feat(gates): opt-in to re-enable BASH-PARSER-COMPOUND deny

[elijahr]

What does this PR do?

Adds an opt-in to re-enable BASH-PARSER-COMPOUND deny findings, restoring the pre-0.63.2 policy for operators with stricter threat models. Default behavior is unchanged: with neither opt-in active, the bash gate still allows benign compound commands like ls | head and wc -l file && ls.

Two opt-in paths:

• Environment variable SPELLBOOK_BASH_DENY_COMPOUND=1 (truthy values: 1, true, yes, case-insensitive, whitespace-tolerant).
• Passing security_mode="paranoid" to spellbook.gates.bash_parser.parse_and_check (call-site control).

Either path re-emits BASH-PARSER-COMPOUND for list/pipeline nodes AND for if/for/while/until/case/function control-flow constructs.

Implementation notes

• New _compound_deny_enabled(security_mode) helper centralizes the truthy-env-var parse and the paranoid-mode check.
• security_mode is threaded through private _walk, _classify_node, and _classify_compound. Public parse_and_check signature is unchanged.
• function added to the control-flow kind set in _classify_node for symmetry with the other control-flow kinds.
• CHANGELOG [Unreleased] section documents the opt-in; the 0.63.2 entry gets a back-reference framing the prior change as a deliberate policy relaxation.
• Version is intentionally not bumped on this branch; the [Unreleased] section will be promoted in the next chore(release): commit.

Tests

• 7 new tests in TestCompoundDenyOptIn cover env-var truthy values, case/whitespace tolerance, paranoid mode, control-flow node coverage, and default-off behavior.
• New autouse fixture _scrub_compound_deny_env prevents env-var pollution from breaking unrelated tests.
• Full suite: 132 passed in tests/gates/test_bash_parser.py (verified both with and without SPELLBOOK_BASH_DENY_COMPOUND=1 set in the parent process).

Related issue

None.

Checklist

• Tests pass locally
• Documentation updated (if applicable)

[axiomantic-momus]

❌ Momus review failed — phase phase2 failed: provider error: 402 This request requires more credits, or fewer max_tokens. You requested up to 8192 tokens, but can only afford 5957. To increase, visit https://openrouter.ai/settings/keys and create a key with a h...

run log

[gemini-code-assist]

Code Review

This pull request introduces an opt-in mechanism to re-enable BASH-PARSER-COMPOUND deny findings for Bash control-flow constructs and pipelines, controllable via the SPELLBOOK_BASH_DENY_COMPOUND environment variable or a security_mode="paranoid" parameter. Feedback correctly identifies that the current default security_mode="paranoid" in parse_and_check inadvertently enables these denials by default, contradicting the PR's stated intent. Additionally, improvements were suggested for the operator extraction logic in _classify_compound to correctly handle pipe nodes and deduplicate operators in finding messages. Finally, the PR is missing a required version bump in the .version file, which is a high-severity violation of the repository style guide.

[gemini-code-assist]

The parse_and_check function (at line 362) defaults security_mode to "paranoid". Since _compound_deny_enabled now returns True for "paranoid", this change effectively enables compound-command denial by default for direct callers of this function, which contradicts the PR description's claim that default behavior is unchanged. Additionally, the docstring at line 367 is now inaccurate as it states the modes are treated equally. Consider changing the default to "standard" and updating the docstring.

[gemini-code-assist]

The current implementation only extracts operators from operator nodes, which means pipeline nodes (using pipe nodes in bashlex) always fall back to the default |. Additionally, the finding message can contain redundant operators if the same one is used multiple times (e.g., Compound command (&&, &&) is not allowed). Deduplicating while preserving order and explicitly handling pipe nodes would be more robust.

    parts = getattr(node, "parts", ()) or ()
    operators = [
        getattr(p, "op", "|") if getattr(p, "kind", None) == "pipe" else getattr(p, "op", None)
        for p in parts
        if getattr(p, "kind", None) in {"operator", "pipe"}
    ]
    op_text = ", ".join(dict.fromkeys(op for op in operators if op)) or "|"

[elijahr]

@gemini-code-assist @axiomantic-momus please re-review.

New commits on this branch since the last pass (push c3325d0d..11a10c3f):

• Merge of fix-t2-ask-prompt (PR fix(hooks): emit permissionDecision "ask" for T2 findings #285's branch — T2 ask-verdict + verdict field plumbing)
• Gemini's PR fix(hooks): emit permissionDecision "ask" for T2 findings #285 suggestions applied here (str() removals on rule_id)
• CI fixes: tests/unit/test_stint_hooks.py switched to proc.stderr (per Claude Code hook protocol); docstring on _gate_bash updated to match
• Reconciled fix-t2-ask-prompt's verdict tests with the new compound-allow default introduced earlier on this branch (tests now opt into compound-deny via env var or use a non-compound CRITICAL trigger, depending on intent)
• Merge of origin/main (resolved CHANGELOG stacking and the duplicate stint-hook stderr fix)

/ai-review

[gemini-code-assist]

Code Review

This pull request introduces an opt-in mechanism to re-enable BASH-PARSER-COMPOUND security findings using either the SPELLBOOK_BASH_DENY_COMPOUND environment variable or a "paranoid" security mode. It also implements a new "ask" verdict across the security gates, enabling interactive permission prompts for specific actions like git push. Feedback suggests refactoring the repetitive result-handling logic within the hook gate functions into a shared helper to improve maintainability and reduce redundancy.

[gemini-code-assist]

This new logic, combined with the following if not result["safe"] block, creates a pattern that is duplicated across _gate_bash, _gate_spawn, and _gate_state_sanitize. To improve maintainability and avoid redundancy, consider extracting the entire logical block into a shared helper function.

For example, you could create a helper like this:

def _handle_check_result(result: dict) -> None:
    """Process the result from check_tool_input, exiting if necessary."""
    if result.get("verdict") == "ask":
        _emit_ask_and_exit(result["findings"])
    if not result["safe"]:
        reasons = "; ".join(f["message"] for f in result["findings"])
        print(json.dumps({"error": f"Security check failed: {reasons}"}), file=sys.stderr)
        sys.exit(2)

Then, _gate_bash and the other gate functions can be simplified to call this helper:

def _gate_bash(data: dict) -> None:
    # ... (try/except and tool_input check)
    result = check_tool_input("Bash", tool_input)
    _handle_check_result(result)

[elijahr]

@gemini-code-assist @axiomantic-momus please re-review.

Addressed all three findings from the previous gemini pass (commit f5bb726c):

• HIGH parse_and_check default mode → changed from "paranoid" to "standard" so direct callers get the same default as the public check_tool_input API. Docstring updated.
• MEDIUM _classify_compound operator extraction → now also inspects kind == "pipe" nodes (pipelines previously always defaulted to |) and dedupes via dict.fromkeys (no more (&&, &&)). Two new tests added.
• MEDIUM Extracted _handle_check_result helper from _gate_bash / _gate_spawn / _gate_state_sanitize.

Local suite: 915 passing across tests/test_security/, tests/gates/test_bash_parser.py, tests/unit/test_stint_hooks.py.

/ai-review

[gemini-code-assist]

Code Review

This pull request introduces a 'verdict' system for security gates, allowing the harness to distinguish between allowing, denying, or asking for user permission (TIER-ASK). It refactors the bash parser to support an opt-in for compound command restrictions and updates the hook logic to handle these new states. A review comment suggests improving error message clarity by filtering out low-severity findings. Additionally, the PR is missing the mandatory version bump in the .version file as specified in the repository style guide.

[gemini-code-assist]

The reasons string is constructed from the messages of all findings in the result, which can include LOW severity findings. Since a block is triggered only by non-LOW severity findings, including messages from LOW severity findings could add noise to the error message.

To make the error message more precise, consider filtering for non-LOW severity findings when building the reasons string.

Suggested change

	reasons = "; ".join(f["message"] for f in result["findings"])
	reasons = "; ".join(f["message"] for f in result["findings"] if f.get("severity") != "LOW")

[elijahr]

@gemini-code-assist @axiomantic-momus please re-review.

Addressed the MEDIUM finding from your last pass on 593698cb (commit 14218241):

• MEDIUM _handle_check_result was joining ALL finding messages into the gate's error reason, including LOW-severity ones that should not surface as errors. Now filtered to severity != LOW (matches the existing safe flag's "above LOW" logic in check.py).

Note on the version-bump question raised in the last review: deferring that decision to the merge step — happy to bump if you (or the operator) consider it a hard block on this PR.

Local suite: 781 passing across tests/test_security/, tests/gates/test_bash_parser.py, tests/unit/test_stint_hooks.py.

/ai-review

[gemini-code-assist]

Thanks for the update, @elijahr. I've reviewed the changes in commit 14218241 and the updated test suite. The logic in _handle_check_result now correctly filters out LOW severity findings, ensuring that only relevant security issues surface as gate errors. This aligns with the existing behavior in check.py and addresses the previous concern. The implementation looks solid and the test coverage is comprehensive. I have no further findings on this PR.