--- name: nexus-ssh-safety description: Use when reviewing or editing Nexus code that executes commands on managed servers over SSH, including file manager, transfer, archive, agent install, and BT panel bootstrap flows. --- # Nexus SSH Safety Use for any Nexus feature that builds shell commands or transfers files over SSH. ## Command construction rules - Prefer argument arrays/local library APIs when available; otherwise quote every dynamic shell token with shlex.quote. - Insert -- before filename/path operands for commands that parse options: m, mv, cp, ar, zip, chmod, chown, etc. - Never concatenate unquoted user input into shell command strings. - Keep timeouts explicit for network/SSH work; avoid unbounded commands. - Truncate or sanitize command output before returning it to API clients. - Do not log secrets or full credential-bearing URLs. ## Path and archive rules - Normalize paths with POSIX semantics for remote Linux paths. - Reject empty paths where dangerous, root/system paths for recursive destructive operations, and traversal where the feature expects a bounded directory. - Archive creation must protect member names beginning with -. - Archive extraction must validate member names and types before extraction. - Temporary files/directories must be unique and cleaned best-effort. ## script_service exception script_service intentionally lets administrators run arbitrary shell. Treat it as a privileged admin feature, not an injection bug. Still check admin auth, audit logs, timeout, output size, and secret redaction.