fix(rules): match flag-only negation patterns against =-joined tokens

[fohte]

Why

• from: fix(readonly-unix): exclude arbitrary execution and file write options via negation runok-presets#10
• Flag-only negation patterns like !--pre did not match =-joined arguments such as --pre=pdftotext
  • --pre=pdftotext is treated as a single raw token, so comparing it against the negation pattern --pre resulted in a mismatch, causing the negation to pass through (evaluated as allow)

What

• Also compare the flag portion (before =) of =-joined command tokens when evaluating flag-only negation patterns

---

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug in the pattern matching logic, specifically for flag-only negation rules. The change ensures that these negation patterns correctly identify and apply to command-line arguments where flags and their values are joined by an equals sign, thereby preventing unintended allowances. The update improves the robustness and predictability of rule evaluation, aligning the system's behavior with user expectations for flag negation.

Highlights

• Bug Fix: Resolved an issue where flag-only negation patterns (e.g., !--pre) failed to correctly match against command-line arguments that use an equals sign to join the flag and its value (e.g., --pre=pdftotext). Previously, such arguments were treated as a single raw token, leading to incorrect negation evaluation.
• Core Logic Update: Introduced a new internal utility function, match_flag_token_with_equals, to specifically handle the matching logic for flag-only negation patterns against =-joined command tokens. This function extracts and compares the flag portion before the equals sign.
• Documentation Enhancement: Updated the matching-behavior.md documentation to include examples and explanations of how flag-only negation patterns now correctly interact with =-joined flags, ensuring clarity for users.
• Test Coverage: Expanded both unit and integration test suites with new cases specifically designed to validate the correct behavior of flag-only negation patterns when applied to =-joined command tokens, covering various scenarios including alternative negation patterns.

Changelog

• docs/src/content/docs/pattern-syntax/matching-behavior.md
  • Added a new section explaining how flag-only negation patterns work with =-joined flags.
  • Included YAML examples and a table demonstrating matching behavior for !--pre with --pre=value.
• src/rules/pattern_matcher.rs
  • Modified match_tokens_core to use match_flag_token_with_equals for flag-only negation.
  • Modified extract_placeholder_all to use match_flag_token_with_equals for flag-only negation.
  • Introduced match_flag_token_with_equals function to handle matching flag portions of =-joined command tokens.
  • Added new #[case] attributes to the negation_matching test module to cover =-joined tokens.
• tests/integration/config_to_rule_evaluation.rs
  • Added a new test function flag_negation_equals_form with multiple #[case] scenarios.
  • Included tests for both rejected and allowed cases with =-joined flags and alternative negation patterns.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 89.94%. Comparing base (e4e3f50) to head (448af60).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/rules/pattern_matcher.rs	94.44%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #175   +/-   ##
=======================================
  Coverage   89.93%   89.94%           
=======================================
  Files          38       38           
  Lines        7232     7248   +16     
=======================================
+ Hits         6504     6519   +15     
- Misses        728      729    +1     

Flag	Coverage Δ
Linux	89.80% <94.44%> (+<0.01%)	⬆️
macOS	91.66% <94.44%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[gemini-code-assist]

Code Review

This pull request correctly fixes an issue where flag-only negation patterns did not match against =-joined tokens. The changes are well-implemented, with a new helper function to handle the matching logic and consistent application in both match_tokens_core and extract_placeholder_all. The documentation has been updated accordingly, and the new behavior is thoroughly tested with both unit and integration tests that adhere to the project's testing style guide.

_{Note: Security Review is unavailable for this PR.}