@iaforged/context-code 1.0.72 → 1.0.74

package/dist/src/utils/bash/ast.js

@@ -0,0 +1,2590 @@
+/**
+ * AST-based bash command analysis using tree-sitter.
+ *
+ * This module replaces the shell-quote + hand-rolled char-walker approach in
+ * bashSecurity.ts / commands.ts. Instead of detecting parser differentials
+ * one-by-one, we parse with tree-sitter-bash and walk the tree with an
+ * EXPLICIT allowlist of node types. Any node type not in the allowlist causes
+ * the entire command to be classified as 'too-complex', which means it goes
+ * through the normal permission prompt flow.
+ *
+ * The key design property is FAIL-CLOSED: we never interpret structure we
+ * don't understand. If tree-sitter produces a node we haven't explicitly
+ * allowlisted, we refuse to extract argv and the caller must ask the user.
+ *
+ * This is NOT a sandbox. It does not prevent dangerous commands from running.
+ * It answers exactly one question: "Can we produce a trustworthy argv[] for
+ * each simple command in this string?" If yes, downstream code can match
+ * argv[0] against permission rules and flag allowlists. If no, ask the user.
+ */
+import { SHELL_KEYWORDS } from './bashParser.js';
+import { PARSE_ABORTED, parseCommandRaw } from './parser.js';
+/**
+ * Structural node types that represent composition of commands. We recurse
+ * through these to find the leaf `command` nodes. `program` is the root;
+ * `list` is `a && b || c`; `pipeline` is `a | b`; `redirected_statement`
+ * wraps a command with its redirects. Semicolon-separated commands appear
+ * as direct siblings under `program` (no wrapper node).
+ */
+const STRUCTURAL_TYPES = new Set([
+    'program',
+    'list',
+    'pipeline',
+    'redirected_statement',
+]);
+/**
+ * Operator tokens that separate commands. These are leaf nodes that appear
+ * between commands in `list`/`pipeline`/`program` and carry no payload.
+ */
+const SEPARATOR_TYPES = new Set(['&&', '||', '|', ';', '&', '|&', '\n']);
+/**
+ * Placeholder string used in outer argv when a $() is recursively extracted.
+ * The actual $() output is runtime-determined; the inner command(s) are
+ * checked against permission rules separately. Using a placeholder keeps
+ * the outer argv clean (no multi-line heredoc bodies polluting path
+ * extraction or triggering newline checks).
+ */
+const CMDSUB_PLACEHOLDER = '__CMDSUB_OUTPUT__';
+/**
+ * Placeholder for simple_expansion ($VAR) references to variables set earlier
+ * in the same command via variable_assignment. Since we tracked the assignment,
+ * we know the var exists and its value is either a static string or
+ * __CMDSUB_OUTPUT__ (if set via $()). Either way, safe to substitute.
+ */
+const VAR_PLACEHOLDER = '__TRACKED_VAR__';
+/**
+ * All placeholder strings. Used for defense-in-depth: if a varScope value
+ * contains ANY placeholder (exact or embedded), the value is NOT a pure
+ * literal and cannot be trusted as a bare argument. Covers composites like
+ * `VAR="prefix$(cmd)"` → `"prefix__CMDSUB_OUTPUT__"` — the substring check
+ * catches these where exact-match Set.has() would miss.
+ *
+ * Also catches user-typed literals that collide with placeholder strings:
+ * `VAR=__TRACKED_VAR__ && rm $VAR` — treated as non-literal (conservative).
+ */
+function containsAnyPlaceholder(value) {
+    return value.includes(CMDSUB_PLACEHOLDER) || value.includes(VAR_PLACEHOLDER);
+}
+/**
+ * Unquoted $VAR in bash undergoes word-splitting (on $IFS: space/tab/NL)
+ * and pathname expansion (glob matching on * ? [). Our argv stores a
+ * single string — but at runtime bash may produce MULTIPLE args, or paths
+ * matched by a glob. A value containing these metacharacters cannot be
+ * trusted as a bare arg: `VAR="-rf /" && rm $VAR` → bash runs `rm -rf /`
+ * (two args) but our argv would have `['rm', '-rf /']` (one arg). Similarly
+ * `VAR="/etc/*" && cat $VAR` → bash expands to all /etc files.
+ *
+ * Inside double-quotes ("$VAR"), neither splitting nor globbing applies —
+ * the value IS a single literal argument.
+ */
+const BARE_VAR_UNSAFE_RE = /[ \t\n*?[]/;
+// stdbuf flag forms — hoisted from the wrapper-stripping while-loop
+const STDBUF_SHORT_SEP_RE = /^-[ioe]$/;
+const STDBUF_SHORT_FUSED_RE = /^-[ioe]./;
+const STDBUF_LONG_RE = /^--(input|output|error)=/;
+/**
+ * Known-safe environment variables that bash sets automatically. Their values
+ * are controlled by the shell/OS, not arbitrary user input. Referencing these
+ * via $VAR is safe — the expansion is deterministic and doesn't introduce
+ * injection risk. Covers `$HOME`, `$PWD`, `$USER`, `$PATH`, `$SHELL`, etc.
+ * Intentionally small: only vars that are always set by bash/login and whose
+ * values are paths/names (not arbitrary content).
+ */
+const SAFE_ENV_VARS = new Set([
+    'HOME', // user's home directory
+    'PWD', // current working directory (bash maintains)
+    'OLDPWD', // previous directory
+    'USER', // current username
+    'LOGNAME', // login name
+    'SHELL', // user's login shell
+    'PATH', // executable search path
+    'HOSTNAME', // machine hostname
+    'UID', // user id
+    'EUID', // effective user id
+    'PPID', // parent process id
+    'RANDOM', // random number (bash builtin)
+    'SECONDS', // seconds since shell start
+    'LINENO', // current line number
+    'TMPDIR', // temp directory
+    // Special bash variables — always set, values are shell-controlled:
+    'BASH_VERSION', // bash version string
+    'BASHPID', // current bash process id
+    'SHLVL', // shell nesting level
+    'HISTFILE', // history file path
+    'IFS', // field separator (NOTE: only safe INSIDE strings; as bare arg
+    //       $IFS is the classic injection primitive and the insideString
+    //       gate in resolveSimpleExpansion correctly blocks it)
+]);
+/**
+ * Special shell variables ($?, $$, $!, $#, $0-$9). tree-sitter uses
+ * `special_variable_name` for these (not `variable_name`). Values are
+ * shell-controlled: exit status, PIDs, positional args. Safe to resolve
+ * ONLY inside strings (same rationale as SAFE_ENV_VARS — as bare args
+ * their value IS the argument and might be a path/flag from $1 etc.).
+ *
+ * SECURITY: '@' and '*' are NOT in this set. Inside "...", they expand to
+ * the positional params — which are EMPTY in a fresh BashTool shell (how we
+ * always spawn). Returning VAR_PLACEHOLDER would lie: `git "push$*"` gives
+ * argv ['git','push__TRACKED_VAR__'] while bash passes ['git','push']. Deny
+ * rule Bash(git push:*) fails on both .text (raw `$*`) AND rebuilt argv
+ * (placeholder). With them removed, resolveSimpleExpansion falls through to
+ * tooComplex for `$*` / `$@`. `echo "args: $*"` becomes too-complex —
+ * acceptable (rare in BashTool usage; `"$@"` even rarer).
+ */
+const SPECIAL_VAR_NAMES = new Set([
+    '?', // exit status of last command
+    '$', // current shell PID
+    '!', // last background PID
+    '#', // number of positional params
+    '0', // script name
+    '-', // shell option flags
+]);
+/**
+ * Node types that mean "this command cannot be statically analyzed." These
+ * either execute arbitrary code (substitutions, subshells, control flow) or
+ * expand to values we can't determine statically (parameter/arithmetic
+ * expansion, brace expressions).
+ *
+ * This set is not exhaustive — it documents KNOWN dangerous types. The real
+ * safety property is the allowlist in walkArgument/walkCommand: any type NOT
+ * explicitly handled there also triggers too-complex.
+ */
+const DANGEROUS_TYPES = new Set([
+    'command_substitution',
+    'process_substitution',
+    'expansion',
+    'simple_expansion',
+    'brace_expression',
+    'subshell',
+    'compound_statement',
+    'for_statement',
+    'while_statement',
+    'until_statement',
+    'if_statement',
+    'case_statement',
+    'function_definition',
+    'test_command',
+    'ansi_c_string',
+    'translated_string',
+    'herestring_redirect',
+    'heredoc_redirect',
+]);
+/**
+ * Numeric IDs for analytics (logEvent doesn't accept strings). Index into
+ * DANGEROUS_TYPES. Append new entries at the end to keep IDs stable.
+ * 0 = unknown/other, -1 = ERROR (parse failure), -2 = pre-check.
+ */
+const DANGEROUS_TYPE_IDS = [...DANGEROUS_TYPES];
+export function nodeTypeId(nodeType) {
+    if (!nodeType)
+        return -2;
+    if (nodeType === 'ERROR')
+        return -1;
+    const i = DANGEROUS_TYPE_IDS.indexOf(nodeType);
+    return i >= 0 ? i + 1 : 0;
+}
+/**
+ * Redirect operator tokens → canonical operator. tree-sitter produces these
+ * as child nodes of `file_redirect`.
+ */
+const REDIRECT_OPS = {
+    '>': '>',
+    '>>': '>>',
+    '<': '<',
+    '>&': '>&',
+    '<&': '<&',
+    '>|': '>|',
+    '&>': '&>',
+    '&>>': '&>>',
+    '<<<': '<<<',
+};
+/**
+ * Brace expansion pattern: {a,b} or {a..b}. Must have , or .. inside
+ * braces. We deliberately do NOT try to determine whether the opening brace
+ * is backslash-escaped: tree-sitter doesn't unescape backslashes, so
+ * distinguishing `\{a,b}` (escaped, literal) from `\\{a,b}` (literal
+ * backslash + expansion) would require reimplementing bash quote removal.
+ * Reject both — the escaped-brace case is rare and trivially rewritten
+ * with single quotes.
+ */
+const BRACE_EXPANSION_RE = /\{[^{}\s]*(,|\.\.)[^{}\s]*\}/;
+/**
+ * Control characters that bash silently drops but confuse static analysis.
+ * Includes CR (0x0D): tree-sitter treats CR as a word separator but bash's
+ * default IFS does not include CR, so tree-sitter and bash disagree on
+ * word boundaries.
+ */
+// eslint-disable-next-line no-control-regex
+const CONTROL_CHAR_RE = /[\x00-\x08\x0B-\x1F\x7F]/;
+/**
+ * Unicode whitespace beyond ASCII. These render invisibly (or as regular
+ * spaces) in terminals so a user reviewing the command can't see them, but
+ * bash treats them as literal word characters. Blocks NBSP, zero-width
+ * spaces, line/paragraph separators, BOM.
+ */
+const UNICODE_WHITESPACE_RE = /[\u00A0\u1680\u2000-\u200B\u2028\u2029\u202F\u205F\u3000\uFEFF]/;
+/**
+ * Backslash immediately before whitespace. bash treats `\ ` as a literal
+ * space inside the current word, but tree-sitter returns the raw text with
+ * the backslash still present. argv[0] from tree-sitter is `cat\ test`
+ * while bash runs `cat test` (with a literal space). Rather than
+ * reimplement bash's unescaping rules, we reject these — they're rare in
+ * practice and trivial to rewrite with quotes.
+ *
+ * Also matches `\` before newline (line continuation) when adjacent to a
+ * non-whitespace char. `tr\<NL>aceroute` — bash joins to `traceroute`, but
+ * tree-sitter splits into two words (differential). When `\<NL>` is preceded
+ * by whitespace (e.g. `foo && \<NL>bar`), there's no word to join — both
+ * parsers agree, so we allow it.
+ */
+const BACKSLASH_WHITESPACE_RE = /\\[ \t]|[^ \t\n\\]\\\n/;
+/**
+ * Zsh dynamic named directory expansion: ~[name]. In zsh this invokes the
+ * zsh_directory_name hook, which can run arbitrary code. bash treats it as
+ * a literal tilde followed by a glob character class. Since BashTool runs
+ * via the user's default shell (often zsh), reject conservatively.
+ */
+const ZSH_TILDE_BRACKET_RE = /~\[/;
+/**
+ * Zsh EQUALS expansion: word-initial `=cmd` expands to the absolute path of
+ * `cmd` (equivalent to `$(which cmd)`). `=curl evil.com` runs as
+ * `/usr/bin/curl evil.com`. tree-sitter parses `=curl` as a literal word, so
+ * a `Bash(curl:*)` deny rule matching on base command name won't see `curl`.
+ * Only matches word-initial `=` followed by a command-name char — `VAR=val`
+ * and `--flag=val` have `=` mid-word and are not expanded by zsh.
+ */
+const ZSH_EQUALS_EXPANSION_RE = /(?:^|[\s;&|])=[a-zA-Z_]/;
+/**
+ * Brace character combined with quote characters. Constructions like
+ * `{a'}',b}` use quoted braces inside brace expansion context to obfuscate
+ * the expansion from regex-based detection. In bash, `{a'}',b}` expands to
+ * `a} b` (the quoted `}` becomes literal inside the first alternative).
+ * These are hard to analyze correctly and have no legitimate use in
+ * commands we'd want to auto-allow.
+ *
+ * This check runs on a version of the command with `{` masked out of
+ * single-quoted and double-quoted spans, so JSON payloads like
+ * `curl -d '{"k":"v"}'` don't trigger a false positive. Brace expansion
+ * cannot occur inside quotes, so a `{` there can never start an obfuscation
+ * pattern. The quote characters themselves stay visible so `{a'}',b}` and
+ * `{@'{'0},...}` still match via the outer unquoted `{`.
+ */
+const BRACE_WITH_QUOTE_RE = /\{[^}]*['"]/;
+/**
+ * Mask `{` characters that appear inside single- or double-quoted contexts.
+ * Uses a single-pass bash-aware quote-state scanner instead of a regex.
+ *
+ * A naive regex (`/'[^']*'/g`) mis-detects spans when a `'` appears inside
+ * a double-quoted string: for `echo "it's" {a'}',b}`, it matches from the
+ * `'` in `it's` across to the `'` in `{a'}`, masking the unquoted `{` and
+ * producing a false negative. The scanner tracks actual bash quote state:
+ * `'` toggles single-quote only in unquoted context; `"` toggles
+ * double-quote only outside single quotes; `\` escapes the next char in
+ * unquoted context and escapes `"` / `\\` inside double quotes.
+ *
+ * Brace expansion is impossible in both quote contexts, so masking `{` in
+ * either is safe. Secondary defense: BRACE_EXPANSION_RE in walkArgument.
+ */
+function maskBracesInQuotedContexts(cmd) {
+    // Fast path: no `{` → nothing to mask. Skips the char-by-char scan for
+    // the >90% of commands with no braces (`ls -la`, `git status`, etc).
+    if (!cmd.includes('{'))
+        return cmd;
+    const out = [];
+    let inSingle = false;
+    let inDouble = false;
+    let i = 0;
+    while (i < cmd.length) {
+        const c = cmd[i];
+        if (inSingle) {
+            // Bash single quotes: no escapes, `'` always terminates.
+            if (c === "'")
+                inSingle = false;
+            out.push(c === '{' ? ' ' : c);
+            i++;
+        }
+        else if (inDouble) {
+            // Bash double quotes: `\` escapes `"` and `\` (also `$`, backtick,
+            // newline — but those don't affect quote state so we let them pass).
+            if (c === '\\' && (cmd[i + 1] === '"' || cmd[i + 1] === '\\')) {
+                out.push(c, cmd[i + 1]);
+                i += 2;
+            }
+            else {
+                if (c === '"')
+                    inDouble = false;
+                out.push(c === '{' ? ' ' : c);
+                i++;
+            }
+        }
+        else {
+            // Unquoted: `\` escapes any next char.
+            if (c === '\\' && i + 1 < cmd.length) {
+                out.push(c, cmd[i + 1]);
+                i += 2;
+            }
+            else {
+                if (c === "'")
+                    inSingle = true;
+                else if (c === '"')
+                    inDouble = true;
+                out.push(c);
+                i++;
+            }
+        }
+    }
+    return out.join('');
+}
+const DOLLAR = String.fromCharCode(0x24);
+/**
+ * Parse a bash command string and extract a flat list of simple commands.
+ * Returns 'too-complex' if the command uses any shell feature we can't
+ * statically analyze. Returns 'parse-unavailable' if tree-sitter WASM isn't
+ * loaded — caller should fall back to conservative behavior.
+ */
+export async function parseForSecurity(cmd) {
+    // parseCommandRaw('') returns null (falsy check), so short-circuit here.
+    // Don't use .trim() — it strips Unicode whitespace (\u00a0 etc.) which the
+    // pre-checks in parseForSecurityFromAst need to see and reject.
+    if (cmd === '')
+        return { kind: 'simple', commands: [] };
+    const root = await parseCommandRaw(cmd);
+    return root === null
+        ? { kind: 'parse-unavailable' }
+        : parseForSecurityFromAst(cmd, root);
+}
+/**
+ * Same as parseForSecurity but takes a pre-parsed AST root so callers that
+ * need the tree for other purposes can parse once and share. Pre-checks
+ * still run on `cmd` — they catch tree-sitter/bash differentials that a
+ * successful parse doesn't.
+ */
+export function parseForSecurityFromAst(cmd, root) {
+    // Pre-checks: characters that cause tree-sitter and bash to disagree on
+    // word boundaries. These run before tree-sitter because they're the known
+    // tree-sitter/bash differentials. Everything after this point trusts
+    // tree-sitter's tokenization.
+    if (CONTROL_CHAR_RE.test(cmd)) {
+        return { kind: 'too-complex', reason: 'Contains control characters' };
+    }
+    if (UNICODE_WHITESPACE_RE.test(cmd)) {
+        return { kind: 'too-complex', reason: 'Contains Unicode whitespace' };
+    }
+    if (BACKSLASH_WHITESPACE_RE.test(cmd)) {
+        return {
+            kind: 'too-complex',
+            reason: 'Contains backslash-escaped whitespace',
+        };
+    }
+    if (ZSH_TILDE_BRACKET_RE.test(cmd)) {
+        return {
+            kind: 'too-complex',
+            reason: 'Contains zsh ~[ dynamic directory syntax',
+        };
+    }
+    if (ZSH_EQUALS_EXPANSION_RE.test(cmd)) {
+        return {
+            kind: 'too-complex',
+            reason: 'Contains zsh =cmd equals expansion',
+        };
+    }
+    if (BRACE_WITH_QUOTE_RE.test(maskBracesInQuotedContexts(cmd))) {
+        return {
+            kind: 'too-complex',
+            reason: 'Contains brace with quote character (expansion obfuscation)',
+        };
+    }
+    const trimmed = cmd.trim();
+    if (trimmed === '') {
+        return { kind: 'simple', commands: [] };
+    }
+    if (root === PARSE_ABORTED) {
+        // SECURITY: module loaded but parse aborted (timeout / node budget /
+        // panic). Adversarially triggerable — `(( a[0][0]... ))` with ~2800
+        // subscripts hits PARSE_TIMEOUT_MICROS under the 10K length limit.
+        // Previously indistinguishable from module-not-loaded → routed to
+        // legacy (parse-unavailable), which lacks EVAL_LIKE_BUILTINS — `trap`,
+        // `enable`, `hash` leaked with Bash(*). Fail closed: too-complex → ask.
+        return {
+            kind: 'too-complex',
+            reason: 'Parser aborted (timeout or resource limit) — possible adversarial input',
+            nodeType: 'PARSE_ABORT',
+        };
+    }
+    return walkProgram(root);
+}
+function walkProgram(root) {
+    // ERROR-node check folded into collectCommands — any unhandled node type
+    // (including ERROR) falls through to tooComplex() in the default branch.
+    // Avoids a separate full-tree walk for error detection.
+    const commands = [];
+    // Track variables assigned earlier in the same command. When a
+    // simple_expansion ($VAR) references a tracked var, we can substitute
+    // a placeholder instead of returning too-complex. Enables patterns like
+    // `NOW=$(date) && jq --arg now "$NOW" ...` — $NOW is known to be the
+    // $(date) output (already extracted as inner command).
+    const varScope = new Map();
+    const err = collectCommands(root, commands, varScope);
+    if (err)
+        return err;
+    return { kind: 'simple', commands };
+}
+/**
+ * Recursively collect leaf `command` nodes from a structural wrapper node.
+ * Returns an error result on any disallowed node type, or null on success.
+ */
+function collectCommands(node, commands, varScope) {
+    if (node.type === 'command') {
+        // Pass `commands` as the innerCommands accumulator — any $() extracted
+        // during walkCommand gets appended alongside the outer command.
+        const result = walkCommand(node, [], commands, varScope);
+        if (result.kind !== 'simple')
+            return result;
+        commands.push(...result.commands);
+        return null;
+    }
+    if (node.type === 'redirected_statement') {
+        return walkRedirectedStatement(node, commands, varScope);
+    }
+    if (node.type === 'comment') {
+        return null;
+    }
+    if (STRUCTURAL_TYPES.has(node.type)) {
+        // SECURITY: `||`, `|`, `|&`, `&` must NOT carry varScope linearly. In bash:
+        //   `||` RHS runs conditionally → vars set there MAY not be set
+        //   `|`/`|&` stages run in subshells → vars set there are NEVER visible after
+        //   `&` LHS runs in a background subshell → same as above
+        // Flag-omission attack: `true || FLAG=--dry-run && cmd $FLAG` — bash skips
+        // the `||` RHS (FLAG unset → $FLAG empty), runs `cmd` WITHOUT --dry-run.
+        // With linear scope, our argv has ['cmd','--dry-run'] → looks SAFE → bypass.
+        //
+        // Fix: snapshot incoming scope at entry. After these separators, reset to
+        // the snapshot — vars set in clauses between separators don't leak. `scope`
+        // for clauses BETWEEN `&&`/`;` chains shares state (common `VAR=x && cmd
+        // $VAR`). `scope` crosses `||`/`|`/`&` as the pre-structure snapshot only.
+        //
+        // `&&` and `;` DO carry scope: `VAR=x && cmd $VAR` is sequential, VAR is set.
+        //
+        // NOTE: `scope` and `varScope` diverge after the first `||`/`|`/`&`. The
+        // caller's varScope is only mutated for the `&&`/`;` prefix — this is
+        // conservative (vars set in `A && B | C && D` leak A+B into caller, not
+        // C+D) but safe.
+        //
+        // Efficiency: snapshot is only needed if we hit `||`/`|`/`|&`/`&`. For
+        // the dominant case (`ls`, `git status` — no such separators), skip the
+        // Map alloc via a cheap pre-scan. For `pipeline`, node.type already tells
+        // us stages are subshells — copy once at entry, no snapshot needed (each
+        // reset uses the entry copy pattern via varScope, which is untouched).
+        const isPipeline = node.type === 'pipeline';
+        let needsSnapshot = false;
+        if (!isPipeline) {
+            for (const c of node.children) {
+                if (c && (c.type === '||' || c.type === '&')) {
+                    needsSnapshot = true;
+                    break;
+                }
+            }
+        }
+        const snapshot = needsSnapshot ? new Map(varScope) : null;
+        // For `pipeline`, ALL stages run in subshells — start with a copy so
+        // nothing mutates caller's scope. For `list`/`program`, the `&&`/`;`
+        // chain mutates caller's scope (sequential); fork only on `||`/`&`.
+        let scope = isPipeline ? new Map(varScope) : varScope;
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (SEPARATOR_TYPES.has(child.type)) {
+                if (child.type === '||' ||
+                    child.type === '|' ||
+                    child.type === '|&' ||
+                    child.type === '&') {
+                    // For pipeline: varScope is untouched (we started with a copy).
+                    // For list/program: snapshot is non-null (pre-scan set it).
+                    // `|`/`|&` only appear under `pipeline` nodes; `||`/`&` under list.
+                    scope = new Map(snapshot ?? varScope);
+                }
+                continue;
+            }
+            const err = collectCommands(child, commands, scope);
+            if (err)
+                return err;
+        }
+        return null;
+    }
+    if (node.type === 'negated_command') {
+        // `! cmd` inverts exit code only — doesn't execute code or affect
+        // argv. Recurse into the wrapped command. Common in CI: `! grep err`,
+        // `! test -f lock`, `! git diff --quiet`.
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (child.type === '!')
+                continue;
+            return collectCommands(child, commands, varScope);
+        }
+        return null;
+    }
+    if (node.type === 'declaration_command') {
+        // `export`/`local`/`readonly`/`declare`/`typeset`. tree-sitter emits
+        // these as declaration_command, not command, so they previously fell
+        // through to tooComplex. Values are validated via walkVariableAssignment:
+        // `$()` in the value is recursively extracted (inner command pushed to
+        // commands[], outer argv gets CMDSUB_PLACEHOLDER); other disallowed
+        // expansions still reject via walkArgument. argv[0] is the builtin name so
+        // `Bash(export:*)` rules match.
+        const argv = [];
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            switch (child.type) {
+                case 'export':
+                case 'local':
+                case 'readonly':
+                case 'declare':
+                case 'typeset':
+                    argv.push(child.text);
+                    break;
+                case 'word':
+                case 'number':
+                case 'raw_string':
+                case 'string':
+                case 'concatenation': {
+                    // Flags (`declare -r`), quoted names (`export "FOO=bar"`), numbers
+                    // (`declare -i 42`). Mirrors walkCommand's argv handling — before
+                    // this, `export "FOO=bar"` hit tooComplex on the `string` child.
+                    // walkArgument validates each (expansions still reject).
+                    const arg = walkArgument(child, commands, varScope);
+                    if (typeof arg !== 'string')
+                        return arg;
+                    // SECURITY: declare/typeset/local flags that change assignment
+                    // semantics break our static model. -n (nameref): `declare -n X=Y`
+                    // then `$X` dereferences to $Y's VALUE — varScope stores 'Y'
+                    // (target NAME), argv[0] shows 'Y' while bash runs whatever $Y
+                    // holds. -i (integer): `declare -i X='a[$(cmd)]'` arithmetically
+                    // evaluates the RHS at assignment time, running $(cmd) even from
+                    // a single-quoted raw_string (same primitive walkArithmetic
+                    // guards in $((…))). -a/-A (array): subscript arithmetic on
+                    // assignment. -r/-x/-g/-p/-f/-F are inert. Check the resolved
+                    // arg (not child.text) so `\-n` and quoted `-n` are caught.
+                    // Scope to declare/typeset/local only: `export -n` means "remove
+                    // export attribute" (not nameref), and export/readonly don't
+                    // accept -i; readonly -a/-A rejects subscripted args as invalid
+                    // identifiers so subscript-arith doesn't fire.
+                    if ((argv[0] === 'declare' ||
+                        argv[0] === 'typeset' ||
+                        argv[0] === 'local') &&
+                        /^-[a-zA-Z]*[niaA]/.test(arg)) {
+                        return {
+                            kind: 'too-complex',
+                            reason: `declare flag ${arg} changes assignment semantics (nameref/integer/array)`,
+                            nodeType: 'declaration_command',
+                        };
+                    }
+                    // SECURITY: bare positional assignment with a subscript also
+                    // evaluates — no -a/-i flag needed. `declare 'x[$(id)]=val'`
+                    // implicitly creates an array element, arithmetically evaluating
+                    // the subscript and running $(id). tree-sitter delivers the
+                    // single-quoted form as a raw_string leaf so walkArgument sees
+                    // only the literal text. Scoped to declare/typeset/local:
+                    // export/readonly reject `[` in identifiers before eval.
+                    if ((argv[0] === 'declare' ||
+                        argv[0] === 'typeset' ||
+                        argv[0] === 'local') &&
+                        arg[0] !== '-' &&
+                        /^[^=]*\[/.test(arg)) {
+                        return {
+                            kind: 'too-complex',
+                            reason: `declare positional '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
+                            nodeType: 'declaration_command',
+                        };
+                    }
+                    argv.push(arg);
+                    break;
+                }
+                case 'variable_assignment': {
+                    const ev = walkVariableAssignment(child, commands, varScope);
+                    if ('kind' in ev)
+                        return ev;
+                    // export/declare assignments populate the scope so later $VAR refs resolve.
+                    applyVarToScope(varScope, ev);
+                    argv.push(`${ev.name}=${ev.value}`);
+                    break;
+                }
+                case 'variable_name':
+                    // `export FOO` — bare name, no assignment.
+                    argv.push(child.text);
+                    break;
+                default:
+                    return tooComplex(child);
+            }
+        }
+        commands.push({ argv, envVars: [], redirects: [], text: node.text });
+        return null;
+    }
+    if (node.type === 'variable_assignment') {
+        // Bare `VAR=value` at statement level (not a command env prefix).
+        // Sets a shell variable — no code execution, no filesystem I/O.
+        // The value is validated via walkVariableAssignment → walkArgument,
+        // so `VAR=$(evil)` still recursively extracts/rejects based on the
+        // inner command. Does NOT push to commands — a bare assignment needs
+        // no permission rule (it's inert). Common pattern: `VAR=x && cmd`
+        // where cmd references $VAR. ~35% of too-complex in top-5k ant cmds.
+        const ev = walkVariableAssignment(node, commands, varScope);
+        if ('kind' in ev)
+            return ev;
+        // Populate scope so later `$VAR` references resolve.
+        applyVarToScope(varScope, ev);
+        return null;
+    }
+    if (node.type === 'for_statement') {
+        // `for VAR in WORD...; do BODY; done` — iterate BODY once per word.
+        // Body commands extracted once; every iteration runs the same commands.
+        //
+        // SECURITY: Loop var is ALWAYS treated as unknown-value (VAR_PLACEHOLDER).
+        // Even "static" iteration words can be:
+        //  - Absolute paths: `for i in /etc/passwd; do rm $i; done` — body argv
+        //    would have placeholder, path validation never sees /etc/passwd.
+        //  - Globs: `for i in /etc/*; do rm $i; done` — `/etc/*` is a static word
+        //    at parse time but bash expands it at runtime.
+        //  - Flags: `for i in -rf /; do rm $i; done` — flag smuggling.
+        //
+        // VAR_PLACEHOLDER means bare `$i` in body → too-complex. Only
+        // string-embedding (`echo "item: $i"`) stays simple. This reverts some
+        // of the too-complex→simple rescues in the original PR — each one was a
+        // potential path-validation bypass.
+        let loopVar = null;
+        let doGroup = null;
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (child.type === 'variable_name') {
+                loopVar = child.text;
+            }
+            else if (child.type === 'do_group') {
+                doGroup = child;
+            }
+            else if (child.type === 'for' ||
+                child.type === 'in' ||
+                child.type === 'select' ||
+                child.type === ';') {
+                continue; // structural tokens
+            }
+            else if (child.type === 'command_substitution') {
+                // `for i in $(seq 1 3)` — inner cmd IS extracted and rule-checked.
+                const err = collectCommandSubstitution(child, commands, varScope);
+                if (err)
+                    return err;
+            }
+            else {
+                // Iteration values — validated via walkArgument. Value discarded:
+                // body argv gets VAR_PLACEHOLDER regardless of the iteration words,
+                // and bare `$i` in body → too-complex (see SECURITY comment above).
+                // We still validate to reject e.g. `for i in $(cmd); do ...; done`
+                // where the iteration word itself is a disallowed expansion.
+                const arg = walkArgument(child, commands, varScope);
+                if (typeof arg !== 'string')
+                    return arg;
+            }
+        }
+        if (loopVar === null || doGroup === null)
+            return tooComplex(node);
+        // SECURITY: `for PS4 in '$(id)'; do set -x; :; done` sets PS4 directly
+        // via varScope.set below — walkVariableAssignment's PS4/IFS checks never
+        // fire. Trace-time RCE (PS4) or word-split bypass (IFS). No legit use.
+        if (loopVar === 'PS4' || loopVar === 'IFS') {
+            return {
+                kind: 'too-complex',
+                reason: `${loopVar} as loop variable bypasses assignment validation`,
+                nodeType: 'for_statement',
+            };
+        }
+        // SECURITY: Body uses a scope COPY — vars assigned inside the loop
+        // body don't leak to commands after `done`. The loop var itself is
+        // set in the REAL scope (bash semantics: $i still set after loop)
+        // and copied into the body scope. ALWAYS VAR_PLACEHOLDER — see above.
+        varScope.set(loopVar, VAR_PLACEHOLDER);
+        const bodyScope = new Map(varScope);
+        for (const c of doGroup.children) {
+            if (!c)
+                continue;
+            if (c.type === 'do' || c.type === 'done' || c.type === ';')
+                continue;
+            const err = collectCommands(c, commands, bodyScope);
+            if (err)
+                return err;
+        }
+        return null;
+    }
+    if (node.type === 'if_statement' || node.type === 'while_statement') {
+        // `if COND; then BODY; [elif...; else...;] fi`
+        // `while COND; do BODY; done`
+        // Extract condition command(s) + all branch/body commands. All get
+        // checked against permission rules. `while read VAR` tracks VAR so
+        // body can reference $VAR.
+        //
+        // SECURITY: Branch bodies use scope COPIES — vars assigned inside a
+        // conditional branch (which may not execute) must not leak to commands
+        // after fi/done. `if false; then T=safe; fi && rm $T` must reject $T.
+        // Condition commands use the REAL varScope (they always run for the
+        // check, so assignments there are unconditional — e.g., `while read V`
+        // tracking must persist to the body copy).
+        //
+        // tree-sitter if_statement children: if, COND..., then, THEN-BODY...,
+        // [elif_clause...], [else_clause], fi. We distinguish condition from
+        // then-body by tracking whether we've seen the `then` token.
+        let seenThen = false;
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (child.type === 'if' ||
+                child.type === 'fi' ||
+                child.type === 'else' ||
+                child.type === 'elif' ||
+                child.type === 'while' ||
+                child.type === 'until' ||
+                child.type === ';') {
+                continue;
+            }
+            if (child.type === 'then') {
+                seenThen = true;
+                continue;
+            }
+            if (child.type === 'do_group') {
+                // while body: recurse with scope COPY (body assignments don't leak
+                // past done). The COPY contains any `read VAR` tracking from the
+                // condition (already in real varScope at this point).
+                const bodyScope = new Map(varScope);
+                for (const c of child.children) {
+                    if (!c)
+                        continue;
+                    if (c.type === 'do' || c.type === 'done' || c.type === ';')
+                        continue;
+                    const err = collectCommands(c, commands, bodyScope);
+                    if (err)
+                        return err;
+                }
+                continue;
+            }
+            if (child.type === 'elif_clause' || child.type === 'else_clause') {
+                // elif_clause: elif, cond, ;, then, body... / else_clause: else, body...
+                // Scope COPY — elif/else branch assignments don't leak past fi.
+                const branchScope = new Map(varScope);
+                for (const c of child.children) {
+                    if (!c)
+                        continue;
+                    if (c.type === 'elif' ||
+                        c.type === 'else' ||
+                        c.type === 'then' ||
+                        c.type === ';') {
+                        continue;
+                    }
+                    const err = collectCommands(c, commands, branchScope);
+                    if (err)
+                        return err;
+                }
+                continue;
+            }
+            // Condition (seenThen=false) or then-body (seenThen=true).
+            // Condition uses REAL varScope (always runs). Then-body uses a COPY.
+            // Special-case `while read VAR`: after condition `read VAR` is
+            // collected, track VAR in the REAL scope so the body COPY inherits it.
+            const targetScope = seenThen ? new Map(varScope) : varScope;
+            const before = commands.length;
+            const err = collectCommands(child, commands, targetScope);
+            if (err)
+                return err;
+            // If condition included `read VAR...`, track vars in REAL scope.
+            // read var value is UNKNOWN (stdin input) → use VAR_PLACEHOLDER
+            // (unknown-value sentinel, string-only).
+            if (!seenThen) {
+                for (let i = before; i < commands.length; i++) {
+                    const c = commands[i];
+                    if (c?.argv[0] === 'read') {
+                        for (const a of c.argv.slice(1)) {
+                            // Skip flags (-r, -d, etc.); track bare identifier args as var names.
+                            if (!a.startsWith('-') && /^[A-Za-z_][A-Za-z0-9_]*$/.test(a)) {
+                                // SECURITY: commands[] is a flat accumulator. `true || read
+                                // VAR` in the condition: the list handler correctly uses a
+                                // scope COPY for the ||-RHS (may not run), but `read VAR`
+                                // IS still pushed to commands[] — we can't tell it was
+                                // scope-isolated from here. Same for `echo | read VAR`
+                                // (pipeline, subshell in bash) and `(read VAR)` (subshell).
+                                // Overwriting a tracked literal with VAR_PLACEHOLDER hides
+                                // path traversal: `VAR=../../etc/passwd && if true || read
+                                // VAR; then cat "/tmp/$VAR"; fi` — parser would see
+                                // /tmp/__TRACKED_VAR__, bash reads /etc/passwd. Fail closed
+                                // when a tracked literal would be overwritten. Safe case
+                                // (no prior value or already a placeholder) → proceed.
+                                const existing = varScope.get(a);
+                                if (existing !== undefined &&
+                                    !containsAnyPlaceholder(existing)) {
+                                    return {
+                                        kind: 'too-complex',
+                                        reason: `'read ${a}' in condition may not execute (||/pipeline/subshell); cannot prove it overwrites tracked literal '${existing}'`,
+                                        nodeType: 'if_statement',
+                                    };
+                                }
+                                varScope.set(a, VAR_PLACEHOLDER);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    if (node.type === 'subshell') {
+        // `(cmd1; cmd2)` — run commands in a subshell. Inner commands ARE
+        // executed, so extract them for permission checking. Subshell has
+        // isolated scope: vars set inside don't leak out. Use a COPY of
+        // varScope (outer vars visible, inner changes discarded).
+        const innerScope = new Map(varScope);
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (child.type === '(' || child.type === ')')
+                continue;
+            const err = collectCommands(child, commands, innerScope);
+            if (err)
+                return err;
+        }
+        return null;
+    }
+    if (node.type === 'test_command') {
+        // `[[ EXPR ]]` or `[ EXPR ]` — conditional test. Evaluates to true/false
+        // based on file tests (-f, -d), string comparisons (==, !=), etc.
+        // No code execution (no command_substitution inside — that would be a
+        // child and we'd recurse into it via walkArgument and reject it).
+        // Push as a synthetic command with argv[0]='[[' so permission rules
+        // can match — `Bash([[ :*)` would be unusual but legal.
+        // Walk arguments to validate (no cmdsub/expansion inside operands).
+        const argv = ['[['];
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            if (child.type === '[[' || child.type === ']]')
+                continue;
+            if (child.type === '[' || child.type === ']')
+                continue;
+            // Recurse into test expression structure: unary_expression,
+            // binary_expression, parenthesized_expression, negated_expression.
+            // The leaves are test_operator (-f, -d, ==) and operand words.
+            const err = walkTestExpr(child, argv, commands, varScope);
+            if (err)
+                return err;
+        }
+        commands.push({ argv, envVars: [], redirects: [], text: node.text });
+        return null;
+    }
+    if (node.type === 'unset_command') {
+        // `unset FOO BAR`, `unset -f func`. Safe: only removes shell
+        // variables/functions from the current shell — no code execution, no
+        // filesystem I/O. tree-sitter emits a dedicated node type so it
+        // previously fell through to tooComplex. Children: `unset` keyword,
+        // `variable_name` for each name, `word` for flags like `-f`/`-v`.
+        const argv = [];
+        for (const child of node.children) {
+            if (!child)
+                continue;
+            switch (child.type) {
+                case 'unset':
+                    argv.push(child.text);
+                    break;
+                case 'variable_name':
+                    argv.push(child.text);
+                    // SECURITY: unset removes the var from bash's scope. Remove from
+                    // varScope so subsequent `$VAR` references correctly reject.
+                    // `VAR=safe && unset VAR && rm $VAR` must NOT resolve $VAR.
+                    varScope.delete(child.text);
+                    break;
+                case 'word': {
+                    const arg = walkArgument(child, commands, varScope);
+                    if (typeof arg !== 'string')
+                        return arg;
+                    argv.push(arg);
+                    break;
+                }
+                default:
+                    return tooComplex(child);
+            }
+        }
+        commands.push({ argv, envVars: [], redirects: [], text: node.text });
+        return null;
+    }
+    return tooComplex(node);
+}
+/**
+ * Recursively walk a test_command expression tree (unary/binary/negated/
+ * parenthesized expressions). Leaves are test_operator tokens and operands
+ * (word/string/number/etc). Operands are validated via walkArgument.
+ */
+function walkTestExpr(node, argv, innerCommands, varScope) {
+    switch (node.type) {
+        case 'unary_expression':
+        case 'binary_expression':
+        case 'negated_expression':
+        case 'parenthesized_expression': {
+            for (const c of node.children) {
+                if (!c)
+                    continue;
+                const err = walkTestExpr(c, argv, innerCommands, varScope);
+                if (err)
+                    return err;
+            }
+            return null;
+        }
+        case 'test_operator':
+        case '!':
+        case '(':
+        case ')':
+        case '&&':
+        case '||':
+        case '==':
+        case '=':
+        case '!=':
+        case '<':
+        case '>':
+        case '=~':
+            argv.push(node.text);
+            return null;
+        case 'regex':
+        case 'extglob_pattern':
+            // RHS of =~ or ==/!= in [[ ]]. Pattern text only — no code execution.
+            // Parser emits these as leaf nodes with no children (any $(...) or ${...}
+            // inside the pattern is a sibling, not a child, and is walked separately).
+            argv.push(node.text);
+            return null;
+        default: {
+            // Operand — word, string, number, etc. Validate via walkArgument.
+            const arg = walkArgument(node, innerCommands, varScope);
+            if (typeof arg !== 'string')
+                return arg;
+            argv.push(arg);
+            return null;
+        }
+    }
+}
+/**
+ * A `redirected_statement` wraps a command (or pipeline) plus one or more
+ * `file_redirect`/`heredoc_redirect` nodes. Extract redirects, walk the
+ * inner command, attach redirects to the LAST command (the one whose output
+ * is being redirected).
+ */
+function walkRedirectedStatement(node, commands, varScope) {
+    const redirects = [];
+    let innerCommand = null;
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.type === 'file_redirect') {
+            // Thread `commands` so $() in redirect targets (e.g., `> $(mktemp)`)
+            // extracts the inner command for permission checking.
+            const r = walkFileRedirect(child, commands, varScope);
+            if ('kind' in r)
+                return r;
+            redirects.push(r);
+        }
+        else if (child.type === 'heredoc_redirect') {
+            const r = walkHeredocRedirect(child);
+            if (r)
+                return r;
+        }
+        else if (child.type === 'command' ||
+            child.type === 'pipeline' ||
+            child.type === 'list' ||
+            child.type === 'negated_command' ||
+            child.type === 'declaration_command' ||
+            child.type === 'unset_command') {
+            innerCommand = child;
+        }
+        else {
+            return tooComplex(child);
+        }
+    }
+    if (!innerCommand) {
+        // `> file` alone is valid bash (truncates file). Represent as a command
+        // with empty argv so downstream sees the write.
+        commands.push({ argv: [], envVars: [], redirects, text: node.text });
+        return null;
+    }
+    const before = commands.length;
+    const err = collectCommands(innerCommand, commands, varScope);
+    if (err)
+        return err;
+    if (commands.length > before && redirects.length > 0) {
+        const last = commands[commands.length - 1];
+        if (last)
+            last.redirects.push(...redirects);
+    }
+    return null;
+}
+/**
+ * Extract operator + target from a `file_redirect` node. The target must be
+ * a static word or string.
+ */
+function walkFileRedirect(node, innerCommands, varScope) {
+    let op = null;
+    let target = null;
+    let fd;
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.type === 'file_descriptor') {
+            fd = Number(child.text);
+        }
+        else if (child.type in REDIRECT_OPS) {
+            op = REDIRECT_OPS[child.type] ?? null;
+        }
+        else if (child.type === 'word' || child.type === 'number') {
+            // SECURITY: `number` nodes can contain expansion children via the
+            // `NN#<expansion>` arithmetic-base grammar quirk — same issue as
+            // walkArgument's number case. `> 10#$(cmd)` runs cmd at runtime.
+            // Plain word/number nodes have zero children.
+            if (child.children.length > 0)
+                return tooComplex(child);
+            // Symmetry with walkArgument (~608): `echo foo > {a,b}` is an
+            // ambiguous redirect in bash. tree-sitter actually emits a
+            // `concatenation` node for brace targets (caught by the default
+            // branch below), but check `word` text too for defense-in-depth.
+            if (BRACE_EXPANSION_RE.test(child.text))
+                return tooComplex(child);
+            // Unescape backslash sequences — same as walkArgument. Bash quote
+            // removal turns `\X` → `X`. Without this, `cat < /proc/self/\environ`
+            // stores target `/proc/self/\environ` which evades PROC_ENVIRON_RE,
+            // but bash reads /proc/self/environ.
+            target = child.text.replace(/\\(.)/g, '$1');
+        }
+        else if (child.type === 'raw_string') {
+            target = stripRawString(child.text);
+        }
+        else if (child.type === 'string') {
+            const s = walkString(child, innerCommands, varScope);
+            if (typeof s !== 'string')
+                return s;
+            target = s;
+        }
+        else if (child.type === 'concatenation') {
+            // `echo > "foo"bar` — tree-sitter produces a concatenation of string +
+            // word children. walkArgument already validates concatenation (rejects
+            // expansions, checks brace syntax) and returns the joined text.
+            const s = walkArgument(child, innerCommands, varScope);
+            if (typeof s !== 'string')
+                return s;
+            target = s;
+        }
+        else {
+            return tooComplex(child);
+        }
+    }
+    if (!op || target === null) {
+        return {
+            kind: 'too-complex',
+            reason: 'Unrecognized redirect shape',
+            nodeType: node.type,
+        };
+    }
+    return { op, target, fd };
+}
+/**
+ * Heredoc redirect. Only quoted-delimiter heredocs (<<'EOF') are safe —
+ * their bodies are literal text. Unquoted-delimiter heredocs (<<EOF)
+ * undergo full parameter/command/arithmetic expansion in the body.
+ *
+ * SECURITY: tree-sitter-bash has a grammar gap — backticks (`...`) inside
+ * an unquoted heredoc body are NOT parsed as command_substitution nodes
+ * (body.children is empty, backticks are in body.text). But bash DOES
+ * execute them. We cannot safely relax the quoted-delimiter requirement
+ * by checking body children for expansion nodes — we'd miss backtick
+ * substitution. Keep rejecting all unquoted heredocs. Users should use
+ * <<'EOF' to get a literal body, which the model already prefers.
+ */
+function walkHeredocRedirect(node) {
+    let startText = null;
+    let body = null;
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.type === 'heredoc_start')
+            startText = child.text;
+        else if (child.type === 'heredoc_body')
+            body = child;
+        else if (child.type === '<<' ||
+            child.type === '<<-' ||
+            child.type === 'heredoc_end' ||
+            child.type === 'file_descriptor') {
+            // expected structural tokens — safe to skip. file_descriptor
+            // covers fd-prefixed heredocs (`cat 3<<'EOF'`) — walkFileRedirect
+            // already treats it as a benign structural token.
+        }
+        else {
+            // SECURITY: tree-sitter places pipeline / command / file_redirect /
+            // && / etc. as children of heredoc_redirect when they follow the
+            // delimiter on the same line (e.g. `ls <<'EOF' | rm x`). Previously
+            // these were silently skipped, hiding the piped command from
+            // permission checks. Fail closed like every other walker.
+            return tooComplex(child);
+        }
+    }
+    const isQuoted = startText !== null &&
+        ((startText.startsWith("'") && startText.endsWith("'")) ||
+            (startText.startsWith('"') && startText.endsWith('"')) ||
+            startText.startsWith('\\'));
+    if (!isQuoted) {
+        return {
+            kind: 'too-complex',
+            reason: 'Heredoc with unquoted delimiter undergoes shell expansion',
+            nodeType: 'heredoc_redirect',
+        };
+    }
+    if (body) {
+        for (const child of body.children) {
+            if (!child)
+                continue;
+            if (child.type !== 'heredoc_content') {
+                return tooComplex(child);
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Here-string redirect (`<<< content`). The content becomes stdin — not
+ * argv, not a path. Safe when content is a literal word, raw_string, or
+ * string with no expansions. Reject when content contains $()/${}/$VAR —
+ * those execute arbitrary code or inject runtime values.
+ *
+ * Reuses walkArgument for content validation: it already rejects
+ * command_substitution, expansion, and (for strings) simple_expansion
+ * unless the var is tracked/safe. The result string is discarded — we only
+ * care that it's statically resolvable.
+ *
+ * NOTE: `VAR=$(cmd) && cat <<< "$VAR"` would be safe in principle (inner
+ * cmd is extracted separately, herestring content is stdin) but is
+ * currently rejected conservatively — walkString's solo-placeholder guard
+ * fires because it has no awareness of herestring vs argv context.
+ */
+function walkHerestringRedirect(node, innerCommands, varScope) {
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.type === '<<<')
+            continue;
+        // Content node: reuse walkArgument. It returns a string on success
+        // (which we discard — content is stdin, irrelevant to permissions) or
+        // a too-complex result on failure (expansion found, unresolvable var).
+        const content = walkArgument(child, innerCommands, varScope);
+        if (typeof content !== 'string')
+            return content;
+        // Herestring content is discarded (not in argv/envVars/redirects) but
+        // remains in .text via raw node.text. Scan it here so checkSemantics's
+        // NEWLINE_HASH invariant (bashPermissions.ts relies on it) still holds.
+        if (NEWLINE_HASH_RE.test(content))
+            return tooComplex(child);
+    }
+    return null;
+}
+/**
+ * Walk a `command` node and extract argv. Children appear in order:
+ * [variable_assignment...] command_name [argument...] [file_redirect...]
+ * Any child type not explicitly handled triggers too-complex.
+ */
+function walkCommand(node, extraRedirects, innerCommands, varScope) {
+    const argv = [];
+    const envVars = [];
+    const redirects = [...extraRedirects];
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        switch (child.type) {
+            case 'variable_assignment': {
+                const ev = walkVariableAssignment(child, innerCommands, varScope);
+                if ('kind' in ev)
+                    return ev;
+                // SECURITY: Env-prefix assignments (`VAR=x cmd`) are command-local in
+                // bash — VAR is only visible to `cmd` as an env var, NOT to
+                // subsequent commands. Do NOT add to global varScope — that would
+                // let `VAR=safe cmd1 && rm $VAR` resolve $VAR when bash has unset it.
+                envVars.push({ name: ev.name, value: ev.value });
+                break;
+            }
+            case 'command_name': {
+                const arg = walkArgument(child.children[0] ?? child, innerCommands, varScope);
+                if (typeof arg !== 'string')
+                    return arg;
+                argv.push(arg);
+                break;
+            }
+            case 'word':
+            case 'number':
+            case 'raw_string':
+            case 'string':
+            case 'concatenation':
+            case 'arithmetic_expansion': {
+                const arg = walkArgument(child, innerCommands, varScope);
+                if (typeof arg !== 'string')
+                    return arg;
+                argv.push(arg);
+                break;
+            }
+            // NOTE: command_substitution as a BARE argument (not inside a string)
+            // is intentionally NOT handled here — the $() output IS the argument,
+            // and for path-sensitive commands (cd, rm, chmod) the placeholder would
+            // hide the real path from downstream checks. `cd $(echo /etc)` must
+            // stay too-complex so the path-check can't be bypassed. $() inside
+            // strings ("Timer: $(date)") is handled in walkString where the output
+            // is embedded in a longer string (safer).
+            case 'simple_expansion': {
+                // Bare `$VAR` as an argument. Tracked static vars return the ACTUAL
+                // value (e.g. VAR=/etc → '/etc'). Values with IFS/glob chars or
+                // placeholders reject. See resolveSimpleExpansion.
+                const v = resolveSimpleExpansion(child, varScope, false);
+                if (typeof v !== 'string')
+                    return v;
+                argv.push(v);
+                break;
+            }
+            case 'file_redirect': {
+                const r = walkFileRedirect(child, innerCommands, varScope);
+                if ('kind' in r)
+                    return r;
+                redirects.push(r);
+                break;
+            }
+            case 'herestring_redirect': {
+                // `cmd <<< "content"` — content is stdin, not argv. Validate it's
+                // literal (no expansion); discard the content string.
+                const err = walkHerestringRedirect(child, innerCommands, varScope);
+                if (err)
+                    return err;
+                break;
+            }
+            default:
+                return tooComplex(child);
+        }
+    }
+    // .text is the raw source span. Downstream (bashToolCheckPermission →
+    // splitCommand_DEPRECATED) re-tokenizes it via shell-quote. Normally .text
+    // is used unchanged — but if we resolved a $VAR into argv, .text diverges
+    // (has raw `$VAR`) and downstream RULE MATCHING would miss deny rules.
+    //
+    // SECURITY: `SUB=push && git $SUB --force` with `Bash(git push:*)` deny:
+    //   argv = ['git', 'push', '--force']  ← correct, path validation sees 'push'
+    //   .text = 'git $SUB --force'         ← deny rule 'git push:*' doesn't match
+    //
+    // Detection: any `$<identifier>` in node.text means a simple_expansion was
+    // resolved (or we'd have returned too-complex). This catches $VAR at any
+    // position — command_name, word, string interior, concatenation part.
+    // `$(...)` doesn't match (paren, not identifier start). `'$VAR'` in single
+    // quotes: tree-sitter's .text includes the quotes, so a naive check would
+    // FP on `echo '$VAR'`. But single-quoted $ is LITERAL in bash — argv has
+    // the literal `$VAR` string, so rebuilding from argv produces `'$VAR'`
+    // anyway (shell-escape wraps it). Same net .text. No rule-matching error.
+    //
+    // Rebuild .text from argv. Shell-escape each arg: single-quote wrap with
+    // `'\''` for embedded single quotes. Empty string, metacharacters, and
+    // placeholders all get quoted. Downstream shell-quote re-parse is correct.
+    //
+    // NOTE: This does NOT include redirects/envVars in the rebuilt .text —
+    // walkFileRedirect rejects simple_expansion, and envVars aren't used for
+    // rule matching. If either changes, this rebuild must include them.
+    //
+    // SECURITY: also rebuild when node.text contains a newline. Line
+    // continuations `<space>\<LF>` are invisible to argv (tree-sitter collapses
+    // them) but preserved in node.text. `timeout 5 \<LF>curl evil.com` → argv
+    // is correct, but raw .text → stripSafeWrappers matches `timeout 5 ` (the
+    // space before \), leaving `\<LF>curl evil.com` — Bash(curl:*) deny doesn't
+    // prefix-match. Rebuilt .text joins argv with ' ' → no newlines →
+    // stripSafeWrappers works. Also covers heredoc-body leakage.
+    const text = /\$[A-Za-z_]/.test(node.text) || node.text.includes('\n')
+        ? argv
+            .map(a => a === '' || /["'\\ \t\n$`;|&<>(){}*?[\]~#]/.test(a)
+            ? `'${a.replace(/'/g, "'\\''")}'`
+            : a)
+            .join(' ')
+        : node.text;
+    return {
+        kind: 'simple',
+        commands: [{ argv, envVars, redirects, text }],
+    };
+}
+/**
+ * Recurse into a command_substitution node's inner command(s). If the inner
+ * command(s) parse cleanly (simple), add them to the innerCommands
+ * accumulator and return null (success). If the inner command is itself
+ * too-complex (e.g., nested arith expansion, process sub), return the error.
+ * This enables recursive permission checking: `echo $(git rev-parse HEAD)`
+ * extracts BOTH `echo $(git rev-parse HEAD)` (outer) AND `git rev-parse HEAD`
+ * (inner) — permission rules must match BOTH for the whole command to allow.
+ */
+function collectCommandSubstitution(csNode, innerCommands, varScope) {
+    // Vars set BEFORE the $() are visible inside (bash subshell semantics),
+    // but vars set INSIDE don't leak out. Pass a COPY of the outer scope so
+    // inner assignments don't mutate the outer map.
+    const innerScope = new Map(varScope);
+    // command_substitution children: `$(` or `` ` ``, inner statement(s), `)`
+    for (const child of csNode.children) {
+        if (!child)
+            continue;
+        if (child.type === '$(' || child.type === '`' || child.type === ')') {
+            continue;
+        }
+        const err = collectCommands(child, innerCommands, innerScope);
+        if (err)
+            return err;
+    }
+    return null;
+}
+/**
+ * Convert an argument node to its literal string value. Quotes are resolved.
+ * This function implements the argument-position allowlist.
+ */
+function walkArgument(node, innerCommands, varScope) {
+    if (!node) {
+        return { kind: 'too-complex', reason: 'Null argument node' };
+    }
+    switch (node.type) {
+        case 'word': {
+            // Unescape backslash sequences. In unquoted context, bash's quote
+            // removal turns `\X` → `X` for any character X. tree-sitter preserves
+            // the raw text. Required for checkSemantics: `\eval` must match
+            // EVAL_LIKE_BUILTINS, `\zmodload` must match ZSH_DANGEROUS_BUILTINS.
+            // Also makes argv accurate: `find -exec {} \;` → argv has `;` not
+            // `\;`. (Deny-rule matching on .text already worked via downstream
+            // splitCommand_DEPRECATED unescaping — see walkCommand comment.) `\<whitespace>`
+            // is already rejected by BACKSLASH_WHITESPACE_RE.
+            if (BRACE_EXPANSION_RE.test(node.text)) {
+                return {
+                    kind: 'too-complex',
+                    reason: 'Word contains brace expansion syntax',
+                    nodeType: 'word',
+                };
+            }
+            return node.text.replace(/\\(.)/g, '$1');
+        }
+        case 'number':
+            // SECURITY: tree-sitter-bash parses `NN#<expansion>` (arithmetic base
+            // syntax) as a `number` node with the expansion as a CHILD. `10#$(cmd)`
+            // is a number node whose .text is the full literal but whose child is a
+            // command_substitution — bash runs the substitution. .text on a node
+            // with children would smuggle the expansion past permission checks.
+            // Plain numbers (`10`, `16#ff`) have zero children.
+            if (node.children.length > 0) {
+                return {
+                    kind: 'too-complex',
+                    reason: 'Number node contains expansion (NN# arithmetic base syntax)',
+                    nodeType: node.children[0]?.type,
+                };
+            }
+            return node.text;
+        case 'raw_string':
+            return stripRawString(node.text);
+        case 'string':
+            return walkString(node, innerCommands, varScope);
+        case 'concatenation': {
+            if (BRACE_EXPANSION_RE.test(node.text)) {
+                return {
+                    kind: 'too-complex',
+                    reason: 'Brace expansion',
+                    nodeType: 'concatenation',
+                };
+            }
+            let result = '';
+            for (const child of node.children) {
+                if (!child)
+                    continue;
+                const part = walkArgument(child, innerCommands, varScope);
+                if (typeof part !== 'string')
+                    return part;
+                result += part;
+            }
+            return result;
+        }
+        case 'arithmetic_expansion': {
+            const err = walkArithmetic(node);
+            if (err)
+                return err;
+            return node.text;
+        }
+        case 'simple_expansion': {
+            // `$VAR` inside a concatenation (e.g., `prefix$VAR`). Same rules
+            // as the bare case in walkCommand: must be tracked or SAFE_ENV_VARS.
+            // inside-concatenation counts as bare arg (the whole concat IS the arg)
+            return resolveSimpleExpansion(node, varScope, false);
+        }
+        // NOTE: command_substitution at arg position (bare or inside concatenation)
+        // is intentionally NOT handled — the output is/becomes-part-of a positional
+        // argument which might be a path or flag. `rm $(foo)` or `rm $(foo)bar`
+        // would hide the real path behind the placeholder. Only $() inside a
+        // `string` node (walkString) is extracted, since the output is embedded
+        // in a longer string rather than BEING the argument.
+        default:
+            return tooComplex(node);
+    }
+}
+/**
+ * Extract literal content from a double-quoted string node. A `string` node's
+ * children are `"` delimiters, `string_content` literals, and possibly
+ * expansion nodes.
+ *
+ * tree-sitter quirk: literal newlines inside double quotes are NOT included
+ * in `string_content` node text. bash preserves them. For `"a\nb"`,
+ * tree-sitter produces two `string_content` children (`"a"`, `"b"`) with the
+ * newline in neither. For `"\n#"`, it produces ONE child (`"#"`) with the
+ * leading newline eaten. Concatenating children therefore loses newlines.
+ *
+ * Fix: track child `startIndex` and insert one `\n` per index gap. The gap
+ * between children IS the dropped newline(s). This makes the argv value
+ * match what bash actually sees.
+ */
+function walkString(node, innerCommands, varScope) {
+    let result = '';
+    let cursor = -1;
+    // SECURITY: Track whether the string contains a runtime-unknown
+    // placeholder ($() output or unknown-value tracked var) vs any literal
+    // content. A string that is ONLY a placeholder (`"$(cmd)"`, `"$VAR"`
+    // where VAR holds an unknown sentinel) produces an argv element that IS
+    // the placeholder — which downstream path validation resolves as a
+    // relative filename within cwd, bypassing the check. `cd "$(echo /etc)"`
+    // would pass validation but runtime-cd into /etc. We reject
+    // solo-placeholder strings; placeholders mixed with literal content
+    // (`"prefix: $(cmd)"`) are safe — runtime value can't equal a bare path.
+    let sawDynamicPlaceholder = false;
+    let sawLiteralContent = false;
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        // Index gap between this child and the previous one = dropped newline(s).
+        // Ignore the gap before the first non-delimiter child (cursor === -1).
+        // Skip gap-fill for `"` delimiters: a gap before the closing `"` is the
+        // tree-sitter whitespace-only-string quirk (space/tab, not newline) — let
+        // the Fix C check below catch it as too-complex instead of mis-filling
+        // with `\n` and diverging from bash.
+        if (cursor !== -1 && child.startIndex > cursor && child.type !== '"') {
+            result += '\n'.repeat(child.startIndex - cursor);
+            sawLiteralContent = true;
+        }
+        cursor = child.endIndex;
+        switch (child.type) {
+            case '"':
+                // Reset cursor after opening quote so the gap between `"` and the
+                // first content child is captured.
+                cursor = child.endIndex;
+                break;
+            case 'string_content':
+                // Bash double-quote escape rules (NOT the generic /\\(.)/g used for
+                // unquoted words in walkArgument): inside "...", a backslash only
+                // escapes $ ` " \ — other sequences like \n stay literal. So
+                // `"fix \"bug\""` → `fix "bug"`, but `"a\nb"` → `a\nb` (backslash
+                // kept). tree-sitter preserves the raw escapes in .text; we resolve
+                // them here so argv matches what bash actually passes.
+                result += child.text.replace(/\\([$`"\\])/g, '$1');
+                sawLiteralContent = true;
+                break;
+            case DOLLAR:
+                // A bare dollar sign before closing quote or a non-name char is
+                // literal in bash. tree-sitter emits it as a standalone node.
+                result += DOLLAR;
+                sawLiteralContent = true;
+                break;
+            case 'command_substitution': {
+                // Carve-out: `$(cat <<'EOF' ... EOF)` is safe. The quoted-delimiter
+                // heredoc body is literal (no expansion), and `cat` just prints it.
+                // The substitution result is therefore a known static string. This
+                // pattern is the idiomatic way to pass multi-line content to tools
+                // like `gh pr create --body`. We replace the substitution with a
+                // placeholder argv value — the actual content doesn't matter for
+                // permission checking, only that it IS static.
+                const heredocBody = extractSafeCatHeredoc(child);
+                if (heredocBody === 'DANGEROUS')
+                    return tooComplex(child);
+                if (heredocBody !== null) {
+                    // SECURITY: the body IS the substitution result. Previously we
+                    // dropped it → `rm "$(cat <<'EOF'\n/etc/passwd\nEOF)"` produced
+                    // argv ['rm',''] while bash runs `rm /etc/passwd`. validatePath('')
+                    // resolves to cwd → allowed. Every path-constrained command
+                    // bypassed via this. Now: append the body (trailing LF trimmed —
+                    // bash $() strips trailing newlines).
+                    //
+                    // Tradeoff: bodies with internal newlines are multi-line text
+                    // (markdown, scripts) which cannot be valid paths — safe to drop
+                    // to avoid NEWLINE_HASH_RE false positives on `## Summary`. A
+                    // single-line body (like `/etc/passwd`) MUST go into argv so
+                    // downstream path validation sees the real target.
+                    const trimmed = heredocBody.replace(/\n+$/, '');
+                    if (trimmed.includes('\n')) {
+                        sawLiteralContent = true;
+                        break;
+                    }
+                    result += trimmed;
+                    sawLiteralContent = true;
+                    break;
+                }
+                // General $() inside "...": recurse into inner command(s). If they
+                // parse cleanly, they become additional subcommands that the
+                // permission system must match rules against. The outer argv gets
+                // the original $() text as placeholder (runtime-determined value).
+                // `echo "SHA: $(git rev-parse HEAD)"` → extracts BOTH
+                // `echo "SHA: $(...)"` AND `git rev-parse HEAD` — both must match
+                // permission rules. ~27% of too-complex in top-5k ant cmds.
+                const err = collectCommandSubstitution(child, innerCommands, varScope);
+                if (err)
+                    return err;
+                result += CMDSUB_PLACEHOLDER;
+                sawDynamicPlaceholder = true;
+                break;
+            }
+            case 'simple_expansion': {
+                // `$VAR` inside "...". Tracked/safe vars resolve; untracked reject.
+                const v = resolveSimpleExpansion(child, varScope, true);
+                if (typeof v !== 'string')
+                    return v;
+                // VAR_PLACEHOLDER = runtime-unknown (loop var, read var, $() output,
+                // SAFE_ENV_VARS, special vars). Any other string = actual literal
+                // value from a tracked static var (e.g. VAR=/tmp → v='/tmp').
+                if (v === VAR_PLACEHOLDER)
+                    sawDynamicPlaceholder = true;
+                else
+                    sawLiteralContent = true;
+                result += v;
+                break;
+            }
+            case 'arithmetic_expansion': {
+                const err = walkArithmetic(child);
+                if (err)
+                    return err;
+                result += child.text;
+                // Validated to be literal-numeric — static content.
+                sawLiteralContent = true;
+                break;
+            }
+            default:
+                // expansion (${...}) inside "..."
+                return tooComplex(child);
+        }
+    }
+    // SECURITY: Reject solo-placeholder strings. `"$(cmd)"` or `"$VAR"` (where
+    // VAR holds an unknown value) would produce an argv element that IS the
+    // placeholder — which bypasses downstream path validation (validatePath
+    // resolves placeholders as relative filenames within cwd). Only allow
+    // placeholders embedded alongside literal content (`"prefix: $(cmd)"`).
+    if (sawDynamicPlaceholder && !sawLiteralContent) {
+        return tooComplex(node);
+    }
+    // SECURITY: tree-sitter-bash quirk — a double-quoted string containing
+    // ONLY whitespace (` "`, `" "`, `"\t"`) produces NO string_content child;
+    // the whitespace is attributed to the closing `"` node's text. Our loop
+    // only adds to `result` from string_content/expansion children, so we'd
+    // return "" when bash sees " ". Detect: we saw no content children
+    // (both flags false — neither literal nor placeholder added) but the
+    // source span is longer than bare `""`. Genuine `""` has text.length==2.
+    // `"$V"` with V="" doesn't hit this — the simple_expansion child sets
+    // sawLiteralContent via the `else` branch even when v is empty.
+    if (!sawLiteralContent && !sawDynamicPlaceholder && node.text.length > 2) {
+        return tooComplex(node);
+    }
+    return result;
+}
+/**
+ * Safe leaf nodes inside arithmetic expansion: integer literals (decimal,
+ * hex, octal, bash base#digits) and operator/paren tokens. Anything else at
+ * leaf position (notably variable_name that isn't a numeric literal) rejects.
+ */
+const ARITH_LEAF_RE = /^(?:[0-9]+|0[xX][0-9a-fA-F]+|[0-9]+#[0-9a-zA-Z]+|[-+*/%^&|~!<>=?:(),]+|<<|>>|\*\*|&&|\|\||[<>=!]=|\$\(\(|\)\))$/;
+/**
+ * Recursively validate an arithmetic_expansion node. Allows only literal
+ * numeric expressions — no variables, no substitutions. Returns null if
+ * safe, or a too-complex result if not.
+ *
+ * Variables are rejected because bash arithmetic recursively evaluates
+ * variable values: if x='a[$(cmd)]' then $((x)) executes cmd. See
+ * https://www.vidarholen.net/contents/blog/?p=716 (arithmetic injection).
+ *
+ * When safe, the caller puts the full `$((…))` span into argv as a literal
+ * string. bash will expand it to an integer at runtime; the static string
+ * won't match any sensitive path/deny patterns.
+ */
+function walkArithmetic(node) {
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.children.length === 0) {
+            if (!ARITH_LEAF_RE.test(child.text)) {
+                return {
+                    kind: 'too-complex',
+                    reason: `Arithmetic expansion references variable or non-literal: ${child.text}`,
+                    nodeType: 'arithmetic_expansion',
+                };
+            }
+            continue;
+        }
+        switch (child.type) {
+            case 'binary_expression':
+            case 'unary_expression':
+            case 'ternary_expression':
+            case 'parenthesized_expression': {
+                const err = walkArithmetic(child);
+                if (err)
+                    return err;
+                break;
+            }
+            default:
+                return tooComplex(child);
+        }
+    }
+    return null;
+}
+/**
+ * Check if a command_substitution node is exactly `$(cat <<'DELIM'...DELIM)`
+ * and return the heredoc body if so. Any deviation (extra args to cat,
+ * unquoted delimiter, additional commands) returns null.
+ *
+ * tree-sitter structure:
+ *   command_substitution
+ *     $(
+ *     redirected_statement
+ *       command → command_name → word "cat"    (exactly one child)
+ *       heredoc_redirect
+ *         <<
+ *         heredoc_start 'DELIM'                (quoted)
+ *         heredoc_body                         (pure heredoc_content)
+ *         heredoc_end
+ *     )
+ */
+function extractSafeCatHeredoc(subNode) {
+    // Expect exactly: $( + one redirected_statement + )
+    let stmt = null;
+    for (const child of subNode.children) {
+        if (!child)
+            continue;
+        if (child.type === '$(' || child.type === ')')
+            continue;
+        if (child.type === 'redirected_statement' && stmt === null) {
+            stmt = child;
+        }
+        else {
+            return null;
+        }
+    }
+    if (!stmt)
+        return null;
+    // redirected_statement must be: command(cat) + heredoc_redirect (quoted)
+    let sawCat = false;
+    let body = null;
+    for (const child of stmt.children) {
+        if (!child)
+            continue;
+        if (child.type === 'command') {
+            // Must be bare `cat` — no args, no env vars
+            const cmdChildren = child.children.filter(c => c);
+            if (cmdChildren.length !== 1)
+                return null;
+            const nameNode = cmdChildren[0];
+            if (nameNode?.type !== 'command_name' || nameNode.text !== 'cat') {
+                return null;
+            }
+            sawCat = true;
+        }
+        else if (child.type === 'heredoc_redirect') {
+            // Reuse the existing validator: quoted delimiter, body is pure text.
+            // walkHeredocRedirect returns null on success, non-null on rejection.
+            if (walkHeredocRedirect(child) !== null)
+                return null;
+            for (const hc of child.children) {
+                if (hc?.type === 'heredoc_body')
+                    body = hc.text;
+            }
+        }
+        else {
+            return null;
+        }
+    }
+    if (!sawCat || body === null)
+        return null;
+    // SECURITY: the heredoc body becomes the outer command's argv value via
+    // substitution, so a body like `/proc/self/environ` is semantically
+    // `cat /proc/self/environ`. checkSemantics never sees the body (we drop it
+    // at the walkString call site to avoid newline+# FPs). Returning `null`
+    // here would fall through to collectCommandSubstitution in walkString,
+    // which would extract the inner `cat` via walkHeredocRedirect (body text
+    // not inspected there) — effectively bypassing this check. Return a
+    // distinct sentinel so the caller can reject instead of falling through.
+    if (PROC_ENVIRON_RE.test(body))
+        return 'DANGEROUS';
+    // Same for jq system(): checkSemantics checks argv but never sees the
+    // heredoc body. Check unconditionally (we don't know the outer command).
+    if (/\bsystem\s*\(/.test(body))
+        return 'DANGEROUS';
+    return body;
+}
+function walkVariableAssignment(node, innerCommands, varScope) {
+    let name = null;
+    let value = '';
+    let isAppend = false;
+    for (const child of node.children) {
+        if (!child)
+            continue;
+        if (child.type === 'variable_name') {
+            name = child.text;
+        }
+        else if (child.type === '=' || child.type === '+=') {
+            // `PATH+=":/new"` — tree-sitter emits `+=` as a distinct operator
+            // node. Without this case it falls through to walkArgument below
+            // → tooComplex on unknown type `+=`.
+            isAppend = child.type === '+=';
+            continue;
+        }
+        else if (child.type === 'command_substitution') {
+            // $() as the variable's value. The output becomes a STRING stored in
+            // the variable — it's NOT a positional argument (no path/flag concern).
+            // `VAR=$(date)` runs `date`, stores output. `VAR=$(rm -rf /)` runs
+            // `rm` — the inner command IS checked against permission rules, so
+            // `rm` must match a rule. The variable just holds whatever `rm` prints.
+            const err = collectCommandSubstitution(child, innerCommands, varScope);
+            if (err)
+                return err;
+            value = CMDSUB_PLACEHOLDER;
+        }
+        else if (child.type === 'simple_expansion') {
+            // `VAR=$OTHER` — assignment RHS does NOT word-split or glob-expand
+            // in bash (unlike command arguments). So `A="a b"; B=$A` sets B to
+            // the literal "a b". Resolve as if inside a string (insideString=true)
+            // so BARE_VAR_UNSAFE_RE doesn't over-reject. The resulting value may
+            // contain spaces/globs — if B is later used as a bare arg, THAT use
+            // will correctly reject via BARE_VAR_UNSAFE_RE.
+            const v = resolveSimpleExpansion(child, varScope, true);
+            if (typeof v !== 'string')
+                return v;
+            // If v is VAR_PLACEHOLDER (OTHER holds unknown), store it — combined
+            // with containsAnyPlaceholder in the caller to treat as unknown.
+            value = v;
+        }
+        else {
+            const v = walkArgument(child, innerCommands, varScope);
+            if (typeof v !== 'string')
+                return v;
+            value = v;
+        }
+    }
+    if (name === null) {
+        return {
+            kind: 'too-complex',
+            reason: 'Variable assignment without name',
+            nodeType: 'variable_assignment',
+        };
+    }
+    // SECURITY: tree-sitter-bash accepts invalid var names (e.g. `1VAR=value`)
+    // as variable_assignment. Bash only recognizes [A-Za-z_][A-Za-z0-9_]* —
+    // anything else is run as a COMMAND. `1VAR=value` → bash tries to execute
+    // `1VAR=value` from PATH. We must not treat it as an inert assignment.
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
+        return {
+            kind: 'too-complex',
+            reason: `Invalid variable name (bash treats as command): ${name}`,
+            nodeType: 'variable_assignment',
+        };
+    }
+    // SECURITY: Setting IFS changes word-splitting behavior for subsequent
+    // unquoted $VAR expansions. `IFS=: && VAR=a:b && rm $VAR` → bash splits
+    // on `:` → `rm a b`. Our BARE_VAR_UNSAFE_RE only checks default IFS
+    // chars (space/tab/NL) — we can't model custom IFS. Reject.
+    if (name === 'IFS') {
+        return {
+            kind: 'too-complex',
+            reason: 'IFS assignment changes word-splitting — cannot model statically',
+            nodeType: 'variable_assignment',
+        };
+    }
+    // SECURITY: PS4 is expanded via promptvars (default on) on every command
+    // traced after `set -x`. A raw_string value containing $(cmd) or `cmd`
+    // executes at trace time: `PS4='$(id)' && set -x && :` runs id, but our
+    // argv is only [["set","-x"],[":"]] — the payload is invisible to
+    // permission checks. PS0-3 and PROMPT_COMMAND are not expanded in
+    // non-interactive shells (BashTool).
+    //
+    // ALLOWLIST, not blocklist. 5 rounds of bypass patches taught us that a
+    // value-dependent blocklist is structurally fragile:
+    //   - `+=` effective-value computation diverges from bash in multiple
+    //     scope-model gaps: `||` reset, env-prefix chain (PS4='' && PS4='$'
+    //     PS4+='(id)' cmd reads stale parent value), subshell.
+    //   - bash's decode_prompt_string runs BEFORE promptvars, so `\044(id)`
+    //     (octal for `$`) becomes `$(id)` at trace time — any literal-char
+    //     check must model prompt-escape decoding exactly.
+    //   - assignment paths exist outside walkVariableAssignment (for_statement
+    //     sets loopVar directly, see that handler's PS4 check).
+    //
+    // Policy: (1) reject += outright — no scope-tracking dependency; user can
+    // combine into one PS4=... (2) reject placeholders — runtime unknowable.
+    // (3) allowlist remaining value: ${identifier} refs (value-read only, safe)
+    // plus [A-Za-z0-9 _+:.\/=[\]-]. No bare `$` (blocks split primitive), no
+    // `\` (blocks octal \044/\140), no backtick, no parens. Covers all known
+    // encoding vectors and future ones — anything off the allowlist fails.
+    // Legit `PS4='+${BASH_SOURCE}:${LINENO}: '` still passes.
+    if (name === 'PS4') {
+        if (isAppend) {
+            return {
+                kind: 'too-complex',
+                reason: 'PS4 += cannot be statically verified — combine into a single PS4= assignment',
+                nodeType: 'variable_assignment',
+            };
+        }
+        if (containsAnyPlaceholder(value)) {
+            return {
+                kind: 'too-complex',
+                reason: 'PS4 value derived from cmdsub/variable — runtime unknowable',
+                nodeType: 'variable_assignment',
+            };
+        }
+        if (!/^[A-Za-z0-9 _+:./=[\]-]*$/.test(value.replace(/\$\{[A-Za-z_][A-Za-z0-9_]*\}/g, ''))) {
+            return {
+                kind: 'too-complex',
+                reason: 'PS4 value outside safe charset — only ${VAR} refs and [A-Za-z0-9 _+:.=/[]-] allowed',
+                nodeType: 'variable_assignment',
+            };
+        }
+    }
+    // SECURITY: Tilde expansion in assignment RHS. `VAR=~/x` (unquoted) →
+    // bash expands `~` at ASSIGNMENT time → VAR='/home/user/x'. We see the
+    // literal `~/x`. Later `cd $VAR` → our argv `['cd','~/x']`, bash runs
+    // `cd /home/user/x`. Tilde expansion also happens after `=` and `:` in
+    // assignment values (e.g. PATH=~/bin:~/sbin). We can't model it — reject
+    // any value containing `~` that isn't already quoted-literal (where bash
+    // doesn't expand). Conservative: any `~` in value → reject.
+    if (value.includes('~')) {
+        return {
+            kind: 'too-complex',
+            reason: 'Tilde in assignment value — bash may expand at assignment time',
+            nodeType: 'variable_assignment',
+        };
+    }
+    return { name, value, isAppend };
+}
+/**
+ * Resolve a `simple_expansion` ($VAR) node. Returns VAR_PLACEHOLDER if
+ * resolvable, too-complex otherwise.
+ *
+ * @param insideString true when $VAR is inside a `string` node ("...$VAR...")
+ *   rather than a bare/concatenation argument. SAFE_ENV_VARS and unknown-value
+ *   tracked vars are only allowed inside strings — as bare args their runtime
+ *   value IS the argument and we don't know it statically.
+ *   `cd $HOME/../x` would hide the real path behind the placeholder;
+ *   `echo "Home: $HOME"` just embeds text in a string. Tracked vars holding
+ *   STATIC strings (VAR=literal) are allowed in both positions since their
+ *   value IS known.
+ */
+function resolveSimpleExpansion(node, varScope, insideString) {
+    let varName = null;
+    let isSpecial = false;
+    for (const c of node.children) {
+        if (c?.type === 'variable_name') {
+            varName = c.text;
+            break;
+        }
+        if (c?.type === 'special_variable_name') {
+            varName = c.text;
+            isSpecial = true;
+            break;
+        }
+    }
+    if (varName === null)
+        return tooComplex(node);
+    // Tracked vars: check stored value. Literal strings (VAR=/tmp) are
+    // returned DIRECTLY so downstream path validation sees the real path.
+    // Non-literal values (containing any placeholder — loop vars, $() output,
+    // read vars, composites like `VAR="prefix$(cmd)"`) are ONLY safe inside
+    // strings; as bare args they'd hide the runtime path/flag from validation.
+    //
+    // SECURITY: Returning the actual trackedValue (not a placeholder) is the
+    // critical fix. `VAR=/etc && rm $VAR` → argv ['rm', '/etc'] → validatePath
+    // correctly rejects. Previously returned a placeholder → validatePath saw
+    // '__LOOP_STATIC__', resolved as cwd-relative → PASSED → bypass.
+    const trackedValue = varScope.get(varName);
+    if (trackedValue !== undefined) {
+        if (containsAnyPlaceholder(trackedValue)) {
+            // Non-literal: bare → reject, inside string → VAR_PLACEHOLDER
+            // (walkString's solo-placeholder gate rejects `"$VAR"` alone).
+            if (!insideString)
+                return tooComplex(node);
+            return VAR_PLACEHOLDER;
+        }
+        // Pure literal (e.g. '/tmp', 'foo') — return it directly. Downstream
+        // path validation / checkSemantics operate on the REAL value.
+        //
+        // SECURITY: For BARE args (not inside a string), bash word-splits on
+        // $IFS and glob-expands the result. `VAR="-rf /" && rm $VAR` → bash
+        // runs `rm -rf /` (two args); `VAR="/etc/*" && cat $VAR` → expands to
+        // all files. Reject values containing IFS/glob chars unless in "...".
+        //
+        // SECURITY: Empty value as bare arg. Bash word-splitting on "" produces
+        // ZERO fields — the expansion disappears. `V="" && $V eval x` → bash
+        // runs `eval x` (our argv would be ["","eval","x"] with name="" —
+        // every EVAL_LIKE/ZSH/keyword check misses). `V="" && ls $V /etc` →
+        // bash runs `ls /etc`, our argv has a phantom "" shifting positions.
+        // Inside "...": `"$V"` → bash produces one empty-string arg → our ""
+        // is correct, keep allowing.
+        if (!insideString) {
+            if (trackedValue === '')
+                return tooComplex(node);
+            if (BARE_VAR_UNSAFE_RE.test(trackedValue))
+                return tooComplex(node);
+        }
+        return trackedValue;
+    }
+    // SAFE_ENV_VARS + special vars ($?, $$, $@, $1, etc.): value unknown
+    // (shell-controlled). Only safe when embedded in a string, NOT as a
+    // bare argument to a path-sensitive command.
+    if (insideString) {
+        if (SAFE_ENV_VARS.has(varName))
+            return VAR_PLACEHOLDER;
+        if (isSpecial &&
+            (SPECIAL_VAR_NAMES.has(varName) || /^[0-9]+$/.test(varName))) {
+            return VAR_PLACEHOLDER;
+        }
+    }
+    return tooComplex(node);
+}
+/**
+ * Apply a variable assignment to the scope, handling `+=` append semantics.
+ * SECURITY: If EITHER side (existing value or appended value) contains a
+ * placeholder, the result is non-literal — store VAR_PLACEHOLDER so later
+ * $VAR correctly rejects as bare arg.
+ * `VAR=/etc && VAR+=$(cmd)` must not leave VAR looking static.
+ */
+function applyVarToScope(varScope, ev) {
+    const existing = varScope.get(ev.name) ?? '';
+    const combined = ev.isAppend ? existing + ev.value : ev.value;
+    varScope.set(ev.name, containsAnyPlaceholder(combined) ? VAR_PLACEHOLDER : combined);
+}
+function stripRawString(text) {
+    return text.slice(1, -1);
+}
+function tooComplex(node) {
+    const reason = node.type === 'ERROR'
+        ? 'Parse error'
+        : DANGEROUS_TYPES.has(node.type)
+            ? `Contains ${node.type}`
+            : `Unhandled node type: ${node.type}`;
+    return { kind: 'too-complex', reason, nodeType: node.type };
+}
+// ────────────────────────────────────────────────────────────────────────────
+// Post-argv semantic checks
+//
+// Everything above answers "can we tokenize?". Everything below answers
+// "is the resulting argv dangerous in ways that don't involve parsing?".
+// These are checks on argv[0] or argv content that the old bashSecurity.ts
+// validators performed but which have nothing to do with parser
+// differentials. They're here (not in bashSecurity.ts) because they operate
+// on SimpleCommand and need to run for every extracted command.
+// ────────────────────────────────────────────────────────────────────────────
+/**
+ * Zsh module builtins. These are not binaries on PATH — they're zsh
+ * internals loaded via zmodload. Since BashTool runs via the user's default
+ * shell (often zsh), and these parse as plain `command` nodes with no
+ * distinguishing syntax, we can only catch them by name.
+ */
+const ZSH_DANGEROUS_BUILTINS = new Set([
+    'zmodload',
+    'emulate',
+    'sysopen',
+    'sysread',
+    'syswrite',
+    'sysseek',
+    'zpty',
+    'ztcp',
+    'zsocket',
+    'zf_rm',
+    'zf_mv',
+    'zf_ln',
+    'zf_chmod',
+    'zf_chown',
+    'zf_mkdir',
+    'zf_rmdir',
+    'zf_chgrp',
+]);
+/**
+ * Shell builtins that evaluate their arguments as code or otherwise escape
+ * the argv abstraction. A command like `eval "rm -rf /"` has argv
+ * ['eval', 'rm -rf /'] which looks inert to flag validation but executes
+ * the string. Treat these the same as command substitution.
+ */
+const EVAL_LIKE_BUILTINS = new Set([
+    'eval',
+    'source',
+    '.',
+    'exec',
+    'command',
+    'builtin',
+    'fc',
+    // `coproc rm -rf /` spawns rm as a coprocess. tree-sitter parses it as
+    // a plain command with argv[0]='coproc', so permission rules and path
+    // validation would check 'coproc' not 'rm'.
+    'coproc',
+    // Zsh precommand modifiers: `noglob cmd args` runs cmd with globbing off.
+    // They parse as ordinary commands (noglob is argv[0], the real command is
+    // argv[1]) so permission matching against argv[0] would see 'noglob', not
+    // the wrapped command.
+    'noglob',
+    'nocorrect',
+    // `trap 'cmd' SIGNAL` — cmd runs as shell code on signal/exit. EXIT fires
+    // at end of every BashTool invocation, so this is guaranteed execution.
+    'trap',
+    // `enable -f /path/lib.so name` — dlopen arbitrary .so as a builtin.
+    // Native code execution.
+    'enable',
+    // `mapfile -C callback -c N` / `readarray -C callback` — callback runs as
+    // shell code every N input lines.
+    'mapfile',
+    'readarray',
+    // `hash -p /path cmd` — poisons bash's command-lookup cache. Subsequent
+    // `cmd` in the same command resolves to /path instead of PATH lookup.
+    'hash',
+    // `bind -x '"key":cmd'` / `complete -C cmd` — interactive-only callbacks
+    // but still code-string arguments. Low impact in non-interactive BashTool
+    // shells, blocked for consistency. `compgen -C cmd` is NOT interactive-only:
+    // it immediately executes the -C argument to generate completions.
+    'bind',
+    'complete',
+    'compgen',
+    // `alias name='cmd'` — aliases not expanded in non-interactive bash by
+    // default, but `shopt -s expand_aliases` enables them. Also blocked as
+    // defense-in-depth (alias followed by name use in same command).
+    'alias',
+    // `let EXPR` arithmetically evaluates EXPR — identical to $(( EXPR )).
+    // Array subscripts in the expression expand $(cmd) at eval time even when
+    // the argument arrived single-quoted: `let 'x=a[$(id)]'` executes id.
+    // tree-sitter sees the raw_string as an opaque leaf. Same primitive
+    // walkArithmetic guards, but `let` is a plain command node.
+    'let',
+]);
+/**
+ * Builtins that re-parse a NAME operand internally and arithmetically
+ * evaluate `arr[EXPR]` subscripts — including $(cmd) in the subscript —
+ * even when the argv element arrived from a single-quoted raw_string.
+ * `test -v 'a[$(id)]'` → tree-sitter sees an opaque leaf, bash runs id.
+ * Maps: builtin name → set of flags whose next argument is a NAME.
+ */
+const SUBSCRIPT_EVAL_FLAGS = {
+    test: new Set(['-v', '-R']),
+    '[': new Set(['-v', '-R']),
+    '[[': new Set(['-v', '-R']),
+    printf: new Set(['-v']),
+    read: new Set(['-a']),
+    unset: new Set(['-v']),
+    // bash 5.1+: `wait -p VAR [id...]` stores the waited PID into VAR. When VAR
+    // is `arr[EXPR]`, bash arithmetically evaluates the subscript — running
+    // $(cmd) even from a single-quoted raw_string. Verified bash 5.3.9:
+    // `: & wait -p 'a[$(id)]' %1` executes id.
+    wait: new Set(['-p']),
+};
+/**
+ * `[[ ARG1 OP ARG2 ]]` where OP is an arithmetic comparison. bash manual:
+ * "When used with [[, Arg1 and Arg2 are evaluated as arithmetic
+ * expressions." Arithmetic evaluation recursively expands array subscripts,
+ * so `[[ 'a[$(id)]' -eq 0 ]]` executes `id` even though tree-sitter sees
+ * the operand as an opaque raw_string leaf. Unlike -v/-R (unary, NAME after
+ * flag), these are binary — the subscript can appear on EITHER side, so
+ * SUBSCRIPT_EVAL_FLAGS's "next arg" logic is insufficient.
+ * `[` / `test` are not vulnerable (bash errors with "integer expression
+ * expected"), but the test_command handler normalizes argv[0]='[[' for
+ * both forms, so they get this check too — mild over-blocking, safe side.
+ */
+const TEST_ARITH_CMP_OPS = new Set(['-eq', '-ne', '-lt', '-le', '-gt', '-ge']);
+/**
+ * Builtins where EVERY non-flag positional argument is a NAME that bash
+ * re-parses and arithmetically evaluates subscripts on — no flag required.
+ * `read 'a[$(id)]'` executes id: each positional is a variable name to
+ * assign into, and `arr[EXPR]` is valid syntax there. `unset NAME...` is
+ * the same (though tree-sitter's unset_command handler currently rejects
+ * raw_string children before reaching here — this is defense-in-depth).
+ * NOT printf (positional args are FORMAT/data), NOT test/[ (operands are
+ * values, only -v/-R take a NAME). declare/typeset/local handled in
+ * declaration_command since they never reach here as plain commands.
+ */
+const BARE_SUBSCRIPT_NAME_BUILTINS = new Set(['read', 'unset']);
+/**
+ * `read` flags whose NEXT argument is data (prompt/delimiter/count/fd),
+ * not a NAME. `read -p '[foo] ' var` must not trip on the `[` in the
+ * prompt string. `-a` is intentionally absent — its operand IS a NAME.
+ */
+const READ_DATA_FLAGS = new Set(['-p', '-d', '-n', '-N', '-t', '-u', '-i']);
+// SHELL_KEYWORDS imported from bashParser.ts — shell reserved words can never
+// be legitimate argv[0]; if they appear, the parser mis-parsed a compound
+// command. Reject to avoid nonsense argv reaching downstream.
+// Use `.*` not `[^/]*` — Linux resolves `..` in procfs, so
+// `/proc/self/../self/environ` works and must be caught.
+const PROC_ENVIRON_RE = /\/proc\/.*\/environ/;
+/**
+ * Newline followed by `#` in an argv element, env var value, or redirect target.
+ * Downstream stripSafeWrappers re-tokenizes .text line-by-line and treats `#`
+ * after a newline as a comment, hiding arguments that follow.
+ */
+const NEWLINE_HASH_RE = /\n[ \t]*#/;
+/**
+ * Post-argv semantic checks. Run after parseForSecurity returns 'simple' to
+ * catch commands that tokenize fine but are dangerous by name or argument
+ * content. Returns the first failure or {ok: true}.
+ */
+export function checkSemantics(commands) {
+    for (const cmd of commands) {
+        // Strip safe wrapper commands (nohup, time, timeout N, nice -n N) so
+        // `nohup eval "..."` and `timeout 5 jq 'system(...)'` are checked
+        // against the wrapped command, not the wrapper. Inlined here to avoid
+        // circular import with bashPermissions.ts.
+        let a = cmd.argv;
+        for (;;) {
+            if (a[0] === 'time' || a[0] === 'nohup') {
+                a = a.slice(1);
+            }
+            else if (a[0] === 'timeout') {
+                // `timeout 5`, `timeout 5s`, `timeout 5.5`, plus optional GNU flags
+                // preceding the duration. Long: --foreground, --kill-after=N,
+                // --signal=SIG, --preserve-status. Short: -k DUR, -s SIG, -v (also
+                // fused: -k5, -sTERM).
+                // SECURITY (SAST Mar 2026): the previous loop only skipped `--long`
+                // flags, so `timeout -k 5 10 eval ...` broke out with name='timeout'
+                // and the wrapped eval was never checked. Now handle known short
+                // flags AND fail closed on any unrecognized flag — an unknown flag
+                // means we can't locate the wrapped command, so we must not silently
+                // fall through to name='timeout'.
+                let i = 1;
+                while (i < a.length) {
+                    const arg = a[i];
+                    if (arg === '--foreground' ||
+                        arg === '--preserve-status' ||
+                        arg === '--verbose') {
+                        i++; // known no-value long flags
+                    }
+                    else if (/^--(?:kill-after|signal)=[A-Za-z0-9_.+-]+$/.test(arg)) {
+                        i++; // --kill-after=5, --signal=TERM (value fused with =)
+                    }
+                    else if ((arg === '--kill-after' || arg === '--signal') &&
+                        a[i + 1] &&
+                        /^[A-Za-z0-9_.+-]+$/.test(a[i + 1])) {
+                        i += 2; // --kill-after 5, --signal TERM (space-separated)
+                    }
+                    else if (arg.startsWith('--')) {
+                        // Unknown long flag, OR --kill-after/--signal with non-allowlisted
+                        // value (e.g. placeholder from $() substitution). Fail closed.
+                        return {
+                            ok: false,
+                            reason: `timeout with ${arg} flag cannot be statically analyzed`,
+                        };
+                    }
+                    else if (arg === '-v') {
+                        i++; // --verbose, no argument
+                    }
+                    else if ((arg === '-k' || arg === '-s') &&
+                        a[i + 1] &&
+                        /^[A-Za-z0-9_.+-]+$/.test(a[i + 1])) {
+                        i += 2; // -k DURATION / -s SIGNAL — separate value
+                    }
+                    else if (/^-[ks][A-Za-z0-9_.+-]+$/.test(arg)) {
+                        i++; // fused: -k5, -sTERM
+                    }
+                    else if (arg.startsWith('-')) {
+                        // Unknown flag OR -k/-s with non-allowlisted value — can't locate
+                        // wrapped cmd. Reject, don't fall through to name='timeout'.
+                        return {
+                            ok: false,
+                            reason: `timeout with ${arg} flag cannot be statically analyzed`,
+                        };
+                    }
+                    else {
+                        break; // non-flag — should be the duration
+                    }
+                }
+                if (a[i] && /^\d+(?:\.\d+)?[smhd]?$/.test(a[i])) {
+                    a = a.slice(i + 1);
+                }
+                else if (a[i]) {
+                    // SECURITY (PR #21503 round 3): a[i] exists but doesn't match our
+                    // duration regex. GNU timeout parses via xstrtod() (libc strtod) and
+                    // accepts `.5`, `+5`, `5e-1`, `inf`, `infinity`, hex floats — none
+                    // of which match `/^\d+(\.\d+)?[smhd]?$/`. Empirically verified:
+                    // `timeout .5 echo ok` works. Previously this branch `break`ed
+                    // (fail-OPEN) so `timeout .5 eval "id"` with `Bash(timeout:*)` left
+                    // name='timeout' and eval was never checked. Now fail CLOSED —
+                    // consistent with the unknown-FLAG handling above (lines ~1895,1912).
+                    return {
+                        ok: false,
+                        reason: `timeout duration '${a[i]}' cannot be statically analyzed`,
+                    };
+                }
+                else {
+                    break; // no more args — `timeout` alone, inert
+                }
+            }
+            else if (a[0] === 'nice') {
+                // `nice cmd`, `nice -n N cmd`, `nice -N cmd` (legacy). All run cmd
+                // at a lower priority. argv[0] check must see the wrapped cmd.
+                if (a[1] === '-n' && a[2] && /^-?\d+$/.test(a[2])) {
+                    a = a.slice(3);
+                }
+                else if (a[1] && /^-\d+$/.test(a[1])) {
+                    a = a.slice(2); // `nice -10 cmd`
+                }
+                else if (a[1] && /[$(`]/.test(a[1])) {
+                    // SECURITY: walkArgument returns node.text for arithmetic_expansion,
+                    // so `nice $((0-5)) jq ...` has a[1]='$((0-5))'. Bash expands it to
+                    // '-5' (legacy nice syntax) and execs jq; we'd slice(1) here and
+                    // set name='$((0-5))' which skips the jq system() check entirely.
+                    // Fail closed — mirrors the timeout-duration fail-closed above.
+                    return {
+                        ok: false,
+                        reason: `nice argument '${a[1]}' contains expansion — cannot statically determine wrapped command`,
+                    };
+                }
+                else {
+                    a = a.slice(1); // bare `nice cmd`
+                }
+            }
+            else if (a[0] === 'env') {
+                // `env [VAR=val...] [-i] [-0] [-v] [-u NAME...] cmd args` runs cmd.
+                // argv[0] check must see cmd, not env. Skip known-safe forms only.
+                // SECURITY: -S splits a string into argv (mini-shell) — must reject.
+                // -C/-P change cwd/PATH — wrapped cmd runs elsewhere, reject.
+                // Any OTHER flag → reject (fail-closed, not fail-open to name='env').
+                let i = 1;
+                while (i < a.length) {
+                    const arg = a[i];
+                    if (arg.includes('=') && !arg.startsWith('-')) {
+                        i++; // VAR=val assignment
+                    }
+                    else if (arg === '-i' || arg === '-0' || arg === '-v') {
+                        i++; // flags with no argument
+                    }
+                    else if (arg === '-u' && a[i + 1]) {
+                        i += 2; // -u NAME unsets; takes one arg
+                    }
+                    else if (arg.startsWith('-')) {
+                        // -S (argv splitter), -C (altwd), -P (altpath), --anything,
+                        // or unknown flag. Can't model — reject the whole command.
+                        return {
+                            ok: false,
+                            reason: `env with ${arg} flag cannot be statically analyzed`,
+                        };
+                    }
+                    else {
+                        break; // the wrapped command
+                    }
+                }
+                if (i < a.length) {
+                    a = a.slice(i);
+                }
+                else {
+                    break; // `env` alone (no wrapped cmd) — inert, name='env'
+                }
+            }
+            else if (a[0] === 'stdbuf') {
+                // `stdbuf -o0 cmd` (fused), `stdbuf -o 0 cmd` (space-separated),
+                // multiple flags (`stdbuf -o0 -eL cmd`), long forms (`--output=0`).
+                // SECURITY: previous handling only stripped ONE flag and fell through
+                // to slice(2) for anything unrecognized, so `stdbuf --output 0 eval`
+                // → ['0','eval',...] → name='0' hid eval. Now iterate all known flag
+                // forms and fail closed on any unknown flag.
+                let i = 1;
+                while (i < a.length) {
+                    const arg = a[i];
+                    if (STDBUF_SHORT_SEP_RE.test(arg) && a[i + 1]) {
+                        i += 2; // -o MODE (space-separated)
+                    }
+                    else if (STDBUF_SHORT_FUSED_RE.test(arg)) {
+                        i++; // -o0 (fused)
+                    }
+                    else if (STDBUF_LONG_RE.test(arg)) {
+                        i++; // --output=MODE (fused long)
+                    }
+                    else if (arg.startsWith('-')) {
+                        // --output MODE (space-separated long) or unknown flag. GNU
+                        // stdbuf long options use `=` syntax, but getopt_long also
+                        // accepts space-separated — we can't enumerate safely, reject.
+                        return {
+                            ok: false,
+                            reason: `stdbuf with ${arg} flag cannot be statically analyzed`,
+                        };
+                    }
+                    else {
+                        break; // the wrapped command
+                    }
+                }
+                if (i > 1 && i < a.length) {
+                    a = a.slice(i);
+                }
+                else {
+                    break; // `stdbuf` with no flags or no wrapped cmd — inert
+                }
+            }
+            else {
+                break;
+            }
+        }
+        const name = a[0];
+        if (name === undefined)
+            continue;
+        // SECURITY: Empty command name. Quoted empty (`"" cmd`) is harmless —
+        // bash tries to exec "" and fails with "command not found". But an
+        // UNQUOTED empty expansion at command position (`V="" && $V cmd`) is a
+        // bypass: bash drops the empty field and runs `cmd` as argv[0], while
+        // our name="" skips every builtin check below. resolveSimpleExpansion
+        // rejects the $V case; this catches any other path to empty argv[0]
+        // (concatenation of empties, walkString whitespace-quirk, future bugs).
+        if (name === '') {
+            return {
+                ok: false,
+                reason: 'Empty command name — argv[0] may not reflect what bash runs',
+            };
+        }
+        // Defense-in-depth: argv[0] should never be a placeholder after the
+        // var-tracking fix (static vars return real value, unknown vars reject).
+        // But if a bug upstream ever lets one through, catch it here — a
+        // placeholder-as-command-name means runtime-determined command → unsafe.
+        if (name.includes(CMDSUB_PLACEHOLDER) || name.includes(VAR_PLACEHOLDER)) {
+            return {
+                ok: false,
+                reason: 'Command name is runtime-determined (placeholder argv[0])',
+            };
+        }
+        // argv[0] starts with an operator/flag: this is a fragment, not a
+        // command. Likely a line-continuation leak or a mistake.
+        if (name.startsWith('-') || name.startsWith('|') || name.startsWith('&')) {
+            return {
+                ok: false,
+                reason: 'Command appears to be an incomplete fragment',
+            };
+        }
+        // SECURITY: builtins that re-parse a NAME operand internally. bash
+        // arithmetically evaluates `arr[EXPR]` in NAME position, running $(cmd)
+        // in the subscript even when the argv element arrived from a
+        // single-quoted raw_string (opaque leaf to tree-sitter). Two forms:
+        // separate (`printf -v NAME`) and fused (`printf -vNAME`, getopt-style).
+        // `printf '[%s]' x` stays safe — `[` in format string, not after `-v`.
+        const dangerFlags = SUBSCRIPT_EVAL_FLAGS[name];
+        if (dangerFlags !== undefined) {
+            for (let i = 1; i < a.length; i++) {
+                const arg = a[i];
+                // Separate form: `-v` then NAME in next arg.
+                if (dangerFlags.has(arg) && a[i + 1]?.includes('[')) {
+                    return {
+                        ok: false,
+                        reason: `'${name} ${arg}' operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+                    };
+                }
+                // Combined short flags: `-ra` is bash shorthand for `-r -a`.
+                // Check if any danger flag character appears in a combined flag
+                // string. The danger flag's NAME operand is the next argument.
+                if (arg.length > 2 &&
+                    arg[0] === '-' &&
+                    arg[1] !== '-' &&
+                    !arg.includes('[')) {
+                    for (const flag of dangerFlags) {
+                        if (flag.length === 2 && arg.includes(flag[1])) {
+                            if (a[i + 1]?.includes('[')) {
+                                return {
+                                    ok: false,
+                                    reason: `'${name} ${flag}' (combined in '${arg}') operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+                                };
+                            }
+                        }
+                    }
+                }
+                // Fused form: `-vNAME` in one arg. Only short-option flags fuse
+                // (getopt), so check -v/-a/-R. `[[` uses test_operator nodes only.
+                for (const flag of dangerFlags) {
+                    if (flag.length === 2 &&
+                        arg.startsWith(flag) &&
+                        arg.length > 2 &&
+                        arg.includes('[')) {
+                        return {
+                            ok: false,
+                            reason: `'${name} ${flag}' (fused) operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+                        };
+                    }
+                }
+            }
+        }
+        // SECURITY: `[[ ARG OP ARG ]]` arithmetic comparison. bash evaluates
+        // BOTH operands as arithmetic expressions, recursively expanding
+        // `arr[$(cmd)]` subscripts even from single-quoted raw_string. Check
+        // the operand adjacent to each arith-cmp operator on BOTH sides —
+        // SUBSCRIPT_EVAL_FLAGS's "flag then next-arg" pattern can't express
+        // "either side of a binary op". String comparisons (==/!=/=~) do NOT
+        // trigger arithmetic eval — `[[ 'a[x]' == y ]]` is a literal string cmp.
+        if (name === '[[') {
+            // i starts at 2: a[0]='[[' (contains '['), a[1] is the first real
+            // operand. A binary op can't appear before index 2.
+            for (let i = 2; i < a.length; i++) {
+                if (!TEST_ARITH_CMP_OPS.has(a[i]))
+                    continue;
+                if (a[i - 1]?.includes('[') || a[i + 1]?.includes('[')) {
+                    return {
+                        ok: false,
+                        reason: `'[[ ... ${a[i]} ... ]]' operand contains array subscript — bash arithmetically evaluates $(cmd) in subscripts`,
+                    };
+                }
+            }
+        }
+        // SECURITY: `read`/`unset` treat EVERY bare positional as a NAME —
+        // no flag needed. `read 'a[$(id)]' <<< data` executes id even though
+        // argv[1] arrived from a single-quoted raw_string and no -a flag is
+        // present. Same primitive as SUBSCRIPT_EVAL_FLAGS but the trigger is
+        // positional, not flag-gated. Skip operands of read's data-taking
+        // flags (-p PROMPT etc.) to avoid blocking `read -p '[foo] ' var`.
+        if (BARE_SUBSCRIPT_NAME_BUILTINS.has(name)) {
+            let skipNext = false;
+            for (let i = 1; i < a.length; i++) {
+                const arg = a[i];
+                if (skipNext) {
+                    skipNext = false;
+                    continue;
+                }
+                if (arg[0] === '-') {
+                    if (name === 'read') {
+                        if (READ_DATA_FLAGS.has(arg)) {
+                            skipNext = true;
+                        }
+                        else if (arg.length > 2 && arg[1] !== '-') {
+                            // Combined short flag like `-rp`. Getopt-style: first
+                            // data-flag char consumes rest-of-arg as its operand
+                            // (`-p[foo]` → prompt=`[foo]`), or next-arg if last
+                            // (`-rp '[foo]'` → prompt=`[foo]`). So skipNext iff a
+                            // data-flag char appears at the END after only no-arg
+                            // flags like `-r`/`-s`.
+                            for (let j = 1; j < arg.length; j++) {
+                                if (READ_DATA_FLAGS.has('-' + arg[j])) {
+                                    if (j === arg.length - 1)
+                                        skipNext = true;
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                    continue;
+                }
+                if (arg.includes('[')) {
+                    return {
+                        ok: false,
+                        reason: `'${name}' positional NAME '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
+                    };
+                }
+            }
+        }
+        // SECURITY: Shell reserved keywords as argv[0] indicate a tree-sitter
+        // mis-parse. `! for i in a; do :; done` parses as `command "for i in a"`
+        // + `command "do :"` + `command "done"` — tree-sitter fails to recognize
+        // `for` after `!` as a compound command start. Reject: keywords can never
+        // be legitimate command names, and argv like ['do','false'] is nonsense.
+        if (SHELL_KEYWORDS.has(name)) {
+            return {
+                ok: false,
+                reason: `Shell keyword '${name}' as command name — tree-sitter mis-parse`,
+            };
+        }
+        // Check argv (not .text) to catch both single-quote (`'\n#'`) and
+        // double-quote (`"\n#"`) variants. Env vars and redirects are also
+        // part of the .text span so the same downstream bug applies.
+        // Heredoc bodies are excluded from argv so markdown `##` headers
+        // don't trigger this.
+        // TODO: remove once downstream path validation operates on argv.
+        for (const arg of cmd.argv) {
+            if (arg.includes('\n') && NEWLINE_HASH_RE.test(arg)) {
+                return {
+                    ok: false,
+                    reason: 'Newline followed by # inside a quoted argument can hide arguments from path validation',
+                };
+            }
+        }
+        for (const ev of cmd.envVars) {
+            if (ev.value.includes('\n') && NEWLINE_HASH_RE.test(ev.value)) {
+                return {
+                    ok: false,
+                    reason: 'Newline followed by # inside an env var value can hide arguments from path validation',
+                };
+            }
+        }
+        for (const r of cmd.redirects) {
+            if (r.target.includes('\n') && NEWLINE_HASH_RE.test(r.target)) {
+                return {
+                    ok: false,
+                    reason: 'Newline followed by # inside a redirect target can hide arguments from path validation',
+                };
+            }
+        }
+        // jq's system() built-in executes arbitrary shell commands, and flags
+        // like --from-file can read arbitrary files into jq variables. On the
+        // legacy path these are caught by validateJqCommand in bashSecurity.ts,
+        // but that validator is gated behind `astSubcommands === null` and
+        // never runs when the AST parse succeeds. Mirror the checks here so
+        // the AST path has the same defence.
+        if (name === 'jq') {
+            for (const arg of a) {
+                if (/\bsystem\s*\(/.test(arg)) {
+                    return {
+                        ok: false,
+                        reason: 'jq command contains system() function which executes arbitrary commands',
+                    };
+                }
+            }
+            if (a.some(arg => /^(?:-[fL](?:$|[^A-Za-z])|--(?:from-file|rawfile|slurpfile|library-path)(?:$|=))/.test(arg))) {
+                return {
+                    ok: false,
+                    reason: 'jq command contains dangerous flags that could execute code or read arbitrary files',
+                };
+            }
+        }
+        if (ZSH_DANGEROUS_BUILTINS.has(name)) {
+            return {
+                ok: false,
+                reason: `Zsh builtin '${name}' can bypass security checks`,
+            };
+        }
+        if (EVAL_LIKE_BUILTINS.has(name)) {
+            // `command -v foo` / `command -V foo` are POSIX existence checks that
+            // only print paths — they never execute argv[1]. Bare `command foo`
+            // does bypass function/alias lookup (the concern), so keep blocking it.
+            if (name === 'command' && (a[1] === '-v' || a[1] === '-V')) {
+                // fall through to remaining checks
+            }
+            else if (name === 'fc' &&
+                !a.slice(1).some(arg => /^-[^-]*[es]/.test(arg))) {
+                // `fc -l`, `fc -ln` list history — safe. `fc -e ed` invokes an
+                // editor then executes. `fc -s [pat=rep]` RE-EXECUTES the last
+                // matching command (optionally with substitution) — as dangerous
+                // as eval. Block any short-opt containing `e` or `s`.
+                // to avoid introducing FPs for `fc -l` (list history).
+            }
+            else if (name === 'compgen' &&
+                !a.slice(1).some(arg => /^-[^-]*[CFW]/.test(arg))) {
+                // `compgen -c/-f/-v` only list completions — safe. `compgen -C cmd`
+                // immediately executes cmd; `-F func` calls a shell function; `-W list`
+                // word-expands its argument (including $(cmd) even from single-quoted
+                // raw_string). Block any short-opt containing C/F/W (case-sensitive:
+                // -c/-f are safe).
+            }
+            else {
+                return {
+                    ok: false,
+                    reason: `'${name}' evaluates arguments as shell code`,
+                };
+            }
+        }
+        // /proc/*/environ exposes env vars (including secrets) of other processes.
+        // Check argv and redirect targets — `cat /proc/self/environ` and
+        // `cat < /proc/self/environ` both read it.
+        for (const arg of cmd.argv) {
+            if (arg.includes('/proc/') && PROC_ENVIRON_RE.test(arg)) {
+                return {
+                    ok: false,
+                    reason: 'Accesses /proc/*/environ which may expose secrets',
+                };
+            }
+        }
+        for (const r of cmd.redirects) {
+            if (r.target.includes('/proc/') && PROC_ENVIRON_RE.test(r.target)) {
+                return {
+                    ok: false,
+                    reason: 'Accesses /proc/*/environ which may expose secrets',
+                };
+            }
+        }
+    }
+    return { ok: true };
+}