🔒 CLI Security Policy: Mandatory Rules for All Write Commands
Following incident SI-001, the rules below must be applied to every CLI command that writes to the file system:
Rule 1: Copy before converting (Copy-on-Convert)
Any conversion tool must create a new directory and must never modify the original source.
Rule 2: Enforce sandbox boundaries (Sandbox Enforcement)
All write operations must take place inside ProjectContext.Root.
Rule 3: The source is read-only (Read-Only Source)
The source project is only read: nothing is written to it, nothing is deleted from it, and nothing in it is modified.
Rule 4: Safe wrappers are mandatory (Safe Wrappers)
Calling File.WriteAllText / File.Delete / Directory.Delete directly in ConvertCommand is prohibited.
SafeWriteAllText / SafeDelete / SafeDeleteDirectory must be used instead.
Rule 5: No path traversal (No Path Traversal)
Paths outside the root are rejected automatically by IsInsideSandbox().
Automated verification
cli-sandbox-audit.yml runs on every push and pull request
- It scans all Commands/*.cs files for:
  - Unwrapped File.WriteAllText / File.Delete / Directory.Delete calls
  - Hard-coded absolute paths
  - Operations without an IsInsideSandbox check
- A failure breaks the build; nothing can be merged without passing the check
Reference files
docs/SECURITY_INCIDENT_001.md: the full incident report
docs/CLI_SECURITY_POLICY.md: the security policy
docs/SecurityModel.md: the CLI Filesystem Security section
.github/workflows/cli-sandbox-audit.yml: the automated check
Migrated from: WasmMvcRuntime #34
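
Rules 2, 4 and 5 above, as an added C# example that is not the project's own code: one way a containment check and a safe write wrapper could be written. The `SandboxGuard` class, the explicit `root` parameter (standing in for ProjectContext.Root) and the sample paths are assumptions; only the names IsInsideSandbox and SafeWriteAllText come from the policy.

```csharp
using System;
using System.IO;

// Hypothetical sketch: SandboxGuard and the explicit root parameter are assumptions.
public static class SandboxGuard
{
    // Linux paths are case-sensitive; Windows and macOS volumes usually are not.
    private static readonly StringComparison Cmp = OperatingSystem.IsLinux()
        ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase;

    // Resolve "." and ".." first; relative input is taken relative to the root.
    private static string Resolve(string root, string path) =>
        Path.GetFullPath(path, Path.GetFullPath(root));

    public static bool IsInsideSandbox(string root, string path)
    {
        string fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root));
        string full = Resolve(root, path);
        // Compare against root + separator: a bare prefix test would accept
        // a sibling such as "app-evil" when the root is "app".
        return full.Equals(fullRoot, Cmp)
            || full.StartsWith(fullRoot + Path.DirectorySeparatorChar, Cmp);
    }

    public static void SafeWriteAllText(string root, string path, string contents)
    {
        if (!IsInsideSandbox(root, path))
            throw new UnauthorizedAccessException($"Write outside sandbox rejected: {path}");
        string full = Resolve(root, path);
        Directory.CreateDirectory(Path.GetDirectoryName(full)!);
        File.WriteAllText(full, contents);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample paths, relative and absolute.
        string root = Path.Combine(Path.GetTempPath(), "sandbox-demo", "app");
        string[] samples = { "out/index.html", "../app-evil/x.cs", "../../outside.txt",
                             root + "-evil/a.cs", "a/../b.cs" };
        foreach (string s in samples)
            Console.WriteLine($"{s} -> {SandboxGuard.IsInsideSandbox(root, s)}");
    }
}
```

Path.GetFullPath normalizes the path string but does not resolve symbolic links or junctions, so a link inside the root that points elsewhere still passes this check and needs separate handling.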