Address code review feedback: refactor duplicates, enhance security, fix code quality issues

[Copilot]

Description

Addresses multiple code review comments from PR #17: extracts duplicated code to shared utilities, masks API keys in UI, adds command validation, fixes model detection patterns, and removes dead code.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring
• Performance improvement
• Test addition or update
• Dependency update

Related Issues

Changes Made

Code Quality

• Extracted duplicated isExternalPath function to src/utils/pathUtils.ts (used in 3 locations)
• Removed unreachable code after return statements in handleSettingCommand
• Simplified masked variable initialization to eliminate unused assignment
• Removed redundant resolvedBaseUrl variable in resolveLlmConfig

Security Enhancements

• Masked API keys in buildApiKeySelectOptions - now displays Use OPENAI_API_KEY (***abc123) instead of full key
• Added command validation to run_command tool blocking:
  • rm -rf / and variations
  • Direct disk writes to /dev/sda, /dev/nvme0n1p1, /dev/mmcblk0, etc.
  • Filesystem formatting (mkfs)
  • Fork bombs (:(){ :|:& };:)

// Dangerous commands now blocked before execution
const dangerousPatterns = [
  /rm\s+(-[rfRF]*\s*)*\/\s*$/,
  />\s*\/dev\/([shvx]d[a-z]\d*|nvme\d+n\d+p?\d*|mmcblk\d+p?\d*)/,
  /dd\s+.*of=\/dev\/([shvx]d[a-z]\d*|nvme\d+n\d+p?\d*|mmcblk\d+p?\d*)/,
  /mkfs/,
  /:\(\)\s*\{/,
];

• Fixed overly broad model detection: startsWith("o1") → specific matches ("o1", "o1-preview", "o1-mini") to prevent false positives on models like "o10" or "o100"

Type Safety

• Fixed potential null reference in API key masking by extracting to const variables before conditional access

Screenshots (if applicable)

Testing

Test Configuration

• OS: Ubuntu 22.04 (GitHub Actions)
• Terminal: bash
• Bun Version: N/A (tests written for bun test)

Test Cases

• Tested basic chat functionality
• Tested command system
• Tested mention system
• Tested keyboard shortcuts
• Tested with real API endpoint
• Tested error handling
• Ran type checking (bun run typecheck)
• Tested in multiple terminal emulators
• Other: Added unit tests for run_command validation (blocks dangerous commands, allows safe ones)

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings or errors
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published
• I have checked my code and corrected any misspellings
• I have updated the CHANGELOG.md file (if applicable)

Breaking Changes

None. All changes are internal refactors and security enhancements.

Additional Notes

Tool confirmation prompts already displayed arguments - no changes needed. Path validation for @file mentions already present in codebase.

Reviewer Checklist

• Code quality is acceptable
• Tests are adequate
• Documentation is updated
• No security concerns
• Performance impact is acceptable
• Breaking changes are justified and documented

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}