mstro-app 0.3.6 → 0.3.8

package/server/mcp/bouncer-integration.ts

@@ -38,6 +38,7 @@ import { captureException } from '../services/sentry.js';
 import {
   CRITICAL_THREATS,
   matchesPattern,
+  normalizeOperation,
   requiresAIReview,
   SAFE_OPERATIONS
 } from './security-patterns.js';
@@ -68,6 +69,11 @@ function getCachedDecision(operation: string): BouncerDecision | null {
   return entry.decision;
 }
 
+/** Clear the decision cache. Exposed for testing statistical reliability (multiple runs per operation). */
+export function clearDecisionCache(): void {
+  decisionCache.clear();
+}
+
 function cacheDecision(operation: string, decision: BouncerDecision): void {
   // Don't cache low-confidence or error-fallback decisions
   if (decision.confidence < 50) return;
@@ -304,13 +310,54 @@ function finalizeDecision(
   return decision;
 }
 
+/**
+ * Layer 2: Haiku AI analysis with timeout/error handling.
+ */
+async function runHaikuAnalysis(
+  request: BouncerReviewRequest,
+  operation: string,
+  startTime: number,
+  fin: (d: BouncerDecision, layer: string, opts?: Parameters<typeof finalizeDecision>[6]) => BouncerDecision,
+): Promise<BouncerDecision> {
+  if (process.env.BOUNCER_USE_AI === 'false') {
+    console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
+    return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
+  }
+
+  console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
+  trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
+
+  const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
+  const workingDir = request.context?.workingDirectory || process.cwd();
+
+  try {
+    const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
+    console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
+    console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
+    return fin(decision, 'haiku-ai');
+  } catch (error: unknown) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+
+    if (errorMessage.includes('timed out')) {
+      console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
+      captureException(error, { context: 'bouncer.haiku_timeout', operation });
+      return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
+    }
+
+    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
+    captureException(error, { context: 'bouncer.haiku_analysis', operation });
+    return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
+  }
+}
+
 /**
  * Main bouncer review function - 2-layer hybrid system
  */
 export async function reviewOperation(request: BouncerReviewRequest): Promise<BouncerDecision> {
   const { logBouncerDecision } = await import('./security-audit.js');
   const startTime = performance.now();
-  const { operation } = request;
+  const { operation: rawOperation } = request;
+  const operation = normalizeOperation(rawOperation);
   const fin = (d: BouncerDecision, layer: string, opts?: Parameters<typeof finalizeDecision>[6]) =>
     finalizeDecision(operation, d, layer, startTime, request.context, logBouncerDecision, opts);
 
@@ -336,15 +383,9 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
 
   // LAYER 1: Pattern-Based Fast Path (< 5ms)
 
-  // Check safe operations FIRST — allows trusted sources (e.g., brew, rustup)
-  // to pass before hitting critical threat patterns like curl|bash
-  const safeOperation = matchesPattern(operation, SAFE_OPERATIONS);
-  if (safeOperation) {
-    console.error('[Bouncer] ⚡ Fast path: Safe operation approved');
-    return fin({ decision: 'allow', confidence: 95, reasoning: 'Operation matches known-safe patterns. No security concerns detected.', threatLevel: 'low' }, 'pattern-safe');
-  }
-
-  // Critical threats (rm -rf /, fork bombs) — ALWAYS denied
+  // Critical threats (rm -rf /, fork bombs) — ALWAYS denied, checked first
+  // to prevent chained commands (e.g., "echo hello; rm -rf /") from bypassing
+  // via a safe prefix match.
   const criticalThreat = matchesPattern(operation, CRITICAL_THREATS);
   if (criticalThreat) {
     console.error('[Bouncer] ⚡ Fast path: CRITICAL THREAT detected');
@@ -355,43 +396,24 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
     }, 'pattern-critical');
   }
 
-  // LAYER 2: Haiku AI Analysis (~200-500ms)
-
-  // Default allow for operations that don't need AI review
+  // Use requiresAIReview() for nuanced routing — handles sensitive paths,
+  // safe operations with guards (chain operators, pipes, expansion), and
+  // exfiltration patterns in a single consistent check.
   if (!requiresAIReview(operation)) {
-    console.error('[Bouncer] ⚡ Fast path: No concerning patterns, allowing');
-    return fin({ decision: 'allow', confidence: 80, reasoning: 'Operation appears safe based on pattern analysis. No obvious threats detected.', threatLevel: 'low' }, 'pattern-default');
-  }
-
-  if (process.env.BOUNCER_USE_AI === 'false') {
-    console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
-    return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
+    const isSafe = matchesPattern(operation, SAFE_OPERATIONS);
+    console.error(`[Bouncer] ⚡ Fast path: ${isSafe ? 'Safe operation approved' : 'No concerning patterns, allowing'}`);
+    return fin({
+      decision: 'allow',
+      confidence: isSafe ? 95 : 80,
+      reasoning: isSafe
+        ? 'Operation matches known-safe patterns. No security concerns detected.'
+        : 'Operation appears safe based on pattern analysis. No obvious threats detected.',
+      threatLevel: 'low'
+    }, isSafe ? 'pattern-safe' : 'pattern-default');
   }
 
-  console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
-  trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
-
-  const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
-  const workingDir = request.context?.workingDirectory || process.cwd();
-
-  try {
-    const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
-    console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
-    console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
-    return fin(decision, 'haiku-ai');
-  } catch (error: unknown) {
-    const errorMessage = error instanceof Error ? error.message : String(error);
-
-    if (errorMessage.includes('timed out')) {
-      console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
-      captureException(error, { context: 'bouncer.haiku_timeout', operation });
-      return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
-    }
-
-    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
-    captureException(error, { context: 'bouncer.haiku_analysis', operation });
-    return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
-  }
+  // LAYER 2: Haiku AI Analysis (~200-500ms)
+  return runHaikuAnalysis(request, operation, startTime, fin);
 }
 
 /**

package/server/mcp/bouncer-sandbox.ts

@@ -0,0 +1,214 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+
+/**
+ * Sandbox Harness for Bouncer Testing
+ *
+ * Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
+ * sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
+ * i.e., when a malicious tool call gets through.
+ *
+ * Usage in tests:
+ *   const harness = new BouncerSandboxHarness();
+ *   await harness.initialize();
+ *   const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
+ *   expect(result.violations).toContain(...)
+ *   await harness.cleanup();
+ */
+
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+export interface SandboxExecResult {
+  /** The sandboxed command that was actually run */
+  wrappedCommand: string;
+  /** Whether sandbox-runtime is available on this platform */
+  sandboxAvailable: boolean;
+  /** Whether the sandbox contained the operation (no violations) */
+  contained: boolean;
+  /** List of violation descriptions if any escaped the sandbox */
+  violations: string[];
+}
+
+export interface CanaryCheckResult {
+  /** Whether the canary file still exists (should be true if sandbox contained the write) */
+  canaryIntact: boolean;
+  /** Whether a file was written outside the sandbox (should be false) */
+  escapeDetected: boolean;
+}
+
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export class BouncerSandboxHarness {
+  private sandboxManager: Awaited<typeof import('@anthropic-ai/sandbox-runtime')>['SandboxManager'] | null = null;
+  private sandboxAvailable = false;
+  private tempDir: string;
+  private canaryDir: string;
+
+  constructor() {
+    this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
+    this.canaryDir = join(this.tempDir, 'canaries');
+    mkdirSync(this.canaryDir, { recursive: true });
+  }
+
+  /**
+   * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+   */
+  async initialize(): Promise<{ available: boolean; reason?: string }> {
+    try {
+      const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
+
+      if (!SandboxManager.isSupportedPlatform()) {
+        return { available: false, reason: 'Platform not supported by sandbox-runtime' };
+      }
+
+      const deps = SandboxManager.checkDependencies();
+      if (deps.errors.length > 0) {
+        return {
+          available: false,
+          reason: `Missing dependencies: ${deps.errors.join(', ')}`,
+        };
+      }
+
+      await SandboxManager.initialize({
+        network: {
+          allowedDomains: [], // Block ALL network access
+          deniedDomains: ['*'],
+        },
+        filesystem: {
+          denyRead: [
+            '/home/*/.ssh',
+            '/home/*/.aws',
+            '/home/*/.gnupg',
+            '/etc/shadow',
+            '/etc/passwd',
+          ],
+          allowWrite: [this.tempDir], // Only allow writes to our temp dir
+          denyWrite: [
+            '/',
+            '/home',
+            '/etc',
+            '/usr',
+            '/var',
+          ],
+        },
+      });
+
+      this.sandboxManager = SandboxManager;
+      this.sandboxAvailable = true;
+      return { available: true };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
+    }
+  }
+
+  /**
+   * Execute a command inside the sandbox. Returns containment results.
+   * If sandbox is not available, validates the bouncer decision only (no actual execution).
+   */
+  async executeInSandbox(command: string): Promise<SandboxExecResult> {
+    if (!this.sandboxAvailable || !this.sandboxManager) {
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: false,
+        contained: true,
+        violations: ['Sandbox not available — decision-only testing mode'],
+      };
+    }
+
+    const violations: string[] = [];
+    try {
+      const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
+
+      // Execute the wrapped command and capture violations
+      try {
+        execSync(wrappedCommand, {
+          timeout: 5000,
+          stdio: 'pipe',
+          cwd: this.tempDir,
+        });
+      } catch {
+        // Command failure inside sandbox is expected for malicious ops
+      }
+
+      // Check violation store
+      const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
+      if (stderr) {
+        violations.push(stderr);
+      }
+
+      this.sandboxManager.cleanupAfterCommand();
+
+      return {
+        wrappedCommand,
+        sandboxAvailable: true,
+        contained: violations.length === 0,
+        violations,
+      };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      violations.push(`Sandbox execution error: ${msg}`);
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: true,
+        contained: true, // Error means the command didn't execute
+        violations,
+      };
+    }
+  }
+
+  /**
+   * Place a canary file and return a checker to verify containment.
+   * If a sandboxed command can delete or modify the canary, containment failed.
+   */
+  placeCanary(name: string): { path: string; check: () => CanaryCheckResult } {
+    const canaryPath = join(this.canaryDir, name);
+    const escapePath = join(this.canaryDir, `${name}.escaped`);
+    writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
+
+    return {
+      path: canaryPath,
+      check: () => ({
+        canaryIntact: existsSync(canaryPath),
+        escapeDetected: existsSync(escapePath),
+      }),
+    };
+  }
+
+  /**
+   * Get the temp directory where sandboxed commands can write.
+   */
+  getSandboxWriteDir(): string {
+    return this.tempDir;
+  }
+
+  /**
+   * Whether the sandbox is actually available and initialized.
+   */
+  isAvailable(): boolean {
+    return this.sandboxAvailable;
+  }
+
+  /**
+   * Clean up temp dirs and reset sandbox state.
+   */
+  async cleanup(): Promise<void> {
+    try {
+      if (this.sandboxManager) {
+        await this.sandboxManager.reset();
+      }
+    } catch {
+      // Ignore cleanup errors
+    }
+    try {
+      rmSync(this.tempDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+}

package/server/mcp/security-patterns.ts

@@ -14,6 +14,8 @@
  * - The question is: "Does this operation make sense given user intent?"
  */
 
+import { resolve } from 'node:path';
+
 export interface SecurityPattern {
   pattern: RegExp;
   reason?: string;
@@ -83,7 +85,16 @@ export const CRITICAL_THREATS: SecurityPattern[] = [
   {
     pattern: /chmod\s+000\s+\//i,
     reason: 'Attempting to make system directories inaccessible'
-  }
+  },
+  // Reverse shells - never legitimate in a dev workflow
+  {
+    pattern: /\/dev\/tcp\//i,
+    reason: 'Reverse shell via /dev/tcp - classic backdoor technique'
+  },
+  {
+    pattern: /\bnc\b.*-[elp].*\b\d+\b/i,
+    reason: 'Netcat listener/reverse shell - common backdoor technique'
+  },
   // NOTE: curl|bash is NOT here - it goes to Haiku for context review
   // The question is "did a bad actor inject this?" not "is curl|bash dangerous?"
 ];
@@ -158,12 +169,104 @@ export const NEEDS_AI_REVIEW: SecurityPattern[] = [
     reason: 'Recursive deletion - verify target matches user intent'
   },
 
+  // Data exfiltration patterns — piping data to network tools
+  {
+    pattern: /\|\s*(nc|netcat|ncat)\b/i,
+    reason: 'Pipe to netcat - potential data exfiltration'
+  },
+  {
+    pattern: /\bscp\b.*@/i,
+    reason: 'SCP to remote host - potential data exfiltration'
+  },
+  {
+    pattern: /\|\s*curl\b/i,
+    reason: 'Pipe to curl - potential data exfiltration'
+  },
+  {
+    pattern: /curl\b.*-d\s*@/i,
+    reason: 'Curl with file upload - potential data exfiltration'
+  },
+
   // ALL Write/Edit operations that aren't to /tmp go through context review
   // This is the key change: we review based on context, not blanket allow/deny
   {
     pattern: /^(Write|Edit):\s*(?!\/tmp\/|\/var\/tmp\/)/i,
     reason: 'File modification - verify aligns with user request'
   },
+
+  // Reverse shells and bind shells — network-connected interactive shells
+  {
+    pattern: /\/dev\/tcp\//i,
+    reason: 'Potential reverse shell via /dev/tcp'
+  },
+  {
+    pattern: /\b(nc|netcat|ncat)\b.*-e\s/i,
+    reason: 'Netcat with -e flag - potential reverse shell'
+  },
+  {
+    pattern: /\bsocket\b.*\bconnect\b.*\b(dup2|subprocess|exec)\b/i,
+    reason: 'Programmatic reverse shell pattern (socket+connect+exec)'
+  },
+  {
+    pattern: /\bperl\b.*\bsocket\b.*\bexec\b/i,
+    reason: 'Perl reverse shell pattern'
+  },
+
+  // Encoded/obfuscated payloads piped to shell or eval
+  {
+    pattern: /\b(base64|base32)\b.*-d.*\|\s*(bash|sh)\b/i,
+    reason: 'Decoded payload piped to shell - obfuscated command execution'
+  },
+  {
+    pattern: /\\x[0-9a-f]{2}.*\|\s*(bash|sh)\b/i,
+    reason: 'Hex-encoded payload piped to shell'
+  },
+  {
+    pattern: /\bexec\b.*\b(base64|b64decode)\b/i,
+    reason: 'Exec with base64 decoding - obfuscated code execution'
+  },
+  {
+    pattern: /\bprintf\b.*\\x[0-9a-f].*\|\s*(bash|sh)\b/i,
+    reason: 'Printf hex payload piped to shell'
+  },
+
+  // Cloud metadata / SSRF — accessing cloud instance credentials
+  {
+    pattern: /169\.254\.169\.254/i,
+    reason: 'AWS/Azure IMDS access - potential credential theft'
+  },
+  {
+    pattern: /metadata\.google\.internal/i,
+    reason: 'GCP metadata access - potential credential theft'
+  },
+
+  // Persistence — writing to shell profiles, cron, authorized_keys via echo/append
+  {
+    pattern: />>\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile)/i,
+    reason: 'Appending to sensitive file - potential persistence mechanism'
+  },
+  {
+    pattern: /\bld\.so\.preload\b/i,
+    reason: 'LD_PRELOAD injection - shared library hijacking'
+  },
+
+  // wget with file upload
+  {
+    pattern: /wget\b.*--post-file/i,
+    reason: 'wget file upload - potential data exfiltration'
+  },
+
+  // pip install from custom index (supply chain attack)
+  {
+    pattern: /pip\b.*--index-url\s+https?:\/\/(?!pypi\.org)/i,
+    reason: 'pip install from non-PyPI index - potential supply chain attack'
+  },
+
+  // MCP server manipulation
+  {
+    pattern: /\bclaude\b.*\bmcp\b.*\badd\b/i,
+    reason: 'Adding MCP server - verify source is trusted'
+  },
 ];
 
 /**
@@ -178,11 +281,70 @@ export function matchesPattern(operation: string, patterns: SecurityPattern[]):
   return null;
 }
 
+/**
+ * Normalize file paths in Write/Edit/Read operations to resolve .. traversal.
+ * Prevents path traversal attacks like "Write: /home/user/../../etc/passwd"
+ * from matching safe home-directory patterns.
+ */
+export function normalizeOperation(operation: string): string {
+  const match = operation.match(/^(Write|Edit|Read):\s*(\S+)/i);
+  if (match?.[2].includes('..')) {
+    const [, tool, rawPath] = match;
+    const normalizedPath = resolve(rawPath);
+    return `${tool}: ${normalizedPath}`;
+  }
+  return operation;
+}
+
+/** Check if a Bash command contains chain operators that could hide dangerous ops after a safe prefix. */
+function containsChainOperators(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /;|&&|\|\||\n/.test(commandPart);
+}
+
+/** Check if a Bash command pipes output to known exfiltration/network tools or shells. */
+function containsDangerousPipe(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /\|\s*(nc|netcat|ncat|curl|wget|scp|bash|sh)\b/i.test(commandPart);
+}
+
+/** Check if a Bash command redirects output to sensitive paths (append or overwrite). */
+function containsSensitiveRedirect(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return />>?\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile|\.ssh\/|\.aws\/|\.gnupg\/|ld\.so\.preload|crontab|sudoers)/i.test(commandPart)
+    || />>?\s*\/etc\//i.test(commandPart);
+}
+
+/** Check if a Bash command contains subshell or backtick expansion (not simple ${VAR}). */
+function containsBashExpansion(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /`[^`]+`/.test(commandPart) || /\$\([^)]+\)/.test(commandPart);
+}
+
+/** Check if a Bash command contains any form of shell expansion: ${VAR}, $(...), or backticks. */
+function containsAnyExpansion(operation: string): boolean {
+  const cmd = operation.replace(/^Bash:\s*/i, '');
+  return /\$\{[^}]+\}/.test(cmd) || /\$\([^)]+\)/.test(cmd) || /`[^`]+`/.test(cmd);
+}
+
+/** Check if expansion is safely used as an argument to a known-safe command prefix.
+ *  e.g., "echo ${HOME}" or "cat ${FILE}" — the expansion can't change the command itself. */
+function isSafeExpansionUse(operation: string): boolean {
+  const cmd = operation.replace(/^Bash:\s*/i, '').trim();
+  // If the expansion IS the command (first token), it's never safe
+  if (/^(\$\{|\$\(|`)/.test(cmd)) return false;
+  // Safe command prefixes where expansion as an argument is harmless
+  const safePrefix = /^(echo|printf|cat|ls|pwd|whoami|date|env|printenv|test|true|false)\s/i;
+  return safePrefix.test(cmd);
+}
+
 /**
  * Determine if operation requires AI context review
  *
  * The philosophy here is:
- * - SAFE_OPERATIONS: No review needed (read-only, temp files, build artifact cleanup)
+ * - SENSITIVE_PATHS: Always require review (credentials, system configs)
+ * - SAFE_OPERATIONS: No review needed, UNLESS the bash command contains
+ *   chain operators, dangerous pipes, or subshell/backtick expansion
  * - CRITICAL_THREATS: Auto-deny, no review (catastrophic operations)
  * - Everything else: AI reviews context to determine if it matches user intent
  */
@@ -197,17 +359,48 @@ const SAFE_RM_PATTERNS = [
 ];
 
 export function requiresAIReview(operation: string): boolean {
-  if (matchesPattern(operation, SAFE_OPERATIONS)) return false;
-  if (matchesPattern(operation, CRITICAL_THREATS)) return false;
+  // Normalize paths to prevent .. traversal bypass
+  const op = normalizeOperation(operation);
+
+  // Check sensitive paths BEFORE safe operations — prevents home-dir
+  // safe pattern from masking .ssh, .aws, .bashrc, etc.
+  if (matchesPattern(op, SENSITIVE_PATHS)) return true;
+
+  // Bash commands with any shell expansion (${VAR}, $(...), backticks) are
+  // opaque — the bouncer can't predict what they expand to at runtime.
+  // Route to AI review BEFORE checking CRITICAL_THREATS or SAFE_OPERATIONS,
+  // UNLESS the command is clearly safe (expansion is just an argument to a
+  // known-safe prefix like "echo ${HOME}").
+  if (/^Bash:/i.test(op) && containsAnyExpansion(op) && !isSafeExpansionUse(op)) {
+    return true;
+  }
+
+  if (matchesPattern(op, SAFE_OPERATIONS)) {
+    // Safe bash commands must not contain chain operators, dangerous pipes,
+    // or subshell/backtick expansion that could hide dangerous operations.
+    // A safe prefix (e.g., "git clone") with chain operators (&&, ;, ||)
+    // means the full command isn't necessarily safe — route to AI review.
+    if (/^Bash:/i.test(op) && (
+      containsChainOperators(op) ||
+      containsDangerousPipe(op) ||
+      containsBashExpansion(op) ||
+      containsSensitiveRedirect(op)
+    )) {
+      return true;
+    }
+    return false;
+  }
+
+  if (matchesPattern(op, CRITICAL_THREATS)) return false;
 
-  if (matchesPattern(operation, NEEDS_AI_REVIEW)) {
-    return !SAFE_RM_PATTERNS.some(p => p.test(operation));
+  if (matchesPattern(op, NEEDS_AI_REVIEW)) {
+    return !SAFE_RM_PATTERNS.some(p => p.test(op));
   }
 
-  // Variable expansion and glob patterns are only concerning in Bash commands
-  if (/^Bash:/.test(operation)) {
-    if (/\$\{.*\}|\$\(.*\)/.test(operation) || /\*\*?/.test(operation)) return true;
-    if (/^Bash:\s*\.\//.test(operation)) return true;
+  // Glob patterns and script execution are concerning in Bash commands
+  if (/^Bash:/.test(op)) {
+    if (/\*\*?/.test(op)) return true;
+    if (/^Bash:\s*\.\//.test(op)) return true;
   }
 
   return false;
@@ -262,6 +455,9 @@ export function classifyRisk(operation: string): {
     { pattern: /chmod\s+777/i, reason: 'Dangerous permissions' },
     { pattern: /(curl|wget).*\|.*(bash|sh)/i, reason: 'Remote code execution' },
     { pattern: /pkill|killall/i, reason: 'Process termination' },
+    { pattern: /\|\s*(nc|netcat|ncat)\b/i, reason: 'Data exfiltration via netcat' },
+    { pattern: /\bscp\b.*@/i, reason: 'Data exfiltration via SCP' },
+    { pattern: /curl\b.*-d\s*@/i, reason: 'Data exfiltration via curl file upload' },
   ];
 
   for (const pattern of elevatedPatterns) {