mixdog 0.7.1

package/src/agent/orchestrator/tools/cwd-tool.mjs

@@ -0,0 +1,298 @@
+// cwd-tool.mjs — session-cwd management MCP tool.
+//
+// Backs the `cwd` tool exposed via tools.json. Three actions:
+//
+//   get   — report the current effective cwd (pwd()) plus its resolved
+//           project_id (via resolveProjectId).
+//   set   — validate `args.path` against the filesystem and stash the
+//           canonical absolute form into process.env.MIXDOG_SESSION_CWD.
+//           captureOriginalUserCwd() consults that env var first, so
+//           every downstream tool (read/grep/glob/find_symbol/bash/...)
+//           picks up the change without a per-tool plumbing change.
+//   list  — comprehensive `.git` repository scan rooted at $HOME and
+//           the rawUserCwd() session sentinel. Cached in-process; pass
+//           `refresh:true` to force a rebuild.
+//
+// list policy:
+//   - depth-bounded walk (maxDepth 4) using the shared walkDir helper.
+//   - prunes NOISE_DIR_NAMES + a small AppData cache-dir set to keep
+//     the scan responsive on Windows.
+//   - once a directory is identified as a `.git`-bearing repo, it is
+//     recorded and its children are NOT descended (no nested worktree
+//     scans, no submodule recursion).
+
+import { resolve as pathResolve, join as pathJoin } from 'path'
+import { homedir } from 'os'
+import { existsSync, statSync, readFileSync, writeFileSync } from 'fs'
+import { execFileSync } from 'child_process'
+import { pwd, rawUserCwd, writeLastSessionCwd } from '../../../shared/user-cwd.mjs'
+import { resolveOptionalCwd } from './builtin/cwd-utils.mjs'
+import { walkDir, NOISE_DIR_NAMES } from './builtin/glob-walk.mjs'
+import { resolveProjectId } from '../../../memory/lib/project-id-resolver.mjs'
+import { resolvePluginData } from '../../../shared/plugin-paths.mjs'
+
+// Canonical absolute-path form. Mirrors code-graph's `_canonicalGraphCwd`:
+// resolve to absolute, lower-case on win32 so case drift in user input
+// does not produce duplicate session-cwd values.
+function _canonicalSessionCwd(cwd) {
+  const full = pathResolve(cwd)
+  return process.platform === 'win32' ? full.toLowerCase() : full
+}
+
+// Extra AppData cache dir names commonly found under %USERPROFILE% on
+// Windows. They are not in NOISE_DIR_NAMES because they're user-data
+// roots elsewhere, but we never want to spider them during a repo scan.
+const EXTRA_NOISE_DIR_NAMES = new Set([
+  'AppData', 'Application Data', 'Local Settings',
+  '.npm', '.yarn', '.pnpm-store', '.nuget', '.cargo', '.rustup',
+  '.gradle', '.m2', '.ivy2', '.android', '.docker', '.vscode',
+  '.cursor', 'Library',
+  // NOTE: do NOT prune '.claude' — the mixdog repo lives under
+  // ~/.claude/plugins/marketplaces/trib-plugin (depth 4 from home), so
+  // pruning it would hide the user's primary project from `list`. The
+  // maxDepth:4 cap + stop-at-.git keep the deep version cache
+  // (~/.claude/plugins/cache/.../0.5.x = depth 6) out of the scan.
+])
+
+const PRUNED_DIR_NAMES = new Set([...NOISE_DIR_NAMES, ...EXTRA_NOISE_DIR_NAMES])
+
+let _listCache = null
+
+// Per-scan set used by the visitor to mark repos whose subtree must not
+// be descended. walkDir does not natively support "stop descent into
+// this dir but keep the walk going", so we approximate by checking
+// ancestry on every visit and bailing early when the entry lives under
+// a previously-recorded repo.
+const _recordedRepos = new Set()
+
+function _scanReposUnderFiltered(root) {
+  _recordedRepos.clear()
+  const repos = []
+  if (!root || !existsSync(root)) return repos
+  try {
+    const st = statSync(root)
+    if (!st.isDirectory()) return repos
+  } catch { return repos }
+
+  if (existsSync(`${root}/.git`)) {
+    repos.push(root)
+    return repos
+  }
+
+  walkDir(root, {
+    hidden: true,
+    maxDepth: 4,
+    excludeDirNames: PRUNED_DIR_NAMES,
+    visit: (ent, entPath) => {
+      if (!ent.isDirectory()) return
+      // Skip subtree of a previously-recorded repo. walkDir invokes
+      // visit before recursing, so flipping ent.isDirectory() here
+      // would not stop descent. Instead, check ancestry on every
+      // visit and bail early.
+      for (const recorded of _recordedRepos) {
+        if (entPath === recorded || entPath.startsWith(recorded + '/') || entPath.startsWith(recorded + '\\')) {
+          return
+        }
+      }
+      try {
+        if (existsSync(`${entPath}/.git`)) {
+          repos.push(entPath)
+          _recordedRepos.add(entPath)
+        }
+      } catch { /* ignore stat races */ }
+    },
+  })
+
+  return repos
+}
+
+// ── Owned-project filtering (config: `cwd` section) ──────────────────
+// `cwd list` scans ONLY under the session entry directory (rawUserCwd) plus
+// any extraRoots — never $HOME. Claude-Code-managed plugin clones live under
+// ~/.claude/plugins (i.e. $HOME), so they fall outside the scan with no
+// manifest/path heuristic. Repos are then kept by ONE explicit signal:
+//   - identityEmails: a repo is kept only when >=1 commit is authored by one
+//     of these. Empty set = no filter (fail open) so the list never silently
+//     goes blank.
+// extraRoots widens the scan beyond the session cwd.
+function _cwdConfig() {
+  // Read the `cwd` section directly (no config.mjs import: its module-load
+  // resolvePluginData() throws when CLAUDE_PLUGIN_DATA is unset, which would
+  // break tool-manifest builds that merely import this file for its defs).
+  let raw = {}
+  try {
+    const all = JSON.parse(readFileSync(pathJoin(resolvePluginData(), 'mixdog-config.json'), 'utf8'))
+    if (all && typeof all.cwd === 'object' && all.cwd) raw = all.cwd
+  } catch { raw = {} }
+  const identityEmails = Array.isArray(raw.identityEmails)
+    ? raw.identityEmails.filter(e => typeof e === 'string' && e.trim()).map(e => e.trim())
+    : []
+  const extraRoots = Array.isArray(raw.extraRoots)
+    ? raw.extraRoots.filter(r => typeof r === 'string' && r.trim()).map(r => r.trim())
+    : []
+  return { identityEmails, extraRoots }
+}
+
+function _escapeRe(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+// True when >=1 commit across all refs is authored by one of the identity
+// emails. One git spawn per repo; multiple --author flags are OR-combined
+// by git, and -1 exits on the first match.
+function _authoredByIdentity(repoPath, emails) {
+  try {
+    const args = ['-C', repoPath, 'log', '--all', '-1', '--format=%H']
+    for (const e of emails) { args.push('--author', _escapeRe(e)) }
+    const out = execFileSync('git', args, { encoding: 'utf8', timeout: 5000, stdio: ['ignore', 'pipe', 'ignore'], windowsHide: true })
+    return out.trim().length > 0
+  } catch {
+    return false
+  }
+}
+
+function _buildRepoList(includeAll = false) {
+  const cfg = _cwdConfig()
+  const user = rawUserCwd()
+  const roots = []
+  const seen = new Set()
+  // Scan ONLY the session entry dir (+ extraRoots), never $HOME — this keeps
+  // Claude-Code-managed plugin clones under ~/.claude/plugins out of the scan
+  // entirely, with no manifest/path heuristic needed.
+  for (const r of [user, ...cfg.extraRoots]) {
+    if (!r) continue
+    const key = _canonicalSessionCwd(r)
+    if (seen.has(key)) continue
+    seen.add(key)
+    roots.push(r)
+  }
+
+  const repoSet = new Map() // canonical → original path
+  for (const root of roots) {
+    for (const repo of _scanReposUnderFiltered(root)) {
+      const key = _canonicalSessionCwd(repo)
+      if (!repoSet.has(key)) repoSet.set(key, repo)
+    }
+  }
+
+  let paths = [...repoSet.values()]
+  // Keep only repos the user has actually committed to (identityEmails). Empty
+  // set = no filter (fail open). No plugin filtering needed — plugin clones
+  // live under $HOME, which is no longer scanned.
+  if (!includeAll && cfg.identityEmails.length) {
+    paths = paths.filter(p => _authoredByIdentity(p, cfg.identityEmails))
+  }
+
+  const out = paths.map(repoPath => ({ path: repoPath, projectId: resolveProjectId(repoPath) }))
+  // Stable ordering: alphabetical by path.
+  out.sort((a, b) => a.path.localeCompare(b.path))
+  // Persist the filtered list so the SessionStart hook can inject a
+  // "## Projects" block without re-running the scan. Best-effort.
+  if (!includeAll) {
+    try { writeFileSync(pathJoin(resolvePluginData(), 'cwd-projects.json'), JSON.stringify({ projects: out })) } catch { /* best-effort */ }
+  }
+  return out
+}
+
+function _formatList(entries) {
+  if (entries.length === 0) return '[cwd] no .git repositories found under home / user-cwd roots'
+  const lines = entries.map(e => {
+    const pid = e.projectId ? `  project=${e.projectId}` : '  project=<unset>'
+    return `${e.path}${pid}`
+  })
+  return `[cwd] ${entries.length} repo${entries.length === 1 ? '' : 's'}:\n` + lines.join('\n')
+}
+
+/**
+ * MCP entry point. Returns a plain string; the server wraps it into the
+ * standard `{content:[{type:'text',text:...}]}` envelope.
+ */
+export async function executeCwdTool(name, args, callerCwd, opts = {}) {
+  const action = (typeof args?.action === 'string' && args.action) || 'get'
+
+  if (action === 'get') {
+    const effective = opts.session ? opts.session.resolveCwd() : pwd()
+    const projectId = resolveProjectId(effective)
+    return `[cwd] effective=${effective}\nproject=${projectId || '<unset>'}`
+  }
+
+  if (action === 'set') {
+    const baseCwd = (typeof callerCwd === 'string' && callerCwd) ? callerCwd : pwd()
+    const resolved = resolveOptionalCwd(args?.path, baseCwd)
+    if (resolved.error) {
+      return resolved.error
+    }
+    // resolveOptionalCwd returns baseCwd when args.path is empty/missing;
+    // that is an explicit "no path provided" failure for set.
+    if (!args?.path || (typeof args.path === 'string' && args.path.trim() === '')) {
+      return '[cwd] set requires a non-empty `path` argument'
+    }
+    const canonical = _canonicalSessionCwd(resolved.cwd)
+    // Per-session cwd write. In daemon mode opts.session stores it on the
+    // session (no cross-session leak); otherwise fall back to the global env.
+    if (opts.session) opts.session.setCwd(canonical)
+    else process.env.MIXDOG_SESSION_CWD = canonical
+    // Key the per-terminal sentinel by THIS connection's leadPid so a shared
+    // daemon (one process, N terminals) keeps each terminal's `cwd set` in its
+    // own session-cwd-<leadPid>.txt. Falls back to MIXDOG_SUPERVISOR_PID when
+    // no session leadPid is present (boot/stdio path — behaviour-identical).
+    writeLastSessionCwd(canonical, opts.session?.leadPid)
+    // ③ Fire-and-forget code-graph prewarm for the new cwd so the first
+    // unscoped find_symbol/references/callers hits a warm cache instead of the
+    // cold build on the query's critical path. Guarded inside
+    // prewarmCodeGraphIfProject: only validated project roots are prewarmed
+    // (arbitrary trees skipped), and it prewarms the detected ROOT — matching
+    // the re-root executeCodeGraphTool applies. Dynamic import avoids a static
+    // dependency on the heavy code-graph module; never blocks or fails the set.
+    import('./code-graph.mjs')
+      .then((m) => { try { m.prewarmCodeGraphIfProject?.(canonical) } catch { /* best-effort */ } })
+      .catch(() => { /* code-graph unavailable — skip prewarm */ })
+    // Invalidate the in-process repo list — set() typically follows a
+    // list() call when the user picks one of its entries.
+    _listCache = null
+    const projectId = resolveProjectId(canonical)
+    return `[cwd] set effective=${canonical}\nproject=${projectId || '<unset>'}`
+  }
+
+  if (action === 'list') {
+    // `all:true` bypasses the owned-project filter and transient prune — a
+    // raw scan of every .git repo under the roots. Not cached (rare).
+    if (args?.all === true) return _formatList(_buildRepoList(true))
+    if (args?.refresh === true) _listCache = null
+    if (!_listCache) _listCache = _buildRepoList(false)
+    return _formatList(_listCache)
+  }
+
+  return `[cwd] unknown action="${action}" (expected get|set|list)`
+}
+
+// Canonical tool definition consumed by dev/scripts/build-tools-manifest.mjs.
+// The handler lives above; this array is the source for the `cwd` entry in
+// tools.json. The `module: 'cwd'` field is injected at build time, so it is
+// intentionally absent here (mirrors every other module's source array).
+export const CWD_TOOL_DEFS = [
+  {
+    name: 'cwd',
+    title: 'Session CWD',
+    annotations: { title: 'Session CWD', readOnlyHint: false, destructiveHint: false, idempotentHint: true, openWorldHint: false },
+    description: 'Session cwd for relative paths (not a sandbox): get/set/list. set updates session-wide cwd for tools and bridge workers — set on project switch. list: repos you commit to (cwd.identityEmails), minus plugin-cache/codex; all:true for full scan.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        action: { type: 'string', enum: ['get', 'set', 'list'] },
+        path: { type: 'string' },
+        refresh: { type: 'boolean' },
+        all: { type: 'boolean' },
+      },
+    },
+  },
+]
+
+// Background-warm the default (filtered) repo list shortly after module
+// load so the first `cwd list` returns an already-built cache. Deferred
+// and unref'd so it never blocks startup or keeps the process alive.
+try {
+  setTimeout(() => {
+    try { if (!_listCache) _listCache = _buildRepoList(false) } catch { /* best-effort */ }
+  }, 1000).unref?.()
+} catch { /* environments without setTimeout */ }

package/src/agent/orchestrator/tools/destructive-warning.mjs

@@ -0,0 +1,323 @@
+'use strict';
+// Destructive command detector.
+//
+// Returns a short human-readable warning string when the command matches
+// a known data-loss / hard-to-reverse pattern. Purely informational —
+// the caller (case 'bash' in builtin.mjs) prepends the warning to the result
+// envelope so the agent sees the risk inline. Does NOT block execution;
+// hard blocks remain in BLOCKED_PATTERNS in builtin.mjs / bash-session.mjs.
+
+import { SHELL_NAMES as _SHELL_NAMES, WRAPPER_NAMES as _WRAPPER_NAMES } from './shell-policy.mjs';
+import { extractPowerShellCommandInner } from './shell-command.mjs';
+
+export function stripQuotedAndHeredoc(s) { return _stripQuotedSpans(s); }
+export function extractShellCInner(s) { return _extractShellCInner(s); }
+
+function _stripQuotedSpans(s) {
+  return String(s || '')
+    .replace(/<<-?\s*['"]?(\w+)['"]?[\s\S]*?\n\1\b/g, '<<HEREDOC>>')
+    .replace(/'[^']*'/g, "''")
+    .replace(/"(?:[^"\\]|\\.)*"/g, '""')
+    .replace(/#[^\n]*/g, '');
+}
+
+// Heredoc bodies (shell-exec contexts route the body through scanning).
+function _extractHeredocBodies(s) {
+  const out = [];
+  const re = /<<-?\s*['"]?(\w+)['"]?([\s\S]*?)\n\1\b/g;
+  let m;
+  while ((m = re.exec(String(s || ''))) !== null) out.push(m[2]);
+  return out;
+}
+
+// Shell-aware tokenizer. Quoted spans stay intact; separators become
+// their own token so callers can split pipeline segments cleanly.
+function _tokenize(s) {
+  const t = [], src = String(s || '');
+  let cur = '', i = 0;
+  while (i < src.length) {
+    const c = src[i];
+    if (c === "'") { const e = src.indexOf("'", i + 1); if (e === -1) { cur += src.slice(i); break; } cur += src.slice(i, e + 1); i = e + 1; continue; }
+    if (c === '"') { let j = i + 1; while (j < src.length) { if (src[j] === '\\' && j + 1 < src.length) { j += 2; continue; } if (src[j] === '"') break; j++; } if (j >= src.length) { cur += src.slice(i); break; } cur += src.slice(i, j + 1); i = j + 1; continue; }
+    if (c === '\\' && i + 1 < src.length) { cur += src[i] + src[i + 1]; i += 2; continue; }
+    if (c === ' ' || c === '\t') { if (cur) { t.push(cur); cur = ''; } i++; continue; }
+    if (c === '\n' || c === ';') { if (cur) { t.push(cur); cur = ''; } t.push(c); i++; continue; }
+    if (c === '&' || c === '|') { if (cur) { t.push(cur); cur = ''; } if (src[i + 1] === c) { t.push(c + c); i += 2; } else { t.push(c); i++; } continue; }
+    cur += c; i++;
+  }
+  if (cur) t.push(cur);
+  return t;
+}
+
+function _splitSegments(tokens) {
+  const segs = [], SEP = new Set([';', '&', '&&', '|', '||', '\n']);
+  let cur = [];
+  for (const t of tokens) { if (SEP.has(t)) { if (cur.length) segs.push(cur); cur = []; } else cur.push(t); }
+  if (cur.length) segs.push(cur);
+  return segs;
+}
+
+function _stripQuotes(t) {
+  if (t.length >= 2) { const a = t[0], b = t[t.length - 1]; if ((a === "'" && b === "'") || (a === '"' && b === '"')) return t.slice(1, -1); }
+  return t;
+}
+
+// Skip env-var assignments and known wrapper commands (with their
+// option arguments) so the underlying program reaches classification.
+function _peelWrappers(tokens) {
+  let i = 0;
+  while (i < tokens.length) {
+    const t = tokens[i];
+    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(t)) { i++; continue; }
+    if (_WRAPPER_NAMES.has(t)) {
+      i++;
+      while (i < tokens.length && (/^[-+]/.test(tokens[i]) || /^\d+[smhd]?$/.test(tokens[i]) || /^\d+m\d+s?$/.test(tokens[i]))) {
+        // Long option `--key value` — consume the value too when not `=`-joined and the value is non-flag / non-assignment.
+        if (/^--[A-Za-z0-9][\w-]*$/.test(tokens[i]) && i + 1 < tokens.length && !/^[-+]/.test(tokens[i + 1]) && !/^[A-Za-z_][A-Za-z0-9_]*=/.test(tokens[i + 1])) { i += 2; continue; }
+        i++;
+      }
+      continue;
+    }
+    break;
+  }
+  return tokens.slice(i);
+}
+
+// Extract `-c <payload>` (and `--command <payload>`) for shell invocations.
+// Walks options including combined short flags like `-lc`, `-ic`, `-ec`.
+function _extractShellCInner(s) {
+  const out = [];
+  const tokens = _tokenize(s);
+  const segs = _splitSegments(tokens);
+  for (const seg of segs) {
+    const peeled = _peelWrappers(seg);
+    if (!peeled.length) continue;
+    if (!_SHELL_NAMES.has(peeled[0])) {
+      // Extended: leaf commands that embed an inner command/payload.
+      // The caller re-scans each entry via isBlockedCommand, so we just
+      // surface the payload as a synthetic command string.
+      const leaf = peeled[0];
+      if (leaf === 'xargs' || leaf === 'parallel') {
+        let j = 1;
+        while (j < peeled.length && /^[-+]/.test(peeled[j])) {
+          if (/^--[A-Za-z0-9][\w-]*$/.test(peeled[j]) && j + 1 < peeled.length && !/^[-+]/.test(peeled[j + 1])) { j += 2; continue; }
+          j++;
+        }
+        if (j < peeled.length) out.push(peeled.slice(j).map(_stripQuotes).join(' '));
+      } else if (leaf === 'find') {
+        for (let j = 1; j < peeled.length; j++) {
+          if (peeled[j] === '-exec' || peeled[j] === '-execdir') {
+            const cmd = [];
+            let k = j + 1;
+            while (k < peeled.length && peeled[k] !== ';' && peeled[k] !== '\\;' && peeled[k] !== '+') { cmd.push(_stripQuotes(peeled[k])); k++; }
+            if (cmd.length) out.push(cmd.join(' '));
+            j = k;
+          }
+        }
+      } else if (leaf === 'awk') {
+        for (let j = 1; j < peeled.length; j++) {
+          const t = peeled[j];
+          if (t === '-f' || t === '-v' || t === '-F') { j++; continue; }
+          if (t.startsWith('-')) continue;
+          const body = _stripQuotes(t);
+          const m = body.match(/system\s*\(\s*(['"])([\s\S]*?)\1\s*\)/);
+          if (m) out.push(m[2]);
+          break;
+        }
+      } else if (leaf === 'perl' || leaf === 'node' || leaf === 'python' || leaf === 'python3') {
+        const flag = (leaf === 'python' || leaf === 'python3') ? '-c' : '-e';
+        for (let j = 1; j < peeled.length; j++) {
+          const t = peeled[j];
+          if (t === flag || (leaf === 'perl' && t === '-E')) { const arg = peeled[j + 1]; if (arg) out.push(_stripQuotes(arg)); break; }
+          if (t.startsWith('-')) continue;
+          break;
+        }
+      }
+      continue;
+    }
+    for (let i = 1; i < peeled.length; i++) {
+      const t = peeled[i];
+      if (t === '-c' || t === '--command' || /^-[a-zA-Z]+c$/.test(t)) {
+        const arg = peeled[i + 1];
+        if (arg) out.push(_stripQuotes(arg));
+        break;
+      }
+      if (t === '--rcfile' || t === '--init-file' || t === '-O' || t === '+O') { i++; continue; }
+      if (t.startsWith('-') || t.startsWith('+')) continue;
+      break;
+    }
+  }
+  return out;
+}
+
+// rm: detect -r/-R/--recursive AND -f/--force across split or combined
+// short-flag tokens.
+function _classifyRm(args) {
+  let r = false, f = false;
+  for (const t of args) {
+    if (t === '--') break;
+    if (t === '--recursive' || t === '-r' || t === '-R') { r = true; continue; }
+    if (t === '--force' || t === '-f') { f = true; continue; }
+    if (/^-[a-zA-Z]+$/.test(t)) { if (/[rR]/.test(t)) r = true; if (/f/.test(t)) f = true; continue; }
+    if (t.startsWith('-')) continue;
+    break;
+  }
+  if (r && f) return 'may recursively force-remove files';
+  if (r) return 'may recursively remove files';
+  if (f) return 'may force-remove files';
+  return null;
+}
+
+// PowerShell Remove-Item (and aliases): -Recurse/-Force, including :$true forms.
+// Parity with shell-policy.mjs _removeItemRecursiveForceUnsafe switch matching.
+const _PS_REMOVE_CMDS = new Set(['remove-item', 'ri', 'del', 'erase', 'rd', 'rmdir']);
+
+function _classifyRemoveItem(args) {
+  let r = false, f = false;
+  for (const t of args) {
+    if (t === '--') break;
+    const low = String(t).toLowerCase();
+    if (low.startsWith('-')) {
+      if (/^-r(ec(urse)?)?$/.test(low) || /^-r(ec(urse)?)?:\$true$/i.test(low)) { r = true; continue; }
+      if (/^-fo(rce)?$/.test(low) || /^-fo(rce)?:\$true$/i.test(low)) { f = true; continue; }
+      if (low === '-recurse' || low === '-recursive') { r = true; continue; }
+      if (low === '-force') { f = true; continue; }
+      continue;
+    }
+    break;
+  }
+  if (r && f) return 'may recursively force-remove files';
+  if (r) return 'may recursively remove files';
+  if (f) return 'may force-remove files';
+  return null;
+}
+
+// git: skip global options (-C path, -c key=val, --git-dir=..., --no-pager
+// etc.) before reading the subcommand.
+function _classifyGit(args) {
+  let i = 0;
+  while (i < args.length) {
+    const t = args[i];
+    if (t === '-C' || t === '-c') { i += 2; continue; }
+    if (/^--(git-dir|work-tree|namespace)(=|$)/.test(t)) { i += t.includes('=') ? 1 : 2; continue; }
+    if (t === '--no-pager' || t === '--paginate' || t === '--bare' || t === '--exec-path' || /^--literal-pathspecs|--glob-pathspecs|--noglob-pathspecs|--icase-pathspecs$/.test(t)) { i++; continue; }
+    if (/^--exec-path=|^--list-cmds=/.test(t)) { i++; continue; }
+    break;
+  }
+  const sub = args[i]; if (!sub) return null;
+  const rest = args.slice(i + 1);
+  if (sub === 'reset' && rest.includes('--hard')) return 'may discard uncommitted changes';
+  if (sub === 'push' && rest.some(t => t === '--force' || t === '-f' || t === '--force-with-lease' || t.startsWith('--force-with-lease=') || /^\+[\w/.-]+/.test(t))) return 'may overwrite remote history';
+  if (sub === 'clean') {
+    const dry = rest.some(t => t === '-n' || t === '--dry-run' || /^-[a-zA-Z]*n[a-zA-Z]*$/.test(t));
+    const force = rest.some(t => t === '-f' || t === '--force' || /^-[a-zA-Z]*f[a-zA-Z]*$/.test(t));
+    if (!dry && force) return 'may permanently delete untracked files';
+  }
+  if ((sub === 'checkout' || sub === 'restore') && rest.includes('.')) return 'may discard all working tree changes';
+  if (sub === 'stash' && (rest[0] === 'drop' || rest[0] === 'clear')) return 'may permanently remove stashed changes';
+  if (sub === 'branch' && (rest.includes('-D') || (rest.includes('--delete') && rest.includes('--force')))) return 'may force-delete a branch';
+  if ((sub === 'commit' || sub === 'push' || sub === 'merge') && rest.includes('--no-verify')) return 'may skip safety hooks';
+  if (sub === 'commit' && rest.includes('--amend')) return 'may rewrite the last commit';
+  return null;
+}
+
+const _KUBECTL_VAL = new Set(['--context','--cluster','--namespace','-n','--user','--kubeconfig','--token','--server','--as','--as-group','--certificate-authority','--client-certificate','--client-key','--request-timeout','--cache-dir','--v','-v','--profile','--profile-output']);
+
+function _classifyKubectl(args) {
+  let i = 0;
+  while (i < args.length) {
+    const t = args[i];
+    if (_KUBECTL_VAL.has(t)) { i += 2; continue; }
+    if (t.startsWith('--') && t.includes('=')) { i++; continue; }
+    if (t.startsWith('-')) { i++; continue; }
+    break;
+  }
+  return args[i] === 'delete' ? 'may delete Kubernetes resources' : null;
+}
+
+function _classifyTerraform(args) {
+  let i = 0;
+  while (i < args.length) {
+    const t = args[i];
+    if (/^-chdir=/.test(t) || t === '-help' || t === '-version' || t === '-h') { i++; continue; }
+    break;
+  }
+  return args[i] === 'destroy' ? 'may destroy Terraform infrastructure' : null;
+}
+
+function _classifyDd(args) {
+  for (const t of args) {
+    if (/^if=\/dev\//.test(t)) return 'may read from a raw device';
+    if (/^of=\/dev\//.test(t)) return 'may write to a raw device';
+  }
+  return null;
+}
+
+// DB destructive pattern baseline — security policy, not a heuristic
+// classifier. DROP/TRUNCATE/DELETE without WHERE are unambiguously
+// data-destructive regardless of context; this list is a floor, not a
+// complete SQL auditor.
+const _DB_PATTERNS = [
+  [/\b(DROP|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA)\b/i, 'may drop or truncate database objects'],
+  [/\bDELETE\s+FROM\s+\w+[ \t]*(;|"|'|\n|$)/i, 'may delete all rows from a database table'],
+];
+
+function _classifySegment(tokens) {
+  const peeled = _peelWrappers(tokens);
+  if (!peeled.length) return null;
+  const cmd = peeled[0], rest = peeled.slice(1);
+  const cmdLow = cmd.toLowerCase();
+  if (cmd === 'rm') return _classifyRm(rest);
+  if (_PS_REMOVE_CMDS.has(cmdLow)) {
+    const w = _classifyRemoveItem(rest);
+    if (w) return w;
+  }
+  if (cmd === 'git') return _classifyGit(rest);
+  if (cmd === 'kubectl') return _classifyKubectl(rest);
+  if (cmd === 'terraform') return _classifyTerraform(rest);
+  if (cmd === 'dd') return _classifyDd(rest);
+  if (cmd === 'rmdir' || cmd === 'rd') {
+    const hasS = rest.some(t => /^\/s$/i.test(t));
+    const hasDriveRoot = rest.some(t => /^[A-Za-z]:\\?$/.test(t));
+    if (hasS && hasDriveRoot) return 'may recursively remove a drive root';
+  }
+  return null;
+}
+
+export function getDestructiveCommandWarning(command) {
+  const raw = String(command || '');
+  // Per-statement DB scan (split on `;`, `&&`, `||`, `|`, `\n`) so a
+  // destructive statement past a separator still surfaces.
+  const cleaned = _stripQuotedSpans(raw);
+  for (const stmt of cleaned.split(/[;&|\n]+/)) {
+    for (const [re, warning] of _DB_PATTERNS) if (re.test(stmt)) return warning;
+  }
+  // Tokenized walk per pipeline segment.
+  const segs = _splitSegments(_tokenize(raw));
+  for (const seg of segs) {
+    const peeled = _peelWrappers(seg);
+    if (!peeled.length) continue;
+    if (_SHELL_NAMES.has(peeled[0])) {
+      for (const inner of _extractShellCInner(seg.join(' '))) {
+        const w = getDestructiveCommandWarning(inner);
+        if (w) return w;
+      }
+      for (const body of _extractHeredocBodies(raw)) {
+        const w = getDestructiveCommandWarning(body);
+        if (w) return w;
+      }
+      continue;
+    }
+    const w = _classifySegment(seg);
+    if (w) return w;
+  }
+  for (const inner of _extractShellCInner(raw)) {
+    const w = getDestructiveCommandWarning(inner);
+    if (w) return w;
+  }
+  for (const inner of extractPowerShellCommandInner(raw)) {
+    const w = getDestructiveCommandWarning(inner);
+    if (w) return w;
+  }
+  return null;
+}