fix: resolve open issues #13, #14, #15 — env filter, macOS paths, changelog cleanup #18

Merged
wat-hiroaki merged 2 commits into main from fix/resolve-open-issues
Mar 31, 2026

@wat-hiroaki
Owner

Summary

Resolves all open issues from the PR #12 review.

Issue #13 — Plugin env filter hardening

  • extraEnvVars bypass fix: extraEnvVars is now filtered through filterEnvForPlugin() before merging with the plugin env, preventing denylist bypass via spread override
  • Pattern edge case: Removed $ anchor from api.?key pattern so SOME_API_KEY_FILE, API_KEY_PATH etc. are also blocked
  • PluginPermissions wired in: Added optional permissions?: PluginPermissions field to PluginManifest interface
  • New tests: 3 additional tests for API_KEY pattern variants (27 total)

Issue #14 — macOS command path support

  • Added /usr/local/bin and /opt/homebrew/bin to allowed paths on darwin
  • Added ~/Library/Application Support/claude-code-studio/plugins path
  • Updated isInstalled() and resolveCommand() to check Homebrew paths on macOS

Issue #15 — Cleanup

  • Added explanatory comment for orphaned DA response regex in utils.ts
  • Removed 5 duplicate entries from CHANGELOG v0.9.1 that already existed in v0.8.2–v0.8.4

Test plan

  • npm run lint — 0 errors
  • npx tsc --noEmit — clean
  • npm run build — clean
  • npm test — 27/27 pass (14 new for env filter pattern edge cases)

Closes #13, closes #14, closes #15

🤖 Generated with Claude Code
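
The two env-filter fixes described under Issue #13, as an added TypeScript sketch that is not code from this PR or the project. Only the name `filterEnvForPlugin`, the `api.?key` pattern and the `extraEnvVars` merge come from the description; the function bodies, the `buildPluginEnv*` names, the regex flag and the sample variables are assumptions constructed for illustration.

```typescript
// Added illustration; not the project's source. Bodies and sample data are assumed.
type Env = Record<string, string>;

// Denylist before and after the change (the case-insensitive flag is an assumption).
const ANCHORED: RegExp[] = [/api.?key$/i];
const UNANCHORED: RegExp[] = [/api.?key/i];

// Drop every variable whose name matches a denylist pattern.
function filterEnvForPlugin(env: Env, denylist: RegExp[]): Env {
  const out: Env = {};
  for (const name of Object.keys(env)) {
    if (!denylist.some((re) => re.test(name))) out[name] = env[name];
  }
  return out;
}

// Before: only the base env is filtered, so the spread re-adds denied names
// supplied through extraEnvVars, and the $ anchor misses *_API_KEY_FILE.
function buildPluginEnvBefore(base: Env, extraEnvVars: Env): Env {
  return { ...filterEnvForPlugin(base, ANCHORED), ...extraEnvVars };
}

// After: extraEnvVars passes through the same filter before the merge.
function buildPluginEnvAfter(base: Env, extraEnvVars: Env): Env {
  return {
    ...filterEnvForPlugin(base, UNANCHORED),
    ...filterEnvForPlugin(extraEnvVars, UNANCHORED),
  };
}

// Constructed sample data.
const baseEnv: Env = {
  PATH: "/usr/bin",
  OPENAI_API_KEY: "sk-constructed",
  SOME_API_KEY_FILE: "/run/secrets/key",
};
const extra: Env = { PLUGIN_MODE: "dev", OPENAI_API_KEY: "sk-constructed" };

function names(env: Env): string {
  return Object.keys(env).sort().join(",");
}

console.log("before:", names(buildPluginEnvBefore(baseEnv, extra)));
console.log("after: ", names(buildPluginEnvAfter(baseEnv, extra)));
```

An unanchored pattern matches the substring anywhere in the variable name, so it also drops non-secret names that happen to contain it.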

wat-hiroaki and others added 2 commits March 31, 2026 13:56
…dge cases

- Filter extraEnvVars through denylist before merging with plugin env
- Remove $ anchor from api.?key pattern to catch API_KEY_FILE variants
- Wire PluginPermissions into PluginManifest type

Closes #13

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add explanatory comment for DA response regex in utils.ts
- Clean up CHANGELOG v0.9.1 to remove duplicate entries

Closes #15

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@wat-hiroaki wat-hiroaki merged commit 1ae69aa into main Mar 31, 2026
1 check passed
@wat-hiroaki wat-hiroaki deleted the fix/resolve-open-issues branch April 6, 2026 01:55