shared

Warn

Audited by Socket on Feb 19, 2026

1 alert found:

Security: MEDIUM
validation-contract.md

This spec describes a reasonable validation framework but contains high-risk operational patterns: it runs arbitrary shell commands supplied in task/plan metadata using subprocess.run(..., shell=True) and reads arbitrary file paths supplied by metadata. If untrusted actors can control TaskCreate metadata or plan 'Always' boundaries, they can execute arbitrary commands, exfiltrate data, or cause destructive actions on the validation host. The document does not specify mitigations (sandboxing, command whitelists, input sanitization, least-privilege execution), so using an implementation that follows this spec without additional protections is dangerous. Recommend treating metadata.command/tests/lint/custom/cross_cutting.command as untrusted input and implementing strict mitigations (no shell=True, command whitelists or explicit allowed tools, containerized/sandboxed validation runners, path sanitization, output redaction in retry contexts).

Confidence: 90%
Severity: 70%
Audit Metadata
Analyzed At
Feb 19, 2026, 01:55 PM
Package URL
pkg:socket/skills-sh/boshu2%2Fagentops%2Fshared%2F@55d69e352d96c44fe0423d0d43e24cfbb1852da2