From 1415acfca2701ff95463f330f39b2148c26d68f8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 19:33:04 +0000
Subject: [PATCH 1/2] Initial plan


From 357b74e9e6b85ad83ee5b62f6eb0c37cf376cbe6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 19:35:49 +0000
Subject: [PATCH 2/2] Remove toLowerCase from normalizeCommand to prevent
 case-based command bypass

Co-authored-by: NoahCardoza <10343470+NoahCardoza@users.noreply.github.com>
---
 src/__tests__/command-hash.test.ts | 12 ++++--------
 src/core/command-hash.ts           |  2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/__tests__/command-hash.test.ts b/src/__tests__/command-hash.test.ts
index a933401..184b24b 100644
--- a/src/__tests__/command-hash.test.ts
+++ b/src/__tests__/command-hash.test.ts
@@ -10,12 +10,8 @@ describe('normalizeCommand', () => {
     expect(normalizeCommand('echo   hello\t\tworld')).toBe('echo hello world')
   })
 
-  it('lowercases the entire string', () => {
-    expect(normalizeCommand('ECHO HELLO')).toBe('echo hello')
-  })
-
-  it('handles combined: "  FOO   BAR  " → "foo bar"', () => {
-    expect(normalizeCommand('  FOO   BAR  ')).toBe('foo bar')
+  it('handles combined: "  FOO   BAR  " → "FOO BAR"', () => {
+    expect(normalizeCommand('  FOO   BAR  ')).toBe('FOO BAR')
   })
 
   it('throws on empty string', () => {
@@ -47,10 +43,10 @@ describe('hashCommand', () => {
   })
 
   it('round-trip: normalizeCommand then hashCommand is stable across calls', () => {
-    const input = '  ECHO   Hello World  '
+    const input = '  echo   Hello World  '
     const hash1 = hashCommand(normalizeCommand(input))
     const hash2 = hashCommand(normalizeCommand(input))
     expect(hash1).toBe(hash2)
-    expect(hash1).toBe(hashCommand('echo hello world'))
+    expect(hash1).toBe(hashCommand('echo Hello World'))
   })
 })
diff --git a/src/core/command-hash.ts b/src/core/command-hash.ts
index 62ffb16..71faef4 100644
--- a/src/core/command-hash.ts
+++ b/src/core/command-hash.ts
@@ -1,7 +1,7 @@
 import { createHash } from 'node:crypto'
 
 export function normalizeCommand(cmd: string): string {
-  const normalized = cmd.trim().replace(/\s+/g, ' ').toLowerCase()
+  const normalized = cmd.trim().replace(/\s+/g, ' ')
   if (normalized.length === 0) {
     throw new Error('command must not be empty')
   }