@hegemonart/get-design-done 1.57.1 → 1.57.2

package/hooks/gdd-intel-trigger.js

@@ -0,0 +1,243 @@
+#!/usr/bin/env node
+'use strict';
+/**
+ * hooks/gdd-intel-trigger.js — D5 (PostToolUse on Edit|Write)
+ *
+ * On every Edit/Write that touches a design-authoritative surface
+ * (skills/**, agents/**, reference/**, source/skills/**), spawn a
+ * background, detached refresh of the .design/intel/ store so downstream
+ * consumers (router, planner, audits) see the latest extracts without the
+ * user paying for a full rebuild on the next /gdd run.
+ *
+ * Contract:
+ *   1. Read the PostToolUse payload from stdin. Tolerate snake_case and
+ *      camelCase field names (tool_name/toolName, tool_input/toolInput,
+ *      file_path/filePath/path).
+ *   2. If the edited path matches
+ *        ^(skills|agents|reference|source/skills)/.*\.(md|json)$
+ *      (path-separator-agnostic), schedule a background refresh.
+ *   3. Otherwise no-op — write {continue:true} and exit 0.
+ *   4. Always exit 0. Never block. Never surface errors. Errors only ever
+ *      land as a stderr breadcrumb (best-effort).
+ *
+ * Opt-out:
+ *   Set GDD_DISABLE_INTEL_TRIGGER=1 to silence this hook completely
+ *   (still writes {continue:true}, exits 0, spawns nothing).
+ *
+ * Dedup lock:
+ *   .design/.intel-trigger.lock — a JSON file with {ts: <epoch_ms>}.
+ *   If the lock is younger than 5 minutes, we assume a refresh is already
+ *   in flight (or recently ran) and skip spawning again. Rapid sequential
+ *   edits coalesce into one background rebuild. The lock is best-effort:
+ *   if the .design/ dir does not exist or we cannot read/write the lock,
+ *   we still proceed (or still no-op safely).
+ *
+ * Refresh path:
+ *   scripts/build-intel.cjs is the rebuilder. It has no `--incremental`
+ *   flag (incremental is its DEFAULT behavior — invoking it without
+ *   `--force` re-extracts only changed files via mtime/git-hash). The
+ *   task spec said "if --incremental exists, spawn it; else emit a
+ *   breadcrumb." Since the script DOES do incremental by default, we
+ *   spawn it as `node scripts/build-intel.cjs` (no flags) and surface
+ *   the convention in the breadcrumb so future maintainers know why
+ *   no `--incremental` was passed. If the script is ever missing, we
+ *   emit only a breadcrumb and continue.
+ *
+ * Spawn shape:
+ *   child_process.spawn('node', [script], { detached: true,
+ *     stdio: 'ignore', windowsHide: true }) followed by child.unref().
+ *   This decouples the child from our process tree so the hook returns
+ *   immediately and the rebuild happens out of band.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { spawn } = require('node:child_process');
+
+const LOCK_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const TARGET_RE = /^(?:skills|agents|reference|source\/skills)\/.*\.(?:md|json)$/;
+
+/**
+ * Extract the edited file path + tool name from a PostToolUse payload.
+ * Returns { tool, filename } or null when nothing usable was found.
+ */
+function extractTarget(payload) {
+  if (!payload || typeof payload !== 'object') return null;
+  const tool = payload.tool_name || payload.toolName;
+  if (tool !== 'Write' && tool !== 'Edit') return null;
+  const input = payload.tool_input || payload.toolInput || {};
+  const filename =
+    input.file_path ||
+    input.filePath ||
+    input.path ||
+    (payload.tool_response &&
+      (payload.tool_response.filePath || payload.tool_response.file_path)) ||
+    '';
+  if (!filename) return null;
+  return { tool, filename: String(filename) };
+}
+
+/**
+ * Decide whether the given (absolute or relative) filename, considered
+ * relative to `cwd`, lives under one of the design-authoritative roots
+ * and is .md or .json. Returns true/false. Path-separator-agnostic.
+ */
+function isDesignSurface(filename, cwd) {
+  if (!filename) return false;
+  let rel;
+  try {
+    rel = path.isAbsolute(filename)
+      ? path.relative(cwd, filename)
+      : filename;
+  } catch {
+    return false;
+  }
+  if (!rel || rel.startsWith('..')) return false;
+  const normalised = rel.replace(/\\/g, '/');
+  return TARGET_RE.test(normalised);
+}
+
+/**
+ * Best-effort: returns true if the lockfile exists AND its timestamp is
+ * younger than LOCK_TTL_MS. False on any error (missing dir, parse fail,
+ * stat fail) — fail-open so we still trigger the rebuild.
+ */
+function lockIsFresh(lockPath) {
+  try {
+    if (!fs.existsSync(lockPath)) return false;
+    const raw = fs.readFileSync(lockPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    const ts = Number(parsed && parsed.ts);
+    if (!Number.isFinite(ts)) return false;
+    return Date.now() - ts < LOCK_TTL_MS;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Best-effort: write {ts: Date.now()} to the lockfile, ensuring its
+ * parent dir exists. Swallows all errors — locking is purely an
+ * optimisation; failure to lock just means the next edit may re-trigger.
+ */
+function writeLock(lockPath) {
+  try {
+    fs.mkdirSync(path.dirname(lockPath), { recursive: true });
+    fs.writeFileSync(lockPath, JSON.stringify({ ts: Date.now() }), 'utf8');
+  } catch {
+    /* swallow */
+  }
+}
+
+/**
+ * Spawn the intel rebuild as a detached background process. The child is
+ * fully decoupled (stdio:'ignore', detached:true, unref()) so the hook
+ * returns immediately. Errors are swallowed — the worst case is a stale
+ * intel store, which is no worse than the pre-hook baseline.
+ */
+function spawnRebuild(cwd, script) {
+  try {
+    const child = spawn(process.execPath, [script], {
+      cwd,
+      detached: true,
+      stdio: 'ignore',
+      windowsHide: true,
+      env: process.env,
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Core hook entry. Returns the decision object to write to stdout.
+ * Always returns {continue: true}. Exported for unit testing.
+ *
+ * Optional `opts.spawnImpl` overrides the spawn-rebuild side effect
+ * (so tests can assert it was called without forking a real node).
+ */
+function main(payload, opts = {}) {
+  // Opt-out shortcut — read here (not at module top) so tests can flip the
+  // env between calls without re-requiring the module.
+  if (process.env.GDD_DISABLE_INTEL_TRIGGER === '1') {
+    return { continue: true };
+  }
+
+  const cwd = (payload && payload.cwd) || opts.cwd || process.cwd();
+  const target = extractTarget(payload);
+  if (!target) return { continue: true };
+  if (!isDesignSurface(target.filename, cwd)) return { continue: true };
+
+  const lockPath = path.join(cwd, '.design', '.intel-trigger.lock');
+  if (lockIsFresh(lockPath)) return { continue: true };
+
+  const script = path.join(cwd, 'scripts', 'build-intel.cjs');
+  if (!fs.existsSync(script)) {
+    // Follow-up: a missing rebuilder is not this hook's problem to fix.
+    try {
+      process.stderr.write(
+        '[gdd-intel-trigger] would refresh .design/intel/ if scripts/build-intel.cjs --incremental existed\n'
+      );
+    } catch {
+      /* swallow */
+    }
+    return { continue: true };
+  }
+
+  // Lock first (idempotent if write fails), then spawn. Locking first
+  // means a sibling Edit racing this one will see a fresh lock and skip
+  // even if our spawn has not yet completed.
+  writeLock(lockPath);
+  const doSpawn = typeof opts.spawnImpl === 'function' ? opts.spawnImpl : spawnRebuild;
+  doSpawn(cwd, script);
+
+  return { continue: true };
+}
+
+/** CLI entrypoint — read JSON from stdin, decide, write {continue:true}. */
+async function run(stdin = process.stdin, stdout = process.stdout) {
+  let buf = '';
+  try {
+    for await (const chunk of stdin) buf += chunk;
+  } catch {
+    stdout.write(JSON.stringify({ continue: true }));
+    return;
+  }
+  let payload;
+  try {
+    payload = JSON.parse(buf || '{}');
+  } catch {
+    stdout.write(JSON.stringify({ continue: true }));
+    return;
+  }
+  let decision;
+  try {
+    decision = main(payload);
+  } catch {
+    decision = { continue: true };
+  }
+  stdout.write(JSON.stringify(decision || { continue: true }));
+}
+
+if (require.main === module) {
+  run().catch(() => {
+    try {
+      process.stdout.write(JSON.stringify({ continue: true }));
+    } catch {
+      /* swallow */
+    }
+  });
+}
+
+module.exports = {
+  main,
+  extractTarget,
+  isDesignSurface,
+  lockIsFresh,
+  writeLock,
+  spawnRebuild,
+  LOCK_TTL_MS,
+  TARGET_RE,
+};

package/hooks/gdd-mcp-circuit-breaker.js

@@ -40,15 +40,70 @@ function loadBudget(cwd) {
   return defaults;
 }
 
+/**
+ * Classify the outcome of an MCP tool call as 'success' | 'timeout' | 'error'.
+ *
+ * The previous implementation substring-matched 'timeout' / 'failed' against
+ * the ENTIRE JSON-stringified response. That fired false positives on legit
+ * successful payloads whose content happens to mention those words — e.g. a
+ * Figma node literally named "TimeoutBanner", or a summary line "2 of 5 nodes
+ * failed to update, retrying...". When the breaker false-positives, it
+ * advances consecutive_timeouts and eventually trips on healthy traffic.
+ *
+ * The fix: use the structured isError / is_error envelope as the primary
+ * signal. MCP tool results carry isError=true|false. Anything without an
+ * explicit error flag is treated as success — full stop. Only when the
+ * envelope says "error" do we then inspect the ERROR-message fields
+ * (content[*].text + error.message + error.code + top-level message) to
+ * decide between 'timeout' and generic 'error'. Arbitrary content text is
+ * never scanned.
+ */
 function classifyOutcome(toolResponse) {
   if (!toolResponse || typeof toolResponse !== 'object') return 'error';
-  const text = JSON.stringify(toolResponse).slice(0, 4000).toLowerCase();
-  // Check timeout FIRST — a timed-out call may also set is_error, but we want
-  // to classify it as "timeout" so consecutive_timeouts advances correctly.
-  if (text.includes('timeout') || text.includes('timed out') || text.includes('deadline exceeded')) return 'timeout';
-  if (toolResponse.is_error) return 'error';
-  if (text.includes('"error"') || text.includes('failed')) return 'error';
-  return 'success';
+
+  // MCP standard envelope: isError (camelCase). Claude Code historically
+  // passes is_error (snake_case). Accept either; treat absence as success.
+  const isError =
+    toolResponse.isError === true || toolResponse.is_error === true;
+
+  if (!isError) return 'success';
+
+  // Error path: classify timeout vs generic by reading ONLY the dedicated
+  // error-message fields, not the entire payload.
+  const messageBits = [];
+
+  // content[] may be a string (legacy) or an array of {type,text} (spec).
+  if (typeof toolResponse.content === 'string') {
+    messageBits.push(toolResponse.content);
+  } else if (Array.isArray(toolResponse.content)) {
+    for (const c of toolResponse.content) {
+      if (c && typeof c.text === 'string') messageBits.push(c.text);
+    }
+  }
+
+  if (toolResponse.error && typeof toolResponse.error === 'object') {
+    if (typeof toolResponse.error.message === 'string') {
+      messageBits.push(toolResponse.error.message);
+    }
+    if (typeof toolResponse.error.code === 'string') {
+      messageBits.push(toolResponse.error.code);
+    }
+  }
+  if (typeof toolResponse.message === 'string') {
+    messageBits.push(toolResponse.message);
+  }
+
+  const combined = messageBits.join(' ').toLowerCase();
+  // \btimeout\b matches "timeout" and "request timeout"; \btimed?\s*out\b
+  // matches "timed out"; deadline exceeded is gRPC; etimedout is Node fs.
+  if (
+    /\btimeout\b|\btimed?\s*out\b|\bdeadline\s+exceeded\b|\betimedout\b/.test(
+      combined,
+    )
+  ) {
+    return 'timeout';
+  }
+  return 'error';
 }
 
 function readJsonlTail(filePath) {

package/hooks/gdd-precompact-snapshot.js

@@ -25,14 +25,27 @@
 const fs = require('node:fs');
 const path = require('node:path');
 
-const SNAPSHOT_DIR = path.resolve(process.cwd(), '.design', 'snapshots');
-const STATE_MD_PATH = path.resolve(process.cwd(), '.design', 'STATE.md');
-const EVENTS_PATH = path.resolve(process.cwd(), '.design', 'telemetry', 'events.jsonl');
 const RETENTION_COUNT = 10;
 const EVENTS_TAIL_COUNT = 50;
 const DECISIONS_TAIL_COUNT = 10;
 const SCHEMA_VERSION = '1.0.0';
 
+/**
+ * Resolve the bundle of paths the hook reads/writes, anchored at `cwd`.
+ *
+ * Originally these resolved at module load via `process.cwd()`, which is
+ * the wrong anchor when Claude Code invokes the hook from a worktree
+ * (the harness's cwd at module load can differ from the project root).
+ * Resolving against `payload.cwd` matches how 8 sibling hooks already work.
+ */
+function computePaths(cwd) {
+  return {
+    snapshotDir: path.resolve(cwd, '.design', 'snapshots'),
+    stateMdPath: path.resolve(cwd, '.design', 'STATE.md'),
+    eventsPath: path.resolve(cwd, '.design', 'telemetry', 'events.jsonl'),
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Harness detection (D-10)
 // ---------------------------------------------------------------------------
@@ -66,13 +79,13 @@ function getAppendEvent() {
 // STATE.md tolerant parser — extracts frontmatter + decisions + blockers
 // ---------------------------------------------------------------------------
 
-function readStateSections() {
-  if (!fs.existsSync(STATE_MD_PATH)) {
+function readStateSections(paths) {
+  if (!fs.existsSync(paths.stateMdPath)) {
     return { frontmatter: {}, decisions: [], blockers: [], session: '' };
   }
   let body;
   try {
-    body = fs.readFileSync(STATE_MD_PATH, 'utf8');
+    body = fs.readFileSync(paths.stateMdPath, 'utf8');
   } catch {
     return { frontmatter: {}, decisions: [], blockers: [], session: '' };
   }
@@ -124,11 +137,11 @@ function readStateSections() {
 // Events tail reader — JSONL-tolerant (malformed lines are skipped)
 // ---------------------------------------------------------------------------
 
-function readEventsTail(count) {
-  if (!fs.existsSync(EVENTS_PATH)) return [];
+function readEventsTail(paths, count) {
+  if (!fs.existsSync(paths.eventsPath)) return [];
   let body;
   try {
-    body = fs.readFileSync(EVENTS_PATH, 'utf8');
+    body = fs.readFileSync(paths.eventsPath, 'utf8');
   } catch {
     return [];
   }
@@ -149,16 +162,16 @@ function readEventsTail(count) {
 // Retention prune — LRU by mtime, keep last RETENTION_COUNT (D-08)
 // ---------------------------------------------------------------------------
 
-function pruneSnapshots() {
+function pruneSnapshots(paths) {
   let files;
   try {
-    files = fs.readdirSync(SNAPSHOT_DIR);
+    files = fs.readdirSync(paths.snapshotDir);
   } catch {
     return;
   }
   const jsonFiles = files
     .filter((f) => f.endsWith('.json') && f !== 'last-recap.json')
-    .map((f) => ({ name: f, full: path.join(SNAPSHOT_DIR, f), mtime: 0 }));
+    .map((f) => ({ name: f, full: path.join(paths.snapshotDir, f), mtime: 0 }));
 
   for (const entry of jsonFiles) {
     try {
@@ -186,35 +199,43 @@ function pruneSnapshots() {
 async function main() {
   const harness = detectHarness();
   if (harness === 'codex') {
-    // D-10: Codex has no PreCompact event; emit notice + exit. Phase 45 dep
-    // for full `pre-large-context-action` interception.
+    // D-10: Codex has no PreCompact event; emit notice + exit. Tracked in
+    // the runtime-parity matrix; full pre-large-context-action interception
+    // is on the roadmap.
     process.stderr.write(
       '[gdd-precompact-snapshot] this harness does not emit PreCompact; snapshots disabled\n',
     );
     process.exit(0);
   }
 
-  // Drain stdin (Claude Code may pipe a hook event JSON; we don't need it
-  // but draining avoids EPIPE on the parent's writer side).
+  // Drain stdin and extract payload.cwd. Claude Code pipes a hook-event JSON
+  // envelope including the project cwd; we need it to anchor SNAPSHOT_DIR and
+  // friends correctly when the harness's process.cwd() at module load may not
+  // match (e.g. when invoked from a worktree). Draining also avoids EPIPE on
+  // the writer side. Falls back to process.cwd() when stdin is empty or
+  // malformed (unit tests, direct invocation).
+  let buf = '';
   try {
-    if (!process.stdin.isTTY) {
-      // Best-effort, non-blocking — we have nothing time-sensitive in stdin.
-      process.stdin.on('error', () => {
-        /* swallow */
-      });
-      process.stdin.resume();
-    }
+    for await (const chunk of process.stdin) buf += chunk;
   } catch {
-    /* swallow */
+    /* swallow — empty stdin is fine */
+  }
+  let payload = {};
+  try {
+    payload = JSON.parse(buf || '{}');
+  } catch {
+    /* malformed stdin → fall through with empty payload */
   }
+  const cwd = (payload && typeof payload.cwd === 'string') ? payload.cwd : process.cwd();
+  const paths = computePaths(cwd);
 
   const ts = new Date().toISOString().replace(/[:.]/g, '-');
-  const snapshotPath = path.join(SNAPSHOT_DIR, ts + '.json');
+  const snapshotPath = path.join(paths.snapshotDir, ts + '.json');
   const tmpPath = snapshotPath + '.tmp';
 
   // Ensure snapshot dir exists (mkdir -p semantics).
   try {
-    fs.mkdirSync(SNAPSHOT_DIR, { recursive: true });
+    fs.mkdirSync(paths.snapshotDir, { recursive: true });
   } catch {
     /* swallow — write will fail loudly below if truly missing */
   }
@@ -240,8 +261,8 @@ async function main() {
   }
 
   try {
-    const sections = readStateSections();
-    const events = readEventsTail(EVENTS_TAIL_COUNT);
+    const sections = readStateSections(paths);
+    const events = readEventsTail(paths, EVENTS_TAIL_COUNT);
     const decisions = sections.decisions.slice(-DECISIONS_TAIL_COUNT);
     const cycleId =
       sections.frontmatter && sections.frontmatter.milestone
@@ -280,7 +301,7 @@ async function main() {
     }
 
     // Retention prune (T-27.6.05-04 DoS mitigation).
-    pruneSnapshots();
+    pruneSnapshots(paths);
 
     // Best-effort event emit.
     const appendEvent = getAppendEvent();

package/hooks/gdd-protected-paths.js

@@ -59,28 +59,160 @@ function loadProtectedPaths(cwd) {
 }
 
 /**
- * Extract a target path from a Bash command, best-effort.
- * Returns an array of candidate paths; empty if none parsed.
+ * Tokenise a string of shell-style args into individual arguments, honoring
+ * single/double quotes and basic backslash escapes. Used by the bash target
+ * extractor to get reliable arg arrays for destructive coreutils.
+ */
+function parseShellArgs(s) {
+  const args = [];
+  let current = '';
+  let inQuote = null;
+  for (let i = 0; i < s.length; i++) {
+    const ch = s[i];
+    if (inQuote) {
+      if (ch === inQuote) {
+        inQuote = null;
+        args.push(current);
+        current = '';
+      } else if (ch === '\\' && i + 1 < s.length && (s[i + 1] === inQuote || s[i + 1] === '\\')) {
+        current += s[++i];
+      } else {
+        current += ch;
+      }
+    } else if (ch === '"' || ch === "'") {
+      if (current) { args.push(current); current = ''; }
+      inQuote = ch;
+    } else if (/\s/.test(ch)) {
+      if (current) { args.push(current); current = ''; }
+    } else if (ch === '\\' && i + 1 < s.length) {
+      current += s[++i];
+    } else {
+      current += ch;
+    }
+  }
+  if (current) args.push(current);
+  return args;
+}
+
+/**
+ * Extract destructive-op file targets from one shell pipeline segment
+ * (already split on `&&`/`||`/`;`/`|`). Catches:
+ *  - rm / cp / mv / mkdir / touch / rmdir / chmod / chown / ln / tee
+ *    with ALL their non-flag args (not just the first).
+ *  - git rm / mv / restore / checkout — same treatment.
+ *  - sed -i <args> file1 [file2 ...]
+ *  - > file and >> file redirects appearing anywhere in the segment.
+ *
+ * `sudo ` prefix is stripped before dispatch.
+ */
+function extractTargetsFromSegment(seg) {
+  const targets = [];
+  const cleaned = seg.replace(/^sudo\s+/, '');
+
+  // git destructive subcommands
+  const gitMatch = cleaned.match(/^git\s+(rm|mv|restore|checkout)\b(.*)$/);
+  if (gitMatch) {
+    const args = parseShellArgs(gitMatch[2]);
+    for (const arg of args) {
+      if (!arg.startsWith('-')) targets.push(arg);
+    }
+  }
+
+  // sed -i: only treat as destructive when -i is present
+  if (/^sed\b/.test(cleaned) && /(?:^|\s)-i(?:\b|=)/.test(cleaned)) {
+    const tokens = parseShellArgs(cleaned).slice(1); // drop 'sed'
+    let i = 0;
+    while (i < tokens.length) {
+      const tok = tokens[i];
+      // BSD `sed -i ''` consumes an extra empty-string arg
+      if (tok === '-i' && i + 1 < tokens.length && tokens[i + 1] === '') {
+        i += 2;
+        continue;
+      }
+      if (tok.startsWith('-')) { i++; continue; }
+      // First non-flag arg may be either an in-line sed script or a file;
+      // path matcher will simply not match a non-path. Be permissive: queue all.
+      targets.push(tok);
+      i++;
+    }
+  }
+
+  // Coreutils destructive verbs
+  const coreutilsMatch = cleaned.match(/^(rm|cp|mv|mkdir|touch|rmdir|chmod|chown|ln|tee)\b(.*)$/);
+  if (coreutilsMatch) {
+    const args = parseShellArgs(coreutilsMatch[2]);
+    for (const arg of args) {
+      if (!arg.startsWith('-')) targets.push(arg);
+    }
+  }
+
+  // Redirect targets: > file or >> file (appear anywhere in the segment)
+  const redirects = seg.matchAll(/(?:^|[^&>])>>?\s*([^\s|;&]+)/g);
+  for (const m of redirects) targets.push(m[1]);
+
+  return targets;
+}
+
+/**
+ * Extract all candidate file paths a Bash command may mutate. Walks the
+ * command string in three passes:
+ *
+ *   1. Recursively process every `$(...)` and `\`...\`` subshell. The
+ *      subshell is evaluated by the shell and its OUTPUT substitutes into
+ *      the parent command — but the inner commands themselves ALSO run,
+ *      so anything destructive inside is a target.
+ *   2. Strip subshells from the outer command to simplify splitting.
+ *   3. Split outer command on `&&`, `||`, `;`, `|` and feed each segment
+ *      to extractTargetsFromSegment.
+ *
+ * Previous implementation called String.prototype.match() (returns only
+ * the first match) and a single regex with a `[^\\s|;&>]+` capture group.
+ * That missed:
+ *   - chained commands (`rm safe.txt && rm secret`)
+ *   - multi-arg destructive verbs (`rm a b c` — only `a` was extracted)
+ *   - subshell content (`rm $(echo secret)`)
+ *   - backtick command substitution (`rm \`echo secret\``)
+ *
+ * xargs bypass — `find protected -print0 | xargs -0 rm` — is NOT closed
+ * here, because the targets come from stdin which we can't model without
+ * a full pipeline shape analysis. The `find` segment will be checked but
+ * the subsequent xargs+rm segment carries no explicit path. Project policy
+ * should rely on `find <protected-dir>` being blocked at the upstream
+ * segment via the .git/** / reference/** globs, plus general operator
+ * caution. Future enhancement: scan pipeline for xargs-with-destructive
+ * verbs and require the upstream stage to not reference protected globs.
  */
 function extractBashTargets(command) {
   if (!command) return [];
+
   const targets = [];
-  // rm / cp / mv / mkdir trailing arg(s)
-  const rmMatch = command.match(/\b(rm|cp|mv|mkdir|touch|rmdir|chmod|chown)\s+(?:-[A-Za-z]+\s+)*([^\s|;&>]+)/);
-  if (rmMatch) targets.push(rmMatch[2]);
-  // redirect / tee
-  const redirectMatch = command.match(/[>|]\s*(?:tee\s+)?([^\s|;&]+)$/);
-  if (redirectMatch) targets.push(redirectMatch[1]);
-  // sed -i <path> (BSD and GNU variants)
-  const sedMatch = command.match(/\bsed\s+-i(?:\s*['"][^'"]*['"])?\s+(?:-[A-Za-z]+\s+)*(?:['"][^'"]*['"]\s+)?([^\s|;&]+)/);
-  if (sedMatch) targets.push(sedMatch[1]);
-  // git rm / git mv
-  const gitMatch = command.match(/\bgit\s+(rm|mv|restore|checkout)\s+(?:-[A-Za-z]+\s+)*([^\s|;&]+)/);
-  if (gitMatch) targets.push(gitMatch[2]);
-
-  return targets
-    .filter(Boolean)
-    .map(p => p.replace(/^['"]|['"]$/g, ''));
+
+  // 1. Recursive subshell scan.
+  const SUBSHELL_RE = /\$\(([^()]*)\)|`([^`]*)`/g;
+  let m;
+  while ((m = SUBSHELL_RE.exec(command)) !== null) {
+    targets.push(...extractBashTargets(m[1] !== undefined ? m[1] : m[2]));
+  }
+
+  // 2. Strip subshells from outer command.
+  const stripped = command.replace(SUBSHELL_RE, '');
+
+  // 3. Split on shell separators and process each segment.
+  const segments = stripped.split(/\s*(?:&&|\|\||;|\|)\s*/);
+  for (const segment of segments) {
+    const seg = segment.trim();
+    if (!seg) continue;
+    targets.push(...extractTargetsFromSegment(seg));
+  }
+
+  // Dedup + strip surrounding quotes.
+  return [
+    ...new Set(
+      targets
+        .filter(Boolean)
+        .map((p) => p.replace(/^['"]|['"]$/g, '')),
+    ),
+  ];
 }
 
 async function main() {