@xelauvas/xela-cli 0.1.0

package/src/utils/bash/ast.ts

@@ -0,0 +1,2679 @@
+/**
+ * AST-based bash command analysis using tree-sitter.
+ *
+ * This module replaces the shell-quote + hand-rolled char-walker approach in
+ * bashSecurity.ts / commands.ts. Instead of detecting parser differentials
+ * one-by-one, we parse with tree-sitter-bash and walk the tree with an
+ * EXPLICIT allowlist of node types. Any node type not in the allowlist causes
+ * the entire command to be classified as 'too-complex', which means it goes
+ * through the normal permission prompt flow.
+ *
+ * The key design property is FAIL-CLOSED: we never interpret structure we
+ * don't understand. If tree-sitter produces a node we haven't explicitly
+ * allowlisted, we refuse to extract argv and the caller must ask the user.
+ *
+ * This is NOT a sandbox. It does not prevent dangerous commands from running.
+ * It answers exactly one question: "Can we produce a trustworthy argv[] for
+ * each simple command in this string?" If yes, downstream code can match
+ * argv[0] against permission rules and flag allowlists. If no, ask the user.
+ */
+
+import { SHELL_KEYWORDS } from './bashParser.js'
+import type { Node } from './parser.js'
+import { PARSE_ABORTED, parseCommandRaw } from './parser.js'
+
+export type Redirect = {
+  op: '>' | '>>' | '<' | '<<' | '>&' | '>|' | '<&' | '&>' | '&>>' | '<<<'
+  target: string
+  fd?: number
+}
+
+export type SimpleCommand = {
+  /** argv[0] is the command name, rest are arguments with quotes already resolved */
+  argv: string[]
+  /** Leading VAR=val assignments */
+  envVars: { name: string; value: string }[]
+  /** Output/input redirects */
+  redirects: Redirect[]
+  /** Original source span for this command (for UI display) */
+  text: string
+}
+
+export type ParseForSecurityResult =
+  | { kind: 'simple'; commands: SimpleCommand[] }
+  | { kind: 'too-complex'; reason: string; nodeType?: string }
+  | { kind: 'parse-unavailable' }
+
+/**
+ * Structural node types that represent composition of commands. We recurse
+ * through these to find the leaf `command` nodes. `program` is the root;
+ * `list` is `a && b || c`; `pipeline` is `a | b`; `redirected_statement`
+ * wraps a command with its redirects. Semicolon-separated commands appear
+ * as direct siblings under `program` (no wrapper node).
+ */
+const STRUCTURAL_TYPES = new Set([
+  'program',
+  'list',
+  'pipeline',
+  'redirected_statement',
+])
+
+/**
+ * Operator tokens that separate commands. These are leaf nodes that appear
+ * between commands in `list`/`pipeline`/`program` and carry no payload.
+ */
+const SEPARATOR_TYPES = new Set(['&&', '||', '|', ';', '&', '|&', '\n'])
+
+/**
+ * Placeholder string used in outer argv when a $() is recursively extracted.
+ * The actual $() output is runtime-determined; the inner command(s) are
+ * checked against permission rules separately. Using a placeholder keeps
+ * the outer argv clean (no multi-line heredoc bodies polluting path
+ * extraction or triggering newline checks).
+ */
+const CMDSUB_PLACEHOLDER = '__CMDSUB_OUTPUT__'
+
+/**
+ * Placeholder for simple_expansion ($VAR) references to variables set earlier
+ * in the same command via variable_assignment. Since we tracked the assignment,
+ * we know the var exists and its value is either a static string or
+ * __CMDSUB_OUTPUT__ (if set via $()). Either way, safe to substitute.
+ */
+const VAR_PLACEHOLDER = '__TRACKED_VAR__'
+
+/**
+ * All placeholder strings. Used for defense-in-depth: if a varScope value
+ * contains ANY placeholder (exact or embedded), the value is NOT a pure
+ * literal and cannot be trusted as a bare argument. Covers composites like
+ * `VAR="prefix$(cmd)"` → `"prefix__CMDSUB_OUTPUT__"` — the substring check
+ * catches these where exact-match Set.has() would miss.
+ *
+ * Also catches user-typed literals that collide with placeholder strings:
+ * `VAR=__TRACKED_VAR__ && rm $VAR` — treated as non-literal (conservative).
+ */
+function containsAnyPlaceholder(value: string): boolean {
+  return value.includes(CMDSUB_PLACEHOLDER) || value.includes(VAR_PLACEHOLDER)
+}
+
+/**
+ * Unquoted $VAR in bash undergoes word-splitting (on $IFS: space/tab/NL)
+ * and pathname expansion (glob matching on * ? [). Our argv stores a
+ * single string — but at runtime bash may produce MULTIPLE args, or paths
+ * matched by a glob. A value containing these metacharacters cannot be
+ * trusted as a bare arg: `VAR="-rf /" && rm $VAR` → bash runs `rm -rf /`
+ * (two args) but our argv would have `['rm', '-rf /']` (one arg). Similarly
+ * `VAR="/etc/*" && cat $VAR` → bash expands to all /etc files.
+ *
+ * Inside double-quotes ("$VAR"), neither splitting nor globbing applies —
+ * the value IS a single literal argument.
+ */
+const BARE_VAR_UNSAFE_RE = /[ \t\n*?[]/
+
+// stdbuf flag forms — hoisted from the wrapper-stripping while-loop
+const STDBUF_SHORT_SEP_RE = /^-[ioe]$/
+const STDBUF_SHORT_FUSED_RE = /^-[ioe]./
+const STDBUF_LONG_RE = /^--(input|output|error)=/
+
+/**
+ * Known-safe environment variables that bash sets automatically. Their values
+ * are controlled by the shell/OS, not arbitrary user input. Referencing these
+ * via $VAR is safe — the expansion is deterministic and doesn't introduce
+ * injection risk. Covers `$HOME`, `$PWD`, `$USER`, `$PATH`, `$SHELL`, etc.
+ * Intentionally small: only vars that are always set by bash/login and whose
+ * values are paths/names (not arbitrary content).
+ */
+const SAFE_ENV_VARS = new Set([
+  'HOME', // user's home directory
+  'PWD', // current working directory (bash maintains)
+  'OLDPWD', // previous directory
+  'USER', // current username
+  'LOGNAME', // login name
+  'SHELL', // user's login shell
+  'PATH', // executable search path
+  'HOSTNAME', // machine hostname
+  'UID', // user id
+  'EUID', // effective user id
+  'PPID', // parent process id
+  'RANDOM', // random number (bash builtin)
+  'SECONDS', // seconds since shell start
+  'LINENO', // current line number
+  'TMPDIR', // temp directory
+  // Special bash variables — always set, values are shell-controlled:
+  'BASH_VERSION', // bash version string
+  'BASHPID', // current bash process id
+  'SHLVL', // shell nesting level
+  'HISTFILE', // history file path
+  'IFS', // field separator (NOTE: only safe INSIDE strings; as bare arg
+  //       $IFS is the classic injection primitive and the insideString
+  //       gate in resolveSimpleExpansion correctly blocks it)
+])
+
+/**
+ * Special shell variables ($?, $$, $!, $#, $0-$9). tree-sitter uses
+ * `special_variable_name` for these (not `variable_name`). Values are
+ * shell-controlled: exit status, PIDs, positional args. Safe to resolve
+ * ONLY inside strings (same rationale as SAFE_ENV_VARS — as bare args
+ * their value IS the argument and might be a path/flag from $1 etc.).
+ *
+ * SECURITY: '@' and '*' are NOT in this set. Inside "...", they expand to
+ * the positional params — which are EMPTY in a fresh BashTool shell (how we
+ * always spawn). Returning VAR_PLACEHOLDER would lie: `git "push$*"` gives
+ * argv ['git','push__TRACKED_VAR__'] while bash passes ['git','push']. Deny
+ * rule Bash(git push:*) fails on both .text (raw `$*`) AND rebuilt argv
+ * (placeholder). With them removed, resolveSimpleExpansion falls through to
+ * tooComplex for `$*` / `$@`. `echo "args: $*"` becomes too-complex —
+ * acceptable (rare in BashTool usage; `"$@"` even rarer).
+ */
+const SPECIAL_VAR_NAMES = new Set([
+  '?', // exit status of last command
+  '$', // current shell PID
+  '!', // last background PID
+  '#', // number of positional params
+  '0', // script name
+  '-', // shell option flags
+])
+
+/**
+ * Node types that mean "this command cannot be statically analyzed." These
+ * either execute arbitrary code (substitutions, subshells, control flow) or
+ * expand to values we can't determine statically (parameter/arithmetic
+ * expansion, brace expressions).
+ *
+ * This set is not exhaustive — it documents KNOWN dangerous types. The real
+ * safety property is the allowlist in walkArgument/walkCommand: any type NOT
+ * explicitly handled there also triggers too-complex.
+ */
+const DANGEROUS_TYPES = new Set([
+  'command_substitution',
+  'process_substitution',
+  'expansion',
+  'simple_expansion',
+  'brace_expression',
+  'subshell',
+  'compound_statement',
+  'for_statement',
+  'while_statement',
+  'until_statement',
+  'if_statement',
+  'case_statement',
+  'function_definition',
+  'test_command',
+  'ansi_c_string',
+  'translated_string',
+  'herestring_redirect',
+  'heredoc_redirect',
+])
+
+/**
+ * Numeric IDs for analytics (logEvent doesn't accept strings). Index into
+ * DANGEROUS_TYPES. Append new entries at the end to keep IDs stable.
+ * 0 = unknown/other, -1 = ERROR (parse failure), -2 = pre-check.
+ */
+const DANGEROUS_TYPE_IDS = [...DANGEROUS_TYPES]
+export function nodeTypeId(nodeType: string | undefined): number {
+  if (!nodeType) return -2
+  if (nodeType === 'ERROR') return -1
+  const i = DANGEROUS_TYPE_IDS.indexOf(nodeType)
+  return i >= 0 ? i + 1 : 0
+}
+
+/**
+ * Redirect operator tokens → canonical operator. tree-sitter produces these
+ * as child nodes of `file_redirect`.
+ */
+const REDIRECT_OPS: Record<string, Redirect['op']> = {
+  '>': '>',
+  '>>': '>>',
+  '<': '<',
+  '>&': '>&',
+  '<&': '<&',
+  '>|': '>|',
+  '&>': '&>',
+  '&>>': '&>>',
+  '<<<': '<<<',
+}
+
+/**
+ * Brace expansion pattern: {a,b} or {a..b}. Must have , or .. inside
+ * braces. We deliberately do NOT try to determine whether the opening brace
+ * is backslash-escaped: tree-sitter doesn't unescape backslashes, so
+ * distinguishing `\{a,b}` (escaped, literal) from `\\{a,b}` (literal
+ * backslash + expansion) would require reimplementing bash quote removal.
+ * Reject both — the escaped-brace case is rare and trivially rewritten
+ * with single quotes.
+ */
+const BRACE_EXPANSION_RE = /\{[^{}\s]*(,|\.\.)[^{}\s]*\}/
+
+/**
+ * Control characters that bash silently drops but confuse static analysis.
+ * Includes CR (0x0D): tree-sitter treats CR as a word separator but bash's
+ * default IFS does not include CR, so tree-sitter and bash disagree on
+ * word boundaries.
+ */
+// eslint-disable-next-line no-control-regex
+const CONTROL_CHAR_RE = /[\x00-\x08\x0B-\x1F\x7F]/
+
+/**
+ * Unicode whitespace beyond ASCII. These render invisibly (or as regular
+ * spaces) in terminals so a user reviewing the command can't see them, but
+ * bash treats them as literal word characters. Blocks NBSP, zero-width
+ * spaces, line/paragraph separators, BOM.
+ */
+const UNICODE_WHITESPACE_RE =
+  /[\u00A0\u1680\u2000-\u200B\u2028\u2029\u202F\u205F\u3000\uFEFF]/
+
+/**
+ * Backslash immediately before whitespace. bash treats `\ ` as a literal
+ * space inside the current word, but tree-sitter returns the raw text with
+ * the backslash still present. argv[0] from tree-sitter is `cat\ test`
+ * while bash runs `cat test` (with a literal space). Rather than
+ * reimplement bash's unescaping rules, we reject these — they're rare in
+ * practice and trivial to rewrite with quotes.
+ *
+ * Also matches `\` before newline (line continuation) when adjacent to a
+ * non-whitespace char. `tr\<NL>aceroute` — bash joins to `traceroute`, but
+ * tree-sitter splits into two words (differential). When `\<NL>` is preceded
+ * by whitespace (e.g. `foo && \<NL>bar`), there's no word to join — both
+ * parsers agree, so we allow it.
+ */
+const BACKSLASH_WHITESPACE_RE = /\\[ \t]|[^ \t\n\\]\\\n/
+
+/**
+ * Zsh dynamic named directory expansion: ~[name]. In zsh this invokes the
+ * zsh_directory_name hook, which can run arbitrary code. bash treats it as
+ * a literal tilde followed by a glob character class. Since BashTool runs
+ * via the user's default shell (often zsh), reject conservatively.
+ */
+const ZSH_TILDE_BRACKET_RE = /~\[/
+
+/**
+ * Zsh EQUALS expansion: word-initial `=cmd` expands to the absolute path of
+ * `cmd` (equivalent to `$(which cmd)`). `=curl evil.com` runs as
+ * `/usr/bin/curl evil.com`. tree-sitter parses `=curl` as a literal word, so
+ * a `Bash(curl:*)` deny rule matching on base command name won't see `curl`.
+ * Only matches word-initial `=` followed by a command-name char — `VAR=val`
+ * and `--flag=val` have `=` mid-word and are not expanded by zsh.
+ */
+const ZSH_EQUALS_EXPANSION_RE = /(?:^|[\s;&|])=[a-zA-Z_]/
+
+/**
+ * Brace character combined with quote characters. Constructions like
+ * `{a'}',b}` use quoted braces inside brace expansion context to obfuscate
+ * the expansion from regex-based detection. In bash, `{a'}',b}` expands to
+ * `a} b` (the quoted `}` becomes literal inside the first alternative).
+ * These are hard to analyze correctly and have no legitimate use in
+ * commands we'd want to auto-allow.
+ *
+ * This check runs on a version of the command with `{` masked out of
+ * single-quoted and double-quoted spans, so JSON payloads like
+ * `curl -d '{"k":"v"}'` don't trigger a false positive. Brace expansion
+ * cannot occur inside quotes, so a `{` there can never start an obfuscation
+ * pattern. The quote characters themselves stay visible so `{a'}',b}` and
+ * `{@'{'0},...}` still match via the outer unquoted `{`.
+ */
+const BRACE_WITH_QUOTE_RE = /\{[^}]*['"]/
+
+/**
+ * Mask `{` characters that appear inside single- or double-quoted contexts.
+ * Uses a single-pass bash-aware quote-state scanner instead of a regex.
+ *
+ * A naive regex (`/'[^']*'/g`) mis-detects spans when a `'` appears inside
+ * a double-quoted string: for `echo "it's" {a'}',b}`, it matches from the
+ * `'` in `it's` across to the `'` in `{a'}`, masking the unquoted `{` and
+ * producing a false negative. The scanner tracks actual bash quote state:
+ * `'` toggles single-quote only in unquoted context; `"` toggles
+ * double-quote only outside single quotes; `\` escapes the next char in
+ * unquoted context and escapes `"` / `\\` inside double quotes.
+ *
+ * Brace expansion is impossible in both quote contexts, so masking `{` in
+ * either is safe. Secondary defense: BRACE_EXPANSION_RE in walkArgument.
+ */
+function maskBracesInQuotedContexts(cmd: string): string {
+  // Fast path: no `{` → nothing to mask. Skips the char-by-char scan for
+  // the >90% of commands with no braces (`ls -la`, `git status`, etc).
+  if (!cmd.includes('{')) return cmd
+  const out: string[] = []
+  let inSingle = false
+  let inDouble = false
+  let i = 0
+  while (i < cmd.length) {
+    const c = cmd[i]!
+    if (inSingle) {
+      // Bash single quotes: no escapes, `'` always terminates.
+      if (c === "'") inSingle = false
+      out.push(c === '{' ? ' ' : c)
+      i++
+    } else if (inDouble) {
+      // Bash double quotes: `\` escapes `"` and `\` (also `$`, backtick,
+      // newline — but those don't affect quote state so we let them pass).
+      if (c === '\\' && (cmd[i + 1] === '"' || cmd[i + 1] === '\\')) {
+        out.push(c, cmd[i + 1]!)
+        i += 2
+      } else {
+        if (c === '"') inDouble = false
+        out.push(c === '{' ? ' ' : c)
+        i++
+      }
+    } else {
+      // Unquoted: `\` escapes any next char.
+      if (c === '\\' && i + 1 < cmd.length) {
+        out.push(c, cmd[i + 1]!)
+        i += 2
+      } else {
+        if (c === "'") inSingle = true
+        else if (c === '"') inDouble = true
+        out.push(c)
+        i++
+      }
+    }
+  }
+  return out.join('')
+}
+
+const DOLLAR = String.fromCharCode(0x24)
+
+/**
+ * Parse a bash command string and extract a flat list of simple commands.
+ * Returns 'too-complex' if the command uses any shell feature we can't
+ * statically analyze. Returns 'parse-unavailable' if tree-sitter WASM isn't
+ * loaded — caller should fall back to conservative behavior.
+ */
+export async function parseForSecurity(
+  cmd: string,
+): Promise<ParseForSecurityResult> {
+  // parseCommandRaw('') returns null (falsy check), so short-circuit here.
+  // Don't use .trim() — it strips Unicode whitespace (\u00a0 etc.) which the
+  // pre-checks in parseForSecurityFromAst need to see and reject.
+  if (cmd === '') return { kind: 'simple', commands: [] }
+  const root = await parseCommandRaw(cmd)
+  return root === null
+    ? { kind: 'parse-unavailable' }
+    : parseForSecurityFromAst(cmd, root)
+}
+
+/**
+ * Same as parseForSecurity but takes a pre-parsed AST root so callers that
+ * need the tree for other purposes can parse once and share. Pre-checks
+ * still run on `cmd` — they catch tree-sitter/bash differentials that a
+ * successful parse doesn't.
+ */
+export function parseForSecurityFromAst(
+  cmd: string,
+  root: Node | typeof PARSE_ABORTED,
+): ParseForSecurityResult {
+  // Pre-checks: characters that cause tree-sitter and bash to disagree on
+  // word boundaries. These run before tree-sitter because they're the known
+  // tree-sitter/bash differentials. Everything after this point trusts
+  // tree-sitter's tokenization.
+  if (CONTROL_CHAR_RE.test(cmd)) {
+    return { kind: 'too-complex', reason: 'Contains control characters' }
+  }
+  if (UNICODE_WHITESPACE_RE.test(cmd)) {
+    return { kind: 'too-complex', reason: 'Contains Unicode whitespace' }
+  }
+  if (BACKSLASH_WHITESPACE_RE.test(cmd)) {
+    return {
+      kind: 'too-complex',
+      reason: 'Contains backslash-escaped whitespace',
+    }
+  }
+  if (ZSH_TILDE_BRACKET_RE.test(cmd)) {
+    return {
+      kind: 'too-complex',
+      reason: 'Contains zsh ~[ dynamic directory syntax',
+    }
+  }
+  if (ZSH_EQUALS_EXPANSION_RE.test(cmd)) {
+    return {
+      kind: 'too-complex',
+      reason: 'Contains zsh =cmd equals expansion',
+    }
+  }
+  if (BRACE_WITH_QUOTE_RE.test(maskBracesInQuotedContexts(cmd))) {
+    return {
+      kind: 'too-complex',
+      reason: 'Contains brace with quote character (expansion obfuscation)',
+    }
+  }
+
+  const trimmed = cmd.trim()
+  if (trimmed === '') {
+    return { kind: 'simple', commands: [] }
+  }
+
+  if (root === PARSE_ABORTED) {
+    // SECURITY: module loaded but parse aborted (timeout / node budget /
+    // panic). Adversarially triggerable — `(( a[0][0]... ))` with ~2800
+    // subscripts hits PARSE_TIMEOUT_MICROS under the 10K length limit.
+    // Previously indistinguishable from module-not-loaded → routed to
+    // legacy (parse-unavailable), which lacks EVAL_LIKE_BUILTINS — `trap`,
+    // `enable`, `hash` leaked with Bash(*). Fail closed: too-complex → ask.
+    return {
+      kind: 'too-complex',
+      reason:
+        'Parser aborted (timeout or resource limit) — possible adversarial input',
+      nodeType: 'PARSE_ABORT',
+    }
+  }
+
+  return walkProgram(root)
+}
+
+function walkProgram(root: Node): ParseForSecurityResult {
+  // ERROR-node check folded into collectCommands — any unhandled node type
+  // (including ERROR) falls through to tooComplex() in the default branch.
+  // Avoids a separate full-tree walk for error detection.
+  const commands: SimpleCommand[] = []
+  // Track variables assigned earlier in the same command. When a
+  // simple_expansion ($VAR) references a tracked var, we can substitute
+  // a placeholder instead of returning too-complex. Enables patterns like
+  // `NOW=$(date) && jq --arg now "$NOW" ...` — $NOW is known to be the
+  // $(date) output (already extracted as inner command).
+  const varScope = new Map<string, string>()
+  const err = collectCommands(root, commands, varScope)
+  if (err) return err
+  return { kind: 'simple', commands }
+}
+
+/**
+ * Recursively collect leaf `command` nodes from a structural wrapper node.
+ * Returns an error result on any disallowed node type, or null on success.
+ */
+function collectCommands(
+  node: Node,
+  commands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult | null {
+  if (node.type === 'command') {
+    // Pass `commands` as the innerCommands accumulator — any $() extracted
+    // during walkCommand gets appended alongside the outer command.
+    const result = walkCommand(node, [], commands, varScope)
+    if (result.kind !== 'simple') return result
+    commands.push(...result.commands)
+    return null
+  }
+
+  if (node.type === 'redirected_statement') {
+    return walkRedirectedStatement(node, commands, varScope)
+  }
+
+  if (node.type === 'comment') {
+    return null
+  }
+
+  if (STRUCTURAL_TYPES.has(node.type)) {
+    // SECURITY: `||`, `|`, `|&`, `&` must NOT carry varScope linearly. In bash:
+    //   `||` RHS runs conditionally → vars set there MAY not be set
+    //   `|`/`|&` stages run in subshells → vars set there are NEVER visible after
+    //   `&` LHS runs in a background subshell → same as above
+    // Flag-omission attack: `true || FLAG=--dry-run && cmd $FLAG` — bash skips
+    // the `||` RHS (FLAG unset → $FLAG empty), runs `cmd` WITHOUT --dry-run.
+    // With linear scope, our argv has ['cmd','--dry-run'] → looks SAFE → bypass.
+    //
+    // Fix: snapshot incoming scope at entry. After these separators, reset to
+    // the snapshot — vars set in clauses between separators don't leak. `scope`
+    // for clauses BETWEEN `&&`/`;` chains shares state (common `VAR=x && cmd
+    // $VAR`). `scope` crosses `||`/`|`/`&` as the pre-structure snapshot only.
+    //
+    // `&&` and `;` DO carry scope: `VAR=x && cmd $VAR` is sequential, VAR is set.
+    //
+    // NOTE: `scope` and `varScope` diverge after the first `||`/`|`/`&`. The
+    // caller's varScope is only mutated for the `&&`/`;` prefix — this is
+    // conservative (vars set in `A && B | C && D` leak A+B into caller, not
+    // C+D) but safe.
+    //
+    // Efficiency: snapshot is only needed if we hit `||`/`|`/`|&`/`&`. For
+    // the dominant case (`ls`, `git status` — no such separators), skip the
+    // Map alloc via a cheap pre-scan. For `pipeline`, node.type already tells
+    // us stages are subshells — copy once at entry, no snapshot needed (each
+    // reset uses the entry copy pattern via varScope, which is untouched).
+    const isPipeline = node.type === 'pipeline'
+    let needsSnapshot = false
+    if (!isPipeline) {
+      for (const c of node.children) {
+        if (c && (c.type === '||' || c.type === '&')) {
+          needsSnapshot = true
+          break
+        }
+      }
+    }
+    const snapshot = needsSnapshot ? new Map(varScope) : null
+    // For `pipeline`, ALL stages run in subshells — start with a copy so
+    // nothing mutates caller's scope. For `list`/`program`, the `&&`/`;`
+    // chain mutates caller's scope (sequential); fork only on `||`/`&`.
+    let scope = isPipeline ? new Map(varScope) : varScope
+    for (const child of node.children) {
+      if (!child) continue
+      if (SEPARATOR_TYPES.has(child.type)) {
+        if (
+          child.type === '||' ||
+          child.type === '|' ||
+          child.type === '|&' ||
+          child.type === '&'
+        ) {
+          // For pipeline: varScope is untouched (we started with a copy).
+          // For list/program: snapshot is non-null (pre-scan set it).
+          // `|`/`|&` only appear under `pipeline` nodes; `||`/`&` under list.
+          scope = new Map(snapshot ?? varScope)
+        }
+        continue
+      }
+      const err = collectCommands(child, commands, scope)
+      if (err) return err
+    }
+    return null
+  }
+
+  if (node.type === 'negated_command') {
+    // `! cmd` inverts exit code only — doesn't execute code or affect
+    // argv. Recurse into the wrapped command. Common in CI: `! grep err`,
+    // `! test -f lock`, `! git diff --quiet`.
+    for (const child of node.children) {
+      if (!child) continue
+      if (child.type === '!') continue
+      return collectCommands(child, commands, varScope)
+    }
+    return null
+  }
+
+  if (node.type === 'declaration_command') {
+    // `export`/`local`/`readonly`/`declare`/`typeset`. tree-sitter emits
+    // these as declaration_command, not command, so they previously fell
+    // through to tooComplex. Values are validated via walkVariableAssignment:
+    // `$()` in the value is recursively extracted (inner command pushed to
+    // commands[], outer argv gets CMDSUB_PLACEHOLDER); other disallowed
+    // expansions still reject via walkArgument. argv[0] is the builtin name so
+    // `Bash(export:*)` rules match.
+    const argv: string[] = []
+    for (const child of node.children) {
+      if (!child) continue
+      switch (child.type) {
+        case 'export':
+        case 'local':
+        case 'readonly':
+        case 'declare':
+        case 'typeset':
+          argv.push(child.text)
+          break
+        case 'word':
+        case 'number':
+        case 'raw_string':
+        case 'string':
+        case 'concatenation': {
+          // Flags (`declare -r`), quoted names (`export "FOO=bar"`), numbers
+          // (`declare -i 42`). Mirrors walkCommand's argv handling — before
+          // this, `export "FOO=bar"` hit tooComplex on the `string` child.
+          // walkArgument validates each (expansions still reject).
+          const arg = walkArgument(child, commands, varScope)
+          if (typeof arg !== 'string') return arg
+          // SECURITY: declare/typeset/local flags that change assignment
+          // semantics break our static model. -n (nameref): `declare -n X=Y`
+          // then `$X` dereferences to $Y's VALUE — varScope stores 'Y'
+          // (target NAME), argv[0] shows 'Y' while bash runs whatever $Y
+          // holds. -i (integer): `declare -i X='a[$(cmd)]'` arithmetically
+          // evaluates the RHS at assignment time, running $(cmd) even from
+          // a single-quoted raw_string (same primitive walkArithmetic
+          // guards in $((…))). -a/-A (array): subscript arithmetic on
+          // assignment. -r/-x/-g/-p/-f/-F are inert. Check the resolved
+          // arg (not child.text) so `\-n` and quoted `-n` are caught.
+          // Scope to declare/typeset/local only: `export -n` means "remove
+          // export attribute" (not nameref), and export/readonly don't
+          // accept -i; readonly -a/-A rejects subscripted args as invalid
+          // identifiers so subscript-arith doesn't fire.
+          if (
+            (argv[0] === 'declare' ||
+              argv[0] === 'typeset' ||
+              argv[0] === 'local') &&
+            /^-[a-zA-Z]*[niaA]/.test(arg)
+          ) {
+            return {
+              kind: 'too-complex',
+              reason: `declare flag ${arg} changes assignment semantics (nameref/integer/array)`,
+              nodeType: 'declaration_command',
+            }
+          }
+          // SECURITY: bare positional assignment with a subscript also
+          // evaluates — no -a/-i flag needed. `declare 'x[$(id)]=val'`
+          // implicitly creates an array element, arithmetically evaluating
+          // the subscript and running $(id). tree-sitter delivers the
+          // single-quoted form as a raw_string leaf so walkArgument sees
+          // only the literal text. Scoped to declare/typeset/local:
+          // export/readonly reject `[` in identifiers before eval.
+          if (
+            (argv[0] === 'declare' ||
+              argv[0] === 'typeset' ||
+              argv[0] === 'local') &&
+            arg[0] !== '-' &&
+            /^[^=]*\[/.test(arg)
+          ) {
+            return {
+              kind: 'too-complex',
+              reason: `declare positional '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
+              nodeType: 'declaration_command',
+            }
+          }
+          argv.push(arg)
+          break
+        }
+        case 'variable_assignment': {
+          const ev = walkVariableAssignment(child, commands, varScope)
+          if ('kind' in ev) return ev
+          // export/declare assignments populate the scope so later $VAR refs resolve.
+          applyVarToScope(varScope, ev)
+          argv.push(`${ev.name}=${ev.value}`)
+          break
+        }
+        case 'variable_name':
+          // `export FOO` — bare name, no assignment.
+          argv.push(child.text)
+          break
+        default:
+          return tooComplex(child)
+      }
+    }
+    commands.push({ argv, envVars: [], redirects: [], text: node.text })
+    return null
+  }
+
+  if (node.type === 'variable_assignment') {
+    // Bare `VAR=value` at statement level (not a command env prefix).
+    // Sets a shell variable — no code execution, no filesystem I/O.
+    // The value is validated via walkVariableAssignment → walkArgument,
+    // so `VAR=$(evil)` still recursively extracts/rejects based on the
+    // inner command. Does NOT push to commands — a bare assignment needs
+    // no permission rule (it's inert). Common pattern: `VAR=x && cmd`
+    // where cmd references $VAR. ~35% of too-complex in top-5k ant cmds.
+    const ev = walkVariableAssignment(node, commands, varScope)
+    if ('kind' in ev) return ev
+    // Populate scope so later `$VAR` references resolve.
+    applyVarToScope(varScope, ev)
+    return null
+  }
+
+  if (node.type === 'for_statement') {
+    // `for VAR in WORD...; do BODY; done` — iterate BODY once per word.
+    // Body commands extracted once; every iteration runs the same commands.
+    //
+    // SECURITY: Loop var is ALWAYS treated as unknown-value (VAR_PLACEHOLDER).
+    // Even "static" iteration words can be:
+    //  - Absolute paths: `for i in /etc/passwd; do rm $i; done` — body argv
+    //    would have placeholder, path validation never sees /etc/passwd.
+    //  - Globs: `for i in /etc/*; do rm $i; done` — `/etc/*` is a static word
+    //    at parse time but bash expands it at runtime.
+    //  - Flags: `for i in -rf /; do rm $i; done` — flag smuggling.
+    //
+    // VAR_PLACEHOLDER means bare `$i` in body → too-complex. Only
+    // string-embedding (`echo "item: $i"`) stays simple. This reverts some
+    // of the too-complex→simple rescues in the original PR — each one was a
+    // potential path-validation bypass.
+    let loopVar: string | null = null
+    let doGroup: Node | null = null
+    for (const child of node.children) {
+      if (!child) continue
+      if (child.type === 'variable_name') {
+        loopVar = child.text
+      } else if (child.type === 'do_group') {
+        doGroup = child
+      } else if (
+        child.type === 'for' ||
+        child.type === 'in' ||
+        child.type === 'select' ||
+        child.type === ';'
+      ) {
+        continue // structural tokens
+      } else if (child.type === 'command_substitution') {
+        // `for i in $(seq 1 3)` — inner cmd IS extracted and rule-checked.
+        const err = collectCommandSubstitution(child, commands, varScope)
+        if (err) return err
+      } else {
+        // Iteration values — validated via walkArgument. Value discarded:
+        // body argv gets VAR_PLACEHOLDER regardless of the iteration words,
+        // and bare `$i` in body → too-complex (see SECURITY comment above).
+        // We still validate to reject e.g. `for i in $(cmd); do ...; done`
+        // where the iteration word itself is a disallowed expansion.
+        const arg = walkArgument(child, commands, varScope)
+        if (typeof arg !== 'string') return arg
+      }
+    }
+    if (loopVar === null || doGroup === null) return tooComplex(node)
+    // SECURITY: `for PS4 in '$(id)'; do set -x; :; done` sets PS4 directly
+    // via varScope.set below — walkVariableAssignment's PS4/IFS checks never
+    // fire. Trace-time RCE (PS4) or word-split bypass (IFS). No legit use.
+    if (loopVar === 'PS4' || loopVar === 'IFS') {
+      return {
+        kind: 'too-complex',
+        reason: `${loopVar} as loop variable bypasses assignment validation`,
+        nodeType: 'for_statement',
+      }
+    }
+    // SECURITY: Body uses a scope COPY — vars assigned inside the loop
+    // body don't leak to commands after `done`. The loop var itself is
+    // set in the REAL scope (bash semantics: $i still set after loop)
+    // and copied into the body scope. ALWAYS VAR_PLACEHOLDER — see above.
+    varScope.set(loopVar, VAR_PLACEHOLDER)
+    const bodyScope = new Map(varScope)
+    for (const c of doGroup.children) {
+      if (!c) continue
+      if (c.type === 'do' || c.type === 'done' || c.type === ';') continue
+      const err = collectCommands(c, commands, bodyScope)
+      if (err) return err
+    }
+    return null
+  }
+
+  if (node.type === 'if_statement' || node.type === 'while_statement') {
+    // `if COND; then BODY; [elif...; else...;] fi`
+    // `while COND; do BODY; done`
+    // Extract condition command(s) + all branch/body commands. All get
+    // checked against permission rules. `while read VAR` tracks VAR so
+    // body can reference $VAR.
+    //
+    // SECURITY: Branch bodies use scope COPIES — vars assigned inside a
+    // conditional branch (which may not execute) must not leak to commands
+    // after fi/done. `if false; then T=safe; fi && rm $T` must reject $T.
+    // Condition commands use the REAL varScope (they always run for the
+    // check, so assignments there are unconditional — e.g., `while read V`
+    // tracking must persist to the body copy).
+    //
+    // tree-sitter if_statement children: if, COND..., then, THEN-BODY...,
+    // [elif_clause...], [else_clause], fi. We distinguish condition from
+    // then-body by tracking whether we've seen the `then` token.
+    let seenThen = false
+    for (const child of node.children) {
+      if (!child) continue
+      if (
+        child.type === 'if' ||
+        child.type === 'fi' ||
+        child.type === 'else' ||
+        child.type === 'elif' ||
+        child.type === 'while' ||
+        child.type === 'until' ||
+        child.type === ';'
+      ) {
+        continue
+      }
+      if (child.type === 'then') {
+        seenThen = true
+        continue
+      }
+      if (child.type === 'do_group') {
+        // while body: recurse with scope COPY (body assignments don't leak
+        // past done). The COPY contains any `read VAR` tracking from the
+        // condition (already in real varScope at this point).
+        const bodyScope = new Map(varScope)
+        for (const c of child.children) {
+          if (!c) continue
+          if (c.type === 'do' || c.type === 'done' || c.type === ';') continue
+          const err = collectCommands(c, commands, bodyScope)
+          if (err) return err
+        }
+        continue
+      }
+      if (child.type === 'elif_clause' || child.type === 'else_clause') {
+        // elif_clause: elif, cond, ;, then, body... / else_clause: else, body...
+        // Scope COPY — elif/else branch assignments don't leak past fi.
+        const branchScope = new Map(varScope)
+        for (const c of child.children) {
+          if (!c) continue
+          if (
+            c.type === 'elif' ||
+            c.type === 'else' ||
+            c.type === 'then' ||
+            c.type === ';'
+          ) {
+            continue
+          }
+          const err = collectCommands(c, commands, branchScope)
+          if (err) return err
+        }
+        continue
+      }
+      // Condition (seenThen=false) or then-body (seenThen=true).
+      // Condition uses REAL varScope (always runs). Then-body uses a COPY.
+      // Special-case `while read VAR`: after condition `read VAR` is
+      // collected, track VAR in the REAL scope so the body COPY inherits it.
+      const targetScope = seenThen ? new Map(varScope) : varScope
+      const before = commands.length
+      const err = collectCommands(child, commands, targetScope)
+      if (err) return err
+      // If condition included `read VAR...`, track vars in REAL scope.
+      // read var value is UNKNOWN (stdin input) → use VAR_PLACEHOLDER
+      // (unknown-value sentinel, string-only).
+      if (!seenThen) {
+        for (let i = before; i < commands.length; i++) {
+          const c = commands[i]
+          if (c?.argv[0] === 'read') {
+            for (const a of c.argv.slice(1)) {
+              // Skip flags (-r, -d, etc.); track bare identifier args as var names.
+              if (!a.startsWith('-') && /^[A-Za-z_][A-Za-z0-9_]*$/.test(a)) {
+                // SECURITY: commands[] is a flat accumulator. `true || read
+                // VAR` in the condition: the list handler correctly uses a
+                // scope COPY for the ||-RHS (may not run), but `read VAR`
+                // IS still pushed to commands[] — we can't tell it was
+                // scope-isolated from here. Same for `echo | read VAR`
+                // (pipeline, subshell in bash) and `(read VAR)` (subshell).
+                // Overwriting a tracked literal with VAR_PLACEHOLDER hides
+                // path traversal: `VAR=../../etc/passwd && if true || read
+                // VAR; then cat "/tmp/$VAR"; fi` — parser would see
+                // /tmp/__TRACKED_VAR__, bash reads /etc/passwd. Fail closed
+                // when a tracked literal would be overwritten. Safe case
+                // (no prior value or already a placeholder) → proceed.
+                const existing = varScope.get(a)
+                if (
+                  existing !== undefined &&
+                  !containsAnyPlaceholder(existing)
+                ) {
+                  return {
+                    kind: 'too-complex',
+                    reason: `'read ${a}' in condition may not execute (||/pipeline/subshell); cannot prove it overwrites tracked literal '${existing}'`,
+                    nodeType: 'if_statement',
+                  }
+                }
+                varScope.set(a, VAR_PLACEHOLDER)
+              }
+            }
+          }
+        }
+      }
+    }
+    return null
+  }
+
+  if (node.type === 'subshell') {
+    // `(cmd1; cmd2)` — run commands in a subshell. Inner commands ARE
+    // executed, so extract them for permission checking. Subshell has
+    // isolated scope: vars set inside don't leak out. Use a COPY of
+    // varScope (outer vars visible, inner changes discarded).
+    const innerScope = new Map(varScope)
+    for (const child of node.children) {
+      if (!child) continue
+      if (child.type === '(' || child.type === ')') continue
+      const err = collectCommands(child, commands, innerScope)
+      if (err) return err
+    }
+    return null
+  }
+
+  if (node.type === 'test_command') {
+    // `[[ EXPR ]]` or `[ EXPR ]` — conditional test. Evaluates to true/false
+    // based on file tests (-f, -d), string comparisons (==, !=), etc.
+    // No code execution (no command_substitution inside — that would be a
+    // child and we'd recurse into it via walkArgument and reject it).
+    // Push as a synthetic command with argv[0]='[[' so permission rules
+    // can match — `Bash([[ :*)` would be unusual but legal.
+    // Walk arguments to validate (no cmdsub/expansion inside operands).
+    const argv: string[] = ['[[']
+    for (const child of node.children) {
+      if (!child) continue
+      if (child.type === '[[' || child.type === ']]') continue
+      if (child.type === '[' || child.type === ']') continue
+      // Recurse into test expression structure: unary_expression,
+      // binary_expression, parenthesized_expression, negated_expression.
+      // The leaves are test_operator (-f, -d, ==) and operand words.
+      const err = walkTestExpr(child, argv, commands, varScope)
+      if (err) return err
+    }
+    commands.push({ argv, envVars: [], redirects: [], text: node.text })
+    return null
+  }
+
+  if (node.type === 'unset_command') {
+    // `unset FOO BAR`, `unset -f func`. Safe: only removes shell
+    // variables/functions from the current shell — no code execution, no
+    // filesystem I/O. tree-sitter emits a dedicated node type so it
+    // previously fell through to tooComplex. Children: `unset` keyword,
+    // `variable_name` for each name, `word` for flags like `-f`/`-v`.
+    const argv: string[] = []
+    for (const child of node.children) {
+      if (!child) continue
+      switch (child.type) {
+        case 'unset':
+          argv.push(child.text)
+          break
+        case 'variable_name':
+          argv.push(child.text)
+          // SECURITY: unset removes the var from bash's scope. Remove from
+          // varScope so subsequent `$VAR` references correctly reject.
+          // `VAR=safe && unset VAR && rm $VAR` must NOT resolve $VAR.
+          varScope.delete(child.text)
+          break
+        case 'word': {
+          const arg = walkArgument(child, commands, varScope)
+          if (typeof arg !== 'string') return arg
+          argv.push(arg)
+          break
+        }
+        default:
+          return tooComplex(child)
+      }
+    }
+    commands.push({ argv, envVars: [], redirects: [], text: node.text })
+    return null
+  }
+
+  return tooComplex(node)
+}
+
+/**
+ * Recursively walk a test_command expression tree (unary/binary/negated/
+ * parenthesized expressions). Leaves are test_operator tokens and operands
+ * (word/string/number/etc). Operands are validated via walkArgument.
+ */
+function walkTestExpr(
+  node: Node,
+  argv: string[],
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult | null {
+  switch (node.type) {
+    case 'unary_expression':
+    case 'binary_expression':
+    case 'negated_expression':
+    case 'parenthesized_expression': {
+      for (const c of node.children) {
+        if (!c) continue
+        const err = walkTestExpr(c, argv, innerCommands, varScope)
+        if (err) return err
+      }
+      return null
+    }
+    case 'test_operator':
+    case '!':
+    case '(':
+    case ')':
+    case '&&':
+    case '||':
+    case '==':
+    case '=':
+    case '!=':
+    case '<':
+    case '>':
+    case '=~':
+      argv.push(node.text)
+      return null
+    case 'regex':
+    case 'extglob_pattern':
+      // RHS of =~ or ==/!= in [[ ]]. Pattern text only — no code execution.
+      // Parser emits these as leaf nodes with no children (any $(...) or ${...}
+      // inside the pattern is a sibling, not a child, and is walked separately).
+      argv.push(node.text)
+      return null
+    default: {
+      // Operand — word, string, number, etc. Validate via walkArgument.
+      const arg = walkArgument(node, innerCommands, varScope)
+      if (typeof arg !== 'string') return arg
+      argv.push(arg)
+      return null
+    }
+  }
+}
+
+/**
+ * A `redirected_statement` wraps a command (or pipeline) plus one or more
+ * `file_redirect`/`heredoc_redirect` nodes. Extract redirects, walk the
+ * inner command, attach redirects to the LAST command (the one whose output
+ * is being redirected).
+ */
+function walkRedirectedStatement(
+  node: Node,
+  commands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult | null {
+  const redirects: Redirect[] = []
+  let innerCommand: Node | null = null
+
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.type === 'file_redirect') {
+      // Thread `commands` so $() in redirect targets (e.g., `> $(mktemp)`)
+      // extracts the inner command for permission checking.
+      const r = walkFileRedirect(child, commands, varScope)
+      if ('kind' in r) return r
+      redirects.push(r)
+    } else if (child.type === 'heredoc_redirect') {
+      const r = walkHeredocRedirect(child)
+      if (r) return r
+    } else if (
+      child.type === 'command' ||
+      child.type === 'pipeline' ||
+      child.type === 'list' ||
+      child.type === 'negated_command' ||
+      child.type === 'declaration_command' ||
+      child.type === 'unset_command'
+    ) {
+      innerCommand = child
+    } else {
+      return tooComplex(child)
+    }
+  }
+
+  if (!innerCommand) {
+    // `> file` alone is valid bash (truncates file). Represent as a command
+    // with empty argv so downstream sees the write.
+    commands.push({ argv: [], envVars: [], redirects, text: node.text })
+    return null
+  }
+
+  const before = commands.length
+  const err = collectCommands(innerCommand, commands, varScope)
+  if (err) return err
+  if (commands.length > before && redirects.length > 0) {
+    const last = commands[commands.length - 1]
+    if (last) last.redirects.push(...redirects)
+  }
+  return null
+}
+
+/**
+ * Extract operator + target from a `file_redirect` node. The target must be
+ * a static word or string.
+ */
+function walkFileRedirect(
+  node: Node,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): Redirect | ParseForSecurityResult {
+  let op: Redirect['op'] | null = null
+  let target: string | null = null
+  let fd: number | undefined
+
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.type === 'file_descriptor') {
+      fd = Number(child.text)
+    } else if (child.type in REDIRECT_OPS) {
+      op = REDIRECT_OPS[child.type] ?? null
+    } else if (child.type === 'word' || child.type === 'number') {
+      // SECURITY: `number` nodes can contain expansion children via the
+      // `NN#<expansion>` arithmetic-base grammar quirk — same issue as
+      // walkArgument's number case. `> 10#$(cmd)` runs cmd at runtime.
+      // Plain word/number nodes have zero children.
+      if (child.children.length > 0) return tooComplex(child)
+      // Symmetry with walkArgument (~608): `echo foo > {a,b}` is an
+      // ambiguous redirect in bash. tree-sitter actually emits a
+      // `concatenation` node for brace targets (caught by the default
+      // branch below), but check `word` text too for defense-in-depth.
+      if (BRACE_EXPANSION_RE.test(child.text)) return tooComplex(child)
+      // Unescape backslash sequences — same as walkArgument. Bash quote
+      // removal turns `\X` → `X`. Without this, `cat < /proc/self/\environ`
+      // stores target `/proc/self/\environ` which evades PROC_ENVIRON_RE,
+      // but bash reads /proc/self/environ.
+      target = child.text.replace(/\\(.)/g, '$1')
+    } else if (child.type === 'raw_string') {
+      target = stripRawString(child.text)
+    } else if (child.type === 'string') {
+      const s = walkString(child, innerCommands, varScope)
+      if (typeof s !== 'string') return s
+      target = s
+    } else if (child.type === 'concatenation') {
+      // `echo > "foo"bar` — tree-sitter produces a concatenation of string +
+      // word children. walkArgument already validates concatenation (rejects
+      // expansions, checks brace syntax) and returns the joined text.
+      const s = walkArgument(child, innerCommands, varScope)
+      if (typeof s !== 'string') return s
+      target = s
+    } else {
+      return tooComplex(child)
+    }
+  }
+
+  if (!op || target === null) {
+    return {
+      kind: 'too-complex',
+      reason: 'Unrecognized redirect shape',
+      nodeType: node.type,
+    }
+  }
+  return { op, target, fd }
+}
+
+/**
+ * Heredoc redirect. Only quoted-delimiter heredocs (<<'EOF') are safe —
+ * their bodies are literal text. Unquoted-delimiter heredocs (<<EOF)
+ * undergo full parameter/command/arithmetic expansion in the body.
+ *
+ * SECURITY: tree-sitter-bash has a grammar gap — backticks (`...`) inside
+ * an unquoted heredoc body are NOT parsed as command_substitution nodes
+ * (body.children is empty, backticks are in body.text). But bash DOES
+ * execute them. We cannot safely relax the quoted-delimiter requirement
+ * by checking body children for expansion nodes — we'd miss backtick
+ * substitution. Keep rejecting all unquoted heredocs. Users should use
+ * <<'EOF' to get a literal body, which the model already prefers.
+ */
+function walkHeredocRedirect(node: Node): ParseForSecurityResult | null {
+  let startText: string | null = null
+  let body: Node | null = null
+
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.type === 'heredoc_start') startText = child.text
+    else if (child.type === 'heredoc_body') body = child
+    else if (
+      child.type === '<<' ||
+      child.type === '<<-' ||
+      child.type === 'heredoc_end' ||
+      child.type === 'file_descriptor'
+    ) {
+      // expected structural tokens — safe to skip. file_descriptor
+      // covers fd-prefixed heredocs (`cat 3<<'EOF'`) — walkFileRedirect
+      // already treats it as a benign structural token.
+    } else {
+      // SECURITY: tree-sitter places pipeline / command / file_redirect /
+      // && / etc. as children of heredoc_redirect when they follow the
+      // delimiter on the same line (e.g. `ls <<'EOF' | rm x`). Previously
+      // these were silently skipped, hiding the piped command from
+      // permission checks. Fail closed like every other walker.
+      return tooComplex(child)
+    }
+  }
+
+  const isQuoted =
+    startText !== null &&
+    ((startText.startsWith("'") && startText.endsWith("'")) ||
+      (startText.startsWith('"') && startText.endsWith('"')) ||
+      startText.startsWith('\\'))
+
+  if (!isQuoted) {
+    return {
+      kind: 'too-complex',
+      reason: 'Heredoc with unquoted delimiter undergoes shell expansion',
+      nodeType: 'heredoc_redirect',
+    }
+  }
+
+  if (body) {
+    for (const child of body.children) {
+      if (!child) continue
+      if (child.type !== 'heredoc_content') {
+        return tooComplex(child)
+      }
+    }
+  }
+  return null
+}
+
+/**
+ * Here-string redirect (`<<< content`). The content becomes stdin — not
+ * argv, not a path. Safe when content is a literal word, raw_string, or
+ * string with no expansions. Reject when content contains $()/${}/$VAR —
+ * those execute arbitrary code or inject runtime values.
+ *
+ * Reuses walkArgument for content validation: it already rejects
+ * command_substitution, expansion, and (for strings) simple_expansion
+ * unless the var is tracked/safe. The result string is discarded — we only
+ * care that it's statically resolvable.
+ *
+ * NOTE: `VAR=$(cmd) && cat <<< "$VAR"` would be safe in principle (inner
+ * cmd is extracted separately, herestring content is stdin) but is
+ * currently rejected conservatively — walkString's solo-placeholder guard
+ * fires because it has no awareness of herestring vs argv context.
+ */
+function walkHerestringRedirect(
+  node: Node,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult | null {
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.type === '<<<') continue
+    // Content node: reuse walkArgument. It returns a string on success
+    // (which we discard — content is stdin, irrelevant to permissions) or
+    // a too-complex result on failure (expansion found, unresolvable var).
+    const content = walkArgument(child, innerCommands, varScope)
+    if (typeof content !== 'string') return content
+    // Herestring content is discarded (not in argv/envVars/redirects) but
+    // remains in .text via raw node.text. Scan it here so checkSemantics's
+    // NEWLINE_HASH invariant (bashPermissions.ts relies on it) still holds.
+    if (NEWLINE_HASH_RE.test(content)) return tooComplex(child)
+  }
+  return null
+}
+
+/**
+ * Walk a `command` node and extract argv. Children appear in order:
+ * [variable_assignment...] command_name [argument...] [file_redirect...]
+ * Any child type not explicitly handled triggers too-complex.
+ */
+function walkCommand(
+  node: Node,
+  extraRedirects: Redirect[],
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult {
+  const argv: string[] = []
+  const envVars: { name: string; value: string }[] = []
+  const redirects: Redirect[] = [...extraRedirects]
+
+  for (const child of node.children) {
+    if (!child) continue
+
+    switch (child.type) {
+      case 'variable_assignment': {
+        const ev = walkVariableAssignment(child, innerCommands, varScope)
+        if ('kind' in ev) return ev
+        // SECURITY: Env-prefix assignments (`VAR=x cmd`) are command-local in
+        // bash — VAR is only visible to `cmd` as an env var, NOT to
+        // subsequent commands. Do NOT add to global varScope — that would
+        // let `VAR=safe cmd1 && rm $VAR` resolve $VAR when bash has unset it.
+        envVars.push({ name: ev.name, value: ev.value })
+        break
+      }
+      case 'command_name': {
+        const arg = walkArgument(
+          child.children[0] ?? child,
+          innerCommands,
+          varScope,
+        )
+        if (typeof arg !== 'string') return arg
+        argv.push(arg)
+        break
+      }
+      case 'word':
+      case 'number':
+      case 'raw_string':
+      case 'string':
+      case 'concatenation':
+      case 'arithmetic_expansion': {
+        const arg = walkArgument(child, innerCommands, varScope)
+        if (typeof arg !== 'string') return arg
+        argv.push(arg)
+        break
+      }
+      // NOTE: command_substitution as a BARE argument (not inside a string)
+      // is intentionally NOT handled here — the $() output IS the argument,
+      // and for path-sensitive commands (cd, rm, chmod) the placeholder would
+      // hide the real path from downstream checks. `cd $(echo /etc)` must
+      // stay too-complex so the path-check can't be bypassed. $() inside
+      // strings ("Timer: $(date)") is handled in walkString where the output
+      // is embedded in a longer string (safer).
+      case 'simple_expansion': {
+        // Bare `$VAR` as an argument. Tracked static vars return the ACTUAL
+        // value (e.g. VAR=/etc → '/etc'). Values with IFS/glob chars or
+        // placeholders reject. See resolveSimpleExpansion.
+        const v = resolveSimpleExpansion(child, varScope, false)
+        if (typeof v !== 'string') return v
+        argv.push(v)
+        break
+      }
+      case 'file_redirect': {
+        const r = walkFileRedirect(child, innerCommands, varScope)
+        if ('kind' in r) return r
+        redirects.push(r)
+        break
+      }
+      case 'herestring_redirect': {
+        // `cmd <<< "content"` — content is stdin, not argv. Validate it's
+        // literal (no expansion); discard the content string.
+        const err = walkHerestringRedirect(child, innerCommands, varScope)
+        if (err) return err
+        break
+      }
+      default:
+        return tooComplex(child)
+    }
+  }
+
+  // .text is the raw source span. Downstream (bashToolCheckPermission →
+  // splitCommand_DEPRECATED) re-tokenizes it via shell-quote. Normally .text
+  // is used unchanged — but if we resolved a $VAR into argv, .text diverges
+  // (has raw `$VAR`) and downstream RULE MATCHING would miss deny rules.
+  //
+  // SECURITY: `SUB=push && git $SUB --force` with `Bash(git push:*)` deny:
+  //   argv = ['git', 'push', '--force']  ← correct, path validation sees 'push'
+  //   .text = 'git $SUB --force'         ← deny rule 'git push:*' doesn't match
+  //
+  // Detection: any `$<identifier>` in node.text means a simple_expansion was
+  // resolved (or we'd have returned too-complex). This catches $VAR at any
+  // position — command_name, word, string interior, concatenation part.
+  // `$(...)` doesn't match (paren, not identifier start). `'$VAR'` in single
+  // quotes: tree-sitter's .text includes the quotes, so a naive check would
+  // FP on `echo '$VAR'`. But single-quoted $ is LITERAL in bash — argv has
+  // the literal `$VAR` string, so rebuilding from argv produces `'$VAR'`
+  // anyway (shell-escape wraps it). Same net .text. No rule-matching error.
+  //
+  // Rebuild .text from argv. Shell-escape each arg: single-quote wrap with
+  // `'\''` for embedded single quotes. Empty string, metacharacters, and
+  // placeholders all get quoted. Downstream shell-quote re-parse is correct.
+  //
+  // NOTE: This does NOT include redirects/envVars in the rebuilt .text —
+  // walkFileRedirect rejects simple_expansion, and envVars aren't used for
+  // rule matching. If either changes, this rebuild must include them.
+  //
+  // SECURITY: also rebuild when node.text contains a newline. Line
+  // continuations `<space>\<LF>` are invisible to argv (tree-sitter collapses
+  // them) but preserved in node.text. `timeout 5 \<LF>curl evil.com` → argv
+  // is correct, but raw .text → stripSafeWrappers matches `timeout 5 ` (the
+  // space before \), leaving `\<LF>curl evil.com` — Bash(curl:*) deny doesn't
+  // prefix-match. Rebuilt .text joins argv with ' ' → no newlines →
+  // stripSafeWrappers works. Also covers heredoc-body leakage.
+  const text =
+    /\$[A-Za-z_]/.test(node.text) || node.text.includes('\n')
+      ? argv
+          .map(a =>
+            a === '' || /["'\\ \t\n$`;|&<>(){}*?[\]~#]/.test(a)
+              ? `'${a.replace(/'/g, "'\\''")}'`
+              : a,
+          )
+          .join(' ')
+      : node.text
+  return {
+    kind: 'simple',
+    commands: [{ argv, envVars, redirects, text }],
+  }
+}
+
+/**
+ * Recurse into a command_substitution node's inner command(s). If the inner
+ * command(s) parse cleanly (simple), add them to the innerCommands
+ * accumulator and return null (success). If the inner command is itself
+ * too-complex (e.g., nested arith expansion, process sub), return the error.
+ * This enables recursive permission checking: `echo $(git rev-parse HEAD)`
+ * extracts BOTH `echo $(git rev-parse HEAD)` (outer) AND `git rev-parse HEAD`
+ * (inner) — permission rules must match BOTH for the whole command to allow.
+ */
+function collectCommandSubstitution(
+  csNode: Node,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): ParseForSecurityResult | null {
+  // Vars set BEFORE the $() are visible inside (bash subshell semantics),
+  // but vars set INSIDE don't leak out. Pass a COPY of the outer scope so
+  // inner assignments don't mutate the outer map.
+  const innerScope = new Map(varScope)
+  // command_substitution children: `$(` or `` ` ``, inner statement(s), `)`
+  for (const child of csNode.children) {
+    if (!child) continue
+    if (child.type === '$(' || child.type === '`' || child.type === ')') {
+      continue
+    }
+    const err = collectCommands(child, innerCommands, innerScope)
+    if (err) return err
+  }
+  return null
+}
+
+/**
+ * Convert an argument node to its literal string value. Quotes are resolved.
+ * This function implements the argument-position allowlist.
+ */
+function walkArgument(
+  node: Node | null,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): string | ParseForSecurityResult {
+  if (!node) {
+    return { kind: 'too-complex', reason: 'Null argument node' }
+  }
+
+  switch (node.type) {
+    case 'word': {
+      // Unescape backslash sequences. In unquoted context, bash's quote
+      // removal turns `\X` → `X` for any character X. tree-sitter preserves
+      // the raw text. Required for checkSemantics: `\eval` must match
+      // EVAL_LIKE_BUILTINS, `\zmodload` must match ZSH_DANGEROUS_BUILTINS.
+      // Also makes argv accurate: `find -exec {} \;` → argv has `;` not
+      // `\;`. (Deny-rule matching on .text already worked via downstream
+      // splitCommand_DEPRECATED unescaping — see walkCommand comment.) `\<whitespace>`
+      // is already rejected by BACKSLASH_WHITESPACE_RE.
+      if (BRACE_EXPANSION_RE.test(node.text)) {
+        return {
+          kind: 'too-complex',
+          reason: 'Word contains brace expansion syntax',
+          nodeType: 'word',
+        }
+      }
+      return node.text.replace(/\\(.)/g, '$1')
+    }
+
+    case 'number':
+      // SECURITY: tree-sitter-bash parses `NN#<expansion>` (arithmetic base
+      // syntax) as a `number` node with the expansion as a CHILD. `10#$(cmd)`
+      // is a number node whose .text is the full literal but whose child is a
+      // command_substitution — bash runs the substitution. .text on a node
+      // with children would smuggle the expansion past permission checks.
+      // Plain numbers (`10`, `16#ff`) have zero children.
+      if (node.children.length > 0) {
+        return {
+          kind: 'too-complex',
+          reason: 'Number node contains expansion (NN# arithmetic base syntax)',
+          nodeType: node.children[0]?.type,
+        }
+      }
+      return node.text
+
+    case 'raw_string':
+      return stripRawString(node.text)
+
+    case 'string':
+      return walkString(node, innerCommands, varScope)
+
+    case 'concatenation': {
+      if (BRACE_EXPANSION_RE.test(node.text)) {
+        return {
+          kind: 'too-complex',
+          reason: 'Brace expansion',
+          nodeType: 'concatenation',
+        }
+      }
+      let result = ''
+      for (const child of node.children) {
+        if (!child) continue
+        const part = walkArgument(child, innerCommands, varScope)
+        if (typeof part !== 'string') return part
+        result += part
+      }
+      return result
+    }
+
+    case 'arithmetic_expansion': {
+      const err = walkArithmetic(node)
+      if (err) return err
+      return node.text
+    }
+
+    case 'simple_expansion': {
+      // `$VAR` inside a concatenation (e.g., `prefix$VAR`). Same rules
+      // as the bare case in walkCommand: must be tracked or SAFE_ENV_VARS.
+      // inside-concatenation counts as bare arg (the whole concat IS the arg)
+      return resolveSimpleExpansion(node, varScope, false)
+    }
+
+    // NOTE: command_substitution at arg position (bare or inside concatenation)
+    // is intentionally NOT handled — the output is/becomes-part-of a positional
+    // argument which might be a path or flag. `rm $(foo)` or `rm $(foo)bar`
+    // would hide the real path behind the placeholder. Only $() inside a
+    // `string` node (walkString) is extracted, since the output is embedded
+    // in a longer string rather than BEING the argument.
+
+    default:
+      return tooComplex(node)
+  }
+}
+
+/**
+ * Extract literal content from a double-quoted string node. A `string` node's
+ * children are `"` delimiters, `string_content` literals, and possibly
+ * expansion nodes.
+ *
+ * tree-sitter quirk: literal newlines inside double quotes are NOT included
+ * in `string_content` node text. bash preserves them. For `"a\nb"`,
+ * tree-sitter produces two `string_content` children (`"a"`, `"b"`) with the
+ * newline in neither. For `"\n#"`, it produces ONE child (`"#"`) with the
+ * leading newline eaten. Concatenating children therefore loses newlines.
+ *
+ * Fix: track child `startIndex` and insert one `\n` per index gap. The gap
+ * between children IS the dropped newline(s). This makes the argv value
+ * match what bash actually sees.
+ */
+function walkString(
+  node: Node,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): string | ParseForSecurityResult {
+  let result = ''
+  let cursor = -1
+  // SECURITY: Track whether the string contains a runtime-unknown
+  // placeholder ($() output or unknown-value tracked var) vs any literal
+  // content. A string that is ONLY a placeholder (`"$(cmd)"`, `"$VAR"`
+  // where VAR holds an unknown sentinel) produces an argv element that IS
+  // the placeholder — which downstream path validation resolves as a
+  // relative filename within cwd, bypassing the check. `cd "$(echo /etc)"`
+  // would pass validation but runtime-cd into /etc. We reject
+  // solo-placeholder strings; placeholders mixed with literal content
+  // (`"prefix: $(cmd)"`) are safe — runtime value can't equal a bare path.
+  let sawDynamicPlaceholder = false
+  let sawLiteralContent = false
+  for (const child of node.children) {
+    if (!child) continue
+    // Index gap between this child and the previous one = dropped newline(s).
+    // Ignore the gap before the first non-delimiter child (cursor === -1).
+    // Skip gap-fill for `"` delimiters: a gap before the closing `"` is the
+    // tree-sitter whitespace-only-string quirk (space/tab, not newline) — let
+    // the Fix C check below catch it as too-complex instead of mis-filling
+    // with `\n` and diverging from bash.
+    if (cursor !== -1 && child.startIndex > cursor && child.type !== '"') {
+      result += '\n'.repeat(child.startIndex - cursor)
+      sawLiteralContent = true
+    }
+    cursor = child.endIndex
+    switch (child.type) {
+      case '"':
+        // Reset cursor after opening quote so the gap between `"` and the
+        // first content child is captured.
+        cursor = child.endIndex
+        break
+      case 'string_content':
+        // Bash double-quote escape rules (NOT the generic /\\(.)/g used for
+        // unquoted words in walkArgument): inside "...", a backslash only
+        // escapes $ ` " \ — other sequences like \n stay literal. So
+        // `"fix \"bug\""` → `fix "bug"`, but `"a\nb"` → `a\nb` (backslash
+        // kept). tree-sitter preserves the raw escapes in .text; we resolve
+        // them here so argv matches what bash actually passes.
+        result += child.text.replace(/\\([$`"\\])/g, '$1')
+        sawLiteralContent = true
+        break
+      case DOLLAR:
+        // A bare dollar sign before closing quote or a non-name char is
+        // literal in bash. tree-sitter emits it as a standalone node.
+        result += DOLLAR
+        sawLiteralContent = true
+        break
+      case 'command_substitution': {
+        // Carve-out: `$(cat <<'EOF' ... EOF)` is safe. The quoted-delimiter
+        // heredoc body is literal (no expansion), and `cat` just prints it.
+        // The substitution result is therefore a known static string. This
+        // pattern is the idiomatic way to pass multi-line content to tools
+        // like `gh pr create --body`. We replace the substitution with a
+        // placeholder argv value — the actual content doesn't matter for
+        // permission checking, only that it IS static.
+        const heredocBody = extractSafeCatHeredoc(child)
+        if (heredocBody === 'DANGEROUS') return tooComplex(child)
+        if (heredocBody !== null) {
+          // SECURITY: the body IS the substitution result. Previously we
+          // dropped it → `rm "$(cat <<'EOF'\n/etc/passwd\nEOF)"` produced
+          // argv ['rm',''] while bash runs `rm /etc/passwd`. validatePath('')
+          // resolves to cwd → allowed. Every path-constrained command
+          // bypassed via this. Now: append the body (trailing LF trimmed —
+          // bash $() strips trailing newlines).
+          //
+          // Tradeoff: bodies with internal newlines are multi-line text
+          // (markdown, scripts) which cannot be valid paths — safe to drop
+          // to avoid NEWLINE_HASH_RE false positives on `## Summary`. A
+          // single-line body (like `/etc/passwd`) MUST go into argv so
+          // downstream path validation sees the real target.
+          const trimmed = heredocBody.replace(/\n+$/, '')
+          if (trimmed.includes('\n')) {
+            sawLiteralContent = true
+            break
+          }
+          result += trimmed
+          sawLiteralContent = true
+          break
+        }
+        // General $() inside "...": recurse into inner command(s). If they
+        // parse cleanly, they become additional subcommands that the
+        // permission system must match rules against. The outer argv gets
+        // the original $() text as placeholder (runtime-determined value).
+        // `echo "SHA: $(git rev-parse HEAD)"` → extracts BOTH
+        // `echo "SHA: $(...)"` AND `git rev-parse HEAD` — both must match
+        // permission rules. ~27% of too-complex in top-5k ant cmds.
+        const err = collectCommandSubstitution(child, innerCommands, varScope)
+        if (err) return err
+        result += CMDSUB_PLACEHOLDER
+        sawDynamicPlaceholder = true
+        break
+      }
+      case 'simple_expansion': {
+        // `$VAR` inside "...". Tracked/safe vars resolve; untracked reject.
+        const v = resolveSimpleExpansion(child, varScope, true)
+        if (typeof v !== 'string') return v
+        // VAR_PLACEHOLDER = runtime-unknown (loop var, read var, $() output,
+        // SAFE_ENV_VARS, special vars). Any other string = actual literal
+        // value from a tracked static var (e.g. VAR=/tmp → v='/tmp').
+        if (v === VAR_PLACEHOLDER) sawDynamicPlaceholder = true
+        else sawLiteralContent = true
+        result += v
+        break
+      }
+      case 'arithmetic_expansion': {
+        const err = walkArithmetic(child)
+        if (err) return err
+        result += child.text
+        // Validated to be literal-numeric — static content.
+        sawLiteralContent = true
+        break
+      }
+      default:
+        // expansion (${...}) inside "..."
+        return tooComplex(child)
+    }
+  }
+  // SECURITY: Reject solo-placeholder strings. `"$(cmd)"` or `"$VAR"` (where
+  // VAR holds an unknown value) would produce an argv element that IS the
+  // placeholder — which bypasses downstream path validation (validatePath
+  // resolves placeholders as relative filenames within cwd). Only allow
+  // placeholders embedded alongside literal content (`"prefix: $(cmd)"`).
+  if (sawDynamicPlaceholder && !sawLiteralContent) {
+    return tooComplex(node)
+  }
+  // SECURITY: tree-sitter-bash quirk — a double-quoted string containing
+  // ONLY whitespace (` "`, `" "`, `"\t"`) produces NO string_content child;
+  // the whitespace is attributed to the closing `"` node's text. Our loop
+  // only adds to `result` from string_content/expansion children, so we'd
+  // return "" when bash sees " ". Detect: we saw no content children
+  // (both flags false — neither literal nor placeholder added) but the
+  // source span is longer than bare `""`. Genuine `""` has text.length==2.
+  // `"$V"` with V="" doesn't hit this — the simple_expansion child sets
+  // sawLiteralContent via the `else` branch even when v is empty.
+  if (!sawLiteralContent && !sawDynamicPlaceholder && node.text.length > 2) {
+    return tooComplex(node)
+  }
+  return result
+}
+
+/**
+ * Safe leaf nodes inside arithmetic expansion: integer literals (decimal,
+ * hex, octal, bash base#digits) and operator/paren tokens. Anything else at
+ * leaf position (notably variable_name that isn't a numeric literal) rejects.
+ */
+const ARITH_LEAF_RE =
+  /^(?:[0-9]+|0[xX][0-9a-fA-F]+|[0-9]+#[0-9a-zA-Z]+|[-+*/%^&|~!<>=?:(),]+|<<|>>|\*\*|&&|\|\||[<>=!]=|\$\(\(|\)\))$/
+
+/**
+ * Recursively validate an arithmetic_expansion node. Allows only literal
+ * numeric expressions — no variables, no substitutions. Returns null if
+ * safe, or a too-complex result if not.
+ *
+ * Variables are rejected because bash arithmetic recursively evaluates
+ * variable values: if x='a[$(cmd)]' then $((x)) executes cmd. See
+ * https://www.vidarholen.net/contents/blog/?p=716 (arithmetic injection).
+ *
+ * When safe, the caller puts the full `$((…))` span into argv as a literal
+ * string. bash will expand it to an integer at runtime; the static string
+ * won't match any sensitive path/deny patterns.
+ */
+function walkArithmetic(node: Node): ParseForSecurityResult | null {
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.children.length === 0) {
+      if (!ARITH_LEAF_RE.test(child.text)) {
+        return {
+          kind: 'too-complex',
+          reason: `Arithmetic expansion references variable or non-literal: ${child.text}`,
+          nodeType: 'arithmetic_expansion',
+        }
+      }
+      continue
+    }
+    switch (child.type) {
+      case 'binary_expression':
+      case 'unary_expression':
+      case 'ternary_expression':
+      case 'parenthesized_expression': {
+        const err = walkArithmetic(child)
+        if (err) return err
+        break
+      }
+      default:
+        return tooComplex(child)
+    }
+  }
+  return null
+}
+
+/**
+ * Check if a command_substitution node is exactly `$(cat <<'DELIM'...DELIM)`
+ * and return the heredoc body if so. Any deviation (extra args to cat,
+ * unquoted delimiter, additional commands) returns null.
+ *
+ * tree-sitter structure:
+ *   command_substitution
+ *     $(
+ *     redirected_statement
+ *       command → command_name → word "cat"    (exactly one child)
+ *       heredoc_redirect
+ *         <<
+ *         heredoc_start 'DELIM'                (quoted)
+ *         heredoc_body                         (pure heredoc_content)
+ *         heredoc_end
+ *     )
+ */
+function extractSafeCatHeredoc(subNode: Node): string | 'DANGEROUS' | null {
+  // Expect exactly: $( + one redirected_statement + )
+  let stmt: Node | null = null
+  for (const child of subNode.children) {
+    if (!child) continue
+    if (child.type === '$(' || child.type === ')') continue
+    if (child.type === 'redirected_statement' && stmt === null) {
+      stmt = child
+    } else {
+      return null
+    }
+  }
+  if (!stmt) return null
+
+  // redirected_statement must be: command(cat) + heredoc_redirect (quoted)
+  let sawCat = false
+  let body: string | null = null
+  for (const child of stmt.children) {
+    if (!child) continue
+    if (child.type === 'command') {
+      // Must be bare `cat` — no args, no env vars
+      const cmdChildren = child.children.filter(c => c)
+      if (cmdChildren.length !== 1) return null
+      const nameNode = cmdChildren[0]
+      if (nameNode?.type !== 'command_name' || nameNode.text !== 'cat') {
+        return null
+      }
+      sawCat = true
+    } else if (child.type === 'heredoc_redirect') {
+      // Reuse the existing validator: quoted delimiter, body is pure text.
+      // walkHeredocRedirect returns null on success, non-null on rejection.
+      if (walkHeredocRedirect(child) !== null) return null
+      for (const hc of child.children) {
+        if (hc?.type === 'heredoc_body') body = hc.text
+      }
+    } else {
+      return null
+    }
+  }
+
+  if (!sawCat || body === null) return null
+  // SECURITY: the heredoc body becomes the outer command's argv value via
+  // substitution, so a body like `/proc/self/environ` is semantically
+  // `cat /proc/self/environ`. checkSemantics never sees the body (we drop it
+  // at the walkString call site to avoid newline+# FPs). Returning `null`
+  // here would fall through to collectCommandSubstitution in walkString,
+  // which would extract the inner `cat` via walkHeredocRedirect (body text
+  // not inspected there) — effectively bypassing this check. Return a
+  // distinct sentinel so the caller can reject instead of falling through.
+  if (PROC_ENVIRON_RE.test(body)) return 'DANGEROUS'
+  // Same for jq system(): checkSemantics checks argv but never sees the
+  // heredoc body. Check unconditionally (we don't know the outer command).
+  if (/\bsystem\s*\(/.test(body)) return 'DANGEROUS'
+  return body
+}
+
+function walkVariableAssignment(
+  node: Node,
+  innerCommands: SimpleCommand[],
+  varScope: Map<string, string>,
+): { name: string; value: string; isAppend: boolean } | ParseForSecurityResult {
+  let name: string | null = null
+  let value = ''
+  let isAppend = false
+
+  for (const child of node.children) {
+    if (!child) continue
+    if (child.type === 'variable_name') {
+      name = child.text
+    } else if (child.type === '=' || child.type === '+=') {
+      // `PATH+=":/new"` — tree-sitter emits `+=` as a distinct operator
+      // node. Without this case it falls through to walkArgument below
+      // → tooComplex on unknown type `+=`.
+      isAppend = child.type === '+='
+      continue
+    } else if (child.type === 'command_substitution') {
+      // $() as the variable's value. The output becomes a STRING stored in
+      // the variable — it's NOT a positional argument (no path/flag concern).
+      // `VAR=$(date)` runs `date`, stores output. `VAR=$(rm -rf /)` runs
+      // `rm` — the inner command IS checked against permission rules, so
+      // `rm` must match a rule. The variable just holds whatever `rm` prints.
+      const err = collectCommandSubstitution(child, innerCommands, varScope)
+      if (err) return err
+      value = CMDSUB_PLACEHOLDER
+    } else if (child.type === 'simple_expansion') {
+      // `VAR=$OTHER` — assignment RHS does NOT word-split or glob-expand
+      // in bash (unlike command arguments). So `A="a b"; B=$A` sets B to
+      // the literal "a b". Resolve as if inside a string (insideString=true)
+      // so BARE_VAR_UNSAFE_RE doesn't over-reject. The resulting value may
+      // contain spaces/globs — if B is later used as a bare arg, THAT use
+      // will correctly reject via BARE_VAR_UNSAFE_RE.
+      const v = resolveSimpleExpansion(child, varScope, true)
+      if (typeof v !== 'string') return v
+      // If v is VAR_PLACEHOLDER (OTHER holds unknown), store it — combined
+      // with containsAnyPlaceholder in the caller to treat as unknown.
+      value = v
+    } else {
+      const v = walkArgument(child, innerCommands, varScope)
+      if (typeof v !== 'string') return v
+      value = v
+    }
+  }
+
+  if (name === null) {
+    return {
+      kind: 'too-complex',
+      reason: 'Variable assignment without name',
+      nodeType: 'variable_assignment',
+    }
+  }
+  // SECURITY: tree-sitter-bash accepts invalid var names (e.g. `1VAR=value`)
+  // as variable_assignment. Bash only recognizes [A-Za-z_][A-Za-z0-9_]* —
+  // anything else is run as a COMMAND. `1VAR=value` → bash tries to execute
+  // `1VAR=value` from PATH. We must not treat it as an inert assignment.
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
+    return {
+      kind: 'too-complex',
+      reason: `Invalid variable name (bash treats as command): ${name}`,
+      nodeType: 'variable_assignment',
+    }
+  }
+  // SECURITY: Setting IFS changes word-splitting behavior for subsequent
+  // unquoted $VAR expansions. `IFS=: && VAR=a:b && rm $VAR` → bash splits
+  // on `:` → `rm a b`. Our BARE_VAR_UNSAFE_RE only checks default IFS
+  // chars (space/tab/NL) — we can't model custom IFS. Reject.
+  if (name === 'IFS') {
+    return {
+      kind: 'too-complex',
+      reason: 'IFS assignment changes word-splitting — cannot model statically',
+      nodeType: 'variable_assignment',
+    }
+  }
+  // SECURITY: PS4 is expanded via promptvars (default on) on every command
+  // traced after `set -x`. A raw_string value containing $(cmd) or `cmd`
+  // executes at trace time: `PS4='$(id)' && set -x && :` runs id, but our
+  // argv is only [["set","-x"],[":"]] — the payload is invisible to
+  // permission checks. PS0-3 and PROMPT_COMMAND are not expanded in
+  // non-interactive shells (BashTool).
+  //
+  // ALLOWLIST, not blocklist. 5 rounds of bypass patches taught us that a
+  // value-dependent blocklist is structurally fragile:
+  //   - `+=` effective-value computation diverges from bash in multiple
+  //     scope-model gaps: `||` reset, env-prefix chain (PS4='' && PS4='$'
+  //     PS4+='(id)' cmd reads stale parent value), subshell.
+  //   - bash's decode_prompt_string runs BEFORE promptvars, so `\044(id)`
+  //     (octal for `$`) becomes `$(id)` at trace time — any literal-char
+  //     check must model prompt-escape decoding exactly.
+  //   - assignment paths exist outside walkVariableAssignment (for_statement
+  //     sets loopVar directly, see that handler's PS4 check).
+  //
+  // Policy: (1) reject += outright — no scope-tracking dependency; user can
+  // combine into one PS4=... (2) reject placeholders — runtime unknowable.
+  // (3) allowlist remaining value: ${identifier} refs (value-read only, safe)
+  // plus [A-Za-z0-9 _+:.\/=[\]-]. No bare `$` (blocks split primitive), no
+  // `\` (blocks octal \044/\140), no backtick, no parens. Covers all known
+  // encoding vectors and future ones — anything off the allowlist fails.
+  // Legit `PS4='+${BASH_SOURCE}:${LINENO}: '` still passes.
+  if (name === 'PS4') {
+    if (isAppend) {
+      return {
+        kind: 'too-complex',
+        reason:
+          'PS4 += cannot be statically verified — combine into a single PS4= assignment',
+        nodeType: 'variable_assignment',
+      }
+    }
+    if (containsAnyPlaceholder(value)) {
+      return {
+        kind: 'too-complex',
+        reason: 'PS4 value derived from cmdsub/variable — runtime unknowable',
+        nodeType: 'variable_assignment',
+      }
+    }
+    if (
+      !/^[A-Za-z0-9 _+:./=[\]-]*$/.test(
+        value.replace(/\$\{[A-Za-z_][A-Za-z0-9_]*\}/g, ''),
+      )
+    ) {
+      return {
+        kind: 'too-complex',
+        reason:
+          'PS4 value outside safe charset — only ${VAR} refs and [A-Za-z0-9 _+:.=/[]-] allowed',
+        nodeType: 'variable_assignment',
+      }
+    }
+  }
+  // SECURITY: Tilde expansion in assignment RHS. `VAR=~/x` (unquoted) →
+  // bash expands `~` at ASSIGNMENT time → VAR='/home/user/x'. We see the
+  // literal `~/x`. Later `cd $VAR` → our argv `['cd','~/x']`, bash runs
+  // `cd /home/user/x`. Tilde expansion also happens after `=` and `:` in
+  // assignment values (e.g. PATH=~/bin:~/sbin). We can't model it — reject
+  // any value containing `~` that isn't already quoted-literal (where bash
+  // doesn't expand). Conservative: any `~` in value → reject.
+  if (value.includes('~')) {
+    return {
+      kind: 'too-complex',
+      reason: 'Tilde in assignment value — bash may expand at assignment time',
+      nodeType: 'variable_assignment',
+    }
+  }
+  return { name, value, isAppend }
+}
+
+/**
+ * Resolve a `simple_expansion` ($VAR) node. Returns VAR_PLACEHOLDER if
+ * resolvable, too-complex otherwise.
+ *
+ * @param insideString true when $VAR is inside a `string` node ("...$VAR...")
+ *   rather than a bare/concatenation argument. SAFE_ENV_VARS and unknown-value
+ *   tracked vars are only allowed inside strings — as bare args their runtime
+ *   value IS the argument and we don't know it statically.
+ *   `cd $HOME/../x` would hide the real path behind the placeholder;
+ *   `echo "Home: $HOME"` just embeds text in a string. Tracked vars holding
+ *   STATIC strings (VAR=literal) are allowed in both positions since their
+ *   value IS known.
+ */
+function resolveSimpleExpansion(
+  node: Node,
+  varScope: Map<string, string>,
+  insideString: boolean,
+): string | ParseForSecurityResult {
+  let varName: string | null = null
+  let isSpecial = false
+  for (const c of node.children) {
+    if (c?.type === 'variable_name') {
+      varName = c.text
+      break
+    }
+    if (c?.type === 'special_variable_name') {
+      varName = c.text
+      isSpecial = true
+      break
+    }
+  }
+  if (varName === null) return tooComplex(node)
+  // Tracked vars: check stored value. Literal strings (VAR=/tmp) are
+  // returned DIRECTLY so downstream path validation sees the real path.
+  // Non-literal values (containing any placeholder — loop vars, $() output,
+  // read vars, composites like `VAR="prefix$(cmd)"`) are ONLY safe inside
+  // strings; as bare args they'd hide the runtime path/flag from validation.
+  //
+  // SECURITY: Returning the actual trackedValue (not a placeholder) is the
+  // critical fix. `VAR=/etc && rm $VAR` → argv ['rm', '/etc'] → validatePath
+  // correctly rejects. Previously returned a placeholder → validatePath saw
+  // '__LOOP_STATIC__', resolved as cwd-relative → PASSED → bypass.
+  const trackedValue = varScope.get(varName)
+  if (trackedValue !== undefined) {
+    if (containsAnyPlaceholder(trackedValue)) {
+      // Non-literal: bare → reject, inside string → VAR_PLACEHOLDER
+      // (walkString's solo-placeholder gate rejects `"$VAR"` alone).
+      if (!insideString) return tooComplex(node)
+      return VAR_PLACEHOLDER
+    }
+    // Pure literal (e.g. '/tmp', 'foo') — return it directly. Downstream
+    // path validation / checkSemantics operate on the REAL value.
+    //
+    // SECURITY: For BARE args (not inside a string), bash word-splits on
+    // $IFS and glob-expands the result. `VAR="-rf /" && rm $VAR` → bash
+    // runs `rm -rf /` (two args); `VAR="/etc/*" && cat $VAR` → expands to
+    // all files. Reject values containing IFS/glob chars unless in "...".
+    //
+    // SECURITY: Empty value as bare arg. Bash word-splitting on "" produces
+    // ZERO fields — the expansion disappears. `V="" && $V eval x` → bash
+    // runs `eval x` (our argv would be ["","eval","x"] with name="" —
+    // every EVAL_LIKE/ZSH/keyword check misses). `V="" && ls $V /etc` →
+    // bash runs `ls /etc`, our argv has a phantom "" shifting positions.
+    // Inside "...": `"$V"` → bash produces one empty-string arg → our ""
+    // is correct, keep allowing.
+    if (!insideString) {
+      if (trackedValue === '') return tooComplex(node)
+      if (BARE_VAR_UNSAFE_RE.test(trackedValue)) return tooComplex(node)
+    }
+    return trackedValue
+  }
+  // SAFE_ENV_VARS + special vars ($?, $$, $@, $1, etc.): value unknown
+  // (shell-controlled). Only safe when embedded in a string, NOT as a
+  // bare argument to a path-sensitive command.
+  if (insideString) {
+    if (SAFE_ENV_VARS.has(varName)) return VAR_PLACEHOLDER
+    if (
+      isSpecial &&
+      (SPECIAL_VAR_NAMES.has(varName) || /^[0-9]+$/.test(varName))
+    ) {
+      return VAR_PLACEHOLDER
+    }
+  }
+  return tooComplex(node)
+}
+
+/**
+ * Apply a variable assignment to the scope, handling `+=` append semantics.
+ * SECURITY: If EITHER side (existing value or appended value) contains a
+ * placeholder, the result is non-literal — store VAR_PLACEHOLDER so later
+ * $VAR correctly rejects as bare arg.
+ * `VAR=/etc && VAR+=$(cmd)` must not leave VAR looking static.
+ */
+function applyVarToScope(
+  varScope: Map<string, string>,
+  ev: { name: string; value: string; isAppend: boolean },
+): void {
+  const existing = varScope.get(ev.name) ?? ''
+  const combined = ev.isAppend ? existing + ev.value : ev.value
+  varScope.set(
+    ev.name,
+    containsAnyPlaceholder(combined) ? VAR_PLACEHOLDER : combined,
+  )
+}
+
+function stripRawString(text: string): string {
+  return text.slice(1, -1)
+}
+
+function tooComplex(node: Node): ParseForSecurityResult {
+  const reason =
+    node.type === 'ERROR'
+      ? 'Parse error'
+      : DANGEROUS_TYPES.has(node.type)
+        ? `Contains ${node.type}`
+        : `Unhandled node type: ${node.type}`
+  return { kind: 'too-complex', reason, nodeType: node.type }
+}
+
+// ────────────────────────────────────────────────────────────────────────────
+// Post-argv semantic checks
+//
+// Everything above answers "can we tokenize?". Everything below answers
+// "is the resulting argv dangerous in ways that don't involve parsing?".
+// These are checks on argv[0] or argv content that the old bashSecurity.ts
+// validators performed but which have nothing to do with parser
+// differentials. They're here (not in bashSecurity.ts) because they operate
+// on SimpleCommand and need to run for every extracted command.
+// ────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Zsh module builtins. These are not binaries on PATH — they're zsh
+ * internals loaded via zmodload. Since BashTool runs via the user's default
+ * shell (often zsh), and these parse as plain `command` nodes with no
+ * distinguishing syntax, we can only catch them by name.
+ */
+const ZSH_DANGEROUS_BUILTINS = new Set([
+  'zmodload',
+  'emulate',
+  'sysopen',
+  'sysread',
+  'syswrite',
+  'sysseek',
+  'zpty',
+  'ztcp',
+  'zsocket',
+  'zf_rm',
+  'zf_mv',
+  'zf_ln',
+  'zf_chmod',
+  'zf_chown',
+  'zf_mkdir',
+  'zf_rmdir',
+  'zf_chgrp',
+])
+
+/**
+ * Shell builtins that evaluate their arguments as code or otherwise escape
+ * the argv abstraction. A command like `eval "rm -rf /"` has argv
+ * ['eval', 'rm -rf /'] which looks inert to flag validation but executes
+ * the string. Treat these the same as command substitution.
+ */
+const EVAL_LIKE_BUILTINS = new Set([
+  'eval',
+  'source',
+  '.',
+  'exec',
+  'command',
+  'builtin',
+  'fc',
+  // `coproc rm -rf /` spawns rm as a coprocess. tree-sitter parses it as
+  // a plain command with argv[0]='coproc', so permission rules and path
+  // validation would check 'coproc' not 'rm'.
+  'coproc',
+  // Zsh precommand modifiers: `noglob cmd args` runs cmd with globbing off.
+  // They parse as ordinary commands (noglob is argv[0], the real command is
+  // argv[1]) so permission matching against argv[0] would see 'noglob', not
+  // the wrapped command.
+  'noglob',
+  'nocorrect',
+  // `trap 'cmd' SIGNAL` — cmd runs as shell code on signal/exit. EXIT fires
+  // at end of every BashTool invocation, so this is guaranteed execution.
+  'trap',
+  // `enable -f /path/lib.so name` — dlopen arbitrary .so as a builtin.
+  // Native code execution.
+  'enable',
+  // `mapfile -C callback -c N` / `readarray -C callback` — callback runs as
+  // shell code every N input lines.
+  'mapfile',
+  'readarray',
+  // `hash -p /path cmd` — poisons bash's command-lookup cache. Subsequent
+  // `cmd` in the same command resolves to /path instead of PATH lookup.
+  'hash',
+  // `bind -x '"key":cmd'` / `complete -C cmd` — interactive-only callbacks
+  // but still code-string arguments. Low impact in non-interactive BashTool
+  // shells, blocked for consistency. `compgen -C cmd` is NOT interactive-only:
+  // it immediately executes the -C argument to generate completions.
+  'bind',
+  'complete',
+  'compgen',
+  // `alias name='cmd'` — aliases not expanded in non-interactive bash by
+  // default, but `shopt -s expand_aliases` enables them. Also blocked as
+  // defense-in-depth (alias followed by name use in same command).
+  'alias',
+  // `let EXPR` arithmetically evaluates EXPR — identical to $(( EXPR )).
+  // Array subscripts in the expression expand $(cmd) at eval time even when
+  // the argument arrived single-quoted: `let 'x=a[$(id)]'` executes id.
+  // tree-sitter sees the raw_string as an opaque leaf. Same primitive
+  // walkArithmetic guards, but `let` is a plain command node.
+  'let',
+])
+
+/**
+ * Builtins that re-parse a NAME operand internally and arithmetically
+ * evaluate `arr[EXPR]` subscripts — including $(cmd) in the subscript —
+ * even when the argv element arrived from a single-quoted raw_string.
+ * `test -v 'a[$(id)]'` → tree-sitter sees an opaque leaf, bash runs id.
+ * Maps: builtin name → set of flags whose next argument is a NAME.
+ */
+const SUBSCRIPT_EVAL_FLAGS: Record<string, Set<string>> = {
+  test: new Set(['-v', '-R']),
+  '[': new Set(['-v', '-R']),
+  '[[': new Set(['-v', '-R']),
+  printf: new Set(['-v']),
+  read: new Set(['-a']),
+  unset: new Set(['-v']),
+  // bash 5.1+: `wait -p VAR [id...]` stores the waited PID into VAR. When VAR
+  // is `arr[EXPR]`, bash arithmetically evaluates the subscript — running
+  // $(cmd) even from a single-quoted raw_string. Verified bash 5.3.9:
+  // `: & wait -p 'a[$(id)]' %1` executes id.
+  wait: new Set(['-p']),
+}
+
+/**
+ * `[[ ARG1 OP ARG2 ]]` where OP is an arithmetic comparison. bash manual:
+ * "When used with [[, Arg1 and Arg2 are evaluated as arithmetic
+ * expressions." Arithmetic evaluation recursively expands array subscripts,
+ * so `[[ 'a[$(id)]' -eq 0 ]]` executes `id` even though tree-sitter sees
+ * the operand as an opaque raw_string leaf. Unlike -v/-R (unary, NAME after
+ * flag), these are binary — the subscript can appear on EITHER side, so
+ * SUBSCRIPT_EVAL_FLAGS's "next arg" logic is insufficient.
+ * `[` / `test` are not vulnerable (bash errors with "integer expression
+ * expected"), but the test_command handler normalizes argv[0]='[[' for
+ * both forms, so they get this check too — mild over-blocking, safe side.
+ */
+const TEST_ARITH_CMP_OPS = new Set(['-eq', '-ne', '-lt', '-le', '-gt', '-ge'])
+
+/**
+ * Builtins where EVERY non-flag positional argument is a NAME that bash
+ * re-parses and arithmetically evaluates subscripts on — no flag required.
+ * `read 'a[$(id)]'` executes id: each positional is a variable name to
+ * assign into, and `arr[EXPR]` is valid syntax there. `unset NAME...` is
+ * the same (though tree-sitter's unset_command handler currently rejects
+ * raw_string children before reaching here — this is defense-in-depth).
+ * NOT printf (positional args are FORMAT/data), NOT test/[ (operands are
+ * values, only -v/-R take a NAME). declare/typeset/local handled in
+ * declaration_command since they never reach here as plain commands.
+ */
+const BARE_SUBSCRIPT_NAME_BUILTINS = new Set(['read', 'unset'])
+
+/**
+ * `read` flags whose NEXT argument is data (prompt/delimiter/count/fd),
+ * not a NAME. `read -p '[foo] ' var` must not trip on the `[` in the
+ * prompt string. `-a` is intentionally absent — its operand IS a NAME.
+ */
+const READ_DATA_FLAGS = new Set(['-p', '-d', '-n', '-N', '-t', '-u', '-i'])
+
+// SHELL_KEYWORDS imported from bashParser.ts — shell reserved words can never
+// be legitimate argv[0]; if they appear, the parser mis-parsed a compound
+// command. Reject to avoid nonsense argv reaching downstream.
+
+// Use `.*` not `[^/]*` — Linux resolves `..` in procfs, so
+// `/proc/self/../self/environ` works and must be caught.
+const PROC_ENVIRON_RE = /\/proc\/.*\/environ/
+
+/**
+ * Newline followed by `#` in an argv element, env var value, or redirect target.
+ * Downstream stripSafeWrappers re-tokenizes .text line-by-line and treats `#`
+ * after a newline as a comment, hiding arguments that follow.
+ */
+const NEWLINE_HASH_RE = /\n[ \t]*#/
+
+export type SemanticCheckResult = { ok: true } | { ok: false; reason: string }
+
+/**
+ * Post-argv semantic checks. Run after parseForSecurity returns 'simple' to
+ * catch commands that tokenize fine but are dangerous by name or argument
+ * content. Returns the first failure or {ok: true}.
+ */
+export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
+  for (const cmd of commands) {
+    // Strip safe wrapper commands (nohup, time, timeout N, nice -n N) so
+    // `nohup eval "..."` and `timeout 5 jq 'system(...)'` are checked
+    // against the wrapped command, not the wrapper. Inlined here to avoid
+    // circular import with bashPermissions.ts.
+    let a = cmd.argv
+    for (;;) {
+      if (a[0] === 'time' || a[0] === 'nohup') {
+        a = a.slice(1)
+      } else if (a[0] === 'timeout') {
+        // `timeout 5`, `timeout 5s`, `timeout 5.5`, plus optional GNU flags
+        // preceding the duration. Long: --foreground, --kill-after=N,
+        // --signal=SIG, --preserve-status. Short: -k DUR, -s SIG, -v (also
+        // fused: -k5, -sTERM).
+        // SECURITY (SAST Mar 2026): the previous loop only skipped `--long`
+        // flags, so `timeout -k 5 10 eval ...` broke out with name='timeout'
+        // and the wrapped eval was never checked. Now handle known short
+        // flags AND fail closed on any unrecognized flag — an unknown flag
+        // means we can't locate the wrapped command, so we must not silently
+        // fall through to name='timeout'.
+        let i = 1
+        while (i < a.length) {
+          const arg = a[i]!
+          if (
+            arg === '--foreground' ||
+            arg === '--preserve-status' ||
+            arg === '--verbose'
+          ) {
+            i++ // known no-value long flags
+          } else if (/^--(?:kill-after|signal)=[A-Za-z0-9_.+-]+$/.test(arg)) {
+            i++ // --kill-after=5, --signal=TERM (value fused with =)
+          } else if (
+            (arg === '--kill-after' || arg === '--signal') &&
+            a[i + 1] &&
+            /^[A-Za-z0-9_.+-]+$/.test(a[i + 1]!)
+          ) {
+            i += 2 // --kill-after 5, --signal TERM (space-separated)
+          } else if (arg.startsWith('--')) {
+            // Unknown long flag, OR --kill-after/--signal with non-allowlisted
+            // value (e.g. placeholder from $() substitution). Fail closed.
+            return {
+              ok: false,
+              reason: `timeout with ${arg} flag cannot be statically analyzed`,
+            }
+          } else if (arg === '-v') {
+            i++ // --verbose, no argument
+          } else if (
+            (arg === '-k' || arg === '-s') &&
+            a[i + 1] &&
+            /^[A-Za-z0-9_.+-]+$/.test(a[i + 1]!)
+          ) {
+            i += 2 // -k DURATION / -s SIGNAL — separate value
+          } else if (/^-[ks][A-Za-z0-9_.+-]+$/.test(arg)) {
+            i++ // fused: -k5, -sTERM
+          } else if (arg.startsWith('-')) {
+            // Unknown flag OR -k/-s with non-allowlisted value — can't locate
+            // wrapped cmd. Reject, don't fall through to name='timeout'.
+            return {
+              ok: false,
+              reason: `timeout with ${arg} flag cannot be statically analyzed`,
+            }
+          } else {
+            break // non-flag — should be the duration
+          }
+        }
+        if (a[i] && /^\d+(?:\.\d+)?[smhd]?$/.test(a[i]!)) {
+          a = a.slice(i + 1)
+        } else if (a[i]) {
+          // SECURITY (PR #21503 round 3): a[i] exists but doesn't match our
+          // duration regex. GNU timeout parses via xstrtod() (libc strtod) and
+          // accepts `.5`, `+5`, `5e-1`, `inf`, `infinity`, hex floats — none
+          // of which match `/^\d+(\.\d+)?[smhd]?$/`. Empirically verified:
+          // `timeout .5 echo ok` works. Previously this branch `break`ed
+          // (fail-OPEN) so `timeout .5 eval "id"` with `Bash(timeout:*)` left
+          // name='timeout' and eval was never checked. Now fail CLOSED —
+          // consistent with the unknown-FLAG handling above (lines ~1895,1912).
+          return {
+            ok: false,
+            reason: `timeout duration '${a[i]}' cannot be statically analyzed`,
+          }
+        } else {
+          break // no more args — `timeout` alone, inert
+        }
+      } else if (a[0] === 'nice') {
+        // `nice cmd`, `nice -n N cmd`, `nice -N cmd` (legacy). All run cmd
+        // at a lower priority. argv[0] check must see the wrapped cmd.
+        if (a[1] === '-n' && a[2] && /^-?\d+$/.test(a[2])) {
+          a = a.slice(3)
+        } else if (a[1] && /^-\d+$/.test(a[1])) {
+          a = a.slice(2) // `nice -10 cmd`
+        } else if (a[1] && /[$(`]/.test(a[1])) {
+          // SECURITY: walkArgument returns node.text for arithmetic_expansion,
+          // so `nice $((0-5)) jq ...` has a[1]='$((0-5))'. Bash expands it to
+          // '-5' (legacy nice syntax) and execs jq; we'd slice(1) here and
+          // set name='$((0-5))' which skips the jq system() check entirely.
+          // Fail closed — mirrors the timeout-duration fail-closed above.
+          return {
+            ok: false,
+            reason: `nice argument '${a[1]}' contains expansion — cannot statically determine wrapped command`,
+          }
+        } else {
+          a = a.slice(1) // bare `nice cmd`
+        }
+      } else if (a[0] === 'env') {
+        // `env [VAR=val...] [-i] [-0] [-v] [-u NAME...] cmd args` runs cmd.
+        // argv[0] check must see cmd, not env. Skip known-safe forms only.
+        // SECURITY: -S splits a string into argv (mini-shell) — must reject.
+        // -C/-P change cwd/PATH — wrapped cmd runs elsewhere, reject.
+        // Any OTHER flag → reject (fail-closed, not fail-open to name='env').
+        let i = 1
+        while (i < a.length) {
+          const arg = a[i]!
+          if (arg.includes('=') && !arg.startsWith('-')) {
+            i++ // VAR=val assignment
+          } else if (arg === '-i' || arg === '-0' || arg === '-v') {
+            i++ // flags with no argument
+          } else if (arg === '-u' && a[i + 1]) {
+            i += 2 // -u NAME unsets; takes one arg
+          } else if (arg.startsWith('-')) {
+            // -S (argv splitter), -C (altwd), -P (altpath), --anything,
+            // or unknown flag. Can't model — reject the whole command.
+            return {
+              ok: false,
+              reason: `env with ${arg} flag cannot be statically analyzed`,
+            }
+          } else {
+            break // the wrapped command
+          }
+        }
+        if (i < a.length) {
+          a = a.slice(i)
+        } else {
+          break // `env` alone (no wrapped cmd) — inert, name='env'
+        }
+      } else if (a[0] === 'stdbuf') {
+        // `stdbuf -o0 cmd` (fused), `stdbuf -o 0 cmd` (space-separated),
+        // multiple flags (`stdbuf -o0 -eL cmd`), long forms (`--output=0`).
+        // SECURITY: previous handling only stripped ONE flag and fell through
+        // to slice(2) for anything unrecognized, so `stdbuf --output 0 eval`
+        // → ['0','eval',...] → name='0' hid eval. Now iterate all known flag
+        // forms and fail closed on any unknown flag.
+        let i = 1
+        while (i < a.length) {
+          const arg = a[i]!
+          if (STDBUF_SHORT_SEP_RE.test(arg) && a[i + 1]) {
+            i += 2 // -o MODE (space-separated)
+          } else if (STDBUF_SHORT_FUSED_RE.test(arg)) {
+            i++ // -o0 (fused)
+          } else if (STDBUF_LONG_RE.test(arg)) {
+            i++ // --output=MODE (fused long)
+          } else if (arg.startsWith('-')) {
+            // --output MODE (space-separated long) or unknown flag. GNU
+            // stdbuf long options use `=` syntax, but getopt_long also
+            // accepts space-separated — we can't enumerate safely, reject.
+            return {
+              ok: false,
+              reason: `stdbuf with ${arg} flag cannot be statically analyzed`,
+            }
+          } else {
+            break // the wrapped command
+          }
+        }
+        if (i > 1 && i < a.length) {
+          a = a.slice(i)
+        } else {
+          break // `stdbuf` with no flags or no wrapped cmd — inert
+        }
+      } else {
+        break
+      }
+    }
+    const name = a[0]
+    if (name === undefined) continue
+
+    // SECURITY: Empty command name. Quoted empty (`"" cmd`) is harmless —
+    // bash tries to exec "" and fails with "command not found". But an
+    // UNQUOTED empty expansion at command position (`V="" && $V cmd`) is a
+    // bypass: bash drops the empty field and runs `cmd` as argv[0], while
+    // our name="" skips every builtin check below. resolveSimpleExpansion
+    // rejects the $V case; this catches any other path to empty argv[0]
+    // (concatenation of empties, walkString whitespace-quirk, future bugs).
+    if (name === '') {
+      return {
+        ok: false,
+        reason: 'Empty command name — argv[0] may not reflect what bash runs',
+      }
+    }
+
+    // Defense-in-depth: argv[0] should never be a placeholder after the
+    // var-tracking fix (static vars return real value, unknown vars reject).
+    // But if a bug upstream ever lets one through, catch it here — a
+    // placeholder-as-command-name means runtime-determined command → unsafe.
+    if (name.includes(CMDSUB_PLACEHOLDER) || name.includes(VAR_PLACEHOLDER)) {
+      return {
+        ok: false,
+        reason: 'Command name is runtime-determined (placeholder argv[0])',
+      }
+    }
+
+    // argv[0] starts with an operator/flag: this is a fragment, not a
+    // command. Likely a line-continuation leak or a mistake.
+    if (name.startsWith('-') || name.startsWith('|') || name.startsWith('&')) {
+      return {
+        ok: false,
+        reason: 'Command appears to be an incomplete fragment',
+      }
+    }
+
+    // SECURITY: builtins that re-parse a NAME operand internally. bash
+    // arithmetically evaluates `arr[EXPR]` in NAME position, running $(cmd)
+    // in the subscript even when the argv element arrived from a
+    // single-quoted raw_string (opaque leaf to tree-sitter). Two forms:
+    // separate (`printf -v NAME`) and fused (`printf -vNAME`, getopt-style).
+    // `printf '[%s]' x` stays safe — `[` in format string, not after `-v`.
+    const dangerFlags = SUBSCRIPT_EVAL_FLAGS[name]
+    if (dangerFlags !== undefined) {
+      for (let i = 1; i < a.length; i++) {
+        const arg = a[i]!
+        // Separate form: `-v` then NAME in next arg.
+        if (dangerFlags.has(arg) && a[i + 1]?.includes('[')) {
+          return {
+            ok: false,
+            reason: `'${name} ${arg}' operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+          }
+        }
+        // Combined short flags: `-ra` is bash shorthand for `-r -a`.
+        // Check if any danger flag character appears in a combined flag
+        // string. The danger flag's NAME operand is the next argument.
+        if (
+          arg.length > 2 &&
+          arg[0] === '-' &&
+          arg[1] !== '-' &&
+          !arg.includes('[')
+        ) {
+          for (const flag of dangerFlags) {
+            if (flag.length === 2 && arg.includes(flag[1]!)) {
+              if (a[i + 1]?.includes('[')) {
+                return {
+                  ok: false,
+                  reason: `'${name} ${flag}' (combined in '${arg}') operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+                }
+              }
+            }
+          }
+        }
+        // Fused form: `-vNAME` in one arg. Only short-option flags fuse
+        // (getopt), so check -v/-a/-R. `[[` uses test_operator nodes only.
+        for (const flag of dangerFlags) {
+          if (
+            flag.length === 2 &&
+            arg.startsWith(flag) &&
+            arg.length > 2 &&
+            arg.includes('[')
+          ) {
+            return {
+              ok: false,
+              reason: `'${name} ${flag}' (fused) operand contains array subscript — bash evaluates $(cmd) in subscripts`,
+            }
+          }
+        }
+      }
+    }
+
+    // SECURITY: `[[ ARG OP ARG ]]` arithmetic comparison. bash evaluates
+    // BOTH operands as arithmetic expressions, recursively expanding
+    // `arr[$(cmd)]` subscripts even from single-quoted raw_string. Check
+    // the operand adjacent to each arith-cmp operator on BOTH sides —
+    // SUBSCRIPT_EVAL_FLAGS's "flag then next-arg" pattern can't express
+    // "either side of a binary op". String comparisons (==/!=/=~) do NOT
+    // trigger arithmetic eval — `[[ 'a[x]' == y ]]` is a literal string cmp.
+    if (name === '[[') {
+      // i starts at 2: a[0]='[[' (contains '['), a[1] is the first real
+      // operand. A binary op can't appear before index 2.
+      for (let i = 2; i < a.length; i++) {
+        if (!TEST_ARITH_CMP_OPS.has(a[i]!)) continue
+        if (a[i - 1]?.includes('[') || a[i + 1]?.includes('[')) {
+          return {
+            ok: false,
+            reason: `'[[ ... ${a[i]} ... ]]' operand contains array subscript — bash arithmetically evaluates $(cmd) in subscripts`,
+          }
+        }
+      }
+    }
+
+    // SECURITY: `read`/`unset` treat EVERY bare positional as a NAME —
+    // no flag needed. `read 'a[$(id)]' <<< data` executes id even though
+    // argv[1] arrived from a single-quoted raw_string and no -a flag is
+    // present. Same primitive as SUBSCRIPT_EVAL_FLAGS but the trigger is
+    // positional, not flag-gated. Skip operands of read's data-taking
+    // flags (-p PROMPT etc.) to avoid blocking `read -p '[foo] ' var`.
+    if (BARE_SUBSCRIPT_NAME_BUILTINS.has(name)) {
+      let skipNext = false
+      for (let i = 1; i < a.length; i++) {
+        const arg = a[i]!
+        if (skipNext) {
+          skipNext = false
+          continue
+        }
+        if (arg[0] === '-') {
+          if (name === 'read') {
+            if (READ_DATA_FLAGS.has(arg)) {
+              skipNext = true
+            } else if (arg.length > 2 && arg[1] !== '-') {
+              // Combined short flag like `-rp`. Getopt-style: first
+              // data-flag char consumes rest-of-arg as its operand
+              // (`-p[foo]` → prompt=`[foo]`), or next-arg if last
+              // (`-rp '[foo]'` → prompt=`[foo]`). So skipNext iff a
+              // data-flag char appears at the END after only no-arg
+              // flags like `-r`/`-s`.
+              for (let j = 1; j < arg.length; j++) {
+                if (READ_DATA_FLAGS.has('-' + arg[j])) {
+                  if (j === arg.length - 1) skipNext = true
+                  break
+                }
+              }
+            }
+          }
+          continue
+        }
+        if (arg.includes('[')) {
+          return {
+            ok: false,
+            reason: `'${name}' positional NAME '${arg}' contains array subscript — bash evaluates $(cmd) in subscripts`,
+          }
+        }
+      }
+    }
+
+    // SECURITY: Shell reserved keywords as argv[0] indicate a tree-sitter
+    // mis-parse. `! for i in a; do :; done` parses as `command "for i in a"`
+    // + `command "do :"` + `command "done"` — tree-sitter fails to recognize
+    // `for` after `!` as a compound command start. Reject: keywords can never
+    // be legitimate command names, and argv like ['do','false'] is nonsense.
+    if (SHELL_KEYWORDS.has(name)) {
+      return {
+        ok: false,
+        reason: `Shell keyword '${name}' as command name — tree-sitter mis-parse`,
+      }
+    }
+
+    // Check argv (not .text) to catch both single-quote (`'\n#'`) and
+    // double-quote (`"\n#"`) variants. Env vars and redirects are also
+    // part of the .text span so the same downstream bug applies.
+    // Heredoc bodies are excluded from argv so markdown `##` headers
+    // don't trigger this.
+    // TODO: remove once downstream path validation operates on argv.
+    for (const arg of cmd.argv) {
+      if (arg.includes('\n') && NEWLINE_HASH_RE.test(arg)) {
+        return {
+          ok: false,
+          reason:
+            'Newline followed by # inside a quoted argument can hide arguments from path validation',
+        }
+      }
+    }
+    for (const ev of cmd.envVars) {
+      if (ev.value.includes('\n') && NEWLINE_HASH_RE.test(ev.value)) {
+        return {
+          ok: false,
+          reason:
+            'Newline followed by # inside an env var value can hide arguments from path validation',
+        }
+      }
+    }
+    for (const r of cmd.redirects) {
+      if (r.target.includes('\n') && NEWLINE_HASH_RE.test(r.target)) {
+        return {
+          ok: false,
+          reason:
+            'Newline followed by # inside a redirect target can hide arguments from path validation',
+        }
+      }
+    }
+
+    // jq's system() built-in executes arbitrary shell commands, and flags
+    // like --from-file can read arbitrary files into jq variables. On the
+    // legacy path these are caught by validateJqCommand in bashSecurity.ts,
+    // but that validator is gated behind `astSubcommands === null` and
+    // never runs when the AST parse succeeds. Mirror the checks here so
+    // the AST path has the same defence.
+    if (name === 'jq') {
+      for (const arg of a) {
+        if (/\bsystem\s*\(/.test(arg)) {
+          return {
+            ok: false,
+            reason:
+              'jq command contains system() function which executes arbitrary commands',
+          }
+        }
+      }
+      if (
+        a.some(arg =>
+          /^(?:-[fL](?:$|[^A-Za-z])|--(?:from-file|rawfile|slurpfile|library-path)(?:$|=))/.test(
+            arg,
+          ),
+        )
+      ) {
+        return {
+          ok: false,
+          reason:
+            'jq command contains dangerous flags that could execute code or read arbitrary files',
+        }
+      }
+    }
+
+    if (ZSH_DANGEROUS_BUILTINS.has(name)) {
+      return {
+        ok: false,
+        reason: `Zsh builtin '${name}' can bypass security checks`,
+      }
+    }
+
+    if (EVAL_LIKE_BUILTINS.has(name)) {
+      // `command -v foo` / `command -V foo` are POSIX existence checks that
+      // only print paths — they never execute argv[1]. Bare `command foo`
+      // does bypass function/alias lookup (the concern), so keep blocking it.
+      if (name === 'command' && (a[1] === '-v' || a[1] === '-V')) {
+        // fall through to remaining checks
+      } else if (
+        name === 'fc' &&
+        !a.slice(1).some(arg => /^-[^-]*[es]/.test(arg))
+      ) {
+        // `fc -l`, `fc -ln` list history — safe. `fc -e ed` invokes an
+        // editor then executes. `fc -s [pat=rep]` RE-EXECUTES the last
+        // matching command (optionally with substitution) — as dangerous
+        // as eval. Block any short-opt containing `e` or `s`.
+        // to avoid introducing FPs for `fc -l` (list history).
+      } else if (
+        name === 'compgen' &&
+        !a.slice(1).some(arg => /^-[^-]*[CFW]/.test(arg))
+      ) {
+        // `compgen -c/-f/-v` only list completions — safe. `compgen -C cmd`
+        // immediately executes cmd; `-F func` calls a shell function; `-W list`
+        // word-expands its argument (including $(cmd) even from single-quoted
+        // raw_string). Block any short-opt containing C/F/W (case-sensitive:
+        // -c/-f are safe).
+      } else {
+        return {
+          ok: false,
+          reason: `'${name}' evaluates arguments as shell code`,
+        }
+      }
+    }
+
+    // /proc/*/environ exposes env vars (including secrets) of other processes.
+    // Check argv and redirect targets — `cat /proc/self/environ` and
+    // `cat < /proc/self/environ` both read it.
+    for (const arg of cmd.argv) {
+      if (arg.includes('/proc/') && PROC_ENVIRON_RE.test(arg)) {
+        return {
+          ok: false,
+          reason: 'Accesses /proc/*/environ which may expose secrets',
+        }
+      }
+    }
+    for (const r of cmd.redirects) {
+      if (r.target.includes('/proc/') && PROC_ENVIRON_RE.test(r.target)) {
+        return {
+          ok: false,
+          reason: 'Accesses /proc/*/environ which may expose secrets',
+        }
+      }
+    }
+  }
+  return { ok: true }
+}