Summary
Exec passes raw arguments to the permission layer without understanding their semantics. A permission rule for `git push` will not match `git -C /tmp push`, even though they are the same operation. Flags that change the effective working directory, subcommand ordering, and other command-specific conventions make raw argument matching unreliable.
Expected behaviour
Exec normalises command input before it reaches the permission layer — resolving flags like `git -C` into an effective working directory, extracting subcommands, and identifying whether an operation is destructive. Permission rules evaluate the normalised form.
Guidance
The original investigation is still applicable. The proposed pipeline:
- Program resolution — resolve `program` to a full path via PATH, enabling basename matching (`git` matches regardless of where it is installed)
- Command-aware canonicalisation — a registry of per-command parsers that extract subcommand, effective CWD, flags, and a `destructive` assessment. Unknown commands pass through with program resolution only.
- Permission evaluation — operates on the canonical form, not raw args.
Proposed V1 parsers: `git`, `pnpm`, `sed`, `mv`, `cp`, `rm`.
Key finding: `mv` and `cp` have fundamentally different flag precedence models (`mv` is last-flag-wins; `cp`'s `-n` has absolute priority regardless of position). They cannot share a parser.
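The three-stage pipeline above, as an added illustration (this is not Exec's code and not the investigation's implementation): `Canonical`, `PARSERS`, `normalise`, `Rule` and `permitted` are invented names, each parser covers only a handful of flags, the `mv`/`cp` precedence rules are taken from the key finding as stated here, and `GIT_DESTRUCTIVE` is a starter table rather than a complete list of destructive git invocations. `pnpm` and `sed` are left out.

```python
# Added example (illustration only, not Exec's code): a normalisation pipeline of
# the shape the issue proposes. Canonical, PARSERS, normalise, Rule and permitted
# are invented names; parsers handle only a few flags, GIT_DESTRUCTIVE is a starter table.
import os
import shutil
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Canonical:
    program: str                 # basename, so rules match wherever the binary lives
    path: Optional[str]          # resolved full path, None if not found on PATH
    subcommand: Optional[str]
    cwd: str                     # effective working directory after e.g. git -C
    flags: dict = field(default_factory=dict)
    destructive: bool = False
    args: list = field(default_factory=list)   # operands left after parsing

def resolve_program(name, path_env=None):
    """Stage 1: explicit path or PATH lookup; the basename is what rules match on."""
    if os.sep in name:
        return os.path.basename(name), os.path.abspath(name)
    found = shutil.which(name, path=path_env)
    return (os.path.basename(found) if found else name), found

def _cluster(arg):   # letters of a bundled short option: '-rf' -> 'rf', '' otherwise
    return arg[1:] if len(arg) > 1 and arg[0] == "-" and arg[1] != "-" else ""

GIT_DESTRUCTIVE = {  # subcommand -> flags that discard history or files
    "push": {"-f", "--force", "-d", "--delete"}, "reset": {"--hard"},
    "clean": {"-f", "--force"}, "branch": {"-D", "-d", "--delete"},
}

def parse_git(args, cwd):
    flags, i = {"config": [], "global": []}, 0
    while i < len(args) and args[i].startswith("-"):   # global options precede the subcommand
        a, nxt = args[i], (args[i + 1] if i + 1 < len(args) else None)
        if a == "-C" and nxt is not None:   # a relative -C chains off the previous one
            cwd, i = os.path.normpath(os.path.join(cwd, nxt)), i + 2
        elif a == "-c" and nxt is not None:
            flags["config"].append(nxt); i += 2
        else:
            flags["global"].append(a); i += 1
    sub, rest = (args[i], args[i + 1:]) if i < len(args) else (None, [])
    bad = GIT_DESTRUCTIVE.get(sub, set())
    destructive = any(r in bad or any("-" + c in bad for c in _cluster(r)) for r in rest)
    return sub, cwd, flags, destructive, rest

_LONG = {"--force": "overwrite", "--interactive": "interactive", "--no-clobber": "no-clobber"}
_SHORT = {"f": "overwrite", "i": "interactive", "n": "no-clobber"}

def _scan_overwrite(args):
    """Token scan shared by mv and cp: (last-wins policy, whether -n appeared, operands)."""
    policy, saw_n, operands = "overwrite", False, []
    for k, a in enumerate(args):
        if a == "--":
            operands.extend(args[k + 1:]); break
        hits = [_LONG[a]] if a in _LONG else [_SHORT[c] for c in _cluster(a) if c in _SHORT]
        if hits:
            policy, saw_n = hits[-1], saw_n or "no-clobber" in hits
        elif not a.startswith("-") or a == "-":
            operands.append(a)
    return policy, saw_n, operands

def parse_mv(args, cwd):   # issue's finding: mv is last-flag-wins among -f/-i/-n
    policy, _, operands = _scan_overwrite(args)
    return None, cwd, {"overwrite_policy": policy}, policy != "no-clobber", operands

def parse_cp(args, cwd):   # issue's finding: cp's -n wins wherever it appears
    last, saw_n, operands = _scan_overwrite(args)
    policy = "no-clobber" if saw_n else last
    return None, cwd, {"overwrite_policy": policy}, policy != "no-clobber", operands

PARSERS = {"git": parse_git, "mv": parse_mv, "cp": parse_cp,   # rm: always destructive
           "rm": lambda a, cwd: (None, cwd, {}, True, [x for x in a if not x.startswith("-")])}

def normalise(argv, cwd, path_env=None):
    """Stages 1 and 2: resolve the program, then canonicalise through the registry."""
    program, path = resolve_program(argv[0], path_env)
    if program not in PARSERS:   # unknown command: program resolution only, args pass through
        return Canonical(program, path, None, cwd, {}, False, list(argv[1:]))
    sub, eff_cwd, flags, destructive, rest = PARSERS[program](list(argv[1:]), cwd)
    return Canonical(program, path, sub, eff_cwd, flags, destructive, rest)

@dataclass
class Rule:
    program: str
    subcommand: Optional[str] = None
    cwd_prefix: Optional[str] = None   # effective cwd must sit under this directory
    allow_destructive: bool = False

def permitted(canon, rules):
    """Stage 3: evaluate rules against the canonical form, never against raw argv."""
    for r in rules:
        if r.program != canon.program or (r.subcommand and r.subcommand != canon.subcommand):
            continue
        if r.cwd_prefix is not None:
            base, cwd = os.path.abspath(r.cwd_prefix), os.path.abspath(canon.cwd)
            if os.path.commonpath([base, cwd]) != base:
                continue
        if canon.destructive and not r.allow_destructive:
            continue
        return True
    return False
```

With `rules = [Rule("git", "push", cwd_prefix="/home/me/repo")]`, `normalise(["git", "-C", "/home/me/repo", "push"], cwd="/home/me")` is permitted while the raw-argv rule in the summary would have rejected it; `git -C /tmp push` is rejected because the effective CWD, not the process CWD, is what the rule sees, and `git push --force` is rejected by the destructive bit. `mv` and `cp` share only the token scanner; the precedence decision is made in two separate parsers, which is the point of the key finding. The `cwd_prefix` check uses `os.path.commonpath` rather than a string prefix test so that `/home/me/repo-other` does not match a rule for `/home/me/repo`.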
This is a prerequisite for #101 — the permission model depends on normalised input to evaluate rules reliably.