From 73f2b39f7e0963b91342a4b8dd775ca744e57fcb Mon Sep 17 00:00:00 2001
From: Junho Yeo <i@junho.io>
Date: Mon, 15 Dec 2025 04:31:36 +0900
Subject: [PATCH] fix(interactive-bash-blocker): prevent false positives on
 partial word matches

Changed STDIN_REQUIRING_COMMANDS from string .includes() to regex patterns

with word boundaries for accurate command detection.
---
 src/hooks/interactive-bash-blocker/constants.ts | 12 ++++++------
 src/hooks/interactive-bash-blocker/index.ts     | 10 +++++-----
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/hooks/interactive-bash-blocker/constants.ts b/src/hooks/interactive-bash-blocker/constants.ts
index 157a0e9..6cbda31 100644
--- a/src/hooks/interactive-bash-blocker/constants.ts
+++ b/src/hooks/interactive-bash-blocker/constants.ts
@@ -52,12 +52,12 @@ export const INTERACTIVE_FLAG_PATTERNS = [
   /\bselect\b.*\bin\b/,
 ]
 
-export const STDIN_REQUIRING_COMMANDS = [
-  "passwd",
-  "su",
-  "sudo -S",
-  "gpg --gen-key",
-  "ssh-keygen",
+export const STDIN_REQUIRING_PATTERNS = [
+  /\bpasswd\b/,
+  /\bsu\b(?!\s*[|&;]|\s+-c)/,
+  /\bsudo\s+-S\b/,
+  /\bgpg\s+--gen-key\b/,
+  /\bssh-keygen\b(?!\s+.*-[fNPqy])/,
 ]
 
 export const TMUX_SUGGESTION = `
diff --git a/src/hooks/interactive-bash-blocker/index.ts b/src/hooks/interactive-bash-blocker/index.ts
index a2338ec..6964a90 100644
--- a/src/hooks/interactive-bash-blocker/index.ts
+++ b/src/hooks/interactive-bash-blocker/index.ts
@@ -2,7 +2,7 @@ import type { PluginInput } from "@opencode-ai/plugin"
 import {
   HOOK_NAME,
   INTERACTIVE_FLAG_PATTERNS,
-  STDIN_REQUIRING_COMMANDS,
+  STDIN_REQUIRING_PATTERNS,
   TMUX_SUGGESTION,
 } from "./constants"
 import type { BlockResult } from "./types"
@@ -25,13 +25,13 @@ function checkInteractiveCommand(command: string): BlockResult {
     }
   }
 
-  for (const cmd of STDIN_REQUIRING_COMMANDS) {
-    if (normalizedCmd.includes(cmd)) {
+  for (const pattern of STDIN_REQUIRING_PATTERNS) {
+    if (pattern.test(normalizedCmd)) {
       return {
         blocked: true,
-        reason: `Command requires stdin interaction: ${cmd}`,
+        reason: `Command requires stdin interaction`,
         command: normalizedCmd,
-        matchedPattern: cmd,
+        matchedPattern: pattern.source,
       }
     }
   }