npm - @codyswann/lisa - Versions diffs - 2.163.3 → 2.163.5 - Mend

@codyswann/lisa 2.163.3 → 2.163.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/plugins/src/base/hooks/block-no-verify.agy.sh CHANGED Viewed

@@ -3,8 +3,9 @@
 # git quality gates (exact parity with the Claude block-no-verify.sh): the
 # `--no-verify` long flag, `HUSKY=0`/`HUSKY_SKIP_HOOKS=` (disables husky hooks),
 # and `core.hooksPath` pointed at /dev/null or set empty (disables all git
-# hooks). The short `-n` form is intentionally NOT matched, to avoid false
-# positives (see the matching block below).
+# hooks). Shell-token matching avoids false positives from issue bodies,
+# heredocs, and commit-message prose while still catching quoted real argv
+# values such as `git -c "core.hooksPath=/dev/null"`.
 #
 # agy protocol (distinct from the Claude block-no-verify.sh exit-code protocol):
 #   - stdin  = JSON: { "toolCall": { "name": "run_command",
@@ -34,17 +35,65 @@ input="$(cat 2>/dev/null || true)"
 command_str="$(printf '%s' "$input" | jq -r '.toolCall.args.CommandLine // empty' 2>/dev/null || true)"
 [ -z "$command_str" ] && allow
-# Each pattern is bounded so longer flags (--no-verify-ssl) and legit values
-# (core.hooksPath=.husky, HUSKY=1) don't match, while every syntactic position
-# is caught (incl. subshells). Exact parity with the Claude block-no-verify.sh.
-# The short `-n` form is intentionally NOT matched — `-n` appears in commit
-# message prose (`git commit -m "fix -n flag"`) and unrelated piped commands
-# (`sort -n x; git commit`), so guarding it false-positives on valid work.
-if printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])--no-verify($|[^[:alnum:]_-])' \
-  || printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])HUSKY=0($|[^[:alnum:]])' \
-  || printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])HUSKY_SKIP_HOOKS=' \
-  || printf '%s' "$command_str" | grep -Eq 'core\.hooksPath([[:space:]]*=)?[[:space:]]*/dev/null' \
-  || printf '%s' "$command_str" | grep -Eq 'core\.hooksPath[[:space:]]*=[[:space:]]*($|[[:space:];&|"'\''])'; then
+command -v python3 >/dev/null 2>&1 || allow
+if ! BLOCK_NO_VERIFY_COMMAND="$command_str" python3 - <<'PY'
+import os
+import re
+import shlex
+import sys
+command = os.environ.get("BLOCK_NO_VERIFY_COMMAND", "")
+def strip_heredocs(text: str) -> str:
+    lines = text.splitlines()
+    output = []
+    pending = []
+    marker_pattern = re.compile(
+        r"<<-?\s*(?:'([^']+)'|\"([^\"]+)\"|([A-Za-z_][A-Za-z0-9_]*))"
+    )
+    index = 0
+    while index < len(lines):
+        line = lines[index]
+        output.append(line)
+        pending.extend(
+            next(group for group in match.groups() if group)
+            for match in marker_pattern.finditer(line)
+        )
+        index += 1
+        while pending and index < len(lines):
+            if lines[index].strip() == pending[0]:
+                output.append(lines[index])
+                pending.pop(0)
+                index += 1
+                break
+            index += 1
+    return "\n".join(output)
+try:
+    tokens = shlex.split(strip_heredocs(command), posix=True)
+except ValueError:
+    sys.exit(0)
+normalized_tokens = [token.strip("();|&") for token in tokens]
+for i, token in enumerate(normalized_tokens):
+    if token == "--no-verify":
+        sys.exit(1)
+    if token == "HUSKY=0" or token.startswith("HUSKY_SKIP_HOOKS="):
+        sys.exit(1)
+    if token.startswith("core.hooksPath="):
+        value = token.split("=", 1)[1]
+        if value in ("", "/dev/null"):
+            sys.exit(1)
+    if token == "core.hooksPath" and i + 1 < len(normalized_tokens) and normalized_tokens[i + 1] in ("", "/dev/null"):
+        sys.exit(1)
+sys.exit(0)
+PY
+then
   deny
 fi

package/plugins/src/base/hooks/block-no-verify.sh CHANGED Viewed

@@ -9,8 +9,9 @@
 #   2. HUSKY=0 / HUSKY_SKIP_HOOKS=... — disables husky-managed git hooks;
 #   3. core.hooksPath pointed at /dev/null or set empty — disables ALL git hooks.
 #
-# Word-boundary matching avoids false positives on longer flags (--no-verify-ssl,
-# --no-verify-host) and on a legit custom hooks path (core.hooksPath=.husky).
+# Shell-token matching avoids false positives from issue bodies, heredocs, and
+# commit-message prose while still catching quoted real argv values such as
+# `git -c "core.hooksPath=/dev/null"`.
 #
 # The short `-n` form is intentionally NOT matched (see block-no-verify.agy.sh):
 # grep cannot distinguish a real -n option from -n in commit-message prose or an
@@ -29,14 +30,65 @@ if [ -z "$command_str" ]; then
   exit 0
 fi
-# Each pattern is bounded by non-token characters so longer flags
-# (--no-verify-ssl) and legit values (core.hooksPath=.husky, HUSKY=1) don't match,
-# while every syntactic position is caught (incl. subshells, e.g. `(git commit --no-verify)`).
-if printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])--no-verify($|[^[:alnum:]_-])' \
-  || printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])HUSKY=0($|[^[:alnum:]])' \
-  || printf '%s' "$command_str" | grep -Eq '(^|[^[:alnum:]_-])HUSKY_SKIP_HOOKS=' \
-  || printf '%s' "$command_str" | grep -Eq 'core\.hooksPath([[:space:]]*=)?[[:space:]]*/dev/null' \
-  || printf '%s' "$command_str" | grep -Eq 'core\.hooksPath[[:space:]]*=[[:space:]]*($|[[:space:];&|"'\''])'; then
+command -v python3 >/dev/null 2>&1 || exit 0
+if ! BLOCK_NO_VERIFY_COMMAND="$command_str" python3 - <<'PY'
+import os
+import re
+import shlex
+import sys
+command = os.environ.get("BLOCK_NO_VERIFY_COMMAND", "")
+def strip_heredocs(text: str) -> str:
+    lines = text.splitlines()
+    output = []
+    pending = []
+    marker_pattern = re.compile(
+        r"<<-?\s*(?:'([^']+)'|\"([^\"]+)\"|([A-Za-z_][A-Za-z0-9_]*))"
+    )
+    index = 0
+    while index < len(lines):
+        line = lines[index]
+        output.append(line)
+        pending.extend(
+            next(group for group in match.groups() if group)
+            for match in marker_pattern.finditer(line)
+        )
+        index += 1
+        while pending and index < len(lines):
+            if lines[index].strip() == pending[0]:
+                output.append(lines[index])
+                pending.pop(0)
+                index += 1
+                break
+            index += 1
+    return "\n".join(output)
+try:
+    tokens = shlex.split(strip_heredocs(command), posix=True)
+except ValueError:
+    sys.exit(0)
+normalized_tokens = [token.strip("();|&") for token in tokens]
+for i, token in enumerate(normalized_tokens):
+    if token == "--no-verify":
+        sys.exit(1)
+    if token == "HUSKY=0" or token.startswith("HUSKY_SKIP_HOOKS="):
+        sys.exit(1)
+    if token.startswith("core.hooksPath="):
+        value = token.split("=", 1)[1]
+        if value in ("", "/dev/null"):
+            sys.exit(1)
+    if token == "core.hooksPath" and i + 1 < len(normalized_tokens) and normalized_tokens[i + 1] in ("", "/dev/null"):
+        sys.exit(1)
+sys.exit(0)
+PY
+then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
 or core.hooksPath disabling). Fix the underlying issue (lint error, failing