fix: address PR review issues in interactive and local-ops

- Guard against empty multiselect options when only errorMonitoring is available
- Use purpose field for example detection in handleConfirm with string fallback
- Block glob (*, ?) and brace ({, }) expansion in shell metacharacter validation
- Improve metacharacter ordering docs and add Unix shell scope comment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: betegon

src/lib/init/interactive.ts

@@ -96,6 +96,13 @@ async function handleMultiSelect(
 
   const optional = available.filter((f) => f !== REQUIRED_FEATURE);
 
+  if (optional.length === 0) {
+    if (hasRequired) {
+      log.info(`${featureLabel(REQUIRED_FEATURE)} is always included.`);
+    }
+    return { features: hasRequired ? [REQUIRED_FEATURE] : [] };
+  }
+
   const hints: string[] = [];
   if (hasRequired) {
     hints.push(
@@ -127,8 +134,11 @@ async function handleConfirm(
   payload: InteractivePayload,
   options: WizardOptions
 ): Promise<Record<string, unknown>> {
+  const isExample =
+    payload.purpose === "add-example" || payload.prompt.includes("example");
+
   if (options.yes) {
-    if (payload.prompt.includes("example")) {
+    if (isExample) {
       log.info("Auto-confirmed: adding example trigger");
       return { addExample: true };
     }
@@ -143,7 +153,7 @@ async function handleConfirm(
 
   const value = abortIfCancelled(confirmed);
 
-  if (payload.prompt.includes("example")) {
+  if (isExample) {
     return { addExample: value };
   }
   return { action: value ? "continue" : "stop" };

src/lib/init/local-ops.ts

@@ -27,11 +27,15 @@ import type {
 /**
  * Shell metacharacters that enable chaining, piping, substitution, or redirection.
  * All legitimate install commands are simple single commands that don't need these.
+ *
+ * Ordering matters for error-message accuracy (not correctness): multi-character
+ * operators like `&&` and `||` are checked before their single-character prefixes
+ * (`&`, `|`) so the reported label describes the actual construct the user wrote.
  */
 const SHELL_METACHARACTER_PATTERNS: Array<{ pattern: string; label: string }> =
   [
     { pattern: ";", label: "command chaining (;)" },
-    // Check multi-char operators before single `|` so labels are accurate
+    // Check multi-char operators before single `|` / `&` so labels are accurate
     { pattern: "&&", label: "command chaining (&&)" },
     { pattern: "||", label: "command chaining (||)" },
     { pattern: "|", label: "piping (|)" },
@@ -48,6 +52,12 @@ const SHELL_METACHARACTER_PATTERNS: Array<{ pattern: string; label: string }> =
     { pattern: ">", label: "redirection (>)" },
     { pattern: "<", label: "redirection (<)" },
     { pattern: "&", label: "background execution (&)" },
+    // Glob and brace expansion — brace expansion is the real risk
+    // (e.g. `npm install {evil,@sentry/node}`)
+    { pattern: "{", label: "brace expansion ({)" },
+    { pattern: "}", label: "brace expansion (})" },
+    { pattern: "*", label: "glob expansion (*)" },
+    { pattern: "?", label: "glob expansion (?)" },
   ];
 
 const WHITESPACE_RE = /\s+/;
@@ -336,6 +346,8 @@ async function runCommands(
   return { ok: true, data: { results } };
 }
 
+// Note: shell: true targets Unix shells. Windows cmd.exe metacharacters
+// (%, ^) are not blocked; the CLI assumes a Unix Node.js environment.
 function runSingleCommand(
   command: string,
   cwd: string,

test/lib/init/interactive.test.ts

@@ -252,6 +252,21 @@ describe("handleMultiSelect", () => {
     ).rejects.toThrow("Setup cancelled");
   });
 
+  test("returns required feature without calling multiselect when only errorMonitoring available", async () => {
+    const result = await handleInteractive(
+      {
+        type: "interactive",
+        prompt: "Select features",
+        kind: "multi-select",
+        availableFeatures: ["errorMonitoring"],
+      },
+      makeOptions({ yes: false })
+    );
+
+    expect(result).toEqual({ features: ["errorMonitoring"] });
+    expect(multiselectSpy).not.toHaveBeenCalled();
+  });
+
   test("excludes errorMonitoring from multiselect options (always included)", async () => {
     multiselectSpy.mockImplementation(
       () => Promise.resolve(["performanceMonitoring"]) as any
@@ -336,6 +351,49 @@ describe("handleConfirm", () => {
     ).rejects.toThrow("Setup cancelled");
   });
 
+  test("returns addExample: true via purpose field with --yes", async () => {
+    const result = await handleInteractive(
+      {
+        type: "interactive",
+        prompt: "Would you like to add a trigger?",
+        kind: "confirm",
+        purpose: "add-example",
+      },
+      makeOptions({ yes: true })
+    );
+
+    expect(result).toEqual({ addExample: true });
+  });
+
+  test("returns addExample via purpose field in interactive mode", async () => {
+    confirmSpy.mockImplementation(() => Promise.resolve(false) as any);
+
+    const result = await handleInteractive(
+      {
+        type: "interactive",
+        prompt: "Would you like to add a trigger?",
+        kind: "confirm",
+        purpose: "add-example",
+      },
+      makeOptions({ yes: false })
+    );
+
+    expect(result).toEqual({ addExample: false });
+  });
+
+  test("falls back to prompt string match when no purpose field", async () => {
+    const result = await handleInteractive(
+      {
+        type: "interactive",
+        prompt: "Add an example error trigger?",
+        kind: "confirm",
+      },
+      makeOptions({ yes: true })
+    );
+
+    expect(result).toEqual({ addExample: true });
+  });
+
   test("returns action: stop when user declines non-example prompt", async () => {
     confirmSpy.mockImplementation(() => Promise.resolve(false) as any);
 

test/lib/init/local-ops.test.ts

@@ -86,6 +86,16 @@ describe("validateCommand", () => {
     }
   });
 
+  test("blocks glob and brace expansion characters", () => {
+    for (const cmd of [
+      "npm install {evil,@sentry/node}",
+      "npm install sentry-*",
+      "npm install sentry-?.js",
+    ]) {
+      expect(validateCommand(cmd)).toContain("Blocked command");
+    }
+  });
+
   test("blocks dangerous executables", () => {
     for (const cmd of [
       "rm -rf /",