fix: module_map.py docstring, ParseError context, and constant comment #251
Merged
Three follow-up fixes from PR #250 code review -- all in module_map.py:

- Update _dependency_order docstring to accurately describe slash-key tracking for subpackage entries (was incorrectly saying subpackage imports "are ignored")
- Fix ParseError.module to include subpackage path context (e.g. core/broken.py instead of bare broken.py) when package_dir is provided; add test verifying two files with the same name in different subpackages produce distinct error entries
- Add comment above _SUBPACKAGE_DIRS explaining why it stays in module_map.py (single consumer, encodes package layout not a tunable threshold)
fazxes added a commit that referenced this pull request Apr 9, 2026
Replace sed with awk for role extraction to eliminate metacharacter injection risk from agent-controlled log content. Add tr -cd 'a-z-' to restrict the extracted string to safe characters only, then validate against the known role list (build|review|oversee|strategize|achieve|security-check|evolve|audit|brain), defaulting to 'unknown' for any unrecognised value. Evidence of the original vulnerability: session 20260409-020609 had role '.*'"$LOG_FILE"2>/d' in the session index due to crafted ROLE DECISION content.
fazxes added a commit that referenced this pull request Apr 9, 2026
fix(#251): harden daemon.sh role extractor against sed metacharacters
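The extraction order described in the commit message above (awk, then `tr -cd 'a-z-'`, then an allowlist with an `unknown` default), written out as an added example; it is not the project's daemon.sh. The `ROLE DECISION: <role>` line format, the function names, and the sample lines are assumptions made for illustration.

```bash
# Added example. Assumed log format: "... ROLE DECISION: <role> ..."
# When several marker lines exist, the last one wins (also an assumption).

# Print the role recorded in a log file, or "unknown".
extract_role() (
    log_file=$1
    # awk gets the marker as a plain string and uses index()/substr(), so
    # nothing read from the log is ever interpreted as a pattern or a script.
    raw=$(awk -v marker='ROLE DECISION:' '
        { i = index($0, marker)
          if (i) { rest = substr($0, i + length(marker))
                   sub(/^[ \t]+/, "", rest)    # drop padding after the marker
                   sub(/[ \t].*$/, "", rest)   # keep the first word only
                   v = rest } }
        END { print v }' "$log_file" 2>/dev/null) || raw=''
    # Keep only lowercase letters and hyphens, whatever the log contained.
    role=$(printf '%s' "$raw" | LC_ALL=C tr -cd 'a-z-')
    # Only names from the known role list are ever printed.
    case "$role" in
        build|review|oversee|strategize|achieve|security-check|evolve|audit|brain)
            printf '%s\n' "$role" ;;
        *)  printf 'unknown\n' ;;
    esac
)

# Demonstration helper: run extract_role over one constructed log line.
role_from_text() (
    tmp=$(mktemp) && printf '%s\n' "$1" > "$tmp" && extract_role "$tmp"
    rm -f "$tmp"
)

# Constructed sample lines (not taken from real session logs).
role_from_text '02:06:09 ROLE DECISION: security-check (constructed line)'
role_from_text 'ROLE DECISION: .*/d'
role_from_text 'a log line with no marker at all'
```

Because filtering happens before validation, a value such as `b.u.i.l.d` collapses to `build` and is accepted; comparing the filtered string with the raw field first would reject it instead.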
Summary
Three small follow-up fixes from the PR #250 code review, all in nightshift/infra/module_map.py:

- Task #252 (docstring): The _dependency_order docstring said subpackage imports "are ignored". After PR #250 added subpackage scanning, this is wrong -- subpackage entries ARE tracked with slash keys (e.g. core/constants). Updated the docstring to accurately describe the current behavior.
- Task #253 (ParseError context): ParseError.module was using path.name (bare filename like errors.py) even for subpackage files. Two files named errors.py in core/ and owl/ would produce identical error labels. Fixed to use path.relative_to(package_dir) when package_dir is provided (yields core/errors.py), falling back to path.name when package_dir is None.
- Task #254 (constant comment): _SUBPACKAGE_DIRS is defined inline per CLAUDE.md's "no hardcoded data in logic files" rule. Decision: keep it in module_map.py with an explicit comment explaining the rationale (single consumer, encodes package layout not a tunable threshold/weight -- moving it to constants.py would create a cross-subpackage dependency for no benefit).

Test plan
- test_parse_error_includes_subpackage_context verifies that a broken file in core/broken.py reports as core/broken.py and a broken top-level broken.py reports as broken.py -- two distinct entries with no collision
- test_module_map.py tests still pass (including existing parse-error tests that rely on bare filename format for top-level files)
- make check passes: ruff, mypy, 1165 pytest tests, dry-runs, ASCII check