configorama 0.11.2 → 1.0.0

package/src/utils/requirements/serializeRequirements.test.js

@@ -0,0 +1,211 @@
+/* eslint-disable no-template-curly-in-string */
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const configorama = require('../../index')
+const {
+  getHow,
+  serializeRequirements,
+  shouldAsk,
+} = require('./serializeRequirements')
+
+test('serializeRequirements emits stable top-level contract', async () => {
+  delete process.env.CONFIGORAMA_REQUIREMENTS_API_KEY
+  const analysis = await configorama.analyze({
+    apiKey: '${env:CONFIGORAMA_REQUIREMENTS_API_KEY | help("API key")}',
+    stage: '${opt:stage}',
+    region: '${env:CONFIGORAMA_REQUIREMENTS_REGION, "us-east-1"}',
+  }, { options: {} })
+
+  const result = serializeRequirements(analysis, { configPathOrObject: null })
+
+  assert.is(result.schemaVersion, 1)
+  assert.is(result.config, null)
+  assert.equal(result.summary, {
+    total: 3,
+    required: 2,
+    optional: 1,
+    sensitive: 1,
+  })
+  assert.equal(result.ask.map(item => item.variable), [
+    'env:CONFIGORAMA_REQUIREMENTS_API_KEY',
+    'opt:stage',
+  ])
+  assert.equal(result.ask.map(item => item.how), [
+    'Set environment variable CONFIGORAMA_REQUIREMENTS_API_KEY',
+    'Pass --stage on the CLI',
+  ])
+})
+
+test('analyze instructions mode returns requirements JSON', async () => {
+  delete process.env.CONFIGORAMA_REQUIREMENTS_TOKEN
+  const result = await configorama.analyze({
+    token: '${env:CONFIGORAMA_REQUIREMENTS_TOKEN}',
+  }, {
+    instructions: true,
+  })
+
+  assert.is(result.schemaVersion, 1)
+  assert.is(result.summary.total, 1)
+  assert.equal(result.ask.map(item => item.variable), ['env:CONFIGORAMA_REQUIREMENTS_TOKEN'])
+})
+
+test('ask is environment-aware for env variables', async () => {
+  const envName = 'CONFIGORAMA_REQUIREMENTS_PRESENT'
+  const previous = process.env[envName]
+  process.env[envName] = 'available'
+
+  try {
+    const result = await configorama.analyze({
+      present: '${env:CONFIGORAMA_REQUIREMENTS_PRESENT}',
+    }, {
+      instructions: true,
+    })
+
+    assert.equal(result.ask, [])
+    assert.is(result.requirements[0].default, 'available')
+    assert.is(result.requirements[0].required, false)
+  } finally {
+    if (previous === undefined) delete process.env[envName]
+    else process.env[envName] = previous
+  }
+})
+
+test('ask includes concrete missing files and excludes dynamic unresolved files', () => {
+  const result = serializeRequirements({
+    uniqueVariables: {
+      'file(./missing.yml)': {
+        variable: 'file(./missing.yml)',
+        variableType: 'file',
+        variableSourceType: 'config',
+        fileExists: false,
+        occurrences: [{ path: 'config', isRequired: true }]
+      },
+      'file(./missing-${opt:stage}.yml)': {
+        variable: 'file(./missing-${opt:stage}.yml)',
+        variableType: 'file',
+        variableSourceType: 'config',
+        innerVariables: [{ variable: 'opt:stage' }],
+        occurrences: [{ path: 'dynamicConfig', isRequired: true }]
+      }
+    }
+  })
+
+  assert.equal(result.ask.map(item => item.variable), ['file(./missing.yml)'])
+  assert.is(result.ask[0].how, 'Provide file at path ./missing.yml')
+})
+
+test('how strings are derived from variableType', () => {
+  assert.is(getHow({ variableType: 'env', name: 'TOKEN' }), 'Set environment variable TOKEN')
+  assert.is(getHow({ variableType: 'option', name: 'stage' }), 'Pass --stage on the CLI')
+  assert.is(getHow({ variableType: 'param', name: 'domain' }), 'Pass --param domain=<value>')
+  assert.is(getHow({ variableType: 'file', name: './secrets.yml' }), 'Provide file at path ./secrets.yml')
+  assert.is(getHow({ variableType: 'git', name: 'sha' }), null)
+})
+
+test('readonly derived sources are excluded from ask', () => {
+  assert.is(shouldAsk({
+    variableType: 'git',
+    required: true,
+    default: null,
+    sourceClass: 'config',
+  }), false)
+})
+
+test('serializer hard-errors on model conflicts', () => {
+  assert.throws(() => serializeRequirements({
+    uniqueVariables: {
+      'opt:stage': {
+        variable: 'opt:stage',
+        variableType: 'options',
+        variableSourceType: 'user',
+        occurrences: [
+          { path: 'stage', type: 'String', isRequired: true },
+          { path: 'provider.stage', type: 'Number', isRequired: true },
+        ]
+      }
+    }
+  }), /opt:stage type conflict at stage, provider.stage/)
+})
+
+test('serializeRequirements includes annotation fields in requirements and ask', () => {
+  const result = serializeRequirements({
+    uniqueVariables: {
+      'env:STRIPE_SECRET_KEY': {
+        variable: 'env:STRIPE_SECRET_KEY',
+        variableType: 'env',
+        variableSourceType: 'user',
+        occurrences: [
+          {
+            path: 'secrets.stripeSecret',
+            description: 'Stripe live secret key',
+            descriptionSource: 'commentTag',
+            obtainHint: 'Stripe dashboard > Developers > API keys',
+            examples: ['sk_live_...'],
+            defaultHint: 'Set in CI',
+            group: 'Payments',
+            deprecationMessage: 'Use STRIPE_RESTRICTED_KEY instead',
+            sensitive: true,
+            sensitiveSource: 'commentTag',
+            isRequired: true,
+          }
+        ]
+      }
+    }
+  })
+
+  const requirement = result.requirements[0]
+  assert.is(requirement.description, 'Stripe live secret key')
+  assert.is(requirement.descriptionSource, 'commentTag')
+  assert.is(requirement.obtainHint, 'Stripe dashboard > Developers > API keys')
+  assert.equal(requirement.examples, ['sk_live_...'])
+  assert.is(requirement.defaultHint, 'Set in CI')
+  assert.is(requirement.group, 'Payments')
+  assert.is(requirement.deprecationMessage, 'Use STRIPE_RESTRICTED_KEY instead')
+  assert.is(requirement.sensitive, true)
+  assert.is(requirement.sensitiveSource, 'commentTag')
+
+  assert.equal(result.ask, [
+    {
+      name: 'STRIPE_SECRET_KEY',
+      variable: 'env:STRIPE_SECRET_KEY',
+      variableType: 'env',
+      type: 'string',
+      sensitive: true,
+      description: 'Stripe live secret key',
+      obtainHint: 'Stripe dashboard > Developers > API keys',
+      examples: ['sk_live_...'],
+      defaultHint: 'Set in CI',
+      group: 'Payments',
+      deprecationMessage: 'Use STRIPE_RESTRICTED_KEY instead',
+      paths: ['secrets.stripeSecret'],
+      how: 'Set environment variable STRIPE_SECRET_KEY',
+    }
+  ])
+  assert.is(Object.prototype.hasOwnProperty.call(result.ask[0], 'sensitiveSource'), false)
+})
+
+test('serializer hard-errors on annotation conflicts', () => {
+  assert.throws(() => serializeRequirements({
+    uniqueVariables: {
+      'env:PAYMENT_TOKEN': {
+        variable: 'env:PAYMENT_TOKEN',
+        variableType: 'env',
+        variableSourceType: 'user',
+        occurrences: [
+          {
+            path: 'stripe.token',
+            obtainHint: 'Stripe dashboard',
+            isRequired: true,
+          },
+          {
+            path: 'github.token',
+            obtainHint: 'GitHub settings',
+            isRequired: true,
+          },
+        ]
+      }
+    }
+  }), /env:PAYMENT_TOKEN obtainHint conflict at stripe.token, github.token: "Stripe dashboard", "GitHub settings"/)
+})
+
+test.run()

package/src/utils/security/evalSafety.js

@@ -0,0 +1,86 @@
+// Blocks prototype-chain escapes in ${eval(...)} / ${if(...)} expressions.
+// Literals like "" or [] expose .constructor, which reaches the Function
+// constructor and arbitrary code execution. We reject access to those property
+// names (statically or via dynamic computed keys) before any evaluation runs.
+
+// Property names that walk the prototype chain toward the Function constructor.
+const FORBIDDEN_KEYS = new Set([
+  'constructor',
+  'prototype',
+  '__proto__',
+  '__defineGetter__',
+  '__defineSetter__',
+  '__lookupGetter__',
+  '__lookupSetter__',
+])
+
+// Fast pre-filter on the raw source. Catches the dotted / literal-bracket forms
+// directly; the AST walk below also catches concatenated keys it cannot see.
+const SOURCE_ESCAPE_PATTERN = /\b(?:constructor|prototype|__proto__|__define[GS]etter__|__lookup[GS]etter__)\b/
+
+/**
+ * Walk a subscript/justin AST and return the first disallowed access found.
+ * Node shapes: [null, literal] | ['.', obj, propName] | ['[]', obj, keyNode] |
+ * [op, ...children]; bare identifiers are plain strings.
+ * @param {*} node - a subscript AST node
+ * @returns {string|null} the offending key (or '<computed-key>'), else null
+ */
+function findForbiddenAccess(node) {
+  if (!Array.isArray(node)) return null
+  const op = node[0]
+  // Literal nodes are [<hole>, value]; the hole reads back as undefined.
+  if (op == null) return null
+
+  // Static and optional member access: ['.', obj, name] / ['?.', obj, name]
+  if (op === '.' || op === '?.') {
+    const prop = node[2]
+    if (typeof prop === 'string' && FORBIDDEN_KEYS.has(prop)) return prop
+    return findForbiddenAccess(node[1])
+  }
+
+  if (op === '[]') {
+    const key = node[2]
+    if (Array.isArray(key) && key[0] == null) {
+      const value = key[1]
+      if (typeof value === 'string' && FORBIDDEN_KEYS.has(value)) return value
+    } else {
+      // Non-literal key (e.g. "con" + "structor"); cannot be verified statically.
+      return '<computed-key>'
+    }
+    return findForbiddenAccess(node[1])
+  }
+
+  for (let i = 1; i < node.length; i++) {
+    const found = findForbiddenAccess(node[i])
+    if (found) return found
+  }
+  return null
+}
+
+/**
+ * Throw if an eval expression attempts a prototype-chain escape.
+ * @param {string} expression - the raw expression inside eval(...)
+ * @param {*} [ast] - the parsed subscript AST, when available
+ */
+function assertSafeEvalExpression(expression, ast) {
+  if (ast) {
+    // Precise: walk the parsed AST so literal strings like "constructor" used as
+    // data are allowed, while actual member access to them is blocked.
+    const bad = findForbiddenAccess(ast)
+    if (bad) {
+      throw new Error(`Blocked eval expression "${expression}": disallowed member access (${bad}).`)
+    }
+    return
+  }
+  // Fallback when the expression could not be parsed: blunt source scan.
+  if (SOURCE_ESCAPE_PATTERN.test(String(expression))) {
+    throw new Error(`Blocked eval expression "${expression}": access to constructor/prototype is not allowed.`)
+  }
+}
+
+module.exports = {
+  FORBIDDEN_KEYS,
+  SOURCE_ESCAPE_PATTERN,
+  findForbiddenAccess,
+  assertSafeEvalExpression,
+}

package/src/utils/security/evalSafety.test.js

@@ -0,0 +1,61 @@
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const { findForbiddenAccess, assertSafeEvalExpression } = require('./evalSafety')
+
+let parse
+test.before(async () => {
+  await import('subscript/justin') // registers operators on the shared parser
+  const mod = await import('subscript/parse')
+  parse = mod.default
+})
+
+function check(expression) {
+  let ast = null
+  try { ast = parse(expression) } catch (e) { ast = null }
+  let caught
+  try { assertSafeEvalExpression(expression, ast) } catch (e) { caught = e }
+  return caught
+}
+
+test('allows arithmetic and comparison expressions', () => {
+  assert.is(check('1 + 1'), undefined)
+  assert.is(check('"yes" === "yes"'), undefined)
+  assert.is(check('true ? 1 : 2'), undefined)
+})
+
+test('allows safe static member access on context values', () => {
+  assert.is(check('provider.stage === "prod"'), undefined)
+  assert.is(check('custom.nullValue === null'), undefined)
+})
+
+test('allows literal-key index access', () => {
+  assert.is(check('a[0]'), undefined)
+  assert.is(check('obj["key"]'), undefined)
+})
+
+test('blocks static constructor access', () => {
+  assert.ok(check('"".constructor.constructor("return 1")()'))
+  assert.ok(check('[].constructor'))
+  assert.ok(check('x.__proto__'))
+})
+
+test('blocks optional-chaining constructor access', () => {
+  assert.ok(check('a?.constructor'))
+  assert.ok(check('a?.["constructor"]'))
+})
+
+test('blocks literal-bracket constructor access', () => {
+  assert.ok(check('(0)["constructor"]["constructor"]("return 1")()'))
+})
+
+test('blocks concatenated computed-key escape', () => {
+  assert.ok(check('(0)["con" + "structor"]'))
+})
+
+test('findForbiddenAccess flags a hand-built dynamic key', () => {
+  // ['[]', 'obj', ['+', [null,'con'], [null,'structor']]]
+  const ast = ['[]', 'obj', ['+', [null, 'con'], [null, 'structor']]]
+  assert.is(findForbiddenAccess(ast), '<computed-key>')
+})
+
+test.run()

package/src/utils/security/safetyPolicy.js

@@ -0,0 +1,110 @@
+const fs = require('fs')
+const path = require('path')
+const { ConfigoramaError } = require('../../errors')
+
+const EXECUTABLE_EXTENSIONS = new Set(['.js', '.cjs', '.mjs', '.esm', '.ts', '.tsx', '.mts', '.cts'])
+
+function asArray(value) {
+  if (value === undefined || value === null || value === false) return []
+  return Array.isArray(value) ? value : [value]
+}
+
+function resolveRoot(root, baseDir) {
+  if (!root) return null
+  return path.resolve(baseDir || process.cwd(), String(root))
+}
+
+function normalizeSafetyPolicy(settings = {}, context = {}) {
+  const configDir = context.configDir || settings.configDir || process.cwd()
+  const safeMode = settings.safeMode === true || settings.safe === true
+  const restrictFileRoots = settings.restrictFileRoots === true || safeMode
+  const configuredRoots = asArray(settings.allowedFileRoots || settings.fileRoots || settings.safeRoots)
+  const roots = configuredRoots.length
+    ? configuredRoots.map(root => resolveRoot(root, configDir)).filter(Boolean)
+    : (restrictFileRoots ? [path.resolve(configDir)] : [])
+
+  return {
+    safeMode,
+    blockExecutableFiles: settings.blockExecutableFiles !== false && safeMode,
+    blockCustomResolvers: settings.blockCustomResolvers !== false && safeMode,
+    blockCustomFunctions: settings.blockCustomFunctions !== false && safeMode,
+    blockDotEnv: settings.blockDotEnv !== false && safeMode,
+    restrictFileRoots,
+    allowedFileRoots: roots,
+  }
+}
+
+function realPathIfExists(value) {
+  try {
+    return fs.realpathSync(value)
+  } catch (error) {
+    return path.resolve(value)
+  }
+}
+
+function isPathInsideRoot(filePath, rootPath) {
+  const fileReal = realPathIfExists(filePath)
+  const rootReal = realPathIfExists(rootPath)
+  const relative = path.relative(rootReal, fileReal)
+  return relative === '' || (!!relative && !relative.startsWith('..') && !path.isAbsolute(relative))
+}
+
+function checkFileAccess(filePath, policy, context = {}) {
+  const ext = path.extname(filePath).toLowerCase()
+  if (policy.blockExecutableFiles && EXECUTABLE_EXTENSIONS.has(ext)) {
+    throw new ConfigoramaError('blocked_by_safe_mode', `Blocked executable config reference in safe mode: ${filePath}`, {
+      surface: 'executable_file',
+      filePath,
+      variable: context.variableString,
+    })
+  }
+
+  if (policy.restrictFileRoots && policy.allowedFileRoots.length) {
+    const allowed = policy.allowedFileRoots.some(root => isPathInsideRoot(filePath, root))
+    if (!allowed) {
+      throw new ConfigoramaError('file_root_forbidden', `File reference is outside allowed roots: ${filePath}`, {
+        filePath,
+        allowedRoots: policy.allowedFileRoots,
+        variable: context.variableString,
+      })
+    }
+  }
+}
+
+function assertSafeConfigInput(filePath, policy) {
+  if (!filePath || !policy.safeMode) return
+  const ext = path.extname(filePath).toLowerCase()
+  if (EXECUTABLE_EXTENSIONS.has(ext)) {
+    throw new ConfigoramaError('blocked_by_safe_mode', `Blocked executable config file in safe mode: ${filePath}`, {
+      surface: 'executable_config',
+      filePath,
+    })
+  }
+}
+
+function assertCustomResolversAllowed(variableSources, policy) {
+  if (policy.blockCustomResolvers && Array.isArray(variableSources) && variableSources.length > 0) {
+    throw new ConfigoramaError('blocked_by_safe_mode', 'Custom variable resolvers are blocked in safe mode', {
+      surface: 'custom_resolver',
+      count: variableSources.length,
+    })
+  }
+}
+
+function assertCustomFunctionsAllowed(functions, policy) {
+  if (policy.blockCustomFunctions && functions && Object.keys(functions).length > 0) {
+    throw new ConfigoramaError('blocked_by_safe_mode', 'Custom functions are blocked in safe mode', {
+      surface: 'custom_function',
+      names: Object.keys(functions).sort(),
+    })
+  }
+}
+
+module.exports = {
+  EXECUTABLE_EXTENSIONS,
+  assertCustomFunctionsAllowed,
+  assertCustomResolversAllowed,
+  assertSafeConfigInput,
+  checkFileAccess,
+  normalizeSafetyPolicy,
+}

package/src/utils/security/safetyPolicy.test.js

@@ -0,0 +1,29 @@
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const path = require('path')
+const {
+  checkFileAccess,
+  normalizeSafetyPolicy,
+} = require('./safetyPolicy')
+
+test('safe mode blocks executable file references', () => {
+  const policy = normalizeSafetyPolicy({ safeMode: true }, { configDir: __dirname })
+
+  assert.throws(() => {
+    checkFileAccess(path.join(__dirname, 'config.js'), policy, { variableString: 'file(./config.js)' })
+  }, /Blocked executable config reference/)
+})
+
+test('safe mode allows data file references inside config root', () => {
+  const policy = normalizeSafetyPolicy({ safeMode: true }, { configDir: __dirname })
+  checkFileAccess(path.join(__dirname, 'fixture.yml'), policy, { variableString: 'file(./fixture.yml)' })
+})
+
+test('safe mode blocks traversal outside allowed roots', () => {
+  const policy = normalizeSafetyPolicy({ safeMode: true }, { configDir: __dirname })
+  assert.throws(() => {
+    checkFileAccess(path.resolve(__dirname, '../../../package.json'), policy, { variableString: 'file(../../../package.json)' })
+  }, /outside allowed roots/)
+})
+
+test.run()

package/src/utils/strings/didYouMean.js

@@ -0,0 +1,70 @@
+// Suggests the closest known string to a possibly-misspelled input.
+// Used for command and flag "did you mean ...?" hints in the CLI.
+
+/**
+ * Optimal string alignment (Damerau) edit distance between two strings.
+ * Counts an adjacent transposition (e.g. "fromat" -> "format") as one edit,
+ * which keeps real single typos close while keeping unrelated words far apart.
+ * @param {string} a
+ * @param {string} b
+ * @returns {number} minimum edits (insert/delete/substitute/transpose)
+ */
+function editDistance(a, b) {
+  a = String(a)
+  b = String(b)
+  if (a === b) return 0
+  const m = a.length
+  const n = b.length
+  if (!m) return n
+  if (!n) return m
+
+  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0))
+  for (let i = 0; i <= m; i++) d[i][0] = i
+  for (let j = 0; j <= n; j++) d[0][j] = j
+
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1
+      d[i][j] = Math.min(
+        d[i - 1][j] + 1,        // deletion
+        d[i][j - 1] + 1,        // insertion
+        d[i - 1][j - 1] + cost  // substitution
+      )
+      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
+        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1) // transposition
+      }
+    }
+  }
+
+  return d[m][n]
+}
+
+/**
+ * Returns the candidate closest to input within an edit-distance threshold.
+ * Defaults to threshold 1 so only near-certain typos are suggested; this avoids
+ * hijacking legitimate passthrough options (e.g. `--stage`) that happen to sit a
+ * couple of edits away from a known flag.
+ * @param {string} input - the user-provided (possibly misspelled) token
+ * @param {string[]} candidates - known valid strings
+ * @param {{ threshold?: number }} [options]
+ * @returns {string|null} closest candidate, or null if none is close enough
+ */
+function didYouMean(input, candidates, options = {}) {
+  const threshold = options.threshold === undefined ? 1 : options.threshold
+  const value = String(input)
+  let best = null
+  let bestDist = Infinity
+
+  for (const candidate of candidates) {
+    const dist = editDistance(value, candidate)
+    if (dist < bestDist) {
+      bestDist = dist
+      best = candidate
+    }
+  }
+
+  if (best === null || bestDist > threshold) return null
+  return best
+}
+
+module.exports = { editDistance, didYouMean }

package/src/utils/strings/didYouMean.test.js

@@ -0,0 +1,52 @@
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const { editDistance, didYouMean } = require('./didYouMean')
+
+const COMMANDS = ['requirements', 'audit', 'graph', 'inspect', 'setup', 'capabilities']
+
+test('editDistance - identical strings are distance 0', () => {
+  assert.is(editDistance('graph', 'graph'), 0)
+})
+
+test('editDistance - single edit is distance 1', () => {
+  assert.is(editDistance('grph', 'graph'), 1)
+  assert.is(editDistance('audi', 'audit'), 1)
+})
+
+test('editDistance - adjacent transposition counts as one edit', () => {
+  assert.is(editDistance('fromat', 'format'), 1)
+  assert.is(editDistance('setpu', 'setup'), 1)
+})
+
+test('didYouMean - suggests closest command for a near typo', () => {
+  assert.is(didYouMean('inspekt', COMMANDS), 'inspect')
+  assert.is(didYouMean('audi', COMMANDS), 'audit')
+  assert.is(didYouMean('grph', COMMANDS), 'graph')
+  assert.is(didYouMean('capabilites', COMMANDS), 'capabilities')
+})
+
+test('didYouMean - returns null when nothing is close enough', () => {
+  assert.is(didYouMean('myconfig', COMMANDS), null)
+  assert.is(didYouMean('config.yml', COMMANDS), null)
+})
+
+test('didYouMean - exact match returns the candidate itself', () => {
+  assert.is(didYouMean('audit', COMMANDS), 'audit')
+})
+
+test('didYouMean - respects a custom threshold', () => {
+  assert.is(didYouMean('frmt', ['format'], { threshold: 2 }), 'format')
+  assert.is(didYouMean('frmt', ['format'], { threshold: 1 }), null)
+})
+
+test('didYouMean - flag typos resolve, passthrough options do not', () => {
+  const FLAGS = ['format', 'view', 'output', 'safe', 'help']
+  assert.is(didYouMean('fromat', FLAGS), 'format')
+  assert.is(didYouMean('veiw', FLAGS), 'view')
+  // common Serverless-style passthrough options must NOT be hijacked
+  assert.is(didYouMean('stage', FLAGS), null)
+  assert.is(didYouMean('domain', FLAGS), null)
+  assert.is(didYouMean('region', FLAGS), null)
+})
+
+test.run()

package/src/utils/strings/formatFunctionArgs.js

@@ -1,8 +1,13 @@
 const { trim } = require('../lodash')
 const { trimSurroundingQuotes } = require('./quoteUtils')
+const { decodeFilterArg, isEncodedFilterArg } = require('../filters/filterArgs')
 
 function formatArg(arg) {
-  const cleanArg = trimSurroundingQuotes(trim(arg), false)
+  const trimmed = trim(arg)
+  if (isEncodedFilterArg(trimmed)) {
+    return decodeFilterArg(trimmed)
+  }
+  const cleanArg = trimSurroundingQuotes(trimmed, false)
   if (cleanArg.match(/^{([^}]+)}$/)) {
     return JSON.parse(cleanArg)
   }

package/src/utils/strings/splitByComma.js

@@ -21,6 +21,11 @@ function splitByComma(string, regexPattern) {
     return [""]
   }
 
+  // No comma anywhere means no split, regardless of quotes/brackets/placeholders.
+  if (string.indexOf(",") === -1) {
+    return [string.trim()]
+  }
+
   // Extract regex patterns to protect them
   const placeholders = []
   let protectedString = string