fix(irm): accept bare filenames in path extraction

Also defer git host IP DNS checks until after cache hit checks in hush-cli remote extends, with regression coverage for offline cached git policy resolution.

Author: bb-connor

crates/libs/clawdstrike/src/irm/fs.rs

@@ -135,17 +135,24 @@ impl FilesystemIrm {
 
     /// Extract path from host call arguments
     fn extract_path(&self, call: &HostCall) -> Option<String> {
+        let allow_bare_string_paths = call.function.contains("path");
+
         for arg in &call.args {
             if let Some(s) = arg.as_str() {
-                if self.looks_like_path(s) {
+                if self.looks_like_path(s)
+                    || (allow_bare_string_paths && self.looks_like_bare_filename(s))
+                {
                     return Some(s.to_string());
                 }
             }
 
             if let Some(obj) = arg.as_object() {
                 for key in ["path", "file_path", "target_path"] {
                     if let Some(path) = obj.get(key).and_then(|value| value.as_str()) {
-                        if self.looks_like_path(path) || self.has_parent_traversal(path) {
+                        if self.looks_like_path(path)
+                            || self.has_parent_traversal(path)
+                            || self.looks_like_bare_filename(path)
+                        {
                             return Some(path.to_string());
                         }
                     }
@@ -176,6 +183,31 @@ impl FilesystemIrm {
         value.contains('/') && !value.contains("://")
     }
 
+    fn looks_like_bare_filename(&self, value: &str) -> bool {
+        let value = value.trim();
+        if value.is_empty() {
+            return false;
+        }
+
+        if value.contains("://") {
+            return false;
+        }
+
+        if value == "." || value == ".." {
+            return false;
+        }
+
+        if value.contains('/') || value.contains('\\') {
+            return false;
+        }
+
+        if value.bytes().all(|b| b.is_ascii_digit()) {
+            return false;
+        }
+
+        !value.chars().any(|ch| ch.is_control())
+    }
+
     fn has_parent_traversal(&self, path: &str) -> bool {
         path.replace('\\', "/").split('/').any(|seg| seg == "..")
     }
@@ -346,10 +378,32 @@ mod tests {
             Some("../../etc/passwd".to_string())
         );
 
+        let call = HostCall::new("path_open", vec![serde_json::json!("README.md")]);
+        assert_eq!(irm.extract_path(&call), Some("README.md".to_string()));
+
+        let call = HostCall::new(
+            "fd_write",
+            vec![serde_json::json!({"target_path": "config.json"})],
+        );
+        assert_eq!(irm.extract_path(&call), Some("config.json".to_string()));
+
         let call = HostCall::new("fd_read", vec![serde_json::json!(123)]);
         assert_eq!(irm.extract_path(&call), None);
     }
 
+    #[tokio::test]
+    async fn filesystem_irm_allows_bare_filename_for_path_style_calls() {
+        let irm = FilesystemIrm::new();
+        let policy = Policy::default();
+        let call = HostCall::new("path_open", vec![serde_json::json!("README.md")]);
+        let decision = irm.evaluate(&call, &policy).await;
+
+        assert!(
+            decision.is_allowed(),
+            "bare filename should be treated as a valid filesystem path in path-style calls"
+        );
+    }
+
     #[tokio::test]
     async fn filesystem_irm_denies_parent_traversal_relative_paths() {
         let irm = FilesystemIrm::new();

crates/services/hush-cli/src/remote_extends.rs

@@ -375,7 +375,6 @@ impl RemotePolicyResolver {
 
         let repo_host = parse_git_remote_host(repo, self.cfg.https_only)?;
         self.ensure_host_allowed(&repo_host)?;
-        self.ensure_git_host_ip_policy(&repo_host)?;
 
         if !self.cfg.remote_enabled() {
             return Err(Error::ConfigError(
@@ -403,6 +402,7 @@ impl RemotePolicyResolver {
             let _ = std::fs::remove_file(&cache_path);
         }
 
+        self.ensure_git_host_ip_policy(&repo_host)?;
         let bytes = self.git_show_file(repo, commit, path)?;
         verify_sha256_pin(&bytes, expected_sha)?;
         self.write_cache(&cache_path, &bytes)?;

crates/services/hush-cli/src/tests.rs

@@ -3143,6 +3143,46 @@ extends: {}#sha256={}
         );
     }
 
+    #[test]
+    fn remote_extends_git_cache_hit_does_not_require_dns_resolution() {
+        let cache_dir = std::env::temp_dir().join(format!(
+            "hush-cli-remote-extends-test-{}",
+            uuid::Uuid::new_v4()
+        ));
+        std::fs::create_dir_all(&cache_dir).expect("create cache dir");
+
+        let repo = "https://offline-cache.example.invalid/org/repo.git";
+        let commit = "deadbeef";
+        let path = "policy.yaml";
+        let yaml_bytes = br#"
+version: "1.1.0"
+name: cached
+settings:
+  fail_fast: true
+"#;
+        let expected_sha = sha256(yaml_bytes).to_hex();
+        let key = format!("git:{}@{}:{}#sha256={}", repo, commit, path, expected_sha);
+        let digest = sha256(key.as_bytes()).to_hex();
+        let cache_path = cache_dir.join(format!("{}.yaml", digest));
+        std::fs::write(&cache_path, yaml_bytes).expect("write cached bytes");
+
+        let cfg = RemoteExtendsConfig::new(["offline-cache.example.invalid".to_string()])
+            .with_cache_dir(&cache_dir)
+            .with_allow_private_ips(false);
+        let resolver = RemotePolicyResolver::new(cfg).expect("resolver");
+        let reference = format!("git+{}@{}:{}#sha256={}", repo, commit, path, expected_sha);
+
+        let resolved = resolver
+            .resolve(&reference, &PolicyLocation::None)
+            .expect("cached git policy should resolve without DNS");
+        assert!(
+            resolved.yaml.contains("name: cached"),
+            "expected cached YAML payload"
+        );
+
+        let _ = std::fs::remove_dir_all(&cache_dir);
+    }
+
     #[test]
     fn remote_extends_resolves_relative_urls() {
         let nested = br#"