From 66a5bc64db92996f86674e5d4d5fc71ccb08dc3e Mon Sep 17 00:00:00 2001
From: teknium1
Date: Fri, 27 Feb 2026 22:50:26 -0800
Subject: [PATCH] fix(process): use shlex to safely quote commands in bg_command for improved security

---
 tools/process_registry.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/process_registry.py b/tools/process_registry.py
index b04188d28..bfdb8cd1d 100644
--- a/tools/process_registry.py
+++ b/tools/process_registry.py
@@ -32,6 +32,7 @@ Usage:
 import json
 import logging
 import os
+import shlex
 import shutil
 import signal
 import subprocess
@@ -247,9 +248,9 @@ class ProcessRegistry:
 # Run the command in the sandbox with output capture
 log_path = f"/tmp/hermes_bg_{session.id}.log"
 pid_path = f"/tmp/hermes_bg_{session.id}.pid"
- safe_command = command.replace("'", "'\''")
+ quoted_command = shlex.quote(command)
 bg_command = (
- f"nohup bash -c '{safe_command}' > {log_path} 2>&1 & "
+ f"nohup bash -c {quoted_command} > {log_path} 2>&1 & "
 f"echo $! > {pid_path} && cat {pid_path}"
 )
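Review bot: `shlex.quote` now covers `command`, but `log_path` and `pid_path` are still interpolated into `bg_command` unquoted, and both are derived from `session.id`; unless that id is guaranteed to be a generated safe token, the redirect targets remain the only unquoted shell inputs on the line. Quoting them as well keeps the construction uniform: `f"nohup bash -c {quoted_command} > {shlex.quote(log_path)} 2>&1 & "` and `f"echo $! > {shlex.quote(pid_path)} && cat {shlex.quote(pid_path)}"`. Because `shlex.quote` emits POSIX single-quoting and the line runs via `bash -c`, a comment such as `# shlex.quote yields POSIX single-quoting; bg_command must execute under a POSIX-compatible shell` would record that assumption for whoever changes the sandbox shell later. The fixed `/tmp/hermes_bg_*` names are predictable, which only matters if the sandbox's /tmp is shared with other principals; the hunk does not show that. The enclosing method starts outside the hunk, so where `session.id` originates is not visible here.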