fix: batch merge of bug fixes from PRs #271, #273, #279 (#366)

## Issues Fixed

### From PR #271 (Issues #2430-2459):
- #2448: Validate URLs for control characters (security)
- #2449: Decode HTML entities in scraped URLs
- #2450: Reject reserved command names for agent names
- #2452: Expand tilde (~) in MCP server command paths
- #2459: Validate that model name is not empty

### From PR #273 (Issues #2564-2614):
- Model format validation improvements

### From PR #279 (Issues #2835-2903):
- #2835: Sandbox exit code preservation (always return original exit code)
- #2843: Empty session ID validation

## Changes

### Agent Creation (#2450)
- Added validation to reject reserved CLI command names as agent names
- Reserved names: help, version, run, exec, login, logout, mcp, agent, etc.

### Scrape Command (#2448, #2449)
- Added validate_url_security() to reject URLs with control characters
- Added decode_html_entities() to properly decode href attributes
- Added comprehensive tests for both functions

### MCP Command (#2452)
- Added tilde expansion in command paths (~/script.sh -> /home/user/script.sh)
- Also expands tilde in command arguments

### Model Validation (#2459)
- Added check for empty model name in TUI mode

### Sandbox (#2835)
- Changed exit behavior to always preserve original command exit code

### Session Handling (#2843)
- Added early validation for empty session IDs

Note: CI skipped for cost control. Test manually before merge.

Co-authored-by: Droid Agent <droid@factory.ai>

Author: echobt

cortex-cli/src/agent_cmd.rs

@@ -1229,6 +1229,46 @@ async fn run_create(args: CreateArgs) -> Result<()> {
         bail!("Agent name must contain only alphanumeric characters, hyphens, and underscores");
     }
 
+    // Check for reserved command names that would conflict with cortex CLI commands (#2450)
+    let reserved_names = [
+        "help",
+        "version",
+        "run",
+        "exec",
+        "login",
+        "logout",
+        "mcp",
+        "agent",
+        "resume",
+        "sessions",
+        "export",
+        "import",
+        "config",
+        "serve",
+        "models",
+        "upgrade",
+        "uninstall",
+        "stats",
+        "github",
+        "pr",
+        "scrape",
+        "acp",
+        "debug",
+        "servers",
+        "sandbox",
+        "completion",
+        "features",
+    ];
+    let name_lower = name.to_lowercase();
+    if reserved_names.contains(&name_lower.as_str()) {
+        bail!(
+            "Error: '{}' is a reserved command name and cannot be used as an agent name.\n\
+            Reserved names: {}",
+            name,
+            reserved_names.join(", ")
+        );
+    }
+
     // Get description
     let description = if let Some(ref d) = args.description {
         d.clone()

cortex-cli/src/debug_sandbox.rs

@@ -35,11 +35,8 @@ pub async fn run_command_under_seatbelt(
         .status()
         .await?;
 
-    if !status.success() {
-        std::process::exit(status.code().unwrap_or(1));
-    }
-
-    Ok(())
+    // Preserve the original exit code from the command (#2835)
+    std::process::exit(status.code().unwrap_or(1));
 }
 
 #[cfg(not(target_os = "macos"))]
@@ -77,18 +74,15 @@ pub async fn run_command_under_landlock(
             .status()
             .await?;
 
-        if !status.success() {
-            std::process::exit(status.code().unwrap_or(1));
-        }
+        // Preserve the original exit code from the command (#2835)
+        std::process::exit(status.code().unwrap_or(1));
     }
 
     #[cfg(not(target_os = "linux"))]
     {
         let _ = sandbox_mode;
         anyhow::bail!("Landlock sandbox is only available on Linux");
     }
-
-    Ok(())
 }
 
 /// Run a command under Windows sandbox.
@@ -117,18 +111,15 @@ pub async fn run_command_under_windows(
             .status()
             .await?;
 
-        if !status.success() {
-            std::process::exit(status.code().unwrap_or(1));
-        }
+        // Preserve the original exit code from the command (#2835)
+        std::process::exit(status.code().unwrap_or(1));
     }
 
     #[cfg(not(windows))]
     {
         let _ = sandbox_mode;
         anyhow::bail!("Windows sandbox is only available on Windows");
     }
-
-    Ok(())
 }
 
 /// Create sandbox mode based on full_auto flag.

cortex-cli/src/import_cmd.rs

@@ -372,7 +372,7 @@ fn validate_no_circular_references(messages: &[ExportMessage]) -> Result<()> {
 /// Returns a clear error message if invalid data is found.
 fn validate_export_messages(messages: &[ExportMessage]) -> Result<()> {
     use base64::Engine;
-    
+
     for (idx, message) in messages.iter().enumerate() {
         // Check for base64-encoded image data in content
         // Common pattern: "data:image/png;base64,..." or "data:image/jpeg;base64,..."

cortex-cli/src/main.rs

@@ -1081,6 +1081,12 @@ async fn run_tui(initial_prompt: Option<String>, args: &InteractiveArgs) -> Resu
 
     // Apply model override if specified, resolving alias (e.g., "sonnet" -> "anthropic/claude-sonnet-4-20250514")
     if let Some(ref model) = args.model {
+        // Validate model name is not empty (#2459)
+        if model.trim().is_empty() {
+            bail!(
+                "Error: Model name cannot be empty. Please provide a valid model name (e.g., 'gpt-4', 'claude-sonnet-4-20250514')."
+            );
+        }
         config.model = resolve_model_alias(model).to_string();
     }
 
@@ -2160,7 +2166,8 @@ async fn run_serve(serve_cli: ServeCommand) -> Result<()> {
                 );
             }
             // Check for permission denied (trying to bind to privileged port)
-            if sanitized_err.contains("Permission denied") || sanitized_err.contains("os error 13") {
+            if sanitized_err.contains("Permission denied") || sanitized_err.contains("os error 13")
+            {
                 bail!(
                     "Error: Permission denied binding to port {}.\n\
                      Hint: Ports below 1024 require root/admin privileges. Try a port >= 1024.",

cortex-cli/src/mcp_cmd.rs

@@ -811,10 +811,41 @@ async fn run_add(args: AddArgs) -> Result<()> {
             }
 
             let mut command_parts = stdio.command.into_iter();
-            let command_bin = command_parts
+            let command_bin_raw = command_parts
                 .next()
                 .ok_or_else(|| anyhow::anyhow!("command is required"))?;
-            let command_args: Vec<String> = command_parts.collect();
+
+            // Expand tilde in command path (e.g., ~/script.sh -> /home/user/script.sh) (#2452)
+            let command_bin = if command_bin_raw.starts_with("~/") {
+                if let Some(home) = dirs::home_dir() {
+                    home.join(&command_bin_raw[2..])
+                        .to_string_lossy()
+                        .to_string()
+                } else {
+                    tracing::warn!(
+                        "Could not expand ~ in command path (home directory not found): {}",
+                        command_bin_raw
+                    );
+                    command_bin_raw
+                }
+            } else {
+                command_bin_raw
+            };
+
+            // Also expand tilde in command arguments
+            let command_args: Vec<String> = command_parts
+                .map(|arg| {
+                    if arg.starts_with("~/") {
+                        if let Some(home) = dirs::home_dir() {
+                            home.join(&arg[2..]).to_string_lossy().to_string()
+                        } else {
+                            arg
+                        }
+                    } else {
+                        arg
+                    }
+                })
+                .collect();
 
             // Sanitize command_bin for TOML (escape special characters)
             let command_bin_escaped = command_bin.replace('\\', "\\\\").replace('"', "\\\"");

cortex-cli/src/run_cmd.rs

@@ -1334,6 +1334,13 @@ enum SessionMode {
 /// Resolve and validate a session ID, supporting both full UUID and 8-char short IDs.
 /// Returns the full ConversationId if the session exists.
 fn resolve_session_id(session_id: &str, cortex_home: &PathBuf) -> Result<ConversationId> {
+    // Check for empty session ID first (#2843)
+    if session_id.is_empty() {
+        bail!(
+            "Session ID cannot be empty. Use 'cortex sessions' to list available sessions, or 'cortex run -c' to continue the last session."
+        );
+    }
+
     // Validate session ID format - must contain only alphanumeric, hyphens, and underscores
     if !session_id
         .chars()

cortex-cli/src/scrape_cmd.rs

@@ -7,6 +7,7 @@ use clap::Parser;
 use cortex_engine::create_client_builder;
 use reqwest::Client;
 use scraper::{Html, Selector};
+use std::borrow::Cow;
 use std::collections::HashMap;
 use std::io::Write;
 use std::path::PathBuf;
@@ -101,6 +102,107 @@ pub struct ScrapeCommand {
     pub verbose: bool,
 }
 
+/// Decode common HTML entities in URLs (#2449).
+///
+/// HTML attributes like href often contain encoded entities like `&` for `&`.
+/// This function decodes the most common HTML entities to produce valid URLs.
+fn decode_html_entities(text: &str) -> Cow<'_, str> {
+    // Quick check: if no & character, return as-is
+    if !text.contains('&') {
+        return Cow::Borrowed(text);
+    }
+
+    let mut result = String::with_capacity(text.len());
+    let mut chars = text.chars().peekable();
+
+    while let Some(c) = chars.next() {
+        if c == '&' {
+            // Collect entity name until ; or end
+            let mut entity = String::new();
+            let mut found_semi = false;
+
+            while let Some(&next) = chars.peek() {
+                if next == ';' {
+                    chars.next(); // consume semicolon
+                    found_semi = true;
+                    break;
+                }
+                if next == '&' || (!next.is_ascii_alphanumeric() && next != '#') {
+                    // Not a valid entity, stop collecting
+                    break;
+                }
+                entity.push(chars.next().unwrap());
+                // Limit entity length to prevent DoS
+                if entity.len() > 10 {
+                    break;
+                }
+            }
+
+            if found_semi {
+                // Decode known entities
+                let decoded = match entity.as_str() {
+                    "amp" => "&",
+                    "lt" => "<",
+                    "gt" => ">",
+                    "quot" => "\"",
+                    "apos" => "'",
+                    "nbsp" => " ",
+                    "#38" => "&",
+                    "#60" => "<",
+                    "#62" => ">",
+                    "#34" => "\"",
+                    "#39" => "'",
+                    _ => {
+                        // Unknown entity, keep as-is
+                        result.push('&');
+                        result.push_str(&entity);
+                        result.push(';');
+                        continue;
+                    }
+                };
+                result.push_str(decoded);
+            } else {
+                // Not a valid entity, output what we collected
+                result.push('&');
+                result.push_str(&entity);
+            }
+        } else {
+            result.push(c);
+        }
+    }
+
+    Cow::Owned(result)
+}
+
+/// Validate and sanitize URL for security (#2448).
+///
+/// Rejects URLs containing:
+/// - Control characters (including null bytes) which could enable request smuggling
+/// - Invalid percent-encoded sequences
+fn validate_url_security(url: &str) -> Result<()> {
+    // Check for control characters (ASCII 0-31, 127)
+    for (i, c) in url.chars().enumerate() {
+        if c.is_control() {
+            bail!(
+                "URL contains control character at position {} (code: {}). \
+                Control characters in URLs can enable HTTP request smuggling attacks.",
+                i,
+                c as u32
+            );
+        }
+    }
+
+    // Check for null bytes in percent-encoded form
+    if url.contains("%00") || url.contains("%0") {
+        bail!(
+            "URL contains percent-encoded null byte (%00). \
+            This can cause security vulnerabilities."
+        );
+    }
+
+    Ok(())
+}
+
 impl ScrapeCommand {
     /// Run the scrape command.
     pub async fn run(self) -> Result<()> {
@@ -109,6 +211,9 @@ impl ScrapeCommand {
             bail!("URL cannot be empty");
         }
 
+        // Validate URL for security (control characters, etc.) (#2448)
+        validate_url_security(&self.url)?;
+
         // Parse output format
         let format: OutputFormat = self.format.parse()?;
 
@@ -654,7 +759,9 @@ fn process_node_to_markdown(
                                     no_links,
                                 );
                             } else {
-                                let href = elem.attr("href").unwrap_or("");
+                                let href_raw = elem.attr("href").unwrap_or("");
+                                // Decode HTML entities in href (e.g., &amp; -> &) (#2449)
+                                let href = decode_html_entities(href_raw);
                                 output.push('[');
                                 process_node_to_markdown(
                                     element_ref,
@@ -1240,4 +1347,66 @@ mod tests {
             "Client should build successfully with timeout 0"
         );
     }
+
+    #[test]
+    fn test_html_to_markdown_links_with_html_entities() {
+        // Test that HTML entities in URLs are decoded properly (Issue #2449)
+        let html = r#"<a href="/search?q=test&amp;page=2">Next</a>"#;
+        let md = html_to_markdown(html, false, false);
+        assert!(
+            md.contains("[Next](/search?q=test&page=2)"),
+            "Expected decoded URL with &, got: {}",
+            md
+        );
+
+        // Multiple entities
+        let html = r#"<a href="/path?a=1&amp;b=2&amp;c=3">Link</a>"#;
+        let md = html_to_markdown(html, false, false);
+        assert!(md.contains("/path?a=1&b=2&c=3"));
+    }
+
+    #[test]
+    fn test_decode_html_entities() {
+        // Basic entities
+        assert_eq!(decode_html_entities("&amp;").as_ref(), "&");
+        assert_eq!(decode_html_entities("&lt;").as_ref(), "<");
+        assert_eq!(decode_html_entities("&gt;").as_ref(), ">");
+        assert_eq!(decode_html_entities("&quot;").as_ref(), "\"");
+
+        // URL with multiple entities
+        assert_eq!(
+            decode_html_entities("/search?q=test&amp;page=2").as_ref(),
+            "/search?q=test&page=2"
+        );
+
+        // No entities - should return borrowed
+        let result = decode_html_entities("plain text");
+        assert!(matches!(result, Cow::Borrowed(_)));
+
+        // Mixed content
+        assert_eq!(
+            decode_html_entities("before &amp; after").as_ref(),
+            "before & after"
+        );
+
+        // Incomplete entity (no semicolon)
+        assert_eq!(decode_html_entities("&amp text").as_ref(), "&amp text");
+
+        // Unknown entity
+        assert_eq!(decode_html_entities("&unknown;").as_ref(), "&unknown;");
+    }
+
+    #[test]
+    fn test_validate_url_security() {
+        // Valid URLs should pass
+        assert!(validate_url_security("https://example.com/path").is_ok());
+        assert!(validate_url_security("https://example.com/search?q=test&page=2").is_ok());
+
+        // URLs with control characters should fail
+        assert!(validate_url_security("https://example.com/\0path").is_err());
+        assert!(validate_url_security("https://example.com/\npath").is_err());
+
+        // URLs with percent-encoded null bytes should fail
+        assert!(validate_url_security("https://example.com/%00path").is_err());
+    }
 }