From daa62f28c62d6abbabd087d44f4a1602774f5b8e Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 19:42:36 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20break=20circular=20dependency=20classify?= =?UTF-8?q?.sh=E2=86=94vault-env.sh,=20escape=20regex=20in=20formula=20gre?= =?UTF-8?q?p?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - classify.sh now sources lib/env.sh directly instead of vault-env.sh to prevent infinite recursion when VAULT_ACTION_FORMULA is exported - Escape regex metacharacters in formula name before grep Co-Authored-By: Claude Opus 4.6 (1M context) --- vault/classify.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/vault/classify.sh b/vault/classify.sh index 41e30e5..2ef2b30 100755 --- a/vault/classify.sh +++ b/vault/classify.sh @@ -7,10 +7,13 @@ # Usage: classify.sh [blast_radius_override] # Output: prints "low", "medium", or "high" to stdout; exits 0 # -# shellcheck source=vault-env.sh +# Source lib/env.sh directly (not vault-env.sh) to avoid circular dependency: +# vault-env.sh calls classify.sh, so classify.sh must not source vault-env.sh. +# The only variable needed here is OPS_REPO_ROOT, which comes from lib/env.sh. +# shellcheck source=../lib/env.sh set -euo pipefail -source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/vault-env.sh" +source "$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/lib/env.sh" formula="${1:-}" override="${2:-}" @@ -31,8 +34,10 @@ policy_file="${OPS_REPO_ROOT}/vault/policy.toml" if [ -f "$policy_file" ]; then # Parse: look for `formula_name = "tier"` under [tiers] + # Escape regex metacharacters in formula name for safe grep + escaped_formula=$(printf '%s' "$formula" | sed 's/[].[*^$\\]/\\&/g') tier=$(sed -n '/^\[tiers\]/,/^\[/{/^\[tiers\]/d;/^\[/d;p}' "$policy_file" \ - | grep -E "^${formula}[[:space:]]*=" \ + | grep -E "^${escaped_formula}[[:space:]]*=" \ | sed -E 's/^[^=]+=[[:space:]]*"([^"]+)".*/\1/' \ | head -n1)