fix: BSD grep symlink detection, safety constants, stronger injection blocking, adversarial test improvements

[Copilot]

Addresses several hardening gaps in codebase.py and the injection defense layer, plus improves test quality in the adversarial suite.

Summary

Resolves DEBT-INT-009 (BSD grep -r follows symlinks), extracts hardcoded safety limits to named constants, strengthens the injection-blocking regex set with three new patterns, and replaces fragile source-inspection tests with behavioral assertions.

Changes

src/grippy/codebase.py

• Replaces hardcoded -rn grep flag with runtime GNU/BSD detection: runs grep --version, adds -S only on non-GNU implementations to prevent symlink traversal. Logs debug if detection fails.
• Extracts _MAX_FILE_SIZE = 1_000_000 constant (used in _make_read_file)
• Extracts _GLOB_TIMEOUT_SECONDS = 5.0 constant (used in _make_list_files)

src/grippy/injection_patterns.py

• Adds three new [BLOCKED] patterns covering paraphrased confidence/bypass injections:
  • set confidence of all findings to N
  • low confidence only
  • bypass (all) security check(s)

tests/test_hostile_environment.py

• test_natural_language_injection_neutralized: adds semantic variant assertions with a clarifying comment (variants are absent because they were never injected — confirms data-fence doesn't manufacture content)
• test_confidence_manipulation_neutralized: expands from one scenario to three paraphrase variants
• test_system_update_injection_neutralized: adds verbatim sub-string check on Skip security analysis + a paraphrased variant exercising the new bypass security checks pattern
• test_glob_has_timeout_protection: replaces inspect.getsource() string-match with a behavioral call that asserts the tool returns an error-class string

Test Plan

• Tests pass (uv run pytest tests/ -v)
• Lint passes (uv run ruff check src/grippy/ tests/)
• Types pass (uv run mypy src/grippy/)

Notes

The semantic-variant assertions in test_natural_language_injection_neutralized are vacuously true today (those strings are never inserted into the diff). They document the intent — the data-fence boundary should not introduce attacker-controlled text — and serve as regression guards if the prompt composition changes.

The glob behavioral test calls list_files("**/*.py") (path arg, not glob arg), which returns "Directory not found: **/*.py". The assertion accepts "not found" as a valid error-class response alongside "timeout", "error", etc.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/test/repo
  • Triggering command: /home/REDACTED/work/grippy-code-review/grippy-code-review/.venv/bin/pytest pytest tests/test_grippy_codebase.py -v (http block)
  • Triggering command: /home/REDACTED/work/grippy-code-review/grippy-code-review/.venv/bin/pytest pytest tests/test_grippy_codebase.py::TestMainWiring::test_codebase_index_wired_in_main -v git conf�� get --local uname credential.helpegit (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Please apply the following diffs and create a pull request.
Once the PR is ready, give it a title based on the messages of the fixes being applied.

[{"message":"The comment acknowledges that BSD grep's `-r` follows symlinks (a security risk), but the code doesn't detect the grep implementation or add `-S` on BSD systems. CLAUDE.md references DEBT-INT-009 for this limitation. Consider adding runtime detection (`grep --version`) to conditionally add `-S` on BSD systems, or document the limitation in the docstring itself.","fixFiles":[{"filePath":"src/grippy/codebase.py","diff":"diff --git a/src/grippy/codebase.py b/src/grippy/codebase.py\n--- a/src/grippy/codebase.py\n+++ b/src/grippy/codebase.py\n@@ -690,13 +690,31 @@\n             return f\"Invalid regex: {e}\"\n \n         try:\n-            # Use -r (not -R) to prevent following symlinks on GNU grep.\n-            # On BSD grep, -r follows symlinks; -S is needed to prevent it,\n-            # but -S is not recognised by GNU grep.  Since CI targets Linux\n-            # (GNU grep), -r alone is sufficient.\n+            # Prefer not to follow symlinks:\n+            # - On GNU grep, -r does not follow symlinks, so -r alone is fine.\n+            # - On BSD grep, -r follows symlinks; -S is needed to prevent it,\n+            #   but -S is not recognised by GNU grep.\n+            # We therefore try to detect GNU grep via `grep --version` and\n+            # only add -S when we don't see a GNU signature.\n+            grep_flags = [\"-r\", \"-n\"]\n+            try:\n+                version_check = subprocess.run(\n+                    [\"grep\", \"--version\"],\n+                    capture_output=True,\n+                    text=True,\n+                    timeout=1,\n+                )\n+                version_text = (version_check.stdout or \"\") + (version_check.stderr or \"\")\n+                if \"GNU grep\" not in version_text:\n+                    # Likely BSD or other implementation; avoid following symlinks.\n+                    grep_flags.insert(1, \"-S\")\n+            except (subprocess.SubprocessError, OSError, ValueError):\n+                # If version detection fails for any reason, fall back to default flags.\n+                pass\n+\n             cmd = [\n                 \"grep\",\n-                \"-rn\",\n+                *grep_flags,\n                 \"--max-count=50\",\n                 f\"--include={glob}\",\n                 f\"-C{context_lines}\",\n"}]},{"message":"The 1 MB file size limit is hardcoded in `_make_read_file()`. Consider extracting to a module-level constant `_MAX_FILE_SIZE = 1_000_000` for consistency with other safety limits (`_MAX_RESULT_CHARS`, `_MAX_GLOB_RESULTS`) and easier tuning.","fixFiles":[{"filePath":"src/grippy/codebase.py","diff":"diff --git a/src/grippy/codebase.py b/src/grippy/codebase.py\n--- a/src/grippy/codebase.py\n+++ b/src/grippy/codebase.py\n@@ -27,6 +27,10 @@\n \n log = logging.getLogger(__name__)\n \n+# Maximum file size (in bytes) that read_file will return.\n+# Kept as a module-level constant for consistency with other safety limits.\n+_MAX_FILE_SIZE = 1_000_000\n+\n # --- Constants ---\n \n _DEFAULT_EXTENSIONS = frozenset({\".py\", \".md\", \".yaml\", \".yml\", \".toml\"})\n@@ -783,8 +787,10 @@\n             file_size = target.stat().st_size\n         except OSError as e:\n             return f\"Error reading file: {e}\"\n-        if file_size > 1_000_000:\n-            return f\"Error: file too large ({file_size} bytes, limit 1 MB).\"\n+        if file_size > _MAX_FILE_SIZE:\n+            return (\n+                f\"Error: file too large ({file_size} bytes, limit {_MAX_FILE_SIZE} bytes).\"\n+            )\n \n         try:\n             lines = target.read_text(encoding=\"utf-8\", errors=\"replace\").splitlines()\n"}]},{"message":"The 5-second timeout is hardcoded in `_make_list_files()` but should potentially be a module-level constant (similar to `_MAX_GLOB_RESULTS`). Consider extracting to `_GLOB_TIMEOUT_SECONDS = 5.0` for consistency with other safety limits.","fixFiles":[{"filePath":"src/grippy/codebase.py","diff":"diff --git a/src/grippy/codebase.py b/src/grippy/codebase.py\n--- a/src/grippy/codebase.py\n+++ b/src/grippy/codebase.py\n@@ -810,6 +810,9 @@\n     return read_file\n \n \n+_GLOB_TIMEOUT_SECONDS = 5.0\n+\n+\n def _make_list_files(repo_root: Path) -> Any:\n     \"\"\"Create a list_files tool function bound to a repo root.\"\"\"\n \n@@ -843,7 +846,7 @@\n             truncated = False\n             glob_start = time.monotonic()\n             for entry in target.glob(glob_pattern):\n-                if time.monotonic() - glob_start > 5.0:\n+                if time.monotonic() - glob_start > _GLOB_TIMEOUT_SECONDS:\n                     return \"Error: glob timeout — use a more specific pattern.\"\n                 if entry.resolve().is_relative_to(resolved_root):\n                     collected.append(entry)\n"}]},{"message":"The comment states \"NL in...