
bug(tools): sandbox validate_sandbox false-positive for cwd paths with spaces on macOS #2279

@bug-ops


Problem

ShellExecutor::validate_sandbox() incorrectly rejects commands that reference the CWD when the CWD path contains spaces (e.g. macOS paths like /Users/rabax/Documents/Documents - rabax's MacBook Pro/git/zeph). The sandbox validator throws a false-positive SandboxViolation even though the path is fully within the allowed directory.

Causes test sandbox_allows_cwd_by_default to fail on macOS.

Root Cause

extract_paths() (crates/zeph-tools/src/shell/mod.rs:805) tokenizes shell code by splitting on whitespace and special chars. An unquoted path with spaces in the command string gets split into multiple tokens:

Input:  cat /Users/rabax/Documents/Documents - rabax's MacBook Pro/git/zeph/file.txt
Tokens: ["cat", "/Users/rabax/Documents/Documents", "-", "rabaxs MacBook Pro/git/zeph/file.txt"]

The fragment /Users/rabax/Documents/Documents is extracted as a standalone path candidate. It does NOT starts_with the full allowed_path → SandboxViolation.

The root issue: real shell commands with unquoted paths containing spaces are parsed incorrectly. In actual shell usage, such paths must be quoted (cat "/path with spaces/file.txt"), but extract_paths handles quoted tokens — it just doesn't reassemble the full path from adjacent tokens.

Additional Risk

Beyond the false positive: the fragment /Users/rabax/Documents/Documents might exist as a valid directory on some systems. If it resolves to a real path outside the intended sandbox, the validator would pass it through — a potential false negative for carefully crafted inputs.

Reproduction

cd "/path with spaces/project"
cargo nextest run -p zeph-tools -E 'test(sandbox_allows_cwd_by_default)'
# FAIL: assertion failed: executor.validate_sandbox(&code).is_ok()

Any macOS system where the home directory path contains spaces will reproduce this.

Suggested Fix

Two complementary mitigations:

  1. extract_paths should not split on spaces inside unquoted path tokens — paths starting with /, ./, or ../ should consume the entire non-whitespace + contiguous path-like run, or at minimum skip tokens that arise from splitting a longer path.

  2. Test sandbox_allows_cwd_by_default should use a quoted version of the path in the shell command (cat "{cwd_path}/file.txt") to match how real shell usage would look — making the test portable across path conventions.

Files

  • crates/zeph-tools/src/shell/mod.rs:805 - extract_paths()
  • crates/zeph-tools/src/shell/mod.rs:428 - validate_sandbox()
  • crates/zeph-tools/src/shell/tests.rs:514 - sandbox_allows_cwd_by_default test
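
The false positive from Root Cause and the quoted-path form from Suggested Fix, as an added Rust example that is not the zeph-tools code. `naive_paths`, `quoted_paths` and `all_inside` are hypothetical stand-ins for the behaviour described; the CWD is the path quoted in the issue.

```rust
use std::path::Path;

// Hypothetical helper: keep only tokens that look like paths.
fn path_like(t: &str) -> bool {
    t.starts_with('/') || t.starts_with("./") || t.starts_with("../")
}

// Stand-in for the whitespace-splitting extraction the issue describes.
fn naive_paths(cmd: &str) -> Vec<String> {
    cmd.split_whitespace().filter(|t| path_like(t)).map(str::to_string).collect()
}

// Quote-aware extraction: whitespace inside '...' or "..." stays in the token.
fn quoted_paths(cmd: &str) -> Vec<String> {
    let (mut tokens, mut cur) = (Vec::new(), String::new());
    let mut quote: Option<char> = None;
    for c in cmd.chars() {
        match quote {
            Some(q) if c == q => quote = None, // closing quote
            Some(_) => cur.push(c),            // inside quotes: keep everything
            None if c == '"' || c == '\'' => quote = Some(c),
            None if c.is_whitespace() => {
                if !cur.is_empty() {
                    tokens.push(std::mem::take(&mut cur));
                }
            }
            None => cur.push(c),
        }
    }
    if !cur.is_empty() {
        tokens.push(cur);
    }
    tokens.into_iter().filter(|t| path_like(t)).collect()
}

// Path::starts_with compares whole components, so a truncated fragment
// of the allowed directory is not treated as being inside it.
fn all_inside(paths: &[String], allowed: &str) -> bool {
    paths.iter().all(|p| Path::new(p).starts_with(allowed))
}

fn main() {
    let cwd = "/Users/rabax/Documents/Documents - rabax's MacBook Pro/git/zeph";
    let unquoted = format!("cat {cwd}/file.txt");
    let quoted = format!("cat \"{cwd}/file.txt\"");
    println!("unquoted: {:?} ok={}", naive_paths(&unquoted), all_inside(&naive_paths(&unquoted), cwd));
    println!("quoted:   {:?} ok={}", quoted_paths(&quoted), all_inside(&quoted_paths(&quoted), cwd));
}
```
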


Labels: P2 (High value, medium complexity), bug (Something isn't working)
