@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.1

package/dist/core/bash-classifier.js

@@ -1,1397 +0,0 @@
-/**
- * Bash command classifier — Sprint .
- *
- * Splits a shell command into a 7-class taxonomy so the permission
- * engine can apply class-aware policy instead of the prior bool gate
- * (`destructiveBashPatterns ? deny : ask`).
- *
- * Design notes:
- *  - The classifier is a conservative pattern matcher, not a full
- *    bash AST parser. M2 will replace it with a real parser (see
- *    bash-security.md §4). For M1 the rules are explicit-substring +
- *    simple tokenization, which is good enough to gate every command
- *    the engine loop currently emits.
- *  - Compound commands (`a && b`, `a || b`, `a ; b`, `a | b`) are
- *    split on the four separators and every component is classified
- *    individually. The overall class is the most dangerous component.
- *  - The `destructive` patterns originally lived in
- *    `permission.ts::destructiveBashPatterns`. They are now the
- *    single source of truth here; `permission.ts` re-exports the
- *    hard-deny check through `classifyBash`.
- *  - The `unknown` class fires on parse failure (`eval`, deep
- *    `$(...)` nesting, `curl | sh` install pipes) so the permission
- *    engine can fail closed in interactive modes.
- */
-/**
- * Class rank for worst-component reduction in compound commands.
- *
- * `unknown` ranks ABOVE `read` and `build_test` so that a chain like
- * `pwd && bash ./payload.sh` does not silently disarm the fail-closed
- * unknown gate when the worst-component loop reduces over the
- * components. The matrix in `permission.ts` treats `unknown` as
- * `deny` in `plan`/`dontAsk` and `ask` everywhere else; this rank
- * placement preserves that fail-closed posture for compounds while
- * still letting genuine `write_workspace`, `network`, `write_protected`
- * and `destructive` components win when they appear.
- *
- * Code Reviewer P0 retro: previously `unknown: 0` meant
- * `read` (rank 1) won over `unknown` (rank 0) in the worst-component
- * reduction. That bypassed the file-level promise of fail-closed on
- * parse failure.
- */
-const CLASS_RANK = {
-    destructive: 7,
-    write_protected: 6,
-    write_workspace: 5,
-    network: 4,
-    unknown: 3,
-    build_test: 2,
-    read: 1,
-};
-const DESTRUCTIVE_PATTERNS = [
-    // Filesystem wipe
-    { pattern: 'rm -rf /' },
-    { pattern: 'rm -rf ~' },
-    { pattern: 'rm -rf .' },
-    { pattern: 'rm -rf *' },
-    { pattern: 'rm -rf "/' },
-    { pattern: 'rm -rf "~' },
-    { pattern: 'rm -rf .git' },
-    { pattern: 'rm -r /' },
-    { pattern: 'rm -r ~' },
-    { pattern: 'rm -r .git' },
-    { pattern: 'sudo rm -rf' },
-    { pattern: 'sudo rm -r' },
-    { pattern: 'dd if=/dev/zero' },
-    { pattern: 'dd if=/dev/random' },
-    { pattern: 'dd of=/dev/' },
-    { pattern: 'mkfs' },
-    { pattern: 'shred ' },
-    { pattern: 'wipefs' },
-    { pattern: '> /dev/sda' },
-    { pattern: '> /dev/disk' },
-    // Permission wipe
-    { pattern: 'chmod 777 /' },
-    { pattern: 'chmod -R 777 /' },
-    { pattern: 'chmod -R 777 ~' },
-    { pattern: 'chown -R root /' },
-    { pattern: 'chown -R / ' },
-    // Shell tricks
-    { pattern: ':(){ :|:& };:' },
-    { pattern: 'eval "$' },
-    { pattern: "eval '$" },
-    // Git history loss
-    { pattern: 'git reset --hard' },
-    { pattern: 'git clean -fdx' },
-    { pattern: 'git push --force origin main' },
-    { pattern: 'git push -f origin main' },
-    { pattern: 'git push --force origin master' },
-    { pattern: 'git push -f origin master' },
-    { pattern: 'git push --force origin production' },
-    { pattern: 'git push -f origin production' },
-    // Container / infra
-    { pattern: 'docker system prune' },
-    { pattern: 'docker rm -f $(docker' },
-    { pattern: 'kubectl delete --all' },
-    { pattern: 'kubectl delete namespace' },
-    { pattern: 'terraform destroy' },
-    // SQL destructive (case-insensitive — model can emit any case).
-    { pattern: 'DROP DATABASE', caseInsensitive: true },
-    { pattern: 'DROP TABLE', caseInsensitive: true },
-    { pattern: 'TRUNCATE TABLE', caseInsensitive: true },
-    // Firewall / network
-    { pattern: 'ufw disable' },
-    { pattern: 'iptables -F' },
-    { pattern: 'iptables --flush' },
-    // Credential exfil
-    { pattern: 'cat ~/.ssh/id_rsa' },
-    { pattern: 'cat ~/.ssh/id_ed25519' },
-    { pattern: 'gpg --export-secret' },
-    // SSH config write paths (reads are OK; only redirections/tee block)
-    { pattern: '> sshd_config' },
-    { pattern: '>> sshd_config' },
-    { pattern: '> /etc/ssh/sshd_config' },
-    { pattern: '>> /etc/ssh/sshd_config' },
-    { pattern: 'tee sshd_config' },
-    { pattern: 'tee /etc/ssh/sshd_config' },
-    { pattern: 'tee -a sshd_config' },
-    { pattern: 'tee -a /etc/ssh/sshd_config' },
-    // History destruction
-    { pattern: 'history -c' },
-    { pattern: ' >/dev/null 2>&1; rm' },
-    // ---------------------------------------------------------------
-    // Patterns ported from external utility (Apache-2.0)
-    // and `safety-guard.sh` BLOCKED_PATTERNS array. Upstream source:
-    //  external hooks/destructive-guard.sh (lines 7-13)
-    //  external hooks/safety-guard.sh      (lines 14-50)
-    // 
-    //
-    // The patterns below need word-boundary matching because their
-    // tokens (kill, halt, reboot, ...) appear as substrings of common
-    // unrelated words (skills, default, chrooted-rebooter, etc.).
-    // Substring `.includes` cannot express that — `regex` is required.
-    // ---------------------------------------------------------------
-    // Process termination — `kill`, `pkill`, `killall` at command head
-    // or after `sudo`. Matches `kill 1234`, `kill -9 $$`, `sudo killall
-    // node`, but NOT `skill issue` (no leading boundary) or
-    // `git commit -m "skill kill story"` (the kill is inside a quoted
-    // string — quote-aware split handled upstream; here we still need
-    // the boundary). Anchored to start-of-component or `sudo ` prefix.
-    {
-        pattern: 'kill',
-        regex: /^(?:sudo\s+)?(?:pkill|killall|kill)\b/,
-    },
-    // System power state — reboot / shutdown / halt / poweroff / init 0
-    // / init 6. External tooling matches these anywhere in the command; we
-    // tighten to start-of-component or `sudo ` prefix to avoid FPs on
-    // file paths or variable names containing the substring.
-    {
-        pattern: 'reboot',
-        regex: /^(?:sudo\s+)?reboot\b/,
-    },
-    {
-        pattern: 'shutdown',
-        regex: /^(?:sudo\s+)?shutdown\b/,
-    },
-    {
-        pattern: 'halt',
-        regex: /^(?:sudo\s+)?halt\b/,
-    },
-    {
-        pattern: 'poweroff',
-        regex: /^(?:sudo\s+)?poweroff\b/,
-    },
-    {
-        pattern: 'init 0',
-        regex: /^(?:sudo\s+)?init\s+0\b/,
-    },
-    {
-        pattern: 'init 6',
-        regex: /^(?:sudo\s+)?init\s+6\b/,
-    },
-    // `git clean -f` (without -dx) — External tooling lists this as destructive
-    // because it still deletes untracked files. Pugi previously only
-    // gated `git clean -fdx`; broaden to any `-f` variant.
-    {
-        pattern: 'git clean -f',
-        regex: /\bgit\s+clean\s+-[A-Za-z]*f/,
-    },
-];
-/**
- * Compound separators. We split on `&&`, `||`, `;`, `|` to classify
- * each component, then pick the most dangerous. `&` (background fork)
- * is intentionally NOT a separator — backgrounding does not change
- * what runs, only when.
- */
-const COMPOUND_SEPARATORS = /\s*(?:&&|\|\||;|\|)\s*/;
-/**
- * Split a shell command on compound separators (`&&`, `||`, `;`, `|`)
- * while RESPECTING quoted strings (`'...'`, `"..."`, `` `...` ``) so
- * that script bodies passed to `awk`, `sed`, `perl`, `python -c` are
- * not mis-split when they contain bare `;` or `|` glyphs.
- *
- * Code Reviewer P0 retro: a naive regex split on
- * `awk 'BEGIN { for (i=0;i<5000;i++) ... }'` produces 3 components
- * (the awk script header + two for-loop fragments) that get
- * classified as `unknown` each and — with the unknown:3 rank above
- * read:1 — escalate the overall verdict to `unknown`, breaking
- * legitimate read-class scripts.
- */
-function splitCompoundRespectingQuotes(cmd) {
-    const out = [];
-    let buf = '';
-    let inSingle = false;
-    let inDouble = false;
-    let inBacktick = false;
-    for (let i = 0; i < cmd.length; i += 1) {
-        const ch = cmd[i];
-        const prev = i > 0 ? cmd[i - 1] : '';
-        if (ch === '\\') {
-            buf += ch;
-            if (i + 1 < cmd.length) {
-                buf += cmd[i + 1];
-                i += 1;
-            }
-            continue;
-        }
-        if (!inDouble && !inBacktick && ch === "'") {
-            inSingle = !inSingle;
-            buf += ch;
-            continue;
-        }
-        if (!inSingle && !inBacktick && ch === '"') {
-            inDouble = !inDouble;
-            buf += ch;
-            continue;
-        }
-        if (!inSingle && !inDouble && ch === '`') {
-            inBacktick = !inBacktick;
-            buf += ch;
-            continue;
-        }
-        if (!inSingle && !inDouble && !inBacktick) {
-            // `&&`
-            if (ch === '&' && cmd[i + 1] === '&') {
-                out.push(buf.trim());
-                buf = '';
-                i += 1;
-                continue;
-            }
-            // `||`
-            if (ch === '|' && cmd[i + 1] === '|') {
-                out.push(buf.trim());
-                buf = '';
-                i += 1;
-                continue;
-            }
-            // `;` (single semicolon, not part of `;;`)
-            if (ch === ';' && cmd[i + 1] !== ';' && prev !== ';') {
-                out.push(buf.trim());
-                buf = '';
-                continue;
-            }
-            // bare `|` (single pipe, not `||` and not `|&`)
-            if (ch === '|' && cmd[i + 1] !== '|' && cmd[i + 1] !== '&') {
-                out.push(buf.trim());
-                buf = '';
-                continue;
-            }
-        }
-        buf += ch;
-    }
-    const tail = buf.trim();
-    if (tail !== '')
-        out.push(tail);
-    return out.filter((s) => s !== '');
-}
-/** Network commands. */
-const NETWORK_TOKENS = new Set([
-    'curl',
-    'wget',
-    'ssh',
-    'scp',
-    'rsync',
-    'nc',
-    'netcat',
-]);
-const NETWORK_PREFIXES = [
-    'git clone',
-    'git fetch',
-    'git pull',
-    'git push',
-    'npm install',
-    'npm i ',
-    'npm ci',
-    'pnpm install',
-    'pnpm i ',
-    'pnpm add',
-    'yarn install',
-    'yarn add',
-    'pip install',
-    'pip3 install',
-    'brew install',
-    'brew upgrade',
-    'apt-get',
-    'apt install',
-    'yum install',
-    'dnf install',
-    'docker pull',
-    'docker push',
-    'cargo install',
-    'go get',
-    'go install',
-];
-/**
- * Build / test prefixes. These are common enough that the permission
- * engine grants them auto in `acceptEdits`/`auto` modes (the rule of
- * thumb is "ask first time, then allow rule" per bash-security.md §3).
- *
- * IMPORTANT: every prefix here must NOT also match a network installer
- * (we handle `npm install` / `pnpm install` before this list).
- */
-const BUILD_TEST_PREFIXES = [
-    'pnpm test',
-    'pnpm build',
-    'pnpm typecheck',
-    'pnpm lint',
-    'pnpm run test',
-    'pnpm run build',
-    'pnpm run typecheck',
-    'pnpm run lint',
-    'npm test',
-    'npm run build',
-    'npm run lint',
-    'npm run typecheck',
-    'npm run test',
-    'yarn test',
-    'yarn build',
-    'yarn lint',
-    'cargo test',
-    'cargo build',
-    'cargo check',
-    'go test',
-    'go build',
-    'go vet',
-    'pytest',
-    'jest',
-    'vitest',
-    'make test',
-    'make build',
-    'make check',
-    'mvn test',
-    'mvn package',
-    'gradle test',
-    'gradle build',
-    'tsc --noEmit',
-    'tsc -p',
-    'eslint',
-    'prettier --check',
-    // P0 fix (#37 CRITICAL): customer-blocking gap surfaced
-    // during dogfood. Engine emitted `chmod +x build.sh`, `node script.js`,
-    // `python3 -m pytest`, `git status`, `pnpm build`, `docker ps`, etc.
-    // and the classifier returned `unknown` → permission matrix denied
-    // в bypassPermissions mode (which the customer expected to auto-allow
-    // basic dev tools). Customers could not run ANY real build/test/git
-    // workflow through Pugi.
-    //
-    // The prefixes below cover three classes of developer tooling that
-    // are always allowed in `auto`/`dontAsk`/`bypassPermissions` modes,
-    // `ask` in interactive modes, and `deny` in `plan` (read-only) mode:
-    //  - Language runtimes: `node`, `python`, `python3`, `ruby`, etc.
-    //  - Native build chains: `gcc`, `clang`, `cmake`, `rustc`, etc.
-    //  - Container/k8s read-class: `docker ps/inspect/logs`, `kubectl get`.
-    //
-    // Destructive variants are already gated upstream by DESTRUCTIVE_PATTERNS
-    // (e.g. `docker system prune`, `kubectl delete --all`). The first-token
-    // gate in classifyComponent runs THIS list before the unknown fallback.
-    //
-    // Language runtime invocations (first-token match, with or without args).
-    'node',
-    'python',
-    'python3',
-    'ruby',
-    'perl',
-    'php',
-    'deno',
-    'bun',
-    'tsx',
-    'ts-node',
-    // Native build chains.
-    'gcc',
-    'g++',
-    'clang',
-    'clang++',
-    'cmake',
-    'rustc',
-    'javac',
-    'java',
-    // Container/k8s read-class (the destructive subcommands are pre-empted
-    // by DESTRUCTIVE_PATTERNS: `docker system prune`, `kubectl delete --all`,
-    // `kubectl delete namespace`).
-    'docker ps',
-    'docker images',
-    'docker inspect',
-    'docker logs',
-    'docker version',
-    'docker info',
-    'docker exec',
-    'docker run',
-    'docker stop',
-    'docker start',
-    'docker restart',
-    'docker rm',
-    'docker rmi',
-    'docker build',
-    'docker tag',
-    'docker compose',
-    'docker-compose',
-    'kubectl get',
-    'kubectl describe',
-    'kubectl logs',
-    'kubectl exec',
-    'kubectl apply',
-    'kubectl create',
-    'kubectl rollout',
-    'kubectl port-forward',
-    'kubectl config',
-    // Git read+write surface (network ops already handled by NETWORK_PREFIXES;
-    // destructive ops `reset --hard`/`clean -fdx`/`push --force` blocked above).
-    // Note: WRITE_WORKSPACE_PREFIXES already covers `git commit/add/checkout/...`.
-    // These entries handle plain `git rev-list`, `git cherry-pick`, `git worktree`,
-    // `git submodule`, etc that customer scripts commonly invoke.
-    'git rev-list',
-    'git cherry-pick',
-    'git worktree',
-    'git submodule',
-    'git blame',
-    'git describe',
-    'git tag --list',
-    'git tag -l',
-    'git for-each-ref',
-    'git ls-remote',
-    // gh CLI (GitHub). `gh repo delete` / `gh release delete` reach into
-    // network operations but are non-destructive for the local workspace.
-    // Permission matrix asks before allowing in auto.
-    'gh',
-];
-/** Single-token read-only commands. Argument-free entries match exact. */
-const READ_TOKENS = new Set([
-    'pwd',
-    'ls',
-    'cat',
-    'head',
-    'tail',
-    'wc',
-    'which',
-    'whereis',
-    'file',
-    'stat',
-    'du',
-    'df',
-    'echo',
-    'printenv',
-    'env',
-    'date',
-    'uname',
-    'hostname',
-    'id',
-    'whoami',
-    'true',
-    'false',
-    'basename',
-    'dirname',
-    'realpath',
-    // `sleep` has no FS/network/proc impact beyond a timer; treated as
-    // read so background jobs can use it without tripping the unknown
-    // gate. Same logic for the no-op coreutils below.
-    'sleep',
-    'yes',
-    'seq',
-    'tr',
-    'cut',
-    'sort',
-    'uniq',
-    // P0 fix (#37 CRITICAL): structured-data inspection tools
-    // are pure stdin/stdout transformers (no FS write, no network) when
-    // не paired с `>` redirection (the redirection branch above promotes
-    // к write_workspace independently). Common в dev scripts for parsing
-    // package.json, tsconfig.json, Helm values.yaml, etc.
-    // `tee` is INTENTIONALLY excluded — it writes by definition, even
-    // в protected paths (`tee /etc/...` is already in DESTRUCTIVE_PATTERNS).
-    'jq',
-    'yq',
-    'column',
-]);
-const READ_PREFIXES = [
-    'git status',
-    'git log',
-    'git diff',
-    'git show',
-    'git branch',
-    'git remote',
-    'git rev-parse',
-    'git ls-files',
-    'git config --get',
-    'less ',
-    'more ',
-    'grep ',
-    'rg ',
-    'fd ',
-    'tree',
-];
-/** Write_workspace prefixes. Destination boundary is checked separately. */
-const WRITE_WORKSPACE_PREFIXES = [
-    'mkdir',
-    'touch',
-    'cp ',
-    'mv ',
-    'ln ',
-    'git commit',
-    'git add',
-    'git checkout',
-    'git switch',
-    'git restore',
-    'git stash',
-    'git tag',
-    'git rebase',
-    'git merge',
-    // P0 fix (#37 CRITICAL): file-permission ops are common
-    // в build scripts (`chmod +x build.sh`, `chown $USER file`). The
-    // destructive variants (`chmod 777 /`, `chmod -R 777 /`, `chmod -R
-    // 777 ~`, `chown -R root /`, `chown -R / ...`) are pre-empted by
-    // DESTRUCTIVE_PATTERNS which runs BEFORE this list — safe to add
-    // here for the non-destructive path. detectProtectedWrite's `\bchmod\b`
-    // / `\bchown\b` regex also catches writes into protected paths
-    // regardless of this list.
-    'chmod ',
-    'chown ',
-];
-/**
- * Protected-write triggers. If a command writes to any of these paths
- * the class is `write_protected` regardless of the operation type.
- *
- * Wildcards are handled as substring matches (e.g. `/.ssh/` matches
- * `~/.ssh/foo` and `[HOME]/USER/.ssh/bar`).
- */
-const PROTECTED_PATH_SUBSTRINGS = [
-    '/.ssh/',
-    '/.aws/',
-    '/.gnupg/',
-    '/.config/',
-    '~/.ssh/',
-    '~/.aws/',
-    '~/.gnupg/',
-    '~/.config/',
-    '~/.npmrc',
-    '~/.pypirc',
-    '~/.bashrc',
-    '~/.zshrc',
-    '~/.profile',
-    '~/.bash_profile',
-    '/etc/',
-    '/usr/',
-    '/var/',
-];
-/**
- * Protected basename triggers — files whose CONTENT must never leak
- * through the bash surface, even when the literal path is workspace-
- * local. Mirrors `permission.ts::protectedBasenames` and `.env.*`
- * pattern so the read-tool gate (which fires on `read .env`) and the
- * bash gate (which fires on `cat .env`) stay symmetric.
- *
- * P0 fix (Codex audit): before this list existed, the
- * engine model could circumvent the `read` tool's `protectedTargetReason`
- * check by emitting `bash cat .env` — the classifier saw `cat` (read
- * token) + `.env` (not in PROTECTED_PATH_SUBSTRINGS) and returned class
- * `read`, which the permission matrix allows under every mode. The
- * `local-first-invariants` spec proved the leak: `pugi explain .env`
- * surfaced `SECRET=should_never_leak` in the engine summary.
- *
- * Match shape: the substring must touch a `.` boundary (`/.env`,
- * ` .env`, `.env\b`) or appear as the full token so a path like
- * `apps/codeforge/file.env-template` (no real secret) does not
- * over-trigger.
- */
-const PROTECTED_BASENAME_PATTERNS = [
-    // `.env`, `.env.production`, `.env.local` — anywhere in the command.
-    // Boundary on the left is start/whitespace/quote/`/`, on the right
-    // start/whitespace/end/quote/`>`/`|`/`;`.
-    /(^|[\s'"\/=])\.env(\.[A-Za-z0-9_-]+)?($|[\s'"<>|;&])/,
-    // SSH key basenames (covers both `id_rsa` and `id_ed25519` even
-    // outside `~/.ssh/`). The `/.ssh/` substring above gates the
-    // directory case; this catches a key file copied to the workspace.
-    /(^|[\s'"\/])id_(rsa|ed25519|ecdsa|dsa)(\.pub)?($|[\s'"<>|;&])/,
-    // Other credential basenames mirrored from permission.ts.
-    /(^|[\s'"\/])\.npmrc($|[\s'"<>|;&])/,
-    /(^|[\s'"\/])\.pypirc($|[\s'"<>|;&])/,
-    /(^|[\s'"\/])\.gitconfig($|[\s'"<>|;&])/,
-];
-/**
- * Obfuscation triggers — any of these forces the `unknown` class so
- * the permission engine can fail closed.
- */
-const OBFUSCATION_TRIGGERS = [
-    { needle: 'curl', reason: 'curl piped into shell installer' },
-    { needle: 'wget', reason: 'wget piped into shell installer' },
-];
-/**
- * Classify a single (non-compound) command component.
- *
- * Order of checks (most-specific first):
- *  1. destructive substring (hard deny path)
- *  2. obfuscation (curl|sh, deep $() nesting, raw eval)
- *  3. cd-escape (covered by classifyBash for the overall command;
- *     single-component cd is handled here too)
- *  4. protected-write (redirection or write op into a protected path)
- *  5. write_workspace (mkdir/touch/cp/mv/git-write etc)
- *  6. network (curl/wget/ssh/installers)
- *  7. build_test (pnpm test, cargo build, ...)
- *  8. read (pwd, ls, cat, ...)
- *  9. unknown (default)
- */
-function classifyComponent(cmd, ctx) {
-    const trimmed = cmd.trim();
-    if (trimmed === '') {
-        return { class: 'unknown', reason: 'empty component', matched: '' };
-    }
-    // 1. Destructive hard-deny patterns.
-    const destructive = findDestructiveMatch(trimmed);
-    if (destructive) {
-        return {
-            class: 'destructive',
-            reason: `Destructive command pattern matched: ${destructive}`,
-            matched: destructive,
-        };
-    }
-    // 2. Obfuscation — curl|sh, wget|bash, deep $() nesting, raw eval.
-    const obfuscation = detectObfuscation(trimmed);
-    if (obfuscation) {
-        return {
-            class: 'unknown',
-            reason: obfuscation.reason,
-            matched: obfuscation.matched,
-        };
-    }
-    // 3. find with -delete / -exec is destructive-adjacent.
-    if (/\bfind\b[^|;]*\s-(?:delete|exec\b)/.test(trimmed)) {
-        return {
-            class: 'destructive',
-            reason: 'find with -delete or -exec is treated as destructive',
-            matched: 'find ... -delete|-exec',
-        };
-    }
-    // 4. Protected-write check (redirection OR write op into protected path).
-    const protectedWrite = detectProtectedWrite(trimmed, ctx);
-    if (protectedWrite) {
-        return {
-            class: 'write_protected',
-            reason: protectedWrite.reason,
-            matched: protectedWrite.matched,
-        };
-    }
-    // 4a. Protected-read check. Reads from credential / config paths
-    // (`cat ~/.aws/credentials`, `head ~/.npmrc`, `grep . ~/.ssh/id_ed25519`,
-    // `tail -f ~/.bash_history`) classify as `write_protected` so the
-    // permission matrix gates them in plan/dontAsk and asks elsewhere.
-    // The hard-coded DESTRUCTIVE entries for `cat ~/.ssh/id_rsa` /
-    // `cat ~/.ssh/id_ed25519` still win when matched (they run before
-    // this check).
-    //
-    // Code Reviewer P0 retro: previously these reads fell
-    // through to READ_TOKENS and were allowed in every mode.
-    const protectedRead = detectProtectedRead(trimmed);
-    if (protectedRead) {
-        return {
-            class: 'write_protected',
-            reason: protectedRead.reason,
-            matched: protectedRead.matched,
-        };
-    }
-    // 4a-bis. Parent-traversal in read arguments. The file-tools layer
-    // refuses `..` segments via `resolveWorkspacePath`, but the bash
-    // surface had no equivalent gate — the engine could emit
-    // `cat ../README.md` or `ls ..` to enumerate / read outside the
-    // workspace, sidestepping the path-security check that the `read`
-    // and `glob` tools enforce.
-    //
-    // P0 fix (Codex audit): treat `..` as a path segment
-    // (`../`, ` ..`, `..\n`) in any read-class command as a workspace
-    // escape. We classify it as `write_protected` so the auto/dontAsk
-    // modes refuse, mirroring the `Path escapes workspace` semantics
-    // the file-tools layer already provides.
-    const traversal = detectParentTraversalRead(trimmed);
-    if (traversal) {
-        return {
-            class: 'write_protected',
-            reason: traversal.reason,
-            matched: traversal.matched,
-        };
-    }
-    // 4b. .env writes are always protected, even inside the workspace
-    // (CEO directive feedback_never_delete_untracked_env.md).
-    const envWrite = detectEnvWrite(trimmed);
-    if (envWrite) {
-        return {
-            class: 'write_protected',
-            reason: envWrite.reason,
-            matched: envWrite.matched,
-        };
-    }
-    // 5. Write_workspace ops (mkdir / touch / cp / mv / git commit / etc).
-    for (const prefix of WRITE_WORKSPACE_PREFIXES) {
-        if (trimmed.startsWith(prefix)) {
-            return {
-                class: 'write_workspace',
-                reason: `Workspace write op: ${prefix.trim()}`,
-                matched: prefix.trim(),
-            };
-        }
-    }
-    // 5b. Shell redirection (`>`/`>>`) without a protected target →
-    // workspace write. Pipes (`|`) are not redirections. The regex
-    // allows optional whitespace around `>` (catches `>file`, `> file`,
-    // `>>file`, `>> file`) and skips file-descriptor redirects
-    // (`>&1`, `2>&1`, `>&2`).
-    if (/(^|[^0-9&])>>?\s*[^&\s|;<>]/.test(trimmed) &&
-        !trimmed.includes('/dev/null')) {
-        return {
-            class: 'write_workspace',
-            reason: 'Shell redirection into a workspace target',
-            matched: '>',
-        };
-    }
-    // 6. Network commands.
-    const network = detectNetwork(trimmed);
-    if (network) {
-        return {
-            class: 'network',
-            reason: network.reason,
-            matched: network.matched,
-        };
-    }
-    // 7. Build/test runners.
-    for (const prefix of BUILD_TEST_PREFIXES) {
-        if (trimmed === prefix || trimmed.startsWith(`${prefix} `)) {
-            return {
-                class: 'build_test',
-                reason: `Build/test runner: ${prefix}`,
-                matched: prefix,
-            };
-        }
-    }
-    // 7b. Bare `make` (no subcommand) is build-class.
-    if (trimmed === 'make' || trimmed.startsWith('make ')) {
-        return { class: 'build_test', reason: 'make runner', matched: 'make' };
-    }
-    // 7c. Operator-override safe tokens (P0 fix #37).
-    // `PUGI_CLASSIFIER_EXTRA_SAFE=tool1,tool2,...` extends the BUILD_TEST
-    // first-token list at runtime. This is a security-sensitive escape
-    // hatch — operators can add their custom build tools without a
-    // recompile. Destructive patterns ALREADY ran above (step 1) so this
-    // cannot whitelist `rm`, `mkfs`, `git push --force`, etc. The match
-    // is strict first-token equality — not substring — and the env var
-    // is read fresh on every classify call so tests can mutate it.
-    const extraSafe = readExtraSafeTokens();
-    if (extraSafe.size > 0) {
-        const firstTokenForExtraSafe = trimmed.split(/\s+/)[0] ?? '';
-        if (extraSafe.has(firstTokenForExtraSafe)) {
-            return {
-                class: 'build_test',
-                reason: `PUGI_CLASSIFIER_EXTRA_SAFE override: ${firstTokenForExtraSafe}`,
-                matched: firstTokenForExtraSafe,
-            };
-        }
-    }
-    // 7c. Bare `cd <path>` (inside workspace — the cwd-escape detector
-    // upgrades the class to write_protected when the target is
-    // outside). Standalone `cd` (HOME) is escape, also handled by the
-    // cwd-escape detector.
-    if (/^cd(\s+\S+)?\s*$/.test(trimmed)) {
-        return { class: 'read', reason: 'cd inside workspace', matched: 'cd' };
-    }
-    // 8. Read-only commands.
-    const firstToken = trimmed.split(/\s+/)[0] ?? '';
-    if (READ_TOKENS.has(firstToken)) {
-        // `sed` and `awk` are allowed only without `>` (already gated by
-        // step 5b above) — they fall through to here when they are pure
-        // reads. We list them explicitly for clarity even though set
-        // membership is the source of truth.
-        return { class: 'read', reason: `Read-only command: ${firstToken}`, matched: firstToken };
-    }
-    for (const prefix of READ_PREFIXES) {
-        if (trimmed === prefix.trim() || trimmed.startsWith(prefix)) {
-            return {
-                class: 'read',
-                reason: `Read-only command: ${prefix.trim()}`,
-                matched: prefix.trim(),
-            };
-        }
-    }
-    // sed/awk: read-only when no `>` redirect (the redirect branch above
-    // catches the write case).
-    if (firstToken === 'sed' || firstToken === 'awk') {
-        return { class: 'read', reason: `Stream editor as read: ${firstToken}`, matched: firstToken };
-    }
-    // `find` without -delete / -exec is a read.
-    if (firstToken === 'find') {
-        return { class: 'read', reason: 'find (no -delete/-exec)', matched: 'find' };
-    }
-    // 9. Default: unknown.
-    return {
-        class: 'unknown',
-        reason: `Unrecognized command: ${firstToken || trimmed}`,
-        matched: firstToken || trimmed,
-    };
-}
-function findDestructiveMatch(cmd) {
-    const upper = cmd.toUpperCase();
-    for (const { pattern, caseInsensitive, regex } of DESTRUCTIVE_PATTERNS) {
-        if (regex) {
-            // Word-boundary regex form (external-derived patterns). Match
-            // against the trimmed component so `^` anchors to command head,
-            // not surrounding whitespace from the compound split.
-            if (regex.test(cmd.trim()))
-                return pattern;
-            continue;
-        }
-        if (caseInsensitive) {
-            if (upper.includes(pattern))
-                return pattern;
-        }
-        else if (cmd.includes(pattern)) {
-            return pattern;
-        }
-    }
-    return null;
-}
-function detectObfuscation(cmd) {
-    // Raw `eval` with shell expansion. (`eval "$VAR"` is already in
-    // DESTRUCTIVE_PATTERNS — this catches the more general case of
-    // `eval $(...)`, `eval `...``, etc.)
-    if (/(^|\s)eval\s+[`$"']/.test(cmd)) {
-        return { reason: 'eval with shell expansion is treated as unknown', matched: 'eval' };
-    }
-    // `bash -c '...base64-decoded...'` — base64-decoded payloads are
-    // a common obfuscation. We trigger on the substring `base64 -d`
-    // anywhere in the command.
-    if (/\bbase64\s+-d\b/.test(cmd) || /\bbase64\s+--decode\b/.test(cmd)) {
-        return { reason: 'base64 decode pipeline is treated as unknown', matched: 'base64 -d' };
-    }
-    // Deep nested `$(...)` — more than 3 levels of nesting is treated
-    // as obfuscation.
-    if (nestingDepth(cmd, '$(', ')') > 3) {
-        return { reason: 'deeply nested command substitution', matched: '$(...)' };
-    }
-    if (nestingDepth(cmd, '`', '`') > 3) {
-        return { reason: 'deeply nested backtick substitution', matched: '`...`' };
-    }
-    // `curl ... | sh`, `wget ... | bash` — remote installer pipe.
-    // We require the entire command (including pipes) to contain both
-    // the network fetcher and the shell receiver.
-    for (const trigger of OBFUSCATION_TRIGGERS) {
-        if (cmd.includes(trigger.needle) && /\|\s*(?:sh|bash|zsh|fish)\b/.test(cmd)) {
-            return {
-                reason: `${trigger.reason}: ${trigger.needle} | <shell>`,
-                matched: `${trigger.needle} | sh`,
-            };
-        }
-    }
-    return null;
-}
-function nestingDepth(cmd, open, close) {
-    if (open === close) {
-        // Backtick pair — count occurrences / 2 for matched pairs and
-        // approximate "depth" as `pairs > 3` triggers.
-        const count = (cmd.match(new RegExp(escapeRegex(open), 'g')) ?? []).length;
-        return Math.floor(count / 2);
-    }
-    let depth = 0;
-    let max = 0;
-    for (let i = 0; i < cmd.length; i += 1) {
-        if (cmd.startsWith(open, i)) {
-            depth += 1;
-            max = Math.max(max, depth);
-            i += open.length - 1;
-        }
-        else if (cmd.startsWith(close, i) && depth > 0) {
-            depth -= 1;
-        }
-    }
-    return max;
-}
-function escapeRegex(s) {
-    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-/**
- * Operator-override safe tokens. Read from `PUGI_CLASSIFIER_EXTRA_SAFE`
- * (comma-separated). Allows operators to extend the BUILD_TEST first-
- * token list at runtime for site-specific tooling без recompile.
- *
- * Security note: destructive substring patterns run BEFORE this gate
- * (step 1 in classifyComponent), so this cannot whitelist `rm`, `mkfs`,
- * `git push --force`, etc. The env var only adds tools to the benign
- * build_test class. Invalid entries (empty strings, тokens containing
- * shell metas) are silently dropped to avoid surprising classifications.
- *
- * Read fresh on every call so per-test mutations work и so operators
- * can update without restarting the agent loop. The cost (one env var
- * read + Set construction per call) is negligible for the classifier's
- * call frequency.
- */
-function readExtraSafeTokens() {
-    const raw = process.env.PUGI_CLASSIFIER_EXTRA_SAFE;
-    if (!raw || raw.trim() === '')
-        return new Set();
-    const tokens = new Set();
-    for (const candidate of raw.split(',')) {
-        const trimmed = candidate.trim();
-        if (trimmed === '')
-            continue;
-        // Reject anything containing shell metas or whitespace — only bare
-        // tool names allowed. Defends against accidental
-        // `PUGI_CLASSIFIER_EXTRA_SAFE='rm -rf /'` smuggling.
-        if (/[\s;|&<>$`(){}\[\]'"\\]/.test(trimmed))
-            continue;
-        tokens.add(trimmed);
-    }
-    return tokens;
-}
-function detectProtectedWrite(cmd, ctx) {
-    // Surface every write target this command produces so we can both
-    // protected-path-check and outside-workspace-check them uniformly.
-    // Captures `sort -o`, `uniq <in> <out>`, `sed -i` files, `awk '... > "file"'`,
-    // and `>` / `>>` redirections without surrounding whitespace.
-    const writeTargets = extractWriteTargets(cmd);
-    // Strip heredoc bodies before substring scan. Heredoc payloads are
-    // DATA (file contents the script writes), not commands the shell
-    // executes — a `package.json` body containing `/usr/local/bin/...`
-    // would FP as "Write into protected path: /usr/" under the broad
-    // includes() scan below. The per-target check at the bottom of this
-    // function still catches real `cat > /usr/file << EOF` attempts
-    // because extractWriteTargets reads the redirection target, not the
-    // heredoc body. CEO dogfood (#28 follow-up).
-    const cmdForScan = stripHeredocBodies(cmd);
-    for (const needle of PROTECTED_PATH_SUBSTRINGS) {
-        if (!cmdForScan.includes(needle))
-            continue;
-        // Reading from a protected path is allowed at the classifier
-        // layer (the permission engine still gates `read`); writing is
-        // the trigger here. We say it is a write if any of: `>`, `>>`,
-        // `tee`, `cp`, `mv`, `mkdir`, `touch`, `chmod`, `chown`,
-        // `ln`, `rm`, `rsync`, `scp` appears in the same component, or
-        // if any of the structured write targets (sort -o, uniq two-arg,
-        // sed -i, awk-redirect) was extracted above.
-        if (writeTargets.length > 0 ||
-            /(^|\s)>>?\s*\S/.test(cmd) ||
-            /\btee\b/.test(cmd) ||
-            /\bcp\b/.test(cmd) ||
-            /\bmv\b/.test(cmd) ||
-            /\bmkdir\b/.test(cmd) ||
-            /\btouch\b/.test(cmd) ||
-            /\bchmod\b/.test(cmd) ||
-            /\bchown\b/.test(cmd) ||
-            /\bln\b/.test(cmd) ||
-            /\brm\b/.test(cmd) ||
-            /\brsync\b/.test(cmd) ||
-            /\bscp\b/.test(cmd)) {
-            return {
-                reason: `Write into protected path: ${needle}`,
-                matched: needle,
-            };
-        }
-    }
-    // Per-target protected-path / outside-workspace check. Catches both
-    // `sort -o ~/.ssh/config` and `echo x > /tmp/other` even when the
-    // target was not a substring of the raw command (e.g. quoted paths).
-    for (const target of writeTargets) {
-        for (const needle of PROTECTED_PATH_SUBSTRINGS) {
-            if (target.includes(needle)) {
-                return {
-                    reason: `Write into protected path: ${needle}`,
-                    matched: target,
-                };
-            }
-        }
-        if (looksAbsoluteOutsideWorkspace(target, ctx)) {
-            return {
-                reason: `Write target outside workspace: ${target}`,
-                matched: target,
-            };
-        }
-    }
-    return null;
-}
-/**
- * Extract every write-target path the command produces. Covers:
- *  - shell redirection `> file`, `>> file` (with optional whitespace,
- *    skipping `>&1`, `>&2`, etc.)
- *  - `sort -o file`
- *  - `uniq <input> <output>` (the two-arg form)
- *  - `sed -i <file>...` (in-place edit treats every trailing file as a
- *    write target)
- *  - `awk '... > "file"'` (quoted redirection inside an awk script)
- *
- * Conservative — we do not try to resolve shell vars or globs; the
- * caller still gates absolute paths via `looksAbsoluteOutsideWorkspace`.
- */
-/**
- * Strip heredoc bodies so substring scans (e.g. `cmd.includes('/usr/')`)
- * do not false-positive on file content the script is *writing*. A
- * heredoc starts с `<< 'WORD'` (or `<< WORD` / `<<-WORD`) and ends на a
- * line containing only WORD. The body between is DATA, not commands.
- *
- * Best-effort: handles single-heredoc-per-command (the common case)
- * AND multiple sequential heredocs. Nested heredocs (heredoc-inside-
- * heredoc) are rare and out of scope — the substring scan still gates
- * the outer command, just без stripping the nested body. Per-target
- * detection at detectProtectedWrite's tail loop catches real
- * `cat > /usr/file << EOF` attacks regardless of body content.
- *
- * CEO dogfood : `cat > package.json << 'EOF'\n{"bin":
- * "/usr/local/bin/foo"}\nEOF` was rejected as "Write into protected
- * path: /usr/" because the broad substring scan saw `/usr/` in the
- * JSON body. With heredoc-body stripping, the scan now sees only
- * `cat > package.json << 'EOF' EOF` which contains no protected path.
- */
-function stripHeredocBodies(cmd) {
-    // Match `<< [-]'WORD'` or `<< [-]"WORD"` or `<< [-]WORD` (quoted form
-    // disables variable expansion in real bash; we treat all three the
-    // same for stripping). Capture the WORD so we can find the close
-    // marker.
-    const heredocStart = /<<-?\s*(['"]?)([A-Za-z_][A-Za-z0-9_]*)\1/g;
-    let out = cmd;
-    let safetyLoops = 0;
-    let match;
-    while ((match = heredocStart.exec(out)) !== null) {
-        if (++safetyLoops > 16)
-            break;
-        const word = match[2];
-        if (!word)
-            continue;
-        const headEnd = match.index + match[0].length;
-        // Find the close-marker line: `\n<optional indent>WORD<\n|$>`.
-        const closeRegex = new RegExp(`\\n\\s*${word}(?:\\n|$)`);
-        closeRegex.lastIndex = headEnd;
-        const closeMatch = closeRegex.exec(out.slice(headEnd));
-        if (!closeMatch)
-            break;
-        const closeStart = headEnd + closeMatch.index;
-        const closeEnd = closeStart + closeMatch[0].length;
-        // Replace heredoc body + close marker с single space so the regex
-        // iterator's lastIndex stays meaningful.
-        out = out.slice(0, headEnd) + ' ' + out.slice(closeEnd);
-        heredocStart.lastIndex = headEnd + 1;
-    }
-    return out;
-}
-function extractWriteTargets(cmd) {
-    const targets = [];
-    // Shell redirection (`>`, `>>`) with optional whitespace. Skip
-    // file-descriptor redirects (`>&1`, `>&2`, `2>&1`).
-    const redirRegex = /(^|[^0-9&])>>?\s*([^\s|;&<>]+)/g;
-    let match;
-    while ((match = redirRegex.exec(cmd)) !== null) {
-        const candidate = match[2];
-        if (!candidate || candidate.startsWith('&'))
-            continue;
-        if (candidate === '/dev/null')
-            continue;
-        targets.push(stripQuotes(candidate));
-    }
-    // sort -o <file>
-    const sortMatch = cmd.match(/\bsort\b[^|;]*\s-o\s+(\S+)/);
-    if (sortMatch && sortMatch[1]) {
-        targets.push(stripQuotes(sortMatch[1]));
-    }
-    // uniq <input> <output> (two-arg form). Three-arg uniq does not exist
-    // in POSIX, so the second non-flag arg is the output file.
-    const uniqMatch = cmd.match(/\buniq\b(?:\s+-[^\s]+)*\s+(\S+)\s+(\S+)/);
-    if (uniqMatch && uniqMatch[2] && !uniqMatch[2].startsWith('-')) {
-        targets.push(stripQuotes(uniqMatch[2]));
-    }
-    // sed -i [SUFFIX] <expr> <file>... — every trailing positional is a
-    // write target. We capture the tail after `-i` and treat each
-    // whitespace-delimited token that is not a flag as a target.
-    const sedMatch = cmd.match(/\bsed\b[^|;]*\s-i\b([^|;]*)/);
-    if (sedMatch && sedMatch[1]) {
-        const tail = sedMatch[1].trim().split(/\s+/);
-        for (const token of tail) {
-            if (token === '' || token.startsWith('-'))
-                continue;
-            if (token.startsWith("'") || token.startsWith('"'))
-                continue;
-            targets.push(stripQuotes(token));
-        }
-    }
-    // awk '... > "file"' or awk "... > \"file\""
-    const awkQuoteRegex = /\bawk\b[^|;]*?['"][^'"]*?>\s*['"]([^'"]+)['"]/g;
-    while ((match = awkQuoteRegex.exec(cmd)) !== null) {
-        if (match[1])
-            targets.push(stripQuotes(match[1]));
-    }
-    return targets;
-}
-function stripQuotes(s) {
-    return s.replace(/^["']|["']$/g, '');
-}
-/**
- * Detect READ operations targeted at protected paths. Runs after
- * `detectProtectedWrite` and before the READ_TOKENS fallback. The leading
- * token must be in READ_TOKENS so that we do not double-flag writes
- * (which `detectProtectedWrite` already covers).
- *
- * Re-uses the `write_protected` class to keep the permission matrix
- * simple — the matrix already gates that class as deny in plan/dontAsk
- * and ask elsewhere, which is the intended fail-closed posture for
- * unrestricted credential reads.
- */
-const READ_PREFIX_TOKENS = new Set(['grep', 'rg', 'less', 'more', 'fd', 'tree']);
-function detectProtectedRead(cmd) {
-    const firstToken = cmd.split(/\s+/)[0] ?? '';
-    const isReadTool = READ_TOKENS.has(firstToken) ||
-        READ_PREFIX_TOKENS.has(firstToken) ||
-        firstToken === 'sed' ||
-        firstToken === 'awk' ||
-        firstToken === 'find';
-    if (!isReadTool)
-        return null;
-    // Strip heredoc bodies so `cat > config << 'EOF'\n... /etc/... \nEOF`
-    // does not FP as "Read from protected path" when first-token=`cat` +
-    // redirection writes к workspace-local file. Heredoc payload is data.
-    // CEO dogfood .
-    const cmdForScan = stripHeredocBodies(cmd);
-    for (const needle of PROTECTED_PATH_SUBSTRINGS) {
-        if (cmdForScan.includes(needle)) {
-            return {
-                reason: `Read from protected path: ${needle}`,
-                matched: needle,
-            };
-        }
-    }
-    // P0 fix: extend protected-read detection to credential
-    // basenames (`cat .env`, `head id_rsa`, `grep TOKEN .env.production`).
-    // Without this branch, the engine model can bypass the `read` tool's
-    // `protectedTargetReason` gate by emitting a bash `cat` — the read
-    // tool refuses, the model falls back to bash, and the classifier
-    // (which only knew about full-path substrings) classified `cat .env`
-    // as benign `read`. The `local-first-invariants` spec proved the leak.
-    for (const pattern of PROTECTED_BASENAME_PATTERNS) {
-        const match = cmd.match(pattern);
-        if (match) {
-            return {
-                reason: `Read from protected basename: ${match[0].trim()}`,
-                matched: match[0].trim(),
-            };
-        }
-    }
-    return null;
-}
-/**
- * Detect parent-traversal segments (`..`) inside read-class commands.
- * The file-tools layer (`resolveWorkspacePath`) refuses these for the
- * `read`/`glob`/`grep` tools, but bash had no equivalent gate. We
- * trigger on the SAME shape `path-security.ts` rejects: a `..` segment
- * separated by `/` or whitespace. Quoted/escaped variants get the same
- * treatment.
- *
- * Returns null on the safe path (no `..` segment) so the caller falls
- * through to the regular read classification.
- */
-function detectParentTraversalRead(cmd) {
-    const firstToken = cmd.split(/\s+/)[0] ?? '';
-    const isReadTool = READ_TOKENS.has(firstToken) ||
-        READ_PREFIX_TOKENS.has(firstToken) ||
-        firstToken === 'sed' ||
-        firstToken === 'awk' ||
-        firstToken === 'find';
-    if (!isReadTool)
-        return null;
-    // Match `..` as a path segment: preceded by start/whitespace/quote/`/`
-    // and followed by `/`, end-of-string, whitespace, or shell metas.
-    // Avoids over-matching `v1..v2` (range syntax inside a single token)
-    // and `1..5` (numeric ranges) because those lack the path boundary.
-    const traversalPattern = /(^|[\s'"\/])\.\.(\/|$|[\s'"<>|;&])/;
-    const m = cmd.match(traversalPattern);
-    if (m) {
-        return {
-            reason: 'Read command escapes workspace via parent traversal',
-            matched: '..',
-        };
-    }
-    // Absolute path read of /etc, /usr, /var, etc is already covered by
-    // PROTECTED_PATH_SUBSTRINGS in detectProtectedRead — no extra branch
-    // needed here.
-    return null;
-}
-function detectEnvWrite(cmd) {
-    // .env / .env.<suffix> writes — match `\.env\b` adjacent to a write
-    // op (redirection, tee, cp, mv into) or `rm`. Reading .env in shell
-    // (`cat .env`) is gated by the permission engine, not classified
-    // here.
-    const envHit = /(^|\s|\/)\.env(\.[a-zA-Z0-9_-]+)?(\s|$|[>])/m.test(cmd);
-    if (!envHit)
-        return null;
-    if (/>>?\s/.test(cmd) ||
-        /\btee\b/.test(cmd) ||
-        /\bcp\b.*\.env/.test(cmd) ||
-        /\bmv\b.*\.env/.test(cmd) ||
-        /\brm\b.*\.env/.test(cmd)) {
-        return { reason: 'Write touches .env file', matched: '.env' };
-    }
-    return null;
-}
-function looksAbsoluteOutsideWorkspace(target, ctx) {
-    // Strip surrounding quotes and shell expansion artifacts.
-    const cleaned = target.replace(/^["']|["']$/g, '');
-    if (cleaned.startsWith('~')) {
-        // Home-relative path; treat as outside unless it explicitly
-        // re-enters an allowed dir (we are conservative — `~/foo` is
-        // outside).
-        return true;
-    }
-    if (!cleaned.startsWith('/')) {
-        // Workspace-relative path (or shell var); allowed at this layer.
-        // The path-security layer in `path-security.ts` already gates
-        // traversal escapes for the file tools; the bash classifier
-        // cannot resolve shell vars so we trust them.
-        return false;
-    }
-    const allowedRoots = [ctx.workspaceRoot, ...ctx.additionalDirectories].map((p) => p.endsWith('/') ? p : `${p}/`);
-    const cleanedWithSlash = cleaned.endsWith('/') ? cleaned : `${cleaned}/`;
-    return !allowedRoots.some((root) => cleanedWithSlash === root || cleanedWithSlash.startsWith(root));
-}
-function detectNetwork(cmd) {
-    for (const prefix of NETWORK_PREFIXES) {
-        if (cmd.startsWith(prefix) || cmd.includes(` ${prefix}`)) {
-            return { reason: `Network operation: ${prefix.trim()}`, matched: prefix.trim() };
-        }
-    }
-    const firstToken = cmd.split(/\s+/)[0] ?? '';
-    if (NETWORK_TOKENS.has(firstToken)) {
-        return { reason: `Network tool: ${firstToken}`, matched: firstToken };
-    }
-    return null;
-}
-/**
- * Normalize a POSIX-ish path without resolving symlinks. Used by the
- * `cd ... && rest` boundary check so we can decide whether the
- * destination is inside `workspaceRoot ∪ additionalDirectories`
- * before we ever spawn /bin/sh.
- */
-function normalizePosix(input, baseDir) {
-    const cleaned = input.replace(/^["']|["']$/g, '');
-    const expanded = cleaned.startsWith('~') ? cleaned : cleaned;
-    // ~ expansion is intentionally not done (it would force HOME read);
-    // a `cd ~/...` is treated as outside-workspace by default since the
-    // home directory is generally outside the workspace.
-    const isAbsolute = expanded.startsWith('/') || expanded.startsWith('~');
-    const start = isAbsolute ? expanded : `${baseDir.replace(/\/$/, '')}/${expanded}`;
-    const parts = start.split('/');
-    const stack = [];
-    for (const part of parts) {
-        if (part === '' || part === '.')
-            continue;
-        if (part === '..') {
-            if (stack.length > 0)
-                stack.pop();
-            continue;
-        }
-        stack.push(part);
-    }
-    return `/${stack.join('/')}`;
-}
-function isInsideAllowedRoot(absPath, ctx) {
-    const allowedRoots = [ctx.workspaceRoot, ...ctx.additionalDirectories];
-    for (const rootRaw of allowedRoots) {
-        const root = rootRaw.endsWith('/') ? rootRaw.slice(0, -1) : rootRaw;
-        if (absPath === root || absPath.startsWith(`${root}/`))
-            return true;
-    }
-    return false;
-}
-/**
- * Detect `cd <path>` at the head of a component and decide whether
- * the destination escapes the workspace boundary. Returns a
- * classification when an escape is detected; otherwise null.
- *
- * Per spec: a command of shape `cd <path> && <rest>` should classify
- * the cwd target — if `<path>` resolves outside the workspace, the
- * overall class becomes `write_protected` regardless of `<rest>`.
- *
- * We treat `cd -` (last-dir) and `cd` (HOME) as escapes since the
- * resulting cwd is not under our control.
- */
-function detectCwdEscape(components, ctx) {
-    if (components.length === 0)
-        return null;
-    // Walk every component, threading a simulated cwd through the chain.
-    // Pure `cd <path>` components update the simulated cwd; anything
-    // else leaves it untouched. If any hop lands outside
-    // `workspaceRoot ∪ additionalDirectories`, the overall classification
-    // upgrades to write_protected. Subshells (`(cd foo && rest)`) are
-    // out of scope for M1 — the parent cwd is unaffected there, and the
-    // classifier already treats parentheses as part of the component.
-    let cwd = ctx.workspaceRoot;
-    for (let i = 0; i < components.length; i += 1) {
-        const trimmed = components[i]?.trim() ?? '';
-        const cdMatch = trimmed.match(/^cd(?:\s+(\S+))?\s*$/);
-        if (!cdMatch)
-            continue;
-        const target = cdMatch[1];
-        if (target === undefined || target === '-' || target === '~') {
-            return {
-                class: 'write_protected',
-                reason: `cd chain escapes workspace boundary at hop ${i + 1}`,
-                matched: `cd${target ? ` ${target}` : ''}`,
-            };
-        }
-        cwd = normalizePosix(target, cwd);
-        if (!isInsideAllowedRoot(cwd, ctx)) {
-            return {
-                class: 'write_protected',
-                reason: `cd chain escapes workspace boundary at hop ${i + 1}`,
-                matched: `cd ${target}`,
-            };
-        }
-    }
-    return null;
-}
-export function classifyBash(cmd, ctx) {
-    const normalized = cmd.trim();
-    if (normalized === '') {
-        return { class: 'unknown', reason: 'empty command', matched: '' };
-    }
-    // Full-command destructive check first. Patterns like the fork bomb
-    // (`:(){ :|:& };:`) and SQL-in-pipe (`echo X | mysql -e 'DROP ...'`)
-    // would otherwise split on `|` or `;` and the components would each
-    // look benign. We catch them by matching the destructive substrings
-    // against the raw command before splitting.
-    const fullDestructive = findDestructiveMatch(normalized);
-    if (fullDestructive) {
-        return {
-            class: 'destructive',
-            reason: `Destructive command pattern matched: ${fullDestructive}`,
-            matched: fullDestructive,
-        };
-    }
-    // Full-command obfuscation check. `curl ... | sh` splits into two
-    // benign-looking components (`curl ...` is network; `sh` is unknown)
-    // but the pipeline together is the remote-installer pattern we want
-    // to flag as unknown so the engine can fail closed.
-    const fullObfuscation = detectObfuscation(normalized);
-    if (fullObfuscation) {
-        return {
-            class: 'unknown',
-            reason: fullObfuscation.reason,
-            matched: fullObfuscation.matched,
-        };
-    }
-    // Compound-command split. We classify each component, then pick
-    // the most dangerous one as the overall class.
-    const components = splitCompoundRespectingQuotes(normalized);
-    // Cwd-escape check runs over the raw component list so the `cd`
-    // verdict trumps the `<rest>` classification even when `<rest>` is
-    // a benign `ls`.
-    const cwdEscape = detectCwdEscape(components, ctx);
-    const classified = components.map((c) => classifyComponent(c, ctx));
-    // Pick the worst component.
-    let worst;
-    for (const candidate of classified) {
-        if (!worst || CLASS_RANK[candidate.class] > CLASS_RANK[worst.class]) {
-            worst = candidate;
-        }
-    }
-    if (!worst) {
-        return {
-            class: 'unknown',
-            reason: 'no recognizable component',
-            matched: normalized,
-        };
-    }
-    // Cwd escape upgrades the class to at least `write_protected`. A
-    // destructive component still wins (the user might be trying to
-    // wipe a protected path AND escape cwd — we report the worse one).
-    if (cwdEscape && CLASS_RANK[cwdEscape.class] > CLASS_RANK[worst.class]) {
-        return {
-            class: cwdEscape.class,
-            reason: cwdEscape.reason,
-            matched: cwdEscape.matched,
-            components: classified,
-        };
-    }
-    if (classified.length === 1) {
-        return worst;
-    }
-    return { ...worst, components: classified };
-}
-/**
- * Re-exported destructive-pattern source. The permission engine used
- * to maintain its own `destructiveBashPatterns` array; that array
- * now lives here as the single source of truth. Callers that need to
- * audit the list (e.g. doctor output) read this export instead of
- * duplicating the regex set.
- */
-export function listDestructivePatterns() {
-    return DESTRUCTIVE_PATTERNS.map((p) => p.pattern);
-}
-//# sourceMappingURL=bash-classifier.js.map