docs: add case-insensitive path comparison to windows-compatibility skill #574
Merged
bradygaster merged 1 commit into bradygaster:dev from Mar 23, 2026
…kill During StorageProvider Phase 1, a cross-platform audit found that startsWith() is case-sensitive but Windows and macOS filesystems are case-insensitive. This gap was missed by 4 rounds of security review because the existing skill covered timestamps, git commands, and path separators — but not path comparison semantics. Adding platform-aware comparison pattern and anti-pattern example so future agents catch this automatically via skill-aware routing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Team-reviewed and approved by Flight and FIDO. Ready for your eyes @bradygaster. squad obo dina
Why
During StorageProvider Phase 1, we built a path confinement system (rootDir and assertSafePath) that used `String.startsWith()` to verify paths stay within bounds. This passed 4 rounds of security review by RETRO, architectural review by Flight, and test review by FIDO.
None of them caught that `startsWith()` is case-sensitive, but Windows and macOS (HFS+) are case-insensitive. A path like `c:\Users\temp\file.txt` would be incorrectly blocked when rootDir was `C:\Users\temp`.
The existing `windows-compatibility` skill — which has high confidence and was earned from multiple prior bugs — covered timestamps (colons in filenames), git commands (`git -C` failures), commit messages (PowerShell newlines), and path construction (`path.join` vs manual concatenation). But it said nothing about path comparison semantics.
What
Adds a new `Path Comparison (Case Sensitivity)` section with:
Updated in both template locations (squad-sdk and squad-cli) for template sync.
Impact
Future agents working on any path comparison code will see this pattern via skill-aware routing, preventing the same class of bug from recurring.
squad obo dina
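An added example, not code from this PR or from the project's `assertSafePath`: a platform-aware confinement check next to the case-sensitive `startsWith()` check the description refers to. The function names, the `platform` parameter and the sample paths are hypothetical, and lower-casing is assumed to be an adequate stand-in for the filesystem's own case folding. It goes one step beyond the case issue by also requiring a separator boundary, so a sibling directory that merely shares the root's prefix is not accepted.

```javascript
const path = require('node:path');

// Assumption: win32 and darwin volumes compare names case-insensitively,
// as the PR description states; every other platform is case-sensitive.
const CASE_INSENSITIVE_PLATFORMS = new Set(['win32', 'darwin']);

// The anti-pattern: a raw, case-sensitive prefix test on unresolved strings.
function naiveIsInside(rootDir, candidate) {
  return candidate.startsWith(rootDir);
}

// Hypothetical helper: true when `candidate` resolves to rootDir itself or to
// a path beneath it. `platform` is injectable so both behaviours can be
// exercised on any host.
function isInsideRoot(rootDir, candidate, platform = process.platform) {
  const p = platform === 'win32' ? path.win32 : path.posix;
  const fold = CASE_INSENSITIVE_PLATFORMS.has(platform)
    ? (s) => s.toLowerCase()
    : (s) => s;

  // Resolve first so "." and ".." segments are collapsed before comparing.
  const root = fold(p.resolve(rootDir));
  const target = fold(p.resolve(rootDir, candidate));

  if (target === root) return true;

  // Compare against "root + separator" so C:\Users\temp2 is not treated as
  // being inside C:\Users\temp.
  const prefix = root.endsWith(p.sep) ? root : root + p.sep;
  return target.startsWith(prefix);
}

// Constructed sample paths.
const ROOT = 'C:\\Users\\temp';
const samples = [
  'c:\\Users\\temp\\file.txt',     // same directory, different drive-letter case
  'C:\\Users\\temp2\\file.txt',    // sibling directory sharing the prefix
  'C:\\Users\\temp\\..\\other.txt' // traversal out of the root
];
for (const s of samples) {
  console.log(s, 'naive:', naiveIsInside(ROOT, s),
    'platform-aware:', isInsideRoot(ROOT, s, 'win32'));
}
```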