@gotgenes/pi-permission-system 4.0.1 → 4.1.0

package/CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.1.0](https://github.com/gotgenes/pi-permission-system/compare/v4.0.1...v4.1.0) (2026-05-04)
+
+
+### Features
+
+* replace regex tokenizer with shell-quote ([#72](https://github.com/gotgenes/pi-permission-system/issues/72)) ([1568992](https://github.com/gotgenes/pi-permission-system/commit/1568992fb82b45c84b10e3cc9c50777f42d30dfa))
+
+
+### Documentation
+
+* plan shell-quote tokenizer migration ([#72](https://github.com/gotgenes/pi-permission-system/issues/72)) ([0390e06](https://github.com/gotgenes/pi-permission-system/commit/0390e06de5ca0e5cc79e438f2a94db610ca90289))
+* **retro:** add retro notes for issue [#68](https://github.com/gotgenes/pi-permission-system/issues/68) ([4775453](https://github.com/gotgenes/pi-permission-system/commit/47754539806fbe15f739ea0eaa4a100a69db82ef))
+
 ## [4.0.1](https://github.com/gotgenes/pi-permission-system/compare/v4.0.0...v4.0.1) (2026-05-04)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "4.0.1",
+  "version": "4.1.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [
@@ -56,10 +56,14 @@
     "@mariozechner/pi-coding-agent": "^0.72.1",
     "@mariozechner/pi-tui": "^0.72.1",
     "@types/node": "^25.6.0",
+    "@types/shell-quote": "^1.7.5",
     "markdownlint-cli2": "^0.22.1",
     "typescript": "6.0.3",
     "vitest": "^4.1.5"
   },
+  "dependencies": {
+    "shell-quote": "^1.8.3"
+  },
   "scripts": {
     "build": "tsc -p tsconfig.json",
     "lint": "biome check .",

package/src/external-directory.ts

@@ -1,6 +1,8 @@
 import { homedir } from "node:os";
 import { join, normalize, resolve, sep } from "node:path";
 
+import { parse } from "shell-quote";
+
 import { getNonEmptyString, toRecord } from "./common";
 
 /**
@@ -196,27 +198,20 @@ function classifyTokenAsPathCandidate(token: string): string | null {
   return null;
 }
 
-/**
- * Strips content inside single and double quotes from a command string.
- * Replaces quoted segments with empty string so paths inside quotes are not tokenized.
- * This is a simple regex approach — it cannot handle escaped quotes within strings.
- */
-function stripQuotedStrings(command: string): string {
-  return command.replace(/"[^"]*"/g, "").replace(/'[^']*'/g, "");
-}
-
 /**
  * Extracts paths from a bash command string that resolve outside CWD.
- * This is a best-effort heuristic (token splitting, not full shell parsing).
+ * Uses shell-quote to tokenize so that quoted strings, operators, and comments
+ * are handled correctly, eliminating false positives from the old regex approach.
  */
 export function extractExternalPathsFromBashCommand(
   command: string,
   cwd: string,
 ): string[] {
-  // Strip quoted strings to avoid false positives on paths in messages
-  const unquoted = stripQuotedStrings(command);
-  // Split on shell metacharacters to isolate tokens
-  const tokens = unquoted.split(/[|;&><\s]+/).filter(Boolean);
+  // shell-quote parse() returns strings (resolved arguments), operator objects,
+  // glob objects, and comment objects. Only string entries are path candidates.
+  const tokens = parse(command).filter(
+    (entry): entry is string => typeof entry === "string",
+  );
   const seen = new Set<string>();
   const externalPaths: string[] = [];
 

package/tests/bash-external-directory.test.ts

@@ -213,8 +213,9 @@ describe("extractExternalPathsFromBashCommand", () => {
       expect(result).toContain("/etc/hosts");
     });
 
-    test.fails("escaped quotes inside strings cause false positive (known limitation)", () => {
-      // The regex-based quote stripping can't handle escaped quotes
+    test("does not flag path when adjacent quoted segments form one word", () => {
+      // shell-quote concatenates adjacent quoted/unquoted segments into one word:
+      // '"path is "/etc/hosts""' → 'path is /etc/hosts' (one token, not a path candidate).
       const result = extractExternalPathsFromBashCommand(
         'echo "path is "/etc/hosts""',
         cwd,
@@ -300,6 +301,15 @@ describe("extractExternalPathsFromBashCommand", () => {
       expect(result).toHaveLength(0);
     });
 
+    test("bare-slash guard is still needed: shell-quote emits / as a string token", () => {
+      // shell-quote.parse('echo /') returns ['echo', '/'] — the bare slash IS a string
+      // token, not an operator. classifyTokenAsPathCandidate must still reject it.
+      // This test documents that the /^\/+$/ guard remains a necessary
+      // defense-in-depth layer even with shell-quote as the tokenizer.
+      const result = extractExternalPathsFromBashCommand("echo /", cwd);
+      expect(result).toHaveLength(0);
+    });
+
     test("still flags real external path alongside //", () => {
       const result = extractExternalPathsFromBashCommand(
         "cat /etc/hosts; echo //",
@@ -310,6 +320,70 @@ describe("extractExternalPathsFromBashCommand", () => {
     });
   });
 
+  describe("node -e and multi-line commands", () => {
+    test("does not flag path inside single-quoted string in node -e argument", () => {
+      const result = extractExternalPathsFromBashCommand(
+        "node -e \"const p = '/etc/hosts'; console.log(p);\"",
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("does not flag path inside multi-line node -e argument", () => {
+      // Actual newlines inside the double-quoted -e argument.
+      const cmd =
+        "node -e \"\nimport('x').then(() => {\n  console.log('/etc/hosts');\n});\n\"";
+      const result = extractExternalPathsFromBashCommand(cmd, cwd);
+      expect(result).toHaveLength(0);
+    });
+
+    test("does not flag path that appears after escaped quote in multi-line node -e argument", () => {
+      // This is the shape of the command that triggered a prompt during dog-fooding.
+      // The outer \"...\" arg contains both actual newlines and \\" escape sequences,
+      // with /etc/hosts appearing after a \\" boundary.
+      const cmd = [
+        'node -e "',
+        "import('shell-quote').then(({ parse }) => {",
+        "  const cmd = \\\"cat << 'EOF'\\n/etc/hosts\\nsome content\\nEOF\\\";",
+        "  console.log(JSON.stringify(parse(cmd)));",
+        "});",
+        '"',
+      ].join("\n");
+      const result = extractExternalPathsFromBashCommand(cmd, cwd);
+      expect(result).toHaveLength(0);
+    });
+  });
+
+  describe("shell-quote tokenizer edge cases", () => {
+    test("does not flag path inside string when escaped quote is present", () => {
+      // stripQuotedStrings regex breaks at \" — content after it leaks into the token stream.
+      // shell-quote correctly parses the escaped quote and keeps the path inside the string.
+      const result = extractExternalPathsFromBashCommand(
+        'git commit -m "fix: update \\"the /etc/hosts\\" handler"',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("does not flag path appearing only in a shell comment", () => {
+      const result = extractExternalPathsFromBashCommand(
+        "echo hello # /etc/shadow",
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("flags real path before comment but not path inside comment", () => {
+      const result = extractExternalPathsFromBashCommand(
+        "cat /etc/hosts # see also /etc/shadow",
+        cwd,
+      );
+      expect(result).toContain("/etc/hosts");
+      expect(result).not.toContain("/etc/shadow");
+      expect(result).toHaveLength(1);
+    });
+  });
+
   describe("deduplication", () => {
     test("returns deduplicated paths", () => {
       const result = extractExternalPathsFromBashCommand(