Harden runtime system path policy #104

Merged: Mr-Lucky merged 1 commit into main from feedback3-runtime-policy-hardening on Jun 10, 2026

@Mr-Lucky

Contributor

Summary

Harden runtime system path policy handling by adding shared system path utilities, tightening exec/runtime evaluation for protected path writes, and extending action/runtime cloud test coverage.

Type

  • Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • npm run build passes
  • npm test passes (377 tests)
  • Manually tested the change

Related Issues

Closes #

@github-actions

AgentGuard PR Review

  1. high — src/utils/system-paths.ts / src/runtime/evaluator.ts / src/action/detectors/exec.ts
    The new system-path classifier only handles a small set of exact/prefix cases and can be bypassed with common path tricks or alternative path forms. For example, shell commands like rm -rf /etc/.., /etc//passwd, symlinked paths, ./../etc/passwd, or file-tool inputs using relative paths from a sensitive working directory may not classify as protected. This can let destructive or sensitive operations through without block/approval.
    Fix: resolve and normalize paths against the relevant working directory/root before classification, and reject/approve on canonicalized paths rather than raw strings. Add tests for .., duplicate slashes, relative paths, and symlink-like traversal cases.

  2. medium — src/action/detectors/exec.ts (redirectionFindings, shellCommandSegments, shellTokens)
    The shell parsing logic is incomplete and can miss protected-path writes or hidden network commands in realistic shell syntax. It does not fully handle command substitution nesting, here-docs, process substitution, subshells, or redirections with spaces/quoting variations, so dangerous writes such as printf x > "$TARGET" or cmd > /etc/passwd 2>&1-style forms may not be detected consistently.
    Fix: either use a shell parser or add explicit handling for more shell constructs and redirection forms, with regression tests for quoted variables, command substitution, heredocs, and mixed redirections.

  3. medium — src/utils/system-paths.ts (normalizeSystemPath)
    normalizeSystemPath strips trailing ),.; and wildcard suffixes from any path string. That can misclassify valid paths (or hide dangerous ones) and cause false negatives/positives, especially for filenames that legitimately end with those characters or for globbed paths where the base directory should still be protected.
    Fix: remove ad hoc suffix stripping and instead parse path segments more conservatively; if glob support is needed, classify the parent directory while preserving the original path semantics.

  4. low — src/runtime/evaluator.ts (matchesPattern / isRootRmRfCommand)
    The special-case root rm -rf / detection appears to depend on exact normalization of the whole command and does not account for shell wrappers like sudo sh -c 'rm -rf /', environment prefixes, or alias/function indirection. That can allow a root-delete policy pattern to be bypassed if any enforcement relies on this matcher.
    Fix: evaluate the underlying command after stripping common wrappers (sudo, sh -c, bash -c, env assignments) or apply the root-delete check during command analysis on the effective command segment.
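
The canonicalize-then-classify fix recommended in finding 1, as an added TypeScript example that is not part of the review or the project's code. `PROTECTED_ROOTS`, `naiveIsProtected`, `canonicalize` and `classify` are hypothetical names, and the raw-string matcher is an assumed stand-in for a prefix-only check, not the contents of src/utils/system-paths.ts.

```typescript
// Added example: canonicalize first, classify second.
// PROTECTED_ROOTS is an assumed list, not the project's real policy.
const PROTECTED_ROOTS: string[] = ["/etc", "/usr", "/boot"];

// Hypothetical raw-string matcher: the kind of check finding 1 warns about.
function naiveIsProtected(raw: string): boolean {
  return PROTECTED_ROOTS.some((root) => raw === root || raw.startsWith(root + "/"));
}

// Lexically resolve `raw` against `cwd`: collapses "//", "." and "..".
// Symlinks are not followed here; a fuller check would also run
// fs.realpathSync on the deepest existing ancestor before classifying.
function canonicalize(raw: string, cwd: string): string {
  const joined = raw.startsWith("/") ? raw : cwd + "/" + raw;
  const out: string[] = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // ".." at the root stays at the root
    else out.push(seg);
  }
  return "/" + out.join("/");
}

type Verdict = "root" | "protected" | "ok";

// Classify the canonical path, matching on whole segments so that
// "/etcetera" is not mistaken for "/etc".
function classify(raw: string, cwd: string): Verdict {
  const p = canonicalize(raw, cwd);
  if (p === "/") return "root";
  const hit = PROTECTED_ROOTS.some((root) => p === root || p.startsWith(root + "/"));
  return hit ? "protected" : "ok";
}

// Constructed inputs using the path forms named in the review.
const samples: Array<[string, string]> = [
  ["/etc/..", "/home/user"],      // resolves to "/", not to something under /etc
  ["/etc//passwd", "/home/user"],
  ["./../etc/passwd", "/home"],
  ["passwd", "/etc"],             // relative path from a sensitive cwd
  ["notes.txt", "/home/user"],
];
for (const [raw, cwd] of samples) {
  console.log(`${raw} (cwd ${cwd}): naive=${naiveIsProtected(raw)} canonical=${classify(raw, cwd)}`);
}
```
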

@Mr-Lucky Mr-Lucky merged commit a5f4dc3 into main Jun 10, 2026
4 checks passed