[Change] tests: end-to-end ignore_inotify ERE + ignore_paths regression; issue #484

[New] tests/48-monitor-ignore-regex.bats: 11 integration tests covering
      user regex passthrough, literal: prefix escape, defaults auto-escape,
      ignore_paths ERE consistency with scan-mode, malformed-regex
      symmetry (ignore_inotify + ignore_paths), and the sentinel
      against the misleading comment at lmd_monitor.sh:74
[Change] CHANGELOG, CHANGELOG.RELEASE: v2.0.1 [Change] entry

Author: rfxn

CHANGELOG

@@ -91,6 +91,9 @@ v2.0.1 | Mar 25 2026:
 
 [New] _monitor_to_ere_entry(): semantic dispatch helper for ignore_inotify
       entry preparation (defaults-always-escape, user-raw-or-literal:)
+[Change] tests/48-monitor-ignore-regex.bats: integration coverage for
+      ignore_inotify ERE + literal: prefix + ignore_paths monitor-mode
+      consistency + malformed-regex symmetry; issue #484
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not

CHANGELOG.RELEASE

@@ -91,6 +91,9 @@ v2.0.1 | Mar 25 2026:
 
 [New] _monitor_to_ere_entry(): semantic dispatch helper for ignore_inotify
       entry preparation (defaults-always-escape, user-raw-or-literal:)
+[Change] tests/48-monitor-ignore-regex.bats: integration coverage for
+      ignore_inotify ERE + literal: prefix + ignore_paths monitor-mode
+      consistency + malformed-regex symmetry; issue #484
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not

tests/48-monitor-ignore-regex.bats

@@ -0,0 +1,231 @@
+#!/usr/bin/env bats
+# 48-monitor-ignore-regex.bats — end-to-end ignore_inotify ERE + ignore_paths
+# monitor-mode ERE consistency (issue #484 — v1.6.6 regex semantics restored)
+
+load '/usr/local/lib/bats/bats-support/load'
+load '/usr/local/lib/bats/bats-assert/load'
+
+LMD_INSTALL="/usr/local/maldetect"
+
+_source_lmd_stack() {
+    set +eu
+    trap - ERR
+    export inspath="$LMD_INSTALL"
+    source "$LMD_INSTALL/internals/internals.conf"
+    source "$LMD_INSTALL/conf.maldet"
+    source "$LMD_INSTALL/internals/tlog_lib.sh"
+    source "$LMD_INSTALL/internals/elog_lib.sh"
+    source "$LMD_INSTALL/internals/alert_lib.sh"
+    source "$LMD_INSTALL/internals/lmd_alert.sh"
+    source "$LMD_INSTALL/internals/lmd.lib.sh"
+    set -eu
+}
+
+# Helper: build the exclude-regex string from a fixture pair.
+#
+# Mirrors the exclude-regex builder inline block in monitor_init()
+# (lmd_monitor.sh Change E / issue #484). The builder has no callable
+# name — it is a while-read loop inline with session-scoped state —
+# so this helper is a faithful, intentional duplicate for integration
+# test isolation. If the production loop changes (prefix letters,
+# separator, parenthesis wrapping), update this helper AND the tests
+# below in the same commit.
+_build_exclude() {
+    _source_lmd_stack
+    local _user="$1" _defaults="$2"
+    local _igregexp="" _line _src _ent _prepared
+    while IFS= read -r _line; do
+        _src="${_line:0:1}"
+        _ent="${_line:2}"
+        case "$_src" in
+            u) _prepared=$(_monitor_to_ere_entry "$_ent" "user") ;;
+            d) _prepared=$(_monitor_to_ere_entry "$_ent" "defaults") ;;
+            *) continue ;;
+        esac
+        [ -z "$_prepared" ] && continue
+        [ -n "$_igregexp" ] && _igregexp="$_igregexp|$_prepared" || _igregexp="($_prepared"
+    done < <(_monitor_load_ignore_inotify_union "$_user" "$_defaults")
+    [ -n "$_igregexp" ] && printf '%s)' "$_igregexp"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "regex: ^/tmp/.*scantem.* excludes ClamAV scantemp parent directory" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' '^/tmp/.*scantem.*' > "$tmpdir/user"
+    : > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    local sample='/tmp/20260418_192807-scantemp.a96549c23f'
+    # User regex must survive unescaped; sample must match it.
+    [[ "$sample" =~ ^/tmp/.*scantem.* ]]
+    run bash -c "printf '%s\n' '$sample' | grep -E -v '$regex'"
+    [ -z "$output" ]  # excluded
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "regex: ^/var/tmp/.*scantem.* excludes ClamAV scantemp (Gazoo's pattern)" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' '^/var/tmp/.*scantem.*' > "$tmpdir/user"
+    : > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    local sample='/var/tmp/20260418_192807-scantemp.a96549c23f/clamav-HASH.tmp'
+    run bash -c "printf '%s\n' '$sample' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "regex: Plesk vhost ^/var/www/vhosts/.*/logs/.*$ pattern works end-to-end" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' '^/var/www/vhosts/.*/logs/.*$' > "$tmpdir/user"
+    : > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    local matches='/var/www/vhosts/example.com/logs/access_log'
+    local nomatch='/var/www/vhosts/example.com/httpdocs/shell.php'
+    run bash -c "printf '%s\n' '$matches' | grep -E -v '$regex'"
+    [ -z "$output" ]  # excluded — Plesk logs
+    run bash -c "printf '%s\n' '$nomatch' | grep -E -v '$regex'"
+    [ "$output" = "$nomatch" ]  # NOT excluded — real web content
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "literal: user entry 'literal:/tmp/app.cache' matches the literal path only" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' 'literal:/tmp/app.cache' > "$tmpdir/user"
+    : > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    # Literal path matches; "app.cache" substring in unrelated path does not.
+    run bash -c "printf '%s\n' '/tmp/app.cache' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    run bash -c "printf '%s\n' '/tmp/appXcache' | grep -E -v '$regex'"
+    [ "$output" = "/tmp/appXcache" ]  # literal dot escape prevents .-match
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "defaults: sql-temptable- from ignore_inotify.defaults excludes MySQL temp" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    : > "$tmpdir/user"
+    printf '%s\n' 'sql-temptable-' > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    local sample='/var/lib/mysql/sql-temptable-12.MAD'
+    run bash -c "printf '%s\n' '$sample' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "mixed: user regex + literal: entry + defaults literal all coexist in exclude group" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' '^/tmp/.*scantem.*' 'literal:/var/log/foo.bar' > "$tmpdir/user"
+    printf '%s\n' '/var/tmp/systemd-private-' > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    # All three should produce matching exclusions.
+    run bash -c "printf '%s\n' '/tmp/20260418-scantemp.X' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    run bash -c "printf '%s\n' '/var/log/foo.bar' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    run bash -c "printf '%s\n' '/var/tmp/systemd-private-svc-xyz' | grep -E -v '$regex'"
+    [ -z "$output" ]
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "ignore_paths: monitor-mode ERE ^/var/www/vhosts/[^/]+/tmp/ pattern filters events" {
+    # Simulates the monitor-mode pipe: _monitor_filter_events extracts paths,
+    # grep -E -vf "$ignore_paths" filters them. Assert that a middle-wildcard
+    # ERE in ignore_paths works in monitor mode (matches scan-mode semantics).
+    _source_lmd_stack
+    local tmpdir; tmpdir=$(mktemp -d)
+    cat > "$tmpdir/events" <<'EVENTS'
+/var/www/vhosts/a.com/httpdocs/shell.php CREATE 18 Mar 10:30:01
+/var/www/vhosts/a.com/tmp/scratch.txt CREATE 18 Mar 10:30:02
+/home/user/public_html/index.php CREATE 18 Mar 10:30:03
+EVENTS
+    printf '%s\n' '^/var/www/vhosts/[^/]+/tmp/' > "$tmpdir/ignore"
+    # export -f required so bash -c subshell can call the function.
+    export -f _monitor_filter_events
+    run bash -c '_monitor_filter_events < "$1" | grep -E -vf "$2"' _ "$tmpdir/events" "$tmpdir/ignore"
+    [ "$status" -eq 0 ]
+    echo "$output" | grep -q "shell.php"
+    echo "$output" | grep -q "index.php"
+    ! echo "$output" | grep -q "scratch.txt"
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "ignore_paths: empty file → no filter stage, all events pass" {
+    _source_lmd_stack
+    local tmpdir; tmpdir=$(mktemp -d)
+    cat > "$tmpdir/events" <<'EVENTS'
+/home/user/file.php CREATE 18 Mar 10:30:01
+EVENTS
+    : > "$tmpdir/ignore"
+    # With empty ignore file, new pipe must bypass grep -E -vf entirely.
+    # Directly exercise via bash conditional mirroring lmd_monitor.sh caller.
+    # export -f required so bash -c subshell can call the function.
+    export -f _monitor_filter_events
+    run bash -c '
+        if [ -s "$2" ]; then
+            _monitor_filter_events < "$1" | grep -E -vf "$2"
+        else
+            _monitor_filter_events < "$1"
+        fi' _ "$tmpdir/events" "$tmpdir/ignore"
+    [ "$status" -eq 0 ]
+    echo "$output" | grep -q "file.php"
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "union: exclude-regex builder wraps multiple entries in single OR group" {
+    local tmpdir; tmpdir=$(mktemp -d)
+    printf '%s\n' '/a' '/b' '/c' > "$tmpdir/user"
+    : > "$tmpdir/defaults"
+    local regex; regex=$(_build_exclude "$tmpdir/user" "$tmpdir/defaults")
+    # Exactly one open-paren and one close-paren.
+    [ "$(echo "$regex" | grep -c '^(')" -eq 1 ]
+    [ "$(echo "$regex" | grep -cE '\)$')" -eq 1 ]
+    echo "$regex" | grep -qE '/a\|/b\|/c'
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "regression: misleading 'matching current grep -vf semantics' comment removed" {
+    run grep -n 'matching current grep -vf' "$LMD_INSTALL/internals/lmd_monitor.sh"
+    [ "$status" -eq 1 ]  # grep exits 1 when no match — what we want
+}
+
+# bats test_tags=monitor,integration,issue484
+@test "ignore_paths: malformed regex produces grep -E error without hanging monitor pipe" {
+    # Gap-coverage: symmetric coverage for ignore_paths:
+    # a malformed ERE (unclosed bracket) causes grep -E to exit non-zero
+    # and emit to stderr; the monitor pipe returns an empty event list
+    # rather than hanging or mis-filtering. Not a silent data-loss path —
+    # next cycle catches up from the tlog cursor.
+    _source_lmd_stack
+    local tmpdir; tmpdir=$(mktemp -d)
+    cat > "$tmpdir/events" <<'EVENTS'
+/home/user/public_html/shell.php CREATE 18 Mar 10:30:01
+/home/user/public_html/ok.js MODIFY 18 Mar 10:30:02
+EVENTS
+    printf '%s\n' '[unclosed-bracket' > "$tmpdir/ignore"
+    # Invoke the production pipe conditional mirror with stderr captured.
+    # export -f required so bash -c subshell can call the function.
+    export -f _monitor_filter_events
+    local _stderr
+    _stderr=$(mktemp)
+    run bash -c '
+        if [ -s "$2" ]; then
+            _monitor_filter_events < "$1" | grep -E -vf "$2" 2>"$3"
+        else
+            _monitor_filter_events < "$1" 2>"$3"
+        fi' _ "$tmpdir/events" "$tmpdir/ignore" "$_stderr"
+    # grep emits to stderr (visible for operator diagnosis) and exits
+    # non-zero on regex compile error; empty or partial event list is
+    # acceptable. Assertion: the pipe terminates (no hang) and stderr
+    # contains evidence of the compile failure.
+    [ -s "$_stderr" ]
+    grep -qE 'regex|bracket|unmatched|Invalid' "$_stderr"
+    rm -rf "$tmpdir" "$_stderr"
+}