@oked/sdk 0.1.5 → 0.1.7

package/dist/classify.d.ts

@@ -8,10 +8,14 @@ export interface ShellWriteOp {
     content?: string;
 }
 /**
- * Detects shell idioms that mutate the filesystem. Used by classify (to
- * choose tier) and describe (to render the operation as a Create/Append/
- * Copy/etc. sentence rather than as a shell command).
- *
- * Skips /dev/null and bare-digit FD duplicates (2>&1).
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
  */
+export declare function stripHeredocBodies(command: string): string;
 export declare function extractShellWriteOps(command: string): ShellWriteOp[];

package/dist/classify.js

@@ -1,4 +1,5 @@
 import path from "path";
+import os from "os";
 import { findSqlInCommand } from "./describe.js";
 import { TIER_ORDER } from "./degraded.js";
 // Tier 1 - safe: auto-allow, no notification (Read, Glob, ls, git status, etc.)
@@ -62,7 +63,8 @@ const SAFE_COMMANDS = [
     /^node\s+(-v|--version)/,
     /^npm\s+(list|ls|--version|-v|view|info|outdated|audit)\b/,
     /^npx\s+-v/,
-    /^git\s+(status|log|diff|branch|remote|show|tag|stash list)\b/,
+    /^git\s+(status|log|diff|branch|remote|show|tag|stash\s+list|ls-files|ls-tree|ls-remote|check-ignore|check-attr|rev-parse|rev-list|describe|cat-file|blame|shortlog|reflog|name-rev|whatchanged|for-each-ref|symbolic-ref|merge-base|var|grep|count-objects|show-ref|cherry|verify-commit|fsck)\b/,
+    /^git\s+config\s+(--get|--get-all|--get-regexp|--list|-l)\b/,
     /^docker\s+(ps|images|inspect|logs)\b/,
     /^docker\s+compose\s+(ps|logs)\b/,
     /^tree\b/,
@@ -78,6 +80,27 @@ const SAFE_COMMANDS = [
     // `message delete` / `folder delete|expunge|purge` matter; those land in
     // the review/high-stakes paths.
     /^himalaya\s+(account|folder|envelope|message\s+(?:read|export|search|copy|move)|attachment\s+(?:download|list)|template|search)\b/,
+    // cd just changes directory — no side effect of its own. Any dangerous
+    // command chained after it (`cd x && rm -rf`) is caught per-stage.
+    /^cd\b/,
+    // sed without -i / --in-place only prints to stdout (read-only). In-place
+    // edits are detected as a write op (below) before this is reached.
+    /^sed\b/,
+    // gh read-only subcommands — listing/viewing PRs, issues, runs, etc.
+    /^gh\s+(pr|issue|repo|run|workflow|release|api)\s+(list|view|status|diff|checks)\b/,
+    // Test runners — running the project's own tests is part of the dev loop.
+    // (Arbitrary node/npx/python execution is `warning`, see WARNING_COMMANDS.)
+    /^npm\s+(test|t)\b/,
+    /^npx\s+(tsx|ts-node|jest|vitest|mocha|ava|cypress|playwright|tsc)\b/,
+    /^(jest|vitest|mocha|pytest|ava)\b/,
+    /^python3?\s+-m\s+pytest\b/,
+    // Shell control-flow keywords. A compound like `for f in *; do cmd; done`
+    // is split on `;` into stages; these keyword stages carry no risk of their
+    // own, and any real command in the body is classified per-stage. Dangerous
+    // commands hidden in a $(...) on a keyword line are still caught by the
+    // high-stakes scan, which runs on the full command first.
+    /^(for|while|until|do|done|then|else|elif|fi|case|esac|if|select)\b/,
+    /^(done|fi|esac|\}|\{|:|true|false)\s*$/,
 ];
 // Bash commands classified as high stakes (destructive, irreversible, external)
 const HIGH_STAKES_COMMANDS = [
@@ -93,9 +116,11 @@ const HIGH_STAKES_COMMANDS = [
     /\bgit\s+clean\s+-f/,
     /\bgit\s+checkout\s+--\s+\./,
     /\bgit\s+restore\s+--staged\s+\./,
-    /\bDROP\s+(TABLE|DATABASE|INDEX|VIEW)\b/i,
-    /\bDELETE\s+FROM\b/i,
-    /\bTRUNCATE\b/i,
+    // NOTE: SQL severity (DROP/DELETE FROM/TRUNCATE/…) is intentionally NOT matched
+    // here. Raw word patterns fire on ordinary text — `grep truncate`, `echo "drop
+    // table"` — producing false high_stakes. SQL is handled by findSqlInCommand,
+    // which only extracts statements from real SQL contexts (psql/mysql/sqlite3
+    // -c/-e, interpreter -e/-c bodies, heredocs), then classifySqlSeverity.
     /\bdocker\s+(rm|rmi|system\s+prune)\b/,
     /\bdocker\s+compose\s+down\b/,
     /\bkill\b/,
@@ -128,29 +153,99 @@ const HIGH_STAKES_COMMANDS = [
     /\bhimalaya\s+folder\s+(delete|expunge|purge)\b/,
     /\bhimalaya\s+account\s+delete\b/,
 ];
+// Commands that auto-allow without a phone prompt but are logged (warning):
+// reversible/local actions where an audit line is enough.
+const WARNING_COMMANDS = [
+    // Local, reversible git ops — branch/stage/commit/stash/switch. They touch
+    // only the local repo and can be undone (amend, reset, checkout).
+    // Destructive/remote git (push, reset --hard, clean, checkout -- .) is matched
+    // by HIGH_STAKES_COMMANDS above and wins first. `git stash drop|clear` is
+    // excluded — those discard stashed work — so it stays `review`.
+    /^git\s+add\b/,
+    /^git\s+commit\b/,
+    /^git\s+checkout\s+-b\b/,
+    /^git\s+switch\b/,
+    /^git\s+stash\b(?!\s+(?:drop|clear))/,
+    // PR creation is reversible (a PR can be closed); the underlying branch push
+    // is separately high_stakes.
+    /^gh\s+pr\s+create\b/,
+    // Arbitrary code execution (node/npx/python/npm run/bun/deno). The spawned
+    // process can do anything and its syscalls don't pass back through OKed, so
+    // we don't prompt but keep a local trail. Known test runners and read-only
+    // version flags are handled as `safe` (SAFE_COMMANDS) before reaching here.
+    /^node\b/,
+    /^npx\b/,
+    /^python3?\b/,
+    /^npm\s+run\b/,
+    /^bun\b/,
+    /^deno\b/,
+    // Package installs run dependency postinstall scripts (code execution), so
+    // they're not "safe" — but they're a constant part of the dev loop, so log
+    // (warning) rather than prompt.
+    /^npm\s+(install|ci|i|update|upgrade|rebuild|prune|dedupe)\b/,
+    /^(pnpm|yarn)\s+(install|add|ci|up|upgrade)\b/,
+];
 // Ephemeral filesystem locations. Writes here have no lasting effect on
 // their own — what matters is whatever subsequent command CONSUMES the file
 // (e.g. `himalaya message send < /tmp/draft.eml`). Without this carve-out,
 // every multi-step skill that drafts a temp file generates two approval
 // prompts (the temp write + the real send) instead of one.
-const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/private\/tmp\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/private\/tmp\/|\/private\/var\/folders\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+// A temp-dir env var (the conventional output of `mktemp -d` etc.): $TMPDIR,
+// $TMP, $TEMP, ${TMPDIR}, and paths beneath them. Treated as ephemeral since
+// we can't resolve the value but the intent is unambiguous.
+const TEMP_VAR_RE = /^\$\{?(?:TMPDIR|TMP|TEMP)\}?(?:\/|$)/;
 function isEphemeralPath(filePath) {
     if (!filePath)
         return false;
-    return EPHEMERAL_PATH_RE.test(filePath);
+    return TEMP_VAR_RE.test(filePath) || EPHEMERAL_PATH_RE.test(filePath);
 }
-function isInsideProject(filePath) {
+// Paths where a write/edit is genuinely dangerous and must stay `review`:
+// system directories, credential/secret stores, shell startup files (a
+// persistence vector), and OKed's own config (so an agent can't disable its
+// guardrails). Everything else — project files, sibling repos, scratch — is
+// treated as `warning` (a file write can't act on its own; whatever later
+// executes it is classified separately).
+function isSensitiveWritePath(filePath) {
     if (!filePath)
-        return false;
+        return true; // unknown target → err toward review
+    let resolved;
     try {
-        const projectRoot = path.resolve(process.cwd());
-        const resolved = path.resolve(filePath);
-        const relative = path.relative(projectRoot, resolved);
-        return relative === "" || (!!relative && !relative.startsWith("..") && !path.isAbsolute(relative));
+        resolved = path.resolve(filePath);
     }
     catch {
-        return false;
+        return true;
     }
+    const home = os.homedir();
+    const underHome = (rel) => {
+        const base = path.join(home, rel);
+        return resolved === base || resolved.startsWith(base + path.sep);
+    };
+    // OKed self-config — never let an agent edit its own hook config silently.
+    if (resolved === path.join(home, ".claude", "settings.json") ||
+        resolved === path.join(home, ".claude", "settings.local.json"))
+        return true;
+    // Credential / secret stores.
+    for (const d of [".ssh", ".aws", ".gnupg", ".kube", ".docker", path.join(".config", "gcloud")]) {
+        if (underHome(d))
+            return true;
+    }
+    // Sensitive dotfiles directly in $HOME (creds + shell startup persistence).
+    const sensitiveHomeFiles = new Set([
+        ".netrc", ".npmrc", ".pypirc", ".git-credentials", ".bash_history", ".zsh_history",
+        ".bashrc", ".zshrc", ".bash_profile", ".zprofile", ".profile", ".zshenv", ".zlogin",
+    ]);
+    if (path.dirname(resolved) === home && sensitiveHomeFiles.has(path.basename(resolved)))
+        return true;
+    // System directories.
+    if (/^\/(etc|usr|bin|sbin|boot|sys|proc|opt|Library|System)(\/|$)/.test(resolved))
+        return true;
+    if (/^\/private\/etc(\/|$)/.test(resolved))
+        return true;
+    // /var, except the ephemeral temp subtrees.
+    if (/^\/var(\/|$)/.test(resolved) && !/^\/var\/(tmp|folders)(\/|$)/.test(resolved))
+        return true;
+    return false;
 }
 export function classify(toolName, toolInput) {
     // Check tool-level classification first
@@ -162,18 +257,21 @@ export function classify(toolName, toolInput) {
         return "high_stakes";
     if (REVIEW_TOOLS.has(toolName))
         return "review";
-    // File-editing tools: warning if inside project or an ephemeral temp dir,
-    // review otherwise. Temp-dir writes are "warning" because the file itself
-    // can't do harm — only what consumes it can.
+    // File-editing tools: a write/edit can't act on its own — whatever later
+    // executes it is classified separately — so it's `warning` (logged, no
+    // prompt) everywhere EXCEPT sensitive targets (system dirs, secret stores,
+    // shell startup files, OKed's own config), which stay `review`.
     if (toolName === "Write" || toolName === "Edit" || toolName === "NotebookEdit") {
         const filePath = toolInput.file_path;
-        if (isEphemeralPath(filePath) || isInsideProject(filePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(filePath) ? "review" : "warning";
     }
-    // Agent tool - review (spawns subagent, not directly destructive)
+    // Agent tool - safe. Launching a sub-agent is not itself a side effect, and
+    // the sub-agent's own tool calls (Bash/Write/Edit/MCP) each fire their own
+    // PreToolUse hook and get classified independently. Gating the launch on top
+    // of that just double-prompts — once for the spawn, again for every real
+    // action the sub-agent takes — so the launch auto-allows.
     if (toolName === "Agent")
-        return "review";
+        return "safe";
     // Bash commands need deeper analysis
     if (toolName === "Bash") {
         return classifyBashCommand(toolInput.command);
@@ -195,9 +293,7 @@ export function classify(toolName, toolInput) {
     const writePath = (toolInput.file_path ?? toolInput.path);
     const writeContent = (toolInput.content ?? toolInput.data ?? toolInput.body);
     if (typeof writePath === "string" && typeof writeContent === "string") {
-        if (isEphemeralPath(writePath) || isInsideProject(writePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(writePath) ? "review" : "warning";
     }
     // Unknown tool - default to review (require approval)
     return "review";
@@ -205,79 +301,135 @@ export function classify(toolName, toolInput) {
 function maxTier(a, b) {
     return TIER_ORDER[a] >= TIER_ORDER[b] ? a : b;
 }
-/** Split a shell command on top-level pipe characters, ignoring `||` and
- * pipes inside quoted strings. Returns trimmed segments. */
-function splitOnPipe(cmd) {
+/** Split a shell command into top-level segments on the operators that
+ * sequence separate commands: `|`, `||`, `&&`, `;`. Operators inside quoted
+ * strings — including the `"$(cat <<'EOF' … )"` heredoc form used for commit
+ * messages — are kept intact so message text isn't split. Returns trimmed,
+ * non-empty segments. */
+function splitTopLevel(cmd) {
     const out = [];
     let cur = "";
     let quote = null;
-    for (let i = 0; i < cmd.length; i++) {
+    let i = 0;
+    while (i < cmd.length) {
         const ch = cmd[i];
         if (quote) {
             cur += ch;
             if (ch === quote)
                 quote = null;
+            i++;
+            continue;
         }
-        else if (ch === '"' || ch === "'") {
+        if (ch === '"' || ch === "'") {
             cur += ch;
             quote = ch;
+            i++;
+            continue;
+        }
+        // Heredoc: consume the opener and the entire body (up to the closing
+        // delimiter line) as part of the current segment, so operators inside a
+        // heredoc fed to an interpreter (psql/node/…) aren't treated as separators.
+        const hd = cmd.slice(i).match(/^<<-?\s*(["']?)([A-Za-z_][A-Za-z0-9_]*)\1/);
+        if (hd) {
+            cur += hd[0];
+            i += hd[0].length;
+            const close = cmd.slice(i).match(new RegExp(`\\n[ \\t]*${hd[2]}\\b`));
+            if (close) {
+                const end = i + (close.index ?? 0) + close[0].length;
+                cur += cmd.slice(i, end);
+                i = end;
+            }
+            else {
+                cur += cmd.slice(i);
+                i = cmd.length;
+            }
+            continue;
         }
-        else if (ch === "|" && cmd[i + 1] !== "|" && cmd[i - 1] !== "|") {
+        const next = cmd[i + 1];
+        if ((ch === "&" && next === "&") || (ch === "|" && next === "|")) {
             out.push(cur.trim());
             cur = "";
+            i += 2; // consume both operator chars
+            continue;
         }
-        else {
-            cur += ch;
+        if (ch === "|" || ch === ";") {
+            out.push(cur.trim());
+            cur = "";
+            i++;
+            continue;
         }
+        cur += ch;
+        i++;
     }
     if (cur.trim())
         out.push(cur.trim());
-    return out;
+    return out.filter(Boolean);
+}
+// rm/rmdir/trash whose every target is an ephemeral temp path (/tmp, %TEMP%,
+// …). Deleting throwaway temp files is low-risk, so it downgrades to warning.
+// Any non-temp target (or deleting a temp ROOT like `/tmp` itself, which isn't
+// an ephemeral *path*) means this returns false and the deletion stays
+// high_stakes.
+function isEphemeralOnlyDeletion(command) {
+    const m = command.match(/^(?:sudo\s+)?(?:rm|rmdir|trash|trash-put)\b\s+(.+)$/s);
+    if (!m)
+        return false;
+    const targets = splitArgs(m[1]).filter((a) => !a.startsWith("-"));
+    if (targets.length === 0)
+        return false;
+    return targets.every((a) => isEphemeralPath(unquote(a)));
 }
 function classifyBashCommand(command) {
     if (!command)
         return "safe";
-    const trimmed = command.trim();
-    // Pipelines: classify each stage and take the highest tier. Without this,
-    // `cat /tmp/draft.eml | himalaya message send` would match `^cat\b` first
-    // and silently allow the email send. The right-hand stage is what matters.
-    // Only split when there are 2+ stages so single commands don't recurse.
-    const stages = splitOnPipe(trimmed);
+    // Strip heredoc bodies up front: their contents are literal data, not shell,
+    // and must not be scanned for high-stakes tokens, operators, or redirects.
+    const trimmed = stripHeredocBodies(command).trim();
+    // rm/trash of only ephemeral temp files → warning (before the high-stakes
+    // scan, which would otherwise match the bare `rm`).
+    if (isEphemeralOnlyDeletion(trimmed))
+        return "warning";
+    // High-stakes scan on the FULL command, before any splitting. These patterns
+    // use \b and several intentionally span an operator (e.g. `curl … | bash`,
+    // `wget … | sh` — download-and-execute), so they have to be matched against
+    // the whole string. Most-restrictive-wins: a high-stakes match anywhere in a
+    // compound command takes the whole command to high_stakes.
+    for (const pattern of HIGH_STAKES_COMMANDS) {
+        if (pattern.test(trimmed))
+            return "high_stakes";
+    }
+    // Compound commands: split on top-level `|`, `||`, `&&`, `;` and take the
+    // highest tier. Without this, `cat /tmp/draft.eml | himalaya message send`
+    // would match `^cat\b` and silently allow the send, and `git add … && git
+    // commit …` couldn't be recognized as the local git ops they are. Only
+    // recurse when there are 2+ stages so single commands don't loop.
+    const stages = splitTopLevel(trimmed);
     if (stages.length > 1) {
         return stages.reduce((worst, stage) => maxTier(worst, classifyBashCommand(stage)), "safe");
     }
-    // sudo: classify based on the inner command, not sudo itself
-    if (/^sudo\s/.test(trimmed)) {
-        const inner = trimmed.replace(/^sudo\s+/, "");
-        for (const pattern of HIGH_STAKES_COMMANDS) {
-            if (pattern.test(inner))
-                return "high_stakes";
-        }
+    // sudo: privilege escalation. A high-stakes inner command was already caught
+    // by the full-string scan above (\b patterns match through the `sudo` prefix);
+    // anything else still warrants review.
+    if (/^sudo\s/.test(trimmed))
         return "review";
-    }
     // SQL hidden inside an interpreter wrapper (python -c, node -e, heredoc),
     // a DB CLI (psql -c, sqlite3 db "...", mysql -e), or at the top of the
-    // command. Severity comes from the statement, not the wrapper.
+    // command. Severity comes from the statement, not the wrapper. (High-stakes
+    // SQL — DROP/TRUNCATE/DELETE FROM — is already covered by the scan above.)
     const sql = findSqlInCommand(trimmed);
     if (sql)
         return classifySqlSeverity(sql);
-    // Check high stakes first (most restrictive wins)
-    for (const pattern of HIGH_STAKES_COMMANDS) {
-        if (pattern.test(trimmed))
-            return "high_stakes";
-    }
     // File-mutating shell patterns. Content-creation idioms (echo > X, tee,
-    // dd of=, touch, sed -i, heredoc) require approval — they're exactly the
-    // bypass route from a denied Write. cp/mv just rearrange existing bytes
-    // and stay safe. Writes to ephemeral temp dirs (/tmp, %TEMP%) downgrade
-    // to warning: the temp file alone can't do harm, only what consumes it.
+    // dd of=, touch, sed -i) are the bypass route from a denied Write, so they're
+    // classified exactly like the Write/Edit tool: `warning` unless a target is a
+    // sensitive path (system dir, secret store, shell rc, OKed config), which
+    // stays `review`. cp/mv (which can clobber/relocate existing files) stay
+    // review.
     const ops = extractShellWriteOps(trimmed);
     if (ops.length > 0) {
         const creates = ops.filter((o) => o.kind !== "copy" && o.kind !== "move");
         if (creates.length > 0) {
-            if (creates.every((o) => isEphemeralPath(o.target)))
-                return "warning";
-            return "review";
+            return creates.some((o) => isSensitiveWritePath(o.target)) ? "review" : "warning";
         }
         return "review";
     }
@@ -286,6 +438,13 @@ function classifyBashCommand(command) {
         if (pattern.test(trimmed))
             return "safe";
     }
+    // Reversible/local commands (local git, gh pr create, code execution) →
+    // warning: logged, no phone approval. Checked after SAFE so read-only git
+    // (status/log/`stash list`) and known test runners stay fully silent.
+    for (const pattern of WARNING_COMMANDS) {
+        if (pattern.test(trimmed))
+            return "warning";
+    }
     // Default: review (require approval for unknown commands)
     return "review";
 }
@@ -316,20 +475,105 @@ function classifySqlSeverity(sql) {
  *
  * Skips /dev/null and bare-digit FD duplicates (2>&1).
  */
+// Commands that EXECUTE a heredoc body fed to their stdin — a SQL CLI, a code
+// interpreter, or a shell. Their heredoc bodies are code/SQL and must stay
+// scannable. Detected as a command word at the start of the opener line or
+// after a pipe / `&&` / `;` / `$(` / backtick.
+const HEREDOC_INTERPRETER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun|bash|sh|zsh|ksh|fish)\b/;
+function openerFeedsInterpreter(line) {
+    return HEREDOC_INTERPRETER_RE.test(line);
+}
+/**
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
+ */
+export function stripHeredocBodies(command) {
+    const lines = command.split("\n");
+    const out = [];
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i];
+        out.push(line);
+        // Heredoc openers: <<DELIM, <<'DELIM', <<"DELIM", <<-DELIM (with optional
+        // space). Require a word-char delimiter so numeric left-shifts ($((1<<2)))
+        // don't match. Use the last opener on the line as the active delimiter.
+        const openers = [...line.matchAll(/<<-?\s*(["']?)([A-Za-z_][A-Za-z0-9_]*)\1/g)];
+        if (openers.length > 0 && !openerFeedsInterpreter(line)) {
+            const delim = openers[openers.length - 1][2];
+            i++;
+            while (i < lines.length && lines[i].trim() !== delim)
+                i++; // drop body
+            if (i < lines.length)
+                i++; // drop the closing delimiter line
+            continue;
+        }
+        i++;
+    }
+    return out.join("\n");
+}
+/** Find output redirects (`>`, `>>`, `&>`, `2>`, …) outside quoted strings.
+ * The target token may itself be quoted. Skips `2>&1`-style FD dups, bare
+ * digits, and /dev/null. Heredoc `<<` is ignored (only `>` is a write). */
+function findRedirects(cmd) {
+    const res = [];
+    let quote = null;
+    let i = 0;
+    while (i < cmd.length) {
+        const ch = cmd[i];
+        if (quote) {
+            if (ch === quote)
+                quote = null;
+            i++;
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            quote = ch;
+            i++;
+            continue;
+        }
+        const op = cmd.slice(i).match(/^([12]?>>?|&>>?)/);
+        if (op && cmd[i - 1] !== ">") {
+            let j = i + op[1].length;
+            while (j < cmd.length && /\s/.test(cmd[j]))
+                j++;
+            let target = "";
+            if (cmd[j] === '"' || cmd[j] === "'") {
+                const q = cmd[j];
+                j++;
+                while (j < cmd.length && cmd[j] !== q)
+                    target += cmd[j++];
+                if (j < cmd.length)
+                    j++; // closing quote
+            }
+            else {
+                while (j < cmd.length && !/[\s>|&;]/.test(cmd[j]))
+                    target += cmd[j++];
+            }
+            if (target && !/^\d+$/.test(target) && !isDevNullish(target)) {
+                res.push({ append: op[1] === ">>" || op[1] === "&>>", target });
+            }
+            i = j;
+            continue;
+        }
+        i++;
+    }
+    return res;
+}
 export function extractShellWriteOps(command) {
-    const cmd = command.trim();
+    const cmd = stripHeredocBodies(command).trim();
     const ops = [];
-    // Output redirects: > path, >> path, &> path, 2> path. Try to pull the
-    // literal content when the LHS is echo/printf.
-    const redirRe = /(?:^|[^>])([12]?>>?|&>>?)\s*([^\s>|&;]+)/g;
-    for (const m of cmd.matchAll(redirRe)) {
-        const op = m[1];
-        const target = unquote(m[2]);
-        if (!target || /^\d+$/.test(target) || isDevNullish(target))
-            continue;
-        const append = op === ">>" || op === "&>>";
+    // Output redirects: > path, >> path, &> path, 2> path. Quote-aware so a `>`
+    // inside a quoted argument (e.g. a grep pattern `"echo > x"`) isn't mistaken
+    // for a redirect. The target token itself may be quoted (`> "my file"`).
+    for (const r of findRedirects(cmd)) {
         const content = extractEchoContent(cmd);
-        ops.push({ kind: append ? "append" : "create", target, content });
+        ops.push({ kind: r.append ? "append" : "create", target: r.target, content });
     }
     // tee [-a] path
     const teeM = cmd.match(/\btee\b\s+(-[aA]\s+)?([^\s|;&]+)/);
@@ -355,8 +599,8 @@ export function extractShellWriteOps(command) {
             ops.push({ kind: "move", target: unquote(args[args.length - 1]), source: unquote(args[0]) });
         }
     }
-    // sed -i
-    if (/\bsed\b/.test(cmd) && /-i(?:\.\w+)?\b/.test(cmd)) {
+    // sed -i / --in-place
+    if (/\bsed\b/.test(cmd) && (/-i(?:\.\w+)?\b/.test(cmd) || /--in-place\b/.test(cmd))) {
         const sedM = cmd.match(/^\s*sed\b\s+(.+)$/);
         if (sedM) {
             const args = splitArgs(sedM[1]);

package/dist/describe.js

@@ -121,13 +121,17 @@ function summarizeBash(command, sizeBytes) {
         };
     }
     // git
-    if (/\bgit\s+push\s+(?:--force|-f)\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(?:--force|-f)\s+(\S+)\s+(\S+)/);
-        return { title: "Force push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_force_push" };
-    }
     if (/\bgit\s+push\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(\S+)\s+(\S+)/);
-        return { title: "Push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_push" };
+        // Parse the remote + branch ignoring flags (-u, --force, --set-upstream, …)
+        // so `git push -u origin feat` renders "feat → origin", not "origin → -u".
+        const after = cmd.match(/\bgit\s+push\b(.*)$/s)?.[1] ?? "";
+        const args = after.split(/\s+/).filter((a) => a && !a.startsWith("-"));
+        const [remote, branch] = args;
+        const target = remote && branch ? `${branch} → ${remote}` : remote || "current branch";
+        const forced = /\bgit\s+push\b[^\n]*\s(?:--force(?:-with-lease)?|-f)\b/.test(cmd);
+        return forced
+            ? { title: "Force push", target, kind: "git_force_push" }
+            : { title: "Push", target, kind: "git_push" };
     }
     if (/\bgit\s+reset\s+--hard\b/.test(cmd))
         return { title: "Hard reset — discard all local changes", kind: "git_reset_hard" };
@@ -138,8 +142,11 @@ function summarizeBash(command, sizeBytes) {
     if (/\bgit\s+restore\s+--staged\s+\./.test(cmd))
         return { title: "Unstage all staged changes", kind: "git_restore" };
     if (/\bgit\s+commit\b/.test(cmd)) {
-        const m = cmd.match(/-m\s+["']([^"']+)["']/);
-        return m ? { title: `Git commit "${m[1]}"`, kind: "git_commit" } : { title: "Git commit", kind: "git_commit" };
+        // Pull a simple quoted -m message. Bail (show plain "Git commit") when the
+        // message is a command substitution / heredoc — `-m "$(cat <<'EOF' … )"` —
+        // since that has no clean inline title to extract.
+        const m = cmd.match(/-m\s+["']([^"'$]+)["']/);
+        return m ? { title: `Git commit "${truncate(m[1], 60)}"`, kind: "git_commit" } : { title: "Git commit", kind: "git_commit" };
     }
     // gh pr create — reversible (PRs can be closed). Extract --title when present.
     if (/\bgh\s+pr\s+create\b/.test(cmd)) {
@@ -286,12 +293,16 @@ function extractSqlFromScriptBody(body) {
     }
     return sqls.length > 0 ? sqls.join("\n") : null;
 }
+// A SQL CLI or code interpreter as a command word — at the start of the command
+// (allowing env=val / sudo prefixes) or after a pipe / `&&` / `;` / `$(`. Used
+// to gate SQL extraction so SQL words appearing in *argument data* (a `gh pr
+// create --body` mentioning "TRUNCATE", a path like `better-sqlite3`) don't get
+// misread as a statement to run.
+const SQL_CONSUMER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun)\b/;
 export function findSqlInCommand(cmd) {
-    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Checked
-    // before the SQL-CLI prefix matchers below because those prefixes (e.g.
-    // `sqlite3`) can appear as substrings inside the interpreter body (e.g.
-    // `require('better-sqlite3')`) and would extract the wrong fragment.
-    const inline = cmd.match(/\b(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
+    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Anchored to
+    // a command position so a SQL-looking string elsewhere doesn't match.
+    const inline = cmd.match(/(?:^|\||&&|;|\$\()\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
     if (inline) {
         const body = inline[1] ?? inline[2];
         if (body && SQL_KEYWORDS_RE.test(body)) {
@@ -299,19 +310,23 @@ export function findSqlInCommand(cmd) {
         }
     }
     // psql -c "..." / mysql -e "..." / sqlite3 db "..." — outer-quoted statement.
-    const dq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
+    // Anchored to the start of the command so "psql"/"mysql" appearing inside an
+    // argument (another tool's --body, etc.) can't trigger a false SQL match.
+    const dq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
     if (dq)
         return dq[1];
-    const sq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
+    const sq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
     if (sq)
         return sq[1];
-    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF.
-    // Single capture for the delimiter (quote-stripped) lets the closing
-    // anchor reference it without going through alternation.
+    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF. Only when the
+    // command (outside the body) actually feeds the heredoc to a SQL CLI or
+    // interpreter — otherwise a `gh`/`cat`/`mail` heredoc whose body merely
+    // mentions SQL words would be misclassified as a statement to run.
     const hd = cmd.match(/<<-?\s*['"]?(\w+)['"]?[ \t]*\r?\n([\s\S]*?)\r?\n[ \t]*\1\b/);
     if (hd) {
         const body = hd[2];
-        if (body && SQL_KEYWORDS_RE.test(body)) {
+        const context = cmd.slice(0, hd.index) + cmd.slice((hd.index ?? 0) + hd[0].length);
+        if (body && SQL_CONSUMER_RE.test(context) && SQL_KEYWORDS_RE.test(body)) {
             return extractSqlFromScriptBody(body) ?? body;
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oked/sdk",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "OKed SDK - human approval layer for AI agents",
   "type": "module",
   "main": "dist/index.js",