Skip to content

v2.10.2 — Close the Bash blind spot

Latest

Choose a tag to compare

@sravan27 sravan27 released this 28 May 09:01

A gap-closing release, motivated by a real user (me, on this user's repo) experiencing the product fail to deliver where they actually work.

What was broken

smart_read (v2.10) only intercepts the Read tool. In autonomous/agentic Claude Code sessions, Claude reaches for Bash to view files (cat/less/more/bat <bigfile>) — that bypassed smart_read entirely, the whole file dumped into context, and Receipts didn't see it. Documented honestly in v2.10.1's limitations.md, now actually closed.

What's new

smart_bash.py — PreToolUse hook on Bash. Intercepts the narrow, unambiguous case of a pure file dump and hands Claude the same outline smart_read does. The parser is the load-bearing part:

  • intercepts exactly: cat/less/more/bat <file>, single positional, no flags, zero shell metacharacters in the entire command
  • explicitly does not intercept: pipes, redirects, chains, substitutions, head/tail (their 10-line default is smaller than the outline — intercepting would be net-negative), sed, quoted args, multiple files, anything ambiguous
  • once-per-file-per-session dedupe shared with smart_read so the same file isn't double-nagged
  • slice events tagged via=bash for Receipts crediting
  • env-disable: CONTEXT_OS_SMART_BASH=0

Why "perfection" required the narrow scope

The danger isn't missing an intercept — it's blocking a legitimate complex Bash command. So the parser's invariant is: any doubt → allow. The CI gate exercises 30+ adversarial shapes (pipes, &&, ;, $(), backticks, globs, tildes, quoted args, comments, line continuations…) and asserts every one passes through.

Tests

  • python/evals/runners/savings_test.py now ~100 assertions (up from 49), covering: parser whitelist correctness, parser pass-through on every risky shape, end-to-end intercept/dedupe/disable, non-existent-file/small-file/non-Bash-tool guards.
  • ranker_floor still green; setup.sh embeds byte-identical.

Honest scope

This closes the Bash blind spot for the safe whitelist. The genuinely-ambiguous cases (sed/awk/quoted scripts/multi-file) remain invisible to Receipts — that's the right call (false-positive blocking real Bash work would be worse than missing some coverage).

Install

curl -fsSL https://raw.githubusercontent.com/sravan27/context-os/main/setup.sh | bash