From 185ed4e3d823a5fae66deb95023ec188fe715ea1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 02:10:15 +0000
Subject: [PATCH] Further tighten regex: stricter version pattern, no
 underscores in name segments, precise trailing-dot strip

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/d75fe7da-369a-40e9-913e-7dba45de21c3

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 app/sovran_systemsos_web/server.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index ea57798..bb72721 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -1508,12 +1508,13 @@ _BTC_VERSION_CACHE_TTL = 60  # seconds — version doesn't change at runtime
 # Regex to extract the version from a Nix store ExecStart path.
 # Pattern:  /nix/store/<32-char-hash>-<name-segments>-<version>/...
 # Name segments may begin with a letter or digit (e.g. 'python3', 'gtk3',
-# 'lib32-foo') so each segment allows [a-zA-Z0-9] as the leading character.
+# 'lib32-foo') and consist of alphanumeric characters only (no underscores,
+# since Nix store paths use hyphens as separators).
 # The version is identified as the first token starting with digit.digit.
 _NIX_STORE_VERSION_RE = re.compile(
-    r"/nix/store/[a-z0-9]{32}-"                               # hash prefix
-    r"(?:[a-zA-Z0-9][a-zA-Z0-9_]*(?:-[a-zA-Z0-9][a-zA-Z0-9_]*)*)+"  # package name
-    r"-(\d+\.\d+[a-zA-Z0-9._+-]*)/"                           # version (group 1)
+    r"/nix/store/[a-z0-9]{32}-"                                         # hash prefix
+    r"(?:[a-zA-Z0-9][a-zA-Z0-9]*(?:-[a-zA-Z0-9][a-zA-Z0-9]*)*)+"      # package name
+    r"-(\d+\.\d+(?:\.\d+)*(?:[+-][a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*)?)/"  # version (group 1)
 )
 
 # Nix path suffixes that indicate a wrapper environment, not a real package version.
@@ -1554,7 +1555,9 @@ def _get_service_version(unit: str) -> str | None:
         if result.returncode == 0 and result.stdout.strip():
             m = _NIX_STORE_VERSION_RE.search(result.stdout)
             if m:
-                ver = m.group(1).rstrip(".")
+                ver = m.group(1)
+                # Strip a single trailing period (defensive; shouldn't appear in store paths)
+                ver = ver[:-1] if ver.endswith(".") else ver
                 # Skip Nix environment/wrapper suffixes that are not real versions
                 if not _NIX_WRAPPER_SUFFIX_RE.search(ver):
                     version = ver if ver.startswith("v") else f"v{ver}"