test: fix no-isolate canvas and timer regressions

2026-04-28 08:52:45 +00:00 · 2026-03-22 12:09:32 -07:00
parent e80d456608
commit aef2c60aa5
3 changed files with 29 additions and 6 deletions
--- a/docs/tools/exec-approvals.md
+++ b/docs/tools/exec-approvals.md
@@ -179,14 +179,14 @@ Long options are validated fail-closed in safe-bin mode: unknown flags and ambig
 abbreviations are rejected.
 Denied flags by safe-bin profile:

-<!-- SAFE_BIN_DENIED_FLAGS:START -->
+[//]: # "SAFE_BIN_DENIED_FLAGS:START"

 - `grep`: `--dereference-recursive`, `--directories`, `--exclude-from`, `--file`, `--recursive`, `-R`, `-d`, `-f`, `-r`
 - `jq`: `--argfile`, `--from-file`, `--library-path`, `--rawfile`, `--slurpfile`, `-L`, `-f`
 - `sort`: `--compress-program`, `--files0-from`, `--output`, `--random-source`, `--temporary-directory`, `-T`, `-o`
 - `wc`: `--files0-from`

-<!-- SAFE_BIN_DENIED_FLAGS:END -->
+[//]: # "SAFE_BIN_DENIED_FLAGS:END"

 Safe bins also force argv tokens to be treated as **literal text** at execution time (no globbing
 and no `$VARS` expansion) for stdin-only segments, so patterns like `*` or `$HOME/...` cannot be
@@ -217,11 +217,11 @@ If you allowlist interpreters like `python3` or `node`, prefer `tools.exec.stric

 Default safe bins:

-<!-- SAFE_BIN_DEFAULTS:START -->
+[//]: # "SAFE_BIN_DEFAULTS:START"

 `cut`, `uniq`, `head`, `tail`, `tr`, `wc`

-<!-- SAFE_BIN_DEFAULTS:END -->
+[//]: # "SAFE_BIN_DEFAULTS:END"

 `grep` and `sort` are not in the default list. If you opt in, keep explicit allowlist entries for
 their non-stdin workflows.