@sdsrs/code-graph 0.47.0 → 0.48.0

package/claude-plugin/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "sdsrs"
   },
-  "version": "0.47.0",
+  "version": "0.48.0",
   "keywords": [
     "code-graph",
     "ast",

package/claude-plugin/scripts/cg-answer.js

@@ -48,6 +48,24 @@ function truncateAtLine(text, maxBytes) {
   return { text: buf.subarray(0, maxBytes).toString('latin1'), truncated: true };
 }
 
+/**
+ * v0.48 — drop glob segments from a search path. The hook extracts path tokens
+ * verbatim from the denied command, and spawnSync runs WITHOUT a shell, so a
+ * literal `backend/…/llm_engine/*.py` reaches rg as a nonexistent file →
+ * exit 1 → `unavailable` → static deny with no answer (daagu 2026-06-11: the
+ * night's only deny failed exactly this way). Truncate at the first segment
+ * containing a glob metacharacter; widening the scope to the parent dir is
+ * always safe. A leading glob (`*.py`) drops the scope entirely (repo-wide).
+ */
+function sanitizeSearchPath(searchPath) {
+  if (!searchPath || typeof searchPath !== 'string') return undefined;
+  const segs = searchPath.split('/');
+  const i = segs.findIndex((s) => /[*?[\]{}]/.test(s));
+  if (i === -1) return searchPath;
+  const kept = segs.slice(0, i).join('/');
+  return kept || undefined;
+}
+
 /**
  * Run `code-graph-mcp grep <pattern> [searchPath]` synchronously.
  *
@@ -81,8 +99,11 @@ function runGrepAnswer(opts = {}) {
     }
     if (!binary) return { status: 'unavailable' };
 
+    // Defensive re-sanitize: callers should pass a clean path, but a glob
+    // reaching argv is a guaranteed nonzero exit (see sanitizeSearchPath).
+    const scope = sanitizeSearchPath(searchPath);
     const args = ['grep', pattern];
-    if (searchPath) args.push(searchPath);
+    if (scope) args.push(scope);
     const res = spawnSync(binary, args, {
       cwd,
       timeout: timeoutMs,
@@ -104,4 +125,4 @@ function runGrepAnswer(opts = {}) {
   }
 }
 
-module.exports = { runGrepAnswer, truncateAtLine };
+module.exports = { runGrepAnswer, truncateAtLine, sanitizeSearchPath };

package/claude-plugin/scripts/cg-answer.test.js

@@ -133,3 +133,30 @@ test('truncateAtLine: single oversized line → hard cut', () => {
   assert.equal(truncated, true);
   assert.equal(Buffer.byteLength(text, 'utf8'), 10);
 });
+
+// ── v0.48 sanitizeSearchPath: glob args reach rg literally (no shell) ──
+
+test('sanitizeSearchPath: truncates at first glob segment (daagu denied command)', () => {
+  const { sanitizeSearchPath } = require('./cg-answer');
+  assert.equal(
+    sanitizeSearchPath('backend/app/services/llm_engine/*.py'),
+    'backend/app/services/llm_engine');
+});
+
+test('sanitizeSearchPath: clean path unchanged; leading glob drops scope; falsy → undefined', () => {
+  const { sanitizeSearchPath } = require('./cg-answer');
+  assert.equal(sanitizeSearchPath('src/storage/'), 'src/storage/');
+  assert.equal(sanitizeSearchPath('*.py'), undefined);
+  assert.equal(sanitizeSearchPath('src/**/x.rs'), 'src');
+  assert.equal(sanitizeSearchPath('src/file[1].rs'), 'src');
+  assert.equal(sanitizeSearchPath(''), undefined);
+  assert.equal(sanitizeSearchPath(undefined), undefined);
+});
+
+test('runGrepAnswer: glob searchPath is truncated before spawn (defensive layer)', () => {
+  const r = runGrepAnswer({
+    cwd: stubDir, pattern: 'fts5_search', searchPath: 'src/storage/*.rs', binary: stubBinary(),
+  });
+  assert.equal(r.status, 'hits');
+  assert.match(r.text, /args=\["grep","fts5_search","src\/storage"\]/);
+});

package/claude-plugin/scripts/pre-grep-guide.js

@@ -12,7 +12,10 @@
 //   2. Args include an indexed source-tree path (src/ tests/ lib/ scripts/ ...)
 //   3. Not searching only a config/lockfile (Cargo.toml/.gitignore/*.md/*.json)
 //   4. Command doesn't already invoke code-graph-mcp (no double-suggest)
-//   5. .code-graph/index.db exists in CWD
+//   5. .code-graph/index.db exists in CWD or a parent up to $HOME (v0.48: the
+//      hook's cwd follows the persistent shell — after `cd backend/` every
+//      gate used to fail silently for the rest of the session; daagu
+//      2026-06-11 replay: 38/40 head-greps dark to this)
 //   6. Same command-hash not hinted within last 60s (per-command cooldown)
 //
 // BLOCK fires when shouldHint AND (shouldBlock):
@@ -22,19 +25,28 @@
 //   9. Pattern is not a bare marker word (TODO/FIXME/XXX/HACK/WARN/ERROR/NOTE)
 //  10. CODE_GRAPH_NO_BLOCK_GREP != "1" (block escape, independent of QUIET_HOOKS)
 //
+// A `CODE_GRAPH_NO_BLOCK_GREP=1`-prefixed grep that would otherwise hint is
+// recorded as `action:'bypass'` and allowed silently (v0.48) — previously the
+// bare KEY=VALUE prefix failed GREP_HEAD and the escape was invisible to the
+// conversion funnel (daagu 2026-06-11: 14 bypassed greps, 0 recorded).
+//
 // Exits silently otherwise — zero noise for build greps, log filters, config
 // lookups, or the rare legitimate use of raw grep on indexed source.
 
 const fs = require('fs');
+const os = require('os');
 const path = require('path');
 const crypto = require('crypto');
 const { cgTmpDir } = require('./tmp-dir');
 const { recordRecommendation } = require('./recommendation-log');
-const { runGrepAnswer } = require('./cg-answer');
+const { runGrepAnswer, sanitizeSearchPath } = require('./cg-answer');
 
 // --- Pure logic (testable) ---
 
-const GREP_HEAD = /^\s*(?:env\s+\S+=\S+\s+)*(grep|rg|ag)\b/;
+// v0.48: also match bare `KEY=VALUE grep` prefixes (no `env` verb) — the shape
+// the deny message itself teaches (`CODE_GRAPH_NO_BLOCK_GREP=1 grep …`). With
+// the old `env`-only form those commands failed gate 1 and were invisible.
+const GREP_HEAD = /^\s*(?:env\s+)?(?:[A-Za-z_][A-Za-z0-9_]*=\S*\s+)*(grep|rg|ag)\b/;
 // Source-tree prefix list. Expanded v0.27+ Phase C: original `src/tests/lib/...`
 // missed real-world backend conventions where the prefix list term is preceded
 // by something else (`backend/app/...` — `app/` doesn't match because `/` isn't
@@ -99,8 +111,8 @@ const MARKER_ONLY =
 // symbol-shaped target".
 function extractPatterns(cmd) {
   if (!cmd || typeof cmd !== 'string') return [];
-  // Strip leading verb + env prefix
-  const stripped = cmd.replace(/^\s*(?:env\s+\S+=\S+\s+)*(?:grep|rg|ag)\s+/, '');
+  // Strip leading verb + env/assignment prefix (kept in sync with GREP_HEAD)
+  const stripped = cmd.replace(/^\s*(?:env\s+)?(?:[A-Za-z_][A-Za-z0-9_]*=\S*\s+)*(?:grep|rg|ag)\s+/, '');
   // Collect every quoted argument — first one is the pattern in standard grep
   // usage; subsequent ones (e.g. `-e "second"`) are also patterns or filter
   // expressions and worth screening too.
@@ -117,6 +129,83 @@ function shouldBlock(cmd) {
   return patterns.some(p => IDENTIFIER_LIKE.test(p));
 }
 
+// v0.47.1 — CC harness steers Bash toward ABSOLUTE paths (cd in compound
+// commands triggers permission prompts), so `grep -rn "X" /abs/root/backend/…`
+// is the dominant real shape — and SRC_PATH's lookbehind (^|\s|quote) never
+// matched it (daagu 2026-06-11 replay: 42/42 head-greps absolute → 1 hint /
+// 0 block as-is vs 30 / 16 after this strip). Strip `<cwd>/` everywhere before
+// matching: the hook's cwd IS the project root, so this is exact — paths
+// outside the project stay absolute and keep not firing (conservative edge).
+// split/join, not regex: cwd may contain regex metacharacters.
+function normalizeCommandPaths(cmd, cwd) {
+  if (!cmd || typeof cmd !== 'string') return cmd;
+  if (!cwd || typeof cwd !== 'string' || cwd === '/') return cmd;
+  return cmd.split(cwd.endsWith('/') ? cwd : cwd + '/').join('');
+}
+
+// v0.48 — the hook's process.cwd() follows the PERSISTENT shell, not the
+// project root: after the model runs `cd backend/`, every later bare grep used
+// to fail the index.db gate silently for the rest of the session (daagu
+// 2026-06-11: 38/40 head-greps dark). Walk up to the nearest ancestor holding
+// `.code-graph/index.db`; stop at $HOME (checked, not crossed) and fs root.
+function resolveProjectRoot(startDir, opts = {}) {
+  const home = opts.home !== undefined ? opts.home : os.homedir();
+  const exists = opts.exists || fs.existsSync;
+  let dir = path.resolve(startDir || '.');
+  for (;;) {
+    if (exists(path.join(dir, '.code-graph', 'index.db'))) return dir;
+    if (dir === home) return null;
+    const parent = path.dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+
+// v0.48 — companion to resolveProjectRoot: when the shell sits in a subdir,
+// bare relative path args (`app --include=*.py` from backend/) are
+// subdir-relative and never match the root-relative SRC_PATH prefixes. Rebase
+// each candidate token onto the project root; a token only counts as a path
+// when the rebased form EXISTS under the root — quoted patterns, flags,
+// operators, absolute and traversal tokens are never touched. Existence is the
+// workhorse gate: it keeps unquoted pattern words from masquerading as paths
+// (the exact shape that would re-create the answered:false glob failure).
+function rebaseRelativePaths(cmd, relPrefix, rootDir, exists = fs.existsSync) {
+  if (!cmd || typeof cmd !== 'string' || !relPrefix || !rootDir) return cmd;
+  const prefix = relPrefix.split(path.sep).join('/');
+  // Shell sits outside any known source dir (docs/, target/, …) — don't guess.
+  if (!SRC_PATH_TOKEN.test(prefix + '/')) return cmd;
+  let verbSeen = false;
+  return cmd.split(/(\s+)/).map((tok) => {
+    if (!tok || /^\s+$/.test(tok)) return tok;
+    if (!verbSeen) {
+      if (/^(?:env|[A-Za-z_][A-Za-z0-9_]*=\S*)$/.test(tok)) return tok;
+      verbSeen = true; // the verb itself (grep/rg/ag) — never a path
+      return tok;
+    }
+    if (/^["']/.test(tok)) return tok;          // quoted → pattern
+    if (tok.startsWith('-')) return tok;         // flag
+    if (tok.startsWith('/')) return tok;         // absolute (foreign — root strip already ran)
+    if (tok.includes('..')) return tok;          // traversal
+    if (/[|;&<>=\\$`'"]/.test(tok)) return tok;  // operators / redirects / assignments / escapes
+    const candidate = prefix + '/' + tok;
+    // Probe existence on the glob-truncated form: `app/…/llm_engine/*.py`
+    // must still rebase (its dir exists) or the deny-answer would run a
+    // subdir-relative path from the root and fail (answered:false again).
+    const probe = sanitizeSearchPath(candidate);
+    try {
+      if (!probe || !exists(path.join(rootDir, probe))) return tok;
+    } catch { return tok; }
+    return candidate;
+  }).join('');
+}
+
+// v0.48 — bypass detection on the RAW command. The deny message documents
+// `CODE_GRAPH_NO_BLOCK_GREP=1` as a per-command escape; record its use so the
+// conversion funnel can see escape adoption instead of going dark.
+function commandHasBypass(cmd) {
+  return typeof cmd === 'string' && /(?:^|\s)CODE_GRAPH_NO_BLOCK_GREP=1(?:\s|$)/.test(cmd);
+}
+
 // v0.47.0 — pull the first source-tree path token out of the denied command so
 // the inline answer can scope its search the same way the raw grep would have.
 function extractSearchPath(cmd) {
@@ -174,14 +263,18 @@ function buildBlockReason() {
     '  code-graph-mcp grep "<pattern>" <path>          # FTS + AST context per hit',
     '  code-graph-mcp ast-search "<pattern>" --type fn # filter by node type',
     '  code-graph-mcp callgraph SYMBOL                 # callers + callees',
-    'For raw-text scans (log/comment/marker), re-run with `CODE_GRAPH_NO_BLOCK_GREP=1` prepended.',
+    'If this specific search truly needs raw-text regex (log/comment scan), prepend',
+    '`CODE_GRAPH_NO_BLOCK_GREP=1` to THIS command only — a per-command escape, not a default prefix.',
   ].join('\n');
 }
 
 // v0.47.0 — deny WITH the answer inline. Hint-only had ~0% transfer and a bare
 // deny still asks the model to initiate a new tool call; embedding the actual
-// results removes that choice entirely. Keep the escape hatch line — raw-text
-// regex (BRE alternation, log scans) remains a legitimate need.
+// results removes that choice entirely.
+// v0.48 — NO escape-hatch line here: the model already has the results, and
+// advertising the bypass taught it a permanent prefix within 5 seconds (daagu
+// 2026-06-11: one deny → 14 bypassed greps). The static deny keeps a scoped
+// escape because there we give no answer.
 function buildBlockReasonWithAnswer(pattern, searchPath, answer) {
   const cmdShown = `code-graph-mcp grep "${pattern}"${searchPath ? ` ${searchPath}` : ''}`;
   const lines = [
@@ -194,7 +287,6 @@ function buildBlockReasonWithAnswer(pattern, searchPath, answer) {
   }
   lines.push(
     'Each hit shows its containing fn/module — use these results directly instead of re-running the search.',
-    'For raw-text regex (alternation, log/comment scans), re-run with `CODE_GRAPH_NO_BLOCK_GREP=1` prepended.',
   );
   return lines.join('\n');
 }
@@ -231,9 +323,11 @@ function isAnswerDisabled(env = process.env) {
 
 function runMain() {
   if (isSilenced()) return;
-  const cwd = process.cwd();
-  const dbPath = path.join(cwd, '.code-graph', 'index.db');
-  if (!fs.existsSync(dbPath)) return;  // no index — no hint
+  // v0.48 — process.cwd() follows the persistent shell; resolve the project
+  // root by walking up so `cd backend/` no longer darkens the whole session.
+  const shellCwd = process.cwd();
+  const root = resolveProjectRoot(shellCwd);
+  if (root === null) return;  // no index anywhere up to $HOME — no hint
 
   let input;
   try {
@@ -243,11 +337,26 @@ function runMain() {
     input = JSON.parse(fs.readFileSync(0, 'utf8'));
   } catch { return; }
 
-  const cmd = (input.tool_input && input.tool_input.command) || '';
+  const rawCmd = (input.tool_input && input.tool_input.command) || '';
+  // v0.47.1 — match against the root-stripped form so absolute paths under the
+  // project root behave exactly like their relative spelling. v0.48 — then
+  // rebase bare subdir-relative tokens onto the root. Cooldown stays keyed on
+  // the raw command (what Claude actually sent).
+  let cmd = normalizeCommandPaths(rawCmd, root);
+  const relPrefix = path.relative(root, shellCwd);
+  if (relPrefix) cmd = rebaseRelativePaths(cmd, relPrefix, root);
   if (!shouldHint(cmd)) return;
-  if (isOnCooldown(cmd)) return;
 
-  markCooldown(cmd);
+  // v0.48 — deliberate escape: record it (funnel visibility) and stay silent.
+  // Before GREP_HEAD accepted bare KEY=VALUE prefixes these were invisible.
+  if (commandHasBypass(rawCmd)) {
+    recordRecommendation(root, { hook: 'grep', action: 'bypass' });
+    return;
+  }
+
+  if (isOnCooldown(rawCmd)) return;
+
+  markCooldown(rawCmd);
 
   if (!isBlockDisabled() && shouldBlock(cmd)) {
     // v0.47.0 — run the AST-aware equivalent inside the hook and embed the
@@ -256,12 +365,15 @@ function runMain() {
     // (regex-dialect differences mean 0 hits ≠ proof of absence).
     let answer = { status: 'unavailable' };
     const pattern = pickBlockPattern(cmd);
+    // v0.48 — glob-truncated once, shared by the run and the deny message
+    // (a literal `dir/*.py` argv made rg exit 1 → answered:false static deny).
+    const searchPath = sanitizeSearchPath(extractSearchPath(cmd));
     if (!isAnswerDisabled() && pattern) {
-      answer = runGrepAnswer({ cwd, pattern, searchPath: extractSearchPath(cmd) });
+      answer = runGrepAnswer({ cwd: root, pattern, searchPath });
     }
 
     if (answer.status === 'no-hits') {
-      recordRecommendation(cwd, { hook: 'grep', action: 'hint', fallthrough: 'no-hits' });
+      recordRecommendation(root, { hook: 'grep', action: 'hint', fallthrough: 'no-hits' });
       process.stdout.write(buildNoHitsFyi(pattern) + '\n');
       return;
     }
@@ -271,7 +383,7 @@ function runMain() {
     // ignored by Claude Code — the grep ran anyway. The hookSpecificOutput form
     // is the documented modern path. Exit 0 — this is a routing decision, not
     // a hook failure (exit 2 would mark the tool call as "hook errored").
-    recordRecommendation(cwd, {
+    recordRecommendation(root, {
       hook: 'grep', action: 'deny', answered: answer.status === 'hits',
     });
     process.stdout.write(JSON.stringify({
@@ -279,14 +391,14 @@ function runMain() {
         hookEventName: 'PreToolUse',
         permissionDecision: 'deny',
         permissionDecisionReason: answer.status === 'hits'
-          ? buildBlockReasonWithAnswer(pattern, extractSearchPath(cmd), answer)
+          ? buildBlockReasonWithAnswer(pattern, searchPath, answer)
           : buildBlockReason(),
       },
     }) + '\n');
     return;
   }
 
-  recordRecommendation(cwd, { hook: 'grep', action: 'hint' });
+  recordRecommendation(root, { hook: 'grep', action: 'hint' });
   process.stdout.write(buildHint() + '\n');
 }
 
@@ -299,6 +411,10 @@ module.exports = {
   shouldBlock,
   extractPatterns,    // v0.32.1 — exposed for tests
   extractSearchPath,  // v0.47.0 — deny-with-answer
+  normalizeCommandPaths, // v0.47.1 — abs-path matcher fix
+  resolveProjectRoot,    // v0.48 — subdir-cwd dark fix
+  rebaseRelativePaths,   // v0.48 — subdir-cwd dark fix
+  commandHasBypass,      // v0.48 — bypass funnel visibility
   pickBlockPattern,
   buildHint,
   buildBlockReason,

package/claude-plugin/scripts/pre-grep-guide.test.js

@@ -6,6 +6,10 @@ const {
   shouldBlock,
   extractPatterns,
   extractSearchPath,
+  normalizeCommandPaths,
+  resolveProjectRoot,
+  rebaseRelativePaths,
+  commandHasBypass,
   pickBlockPattern,
   buildHint,
   buildBlockReason,
@@ -530,6 +534,74 @@ test('I4: grep -rn "fn render" src/ → BLOCK (decl anchor at start)', () => {
   assert.equal(shouldBlock('grep -rn "fn render" src/'), true);
 });
 
+// ── v0.47.1 abs-path matcher fix: normalizeCommandPaths ─────────────
+// CC harness steers Bash toward ABSOLUTE paths (cd in compound commands
+// triggers permission prompts), so `grep -rn "X" /abs/root/backend/...` is
+// the dominant real-world shape. SRC_PATH's lookbehind (^|\s|quote) never
+// matched it: daagu 2026-06-11 replay — 42/42 head-greps absolute, 1 hint /
+// 0 block as-is vs 30 hint / 16 block after cwd-strip.
+
+test('normalizeCommandPaths: strips cwd prefix from path args', () => {
+  assert.equal(
+    normalizeCommandPaths('grep -rn "X" /proj/root/src/storage/', '/proj/root'),
+    'grep -rn "X" src/storage/');
+});
+
+test('normalizeCommandPaths: strips every occurrence', () => {
+  assert.equal(
+    normalizeCommandPaths('grep -rn "X" /proj/root/src/a.rs /proj/root/tests/', '/proj/root'),
+    'grep -rn "X" src/a.rs tests/');
+});
+
+test('normalizeCommandPaths: strips inside quotes', () => {
+  assert.equal(
+    normalizeCommandPaths('grep -rn "X" "/proj/root/backend/app/"', '/proj/root'),
+    'grep -rn "X" "backend/app/"');
+});
+
+test('normalizeCommandPaths: leaves foreign absolute paths alone', () => {
+  assert.equal(
+    normalizeCommandPaths('grep -rn "X" /other/place/src/', '/proj/root'),
+    'grep -rn "X" /other/place/src/');
+});
+
+test('normalizeCommandPaths: no-op when cwd absent / falsy inputs', () => {
+  assert.equal(normalizeCommandPaths('grep -rn "X" src/', '/proj/root'), 'grep -rn "X" src/');
+  assert.equal(normalizeCommandPaths('', '/proj/root'), '');
+  assert.equal(normalizeCommandPaths('grep "X" src/', ''), 'grep "X" src/');
+});
+
+// Real daagu transcript commands (2026-06-11 session 23f149f0…), the exact
+// shape that was invisible to v0.47.0. Replay must fire post-normalization.
+const DAAGU = '/mnt/data_ssd/dev/projects/daagu';
+
+test('replay: real abs-path symbol grep → BLOCK after normalization', () => {
+  const cmd = `grep -n "_parse_finish_reason\\|_last_finish_reason\\|class OpenRouterProvider" ${DAAGU}/backend/app/services/llm_engine/openrouter.py`;
+  assert.equal(shouldHint(cmd), false);                       // documents the v0.47.0 blindspot
+  const norm = normalizeCommandPaths(cmd, DAAGU);
+  assert.equal(shouldHint(norm), true);
+  assert.equal(shouldBlock(norm), true);
+});
+
+test('replay: real abs-path -rln grep → HINT only after normalization (precision flag)', () => {
+  const cmd = `grep -rln "load_active_config_standalone" ${DAAGU}/backend/tests/ | head -5`;
+  const norm = normalizeCommandPaths(cmd, DAAGU);
+  assert.equal(shouldHint(norm), true);
+  assert.equal(shouldBlock(norm), false);                     // -l cluster disqualifies block
+});
+
+test('replay: abs-path config-only grep stays silent after normalization', () => {
+  const cmd = `grep -n '"typecheck"\\|"type-check"\\|vue-tsc' ${DAAGU}/frontend/package.json`;
+  assert.equal(shouldHint(normalizeCommandPaths(cmd, DAAGU)), false);
+});
+
+test('replay: extractSearchPath gets relative path from normalized abs command', () => {
+  const cmd = `grep -rn "config_version" ${DAAGU}/backend/app/services/stock_picker/data_providers.py 2>/dev/null | head -5`;
+  assert.equal(
+    extractSearchPath(normalizeCommandPaths(cmd, DAAGU)),
+    'backend/app/services/stock_picker/data_providers.py');
+});
+
 // ── v0.47.0 deny-with-answer: extractSearchPath / pickBlockPattern ──
 
 test('extractSearchPath: dir path after pattern', () => {
@@ -582,17 +654,30 @@ test('pickBlockPattern: no identifier-like pattern → undefined', () => {
 
 // ── v0.47.0 deny-with-answer: message builders + env gate ───────────
 
-test('buildBlockReasonWithAnswer: embeds results, command, and escape hatch', () => {
+test('buildBlockReasonWithAnswer: embeds results and command', () => {
   const reason = buildBlockReasonWithAnswer('fts5_search', 'src/storage/', {
     status: 'hits', text: 'src/storage/db.rs:42  fn fts5_search()', truncated: false,
   });
   assert.match(reason, /already ran/);
   assert.match(reason, /code-graph-mcp grep "fts5_search" src\/storage\//);
   assert.match(reason, /src\/storage\/db\.rs:42/);
-  assert.match(reason, /CODE_GRAPH_NO_BLOCK_GREP=1/);
   assert.doesNotMatch(reason, /truncated/);
 });
 
+test('buildBlockReasonWithAnswer: NEVER advertises the bypass (v0.48 — one deny taught a 14-grep permanent prefix)', () => {
+  const reason = buildBlockReasonWithAnswer('fts5_search', 'src/storage/', {
+    status: 'hits', text: 'hit', truncated: false,
+  });
+  assert.doesNotMatch(reason, /CODE_GRAPH_NO_BLOCK_GREP/);
+});
+
+test('buildBlockReason: scopes the escape to THIS command only', () => {
+  const reason = buildBlockReason();
+  assert.match(reason, /CODE_GRAPH_NO_BLOCK_GREP=1/);
+  assert.match(reason, /THIS command only/);
+  assert.match(reason, /not a default/);
+});
+
 test('buildBlockReasonWithAnswer: no searchPath → command has no path arg', () => {
   const reason = buildBlockReasonWithAnswer('fts5_search', undefined, {
     status: 'hits', text: 'hit', truncated: false,
@@ -637,9 +722,9 @@ function e2eFixture(stubBody) {
   return { dir, stub };
 }
 
-function runHook(cmd, fixture) {
+function runHook(cmd, fixture, cwdOverride) {
   const res = spawnHook(process.execPath, [pathE2e.join(__dirname, 'pre-grep-guide.js')], {
-    cwd: fixture.dir,
+    cwd: cwdOverride || fixture.dir,
     input: JSON.stringify({ tool_input: { command: cmd } }),
     encoding: 'utf8',
     env: {
@@ -724,6 +809,26 @@ test('e2e: stub fails → static deny (v0.46 fallback) + records answered:false'
   }
 });
 
+test('e2e: ABS-path grep under fixture root → deny fires, CLI argv gets relative path', () => {
+  const uniq = `StubAbs${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('args=' + JSON.stringify(process.argv.slice(2)) + '\\n');`);
+  // fs.realpathSync: on macOS/Linux tmpdir may be a symlink; the hook sees the
+  // resolved cwd, so build the command from the same resolved form.
+  const realDir = fsE2e.realpathSync(fixture.dir);
+  const cmd = `grep -rn "${uniq}" ${realDir}/src/storage/`;
+  try {
+    const res = runHook(cmd, fixture);
+    assert.equal(res.status, 0);
+    const out = JSON.parse(res.stdout);
+    assert.equal(out.hookSpecificOutput.permissionDecision, 'deny');
+    assert.match(out.hookSpecificOutput.permissionDecisionReason,
+      /args=\["grep","StubAbs\d+","src\/storage\/"\]/);
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
 test('e2e: CODE_GRAPH_NO_ANSWER_IN_DENY=1 → static deny even when stub would hit', () => {
   const uniq = `StubOptout${Date.now()}`;
   const fixture = e2eFixture(`process.stdout.write('src/foo.rs:7  hit\\n');`);
@@ -748,3 +853,190 @@ test('e2e: CODE_GRAPH_NO_ANSWER_IN_DENY=1 → static deny even when stub would h
     cleanupFixture(fixture, cmd);
   }
 });
+
+// ── v0.48 subdir-cwd dark fix: resolveProjectRoot / rebaseRelativePaths ──
+// daagu 2026-06-11: the persistent shell `cd backend/` darkened 38/40
+// head-greps for the rest of the night — gate 5 checked process.cwd() only.
+
+const { sanitizeSearchPath } = require('./cg-answer');
+
+test('resolveProjectRoot: index at start dir', () => {
+  const base = fsE2e.mkdtempSync(pathE2e.join(osE2e.tmpdir(), 'cg-root-'));
+  try {
+    fsE2e.mkdirSync(pathE2e.join(base, 'proj', '.code-graph'), { recursive: true });
+    fsE2e.writeFileSync(pathE2e.join(base, 'proj', '.code-graph', 'index.db'), '');
+    assert.equal(
+      resolveProjectRoot(pathE2e.join(base, 'proj'), { home: base }),
+      pathE2e.join(base, 'proj'));
+  } finally { fsE2e.rmSync(base, { recursive: true, force: true }); }
+});
+
+test('resolveProjectRoot: walks up from nested subdir to the indexed root', () => {
+  const base = fsE2e.mkdtempSync(pathE2e.join(osE2e.tmpdir(), 'cg-root-'));
+  try {
+    const proj = pathE2e.join(base, 'proj');
+    fsE2e.mkdirSync(pathE2e.join(proj, '.code-graph'), { recursive: true });
+    fsE2e.writeFileSync(pathE2e.join(proj, '.code-graph', 'index.db'), '');
+    const deep = pathE2e.join(proj, 'backend', 'app', 'services');
+    fsE2e.mkdirSync(deep, { recursive: true });
+    assert.equal(resolveProjectRoot(deep, { home: base }), proj);
+  } finally { fsE2e.rmSync(base, { recursive: true, force: true }); }
+});
+
+test('resolveProjectRoot: no index up to $HOME → null (home itself still checked)', () => {
+  const base = fsE2e.mkdtempSync(pathE2e.join(osE2e.tmpdir(), 'cg-root-'));
+  try {
+    const deep = pathE2e.join(base, 'somewhere', 'deep');
+    fsE2e.mkdirSync(deep, { recursive: true });
+    assert.equal(resolveProjectRoot(deep, { home: base }), null);
+    // home itself holding an index is honored
+    fsE2e.mkdirSync(pathE2e.join(base, '.code-graph'), { recursive: true });
+    fsE2e.writeFileSync(pathE2e.join(base, '.code-graph', 'index.db'), '');
+    assert.equal(resolveProjectRoot(deep, { home: base }), base);
+  } finally { fsE2e.rmSync(base, { recursive: true, force: true }); }
+});
+
+test('rebaseRelativePaths: daagu shape — bare `app` from backend/ cwd', () => {
+  const exists = (p) => p.endsWith(pathE2e.join('backend', 'app'));
+  const cmd = 'grep -rn "rr_source\\|max_retries" app --include=*.py';
+  const rebased = rebaseRelativePaths(cmd, 'backend', '/proj', exists);
+  assert.equal(rebased, 'grep -rn "rr_source\\|max_retries" backend/app --include=*.py');
+  assert.equal(shouldHint(rebased), true);
+  assert.equal(extractSearchPath(rebased), 'backend/app');
+});
+
+test('rebaseRelativePaths: deep relPrefix, multiple file args', () => {
+  const exists = (p) => p.endsWith('.py');
+  const rel = 'backend/app/services/scheduler/tasks';
+  const cmd = 'grep -n "except Exception" asr_preload.py xuanlun_pro_scan.py';
+  const rebased = rebaseRelativePaths(cmd, rel, '/proj', exists);
+  assert.match(rebased, /backend\/app\/services\/scheduler\/tasks\/asr_preload\.py/);
+  assert.match(rebased, /backend\/app\/services\/scheduler\/tasks\/xuanlun_pro_scan\.py/);
+  assert.equal(shouldHint(rebased), true);
+});
+
+test('rebaseRelativePaths: quoted patterns are never rebased even if a same-named path exists', () => {
+  const exists = () => true; // adversarial: everything "exists"
+  const cmd = 'grep -rn "retry" app';
+  const rebased = rebaseRelativePaths(cmd, 'backend', '/proj', exists);
+  assert.equal(rebased, 'grep -rn "retry" backend/app');
+});
+
+test('rebaseRelativePaths: flags, absolute, traversal, operators untouched', () => {
+  const exists = () => true;
+  const cmd = 'grep -rn "X" /etc/hosts ../up --include=*.py 2>/dev/null';
+  assert.equal(rebaseRelativePaths(cmd, 'backend', '/proj', exists), cmd);
+});
+
+test('rebaseRelativePaths: non-source relPrefix (docs/) → unchanged', () => {
+  const exists = () => true;
+  const cmd = 'grep -rn "X" app';
+  assert.equal(rebaseRelativePaths(cmd, 'docs', '/proj', exists), cmd);
+});
+
+test('rebaseRelativePaths: unquoted pattern word does not exist → untouched', () => {
+  const exists = (p) => p.endsWith('/backend/app');
+  const cmd = 'grep -rn retry_count app';
+  const rebased = rebaseRelativePaths(cmd, 'backend', '/proj', exists);
+  assert.equal(rebased, 'grep -rn retry_count backend/app');
+});
+
+// ── v0.48 bypass visibility: GREP_HEAD bare-prefix + commandHasBypass ──
+
+test('shouldHint: bare KEY=VALUE prefixed grep now matches GREP_HEAD', () => {
+  assert.equal(shouldHint('CODE_GRAPH_NO_BLOCK_GREP=1 grep -rn "fts5_search" src/'), true);
+});
+
+test('extractPatterns: bare KEY=VALUE prefix stripped with the verb', () => {
+  assert.deepEqual(
+    extractPatterns('CODE_GRAPH_NO_BLOCK_GREP=1 grep -rn "split_identifier" src/'),
+    ['split_identifier']);
+});
+
+test('commandHasBypass: =1 prefix detected, other values / absence are not', () => {
+  assert.equal(commandHasBypass('CODE_GRAPH_NO_BLOCK_GREP=1 grep -rn "X" src/'), true);
+  assert.equal(commandHasBypass('FOO=1 CODE_GRAPH_NO_BLOCK_GREP=1 grep "X" src/'), true);
+  assert.equal(commandHasBypass('CODE_GRAPH_NO_BLOCK_GREP=0 grep -rn "X" src/'), false);
+  assert.equal(commandHasBypass('grep -rn "CODE_GRAPH_NO_BLOCK_GREP=1" src/'), false);
+  assert.equal(commandHasBypass('grep -rn "X" src/'), false);
+});
+
+// ── v0.48 replay: the exact command behind the night's only deny ──
+// (answered:false — glob path reached rg literally and exited 1)
+
+test('replay: daagu denied glob command → block + sanitized search path', () => {
+  const cmd = 'grep -rn "async def chat\\|def chat\\|retry\\|rate.limit\\|rate-limit\\|RateLimit\\|429\\|max_retries\\|backoff\\|fallback_model\\|temporarily" backend/app/services/llm_engine/*.py | head -40';
+  assert.equal(shouldHint(cmd), true);
+  assert.equal(shouldBlock(cmd), true);
+  const raw = extractSearchPath(cmd);
+  assert.equal(raw, 'backend/app/services/llm_engine/*.py');
+  assert.equal(sanitizeSearchPath(raw), 'backend/app/services/llm_engine');
+});
+
+// ── v0.48 e2e: hook process spawned exactly as CC does ──
+
+test('e2e: subdir cwd — hook resolves root, rebases path, records at root', () => {
+  const uniq = `sub_dir_fix_${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('backend/app/x.py:1  fn hit()\\n');`);
+  const cmd = `grep -rn "${uniq}\\|max_retries" app`;
+  try {
+    fsE2e.mkdirSync(pathE2e.join(fixture.dir, 'backend', 'app'), { recursive: true });
+    const res = runHook(cmd, fixture, pathE2e.join(fixture.dir, 'backend'));
+    const out = JSON.parse(res.stdout);
+    assert.equal(out.hookSpecificOutput.permissionDecision, 'deny');
+    const recs = fsE2e.readFileSync(
+      pathE2e.join(fixture.dir, '.code-graph', 'recommendations.jsonl'), 'utf8');
+    assert.match(recs, /"action":"deny"/);
+    // never creates .code-graph in the subdir
+    assert.equal(fsE2e.existsSync(pathE2e.join(fixture.dir, 'backend', '.code-graph')), false);
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: bypassed grep is silent but recorded as action:bypass', () => {
+  const uniq = `bypass_vis_${Date.now()}`;
+  const fixture = e2eFixture(`process.stdout.write('never called\\n');`);
+  const cmd = `CODE_GRAPH_NO_BLOCK_GREP=1 grep -rn "${uniq}\\|fts5_search" src/`;
+  try {
+    fsE2e.mkdirSync(pathE2e.join(fixture.dir, 'src'), { recursive: true });
+    const res = runHook(cmd, fixture);
+    assert.equal(res.stdout, '');
+    const recs = fsE2e.readFileSync(
+      pathE2e.join(fixture.dir, '.code-graph', 'recommendations.jsonl'), 'utf8');
+    assert.match(recs, /"action":"bypass"/);
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: glob path arg → answer runs against the glob-truncated dir', () => {
+  const uniq = `GlobTrunc${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('args=' + JSON.stringify(process.argv.slice(2)) + '\\n');`);
+  const cmd = `grep -rn "${uniq}" src/storage/*.rs`;
+  try {
+    fsE2e.mkdirSync(pathE2e.join(fixture.dir, 'src', 'storage'), { recursive: true });
+    const res = runHook(cmd, fixture);
+    const out = JSON.parse(res.stdout);
+    assert.equal(out.hookSpecificOutput.permissionDecision, 'deny');
+    assert.match(out.hookSpecificOutput.permissionDecisionReason,
+      new RegExp(`args=\\["grep","${uniq}","src/storage"\\]`));
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('rebaseRelativePaths: glob token rebases when its glob-truncated dir exists', () => {
+  // daagu shape: shell in backend/, command scopes a glob under it. Without
+  // the truncated probe the token stayed subdir-relative while the answer ran
+  // from the root → rg ENOENT → answered:false (the original night bug).
+  const exists = (p) => p.endsWith(pathE2e.join('backend', 'app', 'services', 'llm_engine'));
+  const cmd = 'grep -rn "def chat\\|max_retries" app/services/llm_engine/*.py';
+  const rebased = rebaseRelativePaths(cmd, 'backend', '/proj', exists);
+  assert.equal(
+    extractSearchPath(rebased), 'backend/app/services/llm_engine/*.py');
+  assert.equal(
+    sanitizeSearchPath(extractSearchPath(rebased)), 'backend/app/services/llm_engine');
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sdsrs/code-graph",
-  "version": "0.47.0",
+  "version": "0.48.0",
   "description": "MCP server that indexes codebases into an AST knowledge graph with semantic search, call graph traversal, and HTTP route tracing",
   "license": "MIT",
   "repository": {
@@ -35,10 +35,10 @@
     "node": ">=16"
   },
   "optionalDependencies": {
-    "@sdsrs/code-graph-linux-x64": "0.47.0",
-    "@sdsrs/code-graph-linux-arm64": "0.47.0",
-    "@sdsrs/code-graph-darwin-x64": "0.47.0",
-    "@sdsrs/code-graph-darwin-arm64": "0.47.0",
-    "@sdsrs/code-graph-win32-x64": "0.47.0"
+    "@sdsrs/code-graph-linux-x64": "0.48.0",
+    "@sdsrs/code-graph-linux-arm64": "0.48.0",
+    "@sdsrs/code-graph-darwin-x64": "0.48.0",
+    "@sdsrs/code-graph-darwin-arm64": "0.48.0",
+    "@sdsrs/code-graph-win32-x64": "0.48.0"
   }
 }