk newline continuation, sqlite3 dot-commands, worker resolution fix, python3 - stdin support, rg -j thread-count isolation, xan partition collision-safe filenames, moonblade parser backtrack fix, and DNS rebinding protection — are all logically sound with good test coverage.

Two must-fix findings:

1. sqlite3.ts dot-command error reporting inconsistency (line 617): Dot-command errors (non-bail mode) are placed in stderr while SQL results go to stdout and inline SQL errors are appended to stdout. This channel split is surprising and will break agents that expect errors inline with output.

2. dns-pin.ts dual-stack family mismatch (line 99): The patcher pins a single {address, family}. If the preflight resolves IPv6-first and undici requests IPv4 (common on modern Linux with verbatim: true), the family-mismatch guard fires ENOTFOUND even for legitimately-allowed hostnames — silently breaking fetch on dual-stack hosts.

One should-fix finding:

3. fetch.ts addresses[0] may be IPv6 (line 183): checkAllowed returns the first resolved address to pin. On IPv6-first systems this could produce a pin that is incompatible with undici's IPv4 connect path, compounding the must-fix above.
   | Severity | Count |
   |----------|-------|
   | Must-fix | 2 |
   | Should-fix | 1 |
   | Note | 0 |

---

3 comments posted · Model: claude-sonnet-4-6 (sonnet) · Tokens: 353570 in / 7046 out · Cache: 1140133 created / 4187377 read · Context: 14 items · Review mode: agentic · Turns: 15 · Tool calls: 13 · Forced submit: yes · Tool mix: read_file=13

[flowglad-review-service]

Code Review: 1 comment

[flowglad-review-service]

[MUST FIX] packages/just-bash/src/commands/sqlite3/sqlite3.ts:614 — When dotError is set and there is SQL that runs (the non-bail, non-empty-SQL path), the dot-command error is appended to stdout after the SQL results (line ~749 in context: stdout += \${dotError}\n`). But the -bailearly-return path (line 614:return { stdout: "", stderr: `${dotError}\n`, exitCode: 1 }) puts the dot-command error in **stderr**. This means the channel where dotErroris reported is different depending on whether-bail` is active:

• With -bail: stderr contains the error, stdout is empty.
• Without -bail (non-empty SQL): stderr is empty, the error is in stdout after the SQL results.

A caller that inspects stderr to detect errors (the normal pattern) will miss dot-command errors in the non-bail case entirely, seeing only exitCode: 1 with empty stderr. The test fixtures updated in this PR already codify the stdout-based path (expect(result.stdout).toBe("Error: ...\n") with expect(result.stderr).toBe("")), which entrenches the inconsistency.

Suggestion: route dotError to stderr consistently (both bail and non-bail), matching the error channel already used for SQL errors surfaced by the worker (those go to stderr: \Error: ...`\nunder-bail, or to stdoutfor non-bail inline errors). The test expectations insqlite3.dot-commands.test.tsthat were updated in this PR to usestdoutshould be reverted to usestderr`.

Reviewed at 96ab94b

[flowglad-review-service]

Review Summary

This PR is a well-structured upstream sync of just-bash@2.14.4 with three Flowglad patches (sqlite3 worker, awk comma-continuation, jq control chars). The major upstream changes include: OSC-8 XSS fixes in the website terminal, DNS rebinding mitigation via dns-pin.ts, rg -j/--threads correctness fix, moonblade parser backtracking fix, sqlite3 dot-command support, and sqlite3 writeback for CTE-prefixed writes.

One must-fix finding: the dotError channel is inconsistent between -bail (goes to stderr) and non-bail (appended to stdout). Callers checking stderr for errors will silently miss dot-command errors in the non-bail path. The test expectations updated in this PR already encode the stdout path, which entrenches the inconsistency.

All other areas reviewed are correct: DNS-pinning (AsyncLocalStorage scoping, family filtering, dual-stack, ENOTFOUND on mismatch), rg ignored: true fix, moonblade startPos backtrack, awk CONTINUES_ACROSS_NEWLINE set, sqlite3 worker path resolution, and the XSS sanitization chain in the website terminal.

Severity	Count
Must-fix	1
Should-fix	0
Note	0

---

1 comment posted · Model: claude-sonnet-4-6 (sonnet) · Tokens: 357167 in / 4183 out · Cache: 1148956 created / 4275807 read · Context: 15 items · Review mode: agentic · Turns: 15 · Tool calls: 16 · Forced submit: yes · Tool mix: read_file=16