kekkai-cli 2.2.0__tar.gz → 2.2.1__tar.gz

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.2.0
+Version: 2.2.1
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "kekkai-cli"
-version = "2.2.0"
+version = "2.2.1"
 description = "Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage."
 readme = "README.md"
 requires-python = ">=3.12"

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai/cli.py

@@ -1268,9 +1268,12 @@ def _command_triage(parsed: argparse.Namespace) -> int:
             except (OSError, json.JSONDecodeError, KeyError):
                 pass
 
-    # Fall back to current directory if still not set
+    # Fall back to current directory if still not set (with warning)
     if repo_path is None:
         repo_path = Path.cwd()
+        console.print("[warning]⚠ Repo path not detected. Using current directory.[/warning]")
+        console.print("[dim]Tip: Use --repo to specify repository root explicitly.[/dim]")
+        console.print(f"[dim]Current directory: {repo_path}[/dim]\n")
 
     return run_triage(
         findings=findings,

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai/output.py

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
 
-VERSION = "2.2.0"
+VERSION = "2.2.1"
 
 
 def print_dashboard() -> None:

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai/triage/code_context.py

@@ -210,22 +210,38 @@ class CodeContextExtractor:
                 error=f"File too large for display ({size_mb:.1f}MB)",
             )
 
-        # Read file content (with caching for performance)
+        # Read file content (with caching for performance and encoding fallback)
         cache_key = str(full_path)
         if cache_key in self._file_cache:
             file_content = self._file_cache[cache_key]
         else:
             try:
+                # Try UTF-8 first (strict mode)
                 file_content = full_path.read_text(encoding="utf-8")
-                # Cache the content
-                self._file_cache[cache_key] = file_content
-                # Evict oldest entry if cache is full (simple FIFO)
-                if len(self._file_cache) > self._cache_max_size:
-                    # Remove first (oldest) entry
-                    oldest_key = next(iter(self._file_cache))
-                    del self._file_cache[oldest_key]
-            except (OSError, UnicodeDecodeError) as e:
-                # ASVS V7.4.1: Sanitized error
+            except UnicodeDecodeError:
+                # HOTFIX: Fallback to UTF-8 with replacement characters
+                # This allows viewing legacy files (Windows-1252, Latin-1) with � for invalid chars
+                # instead of completely hiding the file with "Cannot read file" error
+                logger.info(
+                    "code_context_encoding_fallback",
+                    extra={"file_path": Path(file_path).name, "reason": "non_utf8"},
+                )
+                try:
+                    file_content = full_path.read_text(encoding="utf-8", errors="replace")
+                except (OSError, UnicodeDecodeError) as e:
+                    # Even fallback failed (should be rare - permissions, etc.)
+                    logger.warning(
+                        "code_context_read_error",
+                        extra={"file_path": Path(file_path).name, "error": str(e)},
+                    )
+                    return CodeContext(
+                        code="",
+                        language="",
+                        vulnerable_line="",
+                        error="Cannot read file (encoding error)",
+                    )
+            except OSError as e:
+                # File read error (permissions, etc.)
                 logger.warning(
                     "code_context_read_error",
                     extra={"file_path": Path(file_path).name, "error": str(e)},
@@ -237,6 +253,14 @@ class CodeContextExtractor:
                     error="Cannot read file",
                 )
 
+            # Cache the content
+            self._file_cache[cache_key] = file_content
+            # Evict oldest entry if cache is full (simple FIFO)
+            if len(self._file_cache) > self._cache_max_size:
+                # Remove first (oldest) entry
+                oldest_key = next(iter(self._file_cache))
+                del self._file_cache[oldest_key]
+
         # Extract code context using existing logic from fix engine
         code_context, vulnerable_line = self._prompt_builder.extract_code_context(
             file_content, line

kekkai_cli-2.2.1/src/kekkai/triage/editor_support.py

@@ -0,0 +1,166 @@
+"""Editor-specific line jump syntax support.
+
+Provides detection and command building for popular editors with
+security validation per ASVS V5.1.3.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+
+__all__ = [
+    "EditorConfig",
+    "detect_editor_config",
+    "validate_editor_name",
+    "EDITOR_REGISTRY",
+]
+
+# ASVS V5.1.3: Only allow safe characters in editor names
+EDITOR_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9/_.-]+$")
+
+
+@dataclass
+class EditorConfig:
+    """Editor-specific command line configuration.
+
+    Attributes:
+        name: Canonical editor name (e.g., "vim", "code", "subl").
+        syntax_type: Command syntax category for building commands.
+    """
+
+    name: str
+    syntax_type: str  # "vim", "vscode", "sublime", "notepadpp", "jetbrains"
+
+
+# Editor registry mapping base names to configurations
+EDITOR_REGISTRY: dict[str, EditorConfig] = {
+    # Vim family (syntax: editor +LINE file)
+    "vim": EditorConfig("vim", "vim"),
+    "nvim": EditorConfig("nvim", "vim"),
+    "neovim": EditorConfig("neovim", "vim"),
+    "vi": EditorConfig("vi", "vim"),
+    # Emacs family (syntax: editor +LINE file)
+    "emacs": EditorConfig("emacs", "vim"),
+    "nano": EditorConfig("nano", "vim"),
+    # VS Code (syntax: code -g file:line)
+    "code": EditorConfig("code", "vscode"),
+    "code-insiders": EditorConfig("code-insiders", "vscode"),
+    "codium": EditorConfig("codium", "vscode"),  # VSCodium (FOSS fork)
+    # Sublime Text (syntax: subl file:line)
+    "subl": EditorConfig("subl", "sublime"),
+    "sublime": EditorConfig("sublime", "sublime"),
+    "sublime_text": EditorConfig("sublime_text", "sublime"),
+    # Atom (syntax: atom file:line) - legacy but still used
+    "atom": EditorConfig("atom", "sublime"),
+    # Notepad++ (syntax: notepad++ -nLINE file)
+    "notepad++": EditorConfig("notepad++", "notepadpp"),
+    "notepad++.exe": EditorConfig("notepad++.exe", "notepadpp"),
+    # JetBrains IDEs (syntax: editor --line LINE file)
+    "idea": EditorConfig("idea", "jetbrains"),
+    "pycharm": EditorConfig("pycharm", "jetbrains"),
+    "webstorm": EditorConfig("webstorm", "jetbrains"),
+    "phpstorm": EditorConfig("phpstorm", "jetbrains"),
+    "goland": EditorConfig("goland", "jetbrains"),
+    "rider": EditorConfig("rider", "jetbrains"),
+    "clion": EditorConfig("clion", "jetbrains"),
+    "rubymine": EditorConfig("rubymine", "jetbrains"),
+}
+
+
+def detect_editor_config(editor_name: str) -> EditorConfig:
+    """Detect editor configuration from name.
+
+    Args:
+        editor_name: Editor executable name (e.g., "vim", "/usr/bin/code").
+
+    Returns:
+        EditorConfig for the detected editor, or vim-style default if unknown.
+
+    Examples:
+        >>> detect_editor_config("vim").syntax_type
+        'vim'
+        >>> detect_editor_config("/usr/local/bin/code").syntax_type
+        'vscode'
+        >>> detect_editor_config("unknown-editor").syntax_type
+        'vim'
+    """
+    # Extract base name from path
+    base_name = Path(editor_name).stem.lower()
+
+    # Handle .exe extension on Windows
+    if base_name.endswith(".exe"):
+        base_name = base_name[:-4]
+
+    # Lookup in registry
+    config = EDITOR_REGISTRY.get(base_name)
+    if config:
+        return config
+
+    # Default to vim-style syntax for unknown editors
+    return EditorConfig("unknown", "vim")
+
+
+def validate_editor_name(editor: str) -> bool:
+    """Validate that editor name is safe to use.
+
+    Security: ASVS V5.1.3 - Validate data at trust boundaries.
+    Rejects editor names containing shell metacharacters to prevent
+    command injection attacks.
+
+    Args:
+        editor: Editor name from environment variable.
+
+    Returns:
+        True if editor name is safe, False if it contains unsafe characters.
+
+    Examples:
+        >>> validate_editor_name("vim")
+        True
+        >>> validate_editor_name("/usr/bin/code")
+        True
+        >>> validate_editor_name("vim; curl evil.com")
+        False
+        >>> validate_editor_name("vim && rm -rf /")
+        False
+    """
+    if not editor:
+        return False
+
+    # Check against safe pattern (alphanumeric + /.-_ only)
+    return bool(EDITOR_NAME_PATTERN.match(editor))
+
+
+def build_editor_command(
+    editor_path: str, file_path: Path, line: int, editor_config: EditorConfig
+) -> list[str]:
+    """Build editor command arguments based on editor type.
+
+    Args:
+        editor_path: Full path to editor executable.
+        file_path: Path to file to open.
+        line: Line number to jump to.
+        editor_config: Editor configuration with syntax type.
+
+    Returns:
+        List of command arguments for subprocess.run().
+
+    Security:
+        ASVS V14.2.1 - Uses list args (not shell string) to prevent injection.
+    """
+    if editor_config.syntax_type == "vscode":
+        # VS Code: code -g file:line
+        return [editor_path, "-g", f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "sublime":
+        # Sublime Text / Atom: editor file:line
+        return [editor_path, f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "notepadpp":
+        # Notepad++: notepad++ -nLINE file
+        return [editor_path, f"-n{line}", str(file_path)]
+    elif editor_config.syntax_type == "jetbrains":
+        # JetBrains IDEs: editor --line LINE file
+        return [editor_path, "--line", str(line), str(file_path)]
+    else:
+        # Default (Vim/Emacs/Nano): editor +LINE file
+        return [editor_path, f"+{line}", str(file_path)]

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai/triage/screens.py

@@ -436,6 +436,8 @@ class FindingDetailScreen(Screen[None]):
         import shutil
         import subprocess
 
+        from .editor_support import build_editor_command, detect_editor_config, validate_editor_name
+
         logger = logging.getLogger(__name__)
 
         if not self.finding.file_path or not self.finding.line:
@@ -448,6 +450,15 @@ class FindingDetailScreen(Screen[None]):
         # Get editor from environment (ASVS V5.1.3: validate before use)
         editor = os.environ.get("EDITOR", "vim")
 
+        # ASVS V5.1.3: Validate EDITOR value before use (reject shell metacharacters)
+        if not validate_editor_name(editor):
+            self.notify(
+                f"Editor '{editor}' contains unsafe characters. Set a valid $EDITOR.",
+                severity="error",
+            )
+            logger.warning("unsafe_editor_value", extra={"editor": editor})
+            return
+
         # Security validation: check editor exists and is executable
         editor_path = shutil.which(editor)
         if not editor_path:
@@ -463,18 +474,22 @@ class FindingDetailScreen(Screen[None]):
             self.notify(f"File not found: {self.finding.file_path}", severity="error")
             return
 
+        # Detect editor type and build appropriate command
+        editor_config = detect_editor_config(editor)
+
         # Log editor invocation (ASVS V16.7.1)
         logger.info(
             "editor_opened",
             extra={
                 "editor": editor,
+                "editor_type": editor_config.syntax_type,
                 "file": self.finding.file_path,
                 "line": self.finding.line,
             },
         )
 
         # ASVS V14.2.1: Use list args (not shell=True) to prevent injection
-        cmd = [editor_path, f"+{self.finding.line}", str(file_path)]
+        cmd = build_editor_command(editor_path, file_path, self.finding.line, editor_config)
 
         try:
             # Suspend TUI, run editor, then resume

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.2.0
+Version: 2.2.1
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/src/kekkai_cli.egg-info/SOURCES.txt

@@ -64,6 +64,7 @@ src/kekkai/triage/__init__.py
 src/kekkai/triage/app.py
 src/kekkai/triage/audit.py
 src/kekkai/triage/code_context.py
+src/kekkai/triage/editor_support.py
 src/kekkai/triage/fix_screen.py
 src/kekkai/triage/ignore.py
 src/kekkai/triage/loader.py
@@ -97,6 +98,7 @@ src/kekkai_core/windows/validators.py
 tests/test_cli_output.py
 tests/test_compliance.py
 tests/test_dojo_import.py
+tests/test_editor_support.py
 tests/test_fix_engine.py
 tests/test_github_commenter_filter.py
 tests/test_github_commenter_format.py

kekkai_cli-2.2.1/tests/test_editor_support.py

@@ -0,0 +1,172 @@
+"""Unit tests for editor support module."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from kekkai.triage.editor_support import (
+    EditorConfig,
+    build_editor_command,
+    detect_editor_config,
+    validate_editor_name,
+)
+
+
+class TestEditorDetection:
+    """Tests for editor detection and configuration."""
+
+    def test_detect_vim_family(self) -> None:
+        """Test detection of Vim family editors."""
+        for editor in ["vim", "nvim", "neovim", "vi"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "vim"
+            assert config.name in ["vim", "nvim", "neovim", "vi"]
+
+    def test_detect_emacs_family(self) -> None:
+        """Test detection of Emacs family editors."""
+        for editor in ["emacs", "nano"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "vim"  # Use vim-style syntax
+
+    def test_detect_vscode(self) -> None:
+        """Test detection of VS Code variants."""
+        for editor in ["code", "code-insiders", "codium"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "vscode"
+
+    def test_detect_vscode_with_path(self) -> None:
+        """Test detection works with full paths."""
+        config = detect_editor_config("/usr/local/bin/code")
+        assert config.syntax_type == "vscode"
+        assert config.name == "code"
+
+    def test_detect_sublime(self) -> None:
+        """Test detection of Sublime Text variants."""
+        for editor in ["subl", "sublime", "sublime_text"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "sublime"
+
+    def test_detect_atom(self) -> None:
+        """Test detection of Atom editor."""
+        config = detect_editor_config("atom")
+        assert config.syntax_type == "sublime"  # Uses same syntax as Sublime
+
+    def test_detect_notepadpp(self) -> None:
+        """Test detection of Notepad++."""
+        for editor in ["notepad++", "notepad++.exe"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "notepadpp"
+
+    def test_detect_jetbrains(self) -> None:
+        """Test detection of JetBrains IDEs."""
+        for editor in ["idea", "pycharm", "webstorm", "phpstorm", "goland", "rider"]:
+            config = detect_editor_config(editor)
+            assert config.syntax_type == "jetbrains"
+
+    def test_unknown_editor_fallback(self) -> None:
+        """Test that unknown editors fall back to vim syntax."""
+        config = detect_editor_config("unknown-editor")
+        assert config.syntax_type == "vim"
+        assert config.name == "unknown"
+
+    def test_case_insensitive_detection(self) -> None:
+        """Test that editor detection is case-insensitive."""
+        config = detect_editor_config("CODE")
+        assert config.syntax_type == "vscode"
+
+        config = detect_editor_config("VIM")
+        assert config.syntax_type == "vim"
+
+
+class TestEditorValidation:
+    """Tests for editor name validation (ASVS V5.1.3)."""
+
+    def test_validate_safe_names(self) -> None:
+        """Test that safe editor names are accepted."""
+        safe_names = [
+            "vim",
+            "code",
+            "nvim",
+            "/usr/bin/vim",
+            "/usr/local/bin/code",
+            "editor-name",
+            "editor.name",
+            "editor_name",
+        ]
+        for name in safe_names:
+            assert validate_editor_name(name), f"Should accept: {name}"
+
+    def test_validate_reject_shell_metacharacters(self) -> None:
+        """Test that editor names with shell metacharacters are rejected."""
+        unsafe_names = [
+            "vim; curl evil.com",
+            "vim && rm -rf /",
+            "vim | cat /etc/passwd",
+            "vim $(whoami)",
+            "vim `whoami`",
+            "vim & curl",
+            "vim > /tmp/evil",
+            "vim < /etc/passwd",
+        ]
+        for name in unsafe_names:
+            assert not validate_editor_name(name), f"Should reject: {name}"
+
+    def test_validate_reject_empty(self) -> None:
+        """Test that empty editor name is rejected."""
+        assert not validate_editor_name("")
+
+
+class TestCommandBuilding:
+    """Tests for editor command building."""
+
+    def test_build_vim_command(self) -> None:
+        """Test building command for Vim-style editors."""
+        config = EditorConfig("vim", "vim")
+        cmd = build_editor_command("/usr/bin/vim", Path("/repo/file.py"), 42, config)
+
+        assert cmd == ["/usr/bin/vim", "+42", "/repo/file.py"]
+
+    def test_build_vscode_command(self) -> None:
+        """Test building command for VS Code."""
+        config = EditorConfig("code", "vscode")
+        cmd = build_editor_command("/usr/bin/code", Path("/repo/file.py"), 42, config)
+
+        assert cmd == ["/usr/bin/code", "-g", "/repo/file.py:42"]
+
+    def test_build_sublime_command(self) -> None:
+        """Test building command for Sublime Text."""
+        config = EditorConfig("subl", "sublime")
+        cmd = build_editor_command("/usr/bin/subl", Path("/repo/file.py"), 42, config)
+
+        assert cmd == ["/usr/bin/subl", "/repo/file.py:42"]
+
+    def test_build_notepadpp_command(self) -> None:
+        """Test building command for Notepad++."""
+        config = EditorConfig("notepad++", "notepadpp")
+        cmd = build_editor_command(
+            "C:\\Program Files\\Notepad++\\notepad++.exe", Path("C:\\repo\\file.py"), 42, config
+        )
+
+        assert cmd == ["C:\\Program Files\\Notepad++\\notepad++.exe", "-n42", "C:\\repo\\file.py"]
+
+    def test_build_jetbrains_command(self) -> None:
+        """Test building command for JetBrains IDEs."""
+        config = EditorConfig("pycharm", "jetbrains")
+        cmd = build_editor_command("/usr/bin/pycharm", Path("/repo/file.py"), 42, config)
+
+        assert cmd == ["/usr/bin/pycharm", "--line", "42", "/repo/file.py"]
+
+    def test_command_uses_list_args(self) -> None:
+        """Test that all commands use list args (not shell strings) per ASVS V14.2.1."""
+        editors = [
+            EditorConfig("vim", "vim"),
+            EditorConfig("code", "vscode"),
+            EditorConfig("subl", "sublime"),
+            EditorConfig("notepad++", "notepadpp"),
+            EditorConfig("idea", "jetbrains"),
+        ]
+
+        for editor in editors:
+            cmd = build_editor_command("/usr/bin/editor", Path("/file.py"), 10, editor)
+            assert isinstance(cmd, list), f"Command should be list for {editor.name}"
+            assert all(isinstance(arg, str) for arg in cmd), "All args should be strings"

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/tests/test_triage_code_context.py

@@ -271,3 +271,63 @@ class TestCodeContextExtractor:
         """Test _validate_path rejects paths outside repo."""
         outside_path = (tmp_path / "outside.py").resolve()
         assert extractor._validate_path(outside_path) is False
+
+    def test_extract_windows1252_file(
+        self, temp_repo: Path, extractor: CodeContextExtractor
+    ) -> None:
+        """Test extraction of Windows-1252 encoded file with smart quotes."""
+        # Create file with Windows-1252 encoding (smart quotes)
+        # \x93 and \x94 are left and right double quotes in Windows-1252
+        windows_file = temp_repo / "legacy.txt"
+        windows_file.write_bytes(b"Line 1\nSmart quote: \x93test\x94\nLine 3\n")
+
+        context = extractor.extract("legacy.txt", 2)
+
+        # Should succeed with replacement characters
+        assert context is not None
+        assert context.error is None
+        # Replacement character � (U+FFFD) should appear for invalid UTF-8 bytes
+        assert "�" in context.code or "test" in context.code
+
+    def test_extract_latin1_file(self, temp_repo: Path, extractor: CodeContextExtractor) -> None:
+        """Test extraction of Latin-1 encoded file."""
+        # Create file with Latin-1 encoding (accented characters)
+        latin1_file = temp_repo / "spanish.txt"
+        # é in Latin-1 is \xe9, ñ is \xf1
+        latin1_file.write_bytes(b"Line 1\ncaf\xe9 espa\xf1ol\nLine 3\n")
+
+        context = extractor.extract("spanish.txt", 2)
+
+        # Should succeed with replacement characters
+        assert context is not None
+        assert context.error is None
+        # Either shows replacement chars or the text (depending on encoding luck)
+        assert context.code
+
+    def test_extract_utf8_still_works(
+        self, temp_repo: Path, extractor: CodeContextExtractor
+    ) -> None:
+        """Test that UTF-8 files still work correctly after adding fallback."""
+        # Create proper UTF-8 file with emoji
+        utf8_file = temp_repo / "modern.py"
+        utf8_file.write_text("# Line 1\n# Test 🔥 emoji\n# Line 3\n", encoding="utf-8")
+
+        context = extractor.extract("modern.py", 2)
+
+        # Should succeed without fallback
+        assert context is not None
+        assert context.error is None
+        assert "🔥" in context.code or "emoji" in context.code
+
+    def test_extract_binary_still_skipped(
+        self, temp_repo: Path, extractor: CodeContextExtractor
+    ) -> None:
+        """Test that binary files are still skipped after adding encoding fallback."""
+        # Create binary file
+        binary_file = temp_repo / "binary.pyc"
+        binary_file.write_bytes(b"\x00\x00\x00\x00\xffbinary")
+
+        context = extractor.extract("binary.pyc", 1)
+
+        # Should be skipped (return None for binary)
+        assert context is None

{kekkai_cli-2.2.0 → kekkai_cli-2.2.1}/tests/test_triage_editor.py

@@ -87,6 +87,86 @@ class TestEditorIntegration:
                         assert "+42" in call_args
                         assert "src/app.py" in str(call_args[2])
 
+    def test_editor_vscode_syntax(self, sample_finding: FindingEntry, tmp_path: Path) -> None:
+        """Test VS Code uses correct -g file:line syntax."""
+        # Create the file
+        (tmp_path / "src").mkdir()
+        (tmp_path / "src" / "app.py").write_text("print('test')\n")
+
+        with patch.dict(os.environ, {"EDITOR": "code"}):
+            with patch("shutil.which", return_value="/usr/bin/code"):
+                with patch("subprocess.run") as mock_run:
+                    with patch("kekkai.triage.screens.FindingDetailScreen.app") as mock_app:
+                        mock_app.suspend.return_value.__enter__ = MagicMock()
+                        mock_app.suspend.return_value.__exit__ = MagicMock(return_value=False)
+
+                        screen = FindingDetailScreen(
+                            finding=sample_finding,
+                            repo_path=tmp_path,
+                        )
+                        screen.action_open_in_editor()
+
+                        # Verify VS Code syntax: code -g file:line
+                        assert mock_run.called
+                        call_args = mock_run.call_args[0][0]
+                        assert call_args[0] == "/usr/bin/code"
+                        assert call_args[1] == "-g"
+                        assert ":42" in call_args[2]
+                        assert "src/app.py" in call_args[2]
+
+    def test_editor_sublime_syntax(self, sample_finding: FindingEntry, tmp_path: Path) -> None:
+        """Test Sublime Text uses correct file:line syntax."""
+        # Create the file
+        (tmp_path / "src").mkdir()
+        (tmp_path / "src" / "app.py").write_text("print('test')\n")
+
+        with patch.dict(os.environ, {"EDITOR": "subl"}):
+            with patch("shutil.which", return_value="/usr/bin/subl"):
+                with patch("subprocess.run") as mock_run:
+                    with patch("kekkai.triage.screens.FindingDetailScreen.app") as mock_app:
+                        mock_app.suspend.return_value.__enter__ = MagicMock()
+                        mock_app.suspend.return_value.__exit__ = MagicMock(return_value=False)
+
+                        screen = FindingDetailScreen(
+                            finding=sample_finding,
+                            repo_path=tmp_path,
+                        )
+                        screen.action_open_in_editor()
+
+                        # Verify Sublime syntax: subl file:line
+                        assert mock_run.called
+                        call_args = mock_run.call_args[0][0]
+                        assert call_args[0] == "/usr/bin/subl"
+                        assert ":42" in call_args[1]
+                        assert "src/app.py" in call_args[1]
+
+    def test_editor_unsafe_rejected(self, sample_finding: FindingEntry, tmp_path: Path) -> None:
+        """Test that unsafe EDITOR values are rejected (ASVS V5.1.3)."""
+        # Create the file
+        (tmp_path / "src").mkdir()
+        (tmp_path / "src" / "app.py").write_text("print('test')\n")
+
+        unsafe_editors = [
+            "vim; curl evil.com",
+            "vim && rm -rf /",
+            "vim | cat /etc/passwd",
+        ]
+
+        for unsafe_editor in unsafe_editors:
+            with patch.dict(os.environ, {"EDITOR": unsafe_editor}):
+                screen = FindingDetailScreen(
+                    finding=sample_finding,
+                    repo_path=tmp_path,
+                )
+
+                with patch.object(screen, "notify") as mock_notify:
+                    screen.action_open_in_editor()
+
+                    # Should call notify with error about unsafe characters
+                    mock_notify.assert_called_once()
+                    args = mock_notify.call_args[0]
+                    assert "unsafe" in args[0].lower() or "invalid" in args[0].lower()
+
     def test_editor_handles_missing_file(
         self, sample_finding: FindingEntry, tmp_path: Path
     ) -> None: