@aitne/daemon 0.1.4 → 0.1.7

package/dist/core/backends/claude-tool-collection.js

@@ -31,7 +31,7 @@ import { dirname, resolve as resolvePath, isAbsolute } from "node:path";
 import { getContextDir } from "../../config.js";
 import { readIntegrations } from "../../db/integrations-store.js";
 import { recordAbsoluteBlockAudit } from "../../safety/absolute-block-audit.js";
-import { classifyAbsoluteBlock } from "../../safety/always-disallowed.js";
+import { classifyAbsoluteBlock, stripBashHeredocs, stripBashStringContent, } from "../../safety/always-disallowed.js";
 import { createLogger } from "../../logging.js";
 import { computeDelegatedClaudeTools, computeNativeClaudeTools } from "./claude-probe.js";
 import { isPathInsideOrEqual, shellPathForms } from "../path-compat.js";
@@ -107,6 +107,66 @@ function expandHomeForms(token, home) {
         return home;
     return token;
 }
+/**
+ * Decide whether a shell token (after `expandHomeForms` normalisation)
+ * resembles a filesystem path argument. Replaces the older "contains
+ * `/` or `\`" filter, which false-positived on quoted JSON bodies and
+ * HTTP header values whenever the session cwd was inside the data dir
+ * (production cwd is `<dataDir>/agent-sessions/<id>`):
+ *
+ *   - `Content-Type: application/json` → `/` inside `application/json`
+ *     was treated as a path separator, the token was resolved relative
+ *     to the (data-dir-internal) cwd, the resulting candidate landed
+ *     inside `absDataDir`, and the hook blocked an otherwise benign
+ *     `curl -X PATCH -H '...'` invocation.
+ *   - `'{"content":"line1\nline2"}'` → the literal `\` in `\n` triggered
+ *     the same data-dir resolution path even though the token is a JSON
+ *     payload, not a filename.
+ *
+ * The shape rules below are deliberately positive (a token must look
+ * like a path) rather than negative (skip if it contains JSON chars):
+ *
+ *   1. Absolute on POSIX (`/foo`) — also catches tokens that
+ *      `expandHomeForms` rewrote from `~` / `$HOME` / `${HOME}` forms.
+ *   2. Explicit relative anchor (`./foo`, `../foo`, exactly `.` / `..`).
+ *   3. Unresolved home / env-var prefix that survived `expandHomeForms`
+ *      (e.g. `~user/foo`, `$OTHER/foo` when the variable is unknown).
+ *      Treating these as path candidates is a defensive belt — the
+ *      static analysis can't know what they expand to at runtime, so
+ *      err on the side of forwarding them through the data-dir check.
+ *   4. Bare multi-segment path made of filename-safe characters
+ *      (`context/today.md`, `agent-sessions/foo/bar`). The character
+ *      class deliberately excludes whitespace, `:`, `=`, `{`, `}`,
+ *      `"`, `'`, `` ` ``, `?`, `*`, `<`, `>` — all of which appear in
+ *      header values, JSON bodies, and query strings but never in
+ *      well-formed filename segments.
+ *
+ * URL-shaped tokens (`http://...`) are filtered by the caller before
+ * this helper runs, so rule 1 / rule 4 cannot misfire on them.
+ */
+function looksLikePathArg(token) {
+    if (token.length === 0)
+        return false;
+    // Rules 1 + 2 — POSIX-absolute or anchored-relative.
+    if (token.startsWith("/"))
+        return true;
+    if (token === "." || token === ".." || token.startsWith("./") || token.startsWith("../")) {
+        return true;
+    }
+    // Rule 3 — unresolved home / env-var prefix.
+    if (token.startsWith("~") || token.startsWith("$"))
+        return true;
+    // Rule 4 — bare relative path with filename-safe segments only.
+    // `[A-Za-z0-9_.\-+@]` is the segment alphabet — broad enough to
+    // cover typical project filenames (dashes, underscores, dots,
+    // version suffixes, `@scope/pkg` style) without admitting tokens
+    // that came from a JSON body or header value. The trailing `/?`
+    // tolerates a directory-shape suffix (`context/`).
+    if (/^[A-Za-z0-9_.\-+@]+(?:\/[A-Za-z0-9_.\-+@]+)+\/?$/.test(token)) {
+        return true;
+    }
+    return false;
+}
 const logger = createLogger("claude-tool-collection");
 /** Default allowed-tools list when the dashboard override is unset. */
 export const CLAUDE_DEFAULT_ALLOWED_TOOLS = [
@@ -141,16 +201,56 @@ export const CLAUDE_DEFAULT_ALLOWED_TOOLS = [
  * `delegatedToolCount` and `nativeToolCount` makes a misconfigured flip
  * diagnosable without re-running the resolver.
  */
-export function getAllowedTools(config, webSearchEnabled, delegatedTools = [], nativeTools = []) {
+export function getAllowedTools(config, webSearchEnabled, delegatedTools = [], nativeTools = [], 
+// WIKI_BUILDER_DESIGN.md §4.3 — wiki.ingest_url turns need WebFetch on
+// top of the default surface to read external pages (the `Bash(curl *)`
+// PreToolUse hook keeps curl restricted to localhost). Gated on the
+// same `!allowedToolsOverride` clause as `webSearchEnabled` so a user
+// who configured a custom override gets the override verbatim — they
+// are expected to add `WebFetch` themselves if they need it (matches
+// the WebSearch contract; documented in /settings/wiki).
+wikiUrlFetchEnabled = false, 
+// Wiki sessions must write only through the daemon Wiki API
+// (`POST /api/wiki/<ws>/files/...`) — every wiki.* process key has a
+// skill body and the wiki-agent profile both stating "no `Write` /
+// `Edit` against the vault." Skill frontmatter `allowed-tools` is
+// human-facing metadata and does NOT propagate into the SDK's
+// session-level allowlist, so without this hard strip a wiki turn
+// can bypass the API path-classifier, the agent_actions audit row,
+// and the result-processor's write-verifier by Writing a vault
+// path directly. Pass true for any `processKey.startsWith("wiki.")`.
+wikiApiOnlyWrites = false) {
     const base = config.allowedToolsOverride ?? [...CLAUDE_DEFAULT_ALLOWED_TOOLS];
     const merged = new Set(base);
     if (!config.allowedToolsOverride && webSearchEnabled) {
         merged.add("WebSearch");
     }
+    if (!config.allowedToolsOverride && wikiUrlFetchEnabled) {
+        merged.add("WebFetch");
+    }
     for (const tool of delegatedTools)
         merged.add(tool);
     for (const tool of nativeTools)
         merged.add(tool);
+    // Claude Code 2.1+ defers large MCP manifests (`mcp__claude_ai_*`) behind
+    // `ToolSearch` — the tools appear by name but their schemas are not
+    // loaded until the agent calls `ToolSearch select:<name>`. Without
+    // ToolSearch allowed, the model cannot invoke any unioned MCP tool and
+    // silently falls back to denied surfaces (raw Bash, WebFetch), surfacing
+    // as "Bash and WebFetch denied" failure DMs from native/delegated-same
+    // routines. Mirrors the same widening already applied by
+    // `composePrePassAllowedTools` (pre-pass), `CLAUDE_PROBE_TOOLS_PROMPT`
+    // (probe), and `claude-delegated.ts` (cross-backend proxy). Unioned even
+    // under `allowedToolsOverride` for the same orthogonality reason the
+    // MCP tools themselves bypass the override above — silently dropping
+    // ToolSearch while keeping the MCP names defeats the widening.
+    if (delegatedTools.length > 0 || nativeTools.length > 0) {
+        merged.add("ToolSearch");
+    }
+    if (wikiApiOnlyWrites) {
+        merged.delete("Write");
+        merged.delete("Edit");
+    }
     return Array.from(merged);
 }
 /**
@@ -239,9 +339,60 @@ export function getSessionDeniedTools(mcpContext) {
  */
 export function buildSecurityHooks(deps, allowMode = false) {
     const { config, writeTracker, getMcpContext } = deps;
+    // Per-Bash-hook block logging. The SDK's `dontAsk` mode silently
+    // denies any Bash command that doesn't match an allowed prefix —
+    // no tool_result, no error feedback — and PreToolUse hooks that
+    // return `block` emit a generic reason that the agent often
+    // misinterprets as "Bash is blocked entirely." Without this log,
+    // diagnosing a failed wiki / context update means guessing at the
+    // command the model produced. The line is logged at warn level
+    // (one per actual block, not per call) so steady-state cost is
+    // negligible; the cmd is truncated to 400 chars to keep secrets
+    // out of logs and the entry parseable.
+    const wrapBashHook = (hookName, inner) => async (input) => {
+        const result = await inner(input);
+        if (result && result.decision === "block") {
+            const toolInput = input.tool_input;
+            const cmd = toolInput?.command ?? "";
+            logger.warn({
+                hook: hookName,
+                reason: result.reason,
+                cmd: cmd.slice(0, 400),
+            }, "Bash hook block");
+        }
+        return result;
+    };
     const bashCurlHook = async (input) => {
         const toolInput = input.tool_input;
         const cmd = toolInput?.command ?? "";
+        // Three views of the command, each used by a different class of check:
+        //
+        // - `cmd` (raw)         — the initial `\bcurl\b` keyword presence test.
+        //                          Must see literal token text so a `-d
+        //                          '{"text":"see curl docs"}'` body doesn't
+        //                          suppress the hook entirely.
+        // - `scan`              — substring scans for flag PRESENCE (chained
+        //                          curl, --next, --proxy, -L, -o, -c, -b, etc.).
+        //                          Strips single-quoted strings AND heredoc
+        //                          bodies so prose inside a JSON payload like
+        //                          "set -o pipefail in scripts" cannot trip
+        //                          the flag detectors.
+        // - `tokenizable`       — tokenizer walks and value extractors
+        //                          (top-level URL collection, `-d @file` arg
+        //                          walker, `-o <file>` path capture). Strips
+        //                          ONLY heredoc bodies (which are stdin
+        //                          payload, never shell argv) and PRESERVES
+        //                          quoted strings so the value extractors can
+        //                          still recognise quoted URL targets and
+        //                          quoted file paths.
+        //
+        // The wiki.ingest_url skill is the canonical case where this matters:
+        // it POSTs an article body via `-d @- <<'JSON' … JSON`, and the body
+        // routinely contains the source URL ("Source: https://news.example.com/…").
+        // Before this layered design the URL extractor scanned `cmd`, found
+        // the body URL, and falsely blocked with "Multiple URL targets".
+        const scan = stripBashStringContent(cmd);
+        const tokenizable = stripBashHeredocs(cmd);
         if (/\bcurl\b/.test(cmd)) {
             // ── Multi-request defenses (run BEFORE host/port loop) ─────────
             // The SDK `allowedTools` glob is a prefix match against the full
@@ -260,7 +411,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
             //    pipeline counts as ONE curl (only the `curl` token itself
             //    is matched; the leading `jq` is not). Two or more anchored
             //    `curl` tokens → chained invocation → block.
-            const chainedCurlMatches = cmd.match(/(?:^|[;&|`\n]|\$\()\s*curl\b/g) ?? [];
+            const chainedCurlMatches = scan.match(/(?:^|[;&|`\n]|\$\()\s*curl\b/g) ?? [];
             if (chainedCurlMatches.length > 1) {
                 return {
                     decision: "block",
@@ -275,8 +426,8 @@ export function buildSecurityHooks(deps, allowMode = false) {
             //    because both URLs hit the same host:port, but curl issues
             //    one HTTP request per `--next` separator. Same exfil shape
             //    as chained curl, different syntax.
-            if (/(?:^|\s)--next(?:[\s=]|$)/.test(cmd)
-                || /(?:^|\s)-:(?:\s|$)/.test(cmd)) {
+            if (/(?:^|\s)--next(?:[\s=]|$)/.test(scan)
+                || /(?:^|\s)-:(?:\s|$)/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --next / -: (URL multiplexing) is not allowed "
@@ -285,29 +436,40 @@ export function buildSecurityHooks(deps, allowMode = false) {
             }
             // 3. Multi-positional URL targets — `curl URL1 URL2 -X PUT -d
             //    @body` sends the same options to BOTH URLs sequentially,
-            //    which `--next` blocking above does not catch. Tokenize at
-            //    the top level (outside paired single / double quotes) and
-            //    collect tokens whose payload starts with `http://` or
-            //    `https://`. URLs embedded inside `-d '…'` / `-H "…"`
-            //    strings are NOT counted because their token starts with
-            //    the quote, not with `http`.
+            //    which `--next` blocking above does not catch. Tokenize the
+            //    heredoc-stripped command and collect tokens that are URLs:
+            //
+            //      - Bare URL token: `curl http://localhost:8321/api/x`
+            //      - Fully single-quoted URL: `curl 'http://localhost:8321/api/x'`
+            //      - Fully double-quoted URL: `curl "http://localhost:8321/api/x"`
+            //
+            //    URLs that appear INSIDE a quoted body / header value
+            //    (e.g. `-d '{"link":"https://example.com"}'` or
+            //    `-H "X-Source: https://example.com"`) are NOT counted: the
+            //    surrounding quoted token carries other characters, so the
+            //    "entire content is the URL" patterns below do not match.
             //
-            //    This also becomes the *only* set of URLs the host/port
-            //    check below runs against — URLs that legitimately appear
-            //    inside JSON / markdown bodies (e.g. an architecture-section
-            //    description referencing `https://github.com/foo/bar`) are
-            //    NOT host-checked. The previous broad regex
-            //    `cmd.match(/https?:\/\/[^\s'"]+/g)` would reject such
-            //    requests because the body URL was non-localhost. Heuristic
-            //    limitation: URL strings unquoted as data values are a rare
-            //    false-positive surface and would be host-checked; the
-            //    alternative is full shell tokenization (out of scope).
+            //    Heredoc bodies (`<<'JSON' … JSON`) are stripped from
+            //    `tokenizable` above because they are stdin payload, never
+            //    shell argv — without that strip, the routine wiki.ingest_url
+            //    shape of "store an article body that mentions other URLs"
+            //    would trip this multi-URL rule on the body URL.
             const topLevelTokenRe = /'[^']*'|"[^"]*"|[^'"\s]+/g;
             const topLevelUrls = [];
             let tokenMatch;
-            while ((tokenMatch = topLevelTokenRe.exec(cmd)) !== null) {
-                if (/^https?:\/\//.test(tokenMatch[0])) {
-                    topLevelUrls.push(tokenMatch[0]);
+            while ((tokenMatch = topLevelTokenRe.exec(tokenizable)) !== null) {
+                const token = tokenMatch[0];
+                if (/^https?:\/\//.test(token)) {
+                    topLevelUrls.push(token);
+                    continue;
+                }
+                // Fully-quoted URL token: the WHOLE content between matching
+                // single or double quotes must be the URL — anything else
+                // (JSON body, header value) starts with non-URL characters
+                // after the quote.
+                const quoted = /^(['"])(https?:\/\/[^'"\s]+)\1$/.exec(token);
+                if (quoted) {
+                    topLevelUrls.push(quoted[2]);
                 }
             }
             if (topLevelUrls.length > 1) {
@@ -351,7 +513,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // Connection-override flags — host/proxy/socket redirection that
             // would let curl reach something other than the configured loopback
             // HTTP endpoint.
-            if (/--connect-to|--resolve|--config\b|(?:^|\s)-[a-zA-Z]*K|--proxy\b|(?:^|\s)-[a-zA-Z]*x|--socks|--unix-socket|--abstract-unix-socket|--interface\b|--local-port\b/.test(cmd)) {
+            if (/--connect-to|--resolve|--config\b|(?:^|\s)-[a-zA-Z]*K|--proxy\b|(?:^|\s)-[a-zA-Z]*x|--socks|--unix-socket|--abstract-unix-socket|--interface\b|--local-port\b/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl connection override flags not allowed " +
@@ -381,7 +543,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // `-L`. Same shape applied to every short-flag below — without it
             // an attacker can stuff the dangerous letter into a benign-looking
             // flag bundle like `-fs<X>` and bypass the deny rule entirely.
-            if (/(?:^|\s)(?:--upload-file\b|-[a-zA-Z]*T(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--upload-file\b|-[a-zA-Z]*T(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --upload-file / -T not allowed — would read arbitrary files",
@@ -391,24 +553,89 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // from stdin, used by pipelines like `echo $body | curl ... -d @-`).
             // Block `@<anything-other-than-stdin-marker>`. The lookahead
             // `(?!-["']?(?:\s|$))` lets `@-`, `@-"`, `@-'`, `@- ` through.
-            if (/(?:^|\s)(?:--data(?:-binary|-raw|-urlencode|-ascii)?|--data|-d)\s+["']?@(?!-["']?(?:\s|$))/.test(cmd)) {
-                return {
-                    decision: "block",
-                    reason: "curl -d/--data with `@file` syntax not allowed — reads local files",
-                };
-            }
-            // Same for the `=` separator form: `-d=@/path`, `--data-binary=@/path`.
-            if (/(?:^|\s)(?:--data(?:-binary|-raw|-urlencode|-ascii)?|--data|-d)=["']?@(?!-["']?(?:\s|$))/.test(cmd)) {
-                return {
-                    decision: "block",
-                    reason: "curl -d=/--data= with `@file` syntax not allowed — reads local files",
-                };
+            // `-d / --data* / -F / --form` value-content checks. The previous
+            // regex `(?:^|\s)…\s+["']?@(?!-…)` matched the @-file syntax with
+            // the value attached, which meant a JSON BODY containing literal
+            // text like ` -d @<chars>` (an agent journal entry that quotes a
+            // shell example) also tripped it. Conversely, switching to the
+            // `scan` form alone loses single-quoted attack content (the
+            // legitimate `-d '@/etc/passwd'` form): scan strips the body and
+            // the regex no longer sees the `@`.
+            //
+            // The walker below is value-aware: tokenize the command (already
+            // quote-aware via the same regex used for URL extraction), find
+            // every `-d` / `--data*` / `-F` / `--form` flag token, recover the
+            // unquoted value (either after `=` in the same token or in the
+            // adjacent token), and reject if the value's FIRST CHARACTER is
+            // `@` (with the canonical stdin marker `@-` excluded). That
+            // discriminates:
+            //   - `-d '@/etc/passwd'` → value starts with `@` and is not `@-`
+            //     → block (matches the original protection).
+            //   - `-d '{"content":"a -d @x b"}'` → value starts with `{` →
+            //     allow (the body contains @ but is not an @-file argument).
+            //
+            // For `-F`/`--form`, the file-read syntax is `name=@file` /
+            // `name=<file` (first `=` in the value followed by `@` or `<`),
+            // which the same walker can test in the value once recovered.
+            // Adjacent-token merge: bash treats `-d='value'` as the SINGLE
+            // argument `-d=value` (the quote is stripped, the bare prefix and
+            // the quoted body are joined when there is no whitespace between
+            // them). The regex pass below splits the two pieces — track each
+            // match's start vs. the previous match's end and concatenate any
+            // pair with no whitespace gap. A composite token is treated as
+            // "effectively bare" if either constituent was bare, so the flag
+            // walker still recognises `-d='@/path'` as a `-d=` flag carrying
+            // the value `@/path` (which the regex form `["']?@` used to catch).
+            const argRe = /'([^']*)'|"([^"]*)"|`([^`]*)`|([^\s'"`]+)/g;
+            const argList = [];
+            let am;
+            let lastEnd = -1;
+            // Walks `tokenizable` (heredoc-stripped) so a body line like
+            // `prose mentioning -d @/etc/passwd` cannot be parsed as a real
+            // `-d` flag carrying an `@file` value. Single / double quotes are
+            // preserved so the `quoted` discriminator still tracks user intent
+            // correctly for the dataFlag / formFlag checks below.
+            while ((am = argRe.exec(tokenizable)) !== null) {
+                const value = am[1] ?? am[2] ?? am[3] ?? am[4] ?? "";
+                const quoted = am[4] === undefined;
+                if (am.index === lastEnd && argList.length > 0) {
+                    const prev = argList[argList.length - 1];
+                    prev.value = prev.value + value;
+                    prev.quoted = prev.quoted && quoted;
+                }
+                else {
+                    argList.push({ value, quoted });
+                }
+                lastEnd = argRe.lastIndex;
             }
-            if (/(?:^|\s)(?:-F|--form)\s+\S*=[@<]/.test(cmd)) {
-                return {
-                    decision: "block",
-                    reason: "curl -F/--form with `=@file` or `=<file` syntax not allowed — reads local files",
-                };
+            const dataFlag = /^(?:--data(?:-binary|-raw|-urlencode|-ascii)?|--data|-d)(?:=(.*))?$/;
+            const formFlag = /^(?:--form|-F)(?:=(.*))?$/;
+            for (let i = 0; i < argList.length; i++) {
+                const tok = argList[i];
+                if (!tok || tok.quoted)
+                    continue;
+                const dm = tok.value.match(dataFlag);
+                if (dm) {
+                    const value = dm[1] ?? argList[i + 1]?.value ?? "";
+                    if (value.length > 0 && value[0] === "@" && value !== "@-") {
+                        return {
+                            decision: "block",
+                            reason: "curl -d/--data with `@file` syntax not allowed — reads local files",
+                        };
+                    }
+                    continue;
+                }
+                const fm = tok.value.match(formFlag);
+                if (fm) {
+                    const value = fm[1] ?? argList[i + 1]?.value ?? "";
+                    // `name=@path` / `name=<path`: first `=` then `@` or `<`.
+                    if (/^[^=\s]*=[@<]/.test(value)) {
+                        return {
+                            decision: "block",
+                            reason: "curl -F/--form with `=@file` or `=<file` syntax not allowed — reads local files",
+                        };
+                    }
+                }
             }
             // File-write flags. The agent can land bytes anywhere on disk —
             // overwriting shims, ssh keys, shell rc files, etc. Daemon API is
@@ -433,11 +660,18 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // containment. Quoted paths with spaces (`-o "my file"`) are
             // ALSO rejected so a denylist regex that stops at the space
             // inside the quotes cannot be smuggled past.
-            const hasOutputFlag = /(?:^|\s)(?:--output(?:\b|=)|-[a-zA-Z]*o(?:\s|=|$))/.test(cmd);
+            // Flag PRESENCE detection runs on the scan (quote-stripped) command
+            // so a body containing prose like "set -o pipefail" does not falsely
+            // claim there is an output flag. The subsequent VALUE extraction
+            // reads `tokenizable` (heredoc-stripped, quotes preserved) so an
+            // earlier heredoc-body occurrence of `-o /etc/passwd` cannot be
+            // captured ahead of the real flag — while quoted paths like
+            // `-o "my file.pdf"` are still readable.
+            const hasOutputFlag = /(?:^|\s)(?:--output(?:\b|=)|-[a-zA-Z]*o(?:\s|=|$))/.test(scan);
             if (hasOutputFlag) {
                 // Three capture-group alternatives so quoted paths with spaces
                 // are caught — `[^\s'"]+` alone fails on `"my file"`.
-                const valueMatch = cmd.match(/(?:^|\s)(?:--output(?:\s+|=)|-o(?:\s+|=))(?:"([^"]*)"|'([^']*)'|([^\s'"]+))/);
+                const valueMatch = tokenizable.match(/(?:^|\s)(?:--output(?:\s+|=)|-o(?:\s+|=))(?:"([^"]*)"|'([^']*)'|([^\s'"]+))/);
                 const target = valueMatch?.[1] ?? valueMatch?.[2] ?? valueMatch?.[3] ?? "";
                 const isSafeRelative = target.length > 0 &&
                     !target.startsWith("/") &&
@@ -454,19 +688,19 @@ export function buildSecurityHooks(deps, allowMode = false) {
                     };
                 }
             }
-            if (/(?:^|\s)(?:--remote-name(?:-all)?\b|-[a-zA-Z]*O(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--remote-name(?:-all)?\b|-[a-zA-Z]*O(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --remote-name/-O not allowed — would write to URL-derived path",
                 };
             }
-            if (/(?:^|\s)(?:--dump-header\b|-[a-zA-Z]*D(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--dump-header\b|-[a-zA-Z]*D(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --dump-header/-D not allowed — writes response headers to disk",
                 };
             }
-            if (/(?:^|\s)(?:--cookie-jar\b|-[a-zA-Z]*c(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--cookie-jar\b|-[a-zA-Z]*c(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --cookie-jar/-c not allowed — writes cookie state to disk",
@@ -479,20 +713,20 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // `-b name=value` would require parsing the value; the simpler
             // safe stance is to refuse the flag outright since the daemon
             // API uses bearer tokens, not cookies.
-            if (/(?:^|\s)(?:--cookie\b|-[a-zA-Z]*b(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--cookie\b|-[a-zA-Z]*b(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --cookie/-b not allowed — when the value is a path, " +
                         "the file contents are sent as the Cookie header (file read).",
                 };
             }
-            if (/(?:^|\s)--trace(?:-ascii)?\b/.test(cmd)) {
+            if (/(?:^|\s)--trace(?:-ascii)?\b/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --trace / --trace-ascii not allowed — writes protocol trace to disk",
                 };
             }
-            if (/(?:^|\s)(?:--write-out\b|-[a-zA-Z]*w(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--write-out\b|-[a-zA-Z]*w(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --write-out/-w not allowed — format strings include file/stderr sinks",
@@ -501,7 +735,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // Cert / key file references. The daemon API is plain HTTP on
             // loopback; none of these flags are needed for legitimate
             // operation and they all read arbitrary files from disk.
-            if (/(?:^|\s)(?:--cert\b|--key\b|--cacert\b|--capath\b|-[a-zA-Z]*E(?:\s|=|$))/.test(cmd)) {
+            if (/(?:^|\s)(?:--cert\b|--key\b|--cacert\b|--capath\b|-[a-zA-Z]*E(?:\s|=|$))/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl --cert/--key/--cacert/--capath/-E not allowed — read arbitrary files",
@@ -514,7 +748,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
             // Combined-short-flag forms (`-fsSL`, `-vL`) are caught by the
             // `[a-zA-Z]*L` alternation; the literal `--location` and
             // `--location-trusted` long forms are matched explicitly.
-            if (/(?:^|\s)(?:-[a-zA-Z]*L(?:\s|=|$)|--location(?:-trusted)?\b)/.test(cmd)) {
+            if (/(?:^|\s)(?:-[a-zA-Z]*L(?:\s|=|$)|--location(?:-trusted)?\b)/.test(scan)) {
                 return {
                     decision: "block",
                     reason: "curl -L / --location not allowed — would follow redirects off localhost",
@@ -531,6 +765,14 @@ export function buildSecurityHooks(deps, allowMode = false) {
         // Narrow to THIS jq invocation's own args (up to the next pipe / chain op)
         // so that later pipeline stages are not inspected by the jq rules.
         //
+        // The match runs against `stripBashHeredocs(cmd)` so that prose inside
+        // a heredoc body (e.g. a wiki article that mentions "the jq env
+        // filter") cannot trip the env / -L / --slurpfile checks below.
+        // Quoted strings remain intact because the env-filter detector
+        // intentionally peers inside the single-quoted jq filter argument
+        // (jq syntax lives inside shell quotes, so blanket quote-stripping
+        // would lose the very thing we need to inspect).
+        //
         // Known approximation: `[^|;&]*` does not respect shell quoting, so a
         // jq filter with a `|` INSIDE a quoted expression (e.g. `jq 'env | keys'`)
         // will truncate `jqPart` at the first `|` regardless of whether that `|`
@@ -540,7 +782,7 @@ export function buildSecurityHooks(deps, allowMode = false) {
         // payloads are still blocked. The downside is slightly reduced precision
         // on benign expressions containing the jq `|` operator — those get
         // scanned only up to the first pipe, not their full extent.
-        const jqMatch = cmd.match(/\bjq\b([^|;&]*)/);
+        const jqMatch = stripBashHeredocs(cmd).match(/\bjq\b([^|;&]*)/);
         if (!jqMatch)
             return { continue: true };
         const jqPart = jqMatch[0];
@@ -629,10 +871,17 @@ export function buildSecurityHooks(deps, allowMode = false) {
         // API is the sanctioned write channel.
         const absDataDir = resolvePath(config.dataDir);
         const realDataDir = realpathLenient(absDataDir);
+        // Use the quote/heredoc-stripped form for Layer 1 (substring) and
+        // Layer 3 (interpreter regex) so a JSON body or heredoc payload that
+        // legitimately contains the absolute context-dir path string, or the
+        // literal text `bash -c …`, does not trip these layers. Layer 2
+        // still uses `cmd` because its tokenizer is already quote-aware via
+        // `looksLikePathArg`.
+        const scan = stripBashStringContent(cmd);
         // ── Layer 1: substring match against well-known path forms ──
         const pathForms = shellPathForms(absContextDir, home);
         for (const form of pathForms) {
-            if (cmd.includes(form)) {
+            if (scan.includes(form)) {
                 return blockContextWrite(absContextDir, `substring match: ${form}`);
             }
         }
@@ -645,11 +894,21 @@ export function buildSecurityHooks(deps, allowMode = false) {
         const tokens = tokenizeShellCommand(cmd);
         for (const rawTok of tokens) {
             const tok = expandHomeForms(rawTok, home);
-            if (!tok.includes("/") && !tok.includes("\\"))
-                continue;
-            // Skip URL-shaped tokens; they are not filesystem paths.
+            // Skip URL-shaped tokens; they are not filesystem paths. Must
+            // come before `looksLikePathArg` because `http://localhost/...`
+            // satisfies the "starts with `/`" rule once the scheme prefix
+            // is removed — and the bare-path rule too — but is never a
+            // filesystem reference.
             if (/^[a-z][a-z0-9+.-]*:\/\//i.test(tok))
                 continue;
+            // The old filter (`!tok.includes("/") && !tok.includes("\\")`)
+            // forwarded any quoted token with a `/` or `\` into the data-dir
+            // resolution branch, which produced false positives on JSON
+            // bodies (`{"content":"a\nb"}`) and header values (`Content-Type:
+            // application/json`) whenever cwd lived under the data dir. See
+            // `looksLikePathArg` for the replacement rules.
+            if (!looksLikePathArg(tok))
+                continue;
             const candidate = isAbsolute(tok) ? tok : resolvePath(cwd, tok);
             const real = realpathLenient(candidate);
             const landsInsideContext = isPathInsideOrEqual(absContextDir, candidate) ||
@@ -671,8 +930,8 @@ export function buildSecurityHooks(deps, allowMode = false) {
         // SDK Write/Edit tools and the daemon API cover legitimate
         // file-touching use cases. Blocking the patterns themselves is the
         // only way to keep this hook's guarantees meaningful.
-        if (/(?:^|[\s|;&])(?:bash|sh|zsh|ksh|dash|busybox)\s+-c\b/.test(cmd) ||
-            /(?:^|[\s|;&])(?:python3?|node|ruby|perl|php|deno|bun)\s+-[ce]\b/.test(cmd)) {
+        if (/(?:^|[\s|;&])(?:bash|sh|zsh|ksh|dash|busybox)\s+-c\b/.test(scan) ||
+            /(?:^|[\s|;&])(?:python3?|node|ruby|perl|php|deno|bun)\s+-[ce]\b/.test(scan)) {
             return {
                 decision: "block",
                 reason: `Bash commands that invoke an interpreter with -c / -e are not ` +
@@ -814,12 +1073,15 @@ export function buildSecurityHooks(deps, allowMode = false) {
             {
                 matcher: "Bash",
                 hooks: allowMode
-                    ? [bashContextWriteHook, bashAbsoluteBlockHook]
+                    ? [
+                        wrapBashHook("bashContextWriteHook", bashContextWriteHook),
+                        wrapBashHook("bashAbsoluteBlockHook", bashAbsoluteBlockHook),
+                    ]
                     : [
-                        bashCurlHook,
-                        bashJqHook,
-                        bashContextWriteHook,
-                        bashAbsoluteBlockHook,
+                        wrapBashHook("bashCurlHook", bashCurlHook),
+                        wrapBashHook("bashJqHook", bashJqHook),
+                        wrapBashHook("bashContextWriteHook", bashContextWriteHook),
+                        wrapBashHook("bashAbsoluteBlockHook", bashAbsoluteBlockHook),
                     ],
             },
             { matcher: "Write", hooks: [fileWriteHook, writeAbsoluteBlockHook] },