fix(interpreter): bound arithmetic variable expansion

[chaliy]

Motivation

• Prevent exponential/stack DoS from recursive arithmetic variable expansion and array-index evaluation by bounding expansion work and detecting cycles.

Description

• Add ArithmeticExpansionState to track active variable names and a shared fuel budget for a single arithmetic evaluation session.
• Introduce MAX_ARITHMETIC_EXPANSION_FUEL and MAX_ARITHMETIC_EXPANSION_BYTES and short-circuit expansion when fuel or generated bytes are exhausted.
• Thread the shared expansion state through arithmetic evaluation paths (evaluate_arithmetic_depth_state, expand_arithmetic_vars_depth_state, resolve_arith_var, expand_brace_expr_in_arithmetic) so nested arr[index] and brace/index evaluations share depth/fuel.
• Detect variable cycles via enter_var/exit_var and return 0 for recursive cycles; add resolve_arith_named_var helper to do this safely.
• Add regression tests covering a='a+a'; echo $((a)) and arr[0]=1; i='arr[i]'; echo $((arr[i])) and update the TM-DOS-026 threat-model notes.

Testing

• Ran cargo fmt --check which passed.
• Ran unit tests covering the new regressions via cargo test -p bashkit for the added tests which passed.
• Ran cargo clippy -p bashkit --all-targets -- -D warnings which completed without warnings.

---

Codex Task

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	61719fd	Commit Preview URL	Jun 02 2026, 09:29 AM