Add cross-platform temporary_home() context manager to handle
environment variable differences between Unix and Windows systems.
Changes:
- Add temporary_home() context manager that handles both HOME (Unix)
and USERPROFILE/HOMEDRIVE/HOMEPATH (Windows) environment variables
- Update test_org_config_loading() to use temporary_home()
- Update test_hierarchy_resolution() to use temporary_home()
- Update test_org_blocklist_enforcement() to use temporary_home()
- Add missing imports: os, contextmanager
Why: The unit tests for org config loading were failing on Windows
because they only set the HOME environment variable, but Windows
uses USERPROFILE instead. The integration tests already had this
fix via a similar context manager.
Result: All 148 unit tests now pass on both Windows and Unix systems.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changes:
- Support path patterns without ./ prefix (e.g., 'scripts/test.sh')
- Reject non-string or empty command names in org config
- Add 8 new test cases (5 for path patterns, 3 for validation)
Details:
- matches_pattern() now treats any pattern with '/' as a path pattern
- load_org_config() validates that cmd['name'] is a non-empty string
- All 148 unit tests + 9 integration tests passing
Security hardening: Prevents invalid command names from reaching
pattern matching logic, reducing attack surface.
Changes:
- Increase command limit from 50 to 100 per project
- Add examples/OPTIMIZE_CONFIG.md with optimization strategies
- Update all documentation references (50 → 100)
- Update tests for new limit
Rationale:
- 50 was too restrictive for projects with many tools (Flutter, etc.)
- Users were unknowingly exceeding limit by listing subcommands
- 100 provides headroom while maintaining security
- New guide teaches wildcard optimization (flutter* vs listing each subcommand)
UI feedback idea: Show command count and optimization suggestions
(tracked for Phase 3 or future enhancement)
Add validation to reject bare wildcards for security:
- matches_pattern(): return False if pattern == '*'
- validate_project_command(): reject name == '*' with clear error
- Added 4 new tests for bare wildcard rejection
This prevents a config with from matching every command,
which would be a major security risk.
Tests: 140 unit tests passing (added 4 bare wildcard tests)
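
The allowlist checks described in the two commit messages above (path patterns without `./`, non-empty string names, bare-wildcard rejection), as an added sketch that is not the project's own code. The function names `matches_pattern()` and `validate_project_command()` come from the commit log; their bodies, the helpers `load_allowlist()` and `is_allowed()`, the exact-match rule for path patterns, the trailing-`*` prefix rule, and the sample config are assumptions.

```python
import posixpath

MAX_COMMANDS = 100  # per-project limit stated in the commit log

def validate_project_command(cmd):
    """Return (ok, error) for one config entry such as {'name': 'flutter*'}."""
    name = cmd.get("name") if isinstance(cmd, dict) else None
    if not isinstance(name, str) or not name.strip():
        return False, "command name must be a non-empty string"
    if name.strip() == "*":
        return False, "bare wildcard '*' would allow every command"
    return True, ""

def matches_pattern(command, pattern):
    """Return True if `command` is allowed by a single allowlist `pattern`."""
    if pattern == "*":
        # Defence in depth: refuse even if validation was skipped.
        return False
    if "/" in pattern:
        # Any pattern containing '/' is a path pattern. Assumption: exact match
        # after normalisation, so 'scripts/test.sh' == './scripts/test.sh'.
        return posixpath.normpath(command) == posixpath.normpath(pattern)
    if pattern.endswith("*"):
        # Assumption: a trailing '*' is a prefix wildcard on the command name.
        return command.startswith(pattern[:-1])
    return command == pattern

def load_allowlist(entries):
    """Validate every entry up front; fail closed on the first bad one."""
    if len(entries) > MAX_COMMANDS:
        raise ValueError(f"{len(entries)} commands exceeds limit of {MAX_COMMANDS}")
    patterns = []
    for entry in entries:
        ok, err = validate_project_command(entry)
        if not ok:
            raise ValueError(f"{entry!r}: {err}")
        patterns.append(entry["name"])
    return patterns

def is_allowed(command, patterns):
    return any(matches_pattern(command, p) for p in patterns)

# Constructed sample config, not taken from the project.
SAMPLE_CONFIG = [{"name": "flutter*"}, {"name": "scripts/test.sh"}, {"name": "pytest"}]
```
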
The test_hook helper function was being incorrectly interpreted by pytest
as a test function due to the 'test_' prefix. Pytest attempted to inject
fixtures for its parameters (command, should_block), causing an error.
Changes:
- Renamed test_hook() to check_hook() in test_security.py
- Updated all call sites (lines 206 and 276)
- Updated docstring to clarify it's a helper function
This fixes the "fixture 'command' not found" error when running pytest.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CI workflow with Python (ruff lint, security tests) and UI (ESLint, TypeScript, build) jobs
- Add ruff, mypy, pytest to requirements.txt
- Add pyproject.toml with ruff configuration
- Fix import sorting across Python files (ruff --fix)
- Fix test_security.py expectations to match actual security policy
- Remove invalid 'eof' command from ALLOWED_COMMANDS
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>