cc-safety-net 1.0.1 → 1.0.2

package/dist/bin/cc-safety-net.js

@@ -338,6 +338,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4143,8 +4147,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4163,6 +4166,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4170,6 +4199,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4520,8 +4574,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4543,8 +4598,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }
@@ -7830,7 +7886,7 @@ import { existsSync as existsSync14 } from "node:fs";
 import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
 import { tmpdir as tmpdir4 } from "node:os";
 import { delimiter, extname, join as join11 } from "node:path";
-var CURRENT_VERSION = "1.0.1";
+var CURRENT_VERSION = "1.0.2";
 var VERSION_FETCH_TIMEOUT_MS = 2000;
 var PI_PROBE_TIMEOUT_MS = 5000;
 var PI_SENTINEL_COMMAND = "cc-safety-net";
@@ -8882,12 +8938,14 @@ function explainCommand2(command2, options2) {
         token: redactEnvAssignmentsInString(segment[0]),
         matched: false
       });
-      if (segmentChangesCwd(segment)) {
-        segmentSteps.push({
-          type: "cwd-change",
-          segment: redactEnvAssignmentsInString(segment.join(" ")),
-          effectiveCwdNowUnknown: true
-        });
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        if (nextCwd2 !== null) {
+          effectiveCwd = nextCwd2;
+          trace.segments.push({ index: i, steps: segmentSteps });
+          continue;
+        }
+        segmentSteps.push(cwdChangeStep(segment));
         effectiveCwd = null;
       }
       trace.segments.push({ index: i, steps: segmentSteps });
@@ -8903,12 +8961,15 @@ function explainCommand2(command2, options2) {
       blockReason = result.reason;
       blockSegment = redactEnvAssignmentsInString(segment.join(" "));
     }
-    if (segmentChangesCwd(segment)) {
-      segmentSteps.push({
-        type: "cwd-change",
-        segment: redactEnvAssignmentsInString(segment.join(" ")),
-        effectiveCwdNowUnknown: true
-      });
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      if (nextCwd !== null) {
+        effectiveCwd = nextCwd;
+        applyShellGitContextEnvSegment(segment, shellGitContextState);
+        trace.segments.push({ index: i, steps: segmentSteps });
+        continue;
+      }
+      segmentSteps.push(cwdChangeStep(segment));
       effectiveCwd = null;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
@@ -8924,6 +8985,13 @@ function explainCommand2(command2, options2) {
     configValid
   };
 }
+function cwdChangeStep(segment) {
+  return {
+    type: "cwd-change",
+    segment: redactEnvAssignmentsInString(segment.join(" ")),
+    effectiveCwdNowUnknown: true
+  };
+}
 function getCustomRuleMetadata(reason, options2, cwd) {
   const id = reason?.match(/^\[([^\]]+)]/)?.[1];
   if (!id)
@@ -9327,7 +9395,7 @@ function formatTraceJson(result) {
   return JSON.stringify(result, null, 2);
 }
 // src/bin/help.ts
-var version = "1.0.1";
+var version = "1.0.2";
 var INDENT = "  ";
 var PROGRAM_NAME = "cc-safety-net";
 function formatOptionFlags(option) {

package/dist/core/analyze/segment.d.ts

@@ -8,3 +8,4 @@ export type InternalOptions = AnalyzeOptions & {
 };
 export declare function analyzeSegment(tokens: string[], depth: number, options: InternalOptions): string | null;
 export declare function segmentChangesCwd(segment: readonly string[]): boolean;
+export declare function resolveCwdAfterSegment(segment: readonly string[], cwd: string | null | undefined): string | null | undefined;

package/dist/index.js

@@ -282,6 +282,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4087,8 +4091,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4107,6 +4110,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4114,6 +4143,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4464,8 +4518,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4487,8 +4542,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }

package/dist/pi/index.js

@@ -346,6 +346,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4151,8 +4155,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4171,6 +4174,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4178,6 +4207,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4528,8 +4582,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4551,8 +4606,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safety-net",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "A coding agent CLI hook - block destructive git and filesystem commands before execution",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",