(root: Node)
| 460 | } |
| 461 | |
| 462 | function walkProgram(root: Node): ParseForSecurityResult { |
| 463 | // ERROR-node check folded into collectCommands — any unhandled node type |
| 464 | // (including ERROR) falls through to tooComplex() in the default branch. |
| 465 | // Avoids a separate full-tree walk for error detection. |
| 466 | const commands: SimpleCommand[] = [] |
| 467 | // Track variables assigned earlier in the same command. When a |
| 468 | // simple_expansion ($VAR) references a tracked var, we can substitute |
| 469 | // a placeholder instead of returning too-complex. Enables patterns like |
| 470 | // `NOW=$(date) && jq --arg now "$NOW" ...` — $NOW is known to be the |
| 471 | // $(date) output (already extracted as inner command). |
| 472 | const varScope = new Map<string, string>() |
| 473 | const err = collectCommands(root, commands, varScope) |
| 474 | if (err) return err |
| 475 | return { kind: 'simple', commands } |
| 476 | } |
| 477 | |
| 478 | /** |
| 479 | * Recursively collect leaf `command` nodes from a structural wrapper node. |
no test coverage detected