@xelauvas/xela-cli 0.1.0

package/src/tools/BashTool/bashPermissions.ts

@@ -0,0 +1,2621 @@
+import { feature } from 'bun:bundle'
+import { APIUserAbortError } from '@anthropic-ai/sdk'
+import type { z } from 'zod/v4'
+import { getFeatureValue_CACHED_MAY_BE_STALE } from '../../services/analytics/growthbook.js'
+import {
+  type AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+  logEvent,
+} from '../../services/analytics/index.js'
+import type { ToolPermissionContext, ToolUseContext } from '../../Tool.js'
+import type { PendingClassifierCheck } from '../../types/permissions.js'
+import { count } from '../../utils/array.js'
+import {
+  checkSemantics,
+  nodeTypeId,
+  type ParseForSecurityResult,
+  parseForSecurityFromAst,
+  type Redirect,
+  type SimpleCommand,
+} from '../../utils/bash/ast.js'
+import {
+  type CommandPrefixResult,
+  extractOutputRedirections,
+  getCommandSubcommandPrefix,
+  splitCommand_DEPRECATED,
+} from '../../utils/bash/commands.js'
+import { parseCommandRaw } from '../../utils/bash/parser.js'
+import { tryParseShellCommand } from '../../utils/bash/shellQuote.js'
+import { getCwd } from '../../utils/cwd.js'
+import { logForDebugging } from '../../utils/debug.js'
+import { isEnvTruthy } from '../../utils/envUtils.js'
+import { AbortError } from '../../utils/errors.js'
+import type {
+  ClassifierBehavior,
+  ClassifierResult,
+} from '../../utils/permissions/bashClassifier.js'
+import {
+  classifyBashCommand,
+  getBashPromptAllowDescriptions,
+  getBashPromptAskDescriptions,
+  getBashPromptDenyDescriptions,
+  isClassifierPermissionsEnabled,
+} from '../../utils/permissions/bashClassifier.js'
+import type {
+  PermissionDecisionReason,
+  PermissionResult,
+} from '../../utils/permissions/PermissionResult.js'
+import type {
+  PermissionRule,
+  PermissionRuleValue,
+} from '../../utils/permissions/PermissionRule.js'
+import { extractRules } from '../../utils/permissions/PermissionUpdate.js'
+import type { PermissionUpdate } from '../../utils/permissions/PermissionUpdateSchema.js'
+import { permissionRuleValueToString } from '../../utils/permissions/permissionRuleParser.js'
+import {
+  createPermissionRequestMessage,
+  getRuleByContentsForTool,
+} from '../../utils/permissions/permissions.js'
+import {
+  parsePermissionRule,
+  type ShellPermissionRule,
+  matchWildcardPattern as sharedMatchWildcardPattern,
+  permissionRuleExtractPrefix as sharedPermissionRuleExtractPrefix,
+  suggestionForExactCommand as sharedSuggestionForExactCommand,
+  suggestionForPrefix as sharedSuggestionForPrefix,
+} from '../../utils/permissions/shellRuleMatching.js'
+import { getPlatform } from '../../utils/platform.js'
+import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
+import { jsonStringify } from '../../utils/slowOperations.js'
+import { windowsPathToPosixPath } from '../../utils/windowsPaths.js'
+import { BashTool } from './BashTool.js'
+import { checkCommandOperatorPermissions } from './bashCommandHelpers.js'
+import {
+  bashCommandIsSafeAsync_DEPRECATED,
+  stripSafeHeredocSubstitutions,
+} from './bashSecurity.js'
+import { checkPermissionMode } from './modeValidation.js'
+import { checkPathConstraints } from './pathValidation.js'
+import { checkSedConstraints } from './sedValidation.js'
+import { shouldUseSandbox } from './shouldUseSandbox.js'
+
+// DCE cliff: Bun's feature() evaluator has a per-function complexity budget.
+// bashToolHasPermission is right at the limit. `import { X as Y }` aliases
+// inside the import block count toward this budget; when they push it over
+// the threshold Bun can no longer prove feature('BASH_CLASSIFIER') is a
+// constant and silently evaluates the ternaries to `false`, dropping every
+// pendingClassifierCheck spread. Keep aliases as top-level const rebindings
+// instead. (See also the comment on checkSemanticsDeny below.)
+const bashCommandIsSafeAsync = bashCommandIsSafeAsync_DEPRECATED
+const splitCommand = splitCommand_DEPRECATED
+
+// Env-var assignment prefix (VAR=value). Shared across three while-loops that
+// skip safe env vars before extracting the command name.
+const ENV_VAR_ASSIGN_RE = /^[A-Za-z_]\w*=/
+
+// CC-643: On complex compound commands, splitCommand_DEPRECATED can produce a
+// very large subcommands array (possible exponential growth; #21405's ReDoS fix
+// may have been incomplete). Each subcommand then runs tree-sitter parse +
+// ~20 validators + logEvent (bashSecurity.ts), and with memoized metadata the
+// resulting microtask chain starves the event loop — REPL freeze at 100% CPU,
+// strace showed /proc/self/stat reads at ~127Hz with no epoll_wait. Fifty is
+// generous: legitimate user commands don't split that wide. Above the cap we
+// fall back to 'ask' (safe default — we can't prove safety, so we prompt).
+export const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50
+
+// GH#11380: Cap the number of per-subcommand rules suggested for compound
+// commands. Beyond this, the "Yes, and don't ask again for X, Y, Z…" label
+// degrades to "similar commands" anyway, and saving 10+ rules from one prompt
+// is more likely noise than intent. Users chaining this many write commands
+// in one && list are rare; they can always approve once and add rules manually.
+export const MAX_SUGGESTED_RULES_FOR_COMPOUND = 5
+
+/**
+ * [ANT-ONLY] Log classifier evaluation results for analysis.
+ * This helps us understand which classifier rules are being evaluated
+ * and how the classifier is deciding on commands.
+ */
+function logClassifierResultForAnts(
+  command: string,
+  behavior: ClassifierBehavior,
+  descriptions: string[],
+  result: ClassifierResult,
+): void {
+  if (process.env.USER_TYPE !== 'ant') {
+    return
+  }
+
+  logEvent('tengu_internal_bash_classifier_result', {
+    behavior:
+      behavior as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+    descriptions: jsonStringify(
+      descriptions,
+    ) as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+    matches: result.matches,
+    matchedDescription: (result.matchedDescription ??
+      '') as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+    confidence:
+      result.confidence as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+    reason:
+      result.reason as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+    // Note: command contains code/filepaths - this is ANT-ONLY so it's OK
+    command:
+      command as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
+  })
+}
+
+/**
+ * Extract a stable command prefix (command + subcommand) from a raw command string.
+ * Skips leading env var assignments only if they are in SAFE_ENV_VARS (or
+ * ANT_ONLY_SAFE_ENV_VARS for ant users). Returns null if a non-safe env var is
+ * encountered (to fall back to exact match), or if the second token doesn't look
+ * like a subcommand (lowercase alphanumeric, e.g., "commit", "run").
+ *
+ * Examples:
+ *   'git commit -m "fix typo"' → 'git commit'
+ *   'NODE_ENV=prod npm run build' → 'npm run' (NODE_ENV is safe)
+ *   'MY_VAR=val npm run build' → null (MY_VAR is not safe)
+ *   'ls -la' → null (flag, not a subcommand)
+ *   'cat file.txt' → null (filename, not a subcommand)
+ *   'chmod 755 file' → null (number, not a subcommand)
+ */
+export function getSimpleCommandPrefix(command: string): string | null {
+  const tokens = command.trim().split(/\s+/).filter(Boolean)
+  if (tokens.length === 0) return null
+
+  // Skip env var assignments (VAR=value) at the start, but only if they are
+  // in SAFE_ENV_VARS (or ANT_ONLY_SAFE_ENV_VARS for ant users). If a non-safe
+  // env var is encountered, return null to fall back to exact match. This
+  // prevents generating prefix rules like Bash(npm run:*) that can never match
+  // at allow-rule check time, because stripSafeWrappers only strips safe vars.
+  let i = 0
+  while (i < tokens.length && ENV_VAR_ASSIGN_RE.test(tokens[i]!)) {
+    const varName = tokens[i]!.split('=')[0]!
+    const isAntOnlySafe =
+      process.env.USER_TYPE === 'ant' && ANT_ONLY_SAFE_ENV_VARS.has(varName)
+    if (!SAFE_ENV_VARS.has(varName) && !isAntOnlySafe) {
+      return null
+    }
+    i++
+  }
+
+  const remaining = tokens.slice(i)
+  if (remaining.length < 2) return null
+  const subcmd = remaining[1]!
+  // Second token must look like a subcommand (e.g., "commit", "run", "compose"),
+  // not a flag (-rf), filename (file.txt), path (/tmp), URL, or number (755).
+  if (!/^[a-z][a-z0-9]*(-[a-z0-9]+)*$/.test(subcmd)) return null
+  return remaining.slice(0, 2).join(' ')
+}
+
+// Bare-prefix suggestions like `bash:*` or `sh:*` would allow arbitrary code
+// via `-c`. Wrapper suggestions like `env:*` or `sudo:*` would do the same:
+// `env` is NOT in SAFE_WRAPPER_PATTERNS, so `env bash -c "evil"` survives
+// stripSafeWrappers unchanged and hits the startsWith("env ") check at
+// the prefix-rule matcher. Shell list mirrors DANGEROUS_SHELL_PREFIXES in
+// src/utils/shell/prefix.ts which guarded the old Haiku extractor.
+const BARE_SHELL_PREFIXES = new Set([
+  'sh',
+  'bash',
+  'zsh',
+  'fish',
+  'csh',
+  'tcsh',
+  'ksh',
+  'dash',
+  'cmd',
+  'powershell',
+  'pwsh',
+  // wrappers that exec their args as a command
+  'env',
+  'xargs',
+  // SECURITY: checkSemantics (ast.ts) strips these wrappers to check the
+  // wrapped command. Suggesting `Bash(nice:*)` would be ≈ `Bash(*)` — users
+  // would add it after a prompt, then `nice rm -rf /` passes semantics while
+  // deny/cd+git gates see 'nice' (SAFE_WRAPPER_PATTERNS below didn't strip
+  // bare `nice` until this fix). Block these from ever being suggested.
+  'nice',
+  'stdbuf',
+  'nohup',
+  'timeout',
+  'time',
+  // privilege escalation — sudo:* from `sudo -u foo ...` would auto-approve
+  // any future sudo invocation
+  'sudo',
+  'doas',
+  'pkexec',
+])
+
+/**
+ * UI-only fallback: extract the first word alone when getSimpleCommandPrefix
+ * declines. In external builds TREE_SITTER_BASH is off, so the async
+ * tree-sitter refinement in BashPermissionRequest never fires — without this,
+ * pipes and compounds (`python3 file.py 2>&1 | tail -20`) dump into the
+ * editable field verbatim.
+ *
+ * Deliberately not used by suggestionForExactCommand: a backend-suggested
+ * `Bash(rm:*)` is too broad to auto-generate, but as an editable starting
+ * point it's what users expect (Slack C07VBSHV7EV/p1772670433193449).
+ *
+ * Reuses the same SAFE_ENV_VARS gate as getSimpleCommandPrefix — a rule like
+ * `Bash(python3:*)` can never match `RUN=/path python3 ...` at check time
+ * because stripSafeWrappers won't strip RUN.
+ */
+export function getFirstWordPrefix(command: string): string | null {
+  const tokens = command.trim().split(/\s+/).filter(Boolean)
+
+  let i = 0
+  while (i < tokens.length && ENV_VAR_ASSIGN_RE.test(tokens[i]!)) {
+    const varName = tokens[i]!.split('=')[0]!
+    const isAntOnlySafe =
+      process.env.USER_TYPE === 'ant' && ANT_ONLY_SAFE_ENV_VARS.has(varName)
+    if (!SAFE_ENV_VARS.has(varName) && !isAntOnlySafe) {
+      return null
+    }
+    i++
+  }
+
+  const cmd = tokens[i]
+  if (!cmd) return null
+  // Same shape check as the subcommand regex in getSimpleCommandPrefix:
+  // rejects paths (./script.sh, /usr/bin/python), flags, numbers, filenames.
+  if (!/^[a-z][a-z0-9]*(-[a-z0-9]+)*$/.test(cmd)) return null
+  if (BARE_SHELL_PREFIXES.has(cmd)) return null
+  return cmd
+}
+
+function suggestionForExactCommand(command: string): PermissionUpdate[] {
+  // Heredoc commands contain multi-line content that changes each invocation,
+  // making exact-match rules useless (they'll never match again). Extract a
+  // stable prefix before the heredoc operator and suggest a prefix rule instead.
+  const heredocPrefix = extractPrefixBeforeHeredoc(command)
+  if (heredocPrefix) {
+    return sharedSuggestionForPrefix(BashTool.name, heredocPrefix)
+  }
+
+  // Multiline commands without heredoc also make poor exact-match rules.
+  // Saving the full multiline text can produce patterns containing `:*` in
+  // the middle, which fails permission validation and corrupts the settings
+  // file. Use the first line as a prefix rule instead.
+  if (command.includes('\n')) {
+    const firstLine = command.split('\n')[0]!.trim()
+    if (firstLine) {
+      return sharedSuggestionForPrefix(BashTool.name, firstLine)
+    }
+  }
+
+  // Single-line commands: extract a 2-word prefix for reusable rules.
+  // Without this, exact-match rules are saved that never match future
+  // invocations with different arguments.
+  const prefix = getSimpleCommandPrefix(command)
+  if (prefix) {
+    return sharedSuggestionForPrefix(BashTool.name, prefix)
+  }
+
+  return sharedSuggestionForExactCommand(BashTool.name, command)
+}
+
+/**
+ * If the command contains a heredoc (<<), extract the command prefix before it.
+ * Returns the first word(s) before the heredoc operator as a stable prefix,
+ * or null if the command doesn't contain a heredoc.
+ *
+ * Examples:
+ *   'git commit -m "$(cat <<\'EOF\'\n...\nEOF\n)"' → 'git commit'
+ *   'cat <<EOF\nhello\nEOF' → 'cat'
+ *   'echo hello' → null (no heredoc)
+ */
+function extractPrefixBeforeHeredoc(command: string): string | null {
+  if (!command.includes('<<')) return null
+
+  const idx = command.indexOf('<<')
+  if (idx <= 0) return null
+
+  const before = command.substring(0, idx).trim()
+  if (!before) return null
+
+  const prefix = getSimpleCommandPrefix(before)
+  if (prefix) return prefix
+
+  // Fallback: skip safe env var assignments and take up to 2 tokens.
+  // This preserves flag tokens (e.g., "python3 -c" stays "python3 -c",
+  // not just "python3") and skips safe env var prefixes like "NODE_ENV=test".
+  // If a non-safe env var is encountered, return null to avoid generating
+  // prefix rules that can never match (same rationale as getSimpleCommandPrefix).
+  const tokens = before.split(/\s+/).filter(Boolean)
+  let i = 0
+  while (i < tokens.length && ENV_VAR_ASSIGN_RE.test(tokens[i]!)) {
+    const varName = tokens[i]!.split('=')[0]!
+    const isAntOnlySafe =
+      process.env.USER_TYPE === 'ant' && ANT_ONLY_SAFE_ENV_VARS.has(varName)
+    if (!SAFE_ENV_VARS.has(varName) && !isAntOnlySafe) {
+      return null
+    }
+    i++
+  }
+  if (i >= tokens.length) return null
+  return tokens.slice(i, i + 2).join(' ') || null
+}
+
+function suggestionForPrefix(prefix: string): PermissionUpdate[] {
+  return sharedSuggestionForPrefix(BashTool.name, prefix)
+}
+
+/**
+ * Extract prefix from legacy :* syntax (e.g., "npm:*" -> "npm")
+ * Delegates to shared implementation.
+ */
+export const permissionRuleExtractPrefix = sharedPermissionRuleExtractPrefix
+
+/**
+ * Match a command against a wildcard pattern (case-sensitive for Bash).
+ * Delegates to shared implementation.
+ */
+export function matchWildcardPattern(
+  pattern: string,
+  command: string,
+): boolean {
+  return sharedMatchWildcardPattern(pattern, command)
+}
+
+/**
+ * Parse a permission rule into a structured rule object.
+ * Delegates to shared implementation.
+ */
+export const bashPermissionRule: (
+  permissionRule: string,
+) => ShellPermissionRule = parsePermissionRule
+
+/**
+ * Whitelist of environment variables that are safe to strip from commands.
+ * These variables CANNOT execute code or load libraries.
+ *
+ * SECURITY: These must NEVER be added to the whitelist:
+ * - PATH, LD_PRELOAD, LD_LIBRARY_PATH, DYLD_* (execution/library loading)
+ * - PYTHONPATH, NODE_PATH, CLASSPATH, RUBYLIB (module loading)
+ * - GOFLAGS, RUSTFLAGS, NODE_OPTIONS (can contain code execution flags)
+ * - HOME, TMPDIR, SHELL, BASH_ENV (affect system behavior)
+ */
+const SAFE_ENV_VARS = new Set([
+  // Go - build/runtime settings only
+  'GOEXPERIMENT', // experimental features
+  'GOOS', // target OS
+  'GOARCH', // target architecture
+  'CGO_ENABLED', // enable/disable CGO
+  'GO111MODULE', // module mode
+
+  // Rust - logging/debugging only
+  'RUST_BACKTRACE', // backtrace verbosity
+  'RUST_LOG', // logging filter
+
+  // Node - environment name only (not NODE_OPTIONS!)
+  'NODE_ENV',
+
+  // Python - behavior flags only (not PYTHONPATH!)
+  'PYTHONUNBUFFERED', // disable buffering
+  'PYTHONDONTWRITEBYTECODE', // no .pyc files
+
+  // Pytest - test configuration
+  'PYTEST_DISABLE_PLUGIN_AUTOLOAD', // disable plugin loading
+  'PYTEST_DEBUG', // debug output
+
+  // API keys and authentication
+  'ANTHROPIC_API_KEY', // API authentication
+
+  // Locale and character encoding
+  'LANG', // default locale
+  'LANGUAGE', // language preference list
+  'LC_ALL', // override all locale settings
+  'LC_CTYPE', // character classification
+  'LC_TIME', // time format
+  'CHARSET', // character set preference
+
+  // Terminal and display
+  'TERM', // terminal type
+  'COLORTERM', // color terminal indicator
+  'NO_COLOR', // disable color output (universal standard)
+  'FORCE_COLOR', // force color output
+  'TZ', // timezone
+
+  // Color configuration for various tools
+  'LS_COLORS', // colors for ls (GNU)
+  'LSCOLORS', // colors for ls (BSD/macOS)
+  'GREP_COLOR', // grep match color (deprecated)
+  'GREP_COLORS', // grep color scheme
+  'GCC_COLORS', // GCC diagnostic colors
+
+  // Display formatting
+  'TIME_STYLE', // time display format for ls
+  'BLOCK_SIZE', // block size for du/df
+  'BLOCKSIZE', // alternative block size
+])
+
+/**
+ * ANT-ONLY environment variables that are safe to strip from commands.
+ * These are only enabled when USER_TYPE === 'ant'.
+ *
+ * SECURITY: These env vars are stripped before permission-rule matching, which
+ * means `DOCKER_HOST=tcp://evil.com docker ps` matches a `Bash(docker ps:*)`
+ * rule after stripping. This is INTENTIONALLY ANT-ONLY (gated at line ~380)
+ * and MUST NEVER ship to external users. DOCKER_HOST redirects the Docker
+ * daemon endpoint — stripping it defeats prefix-based permission restrictions
+ * by hiding the network endpoint from the permission check. KUBECONFIG
+ * similarly controls which cluster kubectl talks to. These are convenience
+ * strippings for internal power users who accept the risk.
+ *
+ * Based on analysis of 30 days of tengu_internal_bash_tool_use_permission_request events.
+ */
+const ANT_ONLY_SAFE_ENV_VARS = new Set([
+  // Kubernetes and container config (config file pointers, not execution)
+  'KUBECONFIG', // kubectl config file path — controls which cluster kubectl uses
+  'DOCKER_HOST', // Docker daemon socket/endpoint — controls which daemon docker talks to
+
+  // Cloud provider project/profile selection (just names/identifiers)
+  'AWS_PROFILE', // AWS profile name selection
+  'CLOUDSDK_CORE_PROJECT', // GCP project ID
+  'CLUSTER', // generic cluster name
+
+  // Anthropic internal cluster selection (just names/identifiers)
+  'COO_CLUSTER', // coo cluster name
+  'COO_CLUSTER_NAME', // coo cluster name (alternate)
+  'COO_NAMESPACE', // coo namespace
+  'COO_LAUNCH_YAML_DRY_RUN', // dry run mode
+
+  // Feature flags (boolean/string flags only)
+  'SKIP_NODE_VERSION_CHECK', // skip version check
+  'EXPECTTEST_ACCEPT', // accept test expectations
+  'CI', // CI environment indicator
+  'GIT_LFS_SKIP_SMUDGE', // skip LFS downloads
+
+  // GPU/Device selection (just device IDs)
+  'CUDA_VISIBLE_DEVICES', // GPU device selection
+  'JAX_PLATFORMS', // JAX platform selection
+
+  // Display/terminal settings
+  'COLUMNS', // terminal width
+  'TMUX', // TMUX socket info
+
+  // Test/debug configuration
+  'POSTGRESQL_VERSION', // postgres version string
+  'FIRESTORE_EMULATOR_HOST', // emulator host:port
+  'HARNESS_QUIET', // quiet mode flag
+  'TEST_CROSSCHECK_LISTS_MATCH_UPDATE', // test update flag
+  'DBT_PER_DEVELOPER_ENVIRONMENTS', // DBT config
+  'STATSIG_FORD_DB_CHECKS', // statsig DB check flag
+
+  // Build configuration
+  'ANT_ENVIRONMENT', // Anthropic environment name
+  'ANT_SERVICE', // Anthropic service name
+  'MONOREPO_ROOT_DIR', // monorepo root path
+
+  // Version selectors
+  'PYENV_VERSION', // Python version selection
+
+  // Credentials (approved subset - these don't change exfil risk)
+  'PGPASSWORD', // Postgres password
+  'GH_TOKEN', // GitHub token
+  'GROWTHBOOK_API_KEY', // self-hosted growthbook
+])
+
+/**
+ * Strips full-line comments from a command.
+ * This handles cases where Claude adds comments in bash commands, e.g.:
+ *   "# Check the logs directory\nls /home/user/logs"
+ * Should be stripped to: "ls /home/user/logs"
+ *
+ * Only strips full-line comments (lines where the entire line is a comment),
+ * not inline comments that appear after a command on the same line.
+ */
+function stripCommentLines(command: string): string {
+  const lines = command.split('\n')
+  const nonCommentLines = lines.filter(line => {
+    const trimmed = line.trim()
+    // Keep lines that are not empty and don't start with #
+    return trimmed !== '' && !trimmed.startsWith('#')
+  })
+
+  // If all lines were comments/empty, return original
+  if (nonCommentLines.length === 0) {
+    return command
+  }
+
+  return nonCommentLines.join('\n')
+}
+
+export function stripSafeWrappers(command: string): string {
+  // SECURITY: Use [ \t]+ not \s+ — \s matches \n/\r which are command
+  // separators in bash. Matching across a newline would strip the wrapper from
+  // one line and leave a different command on the next line for bash to execute.
+  //
+  // SECURITY: `(?:--[ \t]+)?` consumes the wrapper's own `--` so
+  // `nohup -- rm -- -/../foo` strips to `rm -- -/../foo` (not `-- rm ...`
+  // which would skip path validation with `--` as an unknown baseCmd).
+  const SAFE_WRAPPER_PATTERNS = [
+    // timeout: enumerate GNU long flags — no-value (--foreground,
+    // --preserve-status, --verbose), value-taking in both =fused and
+    // space-separated forms (--kill-after=5, --kill-after 5, --signal=TERM,
+    // --signal TERM). Short: -v (no-arg), -k/-s with separate or fused value.
+    // SECURITY: flag VALUES use allowlist [A-Za-z0-9_.+-] (signals are
+    // TERM/KILL/9, durations are 5/5s/10.5). Previously [^ \t]+ matched
+    // $ ( ) ` | ; & — `timeout -k$(id) 10 ls` stripped to `ls`, matched
+    // Bash(ls:*), while bash expanded $(id) during word splitting BEFORE
+    // timeout ran. Contrast ENV_VAR_PATTERN below which already allowlists.
+    /^timeout[ \t]+(?:(?:--(?:foreground|preserve-status|verbose)|--(?:kill-after|signal)=[A-Za-z0-9_.+-]+|--(?:kill-after|signal)[ \t]+[A-Za-z0-9_.+-]+|-v|-[ks][ \t]+[A-Za-z0-9_.+-]+|-[ks][A-Za-z0-9_.+-]+)[ \t]+)*(?:--[ \t]+)?\d+(?:\.\d+)?[smhd]?[ \t]+/,
+    /^time[ \t]+(?:--[ \t]+)?/,
+    // SECURITY: keep in sync with checkSemantics wrapper-strip (ast.ts
+    // ~:1990-2080) AND stripWrappersFromArgv (pathValidation.ts ~:1260).
+    // Previously this pattern REQUIRED `-n N`; checkSemantics already handled
+    // bare `nice` and legacy `-N`. Asymmetry meant checkSemantics exposed the
+    // wrapped command to semantic checks but deny-rule matching and the cd+git
+    // gate saw the wrapper name. `nice rm -rf /` with Bash(rm:*) deny became
+    // ask instead of deny; `cd evil && nice git status` skipped the bare-repo
+    // RCE gate. PR #21503 fixed stripWrappersFromArgv; this was missed.
+    // Now matches: `nice cmd`, `nice -n N cmd`, `nice -N cmd` (all forms
+    // checkSemantics strips).
+    /^nice(?:[ \t]+-n[ \t]+-?\d+|[ \t]+-\d+)?[ \t]+(?:--[ \t]+)?/,
+    // stdbuf: fused short flags only (-o0, -eL). checkSemantics handles more
+    // (space-separated, long --output=MODE), but we fail-closed on those
+    // above so not over-stripping here is safe. Main need: `stdbuf -o0 cmd`.
+    /^stdbuf(?:[ \t]+-[ioe][LN0-9]+)+[ \t]+(?:--[ \t]+)?/,
+    /^nohup[ \t]+(?:--[ \t]+)?/,
+  ] as const
+
+  // Pattern for environment variables:
+  // ^([A-Za-z_][A-Za-z0-9_]*)  - Variable name (standard identifier)
+  // =                           - Equals sign
+  // ([A-Za-z0-9_./:-]+)         - Value: alphanumeric + safe punctuation only
+  // [ \t]+                      - Required HORIZONTAL whitespace after value
+  //
+  // SECURITY: Only matches unquoted values with safe characters (no $(), `, $var, ;|&).
+  //
+  // SECURITY: Trailing whitespace MUST be [ \t]+ (horizontal only), NOT \s+.
+  // \s matches \n/\r. If reconstructCommand emits an unquoted newline between
+  // `TZ=UTC` and `echo`, \s+ would match across it and strip `TZ=UTC<NL>`,
+  // leaving `echo curl evil.com` to match Bash(echo:*). But bash treats the
+  // newline as a command separator. Defense-in-depth with needsQuoting fix.
+  const ENV_VAR_PATTERN = /^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_./:-]+)[ \t]+/
+
+  let stripped = command
+  let previousStripped = ''
+
+  // Phase 1: Strip leading env vars and comments only.
+  // In bash, env var assignments before a command (VAR=val cmd) are genuine
+  // shell-level assignments. These are safe to strip for permission matching.
+  while (stripped !== previousStripped) {
+    previousStripped = stripped
+    stripped = stripCommentLines(stripped)
+
+    const envVarMatch = stripped.match(ENV_VAR_PATTERN)
+    if (envVarMatch) {
+      const varName = envVarMatch[1]!
+      const isAntOnlySafe =
+        process.env.USER_TYPE === 'ant' && ANT_ONLY_SAFE_ENV_VARS.has(varName)
+      if (SAFE_ENV_VARS.has(varName) || isAntOnlySafe) {
+        stripped = stripped.replace(ENV_VAR_PATTERN, '')
+      }
+    }
+  }
+
+  // Phase 2: Strip wrapper commands and comments only. Do NOT strip env vars.
+  // Wrapper commands (timeout, time, nice, nohup) use execvp to run their
+  // arguments, so VAR=val after a wrapper is treated as the COMMAND to execute,
+  // not as an env var assignment. Stripping env vars here would create a
+  // mismatch between what the parser sees and what actually executes.
+  // (HackerOne #3543050)
+  previousStripped = ''
+  while (stripped !== previousStripped) {
+    previousStripped = stripped
+    stripped = stripCommentLines(stripped)
+
+    for (const pattern of SAFE_WRAPPER_PATTERNS) {
+      stripped = stripped.replace(pattern, '')
+    }
+  }
+
+  return stripped.trim()
+}
+
+// SECURITY: allowlist for timeout flag VALUES (signals are TERM/KILL/9,
+// durations are 5/5s/10.5). Rejects $ ( ) ` | ; & and newlines that
+// previously matched via [^ \t]+ — `timeout -k$(id) 10 ls` must NOT strip.
+const TIMEOUT_FLAG_VALUE_RE = /^[A-Za-z0-9_.+-]+$/
+
+/**
+ * Parse timeout's GNU flags (long + short, fused + space-separated) and
+ * return the argv index of the DURATION token, or -1 if flags are unparseable.
+ * Enumerates: --foreground/--preserve-status/--verbose (no value),
+ * --kill-after/--signal (value, both =fused and space-separated), -v (no
+ * value), -k/-s (value, both fused and space-separated).
+ *
+ * Extracted from stripWrappersFromArgv to keep bashToolHasPermission under
+ * Bun's feature() DCE complexity threshold — inlining this breaks
+ * feature('BASH_CLASSIFIER') evaluation in classifier tests.
+ */
+function skipTimeoutFlags(a: readonly string[]): number {
+  let i = 1
+  while (i < a.length) {
+    const arg = a[i]!
+    const next = a[i + 1]
+    if (
+      arg === '--foreground' ||
+      arg === '--preserve-status' ||
+      arg === '--verbose'
+    )
+      i++
+    else if (/^--(?:kill-after|signal)=[A-Za-z0-9_.+-]+$/.test(arg)) i++
+    else if (
+      (arg === '--kill-after' || arg === '--signal') &&
+      next &&
+      TIMEOUT_FLAG_VALUE_RE.test(next)
+    )
+      i += 2
+    else if (arg === '--') {
+      i++
+      break
+    } // end-of-options marker
+    else if (arg.startsWith('--')) return -1
+    else if (arg === '-v') i++
+    else if (
+      (arg === '-k' || arg === '-s') &&
+      next &&
+      TIMEOUT_FLAG_VALUE_RE.test(next)
+    )
+      i += 2
+    else if (/^-[ks][A-Za-z0-9_.+-]+$/.test(arg)) i++
+    else if (arg.startsWith('-')) return -1
+    else break
+  }
+  return i
+}
+
+/**
+ * Argv-level counterpart to stripSafeWrappers. Strips the same wrapper
+ * commands (timeout, time, nice, nohup) from AST-derived argv. Env vars
+ * are already separated into SimpleCommand.envVars so no env-var stripping.
+ *
+ * KEEP IN SYNC with SAFE_WRAPPER_PATTERNS above — if you add a wrapper
+ * there, add it here too.
+ */
+export function stripWrappersFromArgv(argv: string[]): string[] {
+  // SECURITY: Consume optional `--` after wrapper options, matching what the
+  // wrapper does. Otherwise `['nohup','--','rm','--','-/../foo']` yields `--`
+  // as baseCmd and skips path validation. See SAFE_WRAPPER_PATTERNS comment.
+  let a = argv
+  for (;;) {
+    if (a[0] === 'time' || a[0] === 'nohup') {
+      a = a.slice(a[1] === '--' ? 2 : 1)
+    } else if (a[0] === 'timeout') {
+      const i = skipTimeoutFlags(a)
+      if (i < 0 || !a[i] || !/^\d+(?:\.\d+)?[smhd]?$/.test(a[i]!)) return a
+      a = a.slice(i + 1)
+    } else if (
+      a[0] === 'nice' &&
+      a[1] === '-n' &&
+      a[2] &&
+      /^-?\d+$/.test(a[2])
+    ) {
+      a = a.slice(a[3] === '--' ? 4 : 3)
+    } else {
+      return a
+    }
+  }
+}
+
+/**
+ * Env vars that make a *different binary* run (injection or resolution hijack).
+ * Heuristic only — export-&& form bypasses this, and excludedCommands isn't a
+ * security boundary anyway.
+ */
+export const BINARY_HIJACK_VARS = /^(LD_|DYLD_|PATH$)/
+
+/**
+ * Strip ALL leading env var prefixes from a command, regardless of whether the
+ * var name is in the safe-list.
+ *
+ * Used for deny/ask rule matching: when a user denies `claude` or `rm`, the
+ * command should stay blocked even if prefixed with arbitrary env vars like
+ * `FOO=bar claude`. The safe-list restriction in stripSafeWrappers is correct
+ * for allow rules (prevents `DOCKER_HOST=evil docker ps` from auto-matching
+ * `Bash(docker ps:*)`), but deny rules must be harder to circumvent.
+ *
+ * Also used for sandbox.excludedCommands matching (not a security boundary —
+ * permission prompts are), with BINARY_HIJACK_VARS as a blocklist.
+ *
+ * SECURITY: Uses a broader value pattern than stripSafeWrappers. The value
+ * pattern excludes only actual shell injection characters ($, backtick, ;, |,
+ * &, parens, redirects, quotes, backslash) and whitespace. Characters like
+ * =, +, @, ~, , are harmless in unquoted env var assignment position and must
+ * be matched to prevent trivial bypass via e.g. `FOO=a=b denied_command`.
+ *
+ * @param blocklist - optional regex tested against each var name; matching vars
+ *   are NOT stripped (and stripping stops there). Omit for deny rules; pass
+ *   BINARY_HIJACK_VARS for excludedCommands.
+ */
+export function stripAllLeadingEnvVars(
+  command: string,
+  blocklist?: RegExp,
+): string {
+  // Broader value pattern for deny-rule stripping. Handles:
+  //
+  // - Standard assignment (FOO=bar), append (FOO+=bar), array (FOO[0]=bar)
+  // - Single-quoted values: '[^'\n\r]*' — bash suppresses all expansion
+  // - Double-quoted values with backslash escapes: "(?:\\.|[^"$`\\\n\r])*"
+  //   In bash double quotes, only \$, \`, \", \\, and \newline are special.
+  //   Other \x sequences are harmless, so we allow \. inside double quotes.
+  //   We still exclude raw $ and ` (without backslash) to block expansion.
+  // - Unquoted values: excludes shell metacharacters, allows backslash escapes
+  // - Concatenated segments: FOO='x'y"z" — bash concatenates adjacent segments
+  //
+  // SECURITY: Trailing whitespace MUST be [ \t]+ (horizontal only), NOT \s+.
+  //
+  // The outer * matches one atomic unit per iteration: a complete quoted
+  // string, a backslash-escape pair, or a single unquoted safe character.
+  // The inner double-quote alternation (?:...|...)* is bounded by the
+  // closing ", so it cannot interact with the outer * for backtracking.
+  //
+  // Note: $ is excluded from unquoted/double-quoted value classes to block
+  // dangerous forms like $(cmd), ${var}, and $((expr)). This means
+  // FOO=$VAR is not stripped — adding $VAR matching creates ReDoS risk
+  // (CodeQL #671) and $VAR bypasses are low-priority.
+  const ENV_VAR_PATTERN =
+    /^([A-Za-z_][A-Za-z0-9_]*(?:\[[^\]]*\])?)\+?=(?:'[^'\n\r]*'|"(?:\\.|[^"$`\\\n\r])*"|\\.|[^ \t\n\r$`;|&()<>\\\\'"])*[ \t]+/
+
+  let stripped = command
+  let previousStripped = ''
+
+  while (stripped !== previousStripped) {
+    previousStripped = stripped
+    stripped = stripCommentLines(stripped)
+
+    const m = stripped.match(ENV_VAR_PATTERN)
+    if (!m) continue
+    if (blocklist?.test(m[1]!)) break
+    stripped = stripped.slice(m[0].length)
+  }
+
+  return stripped.trim()
+}
+
+function filterRulesByContentsMatchingInput(
+  input: z.infer<typeof BashTool.inputSchema>,
+  rules: Map<string, PermissionRule>,
+  matchMode: 'exact' | 'prefix',
+  {
+    stripAllEnvVars = false,
+    skipCompoundCheck = false,
+  }: { stripAllEnvVars?: boolean; skipCompoundCheck?: boolean } = {},
+): PermissionRule[] {
+  const command = input.command.trim()
+
+  // Strip output redirections for permission matching
+  // This allows rules like Bash(python:*) to match "python script.py > output.txt"
+  // Security validation of redirection targets happens separately in checkPathConstraints
+  const commandWithoutRedirections =
+    extractOutputRedirections(command).commandWithoutRedirections
+
+  // For exact matching, try both the original command (to preserve quotes)
+  // and the command without redirections (to allow rules without redirections to match)
+  // For prefix matching, only use the command without redirections
+  const commandsForMatching =
+    matchMode === 'exact'
+      ? [command, commandWithoutRedirections]
+      : [commandWithoutRedirections]
+
+  // Strip safe wrapper commands (timeout, time, nice, nohup) and env vars for matching
+  // This allows rules like Bash(npm install:*) to match "timeout 10 npm install foo"
+  // or "GOOS=linux go build"
+  const commandsToTry = commandsForMatching.flatMap(cmd => {
+    const strippedCommand = stripSafeWrappers(cmd)
+    return strippedCommand !== cmd ? [cmd, strippedCommand] : [cmd]
+  })
+
+  // SECURITY: For deny/ask rules, also try matching after stripping ALL leading
+  // env var prefixes. This prevents bypass via `FOO=bar denied_command` where
+  // FOO is not in the safe-list. The safe-list restriction in stripSafeWrappers
+  // is intentional for allow rules (see HackerOne #3543050), but deny rules
+  // must be harder to circumvent — a denied command should stay denied
+  // regardless of env var prefixes.
+  //
+  // We iteratively apply both stripping operations to all candidates until no
+  // new candidates are produced (fixed-point). This handles interleaved patterns
+  // like `nohup FOO=bar timeout 5 claude` where:
+  //   1. stripSafeWrappers strips `nohup` → `FOO=bar timeout 5 claude`
+  //   2. stripAllLeadingEnvVars strips `FOO=bar` → `timeout 5 claude`
+  //   3. stripSafeWrappers strips `timeout 5` → `claude` (deny match)
+  //
+  // Without iteration, single-pass compositions miss multi-layer interleaving.
+  if (stripAllEnvVars) {
+    const seen = new Set(commandsToTry)
+    let startIdx = 0
+
+    // Iterate until no new candidates are produced (fixed-point)
+    while (startIdx < commandsToTry.length) {
+      const endIdx = commandsToTry.length
+      for (let i = startIdx; i < endIdx; i++) {
+        const cmd = commandsToTry[i]
+        if (!cmd) {
+          continue
+        }
+        // Try stripping env vars
+        const envStripped = stripAllLeadingEnvVars(cmd)
+        if (!seen.has(envStripped)) {
+          commandsToTry.push(envStripped)
+          seen.add(envStripped)
+        }
+        // Try stripping safe wrappers
+        const wrapperStripped = stripSafeWrappers(cmd)
+        if (!seen.has(wrapperStripped)) {
+          commandsToTry.push(wrapperStripped)
+          seen.add(wrapperStripped)
+        }
+      }
+      startIdx = endIdx
+    }
+  }
+
+  // Precompute compound-command status for each candidate to avoid re-parsing
+  // inside the rule filter loop (which would scale splitCommand calls with
+  // rules.length × commandsToTry.length). The compound check only applies to
+  // prefix/wildcard matching in 'prefix' mode, and only for allow rules.
+  // SECURITY: deny/ask rules must match compound commands so they can't be
+  // bypassed by wrapping a denied command in a compound expression.
+  const isCompoundCommand = new Map<string, boolean>()
+  if (matchMode === 'prefix' && !skipCompoundCheck) {
+    for (const cmd of commandsToTry) {
+      if (!isCompoundCommand.has(cmd)) {
+        isCompoundCommand.set(cmd, splitCommand(cmd).length > 1)
+      }
+    }
+  }
+
+  return Array.from(rules.entries())
+    .filter(([ruleContent]) => {
+      const bashRule = bashPermissionRule(ruleContent)
+
+      return commandsToTry.some(cmdToMatch => {
+        switch (bashRule.type) {
+          case 'exact':
+            return bashRule.command === cmdToMatch
+          case 'prefix':
+            switch (matchMode) {
+              // In 'exact' mode, only return true if the command exactly matches the prefix rule
+              case 'exact':
+                return bashRule.prefix === cmdToMatch
+              case 'prefix': {
+                // SECURITY: Don't allow prefix rules to match compound commands.
+                // e.g., Bash(cd:*) must NOT match "cd /path && python3 evil.py".
+                // In the normal flow commands are split before reaching here, but
+                // shell escaping can defeat the first splitCommand pass — e.g.,
+                //   cd src\&\& python3 hello.py  →  splitCommand  →  ["cd src&& python3 hello.py"]
+                // which then looks like a single command that starts with "cd ".
+                // Re-splitting the candidate here catches those cases.
+                if (isCompoundCommand.get(cmdToMatch)) {
+                  return false
+                }
+                // Ensure word boundary: prefix must be followed by space or end of string
+                // This prevents "ls:*" from matching "lsof" or "lsattr"
+                if (cmdToMatch === bashRule.prefix) {
+                  return true
+                }
+                if (cmdToMatch.startsWith(bashRule.prefix + ' ')) {
+                  return true
+                }
+                // Also match "xargs <prefix>" for bare xargs with no flags.
+                // This allows Bash(grep:*) to match "xargs grep pattern",
+                // and deny rules like Bash(rm:*) to block "xargs rm file".
+                // Natural word-boundary: "xargs -n1 grep" does NOT start with
+                // "xargs grep " so flagged xargs invocations are not matched.
+                const xargsPrefix = 'xargs ' + bashRule.prefix
+                if (cmdToMatch === xargsPrefix) {
+                  return true
+                }
+                return cmdToMatch.startsWith(xargsPrefix + ' ')
+              }
+            }
+            break
+          case 'wildcard':
+            // SECURITY FIX: In exact match mode, wildcards must NOT match because we're
+            // checking the full unparsed command. Wildcard matching on unparsed commands
+            // allows "foo *" to match "foo arg && curl evil.com" since .* matches operators.
+            // Wildcards should only match after splitting into individual subcommands.
+            if (matchMode === 'exact') {
+              return false
+            }
+            // SECURITY: Same as for prefix rules, don't allow wildcard rules to match
+            // compound commands in prefix mode. e.g., Bash(cd *) must not match
+            // "cd /path && python3 evil.py" even though "cd *" pattern would match it.
+            if (isCompoundCommand.get(cmdToMatch)) {
+              return false
+            }
+            // In prefix mode (after splitting), wildcards can safely match subcommands
+            return matchWildcardPattern(bashRule.pattern, cmdToMatch)
+        }
+      })
+    })
+    .map(([, rule]) => rule)
+}
+
+function matchingRulesForInput(
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+  matchMode: 'exact' | 'prefix',
+  { skipCompoundCheck = false }: { skipCompoundCheck?: boolean } = {},
+) {
+  const denyRuleByContents = getRuleByContentsForTool(
+    toolPermissionContext,
+    BashTool,
+    'deny',
+  )
+  // SECURITY: Deny/ask rules use aggressive env var stripping so that
+  // `FOO=bar denied_command` still matches a deny rule for `denied_command`.
+  const matchingDenyRules = filterRulesByContentsMatchingInput(
+    input,
+    denyRuleByContents,
+    matchMode,
+    { stripAllEnvVars: true, skipCompoundCheck: true },
+  )
+
+  const askRuleByContents = getRuleByContentsForTool(
+    toolPermissionContext,
+    BashTool,
+    'ask',
+  )
+  const matchingAskRules = filterRulesByContentsMatchingInput(
+    input,
+    askRuleByContents,
+    matchMode,
+    { stripAllEnvVars: true, skipCompoundCheck: true },
+  )
+
+  const allowRuleByContents = getRuleByContentsForTool(
+    toolPermissionContext,
+    BashTool,
+    'allow',
+  )
+  const matchingAllowRules = filterRulesByContentsMatchingInput(
+    input,
+    allowRuleByContents,
+    matchMode,
+    { skipCompoundCheck },
+  )
+
+  return {
+    matchingDenyRules,
+    matchingAskRules,
+    matchingAllowRules,
+  }
+}
+
+/**
+ * Checks if the subcommand is an exact match for a permission rule
+ */
+export const bashToolCheckExactMatchPermission = (
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+): PermissionResult => {
+  const command = input.command.trim()
+  const { matchingDenyRules, matchingAskRules, matchingAllowRules } =
+    matchingRulesForInput(input, toolPermissionContext, 'exact')
+
+  // 1. Deny if exact command was denied
+  if (matchingDenyRules[0] !== undefined) {
+    return {
+      behavior: 'deny',
+      message: `Permission to use ${BashTool.name} with command ${command} has been denied.`,
+      decisionReason: {
+        type: 'rule',
+        rule: matchingDenyRules[0],
+      },
+    }
+  }
+
+  // 2. Ask if exact command was in ask rules
+  if (matchingAskRules[0] !== undefined) {
+    return {
+      behavior: 'ask',
+      message: createPermissionRequestMessage(BashTool.name),
+      decisionReason: {
+        type: 'rule',
+        rule: matchingAskRules[0],
+      },
+    }
+  }
+
+  // 3. Allow if exact command was allowed
+  if (matchingAllowRules[0] !== undefined) {
+    return {
+      behavior: 'allow',
+      updatedInput: input,
+      decisionReason: {
+        type: 'rule',
+        rule: matchingAllowRules[0],
+      },
+    }
+  }
+
+  // 4. Otherwise, passthrough
+  const decisionReason = {
+    type: 'other' as const,
+    reason: 'This command requires approval',
+  }
+  return {
+    behavior: 'passthrough',
+    message: createPermissionRequestMessage(BashTool.name, decisionReason),
+    decisionReason,
+    // Suggest exact match rule to user
+    // this may be overridden by prefix suggestions in `checkCommandAndSuggestRules()`
+    suggestions: suggestionForExactCommand(command),
+  }
+}
+
+export const bashToolCheckPermission = (
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+  compoundCommandHasCd?: boolean,
+  astCommand?: SimpleCommand,
+): PermissionResult => {
+  const command = input.command.trim()
+
+  // 1. Check exact match first
+  const exactMatchResult = bashToolCheckExactMatchPermission(
+    input,
+    toolPermissionContext,
+  )
+
+  // 1a. Deny/ask if exact command has a rule
+  if (
+    exactMatchResult.behavior === 'deny' ||
+    exactMatchResult.behavior === 'ask'
+  ) {
+    return exactMatchResult
+  }
+
+  // 2. Find all matching rules (prefix or exact)
+  // SECURITY FIX: Check Bash deny/ask rules BEFORE path constraints to prevent bypass
+  // via absolute paths outside the project directory (HackerOne report)
+  // When AST-parsed, the subcommand is already atomic — skip the legacy
+  // splitCommand re-check that misparses mid-word # as compound.
+  const { matchingDenyRules, matchingAskRules, matchingAllowRules } =
+    matchingRulesForInput(input, toolPermissionContext, 'prefix', {
+      skipCompoundCheck: astCommand !== undefined,
+    })
+
+  // 2a. Deny if command has a deny rule
+  if (matchingDenyRules[0] !== undefined) {
+    return {
+      behavior: 'deny',
+      message: `Permission to use ${BashTool.name} with command ${command} has been denied.`,
+      decisionReason: {
+        type: 'rule',
+        rule: matchingDenyRules[0],
+      },
+    }
+  }
+
+  // 2b. Ask if command has an ask rule
+  if (matchingAskRules[0] !== undefined) {
+    return {
+      behavior: 'ask',
+      message: createPermissionRequestMessage(BashTool.name),
+      decisionReason: {
+        type: 'rule',
+        rule: matchingAskRules[0],
+      },
+    }
+  }
+
+  // 3. Check path constraints
+  // This check comes after deny/ask rules so explicit rules take precedence.
+  // SECURITY: When AST-derived argv is available for this subcommand, pass
+  // it through so checkPathConstraints uses it directly instead of re-parsing
+  // with shell-quote (which has a single-quote backslash bug that causes
+  // parseCommandArguments to return [] and silently skip path validation).
+  const pathResult = checkPathConstraints(
+    input,
+    getCwd(),
+    toolPermissionContext,
+    compoundCommandHasCd,
+    astCommand?.redirects,
+    astCommand ? [astCommand] : undefined,
+  )
+  if (pathResult.behavior !== 'passthrough') {
+    return pathResult
+  }
+
+  // 4. Allow if command had an exact match allow
+  if (exactMatchResult.behavior === 'allow') {
+    return exactMatchResult
+  }
+
+  // 5. Allow if command has an allow rule
+  if (matchingAllowRules[0] !== undefined) {
+    return {
+      behavior: 'allow',
+      updatedInput: input,
+      decisionReason: {
+        type: 'rule',
+        rule: matchingAllowRules[0],
+      },
+    }
+  }
+
+  // 5b. Check sed constraints (blocks dangerous sed operations before mode auto-allow)
+  const sedConstraintResult = checkSedConstraints(input, toolPermissionContext)
+  if (sedConstraintResult.behavior !== 'passthrough') {
+    return sedConstraintResult
+  }
+
+  // 6. Check for mode-specific permission handling
+  const modeResult = checkPermissionMode(input, toolPermissionContext)
+  if (modeResult.behavior !== 'passthrough') {
+    return modeResult
+  }
+
+  // 7. Check read-only rules
+  if (BashTool.isReadOnly(input)) {
+    return {
+      behavior: 'allow',
+      updatedInput: input,
+      decisionReason: {
+        type: 'other',
+        reason: 'Read-only command is allowed',
+      },
+    }
+  }
+
+  // 8. Passthrough since no rules match, will trigger permission prompt
+  const decisionReason = {
+    type: 'other' as const,
+    reason: 'This command requires approval',
+  }
+  return {
+    behavior: 'passthrough',
+    message: createPermissionRequestMessage(BashTool.name, decisionReason),
+    decisionReason,
+    // Suggest exact match rule to user
+    // this may be overridden by prefix suggestions in `checkCommandAndSuggestRules()`
+    suggestions: suggestionForExactCommand(command),
+  }
+}
+
+/**
+ * Processes an individual subcommand and applies prefix checks & suggestions
+ */
+export async function checkCommandAndSuggestRules(
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+  commandPrefixResult: CommandPrefixResult | null | undefined,
+  compoundCommandHasCd?: boolean,
+  astParseSucceeded?: boolean,
+): Promise<PermissionResult> {
+  // 1. Check exact match first
+  const exactMatchResult = bashToolCheckExactMatchPermission(
+    input,
+    toolPermissionContext,
+  )
+  if (exactMatchResult.behavior !== 'passthrough') {
+    return exactMatchResult
+  }
+
+  // 2. Check the command prefix
+  const permissionResult = bashToolCheckPermission(
+    input,
+    toolPermissionContext,
+    compoundCommandHasCd,
+  )
+  // 2a. Deny/ask if command was explictly denied/asked
+  if (
+    permissionResult.behavior === 'deny' ||
+    permissionResult.behavior === 'ask'
+  ) {
+    return permissionResult
+  }
+
+  // 3. Ask for permission if command injection is detected. Skip when the
+  // AST parse already succeeded — tree-sitter has verified there are no
+  // hidden substitutions or structural tricks, so the legacy regex-based
+  // validators (backslash-escaped operators, etc.) would only add FPs.
+  if (
+    !astParseSucceeded &&
+    !isEnvTruthy(process.env.CLAUDE_CODE_DISABLE_COMMAND_INJECTION_CHECK)
+  ) {
+    const safetyResult = await bashCommandIsSafeAsync(input.command)
+
+    if (safetyResult.behavior !== 'passthrough') {
+      const decisionReason: PermissionDecisionReason = {
+        type: 'other' as const,
+        reason:
+          safetyResult.behavior === 'ask' && safetyResult.message
+            ? safetyResult.message
+            : 'This command contains patterns that could pose security risks and requires approval',
+      }
+
+      return {
+        behavior: 'ask',
+        message: createPermissionRequestMessage(BashTool.name, decisionReason),
+        decisionReason,
+        suggestions: [], // Don't suggest saving a potentially dangerous command
+      }
+    }
+  }
+
+  // 4. Allow if command was allowed
+  if (permissionResult.behavior === 'allow') {
+    return permissionResult
+  }
+
+  // 5. Suggest prefix if available, otherwise exact command
+  const suggestedUpdates = commandPrefixResult?.commandPrefix
+    ? suggestionForPrefix(commandPrefixResult.commandPrefix)
+    : suggestionForExactCommand(input.command)
+
+  return {
+    ...permissionResult,
+    suggestions: suggestedUpdates,
+  }
+}
+
+/**
+ * Checks if a command should be auto-allowed when sandboxed.
+ * Returns early if there are explicit deny/ask rules that should be respected.
+ *
+ * NOTE: This function should only be called when sandboxing and auto-allow are enabled.
+ *
+ * @param input - The bash tool input
+ * @param toolPermissionContext - The permission context
+ * @returns PermissionResult with:
+ *   - deny/ask if explicit rule exists (exact or prefix)
+ *   - allow if no explicit rules (sandbox auto-allow applies)
+ *   - passthrough should not occur since we're in auto-allow mode
+ */
+function checkSandboxAutoAllow(
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+): PermissionResult {
+  const command = input.command.trim()
+
+  // Check for explicit deny/ask rules on the full command (exact + prefix)
+  const { matchingDenyRules, matchingAskRules } = matchingRulesForInput(
+    input,
+    toolPermissionContext,
+    'prefix',
+  )
+
+  // Return immediately if there's an explicit deny rule on the full command
+  if (matchingDenyRules[0] !== undefined) {
+    return {
+      behavior: 'deny',
+      message: `Permission to use ${BashTool.name} with command ${command} has been denied.`,
+      decisionReason: {
+        type: 'rule',
+        rule: matchingDenyRules[0],
+      },
+    }
+  }
+
+  // SECURITY: For compound commands, check each subcommand against deny/ask
+  // rules. Prefix rules like Bash(rm:*) won't match the full compound command
+  // (e.g., "echo hello && rm -rf /" doesn't start with "rm"), so we must
+  // check each subcommand individually.
+  // IMPORTANT: Subcommand deny checks must run BEFORE full-command ask returns.
+  // Otherwise a wildcard ask rule matching the full command (e.g., Bash(*echo*))
+  // would return 'ask' before a prefix deny rule on a subcommand (e.g., Bash(rm:*))
+  // gets checked, downgrading a deny to an ask.
+  const subcommands = splitCommand(command)
+  if (subcommands.length > 1) {
+    let firstAskRule: PermissionRule | undefined
+    for (const sub of subcommands) {
+      const subResult = matchingRulesForInput(
+        { command: sub },
+        toolPermissionContext,
+        'prefix',
+      )
+      // Deny takes priority — return immediately
+      if (subResult.matchingDenyRules[0] !== undefined) {
+        return {
+          behavior: 'deny',
+          message: `Permission to use ${BashTool.name} with command ${command} has been denied.`,
+          decisionReason: {
+            type: 'rule',
+            rule: subResult.matchingDenyRules[0],
+          },
+        }
+      }
+      // Stash first ask match; don't return yet (deny across all subs takes priority)
+      firstAskRule ??= subResult.matchingAskRules[0]
+    }
+    if (firstAskRule) {
+      return {
+        behavior: 'ask',
+        message: createPermissionRequestMessage(BashTool.name),
+        decisionReason: {
+          type: 'rule',
+          rule: firstAskRule,
+        },
+      }
+    }
+  }
+
+  // Full-command ask check (after all deny sources have been exhausted)
+  if (matchingAskRules[0] !== undefined) {
+    return {
+      behavior: 'ask',
+      message: createPermissionRequestMessage(BashTool.name),
+      decisionReason: {
+        type: 'rule',
+        rule: matchingAskRules[0],
+      },
+    }
+  }
+  // No explicit rules, so auto-allow with sandbox
+
+  return {
+    behavior: 'allow',
+    updatedInput: input,
+    decisionReason: {
+      type: 'other',
+      reason: 'Auto-allowed with sandbox (autoAllowBashIfSandboxed enabled)',
+    },
+  }
+}
+
+/**
+ * Filter out `cd ${cwd}` prefix subcommands, keeping astCommands aligned.
+ * Extracted to keep bashToolHasPermission under Bun's feature() DCE
+ * complexity threshold — inlining this breaks pendingClassifierCheck
+ * attachment in ~10 classifier tests.
+ */
+function filterCdCwdSubcommands(
+  rawSubcommands: string[],
+  astCommands: SimpleCommand[] | undefined,
+  cwd: string,
+  cwdMingw: string,
+): { subcommands: string[]; astCommandsByIdx: (SimpleCommand | undefined)[] } {
+  const subcommands: string[] = []
+  const astCommandsByIdx: (SimpleCommand | undefined)[] = []
+  for (let i = 0; i < rawSubcommands.length; i++) {
+    const cmd = rawSubcommands[i]!
+    if (cmd === `cd ${cwd}` || cmd === `cd ${cwdMingw}`) continue
+    subcommands.push(cmd)
+    astCommandsByIdx.push(astCommands?.[i])
+  }
+  return { subcommands, astCommandsByIdx }
+}
+
+/**
+ * Early-exit deny enforcement for the AST too-complex and checkSemantics
+ * paths. Returns the exact-match result if non-passthrough (deny/ask/allow),
+ * then checks prefix/wildcard deny rules. Returns null if neither matched,
+ * meaning the caller should fall through to ask. Extracted to keep
+ * bashToolHasPermission under Bun's feature() DCE complexity threshold.
+ */
+function checkEarlyExitDeny(
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+): PermissionResult | null {
+  const exactMatchResult = bashToolCheckExactMatchPermission(
+    input,
+    toolPermissionContext,
+  )
+  if (exactMatchResult.behavior !== 'passthrough') {
+    return exactMatchResult
+  }
+  const denyMatch = matchingRulesForInput(
+    input,
+    toolPermissionContext,
+    'prefix',
+  ).matchingDenyRules[0]
+  if (denyMatch !== undefined) {
+    return {
+      behavior: 'deny',
+      message: `Permission to use ${BashTool.name} with command ${input.command} has been denied.`,
+      decisionReason: { type: 'rule', rule: denyMatch },
+    }
+  }
+  return null
+}
+
+/**
+ * checkSemantics-path deny enforcement. Calls checkEarlyExitDeny (exact-match
+ * + full-command prefix deny), then checks each individual SimpleCommand .text
+ * span against prefix deny rules. The per-subcommand check is needed because
+ * filterRulesByContentsMatchingInput has a compound-command guard
+ * (splitCommand().length > 1 → prefix rules return false) that defeats
+ * `Bash(eval:*)` matching against a full pipeline like `echo foo | eval rm`.
+ * Each SimpleCommand span is a single command, so the guard doesn't fire.
+ *
+ * Separate helper (not folded into checkEarlyExitDeny or inlined at the call
+ * site) because bashToolHasPermission is tight against Bun's feature() DCE
+ * complexity threshold — adding even ~5 lines there breaks
+ * feature('BASH_CLASSIFIER') evaluation and drops pendingClassifierCheck.
+ */
+function checkSemanticsDeny(
+  input: z.infer<typeof BashTool.inputSchema>,
+  toolPermissionContext: ToolPermissionContext,
+  commands: readonly { text: string }[],
+): PermissionResult | null {
+  const fullCmd = checkEarlyExitDeny(input, toolPermissionContext)
+  if (fullCmd !== null) return fullCmd
+  for (const cmd of commands) {
+    const subDeny = matchingRulesForInput(
+      { ...input, command: cmd.text },
+      toolPermissionContext,
+      'prefix',
+    ).matchingDenyRules[0]
+    if (subDeny !== undefined) {
+      return {
+        behavior: 'deny',
+        message: `Permission to use ${BashTool.name} with command ${input.command} has been denied.`,
+        decisionReason: { type: 'rule', rule: subDeny },
+      }
+    }
+  }
+  return null
+}
+
+/**
+ * Builds the pending classifier check metadata if classifier is enabled and has allow descriptions.
+ * Returns undefined if classifier is disabled, in auto mode, or no allow descriptions exist.
+ */
+function buildPendingClassifierCheck(
+  command: string,
+  toolPermissionContext: ToolPermissionContext,
+): { command: string; cwd: string; descriptions: string[] } | undefined {
+  if (!isClassifierPermissionsEnabled()) {
+    return undefined
+  }
+  // Skip in auto mode - auto mode classifier handles all permission decisions
+  if (feature('TRANSCRIPT_CLASSIFIER') && toolPermissionContext.mode === 'auto')
+    return undefined
+  if (toolPermissionContext.mode === 'bypassPermissions') return undefined
+
+  const allowDescriptions = getBashPromptAllowDescriptions(
+    toolPermissionContext,
+  )
+  if (allowDescriptions.length === 0) return undefined
+
+  return {
+    command,
+    cwd: getCwd(),
+    descriptions: allowDescriptions,
+  }
+}
+
+const speculativeChecks = new Map<string, Promise<ClassifierResult>>()
+
+/**
+ * Start a speculative bash allow classifier check early, so it runs in
+ * parallel with pre-tool hooks, deny/ask classifiers, and permission dialog setup.
+ * The result can be consumed later by executeAsyncClassifierCheck via
+ * consumeSpeculativeClassifierCheck.
+ */
+export function peekSpeculativeClassifierCheck(
+  command: string,
+): Promise<ClassifierResult> | undefined {
+  return speculativeChecks.get(command)
+}
+
+export function startSpeculativeClassifierCheck(
+  command: string,
+  toolPermissionContext: ToolPermissionContext,
+  signal: AbortSignal,
+  isNonInteractiveSession: boolean,
+): boolean {
+  // Same guards as buildPendingClassifierCheck
+  if (!isClassifierPermissionsEnabled()) return false
+  if (feature('TRANSCRIPT_CLASSIFIER') && toolPermissionContext.mode === 'auto')
+    return false
+  if (toolPermissionContext.mode === 'bypassPermissions') return false
+  const allowDescriptions = getBashPromptAllowDescriptions(
+    toolPermissionContext,
+  )
+  if (allowDescriptions.length === 0) return false
+
+  const cwd = getCwd()
+  const promise = classifyBashCommand(
+    command,
+    cwd,
+    allowDescriptions,
+    'allow',
+    signal,
+    isNonInteractiveSession,
+  )
+  // Prevent unhandled rejection if the signal aborts before this promise is consumed.
+  // The original promise (which may reject) is still stored in the Map for consumers to await.
+  promise.catch(() => {})
+  speculativeChecks.set(command, promise)
+  return true
+}
+
+/**
+ * Consume a speculative classifier check result for the given command.
+ * Returns the promise if one exists (and removes it from the map), or undefined.
+ */
+export function consumeSpeculativeClassifierCheck(
+  command: string,
+): Promise<ClassifierResult> | undefined {
+  const promise = speculativeChecks.get(command)
+  if (promise) {
+    speculativeChecks.delete(command)
+  }
+  return promise
+}
+
+export function clearSpeculativeChecks(): void {
+  speculativeChecks.clear()
+}
+
+/**
+ * Await a pending classifier check and return a PermissionDecisionReason if
+ * high-confidence allow, or undefined otherwise.
+ *
+ * Used by swarm agents (both tmux and in-process) to gate permission
+ * forwarding: run the classifier first, and only escalate to the leader
+ * if the classifier doesn't auto-approve.
+ */
+export async function awaitClassifierAutoApproval(
+  pendingCheck: PendingClassifierCheck,
+  signal: AbortSignal,
+  isNonInteractiveSession: boolean,
+): Promise<PermissionDecisionReason | undefined> {
+  const { command, cwd, descriptions } = pendingCheck
+  const speculativeResult = consumeSpeculativeClassifierCheck(command)
+  const classifierResult = speculativeResult
+    ? await speculativeResult
+    : await classifyBashCommand(
+        command,
+        cwd,
+        descriptions,
+        'allow',
+        signal,
+        isNonInteractiveSession,
+      )
+
+  logClassifierResultForAnts(command, 'allow', descriptions, classifierResult)
+
+  if (
+    feature('BASH_CLASSIFIER') &&
+    classifierResult.matches &&
+    classifierResult.confidence === 'high'
+  ) {
+    return {
+      type: 'classifier',
+      classifier: 'bash_allow',
+      reason: `Allowed by prompt rule: "${classifierResult.matchedDescription}"`,
+    }
+  }
+  return undefined
+}
+
+type AsyncClassifierCheckCallbacks = {
+  shouldContinue: () => boolean
+  onAllow: (decisionReason: PermissionDecisionReason) => void
+  onComplete?: () => void
+}
+
+/**
+ * Execute the bash allow classifier check asynchronously.
+ * This runs in the background while the permission prompt is shown.
+ * If the classifier allows with high confidence and the user hasn't interacted, auto-approves.
+ *
+ * @param pendingCheck - Classifier check metadata from bashToolHasPermission
+ * @param signal - Abort signal
+ * @param isNonInteractiveSession - Whether this is a non-interactive session
+ * @param callbacks - Callbacks to check if we should continue and handle approval
+ */
+export async function executeAsyncClassifierCheck(
+  pendingCheck: { command: string; cwd: string; descriptions: string[] },
+  signal: AbortSignal,
+  isNonInteractiveSession: boolean,
+  callbacks: AsyncClassifierCheckCallbacks,
+): Promise<void> {
+  const { command, cwd, descriptions } = pendingCheck
+  const speculativeResult = consumeSpeculativeClassifierCheck(command)
+
+  let classifierResult: ClassifierResult
+  try {
+    classifierResult = speculativeResult
+      ? await speculativeResult
+      : await classifyBashCommand(
+          command,
+          cwd,
+          descriptions,
+          'allow',
+          signal,
+          isNonInteractiveSession,
+        )
+  } catch (error: unknown) {
+    // When the coordinator session is cancelled, the abort signal fires and the
+    // classifier API call rejects with APIUserAbortError. This is expected and
+    // should not surface as an unhandled promise rejection.
+    if (error instanceof APIUserAbortError || error instanceof AbortError) {
+      callbacks.onComplete?.()
+      return
+    }
+    callbacks.onComplete?.()
+    throw error
+  }
+
+  logClassifierResultForAnts(command, 'allow', descriptions, classifierResult)
+
+  // Don't auto-approve if user already made a decision or has interacted
+  // with the permission dialog (e.g., arrow keys, tab, typing)
+  if (!callbacks.shouldContinue()) return
+
+  if (
+    feature('BASH_CLASSIFIER') &&
+    classifierResult.matches &&
+    classifierResult.confidence === 'high'
+  ) {
+    callbacks.onAllow({
+      type: 'classifier',
+      classifier: 'bash_allow',
+      reason: `Allowed by prompt rule: "${classifierResult.matchedDescription}"`,
+    })
+  } else {
+    // No match — notify so the checking indicator is cleared
+    callbacks.onComplete?.()
+  }
+}
+
+/**
+ * The main implementation to check if we need to ask for user permission to call BashTool with a given input
+ */
+export async function bashToolHasPermission(
+  input: z.infer<typeof BashTool.inputSchema>,
+  context: ToolUseContext,
+  getCommandSubcommandPrefixFn = getCommandSubcommandPrefix,
+): Promise<PermissionResult> {
+  let appState = context.getAppState()
+
+  // 0. AST-based security parse. This replaces both tryParseShellCommand
+  // (the shell-quote pre-check) and the bashCommandIsSafe misparsing gate.
+  // tree-sitter produces either a clean SimpleCommand[] (quotes resolved,
+  // no hidden substitutions) or 'too-complex' — which is exactly the signal
+  // we need to decide whether splitCommand's output can be trusted.
+  //
+  // When tree-sitter WASM is unavailable OR the injection check is disabled
+  // via env var, we fall back to the old path (legacy gate at ~1370 runs).
+  const injectionCheckDisabled = isEnvTruthy(
+    process.env.CLAUDE_CODE_DISABLE_COMMAND_INJECTION_CHECK,
+  )
+  // GrowthBook killswitch for shadow mode — when off, skip the native parse
+  // entirely. Computed once; feature() must stay inline in the ternary below.
+  const shadowEnabled = feature('TREE_SITTER_BASH_SHADOW')
+    ? getFeatureValue_CACHED_MAY_BE_STALE('tengu_birch_trellis', true)
+    : false
+  // Parse once here; the resulting AST feeds both parseForSecurityFromAst
+  // and bashToolCheckCommandOperatorPermissions.
+  let astRoot = injectionCheckDisabled
+    ? null
+    : feature('TREE_SITTER_BASH_SHADOW') && !shadowEnabled
+      ? null
+      : await parseCommandRaw(input.command)
+  let astResult: ParseForSecurityResult = astRoot
+    ? parseForSecurityFromAst(input.command, astRoot)
+    : { kind: 'parse-unavailable' }
+  let astSubcommands: string[] | null = null
+  let astRedirects: Redirect[] | undefined
+  let astCommands: SimpleCommand[] | undefined
+  let shadowLegacySubs: string[] | undefined
+
+  // Shadow-test tree-sitter: record its verdict, then force parse-unavailable
+  // so the legacy path stays authoritative. parseCommand stays gated on
+  // TREE_SITTER_BASH (not SHADOW) so legacy internals remain pure regex.
+  // One event per bash call captures both divergence AND unavailability
+  // reasons; module-load failures are separately covered by the
+  // session-scoped tengu_tree_sitter_load event.
+  if (feature('TREE_SITTER_BASH_SHADOW')) {
+    const available = astResult.kind !== 'parse-unavailable'
+    let tooComplex = false
+    let semanticFail = false
+    let subsDiffer = false
+    if (available) {
+      tooComplex = astResult.kind === 'too-complex'
+      semanticFail =
+        astResult.kind === 'simple' && !checkSemantics(astResult.commands).ok
+      const tsSubs =
+        astResult.kind === 'simple'
+          ? astResult.commands.map(c => c.text)
+          : undefined
+      const legacySubs = splitCommand(input.command)
+      shadowLegacySubs = legacySubs
+      subsDiffer =
+        tsSubs !== undefined &&
+        (tsSubs.length !== legacySubs.length ||
+          tsSubs.some((s, i) => s !== legacySubs[i]))
+    }
+    logEvent('tengu_tree_sitter_shadow', {
+      available,
+      astTooComplex: tooComplex,
+      astSemanticFail: semanticFail,
+      subsDiffer,
+      injectionCheckDisabled,
+      killswitchOff: !shadowEnabled,
+      cmdOverLength: input.command.length > 10000,
+    })
+    // Always force legacy — shadow mode is observational only.
+    astResult = { kind: 'parse-unavailable' }
+    astRoot = null
+  }
+
+  if (astResult.kind === 'too-complex') {
+    // Parse succeeded but found structure we can't statically analyze
+    // (command substitution, expansion, control flow, parser differential).
+    // Respect exact-match deny/ask/allow, then prefix/wildcard deny. Only
+    // fall through to ask if no deny matched — don't downgrade deny to ask.
+    const earlyExit = checkEarlyExitDeny(input, appState.toolPermissionContext)
+    if (earlyExit !== null) return earlyExit
+    const decisionReason: PermissionDecisionReason = {
+      type: 'other' as const,
+      reason: astResult.reason,
+    }
+    logEvent('tengu_bash_ast_too_complex', {
+      nodeTypeId: nodeTypeId(astResult.nodeType),
+    })
+    return {
+      behavior: 'ask',
+      decisionReason,
+      message: createPermissionRequestMessage(BashTool.name, decisionReason),
+      suggestions: [],
+      ...(feature('BASH_CLASSIFIER')
+        ? {
+            pendingClassifierCheck: buildPendingClassifierCheck(
+              input.command,
+              appState.toolPermissionContext,
+            ),
+          }
+        : {}),
+    }
+  }
+
+  if (astResult.kind === 'simple') {
+    // Clean parse: check semantic-level concerns (zsh builtins, eval, etc.)
+    // that tokenize fine but are dangerous by name.
+    const sem = checkSemantics(astResult.commands)
+    if (!sem.ok) {
+      // Same deny-rule enforcement as the too-complex path: a user with
+      // `Bash(eval:*)` deny expects `eval "rm"` blocked, not downgraded.
+      const earlyExit = checkSemanticsDeny(
+        input,
+        appState.toolPermissionContext,
+        astResult.commands,
+      )
+      if (earlyExit !== null) return earlyExit
+      const decisionReason: PermissionDecisionReason = {
+        type: 'other' as const,
+        reason: sem.reason,
+      }
+      return {
+        behavior: 'ask',
+        decisionReason,
+        message: createPermissionRequestMessage(BashTool.name, decisionReason),
+        suggestions: [],
+      }
+    }
+    // Stash the tokenized subcommands for use below. Downstream code (rule
+    // matching, path extraction, cd detection) still operates on strings, so
+    // we pass the original source span for each SimpleCommand. Downstream
+    // processing (stripSafeWrappers, parseCommandArguments) re-tokenizes
+    // these spans — that re-tokenization has known bugs (stripCommentLines
+    // mishandles newlines inside quotes), but checkSemantics already caught
+    // any argv element containing a newline, so those bugs can't bite here.
+    // Migrating downstream to operate on argv directly is a later commit.
+    astSubcommands = astResult.commands.map(c => c.text)
+    astRedirects = astResult.commands.flatMap(c => c.redirects)
+    astCommands = astResult.commands
+  }
+
+  // Legacy shell-quote pre-check. Only reached on 'parse-unavailable'
+  // (tree-sitter not loaded OR TREE_SITTER_BASH feature gated off). Falls
+  // through to the full legacy path below.
+  if (astResult.kind === 'parse-unavailable') {
+    logForDebugging(
+      'bashToolHasPermission: tree-sitter unavailable, using legacy shell-quote path',
+    )
+    const parseResult = tryParseShellCommand(input.command)
+    if (!parseResult.success) {
+      const decisionReason = {
+        type: 'other' as const,
+        reason: `Command contains malformed syntax that cannot be parsed: ${parseResult.error}`,
+      }
+      return {
+        behavior: 'ask',
+        decisionReason,
+        message: createPermissionRequestMessage(BashTool.name, decisionReason),
+      }
+    }
+  }
+
+  // Check sandbox auto-allow (which respects explicit deny/ask rules)
+  // Only call this if sandboxing and auto-allow are both enabled
+  if (
+    SandboxManager.isSandboxingEnabled() &&
+    SandboxManager.isAutoAllowBashIfSandboxedEnabled() &&
+    shouldUseSandbox(input)
+  ) {
+    const sandboxAutoAllowResult = checkSandboxAutoAllow(
+      input,
+      appState.toolPermissionContext,
+    )
+    if (sandboxAutoAllowResult.behavior !== 'passthrough') {
+      return sandboxAutoAllowResult
+    }
+  }
+
+  // Check exact match first
+  const exactMatchResult = bashToolCheckExactMatchPermission(
+    input,
+    appState.toolPermissionContext,
+  )
+
+  // Exact command was denied
+  if (exactMatchResult.behavior === 'deny') {
+    return exactMatchResult
+  }
+
+  // Check Bash prompt deny and ask rules in parallel (both use Haiku).
+  // Deny takes precedence over ask, and both take precedence over allow rules.
+  // Skip when in auto mode - auto mode classifier handles all permission decisions
+  if (
+    isClassifierPermissionsEnabled() &&
+    !(
+      feature('TRANSCRIPT_CLASSIFIER') &&
+      appState.toolPermissionContext.mode === 'auto'
+    )
+  ) {
+    const denyDescriptions = getBashPromptDenyDescriptions(
+      appState.toolPermissionContext,
+    )
+    const askDescriptions = getBashPromptAskDescriptions(
+      appState.toolPermissionContext,
+    )
+    const hasDeny = denyDescriptions.length > 0
+    const hasAsk = askDescriptions.length > 0
+
+    if (hasDeny || hasAsk) {
+      const [denyResult, askResult] = await Promise.all([
+        hasDeny
+          ? classifyBashCommand(
+              input.command,
+              getCwd(),
+              denyDescriptions,
+              'deny',
+              context.abortController.signal,
+              context.options.isNonInteractiveSession,
+            )
+          : null,
+        hasAsk
+          ? classifyBashCommand(
+              input.command,
+              getCwd(),
+              askDescriptions,
+              'ask',
+              context.abortController.signal,
+              context.options.isNonInteractiveSession,
+            )
+          : null,
+      ])
+
+      if (context.abortController.signal.aborted) {
+        throw new AbortError()
+      }
+
+      if (denyResult) {
+        logClassifierResultForAnts(
+          input.command,
+          'deny',
+          denyDescriptions,
+          denyResult,
+        )
+      }
+      if (askResult) {
+        logClassifierResultForAnts(
+          input.command,
+          'ask',
+          askDescriptions,
+          askResult,
+        )
+      }
+
+      // Deny takes precedence
+      if (denyResult?.matches && denyResult.confidence === 'high') {
+        return {
+          behavior: 'deny',
+          message: `Denied by Bash prompt rule: "${denyResult.matchedDescription}"`,
+          decisionReason: {
+            type: 'other',
+            reason: `Denied by Bash prompt rule: "${denyResult.matchedDescription}"`,
+          },
+        }
+      }
+
+      if (askResult?.matches && askResult.confidence === 'high') {
+        // Skip the Haiku call — the UI computes the prefix locally
+        // and lets the user edit it. Still call the injected function
+        // when tests override it.
+        let suggestions: PermissionUpdate[]
+        if (getCommandSubcommandPrefixFn === getCommandSubcommandPrefix) {
+          suggestions = suggestionForExactCommand(input.command)
+        } else {
+          const commandPrefixResult = await getCommandSubcommandPrefixFn(
+            input.command,
+            context.abortController.signal,
+            context.options.isNonInteractiveSession,
+          )
+          if (context.abortController.signal.aborted) {
+            throw new AbortError()
+          }
+          suggestions = commandPrefixResult?.commandPrefix
+            ? suggestionForPrefix(commandPrefixResult.commandPrefix)
+            : suggestionForExactCommand(input.command)
+        }
+        return {
+          behavior: 'ask',
+          message: createPermissionRequestMessage(BashTool.name),
+          decisionReason: {
+            type: 'other',
+            reason: `Required by Bash prompt rule: "${askResult.matchedDescription}"`,
+          },
+          suggestions,
+          ...(feature('BASH_CLASSIFIER')
+            ? {
+                pendingClassifierCheck: buildPendingClassifierCheck(
+                  input.command,
+                  appState.toolPermissionContext,
+                ),
+              }
+            : {}),
+        }
+      }
+    }
+  }
+
+  // Check for non-subcommand Bash operators like `>`, `|`, etc.
+  // This must happen before dangerous path checks so that piped commands
+  // are handled by the operator logic (which generates "multiple operations" messages)
+  const commandOperatorResult = await checkCommandOperatorPermissions(
+    input,
+    (i: z.infer<typeof BashTool.inputSchema>) =>
+      bashToolHasPermission(i, context, getCommandSubcommandPrefixFn),
+    { isNormalizedCdCommand, isNormalizedGitCommand },
+    astRoot,
+  )
+  if (commandOperatorResult.behavior !== 'passthrough') {
+    // SECURITY FIX: When pipe segment processing returns 'allow', we must still validate
+    // the ORIGINAL command. The pipe segment processing strips redirections before
+    // checking each segment, so commands like:
+    //   echo 'x' | xargs printf '%s' >> /tmp/file
+    // would have both segments allowed (echo and xargs printf) but the >> redirection
+    // would bypass validation. We must check:
+    // 1. Path constraints for output redirections
+    // 2. Command safety for dangerous patterns (backticks, etc.) in redirect targets
+    if (commandOperatorResult.behavior === 'allow') {
+      // Check for dangerous patterns (backticks, $(), etc.) in the original command
+      // This catches cases like: echo x | xargs echo > `pwd`/evil.txt
+      // where the backtick is in the redirect target (stripped from segments)
+      // Gate on AST: when astSubcommands is non-null, tree-sitter already
+      // validated structure (backticks/$() in redirect targets would have
+      // returned too-complex). Matches gating at ~1481, ~1706, ~1755.
+      // Avoids FP: `find -exec {} \; | grep x` tripping on backslash-;.
+      // bashCommandIsSafe runs the full legacy regex battery (~20 patterns) —
+      // only call it when we'll actually use the result.
+      const safetyResult =
+        astSubcommands === null
+          ? await bashCommandIsSafeAsync(input.command)
+          : null
+      if (
+        safetyResult !== null &&
+        safetyResult.behavior !== 'passthrough' &&
+        safetyResult.behavior !== 'allow'
+      ) {
+        // Attach pending classifier check - may auto-approve before user responds
+        appState = context.getAppState()
+        return {
+          behavior: 'ask',
+          message: createPermissionRequestMessage(BashTool.name, {
+            type: 'other',
+            reason:
+              safetyResult.message ??
+              'Command contains patterns that require approval',
+          }),
+          decisionReason: {
+            type: 'other',
+            reason:
+              safetyResult.message ??
+              'Command contains patterns that require approval',
+          },
+          ...(feature('BASH_CLASSIFIER')
+            ? {
+                pendingClassifierCheck: buildPendingClassifierCheck(
+                  input.command,
+                  appState.toolPermissionContext,
+                ),
+              }
+            : {}),
+        }
+      }
+
+      appState = context.getAppState()
+      // SECURITY: Compute compoundCommandHasCd from the full command, NOT
+      // hardcode false. The pipe-handling path previously passed `false` here,
+      // disabling the cd+redirect check at pathValidation.ts:821. Appending
+      // `| echo done` to `cd .claude && echo x > settings.json` routed through
+      // this path with compoundCommandHasCd=false, letting the redirect write
+      // to .claude/settings.json without the cd+redirect block firing.
+      const pathResult = checkPathConstraints(
+        input,
+        getCwd(),
+        appState.toolPermissionContext,
+        commandHasAnyCd(input.command),
+        astRedirects,
+        astCommands,
+      )
+      if (pathResult.behavior !== 'passthrough') {
+        return pathResult
+      }
+    }
+
+    // When pipe segments return 'ask' (individual segments not allowed by rules),
+    // attach pending classifier check - may auto-approve before user responds.
+    if (commandOperatorResult.behavior === 'ask') {
+      appState = context.getAppState()
+      return {
+        ...commandOperatorResult,
+        ...(feature('BASH_CLASSIFIER')
+          ? {
+              pendingClassifierCheck: buildPendingClassifierCheck(
+                input.command,
+                appState.toolPermissionContext,
+              ),
+            }
+          : {}),
+      }
+    }
+
+    return commandOperatorResult
+  }
+
+  // SECURITY: Legacy misparsing gate. Only runs when the tree-sitter module
+  // is not loaded. Timeout/abort is fail-closed via too-complex (returned
+  // early above), not routed here. When the AST parse succeeded,
+  // astSubcommands is non-null and we've already validated structure; this
+  // block is skipped entirely. The AST's 'too-complex' result subsumes
+  // everything isBashSecurityCheckForMisparsing covered — both answer the
+  // same question: "can splitCommand be trusted on this input?"
+  if (
+    astSubcommands === null &&
+    !isEnvTruthy(process.env.CLAUDE_CODE_DISABLE_COMMAND_INJECTION_CHECK)
+  ) {
+    const originalCommandSafetyResult = await bashCommandIsSafeAsync(
+      input.command,
+    )
+    if (
+      originalCommandSafetyResult.behavior === 'ask' &&
+      originalCommandSafetyResult.isBashSecurityCheckForMisparsing
+    ) {
+      // Compound commands with safe heredoc patterns ($(cat <<'EOF'...EOF))
+      // trigger the $() check on the unsplit command. Strip the safe heredocs
+      // and re-check the remainder — if other misparsing patterns exist
+      // (e.g. backslash-escaped operators), they must still block.
+      const remainder = stripSafeHeredocSubstitutions(input.command)
+      const remainderResult =
+        remainder !== null ? await bashCommandIsSafeAsync(remainder) : null
+      if (
+        remainder === null ||
+        (remainderResult?.behavior === 'ask' &&
+          remainderResult.isBashSecurityCheckForMisparsing)
+      ) {
+        // Allow if the exact command has an explicit allow permission — the user
+        // made a conscious choice to permit this specific command.
+        appState = context.getAppState()
+        const exactMatchResult = bashToolCheckExactMatchPermission(
+          input,
+          appState.toolPermissionContext,
+        )
+        if (exactMatchResult.behavior === 'allow') {
+          return exactMatchResult
+        }
+        // Attach pending classifier check - may auto-approve before user responds
+        const decisionReason: PermissionDecisionReason = {
+          type: 'other' as const,
+          reason: originalCommandSafetyResult.message,
+        }
+        return {
+          behavior: 'ask',
+          message: createPermissionRequestMessage(
+            BashTool.name,
+            decisionReason,
+          ),
+          decisionReason,
+          suggestions: [], // Don't suggest saving a potentially dangerous command
+          ...(feature('BASH_CLASSIFIER')
+            ? {
+                pendingClassifierCheck: buildPendingClassifierCheck(
+                  input.command,
+                  appState.toolPermissionContext,
+                ),
+              }
+            : {}),
+        }
+      }
+    }
+  }
+
+  // Split into subcommands. Prefer the AST-extracted spans; fall back to
+  // splitCommand only when tree-sitter was unavailable. The cd-cwd filter
+  // strips the `cd ${cwd}` prefix that models like to prepend.
+  const cwd = getCwd()
+  const cwdMingw =
+    getPlatform() === 'windows' ? windowsPathToPosixPath(cwd) : cwd
+  const rawSubcommands =
+    astSubcommands ?? shadowLegacySubs ?? splitCommand(input.command)
+  const { subcommands, astCommandsByIdx } = filterCdCwdSubcommands(
+    rawSubcommands,
+    astCommands,
+    cwd,
+    cwdMingw,
+  )
+
+  // CC-643: Cap subcommand fanout. Only the legacy splitCommand path can
+  // explode — the AST path returns a bounded list (astSubcommands !== null)
+  // or short-circuits to 'too-complex' for structures it can't represent.
+  if (
+    astSubcommands === null &&
+    subcommands.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK
+  ) {
+    logForDebugging(
+      `bashPermissions: ${subcommands.length} subcommands exceeds cap (${MAX_SUBCOMMANDS_FOR_SECURITY_CHECK}) — returning ask`,
+      { level: 'debug' },
+    )
+    const decisionReason = {
+      type: 'other' as const,
+      reason: `Command splits into ${subcommands.length} subcommands, too many to safety-check individually`,
+    }
+    return {
+      behavior: 'ask',
+      message: createPermissionRequestMessage(BashTool.name, decisionReason),
+      decisionReason,
+    }
+  }
+
+  // Ask if there are multiple `cd` commands
+  const cdCommands = subcommands.filter(subCommand =>
+    isNormalizedCdCommand(subCommand),
+  )
+  if (cdCommands.length > 1) {
+    const decisionReason = {
+      type: 'other' as const,
+      reason:
+        'Multiple directory changes in one command require approval for clarity',
+    }
+    return {
+      behavior: 'ask',
+      decisionReason,
+      message: createPermissionRequestMessage(BashTool.name, decisionReason),
+    }
+  }
+
+  // Track if compound command contains cd for security validation
+  // This prevents bypassing path checks via: cd .claude/ && mv test.txt settings.json
+  const compoundCommandHasCd = cdCommands.length > 0
+
+  // SECURITY: Block compound commands that have both cd AND git
+  // This prevents sandbox escape via: cd /malicious/dir && git status
+  // where the malicious directory contains a bare git repo with core.fsmonitor.
+  // This check must happen HERE (before subcommand-level permission checks)
+  // because bashToolCheckPermission checks each subcommand independently via
+  // BashTool.isReadOnly(), which would re-derive compoundCommandHasCd=false
+  // from just "git status" alone, bypassing the readOnlyValidation.ts check.
+  if (compoundCommandHasCd) {
+    const hasGitCommand = subcommands.some(cmd =>
+      isNormalizedGitCommand(cmd.trim()),
+    )
+    if (hasGitCommand) {
+      const decisionReason = {
+        type: 'other' as const,
+        reason:
+          'Compound commands with cd and git require approval to prevent bare repository attacks',
+      }
+      return {
+        behavior: 'ask',
+        decisionReason,
+        message: createPermissionRequestMessage(BashTool.name, decisionReason),
+      }
+    }
+  }
+
+  appState = context.getAppState() // re-compute the latest in case the user hit shift+tab
+
+  // SECURITY FIX: Check Bash deny/ask rules BEFORE path constraints
+  // This ensures that explicit deny rules like Bash(ls:*) take precedence over
+  // path constraint checks that return 'ask' for paths outside the project.
+  // Without this ordering, absolute paths outside the project (e.g., ls /home)
+  // would bypass deny rules because checkPathConstraints would return 'ask' first.
+  //
+  // Note: bashToolCheckPermission calls checkPathConstraints internally, which handles
+  // output redirection validation on each subcommand. However, since splitCommand strips
+  // redirections before we get here, we MUST validate output redirections on the ORIGINAL
+  // command AFTER checking deny rules but BEFORE returning results.
+  const subcommandPermissionDecisions = subcommands.map((command, i) =>
+    bashToolCheckPermission(
+      { command },
+      appState.toolPermissionContext,
+      compoundCommandHasCd,
+      astCommandsByIdx[i],
+    ),
+  )
+
+  // Deny if any subcommands are denied
+  const deniedSubresult = subcommandPermissionDecisions.find(
+    _ => _.behavior === 'deny',
+  )
+  if (deniedSubresult !== undefined) {
+    return {
+      behavior: 'deny',
+      message: `Permission to use ${BashTool.name} with command ${input.command} has been denied.`,
+      decisionReason: {
+        type: 'subcommandResults',
+        reasons: new Map(
+          subcommandPermissionDecisions.map((result, i) => [
+            subcommands[i]!,
+            result,
+          ]),
+        ),
+      },
+    }
+  }
+
+  // Validate output redirections on the ORIGINAL command (before splitCommand stripped them)
+  // This must happen AFTER checking deny rules but BEFORE returning results.
+  // Output redirections like "> /etc/passwd" are stripped by splitCommand, so the per-subcommand
+  // checkPathConstraints calls won't see them. We validate them here on the original input.
+  // SECURITY: When AST data is available, pass AST-derived redirects so
+  // checkPathConstraints uses them directly instead of re-parsing with
+  // shell-quote (which has a known single-quote backslash misparsing bug
+  // that can silently hide redirect operators).
+  const pathResult = checkPathConstraints(
+    input,
+    getCwd(),
+    appState.toolPermissionContext,
+    compoundCommandHasCd,
+    astRedirects,
+    astCommands,
+  )
+  if (pathResult.behavior === 'deny') {
+    return pathResult
+  }
+
+  const askSubresult = subcommandPermissionDecisions.find(
+    _ => _.behavior === 'ask',
+  )
+  const nonAllowCount = count(
+    subcommandPermissionDecisions,
+    _ => _.behavior !== 'allow',
+  )
+
+  // SECURITY (GH#28784): Only short-circuit on a path-constraint 'ask' when no
+  // subcommand independently produced an 'ask'. checkPathConstraints re-runs the
+  // path-command loop on the full input, so `cd <outside-project> && python3 foo.py`
+  // produces an ask with ONLY a Read(<dir>/**) suggestion — the UI renders it as
+  // "Yes, allow reading from <dir>/" and picking that option silently approves
+  // python3. When a subcommand has its own ask (e.g. the cd subcommand's own
+  // path-constraint ask), fall through: either the askSubresult short-circuit
+  // below fires (single non-allow subcommand) or the merge flow collects Bash
+  // rule suggestions for every non-allow subcommand. The per-subcommand
+  // checkPathConstraints call inside bashToolCheckPermission already captures
+  // the Read rule for the cd target in that path.
+  //
+  // When no subcommand asked (all allow, or all passthrough like `printf > file`),
+  // pathResult IS the only ask — return it so redirection checks surface.
+  if (pathResult.behavior === 'ask' && askSubresult === undefined) {
+    return pathResult
+  }
+
+  // Ask if any subcommands require approval (e.g., ls/cd outside boundaries).
+  // Only short-circuit when exactly ONE subcommand needs approval — if multiple
+  // do (e.g. cd-outside-project ask + python3 passthrough), fall through to the
+  // merge flow so the prompt surfaces Bash rule suggestions for all of them
+  // instead of only the first ask's Read rule (GH#28784).
+  if (askSubresult !== undefined && nonAllowCount === 1) {
+    return {
+      ...askSubresult,
+      ...(feature('BASH_CLASSIFIER')
+        ? {
+            pendingClassifierCheck: buildPendingClassifierCheck(
+              input.command,
+              appState.toolPermissionContext,
+            ),
+          }
+        : {}),
+    }
+  }
+
+  // Allow if exact command was allowed
+  if (exactMatchResult.behavior === 'allow') {
+    return exactMatchResult
+  }
+
+  // If all subcommands are allowed via exact or prefix match, allow the
+  // command — but only if no command injection is possible. When the AST
+  // parse succeeded, each subcommand is already known-safe (no hidden
+  // substitutions, no structural tricks); the per-subcommand re-check is
+  // redundant. When on the legacy path, re-run bashCommandIsSafeAsync per sub.
+  let hasPossibleCommandInjection = false
+  if (
+    astSubcommands === null &&
+    !isEnvTruthy(process.env.CLAUDE_CODE_DISABLE_COMMAND_INJECTION_CHECK)
+  ) {
+    // CC-643: Batch divergence telemetry into a single logEvent. The per-sub
+    // logEvent was the hot-path syscall driver (each call → /proc/self/stat
+    // via process.memoryUsage()). Aggregate count preserves the signal.
+    let divergenceCount = 0
+    const onDivergence = () => {
+      divergenceCount++
+    }
+    const results = await Promise.all(
+      subcommands.map(c => bashCommandIsSafeAsync(c, onDivergence)),
+    )
+    hasPossibleCommandInjection = results.some(
+      r => r.behavior !== 'passthrough',
+    )
+    if (divergenceCount > 0) {
+      logEvent('tengu_tree_sitter_security_divergence', {
+        quoteContextDivergence: true,
+        count: divergenceCount,
+      })
+    }
+  }
+  if (
+    subcommandPermissionDecisions.every(_ => _.behavior === 'allow') &&
+    !hasPossibleCommandInjection
+  ) {
+    return {
+      behavior: 'allow',
+      updatedInput: input,
+      decisionReason: {
+        type: 'subcommandResults',
+        reasons: new Map(
+          subcommandPermissionDecisions.map((result, i) => [
+            subcommands[i]!,
+            result,
+          ]),
+        ),
+      },
+    }
+  }
+
+  // Query Haiku for command prefixes
+  // Skip the Haiku call — the UI computes the prefix locally and
+  // lets the user edit it. Still call when a custom fn is injected (tests).
+  let commandSubcommandPrefix: Awaited<
+    ReturnType<typeof getCommandSubcommandPrefixFn>
+  > = null
+  if (getCommandSubcommandPrefixFn !== getCommandSubcommandPrefix) {
+    commandSubcommandPrefix = await getCommandSubcommandPrefixFn(
+      input.command,
+      context.abortController.signal,
+      context.options.isNonInteractiveSession,
+    )
+    if (context.abortController.signal.aborted) {
+      throw new AbortError()
+    }
+  }
+
+  // If there is only one command, no need to process subcommands
+  appState = context.getAppState() // re-compute the latest in case the user hit shift+tab
+  if (subcommands.length === 1) {
+    const result = await checkCommandAndSuggestRules(
+      { command: subcommands[0]! },
+      appState.toolPermissionContext,
+      commandSubcommandPrefix,
+      compoundCommandHasCd,
+      astSubcommands !== null,
+    )
+    // If command wasn't allowed, attach pending classifier check.
+    // At this point, 'ask' can only come from bashCommandIsSafe (security check inside
+    // checkCommandAndSuggestRules), NOT from explicit ask rules - those were already
+    // filtered out at step 13 (askSubresult check). The classifier can bypass security.
+    if (result.behavior === 'ask' || result.behavior === 'passthrough') {
+      return {
+        ...result,
+        ...(feature('BASH_CLASSIFIER')
+          ? {
+              pendingClassifierCheck: buildPendingClassifierCheck(
+                input.command,
+                appState.toolPermissionContext,
+              ),
+            }
+          : {}),
+      }
+    }
+    return result
+  }
+
+  // Check subcommand permission results
+  const subcommandResults: Map<string, PermissionResult> = new Map()
+  for (const subcommand of subcommands) {
+    subcommandResults.set(
+      subcommand,
+      await checkCommandAndSuggestRules(
+        {
+          // Pass through input params like `sandbox`
+          ...input,
+          command: subcommand,
+        },
+        appState.toolPermissionContext,
+        commandSubcommandPrefix?.subcommandPrefixes.get(subcommand),
+        compoundCommandHasCd,
+        astSubcommands !== null,
+      ),
+    )
+  }
+
+  // Allow if all subcommands are allowed
+  // Note that this is different than 6b because we are checking the command injection results.
+  if (
+    subcommands.every(subcommand => {
+      const permissionResult = subcommandResults.get(subcommand)
+      return permissionResult?.behavior === 'allow'
+    })
+  ) {
+    // Keep subcommandResults as PermissionResult for decisionReason
+    return {
+      behavior: 'allow',
+      updatedInput: input,
+      decisionReason: {
+        type: 'subcommandResults',
+        reasons: subcommandResults,
+      },
+    }
+  }
+
+  // Otherwise, ask for permission
+  const collectedRules: Map<string, PermissionRuleValue> = new Map()
+
+  for (const [subcommand, permissionResult] of subcommandResults) {
+    if (
+      permissionResult.behavior === 'ask' ||
+      permissionResult.behavior === 'passthrough'
+    ) {
+      const updates =
+        'suggestions' in permissionResult
+          ? permissionResult.suggestions
+          : undefined
+
+      const rules = extractRules(updates)
+      for (const rule of rules) {
+        // Use string representation as key for deduplication
+        const ruleKey = permissionRuleValueToString(rule)
+        collectedRules.set(ruleKey, rule)
+      }
+
+      // GH#28784 follow-up: security-check asks (compound-cd+write, process
+      // substitution, etc.) carry no suggestions. In a compound command like
+      // `cd ~/out && rm -rf x`, that means only cd's Read rule gets collected
+      // and the UI labels the prompt "Yes, allow reading from <dir>/" — never
+      // mentioning rm. Synthesize a Bash(exact) rule so the UI shows the
+      // chained command. Skip explicit ask rules (decisionReason.type 'rule')
+      // where the user deliberately wants to review each time.
+      if (
+        permissionResult.behavior === 'ask' &&
+        rules.length === 0 &&
+        permissionResult.decisionReason?.type !== 'rule'
+      ) {
+        for (const rule of extractRules(
+          suggestionForExactCommand(subcommand),
+        )) {
+          const ruleKey = permissionRuleValueToString(rule)
+          collectedRules.set(ruleKey, rule)
+        }
+      }
+      // Note: We only collect rules, not other update types like mode changes
+      // This is appropriate for bash subcommands which primarily need rule suggestions
+    }
+  }
+
+  const decisionReason = {
+    type: 'subcommandResults' as const,
+    reasons: subcommandResults,
+  }
+
+  // GH#11380: Cap at MAX_SUGGESTED_RULES_FOR_COMPOUND. Map preserves insertion
+  // order (subcommand order), so slicing keeps the leftmost N.
+  const cappedRules = Array.from(collectedRules.values()).slice(
+    0,
+    MAX_SUGGESTED_RULES_FOR_COMPOUND,
+  )
+  const suggestedUpdates: PermissionUpdate[] | undefined =
+    cappedRules.length > 0
+      ? [
+          {
+            type: 'addRules',
+            rules: cappedRules,
+            behavior: 'allow',
+            destination: 'localSettings',
+          },
+        ]
+      : undefined
+
+  // Attach pending classifier check - may auto-approve before user responds.
+  // Behavior is 'ask' if any subcommand was 'ask' (e.g., path constraint or ask
+  // rule) — before the GH#28784 fix, ask subresults always short-circuited above
+  // so this path only saw 'passthrough' subcommands and hardcoded that.
+  return {
+    behavior: askSubresult !== undefined ? 'ask' : 'passthrough',
+    message: createPermissionRequestMessage(BashTool.name, decisionReason),
+    decisionReason,
+    suggestions: suggestedUpdates,
+    ...(feature('BASH_CLASSIFIER')
+      ? {
+          pendingClassifierCheck: buildPendingClassifierCheck(
+            input.command,
+            appState.toolPermissionContext,
+          ),
+        }
+      : {}),
+  }
+}
+
+/**
+ * Checks if a subcommand is a git command after normalizing away safe wrappers
+ * (env vars, timeout, etc.) and shell quotes.
+ *
+ * SECURITY: Must normalize before matching to prevent bypasses like:
+ *   'git' status    — shell quotes hide the command from a naive regex
+ *   NO_COLOR=1 git status — env var prefix hides the command
+ */
+export function isNormalizedGitCommand(command: string): boolean {
+  // Fast path: catch the most common case before any parsing
+  if (command.startsWith('git ') || command === 'git') {
+    return true
+  }
+  const stripped = stripSafeWrappers(command)
+  const parsed = tryParseShellCommand(stripped)
+  if (parsed.success && parsed.tokens.length > 0) {
+    // Direct git command
+    if (parsed.tokens[0] === 'git') {
+      return true
+    }
+    // "xargs git ..." — xargs runs git in the current directory,
+    // so it must be treated as a git command for cd+git security checks.
+    // This matches the xargs prefix handling in filterRulesByContentsMatchingInput.
+    if (parsed.tokens[0] === 'xargs' && parsed.tokens.includes('git')) {
+      return true
+    }
+    return false
+  }
+  return /^git(?:\s|$)/.test(stripped)
+}
+
+/**
+ * Checks if a subcommand is a cd command after normalizing away safe wrappers
+ * (env vars, timeout, etc.) and shell quotes.
+ *
+ * SECURITY: Must normalize before matching to prevent bypasses like:
+ *   FORCE_COLOR=1 cd sub — env var prefix hides the cd from a naive /^cd / regex
+ *   This mirrors isNormalizedGitCommand to ensure symmetric normalization.
+ *
+ * Also matches pushd/popd — they change cwd just like cd, so
+ *   pushd /tmp/bare-repo && git status
+ * must trigger the same cd+git guard. Mirrors PowerShell's
+ * DIRECTORY_CHANGE_ALIASES (src/utils/powershell/parser.ts).
+ */
+export function isNormalizedCdCommand(command: string): boolean {
+  const stripped = stripSafeWrappers(command)
+  const parsed = tryParseShellCommand(stripped)
+  if (parsed.success && parsed.tokens.length > 0) {
+    const cmd = parsed.tokens[0]
+    return cmd === 'cd' || cmd === 'pushd' || cmd === 'popd'
+  }
+  return /^(?:cd|pushd|popd)(?:\s|$)/.test(stripped)
+}
+
+/**
+ * Checks if a compound command contains any cd command,
+ * using normalized detection that handles env var prefixes and shell quotes.
+ */
+export function commandHasAnyCd(command: string): boolean {
+  return splitCommand(command).some(subcmd =>
+    isNormalizedCdCommand(subcmd.trim()),
+  )
+}