Bash line comments not recognized — verb chain extracted from comment text

[Aaronontheweb]

Observed

When the input contains a bash line comment (# starting a token, comment runs to end-of-line per POSIX), the parser appears to treat the comment text as regular tokens. The verb chain extracted from a multi-line script with a leading comment is the comment text rather than the actual command.

Repro from production (Netclaw consumer)

The agent issued a shell_execute call with this command body (from a real Slack session, 2026-05-12):

# Extract all unique branch names from worktrees
git -C ~/repositories/stannardlabs/netclaw worktree list | awk '{print $NF}' | tr -d '[]' | sort -u

The downstream approval prompt rendered as:

Approve # Extract in ~/repositories/stannardlabs/netclaw?

The displayed verb is # Extract — the first two whitespace-separated tokens of the comment line. The expected verb is git worktree list (BashArity collapses git to a 2-token verb, plus the actual worktree subcommand following the -C <path> flag-with-value).

Note: this specific report was traced through Netclaw's v2 ShellTokenizer (the legacy parser still consulted by the prompt builder), but ShellSyntaxTree's BashLexer would have the same gap if comments aren't handled — and consumers migrating to ShellSyntaxTree as the primary parser need this fixed.

Expected behavior

Per POSIX (and bash) shell grammar:

• A # outside of single quotes, double quotes, or word characters starts a comment that runs to the next newline.
• Comments produce no tokens — the lexer should skip them entirely.
• A multi-line input where the first non-comment statement is git -C <path> worktree list | awk ... should parse as that statement (with the pipe-chained awk/tr/sort clauses), with no influence from the preceding comment.

What this affects

• BashLexer token output: comment text should not produce WORD tokens.
• BashParser: should not see comment content as part of any clause.
• ParsedCommand.Source should retain the original input verbatim per the existing contract; it's only the structured AST that excludes comment content.
• Consumers that walk ParsedCommand.Clauses to extract verb chains for security gates or audit logs get the wrong verb chain when the input has a leading or interleaved comment.

Suggested test cases for the corpus

# Leading line comment, single command
input:    "# fetch the latest\ngit pull"
expected: one clause with verb [git, pull]

# Inline mid-line comment (after whitespace, before newline)
input:    "git pull   # update local"
expected: one clause with verb [git, pull]; comment after the command is dropped

# Comment-only input
input:    "# just a note"
expected: zero clauses (or IsUnparseable=true with reason "no executable statements")

# Comment between commands in a script
input:    "git pull\n# now build\ndotnet build"
expected: two clauses with verbs [git, pull] and [dotnet, build]

# `#` inside double quotes — NOT a comment
input:    "echo \"hash is #1234\""
expected: one clause with verb [echo], one literal arg \"hash is #1234\"

# `#` inside single quotes — NOT a comment
input:    "echo 'use #foo'"
expected: one clause with verb [echo], one literal arg 'use #foo'

# `#` at start of a token mid-command (not preceded by whitespace) — debatable
# but bash treats this as a comment iff `#` is the first character of a "word"
# AND it's preceded by whitespace OR start-of-input.
# e.g. "echo abc#def" → echo gets one arg "abc#def" (no comment)
# e.g. "echo abc #def" → echo gets one arg "abc", "#def" starts comment

SPEC.md gap

SPEC.md §5 (Tokenization Rules) doesn't currently mention comments. The fix should:

1. Add a "Comment handling" subsection to §5 documenting the rule (# starting a word and not inside quotes begins a comment to end-of-line; comments produce no tokens).
2. Update the BNF in §4 to be explicit that comments are whitespace-equivalent at the lexer level (don't appear in the grammar).
3. Add the test cases above to tests/Corpus/bash/.

Severity

Low for parser correctness (comments are degenerate input), but medium for downstream consumers — agents naturally include explanatory comments in scripts they author for human review (especially scripts they propose to run via a single approval per the scripts-as-units-of-approval pattern), and surfacing comment text in approval prompts confuses the user about what they're actually approving.

[Aaronontheweb]

Additional symptom — cascade into approval-state desync

A second consumer-side failure surfaced from the same root cause. Documenting here because the cascade is the actual user-visible failure mode (the misleading prompt text in the original report was cosmetic; this one is a hard error that fails the tool call).

Repro

A tool call carrying a leading line comment plus an ||-fallback compound:

# Get open PRs from the upstream repo
curl -s "https://api.github.com/repos/example-org/example-repo/pulls?state=open" | jq -r '.[] | "\(.head.ref) | PR #\(.number)"' 2>/dev/null || echo "API failed, trying alternative..."

User clicks the equivalent of "approve in this chat / for this session" on the prompt. Tool fails on retry with Tool 'shell_execute' requires approval (surfacing as "I encountered an error executing a tool" with a correlation ID).

Why it happens

Two extraction passes over the same input produce different verb sets because comment tokens are not stripped:

Pass 1 — at session-scope persistence time (when the user clicks the approval button):

The compound splitter sees only || as a clause boundary, so the input becomes two clauses:

• Clause A: # Get open PRs ... \n curl -s ... | jq -r ... 2>/dev/null
• Clause B: echo "API failed..."

Per-clause verb-chain extraction picks the first non-flag tokens. For Clause A this becomes # Get (the comment leading the clause is treated as the verb). For Clause B: echo. Persisted: [# Get, echo].

Pass 2 — at retry-authorization time (after the user's click resumes the watchdog):

A finer-grained candidate extraction runs per-pipeline-segment within each clause. Clause A now decomposes into three candidates: # Get (the comment-led "verb"), curl, jq. Plus Clause B: echo. After filtering pure side-effects (echo), the unapproved-patterns check looks up [# Get, curl, jq] against session memory.

# Get is found, curl and jq are not (they were absorbed into Clause A's leading verb during Pass 1). Returned as unapproved → ToolApprovalRequiredException is thrown → turn fails.

Net effect

The mismatch makes the session-scope grant useless on retry. Every approval click on a command containing a leading comment fails the same way. Operators see "I encountered an error executing a tool" immediately after clicking what they thought was a successful approval.

Why the spec fix to comment handling fixes this

Once BashLexer strips comments at lex time per the proposed fix:

• Clause A becomes just curl -s ... | jq -r ... 2>/dev/null — verb chain is curl, pipeline contains curl and jq.
• Pass 1 persists [curl, echo] (with echo filtered as side-effect at persist time per the consumer's policy).
• Pass 2 checks [curl, jq]. curl is in session memory ✓. jq is also matched if the consumer's per-pipeline-segment extraction includes it — and even if not, the verb sets in pass 1 and pass 2 now agree on curl because both see the same clause structure.

Both pass 1 and pass 2 see the same clauses with the same leading verbs because no phantom comment-text "verb" exists. The asymmetry disappears.

Why this matters for v0.2 prioritization

Comment-handling looks like a degenerate-input edge case but in practice it cascades into approval-flow correctness for any consumer that uses extracted verb chains as cache keys or persistence keys. Agents authoring multi-step shell snippets naturally include explanatory comments (especially in the "scripts as approvable units" pattern that's common for AI-emitted scripts where a human is going to read the script before approving). Without comment handling, every such script becomes a roulette spin on whether persistence and re-check agree.

Suggested priority bump: this is a blocker for any consumer that does asymmetric extraction passes against the AST. The spec-level fix is small (3-5 LOC in the lexer + the test cases listed in the original report); the consumer-side workarounds are not.