security-hooks/docs/superpowers
Flo a133271a6c Address Daria's review: tree-sitter, path matching, MCP injection
Changes based on reviewer feedback:

- Promote tree-sitter-bash to primary parser recommendation (over bash
  Hex package). Battle-tested grammar, robust against adversarial input.
- Fix path matching: directory-boundary matching instead of string prefix.
  reads_file("~/.ssh") no longer matches ~/.ssh_backup/key.
- Tilde expansion uses HOME from hook payload, not daemon environment.
  Correct for containers, remote SSH.
- MCP parameter injection: replaced regex with McpParameterInjection
  validator that runs string values through BashAnalyzer for consistency.
- Regex safety: add 1ms evaluation timeout to prevent catastrophic
  backtracking. Timed-out regex falls through to AST pass.
- Document that regex rules can only deny/suspect, never allow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 10:31:44 +02:00