From 57237d9faac3c75fbeb4950306478c53f9a9a281 Mon Sep 17 00:00:00 2001
From: Lawrence Chen <54008264+lawrencecchen@users.noreply.github.com>
Date: Wed, 25 Mar 2026 00:28:30 -0700
Subject: [PATCH] Sanitize command before execution, not just display (#2122)

The confirm dialog showed a sanitized command (BiDi/zero-width stripped)
but executed the raw string, creating a display/consent mismatch.
Now the command is sanitized once and the same string is used for both
display and execution.

Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
---
 Sources/CmuxConfigExecutor.swift | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Sources/CmuxConfigExecutor.swift b/Sources/CmuxConfigExecutor.swift
index 070e57d7..df727615 100644
--- a/Sources/CmuxConfigExecutor.swift
+++ b/Sources/CmuxConfigExecutor.swift
@@ -13,7 +13,8 @@ struct CmuxConfigExecutor {
     ) {
         if let workspace = command.workspace {
             executeWorkspaceCommand(command: command, workspace: workspace, tabManager: tabManager, baseCwd: baseCwd)
-        } else if let shellCommand = command.command {
+        } else if let rawCommand = command.command {
+            let shellCommand = sanitizeForDisplay(rawCommand)
             let needsConfirm = command.confirm ?? false
             if needsConfirm, let sourcePath = configSourcePath {
                 let trusted = CmuxDirectoryTrust.shared.isTrusted(