fix: propagate bash -c recursion failures to prevent silent approval

When recursive parse_compound for bash -c inner commands fails,
the failed segment was silently dropped, potentially auto-approving
compounds with unparseable inner scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: oryband

approve-compound-bash.sh

@@ -205,7 +205,11 @@ parse_compound() {
     # Recursively expand bash -c / sh -c
     if [[ "$line" =~ ^(env[[:space:]]+)?(/[^[:space:]]*/)?((ba)?sh)[[:space:]]+-c[[:space:]]*[\'\"](.*)[\'\"]$ ]]; then
       debug "Recursing into shell -c: ${BASH_REMATCH[5]}"
-      parse_compound "${BASH_REMATCH[5]}"
+      if ! parse_compound "${BASH_REMATCH[5]}"; then
+        # Inner parse failed — emit wrapper as-is so it gets checked
+        # against allow/deny lists (and likely falls through)
+        printf '%s\0' "$line"
+      fi
     else
       printf '%s\0' "$line"
     fi

test/security.bats

@@ -133,6 +133,15 @@ load test_helper
   assert_denied
 }
 
+# -- bash -c recursion failure must not silently approve --
+
+@test "sec: bash -c with unparseable inner command falls through" {
+  # If inner parse fails and the segment is silently dropped, only 'ls' remains
+  # and would be approved. The fix emits the wrapper as-is, which is not allowed.
+  run_hook "bash -c '<<<invalid syntax>>>' && ls" '["Bash(ls *)"]'
+  assert_fallthrough
+}
+
 # -- eval / source --
 
 @test "sec: eval with dangerous command falls through (not in allow list)" {