From 22aabf7d4fc2e3ea7cb84810e60ab5609986ff1a Mon Sep 17 00:00:00 2001
From: Affaan Mustafa <affaan@dcube.ai>
Date: Tue, 12 May 2026 01:02:56 -0400
Subject: [PATCH] test: harden InsAIts wrapper fake Python shim

---
 tests/hooks/insaits-security-wrapper.test.js | 72 ++++++++------------
 1 file changed, 29 insertions(+), 43 deletions(-)

diff --git a/tests/hooks/insaits-security-wrapper.test.js b/tests/hooks/insaits-security-wrapper.test.js
index 17b5a4b0..98930d89 100644
--- a/tests/hooks/insaits-security-wrapper.test.js
+++ b/tests/hooks/insaits-security-wrapper.test.js
@@ -20,33 +20,38 @@ function cleanup(dirPath) {
   fs.rmSync(dirPath, { recursive: true, force: true });
 }
 
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, "'\\''")}'`;
+}
+
 function writeFakePython(binDir) {
   fs.mkdirSync(binDir, { recursive: true });
+  const fakePythonJs = path.join(binDir, 'fake-python.js');
+  fs.writeFileSync(fakePythonJs, [
+    "'use strict';",
+    "const fs = require('fs');",
+    "const mode = process.env.FAKE_INSAITS_MODE || 'clean';",
+    "if (mode === 'clean') {",
+    "  fs.readFileSync(0, 'utf8');",
+    "  process.exit(0);",
+    "}",
+    "if (mode === 'echo') {",
+    "  process.stdout.write(fs.readFileSync(0, 'utf8'));",
+    "  process.exit(0);",
+    "}",
+    "if (mode === 'block') {",
+    "  process.stdout.write('blocked by monitor\\n');",
+    "  process.stderr.write('monitor warning\\n');",
+    "  process.exit(2);",
+    "}",
+    "if (mode === 'error') {",
+    "  process.stderr.write('spawned but failed\\n');",
+    "  process.exit(1);",
+    "}",
+  ].join('\n'), 'utf8');
+
   if (process.platform === 'win32') {
-    const fakePythonJs = path.join(binDir, 'fake-python.js');
     const fakePythonCmd = path.join(binDir, 'python3.cmd');
-    fs.writeFileSync(fakePythonJs, [
-      "'use strict';",
-      "const fs = require('fs');",
-      "const mode = process.env.FAKE_INSAITS_MODE || 'clean';",
-      "if (mode === 'clean') {",
-      "  fs.readFileSync(0, 'utf8');",
-      "  process.exit(0);",
-      "}",
-      "if (mode === 'echo') {",
-      "  process.stdout.write(fs.readFileSync(0, 'utf8'));",
-      "  process.exit(0);",
-      "}",
-      "if (mode === 'block') {",
-      "  process.stdout.write('blocked by monitor\\n');",
-      "  process.stderr.write('monitor warning\\n');",
-      "  process.exit(2);",
-      "}",
-      "if (mode === 'error') {",
-      "  process.stderr.write('spawned but failed\\n');",
-      "  process.exit(1);",
-      "}",
-    ].join('\n'), 'utf8');
     fs.writeFileSync(fakePythonCmd, [
       '@echo off',
       `"${process.execPath}" "%~dp0fake-python.js" %*`,
@@ -57,26 +62,7 @@ function writeFakePython(binDir) {
   const fakePython = path.join(binDir, 'python3');
   fs.writeFileSync(fakePython, [
     '#!/bin/sh',
-    'mode="${FAKE_INSAITS_MODE:-clean}"',
-    'case "$mode" in',
-    '  clean)',
-    '    cat >/dev/null',
-    '    exit 0',
-    '    ;;',
-    '  echo)',
-    '    cat',
-    '    exit 0',
-    '    ;;',
-    '  block)',
-    '    printf "blocked by monitor\\n"',
-    '    printf "monitor warning\\n" >&2',
-    '    exit 2',
-    '    ;;',
-    '  error)',
-    '    printf "spawned but failed\\n" >&2',
-    '    exit 1',
-    '    ;;',
-    'esac',
+    `exec ${shellQuote(process.execPath)} ${shellQuote(fakePythonJs)} "$@"`,
   ].join('\n'), 'utf8');
   fs.chmodSync(fakePython, 0o755);
 }