+ iL@aROtC0tRt^RIt^RIt^RIt^RIt^RIt^RIt^RIt^RI H t ]P!] 4t ]P!RRR7t]^kRRltRR ltRR R lltR tR tR] R] R2t.RPNRQNRRNRSNRTNRUNRVNRWNRXNRYNRZNR[NR\NR]NR^NR_NR`NRaNRbNRcNRdNReNR] 2R3NR] 2R3NRfNRgNRhNRiNRjNRkNRlNRmNRnNtRRlt/t]^k]F`wtt]!]4t]t]P;]]!44P?]]04]P;]]!44P?]]04Kb RRlt RRlt!RRlt"]PF!4t$/t%]^k/t&]^k]!4t']^k!RR4t(/t)]^k/t*]^kRR lt+R!R"lt,RoR#R$llt-R%R&lt.R'R(lt/R)R*lt0R+R,lt1R-R.lt2R/R0lt3R1R2lt4R3R4lt5R5R6lt6R7R8lt7R9R:lt8R;R<lt9RpR=R>llt:R?R@lt;RARBltRGRHlt?RqRIRJllt@RKRLltARqRMRNlltBR#)raDangerous command approval -- detection, prompting, and per-session state. This module is the single source of truth for the dangerous command system: - Pattern detection (DANGEROUS_PATTERNS, detect_dangerous_command) - Per-session approval state (thread-safe, keyed by session_key) - Approval prompting (CLI interactive + gateway async) - Smart approval via auxiliary LLM (auto-approve low-risk commands) - Permanent allowlist persistence (config.yaml) N)Optionalapproval_session_key)defaultcZV^8dQhR\R\P\,/# session_keyreturn)str contextvarsToken)formats"+/home/ubuntu/hermes-agent/tools/approval.py __annotate__r s%8881B1B31G8c@\PT;'gR4#)zReturn the active session key, preferring context-local state.HERMES_SESSION_KEY)rgetosgetenv)rr s& rget_current_session_keyr#*s+'++-K 99)7 33rz$(?:~|\$home|\$\{home\})/\.ssh(?:/|$)z\(?:~\/\.hermes/|(?:\$home|\$\{home\})/\.hermes/|(?:\$hermes_home|\$\{hermes_home\})/)\.env\bz(?:/etc/|/dev/sd||)z\btee\b.*["\']?zoverwrite system file via teez >>?\s*["\']?z%overwrite system file via redirectionc0V^8dQhR\R\/#)rpatternr r)rs"rrrmsIIIIrcRRV9dVPR4^,#VR,#)zIReproduce the old regex-derived approval key for backwards compatibility.z\b:NN)split)r's&r_legacy_pattern_keyr+ms&&+w&67==  "HGCLHrcFV^8dQhR\R\\,/#)r pattern_keyr )r r)rs"rrrzs"@@s@s3x@rc.\PW04#)zReturn all approval keys that should match this pattern. New approvals use the human-readable description string, but older command_allowlist entries and session approvals may still contain the historical regex-derived key. )_PATTERN_KEY_ALIASESr r-s&r_approval_key_aliasesr1zs # #K ??rc0V^8dQhR\R\/#rcommandr r)rs"rrrsccrct^RIHpV!V4pVPRR4p\P!RV4pV#)aNormalize a command string before dangerous-pattern matching. Strips ANSI escape sequences (full ECMA-48 via tools.ansi_strip), null bytes, and normalizes Unicode fullwidth characters so that obfuscation techniques cannot bypass the pattern-based detection. ) strip_ansirNFKC)tools.ansi_stripr6replace unicodedata normalize)r4r6s& r _normalize_command_for_detectionr=s:,!Goofb)G##FG4G Nrc0V^8dQhR\R\/#r3)r tuple)rs"rrrs  c e rc\V4P4p\FMwr#\P!W!\P \P ,4'gKGTpRWC3u# R#)zCheck if a command matches any dangerous patterns. Returns: (is_dangerous, pattern_key, description) or (False, None, None) T)FNN)r=lowerDANGEROUS_PATTERNSresearch IGNORECASEDOTALL)r4 command_lowerr' descriptionr-s& rdetect_dangerous_commandrIsZ 5W=CCEM 2 99WR]]RYY-F G G%K+3 3!3 rc:a]tRt^toRtRtV3RlRltRtVtR#)_ApprovalEntryz@One pending dangerous-command approval inside a gateway session.c <V^8dQhRS[/#)rdatadict)r __classdict__s"rr_ApprovalEntry.__annotate__s**T*rcT\P!4VnWnRVnR#N) threadingEventeventrMresult)selfrMs&&r__init___ApprovalEntry.__init__s__&  %) r)rMrVrWN)rVrMrW) __name__ __module__ __qualname____firstlineno____doc__ __slots__rY__static_attributes____classdictcell__)rPs@rrKrKsJ+I**rrKc(V^8dQhR\RR/#rr r Nr)rs"rrrs . . .T .rcn\;_uu_4V\V&RRR4R# +'giR#;i)uMRegister a per-session callback for sending approval requests to the user. The callback signature is ``cb(approval_data: dict) -> None`` where *approval_data* contains ``command``, ``description``, and ``pattern_keys``. The callback bridges sync→async (runs in the agent thread, must schedule the actual send on the event loop). N)_lock_gateway_notify_cbs)r cbs&&rregister_gateway_notifyris  +-K(  # 4 c(V^8dQhR\RR/#rdr)rs"rrrs  3 4 rc\;_uu_4\PVR4\PV.4pVFpVPP 4K RRR4R# +'giR#;i)zUnregister the per-session gateway approval callback. Signals ALL blocked threads for this session so they don't hang forever (e.g. when the agent run finishes or is interrupted). N)rfrgpop_gateway_queuesrVrr entriesentrys& runregister_gateway_notifyrrsO  T2!%%k26E KKOO  s AA)) A: cHV^8dQhR\R\R\R\/#)rr choice resolve_allr )r boolint)rs"rrrs*#s*.;>rc\;_uu_4\PV4pV'g RRR4^#V'd\V4pVP 4MVP ^4.pV'g\P VR4RRR4XF#pWnVPP4K% \V4# +'giLD;i)a<Called by the gateway's /approve or /deny handler to unblock waiting agent thread(s). When *resolve_all* is True every pending approval in the session is resolved at once (``/approve all``). Otherwise only the oldest one is resolved (FIFO). Returns the number of approvals resolved (0 means nothing was pending). N) rfrnr listclearrmrWrVrlen)r rtruqueuetargetsrqs&&& rresolve_gateway_approvalr~s ##K0  5kG KKMyy|nG    T 2    w< sCC5C6C C c0V^8dQhR\R\/#rr rv)rs"rrrs66s6t6rc\;_uu_4\\PV44uuRRR4# +'giR#;i)zFCheck if a session has one or more blocking gateway approvals waiting.N)rfrvrnr rs&rhas_blocking_approvalrs& O'' 45 s 8 A c0V^8dQhR\R\/#r)r rw)rs"rrrs9999rc\;_uu_4\\PV.44uuRRR4# +'giR#;i)z>Return the number of pending blocking approvals for a session.N)rfr{rnr rs&rpending_approval_countrs( ?&&{B78 s 9 A c0V^8dQhR\R\/#)rr approvalr rO)rs"rrr s)))t)rcn\;_uu_4V\V&RRR4R# +'giR#;i)z/Store a pending approval request for a session.Nrf_pending)r rs&&rsubmit_pendingr s  ( rjcFV^8dQhR\R\\,/#r)r rrO)rs"rrrs//S/Xd^/rc\;_uu_4\PVR4uuRRR4# +'giR#;i)z5Retrieve and remove a pending approval for a session.N)rfrrmrs&r pop_pendingrs! ||K. s 0 A c0V^8dQhR\R\/#rr)rs"rrrs''S'T'rcn\;_uu_4V\9uuRRR4# +'giR#;i)z2Check if a session has a pending approval request.Nrrs&r has_pendingrs h& s # 4 c0V^8dQhR\R\/#)rr r-r)rs"rrrsJJJ3Jrc\;_uu_4\PV\44P V4RRR4R# +'giR#;i)z(Approve a pattern for this session only.N)rf_session_approved setdefaultradd)r r-s&&rapprove_sessionrs0 $$[#%8<<[I s .A A c<V^8dQhR\R\R\/#)rr r-r r)rs"rrr"s& D DS Ds Dt Drca\V4p\;_uu_4\;QJdRV4F 'gK RM RM !RV44'd RRR4R#\P V\ 44o\;QJdV3RlV4F 'gK RM RM!V3RlV44uuRRR4# +'giR#;i)zCheck if a pattern is approved (session-scoped or permanent). Accept both the current canonical key and the legacy regex-derived key so existing command_allowlist entries continue to work after key migrations. c32"TF q\9xK R#5irS)_permanent_approved).0aliass& r is_approved..*sA++sTFNc3,<"TF qS9xK R#5irS)rrsession_approvalss& rrr-sC7%--7s)r1rfanyrr r)r r-aliasesrs&& @r is_approvedr"s $K0G  3AA333AA A A .11+suEsC7CsssC7CC s"CCC!=C!C C c$V^8dQhR\/#)rr-r)rs"rrr0s--3-rc\;_uu_4\PV4RRR4R# +'giR#;i)z)Add a pattern to the permanent allowlist.N)rfrrr0s&rapprove_permanentr0s!  ,  / A c$V^8dQhR\/#rpatternsr)rs"rrr6s--S-rc\;_uu_4\PV4RRR4R# +'giR#;i)z2Bulk-load permanent allowlist entries from config.N)rfrupdate)rs&rload_permanentr6s! ""8, rc$V^8dQhR\/#)rr r)rs"rrr<s  s rcR\;_uu_4\PVR4\PVR4\PVR4\ PV.4pVFpVP P4K RRR4R# +'giR#;i)z7Clear all approvals and pending requests for a session.N)rfrrmrrgrnrVrros& r clear_sessionr<sk k40 [$' T2!%%k26E KKOO  s A&*8n"#F :5q99:s%) AAAc bV^8dQhR\R\R\R,R\R\/#)rr4rHtimeout_secondsNallow_permanentr )r rwrv)rs"rrrls?QQsQQ/2TzQ/3Q:=QrcVaaVf \4pVe V!WSR7#R\PR&\ 4\ RV 24\ RV 24\ 4S'd \ R4M \ R 4\ 4\ P P4R R /oVV3R lp\P!VRR 7pVP4VPVR7VP4'd]\ R4R\P9d\PR\ 4\ P P4R#SR ,pVR9d]\ R4R\P9d\PR\ 4\ P P4R#VR9d]\ R4R\P9d\PR\ 4\ P P4R#VR9dS'g]\ R4R\P9d\PR\ 4\ P P4R#\ R4R\P9d\PR\ 4\ P P4R#\ R4R\P9d\PR\ 4\ P P4R# \dR#i;i \\3d^\ R4R\P9d\PR\ 4\ P P4R#i;i R\P9d\PR\ 4\ P P4i;i)aPrompt the user to approve a dangerous command (CLI only). Args: allow_permanent: When False, hide the [a]lways option (used when tirith warnings are present, since broad permanent allowlisting is inappropriate for content-level security findings). approval_callback: Optional callback registered by the CLI for prompt_toolkit integration. Signature: (command, description, *, allow_permanent=True) -> str. Returns: 'once', 'session', 'always', or 'deny' )rdeny1HERMES_SPINNER_PAUSETu ⚠️ DANGEROUS COMMAND: z z2 [o]nce | [s]ession | [a]lways | [d]enyz% [o]nce | [s]ession | [d]enyrtrc<S'dRMRp\V4P4P4SR&R# \\3d RSR&R#i;i)z Choice [o/s/a/D]: z Choice [o/s/D]: rtrN)inputstriprAEOFErrorOSError)promptrrWs r get_input,prompt_dangerous_approval..get_inputsQ*;J7PhF',V}':':'<'B'B'DF8$ '**')F8$*s;.;AA)targetdaemontimeoutu$ ⏱ Timeout - denying commandonceu ✓ Allowed oncesessionu" ✓ Allowed for this sessionalwaysu& ✓ Added to permanent allowlistu ✗ Deniedu ✗ Cancelled)or)sr)ar)_get_approval_timeoutrr!environprintsysstdoutflushrTThreadstartjoinis_aliverKeyboardInterrupt) r4rHrrapproval_callbackrthreadrtrWs &&&f& @rprompt_dangerous_approvalrls /1$ $W5DF F *-BJJ%&6 G 1+? @ F7)$ % GJK=> G JJ   ^F *%%YtDF LLN KKK 0  =>. "RZZ / 12  1H%F&./$ "RZZ / 12  )++:;  "RZZ / 12  #?*&>?$ "RZZ / 12  >? "RZZ / 12  () "RZZ / 12  u  f ' ( %& !RZZ / 12   "RZZ / 12  sZ MCM'#M'M'2M' M' M'9 M' M$#M$'OOOOAP(c$V^8dQhR\/#rr)rs"rrrs  c rc\V\4'd VRJdR#R#\V\4'd+VP4P 4pT;'gR#R#)aNormalize approval mode values loaded from YAML/config. YAML 1.1 treats bare words like `off` as booleans, so a config entry like `approvals: mode: off` is parsed as False unless quoted. Treat that as the intended string mode instead of falling back to manual approvals. Foffmanual) isinstancervr rrA)mode normalizeds& r_normalize_approval_modersT$ u383$ZZ\'') %%X% rc$V^8dQhR\/#rrN)rs"rrrsdrc|^RIHpV!4pVPR/4;'g/# \d/u#i;i)zLRead the approvals config block. Returns a dict with 'mode', 'timeout', etc.r approvals)rrr r)rrs r_get_approval_configrs>1zz+r*00b0  s%++ ;;c$V^8dQhR\/#rr)rs"rrrs**C*rcL\4PRR4p\V4#)zHRead the approval mode from config. Returns 'manual', 'smart', or 'off'.rr)rr r)rs r_get_approval_moders"  ! % %fh 7D #D ))rc$V^8dQhR\/#r)rw)rs"rrrssrcz\\4PR^<44# \\3d^<#i;i)z>Read the approval timeout from config. Defaults to 60 seconds.r)rwrr ValueError TypeErrorrrrrrs:')--i<==  "s "%::c<V^8dQhR\R\R\/#)rr4rHr r)rs"rrrs!11C1c1c1rc ^RIHpHpV!RR7wrEV'd V'g\P R4R#RV RV R2pVP P P!RR VR R R R V/./V!^4BR^/BpVP^,PP;'gRP4P4pRV9dR#RV9dR#R# \d"p \P RT 4Rp ? R#Rp ? ii;i)aUse the auxiliary LLM to assess risk and decide approval. Returns 'approve' if the LLM determines the command is safe, 'deny' if genuinely dangerous, or 'escalate' if uncertain. Inspired by OpenAI Codex's Smart Approvals guardian subagent (openai/codex#13860). )get_text_auxiliary_clientauxiliary_max_tokens_paramr)taskz4Smart approvals: no aux client available, escalatingescalatezYou are a security reviewer for an AI coding agent. A terminal command was flagged by pattern matching as potentially dangerous. Command: z Flagged reason: ul Assess the ACTUAL risk of this command. Many flagged commands are false positives — for example, `python -c "print('hello')"` is flagged as "script execution via -c flag" but is completely harmless. Rules: - APPROVE if the command is clearly safe (benign script execution, safe file operations, development tools, package installs, git operations, etc.) - DENY if the command could genuinely damage the system (recursive delete of important paths, overwriting system files, fork bombs, wiping disks, dropping databases, etc.) - ESCALATE if you're uncertain Respond with exactly one word: APPROVE, DENY, or ESCALATEmodelmessagesroleusercontent temperaturerAPPROVEapproveDENYrz1Smart approvals: LLM call failed (%s), escalatingNr)agent.auxiliary_clientrrrdebugchat completionscreatechoicesmessager rupperr) r4rHrrclientrrresponseanswerrs && r_smart_approvers(`1zB U LLO P  : =;;**11  vy&9: ),   ""1%--55;;BBDJJL   v   H!Ls."CCA/C,&CC D *DD c<V^8dQhR\R\R\/#rr4env_typer r)rs"rrrs'H/H/SH/CH/7;H/rcVR9dRRRR/#\P!R4'dRRRR/#\V4wr4pV'gRRRR/#\4p\ Wd4'dRRRR/#\P!R4p\P!R4pV'gV'gRRRR/#V'g\P!R4'd(\ VR VR VR V/4RR R VR RR VR VRRV RV R2/#\ WVR7p V R8XdRR RRV R2R VR V/#V R8Xd \Wd4M,V R8Xd&\Wd4\V4\\4RRRR/#)aCheck if a command is dangerous and handle approval. This is the main entry point called by terminal_tool before executing any command. It orchestrates detection, session checks, and prompting. Args: command: The shell command to check. env_type: Terminal backend type ('local', 'ssh', 'docker', etc.). approval_callback: Optional CLI callback for interactive prompts. Returns: {"approved": True/False, "message": str or None, ...} approvedTrNHERMES_YOLO_MODEHERMES_INTERACTIVEHERMES_GATEWAY_SESSIONHERMES_EXEC_ASKr4r-rHFstatusapproval_requiredu.⚠️ This command is potentially dangerous (z3). Asking the user for approval. **Command:** ```  ```)rrzBBLOCKED: User denied this potentially dangerous command (matched 'zL' pattern). Do NOT retry this command - the user has explicitly rejected it.rrdocker singularitymodaldaytona) r!r"rIr#rrrrrrr) r4rr is_dangerousr-rHr is_cli is_gatewayrts &&& rcheck_dangerous_commandr/s@@D)T22 yy#$$D)T22-Eg-N*L{ D)T22)+K;,,D)T22 YY+ ,F34J *D)T22RYY011{ w ; ;%   ; ) w ; @ NGGNiuV  'w9JLF  [\g[hiuv ; ;    1 8  1+& !45 i ..rc0V^8dQhR\R\/#)r tirith_resultr )rOr )rs"rrrjs33d3s3rc VVPR4;'g.pV'g!VPR4;'gRpRV 2#.pVFpVPRR4pVPRR4pVPRR4pV'd4V'd,TPV'd R V R V R V 2MV R V 24KtV'gK~TPV'd R V R V 2MT4K V'g!VPR4;'gRpRV 2#R R PV4,#)zBuild a human-readable description from tirith findings. Includes severity, title, and description for each finding so users can make an informed approval decision. findingssummaryzsecurity issue detectedzSecurity scan: severityrtitlerH[z] z: uSecurity scan — ; )r appendr)r1r3r4partsfr5r6descs& r_format_tirith_descriptionr=js   ,22H ##I.KK2K  ** E 55R(gr"uu]B' T LLH1XJbr$8UGSUVZU[J\ ] U LLH1XJb0% H ##I.KK2K  ** $))E"2 22rc<V^8dQhR\R\R\/#rr)rs"rrrs,dAdAcdASdA8<dArc VR99dRRRR/#\4p\P!R4'gVR8XdRRRR/#\P!R4p\P!R4p\P!R 4pV'gV'gV'gRRRR/#R R R .R R/p^RIHpV!V4p\ V4wrp .p \4p VR ,R:9duVPR 4;'g.pV'dV^,PRR4MRpRV 2p\V4p\V V4'gV PVVR34V 'd%\W4'gV PWR34V 'gRRRR/#VR8XdRPRV 44p\VV4pVR8XdBV Fwpp\V V4K \P!RVR,V4RRRRRRRV/#VR8Xd%RPRV 44pRRRRV R2R R/#RPR!V 44pV ^,^,pV UUu.uF wppVNK ppp\";QJdR"V 4F 'gK RM RM !R"V 44pV'g V'EdRp\$;_uu_4\&PV 4pRRR4VEeR#VR$VR%VRV/p\)V4p\$;_uu_4\*P-V .4PV4RRR4V!V4\74PR(R)4p\9T4pTP>PATR*7p \$;_uu_4\*PT .4pTT9dTP3T4T'g\*P5T R4RRR4TPBp!T 'd T!eT!R8XdT 'gR+MR,p"RRRR-T" R.2R$TRT/#T FZwppp#T!R/8XgT!R08XdT#'d\T T4K+T!R08XgK4\T T4\ET4\G\H4K\ RRRRR1RRT/#\KV R#VR$VR%VRV/4RRR$VR2R3R#VRVRR4V R5V R62/#\MVVV'*VR77p!V!R8Xd RRRR8R$VRV/#V FZwppp#V!R/8XgV!R08XdV#'d\V V4K+V!R08XgK4\V V4\EV4\G\H4K\ RRRRR1RRV/# \ dELi;iuuppi +'giEL;i +'giELF;i \.dp\P1R&T4\$;_uu_4\*PT .4pTT9dTP3T4T'g\*P5T R4RRR4M +'giM;iRRRR'R$TRT/uRp?#Rp?ii;i \:\<3dR)pELi;i +'giELu;i);a/Run all pre-exec security checks and return a single approval decision. Gathers findings from tirith and dangerous-command detection, then presents them as a single combined approval request. This prevents a gateway force=True replay from bypassing one check when only the other was shown to the user. rTrNr rr!r"r#actionallowr3r4r)check_command_securityrule_idunknownztirith:Fsmartr8c3*"TF wrqxK R#5irSrr_r<s& rr+check_all_command_guards..s)J:1A$r z'Smart approval: auto-approved '%s' (%s):N<Nsmart_approvedrHrc3*"TF wrqxK R#5irSrrGs& rrrIs-NXzqdXrJzBLOCKED by smart approval: z@. The command was assessed as genuinely dangerous. Do NOT retry. smart_deniedc3*"TF wrqxK R#5irSrrGs& rrrIs>XzqdXrJc3,"TF wrVxK R#5irSr)rrHis_ts& rrrIs5HjaTHsr4r- pattern_keysz"Gateway approval notify failed: %sz?BLOCKED: Failed to send approval request to user. Do NOT retry.gateway_timeouti,rz timed outzdenied by userzBLOCKED: Command z. Do NOT retry this command.rr user_approvedr$r%u⚠️ z2. Asking the user for approval. **Command:** ``` r&)rrz#BLOCKED: User denied. Do NOT retry.r')blockwarn)'rr!r"tools.tirith_securityrB ImportErrorrIr#r r=rr9rrrrrrrfrgrKrnrrrremovermrrwrrrVwaitrWrrrrr)$r4rr approval_moder-r.is_askr1rBr,r-rHwarningsr r3rC tirith_key tirith_desccombined_desc_for_llmverdictkeyrH combined_desc primary_keyall_keys has_tirith notify_cb approval_datarqexcr|rresolvedrtreason is_tiriths$&&& rcheck_all_command_guardsrmsm@@D)T22'(M yy#$$ (>D)T22 YY+ ,F34J YY( )F *VD)T22 w B 2FM @.w7 .Fg-N*L{ H)+K X"33 $$Z066B;C(1+//)Y7wi( 0? ; 33 OOZd; <;44 OO[u= > D)T22  $ )J)J J *?@ i % Q S1& LLB '< >i$d!#8: : $(II-NX-N$N !E89N8OP\\  II>X>>M1+a.K%-.X QXH.5H55H55J VV U+// LL'#'' T: \\Fv~61A,4:J!26(:VW!;!= &.!Q Y&6X+=)#K5x'#K5%c*,-@A &.i#T=-I I { w ; H = %    ; ) w = -(^_f^gglm  'w ;E~9JLF  < ; =   &Q Y 6X#5) K - x  K - c " $%8 9& i T=- AAA    @/UU  CSIU+// R@E~ U+ '++K> UUU`!;!=  & *   s*T=UU&U)5U= X, 6YY= U  U  U& ) U: = X)$X$,6X#X9 X$ X X$X)$X),YY Y cV^8dQh/^\9d\P\,;R&^\9d&\\\ \,3,;R&^\9d\\\3,;R&^\9d\\\ 3,;R&^\9d \ ;R&^\9d\\\ 3,;R&^\9d\\\3,;R&#)rrr/rrrrnrg)__conditional_annotations__r ContextVarr rOrryobject)rs"rrrs2{--c23b/.d3C=).cX$sDy/YZ'&4S>&[\! S ]F&%c4i%GH,+T#v+&+Ir)z\brm\s+(-[^\s]*\s+)*/zdelete in root path)z\brm\s+-[^\s]*rzrecursive delete)z\brm\s+--recursive\bzrecursive delete (long flag))z8\bchmod\s+(-[^\s]*\s+)*(777|666|o\+[rwx]*w|a\+[rwx]*w)\bz world/other-writable permissions)z8\bchmod\s+--recursive\b.*(777|666|o\+[rwx]*w|a\+[rwx]*w)z*recursive world/other-writable (long flag))z\bchown\s+(-[^\s]*)?R\s+rootzrecursive chown to root)z\bchown\s+--recursive\b.*rootz#recursive chown to root (long flag))z\bmkfs\bzformat filesystem)z \bdd\s+.*if=z disk copy)z >\s*/dev/sdzwrite to block device)z\bDROP\s+(TABLE|DATABASE)\bzSQL DROP)z \bDELETE\s+FROM\b(?!.*\bWHERE\b)zSQL DELETE without WHERE)z\bTRUNCATE\s+(TABLE)?\s*\wz SQL TRUNCATE)z >\s*/etc/zoverwrite system config)z#\bsystemctl\s+(stop|disable|mask)\bzstop/disable system service)z\bkill\s+-9\s+-1\bzkill all processes)z\bpkill\s+-9\bzforce kill processes)z(:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:z fork bomb)z%\b(bash|sh|zsh|ksh)\s+-[^\s]*c(\s+|$)zshell command via -c/-lc flag)z)\b(python[23]?|perl|ruby|node)\s+-[ec]\s+zscript execution via -e/-c flag)z\b(curl|wget)\b.*\|\s*(ba)?sh\bzpipe remote content to shell)z1\b(bash|sh|zsh|ksh)\s+<\s*r~sl    8 $ 6A5K5K 6 8 ' 4>A&5&,&>&f & p & A &N&'&#&.&1&F&4&.&L& 2!&"0#&$?%&(P)&*V+&,I-&.m/&0 /013RS1&2 ,-.0WX3&4-5&697&8-9&<O=&>u?&BmC&FCG&HEI&JUK&RI -/.0Hl%h/K!N##NCE:AA>S^B_`##K7>> ^?\] 1@$ $ $&&5 **$&%)++ . :6 9 ) / ' J D- -  ":Qh * 1hH/^36dAdAr