fix(compound): readonly segments count as covered in compound allow matching

`go test ./... | tail -50` with user rule `^go` used to fall through to
overlay because `tail -50` had no allow rule. But tail IS readonly.

Fix: before calling match_all_segments on compound Bash commands,
pre-filter out segments that are readonly-auto-allowed (match readonly
regex + paths inside cwd/allowed_dirs). The filter is gated on
has_redirect=false so `cat file > /tmp/out && ls` still falls through
when has_redirect would have blocked the readonly step.

Also adds regression tests:
- readonly segment covers for compound allow
- filter respects has_redirect guard
- 2>&1 fd duplication does not trigger has_redirect

Author: nnemirovsky

hooks/handlers/pre-tool-use.sh

@@ -538,10 +538,42 @@ ORDERED_COUNT="$(jq -r 'if type == "array" then length else 0 end' <<<"$ORDERED"
 MATCHED=""   # "allow" | "ask" | ""
 if [ "$ORDERED_COUNT" -gt 0 ]; then
   if [ "$TOOL_NAME" = "Bash" ] && [ "$BASH_SEGMENT_COUNT" -gt 1 ]; then
-    # Compound Bash command: use per-segment matching algorithm.
+    # Compound Bash command: pre-filter readonly-auto-allowed segments
+    # before per-segment matching. A segment is "covered" if it is either
+    # readonly-auto-allowed OR matches an allow/ask rule. Filtering readonly
+    # segments out lets match_all_segments make its all-or-nothing decision
+    # on the remaining non-readonly segments.
+    #
+    # Example: `go test ./... | tail -50` with user rule `^go` and `tail`
+    # in readonly list -> without filter, tail has no rule and command
+    # falls through to overlay. With filter, tail is dropped, go matches
+    # its rule, command is allowed.
+    #
+    # Guard: only filter when the ORIGINAL command has no output redirects.
+    # If `cat file > /tmp/x` were filtered as readonly, we would mask the
+    # write. has_redirect blocks this case by keeping the full segment list.
+    _FILTERED_SEGMENTS=()
+    if ! has_redirect "$BASH_CMD"; then
+      for _seg in "${BASH_SEGMENTS[@]}"; do
+        if is_readonly_command "$_seg" \
+           && readonly_paths_allowed "$_seg" "$CC_CWD" "$ALLOWED_DIRS_JSON"; then
+          continue
+        fi
+        _FILTERED_SEGMENTS+=("$_seg")
+      done
+    else
+      _FILTERED_SEGMENTS=("${BASH_SEGMENTS[@]}")
+    fi
+
+    # If filtering left 0 segments, all were readonly and step 5b should
+    # have handled it. Defensive fallback: use the original segments.
+    if [ "${#_FILTERED_SEGMENTS[@]}" -eq 0 ]; then
+      _FILTERED_SEGMENTS=("${BASH_SEGMENTS[@]}")
+    fi
+
     _MAS_RESULT=""
     _mas_rc=0
-    _MAS_RESULT="$(match_all_segments "$ORDERED" "$TOOL_NAME" "${BASH_SEGMENTS[@]}" 2>/dev/null)" || _mas_rc=$?
+    _MAS_RESULT="$(match_all_segments "$ORDERED" "$TOOL_NAME" "${_FILTERED_SEGMENTS[@]}" 2>/dev/null)" || _mas_rc=$?
     if [ "$_mas_rc" -eq 2 ]; then
       printf '[passthru] compound allow/ask rule regex error; passing through\n' >&2
       emit_passthrough

tests/hook_handler.bats

@@ -1671,6 +1671,71 @@ EOF
   [ "$decision" = "ask" ]
 }
 
+@test "compound: readonly segment covers for compound allow (go test | tail)" {
+  # Regression: `go test ./... | tail -50` with user rule `^go` should
+  # allow the whole compound. tail is readonly; with the pre-filter it
+  # is dropped from match_all_segments and go matches its rule.
+  cat > "$USER_ROOT/.claude/passthru.json" <<'EOF'
+{
+  "version": 2,
+  "allow": [
+    { "tool": "Bash", "match": { "command": "^go(\\s|$)" }, "reason": "allow go" }
+  ],
+  "deny": []
+}
+EOF
+  run_handler '{"tool_name":"Bash","tool_input":{"command":"go test ./... -timeout 60s | tail -50"}}'
+  [ "$status" -eq 0 ]
+  decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$output")"
+  [ "$decision" = "allow" ]
+  reason="$(jq -r '.hookSpecificOutput.permissionDecisionReason' <<<"$output")"
+  [[ "$reason" == *"allow go"* ]]
+}
+
+@test "compound: readonly segment filter respects has_redirect guard" {
+  # `cat file > /tmp/out && ls` has an output redirect. The filter must
+  # NOT drop segments when has_redirect=true, otherwise we would mask
+  # the write. Without user rules, this should fall through to ask.
+  cat > "$USER_ROOT/.claude/passthru.json" <<'EOF'
+{
+  "version": 2,
+  "allow": [
+    { "tool": "Bash", "match": { "command": "^cat(\\s|$)" }, "reason": "allow cat" }
+  ],
+  "deny": []
+}
+EOF
+  run_handler '{"tool_name":"Bash","tool_input":{"command":"cat file > /tmp/out && ls"}}'
+  [ "$status" -eq 0 ]
+  json_line="$(printf '%s\n' "$output" | grep -o '{"hookSpecificOutput".*}' | head -n1)"
+  [ -n "$json_line" ]
+  decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$json_line")"
+  # ls is readonly. Without the guard, filter would drop ls leaving cat,
+  # and cat matches the rule -> allow. With the guard (has_redirect=true),
+  # both segments stay. cat matches, but ls has no allow rule -> fall
+  # through to ask. This prevents masking the write via the redirect.
+  [ "$decision" = "ask" ]
+}
+
+@test "compound: fd duplication (2>&1) does not trigger has_redirect" {
+  # `go test 2>&1 | head` has no file redirect, only fd duplication.
+  # has_redirect returns false, readonly filter applies. head is readonly,
+  # filter drops it, go matches user rule -> allow.
+  cat > "$USER_ROOT/.claude/passthru.json" <<'EOF'
+{
+  "version": 2,
+  "allow": [
+    { "tool": "Bash", "match": { "command": "^go(\\s|$)" }, "reason": "allow go" }
+  ],
+  "deny": []
+}
+EOF
+  run_handler '{"tool_name":"Bash","tool_input":{"command":"go test ./... 2>&1 | head"}}'
+  [ "$status" -eq 0 ]
+  decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$output")"
+  [ "$decision" = "allow" ]
+}
+
 @test "compound: allow rules covering ALL segments allows compound command" {
   # Two different rules covering two different segments: both must match
   # for the compound command to be allowed. Use non-readonly commands (make,