feat(security): bash command security + auto-allow hardening

Compound command splitting: add split_bash_command() in Perl that
tokenizes Bash commands respecting quotes, subshells, and backticks,
then splits by unquoted |, &&, ||, ;, & operators. Redirections are
stripped from each segment. For deny rules, ANY segment match denies the
whole command. For allow rules, ALL segments must be covered.

Read-only auto-allow: mirror CC's readonly command list and safety regex
pattern. Simple commands (cat, head, tail, wc, stat, etc.) and custom
regex commands (echo, ls, find, cd, jq, etc.) are auto-allowed when all
path arguments resolve inside cwd or allowed directories.

Internal tool auto-allow: Agent, Skill, and Glob now get explicit allow
decisions (permissionDecision: allow) instead of passthrough, preventing
CC's native confirmation dialogs.

Overlay proposal anchoring: Bash proposals changed from ^<cmd>\s to
^<cmd>(\s[safe-chars]*)?$ using CC's safe character class to block
compound operator injection in proposed rules.

Additional allowed directories: new optional allowed_dirs field in
passthru.json v2. Bootstrap imports additionalAllowedWorkingDirs from
CC settings. Path validation for Read/Edit/Write/Grep auto-allow and
readonly Bash commands checks cwd plus all allowed dirs.

Author: nnemirovsky

docs/rule-format.md

@@ -53,6 +53,24 @@ Use `ask[]` when you want explicit prompts for a tool call rather than either si
 
 All of `allow`, `deny`, and `ask` default to empty arrays when missing.
 
+### `allowed_dirs` (array, optional)
+
+Array of absolute directory paths that extend the set of trusted locations for path-based auto-allow checks. When present, Read/Edit/Write/Grep/Glob/LS tools operating on files inside any `allowed_dirs` entry are treated the same as files inside the working directory for mode-based auto-allow. Read-only Bash commands (`cat`, `head`, `ls`, etc.) also check `allowed_dirs` when validating absolute path arguments.
+
+```json
+{
+  "version": 2,
+  "allowed_dirs": ["/opt/shared-data", "/home/user/reference"],
+  "allow": [],
+  "deny": [],
+  "ask": []
+}
+```
+
+Both authored and imported rule files may declare `allowed_dirs`. During loading, arrays from all four rule files are concatenated and deduplicated. Bootstrap imports Claude Code's `additionalAllowedWorkingDirs` from `settings.json` and writes them to `allowed_dirs` in `passthru.imported.json`.
+
+Each entry must be a non-empty string. Paths containing `/../` (path traversal) are rejected by the verifier. Files without `allowed_dirs` are backward compatible (treated as an empty array).
+
 ## Rule object fields
 
 Each entry in `allow[]`, `deny[]`, or `ask[]` is an object with these fields. At least one of `tool` or `match` is required.