clay-server 2.40.0-beta.3 → 2.40.0

package/lib/public/modules/sidebar-sessions.js

@@ -292,96 +292,24 @@ function appendSessionCloseButton(el, session) {
   el.appendChild(closeBtn);
 }
 
-// Dropdown anchored to the Claude split-button chevron. Renders two
-// explicit choices (TUI / GUI) and dismisses on click-outside, Escape,
-// or window blur. Kept local to this module since it's the only caller.
-var _claudeModeMenu = null;
-function closeClaudeModeMenu() {
-  if (_claudeModeMenu && _claudeModeMenu.parentNode) {
-    _claudeModeMenu.parentNode.removeChild(_claudeModeMenu);
-  }
-  _claudeModeMenu = null;
-}
-function openClaudeModeMenu(x, y) {
-  closeClaudeModeMenu();
-  var menu = document.createElement("div");
-  menu.className = "claude-mode-menu";
-  // CLI sessions (created by the `claude` CLI outside Clay) are now
-  // auto-adopted into the regular session list on server start, so no
-  // separate "Import CLI" entry is needed. Users see all sessions as one
-  // list and click renders per their claudeOpenMode pref.
-  var items = [
-    { label: "Start as TUI", hint: "Real claude terminal", action: "new", mode: "tui" },
-    { label: "Start as GUI", hint: "Clay chat UI",         action: "new", mode: "gui" },
-  ];
-  for (var i = 0; i < items.length; i++) {
-    (function (it) {
-      var b = document.createElement("button");
-      b.type = "button";
-      b.className = "claude-mode-menu-item";
-      b.innerHTML = '<span class="claude-mode-menu-label">' + it.label + '</span>' +
-                    '<span class="claude-mode-menu-hint">' + it.hint + '</span>';
-      b.addEventListener("click", function (e) {
-        e.stopPropagation();
-        closeClaudeModeMenu();
-        if (getWs() && store.get('connected')) {
-          getWs().send(JSON.stringify({ type: "new_session", vendor: "claude", mode: it.mode }));
-        }
-      });
-      menu.appendChild(b);
-    })(items[i]);
-  }
-  document.body.appendChild(menu);
-  // Clamp to viewport.
-  var rect = menu.getBoundingClientRect();
-  var px = x, py = y;
-  if (px + rect.width > window.innerWidth - 4) px = window.innerWidth - rect.width - 4;
-  if (py + rect.height > window.innerHeight - 4) py = window.innerHeight - rect.height - 4;
-  menu.style.left = px + "px";
-  menu.style.top = py + "px";
-  _claudeModeMenu = menu;
-}
-document.addEventListener("click", function () { closeClaudeModeMenu(); });
-document.addEventListener("keydown", function (e) { if (e.key === "Escape") closeClaudeModeMenu(); });
-window.addEventListener("blur", function () { closeClaudeModeMenu(); });
-window.addEventListener("resize", function () { closeClaudeModeMenu(); });
-
 function renderSessionTopActions() {
   var wrap = document.createElement("div");
   wrap.className = "session-top-actions";
 
-  // Claude: split button. Default click starts a TUI session (the path
-  // most users want post 2026-06-15 Agent SDK billing split). The small
-  // chevron on the right opens a dropdown that lets the user explicitly
-  // pick TUI or GUI for this one session, bypassing the saved pref.
-  var claudeWrap = document.createElement("div");
-  claudeWrap.className = "session-top-action session-top-action-split";
-
-  var claudeMain = document.createElement("button");
-  claudeMain.className = "session-top-action-main";
-  claudeMain.type = "button";
-  claudeMain.title = "New Claude session (TUI)";
-  claudeMain.innerHTML = '<img src="/claude-code-avatar.png" class="session-top-action-icon" alt=""><span>Claude</span>';
-  claudeMain.addEventListener("click", function () {
+  // Claude: single button. TUI vs GUI is the user's claudeOpenMode pref
+  // (set in user settings), so we send no explicit mode and let the server
+  // apply it - no per-click chevron/menu needed.
+  var claudeBtn = document.createElement("button");
+  claudeBtn.className = "session-top-action";
+  claudeBtn.type = "button";
+  claudeBtn.title = "New Claude session";
+  claudeBtn.innerHTML = '<img src="/claude-code-avatar.png" class="session-top-action-icon" alt=""><span>Claude</span>';
+  claudeBtn.addEventListener("click", function () {
     if (getWs() && store.get('connected')) {
-      getWs().send(JSON.stringify({ type: "new_session", vendor: "claude", mode: "tui" }));
+      getWs().send(JSON.stringify({ type: "new_session", vendor: "claude" }));
     }
   });
-  claudeWrap.appendChild(claudeMain);
-
-  var claudeChevron = document.createElement("button");
-  claudeChevron.className = "session-top-action-chevron";
-  claudeChevron.type = "button";
-  claudeChevron.title = "Choose session mode";
-  claudeChevron.innerHTML = iconHtml("chevron-down");
-  claudeChevron.addEventListener("click", function (e) {
-    e.stopPropagation();
-    var rect = claudeWrap.getBoundingClientRect();
-    openClaudeModeMenu(rect.left, rect.bottom + 4);
-  });
-  claudeWrap.appendChild(claudeChevron);
-
-  wrap.appendChild(claudeWrap);
+  wrap.appendChild(claudeBtn);
 
   // Codex: always GUI (no TUI adapter for Codex).
   var codexBtn = document.createElement("button");

package/lib/public/modules/terminal-toolbar.js

@@ -0,0 +1,129 @@
+// terminal-toolbar.js
+//
+// Reusable mobile control-key bar (Tab / Ctrl / Esc / arrows / Alt / pipe /
+// slash / tilde) for any xterm-backed terminal. Soft keyboards lack these
+// keys, so both the bottom-panel shell (terminal.js) and the embedded TUI
+// session view (session-tui-view.js) mount this bar on touch devices.
+//
+// The caller owns the toolbar element and how bytes reach its terminal; this
+// module owns the key sequences, the sticky Ctrl/Alt modifiers, and applying
+// Ctrl to a soft-keyboard letter via xterm's custom key handler.
+
+export var TERMINAL_TOOLBAR_HTML =
+  '<button class="term-key" data-key="tab">Tab</button>' +
+  '<button class="term-key term-key-toggle" data-key="ctrl">Ctrl</button>' +
+  '<button class="term-key" data-key="esc">Esc</button>' +
+  '<span class="term-key-spacer"></span>' +
+  '<button class="term-key term-key-arrow" data-key="up">&#9650;</button>' +
+  '<button class="term-key term-key-arrow" data-key="down">&#9660;</button>' +
+  '<button class="term-key term-key-arrow" data-key="left">&#9664;</button>' +
+  '<button class="term-key term-key-arrow" data-key="right">&#9654;</button>' +
+  '<span class="term-key-spacer"></span>' +
+  '<button class="term-key term-key-toggle" data-key="alt">Alt</button>' +
+  '<button class="term-key" data-key="pipe">|</button>' +
+  '<button class="term-key" data-key="slash">/</button>' +
+  '<button class="term-key" data-key="tilde">~</button>';
+
+var KEY_MAP = {
+  tab: "\t",
+  esc: "\x1b",
+  up: "\x1b[A",
+  down: "\x1b[B",
+  right: "\x1b[C",
+  left: "\x1b[D",
+  pipe: "|",
+  slash: "/",
+  tilde: "~",
+};
+
+// Wire a toolbar element to a terminal.
+//   opts.toolbar : the container element holding the .term-key buttons.
+//   opts.send    : function(data) that writes the bytes to the live PTY.
+// Returns { bindXterm(xterm), reset() }:
+//   bindXterm - (re)attach the Ctrl-letter handler to the active xterm; call
+//               whenever the active terminal changes.
+//   reset     - clear sticky Ctrl/Alt state (call when hiding the bar).
+export function createKeyToolbar(opts) {
+  var toolbar = opts && opts.toolbar;
+  var send = opts && opts.send;
+  if (!toolbar || typeof send !== "function") return { bindXterm: function () {}, reset: function () {} };
+
+  var ctrlActive = false;
+  var altActive = false;
+
+  function clearModifier(key) {
+    var btn = toolbar.querySelector("[data-key='" + key + "']");
+    if (btn) btn.classList.remove("active");
+  }
+  function reset() {
+    ctrlActive = false;
+    altActive = false;
+    clearModifier("ctrl");
+    clearModifier("alt");
+  }
+
+  // Bind the click handler once.
+  if (!toolbar._keyToolbarBound) {
+    toolbar._keyToolbarBound = true;
+    // Keep focus on the terminal so the soft keyboard doesn't dismiss.
+    toolbar.addEventListener("mousedown", function (e) { e.preventDefault(); });
+    toolbar.addEventListener("click", function (e) {
+      var btn = e.target.closest(".term-key");
+      if (!btn) return;
+      var key = btn.dataset.key;
+      if (!key) return;
+
+      if (key === "ctrl") {
+        ctrlActive = !ctrlActive;
+        btn.classList.toggle("active", ctrlActive);
+        return;
+      }
+      if (key === "alt") {
+        altActive = !altActive;
+        btn.classList.toggle("active", altActive);
+        return;
+      }
+
+      var seq = KEY_MAP[key];
+      if (!seq) return;
+      if (altActive) {
+        seq = "\x1b" + seq;
+        altActive = false;
+        clearModifier("alt");
+      }
+      send(seq);
+      if (ctrlActive) {
+        ctrlActive = false;
+        clearModifier("ctrl");
+      }
+    });
+  }
+
+  return {
+    bindXterm: function (xterm) {
+      if (!xterm || typeof xterm.attachCustomKeyEventHandler !== "function") return;
+      xterm.attachCustomKeyEventHandler(function (ev) {
+        if (ctrlActive && ev.type === "keydown" && ev.key && ev.key.length === 1) {
+          var charCode = ev.key.toUpperCase().charCodeAt(0);
+          if (charCode >= 65 && charCode <= 90) {
+            send(String.fromCharCode(charCode - 64));
+            ctrlActive = false;
+            clearModifier("ctrl");
+            return false;
+          }
+        }
+        return true;
+      });
+    },
+    // If Ctrl is armed, disarm it and return true. Lets a separate input
+    // surface (e.g. the mobile TUI entry bar, where soft-keyboard letters
+    // don't reach xterm) apply the Ctrl modifier to the next typed letter.
+    takeCtrl: function () {
+      if (!ctrlActive) return false;
+      ctrlActive = false;
+      clearModifier("ctrl");
+      return true;
+    },
+    reset: reset,
+  };
+}

package/lib/public/modules/terminal.js

@@ -4,13 +4,13 @@ import { closeFileViewer } from './filebrowser.js';
 import { copyToClipboard } from './utils.js';
 import { getTerminalTheme } from './theme.js';
 import { getTerminalFontFamily, getTerminalFontSize, onTerminalFontChange } from './terminal-prefs.js';
+import { createKeyToolbar } from './terminal-toolbar.js';
 
 var ctx;
 var tabs = new Map(); // termId -> { id, title, exited, xterm, fitAddon, bodyEl }
 var activeTabId = null;
 var isOpen = false;
-var ctrlActive = false;
-var altActive = false;
+var keyToolbar = null;
 var isTouchDevice = "ontouchstart" in window;
 var viewportHandler = null;
 var resizeObserver = null;
@@ -30,7 +30,6 @@ function disposeTab(tab) {
     tab.bodyEl = null;
   }
 }
-var toolbarBound = false;
 var termCtxMenu = null;
 
 // --- Multi-line link provider ---
@@ -242,15 +241,8 @@ export function closeTerminal() {
 
   // Hide toolbar
   var toolbar = document.getElementById("terminal-toolbar");
-  if (toolbar) {
-    toolbar.classList.add("hidden");
-    var ctrlBtn = toolbar.querySelector("[data-key='ctrl']");
-    if (ctrlBtn) ctrlBtn.classList.remove("active");
-    var altBtn = toolbar.querySelector("[data-key='alt']");
-    if (altBtn) altBtn.classList.remove("active");
-  }
-  ctrlActive = false;
-  altActive = false;
+  if (toolbar) toolbar.classList.add("hidden");
+  if (keyToolbar) keyToolbar.reset();
 
   // Mobile: restore tab bar
   var mTabBar = document.getElementById("mobile-tab-bar");
@@ -327,7 +319,17 @@ function activateTab(termId) {
   var toolbar = document.getElementById("terminal-toolbar");
   if (toolbar && isTouchDevice) {
     toolbar.classList.remove("hidden");
-    initToolbar(toolbar);
+    if (!keyToolbar) {
+      keyToolbar = createKeyToolbar({
+        toolbar: toolbar,
+        send: function (data) {
+          if (activeTabId && ctx.ws && ctx.connected) {
+            ctx.ws.send(JSON.stringify({ type: "term_input", id: activeTabId, data: data }));
+          }
+        },
+      });
+    }
+    if (tab.xterm) keyToolbar.bindXterm(tab.xterm);
   }
 
   // Mobile viewport handling
@@ -962,89 +964,3 @@ function showTermCtxMenu(e, tab) {
     document.addEventListener("click", closeTermCtxMenu, { once: true });
   }, 0);
 }
-
-// --- Mobile toolbar ---
-var KEY_MAP = {
-  tab: "\t",
-  esc: "\x1b",
-  up: "\x1b[A",
-  down: "\x1b[B",
-  right: "\x1b[C",
-  left: "\x1b[D",
-  pipe: "|",
-  slash: "/",
-  tilde: "~",
-};
-
-function initToolbar(toolbar) {
-  if (!toolbarBound) {
-    toolbarBound = true;
-
-    toolbar.addEventListener("mousedown", function (e) { e.preventDefault(); });
-
-    toolbar.addEventListener("click", function (e) {
-      var btn = e.target.closest(".term-key");
-      if (!btn) return;
-
-      var tab = activeTabId ? tabs.get(activeTabId) : null;
-      if (!tab || !tab.xterm) return;
-
-      var key = btn.dataset.key;
-      if (!key) return;
-
-      if (key === "ctrl") {
-        ctrlActive = !ctrlActive;
-        btn.classList.toggle("active", ctrlActive);
-        return;
-      }
-
-      if (key === "alt") {
-        altActive = !altActive;
-        btn.classList.toggle("active", altActive);
-        return;
-      }
-
-      var seq = KEY_MAP[key];
-      if (!seq) return;
-
-      // Alt prefix: send ESC before the character
-      if (altActive) {
-        seq = "\x1b" + seq;
-        altActive = false;
-        var altBtn = toolbar.querySelector("[data-key='alt']");
-        if (altBtn) altBtn.classList.remove("active");
-      }
-
-      if (ctx.ws && ctx.connected) {
-        ctx.ws.send(JSON.stringify({ type: "term_input", id: activeTabId, data: seq }));
-      }
-
-      if (ctrlActive) {
-        ctrlActive = false;
-        var ctrlBtn = toolbar.querySelector("[data-key='ctrl']");
-        if (ctrlBtn) ctrlBtn.classList.remove("active");
-      }
-    });
-  }
-
-  // Attach Ctrl handler to active terminal
-  var tab = activeTabId ? tabs.get(activeTabId) : null;
-  if (tab && tab.xterm) {
-    tab.xterm.attachCustomKeyEventHandler(function (ev) {
-      if (ctrlActive && ev.type === "keydown" && ev.key.length === 1) {
-        var charCode = ev.key.toUpperCase().charCodeAt(0);
-        if (charCode >= 65 && charCode <= 90) {
-          var ctrlChar = String.fromCharCode(charCode - 64);
-          if (ctx.ws && ctx.connected) {
-            ctx.ws.send(JSON.stringify({ type: "term_input", id: activeTabId, data: ctrlChar }));
-          }
-          ctrlActive = false;
-          var ctrlBtn = document.querySelector("#terminal-toolbar [data-key='ctrl']");
-          if (ctrlBtn) ctrlBtn.classList.remove("active");
-          return false;
-        }
-      }
-      return true;
-    });
-  }
-}

package/lib/safe-bash-commands.js

@@ -0,0 +1,171 @@
+// safe-bash-commands.js
+//
+// Single source of truth for the Bash commands Clay auto-approves without
+// prompting. BOTH auto-approval paths derive from here so they can never
+// drift apart again:
+//   - sdk-bridge.js `checkToolWhitelist`  -> SDK / GUI sessions (uses
+//     isSafeBashSegment on each operator-split segment).
+//   - claude-hook-installer.js `CLAY_MANAGED_ALLOW` -> TUI sessions, via the
+//     `Bash(...)` patterns buildClayBashAllowPatterns() emits into
+//     ~/.claude/settings.json `permissions.allow`.
+//
+// Policy:
+//   - STANDALONE: read-only / inspection / navigation / text commands that
+//     stay safe regardless of arguments. Auto-approved as a whole word.
+//   - SUBCOMMAND: binaries that are NOT blanket-safe (git, npm, ...) but
+//     whose listed read-only subcommands are. Write subcommands (git push,
+//     npm install, ...) are intentionally absent so they still prompt.
+//   - EXACT: full command strings safe verbatim (version probes). Language
+//     runtimes (node, python, ruby, go, ...) live here as `--version` only:
+//     `node script.js` executes arbitrary code, so it is NOT auto-approved.
+//
+// Safety note: a few STANDALONE entries (env, command, xargs, time, tee,
+// find, sed, awk) can execute or write given hostile arguments
+// (`env rm -rf /`, `find . -exec ...`, `tee /etc/x`). They are kept to match
+// Clay's long-standing read-only-convenience posture; this is the one place
+// to tighten if that tradeoff ever changes.
+
+var STANDALONE = [
+  // Navigation
+  "cd", "pushd", "popd",
+  // File / dir inspection
+  "ls", "cat", "head", "tail", "wc", "file", "stat", "find", "tree", "du", "df",
+  "readlink", "realpath", "basename", "dirname",
+  // Search
+  "grep", "rg", "ag", "ack", "fgrep", "egrep",
+  // Lookup
+  "which", "type", "whereis", "command", "hash",
+  // Environment / system info
+  "echo", "printf", "env", "printenv", "pwd", "whoami", "id", "groups",
+  "date", "uname", "hostname", "uptime", "arch", "nproc", "free",
+  "lsb_release", "sw_vers", "locale", "timedatectl",
+  // Text processing (stdin / stdout)
+  "jq", "yq", "sort", "uniq", "cut", "tr", "awk", "sed", "paste", "column",
+  "fold", "rev", "tac", "nl", "expand", "unexpand", "fmt", "pr", "csplit",
+  "comm", "join",
+  // Comparison / hashing
+  "diff", "cmp", "md5sum", "sha256sum", "sha1sum", "shasum", "cksum", "sum",
+  "b2sum", "base64", "xxd", "od", "hexdump",
+  // Misc read-only
+  "test", "true", "false", "seq", "yes", "sleep", "tee", "xargs", "time",
+  "man", "help", "info", "apropos", "cal", "bc", "expr", "factor",
+  // ACL / attribute inspection
+  "getfacl", "getfattr", "namei",
+  // Process / network introspection
+  "lsof", "ps", "top", "htop", "pgrep", "netstat", "ss", "ifconfig", "ip",
+  "dig", "nslookup", "host", "ping", "traceroute", "curl", "wget", "http",
+];
+
+// binary -> read-only subcommands. Each generates `Bash(bin sub)` and
+// `Bash(bin sub *)`. Multi-word keys (e.g. "config --get") are supported.
+var SUBCOMMAND = {
+  git: [
+    "status", "log", "diff", "show", "branch", "tag", "remote",
+    "rev-parse", "ls-files", "blame", "describe", "config --get",
+  ],
+  npm: ["list", "ls", "view", "outdated", "config get"],
+  yarn: ["list"],
+  pnpm: ["list"],
+};
+
+// Full command strings safe verbatim. `*`-suffixed args are allowed after
+// them (e.g. `node --version` plus any trailing flags) but the prefix must
+// match exactly so `node server.js` does not slip through.
+var EXACT = [
+  "node --version", "npm --version", "python --version",
+  "python3 --version", "go version", "ruby --version",
+];
+
+var STANDALONE_SET = {};
+for (var i = 0; i < STANDALONE.length; i++) STANDALONE_SET[STANDALONE[i]] = true;
+
+// Strip leading env assignments (FOO=bar cmd) and an optional sudo prefix so
+// the real command word is what we test. Returns the cleaned segment.
+function stripLeadingNoise(seg) {
+  var out = seg.replace(/^(?:\w+=\S*\s+)*/, "");
+  if (/^sudo(?:\s|$)/.test(out)) {
+    out = out.replace(/^sudo\s+(?:-\S+\s+)*/, "");
+  }
+  return out;
+}
+
+// True if a single shell segment (already split on &&, ||, ;, |) is safe to
+// auto-approve. Empty segments (trailing operators) are treated as safe.
+function isSafeBashSegment(seg) {
+  seg = (seg || "").trim();
+  if (!seg) return true;
+  var cleaned = stripLeadingNoise(seg);
+  var firstWord = cleaned.split(/\s+/)[0];
+  if (!firstWord) return false;
+  if (STANDALONE_SET[firstWord]) return true;
+  if (SUBCOMMAND[firstWord]) {
+    var subs = SUBCOMMAND[firstWord];
+    for (var i = 0; i < subs.length; i++) {
+      var prefix = firstWord + " " + subs[i];
+      if (cleaned === prefix || cleaned.indexOf(prefix + " ") === 0) return true;
+    }
+    return false;
+  }
+  for (var j = 0; j < EXACT.length; j++) {
+    if (cleaned === EXACT[j] || cleaned.indexOf(EXACT[j] + " ") === 0) return true;
+  }
+  return false;
+}
+
+// Emit the `Bash(...)` permission patterns for ~/.claude/settings.json. Each
+// standalone command gets a bare form (zero-arg) and a space-wildcard form
+// (claude 2.x prefix matching); subcommands and exact commands likewise.
+function buildClayBashAllowPatterns() {
+  var patterns = [];
+  for (var i = 0; i < STANDALONE.length; i++) {
+    patterns.push("Bash(" + STANDALONE[i] + ")");
+    patterns.push("Bash(" + STANDALONE[i] + " *)");
+  }
+  var bins = Object.keys(SUBCOMMAND);
+  for (var b = 0; b < bins.length; b++) {
+    var subs = SUBCOMMAND[bins[b]];
+    for (var s = 0; s < subs.length; s++) {
+      var base = bins[b] + " " + subs[s];
+      patterns.push("Bash(" + base + ")");
+      patterns.push("Bash(" + base + " *)");
+    }
+  }
+  for (var e = 0; e < EXACT.length; e++) {
+    patterns.push("Bash(" + EXACT[e] + ")");
+    patterns.push("Bash(" + EXACT[e] + " *)");
+  }
+  return patterns;
+}
+
+var GENERATED_SET = {};
+(function () {
+  var p = buildClayBashAllowPatterns();
+  for (var i = 0; i < p.length; i++) GENERATED_SET[p[i]] = true;
+})();
+
+// Recognize a `permissions.allow` entry that Clay owns, so the installer can
+// strip stale variants on upgrade (including shapes a previous version wrote)
+// WITHOUT clobbering user-authored patterns. Rules:
+//   - Standalone commands: own every shape of `Bash(ls ...)` (any args), since
+//     a user pattern for a command we manage is redundant with our broad one.
+//   - Subcommand binaries (git, npm, ...) and exact commands: only strip the
+//     precise patterns we generate, so a user's `Bash(git push)` survives.
+// Legacy colon shapes are handled separately by the installer.
+function isClayManagedBashPattern(p) {
+  if (typeof p !== "string") return false;
+  if (p.indexOf("Bash(") !== 0 || p.charAt(p.length - 1) !== ")") return false;
+  if (GENERATED_SET[p]) return true;
+  var inner = p.slice(5, -1).trim();
+  if (!inner) return false;
+  var word = inner.split(/[\s:]/)[0];
+  return STANDALONE_SET[word] === true;
+}
+
+module.exports = {
+  STANDALONE: STANDALONE,
+  SUBCOMMAND: SUBCOMMAND,
+  EXACT: EXACT,
+  isSafeBashSegment: isSafeBashSegment,
+  buildClayBashAllowPatterns: buildClayBashAllowPatterns,
+  isClayManagedBashPattern: isClayManagedBashPattern,
+};

package/lib/sdk-bridge.js

@@ -6,6 +6,7 @@ var execFileSync = require("child_process").execFileSync;
 var usersModule = require("./users");
 var { getCodexConfig } = require("./codex-defaults");
 var { splitShellSegments, attachSkillDiscovery } = require("./sdk-skill-discovery");
+var { isSafeBashSegment } = require("./safe-bash-commands");
 var { createMessageQueue } = require("./sdk-message-queue");
 var { attachMessageProcessor } = require("./sdk-message-processor");
 
@@ -516,61 +517,15 @@ function createSDKBridge(opts) {
     // Read/Glob/Grep built-in tools which are already auto-approved.
     if (toolName === "Bash" && input && input.command) {
       var cmd = input.command.trim();
-      var safeBashCommands = {
-        // Navigation (harmless on its own, checked in compound commands below)
-        cd: true, pushd: true, popd: true,
-        // File/dir inspection
-        ls: true, cat: true, head: true, tail: true, wc: true, file: true,
-        stat: true, find: true, tree: true, du: true, df: true,
-        readlink: true, realpath: true, basename: true, dirname: true,
-        // Search
-        grep: true, rg: true, ag: true, ack: true, fgrep: true, egrep: true,
-        // Lookup
-        which: true, type: true, whereis: true, command: true, hash: true,
-        // Environment/system info
-        echo: true, printf: true, env: true, printenv: true, pwd: true,
-        whoami: true, id: true, groups: true,
-        date: true, uname: true, hostname: true, uptime: true, arch: true,
-        nproc: true, free: true, lsb_release: true, sw_vers: true,
-        locale: true, timedatectl: true,
-        // Version checks (--version only, but first-word check is sufficient
-        // since these never take destructive subcommands as first arg)
-        git: true, node: true, npm: true, npx: true, python: true, python3: true, pip: true,
-        dotnet: true, ruby: true, java: true, javac: true,
-        rustc: true, cargo: true, gcc: true, clang: true, cmake: true,
-        go: true, deno: true, bun: true,
-        // Text processing (pure stdin/stdout, no side effects)
-        jq: true, yq: true, sort: true, uniq: true, cut: true, tr: true,
-        awk: true, sed: true, paste: true, column: true, fold: true,
-        rev: true, tac: true, nl: true, expand: true, unexpand: true,
-        fmt: true, pr: true, csplit: true, comm: true, join: true,
-        // Comparison/hashing
-        diff: true, cmp: true, md5sum: true, sha256sum: true, sha1sum: true,
-        shasum: true, cksum: true, sum: true, b2sum: true, base64: true,
-        xxd: true, od: true, hexdump: true,
-        // Misc read-only
-        test: true, true: true, false: true, seq: true, yes: true,
-        sleep: true, tee: true, xargs: true, time: true,
-        man: true, help: true, info: true, apropos: true,
-        cal: true, bc: true, expr: true, factor: true,
-        lsof: true, ps: true, top: true, htop: true, pgrep: true,
-        netstat: true, ss: true, ifconfig: true, ip: true, dig: true,
-        nslookup: true, host: true, ping: true, traceroute: true,
-        curl: true, wget: true, http: true,
-      };
       // Split compound commands on operators (&&, ||, ;, |) while respecting
-      // quoted strings and subshells so that e.g. grep -E "(a|b)" is not split
+      // quoted strings and subshells (so grep -E "(a|b)" is not split), then
+      // require every segment to pass the shared safe-command policy. The
+      // policy lives in safe-bash-commands.js so the TUI allow-list
+      // (claude-hook-installer.js) stays in lockstep with this path.
       var segments = splitShellSegments(cmd);
       var allSafe = true;
       for (var si = 0; si < segments.length; si++) {
-        var seg = segments[si].trim();
-        if (!seg) continue;
-        // Strip leading env assignments (FOO=bar cmd) and sudo
-        var firstWord = seg.replace(/^(?:\w+=\S*\s+)*/, "").split(/\s/)[0];
-        if (firstWord === "sudo") {
-          firstWord = seg.replace(/^(?:\w+=\S*\s+)*sudo\s+(?:-\S+\s+)*/, "").split(/\s/)[0];
-        }
-        if (!safeBashCommands[firstWord]) { allSafe = false; break; }
+        if (!isSafeBashSegment(segments[si])) { allSafe = false; break; }
       }
       if (allSafe) {
         return { behavior: "allow", updatedInput: input };

package/lib/sessions.js

@@ -581,7 +581,7 @@ function createSessionManager(opts) {
     var _capsByVendor = capabilitiesByVendor || {};
     var _sessionVendor = session.vendor || defaultVendor || "claude";
     var _vendorCaps = _capsByVendor[_sessionVendor] || {};
-    _send({ type: "session_switched", id: localId, cliSessionId: session.cliSessionId || null, loop: session.loop || null, vendor: session.vendor || null, hasHistory: (session.history && session.history.length > 0), capabilities: _vendorCaps, isProcessing: !!session.isProcessing, mode: session.mode || "gui", terminalId: typeof session.terminalId === "number" ? session.terminalId : null, runtimeMode: session.runtimeMode || null, runtimeTerminalId: typeof session.runtimeTerminalId === "number" ? session.runtimeTerminalId : null });
+    _send({ type: "session_switched", id: localId, cliSessionId: session.cliSessionId || null, loop: session.loop || null, vendor: session.vendor || null, hasHistory: (session.history && session.history.length > 0), capabilities: _vendorCaps, isProcessing: !!session.isProcessing, mode: session.mode || "gui", terminalId: typeof session.terminalId === "number" ? session.terminalId : null, runtimeMode: session.runtimeMode || null, runtimeTerminalId: typeof session.runtimeTerminalId === "number" ? session.runtimeTerminalId : null, tuiSuspended: !!session.tuiSuspended });
     // Send vendor-specific slash commands
     var _vendorCmds = slashCommandsByVendor[_sessionVendor] || slashCommands || [];
     _send({ type: "slash_commands", commands: _vendorCmds, vendor: _sessionVendor });