@oked/sdk 0.1.6 → 0.1.8

package/dist/classify.d.ts

@@ -8,14 +8,14 @@ export interface ShellWriteOp {
     content?: string;
 }
 /**
- * Removes heredoc *bodies* that are being written to a file, so their contents
- * aren't parsed as shell. `cat >> file <<'EOF' … EOF` is a common file-writing
- * idiom; the body is literal data, not commands, and must not be scanned for
- * operators, redirects, or risky tokens (a config/test file full of `;`, `&&`,
- * or even the literal text "rm -rf" would otherwise wreck classification). The
- * opener line — with its redirect and target — is preserved; only the body and
- * closing delimiter are dropped. Heredocs fed to an interpreter (no file
- * redirect on the opener line) are left intact so SQL/code detection still runs.
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
  */
 export declare function stripHeredocBodies(command: string): string;
 export declare function extractShellWriteOps(command: string): ShellWriteOp[];

package/dist/classify.js

@@ -63,7 +63,8 @@ const SAFE_COMMANDS = [
     /^node\s+(-v|--version)/,
     /^npm\s+(list|ls|--version|-v|view|info|outdated|audit)\b/,
     /^npx\s+-v/,
-    /^git\s+(status|log|diff|branch|remote|show|tag|stash list)\b/,
+    /^git\s+(status|log|diff|branch|remote|show|tag|stash\s+list|ls-files|ls-tree|ls-remote|check-ignore|check-attr|rev-parse|rev-list|describe|cat-file|blame|shortlog|reflog|name-rev|whatchanged|for-each-ref|symbolic-ref|merge-base|var|grep|count-objects|show-ref|cherry|verify-commit|fsck)\b/,
+    /^git\s+config\s+(--get|--get-all|--get-regexp|--list|-l)\b/,
     /^docker\s+(ps|images|inspect|logs)\b/,
     /^docker\s+compose\s+(ps|logs)\b/,
     /^tree\b/,
@@ -100,16 +101,34 @@ const SAFE_COMMANDS = [
     // high-stakes scan, which runs on the full command first.
     /^(for|while|until|do|done|then|else|elif|fi|case|esac|if|select)\b/,
     /^(done|fi|esac|\}|\{|:|true|false)\s*$/,
+    // Inert shell builtins / flow helpers with no side effects.
+    /^sleep\b/,
+    /^exit\b/,
+    /^return\b/,
+    /^seq\b/,
+    /^test\b/,
+    /^\[\[?\s/, // [ ... ]  and  [[ ... ]]  conditionals
+    // `<cmd> --help` / `--version` just prints usage. (Dangerous verbs like
+    // `git push` are matched by HIGH_STAKES on the full command first.)
+    /\s--(help|version)\b/,
+    // Read-only npm subcommands beyond the install/version ones above.
+    /^npm\s+(prefix|root|bin|whoami|ping|docs|repo|why|explain|pkg\s+get|config\s+get)\b/,
 ];
-// Bash commands classified as high stakes (destructive, irreversible, external)
-const HIGH_STAKES_COMMANDS = [
+// File deletion (rm/rmdir/trash). Checked PER-STAGE (not on the full command)
+// so the ephemeral-temp downgrade can run first: `something; rm /tmp/x` must be
+// warning, but `rm /tmp/x` mixed with a non-temp delete in another stage stays
+// high_stakes. Matching the bare word also catches it inside a loop body or a
+// $(...) substitution stage.
+const DELETE_PATTERNS = [
     /\brm\b/,
-    /\brm\b\s+(?:-[^\s]*[rf][^\s]*\s+)*-[^\s]*[rf][^\s]*\b/,
-    /\brm\s+--recursive\b/,
-    /\brm\b.*\s+\//, // rm with absolute path
     /\brmdir\b/,
     /\btrash\b/,
     /\btrash-put\b/,
+];
+// Bash commands classified as high stakes (destructive, irreversible, external).
+// Scanned on the FULL command (some patterns, e.g. download|shell, span a pipe).
+// File deletion lives in DELETE_PATTERNS (per-stage) instead, see above.
+const HIGH_STAKES_COMMANDS = [
     /\bgit\s+push\b/,
     /\bgit\s+reset\s+--hard\b/,
     /\bgit\s+clean\s+-f/,
@@ -178,56 +197,73 @@ const WARNING_COMMANDS = [
     /^npm\s+run\b/,
     /^bun\b/,
     /^deno\b/,
+    // Package installs run dependency postinstall scripts (code execution), so
+    // they're not "safe" — but they're a constant part of the dev loop, so log
+    // (warning) rather than prompt.
+    /^npm\s+(install|ci|i|update|upgrade|rebuild|prune|dedupe)\b/,
+    /^(pnpm|yarn)\s+(install|add|ci|up|upgrade)\b/,
 ];
 // Ephemeral filesystem locations. Writes here have no lasting effect on
 // their own — what matters is whatever subsequent command CONSUMES the file
 // (e.g. `himalaya message send < /tmp/draft.eml`). Without this carve-out,
 // every multi-step skill that drafts a temp file generates two approval
 // prompts (the temp write + the real send) instead of one.
-const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/private\/tmp\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/private\/tmp\/|\/private\/var\/folders\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+// A temp-dir env var (the conventional output of `mktemp -d` etc.): $TMPDIR,
+// $TMP, $TEMP, ${TMPDIR}, and paths beneath them. Treated as ephemeral since
+// we can't resolve the value but the intent is unambiguous.
+const TEMP_VAR_RE = /^\$\{?(?:TMPDIR|TMP|TEMP)\}?(?:\/|$)/;
 function isEphemeralPath(filePath) {
     if (!filePath)
         return false;
-    return EPHEMERAL_PATH_RE.test(filePath);
+    return TEMP_VAR_RE.test(filePath) || EPHEMERAL_PATH_RE.test(filePath);
 }
-// Claude Code's own plan-mode and todo scratch files live under
-// ~/.claude/plans and ~/.claude/todos. They're agent bookkeeping, not project
-// changes, and have no side effects of their own. Writes there downgrade to
-// `warning`. This is deliberately narrow: the rest of ~/.claude (notably
-// settings.json, which holds the OKed hook config) is NOT covered, so an agent
-// can't silently rewrite its own guardrails without an approval.
-const AGENT_SCRATCH_DIRS = [
-    path.join(".claude", "plans"),
-    path.join(".claude", "todos"),
-];
-function isAgentScratchPath(filePath) {
+// Paths where a write/edit is genuinely dangerous and must stay `review`:
+// system directories, credential/secret stores, shell startup files (a
+// persistence vector), and OKed's own config (so an agent can't disable its
+// guardrails). Everything else — project files, sibling repos, scratch — is
+// treated as `warning` (a file write can't act on its own; whatever later
+// executes it is classified separately).
+function isSensitiveWritePath(filePath) {
     if (!filePath)
-        return false;
+        return true; // unknown target → err toward review
+    let resolved;
     try {
-        const resolved = path.resolve(filePath);
-        const home = os.homedir();
-        return AGENT_SCRATCH_DIRS.some((dir) => {
-            const base = path.join(home, dir);
-            const relative = path.relative(base, resolved);
-            return relative !== "" && !relative.startsWith("..") && !path.isAbsolute(relative);
-        });
+        resolved = path.resolve(filePath);
     }
     catch {
-        return false;
-    }
-}
-function isInsideProject(filePath) {
-    if (!filePath)
-        return false;
-    try {
-        const projectRoot = path.resolve(process.cwd());
-        const resolved = path.resolve(filePath);
-        const relative = path.relative(projectRoot, resolved);
-        return relative === "" || (!!relative && !relative.startsWith("..") && !path.isAbsolute(relative));
+        return true;
     }
-    catch {
-        return false;
+    const home = os.homedir();
+    const underHome = (rel) => {
+        const base = path.join(home, rel);
+        return resolved === base || resolved.startsWith(base + path.sep);
+    };
+    // OKed self-config — never let an agent edit its own hook config silently.
+    if (resolved === path.join(home, ".claude", "settings.json") ||
+        resolved === path.join(home, ".claude", "settings.local.json"))
+        return true;
+    // Credential / secret stores.
+    for (const d of [".ssh", ".aws", ".gnupg", ".kube", ".docker", path.join(".config", "gcloud")]) {
+        if (underHome(d))
+            return true;
     }
+    // Sensitive dotfiles directly in $HOME (creds + shell startup persistence).
+    const sensitiveHomeFiles = new Set([
+        ".netrc", ".npmrc", ".pypirc", ".git-credentials", ".bash_history", ".zsh_history",
+        ".bashrc", ".zshrc", ".bash_profile", ".zprofile", ".profile", ".zshenv", ".zlogin",
+    ]);
+    if (path.dirname(resolved) === home && sensitiveHomeFiles.has(path.basename(resolved)))
+        return true;
+    // System directories.
+    if (/^\/(etc|usr|bin|sbin|boot|sys|proc|opt|Library|System)(\/|$)/.test(resolved))
+        return true;
+    if (/^\/private\/etc(\/|$)/.test(resolved))
+        return true;
+    // /var, except the ephemeral temp subtrees.
+    if (/^\/var(\/|$)/.test(resolved) && !/^\/var\/(tmp|folders)(\/|$)/.test(resolved))
+        return true;
+    return false;
 }
 export function classify(toolName, toolInput) {
     // Check tool-level classification first
@@ -239,14 +275,13 @@ export function classify(toolName, toolInput) {
         return "high_stakes";
     if (REVIEW_TOOLS.has(toolName))
         return "review";
-    // File-editing tools: warning if inside project or an ephemeral temp dir,
-    // review otherwise. Temp-dir writes are "warning" because the file itself
-    // can't do harm — only what consumes it can.
+    // File-editing tools: a write/edit can't act on its own — whatever later
+    // executes it is classified separately — so it's `warning` (logged, no
+    // prompt) everywhere EXCEPT sensitive targets (system dirs, secret stores,
+    // shell startup files, OKed's own config), which stay `review`.
     if (toolName === "Write" || toolName === "Edit" || toolName === "NotebookEdit") {
         const filePath = toolInput.file_path;
-        if (isEphemeralPath(filePath) || isInsideProject(filePath) || isAgentScratchPath(filePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(filePath) ? "review" : "warning";
     }
     // Agent tool - safe. Launching a sub-agent is not itself a side effect, and
     // the sub-agent's own tool calls (Bash/Write/Edit/MCP) each fire their own
@@ -276,9 +311,7 @@ export function classify(toolName, toolInput) {
     const writePath = (toolInput.file_path ?? toolInput.path);
     const writeContent = (toolInput.content ?? toolInput.data ?? toolInput.body);
     if (typeof writePath === "string" && typeof writeContent === "string") {
-        if (isEphemeralPath(writePath) || isInsideProject(writePath) || isAgentScratchPath(writePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(writePath) ? "review" : "warning";
     }
     // Unknown tool - default to review (require approval)
     return "review";
@@ -295,6 +328,7 @@ function splitTopLevel(cmd) {
     const out = [];
     let cur = "";
     let quote = null;
+    let subDepth = 0; // depth inside $( ... ) / `...` command substitutions
     let i = 0;
     while (i < cmd.length) {
         const ch = cmd[i];
@@ -311,6 +345,31 @@ function splitTopLevel(cmd) {
             i++;
             continue;
         }
+        // Command substitution: keep `$( ... )` / backticks intact so a pipe or `;`
+        // inside (e.g. `V=$(curl … | sed …)`) isn't treated as a top-level operator.
+        if (ch === "$" && cmd[i + 1] === "(") {
+            subDepth++;
+            cur += "$(";
+            i += 2;
+            continue;
+        }
+        if (subDepth > 0 && ch === "(") {
+            subDepth++;
+            cur += ch;
+            i++;
+            continue;
+        }
+        if (subDepth > 0 && ch === ")") {
+            subDepth--;
+            cur += ch;
+            i++;
+            continue;
+        }
+        if (subDepth > 0) {
+            cur += ch;
+            i++;
+            continue;
+        }
         // Heredoc: consume the opener and the entire body (up to the closing
         // delimiter line) as part of the current segment, so operators inside a
         // heredoc fed to an interpreter (psql/node/…) aren't treated as separators.
@@ -364,21 +423,86 @@ function isEphemeralOnlyDeletion(command) {
         return false;
     return targets.every((a) => isEphemeralPath(unquote(a)));
 }
+/**
+ * Classifies a single stage that begins with one or more `NAME=value`
+ * assignments (a pure assignment like `TARGET=abc`, an env prefix like
+ * `FOO=bar cmd`, or a capture like `V=$(cmd)`). Strips the leading assignments,
+ * then takes the worst tier of: each command-substitution inner found in the
+ * values, plus any trailing command. A purely literal assignment is `safe`.
+ * Returns null if the stage is not assignment-prefixed.
+ */
+function classifyAssignmentStage(stage) {
+    if (!/^\w+=/.test(stage))
+        return null;
+    const inners = [];
+    let i = 0;
+    while (i < stage.length) {
+        const m = stage.slice(i).match(/^(\w+)=/);
+        if (!m)
+            break; // next token isn't an assignment → it's the command
+        i += m[0].length;
+        let quote = null;
+        while (i < stage.length) {
+            const ch = stage[i];
+            if (quote) {
+                if (ch === quote)
+                    quote = null;
+                i++;
+                continue;
+            }
+            if (ch === '"' || ch === "'") {
+                quote = ch;
+                i++;
+                continue;
+            }
+            if (ch === "$" && stage[i + 1] === "(") {
+                let d = 1, j = i + 2;
+                while (j < stage.length && d > 0) {
+                    if (stage[j] === "(")
+                        d++;
+                    else if (stage[j] === ")")
+                        d--;
+                    j++;
+                }
+                inners.push(stage.slice(i + 2, j - 1));
+                i = j;
+                continue;
+            }
+            if (ch === "`") {
+                let j = i + 1;
+                while (j < stage.length && stage[j] !== "`")
+                    j++;
+                inners.push(stage.slice(i + 1, j));
+                i = j + 1;
+                continue;
+            }
+            if (/\s/.test(ch))
+                break; // end of this value
+            i++;
+        }
+        while (i < stage.length && /\s/.test(stage[i]))
+            i++;
+    }
+    const rest = stage.slice(i).trim();
+    let tier = "safe";
+    for (const inner of inners)
+        tier = maxTier(tier, classifyBashCommand(inner));
+    if (rest)
+        tier = maxTier(tier, classifyBashCommand(rest));
+    return tier;
+}
 function classifyBashCommand(command) {
     if (!command)
         return "safe";
     // Strip heredoc bodies up front: their contents are literal data, not shell,
     // and must not be scanned for high-stakes tokens, operators, or redirects.
     const trimmed = stripHeredocBodies(command).trim();
-    // rm/trash of only ephemeral temp files → warning (before the high-stakes
-    // scan, which would otherwise match the bare `rm`).
-    if (isEphemeralOnlyDeletion(trimmed))
-        return "warning";
     // High-stakes scan on the FULL command, before any splitting. These patterns
     // use \b and several intentionally span an operator (e.g. `curl … | bash`,
     // `wget … | sh` — download-and-execute), so they have to be matched against
     // the whole string. Most-restrictive-wins: a high-stakes match anywhere in a
-    // compound command takes the whole command to high_stakes.
+    // compound command takes the whole command to high_stakes. (File deletion is
+    // NOT here — it's per-stage below so the ephemeral-temp downgrade can run.)
     for (const pattern of HIGH_STAKES_COMMANDS) {
         if (pattern.test(trimmed))
             return "high_stakes";
@@ -392,6 +516,23 @@ function classifyBashCommand(command) {
     if (stages.length > 1) {
         return stages.reduce((worst, stage) => maxTier(worst, classifyBashCommand(stage)), "safe");
     }
+    // ---- single stage from here ----
+    // File deletion, per-stage so the ephemeral-temp carve-out can win: deleting
+    // only throwaway temp files (/tmp, $TMPDIR, /var/folders, …) → warning; any
+    // non-temp target (or the temp root itself) → high_stakes.
+    if (isEphemeralOnlyDeletion(trimmed))
+        return "warning";
+    for (const pattern of DELETE_PATTERNS) {
+        if (pattern.test(trimmed))
+            return "high_stakes";
+    }
+    // Variable assignments: `NAME=value` (pure) or `NAME=$(cmd) rest` (env prefix
+    // / capture). Classify the command-substitution inners and any trailing
+    // command; a purely literal assignment is safe. Dangerous substitutions were
+    // already caught by the high-stakes/delete scans above.
+    const assignTier = classifyAssignmentStage(trimmed);
+    if (assignTier !== null)
+        return assignTier;
     // sudo: privilege escalation. A high-stakes inner command was already caught
     // by the full-string scan above (\b patterns match through the `sudo` prefix);
     // anything else still warrants review.
@@ -406,16 +547,15 @@ function classifyBashCommand(command) {
         return classifySqlSeverity(sql);
     // File-mutating shell patterns. Content-creation idioms (echo > X, tee,
     // dd of=, touch, sed -i) are the bypass route from a denied Write, so they're
-    // classified like the Write/Edit tool: writes inside the project, an
-    // ephemeral temp dir (/tmp, %TEMP%), or an agent scratch dir downgrade to
-    // warning; writes elsewhere stay review. cp/mv (rearranging existing bytes)
-    // stay review.
+    // classified exactly like the Write/Edit tool: `warning` unless a target is a
+    // sensitive path (system dir, secret store, shell rc, OKed config), which
+    // stays `review`. cp/mv (which can clobber/relocate existing files) stay
+    // review.
     const ops = extractShellWriteOps(trimmed);
     if (ops.length > 0) {
         const creates = ops.filter((o) => o.kind !== "copy" && o.kind !== "move");
         if (creates.length > 0) {
-            const allLocal = creates.every((o) => isEphemeralPath(o.target) || isInsideProject(o.target) || isAgentScratchPath(o.target));
-            return allLocal ? "warning" : "review";
+            return creates.some((o) => isSensitiveWritePath(o.target)) ? "review" : "warning";
         }
         return "review";
     }
@@ -461,29 +601,23 @@ function classifySqlSeverity(sql) {
  *
  * Skips /dev/null and bare-digit FD duplicates (2>&1).
  */
-// True when the opener line sends the heredoc to a FILE (a `>`/`>>` redirect to
-// a real path, or `tee`). Those bodies are literal data; bodies fed to an
-// interpreter/DB instead (`psql <<EOF`, `node - <<EOF`, `bash <<EOF`) are
-// executed and must NOT be stripped — they still need to be classified.
-function openerWritesToFile(line) {
-    if (/\btee\b/.test(line))
-        return true;
-    for (const m of line.matchAll(/(?:^|[^>])([12]?>>?|&>>?)\s*([^\s>|&;]+)/g)) {
-        const target = unquote(m[2]);
-        if (target && !/^\d+$/.test(target) && !isDevNullish(target))
-            return true;
-    }
-    return false;
+// Commands that EXECUTE a heredoc body fed to their stdin — a SQL CLI, a code
+// interpreter, or a shell. Their heredoc bodies are code/SQL and must stay
+// scannable. Detected as a command word at the start of the opener line or
+// after a pipe / `&&` / `;` / `$(` / backtick.
+const HEREDOC_INTERPRETER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun|bash|sh|zsh|ksh|fish)\b/;
+function openerFeedsInterpreter(line) {
+    return HEREDOC_INTERPRETER_RE.test(line);
 }
 /**
- * Removes heredoc *bodies* that are being written to a file, so their contents
- * aren't parsed as shell. `cat >> file <<'EOF' … EOF` is a common file-writing
- * idiom; the body is literal data, not commands, and must not be scanned for
- * operators, redirects, or risky tokens (a config/test file full of `;`, `&&`,
- * or even the literal text "rm -rf" would otherwise wreck classification). The
- * opener line — with its redirect and target — is preserved; only the body and
- * closing delimiter are dropped. Heredocs fed to an interpreter (no file
- * redirect on the opener line) are left intact so SQL/code detection still runs.
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
  */
 export function stripHeredocBodies(command) {
     const lines = command.split("\n");
@@ -496,7 +630,7 @@ export function stripHeredocBodies(command) {
         // space). Require a word-char delimiter so numeric left-shifts ($((1<<2)))
         // don't match. Use the last opener on the line as the active delimiter.
         const openers = [...line.matchAll(/<<-?\s*(["']?)([A-Za-z_][A-Za-z0-9_]*)\1/g)];
-        if (openers.length > 0 && openerWritesToFile(line)) {
+        if (openers.length > 0 && !openerFeedsInterpreter(line)) {
             const delim = openers[openers.length - 1][2];
             i++;
             while (i < lines.length && lines[i].trim() !== delim)

package/dist/describe.js

@@ -7,7 +7,7 @@
  * from the `fields` payload. `describe()` returns just the title for
  * backwards-compatible single-line consumers (audit logs, SMS).
  */
-import { extractShellWriteOps, stripHeredocBodies } from "./classify.js";
+import { extractShellWriteOps } from "./classify.js";
 const BODY_PREVIEW_MAX = 200;
 const COMMAND_INLINE_MAX = 50;
 const DIFF_HUNK_MAX_LINES = 10;
@@ -84,9 +84,7 @@ function summarize(toolName, toolInput) {
 // Bash / shell — semantic rerendering
 // ───────────────────────────────────────────────────────────────────────
 function summarizeBash(command, sizeBytes) {
-    // Strip heredoc bodies so a file's literal contents aren't parsed as shell
-    // (and don't bloat the card) — the redirect/target on the opener line stays.
-    const cmd = stripHeredocBodies(command || "").trim();
+    const cmd = (command || "").trim();
     if (!cmd)
         return { title: "Run empty command", kind: "unknown_bash" };
     // SQL detection runs before shell-write detection so that inline-interpreter
@@ -123,13 +121,17 @@ function summarizeBash(command, sizeBytes) {
         };
     }
     // git
-    if (/\bgit\s+push\s+(?:--force|-f)\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(?:--force|-f)\s+(\S+)\s+(\S+)/);
-        return { title: "Force push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_force_push" };
-    }
     if (/\bgit\s+push\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(\S+)\s+(\S+)/);
-        return { title: "Push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_push" };
+        // Parse the remote + branch ignoring flags (-u, --force, --set-upstream, …)
+        // so `git push -u origin feat` renders "feat → origin", not "origin → -u".
+        const after = cmd.match(/\bgit\s+push\b(.*)$/s)?.[1] ?? "";
+        const args = after.split(/\s+/).filter((a) => a && !a.startsWith("-"));
+        const [remote, branch] = args;
+        const target = remote && branch ? `${branch} → ${remote}` : remote || "current branch";
+        const forced = /\bgit\s+push\b[^\n]*\s(?:--force(?:-with-lease)?|-f)\b/.test(cmd);
+        return forced
+            ? { title: "Force push", target, kind: "git_force_push" }
+            : { title: "Push", target, kind: "git_push" };
     }
     if (/\bgit\s+reset\s+--hard\b/.test(cmd))
         return { title: "Hard reset — discard all local changes", kind: "git_reset_hard" };
@@ -291,12 +293,16 @@ function extractSqlFromScriptBody(body) {
     }
     return sqls.length > 0 ? sqls.join("\n") : null;
 }
+// A SQL CLI or code interpreter as a command word — at the start of the command
+// (allowing env=val / sudo prefixes) or after a pipe / `&&` / `;` / `$(`. Used
+// to gate SQL extraction so SQL words appearing in *argument data* (a `gh pr
+// create --body` mentioning "TRUNCATE", a path like `better-sqlite3`) don't get
+// misread as a statement to run.
+const SQL_CONSUMER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun)\b/;
 export function findSqlInCommand(cmd) {
-    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Checked
-    // before the SQL-CLI prefix matchers below because those prefixes (e.g.
-    // `sqlite3`) can appear as substrings inside the interpreter body (e.g.
-    // `require('better-sqlite3')`) and would extract the wrong fragment.
-    const inline = cmd.match(/\b(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
+    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Anchored to
+    // a command position so a SQL-looking string elsewhere doesn't match.
+    const inline = cmd.match(/(?:^|\||&&|;|\$\()\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
     if (inline) {
         const body = inline[1] ?? inline[2];
         if (body && SQL_KEYWORDS_RE.test(body)) {
@@ -304,19 +310,23 @@ export function findSqlInCommand(cmd) {
         }
     }
     // psql -c "..." / mysql -e "..." / sqlite3 db "..." — outer-quoted statement.
-    const dq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
+    // Anchored to the start of the command so "psql"/"mysql" appearing inside an
+    // argument (another tool's --body, etc.) can't trigger a false SQL match.
+    const dq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
     if (dq)
         return dq[1];
-    const sq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
+    const sq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
     if (sq)
         return sq[1];
-    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF.
-    // Single capture for the delimiter (quote-stripped) lets the closing
-    // anchor reference it without going through alternation.
+    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF. Only when the
+    // command (outside the body) actually feeds the heredoc to a SQL CLI or
+    // interpreter — otherwise a `gh`/`cat`/`mail` heredoc whose body merely
+    // mentions SQL words would be misclassified as a statement to run.
     const hd = cmd.match(/<<-?\s*['"]?(\w+)['"]?[ \t]*\r?\n([\s\S]*?)\r?\n[ \t]*\1\b/);
     if (hd) {
         const body = hd[2];
-        if (body && SQL_KEYWORDS_RE.test(body)) {
+        const context = cmd.slice(0, hd.index) + cmd.slice((hd.index ?? 0) + hd[0].length);
+        if (body && SQL_CONSUMER_RE.test(context) && SQL_KEYWORDS_RE.test(body)) {
             return extractSqlFromScriptBody(body) ?? body;
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oked/sdk",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "OKed SDK - human approval layer for AI agents",
   "type": "module",
   "main": "dist/index.js",