chore(#517): onboarding guard literal filename match (grep -Fxq) #525
Follow-up to the #517 review (PR #522): the staged-path check used `grep -qx`, so the '.' in 'onboarding.yaml' was a regex wildcard. Switch to `grep -Fxq` (fixed string, still whole-line anchored) so it matches the literal filename only. No behaviour change in practice; removes a latent over-match.
Refs #517
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
atlas-apex
left a comment
Code Review: PR #525
Commit: bb836fc20c31a71ea8454130e908f6edc77d79f8
Summary
One-line hardening follow-up to #517 (review on merged PR #522). In .claude/hooks/block-onboarding-in-git.sh, the staged-file check changed from grep -qx 'onboarding.yaml' to grep -Fxq 'onboarding.yaml' so the . is a literal dot (fixed string, -F) rather than a regex wildcard, while -x still anchors the whole line. A clarifying comment was added. Net diff: +3/−2, single file.
Correctness verification
Verified -F + -x semantics behaviourally:
| Input | grep -Fxq 'onboarding.yaml' | Correct? |
|---|---|---|
| onboarding.yaml | match | ✅ exact filename still matches |
| onboardingXyaml | no match | ✅ dot is literal now (old -qx matched this — the latent gap) |
| path/onboarding.yaml | no match | ✅ -x anchors whole line |
| onboarding.yaml.bak | no match | ✅ -x anchors whole line |
The change is correct: it removes the regex-wildcard over-match without narrowing the intended exact-filename behaviour.
Test + lint results
- `test_block_onboarding_in_git.sh` (run against the PR HEAD via `pull/525/head`): 6 passed, 0 failed (filled-in blocked, placeholder allowed, both escape hatches, non-onboarding unaffected, non-commit ignored).
- `bash -n`: clean.
- `shellcheck -S error`: clean.
Checklist Results
- ✅ Architecture & Design: Pass (no structural change; single guard predicate hardened)
- ✅ Code Quality: Pass (correct fix, clarifying comment added)
- ✅ Testing: Pass (6/6 guard suite green against PR HEAD)
- ✅ Security: Pass (tightens the guard; reduces false-negative surface on the onboarding-leak hook)
- ✅ Performance: Pass (n/a)
- ✅ PR Description & Glossary: Pass (Glossary present; Testing + Refs #517 present)
- ✅ Summary Bullet Narrative: Pass (both bullets are what + why, bold-labelled, well over the 6-word/verb threshold)
- ✅ Technical Decisions (AgDR): N/A (`.claude/hooks/` is not an AgDR-trigger path; this is a chore, Refs #517)
- ✅ Adopter Handbooks: N/A
Issues Found
None.
Handbook Findings
None. Always-load handbooks reviewed: migration-safety.md (blocking — no DB schema migration in this diff, not triggered), clean-architecture-layers.md (advisory — n/a), commit-message-quality.md (advisory — n/a). No language handbooks apply (shell file, no ts/py/go/rs).
Suggestions
None — minimal, correct, well-tested.
Verdict
APPROVED
🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: bb836fc20c31a71ea8454130e908f6edc77d79f8
Summary
`block-onboarding-in-git.sh` checked the staged file list with `grep -qx 'onboarding.yaml'`, where the `.` is a regex wildcard, so it would also match an (implausible) `onboardingXyaml`. Switched to `grep -Fxq` (fixed string, still whole-line-anchored via `-x`) so only the literal filename matches.
Testing
`.claude/hooks/tests/test_block_onboarding_in_git.sh` → 6/6 pass (filled-in blocked, placeholder allowed, both escape hatches, non-onboarding unaffected, non-commit ignored). `bash -n` + `shellcheck -S error` clean.
Refs #517
Glossary
- `grep -Fxq` — fixed string (`-F`, no regex), whole-line (`-x`), quiet (`-q`) match — the precise literal-filename form.
- `block-onboarding-in-git.sh` — blocks committing a filled-in `onboarding.yaml` (#517).
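An added example, not code from this PR or from the hook: the old and new predicates run side by side over constructed staged-path lists. The function names and the lists are assumptions for illustration, and the `notes[1].txt` case goes beyond the PR's single filename to show that a regex pattern can also miss the literal name it was written for.

```shell
#!/bin/sh
# Added illustration. Function names and staged lists are constructed;
# they are not taken from block-onboarding-in-git.sh.

# Old form: the pattern is a basic regex, so '.' matches any character
# and '[1]' is a bracket expression. $1 = staged paths, $2 = filename.
staged_has_regex() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# New form: -F makes the pattern a fixed string; -x still requires the
# whole line to equal it. '--' keeps a name starting with '-' from being
# parsed as an option.
staged_has_literal() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Print "name:regex:literal" with yes/no for each predicate.
compare() {
    r=no; l=no
    staged_has_regex "$1" "$2" && r=yes
    staged_has_literal "$1" "$2" && l=yes
    printf '%s:%s:%s\n' "$2" "$r" "$l"
}

# Constructed staged lists, one path per line.
exact='README.md
onboarding.yaml'
lookalike='README.md
onboardingXyaml'
nested='path/onboarding.yaml
onboarding.yaml.bak'
bracket_literal='notes[1].txt'
bracket_lookalike='notes1.txt'

compare "$exact" 'onboarding.yaml'             # both forms match
compare "$lookalike" 'onboarding.yaml'         # only the regex form matches
compare "$nested" 'onboarding.yaml'            # -x rejects both lines
compare "$bracket_literal" 'notes[1].txt'      # regex misses the real name
compare "$bracket_lookalike" 'notes[1].txt'    # regex matches a different file
```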