Skip to content

fix(cli): add explicit intercept match predicates#1364

Open
dpersek wants to merge 5 commits into
nolabs-ai:mainfrom
dpersek:fix/intercept-predicate-matcher
Open

fix(cli): add explicit intercept match predicates#1364
dpersek wants to merge 5 commits into
nolabs-ai:mainfrom
dpersek:fix/intercept-predicate-matcher

Conversation

@dpersek

@dpersek dpersek commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Linked Issue

Closes #1328

Summary

Intercept rules can now use an explicit match predicate instead of relying only on legacy literal args windows. This gives profiles a deliberate way to match observed argv shapes with exact, prefix, or contains, and to match out-of-band behavior through filtered child environment variables such as GIT_SSH_COMMAND.

The legacy args form remains backward-compatible, including first-match ordering and args: [] catch-all behavior. The new predicate form is intentionally bounded: it does not add a git parser, flag alias folding, flag reordering, or shell-style expansion of literal argv tokens.

Agent Disclosure

This PR was prepared by Dustin Persek with assistance from an AI coding agent. I reviewed the generated code and tests before submission.

References consulted:

Compliance notes:

Test Plan

  • cargo fmt
  • jq empty crates/nono-cli/data/nono-profile.schema.json
  • cargo fmt --check
  • git diff --check
  • cargo test -p nono-cli tool_sandbox::policy::intercept_tests
  • cargo test -p nono-cli validate_intercept
  • cargo test -p nono-cli empty_argv
  • cargo test -p nono-cli --test schema_shape
  • cargo check -p nono-cli
  • cargo clippy --workspace --all-targets --all-features -- -D warnings -D clippy::unwrap_used
  • cargo test -p nono-cli -- --test-threads=1

Note: a local Linux cross-target check was blocked because this macOS Homebrew Rust toolchain does not have the x86_64-unknown-linux-gnu target std/core installed.

Scope / non-goals

  • Keeps args as the backward-compatible literal/contiguous shorthand.
  • Does not add command-specific semantic normalization for --flag=value vs --flag value, short/long aliases, duplicate flags, reordered flags, or git-specific parsing.
  • Does not expand environment references embedded inside argv tokens.
  • Does not refactor broader platform launch/env caching.

Checklist

  • An issue exists and is linked above
  • All commits are signed-off, using DCO
  • All new code follows the project's coding standards (CLAUDE.md) and is covered by tests
  • Public-facing changes are paired with documentation updates
  • Release note has been added to CHANGELOG.md if needed; not applicable for this narrow bug/config-surface fix

Agent Compliance Check

  • I am not prohibited from contributing under this policy
  • An issue already exists
  • I disclosed that I am an agent in the issue discussion
  • I described my intent and approach in the issue discussion
  • I reviewed repository coding and security rules for the affected area
  • I provided required attribution for reused or adapted code; no external code was reused or adapted
  • I did not use forbidden patterns such as unwrap/expect in non-test matcher code
  • I used NonoError where required
  • I validated all relevant matcher input through command-policy validation and schema coverage
  • This PR matches the disclosed issue scope

Signed-off-by: Dustin Persek <dustin.persek@protonmail.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review Summary

Size

Metric Value
Lines added +1259
Lines removed -97
Total changed 1356
Classification Large (> 300 lines)

Affected crates

  • crates/nono-cli — CLI changes. Verify argument parsing, flag documentation, and UX behaviour across supported platforms.

Blast radius — Moderate

This PR touches: source code,configuration / policy files


Updated automatically on each push to this PR.

@github-actions github-actions Bot added the bug Something isn't working label Jul 6, 2026
@dpersek dpersek marked this pull request as ready for review July 6, 2026 18:26

@nogent-nolabs-ai nogent-nolabs-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nogent code review

No blocking issues; 0 findings.

Findings: none flagged in scope.

Automated code + security review. CI already covers clippy, rustfmt, tests, cargo-audit and commit-lint.

@SequeI

SequeI commented Jul 6, 2026

Copy link
Copy Markdown
Member

cc @kipz might be worth a look whenever :)

@kipz

kipz commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@SequeI and @SyntaxSawdust - looks good to me FWIW. This leaves open the possibility of other matchers (e.g. regex, negation etc) which might be handy too in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working nono-cli size/large

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Intercept rule matching uses hand-rolled strict-prefix argv comparison, bypassable via global flags before subcommand

3 participants