Skip to content

fix(command-safety): make python -m arity entries reachable in classify_command#3588

Merged
Hmbown merged 1 commit into
Hmbown:mainfrom
chatman-media:fix/python-m-arity-classify
Jun 25, 2026
Merged

fix(command-safety): make python -m arity entries reachable in classify_command#3588
Hmbown merged 1 commit into
Hmbown:mainfrom
chatman-media:fix/python-m-arity-classify

Conversation

@chatman-media

Copy link
Copy Markdown
Contributor

The COMMAND_ARITY entries ("python -m", 3) and ("python3 -m", 3) are dead — they can never match.

classify_command strips flag tokens (anything starting with -) before doing the arity lookup, so -m is gone by the time the key is compared. python -m http.server therefore collapses to the bare python prefix, losing the module-level granularity those entries were meant to provide and making python -m http.server indistinguishable from python -m pip.

Fix

Key the entries on the bare interpreter instead — matching the upstream opencode port these were ported from (python: 2 // python -m venv env). Arity 2 captures the module/script word that follows the stripped flag:

command before after
python -m http.server python python http.server
python -m pip install x python python pip
python manage.py runserver python python manage.py

Tests

Added classify_python_module_captures_module_word and classify_python_script_arity_2. Both fail on main (left: "python") and pass with the fix. Full command_safety suite (57 tests) stays green.

…fy_command

The COMMAND_ARITY entries "python -m" and "python3 -m" could never match:
classify_command strips flag tokens (those starting with -) before looking
the prefix up, so "-m" is gone by the time the lookup runs. As a result
`python -m http.server` collapsed to the bare `python` prefix, losing the
module-level granularity those entries were meant to provide (and making
`python -m http.server` indistinguishable from `python -m pip`).

Key the entries on the bare interpreter instead, matching the upstream
opencode port (`python: 2  // python -m venv env`). Arity 2 captures the
module/script word that follows the stripped flag, so `python -m http.server`
now classifies to `python http.server` and `python manage.py` to
`python manage.py`.
@chatman-media chatman-media requested a review from Hmbown as a code owner June 25, 2026 17:09
@github-actions

Copy link
Copy Markdown

Thanks @chatman-media for taking the time to contribute.

This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered.

Please read CONTRIBUTING.md for the expected contribution shape. A maintainer can grant recurring PR access by commenting /lgtm on a pull request.

@Hmbown Hmbown merged commit 21df7bc into Hmbown:main Jun 25, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants