fix(pattern-matcher): skip flag-starting token sequences in <cmd> placeholder matching #206

Merged
fohte merged 1 commit into main from fohte/fix-cmd-placeholder-flag-match
Mar 14, 2026

@fohte
Owner

@fohte fohte commented Mar 14, 2026

Why

  • The <cmd> placeholder matched token sequences starting with flags (- prefixed tokens), causing explicitly allowed commands to be downgraded to ask through wrapper evaluation
    • Example: command -v|-V * is allowed, but the command <cmd> wrapper matched command -v a, capturing [-v, a] as <cmd>. The inner command -v a matched no rules and defaulted to Ask, which merge_results picked as the more restrictive final result

What

  • <cmd> placeholder rejects capture of token sequences whose first token starts with -. <cmd> represents "a command to execute", so flags should be treated as wrapper options rather than command names.

Example:

definitions:
  wrappers:
    - 'command <cmd>'
rules:
  - allow: 'command -v|-V *'
# Before: command -v a → <cmd> captures [-v, a] → Ask
# After:  command -v a → <cmd> does not match → direct rule allow applies → Allow


…ing sequences

The `<cmd>` placeholder in wrapper patterns (e.g., `command <cmd>`) was
matching token sequences starting with flags (e.g., `-v`). This caused
`command -v a` to be captured as a wrapped command `[-v, a]`, which
matched no rules and defaulted to `Ask`. The direct rule
`allow: 'command -v|-V *'` was then overridden by `merge_results`
picking the more restrictive action.

Since `<cmd>` represents "a command to execute", it should not match
flag-starting tokens — flags are options to the wrapper, not commands.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
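
The before/after behaviour described in the PR description and commit message above, as an added Rust sketch that is not the project's code. The rule `command -v|-V *` and the wrapper `command <cmd>` are hard-coded, `Action`, `direct_rule`, `capture_cmd`, `evaluate` and the `reject_flag_start` switch are hypothetical names, and taking the more restrictive result with `max` stands in for `merge_results`.

```rust
// Added illustration, not the project's code: all names here are hypothetical.
// Variant order matters: derived Ord makes Ask "greater", i.e. more restrictive.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Action { Allow, Ask }

// The direct rule from the example config: allow 'command -v|-V *'
// (the `..` in the slice pattern stands in for `*`).
fn direct_rule(tokens: &[&str]) -> Option<Action> {
    match tokens {
        ["command", "-v" | "-V", ..] => Some(Action::Allow),
        _ => None,
    }
}

// The wrapper 'command <cmd>': returns the tokens <cmd> would capture.
// reject_flag_start = false models the old behaviour, true the fixed one.
fn capture_cmd<'a>(tokens: &'a [&'a str], reject_flag_start: bool) -> Option<&'a [&'a str]> {
    match tokens {
        ["command", rest @ ..] if !rest.is_empty() => {
            if reject_flag_start && rest[0].starts_with('-') { None } else { Some(rest) }
        }
        _ => None,
    }
}

fn evaluate(tokens: &[&str], reject_flag_start: bool) -> Action {
    // A command that matches no rule defaults to Ask.
    let direct = direct_rule(tokens).unwrap_or(Action::Ask);
    match capture_cmd(tokens, reject_flag_start) {
        // Wrapper matched: evaluate the captured command too and keep the
        // more restrictive of the two results.
        Some(inner) => direct.max(evaluate(inner, reject_flag_start)),
        None => direct,
    }
}

fn main() {
    let cmd = ["command", "-v", "a"]; // constructed sample input
    println!("before: {:?}", evaluate(&cmd, false));
    println!("after:  {:?}", evaluate(&cmd, true));
    // A wrapped non-flag command is still captured and evaluated after the fix.
    println!("wrapped: {:?}", capture_cmd(&["command", "git", "push"], true));
}
```
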
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue in the pattern matching engine where the <cmd> placeholder was inadvertently capturing command-line flags as part of the wrapped command. This led to incorrect rule evaluations, potentially causing allowed commands to be blocked or downgraded. The changes prevent <cmd> from matching flag-starting tokens, ensuring that command wrappers behave as intended and improving the overall accuracy and reliability of the rule evaluation system.

Highlights

  • Fixes incorrect command evaluation: The <cmd> placeholder no longer captures token sequences that start with a flag (e.g., -v, --help). Previously, this could lead to explicitly allowed commands being incorrectly downgraded to 'ask' due to the wrapper evaluating a flag as the command itself.
  • Improved pattern matching accuracy: The change ensures that the <cmd> placeholder accurately represents 'a command to execute' by treating flags as wrapper options rather than part of the command name, leading to more precise rule application.
  • Updated documentation: The documentation for pattern syntax and placeholders has been updated to clearly state that <cmd> will not match token sequences whose first token is a flag.
Changelog
  • docs/src/content/docs/pattern-syntax/placeholders.md
    • Added a new sentence to the <cmd> placeholder description clarifying that it does not match flag-starting tokens.
    • Updated the 'Restrictions' section for <cmd> to include the condition that its first token must not be a flag.
  • src/rules/pattern_matcher/mod.rs
    • Modified the match_engine function to prevent <cmd> from capturing empty token sequences or sequences where the first token starts with a hyphen.
    • Introduced a break condition within the for take loop to ensure <cmd> does not capture sequences starting with a flag.
    • Updated existing test cases (wildcard_before_cmd, negation_before_cmd) to reflect the new behavior where flag-starting tokens are rejected.
    • Added new test cases (cmd_rejects_flag_start, cmd_accepts_non_flag) to explicitly verify the <cmd> placeholder's behavior with and without flag-starting tokens.
  • tests/integration/wrapper_recursive_evaluation.rs
    • Added a new test function cmd_placeholder_skips_flag_starting_tokens to verify that the <cmd> placeholder correctly ignores flag-starting tokens in wrapper evaluations, ensuring direct rules are applied.
Activity
  • No human activity has been recorded for this pull request yet.
@codecov

codecov bot commented Mar 14, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 89.56%. Comparing base (a513e1b) to head (909a40b).

Files with missing lines Patch % Lines
src/rules/pattern_matcher/mod.rs 75.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #206      +/-   ##
==========================================
- Coverage   89.57%   89.56%   -0.02%     
==========================================
  Files          49       49              
  Lines        9808     9811       +3     
==========================================
+ Hits         8786     8787       +1     
- Misses       1022     1024       +2     
Flag Coverage Δ
Linux 89.46% <75.00%> (+<0.01%) ⬆️
macOS 90.77% <75.00%> (-0.04%) ⬇️


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request refines the behavior of the <cmd> placeholder in pattern matching by preventing it from capturing token sequences that start with a flag (i.e., tokens beginning with '-'). The changes include updating the documentation to reflect this new restriction, modifying the match_engine logic in src/rules/pattern_matcher/mod.rs to implement this check, and updating existing unit tests while adding new unit and integration tests to thoroughly verify this corrected behavior.

Contributor

@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.


@fohte fohte merged commit f706488 into main Mar 14, 2026
10 checks passed
@fohte fohte deleted the fohte/fix-cmd-placeholder-flag-match branch March 14, 2026 06:43
@fohte-bot fohte-bot bot mentioned this pull request Mar 14, 2026