npm - @gotgenes/pi-permission-system - Versions diffs - 5.6.1 → 5.6.3 - Mend

@gotgenes/pi-permission-system 5.6.1 → 5.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +24 -0
package/package.json +1 -1
package/src/bash-path-extractor.ts +518 -0
package/src/config-loader.ts +1 -29
package/src/external-directory-messages.ts +54 -0
package/src/external-directory.ts +24 -797
package/src/handlers/gates/external-directory.ts +1 -1
package/src/handlers/gates/skill-read.ts +1 -1
package/src/node-modules-discovery.ts +76 -0
package/src/path-utils.ts +155 -0
package/src/permission-manager.ts +1 -29
package/src/permission-merge.ts +30 -0
package/src/skill-prompt-sanitizer.ts +5 -39
package/tests/external-directory-messages.test.ts +137 -0
package/tests/node-modules-discovery.test.ts +97 -0
package/tests/{external-directory.test.ts → path-utils.test.ts} +124 -256
package/tests/permission-merge.test.ts +61 -0

package/src/external-directory.ts CHANGED Viewed

@@ -1,797 +1,24 @@
-import { spawnSync } from "node:child_process";
-import { existsSync } from "node:fs";
-import { createRequire } from "node:module";
-import { homedir } from "node:os";
-import { basename, dirname, join, normalize, resolve, sep } from "node:path";
-import { fileURLToPath } from "node:url";
-import { getNonEmptyString, toRecord } from "./common";
-/**
- * Walk up the directory tree from the given file URL until a directory
- * literally named `node_modules` is found.
- *
- * Returns the `node_modules` path, or `null` if the URL cannot be parsed or
- * no `node_modules` ancestor exists.
- */
-function walkUpToNodeModules(fromUrl: string): string | null {
-  try {
-    const thisFile = fileURLToPath(fromUrl);
-    let dir = dirname(thisFile);
-    while (dir !== dirname(dir)) {
-      if (basename(dir) === "node_modules") {
-        return dir;
-      }
-      dir = dirname(dir);
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-/**
- * Run `npm root -g` synchronously and return the trimmed output, or `null` on
- * any failure (non-zero exit, ENOENT, timeout, non-existent path).
- *
- * Only called when the walk-up-from-self strategy fails (i.e. the extension is
- * running from a local development checkout, not a global install).
- */
-function discoverGlobalNodeModulesViaSubprocess(): string | null {
-  try {
-    const result = spawnSync("npm", ["root", "-g"], {
-      encoding: "utf-8",
-      timeout: 5000,
-      stdio: ["ignore", "pipe", "ignore"],
-    });
-    const root = result.stdout?.trim();
-    if (result.status === 0 && root && existsSync(root)) {
-      return root;
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-/**
- * Discover the global node_modules root.
- *
- * Strategy 1 (zero-cost, covers all global installs): walk up from
- * `fromUrl` (defaults to this module's own `import.meta.url`) looking for a
- * directory named `node_modules`. This works whenever the extension is
- * installed inside a `node_modules` tree.
- *
- * Strategy 2 (subprocess fallback, dev checkout only): when Strategy 1 fails
- * because the extension is running from a local development checkout with no
- * `node_modules` ancestor, run `npm root -g` to discover the global root.
- * Pi installs skills and extensions via `npm` by default, so `npm root -g`
- * returns the correct root regardless of the user's own project package
- * manager.
- *
- * Returns `null` when both strategies fail — callers must degrade gracefully.
- */
-export function discoverGlobalNodeModulesRoot(
-  fromUrl = import.meta.url,
-): string | null {
-  const fromSelf = walkUpToNodeModules(fromUrl);
-  if (fromSelf) return fromSelf;
-  return discoverGlobalNodeModulesViaSubprocess();
-}
-/**
- * Paths that are universally safe and should never trigger external-directory checks.
- * These are OS device files: read returns EOF or process streams, write discards or goes to process streams.
- */
-export const SAFE_SYSTEM_PATHS: ReadonlySet<string> = new Set([
-  "/dev/null",
-  "/dev/stdin",
-  "/dev/stdout",
-  "/dev/stderr",
-]);
-/**
- * Returns true if the given normalized path is a safe OS device file
- * that should never trigger external-directory checks.
- */
-export function isSafeSystemPath(normalizedPath: string): boolean {
-  return SAFE_SYSTEM_PATHS.has(normalizedPath);
-}
-/**
- * Returns true if the given tool + normalized path combination qualifies for
- * automatic allow as a Pi infrastructure read.
- *
- * A path qualifies when:
- * 1. The tool is read-only (in READ_ONLY_PATH_BEARING_TOOLS).
- * 2. The normalized path is within one of the provided `infrastructureDirs`
- *    OR within the project-local Pi package directories
- *    (`<cwd>/.pi/npm/` or `<cwd>/.pi/git/`).
- *
- * `infrastructureDirs` should contain pre-expanded absolute paths (no `~`).
- * Project-local paths are computed fresh from `cwd` on each call so they
- * follow working-directory changes without a runtime rebuild.
- */
-export function isPiInfrastructureRead(
-  toolName: string,
-  normalizedPath: string,
-  infrastructureDirs: readonly string[],
-  cwd: string,
-): boolean {
-  if (!READ_ONLY_PATH_BEARING_TOOLS.has(toolName)) {
-    return false;
-  }
-  for (const dir of infrastructureDirs) {
-    if (isPathWithinDirectory(normalizedPath, dir)) {
-      return true;
-    }
-  }
-  // Project-local Pi packages — checked fresh every call so CWD changes work.
-  const projectNpmDir = join(cwd, ".pi", "npm");
-  const projectGitDir = join(cwd, ".pi", "git");
-  if (isPathWithinDirectory(normalizedPath, projectNpmDir)) {
-    return true;
-  }
-  if (isPathWithinDirectory(normalizedPath, projectGitDir)) {
-    return true;
-  }
-  return false;
-}
-/**
- * File tools that only read — never write — the filesystem.
- * Only these tools are eligible for the Pi infrastructure auto-allow.
- */
-export const READ_ONLY_PATH_BEARING_TOOLS: ReadonlySet<string> = new Set([
-  "read",
-  "find",
-  "grep",
-  "ls",
-]);
-export const PATH_BEARING_TOOLS = new Set([
-  "read",
-  "write",
-  "edit",
-  "find",
-  "grep",
-  "ls",
-]);
-export function normalizePathForComparison(
-  pathValue: string,
-  cwd: string,
-): string {
-  const trimmed = pathValue.trim().replace(/^['"]|['"]$/g, "");
-  if (!trimmed) {
-    return "";
-  }
-  let normalizedPath = trimmed.startsWith("@") ? trimmed.slice(1) : trimmed;
-  if (normalizedPath === "~") {
-    normalizedPath = homedir();
-  } else if (
-    normalizedPath.startsWith("~/") ||
-    normalizedPath.startsWith("~\\")
-  ) {
-    normalizedPath = join(homedir(), normalizedPath.slice(2));
-  }
-  const absolutePath = resolve(cwd, normalizedPath);
-  const normalizedAbsolutePath = normalize(absolutePath);
-  return process.platform === "win32"
-    ? normalizedAbsolutePath.toLowerCase()
-    : normalizedAbsolutePath;
-}
-export function isPathWithinDirectory(
-  pathValue: string,
-  directory: string,
-): boolean {
-  if (!pathValue || !directory) {
-    return false;
-  }
-  if (pathValue === directory) {
-    return true;
-  }
-  const prefix = directory.endsWith(sep) ? directory : `${directory}${sep}`;
-  return pathValue.startsWith(prefix);
-}
-export function getPathBearingToolPath(
-  toolName: string,
-  input: unknown,
-): string | null {
-  if (!PATH_BEARING_TOOLS.has(toolName)) {
-    return null;
-  }
-  return getNonEmptyString(toRecord(input).path);
-}
-export function isPathOutsideWorkingDirectory(
-  pathValue: string,
-  cwd: string,
-): boolean {
-  const normalizedCwd = normalizePathForComparison(cwd, cwd);
-  const normalizedPath = normalizePathForComparison(pathValue, cwd);
-  if (!normalizedCwd || !normalizedPath) {
-    return false;
-  }
-  if (isSafeSystemPath(normalizedPath)) {
-    return false;
-  }
-  return !isPathWithinDirectory(normalizedPath, normalizedCwd);
-}
-export function formatExternalDirectoryHardStopHint(): string {
-  return "Hard stop: this external directory permission denial is policy-enforced. Do not retry this path, do not attempt a filesystem bypass, and report the block to the user.";
-}
-export function formatExternalDirectoryAskPrompt(
-  toolName: string,
-  pathValue: string,
-  cwd: string,
-  agentName?: string,
-): string {
-  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
-  return `${subject} requested tool '${toolName}' for path '${pathValue}' outside working directory '${cwd}'. Allow this external directory access?`;
-}
-export function formatExternalDirectoryDenyReason(
-  toolName: string,
-  pathValue: string,
-  cwd: string,
-  agentName?: string,
-): string {
-  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
-  return `${subject} is not permitted to run tool '${toolName}' for path '${pathValue}' outside working directory '${cwd}'. ${formatExternalDirectoryHardStopHint()}`;
-}
-export function formatExternalDirectoryUserDeniedReason(
-  toolName: string,
-  pathValue: string,
-  denialReason?: string,
-): string {
-  const reasonSuffix = denialReason ? ` Reason: ${denialReason}.` : "";
-  return `User denied external directory access for tool '${toolName}' path '${pathValue}'.${reasonSuffix} ${formatExternalDirectoryHardStopHint()}`;
-}
-export function formatBashExternalDirectoryAskPrompt(
-  command: string,
-  externalPaths: string[],
-  cwd: string,
-  agentName?: string,
-): string {
-  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
-  const pathList = externalPaths.join(", ");
-  return `${subject} requested bash command '${command}' which references path(s) outside working directory '${cwd}': ${pathList}. Allow this external directory access?`;
-}
-export function formatBashExternalDirectoryDenyReason(
-  command: string,
-  externalPaths: string[],
-  cwd: string,
-  agentName?: string,
-): string {
-  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
-  const pathList = externalPaths.join(", ");
-  return `${subject} is not permitted to run bash command '${command}' which references path(s) outside working directory '${cwd}': ${pathList}. ${formatExternalDirectoryHardStopHint()}`;
-}
-// ── tree-sitter-bash lazy parser ───────────────────────────────────────────
-/**
- * Minimal subset of web-tree-sitter's SyntaxNode used by the AST walker.
- * Defined locally so callers do not need to import web-tree-sitter types.
- */
-interface TSNode {
-  readonly type: string;
-  readonly text: string;
-  readonly childCount: number;
-  child(index: number): TSNode | null;
-}
-/**
- * Minimal subset of web-tree-sitter's Parser used by this module.
- */
-interface TSParser {
-  parse(input: string): { rootNode: TSNode; delete(): void } | null;
-  delete(): void;
-}
-let parserPromise: Promise<TSParser> | null = null;
-async function initParser(): Promise<TSParser> {
-  // Use named imports — web-tree-sitter exports Parser as a named class.
-  const { Parser, Language } = await import("web-tree-sitter");
-  const req = createRequire(import.meta.url);
-  const treeSitterWasm = req.resolve("web-tree-sitter/web-tree-sitter.wasm");
-  await Parser.init({ locateFile: () => treeSitterWasm });
-  const parser = new Parser();
-  const bashWasm = req.resolve("tree-sitter-bash/tree-sitter-bash.wasm");
-  const bash = await Language.load(bashWasm);
-  parser.setLanguage(bash);
-  return parser as TSParser;
-}
-function getParser(): Promise<TSParser> {
-  if (!parserPromise) {
-    parserPromise = initParser();
-  }
-  return parserPromise;
-}
-/**
- * Reset the cached parser promise.  Only used by tests to avoid
- * cross-test pollution or to inject a mock parser.
- */
-export function resetParserForTesting(): void {
-  parserPromise = null;
-}
-// ── AST walker ─────────────────────────────────────────────────────────────
-/**
- * Node types whose subtrees must never be descended into for
- * path extraction — their text content is not a command argument.
- */
-const SKIP_SUBTREE_TYPES = new Set(["heredoc_body", "heredoc_end", "comment"]);
-/**
- * Resolve the "shell value" of an argument node — the string the shell
- * would pass to the command after quote removal.
- *
- * - `word`          → `.text` (already unquoted)
- * - `raw_string`    → strip surrounding single quotes
- * - `string`        → strip surrounding double quotes, concatenate children text
- * - `concatenation` → concatenate resolved children
- * - other           → `.text` as fallback
- */
-function resolveNodeText(node: TSNode): string {
-  switch (node.type) {
-    case "word":
-      return node.text;
-    case "raw_string": {
-      // Strip surrounding single quotes: 'content' → content
-      const t = node.text;
-      if (t.length >= 2 && t[0] === "'" && t[t.length - 1] === "'") {
-        return t.slice(1, -1);
-      }
-      return t;
-    }
-    case "string": {
-      // Double-quoted string: concatenate the resolved text of inner children,
-      // skipping the quote-delimiter nodes (literal `"`).
-      let result = "";
-      for (let i = 0; i < node.childCount; i++) {
-        const child = node.child(i);
-        if (!child) continue;
-        // Skip the literal `"` delimiters
-        if (child.type === '"') continue;
-        result += resolveNodeText(child);
-      }
-      return result;
-    }
-    case "string_content":
-    case "simple_expansion":
-    case "expansion":
-      return node.text;
-    case "concatenation": {
-      let result = "";
-      for (let i = 0; i < node.childCount; i++) {
-        const child = node.child(i);
-        if (!child) continue;
-        result += resolveNodeText(child);
-      }
-      return result;
-    }
-    default:
-      return node.text;
-  }
-}
-// ── Pattern-first command config ───────────────────────────────────────────
-interface PatternCommandConfig {
-  /** Flags that consume the next argument as a non-path value (pattern, separator, etc.) */
-  readonly argConsumingFlags: ReadonlySet<string>;
-  /** Flags that consume the next argument as a file path */
-  readonly fileConsumingFlags: ReadonlySet<string>;
-  /**
-   * Number of leading positional arguments that are patterns/scripts, not paths.
-   * Default: 1 (covers sed, awk, grep, rg).
-   * sd uses 2 (FIND and REPLACE_WITH are both non-path positionals).
-   */
-  readonly patternPositionals?: number;
-}
-/**
- * Commands whose first N positional arguments are inline patterns/scripts,
- * not filesystem paths. The map stores per-command flag configuration so
- * the walker can correctly identify which arguments are consumed by flags
- * vs. which are positional.
- */
-const PATTERN_FIRST_COMMANDS: ReadonlyMap<string, PatternCommandConfig> =
-  new Map([
-    [
-      "sed",
-      {
-        argConsumingFlags: new Set(["-e", "-i"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "awk",
-      {
-        argConsumingFlags: new Set(["-e", "-F", "-v"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "gawk",
-      {
-        argConsumingFlags: new Set(["-e", "-F", "-v"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "nawk",
-      {
-        argConsumingFlags: new Set(["-e", "-F", "-v"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "grep",
-      {
-        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "egrep",
-      {
-        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "fgrep",
-      {
-        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "rg",
-      {
-        argConsumingFlags: new Set([
-          "-e",
-          "-A",
-          "-B",
-          "-C",
-          "-m",
-          "-g",
-          "-t",
-          "-T",
-          "-j",
-          "-M",
-          "-r",
-          "-E",
-        ]),
-        fileConsumingFlags: new Set(["-f"]),
-      },
-    ],
-    [
-      "sd",
-      {
-        argConsumingFlags: new Set(["-n", "-f"]),
-        fileConsumingFlags: new Set([]),
-        patternPositionals: 2,
-      },
-    ],
-  ]);
-/** Node types that represent argument values in the AST. */
-const ARG_NODE_TYPES = new Set([
-  "word",
-  "concatenation",
-  "string",
-  "raw_string",
-]);
-/**
- * Extract the command name from a `command` node.
- * Returns the basename (e.g. `/usr/bin/sed` → `sed`), or undefined
- * if the command name cannot be determined (e.g. variable expansion).
- */
-function extractCommandName(node: TSNode): string | undefined {
-  for (let i = 0; i < node.childCount; i++) {
-    const child = node.child(i);
-    if (!child) continue;
-    if (child.type === "command_name") {
-      const text = resolveNodeText(child);
-      return text ? basename(text) : undefined;
-    }
-  }
-  return undefined;
-}
-/**
- * Collect path-candidate tokens from a command known to have
- * pattern/script arguments in leading positional slots.
- *
- * Uses position-based skipping: the first N positional arguments
- * (where N = patternPositionals, default 1) are assumed to be
- * inline patterns/scripts and are skipped. Remaining positional
- * arguments are collected as path candidates.
- *
- * Flags listed in `argConsumingFlags` consume the next argument
- * (skipped). Flags in `fileConsumingFlags` consume the next
- * argument as a file path (collected). The flags `-e` and `-f`
- * additionally signal that an explicit script was provided via
- * flag, so no inline positional script is expected.
- */
-function collectPatternCommandTokens(
-  node: TSNode,
-  tokens: string[],
-  config: PatternCommandConfig,
-): void {
-  const patternPositionals = config.patternPositionals ?? 1;
-  let hasExplicitScript = false;
-  let positionalsSeen = 0;
-  let nextArgAction: "skip" | "extract" | null = null;
-  let pastEndOfFlags = false;
-  for (let i = 0; i < node.childCount; i++) {
-    const child = node.child(i);
-    if (!child) continue;
-    // Skip command_name and variable_assignment nodes.
-    if (child.type === "command_name" || child.type === "variable_assignment")
-      continue;
-    // Only process argument-like nodes; recurse into others
-    // (e.g. command_substitution) for nested commands.
-    if (!ARG_NODE_TYPES.has(child.type)) {
-      collectPathCandidateTokens(child, tokens);
-      continue;
-    }
-    const text = resolveNodeText(child);
-    // Handle consumed argument from previous flag.
-    if (nextArgAction === "skip") {
-      nextArgAction = null;
-      continue;
-    }
-    if (nextArgAction === "extract") {
-      tokens.push(text);
-      nextArgAction = null;
-      continue;
-    }
-    // Flag detection (only before "--" end-of-flags marker).
-    if (
-      !pastEndOfFlags &&
-      child.type === "word" &&
-      text.startsWith("-") &&
-      text.length > 1
-    ) {
-      if (text === "--") {
-        pastEndOfFlags = true;
-        continue;
-      }
-      if (config.argConsumingFlags.has(text)) {
-        nextArgAction = "skip";
-        if (text === "-e" || text === "-f") {
-          hasExplicitScript = true;
-        }
-        continue;
-      }
-      if (config.fileConsumingFlags.has(text)) {
-        nextArgAction = "extract";
-        hasExplicitScript = true;
-        continue;
-      }
-      // Regular flag — skip it.
-      continue;
-    }
-    // Positional argument.
-    if (!hasExplicitScript && positionalsSeen < patternPositionals) {
-      positionalsSeen++;
-      continue; // Skip: this is an inline pattern/script.
-    }
-    // File argument — collect as path candidate.
-    tokens.push(text);
-  }
-}
-/**
- * Recursively visit the AST and collect resolved text of nodes that
- * represent command arguments or redirect destinations.
- *
- * Skips `heredoc_body`, `heredoc_end`, and `comment` subtrees entirely.
- *
- * For commands in `PATTERN_FIRST_COMMANDS`, uses position-based
- * argument skipping to avoid collecting inline patterns/scripts
- * as path candidates. For all other commands, collects all
- * arguments generically.
- */
-function collectPathCandidateTokens(node: TSNode, tokens: string[]): void {
-  if (SKIP_SUBTREE_TYPES.has(node.type)) return;
-  // Extract arguments from `command` nodes.
-  if (node.type === "command") {
-    const commandName = extractCommandName(node);
-    const patternConfig = commandName
-      ? PATTERN_FIRST_COMMANDS.get(commandName)
-      : undefined;
-    if (patternConfig) {
-      collectPatternCommandTokens(node, tokens, patternConfig);
-      return;
-    }
-    // Generic extraction: collect all arguments (skip command name).
-    let seenCommandName = false;
-    for (let i = 0; i < node.childCount; i++) {
-      const child = node.child(i);
-      if (!child) continue;
-      if (child.type === "command_name") {
-        seenCommandName = true;
-        continue;
-      }
-      // Skip variable_assignment nodes (FOO=/bar)
-      if (child.type === "variable_assignment") continue;
-      // If there was no explicit command_name node, the first word-like
-      // child is the command name itself — skip it.
-      if (!seenCommandName && ARG_NODE_TYPES.has(child.type)) {
-        seenCommandName = true;
-        continue;
-      }
-      // Argument nodes: resolve their text and collect.
-      if (ARG_NODE_TYPES.has(child.type)) {
-        tokens.push(resolveNodeText(child));
-        continue;
-      }
-      // Recurse into other children (e.g. command_substitution nested in args)
-      collectPathCandidateTokens(child, tokens);
-    }
-    return;
-  }
-  // Extract redirect destinations from `file_redirect` nodes.
-  if (node.type === "file_redirect") {
-    for (let i = 0; i < node.childCount; i++) {
-      const child = node.child(i);
-      if (!child) continue;
-      if (
-        child.type === "word" ||
-        child.type === "concatenation" ||
-        child.type === "string" ||
-        child.type === "raw_string"
-      ) {
-        tokens.push(resolveNodeText(child));
-      }
-    }
-    return;
-  }
-  // For all other node types, recurse into children.
-  for (let i = 0; i < node.childCount; i++) {
-    const child = node.child(i);
-    if (!child) continue;
-    collectPathCandidateTokens(child, tokens);
-  }
-}
-/**
- * URL pattern to skip tokens that look like URLs rather than paths.
- */
-const URL_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//i;
-/**
- * Regex metacharacter sequences that are never found in real filesystem paths.
- * If a token contains any of these, it is almost certainly a regex pattern
- * (e.g. a grep argument) rather than a path.
- */
-const REGEX_METACHAR_PATTERN = /\.\*|\.\+|\\\||\\\(|\\\)|\[.*?\]|\^\//;
-/**
- * Determines whether a token looks like a path candidate worth resolving.
- * Returns the raw token string if it's a candidate, or null to skip.
- */
-function classifyTokenAsPathCandidate(token: string): string | null {
-  // Skip empty tokens
-  if (!token) return null;
-  // Skip flags
-  if (token.startsWith("-")) return null;
-  // Skip env assignments (FOO=/bar)
-  const eqIndex = token.indexOf("=");
-  const slashIndex = token.indexOf("/");
-  if (eqIndex !== -1 && (slashIndex === -1 || eqIndex < slashIndex)) {
-    return null;
-  }
-  // Skip URLs
-  if (URL_PATTERN.test(token)) return null;
-  // Skip @scope/package patterns
-  if (token.startsWith("@") && !token.startsWith("@/")) return null;
-  // Skip bare-slash tokens (// JS comments, lone /, etc.) — they resolve to root
-  // and are never meaningful path arguments in practice.
-  if (/^\/+$/.test(token)) return null;
-  // Skip tokens that contain regex metacharacter sequences — these are almost
-  // certainly grep/sed/awk patterns, not filesystem paths.
-  // Matches: .*, .+, \|, \(, \), [...], or ^/ (anchored regex starting with /)
-  if (REGEX_METACHAR_PATTERN.test(token)) return null;
-  // Must look like a path: starts with /, ~/, or contains ..
-  if (token.startsWith("/")) return token;
-  if (token.startsWith("~/")) return token;
-  if (token.includes("..")) return token;
-  return null;
-}
-/**
- * Extracts paths from a bash command string that resolve outside CWD.
- * Uses tree-sitter-bash to parse the command into a full AST, then walks
- * command argument and redirect-destination nodes.  Heredoc bodies, comments,
- * and other non-argument content are skipped, eliminating false positives.
- */
-export async function extractExternalPathsFromBashCommand(
-  command: string,
-  cwd: string,
-): Promise<string[]> {
-  const parser = await getParser();
-  const tree = parser.parse(command);
-  if (!tree) return [];
-  const tokens: string[] = [];
-  try {
-    collectPathCandidateTokens(tree.rootNode, tokens);
-  } finally {
-    tree.delete();
-  }
-  const seen = new Set<string>();
-  const externalPaths: string[] = [];
-  for (const token of tokens) {
-    const candidate = classifyTokenAsPathCandidate(token);
-    if (!candidate) continue;
-    const normalized = normalizePathForComparison(candidate, cwd);
-    if (!normalized) continue;
-    if (
-      isPathOutsideWorkingDirectory(candidate, cwd) &&
-      !seen.has(normalized)
-    ) {
-      seen.add(normalized);
-      externalPaths.push(normalized);
-    }
-  }
-  return externalPaths;
-}
+export {
+  extractExternalPathsFromBashCommand,
+  resetParserForTesting,
+} from "./bash-path-extractor";
+export {
+  formatBashExternalDirectoryAskPrompt,
+  formatBashExternalDirectoryDenyReason,
+  formatExternalDirectoryAskPrompt,
+  formatExternalDirectoryDenyReason,
+  formatExternalDirectoryHardStopHint,
+  formatExternalDirectoryUserDeniedReason,
+} from "./external-directory-messages";
+export { discoverGlobalNodeModulesRoot } from "./node-modules-discovery";
+export {
+  getPathBearingToolPath,
+  isPathOutsideWorkingDirectory,
+  isPathWithinDirectory,
+  isPiInfrastructureRead,
+  isSafeSystemPath,
+  normalizePathForComparison,
+  PATH_BEARING_TOOLS,
+  READ_ONLY_PATH_BEARING_TOOLS,
+  SAFE_SYSTEM_PATHS,
+} from "./path-utils";