v0.1.5

Released on 2026-03-12. Full changelog

Flag patterns with wildcard values like `curl * --output *` did not match `=`-joined flag tokens such as `--output=file.txt`. This meant security rules could be bypassed by using the `=` form:

runok.yml

```yaml
rules:
  - deny: 'curl * --output *'
```

```sh
# Before: bypassed the deny rule
curl https://example.com --output=malicious.sh
# After: correctly denied
curl https://example.com --output=malicious.sh
```
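The gap described above, reduced to a simplified token matcher. This is an added example, not runok's code: the pattern semantics and the names `split_joined`, `parse_pattern` and `matches` are assumptions made for illustration. It shows that splitting `--flag=value` into two tokens before matching makes both spellings hit the same rule.

```python
import shlex

RULE = "curl * --output *"  # deny pattern from the release note

def split_joined(tokens):
    """Expand '--flag=value' into ['--flag', 'value'] so both spellings match."""
    out = []
    for tok in tokens:
        if tok.startswith("-") and "=" in tok:
            out.extend(tok.split("=", 1))
        else:
            out.append(tok)
    return out

def parse_pattern(pattern):
    """Split a pattern into (command, literal tokens, flags requiring a value)."""
    toks = shlex.split(pattern)
    literals, valued_flags = [], []
    i = 1
    while i < len(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if toks[i].startswith("-") and nxt == "*":
            valued_flags.append(toks[i])  # 'flag *' means: flag with any value
            i += 2
            continue
        if toks[i] != "*":                # a bare '*' stands for any arguments
            literals.append(toks[i])
        i += 1
    return toks[0], literals, valued_flags

def matches(pattern, command, normalize):
    """True if command matches pattern; normalize=False models the pre-fix gap."""
    cmd, literals, valued_flags = parse_pattern(pattern)
    argv = shlex.split(command)
    if not argv or argv[0] != cmd:
        return False
    args = split_joined(argv[1:]) if normalize else argv[1:]
    for flag in valued_flags:
        # the flag must appear as its own token and be followed by a value
        if not any(a == flag and i + 1 < len(args) for i, a in enumerate(args)):
            return False
    return all(lit in args for lit in literals)

if __name__ == "__main__":
    for cmd in ("curl https://example.com --output file.sh",
                "curl https://example.com --output=malicious.sh"):
        print(cmd, "| naive:", matches(RULE, cmd, False),
              "| normalized:", matches(RULE, cmd, True))
```

When writing rules for any command filter, test each value-taking flag in both its space-separated and `=`-joined spelling.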

Flag negation no longer consumed as preceding flag’s value (#191)

In patterns like `git interpret-trailers --parse !--in-place *`, the negation `!--in-place` was incorrectly parsed as the value of `--parse`, making the negation ineffective:

runok.yml

```yaml
rules:
  - allow: 'git interpret-trailers --parse !--in-place *'
```

```sh
# Before: !--in-place was consumed as --parse's value,
# so --in-place was not blocked
git interpret-trailers --parse --in-place file.txt # → allow (wrong)
# After: negation works correctly
git interpret-trailers --parse --in-place file.txt # → no match (correct)
```