sanook-cli 0.5.1 → 0.5.5

package/dist/tools/permission.js

@@ -1,21 +1,103 @@
 import { homedir } from 'node:os';
-import { realpath, stat } from 'node:fs/promises';
-import { basename, dirname, resolve, join, sep } from 'node:path';
+import { realpath, stat, lstat, readlink } from 'node:fs/promises';
+import { dirname, resolve, join, sep } from 'node:path';
 import { getBrainPath } from '../memory.js';
 import { BRAND_ENV, envFlag } from '../brand.js';
 import { agentCwd } from '../agentContext.js';
 // Permission gate (M1): ก่อนมี interactive ask (M4) — hard-deny อันตราย, allow ที่เหลือ
 // คำสั่ง shell ที่ทำลายล้าง irreversible
 const DESTRUCTIVE_CMD = /(\bgit\s+reset\s+--hard\b|\bgit\s+push\b.*--force|\bmkfs\b|\bdd\s+if=|:\(\)\s*\{|\bchmod\s+-R\s+777\b|>\s*\/dev\/sd|\bsudo\b|\bcrontab\b)/i;
-const PROTECTED_CMD_PATH = /(\$HOME|~)?\/?(\.ssh|\.aws|\.gnupg|\.sanook)(\/|\b)|(^|\s)(cat|less|more|sed|awk|tail|head)\s+[^|;&]*\.env(\.|\b)/i;
+const PROTECTED_CMD_PATH = /(\$HOME|~)?\/?(\.ssh|\.aws|\.gnupg|\.sanook)(\/|\b)/i;
+const ENV_READ_CMD = /(?:^|[\r\n;&|]\s*|\$\(\s*|[<>]\(\s*|`\s*)(?:(?:if|then|elif|while|until|do|time|command|builtin|exec)\s+)*(?:env\s+(?:-\S+\s+)*(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*)?(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*(cat|less|more|sed|awk|tail|head|grep|rg)\b/gi;
+const ENV_SOURCE_CMD = /(?:^|[\r\n;&|]\s*|\$\(\s*|[<>]\(\s*|`\s*)(?:(?:if|then|elif|while|until|do|time|command|builtin|exec)\s+)*(source\b|\.)/gi;
+const ENV_WRITE_CMD = /(?:^|[\r\n;&|]\s*|\$\(\s*|[<>]\(\s*|`\s*)(?:(?:if|then|elif|while|until|do|time|command|builtin|exec)\s+)*(?:env\s+(?:-\S+\s+)*(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*)?(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*(tee)\b/gi;
+const NESTED_SHELL_CMD = /(?:^|[\r\n;&|]\s*|\$\(\s*|[<>]\(\s*|`\s*)(?:(?:if|then|elif|while|until|do|time|command|builtin|exec)\s+)*(?:env\s+(?:-\S+\s+)*(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*)?(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)*(sh|bash|zsh|dash|ksh|fish|csh|tcsh)\b/gi;
+const ENV_CMD = /(?:^|[\r\n;&|]\s*|\$\(\s*|[<>]\(\s*|`\s*)(?:(?:if|then|elif|while|until|do|time|command|builtin|exec)\s+)*(env)\b/gi;
 const HOME = homedir();
 // ไฟล์ที่ห้ามเขียน (persistence backdoor): shell rc, git/npm config, ~/.sanook (token/mcp/hooks)
 const PROTECTED_EXACT = new Set(['.gitconfig', '.zshrc', '.bashrc', '.bash_profile', '.profile', '.zprofile', '.npmrc'].map((f) => join(HOME, f)));
 // โฟลเดอร์ที่ห้ามเขียนเข้าไป (credentials + sanook internal)
 const PROTECTED_DIRS = ['.ssh', '.aws', '.gnupg', '.sanook'].map((d) => join(HOME, d));
 const PROTECTED_SEGMENTS = new Set(['.git', 'node_modules', '.ssh', '.aws', '.gnupg', '.sanook']);
+const ENV_OPTIONS_WITH_VALUE = new Set(['-C', '--chdir', '-S', '--split-string', '-u', '--unset']);
+const GIT_OPTIONS_WITH_VALUE = new Set([
+    '-C',
+    '-c',
+    '--config-env',
+    '--exec-path',
+    '--git-dir',
+    '--namespace',
+    '--super-prefix',
+    '--work-tree',
+]);
+const SHELL_OPTIONS_WITH_VALUE = new Set(['--init-file', '--rcfile']);
+const SEARCH_COMMANDS_WITH_LITERAL_PATTERN = new Set(['grep', 'rg']);
+const SEARCH_SHORT_OPTIONS_WITHOUT_VALUE = new Map([
+    ['grep', new Set(['E', 'F', 'G', 'P', 'R', 'r', 'I', 'i', 'v', 'w', 'x', 'c', 'l', 'L', 'n', 'H', 'h', 'o', 'q', 's', 'a', 'b', 'U', 'Z', 'z'])],
+    ['rg', new Set(['F', 'H', 'I', 'L', 'N', 'P', 'S', 'T', 'U', 'V', 'a', 'b', 'c', 'h', 'i', 'l', 'n', 'p', 'q', 's', 'u', 'v', 'w', 'x', 'z'])],
+]);
+const SEARCH_OPTIONS_WITH_VALUE = new Map([
+    [
+        'grep',
+        new Set([
+            '-A',
+            '-B',
+            '-C',
+            '-D',
+            '-d',
+            '-m',
+            '--after-context',
+            '--before-context',
+            '--binary-files',
+            '--context',
+            '--devices',
+            '--directories',
+            '--exclude',
+            '--exclude-dir',
+            '--include',
+            '--label',
+            '--max-count',
+        ]),
+    ],
+    [
+        'rg',
+        new Set([
+            '-A',
+            '-B',
+            '-C',
+            '-E',
+            '-M',
+            '-g',
+            '-m',
+            '-t',
+            '-T',
+            '--after-context',
+            '--before-context',
+            '--context',
+            '--encoding',
+            '--engine',
+            '--glob',
+            '--iglob',
+            '--max-columns',
+            '--max-count',
+            '--max-depth',
+            '--path-separator',
+            '--pre',
+            '--pre-glob',
+            '--regex-size-limit',
+            '--sort',
+            '--sortr',
+            '--type',
+            '--type-not',
+        ]),
+    ],
+]);
+const SHELL_COMMAND_PREFIXES = new Set(['if', 'then', 'elif', 'while', 'until', 'do', 'time', 'command', 'builtin', 'exec']);
 function hasRmRecursiveForce(cmd) {
+    const literalPatternRanges = literalSearchPatternRanges(cmd);
     for (const match of cmd.matchAll(/\brm\b([^;&|]*)/gi)) {
+        if (match.index !== undefined && inRanges(match.index, literalPatternRanges))
+            continue;
         const parts = match[1].split(/\s+/).filter(Boolean);
         const shortFlags = parts.filter((part) => /^-[^-]/.test(part)).join('');
         const recursive = /r/i.test(shortFlags) || parts.includes('--recursive') || parts.includes('--dir');
@@ -25,12 +107,881 @@ function hasRmRecursiveForce(cmd) {
     }
     return false;
 }
-export function checkBash(cmd) {
-    if (hasRmRecursiveForce(cmd) || DESTRUCTIVE_CMD.test(cmd)) {
-        return { ok: false, reason: `คำสั่งทำลายล้าง/irreversible ถูกปฏิเสธ: "${cmd}"` };
+function hasDestructiveCommand(cmd) {
+    const literalPatternRanges = literalSearchPatternRanges(cmd);
+    const destructive = new RegExp(DESTRUCTIVE_CMD.source, 'gi');
+    for (const match of cmd.matchAll(destructive)) {
+        if (match.index !== undefined && inRanges(match.index, literalPatternRanges))
+            continue;
+        return true;
+    }
+    return false;
+}
+function inRanges(index, ranges) {
+    return ranges.some(({ start, end }) => index >= start && index < end);
+}
+function isLiteralSingleQuotedToken(raw) {
+    const token = raw.trim();
+    return /^'(?:[^']*)'$/.test(token) || /^\$'(?:\\.|[^'])*'$/.test(token);
+}
+function literalSearchPatternRanges(cmd) {
+    const ranges = [];
+    const bySegment = new Map();
+    for (const entry of shellishTokenEntries(cmd)) {
+        const segment = bySegment.get(entry.segment);
+        if (segment)
+            segment.push(entry);
+        else
+            bySegment.set(entry.segment, [entry]);
+    }
+    for (const entries of bySegment.values()) {
+        const commandIndex = shellSegmentCommandIndex(entries);
+        if (commandIndex < 0)
+            continue;
+        const command = cleanShellToken(entries[commandIndex].raw).toLowerCase();
+        if (!SEARCH_COMMANDS_WITH_LITERAL_PATTERN.has(command))
+            continue;
+        let patternSourceSeen = false;
+        let optionsDone = false;
+        for (let j = commandIndex + 1; j < entries.length; j += 1) {
+            const clean = cleanShellToken(entries[j].raw);
+            if (!optionsDone) {
+                if (clean === '--') {
+                    optionsDone = true;
+                    continue;
+                }
+                if (searchPatternOptionConsumesNext(clean)) {
+                    const value = entries[j + 1];
+                    if (value && isLiteralSingleQuotedToken(value.raw))
+                        ranges.push({ start: value.start, end: value.end });
+                    patternSourceSeen = true;
+                    j += 1;
+                    continue;
+                }
+                const attachedPattern = attachedLiteralSearchPatternOption(command, entries[j].raw);
+                if (attachedPattern !== undefined) {
+                    if (attachedPattern)
+                        ranges.push({ start: entries[j].start, end: entries[j].end });
+                    patternSourceSeen = true;
+                    continue;
+                }
+                if (searchPatternFileOptionConsumesNext(clean)) {
+                    patternSourceSeen = true;
+                    j += 1;
+                    continue;
+                }
+                if (attachedSearchPatternFileOption(clean)) {
+                    patternSourceSeen = true;
+                    continue;
+                }
+                if (searchOptionConsumesNext(command, clean)) {
+                    j += 1;
+                    continue;
+                }
+                if (clean.startsWith('-'))
+                    continue;
+            }
+            if (patternSourceSeen)
+                break;
+            if (isLiteralSingleQuotedToken(entries[j].raw))
+                ranges.push({ start: entries[j].start, end: entries[j].end });
+            break;
+        }
+    }
+    return ranges;
+}
+function searchPatternOptionConsumesNext(clean) {
+    return clean === '-e' || clean === '--regexp';
+}
+function searchPatternFileOptionConsumesNext(clean) {
+    return clean === '-f' || clean === '--file';
+}
+function attachedLiteralSearchPatternOption(command, raw) {
+    const token = raw.trim();
+    if (token.startsWith('-e') && token.length > 2)
+        return isLiteralSingleQuotedToken(token.slice(2));
+    const longRegexp = token.match(/^--regexp=(.*)$/);
+    if (longRegexp)
+        return isLiteralSingleQuotedToken(longRegexp[1]);
+    return attachedShortLiteralSearchPatternOption(command, token);
+}
+function attachedShortLiteralSearchPatternOption(command, token) {
+    if (!token.startsWith('-') || token.startsWith('--'))
+        return undefined;
+    const patternOptionIndex = token.indexOf('e', 1);
+    if (patternOptionIndex <= 1 || patternOptionIndex === token.length - 1)
+        return undefined;
+    const prefix = token.slice(1, patternOptionIndex);
+    const optionsWithoutValue = SEARCH_SHORT_OPTIONS_WITHOUT_VALUE.get(command);
+    if (!optionsWithoutValue || [...prefix].some((option) => !optionsWithoutValue.has(option)))
+        return undefined;
+    return isLiteralSingleQuotedToken(token.slice(patternOptionIndex + 1));
+}
+function attachedSearchPatternFileOption(clean) {
+    return /^-f.+/.test(clean) || clean.startsWith('--file=');
+}
+function searchOptionConsumesNext(command, clean) {
+    return SEARCH_OPTIONS_WITH_VALUE.get(command)?.has(clean) ?? false;
+}
+function shellSegmentCommandIndex(entries) {
+    let envMode = false;
+    let envOptionsDone = false;
+    for (let i = 0; i < entries.length; i += 1) {
+        const clean = cleanShellToken(entries[i].raw);
+        if (!clean)
+            continue;
+        if (!envMode && shellEnvAssignment(clean))
+            continue;
+        if (!envMode && SHELL_COMMAND_PREFIXES.has(clean))
+            continue;
+        if (!envMode && clean === 'env') {
+            envMode = true;
+            envOptionsDone = false;
+            continue;
+        }
+        if (envMode) {
+            if (!envOptionsDone && clean === '--') {
+                envOptionsDone = true;
+                continue;
+            }
+            if (!envOptionsDone && envOptionConsumesNext(clean)) {
+                i += 1;
+                continue;
+            }
+            if (!envOptionsDone && clean.startsWith('-'))
+                continue;
+            if (shellEnvAssignment(clean))
+                continue;
+            return i;
+        }
+        return i;
+    }
+    return -1;
+}
+function hasDangerousGitOperation(cmd) {
+    const literalPatternRanges = literalSearchPatternRanges(cmd);
+    for (const match of cmd.matchAll(/\bgit\b/gi)) {
+        if (match.index !== undefined && inRanges(match.index, literalPatternRanges))
+            continue;
+        const args = shellishArgsAfter(cmd, match.index + match[0].length).map(cleanShellToken);
+        const envAssignments = shellEnvAssignmentsBeforeCommand(cmd, match.index);
+        const { aliases, unknownAliases } = gitAliasesFromEnvConfig(envAssignments);
+        for (let i = 0; i < args.length; i += 1) {
+            const arg = args[i];
+            if (arg === '--')
+                break;
+            const configValue = gitInlineConfigValue(arg, args[i + 1]);
+            if (configValue) {
+                const alias = gitAliasFromConfig(configValue.value);
+                if (alias)
+                    aliases.set(alias.name, alias.command);
+                if (configValue.consumesNext)
+                    i += 1;
+                continue;
+            }
+            const configEnvValue = gitConfigEnvValue(arg, args[i + 1]);
+            if (configEnvValue) {
+                const alias = gitAliasFromConfigEnv(configEnvValue.value, envAssignments);
+                if (alias) {
+                    if (alias.command === undefined) {
+                        aliases.delete(alias.name);
+                        unknownAliases.add(alias.name);
+                    }
+                    else {
+                        unknownAliases.delete(alias.name);
+                        aliases.set(alias.name, alias.command);
+                    }
+                }
+                if (configEnvValue.consumesNext)
+                    i += 1;
+                continue;
+            }
+            if (arg === 'push') {
+                if (gitPushHasDeniedOperation(args.slice(i + 1)))
+                    return true;
+                break;
+            }
+            if (arg === 'reset') {
+                if (gitResetHasHardFlag(args.slice(i + 1)))
+                    return true;
+                break;
+            }
+            if (arg === 'clean') {
+                if (gitCleanHasForceFlag(args.slice(i + 1)))
+                    return true;
+                break;
+            }
+            const aliasCommand = aliases.get(arg);
+            if (aliasCommand) {
+                if (gitAliasHasDeniedOperation(aliasCommand, args.slice(i + 1)))
+                    return true;
+                break;
+            }
+            if (unknownAliases.has(arg))
+                return true;
+            if (gitOptionConsumesNext(arg)) {
+                i += 1;
+                continue;
+            }
+            if (arg.startsWith('-'))
+                continue;
+            break;
+        }
+    }
+    return false;
+}
+function gitInlineConfigValue(arg, next) {
+    if (arg === '-c')
+        return next ? { value: next, consumesNext: true } : undefined;
+    if (arg.startsWith('-c') && arg.length > 2)
+        return { value: arg.slice(2), consumesNext: false };
+    return undefined;
+}
+function gitConfigEnvValue(arg, next) {
+    if (arg === '--config-env')
+        return next ? { value: next, consumesNext: true } : undefined;
+    if (arg.startsWith('--config-env='))
+        return { value: arg.slice('--config-env='.length), consumesNext: false };
+    return undefined;
+}
+function gitAliasFromConfig(config) {
+    const match = config.match(/^alias\.([^=\s]+)=(.+)$/i);
+    return match ? { name: match[1], command: match[2] } : undefined;
+}
+function gitAliasFromConfigEnv(configEnv, envAssignments) {
+    const match = configEnv.match(/^alias\.([^=\s]+)=([A-Za-z_][A-Za-z0-9_]*)$/i);
+    if (!match)
+        return undefined;
+    return { name: match[1], command: envAssignments.get(match[2]) };
+}
+function gitAliasesFromEnvConfig(envAssignments) {
+    const aliases = new Map();
+    const unknownAliases = new Set();
+    const countValue = envAssignments.get('GIT_CONFIG_COUNT');
+    if (!countValue || !/^\d+$/.test(countValue))
+        return { aliases, unknownAliases };
+    const count = Number.parseInt(countValue, 10);
+    const entries = [];
+    for (const [name, key] of envAssignments) {
+        const match = name.match(/^GIT_CONFIG_KEY_(\d+)$/);
+        if (!match)
+            continue;
+        const index = Number.parseInt(match[1], 10);
+        if (index >= count)
+            continue;
+        entries.push({ index, key });
+    }
+    entries.sort((a, b) => a.index - b.index);
+    for (const { index, key } of entries) {
+        const alias = key.match(/^alias\.([^=\s]+)$/i);
+        if (!alias)
+            continue;
+        const command = envAssignments.get(`GIT_CONFIG_VALUE_${index}`);
+        if (command === undefined) {
+            aliases.delete(alias[1]);
+            unknownAliases.add(alias[1]);
+        }
+        else {
+            unknownAliases.delete(alias[1]);
+            aliases.set(alias[1], command);
+        }
+    }
+    return { aliases, unknownAliases };
+}
+function gitOptionConsumesNext(arg) {
+    return GIT_OPTIONS_WITH_VALUE.has(arg);
+}
+function gitAliasHasDeniedOperation(command, remainingArgs) {
+    const aliasArgs = shellishArgsAfter(command, 0).map(cleanShellToken);
+    if (aliasArgs.length === 0)
+        return false;
+    if (aliasArgs[0].startsWith('!')) {
+        const shellCommand = [aliasArgs[0].slice(1), ...aliasArgs.slice(1), ...remainingArgs].join(' ');
+        return hasRmRecursiveForce(shellCommand) || hasDangerousGitOperation(shellCommand) || hasDestructiveCommand(shellCommand);
+    }
+    return gitExpandedArgsHaveDeniedOperation([...aliasArgs, ...remainingArgs]);
+}
+function gitExpandedArgsHaveDeniedOperation(args) {
+    for (let i = 0; i < args.length; i += 1) {
+        const arg = args[i];
+        if (arg === '--')
+            break;
+        if (arg === 'push')
+            return gitPushHasDeniedOperation(args.slice(i + 1));
+        if (arg === 'reset')
+            return gitResetHasHardFlag(args.slice(i + 1));
+        if (arg === 'clean')
+            return gitCleanHasForceFlag(args.slice(i + 1));
+        if (gitOptionConsumesNext(arg)) {
+            i += 1;
+            continue;
+        }
+        if (arg.startsWith('-'))
+            continue;
+        break;
+    }
+    return false;
+}
+function gitResetHasHardFlag(args) {
+    for (const arg of args) {
+        if (arg === '--')
+            break;
+        if (arg === '--hard')
+            return true;
+    }
+    return false;
+}
+function gitCleanHasForceFlag(args) {
+    let force = false;
+    let dryRun = false;
+    for (const arg of args) {
+        if (arg === '--')
+            break;
+        if (arg === '--dry-run')
+            dryRun = true;
+        if (arg === '--force' || /^-[^-]*f/.test(arg))
+            force = true;
+        if (/^-[^-]*n/.test(arg))
+            dryRun = true;
+    }
+    return force && !dryRun;
+}
+function gitPushHasDeniedOperation(args) {
+    let optionsDone = false;
+    for (const arg of args) {
+        if (arg === '--') {
+            optionsDone = true;
+            continue;
+        }
+        if (/^\+.+/.test(arg))
+            return true;
+        if (/^\+?:[^:]/.test(arg))
+            return true;
+        if (optionsDone)
+            continue;
+        if (/^--force(?:$|[=-])/.test(arg) || /^-[^-]*f/.test(arg))
+            return true;
+        if (arg === '--delete' || /^-[^-]*d/.test(arg) || arg === '--mirror' || arg === '--prune')
+            return true;
+    }
+    return false;
+}
+function protectedEnvToken(token) {
+    const clean = cleanShellToken(token);
+    if (!clean || clean.startsWith('-'))
+        return false;
+    return hasProtectedEnvSegment(clean);
+}
+function decodeEscapedCodePoint(match, value, radix) {
+    const codePoint = Number.parseInt(value, radix);
+    return codePoint >= 0 && codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
+}
+function decodeAnsiCQuoteBody(body) {
+    return body
+        .replace(/\\x([0-9a-fA-F]{1,2})/g, (match, hex) => decodeEscapedCodePoint(match, hex, 16))
+        .replace(/\\u([0-9a-fA-F]{1,4})/g, (match, hex) => decodeEscapedCodePoint(match, hex, 16))
+        .replace(/\\U([0-9a-fA-F]{1,8})/g, (match, hex) => decodeEscapedCodePoint(match, hex, 16))
+        .replace(/\\([0-7]{1,3})/g, (match, octal) => decodeEscapedCodePoint(match, octal, 8))
+        .replace(/\\([abefnrtv\\'"])/g, (_match, escaped) => {
+        const mapped = {
+            a: '\x07',
+            b: '\b',
+            e: '\x1b',
+            f: '\f',
+            n: '\n',
+            r: '\r',
+            t: '\t',
+            v: '\v',
+            '\\': '\\',
+            "'": "'",
+            '"': '"',
+        };
+        return mapped[escaped] ?? escaped;
+    });
+}
+function expandAnsiCQuotes(token) {
+    return token.replace(/\$'((?:\\.|[^'])*)'/g, (_match, body) => decodeAnsiCQuoteBody(body));
+}
+function cleanShellToken(token) {
+    return expandAnsiCQuotes(token)
+        .trim()
+        .replace(/\$(['"])/g, '$1')
+        .replace(/^['"`]+|['"`]+$/g, '')
+        .replace(/['"`]/g, '')
+        .replace(/\\(.)/g, '$1')
+        .replace(/^\d*(?:<|>)+/, '')
+        .replace(/[),\]}]+$/g, '');
+}
+function cleanRedirectionToken(token) {
+    return token
+        .trim()
+        .replace(/^['"`]+|['"`]+$/g, '')
+        .replace(/\\(.)/g, '$1')
+        .replace(/[),\]}]+$/g, '');
+}
+function cleanCommandPayloadToken(token) {
+    return expandAnsiCQuotes(token)
+        .trim()
+        .replace(/[),\]}]+$/g, '')
+        .replace(/\$(['"])/g, '$1')
+        .replace(/^['"`]+|['"`]+$/g, '')
+        .replace(/\\(.)/g, '$1');
+}
+function readerOptionReadsProtectedEnv(command, token) {
+    if (!['awk', 'grep', 'rg', 'sed'].includes(command))
+        return false;
+    const clean = cleanShellToken(token);
+    const longFile = clean.match(/^--file=(.+)$/);
+    if (longFile)
+        return optionValueHasProtectedEnvSegment(longFile[1]);
+    const shortFile = clean.match(/^-f(.+)$/);
+    if (shortFile)
+        return optionValueHasProtectedEnvSegment(shortFile[1]);
+    if (command === 'grep') {
+        const include = clean.match(/^--include=(.+)$/);
+        return include ? optionValueHasProtectedEnvSegment(include[1]) : false;
+    }
+    if (command === 'rg') {
+        const glob = clean.match(/^--i?glob=(.+)$/);
+        if (glob)
+            return rgGlobReadsProtectedEnv(glob[1]);
+        const shortGlob = clean.match(/^-g(.+)$/);
+        return shortGlob ? rgGlobReadsProtectedEnv(shortGlob[1]) : false;
+    }
+    return false;
+}
+function optionValueHasProtectedEnvSegment(value) {
+    return hasProtectedEnvSegment(cleanShellToken(value));
+}
+function rgGlobReadsProtectedEnv(value) {
+    const clean = cleanShellToken(value);
+    return !clean.startsWith('!') && hasProtectedEnvSegment(clean);
+}
+function hasProtectedEnvSegment(path) {
+    return path.split(/[\\/]+/).some((part) => part.startsWith('.env') && part !== '.env.example');
+}
+function shellTokenExcludesProtectedEnvPath(token) {
+    const clean = cleanShellToken(token);
+    return /^(?:--exclude|--exclude-dir)=/.test(clean) && clean.split('=').slice(1).every(optionValueHasProtectedEnvSegment);
+}
+function mentionsProtectedEnvPath(cmd) {
+    return shellishTokens(cmd).some((token) => {
+        if (shellTokenExcludesProtectedEnvPath(token))
+            return false;
+        return cleanShellToken(token)
+            .split(/[=$(){}\[\],;<>|&]+/)
+            .some((part) => hasProtectedEnvSegment(cleanShellToken(part)));
+    });
+}
+function shellishArgsAfter(cmd, start) {
+    const args = [];
+    let token = '';
+    let quote = '';
+    let escaping = false;
+    for (let i = start; i < cmd.length; i += 1) {
+        const ch = cmd[i];
+        if (escaping) {
+            token += ch;
+            escaping = false;
+            continue;
+        }
+        if (ch === '\\' && quote !== "'") {
+            escaping = true;
+            token += ch;
+            continue;
+        }
+        if (quote) {
+            token += ch;
+            if (ch === quote)
+                quote = '';
+            continue;
+        }
+        if (ch === "'" || ch === '"') {
+            quote = ch;
+            token += ch;
+            continue;
+        }
+        if (ch === '`' || ch === ';' || ch === '&' || ch === '|')
+            break;
+        if (/\s/.test(ch)) {
+            if (token) {
+                args.push(token);
+                token = '';
+            }
+            continue;
+        }
+        token += ch;
+    }
+    if (token)
+        args.push(token);
+    return args;
+}
+function shellishTokens(cmd) {
+    const args = [];
+    let token = '';
+    let quote = '';
+    let escaping = false;
+    for (let i = 0; i < cmd.length; i += 1) {
+        const ch = cmd[i];
+        if (escaping) {
+            token += ch;
+            escaping = false;
+            continue;
+        }
+        if (ch === '\\' && quote !== "'") {
+            escaping = true;
+            token += ch;
+            continue;
+        }
+        if (quote) {
+            token += ch;
+            if (ch === quote)
+                quote = '';
+            continue;
+        }
+        if (ch === "'" || ch === '"') {
+            quote = ch;
+            token += ch;
+            continue;
+        }
+        if (/[\s;|&]/.test(ch)) {
+            if (token) {
+                args.push(token);
+                token = '';
+            }
+            continue;
+        }
+        token += ch;
+    }
+    if (token)
+        args.push(token);
+    return args;
+}
+function shellishTokenEntries(cmd) {
+    const entries = [];
+    let token = '';
+    let tokenStart = 0;
+    let segment = 0;
+    let quote = '';
+    let escaping = false;
+    const flush = (end) => {
+        if (!token)
+            return;
+        entries.push({ raw: token, start: tokenStart, end, segment });
+        token = '';
+    };
+    const append = (ch, index) => {
+        if (!token)
+            tokenStart = index;
+        token += ch;
+    };
+    for (let i = 0; i < cmd.length; i += 1) {
+        const ch = cmd[i];
+        if (escaping) {
+            append(ch, i);
+            escaping = false;
+            continue;
+        }
+        if (ch === '\\' && quote !== "'") {
+            escaping = true;
+            append(ch, i);
+            continue;
+        }
+        if (quote) {
+            append(ch, i);
+            if (ch === quote)
+                quote = '';
+            continue;
+        }
+        if (ch === "'" || ch === '"') {
+            quote = ch;
+            append(ch, i);
+            continue;
+        }
+        if (/[;|&\n\r]/.test(ch)) {
+            flush(i);
+            segment += 1;
+            continue;
+        }
+        if (/\s/.test(ch)) {
+            flush(i);
+            continue;
+        }
+        append(ch, i);
+    }
+    flush(cmd.length);
+    return entries;
+}
+function shellCommandSegmentStart(cmd, end) {
+    let start = 0;
+    let quote = '';
+    let escaping = false;
+    for (let i = 0; i < end; i += 1) {
+        const ch = cmd[i];
+        if (escaping) {
+            escaping = false;
+            continue;
+        }
+        if (ch === '\\' && quote !== "'") {
+            escaping = true;
+            continue;
+        }
+        if (quote) {
+            if (ch === quote)
+                quote = '';
+            continue;
+        }
+        if (ch === "'" || ch === '"') {
+            quote = ch;
+            continue;
+        }
+        if (ch === '`' || ch === ';' || ch === '&' || ch === '|' || ch === '\n' || ch === '\r')
+            start = i + 1;
+    }
+    return start;
+}
+function shellEnvAssignment(clean) {
+    const match = clean.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
+    return match ? { name: match[1], value: match[2] } : undefined;
+}
+function shellEnvAssignmentsBeforeCommand(cmd, commandStart) {
+    const segmentStart = shellCommandSegmentStart(cmd, commandStart);
+    const tokens = shellishTokens(cmd.slice(segmentStart, commandStart));
+    const assignments = new Map();
+    let envMode = false;
+    let envOptionsDone = false;
+    let commandSeen = false;
+    for (let i = 0; i < tokens.length; i += 1) {
+        const clean = cleanShellToken(tokens[i]);
+        const assignment = shellEnvAssignment(clean);
+        if (assignment && (!commandSeen || envMode)) {
+            assignments.set(assignment.name, assignment.value);
+            continue;
+        }
+        if (!commandSeen && clean === 'env') {
+            envMode = true;
+            envOptionsDone = false;
+            commandSeen = true;
+            continue;
+        }
+        if (envMode) {
+            if (!envOptionsDone && clean === '--') {
+                envOptionsDone = true;
+                continue;
+            }
+            if (!envOptionsDone && envOptionConsumesNext(clean)) {
+                i += 1;
+                continue;
+            }
+            if (!envOptionsDone && clean.startsWith('-'))
+                continue;
+        }
+        commandSeen = true;
+        envMode = false;
+    }
+    return assignments;
+}
+function inlineRedirectionTarget(token) {
+    const clean = cleanRedirectionToken(token);
+    const match = clean.match(/^(?:\d*|&)(?:<>|>>|>|<)(?![<(])(.+)$/);
+    return match?.[1];
+}
+function standaloneRedirection(token) {
+    return /^(?:\d*|&)(?:<>|>>|>|<)$/.test(cleanRedirectionToken(token));
+}
+function commandSubstitutionTouchesProtectedEnv(cmd) {
+    for (const match of cmd.matchAll(/\$\(\s*(?:\d*|&)(?:<>|>>|>|<)\s*([^\s)]+)/g)) {
+        if (optionValueHasProtectedEnvSegment(match[1]))
+            return true;
+    }
+    return false;
+}
+function redirectionTouchesProtectedEnv(cmd) {
+    if (commandSubstitutionTouchesProtectedEnv(cmd))
+        return true;
+    const tokens = shellishTokens(cmd);
+    for (let i = 0; i < tokens.length; i += 1) {
+        const inlineTarget = inlineRedirectionTarget(tokens[i]);
+        if (inlineTarget && optionValueHasProtectedEnvSegment(inlineTarget))
+            return true;
+        if (standaloneRedirection(tokens[i]) && protectedEnvToken(tokens[i + 1] ?? ''))
+            return true;
     }
-    if (PROTECTED_CMD_PATH.test(cmd)) {
-        return { ok: false, reason: `คำสั่งที่อ่าน/แตะ path ลับถูกปฏิเสธ: "${cmd}"` };
+    return false;
+}
+function writerArgsTouchProtectedEnv(args) {
+    let optionsDone = false;
+    for (const arg of args) {
+        const clean = cleanShellToken(arg);
+        if (!optionsDone) {
+            if (clean === '--') {
+                optionsDone = true;
+                continue;
+            }
+            if (clean.startsWith('-'))
+                continue;
+        }
+        if (protectedEnvToken(arg))
+            return true;
+    }
+    return false;
+}
+function shellOptionConsumesNext(clean) {
+    return SHELL_OPTIONS_WITH_VALUE.has(clean) || /^[-+]o$/i.test(clean);
+}
+function envOptionConsumesNext(clean) {
+    return ENV_OPTIONS_WITH_VALUE.has(clean);
+}
+function inlineEnvSplitStringPayload(clean) {
+    return clean.match(/^-S(.+)$/)?.[1] ?? clean.match(/^--split-string=(.+)$/)?.[1];
+}
+function envWrappedCommandDenied(cmd, depth) {
+    if (depth >= 4)
+        return false;
+    for (const match of cmd.matchAll(ENV_CMD)) {
+        const args = shellishArgsAfter(cmd, match.index + match[0].length);
+        let commandIndex = -1;
+        for (let i = 0; i < args.length; i += 1) {
+            const clean = cleanShellToken(args[i]);
+            if (clean === '--') {
+                commandIndex = i + 1;
+                break;
+            }
+            const inlineSplitPayload = inlineEnvSplitStringPayload(clean);
+            if (inlineSplitPayload !== undefined) {
+                const payload = [inlineSplitPayload, ...args.slice(i + 1)].join(' ');
+                if (payload && !checkBash(cleanCommandPayloadToken(payload), depth + 1).ok)
+                    return true;
+                break;
+            }
+            if (clean === '-S' || clean === '--split-string') {
+                const payload = args.slice(i + 1).join(' ');
+                if (payload && !checkBash(cleanCommandPayloadToken(payload), depth + 1).ok)
+                    return true;
+                break;
+            }
+            if (envOptionConsumesNext(clean)) {
+                i += 1;
+                continue;
+            }
+            if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(clean))
+                continue;
+            if (clean.startsWith('-'))
+                continue;
+            commandIndex = i;
+            break;
+        }
+        if (commandIndex >= 0) {
+            const payload = args.slice(commandIndex).join(' ');
+            if (payload && !checkBash(payload, depth + 1).ok)
+                return true;
+        }
+    }
+    return false;
+}
+function nestedShellCommandDenied(cmd, depth) {
+    if (depth >= 4)
+        return false;
+    for (const match of cmd.matchAll(NESTED_SHELL_CMD)) {
+        const args = shellishArgsAfter(cmd, match.index + match[0].length);
+        for (let i = 0; i < args.length; i += 1) {
+            const clean = cleanShellToken(args[i]);
+            if (clean === '--')
+                break;
+            if (shellOptionConsumesNext(clean)) {
+                i += 1;
+                continue;
+            }
+            if (clean.startsWith('--'))
+                continue;
+            if (!clean.startsWith('-'))
+                break;
+            const inlineCommand = clean.match(/^-[^-]*?c(.+)$/);
+            if (inlineCommand || /^-[^-]*?c$/.test(clean)) {
+                const payload = inlineCommand?.[1] || args[i + 1];
+                if (payload && !checkBash(cleanCommandPayloadToken(payload), depth + 1).ok)
+                    return true;
+                break;
+            }
+        }
+    }
+    return false;
+}
+function readsProtectedEnvFile(cmd) {
+    for (const match of cmd.matchAll(ENV_READ_CMD)) {
+        const args = shellishArgsAfter(cmd, match.index + match[0].length);
+        const command = match[1].toLowerCase();
+        if (args.some((arg) => protectedEnvToken(arg) || readerOptionReadsProtectedEnv(command, arg)))
+            return true;
+    }
+    for (const match of cmd.matchAll(ENV_SOURCE_CMD)) {
+        const args = shellishArgsAfter(cmd, match.index + match[0].length);
+        if (protectedEnvToken(args[0] ?? ''))
+            return true;
+    }
+    for (const match of cmd.matchAll(ENV_WRITE_CMD)) {
+        const args = shellishArgsAfter(cmd, match.index + match[0].length);
+        if (writerArgsTouchProtectedEnv(args))
+            return true;
+    }
+    if (redirectionTouchesProtectedEnv(cmd))
+        return true;
+    return false;
+}
+// Rebuild `cmd` with each segment's COMMAND token de-quoted/de-escaped (e.g. `r\m`, `'rm'`, `g\it`
+// → `rm`, `git`), leaving every other token byte-identical so the literal-search-pattern exemption
+// (e.g. `grep 'rm -rf'`) still holds. Lets the matchers below see the real command name.
+function deobfuscateCommandTokens(cmd) {
+    const entries = shellishTokenEntries(cmd);
+    if (entries.length === 0)
+        return cmd;
+    const bySegment = new Map();
+    for (const entry of entries) {
+        const seg = bySegment.get(entry.segment);
+        if (seg)
+            seg.push(entry);
+        else
+            bySegment.set(entry.segment, [entry]);
+    }
+    const replacements = [];
+    for (const segEntries of bySegment.values()) {
+        const ci = shellSegmentCommandIndex(segEntries);
+        if (ci < 0)
+            continue;
+        const entry = segEntries[ci];
+        const cleaned = cleanShellToken(entry.raw);
+        if (cleaned && cleaned !== entry.raw)
+            replacements.push({ start: entry.start, end: entry.end, text: cleaned });
+    }
+    if (replacements.length === 0)
+        return cmd;
+    replacements.sort((a, b) => b.start - a.start); // right-to-left so offsets stay valid
+    let out = cmd;
+    for (const r of replacements)
+        out = out.slice(0, r.start) + r.text + out.slice(r.end);
+    return out;
+}
+export function checkBash(cmd, depth = 0) {
+    // Also test a de-obfuscated copy so a backslash/quote-mangled command name can't slip past.
+    const deob = deobfuscateCommandTokens(cmd);
+    const variants = deob === cmd ? [cmd] : [cmd, deob];
+    for (const c of variants) {
+        if (hasRmRecursiveForce(c) || hasDangerousGitOperation(c) || hasDestructiveCommand(c)) {
+            return { ok: false, reason: `คำสั่งทำลายล้าง/irreversible ถูกปฏิเสธ: "${cmd}"` };
+        }
+    }
+    for (const c of variants) {
+        if (PROTECTED_CMD_PATH.test(c) || mentionsProtectedEnvPath(c) || readsProtectedEnvFile(c)) {
+            return { ok: false, reason: `คำสั่งที่อ่าน/แตะ path ลับถูกปฏิเสธ: "${cmd}"` };
+        }
+    }
+    for (const c of variants) {
+        if (nestedShellCommandDenied(c, depth)) {
+            return { ok: false, reason: `คำสั่ง nested shell ที่อันตรายถูกปฏิเสธ: "${cmd}"` };
+        }
+        if (envWrappedCommandDenied(c, depth)) {
+            return { ok: false, reason: `คำสั่ง env wrapper ที่อันตรายถูกปฏิเสธ: "${cmd}"` };
+        }
     }
     return { ok: true };
 }
@@ -42,6 +993,21 @@ async function canonicalExisting(path) {
         return resolve(path);
     }
 }
+// If `path`'s leaf is a symlink, return where it actually points (resolved against its
+// dir). A DANGLING leaf symlink (target missing, parent present) otherwise slips past
+// existingAncestor (which stat()s through the link, fails, and falls back to the parent),
+// letting a write follow the link outside the workspace.
+async function symlinkLeafTarget(path) {
+    try {
+        const st = await lstat(path);
+        if (!st.isSymbolicLink())
+            return null;
+        return resolve(dirname(path), await readlink(path));
+    }
+    catch {
+        return null;
+    }
+}
 async function existingAncestor(path) {
     let dir = resolve(path);
     for (;;) {
@@ -75,8 +1041,7 @@ function protectedSegment(abs) {
     const parts = abs.split(/[\\/]+/);
     if (parts.some((p) => PROTECTED_SEGMENTS.has(p)))
         return true;
-    const base = basename(abs);
-    return base.startsWith('.env') && base !== '.env.example';
+    return hasProtectedEnvSegment(abs);
 }
 async function checkPathScope(path, intent) {
     const abs = intent === 'write' ? await existingAncestor(path) : await canonicalExisting(path);
@@ -100,12 +1065,27 @@ export async function checkReadPath(path) {
 /** กันเขียนทับ secrets/shell-rc/.sanook + กันเขียนนอก workspace/brain */
 export async function checkWritePath(path) {
     const abs = resolve(path);
-    const inProtectedDir = PROTECTED_DIRS.some((d) => abs === d || abs.startsWith(d + sep));
-    if (PROTECTED_EXACT.has(abs) || inProtectedDir || protectedSegment(abs)) {
+    const canonical = await existingAncestor(path);
+    // Where a symlinked leaf would actually write (closes the dangling-leaf-symlink escape).
+    const linkTarget = await symlinkLeafTarget(path);
+    const targetReal = linkTarget ? await existingAncestor(linkTarget) : null;
+    const candidates = [abs, canonical, ...(linkTarget ? [linkTarget, targetReal] : [])];
+    const inProtectedDir = (p) => PROTECTED_DIRS.some((d) => p === d || p.startsWith(d + sep));
+    if (candidates.some((p) => PROTECTED_EXACT.has(p) || inProtectedDir(p) || protectedSegment(p))) {
         return {
             ok: false,
             reason: `path ที่ป้องกันถูกปฏิเสธ: "${path}" (secrets / shell-rc / .sanook / .git / .env / node_modules)`,
         };
     }
+    // A symlinked leaf must resolve INSIDE the workspace/brain, not just sit there as a link.
+    if (linkTarget) {
+        const roots = await allowedRoots();
+        if (!roots.some((root) => inside(targetReal, root))) {
+            return {
+                ok: false,
+                reason: `symlink ชี้ออกนอก workspace/brain ที่อนุญาต: "${path}" → "${linkTarget}" (ตั้ง ${BRAND_ENV.allowOutsideWorkspace}=1 เพื่อ opt-in)`,
+            };
+        }
+    }
     return checkPathScope(path, 'write');
 }