everything-claude-code

zsp/everything-claude-code

Fork 0

mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-11 10:43:10 +08:00

Commit Graph

Author	SHA1	Message	Date
Jamkris	4f4654bf21	test(hooks): regression coverage for dev-server-block subshell bypass Lock in the behavior added by the previous commit. Each new case was verified to fail before the fix and pass after. Bypasses now blocked (exit 2): - \$(npm run dev) command substitution - \`npm run dev\` backtick substitution - echo \$(npm run dev) substitution inside an argument - (npm run dev) plain subshell group - \$(echo a; npm run dev) substitution containing a sequenced segment - (pnpm dev) plain subshell group, alt package manager Allow cases — explicitly proven NOT to regress so the fix doesn't over-block legitimate uses: - (tmux new-session -d -s dev "npm run dev") tmux launcher inside () - git commit -m '(npm run dev)' literal in single quotes - echo "(npm run dev)" literal in double quotes (bash does NOT subshell () inside double quotes) - git commit -m '\$(npm run dev) fix' literal in single quotes Single- and double-quote allow cases are important: they distinguish a real subshell construct from one that's just text inside a string, which is what `extractSubshellGroups` / `extractCommandSubstitutions` quote-awareness is for.	2026-05-14 11:22:44 +09:00
Affaan Mustafa	b6595974c2	feat: add C++ language support and hook tests (#539 ) - agents: cpp-build-resolver, cpp-reviewer - commands: cpp-build, cpp-review, cpp-test - rules: cpp/ (coding-style, hooks, patterns, security, testing) - tests: 9 new hook test files with comprehensive coverage Cherry-picked from PR #436.	2026-03-16 14:31:49 -07:00

Author

SHA1

Message

Date

Jamkris

4f4654bf21

test(hooks): regression coverage for dev-server-block subshell bypass

Lock in the behavior added by the previous commit. Each new case was
verified to fail before the fix and pass after.

Bypasses now blocked (exit 2):
- \$(npm run dev)              command substitution
- \`npm run dev\`              backtick substitution
- echo \$(npm run dev)         substitution inside an argument
- (npm run dev)               plain subshell group
- \$(echo a; npm run dev)      substitution containing a sequenced segment
- (pnpm dev)                  plain subshell group, alt package manager

Allow cases — explicitly proven NOT to regress so the fix doesn't
over-block legitimate uses:
- (tmux new-session -d -s dev "npm run dev")   tmux launcher inside ()
- git commit -m '(npm run dev)'                literal in single quotes
- echo "(npm run dev)"                         literal in double quotes
  (bash does NOT subshell () inside double quotes)
- git commit -m '\$(npm run dev) fix'          literal in single quotes

Single- and double-quote allow cases are important: they distinguish a
real subshell construct from one that's just text inside a string,
which is what `extractSubshellGroups` / `extractCommandSubstitutions`
quote-awareness is for.

2026-05-14 11:22:44 +09:00

Affaan Mustafa

b6595974c2

feat: add C++ language support and hook tests (#539 )

- agents: cpp-build-resolver, cpp-reviewer
- commands: cpp-build, cpp-review, cpp-test
- rules: cpp/ (coding-style, hooks, patterns, security, testing)
- tests: 9 new hook test files with comprehensive coverage

Cherry-picked from PR #436.

2026-03-16 14:31:49 -07:00

2 Commits