@qduc/term2 0.1.0

package/dist/utils/command-safety/index.d.ts

@@ -0,0 +1,14 @@
+import { SafetyStatus } from './constants.js';
+import type { ILoggingService } from '../../services/service-interfaces.js';
+/**
+ * Classify command into a SafetyStatus (GREEN/YELLOW/RED)
+ */
+export declare function classifyCommand(commandString: string, loggingService?: ILoggingService): SafetyStatus;
+/**
+ * Validate command safety using an AST parser.
+ * Returns true when a command requires user approval.
+ * Throws for invalid/empty inputs OR hard-blocked RED classifications.
+ */
+export declare function validateCommandSafety(command: string, loggingService?: ILoggingService): boolean;
+export { SafetyStatus } from './constants.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/command-safety/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../source/utils/command-safety/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,YAAY,EAAqC,MAAM,gBAAgB,CAAC;AAShF,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,sCAAsC,CAAC;AAiB1E;;GAEG;AACH,wBAAgB,eAAe,CAC3B,aAAa,EAAE,MAAM,EACrB,cAAc,CAAC,EAAE,eAAe,GACjC,YAAY,CA0Jd;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACjC,OAAO,EAAE,MAAM,EACf,cAAc,CAAC,EAAE,eAAe,GACjC,OAAO,CA0BT;AAGD,OAAO,EAAC,YAAY,EAAC,MAAM,gBAAgB,CAAC"}

package/dist/utils/command-safety/index.js

@@ -0,0 +1,183 @@
+import parse from 'bash-parser';
+import { SafetyStatus, ALLOWED_COMMANDS, BLOCKED_COMMANDS } from './constants.js';
+import { extractWordText } from './utils.js';
+import { hasFindDangerousExecution, hasFindSuspiciousFlags, } from './find-helpers.js';
+import { analyzePathRisk } from './path-analysis.js';
+import { getCommandHandler } from './handlers/index.js';
+const nullLoggingService = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+    security: () => { },
+    setCorrelationId: () => { },
+    getCorrelationId: () => undefined,
+    clearCorrelationId: () => { },
+};
+function getLogger(loggingService) {
+    return loggingService ?? nullLoggingService;
+}
+/**
+ * Classify command into a SafetyStatus (GREEN/YELLOW/RED)
+ */
+export function classifyCommand(commandString, loggingService) {
+    try {
+        const reasons = [];
+        const truncatedCommand = commandString.substring(0, 200);
+        const logger = getLogger(loggingService);
+        logger.security('Classifying command safety', {
+            command: truncatedCommand,
+        });
+        const ast = parse(commandString, { mode: 'bash' });
+        let worstStatus = SafetyStatus.GREEN;
+        const analyzePathRiskWithLogger = (p) => analyzePathRisk(p, logger);
+        function upgradeStatus(s, reason) {
+            if (worstStatus === SafetyStatus.RED)
+                return;
+            if (s === SafetyStatus.RED)
+                worstStatus = SafetyStatus.RED;
+            else if (s === SafetyStatus.YELLOW &&
+                worstStatus === SafetyStatus.GREEN)
+                worstStatus = SafetyStatus.YELLOW;
+            if (reason)
+                reasons.push(`${s}: ${reason}`);
+        }
+        function traverse(node) {
+            if (!node)
+                return;
+            if (Array.isArray(node))
+                return node.forEach(traverse);
+            if (node.type === 'Command') {
+                const name = node.name?.text ||
+                    (node.name &&
+                        node.name.parts &&
+                        node.name.parts.map((p) => p.text).join(''));
+                if (typeof name === 'string') {
+                    if (BLOCKED_COMMANDS.has(name)) {
+                        upgradeStatus(SafetyStatus.RED, `blocked command: ${name}`);
+                        return;
+                    }
+                    if (!ALLOWED_COMMANDS.has(name)) {
+                        upgradeStatus(SafetyStatus.YELLOW, `unknown or unlisted command: ${name}`);
+                    }
+                }
+                const cmdName = typeof name === 'string' ? name : undefined;
+                // Check if there's a specialized handler for this command
+                if (cmdName) {
+                    const handler = getCommandHandler(cmdName);
+                    if (handler) {
+                        const helpers = {
+                            extractWordText,
+                            analyzePathRisk: analyzePathRiskWithLogger,
+                            hasFindDangerousExecution,
+                            hasFindSuspiciousFlags,
+                        };
+                        const result = handler.handle(node, helpers);
+                        upgradeStatus(result.status, result.reasons.join('; '));
+                        return;
+                    }
+                }
+                // Generic argument processing for commands without specialized handlers
+                if (node.suffix) {
+                    for (const arg of node.suffix) {
+                        // Handle redirects
+                        if (arg?.type === 'Redirect') {
+                            const fileText = extractWordText(arg.file ?? arg);
+                            const pathStatus = analyzePathRiskWithLogger(fileText);
+                            upgradeStatus(pathStatus, `redirect to ${fileText ?? '<unknown>'}`);
+                            continue;
+                        }
+                        const argText = extractWordText(arg);
+                        // Skip flags (generic commands don't have special flag handling)
+                        if (argText && argText.startsWith('-')) {
+                            continue;
+                        }
+                        // Analyze path arguments
+                        const pathStatus = analyzePathRiskWithLogger(argText);
+                        // Unknown/opaque args fall back to YELLOW
+                        if (!argText)
+                            upgradeStatus(SafetyStatus.YELLOW, 'opaque or unparseable argument');
+                        else
+                            upgradeStatus(pathStatus, `argument ${argText}`);
+                    }
+                }
+            }
+            // recurse common shapes
+            if (node.type === 'LogicalExpression') {
+                traverse(node.left);
+                traverse(node.right);
+                return;
+            }
+            if (node.type === 'Pipeline') {
+                (node.commands || []).forEach(traverse);
+                return;
+            }
+            if (node.type === 'Subshell') {
+                traverse(node.list);
+                return;
+            }
+            if (node.type === 'CommandSubstitution') {
+                (node.commands || []).forEach(traverse);
+                return;
+            }
+            if (node.type === 'Script' || node.type === 'Program') {
+                (node.commands || []).forEach(traverse);
+                return;
+            }
+            for (const k of Object.keys(node)) {
+                const v = node[k];
+                if (v && typeof v === 'object')
+                    traverse(v);
+            }
+        }
+        if (ast && ast.commands) {
+            ast.commands.forEach(traverse);
+        }
+        logger.security('Command classification result', {
+            command: truncatedCommand,
+            status: worstStatus,
+            reasons,
+        });
+        return worstStatus;
+    }
+    catch (e) {
+        // Fail-safe: unparsable -> audit
+        const logger = getLogger(loggingService);
+        logger.warn('Failed to parse command, classifying as YELLOW', {
+            command: commandString.substring(0, 200),
+            error: e instanceof Error ? e.message : String(e),
+        });
+        return SafetyStatus.YELLOW;
+    }
+}
+/**
+ * Validate command safety using an AST parser.
+ * Returns true when a command requires user approval.
+ * Throws for invalid/empty inputs OR hard-blocked RED classifications.
+ */
+export function validateCommandSafety(command, loggingService) {
+    if (!command ||
+        typeof command !== 'string' ||
+        command.trim().length === 0) {
+        throw new Error('Command cannot be empty');
+    }
+    const logger = getLogger(loggingService);
+    logger.security('Validating command safety', {
+        command: command.substring(0, 200),
+    });
+    const status = classifyCommand(command, logger);
+    if (status === SafetyStatus.RED) {
+        logger.security('Command validation failed: RED (forbidden)', {
+            command: command.substring(0, 200),
+        });
+        throw new Error('Command classified as RED (forbidden)');
+    }
+    logger.security('Validation result', {
+        command: command.substring(0, 200),
+        status,
+    });
+    return status === SafetyStatus.YELLOW;
+}
+// Re-export types and constants for convenience
+export { SafetyStatus } from './constants.js';
+//# sourceMappingURL=index.js.map

package/dist/utils/command-safety/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../source/utils/command-safety/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,aAAa,CAAC;AAChC,OAAO,EAAC,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,gBAAgB,CAAC;AAChF,OAAO,EAAC,eAAe,EAAC,MAAM,YAAY,CAAC;AAC3C,OAAO,EACH,yBAAyB,EACzB,sBAAsB,GACzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAC,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAC,iBAAiB,EAAC,MAAM,qBAAqB,CAAC;AAItD,MAAM,kBAAkB,GAAoB;IACxC,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,QAAQ,EAAE,GAAG,EAAE,GAAE,CAAC;IAClB,gBAAgB,EAAE,GAAG,EAAE,GAAE,CAAC;IAC1B,gBAAgB,EAAE,GAAG,EAAE,CAAC,SAAS;IACjC,kBAAkB,EAAE,GAAG,EAAE,GAAE,CAAC;CAC/B,CAAC;AAEF,SAAS,SAAS,CAAC,cAAgC;IAC/C,OAAO,cAAc,IAAI,kBAAkB,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC3B,aAAqB,EACrB,cAAgC;IAEhC,IAAI,CAAC;QACD,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,gBAAgB,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;QAEzC,MAAM,CAAC,QAAQ,CAAC,4BAA4B,EAAE;YAC1C,OAAO,EAAE,gBAAgB;SAC5B,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,EAAE,EAAC,IAAI,EAAE,MAAM,EAAC,CAAC,CAAC;QACjD,IAAI,WAAW,GAAiB,YAAY,CAAC,KAAK,CAAC;QAEnD,MAAM,yBAAyB,GAAG,CAAC,CAAqB,EAAE,EAAE,CACxD,eAAe,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QAE/B,SAAS,aAAa,CAAC,CAAe,EAAE,MAAe;YACnD,IAAI,WAAW,KAAK,YAAY,CAAC,GAAG;gBAAE,OAAO;YAC7C,IAAI,CAAC,KAAK,YAAY,CAAC,GAAG;gBAAE,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC;iBACtD,IACD,CAAC,KAAK,YAAY,CAAC,MAAM;gBACzB,WAAW,KAAK,YAAY,CAAC,KAAK;gBAElC,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC;YACtC,IAAI,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,SAAS,QAAQ,CAAC,IAAS;YACvB,IAAI,CAAC,IAAI;gBAAE,OAAO;YAElB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAEvD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC1B,MAAM,IAAI,GACN,IAAI,CAAC,IAAI,EAAE,IAAI;oBACf,CAAC,IAAI,CAAC,IAAI;wBACN,IAAI,CAAC,IAAI,CAAC,KAAK;wBACf,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC1D,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC3B,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,aAAa,CACT,YAAY,CAAC,GAAG,EAChB,oBAAoB,IAAI,EAAE,CAC7B,CAAC;wBACF,OAAO;oBACX,CAAC;oBACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,aAAa,CACT,YAAY,CAAC,MAAM,EACnB,gCAAgC,IAAI,EAAE,CACzC,CAAC;oBACN,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;gBAE5D,0DAA0D;gBAC1D,IAAI,OAAO,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;oBAC3C,IAAI,OAAO,EAAE,CAAC;wBACV,MAAM,OAAO,GAA0B;4BACnC,eAAe;4BACf,eAAe,EAAE,yBAAyB;4BAC1C,yBAAyB;4BACzB,sBAAsB;yBACzB,CAAC;wBACF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;wBAC7C,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBACxD,OAAO;oBACX,CAAC;gBACL,CAAC;gBAED,wEAAwE;gBACxE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;oBACd,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;wBAC5B,mBAAmB;wBACnB,IAAI,GAAG,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;4BAC3B,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC;4BAClD,MAAM,UAAU,GACZ,yBAAyB,CAAC,QAAQ,CAAC,CAAC;4BACxC,aAAa,CACT,UAAU,EACV,eAAe,QAAQ,IAAI,WAAW,EAAE,CAC3C,CAAC;4BACF,SAAS;wBACb,CAAC;wBAED,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;wBACrC,iEAAiE;wBACjE,IAAI,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;4BACrC,SAAS;wBACb,CAAC;wBAED,yBAAyB;wBACzB,MAAM,UAAU,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;wBACtD,0CAA0C;wBAC1C,IAAI,CAAC,OAAO;4BACR,aAAa,CACT,YAAY,CAAC,MAAM,EACnB,gCAAgC,CACnC,CAAC;;4BACD,aAAa,CAAC,UAAU,EAAE,YAAY,OAAO,EAAE,CAAC,CAAC;oBAC1D,CAAC;gBACL,CAAC;YACL,CAAC;YAED,wBAAwB;YACxB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpB,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACrB,OAAO;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC3B,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACxC,OAAO;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpB,OAAO;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBACtC,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACxC,OAAO;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACpD,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACxC,OAAO;YACX,CAAC;YAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;YAChD,CAAC;QACL,CAAC;QAED,IAAI,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACrB,GAAG,CAAC,QAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,CAAC,QAAQ,CAAC,+BAA+B,EAAE;YAC7C,OAAO,EAAE,gBAAgB;YACzB,MAAM,EAAE,WAAW;YACnB,OAAO;SACV,CAAC,CAAC;QAEH,OAAO,WAAW,CAAC;IACvB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,iCAAiC;QACjC,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,gDAAgD,EAAE;YAC1D,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;YACxC,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;SACpD,CAAC,CAAC;QACH,OAAO,YAAY,CAAC,MAAM,CAAC;IAC/B,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACjC,OAAe,EACf,cAAgC;IAEhC,IACI,CAAC,OAAO;QACR,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAC7B,CAAC;QACC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC/C,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;IACzC,MAAM,CAAC,QAAQ,CAAC,2BAA2B,EAAE;QACzC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;KACrC,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAEhD,IAAI,MAAM,KAAK,YAAY,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,CAAC,QAAQ,CAAC,4CAA4C,EAAE;YAC1D,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;SACrC,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,mBAAmB,EAAE;QACjC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;QAClC,MAAM;KACT,CAAC,CAAC;IACH,OAAO,MAAM,KAAK,YAAY,CAAC,MAAM,CAAC;AAC1C,CAAC;AAED,gDAAgD;AAChD,OAAO,EAAC,YAAY,EAAC,MAAM,gBAAgB,CAAC"}

package/dist/utils/command-safety/path-analysis.d.ts

@@ -0,0 +1,4 @@
+import type { ILoggingService } from '../../services/service-interfaces.js';
+import { SafetyStatus } from './constants.js';
+export declare function analyzePathRisk(inputPath: string | undefined, loggingService?: ILoggingService): SafetyStatus;
+//# sourceMappingURL=path-analysis.d.ts.map

package/dist/utils/command-safety/path-analysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-analysis.d.ts","sourceRoot":"","sources":["../../../source/utils/command-safety/path-analysis.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EACH,YAAY,EAOf,MAAM,gBAAgB,CAAC;AAiBxB,wBAAgB,eAAe,CAC3B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,cAAc,CAAC,EAAE,eAAe,GACjC,YAAY,CAuKd"}

package/dist/utils/command-safety/path-analysis.js

@@ -0,0 +1,153 @@
+import path from 'path';
+import { SafetyStatus, SYSTEM_PATHS, SENSITIVE_EXTENSIONS, HOME_PATTERNS, SENSITIVE_PATHS, SAFE_JSON_FILES, SUSPICIOUS_JSON_PATTERNS, } from './constants.js';
+const nullLoggingService = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+    security: () => { },
+    setCorrelationId: () => { },
+    getCorrelationId: () => undefined,
+    clearCorrelationId: () => { },
+};
+function getLogger(loggingService) {
+    return loggingService ?? nullLoggingService;
+}
+export function analyzePathRisk(inputPath, loggingService) {
+    const logger = getLogger(loggingService);
+    const candidate = inputPath?.trim();
+    if (!candidate)
+        return SafetyStatus.GREEN;
+    // GREEN: Safe pseudo-devices
+    const safeDevices = new Set([
+        '/dev/null',
+        '/dev/stdout',
+        '/dev/stderr',
+        '/dev/zero',
+        '/dev/random',
+        '/dev/urandom',
+    ]);
+    if (safeDevices.has(candidate)) {
+        return SafetyStatus.GREEN;
+    }
+    const cwd = process.cwd();
+    // Pre-calculate project membership for absolute paths
+    const isAbsolute = path.isAbsolute(candidate);
+    const normalizedCandidate = path.normalize(candidate);
+    const normalizedCwd = path.normalize(cwd);
+    const isWithinProject = isAbsolute &&
+        (normalizedCandidate.startsWith(normalizedCwd + path.sep) ||
+            normalizedCandidate === normalizedCwd);
+    // RED: Home directory and sensitive paths
+    // Check for various home directory representations
+    const isHomeRelated = HOME_PATTERNS.some(pattern => pattern.test(candidate));
+    if (isHomeRelated && !isWithinProject) {
+        // Extract the path after home prefix for further analysis
+        const sliced = candidate
+            .replace(/^~/, '')
+            .replace(/^\$\{?HOME\}?/, '')
+            .replace(/^\$\{?USER\}?/, '')
+            .replace(/^\$\{?LOGNAME\}?/, '')
+            .replace(/^\/home\/[^/]+/, '')
+            .replace(/^\/Users\/[^/]+/, '')
+            .replace(/^\/root/, '');
+        // Plain home directory access without any suffix is RED
+        if (sliced === '' || sliced === '/') {
+            logger.security('Path risk: home directory access', {
+                path: candidate,
+            });
+            return SafetyStatus.RED;
+        }
+        // Check for sensitive dotfiles and directories
+        if (/^\/\.\w+/.test(sliced) ||
+            SENSITIVE_PATHS.some(sensitive => sliced.includes(sensitive))) {
+            logger.security('Path risk: home dotfile or config', {
+                path: candidate,
+            });
+            return SafetyStatus.RED;
+        }
+        // Check if filename in home directory is suspicious (credentials, secrets, etc.)
+        const filename = path.basename(candidate);
+        if (/\.json$/i.test(filename) &&
+            SUSPICIOUS_JSON_PATTERNS.some(pattern => pattern.test(filename))) {
+            logger.security('Path risk: suspicious JSON file in home directory', { path: candidate });
+            return SafetyStatus.RED;
+        }
+        // Check for other sensitive extensions in home directory
+        if (SENSITIVE_EXTENSIONS.some(ext => filename.endsWith(ext))) {
+            logger.security('Path risk: sensitive file in home directory', {
+                path: candidate,
+            });
+            return SafetyStatus.RED;
+        }
+    }
+    // RED: Absolute System Paths
+    if (path.isAbsolute(candidate)) {
+        if (SYSTEM_PATHS.some(sys => candidate.startsWith(sys))) {
+            logger.security('Path risk: absolute system path', {
+                path: candidate,
+            });
+            return SafetyStatus.RED;
+        }
+        // Home dotfiles when absolute
+        if (/^\/(home|Users)\/[^/]+\/\.\w+/.test(candidate) ||
+            candidate.includes('/.ssh') ||
+            candidate.includes('/.gitconfig')) {
+            logger.security('Path risk: absolute home dotfile', {
+                path: candidate,
+            });
+            return SafetyStatus.RED;
+        }
+        // Check if absolute path is within current project directory
+        if (!isWithinProject) {
+            // Absolute paths outside project are suspicious -> audit
+            logger.security('Path risk: absolute non-system path', {
+                path: candidate,
+            });
+            return SafetyStatus.YELLOW;
+        }
+        // If within project, continue with normal flow (treat like relative path)
+        // Fall through to continue checking for sensitive files, hidden files, etc.
+    }
+    // RED: Directory Traversal
+    if (candidate.includes('..')) {
+        logger.security('Path risk: directory traversal detected', {
+            path: candidate,
+        });
+        return SafetyStatus.RED;
+    }
+    const filename = path.basename(candidate);
+    // JSON files: check allowlist and suspicious patterns BEFORE hidden file check
+    // This ensures safe JSON files like .eslintrc.json are GREEN
+    // Use case-insensitive check for .json extension
+    if (/\.json$/i.test(filename)) {
+        // Safe project config files are always GREEN
+        // Check case-insensitively by converting to lowercase
+        if (SAFE_JSON_FILES.has(filename.toLowerCase())) {
+            return SafetyStatus.GREEN;
+        }
+        // Check for suspicious credential/token patterns
+        if (SUSPICIOUS_JSON_PATTERNS.some(pattern => pattern.test(filename))) {
+            logger.security('Path risk: suspicious JSON filename', {
+                path: candidate,
+            });
+            return SafetyStatus.YELLOW;
+        }
+        // Other JSON files are GREEN by default (permissive)
+        return SafetyStatus.GREEN;
+    }
+    // Hidden files -> YELLOW
+    if (filename.startsWith('.')) {
+        logger.security('Path risk: hidden file', { path: candidate });
+        return SafetyStatus.YELLOW;
+    }
+    // Sensitive extensions
+    if (SENSITIVE_EXTENSIONS.some(ext => filename.endsWith(ext))) {
+        logger.security('Path risk: sensitive extension', {
+            path: candidate,
+        });
+        return SafetyStatus.YELLOW;
+    }
+    return SafetyStatus.GREEN;
+}
+//# sourceMappingURL=path-analysis.js.map

package/dist/utils/command-safety/path-analysis.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-analysis.js","sourceRoot":"","sources":["../../../source/utils/command-safety/path-analysis.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EACH,YAAY,EACZ,YAAY,EACZ,oBAAoB,EACpB,aAAa,EACb,eAAe,EACf,eAAe,EACf,wBAAwB,GAC3B,MAAM,gBAAgB,CAAC;AAExB,MAAM,kBAAkB,GAAoB;IACxC,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,QAAQ,EAAE,GAAG,EAAE,GAAE,CAAC;IAClB,gBAAgB,EAAE,GAAG,EAAE,GAAE,CAAC;IAC1B,gBAAgB,EAAE,GAAG,EAAE,CAAC,SAAS;IACjC,kBAAkB,EAAE,GAAG,EAAE,GAAE,CAAC;CAC/B,CAAC;AAEF,SAAS,SAAS,CAAC,cAAgC;IAC/C,OAAO,cAAc,IAAI,kBAAkB,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,eAAe,CAC3B,SAA6B,EAC7B,cAAgC;IAEhC,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,SAAS,EAAE,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,SAAS;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC;IAE1C,6BAA6B;IAC7B,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;QACxB,WAAW;QACX,aAAa;QACb,aAAa;QACb,WAAW;QACX,aAAa;QACb,cAAc;KACjB,CAAC,CAAC;IACH,IAAI,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,OAAO,YAAY,CAAC,KAAK,CAAC;IAC9B,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE1B,sDAAsD;IACtD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,eAAe,GACjB,UAAU;QACV,CAAC,mBAAmB,CAAC,UAAU,CAAC,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC;YACrD,mBAAmB,KAAK,aAAa,CAAC,CAAC;IAE/C,0CAA0C;IAC1C,mDAAmD;IACnD,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAC/C,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAC1B,CAAC;IAEF,IAAI,aAAa,IAAI,CAAC,eAAe,EAAE,CAAC;QACpC,0DAA0D;QAC1D,MAAM,MAAM,GAAG,SAAS;aACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;aACjB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC;aAC/B,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC;aAC7B,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC;aAC9B,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE5B,wDAAwD;QACxD,IAAI,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YAClC,MAAM,CAAC,QAAQ,CAAC,kCAAkC,EAAE;gBAChD,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;QAED,+CAA+C;QAC/C,IACI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC;YACvB,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAC/D,CAAC;YACC,MAAM,CAAC,QAAQ,CAAC,mCAAmC,EAAE;gBACjD,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;QAED,iFAAiF;QACjF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1C,IACI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;YACzB,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAClE,CAAC;YACC,MAAM,CAAC,QAAQ,CACX,mDAAmD,EACnD,EAAC,IAAI,EAAE,SAAS,EAAC,CACpB,CAAC;YACF,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;QAED,yDAAyD;QACzD,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC3D,MAAM,CAAC,QAAQ,CAAC,6CAA6C,EAAE;gBAC3D,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;IACL,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,iCAAiC,EAAE;gBAC/C,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;QACD,8BAA8B;QAC9B,IACI,+BAA+B,CAAC,IAAI,CAAC,SAAS,CAAC;YAC/C,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EACnC,CAAC;YACC,MAAM,CAAC,QAAQ,CAAC,kCAAkC,EAAE;gBAChD,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,CAAC;QAC5B,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC,eAAe,EAAE,CAAC;YACnB,yDAAyD;YACzD,MAAM,CAAC,QAAQ,CAAC,qCAAqC,EAAE;gBACnD,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,MAAM,CAAC;QAC/B,CAAC;QAED,0EAA0E;QAC1E,4EAA4E;IAChF,CAAC;IAED,2BAA2B;IAC3B,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,QAAQ,CAAC,yCAAyC,EAAE;YACvD,IAAI,EAAE,SAAS;SAClB,CAAC,CAAC;QACH,OAAO,YAAY,CAAC,GAAG,CAAC;IAC5B,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAE1C,+EAA+E;IAC/E,6DAA6D;IAC7D,iDAAiD;IACjD,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,6CAA6C;QAC7C,sDAAsD;QACtD,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC9C,OAAO,YAAY,CAAC,KAAK,CAAC;QAC9B,CAAC;QAED,iDAAiD;QACjD,IAAI,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,qCAAqC,EAAE;gBACnD,IAAI,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,MAAM,CAAC;QAC/B,CAAC;QAED,qDAAqD;QACrD,OAAO,YAAY,CAAC,KAAK,CAAC;IAC9B,CAAC;IAED,yBAAyB;IACzB,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,EAAC,IAAI,EAAE,SAAS,EAAC,CAAC,CAAC;QAC7D,OAAO,YAAY,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED,uBAAuB;IACvB,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,gCAAgC,EAAE;YAC9C,IAAI,EAAE,SAAS;SAClB,CAAC,CAAC;QACH,OAAO,YAAY,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED,OAAO,YAAY,CAAC,KAAK,CAAC;AAC9B,CAAC"}

package/dist/utils/command-safety/utils.d.ts

@@ -0,0 +1,2 @@
+export declare function extractWordText(word: any): string | undefined;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils/command-safety/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../source/utils/command-safety/utils.ts"],"names":[],"mappings":"AACA,wBAAgB,eAAe,CAAC,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,SAAS,CAa7D"}

package/dist/utils/command-safety/utils.js

@@ -0,0 +1,22 @@
+// Extract a best-effort string for a word/arg node, including expansions.
+export function extractWordText(word) {
+    if (!word)
+        return undefined;
+    if (typeof word === 'string')
+        return word;
+    if (typeof word.text === 'string')
+        return word.text;
+    if (typeof word.value === 'string')
+        return word.value;
+    if (typeof word.content === 'string')
+        return word.content;
+    if (word.parameter)
+        return `$${word.parameter}`;
+    if (Array.isArray(word.parts)) {
+        return word.parts
+            .map((part) => extractWordText(part) ?? '')
+            .join('');
+    }
+    return undefined;
+}
+//# sourceMappingURL=utils.js.map

package/dist/utils/command-safety/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../source/utils/command-safety/utils.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,MAAM,UAAU,eAAe,CAAC,IAAS;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IACpD,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC;IACtD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IAC1D,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;IAChD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC,KAAK;aACZ,GAAG,CAAC,CAAC,IAAS,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;aAC/C,IAAI,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,SAAS,CAAC;AACrB,CAAC"}

package/dist/utils/command-safety.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Validate command safety using an AST parser.
+ * Returns true when a command requires user approval.
+ * Throws for invalid/empty inputs.
+ */
+export declare enum SafetyStatus {
+    GREEN = "GREEN",
+    YELLOW = "YELLOW",
+    RED = "RED"
+}
+/**
+ * Classify command into a SafetyStatus (GREEN/YELLOW/RED)
+ */
+export declare function classifyCommand(commandString: string): SafetyStatus;
+/**
+ * Validate command safety using an AST parser.
+ * Returns true when a command requires user approval.
+ * Throws for invalid/empty inputs OR hard-blocked RED classifications.
+ */
+export declare function validateCommandSafety(command: string): boolean;
+//# sourceMappingURL=command-safety.d.ts.map

package/dist/utils/command-safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-safety.d.ts","sourceRoot":"","sources":["../../source/utils/command-safety.ts"],"names":[],"mappings":"AAwDA;;;;GAIG;AACH,oBAAY,YAAY;IACpB,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,GAAG,QAAQ;CACd;AAgZD;;GAEG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,GAAG,YAAY,CA4UnE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAyB9D"}

package/dist/utils/command-safety.find.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=command-safety.find.test.d.ts.map

package/dist/utils/command-safety.find.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-safety.find.test.d.ts","sourceRoot":"","sources":["../../source/utils/command-safety.find.test.ts"],"names":[],"mappings":""}