From 55bfccea305ffdab3a047d9a8c2cc92a4eb2d38b Mon Sep 17 00:00:00 2001
From: Axiom Bot <0xAxiom@users.noreply.github.com>
Date: Thu, 30 Apr 2026 17:03:27 -0700
Subject: [PATCH] fix(core): remove shell: true from spawn() in ralph checks

using shell: true unnecessarily expands the attack surface: if any argument or path ever contains shell metacharacters, the shell would interpret them. all commands in runCommand() are hardcoded (npm, npx) with fixed arg arrays, so shell interpretation provides no benefit. removing shell: true eliminates the vector and silences the static analysis warning. on linux/macos npm and npx are directly executable; if windows support is needed in future, callers can pass shell: true explicitly or use spawn's shell option conditionally.

Co-Authored-By: Claude Sonnet 4.6
---
 core/src/ralph/checks.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/src/ralph/checks.ts b/core/src/ralph/checks.ts
index a719b34e..95cf33d8 100644
--- a/core/src/ralph/checks.ts
+++ b/core/src/ralph/checks.ts
@@ -22,7 +22,6 @@ async function runCommand(
 return new Promise((resolve) => {
 const proc = spawn(command, args, {
 cwd,
- shell: true,
 stdio: ['pipe', 'pipe', 'pipe'],
 });