Analyzed: March 31, 2026 leak snapshot

INTERNAL_ONLY_COMMANDS registrations

src/commands.ts defines INTERNAL_ONLY_COMMANDS and injects them into COMMANDS() only when:
  • process.env.USER_TYPE === 'ant'
  • !process.env.IS_DEMO
Documented internal-only command names in this snapshot: /backfill-sessions, /break-cache, /bughunter, /commit, /commit-push-pr, /ctx_viz, /goodClaude, /issue, /init-verifiers, /force-snip (when enabled), /mock-limits, /bridge-kick, /version, /ultraplan (when enabled), /subscribe-pr (when enabled), /reset-limits, /reset-limits-noninteractive, /onboarding, /share, /summary, /teleport, /ant-trace, /perf-issue, /env, /oauth-refresh, /debug-tool-call, /agents-platform, /autofix-pr

Additional command sources merged by getCommands()

Beyond built-ins, getCommands(cwd) also merges command-like entries from:
  • skill directory commands
  • plugin skills
  • bundled skills
  • builtin plugin skill commands
  • plugin commands
  • workflow commands
  • dynamic skills discovered during file operations
This means the command palette is a composed surface, not just COMMANDS().

Bridge and remote safety notes

src/commands.ts also exports safety filters used in restricted contexts:
  • REMOTE_SAFE_COMMANDS
  • BRIDGE_SAFE_COMMANDS
  • isBridgeSafeCommand()
These are the command-level controls that keep unsafe command types out of remote/bridge execution paths.
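
The sketch below combines the two controls described on this page: environment-gated registration of internal commands, and an allowlist applied to the merged command surface. It is an added example, not code from the snapshot. Assumptions: the `Command` shape, `buildCommands`, `filterForBridge`, `EXAMPLE_BRIDGE_SAFE` and its contents, and the sample names `/help` and `/plugin-deploy` are hypothetical, and the two env conditions are treated as a conjunction.

```typescript
// Added example: hypothetical types and names, not taken from the snapshot.
type Source = "builtin" | "internal" | "plugin";
interface Command { name: string; source: Source }
type Env = Record<string, string | undefined>;

const BUILTIN: Command[] = [{ name: "/help", source: "builtin" }]; // constructed sample
const INTERNAL_ONLY: Command[] = [
  { name: "/env", source: "internal" },     // names listed on this page
  { name: "/version", source: "internal" },
];

// The two conditions from the page, assumed to be ANDed.
// Any non-empty IS_DEMO string is truthy in JavaScript, so IS_DEMO="false"
// still suppresses registration of the internal commands.
function internalEnabled(env: Env): boolean {
  return env["USER_TYPE"] === "ant" && !env["IS_DEMO"];
}

// Composed surface: built-ins, gated internal commands, then external sources
// (plugins, skills, workflows), in the spirit of what getCommands() merges.
function buildCommands(env: Env, external: Command[]): Command[] {
  const internal = internalEnabled(env) ? INTERNAL_ONLY : [];
  return [...BUILTIN, ...internal, ...external];
}

// Assumed allowlist keyed by source AND name, so a plugin command that reuses
// an allowed name does not inherit the built-in command's trust.
const EXAMPLE_BRIDGE_SAFE = new Set<string>(["builtin:/help"]);

function isExampleBridgeSafe(cmd: Command): boolean {
  return EXAMPLE_BRIDGE_SAFE.has(`${cmd.source}:${cmd.name}`);
}

// Fail closed: filter the merged list, so anything not explicitly allowed
// (internal commands, unknown plugin commands) is dropped for bridge use.
function filterForBridge(cmds: Command[]): string[] {
  return cmds.filter(isExampleBridgeSafe).map((c) => `${c.source}:${c.name}`);
}
```

Filtering after the merge rather than per source is the design point: every entry in the composed surface passes through the same default-deny check.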