NAME

echo - audited passthrough wrapper around /bin/echo

SYNOPSIS

echo

DESCRIPTION

Audited pass-through wrapper around /bin/echo. Any argv after echo is forwarded to the binary after policy.ValidateArg rejection of shell metacharacters. Every call lands a JSONL row in the audit log with timestamp, full argv, cwd, exit code.

Examples:

# forward to /bin/echo
passthrough-demo -- echo hello world
# hello world
# audit log: $TMPDIR/cli-guard-passthrough.jsonl

# rejected by policy
passthrough-demo -- echo 'hello; rm -rf /'
# rejected by policy: shell metacharacter in argv

# SkipFlagParsing means flags after the binary name go straight
# through. -n is a real /bin/echo flag, not a coily flag.
passthrough-demo -- echo -n no-newline

What the wrapper does NOT do: validate semantics. -- echo --version runs echo --version, which prints "--version" because /bin/echo ignores unknown flags. coily does not parse the wrapped tool's flag syntax. Choosing safe binaries is part of the integration design.

Agent behavior: surface rejection errors verbatim; do not retry with quoted/escaped variants. If a binary's legitimate use requires shell metacharacters in argv (rare), the right answer is a coily-side wrapper script that pre-tokenizes the input, not a runtime escape.

Usage:

echo [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]

echo - cli-guard examples/passthrough

NAME

SYNOPSIS

DESCRIPTION