@pugi/cli 0.1.0-beta.7 → 0.1.0-beta.87

package/dist/core/permissions/auto-classifier.js

@@ -0,0 +1,124 @@
+/**
+ * Auto-mode classifier — Phase 1 (regex allowlist + denylist).
+ *
+ * `permissionMode === 'auto'` is the the upstream tool parity mode where the
+ * classifier decides safe-vs-unsafe per call. Phase 1 ships without
+ * ML — just two curated regex lists covering the 80% of "obviously
+ * safe" and "obviously catastrophic" patterns. Anything that doesn't
+ * match either list returns `ask`, so the operator stays in the loop
+ * для the ambiguous middle.
+ *
+ * Phase 2 (deferred, NOT in this PR): semantic classifier consulting
+ * the model with a tight system prompt. The interface (`AutoVerdict`)
+ * is stable so we can swap implementations without touching the gate.
+ *
+ * Design notes:
+ *
+ *  - Patterns are conservative: a read-only command is only
+ *    allow-listed когда its argv shape is unambiguous (no `-exec`,
+ *    no `--delete`, no `|` к shell). When в doubt, fall back to ask.
+ *  - The denylist matches catastrophic patterns even в auto-mode so
+ *    a misclick can't shred the workspace. The circuit-breaker
+ *    (`circuit-breaker.ts`) covers the same surface для bypass-mode;
+ *    this denylist is the auto-mode equivalent.
+ *  - All matches operate on the FULL command string, not parsed
+ *    argv. This is deliberately permissive on whitespace but strict
+ *    on operator characters (`|`, `&`, `;`, `>`, backticks) — a
+ *    pipe-into-shell или command-chain forces fallback к ask.
+ */
+/**
+ * Catastrophic patterns — the auto-mode regex denylist. Each entry
+ * carries a human-readable reason surfaced в the deny payload so the
+ * operator + audit log see why the gate refused. Order matters: most-
+ * specific первой так "rm -rf /" reports as that, не the generic
+ * "rm -rf".
+ */
+const AUTO_DENY_PATTERNS = [
+    { pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b/i, reason: 'rm -rf (recursive force-delete)' },
+    { pattern: /\bgit\s+push\s+(-{1,2}force\b|\-f\b)/i, reason: 'git push --force (history rewrite)' },
+    { pattern: /\bgit\s+reset\s+--hard\b/i, reason: 'git reset --hard (uncommitted-work loss)' },
+    { pattern: /\bdd\s+if=\/(dev|)/i, reason: 'dd if=/dev/* (raw device read/write)' },
+    { pattern: /\bmkfs(\.|\s|$)/i, reason: 'mkfs (filesystem format)' },
+    { pattern: /\bchmod\s+-R\s+777\b/i, reason: 'chmod -R 777 (world-writable recursive)' },
+    { pattern: /\bchown\s+-R\b/i, reason: 'chown -R (recursive ownership change)' },
+    { pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;?\s*:/, reason: 'fork bomb signature' },
+    { pattern: /\bsudo\b/i, reason: 'sudo (privilege escalation)' },
+    { pattern: /\b(npm|pnpm|yarn)\s+publish\b/i, reason: 'package publish (irreversible npm release)' },
+    { pattern: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh)\b/i, reason: 'pipe-to-shell installer (curl … | sh)' },
+];
+/**
+ * Safe-by-default patterns — auto-mode regex allowlist. Each regex
+ * must match the FULL command (with `^…$` anchors) so a leading
+ * `sudo ls` или a trailing `; rm -rf /` does NOT slip through. The
+ * caller passes the trimmed command string; whitespace around argv
+ * tokens is tolerated.
+ */
+const AUTO_ALLOW_PATTERNS = [
+    { pattern: /^ls(\s+-[a-zA-Z]+)*(\s+[^|;&`>$()\\]+)?$/, reason: 'ls (directory listing)' },
+    { pattern: /^pwd\s*$/, reason: 'pwd (working directory)' },
+    { pattern: /^cat\s+[^|;&`>$()\\]+$/, reason: 'cat (file read)' },
+    { pattern: /^head(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'head (file preview)' },
+    { pattern: /^tail(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'tail (file preview)' },
+    { pattern: /^wc(\s+-[a-z]+)?\s+[^|;&`>$()\\]+$/, reason: 'wc (line/word count)' },
+    { pattern: /^du\s+-sh?\s+[^|;&`>$()\\]+$/, reason: 'du -sh (disk usage summary)' },
+    { pattern: /^df\s+-h\s*$/, reason: 'df -h (filesystem free space)' },
+    { pattern: /^git\s+status(\s+--short|\s+-s)?\s*$/, reason: 'git status' },
+    { pattern: /^git\s+diff(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git diff (read-only)' },
+    { pattern: /^git\s+log(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git log (read-only)' },
+    { pattern: /^git\s+branch(\s+-[a-z]+)?\s*$/, reason: 'git branch (read-only)' },
+    { pattern: /^git\s+remote\s+-v\s*$/, reason: 'git remote -v (read-only)' },
+    { pattern: /^pnpm\s+(typecheck|lint|test\s+--run|test\s+--watch=false)\s*$/, reason: 'pnpm read-only build check' },
+    { pattern: /^npm\s+(--version|-v|run\s+typecheck|run\s+lint)\s*$/, reason: 'npm read-only check' },
+    { pattern: /^node\s+--version\s*$/, reason: 'node --version' },
+    { pattern: /^pnpm\s+--version\s*$/, reason: 'pnpm --version' },
+    { pattern: /^which\s+[a-zA-Z0-9_-]+\s*$/, reason: 'which (command lookup)' },
+    { pattern: /^find\s+\.\s+-type\s+f(\s+-name\s+[^|;&`>$()\\]+)?\s*$/, reason: 'find -type f (read-only)' },
+    { pattern: /^(rg|ripgrep|grep)\s+(-[a-z]+\s+)*[^|;&`>$()\\]+(\s+[^|;&`>$()\\]+)?\s*$/, reason: 'grep/ripgrep (read-only search)' },
+];
+/**
+ * Classify an auto-mode command. Order:
+ *  1. Catastrophic deny patterns — surface the explicit deny reason.
+ *  2. Safe allow patterns — surface the matched reason.
+ *  3. Fallback к ask.
+ *
+ * The order matters: a destructive pattern that ALSO looks like a
+ * read-only token (e.g. `git diff ; rm -rf .`) hits deny first because
+ * the allow patterns require `^…$` anchors that the chained command
+ * fails to satisfy. Belt + suspenders.
+ */
+export function classifyAutoMode(command) {
+    const trimmed = command.trim();
+    if (trimmed.length === 0)
+        return { verdict: 'ask' };
+    for (const entry of AUTO_DENY_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return {
+                verdict: 'deny',
+                reason: entry.reason,
+                pattern: entry.pattern.source,
+            };
+        }
+    }
+    for (const entry of AUTO_ALLOW_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return {
+                verdict: 'allow',
+                reason: entry.reason,
+                pattern: entry.pattern.source,
+            };
+        }
+    }
+    return { verdict: 'ask' };
+}
+/**
+ * Diagnostic accessors — exposed для doctor surfaces + spec coverage.
+ * The arrays are frozen at module load so callers can iterate without
+ * mutating the source-of-truth.
+ */
+export function listAutoAllowPatterns() {
+    return AUTO_ALLOW_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+export function listAutoDenyPatterns() {
+    return AUTO_DENY_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+//# sourceMappingURL=auto-classifier.js.map

package/dist/core/permissions/bash-parser.js

@@ -0,0 +1,371 @@
+const WRAPPER_COMMANDS = new Set(['bash', 'sh']);
+const PIPELINE_SEPARATORS = new Set(['&&', '||', '|', ';']);
+export function parseBashCommand(cmd) {
+    const rawCommand = cmd;
+    const command = stripWrappers(cmd).trim();
+    if (command.length === 0) {
+        throw new Error('empty bash command');
+    }
+    const stageSources = splitPipeline(command);
+    const envVars = {};
+    const redirects = [];
+    const pipelineStages = [];
+    const tokens = [];
+    for (const stageSource of stageSources) {
+        const rawTokens = tokenize(stageSource);
+        const stage = normalizeStage(rawTokens, envVars, redirects);
+        if (stage.length === 0) {
+            throw new Error('pipeline stage has no command');
+        }
+        pipelineStages.push(stage);
+        tokens.push(...stage);
+    }
+    const firstStage = pipelineStages[0];
+    if (firstStage === undefined) {
+        throw new Error('bash command has no stages');
+    }
+    const firstCommand = firstStage[0];
+    if (firstCommand === undefined || firstCommand.length === 0) {
+        throw new Error('bash command has no first command');
+    }
+    return {
+        rawCommand,
+        tokens,
+        firstCommand,
+        pipelineStages,
+        envVars,
+        redirects,
+    };
+}
+export function isAllowed(cmd, allowlist) {
+    let parsed;
+    try {
+        parsed = parseBashCommand(cmd);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'parse failed';
+        return { allowed: false, reason: message };
+    }
+    if (parsed.firstCommand.length === 0) {
+        return { allowed: false, reason: 'missing first command' };
+    }
+    const allowedCommands = new Set(allowlist);
+    for (const stage of parsed.pipelineStages) {
+        const stageCommand = stage[0];
+        if (stageCommand === undefined || stageCommand.length === 0) {
+            return {
+                allowed: false,
+                reason: 'missing command in pipeline stage',
+                firstCommand: parsed.firstCommand,
+            };
+        }
+        if (!allowedCommands.has(stageCommand)) {
+            return {
+                allowed: false,
+                reason: `command not allowlisted: ${stageCommand}`,
+                firstCommand: parsed.firstCommand,
+            };
+        }
+    }
+    return { allowed: true, firstCommand: parsed.firstCommand };
+}
+function stripWrappers(cmd) {
+    let current = cmd.trim();
+    for (let depth = 0; depth < 8; depth += 1) {
+        const tokens = tokenize(current);
+        const first = tokens[0];
+        if (first === undefined) {
+            return current;
+        }
+        if (WRAPPER_COMMANDS.has(first)) {
+            const second = tokens[1];
+            const third = tokens[2];
+            if (second === '-c' && third !== undefined) {
+                current = third.trim();
+                continue;
+            }
+        }
+        if (first === 'eval') {
+            const inner = tokens.slice(1).join(' ').trim();
+            if (inner.length === 0) {
+                throw new Error('eval wrapper has no inner command');
+            }
+            current = inner;
+            continue;
+        }
+        return current;
+    }
+    throw new Error('too many nested shell wrappers');
+}
+function splitPipeline(command) {
+    const stages = [];
+    let current = '';
+    let quote = 'none';
+    let escaped = false;
+    for (let i = 0; i < command.length; i += 1) {
+        const ch = command[i];
+        if (ch === undefined) {
+            break;
+        }
+        if (escaped) {
+            current += ch;
+            escaped = false;
+            continue;
+        }
+        if (quote !== 'single' && ch === '\\') {
+            current += ch;
+            escaped = true;
+            continue;
+        }
+        if (quote === 'none' && ch === "'") {
+            current += ch;
+            quote = 'single';
+            continue;
+        }
+        if (quote === 'single' && ch === "'") {
+            current += ch;
+            quote = 'none';
+            continue;
+        }
+        if (quote === 'none' && ch === '"') {
+            current += ch;
+            quote = 'double';
+            continue;
+        }
+        if (quote === 'double' && ch === '"') {
+            current += ch;
+            quote = 'none';
+            continue;
+        }
+        if (quote === 'none') {
+            const next = command[i + 1];
+            const pair = next === undefined ? ch : `${ch}${next}`;
+            if (PIPELINE_SEPARATORS.has(pair)) {
+                pushStage(stages, current);
+                current = '';
+                i += 1;
+                continue;
+            }
+            if (PIPELINE_SEPARATORS.has(ch)) {
+                pushStage(stages, current);
+                current = '';
+                continue;
+            }
+        }
+        current += ch;
+    }
+    if (escaped) {
+        throw new Error('dangling escape in bash command');
+    }
+    if (quote !== 'none') {
+        throw new Error('unterminated quote in bash command');
+    }
+    pushStage(stages, current);
+    return stages;
+}
+function pushStage(stages, stage) {
+    const trimmed = stage.trim();
+    if (trimmed.length === 0) {
+        throw new Error('empty pipeline stage');
+    }
+    stages.push(trimmed);
+}
+function tokenize(input) {
+    const tokens = [];
+    let current = '';
+    let quote = 'none';
+    let escaped = false;
+    for (let i = 0; i < input.length; i += 1) {
+        const ch = input[i];
+        if (ch === undefined) {
+            break;
+        }
+        if (escaped) {
+            current += ch;
+            escaped = false;
+            continue;
+        }
+        if (quote !== 'single' && ch === '\\') {
+            escaped = true;
+            continue;
+        }
+        if (quote === 'none' && isWhitespace(ch)) {
+            pushToken(tokens, current);
+            current = '';
+            continue;
+        }
+        if (quote === 'none' && ch === "'") {
+            quote = 'single';
+            continue;
+        }
+        if (quote === 'single' && ch === "'") {
+            quote = 'none';
+            continue;
+        }
+        if (quote === 'none' && ch === '"') {
+            quote = 'double';
+            continue;
+        }
+        if (quote === 'double' && ch === '"') {
+            quote = 'none';
+            continue;
+        }
+        if (quote === 'none' && startsRedirect(input, i)) {
+            pushToken(tokens, current);
+            current = '';
+            const parsed = readRedirect(input, i);
+            tokens.push(parsed.token);
+            i = parsed.nextIndex - 1;
+            continue;
+        }
+        current += ch;
+    }
+    if (escaped) {
+        throw new Error('dangling escape in bash command');
+    }
+    if (quote !== 'none') {
+        throw new Error('unterminated quote in bash command');
+    }
+    pushToken(tokens, current);
+    return tokens;
+}
+function pushToken(tokens, token) {
+    if (token.length > 0) {
+        tokens.push(token);
+    }
+}
+function startsRedirect(input, index) {
+    const ch = input[index];
+    if (ch === undefined) {
+        return false;
+    }
+    if (ch === '>' || ch === '<') {
+        return true;
+    }
+    if (!isDigit(ch)) {
+        return false;
+    }
+    let cursor = index;
+    while (isDigit(input[cursor] ?? '')) {
+        cursor += 1;
+    }
+    const next = input[cursor];
+    return next === '>' || next === '<';
+}
+function readRedirect(input, index) {
+    let cursor = index;
+    let token = '';
+    while (isDigit(input[cursor] ?? '')) {
+        const digit = input[cursor];
+        if (digit === undefined) {
+            break;
+        }
+        token += digit;
+        cursor += 1;
+    }
+    const first = input[cursor];
+    if (first !== '>' && first !== '<') {
+        throw new Error('invalid redirect operator');
+    }
+    token += first;
+    cursor += 1;
+    const second = input[cursor];
+    const third = input[cursor + 1];
+    if (first === '>' && second === '>') {
+        token += second;
+        cursor += 1;
+    }
+    else if (first === '<' && second === '<' && third === '<') {
+        token += `${second}${third}`;
+        cursor += 2;
+    }
+    else if (first === '<' && second === '<') {
+        token += second;
+        cursor += 1;
+    }
+    else if ((first === '>' || first === '<') && second === '&') {
+        token += second;
+        cursor += 1;
+    }
+    else if (first === '>' && second === '|') {
+        token += second;
+        cursor += 1;
+    }
+    else if (first === '<' && second === '>') {
+        token += second;
+        cursor += 1;
+    }
+    while (true) {
+        const ch = input[cursor];
+        if (ch === undefined || isWhitespace(ch) || ch === '"' || ch === "'") {
+            break;
+        }
+        if (ch === '>' || ch === '<') {
+            break;
+        }
+        token += ch;
+        cursor += 1;
+    }
+    return { token, nextIndex: cursor };
+}
+function normalizeStage(rawTokens, envVars, redirects) {
+    const withoutEnv = [];
+    let commandStarted = false;
+    for (const token of rawTokens) {
+        if (!commandStarted && isEnvAssignment(token)) {
+            const parsed = parseEnvAssignment(token);
+            envVars[parsed.name] = parsed.value;
+            continue;
+        }
+        commandStarted = true;
+        withoutEnv.push(token);
+    }
+    const stage = [];
+    for (let i = 0; i < withoutEnv.length; i += 1) {
+        const token = withoutEnv[i];
+        if (token === undefined) {
+            continue;
+        }
+        if (isRedirectToken(token)) {
+            if (redirectNeedsOperand(token)) {
+                const target = withoutEnv[i + 1];
+                if (target === undefined || isRedirectToken(target)) {
+                    throw new Error('redirect missing target');
+                }
+                redirects.push(`${token} ${target}`);
+                i += 1;
+                continue;
+            }
+            redirects.push(token);
+            continue;
+        }
+        stage.push(token);
+    }
+    return stage;
+}
+function isEnvAssignment(token) {
+    return /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(token);
+}
+function parseEnvAssignment(token) {
+    const index = token.indexOf('=');
+    if (index < 1) {
+        throw new Error('invalid environment assignment');
+    }
+    return {
+        name: token.slice(0, index),
+        value: token.slice(index + 1),
+    };
+}
+function isRedirectToken(token) {
+    return /^(?:\d*)?(?:>>?|<|<<|<<<|>\||<>|>&|<&)(?:.+)?$/u.test(token);
+}
+function redirectNeedsOperand(token) {
+    return /^(?:\d*)?(?:>>?|<|<<|<<<|>\||<>|>&|<&)$/u.test(token);
+}
+function isWhitespace(ch) {
+    return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r';
+}
+function isDigit(ch) {
+    return ch >= '0' && ch <= '9';
+}
+//# sourceMappingURL=bash-parser.js.map

package/dist/core/permissions/circuit-breaker.js

@@ -0,0 +1,83 @@
+/**
+ * bypassPermissions circuit-breaker — .
+ *
+ * `bypassPermissions` is "skip ALL checks" for trusted scripted runs.
+ * Even so, certain commands are catastrophic enough that the gate
+ * MUST refuse regardless of mode. This module owns that short list.
+ *
+ * The breaker is conservative on purpose:
+ *  - rm -rf against `/`, `~`, or workspace root (`.`)
+ *  - fork bomb signature (`:(){:|:&};:`)
+ *  - dd if=/ (raw block-device read or write)
+ *
+ * False positives are acceptable here — an operator who really wants
+ * to nuke their root filesystem can switch to `dontAsk` and re-issue;
+ * the breaker is the "are you sure you typed this correctly?" guard,
+ * not a hard policy boundary.
+ *
+ * `evaluateCircuitBreaker` is pure regex matching — no IO, no state.
+ * It's called by the gate before any other routing so a bypass-mode
+ * session that types `rm -rf /` sees the deny path first.
+ */
+/**
+ * Pattern list — kept narrow on purpose. Each entry must match the
+ * canonical destructive shape; argv variants without the exact form
+ * fall through к the regular `dontAsk` / `bypassPermissions` allow
+ * path, which is what the operator opted into.
+ */
+const CIRCUIT_BREAKER_PATTERNS = [
+    // rm -rf against absolute root, $HOME, ~, $WORKSPACE_ROOT, or `.`
+    // with no further token. The negative lookahead на `[/~.]\S` makes
+    // sure `rm -rf /tmp/foo` (specific subtree) doesn't trip — only the
+    // catastrophic `rm -rf /` or `rm -rf ~` or `rm -rf .` shapes do.
+    {
+        pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\s+(\/|~|\$HOME|\$\{HOME\}|\.)\s*$/i,
+        reason: 'rm -rf against /, $HOME, ~, or workspace root',
+    },
+    // Fork bomb signature. Whitespace-tolerant но shape-strict.
+    {
+        pattern: /:\s*\(\s*\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;?\s*:/,
+        reason: 'fork bomb (`:(){ :|:& };:`)',
+    },
+    // dd to/from raw devices. Either direction is catastrophic enough
+    // to warrant the breaker (read of /dev/random into a workspace file
+    // can fill the disk, write to /dev/sda destroys the disk).
+    {
+        pattern: /\bdd\b[^|;&]*\b(if|of)=\/dev\//i,
+        reason: 'dd reading/writing /dev/* (catastrophic IO)',
+    },
+    // mkfs against any disk — single regex covers ext*, xfs, btrfs, vfat.
+    {
+        pattern: /\bmkfs(\.[a-z0-9]+)?\s+\/dev\//i,
+        reason: 'mkfs against /dev/* (filesystem format)',
+    },
+];
+/**
+ * Test the command against every circuit-breaker pattern. Returns the
+ * first match (most-catastrophic-first ordering is encoded в the array
+ * order); when no pattern matches, the breaker is `tripped: false` so
+ * the caller proceeds to the regular gate decision.
+ *
+ * Pure function — no IO, no module-scoped state. Safe to call from any
+ * surface (gate, doctor command, audit replay).
+ */
+export function evaluateCircuitBreaker(command) {
+    const trimmed = command.trim();
+    if (trimmed.length === 0)
+        return { tripped: false, reason: '' };
+    for (const entry of CIRCUIT_BREAKER_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return { tripped: true, reason: entry.reason };
+        }
+    }
+    return { tripped: false, reason: '' };
+}
+/**
+ * Diagnostic accessor — exposed для doctor surfaces + spec coverage so
+ * the test layer can iterate the full list and assert each entry trips
+ * on representative input.
+ */
+export function listCircuitBreakerPatterns() {
+    return CIRCUIT_BREAKER_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+//# sourceMappingURL=circuit-breaker.js.map

package/dist/core/permissions/constrained-edit.js

@@ -0,0 +1,91 @@
+import * as path from 'node:path';
+const REGEX_META = new Set(['.', '+', '^', '$', '(', ')', '|', '{', '}', '[', ']', '\\']);
+function globToRegExp(pattern) {
+    let re = '';
+    let i = 0;
+    while (i < pattern.length) {
+        const c = pattern[i];
+        if (c === '*') {
+            if (pattern[i + 1] === '*') {
+                re += '.*';
+                i += 2;
+                if (pattern[i] === '/')
+                    i += 1;
+            }
+            else {
+                re += '[^/]*';
+                i += 1;
+            }
+        }
+        else if (c === '?') {
+            re += '[^/]';
+            i += 1;
+        }
+        else if (REGEX_META.has(c)) {
+            re += '\\' + c;
+            i += 1;
+        }
+        else {
+            re += c;
+            i += 1;
+        }
+    }
+    return new RegExp('^' + re + '$');
+}
+function toRelPosix(absPath, repoRoot) {
+    const normRoot = path.resolve(repoRoot);
+    const normPath = path.resolve(absPath);
+    const rel = path.relative(normRoot, normPath);
+    if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) {
+        return rel.startsWith('..') || path.isAbsolute(rel) ? null : rel;
+    }
+    return rel.split(path.sep).join('/');
+}
+export function isPathAllowed(absPath, repoRoot, allowlist) {
+    const rel = toRelPosix(absPath, repoRoot);
+    if (rel === null)
+        return false;
+    for (const pattern of allowlist) {
+        if (pattern === rel)
+            return true;
+        if (globToRegExp(pattern).test(rel))
+            return true;
+    }
+    return false;
+}
+const SHELL_OP_SPLIT = /\s*(?:&&|\|\||;|\|)\s*/;
+const ENV_ASSIGN = /^[A-Za-z_][A-Za-z0-9_]*=/;
+export function checkBashCommand(cmd, allowlist) {
+    const stages = cmd
+        .split(SHELL_OP_SPLIT)
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+    if (stages.length === 0) {
+        return { allowed: false, reason: 'empty command' };
+    }
+    for (const stage of stages) {
+        const tokens = stage.split(/\s+/);
+        let i = 0;
+        while (i < tokens.length && ENV_ASSIGN.test(tokens[i]))
+            i += 1;
+        const head = tokens[i];
+        if (!head) {
+            return { allowed: false, reason: `empty stage in command: '${stage}'` };
+        }
+        if (!allowlist.includes(head)) {
+            return { allowed: false, reason: `command '${head}' not in bash_allowlist` };
+        }
+    }
+    return { allowed: true };
+}
+export function verifyTouched(touchedPaths, repoRoot, allowlist) {
+    const violations = [];
+    for (const p of touchedPaths) {
+        const abs = path.isAbsolute(p) ? p : path.resolve(repoRoot, p);
+        if (!isPathAllowed(abs, repoRoot, allowlist)) {
+            violations.push(p);
+        }
+    }
+    return { ok: violations.length === 0, violations };
+}
+//# sourceMappingURL=constrained-edit.js.map