LAA-Software-Engineering
diff --git a/CHANGELOG.md b/CHANGELOG.md
Lines changed: 1 addition & 1 deletion
diff --git a/internal/cli/init_test.go b/internal/cli/init_test.go
Lines changed: 28 additions & 0 deletions
diff --git a/internal/policy/derive.go b/internal/policy/derive.go
Lines changed: 4 additions & 2 deletions
diff --git a/internal/policy/doc.go b/internal/policy/doc.go
Lines changed: 3 additions & 0 deletions
diff --git a/internal/policy/evaluator.go b/internal/policy/evaluator.go
Lines changed: 38 additions & 36 deletions
diff --git a/internal/policy/presets_eval_test.go b/internal/policy/presets_eval_test.go
Lines changed: 80 additions & 1 deletion
diff --git a/internal/policy/shell_safe.go b/internal/policy/shell_safe.go
Lines changed: 2 additions & 12 deletions
diff --git a/internal/spec/kinds.go b/internal/spec/kinds.go
Lines changed: 4 additions & 4 deletions
diff --git a/internal/spec/policy_expand.go b/internal/spec/policy_expand.go
Lines changed: 5 additions & 14 deletions
@@ -9,7 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Added
 
 - **Built-in policy presets** (issue #104): `strict`, `permissive`, and `shell_safe`. Select via `Project.spec.defaults.policy`, by referencing a preset name on agents/workflows, or with `Policy.spec.preset` (local rules layer on top). Presets expand during [NormalizeProjectGraph] so plan/validate show effective rules.
-- **`shell_safe` token classification** for native `command.run` / `run` / `exec` / `shell` operations: read-only tokens (`ls`, `cat`, …) run unattended; risky/unknown tokens and tools with side-effect metadata require `--approve`.
+- **`shell_safe` token classification** for native `command.run` / `run` / `exec` / `shell` operations: a command whose first token is read-only (`ls`, `cat`, …) runs unattended only when it contains no shell metacharacters (`;|&$`, newlines, `` ` ``, `$(…)`); commands that contain metacharacters or start with a risky or unknown token, and side-effecting non-shell tools, require `--approve`. **Heuristic only — not a sandbox.**
 - **`spec.safety` on Tool resources** (issue #103): optional `trusted`, `sideEffects`, and `requiresApproval` fields. [NormalizeProjectGraph] materializes fail-closed defaults on load.
 - **Policy safety fallback**: when no `approvals.requiredFor` entry matches the exact `uses` string, [policy.Derive] consults resolved safety metadata. Unattended mutating tools require `--approve` (exit code **5**, `approval_required`).
 - **Plan risk hints** for tools that will require approval at run, including decision source (`explicit_policy_rule`, `safety_metadata`, `fail_closed_default`).
 
@@ -35,6 +35,34 @@ func TestInit_thenValidateSucceeds(t *testing.T) {
 	}
 }
 
+func TestInit_defaultPolicyExpandsShellSafePreset(t *testing.T) {
+	parent := t.TempDir()
+	name := "shellsafe"
+
+	ResetGlobalsForTest()
+	cmd := NewRootCmd()
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	cmd.SetArgs([]string{"init", name, "--parent-dir", parent})
+	if err := cmd.Execute(); err != nil {
+		t.Fatal(err)
+	}
+
+	ResetGlobalsForTest()
+	g := &Global{ProjectRoot: filepath.Join(parent, name)}
+	graph, _, err := prepareProjectGraph(g.ProjectRoot, g)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pr, ok := graph.Policies["default"]
+	if !ok || pr == nil {
+		t.Fatal("expected default policy")
+	}
+	if pr.Spec.ResolvedPreset != "shell_safe" {
+		t.Fatalf("default policy ResolvedPreset = %q want shell_safe", pr.Spec.ResolvedPreset)
+	}
+}
+
 func TestInit_rejectsExistingDir(t *testing.T) {
 	parent := t.TempDir()
 	name := "dup"
 
@@ -50,20 +50,22 @@ func EffectiveToolDecision(graph *spec.ProjectGraph, pol *spec.PolicySpec, toolN
 	toolName = strings.TrimSpace(toolName)
 	safety := resolvedSafetyForTool(graph, toolName)
 	if pol != nil && pol.Approvals != nil {
-		if pol.Approvals.Permissive {
+		if spec.ApprovalPermissive(pol.Approvals) {
 			return ToolDecision{
 				Decision: DecisionAllow,
 				Source:   SourceExplicitPolicyRule,
 				Safety:   safety,
 			}
 		}
-		if pol.Approvals.RequireAllTools {
+		if spec.ApprovalRequireAllTools(pol.Approvals) {
 			return ToolDecision{
 				Decision: DecisionRequireApproval,
 				Source:   SourceExplicitPolicyRule,
 				Safety:   safety,
 			}
 		}
+		// shell_safe plan risk is tool-granular (conservative): side-effecting tools flag approval;
+		// runtime applies per-command token classification via shellSafeRequiresApproval.
 		if spec.ResolvedPresetName(pol) == spec.PresetShellSafe {
 			if safety.RequiresApproval || safety.SideEffects {
 				return ToolDecision{
 
@@ -9,6 +9,9 @@
 // Project.spec.defaults.policy, a Policy resource spec.preset, or by referencing a preset name
 // as the workflow/agent policy. [spec.ExpandPresetsInGraph] materializes effective rules during normalize.
 //
+// shell_safe uses first-token heuristics plus metacharacter fail-closed checks — not a sandbox.
+// Plan risk for shell_safe is tool-granular (conservative); runtime applies per-command classification.
+//
 // When no explicit approvals.requiredFor rule matches a tool call, [Derive] consults
 // [spec.ResolveToolSafety] metadata (fail-closed defaults; issue #103).
 //
 
@@ -54,60 +54,62 @@ func (e *evaluator) CheckStep(ctx context.Context, step StepContext) error {
 func (e *evaluator) CheckToolCall(ctx context.Context, call ToolCallContext) error {
 	_ = ctx
 	p := e.spec()
-	if p != nil && p.Approvals != nil && p.Approvals.Permissive {
-		if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
-			return err
-		}
-		return nil
-	}
 	if p != nil {
 		if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
 			return err
 		}
-		if p.Approvals != nil && p.Approvals.RequireAllTools {
-			if actionApproved(call.Uses, call.Run.ApprovedActions) {
-				return nil
-			}
-			return denied(
-				ReasonApprovalRequired,
-				"policy: action requires explicit approval (--approve)",
-				call.Uses,
-				map[string]any{"requiredFor": call.Uses, "preset": spec.PresetStrict},
-			)
-		}
-		if spec.ResolvedPresetName(p) == spec.PresetShellSafe && !shellSafeRequiresApproval(e.graph, call) {
+		if p.Approvals != nil && spec.ApprovalPermissive(p.Approvals) {
 			return nil
 		}
-		if presetRequiresApproval(p, e.graph, call) {
+	}
+	switch {
+	case p != nil && spec.ResolvedPresetName(p) == spec.PresetShellSafe:
+		if shellSafeRequiresApproval(e.graph, call) {
 			if actionApproved(call.Uses, call.Run.ApprovedActions) {
 				return nil
 			}
-			return denied(
-				ReasonApprovalRequired,
-				"policy: action requires explicit approval (--approve)",
-				call.Uses,
-				map[string]any{
-					"requiredFor": call.Uses,
-					"preset":      spec.ResolvedPresetName(p),
-				},
-			)
+			return toolCallApprovalDenied(call, p)
 		}
-		if approvalRequired(call.Uses, p.Approvals) {
-			return checkApprovalGranted(call.Uses, p.Approvals, call.Run.ApprovedActions)
+		return nil
+	case requiresToolCallApproval(e.graph, p, call):
+		if actionApproved(call.Uses, call.Run.ApprovedActions) {
+			return nil
 		}
+		return toolCallApprovalDenied(call, p)
+	}
+	if p != nil && approvalRequired(call.Uses, p.Approvals) {
+		return checkApprovalGranted(call.Uses, p.Approvals, call.Run.ApprovedActions)
 	}
 	return checkSafetyDerived(e.graph, call)
 }
 
-func presetRequiresApproval(p *spec.PolicySpec, graph *spec.ProjectGraph, call ToolCallContext) bool {
-	if p == nil || p.Approvals == nil {
+func requiresToolCallApproval(graph *spec.ProjectGraph, pol *spec.PolicySpec, call ToolCallContext) bool {
+	if pol == nil {
 		return false
 	}
-	if p.Approvals.RequireAllTools {
-		return true
-	}
-	if spec.ResolvedPresetName(p) == spec.PresetShellSafe {
+	if spec.ResolvedPresetName(pol) == spec.PresetShellSafe {
 		return shellSafeRequiresApproval(graph, call)
 	}
+	if pol.Approvals == nil {
+		return false
+	}
+	if spec.ApprovalRequireAllTools(pol.Approvals) {
+		return true
+	}
 	return false
 }
+
+func toolCallApprovalDenied(call ToolCallContext, pol *spec.PolicySpec) error {
+	extra := map[string]any{"requiredFor": call.Uses}
+	if pol != nil {
+		if preset := spec.ResolvedPresetName(pol); preset != "" {
+			extra["preset"] = preset
+		}
+	}
+	return denied(
+		ReasonApprovalRequired,
+		"policy: action requires explicit approval (--approve)",
+		call.Uses,
+		extra,
+	)
+}
@@ -57,21 +57,69 @@ func TestCheckToolCall_shellSafe_gatesRm(t *testing.T) {
 	}
 }
 
+func TestCheckToolCall_shellSafe_gatesChainedCommand(t *testing.T) {
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(shellSafeGraph(), &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.shell.run",
+		With: map[string]any{"command": "ls; rm -rf /"},
+	})
+	if err == nil {
+		t.Fatal("expected chained command to require approval")
+	}
+}
+
+func TestCheckToolCall_shellSafe_approveGrantsRm(t *testing.T) {
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(shellSafeGraph(), &pol)
+	uses := "tool.shell.command.run"
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{ApprovedActions: []string{uses}},
+		Uses: uses,
+		With: map[string]any{"command": "rm -rf /tmp/x"},
+	})
+	if err != nil {
+		t.Fatalf("--approve should grant gated command: %v", err)
+	}
+}
+
 func TestCheckToolCall_shellSafe_unknownTokenGated(t *testing.T) {
 	pol, err := spec.BuildPreset(spec.PresetShellSafe)
 	if err != nil {
 		t.Fatal(err)
 	}
 	ev := NewEvaluator(shellSafeGraph(), &pol)
 	err = ev.CheckToolCall(context.Background(), ToolCallContext{
-		Uses: "tool.shell.command.run",
+		Uses: "tool.shell.exec",
 		With: map[string]any{"command": "totally-unknown"},
 	})
 	if err == nil {
 		t.Fatal("expected unknown token to gate")
 	}
 }
 
+func TestCheckToolCall_shellSafe_nonShellSideEffectToolGated(t *testing.T) {
+	g := testGraphWithTools("slack")
+	g.Tools["slack"].Spec.Safety = &spec.ToolSafety{SideEffects: spec.BoolPtr(true)}
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(g, &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.slack.message.send",
+	})
+	if err == nil {
+		t.Fatal("side-effecting non-shell tool should gate under shell_safe")
+	}
+}
+
 func TestCheckToolCall_strict_gatesAllTools(t *testing.T) {
 	g := testGraphWithTools("helper")
 	g.Tools["helper"].Spec.Safety = &spec.ToolSafety{SideEffects: spec.BoolPtr(false)}
@@ -104,6 +152,25 @@ func TestCheckToolCall_permissive_allowsMutatingTool(t *testing.T) {
 	}
 }
 
+func TestEngine_Evaluator_resolvesBuiltinShellSafeAfterNormalize(t *testing.T) {
+	g := &spec.ProjectGraph{
+		Spec: spec.ProjectSpec{
+			Defaults: &spec.ProjectDefaults{Policy: spec.PresetShellSafe},
+		},
+		Tools: shellSafeGraph().Tools,
+	}
+	spec.NormalizeProjectGraph(g)
+	eng := NewEngine(g)
+	ev := eng.Evaluator(spec.PresetShellSafe)
+	err := ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.shell.command.run",
+		With: map[string]any{"command": "ls"},
+	})
+	if err != nil {
+		t.Fatalf("builtin shell_safe after normalize should allow ls: %v", err)
+	}
+}
+
 func TestExpandPresetsInGraph_materializesDefault(t *testing.T) {
 	g := &spec.ProjectGraph{
 		Spec: spec.ProjectSpec{
@@ -139,3 +206,15 @@ func TestExpandPresetsInGraph_userPolicyOverridesBuiltin(t *testing.T) {
 		t.Fatal("user policy should not be replaced by builtin")
 	}
 }
+
+func TestEffectiveToolDecision_shellSafe_toolGranularPlan(t *testing.T) {
+	g := shellSafeGraph()
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	td := EffectiveToolDecision(g, &pol, "shell")
+	if td.Decision != DecisionRequireApproval {
+		t.Fatalf("plan should conservatively flag side-effecting shell tool: %+v", td)
+	}
+}
@@ -12,18 +12,8 @@ func shellSafeRequiresApproval(graph *spec.ProjectGraph, call ToolCallContext) b
 		return true
 	}
 	if spec.IsShellCommandOperation(operation) {
-		cmd := spec.ExtractShellCommand(call.With)
-		token := spec.FirstShellToken(cmd)
-		switch spec.ClassifyShellToken(token) {
-		case spec.ShellTokenReadOnly:
-			return false
-		case spec.ShellTokenGate, spec.ShellTokenUnknown:
-			return true
-		}
+		return spec.ShellCommandRequiresApproval(spec.ExtractShellCommand(call.With))
 	}
 	safety := resolvedSafetyForTool(graph, toolName)
-	if safety.RequiresApproval || safety.SideEffects {
-		return true
-	}
-	return false
+	return safety.RequiresApproval || safety.SideEffects
 }
@@ -182,10 +182,10 @@ type PolicyTools struct {
 
 type PolicyApprovals struct {
 	RequiredFor []string `yaml:"requiredFor,omitempty" json:"requiredFor,omitempty"`
-	// RequireAllTools is set when the strict preset is expanded (every tool call requires approval).
-	RequireAllTools bool `yaml:"requireAllTools,omitempty" json:"requireAllTools,omitempty"`
-	// Permissive is set when the permissive preset is expanded (never gate tool calls).
-	Permissive bool `yaml:"permissive,omitempty" json:"permissive,omitempty"`
+	// RequireAllTools gates every tool call when true (strict preset). Pointer preserves tri-state merge.
+	RequireAllTools *bool `yaml:"requireAllTools,omitempty" json:"requireAllTools,omitempty"`
+	// Permissive skips tool-call approval when true (permissive preset). Pointer preserves tri-state merge.
+	Permissive *bool `yaml:"permissive,omitempty" json:"permissive,omitempty"`
 }
 
 type PolicySecurity struct {
 
@@ -19,10 +19,7 @@ func ExpandPresetsInGraph(g *ProjectGraph) {
 		if _, exists := g.Policies[name]; exists {
 			continue
 		}
-		preset, err := BuildPreset(name)
-		if err != nil {
-			continue
-		}
+		preset, _ := BuildPreset(name)
 		g.Policies[name] = &PolicyResource{
 			APIVersion: APIVersionV0,
 			Kind:       KindPolicy,
@@ -34,11 +31,9 @@ func ExpandPresetsInGraph(g *ProjectGraph) {
 		if pr == nil {
 			continue
 		}
-		resolved, err := resolvePolicyResourcePreset(&pr.Spec)
-		if err != nil || resolved == nil {
-			continue
+		if resolved, err := resolvePolicyResourcePreset(&pr.Spec); err == nil && resolved != nil {
+			pr.Spec = *resolved
 		}
-		pr.Spec = *resolved
 	}
 }
 
@@ -47,10 +42,7 @@ func resolvePolicyResourcePreset(pol *PolicySpec) (*PolicySpec, error) {
 		return nil, nil
 	}
 	presetName := strings.TrimSpace(pol.Preset)
-	if presetName == "" {
-		if pol.ResolvedPreset != "" {
-			return nil, nil
-		}
+	if presetName == "" || pol.ResolvedPreset != "" {
 		return nil, nil
 	}
 	if !IsBuiltinPreset(presetName) {
@@ -81,9 +73,8 @@ func collectReferencedPolicyNames(g *ProjectGraph) []string {
 			add(wr.Spec.Policy)
 		}
 	}
-	for name, pr := range g.Policies {
+	for name := range g.Policies {
 		add(name)
-		_ = pr
 	}
 	out := make([]string, 0, len(seen))
 	for name := range seen {
Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,7 @@ func ExpandPresetsInGraph(g *ProjectGraph) {`
`19`	`19`	`if _, exists := g.Policies[name]; exists {`
`20`	`20`	`continue`
`21`	`21`	`}`
`22`		`- preset, err := BuildPreset(name)`
`23`		`- if err != nil {`
`24`		`- continue`
`25`		`- }`
	`22`	`+ preset, _ := BuildPreset(name)`
`26`	`23`	`g.Policies[name] = &PolicyResource{`
`27`	`24`	`APIVersion: APIVersionV0,`
`28`	`25`	`Kind: KindPolicy,`
`@@ -34,11 +31,9 @@ func ExpandPresetsInGraph(g *ProjectGraph) {`
`34`	`31`	`if pr == nil {`
`35`	`32`	`continue`
`36`	`33`	`}`
`37`		`- resolved, err := resolvePolicyResourcePreset(&pr.Spec)`
`38`		`- if err != nil \|\| resolved == nil {`
`39`		`- continue`
	`34`	`+ if resolved, err := resolvePolicyResourcePreset(&pr.Spec); err == nil && resolved != nil {`
	`35`	`+ pr.Spec = *resolved`
`40`	`36`	`}`
`41`		`- pr.Spec = *resolved`
`42`	`37`	`}`
`43`	`38`	`}`
`44`	`39`
`@@ -47,10 +42,7 @@ func resolvePolicyResourcePreset(pol *PolicySpec) (*PolicySpec, error) {`
`47`	`42`	`return nil, nil`
`48`	`43`	`}`
`49`	`44`	`presetName := strings.TrimSpace(pol.Preset)`
`50`		`- if presetName == "" {`
`51`		`- if pol.ResolvedPreset != "" {`
`52`		`- return nil, nil`
`53`		`- }`
	`45`	`+ if presetName == "" \|\| pol.ResolvedPreset != "" {`
`54`	`46`	`return nil, nil`
`55`	`47`	`}`
`56`	`48`	`if !IsBuiltinPreset(presetName) {`
`@@ -81,9 +73,8 @@ func collectReferencedPolicyNames(g *ProjectGraph) []string {`
`81`	`73`	`add(wr.Spec.Policy)`
`82`	`74`	`}`
`83`	`75`	`}`
`84`		`- for name, pr := range g.Policies {`
	`76`	`+ for name := range g.Policies {`
`85`	`77`	`add(name)`
`86`		`- _ = pr`
`87`	`78`	`}`
`88`	`79`	`out := make([]string, 0, len(seen))`
`89`	`80`	`for name := range seen {`