fix: Preserve newlines in quoted strings for auto-approve command parsing

- Fix parseCommand() to protect newlines inside quoted strings before splitting
- Track quote state (single/double) and handle escaped quotes
- Use placeholder to preserve newlines in quotes during line splitting
- Restore actual newlines after parsing completes
- Update tests to expect newlines preserved in quoted strings
- Fixes auto-approve for multi-line git commit messages

This resolves the issue where multi-line git commit messages like:
  git commit -m "feat: title
  - point a
  - point b"
Were incorrectly split into separate commands, causing auto-approve to fail.

Author: markijbema

webview-ui/src/utils/__tests__/command-validation.spec.ts

@@ -110,15 +110,14 @@ describe("Command Validation", () => {
 				])
 			})
 
-			it("splits on actual newlines even within quotes", () => {
-				// Note: Since we split by newlines first, actual newlines in the input
-				// will split the command, even if they appear to be within quotes
+			it("preserves newlines within quotes", () => {
+				// Newlines inside quoted strings should be preserved as part of the command
 				// Using template literal to create actual newline
 				const commandWithNewlineInQuotes = `echo "Hello
 World"
 git status`
-				// The quotes get stripped because they're no longer properly paired after splitting
-				expect(parseCommand(commandWithNewlineInQuotes)).toEqual(["echo Hello", "World", "git status"])
+				// The newlines inside quotes are preserved, so we get two commands
+				expect(parseCommand(commandWithNewlineInQuotes)).toEqual(['echo "Hello\nWorld"', "git status"])
 			})
 
 			it("handles quoted strings on single line", () => {
@@ -1083,10 +1082,7 @@ describe("Unified Command Decision Functions", () => {
 			expect(getCommandDecision("dangerous", allowed, denied)).toBe("ask_user")
 			expect(getCommandDecision("npm install && dangerous", allowed, denied)).toBe("ask_user")
 		})
-		// Real-world regression: multi-line git commit message in quotes should not be treated as separate commands
-		// Current behavior splits on newlines before quote handling, which causes follow-up lines to be considered commands.
-		// This test reproduces the failure mode for visibility. A future fix could change parseCommand to preserve
-		// newlines inside quotes for specific cases (e.g., git commit -m).
+		// Real-world regression: multi-line git commit message in quotes should be treated as a single command
 		describe("real-world: multi-line git commit message", () => {
 			it("auto-approves when commit message is single-line", () => {
 				const allowed = ["cd", "git add", "git commit"]
@@ -1096,17 +1092,30 @@ describe("Unified Command Decision Functions", () => {
 				expect(getCommandDecision(command, allowed, [])).toBe("auto_approve")
 			})
 
-			it("asks user when commit message is multi-line due to newline splitting (bug reproduction)", () => {
+			it("auto-approves when commit message is multi-line (newlines preserved in quotes)", () => {
 				const allowed = ["cd", "git add", "git commit"]
 				// Simplified reproduction of the user's example: a multi-line quoted commit message
 				const command = `cd /repo && git add src/a.ts src/b.ts && git commit -m "feat: title
 
 - point a
 - point b"`
 
-				// Because parseCommand splits on actual newlines first, the lines after the first are treated as separate
-				// commands (e.g., "- point a"), which are not in the allowlist, so the overall decision becomes "ask_user".
-				expect(getCommandDecision(command, allowed, [])).toBe("ask_user")
+				// parseCommand now preserves newlines inside quotes, so the entire commit message
+				// stays as part of the git commit command and gets auto-approved
+				expect(getCommandDecision(command, allowed, [])).toBe("auto_approve")
+			})
+
+			it("preserves newlines in the parsed command", () => {
+				const command = `git commit -m "feat: title
+
+- point a
+- point b"`
+
+				const parsed = parseCommand(command)
+				expect(parsed).toHaveLength(1)
+				expect(parsed[0]).toContain("\n")
+				expect(parsed[0]).toContain("- point a")
+				expect(parsed[0]).toContain("- point b")
 			})
 		})
 	})

webview-ui/src/utils/command-validation.ts

@@ -127,18 +127,49 @@ export function containsDangerousSubstitution(source: string): boolean {
  * chaining operators (&&, ||, ;, |, or &) and newlines.
  *
  * Uses shell-quote to properly handle:
- * - Quoted strings (preserves quotes)
+ * - Quoted strings (preserves quotes and newlines within quotes)
  * - Subshell commands ($(cmd), `cmd`, <(cmd), >(cmd))
  * - PowerShell redirections (2>&1)
  * - Chain operators (&&, ||, ;, |, &)
- * - Newlines as command separators
+ * - Newlines as command separators (but not within quotes)
  */
 export function parseCommand(command: string): string[] {
 	if (!command?.trim()) return []
 
-	// Split by newlines first (handle different line ending formats)
+	// First, protect newlines inside quoted strings by replacing them with a placeholder
+	// This prevents splitting multi-line quoted strings (e.g., git commit -m "multi\nline")
+	const quotedStringPlaceholder = "___NEWLINE_IN_QUOTE___"
+	let protectedCommand = command
+
+	// Track quote state and replace newlines inside quotes
+	let inDoubleQuote = false
+	let inSingleQuote = false
+	let result = ""
+
+	for (let i = 0; i < command.length; i++) {
+		const char = command[i]
+		const prevChar = i > 0 ? command[i - 1] : ""
+
+		// Toggle quote state (ignore escaped quotes)
+		if (char === '"' && prevChar !== "\\") {
+			inDoubleQuote = !inDoubleQuote
+			result += char
+		} else if (char === "'" && prevChar !== "\\") {
+			inSingleQuote = !inSingleQuote
+			result += char
+		} else if ((char === "\n" || char === "\r") && (inDoubleQuote || inSingleQuote)) {
+			// Replace newlines inside quotes with placeholder
+			result += quotedStringPlaceholder
+		} else {
+			result += char
+		}
+	}
+
+	protectedCommand = result
+
+	// Split by newlines (handle different line ending formats)
 	// This regex splits on \r\n (Windows), \n (Unix), or \r (old Mac)
-	const lines = command.split(/\r\n|\r|\n/)
+	const lines = protectedCommand.split(/\r\n|\r|\n/)
 	const allCommands: string[] = []
 
 	for (const line of lines) {
@@ -150,7 +181,8 @@ export function parseCommand(command: string): string[] {
 		allCommands.push(...lineCommands)
 	}
 
-	return allCommands
+	// Restore newlines in quoted strings
+	return allCommands.map((cmd) => cmd.replace(new RegExp(quotedStringPlaceholder, "g"), "\n"))
 }
 
 /**