Found in the v0.8.0 release review (deferred from the reviewer-agent P0). tool/bash.ts matches the permission pattern against the whole redirected_statement text (node.parent.text), so a write-redirect rides inside an allowed pattern (an agent allowed 'git log *' can run 'git log -p > target'). Fixed for the reviewer agent by denying bash, but any deny-by-default bash-allowlist agent is affected. Durable fix: emit the redirect target as its own permission check (or deny > and >> for deny-by-default agents). Needs design + tests; too large for the v0.8.0 patch.
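
The matching problem described above, as an added TypeScript sketch (not code from tool/bash.ts): checking the whole statement lets the redirect ride along, while checking each redirect target separately denies it. All function names, the regex-based splitter and the wildcard semantics of `*` are assumptions made for illustration; a real fix would walk the parser's redirect nodes.

```typescript
// Hypothetical helper: turn an allowlist pattern such as "git log *" into an
// anchored regex. Assumes "*" means "any run of characters".
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

function allowed(patterns: string[], text: string): boolean {
  return patterns.some((p) => globToRegExp(p).test(text));
}

// Behaviour described in the issue: the full redirected statement text is
// matched, so "> target" is swallowed by the trailing wildcard.
function checkWhole(allow: string[], statement: string): boolean {
  return allowed(allow, statement);
}

// Simplified splitter (assumption: one simple command, no quoting). It peels
// off every ">", ">>", "N>" or "&>" redirect and records its target.
function splitRedirects(statement: string): { command: string; writes: string[] } {
  const writes: string[] = [];
  const command = statement
    .replace(/\s*(?:\d*|&)>{1,2}\s*(\S+)/g, (_m: string, target: string) => {
      writes.push(target);
      return "";
    })
    .trim();
  return { command, writes };
}

// Durable-fix shape from the issue: the command and each redirect target are
// separate permission checks. An empty writeAllow denies every write.
function checkSplit(allow: string[], writeAllow: string[], statement: string): boolean {
  const { command, writes } = splitRedirects(statement);
  return allowed(allow, command) && writes.every((t) => allowed(writeAllow, t));
}

// Constructed sample, using the pattern and command quoted in the issue.
console.log(checkWhole(["git log *"], "git log -p > target"));     // whole-text match
console.log(checkSplit(["git log *"], [], "git log -p > target")); // split checks
```
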