hooks: strip heredoc bodies before dangerous-command scan

Closes #100.

The dangerous-command blocker regex-matches against the raw `command`
string. Bodies of bash heredocs (cat > note.md <<EOF ... EOF) are data,
not commands, so a journal entry or repro that quotes a forbidden
phrase like "git push --force" or the docker-compose teardown invocation
was tripping the blocker and refusing benign Bash invocations.

Strip heredoc bodies from the scannable text before the pattern loop:

  /<<-?\s*['"]?(\w+)['"]?\n[\s\S]*?\n[ \t]*\1\s*$/gm

Handles `<<DELIM`, `<<-DELIM`, `<<"DELIM"`, `<<'DELIM'`. The `[ \t]*`
before the closing delimiter covers `<<-` heredocs where bash strips
leading tabs from the terminator line. Real destructive commands
outside the heredoc still match (verified by test).

Tests added (hooks.test.ts):
- allows heredoc body that names a forbidden phrase as data
- allows heredoc with quoted delimiter and dangerous-looking body
- blocks real dangerous command outside the heredoc
- blocks dash-stripped heredoc opener with real dangerous trailing command

Stash-bisect: 13/2 fail without the fix, 15/0 pass with the fix.

This is option 2 from #100 (heredoc-strip, no new dep). Echo/printf
false-positives still exist; the long-term option 1 (shell-token-aware
scan) is left for a future, larger PR. This narrow patch addresses the
highest-frequency case.

Author: truffle-dev

src/agent/__tests__/hooks.test.ts

@@ -210,4 +210,81 @@ describe("createDangerousCommandBlocker", () => {
 
 		expect(result).toEqual({ continue: true });
 	});
+
+	test("allows heredoc body that names a forbidden phrase as data", async () => {
+		const hook = createDangerousCommandBlocker();
+		const callback = hook.hooks[0];
+
+		const result = await callback(
+			makeHookInput({
+				hook_event_name: "PreToolUse",
+				tool_name: "Bash",
+				tool_input: {
+					command: "cat > note.md <<EOF\nReminder: git push --force is forbidden\nEOF",
+				},
+			}),
+			undefined,
+			{ signal: new AbortController().signal },
+		);
+
+		expect(result).toEqual({ continue: true });
+	});
+
+	test("allows heredoc with quoted delimiter and dangerous-looking body", async () => {
+		const hook = createDangerousCommandBlocker();
+		const callback = hook.hooks[0];
+
+		const result = await callback(
+			makeHookInput({
+				hook_event_name: "PreToolUse",
+				tool_name: "Bash",
+				tool_input: {
+					command:
+						"node <<'NODEEOF'\n// repro: docker compose down should not be triggered\nconsole.log('ok');\nNODEEOF",
+				},
+			}),
+			undefined,
+			{ signal: new AbortController().signal },
+		);
+
+		expect(result).toEqual({ continue: true });
+	});
+
+	test("blocks real dangerous command outside the heredoc", async () => {
+		const hook = createDangerousCommandBlocker();
+		const callback = hook.hooks[0];
+
+		const result = await callback(
+			makeHookInput({
+				hook_event_name: "PreToolUse",
+				tool_name: "Bash",
+				tool_input: {
+					command: "cat > note.md <<EOF\nharmless body\nEOF\ngit push --force origin main",
+				},
+			}),
+			undefined,
+			{ signal: new AbortController().signal },
+		);
+
+		expect(result).toHaveProperty("decision", "block");
+	});
+
+	test("blocks dash-stripped heredoc opener with real dangerous trailing command", async () => {
+		const hook = createDangerousCommandBlocker();
+		const callback = hook.hooks[0];
+
+		const result = await callback(
+			makeHookInput({
+				hook_event_name: "PreToolUse",
+				tool_name: "Bash",
+				tool_input: {
+					command: "cat <<-EOF\n\tharmless body\n\tEOF\nrm -rf /",
+				},
+			}),
+			undefined,
+			{ signal: new AbortController().signal },
+		);
+
+		expect(result).toHaveProperty("decision", "block");
+	});
 });

src/agent/hooks.ts

@@ -25,6 +25,19 @@ const DANGEROUS_COMMANDS: { pattern: RegExp; label: string }[] = [
 	{ pattern: /kill\s+-9\s+1(\s|$)/, label: "kill init" },
 ];
 
+// Heredoc bodies are data, not commands. Stripping them before the
+// dangerous-command scan prevents prose, repros, and journal entries
+// that quote a forbidden phrase from tripping the blocker.
+// Matches `<<DELIM`, `<<-DELIM`, `<<"DELIM"`, `<<'DELIM'`; replaces the
+// payload (and the closing delimiter line) with an empty string and
+// keeps the surrounding command text so a real destructive command
+// outside the heredoc still matches. The optional `[ \t]*` before the
+// closing delimiter handles `<<-` heredocs where Bash strips leading
+// tabs from the terminator at parse time.
+function stripHeredocBodies(command: string): string {
+	return command.replace(/<<-?\s*['"]?(\w+)['"]?\n[\s\S]*?\n[ \t]*\1\s*$/gm, "");
+}
+
 export function createFileTracker(): {
 	hook: HookCallbackMatcher;
 	getTrackedFiles: () => string[];
@@ -59,8 +72,9 @@ export function createDangerousCommandBlocker(): HookCallbackMatcher {
 				if (input.hook_event_name !== "PreToolUse") return { continue: true };
 				const command = (input.tool_input as Record<string, unknown>)?.command;
 				if (typeof command === "string") {
+					const scannable = stripHeredocBodies(command);
 					for (const { pattern, label } of DANGEROUS_COMMANDS) {
-						if (pattern.test(command)) {
+						if (pattern.test(scannable)) {
 							return {
 								decision: "block",
 								reason: `Blocked dangerous command: "${label}"`,