From 0a34039a5f9278150dddd0a0bff94b012aadaa66 Mon Sep 17 00:00:00 2001 From: Vellum Assistant Date: Mon, 23 Feb 2026 21:42:36 -0500 Subject: [PATCH] fix: use double-quoted Spotlight query for mdfind app names Process.arguments bypasses the shell, so the shell-style single-quote escaping ('\'') was passed raw to mdfind, breaking Spotlight query parsing. Switch to double-quoted query values with proper double-quote escaping instead. Co-Authored-By: Claude Opus 4.6 --- .../vellum-assistant/ComputerUse/ActionExecutor.swift | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/clients/macos/vellum-assistant/ComputerUse/ActionExecutor.swift b/clients/macos/vellum-assistant/ComputerUse/ActionExecutor.swift index 3d6659048c3..1de0ff28b31 100644 --- a/clients/macos/vellum-assistant/ComputerUse/ActionExecutor.swift +++ b/clients/macos/vellum-assistant/ComputerUse/ActionExecutor.swift @@ -381,10 +381,13 @@ final class ActionExecutor: ActionExecuting { private func mdfindApp(name: String, timeout: UInt64 = 2_000_000_000) async -> URL? { let process = Process() process.executableURL = URL(fileURLWithPath: "/usr/bin/mdfind") - // Escape single quotes in the app name to prevent breaking the mdfind query - let sanitizedName = name.replacingOccurrences(of: "'", with: "'\\''") + // Use double quotes for the display-name value so we only need to escape + // double quotes. Process.arguments bypasses the shell, so shell-style + // single-quote escaping (e.g. '\'') would be passed raw to mdfind and + // break Spotlight query parsing. + let sanitizedName = name.replacingOccurrences(of: "\"", with: "\\\"") process.arguments = [ - "kMDItemKind == 'Application' && kMDItemDisplayName == '\(sanitizedName)'" + "kMDItemKind == 'Application' && kMDItemDisplayName == \"\(sanitizedName)\"" ] let stdout = Pipe()