Feature: add hardened schema helpers for agent-safe CLIs #51

@0xBigBoss

One thing that worked well in our fork was adding first-class hardened schema helpers plus default control-character rejection for parsed strings.

The goal was to make agent-facing CLIs safer by default without requiring every command author to rediscover the same validation patterns.

The patch adds helpers like:

  • hardened.path()
  • hardened.id()
  • hardened.text()
  • hardened.url()

It also makes parser-handled z.string() inputs reject ASCII control characters by default, with an explicit opt-out via schema metadata.

That gave us:

  • safer path handling
  • safer free-form text handling
  • safer URL/id handling
  • parser-wide protection instead of per-command ad hoc checks

Reference patch:

Example from the patch:

if (typeof value !== 'string' || allowsControlChars(schema) || !hasControlChars(value)) return []

Would you be interested in upstreaming hardened input primitives like this, either as built-ins or as an optional companion export?
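
The parser-wide check described in this issue, as an added example that is not part of the original post or the referenced patch. The bodies of `hasControlChars` and `allowsControlChars`, the `meta.allowControlChars` flag, the schema object shape, and `checkField`/`checkParsedArgs` are assumptions made for illustration; only the guard line itself is quoted from the issue.

```javascript
// ASCII control characters: the C0 range 0x00-0x1F plus DEL (0x7F).
// Assumption: the issue does not say which code points the patch covers.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function hasControlChars(value) {
  return CONTROL_CHARS.test(value);
}

// Hypothetical metadata shape: { meta: { allowControlChars: true } } opts a field out.
function allowsControlChars(schema) {
  return Boolean(schema && schema.meta && schema.meta.allowControlChars);
}

// Uses the guard quoted in the issue: non-strings, opted-out fields and
// clean strings produce no issues; anything else is reported with its position.
function checkField(name, value, schema) {
  if (typeof value !== 'string' || allowsControlChars(schema) || !hasControlChars(value)) return [];
  const idx = value.search(CONTROL_CHARS);
  const code = value.charCodeAt(idx).toString(16).padStart(2, '0');
  return [{ field: name, message: `control character 0x${code} at index ${idx}` }];
}

// Parser-wide pass: every parsed field goes through the same check, so
// command authors do not have to add per-command validation.
function checkParsedArgs(args, schemas) {
  return Object.entries(args).flatMap(([name, value]) => checkField(name, value, schemas[name]));
}

// Constructed sample schemas and arguments (not taken from the project).
const schemas = {
  file: { type: 'string' },
  title: { type: 'string' },
  body: { type: 'string', meta: { allowControlChars: true } }, // multi-line text opts out
  count: { type: 'number' },
};
const args = {
  file: 'notes/todo.md',
  title: 'done\x1b[2K\rall checks passed', // escape sequence and CR embedded in a title
  body: 'line one\nline two',
  count: 3,
};

const issues = checkParsedArgs(args, schemas);
console.log(issues);
```

Only `title` is reported: `body` carries a newline but is opted out through its metadata, and `count` is not a string.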
