@tuent/sentinel 0.1.2 → 0.1.4

package/dist/{chunk-QIYQWOLO.js → chunk-FIEIGBYL.js}

@@ -1,15 +1,62 @@
-// src/repoSensitivityMap.ts
+import {
+  DEFAULT_DANGEROUS_SCHEMES,
+  DEFAULT_FORBIDDEN_PATTERNS,
+  DEFAULT_NETWORK_DENYLIST_CIDRS,
+  checkSaneNumber,
+  suggestKey
+} from "./chunk-KWZ7JKKO.js";
+
+// src/repoSensitivityOverlay.ts
 import * as fs from "fs/promises";
 import * as path from "path";
 import * as os from "os";
-var DEFAULT_MAP_PATH = path.join(os.homedir(), ".dahlia", "repo-sensitivity.json");
-async function saveMap(map, customPath) {
-  const target = customPath ?? DEFAULT_MAP_PATH;
+var VALID_DECISION_TYPES = /* @__PURE__ */ new Set(["reject", "accept", "override"]);
+var OVERLAY_TOP_KEYS = ["version", "repoRoot", "decisions", "updatedAt"];
+var DECISION_KEYS = [
+  "path",
+  "decision",
+  "reason",
+  "sensitivity",
+  "category",
+  "decidedAt"
+];
+function sanitizeSensitivityScore(fieldLabel, value, throwError) {
+  const violation = checkSaneNumber(value, {});
+  if (violation) {
+    throwError(`${fieldLabel} ${violation} \u2014 sensitivity must be a finite number in [0, 1]`);
+  }
+  const n = value;
+  if (n < 0 || n > 1) {
+    const clamped = Math.min(1, Math.max(0, n));
+    console.warn(
+      `[Sentinel] ${fieldLabel} is ${n}, outside [0, 1] \u2014 clamped to ${clamped}. Fix the file to silence this warning.`
+    );
+    return clamped;
+  }
+  return n;
+}
+function rejectUnknownJsonKeys(section, obj, allowed, throwError) {
+  for (const key of Object.keys(obj)) {
+    if (!allowed.includes(key)) {
+      const suggestion = suggestKey(key, allowed);
+      throwError(
+        `unknown key "${key}" in ${section}.` + (suggestion ? ` Did you mean "${suggestion}"?` : "") + ` Valid keys: ${allowed.join(", ")}`
+      );
+    }
+  }
+}
+var DEFAULT_OVERLAY_PATH = path.join(
+  os.homedir(),
+  ".dahlia",
+  "repo-sensitivity.review.json"
+);
+async function saveOverlay(overlay, customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
   const parent = path.dirname(target);
   const tempPath = target + ".tmp";
   try {
     await fs.mkdir(parent, { recursive: true });
-    await fs.writeFile(tempPath, JSON.stringify(map, null, 2), "utf-8");
+    await fs.writeFile(tempPath, JSON.stringify(overlay, null, 2), "utf-8");
     await fs.rename(tempPath, target);
   } catch (err) {
     try {
@@ -17,13 +64,16 @@ async function saveMap(map, customPath) {
     } catch {
     }
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`RepoSensitivityMap.saveMap: failed to save to ${target}: ${message}`, {
+    throw new Error(`SensitivityOverlay.saveOverlay: failed to save to ${target}: ${message}`, {
       cause: err
     });
   }
 }
-async function loadMap(customPath) {
-  const target = customPath ?? DEFAULT_MAP_PATH;
+async function loadOverlay(customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+  const failLoad = (message) => {
+    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is invalid: ${message}`);
+  };
   let raw;
   try {
     raw = await fs.readFile(target, "utf-8");
@@ -38,21 +88,56 @@ async function loadMap(customPath) {
     parsed = JSON.parse(raw);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is malformed: ${message}`, {
+    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is malformed: ${message}`, {
       cause: err
     });
   }
-  const scannedAt = typeof parsed.scannedAt === "string" ? parsed.scannedAt : "unknown";
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    failLoad("top level must be a JSON object");
+  }
+  rejectUnknownJsonKeys("overlay", parsed, OVERLAY_TOP_KEYS, failLoad);
+  const version = typeof parsed.version === "string" ? parsed.version : "1.0";
   const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
-  const entries = Array.isArray(parsed.entries) ? parsed.entries : [];
-  const summary = parsed.summary && typeof parsed.summary === "object" && !Array.isArray(parsed.summary) ? parsed.summary : computeSummaryFromEntries(entries);
-  return { scannedAt, repoRoot, entries, summary };
+  const rawDecisions = Array.isArray(parsed.decisions) ? parsed.decisions : [];
+  const updatedAt = typeof parsed.updatedAt === "string" ? parsed.updatedAt : "unknown";
+  const decisions = rawDecisions.map((d, i) => {
+    const prefix = `decisions[${i}]`;
+    if (typeof d !== "object" || d === null || Array.isArray(d)) {
+      failLoad(`${prefix} must be an object`);
+    }
+    const entry = d;
+    rejectUnknownJsonKeys(prefix, entry, DECISION_KEYS, failLoad);
+    if (typeof entry.path !== "string" || entry.path.length === 0) {
+      failLoad(`${prefix}.path must be a non-empty string`);
+    }
+    if (typeof entry.decision !== "string" || !VALID_DECISION_TYPES.has(entry.decision)) {
+      failLoad(
+        `${prefix}.decision is "${String(entry.decision)}" \u2014 must be one of: reject, accept, override`
+      );
+    }
+    const result = {
+      path: entry.path,
+      decision: entry.decision,
+      decidedAt: typeof entry.decidedAt === "string" ? entry.decidedAt : "unknown"
+    };
+    if (entry.reason !== void 0) result.reason = String(entry.reason);
+    if (entry.category !== void 0) result.category = String(entry.category);
+    if (entry.sensitivity !== void 0) {
+      result.sensitivity = sanitizeSensitivityScore(
+        `${prefix}.sensitivity`,
+        entry.sensitivity,
+        failLoad
+      );
+    }
+    return result;
+  });
+  return { version, repoRoot, decisions, updatedAt };
 }
-function lookupEntry(map, target, repoRoot) {
+function lookupOverlayDecision(overlay, target, repoRoot) {
   if (!target || typeof target !== "string" || target.trim() === "") {
     return null;
   }
-  const lookupRoot = repoRoot ?? map.repoRoot;
+  const lookupRoot = repoRoot ?? overlay.repoRoot;
   let canonical;
   if (path.isAbsolute(target)) {
     if (!lookupRoot) return null;
@@ -66,48 +151,76 @@ function lookupEntry(map, target, repoRoot) {
     canonical = canonical.slice(2);
   }
   canonical = canonical.replace(/\\/g, "/");
-  for (const entry of map.entries) {
-    if (entry.path === canonical) return entry;
+  for (const decision of overlay.decisions) {
+    if (decision.path === canonical) return decision;
   }
   return null;
 }
-function computeSummaryFromEntries(entries) {
-  const byCategory = {};
-  const byConfidence = {
-    low: 0,
-    medium: 0,
-    high: 0
+function applyOverlay(overlay, decisionPath, decisionType, options) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const newDecision = {
+    path: canonical,
+    decision: decisionType,
+    decidedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  for (const entry of entries) {
-    byCategory[entry.category] = (byCategory[entry.category] ?? 0) + 1;
-    if (entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high") {
-      byConfidence[entry.confidence]++;
-    }
+  if (options?.reason !== void 0) newDecision.reason = options.reason;
+  if (options?.sensitivity !== void 0) newDecision.sensitivity = options.sensitivity;
+  if (options?.category !== void 0) newDecision.category = options.category;
+  const existing = overlay.decisions.findIndex((d) => d.path === canonical);
+  const decisions = existing >= 0 ? [
+    ...overlay.decisions.slice(0, existing),
+    newDecision,
+    ...overlay.decisions.slice(existing + 1)
+  ] : [...overlay.decisions, newDecision];
+  return {
+    ...overlay,
+    decisions,
+    updatedAt: newDecision.decidedAt
+  };
+}
+function removeOverlayDecision(overlay, decisionPath) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const filtered = overlay.decisions.filter((d) => d.path !== canonical);
+  if (filtered.length === overlay.decisions.length) {
+    return overlay;
   }
   return {
-    totalFiles: entries.length,
-    sensitiveFiles: entries.length,
-    byCategory,
-    byConfidence
+    ...overlay,
+    decisions: filtered,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createEmptyOverlay(repoRoot) {
+  return {
+    version: "1.0",
+    repoRoot,
+    decisions: [],
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
 
-// src/repoSensitivityOverlay.ts
+// src/repoSensitivityMap.ts
 import * as fs2 from "fs/promises";
 import * as path2 from "path";
 import * as os2 from "os";
-var DEFAULT_OVERLAY_PATH = path2.join(
-  os2.homedir(),
-  ".dahlia",
-  "repo-sensitivity.review.json"
-);
-async function saveOverlay(overlay, customPath) {
-  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+var MAP_TOP_KEYS = ["scannedAt", "repoRoot", "entries", "summary"];
+var ENTRY_KEYS = ["path", "sensitivity", "category", "confidence", "matchedRules"];
+var DEFAULT_MAP_PATH = path2.join(os2.homedir(), ".dahlia", "repo-sensitivity.json");
+async function saveMap(map, customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
   const parent = path2.dirname(target);
   const tempPath = target + ".tmp";
   try {
     await fs2.mkdir(parent, { recursive: true });
-    await fs2.writeFile(tempPath, JSON.stringify(overlay, null, 2), "utf-8");
+    await fs2.writeFile(tempPath, JSON.stringify(map, null, 2), "utf-8");
     await fs2.rename(tempPath, target);
   } catch (err) {
     try {
@@ -115,13 +228,16 @@ async function saveOverlay(overlay, customPath) {
     } catch {
     }
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`SensitivityOverlay.saveOverlay: failed to save to ${target}: ${message}`, {
+    throw new Error(`RepoSensitivityMap.saveMap: failed to save to ${target}: ${message}`, {
       cause: err
     });
   }
 }
-async function loadOverlay(customPath) {
-  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+async function loadMap(customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
+  const failLoad = (message) => {
+    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is invalid: ${message}`);
+  };
   let raw;
   try {
     raw = await fs2.readFile(target, "utf-8");
@@ -136,21 +252,48 @@ async function loadOverlay(customPath) {
     parsed = JSON.parse(raw);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is malformed: ${message}`, {
+    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is malformed: ${message}`, {
       cause: err
     });
   }
-  const version = typeof parsed.version === "string" ? parsed.version : "1.0";
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    failLoad("top level must be a JSON object");
+  }
+  rejectUnknownJsonKeys("map", parsed, MAP_TOP_KEYS, failLoad);
+  const scannedAt = typeof parsed.scannedAt === "string" ? parsed.scannedAt : "unknown";
   const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
-  const decisions = Array.isArray(parsed.decisions) ? parsed.decisions : [];
-  const updatedAt = typeof parsed.updatedAt === "string" ? parsed.updatedAt : "unknown";
-  return { version, repoRoot, decisions, updatedAt };
+  const rawEntries = Array.isArray(parsed.entries) ? parsed.entries : [];
+  const entries = rawEntries.map((e, i) => {
+    const prefix = `entries[${i}]`;
+    if (typeof e !== "object" || e === null || Array.isArray(e)) {
+      failLoad(`${prefix} must be an object`);
+    }
+    const entry = e;
+    rejectUnknownJsonKeys(prefix, entry, ENTRY_KEYS, failLoad);
+    if (typeof entry.path !== "string" || entry.path.length === 0) {
+      failLoad(`${prefix}.path must be a non-empty string`);
+    }
+    const sensitivity = sanitizeSensitivityScore(
+      `${prefix}.sensitivity`,
+      entry.sensitivity,
+      failLoad
+    );
+    return {
+      path: entry.path,
+      sensitivity,
+      category: typeof entry.category === "string" ? entry.category : "general",
+      confidence: entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high" ? entry.confidence : "low",
+      matchedRules: Array.isArray(entry.matchedRules) ? entry.matchedRules.map(String) : []
+    };
+  });
+  const summary = parsed.summary && typeof parsed.summary === "object" && !Array.isArray(parsed.summary) ? parsed.summary : computeSummaryFromEntries(entries);
+  return { scannedAt, repoRoot, entries, summary };
 }
-function lookupOverlayDecision(overlay, target, repoRoot) {
+function lookupEntry(map, target, repoRoot) {
   if (!target || typeof target !== "string" || target.trim() === "") {
     return null;
   }
-  const lookupRoot = repoRoot ?? overlay.repoRoot;
+  const lookupRoot = repoRoot ?? map.repoRoot;
   let canonical;
   if (path2.isAbsolute(target)) {
     if (!lookupRoot) return null;
@@ -164,134 +307,32 @@ function lookupOverlayDecision(overlay, target, repoRoot) {
     canonical = canonical.slice(2);
   }
   canonical = canonical.replace(/\\/g, "/");
-  for (const decision of overlay.decisions) {
-    if (decision.path === canonical) return decision;
+  for (const entry of map.entries) {
+    if (entry.path === canonical) return entry;
   }
   return null;
 }
-function applyOverlay(overlay, decisionPath, decisionType, options) {
-  let canonical = decisionPath;
-  if (canonical.startsWith("./")) {
-    canonical = canonical.slice(2);
-  }
-  canonical = canonical.replace(/\\/g, "/");
-  const newDecision = {
-    path: canonical,
-    decision: decisionType,
-    decidedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  if (options?.reason !== void 0) newDecision.reason = options.reason;
-  if (options?.sensitivity !== void 0) newDecision.sensitivity = options.sensitivity;
-  if (options?.category !== void 0) newDecision.category = options.category;
-  const existing = overlay.decisions.findIndex((d) => d.path === canonical);
-  const decisions = existing >= 0 ? [
-    ...overlay.decisions.slice(0, existing),
-    newDecision,
-    ...overlay.decisions.slice(existing + 1)
-  ] : [...overlay.decisions, newDecision];
-  return {
-    ...overlay,
-    decisions,
-    updatedAt: newDecision.decidedAt
+function computeSummaryFromEntries(entries) {
+  const byCategory = {};
+  const byConfidence = {
+    low: 0,
+    medium: 0,
+    high: 0
   };
-}
-function removeOverlayDecision(overlay, decisionPath) {
-  let canonical = decisionPath;
-  if (canonical.startsWith("./")) {
-    canonical = canonical.slice(2);
-  }
-  canonical = canonical.replace(/\\/g, "/");
-  const filtered = overlay.decisions.filter((d) => d.path !== canonical);
-  if (filtered.length === overlay.decisions.length) {
-    return overlay;
+  for (const entry of entries) {
+    byCategory[entry.category] = (byCategory[entry.category] ?? 0) + 1;
+    if (entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high") {
+      byConfidence[entry.confidence]++;
+    }
   }
   return {
-    ...overlay,
-    decisions: filtered,
-    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function createEmptyOverlay(repoRoot) {
-  return {
-    version: "1.0",
-    repoRoot,
-    decisions: [],
-    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    totalFiles: entries.length,
+    sensitiveFiles: entries.length,
+    byCategory,
+    byConfidence
   };
 }
 
-// src/defaults.ts
-var DEFAULT_FORBIDDEN_PATTERNS = [
-  "**/.env",
-  "**/.env.*",
-  "**/.ssh/**",
-  "**/.aws/**",
-  "**/secrets/**",
-  "**/credentials/**",
-  "**/id_rsa*",
-  "**/id_dsa*",
-  "**/id_ecdsa*",
-  "**/id_ed25519*",
-  "**/*.pem",
-  "**/*.key",
-  "/etc/**",
-  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
-  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
-  // unification tracked in a separate ticket — do not refactor here).
-  "**/.netrc",
-  "**/.npmrc",
-  "**/.git-credentials",
-  "**/.pgpass",
-  "**/.zsh_history",
-  "**/.config/gh/**",
-  "**/.docker/config.json",
-  "**/.gnupg/**",
-  "**/.config/gcloud/**",
-  "**/.kube/**",
-  "**/Library/Keychains/**",
-  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
-  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
-  "**/.dahlia/**",
-  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
-  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
-  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
-  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
-  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
-  "**/.sentinel.yaml",
-  "**/.claude/settings*.json"
-];
-var DEFAULT_POLICY_READ_EXCEPTIONS = [
-  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
-  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
-];
-function withPolicyReadExceptions(existing) {
-  const merged = existing ? [...existing] : [];
-  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
-    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
-  }
-  return merged;
-}
-var DEFAULT_MEDIUM_DISPOSITION = {
-  network_request: "deny"
-};
-var DEFAULT_NETWORK_DENYLIST_CIDRS = [
-  "10.0.0.0/8",
-  // RFC1918 private (Class A)
-  "172.16.0.0/12",
-  // RFC1918 private (Class B)
-  "192.168.0.0/16",
-  // RFC1918 private (Class C)
-  "127.0.0.0/8",
-  // loopback v4
-  "169.254.0.0/16",
-  // link-local v4 (cloud metadata endpoints)
-  "fe80::/10",
-  // link-local v6
-  "::1/128"
-  // loopback v6
-];
-var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"];
-
 // src/roleValidator.ts
 import { normalize as normalize2, basename as basename2, dirname as dirname4, join as join4 } from "path";
 import { lstatSync, readdirSync, realpathSync as realpathSync2 } from "fs";
@@ -550,7 +591,7 @@ function tokenizePaths(command) {
       if (dispatch.unparseable) {
         result.unparseable = true;
       }
-    } else if (isPathShaped(token)) {
+    } else if (isPathShaped(token) && !isEnvIdentifierChain(token)) {
       const resolved = resolvePathToken(token);
       result.paths.push(resolved);
     }
@@ -558,6 +599,21 @@ function tokenizePaths(command) {
   }
   return result;
 }
+function isEnvIdentifierChain(token) {
+  if (token.includes("/") || token.startsWith(".")) return false;
+  if (!allEnvOccurrencesIdentifierEmbedded(token)) return false;
+  return !SENSITIVE_BASENAME_RE.test(token.replace(/\.env/gi, " "));
+}
+function allEnvOccurrencesIdentifierEmbedded(s) {
+  const envHits = /\.env/gi;
+  let m;
+  let any = false;
+  while ((m = envHits.exec(s)) !== null) {
+    any = true;
+    if (!/[A-Za-z0-9_$]/.test(s[m.index - 1] ?? "")) return false;
+  }
+  return any;
+}
 function isPathShaped(token) {
   if (token.includes("/")) return true;
   if (token.startsWith(".")) return true;
@@ -633,8 +689,8 @@ function scanBashCommand(command, forbiddenBasenames) {
 }
 function buildPattern(basename3) {
   const escaped = escapeRegex(basename3);
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|\\w)${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
@@ -653,17 +709,15 @@ function scanContentForForbiddenBasenames(content, forbiddenBasenames) {
 }
 function buildContentPattern(basename3) {
   const escaped = escapeRegex(basename3);
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|\\w)${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
   }
   return new RegExp(`(?<=[/\\\\]\\.?)${escaped}\\b`, "i");
 }
-function isAlphaAfterDot(s) {
-  return /^\.[a-zA-Z]+$/.test(s);
-}
+var EXTENSION_BASENAMES = /* @__PURE__ */ new Set([".pem", ".key"]);
 function escapeRegex(s) {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
@@ -681,8 +735,8 @@ function scanGlobPattern(pattern, forbiddenBasenames) {
 function buildGlobContextPattern(basename3) {
   const escaped = escapeRegex(basename3);
   const GLOB_DELIM = String.raw`\s;&|<>()\\/'"=.*?{}\[\]`;
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`[\\w*]${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|[\\w*])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[${GLOB_DELIM}])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
@@ -816,6 +870,7 @@ function classifyDeny(command, signals) {
 }
 
 // src/roleValidator.ts
+import { parse as shellParse2 } from "shell-quote";
 var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
 function resolveSymlinks(normalizedPath) {
   if (!normalizedPath || normalizedPath.includes("://")) return normalizedPath;
@@ -1148,10 +1203,26 @@ var RoleValidator = class {
         }
       }
     }
-    const safeCommandMention = event.action === "command_exec" && isPositionallySafeMention(event.primaryTarget);
+    if (event.action === "command_exec") {
+      const cmd = this.screenCommandTarget(event);
+      if (cmd) {
+        const finding = this.buildForbiddenFinding(
+          event,
+          cmd.matchedTarget,
+          cmd.matchedPattern,
+          activeTask ?? null
+        );
+        if (finding) {
+          finding.targetKey = cmd.targetKey;
+          finding.dedupKey = event.primaryTarget;
+          finding.mentionOnly = false;
+          return finding;
+        }
+      }
+    }
     for (const pattern of this.role.forbiddenTargetPatterns) {
       let matchedTargetValue = null;
-      if (!safeCommandMention && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+      if (event.action !== "command_exec" && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
         matchedTargetValue = normalizedPrimaryTarget;
       }
       if (!matchedTargetValue) {
@@ -1169,57 +1240,13 @@ var RoleValidator = class {
         }
       }
       if (matchedTargetValue) {
-        const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
-        const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
-        const finding = this.makeFinding(event, {
-          severity: "HIGH",
-          type: "unauthorized_target",
-          description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
-          recommendation: getTargetRecommendation(
-            "unauthorized_target",
-            matchedTargetValue,
-            event.action
-          ),
-          matchedTarget: matchedTargetValue
-        });
-        if (!isCritical) {
-          const exception = findMatchingException(this.role.exceptions, event, activeTask ?? null);
-          if (exception) {
-            this.onAuditEntry?.({
-              type: "exception_applied",
-              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-              agentId: event.agentId,
-              target: matchedTargetValue,
-              action: event.action,
-              exceptionTarget: exception.target,
-              taskId: activeTask?.taskId ?? null
-            });
-            if (exception.requiresApproval) {
-              const ctx = {
-                finding,
-                exception,
-                activeTask: activeTask ?? null,
-                expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
-              };
-              const approved = this.approvalFn?.(ctx) === true;
-              if (approved) {
-                this.onAuditEntry?.({
-                  type: "exception_approved",
-                  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-                  agentId: event.agentId,
-                  target: matchedTargetValue,
-                  action: event.action,
-                  exceptionTarget: exception.target,
-                  taskId: activeTask?.taskId ?? null
-                });
-                continue;
-              }
-            } else {
-              continue;
-            }
-          }
-        }
-        return this.enhanceWithSensitivity(finding, event);
+        const finding = this.buildForbiddenFinding(
+          event,
+          matchedTargetValue,
+          pattern,
+          activeTask ?? null
+        );
+        if (finding) return finding;
       }
     }
     if (this.sensitivityScorer && event.metadata?._mcpTool === "true") {
@@ -1238,7 +1265,7 @@ var RoleValidator = class {
         });
       }
     }
-    if (this.role.allowedTargetPatterns.length > 0) {
+    if (this.role.allowedTargetPatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const matched = this.role.allowedTargetPatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1276,7 +1303,7 @@ var RoleValidator = class {
       }
     }
     const scopePatterns = activeTask?.scopePatterns;
-    if (scopePatterns && scopePatterns.length > 0) {
+    if (scopePatterns && scopePatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const inScope = scopePatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1340,6 +1367,127 @@ var RoleValidator = class {
     }
     return finding;
   }
+  /**
+   * Sprint 26B B′ — scanner-authoritative forbidden screen for a command_exec
+   * PRIMARY target (the command string). Three layers, first match wins:
+   *
+   *  L1 — tokenizePaths(command): resolved path-shaped tokens (symlink-resolved,
+   *       dir-globs, F-5b's isEnvIdentifierChain guard inside) matched against the
+   *       FULL role patterns via matchGlob.
+   *  Boundary — every argv token's basename vs each pattern's basename component
+   *       via the SAME matchGlob (its `^…$` anchoring → true boundary, so
+   *       `^\.env$` rejects `process.env` and `^payroll\.csv$` rejects
+   *       `mypayroll.csv`, while a `payroll.csv` token matches a `payroll.csv`
+   *       pattern basename). Patterns whose basename is pure-wildcard (a bare
+   *       star or globstar) are dir-globs and are skipped here (L1 handles them
+   *       on resolved paths).
+   *  L2 — scanBashCommand substring net (fixed FORBIDDEN_BASENAMES) gated by
+   *       isPositionallySafeMention, for heredoc/substitution shapes tokenization
+   *       can't cleanly split.
+   *
+   * Returns the matched target + the F-5a targetKey (resolved path / token /
+   * `l2:<basenames>`, mirroring the gateway emit) + a pattern label for the
+   * finding description, or null when nothing matches.
+   */
+  screenCommandTarget(event) {
+    const command = event.primaryTarget;
+    if (isPositionallySafeMention(command)) return null;
+    const tr = tokenizePaths(command);
+    for (const p of tr.paths) {
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        if (matchGlobInsensitive(pattern, p)) {
+          return { matchedTarget: p, targetKey: p, matchedPattern: pattern };
+        }
+      }
+    }
+    let tokens;
+    try {
+      tokens = shellParse2(command);
+    } catch {
+      tokens = [];
+    }
+    for (const tok of tokens) {
+      if (typeof tok !== "string") continue;
+      const tokBase = basename2(tok);
+      if (tokBase.length === 0) continue;
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        const patBase = basename2(pattern);
+        if (patBase === "*" || patBase === "**") continue;
+        if (matchGlobInsensitive(patBase, tokBase)) {
+          return { matchedTarget: tok, targetKey: tok, matchedPattern: pattern };
+        }
+      }
+    }
+    const scan = scanBashCommand(command, FORBIDDEN_BASENAMES);
+    if (scan.matched) {
+      const hits = [...new Set(scan.hits)].sort();
+      return {
+        matchedTarget: scan.hits[0],
+        targetKey: `l2:${hits.join(",")}`,
+        matchedPattern: hits.join(", ")
+      };
+    }
+    return null;
+  }
+  /**
+   * Build the unauthorized_target finding for a matched forbidden target, applying
+   * the same exception/approval/sensitivity flow shared by Check 2's per-pattern
+   * loop and the B′ command screen. Returns the finding to emit, or null when an
+   * exception (auto, or approved) suppresses it (caller continues / falls through).
+   */
+  buildForbiddenFinding(event, matchedTargetValue, pattern, activeTask) {
+    const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
+    const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
+    const finding = this.makeFinding(event, {
+      severity: "HIGH",
+      type: "unauthorized_target",
+      description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
+      recommendation: getTargetRecommendation(
+        "unauthorized_target",
+        matchedTargetValue,
+        event.action
+      ),
+      matchedTarget: matchedTargetValue
+    });
+    if (!isCritical) {
+      const exception = findMatchingException(this.role.exceptions, event, activeTask);
+      if (exception) {
+        this.onAuditEntry?.({
+          type: "exception_applied",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          agentId: event.agentId,
+          target: matchedTargetValue,
+          action: event.action,
+          exceptionTarget: exception.target,
+          taskId: activeTask?.taskId ?? null
+        });
+        if (exception.requiresApproval) {
+          const ctx = {
+            finding,
+            exception,
+            activeTask,
+            expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
+          };
+          const approved = this.approvalFn?.(ctx) === true;
+          if (approved) {
+            this.onAuditEntry?.({
+              type: "exception_approved",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              agentId: event.agentId,
+              target: matchedTargetValue,
+              action: event.action,
+              exceptionTarget: exception.target,
+              taskId: activeTask?.taskId ?? null
+            });
+            return null;
+          }
+        } else {
+          return null;
+        }
+      }
+    }
+    return this.enhanceWithSensitivity(finding, event);
+  }
   makeFinding(event, details) {
     return {
       severity: details.severity,
@@ -1759,18 +1907,15 @@ var TargetSensitivityScorer = class {
 };
 
 export {
-  DEFAULT_MAP_PATH,
-  saveMap,
-  loadMap,
   DEFAULT_OVERLAY_PATH,
   saveOverlay,
   loadOverlay,
   applyOverlay,
   removeOverlayDecision,
   createEmptyOverlay,
-  DEFAULT_FORBIDDEN_PATTERNS,
-  withPolicyReadExceptions,
-  DEFAULT_MEDIUM_DISPOSITION,
+  DEFAULT_MAP_PATH,
+  saveMap,
+  loadMap,
   TargetSensitivityScorer,
   tokenizePaths,
   FORBIDDEN_BASENAMES,
@@ -1788,4 +1933,4 @@ export {
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-QIYQWOLO.js.map
+//# sourceMappingURL=chunk-FIEIGBYL.js.map