Split DANGEROUS_PATHS into two categories:
1. DANGEROUS_SYSTEM_PATHS: Block path AND all subdirectories
(e.g., /etc, /etc/passwd, /var/log/auth.log)
2. DANGEROUS_HOME_CONTAINERS: Block ONLY exact match
(e.g., /home is blocked but /home/user/project passes through)
This fixes the issue where /home/user/project was incorrectly blocked
by is_dangerous_path(). Subdirectory access control for home directories
is properly delegated to is_home_directory_root() in resolve_and_validate_path().
Addresses review feedback from @chatgpt-codex-connector about blocking
all home directory subpaths.
Replace string prefix matching with Path.is_relative_to() to correctly
handle Windows paths like "C:\" where trailing backslash caused double
separator issues (e.g., "C:\\" instead of "C:\").
Changes:
- Use Path.is_relative_to() for subdirectory detection (requires Python 3.9+)
- Add Windows path handling tests using PureWindowsPath
- Update test_utils.py to expect /etc/passwd to be blocked (security fix)
Add automatic detection for Claude CLI installed via native methods:
- curl https://claude.ai/install.sh | bash -> ~/.local/bin/claude
- brew install --cask claude-code -> /opt/homebrew/bin/claude (Apple Silicon)
- brew install --cask claude-code -> /usr/local/bin/claude (Intel Mac/Linux)
When claude is not found in PATH, the script checks these paths in order
and adds the first found to PATH, with informative log messages.
Closes#303
The is_dangerous_path() function only did exact string matching,
allowing attackers to bypass protection by accessing subdirectories:
- /etc was blocked but /etc/passwd was allowed
- C:\Windows was blocked but C:\Windows\System32\... was allowed
This minimal fix changes is_dangerous_path() to use PREFIX MATCHING:
- Now blocks dangerous directories AND all their subdirectories
- Paths like /etcbackup are still allowed (not under /etc)
- No changes to DANGEROUS_PATHS list
Security:
- Fixes CWE-22: Path Traversal vulnerability
- Reported by: Team off-course (K-Shield.Jr 15th)
Fixes#312Fixes#293
The previous fix (aceddb6) removed --search entirely, disabling web search.
This restores web search functionality using the correct --enable flag
that works with the codex exec subcommand.
Related to #338
Address review feedback:
- Add test for claude-opus alias in test_alias_resolution
- Add tests for anthropic/claude-opus-4.5 full name and opus4.5 alias
in test_registry_capabilities
- Add anthropic/claude-opus-4.5 with aliases: opus, opus4.5, claude-opus
- Set intelligence_score to 18 (matching Gemini 3 Pro)
- Update Opus 4.1 to use opus4.1 alias only
- Update tests to reflect new alias mappings
Note: supports_function_calling and supports_json_mode set to false
following existing project pattern for Claude models, despite
OpenRouter API support for these features.
The setUp method created provider instances that were never used.
Each test creates its own instance inside the patch context manager,
which is the correct pattern for property mocking.
- Remove redundant @patch.object decorators (inner context manager suffices)
- Remove try/except blocks that could hide test failures
- Tests now fail fast if mocking is insufficient
OpenRouter's /responses endpoint rejects store:true via Zod validation.
This is an endpoint-level limitation, not model-specific. The fix
conditionally omits the store parameter for OpenRouter while maintaining
it for direct OpenAI and Azure OpenAI providers.
- Add provider type check in _generate_with_responses_endpoint
- Include debug logging when store parameter is omitted
- Add regression tests for both OpenRouter and OpenAI behavior
Fixes#348
