@aitne/daemon 0.1.3 → 0.1.4

package/dist/core/backends/claude-tool-collection.js

@@ -0,0 +1,831 @@
+/**
+ * Claude tool surface — pure helpers split out of `claude-code-core.ts` as
+ * part of the file-split plan (Tier 2, §8). Owns five responsibilities:
+ *
+ *  - `getAllowedTools` — assemble the SDK `allowedTools` list from the
+ *    configured default + the runtime override + any delegated- and native-
+ *    integration tools the registry exposes.
+ *  - `getDelegatedClaudeTools` — read the current `integrations` registry
+ *    state and project it through `computeDelegatedClaudeTools`. Returns
+ *    `[]` when the MCP context is not yet wired or on DB read failure.
+ *  - `getNativeClaudeTools` — same shape as `getDelegatedClaudeTools` but
+ *    projects through `computeNativeClaudeTools` (native-mode parallel).
+ *  - `getSessionDeniedTools` — DELEGATED-MODE-V2-DESIGN.md §4.3.3 — expand
+ *    per-integration `deniedTools` into namespaced tool names that the SDK
+ *    rejects via `disallowedTools` regardless of the allow list.
+ *  - `buildSecurityHooks` — build the PreToolUse hook record that enforces
+ *    curl localhost-only, jq env/file-flag denials, context-dir chokepoint,
+ *    vault write attribution, and the absolute-block audit layer.
+ *
+ * Pattern A (file-split-plan §5): each function reads its dependencies via
+ * an explicit argument record rather than `this.<field>`. The pure shape
+ * means these can be unit tested without instantiating `ClaudeCodeCore`,
+ * and lets tests inspect the hook closures directly. Thin shims on
+ * `ClaudeCodeCore` (`private getAllowedTools(...) { return ... }`) remain
+ * for the transitional period (file-split-plan §15).
+ */
+import { collectSessionDeniedTools } from "@aitne/shared";
+import { realpathSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, resolve as resolvePath, isAbsolute } from "node:path";
+import { getContextDir } from "../../config.js";
+import { readIntegrations } from "../../db/integrations-store.js";
+import { recordAbsoluteBlockAudit } from "../../safety/absolute-block-audit.js";
+import { classifyAbsoluteBlock } from "../../safety/always-disallowed.js";
+import { createLogger } from "../../logging.js";
+import { computeDelegatedClaudeTools, computeNativeClaudeTools } from "./claude-probe.js";
+import { isPathInsideOrEqual, shellPathForms } from "../path-compat.js";
+/**
+ * Resolve a path through symlinks, even when the leaf does not yet exist.
+ *
+ * `fs.realpathSync` throws ENOENT on a non-existent leaf, which is the
+ * common case for a Write hook (the target file is the *next* write).
+ * Walk upwards until an existing ancestor is found, realpath that, then
+ * rejoin the missing suffix. Used by both `fileWriteHook` and
+ * `bashContextWriteHook` to defeat symlink-based bypasses that point
+ * back into the context dir.
+ */
+function realpathLenient(absPath) {
+    const segments = [];
+    let current = absPath;
+    // Hard ceiling on iterations so a pathological path never spins forever.
+    for (let i = 0; i < 64; i++) {
+        try {
+            const real = realpathSync(current);
+            return segments.length === 0
+                ? real
+                : resolvePath(real, ...segments.reverse());
+        }
+        catch {
+            const parent = dirname(current);
+            if (parent === current)
+                return absPath;
+            segments.push(current.slice(parent.length).replace(/^[/\\]+/, ""));
+            current = parent;
+        }
+    }
+    return absPath;
+}
+/**
+ * Best-effort shell tokenizer for path-token scanning. Splits on
+ * whitespace while honouring single, double, and back-tick quotes; ignores
+ * shell operators (`|`, `;`, `&`, `<`, `>`, parentheses). Returns tokens
+ * with their quote wrappers stripped.
+ *
+ * Not a full shell parser — it cannot resolve variable expansions,
+ * subshells, or function definitions. Exists to surface *literal* path
+ * arguments so that an obvious form like
+ * `echo > /Users/shuto/.personal-agent/context/today.md` is caught. The
+ * absolute-block layer is the authoritative defence for the things this
+ * heuristic misses.
+ */
+function tokenizeShellCommand(cmd) {
+    const tokens = [];
+    const re = /"([^"]*)"|'([^']*)'|`([^`]*)`|\$\(([^)]*)\)|([^\s|;&<>()]+)/g;
+    let match;
+    while ((match = re.exec(cmd)) !== null) {
+        const tok = match[1] ?? match[2] ?? match[3] ?? match[4] ?? match[5] ?? "";
+        if (tok.length > 0)
+            tokens.push(tok);
+    }
+    return tokens;
+}
+/**
+ * Expand the leading `~`, `$HOME`, and `${HOME}` segments of a token
+ * to the supplied home directory. No other shell expansion is performed.
+ */
+function expandHomeForms(token, home) {
+    if (token === "~")
+        return home;
+    if (token.startsWith("~/"))
+        return home + token.slice(1);
+    if (token.startsWith("$HOME/"))
+        return home + token.slice(5);
+    if (token.startsWith("${HOME}/"))
+        return home + token.slice(7);
+    if (token === "$HOME" || token === "${HOME}")
+        return home;
+    return token;
+}
+const logger = createLogger("claude-tool-collection");
+/** Default allowed-tools list when the dashboard override is unset. */
+export const CLAUDE_DEFAULT_ALLOWED_TOOLS = [
+    "Read",
+    "Glob",
+    "Grep",
+    "Write",
+    "Edit",
+    "Skill", // user skills (external-services, obsidian-*, observations, ...)
+    "Bash(curl *)", // curl broadly allowed; hooks restrict to localhost
+    "Bash(git *)", // Git operations
+    "Bash(jq *)", // safe JSON post-processor for curl pipelines
+];
+/**
+ * Allowed tools whitelist for dontAsk permission mode.
+ *
+ * `delegatedTools` and `nativeTools` are UNION'd onto the returned list —
+ * even when `allowedToolsOverride` is set. This is a deliberate deviation
+ * from the override's otherwise-absolute "replace everything" contract (see
+ * `CRITICAL_OVERRIDE_TOOLS` in `claude-code-core.ts`, which warns but does
+ * not union). Rationale: delegated / native modes are runtime-configurable
+ * axes orthogonal to the dashboard's tool-customization override. If a user
+ * set the override before flipping an integration, silently dropping the
+ * registry-declared connector tools would break mail/calendar with a
+ * misleading "permission denied" DM. Union semantics keep the override's
+ * curation intent while letting either mode widen the surface to whatever
+ * the registry already advertised.
+ *
+ * Native and delegated lists are accepted separately (rather than a single
+ * `extraMcpTools` parameter) so callers — and tests — surface the
+ * provenance of every widening: an audit log entry with
+ * `delegatedToolCount` and `nativeToolCount` makes a misconfigured flip
+ * diagnosable without re-running the resolver.
+ */
+export function getAllowedTools(config, webSearchEnabled, delegatedTools = [], nativeTools = []) {
+    const base = config.allowedToolsOverride ?? [...CLAUDE_DEFAULT_ALLOWED_TOOLS];
+    const merged = new Set(base);
+    if (!config.allowedToolsOverride && webSearchEnabled) {
+        merged.add("WebSearch");
+    }
+    for (const tool of delegatedTools)
+        merged.add(tool);
+    for (const tool of nativeTools)
+        merged.add(tool);
+    return Array.from(merged);
+}
+/**
+ * Read the integrations record from the wired MCP context and project it
+ * through the `computeDelegatedClaudeTools` allowlist computation. Returns
+ * `[]` when the context is not yet wired (tests / startup ordering) or on
+ * DB read failure — the latter is logged as a warning so a corrupt
+ * integrations table is visible without halting the session.
+ */
+export function getDelegatedClaudeTools(mcpContext) {
+    if (!mcpContext)
+        return [];
+    try {
+        const integrations = readIntegrations(mcpContext.db);
+        return computeDelegatedClaudeTools(integrations);
+    }
+    catch (err) {
+        logger.warn({ err }, "Failed to read integrations for delegated-tool allowlist — proceeding without delegated tools");
+        return [];
+    }
+}
+/**
+ * Sibling of `getDelegatedClaudeTools` — projects integrations record
+ * through `computeNativeClaudeTools`. Returns `[]` when the context is
+ * not yet wired or on DB read failure, matching the conservative pattern
+ * used by the delegated counterpart.
+ *
+ * Required because the SDK's `dontAsk` permission mode silently denies
+ * tools not in `allowedTools`. Native-mode skill bodies instruct the
+ * agent to call connector MCP tools directly (e.g.
+ * `mcp__claude_ai_Gmail__search_threads`), so the registry-declared tool
+ * names for every `mode === "native" && nativeBackend === "claude"` row
+ * must be pre-authorized.
+ */
+export function getNativeClaudeTools(mcpContext) {
+    if (!mcpContext)
+        return [];
+    try {
+        const integrations = readIntegrations(mcpContext.db);
+        return computeNativeClaudeTools(integrations);
+    }
+    catch (err) {
+        logger.warn({ err }, "Failed to read integrations for native-tool allowlist — proceeding without native tools");
+        return [];
+    }
+}
+/**
+ * DELEGATED-MODE-V2-DESIGN.md §4.3.3 — same-backend deny enforcement at
+ * the SDK boundary. For every integration whose `delegatedBackend === "claude"`,
+ * expand `state.deniedTools` against the connector's known tools and emit
+ * the namespaced names (`mcp__claude_ai_<X>__<tool>`). The SDK refuses any
+ * tool listed in `disallowedTools` regardless of `allowedTools` — hard
+ * enforcement.
+ *
+ * Returns `[]` when context isn't wired (tests / pre-startup) and on read
+ * failures, matching the conservative pattern used by
+ * `getDelegatedClaudeTools`.
+ */
+export function getSessionDeniedTools(mcpContext) {
+    if (!mcpContext)
+        return [];
+    try {
+        const integrations = readIntegrations(mcpContext.db);
+        const map = collectSessionDeniedTools(integrations, "claude");
+        const out = [];
+        for (const names of map.values()) {
+            for (const n of names)
+                out.push(n);
+        }
+        return out;
+    }
+    catch (err) {
+        logger.warn({ err }, "Failed to read integrations for same-backend denied-tools — proceeding without per-integration deny");
+        return [];
+    }
+}
+/**
+ * Security hooks:
+ *   1. Bash(curl *) — restrict to localhost Daemon API, block connection-override flags. (strict only)
+ *   2. Bash(jq *)  — block file-access flags and the `env` filter (process env exfiltration). (strict only)
+ *   3. Write/Edit  — block writes into the session helper dir and context dir, mark vault writes.
+ *
+ * In allow mode the curl and jq hooks are dropped, but the Write/Edit hook
+ * stays: the context-dir chokepoint exists for memory integrity (today-write
+ * lock, md_file_snapshots, CONTEXT_WRITE_PERMISSIONS), not permissions.
+ */
+export function buildSecurityHooks(deps, allowMode = false) {
+    const { config, writeTracker, getMcpContext } = deps;
+    const bashCurlHook = async (input) => {
+        const toolInput = input.tool_input;
+        const cmd = toolInput?.command ?? "";
+        if (/\bcurl\b/.test(cmd)) {
+            // ── Multi-request defenses (run BEFORE host/port loop) ─────────
+            // The SDK `allowedTools` glob is a prefix match against the full
+            // command, so a permitted `Bash(curl http://localhost:<port>/api/x/*)`
+            // entry still matches a chained `curl http://localhost/api/x/y ;
+            // curl http://localhost/api/notify -d @evil`. The URL host/port
+            // loop below validates every URL but does NOT count invocations
+            // or request transactions, so a second HTTP request slips through.
+            // The three rules below cap a curl-bearing command to a single
+            // HTTP request.
+            //
+            // 1. Chained curl invocations — mirrors the `cmdStart` anchor
+            //    pattern in `safety/always-disallowed.ts`. Count `curl`
+            //    tokens at start-of-string / after `;` / `&&` / `||` / `|` /
+            //    newline / backtick / `$(`. A single `jq -n '…' | curl URL`
+            //    pipeline counts as ONE curl (only the `curl` token itself
+            //    is matched; the leading `jq` is not). Two or more anchored
+            //    `curl` tokens → chained invocation → block.
+            const chainedCurlMatches = cmd.match(/(?:^|[;&|`\n]|\$\()\s*curl\b/g) ?? [];
+            if (chainedCurlMatches.length > 1) {
+                return {
+                    decision: "block",
+                    reason: `Chained curl invocations are not allowed `
+                        + `(detected ${chainedCurlMatches.length} curl commands; `
+                        + `one curl per Bash invocation).`,
+                };
+            }
+            // 2. `--next` / `-:` URL multiplexing — curl's `--next` (short
+            //    form `-:`) starts a new transaction with reset option state
+            //    inside the same invocation. The URL loop below still passes
+            //    because both URLs hit the same host:port, but curl issues
+            //    one HTTP request per `--next` separator. Same exfil shape
+            //    as chained curl, different syntax.
+            if (/(?:^|\s)--next(?:[\s=]|$)/.test(cmd)
+                || /(?:^|\s)-:(?:\s|$)/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --next / -: (URL multiplexing) is not allowed "
+                        + "— one HTTP request per Bash invocation.",
+                };
+            }
+            // 3. Multi-positional URL targets — `curl URL1 URL2 -X PUT -d
+            //    @body` sends the same options to BOTH URLs sequentially,
+            //    which `--next` blocking above does not catch. Tokenize at
+            //    the top level (outside paired single / double quotes) and
+            //    collect tokens whose payload starts with `http://` or
+            //    `https://`. URLs embedded inside `-d '…'` / `-H "…"`
+            //    strings are NOT counted because their token starts with
+            //    the quote, not with `http`.
+            //
+            //    This also becomes the *only* set of URLs the host/port
+            //    check below runs against — URLs that legitimately appear
+            //    inside JSON / markdown bodies (e.g. an architecture-section
+            //    description referencing `https://github.com/foo/bar`) are
+            //    NOT host-checked. The previous broad regex
+            //    `cmd.match(/https?:\/\/[^\s'"]+/g)` would reject such
+            //    requests because the body URL was non-localhost. Heuristic
+            //    limitation: URL strings unquoted as data values are a rare
+            //    false-positive surface and would be host-checked; the
+            //    alternative is full shell tokenization (out of scope).
+            const topLevelTokenRe = /'[^']*'|"[^"]*"|[^'"\s]+/g;
+            const topLevelUrls = [];
+            let tokenMatch;
+            while ((tokenMatch = topLevelTokenRe.exec(cmd)) !== null) {
+                if (/^https?:\/\//.test(tokenMatch[0])) {
+                    topLevelUrls.push(tokenMatch[0]);
+                }
+            }
+            if (topLevelUrls.length > 1) {
+                return {
+                    decision: "block",
+                    reason: `Multiple URL targets in a single curl invocation are not allowed `
+                        + `(detected ${topLevelUrls.length} top-level URL tokens; quote `
+                        + `body URLs inside -d/-H string args).`,
+                };
+            }
+            if (topLevelUrls.length === 0) {
+                return {
+                    decision: "block",
+                    reason: "curl command must contain an explicit localhost URL",
+                };
+            }
+            for (const url of topLevelUrls) {
+                try {
+                    const parsed = new URL(url);
+                    if (parsed.hostname !== "localhost" && parsed.hostname !== "127.0.0.1") {
+                        return {
+                            decision: "block",
+                            reason: `curl target not allowed: ${url} (host: ${parsed.hostname})`,
+                        };
+                    }
+                    const effectivePort = parsed.port || (parsed.protocol === "https:" ? "443" : "80");
+                    if (effectivePort !== String(config.apiPort)) {
+                        return {
+                            decision: "block",
+                            reason: `curl target port not allowed: ${effectivePort}`,
+                        };
+                    }
+                }
+                catch {
+                    return {
+                        decision: "block",
+                        reason: `curl target URL is malformed: ${url}`,
+                    };
+                }
+            }
+            // Connection-override flags — host/proxy/socket redirection that
+            // would let curl reach something other than the configured loopback
+            // HTTP endpoint.
+            if (/--connect-to|--resolve|--config\b|(?:^|\s)-[a-zA-Z]*K|--proxy\b|(?:^|\s)-[a-zA-Z]*x|--socks|--unix-socket|--abstract-unix-socket|--interface\b|--local-port\b/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl connection override flags not allowed " +
+                        "(--connect-to, --resolve, --config, --proxy, " +
+                        "--unix-socket, --abstract-unix-socket, " +
+                        "--interface, --local-port)",
+                };
+            }
+            // File-read exfil flags. curl can read arbitrary files into the
+            // request body via `@<path>` in -d / --data / --form, or via the
+            // upload-file flag. The daemon API is loopback so the request
+            // body would land in `agent_actions` / notification surfaces that
+            // the agent reads back — a confused-deputy exfil.
+            //
+            //   --upload-file / -T          — PUT a local file as the body
+            //   -d @path  /  --data @path   — body literal from file
+            //   --data-binary @path         — same, raw bytes
+            //   --data-raw @path            — same, no escape
+            //   --data-urlencode @path      — same, urlencoded
+            //   --data-ascii @path          — same, ascii
+            //   -F name=@path / --form …=@  — multipart file part
+            //   -F name=<path / --form …=<  — multipart text from file
+            // Short-flag combined forms (`curl -fsT /etc/passwd`) must be
+            // caught alongside the single-flag form (`curl -T /etc/passwd`).
+            // The leading `-[a-zA-Z]*` permits zero-or-more other short flags
+            // before the dangerous letter, mirroring the pattern proven for
+            // `-L`. Same shape applied to every short-flag below — without it
+            // an attacker can stuff the dangerous letter into a benign-looking
+            // flag bundle like `-fs<X>` and bypass the deny rule entirely.
+            if (/(?:^|\s)(?:--upload-file\b|-[a-zA-Z]*T(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --upload-file / -T not allowed — would read arbitrary files",
+                };
+            }
+            // `@-` is curl's stdin marker (canonical: `-d @-` reads the body
+            // from stdin, used by pipelines like `echo $body | curl ... -d @-`).
+            // Block `@<anything-other-than-stdin-marker>`. The lookahead
+            // `(?!-["']?(?:\s|$))` lets `@-`, `@-"`, `@-'`, `@- ` through.
+            if (/(?:^|\s)(?:--data(?:-binary|-raw|-urlencode|-ascii)?|--data|-d)\s+["']?@(?!-["']?(?:\s|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl -d/--data with `@file` syntax not allowed — reads local files",
+                };
+            }
+            // Same for the `=` separator form: `-d=@/path`, `--data-binary=@/path`.
+            if (/(?:^|\s)(?:--data(?:-binary|-raw|-urlencode|-ascii)?|--data|-d)=["']?@(?!-["']?(?:\s|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl -d=/--data= with `@file` syntax not allowed — reads local files",
+                };
+            }
+            if (/(?:^|\s)(?:-F|--form)\s+\S*=[@<]/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl -F/--form with `=@file` or `=<file` syntax not allowed — reads local files",
+                };
+            }
+            // File-write flags. The agent can land bytes anywhere on disk —
+            // overwriting shims, ssh keys, shell rc files, etc. Daemon API is
+            // the sole sanctioned write path; Bash curl writes are denied.
+            //
+            //   -o / --output FILE          — write response to FILE
+            //   -O / --remote-name          — write to basename-of-URL
+            //   --remote-name-all           — same, for every URL
+            //   -D / --dump-header FILE     — write response headers
+            //   -c / --cookie-jar FILE      — write Set-Cookie state
+            //   --trace / --trace-ascii F   — write protocol trace
+            //   -w / --write-out FORMAT     — format-string output
+            //                                  (`%{stderr}` writes to stderr;
+            //                                  combined with shell redirect
+            //                                  it's another write channel)
+            // `-o <file>` / `--output <file>` — used to download binary
+            // payloads from the daemon API (e.g. `curl -o receipt.pdf
+            // /api/receipts/1/download`). Permit only simple relative
+            // filenames so absolute (`-o /etc/passwd`) and parent-escape
+            // (`-o ../../foo`) forms are still blocked. Tilde / env-var
+            // prefixes are likewise refused because they bypass cwd
+            // containment. Quoted paths with spaces (`-o "my file"`) are
+            // ALSO rejected so a denylist regex that stops at the space
+            // inside the quotes cannot be smuggled past.
+            const hasOutputFlag = /(?:^|\s)(?:--output(?:\b|=)|-[a-zA-Z]*o(?:\s|=|$))/.test(cmd);
+            if (hasOutputFlag) {
+                // Three capture-group alternatives so quoted paths with spaces
+                // are caught — `[^\s'"]+` alone fails on `"my file"`.
+                const valueMatch = cmd.match(/(?:^|\s)(?:--output(?:\s+|=)|-o(?:\s+|=))(?:"([^"]*)"|'([^']*)'|([^\s'"]+))/);
+                const target = valueMatch?.[1] ?? valueMatch?.[2] ?? valueMatch?.[3] ?? "";
+                const isSafeRelative = target.length > 0 &&
+                    !target.startsWith("/") &&
+                    !target.startsWith("~") &&
+                    !target.startsWith("$") &&
+                    !target.split("/").includes("..") &&
+                    !target.split("\\").includes("..");
+                if (!isSafeRelative) {
+                    return {
+                        decision: "block",
+                        reason: `curl --output/-o target must be a simple relative path; ` +
+                            `got: ${target || "<unparseable>"} ` +
+                            `(no absolute paths, parent-dir escapes, or shell expansions).`,
+                    };
+                }
+            }
+            if (/(?:^|\s)(?:--remote-name(?:-all)?\b|-[a-zA-Z]*O(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --remote-name/-O not allowed — would write to URL-derived path",
+                };
+            }
+            if (/(?:^|\s)(?:--dump-header\b|-[a-zA-Z]*D(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --dump-header/-D not allowed — writes response headers to disk",
+                };
+            }
+            if (/(?:^|\s)(?:--cookie-jar\b|-[a-zA-Z]*c(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --cookie-jar/-c not allowed — writes cookie state to disk",
+                };
+            }
+            // `--cookie` / `-b` reads cookies from a file when the value
+            // is a filename (curl's documented semantics: `-b "FILE"` if
+            // the value has no `=`). Same exfil shape as `-d @file` — the
+            // file content is sent in the request header. Allowing
+            // `-b name=value` would require parsing the value; the simpler
+            // safe stance is to refuse the flag outright since the daemon
+            // API uses bearer tokens, not cookies.
+            if (/(?:^|\s)(?:--cookie\b|-[a-zA-Z]*b(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --cookie/-b not allowed — when the value is a path, " +
+                        "the file contents are sent as the Cookie header (file read).",
+                };
+            }
+            if (/(?:^|\s)--trace(?:-ascii)?\b/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --trace / --trace-ascii not allowed — writes protocol trace to disk",
+                };
+            }
+            if (/(?:^|\s)(?:--write-out\b|-[a-zA-Z]*w(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --write-out/-w not allowed — format strings include file/stderr sinks",
+                };
+            }
+            // Cert / key file references. The daemon API is plain HTTP on
+            // loopback; none of these flags are needed for legitimate
+            // operation and they all read arbitrary files from disk.
+            if (/(?:^|\s)(?:--cert\b|--key\b|--cacert\b|--capath\b|-[a-zA-Z]*E(?:\s|=|$))/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl --cert/--key/--cacert/--capath/-E not allowed — read arbitrary files",
+                };
+            }
+            // Follow-redirect flags. The localhost URL check above is
+            // bypass-able if curl follows a 3xx off-localhost. The daemon
+            // never emits redirects so this flag has no legitimate use.
+            //
+            // Combined-short-flag forms (`-fsSL`, `-vL`) are caught by the
+            // `[a-zA-Z]*L` alternation; the literal `--location` and
+            // `--location-trusted` long forms are matched explicitly.
+            if (/(?:^|\s)(?:-[a-zA-Z]*L(?:\s|=|$)|--location(?:-trusted)?\b)/.test(cmd)) {
+                return {
+                    decision: "block",
+                    reason: "curl -L / --location not allowed — would follow redirects off localhost",
+                };
+            }
+        }
+        return { continue: true };
+    };
+    const bashJqHook = async (input) => {
+        const toolInput = input.tool_input;
+        const cmd = toolInput?.command ?? "";
+        if (!/\bjq\b/.test(cmd))
+            return { continue: true };
+        // Narrow to THIS jq invocation's own args (up to the next pipe / chain op)
+        // so that later pipeline stages are not inspected by the jq rules.
+        //
+        // Known approximation: `[^|;&]*` does not respect shell quoting, so a
+        // jq filter with a `|` INSIDE a quoted expression (e.g. `jq 'env | keys'`)
+        // will truncate `jqPart` at the first `|` regardless of whether that `|`
+        // is a jq pipe inside quotes or an actual shell pipeline break. This is
+        // intentionally conservative on the safe side: the env-filter check
+        // below still fires on the truncated left half (`jq 'env `), so attack
+        // payloads are still blocked. The downside is slightly reduced precision
+        // on benign expressions containing the jq `|` operator — those get
+        // scanned only up to the first pipe, not their full extent.
+        const jqMatch = cmd.match(/\bjq\b([^|;&]*)/);
+        if (!jqMatch)
+            return { continue: true };
+        const jqPart = jqMatch[0];
+        // (a) Block file-access flags — --slurpfile / --rawfile read arbitrary
+        // files, which would bypass the Read deny list (~/.ssh/**, .env, etc.).
+        if (/(?:^|\s)--slurpfile\b/.test(jqPart) || /(?:^|\s)--rawfile\b/.test(jqPart)) {
+            return {
+                decision: "block",
+                reason: "jq --slurpfile and --rawfile are not allowed " +
+                    "(would bypass Read(.env) / Read(~/.ssh/**) disallow rules).",
+            };
+        }
+        // (b) Block module loading — -L <dir> + import can load filter code from
+        // the filesystem, effectively RCE inside the jq process.
+        if (/(?:^|\s)-L(?:\s|=|$)/.test(jqPart)) {
+            return {
+                decision: "block",
+                reason: "jq -L (module load path) is not allowed.",
+            };
+        }
+        // (c) Block the `env` filter. `jq env`, `jq -n env`, `jq 'env.FOO'`,
+        // `jq '. , env'` all dump the daemon's process.env to stdout. Process.env
+        // on this daemon is expected to be clean (secrets live in the keychain),
+        // but defense-in-depth: if OPENAI_API_KEY or similar is ever exported at
+        // launch, the env filter is the shortest exfil path.
+        //
+        // Heuristic: match bare `env` NOT preceded by a field-access dot or word
+        // char, and NOT followed by a word char. This matches jq's env filter
+        // (`env`, `env.HOME`, `(env)`, `env|keys`) while leaving field access
+        // like `.env`, `.env_var`, `.data.environments` untouched.
+        if (/(?:^|[^\w.])env(?!\w)/.test(jqPart)) {
+            return {
+                decision: "block",
+                reason: "jq env filter is not allowed — it dumps the daemon process " +
+                    "environment, which is a known exfiltration vector for any " +
+                    "secrets loaded via .env at startup.",
+            };
+        }
+        return { continue: true };
+    };
+    /**
+     * Block any Bash command that references the context-directory path.
+     *
+     * Rationale: the daemon API is the ONLY sanctioned write channel for
+     * context files — it enforces today-write-lock, md_file_snapshots,
+     * CONTEXT_WRITE_PERMISSIONS, and onPromptContextChanged. In strict mode,
+     * the allowlist (Bash narrowed to curl/git/jq) + fileWriteHook keeps
+     * this chokepoint intact. In allow mode Bash is unrestricted, so an
+     * agent could bypass via `echo > today.md`, `tee`, `python -c 'open…'`,
+     * `git log … > context/…`, etc. The defence here is layered:
+     *
+     *   1. Original substring match against `shellPathForms`. Cheap and
+     *      catches the obvious literal form an honest model would emit.
+     *   2. Best-effort shell tokenizer + `~`/`$HOME` expansion + symlink
+     *      realpath. Catches `cd ~/.personal-agent && echo > ./context/X`
+     *      (the `./context/X` token, once joined to the cwd or after a
+     *      separate `cd` token is detected, lands in the context dir),
+     *      `ln -s ~/.personal-agent/context /tmp/x` followed by writes
+     *      to `/tmp/x/today.md`, and `~/.personal-agent/./context/X`.
+     *   3. Hard block on interpreter escape hatches (`python -c`, `node
+     *      -e`, `bash -c`, etc.). Static analysis cannot see what these
+     *      will do; in allow-mode Bash they are the most direct route
+     *      around the chokepoint.
+     *
+     * Defence-in-depth, not authoritative: a prompt-injection-driven
+     * variable-construction attack (`P=context; D=today; cd ~/.personal-agent;
+     * echo > "$P/$D.md"`) can still slip past static analysis. The static
+     * absolute-block layer covers the highest-risk patterns; if a new
+     * shape of bypass is observed in audit, codify it here.
+     */
+    const bashContextWriteHook = async (input) => {
+        const hookInput = input;
+        const toolInput = hookInput.tool_input;
+        const cmd = toolInput?.command ?? "";
+        if (typeof cmd !== "string" || cmd.length === 0)
+            return { continue: true };
+        const absContextDir = resolvePath(getContextDir(config));
+        const home = homedir();
+        const realContextDir = realpathLenient(absContextDir);
+        // The data dir is the context dir's parent. `cd ~/.personal-agent`
+        // followed by `echo > context/today.md` lands in context via a
+        // post-cd relative path that Layer 2 cannot resolve (the hook only
+        // sees the *initial* cwd). Treating any reference to the data dir
+        // as out-of-bounds preempts that bypass — the agent has no
+        // legitimate reason to touch the data dir directly when the daemon
+        // API is the sanctioned write channel.
+        const absDataDir = resolvePath(config.dataDir);
+        const realDataDir = realpathLenient(absDataDir);
+        // ── Layer 1: substring match against well-known path forms ──
+        const pathForms = shellPathForms(absContextDir, home);
+        for (const form of pathForms) {
+            if (cmd.includes(form)) {
+                return blockContextWrite(absContextDir, `substring match: ${form}`);
+            }
+        }
+        // ── Layer 2: tokenized realpath check ──
+        //
+        // Resolve every path-looking token to its absolute form (relative
+        // to the hook-provided cwd) and to its realpath. If either lands
+        // inside the context dir OR the data dir, block.
+        const cwd = hookInput.cwd ?? "/";
+        const tokens = tokenizeShellCommand(cmd);
+        for (const rawTok of tokens) {
+            const tok = expandHomeForms(rawTok, home);
+            if (!tok.includes("/") && !tok.includes("\\"))
+                continue;
+            // Skip URL-shaped tokens; they are not filesystem paths.
+            if (/^[a-z][a-z0-9+.-]*:\/\//i.test(tok))
+                continue;
+            const candidate = isAbsolute(tok) ? tok : resolvePath(cwd, tok);
+            const real = realpathLenient(candidate);
+            const landsInsideContext = isPathInsideOrEqual(absContextDir, candidate) ||
+                isPathInsideOrEqual(realContextDir, real);
+            const landsInsideData = isPathInsideOrEqual(absDataDir, candidate) ||
+                isPathInsideOrEqual(realDataDir, real);
+            if (landsInsideContext || landsInsideData) {
+                return blockContextWrite(absContextDir, landsInsideContext
+                    ? `path token resolves into context dir: ${rawTok} → ${real}`
+                    : `path token resolves into the data dir (${absDataDir}); ` +
+                        `the agent should never reference the data dir directly: ${rawTok} → ${real}`);
+            }
+        }
+        // ── Layer 3: interpreter escape hatches ──
+        //
+        // `bash -c "..."`, `python -c "..."`, etc. tunnel arbitrary code
+        // through an opaque argument that static analysis cannot see into.
+        // Even in allow-mode Bash the agent should never need these — the
+        // SDK Write/Edit tools and the daemon API cover legitimate
+        // file-touching use cases. Blocking the patterns themselves is the
+        // only way to keep this hook's guarantees meaningful.
+        if (/(?:^|[\s|;&])(?:bash|sh|zsh|ksh|dash|busybox)\s+-c\b/.test(cmd) ||
+            /(?:^|[\s|;&])(?:python3?|node|ruby|perl|php|deno|bun)\s+-[ce]\b/.test(cmd)) {
+            return {
+                decision: "block",
+                reason: `Bash commands that invoke an interpreter with -c / -e are not ` +
+                    `allowed. Their argument is opaque to static analysis, which ` +
+                    `defeats the context-write chokepoint. Use the Write/Edit tools ` +
+                    `or the daemon API at http://localhost:${config.apiPort}/api/context/.`,
+            };
+        }
+        return { continue: true };
+    };
+    function blockContextWrite(absContextDir, reasonDetail) {
+        return {
+            decision: "block",
+            reason: `Bash commands that reference the context directory (${absContextDir}) are ` +
+                `not allowed. Use the daemon API: ` +
+                `GET/PUT/PATCH http://localhost:${config.apiPort}/api/context/<path>. ` +
+                `The API enforces today-write-lock, md_file_snapshots, CONTEXT_WRITE_PERMISSIONS, ` +
+                `and onPromptContextChanged — bypassing it via shell redirects or script ` +
+                `engines leaves the memory layer inconsistent. ${reasonDetail}.`,
+        };
+    }
+    const fileWriteHook = async (input) => {
+        const hookInput = input;
+        const toolInput = hookInput.tool_input;
+        const rawFilePath = toolInput?.file_path;
+        if (typeof rawFilePath !== "string" || rawFilePath.length === 0) {
+            return { continue: true };
+        }
+        const filePath = rawFilePath;
+        const cwd = hookInput.cwd;
+        if (!cwd && !isAbsolute(filePath))
+            return { continue: true };
+        const absFile = resolvePath(cwd ?? "/", filePath);
+        // Resolve symlinks. A lexical containment check accepts a symlink
+        // whose target lives inside a forbidden dir, because the link
+        // itself sits outside. The kernel write follows the link, so the
+        // forbidden bytes land anyway. Realpath both sides of every
+        // comparison closes that bypass.
+        const realFile = realpathLenient(absFile);
+        // (a) Block writes into the session-local helper dir. The `curl` shim in
+        // `.pa/bin/` carries daemon-auth env at execution time; letting the model
+        // rewrite it would turn the helper into a secret exfiltration vector.
+        const absHelperDir = resolvePath(cwd ?? "/", ".pa");
+        const realHelperDir = realpathLenient(absHelperDir);
+        const withinHelperDir = isPathInsideOrEqual(absHelperDir, absFile) ||
+            isPathInsideOrEqual(realHelperDir, realFile);
+        if (withinHelperDir) {
+            return {
+                decision: "block",
+                reason: "Direct Write/Edit to .pa is forbidden. " +
+                    "Session helper binaries are managed by the daemon.",
+            };
+        }
+        // (b) Block writes into the context dir.
+        const contextDir = getContextDir(config);
+        const absContextDir = resolvePath(contextDir);
+        const realContextDir = realpathLenient(absContextDir);
+        const withinContext = isPathInsideOrEqual(absContextDir, absFile) ||
+            isPathInsideOrEqual(realContextDir, realFile);
+        if (withinContext) {
+            return {
+                decision: "block",
+                reason: `Direct Write/Edit to context dir is forbidden. ` +
+                    `Use the daemon API instead: ` +
+                    `PUT http://localhost:${config.apiPort}/api/context/<path> (full replace) or ` +
+                    `PATCH http://localhost:${config.apiPort}/api/context/<path> (section op). ` +
+                    `The API enforces CONTEXT_WRITE_PERMISSIONS, morningRoutineLock, md_file_snapshots, ` +
+                    `onPromptContextChanged, and expectedMtime concurrency. Path: ${absFile}` +
+                    (realFile !== absFile ? ` (realpath: ${realFile})` : ""),
+            };
+        }
+        // (c) Mark vault-scoped writes for observer attribution.
+        // Targets the EXTERNAL Obsidian vault; the ObsidianWatcher observer
+        // watches that path and would otherwise misattribute agent writes
+        // as user writes.
+        if (!writeTracker)
+            return { continue: true };
+        const vaultPath = config.externalObsidianVaultPath;
+        if (!vaultPath)
+            return { continue: true };
+        const absVault = resolvePath(vaultPath);
+        const realVault = realpathLenient(absVault);
+        const withinVault = isPathInsideOrEqual(absVault, absFile) ||
+            isPathInsideOrEqual(realVault, realFile);
+        if (!withinVault)
+            return { continue: true };
+        // Mark BOTH paths so the observer can match whichever form the
+        // ObsidianWatcher emits. Most filesystems report the lexical path;
+        // the realpath form is belt-and-braces.
+        writeTracker.markWriting(absFile);
+        if (realFile !== absFile)
+            writeTracker.markWriting(realFile);
+        logger.debug({ filePath: absFile, realPath: realFile }, "vault write pre-marked for observer attribution");
+        return { continue: true };
+    };
+    // EXECUTION-MODE-DESIGN.md §6 — absolute-block audit hook. Runs ahead
+    // of every other Bash/Read/Write/Edit hook in both modes. The SDK-level
+    // `disallowedTools` rejection is the authoritative block; this hook is
+    // redundant defense-in-depth that also writes the `blocked_absolute`
+    // audit row so the owner can see the layer is active.
+    const makeAbsoluteBlockHook = (toolName, argField) => async (input) => {
+        const toolInput = input.tool_input;
+        const raw = toolInput?.[argField];
+        if (typeof raw !== "string")
+            return { continue: true };
+        const match = classifyAbsoluteBlock(toolName, raw);
+        if (!match)
+            return { continue: true };
+        recordAbsoluteBlockAudit({
+            db: getMcpContext?.()?.db,
+            backend: "claude",
+            mode: config.claudeExecutionPermissionMode,
+            match,
+            toolName,
+        });
+        return {
+            decision: "block",
+            reason: `Absolute-block layer denied this ${toolName} call ` +
+                `(category: ${match.category}). This rule holds in both Safe ` +
+                `and Allow modes — see EXECUTION-MODE-DESIGN.md §6.`,
+        };
+    };
+    const bashAbsoluteBlockHook = makeAbsoluteBlockHook("Bash", "command");
+    const readAbsoluteBlockHook = makeAbsoluteBlockHook("Read", "file_path");
+    const writeAbsoluteBlockHook = makeAbsoluteBlockHook("Write", "file_path");
+    const editAbsoluteBlockHook = makeAbsoluteBlockHook("Edit", "file_path");
+    // The context-write hook is always attached to Bash — it is the only
+    // guarantee that the daemon-API chokepoint for memory files survives
+    // allow mode (where curl/jq restrictions are dropped and Bash can
+    // otherwise redirect into context/*.md freely).
+    //
+    // The absolute-block audit hook is appended LAST on every matcher
+    // (§6.3). Appended rather than prepended so existing per-index hook
+    // tests keep pointing at the same functions; semantically it is a
+    // fallback defense whose practical effect is duplicating the SDK's
+    // `disallowedTools` rejection into an `agent_actions` row.
+    return {
+        PreToolUse: [
+            {
+                matcher: "Bash",
+                hooks: allowMode
+                    ? [bashContextWriteHook, bashAbsoluteBlockHook]
+                    : [
+                        bashCurlHook,
+                        bashJqHook,
+                        bashContextWriteHook,
+                        bashAbsoluteBlockHook,
+                    ],
+            },
+            { matcher: "Write", hooks: [fileWriteHook, writeAbsoluteBlockHook] },
+            { matcher: "Edit", hooks: [fileWriteHook, editAbsoluteBlockHook] },
+            { matcher: "Read", hooks: [readAbsoluteBlockHook] },
+        ],
+    };
+}
+//# sourceMappingURL=claude-tool-collection.js.map