@sdsrs/code-graph 0.68.0 → 0.70.0

package/claude-plugin/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "sdsrs"
   },
-  "version": "0.68.0",
+  "version": "0.70.0",
   "keywords": [
     "code-graph",
     "ast",

package/claude-plugin/scripts/pre-grep-guide.js

@@ -65,10 +65,20 @@ const SRC_PATH = new RegExp(`(?:^|\\s|["'])(${SRC_PREFIXES})/`);
 const SRC_PATH_TOKEN = new RegExp(`^(?:\\./)?(${SRC_PREFIXES})/`);
 const PIPE_INTO_GREP = /\|\s*(?:grep|rg|ag)\b/;
 const CG_INVOKED = /\bcode-graph-mcp\b/;
-// A file argument that ends in a config/lockfile extension AND no source-tree
-// path appears elsewhere → grep is searching config, not code.
-const CONFIG_TARGET_ONLY =
-  /(?:^|\s)[^\s|<>]*\.(toml|md|json|yml|yaml|lock|txt|cfg|env|gitignore|properties)(?:\s|$)/i;
+// File argument(s) that end in a config/lockfile/data extension. If, after removing
+// ALL of them, no source-tree path remains, the grep is searching config/data not code.
+// v0.69 floor-hardening: (a) extended the extension list (ini/conf/xml/log/csv) and
+// (b) made the strip GLOBAL so multiple data files (`grep X src/a.json src/b.json`) all
+// peel off — previously only the first did, leaving the 2nd's `src/`-prefixed path to
+// false-match SRC_PATH and fire. cg has no structural answer for these, so a deny is
+// friction-without-value that teaches CODE_GRAPH_NO_BLOCK_GREP bypass (2026-06-23 reach
+// audit: the unreached ~75% of greps are genuinely non-foldable — keep precision).
+const NON_SOURCE_EXTS =
+  'toml|md|json|yml|yaml|lock|txt|cfg|env|gitignore|properties|ini|conf|xml|log|csv';
+const CONFIG_TARGET_ONLY = new RegExp(`(?:^|\\s)[^\\s|<>]*\\.(?:${NON_SOURCE_EXTS})(?:\\s|$)`, 'i');
+// Global + trailing-lookahead variant for the strip: lookahead (not consume) so adjacent
+// data-file tokens both match; global so every one is peeled before the SRC_PATH re-check.
+const CONFIG_TARGET_STRIP = new RegExp(`(?:^|\\s)[^\\s|<>]*\\.(?:${NON_SOURCE_EXTS})(?=\\s|$)`, 'gi');
 
 function shouldHint(cmd) {
   if (!cmd || typeof cmd !== 'string') return false;
@@ -79,7 +89,7 @@ function shouldHint(cmd) {
   if (!SRC_PATH.test(cmd)) return false;           // not against indexed source tree
   // If a config file appears AND no source path remains after stripping it, skip.
   if (CONFIG_TARGET_ONLY.test(cmd)) {
-    const stripped = cmd.replace(CONFIG_TARGET_ONLY, ' ');
+    const stripped = cmd.replace(CONFIG_TARGET_STRIP, ' ');
     if (!SRC_PATH.test(stripped)) return false;
   }
   return true;
@@ -156,6 +166,12 @@ function classifyBlock(cmd) {
     if (symbols.length === 0) return null;        // context read without named decls
     return { mode: 'show', symbols: symbols.slice(0, 3) };
   }
+  // v0.70 — only DENY when the inline grep answer can cover the SAME scope. It scopes to one
+  // path (extractSearchPath = first src-prefixed token), so a grep naming ≥2 file paths gets a
+  // first-path-only answer (the rest silently dropped) — an incomplete substitute that
+  // rationally teaches CODE_GRAPH_NO_BLOCK_GREP bypass. Downgrade to hint: the model's complete
+  // grep runs and the hint still nudges. (show mode above is symbol-scoped, not path → unaffected.)
+  if (countNamedPaths(cmd, patterns) >= 2) return null;
   return { mode: 'grep' };
 }
 
@@ -293,6 +309,37 @@ function extractSearchPath(cmd) {
   return undefined;
 }
 
+// v0.70 — count the explicit file/dir path arguments a grep names (excluding flags and
+// the quoted search pattern). The deny's inline answer scopes to ONE path
+// (extractSearchPath returns only the first source-prefixed token), so a grep naming ≥2
+// paths gets an answer covering only the first — an incomplete substitute that rationally
+// drives CODE_GRAPH_NO_BLOCK_GREP bypass (2026-06-23: the dominant observed bypass was a
+// multi-file named grep whose deny silently dropped the other files). classifyBlock uses
+// this to downgrade those denies to a hint (which still nudges) so the complete grep runs.
+function countNamedPaths(cmd, patterns) {
+  if (!cmd || typeof cmd !== 'string') return 0;
+  const pats = new Set(patterns || []);
+  // Only the grep's OWN path args count. Stop at the first top-level command separator so a
+  // path in a compound tail (`grep X src/a.py | sed … src/b.py`) is NOT mistaken for a second
+  // grep target — that would wrongly downgrade a complete single-file grep to a hint.
+  let seg = cmd.replace(/^\s*(?:env\s+)?(?:[A-Za-z_][A-Za-z0-9_]*=\S*\s+)*(?:grep|rg|ag)\s+/, '');
+  let quote = null;
+  for (let i = 0; i < seg.length; i++) {
+    const c = seg[i];
+    if (quote) { if (c === quote) quote = null; continue; }
+    if (c === '"' || c === "'") { quote = c; continue; }
+    if (c === ';' || c === '|' || c === '&' || c === '>' || c === '<' || c === '\n') { seg = seg.slice(0, i); break; }
+  }
+  let n = 0;
+  for (const raw of seg.split(/\s+/)) {
+    const tok = raw.replace(/^["']|["']$/g, '');
+    if (!tok || tok.startsWith('-')) continue;     // a flag
+    if (pats.has(tok)) continue;                    // the search pattern, not a path
+    if (tok.includes('/') || /\.[A-Za-z0-9]{1,6}$/.test(tok)) n++;  // dir-sep or file extension
+  }
+  return n;
+}
+
 // v0.47.0 — the pattern that justified the block: first identifier-like one.
 function pickBlockPattern(cmd) {
   return extractPatterns(cmd).find(p => IDENTIFIER_LIKE.test(p));
@@ -597,6 +644,7 @@ module.exports = {
   extractSedReadTargets, // v0.49 — sed-range reads feed the read-fanout state
   extractUnansweredTail, // v0.50 — compound-tail honesty in answered denies
   extractPatterns,    // v0.32.1 — exposed for tests
+  countNamedPaths,    // v0.70 — multi-path deny→hint downgrade
   extractSearchPath,  // v0.47.0 — deny-with-answer
   normalizeCommandPaths, // v0.47.1 — abs-path matcher fix
   resolveProjectRoot,    // v0.48 — subdir-cwd dark fix

package/claude-plugin/scripts/pre-grep-guide.test.js

@@ -5,6 +5,7 @@ const {
   shouldHint,
   shouldBlock,
   classifyBlock,
+  countNamedPaths,
   extractDeclSymbols,
   translateBreToRg,
   buildShowDenyReason,
@@ -108,6 +109,42 @@ test('shouldHint: grep on a markdown changelog', () => {
   assert.equal(shouldHint('grep "v0.24" CHANGELOG.md'), false);
 });
 
+// ── Floor (v0.69 hardening): non-foldable greps must NEVER deny/hint ──
+// cg has no structural answer for these → a deny is friction-without-value that teaches
+// CODE_GRAPH_NO_BLOCK_GREP bypass. 2026-06-23 reach audit: foldability (~24%) ≈
+// interception (24%), so the floor (precision) is the lever — not reach expansion.
+
+test('floor: grep on an external / non-indexed dir (/tmp clone) never fires', () => {
+  assert.equal(shouldHint('grep -rn "FooBar" /tmp/openwolf-analysis'), false);
+  assert.equal(shouldBlock('grep -rn "FooBar" /tmp/openwolf-analysis'), false);
+});
+
+test('floor: external path with an embedded src/ segment never fires', () => {
+  // SRC_PATH only matches a prefix at ^|\s|quote — `/tmp/clone/src/` is not a project path.
+  assert.equal(shouldHint('grep -rn "FooBar" /tmp/clone/src/'), false);
+});
+
+test('floor: a non-source data file (.log) under src/ never fires', () => {
+  assert.equal(shouldHint('grep "ErrorHandler" src/fixtures/app.log'), false);
+  assert.equal(shouldBlock('grep "ErrorHandler" src/fixtures/app.log'), false);
+});
+
+test('floor: ini/conf/xml/csv data files under src/ never fire', () => {
+  assert.equal(shouldHint('grep "FooBar" src/config.ini'), false);
+  assert.equal(shouldHint('grep "FooBar" src/app.conf'), false);
+  assert.equal(shouldHint('grep "FooBar" src/data.xml'), false);
+  assert.equal(shouldHint('grep "FooBar" src/rows.csv'), false);
+});
+
+test('floor: multiple config files under a src prefix all peel off → skip', () => {
+  // global strip (v0.69): pre-fix only the first .json peeled, the 2nd false-matched SRC_PATH.
+  assert.equal(shouldHint('grep "FooBar" src/a.json src/b.json'), false);
+});
+
+test('floor: mixed target (data file + real source file) STILL fires (no foldable miss)', () => {
+  assert.equal(shouldHint('grep -rn "FooBar" src/app.log src/handler.rs'), true);
+});
+
 // ── Should NOT fire: not search tools ───────────────────────────────
 
 test('shouldHint: ls src/', () => {
@@ -336,6 +373,45 @@ test('shouldBlock: --exclude=tests → hint only (answer cannot honor exclusion)
   assert.equal(shouldBlock('grep -rn --exclude=tests "EmbeddingModel" src/'), false);
 });
 
+// ── B (v0.70): deny only when the inline answer covers the FULL scope ──
+// The deny scopes to ONE path (extractSearchPath = first src-prefixed token). A grep naming
+// ≥2 file paths would get a first-path-only answer (the rest silently dropped) — an incomplete
+// substitute that rationally teaches CODE_GRAPH_NO_BLOCK_GREP bypass. Downgrade those to HINT;
+// single file / directory greps (which the answer fully covers) still deny.
+
+test('B: ≥2 named files downgrade deny→hint (deny would drop all but the first)', () => {
+  const cmd = 'grep -n "CLAUDE_MEM_DIR" scripts/setup.sh hook-shared.mjs';
+  assert.equal(shouldHint(cmd), true);     // still nudges
+  assert.equal(shouldBlock(cmd), false);   // but does NOT deny (answer can't cover hook-shared.mjs)
+  assert.equal(classifyBlock(cmd), null);
+});
+
+test('B: two source files also downgrade (deny would cover only the first)', () => {
+  assert.equal(shouldBlock('grep -rn "set_hook" src/main.rs src/lib.rs'), false);
+  assert.equal(shouldHint('grep -rn "set_hook" src/main.rs src/lib.rs'), true);
+});
+
+test('B: single file still DENIES (inline answer fully covers it)', () => {
+  assert.deepEqual(classifyBlock('grep -n "handleMessage" src/server.mjs'), { mode: 'grep' });
+});
+
+test('B: single directory (recursive) still DENIES (cg grep covers the whole dir)', () => {
+  assert.equal(shouldBlock('grep -rn "EmbeddingModel" src/'), true);
+});
+
+test('B: --include on a single dir still DENIES (one path, fully scoped)', () => {
+  assert.equal(shouldBlock('grep -rn --include="*.rs" "EmbeddingModel" src/'), true);
+});
+
+test('countNamedPaths: counts paths, excludes flags and the quoted pattern', () => {
+  assert.equal(countNamedPaths('grep -n "Foo" src/a.rs src/b.rs', ['Foo']), 2);
+  assert.equal(countNamedPaths('grep -rn "Foo" src/', ['Foo']), 1);
+  // a path-shaped pattern is the pattern, not a second path token
+  assert.equal(countNamedPaths('grep "config.json" src/app.rs', ['config.json']), 1);
+  // a path in a compound tail (sed/pipe target) is NOT a 2nd grep target → stays 1 (deny)
+  assert.equal(countNamedPaths("grep -n \"Foo\" src/foo.rs | head; sed -n '1,5p' src/bar.rs", ['Foo']), 1);
+});
+
 test('shouldBlock: -L / -v inverted intents → hint only', () => {
   assert.equal(shouldBlock('grep -rL "EmbeddingModel" src/'), false);
   assert.equal(shouldBlock('grep -rnv "EmbeddingModel" src/'), false);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sdsrs/code-graph",
-  "version": "0.68.0",
+  "version": "0.70.0",
   "description": "MCP server that indexes codebases into an AST knowledge graph with semantic search, call graph traversal, and HTTP route tracing",
   "license": "MIT",
   "repository": {
@@ -35,10 +35,10 @@
     "node": ">=16"
   },
   "optionalDependencies": {
-    "@sdsrs/code-graph-linux-x64": "0.68.0",
-    "@sdsrs/code-graph-linux-arm64": "0.68.0",
-    "@sdsrs/code-graph-darwin-x64": "0.68.0",
-    "@sdsrs/code-graph-darwin-arm64": "0.68.0",
-    "@sdsrs/code-graph-win32-x64": "0.68.0"
+    "@sdsrs/code-graph-linux-x64": "0.70.0",
+    "@sdsrs/code-graph-linux-arm64": "0.70.0",
+    "@sdsrs/code-graph-darwin-x64": "0.70.0",
+    "@sdsrs/code-graph-darwin-arm64": "0.70.0",
+    "@sdsrs/code-graph-win32-x64": "0.70.0"
   }
 }