Fix terminal command substitution quote handling

[pragnyanramtha]

Description

Fixes command-substitution scanning in @continuedev/terminal-security so it follows shell quoting rules more closely:

• ignores $() and backticks when they are literal text inside single quotes
• keeps command-substitution detection active inside double quotes
• evaluates nested commands inside process substitutions such as <(...)
• treats process-substitution-looking text inside double quotes as literal text

This avoids unnecessary permission prompts for safe commands like echo 'literal $(name)' while preserving and tightening detection for executable substitutions.

AI Code Review

• Team members only: AI review runs automatically when PR is opened or marked ready for review
• Team members can also trigger a review by commenting @continue-review

Checklist

• I've read the contributing guide
• The relevant docs, if any, have been updated or created
• The relevant tests, if any, have been updated or created

Screen recording or screenshot

N/A - terminal-security unit test coverage only.

Tests

• npx vitest run test/terminalCommandSecurity.test.ts -t "Subshell and Command Substitution"
• npm test
• npm run build
• git diff --check

---

Summary by cubic

Fixes command-substitution detection in @continuedev/terminal-security to follow shell quoting rules. Reduces false permission prompts while tightening detection for nested and process substitutions.

• Bug Fixes

  • Ignore $() and backticks inside single quotes; keep detection inside double quotes.
  • Detect nested substitutions and process substitutions like <(...)/>(...), but treat them as literal inside double quotes.
  • Add quote/escape-aware parsing via scanCommandSubstitutions, findClosingBacktick, and findClosingParen, plus tests for single vs. double quotes and process substitutions.

• CI

  • Increase VSIX upload workflow timeout to 15 minutes to reduce upload flakiness.

^{Written for commit 520941b. Summary will update on new commits. Review in cubic}

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}

[pragnyanramtha]

I have read the CLA Document and I hereby sign the CLA

[pragnyanramtha]

Pushed 520941bfe to address the Windows VSIX check cancellation.

The previous Windows job had already packaged the extension and uploaded both artifacts, then hit the workflow timeout-minutes: 10 during post-job cleanup/cache saving. This raises that job timeout to 15 minutes so the Windows runner can finish cleanup like the Linux/macOS jobs.

Validation run locally on the touched area:

• git diff --check
• npm ci in packages/terminal-security
• npm test -- --run test/terminalCommandSecurity.test.ts -t "Subshell and Command Substitution"
• npm run build in packages/terminal-security

The new GitHub checks are running on head 520941bfe.

[pragnyanramtha]

All standard GitHub checks on the current head are green, including CLA, PR Checks, CLI PR Checks, VSIX packaging, GitGuardian, and Cubic.

The only remaining status blockers I can see are the Continuous AI contexts, which have been pending since 2026-05-19 02:13 UTC:

• Continuous AI: Anti-slop
• Continuous AI: Breaking Change Detector
• Continuous AI: Dependency Security Review
• Continuous AI: Error Message Quality
• Continuous AI: Input Validation
• Continuous AI: React Best Practices
• Continuous AI: Security Audit
• Continuous AI: Setup Scripts
• Continuous AI: Stale & Misleading Comments
• Continuous AI: Test Coverage
• Continuous AI: Update AGENTS.md
• Continuous AI: Update Continue Docs

Could a maintainer rerun or clear those stale Continuous AI statuses if they are still required for merge?