From c2203f5e112ebdc463e23f1804cc93804f7f2177 Mon Sep 17 00:00:00 2001
From: grobomo
Date: Fri, 3 Apr 2026 21:15:48 -0500
Subject: [PATCH] T025: Tighten allowed-paths regex patterns /test/i matched 'test' anywhere in path (e.g. 'contest/', directory names containing 'test'). Same issue with /config/i and /install/i. Tightened to require directory boundaries or file extensions.
---
 lib/allowed-paths.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/allowed-paths.js b/lib/allowed-paths.js
index 9e706d2..69906e7 100644
--- a/lib/allowed-paths.js
+++ b/lib/allowed-paths.js
@@ -8,7 +8,8 @@ const BASE = [
 ];
 const CODE_INFRA = [
- /specs\//i, /test/i, /config/i, /package\.json/i, /install/i, /setup/i,
+ /specs\//i, /[\/\\]tests?[\/\\]/i, /[\/\\]config[\/\\]/i,
+ /package\.json/i, /install\.(sh|js|py)/i, /setup\.(sh|js|py)/i,
 ];
 // isAllowed(filePath, ...extraPatterns) — returns true if filePath matches
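Review bot: The new file-name patterns in `CODE_INFRA` are still unanchored, so `/install\.(sh|js|py)/i` accepts `uninstall.sh`, `install.json` and `install.pyc`, and `/package\.json/i` and `/specs\//i` keep the substring behaviour this commit set out to remove. Anchoring both ends closes that, e.g. `/(^|[\/\\])install\.(sh|js|py)$/i`, `/(^|[\/\\])setup\.(sh|js|py)$/i` and `/(^|[\/\\])package\.json$/i`. The directory patterns now require a leading separator, so a relative path such as `tests/a.js` no longer matches; `/(^|[\/\\])tests?[\/\\]/i` keeps the boundary without that regression. `isAllowed` lies outside this hunk, so it is not visible whether `filePath` is normalized before matching; if it is not, a path containing `..` segments after a `tests/` or `config/` component would still satisfy the directory patterns, so resolving the path before the regex check is worth confirming.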