lockdown: treat leading "cd <path>" as no-op for leading-token analysis #5

Open
opened 2026-05-23 20:53:52 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-14T19:25:41Z - https://github.com/coilysiren/cli-guard/issues/58

Problem

cli-guard's lockdown PreToolUse hook segment-splits a Bash invocation and validates each segment's leading token against the allowlist. Today, `cd <path> && coily ...` fails because segment 1's leading token is `cd`, not `coily`, even though `cd` is a shell builtin with no execve and the post-`cd` segment is the only thing that needs gating.

Observed today on a Mac session: harness denied `cd /Users/kai/projects/coilysiren/cli-guard` with no surfaced workaround. The denial fires during the exact kind of work the wrapper is meant to enable (cross-repo coily invocations bound to a specific commit-scope).

Proposed change

In the segment loop (see `lockdown/hook.go` segment validation), if a segment matches a bare `cd <path>` shape with no shell metacharacters and `<path>` resolves to a real directory, skip it from leading-token analysis and let the next segment speak for the chain. The chdir then happens naturally in bash when Claude runs the approved command. No hook rewrite needed.

Boundary considerations

  • Path arg must pass the existing shell-metachar reject (no `$(...)`, backticks, globs, unescaped spaces).
  • Path must resolve to a real directory at validation time. Reject otherwise.
  • Decide multi-cd: walk all leading `cd` segments, or cap at one. I lean cap-at-one to keep the rule legible.
  • Post-cd segments still hit the normal allowlist. `cd X && rm -rf /` stays denied because `rm` is not allowed, not because `cd` is.
  • Error path: when a post-cd segment is denied, the message names that segment, not `cd`.

Related

  • Pairs with the `--commit-scope` recovery suggestion in the denial message (separate work in coily-discipline, filed in coilysiren/coily).
  • Pairs with the stale `kai-coily-discipline` pointer cleanup (filed in coilysiren/coilyco-ai).
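
An added Go sketch of the rule proposed in this issue, not code from cli-guard's `lockdown/hook.go`. `isBareCd`, `checkChain`, the metacharacter set and the allowlist are hypothetical names and constructed values; it assumes the cap-at-one option and that a lone `cd` with no following segment is denied.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// isBareCd (hypothetical): exactly "cd <path>", no metachars, path is a directory now.
func isBareCd(seg string) bool {
	f := strings.Fields(seg) // "cd a b" yields 3 fields: unescaped space, rejected
	if len(f) != 2 || f[0] != "cd" || strings.HasPrefix(f[1], "-") {
		return false
	}
	// Conservative stand-in for the existing metachar reject (assumption).
	if strings.ContainsAny(f[1], "$`*?[]{}()<>|&;\\\"'~!#") {
		return false
	}
	info, err := os.Stat(f[1]) // relative paths resolve against the hook's cwd
	return err == nil && info.IsDir()
}

// checkChain validates already-split segments against the allowlist, skipping
// at most one leading bare cd (the cap-at-one option from the issue).
func checkChain(segments []string, allowed map[string]bool) error {
	skippedCd, gated := false, 0
	for _, seg := range segments {
		seg = strings.TrimSpace(seg)
		if !skippedCd && gated == 0 && isBareCd(seg) {
			skippedCd = true
			continue
		}
		f := strings.Fields(seg)
		if len(f) == 0 || !allowed[f[0]] {
			return fmt.Errorf("denied segment %q: leading token is not allowlisted", seg)
		}
		gated++
	}
	if gated == 0 { // assumption: a lone cd has no later segment to speak for it
		return fmt.Errorf("denied: no allowlisted command follows cd")
	}
	return nil
}

func main() {
	allowed := map[string]bool{"coily": true} // constructed allowlist
	fmt.Println(checkChain([]string{"cd " + os.TempDir(), "coily status"}, allowed))
	fmt.Println(checkChain([]string{"cd " + os.TempDir(), "rm -rf /"}, allowed))
}
```

The directory check runs at validation time only, so the path can still change before bash performs the chdir.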
coilysiren added P2 and removed P1 labels 2026-05-31 07:00:16 +00:00
Reference
coilyco-flight-deck/cli-guard#5