@tuent/sentinel 0.1.0 → 0.1.2

package/dist/{chunk-6MHWJATS.js → chunk-QIYQWOLO.js}

@@ -234,8 +234,43 @@ var DEFAULT_FORBIDDEN_PATTERNS = [
   "**/id_ed25519*",
   "**/*.pem",
   "**/*.key",
-  "/etc/**"
+  "/etc/**",
+  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
+  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
+  // unification tracked in a separate ticket — do not refactor here).
+  "**/.netrc",
+  "**/.npmrc",
+  "**/.git-credentials",
+  "**/.pgpass",
+  "**/.zsh_history",
+  "**/.config/gh/**",
+  "**/.docker/config.json",
+  "**/.gnupg/**",
+  "**/.config/gcloud/**",
+  "**/.kube/**",
+  "**/Library/Keychains/**",
+  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
+  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
+  "**/.dahlia/**",
+  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
+  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
+  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
+  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
+  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
+  "**/.sentinel.yaml",
+  "**/.claude/settings*.json"
 ];
+var DEFAULT_POLICY_READ_EXCEPTIONS = [
+  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
+  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
+];
+function withPolicyReadExceptions(existing) {
+  const merged = existing ? [...existing] : [];
+  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
+    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
+  }
+  return merged;
+}
 var DEFAULT_MEDIUM_DISPOSITION = {
   network_request: "deny"
 };
@@ -258,23 +293,543 @@ var DEFAULT_NETWORK_DENYLIST_CIDRS = [
 var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"];
 
 // src/roleValidator.ts
-import { normalize, basename, dirname as dirname3, join as join3 } from "path";
-import { lstatSync, readdirSync, realpathSync } from "fs";
+import { normalize as normalize2, basename as basename2, dirname as dirname4, join as join4 } from "path";
+import { lstatSync, readdirSync, realpathSync as realpathSync2 } from "fs";
 import { homedir as homedir3 } from "os";
+
+// src/gateway/bashScanner.ts
+import { parse as shellParse } from "shell-quote";
+import { realpathSync } from "fs";
+import { dirname as dirname3, join as join3, basename, normalize } from "path";
+var BRACE_PATTERN_RE = /\{[^}]*,[^}]*\}/;
+var MAX_BRACE_EXPANSION = 64;
+function fnmatchBasename(pattern, candidate) {
+  if (pattern.length !== candidate.length) return false;
+  for (let i = 0; i < pattern.length; i++) {
+    const p = pattern[i].toLowerCase();
+    const c = candidate[i].toLowerCase();
+    if (p === "?") continue;
+    if (p !== c) return false;
+  }
+  return true;
+}
+function bracketTokenMatchesForbidden(token, forbiddenBasenames) {
+  const literals = [];
+  let current = "";
+  let inBracket = false;
+  for (let i = 0; i < token.length; i++) {
+    if (token[i] === "[" && !inBracket) {
+      if (current) literals.push(current);
+      current = "";
+      inBracket = true;
+    } else if (token[i] === "]" && inBracket) {
+      inBracket = false;
+    } else if (!inBracket) {
+      current += token[i];
+    }
+  }
+  if (current) literals.push(current);
+  for (const forbidden of forbiddenBasenames) {
+    const fl = forbidden.toLowerCase();
+    for (const lit of literals) {
+      if (lit.length === 0) continue;
+      if (fl.includes(lit.toLowerCase())) return forbidden;
+    }
+  }
+  return null;
+}
+function resolveBraceExpansion(token) {
+  const match = token.match(/^(.*?)\{([^}]*,[^}]*)\}(.*)$/);
+  if (!match) return null;
+  const [, prefix, alternatives, suffix] = match;
+  const parts = alternatives.split(",");
+  if (parts.length > MAX_BRACE_EXPANSION) return null;
+  return parts.map((p) => prefix + p + suffix);
+}
+function wildcardDispatch(token, forbiddenBasenames, metadataField) {
+  const result = {
+    resolvedBasenames: [],
+    unparseable: false,
+    metadata: {}
+  };
+  if (token === "*" || token === "**" || token === "?") {
+    return result;
+  }
+  if (BRACE_PATTERN_RE.test(token)) {
+    const expanded = resolveBraceExpansion(token);
+    if (expanded === null) {
+      result.unparseable = true;
+      return result;
+    }
+    for (const alt of expanded) {
+      const hasWildcard = /[?*[]/.test(alt);
+      if (hasWildcard) {
+        const sub = wildcardDispatch(alt, forbiddenBasenames, metadataField);
+        if (sub.resolvedBasenames.length > 0) {
+          result.resolvedBasenames.push(...sub.resolvedBasenames);
+          result.metadata["resolvedFromBrace"] = token;
+          Object.assign(result.metadata, sub.metadata);
+        }
+        if (sub.unparseable) result.unparseable = true;
+      } else {
+        const altLower = alt.toLowerCase();
+        for (const forbidden of forbiddenBasenames) {
+          if (altLower === forbidden.toLowerCase()) {
+            result.resolvedBasenames.push(forbidden);
+            result.metadata["resolvedFromBrace"] = token;
+            break;
+          }
+        }
+      }
+    }
+    return result;
+  }
+  const hasStar = token.includes("*");
+  const hasQuestion = token.includes("?");
+  const hasBracket = token.includes("[");
+  if (hasBracket) {
+    const matched = bracketTokenMatchesForbidden(token, forbiddenBasenames);
+    if (matched) {
+      result.resolvedBasenames.push(matched);
+      result.metadata["resolvedFromBracket"] = token;
+    } else {
+      result.unparseable = true;
+    }
+    return result;
+  }
+  if (hasStar && !hasQuestion) {
+    const matched = starLiteralSubstringCheck(token, forbiddenBasenames);
+    if (matched) {
+      result.resolvedBasenames.push(matched);
+      result.metadata[metadataField] = token;
+    }
+    return result;
+  }
+  if (hasQuestion && !hasStar) {
+    for (const forbidden of forbiddenBasenames) {
+      if (fnmatchBasename(token, forbidden)) {
+        result.resolvedBasenames.push(forbidden);
+        result.metadata[metadataField] = token;
+        break;
+      }
+    }
+    return result;
+  }
+  if (hasStar && hasQuestion) {
+    const starMatch = starLiteralSubstringCheck(token, forbiddenBasenames);
+    if (starMatch) {
+      result.resolvedBasenames.push(starMatch);
+      result.metadata[metadataField] = token;
+      return result;
+    }
+    const segments = token.split("*").filter((s) => s.includes("?"));
+    for (const seg of segments) {
+      for (const forbidden of forbiddenBasenames) {
+        if (fnmatchBasename(seg, forbidden)) {
+          result.resolvedBasenames.push(forbidden);
+          result.metadata[metadataField] = token;
+          return result;
+        }
+      }
+    }
+    return result;
+  }
+  return result;
+}
+function starLiteralSubstringCheck(token, forbiddenBasenames) {
+  const literals = token.split("*").filter((s) => s.length > 0);
+  for (const forbidden of forbiddenBasenames) {
+    const fl = forbidden.toLowerCase();
+    for (const lit of literals) {
+      if (fl.includes(lit.toLowerCase())) return forbidden;
+    }
+  }
+  return null;
+}
+function shouldDispatchWildcard(token) {
+  const hasMetachar = /[?*[{]/.test(token);
+  if (!hasMetachar) return false;
+  if (isPathShaped(token)) return true;
+  if (token.includes("[")) return true;
+  if (BRACE_PATTERN_RE.test(token)) return true;
+  return false;
+}
+var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key|\.netrc|\.npmrc|\.pgpass|\.zsh_history|\.gnupg|\.kube|\.dahlia)/i;
+var DANGEROUS_COMMAND_TOKENS = /* @__PURE__ */ new Set(["eval"]);
+var COMMAND_SUBSTITUTION_RE = /\$\(|`/;
+var DANGEROUS_RAW_RE = /<<<|<\(|>\(/;
+function isVarMarker(token) {
+  return typeof token === "object" && token !== null && "__sentinel_var" in token && typeof token.__sentinel_var === "string";
+}
+function tokenizePaths(command) {
+  const result = {
+    paths: [],
+    unparseable: false,
+    hasDangerousConstruct: false
+  };
+  if (DANGEROUS_RAW_RE.test(command)) {
+    result.hasDangerousConstruct = true;
+  }
+  if (COMMAND_SUBSTITUTION_RE.test(command)) {
+    result.hasDangerousConstruct = true;
+  }
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    result.unparseable = true;
+    return result;
+  }
+  if (!Array.isArray(tokens)) {
+    result.unparseable = true;
+    return result;
+  }
+  let prevToken = null;
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i];
+    if (isVarMarker(token)) {
+      const nextToken = tokens[i + 1];
+      const nextIsPathRelevant = nextToken === void 0 || // end of tokens — var is complete argument
+      typeof nextToken === "object" && nextToken !== null && "op" in nextToken || // followed by operator — var is complete argument
+      typeof nextToken === "string" && isPathShaped(nextToken);
+      const prevIsPathRelevant = prevToken !== null && isPathShaped(prevToken);
+      if (nextIsPathRelevant || prevIsPathRelevant) {
+        result.unparseable = true;
+      }
+      prevToken = null;
+      continue;
+    }
+    if (typeof token === "object" && token !== null) {
+      if ("pattern" in token) {
+        const globPattern = token.pattern;
+        const lastSlash = globPattern.lastIndexOf("/");
+        const dispatchTarget = lastSlash >= 0 ? globPattern.slice(lastSlash + 1) : globPattern;
+        const dispatch = wildcardDispatch(dispatchTarget, FORBIDDEN_BASENAMES, "resolvedFromGlob");
+        if (dispatch.resolvedBasenames.length > 0) {
+          for (const resolved of dispatch.resolvedBasenames) {
+            result.paths.push(resolved);
+          }
+        }
+        if (dispatch.unparseable) {
+          result.unparseable = true;
+        }
+        if (SENSITIVE_BASENAME_RE.test(globPattern)) {
+          result.unparseable = true;
+        }
+        prevToken = null;
+        continue;
+      }
+      if ("op" in token) {
+        if (token.op === "<(") {
+          result.hasDangerousConstruct = true;
+        }
+        prevToken = null;
+        continue;
+      }
+      prevToken = null;
+      continue;
+    }
+    if (typeof token !== "string") {
+      prevToken = null;
+      continue;
+    }
+    if (DANGEROUS_COMMAND_TOKENS.has(token.toLowerCase())) {
+      result.hasDangerousConstruct = true;
+    }
+    if ((prevToken === "sh" || prevToken === "bash" || prevToken === "/bin/sh" || prevToken === "/bin/bash") && token === "-c") {
+      result.hasDangerousConstruct = true;
+    }
+    if (shouldDispatchWildcard(token)) {
+      const metaField = "resolvedFromQuotedGlob";
+      const dispatch = wildcardDispatch(token, FORBIDDEN_BASENAMES, metaField);
+      if (dispatch.resolvedBasenames.length > 0) {
+        for (const resolved of dispatch.resolvedBasenames) {
+          result.paths.push(resolved);
+        }
+      }
+      if (dispatch.unparseable) {
+        result.unparseable = true;
+      }
+    } else if (isPathShaped(token)) {
+      const resolved = resolvePathToken(token);
+      result.paths.push(resolved);
+    }
+    prevToken = token;
+  }
+  return result;
+}
+function isPathShaped(token) {
+  if (token.includes("/")) return true;
+  if (token.startsWith(".")) return true;
+  if (SENSITIVE_BASENAME_RE.test(token)) return true;
+  return false;
+}
+function resolvePathToken(token) {
+  const normalized = normalize(token);
+  try {
+    return realpathSync(normalized);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return resolveNonexistentPathToken(normalized);
+    }
+    return normalized;
+  }
+}
+function resolveNonexistentPathToken(normalizedPath) {
+  let current = normalizedPath;
+  let suffix = "";
+  for (let i = 0; i < 50; i++) {
+    const parent = dirname3(current);
+    if (parent === current) {
+      return normalizedPath;
+    }
+    if (parent === ".") {
+      return normalizedPath;
+    }
+    suffix = suffix ? join3(basename(current), suffix) : basename(current);
+    current = parent;
+    try {
+      const resolved = realpathSync(current);
+      if (resolved !== current) {
+        return join3(resolved, suffix);
+      }
+      return join3(resolved, suffix);
+    } catch {
+      continue;
+    }
+  }
+  return normalizedPath;
+}
+var FORBIDDEN_BASENAMES = [
+  ".env",
+  ".ssh",
+  ".aws",
+  "secrets",
+  "credentials",
+  "id_rsa",
+  "id_dsa",
+  "id_ecdsa",
+  "id_ed25519",
+  ".pem",
+  ".key",
+  // Sprint 26 FIX 1 (A) — credential-store file basenames (L2 bash deny).
+  // `.git-credentials` is already covered by the "credentials" entry above.
+  ".netrc",
+  ".npmrc",
+  ".pgpass",
+  ".zsh_history"
+];
+function scanBashCommand(command, forbiddenBasenames) {
+  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
+  const hits = [];
+  for (const basename3 of basenames) {
+    const pattern = buildPattern(basename3);
+    if (pattern.test(command)) {
+      hits.push(basename3);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildPattern(basename3) {
+  const escaped = escapeRegex(basename3);
+  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
+    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  }
+  if (basename3.startsWith(".")) {
+    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
+  }
+  return new RegExp(`\\b${escaped}\\b`, "i");
+}
+function scanContentForForbiddenBasenames(content, forbiddenBasenames) {
+  const hits = [];
+  for (const basename3 of forbiddenBasenames) {
+    const pattern = buildContentPattern(basename3);
+    if (pattern.test(content)) {
+      hits.push(basename3);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildContentPattern(basename3) {
+  const escaped = escapeRegex(basename3);
+  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
+    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  }
+  if (basename3.startsWith(".")) {
+    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
+  }
+  return new RegExp(`(?<=[/\\\\]\\.?)${escaped}\\b`, "i");
+}
+function isAlphaAfterDot(s) {
+  return /^\.[a-zA-Z]+$/.test(s);
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function scanGlobPattern(pattern, forbiddenBasenames) {
+  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
+  const hits = [];
+  for (const basename3 of basenames) {
+    const re = buildGlobContextPattern(basename3);
+    if (re.test(pattern)) {
+      hits.push(basename3);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildGlobContextPattern(basename3) {
+  const escaped = escapeRegex(basename3);
+  const GLOB_DELIM = String.raw`\s;&|<>()\\/'"=.*?{}\[\]`;
+  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
+    return new RegExp(`[\\w*]${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  }
+  if (basename3.startsWith(".")) {
+    return new RegExp(`(?:^|[${GLOB_DELIM}])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  }
+  return new RegExp(`\\b${escaped}\\b`, "i");
+}
+var SAFE_VERBS = /* @__PURE__ */ new Set(["echo", "printf", ":", "true"]);
+var SEGMENT_OPS = /* @__PURE__ */ new Set([";", "&&", "||", "|", "&", "\n"]);
+var REDIRECT_OPS = /* @__PURE__ */ new Set([">", ">>", "<", "&>", ">&", "<&"]);
+function positionallySafeBasenames(command) {
+  const safe = /* @__PURE__ */ new Set();
+  if (typeof command !== "string" || command.length === 0) return safe;
+  if (COMMAND_SUBSTITUTION_RE.test(command) || DANGEROUS_RAW_RE.test(command) || command.includes("<<")) {
+    return safe;
+  }
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    return safe;
+  }
+  if (!Array.isArray(tokens)) return safe;
+  const tally = /* @__PURE__ */ new Map();
+  const mark = (hits, isSafe) => {
+    for (const b of hits) {
+      const e = tally.get(b) ?? { safe: 0, unsafe: 0 };
+      if (isSafe) e.safe++;
+      else e.unsafe++;
+      tally.set(b, e);
+    }
+  };
+  let verb = null;
+  let expectVerb = true;
+  let prevRedirect = false;
+  for (const tok of tokens) {
+    if (tok && typeof tok === "object") {
+      if (isVarMarker(tok)) {
+        if (expectVerb) {
+          verb = null;
+          expectVerb = false;
+        }
+        prevRedirect = false;
+        continue;
+      }
+      if ("comment" in tok) {
+        const hits2 = scanBashCommand(
+          String(tok.comment),
+          FORBIDDEN_BASENAMES
+        ).hits;
+        if (hits2.length) mark(hits2, true);
+        continue;
+      }
+      if ("pattern" in tok) {
+        const hits2 = scanGlobPattern(
+          String(tok.pattern),
+          FORBIDDEN_BASENAMES
+        ).hits;
+        if (hits2.length) mark(hits2, false);
+        prevRedirect = false;
+        continue;
+      }
+      if ("op" in tok) {
+        const op = String(tok.op);
+        prevRedirect = REDIRECT_OPS.has(op);
+        if (SEGMENT_OPS.has(op)) {
+          expectVerb = true;
+          verb = null;
+        }
+        continue;
+      }
+      prevRedirect = false;
+      continue;
+    }
+    if (typeof tok !== "string") {
+      prevRedirect = false;
+      continue;
+    }
+    const isRedirectTarget = prevRedirect;
+    prevRedirect = false;
+    const hits = scanBashCommand(tok, FORBIDDEN_BASENAMES).hits;
+    if (expectVerb) {
+      verb = tok;
+      expectVerb = false;
+      if (hits.length) mark(hits, false);
+      continue;
+    }
+    if (hits.length) {
+      const safeVerb = verb !== null && SAFE_VERBS.has(verb);
+      mark(hits, safeVerb && !isRedirectTarget);
+    }
+  }
+  for (const [b, e] of tally) {
+    if (e.unsafe === 0 && e.safe > 0) safe.add(b);
+  }
+  return safe;
+}
+function isPositionallySafeMention(command) {
+  const hits = scanBashCommand(command, FORBIDDEN_BASENAMES).hits;
+  if (hits.length === 0) return false;
+  const safe = positionallySafeBasenames(command);
+  return hits.every((h) => safe.has(h));
+}
+function classifyDeny(command, signals) {
+  const { l2Hits, hasL1Hit, unparseable, hasDangerousConstruct } = signals;
+  if (hasL1Hit || unparseable || hasDangerousConstruct) return { mentionOnly: false };
+  if (l2Hits.length === 0) return { mentionOnly: false };
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    return { mentionOnly: false };
+  }
+  if (!Array.isArray(tokens)) return { mentionOnly: false };
+  if (tokens.some((t) => isVarMarker(t))) return { mentionOnly: false };
+  const strTokens = tokens.filter((t) => typeof t === "string");
+  for (const hit of l2Hits) {
+    const h = hit.toLowerCase();
+    const confident = strTokens.some((tok) => {
+      const low = tok.toLowerCase();
+      if (!low.includes(h)) return false;
+      if (low.length === h.length) return false;
+      const reHits = scanBashCommand(tok, FORBIDDEN_BASENAMES).hits;
+      if (reHits.some((rh) => tok.length === rh.length)) return false;
+      const reTok = tokenizePaths(tok);
+      if (reTok.unparseable || reTok.hasDangerousConstruct) return false;
+      return true;
+    });
+    if (!confident) return { mentionOnly: false };
+  }
+  return { mentionOnly: true };
+}
+
+// src/roleValidator.ts
 var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
 function resolveSymlinks(normalizedPath) {
   if (!normalizedPath || normalizedPath.includes("://")) return normalizedPath;
   if (normalizedPath.includes("node_modules/") || normalizedPath.includes("node_modules\\")) {
     return normalizedPath;
   }
-  const base = basename(normalizedPath);
+  const base = basename2(normalizedPath);
   const needsRealpath = SUSPICIOUS_BASENAME_RE.test(base);
   if (!needsRealpath) {
     try {
       const stat = lstatSync(normalizedPath);
       if (!stat.isSymbolicLink()) {
         try {
-          const resolved = realpathSync(normalizedPath);
+          const resolved = realpathSync2(normalizedPath);
           return resolved === normalizedPath ? normalizedPath : resolved;
         } catch {
           return normalizedPath;
@@ -289,7 +844,7 @@ function resolveSymlinks(normalizedPath) {
     }
   }
   try {
-    return realpathSync(normalizedPath);
+    return realpathSync2(normalizedPath);
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") {
@@ -302,19 +857,19 @@ function resolveNonexistentPath(normalizedPath) {
   let current = normalizedPath;
   let suffix = "";
   for (let i = 0; i < 50; i++) {
-    const parent = dirname3(current);
+    const parent = dirname4(current);
     if (parent === current) {
       return normalizedPath;
     }
     if (parent === ".") {
       return normalizedPath;
     }
-    suffix = suffix ? join3(basename(current), suffix) : basename(current);
+    suffix = suffix ? join4(basename2(current), suffix) : basename2(current);
     current = parent;
     try {
-      const resolved = realpathSync(current);
+      const resolved = realpathSync2(current);
       if (resolved !== current) {
-        return join3(resolved, suffix);
+        return join4(resolved, suffix);
       }
       return normalizedPath;
     } catch {
@@ -347,7 +902,12 @@ function normalizeForbiddenPattern(pattern) {
   if (pattern.startsWith("**/") || pattern.startsWith("/")) return pattern;
   return "**/" + pattern;
 }
-function isPathShaped(value) {
+function unionWithDefaultForbiddenPatterns(supplied) {
+  return [
+    ...new Set([...supplied ?? [], ...DEFAULT_FORBIDDEN_PATTERNS].map(normalizeForbiddenPattern))
+  ];
+}
+function isPathShaped2(value) {
   if (value.length === 0 || value.length > 4096) return false;
   if (/\s/.test(value)) return false;
   if (value.includes("/") || value.includes("\\")) return true;
@@ -465,7 +1025,7 @@ function walkForbiddenInodeRoots(forbiddenPatterns, cwd) {
   collectForbiddenInodes(home, deepPatterns, inodes, false);
   const sensitiveDirs = [".ssh", ".aws", ".gnupg", ".config"];
   for (const dir of sensitiveDirs) {
-    collectForbiddenInodes(join3(home, dir), deepPatterns, inodes, true);
+    collectForbiddenInodes(join4(home, dir), deepPatterns, inodes, true);
   }
   collectForbiddenInodes(cwd, deepPatterns, inodes, true, true);
   return inodes;
@@ -479,7 +1039,7 @@ function collectForbiddenInodes(dirPath, forbiddenPatterns, inodes, recursive, s
   }
   for (const entry of entries) {
     if (skipNodeModules && entry === "node_modules") continue;
-    const fullPath = join3(dirPath, entry);
+    const fullPath = join4(dirPath, entry);
     let stat;
     try {
       stat = lstatSync(fullPath);
@@ -547,7 +1107,7 @@ var RoleValidator = class {
   }
   validateEvent(event, activeTask) {
     const eventTarget = event.primaryTarget;
-    const pathNormalized = isUrlShaped(eventTarget) ? eventTarget : normalize(eventTarget);
+    const pathNormalized = isUrlShaped(eventTarget) ? eventTarget : normalize2(eventTarget);
     const resolvedTarget = resolveSymlinks(pathNormalized);
     const normalizedPrimaryTarget = resolvedTarget;
     const primaryTargetPaths = pathNormalized !== resolvedTarget ? [resolvedTarget, pathNormalized] : [resolvedTarget];
@@ -570,7 +1130,7 @@ var RoleValidator = class {
         for (let i = 1; i < event.targets.length; i++) {
           const st = event.targets[i];
           if (!isUrlShaped(st)) {
-            const stNorm = normalize(st);
+            const stNorm = normalize2(st);
             inodeTargets.push(resolveSymlinks(stNorm));
           }
         }
@@ -588,9 +1148,10 @@ var RoleValidator = class {
         }
       }
     }
+    const safeCommandMention = event.action === "command_exec" && isPositionallySafeMention(event.primaryTarget);
     for (const pattern of this.role.forbiddenTargetPatterns) {
       let matchedTargetValue = null;
-      if (primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+      if (!safeCommandMention && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
         matchedTargetValue = normalizedPrimaryTarget;
       }
       if (!matchedTargetValue) {
@@ -598,7 +1159,7 @@ var RoleValidator = class {
         for (let i = 1; i < event.targets.length; i++) {
           const st = event.targets[i];
           if (mcpTool && /\s/.test(st)) continue;
-          const stNorm = isUrlShaped(st) ? st : normalize(st);
+          const stNorm = isUrlShaped(st) ? st : normalize2(st);
           const stResolved = resolveSymlinks(stNorm);
           const stPaths = stNorm !== stResolved ? [stResolved, stNorm] : [stResolved];
           if (stPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
@@ -664,7 +1225,7 @@ var RoleValidator = class {
     if (this.sensitivityScorer && event.metadata?._mcpTool === "true") {
       for (let i = 1; i < event.targets.length; i++) {
         const val = event.targets[i];
-        if (!(isUrlShaped(val) || isPathShaped(val))) continue;
+        if (!(isUrlShaped(val) || isPathShaped2(val))) continue;
         const sens = this.sensitivityScorer.scoreTarget(val, event.action);
         if (sens.effectiveScore < 0.6) continue;
         return this.makeFinding(event, {
@@ -1208,14 +1769,23 @@ export {
   removeOverlayDecision,
   createEmptyOverlay,
   DEFAULT_FORBIDDEN_PATTERNS,
+  withPolicyReadExceptions,
   DEFAULT_MEDIUM_DISPOSITION,
   TargetSensitivityScorer,
+  tokenizePaths,
+  FORBIDDEN_BASENAMES,
+  scanBashCommand,
+  scanContentForForbiddenBasenames,
+  scanGlobPattern,
+  isPositionallySafeMention,
+  classifyDeny,
   matchGlob,
   normalizeForbiddenPattern,
+  unionWithDefaultForbiddenPatterns,
   matchGlobInsensitive,
   getTargetRecommendation,
   walkForbiddenInodeRoots,
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-6MHWJATS.js.map
+//# sourceMappingURL=chunk-QIYQWOLO.js.map