The risk classifier is the approval gate's first line of defense, so it
must assume a prompt-injected agent is actively trying to disguise a
dangerous command as harmless. A review surfaced several bypasses where
a destructive/exfiltrating command under-classified to safe/local_write
(i.e. ran without a prompt). This closes them in layers:

Tokenizer
- Quote boundaries are no longer word boundaries: r""m, "rm", r''m all
  resolve to `rm` again (empty/adjacent quotes used to split the verb).

Structural decomposition
- Every pipe stage is classified, not just the head command, so
  `true | dd of=/dev/sda`, `: | wget … -O /tmp/x` and
  `echo x | sudo rm -rf /home` are seen for what their later stages do.

Wrapper unwrapping
- Leading exec wrappers (env, xargs, nohup, nice, setsid, timeout, …)
  are stripped so the real command is classified; sudo/doas/pkexec set a
  system_write floor and let the inner command escalate (sudo rm -rf /var
  → destructive, instead of being masked as system_write).

Verb-independent resource scanning
- /dev/tcp and /dev/udp (reverse-shell channels) → network_egress.
- Reads/writes of sensitive credential paths (~/.ssh, /etc/shadow,
  ~/.aws/credentials, /proc/self/environ, …) → system_write.

Payload re-classification & normalisation
- bash/sh -c '…' payloads and <(…)/>(…) process substitutions are
  re-classified (a shell given anything to execute → code_execution).
- New normalisation passes: ANSI-C $'\x72\x6d', brace expansion {rm,-rf,/}.

Detection coverage
- rm: robust recursive/force flag parsing (-rfv, -Rf, --recursive
  --force) and relative wipe targets (~, $HOME, *, ., ..).
- dd: broadened raw block-device list (vd/hd/xvd/mmcblk/disk/loop/dm).
- network: socat, rclone, dig/nslookup/host/drill, aria2c/axel/httpie.
- code exec: source/., npx/bunx/uvx/pipx, pnpm|yarn dlx, uv run,
  find -exec.
- install: pnpm/yarn/bun/apk add|install.

The package doc now states the threat model, the layered design, and the
explicit limitations (variable indirection, dynamic construction,
non-enumerated transforms) — this is defence-in-depth, not a sandbox, so
it errs toward over-classification (an extra prompt) over silent misses.

One existing expectation updated: `sudo rm -rf /var/log` is now
destructive (was system_write) — the more accurate, more secure class.
New hardening_test.go pins each closed vector and guards benign commands
against over-classification. Full suite green; go vet clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Previously the classifier fell through to Safe (allow) for any command it
didn't recognise, so the whole gate was fail-open: a novel or obfuscated
verb that dodged every known-dangerous check ran unprompted.

Flip it to fail-closed:

- New Unknown risk class, default action Deny (same as Destructive),
  ranked just below Destructive so a single unknown stage dominates
  benign siblings in a pipeline/compound command.
- classifyCommand now returns Safe only for a recognised command used
  benignly, and Unknown otherwise.
- safeCommands: an explicit read-only/no-op allowlist (ls, cat, grep,
  sort, jq, stat, ps, git via existing prefixes, cd/export and other
  benign builtins, …) so ordinary inspection still classifies Safe.
  Mutating/code-executing tools are deliberately excluded — they must be
  allowlisted, not slip through unclassified. A safe command given a
  write redirect or system/sensitive path is still escalated first.
- Leading VAR=val assignments are unwrapped (FOO=bar rm -rf / → rm), and
  an assignment-only command is a no-op (Safe).

Side benefit: the variable-indirection limitation now denies rather than
silently allows — `$X -rf /` reads as an Unknown verb.

Configurable like any class: set "unknown": "prompt" for a softer
profile, or use the allowlist for specific trusted tools. Godmode
(action: allow) still allows it, exactly like Destructive.

Docs and tests updated (rank/ActionFor expectations; new fail-closed,
assignment-unwrap, and safe-allowlist coverage). Full suite green; vet clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…wn class

Extend the user-facing guide for setting up the "dangerous" approval
policy, and bring the security/CLI/dev docs in line with the new 9-class
model (adds the fail-closed `unknown` class).

DOCKER_COMPOSE_USER_GUIDE.md §5a now has a full field-by-field setup
guide for the restricted profile:
- what each key does (sandbox/action/non_interactive/classes/allow/deny)
- the 9-class table with built-in vs profile actions
- the action-resolution precedence (allowlist → denylist → classes →
  blocked → action → built-in default → non_interactive)
- a gotcha: a global "action" overrides EVERY unlisted class, so the
  shipped restricted profile prompts even on `safe` (`ls`) unless you
  add "safe": "allow" or omit "action" — both shown
- customisation recipes (tighten / loosen / allowlist one tool / lockdown)

CLI.md, SECURITY.md, DEVELOPMENT.md: add the `unknown` class, state the
fail-closed default, refresh the evasion list and regression-suite
pointers. No code changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Self-review of the fail-closed change surfaced consumers that enumerate
risk classes but were never taught about the new Unknown class, plus two
classifier correctness bugs. Fixes:

1. Sub-agent risk caps ignored Unknown (cmd/odek/subagent.go). The mirror
   riskRank() had no Unknown case (returned 0) and the untrusted + maxRisk
   clamp loops didn't list it. Result: max_risk="unknown" denied even Safe,
   and a capped/untrusted sub-agent never force-denied Unknown when the
   inherited config loosened it. Root cause was the duplicated ranking, so
   export danger.Rank as the single source of truth (rank→Rank) and have
   subagent.go use it; add danger.Unknown to both clamp loops.

2. Trust-class shortcut allowed Unknown (internal/danger/approver.go,
   cmd/odek/wsapprover.go). "Trust class for session" was disabled only for
   Destructive/Blocked, so a single grant could blanket-approve every future
   unrecognised verb — the exact approval-fatigue attack the exclusion
   exists to stop. Exclude Unknown too.

3. dd to a character device misclassified destructive (classifier.go).
   isDestructive's of= branch matched any "/dev/" substring, so the common
   `dd ... of=/dev/null` / `of=/dev/stdout` idioms were denied. Use the
   precise containsBlockDevice matcher (also dedupes the device logic).

4. ANSI-C octal over-read (classifier.go decodeEscape). The loop consumed
   up to 4 octal digits; bash takes at most 3. `$'\1551'` now decodes to
   "m1" (octal 155 + literal 1), matching the shell, not a single byte.

Regression tests added for each; rank→Rank rename propagated through the
danger package and its tests. Full suite green; go vet clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Follow-up to the Unknown-class fixes — the lower-severity review items:

5. shell tool description (cmd/odek/shell.go): add the `unknown` class and
   state the fail-closed default, so the model driving the tool can reason
   about why an unrecognised command was denied.

6. sensitivePathFragments (classifier.go): document why it is deliberately
   separate from ClassifyPath's home-sensitive-dir list (token-substring,
   credential reads vs absolute-path write-risk) so the overlap doesn't get
   "deduped" into a behavior change, and so a maintainer updating one
   considers the other.

7. safeCommands (classifier.go): extend the read-only allowlist with common
   modern CLIs (fd, eza/exa/lsd, htop/btop/glances, pstree/procs, duf, dust,
   delta, hexyl, glow) so fail-closed doesn't deny routine inspection.

8. classifyStage (classifier.go): pass a pipedInto flag instead of having
   classifyPipeline re-run unwrapWrappers on each non-head stage purely to
   read the head command — one unwrap per stage now.

9. hasSystemRedirectTarget → touchesSystemPath (classifier.go): the function
   flags ANY system-path token, not just redirect targets, and is NOT
   redundant with isSystemWrite (verified: it catches `cat /etc/foo` and
   unknown tools pointed at /usr, and runs after isLocalWrite). Renamed for
   accuracy with a comment on why both checks exist.

Behavior change is limited to #7 (more tools classify Safe). Regression test
for the new safe tools added. Full suite green; go vet clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>