cc-safety-net 1.0.0 → 1.0.2

package/README.md

@@ -237,6 +237,25 @@ Install CC Safety Net with OpenCode's native plugin command:
 opencode plugin -g cc-safety-net
 ```
 
+> [!NOTE]
+> OpenCode can sometimes keep using a stale cached plugin version. See
+> anomalyco/opencode#25293 for the current tracking issue.
+>
+> To force OpenCode to reinstall `cc-safety-net`, remove its cached package and
+> install the version you want:
+>
+> ```sh
+> rm -rf ~/.cache/opencode/packages/cc-safety-net@latest
+> opencode plugin -g -f cc-safety-net@latest
+>
+> If you prefer pinning a specific version:
+>
+> rm -rf ~/.cache/opencode/packages/cc-safety-net@latest
+> opencode plugin -g -f cc-safety-net@<version>
+>
+> Restart OpenCode after updating so the plugin is loaded from the refreshed
+> cache.
+
 ---
 
 ### Pi Installation

package/dist/bin/cc-safety-net.js

@@ -338,6 +338,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4143,8 +4147,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4163,6 +4166,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4170,6 +4199,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4520,8 +4574,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4543,8 +4598,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }
@@ -7830,7 +7886,7 @@ import { existsSync as existsSync14 } from "node:fs";
 import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
 import { tmpdir as tmpdir4 } from "node:os";
 import { delimiter, extname, join as join11 } from "node:path";
-var CURRENT_VERSION = "1.0.0";
+var CURRENT_VERSION = "1.0.2";
 var VERSION_FETCH_TIMEOUT_MS = 2000;
 var PI_PROBE_TIMEOUT_MS = 5000;
 var PI_SENTINEL_COMMAND = "cc-safety-net";
@@ -8882,12 +8938,14 @@ function explainCommand2(command2, options2) {
         token: redactEnvAssignmentsInString(segment[0]),
         matched: false
       });
-      if (segmentChangesCwd(segment)) {
-        segmentSteps.push({
-          type: "cwd-change",
-          segment: redactEnvAssignmentsInString(segment.join(" ")),
-          effectiveCwdNowUnknown: true
-        });
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        if (nextCwd2 !== null) {
+          effectiveCwd = nextCwd2;
+          trace.segments.push({ index: i, steps: segmentSteps });
+          continue;
+        }
+        segmentSteps.push(cwdChangeStep(segment));
         effectiveCwd = null;
       }
       trace.segments.push({ index: i, steps: segmentSteps });
@@ -8903,12 +8961,15 @@ function explainCommand2(command2, options2) {
       blockReason = result.reason;
       blockSegment = redactEnvAssignmentsInString(segment.join(" "));
     }
-    if (segmentChangesCwd(segment)) {
-      segmentSteps.push({
-        type: "cwd-change",
-        segment: redactEnvAssignmentsInString(segment.join(" ")),
-        effectiveCwdNowUnknown: true
-      });
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      if (nextCwd !== null) {
+        effectiveCwd = nextCwd;
+        applyShellGitContextEnvSegment(segment, shellGitContextState);
+        trace.segments.push({ index: i, steps: segmentSteps });
+        continue;
+      }
+      segmentSteps.push(cwdChangeStep(segment));
       effectiveCwd = null;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
@@ -8924,6 +8985,13 @@ function explainCommand2(command2, options2) {
     configValid
   };
 }
+function cwdChangeStep(segment) {
+  return {
+    type: "cwd-change",
+    segment: redactEnvAssignmentsInString(segment.join(" ")),
+    effectiveCwdNowUnknown: true
+  };
+}
 function getCustomRuleMetadata(reason, options2, cwd) {
   const id = reason?.match(/^\[([^\]]+)]/)?.[1];
   if (!id)
@@ -9327,7 +9395,7 @@ function formatTraceJson(result) {
   return JSON.stringify(result, null, 2);
 }
 // src/bin/help.ts
-var version = "1.0.0";
+var version = "1.0.2";
 var INDENT = "  ";
 var PROGRAM_NAME = "cc-safety-net";
 function formatOptionFlags(option) {

package/dist/bin/hook/common.d.ts

@@ -11,10 +11,8 @@ type ConfiguredHookAdapter<T> = Omit<HookAdapter<T>, 'outputDeny'> & {
     createDenyOutput: (message: string) => object;
     getManualPermissionAdvice?: (reason: string) => boolean | undefined;
 };
-export declare function outputHookDeny(createDenyOutput: (message: string) => object, reason: string, command?: string, segment?: string, manualPermissionAdvice?: boolean): void;
-export declare function readHookInput<T>(outputDeny: (reason: string) => void): Promise<T | null>;
 export declare function parseHookJson<T>(inputText: string, outputDeny: (reason: string) => void, strictReason: string): T | null;
+/** @internal - exported for direct test coverage */
 export declare function handleBlockedHookCommand(command: string, cwd: string, sessionId: string | undefined, outputDeny: (reason: string, command?: string, segment?: string) => void): void;
-export declare function runHookAdapter<T>(adapter: HookAdapter<T>): Promise<void>;
 export declare function runConfiguredHookAdapter<T>(adapter: ConfiguredHookAdapter<T>): Promise<void>;
 export {};

package/dist/bin/rule/format.d.ts

@@ -1,10 +1,4 @@
 import { type LoadedRulesPolicy, type RulebookLockEntryWithStats } from '@/core/rules/policy';
-export declare function printSyncResult(result: {
-    ok: boolean;
-    errors: string[];
-    warnings?: string[];
-    entries: RulebookLockEntryWithStats[];
-}): void;
 export declare function printRuleChangeResult(result: {
     ok: boolean;
     errors: string[];
@@ -18,4 +12,3 @@ export declare function printRulesTestResult(result: {
     entries: RulebookLockEntryWithStats[];
 }, sourceDisplayMap?: Map<string, string>): void;
 export declare function printRulesListReport(policy: LoadedRulesPolicy, sourceDisplayMaps: Record<'user' | 'project', Map<string, string>>): void;
-export declare function relativeDisplay(cwd: string, path: string): string;

package/dist/core/analyze/parallel.d.ts

@@ -9,4 +9,5 @@ export interface ParallelAnalyzeContext {
     analyzeNested: (command: string, overrides?: AnalyzeNestedOverrides) => string | null;
 }
 export declare function analyzeParallel(tokens: readonly string[], context: ParallelAnalyzeContext): string | null;
+/** @internal - exported for test coverage */
 export declare function extractParallelChildCommand(tokens: readonly string[]): string[];

package/dist/core/analyze/segment.d.ts

@@ -8,3 +8,4 @@ export type InternalOptions = AnalyzeOptions & {
 };
 export declare function analyzeSegment(tokens: string[], depth: number, options: InternalOptions): string | null;
 export declare function segmentChangesCwd(segment: readonly string[]): boolean;
+export declare function resolveCwdAfterSegment(segment: readonly string[], cwd: string | null | undefined): string | null | undefined;

package/dist/core/analyze/xargs.d.ts

@@ -11,5 +11,6 @@ interface XargsParseResult {
     childTokens: string[];
     replacementToken: string | null;
 }
+/** @internal - exported for test coverage */
 export declare function extractXargsChildCommandWithInfo(tokens: readonly string[]): XargsParseResult;
 export {};

package/dist/core/git/env.d.ts

@@ -1,6 +1,9 @@
 export declare const GIT_CONTEXT_ENV_OVERRIDES: readonly ["GIT_DIR", "GIT_WORK_TREE", "GIT_COMMON_DIR", "GIT_INDEX_FILE"];
+/** @internal - exported for test coverage */
 export declare const GIT_CONFIG_AFFECTING_ENV_NAMES: ReadonlySet<string>;
+/** @internal - exported for test coverage */
 export declare const GIT_SSH_ENV_NAMES: ReadonlySet<string>;
+/** @internal - exported for test coverage */
 export declare function isGitContextEnvOverrideName(name: string): boolean;
 export declare function isGitConfigEnvName(name: string): boolean;
 export declare function isTrackedGitEnvName(name: string): boolean;

package/dist/core/rules/policy/index.d.ts

@@ -1,6 +1,5 @@
-export { readRulesConfig, validateRulesConfig, writeDefaultRulesConfig, writeStarterRulebook, } from './config-file';
-export { getLegacyUserRulesConfigPath, getProjectRulesConfigPath, getProjectRulesDir, getProjectRulesLockPath, getRulebookCachePath, getRulebookDisplaySource, getRulesLockPathForConfigPath, getUserRulesConfigPath, getUserRulesDir, getUserRulesLockPath, RULES_DIR, } from './paths';
-export { getRulebookMigratedFrom, getRulesConfigRuntimeErrorsForConfig, getRulesConfigSourceDisplayMap, getUnknownOverrideErrorsForConfig, loadRulesPolicy, rulesPolicyToConfig, } from './scope-policy';
-export { parseGitHubSource } from './sources';
-export { addRulebookSource, removeRulebookSource, repairLocalRulesPolicy, syncRulesConfig, testRulebookSources, } from './sync';
-export type { LoadedRulebookInfo, LoadedRulesPolicy, RulebookLockEntry, RulebookLockEntryWithStats, RulebookSourceKind, RuleOverride, RulesConfig, RulesLockfile, RulesPolicyOptions, SyncRulesConfigOptions, SyncRulesConfigResult, } from './types';
+export { readRulesConfig, writeDefaultRulesConfig, writeStarterRulebook, } from './config-file';
+export { getLegacyUserRulesConfigPath, getProjectRulesConfigPath, getProjectRulesDir, getRulebookDisplaySource, getRulesLockPathForConfigPath, getUserRulesConfigPath, getUserRulesDir, getUserRulesLockPath, RULES_DIR, } from './paths';
+export { getRulebookMigratedFrom, getRulesConfigRuntimeErrorsForConfig, getRulesConfigSourceDisplayMap, loadRulesPolicy, } from './scope-policy';
+export { addRulebookSource, removeRulebookSource, syncRulesConfig, testRulebookSources, } from './sync';
+export type { LoadedRulesPolicy, RulebookLockEntryWithStats, RuleOverride, SyncRulesConfigOptions, } from './types';

package/dist/core/rules/policy/paths.d.ts

@@ -17,6 +17,7 @@ export interface ScopePaths {
 }
 export declare function getProjectRulesDir(cwd?: string): string;
 export declare function getProjectRulesConfigPath(cwd?: string): string;
+/** @internal - exported for test coverage */
 export declare function getProjectRulesLockPath(cwd?: string): string;
 export declare function getUserRulesDir(options?: RulesPolicyOptions): string;
 export declare function getUserRulesConfigPath(options?: RulesPolicyOptions): string;

package/dist/core/rules/policy/scope-policy.d.ts

@@ -11,6 +11,7 @@ interface ScopePolicy {
 export declare function loadRulesPolicy(options?: RulesPolicyOptions): LoadedRulesPolicy;
 export declare function getRulesConfigSourceDisplayMap(configPath: string): Map<string, string>;
 export declare function getRulesConfigRuntimeErrorsForConfig(configPath: string, lockPath: string, options: RulesPolicyOptions): string[];
+/** @internal - exported for test coverage */
 export declare function getUnknownOverrideErrorsForConfig(configPath: string, lockPath: string, options: RulesPolicyOptions): string[];
 export declare function loadScopePolicy(config: RulesConfig, lockPath: string, configDir: string, options: RulesPolicyOptions, source: 'user' | 'project'): ScopePolicy;
 export declare function rulesPolicyToConfig(policy: LoadedRulesPolicy): Config;

package/dist/core/rules/policy/types.d.ts

@@ -2,7 +2,6 @@ import type { CustomRule } from '@/types';
 export type RuleOverride = 'off' | {
     reason: string;
 };
-export type RulebookSourceKind = RulebookLockEntry['kind'];
 export interface RulesConfig {
     version: 1;
     rules: string[];

package/dist/core/rules/rulebook.d.ts

@@ -14,6 +14,7 @@ export interface Rulebook {
     rules: CustomRule[];
     tests: RulebookFixture[];
 }
+/** @internal - exported for test coverage */
 export interface RulebookFixtureFailure {
     command: string;
     message: string;
@@ -23,6 +24,7 @@ export interface RulebookFixtureResult {
     ok: boolean;
     failures: RulebookFixtureFailure[];
 }
+/** @internal - exported for test coverage */
 export declare function validateRulebook(rulebook: unknown): ValidationResult;
 export declare function runRulebookFixtures(rulebook: Rulebook): RulebookFixtureResult;
 export declare function assertValidRulebook(rulebook: unknown): Rulebook;

package/dist/index.js

@@ -282,6 +282,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4087,8 +4091,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4107,6 +4110,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4114,6 +4143,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4464,8 +4518,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4487,8 +4542,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }

package/dist/pi/builtin-commands/commands.d.ts

@@ -11,5 +11,6 @@ type PiCommandContext = {
     isIdle: () => boolean;
 };
 export declare function registerBuiltinCommands(pi: PiCommandApi): void;
+/** @internal - exported for test coverage */
 export declare function buildSafetyNetCommandPrompt(args: string): string;
 export {};

package/dist/pi/index.d.ts

@@ -1,5 +1,5 @@
 import { registerBuiltinCommands } from '@/pi/builtin-commands';
-import { registerToolUseEvent } from '@/pi/tool-use';
-type PiExtensionApi = Parameters<typeof registerBuiltinCommands>[0] & Parameters<typeof registerToolUseEvent>[0];
+import { registerToolCallEvent } from '@/pi/tool-call';
+type PiExtensionApi = Parameters<typeof registerBuiltinCommands>[0] & Parameters<typeof registerToolCallEvent>[0];
 export default function ccSafetyNetPiExtension(pi: PiExtensionApi): void;
 export {};

package/dist/pi/index.js

@@ -275,6 +275,9 @@ function buildSafetyNetCommandPrompt(args) {
 
 ${args.trim() || DEFAULT_USER_REQUEST}`;
 }
+// src/pi/tool-call.ts
+import { resolve as resolve8 } from "node:path";
+
 // src/core/analyze/dangerous-text.ts
 function dangerousInText(text) {
   const t = text.toLowerCase();
@@ -343,6 +346,10 @@ function dangerousInText(text) {
   return null;
 }
 
+// src/core/analyze/segment.ts
+import { realpathSync as realpathSync6 } from "node:fs";
+import { normalize as normalize3 } from "node:path";
+
 // src/core/analyze/awk.ts
 var AWK_INTERPRETERS = new Set(["awk", "gawk", "nawk", "mawk"]);
 var REASON_AWK_SYSTEM_DYNAMIC = "Detected awk system() call with dynamic command that cannot be safely analyzed.";
@@ -4148,8 +4155,7 @@ function analyzeParallelCommand(context) {
 }
 var CWD_CHANGE_REGEX = /^\s*(?:\$\(\s*)?[({]*\s*(?:command\s+|builtin\s+)?(?:cd|pushd|popd)(?:\s|$)/;
 function segmentChangesCwd(segment) {
-  const stripped = stripLeadingGrouping(segment);
-  const unwrapped = stripWrappers([...stripped]);
+  const unwrapped = getCwdChangeTokens(segment);
   if (unwrapped.length === 0) {
     return false;
   }
@@ -4168,6 +4174,32 @@ function segmentChangesCwd(segment) {
   const joined = segment.join(" ");
   return CWD_CHANGE_REGEX.test(joined);
 }
+function resolveCwdAfterSegment(segment, cwd) {
+  if (!segmentChangesCwd(segment)) {
+    return;
+  }
+  if (!cwd) {
+    return null;
+  }
+  const unwrapped = getCwdChangeTokens(segment, cwd);
+  const cdIndex = getCdCommandIndex(unwrapped);
+  if (cdIndex === -1 || unwrapped[cdIndex] !== "cd") {
+    return null;
+  }
+  const target = unwrapped[cdIndex + 1];
+  if (!target || target === "-" || target.includes("$") || target.includes("`")) {
+    return null;
+  }
+  try {
+    const resolved = resolveChdirTarget(cwd, target);
+    if (samePath(resolved, cwd)) {
+      return cwd;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
 function getHeadAfterTimePrefix(tokens, startIndex) {
   let i = startIndex;
   while (tokens[i]?.startsWith("-")) {
@@ -4175,6 +4207,31 @@ function getHeadAfterTimePrefix(tokens, startIndex) {
   }
   return tokens[i] ?? "";
 }
+function getCdCommandIndex(tokens) {
+  let headIndex = 0;
+  if (tokens[0] === "builtin" && tokens.length > 1) {
+    headIndex = 1;
+  }
+  if (tokens[headIndex] !== "time") {
+    return headIndex;
+  }
+  let i = headIndex + 1;
+  while (tokens[i]?.startsWith("-")) {
+    i++;
+  }
+  return i;
+}
+function getCwdChangeTokens(segment, cwd) {
+  const stripped = stripLeadingGrouping(segment);
+  return stripWrappers([...stripped], cwd);
+}
+function samePath(a, b) {
+  try {
+    return normalize3(realpathSync6(a)) === normalize3(realpathSync6(b));
+  } catch {
+    return normalize3(a) === normalize3(b);
+  }
+}
 function stripLeadingGrouping(tokens) {
   let i = 0;
   while (i < tokens.length) {
@@ -4525,8 +4582,9 @@ function analyzeCommandInternal(command2, depth, options2) {
       if (textReason) {
         return { reason: textReason, segment: segmentStr };
       }
-      if (segmentChangesCwd(segment)) {
-        effectiveCwd = null;
+      const nextCwd2 = resolveCwdAfterSegment(segment, effectiveCwd);
+      if (nextCwd2 !== undefined) {
+        effectiveCwd = nextCwd2;
       }
       continue;
     }
@@ -4548,8 +4606,9 @@ function analyzeCommandInternal(command2, depth, options2) {
     if (reason) {
       return { reason, segment: segmentStr };
     }
-    if (segmentChangesCwd(segment)) {
-      effectiveCwd = null;
+    const nextCwd = resolveCwdAfterSegment(segment, effectiveCwd);
+    if (nextCwd !== undefined) {
+      effectiveCwd = nextCwd;
     }
     applyShellGitContextEnvSegment(segment, shellGitContextState);
   }
@@ -6331,22 +6390,34 @@ async function runConfiguredHookAdapter(adapter) {
   });
 }
 
-// src/pi/tool-use.ts
-function registerToolUseEvent(pi) {
-  pi.on("tool_call", handlePiToolUse);
+// src/pi/tool-call.ts
+var PI_SHELL_TOOL_ADAPTERS = {
+  bash: {
+    commandField: "command"
+  },
+  Shell: {
+    commandField: "command",
+    cwdField: "working_directory"
+  }
+};
+function registerToolCallEvent(pi) {
+  pi.on("tool_call", handlePiToolCall);
 }
-function handlePiToolUse(event, ctx) {
-  if (!isPiBashToolUseEvent(event))
+function handlePiToolCall(event, ctx) {
+  const shellToolCall = getPiShellToolCall(event, ctx);
+  if (!shellToolCall)
     return;
-  if (typeof event.input.command !== "string") {
-    return blockPiToolUse(REASON_SAFETY_NET_FAILED_CLOSED);
+  if ("malformed" in shellToolCall) {
+    return blockPiToolCall(REASON_SAFETY_NET_FAILED_CLOSED);
   }
+  const command2 = shellToolCall.command;
+  const cwd = shellToolCall.cwd;
   const modes = getCCSafetyNetEnvModes();
   let result;
   try {
-    result = (ctx.safetyNetAnalyzeCommand ?? analyzeCommand)(event.input.command, {
-      cwd: ctx.cwd,
-      config: loadConfig(ctx.cwd, {
+    result = (ctx.safetyNetAnalyzeCommand ?? analyzeCommand)(command2, {
+      cwd,
+      config: loadConfig(cwd, {
         repairLocalRulebooks: true,
         ...ctx.safetyNetConfigOptions
       }),
@@ -6357,14 +6428,14 @@ function handlePiToolUse(event, ctx) {
     });
   } catch (error) {
     if (envTruthy(ENV_FLAGS.debug)) {
-      console.error(`CC Safety Net debug: pi tool_use analysis failed: ${redactSecrets(error instanceof Error ? error.message : String(error))}`);
+      console.error(`CC Safety Net debug: pi tool_call analysis failed: ${redactSecrets(error instanceof Error ? error.message : String(error))}`);
     }
-    return blockPiToolUse(REASON_SAFETY_NET_FAILED_CLOSED, event.input.command, event.input.command);
+    return blockPiToolCall(REASON_SAFETY_NET_FAILED_CLOSED, command2, command2);
   }
   if (!result) {
     const sessionId2 = ctx.sessionManager.getSessionFile();
     if (sessionId2 && envTruthy(ENV_FLAGS.debug)) {
-      writeAuditLog(sessionId2, event.input.command, event.input.command, "allowed", ctx.cwd, {
+      writeAuditLog(sessionId2, command2, command2, "allowed", cwd, {
         decision: "allow"
       });
     }
@@ -6372,17 +6443,29 @@ function handlePiToolUse(event, ctx) {
   }
   const sessionId = ctx.sessionManager.getSessionFile();
   if (sessionId) {
-    writeAuditLog(sessionId, event.input.command, result.segment, result.reason, ctx.cwd);
+    writeAuditLog(sessionId, command2, result.segment, result.reason, cwd);
   }
-  return blockPiToolUse(result.reason, event.input.command, result.segment, result.manualPermissionAdvice);
+  return blockPiToolCall(result.reason, command2, result.segment, result.manualPermissionAdvice);
 }
-function isPiBashToolUseEvent(event) {
+function getPiShellToolCall(event, ctx) {
   if (!event || typeof event !== "object")
-    return false;
-  const toolUse = event;
-  return toolUse.toolName === "bash" && !!toolUse.input;
-}
-function blockPiToolUse(reason, command2, segment, manualPermissionAdvice) {
+    return;
+  const toolCall = event;
+  if (typeof toolCall.toolName !== "string")
+    return;
+  const adapter = PI_SHELL_TOOL_ADAPTERS[toolCall.toolName];
+  if (!adapter)
+    return;
+  if (!toolCall.input || typeof toolCall.input !== "object")
+    return { malformed: true };
+  const command2 = toolCall.input[adapter.commandField];
+  if (typeof command2 !== "string")
+    return { malformed: true };
+  const cwdInput = adapter.cwdField ? toolCall.input[adapter.cwdField] : undefined;
+  const cwd = typeof cwdInput === "string" ? resolve8(ctx.cwd, cwdInput) : ctx.cwd;
+  return { command: command2, cwd };
+}
+function blockPiToolCall(reason, command2, segment, manualPermissionAdvice) {
   return {
     block: true,
     reason: formatBlockedMessage({
@@ -6397,7 +6480,7 @@ function blockPiToolUse(reason, command2, segment, manualPermissionAdvice) {
 
 // src/pi/index.ts
 function ccSafetyNetPiExtension(pi) {
-  registerToolUseEvent(pi);
+  registerToolCallEvent(pi);
   registerBuiltinCommands(pi);
 }
 export {

package/dist/pi/{tool-use.d.ts → tool-call.d.ts}

@@ -1,9 +1,9 @@
 import { analyzeCommand } from '@/core/analyze';
 import type { LoadConfigOptions } from '@/core/config';
 type PiApi = {
-    on: (event: 'tool_call', handler: (event: unknown, ctx: PiToolUseContext) => PiToolUseResult) => void;
+    on: (event: 'tool_call', handler: (event: unknown, ctx: PiToolCallContext) => PiToolCallResult) => void;
 };
-type PiToolUseContext = {
+type PiToolCallContext = {
     cwd: string;
     sessionManager: {
         getSessionFile: () => string | undefined;
@@ -11,10 +11,11 @@ type PiToolUseContext = {
     safetyNetAnalyzeCommand?: typeof analyzeCommand;
     safetyNetConfigOptions?: LoadConfigOptions;
 };
-type PiToolUseResult = {
+type PiToolCallResult = {
     block: true;
     reason: string;
 } | undefined;
-export declare function registerToolUseEvent(pi: PiApi): void;
-export declare function handlePiToolUse(event: unknown, ctx: PiToolUseContext): PiToolUseResult;
+export declare function registerToolCallEvent(pi: PiApi): void;
+/** @internal - exported for test coverage */
+export declare function handlePiToolCall(event: unknown, ctx: PiToolCallContext): PiToolCallResult;
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safety-net",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "A coding agent CLI hook - block destructive git and filesystem commands before execution",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",