[Fix] monitor: restore v1.6.6 ignore_inotify regex + ignore_paths ERE; issue #484

[Fix] _monitor_load_ignore_inotify_union: emit u:/d: prefixed tuples
[Fix] monitor_cycle exclude-regex builder: per-entry semantic dispatch via
      _monitor_to_ere_entry — user entries raw ERE by default, literal:
      prefix opts into escape; defaults always escape
[Fix] _monitor_filter_events: drop ignore-file arg; ignore_paths filtering
      moves to sibling grep -E -vf stage (ERE, matches scan-mode)
[New] _monitor_to_ere_entry(): semantic dispatch helper
[Change] CHANGELOG, CHANGELOG.RELEASE: v2.0.1 [Fix] + [New] entries
[Change] tests/30-monitor-utils.bats: +10 tests (7 _monitor_to_ere_entry,
      3 union: prefix); rewrite ERE pipe test; drop stale ignore-file arg
      from 5 sibling _monitor_filter_events tests
[Change] tests/47-ignore-inotify-defaults.bats: update 4 existing union
      tests to expect u:/d: prefixed output (contract change per spec
      §11b edge case 3)

Author: rfxn

CHANGELOG

@@ -89,6 +89,8 @@ v2.0.1 | Mar 25 2026:
 
   -- Changes --
 
+[New] _monitor_to_ere_entry(): semantic dispatch helper for ignore_inotify
+      entry preparation (defaults-always-escape, user-raw-or-literal:)
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not
@@ -232,6 +234,13 @@ v2.0.1 | Mar 25 2026:
 
   -- Bug Fixes --
 
+[Fix] monitor: restore v1.6.6 ERE semantics for ignore_inotify entries;
+      introduce literal: per-entry prefix for opt-in escape of paths
+      containing regex metachars; issue #484
+[Fix] monitor: ignore_paths now uses grep -E -vf (ERE) to match scan-mode
+      semantics; fixes silent regression from awk index() substring
+      filter introduced by monitor-mode redesign; issue #484
+
 [Fix] monitor: ownership filters (scan_ignore_root/user/group) unconditionally
       excluded root-owned files in monitor mode; root-owned malware drops silently
       produced 0 quarantine hits despite detection; gated behind new

CHANGELOG.RELEASE

@@ -89,6 +89,8 @@ v2.0.1 | Mar 25 2026:
 
   -- Changes --
 
+[New] _monitor_to_ere_entry(): semantic dispatch helper for ignore_inotify
+      entry preparation (defaults-always-escape, user-raw-or-literal:)
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not
@@ -232,6 +234,13 @@ v2.0.1 | Mar 25 2026:
 
   -- Bug Fixes --
 
+[Fix] monitor: restore v1.6.6 ERE semantics for ignore_inotify entries;
+      introduce literal: per-entry prefix for opt-in escape of paths
+      containing regex metachars; issue #484
+[Fix] monitor: ignore_paths now uses grep -E -vf (ERE) to match scan-mode
+      semantics; fixes silent regression from awk index() substring
+      filter introduced by monitor-mode redesign; issue #484
+
 [Fix] monitor: ownership filters (scan_ignore_root/user/group) unconditionally
       excluded root-owned files in monitor mode; root-owned malware drops silently
       produced 0 quarantine hits despite detection; gated behind new

files/internals/lmd_monitor.sh

@@ -68,33 +68,39 @@ _monitor_escape_ere() {
 	echo "$_str"
 }
 
+_monitor_to_ere_entry() {
+	# Semantic dispatch for ignore_inotify entry preparation.
+	# $1=entry $2=source (user|defaults)
+	# source=defaults      → always escape (curated substrings; safe default)
+	# source=user, literal: → strip prefix, escape remainder (opt-in literal mode)
+	# source=user, no prefix → return entry unchanged (raw ERE; v1.6.6 semantics)
+	local _entry="$1" _source="$2"
+	case "$_source" in
+		defaults) _monitor_escape_ere "$_entry" ;;
+		user)
+			case "$_entry" in
+				literal:*)
+					local _lit="${_entry#literal:}"
+					[ -z "$_lit" ] && return 0  # empty after prefix — skip
+					_monitor_escape_ere "$_lit"
+					;;
+				*) printf '%s\n' "$_entry" ;;
+			esac
+			;;
+		*) return 1 ;;  # unknown source — fail loud
+	esac
+}
+
 _monitor_filter_events() {
-	# Filter inotify event lines from stdin. Extracts file paths from
-	# CREATE/MODIFY/MOVED_TO events, deduplicates, and applies
-	# substring-based ignore_paths filtering (matching current grep -vf
-	# semantics). Outputs one path per line.
-	local _ignore_file="$1"
-	awk -v ignore_file="$_ignore_file" '
-		BEGIN {
-			if (ignore_file != "" && ignore_file != "/dev/null") {
-				while ((getline line < ignore_file) > 0) {
-					if (line != "") ign[line] = 1
-				}
-				close(ignore_file)
-			}
-		}
+	# Extract + dedupe CREATE/MODIFY/MOVED_TO event paths from inotifywait
+	# stdin. Ignore-path filtering is applied downstream via grep -E -vf
+	# (see call site in monitor_cycle; matches scan-mode ERE semantics).
+	awk '
 		/ CREATE| MODIFY| MOVED_TO/ {
-			# Match the exact inotifywait trailing metadata block:
-			# [Space][Event(s)][Space][Day][Space][Month][Space][Time]$
 			if (match($0, / (CREATE|MODIFY|MOVED_TO)[^ ]* [0-9][0-9]* [A-Za-z][A-Za-z]* [0-9:][0-9:]*$/)) {
-				# Extract everything before the metadata block as the file path
 				path = substr($0, 1, RSTART - 1)
 				if (path == "" || seen[path]++) next
-			skip = 0
-			for (p in ign) {
-				if (index(path, p) > 0) { skip = 1; break }
-			}
-			if (!skip) print path
+				print path
 			}
 		}
 	'
@@ -124,17 +130,22 @@ _monitor_append_extra_paths() {
 }
 
 _monitor_load_ignore_inotify_union() {
-	# Union user ignore_inotify + ignore_inotify.defaults. Skip blanks and
-	# '#' comments, dedupe, emit one entry per line for downstream ERE
-	# escaping. See issue #480 for the two-file defaults model.
-	local _user="$1" _defaults="$2" _f _line
+	# Union user ignore_inotify + ignore_inotify.defaults. Emit prefixed
+	# tuples ("u:<entry>" / "d:<entry>") for downstream semantic dispatch.
+	# Skip blanks and '#' comments; dedupe the combined prefixed stream.
+	# See issue #480 (two-file defaults) and #484 (source-tag semantics).
+	local _user="$1" _defaults="$2" _f _prefix _line
 	for _f in "$_user" "$_defaults"; do
 		[ -f "$_f" ] && [ -s "$_f" ] || continue
+		case "$_f" in
+			"$_user")     _prefix="u:" ;;
+			"$_defaults") _prefix="d:" ;;
+		esac
 		while IFS= read -r _line || [ -n "$_line" ]; do
 			case "$_line" in
 				''|\#*) continue ;;
 			esac
-			echo "$_line"
+			printf '%s%s\n' "$_prefix" "$_line"
 		done < "$_f"
 	done | awk '!seen[$0]++'
 }
@@ -337,11 +348,17 @@ _monitor_cycle_tick() {
 	fi
 	_last_log_size="$_cur_size"
 
-	# Tier 1: event filtering
+	# Tier 1: event filtering (extraction + dedup, then ERE ignore-path filter)
 	local _event_list
 	_event_list=$(mktemp "$tmpdir/.mon_events.XXXXXX")
-	tlog_read "$inotify_log" "inotify" "$tmpdir" "bytes" | \
-		_monitor_filter_events "$ignore_paths" > "$_event_list"
+	if [ -s "$ignore_paths" ]; then
+		tlog_read "$inotify_log" "inotify" "$tmpdir" "bytes" | \
+			_monitor_filter_events | \
+			grep -E -vf "$ignore_paths" > "$_event_list"
+	else
+		tlog_read "$inotify_log" "inotify" "$tmpdir" "bytes" | \
+			_monitor_filter_events > "$_event_list"
+	fi
 
 	local _event_count
 	_event_count=$($wc -l < "$_event_list" 2>/dev/null) || _event_count=0
@@ -618,15 +635,23 @@ monitor_init() {
 	_monitor_append_extra_paths "${monitor_paths_extra:-}" "$_inotify_fpaths"
 
 	# Build inotifywait --exclude regex — union ignore_inotify + defaults (issue #480)
+	# Per-entry semantic dispatch via _monitor_to_ere_entry (issue #484)
 	_inotify_exclude=()
 	local _igregexp=""
-	while IFS= read -r igfile; do
-		local _escaped
-		_escaped=$(_monitor_escape_ere "$igfile")
+	local _src _ent _prepared
+	while IFS= read -r _line; do
+		_src="${_line:0:1}"
+		_ent="${_line:2}"
+		case "$_src" in
+			u) _prepared=$(_monitor_to_ere_entry "$_ent" "user") ;;
+			d) _prepared=$(_monitor_to_ere_entry "$_ent" "defaults") ;;
+			*) continue ;;
+		esac
+		[ -z "$_prepared" ] && continue  # literal: empty skip, etc.
 		if [ -n "$_igregexp" ]; then
-			_igregexp="$_igregexp|$_escaped"
+			_igregexp="$_igregexp|$_prepared"
 		else
-			_igregexp="($_escaped"
+			_igregexp="($_prepared"
 		fi
 	done < <(_monitor_load_ignore_inotify_union "$ignore_inotify" "${ignore_inotify_defaults:-}")
 	if [ -n "$_igregexp" ]; then

tests/30-monitor-utils.bats

@@ -140,6 +140,110 @@ _source_lmd_stack() {
     [ "$output" = "" ]
 }
 
+# --- _monitor_to_ere_entry ---
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry user entry without prefix returns raw ERE" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry '^/tmp/.*scantem.*' 'user'
+    [ "$status" -eq 0 ]
+    [ "$output" = '^/tmp/.*scantem.*' ]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry strips literal: prefix and escapes" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry 'literal:/tmp/app.cache' 'user'
+    [ "$status" -eq 0 ]
+    [ "$output" = '/tmp/app\.cache' ]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry defaults always escape regardless of content" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry '/var/tmp/.mysql.sock' 'defaults'
+    [ "$status" -eq 0 ]
+    # Leading dots and the literal . in .sock both escaped.
+    [[ "$output" == *'\.mysql\.sock'* ]]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry user literal: with metachar-free path is idempotent after escape" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry 'literal:/var/tmp/plain' 'user'
+    [ "$status" -eq 0 ]
+    [ "$output" = '/var/tmp/plain' ]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry empty literal: after prefix skipped" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry 'literal:' 'user'
+    [ "$status" -eq 0 ]
+    [ -z "$output" ]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry uppercase LITERAL: not a special prefix (raw passthrough)" {
+    _source_lmd_stack
+    run _monitor_to_ere_entry 'LITERAL:/path' 'user'
+    [ "$status" -eq 0 ]
+    [ "$output" = 'LITERAL:/path' ]
+}
+
+# bats test_tags=monitor,unit
+@test "monitor: _monitor_to_ere_entry defaults ignores literal: prefix (auto-escape always)" {
+    _source_lmd_stack
+    # Defensive: if a defaults entry were to start with "literal:",
+    # defaults semantics still dominate (full escape, no prefix strip).
+    run _monitor_to_ere_entry 'literal:/x' 'defaults'
+    [ "$status" -eq 0 ]
+    [[ "$output" == *'literal:/x'* ]]  # prefix not stripped; entry fully escaped
+}
+
+# --- _monitor_load_ignore_inotify_union — source-prefix output ---
+
+# bats test_tags=monitor,unit
+@test "union: emits u: prefix for user entries" {
+    _source_lmd_stack
+    local tmpdir
+    tmpdir=$(mktemp -d)
+    printf '%s\n' '/user/one' > "$tmpdir/user"
+    printf '' > "$tmpdir/defaults"
+    run _monitor_load_ignore_inotify_union "$tmpdir/user" "$tmpdir/defaults"
+    [ "$status" -eq 0 ]
+    [ "$output" = 'u:/user/one' ]
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,unit
+@test "union: emits d: prefix for defaults entries" {
+    _source_lmd_stack
+    local tmpdir
+    tmpdir=$(mktemp -d)
+    printf '' > "$tmpdir/user"
+    printf '%s\n' 'sql-temptable-' > "$tmpdir/defaults"
+    run _monitor_load_ignore_inotify_union "$tmpdir/user" "$tmpdir/defaults"
+    [ "$status" -eq 0 ]
+    [ "$output" = 'd:sql-temptable-' ]
+    rm -rf "$tmpdir"
+}
+
+# bats test_tags=monitor,unit
+@test "union: preserves user and defaults as distinct tuples even when entry matches" {
+    _source_lmd_stack
+    local tmpdir
+    tmpdir=$(mktemp -d)
+    printf '%s\n' '/var/tmp/clamav-' > "$tmpdir/user"
+    printf '%s\n' '/var/tmp/clamav-' > "$tmpdir/defaults"
+    run _monitor_load_ignore_inotify_union "$tmpdir/user" "$tmpdir/defaults"
+    [ "$status" -eq 0 ]
+    # Both tuples survive — harmless redundancy in the OR-regex.
+    echo "$output" | grep -qxF 'u:/var/tmp/clamav-'
+    echo "$output" | grep -qxF 'd:/var/tmp/clamav-'
+    rm -rf "$tmpdir"
+}
+
 # --- _monitor_filter_events ---
 
 # bats test_tags=monitor,unit
@@ -149,7 +253,7 @@ _source_lmd_stack() {
     tmpdir=$(mktemp -d)
     echo "/home/user/public_html/shell.php CREATE 18 Mar 10:30:01" > "$tmpdir/events"
     printf '' > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    run _monitor_filter_events < "$tmpdir/events"
     [ "$status" -eq 0 ]
     [ "$output" = "/home/user/public_html/shell.php" ]
     rm -rf "$tmpdir"
@@ -166,15 +270,15 @@ _source_lmd_stack() {
 /home/user/file.php CREATE 18 Mar 10:30:03
 EVENTS
     printf '' > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    run _monitor_filter_events < "$tmpdir/events"
     [ "$status" -eq 0 ]
     [ "$(echo "$output" | wc -l)" -eq 1 ]
     [ "$output" = "/home/user/file.php" ]
     rm -rf "$tmpdir"
 }
 
 # bats test_tags=monitor,unit
-@test "monitor: _monitor_filter_events applies ignore_paths substring match" {
+@test "monitor: _monitor_filter_events + ignore_paths ERE filter pipe" {
     _source_lmd_stack
     local tmpdir
     tmpdir=$(mktemp -d)
@@ -183,8 +287,13 @@ EVENTS
 /home/user/.cache/bad.tmp CREATE 18 Mar 10:30:02
 /home/user/public_html/ok.js MODIFY 18 Mar 10:30:03
 EVENTS
-    echo "/home/user/.cache" > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    # New test exercises the two-stage pipe: extraction (no ignore arg)
+    # then ERE filter via grep -E -vf. Fixture uses escaped dot to assert
+    # ERE semantics of the new filter stage.
+    # export -f required so bash -c subshell can call the function.
+    printf '/home/user/\\.cache\n' > "$tmpdir/ignore"
+    export -f _monitor_filter_events
+    run bash -c '_monitor_filter_events < "$1" | grep -E -vf "$2"' _ "$tmpdir/events" "$tmpdir/ignore"
     [ "$status" -eq 0 ]
     [ "$(echo "$output" | wc -l)" -eq 2 ]
     echo "$output" | grep -q "good.php"
@@ -204,7 +313,7 @@ EVENTS
 /home/user/new.php CREATE 18 Mar 10:30:03
 EVENTS
     printf '' > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    run _monitor_filter_events < "$tmpdir/events"
     [ "$status" -eq 0 ]
     [ "$output" = "/home/user/new.php" ]
     rm -rf "$tmpdir"
@@ -217,7 +326,7 @@ EVENTS
     tmpdir=$(mktemp -d)
     echo "/home/user/uploaded.php MOVED_TO 18 Mar 10:30:01" > "$tmpdir/events"
     printf '' > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    run _monitor_filter_events < "$tmpdir/events"
     [ "$status" -eq 0 ]
     [ "$output" = "/home/user/uploaded.php" ]
     rm -rf "$tmpdir"
@@ -230,7 +339,7 @@ EVENTS
     tmpdir=$(mktemp -d)
     printf '' > "$tmpdir/events"
     printf '' > "$tmpdir/ignore"
-    run _monitor_filter_events "$tmpdir/ignore" < "$tmpdir/events"
+    run _monitor_filter_events < "$tmpdir/events"
     [ "$status" -eq 0 ]
     [ -z "$output" ]
     rm -rf "$tmpdir"