fix: tighten recursive delete policy matching#3251
Conversation
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
PR Review Summary
Verdict: AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims. |
🤖 AI Agent: contributor-guide — View details
Welcome, and thank you for your contribution! 🎉 Your detailed explanation of the problem and solution is excellent, and the added test coverage is thorough. Before merging, please ensure:
For guidance, please refer to CONTRIBUTING.md. |
|
The branch is split by surface so each package change is easy to review on its own. The first commits apply the recursive-delete fix and matching tests to OpenCode, Claude Code, Copilot CLI, and Antigravity CLI separately. There’s also a small examples commit to keep the Copilot CLI example policies in sync with the package configs. The final commit is a review follow-up across the affected parsers. It tightens the flag handling for longer Unix clusters like |
|
@microsoft-github-policy-service agree company="Regent" |
Description
The recursive-delete deny rule depended too much on narrow command regexes such as
rm -rf. Before this change, equivalent recursive-force deletes likerm -fr important-data,rm -r -f important-data,rm --recursive --force important- data,Remove-Item -Recurse -Force important-data, andrd /s /q important-datacould miss the deny rule and fall through to the normal shell-tool review path instead.One root cause was that several old rules matched text shape rather than command semantics. In the Claude Code, OpenCode, and Copilot CLI policy bundles, the Bash rule used patterns like
\brm\b[\s\S]*\b-rf\b. In JavaScript regex semantics,the
\b-rf\bpart does not match normalrm -rf targettext:\bonly matches a boundary between a word character and a non-word character, and both the space before-rfand the-are non-word characters. So the intended Bash denyrule did not fire for the canonical
rm -rf targetform in those bundles.Other package rules failed differently. Antigravity’s old pattern did match compact forms like
rm -rfandrm -fr, but missed equivalent split or reordered forms likerm -r -f target,rm --force --recursive target, andrm target -rf.Some PowerShell-oriented patterns also looked for literal compact spellings such as
-recurseor-rfwith the same text-shape assumptions rather than parsing recursive and force flags.This PR changes the regex to act only as a broad delete-command trigger. The parser now decides whether the command is actually recursive and forceful, so equivalent destructive forms are denied consistently while safe cleanup targets and
non-force/non-recursive deletes are not hard-denied by this rule.
Notable cases covered:
rm -rf,rm -fr,rm -rfvrm -r -f,rm --recursive --force,rm --force --recursiverm important-data -rfRemove-Item -Recurse -ForceRemove-Item -r -foandri -r -ford /s /qnode_modules,build, anddist-Confirmand-FilterType of Change
Package(s) Affected
Checklist
Attribution & Prior Art
AI Assistance
If AI tools materially shaped this change, briefly note what was used:
Codex helped add regression tests, find the same parser issue in sibling packages, and carry the reviewed fix across those packages. I reviewed the implementation and test coverage.
IP, Patents, and Licensing