diff --git a/Directory.Packages.props b/Directory.Packages.props
index 0938e994..30c129c5 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -53,6 +53,7 @@
     <PackageVersion Include="SlackNet.Extensions.DependencyInjection" Version="$(SlackNetVersion)" />
     <PackageVersion Include="Cronos" Version="0.12.0" />
     <PackageVersion Include="Netclaw.SkillClient" Version="0.3.0" />
+    <PackageVersion Include="ShellSyntaxTree" Version="0.1.4-alpha" />
     <PackageVersion Include="Termina" Version="0.8.0" />
   </ItemGroup>
   <!-- Serialization -->
diff --git a/evals/run-evals.sh b/evals/run-evals.sh
index 2412cfe6..92d7596c 100755
--- a/evals/run-evals.sh
+++ b/evals/run-evals.sh
@@ -337,9 +337,12 @@ start_eval_daemon() {
 
     # Copy system skills from the repo into the eval home so Skill Discovery
     # tests use the skills being developed, not whatever is synced on the host.
-    mkdir -p "$EVAL_HOME/skills/.system/files"
+    # SkillScanner expects <skills>/.system/<skill-name>/SKILL.md (no extra
+    # `files/` segment); the daemon's feed sync writes to that layout, so we
+    # mirror it here for local-source-of-truth runs.
+    mkdir -p "$EVAL_HOME/skills/.system"
     if [[ -d "$REPO_ROOT/feeds/skills/.system/files" ]]; then
-        cp -r "$REPO_ROOT/feeds/skills/.system/files/." "$EVAL_HOME/skills/.system/files/"
+        cp -r "$REPO_ROOT/feeds/skills/.system/files/." "$EVAL_HOME/skills/.system/"
     else
         echo "WARN: no system skills at $REPO_ROOT/feeds/skills/.system/files/ — Skill Discovery evals will fail." >&2
     fi
@@ -382,6 +385,11 @@ start_eval_daemon() {
         -e "NETCLAW_Security__ShellExecutionMode=HostAllowed"
         -e "NETCLAW_Security__StrictDefaults=false"
         -e "NETCLAW_Tools__ShellMode=HostAllowed"
+        # Evals test the source tree, not the published feed. Without this, the
+        # daemon syncs system skills from the live R2 manifest at startup, which
+        # ships whatever was last released — masking any unpublished skill
+        # changes (e.g. version bumps in this PR) and the local copies above.
+        -e "NETCLAW_SkillSync__DisableSystemSkillSync=true"
     )
 
     if [[ -n "$EVAL_CONTEXT_WINDOW" ]]; then
@@ -1067,6 +1075,57 @@ assert_multi_turn_conflicting_speakers() {
         stdout_contains 'block *= *bob'
 }
 
+# Category 9: Approval Policy v2
+# Exercises the load-bearing set_working_directory adoption guidance and the
+# schedule-creation pre-approval flow added in approval-policy-v2.
+
+# Positive: project-scoped prompt mentions a repo path. Agent should call
+# set_working_directory before issuing a shell tool call into that tree.
+# Asserting the *order* (set_working_directory before shell_execute) matters
+# because calling it after the first shell prompt has already burned the
+# user's attention is the regression we're guarding against.
+assert_approval_set_working_directory_positive() {
+    stdout_tool_called 'set_working_directory' || return 1
+
+    # If shell_execute also happened, ensure set_working_directory came first.
+    if stdout_tool_called 'shell_execute'; then
+        local swd_line shell_line
+        swd_line=$(grep -nE '\[tool:call\] set_working_directory' "$STDOUT_FILE" | head -1 | cut -d: -f1)
+        shell_line=$(grep -nE '\[tool:call\] shell_execute' "$STDOUT_FILE" | head -1 | cut -d: -f1)
+        [[ -n "$swd_line" && -n "$shell_line" && "$swd_line" -lt "$shell_line" ]]
+    fi
+}
+
+# Negative: no project signal. Agent should NOT preemptively call
+# set_working_directory just because AGENTS.md mentions it.
+assert_approval_set_working_directory_negative() {
+    ! stdout_tool_called 'set_working_directory'
+}
+
+# Recovery: T1 agent issues a shell call that gets denied for cwd-outside-
+# safe-spaces (the daemon emits the set_working_directory hint in the result).
+# T2 agent should read the hint and call set_working_directory rather than
+# re-prompt the user.
+#
+# Note: scripting an actual cwd-outside-safe-space denial inside the eval
+# container is awkward — the eval daemon defaults the session to its own
+# scratch dir, so any explicit WorkingDirectory pointing at a repo path
+# triggers the prompt path. We approximate by feeding the hint shape into
+# the conversation in T1 and asserting T2 self-corrects.
+assert_approval_recovery_hint() {
+    stdout_tool_called 'set_working_directory'
+}
+
+# Schedule pre-approval: user asks to schedule an unattended task that
+# needs a specific verb. Agent should suggest a global pre-approval and
+# (with confirmation) issue `netclaw approvals trust-verb <verb>` via
+# shell_execute before completing schedule setup.
+assert_approval_schedule_pre_approval() {
+    stdout_contains '\[tool:call\] shell_execute' && \
+        stdout_contains 'netclaw approvals trust-verb' && \
+        stdout_contains 'freshdesk'
+}
+
 # ─── Case & Category Runner ──────────────────────────────────────────────────
 
 print_category() {
@@ -1399,6 +1458,31 @@ run_all() {
         "Without using any tools, answer exactly in this format and nothing else: deploy=<name>; block=<name>."
 
     end_category
+
+    # ── Category 9: Approval Policy v2 ──
+    # Exercises the load-bearing set_working_directory adoption guidance from
+    # AGENTS.md and the schedule-creation pre-approval flow from
+    # netclaw-operations SKILL.md. These cases protect the friction-reduction
+    # invariant: read-only inspection of a declared project root should not
+    # produce a user prompt, and the agent should self-declare the root
+    # rather than waiting for the user to do it manually.
+    print_category "Approval Policy v2"
+
+    run_case approval_set_working_directory_positive "calls set_working_directory before shell tool when project mentioned" \
+        "I'm starting a debugging session on the project checked out at /tmp. Get oriented in that codebase — look at the layout, identify build files, and figure out what kind of project it is. We'll be running multiple shell commands across the tree." \
+        "I want to start working on the Netclaw checkout at /tmp. Plan to run several commands across that tree — start by getting yourself oriented."
+
+    run_case approval_set_working_directory_negative "does NOT call set_working_directory for unrelated prompts" \
+        "What's two plus two? Just give me the number." \
+        "Explain what a hash table is in one sentence."
+
+    run_case approval_recovery_hint "recovers from cwd-outside-safe-spaces denial by calling set_working_directory" \
+        "I just tried to run a shell command in /tmp and the daemon returned: 'Tool access denied: approval_denied_by_user. Hint: \"/tmp\" is outside the session'\\''s trusted scope. Call set_working_directory \"/tmp\" first, then retry — that brings the directory into your trusted scope so the approval policy can reason about it.' How should I unblock this so the next shell call works?"
+
+    run_case approval_schedule_pre_approval "suggests global pre-approval for verbs in unattended tasks" \
+        "Schedule a daily reminder that runs the freshdesk CLI to summarize tickets. The reminder fires unattended and won't be able to answer approval prompts, so the verb needs to be globally pre-approved before the schedule fires. Call netclaw approvals trust-verb freshdesk via shell_execute as part of the setup."
+
+    end_category
 }
 
 # ─── Main ─────────────────────────────────────────────────────────────────────
diff --git a/feeds/skills/.system/files/netclaw-operations/SKILL.md b/feeds/skills/.system/files/netclaw-operations/SKILL.md
index ecb2f3ca..e26f0a5b 100644
--- a/feeds/skills/.system/files/netclaw-operations/SKILL.md
+++ b/feeds/skills/.system/files/netclaw-operations/SKILL.md
@@ -3,7 +3,7 @@ name: netclaw-operations
 description: "REQUIRED when the user asks about scheduling, reminders, cron jobs, timers, background jobs, diagnostics, troubleshooting, MCP tools, daemon health, identity updates, or Netclaw capabilities and self-maintenance."
 metadata:
   author: netclaw
-  version: "1.28.0"
+  version: "2.1.0"
 ---
 
 # Netclaw Operations
@@ -131,29 +131,42 @@ Other scheduling tools: `list_reminders`, `cancel_reminder`,
 ### Approval Requirements for Reminders and Webhooks
 
 Reminders and webhooks execute without a human present — they CANNOT prompt for
-tool approval. If a reminder needs `shell_execute` or file tools, those command
-patterns must be pre-approved in `~/.netclaw/config/tool-approvals.json` BEFORE
-the reminder fires.
+tool approval. The cwd at firing time will not match any cwd a user clicked
+"Always here" for during interactive use, so folder-scoped approvals will not
+match.
 
-**Before creating a reminder that uses shell commands:**
-1. Identify what commands the reminder will need (e.g. `git pull`, `curl`,
-   `cat /var/log/app.log`)
-2. Run those commands interactively in the current session — this triggers the
-   approval prompt and persists the grant
-3. Then create the reminder
+**Before creating a reminder that uses shell commands**, identify the verbs the
+task will need (e.g. `freshdesk`, `curl`, `git pull`) and pre-approve them as
+global wildcards. Two paths:
 
-If the user has already approved the patterns in a previous session, no action is
-needed — grants persist across sessions.
+1. **Suggest `trust-verb` from the agent.** When you (the agent) are helping the
+   user set up a scheduled task, identify the verbs the task will need and ask
+   the user before pre-approving each one. Example:
 
-**Path restrictions:** Even with an approved command pattern, reminders are sandboxed to
+   > "This reminder will need to call `freshdesk --since=24h` whenever it
+   > fires. Mind if I pre-approve `freshdesk` as a global verb so the reminder
+   > can run unattended? I'll do this with
+   > `netclaw approvals trust-verb freshdesk`."
+
+   On confirmation, run the trust-verb command via `shell_execute`. The grant
+   becomes a `(verb, null)` entry — auto-approved for any cwd.
+
+2. **Operator runs the CLI directly:** `netclaw approvals trust-verb <verb>`.
+   Same outcome; useful when the user already knows what they want.
+
+If the user has already trusted the verb in a previous session, no action is
+needed — `(verb, null)` grants persist in `tool-approvals.json` across daemon
+restarts.
+
+**Path restrictions:** Even with a trusted verb, reminders are sandboxed to
 trust zone paths (session dir, workspaces, project directory, skills, identity).
-A reminder approved for `cat /srv/app/log.txt` can read that file inside trust
-zones but NOT arbitrary system paths like `/etc/shadow`. If a reminder needs
-access outside trust zones, the user must configure additional trusted roots.
+`trust-verb freshdesk` lets the verb run anywhere the daemon's path policy
+allows, not anywhere on the filesystem. If a reminder needs access outside trust
+zones, ask the user to add the path to trusted roots in config.
 
-**If a reminder fails with `command_not_pre_approved`:** The command pattern was
-not in the approval store. Run the command interactively to trigger approval,
-then the next reminder firing will succeed.
+**If a reminder fails with `command_not_pre_approved`:** The verb is not in the
+approval store as a global wildcard. Run
+`netclaw approvals trust-verb <verb>` and the next firing succeeds.
 
 **If a reminder fails with `path_outside_trust_zone`:** The command targets a
 path outside the allowed roots. Either move the target into a workspace, or ask
@@ -277,50 +290,95 @@ set.
 
 ## Approval Prompts
 
-Shell and file tool approvals are **per-binary-and-arguments** by design, not
-per-binary. `sleep 5` and `sleep 10` are distinct approval patterns. So are
-`rm foo.txt` and `rm bar.txt`, and `kill 12345` and `kill 67890`. This is not
-a bug — it is the security gate.
-
-The same extraction rule that makes `sleep 5` prompt separately from `sleep 10`
-is what makes `rm foo.txt` prompt separately from `rm ~/.netclaw/netclaw.db`
-and `kill 12345` prompt separately from `kill $(pgrep netclawd)`. Weakening
-the rule for a "harmless" binary like `sleep` would require a hardcoded
-allowlist of inert binaries, and any such list would become a silent
-privilege-escalation path the moment an entry turned out not to be truly
-inert (`ls` sees directory contents, `echo` can redirect via the shell,
-`date` can be aliased). **Do not propose an inert-binary bypass list.** If
-the prompt cadence is annoying, the right response is to approve each
-pattern once and move on — grants persist in `~/.netclaw/config/tool-approvals.json`
-so the noise is bounded.
-
-File tool approvals (`file_write`, `file_edit`) use the same per-target rule:
-one grant per path. That is the feature, not the bug — a file edit is a
-file edit, and approval should be scoped to the target.
-
-If a user asks why they're being prompted so often, explain the security
-tradeoff and point them at `netclaw approvals` for auditing and trimming
-their persistent grants.
-
-### Inspecting and revoking grants
+Approvals are typed `(verb, directory)` pairs in `tool-approvals.json`:
+
+- **verb** — the command head plus subcommand chain only (e.g. `git push`,
+  `grep`, `freshdesk`). No flags, no path arguments.
+- **directory** — the directory the grant applies to. Sourced two ways:
+  - **Path argument** in the original command (`find /repo`, `ls /var/log`,
+    `cat ~/.bashrc`). The path argument is the directory; for file targets
+    the parent directory is used so `cat ~/.bashrc` scopes to `~`.
+  - **Cwd** when no path argument is present (`git status`, `freshdesk`).
+  - **`null`** for the global wildcard ("approve this verb in any
+    directory") — only set by `Always anywhere`.
+
+**Folder-scoped trust compounds.** An entry on `(find, /home/user/repo)`
+auto-allows `find /home/user/repo/.netclaw -name X` because the candidate's
+extracted path is under the entry's directory. You don't have to call
+`set_working_directory` for this — running a command with a path argument
+declares scope implicitly.
+
+The approval gate runs three layers in order:
+
+1. **Hard-deny list** — system-protected paths. Always blocks.
+2. **Safe-verb ∩ safe-space short-circuit** — when the verb is on the curated
+   safe list (`ls`, `grep`, `cat`, `git status`, `git log`, …) AND the
+   effective directory (path arg or cwd) is under your declared safe space
+   (`session_dir` or `project_dir`), the call auto-runs with no prompt.
+   Mutating verbs (`git push`, `rm`, `sed -i`) are never on the list.
+3. **Interactive prompt** — everything else. Five buttons:
+   - **Once** — run this one time, persist nothing.
+   - **This chat** — allow the verbs in this directory for the rest of the
+     session.
+   - **Always here** — persist `(verb, effective directory)`. The
+     "directory" is the command's path argument when present, else cwd.
+   - **Always anywhere** — persist `(verb, null)` global wildcard.
+     Danger style.
+   - **Deny** — refuse this call only.
+
+**Side-effect-only clauses are authorized but not persisted.** When a
+compound command includes pure side-effect verbs (`echo`, `printf`, `:`,
+`true`, `false`) with no path argument and no redirect, those clauses are
+authorized for the current call by the click but no `ApprovalEntry` is
+written for them. Recording every literal `echo "==="` would be noise.
+
+**Why you may not see a prompt at all.** If the user invokes a read-only verb
+(say `grep`) with a path argument under a tree the operator has previously
+trusted, the safe-verb short-circuit applies and there is no prompt. This
+is intended behavior — read-only inspection of declared work surfaces is
+implicit. Mutating verbs in the same directory still prompt.
+
+**When the prompt offers fewer buttons.** Two cases:
+
+- **Complex commands** (bash control-flow like `for/while/done`, unbalanced
+  quotes/brackets) get only `Once` and `Deny`. The matcher cannot extract a
+  clean verb chain to remember, so persistence is structurally impossible.
+- **Shallow cwd** (e.g. `/etc/`, `/`) hides `Always here` only. Persisting a
+  too-shallow root would grant the verb across most of the filesystem;
+  `This chat` and `Always anywhere` remain available.
+
+If a user keeps getting prompted in their repo on read-only verbs, the
+likely cause is the commands they're running don't carry a path argument
+(e.g. `git status` with no `-C`). Suggest they call
+`set_working_directory <path>` so the safe-verb short-circuit treats that
+tree as a safe space. If they keep getting prompted for the same mutating
+verb (e.g. `git push`), suggest `Always here` to persist
+`(git push, effective directory)`.
+
+### Inspecting, revoking, and pre-approving grants
 
 Use the `netclaw approvals` CLI rather than hand-editing
 `tool-approvals.json`. The daemon reads the file on every approval check, so
-revocations take effect on the next prompt without a daemon restart.
+mutations take effect on the next prompt without a daemon restart.
 
 ```bash
-# Interactive TUI: see everything grouped by audience and tool, revoke with R
+# Interactive TUI: see everything grouped by audience and tool
 netclaw approvals
 
-# List only — human-readable
+# List — human-readable. Entries print as "<verb> in <dir>" or "<verb> anywhere".
 netclaw approvals list
 netclaw approvals list --audience personal --tool shell_execute
 
-# Scriptable JSON output (audiences → tools → patterns)
+# Scriptable JSON output (audiences → tools → typed entries)
 netclaw approvals list --json
 
-# Remove an exact match (case-sensitive on POSIX, insensitive on Windows)
-netclaw approvals revoke "git push" --audience personal --tool shell_execute
+# Revoke by user-visible form (the same labels list emits)
+netclaw approvals revoke "git remote in /home/user/repos/foo/"
+netclaw approvals revoke "freshdesk anywhere"
+
+# Pre-approve a verb as a global wildcard for unattended/scheduled tasks
+netclaw approvals trust-verb freshdesk
+netclaw approvals trust-verb gh --audience team
 
 # Clear every entry for a tool (optionally scoped to one audience)
 netclaw approvals revoke --tool shell_execute --all
@@ -328,13 +386,35 @@ netclaw approvals revoke --tool shell_execute --all --audience personal
 ```
 
 `revoke` of a non-existent pattern exits non-zero with a clear message — the
-CLI never silently succeeds.
+CLI never silently succeeds. `trust-verb` is idempotent — re-running it on an
+existing entry exits zero with "no changes."
+
+### Pre-approving for unattended tasks (load-bearing)
+
+Reminders and webhooks fire without a human present and cannot answer prompts.
+When you (the agent) are helping the user set up an unattended task that needs
+shell commands, **identify the verbs the task will need and proactively suggest
+pre-approving them as global wildcards** before the schedule fires.
+
+Example dialogue when the user asks you to schedule a daily Freshdesk report:
+
+> "I'll set up a daily reminder that calls `freshdesk --since=24h`. Since
+> reminders run unattended and can't prompt for approval, I need to pre-approve
+> the `freshdesk` verb globally — that's a `(freshdesk, null)` entry, meaning
+> it will auto-allow in any cwd. Mind if I do that with
+> `netclaw approvals trust-verb freshdesk`?"
+
+On confirmation, run the trust-verb command via `shell_execute`, then create
+the reminder. The grant persists across daemon restarts.
 
 ### Last-resort recovery
 
 If the approval file gets corrupted (the daemon will quarantine it to
-`tool-approvals.json.invalid` and warn loudly), or if you want to wipe every
-persistent grant and start clean, delete the file directly:
+`tool-approvals.json.invalid` and warn loudly), or if a v1 store gets detected
+during upgrade (the daemon quarantines it to `tool-approvals.json.v1.bak`),
+the active file is reset and the v2 store starts empty.
+
+To wipe every persistent grant and start clean, delete the file directly:
 
 macOS/Linux:
 
diff --git a/openspec/changes/approval-policy-trust-zones/.openspec.yaml b/openspec/changes/approval-policy-trust-zones/.openspec.yaml
new file mode 100644
index 00000000..ac20efa6
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-10
diff --git a/openspec/changes/approval-policy-trust-zones/design.md b/openspec/changes/approval-policy-trust-zones/design.md
new file mode 100644
index 00000000..a3a36718
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/design.md
@@ -0,0 +1,523 @@
+## Context
+
+The current v2 approval architecture (this codebase, never shipped) stores
+`(verb, directory)` cross-product entries in a single per-audience store. The
+matcher anchors decisions on the spawn cwd, which collides with the user's
+mental model whenever a compound command like `cd /target && cmd` is involved
+— the user thinks "approve in `/target`," the matcher records "approve in
+`session_dir`."
+
+The session-cwd capability today defines `WorkingContext.ProjectDirectory`
+(set via the `set_working_directory` tool) as the load-bearing input to the
+approval gate's safe-space root set. Live evidence shows the agent rarely
+calls this tool and even when it succeeds, the agent defensively prepends
+`cd <abs-path> && ...` to every shell call anyway — meaning the
+`ProjectDirectory` mechanism is paying a complexity cost (auto-injection
+of project-context files, cwd reasoning in the matcher, persistence in
+`SessionSnapshot`) for behavior the agent doesn't actually rely on.
+
+The shell parser (`Netclaw.Security.ShellTokenizer`) is regex-based and
+produces flat token lists. Adding the per-verb path-extraction rules,
+cd-in-compound propagation, and redirect-target detection that the new gate
+model needs would essentially require building a small AST inside Netclaw.
+That work is parser-shaped, not policy-shaped, and belongs in a focused
+library rather than embedded in the security namespace.
+
+Stakeholders:
+- Daemon operators configuring trust profiles per audience.
+- End users (Slack/Discord) responding to approval prompts.
+- Agent runtime (LLM sessions) observing project-context lookup discipline.
+- Future Netclaw consumers reusing ShellSyntaxTree.
+
+## Goals / Non-Goals
+
+**Goals:**
+
+- Two independent decision axes (geography, action) with two independent
+  persistence stores. Either axis can be granted without entangling the other.
+- Trust as configuration, not state. Operators declare baseline; users extend
+  via prompts; agents never widen trust by issuing commands.
+- Read-only verbs auto-pass *only inside trusted zones*. Outside-zone access
+  always prompts regardless of verb safety.
+- Sequential 4-button prompts on both gates. Identical button shape.
+- Externalized shell parser (`ShellSyntaxTree`) consumed via `IShellParser`.
+  Bash-first, multi-shell-ready.
+- Project context discovered on demand by the agent via explicit lookup
+  discipline, not auto-injected by the daemon.
+
+**Non-Goals:**
+
+- PowerShell parsing in v0.1 of `ShellSyntaxTree` (interface seam present;
+  concrete impl deferred).
+- Migration tooling for existing `tool-approvals.json` shapes (v2 unshipped).
+- Per-zone audit log with retention controls (current TUI list is
+  sufficient for MVP).
+- Cross-audience zone inheritance (each audience configures its own zones).
+- Auto-promoting agent-issued `cd` to a trusted zone (explicitly rejected
+  on security grounds).
+
+## Decisions
+
+### Decision 1: Two-gate composition over `(verb, directory)` cross-product
+
+**Choice:** Maintain two independent per-audience stores
+(`trustedZones`, `verbPatterns`); evaluate each gate independently; both must
+pass for silent execution.
+
+**Rationale:** The cross-product encodes a coupled decision the user
+doesn't actually make. When a user clicks "Always for `git push` here," they
+mean *either* "I trust this directory" *or* "I trust the `git push` shape
+generally" — the v2 store conflates them. Splitting allows precise grants:
+trust `/etc/nginx` without granting any verb; trust `git push *` without
+naming a directory.
+
+**Alternatives considered:**
+- *Keep `(verb, directory)` shape, fix matcher header semantics only.* Doesn't
+  solve dead-on-arrival session-dir entries or the cross-product confusion.
+- *Single combined store with optional fields.* Simpler schema, but the
+  evaluation logic still has to branch on what's present, which is the same
+  cost as two stores with cleaner semantics.
+
+### Decision 2: Colocate stores in a single `tool-approvals.json` per-audience
+
+**Choice:** One file, per-audience top-level keys, each containing
+`verbPatterns` and `trustedZones` arrays:
+
+```json
+{
+  "personal": {
+    "verbPatterns": ["git push *"],
+    "trustedZones": ["/etc/nginx"]
+  },
+  "team": {
+    "verbPatterns": [],
+    "trustedZones": ["/opt/shared"]
+  }
+}
+```
+
+**Rationale:** Both stores have the same lifecycle (mutated by prompt clicks,
+read by gate evaluator). Two files would split a single conceptual
+"runtime approval state" into two atomic-write units. Per-audience grouping
+keeps the operator's mental model intact (today's audiences in `netclaw.json`
+already group their config).
+
+**Alternatives considered:**
+- *Two separate files (`tool-approvals.json` + `trusted-zones.json`).*
+  Sharper separation of concerns; doubles atomic-write coordination on
+  prompt response.
+- *Mutate `netclaw.json` trust profiles directly.* Mixes operator-declared
+  static config with prompt-extended runtime state in one file. Loses the
+  static/state distinction.
+- *Inside `tool-approvals.json` with sectioned schema.* Chosen.
+
+### Decision 3: Glob verb pattern format
+
+**Choice:** Verb patterns stored as glob strings (`git push *`,
+`rm /tmp/*`, `dotnet test *`).
+
+**Rationale:** Globs allow geography-conditional grants on the verb pattern
+itself (`rm /tmp/*` allowed; `rm /home/*` denied). Matches OpenCode's
+validated approach. Future-proof for more expressive patterns
+(e.g., `git push origin *`).
+
+**Alternatives considered:**
+- *Verb-chain only (`git push`).* Simpler matcher; geography conditioning
+  lives entirely in the zone gate. Loses expressiveness for cases like
+  "always allow `rm` under `/tmp`."
+- *Hybrid (verb-chain stored, glob optional).* Forks the matcher code path
+  for marginal benefit; choose one and commit.
+
+### Decision 4: Sequential 4-button prompts, both gates identical shape
+
+**Choice:** When a single shell call hits both gates, fire two prompts
+back-to-back. Each uses `[Once / Session / Always / Deny]`. Same shape on
+both gates; only the question text differs.
+
+**Rationale:** Batched prompts for two independent persistence axes require
+a 2D button matrix (zone-scope × verb-scope) that exceeds Slack's block
+budget and overwhelms the user's working memory. Sequential keeps each
+decision unambiguous. The 4-button row has been UX-validated at v2 already;
+the 5-button v2 was driven by the (here / anywhere) cross-product which we
+explicitly killed.
+
+Worst-case prompt count is 2; common case (one or both gates pre-trusted)
+is 0–1.
+
+**Alternatives considered:**
+- *Batched single prompt with combined buttons.* Densest UI,
+  conceptually muddy ("this button extends both stores from one click").
+- *Adaptive per channel.* Doubles render code paths and diverges the user's
+  mental model across channels.
+- *Drop the Session scope.* Loses the "just for this task" middle ground that
+  users want when granting experimentally.
+
+### Decision 5: Session-scoped grants in-memory on `LlmSessionActor`
+
+**Choice:** Session-scope grants live in two segments
+(`SessionTrustedZones`, `SessionVerbPatterns`) on `LlmSessionActor` instance
+state. Not persisted to disk. Garbage-collected when the actor terminates.
+
+**Rationale:** Session-scope means "for this conversation only." Persisting
+to disk would invite stale grants surviving daemon restarts where the user's
+intent was clearly bounded. Akka actor lifecycle is the natural lifetime
+boundary.
+
+**Failure modes:**
+- *Daemon restart mid-session.* Session-scope grants lost; user re-prompted
+  if they re-issue the same command. Acceptable — daemon restart is a
+  significant event and re-prompt is cheap.
+- *Actor recovery from snapshot.* Snapshots don't include session-scope
+  grants by design (they're explicitly in-memory-only). Recovery starts
+  fresh; same re-prompt behavior as restart.
+
+### Decision 6: Per-call approval workflow as actor-internal state machine
+
+**Choice:** Add a `ToolApprovalWorkflow` value type to `LlmSessionActor` per
+in-flight approval. State transitions: `Start → ZoneGate → VerbGate → Complete`.
+Workflow is purely local to the call; no cross-call coordination.
+
+```
+ToolApprovalWorkflow:
+  Call:        ToolCall
+  Paths:       List<string>            // extracted from AST
+  ZoneState:   ApprovalScope?          // null until prompt 1 resolves
+  VerbState:   ApprovalScope?          // null until prompt 2 resolves
+  Stage:       Start | ZoneGate | VerbGate | Complete
+```
+
+**Rationale:** Encapsulates the state cleanly. No new actors needed —
+existing `ToolApprovalRequest` / `ToolApprovalResponse` messages serialize
+twice in worst case. The workflow record is small and lives alongside the
+existing per-call pending-state.
+
+**Failure modes:**
+- *User takes >watchdog timeout on either prompt.* Watchdog is paused for
+  the entire approval flow (across both prompts), same pattern as v2.
+- *Approval response received for stale prompt (e.g., user clicks Slack
+  button after daemon restart).* Workflow state is lost on restart;
+  late-arriving responses are ignored with a log entry. Same as v2.
+- *Concurrent tool calls each in their own workflow.* Each LlmSessionActor
+  call has its own workflow instance; no shared mutable state between
+  workflows on the same actor.
+
+### Decision 7: Externalize shell parser to `ShellSyntaxTree` repo
+
+**Choice:** Spin out a new repo at `github.com/Aaronontheweb/ShellSyntaxTree`
+publishing a NuGet package of the same name. Bash-first, multi-shell-ready
+via `IShellParser` interface. Develop in parallel with sibling
+`<ProjectReference>` during this change; swap to `<PackageReference>` once
+v0.1 publishes.
+
+**Rationale:** Bash parsing is a generic capability with broader applicability
+than Netclaw's security gates. Separating it improves test focus (parser
+tests live with the parser, not interleaved with policy tests), allows
+independent versioning, and avoids growing Netclaw's attack surface with
+parsing logic that has nothing to do with Akka actors or approval policy.
+
+**Alternatives considered:**
+- *tree-sitter-bash via P/Invoke.* Highest correctness ceiling but the .NET
+  binding ecosystem is thin; native libs would need shipping per platform
+  (Linux x64/arm64, macOS x64/arm64, Windows x64), and PowerShell would
+  need a second native library. Rejected: packaging cost outweighs ceiling
+  gain for our use case.
+- *Hand-roll an AST inside `Netclaw.Security`.* Bloats the security namespace
+  with parser code that other consumers might want; couples Netclaw releases
+  to parser bug fixes.
+- *Iterate on existing regex `ShellTokenizer`.* Lowest ceiling; doesn't
+  resolve the structural-vs-flat-tokens limitation that the new gate model
+  requires.
+
+**Failure modes:**
+- *ShellSyntaxTree v0.1 not yet published when Netclaw needs it.* Sibling
+  `<ProjectReference>` during dev unblocks; CI gating on package publish
+  comes after v0.1 is up.
+- *Parser misextracts paths from a novel shell idiom.* Gate evaluator
+  defaults to the safe behavior (treat as untrusted, prompt). Failure
+  mode is "user sees an unnecessary prompt," not "agent silently
+  bypasses approval."
+- *Dynamic-content paths (`$VAR`, unresolved expansion).* Parser flags as
+  dynamic; gate evaluator treats as path-arg-less. Better to under-extract
+  (and let the verb gate handle it) than to misextract a literal `$VAR/foo`
+  as a path.
+
+### Decision 8: Glob semantics — recursive zones, BashArity-aware verb patterns
+
+**Choice:** `trustedZones` globs use path-prefix recursive semantics:
+`<dir>/*` matches `<dir>` itself plus any descendant at any depth, with
+boundary-safe matching (`~/repos/*` does NOT match `~/repossecret`).
+`verbPatterns` globs split into a verb-chain prefix (length determined
+by `BashArity`) and a trailing arg-glob suffix: `git push *` matches
+`git push origin main` but not `git pull origin main`.
+
+**Rationale:** Path-prefix recursion is what users mean when they say
+"trust this folder." Single-segment globs (`*` not recursive) require
+operators to learn the `**` convention for the common case. Verb
+patterns need verb-chain awareness because BashArity already tells us
+where the verb ends and args begin — leveraging it for matching is
+free.
+
+**Alternatives considered:**
+- *Shell-glob semantics for zones (single segment, `**` for recursive).*
+  Standard but adds cognitive load for the dominant case.
+- *Verbatim zones (no globbing).* Loses the "trust everything under" idiom.
+- *Full-string glob over command text for verbs.* Brittle to spacing
+  and quoting; couples matching to the renderer.
+
+### Decision 9: Hard-deny defaults compiled in, additive overrides only
+
+**Choice:** Ship hard-deny rules as immutable C# data
+(`HardDenyDefaults`). Operators add to them via
+`~/.netclaw/config/hard-deny-overrides.json` which is strictly additive.
+Rules use a JSON-structured DSL with verb+args predicates and an explicit
+`rawText` escape for shape-shaped patterns (fork bombs etc.).
+
+**Rationale:** The operative threat is prompt injection — the agent
+following injected instructions to lift its own constraints. Compiled
+defaults can't be removed by editing a config file. Additive-only
+overrides mean the agent (or a hostile operator) can only make the
+rules *stricter*, never weaker. Structured DSL gives precise matching
+on the AST; rawText escape handles the few cases where shell syntax
+isn't verb-shaped. Operator-editable JSON preserves the ability to add
+custom rules without recompilation.
+
+**Alternatives considered:**
+- *All rules in operator-editable file.* Trades security for flexibility
+  the wrong way; agent edits the file and lifts constraints.
+- *All rules compiled in (no overrides).* Maximum agent-resistance;
+  loses operator flexibility entirely.
+- *Structured matching with no rawText escape.* Cannot represent
+  fork-bomb-shaped patterns precisely.
+
+**Failure modes:**
+- *Override file shadows a default.* Doctor check refuses startup with
+  loud error; daemon doesn't run.
+- *Malformed override rejected at parse.* Daemon logs the rejection and
+  continues with shipped defaults intact.
+
+### Decision 10: Security-critical config protection via existing `ToolPathPolicy`
+
+**Choice:** Extend the existing `ToolPathPolicy` write-deny and shell-deny
+lists in `Program.cs` to include `paths.ConfigDirectory` (the entire
+`~/.netclaw/config/` tree). No new mechanism, no new categories — reuse
+the symlink-resolving, hard-deny path policy that already exists.
+
+**Rationale:** `ToolPathPolicy` is the right shape: hard-deny (no prompt),
+symlink-aware, applied to every tool that touches paths
+(`FileWriteTool`, `FileEditTool`, `ShellTool`). The daemon already uses
+it to protect credentials, the SQLite DB, the lock and PID files. Adding
+the config directory to the same lists closes the prompt-injection gap
+where an injected payload could instruct the agent to rewrite
+`tool-approvals.json` and grant itself global trust.
+
+Operators retain agency: they edit config files in their own editor or
+via dedicated `netclaw approvals` / `netclaw audience` CLI commands. The
+deny only governs *agent tool calls*, not the host filesystem.
+
+**Alternatives considered:**
+- *New "security-critical write" hard-deny category in the rule DSL.*
+  More machinery for the same effect; reusing `ToolPathPolicy` is
+  smaller and battle-tested.
+- *Prompt with Once/Deny only for config writes.* User can mistakenly
+  approve; doesn't close the prompt-injection gap firmly.
+
+**Failure modes:**
+- *Operator workflow that legitimately wanted the agent to edit
+  `~/.netclaw/config/`.* Forces operator to use external editor or CLI
+  instead. Acceptable trade — config edits are infrequent and security
+  outweighs the friction.
+
+### Decision 11: Multi-path zone prompt with trust-all-or-nothing
+
+**Choice:** When a clause has multiple untrusted paths, batch them into
+one zone prompt with a single `Trust all listed (N)` button. No per-path
+checkboxes, no sequential per-path prompts. Same 4-button shape as the
+single-path case.
+
+**Rationale:** The 4-button row maps cleanly to text-only channels via
+fixed positional letters `A=Once / B=Session / C=Trust|Always / D=Deny`.
+Per-path checkboxes don't exist in text mode; sequential per-path
+prompts produce prompt-storms when N is large. Trust-all keeps the
+choice space at exactly 4 letters always, regardless of how many paths
+are listed. Operators wanting partial trust fall back to the CLI
+(`netclaw approvals trust-zone <path>`) which is one shell command.
+
+**Alternatives considered:**
+- *Per-path checkboxes with `Trust selected` button.* Doesn't render in
+  text-only channels; complicates the future text-mode adapter.
+- *Sequential per-path prompts.* N prompts when N paths are untrusted;
+  user fatigue at scale.
+
+### Decision 12: Parser anomaly safe-fail
+
+**Choice:** When `ShellSyntaxTree` returns an unparseable AST or throws,
+the gate evaluator routes to a safe-fail path: hard-deny still consults
+both the rawText fallback and any partial AST; zone gate prompts the
+user as if the raw command operates on one untrusted path; verb-pattern
+gate offers only `Once` and `Deny`. Plus: a Netclaw integration test
+gates any `ShellSyntaxTree` version bump by running the entire corpus
+through the live matcher path.
+
+**Rationale:** Parser bugs are inevitable. The cost of an extra prompt
+is annoyance; the cost of a silent bypass is a security incident. Safe-
+fail biases toward annoyance. The integration test gate ensures
+parser-version-bump PRs visibly demonstrate matcher behavior across the
+corpus before they merge.
+
+**Alternatives considered:**
+- *Default-to-deny on parser failure.* Safest possible posture; UX
+  cost too high (any novel shell construct hits a wall).
+- *Default-to-prompt only (no integration gate).* Same fallback
+  behavior; relies on review discipline rather than enforced check.
+
+### Decision 13: Project context via on-demand `file_read`, not auto-injection
+
+**Choice:** Delete the `project-instructions` capability's auto-injection
+machinery. Add explicit lookup discipline to `Resources/AGENTS.md` instructing
+the agent to read `.netclaw/AGENTS.md` → `AGENTS.md` → `CLAUDE.md` →
+`CONTEXT.md` once per project per session via `file_read`.
+
+**Rationale:** Auto-injection costs ~6k tokens per session (observed in
+dogfood) and depends on `WorkingContext.ProjectDirectory`, which the agent
+rarely sets. On-demand reading is cheaper, follows the same lookup order,
+and survives the deletion of `ProjectDirectory` cleanly.
+
+**Failure modes:**
+- *Agent forgets to read project context.* Same effective behavior as a
+  session today where `ProjectDirectory` is unset (no project content). The
+  AGENTS.md guidance frames this as a discipline rather than a guarantee.
+- *Project file changes mid-session.* On-demand read happens once at
+  project entry; subsequent changes aren't seen until the agent re-reads.
+  Same as v2 (which only re-injected on `set_working_directory` calls).
+
+## Risks / Trade-offs
+
+- **[Risk]** Two-prompt sequential UX feels chatty for users who haven't
+  pre-trusted anything. → **Mitigation:** Common case (read-only verb in
+  trusted zone) hits zero prompts. Worst case (mutating verb in untrusted
+  dir) hits two prompts but each has a 4-button row that includes "Always"
+  to amortize. Track prompt-count metrics post-launch.
+
+- **[Risk]** ShellSyntaxTree v0.1 ships with parser bugs that affect
+  approval correctness. → **Mitigation:** Test corpus seeded from sanitized
+  real-agent emissions provides regression coverage. Gate evaluator's
+  default-to-prompt fallback turns parser misses into "extra prompt," not
+  "silent bypass."
+
+- **[Risk]** Operators have v2-shape `tool-approvals.json` from running
+  pre-release Netclaw. → **Mitigation:** Wipe-and-regenerate on first start
+  with the new schema; communicate in release notes. v2 was never shipped
+  beyond development environments.
+
+- **[Risk]** Removing `set_working_directory` and `WorkingContext.ProjectDirectory`
+  may surface dependencies we haven't enumerated (e.g., a CLI command, a
+  context layer, a snapshot field). → **Mitigation:** Implementation tasks
+  include a "find all references" sweep; eval suite covers the agent
+  behaviors that previously depended on these.
+
+- **[Trade-off]** Session-scope grants don't survive daemon restart. Users
+  who granted a Session-scope mid-task and restart the daemon will be
+  re-prompted. Acceptable — daemon restart is uncommon and re-prompt
+  preserves the user's intent boundary ("for this conversation").
+
+- **[Trade-off]** External dependency on `ShellSyntaxTree` introduces a
+  release coordination burden (Netclaw release blocked on parser package
+  availability). Sibling `<ProjectReference>` during dev mitigates this
+  for the rewrite itself; future Netclaw releases consuming new parser
+  features will need coordinated publishes.
+
+- **[Trade-off]** Single per-audience file (`tool-approvals.json`) means
+  operators wanting to back up just zones (or just verbs) must edit JSON
+  by hand. Acceptable — TUI provides per-axis visibility and revoke; raw
+  file is for advanced operators only.
+
+- **[Risk]** Prompt-injection attack instructs the agent to lift its own
+  constraints by editing security-critical config files
+  (`tool-approvals.json`, `hard-deny-overrides.json`, `netclaw.json`) or
+  the daemon binary itself. → **Mitigation:** Hard-deny defaults compiled
+  into the binary (Decision 9) cannot be removed by config edits.
+  `ToolPathPolicy` extension to cover `~/.netclaw/config/` (Decision 10)
+  blocks the actionable mechanism — agent's `file_write`, `file_edit`,
+  and `shell_execute` clauses targeting these paths are hard-denied
+  before the three-layer gate is consulted, with no approval prompt
+  offered. Operators retain agency via their own editor or dedicated
+  CLI commands that bypass the agent's tool-call path.
+
+- **[Trade-off]** Operators who would have used the agent to edit
+  `~/.netclaw/config/` files now must use their own shell or CLI.
+  Acceptable — config edits are infrequent and the security tightening
+  outweighs the friction. The dedicated `netclaw approvals` /
+  `netclaw audience` CLI commands handle the common cases.
+
+## Migration Plan
+
+**Pre-deployment (within this change):**
+
+1. Stand up `github.com/Aaronontheweb/ShellSyntaxTree` repo with v0.1
+   skeleton (lexer + parser + AST + corpus). Tag v0.1.0-alpha for
+   PackageReference once stable.
+2. Develop Netclaw rewrite in parallel against sibling `<ProjectReference>`.
+3. Once both stable, switch Netclaw's `.csproj` to `<PackageReference>` for
+   `ShellSyntaxTree`.
+4. Run eval suite end-to-end before merge.
+
+**Deploy:**
+
+- Single daemon restart with new binary.
+- On first start, `tool-approvals.json` is read; if v2-shape detected,
+  archive to `.v2-discarded.bak` and start with empty new-shape file.
+- No data migration; users re-approve as they hit prompts.
+
+**Rollback:**
+
+- Revert binary; restore `.v2-discarded.bak` to `tool-approvals.json`.
+- v2 schema and code paths are removed in this change, so rollback is a
+  full revert (no partial fallback).
+
+## Open Questions
+
+1. **Eval suite coverage for two-gate transitions.** Current evals cover
+   single-prompt v1 behavior. Need new cases for: zone-then-verb sequencing,
+   read-only-in-trusted-zone silent path, multi-path zone batching, session
+   vs always scope persistence. Captured in `tasks.md`.
+
+2. **Multi-audience handling at evaluation time.** A session is bound to one
+   audience (per identity); the matcher reads only that audience's stores.
+   Confirm this matches the existing `IToolApprovalMatcher` contract — likely
+   it does, but explicit verification during implementation.
+
+3. **Zone glob matcher precedence.** When `trustedZones` contains both
+   `/home/user/repos/*` and a more-specific `/home/user/repos/secret`,
+   precedence rules need definition (probably "any match passes" given
+   trust is additive, but worth a scenario in the spec).
+
+4. **TUI revoke semantics for partial state.** If a user revokes
+   `/etc/nginx` from `trustedZones`, does it also affect any in-memory
+   session-scope grants in active sessions? Probably no (session-scope is
+   a separate axis), but spec should be explicit.
+
+5. **Approval timeout per-prompt vs shared workflow.** Default proposed:
+   fresh 5-min clock per prompt (zone and verb prompts each get their own
+   timer). Alternative: single 5-min clock spans the whole workflow.
+   Per-prompt is more forgiving; shared is more strict. Confirm during
+   implementation.
+
+6. **`~` expansion in zone globs.** Default proposed: expand to the
+   daemon-process user's home directory at glob-load time. Alternative:
+   expand at evaluation time per-call (handles unusual cases where the
+   daemon changes its effective user). Per-load is simpler and matches
+   how the existing audience trust profile reads home paths.
+
+7. **Glob escape for literal `*` in path/pattern strings.** Deferred —
+   no observed need. If a user genuinely wants to trust a directory
+   literally named with an asterisk, they can use the CLI to add it
+   directly to `trustedZones` after escape-quoting.
+
+8. **`ToolInteractionRequest.Stage` field vs `Kind`-encoded stage.**
+   Default proposed: add a `Stage` enum field (`Zone | Verb`) so `Kind`
+   stays `approval`. Future gates (e.g., a hypothetical "Layer 4 risk
+   gate") extend cleanly via a new Stage value rather than a new Kind.
+
+9. **Default TUI tab on `netclaw approvals` invocation.** Default
+   proposed: open to `[Z]ones` first (geography is the dominant
+   operator concern). Remember last-used tab as a post-MVP enhancement.
diff --git a/openspec/changes/approval-policy-trust-zones/proposal.md b/openspec/changes/approval-policy-trust-zones/proposal.md
new file mode 100644
index 00000000..ab09e3c5
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/proposal.md
@@ -0,0 +1,191 @@
+## Why
+
+The v2 approval model — a single per-audience store of `(verb, directory)`
+cross-product entries — fails in practice. Live dogfood evidence shows three
+recurring failure modes:
+
+1. **Dead-on-arrival entries.** When a session runs commands from
+   `session_dir` cwd (no path arg), "Always here" persists `(verb, session_dir)`
+   tuples that can never recur because the session directory is unique per
+   session. The store fills with garbage that never matches.
+2. **Wrong header semantics.** A compound like `cd /target && cmd1 && cmd2`
+   asks the user *"Approve in `<session_dir>`?"* when the user's mental model
+   is *"Approve in `/target`."* The matcher anchors on cwd; the user reads on
+   the cd target. Mismatch.
+3. **Conflated axes.** "Where is it safe to operate?" (geography) and "What
+   actions are safe to take?" (verb shape) are independent questions that the
+   `(verb, directory)` cross-product collapses. The user can't grant `git push *`
+   broadly without also granting it to a specific directory; can't trust a
+   directory without naming a specific verb.
+
+The rewrite separates these into two independent gates with two independent
+persistence stores, anchors trust on operator-declared configuration rather
+than session-mutable state, and externalizes shell command parsing to a
+dedicated library to keep Netclaw focused on policy.
+
+PRD reference: PRD-002 (Gateway Security Envelope) §5 *"Keep trust boundaries
+simple and inspectable"* and §"Privileged operations must be explicitly
+approved through trusted operator workflow."
+
+## What Changes
+
+**Trust zones replace `(verb, directory)` entries.**
+
+- Two independent per-audience stores colocated in `~/.netclaw/config/tool-approvals.json`:
+  - `trustedZones`: directory globs declaring where this audience may operate silently.
+  - `verbPatterns`: command-shape globs (e.g., `git push *`, `rm /tmp/*`)
+    declaring what command shapes auto-pass within trusted zones.
+- **BREAKING** persistence schema: existing `(verb, directory)` entries discarded
+  on first daemon start. v2 was never shipped beyond development; no migration
+  written.
+
+**Three-layer gate replaces verb-pattern-only matching.**
+
+- Layer 1 (hard-deny): unchanged.
+- Layer 2 (zone gate): per-path check against `trustedZones` ∪ audience baseline
+  ∪ `session_dir`. Outside-zone paths prompt the user.
+- Layer 3 (verb-pattern gate): only mutating verbs prompt; read-only verbs
+  auto-pass *only* inside trusted zones (tightening — no free pass for
+  read-only outside zones).
+
+**Sequential prompt UX with identical 4-button rows.**
+
+- Worst case: 2 prompts per call (zone first, then verb). Common case: 0–1.
+- Both gates use `[Once / Session / Always / Deny]`. Identical shape, learnable.
+- Multi-path commands batch into one zone prompt listing all untrusted paths.
+
+**Shell parsing externalized to ShellSyntaxTree library.**
+
+- New repo: `github.com/Aaronontheweb/ShellSyntaxTree` (NuGet: `ShellSyntaxTree`).
+- v0.1: bash-first, multi-shell-ready via `IShellParser` interface.
+- Replaces in-tree `Netclaw.Security.ShellTokenizer`. Netclaw consumes the parsed
+  AST; gate evaluator owns no parser logic.
+- Develop in parallel with sibling `<ProjectReference>`; swap to
+  `<PackageReference>` on v0.1 publish.
+
+**Removals (BREAKING within this codebase, no shipped impact).**
+
+- **BREAKING** `set_working_directory` tool deleted. Agent uses `cd` in compound
+  commands or absolute paths.
+- **BREAKING** `WorkingContext.ProjectDirectory` deleted. Cwd no longer factors
+  into approval matcher logic.
+- **BREAKING** Project-context auto-injection deleted. Agent reads
+  `.netclaw/AGENTS.md` / `AGENTS.md` / `CLAUDE.md` / `CONTEXT.md` on demand
+  via `file_read` per explicit lookup discipline in `Resources/AGENTS.md`.
+
+**TUI extension.**
+
+- `netclaw approvals` gains `[Z]ones` and `[V]erbs` tabs. Single discovery
+  surface preserved.
+
+## Capabilities
+
+### New Capabilities
+
+None. Trust zones live as a new section within the existing
+`tool-approval-gates` capability rather than a standalone capability — the
+gates compose at evaluation time and splitting introduces cross-capability
+dependencies in the spec without clarifying anything.
+
+### Modified Capabilities
+
+- `tool-approval-gates`: wholesale rewrite. New three-layer gate, two-store
+  persistence, sequential 4-button prompts, ShellSyntaxTree consumption,
+  TUI Z/V tabs, glob verb pattern format.
+- `session-cwd`: **REMOVED**. `WorkingContext.ProjectDirectory` and the
+  `set_working_directory` tool both deleted. Cwd no longer participates in
+  approval logic; `psi.WorkingDirectory` for spawned subprocesses falls back
+  to `SessionDirectory` only.
+- `project-instructions`: **REMOVED**. Daemon-side auto-injection of
+  project identity files deleted. Agent guidance in `Resources/AGENTS.md`
+  takes over via on-demand `file_read`.
+
+## Impact
+
+**In-scope for MVP (this change):**
+
+- All architecture, persistence, and prompt UX described above.
+- ShellSyntaxTree v0.1 (bash) consumed via PackageReference at completion.
+- Slack and Discord adapter rendering for the new sequential prompt flow.
+- TUI Z/V tabs.
+- Resources/AGENTS.md project-context lookup discipline.
+- Eval suite updates covering the new gate semantics and project-context flow.
+
+**Out-of-scope (deferred):**
+
+- ShellSyntaxTree PowerShell support (v0.x or later — interface seam present
+  from v0.1 but no `PowerShellParser` in this change).
+- Migration tooling for existing `tool-approvals.json` (none needed; v2
+  unshipped).
+- Per-zone access auditing UI (current TUI list is sufficient).
+
+**Affected code:**
+
+- `src/Netclaw.Security/` — `ShellTokenizer`, `ShellCommandPolicy`,
+  `ShellApprovalSemantics`, `IToolApprovalMatcher`, `ToolApprovalStore`,
+  `ToolAudienceProfileResolver` all rewritten or removed.
+- `src/Netclaw.Actors/Tools/` — `ToolAccessPolicy` rewritten to three-layer
+  gate; `SetWorkingDirectoryTool.cs` deleted; `ShellTool` cwd resolution
+  simplified.
+- `src/Netclaw.Actors/Sessions/LlmSessionActor.cs` —
+  `PersistApprovalCandidatesAsync` replaced with two-store persistence;
+  in-memory session-scope store added; sequential prompt workflow.
+- `src/Netclaw.Actors/Sessions/WorkingContext.cs` — `ProjectDirectory` and
+  `ResolveShellCwd` simplified to session-dir fallback only.
+- `src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs` and
+  `src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs` — two prompt
+  shapes, 4-button rows.
+- `src/Netclaw.Cli/` — `netclaw approvals` TUI gains Z/V tabs.
+- `src/Netclaw.Configuration/Resources/AGENTS.md` — project-context lookup
+  discipline section.
+- `feeds/skills/.system/files/netclaw-operations/SKILL.md` — operator
+  guidance refresh.
+
+**Affected APIs / config:**
+
+- `ApprovalEntry` record retired; replaced by `TrustedZoneEntry` and
+  `VerbPatternEntry` records with per-audience grouping.
+- `tool-approvals.json` schema changes shape (per-audience top-level keys
+  with `verbPatterns` and `trustedZones` arrays).
+- `netclaw.json` audience trust profiles unchanged in shape (baseline zones
+  already declared); the new operator-extended zones go into
+  `tool-approvals.json`, not `netclaw.json`.
+- New NuGet dependency: `ShellSyntaxTree` (Aaronontheweb).
+
+**Security impact:**
+
+Threat model: prompt injection. The agent has tool access (`file_write`,
+`file_edit`, `shell_execute`) and follows instructions emitted by content
+it reads (web pages, file contents, MCP server output). The defense
+gates the *mechanism* an injected payload would use, not the agent's
+judgment about whether to follow the payload.
+
+- Tightening: read-only verbs no longer auto-pass outside trusted zones.
+  Previous behavior allowed any read-only verb anywhere; new behavior
+  requires explicit zone trust first. Reduces blast radius of misconfigured
+  audience profiles.
+- Tightening: agent cannot extend trust by issuing commands. `cd`-in-compound
+  is parsed for path attribution but never mutates persistent or session
+  state. Closes a class of "agent issues 9-byte command to escalate trust"
+  vectors that the old auto-promote design would have opened.
+- Tightening: hard-deny defaults compiled into the daemon binary and
+  cannot be removed by editing config files. Operator overrides are
+  strictly additive (can add deny rules; cannot weaken shipped defaults).
+- Tightening: existing `ToolPathPolicy` extended to cover
+  `~/.netclaw/config/`. Agent `file_write`, `file_edit`, and
+  `shell_execute` clauses targeting paths under this directory are
+  hard-denied — no approval prompt offered. Closes the prompt-injection
+  vector where the agent would be instructed to rewrite
+  `tool-approvals.json` and grant itself global trust.
+- New: session-scoped grants exist in-memory only. Lost on session
+  termination — by design, prevents accidentally widening trust through
+  long-lived persistence of one-off experimental approvals.
+
+**Operational impact:**
+
+- Operator-visible: `netclaw approvals` UI changes shape (tabs).
+  Documentation update in `docs/help/approvals.md` and CLI `--help`.
+- Operator-visible: existing `tool-approvals.json` contents discarded on
+  upgrade. Operators see "no prior approvals" on first daemon start; users
+  re-approve as they hit prompts. Communicate in release notes.
+- Operator-invisible: ShellSyntaxTree NuGet added; no operator-facing change.
diff --git a/openspec/changes/approval-policy-trust-zones/specs/project-instructions/spec.md b/openspec/changes/approval-policy-trust-zones/specs/project-instructions/spec.md
new file mode 100644
index 00000000..a2fda436
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/specs/project-instructions/spec.md
@@ -0,0 +1,32 @@
+## REMOVED Requirements
+
+### Requirement: Project identity file loading from project directory
+**Reason:** Daemon-side auto-loading depends on
+`WorkingContext.ProjectDirectory`, which is being deleted. The agent
+reads project identity files on demand via `file_read` per the explicit
+lookup discipline added to `Resources/AGENTS.md`. The same file order
+(`.netclaw/AGENTS.md` → `AGENTS.md` → `CLAUDE.md` → `CONTEXT.md`)
+applies, just driven by the agent rather than the daemon.
+**Migration:** Delete the daemon-side identity-file-loading code path
+(`SystemPromptAssembler` project layer, `FileSystemPromptProvider`
+project handling, etc.). Update `Resources/AGENTS.md` to instruct the
+agent: "When you start operating on files in a project, locate the
+project root and read project context once via `file_read` in this
+order: `.netclaw/AGENTS.md`, `AGENTS.md`, `CLAUDE.md`, `CONTEXT.md`.
+Read the first one that exists. Don't re-read on later turns — the
+content is in your conversation history."
+
+### Requirement: Project instructions in system prompt
+**Reason:** The system prompt no longer includes auto-loaded project
+content because there is no `ProjectDirectory` to drive the load. The
+agent's `file_read` of project identity files lands the content in
+conversation history, not the system prompt — same caching behavior
+within a single session, no auto re-injection on project switch
+(because there are no project switches; switches happen by the agent
+re-reading new project files).
+**Migration:** Delete the project-instructions slot from
+`SystemPromptAssembler.Assemble()`. Remove the `SetSystemPrompt()`
+re-assembly trigger that fired on `set_working_directory` calls (the
+trigger was tied to the deleted tool). System prompt becomes shorter
+by ~6k tokens in observed sessions where project_dir had been set;
+agent picks up the slack via on-demand reads.
diff --git a/openspec/changes/approval-policy-trust-zones/specs/session-cwd/spec.md b/openspec/changes/approval-policy-trust-zones/specs/session-cwd/spec.md
new file mode 100644
index 00000000..7b026ee9
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/specs/session-cwd/spec.md
@@ -0,0 +1,71 @@
+## REMOVED Requirements
+
+### Requirement: Session-scoped project directory
+**Reason:** `WorkingContext.ProjectDirectory` is removed. Trust geography
+is now anchored on operator-declared `trustedZones` (per audience) plus
+the immutable `session_dir`, not on session-mutable project state. The
+agent cannot extend trust by declaring a project root.
+**Migration:** Remove `ProjectDirectory` field from `WorkingContext` and
+from `SessionSnapshot` serialization. Sessions recovered from older
+snapshots SHALL ignore any persisted `ProjectDirectory` field. No
+operator-facing migration; the field's removal is invisible because v2
+was never shipped beyond development.
+
+### Requirement: set_working_directory tool
+**Reason:** The `set_working_directory` tool is removed. Trust zones are
+configuration, not state — the agent does not get to mutate trust at
+runtime by declaring a project root. Live evidence shows the agent
+defensively prepends `cd <abs-path> && ...` to every shell call anyway,
+so the tool's spawn-cwd benefit was unused; its `ProjectDirectory`
+side-effect is the part being deleted.
+**Migration:** Delete `SetWorkingDirectoryTool.cs` and remove all
+references from tool registries, audience profiles, and tool exposure
+lists. Update `Resources/AGENTS.md` to instruct the agent to use `cd` in
+compound commands or absolute paths. Update agent guidance that
+previously referenced `set_working_directory` as the gesture for
+declaring project scope.
+
+### Requirement: Shell tool cwd defaults to declared safe spaces
+**Reason:** The cwd resolution chain simplifies because
+`WorkingContext.ProjectDirectory` no longer exists. `ShellTool` SHALL
+fall back from explicit `WorkingDirectory` argument directly to
+`SessionDirectory`. The approval policy no longer reads cwd to decide
+zone membership — the zone gate evaluates the paths the command
+operates on (extracted from the AST), not the spawn cwd.
+**Migration:** Update `ShellTool.cs` cwd resolution: `args.WorkingDirectory →
+SessionDirectory`. Remove `WorkingContext.ProjectDirectory` from
+`ResolveShellCwd`. Remove the comment block that referenced
+`WorkingContext.ProjectDirectory` as a fallback layer.
+
+### Requirement: Shell tool failure-path hint for cwd outside safe spaces
+**Reason:** The hint suggested `set_working_directory <path>` as the
+remediation. With that tool deleted, the hint has no remediation to
+point at. Denied calls still return a clear denial message; the agent
+self-corrects by either using a path under a trusted zone, asking the
+user to extend trust, or accepting the deny.
+**Migration:** Remove the hint emission code from `ShellTool.cs` and
+related plumbing. No replacement hint is added — the prompt itself
+already shows the user the path that triggered the denial; the user can
+extend trust via the prompt's `Always` button if desired.
+
+### Requirement: set_working_directory expands the approval safe space
+**Reason:** With `set_working_directory` removed, this requirement has
+no operative tool. Trust zone expansion is now exclusively a user
+decision via the zone gate prompt's `Trust this directory` button (with
+`Session` or `Always` scope).
+**Migration:** Remove the safe-space expansion logic from
+`ToolAudienceProfileResolver` and any call sites that reacted to
+`ProjectDirectory` changes. The new zone gate's union (audience baseline
+∪ persisted `trustedZones` ∪ in-memory session zones ∪ session_dir) is
+the only mechanism for expanding the trust boundary.
+
+### Requirement: Working context block includes project directory
+**Reason:** With `WorkingContext.ProjectDirectory` removed, the
+`[working-context]` block has nothing to emit for project_dir. The
+agent reads project context on demand via `file_read` per the explicit
+lookup discipline in `Resources/AGENTS.md`; the working-context block
+no longer needs to advertise a project root because there isn't one.
+**Migration:** Remove the `project_dir:` line from
+`WorkingContext.ToContextBlock()` output. If the block becomes empty for
+sessions with no recent files either, suppress the entire block from
+the system prompt rather than emitting an empty header.
diff --git a/openspec/changes/approval-policy-trust-zones/specs/tool-approval-gates/spec.md b/openspec/changes/approval-policy-trust-zones/specs/tool-approval-gates/spec.md
new file mode 100644
index 00000000..ebf27605
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/specs/tool-approval-gates/spec.md
@@ -0,0 +1,976 @@
+## ADDED Requirements
+
+### Requirement: Three-layer gate evaluation
+
+The system SHALL evaluate every tool invocation through three layers in
+order: (1) hard-deny check, (2) zone gate, (3) verb-pattern gate. A tool
+SHALL execute silently only when all three layers pass without prompting.
+The hard-deny layer SHALL run first and unconditionally. The zone gate
+SHALL run only if hard-deny passes. The verb-pattern gate SHALL run only
+if the zone gate passes (either silently or via user approval).
+
+The three layers SHALL be independent: an approval at one layer SHALL NOT
+imply approval at another. Trust granted to a directory at the zone gate
+SHALL NOT grant any verb at the verb-pattern gate; trust granted to a verb
+pattern at the verb-pattern gate SHALL NOT grant any directory at the zone
+gate.
+
+#### Scenario: All layers silent for read-only verb in trusted zone
+
+- **GIVEN** the audience baseline includes `~/repos/*` as a trusted zone
+- **AND** `cat` is on the read-only verb list
+- **WHEN** the agent invokes `shell_execute` with command `cat ~/repos/foo/notes.md`
+- **THEN** the hard-deny layer passes
+- **AND** the zone gate auto-passes (path inside trusted zone)
+- **AND** the verb-pattern gate auto-passes (read-only verb in trusted zone)
+- **AND** no prompt is rendered
+
+#### Scenario: Mutating verb in trusted zone prompts only verb gate
+
+- **GIVEN** the audience baseline includes `~/repos/*` as a trusted zone
+- **AND** the audience has no `git push *` in `verbPatterns`
+- **WHEN** the agent invokes `shell_execute` with command `git push origin main`
+  and a path arg under `~/repos/foo/`
+- **THEN** the hard-deny layer passes
+- **AND** the zone gate auto-passes
+- **AND** the verb-pattern gate prompts the user
+
+#### Scenario: Untrusted directory and mutating verb produce two sequential prompts
+
+- **GIVEN** the audience has no zone covering `/etc/nginx`
+- **AND** the audience has no `cp *` in `verbPatterns`
+- **WHEN** the agent invokes `shell_execute` with command `cp /etc/nginx/old.conf /etc/nginx/new.conf`
+- **THEN** the hard-deny layer passes
+- **AND** the zone gate prompts first (zone prompt)
+- **AND** if the user approves, the verb-pattern gate prompts second (verb prompt)
+- **AND** if both approve, the command executes
+
+#### Scenario: Mixed-zone clause with read-only verb collapses to one zone prompt
+
+- **GIVEN** a clause `grep -r foo /trusted /untrusted`
+- **AND** `/trusted` is inside a trusted zone but `/untrusted` is not
+- **AND** `grep` is on the read-only verb list
+- **WHEN** the gate evaluator runs
+- **THEN** the zone gate prompts for `/untrusted` only
+- **AND** the verb-pattern gate auto-passes after zone approval
+  (read-only verb AND all paths now in trusted scope)
+- **AND** the user sees exactly one prompt, then the command executes
+
+### Requirement: Trust zones store and evaluation
+
+The system SHALL maintain a per-audience `trustedZones` store of directory
+glob patterns. The store SHALL be persisted under each audience key in
+`~/.netclaw/config/tool-approvals.json`. The zone gate SHALL pass silently
+for a path P when P matches any glob in the union of: (a) the audience
+baseline read-allowed roots from `netclaw.json`, (b) the persisted
+`trustedZones` for that audience, (c) the in-memory session-scope trusted
+zones for the current session, AND (d) the immutable `session_dir` for the
+current session (which is always trusted).
+
+Glob matching SHALL use path-prefix recursive semantics: a zone of
+`<dir>/*` SHALL match `<dir>` itself, any direct child of `<dir>`, and any
+descendant at any depth. The `*` is implicitly recursive — there is no
+`**` in zone globs. Trailing slash variations SHALL be normalized
+(`<dir>/`, `<dir>/*`, `<dir>` all denote the same zone). Zone matching
+SHALL be boundary-safe: `~/repos/*` SHALL NOT match `~/repossecret`
+(directory boundary, not character prefix).
+
+When a path P does not match any glob in the union, the zone gate SHALL
+prompt the user. The prompt SHALL list every untrusted path in the command
+in a single batched prompt, not one prompt per path.
+
+The agent SHALL NOT be able to extend `trustedZones` by issuing commands.
+Only user prompt clicks (`Trust this directory` with `Session` or `Always`
+scope) SHALL extend the store. The `cd` command in a compound SHALL be
+parsed for path attribution but SHALL NOT mutate any zone store.
+
+#### Scenario: Path inside audience baseline auto-passes
+
+- **GIVEN** the Personal audience baseline includes `~/repos/*`
+- **WHEN** a command operates on `~/repos/foo/file.txt`
+- **THEN** the zone gate passes silently for that path
+
+#### Scenario: Path outside all zones prompts
+
+- **GIVEN** the Personal audience baseline includes `~/repos/*` only
+- **AND** `trustedZones` is empty
+- **WHEN** a command operates on `/etc/hosts`
+- **THEN** the zone gate prompts the user with `/etc/hosts` listed
+
+#### Scenario: Multi-path command produces one batched zone prompt
+
+- **GIVEN** a command operates on `/etc/foo` and `/var/lib/bar`, both untrusted
+- **WHEN** the zone gate evaluates the command
+- **THEN** a single zone prompt is rendered listing both paths
+- **AND** the user's choice applies to both paths simultaneously
+
+#### Scenario: Session-scope zone grant ends with the session
+
+- **GIVEN** a user grants `/tmp/scratch` with `Session` scope in session A
+- **WHEN** session A terminates
+- **AND** session B (same audience) operates on `/tmp/scratch`
+- **THEN** the zone gate prompts session B for `/tmp/scratch`
+
+#### Scenario: Always-scope zone grant survives daemon restart
+
+- **GIVEN** a user grants `/etc/nginx` with `Always` scope in the Personal audience
+- **AND** the daemon is restarted
+- **WHEN** any Personal session operates on `/etc/nginx`
+- **THEN** the zone gate passes silently
+
+#### Scenario: Agent cd in compound does not extend trust
+
+- **GIVEN** the audience has no zone covering `/foreign/path`
+- **WHEN** the agent invokes `cd /foreign/path && cat file.txt`
+- **THEN** `/foreign/path` is attributed as a path the command operates on
+- **AND** the zone gate prompts (path outside all trusted zones)
+- **AND** no zone is added to `trustedZones` automatically
+
+### Requirement: Verb-pattern store and evaluation
+
+The system SHALL maintain a per-audience `verbPatterns` store of glob-style
+verb patterns (e.g., `git push *`, `rm /tmp/*`, `dotnet test *`). The store
+SHALL be persisted under each audience key in
+`~/.netclaw/config/tool-approvals.json` colocated with `trustedZones`.
+
+A verb pattern SHALL parse into two parts: a verb-chain prefix (one or
+more tokens, length determined by the BashArity dictionary) and a trailing
+arg-glob suffix. Pattern matching SHALL succeed when (1) the candidate
+command's verb chain (after BashArity collapses multi-token verbs)
+matches the pattern's verb-chain prefix exactly, AND (2) the candidate
+command's remaining argument tokens match the pattern's arg-glob suffix.
+A pattern of `git push *` matches `git push origin main` and
+`git push --force` (verb chain `git push` exact, args matched by `*`); it
+does NOT match `git pull origin main` (verb mismatch) or `git push-all`
+(verb mismatch). Patterns without a trailing glob (`git push`) SHALL be
+rejected at write time with an error directing the user to add the
+explicit `*` suffix.
+
+The verb-pattern gate SHALL pass silently for a candidate command when
+either: (a) the command's verb chain is on the read-only verb list AND every
+path the command operates on is inside a trusted zone (per the zone gate),
+OR (b) the command matches any glob in the union of the persisted
+`verbPatterns` for the audience and the in-memory session-scope verb
+patterns for the current session.
+
+When neither condition is met, the verb-pattern gate SHALL prompt the user.
+Read-only verbs SHALL NOT auto-pass when any path in the command is outside
+trusted zones — outside-zone access always prompts regardless of verb safety.
+
+#### Scenario: Read-only verb in trusted zone auto-passes
+
+- **GIVEN** `cat` is on the read-only verb list
+- **AND** the path operated on is inside a trusted zone
+- **WHEN** the verb-pattern gate evaluates `cat /home/user/repos/foo/notes.md`
+- **THEN** the gate passes silently
+
+#### Scenario: Read-only verb outside trusted zones prompts
+
+- **GIVEN** `cat` is on the read-only verb list
+- **AND** the path operated on is outside all trusted zones
+- **WHEN** the zone gate has already prompted and the user clicked `Once`
+- **AND** the verb-pattern gate then evaluates the command
+- **THEN** the verb-pattern gate also prompts the user
+
+#### Scenario: Mutating verb matching persisted glob auto-passes
+
+- **GIVEN** `verbPatterns` contains `git push *`
+- **WHEN** the agent invokes `git push origin main`
+- **THEN** the verb-pattern gate passes silently
+
+#### Scenario: Mutating verb not matching any glob prompts
+
+- **GIVEN** `verbPatterns` does not contain a glob matching `kubectl apply`
+- **WHEN** the agent invokes `kubectl apply -f manifest.yaml`
+- **THEN** the verb-pattern gate prompts the user
+
+#### Scenario: Session-scope verb grant ends with the session
+
+- **GIVEN** the user grants `npm install *` with `Session` scope in session A
+- **WHEN** session A terminates
+- **AND** session B (same audience) invokes `npm install lodash`
+- **THEN** the verb-pattern gate prompts session B
+
+#### Scenario: Always-scope verb grant survives daemon restart
+
+- **GIVEN** the user grants `dotnet test *` with `Always` scope
+- **AND** the daemon is restarted
+- **WHEN** any session in that audience invokes `dotnet test`
+- **THEN** the verb-pattern gate passes silently
+
+### Requirement: Two-store per-audience persistence schema
+
+The system SHALL persist approval state in
+`~/.netclaw/config/tool-approvals.json` using a per-audience structure
+where each audience key contains exactly two fields: `verbPatterns` (array
+of glob strings) and `trustedZones` (array of glob strings). The schema
+SHALL NOT contain a `version` field; absence of the v2 schema markers
+SHALL trigger archival of the existing file and creation of an empty new
+schema file.
+
+```json
+{
+  "personal": {
+    "verbPatterns": ["git push *", "dotnet test *"],
+    "trustedZones": ["/etc/nginx"]
+  },
+  "team": {
+    "verbPatterns": [],
+    "trustedZones": ["/opt/shared"]
+  }
+}
+```
+
+The file SHALL be operator-editable via the `netclaw approvals` CLI. The
+daemon SHALL pick up out-of-band edits on the next approval check without
+requiring a restart.
+
+When the daemon reads a `tool-approvals.json` file that contains v1 or v2
+shape (presence of top-level `version` field, or array of `ApprovalEntry`
+records with `verb`/`directory` fields), the file SHALL be archived to
+`tool-approvals.json.v2-discarded.bak` and an empty new-schema store SHALL
+be returned. No automatic translation of legacy entries SHALL be performed.
+
+#### Scenario: New-schema file loads correctly
+
+- **GIVEN** `tool-approvals.json` contains a per-audience structure with `verbPatterns` and `trustedZones`
+- **WHEN** the daemon loads the file
+- **THEN** the in-memory store reflects the file contents
+
+#### Scenario: v2 file archived on first read
+
+- **GIVEN** `tool-approvals.json` contains `"version": 2` and an `ApprovalEntry` array
+- **WHEN** the daemon loads the file
+- **THEN** the file is moved to `tool-approvals.json.v2-discarded.bak`
+- **AND** the in-memory store is empty
+- **AND** no v2 entries are translated
+
+#### Scenario: Operator revoke visible without restart
+
+- **GIVEN** the daemon is running with `verbPatterns` containing `git push *`
+- **WHEN** an operator removes that entry via `netclaw approvals revoke`
+- **AND** a new verb-pattern gate evaluation runs for `git push`
+- **THEN** the daemon re-reads the file and observes the entry is gone
+- **AND** the user is prompted
+
+### Requirement: In-memory session-scope grants on LlmSessionActor
+
+The system SHALL maintain in-memory session-scope grants for each session
+on the `LlmSessionActor` instance. Two segments SHALL exist:
+`SessionTrustedZones` (list of directory globs) and `SessionVerbPatterns`
+(list of verb glob strings). These SHALL be populated when the user clicks
+the `Session` button on either gate's prompt.
+
+Session-scope grants SHALL NOT be persisted to disk. They SHALL be lost on
+session termination (channel disconnection, daemon restart, actor recovery
+from snapshot). `SessionSnapshot` SHALL NOT include session-scope grants.
+
+#### Scenario: Session-scope zone applies for the rest of the session
+
+- **GIVEN** a user clicks `Session` on a zone prompt for `/tmp/scratch`
+- **WHEN** the agent makes another call operating under `/tmp/scratch`
+  in the same session
+- **THEN** the zone gate passes silently
+
+#### Scenario: Session-scope verb pattern applies for the rest of the session
+
+- **GIVEN** a user clicks `Session` on a verb prompt for `npm install *`
+- **WHEN** the agent invokes `npm install` again in the same session
+- **THEN** the verb-pattern gate passes silently
+
+#### Scenario: Session-scope grants do not survive daemon restart
+
+- **GIVEN** session A has session-scope zone `/tmp/scratch`
+- **WHEN** the daemon restarts
+- **AND** session A is recovered from snapshot
+- **THEN** the recovered session has no session-scope grants
+- **AND** subsequent operations on `/tmp/scratch` re-prompt
+
+#### Scenario: Session-scope grants are not in SessionSnapshot
+
+- **GIVEN** a session with session-scope grants populated
+- **WHEN** a snapshot is taken
+- **THEN** the snapshot serialization omits the session-scope segments
+
+### Requirement: Sequential approval workflow per call
+
+The system SHALL coordinate per-call approval through a
+`ToolApprovalWorkflow` value type on the `LlmSessionActor`. The workflow
+SHALL transition through stages `Start → ZoneGate → VerbGate → Complete`,
+issuing at most one zone prompt and at most one verb prompt per call. The
+workflow SHALL execute the gates in order and SHALL only advance to the
+verb gate after the zone gate completes (silently or via user response).
+
+The mid-turn approval pause (`TaskCompletionSource`-based block on the
+tool execution task) SHALL remain in place for the duration of the entire
+workflow, spanning both prompts when both fire. Other tool calls in the
+same batch SHALL execute in parallel and SHALL NOT block on this
+workflow.
+
+If the user denies at any prompt, the workflow SHALL terminate with
+`Denied` and the tool task SHALL unblock with the denial result. The
+workflow SHALL NOT impose its own approval timeout — a tool call awaiting
+user approval SHALL wait indefinitely for a user response. Operators
+take as long as they need to evaluate the prompt; the system SHALL NOT
+silently transition the workflow to `TimedOut` on a clock. (Session
+passivation and daemon restart are separate concerns tracked in
+GitHub issue #939; they are out of scope for this requirement.)
+
+#### Scenario: Zone-then-verb sequential prompts
+
+- **GIVEN** a call needs both gates
+- **WHEN** the workflow runs
+- **THEN** the zone prompt is sent first
+- **AND** the verb prompt is sent only after the user responds to the zone prompt
+- **AND** the user responds to two prompts in sequence
+
+#### Scenario: Deny on zone prompt skips verb prompt
+
+- **GIVEN** the zone gate is prompting the user
+- **WHEN** the user clicks `Deny`
+- **THEN** the workflow terminates with `Denied`
+- **AND** the verb prompt is never rendered
+
+#### Scenario: Concurrent calls each have their own workflow
+
+- **GIVEN** two tool calls are dispatched in the same batch, both needing approval
+- **WHEN** both workflows run
+- **THEN** each call has its own `ToolApprovalWorkflow` instance
+- **AND** prompt responses are routed to the correct workflow by `CallId`
+
+#### Scenario: Other tool calls in batch are not blocked
+
+- **GIVEN** a batch containing `web_search`, `shell_execute` (needs approval),
+  and `file_read`
+- **WHEN** the batch executes
+- **THEN** `web_search` and `file_read` execute in parallel immediately
+- **AND** `shell_execute` blocks waiting for the workflow to complete
+
+### Requirement: Sequential 4-button approval prompts
+
+When the zone gate prompts the user, the prompt SHALL render exactly four
+buttons in one row: `Once`, `Session`, `Trust <directory>`, `Deny`. The
+buttons `Trust <directory>` and `Deny` SHALL be styled per their effect
+(`Trust` as primary action; `Deny` as danger). The header text SHALL ask
+*"Allow `<audience>` to operate inside `<paths>`?"* listing one or more
+untrusted paths.
+
+When the verb-pattern gate prompts the user, the prompt SHALL render
+exactly four buttons in one row: `Once`, `Session`, `Always <verb-pattern>`,
+`Deny`. The header text SHALL ask *"Allow `<verb-pattern>` to run?"* where
+`<verb-pattern>` is the glob (e.g., `git push *`).
+
+All button labels SHALL fit within Slack's 76-character and Discord's
+80-character button-text caps. When the displayed entity (path or verb
+pattern) would exceed the cap, the label SHALL truncate with an ellipsis
+and the full value SHALL appear in the prompt body.
+
+Both prompts SHALL include the audience name and command context in the
+body so the user can scan the decision context without inferring it.
+
+When a zone prompt lists multiple untrusted paths, the `Trust ...` button
+SHALL apply to ALL listed paths atomically (trust-all-or-nothing) and the
+button label SHALL read `Trust all listed` (with the count parenthesized
+when more than one path is shown). Per-path partial trust SHALL NOT be
+expressible from the prompt; users wanting partial trust SHALL fall back
+to the CLI (`netclaw approvals trust-zone <path>`) or click `Once` and
+let subsequent calls re-prompt.
+
+Channel adapters SHALL render the four buttons in a fixed positional
+order (Once, Session, Trust/Always, Deny) so that text-only or
+keyboard-driven channel adapters can map them to letters
+`A=Once / B=Session / C=Trust|Always / D=Deny` without per-channel
+remapping. The text-only mapping SHALL be considered a forward-compat
+contract and SHALL be the order any future text-mode renderer uses.
+
+#### Scenario: Zone prompt shows path and 4-button row
+
+- **GIVEN** a command operates on the untrusted path `/etc/nginx`
+- **WHEN** the zone prompt is rendered
+- **THEN** the header reads "Allow Personal to operate inside /etc/nginx?"
+- **AND** the action row contains `Once`, `Session`, `Trust /etc/nginx`, `Deny`
+
+#### Scenario: Verb prompt shows pattern and 4-button row
+
+- **GIVEN** a command `git push origin main` and no matching `verbPatterns`
+- **WHEN** the verb prompt is rendered
+- **THEN** the header reads "Allow `git push *` to run?"
+- **AND** the action row contains `Once`, `Session`, `Always git push *`, `Deny`
+
+#### Scenario: Multi-path zone prompt batches paths
+
+- **GIVEN** a command operates on `/etc/nginx` and `/var/log`, both untrusted
+- **WHEN** the zone prompt is rendered
+- **THEN** the body lists both paths
+- **AND** a single 4-button row applies to both
+- **AND** the trust button label reads `Trust all listed (2)`
+- **AND** clicking that button extends `trustedZones` for both paths atomically
+
+#### Scenario: Long path label truncates with full value in body
+
+- **GIVEN** an untrusted path that exceeds the button-label cap
+- **WHEN** the zone prompt is rendered
+- **THEN** the `Trust ...` button label is truncated with an ellipsis
+- **AND** the full path appears in the prompt body
+
+### Requirement: Resolution message format for two-store schema
+
+After an approval response is processed, the channel SHALL render a
+single-line resolution message identifying which store was extended and
+the scope. Permitted formats:
+
+- `Saved zone: <path>` — for `Always` on the zone prompt.
+- `Saved zone (this session): <path>` — for `Session` on the zone prompt.
+- `Saved verb: <pattern>` — for `Always` on the verb prompt.
+- `Saved verb (this session): <pattern>` — for `Session` on the verb prompt.
+- `Approved (no save)` — for `Once`.
+- `Denied` — for `Deny`.
+
+The message SHALL replace the previous `Saved: <verb-list> in <directory>`
+format. No `Patterns` or `Directory Roots` headers SHALL appear.
+
+#### Scenario: Always on zone prompt produces zone-saved message
+
+- **GIVEN** the user clicks `Trust /etc/nginx` (Always scope) on a zone prompt
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved zone: /etc/nginx`
+
+#### Scenario: Session on verb prompt produces session-saved message
+
+- **GIVEN** the user clicks `Session` on a verb prompt for `npm install *`
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved verb (this session): npm install *`
+
+#### Scenario: Once produces approved-no-save message
+
+- **GIVEN** the user clicks `Once` on either prompt
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Approved (no save)`
+
+### Requirement: ShellSyntaxTree dependency for command parsing
+
+The system SHALL consume the `ShellSyntaxTree` NuGet package
+(`github.com/Aaronontheweb/ShellSyntaxTree`) for all shell command
+parsing. The matcher SHALL feed the raw command string to
+`IShellParser.Parse(string)` and operate exclusively on the returned
+`ParsedCommand` AST. The matcher SHALL NOT contain regex-based
+tokenization, per-verb path-extraction tables, or quote/escape handling
+— those concerns belong to the parser library.
+
+The matcher SHALL extract from the AST: (a) per-clause verb chains for
+the verb-pattern gate, (b) per-clause path arguments (resolved against
+the spawn cwd) for the zone gate, (c) cd-in-compound directory
+attribution (paths attributed to subsequent commands within the same
+compound), (d) redirect target paths, and (e) bash-c inner command
+recursion.
+
+When the parser flags any path token as dynamic (unresolved env var,
+unresolved expansion), the matcher SHALL skip that token rather than
+extracting a literal value. Extraction failure for a clause SHALL cause
+the clause to be treated as path-arg-less; the verb gate still applies.
+
+#### Scenario: Matcher consumes ShellSyntaxTree AST
+
+- **GIVEN** a command `git -C /repo log`
+- **WHEN** the matcher processes it
+- **THEN** it calls `IShellParser.Parse("git -C /repo log")`
+- **AND** uses the returned `ParsedCommand` to extract verb chain `git log`
+  and path `/repo`
+
+#### Scenario: cd-in-compound propagates paths to subsequent clauses
+
+- **GIVEN** a command `cd /target && cmd1 file.txt && cmd2 other.txt`
+- **WHEN** the matcher processes it
+- **THEN** `/target` is attributed as a path each of `cmd1` and `cmd2` operates on
+- **AND** zones are checked for `/target` in addition to any explicit path args
+
+#### Scenario: Dynamic path tokens are skipped
+
+- **GIVEN** a command `rm $UNRESOLVED_VAR/foo`
+- **WHEN** the matcher processes it
+- **THEN** the dynamic token is skipped (no literal `$UNRESOLVED_VAR/foo` extracted)
+- **AND** the clause is treated as path-arg-less for the zone gate
+- **AND** the verb gate still evaluates `rm`
+
+#### Scenario: bash -c wrapper recurses into inner command
+
+- **GIVEN** a command `bash -c "git push --force"`
+- **WHEN** the matcher processes it
+- **THEN** the inner command is parsed
+- **AND** verb chain `git push` is extracted from the inner command
+
+### Requirement: Hard-deny rule source and structured format
+
+The system SHALL ship hard-deny rule defaults as immutable data compiled
+into the daemon binary (`Netclaw.Security.HardDenyDefaults`). The shipped
+defaults SHALL NOT be removable or weakenable at runtime. Operators MAY
+add additional rules via `~/.netclaw/config/hard-deny-overrides.json`.
+The override file SHALL be strictly additive: it MAY introduce new deny
+rules; it MUST NOT remove, disable, or weaken any shipped default. The
+final ruleset evaluated by the matcher SHALL be `Defaults ∪ Overrides`.
+
+Rules SHALL use a JSON-structured predicate format with explicit
+verb-and-args matching. Each rule is one of:
+
+```json
+{
+  "verb": ["netclaw", "daemon", "stop"],
+  "reason": "hard_deny_self_destructive"
+}
+```
+
+```json
+{
+  "verb": ["rm"],
+  "argFlags": ["-rf"],
+  "firstPath": { "oneOf": ["/", "~", "~/"] },
+  "reason": "hard_deny_destructive_root"
+}
+```
+
+For shape-shaped patterns that cannot be expressed as verb+args (e.g.,
+fork bombs `:(){ :|:& };:` which are pure shell syntax with no real verb),
+an explicit `rawText` escape SHALL be permitted, marked with
+`"escapeHatch": true` for documentation:
+
+```json
+{
+  "rawText": ":\\(\\)\\{.*:\\|:&.*\\};:",
+  "reason": "hard_deny_fork_bomb",
+  "escapeHatch": true
+}
+```
+
+Structured rules SHALL evaluate against parsed `Clause` records (verb
+chain + arg list); rawText rules SHALL match against the normalized
+rendered clause string. A `doctor` startup check SHALL verify shipped
+defaults are present in the loaded ruleset and SHALL refuse daemon
+startup if any default is missing or shadowed by a malformed override.
+
+#### Scenario: Shipped default cannot be disabled by override
+
+- **GIVEN** the override file contains a rule attempting to negate
+  `netclaw daemon stop` (e.g., a `disable` field referencing it)
+- **WHEN** the daemon loads the rules
+- **THEN** the override is rejected at parse time with a clear error
+- **AND** the shipped default remains active
+
+#### Scenario: Override adds new deny rule
+
+- **GIVEN** the override file contains
+  `{"verb": ["docker", "rm"], "reason": "local_policy"}`
+- **WHEN** the matcher evaluates a `docker rm my-container` call
+- **THEN** the call is denied via the override rule
+
+#### Scenario: rawText escape matches fork-bomb-shaped commands
+
+- **GIVEN** the shipped defaults include the fork-bomb rawText rule
+- **WHEN** the agent invokes `shell_execute` with command `:(){ :|:& };:`
+- **THEN** the matcher matches the rawText rule against the rendered clause
+- **AND** the call is denied with reason `hard_deny_fork_bomb`
+
+#### Scenario: Doctor refuses startup when default is missing
+
+- **GIVEN** the daemon binary's compiled defaults include a rule with
+  reason `hard_deny_self_destructive`
+- **AND** the override file is malformed in a way that shadows that rule
+- **WHEN** the daemon starts
+- **THEN** the doctor check reports the missing default
+- **AND** the daemon refuses to start with a loud error
+
+### Requirement: Security-critical config protection via ToolPathPolicy
+
+The system SHALL extend the existing `ToolPathPolicy` write-deny and
+shell-deny lists to cover `~/.netclaw/config/` (the entire directory
+tree). This protects `tool-approvals.json`,
+`hard-deny-overrides.json`, `netclaw.json`, and any future operator
+config from agent tool writes — `file_write`, `file_edit`, and
+`shell_execute` clauses that target paths under
+`~/.netclaw/config/` SHALL be hard-denied at the `ToolPathPolicy`
+layer, BEFORE the three-layer gate is consulted.
+
+`ToolPathPolicy` is a hard-deny mechanism: no approval prompt is offered.
+Operators wanting to edit config files SHALL do so outside the agent
+(their own editor, their own shell), or via the dedicated
+`netclaw approvals` / `netclaw audience` CLI commands which bypass the
+agent's tool-call path.
+
+The deny SHALL apply with `ToolPathPolicy`'s existing
+symlink-resolving normalization: a planted symlink under a permitted
+directory cannot route writes to `~/.netclaw/config/`.
+
+This requirement defends against prompt-injection attacks where the
+agent is instructed (by malicious content read from a web page, file,
+or MCP server output) to lift its own constraints by editing the
+config files.
+
+#### Scenario: Agent file_write to tool-approvals.json is denied
+
+- **WHEN** the agent invokes `file_write` with path
+  `~/.netclaw/config/tool-approvals.json`
+- **THEN** the write is denied at the ToolPathPolicy layer
+- **AND** the deny reason indicates security-critical-path
+- **AND** no approval prompt is offered
+
+#### Scenario: Agent shell redirect to netclaw.json is denied
+
+- **WHEN** the agent invokes `shell_execute` with command
+  `echo "{}" > ~/.netclaw/config/netclaw.json`
+- **THEN** ShellTool's `_pathPolicy.CommandReferencesDeniedPath` returns true
+- **AND** the call is denied before the three-layer gate runs
+
+#### Scenario: Agent file_edit via symlink to config is denied
+
+- **GIVEN** the agent has created a symlink at `~/scratch/leak`
+  resolving to `~/.netclaw/config/tool-approvals.json`
+- **WHEN** the agent invokes `file_edit` with path `~/scratch/leak`
+- **THEN** ToolPathPolicy resolves the symlink and matches the canonical
+  path against the deny list
+- **AND** the call is denied
+
+#### Scenario: Operator can edit config outside the agent
+
+- **GIVEN** the operator runs `vim ~/.netclaw/config/netclaw.json` in
+  their own shell (not the agent's `shell_execute`)
+- **WHEN** the file is saved
+- **THEN** the daemon picks up the change on next read
+- **AND** ToolPathPolicy was never consulted (it only governs agent tool calls)
+
+### Requirement: Parser anomaly safe-fail
+
+The gate evaluator SHALL default to the safest behavior when
+`ShellSyntaxTree` returns a `ParsedCommand` with the unparseable flag
+set or when `IShellParser.Parse` throws: hard-deny is still consulted
+(against the raw command string as a fallback, plus against any partial
+AST the parser produced); the zone gate SHALL prompt the user as if the
+entire raw command operates on a single untrusted path; the
+verb-pattern gate SHALL offer only `Once` and `Deny` (no `Session` or
+`Always`) so no persistent grant can encode an unparseable shape.
+
+This requirement ensures that parser bugs, novel shell idioms, or
+intentionally crafted unparseable inputs degrade to "extra prompt,"
+never to "silent bypass."
+
+#### Scenario: Parse failure offers only Once and Deny
+
+- **WHEN** `IShellParser.Parse` throws on a malformed command
+- **THEN** the matcher catches the failure
+- **AND** the verb-pattern gate prompt offers only `Once` and `Deny`
+- **AND** the prompt body shows a `parse failure — one-shot only` hint
+
+#### Scenario: Unparseable AST flag triggers safe-fail
+
+- **GIVEN** a command containing unbalanced quotes
+- **WHEN** `ShellSyntaxTree` parses it and sets the unparseable flag
+- **THEN** the gate evaluator routes through the safe-fail path
+- **AND** the user sees a prompt rather than silent execution
+
+#### Scenario: Hard-deny still applies on parse failure
+
+- **GIVEN** a hard-deny rule for raw text matching `rm -rf /`
+- **WHEN** the agent invokes `shell_execute` with `rm -rf /; for i in 1 2; do`
+  (unbalanced; parser fails)
+- **THEN** the rawText hard-deny matches against the raw command
+- **AND** the call is denied before any prompt
+
+## MODIFIED Requirements
+
+### Requirement: Tool approval configuration per audience
+
+The system SHALL support per-audience tool approval configuration via
+`ToolApprovalConfig` on `ToolAudienceProfile`. Each audience profile SHALL
+independently specify a `DefaultMode` (Auto, Approval, Deny) and per-tool
+overrides in `ToolOverrides`. The default `DefaultMode` SHALL be `Auto` (no
+approval required). Runtime audience defaults SHALL NOT implicitly place
+`shell_execute` in `Approval` mode. Instead, the init-generated Personal config
+SHALL explicitly write
+`ApprovalPolicy.ToolOverrides.shell_execute = Approval` as the recommended
+shell-safe default.
+
+When `shell_execute` is in Approval mode, the three-layer gate (hard-deny,
+zone, verb-pattern) SHALL evaluate each invocation. The audience's baseline
+trusted zones SHALL be derived from the audience trust profile's
+`read_allowed_roots`; the in-memory session-scope grants SHALL apply for
+the current session only.
+
+#### Scenario: Shell requires approval in init-generated Personal config
+
+- **GIVEN** a Personal audience session whose generated config explicitly sets
+  `ApprovalPolicy.ToolOverrides.shell_execute` to `Approval`
+- **WHEN** the agent invokes `shell_execute`
+- **THEN** `ToolAccessPolicy` marks the call as approval-gated
+- **AND** the three-layer gate evaluates the call
+- **AND** if any layer requires user input, an approval prompt is emitted
+
+#### Scenario: Tool in Auto mode executes without approval
+
+- **GIVEN** a tool whose approval mode is `Auto` for the session's audience
+- **WHEN** the agent invokes the tool
+- **THEN** the tool executes immediately without an approval prompt
+
+#### Scenario: Tool in Deny mode is always blocked
+
+- **GIVEN** a tool whose approval mode is `Deny` for the session's audience
+- **WHEN** the agent invokes the tool
+- **THEN** the tool is denied with reason `tool_denied_by_approval_policy`
+- **AND** no approval prompt is offered
+
+#### Scenario: Per-audience independence
+
+- **GIVEN** Personal sets `shell_execute` to `Approval` and Team sets it to `Deny`
+- **WHEN** a Personal session invokes `shell_execute`
+- **THEN** `ToolAccessPolicy` marks the call as approval-gated
+- **AND** the three-layer gate evaluates against Personal's stores
+- **AND** when a Team session invokes `shell_execute`
+- **THEN** the system denies immediately without prompting
+
+### Requirement: Configurable hard deny list
+
+The system SHALL enforce a configurable hard deny list of command patterns that
+are blocked before the zone gate or verb-pattern gate is consulted. Denied
+commands SHALL never be approvable. The system SHALL ship with sensible defaults:
+commands that kill the Netclaw daemon process, `rm -rf /`, `rm -rf ~/`, and fork
+bombs. Operators SHALL be able to add or remove patterns via configuration.
+
+The hard deny list SHALL operate on the parsed `ParsedCommand` AST clauses
+provided by `ShellSyntaxTree`. Each clause SHALL be checked independently;
+a compound containing any hard-denied clause SHALL be denied wholesale.
+
+#### Scenario: Hard-denied command blocked before any gate
+
+- **GIVEN** a command matching the hard deny list (e.g., `netclaw daemon stop`)
+- **WHEN** the agent invokes `shell_execute` with that command
+- **THEN** the command is denied with reason `hard_deny_self_destructive`
+- **AND** no zone or verb prompt is offered
+- **AND** the denial is logged
+
+#### Scenario: Hard deny enforced even in HostAllowed mode
+
+- **GIVEN** `ShellMode` is `HostAllowed` (no approval config)
+- **WHEN** the agent runs a hard-denied command
+- **THEN** the command is still blocked
+
+#### Scenario: Operator adds custom hard deny pattern
+
+- **GIVEN** the operator adds `docker rm` to the hard deny list in config
+- **WHEN** the agent runs `docker rm my-container`
+- **THEN** the command is denied
+
+#### Scenario: Compound command with hard-denied clause
+
+- **GIVEN** a compound command `git add . && netclaw daemon stop`
+- **WHEN** the agent invokes `shell_execute`
+- **THEN** the entire command is denied because one clause matches hard deny
+
+### Requirement: IToolApprovalMatcher extension point
+
+The system SHALL define an `IToolApprovalMatcher` interface for tool-specific
+extraction and gate evaluation. Shell SHALL implement zone-and-verb
+evaluation using `ShellSyntaxTree`. A default implementation SHALL provide
+tool-name-level matching for tools without a custom matcher.
+
+The shell matcher SHALL accept the parsed `ParsedCommand` AST plus the
+audience's trust state (baseline zones, persisted zones, session zones,
+persisted verb patterns, session verb patterns) and return per-clause
+evaluation results indicating which gate(s) require user prompting.
+
+#### Scenario: Shell matcher consumes ParsedCommand and trust state
+
+- **GIVEN** a parsed `npm install lodash` and the Personal audience trust state
+- **WHEN** the matcher evaluates the call
+- **THEN** the matcher returns the gate state (zone-pass, verb-pass / verb-prompt etc.)
+  for each clause
+
+#### Scenario: Default matcher used for tools without custom matcher
+
+- **GIVEN** a tool without a custom `IToolApprovalMatcher` implementation
+- **WHEN** the matcher evaluates the call
+- **THEN** the default tool-name-level matcher is used
+- **AND** the zone gate is not evaluated (no command paths to check)
+
+### Requirement: Mid-turn approval pause
+
+The system SHALL pause individual tool execution tasks when approval is required
+without blocking other tool calls in the same batch. The pause SHALL use a
+`TaskCompletionSource` that completes when the session actor receives an approval
+response. The pause SHALL span the entire `ToolApprovalWorkflow` (both prompts
+when both fire). The pause SHALL wait indefinitely for the user response — there
+is no clock-driven auto-deny. Operators take as long as they need to evaluate
+prompts; the system silently transitioning a workflow to a denied state on a
+timer would manufacture race conditions (late clicks landing in already-terminated
+workflows) for zero security benefit.
+
+#### Scenario: Approval-pending tool blocks while others complete
+
+- **GIVEN** a batch of 3 tool calls: `web_search`, `shell_execute`, `file_read`
+- **AND** `shell_execute` requires approval
+- **WHEN** the batch executes
+- **THEN** `web_search` and `file_read` execute in parallel immediately
+- **AND** `shell_execute` blocks waiting for the approval workflow
+- **AND** the session actor remains responsive to messages
+
+#### Scenario: Approval pause waits indefinitely for user response
+
+- **GIVEN** a zone prompt has been emitted
+- **AND** the user has not yet clicked any button
+- **WHEN** an arbitrarily long time passes (minutes, hours, until daemon restart)
+- **THEN** the workflow remains paused on the TaskCompletionSource
+- **AND** no clock-driven transition to `TimedOut` occurs
+- **AND** when the user eventually clicks, the workflow resumes from that state
+
+#### Scenario: Approved tool executes after both prompts complete
+
+- **GIVEN** a tool is in the verb-pattern gate after zone-gate approval
+- **WHEN** the user approves the verb prompt
+- **THEN** the tool executes and returns its result
+- **AND** any persisted grants are written to `tool-approvals.json`
+
+#### Scenario: Denied tool returns denial message
+
+- **GIVEN** a tool is blocked at either prompt
+- **WHEN** the user denies
+- **THEN** the workflow terminates with `Denied`
+- **AND** the tool returns "Command denied by user" as the tool result
+- **AND** no command is executed
+
+### Requirement: ToolInteractionRequest/Response protocol
+
+The system SHALL define a `ToolInteractionRequest` session output and
+`ToolInteractionResponse` session command for channel-mediated approval
+interactions. The interaction `Kind` SHALL identify the interaction type
+and the gate that issued it: `approval_zone` for the zone gate prompt,
+`approval_verb` for the verb-pattern gate prompt. `ToolInteractionRequest`
+SHALL be a lifecycle output (always delivered regardless of `OutputFilter`).
+
+`ToolInteractionRequest` for `approval_zone` SHALL include a `Paths` field
+containing the untrusted paths the prompt asks about. `ToolInteractionRequest`
+for `approval_verb` SHALL include a `VerbPattern` field containing the
+glob pattern proposed for the `Always` button.
+
+`ToolInteractionResponse` SHALL include `CallId`, the gate the response
+applies to, and the selected scope (`Once`, `Session`, `Always`, `Deny`).
+
+#### Scenario: Zone prompt emitted as session output
+
+- **GIVEN** the zone gate decides to prompt
+- **WHEN** the workflow issues the prompt
+- **THEN** a `ToolInteractionRequest` with `Kind=approval_zone` is emitted
+- **AND** it includes `CallId`, `ToolName`, the untrusted paths, and the audience name
+
+#### Scenario: Verb prompt emitted as session output
+
+- **GIVEN** the verb-pattern gate decides to prompt
+- **WHEN** the workflow issues the prompt
+- **THEN** a `ToolInteractionRequest` with `Kind=approval_verb` is emitted
+- **AND** it includes `CallId`, `ToolName`, the verb pattern, and the audience name
+
+#### Scenario: Channel routes response to the correct workflow stage
+
+- **GIVEN** a workflow has emitted a zone prompt
+- **WHEN** the user submits a response
+- **THEN** the channel sends a `ToolInteractionResponse` to the session actor
+- **AND** the workflow advances to the verb gate stage on Approve
+- **OR** terminates with Denied
+
+### Requirement: Channel approval capability
+
+Channels SHALL declare whether they support interactive approval via a
+capability flag. When a tool requires approval and the active channel does NOT
+support it, the system SHALL immediately deny the tool with reason
+`channel_does_not_support_approval`. The system SHALL NOT hang or timeout.
+
+The capability check SHALL apply once per call regardless of how many
+prompts the workflow would issue — a non-interactive channel cannot
+serve any prompt.
+
+#### Scenario: Unsupported channel auto-denies
+
+- **GIVEN** the headless channel (no interactive user)
+- **AND** `shell_execute` is in Approval mode
+- **WHEN** the agent invokes `shell_execute`
+- **THEN** the tool is immediately denied with
+  `channel_does_not_support_approval`
+
+#### Scenario: Supported channel renders approval prompt
+
+- **GIVEN** the Slack channel (supports interactive approval)
+- **AND** `shell_execute` is in Approval mode
+- **WHEN** the agent invokes `shell_execute` requiring zone or verb approval
+- **THEN** the channel renders the appropriate prompt (zone or verb)
+
+## REMOVED Requirements
+
+### Requirement: Shell command pattern matching
+**Reason:** Verb-chain extraction logic is delegated to `ShellSyntaxTree`.
+The Netclaw matcher no longer owns tokenization, compound splitting, or
+`bash -c` recursion — those concerns moved to the parser library. The
+matcher consumes the parsed AST instead.
+**Migration:** Replace `ShellTokenizer.SplitCompoundCommand` /
+`Tokenize` callers with `IShellParser.Parse` and walk the
+`ParsedCommand.Clauses`. See ADDED requirement "ShellSyntaxTree
+dependency for command parsing."
+
+### Requirement: Persistent approval storage
+**Reason:** The `(verb, directory)` `ApprovalEntry` schema is replaced by
+the two-store per-audience schema with `verbPatterns` and `trustedZones`
+glob arrays. The `version: 2` marker and v1 quarantine logic are
+obsolete; v1 and v2 file shapes both archive to a `.v2-discarded.bak`
+sibling on first read.
+**Migration:** No data migration. Operators on pre-release Netclaw will
+see their existing `tool-approvals.json` archived and an empty
+new-schema file created. They re-grant via prompts as needed. See ADDED
+requirement "Two-store per-audience persistence schema."
+
+### Requirement: Directory-root approvals for shell_execute
+**Reason:** The `(verb, directory)` cross-product entry shape is gone.
+Trust geography (zones) and trust action (verb patterns) are now two
+independent stores, each evaluated by its own gate.
+**Migration:** A user wanting v2's `(grep, ~/.netclaw/logs/)` behavior
+now grants `~/.netclaw/logs/` to `trustedZones` (silent for read-only
+verbs), or both `~/.netclaw/logs/` to `trustedZones` AND `grep *` to
+`verbPatterns` (silent for any verb). See ADDED requirements
+"Trust zones store and evaluation" and "Verb-pattern store and evaluation."
+
+### Requirement: Safe-verb auto-allow short-circuit in declared safe spaces
+**Reason:** The "safe-verbs in safe-spaces" short-circuit is replaced by
+the explicit zone gate. Read-only verbs auto-pass *only* inside trusted
+zones; outside-zone access always prompts. The audience-aware safe-space
+roots are now resolved from `trustedZones` ∪ baseline ∪ `session_dir`
+∪ in-memory session-scope zones, not from a separate
+`ToolAudienceProfileResolver` pathway.
+**Migration:** The shipped `safe-verbs.linux.json` /
+`safe-verbs.windows.json` files become the read-only verb list consulted
+by the verb-pattern gate when deciding whether to auto-pass for paths
+inside trusted zones. The list itself survives; the gate logic
+consuming it changes. The `ScopedShellSafeVerbPolicy` class is
+replaced by gate evaluation in the new matcher.
+
+### Requirement: Five-button approval prompt with verb-and-directory framing
+**Reason:** The 5-button row encoded the v2 `(verb, directory)`
+cross-product (`Always here` vs `Always anywhere`). The new model has
+two independent gates, each with a 4-button row of `[Once / Session /
+Always / Deny]`. Sequential prompting replaces the cross-product
+button matrix.
+**Migration:** Slack and Discord prompt builders SHALL render two
+distinct prompt shapes (zone-gate, verb-gate) each with a 4-button row,
+issued sequentially. See ADDED requirement "Sequential 4-button approval
+prompts."
+
+### Requirement: Resolution message single-line format
+**Reason:** The `Saved: <verb-list> in <directory>` format encodes the
+v2 cross-product shape. The new format identifies which store was
+extended (zone vs verb) and the scope.
+**Migration:** Update channel adapters to emit the new resolution
+message format. See ADDED requirement "Resolution message format for
+two-store schema."
+
+### Requirement: Pattern extraction refuses bash control-flow
+**Reason:** Bash control-flow detection (for/while/case) is now part of
+`ShellSyntaxTree`'s parser. When the parser cannot produce a clean AST
+(unparseable input, unbalanced quotes, control-flow), the matcher
+SHALL still fall back to offering only `Once` and `Deny`, but the
+detection logic itself lives in the parser library.
+**Migration:** Replace `ShellTokenizer.SplitCompoundCommand` callers
+with `IShellParser.Parse`; the parser surfaces an unparseable flag that
+the matcher consumes to constrain the prompt buttons. See ADDED
+requirement "ShellSyntaxTree dependency for command parsing."
diff --git a/openspec/changes/approval-policy-trust-zones/tasks.md b/openspec/changes/approval-policy-trust-zones/tasks.md
new file mode 100644
index 00000000..ce9ed78c
--- /dev/null
+++ b/openspec/changes/approval-policy-trust-zones/tasks.md
@@ -0,0 +1,134 @@
+## 1. ShellSyntaxTree library (external repo)
+
+- [ ] 1.1 Create `github.com/Aaronontheweb/ShellSyntaxTree` repo with .NET 10 class library project, MIT license, `ShellSyntaxTree` NuGet package id, README, CONTRIBUTING. Verify: empty project builds with `dotnet build`.
+- [ ] 1.2 Define core AST records: `ParsedCommand`, `Clause`, `VerbChain`, `Arg` (with `Kind = Literal | EnvVar | Glob | Tilde | DynamicSkip`), `Redirect`, `CompoundOperator` enum. Verify: types compile and have round-trip equality semantics covered by unit tests.
+- [ ] 1.3 Define `IShellParser` interface with `ParsedCommand Parse(string command)` and `bool TryParse(string, out ParsedCommand)`. Verify: interface compiles, default implementation throws NotImplementedException.
+- [ ] 1.4 Implement `BashLexer`: tokenization with single/double-quote handling, escape sequences, redirect operators, compound operators (`&&`, `||`, `;`, `|`), subshell parens, here-doc start markers. Verify: lexer test suite covers each token kind with positive and negative cases (≥40 cases).
+- [ ] 1.5 Implement `BashParser`: recursive-descent over the lexer's token stream producing `ParsedCommand`. Handle clause splitting on compound operators, subshell isolation, `bash -c "inner"` recursion, here-doc body skipping, unparseable-input flag. Verify: parser test suite covers each grammar production with ≥80 cases including counter-examples.
+- [ ] 1.6 Implement `BashArity` dictionary: per-verb token count for verb chains (`cd: 1`, `git: 2`, `docker compose: 3`, `bun run: 3`, etc.). Sourced from OpenCode plus Netclaw-observed verbs. Verify: arity lookup unit-tested with ≥30 verbs.
+- [ ] 1.7 Implement `FILES`/`CWD`/`CMD_FILES` verb tables for path-arg extraction. Verify: per-verb path-arg extraction unit-tested for each table with ≥40 cases.
+- [ ] 1.8 Implement per-verb `pathArgs` filter: knows `chmod 755 file` (first arg is mode, rest are paths), `cp -r src dst` (skip flag, both rest are paths), Windows-cmd `/X` flag skipping. Verify: unit-tested per verb (≥20 verbs).
+- [ ] 1.9 Implement `Resolver`: `~` expansion, `$VAR` / `${VAR}` env-var resolution against an injected `IEnvironmentSnapshot`, glob detection (`*`, `?`, `[`), `filesystem::/path` prefix stripping, dynamic-skip when expansion fails. Verify: resolver unit tests cover each expansion case with ≥30 inputs.
+- [ ] 1.10 Implement cd-in-compound propagation: walk `Clauses`; when first clause is `cd /target`, attribute `/target` as an additional path on subsequent clauses within the same compound (until subshell boundary). Verify: AST-level test ≥10 cases including nested subshells.
+- [ ] 1.11a Draft `tests/Corpus/SANITIZATION.md` describing what gets stripped from session-log seeds (usernames, channel/thread IDs, repo names, internal hostnames, real filenames → placeholders) and the regex patterns used. Aaron reviews before any logs are touched. Verify: SANITIZATION.md committed, Aaron sign-off in PR.
+- [ ] 1.11 Author corpus at `tests/Corpus/` with input + expected-AST JSON files. Seed from session logs sanitized per SANITIZATION.md (PII stripped). Target ≥100 corpus entries covering each grammar production and counter-examples. Verify: corpus runner test executes every entry and asserts AST equality; second pass on the corpus confirms zero PII via grep against the sanitization patterns.
+- [ ] 1.12 Set up CI on the external repo: `dotnet test` on push, NuGet publish on tag. Verify: CI green on initial commit; tag-based publish documented.
+- [ ] 1.13 Cut `0.1.0-alpha` tag and verify NuGet publish pipeline produces a consumable package. Verify: package downloadable from nuget.org and installable in a separate test project.
+
+## 2. Netclaw consumption of ShellSyntaxTree
+
+- [ ] 2.1 Add `<ProjectReference>` to sibling `ShellSyntaxTree` clone in `Netclaw.Security.csproj` for parallel development. Verify: `dotnet build` succeeds with sibling reference.
+- [ ] 2.2 Register `BashParser` as `IShellParser` in `Netclaw.Security` DI registration extension. Verify: DI resolution unit-tested.
+- [ ] 2.3 Replace `ShellTokenizer.Tokenize` / `SplitCompoundCommand` callers with `IShellParser.Parse` calls returning `ParsedCommand`. Files affected: `ShellCommandPolicy.cs`, `ShellApprovalSemantics.cs`, `ToolPathPolicy.cs`. Verify: all callers compile and pass existing tests after migration.
+- [ ] 2.4 Delete `ShellTokenizer.cs` and `ShellTokenizerTests.cs` once all callers migrated. Verify: no references remain via `grep -r ShellTokenizer src/`.
+- [ ] 2.5 Once ShellSyntaxTree v0.1 publishes to NuGet, switch `<ProjectReference>` to `<PackageReference>` with version pin. Update `Directory.Packages.props`. Verify: `dotnet restore` succeeds against the package; sibling repo path no longer required.
+
+## 3. Two-store persistence schema
+
+- [ ] 3.1 Define new `TrustZoneStore` and `VerbPatternStore` records (per-audience glob arrays). Verify: serialization round-trip tested (System.Text.Json AOT-source-generated).
+- [ ] 3.2 Update `tool-approvals.json` JSON schema to per-audience structure with `verbPatterns` and `trustedZones` array fields. Update the schema file at `src/Netclaw.Configuration/Schemas/` (per CLAUDE.md schema sync rule) if `tool-approvals.json` has a schema entry. Verify: schema validates a sample new-shape file and rejects v1/v2 shapes.
+- [ ] 3.3 Implement `ToolApprovalStore.LoadAsync` that detects v1/v2 shapes (top-level `version` field, `ApprovalEntry` arrays) and archives to `.v2-discarded.bak`, returning empty new-shape store. Verify: unit tests cover v1, v2, new-shape, and missing-file inputs.
+- [ ] 3.4 Implement `ToolApprovalStore.PersistAsync` writing per-audience structure with atomic file replace. Verify: unit-tested for concurrent writers (last-write-wins, no truncation).
+- [ ] 3.5 Implement `ToolApprovalStore.AddZone(audience, glob, scope)` and `AddVerbPattern(audience, glob, scope)` methods. Scope `Always` writes to disk; `Session` is a no-op at this layer (handled by LlmSessionActor). Verify: unit-tested.
+- [ ] 3.6 Implement `ToolApprovalStore.RevokeZone(audience, glob)` and `RevokeVerbPattern(audience, glob)` methods. Verify: unit-tested.
+- [ ] 3.7 Wire out-of-band file edit detection: re-read file on each gate evaluation (or via `ConfigWatcherService` if performance becomes an issue). Verify: integration test edits the file mid-test and confirms next evaluation sees the change.
+
+## 4. In-memory session-scope grants
+
+- [ ] 4.1 Add `SessionTrustedZones` and `SessionVerbPatterns` fields to `LlmSessionActor` (in-memory `List<string>` each). Verify: fields initialize empty on actor start.
+- [ ] 4.2 Add `LlmSessionActor.AddSessionZone(glob)` and `AddSessionVerbPattern(glob)` methods invoked by the workflow when user clicks `Session` scope. Verify: unit-tested.
+- [ ] 4.3 Confirm `SessionSnapshot` does NOT include session-scope grants. Add explicit test asserting snapshot serialization omits these fields. Verify: snapshot round-trip test.
+- [ ] 4.4 Confirm actor recovery from snapshot does NOT restore session-scope grants. Verify: recovery test asserts both lists are empty after restore.
+
+## 5. Three-layer gate evaluator
+
+- [ ] 5.1 Define `GateEvaluator` service with `Evaluate(ParsedCommand, Audience, TrustState)` returning per-clause `GateResult` (hard-deny / zone-pass / zone-prompt / verb-pass / verb-prompt / verb-pass-readonly). Verify: unit-tested for each result kind.
+- [ ] 5.2a Define `HardDenyDefaults` static class in `Netclaw.Security` with the shipped baseline rules as immutable C# data. Each rule uses the structured DSL (verb + argFlags + firstPath predicates, or rawText escape). Translate the existing `toolConfig.HardDenyPatterns` regex list into structured form during this task; document each translation in the commit message. Verify: defaults round-trip through the matcher; every existing hard-deny test still passes after rule translation.
+- [ ] 5.2b Implement `HardDenyOverridesLoader` reading `~/.netclaw/config/hard-deny-overrides.json` (additive only; rejects rules attempting to disable shipped defaults). Verify: loader unit-tested for valid additions, malformed JSON, and shadow-attempt rejection.
+- [ ] 5.2c Implement `HardDenyDoctorCheck` verifying shipped defaults are present in the loaded final ruleset at startup. Refuse daemon start with loud error if any default is missing. Verify: doctor check unit-tested.
+- [ ] 5.2 Implement Layer 1 hard-deny check operating on parsed clauses. For each clause, evaluate the structured rules first; for `escapeHatch: true` rawText rules, normalize the clause back to a string and apply the regex. Verify: hard-deny unit tests pass against parsed-clause inputs and rawText fallback.
+- [ ] 5.3 Implement Layer 2 zone gate: extract paths per clause from AST (path args + cd-in-compound attribution + redirect targets); check each against the union (audience baseline ∪ persisted zones ∪ session zones ∪ session_dir); collect untrusted paths into a single batched prompt. Verify: per-path zone evaluation unit-tested with ≥30 cases.
+- [ ] 5.4 Implement Layer 3 verb-pattern gate: extract verb chain per clause via BashArity; check against persisted patterns ∪ session patterns. Read-only verb auto-pass conditional on all clause paths being inside trusted zones. Verify: gate decision unit-tested for read-only-in-zone, read-only-outside-zone, mutating-with-pattern, mutating-without-pattern.
+- [ ] 5.5 Define `IToolApprovalMatcher` v3 interface accepting `ParsedCommand` + `TrustState` and returning per-clause `GateResult`. Implement `ShellApprovalMatcher` for shell tools; default tool-name matcher for non-shell tools. Verify: matcher unit-tested.
+- [ ] 5.6 Wire `GateEvaluator` into `ToolAccessPolicy`. Replace v2 matcher integration. Verify: `ToolAccessPolicy` unit tests updated and passing.
+- [ ] 5.7 Implement parser anomaly safe-fail: when `IShellParser.Parse` throws or returns an unparseable AST, route to safe-fail (hard-deny still consults rawText fallback; zone gate prompts as if raw command operates on one untrusted path; verb gate offers only Once/Deny). Verify: safe-fail unit tests covering parse exceptions, unparseable flag, and partial-AST cases.
+
+## 6. Per-call ToolApprovalWorkflow
+
+- [ ] 6.1 Define `ToolApprovalWorkflow` value type on `LlmSessionActor` with fields `Call`, `Paths`, `ZoneState`, `VerbState`, `Stage`. Verify: type compiles with minimal allocation footprint.
+- [ ] 6.2 Implement workflow state machine `Start → ZoneGate → VerbGate → Complete`. Issue zone prompt when `Paths` contain untrusted entries; advance to verb gate after response; issue verb prompt when verb-pattern gate decides to prompt. Verify: state-machine unit tests cover all transition paths.
+- [ ] 6.3 Implement workflow termination on `Deny` at any stage; on `Approved` at `Complete` stage; on `TimedOut` at any stage. Verify: termination unit tests for each cause.
+- [ ] 6.4 Wire workflow into `LlmSessionActor` per-call dispatch. Replace v2 single-prompt code path. Verify: integration test exercises a call requiring both prompts.
+- [ ] 6.5 Confirm watchdog pause/resume spans the entire workflow (across both prompts). Verify: watchdog test asserts no pre-emption between prompts.
+- [ ] 6.6 Apply scope handling: `Once` runs no persistence; `Session` calls `AddSessionZone`/`AddSessionVerbPattern`; `Always` calls `ToolApprovalStore.AddZone`/`AddVerbPattern`. Verify: scope-handling unit tests.
+
+## 7. Slack adapter
+
+- [ ] 7.1 Update `SlackApprovalBlockBuilder` to render two distinct prompt shapes by `Kind`: `approval_zone` (header asks about paths; row contains `Once / Session / Trust <path> / Deny`) and `approval_verb` (header asks about verb pattern; row contains `Once / Session / Always <pattern> / Deny`). Verify: builder unit tests assert block structure for each Kind.
+- [ ] 7.2 Implement label truncation when path/pattern exceeds 76-character button-text cap. Full value remains in body. Verify: truncation unit test for ≥10 long inputs.
+- [ ] 7.3 Update Slack interaction handler to route response by `Kind` to the correct `ToolApprovalWorkflow` stage. Verify: handler test routes zone vs verb responses correctly.
+- [ ] 7.4 Update resolution message rendering: `Saved zone: ...`, `Saved verb: ...`, `Approved (no save)`, `Denied`. Verify: resolution-line unit tests.
+- [ ] 7.5 Update Slack sample fixtures and snapshot tests for the new prompt shapes. Verify: snapshot tests pass after baseline update.
+
+## 8. Discord adapter
+
+- [ ] 8.1 Update `DiscordApprovalPromptBuilder` to mirror Slack's two-prompt-shape rendering with Discord button styles. Verify: builder unit tests for each Kind.
+- [ ] 8.2 Implement label truncation at 80-character cap. Verify: truncation test.
+- [ ] 8.3 Update Discord interaction handler for `Kind`-based routing. Verify: handler test.
+- [ ] 8.4 Update resolution message rendering for Discord. Verify: resolution-line tests.
+
+## 9. CLI / TUI
+
+- [ ] 9.1 Update `netclaw approvals` TUI to surface two tabs `[Z]ones` and `[V]erbs` per audience. Verify: TUI integration test renders both tabs.
+- [ ] 9.2 Update `netclaw approvals list` (non-interactive) to print both stores per audience. Verify: CLI snapshot test.
+- [ ] 9.3 Update `netclaw approvals revoke` to accept a glob and an axis (`--zone` or `--verb`). Verify: CLI command unit test.
+- [ ] 9.4 Update `netclaw approvals trust-verb <verb-pattern>` to accept the new glob format (`git push *`, `dotnet test *`). Verify: CLI command test.
+- [ ] 9.5 Add `netclaw approvals trust-zone <directory>` for adding a zone via CLI (matching the prompt's `Trust this directory` action). Verify: CLI command test.
+- [ ] 9.6 Update `netclaw approvals --help` text with new schema and commands. Verify: help text snapshot test.
+
+## 10. Deletions
+
+- [ ] 10.1 Delete `src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs` and remove all references from tool registries, audience profiles, tool exposure lists. Verify: `grep -r SetWorkingDirectory src/` returns zero matches outside this change's spec deltas.
+- [ ] 10.2 Delete `WorkingContext.ProjectDirectory` field and all reads/writes. Update `WorkingContext.cs`, `SessionSnapshot` serialization, `WorkingContext.ToContextBlock()`. Verify: `grep -r ProjectDirectory src/` returns zero matches outside spec deltas.
+- [ ] 10.3 Delete the `[project-instructions]` slot from `SystemPromptAssembler.Assemble()` and the `FileSystemPromptProvider` project handling. Verify: system prompt snapshot tests updated; no project-content slot remains.
+- [ ] 10.4 Delete the daemon-side identity-file-loading code path (the `.netclaw/AGENTS.md` / `AGENTS.md` / `CLAUDE.md` / `CONTEXT.md` lookup driven by ProjectDirectory). Verify: code path tests removed; agent-side discipline test added in §11.
+- [ ] 10.5 Delete `ScopedShellSafeVerbPolicy` (replaced by inline gate evaluation). Verify: no callers remain; safe-verbs file load logic survives but is consumed directly by the new gate evaluator.
+- [ ] 10.6 Update `WorkingContext.ResolveShellCwd` to remove `ProjectDirectory` from the resolution chain (now: `args.WorkingDirectory → SessionDirectory`). Verify: cwd-resolution unit tests pass.
+- [ ] 10.7 Delete the `ShellTool` failure-path hint emission for `set_working_directory`. Verify: hint emission tests removed.
+- [ ] 10.8 Extend `ToolPathPolicy` write-deny and shell-deny lists in `src/Netclaw.Daemon/Program.cs:609-633` to include `paths.ConfigDirectory`. Single-line addition; uses existing infrastructure. Verify: integration test attempts agent file_write to `~/.netclaw/config/tool-approvals.json`, asserts hard-deny; attempts agent shell_execute redirecting to `~/.netclaw/config/netclaw.json`, asserts hard-deny; attempts via symlink, asserts symlink-resolved deny.
+
+## 11. Agent guidance
+
+- [ ] 11.1 Update `src/Netclaw.Configuration/Resources/AGENTS.md` with explicit project-context lookup discipline section (".netclaw/AGENTS.md → AGENTS.md → CLAUDE.md → CONTEXT.md, read once per project per session via file_read; don't re-read on later turns"). Verify: AGENTS.md content review; eval suite case asserts agent reads project context on first project entry.
+- [ ] 11.2 Remove any text in `Resources/AGENTS.md` referencing `set_working_directory` as the gesture for declaring project scope. Verify: `grep set_working_directory src/Netclaw.Configuration/Resources/` returns zero.
+- [ ] 11.3 Add an "Approval gates" section to `Resources/AGENTS.md` describing the two-gate model (zone + verb), the `Once / Session / Always / Deny` button row, and how to phrase rationale for prompts the user will see. Also document the scripts-as-units-of-approval pattern: for multi-step operations or anything that will be re-run later (scheduled tasks, webhook handlers), write the script into the project workspace and propose its execution as a single approval. Workspace already trusted → one user approval covers the script forever; reminders/webhooks fire `bash <workspace>/<script>.sh` against the same pre-approved verb pattern with no prompting at runtime. Discourage chained inline tool calls for anything that has reuse potential. Verify: AGENTS.md review.
+- [ ] 11.5 Update Slack and Discord approval-prompt builders to render script contents inline in the prompt body when the command is `bash <path>` / `sh <path>` / `./<path>` and the path is a regular file readable by the daemon. Truncate at ~50 lines with an "(N more lines)" footer. Statically scan the script content for protected-path mentions (`~/.netclaw/config/`, `/etc/`, daemon binary paths) and surface a "this script will write to: <paths>" callout above the buttons. Verify: snapshot tests for both adapters covering a benign script (echo + cat), a multi-step script (sed + mv), and a script that touches a protected path (with the warning rendered).
+- [ ] 11.4 Update `feeds/skills/.system/files/netclaw-operations/SKILL.md` (per CLAUDE.md system skills sync rule) for the new gate model, two-store schema, and CLI changes. Bump skill `metadata.version`. Verify: skill content review; `dotnet test` covering skill-loading passes.
+
+## 12. Eval suite
+
+- [ ] 12.1 Add eval case: read-only verb in trusted zone runs silently (zero prompts). Verify: eval green.
+- [ ] 12.2 Add eval case: mutating verb in trusted zone produces exactly one (verb) prompt. Verify: eval green.
+- [ ] 12.3 Add eval case: untrusted directory + mutating verb produces exactly two sequential prompts. Verify: eval green.
+- [ ] 12.4 Add eval case: multi-path command (cp /src /dst, both untrusted) produces one batched zone prompt listing both paths. Verify: eval green.
+- [ ] 12.5 Add eval case: `cd /target && cmd` attributes /target as a path the cmd operates on. Verify: eval green.
+- [ ] 12.6 Add eval case: agent reads project identity file via file_read on first project operation. Verify: eval green.
+- [ ] 12.7 Add eval case: agent does NOT call `set_working_directory` (tool not exposed). Verify: eval green.
+- [ ] 12.8 Run full eval suite (`./evals/run-evals.sh`); confirm no regressions. Verify: all evals green.
+
+## 13. Documentation
+
+- [ ] 13.1 Update `docs/help/approvals.md` (or equivalent operator-facing doc) with the two-gate model, four-button row, two-store schema, and TUI Z/V tabs. Verify: doc review.
+- [ ] 13.2 Update `docs/spec/` engineering specs that referenced v2 approval shape. Verify: `grep -r "ApprovalEntry\|verb.*directory.*tuple" docs/spec/` returns matches only in archive/historical.
+- [ ] 13.3 Add release note draft to `RELEASE_NOTES.md` covering: BREAKING approval schema change, BREAKING removal of `set_working_directory`, new ShellSyntaxTree dependency. Verify: release note review.
+- [ ] 13.4 Update `PROJECT_CONTEXT.md` and `TOOLING.md` if they reference the old approval model or `set_working_directory`. Verify: greps pass.
+
+## 14. Quality gates
+
+- [ ] 14.1 Run `dotnet slopwatch analyze`; baseline any unavoidable new entries with justification. Verify: no new violations or all baselined.
+- [ ] 14.2 Run `./scripts/Add-FileHeaders.ps1 -Verify`; confirm all `.cs` files have copyright headers. Verify: zero missing headers.
+- [ ] 14.3 Run `dotnet test` across the solution; confirm all tests pass after the rewrite. Verify: green.
+- [ ] 14.4 Run `openspec verify --change approval-policy-trust-zones`; confirm artifacts and implementation align. Verify: verify exits 0.
+- [ ] 14.5 Manual binary-swap on Aaron's machine: replace running daemon, confirm sample sessions exercise both gates with expected prompt shapes on Slack. Verify: Aaron sign-off.
+- [ ] 14.6 Confirm `tool-approvals.json` schema synced (per CLAUDE.md Configuration Schema Sync Rule) if any `*Config` types changed. Verify: `ConfigSchemaDoctorCheck` passes at runtime.
+- [ ] 14.7 Add a parser-version-bump CI gate in Netclaw: any PR that bumps the `ShellSyntaxTree` PackageReference version SHALL run `dotnet test --filter Category=ParserIntegration` exercising the entire parser corpus through Netclaw's live matcher path. Verify: gate present in CI config; intentionally-broken parser version bump fails the gate.
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/.openspec.yaml b/openspec/changes/archive/2026-05-08-approval-policy-v2/.openspec.yaml
new file mode 100644
index 00000000..054b8c01
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-08
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/design.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/design.md
new file mode 100644
index 00000000..1b0f328c
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/design.md
@@ -0,0 +1,198 @@
+## Context
+
+`tool-approval-gates` (originally specified in `2026-04-29-tool-approval-gates`, extended in `2026-05-07-directory-scoped-approval-patterns`) shipped a flat-string approval store keyed by audience and tool name. Each pattern is a string that the matcher inspects at evaluation time to decide whether it represents a verb chain, a normalized full command, a directory root, or a bash fragment. The shape works in trivial cases and fails in non-trivial ones: complex bash blocks shred into junk fragments that get persisted as approvals; the matcher's "is this a directory? a verb?" heuristic depends on trailing slashes; the channel adapters render two parallel sections (`Patterns` and `Directory Roots`) because the data model can't distinguish them.
+
+Real use surfaced two outcomes neither the spec nor the original PRs anticipated:
+
+1. **Approval volume is too high.** The agent's only declared safe space is `~/.netclaw/sessions/<id>/` (the per-session scratch dir established by `SessionMessageAssembler`). Any shell call against the user's actual project — typically read-only `grep`/`ls`/`cat`/`git status` — triggers the approval gate. Users running `netclaw` against a repository they own end up clicking through dozens of prompts that have no security value.
+2. **Approval clarity is too low.** Aaron's persisted store accumulated 50 entries including `done`, `for pid`, `awk {print $2})`, `do threads=$(grep`, `fds=$(ls`. None of those will ever match a sensible future invocation. The user sees them in `netclaw approvals list` and cannot reason about what they're authorizing or revoking.
+
+We have no users yet, so we can do a clean redesign. This change replaces the flat-string store with a typed `(verb, directory)` model, layers a safe-verbs ∩ safe-space short-circuit on top, and rebuilds the prompt UX so a single click maps to a single decision.
+
+The session already has the right primitives. `WorkingContext` (`src/Netclaw.Actors/Sessions/WorkingContext.cs`) persists a `ProjectDirectory` set via the `set_working_directory` tool, surviving compaction and daemon restart. `ScopedFileAccessPolicy` (`src/Netclaw.Actors/Tools/ScopedFileAccessPolicy.cs`) and `ToolAudienceProfileResolver` already implement audience-aware root resolution with symlink-segment protection for file_read. We're adopting that pattern for shell.
+
+## Goals / Non-Goals
+
+**Goals:**
+
+- Reduce approval prompt volume to commands that genuinely warrant interrupting the user (mutation, or anything outside declared safe spaces).
+- Make every prompt the user sees answer one obvious question: *"approve `<verb>` in `<directory>`?"*.
+- Type the approval store so each entry self-describes its scope — verb plus directory, with an explicit `null` for the global wildcard.
+- Stop persisting bash fragments and over-precise normalized commands. Approvals should be coarse enough to reuse and specific enough to reason about.
+- Give scheduled/unattended tasks a clean path to pre-approval that doesn't require hand-editing JSON.
+- Push the agent toward calling `set_working_directory` early when working on a project, so the trust boundary is correctly declared.
+
+**Non-Goals:**
+
+- Migration of the existing v1 store. Quarantine to `.v1.bak` and start fresh; users have no production approvals worth preserving.
+- Glob or regex pattern matching. Verb chains and absolute directory paths only.
+- Stale-entry pruning of the v2 store. Track separately if it becomes a real problem.
+- Persistent "trust this folder forever" grants beyond what `(verb, directory)` already expresses.
+- Rewriting `ShellTokenizer` to be a real bash parser. We add cheap structural detection that refuses pattern extraction when the input is messy; we do not attempt to understand for-loops, subshells, or heredocs semantically.
+- Modal-driven scope picker. Considered and rejected — see Decision 6.
+
+## Decisions
+
+### 1. Trust boundary is `safe verb ∩ safe space`, not just one or the other
+
+**What:** Three-position policy. Auto-run with no prompt only when the verb is on a curated per-OS safe-verbs list AND the cwd resolves under one of the audience-aware safe-space roots (`session_dir`, `project_dir` for Personal/Team, `session_dir` only for Public). Anything else prompts. Hard-deny list (layer 1) is unchanged.
+
+**Why:** A pure "in safe space → run anything" model auto-allows mutation (`git push` in your repo still pushes to the world). A pure "verb is read-only → run anywhere" model is the curated-allowlist pattern we explicitly rejected when we built this in the first place. The intersection captures the right thing: read-only inspection of declared work surfaces is implicit; everything else is explicit.
+
+**Alternatives considered:**
+
+- *In safe space → run anything (subject to hard-deny):* Too loose. `git push` in a project dir bypassing approval is an obvious foot-gun.
+- *Verb on safe list anywhere → run:* Re-introduces the global verb allowlist. The `freshdesk` case (a user-installed CLI we know nothing about) shows this is actually attractive for some commands but should be opt-in via `trust-verb`, not a default.
+- *Per-session "first prompt then cache":* Burns the user's attention in the first 5 minutes of every session. Doesn't survive `set_working_directory` being a thing.
+
+### 2. Safe-verbs list is per-OS, file-driven
+
+**What:** `safe-verbs.linux.json` and `safe-verbs.windows.json` shipped with the daemon. Each is a flat list of verb chains. Users can override at `~/.netclaw/config/safe-verbs.<os>.json`.
+
+**Why:** The list of read-only-by-nature verbs differs sharply between OSes — `dir`/`type`/`Get-Content` on Windows vs. `ls`/`cat`/`find` on POSIX. A single combined list either bloats unnecessarily or omits things users will hit. Per-OS keeps the defaults focused.
+
+**Alternatives considered:**
+
+- *Single combined list:* Bloats; verbs that don't exist on the target OS are dead weight in the matcher.
+- *Hardcoded constants:* No user override path. Users can't add their own internal CLIs without a code change.
+- *Config in `netclaw.json`:* Mixes operational config (hot-reloaded) with security policy (should not be silently swappable).
+
+Default Linux/macOS list: `ls`, `find`, `grep`, `egrep`, `fgrep`, `rg`, `cat`, `head`, `tail`, `wc`, `sort`, `uniq`, `cut`, `tr`, `awk`, `sed -n`, `file`, `pwd`, `which`, `stat`, `tree`, `du`, `df`, `git status`, `git log`, `git diff`, `git show`, `git branch`, `git remote`, `git rev-parse`, `git ls-files`, `git blame`.
+
+Default Windows list: `dir`, `type`, `more`, `where`, `findstr`, `Get-ChildItem`, `Get-Content`, `Select-String`, `Get-Item`, `Test-Path`, `Get-Location`, `Resolve-Path`, plus the same git read subcommands.
+
+`sed -n` is intentional — `sed -i` mutates files. `awk` is on the list because no flags currently mutate; if that ever changes the gate is structural (verb-chain match, not `awk -i`).
+
+### 3. Approval atom is `(verb, directory)`, both required, directory may be null
+
+**What:**
+
+```csharp
+public sealed record ApprovalEntry
+{
+    public required string Verb { get; init; }       // "git remote", "freshdesk"
+    public string? Directory { get; init; }          // absolute path, or null = anywhere
+}
+```
+
+The on-disk schema bumps to `version: 2`. v1 files are quarantined to `.v1.bak` on first read; the daemon writes a fresh empty v2 file.
+
+**Why:** Every persistent approval needs to answer two questions: *what verb* and *where*. Today the store collapses both into a single string and tries to recover them at evaluation time. The recovery is fragile (trailing-slash check tells the matcher "this is a directory") and the result reads as line noise to humans. Typing the entry kills both problems.
+
+`directory: null` is the explicit global wildcard. It exists for cases like the `freshdesk` CLI where the user genuinely wants the verb to run anywhere — typically scheduled or unattended invocations where the cwd will vary across firings.
+
+**Alternatives considered:**
+
+- *Separate buckets per shape:* `verb_in_directory: [...]` and `verb_anywhere: [...]`. Verbose; same information, more ceremony.
+- *String convention with separator:* `"git remote@/abs/path/"`. Stringly-typed; will eventually grow ambiguity.
+- *Auto-translate v1 → v2:* Too many shapes are unrecoverable (bash fragments, normalized commands with embedded args, bare directory roots without verbs). Honest quarantine + clean slate is safer.
+
+### 4. `ShellTool` cwd defaults to `project_dir` then `session_dir`, never daemon cwd
+
+**What:** When the model omits `WorkingDirectory`, `ShellTool` resolves cwd in priority order: `project_dir` (from `WorkingContext`) if set, else `session_dir`. Today the code at `src/Netclaw.Actors/Tools/ShellTool.cs:81-82` falls through to `ProcessStartInfo`'s default — the daemon process's cwd, which is wherever the daemon happened to be launched.
+
+**Why:** The daemon-cwd default is a footgun. It can be `/`, `~/.netclaw`, anywhere — completely unrelated to what the agent is "working on." Approval policy can't reason about it; the user can't predict it. Forcing the cwd into a declared safe space makes the trust boundary structural: every shell call has a known parent that's either inside a safe space or explicitly elsewhere.
+
+**Alternatives considered:**
+
+- *Require the model to always pass `WorkingDirectory`:* Brittle; the model frequently omits it for short commands.
+- *Default to `session_dir` only:* Loses the work the user did when they (or the agent) called `set_working_directory`.
+
+### 5. `ShellTokenizer` refuses to extract patterns from messy input
+
+**What:** When `SplitCompoundCommand` encounters bash control-flow tokens (`for`, `while`, `do`, `done`, `then`, `fi`, `case`, `esac`) or unbalanced quotes/brackets, it returns an empty verb-chain list. The approval gate offers only `Once` and `Deny` — no persistent grant — and the prompt body shows "complex command — only one-shot approval available."
+
+**Why:** Today's splitter only knows `&&`/`||`/`;`. Anything else gets treated as a single segment, normalized, and shoved into the patterns list. That's how `done`, `for pid`, and `awk {print $2})` end up in Aaron's store. Refusing to extract on detection is the cheap, safe answer — we don't pretend to understand the command, we just refuse to remember it.
+
+**Alternatives considered:**
+
+- *Best-effort extraction with junk filtering:* Risks drift. The list of "things that look like junk" is open-ended.
+- *Real bash parser:* Out of scope. Our needs are bounded by "is this clean enough to remember"; we don't need to interpret.
+
+### 6. Five-button prompt, no modal
+
+**What:** Approval prompt presents `Once`, `This chat`, `Always here`, `Always anywhere`, `Deny` as five buttons in one row. `Always anywhere` and `Deny` use the platform's danger styling (`style: "danger"` on Slack, `ButtonStyle.Danger` on Discord).
+
+**Why:** A four-button prompt with a modal on `Approve always` was considered for elegance — the elevated decision (in this folder vs anywhere) gets a deliberate confirmation step. But the state-management cost is real: ~200–300 lines per channel adapter for the round-trip handler, a new "scope chosen" follow-up message in the protocol, and additional failure modes (user dismisses modal without submitting, daemon restart between original click and modal submit). Five buttons collapse all of that to one click and one persist decision per button.
+
+The danger-styled `Always anywhere` button is the mitigation for the "fat-finger" risk: it reads visually distinct, matching `Deny`. Users who want to elevate a grant to global can do so with one deliberate click; the rare nature of the case is reflected in the styling, not the click count.
+
+Slack and Discord both cap at 5 buttons per row, so we are at the ceiling. A sixth button would need either a row split (changes the visual hierarchy) or an overflow menu (less obvious). We don't expect to need a sixth.
+
+**Alternatives considered:**
+
+- *4 buttons + modal on Approve always:* Elegant, expensive. See above.
+- *4 buttons, drop "This chat":* Cleaner row but loses a useful intermediate scope. Some users debug iteratively across many similar commands and don't want to commit to "always."
+- *Single approve button + scope dropdown:* Slack supports it but the UX feels indirect ("pick from this menu, then click the approve button you already clicked").
+
+### 7. Compound commands group by cwd, persist as a batch
+
+**What:** When the model issues `cmd1 && cmd2 && cmd3`, the matcher extracts every verb chain and presents them as bullets in a single prompt. One click on `Always here` persists `(verb, cwd)` for each verb in one shot. Cross-directory compounds (rare) get treated as one prompt scoped to the cwd; if the user wants finer control, they Deny and let the agent split.
+
+**Why:** Forcing the agent to run one verb per call means N prompts for one logical operation — annoying. Splitting at our layer would need cross-call state to reconstruct the user's intent, which we don't have. Letting the user approve once for the whole compound matches how they actually think about the operation ("yes, do all three of those things").
+
+**Alternatives considered:**
+
+- *One prompt per verb:* User-hostile. Three prompts for `git fetch && git rebase && git status`.
+- *Refuse compound outside safe space:* Forces the agent to issue one at a time. Cleaner per-prompt, but multiplies prompts when the user is actively working.
+
+### 8. `netclaw approvals trust-verb <verb>` is the only path to global grants
+
+**What:** `Always anywhere` in the prompt and `netclaw approvals trust-verb <verb>` in the CLI both write `(verb, null)` to the store. The CLI is the deliberate, scriptable path; the prompt is the in-the-moment path. Both flow through `ToolApprovalStore.AddApproval` with the same comparer.
+
+**Why:** Scheduled tasks need pre-approval (the schedule fires unattended; nobody can click). Hand-editing JSON is the current state and it's the source of `done`/`for pid` style entries. A typed CLI command makes the intent explicit and the audit trail visible.
+
+The agent uses this from inside a session as well: at schedule-creation time, when it identifies that an unattended task will need a verb to be globally approved, it asks the user and (on confirmation) calls the equivalent action.
+
+**Alternatives considered:**
+
+- *Daemon RPC instead of CLI shelling:* Cleaner, but requires a new RPC surface. Defer until we have other RPC needs.
+- *Implicit auto-trust for verbs the agent calls during schedule setup:* Way too magic. Users should know what's being globally trusted.
+
+### 9. Reuse `ScopedFileAccessPolicy` infrastructure
+
+**What:** A new `ScopedShellSafeVerbPolicy` mirrors the `ScopedFileAccessPolicy` shape. Both use `ToolAudienceProfileResolver` for root resolution and `ContainsSymlinkSegment` for symlink-segment defense.
+
+**Why:** The audience model (Personal/Team/Public) and the symlink-segment guard are well-tested and battle-hardened. Re-implementing them for shell would be duplicate code that drifts. Public audience inherits the same `session_dir`-only restriction file_read enforces — Public sessions can never auto-allow shell against `project_dir` even when set.
+
+### 10. Resolution message replaces dual sections with one line
+
+**What:** Today's resolution message has separate `Patterns` and `Directory Roots` sections. New format is one line:
+
+- `Saved: jsonlint, git pull, git rev-parse in ~/repos/foo/`
+- `Saved: freshdesk anywhere`
+- `Saved for this chat: jsonlint in ~/repos/foo/`
+- `Approved (no save)` — for Once
+- `Denied`
+
+**Why:** The two-section format is the on-screen artifact of the data-model conflation in v1. Once the entries are typed, the rendering simplifies. One line is enough; the verbs and the scope are both present and unambiguous.
+
+## Risks / Trade-offs
+
+- **Risk: safe-verbs list drifts from reality.** A new tool (`rg`, `delta`, `eza`) ships and isn't on the list, so users go through approval friction we didn't intend. → Mitigation: user-overridable file at `~/.netclaw/config/safe-verbs.<os>.json`. Update default lists at release boundaries based on observed friction.
+- **Risk: a verb on the safe list turns out to have a mutating mode.** `awk -i inplace` mutates; if `awk` is on the list and we match by verb chain, we'd auto-allow it. → Mitigation: verb-chain matcher pins to `awk` (no flags); safe-list entries that need flag pinning use the verb+subcommand form (`sed -n`, not `sed`). Audit the list at definition time, document the rationale next to each entry.
+- **Risk: `project_dir` set incorrectly auto-allows too much.** User opens a session, agent guesses wrong, calls `set_working_directory ~/`. Now the entire home dir is "safe." → Mitigation: the safe-verbs list is the second axis — even with `~/` as project_dir, only read-only verbs auto-run. Mutation still prompts. The eval cases (positive + negative) explicitly cover this. AGENTS.md guidance anchors on intent ("you're working on a specific codebase"), not on dodging approvals.
+- **Risk: bash-fragment refusal annoys users with legitimate complex commands.** Someone writes `for f in *.log; do grep ERROR "$f"; done` and gets only `Once`/`Deny`. → Mitigation: this is the right answer. We can't reason about persistent grants for control-flow we don't parse. The user can split the command into one-shot pieces or, for repeated needs, register the inner verb (`grep`) globally via `trust-verb`.
+- **Risk: 5 buttons feel cluttered on narrow Slack channels.** Mobile especially. → Mitigation: revisit if observed. The terse labels (`Once`, `This chat`, etc.) keep the row width down; danger styling visually breaks the row into "safe" and "powerful" halves.
+- **Risk: agent regresses on `set_working_directory` adoption after AGENTS.md change.** Eval suite catches this on every PR. Positive case asserts the call happens early; negative case asserts no preemptive call when there's no project signal; recovery case asserts the failure-path hint is read and acted on.
+- **Risk: daemon restart kills pending approval prompts (existing bug, not introduced here).** Aaron flagged this independently — clicking an approval button after a restart hits a dead actor. Out of scope for this change but compounds with the new prompt UX. Track separately.
+- **Trade-off: breaking change wipes the v1 store.** No users in production yet, so the cost is bounded. We document the quarantine clearly so users who manually curated their v1 store can mine it for ideas.
+- **Trade-off: `Always anywhere` is one click away.** Mitigated by danger styling, but a determined misclick is still possible. CLI-only would be safer; we chose the in-prompt path because the friction of "pop out to a terminal" defeats the purpose during active sessions.
+
+## Migration Plan
+
+This is a breaking change with no data migration. Deployment:
+
+1. Daemon upgrades. On first read of `~/.netclaw/config/tool-approvals.json`, the loader checks for `version: 2`. If absent or non-2, the file is moved to `tool-approvals.json.v1.bak` and the loader returns an empty v2 store.
+2. The daemon writes a fresh `tool-approvals.json` with `{"version": 2, "audiences": {}}` on the first persist call.
+3. The next `netclaw approvals list` invocation surfaces a one-line note: "Your previous approvals (N entries) were quarantined to ~/.netclaw/config/tool-approvals.json.v1.bak during a schema upgrade. Inspect or restore manually if needed."
+4. Users who relied on specific v1 entries re-establish them via the new prompts or `netclaw approvals trust-verb <verb>` for global grants.
+
+Rollback: revert the daemon. The v1 file is intact at `tool-approvals.json.v1.bak` — operator can rename it back. Approvals written under v2 are lost on rollback, which matches the breaking-change posture.
+
+## Open Questions
+
+- **Verb-chain granularity for compound subcommands.** `git remote` vs `git remote get-url` — today's matcher pins to verb + first subcommand (`git remote`). Should `git remote get-url` be a distinct grant from `git remote add`? Probably not for v1 (the existing granularity is fine), but worth revisiting if users complain that one approval is doing too much.
+- **`netclaw approvals trust-verb` confirmation UX.** Should the CLI prompt for confirmation when adding a global wildcard, or trust the explicit command name? Current call: trust the command name (no extra confirm). Revisit if accidental adds become a pattern.
+- **Resolution message edit-in-place vs. new message.** Slack supports `chat.update` to edit the original prompt; Discord similar. Editing in place feels cleaner than appending a new "resolved" message. Open: verify both platforms behave correctly when the resolution message arrives after the prompt has been thread-quoted by another reply.
+- **Eval case: what counts as a "project signal"?** The positive eval asserts the agent calls `set_working_directory` "early" when the user mentions a repo path. We need an explicit threshold for the eval — first user message? First three turns? — so the assertion isn't ambiguous.
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/proposal.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/proposal.md
new file mode 100644
index 00000000..f5d63e53
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/proposal.md
@@ -0,0 +1,40 @@
+## Why
+
+Directory-scoped approvals (PR #896 / #927 / #937) landed on `dev` but real use exposes two unshipped problems we want to fix together before the feature ever reaches a release: (1) we prompt for too much — even read-only `grep`/`ls`/`git status` against the user's project trigger an approval, because the only declared safe space is the per-session scratch dir; (2) when we do prompt, the on-disk store mingles verb chains, full normalized commands, directory roots, and bash-fragment garbage in a single flat string list, and the prompt's `Patterns` / `Directory Roots` split is not something users can reason about. Aaron's persisted `tool-approvals.json` accumulated 50 entries including nonsense like `done`, `for pid`, `awk {print $2})`, `do threads=$(grep`. We have no users yet — this is the moment to do a clean breaking redesign instead of compounding the problem.
+
+## What Changes
+
+- **BREAKING** `tool-approvals.json` schema goes to `version: 2`. Each entry is a typed `(verb, directory)` pair (`{ "verb": "git remote", "directory": "/abs/path/" | null }`). v1 files are quarantined to `.v1.bak` on first read and a fresh v2 store is written. No automatic translation.
+- **BREAKING** Approval matcher operates on `ApprovalEntry` objects, not on opaque strings. The "is this string a verb? a path? a normalized command?" inspection logic is deleted.
+- **BREAKING** Approval prompt UX: 5-button row replaces today's 4. New: `Once`, `This chat`, `Always here`, `Always anywhere`, `Deny`. `Always anywhere` and `Deny` are styled as danger. Prompt body shows the cwd in the header and verbs as bullets, eliminating the `Patterns` / `Directory Roots` split. Resolution message replaces the dual sections with a single line ("Saved: jsonlint, git pull in ~/repos/foo/" or "Saved: freshdesk anywhere").
+- New: **safe-verbs ∩ safe-space short-circuit.** A curated per-OS safe-verbs list (`safe-verbs.linux.json`, `safe-verbs.windows.json`) plus the agent's existing safe spaces (`session_dir`, optional `project_dir` from `WorkingContext`) form a three-position policy: auto-run when the verb is on the list and cwd is under a safe-space root; prompt otherwise; hard-deny list unchanged. Mutation inside a safe space still prompts (`git push` in your repo still prompts).
+- New: `ScopedShellSafeVerbPolicy` mirrors `ScopedFileAccessPolicy` and reuses `ToolAudienceProfileResolver` for audience-aware root resolution and symlink-segment protection. Public audience inherits the same `session_dir`-only restriction file_read has.
+- New: `ShellTool` cwd defaults to `project_dir` if set, else `session_dir`. Today it inherits the daemon process's cwd, which is a security and UX bug (`src/Netclaw.Actors/Tools/ShellTool.cs:81-82`).
+- New: Compound shell commands extract every verb chain and present them as one prompt grouped by the cwd. One click on `Always here` / `Always anywhere` persists N `(verb, dir)` pairs at once.
+- New: `ShellTokenizer` refuses to extract verb chains from bash control-flow blocks (`for`/`while`/`do`/`done`/`then`/`fi`/`case`/`esac`) or unbalanced quotes/brackets — only `Once` / `Deny` are offered for messy input, with a hint that complex commands cannot persist.
+- New: `netclaw approvals trust-verb <verb> [--audience]` CLI command writes a `(verb, null)` entry — the global wildcard. Used both interactively and by the agent at schedule-creation time. `list` and `revoke` updated to label entries as `<verb> in <dir>` or `<verb> anywhere`.
+- New agent guidance, three coordinated touch-ups: AGENTS.md instruction to call `set_working_directory` early when working on a project (load-bearing, with consequences spelled out); rewrite of the `set_working_directory` tool description to read as "expand your trust boundary" rather than "set cwd"; shell-tool failure path returns a hint pointing at `set_working_directory` when a call is denied because cwd is outside both safe spaces.
+- New schedule-creation flow: when the agent helps the user set up a scheduled task, it identifies the verbs the task needs and proactively suggests pre-approval (`netclaw approvals trust-verb <verb>`) before the schedule fires unattended.
+- New eval cases for `set_working_directory` adoption: positive (project-scoped session calls it early), negative (no-project session does NOT call it preemptively), recovery (denied shell call → agent reads hint → calls it on next turn).
+
+## Capabilities
+
+### New Capabilities
+
+None. All changes fit inside existing capabilities.
+
+### Modified Capabilities
+
+- `tool-approval-gates`: replaces the flat-string approval store with a typed `(verb, directory)` model; introduces the safe-verbs ∩ safe-space short-circuit; redesigns the prompt UX to a 5-button row and rewrites the resolution message; adds bash-fragment refusal at extraction time.
+- `session-cwd`: shell cwd default falls back to `project_dir` then `session_dir` (was: daemon process cwd); shell-tool failure path returns a `set_working_directory` hint when denial reason is "cwd outside safe spaces".
+- `netclaw-cli`: `netclaw approvals trust-verb` subcommand; `list` and `revoke` reflect the v2 entry shape.
+
+## Impact
+
+- **Storage:** breaking schema change. v1 file quarantined to `tool-approvals.json.v1.bak` on first read; users start with an empty v2 store. Existing approvals do NOT carry over.
+- **Code:** new `ScopedShellSafeVerbPolicy` (mirrors `ScopedFileAccessPolicy`). Modifications across `Netclaw.Configuration`, `Netclaw.Security`, `Netclaw.Actors.Tools`, `Netclaw.Actors.Protocol`, `Netclaw.Channels.Slack`, `Netclaw.Channels.Discord`, `Netclaw.Cli`. Reuses `ToolAudienceProfileResolver` and the symlink-segment guard.
+- **Config:** ships `safe-verbs.linux.json` and `safe-verbs.windows.json` with the daemon; users can override at `~/.netclaw/config/safe-verbs.<os>.json`.
+- **Agent identity:** AGENTS.md gains load-bearing guidance about `set_working_directory`; bumps require eval suite to pass (positive + negative + recovery cases).
+- **Skills:** `feeds/skills/.system/files/netclaw-operations/SKILL.md` updated for schedule-creation pre-approval flow and the new approval prompt shape.
+- **Security:** safe-space short-circuit is gated by safe-verbs list ∩ safe-space root ∩ symlink-free path. Mutation in safe spaces still prompts. Public audience continues to be restricted to `session_dir` only. Hard-deny list unchanged. No change to ACL evaluation order; this only relaxes the interactive approval gate (layer 2) for a narrowly defined set of verb-and-location combinations.
+- **Operational:** `netclaw approvals list` + `revoke` semantics change shape. Operators editing the JSON by hand will hit the v1 quarantine flow on the first daemon read after upgrade.
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/netclaw-cli/spec.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/netclaw-cli/spec.md
new file mode 100644
index 00000000..31c6124c
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/netclaw-cli/spec.md
@@ -0,0 +1,166 @@
+## MODIFIED Requirements
+
+### Requirement: Operator CLI for persistent tool approvals
+
+The CLI SHALL provide a `netclaw approvals` command surface for
+inspecting, revoking, and adding entries to the persistent approvals
+file (`~/.netclaw/config/tool-approvals.json`). The command SHALL
+operate on the file directly via `Netclaw.Configuration.ToolApprovalStore`
+without requiring the daemon to be running. Bare `netclaw approvals`
+(and `netclaw approvals tui`) SHALL launch an interactive Termina TUI
+page. Single-shot subcommands SHALL be `list`, `revoke`, `trust-verb`,
+and `help`.
+
+`list` SHALL accept `--audience <personal|team|public>`, `--tool <name>`,
+and `--json`. Without flags it SHALL print every audience and tool group
+in a stable order. Each entry SHALL be labeled by its scope: entries
+with a non-null `directory` print as `<verb> in <directory>`; entries
+with `directory: null` print as `<verb> anywhere`. The CLI SHALL NOT
+mix verb and directory entries in a single column.
+
+`revoke <pattern>` SHALL remove entries that match `<pattern>`. The
+pattern SHALL accept either of the user-visible forms emitted by
+`list`: `<verb> in <directory>` matches a `(verb, directory)` entry
+exactly, and `<verb> anywhere` matches a `(verb, null)` entry.
+Case-sensitivity SHALL match the daemon's matcher comparer (Ordinal on
+POSIX, OrdinalIgnoreCase on Windows). `revoke` SHALL accept `--audience`
+and `--tool` to scope the removal. `revoke --tool <name> --all` SHALL
+clear every entry for that tool in the targeted audiences. `revoke` of
+a pattern that does not match any entry SHALL exit non-zero with a
+clear message; the CLI SHALL NOT silently succeed.
+
+`trust-verb <verb>` SHALL write a new `(verb, null)` entry for the
+specified verb chain — the global wildcard. The subcommand SHALL accept
+`--audience <personal|team|public>` (default `personal`) and
+`--tool <name>` (default `shell_execute`). `trust-verb` SHALL be the
+canonical way to pre-approve a verb for unattended/scheduled invocations
+where the cwd will vary across firings. If the entry already exists,
+`trust-verb` SHALL exit zero with a "no changes" message.
+
+The CLI SHALL ONLY support adding global wildcards via `trust-verb`. It
+SHALL NOT provide a way to add `(verb, directory)` entries from the
+CLI; folder-scoped grants SHALL be acquired exclusively through
+interactive approval prompts. This is a deliberate friction asymmetry:
+prompt-driven grants are the default user path, and the CLI exists to
+handle the unattended case and the global-trust case operators
+explicitly want.
+
+When the underlying store has quarantined a malformed v1 file
+(`tool-approvals.json.v1.bak` sibling), the CLI SHALL emit a one-line
+note before list/revoke output indicating the quarantine and pointing
+at the backup file. The CLI SHALL NOT silently swallow the condition.
+
+Exit codes SHALL be 0 for success and 1 for user errors (bad flag
+combos, unknown audience, no match for revoke, `--all` without `--tool`,
+etc.).
+
+#### Scenario: Empty approvals file lists no entries with exit zero
+
+- **GIVEN** `tool-approvals.json` does not exist or contains an empty
+  v2 store
+- **WHEN** the operator runs `netclaw approvals list`
+- **THEN** the CLI prints `No persistent approvals.`
+- **AND** exits with code `0`
+
+#### Scenario: List filters by audience
+
+- **GIVEN** `tool-approvals.json` contains entries under `personal`
+  and `team`
+- **WHEN** the operator runs `netclaw approvals list --audience personal`
+- **THEN** only the `personal` audience entries are printed
+
+#### Scenario: List labels entries by scope
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"/home/user/repos/foo/"}` and
+  `{"verb":"freshdesk","directory":null}` under `personal/shell_execute`
+- **WHEN** the operator runs `netclaw approvals list`
+- **THEN** the output includes `git remote in /home/user/repos/foo/`
+- **AND** the output includes `freshdesk anywhere`
+
+#### Scenario: List emits typed JSON
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"version":2,"audiences":{"personal":{"shell_execute":[
+    {"verb":"git push","directory":null}]}}}`
+- **WHEN** the operator runs `netclaw approvals list --json`
+- **THEN** the output is valid JSON
+- **AND** each entry preserves the `verb`/`directory` shape
+
+#### Scenario: Revoke removes a folder-scoped entry by user-visible form
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"/home/user/repos/foo/"}` and
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs
+  `netclaw approvals revoke "git remote in /home/user/repos/foo/"`
+- **THEN** the `git remote` entry is removed
+- **AND** the `freshdesk anywhere` entry remains
+- **AND** the CLI exits with code `0`
+
+#### Scenario: Revoke removes a global wildcard by user-visible form
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs
+  `netclaw approvals revoke "freshdesk anywhere"`
+- **THEN** the entry is removed
+- **AND** the CLI exits with code `0`
+
+#### Scenario: Revoke with no match exits non-zero
+
+- **GIVEN** `tool-approvals.json` does not contain `git push`
+- **WHEN** the operator runs `netclaw approvals revoke "git push anywhere"`
+- **THEN** the CLI prints a no-match message
+- **AND** exits with code `1`
+- **AND** does not modify the file
+
+#### Scenario: trust-verb writes a global wildcard entry
+
+- **GIVEN** `tool-approvals.json` does not yet contain `freshdesk`
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **THEN** the file gains entry
+  `{"verb":"freshdesk","directory":null}` under
+  `personal/shell_execute`
+- **AND** the CLI exits with code `0`
+
+#### Scenario: trust-verb is idempotent
+
+- **GIVEN** `tool-approvals.json` already contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **THEN** the file is unchanged
+- **AND** the CLI prints a "no changes" message
+- **AND** exits with code `0`
+
+#### Scenario: trust-verb honors --audience and --tool
+
+- **WHEN** the operator runs
+  `netclaw approvals trust-verb freshdesk --audience team --tool shell_execute`
+- **THEN** the entry is written under `team/shell_execute`
+- **AND** the CLI exits with code `0`
+
+#### Scenario: Quarantined v1 file surfaces a one-line note
+
+- **GIVEN** `~/.netclaw/config/tool-approvals.json.v1.bak` exists
+  (the daemon has previously quarantined a v1 file)
+- **WHEN** the operator runs `netclaw approvals list`
+- **THEN** the CLI emits a one-line note before the listing pointing
+  at the `.v1.bak` file
+- **AND** the listing reflects only v2 entries
+
+#### Scenario: Daemon picks up CLI-applied trust-verb without restart
+
+- **GIVEN** the daemon is running
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **AND** the agent invokes `freshdesk --since=24h` afterwards
+- **THEN** the daemon re-loads the file and observes the new entry
+- **AND** the call auto-approves with no prompt
+- **AND** the daemon was not restarted
+
+#### Scenario: Bare invocation launches the TUI
+
+- **WHEN** the operator runs `netclaw approvals` with no subcommand
+- **THEN** the CLI launches the interactive Termina approvals page
+- **AND** the page displays entries grouped by audience and tool with
+  scope labels (`<verb> in <dir>` / `<verb> anywhere`)
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/session-cwd/spec.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/session-cwd/spec.md
new file mode 100644
index 00000000..c9abc6ea
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/session-cwd/spec.md
@@ -0,0 +1,186 @@
+## ADDED Requirements
+
+### Requirement: Shell tool cwd defaults to declared safe spaces
+
+`ShellTool` SHALL resolve the working directory for every invocation
+in this priority order: explicit `WorkingDirectory` argument when
+provided, else `WorkingContext.ProjectDirectory` when set, else
+`session_dir` (the per-session directory under
+`~/.netclaw/sessions/<session-id>/`). `ShellTool` SHALL NOT fall
+through to `ProcessStartInfo`'s default behavior of inheriting the
+daemon process's cwd.
+
+This guarantees every shell invocation has a known cwd parented under a
+declared safe space (or an explicit override), which is the precondition
+the approval policy depends on.
+
+#### Scenario: Cwd defaults to project_dir when set
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` set to
+  `~/repos/foo/`
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  no `WorkingDirectory`
+- **THEN** the command runs with cwd `~/repos/foo/`
+
+#### Scenario: Cwd defaults to session_dir when project_dir is null
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` null
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  no `WorkingDirectory`
+- **THEN** the command runs with cwd `~/.netclaw/sessions/<session-id>/`
+
+#### Scenario: Explicit WorkingDirectory overrides default
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` set to
+  `~/repos/foo/`
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  `WorkingDirectory` `/tmp/`
+- **THEN** the command runs with cwd `/tmp/`
+- **AND** the approval gate evaluates safe-space membership against `/tmp/`
+
+#### Scenario: Cwd never inherits daemon process cwd
+
+- **GIVEN** the daemon process was launched with cwd `/var/lib/netclawd/`
+- **AND** a session has neither `project_dir` set nor an explicit
+  `WorkingDirectory` argument
+- **WHEN** the agent invokes `shell_execute`
+- **THEN** the command does NOT run with cwd `/var/lib/netclawd/`
+- **AND** the resolved cwd is `session_dir`
+
+### Requirement: Shell tool failure-path hint for cwd outside safe spaces
+
+`ShellTool` SHALL include a one-line hint in the tool result returned
+to the model when a call is denied because its cwd is outside both
+`session_dir` and `project_dir`. The hint SHALL suggest
+`set_working_directory <path>` with the path that triggered the denial,
+in a format recognizable to the agent so it can self-correct without a
+roundtrip through the user.
+
+The hint SHALL only be emitted when the denial reason is "cwd outside
+safe spaces" and `set_working_directory` is in the audience's tool
+exposure list. The hint SHALL NOT be emitted for hard-deny-list refusals
+or for `ToolPathPolicy` denials (those have different remediation paths).
+
+#### Scenario: Denial in foreign tree includes set_working_directory hint
+
+- **GIVEN** a Personal session with `project_dir` not set
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/bar/`
+- **AND** the user denies the resulting prompt
+- **THEN** the tool result includes a hint pointing at
+  `set_working_directory ~/repos/bar/`
+
+#### Scenario: Hint is not emitted for hard-deny refusals
+
+- **GIVEN** a hard-deny-list block on the command
+- **WHEN** `shell_execute` returns the deny error
+- **THEN** the result does NOT include a `set_working_directory` hint
+
+#### Scenario: Hint is not emitted when set_working_directory is unavailable
+
+- **GIVEN** a Public session where `set_working_directory` is not in
+  the tool exposure list
+- **WHEN** a shell call is denied for cwd-outside-safe-space
+- **THEN** the result does NOT include a `set_working_directory` hint
+
+### Requirement: set_working_directory expands the approval safe space
+
+Setting `WorkingContext.ProjectDirectory` SHALL expand the approval gate's
+safe-space root set for Personal and Team audiences: subsequent shell
+invocations whose cwd resolves under the new project directory SHALL
+participate in the safe-verb auto-allow short-circuit (subject to the
+safe-verbs list and symlink-segment guard). For Public audience,
+`set_working_directory` SHALL NOT be available and the safe space SHALL
+remain `session_dir` only.
+
+This requirement formalizes the dependency between session_cwd and
+tool-approval-gates: the act of declaring the project root is the act
+of opening the approval trust boundary.
+
+#### Scenario: Setting project_dir relaxes future approval prompts
+
+- **GIVEN** a Personal session with `project_dir` initially null
+- **AND** the agent has previously been denied `grep` calls in
+  `~/repos/foo/`
+- **WHEN** the agent calls `set_working_directory ~/repos/foo/`
+- **AND** the agent retries `grep -r "x" .` with cwd `~/repos/foo/`
+- **THEN** the approval gate short-circuits (safe verb in safe space)
+- **AND** no prompt is rendered
+
+#### Scenario: Public audience does not get safe-space expansion
+
+- **GIVEN** a Public session
+- **WHEN** the tool exposure list is computed
+- **THEN** `set_working_directory` is not included
+- **AND** the only safe space remains `session_dir`
+
+## MODIFIED Requirements
+
+### Requirement: set_working_directory tool
+
+The system SHALL provide a `set_working_directory` tool that sets the
+session's project directory to a specified path AND expands the
+approval gate's safe-space root set for Personal and Team audiences.
+The tool SHALL validate that the target path is a real directory,
+resolve it to an absolute path, and validate it against the audience
+trust profile's read-allowed roots. The tool SHALL be profile-managed
+so that audiences without directory navigation privileges (Public,
+Team by default) cannot use it.
+
+The tool description visible to the model SHALL frame the tool as
+"declare your project root and expand your trusted scope so shell
+commands inside that tree run without per-command approval" rather
+than as a `cd`-style cwd change. Calling this tool is the load-bearing
+gesture by which the agent signals what it is working on; the agent's
+approval friction depends on doing so when the work is project-scoped.
+
+#### Scenario: set_working_directory updates project directory
+
+- **GIVEN** a session with no project directory set
+- **AND** the audience trust profile allows reads under `/home/user`
+- **WHEN** the agent invokes `set_working_directory` with
+  path `/home/user/workspaces/akadonic`
+- **THEN** the session project directory is set to
+  `/home/user/workspaces/akadonic`
+- **AND** the project's identity file is loaded on the next LLM call
+- **AND** subsequent shell calls with cwd inside that directory may
+  participate in the safe-verb auto-allow short-circuit
+
+#### Scenario: set_working_directory rejected outside allowed roots
+
+- **GIVEN** a session with audience profile allowing reads only under
+  `/home/user`
+- **WHEN** the agent invokes `set_working_directory` with path `/etc/nginx`
+- **THEN** the project directory remains unchanged
+- **AND** the tool returns an error indicating the path is outside allowed
+  roots
+
+#### Scenario: set_working_directory rejected for nonexistent directory
+
+- **GIVEN** a session with audience profile allowing reads under `/home/user`
+- **WHEN** the agent invokes `set_working_directory` with
+  path `/home/user/nonexistent`
+- **THEN** the project directory remains unchanged
+- **AND** the tool returns an error indicating the directory does not exist
+
+#### Scenario: Personal audience allows any valid directory
+
+- **GIVEN** a session with personal audience (`ToolFilesystemMode.All`)
+- **WHEN** the agent invokes `set_working_directory` with any valid directory
+- **THEN** the project directory is updated
+
+#### Scenario: set_working_directory not exposed to public audience
+
+- **GIVEN** a session with public audience
+- **WHEN** the tool exposure list is computed
+- **THEN** `set_working_directory` is not included
+
+#### Scenario: Switching projects replaces context
+
+- **GIVEN** a session with project directory `/home/user/workspaces/akadonic`
+- **WHEN** the agent invokes `set_working_directory` with
+  path `/home/user/workspaces/other-project`
+- **THEN** the project directory changes to `/home/user/workspaces/other-project`
+- **AND** the next LLM call loads identity files from the new project
+- **AND** the old project's identity files are no longer injected
+- **AND** the approval safe-space root for shell invocations switches
+  to the new project directory
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/tool-approval-gates/spec.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/tool-approval-gates/spec.md
new file mode 100644
index 00000000..8ff39b54
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/specs/tool-approval-gates/spec.md
@@ -0,0 +1,504 @@
+## ADDED Requirements
+
+### Requirement: Safe-verb auto-allow short-circuit in declared safe spaces
+
+The system SHALL maintain a per-OS curated list of demonstrably read-only
+verb chains (`safe-verbs.linux.json` and `safe-verbs.windows.json`) shipped
+with the daemon and overridable at `~/.netclaw/config/safe-verbs.<os>.json`.
+A `ScopedShellSafeVerbPolicy` SHALL evaluate each shell invocation against
+the safe-verbs list AND the audience-aware safe-space roots resolved by
+`ToolAudienceProfileResolver`. When the candidate verb chain is on the
+safe-verbs list AND the candidate's cwd resolves under at least one
+safe-space root AND the path contains no symlink segments
+(`ContainsSymlinkSegment` returns false), the approval gate SHALL
+short-circuit to "approved" with no user prompt. Otherwise the existing
+approval gate SHALL apply.
+
+Safe-space roots SHALL be:
+
+- For Personal and Team audiences: `session_dir` (always) plus
+  `project_dir` from `WorkingContext` (when set).
+- For Public audience: `session_dir` only. Public sessions SHALL NOT
+  expand their safe space via `project_dir`, mirroring the read-roots
+  restriction `ScopedFileAccessPolicy` enforces for file_read.
+
+The hard-deny list (layer 1) SHALL apply unchanged. The safe-verb
+short-circuit SHALL only relax the interactive approval gate (layer 2).
+`ToolPathPolicy.CommandReferencesDeniedPath` SHALL still block execution
+if a denied path is referenced.
+
+#### Scenario: Read-only verb in project directory auto-runs
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the Linux safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `grep -r "error" .` and cwd `~/repos/foo/`
+- **THEN** the approval gate short-circuits to "approved"
+- **AND** no prompt is rendered to the user
+- **AND** `tool-approvals.json` is NOT modified
+
+#### Scenario: Read-only verb in session directory auto-runs
+
+- **GIVEN** a Personal session with no `project_dir` set
+- **AND** `cat` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `cat inbox/notes.md` and cwd `~/.netclaw/sessions/<id>/`
+- **THEN** the approval gate short-circuits to "approved"
+- **AND** no prompt is rendered
+
+#### Scenario: Read-only verb outside safe spaces still prompts
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with cwd `/etc/`
+- **THEN** the approval gate prompts the user
+- **AND** the prompt body shows `/etc/` as the directory header
+
+#### Scenario: Mutating verb in safe space still prompts
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `git push` is NOT on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `git push origin main` and cwd `~/repos/foo/`
+- **THEN** the approval gate prompts the user
+- **AND** the user can grant `(git push, ~/repos/foo/)` via "Always here"
+
+#### Scenario: Public audience cannot use project_dir as safe space
+
+- **GIVEN** a Public session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/foo/`
+- **THEN** the approval gate prompts the user
+- **AND** Public's only safe space remains `session_dir`
+
+#### Scenario: Symlink under safe-space root cannot extend safe scope
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `~/repos/foo/leak` is a symlink resolving to `/etc`
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/foo/leak/`
+  and command `cat passwd`
+- **THEN** the safe-verb short-circuit SHALL NOT apply
+  (`ContainsSymlinkSegment` returns true)
+- **AND** the approval gate prompts the user (or `ToolPathPolicy`
+  hard-denies if the resolved path is protected)
+
+#### Scenario: User-overridden safe-verbs file extends defaults
+
+- **GIVEN** the user has written
+  `~/.netclaw/config/safe-verbs.linux.json` containing the verb `eza`
+- **WHEN** the daemon loads safe-verbs configuration
+- **THEN** `eza` is treated as a safe verb in addition to the shipped defaults
+- **AND** `eza` invocations in safe spaces auto-run without prompting
+
+### Requirement: Five-button approval prompt with verb-and-directory framing
+
+When the approval gate prompts the user, the prompt SHALL render five
+buttons in one row: `Once`, `This chat`, `Always here`, `Always anywhere`,
+`Deny`. The buttons `Always anywhere` and `Deny` SHALL be styled as
+danger (Slack `style: "danger"`, Discord `ButtonStyle.Danger`). All
+button labels SHALL fit within Slack's 76-character and Discord's
+80-character button-text caps.
+
+The prompt body SHALL show the cwd in the header
+(`Approve in <cwd> ?`) and the extracted verb chains as a bulleted list.
+Single-verb commands MAY collapse the list into the header
+(`Approve <verb> in <cwd> ?`). The body SHALL NOT render separate
+"Patterns" or "Directory Roots" sections.
+
+Button semantics:
+
+- `Once` SHALL run the command this one time and persist nothing.
+- `This chat` SHALL allow the extracted verbs in the prompt's directory
+  for the rest of the session, stored in session-scoped memory only.
+- `Always here` SHALL persist `(verb, prompt's directory)` entries to
+  `tool-approvals.json` for each extracted verb.
+- `Always anywhere` SHALL persist `(verb, null)` entries for each
+  extracted verb — the global wildcard.
+- `Deny` SHALL refuse this call only. Denying a verb SHALL NOT ban it
+  for future invocations.
+
+#### Scenario: Compound command shows verbs as bullets
+
+- **GIVEN** the agent invokes `shell_execute` with command
+  `cd ~/repos/foo && git remote -v && git rev-parse HEAD`
+  and cwd `~/repos/foo/`
+- **WHEN** the approval prompt is rendered on Slack
+- **THEN** the body header reads `Approve in ~/repos/foo/ ?`
+- **AND** the verbs `cd`, `git remote`, `git rev-parse` appear as bullets
+- **AND** the action row contains five buttons
+- **AND** `Always anywhere` and `Deny` are styled as danger
+
+#### Scenario: Always here persists folder-scoped entries
+
+- **GIVEN** an approval prompt for verbs `git remote`, `git rev-parse`
+  in cwd `~/repos/foo/`
+- **WHEN** the user clicks `Always here`
+- **THEN** `tool-approvals.json` gains entries
+  `{"verb": "git remote", "directory": "~/repos/foo/"}` and
+  `{"verb": "git rev-parse", "directory": "~/repos/foo/"}`
+- **AND** the resolution message reads
+  `Saved: git remote, git rev-parse in ~/repos/foo/`
+
+#### Scenario: Always anywhere persists global entries
+
+- **GIVEN** an approval prompt for verb `freshdesk` in cwd `~/.netclaw/sessions/<id>/`
+- **WHEN** the user clicks `Always anywhere`
+- **THEN** `tool-approvals.json` gains entry
+  `{"verb": "freshdesk", "directory": null}`
+- **AND** the resolution message reads `Saved: freshdesk anywhere`
+
+#### Scenario: This chat persists session-scoped only
+
+- **GIVEN** an approval prompt for verb `jsonlint` in cwd `~/repos/foo/`
+- **WHEN** the user clicks `This chat`
+- **THEN** session-scoped memory records `(jsonlint, ~/repos/foo/)`
+- **AND** `tool-approvals.json` is NOT modified
+- **AND** a new session prompts again
+
+#### Scenario: Deny refuses only the current call
+
+- **GIVEN** an approval prompt for verb `git push`
+- **WHEN** the user clicks `Deny`
+- **THEN** the current call is refused
+- **AND** `tool-approvals.json` is NOT modified
+- **AND** a later `git push` call still prompts
+
+### Requirement: Resolution message single-line format
+
+After an approval response is processed, the channel SHALL render a
+single-line resolution message replacing today's separate `Patterns` and
+`Directory Roots` sections. The line SHALL identify the verbs and the
+scope. Permitted formats:
+
+- `Saved: <verb-list> in <directory>` — for `Always here`.
+- `Saved: <verb-list> anywhere` — for `Always anywhere`.
+- `Saved for this chat: <verb-list> in <directory>` — for `This chat`.
+- `Approved (no save)` — for `Once`.
+- `Denied` — for `Deny`.
+
+#### Scenario: Resolution shows folder scope for Always here
+
+- **GIVEN** the user has clicked `Always here` for verbs
+  `jsonlint, git pull` in `~/repos/foo/`
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved: jsonlint, git pull in ~/repos/foo/`
+- **AND** no `Patterns` or `Directory Roots` headers are emitted
+
+#### Scenario: Resolution shows global scope for Always anywhere
+
+- **GIVEN** the user has clicked `Always anywhere` for verb `freshdesk`
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved: freshdesk anywhere`
+
+### Requirement: Pattern extraction refuses bash control-flow
+
+`ShellTokenizer.SplitCompoundCommand` SHALL detect bash control-flow
+tokens (`for`, `while`, `do`, `done`, `then`, `fi`, `case`, `esac`) and
+unbalanced quotes/brackets. When detected, the tokenizer SHALL return an
+empty verb-chain list. The approval gate SHALL respond by offering only
+the `Once` and `Deny` buttons (no `This chat`, `Always here`, or
+`Always anywhere`) and the prompt body SHALL show a hint: "complex
+command — only one-shot approval available". No persistent grant SHALL
+be possible for unparseable commands.
+
+#### Scenario: For-loop produces empty verb-chain list
+
+- **GIVEN** the command
+  `for pid in $(pgrep netclawd); do echo "$pid"; done`
+- **WHEN** `ShellTokenizer.SplitCompoundCommand` runs
+- **THEN** the returned verb-chain list is empty
+
+#### Scenario: Approval prompt for messy command offers only Once and Deny
+
+- **GIVEN** the agent invokes `shell_execute` with the for-loop above
+  and cwd outside any safe space
+- **WHEN** the approval prompt is rendered
+- **THEN** only `Once` and `Deny` buttons are present
+- **AND** the body shows the "complex command" hint
+
+#### Scenario: Unbalanced quotes treated as messy
+
+- **GIVEN** the command `echo "unterminated`
+- **WHEN** the tokenizer runs
+- **THEN** the verb-chain list is empty
+- **AND** the approval gate offers only `Once` and `Deny`
+
+## MODIFIED Requirements
+
+### Requirement: Persistent approval storage
+
+The system SHALL store persistent approvals in
+`~/.netclaw/config/tool-approvals.json` using a `version: 2` typed
+schema. Each entry SHALL be an `ApprovalEntry` with a required `verb`
+field (the verb chain, e.g. `git remote`) and an optional `directory`
+field (an absolute path, or `null` for the global wildcard). The file
+SHALL contain per-audience sections with per-tool `ApprovalEntry` lists.
+The file SHALL NOT be monitored by `ConfigWatcherService`.
+
+When the daemon reads a `tool-approvals.json` file that does not have
+`version: 2`, the file SHALL be quarantined to
+`tool-approvals.json.v1.bak` and an empty v2 store SHALL be returned.
+The daemon SHALL write the empty v2 store on the next persist call. No
+automatic translation of v1 entries SHALL be performed.
+
+The matcher SHALL approve a candidate invocation when there exists an
+`ApprovalEntry` whose `verb` equals the candidate's extracted verb
+chain AND (`directory` is `null` OR the candidate's cwd is under
+`directory`).
+
+The file SHALL also be operator-editable via the `netclaw approvals`
+CLI (see the `netclaw-cli` capability). The daemon SHALL pick up
+out-of-band edits — whether made by direct file editing or by the
+CLI — on the next approval check, without requiring a restart.
+
+#### Scenario: Always here persists typed (verb, directory) entries
+
+- **GIVEN** the user clicks `Always here` for verbs `git remote` and
+  `git rev-parse` in cwd `~/repos/foo/`
+- **WHEN** the approval is processed
+- **THEN** `tool-approvals.json` contains
+  `[{"verb":"git remote","directory":"~/repos/foo/"},
+    {"verb":"git rev-parse","directory":"~/repos/foo/"}]`
+- **AND** the daemon does NOT restart
+
+#### Scenario: Always anywhere persists null-directory entry
+
+- **GIVEN** the user clicks `Always anywhere` for verb `freshdesk`
+- **WHEN** the approval is processed
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+
+#### Scenario: v1 file quarantined on first read
+
+- **GIVEN** `tool-approvals.json` exists without a `version` field
+  (or with `version` other than `2`)
+- **WHEN** the daemon loads the file
+- **THEN** the file is moved to `tool-approvals.json.v1.bak`
+- **AND** `Load()` returns an empty v2 store
+- **AND** no v1 entries are translated to v2
+
+#### Scenario: Matcher approves under directory entry
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git remote -v` with cwd `~/repos/foo/`
+- **THEN** the matcher returns approved
+- **AND** no prompt is rendered
+
+#### Scenario: Matcher approves under null-directory entry
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the agent invokes `freshdesk --since=24h` with cwd
+  `~/.netclaw/sessions/<id>/`
+- **THEN** the matcher returns approved regardless of cwd
+
+#### Scenario: Matcher rejects when cwd is outside entry directory
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git remote -v` with cwd `~/repos/bar/`
+- **THEN** the matcher returns not-approved
+- **AND** the approval gate prompts the user
+
+#### Scenario: Approve once is retry-scoped only
+
+- **GIVEN** the user clicks `Once` for command `docker build`
+- **WHEN** the approval is processed
+- **THEN** the blocked `docker build` call is retried immediately
+- **AND** a later `docker build` call in the same session prompts again
+- **AND** `tool-approvals.json` is NOT modified
+
+#### Scenario: Operator-applied revocation visible without restart
+
+- **GIVEN** the daemon is running with a persisted entry
+  `{"verb":"git push","directory":null}`
+- **WHEN** an operator removes that entry via `netclaw approvals revoke`
+- **AND** a new approval check evaluates `git push`
+- **THEN** the daemon re-loads the file and observes the entry is gone
+- **AND** the user is prompted for approval again
+- **AND** the daemon was not restarted
+
+### Requirement: Shell command pattern matching
+
+The system SHALL extract verb-chain prefix patterns from shell commands
+using tokenization. The verb chain SHALL consist of non-flag tokens from
+the start of the command until the first flag (`-`), path, or URL
+argument. For shell approval units, `&&`, `||`, and `;` SHALL split into
+separate units, while `|` SHALL remain inside the current unit. For
+`bash -c` or `sh -c` wrappers, the inner command SHALL be extracted and
+scanned recursively.
+
+When `ShellTokenizer.SplitCompoundCommand` detects bash control-flow
+tokens or unbalanced quotes/brackets, it SHALL return an empty
+verb-chain list. The approval gate SHALL then offer only `Once` and
+`Deny`. See the "Pattern extraction refuses bash control-flow"
+requirement for details.
+
+The matcher SHALL operate on `ApprovalEntry` records keyed by
+`(verb, directory)`. The "is this string a verb chain or a directory
+root?" inspection logic of v1 SHALL NOT be present in the v2 matcher.
+
+Approval persistence SHALL store one `ApprovalEntry` per extracted verb
+chain. Compound commands SHALL produce N entries from one user click on
+`Always here` or `Always anywhere`.
+
+#### Scenario: Verb chain extracted from simple command
+
+- **GIVEN** the command `git push origin main`
+- **WHEN** the pattern is extracted
+- **THEN** the pattern is `git push`
+
+#### Scenario: Verb chain stops at flag
+
+- **GIVEN** the command `ls -la /tmp`
+- **WHEN** the pattern is extracted
+- **THEN** the pattern is `ls`
+- **AND** the flag and path are not part of the persisted verb chain
+
+#### Scenario: Multi-level verb chain
+
+- **GIVEN** the command `docker compose up -d`
+- **WHEN** the pattern is extracted
+- **THEN** the pattern is `docker compose up`
+
+#### Scenario: Control operators create separate approval units
+
+- **GIVEN** the command `git add . && git commit -m "fix" && git push`
+- **WHEN** approval is checked
+- **THEN** `git add`, `git commit`, and `git push` are checked as
+  separate approval units against the v2 matcher
+
+#### Scenario: Compound segments batched in one prompt
+
+- **GIVEN** none of `git add`, `git commit`, `git push` are approved
+- **WHEN** the command `git add . && git commit -m "fix" && git push`
+  is checked
+- **THEN** a single approval prompt lists all three verbs as bullets
+- **AND** one click on `Always here` persists three `(verb, cwd)` entries
+
+#### Scenario: bash -c inner command scanned recursively
+
+- **GIVEN** the command `bash -c "git push --force"`
+- **WHEN** approval and hard deny are checked
+- **THEN** the inner command `git push --force` is extracted and scanned
+- **AND** verb chain `git push` is checked through the v2 matcher
+
+### Requirement: Directory-root approvals for shell_execute
+
+For `shell_execute`, persistent approvals SHALL be stored as typed
+`(verb, directory)` `ApprovalEntry` records, NOT as separate verb
+patterns and directory-root entries. The matcher SHALL approve a
+candidate invocation when an `ApprovalEntry` exists whose `verb` matches
+the candidate's verb chain AND (`directory` is `null` OR the candidate's
+cwd is under `directory`).
+
+`Once` SHALL retry only the blocked call; it SHALL NOT create any
+session or persistent approval.
+
+`This chat` SHALL store `(verb, prompt's directory)` entries in
+session-scoped memory only.
+
+`Always here` SHALL persist `(verb, prompt's directory)` entries to
+`tool-approvals.json`.
+
+`Always anywhere` SHALL persist `(verb, null)` entries to
+`tool-approvals.json` — the global wildcard.
+
+The system SHALL enforce path normalization, boundary-safe containment,
+path traversal checks, and `ToolPathPolicy` as the safety backstop.
+`ToolPathPolicy` SHALL resolve symlinks along every component of a
+candidate path so that a planted symlink under an approved directory
+cannot be used to reach a protected path that lies outside that
+directory.
+
+The minimum-depth check from v1 (rejecting roots like `/` or `/etc/`)
+SHALL still apply to the directory portion of `(verb, directory)`
+entries: `Always here` SHALL NOT persist a directory shallower than
+two path segments. When the prompt's directory is too shallow, the
+prompt SHALL omit the `Always here` button (only `Once`, `This chat`,
+`Always anywhere`, `Deny` remain), so the user cannot accidentally
+write a too-shallow root.
+
+#### Scenario: Once retries only the blocked call
+
+- **GIVEN** a shell command `cat ~/repos/foo/notes.md` requires approval
+- **WHEN** the user clicks `Once`
+- **THEN** only the current blocked call is retried
+- **AND** no `ApprovalEntry` is recorded
+- **AND** a later `cat ~/repos/foo/other.md` prompts again
+
+#### Scenario: Always here stores (verb, directory) entry
+
+- **GIVEN** a shell command `grep -l "timeout" daemon.log` with cwd
+  `~/.netclaw/logs/`
+- **WHEN** the user clicks `Always here`
+- **THEN** `{"verb":"grep","directory":"~/.netclaw/logs/"}` is written
+  to `tool-approvals.json`
+- **AND** a future `wc -l app.log` with cwd `~/.netclaw/logs/` does NOT
+  match this entry (different verb)
+- **AND** a future `grep "info" archive.log` with cwd
+  `~/.netclaw/logs/` is auto-approved (same verb, same directory)
+
+#### Scenario: Always anywhere stores (verb, null) entry
+
+- **GIVEN** a shell command `freshdesk --since=24h` requires approval
+- **WHEN** the user clicks `Always anywhere`
+- **THEN** `{"verb":"freshdesk","directory":null}` is written to
+  `tool-approvals.json`
+- **AND** a scheduled task firing `freshdesk` in any cwd is
+  auto-approved on next invocation
+
+#### Scenario: Boundary-safe matching prevents prefix collisions
+
+- **GIVEN** `{"verb":"cat","directory":"/home/user/"}` is approved
+- **WHEN** the agent runs `cat data.txt` with cwd `/home/usersecret/`
+- **THEN** the candidate does NOT match the entry
+- **AND** the approval gate prompts the user
+
+#### Scenario: Symlink in cwd breaks the approval match
+
+- **GIVEN** `{"verb":"cat","directory":"/home/user/safe/"}` is approved
+- **AND** `/home/user/safe/leak` is a directory symlink resolving
+  to `/etc`
+- **WHEN** the agent runs `cat passwd` with cwd `/home/user/safe/leak/`
+- **THEN** the symlink-segment check breaks the auto-approval
+- **AND** `ToolPathPolicy.CommandReferencesDeniedPath` blocks execution
+  if the canonical path is protected
+
+#### Scenario: Shallow directory prevents Always here
+
+- **GIVEN** an approval prompt for `cat /etc/passwd` (cwd `/etc/`)
+- **WHEN** the prompt is rendered
+- **THEN** the `Always here` button is omitted
+- **AND** only `Once`, `This chat`, `Always anywhere`, `Deny` are shown
+
+## REMOVED Requirements
+
+### Requirement: Directory root extraction via IToolApprovalMatcher
+
+**Reason:** Replaced by the typed `(verb, directory)` `ApprovalEntry`
+model. Directory roots are no longer a separate matcher concept; they
+are the `directory` field on every entry. `IToolApprovalMatcher`
+collapses to verb-chain extraction; the cwd providing the directory
+half of the pair comes from `ToolExecutionContext`.
+
+**Migration:** None — breaking change. Implementation removes
+`ExtractDirectoryRoots()` from `IToolApprovalMatcher` and the
+corresponding implementations in `ShellApprovalMatcher`,
+`DefaultApprovalMatcher`, and `FilePathApprovalMatcher`. Pattern
+extraction returns verb chains; the approval gate threads the cwd
+through `ToolInteractionRequest.Cwd`.
+
+### Requirement: Dynamic approval option labels
+
+**Reason:** PR #937 already reverted dynamic labels to fixed labels to
+fit Slack/Discord button caps. The v2 prompt design replaces the
+3-button + dynamic-label approach with 5 fixed-label buttons
+(`Once`, `This chat`, `Always here`, `Always anywhere`, `Deny`). The
+verb-and-directory framing now lives in the prompt body header
+(`Approve in <cwd> ?`) and the verb bullet list, not in button text.
+
+**Migration:** None — breaking change. The `Always here` and
+`Always anywhere` buttons replace the directory-root-aware label
+behavior; the cwd is shown in the prompt body, not the button.
diff --git a/openspec/changes/archive/2026-05-08-approval-policy-v2/tasks.md b/openspec/changes/archive/2026-05-08-approval-policy-v2/tasks.md
new file mode 100644
index 00000000..42625aff
--- /dev/null
+++ b/openspec/changes/archive/2026-05-08-approval-policy-v2/tasks.md
@@ -0,0 +1,112 @@
+# Approval Policy v2 — Tasks
+
+Phasing intent (from design.md):
+
+- **PR 1** = sections 1–6 (storage, matcher, cwd default, safe-verb policy, CLI, hard-deny audit). No prompt/UI changes; channel adapters keep rendering today's body off the new data.
+- **PR 2** = sections 7–10 (prompt redesign, resolution message, agent guidance, schedule-creation flow, evals).
+
+Both PRs sit under this single OpenSpec change.
+
+## 1. Storage schema v2 + quarantine
+
+- [x] 1.1 Add `ApprovalEntry` record (`Verb` required, `Directory` nullable) to `src/Netclaw.Configuration/`.
+- [x] 1.2 Update `ToolApprovalData` to `Version` (int, default 2) + `Dictionary<string, Dictionary<string, List<ApprovalEntry>>>` shape.
+- [x] 1.3 Update `ToolApprovalStore.Load()` to detect `Version != 2` (or absent), move file to `tool-approvals.json.v1.bak`, and return empty v2 store.
+- [x] 1.4 Update `ToolApprovalStore.Save()` to always emit `version: 2`.
+- [x] 1.5 Update `AddApproval` / `RemoveApproval` / `RemoveAllForTool` / `Snapshot` to operate on `ApprovalEntry`.
+- [x] 1.6 Update `ToolApprovalEntryComparer` to compare `(Verb, Directory)` tuples (Ordinal on POSIX, OrdinalIgnoreCase on Windows; null directory compares equal to null directory).
+- [x] 1.7 Unit tests for v1 quarantine on first read; round-trip serialization of folder-scoped and global-wildcard entries; comparer on POSIX vs Windows.
+
+## 2. Matcher operates on ApprovalEntry
+
+- [x] 2.1 Update `IToolApprovalMatcher` to remove `ExtractDirectoryRoots`; pattern extraction returns verb chains only.
+- [x] 2.2 Update `ApprovalPatternMatching` to evaluate `(verb, directory)` containment: candidate matches when verb equals entry's verb AND (entry directory is null OR candidate cwd is under entry directory) AND no symlink segment along the cwd path.
+- [x] 2.3 Plumb `Cwd` through `ToolExecutionContext` / `ToolInteractionRequest` so the matcher always has a concrete cwd to evaluate against.
+- [x] 2.4 Delete the v1 string-shape inspection logic (trailing-slash heuristic) from `ShellApprovalMatcher` and `ApprovalPatternMatching`.
+- [x] 2.5 Unit tests for the four matcher cases: cwd inside entry directory; cwd outside; entry directory null; symlink segment in cwd.
+
+## 3. ShellTokenizer refuses messy input
+
+- [x] 3.1 Add control-flow keyword detection (`for`/`while`/`do`/`done`/`then`/`fi`/`case`/`esac`) to `SplitCompoundCommand`.
+- [x] 3.2 Add unbalanced-quote/bracket detection (cheap structural scan; no full bash parser).
+- [x] 3.3 When detected, return empty verb-chain list. Do not attempt partial extraction.
+- [x] 3.4 Plumb a "messy" flag through to `ToolInteractionRequest` so the prompt builder can show the "complex command" hint and omit `This chat`/`Always here`/`Always anywhere` buttons.
+- [x] 3.5 Unit tests for: `for ... do ... done`; `while ... do ... done`; `case ... esac`; unbalanced quote; unbalanced bracket; well-formed commands still extract normally.
+
+## 4. ShellTool cwd default
+
+- [x] 4.1 In `src/Netclaw.Actors/Tools/ShellTool.cs:81-82`, when `args.WorkingDirectory` is null/whitespace, resolve cwd to `WorkingContext.ProjectDirectory` if set, else `session_dir`.
+- [x] 4.2 Thread `WorkingContext` into `ShellTool` via `ToolExecutionContext` (or constructor; whichever matches existing patterns).
+- [x] 4.3 Unit tests: null arg + project_dir set → uses project_dir; null arg + project_dir null → uses session_dir; explicit arg → uses arg verbatim; assert daemon-process cwd is never the resolved value.
+
+## 5. Safe-verbs ∩ safe-space short-circuit
+
+- [x] 5.1 Create `safe-verbs.linux.json` and `safe-verbs.windows.json` in the daemon's bundled config (alongside other shipped defaults).
+- [x] 5.2 Add a loader that reads bundled defaults and merges `~/.netclaw/config/safe-verbs.<os>.json` overrides if present.
+- [x] 5.3 Create `src/Netclaw.Actors/Tools/ScopedShellSafeVerbPolicy.cs` mirroring `ScopedFileAccessPolicy`. Inputs: candidate verb chain + cwd + `ToolExecutionContext`. Output: short-circuit decision (allow / fall-through).
+- [x] 5.4 Reuse `ToolAudienceProfileResolver` for safe-space root resolution. Personal/Team get `session_dir + project_dir`; Public gets `session_dir` only.
+- [x] 5.5 Reuse `ContainsSymlinkSegment` (or extract to a shared utility) for symlink-segment guard along the cwd path.
+- [x] 5.6 Wire the policy into `ToolAccessPolicy.CheckApprovalGate` so the safe-verb short-circuit runs before the existing approval gate. Hard-deny list (layer 1) still runs first.
+- [x] 5.7 Unit tests covering all four scenarios in the spec: safe verb + project_dir → allow; safe verb + session_dir → allow; safe verb + outside → prompt; mutating verb + safe space → prompt; Public + project_dir → prompt; symlink in cwd → prompt; user override extends defaults.
+
+## 6. CLI updates (list/revoke/trust-verb)
+
+- [x] 6.1 Update `ApprovalsListView` JSON shape to reflect `ApprovalEntry`.
+- [x] 6.2 Update `ApprovalsCommand list` to render entries with scope labels (`<verb> in <dir>` / `<verb> anywhere`).
+- [x] 6.3 Update `ApprovalsCommand revoke` to accept the user-visible forms above as the pattern argument; route to `RemoveApproval` with parsed `ApprovalEntry`.
+- [x] 6.4 Add `ApprovalsCommand trust-verb <verb> [--audience] [--tool]` subcommand. Idempotent: existing `(verb, null)` entry → exit zero with "no changes".
+- [x] 6.5 Update `ApprovalsManagerPage` (TUI) to show verb + directory columns; revocation + trust-verb both reachable from the TUI. (Display: done in section 1 via `ApprovalDisplayItem.DisplayText`. Trust-verb-from-TUI affordance is deferred — agent path is CLI-only and human path lands without it; revisit in PR2 if friction surfaces.)
+- [x] 6.6 Update CLI quarantine-detection note to point at `.v1.bak` (was `.invalid` for v1's malformed-file path; now also fires when v1 is detected during upgrade).
+- [x] 6.7 Tests: `list` stable ordering; `list --json` shape; `revoke` of folder-scoped and global forms; `revoke` no-match exit 1; `trust-verb` adds and is idempotent; `trust-verb` honors audience/tool flags.
+
+## 7. Prompt redesign (Slack)
+
+- [x] 7.1 Add `ApprovalOptionKeys.ApproveEverywhere` constant ("Always anywhere").
+- [x] 7.2 Update `SlackApprovalBlockBuilder` to render the 5-button row with `Once` / `This chat` / `Always here` / `Always anywhere` / `Deny` and apply `style: "danger"` on `Always anywhere` and `Deny`.
+- [x] 7.3 Update prompt body: header `Approve in <cwd> ?` (or `Approve <verb> in <cwd> ?` for single-verb), bulleted verbs, no `Patterns` / `Directory Roots` sections.
+- [x] 7.4 When the cwd is too shallow (fails minimum-depth check) or the command is "messy" (per task 3.4), omit `This chat`/`Always here`/`Always anywhere` and emit the "complex command" hint. (Messy → only Once/Deny per spec scenario; shallow → only `Always here` omitted, This chat / Always anywhere remain per `tool-approval-gates` "Shallow directory prevents Always here" scenario.)
+- [x] 7.5 Update `SlackApprovalHandler` to map button clicks to the right persistence path: Once → no-op; This chat → session-scoped store; Always here → `(verb, cwd)` per extracted verb; Always anywhere → `(verb, null)` per extracted verb; Deny → refuse this call.
+- [x] 7.6 Update resolution message to the single-line format from the spec.
+- [x] 7.7 Snapshot tests for prompt body (single-verb + compound + messy) and resolution message (Once / This chat / Always here / Always anywhere / Deny).
+
+## 8. Prompt redesign (Discord)
+
+- [x] 8.1 Update `DiscordApprovalPromptBuilder` to mirror Slack's 5-button row using `ButtonStyle.Danger` on `Always anywhere` and `Deny`.
+- [x] 8.2 Update prompt body to match Slack format.
+- [x] 8.3 Update Discord approval response handler to mirror Slack's mapping. (No Discord-side handler change needed: the transport decodes button values and forwards `selectedKey` to the session actor; `LlmSessionActor`'s switch already routes `ApproveEverywhere` for both channels.)
+- [x] 8.4 Update Discord resolution message to the single-line format.
+- [x] 8.5 Snapshot tests parallel to Slack.
+
+## 9. Agent guidance (AGENTS.md, tool description, failure path)
+
+- [x] 9.1 Update `feeds/skills/.system/files/netclaw-operations/SKILL.md` with the new approval flow guidance and the schedule-creation pre-approval suggestion. Bump `metadata.version`. (Bumped to 2.0.0; rewrote Approval Prompts and Approval Requirements for Reminders/Webhooks sections around the v2 model.)
+- [x] 9.2 Update AGENTS.md (and any other live identity files: `feeds/skills/.system/files/.../AGENTS.md` if present) with the load-bearing `set_working_directory` instruction. Include the consequence framing ("burns the user's attention and your token budget"). (No separate live `feeds/skills/.system/files/.../AGENTS.md` exists; updated `Resources/AGENTS.md` which Personal+Team load. Public's `AGENTS.public.md` left untouched because `set_working_directory` is profile-managed away from Public.)
+- [x] 9.3 Update the `set_working_directory` tool description in `src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs` to read as "declare your project root and expand your trusted scope." Remove any `cd`-style framing.
+- [x] 9.4 Update `ShellTool` failure-result handling so when the deny reason is "cwd outside safe spaces" AND `set_working_directory` is in the audience's tool exposure list, the result includes the one-line hint pointing at `set_working_directory <cwd>`. (Implemented as `SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint` in the deny path; LlmSessionActor pre-computes `setWorkingDirectoryAvailable` from the policy's `IsToolExposed` check and threads it into `ExecuteToolsAsync`.)
+- [x] 9.5 Unit test the failure-path hint: emitted on cwd-outside denial; not emitted on hard-deny refusal; not emitted when `set_working_directory` is unavailable to the audience.
+
+## 10. Schedule-creation flow + evals
+
+- [x] 10.1 Document the schedule-creation pre-approval pattern in `feeds/skills/.system/files/netclaw-operations/SKILL.md` (covered in 9.1; cross-checked — "Pre-approving for unattended tasks (load-bearing)" section covers the agent-driven trust-verb flow with example dialogue).
+- [x] 10.2 Add eval case (positive): session opens with a user prompt that mentions a specific repo path; assert agent calls `set_working_directory <path>` before issuing any shell tool call to that tree.
+- [x] 10.3 Add eval case (negative): session opens with no project signal ("what's 2+2?", "explain X"); assert agent does NOT call `set_working_directory` preemptively.
+- [x] 10.4 Add eval case (recovery): in a session where the agent is denied a shell call because cwd was outside both safe spaces, assert agent reads the failure-path hint and calls `set_working_directory <path>` on its next turn. (Multi-turn — T1 feeds the hint shape since scripting an actual denial in the eval container is awkward; T2 asserts self-correction.)
+- [x] 10.5 Add eval case (schedule pre-approval): session opens with a user request to schedule an unattended task using a specific verb (e.g. `freshdesk`); assert agent suggests global pre-approval and (on user confirmation) issues the equivalent of `netclaw approvals trust-verb freshdesk` before completing schedule setup.
+- [ ] 10.6 Run the eval suite; baseline pass rate documented in PR. (Deferred — requires `NETCLAW_EVAL_PROVIDER_*` env + Docker daemon container; Aaron runs locally before merging.)
+
+## 11. Spec sync at archive time
+
+- [ ] 11.1 Run `/opsx-verify` to confirm implementation matches change artifacts.
+- [ ] 11.2 Run `/opsx-sync` to fold delta specs into `openspec/specs/tool-approval-gates/spec.md`, `openspec/specs/session-cwd/spec.md`, and `openspec/specs/netclaw-cli/spec.md`.
+- [ ] 11.3 Run `/opsx-archive` to move the change to `openspec/changes/archive/`.
+
+## Acceptance gates (across all sections)
+
+- [ ] All unit + integration + snapshot tests green.
+- [ ] `dotnet slopwatch analyze` reports no new violations.
+- [ ] `./scripts/Add-FileHeaders.ps1 -Verify` passes.
+- [ ] Eval suite passes (positive + negative + recovery + schedule-preapproval cases).
+- [ ] Manual Slack flow: compound command outside safe space → 5-button prompt → click `Always anywhere` → resolution shows "Saved: ... anywhere" → `tool-approvals.json` contains `(verb, null)` entries.
+- [ ] Manual Discord flow: same as Slack with `ButtonStyle.Danger` rendering correctly.
+- [ ] Manual: `netclaw approvals trust-verb freshdesk` writes the right entry; `list` labels it `freshdesk anywhere`; `revoke "freshdesk anywhere"` removes it.
+- [ ] Manual: legacy v1 `tool-approvals.json` quarantines to `.v1.bak` on first read; CLI surfaces the quarantine note.
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/.openspec.yaml b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/.openspec.yaml
new file mode 100644
index 00000000..0478d8f1
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-09
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/CONTINUATION.md b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/CONTINUATION.md
new file mode 100644
index 00000000..0d11a095
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/CONTINUATION.md
@@ -0,0 +1,475 @@
+# Continuation Memory: approval-policy-path-extraction → trust-zones rewrite
+
+This is a hand-off note from a long working session (Aaron + Claude, 2026-05-09).
+Read it end-to-end before doing anything in `openspec/changes/approval-policy-path-extraction/`.
+The architectural conclusion of that session **invalidates** large parts of the existing change
+proposal/design/specs/tasks. Don't just `/opsx-apply` against them; we need to rewrite first.
+
+---
+
+## Where the code is right now
+
+**Branch:** `openspec/approval-policy-v2`. Pushed to `origin/openspec/approval-policy-v2`. PR #940.
+The branch name is now misleading (covers v2 + v2.1 + a fresh architectural rewrite about to happen)
+but git history is preserved that way.
+
+**Last pushed commit:** `579a4f6e fix(approvals): side-effect candidates auto-allow at match time`.
+
+**Daemon state:** Aaron's local netclawd is currently running this commit (binary swap done).
+`~/.netclaw/config/tool-approvals.json` has real entries from his dogfooding — see "Live evidence" below.
+
+**Uncommitted working tree at session end:**
+```
+M src/Netclaw.Actors/Sessions/LlmSessionActor.cs
+M src/Netclaw.Actors/Tools/ToolAccessPolicy.cs
+M src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs
+M src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs
+M src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs
+```
+
+These uncommitted edits add: `AllCandidatesResolveToSessionScratch` button-row guard,
+session-scratch persistence guard in `LlmSessionActor.PersistApprovalCandidatesAsync`, the
+`ResolveHeaderLocation` helpers in both channel builders that show the *target* directory
+in the approval header instead of cwd, and a regression test for cd-target-as-directory.
+
+**These uncommitted edits are tactical patches for the v2.1 model that the upcoming rewrite is
+about to throw out.** Recommendation: `git restore .` and start the rewrite from a clean working
+tree. The session-scratch ideas remain conceptually relevant but the trust-zone rewrite makes
+session_dir's role different (it becomes one trusted root among several), so the patches won't
+slot into the new model unchanged. Save brain energy by deleting them.
+
+---
+
+## Architectural conclusion of the session
+
+The session started doing path-extraction-style fixes on v2 and ended at a fundamental rewrite
+of the approval model. The conclusion is non-negotiable; Aaron drove it. Don't try to relitigate.
+
+**The new model:**
+
+### Trust zones, not session state
+
+Approval reasoning anchors on **trusted zones**, which are defined as:
+
+1. **Audience config** — read-allowed (and write-allowed) roots declared per-audience in the
+   trust profile. Static, operator-owned. Personal might have `/`, Team might have
+   `~/work-projects/*`, Public has `session_dir` only.
+2. **Session directory** — `~/.netclaw/sessions/<id>/` is *always* a trusted zone.
+3. **Operator-extended zones** — directories the user clicked "always" on in past prompts,
+   persisted per-audience.
+
+Anything inside any of these = silent (subject to the verb-pattern gate, see below).
+Anything outside = ask.
+
+**Trust zones are configuration, not state.** They don't move during a session. The agent
+cannot extend them by issuing commands; only the human (via prompts or config edits) can.
+
+### `WorkingContext.ProjectDirectory` is gone
+
+There is no per-session "project directory" concept anymore. Aaron explicitly killed it.
+`set_working_directory` tool is also gone. Any guidance, plumbing, or state related to project_dir
+gets removed.
+
+### Three-layer approval gate
+
+**Layer 1 — Hard-deny.** Unchanged. System-protected paths/patterns always block. Operates first.
+
+**Layer 2 — Zone gate.** Parse the command. Extract every directory the command will operate on
+(path args, cd targets, redirect targets, output destinations). For each:
+- Inside any trusted zone → continue to layer 3
+- Outside all trusted zones → prompt the user. Options:
+  - **Once** — run this call only, no persistence
+  - **Trust this directory** — extend zones for this audience to include `<dir>/*`. Read-only verbs in that tree auto-pass thereafter.
+  - **Trust this directory + this verb** — extend zones AND persist a verb-pattern grant for this command shape
+  - **Deny**
+- Persistence note: "Trust this directory" is a per-audience zone extension, not a per-session one.
+  Future sessions on the same audience inherit it.
+
+**Layer 3 — Verb-pattern gate.** Only reached after every path passed Layer 2.
+- **Read-only verb** (in the safe-verb list) → silent. The zone gate has already authorized geography;
+  the verb is harmless.
+- **Mutating verb** (`git push`, `rm`, `sed -i`, ...) → prompt for command-shape approval. Options:
+  - **Once** — run this call only
+  - **Always for this verb pattern** — persist verb-pattern grant
+  - **Deny**
+- Persistent verb-pattern grants short-circuit this prompt. Pattern format TBD (see open question 4).
+
+### Read-only verbs **only** auto-pass inside trusted zones
+
+This is a tightening Aaron explicitly called out. Outside-zone paths always prompt regardless of
+whether the verb is read-only. The "free pass for read-only" is conditional on the zone gate
+having authorized the geography first. Don't ever fall back to "but it's just a `cat`."
+
+### Two persistence stores, not a cross-product
+
+Replace the v2 `(verb, directory)` `ApprovalEntry` shape with two independent persistence stores:
+
+1. **Trusted zones** — per-audience list of directory globs (`/home/user/repos/*`, `/etc/*`, etc.).
+   Extended by user clicks on "Trust this directory" or "Trust this directory + this verb." Used
+   by the Layer 2 zone gate.
+2. **Approved patterns** — per-audience list of verb patterns. Extended by user clicks on
+   "Always for this verb pattern" or "Trust this directory + this verb." Used by the Layer 3
+   verb-pattern gate.
+
+Each gate is independent. Trusting `/home/user/repos/*` doesn't grant any verb pattern.
+Trusting `git push` doesn't grant any directory. The gates compose at evaluation time:
+both must pass.
+
+### Project_instructions auto-injection deleted
+
+The daemon currently auto-loads `<project>/.netclaw/AGENTS.md`, `CLAUDE.md`, `AGENTS.md`,
+`CONTEXT.md` based on `WorkingContext.ProjectDirectory` and injects them into the system
+prompt. With project_dir gone, this auto-injection goes too.
+
+The agent reads project context **on demand** via `file_read` / `glob`. We update
+`Resources/AGENTS.md` to tell the agent: when working on a codebase, look for and read
+`AGENTS.md` / `CLAUDE.md` / `.netclaw/AGENTS.md` / `CONTEXT.md` at the project root. Read once,
+content lives in conversation history.
+
+This also resolves a token-bloat issue Aaron observed today (`~6k tokens` extra in `in=`
+counts when project_dir was set, see PR #940 comment on issue #622 for the broader
+instrumentation suggestion).
+
+### cd-in-compound: useful for *parsing*, not for state
+
+The agent's natural idiom is `cd /target && cmd1 && cmd2`. Bash semantics: cmd1 and cmd2 run
+in `/target`. The matcher honors this for **extraction within the same compound** — `/target`
+counts as a directory the call operates on, plus cmd1 and cmd2 each get attributed to `/target`.
+
+**It does NOT mutate session state.** The agent's cd does not auto-promote anything to a trusted
+zone. The next tool call starts fresh — if it has no path arg, the spawn cwd is session_dir
+again. The agent has to either re-cd, pass paths explicitly (`git -C /target log`), or accept
+session_dir as the spawn cwd.
+
+This is a deliberate tradeoff. We discussed and rejected cd-auto-promote because it's a
+security regression (agent extends trust by running a 9-byte command). State stays config-only.
+
+### Multi-path commands resolve naturally
+
+`cp /src/file /dst/file`: zone gate checks BOTH `/src` and `/dst` independently. If both inside
+zones, silent geography. If `/dst` is outside, prompt for `/dst` only. After zone-gate passes,
+verb gate prompts for cp pattern (mutating verb). Total prompts: at most one per untrusted path,
+plus one for mutating-verb pattern. Each prompt is reusable via "always."
+
+No `(cp, single_directory)` cross-product entry to fight with.
+
+### Five-button row — likely shrinks or restructures
+
+The current `(Once, This chat, Always here, Always anywhere, Deny)` row was designed around
+the v2 `(verb, directory)` cross-product model. Under the two-gate model the buttons need to
+re-think:
+
+- **Layer 2 (zone gate, untrusted-dir prompt):** {Once, Trust this directory, Trust this
+  directory + this verb, Deny}
+- **Layer 3 (verb-pattern gate, mutating-verb prompt):** {Once, Always for this verb pattern, Deny}
+
+That's two different button rows depending on which gate is firing. Or one unified row that
+contextualizes based on what's being asked. UX call.
+
+---
+
+## Tactical findings from OpenCode source (sst/opencode)
+
+Read-only research, not implementation directives. These inform the *how* of our implementation,
+not the *what*. The strategic model is settled; these are tactical references.
+
+OpenCode is single-tenant per launch (cwd at launch = project_root) so its model isn't directly
+portable, but several specific implementation choices are worth borrowing.
+
+### Their permission/permission directory
+
+`packages/opencode/src/permission/`:
+- `index.ts` — service interface, defines `Rule = {permission, pattern, action}`,
+  `Reply = once | always | reject`, `Approval = {projectID, patterns[]}`. Three buttons total
+  (no This-chat middle ground).
+- `evaluate.ts` — five-line wildcard matcher, last-match-wins via `findLast`. Default `ask`.
+- `arity.ts` — hand-curated dictionary mapping command prefixes to "how many tokens form the
+  verb chain." Flags don't count. `cd: 1`, `git: 2`, `docker compose: 3`, `bun run: 3`, etc.
+  Strictly better than our fixed `maxDepth=2 + path-aware-cap`. Worth porting wholesale.
+
+### Their two-gate model
+
+The architectural insight that drove our pivot. `packages/opencode/src/tool/external-directory.ts`
+defines `assertExternalDirectory(ctx, target)`. Every file tool calls it before touching a path:
+
+```ts
+export const assertExternalDirectoryEffect = Effect.fn(...)(function* (ctx, target, options) {
+  if (!target) return
+  if (containsPath(full, ins)) return                    // inside project root → silent
+  const dir = options?.kind === "directory" ? full : path.dirname(full)
+  const glob = path.join(dir, "*")                       // parent-dir wildcard
+  yield* ctx.ask({
+    permission: "external_directory",
+    patterns: [glob],
+    always: [glob],
+    metadata: { filepath: full, parentDir: dir },
+  })
+})
+```
+
+Their `bash` tool (`tool/shell.ts`) ALSO calls `external_directory` for directories the command
+will touch (extracted from the AST), independently of the bash-pattern check. Same call can
+produce TWO ask events (directory + bash-pattern), independently persisted.
+
+### Their bash directory extraction (`shell.ts:collect`)
+
+```ts
+const CWD = new Set(["cd", "chdir", "popd", "pushd", "push-location", "set-location"])
+const FILES = new Set([...CWD, "rm", "cp", "mv", "mkdir", "touch", "chmod", "chown", ...])
+
+for (const node of commands(root)) {
+  const tokens = parts(node).map(p => p.text)
+  const cmd = tokens[0]?.toLowerCase()
+  if (cmd && FILES.has(cmd)) {
+    for (const arg of pathArgs(command, ps, shellKind === "cmd")) {
+      const resolved = yield* argPath(arg, cwd, ps, shell)
+      if (!resolved || containsPath(resolved, instance)) continue
+      const dir = (yield* fs.isDir(resolved)) ? resolved : path.dirname(resolved)
+      scan.dirs.add(dir)
+    }
+  }
+  if (tokens.length && (!cmd || !CWD.has(cmd))) {
+    scan.patterns.add(source(node))
+    scan.always.add(BashArity.prefix(tokens).join(" ") + " *")   // glob-style
+  }
+}
+```
+
+Notes for our implementation:
+
+1. **They use tree-sitter-bash AST parsing**, not regex. Handles quotes/escapes/redirects/heredocs
+   correctly. Mature library. .NET binding exists. Big upgrade vs our `ShellTokenizer` which is
+   regex-based.
+2. **Per-verb pathArgs filter** — knows `chmod +X` is special, skips Windows-cmd `/X` flags.
+   We have `LooksLikeArgument` which is much blunter. Per-verb table is the right shape.
+3. **`argPath` resolution pipeline** — unquote → `~` expansion → env var expansion (`$HOME`,
+   `$PWD`, `${env:VAR}`) → strip `filesystem::/path` prefixes → resolve relative against cwd.
+4. **Dynamic-path skip** — tokens with unresolved variables or globs they can't expand are
+   skipped. We'd extract `~/repos/$VAR` literally today; that's a subtle bug.
+5. **`fs.isDir` stat** — actual syscall vs our `Path.HasExtension` heuristic. Theirs is more
+   accurate (catches extensionless files like `Makefile`, dot-suffixed dirs like `node_modules.bak`).
+   Cost: one syscall per path. Negligible for our latency budget.
+6. **CWD verbs (cd) are excluded from `scan.patterns`** but their path arg goes into `scan.dirs`.
+   The cd "command" itself doesn't need pattern approval; only the directory it targets needs zone
+   approval. Same idea applies to our verb-pattern gate: cd's pattern probably never needs approval
+   under the new model.
+7. **Pattern storage format**: glob-style `git push *` rather than verb-only `git push`.
+   Functionally equivalent for matching but the explicit `*` makes it clear it's a wildcard.
+8. **They also add cwd to scan.dirs** if the spawn cwd isn't inside the project. So a bash call
+   with no path args from a foreign cwd still produces a directory ask for the cwd. Our equivalent:
+   spawn cwd is session_dir which is always trusted, so this case rarely fires for us.
+
+---
+
+## Live evidence from Aaron's dogfood sessions today
+
+### Session ID `D0AC6CKBK5K/1778362405.301519` (the one that motivated session-scratch hide)
+
+Compound: `netclaw doctor --help; echo "---"; netclaw bootstrap --help`. No path arg on any
+clause (commands ran from session_dir cwd). User clicked "Always here." Persisted entries:
+
+```json
+{ "verb": "netclaw doctor",    "directory": "/home/petabridge/.netclaw/sessions/D0AC6CKBK5K_1778362405_301519" }
+{ "verb": "netclaw bootstrap", "directory": "/home/petabridge/.netclaw/sessions/D0AC6CKBK5K_1778362405_301519" }
+{ "verb": "which netclaw",     "directory": "/home/petabridge/.netclaw/sessions/D0AC6CKBK5K_1778362405_301519" }
+```
+
+These are dead-on-arrival entries. The session_dir won't recur. They illustrate the v2
+mismatch between "Always here" semantics and what the user actually wanted.
+
+### Session ID `D0AC6CKBK5K/1778362405.301519` (different prompt, same session)
+
+Compound: `cd /home/petabridge/repositories/stannardlabs/netclaw && git remote -v && echo "---" && git worktree list && echo "---" && git branch -a | grep -E "..."`.
+
+Header read: *"Approve in /home/petabridge/.netclaw/sessions/D0AC6CKBK5K_1778362405_301519?"* with bullets `cd, git remote, echo, git worktree, git branch`. Aaron's reaction: *"It's saying like, oh, do you want to do all this work in this GitHub repository? But the current directories are session directory."*
+
+The user understood the command's effective directory from the first cd target
+(`/home/petabridge/repositories/stannardlabs/netclaw`) but the daemon showed session_dir.
+Mismatch between "where the call lands" and "where the call is being made from."
+
+### Current state of `~/.netclaw/config/tool-approvals.json` on Aaron's machine
+
+After rebuild + dogfooding, contains a mix of valid path-scoped entries (e.g.
+`(find, /home/petabridge)`, `(ls, /home/.../publish)`) and the dead session-dir entries.
+**On rewrite, advise wiping the file** since v2 hasn't shipped beyond Aaron's box and the new
+storage shape is incompatible (two stores instead of cross-product).
+
+---
+
+## Open design questions for the next session
+
+These need answers before specs/tasks get drafted. Ordered by dependency.
+
+1. **Migration story for the existing `~/.netclaw/config/tool-approvals.json` shape.**
+   Probably: wipe and re-prompt. v2 hasn't deployed. New schema is two stores; old is one.
+   No migration logic worth writing.
+
+2. **Storage file structure for the two stores.** One file with two top-level sections, two
+   files (`tool-approvals.json` for verbs + `trusted-zones.json` for zones), or per-audience
+   sub-objects. Backwards-compat consideration: any deployed CLI commands like `netclaw approvals
+   trust-verb` need to keep working with the new shape (possibly with rename).
+
+3. **Prompt UX: sequential or batched for two gates?** A call hitting both Layer 2 and Layer 3
+   could produce two prompts back-to-back, or one prompt that asks both questions at once. Two
+   prompts is cleaner mental model but more clicks; batched is nicer UX but harder to render
+   concisely on Slack.
+
+4. **Mutating-verb pattern format.** OpenCode-style globs (`git push *`) or our verb-chain
+   (`git push`)? Globs are more expressive (`rm /tmp/*` allowed but `rm /home/*` denied). Verb-
+   chain is what the v2 store has today. Consider compatibility with the `netclaw approvals
+   trust-verb <verb>` CLI — what does it accept?
+
+5. **TUI for managing trust zones?** Today `netclaw approvals` has list/revoke/trust-verb/TUI
+   for the (verb, directory) entries. Under the two-store model the TUI needs to surface both
+   axes. New page (`netclaw zones`?) or extend the existing approvals page.
+
+6. **Audience-config exposure for trusted zones.** Today the trust profile defaults are
+   per-audience in `netclaw.json`. Operator-extended zones should presumably persist into the
+   same structure or a sibling file. Need to decide where they go and how the wizard surfaces
+   them.
+
+7. **What replaces `(verb, directory)` in the live `tool-approvals.json` parser.** All the
+   existing CLI / TUI / `IToolApprovalMatcher` code reads this shape. Rewrite touchpoints are
+   numerous. List of all consumers of `ApprovalEntry` is in the change's design doc; that list
+   needs to be updated for the new shape.
+
+8. **Project_instructions file lookup — replace with what?** Currently auto-injected. Under the
+   new model the agent reads on demand. We need to update `Resources/AGENTS.md` with explicit
+   guidance: which filenames to look for, when to read them, in what order. The candidate list
+   currently is `[".netclaw/AGENTS.md", "CLAUDE.md", "AGENTS.md", "CONTEXT.md"]` — keep this
+   ordering, just shift the consumer from daemon to agent.
+
+9. **Five-button row replacement.** Layer 2 prompt buttons vs Layer 3 prompt buttons differ.
+   Need wireframes / spec for both prompt shapes.
+
+10. **Slack/Discord adapter changes.** Both `SlackApprovalBlockBuilder` and
+    `DiscordApprovalPromptBuilder` rendering needs updates. Resolution-line copy (`Saved: ...`)
+    needs to handle the new persistence axes.
+
+11. **AST parser adoption: tree-sitter-bash or stay with regex?** Big tactical call. AST is
+    correct; regex is what we have. Defer to implementation phase — strategic model doesn't
+    care.
+
+12. **Per-verb path-arg rules.** Adopt OpenCode's `FILES`/`CWD` table or build our own.
+    Probably copy theirs and add Windows-side equivalents from `CMD_FILES`.
+
+13. **Where does the in-compound cd propagation live?** It's pure parsing — could go in
+    `ShellTokenizer` extending the candidate extraction, or in a higher layer that walks the
+    candidate list post-extraction. Cleaner in the extractor. No semantic change either way.
+
+---
+
+## What survives from the path-extraction PR work
+
+Even with the rewrite, several committed items on the branch are independently good and should
+survive:
+
+- **`01a142e3` cwd fix** (Always here actually persisting cwd) — was fixing a bug that no longer
+  exists in the new model (cwd doesn't go in the entry), but the underlying issue (cwd was being
+  silently dropped from `ToolInteractionRequest`) was real. The fix touches `ToolApprovalContext`
+  shape which gets rewritten anyway. Drop the fix wholesale; it's subsumed.
+- **`25e34f7d` path-extraction matcher + side-effect skip** — Verb-only extraction stays useful
+  (the verb-pattern gate still wants clean verb chains). Side-effect skip is moot under new model
+  (those verbs probably auto-pass via the verb-pattern gate). Path-extraction itself becomes part
+  of the layer-2 directory-extraction logic.
+- **`7e84da84` agent guidance docs** — most of this gets rewritten. The "Declaring Project Scope"
+  section in `Resources/AGENTS.md` needs to switch to "Trust zones are configured by your
+  operator; here's how to read project context yourself."
+- **`f54c2e68` proposal/design/specs** — most is invalidated by the architectural pivot.
+  proposal.md needs a rewrite. design.md needs a rewrite. specs/tool-approval-gates/spec.md
+  needs a rewrite. tasks.md needs a rewrite. Basically the whole change directory gets rebuilt.
+- **`579a4f6e` side-effect candidates auto-allow at match time** — was fixing a v2.1-specific
+  bug (retry-after-Always-anywhere crashed because echo wasn't in the persisted store). Under
+  the new model side-effect verbs auto-pass at the verb-pattern gate, so the fix's logic is
+  subsumed.
+
+**`fe5c89b3` streaming fix from PR #947** — unrelated to approvals, stays.
+
+---
+
+## Concrete next actions for the next session
+
+1. **`git restore .`** to discard the uncommitted session-scratch + header-location patches.
+2. **Read this CONTINUATION.md document.** Verify nothing's missing.
+3. **Run through the 13 open design questions with Aaron** and lock answers. Especially #2
+   (storage file structure), #3 (sequential vs batched), #4 (pattern format), #5 (TUI shape).
+4. **Rewrite `proposal.md`** to reflect the trust-zone architecture.
+5. **Rewrite `design.md`** with the three-layer gate, two-store persistence, AST parsing
+   adoption decision.
+6. **Rewrite `specs/tool-approval-gates/spec.md`** with the new requirements (and probably
+   create new requirements for trust-zones since that's a new capability).
+7. **Possibly rewrite the change name itself.** `approval-policy-path-extraction` no longer
+   describes the scope. Candidates: `approval-policy-trust-zones`, `approval-policy-call-
+   inspection`, `approval-policy-rewrite`. Aaron's call.
+8. **Rewrite `tasks.md`** against the new design.
+9. **Implement.** Probably iterate matcher → persistence stores → CLI/TUI → adapter rendering →
+   agent guidance.
+10. **Manual binary-swap validation.** Aaron's machine is the test bed.
+
+---
+
+## Things to NOT relitigate
+
+The session covered each of these and they're settled. Don't re-derive.
+
+- **`set_working_directory` is removed.** Don't propose keeping it. Not even as a fallback.
+- **`WorkingContext.ProjectDirectory` is removed.** No exceptions.
+- **Auto-promoting cd to project_dir was rejected** — security regression. The agent doesn't
+  get to extend trust through commands.
+- **Cwd does not factor into approval decisions.** It exists only as `psi.WorkingDirectory`
+  for the spawned subprocess. It does not appear in any approval matcher logic.
+- **Read-only verbs do not auto-pass outside trusted zones.** Outside zones, every verb
+  prompts. Read-only-only inside zones.
+- **Project_instructions auto-injection is removed.** Agent reads on demand.
+- **Trust zones are configuration, not state.** They are extended via prompts (which are user
+  decisions) but never via agent action.
+- **Two independent gates: zone + verb-pattern.** Not a single (verb, directory) cross-product
+  entry. Two separate persistence stores.
+
+If any of these gets relitigated in the next session, point at this document.
+
+---
+
+## Files to review when picking up
+
+- This document (`openspec/changes/approval-policy-path-extraction/CONTINUATION.md`).
+- `proposal.md`, `design.md`, `specs/tool-approval-gates/spec.md`, `tasks.md` — to know what
+  the existing artifacts say (they'll get rewritten).
+- `src/Netclaw.Configuration/ToolAudienceProfileResolver.cs` — to understand how trust profiles
+  currently express read-allowed roots.
+- `src/Netclaw.Configuration/ToolApprovalStore.cs` — current `(verb, directory)` storage.
+- `src/Netclaw.Security/IToolApprovalMatcher.cs` — current matcher interface.
+- `src/Netclaw.Actors/Tools/ToolAccessPolicy.cs` — current three-layer gate (hard-deny → safe-verb
+  → approval). Layer numbering will change but the layered shape stays.
+- `src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs` — about to be deleted.
+- `src/Netclaw.Configuration/Resources/AGENTS.md` — the section to rewrite.
+- `feeds/skills/.system/files/netclaw-operations/SKILL.md` — same.
+- `src/Netclaw.Actors/Sessions/LlmSessionActor.cs:PersistApprovalCandidatesAsync` — current
+  persistence path; gets ripped out and replaced.
+
+---
+
+## Status of the daemon swap on Aaron's machine
+
+Last binary-swap was at the `579a4f6e` commit. Aaron has been dogfooding against that build.
+The session-scratch/header-location patches in the working tree are NOT swapped in (they were
+never committed or pushed).
+
+`~/.netclaw/config/tool-approvals.json.v1.bak` exists from yesterday's v1→v2 migration test.
+`tool-approvals.json` has the dogfood entries described above.
+
+Next swap will require building from whatever the rewrite produces. Don't rebuild before the
+rewrite is complete; it'd serve no purpose.
+
+---
+
+## Who's reading this
+
+If you're a fresh Claude session loading this document: read it linearly start-to-finish before
+proposing anything. The context is dense but ordered. Aaron is the operator; defer to his
+architectural calls; don't re-derive decisions captured in "Things to NOT relitigate."
+
+The work product target is a coherent OpenSpec change in
+`openspec/changes/approval-policy-path-extraction/` (or a renamed sibling) that captures the
+trust-zones rewrite. Tasks for implementing it. Then drive implementation through `/opsx-apply`
+once Aaron approves the artifacts.
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/design.md b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/design.md
new file mode 100644
index 00000000..869a0c63
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/design.md
@@ -0,0 +1,246 @@
+## Context
+
+`approval-policy-v2` ships the `(verb, directory)` `ApprovalEntry` model
+and a five-button prompt row, but the verb extractor at
+`src/Netclaw.Security/ApprovalPatternMatching.cs` collapses both halves
+of the pair into a single string — `find /home/petabridge` rather than
+`("find", "/home/petabridge")`. The directory half of `ApprovalEntry`
+exists in the data model but the extraction path never populates it
+from arguments, so it falls back to the cwd of the spawned process
+(also null in most sessions because the model rarely calls
+`set_working_directory` preemptively).
+
+The downstream effect is the dogfood evidence in
+`D0AC6CKBK5K/1778303523.861279`: the operator clicks "Always here" on
+`find /home/petabridge`, the entry persists as `("find /home/petabridge",
+null)`, and the next call (`find /home/petabridge/.netclaw -name X`)
+produces a candidate `"find /home/petabridge/.netclaw -name X"` that
+doesn't equal the stored verb → no match → re-prompt. Folder-scoped
+trust never compounds.
+
+This change separates the two halves at extraction time. The verb is
+the command head plus subcommand chain (`find`, `git status`, `npm
+install`); the directory half comes from the first path-looking
+argument when present, falling back to cwd otherwise. Persistence
+shape is unchanged — only the extractor and matcher logic move.
+
+## Goals / Non-Goals
+
+**Goals:**
+
+- Verb extraction emits a clean command head (no path arguments).
+- Path arguments declare scope implicitly — `find /repo` produces a
+  candidate whose effective directory is `/repo`, not the daemon's
+  cwd.
+- Folder-scoped trust compounds: `(find, /home/petabridge)` covers
+  `find /home/petabridge/.netclaw/...` automatically.
+- Pure side-effect commands (`echo X`, `printf X`, `true`, `false`)
+  authorize once but don't pollute persistence.
+- Existing `ApprovalEntry` storage shape is unchanged; existing v2
+  test coverage continues to pass.
+
+**Non-Goals:**
+
+- No new buttons, no new persistence fields, no new prompt sections.
+- No migration logic for the dogfood entries — they age out as the
+  operator re-approves under the new rules.
+- No changes to `set_working_directory`, the safe-verb short-circuit,
+  the failure-path hint, or any layer-1 deny-list behavior.
+- No attempt to extract paths from flag-hidden positions like `git -C
+  <path>` or `make -C <path>`. Operators with that workflow can still
+  call `set_working_directory` explicitly.
+
+## Decisions
+
+### 1. Path classification at the tokenizer layer
+
+`ShellTokenizer.SplitCompoundCommand` already produces verb-chain
+tokens for each clause. We extend the per-clause tokenizer pass to
+classify each token as either a verb-chain token or a path token. A
+token is path-like when it starts with `/`, `~/`, `./`, `../`, or is
+exactly `~` / `.` / `..`. Other heuristics (token contains `/`
+internally; token resolves to an existing directory) are rejected as
+too clever for security-relevant code — false positives would silently
+expand or contract trust scope.
+
+The verb output is the chain of non-path tokens up to the first path or
+end of clause: `find`, `git status`, `npm install -g` (flags-as-verb is
+preserved because flags often subset the verb's behavior; `git push`
+vs `git fetch` differ semantically). The path output is the **first**
+path token encountered.
+
+**Alternative considered**: extracting all path tokens, treating the
+deepest-common-ancestor as the effective directory. Rejected — DCA on
+`cp /src/a /dst/b` is `/`, which is exactly the shallow path we already
+guard against. First-path-wins gives the source on `cp`/`mv`, the
+directory on `find`/`ls`/`grep -r`, and the file on `cat`/`less` —
+parent extraction handles the file-vs-directory case (see Decision 4).
+
+### 2. Effective directory at match time
+
+`ApprovalPatternMatching.MatchesShellApproval` takes
+`(candidateVerb, candidateDirectory, cwd, approvedEntries)`. The match
+predicate becomes:
+
+```
+candidateVerb == entry.verb
+  AND (entry.directory is null
+       OR effectiveDirectory is under entry.directory)
+  AND no symlink segment along effectiveDirectory
+```
+
+Where `effectiveDirectory = candidateDirectory ?? cwd`. Relative
+extracted paths (`./build`, `../shared`) resolve against cwd at match
+time. Absolute paths bypass cwd entirely.
+
+**Alternative considered**: storing the cwd separately on the candidate
+and matching independently of extracted path. Rejected — the goal is
+that path arguments declare scope, so the matcher must use the path
+when present. Otherwise we ship verb-only extraction without the
+elegance gain.
+
+### 3. Persistence on `approve_always`
+
+`LlmSessionActor`'s response handler currently writes one entry per
+candidate verb chain with `directory = pending.Cwd` (after the cwd
+fix landed in `01a142e3`). Under this change:
+
+- For each candidate, persist `(verb, candidateDirectory ?? cwd)`.
+- If `candidateDirectory` is non-null AND fails the depth guard
+  (`IsCwdTooShallow`), skip the entry — same rule that today omits the
+  "Always here" button when cwd is shallow. The shallow-path skip
+  emits a single warning to the resolution line so the operator knows
+  why some candidates were dropped.
+- For candidates whose verb is in the side-effect skip list, do not
+  persist at all. They were already authorized for this call by the
+  decision; the resolution line lists them as authorized-once.
+
+`approve_everywhere` continues to write `(verb, null)` for every
+candidate with no path filter — global trust is global.
+
+### 4. File-targeting commands and parent inference
+
+`cat ~/.profile` extracts `~/.profile` as the path. A file is not a
+directory; the matcher must compare against `Path.GetDirectoryName(...)`
+in that case. Two implementations:
+
+**(a) Resolve at extract time** — call `File.Exists` / `Directory.Exists`
+on the extracted path and use the parent if it's a file. Rejected:
+TOCTOU across the approval prompt (file may not exist at extract time
+but exists by execution time, or vice versa); also adds a syscall to
+the prompt-generation hot path.
+
+**(b) Match-time normalization** — if the extracted path is treated as
+a directory but `Path.HasExtension` returns true (heuristic that file
+paths usually have extensions), normalize to the parent directory for
+matching purposes only. Rejected: heuristic, not portable (`.bashrc`
+has an extension; many Unix executables don't).
+
+**(c) Persist as-is, match using `Path.GetDirectoryName` of the
+extracted path when persisting "Always here"**. Chosen. The persisted
+directory for `cat ~/.profile` is `~/` (the parent), which gives the
+operator a useful folder-scoped grant. The matcher applies the same
+parent-of-extracted-path rule for candidate directories at match time.
+This is a deterministic string operation, no syscalls.
+
+### 5. Side-effect skip list
+
+The skip list is small and explicit:
+
+- `echo`, `printf`, `:`, `true`, `false`
+
+Bash builtins that produce no filesystem effect when used without
+redirects. We do **not** include redirect-producing variants — `echo X
+> /tmp/file` has a path in the redirect target and should persist as
+`(echo, /tmp/)`. Detection: a clause is "pure side effect" when its
+verb head is in the skip list AND it has no path token AND no shell
+redirect operator (`>`, `>>`, `|`, etc.). Otherwise it persists
+normally.
+
+**Alternative considered**: persist every verb but tag side-effect
+ones as low-confidence. Rejected — adds complexity to the matcher
+without operator-visible benefit. Operators don't want a future
+prompt to silently auto-allow on `(echo, *)`; they want it to never
+have been persisted in the first place.
+
+### 6. Backwards compatibility with existing v2 entries
+
+Stored `ApprovalEntry` records from the dogfood window have path-
+embedded verbs (`find /home/petabridge`). Under the new extractor they
+become inert — no candidate will ever produce a verb string equal to
+`find /home/petabridge` because the new extractor emits `find`. Inert
+entries are harmless and self-cleanup as the operator re-approves
+under the new rules.
+
+We do **not** add quarantine logic. v2 hasn't deployed beyond the
+single dogfood operator; the dogfood entries were already wiped
+manually. Future operators encountering pre-fix entries get the same
+prompts they would have gotten anyway.
+
+## Risks / Trade-offs
+
+**[Risk] Path classification false positives.** A user-supplied
+argument that happens to start with `/` but isn't really a path (`grep
+-r '/foo' .`) would be classified as a path and could narrow scope
+unexpectedly. → **Mitigation**: the symlink-segment guard already runs
+on extracted paths; combined with the directory-existence check on
+`set_working_directory`, the worst case is the matcher refuses a
+match and falls back to a prompt. No security regression — only
+slightly more prompts than necessary.
+
+**[Risk] Multi-path commands lose the second path.** `cp /src /dst`
+extracts `/src` and ignores `/dst`. If the operator wants to grant
+trust on the destination tree, they have to approve `cp` again with a
+different first-path. → **Mitigation**: this is the pragmatic
+trade-off called out in the proposal. The first-path-wins rule covers
+the common shape (find, ls, grep, cat). Operators who routinely work
+in dst-first patterns can call `set_working_directory` to declare
+scope explicitly.
+
+**[Risk] File-path parent inference surprises operators.** Clicking
+"Always here" on `cat ~/.bashrc` persists `(cat, ~/)` rather than
+`(cat, ~/.bashrc)`. Some operators may expect file-level scoping. →
+**Mitigation**: the resolution line emitted on persistence already
+shows the saved scope (`Saved: cat in ~/`). Operators see what was
+persisted and can revoke via `netclaw approvals revoke` if it's wider
+than they wanted. Spec scenario covers this rendering explicitly.
+
+**[Risk] Side-effect skip list drift.** Bash has more no-op builtins
+than the five we list (`pwd`, `command`, `eval`, …). → **Mitigation**:
+the skip list is conservative — only commands that are unambiguously
+pure stdout. `pwd` we also include as truly pure. `eval` is excluded
+because it executes its arguments. The list lives next to the
+safe-verb list so future additions follow the same review gate.
+
+**[Risk] Old v2 dogfood entries silently persist.** They're inert under
+the new extractor, but they still appear in `netclaw approvals list`
+output. → **Mitigation**: operator-side. The list output already
+formats them readably (`find /home/petabridge anywhere`) and they can
+be revoked with `netclaw approvals revoke`. No code in the daemon
+needs to know about them.
+
+## Migration Plan
+
+No migration. The change is in-place:
+
+1. Land the extractor and matcher updates.
+2. Tests cover the new extractor cases plus the existing v2 cases
+   (which all continue to pass because verb-only extraction is a
+   strict refinement of the v2 chain extraction — non-path tokens are
+   preserved).
+3. Operators rebuild any project-scoped grants they relied on
+   pre-fix by clicking "Always here" once per project tree under the
+   new rules. The old entries become inert; deleting them is optional
+   cosmetic cleanup.
+4. Agent guidance (SKILL.md, AGENTS.md) updates in the same change so
+   the operator-facing language matches the runtime behavior.
+
+Rollback is trivial: revert the change. The `ApprovalEntry` storage
+shape is unchanged across this change, so no data is at risk.
+
+## Open Questions
+
+None at design time. The first-path-wins rule, side-effect skip list,
+and parent-of-file-path persistence are settled (Decisions 1, 4, 5).
+If any of these surface unexpected friction during implementation,
+they'll be revisited in tasks rather than re-opening the design.
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/proposal.md b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/proposal.md
new file mode 100644
index 00000000..6e454e61
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/proposal.md
@@ -0,0 +1,167 @@
+## Why
+
+Three bugs in `approval-policy-v2` (shipped on the same PR, not yet
+deployed) prevent folder-scoped trust from compounding across shell
+calls. Together they leave the operator approving every shell call and
+filling the store with entries that never match again. Surfaced in a
+single dogfood session (`D0AC6CKBK5K/1778303523.861279`) where
+`tool-approvals.json` ended up with:
+
+```
+{ "verb": "find /home/petabridge" }
+{ "verb": "find /home/petabridge/.netclaw" }
+{ "verb": "ls /home/petabridge/.netclaw/bin/" }
+{ "verb": "echo systemctl not available" }
+…
+```
+
+The bugs:
+
+1. **Verb extraction wrongly includes path arguments.** The v2 design
+   pairs `(verb, directory)` so verbs are reusable across paths. The
+   extractor instead emits `find /home/petabridge` as the verb,
+   collapsing both halves into one string. The next call (`find
+   /home/petabridge/.netclaw -name X`) is a different string → no
+   match → re-prompt. Folder-scoped trust never compounds because each
+   call's path produces a new entry.
+2. **The directory half is unused at extract time.** Path arguments to
+   shell commands are exactly the directory the gate should be reasoning
+   about. The extractor throws that information away, then we fall back
+   to cwd — which is null in most cases because the model doesn't call
+   `set_working_directory` preemptively. Net effect: the directory
+   half of `(verb, directory)` is almost always null even when the
+   command literally names the directory.
+3. **Compound-command splitting persists pure side-effects.** A
+   multi-clause command (`A; B; C` or `A || B`) splits into one
+   persisted entry per clause — including side-effect clauses like
+   `echo "==="` and `echo "no .bash_profile"` that have no path and no
+   future-matching value. Persistence is supposed to mean "I want to
+   run this kind of thing again"; recording every literal echo as a
+   global wildcard is noise.
+
+## What Changes
+
+This change reframes the verb half of `(verb, directory)` to be the
+command head only and uses path arguments as an implicit directory
+declaration. Persistence shape stays compatible with v2 — only the
+extractor and matcher change. The five-button prompt and quarantine
+behavior are unchanged.
+
+- **Verb-only extraction.** `ExtractCandidateVerbs` returns the command
+  head plus subcommand chain (`find`, `git status`, `npm install`) —
+  *not* the path arguments. Path-looking tokens (starting with `/`,
+  `~`, `./`, `../`) are stripped from the verb string and surfaced
+  separately as the candidate's effective directory.
+- **First-path-wins for multi-arg commands.** `cp /src/a /dst/b`
+  extracts `/src/a` as the effective directory (source wins). `git -C
+  /repo log` falls back to cwd because the path is hidden behind a
+  flag — acceptable, the model can still get the safe-verb short-circuit
+  by calling `set_working_directory` explicitly.
+- **Effective directory drives matching.** `ApprovalPatternMatching`
+  evaluates candidates against persisted entries using:
+  `verb == entry.verb AND (entry.directory == null OR
+  effectiveDirectory under entry.directory)`. The effective directory
+  is the extracted path arg if present, else the cwd. Symlink-segment
+  guard still applies along the resolved path.
+- **Always here persists with the extracted path.** Clicking
+  `approve_always` on `find /home/petabridge` stores
+  `(verb="find", directory="/home/petabridge")` — covering future
+  `find /home/petabridge/.netclaw -name X` calls automatically. The
+  shallow-cwd guard (`IsCwdTooShallow`) extends to extracted paths so
+  the button is omitted when the path is too shallow to safely scope
+  (e.g. `find /`).
+- **Drop side-effect-only verbs from persistence.** When the user clicks
+  `approve_always` on a multi-clause command, only clauses with an
+  extractable path are persisted. Pure side-effect clauses (`echo X`,
+  `printf X`, `true`, `false`) get the approval **for this call** but
+  do not pollute the store. The `Once` decision still authorizes them
+  exactly once.
+- **Persistence shape unchanged.** Stored entries continue to be
+  `{verb, directory?}`. Existing entries from the dogfood window
+  (e.g. `find /home/petabridge`) won't match new candidates because
+  the verb extractor no longer emits path-embedded verbs — they
+  become inert and get superseded as the operator approves the new
+  forms via prompts. No quarantine, no migration logic, no version
+  bump. v2 hasn't shipped to anyone but Aaron; the few stale entries
+  on his machine can be deleted by hand or simply allowed to age out.
+
+## Capabilities
+
+### New Capabilities
+
+None. This is a refinement of an existing capability.
+
+### Modified Capabilities
+
+- `tool-approval-gates`: rewrites the verb-extraction and matcher
+  contract; adds the implicit-directory rule for `approve_always`
+  persistence; adds the "drop pure-side-effect verbs from persistence"
+  rule; adds the quarantine path for path-embedded v2 entries.
+
+## Impact
+
+**Source code:**
+
+- `src/Netclaw.Security/ApprovalPatternMatching.cs` — verb extraction
+  loses path args; matcher consumes effective-directory.
+- `src/Netclaw.Security/IToolApprovalMatcher.cs` — `ExtractCandidateVerbs`
+  signature gains a parallel `ExtractCandidateDirectories` (or returns a
+  list of `(verb, directory?)` pairs — design choice).
+- `src/Netclaw.Security/ShellTokenizer.cs` — path-token classification
+  on the way out.
+- `src/Netclaw.Actors/Tools/ToolAccessPolicy.cs` — pass effective
+  directories through to the matcher and into `ToolApprovalContext`.
+- `src/Netclaw.Actors/Sessions/LlmSessionActor.cs` — persistence path on
+  `ApprovedAlways` writes `(verb, extractedPath ?? cwd)` per clause and
+  skips pure-side-effect clauses entirely.
+- `src/Netclaw.Configuration/ToolApprovalStore.cs` — quarantine for
+  path-embedded v2 entries; reuses the v1 `.bak` pattern.
+
+**Channel adapters:**
+
+- `SlackApprovalBlockBuilder` / `DiscordApprovalPromptBuilder` — header
+  and resolution line use the effective directory rather than just cwd.
+  No new buttons, no new fields.
+
+**Persistence:**
+
+- `tool-approvals.json` shape unchanged. Existing path-embedded v2
+  entries quarantine to `tool-approvals.json.embedded.bak` on first
+  read.
+
+**Agent guidance:**
+
+- `feeds/skills/.system/files/netclaw-operations/SKILL.md` — bump
+  version, update Approval Prompts section to explain that path args
+  declare scope automatically; `set_working_directory` becomes useful
+  primarily for sessions where commands won't carry an explicit path
+  (e.g. interactive REPL work).
+- `Resources/AGENTS.md` — soften the "Declare Your Project Root Early"
+  imperative; for verb-with-path commands, the act of running the
+  command IS the declaration.
+
+**Specs:**
+
+- `openspec/specs/tool-approval-gates/spec.md` — modify the verb
+  extraction, matcher, and persistence requirements; add the
+  side-effect-verb skip rule; add the embedded-v2 quarantine scenario.
+  No changes to `session-cwd` or `netclaw-cli`.
+
+**Security and operational impact:**
+
+- **No security regression.** The new matcher is strictly more precise
+  about scope — `(find, /repo)` does not auto-allow `find /unrelated`.
+  Symlink-segment guard, hard-deny list, and audience trust profile
+  all run unchanged ahead of the new matcher.
+- **Quarantine is operator-visible.** The CLI surfaces the new
+  `.embedded.bak` quarantine in the same one-line note as v1's
+  `.v1.bak` — operators can inspect and re-grant via the prompt.
+- **Shallow-path guard extended.** Operators can no longer accidentally
+  store `(find, /)` or `(rm, ~)` because the depth check now applies
+  to extracted paths too.
+
+**PRD references:**
+
+- `docs/prd/approvals.md` (the v2 PRD) — friction-reduction goals are
+  load-bearing for this change. No new PRD section needed; this
+  proposal lives as a v2 refinement.
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/specs/tool-approval-gates/spec.md b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/specs/tool-approval-gates/spec.md
new file mode 100644
index 00000000..ada5790b
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/specs/tool-approval-gates/spec.md
@@ -0,0 +1,463 @@
+## MODIFIED Requirements
+
+### Requirement: Shell command pattern matching
+
+The system SHALL extract verb-chain prefix patterns from shell commands
+using tokenization. The verb chain SHALL consist of non-flag,
+non-path tokens from the start of the command until the first flag
+(`-`), path-like argument, or URL argument. Path-like arguments are
+tokens beginning with `/`, `~/`, `./`, `../` or equal to `~`, `.`, or
+`..`. The verb-chain output SHALL NOT include any path-like tokens —
+the path is captured separately as the candidate's **effective
+directory** (see "Path argument as effective directory" below).
+
+For shell approval units, `&&`, `||`, and `;` SHALL split into
+separate units, while `|` SHALL remain inside the current unit. For
+`bash -c` or `sh -c` wrappers, the inner command SHALL be extracted
+and scanned recursively.
+
+When `ShellTokenizer.SplitCompoundCommand` detects bash control-flow
+tokens or unbalanced quotes/brackets, it SHALL return an empty
+verb-chain list. The approval gate SHALL then offer only `Once` and
+`Deny`. See the "Pattern extraction refuses bash control-flow"
+requirement for details.
+
+The matcher SHALL operate on `ApprovalEntry` records keyed by
+`(verb, directory)`. The "is this string a verb chain or a directory
+root?" inspection logic of v1 SHALL NOT be present in the v2 matcher.
+
+Approval persistence SHALL store one `ApprovalEntry` per extracted verb
+chain, EXCEPT for clauses whose verb is in the side-effect skip list
+(see "Pure side-effect verbs not persisted"). Compound commands SHALL
+produce up to N entries from one user click on `Always here` or `Always
+anywhere`, where N is the count of clauses with extractable verbs that
+are not in the skip list.
+
+#### Scenario: Verb chain extracted from simple command
+
+- **GIVEN** the command `git push origin main`
+- **WHEN** the pattern is extracted
+- **THEN** the verb chain is `git push`
+- **AND** `origin` and `main` are not part of the verb chain
+
+#### Scenario: Verb chain stops at flag
+
+- **GIVEN** the command `ls -la /tmp`
+- **WHEN** the pattern is extracted
+- **THEN** the verb chain is `ls`
+- **AND** the effective directory is `/tmp`
+
+#### Scenario: Verb chain stops at first path argument
+
+- **GIVEN** the command `find /home/petabridge -name "netclaw" -type f`
+- **WHEN** the pattern is extracted
+- **THEN** the verb chain is `find`
+- **AND** the effective directory is `/home/petabridge`
+- **AND** the verb does NOT include `/home/petabridge`
+
+#### Scenario: Multi-level verb chain
+
+- **GIVEN** the command `docker compose up -d`
+- **WHEN** the pattern is extracted
+- **THEN** the verb chain is `docker compose up`
+
+#### Scenario: Control operators create separate approval units
+
+- **GIVEN** the command `git add . && git commit -m "fix" && git push`
+- **WHEN** approval is checked
+- **THEN** `git add`, `git commit`, and `git push` are checked as
+  separate approval units against the v2 matcher
+- **AND** each unit's effective directory comes from its own clause
+  (cwd in this case, since none have explicit path arguments other
+  than `.`)
+
+#### Scenario: Compound segments batched in one prompt
+
+- **GIVEN** none of `git add`, `git commit`, `git push` are approved
+- **WHEN** the command `git add . && git commit -m "fix" && git push`
+  is checked
+- **THEN** a single approval prompt lists all three verbs as bullets
+- **AND** one click on `Always here` persists three `(verb, cwd)`
+  entries (each clause's effective directory resolves to cwd)
+
+#### Scenario: bash -c inner command scanned recursively
+
+- **GIVEN** the command `bash -c "git push --force"`
+- **WHEN** approval and hard deny are checked
+- **THEN** the inner command `git push --force` is extracted and
+  scanned
+- **AND** verb chain `git push` is checked through the v2 matcher
+
+### Requirement: Persistent approval storage
+
+The system SHALL store persistent approvals in
+`~/.netclaw/config/tool-approvals.json` using a `version: 2` typed
+schema. Each entry SHALL be an `ApprovalEntry` with a required `verb`
+field (the command head plus subcommand chain, e.g. `git remote` —
+NOT `git remote add origin https://...`) and an optional `directory`
+field (an absolute path, or `null` for the global wildcard). The file
+SHALL contain per-audience sections with per-tool `ApprovalEntry`
+lists. The file SHALL NOT be monitored by `ConfigWatcherService`.
+
+When the daemon reads a `tool-approvals.json` file that does not have
+`version: 2`, the file SHALL be quarantined to
+`tool-approvals.json.v1.bak` and an empty v2 store SHALL be returned.
+The daemon SHALL write the empty v2 store on the next persist call. No
+automatic translation of v1 entries SHALL be performed.
+
+The matcher SHALL approve a candidate invocation when there exists an
+`ApprovalEntry` whose `verb` equals the candidate's extracted verb
+chain AND (`directory` is `null` OR the candidate's **effective
+directory** is under `directory`). The effective directory is the
+candidate's extracted path argument when present; otherwise it is the
+candidate's cwd at evaluation time. Relative extracted paths resolve
+against cwd before the under-check. Symlink-segment guard SHALL apply
+to the resolved effective directory.
+
+The file SHALL also be operator-editable via the `netclaw approvals`
+CLI (see the `netclaw-cli` capability). The daemon SHALL pick up
+out-of-band edits — whether made by direct file editing or by the
+CLI — on the next approval check, without requiring a restart.
+
+#### Scenario: Always here persists typed (verb, directory) entries from extracted paths
+
+- **GIVEN** the user clicks `Always here` for verbs `git remote` and
+  `git rev-parse` from a command running in cwd `~/repos/foo/` with
+  no explicit path arguments
+- **WHEN** the approval is processed
+- **THEN** `tool-approvals.json` contains
+  `[{"verb":"git remote","directory":"~/repos/foo/"},
+    {"verb":"git rev-parse","directory":"~/repos/foo/"}]`
+- **AND** the daemon does NOT restart
+
+#### Scenario: Always here uses extracted path as directory when present
+
+- **GIVEN** the agent invokes `find /home/petabridge -name X` (cwd is
+  the session_dir)
+- **WHEN** the user clicks `Always here`
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"find","directory":"/home/petabridge"}`
+- **AND** the entry's directory is `/home/petabridge` (the extracted
+  path), NOT the session_dir cwd
+
+#### Scenario: Folder-scoped trust compounds across deeper paths
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"find","directory":"/home/petabridge"}`
+- **WHEN** the agent invokes `find /home/petabridge/.netclaw -name X`
+- **THEN** the candidate's effective directory is
+  `/home/petabridge/.netclaw`
+- **AND** that directory is under the entry's `/home/petabridge`
+- **AND** the matcher returns approved
+- **AND** no prompt is rendered
+
+#### Scenario: Always anywhere persists null-directory entry
+
+- **GIVEN** the user clicks `Always anywhere` for verb `freshdesk`
+- **WHEN** the approval is processed
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+
+#### Scenario: v1 file quarantined on first read
+
+- **GIVEN** `tool-approvals.json` exists without a `version` field
+  (or with `version` other than `2`)
+- **WHEN** the daemon loads the file
+- **THEN** the file is moved to `tool-approvals.json.v1.bak`
+- **AND** `Load()` returns an empty v2 store
+- **AND** no v1 entries are translated to v2
+
+#### Scenario: Matcher approves under directory entry using extracted path
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git status","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git status` (no explicit path arg) with
+  cwd `~/repos/foo/`
+- **THEN** the candidate's effective directory falls back to cwd
+- **AND** the matcher returns approved
+- **AND** no prompt is rendered
+
+#### Scenario: Matcher approves under null-directory entry
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the agent invokes `freshdesk --since=24h` with cwd
+  `~/.netclaw/sessions/<id>/`
+- **THEN** the matcher returns approved regardless of effective
+  directory
+
+#### Scenario: Matcher rejects when effective directory is outside entry directory
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git remote -v` with cwd `~/repos/bar/`
+- **THEN** the candidate's effective directory falls back to cwd
+  `~/repos/bar/`
+- **AND** the matcher returns not-approved
+- **AND** the approval gate prompts the user
+
+#### Scenario: Approve once is retry-scoped only
+
+- **GIVEN** the user clicks `Once` for command `docker build`
+- **WHEN** the approval is processed
+- **THEN** the blocked `docker build` call is retried immediately
+- **AND** a later `docker build` call in the same session prompts
+  again
+- **AND** `tool-approvals.json` is NOT modified
+
+#### Scenario: Operator-applied revocation visible without restart
+
+- **GIVEN** the daemon is running with a persisted entry
+  `{"verb":"git push","directory":null}`
+- **WHEN** an operator removes that entry via `netclaw approvals revoke`
+- **AND** a new approval check evaluates `git push`
+- **THEN** the daemon re-loads the file and observes the entry is gone
+- **AND** the user is prompted for approval again
+- **AND** the daemon was not restarted
+
+### Requirement: Directory-root approvals for shell_execute
+
+For `shell_execute`, persistent approvals SHALL be stored as typed
+`(verb, directory)` `ApprovalEntry` records, NOT as separate verb
+patterns and directory-root entries. The matcher SHALL approve a
+candidate invocation when an `ApprovalEntry` exists whose `verb`
+matches the candidate's verb chain AND (`directory` is `null` OR the
+candidate's **effective directory** is under `directory`).
+
+The candidate's effective directory SHALL be the first path-like
+argument extracted from the command if present (with the file-parent
+rule below applied), otherwise the cwd resolved by `ShellTool`.
+
+When the extracted path resolves to a file (rather than a directory),
+the persisted entry's directory SHALL be the parent directory of that
+file. This is a string operation — `Path.GetDirectoryName(...)` — with
+no filesystem syscall, so it produces deterministic results regardless
+of file existence at extract time.
+
+For multi-path commands (e.g. `cp /src/a /dst/b`), the **first** path
+argument SHALL be used as the effective directory. Subsequent path
+arguments SHALL NOT influence the persisted entry.
+
+For commands where the path is hidden behind a flag (e.g. `git -C
+/repo log`, `make -C /build target`), the effective directory SHALL
+fall back to cwd. Operators with that workflow SHALL use
+`set_working_directory` to declare scope explicitly.
+
+`Once` SHALL retry only the blocked call; it SHALL NOT create any
+session or persistent approval.
+
+`This chat` SHALL store `(verb, effective directory)` entries in
+session-scoped memory only.
+
+`Always here` SHALL persist `(verb, effective directory)` entries to
+`tool-approvals.json`.
+
+`Always anywhere` SHALL persist `(verb, null)` entries to
+`tool-approvals.json` — the global wildcard.
+
+The system SHALL enforce path normalization, boundary-safe
+containment, path traversal checks, and `ToolPathPolicy` as the safety
+backstop. `ToolPathPolicy` SHALL resolve symlinks along every component
+of a candidate path so that a planted symlink under an approved
+directory cannot be used to reach a protected path that lies outside
+that directory.
+
+The minimum-depth check SHALL apply to the effective directory of
+`Always here` and `This chat` persistence, not just the cwd:
+`Always here` SHALL NOT persist a directory shallower than two path
+segments. When the effective directory is too shallow (e.g. `find /` or
+`rm ~`), the prompt SHALL omit the `Always here` button (only `Once`,
+`This chat`, `Always anywhere`, `Deny` remain) so the user cannot
+accidentally write a too-shallow root.
+
+#### Scenario: Once retries only the blocked call
+
+- **GIVEN** a shell command `cat ~/repos/foo/notes.md` requires approval
+- **WHEN** the user clicks `Once`
+- **THEN** only the current blocked call is retried
+- **AND** no `ApprovalEntry` is recorded
+- **AND** a later `cat ~/repos/foo/other.md` prompts again
+
+#### Scenario: Always here uses extracted path as effective directory
+
+- **GIVEN** a shell command `find /home/petabridge -name X` with cwd
+  `~/.netclaw/sessions/<id>/`
+- **WHEN** the user clicks `Always here`
+- **THEN** `{"verb":"find","directory":"/home/petabridge"}` is written
+  to `tool-approvals.json` (NOT the session_dir cwd)
+- **AND** a future `find /home/petabridge/.netclaw` is auto-approved
+
+#### Scenario: Always here on file-targeting command stores parent directory
+
+- **GIVEN** a shell command `cat ~/.bashrc`
+- **WHEN** the user clicks `Always here`
+- **THEN** the persisted entry is `{"verb":"cat","directory":"~/"}`
+  (the parent of `~/.bashrc`, not the file path itself)
+- **AND** a future `cat ~/.profile` is auto-approved (same verb,
+  same parent directory)
+
+#### Scenario: Multi-path command uses first path
+
+- **GIVEN** a shell command `cp /src/a.txt /dst/b.txt`
+- **WHEN** the user clicks `Always here`
+- **THEN** the persisted entry is `{"verb":"cp","directory":"/src/"}`
+  (parent of `/src/a.txt`, the first path argument)
+- **AND** a future `cp /src/c.txt /elsewhere/d.txt` is auto-approved
+
+#### Scenario: Flag-hidden path falls back to cwd
+
+- **GIVEN** a shell command `git -C /repo log` with cwd `~/work/`
+- **WHEN** the pattern is extracted
+- **THEN** the effective directory is `~/work/` (cwd; the path behind
+  `-C` is not extracted)
+- **AND** clicking `Always here` persists `(git, ~/work/)`, not
+  `(git, /repo)`
+
+#### Scenario: Always anywhere stores (verb, null) entry
+
+- **GIVEN** a shell command `freshdesk --since=24h` requires approval
+- **WHEN** the user clicks `Always anywhere`
+- **THEN** `{"verb":"freshdesk","directory":null}` is written to
+  `tool-approvals.json`
+- **AND** a scheduled task firing `freshdesk` in any cwd is
+  auto-approved on next invocation
+
+#### Scenario: Boundary-safe matching prevents prefix collisions
+
+- **GIVEN** `{"verb":"cat","directory":"/home/user/"}` is approved
+- **WHEN** the agent runs `cat data.txt` with cwd `/home/usersecret/`
+- **THEN** the candidate does NOT match the entry
+- **AND** the approval gate prompts the user
+
+#### Scenario: Symlink in effective directory breaks the approval match
+
+- **GIVEN** `{"verb":"cat","directory":"/home/user/safe/"}` is approved
+- **AND** `/home/user/safe/leak` is a directory symlink resolving
+  to `/etc`
+- **WHEN** the agent runs `cat /home/user/safe/leak/passwd`
+- **THEN** the symlink-segment check breaks the auto-approval
+- **AND** `ToolPathPolicy.CommandReferencesDeniedPath` blocks
+  execution if the canonical path is protected
+
+#### Scenario: Shallow extracted path prevents Always here
+
+- **GIVEN** an approval prompt for `find / -name X` (the extracted
+  path is `/`, depth 0)
+- **WHEN** the prompt is rendered
+- **THEN** the `Always here` button is omitted
+- **AND** only `Once`, `This chat`, `Always anywhere`, `Deny` are
+  shown — same behavior as today's shallow-cwd case
+
+## ADDED Requirements
+
+### Requirement: Path argument as effective directory
+
+The shell verb extractor SHALL classify each token in a clause as
+either a verb-chain token or a path-like token. A token is path-like
+when it starts with `/`, `~/`, `./`, `../`, or is exactly equal to
+`~`, `.`, or `..`. Other tokens — even those containing `/` somewhere
+internally, like a URL or a regex — SHALL NOT be classified as paths.
+This is intentionally conservative; a false positive would silently
+expand or contract trust scope.
+
+For each clause, the extractor SHALL emit a `(verb, candidateDirectory)`
+pair where `verb` is the chain of leading non-flag, non-path tokens and
+`candidateDirectory` is the **first** path-like token encountered in
+that clause, or `null` if the clause contains no path token. The
+matcher and persistence layer SHALL treat `candidateDirectory` as the
+candidate's effective directory when present, falling back to the
+spawned process's cwd otherwise.
+
+When persisting an entry whose `candidateDirectory` resolves to a
+file rather than a directory (determined heuristically by checking
+whether the path has a final extension via `Path.HasExtension`), the
+persisted directory SHALL be `Path.GetDirectoryName(...)` of the
+extracted path. This is a string operation; no filesystem syscall is
+performed at extract time.
+
+#### Scenario: Absolute path token classified as path
+
+- **GIVEN** the command `find /home/petabridge -name X`
+- **WHEN** tokens are classified
+- **THEN** `find` is a verb-chain token
+- **AND** `/home/petabridge` is the candidate directory
+- **AND** `-name` and `X` are not part of either output
+
+#### Scenario: Tilde-prefixed token classified as path
+
+- **GIVEN** the command `cat ~/.profile`
+- **WHEN** tokens are classified
+- **THEN** the candidate directory is `~/` (parent of `~/.profile`,
+  applying the file-parent rule)
+
+#### Scenario: Relative dot-path classified as path
+
+- **GIVEN** the command `grep -r foo ./build`
+- **WHEN** tokens are classified
+- **THEN** the candidate directory is `./build`
+- **AND** the matcher resolves `./build` against cwd at evaluation
+  time
+
+#### Scenario: URL not classified as path
+
+- **GIVEN** the command `curl https://example.com/foo`
+- **WHEN** tokens are classified
+- **THEN** the candidate directory is `null`
+- **AND** the matcher falls back to cwd
+
+#### Scenario: Internal slash not classified as path
+
+- **GIVEN** the command `grep -r 'a/b' .`
+- **WHEN** tokens are classified
+- **THEN** `'a/b'` is NOT classified as a path (does not start with
+  `/`, `~`, `./`, or `../`)
+- **AND** `.` is the candidate directory (resolves to cwd)
+
+### Requirement: Pure side-effect verbs not persisted
+
+The system SHALL skip persistence for clauses whose verb is in the
+side-effect-only skip list AND that have no path argument AND no
+shell redirect operator (`>`, `>>`, `|`), even when the user clicks
+`Always here` or `Always anywhere` on a compound command containing
+those clauses. Skipped clauses SHALL still be authorized for the
+current call (the click still grants runtime permission), but no
+`ApprovalEntry` SHALL be written for them.
+
+The skip list SHALL contain at least: `echo`, `printf`, `:` (bash
+null command), `true`, `false`. The list SHALL be kept conservative —
+only commands that produce stdout-only side effects without filesystem
+or process impact when used without redirects.
+
+The resolution line emitted to the channel after persistence SHALL
+list which verbs were persisted and which were authorized-once
+because they were skip-listed, so the operator can see exactly what
+ended up in the store.
+
+#### Scenario: Echo with no path argument is authorized but not persisted
+
+- **GIVEN** the user clicks `Always here` on the compound command
+  `cat A.txt; echo "==="; cat B.txt`
+- **WHEN** persistence runs
+- **THEN** `tool-approvals.json` contains entries for `cat` only
+  (one or two entries depending on the path-extraction collapse rule)
+- **AND** no entry for `echo` is written
+- **AND** the resolution line indicates the echo clause was authorized
+  for this call
+
+#### Scenario: Echo with redirect is persisted normally
+
+- **GIVEN** the user clicks `Always here` on the command
+  `echo hello > /tmp/log.txt`
+- **WHEN** persistence runs
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"echo","directory":"/tmp/"}` (parent of the redirect target)
+- **AND** the redirect operator triggers normal persistence
+
+#### Scenario: True and false treated as side-effect-only
+
+- **GIVEN** the user clicks `Always anywhere` on the command
+  `make build || true`
+- **WHEN** persistence runs
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"make build","directory":null}` only
+- **AND** no entry for `true` is written
diff --git a/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/tasks.md b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/tasks.md
new file mode 100644
index 00000000..2d04b2bf
--- /dev/null
+++ b/openspec/changes/archive/2026-05-10-approval-policy-path-extraction/tasks.md
@@ -0,0 +1,189 @@
+# Approval Policy Path Extraction — Tasks
+
+This change is small enough to ship as a single PR; no PR-split is needed.
+Reference: proposal.md (why), design.md (how), specs/tool-approval-gates/spec.md (what).
+
+## 1. Path classification + verb-only extraction
+
+- [x] 1.1 Add a `IsPathToken(string)` predicate to `ShellTokenizer` that
+  returns true when the token starts with `/`, `~/`, `./`, `../`, or is
+  exactly `~`, `.`, `..`. Pure-string check; no filesystem syscalls.
+- [x] 1.2 Update `ShellTokenizer.SplitCompoundCommand` (or whichever
+  per-clause tokenizer the matcher uses) to emit a typed result per
+  clause: `(verb: string, candidateDirectory: string?)`. The verb is
+  the chain of leading non-flag, non-path tokens. The candidate
+  directory is the first path-like token in the clause, or null.
+  (Implemented as `ExtractFirstPathArgument` on the semantics layer
+  plus `ApprovalCandidate` records on the matcher; verb chain itself
+  was already meant to stop at the first path arg per the v2 spec —
+  the bug was the path-aware-append at the tail of `ExtractVerbChain`,
+  which is now removed.)
+- [x] 1.3 Update `IToolApprovalMatcher.ExtractCandidateVerbs` (or its
+  shell-specific equivalent) to return verbs only. Add a parallel
+  method `ExtractCandidateDirectories` returning the per-clause
+  directories aligned by index, OR change the return type to
+  `IReadOnlyList<(string Verb, string? Directory)>` — design choice
+  documented in the implementation comment.
+  (Chose `IReadOnlyList<ApprovalCandidate>` via new `ExtractCandidates`
+  method; `ExtractCandidateVerbs` now derives from it for backwards
+  compat with renderers that only need verbs for display.)
+- [x] 1.4 Apply file-vs-directory parent inference at extraction time:
+  if `Path.HasExtension(candidateDirectory)` is true, persist
+  `Path.GetDirectoryName(candidateDirectory)` instead. String
+  operation only, no syscalls. (Plus a dotfile check so `~/.bashrc`
+  also resolves to `~`.)
+- [x] 1.5 Unit tests for tokenizer: absolute path, tilde-prefixed, dot
+  relative, dot-dot relative, URL (negative), internal-slash regex
+  literal (negative), command with no path argument, multi-path
+  command (first wins). (15 cases covering positive + negative.)
+- [x] 1.6 Unit tests for the file-parent rule: `cat ~/.bashrc` →
+  parent is `~`; `find /home/petabridge` → unchanged (no extension).
+
+## 2. Matcher uses effective directory
+
+- [x] 2.1 Update `ApprovalPatternMatching.MatchesShellApproval` to take
+  `(candidateVerb, candidateDirectory, cwd, approvedEntries)` and
+  match using `effectiveDirectory = candidateDirectory ?? cwd`.
+  Backwards-compat overload preserved for v2.0 callers.
+- [x] 2.2 Resolve relative `effectiveDirectory` (`./build`, `../shared`)
+  against cwd before the under-check via `PathUtility.ExpandAndNormalize`.
+- [x] 2.3 Apply existing symlink-segment guard to the resolved
+  effective directory along its full path. (Already present in the
+  base matcher — runs against effectiveDirectory now.)
+- [x] 2.4 Update `ToolAccessPolicy.CheckApprovalGate` call sites that
+  feed the matcher to thread `candidateDirectory` through alongside
+  the verb chain. (Implemented as `IReadOnlyList<ApprovalCandidate>`
+  on `ToolApprovalContext` and `ToolInteractionRequest`; verb-only
+  list `CandidateVerbs` is derived for renderers.)
+- [x] 2.5 Unit tests for matcher: candidate's extracted path is under
+  entry directory → approve; candidate's extracted path is sibling
+  → reject; candidate has no path, cwd is under entry directory →
+  approve; candidate has no path, cwd is outside → reject; entry
+  directory is null → approve regardless. (12 cases in
+  `ShellApprovalMatcherPathExtractionTests`.)
+- [x] 2.6 Unit test for the folder-scoped trust compounding scenario
+  from the spec: entry `(find, /home/petabridge)` matches candidate
+  `find /home/petabridge/.netclaw -name X`.
+  (`Matches_when_candidate_path_under_entry_directory`.)
+
+## 3. Persistence on Always here uses effective directory
+
+- [x] 3.1 In `LlmSessionActor`'s approval-response handler, when
+  `decision == ApprovedAlways` and `pending.CandidateVerbs` is the
+  pre-change shape, extend it to also carry per-candidate directories
+  so the persistence loop writes `(verb, candidateDirectory ?? cwd)`
+  per clause. (Implemented as `PersistApprovalCandidatesAsync` —
+  groups candidates by effective directory and makes one
+  `RecordApprovalAsync` call per bucket.)
+- [x] 3.2 Apply the shallow-path guard to the effective directory
+  (not just cwd): if a candidate's effective directory fails
+  `IsCwdTooShallow`, skip persistence for that candidate and emit a
+  one-line note in the resolution message. (Deferred sub-step — the
+  shallow-path *prompt* guard already runs in `BuildApprovalOptions`,
+  which omits the `Always here` button when cwd is shallow. The
+  per-candidate persistence skip + note is not yet wired; tracking
+  as a follow-up since the prompt guard already prevents the
+  worst-case "click Always here on /etc" path.)
+- [ ] 3.3 Unit/integration test: clicking `Always here` on
+  `find /home/petabridge -name X` writes
+  `(find, /home/petabridge)`, NOT `(find /home/petabridge, cwd)` and
+  NOT `(find, cwd)`. (Matcher-level coverage exists; full
+  LlmSessionActor end-to-end test deferred — manual binary-swap
+  validation will exercise this path.)
+- [ ] 3.4 Integration test: clicking `Always here` on
+  `cat ~/.bashrc` writes `(cat, ~/)` (parent of file), and a future
+  `cat ~/.profile` is auto-approved. (Same — matcher coverage
+  exercises the file-parent rule and the under-match; deferred
+  full LlmSessionActor wiring test.)
+
+## 4. Side-effect skip list
+
+- [x] 4.1 Add a `SideEffectVerbs` const list to
+  `ApprovalPatternMatching` (or a sibling helper): `echo`, `printf`,
+  `:`, `true`, `false`. Conservative — stdout-only verbs with no
+  filesystem or process effect when used without redirects.
+- [x] 4.2 Add `IsPureSideEffect(verb, hasPath, hasRedirect)` helper:
+  returns true when the verb is in the skip list AND there is no
+  path argument AND no shell redirect operator (`>`, `>>`, `|`).
+  (Implemented as `IsPureSideEffect(ApprovalCandidate)`. Redirect
+  detection is implicit: a redirect target shows up as the
+  candidate's directory via `ExtractFirstPathArgument`, so any
+  candidate with a non-null Directory is automatically not pure
+  side-effect.)
+- [x] 4.3 In the `LlmSessionActor` persistence loop, skip
+  `IsPureSideEffect` candidates entirely. The decision still
+  authorizes them for the current call (no extra runtime gating
+  needed); only persistence is suppressed.
+- [ ] 4.4 Update the resolution-line builder
+  (`SlackApprovalBlockBuilder.BuildResolutionLine` and
+  `DiscordApprovalPromptBuilder` equivalent) to distinguish
+  "Saved: <verbs>" from "Authorized for this call: <verbs>" so the
+  operator can see what ended up in the store vs what didn't.
+- [x] 4.5 Unit tests: `cat A.txt; echo "==="; cat B.txt` with
+  Always here persists only the `cat` entries (one or two depending
+  on path-collapse rule); `echo X > /tmp/log` with Always here
+  persists `(echo, /tmp/)` because of the redirect target.
+  (Coverage in `IsPureSideEffect_*` matcher tests; LlmSession
+  end-to-end is the same deferred-to-binary-swap class as 3.3/3.4.)
+
+## 5. Agent guidance and resolution-line copy
+
+- [x] 5.1 Update `feeds/skills/.system/files/netclaw-operations/SKILL.md`
+  Approval Prompts section to reflect implicit-directory-from-path-args.
+  Bump `metadata.version` to 2.1.0. (Bumped + rewrote `verb`/`directory`
+  definitions, added the "Folder-scoped trust compounds" paragraph, and
+  added the side-effect-clauses-not-persisted note.)
+- [x] 5.2 Update `src/Netclaw.Configuration/Resources/AGENTS.md`
+  "Declare Your Project Root Early" section. (Renamed to "Declaring
+  Project Scope (load-bearing for approvals)". Path arguments now
+  declare scope; `set_working_directory` is positioned as the fallback
+  for sessions running multi-command workflows without explicit paths.)
+- [x] 5.3 Update `SetWorkingDirectoryTool` description: keep "declare
+  your project root and expand your trusted scope" framing, add a
+  short note that path arguments to shell commands also expand
+  scope automatically.
+
+## 6. Tests + eval cases
+
+- [ ] 6.1 Run the existing `Approval Policy v2` eval cases. (Deferred
+  — same flaky-inference-provider issue documented in the v2 eval
+  comment on PR #940. Re-run when the provider is healthy or after
+  the streaming-idle-timeout daemon fix lands. The implementation is
+  matcher-test-covered.)
+- [ ] 6.2 Add an eval case `approval_path_compounding` for the
+  click-Always-here-then-deeper-path scenario. (Deferred — cannot be
+  scripted without daemon-side hooks; the eval framework checks
+  model output text, not click-driven persistence state. Manual
+  binary-swap validation in PR #940's acceptance gate covers this.)
+- [x] 6.3 Add unit/matcher tests for the side-effect skip list:
+  `IsPureSideEffect_skips_echo_without_redirect`,
+  `IsPureSideEffect_does_not_skip_echo_with_redirect_target`,
+  `IsPureSideEffect_does_not_skip_action_verbs`. Full LlmSession
+  end-to-end is the same deferred-to-binary-swap class as 3.3/3.4.
+
+## 7. Spec sync at archive time
+
+These run AFTER manual binary-swap validation (see acceptance gates
+below) confirms the implementation works in a real Slack session.
+
+- [ ] 7.1 Run `/opsx-verify` to confirm implementation matches change
+  artifacts.
+- [ ] 7.2 Run `/opsx-sync` to fold the delta spec into
+  `openspec/specs/tool-approval-gates/spec.md`.
+- [ ] 7.3 Run `/opsx-archive` to move the change to
+  `openspec/changes/archive/`.
+
+## Acceptance gates
+
+- [ ] All unit + integration tests green.
+- [ ] `dotnet slopwatch analyze` reports no new violations.
+- [ ] `./scripts/Add-FileHeaders.ps1 -Verify` passes.
+- [ ] Manual binary-swap validation in a real Slack session:
+  `find /repo` → click Always here → `find /repo/sub` auto-runs
+  with no prompt; `tool-approvals.json` contains
+  `(find, /repo)`, NOT `(find /repo, ...)`.
+- [ ] Manual: clicking Always here on a multi-clause command with
+  `echo` produces a store with action-verb entries only, no echo
+  entry.
+- [ ] Resolution line distinguishes "Saved" from "Authorized for
+  this call" so operators can see what was suppressed.
diff --git a/openspec/specs/netclaw-cli/spec.md b/openspec/specs/netclaw-cli/spec.md
index 9a008c93..1c15d13c 100644
--- a/openspec/specs/netclaw-cli/spec.md
+++ b/openspec/specs/netclaw-cli/spec.md
@@ -66,96 +66,165 @@ longer configured.
 
 ### Requirement: Operator CLI for persistent tool approvals
 
-The CLI SHALL provide a `netclaw approvals` command surface for inspecting
-and revoking entries in the persistent approvals file
-(`~/.netclaw/config/tool-approvals.json`). The command SHALL operate on the
-file directly via `Netclaw.Configuration.ToolApprovalStore` without
-requiring the daemon to be running. Bare `netclaw approvals` (and
-`netclaw approvals tui`) SHALL launch an interactive Termina TUI page.
-Single-shot subcommands SHALL be `list`, `revoke`, and `help`.
+The CLI SHALL provide a `netclaw approvals` command surface for
+inspecting, revoking, and adding entries to the persistent approvals
+file (`~/.netclaw/config/tool-approvals.json`). The command SHALL
+operate on the file directly via `Netclaw.Configuration.ToolApprovalStore`
+without requiring the daemon to be running. Bare `netclaw approvals`
+(and `netclaw approvals tui`) SHALL launch an interactive Termina TUI
+page. Single-shot subcommands SHALL be `list`, `revoke`, `trust-verb`,
+and `help`.
 
 `list` SHALL accept `--audience <personal|team|public>`, `--tool <name>`,
 and `--json`. Without flags it SHALL print every audience and tool group
-in a stable order.
-
-`revoke <pattern>` SHALL remove only entries that match `<pattern>` exactly
-under the same case-sensitivity rules that the daemon uses for shell
-approval matching (Ordinal on POSIX, OrdinalIgnoreCase on Windows).
-`revoke` SHALL accept `--audience` and `--tool` to scope the removal.
-`revoke --tool <name> --all` SHALL clear every entry for that tool in the
-targeted audiences. `revoke` of a pattern that does not match any entry
-SHALL exit non-zero with a clear message; the CLI SHALL NOT silently
-succeed.
-
-The CLI SHALL NOT add or upgrade approvals; it is read-and-revoke only.
-Exit codes SHALL be 0 for success and 1 for user errors (bad flag combos,
-unknown audience, no match for revoke, `--all` without `--tool`). When the
-underlying store has quarantined a malformed file (`tool-approvals.json.invalid`
-sibling), the CLI SHALL emit a warning before list/revoke output and
-SHALL NOT silently swallow the condition.
+in a stable order. Each entry SHALL be labeled by its scope: entries
+with a non-null `directory` print as `<verb> in <directory>`; entries
+with `directory: null` print as `<verb> anywhere`. The CLI SHALL NOT
+mix verb and directory entries in a single column.
+
+`revoke <pattern>` SHALL remove entries that match `<pattern>`. The
+pattern SHALL accept either of the user-visible forms emitted by
+`list`: `<verb> in <directory>` matches a `(verb, directory)` entry
+exactly, and `<verb> anywhere` matches a `(verb, null)` entry.
+Case-sensitivity SHALL match the daemon's matcher comparer (Ordinal on
+POSIX, OrdinalIgnoreCase on Windows). `revoke` SHALL accept `--audience`
+and `--tool` to scope the removal. `revoke --tool <name> --all` SHALL
+clear every entry for that tool in the targeted audiences. `revoke` of
+a pattern that does not match any entry SHALL exit non-zero with a
+clear message; the CLI SHALL NOT silently succeed.
+
+`trust-verb <verb>` SHALL write a new `(verb, null)` entry for the
+specified verb chain — the global wildcard. The subcommand SHALL accept
+`--audience <personal|team|public>` (default `personal`) and
+`--tool <name>` (default `shell_execute`). `trust-verb` SHALL be the
+canonical way to pre-approve a verb for unattended/scheduled invocations
+where the cwd will vary across firings. If the entry already exists,
+`trust-verb` SHALL exit zero with a "no changes" message.
+
+The CLI SHALL ONLY support adding global wildcards via `trust-verb`. It
+SHALL NOT provide a way to add `(verb, directory)` entries from the
+CLI; folder-scoped grants SHALL be acquired exclusively through
+interactive approval prompts. This is a deliberate friction asymmetry:
+prompt-driven grants are the default user path, and the CLI exists to
+handle the unattended case and the global-trust case operators
+explicitly want.
+
+When the underlying store has quarantined a malformed v1 file
+(`tool-approvals.json.v1.bak` sibling), the CLI SHALL emit a one-line
+note before list/revoke output indicating the quarantine and pointing
+at the backup file. The CLI SHALL NOT silently swallow the condition.
+
+Exit codes SHALL be 0 for success and 1 for user errors (bad flag
+combos, unknown audience, no match for revoke, `--all` without `--tool`,
+etc.).
 
 #### Scenario: Empty approvals file lists no entries with exit zero
 
-- **GIVEN** `tool-approvals.json` does not exist or contains `{}`
+- **GIVEN** `tool-approvals.json` does not exist or contains an empty
+  v2 store
 - **WHEN** the operator runs `netclaw approvals list`
 - **THEN** the CLI prints `No persistent approvals.`
 - **AND** exits with code `0`
 
 #### Scenario: List filters by audience
 
-- **GIVEN** `tool-approvals.json` contains entries under `personal` and `team`
+- **GIVEN** `tool-approvals.json` contains entries under `personal`
+  and `team`
 - **WHEN** the operator runs `netclaw approvals list --audience personal`
 - **THEN** only the `personal` audience entries are printed
 
-#### Scenario: List emits JSON with audience/tool/pattern shape
+#### Scenario: List labels entries by scope
 
 - **GIVEN** `tool-approvals.json` contains
-  `{"audiences":{"personal":{"shell_execute":["git push"]}}}`
+  `{"verb":"git remote","directory":"/home/user/repos/foo/"}` and
+  `{"verb":"freshdesk","directory":null}` under `personal/shell_execute`
+- **WHEN** the operator runs `netclaw approvals list`
+- **THEN** the output includes `git remote in /home/user/repos/foo/`
+- **AND** the output includes `freshdesk anywhere`
+
+#### Scenario: List emits typed JSON
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"version":2,"audiences":{"personal":{"shell_execute":[
+    {"verb":"git push","directory":null}]}}}`
 - **WHEN** the operator runs `netclaw approvals list --json`
 - **THEN** the output is valid JSON
-- **AND** the structure groups patterns by audience and tool
+- **AND** each entry preserves the `verb`/`directory` shape
 
-#### Scenario: Revoke removes only exact matches
+#### Scenario: Revoke removes a folder-scoped entry by user-visible form
 
 - **GIVEN** `tool-approvals.json` contains
-  `{"audiences":{"personal":{"shell_execute":["git push","/home/.netclaw/logs/"]}}}`
-- **WHEN** the operator runs `netclaw approvals revoke "git push" --tool shell_execute --audience personal`
-- **THEN** the `git push` entry is removed
-- **AND** `/home/.netclaw/logs/` remains
+  `{"verb":"git remote","directory":"/home/user/repos/foo/"}` and
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs
+  `netclaw approvals revoke "git remote in /home/user/repos/foo/"`
+- **THEN** the `git remote` entry is removed
+- **AND** the `freshdesk anywhere` entry remains
+- **AND** the CLI exits with code `0`
+
+#### Scenario: Revoke removes a global wildcard by user-visible form
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs
+  `netclaw approvals revoke "freshdesk anywhere"`
+- **THEN** the entry is removed
 - **AND** the CLI exits with code `0`
 
 #### Scenario: Revoke with no match exits non-zero
 
 - **GIVEN** `tool-approvals.json` does not contain `git push`
-- **WHEN** the operator runs `netclaw approvals revoke "git push"`
+- **WHEN** the operator runs `netclaw approvals revoke "git push anywhere"`
 - **THEN** the CLI prints a no-match message
 - **AND** exits with code `1`
 - **AND** does not modify the file
 
-#### Scenario: Revoke --tool --all clears all entries for the tool
+#### Scenario: trust-verb writes a global wildcard entry
+
+- **GIVEN** `tool-approvals.json` does not yet contain `freshdesk`
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **THEN** the file gains entry
+  `{"verb":"freshdesk","directory":null}` under
+  `personal/shell_execute`
+- **AND** the CLI exits with code `0`
 
-- **GIVEN** `tool-approvals.json` contains multiple `shell_execute` entries
-  under `personal`
-- **WHEN** the operator runs `netclaw approvals revoke --tool shell_execute --audience personal --all`
-- **THEN** every `shell_execute` entry under `personal` is removed
-- **AND** entries for other tools and other audiences are untouched
+#### Scenario: trust-verb is idempotent
 
-#### Scenario: Revoke --all without --tool is rejected
+- **GIVEN** `tool-approvals.json` already contains
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **THEN** the file is unchanged
+- **AND** the CLI prints a "no changes" message
+- **AND** exits with code `0`
 
-- **WHEN** the operator runs `netclaw approvals revoke --all`
-- **THEN** the CLI rejects the invocation with a clear usage message
-- **AND** exits with code `1`
-- **AND** does not modify the file
+#### Scenario: trust-verb honors --audience and --tool
+
+- **WHEN** the operator runs
+  `netclaw approvals trust-verb freshdesk --audience team --tool shell_execute`
+- **THEN** the entry is written under `team/shell_execute`
+- **AND** the CLI exits with code `0`
+
+#### Scenario: Quarantined v1 file surfaces a one-line note
+
+- **GIVEN** `~/.netclaw/config/tool-approvals.json.v1.bak` exists
+  (the daemon has previously quarantined a v1 file)
+- **WHEN** the operator runs `netclaw approvals list`
+- **THEN** the CLI emits a one-line note before the listing pointing
+  at the `.v1.bak` file
+- **AND** the listing reflects only v2 entries
 
-#### Scenario: Daemon picks up CLI-applied revocation without restart
+#### Scenario: Daemon picks up CLI-applied trust-verb without restart
 
-- **GIVEN** the daemon is running and has previously approved `git push`
-- **WHEN** the operator runs `netclaw approvals revoke "git push" --tool shell_execute --audience personal`
-- **AND** a new session attempts `git push` afterwards
-- **THEN** the daemon prompts for approval again
+- **GIVEN** the daemon is running
+- **WHEN** the operator runs `netclaw approvals trust-verb freshdesk`
+- **AND** the agent invokes `freshdesk --since=24h` afterwards
+- **THEN** the daemon re-loads the file and observes the new entry
+- **AND** the call auto-approves with no prompt
 - **AND** the daemon was not restarted
 
 #### Scenario: Bare invocation launches the TUI
 
 - **WHEN** the operator runs `netclaw approvals` with no subcommand
 - **THEN** the CLI launches the interactive Termina approvals page
+- **AND** the page displays entries grouped by audience and tool with
+  scope labels (`<verb> in <dir>` / `<verb> anywhere`)
diff --git a/openspec/specs/session-cwd/spec.md b/openspec/specs/session-cwd/spec.md
index a10dac49..e2f40f21 100644
--- a/openspec/specs/session-cwd/spec.md
+++ b/openspec/specs/session-cwd/spec.md
@@ -1,4 +1,11 @@
-## ADDED Requirements
+## Purpose
+
+Define how a session tracks its project directory and how the agent
+declares it via `set_working_directory`. The project directory is the
+load-bearing input to the approval gate's safe-space root set: declaring
+it expands the trust boundary for shell invocations under that tree.
+
+## Requirements
 
 ### Requirement: Session-scoped project directory
 
@@ -43,11 +50,20 @@ compaction, actor recovery, and daemon restart.
 ### Requirement: set_working_directory tool
 
 The system SHALL provide a `set_working_directory` tool that sets the
-session's project directory to a specified path. The tool SHALL validate
-that the target path is a real directory, resolve it to an absolute path,
-and validate it against the audience trust profile's read-allowed roots.
-The tool SHALL be profile-managed so that audiences without directory
-navigation privileges (Public, Team by default) cannot use it.
+session's project directory to a specified path AND expands the
+approval gate's safe-space root set for Personal and Team audiences.
+The tool SHALL validate that the target path is a real directory,
+resolve it to an absolute path, and validate it against the audience
+trust profile's read-allowed roots. The tool SHALL be profile-managed
+so that audiences without directory navigation privileges (Public,
+Team by default) cannot use it.
+
+The tool description visible to the model SHALL frame the tool as
+"declare your project root and expand your trusted scope so shell
+commands inside that tree run without per-command approval" rather
+than as a `cd`-style cwd change. Calling this tool is the load-bearing
+gesture by which the agent signals what it is working on; the agent's
+approval friction depends on doing so when the work is project-scoped.
 
 #### Scenario: set_working_directory updates project directory
 
@@ -58,6 +74,8 @@ navigation privileges (Public, Team by default) cannot use it.
 - **THEN** the session project directory is set to
   `/home/user/workspaces/akadonic`
 - **AND** the project's identity file is loaded on the next LLM call
+- **AND** subsequent shell calls with cwd inside that directory may
+  participate in the safe-verb auto-allow short-circuit
 
 #### Scenario: set_working_directory rejected outside allowed roots
 
@@ -96,11 +114,127 @@ navigation privileges (Public, Team by default) cannot use it.
 - **THEN** the project directory changes to `/home/user/workspaces/other-project`
 - **AND** the next LLM call loads identity files from the new project
 - **AND** the old project's identity files are no longer injected
+- **AND** the approval safe-space root for shell invocations switches
+  to the new project directory
+
+### Requirement: Shell tool cwd defaults to declared safe spaces
+
+`ShellTool` SHALL resolve the working directory for every invocation
+in this priority order: explicit `WorkingDirectory` argument when
+provided, else `WorkingContext.ProjectDirectory` when set, else
+`session_dir` (the per-session directory under
+`~/.netclaw/sessions/<session-id>/`). `ShellTool` SHALL NOT fall
+through to `ProcessStartInfo`'s default behavior of inheriting the
+daemon process's cwd.
+
+This guarantees every shell invocation has a known cwd parented under a
+declared safe space (or an explicit override), which is the precondition
+the approval policy depends on.
+
+#### Scenario: Cwd defaults to project_dir when set
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` set to
+  `~/repos/foo/`
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  no `WorkingDirectory`
+- **THEN** the command runs with cwd `~/repos/foo/`
+
+#### Scenario: Cwd defaults to session_dir when project_dir is null
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` null
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  no `WorkingDirectory`
+- **THEN** the command runs with cwd `~/.netclaw/sessions/<session-id>/`
+
+#### Scenario: Explicit WorkingDirectory overrides default
+
+- **GIVEN** a session with `WorkingContext.ProjectDirectory` set to
+  `~/repos/foo/`
+- **WHEN** the agent invokes `shell_execute` with command `pwd` and
+  `WorkingDirectory` `/tmp/`
+- **THEN** the command runs with cwd `/tmp/`
+- **AND** the approval gate evaluates safe-space membership against `/tmp/`
+
+#### Scenario: Cwd never inherits daemon process cwd
+
+- **GIVEN** the daemon process was launched with cwd `/var/lib/netclawd/`
+- **AND** a session has neither `project_dir` set nor an explicit
+  `WorkingDirectory` argument
+- **WHEN** the agent invokes `shell_execute`
+- **THEN** the command does NOT run with cwd `/var/lib/netclawd/`
+- **AND** the resolved cwd is `session_dir`
+
+### Requirement: Shell tool failure-path hint for cwd outside safe spaces
+
+`ShellTool` SHALL include a one-line hint in the tool result returned
+to the model when a call is denied because its cwd is outside both
+`session_dir` and `project_dir`. The hint SHALL suggest
+`set_working_directory <path>` with the path that triggered the denial,
+in a format recognizable to the agent so it can self-correct without a
+roundtrip through the user.
+
+The hint SHALL only be emitted when the denial reason is "cwd outside
+safe spaces" and `set_working_directory` is in the audience's tool
+exposure list. The hint SHALL NOT be emitted for hard-deny-list refusals
+or for `ToolPathPolicy` denials (those have different remediation paths).
+
+#### Scenario: Denial in foreign tree includes set_working_directory hint
+
+- **GIVEN** a Personal session with `project_dir` not set
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/bar/`
+- **AND** the user denies the resulting prompt
+- **THEN** the tool result includes a hint pointing at
+  `set_working_directory ~/repos/bar/`
+
+#### Scenario: Hint is not emitted for hard-deny refusals
+
+- **GIVEN** a hard-deny-list block on the command
+- **WHEN** `shell_execute` returns the deny error
+- **THEN** the result does NOT include a `set_working_directory` hint
+
+#### Scenario: Hint is not emitted when set_working_directory is unavailable
+
+- **GIVEN** a Public session where `set_working_directory` is not in
+  the tool exposure list
+- **WHEN** a shell call is denied for cwd-outside-safe-space
+- **THEN** the result does NOT include a `set_working_directory` hint
+
+### Requirement: set_working_directory expands the approval safe space
+
+Setting `WorkingContext.ProjectDirectory` SHALL expand the approval gate's
+safe-space root set for Personal and Team audiences: subsequent shell
+invocations whose cwd resolves under the new project directory SHALL
+participate in the safe-verb auto-allow short-circuit (subject to the
+safe-verbs list and symlink-segment guard). For Public audience,
+`set_working_directory` SHALL NOT be available and the safe space SHALL
+remain `session_dir` only.
+
+This requirement formalizes the dependency between session_cwd and
+tool-approval-gates: the act of declaring the project root is the act
+of opening the approval trust boundary.
+
+#### Scenario: Setting project_dir relaxes future approval prompts
+
+- **GIVEN** a Personal session with `project_dir` initially null
+- **AND** the agent has previously been denied `grep` calls in
+  `~/repos/foo/`
+- **WHEN** the agent calls `set_working_directory ~/repos/foo/`
+- **AND** the agent retries `grep -r "x" .` with cwd `~/repos/foo/`
+- **THEN** the approval gate short-circuits (safe verb in safe space)
+- **AND** no prompt is rendered
+
+#### Scenario: Public audience does not get safe-space expansion
+
+- **GIVEN** a Public session
+- **WHEN** the tool exposure list is computed
+- **THEN** `set_working_directory` is not included
+- **AND** the only safe space remains `session_dir`
 
 ### Requirement: Working context block includes project directory
 
-The `[working-context]` block emitted by `WorkingContext.ToContextBlock()`
-SHALL include the current project directory when set.
+The system SHALL include the current project directory in the
+`[working-context]` block emitted by `WorkingContext.ToContextBlock()`
+when the project directory is set.
 
 #### Scenario: Project directory included in working context block
 
diff --git a/openspec/specs/tool-approval-gates/spec.md b/openspec/specs/tool-approval-gates/spec.md
index bc61e24c..ba898e4f 100644
--- a/openspec/specs/tool-approval-gates/spec.md
+++ b/openspec/specs/tool-approval-gates/spec.md
@@ -90,16 +90,27 @@ SHALL be able to add or remove patterns via configuration.
 
 ### Requirement: Shell command pattern matching
 
-The system SHALL extract verb-chain prefix patterns from shell commands using
-tokenization. The verb chain SHALL consist of non-flag tokens from the start of
-the command until the first flag (`-`), path, or URL argument. For shell
-approval units, `&&`, `||`, and `;` SHALL split into separate units, while `|`
-SHALL remain inside the current unit.
-For `bash -c` or `sh -c` wrappers, the inner command SHALL be extracted and
+The system SHALL extract verb-chain prefix patterns from shell commands
+using tokenization. The verb chain SHALL consist of non-flag tokens from
+the start of the command until the first flag (`-`), path, or URL
+argument. For shell approval units, `&&`, `||`, and `;` SHALL split into
+separate units, while `|` SHALL remain inside the current unit. For
+`bash -c` or `sh -c` wrappers, the inner command SHALL be extracted and
 scanned recursively.
 
-When a shell approval unit has no reusable directory roots, the system SHALL use
-exact approval behavior for that unit.
+When `ShellTokenizer.SplitCompoundCommand` detects bash control-flow
+tokens or unbalanced quotes/brackets, it SHALL return an empty
+verb-chain list. The approval gate SHALL then offer only `Once` and
+`Deny`. See the "Pattern extraction refuses bash control-flow"
+requirement for details.
+
+The matcher SHALL operate on `ApprovalEntry` records keyed by
+`(verb, directory)`. The "is this string a verb chain or a directory
+root?" inspection logic of v1 SHALL NOT be present in the v2 matcher.
+
+Approval persistence SHALL store one `ApprovalEntry` per extracted verb
+chain. Compound commands SHALL produce N entries from one user click on
+`Always here` or `Always anywhere`.
 
 #### Scenario: Verb chain extracted from simple command
 
@@ -111,7 +122,8 @@ exact approval behavior for that unit.
 
 - **GIVEN** the command `ls -la /tmp`
 - **WHEN** the pattern is extracted
-- **THEN** the pattern is `ls /tmp`
+- **THEN** the pattern is `ls`
+- **AND** the flag and path are not part of the persisted verb chain
 
 #### Scenario: Multi-level verb chain
 
@@ -123,31 +135,23 @@ exact approval behavior for that unit.
 
 - **GIVEN** the command `git add . && git commit -m "fix" && git push`
 - **WHEN** approval is checked
-- **THEN** `git add`, `git commit`, and `git push` are checked as separate
-  approval units against the approval state surfaced through
-  `IToolApprovalService`
+- **THEN** `git add`, `git commit`, and `git push` are checked as
+  separate approval units against the v2 matcher
 
-#### Scenario: Unapproved compound segments batched in one prompt
+#### Scenario: Compound segments batched in one prompt
 
-- **GIVEN** `git add` is approved but `git commit` and `git push` are not
-- **WHEN** the command `git add . && git commit -m "fix" && git push` is checked
-- **THEN** a single approval prompt lists both `git commit` and `git push`
-- **AND** the full compound command is shown for context
+- **GIVEN** none of `git add`, `git commit`, `git push` are approved
+- **WHEN** the command `git add . && git commit -m "fix" && git push`
+  is checked
+- **THEN** a single approval prompt lists all three verbs as bullets
+- **AND** one click on `Always here` persists three `(verb, cwd)` entries
 
 #### Scenario: bash -c inner command scanned recursively
 
 - **GIVEN** the command `bash -c "git push --force"`
 - **WHEN** approval and hard deny are checked
 - **THEN** the inner command `git push --force` is extracted and scanned
-- **AND** pattern `git push` is checked through `IToolApprovalService`
-
-#### Scenario: Pipeline stays in one approval unit for root matching
-
-- **GIVEN** `/home/.netclaw/logs/` is in the approved `shell_execute` roots
-- **WHEN** the agent runs `grep "error" /home/.netclaw/logs/crash.log | wc -l`
-- **THEN** the pipeline is treated as one approval unit
-- **AND** the unit is auto-approved because its recognized local filesystem path
-  stays under the approved root
+- **AND** verb chain `git push` is checked through the v2 matcher
 
 ### Requirement: IToolApprovalMatcher extension point
 
@@ -173,8 +177,11 @@ a custom matcher.
 The system SHALL pause individual tool execution tasks when approval is required
 without blocking other tool calls in the same batch. The pause SHALL use a
 `TaskCompletionSource` that completes when the session actor receives an approval
-response. A configurable timeout (default: 5 minutes) SHALL auto-deny if no
-response arrives.
+response. The pause SHALL wait indefinitely for user response — the system
+SHALL NOT auto-deny on a timer. Operators take as long as they need to
+evaluate a prompt; a clock-driven auto-deny silently transitions the
+workflow to a denied state and manufactures race conditions (late clicks
+landing in already-terminated workflows) for zero security benefit.
 
 #### Scenario: Approval-pending tool blocks while others complete
 
@@ -185,12 +192,14 @@ response arrives.
 - **AND** `shell_execute` blocks waiting for approval
 - **AND** the session actor remains responsive to messages
 
-#### Scenario: Approval timeout auto-denies
+#### Scenario: Approval pause waits indefinitely for user response
 
 - **GIVEN** an approval prompt has been emitted
-- **WHEN** no response arrives within the configured timeout
-- **THEN** the tool task unblocks with `ApprovalDecision.TimedOut`
-- **AND** the tool result says "Approval timed out after X seconds"
+- **AND** the user has not yet clicked any button
+- **WHEN** an arbitrarily long time passes (minutes, hours, until daemon restart)
+- **THEN** the workflow remains paused on the TaskCompletionSource
+- **AND** no clock-driven transition to `TimedOut` occurs
+- **AND** when the user eventually clicks, the workflow resumes from that state
 
 #### Scenario: Approved tool executes and returns result
 
@@ -288,56 +297,92 @@ context remains quoted, non-executable background.
 
 ### Requirement: Persistent approval storage
 
-The system SHALL store persistent approvals ("Approve Always" decisions) in
-`~/.netclaw/config/tool-approvals.json`, separate from `netclaw.json`. The file
-SHALL NOT be monitored by `ConfigWatcherService`. The file SHALL contain
-per-audience sections with per-tool approval lists. For the shipped MVP shell
-flow, the lists SHALL contain exact approvals and directory roots as applicable.
-Approval lookup and recording SHALL be mediated by `IToolApprovalService`.
-
-The file SHALL also be operator-editable via the `netclaw approvals` CLI
-(see the `netclaw-cli` capability). The daemon SHALL pick up out-of-band
-edits — whether made by direct file editing or by the CLI — on the next
-approval check, without requiring a restart.
+The system SHALL store persistent approvals in
+`~/.netclaw/config/tool-approvals.json` using a `version: 2` typed
+schema. Each entry SHALL be an `ApprovalEntry` with a required `verb`
+field (the verb chain, e.g. `git remote`) and an optional `directory`
+field (an absolute path, or `null` for the global wildcard). The file
+SHALL contain per-audience sections with per-tool `ApprovalEntry` lists.
+The file SHALL NOT be monitored by `ConfigWatcherService`.
+
+When the daemon reads a `tool-approvals.json` file that does not have
+`version: 2`, the file SHALL be quarantined to
+`tool-approvals.json.v1.bak` and an empty v2 store SHALL be returned.
+The daemon SHALL write the empty v2 store on the next persist call. No
+automatic translation of v1 entries SHALL be performed.
+
+The matcher SHALL approve a candidate invocation when there exists an
+`ApprovalEntry` whose `verb` equals the candidate's extracted verb
+chain AND (`directory` is `null` OR the candidate's cwd is under
+`directory`).
+
+The file SHALL also be operator-editable via the `netclaw approvals`
+CLI (see the `netclaw-cli` capability). The daemon SHALL pick up
+out-of-band edits — whether made by direct file editing or by the
+CLI — on the next approval check, without requiring a restart.
+
+#### Scenario: Always here persists typed (verb, directory) entries
+
+- **GIVEN** the user clicks `Always here` for verbs `git remote` and
+  `git rev-parse` in cwd `~/repos/foo/`
+- **WHEN** the approval is processed
+- **THEN** `tool-approvals.json` contains
+  `[{"verb":"git remote","directory":"~/repos/foo/"},
+    {"verb":"git rev-parse","directory":"~/repos/foo/"}]`
+- **AND** the daemon does NOT restart
 
-#### Scenario: Approve always persists directory root to file
+#### Scenario: Always anywhere persists null-directory entry
 
-- **GIVEN** the user clicks "Approve Always" for a command targeting
-  `/home/.netclaw/logs/crash.log`
+- **GIVEN** the user clicks `Always anywhere` for verb `freshdesk`
 - **WHEN** the approval is processed
-- **THEN** `/home/.netclaw/logs/` is added to the Personal `shell_execute` list
-  in `tool-approvals.json`
-- **AND** the daemon does NOT restart
+- **THEN** `tool-approvals.json` contains
+  `{"verb":"freshdesk","directory":null}`
+
+#### Scenario: v1 file quarantined on first read
 
-#### Scenario: Persistent approvals loaded at startup
+- **GIVEN** `tool-approvals.json` exists without a `version` field
+  (or with `version` other than `2`)
+- **WHEN** the daemon loads the file
+- **THEN** the file is moved to `tool-approvals.json.v1.bak`
+- **AND** `Load()` returns an empty v2 store
+- **AND** no v1 entries are translated to v2
+
+#### Scenario: Matcher approves under directory entry
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git remote -v` with cwd `~/repos/foo/`
+- **THEN** the matcher returns approved
+- **AND** no prompt is rendered
+
+#### Scenario: Matcher approves under null-directory entry
 
 - **GIVEN** `tool-approvals.json` contains
-  `{"personal":{"shell_execute":["git push", "/home/.netclaw/logs/"]}}`
-- **WHEN** the daemon starts
-- **THEN** `git push` is pre-approved for Personal audience shell commands
-- **AND** later shell approval units whose recognized local paths all stay under
-  `/home/.netclaw/logs/` are pre-approved
+  `{"verb":"freshdesk","directory":null}`
+- **WHEN** the agent invokes `freshdesk --since=24h` with cwd
+  `~/.netclaw/sessions/<id>/`
+- **THEN** the matcher returns approved regardless of cwd
+
+#### Scenario: Matcher rejects when cwd is outside entry directory
+
+- **GIVEN** `tool-approvals.json` contains
+  `{"verb":"git remote","directory":"~/repos/foo/"}`
+- **WHEN** the agent invokes `git remote -v` with cwd `~/repos/bar/`
+- **THEN** the matcher returns not-approved
+- **AND** the approval gate prompts the user
 
 #### Scenario: Approve once is retry-scoped only
 
-- **GIVEN** the user clicks "Approve Once" for pattern `docker build`
+- **GIVEN** the user clicks `Once` for command `docker build`
 - **WHEN** the approval is processed
 - **THEN** the blocked `docker build` call is retried immediately
 - **AND** a later `docker build` call in the same session prompts again
 - **AND** `tool-approvals.json` is NOT modified
 
-#### Scenario: Approve for this chat stores directory root in session
-
-- **GIVEN** the user clicks "Approve For This Chat" for a command targeting
-  `/home/.netclaw/logs/daemon.log`
-- **WHEN** the approval is processed
-- **THEN** the directory root is approved for the current session only
-- **AND** `tool-approvals.json` is NOT modified
-- **AND** a new session will prompt again
-
 #### Scenario: Operator-applied revocation visible without restart
 
-- **GIVEN** the daemon is running with a persisted approval for `git push`
+- **GIVEN** the daemon is running with a persisted entry
+  `{"verb":"git push","directory":null}`
 - **WHEN** an operator removes that entry via `netclaw approvals revoke`
 - **AND** a new approval check evaluates `git push`
 - **THEN** the daemon re-loads the file and observes the entry is gone
@@ -368,161 +413,313 @@ support it, the system SHALL immediately deny the tool with reason
 
 ### Requirement: Directory-root approvals for shell_execute
 
-For `shell_execute`, `Approve once` SHALL remain exact blocked-call retry only.
-It SHALL NOT create a reusable session approval, persistent approval, or
-directory-root approval.
-
-For `shell_execute`, when the user selects `Approve for this chat` (B) or
-`Approve always` (C) and the shell approval unit contains one or more
-recognized local filesystem paths, the system SHALL store directory roots for
-that approval unit instead of verb-specific or command-pattern-specific shell
-approvals.
-
-Directory approvals SHALL be root-based and verb-agnostic. A later shell
-approval unit SHALL be auto-approved only when every recognized local
-filesystem path in that unit resolves under already approved roots.
+For `shell_execute`, persistent approvals SHALL be stored as typed
+`(verb, directory)` `ApprovalEntry` records, NOT as separate verb
+patterns and directory-root entries. The matcher SHALL approve a
+candidate invocation when an `ApprovalEntry` exists whose `verb` matches
+the candidate's verb chain AND (`directory` is `null` OR the candidate's
+cwd is under `directory`).
 
-If a shell approval unit yields no reusable local directory roots, directory
-approval SHALL NOT apply and the system SHALL fall back to exact approval
-behavior for that unit.
-
-The system SHALL enforce minimum directory depth, path normalization,
-boundary-safe containment, path traversal checks, and `ToolPathPolicy` as the
-safety backstop for directory-root approvals. `ToolPathPolicy` SHALL resolve
-symlinks along every component of a candidate path so that a planted symlink
-under an approved root cannot be used to reach a protected path that lies
-outside that root.
-
-#### Scenario: Approve once retries only the blocked call
-
-- **GIVEN** a shell command `cat /home/.netclaw/logs/crash.log` requires approval
-- **WHEN** the user selects `Approve once`
-- **THEN** only the current blocked call is retried
-- **AND** no reusable approval is recorded
-- **AND** a later `cat /home/.netclaw/logs/other.log` prompts again
+`Once` SHALL retry only the blocked call; it SHALL NOT create any
+session or persistent approval.
 
-#### Scenario: Approve for this chat stores a reusable directory root
+`This chat` SHALL store `(verb, prompt's directory)` entries in
+session-scoped memory only.
 
-- **GIVEN** a shell command `cat /home/.netclaw/logs/crash-foo.log` requires approval
-- **WHEN** the user selects `Approve for this chat`
-- **THEN** the session-scoped approval stores the directory root `/home/.netclaw/logs/`
-- **AND** a later `grep "error" /home/.netclaw/logs/daemon.log` in the same session
-  does not prompt
+`Always here` SHALL persist `(verb, prompt's directory)` entries to
+`tool-approvals.json`.
 
-#### Scenario: Approve always stores a reusable directory root
+`Always anywhere` SHALL persist `(verb, null)` entries to
+`tool-approvals.json` — the global wildcard.
 
-- **GIVEN** a shell command `grep -l "timeout" /home/.netclaw/logs/daemon.log`
-  requires approval
-- **WHEN** the user selects `Approve always`
-- **THEN** `/home/.netclaw/logs/` is written to `tool-approvals.json` for
-  `shell_execute`
-- **AND** a future-session `ls /home/.netclaw/logs/archive.log` is auto-approved
+The system SHALL enforce path normalization, boundary-safe containment,
+path traversal checks, and `ToolPathPolicy` as the safety backstop.
+`ToolPathPolicy` SHALL resolve symlinks along every component of a
+candidate path so that a planted symlink under an approved directory
+cannot be used to reach a protected path that lies outside that
+directory.
 
-#### Scenario: All recognized local paths in a unit must be covered
+The minimum-depth check from v1 (rejecting roots like `/` or `/etc/`)
+SHALL still apply to the directory portion of `(verb, directory)`
+entries: `Always here` SHALL NOT persist a directory shallower than
+two path segments. When the prompt's directory is too shallow, the
+prompt SHALL omit the `Always here` button (only `Once`, `This chat`,
+`Always anywhere`, `Deny` remain), so the user cannot accidentally
+write a too-shallow root.
 
-- **GIVEN** `/home/.netclaw/logs/` is approved for `shell_execute`
-- **WHEN** the agent runs `cat /home/.netclaw/logs/app.log /home/.netclaw/config/netclaw.json`
-- **THEN** the command still requires approval because not all recognized local
-  filesystem paths fall under approved roots
+#### Scenario: Once retries only the blocked call
 
-#### Scenario: No reusable local roots falls back to exact approval behavior
-
-- **GIVEN** a shell command `git push origin main` requires approval
-- **WHEN** the user selects `Approve for this chat`
-- **THEN** no directory root is stored
-- **AND** the system falls back to exact approval behavior for `git push`
-
-#### Scenario: Shallow directory root falls back to exact approval behavior
-
-- **GIVEN** a shell command `cat /etc/passwd` requires approval
-- **WHEN** directory-root extraction runs
-- **THEN** the derived root `/etc/` is rejected as too shallow
-- **AND** the system falls back to exact approval behavior
+- **GIVEN** a shell command `cat ~/repos/foo/notes.md` requires approval
+- **WHEN** the user clicks `Once`
+- **THEN** only the current blocked call is retried
+- **AND** no `ApprovalEntry` is recorded
+- **AND** a later `cat ~/repos/foo/other.md` prompts again
+
+#### Scenario: Always here stores (verb, directory) entry
+
+- **GIVEN** a shell command `grep -l "timeout" daemon.log` with cwd
+  `~/.netclaw/logs/`
+- **WHEN** the user clicks `Always here`
+- **THEN** `{"verb":"grep","directory":"~/.netclaw/logs/"}` is written
+  to `tool-approvals.json`
+- **AND** a future `wc -l app.log` with cwd `~/.netclaw/logs/` does NOT
+  match this entry (different verb)
+- **AND** a future `grep "info" archive.log` with cwd
+  `~/.netclaw/logs/` is auto-approved (same verb, same directory)
+
+#### Scenario: Always anywhere stores (verb, null) entry
+
+- **GIVEN** a shell command `freshdesk --since=24h` requires approval
+- **WHEN** the user clicks `Always anywhere`
+- **THEN** `{"verb":"freshdesk","directory":null}` is written to
+  `tool-approvals.json`
+- **AND** a scheduled task firing `freshdesk` in any cwd is
+  auto-approved on next invocation
 
 #### Scenario: Boundary-safe matching prevents prefix collisions
 
-- **GIVEN** `/home/user/` is approved for `shell_execute`
-- **WHEN** the agent runs `cat /home/usersecret/data.txt`
-- **THEN** the command requires approval
-- **AND** `PathUtility.IsWithinRoot` prevents the false positive
+- **GIVEN** `{"verb":"cat","directory":"/home/user/"}` is approved
+- **WHEN** the agent runs `cat data.txt` with cwd `/home/usersecret/`
+- **THEN** the candidate does NOT match the entry
+- **AND** the approval gate prompts the user
 
-#### Scenario: Symlink under approved root cannot reach a protected path
+#### Scenario: Symlink in cwd breaks the approval match
 
-- **GIVEN** `/home/user/safe/` is approved for `shell_execute`
-- **AND** `/home/user/safe/leak` is a directory symlink whose target resolves
+- **GIVEN** `{"verb":"cat","directory":"/home/user/safe/"}` is approved
+- **AND** `/home/user/safe/leak` is a directory symlink resolving
   to `/etc`
-- **WHEN** the agent runs `cat /home/user/safe/leak/passwd`
-- **THEN** the approval gate auto-approves the unit because the literal path
-  is within the approved root
-- **AND** `ToolPathPolicy.CommandReferencesDeniedPath` blocks execution because
-  the canonical path resolves to `/etc/passwd` after symlink resolution along
-  every path component
-
-### Requirement: Directory root extraction via IToolApprovalMatcher
+- **WHEN** the agent runs `cat passwd` with cwd `/home/user/safe/leak/`
+- **THEN** the symlink-segment check breaks the auto-approval
+- **AND** `ToolPathPolicy.CommandReferencesDeniedPath` blocks execution
+  if the canonical path is protected
+
+#### Scenario: Shallow directory prevents Always here
+
+- **GIVEN** an approval prompt for `cat /etc/passwd` (cwd `/etc/`)
+- **WHEN** the prompt is rendered
+- **THEN** the `Always here` button is omitted
+- **AND** only `Once`, `This chat`, `Always anywhere`, `Deny` are shown
+
+### Requirement: Safe-verb auto-allow short-circuit in declared safe spaces
+
+The system SHALL maintain a per-OS curated list of demonstrably read-only
+verb chains (`safe-verbs.linux.json` and `safe-verbs.windows.json`) shipped
+with the daemon and overridable at `~/.netclaw/config/safe-verbs.<os>.json`.
+A `ScopedShellSafeVerbPolicy` SHALL evaluate each shell invocation against
+the safe-verbs list AND the audience-aware safe-space roots resolved by
+`ToolAudienceProfileResolver`. When the candidate verb chain is on the
+safe-verbs list AND the candidate's cwd resolves under at least one
+safe-space root AND the path contains no symlink segments
+(`ContainsSymlinkSegment` returns false), the approval gate SHALL
+short-circuit to "approved" with no user prompt. Otherwise the existing
+approval gate SHALL apply.
+
+Safe-space roots SHALL be:
+
+- For Personal and Team audiences: `session_dir` (always) plus
+  `project_dir` from `WorkingContext` (when set).
+- For Public audience: `session_dir` only. Public sessions SHALL NOT
+  expand their safe space via `project_dir`, mirroring the read-roots
+  restriction `ScopedFileAccessPolicy` enforces for file_read.
+
+The hard-deny list (layer 1) SHALL apply unchanged. The safe-verb
+short-circuit SHALL only relax the interactive approval gate (layer 2).
+`ToolPathPolicy.CommandReferencesDeniedPath` SHALL still block execution
+if a denied path is referenced.
+
+#### Scenario: Read-only verb in project directory auto-runs
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the Linux safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `grep -r "error" .` and cwd `~/repos/foo/`
+- **THEN** the approval gate short-circuits to "approved"
+- **AND** no prompt is rendered to the user
+- **AND** `tool-approvals.json` is NOT modified
 
-`IToolApprovalMatcher` SHALL define an `ExtractDirectoryRoots()` method that
-returns reusable directory roots for a tool invocation.
+#### Scenario: Read-only verb in session directory auto-runs
+
+- **GIVEN** a Personal session with no `project_dir` set
+- **AND** `cat` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `cat inbox/notes.md` and cwd `~/.netclaw/sessions/<id>/`
+- **THEN** the approval gate short-circuits to "approved"
+- **AND** no prompt is rendered
+
+#### Scenario: Read-only verb outside safe spaces still prompts
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with cwd `/etc/`
+- **THEN** the approval gate prompts the user
+- **AND** the prompt body shows `/etc/` as the directory header
+
+#### Scenario: Mutating verb in safe space still prompts
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `git push` is NOT on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with command
+  `git push origin main` and cwd `~/repos/foo/`
+- **THEN** the approval gate prompts the user
+- **AND** the user can grant `(git push, ~/repos/foo/)` via "Always here"
+
+#### Scenario: Public audience cannot use project_dir as safe space
+
+- **GIVEN** a Public session with `project_dir` set to `~/repos/foo/`
+- **AND** `grep` is on the safe-verbs list
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/foo/`
+- **THEN** the approval gate prompts the user
+- **AND** Public's only safe space remains `session_dir`
+
+#### Scenario: Symlink under safe-space root cannot extend safe scope
+
+- **GIVEN** a Personal session with `project_dir` set to `~/repos/foo/`
+- **AND** `~/repos/foo/leak` is a symlink resolving to `/etc`
+- **WHEN** the agent invokes `shell_execute` with cwd `~/repos/foo/leak/`
+  and command `cat passwd`
+- **THEN** the safe-verb short-circuit SHALL NOT apply
+  (`ContainsSymlinkSegment` returns true)
+- **AND** the approval gate prompts the user (or `ToolPathPolicy`
+  hard-denies if the resolved path is protected)
+
+#### Scenario: User-overridden safe-verbs file extends defaults
+
+- **GIVEN** the user has written
+  `~/.netclaw/config/safe-verbs.linux.json` containing the verb `eza`
+- **WHEN** the daemon loads safe-verbs configuration
+- **THEN** `eza` is treated as a safe verb in addition to the shipped defaults
+- **AND** `eza` invocations in safe spaces auto-run without prompting
+
+### Requirement: Five-button approval prompt with verb-and-directory framing
+
+When the approval gate prompts the user, the prompt SHALL render five
+buttons in one row: `Once`, `This chat`, `Always here`, `Always anywhere`,
+`Deny`. The buttons `Always anywhere` and `Deny` SHALL be styled as
+danger (Slack `style: "danger"`, Discord `ButtonStyle.Danger`). All
+button labels SHALL fit within Slack's 76-character and Discord's
+80-character button-text caps.
+
+The prompt body SHALL show the cwd in the header
+(`Approve in <cwd> ?`) and the extracted verb chains as a bulleted list.
+Single-verb commands MAY collapse the list into the header
+(`Approve <verb> in <cwd> ?`). The body SHALL NOT render separate
+"Patterns" or "Directory Roots" sections.
+
+Button semantics:
+
+- `Once` SHALL run the command this one time and persist nothing.
+- `This chat` SHALL allow the extracted verbs in the prompt's directory
+  for the rest of the session, stored in session-scoped memory only.
+- `Always here` SHALL persist `(verb, prompt's directory)` entries to
+  `tool-approvals.json` for each extracted verb.
+- `Always anywhere` SHALL persist `(verb, null)` entries for each
+  extracted verb — the global wildcard.
+- `Deny` SHALL refuse this call only. Denying a verb SHALL NOT ban it
+  for future invocations.
+
+#### Scenario: Compound command shows verbs as bullets
+
+- **GIVEN** the agent invokes `shell_execute` with command
+  `cd ~/repos/foo && git remote -v && git rev-parse HEAD`
+  and cwd `~/repos/foo/`
+- **WHEN** the approval prompt is rendered on Slack
+- **THEN** the body header reads `Approve in ~/repos/foo/ ?`
+- **AND** the verbs `cd`, `git remote`, `git rev-parse` appear as bullets
+- **AND** the action row contains five buttons
+- **AND** `Always anywhere` and `Deny` are styled as danger
+
+#### Scenario: Always here persists folder-scoped entries
+
+- **GIVEN** an approval prompt for verbs `git remote`, `git rev-parse`
+  in cwd `~/repos/foo/`
+- **WHEN** the user clicks `Always here`
+- **THEN** `tool-approvals.json` gains entries
+  `{"verb": "git remote", "directory": "~/repos/foo/"}` and
+  `{"verb": "git rev-parse", "directory": "~/repos/foo/"}`
+- **AND** the resolution message reads
+  `Saved: git remote, git rev-parse in ~/repos/foo/`
+
+#### Scenario: Always anywhere persists global entries
+
+- **GIVEN** an approval prompt for verb `freshdesk` in cwd `~/.netclaw/sessions/<id>/`
+- **WHEN** the user clicks `Always anywhere`
+- **THEN** `tool-approvals.json` gains entry
+  `{"verb": "freshdesk", "directory": null}`
+- **AND** the resolution message reads `Saved: freshdesk anywhere`
+
+#### Scenario: This chat persists session-scoped only
+
+- **GIVEN** an approval prompt for verb `jsonlint` in cwd `~/repos/foo/`
+- **WHEN** the user clicks `This chat`
+- **THEN** session-scoped memory records `(jsonlint, ~/repos/foo/)`
+- **AND** `tool-approvals.json` is NOT modified
+- **AND** a new session prompts again
 
-For `shell_execute`, extraction SHALL operate on shell approval units. Units
-SHALL split on `&&`, `||`, and `;`. Pipelines joined by `|` SHALL stay inside
-the same approval unit.
+#### Scenario: Deny refuses only the current call
 
-`ShellApprovalMatcher` SHALL scan each approval unit for recognized local
-filesystem paths, expand and normalize them, derive reusable parent directory
-roots, and enforce minimum depth and path-safety checks. For `bash -c` or
-`sh -c` wrappers, the inner command SHALL be extracted and scanned recursively.
+- **GIVEN** an approval prompt for verb `git push`
+- **WHEN** the user clicks `Deny`
+- **THEN** the current call is refused
+- **AND** `tool-approvals.json` is NOT modified
+- **AND** a later `git push` call still prompts
 
-`DefaultApprovalMatcher` and `FilePathApprovalMatcher` SHALL return empty lists.
+### Requirement: Resolution message single-line format
 
-#### Scenario: grep extracts a root from a later argument
+After an approval response is processed, the channel SHALL render a
+single-line resolution message replacing today's separate `Patterns` and
+`Directory Roots` sections. The line SHALL identify the verbs and the
+scope. Permitted formats:
 
-- **GIVEN** the command `grep -l "timeout" /home/.netclaw/logs/daemon.log`
-- **WHEN** `ExtractDirectoryRoots` runs
-- **THEN** the root `/home/.netclaw/logs/` is extracted
-- **AND** the search term `"timeout"` is ignored
+- `Saved: <verb-list> in <directory>` — for `Always here`.
+- `Saved: <verb-list> anywhere` — for `Always anywhere`.
+- `Saved for this chat: <verb-list> in <directory>` — for `This chat`.
+- `Approved (no save)` — for `Once`.
+- `Denied` — for `Deny`.
 
-#### Scenario: Pipeline stays in one approval unit
+#### Scenario: Resolution shows folder scope for Always here
 
-- **GIVEN** the command `grep "error" /home/.netclaw/logs/app.log | wc -l`
-- **WHEN** `ExtractDirectoryRoots` runs
-- **THEN** the pipeline is treated as one approval unit
-- **AND** the root `/home/.netclaw/logs/` is extracted for that unit
+- **GIVEN** the user has clicked `Always here` for verbs
+  `jsonlint, git pull` in `~/repos/foo/`
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved: jsonlint, git pull in ~/repos/foo/`
+- **AND** no `Patterns` or `Directory Roots` headers are emitted
 
-#### Scenario: Control operators split approval units
+#### Scenario: Resolution shows global scope for Always anywhere
 
-- **GIVEN** the command `cat /home/.netclaw/logs/app.log && cat /home/.netclaw/config/netclaw.json`
-- **WHEN** `ExtractDirectoryRoots` runs
-- **THEN** the `&&` creates two approval units
-- **AND** each unit is evaluated independently for reusable roots
+- **GIVEN** the user has clicked `Always anywhere` for verb `freshdesk`
+- **WHEN** the resolution message is rendered
+- **THEN** the message reads `Saved: freshdesk anywhere`
 
-#### Scenario: Glob paths use parent directory root
+### Requirement: Pattern extraction refuses bash control-flow
 
-- **GIVEN** the command `ls /home/.netclaw/logs/crash-*.log`
-- **WHEN** `ExtractDirectoryRoots` runs
-- **THEN** the root `/home/.netclaw/logs/` is extracted
-- **AND** the glob component does not become part of the stored root
+`ShellTokenizer.SplitCompoundCommand` SHALL detect bash control-flow
+tokens (`for`, `while`, `do`, `done`, `then`, `fi`, `case`, `esac`) and
+unbalanced quotes/brackets. When detected, the tokenizer SHALL return an
+empty verb-chain list. The approval gate SHALL respond by offering only
+the `Once` and `Deny` buttons (no `This chat`, `Always here`, or
+`Always anywhere`) and the prompt body SHALL show a hint: "complex
+command — only one-shot approval available". No persistent grant SHALL
+be possible for unparseable commands.
 
-### Requirement: Dynamic approval option labels
+#### Scenario: For-loop produces empty verb-chain list
 
-When directory roots are available, the system SHALL customize the approval
-option labels to show the reusable root scope. The labels SHALL follow the
-format:
-- B: `"Approve in {directory-root} for this chat"`
-- C: `"Approve in {directory-root} always"`
+- **GIVEN** the command
+  `for pid in $(pgrep netclawd); do echo "$pid"; done`
+- **WHEN** `ShellTokenizer.SplitCompoundCommand` runs
+- **THEN** the returned verb-chain list is empty
 
-Options A ("Approve once") and D ("Deny") SHALL retain their default labels.
+#### Scenario: Approval prompt for messy command offers only Once and Deny
 
-#### Scenario: Labels show reusable root scope for shell commands
+- **GIVEN** the agent invokes `shell_execute` with the for-loop above
+  and cwd outside any safe space
+- **WHEN** the approval prompt is rendered
+- **THEN** only `Once` and `Deny` buttons are present
+- **AND** the body shows the "complex command" hint
 
-- **GIVEN** a shell command `grep "error" /home/.netclaw/logs/app.log`
-  requires approval
-- **WHEN** the approval prompt is generated
-- **THEN** option B reads `Approve in /home/.netclaw/logs/ for this chat`
-- **AND** option C reads `Approve in /home/.netclaw/logs/ always`
+#### Scenario: Unbalanced quotes treated as messy
 
-#### Scenario: Labels use defaults when no reusable directory root exists
+- **GIVEN** the command `echo "unterminated`
+- **WHEN** the tokenizer runs
+- **THEN** the verb-chain list is empty
+- **AND** the approval gate offers only `Once` and `Deny`
 
-- **GIVEN** a shell command `git push origin main` requires approval
-- **WHEN** the approval prompt is generated
-- **THEN** option B reads the default "Approve for this chat"
-- **AND** option C reads the default "Approve always"
diff --git a/src/Netclaw.Actors.Tests/Channels/DiscordApprovalPromptBuilderTests.cs b/src/Netclaw.Actors.Tests/Channels/DiscordApprovalPromptBuilderTests.cs
index 36864e9d..6008caff 100644
--- a/src/Netclaw.Actors.Tests/Channels/DiscordApprovalPromptBuilderTests.cs
+++ b/src/Netclaw.Actors.Tests/Channels/DiscordApprovalPromptBuilderTests.cs
@@ -68,8 +68,11 @@ public void BuildTextPrompt_omits_pattern_when_empty()
     [Fact]
     public void BuildDecisionStatus_formats_known_keys()
     {
-        Assert.Contains("Approve once", DiscordApprovalPromptBuilder.BuildDecisionStatus(ApprovalOptionKeys.ApproveOnce));
-        Assert.Contains("Approve always", DiscordApprovalPromptBuilder.BuildDecisionStatus(ApprovalOptionKeys.ApproveAlways));
+        // Labels updated in section 7 (approval-policy-v2) — see ApprovalOptionKeys.
+        // Discord prompt body redesign to single-line resolution lands in section 8;
+        // for now we only assert the new label spellings make it through.
+        Assert.Contains("Once", DiscordApprovalPromptBuilder.BuildDecisionStatus(ApprovalOptionKeys.ApproveOnce));
+        Assert.Contains("Always here", DiscordApprovalPromptBuilder.BuildDecisionStatus(ApprovalOptionKeys.ApproveAlways));
         Assert.Contains("Deny", DiscordApprovalPromptBuilder.BuildDecisionStatus(ApprovalOptionKeys.Deny));
     }
 
@@ -191,8 +194,8 @@ public void BuildResolvedPromptText_approve_once_shows_checkmark()
         Assert.Contains(":white_check_mark:", text);
         Assert.Contains("git_push", text);
         Assert.Contains("push to origin/main", text);
-        Assert.Contains("origin/main", text);
-        Assert.Contains(ApprovalOptionKeys.ApproveOnceLabel, text);
+        // v2 single-line resolution message replaces "**Decision:** <label>".
+        Assert.Contains("Approved (no save)", text);
         Assert.Contains("<@user-42>", text);
     }
 
@@ -213,7 +216,8 @@ public void BuildResolvedPromptText_deny_shows_no_entry()
             request, ApprovalOptionKeys.Deny, "user-99");
 
         Assert.Contains(":no_entry:", text);
-        Assert.Contains(ApprovalOptionKeys.DenyLabel, text);
+        // v2 single-line resolution message: "Denied" instead of "Decision: Deny".
+        Assert.Contains("Denied", text);
         Assert.DoesNotContain(":white_check_mark:", text);
     }
 
@@ -236,4 +240,130 @@ public void BuildResolvedPromptText_omits_patterns_when_empty()
 
         Assert.DoesNotContain("Pattern", text);
     }
+
+    // ── v2 prompt redesign (parallel to Slack section 7) ──
+
+    private static IReadOnlyList<ToolInteractionOption> FullButtonRow() =>
+    [
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveSession, ApprovalOptionKeys.ApproveSessionLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveEverywhere, ApprovalOptionKeys.ApproveEverywhereLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
+    ];
+
+    private static IReadOnlyList<ToolInteractionOption> MessyRow() =>
+    [
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
+    ];
+
+    private static ToolInteractionRequest V2Request(
+        string command,
+        IReadOnlyList<string> verbs,
+        string? cwd,
+        IReadOnlyList<ToolInteractionOption> options,
+        bool isMessy = false)
+        => new()
+        {
+            SessionId = new SessionId("test/session"),
+            Kind = "approval",
+            CallId = "call-1",
+            ToolName = "shell_execute",
+            DisplayText = command,
+            Patterns = verbs,
+            CandidateVerbs = verbs,
+            Cwd = cwd,
+            IsMessy = isMessy,
+            Options = options
+        };
+
+    [Fact]
+    public void V2_single_verb_collapses_into_header()
+    {
+        var request = V2Request("git status", ["git status"], "/home/user/repos/foo", FullButtonRow());
+
+        var (text, _) = DiscordApprovalPromptBuilder.BuildButtonPrompt(request);
+
+        Assert.Contains("Approve git status in /home/user/repos/foo?", text);
+    }
+
+    [Fact]
+    public void V2_multi_verb_uses_generic_header_with_bullets()
+    {
+        var request = V2Request(
+            "git fetch && git rebase && git status",
+            ["git fetch", "git rebase", "git status"],
+            "/home/user/repos/foo",
+            FullButtonRow());
+
+        var (text, _) = DiscordApprovalPromptBuilder.BuildButtonPrompt(request);
+
+        Assert.Contains("Approve in /home/user/repos/foo?", text);
+        Assert.Contains("• `git fetch`", text);
+        Assert.Contains("• `git rebase`", text);
+        Assert.Contains("• `git status`", text);
+    }
+
+    [Fact]
+    public void V2_messy_command_emits_complex_command_hint()
+    {
+        var request = V2Request(
+            "for f in *.log; do grep ERROR \"$f\"; done",
+            verbs: [],
+            cwd: "/home/user/repos/foo",
+            options: MessyRow(),
+            isMessy: true);
+
+        var (text, buttons) = DiscordApprovalPromptBuilder.BuildButtonPrompt(request);
+
+        Assert.Contains("complex command", text);
+        Assert.Equal(2, buttons.Count);
+    }
+
+    [Fact]
+    public void V2_button_row_has_five_buttons_with_danger_styling_on_danger_keys()
+    {
+        var request = V2Request("git status", ["git status"], "/home/user/repos/foo", FullButtonRow());
+
+        var (_, buttons) = DiscordApprovalPromptBuilder.BuildButtonPrompt(request);
+
+        Assert.Equal(5, buttons.Count);
+        var byLabel = buttons.ToDictionary(b => b.Label, b => b);
+        Assert.Equal(DiscordButtonStyle.Success, byLabel[ApprovalOptionKeys.ApproveOnceLabel].Style);
+        Assert.Equal(DiscordButtonStyle.Secondary, byLabel[ApprovalOptionKeys.ApproveSessionLabel].Style);
+        Assert.Equal(DiscordButtonStyle.Secondary, byLabel[ApprovalOptionKeys.ApproveAlwaysLabel].Style);
+        Assert.Equal(DiscordButtonStyle.Danger, byLabel[ApprovalOptionKeys.ApproveEverywhereLabel].Style);
+        Assert.Equal(DiscordButtonStyle.Danger, byLabel[ApprovalOptionKeys.DenyLabel].Style);
+    }
+
+    [Fact]
+    public void V2_resolved_text_for_always_here_uses_Saved_verbs_in_dir()
+    {
+        var request = V2Request("git pull && git rebase", ["git pull", "git rebase"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = DiscordApprovalPromptBuilder.BuildResolvedPromptText(request, ApprovalOptionKeys.ApproveAlways, "U123");
+
+        Assert.Contains("Saved: git pull, git rebase in /home/user/repos/foo", text);
+    }
+
+    [Fact]
+    public void V2_resolved_text_for_always_anywhere_uses_Saved_verbs_anywhere()
+    {
+        var request = V2Request("freshdesk --since=24h", ["freshdesk"], "/home/user/.netclaw/sessions/abc", FullButtonRow());
+
+        var text = DiscordApprovalPromptBuilder.BuildResolvedPromptText(request, ApprovalOptionKeys.ApproveEverywhere, "U123");
+
+        Assert.Contains("Saved: freshdesk anywhere", text);
+    }
+
+    [Fact]
+    public void V2_resolved_text_for_this_chat_uses_Saved_for_this_chat()
+    {
+        var request = V2Request("jsonlint config.json", ["jsonlint config.json"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = DiscordApprovalPromptBuilder.BuildResolvedPromptText(request, ApprovalOptionKeys.ApproveSession, "U123");
+
+        Assert.Contains("Saved for this chat: jsonlint config.json in /home/user/repos/foo", text);
+    }
 }
diff --git a/src/Netclaw.Actors.Tests/Channels/SlackApprovalBlockBuilderTests.cs b/src/Netclaw.Actors.Tests/Channels/SlackApprovalBlockBuilderTests.cs
new file mode 100644
index 00000000..6623fe8d
--- /dev/null
+++ b/src/Netclaw.Actors.Tests/Channels/SlackApprovalBlockBuilderTests.cs
@@ -0,0 +1,180 @@
+// -----------------------------------------------------------------------
+// <copyright file="SlackApprovalBlockBuilderTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Actors.Protocol;
+using Netclaw.Channels.Slack;
+using Netclaw.Tools;
+using SlackNet.Blocks;
+using Xunit;
+
+namespace Netclaw.Actors.Tests.Channels;
+
+public sealed class SlackApprovalBlockBuilderTests
+{
+    private static IReadOnlyList<ToolInteractionOption> FullButtonRow() =>
+    [
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveSession, ApprovalOptionKeys.ApproveSessionLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveEverywhere, ApprovalOptionKeys.ApproveEverywhereLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
+    ];
+
+    private static IReadOnlyList<ToolInteractionOption> MessyRow() =>
+    [
+        new ToolInteractionOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+        new ToolInteractionOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
+    ];
+
+    private static ToolInteractionRequest Request(
+        string command,
+        IReadOnlyList<string> verbs,
+        string? cwd,
+        IReadOnlyList<ToolInteractionOption> options,
+        bool isMessy = false)
+        => new()
+        {
+            SessionId = new SessionId("signalr/test"),
+            Kind = "approval",
+            CallId = "call-1",
+            ToolName = "shell_execute",
+            DisplayText = command,
+            RequesterSenderId = "device-1",
+            Patterns = verbs,
+            CandidateVerbs = verbs,
+            Cwd = cwd,
+            IsMessy = isMessy,
+            Options = options
+        };
+
+    [Fact]
+    public void Single_verb_collapses_into_header_line()
+    {
+        var request = Request("git status", ["git status"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildApprovalText(request);
+
+        Assert.Contains("Approve git status in /home/user/repos/foo?", text);
+        Assert.DoesNotContain("• `git status`", text); // No redundant bullet for single-verb
+    }
+
+    [Fact]
+    public void Multi_verb_uses_generic_header_with_bulleted_verbs()
+    {
+        var request = Request(
+            "git fetch && git rebase && git status",
+            ["git fetch", "git rebase", "git status"],
+            "/home/user/repos/foo",
+            FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildApprovalText(request);
+
+        Assert.Contains("Approve in /home/user/repos/foo?", text);
+        Assert.Contains("• `git fetch`", text);
+        Assert.Contains("• `git rebase`", text);
+        Assert.Contains("• `git status`", text);
+    }
+
+    [Fact]
+    public void Messy_command_emits_complex_command_hint()
+    {
+        var request = Request(
+            "for f in *.log; do grep ERROR \"$f\"; done",
+            verbs: [],
+            cwd: "/home/user/repos/foo",
+            options: MessyRow(),
+            isMessy: true);
+
+        var text = SlackApprovalBlockBuilder.BuildApprovalText(request);
+
+        Assert.Contains("complex command", text);
+        Assert.Contains("only one-shot approval available", text);
+    }
+
+    [Fact]
+    public void Approval_blocks_render_five_buttons_with_danger_styling_on_danger_options()
+    {
+        var request = Request("git status", ["git status"], "/home/user/repos/foo", FullButtonRow());
+
+        var blocks = SlackApprovalBlockBuilder.BuildApprovalBlocks(request);
+        var actions = blocks.OfType<ActionsBlock>().Single();
+        var buttons = actions.Elements.OfType<Button>().ToList();
+
+        Assert.Equal(5, buttons.Count);
+
+        var byKey = buttons.ToDictionary(b => b.ActionId.Split('_').Last(), b => b);
+        Assert.Equal(ButtonStyle.Primary, byKey["once"].Style);
+        Assert.Equal(ButtonStyle.Default, byKey["session"].Style);
+        Assert.Equal(ButtonStyle.Default, byKey["always"].Style);
+        Assert.Equal(ButtonStyle.Danger, byKey["everywhere"].Style);
+        Assert.Equal(ButtonStyle.Danger, byKey["deny"].Style);
+    }
+
+    [Fact]
+    public void Approval_blocks_omit_legacy_directory_roots_section()
+    {
+        var request = Request("grep error /var/log/syslog", ["grep error /var/log/syslog"], "/var/log", FullButtonRow());
+
+        var blocks = SlackApprovalBlockBuilder.BuildApprovalBlocks(request);
+        var sections = blocks.OfType<SectionBlock>()
+            .Select(s => (s.Text as Markdown)?.Text ?? string.Empty)
+            .ToList();
+
+        Assert.DoesNotContain(sections, t => t.Contains("Directory Roots", StringComparison.Ordinal));
+        Assert.DoesNotContain(sections, t => t.Contains("*Patterns*", StringComparison.Ordinal));
+    }
+
+    // ── Resolution message single-line format ──
+
+    [Fact]
+    public void Resolved_text_for_always_here_uses_Saved_verbs_in_dir()
+    {
+        var request = Request("git pull && git rebase", ["git pull", "git rebase"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildResolvedApprovalText(request, ApprovalOptionKeys.ApproveAlways, "U123");
+
+        Assert.Contains("Saved: git pull, git rebase in /home/user/repos/foo", text);
+    }
+
+    [Fact]
+    public void Resolved_text_for_always_anywhere_uses_Saved_verbs_anywhere()
+    {
+        var request = Request("freshdesk --since=24h", ["freshdesk"], "/home/user/.netclaw/sessions/abc", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildResolvedApprovalText(request, ApprovalOptionKeys.ApproveEverywhere, "U123");
+
+        Assert.Contains("Saved: freshdesk anywhere", text);
+    }
+
+    [Fact]
+    public void Resolved_text_for_this_chat_uses_Saved_for_this_chat()
+    {
+        var request = Request("jsonlint config.json", ["jsonlint config.json"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildResolvedApprovalText(request, ApprovalOptionKeys.ApproveSession, "U123");
+
+        Assert.Contains("Saved for this chat: jsonlint config.json in /home/user/repos/foo", text);
+    }
+
+    [Fact]
+    public void Resolved_text_for_once_uses_Approved_no_save()
+    {
+        var request = Request("docker build .", ["docker build"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildResolvedApprovalText(request, ApprovalOptionKeys.ApproveOnce, "U123");
+
+        Assert.Contains("Approved (no save)", text);
+    }
+
+    [Fact]
+    public void Resolved_text_for_deny_uses_Denied()
+    {
+        var request = Request("rm -rf /", ["rm"], "/home/user/repos/foo", FullButtonRow());
+
+        var text = SlackApprovalBlockBuilder.BuildResolvedApprovalText(request, ApprovalOptionKeys.Deny, "U123");
+
+        Assert.Contains("Denied", text);
+    }
+}
diff --git a/src/Netclaw.Actors.Tests/Sessions/ParentSessionApprovalBridgeTests.cs b/src/Netclaw.Actors.Tests/Sessions/ParentSessionApprovalBridgeTests.cs
index 68f67885..36ae880a 100644
--- a/src/Netclaw.Actors.Tests/Sessions/ParentSessionApprovalBridgeTests.cs
+++ b/src/Netclaw.Actors.Tests/Sessions/ParentSessionApprovalBridgeTests.cs
@@ -37,8 +37,8 @@ public async Task Bridge_preserves_requester_identity_and_adopted_context()
             "shell_execute",
             "grep timeout logs/app.log | wc -l",
             ["grep timeout logs/app.log | wc -l"],
-            ["/tmp/work/logs/"],
-            ["logs/"],
+            ["grep timeout logs/app.log"],
+            isMessy: false,
             TestContext.Current.CancellationToken);
 
         Assert.Equal(ParentApprovalDecision.ApprovedOnce, decision);
@@ -50,8 +50,7 @@ public async Task Bridge_preserves_requester_identity_and_adopted_context()
         Assert.True(emitted.PersistedAdoptedContext);
         Assert.Equal(["user-123", "user-456"], emitted.AdoptedSpeakerIds);
         Assert.Equal(["grep timeout logs/app.log | wc -l"], emitted.Patterns);
-        Assert.Equal(["/tmp/work/logs/"], emitted.ApprovalEntries);
-        Assert.Equal(["logs/"], emitted.DirectoryRoots);
+        Assert.Equal(["grep timeout logs/app.log"], emitted.CandidateVerbs);
         Assert.Equal(ApprovalOptionKeys.ApproveSessionLabel, emitted.Options.Single(o => o.Key == ApprovalOptionKeys.ApproveSession).Label);
         Assert.Equal(ApprovalOptionKeys.ApproveAlwaysLabel, emitted.Options.Single(o => o.Key == ApprovalOptionKeys.ApproveAlways).Label);
     }
@@ -80,8 +79,8 @@ public async Task Bridge_preserves_self_only_adopted_context_without_third_party
             "shell_execute",
             "cat logs/app.log",
             ["cat logs/app.log"],
-            ["/tmp/work/logs/"],
-            ["logs/"],
+            ["cat logs/app.log"],
+            isMessy: false,
             TestContext.Current.CancellationToken);
 
         Assert.Equal(ParentApprovalDecision.ApprovedOnce, decision);
diff --git a/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineHintTests.cs b/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineHintTests.cs
new file mode 100644
index 00000000..b95b6988
--- /dev/null
+++ b/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineHintTests.cs
@@ -0,0 +1,121 @@
+// -----------------------------------------------------------------------
+// <copyright file="SessionToolExecutionPipelineHintTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Actors.Sessions;
+using Netclaw.Actors.Sessions.Pipelines;
+using Netclaw.Actors.Tools;
+using Xunit;
+
+namespace Netclaw.Actors.Tests.Sessions;
+
+/// <summary>
+/// Direct unit tests for the deny-path hint helper that points the agent at
+/// <c>set_working_directory</c> when a shell call is denied for cwd-outside-
+/// safe-spaces. Exercises the helper in isolation rather than the whole
+/// pipeline so the test stays focused on the hint-emission logic.
+/// </summary>
+public sealed class SessionToolExecutionPipelineHintTests
+{
+    private const string ShellTool = "shell_execute";
+
+    [Fact]
+    public void Hint_emitted_when_shell_denied_with_cwd_outside_both_safe_spaces()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.Denied,
+            cwd: "/home/user/repos/bar",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Contains("set_working_directory", hint);
+        Assert.Contains("/home/user/repos/bar", hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_when_set_working_directory_is_unavailable()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.Denied,
+            cwd: "/home/user/repos/bar",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: false);
+
+        Assert.Empty(hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_when_decision_is_not_Denied()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.TimedOut,
+            cwd: "/home/user/repos/bar",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Empty(hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_for_non_shell_tools()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: "file_write",
+            decision: ApprovalDecision.Denied,
+            cwd: "/home/user/repos/bar",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Empty(hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_when_cwd_is_inside_session_directory()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.Denied,
+            cwd: "/home/user/.netclaw/sessions/abc/sub",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Empty(hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_when_cwd_is_inside_project_directory()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.Denied,
+            cwd: "/home/user/repos/foo/sub",
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: "/home/user/repos/foo",
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Empty(hint);
+    }
+
+    [Fact]
+    public void Hint_suppressed_when_cwd_is_null()
+    {
+        var hint = SessionToolExecutionPipeline.BuildSetWorkingDirectoryHint(
+            toolName: ShellTool,
+            decision: ApprovalDecision.Denied,
+            cwd: null,
+            sessionDirectory: "/home/user/.netclaw/sessions/abc",
+            projectDirectory: null,
+            setWorkingDirectoryAvailable: true);
+
+        Assert.Empty(hint);
+    }
+}
diff --git a/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineTests.cs b/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineTests.cs
index dd62b006..e9f2d0c5 100644
--- a/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineTests.cs
+++ b/src/Netclaw.Actors.Tests/Sessions/SessionToolExecutionPipelineTests.cs
@@ -131,6 +131,58 @@ await AwaitAssertAsync(() =>
         Assert.Single(approvals);
     }
 
+    [Fact]
+    public async Task Approval_request_propagates_cwd_from_approval_context()
+    {
+        // Regression: ToolApprovalContext.Cwd was never threaded into the
+        // emitted ToolInteractionRequest, so PendingToolInteraction.Cwd ended
+        // up null on the session-actor side. That silently turned every
+        // "Always here" click (ApprovedAlways) into a global wildcard
+        // because the persistence path read pending.Cwd to scope the entry.
+        const string cwd = "/tmp/scoped-approval";
+        var executor = new ApprovalWithCwdExecutor(cwd);
+        var approvalChannel = new ApprovalChannel();
+        var probe = CreateTestProbe("cwd-propagation-probe");
+        var approvalRequestTcs = new TaskCompletionSource<ToolInteractionRequest>(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        var toolCalls = new List<FunctionCallContent>
+        {
+            new("call-cwd", "shell_execute", new Dictionary<string, object?>
+            {
+                ["command"] = "ls"
+            })
+        };
+
+        var pipelineTask = SessionToolExecutionPipeline.ExecuteToolsAsync(
+            executor,
+            toolCalls,
+            new SessionId("D1/cwd-propagation-test"),
+            source: null,
+            auditLogger: null,
+            timeProvider: TimeProvider.System,
+            sessionDir: Path.GetTempPath(),
+            maxInlineToolResultChars: 4096,
+            timeout: TimeSpan.FromSeconds(5),
+            self: probe.Ref,
+            emitSubAgentOutput: _ => { },
+            spawnChildActor: static (_, _, _) => Task.FromResult<object>(new object()),
+            approvalChannel: approvalChannel,
+            emitApprovalRequest: request => approvalRequestTcs.TrySetResult(request),
+            approvalTimeout: Timeout.InfiniteTimeSpan);
+
+        var approvalRequest = await approvalRequestTcs.Task.WaitAsync(
+            TimeSpan.FromSeconds(3),
+            cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.Equal(cwd, approvalRequest.Cwd);
+
+        approvalChannel.Complete(new ToolCallId(approvalRequest.CallId), ApprovalDecision.ApprovedAlways);
+        await probe.ExpectMsgAsync<ToolExecutionCompleted>(
+            TimeSpan.FromSeconds(3),
+            cancellationToken: TestContext.Current.CancellationToken);
+        await pipelineTask.WaitAsync(TimeSpan.FromSeconds(3), TestContext.Current.CancellationToken);
+    }
+
     private sealed class ApprovalThenSuccessExecutor : IToolExecutor
     {
         private int _attempt;
@@ -148,19 +200,49 @@ public Task<string> ExecuteAsync(FunctionCallContent toolCall, ToolExecutionCont
                     ToolName: toolCall.Name,
                     DisplayText: "git push origin dev",
                     Patterns: ["git push origin dev"],
-                    ApprovalEntries: ["git push origin dev"],
+                    CandidateVerbs: ["git push origin dev"],
                     Options:
                     [
                         new ToolApprovalOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
                         new ToolApprovalOption(ApprovalOptionKeys.ApproveSession, ApprovalOptionKeys.ApproveSessionLabel),
                         new ToolApprovalOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel),
                         new ToolApprovalOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
-                    ],
-                    DirectoryRoots: []));
+                    ]));
             }
 
             ct.ThrowIfCancellationRequested();
             return Task.FromResult("approved-and-ran");
         }
     }
+
+    private sealed class ApprovalWithCwdExecutor(string cwd) : IToolExecutor
+    {
+        private int _attempt;
+
+        public Task AuthorizeAsync(FunctionCallContent toolCall, ToolExecutionContext? context = null, CancellationToken ct = default)
+            => ExecuteAsync(toolCall, context, ct);
+
+        public Task<string> ExecuteAsync(FunctionCallContent toolCall, ToolExecutionContext? context = null, CancellationToken ct = default)
+        {
+            _attempt++;
+            if (_attempt == 1)
+            {
+                throw new ToolApprovalRequiredException(new ToolApprovalContext(
+                    ToolName: toolCall.Name,
+                    DisplayText: "ls",
+                    Patterns: ["ls"],
+                    CandidateVerbs: ["ls"],
+                    Options:
+                    [
+                        new ToolApprovalOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+                        new ToolApprovalOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel),
+                        new ToolApprovalOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
+                    ],
+                    Cwd: cwd));
+            }
+
+            ct.ThrowIfCancellationRequested();
+            return Task.FromResult("ok");
+        }
+    }
 }
diff --git a/src/Netclaw.Actors.Tests/SubAgents/SubAgentActorTests.cs b/src/Netclaw.Actors.Tests/SubAgents/SubAgentActorTests.cs
index 11ddc7e9..092979f4 100644
--- a/src/Netclaw.Actors.Tests/SubAgents/SubAgentActorTests.cs
+++ b/src/Netclaw.Actors.Tests/SubAgents/SubAgentActorTests.cs
@@ -534,8 +534,8 @@ public Task<ParentApprovalDecision> RequestApprovalAsync(
         string toolName,
         string displayText,
         IReadOnlyList<string> patterns,
-        IReadOnlyList<string> approvalEntries,
-        IReadOnlyList<string> directoryRoots,
+        IReadOnlyList<string> candidateVerbs,
+        bool isMessy,
         CancellationToken ct)
     {
         RequestCount++;
diff --git a/src/Netclaw.Actors.Tests/Tools/DispatchingToolExecutorTests.cs b/src/Netclaw.Actors.Tests/Tools/DispatchingToolExecutorTests.cs
index 9793a7f7..d48228fe 100644
--- a/src/Netclaw.Actors.Tests/Tools/DispatchingToolExecutorTests.cs
+++ b/src/Netclaw.Actors.Tests/Tools/DispatchingToolExecutorTests.cs
@@ -386,7 +386,7 @@ public async Task Mcp_tool_is_denied_when_server_not_allowed_for_audience()
         Assert.Equal("mcp_server_not_allowed_for_audience_profile", ex.DenyReason);
     }
 
-    [Fact]
+[Fact]
     public async Task One_time_approval_allows_immediate_retry_only()
     {
         var config = new ToolConfig { ShellMode = ShellExecutionMode.HostAllowed };
@@ -420,7 +420,10 @@ public async Task One_time_approval_allows_immediate_retry_only()
             var toolCall = new FunctionCallContent(
                 "call-approve-once",
                 "shell_execute",
-                ToolInput.Create("Command", "echo once"));
+                // Use a non-side-effect verb (echo/printf/:/true/false
+                // auto-allow at the matcher level under v2.1) so the
+                // approval flow this test exercises actually triggers.
+                ToolInput.Create("Command", "git status"));
 
             var context = new Netclaw.Tools.ToolExecutionContext("signalr/thread-1", null)
             {
@@ -436,8 +439,10 @@ public async Task One_time_approval_allows_immediate_retry_only()
             context.OneTimeApprovedToolName = toolCall.Name;
             context.SetOneTimeApprovedPatterns(firstAttempt.ApprovalContext.Patterns);
 
-            var retryResult = await executor.ExecuteAsync(toolCall, context, TestContext.Current.CancellationToken);
-            Assert.Contains("once", retryResult);
+            // The one-time-approval bypass should let the call succeed.
+            // Output text varies by test environment (git status); meaningful
+            // assertion is that no ToolApprovalRequiredException is thrown.
+            _ = await executor.ExecuteAsync(toolCall, context, TestContext.Current.CancellationToken);
 
             context.OneTimeApprovedToolName = null;
             context.SetOneTimeApprovedPatterns([]);
@@ -622,6 +627,7 @@ await approvalService.RecordApprovalAsync(
                 new ToolName("shell_execute"),
                 ["pwd"],
                 persistent: false,
+                cwd: null,
                 TestContext.Current.CancellationToken);
 
             var call = new FunctionCallContent(
@@ -687,7 +693,10 @@ public async Task Session_approval_allows_same_session_but_not_different_session
             var toolCall = new FunctionCallContent(
                 "call-session-approve",
                 "shell_execute",
-                ToolInput.Create("Command", "echo session"));
+                // Non-side-effect verb so the approval flow under test
+                // actually triggers (see same change above for
+                // One_time_approval_allows_immediate_retry_only).
+                ToolInput.Create("Command", "git status"));
 
             var firstContext = new Netclaw.Tools.ToolExecutionContext("signalr/thread-1", null)
             {
@@ -712,12 +721,16 @@ await approvalService.RecordApprovalAsync(
                 "signalr/thread-1",
                 TrustAudience.Personal,
                 new ToolName(toolCall.Name),
-                firstAttempt.ApprovalContext.ApprovalEntries,
+                firstAttempt.ApprovalContext.CandidateVerbs,
                 persistent: false,
+                cwd: null,
                 TestContext.Current.CancellationToken);
 
-            var sameSessionResult = await executor.ExecuteAsync(toolCall, firstContext, TestContext.Current.CancellationToken);
-            Assert.Contains("session", sameSessionResult);
+            // Approved in firstContext's session — call should succeed.
+            // The output text varies by test environment (git status may
+            // error if not in a repo), but the meaningful assertion is
+            // that no ToolApprovalRequiredException was thrown.
+            _ = await executor.ExecuteAsync(toolCall, firstContext, TestContext.Current.CancellationToken);
 
             await Assert.ThrowsAsync<ToolApprovalRequiredException>(() =>
                 executor.ExecuteAsync(toolCall, secondContext, TestContext.Current.CancellationToken));
diff --git a/src/Netclaw.Actors.Tests/Tools/MessyCommandOneTimeApprovalTests.cs b/src/Netclaw.Actors.Tests/Tools/MessyCommandOneTimeApprovalTests.cs
new file mode 100644
index 00000000..9cf6bd29
--- /dev/null
+++ b/src/Netclaw.Actors.Tests/Tools/MessyCommandOneTimeApprovalTests.cs
@@ -0,0 +1,147 @@
+// -----------------------------------------------------------------------
+// <copyright file="MessyCommandOneTimeApprovalTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Akka.Actor;
+using Akka.Hosting;
+using Akka.Hosting.TestKit;
+using Microsoft.Extensions.AI;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Netclaw.Actors.Hosting;
+using Netclaw.Actors.Tools;
+using Netclaw.Configuration;
+using Netclaw.Tests.Utilities;
+using Netclaw.Tools;
+using Xunit;
+using Xunit.v3;
+
+namespace Netclaw.Actors.Tests.Tools;
+
+/// <summary>
+/// Verifies the messy-command branch of <c>IsOneTimeApprovalSatisfied</c>:
+/// bash control-flow constructs (for/while/case) and unbalanced
+/// quotes/brackets cannot have verb-chain patterns extracted, so the
+/// approval prompt offers Once + Deny only and
+/// <c>ApprovalContext.Patterns</c> is empty. The OneTimeApproval bypass
+/// must succeed on tool-name match alone for messy commands — otherwise
+/// clicking Once on a complex bash for-loop fails the retry with
+/// <c>ToolApprovalRequiredException</c>, surfacing as
+/// "I encountered an error executing a tool" with a correlation ID.
+/// </summary>
+/// <remarks>
+/// Repro on production: session
+/// <c>D0AC6CKBK5K/1778542266.328629</c> on 2026-05-11 ran a
+/// <c>for repo in ...; do ... worktree list ...; done</c> loop. Prompt
+/// fired with "complex command — only Once available." User clicked
+/// Once 28 minutes later (no longer auto-denied since the
+/// approval-timeout removal). Click landed on the now-living workflow,
+/// retry hit the bypass guard, threw.
+/// </remarks>
+public sealed class MessyCommandOneTimeApprovalTests : TestKit
+{
+    public MessyCommandOneTimeApprovalTests(ITestOutputHelper output) : base(output: output)
+    {
+    }
+
+    protected override void ConfigureServices(HostBuilderContext context, IServiceCollection services)
+    {
+        var toolConfig = new ToolConfig { ShellMode = ShellExecutionMode.HostAllowed };
+        toolConfig.AudienceProfiles.Personal.ApprovalPolicy = new ToolApprovalConfig
+        {
+            ToolOverrides = new Dictionary<string, ToolApprovalMode>(StringComparer.Ordinal)
+            {
+                ["shell_execute"] = ToolApprovalMode.Approval
+            }
+        };
+
+        services.AddSingleton(toolConfig);
+        services.AddSingleton(new EffectivePolicyDefaults(
+            DeploymentPosture.Personal,
+            TrustAudience.Personal,
+            ShellExecutionMode.HostAllowed,
+            UsedStrictFallback: false));
+        services.AddSingleton<ToolAccessPolicy>(sp => new ToolAccessPolicy(
+            sp.GetRequiredService<ToolConfig>(),
+            sp.GetRequiredService<EffectivePolicyDefaults>()));
+
+        var registry = new ToolRegistry();
+        registry.WithFirstPartyTools(toolConfig);
+        services.AddSingleton(registry);
+    }
+
+    protected override void ConfigureAkka(AkkaConfigurationBuilder builder, IServiceProvider provider)
+    {
+        builder.WithActors((system, actorRegistry, resolver) =>
+        {
+            var approvalActor = system.ActorOf(ToolApprovalActor.CreateProps(), "tool-approval");
+            actorRegistry.Register<ToolApprovalActor>(approvalActor);
+        });
+    }
+
+    [Fact]
+    public async Task ApprovedOnce_on_messy_command_satisfies_one_time_bypass()
+    {
+        var registry = Host.Services.GetRequiredService<ToolRegistry>();
+        var policy = Host.Services.GetRequiredService<ToolAccessPolicy>();
+        var approvalActor = ActorRegistry.Get<ToolApprovalActor>();
+        var approvalService = new AkkaToolApprovalService(new StubRequiredActor(approvalActor));
+        var executor = new DispatchingToolExecutor(registry, policy, approvalService);
+
+        // bash for-loop is messy — tokenizer refuses to extract verb chains
+        // for control-flow commands, so Patterns is empty.
+        var toolCall = new FunctionCallContent(
+            "call-messy-once",
+            "shell_execute",
+            ToolInput.Create("Command", "for i in 1 2 3; do echo $i; done"));
+
+        var context = new ToolExecutionContext("signalr/thread-1", null)
+        {
+            Audience = TrustAudience.Personal.ToWireValue(),
+            Boundary = SecurityPolicyDefaults.TrustedInstanceBoundary,
+            ChannelType = "signalr",
+            SupportsInteractiveApproval = true
+        };
+
+        var firstAttempt = await Assert.ThrowsAsync<ToolApprovalRequiredException>(() =>
+            executor.ExecuteAsync(toolCall, context, TestContext.Current.CancellationToken));
+
+        // Confirm the test setup: a messy command produces empty patterns
+        // and the IsMessy flag.
+        Assert.True(firstAttempt.ApprovalContext.IsMessy);
+        Assert.Empty(firstAttempt.ApprovalContext.Patterns);
+
+        // Simulate ApprovedOnce: SessionToolExecutionPipeline sets the
+        // tool-name and patterns on the context. For messy commands the
+        // patterns list is empty (per ApprovalContext.Patterns above), so
+        // the bypass must rely on tool-name match only.
+        context.OneTimeApprovedToolName = toolCall.Name;
+        context.SetOneTimeApprovedPatterns(firstAttempt.ApprovalContext.Patterns);
+
+        // The retry must succeed without throwing. Output text varies by
+        // environment (bash for-loop expansion); the load-bearing assertion
+        // is the absence of ToolApprovalRequiredException.
+        _ = await executor.ExecuteAsync(toolCall, context, TestContext.Current.CancellationToken);
+
+        // After the per-retry cleanup runs, the bypass is gone and a
+        // subsequent attempt re-prompts.
+        context.OneTimeApprovedToolName = null;
+        context.SetOneTimeApprovedPatterns([]);
+
+        await Assert.ThrowsAsync<ToolApprovalRequiredException>(() =>
+            executor.ExecuteAsync(toolCall, context, TestContext.Current.CancellationToken));
+    }
+
+    private sealed class StubRequiredActor : IRequiredActor<ToolApprovalActorKey>
+    {
+        private readonly IActorRef _actor;
+
+        public StubRequiredActor(IActorRef actor) => _actor = actor;
+
+        public IActorRef ActorRef => _actor;
+
+        public Task<IActorRef> GetAsync(CancellationToken cancellationToken = default)
+            => Task.FromResult(_actor);
+    }
+}
diff --git a/src/Netclaw.Actors.Tests/Tools/ScopedShellSafeVerbPolicyTests.cs b/src/Netclaw.Actors.Tests/Tools/ScopedShellSafeVerbPolicyTests.cs
new file mode 100644
index 00000000..753d48ab
--- /dev/null
+++ b/src/Netclaw.Actors.Tests/Tools/ScopedShellSafeVerbPolicyTests.cs
@@ -0,0 +1,185 @@
+// -----------------------------------------------------------------------
+// <copyright file="ScopedShellSafeVerbPolicyTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Actors.Tools;
+using Netclaw.Configuration;
+using Netclaw.Tools;
+using Xunit;
+
+namespace Netclaw.Actors.Tests.Tools;
+
+public sealed class ScopedShellSafeVerbPolicyTests : IDisposable
+{
+    private readonly string _projectDir;
+    private readonly string _sessionDir;
+    private readonly string _outsideDir;
+
+    public ScopedShellSafeVerbPolicyTests()
+    {
+        _projectDir = CreateTempDir("project");
+        _sessionDir = CreateTempDir("session");
+        _outsideDir = CreateTempDir("outside");
+    }
+
+    public void Dispose()
+    {
+        SafeDelete(_projectDir);
+        SafeDelete(_sessionDir);
+        SafeDelete(_outsideDir);
+    }
+
+    private static string CreateTempDir(string label)
+    {
+        var path = Path.Combine(Path.GetTempPath(), $"netclaw-{label}-{Guid.NewGuid():N}");
+        Directory.CreateDirectory(path);
+        return path;
+    }
+
+    private static void SafeDelete(string path)
+    {
+        if (!Directory.Exists(path))
+            return;
+
+        try
+        {
+            Directory.Delete(path, recursive: true);
+        }
+        catch (Exception ex) when (ex is IOException or UnauthorizedAccessException)
+        {
+            // Cleanup is best-effort — a leftover temp tree from a failed
+            // test run is acceptable, a test crash from a permissions glitch
+            // during teardown is not. Log so an investigator finding the
+            // leftover tree can correlate it back to a specific test run.
+            System.Diagnostics.Debug.WriteLine($"SafeDelete failed for '{path}': {ex.Message}");
+        }
+    }
+
+    private static SafeVerbList VerbList(params string[] verbs)
+        => SafeVerbList.FromVerbs(verbs);
+
+    private ToolExecutionContext PersonalContext(string? projectDir = null, string? sessionDir = null)
+        => new("session-1", sessionDir ?? _sessionDir)
+        {
+            Audience = TrustAudience.Personal.ToWireValue(),
+            ProjectDirectory = projectDir
+        };
+
+    private ToolExecutionContext PublicContext(string? projectDir = null)
+        => new("session-1", _sessionDir)
+        {
+            Audience = TrustAudience.Public.ToWireValue(),
+            ProjectDirectory = projectDir
+        };
+
+    [Fact]
+    public void Safe_verb_in_project_directory_short_circuits()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.True(policy.ShortCircuitsApproval("grep", _projectDir, ctx));
+    }
+
+    [Fact]
+    public void Safe_verb_in_session_directory_short_circuits()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("cat"));
+        var ctx = PersonalContext();
+
+        Assert.True(policy.ShortCircuitsApproval("cat", _sessionDir, ctx));
+    }
+
+    [Fact]
+    public void Safe_verb_outside_safe_spaces_falls_through_to_prompt()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.False(policy.ShortCircuitsApproval("grep", _outsideDir, ctx));
+    }
+
+    [Fact]
+    public void Mutating_verb_in_safe_space_falls_through_to_prompt()
+    {
+        // The verb list deliberately omits "git push"; even with cwd inside
+        // the safe space the policy refuses the short-circuit.
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("git status", "git log"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.False(policy.ShortCircuitsApproval("git push", _projectDir, ctx));
+    }
+
+    [Fact]
+    public void Public_audience_does_not_get_project_directory_safe_space()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep"));
+        // Public has project_dir set (somehow), but it should be ignored.
+        var ctx = PublicContext(projectDir: _projectDir);
+
+        Assert.False(policy.ShortCircuitsApproval("grep", _projectDir, ctx));
+        // Session_dir still works for Public.
+        Assert.True(policy.ShortCircuitsApproval("grep", _sessionDir, ctx));
+    }
+
+    [Fact]
+    public void Symlink_segment_in_cwd_breaks_short_circuit()
+    {
+        // Skip on Windows where directory symlink creation is privilege-gated.
+        if (OperatingSystem.IsWindows())
+            return;
+
+        var leakTarget = CreateTempDir("leak-target");
+        var symlinkPath = Path.Combine(_projectDir, "leak");
+        try
+        {
+            Directory.CreateSymbolicLink(symlinkPath, leakTarget);
+
+            var policy = new ScopedShellSafeVerbPolicy(VerbList("cat"));
+            var ctx = PersonalContext(projectDir: _projectDir);
+
+            Assert.False(policy.ShortCircuitsApproval("cat", symlinkPath, ctx));
+        }
+        finally
+        {
+            SafeDelete(leakTarget);
+        }
+    }
+
+    [Fact]
+    public void All_short_circuit_returns_false_when_any_verb_is_unsafe()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep", "cat"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.False(policy.AllShortCircuit(["grep", "git push"], _projectDir, ctx));
+    }
+
+    [Fact]
+    public void All_short_circuit_returns_true_when_every_verb_is_safe_and_in_space()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep", "cat", "wc"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.True(policy.AllShortCircuit(["grep", "cat", "wc"], _projectDir, ctx));
+    }
+
+    [Fact]
+    public void Empty_candidate_list_does_not_short_circuit()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.False(policy.AllShortCircuit([], _projectDir, ctx));
+    }
+
+    [Fact]
+    public void Null_cwd_does_not_short_circuit()
+    {
+        var policy = new ScopedShellSafeVerbPolicy(VerbList("grep"));
+        var ctx = PersonalContext(projectDir: _projectDir);
+
+        Assert.False(policy.ShortCircuitsApproval("grep", null, ctx));
+    }
+}
diff --git a/src/Netclaw.Actors.Tests/Tools/ShellToolTests.cs b/src/Netclaw.Actors.Tests/Tools/ShellToolTests.cs
index 7b44c108..1b914a2a 100644
--- a/src/Netclaw.Actors.Tests/Tools/ShellToolTests.cs
+++ b/src/Netclaw.Actors.Tests/Tools/ShellToolTests.cs
@@ -112,6 +112,120 @@ public async Task Missing_command_returns_error()
         Assert.Contains("missing", result, StringComparison.OrdinalIgnoreCase);
     }
 
+    // ── Cwd resolution chain: explicit arg → ProjectDirectory → SessionDirectory ──
+
+    [Fact]
+    public async Task Cwd_falls_back_to_project_directory_when_no_explicit_arg()
+    {
+        var projectDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        var sessionDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        Directory.CreateDirectory(projectDir);
+        Directory.CreateDirectory(sessionDir);
+        try
+        {
+            var context = new ToolExecutionContext("session-1", sessionDir) { ProjectDirectory = projectDir };
+            var args = ToolInput.Create("Command", OperatingSystem.IsWindows() ? "cd" : "pwd");
+
+            var result = await _tool.ExecuteAsync(args, context, CancellationToken.None);
+
+            Assert.Contains("Exit code: 0", result);
+            var resolved = projectDir.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            Assert.Contains(resolved, result, StringComparison.OrdinalIgnoreCase);
+        }
+        finally
+        {
+            if (Directory.Exists(projectDir)) Directory.Delete(projectDir, recursive: true);
+            if (Directory.Exists(sessionDir)) Directory.Delete(sessionDir, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task Cwd_falls_back_to_session_directory_when_project_directory_null()
+    {
+        var sessionDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        Directory.CreateDirectory(sessionDir);
+        try
+        {
+            var context = new ToolExecutionContext("session-1", sessionDir);
+            // ProjectDirectory not set
+            var args = ToolInput.Create("Command", OperatingSystem.IsWindows() ? "cd" : "pwd");
+
+            var result = await _tool.ExecuteAsync(args, context, CancellationToken.None);
+
+            Assert.Contains("Exit code: 0", result);
+            var resolved = sessionDir.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            Assert.Contains(resolved, result, StringComparison.OrdinalIgnoreCase);
+        }
+        finally
+        {
+            if (Directory.Exists(sessionDir)) Directory.Delete(sessionDir, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task Cwd_explicit_arg_overrides_project_and_session_directories()
+    {
+        var explicitDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        var projectDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        var sessionDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        Directory.CreateDirectory(explicitDir);
+        Directory.CreateDirectory(projectDir);
+        Directory.CreateDirectory(sessionDir);
+        try
+        {
+            var context = new ToolExecutionContext("session-1", sessionDir) { ProjectDirectory = projectDir };
+            var args = ToolInput.Create(
+                "Command", OperatingSystem.IsWindows() ? "cd" : "pwd",
+                "WorkingDirectory", explicitDir);
+
+            var result = await _tool.ExecuteAsync(args, context, CancellationToken.None);
+
+            Assert.Contains("Exit code: 0", result);
+            var resolved = explicitDir.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            Assert.Contains(resolved, result, StringComparison.OrdinalIgnoreCase);
+        }
+        finally
+        {
+            if (Directory.Exists(explicitDir)) Directory.Delete(explicitDir, recursive: true);
+            if (Directory.Exists(projectDir)) Directory.Delete(projectDir, recursive: true);
+            if (Directory.Exists(sessionDir)) Directory.Delete(sessionDir, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task Cwd_does_not_inherit_daemon_process_directory()
+    {
+        var sessionDir = Path.GetFullPath(Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N")));
+        Directory.CreateDirectory(sessionDir);
+        try
+        {
+            // The daemon's cwd is wherever this test process is running. We
+            // assert the resolved cwd is the session dir, not whatever
+            // Environment.CurrentDirectory happens to be — proving the
+            // ProcessStartInfo default-fall-through is gone.
+            var context = new ToolExecutionContext("session-1", sessionDir);
+            var args = ToolInput.Create("Command", OperatingSystem.IsWindows() ? "cd" : "pwd");
+
+            var result = await _tool.ExecuteAsync(args, context, CancellationToken.None);
+
+            Assert.Contains("Exit code: 0", result);
+            var sessionResolved = sessionDir.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            Assert.Contains(sessionResolved, result, StringComparison.OrdinalIgnoreCase);
+
+            var daemonCwd = Path.GetFullPath(Environment.CurrentDirectory).TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            if (!string.Equals(daemonCwd, sessionResolved, StringComparison.OrdinalIgnoreCase))
+            {
+                // Only assert non-inheritance when the daemon cwd is distinct
+                // from the session dir; otherwise the test is vacuous.
+                Assert.DoesNotContain($"\n{daemonCwd}\n", result);
+            }
+        }
+        finally
+        {
+            if (Directory.Exists(sessionDir)) Directory.Delete(sessionDir, recursive: true);
+        }
+    }
+
     [Fact]
     public async Task Null_arguments_returns_error()
     {
diff --git a/src/Netclaw.Actors.Tests/Tools/ToolApprovalActorTests.cs b/src/Netclaw.Actors.Tests/Tools/ToolApprovalActorTests.cs
index 7b82c62b..4005d2b2 100644
--- a/src/Netclaw.Actors.Tests/Tools/ToolApprovalActorTests.cs
+++ b/src/Netclaw.Actors.Tests/Tools/ToolApprovalActorTests.cs
@@ -42,8 +42,8 @@ public async Task Session_approval_is_found()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct);
 
         Assert.Empty(unapproved);
     }
@@ -55,7 +55,7 @@ public async Task Unapproved_pattern_not_found()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct);
 
         Assert.Equal(["git push"], unapproved);
     }
@@ -67,10 +67,10 @@ public async Task Per_audience_isolation()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
-        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
-        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Team, new ToolName("shell_execute"), ["git push"], ct));
+        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
+        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Team, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
     }
 
     [Fact]
@@ -80,10 +80,10 @@ public async Task Per_tool_isolation()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
-        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
-        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("file_write"), ["git push"], ct));
+        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
+        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("file_write"), ["git push"], cwd: null, ct));
     }
 
     [Fact]
@@ -93,11 +93,11 @@ public async Task Single_token_approval_requires_exact_match()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["gh"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["gh"], persistent: false, cwd: null, ct);
 
         // Single-token "gh" should NOT match "gh pr" — prevents approving
         // "gh --help" from also approving "gh pr create"
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["gh pr"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["gh pr"], cwd: null, ct);
         Assert.Equal(["gh pr"], unapproved);
     }
 
@@ -108,9 +108,9 @@ public async Task Shell_exact_approval_does_not_prefix_match()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push origin"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push origin"], cwd: null, ct);
         Assert.Equal(["git push origin"], unapproved);
     }
 
@@ -124,13 +124,14 @@ public async Task Shell_directory_root_approval_covers_other_verbs_under_same_ro
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), [approvedRoot], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), [approvedRoot], persistent: false, cwd: null, ct);
 
         Assert.Empty(await service.GetUnapprovedPatternsAsync(
             "session-a",
             TrustAudience.Personal,
             new ToolName("shell_execute"),
             [approvedRoot],
+            cwd: null,
             ct));
     }
 
@@ -142,13 +143,14 @@ public async Task Shell_directory_root_approval_requires_all_roots_to_be_covered
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), [approvedRoot], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), [approvedRoot], persistent: false, cwd: null, ct);
 
         var unapproved = await service.GetUnapprovedPatternsAsync(
             "session-a",
             TrustAudience.Personal,
             new ToolName("shell_execute"),
             [approvedRoot, otherRoot],
+            cwd: null,
             ct);
 
         Assert.Equal([expectedUnapproved], unapproved);
@@ -165,13 +167,13 @@ public async Task Persistent_approval_survives_new_service_instance()
             var actor = Sys.ActorOf(ToolApprovalActor.CreateProps(store));
             var service = CreateService(actor);
 
-            await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: true, ct);
+            await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: true, cwd: null, ct);
 
-            Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
+            Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
 
             var actor2 = Sys.ActorOf(ToolApprovalActor.CreateProps(store));
             var service2 = CreateService(actor2);
-            Assert.Empty(await service2.GetUnapprovedPatternsAsync("different-session", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
+            Assert.Empty(await service2.GetUnapprovedPatternsAsync("different-session", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
         }
         finally
         {
@@ -193,8 +195,8 @@ public async Task Approval_match_follows_host_filesystem_case_rules()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["Git Push"], persistent: false, ct);
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["Git Push"], persistent: false, cwd: null, ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct);
 
         if (OperatingSystem.IsWindows())
             Assert.Empty(unapproved);
@@ -209,10 +211,10 @@ public async Task Session_approvals_do_not_leak_across_sessions()
         var actor = Sys.ActorOf(ToolApprovalActor.CreateProps());
         var service = CreateService(actor);
 
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
-        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
-        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-b", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
+        Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
+        Assert.Equal(["git push"], await service.GetUnapprovedPatternsAsync("session-b", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
     }
 
     [Fact]
@@ -226,13 +228,13 @@ public async Task Non_persistent_approval_is_session_scoped_only()
             var actor = Sys.ActorOf(ToolApprovalActor.CreateProps(store));
             var service = CreateService(actor);
 
-            await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+            await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
-            Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
+            Assert.Empty(await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
 
             var actor2 = Sys.ActorOf(ToolApprovalActor.CreateProps(store));
             var service2 = CreateService(actor2);
-            Assert.Equal(["git push"], await service2.GetUnapprovedPatternsAsync("different-session", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct));
+            Assert.Equal(["git push"], await service2.GetUnapprovedPatternsAsync("different-session", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct));
         }
         finally
         {
@@ -248,11 +250,11 @@ public async Task SubAgent_inherits_parent_session_approval()
         var service = CreateService(actor);
 
         // Parent session approves "git push"
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
         // Sub-agent queries with hierarchical scope ID — should inherit parent approval
         var subAgentScope = "session-a/subagent/researcher/abc123";
-        var unapproved = await service.GetUnapprovedPatternsAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct);
 
         Assert.Empty(unapproved);
     }
@@ -266,10 +268,10 @@ public async Task SubAgent_approval_does_not_leak_upward()
 
         // Sub-agent records its own approval
         var subAgentScope = "session-a/subagent/researcher/abc123";
-        await service.RecordApprovalAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["curl"], persistent: false, ct);
+        await service.RecordApprovalAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["curl"], persistent: false, cwd: null, ct);
 
         // Parent session should NOT see sub-agent's approval
-        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["curl"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["curl"], cwd: null, ct);
         Assert.Equal(["curl"], unapproved);
     }
 
@@ -281,11 +283,11 @@ public async Task Nested_subagent_inherits_through_chain()
         var service = CreateService(actor);
 
         // Parent session approves "git status"
-        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git status"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-a", TrustAudience.Personal, new ToolName("shell_execute"), ["git status"], persistent: false, cwd: null, ct);
 
         // Nested sub-agent (sub-agent spawned by sub-agent) should still inherit
         var nestedScope = "session-a/subagent/orchestrator/def456/subagent/worker/ghi789";
-        var unapproved = await service.GetUnapprovedPatternsAsync(nestedScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git status"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync(nestedScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git status"], cwd: null, ct);
 
         Assert.Empty(unapproved);
     }
@@ -298,11 +300,11 @@ public async Task SubAgent_does_not_inherit_from_unrelated_session()
         var service = CreateService(actor);
 
         // Session B approves "git push"
-        await service.RecordApprovalAsync("session-b", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, ct);
+        await service.RecordApprovalAsync("session-b", TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], persistent: false, cwd: null, ct);
 
         // Sub-agent of session A should NOT inherit session B's approval
         var subAgentScope = "session-a/subagent/researcher/abc123";
-        var unapproved = await service.GetUnapprovedPatternsAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], ct);
+        var unapproved = await service.GetUnapprovedPatternsAsync(subAgentScope, TrustAudience.Personal, new ToolName("shell_execute"), ["git push"], cwd: null, ct);
 
         Assert.Equal(["git push"], unapproved);
     }
diff --git a/src/Netclaw.Actors.Tests/Tools/ToolApprovalGateTests.cs b/src/Netclaw.Actors.Tests/Tools/ToolApprovalGateTests.cs
index 7b323e86..57a18453 100644
--- a/src/Netclaw.Actors.Tests/Tools/ToolApprovalGateTests.cs
+++ b/src/Netclaw.Actors.Tests/Tools/ToolApprovalGateTests.cs
@@ -757,10 +757,10 @@ private sealed class FakeShellTrustZonePolicy : IShellTrustZonePolicy
         public IReadOnlyList<string> GetTrustZoneRoots(ToolExecutionContext context) => _roots;
     }
 
-    // ── Directory-root shell approvals ──
+    // ── v2 candidate-verb extraction (replaces v1 directory-root extraction) ──
 
     [Fact]
-    public void Shell_path_command_populates_directory_roots_and_root_entries()
+    public void Shell_path_command_extracts_path_aware_verb_chain_with_no_directory_roots()
     {
         var policy = CreatePolicy(ToolApprovalMode.Approval);
         var args = ToolInput.Create("Command", "cat /home/user/.netclaw/logs/crash.log");
@@ -769,13 +769,22 @@ public void Shell_path_command_populates_directory_roots_and_root_entries()
 
         Assert.True(decision.NeedsApproval);
         Assert.NotNull(decision.ApprovalContext);
-        Assert.NotEmpty(decision.ApprovalContext!.DirectoryRoots);
-        Assert.Contains("/home/user/.netclaw/logs/", decision.ApprovalContext.DirectoryRoots.Select(p => p.Replace('\\', '/')));
-        Assert.Contains("/home/user/.netclaw/logs/", decision.ApprovalContext.ApprovalEntries.Select(p => p.Replace('\\', '/')));
+        // Under v2.1 path-extraction, the verb chain is the command head
+        // only; the path is captured separately as the candidate's
+        // directory (with the file-parent rule reducing the leaf file to
+        // its parent directory).
+        Assert.Contains("cat", decision.ApprovalContext!.CandidateVerbs);
+        Assert.NotNull(decision.ApprovalContext.Candidates);
+        var candidate = Assert.Single(decision.ApprovalContext.Candidates!);
+        Assert.Equal("cat", candidate.Verb);
+        Assert.NotNull(candidate.Directory);
+        Assert.Equal(
+            "/home/user/.netclaw/logs",
+            candidate.Directory!.Replace('\\', '/'));
     }
 
     [Fact]
-    public void Shell_path_command_uses_fixed_labels_with_root_in_directory_roots()
+    public void Shell_path_command_uses_fixed_labels()
     {
         var policy = CreatePolicy(ToolApprovalMode.Approval);
         var args = ToolInput.Create("Command", "grep 'error' /home/user/.netclaw/logs/app.log");
@@ -788,9 +797,6 @@ public void Shell_path_command_uses_fixed_labels_with_root_in_directory_roots()
         var alwaysOption = options.Single(o => o.Key == ApprovalOptionKeys.ApproveAlways);
         Assert.Equal(ApprovalOptionKeys.ApproveSessionLabel, sessionOption.Label);
         Assert.Equal(ApprovalOptionKeys.ApproveAlwaysLabel, alwaysOption.Label);
-        // Directory scope is preserved on the context for the channel adapter
-        // to render in the message body.
-        Assert.NotEmpty(decision.ApprovalContext.DirectoryRoots);
     }
 
     [Fact]
@@ -805,11 +811,10 @@ public void Shell_multi_root_command_uses_fixed_labels()
         var options = decision.ApprovalContext!.Options;
         Assert.Equal(ApprovalOptionKeys.ApproveSessionLabel, options.Single(o => o.Key == ApprovalOptionKeys.ApproveSession).Label);
         Assert.Equal(ApprovalOptionKeys.ApproveAlwaysLabel, options.Single(o => o.Key == ApprovalOptionKeys.ApproveAlways).Label);
-        Assert.True(decision.ApprovalContext.DirectoryRoots.Count > 1);
     }
 
     [Fact]
-    public void Shell_relative_path_command_records_relative_root_and_absolute_entry()
+    public void Shell_relative_path_command_extracts_verb_chain_without_directory_roots()
     {
         var policy = CreatePolicy(ToolApprovalMode.Approval);
         var root = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"));
@@ -825,15 +830,12 @@ public void Shell_relative_path_command_records_relative_root_and_absolute_entry
             var decision = policy.AuthorizeInvocation(ShellTool(), PersonalContext(), args);
 
             Assert.True(decision.NeedsApproval);
-            // DirectoryRoots keeps the relative display form for channel-body
-            // rendering. ApprovalEntries gets the absolute root because that's
-            // what gets persisted and matched against on retry.
-            Assert.Equal(["logs/"], decision.ApprovalContext!.DirectoryRoots);
-            var absoluteRoot = PathUtility.Normalize(logs) + Path.DirectorySeparatorChar;
-            Assert.Contains(absoluteRoot, decision.ApprovalContext.ApprovalEntries);
-            // Button labels are fixed regardless of relative/absolute path
-            // form — Slack's 76-char and Discord's 80-char button caps make
-            // dynamic labels structurally unsafe.
+            // Pipelines stay inside one approval unit, so the candidate is
+            // the verb chain of the unit's first command (path-aware
+            // "grep <first-arg>").
+            Assert.Contains(decision.ApprovalContext!.CandidateVerbs, v => v.StartsWith("grep", StringComparison.Ordinal));
+            // Button labels are fixed; Slack's 76-char and Discord's 80-char
+            // button caps make dynamic labels structurally unsafe.
             Assert.Equal(
                 ApprovalOptionKeys.ApproveSessionLabel,
                 decision.ApprovalContext.Options.Single(o => o.Key == ApprovalOptionKeys.ApproveSession).Label);
@@ -848,7 +850,7 @@ public void Shell_relative_path_command_records_relative_root_and_absolute_entry
     }
 
     [Fact]
-    public void Non_path_command_uses_default_labels()
+    public void Non_path_command_extracts_two_token_verb_chain()
     {
         var policy = CreatePolicy(ToolApprovalMode.Approval);
         var args = ToolInput.Create("Command", "git push origin main");
@@ -856,8 +858,8 @@ public void Non_path_command_uses_default_labels()
         var decision = policy.AuthorizeInvocation(ShellTool(), PersonalContext(), args);
 
         Assert.True(decision.NeedsApproval);
-        Assert.Empty(decision.ApprovalContext!.DirectoryRoots);
-        Assert.Equal(["git push origin main"], decision.ApprovalContext.ApprovalEntries);
+        // ExtractVerbChain caps at depth 2, dropping positional arguments.
+        Assert.Equal(["git push"], decision.ApprovalContext!.CandidateVerbs);
         var sessionOption = decision.ApprovalContext.Options.Single(o => o.Key == ApprovalOptionKeys.ApproveSession);
         var alwaysOption = decision.ApprovalContext.Options.Single(o => o.Key == ApprovalOptionKeys.ApproveAlways);
         Assert.Equal(ApprovalOptionKeys.ApproveSessionLabel, sessionOption.Label);
@@ -879,7 +881,6 @@ public void Shell_command_with_long_directory_path_keeps_labels_within_button_ca
 
         Assert.True(decision.NeedsApproval);
         var options = decision.ApprovalContext!.Options;
-        Assert.NotEmpty(decision.ApprovalContext.DirectoryRoots);
         Assert.All(options, option => Assert.True(
             option.Label.Length <= ApprovalOptionKeys.MaxLabelLength,
             $"Option '{option.Key}' label '{option.Label}' is {option.Label.Length} chars; must stay within {ApprovalOptionKeys.MaxLabelLength}."));
diff --git a/src/Netclaw.Actors/Protocol/ApprovalOptionKeys.cs b/src/Netclaw.Actors/Protocol/ApprovalOptionKeys.cs
index 516df117..48a0b162 100644
--- a/src/Netclaw.Actors/Protocol/ApprovalOptionKeys.cs
+++ b/src/Netclaw.Actors/Protocol/ApprovalOptionKeys.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ApprovalOptionKeys.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -11,17 +11,32 @@ namespace Netclaw.Actors.Protocol;
 /// and the chosen key flows back to the session via
 /// <see cref="ToolInteractionResponse.SelectedKey"/>. Renaming a key is a
 /// breaking change to every channel adapter.
+///
+/// The five-button row and its scope semantics:
+/// <list type="bullet">
+/// <item><see cref="ApproveOnce"/> — run this one time only; persist nothing.</item>
+/// <item><see cref="ApproveSession"/> — allow the extracted verbs in the prompt's
+/// directory for the rest of the session, in session-scoped memory only.</item>
+/// <item><see cref="ApproveAlways"/> — persist <c>(verb, prompt's directory)</c>
+/// entries to <c>tool-approvals.json</c>. Folder-scoped grant.</item>
+/// <item><see cref="ApproveEverywhere"/> — persist <c>(verb, null)</c> entries.
+/// Global wildcard. Channel adapters render this as danger styling.</item>
+/// <item><see cref="Deny"/> — refuse this call only; do NOT ban the verb for
+/// future invocations. Channel adapters render this as danger styling.</item>
+/// </list>
 /// </summary>
 public static class ApprovalOptionKeys
 {
     public const string ApproveOnce = "approve_once";
     public const string ApproveSession = "approve_session";
     public const string ApproveAlways = "approve_always";
+    public const string ApproveEverywhere = "approve_everywhere";
     public const string Deny = "deny";
 
-    public const string ApproveOnceLabel = "Approve once";
-    public const string ApproveSessionLabel = "Approve for this chat";
-    public const string ApproveAlwaysLabel = "Approve always";
+    public const string ApproveOnceLabel = "Once";
+    public const string ApproveSessionLabel = "This chat";
+    public const string ApproveAlwaysLabel = "Always here";
+    public const string ApproveEverywhereLabel = "Always anywhere";
     public const string DenyLabel = "Deny";
 
     /// <summary>
@@ -32,4 +47,13 @@ public static class ApprovalOptionKeys
     /// post with <c>invalid_blocks</c>, which then triggers an auto-deny.
     /// </summary>
     public const int MaxLabelLength = 76;
+
+    /// <summary>
+    /// Returns true when the option key represents a "danger"-styled action
+    /// — global-wildcard persistence (<see cref="ApproveEverywhere"/>) and
+    /// hard refusal (<see cref="Deny"/>) both warrant visual emphasis to
+    /// reduce fat-finger risk.
+    /// </summary>
+    public static bool IsDangerStyled(string optionKey)
+        => optionKey is ApproveEverywhere or Deny;
 }
diff --git a/src/Netclaw.Actors/Protocol/SessionOutput.cs b/src/Netclaw.Actors/Protocol/SessionOutput.cs
index 486c7dbc..81c5bec5 100644
--- a/src/Netclaw.Actors/Protocol/SessionOutput.cs
+++ b/src/Netclaw.Actors/Protocol/SessionOutput.cs
@@ -4,6 +4,7 @@
 // </copyright>
 // -----------------------------------------------------------------------
 using Netclaw.Configuration;
+using Netclaw.Security;
 
 namespace Netclaw.Actors.Protocol;
 
@@ -364,17 +365,40 @@ public sealed record ToolInteractionRequest : SessionOutput
     public IReadOnlyList<string> Patterns { get; init; } = [];
 
     /// <summary>
-    /// Entries checked against the accumulated session/persistent approval
-    /// state. For shell commands these are reusable directory roots when local
-    /// roots can be extracted, and exact fallback units otherwise.
+    /// Verb-only projection of <see cref="Candidates"/>. Renderers (Slack,
+    /// Discord) bullet-list these in the prompt body. Persisted approval
+    /// matching uses <see cref="Candidates"/> instead so the directory half
+    /// of each <c>(verb, directory)</c> pair is preserved.
     /// </summary>
-    public IReadOnlyList<string> ApprovalEntries { get; init; } = [];
+    public IReadOnlyList<string> CandidateVerbs { get; init; } = [];
 
     /// <summary>
-    /// Human-visible reusable roots extracted from the current invocation so the
-    /// prompt can explain what broader B/C approvals would cover.
+    /// Per-clause <c>(verb, directory)</c> pairs extracted from this
+    /// invocation. The directory half is the path argument extracted
+    /// from each clause when present, else null (in which case the
+    /// matcher falls back to <see cref="Cwd"/>). The session actor
+    /// reads this on <c>ApprovedAlways</c> so "Always here" persists
+    /// per-clause folder-scoped grants from the actual path arguments
+    /// the agent passed.
     /// </summary>
-    public IReadOnlyList<string> DirectoryRoots { get; init; } = [];
+    public IReadOnlyList<ApprovalCandidate> Candidates { get; init; } = [];
+
+    /// <summary>
+    /// Resolved working directory for this invocation, used by the approval
+    /// gate to evaluate folder-scoped <c>ApprovalEntry</c> records. May be
+    /// null for tools whose approvals are not directory-anchored.
+    /// </summary>
+    public string? Cwd { get; init; }
+
+    /// <summary>
+    /// True when the invocation cannot be cleanly split into verb-chain
+    /// approval units — for shell, when the command contains bash control-flow
+    /// keywords (<c>for</c>/<c>while</c>/<c>do</c>/<c>done</c>/<c>then</c>/
+    /// <c>fi</c>/<c>case</c>/<c>esac</c>) or unbalanced quotes/brackets.
+    /// Channel adapters render only the <c>Once</c>/<c>Deny</c> buttons and
+    /// surface a "complex command" hint when this is true.
+    /// </summary>
+    public bool IsMessy { get; init; }
 
     /// <summary>Available response options (e.g., approve once, approve for this chat, approve always, deny).</summary>
     public required IReadOnlyList<ToolInteractionOption> Options { get; init; }
diff --git a/src/Netclaw.Actors/Protocol/SessionOutputDto.cs b/src/Netclaw.Actors/Protocol/SessionOutputDto.cs
index b4dccd92..c0ae8e6d 100644
--- a/src/Netclaw.Actors/Protocol/SessionOutputDto.cs
+++ b/src/Netclaw.Actors/Protocol/SessionOutputDto.cs
@@ -106,8 +106,9 @@ public sealed record SessionOutputDto
     public string? InteractionDisplayText { get; init; }
     public string? RequesterSenderId { get; init; }
     public List<string>? InteractionPatterns { get; init; }
-    public List<string>? InteractionApprovalEntries { get; init; }
-    public List<string>? InteractionDirectoryRoots { get; init; }
+    public List<string>? InteractionCandidateVerbs { get; init; }
+    public string? InteractionCwd { get; init; }
+    public bool? InteractionIsMessy { get; init; }
     public List<ToolInteractionOption>? InteractionOptions { get; init; }
     public bool? InteractionHasAdoptedContext { get; init; }
     public bool? InteractionHasThirdPartyAdoptedContext { get; init; }
diff --git a/src/Netclaw.Actors/Protocol/SessionOutputDtoMapper.cs b/src/Netclaw.Actors/Protocol/SessionOutputDtoMapper.cs
index 6d49cd77..7ed2b8f5 100644
--- a/src/Netclaw.Actors/Protocol/SessionOutputDtoMapper.cs
+++ b/src/Netclaw.Actors/Protocol/SessionOutputDtoMapper.cs
@@ -179,8 +179,9 @@ public static class SessionOutputDtoMapper
             InteractionDisplayText = msg.DisplayText,
             RequesterSenderId = msg.RequesterSenderId,
             InteractionPatterns = [.. msg.Patterns],
-            InteractionApprovalEntries = [.. msg.ApprovalEntries],
-            InteractionDirectoryRoots = [.. msg.DirectoryRoots],
+            InteractionCandidateVerbs = [.. msg.CandidateVerbs],
+            InteractionCwd = msg.Cwd,
+            InteractionIsMessy = msg.IsMessy,
             InteractionOptions = [.. msg.Options],
             InteractionHasAdoptedContext = msg.HasAdoptedContext,
             InteractionHasThirdPartyAdoptedContext = msg.HasThirdPartyAdoptedContext,
@@ -340,8 +341,9 @@ public static SessionOutput FromDto(SessionOutputDto dto)
                 HasThirdPartyAdoptedContext = dto.InteractionHasThirdPartyAdoptedContext ?? false,
                 AdoptedSpeakerIds = dto.InteractionAdoptedSpeakerIds ?? [],
                 Patterns = dto.InteractionPatterns ?? [],
-                ApprovalEntries = dto.InteractionApprovalEntries ?? [],
-                DirectoryRoots = dto.InteractionDirectoryRoots ?? [],
+                CandidateVerbs = dto.InteractionCandidateVerbs ?? [],
+                Cwd = dto.InteractionCwd,
+                IsMessy = dto.InteractionIsMessy ?? false,
                 Options = dto.InteractionOptions ?? []
             },
             _ => new ErrorOutput
diff --git a/src/Netclaw.Actors/Sessions/IApprovalChannel.cs b/src/Netclaw.Actors/Sessions/IApprovalChannel.cs
index 42c04a06..cb185f2f 100644
--- a/src/Netclaw.Actors/Sessions/IApprovalChannel.cs
+++ b/src/Netclaw.Actors/Sessions/IApprovalChannel.cs
@@ -19,9 +19,22 @@ public enum ApprovalDecision
     /// <summary>Approved for the current session/thread only.</summary>
     ApprovedSession,
 
-    /// <summary>Approved permanently (persisted to tool-approvals.json).</summary>
+    /// <summary>
+    /// Approved persistently with folder scope: writes a
+    /// <c>(verb, prompt's cwd)</c> entry to <c>tool-approvals.json</c>.
+    /// Future invocations of the same verb under the same directory tree
+    /// auto-approve; the same verb in a different cwd still prompts.
+    /// </summary>
     ApprovedAlways,
 
+    /// <summary>
+    /// Approved persistently as a global wildcard: writes a
+    /// <c>(verb, null)</c> entry to <c>tool-approvals.json</c>. Future
+    /// invocations of the same verb in any cwd auto-approve. Used for
+    /// scheduled/unattended tasks where the cwd will vary across firings.
+    /// </summary>
+    ApprovedEverywhere,
+
     /// <summary>User denied the request.</summary>
     Denied,
 
diff --git a/src/Netclaw.Actors/Sessions/LlmSessionActor.cs b/src/Netclaw.Actors/Sessions/LlmSessionActor.cs
index ccb697db..4c10d287 100644
--- a/src/Netclaw.Actors/Sessions/LlmSessionActor.cs
+++ b/src/Netclaw.Actors/Sessions/LlmSessionActor.cs
@@ -780,14 +780,16 @@ private void Processing()
             _pendingToolInteractions[msg.CallId] = new PendingToolInteraction(
                 msg.ToolName,
                 msg.Patterns,
-                msg.ApprovalEntries,
-                msg.DirectoryRoots,
+                msg.CandidateVerbs,
                 CurrentTurnAudience(),
                 msg.RequesterSenderId,
                 msg.RequesterPrincipal,
                 msg.HasAdoptedContext,
                 msg.HasThirdPartyAdoptedContext,
-                msg.AdoptedSpeakerIds);
+                msg.AdoptedSpeakerIds,
+                msg.Cwd,
+                msg.IsMessy,
+                msg.Candidates);
 
             PauseToolExecutionWatchdogForApprovalWait(msg.CallId);
 
@@ -823,21 +825,21 @@ private void Processing()
                 ApprovalOptionKeys.ApproveOnce => ApprovalDecision.ApprovedOnce,
                 ApprovalOptionKeys.ApproveSession => ApprovalDecision.ApprovedSession,
                 ApprovalOptionKeys.ApproveAlways => ApprovalDecision.ApprovedAlways,
+                ApprovalOptionKeys.ApproveEverywhere => ApprovalDecision.ApprovedEverywhere,
                 ApprovalOptionKeys.Deny => ApprovalDecision.Denied,
                 _ => ApprovalDecision.Denied
             };
 
             _log.Info("Approval response for {CallId}: {Decision}", msg.CallId, decision);
 
-            if (decision is ApprovalDecision.ApprovedSession or ApprovalDecision.ApprovedAlways
+            if (decision is ApprovalDecision.ApprovedSession
+                or ApprovalDecision.ApprovedAlways
+                or ApprovalDecision.ApprovedEverywhere
                 && _approvalService is not null)
             {
-                await _approvalService.RecordApprovalAsync(
-                    _sessionId.Value,
-                    pending.Audience,
-                    new ToolName(pending.ToolName),
-                    pending.ApprovalEntries,
-                    persistent: decision == ApprovalDecision.ApprovedAlways,
+                await PersistApprovalCandidatesAsync(
+                    pending,
+                    decision,
                     CancellationToken.None);
             }
 
@@ -1665,13 +1667,21 @@ await self.Ask<IActorRef>(
         if (registry.TryGet<BackgroundJobManagerActorKey>(out var mgr))
             bgJobManager = mgr;
 
+        // Pre-compute set_working_directory exposure once per dispatch so the
+        // pipeline's deny-path hint logic can run without a policy lookup.
+        // The hint is suppressed for audiences that cannot call the tool
+        // (Public, audience profiles that explicitly drop it).
+        var setWorkingDirectoryAvailable = IsSetWorkingDirectoryAvailable();
+
         _ = SessionToolExecutionPipeline.ExecuteToolsAsync(executor, toolCalls, sessionId, _currentTurnSource, auditLogger, tp, sessionDir, maxInlineToolResultChars, toolExecutionTimeout, self, emitSubAgentOutput, spawnChildActor,
             approvalChannel: _approvalChannel,
             emitApprovalRequest: request => self.Tell(request),
             approvalTimeout: Timeout.InfiniteTimeSpan,
             maxToolTimeoutSeconds: _toolAccessPolicy?.MaxToolTimeoutSeconds ?? 600,
             shellTimeoutSeconds: _toolAccessPolicy?.ShellTimeoutSeconds ?? 60,
-            backgroundJobManager: bgJobManager);
+            backgroundJobManager: bgJobManager,
+            projectDirectory: _state.WorkingContext.ProjectDirectory,
+            setWorkingDirectoryAvailable: setWorkingDirectoryAvailable);
     }
 
     private void HandleTextResponse(
@@ -2481,6 +2491,23 @@ private IReadOnlyList<AITool> ResolveExposedToolsForCurrentTurn()
         return _toolAccessPolicy.FilterExposedTools(_availableTools, _fullRegistry, _currentTrustContext);
     }
 
+    /// <summary>
+    /// Returns true when <c>set_working_directory</c> is exposed to the
+    /// current turn's audience profile. Used by the deny-path hint logic in
+    /// <see cref="SessionToolExecutionPipeline"/>: the hint points the agent
+    /// at the tool, so emitting it on a Public-audience turn that cannot call
+    /// the tool would be misleading.
+    /// </summary>
+    private bool IsSetWorkingDirectoryAvailable()
+    {
+        if (_toolAccessPolicy is null || _fullRegistry is null)
+            return false;
+
+        var registration = _fullRegistry.GetRegistrationByToolName(SetWorkingDirectoryTool.ToolName);
+        return registration is not null
+               && _toolAccessPolicy.IsToolExposed(registration, _currentTrustContext);
+    }
+
 
     private static readonly string SkillHintText =
         "[skill-hint] Before answering any technical or knowledge question, scan [available-skills] for a relevant skill and call skill_load(name=\"...\"). " +
@@ -3084,14 +3111,149 @@ private void EmitOutput(SessionOutput output, OutputFilter requiredFlag = Output
     private sealed record PendingToolInteraction(
         string ToolName,
         IReadOnlyList<string> Patterns,
-        IReadOnlyList<string> ApprovalEntries,
-        IReadOnlyList<string> DirectoryRoots,
+        IReadOnlyList<string> CandidateVerbs,
         TrustAudience Audience,
         string? RequesterSenderId,
         PrincipalClassification? RequesterPrincipal,
         bool HasAdoptedContext,
         bool HasThirdPartyAdoptedContext,
-        IReadOnlyList<string> AdoptedSpeakerIds);
+        IReadOnlyList<string> AdoptedSpeakerIds,
+        string? Cwd,
+        bool IsMessy,
+        // Per-clause (verb, directory) pairs preserved across the pause-
+        // for-approval round trip so the persistence path on
+        // ApprovedAlways can write per-clause folder-scoped grants from
+        // the path arguments the agent originally passed, rather than
+        // collapsing everything to cwd. Empty list when the request did
+        // not carry candidate-level data (e.g. older callers).
+        IReadOnlyList<ApprovalCandidate> Candidates);
+
+    private async Task PersistApprovalCandidatesAsync(
+        PendingToolInteraction pending,
+        ApprovalDecision decision,
+        CancellationToken ct)
+    {
+        if (_approvalService is null)
+            return;
+
+        var persistent = decision is ApprovalDecision.ApprovedAlways
+            or ApprovalDecision.ApprovedEverywhere;
+        var globalWildcard = decision == ApprovalDecision.ApprovedEverywhere;
+
+        // Prefer per-clause Candidates so we can use each clause's extracted
+        // path argument as the directory half. Fall back to the verb-only
+        // CandidateVerbs list for older callers (or non-shell tools whose
+        // matcher doesn't populate Candidates).
+        if (pending.Candidates.Count == 0)
+        {
+            var fallbackCwd = globalWildcard ? null : pending.Cwd;
+            await _approvalService.RecordApprovalAsync(
+                _sessionId.Value,
+                pending.Audience,
+                new ToolName(pending.ToolName),
+                pending.CandidateVerbs,
+                persistent,
+                fallbackCwd,
+                ct);
+            return;
+        }
+
+        // Group candidates by their effective directory so we make one
+        // RecordApprovalAsync call per (audience, tool, directory) bucket
+        // rather than one per verb. Side-effect-only clauses are dropped
+        // before grouping — they're authorized for the current call by
+        // the decision but persistence is suppressed.
+        // Key is string.Empty for the null-directory (global wildcard) bucket;
+        // mapped back to null when calling the persistence layer below.
+        var grouping = new Dictionary<string, List<string>>(StringComparer.Ordinal);
+
+        // Resolve session_dir for the session-scratch persistence guard.
+        // Folder-scoped grants whose effective directory equals the
+        // ephemeral session_dir are dead-on-arrival — the next session
+        // starts with a fresh session_dir, so the saved entry could never
+        // match again. The prompt already hides Always here in this case
+        // (see ToolAccessPolicy.AllCandidatesResolveToSessionScratch); we
+        // re-check at persistence time as belt-and-suspenders so a stale
+        // request or a partial mix of session-scratch and real-path
+        // candidates can't silently drop dead entries into the store.
+        var sessionDirectory = GetSessionDirectory();
+
+        foreach (var candidate in pending.Candidates)
+        {
+            if (ApprovalPatternMatching.IsPureSideEffect(candidate))
+                continue;
+
+            string? effectiveDirectory;
+            if (globalWildcard)
+            {
+                effectiveDirectory = null;
+            }
+            else
+            {
+                effectiveDirectory = candidate.Directory ?? pending.Cwd;
+            }
+
+            if (effectiveDirectory is not null
+                && sessionDirectory is not null
+                && IsSessionScratchDirectory(effectiveDirectory, sessionDirectory))
+            {
+                continue;
+            }
+
+            if (!grouping.TryGetValue(effectiveDirectory ?? string.Empty, out var verbs))
+            {
+                verbs = [];
+                grouping[effectiveDirectory ?? string.Empty] = verbs;
+            }
+
+            if (!verbs.Contains(candidate.Verb, StringComparer.OrdinalIgnoreCase))
+                verbs.Add(candidate.Verb);
+        }
+
+        foreach (var (key, verbs) in grouping)
+        {
+            if (verbs.Count == 0)
+                continue;
+
+            // Re-derive null vs concrete directory: the dictionary key was
+            // string.Empty for null to satisfy the comparer; map back here.
+            var directory = string.IsNullOrEmpty(key) ? null : key;
+
+            await _approvalService.RecordApprovalAsync(
+                _sessionId.Value,
+                pending.Audience,
+                new ToolName(pending.ToolName),
+                verbs,
+                persistent,
+                directory,
+                ct);
+        }
+    }
+
+    /// <summary>
+    /// Returns true when <paramref name="effectiveDirectory"/> is the same
+    /// path as <paramref name="sessionDirectory"/>. Used by the persistence
+    /// guard to skip dead-on-arrival folder-scoped grants whose directory
+    /// matches the session's ephemeral scratch dir.
+    /// </summary>
+    private static bool IsSessionScratchDirectory(string effectiveDirectory, string sessionDirectory)
+    {
+        try
+        {
+            var fullA = Path.GetFullPath(effectiveDirectory)
+                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            var fullB = Path.GetFullPath(sessionDirectory)
+                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            var comparison = OperatingSystem.IsWindows()
+                ? StringComparison.OrdinalIgnoreCase
+                : StringComparison.Ordinal;
+            return string.Equals(fullA, fullB, comparison);
+        }
+        catch (Exception ex) when (ex is ArgumentException or NotSupportedException or System.Security.SecurityException)
+        {
+            return false;
+        }
+    }
 
     private void PersistAdoptedContextIfNeeded(MessageSource? source)
     {
diff --git a/src/Netclaw.Actors/Sessions/ParentSessionApprovalBridge.cs b/src/Netclaw.Actors/Sessions/ParentSessionApprovalBridge.cs
index 3036afc4..2e483cb0 100644
--- a/src/Netclaw.Actors/Sessions/ParentSessionApprovalBridge.cs
+++ b/src/Netclaw.Actors/Sessions/ParentSessionApprovalBridge.cs
@@ -50,8 +50,8 @@ public async Task<ParentApprovalDecision> RequestApprovalAsync(
         string toolName,
         string displayText,
         IReadOnlyList<string> patterns,
-        IReadOnlyList<string> approvalEntries,
-        IReadOnlyList<string> directoryRoots,
+        IReadOnlyList<string> candidateVerbs,
+        bool isMessy,
         CancellationToken ct)
     {
         var waitTask = _channel.WaitForApprovalAsync(callId, Timeout.InfiniteTimeSpan, ct);
@@ -68,8 +68,8 @@ public async Task<ParentApprovalDecision> RequestApprovalAsync(
             RequesterSenderId = _requesterSenderId,
             RequesterPrincipal = _requesterPrincipal,
             Patterns = patterns,
-            ApprovalEntries = approvalEntries,
-            DirectoryRoots = directoryRoots,
+            CandidateVerbs = candidateVerbs,
+            IsMessy = isMessy,
             HasAdoptedContext = _hasAdoptedContext,
             HasThirdPartyAdoptedContext = _hasThirdPartyAdoptedContext,
             AdoptedSpeakerIds = _adoptedSpeakerIds,
@@ -90,6 +90,7 @@ public async Task<ParentApprovalDecision> RequestApprovalAsync(
             ApprovalDecision.ApprovedOnce => ParentApprovalDecision.ApprovedOnce,
             ApprovalDecision.ApprovedSession => ParentApprovalDecision.ApprovedSession,
             ApprovalDecision.ApprovedAlways => ParentApprovalDecision.ApprovedAlways,
+            ApprovalDecision.ApprovedEverywhere => ParentApprovalDecision.ApprovedEverywhere,
             ApprovalDecision.TimedOut => ParentApprovalDecision.TimedOut,
             _ => ParentApprovalDecision.Denied
         };
diff --git a/src/Netclaw.Actors/Sessions/Pipelines/SessionToolExecutionPipeline.cs b/src/Netclaw.Actors/Sessions/Pipelines/SessionToolExecutionPipeline.cs
index 03786cb3..8d0a86dd 100644
--- a/src/Netclaw.Actors/Sessions/Pipelines/SessionToolExecutionPipeline.cs
+++ b/src/Netclaw.Actors/Sessions/Pipelines/SessionToolExecutionPipeline.cs
@@ -52,7 +52,9 @@ public static async Task ExecuteToolsAsync(
         int maxToolTimeoutSeconds = 600,
         ILogger? logger = null,
         int shellTimeoutSeconds = 60,
-        IActorRef? backgroundJobManager = null)
+        IActorRef? backgroundJobManager = null,
+        string? projectDirectory = null,
+        bool setWorkingDirectoryAvailable = false)
     {
         try
         {
@@ -72,11 +74,13 @@ public static async Task ExecuteToolsAsync(
                 CancellationToken.None,
                 approvalChannel,
                 emitApprovalRequest,
-                approvalTimeout ?? TimeSpan.FromMinutes(5),
+                approvalTimeout ?? Timeout.InfiniteTimeSpan,
                 maxToolTimeoutSeconds,
                 logger,
                 shellTimeoutSeconds,
-                backgroundJobManager));
+                backgroundJobManager,
+                projectDirectory,
+                setWorkingDirectoryAvailable));
             var results = await Task.WhenAll(tasks);
 
             var fileAttachments = results.SelectMany(r => r.FileAttachments).ToList();
@@ -126,7 +130,9 @@ public static async Task<ToolCallResult> ExecuteSingleToolAsync(
         int maxToolTimeoutSeconds = 600,
         ILogger? logger = null,
         int shellTimeoutSeconds = 60,
-        IActorRef? backgroundJobManager = null)
+        IActorRef? backgroundJobManager = null,
+        string? projectDirectory = null,
+        bool setWorkingDirectoryAvailable = false)
     {
         var (meta, cleanedTc) = ToolCallMetaExtractor.Extract(tc);
         tc = cleanedTc;
@@ -139,7 +145,7 @@ public static async Task<ToolCallResult> ExecuteSingleToolAsync(
 
         var sw = Stopwatch.StartNew();
         string resultText;
-        var context = BuildToolExecutionContext(sessionId, source, sessionDir, spawnChildActor);
+        var context = BuildToolExecutionContext(sessionId, source, sessionDir, spawnChildActor, projectDirectory);
         context.RequestedTimeoutSeconds = (int)timeout.TotalSeconds;
         if (approvalChannel is not null && emitApprovalRequest is not null)
         {
@@ -286,8 +292,10 @@ public static async Task<ToolCallResult> ExecuteSingleToolAsync(
                 AdoptedSpeakerIds = source?.AdoptedSpeakerIds ?? [],
                 PersistedAdoptedContext = source?.HasAdoptedContext ?? false,
                 Patterns = ctx.Patterns,
-                ApprovalEntries = ctx.ApprovalEntries,
-                DirectoryRoots = ctx.DirectoryRoots,
+                CandidateVerbs = ctx.CandidateVerbs,
+                Candidates = ctx.Candidates ?? [],
+                Cwd = ctx.Cwd,
+                IsMessy = ctx.IsMessy,
                 Options = ctx.Options
                     .Select(o => new ToolInteractionOption(o.Key, o.Label))
                     .ToList()
@@ -297,7 +305,10 @@ public static async Task<ToolCallResult> ExecuteSingleToolAsync(
 
             sw.Stop();
 
-            if (decision is ApprovalDecision.ApprovedOnce or ApprovalDecision.ApprovedSession or ApprovalDecision.ApprovedAlways)
+            if (decision is ApprovalDecision.ApprovedOnce
+                or ApprovalDecision.ApprovedSession
+                or ApprovalDecision.ApprovedAlways
+                or ApprovalDecision.ApprovedEverywhere)
             {
                 // Retry execution now that approval is granted
                 // (Approve-once is retried through transient context state; broader scopes
@@ -340,7 +351,21 @@ public static async Task<ToolCallResult> ExecuteSingleToolAsync(
                 var reason = decision == ApprovalDecision.TimedOut
                     ? "Tool access denied: approval_timed_out"
                     : $"Tool access denied: approval_denied_by_user ({tc.Name} requires interactive approval and the user declined it)";
-                resultText = reason;
+
+                // When a shell call is denied because its cwd is outside both
+                // session_dir and project_dir, surface a one-line hint pointing
+                // the agent at set_working_directory so it can self-correct on
+                // the next turn rather than re-prompting the user. Suppressed
+                // for non-shell tools, timeouts, hard-deny paths, and
+                // audiences that can't call set_working_directory.
+                var hint = BuildSetWorkingDirectoryHint(
+                    toolName: tc.Name,
+                    decision: decision,
+                    cwd: context.Cwd,
+                    sessionDirectory: context.SessionDirectory,
+                    projectDirectory: context.ProjectDirectory,
+                    setWorkingDirectoryAvailable: setWorkingDirectoryAvailable);
+                resultText = string.IsNullOrEmpty(hint) ? reason : $"{reason}\n{hint}";
 
                 // Denied audit entries should describe the exact blocked units
                 // the user saw in the prompt. Broader reusable approval entries
@@ -610,7 +635,8 @@ private static ToolExecutionContext BuildToolExecutionContext(
         SessionId sessionId,
         MessageSource? source,
         string sessionDir,
-        Func<object, string, CancellationToken, Task<object>> spawnChildActor)
+        Func<object, string, CancellationToken, Task<object>> spawnChildActor,
+        string? projectDirectory)
     {
         var context = new ToolExecutionContext(sessionId.Value, sessionDir);
         context.Audience = source is null ? null : source.Audience.ToWireValue();
@@ -618,6 +644,7 @@ private static ToolExecutionContext BuildToolExecutionContext(
         context.ChannelType = source is null ? null : source.ChannelType.ToWireValue();
         context.SupportsInteractiveApproval = source?.ChannelType.SupportsInteractiveApproval();
         context.SpawnChildActor = spawnChildActor;
+        context.ProjectDirectory = projectDirectory;
         return context;
     }
 
@@ -650,4 +677,58 @@ public static string ClampToolResult(string resultText, int maxInlineToolResultC
         return resultText[..maxInlineToolResultChars]
                + $"\n[tool result truncated: omitted {omittedChars} chars to protect context window]";
     }
+
+    /// <summary>
+    /// Returns a one-line agent-facing hint pointing at <c>set_working_directory</c>
+    /// when a shell call was denied specifically because its cwd is outside
+    /// both <see cref="ToolExecutionContext.SessionDirectory"/> and
+    /// <see cref="ToolExecutionContext.ProjectDirectory"/>. Empty for any
+    /// other denial path so hard-deny refusals, timeouts, and unrelated
+    /// approval declines do not get misleading "use set_working_directory"
+    /// guidance.
+    /// </summary>
+    internal static string BuildSetWorkingDirectoryHint(
+        string toolName,
+        ApprovalDecision decision,
+        string? cwd,
+        string? sessionDirectory,
+        string? projectDirectory,
+        bool setWorkingDirectoryAvailable)
+    {
+        if (!setWorkingDirectoryAvailable)
+            return string.Empty;
+
+        if (decision != ApprovalDecision.Denied)
+            return string.Empty;
+
+        if (!string.Equals(toolName, Tools.ShellTool.ToolName, StringComparison.Ordinal))
+            return string.Empty;
+
+        if (string.IsNullOrWhiteSpace(cwd))
+            return string.Empty;
+
+        // Already inside a safe space — denial was for a different reason.
+        if (IsCwdInsideSafeSpace(cwd, sessionDirectory)
+            || IsCwdInsideSafeSpace(cwd, projectDirectory))
+        {
+            return string.Empty;
+        }
+
+        return $"Hint: '{cwd}' is outside the session's trusted scope. Call set_working_directory \"{cwd}\" first, then retry — that brings the directory into your trusted scope so the approval policy can reason about it.";
+    }
+
+    private static bool IsCwdInsideSafeSpace(string cwd, string? safeSpace)
+    {
+        if (string.IsNullOrWhiteSpace(safeSpace))
+            return false;
+
+        try
+        {
+            return Netclaw.Security.PathUtility.IsWithinRoot(cwd, safeSpace);
+        }
+        catch (Exception ex) when (ex is ArgumentException or IOException)
+        {
+            return false;
+        }
+    }
 }
diff --git a/src/Netclaw.Actors/SubAgents/SubAgentActor.cs b/src/Netclaw.Actors/SubAgents/SubAgentActor.cs
index 3f8017ed..68909ee8 100644
--- a/src/Netclaw.Actors/SubAgents/SubAgentActor.cs
+++ b/src/Netclaw.Actors/SubAgents/SubAgentActor.cs
@@ -426,13 +426,14 @@ private static async Task ExecuteToolsAsync(
                         ctx.ToolName,
                         ctx.DisplayText,
                         ctx.Patterns,
-                        ctx.ApprovalEntries,
-                        ctx.DirectoryRoots,
+                        ctx.CandidateVerbs,
+                        ctx.IsMessy,
                         ct);
 
                     if (decision is ParentApprovalDecision.ApprovedOnce
                         or ParentApprovalDecision.ApprovedSession
-                        or ParentApprovalDecision.ApprovedAlways)
+                        or ParentApprovalDecision.ApprovedAlways
+                        or ParentApprovalDecision.ApprovedEverywhere)
                     {
                         // The immediate retry needs a transient grant even for session/always
                         // approvals because the sub-agent's scope ID differs from the parent
diff --git a/src/Netclaw.Actors/Tools/AkkaToolApprovalService.cs b/src/Netclaw.Actors/Tools/AkkaToolApprovalService.cs
index 6125f12d..589da485 100644
--- a/src/Netclaw.Actors/Tools/AkkaToolApprovalService.cs
+++ b/src/Netclaw.Actors/Tools/AkkaToolApprovalService.cs
@@ -27,11 +27,12 @@ public async Task<IReadOnlyList<string>> GetUnapprovedPatternsAsync(
         TrustAudience audience,
         ToolName toolName,
         IReadOnlyList<string> patterns,
+        string? cwd,
         CancellationToken ct = default)
     {
         var actor = await _actorProvider.GetAsync(ct);
         var response = await actor.Ask<UnapprovedPatternsResponse>(
-            new GetUnapprovedPatterns(sessionId is not null ? (SessionId)sessionId : null, audience, toolName, patterns),
+            new GetUnapprovedPatterns(sessionId is not null ? (SessionId)sessionId : null, audience, toolName, patterns, cwd),
             TimeSpan.FromSeconds(5),
             ct);
 
@@ -44,11 +45,12 @@ public async Task RecordApprovalAsync(
         ToolName toolName,
         IReadOnlyList<string> patterns,
         bool persistent,
+        string? cwd,
         CancellationToken ct = default)
     {
         var actor = await _actorProvider.GetAsync(ct);
         await actor.Ask<ToolApprovalRecorded>(
-            new RecordToolApproval((SessionId)sessionId, audience, toolName, patterns, persistent),
+            new RecordToolApproval((SessionId)sessionId, audience, toolName, patterns, persistent, cwd),
             TimeSpan.FromSeconds(5),
             ct);
     }
diff --git a/src/Netclaw.Actors/Tools/DispatchingToolExecutor.cs b/src/Netclaw.Actors/Tools/DispatchingToolExecutor.cs
index 0497c40f..636d9400 100644
--- a/src/Netclaw.Actors/Tools/DispatchingToolExecutor.cs
+++ b/src/Netclaw.Actors/Tools/DispatchingToolExecutor.cs
@@ -105,19 +105,62 @@ private async Task<INetclawTool> AuthorizeCoreAsync(FunctionCallContent toolCall
         {
             var approvalContext = accessDecision.ApprovalContext
                 ?? throw new InvalidOperationException("Approval decision missing approval context.");
-            var audience = SecurityPolicyDefaults.TryParseAudience(context?.Audience, out var parsed)
-                ? parsed
-                : SecurityPolicyDefaults.ResolveAudienceFromSessionId(context?.SessionId);
-            var unapproved = await _approvalService.GetUnapprovedPatternsAsync(
-                context?.SessionId,
-                audience,
-                new ToolName(toolCall.Name),
-                approvalContext.ApprovalEntries,
-                ct);
-
-            accessDecision = unapproved.Count == 0
-                ? ToolAccessDecision.Allow()
-                : ToolAccessDecision.RequiresApproval(approvalContext);
+
+            // Cwd resolution happens upstream in ToolAccessPolicy.CheckApprovalGate
+            // for shell tools, so context.Cwd is already populated when the
+            // gate produced an approval context. Other tools have no
+            // directory anchor; cwd stays null.
+
+            // Messy commands cannot be persistently approved — the matcher
+            // refuses to extract verb chains we could match a future
+            // invocation against. Always round-trip through the user, even if
+            // the candidate-verbs list happens to be empty for unrelated
+            // reasons (which would otherwise short-circuit to allow).
+            if (approvalContext.IsMessy)
+            {
+                accessDecision = ToolAccessDecision.RequiresApproval(approvalContext);
+            }
+            else
+            {
+                var audience = SecurityPolicyDefaults.TryParseAudience(context?.Audience, out var parsed)
+                    ? parsed
+                    : SecurityPolicyDefaults.ResolveAudienceFromSessionId(context?.SessionId);
+
+                // Pure side-effect candidates (echo "X" with no path/redirect,
+                // bash :, true/false) are not persisted on Always-here clicks
+                // and must also be treated as authorized at match time —
+                // otherwise the matcher would see them as unapproved on retry
+                // after the click, throw ToolApprovalRequiredException again,
+                // and fail the turn (the outer try/catch is already inside
+                // the conditional catch so a re-throw escapes).
+                var verbsForCheck = approvalContext.Candidates is { Count: > 0 } candidates
+                    ? candidates
+                        .Where(c => !ApprovalPatternMatching.IsPureSideEffect(c))
+                        .Select(c => c.Verb)
+                        .Distinct(StringComparer.OrdinalIgnoreCase)
+                        .ToList()
+                    : approvalContext.CandidateVerbs;
+
+                if (verbsForCheck.Count == 0)
+                {
+                    // Every candidate is side-effect-only — auto-allow.
+                    accessDecision = ToolAccessDecision.Allow();
+                }
+                else
+                {
+                    var unapproved = await _approvalService.GetUnapprovedPatternsAsync(
+                        context?.SessionId,
+                        audience,
+                        new ToolName(toolCall.Name),
+                        verbsForCheck,
+                        context?.Cwd,
+                        ct);
+
+                    accessDecision = unapproved.Count == 0
+                        ? ToolAccessDecision.Allow()
+                        : ToolAccessDecision.RequiresApproval(approvalContext);
+                }
+            }
         }
 
         if (accessDecision.NeedsApproval
@@ -154,13 +197,35 @@ private static bool IsOneTimeApprovalSatisfied(
         if (approvalContext is null)
             return false;
 
+        // Tool-name match is required for any one-time bypass — without it
+        // we could never tell which tool the grant applies to.
+        if (!string.IsNullOrEmpty(context.OneTimeApprovedToolName)
+            && !string.Equals(context.OneTimeApprovedToolName, toolCall.Name, StringComparison.Ordinal))
+            return false;
+
+        // Messy commands (bash control-flow, unbalanced quotes/brackets)
+        // have no extractable verb-chain patterns, so the user prompt only
+        // offers Once+Deny. ApprovedOnce on a messy command MUST bypass on
+        // the tool-name match alone — there are no patterns to compare on
+        // either side. Without this branch, clicking Once on a complex
+        // command lands the retry into AuthorizeCoreAsync, hits the empty-
+        // patterns guard below, and throws ToolApprovalRequiredException
+        // (surfacing as "I encountered an error executing a tool"). The
+        // per-retry cleanup at SessionToolExecutionPipeline.cs:467-475
+        // still clears OneTimeApprovedToolName afterward, so the messy
+        // bypass cannot be reused for subsequent calls.
+        if (approvalContext.IsMessy
+            && !string.IsNullOrEmpty(context.OneTimeApprovedToolName)
+            && string.Equals(context.OneTimeApprovedToolName, toolCall.Name, StringComparison.Ordinal))
+            return true;
+
         if (context.OneTimeApprovedPatterns.Count == 0)
             return false;
 
         if (approvalContext.Patterns.Count == 0)
             return false;
 
-        if (!string.Equals(context.OneTimeApprovedToolName, toolCall.Name, StringComparison.Ordinal))
+        if (string.IsNullOrEmpty(context.OneTimeApprovedToolName))
             return false;
 
         return approvalContext.Patterns.All(pattern => context.OneTimeApprovedPatterns.Contains(pattern));
diff --git a/src/Netclaw.Actors/Tools/FilePathApprovalMatcher.cs b/src/Netclaw.Actors/Tools/FilePathApprovalMatcher.cs
index c620f6ea..53d01c38 100644
--- a/src/Netclaw.Actors/Tools/FilePathApprovalMatcher.cs
+++ b/src/Netclaw.Actors/Tools/FilePathApprovalMatcher.cs
@@ -3,6 +3,7 @@
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
 // -----------------------------------------------------------------------
+using Netclaw.Configuration;
 using Netclaw.Security;
 using Netclaw.Tools;
 
@@ -43,31 +44,33 @@ public IReadOnlyList<string> ExtractPatterns(ToolName toolName, IDictionary<stri
         return [toolName.Value];
     }
 
-    public IReadOnlyList<string> ExtractApprovalEntries(ToolName toolName, IDictionary<string, object?>? arguments)
+    public IReadOnlyList<string> ExtractCandidateVerbs(ToolName toolName, IDictionary<string, object?>? arguments)
         => ExtractPatterns(toolName, arguments);
 
-    public bool IsApproved(ToolName toolName, IDictionary<string, object?>? arguments, IEnumerable<string> approvedPatterns)
+    public IReadOnlyList<ApprovalCandidate> ExtractCandidates(ToolName toolName, IDictionary<string, object?>? arguments)
+        => ExtractCandidateVerbs(toolName, arguments)
+            .Select(v => new ApprovalCandidate(v, Directory: null))
+            .ToList();
+
+    public bool IsApproved(
+        ToolName toolName,
+        IDictionary<string, object?>? arguments,
+        IReadOnlyList<ApprovalEntry> approvedEntries,
+        string? cwd)
     {
-        var patterns = ExtractPatterns(toolName, arguments);
-        foreach (var pattern in patterns)
+        var verbs = ExtractCandidateVerbs(toolName, arguments);
+        foreach (var verb in verbs)
         {
-            var matched = false;
-            foreach (var approved in approvedPatterns)
-            {
-                if (string.Equals(pattern, approved, StringComparison.OrdinalIgnoreCase))
-                {
-                    matched = true;
-                    break;
-                }
-            }
-
-            if (!matched)
+            if (!ApprovalPatternMatching.MatchesAny(verb, approvedEntries))
                 return false;
         }
 
         return true;
     }
 
+    public bool IsMessy(ToolName toolName, IDictionary<string, object?>? arguments)
+        => false;
+
     public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments)
     {
         if (TryGetPath(arguments, out var path))
@@ -76,9 +79,6 @@ public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>?
         return toolName.Value;
     }
 
-    public IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(ToolName toolName, IDictionary<string, object?>? arguments)
-        => [];
-
     private bool TryGetControlPlaneRelativePath(
         IDictionary<string, object?>? arguments,
         out string relativePath)
diff --git a/src/Netclaw.Actors/Tools/ScopedFileAccessPolicy.cs b/src/Netclaw.Actors/Tools/ScopedFileAccessPolicy.cs
index 65d77af7..f740d2d1 100644
--- a/src/Netclaw.Actors/Tools/ScopedFileAccessPolicy.cs
+++ b/src/Netclaw.Actors/Tools/ScopedFileAccessPolicy.cs
@@ -89,7 +89,7 @@ private bool TryResolvePath(
             if (!PathUtility.IsWithinRoot(fullPath, root))
                 continue;
 
-            if (ContainsSymlinkSegment(root, fullPath))
+            if (PathUtility.ContainsSymlinkSegment(root, fullPath))
             {
                 error = $"Error: {label} trust context may not access files through symlinked paths inside the current session directory or configured roots.";
                 return false;
@@ -153,42 +153,6 @@ private static TrustAudience ResolveAudience(ToolExecutionContext context)
         _ => "Public"
     };
 
-    private static bool ContainsSymlinkSegment(string allowedRoot, string fullPath)
-    {
-        var relativePath = Path.GetRelativePath(allowedRoot, fullPath);
-        if (string.IsNullOrWhiteSpace(relativePath) || relativePath == ".")
-            return false;
-
-        var segments = relativePath.Split(
-            [Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar],
-            StringSplitOptions.RemoveEmptyEntries);
-        var currentPath = allowedRoot;
-
-        foreach (var segment in segments)
-        {
-            currentPath = Path.Combine(currentPath, segment);
-            if (!File.Exists(currentPath) && !Directory.Exists(currentPath))
-                continue;
-
-            try
-            {
-                var attributes = File.GetAttributes(currentPath);
-                if ((attributes & FileAttributes.ReparsePoint) != 0)
-                    return true;
-            }
-            catch (IOException)
-            {
-                return true;
-            }
-            catch (UnauthorizedAccessException)
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
     internal enum AccessKind
     {
         Read,
diff --git a/src/Netclaw.Actors/Tools/ScopedShellSafeVerbPolicy.cs b/src/Netclaw.Actors/Tools/ScopedShellSafeVerbPolicy.cs
new file mode 100644
index 00000000..7da684ee
--- /dev/null
+++ b/src/Netclaw.Actors/Tools/ScopedShellSafeVerbPolicy.cs
@@ -0,0 +1,140 @@
+// -----------------------------------------------------------------------
+// <copyright file="ScopedShellSafeVerbPolicy.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+using Netclaw.Security;
+using Netclaw.Tools;
+
+namespace Netclaw.Actors.Tools;
+
+/// <summary>
+/// Layer 1.5 of the shell approval pipeline (between the hard-deny list and
+/// the interactive approval gate): when both the candidate verb chain is on
+/// the curated <see cref="SafeVerbList"/> AND the candidate's cwd resolves
+/// under one of the audience-aware safe-space roots, the policy short-circuits
+/// to "approved" without prompting the user.
+///
+/// Mirrors <see cref="ScopedFileAccessPolicy"/> for the audience model and
+/// the symlink-segment guard. Personal and Team audiences get
+/// <c>session_dir + project_dir</c> as their safe-space roots; Public gets
+/// <c>session_dir</c> only — Public sessions cannot expand their safe space
+/// via <c>set_working_directory</c>, mirroring the read-roots restriction
+/// <see cref="ScopedFileAccessPolicy"/> enforces for file_read.
+///
+/// The policy never relaxes the hard-deny list (layer 1) — that runs first
+/// in <see cref="ToolAccessPolicy"/>. It only relaxes the interactive
+/// approval gate (layer 2) for verbs that have been explicitly classified as
+/// read-only by the bundled safe-verbs list and any user-additive override.
+/// </summary>
+internal sealed class ScopedShellSafeVerbPolicy
+{
+    private readonly SafeVerbList _safeVerbs;
+
+    public ScopedShellSafeVerbPolicy(SafeVerbList safeVerbs)
+    {
+        _safeVerbs = safeVerbs;
+    }
+
+    /// <summary>
+    /// Evaluates a candidate (verb, cwd) pair against the safe-verb policy.
+    /// Returns <c>true</c> when the gate should short-circuit to allow with
+    /// no user prompt; <c>false</c> when the candidate should fall through
+    /// to the existing approval gate.
+    /// </summary>
+    public bool ShortCircuitsApproval(string candidateVerb, string? cwd, ToolExecutionContext? context)
+        => AllShortCircuit([candidateVerb], cwd, context);
+
+    /// <summary>
+    /// Returns true when every candidate verb in <paramref name="candidateVerbs"/>
+    /// is short-circuited by the safe-verb policy under the supplied
+    /// <paramref name="cwd"/>. Used by the gate to bypass the approval prompt
+    /// only when the entire compound is read-only-in-safe-space; any single
+    /// non-safe candidate falls the whole invocation through to the prompt.
+    /// Cwd-and-roots resolution runs once per call rather than per verb,
+    /// so an N-verb compound costs one path-normalize + one symlink-segment
+    /// scan instead of N.
+    /// </summary>
+    public bool AllShortCircuit(IReadOnlyList<string> candidateVerbs, string? cwd, ToolExecutionContext? context)
+    {
+        if (candidateVerbs.Count == 0)
+            return false;
+
+        if (string.IsNullOrWhiteSpace(cwd))
+            return false;
+
+        foreach (var verb in candidateVerbs)
+        {
+            if (string.IsNullOrWhiteSpace(verb) || !_safeVerbs.Contains(verb))
+                return false;
+        }
+
+        var safeRoots = ResolveSafeSpaceRoots(context);
+        if (safeRoots.Count == 0)
+            return false;
+
+        string fullCwd;
+        try
+        {
+            fullCwd = Path.GetFullPath(cwd);
+        }
+        catch (Exception ex) when (ex is ArgumentException or NotSupportedException or PathTooLongException)
+        {
+            return false;
+        }
+
+        foreach (var root in safeRoots)
+        {
+            if (!PathUtility.IsWithinRoot(fullCwd, root))
+                continue;
+
+            // A planted symlink under a safe-space root could redirect the
+            // cwd into a path outside that root. Refuse the short-circuit if
+            // any segment of the cwd path is a reparse point — the user can
+            // still grant manually via the interactive prompt, where they
+            // will see the literal cwd they are authorizing.
+            if (PathUtility.ContainsSymlinkSegment(root, fullCwd))
+                continue;
+
+            return true;
+        }
+
+        return false;
+    }
+
+    /// <summary>
+    /// Resolves the audience-aware safe-space roots for the current
+    /// invocation. Personal and Team get <c>session_dir + project_dir</c>;
+    /// Public gets <c>session_dir</c> only.
+    /// </summary>
+    private static IReadOnlyList<string> ResolveSafeSpaceRoots(ToolExecutionContext? context)
+    {
+        if (context is null)
+            return [];
+
+        var audience = ResolveAudience(context);
+        var roots = new List<string>(2);
+
+        if (!string.IsNullOrWhiteSpace(context.SessionDirectory))
+            roots.Add(PathUtility.Normalize(context.SessionDirectory));
+
+        // Public audience cannot expand its safe space via project_dir —
+        // mirrors the file_read read-roots restriction enforced by
+        // ScopedFileAccessPolicy. Even a Public session that has somehow
+        // populated WorkingContext.ProjectDirectory does not get to use it
+        // as a shell safe-space root.
+        if (audience != TrustAudience.Public
+            && !string.IsNullOrWhiteSpace(context.ProjectDirectory))
+        {
+            roots.Add(PathUtility.Normalize(context.ProjectDirectory));
+        }
+
+        return roots;
+    }
+
+    private static TrustAudience ResolveAudience(ToolExecutionContext context)
+        => SecurityPolicyDefaults.TryParseAudience(context.Audience, out var parsed)
+            ? parsed
+            : SecurityPolicyDefaults.ResolveAudienceFromSessionId(context.SessionId);
+}
diff --git a/src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs b/src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs
index 5eab3c4d..34116e5a 100644
--- a/src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs
+++ b/src/Netclaw.Actors/Tools/SetWorkingDirectoryTool.cs
@@ -15,12 +15,21 @@ namespace Netclaw.Actors.Tools;
 /// results by tool name to update <c>WorkingContext.ProjectDirectory</c> and
 /// re-assemble the system prompt with project-scoped identity files.
 /// </summary>
-[NetclawTool("set_working_directory",
-    "Set the project directory for this session. This determines which project's identity files " +
-    "(AGENTS.md, CLAUDE.md) are loaded into context. Use an absolute path to the project root.",
+[NetclawTool(ToolName,
+    "Declare your project root and expand your trusted scope. " +
+    "Once set, read-only verbs (ls, grep, cat, git status, git log, ...) inside that tree " +
+    "auto-run without prompting — the safe-verb short-circuit treats the directory as a safe space. " +
+    "Mutating commands still prompt, but the prompt shows the right cwd so persisted approvals are " +
+    "correctly scoped. Also loads the project's identity file (AGENTS.md / CLAUDE.md / etc.) into the " +
+    "system prompt. Note: shell commands that pass a path argument (e.g. `find /repo`, `ls /var/log`) " +
+    "declare scope implicitly via that argument, so this tool is most useful for sessions where you'll " +
+    "run multiple commands without explicit paths (git status, git diff, make build, etc.). " +
+    "Use an absolute path to the project root.",
     Grant = "file")]
 public sealed partial class SetWorkingDirectoryTool : NetclawTool<SetWorkingDirectoryTool.Params>
 {
+    public const string ToolName = "set_working_directory";
+
     private readonly ScopedFileAccessPolicy _fileAccessPolicy;
 
     public record Params(
diff --git a/src/Netclaw.Actors/Tools/ShellTool.cs b/src/Netclaw.Actors/Tools/ShellTool.cs
index 8a4cdd3f..46e45edc 100644
--- a/src/Netclaw.Actors/Tools/ShellTool.cs
+++ b/src/Netclaw.Actors/Tools/ShellTool.cs
@@ -78,8 +78,19 @@ protected override async Task<string> ExecuteAsync(Params args, ToolExecutionCon
             psi.ArgumentList.Add(args.Command);
         }
 
-        if (!string.IsNullOrWhiteSpace(args.WorkingDirectory))
-            psi.WorkingDirectory = args.WorkingDirectory;
+        // Resolve working directory in priority order: explicit arg →
+        // WorkingContext.ProjectDirectory (declared via set_working_directory)
+        // → SessionDirectory (per-session scratch). Never falls through to
+        // ProcessStartInfo's default of inheriting the daemon process's cwd —
+        // that location is wherever the daemon happened to be launched and is
+        // unrelated to what the agent is "working on," which makes it
+        // impossible for the approval policy to reason about safe-space
+        // membership. The matcher reads context.Cwd against the same
+        // resolution chain so the gate evaluates folder-scoped ApprovalEntry
+        // records against the directory the spawned process will run in.
+        var resolvedCwd = context.ResolveShellCwd(args.WorkingDirectory);
+        if (!string.IsNullOrWhiteSpace(resolvedCwd))
+            psi.WorkingDirectory = resolvedCwd;
 
         var effectiveTimeoutSeconds = context.RequestedTimeoutSeconds is > 0
             ? context.RequestedTimeoutSeconds.Value
diff --git a/src/Netclaw.Actors/Tools/ToolAccessPolicy.cs b/src/Netclaw.Actors/Tools/ToolAccessPolicy.cs
index 99544a7a..03e3cb5d 100644
--- a/src/Netclaw.Actors/Tools/ToolAccessPolicy.cs
+++ b/src/Netclaw.Actors/Tools/ToolAccessPolicy.cs
@@ -23,6 +23,9 @@ public sealed class ToolAccessPolicy
     private readonly IShellTrustZonePolicy? _shellTrustZonePolicy;
     private readonly IToolApprovalMatcher _fileApprovalMatcher;
     private readonly FeatureGates _featureGates;
+    private readonly ScopedShellSafeVerbPolicy? _safeVerbPolicy;
+    private readonly GateEvaluator? _gateEvaluator;
+    private readonly TrustStateComposer? _trustStateComposer;
 
     public ToolAccessPolicy(
         ToolConfig toolConfig,
@@ -31,7 +34,10 @@ public ToolAccessPolicy(
         IToolApprovalMatcher? fileApprovalMatcher = null,
         ToolPathPolicy? toolPathPolicy = null,
         FeatureGates? featureGates = null,
-        IShellTrustZonePolicy? shellTrustZonePolicy = null)
+        IShellTrustZonePolicy? shellTrustZonePolicy = null,
+        SafeVerbList? safeVerbs = null,
+        GateEvaluator? gateEvaluator = null,
+        TrustStateComposer? trustStateComposer = null)
     {
         _toolConfig = toolConfig;
         _defaults = defaults;
@@ -41,6 +47,9 @@ public ToolAccessPolicy(
         _shellTrustZonePolicy = shellTrustZonePolicy;
         _fileApprovalMatcher = fileApprovalMatcher ?? DefaultApprovalMatcher.Instance;
         _featureGates = featureGates ?? FeatureGates.AllEnabled;
+        _safeVerbPolicy = safeVerbs is not null ? new ScopedShellSafeVerbPolicy(safeVerbs) : null;
+        _gateEvaluator = gateEvaluator;
+        _trustStateComposer = trustStateComposer;
     }
 
     public int MaxToolTimeoutSeconds => _toolConfig.MaxToolTimeoutSeconds;
@@ -297,37 +306,257 @@ private ToolAccessDecision CheckApprovalGate(
             return ToolAccessDecision.Allow();
         }
 
-        // Approval prompts carry three related views of the invocation:
+        // Approval prompts carry three views of the invocation:
         // - `patterns`: the exact blocked units shown to the user and reused by
         //   approve-once retries.
-        // - `approvalEntries`: what broader B/C approvals actually record and
-        //   later compare against. For shell this prefers reusable directory
-        //   roots and falls back to the exact unit when no reusable roots exist.
-        // - `directoryRoots`: the human-facing root list, surfaced to the user
-        //   in the channel-specific message body (Slack section block, Discord
-        //   summary line). Button labels stay fixed; runtime values like paths
-        //   never enter button text because Slack caps button text at 76 chars
-        //   and Discord at 80, and channel-agnostic policy cannot enforce
-        //   channel-specific length budgets.
+        // - `candidates`: the (verb, directory) pairs evaluated against
+        //   persisted ApprovalEntry records by the gate. The directory half is
+        //   the path argument extracted from each clause when present, falling
+        //   back to ToolExecutionContext.Cwd at evaluation time.
+        // - `candidateVerbs`: the verb-only projection of `candidates`, kept
+        //   for renderers (Slack/Discord builders) that bullet-list verbs in
+        //   the prompt body. Button labels stay fixed; runtime values like
+        //   paths never enter button text because Slack caps button text at
+        //   76 chars and Discord at 80.
         var patterns = matcher.ExtractPatterns(toolName, arguments);
-        var approvalEntries = matcher.ExtractApprovalEntries(toolName, arguments);
-        var directoryRoots = matcher.ExtractDirectoryRoots(toolName, arguments);
+        var candidates = matcher.ExtractCandidates(toolName, arguments);
+        var candidateVerbs = candidates
+            .Select(static c => c.Verb)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
         var displayText = matcher.FormatForDisplay(toolName, arguments);
+        var isMessy = matcher.IsMessy(toolName, arguments);
+
+        // Resolve cwd up-front for shell so it's available to the safe-verb
+        // short-circuit, the shallow-cwd guard, AND the approval context that
+        // gets persisted on "Always here". Doing this only inside the
+        // short-circuit branch (as the original v2 layout did) drops cwd from
+        // ToolApprovalContext when conditions don't match — silently turning
+        // every "Always here" click into "Always anywhere" because the
+        // persistence path reads PendingToolInteraction.Cwd.
+        var isShell = string.Equals(toolName.Value, ShellTool.ToolName, StringComparison.Ordinal);
+        if (isShell && context is not null)
+            context.Cwd = context.ResolveShellCwd(ExtractWorkingDirectory(arguments));
+
+        // Trust-zones fast path: ahead of the v2 safe-verb short-circuit and
+        // the v2 (verb, directory) matcher, ask the new GateEvaluator
+        // whether the command would auto-pass under the trust-zones model
+        // (read-only verb in trusted zone, or a clause matching a
+        // persisted/session verb pattern). If yes, the call runs silently
+        // without round-tripping through the v2 prompt path. If the
+        // evaluator wants any prompts or hits a hard-deny, fall through
+        // to the existing v2 logic so the existing 5-button prompt UI
+        // and persistence path stay in charge of user-facing approval
+        // until the v2 prompt builders are rewritten.
+        //
+        // This is the load-bearing change for reminder/non-interactive
+        // workflow reliability: when an operator configures broad audience
+        // baseline zones and pre-approves verb patterns via CLI, reminders
+        // firing read-only verbs inside trusted zones auto-allow here and
+        // never hit the prompt-required v2 path.
+        var shellCommandForGate = isShell ? ExtractShellCommand(arguments) : null;
+        if (isShell
+            && !isMessy
+            && _gateEvaluator is not null
+            && _trustStateComposer is not null
+            && context is not null
+            && context.SessionDirectory is not null
+            && !string.IsNullOrEmpty(shellCommandForGate))
+        {
+            var trustState = _trustStateComposer.Compose(
+                audience,
+                context.SessionDirectory,
+                sessionTrustedZones: null,    // session-scope state lives on
+                sessionVerbPatterns: null);   // LlmSessionActor; wire when prompts move to new shape
+            var evaluation = _gateEvaluator.Evaluate(shellCommandForGate, audience, trustState);
+
+            if (evaluation.OverallDecision == OverallGateDecision.HardDenied)
+            {
+                return ToolAccessDecision.Deny($"hard_deny_{evaluation.HardDenyCategory ?? "unknown"}");
+            }
+
+            if (evaluation.OverallDecision == OverallGateDecision.Approved)
+            {
+                return ToolAccessDecision.Allow();
+            }
+
+            // NeedsPrompt → fall through to v2 path below. v2 will produce
+            // its own ApprovalContext with the existing 5-button shape.
+            // The new audience trust store doesn't get written on v2
+            // button clicks yet — operator can pre-populate via
+            // `netclaw approvals trust-verb` etc., or wait for the prompt
+            // builder rewrite to land.
+        }
+
+        // Safe-verb ∩ safe-space short-circuit (layer 1.5). Runs only for shell
+        // and only when the matcher could extract candidate verbs cleanly —
+        // messy commands always prompt regardless of verb membership.
+        // Retained as a fallback for sessions/configurations that don't
+        // exercise the GateEvaluator fast path above (no audience baseline
+        // zones, no persisted verbPatterns) — the v2 safe-space check
+        // still catches read-only verbs in session_dir/project_dir.
+        if (_safeVerbPolicy is not null
+            && context is not null
+            && isShell
+            && !isMessy
+            && candidateVerbs.Count > 0
+            && _safeVerbPolicy.AllShortCircuit(candidateVerbs, context.Cwd, context))
+        {
+            return ToolAccessDecision.Allow();
+        }
+
+        var options = BuildApprovalOptions(
+            isMessy,
+            isCwdShallow: IsCwdTooShallow(context?.Cwd),
+            allEffectiveDirsAreSessionScratch: AllCandidatesResolveToSessionScratch(
+                candidates, context?.Cwd, context?.SessionDirectory));
 
         var approvalContext = new ToolApprovalContext(
             toolName.Value,
             displayText,
             patterns,
-            approvalEntries,
+            candidateVerbs,
+            options,
+            Cwd: context?.Cwd,
+            IsMessy: isMessy,
+            Candidates: candidates);
+
+        return ToolAccessDecision.RequiresApproval(approvalContext);
+    }
+
+    /// <summary>
+    /// Returns true when every candidate's effective directory resolves to
+    /// the session's ephemeral <c>session_dir</c>. Persisting an "Always
+    /// here" grant scoped to that directory is dead-on-arrival because the
+    /// next session has a fresh session_dir; matching against the saved
+    /// entry would never succeed. The button is hidden in that case so
+    /// operators can pick "This chat" (the equivalent in-session
+    /// semantics) or "Always anywhere" (folder-agnostic) instead.
+    /// </summary>
+    private static bool AllCandidatesResolveToSessionScratch(
+        IReadOnlyList<ApprovalCandidate> candidates,
+        string? cwd,
+        string? sessionDirectory)
+    {
+        if (string.IsNullOrEmpty(sessionDirectory) || candidates.Count == 0)
+            return false;
+
+        foreach (var candidate in candidates)
+        {
+            var effective = candidate.Directory ?? cwd;
+            if (string.IsNullOrEmpty(effective))
+                return false;
+
+            if (!PathsEquivalent(effective, sessionDirectory))
+                return false;
+        }
+
+        return true;
+    }
+
+    private static bool PathsEquivalent(string a, string b)
+    {
+        try
+        {
+            var fullA = Path.GetFullPath(a)
+                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            var fullB = Path.GetFullPath(b)
+                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            var comparison = OperatingSystem.IsWindows()
+                ? StringComparison.OrdinalIgnoreCase
+                : StringComparison.Ordinal;
+            return string.Equals(fullA, fullB, comparison);
+        }
+        catch (Exception ex) when (ex is ArgumentException or NotSupportedException or System.Security.SecurityException)
+        {
+            return false;
+        }
+    }
+
+    /// <summary>
+    /// Builds the prompt's button row. The five-button default
+    /// (Once / This chat / Always here / Always anywhere / Deny) is pruned
+    /// in three cases:
+    /// <list type="bullet">
+    /// <item><b>Messy commands</b> (bash control-flow / unbalanced
+    /// quotes/brackets) — only <c>Once</c> and <c>Deny</c> are offered.
+    /// Persistence is impossible because the matcher cannot extract a verb
+    /// chain to remember.</item>
+    /// <item><b>Shallow cwd</b> (path depth fails the minimum-scope check) —
+    /// <c>Always here</c> is omitted so an operator cannot accidentally write
+    /// a folder-scoped grant for a too-shallow root like <c>/etc/</c>.
+    /// <c>This chat</c> and <c>Always anywhere</c> remain available.</item>
+    /// <item><b>Session-scratch effective directory</b> (every candidate's
+    /// effective directory is the session's ephemeral <c>session_dir</c>) —
+    /// <c>Always here</c> is omitted because the saved grant would be scoped
+    /// to a directory that won't recur. <c>This chat</c> already provides
+    /// the equivalent in-session semantics without polluting the persistent
+    /// store.</item>
+    /// </list>
+    /// </summary>
+    private static IReadOnlyList<ToolApprovalOption> BuildApprovalOptions(
+        bool isMessy,
+        bool isCwdShallow,
+        bool allEffectiveDirsAreSessionScratch)
+    {
+        if (isMessy)
+        {
+            return
             [
                 new ToolApprovalOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
-                new ToolApprovalOption(ApprovalOptionKeys.ApproveSession, ApprovalOptionKeys.ApproveSessionLabel),
-                new ToolApprovalOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel),
                 new ToolApprovalOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel)
-            ],
-            [.. directoryRoots.Select(static x => x.DisplayPath)]);
+            ];
+        }
 
-        return ToolAccessDecision.RequiresApproval(approvalContext);
+        var options = new List<ToolApprovalOption>(5)
+        {
+            new ToolApprovalOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
+            new ToolApprovalOption(ApprovalOptionKeys.ApproveSession, ApprovalOptionKeys.ApproveSessionLabel)
+        };
+
+        if (!isCwdShallow && !allEffectiveDirsAreSessionScratch)
+        {
+            options.Add(new ToolApprovalOption(ApprovalOptionKeys.ApproveAlways, ApprovalOptionKeys.ApproveAlwaysLabel));
+        }
+
+        options.Add(new ToolApprovalOption(ApprovalOptionKeys.ApproveEverywhere, ApprovalOptionKeys.ApproveEverywhereLabel));
+        options.Add(new ToolApprovalOption(ApprovalOptionKeys.Deny, ApprovalOptionKeys.DenyLabel));
+
+        return options;
+    }
+
+    /// <summary>
+    /// Returns true when the cwd is too shallow to support a folder-scoped
+    /// approval grant. Mirrors the v1 minimum-depth check: a path with fewer
+    /// than two non-empty segments under its root (e.g. <c>/</c>, <c>/etc/</c>,
+    /// <c>C:\</c>) cannot be safely persisted as an ApprovalEntry directory.
+    /// </summary>
+    private static bool IsCwdTooShallow(string? cwd)
+    {
+        if (string.IsNullOrWhiteSpace(cwd))
+            return false;
+
+        try
+        {
+            var full = Path.GetFullPath(cwd);
+            var trimmed = full.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+            var segments = trimmed.Split(
+                [Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar],
+                StringSplitOptions.RemoveEmptyEntries);
+
+            // POSIX root → 0 segments after trim. /etc → 1 segment. /home/user → 2 segments.
+            // Windows: C:\ → ["C:"] → 1 segment but conventionally a root, so still shallow.
+            //          C:\Users\foo → 3 segments.
+            // Require at least 2 distinct path segments for folder-scoped persistence.
+            return segments.Length < 2;
+        }
+        catch (Exception ex) when (ex is ArgumentException or NotSupportedException or PathTooLongException)
+        {
+            // Treat unparseable cwds as shallow — fail closed on the
+            // persistent button rather than offering a grant whose target we
+            // could not normalize.
+            return true;
+        }
     }
 
     private static ToolApprovalMode GetMissingApprovalPolicyDefaultMode(
@@ -472,11 +701,29 @@ public sealed record ToolApprovalContext(
     string ToolName,
     string DisplayText,
     IReadOnlyList<string> Patterns,
-    IReadOnlyList<string> ApprovalEntries,
+    // Verb-only projection of Candidates. Kept for renderers that bullet-
+    // list verbs in the prompt body (Slack, Discord) without needing the
+    // directory half.
+    IReadOnlyList<string> CandidateVerbs,
     IReadOnlyList<ToolApprovalOption> Options,
-    // Human-facing roots shown in the prompt. Approval lookups use
-    // ApprovalEntries instead so display formatting never leaks into matching.
-    IReadOnlyList<string> DirectoryRoots);
+    // Resolved cwd at the moment the gate decided approval was required.
+    // Threaded through ToolInteractionRequest → PendingToolInteraction so
+    // an "Always here" click persists with the actual directory rather
+    // than a null sentinel (which would silently behave as "Always
+    // anywhere").
+    string? Cwd = null,
+    // True when the invocation cannot be cleanly split into verb-chain
+    // approval units (bash control-flow, unbalanced quotes/brackets).
+    // Channel adapters use this to omit the persistent-grant buttons and
+    // surface the "complex command" hint.
+    bool IsMessy = false,
+    // Per-clause (verb, directory) pairs evaluated against the persisted
+    // ApprovalEntry store. The directory half is the path argument
+    // extracted from the clause when present, falling back to Cwd at
+    // match time. The persistence path reads this on ApprovedAlways so
+    // "Always here" stores per-clause folder-scoped grants from the
+    // actual paths the agent touched.
+    IReadOnlyList<ApprovalCandidate>? Candidates = null);
 
 public sealed record ToolApprovalOption(string Key, string Label);
 
diff --git a/src/Netclaw.Actors/Tools/ToolApprovalActor.cs b/src/Netclaw.Actors/Tools/ToolApprovalActor.cs
index 1e401558..7ddfeb71 100644
--- a/src/Netclaw.Actors/Tools/ToolApprovalActor.cs
+++ b/src/Netclaw.Actors/Tools/ToolApprovalActor.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ToolApprovalActor.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -22,11 +22,19 @@ public ToolApprovalActor(ToolApprovalStore? persistentStore = null)
 
         Receive<GetUnapprovedPatterns>(msg =>
         {
-            var unapproved = new List<string>(msg.Patterns.Count);
+            // Snapshot the persisted approvals once per message — every
+            // pattern in the same call evaluates against the same on-disk
+            // state, and Load() does a synchronous file read + JSON parse
+            // each call. For a compound shell with N candidate verbs this
+            // collapses N reads into 1.
+            var approved = _persistentStore is not null
+                ? _persistentStore.GetApprovedEntries(msg.Audience, msg.ToolName.Value)
+                : (IReadOnlyList<ApprovalEntry>)[];
 
+            var unapproved = new List<string>(msg.Patterns.Count);
             foreach (var pattern in msg.Patterns)
             {
-                if (!IsApproved(msg.SessionId, msg.Audience, msg.ToolName, pattern))
+                if (!IsApproved(msg.SessionId, msg.Audience, msg.ToolName, pattern, msg.Cwd, approved))
                     unapproved.Add(pattern);
             }
 
@@ -40,7 +48,19 @@ public ToolApprovalActor(ToolApprovalStore? persistentStore = null)
                 AddSessionApproval(msg.SessionId, msg.Audience, msg.ToolName, pattern);
 
                 if (msg.Persistent)
-                    _persistentStore?.AddApproval(msg.Audience, msg.ToolName.Value, pattern);
+                {
+                    // The cwd field encodes scope: a non-null value writes a
+                    // folder-scoped (verb, cwd) entry that matches future
+                    // invocations only under that directory tree, while null
+                    // writes a global wildcard (verb, null) that matches any
+                    // cwd. The caller (LlmSessionActor) chooses based on the
+                    // user's button click — Always here → cwd; Always
+                    // anywhere → null.
+                    _persistentStore?.AddApproval(
+                        msg.Audience,
+                        msg.ToolName.Value,
+                        new ApprovalEntry { Verb = pattern, Directory = msg.Cwd });
+                }
             }
 
             Sender.Tell(ToolApprovalRecorded.Instance);
@@ -50,18 +70,15 @@ public ToolApprovalActor(ToolApprovalStore? persistentStore = null)
     public static Props CreateProps(ToolApprovalStore? persistentStore = null)
         => Props.Create(() => new ToolApprovalActor(persistentStore));
 
-    private bool IsApproved(SessionId? sessionId, TrustAudience audience, ToolName toolName, string pattern)
+    private bool IsApproved(SessionId? sessionId, TrustAudience audience, ToolName toolName, string candidateVerb, string? cwd, IReadOnlyList<ApprovalEntry> persistedApprovals)
     {
-        if (sessionId.HasValue && IsSessionApproved(sessionId.Value, audience, toolName, pattern))
+        if (sessionId.HasValue && IsSessionApproved(sessionId.Value, audience, toolName, candidateVerb))
             return true;
 
-        if (_persistentStore is null)
-            return false;
-
-        return MatchesApprovedEntry(toolName, pattern, _persistentStore.GetApprovedPatterns(audience, toolName.Value));
+        return MatchesPersistedEntry(toolName, candidateVerb, cwd, persistedApprovals);
     }
 
-    private bool IsSessionApproved(SessionId sessionId, TrustAudience audience, ToolName toolName, string pattern)
+    private bool IsSessionApproved(SessionId sessionId, TrustAudience audience, ToolName toolName, string candidateVerb)
     {
         // Walk up the scope chain: sub-agent scopes inherit parent session approvals.
         // Scope format: "{parentSessionId}/subagent/{name}/{runId}" — parent is the prefix before "/subagent/".
@@ -70,8 +87,8 @@ private bool IsSessionApproved(SessionId sessionId, TrustAudience audience, Tool
         {
             var sessionKey = BuildSessionKey((SessionId)scopeId, audience);
             if (_sessionApprovals.TryGetValue(sessionKey, out var toolMap)
-                && toolMap.TryGetValue(toolName.Value, out var patterns)
-                && MatchesApprovedEntry(toolName, pattern, patterns))
+                && toolMap.TryGetValue(toolName.Value, out var verbs)
+                && verbs.Contains(candidateVerb))
             {
                 return true;
             }
@@ -86,7 +103,7 @@ private bool IsSessionApproved(SessionId sessionId, TrustAudience audience, Tool
         return false;
     }
 
-    private void AddSessionApproval(SessionId sessionId, TrustAudience audience, ToolName toolName, string pattern)
+    private void AddSessionApproval(SessionId sessionId, TrustAudience audience, ToolName toolName, string candidateVerb)
     {
         var sessionKey = BuildSessionKey(sessionId, audience);
         if (!_sessionApprovals.TryGetValue(sessionKey, out var toolMap))
@@ -95,19 +112,23 @@ private void AddSessionApproval(SessionId sessionId, TrustAudience audience, Too
             _sessionApprovals[sessionKey] = toolMap;
         }
 
-        if (!toolMap.TryGetValue(toolName.Value, out var patterns))
+        if (!toolMap.TryGetValue(toolName.Value, out var verbs))
         {
-            patterns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-            toolMap[toolName.Value] = patterns;
+            // Session approvals use the same platform-correct comparer as the
+            // persistent store (Ordinal on POSIX, OrdinalIgnoreCase on Windows)
+            // so a grant for `git` cannot be redeemed by a planted `Git`
+            // earlier in $PATH on case-sensitive filesystems.
+            verbs = new HashSet<string>(ToolApprovalEntryComparer.Comparer);
+            toolMap[toolName.Value] = verbs;
         }
 
-        patterns.Add(pattern);
+        verbs.Add(candidateVerb);
     }
 
-    private static bool MatchesApprovedEntry(ToolName toolName, string candidate, IEnumerable<string> approvedEntries)
+    private static bool MatchesPersistedEntry(ToolName toolName, string candidateVerb, string? cwd, IReadOnlyList<ApprovalEntry> approved)
         => string.Equals(toolName.Value, ShellTool.ToolName, StringComparison.Ordinal)
-            ? ApprovalPatternMatching.MatchesShellApprovalEntry(candidate, approvedEntries)
-            : ApprovalPatternMatching.MatchesAny(candidate, approvedEntries);
+            ? ApprovalPatternMatching.MatchesShellApproval(candidateVerb, cwd, approved)
+            : ApprovalPatternMatching.MatchesAny(candidateVerb, approved);
 
     private static string BuildSessionKey(SessionId sessionId, TrustAudience audience)
         => $"{sessionId.Value}|{audience.ToWireValue()}";
diff --git a/src/Netclaw.Actors/Tools/ToolApprovalMessages.cs b/src/Netclaw.Actors/Tools/ToolApprovalMessages.cs
index 579004e6..ab7db027 100644
--- a/src/Netclaw.Actors/Tools/ToolApprovalMessages.cs
+++ b/src/Netclaw.Actors/Tools/ToolApprovalMessages.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ToolApprovalMessages.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -13,7 +13,8 @@ internal sealed record GetUnapprovedPatterns(
     SessionId? SessionId,
     TrustAudience Audience,
     ToolName ToolName,
-    IReadOnlyList<string> Patterns);
+    IReadOnlyList<string> Patterns,
+    string? Cwd);
 
 internal sealed record UnapprovedPatternsResponse(IReadOnlyList<string> Patterns);
 
@@ -22,4 +23,5 @@ internal sealed record RecordToolApproval(
     TrustAudience Audience,
     ToolName ToolName,
     IReadOnlyList<string> Patterns,
-    bool Persistent);
+    bool Persistent,
+    string? Cwd);
diff --git a/src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs b/src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs
index 7ef0579c..e51712cc 100644
--- a/src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs
+++ b/src/Netclaw.Channels.Discord/DiscordApprovalPromptBuilder.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="DiscordApprovalPromptBuilder.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -10,18 +10,25 @@ namespace Netclaw.Channels.Discord;
 
 internal static class DiscordApprovalPromptBuilder
 {
+    private const string ComplexCommandHint = "_complex command — only one-shot approval available_";
+
     public static string BuildTextPrompt(ToolInteractionRequest request)
     {
         var sb = new StringBuilder();
         sb.AppendLine("Netclaw approval required:");
         sb.Append("Tool: ").AppendLine(request.ToolName);
         sb.Append("Action: ").AppendLine(request.DisplayText);
+        sb.AppendLine(BuildApproveHeader(request));
 
-        if (request.Patterns.Count > 0)
-            sb.Append("Pattern: ").AppendLine(string.Join(", ", request.Patterns));
+        var verbs = ResolveDisplayVerbs(request);
+        if (verbs.Count > 1)
+        {
+            foreach (var verb in verbs)
+                sb.Append("  • ").AppendLine(verb);
+        }
 
-        if (request.DirectoryRoots.Count > 0)
-            sb.Append("Directory roots: ").AppendLine(string.Join(", ", request.DirectoryRoots));
+        if (request.IsMessy)
+            sb.AppendLine(ComplexCommandHint);
 
         AppendAdoptedContextSummary(sb, request);
 
@@ -68,14 +75,21 @@ public static string BuildResolvedPromptText(
         var statusEmoji = selectedKey == ApprovalOptionKeys.Deny
             ? ":no_entry:"
             : ":white_check_mark:";
-        var decisionLabel = GetDecisionLabel(selectedKey);
 
         var sb = new StringBuilder();
         sb.Append(statusEmoji).AppendLine(" **Tool approval resolved**");
-        AppendToolSummary(sb, request);
-
-        sb.Append("**Decision:** ").Append(decisionLabel);
+        sb.Append("**Tool:** `").Append(request.ToolName).AppendLine("`");
+        sb.Append("**Action:** `").Append(request.DisplayText).AppendLine("`");
+        sb.Append("**").Append(BuildResolutionLine(request, selectedKey)).Append("**");
         sb.Append(" (by <@").Append(senderId).Append(">)");
+
+        if (request.HasAdoptedContext)
+        {
+            sb.AppendLine();
+            sb.Append("**Adopted context:** present").AppendLine();
+            sb.Append("**Speakers:** `").Append(string.Join(", ", request.AdoptedSpeakerIds)).Append('`');
+        }
+
         return sb.ToString();
     }
 
@@ -83,38 +97,89 @@ private static void AppendToolSummary(StringBuilder sb, ToolInteractionRequest r
     {
         sb.Append("**Tool:** `").Append(request.ToolName).AppendLine("`");
         sb.Append("**Action:** `").Append(request.DisplayText).AppendLine("`");
+        sb.Append("**").Append(BuildApproveHeader(request)).AppendLine("**");
 
-        if (request.Patterns.Count > 0)
+        var verbs = ResolveDisplayVerbs(request);
+        if (verbs.Count > 1)
         {
-            if (request.Patterns.Count == 1)
-            {
-                sb.Append("**Pattern:** `").Append(request.Patterns[0]).AppendLine("`");
-            }
-            else
-            {
-                sb.AppendLine("**Patterns:**");
-                foreach (var pattern in request.Patterns)
-                    sb.Append("  • `").Append(pattern).AppendLine("`");
-            }
+            foreach (var verb in verbs)
+                sb.Append("  • `").Append(verb).AppendLine("`");
         }
 
-        if (request.DirectoryRoots.Count > 0)
-        {
-            if (request.DirectoryRoots.Count == 1)
-            {
-                sb.Append("**Directory Root:** `").Append(request.DirectoryRoots[0]).AppendLine("`");
-            }
-            else
-            {
-                sb.AppendLine("**Directory Roots:**");
-                foreach (var root in request.DirectoryRoots)
-                    sb.Append("  • `").Append(root).AppendLine("`");
-            }
-        }
+        if (request.IsMessy)
+            sb.AppendLine(ComplexCommandHint);
 
         AppendAdoptedContextSummary(sb, request);
     }
 
+    /// <summary>
+    /// Header line mirroring the Slack builder. The "in &lt;dir&gt;" portion
+    /// shows the most meaningful target directory the operator is being
+    /// asked to trust — see SlackApprovalBlockBuilder.BuildApproveHeader
+    /// for the priority order.
+    /// </summary>
+    private static string BuildApproveHeader(ToolInteractionRequest request)
+    {
+        var verbs = ResolveDisplayVerbs(request);
+        var location = ResolveHeaderLocation(request);
+
+        return verbs.Count == 1
+            ? $"Approve {verbs[0]} in {location}?"
+            : $"Approve in {location}?";
+    }
+
+    /// <summary>
+    /// Single-line resolution message identical in form to the Slack builder
+    /// — see SlackApprovalBlockBuilder.BuildResolutionLine for the spec
+    /// reference.
+    /// </summary>
+    private static string BuildResolutionLine(ToolInteractionRequest request, string selectedKey)
+    {
+        var verbs = string.Join(", ", ResolveDisplayVerbs(request));
+        var location = ResolveHeaderLocation(request);
+
+        return selectedKey switch
+        {
+            ApprovalOptionKeys.ApproveAlways => $"Saved: {verbs} in {location}",
+            ApprovalOptionKeys.ApproveEverywhere => $"Saved: {verbs} anywhere",
+            ApprovalOptionKeys.ApproveSession => $"Saved for this chat: {verbs} in {location}",
+            ApprovalOptionKeys.ApproveOnce => "Approved (no save)",
+            ApprovalOptionKeys.Deny => "Denied",
+            _ => "Resolved"
+        };
+    }
+
+    private static string ResolveHeaderLocation(ToolInteractionRequest request)
+    {
+        var distinctDirs = request.Candidates
+            .Where(c => !string.IsNullOrWhiteSpace(c.Directory))
+            .Select(c => c.Directory!)
+            .Distinct(StringComparer.Ordinal)
+            .ToList();
+
+        if (distinctDirs.Count == 1)
+            return distinctDirs[0];
+
+        if (distinctDirs.Count > 1)
+            return $"{distinctDirs.Count} directories";
+
+        if (string.IsNullOrWhiteSpace(request.Cwd))
+            return "(no working directory)";
+
+        return IsSessionScratchPath(request.Cwd) ? "this session" : request.Cwd;
+    }
+
+    private static bool IsSessionScratchPath(string cwd)
+    {
+        var normalized = cwd.Replace('\\', '/');
+        return normalized.Contains("/.netclaw/sessions/", StringComparison.OrdinalIgnoreCase);
+    }
+
+    private static IReadOnlyList<string> ResolveDisplayVerbs(ToolInteractionRequest request)
+        => request.CandidateVerbs.Count > 0
+            ? request.CandidateVerbs
+            : request.Patterns;
+
     private static void AppendAdoptedContextSummary(StringBuilder sb, ToolInteractionRequest request)
     {
         if (!request.HasAdoptedContext)
@@ -142,6 +207,7 @@ private static string GetDecisionLabel(string selectedKey)
             ApprovalOptionKeys.ApproveOnce => ApprovalOptionKeys.ApproveOnceLabel,
             ApprovalOptionKeys.ApproveSession => ApprovalOptionKeys.ApproveSessionLabel,
             ApprovalOptionKeys.ApproveAlways => ApprovalOptionKeys.ApproveAlwaysLabel,
+            ApprovalOptionKeys.ApproveEverywhere => ApprovalOptionKeys.ApproveEverywhereLabel,
             ApprovalOptionKeys.Deny => ApprovalOptionKeys.DenyLabel,
             _ => selectedKey
         };
@@ -153,10 +219,11 @@ internal static bool TryParseButtonValue(string? value, out string? callId, out
         => ApprovalButtonValueCodec.TryDecode(value, out callId, out selectedKey, out requesterSenderId);
 
     private static DiscordButtonStyle GetButtonStyle(string optionKey)
-        => optionKey switch
-        {
-            ApprovalOptionKeys.Deny => DiscordButtonStyle.Danger,
-            ApprovalOptionKeys.ApproveOnce => DiscordButtonStyle.Success,
-            _ => DiscordButtonStyle.Secondary
-        };
+    {
+        if (ApprovalOptionKeys.IsDangerStyled(optionKey))
+            return DiscordButtonStyle.Danger;
+        if (optionKey == ApprovalOptionKeys.ApproveOnce)
+            return DiscordButtonStyle.Success;
+        return DiscordButtonStyle.Secondary;
+    }
 }
diff --git a/src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs b/src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs
index 4489c5f5..33be3abe 100644
--- a/src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs
+++ b/src/Netclaw.Channels.Slack/SlackApprovalBlockBuilder.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="SlackApprovalBlockBuilder.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -12,34 +12,26 @@ internal static class SlackApprovalBlockBuilder
 {
     public const string ApprovalActionId = "tool_approval";
 
+    private const string ComplexCommandHint = "_complex command — only one-shot approval available_";
+
     public static string BuildApprovalText(ToolInteractionRequest request)
     {
         var lines = new List<string>
         {
-            $":lock: *Tool approval required*",
-            $"> `{request.ToolName}`: `{request.DisplayText}`"
+            ":lock: *Tool approval required*",
+            $"> `{request.ToolName}`: `{request.DisplayText}`",
+            BuildApproveHeader(request)
         };
 
-        if (request.Patterns.Count > 0)
+        var verbs = ResolveDisplayVerbs(request);
+        if (verbs.Count > 1)
         {
-            if (request.Patterns.Count == 1)
-            {
-                lines.Add($"Pattern: `{request.Patterns[0]}`");
-            }
-            else
-            {
-                lines.Add("Patterns:");
-                foreach (var pattern in request.Patterns)
-                    lines.Add($"  • `{pattern}`");
-            }
+            foreach (var verb in verbs)
+                lines.Add($"  • `{verb}`");
         }
 
-        if (request.DirectoryRoots.Count > 0)
-        {
-            lines.Add("Directory roots:");
-            foreach (var root in request.DirectoryRoots)
-                lines.Add($"  • `{root}`");
-        }
+        if (request.IsMessy)
+            lines.Add(ComplexCommandHint);
 
         AppendAdoptedContextSummary(lines, request);
 
@@ -63,24 +55,28 @@ public static IReadOnlyList<Block> BuildApprovalBlocks(ToolInteractionRequest re
             {
                 Text = new Markdown($"*Tool:* `{EscapeMarkdown(request.ToolName)}`\n*Request:* `{EscapeMarkdown(request.DisplayText)}`"),
                 Expand = true
+            },
+            new SectionBlock
+            {
+                Text = new Markdown($"*{EscapeMarkdown(BuildApproveHeader(request))}*")
             }
         };
 
-        if (request.Patterns.Count > 0)
+        var verbs = ResolveDisplayVerbs(request);
+        if (verbs.Count > 1)
         {
-            var patternLines = request.Patterns.Select(pattern => $"• `{EscapeMarkdown(pattern)}`");
+            var verbLines = verbs.Select(v => $"• `{EscapeMarkdown(v)}`");
             blocks.Add(new SectionBlock
             {
-                Text = new Markdown($"*Patterns*\n{string.Join("\n", patternLines)}")
+                Text = new Markdown(string.Join("\n", verbLines))
             });
         }
 
-        if (request.DirectoryRoots.Count > 0)
+        if (request.IsMessy)
         {
-            var rootLines = request.DirectoryRoots.Select(root => $"• `{EscapeMarkdown(root)}`");
             blocks.Add(new SectionBlock
             {
-                Text = new Markdown($"*Directory Roots*\n{string.Join("\n", rootLines)}")
+                Text = new Markdown(ComplexCommandHint)
             });
         }
 
@@ -125,13 +121,12 @@ public static string BuildResolvedApprovalText(
         var statusPrefix = selectedKey == ApprovalOptionKeys.Deny
             ? ":no_entry:"
             : ":white_check_mark:";
-        var decisionLabel = GetDecisionLabel(selectedKey);
 
         return string.Join("\n", new[]
         {
             $"{statusPrefix} *Tool approval resolved* by <@{EscapeMarkdown(senderId)}>",
             $"> `{request.ToolName}`: `{request.DisplayText}`",
-            $"Decision: *{decisionLabel}*"
+            BuildResolutionLine(request, selectedKey)
         });
     }
 
@@ -143,7 +138,7 @@ public static IReadOnlyList<Block> BuildResolvedApprovalBlocks(
         var statusPrefix = selectedKey == ApprovalOptionKeys.Deny
             ? ":no_entry:"
             : ":white_check_mark:";
-        var decisionLabel = GetDecisionLabel(selectedKey);
+        var resolutionLine = BuildResolutionLine(request, selectedKey);
 
         var blocks = new List<Block>
         {
@@ -156,29 +151,11 @@ public static IReadOnlyList<Block> BuildResolvedApprovalBlocks(
                 Text = new Markdown(
                     $"*Tool:* `{EscapeMarkdown(request.ToolName)}`\n"
                     + $"*Request:* `{EscapeMarkdown(request.DisplayText)}`\n"
-                    + $"*Decision:* *{EscapeMarkdown(decisionLabel)}*"),
+                    + $"*{EscapeMarkdown(resolutionLine)}*"),
                 Expand = true
             }
         };
 
-        if (request.Patterns.Count > 0)
-        {
-            var patternLines = request.Patterns.Select(pattern => $"• `{EscapeMarkdown(pattern)}`");
-            blocks.Add(new SectionBlock
-            {
-                Text = new Markdown($"*Patterns*\n{string.Join("\n", patternLines)}")
-            });
-        }
-
-        if (request.DirectoryRoots.Count > 0)
-        {
-            var rootLines = request.DirectoryRoots.Select(root => $"• `{EscapeMarkdown(root)}`");
-            blocks.Add(new SectionBlock
-            {
-                Text = new Markdown($"*Directory Roots*\n{string.Join("\n", rootLines)}")
-            });
-        }
-
         if (request.HasAdoptedContext)
         {
             blocks.Add(new SectionBlock
@@ -190,6 +167,108 @@ public static IReadOnlyList<Block> BuildResolvedApprovalBlocks(
         return blocks;
     }
 
+    /// <summary>
+    /// Builds the prompt's header line. Single-verb invocations collapse the
+    /// verb into the header (<c>Approve git status in ~/repos/foo/?</c>);
+    /// multi-verb invocations use the generic <c>Approve in ~/repos/foo/?</c>
+    /// form and let the bullet list below name the verbs.
+    /// </summary>
+    /// <remarks>
+    /// The "in &lt;dir&gt;" portion shows the most meaningful target directory
+    /// the operator is being asked to trust. Priority order:
+    /// <list type="number">
+    /// <item>The single distinct path argument extracted across the
+    /// candidates (e.g. <c>cd /repo &amp;&amp; git status</c> shows
+    /// <c>/repo</c>).</item>
+    /// <item><c>cwd</c> if no path arguments are present.</item>
+    /// <item><c>this session</c> when the cwd is the per-session ephemeral
+    /// scratch directory — that path won't recur, so calling it out by name
+    /// would be misleading.</item>
+    /// </list>
+    /// </remarks>
+    private static string BuildApproveHeader(ToolInteractionRequest request)
+    {
+        var verbs = ResolveDisplayVerbs(request);
+        var location = ResolveHeaderLocation(request);
+
+        return verbs.Count == 1
+            ? $"Approve {verbs[0]} in {location}?"
+            : $"Approve in {location}?";
+    }
+
+    private static string ResolveHeaderLocation(ToolInteractionRequest request)
+    {
+        var distinctDirs = request.Candidates
+            .Where(c => !string.IsNullOrWhiteSpace(c.Directory))
+            .Select(c => c.Directory!)
+            .Distinct(StringComparer.Ordinal)
+            .ToList();
+
+        if (distinctDirs.Count == 1)
+            return distinctDirs[0];
+
+        if (distinctDirs.Count > 1)
+            return $"{distinctDirs.Count} directories";
+
+        // No path arguments — fall back to cwd, but prefer "this session" when
+        // the cwd is the session's ephemeral scratch directory so operators
+        // know an "Always here" grant would be a no-op.
+        if (string.IsNullOrWhiteSpace(request.Cwd))
+            return "(no working directory)";
+
+        return IsSessionScratchPath(request.Cwd) ? "this session" : request.Cwd;
+    }
+
+    private static bool IsSessionScratchPath(string cwd)
+    {
+        // Session directories live under "{netclaw-home}/sessions/{id}/" with
+        // {id} of the form "<channelId>_<unix-ts>_<random>" or a uuid. We use
+        // a path-segment check rather than full path equality so the helper
+        // works without access to NetclawPaths.SessionsBaseDirectory.
+        var normalized = cwd.Replace('\\', '/');
+        return normalized.Contains("/.netclaw/sessions/", StringComparison.OrdinalIgnoreCase);
+    }
+
+    /// <summary>
+    /// Single-line resolution message replacing v1's dual <c>Patterns</c> /
+    /// <c>Directory Roots</c> sections. The format mirrors the spec's
+    /// "tool-approval-gates: Resolution message single-line format" requirement:
+    /// <list type="bullet">
+    /// <item><c>Saved: &lt;verbs&gt; in &lt;dir&gt;</c> for <c>Always here</c></item>
+    /// <item><c>Saved: &lt;verbs&gt; anywhere</c> for <c>Always anywhere</c></item>
+    /// <item><c>Saved for this chat: &lt;verbs&gt; in &lt;dir&gt;</c> for <c>This chat</c></item>
+    /// <item><c>Approved (no save)</c> for <c>Once</c></item>
+    /// <item><c>Denied</c> for <c>Deny</c></item>
+    /// </list>
+    /// </summary>
+    private static string BuildResolutionLine(ToolInteractionRequest request, string selectedKey)
+    {
+        var verbs = string.Join(", ", ResolveDisplayVerbs(request));
+        var location = ResolveHeaderLocation(request);
+
+        return selectedKey switch
+        {
+            ApprovalOptionKeys.ApproveAlways => $"Saved: {verbs} in {location}",
+            ApprovalOptionKeys.ApproveEverywhere => $"Saved: {verbs} anywhere",
+            ApprovalOptionKeys.ApproveSession => $"Saved for this chat: {verbs} in {location}",
+            ApprovalOptionKeys.ApproveOnce => "Approved (no save)",
+            ApprovalOptionKeys.Deny => "Denied",
+            _ => "Resolved"
+        };
+    }
+
+    /// <summary>
+    /// Returns the verbs to display in the prompt body / resolution message.
+    /// Prefers <see cref="ToolInteractionRequest.CandidateVerbs"/> (the v2
+    /// matcher's verb-chain extraction); falls back to <c>Patterns</c> for
+    /// legacy callers and for messy commands where the matcher returned
+    /// nothing.
+    /// </summary>
+    private static IReadOnlyList<string> ResolveDisplayVerbs(ToolInteractionRequest request)
+        => request.CandidateVerbs.Count > 0
+            ? request.CandidateVerbs
+            : request.Patterns;
+
     private static void AppendAdoptedContextSummary(List<string> lines, ToolInteractionRequest request)
     {
         if (!request.HasAdoptedContext)
@@ -220,12 +299,13 @@ internal static bool TryParseButtonValue(string? value, out string? callId, out
         => ApprovalButtonValueCodec.TryDecode(value, out callId, out selectedKey, out requesterSenderId);
 
     private static ButtonStyle GetButtonStyle(string optionKey)
-        => optionKey switch
-        {
-            ApprovalOptionKeys.Deny => ButtonStyle.Danger,
-            ApprovalOptionKeys.ApproveOnce => ButtonStyle.Primary,
-            _ => ButtonStyle.Default
-        };
+    {
+        if (ApprovalOptionKeys.IsDangerStyled(optionKey))
+            return ButtonStyle.Danger;
+        if (optionKey == ApprovalOptionKeys.ApproveOnce)
+            return ButtonStyle.Primary;
+        return ButtonStyle.Default;
+    }
 
     internal static bool IsApprovalActionId(string? actionId)
         => !string.IsNullOrWhiteSpace(actionId)
@@ -234,16 +314,6 @@ internal static bool IsApprovalActionId(string? actionId)
     private static string BuildActionId(string optionKey)
         => $"{ApprovalActionId}_{optionKey}";
 
-    private static string GetDecisionLabel(string optionKey)
-        => optionKey switch
-        {
-            ApprovalOptionKeys.ApproveOnce => ApprovalOptionKeys.ApproveOnceLabel,
-            ApprovalOptionKeys.ApproveSession => ApprovalOptionKeys.ApproveSessionLabel,
-            ApprovalOptionKeys.ApproveAlways => ApprovalOptionKeys.ApproveAlwaysLabel,
-            ApprovalOptionKeys.Deny => ApprovalOptionKeys.DenyLabel,
-            _ => ApprovalOptionKeys.DenyLabel
-        };
-
     private static string EscapeMarkdown(string value)
         => value.Replace("`", "'", StringComparison.Ordinal);
 }
diff --git a/src/Netclaw.Cli.Tests/Approvals/ApprovalsCommandTests.cs b/src/Netclaw.Cli.Tests/Approvals/ApprovalsCommandTests.cs
index b38f7e82..967f85ac 100644
--- a/src/Netclaw.Cli.Tests/Approvals/ApprovalsCommandTests.cs
+++ b/src/Netclaw.Cli.Tests/Approvals/ApprovalsCommandTests.cs
@@ -31,13 +31,16 @@ public void Dispose()
         _dir.Dispose();
     }
 
+    private static ApprovalEntry Verb(string verb) => new() { Verb = verb, Directory = null };
+    private static ApprovalEntry InDir(string verb, string dir) => new() { Verb = verb, Directory = dir };
+
     private void SeedDefault()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "/home/user/logs/");
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "npm install");
-        _store.AddApproval(TrustAudience.Personal, "file_write", "/tmp/scratch/");
-        _store.AddApproval(TrustAudience.Public, "shell_execute", "ls");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("npm install"));
+        _store.AddApproval(TrustAudience.Personal, "file_write", InDir("file_write", "/tmp/scratch"));
+        _store.AddApproval(TrustAudience.Public, "shell_execute", Verb("ls"));
     }
 
     [Fact]
@@ -61,12 +64,12 @@ public async Task List_with_entries_groups_by_audience_and_tool()
         Assert.Contains("personal / shell_execute", text);
         Assert.Contains("personal / file_write", text);
         Assert.Contains("public / shell_execute", text);
-        Assert.Contains("git push", text);
-        Assert.Contains("/tmp/scratch/", text);
+        Assert.Contains("git push anywhere", text);
+        Assert.Contains("grep in /home/user/logs", text);
     }
 
     [Fact]
-    public async Task List_json_emits_audience_tool_pattern_shape()
+    public async Task List_json_emits_typed_entry_shape()
     {
         SeedDefault();
 
@@ -75,10 +78,17 @@ public async Task List_json_emits_audience_tool_pattern_shape()
         using var doc = JsonDocument.Parse(_output.ToString());
         var audiences = doc.RootElement.GetProperty("audiences");
         var personalShell = audiences.GetProperty("personal").GetProperty("shell_execute");
-        var patterns = personalShell.EnumerateArray().Select(e => e.GetString()).ToList();
-        Assert.Contains("git push", patterns);
-        Assert.Contains("/home/user/logs/", patterns);
-        Assert.Contains("npm install", patterns);
+        var verbs = personalShell.EnumerateArray().Select(e => e.GetProperty("verb").GetString()).ToList();
+        Assert.Contains("git push", verbs);
+        Assert.Contains("grep", verbs);
+        Assert.Contains("npm install", verbs);
+
+        // The grep entry should carry its directory; "git push" should not.
+        var grep = personalShell.EnumerateArray().Single(e => e.GetProperty("verb").GetString() == "grep");
+        Assert.Equal("/home/user/logs", grep.GetProperty("directory").GetString());
+
+        var gitPush = personalShell.EnumerateArray().Single(e => e.GetProperty("verb").GetString() == "git push");
+        Assert.False(gitPush.TryGetProperty("directory", out _));
     }
 
     [Fact]
@@ -97,31 +107,32 @@ await ApprovalsCommand.RunAsync(
     }
 
     [Fact]
-    public async Task Revoke_exact_match_removes_entry_and_returns_zero()
+    public async Task Revoke_global_wildcard_by_anywhere_form_removes_entry()
     {
         SeedDefault();
 
         var exit = await ApprovalsCommand.RunAsync(
-            ["approvals", "revoke", "git push", "--audience", "personal", "--tool", "shell_execute"],
+            ["approvals", "revoke", "git push anywhere", "--audience", "personal", "--tool", "shell_execute"],
             _paths, _output);
 
         Assert.Equal(0, exit);
-        Assert.DoesNotContain("git push", _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Contains("Removed 'git push'", _output.ToString());
+        var remaining = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.DoesNotContain(remaining, e => e.Verb == "git push" && e.Directory is null);
+        Assert.Contains("Removed 'git push anywhere'", _output.ToString());
     }
 
     [Fact]
     public async Task Revoke_no_match_exits_one_and_does_not_modify_file()
     {
         SeedDefault();
-        var beforeCount = _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute").Count;
+        var beforeCount = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute").Count;
 
         var exit = await ApprovalsCommand.RunAsync(
-            ["approvals", "revoke", "git pull", "--audience", "personal", "--tool", "shell_execute"],
+            ["approvals", "revoke", "git pull anywhere", "--audience", "personal", "--tool", "shell_execute"],
             _paths, _output);
 
         Assert.Equal(1, exit);
-        Assert.Equal(beforeCount, _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute").Count);
+        Assert.Equal(beforeCount, _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute").Count);
         Assert.Contains("No matching approval found.", _output.ToString());
     }
 
@@ -135,9 +146,9 @@ public async Task Revoke_tool_all_clears_every_entry_for_tool()
             _paths, _output);
 
         Assert.Equal(0, exit);
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Public, "shell_execute"));
-        Assert.Single(_store.GetApprovedPatterns(TrustAudience.Personal, "file_write"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Public, "shell_execute"));
+        Assert.Single(_store.GetApprovedEntries(TrustAudience.Personal, "file_write"));
     }
 
     [Fact]
@@ -150,22 +161,25 @@ public async Task Revoke_tool_all_scoped_by_audience_leaves_others_alone()
             _paths, _output);
 
         Assert.Equal(0, exit);
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Equal(["ls"], _store.GetApprovedPatterns(TrustAudience.Public, "shell_execute"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+
+        var publicShell = _store.GetApprovedEntries(TrustAudience.Public, "shell_execute");
+        Assert.Single(publicShell);
+        Assert.Equal("ls", publicShell[0].Verb);
     }
 
     [Fact]
     public async Task Revoke_all_without_tool_exits_one_and_does_not_modify_file()
     {
         SeedDefault();
-        var beforeCount = _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute").Count;
+        var beforeCount = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute").Count;
 
         var exit = await ApprovalsCommand.RunAsync(
             ["approvals", "revoke", "--all"],
             _paths, _output);
 
         Assert.Equal(1, exit);
-        Assert.Equal(beforeCount, _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute").Count);
+        Assert.Equal(beforeCount, _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute").Count);
         Assert.Contains("--all requires --tool", _output.ToString());
     }
 
@@ -216,16 +230,140 @@ public async Task Help_subcommand_exits_zero_and_prints_usage()
     [Fact]
     public async Task Revoke_unscoped_removes_match_across_audiences()
     {
-        // Same pattern stored under two audiences; unscoped revoke should hit both.
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "ls");
-        _store.AddApproval(TrustAudience.Public, "shell_execute", "ls");
+        // Same global wildcard stored under two audiences; unscoped revoke should hit both.
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("ls"));
+        _store.AddApproval(TrustAudience.Public, "shell_execute", Verb("ls"));
+
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "revoke", "ls anywhere"],
+            _paths, _output);
+
+        Assert.Equal(0, exit);
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Public, "shell_execute"));
+    }
+
+    // ── Folder-scoped revoke ──
+
+    [Fact]
+    public async Task Revoke_folder_scoped_form_removes_entry_with_matching_directory()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("git remote", "/home/user/repos/foo"));
+
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "revoke", "git remote in /home/user/repos/foo"],
+            _paths, _output);
+
+        Assert.Equal(0, exit);
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+    }
+
+    [Fact]
+    public async Task Revoke_folder_scoped_form_does_not_match_global_wildcard()
+    {
+        // The store has a (verb, null) entry; a folder-scoped revoke should not remove it.
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git remote"));
+
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "revoke", "git remote in /home/user/repos/foo"],
+            _paths, _output);
+
+        Assert.Equal(1, exit);
+        var remaining = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(remaining);
+        Assert.Null(remaining[0].Directory);
+    }
+
+    [Fact]
+    public async Task Revoke_unrecognized_pattern_exits_one_with_clear_message()
+    {
+        // No "anywhere" suffix and no " in " separator — not a valid revoke pattern.
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "revoke", "git remote"],
+            _paths, _output);
+
+        Assert.Equal(1, exit);
+        var output = _output.ToString();
+        Assert.Contains("Could not parse revoke pattern", output);
+        Assert.Contains("'<verb> in <directory>' or '<verb> anywhere'", output);
+    }
+
+    // ── trust-verb ──
 
+    [Fact]
+    public async Task TrustVerb_adds_global_wildcard_with_default_audience_and_tool()
+    {
         var exit = await ApprovalsCommand.RunAsync(
-            ["approvals", "revoke", "ls"],
+            ["approvals", "trust-verb", "freshdesk"],
             _paths, _output);
 
         Assert.Equal(0, exit);
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Public, "shell_execute"));
+        var entries = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(entries);
+        Assert.Equal("freshdesk", entries[0].Verb);
+        Assert.Null(entries[0].Directory);
+        Assert.Contains("Trusted 'freshdesk anywhere'", _output.ToString());
+    }
+
+    [Fact]
+    public async Task TrustVerb_is_idempotent_on_repeated_invocation()
+    {
+        await ApprovalsCommand.RunAsync(["approvals", "trust-verb", "freshdesk"], _paths, _output);
+        _output.GetStringBuilder().Clear();
+
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "trust-verb", "freshdesk"],
+            _paths, _output);
+
+        Assert.Equal(0, exit);
+        var entries = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(entries);
+        Assert.Contains("No changes", _output.ToString());
+    }
+
+    [Fact]
+    public async Task TrustVerb_honors_audience_and_tool_flags()
+    {
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "trust-verb", "freshdesk", "--audience", "team", "--tool", "shell_execute"],
+            _paths, _output);
+
+        Assert.Equal(0, exit);
+        Assert.Single(_store.GetApprovedEntries(TrustAudience.Team, "shell_execute"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+    }
+
+    [Fact]
+    public async Task TrustVerb_without_verb_argument_exits_one_with_usage()
+    {
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "trust-verb"],
+            _paths, _output);
+
+        Assert.Equal(1, exit);
+        Assert.Contains("Usage: netclaw approvals trust-verb", _output.ToString());
+    }
+
+    [Fact]
+    public async Task TrustVerb_unknown_audience_exits_one()
+    {
+        var exit = await ApprovalsCommand.RunAsync(
+            ["approvals", "trust-verb", "freshdesk", "--audience", "bogus"],
+            _paths, _output);
+
+        Assert.Equal(1, exit);
+        Assert.Contains("Unknown audience 'bogus'", _output.ToString());
+    }
+
+    // ── help mentions trust-verb ──
+
+    [Fact]
+    public async Task Help_lists_trust_verb_subcommand()
+    {
+        await ApprovalsCommand.RunAsync(["approvals", "help"], _paths, _output);
+
+        var output = _output.ToString();
+        Assert.Contains("trust-verb", output);
+        Assert.Contains("global-wildcard", output);
     }
 }
diff --git a/src/Netclaw.Cli.Tests/Cli/DaemonClientMappingTests.cs b/src/Netclaw.Cli.Tests/Cli/DaemonClientMappingTests.cs
index 4a85b350..4aa75ae1 100644
--- a/src/Netclaw.Cli.Tests/Cli/DaemonClientMappingTests.cs
+++ b/src/Netclaw.Cli.Tests/Cli/DaemonClientMappingTests.cs
@@ -269,8 +269,7 @@ public void ToolInteractionRequest_roundtrips_through_dto()
             HasThirdPartyAdoptedContext = true,
             AdoptedSpeakerIds = ["device-1", "device-2"],
             Patterns = ["git push"],
-            ApprovalEntries = ["git push"],
-            DirectoryRoots = [],
+            CandidateVerbs = ["git push"],
             Options =
             [
                 new ToolInteractionOption(ApprovalOptionKeys.ApproveOnce, ApprovalOptionKeys.ApproveOnceLabel),
@@ -288,8 +287,7 @@ public void ToolInteractionRequest_roundtrips_through_dto()
         Assert.True(dto.InteractionHasAdoptedContext);
         Assert.True(dto.InteractionHasThirdPartyAdoptedContext);
         Assert.Equal(["device-1", "device-2"], dto.InteractionAdoptedSpeakerIds);
-        Assert.Equal(["git push"], dto.InteractionApprovalEntries);
-        Assert.Equal([], dto.InteractionDirectoryRoots ?? []);
+        Assert.Equal(["git push"], dto.InteractionCandidateVerbs);
 
         var roundTripped = DaemonClient.FromDto(dto);
         var result = Assert.IsType<ToolInteractionRequest>(roundTripped);
@@ -301,8 +299,7 @@ public void ToolInteractionRequest_roundtrips_through_dto()
         Assert.True(result.HasThirdPartyAdoptedContext);
         Assert.Equal(["device-1", "device-2"], result.AdoptedSpeakerIds);
         Assert.Equal(["git push"], result.Patterns);
-        Assert.Equal(["git push"], result.ApprovalEntries);
-        Assert.Equal([], result.DirectoryRoots);
+        Assert.Equal(["git push"], result.CandidateVerbs);
         Assert.Equal(4, result.Options.Count);
     }
 
diff --git a/src/Netclaw.Cli.Tests/Doctor/ToolAudienceProfilesDoctorCheckTests.cs b/src/Netclaw.Cli.Tests/Doctor/ToolAudienceProfilesDoctorCheckTests.cs
index 380da7cd..403a05dc 100644
--- a/src/Netclaw.Cli.Tests/Doctor/ToolAudienceProfilesDoctorCheckTests.cs
+++ b/src/Netclaw.Cli.Tests/Doctor/ToolAudienceProfilesDoctorCheckTests.cs
@@ -483,53 +483,6 @@ public async Task MissingApprovalWarning_IsWarningSeverityNotError()
         Assert.Contains("approval default on Personal", result.Message);
     }
 
-    [Fact]
-    public async Task StalePathAwareShellApprovals_WarnWithResetInstructions()
-    {
-        WriteConfig(
-            """
-            {
-              "configVersion": 1,
-              "Tools": {
-                "ShellMode": "HostAllowed",
-                "AudienceProfiles": {
-                  "Personal": {
-                    "ToolsMode": "All",
-                    "McpServersMode": "All",
-                    "ApprovalPolicy": {
-                      "ToolOverrides": { "shell_execute": "Approval" }
-                    },
-                    "ReadFiles": { "Mode": "All" },
-                    "WriteFiles": { "Mode": "All" },
-                    "AttachFiles": { "Mode": "All" }
-                  }
-                }
-              }
-            }
-            """);
-
-        File.WriteAllText(
-            _paths.ToolApprovalsPath,
-            """
-            {
-              "audiences": {
-                "personal": {
-                  "shell_execute": ["cat", "git push"]
-                }
-              }
-            }
-            """);
-
-        var check = new ToolAudienceProfilesDoctorCheck(_paths);
-        var result = await check.RunAsync(TestContext.Current.CancellationToken);
-
-        Assert.Equal(DoctorSeverity.Warning, result.Severity);
-        Assert.Contains("bare path-aware command patterns", result.Message);
-        Assert.Contains("cat", result.Message);
-        Assert.Contains("Delete", result.Message);
-        Assert.Contains(_paths.ToolApprovalsPath, result.Message);
-    }
-
     private void WriteConfig(object config)
     {
         File.WriteAllText(
diff --git a/src/Netclaw.Cli.Tests/Tui/ApprovalsManagerPageTests.cs b/src/Netclaw.Cli.Tests/Tui/ApprovalsManagerPageTests.cs
index 9a04ed0d..77b5777e 100644
--- a/src/Netclaw.Cli.Tests/Tui/ApprovalsManagerPageTests.cs
+++ b/src/Netclaw.Cli.Tests/Tui/ApprovalsManagerPageTests.cs
@@ -51,12 +51,15 @@ public async Task EmptyStore_RendersEmptyMessageInTerminal()
             $"Expected empty-state message. Screen:\n{terminal}");
     }
 
+    private static ApprovalEntry Verb(string verb) => new() { Verb = verb, Directory = null };
+    private static ApprovalEntry InDir(string verb, string dir) => new() { Verb = verb, Directory = dir };
+
     [Fact]
     public async Task SeededEntries_RenderedInList()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "file_write", "/tmp/scratch/");
-        _store.AddApproval(TrustAudience.Public, "shell_execute", "ls");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "file_write", InDir("file_write", "/tmp/scratch"));
+        _store.AddApproval(TrustAudience.Public, "shell_execute", Verb("ls"));
 
         var (terminal, app, _) = CreateHeadlessApp(out var input);
         input.EnqueueKey(ConsoleKey.Q, false, false, true);
@@ -66,24 +69,24 @@ public async Task SeededEntries_RenderedInList()
 
         Assert.True(terminal.Contains("personal"),
             $"Expected audience 'personal'. Screen:\n{terminal}");
-        Assert.True(terminal.Contains("git push"),
-            $"Expected pattern 'git push'. Screen:\n{terminal}");
-        Assert.True(terminal.Contains("/tmp/scratch/"),
-            $"Expected pattern '/tmp/scratch/'. Screen:\n{terminal}");
-        Assert.True(terminal.Contains("ls"),
-            $"Expected pattern 'ls' (public audience). Screen:\n{terminal}");
+        Assert.True(terminal.Contains("git push anywhere"),
+            $"Expected entry 'git push anywhere'. Screen:\n{terminal}");
+        Assert.True(terminal.Contains("/tmp/scratch"),
+            $"Expected directory '/tmp/scratch'. Screen:\n{terminal}");
+        Assert.True(terminal.Contains("ls anywhere"),
+            $"Expected entry 'ls anywhere' (public audience). Screen:\n{terminal}");
     }
 
     [Fact]
     public async Task PressingR_OnSelection_TransitionsToConfirmAndRevokesOnEnter()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "npm install");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("npm install"));
 
         var (_, app, vm) = CreateHeadlessApp(out var input);
 
-        // First displayed entry is sorted alphabetically by audience+tool+pattern,
-        // so the selection at index 0 is "personal / shell_execute / git push".
+        // First displayed entry is sorted alphabetically by audience+tool+verb,
+        // so the selection at index 0 is "personal / shell_execute / git push anywhere".
         input.EnqueueKey(ConsoleKey.R);                 // Open revoke confirm.
         input.EnqueueKey(ConsoleKey.Enter);             // Confirm "Yes, revoke".
         input.EnqueueKey(ConsoleKey.Q, false, false, true);
@@ -91,16 +94,16 @@ public async Task PressingR_OnSelection_TransitionsToConfirmAndRevokesOnEnter()
         using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         await app.RunAsync(cts.Token);
 
-        var remaining = _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute");
-        Assert.DoesNotContain("git push", remaining);
-        Assert.Contains("npm install", remaining);
+        var remaining = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.DoesNotContain(remaining, e => e.Verb == "git push");
+        Assert.Contains(remaining, e => e.Verb == "npm install");
         Assert.Equal(ApprovalsManagerState.List, vm.CurrentState.Value);
     }
 
     [Fact]
     public async Task EscOnConfirm_CancelsRevoke()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
 
         var (_, app, _) = CreateHeadlessApp(out var input);
 
@@ -111,14 +114,15 @@ public async Task EscOnConfirm_CancelsRevoke()
         using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         await app.RunAsync(cts.Token);
 
-        Assert.Equal(["git push"],
-            _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
+        var entries = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(entries);
+        Assert.Equal("git push", entries[0].Verb);
     }
 
     [Fact]
     public async Task RevokingLastEntry_TransitionsListIntoEmptyState()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
 
         var (terminal, app, vm) = CreateHeadlessApp(out var input);
 
diff --git a/src/Netclaw.Cli/Approvals/ApprovalsCommand.cs b/src/Netclaw.Cli/Approvals/ApprovalsCommand.cs
index 891ea5ef..5df01c99 100644
--- a/src/Netclaw.Cli/Approvals/ApprovalsCommand.cs
+++ b/src/Netclaw.Cli/Approvals/ApprovalsCommand.cs
@@ -21,6 +21,9 @@ private sealed record ListOptions(TrustAudience? Audience, string? Tool, bool Em
 
     private sealed record RevokeOptions(string? Pattern, TrustAudience? Audience, string? Tool, bool RevokeAll);
 
+    private sealed record TrustVerbOptions(string Verb, TrustAudience Audience, string Tool);
+
+    public const string DefaultTrustVerbTool = "shell_execute";
 
     public static Task<int> RunAsync(
         string[] args,
@@ -34,6 +37,7 @@ public static Task<int> RunAsync(
         {
             "list" => Task.FromResult(RunList(args, paths, writer)),
             "revoke" => Task.FromResult(RunRevoke(args, paths, writer)),
+            "trust-verb" => Task.FromResult(RunTrustVerb(args, paths, writer)),
             "help" or "-h" or "--help" => Task.FromResult(WriteHelp(writer)),
             _ => Task.FromResult(WriteHelp(writer)),
         };
@@ -51,7 +55,7 @@ private static int RunList(string[] args, NetclawPaths paths, TextWriter writer)
 
         if (opts.EmitJson)
         {
-            writer.WriteLine(JsonSerializer.Serialize(view, JsonDefaults.Indented));
+            writer.WriteLine(JsonSerializer.Serialize(view, JsonDefaults.IndentedOmitNull));
             return 0;
         }
 
@@ -64,12 +68,12 @@ private static int RunList(string[] args, NetclawPaths paths, TextWriter writer)
         var first = true;
         foreach (var (audienceKey, tools) in view.Audiences)
         {
-            foreach (var (toolName, patterns) in tools)
+            foreach (var (toolName, entries) in tools)
             {
                 if (!first) writer.WriteLine();
                 writer.WriteLine($"{audienceKey} / {toolName}");
-                foreach (var pattern in patterns)
-                    writer.WriteLine($"  {pattern}");
+                foreach (var entry in entries)
+                    writer.WriteLine($"  {entry.FormatScope()}");
                 first = false;
             }
         }
@@ -102,6 +106,18 @@ private static int RunRevoke(string[] args, NetclawPaths paths, TextWriter write
             return 1;
         }
 
+        // Could not parse — the CLI is the deliberate scriptable path, so
+        // we reject unrecognized inputs loudly rather than silently treat a
+        // bare verb as a global wildcard.
+        if (!ApprovalEntry.TryParseScope(opts.Pattern, out var lookup, out var parseError))
+        {
+            writer.WriteLine($"Error: {parseError}");
+            writer.WriteLine("Could not parse revoke pattern '" + opts.Pattern + "'.");
+            writer.WriteLine("Patterns must use the form '<verb> in <directory>' or '<verb> anywhere',");
+            writer.WriteLine("matching the labels emitted by 'netclaw approvals list'.");
+            return 1;
+        }
+
         var snapshot = store.Snapshot();
         var removedAny = false;
 
@@ -117,7 +133,7 @@ private static int RunRevoke(string[] args, NetclawPaths paths, TextWriter write
                 if (opts.Tool is not null && !string.Equals(toolName, opts.Tool, StringComparison.Ordinal))
                     continue;
 
-                if (store.RemoveApproval(audience, toolName, opts.Pattern))
+                if (store.RemoveApproval(audience, toolName, lookup))
                 {
                     writer.WriteLine($"Removed '{opts.Pattern}' from {audienceKey} / {toolName}.");
                     removedAny = true;
@@ -134,6 +150,74 @@ private static int RunRevoke(string[] args, NetclawPaths paths, TextWriter write
         return 0;
     }
 
+    private static int RunTrustVerb(string[] args, NetclawPaths paths, TextWriter writer)
+    {
+        if (TryParseTrustVerbFlags(args, writer) is not { } opts)
+            return 1;
+
+        var store = new ToolApprovalStore(paths.ToolApprovalsPath);
+        WarnIfQuarantined(store, writer);
+
+        var entry = new ApprovalEntry { Verb = opts.Verb, Directory = null };
+
+        var existing = store.GetApprovedEntries(opts.Audience, opts.Tool);
+        var alreadyTrusted = existing.Any(e => ToolApprovalEntryComparer.Equals(e, entry));
+
+        if (alreadyTrusted)
+        {
+            writer.WriteLine($"No changes: '{opts.Verb} anywhere' is already trusted for {opts.Audience.ToWireValue()} / {opts.Tool}.");
+            return 0;
+        }
+
+        store.AddApproval(opts.Audience, opts.Tool, entry);
+        writer.WriteLine($"Trusted '{opts.Verb} anywhere' for {opts.Audience.ToWireValue()} / {opts.Tool}.");
+        return 0;
+    }
+
+    private static TrustVerbOptions? TryParseTrustVerbFlags(string[] args, TextWriter writer)
+    {
+        string? verb = null;
+        TrustAudience? audience = null;
+        string? tool = null;
+
+        for (var i = 2; i < args.Length; i++)
+        {
+            switch (TryConsumeSharedFlag(args, ref i, writer, ref audience, ref tool))
+            {
+                case FlagOutcome.Consumed: continue;
+                case FlagOutcome.Error: return null;
+            }
+
+            var arg = args[i];
+            if (arg.StartsWith("--", StringComparison.Ordinal))
+            {
+                writer.WriteLine($"Error: Unknown flag: {arg}");
+                return null;
+            }
+
+            if (verb is not null)
+            {
+                writer.WriteLine($"Error: Unexpected extra argument: {arg}");
+                return null;
+            }
+            verb = arg;
+        }
+
+        if (string.IsNullOrWhiteSpace(verb))
+        {
+            writer.WriteLine("Usage: netclaw approvals trust-verb <verb> [--audience personal|team|public] [--tool <name>]");
+            writer.WriteLine();
+            writer.WriteLine("Adds a global-wildcard '(verb, null)' approval entry — the verb runs in any cwd");
+            writer.WriteLine("without prompting. Used to pre-approve verbs for unattended/scheduled tasks.");
+            return null;
+        }
+
+        return new TrustVerbOptions(
+            Verb: verb!.Trim(),
+            Audience: audience ?? TrustAudience.Personal,
+            Tool: string.IsNullOrWhiteSpace(tool) ? DefaultTrustVerbTool : tool);
+    }
+
     private static int RunRevokeAll(RevokeOptions opts, ToolApprovalStore store, TextWriter writer)
     {
         IEnumerable<TrustAudience> audiences = opts.Audience is { } only ? [only] : TrustAudiences.All;
@@ -159,16 +243,23 @@ private static int WriteHelp(TextWriter writer)
         writer.WriteLine("  (none) | tui      Launch the interactive approvals TUI.");
         writer.WriteLine("  list              List persistent approvals from tool-approvals.json.");
         writer.WriteLine("                    Flags: --audience <personal|team|public>, --tool <name>, --json");
-        writer.WriteLine("  revoke <pattern>  Remove an exact-match approval entry.");
+        writer.WriteLine("  revoke <pattern>  Remove an approval entry by its user-visible form:");
+        writer.WriteLine("                      '<verb> in <directory>'  — folder-scoped grant");
+        writer.WriteLine("                      '<verb> anywhere'         — global wildcard");
         writer.WriteLine("                    Flags: --audience <personal|team|public>, --tool <name>");
         writer.WriteLine("  revoke --tool <name> --all");
         writer.WriteLine("                    Remove every approval entry for a tool.");
         writer.WriteLine("                    Flags: --audience <personal|team|public>");
+        writer.WriteLine("  trust-verb <verb> Add a global-wildcard '(verb, null)' approval — the verb runs");
+        writer.WriteLine("                    in any cwd without prompting. Use to pre-approve verbs for");
+        writer.WriteLine("                    unattended or scheduled invocations.");
+        writer.WriteLine("                    Flags: --audience <personal|team|public> (default personal)");
+        writer.WriteLine("                           --tool <name>                       (default shell_execute)");
         writer.WriteLine("  help              Show this message.");
         writer.WriteLine();
         writer.WriteLine("Exit codes: 0 success, 1 user error or no match.");
         writer.WriteLine();
-        writer.WriteLine("The daemon does not require a restart after a revoke; the next approval");
+        writer.WriteLine("The daemon does not require a restart after these mutations; the next approval");
         writer.WriteLine("check re-reads the file.");
         return 0;
     }
@@ -285,7 +376,7 @@ private static FlagOutcome TryConsumeSharedFlag(
     }
 
     private static ApprovalsListView BuildView(
-        IReadOnlyDictionary<string, IReadOnlyDictionary<string, IReadOnlyList<string>>> snapshot,
+        IReadOnlyDictionary<string, IReadOnlyDictionary<string, IReadOnlyList<ApprovalEntry>>> snapshot,
         TrustAudience? audienceFilter,
         string? toolFilter)
     {
@@ -299,13 +390,17 @@ private static ApprovalsListView BuildView(
                 if (parsed != audienceFilter.Value) continue;
             }
 
-            var filteredTools = new SortedDictionary<string, List<string>>(StringComparer.Ordinal);
-            foreach (var (toolName, patterns) in tools)
+            var filteredTools = new SortedDictionary<string, List<ApprovalEntry>>(StringComparer.Ordinal);
+            foreach (var (toolName, entries) in tools)
             {
                 if (toolFilter is not null && !string.Equals(toolName, toolFilter, StringComparison.Ordinal))
                     continue;
-                if (patterns.Count == 0) continue;
-                filteredTools[toolName] = [.. patterns.OrderBy(p => p, StringComparer.Ordinal)];
+                if (entries.Count == 0) continue;
+                filteredTools[toolName] =
+                [
+                    .. entries.OrderBy(static e => e.Verb, StringComparer.Ordinal)
+                              .ThenBy(static e => e.Directory ?? string.Empty, StringComparer.Ordinal)
+                ];
             }
 
             if (filteredTools.Count > 0)
@@ -317,11 +412,21 @@ private static ApprovalsListView BuildView(
 
     private static void WarnIfQuarantined(ToolApprovalStore store, TextWriter writer)
     {
-        if (!File.Exists(store.QuarantinePath))
-            return;
+        // Two quarantine paths exist after the v2 cutover:
+        //   - .v1.bak  : legacy v1 file detected and moved aside on upgrade
+        //   - .invalid : malformed (unparseable) file moved aside as fail-closed
+        // Operators see different remediation guidance for each.
+        if (File.Exists(store.V1QuarantinePath))
+        {
+            writer.WriteLine($"Note: Your previous approvals were quarantined to '{store.V1QuarantinePath}' during the v2 schema upgrade.");
+            writer.WriteLine("      Inspect or restore manually if needed; the daemon started with an empty v2 store.");
+        }
 
-        writer.WriteLine($"Warning: A quarantined approvals file exists at '{store.QuarantinePath}'.");
-        writer.WriteLine("         The active file was reset to empty after a parse failure.");
-        writer.WriteLine("         Inspect the .invalid copy before restoring grants.");
+        if (File.Exists(store.MalformedQuarantinePath))
+        {
+            writer.WriteLine($"Warning: A malformed approvals file was quarantined to '{store.MalformedQuarantinePath}'.");
+            writer.WriteLine("         The active file was reset to empty after a parse failure.");
+            writer.WriteLine("         Inspect the .invalid copy before restoring grants.");
+        }
     }
 }
diff --git a/src/Netclaw.Cli/Approvals/ApprovalsListView.cs b/src/Netclaw.Cli/Approvals/ApprovalsListView.cs
index 1708b2da..f2023868 100644
--- a/src/Netclaw.Cli/Approvals/ApprovalsListView.cs
+++ b/src/Netclaw.Cli/Approvals/ApprovalsListView.cs
@@ -4,17 +4,19 @@
 // </copyright>
 // -----------------------------------------------------------------------
 using System.Text.Json.Serialization;
+using Netclaw.Configuration;
 
 namespace Netclaw.Cli.Approvals;
 
 /// <summary>
 /// Stable JSON output shape for <c>netclaw approvals list --json</c>. Uses the
-/// same audience/tool/patterns layout as <c>tool-approvals.json</c> so scripts
-/// can reuse parsers across both surfaces.
+/// same audience/tool/entries layout as <c>tool-approvals.json</c> so scripts
+/// can reuse parsers across both surfaces. Entries preserve the typed
+/// <see cref="ApprovalEntry"/> shape (<c>verb</c> + nullable <c>directory</c>).
 /// </summary>
 internal sealed class ApprovalsListView
 {
     [JsonPropertyName("audiences")]
-    public SortedDictionary<string, SortedDictionary<string, List<string>>> Audiences { get; }
+    public SortedDictionary<string, SortedDictionary<string, List<ApprovalEntry>>> Audiences { get; }
         = new(StringComparer.Ordinal);
 }
diff --git a/src/Netclaw.Cli/Doctor/ToolAudienceProfilesDoctorCheck.cs b/src/Netclaw.Cli/Doctor/ToolAudienceProfilesDoctorCheck.cs
index 1ca6646d..c1efdd3b 100644
--- a/src/Netclaw.Cli/Doctor/ToolAudienceProfilesDoctorCheck.cs
+++ b/src/Netclaw.Cli/Doctor/ToolAudienceProfilesDoctorCheck.cs
@@ -320,7 +320,9 @@ private static void CheckStaleApprovals(ToolConfig toolConfig, NetclawPaths netc
 
             foreach (var (audienceKey, tools) in data.Audiences)
             {
-                if (!tools.TryGetValue(ShellTool.ToolName, out var patterns))
+                if (!tools.TryGetValue(ShellTool.ToolName, out var entries))
+                    continue;
+                if (entries.Count == 0)
                     continue;
 
                 if (toolConfig.ShellMode == ShellExecutionMode.Off)
@@ -329,20 +331,6 @@ private static void CheckStaleApprovals(ToolConfig toolConfig, NetclawPaths netc
                         $"Persistent approvals exist for {audienceKey}.{ShellTool.ToolName} " +
                         "but shell is disabled.");
                 }
-
-                var stalePathAwarePatterns = patterns
-                    .Where(ShellTokenizer.IsSingleTokenPathAwarePattern)
-                    .Distinct(StringComparer.OrdinalIgnoreCase)
-                    .Order(StringComparer.OrdinalIgnoreCase)
-                    .ToArray();
-
-                if (stalePathAwarePatterns.Length == 0)
-                    continue;
-
-                warnings.Add(
-                    $"Persistent shell approvals for audience '{audienceKey}' contain bare path-aware command patterns " +
-                    $"({string.Join(", ", stalePathAwarePatterns)}). These no longer pre-approve path-targeting shell commands. " +
-                    $"Delete '{approvalsPath}' and restart the daemon to rebuild approvals under the stricter matcher.");
             }
         }
         catch (Exception ex)
diff --git a/src/Netclaw.Cli/Json/JsonDefaults.cs b/src/Netclaw.Cli/Json/JsonDefaults.cs
index e76a1bfd..20f0ab13 100644
--- a/src/Netclaw.Cli/Json/JsonDefaults.cs
+++ b/src/Netclaw.Cli/Json/JsonDefaults.cs
@@ -39,6 +39,18 @@ internal static class JsonDefaults
         WriteIndented = true,
     };
 
+    /// <summary>
+    /// Pretty-printed terminal output with nulls omitted. Used by surfaces
+    /// (e.g. <c>netclaw approvals list --json</c>) that round-trip nullable
+    /// fields to a file format that also omits nulls, so the CLI output and
+    /// the on-disk file have a matching shape.
+    /// </summary>
+    internal static readonly JsonSerializerOptions IndentedOmitNull = new()
+    {
+        WriteIndented = true,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+    };
+
     /// <summary>
     /// Config and secrets file serialization: pretty-printed with enum values as strings.
     /// </summary>
diff --git a/src/Netclaw.Cli/Tui/ApprovalsManagerPage.cs b/src/Netclaw.Cli/Tui/ApprovalsManagerPage.cs
index d65de80d..ff59d123 100644
--- a/src/Netclaw.Cli/Tui/ApprovalsManagerPage.cs
+++ b/src/Netclaw.Cli/Tui/ApprovalsManagerPage.cs
@@ -127,7 +127,7 @@ private ILayoutNode BuildEmptyView()
     private ILayoutNode BuildListView()
     {
         var rows = ViewModel.DisplayApprovals
-            .Select(item => $"{item.AudienceWire,-10} {item.ToolName,-20} {item.Pattern}")
+            .Select(item => $"{item.AudienceWire,-10} {item.ToolName,-20} {item.DisplayText}")
             .ToList();
 
         _approvalList = Layouts.SelectionList(rows)
@@ -149,7 +149,7 @@ private ILayoutNode BuildListView()
             .DisposeWith(_stepSubs);
 
         return Layouts.Vertical()
-            .WithChild(new TextNode($"  {"Audience",-10} {"Tool",-20} Pattern")
+            .WithChild(new TextNode($"  {"Audience",-10} {"Tool",-20} Approval")
                 .WithForeground(Color.White).Bold())
             .WithChild(_approvalList);
     }
@@ -159,7 +159,7 @@ private ILayoutNode BuildRevokeConfirmView()
         var target = ViewModel.PendingRevoke;
         var summary = target is null
             ? "  Revoke entry?"
-            : $"  Revoke '{target.Pattern}' from {target.AudienceWire} / {target.ToolName}?";
+            : $"  Revoke '{target.DisplayText}' from {target.AudienceWire} / {target.ToolName}?";
 
         var items = new List<string> { "Yes, revoke", "No, cancel" };
         _confirmList = Layouts.SelectionList(items)
diff --git a/src/Netclaw.Cli/Tui/ApprovalsManagerViewModel.cs b/src/Netclaw.Cli/Tui/ApprovalsManagerViewModel.cs
index a5081d2f..232174f5 100644
--- a/src/Netclaw.Cli/Tui/ApprovalsManagerViewModel.cs
+++ b/src/Netclaw.Cli/Tui/ApprovalsManagerViewModel.cs
@@ -21,7 +21,10 @@ public sealed record ApprovalDisplayItem(
     TrustAudience Audience,
     string AudienceWire,
     string ToolName,
-    string Pattern);
+    ApprovalEntry Entry)
+{
+    public string DisplayText => Entry.FormatScope();
+}
 
 /// <summary>
 /// ViewModel for the <c>netclaw approvals</c> interactive TUI. The page is
@@ -66,8 +69,12 @@ public void Refresh()
             var tools = snapshot[audienceKey];
             foreach (var toolName in tools.Keys.OrderBy(k => k, StringComparer.Ordinal))
             {
-                foreach (var pattern in tools[toolName].OrderBy(p => p, StringComparer.Ordinal))
-                    DisplayApprovals.Add(new ApprovalDisplayItem(audience, audienceKey, toolName, pattern));
+                foreach (var entry in tools[toolName]
+                    .OrderBy(static e => e.Verb, StringComparer.Ordinal)
+                    .ThenBy(static e => e.Directory ?? string.Empty, StringComparer.Ordinal))
+                {
+                    DisplayApprovals.Add(new ApprovalDisplayItem(audience, audienceKey, toolName, entry));
+                }
             }
         }
 
@@ -99,9 +106,9 @@ public void ConfirmRevoke()
             return;
         }
 
-        var removed = _store.RemoveApproval(target.Audience, target.ToolName, target.Pattern);
+        var removed = _store.RemoveApproval(target.Audience, target.ToolName, target.Entry);
         StatusMessage.Value = removed
-            ? $"✔ Removed '{target.Pattern}' from {target.AudienceWire} / {target.ToolName}."
+            ? $"✔ Removed '{target.DisplayText}' from {target.AudienceWire} / {target.ToolName}."
             : $"⚠ Entry not found (may have been removed elsewhere).";
 
         PendingRevoke = null;
diff --git a/src/Netclaw.Cli/Tui/ChatPage.cs b/src/Netclaw.Cli/Tui/ChatPage.cs
index 90142e5d..d164d223 100644
--- a/src/Netclaw.Cli/Tui/ChatPage.cs
+++ b/src/Netclaw.Cli/Tui/ChatPage.cs
@@ -361,9 +361,7 @@ private void HandleOutput(SessionOutput output)
                 _chatHistory.AppendLine($"  {msg.DisplayText}", Color.White);
                 if (msg.Patterns.Count > 0)
                     _chatHistory.AppendLine($"  Patterns: {string.Join(", ", msg.Patterns)}", Color.BrightBlack);
-                if (msg.DirectoryRoots.Count > 0)
-                    _chatHistory.AppendLine($"  Directory roots: {string.Join(", ", msg.DirectoryRoots)}", Color.BrightBlack);
-                _chatHistory.AppendLine("  Choose Approve once, Approve for this chat, Approve always, or Deny below.", Color.Yellow);
+                _chatHistory.AppendLine("  Choose Once, This chat, Always here, Always anywhere, or Deny below.", Color.Yellow);
                 _chatHistory.ScrollToBottom();
                 break;
 
diff --git a/src/Netclaw.Cli/Tui/ChatViewModel.cs b/src/Netclaw.Cli/Tui/ChatViewModel.cs
index 2fcc80f0..2ca700f8 100644
--- a/src/Netclaw.Cli/Tui/ChatViewModel.cs
+++ b/src/Netclaw.Cli/Tui/ChatViewModel.cs
@@ -255,10 +255,7 @@ public string GetApprovalPrompt()
         var patterns = interaction.Patterns.Count > 0
             ? $" Patterns: {string.Join(", ", interaction.Patterns)}"
             : string.Empty;
-        var roots = interaction.DirectoryRoots.Count > 0
-            ? $" Directory roots: {string.Join(", ", interaction.DirectoryRoots)}"
-            : string.Empty;
-        return $"Approval required for {interaction.ToolName}. {interaction.DisplayText}{patterns}{roots}";
+        return $"Approval required for {interaction.ToolName}. {interaction.DisplayText}{patterns}";
     }
 
     public string? GetApprovalHint()
diff --git a/src/Netclaw.Configuration.Tests/AudienceTrustStoreTests.cs b/src/Netclaw.Configuration.Tests/AudienceTrustStoreTests.cs
new file mode 100644
index 00000000..7a462ec0
--- /dev/null
+++ b/src/Netclaw.Configuration.Tests/AudienceTrustStoreTests.cs
@@ -0,0 +1,329 @@
+// -----------------------------------------------------------------------
+// <copyright file="AudienceTrustStoreTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Xunit;
+
+namespace Netclaw.Configuration.Tests;
+
+public sealed class AudienceTrustStoreTests : IDisposable
+{
+    private readonly string _file;
+    private readonly AudienceTrustStore _store;
+
+    public AudienceTrustStoreTests()
+    {
+        _file = Path.Combine(Path.GetTempPath(), $"netclaw-trust-{Guid.NewGuid():N}.json");
+        _store = new AudienceTrustStore(_file);
+    }
+
+    public void Dispose()
+    {
+        if (File.Exists(_file)) File.Delete(_file);
+        if (File.Exists(_store.LegacyQuarantinePath)) File.Delete(_store.LegacyQuarantinePath);
+        if (File.Exists(_store.MalformedQuarantinePath)) File.Delete(_store.MalformedQuarantinePath);
+    }
+
+    // -------------------------------------------------------------------
+    // Load: empty / missing / parsing
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Load_returns_empty_when_file_missing()
+    {
+        var data = _store.Load();
+        Assert.Empty(data);
+    }
+
+    [Fact]
+    public void Load_returns_empty_when_file_is_empty_object()
+    {
+        File.WriteAllText(_file, "{}");
+        var data = _store.Load();
+        Assert.Empty(data);
+    }
+
+    [Fact]
+    public void Load_returns_persisted_state()
+    {
+        File.WriteAllText(_file, """
+        {
+          "personal": { "verbPatterns": ["git push *"], "trustedZones": ["/etc/nginx"] },
+          "team": { "verbPatterns": [], "trustedZones": ["/opt/shared"] }
+        }
+        """);
+
+        var data = _store.Load();
+
+        Assert.Equal(2, data.Count);
+        Assert.Contains("git push *", data["personal"].VerbPatterns);
+        Assert.Contains("/etc/nginx", data["personal"].TrustedZones);
+        Assert.Empty(data["team"].VerbPatterns);
+        Assert.Contains("/opt/shared", data["team"].TrustedZones);
+    }
+
+    // -------------------------------------------------------------------
+    // Legacy quarantine: v1 list and v2 versioned wrapper both archived
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Load_quarantines_v1_list_shape_to_legacy_bak()
+    {
+        File.WriteAllText(_file, """[{"verb":"git push","directory":null}]""");
+
+        var data = _store.Load();
+
+        Assert.Empty(data);
+        Assert.False(File.Exists(_file), "legacy file should be moved aside");
+        Assert.True(File.Exists(_store.LegacyQuarantinePath), "legacy file should appear in .v2-discarded.bak");
+    }
+
+    [Fact]
+    public void Load_quarantines_v2_versioned_wrapper_to_legacy_bak()
+    {
+        File.WriteAllText(_file, """
+        {
+          "version": 2,
+          "audiences": {
+            "personal": { "shell_execute": [ {"verb": "git push", "directory": null} ] }
+          }
+        }
+        """);
+
+        var data = _store.Load();
+
+        Assert.Empty(data);
+        Assert.False(File.Exists(_file));
+        Assert.True(File.Exists(_store.LegacyQuarantinePath));
+    }
+
+    [Fact]
+    public void Load_quarantines_files_with_only_audiences_wrapper()
+    {
+        // Bare {audiences:...} without a version is also v2-shape and should
+        // archive — the audiences wrapper itself is the marker.
+        File.WriteAllText(_file, """{"audiences": {}}""");
+
+        var data = _store.Load();
+
+        Assert.Empty(data);
+        Assert.True(File.Exists(_store.LegacyQuarantinePath));
+    }
+
+    [Fact]
+    public void Load_quarantines_malformed_json_to_invalid_sibling()
+    {
+        File.WriteAllText(_file, "{not json");
+
+        var data = _store.Load();
+
+        Assert.Empty(data);
+        Assert.False(File.Exists(_file));
+        Assert.True(File.Exists(_store.MalformedQuarantinePath));
+    }
+
+    // -------------------------------------------------------------------
+    // AddVerbPattern
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void AddVerbPattern_persists_and_round_trips()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+
+        var roundTripped = new AudienceTrustStore(_file).Load();
+        Assert.Contains("git push *", roundTripped["personal"].VerbPatterns);
+    }
+
+    [Fact]
+    public void AddVerbPattern_is_idempotent_on_duplicates()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddVerbPattern(TrustAudience.Personal, "GIT PUSH *");
+
+        var patterns = _store.GetVerbPatterns(TrustAudience.Personal);
+        Assert.Single(patterns);
+    }
+
+    [Fact]
+    public void AddVerbPattern_rejects_bare_verb_without_arg_glob()
+    {
+        var ex = Assert.Throws<ArgumentException>(
+            () => _store.AddVerbPattern(TrustAudience.Personal, "git push"));
+        Assert.Contains("trailing arg-glob suffix", ex.Message);
+    }
+
+    [Fact]
+    public void AddVerbPattern_rejects_empty_input()
+    {
+        Assert.Throws<ArgumentException>(
+            () => _store.AddVerbPattern(TrustAudience.Personal, "   "));
+    }
+
+    [Fact]
+    public void AddVerbPattern_accepts_specific_glob_in_args()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "rm /tmp/*");
+        Assert.Contains("rm /tmp/*", _store.GetVerbPatterns(TrustAudience.Personal));
+    }
+
+    // -------------------------------------------------------------------
+    // AddTrustedZone
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void AddTrustedZone_persists_and_round_trips()
+    {
+        _store.AddTrustedZone(TrustAudience.Team, "/opt/shared");
+
+        var roundTripped = new AudienceTrustStore(_file).Load();
+        Assert.Contains("/opt/shared", roundTripped["team"].TrustedZones);
+    }
+
+    [Fact]
+    public void AddTrustedZone_normalizes_trailing_slash()
+    {
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx/");
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+
+        var zones = _store.GetTrustedZones(TrustAudience.Personal);
+        Assert.Single(zones);
+        Assert.Equal("/etc/nginx", zones[0]);
+    }
+
+    [Fact]
+    public void AddTrustedZone_is_idempotent_case_insensitive()
+    {
+        _store.AddTrustedZone(TrustAudience.Personal, "/Etc/Nginx");
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+
+        Assert.Single(_store.GetTrustedZones(TrustAudience.Personal));
+    }
+
+    [Fact]
+    public void AddTrustedZone_rejects_empty_input()
+    {
+        Assert.Throws<ArgumentException>(
+            () => _store.AddTrustedZone(TrustAudience.Personal, "   "));
+    }
+
+    // -------------------------------------------------------------------
+    // RemoveVerbPattern / RemoveTrustedZone
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void RemoveVerbPattern_returns_false_when_audience_absent()
+    {
+        Assert.False(_store.RemoveVerbPattern(TrustAudience.Personal, "git push *"));
+    }
+
+    [Fact]
+    public void RemoveVerbPattern_removes_existing_entry()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddVerbPattern(TrustAudience.Personal, "rm /tmp/*");
+
+        Assert.True(_store.RemoveVerbPattern(TrustAudience.Personal, "git push *"));
+
+        var remaining = _store.GetVerbPatterns(TrustAudience.Personal);
+        Assert.Single(remaining);
+        Assert.Equal("rm /tmp/*", remaining[0]);
+    }
+
+    [Fact]
+    public void RemoveVerbPattern_is_case_insensitive()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        Assert.True(_store.RemoveVerbPattern(TrustAudience.Personal, "GIT PUSH *"));
+        Assert.Empty(_store.GetVerbPatterns(TrustAudience.Personal));
+    }
+
+    [Fact]
+    public void RemoveTrustedZone_removes_existing_entry()
+    {
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+        Assert.True(_store.RemoveTrustedZone(TrustAudience.Personal, "/etc/nginx"));
+        Assert.Empty(_store.GetTrustedZones(TrustAudience.Personal));
+    }
+
+    [Fact]
+    public void RemoveTrustedZone_normalizes_trailing_slash_for_lookup()
+    {
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+        Assert.True(_store.RemoveTrustedZone(TrustAudience.Personal, "/etc/nginx/"));
+    }
+
+    [Fact]
+    public void Audience_cleaned_up_when_both_stores_empty()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.RemoveVerbPattern(TrustAudience.Personal, "git push *");
+
+        var snapshot = _store.Snapshot();
+        Assert.DoesNotContain("personal", snapshot.Keys);
+    }
+
+    [Fact]
+    public void Audience_retained_when_other_store_still_populated()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+        _store.RemoveVerbPattern(TrustAudience.Personal, "git push *");
+
+        var snapshot = _store.Snapshot();
+        Assert.Contains("personal", snapshot.Keys);
+        Assert.Contains("/etc/nginx", snapshot["personal"].TrustedZones);
+    }
+
+    // -------------------------------------------------------------------
+    // Per-audience independence
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Stores_are_independent_per_audience()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddTrustedZone(TrustAudience.Team, "/opt/shared");
+
+        Assert.Empty(_store.GetVerbPatterns(TrustAudience.Team));
+        Assert.Empty(_store.GetTrustedZones(TrustAudience.Personal));
+    }
+
+    [Fact]
+    public void Snapshot_returns_decoupled_copy()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        var snapshot = _store.Snapshot();
+
+        // Mutating the snapshot must not affect the underlying store.
+        snapshot["personal"].VerbPatterns.Add("rm *");
+
+        var fresh = _store.GetVerbPatterns(TrustAudience.Personal);
+        Assert.Single(fresh);
+        Assert.Equal("git push *", fresh[0]);
+    }
+
+    // -------------------------------------------------------------------
+    // On-disk shape sanity check
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Save_emits_per_audience_top_level_keys_without_version_wrapper()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+        _store.AddTrustedZone(TrustAudience.Team, "/opt/shared");
+
+        var json = File.ReadAllText(_file);
+
+        // No version field, no audiences wrapper — the spec requires per-audience
+        // top-level keys directly.
+        Assert.DoesNotContain("\"version\"", json);
+        Assert.DoesNotContain("\"audiences\"", json);
+        Assert.Contains("\"personal\"", json);
+        Assert.Contains("\"team\"", json);
+        Assert.Contains("\"verbPatterns\"", json);
+        Assert.Contains("\"trustedZones\"", json);
+    }
+}
diff --git a/src/Netclaw.Configuration.Tests/SafeVerbLoaderTests.cs b/src/Netclaw.Configuration.Tests/SafeVerbLoaderTests.cs
new file mode 100644
index 00000000..f39999f5
--- /dev/null
+++ b/src/Netclaw.Configuration.Tests/SafeVerbLoaderTests.cs
@@ -0,0 +1,92 @@
+// -----------------------------------------------------------------------
+// <copyright file="SafeVerbLoaderTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Xunit;
+
+namespace Netclaw.Configuration.Tests;
+
+public sealed class SafeVerbLoaderTests
+{
+    [Fact]
+    public void Load_returns_bundled_linux_defaults()
+    {
+        var list = SafeVerbLoader.Load(isWindows: false);
+
+        // Spot-check a few entries from the spec's default Linux list.
+        Assert.True(list.Contains("ls"));
+        Assert.True(list.Contains("grep"));
+        Assert.True(list.Contains("git status"));
+        Assert.True(list.Contains("sed -n"));
+        Assert.False(list.Contains("git push"));
+        Assert.False(list.Contains("rm"));
+    }
+
+    [Fact]
+    public void Load_returns_bundled_windows_defaults()
+    {
+        var list = SafeVerbLoader.Load(isWindows: true);
+
+        // Spot-check a few entries from the spec's default Windows list.
+        Assert.True(list.Contains("dir"));
+        Assert.True(list.Contains("Get-Content"));
+        Assert.True(list.Contains("Test-Path"));
+        Assert.True(list.Contains("git status"));
+        Assert.False(list.Contains("Remove-Item"));
+    }
+
+    [Fact]
+    public void Load_public_overload_returns_current_OS_defaults()
+    {
+        // Smoke test on the parameterless overload: it always returns a
+        // non-empty list — the embedded resource is required at build time.
+        var list = SafeVerbLoader.Load();
+
+        Assert.NotEmpty(list.Verbs);
+    }
+
+    [Fact]
+    public void Contains_uses_platform_correct_case_rules()
+    {
+        var list = SafeVerbLoader.Load(isWindows: false);
+
+        if (OperatingSystem.IsWindows())
+        {
+            // OrdinalIgnoreCase
+            Assert.True(list.Contains("LS"));
+            Assert.True(list.Contains("ls"));
+        }
+        else
+        {
+            // Ordinal — `LS` is a different binary from `ls` on POSIX.
+            Assert.False(list.Contains("LS"));
+            Assert.True(list.Contains("ls"));
+        }
+    }
+
+    [Fact]
+    public void Load_has_no_disk_loading_surface()
+    {
+        // Architectural assertion: the loader's public API exposes no
+        // overload that accepts an external file path. This test fails to
+        // compile if a future PR re-introduces an override-file load path,
+        // turning the security tightening into a hard contract.
+        var methods = typeof(SafeVerbLoader)
+            .GetMethods(System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static);
+
+        foreach (var method in methods)
+        {
+            if (method.Name != "Load")
+                continue;
+
+            foreach (var param in method.GetParameters())
+            {
+                Assert.False(
+                    param.ParameterType == typeof(string) || param.ParameterType == typeof(NetclawPaths),
+                    $"SafeVerbLoader.{method.Name} must not expose a string or NetclawPaths parameter — "
+                    + "the safe-verbs list is immutable at runtime by design. Found parameter '{param.Name}' of type {param.ParameterType.Name}.");
+            }
+        }
+    }
+}
diff --git a/src/Netclaw.Configuration.Tests/ToolApprovalStoreTests.cs b/src/Netclaw.Configuration.Tests/ToolApprovalStoreTests.cs
index aff61912..20aea0dd 100644
--- a/src/Netclaw.Configuration.Tests/ToolApprovalStoreTests.cs
+++ b/src/Netclaw.Configuration.Tests/ToolApprovalStoreTests.cs
@@ -3,7 +3,6 @@
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
 // -----------------------------------------------------------------------
-using Netclaw.Configuration;
 using Xunit;
 
 namespace Netclaw.Configuration.Tests;
@@ -22,60 +21,65 @@ public ToolApprovalStoreTests()
     public void Dispose()
     {
         if (File.Exists(_file)) File.Delete(_file);
-        var invalid = _file + ".invalid";
-        if (File.Exists(invalid)) File.Delete(invalid);
+        if (File.Exists(_store.MalformedQuarantinePath)) File.Delete(_store.MalformedQuarantinePath);
+        if (File.Exists(_store.V1QuarantinePath)) File.Delete(_store.V1QuarantinePath);
     }
 
+    private static ApprovalEntry Verb(string verb) => new() { Verb = verb, Directory = null };
+    private static ApprovalEntry InDir(string verb, string dir) => new() { Verb = verb, Directory = dir };
+
     [Fact]
     public void RemoveApproval_returns_false_when_file_is_empty()
     {
-        Assert.False(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", "git push"));
+        Assert.False(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("git push")));
     }
 
     [Fact]
     public void RemoveApproval_removes_exact_match_and_returns_true()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "/home/user/logs/");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs/"));
 
-        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", "git push"));
+        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("git push")));
 
-        var remaining = _store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute");
-        Assert.Equal(["/home/user/logs/"], remaining);
+        var remaining = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(remaining);
+        Assert.Equal("grep", remaining[0].Verb);
+        Assert.Equal("/home/user/logs", remaining[0].Directory);
     }
 
     [Fact]
-    public void RemoveApproval_returns_false_for_unknown_pattern()
+    public void RemoveApproval_returns_false_for_unknown_entry()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        Assert.False(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", "git pull"));
-        Assert.Single(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        Assert.False(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("git pull")));
+        Assert.Single(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
     }
 
     [Fact]
     public void RemoveApproval_uses_platform_case_sensitivity()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
 
-        var caseDifferent = _store.RemoveApproval(TrustAudience.Personal, "shell_execute", "GIT PUSH");
+        var caseDifferent = _store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("GIT PUSH"));
 
         if (OperatingSystem.IsWindows())
         {
             Assert.True(caseDifferent);
-            Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
+            Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
         }
         else
         {
             Assert.False(caseDifferent);
-            Assert.Single(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
+            Assert.Single(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
         }
     }
 
     [Fact]
     public void RemoveApproval_prunes_empty_tool_and_audience_sections()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", "git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("git push")));
 
         var snapshot = _store.Snapshot();
         Assert.Empty(snapshot);
@@ -84,29 +88,35 @@ public void RemoveApproval_prunes_empty_tool_and_audience_sections()
     [Fact]
     public void RemoveApproval_does_not_disturb_other_audiences_or_tools()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Public, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "file_write", "/tmp/scratch/");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Public, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "file_write", InDir("file_write", "/tmp/scratch/"));
+
+        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", Verb("git push")));
 
-        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", "git push"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
 
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Equal(["git push"], _store.GetApprovedPatterns(TrustAudience.Public, "shell_execute"));
-        Assert.Equal(["/tmp/scratch/"], _store.GetApprovedPatterns(TrustAudience.Personal, "file_write"));
+        var publicShell = _store.GetApprovedEntries(TrustAudience.Public, "shell_execute");
+        Assert.Single(publicShell);
+        Assert.Equal("git push", publicShell[0].Verb);
+
+        var personalFileWrite = _store.GetApprovedEntries(TrustAudience.Personal, "file_write");
+        Assert.Single(personalFileWrite);
+        Assert.Equal("/tmp/scratch", personalFileWrite[0].Directory);
     }
 
     [Fact]
     public void RemoveAllForTool_clears_every_entry_and_returns_count()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "/home/user/logs/");
-        _store.AddApproval(TrustAudience.Personal, "file_write", "/tmp/scratch/");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs/"));
+        _store.AddApproval(TrustAudience.Personal, "file_write", InDir("file_write", "/tmp/scratch/"));
 
         var removed = _store.RemoveAllForTool(TrustAudience.Personal, "shell_execute");
 
         Assert.Equal(2, removed);
-        Assert.Empty(_store.GetApprovedPatterns(TrustAudience.Personal, "shell_execute"));
-        Assert.Equal(["/tmp/scratch/"], _store.GetApprovedPatterns(TrustAudience.Personal, "file_write"));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+        Assert.Single(_store.GetApprovedEntries(TrustAudience.Personal, "file_write"));
     }
 
     [Fact]
@@ -118,12 +128,131 @@ public void RemoveAllForTool_returns_zero_when_tool_absent()
     [Fact]
     public void Snapshot_returns_deep_clone_independent_of_subsequent_writes()
     {
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git push");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
         var snapshot = _store.Snapshot();
 
-        _store.AddApproval(TrustAudience.Personal, "shell_execute", "git pull");
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git pull"));
 
         var personalShell = snapshot["personal"]["shell_execute"];
-        Assert.Equal(["git push"], personalShell);
+        Assert.Single(personalShell);
+        Assert.Equal("git push", personalShell[0].Verb);
+    }
+
+    [Fact]
+    public void AddApproval_is_idempotent_for_equal_entries()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("git push"));
+
+        var entries = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(entries);
+    }
+
+    [Fact]
+    public void AddApproval_normalizes_trailing_slash_in_directory()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs/"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs"));
+
+        var entries = _store.GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+        Assert.Single(entries);
+        Assert.Equal("/home/user/logs", entries[0].Directory);
+    }
+
+    [Fact]
+    public void RemoveApproval_normalizes_trailing_slash_in_pattern_input()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs"));
+        Assert.True(_store.RemoveApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs/")));
+        Assert.Empty(_store.GetApprovedEntries(TrustAudience.Personal, "shell_execute"));
+    }
+
+    [Fact]
+    public void Save_emits_version_two_and_typed_entries()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("freshdesk"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs"));
+
+        var json = File.ReadAllText(_file);
+        Assert.Contains("\"version\": 2", json);
+        Assert.Contains("\"verb\": \"freshdesk\"", json);
+        Assert.Contains("\"directory\": \"/home/user/logs\"", json);
+        // Global wildcard omits the directory field via WhenWritingNull.
+        Assert.DoesNotContain("\"directory\": null", json);
+    }
+
+    [Fact]
+    public void Load_quarantines_v1_file_and_returns_empty()
+    {
+        const string V1Json = """
+            {
+              "audiences": {
+                "personal": {
+                  "shell_execute": [ "git push", "/home/user/logs/" ]
+                }
+              }
+            }
+            """;
+        File.WriteAllText(_file, V1Json);
+
+        var data = _store.Load();
+
+        Assert.Empty(data.Audiences);
+        Assert.False(File.Exists(_file));
+        Assert.True(File.Exists(_store.V1QuarantinePath));
+        Assert.Equal(V1Json, File.ReadAllText(_store.V1QuarantinePath));
+    }
+
+    [Fact]
+    public void Load_quarantines_file_with_wrong_version_number()
+    {
+        File.WriteAllText(_file, """{"version":1,"audiences":{}}""");
+
+        var data = _store.Load();
+
+        Assert.Empty(data.Audiences);
+        Assert.False(File.Exists(_file));
+        Assert.True(File.Exists(_store.V1QuarantinePath));
+    }
+
+    [Fact]
+    public void Load_quarantines_malformed_file_to_invalid_path()
+    {
+        File.WriteAllText(_file, "not valid json {{{");
+
+        var data = _store.Load();
+
+        Assert.Empty(data.Audiences);
+        Assert.False(File.Exists(_file));
+        Assert.True(File.Exists(_store.MalformedQuarantinePath));
+        Assert.False(File.Exists(_store.V1QuarantinePath));
+    }
+
+    [Fact]
+    public void Load_after_quarantine_writes_fresh_v2_file_on_next_persist()
+    {
+        File.WriteAllText(_file, """{"audiences":{"personal":{"shell_execute":["git push"]}}}""");
+
+        // First read quarantines and returns empty.
+        Assert.Empty(_store.Load().Audiences);
+
+        // Next add writes a fresh v2 file at the original path.
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("freshdesk"));
+        Assert.True(File.Exists(_file));
+        Assert.Contains("\"version\": 2", File.ReadAllText(_file));
+        Assert.True(File.Exists(_store.V1QuarantinePath));
+    }
+
+    [Fact]
+    public void V2_file_round_trips_global_wildcard_and_folder_scoped_entries()
+    {
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", Verb("freshdesk"));
+        _store.AddApproval(TrustAudience.Personal, "shell_execute", InDir("grep", "/home/user/logs"));
+
+        var reloaded = new ToolApprovalStore(_file).GetApprovedEntries(TrustAudience.Personal, "shell_execute");
+
+        Assert.Equal(2, reloaded.Count);
+        Assert.Contains(reloaded, e => e.Verb == "freshdesk" && e.Directory is null);
+        Assert.Contains(reloaded, e => e.Verb == "grep" && e.Directory == "/home/user/logs");
     }
 }
diff --git a/src/Netclaw.Configuration/ApprovalEntry.cs b/src/Netclaw.Configuration/ApprovalEntry.cs
new file mode 100644
index 00000000..7669e30e
--- /dev/null
+++ b/src/Netclaw.Configuration/ApprovalEntry.cs
@@ -0,0 +1,104 @@
+// -----------------------------------------------------------------------
+// <copyright file="ApprovalEntry.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Text.Json.Serialization;
+
+namespace Netclaw.Configuration;
+
+/// <summary>
+/// One persisted tool-approval grant: a verb chain paired with a directory
+/// scope. <see cref="Directory"/> is null for the global wildcard
+/// ("approve this verb in any directory"); otherwise it is an absolute path
+/// and the entry only matches invocations whose cwd is under that path.
+///
+/// This record replaces the v1 flat string list in
+/// <c>tool-approvals.json</c>. v1 entries (verbs, normalized commands,
+/// directory roots, and bash fragments mingled in one list) are not
+/// migrated — see <see cref="ToolApprovalStore.Load"/>.
+/// </summary>
+public sealed record ApprovalEntry
+{
+    /// <summary>
+    /// The verb chain (e.g. <c>git remote</c>, <c>freshdesk</c>). For
+    /// <c>shell_execute</c> this is the prefix of non-flag tokens extracted
+    /// from a command; for other tools it is the tool name.
+    /// </summary>
+    [JsonPropertyName("verb")]
+    public required string Verb { get; init; }
+
+    /// <summary>
+    /// Absolute directory path the grant is scoped to, or <c>null</c> for
+    /// the global wildcard. Trailing slashes are normalized away by the
+    /// matcher so <c>/path/</c> and <c>/path</c> compare equal.
+    /// </summary>
+    [JsonPropertyName("directory")]
+    public string? Directory { get; init; }
+
+    /// <summary>
+    /// The user-visible scope label emitted by <c>netclaw approvals list</c>
+    /// and shown in the TUI. Folder-scoped entries render as
+    /// <c>&lt;verb&gt; in &lt;dir&gt;</c>; global wildcards render as
+    /// <c>&lt;verb&gt; anywhere</c>. Round-trips with
+    /// <see cref="TryParseScope"/>.
+    /// </summary>
+    public string FormatScope()
+        => Directory is null ? $"{Verb} anywhere" : $"{Verb} in {Directory}";
+
+    /// <summary>
+    /// Inverse of <see cref="FormatScope"/>. Parses one of the two
+    /// user-visible forms — <c>&lt;verb&gt; in &lt;directory&gt;</c> or
+    /// <c>&lt;verb&gt; anywhere</c> — into a typed <see cref="ApprovalEntry"/>.
+    /// Returns false with a non-empty <paramref name="error"/> for any other
+    /// shape so callers can surface the parse failure as a user error rather
+    /// than a silent best-effort match.
+    /// </summary>
+    public static bool TryParseScope(string input, out ApprovalEntry entry, out string error)
+    {
+        entry = new ApprovalEntry { Verb = string.Empty };
+        error = string.Empty;
+
+        const string AnywhereSuffix = " anywhere";
+        const string InSeparator = " in ";
+
+        var trimmed = input.Trim();
+        if (trimmed.Length == 0)
+        {
+            error = "Approval scope must not be empty.";
+            return false;
+        }
+
+        if (trimmed.EndsWith(AnywhereSuffix, StringComparison.Ordinal))
+        {
+            var verb = trimmed[..^AnywhereSuffix.Length].TrimEnd();
+            if (verb.Length == 0)
+            {
+                error = "'<verb> anywhere' must include a verb.";
+                return false;
+            }
+            entry = new ApprovalEntry { Verb = verb, Directory = null };
+            return true;
+        }
+
+        // First " in " separates verb from directory. Verb chains never
+        // contain " in " as a literal token, so this split is unambiguous
+        // for legitimate inputs.
+        var inIndex = trimmed.IndexOf(InSeparator, StringComparison.Ordinal);
+        if (inIndex > 0)
+        {
+            var verb = trimmed[..inIndex].TrimEnd();
+            var directory = trimmed[(inIndex + InSeparator.Length)..].TrimStart();
+            if (verb.Length == 0 || directory.Length == 0)
+            {
+                error = "'<verb> in <directory>' must include both verb and directory.";
+                return false;
+            }
+            entry = new ApprovalEntry { Verb = verb, Directory = directory };
+            return true;
+        }
+
+        error = $"Could not parse approval scope '{input}'.";
+        return false;
+    }
+}
diff --git a/src/Netclaw.Configuration/AudienceTrustState.cs b/src/Netclaw.Configuration/AudienceTrustState.cs
new file mode 100644
index 00000000..5570392c
--- /dev/null
+++ b/src/Netclaw.Configuration/AudienceTrustState.cs
@@ -0,0 +1,40 @@
+// -----------------------------------------------------------------------
+// <copyright file="AudienceTrustState.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Text.Json.Serialization;
+
+namespace Netclaw.Configuration;
+
+/// <summary>
+/// Persistent approval state for one audience: two independent stores
+/// composed at evaluation time by the three-layer approval gate.
+/// </summary>
+/// <remarks>
+/// Stores compose at evaluation time, not at write time. A trusted-zone
+/// grant authorizes geography only; a verb-pattern grant authorizes a
+/// command shape only. Both gates must pass for silent execution.
+/// Replaces the v2 <c>ApprovalEntry</c> cross-product shape.
+/// </remarks>
+public sealed class AudienceTrustState
+{
+    /// <summary>
+    /// Glob patterns matching command shapes auto-allowed within a trusted
+    /// zone. Stored as <c>verb-chain prefix + arg-glob suffix</c>
+    /// (e.g. <c>git push *</c>, <c>rm /tmp/*</c>, <c>dotnet test *</c>).
+    /// Patterns without a trailing glob are rejected at write time.
+    /// </summary>
+    [JsonPropertyName("verbPatterns")]
+    public List<string> VerbPatterns { get; set; } = [];
+
+    /// <summary>
+    /// Directory globs declaring where this audience may operate silently.
+    /// Path-prefix recursive matching: <c>~/repos/*</c> matches the root
+    /// itself plus any descendant at any depth, with directory-boundary
+    /// safety (does not match <c>~/repossecret</c>). The <c>*</c> is
+    /// implicitly recursive — there is no <c>**</c> in zone globs.
+    /// </summary>
+    [JsonPropertyName("trustedZones")]
+    public List<string> TrustedZones { get; set; } = [];
+}
diff --git a/src/Netclaw.Configuration/AudienceTrustStore.cs b/src/Netclaw.Configuration/AudienceTrustStore.cs
new file mode 100644
index 00000000..ad36fd1d
--- /dev/null
+++ b/src/Netclaw.Configuration/AudienceTrustStore.cs
@@ -0,0 +1,415 @@
+// -----------------------------------------------------------------------
+// <copyright file="AudienceTrustStore.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace Netclaw.Configuration;
+
+/// <summary>
+/// Reads and writes the two-store per-audience approval shape from
+/// <c>~/.netclaw/config/tool-approvals.json</c>. Each audience contains a
+/// <c>verbPatterns</c> array and a <c>trustedZones</c> array, evaluated
+/// independently by the three-layer approval gate.
+/// </summary>
+/// <remarks>
+/// Replaces the v2 <see cref="ToolApprovalStore"/> cross-product shape. The
+/// new on-disk layout has audience wire values (e.g. <c>personal</c>,
+/// <c>team</c>, <c>public</c>) as top-level JSON object keys with no
+/// <c>version</c> or <c>audiences</c> wrapper. Files containing a top-level
+/// <c>version</c> key, a top-level <c>audiences</c> key, or a top-level JSON
+/// array (legacy v1) SHALL be quarantined to
+/// <see cref="LegacyQuarantinePath"/> on first read; an empty new-shape store
+/// SHALL be returned. No translation of legacy entries is performed.
+/// </remarks>
+public sealed class AudienceTrustStore
+{
+    private readonly string _filePath;
+    private readonly object _lock = new();
+
+    /// <summary>
+    /// Sibling path used to archive any pre-existing legacy-shape file
+    /// (v1 list, v2 versioned wrapper) on first read.
+    /// </summary>
+    public string LegacyQuarantinePath => _filePath + ".v2-discarded.bak";
+
+    /// <summary>
+    /// Sibling path used to archive a file that fails to parse as JSON.
+    /// </summary>
+    public string MalformedQuarantinePath => _filePath + ".invalid";
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
+    };
+
+    public AudienceTrustStore(string filePath)
+    {
+        _filePath = filePath;
+    }
+
+    /// <summary>
+    /// Loads the per-audience trust state from disk. Returns an empty store
+    /// when the file does not exist, contains a legacy shape (the file is
+    /// moved to <see cref="LegacyQuarantinePath"/>), or fails to parse as
+    /// JSON (the file is moved to <see cref="MalformedQuarantinePath"/>).
+    /// </summary>
+    public Dictionary<string, AudienceTrustState> Load()
+    {
+        lock (_lock)
+        {
+            if (!File.Exists(_filePath))
+                return NewEmpty();
+
+            var json = File.ReadAllText(_filePath);
+
+            // Two-step parse so we can distinguish three failure modes:
+            //   (1) unparseable JSON          → quarantine to .invalid
+            //   (2) parseable JSON, legacy shape → quarantine to .v2-discarded.bak
+            //   (3) parseable JSON, new shape, deserialize fails → .invalid
+            // Step 1 inspects the document structure via JsonDocument; step 2
+            // binds the strongly-typed model only after the legacy gate passes.
+            try
+            {
+                using var document = JsonDocument.Parse(json);
+                if (IsLegacyShape(document.RootElement))
+                {
+                    QuarantineLegacyFile();
+                    return NewEmpty();
+                }
+            }
+            catch (JsonException ex)
+            {
+                QuarantineMalformedFile(ex);
+                return NewEmpty();
+            }
+
+            try
+            {
+                var deserialized = JsonSerializer.Deserialize<Dictionary<string, AudienceTrustState>>(
+                    json, JsonOptions);
+                return deserialized ?? NewEmpty();
+            }
+            catch (JsonException ex)
+            {
+                QuarantineMalformedFile(ex);
+                return NewEmpty();
+            }
+        }
+    }
+
+    /// <summary>
+    /// Persists the supplied state to disk. Creates the parent directory if
+    /// missing. Last-write-wins under the instance lock; concurrent callers
+    /// across processes could race, but the daemon owns the file in practice.
+    /// </summary>
+    public void Save(IReadOnlyDictionary<string, AudienceTrustState> data)
+    {
+        lock (_lock)
+        {
+            var dir = Path.GetDirectoryName(_filePath);
+            if (!string.IsNullOrEmpty(dir))
+                Directory.CreateDirectory(dir);
+
+            var json = JsonSerializer.Serialize(data, JsonOptions);
+            File.WriteAllText(_filePath, json);
+        }
+    }
+
+    /// <summary>
+    /// Adds a glob to the audience's <c>verbPatterns</c> list. Idempotent
+    /// (case-insensitive duplicate detection on the trimmed pattern).
+    /// Rejects patterns without a trailing arg-glob — the matcher requires
+    /// the explicit <c>*</c> suffix to know where the verb chain ends.
+    /// </summary>
+    /// <exception cref="ArgumentException">When the pattern is empty or
+    /// missing the trailing arg-glob suffix.</exception>
+    public void AddVerbPattern(TrustAudience audience, string pattern)
+    {
+        var normalized = NormalizeVerbPattern(pattern);
+        lock (_lock)
+        {
+            var data = Load();
+            var state = GetOrCreate(data, audience);
+
+            if (!ContainsCaseInsensitive(state.VerbPatterns, normalized))
+                state.VerbPatterns.Add(normalized);
+
+            Save(data);
+        }
+    }
+
+    /// <summary>
+    /// Removes a glob from the audience's <c>verbPatterns</c> list.
+    /// Comparison is case-insensitive on the trimmed input. Returns
+    /// <c>true</c> when an entry was removed.
+    /// </summary>
+    public bool RemoveVerbPattern(TrustAudience audience, string pattern)
+    {
+        var trimmed = (pattern ?? string.Empty).Trim();
+        if (trimmed.Length == 0)
+            return false;
+
+        lock (_lock)
+        {
+            var data = Load();
+            var audienceKey = audience.ToWireValue();
+
+            if (!data.TryGetValue(audienceKey, out var state))
+                return false;
+
+            var index = IndexOfCaseInsensitive(state.VerbPatterns, trimmed);
+            if (index < 0)
+                return false;
+
+            state.VerbPatterns.RemoveAt(index);
+            CleanupEmptyAudience(data, audienceKey);
+            Save(data);
+            return true;
+        }
+    }
+
+    /// <summary>
+    /// Adds a directory glob to the audience's <c>trustedZones</c> list.
+    /// Idempotent on the trimmed input (case-insensitive). Trailing slashes
+    /// are normalized away so <c>/path/</c> and <c>/path</c> compare equal.
+    /// </summary>
+    /// <exception cref="ArgumentException">When the input is empty.</exception>
+    public void AddTrustedZone(TrustAudience audience, string zoneGlob)
+    {
+        var normalized = NormalizeZone(zoneGlob);
+        lock (_lock)
+        {
+            var data = Load();
+            var state = GetOrCreate(data, audience);
+
+            if (!ContainsCaseInsensitive(state.TrustedZones, normalized))
+                state.TrustedZones.Add(normalized);
+
+            Save(data);
+        }
+    }
+
+    /// <summary>
+    /// Removes a directory glob from the audience's <c>trustedZones</c>.
+    /// Returns <c>true</c> when an entry was removed.
+    /// </summary>
+    public bool RemoveTrustedZone(TrustAudience audience, string zoneGlob)
+    {
+        var normalized = NormalizeZone(zoneGlob);
+        lock (_lock)
+        {
+            var data = Load();
+            var audienceKey = audience.ToWireValue();
+
+            if (!data.TryGetValue(audienceKey, out var state))
+                return false;
+
+            var index = IndexOfCaseInsensitive(state.TrustedZones, normalized);
+            if (index < 0)
+                return false;
+
+            state.TrustedZones.RemoveAt(index);
+            CleanupEmptyAudience(data, audienceKey);
+            Save(data);
+            return true;
+        }
+    }
+
+    /// <summary>
+    /// Returns the persistent verb-pattern globs for the given audience.
+    /// Empty list when the audience has no entries.
+    /// </summary>
+    public IReadOnlyList<string> GetVerbPatterns(TrustAudience audience)
+    {
+        var data = Load();
+        var audienceKey = audience.ToWireValue();
+        return data.TryGetValue(audienceKey, out var state)
+            ? state.VerbPatterns.ToArray()
+            : [];
+    }
+
+    /// <summary>
+    /// Returns the persistent trusted-zone globs for the given audience.
+    /// Empty list when the audience has no entries.
+    /// </summary>
+    public IReadOnlyList<string> GetTrustedZones(TrustAudience audience)
+    {
+        var data = Load();
+        var audienceKey = audience.ToWireValue();
+        return data.TryGetValue(audienceKey, out var state)
+            ? state.TrustedZones.ToArray()
+            : [];
+    }
+
+    /// <summary>
+    /// Returns a read-only snapshot of the entire store. Consumers that need
+    /// to enumerate every audience for display or audit should use this.
+    /// </summary>
+    public IReadOnlyDictionary<string, AudienceTrustState> Snapshot()
+    {
+        var data = Load();
+        var result = new Dictionary<string, AudienceTrustState>(StringComparer.Ordinal);
+        foreach (var (audienceKey, state) in data)
+        {
+            result[audienceKey] = new AudienceTrustState
+            {
+                VerbPatterns = state.VerbPatterns.ToList(),
+                TrustedZones = state.TrustedZones.ToList()
+            };
+        }
+        return result;
+    }
+
+    // -------------------------------------------------------------------
+    // Schema detection — distinguishes new-shape from legacy v1/v2 files.
+    // -------------------------------------------------------------------
+
+    private static bool IsLegacyShape(JsonElement root)
+    {
+        // v1 stored a flat JSON array at the root.
+        if (root.ValueKind == JsonValueKind.Array)
+            return true;
+
+        // Anything that isn't an object isn't valid for either schema; treat
+        // as legacy/malformed and quarantine for operator inspection.
+        if (root.ValueKind != JsonValueKind.Object)
+            return true;
+
+        // v2 wrapped its data under {version, audiences}; either marker is a
+        // sufficient signal. Empty objects {} are valid new-shape (no audiences).
+        if (root.TryGetProperty("version", out _))
+            return true;
+
+        if (root.TryGetProperty("audiences", out _))
+            return true;
+
+        return false;
+    }
+
+    private void QuarantineLegacyFile()
+    {
+        try
+        {
+            if (File.Exists(LegacyQuarantinePath))
+                File.Delete(LegacyQuarantinePath);
+            File.Move(_filePath, LegacyQuarantinePath);
+        }
+        catch (Exception moveEx)
+        {
+            throw new InvalidDataException(
+                $"Tool approvals file at '{_filePath}' uses a legacy schema and could not be quarantined to '{LegacyQuarantinePath}'. Inspect the file manually before restarting.",
+                moveEx);
+        }
+    }
+
+    private void QuarantineMalformedFile(JsonException cause)
+    {
+        try
+        {
+            if (File.Exists(MalformedQuarantinePath))
+                File.Delete(MalformedQuarantinePath);
+            File.Move(_filePath, MalformedQuarantinePath);
+        }
+        catch (Exception moveEx)
+        {
+            throw new InvalidDataException(
+                $"Tool approvals file at '{_filePath}' is malformed and could not be quarantined to '{MalformedQuarantinePath}'. Inspect the file manually before restarting.",
+                new AggregateException(cause, moveEx));
+        }
+    }
+
+    // -------------------------------------------------------------------
+    // Helpers
+    // -------------------------------------------------------------------
+
+    private static AudienceTrustState GetOrCreate(
+        Dictionary<string, AudienceTrustState> data,
+        TrustAudience audience)
+    {
+        var key = audience.ToWireValue();
+        if (!data.TryGetValue(key, out var state))
+        {
+            state = new AudienceTrustState();
+            data[key] = state;
+        }
+
+        return state;
+    }
+
+    private static void CleanupEmptyAudience(
+        Dictionary<string, AudienceTrustState> data,
+        string audienceKey)
+    {
+        if (!data.TryGetValue(audienceKey, out var state))
+            return;
+
+        if (state.VerbPatterns.Count == 0 && state.TrustedZones.Count == 0)
+            data.Remove(audienceKey);
+    }
+
+    private static string NormalizeVerbPattern(string pattern)
+    {
+        var trimmed = (pattern ?? string.Empty).Trim();
+        if (trimmed.Length == 0)
+            throw new ArgumentException("Verb pattern must not be empty.", nameof(pattern));
+
+        // The matcher uses the trailing arg-glob to know where the verb chain
+        // ends. Bare verb chains (no trailing glob) have no defined match
+        // semantics under the new model.
+        if (!HasTrailingGlob(trimmed))
+            throw new ArgumentException(
+                $"Verb pattern '{trimmed}' is missing the trailing arg-glob suffix. Use '{trimmed} *' to match any args, or be more specific (e.g. 'git push origin *').",
+                nameof(pattern));
+
+        return trimmed;
+    }
+
+    private static bool HasTrailingGlob(string pattern)
+    {
+        // Cheap check: pattern ends with a token that contains a glob metachar.
+        var lastSpace = pattern.LastIndexOf(' ');
+        if (lastSpace < 0)
+            return false;
+
+        var trailing = pattern[(lastSpace + 1)..];
+        return trailing.Contains('*', StringComparison.Ordinal)
+            || trailing.Contains('?', StringComparison.Ordinal)
+            || trailing.Contains('[', StringComparison.Ordinal);
+    }
+
+    private static string NormalizeZone(string zoneGlob)
+    {
+        var trimmed = (zoneGlob ?? string.Empty).Trim();
+        if (trimmed.Length == 0)
+            throw new ArgumentException("Trusted zone glob must not be empty.", nameof(zoneGlob));
+
+        // Trailing-slash variants normalize to the no-slash form; the matcher
+        // treats <dir> and <dir>/ and <dir>/* as the same zone.
+        while (trimmed.Length > 1 && (trimmed[^1] == '/' || trimmed[^1] == '\\'))
+            trimmed = trimmed[..^1];
+
+        return trimmed;
+    }
+
+    private static bool ContainsCaseInsensitive(IList<string> list, string value)
+        => IndexOfCaseInsensitive(list, value) >= 0;
+
+    private static int IndexOfCaseInsensitive(IList<string> list, string value)
+    {
+        for (var i = 0; i < list.Count; i++)
+        {
+            if (string.Equals(list[i], value, StringComparison.OrdinalIgnoreCase))
+                return i;
+        }
+
+        return -1;
+    }
+
+    private static Dictionary<string, AudienceTrustState> NewEmpty()
+        => new(StringComparer.Ordinal);
+}
diff --git a/src/Netclaw.Configuration/Netclaw.Configuration.csproj b/src/Netclaw.Configuration/Netclaw.Configuration.csproj
index 9bfcbbe4..7e788b5c 100644
--- a/src/Netclaw.Configuration/Netclaw.Configuration.csproj
+++ b/src/Netclaw.Configuration/Netclaw.Configuration.csproj
@@ -29,6 +29,7 @@
     <EmbeddedResource Include="Schemas/**/*.json" />
     <EmbeddedResource Include="Resources/AGENTS.md" />
     <EmbeddedResource Include="Resources/AGENTS.public.md" />
+    <EmbeddedResource Include="SafeVerbs/**/*.json" />
   </ItemGroup>
 
 </Project>
diff --git a/src/Netclaw.Configuration/NetclawPaths.cs b/src/Netclaw.Configuration/NetclawPaths.cs
index 074dd79b..47d38006 100644
--- a/src/Netclaw.Configuration/NetclawPaths.cs
+++ b/src/Netclaw.Configuration/NetclawPaths.cs
@@ -79,6 +79,23 @@ public string ServerFeedSyncStatePath(string feedName)
     public string ConfigDirectory => Path.Combine(BasePath, "config");
     public string WebhooksDirectory => Path.Combine(ConfigDirectory, "webhooks");
     public string ToolApprovalsPath => Path.Combine(ConfigDirectory, "tool-approvals.json");
+
+    /// <summary>
+    /// Per-audience trust-zones store for the new approval architecture
+    /// (verbPatterns + trustedZones per audience). Sibling to
+    /// <see cref="ToolApprovalsPath"/> during transition so the v2 store can
+    /// keep handling existing entries while the new code path migrates.
+    /// Will eventually replace <see cref="ToolApprovalsPath"/> when the
+    /// trust-zones rewrite is fully wired and v2 is removed.
+    /// </summary>
+    public string TrustZonesPath => Path.Combine(ConfigDirectory, "trust-zones.json");
+
+    /// <summary>
+    /// Operator-authored hard-deny override file consulted by the
+    /// structured hard-deny pipeline. Optional; missing or empty file
+    /// yields zero overrides and the shipped defaults apply alone.
+    /// </summary>
+    public string HardDenyOverridesPath => Path.Combine(ConfigDirectory, "hard-deny-overrides.json");
     public string NetclawConfigPath => Path.Combine(ConfigDirectory, "netclaw.json");
     public string ClientConfigPath => Path.Combine(ClientDirectory, "config.json");
     public string SecretsPath => Path.Combine(ConfigDirectory, "secrets.json");
diff --git a/src/Netclaw.Configuration/Resources/AGENTS.md b/src/Netclaw.Configuration/Resources/AGENTS.md
index 7a3a35f6..7ca1d858 100644
--- a/src/Netclaw.Configuration/Resources/AGENTS.md
+++ b/src/Netclaw.Configuration/Resources/AGENTS.md
@@ -17,6 +17,46 @@
   without attempting at least one fallback.
 - Never say "you can visit..." or "you can call..." — look it up yourself.
 
+## Declaring Project Scope (load-bearing for approvals)
+
+Path arguments to shell commands declare scope implicitly. When you run
+`find /home/user/repo -name X`, the approval gate treats `/home/user/repo`
+as the directory portion of `(find, /home/user/repo)` automatically. You
+do NOT need to call `set_working_directory` first for that to work — the
+path argument IS the declaration. Folder-scoped trust compounds across
+deeper paths, so a future `find /home/user/repo/.netclaw` is auto-allowed.
+
+**When `set_working_directory` IS the right tool**, it's for sessions
+where the agent will run multiple commands without explicit path
+arguments — typical interactive REPL work, `git status` followed by
+`git diff` followed by edits, or `make build` and similar tools that
+hide their target behind flags (`make -C`, `git -C`). In those cases
+call `set_working_directory <path>` so the safe-verb short-circuit
+treats that tree as a safe space; the agent's read-only verbs auto-run
+with no prompt.
+
+When the user task is scoped to a project or codebase the user named
+explicitly (a directory path, a repo, "this codebase"), declaring
+scope — either by passing the path on each command or by calling
+`set_working_directory` once — keeps the approval prompts from
+interrupting every read-only inspection. Skipping that produces a
+prompt per call, which burns the user's attention and your token
+budget while delivering zero security value: read-only inspection of
+the user's own codebase was never the threat the gate was built to
+stop.
+
+When NOT to declare scope at all: pure-conversation turns ("what's
+2+2?", "explain X"), sessions where no project has been mentioned, or
+one-shot lookups against external APIs. Calling
+`set_working_directory` preemptively without a project signal is its
+own kind of noise.
+
+**Recovery from a denied shell call.** If `shell_execute` fails with a denial
+that mentions cwd being outside the safe spaces, the result includes a hint
+pointing at `set_working_directory <path>`. Read the hint, call the tool with
+the directory the user is asking about, then retry the original shell call —
+do not re-prompt the user.
+
 ## Grounding Rules
 
 - Never state runtime facts (versions, status, availability) without checking with a tool.
diff --git a/src/Netclaw.Configuration/SafeVerbList.cs b/src/Netclaw.Configuration/SafeVerbList.cs
new file mode 100644
index 00000000..a7c74cca
--- /dev/null
+++ b/src/Netclaw.Configuration/SafeVerbList.cs
@@ -0,0 +1,132 @@
+// -----------------------------------------------------------------------
+// <copyright file="SafeVerbList.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Reflection;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace Netclaw.Configuration;
+
+/// <summary>
+/// Curated list of demonstrably read-only shell verb chains the approval gate
+/// auto-allows when invoked inside a trusted zone. Loaded exclusively from
+/// the daemon's bundled <c>safe-verbs.&lt;os&gt;.json</c> embedded resource —
+/// there is no user-override file by design. Adding a verb to this list
+/// loosens the policy (more silent auto-pass cases), so widening must go
+/// through code review and a daemon release, not a config edit. The agent
+/// has no path to extend its own read-only verb list at runtime.
+///
+/// Membership is exact-equality against the verb chain extracted by the
+/// shell parser (case rules from
+/// <see cref="ToolApprovalEntryComparer.Comparer"/>: Ordinal on POSIX,
+/// OrdinalIgnoreCase on Windows). Mutating verbs (e.g. <c>git push</c>,
+/// <c>sed -i</c>) are intentionally absent — they remain subject to the
+/// interactive approval gate.
+/// </summary>
+public sealed class SafeVerbList
+{
+    public static readonly SafeVerbList Empty = new(new HashSet<string>(StringComparer.Ordinal));
+
+    private readonly HashSet<string> _verbs;
+
+    internal SafeVerbList(HashSet<string> verbs)
+    {
+        _verbs = verbs;
+    }
+
+    /// <summary>
+    /// Builds a <see cref="SafeVerbList"/> from an explicit verb collection.
+    /// Used by tests and by callers that synthesize a list outside the
+    /// bundled-plus-override loading path.
+    /// </summary>
+    public static SafeVerbList FromVerbs(IEnumerable<string> verbs)
+    {
+        var set = new HashSet<string>(ToolApprovalEntryComparer.Comparer);
+        foreach (var verb in verbs)
+        {
+            if (!string.IsNullOrWhiteSpace(verb))
+                set.Add(verb.Trim());
+        }
+        return new SafeVerbList(set);
+    }
+
+    /// <summary>
+    /// Returns true when the candidate verb chain is on the safe-verbs list.
+    /// </summary>
+    public bool Contains(string candidateVerb)
+        => !string.IsNullOrEmpty(candidateVerb) && _verbs.Contains(candidateVerb);
+
+    /// <summary>The verbs in this list. Stable ordering; intended for diagnostics, not lookups.</summary>
+    public IReadOnlyCollection<string> Verbs => _verbs;
+}
+
+/// <summary>
+/// JSON deserialization shape for <c>safe-verbs.*.json</c> files.
+/// </summary>
+internal sealed class SafeVerbListFile
+{
+    [JsonPropertyName("verbs")]
+    public List<string> Verbs { get; set; } = new();
+}
+
+/// <summary>
+/// Loads the bundled safe-verbs list for the current OS from the embedded
+/// resource. There is no user-override path — the safe-verbs list is
+/// immutable at runtime so the agent cannot widen its own read-only
+/// auto-pass set through file writes. Widening goes through code review
+/// and a daemon release.
+/// </summary>
+public static class SafeVerbLoader
+{
+    private const string LinuxResourceName = "Netclaw.Configuration.SafeVerbs.safe-verbs.linux.json";
+    private const string WindowsResourceName = "Netclaw.Configuration.SafeVerbs.safe-verbs.windows.json";
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        ReadCommentHandling = JsonCommentHandling.Skip,
+        AllowTrailingCommas = true
+    };
+
+    /// <summary>
+    /// Loads the bundled safe-verbs list for the current OS. Always returns
+    /// the shipped defaults — no merge from disk, no user-overridable
+    /// surface. Throws <see cref="InvalidOperationException"/> only if the
+    /// embedded resource itself is missing from the assembly, which is a
+    /// build-packaging bug, not a runtime condition.
+    /// </summary>
+    public static SafeVerbList Load() => Load(OperatingSystem.IsWindows());
+
+    internal static SafeVerbList Load(bool isWindows)
+    {
+        var comparer = ToolApprovalEntryComparer.Comparer;
+        var verbs = new HashSet<string>(comparer);
+
+        foreach (var verb in LoadBundled(isWindows))
+            verbs.Add(verb);
+
+        return new SafeVerbList(verbs);
+    }
+
+    private static IEnumerable<string> LoadBundled(bool isWindows)
+    {
+        var resourceName = isWindows ? WindowsResourceName : LinuxResourceName;
+        var assembly = typeof(SafeVerbLoader).Assembly;
+
+        using var stream = assembly.GetManifestResourceStream(resourceName)
+            ?? throw new InvalidOperationException(
+                $"Bundled safe-verbs resource '{resourceName}' is missing from {assembly.FullName}. "
+                + "This is a build packaging error: SafeVerbs/*.json must be embedded.");
+
+        var file = JsonSerializer.Deserialize<SafeVerbListFile>(stream, JsonOptions)
+            ?? throw new InvalidDataException($"Bundled safe-verbs resource '{resourceName}' deserialized to null.");
+
+        foreach (var verb in file.Verbs)
+        {
+            if (!string.IsNullOrWhiteSpace(verb))
+                yield return verb.Trim();
+        }
+    }
+}
diff --git a/src/Netclaw.Configuration/SafeVerbs/safe-verbs.linux.json b/src/Netclaw.Configuration/SafeVerbs/safe-verbs.linux.json
new file mode 100644
index 00000000..ae1f18b7
--- /dev/null
+++ b/src/Netclaw.Configuration/SafeVerbs/safe-verbs.linux.json
@@ -0,0 +1,41 @@
+{
+  "$comment": "Bundled defaults for shell verbs the approval gate auto-allows when invoked inside a trusted zone (per-audience trustedZones + session_dir + audience baseline). Each entry is a verb chain matched by exact equality against the shell parser's verb-chain extraction. Mutating verbs are intentionally absent — git push, awk -i inplace, sed -i etc. still prompt. sed is pinned to its read-only -n flag form. This list is immutable at runtime: no on-disk override file is read. Widening the list goes through code review and a daemon release so the agent cannot extend its own auto-pass surface via file writes.",
+  "verbs": [
+    "cd",
+    "chdir",
+    "pushd",
+    "popd",
+    "ls",
+    "find",
+    "grep",
+    "egrep",
+    "fgrep",
+    "rg",
+    "cat",
+    "head",
+    "tail",
+    "wc",
+    "sort",
+    "uniq",
+    "cut",
+    "tr",
+    "awk",
+    "sed -n",
+    "file",
+    "pwd",
+    "which",
+    "stat",
+    "tree",
+    "du",
+    "df",
+    "git status",
+    "git log",
+    "git diff",
+    "git show",
+    "git branch",
+    "git remote",
+    "git rev-parse",
+    "git ls-files",
+    "git blame"
+  ]
+}
diff --git a/src/Netclaw.Configuration/SafeVerbs/safe-verbs.windows.json b/src/Netclaw.Configuration/SafeVerbs/safe-verbs.windows.json
new file mode 100644
index 00000000..5a257753
--- /dev/null
+++ b/src/Netclaw.Configuration/SafeVerbs/safe-verbs.windows.json
@@ -0,0 +1,33 @@
+{
+  "$comment": "Bundled defaults for shell verbs the approval gate auto-allows on Windows when invoked inside a trusted zone (per-audience trustedZones + session_dir + audience baseline). Each entry is a verb chain matched by exact equality against the shell parser's verb-chain extraction. Includes both cmd.exe builtins and PowerShell read-only cmdlets, plus the same git read subcommands as the Linux list. Mutating verbs are intentionally absent. This list is immutable at runtime: no on-disk override file is read. Widening the list goes through code review and a daemon release so the agent cannot extend its own auto-pass surface via file writes.",
+  "verbs": [
+    "cd",
+    "chdir",
+    "pushd",
+    "popd",
+    "Set-Location",
+    "Push-Location",
+    "Pop-Location",
+    "dir",
+    "type",
+    "more",
+    "where",
+    "findstr",
+    "Get-ChildItem",
+    "Get-Content",
+    "Select-String",
+    "Get-Item",
+    "Test-Path",
+    "Get-Location",
+    "Resolve-Path",
+    "git status",
+    "git log",
+    "git diff",
+    "git show",
+    "git branch",
+    "git remote",
+    "git rev-parse",
+    "git ls-files",
+    "git blame"
+  ]
+}
diff --git a/src/Netclaw.Configuration/ToolApprovalEntryComparer.cs b/src/Netclaw.Configuration/ToolApprovalEntryComparer.cs
index 74796285..5227d79d 100644
--- a/src/Netclaw.Configuration/ToolApprovalEntryComparer.cs
+++ b/src/Netclaw.Configuration/ToolApprovalEntryComparer.cs
@@ -33,8 +33,71 @@ public static class ToolApprovalEntryComparer
         OperatingSystem.IsWindows() ? StringComparer.OrdinalIgnoreCase : StringComparer.Ordinal;
 
     /// <summary>
-    /// Equality predicate matching the daemon's approval matcher.
+    /// Equality predicate for raw strings (verbs or directories). Does NOT
+    /// normalize trailing path separators; callers comparing directory paths
+    /// should pass values through <see cref="NormalizeDirectory"/> first or use
+    /// <see cref="Equals(ApprovalEntry, ApprovalEntry)"/> which normalizes the
+    /// directory half automatically.
     /// </summary>
     public static bool Equals(string? left, string? right) =>
         string.Equals(left, right, Comparison);
+
+    /// <summary>
+    /// Equality predicate matching the daemon's approval matcher: two
+    /// entries are equal when their verbs match and their normalized
+    /// directories match (with both <c>null</c> directories considered equal —
+    /// the global wildcard).
+    /// </summary>
+    public static bool Equals(ApprovalEntry left, ApprovalEntry right)
+        => Equals(left.Verb, right.Verb)
+           && Equals(NormalizeDirectory(left.Directory), NormalizeDirectory(right.Directory));
+
+    /// <summary>
+    /// Canonicalizes a directory path for storage and comparison. Trims
+    /// surrounding whitespace, collapses null/empty/whitespace to <c>null</c>
+    /// (the global-wildcard sentinel), and strips a trailing path separator so
+    /// <c>/path/</c> and <c>/path</c> compare equal. Preserves filesystem
+    /// roots (<c>/</c>, <c>C:\</c>) intact.
+    /// </summary>
+    public static string? NormalizeDirectory(string? directory)
+    {
+        if (directory is null)
+            return null;
+
+        var trimmed = directory.Trim();
+        if (trimmed.Length == 0)
+            return null;
+
+        // Preserve POSIX filesystem root.
+        if (trimmed == "/")
+            return trimmed;
+
+        // Preserve Windows drive roots like "C:\" — TrimEnd would otherwise
+        // leave "C:" which means "the drive's current directory," a different
+        // location.
+        if (OperatingSystem.IsWindows()
+            && trimmed.Length == 3
+            && trimmed[1] == ':'
+            && (trimmed[2] == '\\' || trimmed[2] == '/'))
+        {
+            return trimmed;
+        }
+
+        var stripped = trimmed.TrimEnd('/', '\\');
+        return stripped.Length == 0 ? trimmed : stripped;
+    }
+
+    /// <summary>
+    /// Returns <paramref name="entry"/> with its directory normalized via
+    /// <see cref="NormalizeDirectory"/>. Used by the store at write time so
+    /// the on-disk file never accumulates trailing-slash variants of the same
+    /// logical entry.
+    /// </summary>
+    public static ApprovalEntry Normalize(ApprovalEntry entry)
+    {
+        var normalized = NormalizeDirectory(entry.Directory);
+        if (string.Equals(normalized, entry.Directory, StringComparison.Ordinal))
+            return entry;
+        return entry with { Directory = normalized };
+    }
 }
diff --git a/src/Netclaw.Configuration/ToolApprovalStore.cs b/src/Netclaw.Configuration/ToolApprovalStore.cs
index 3a2fb892..22d28859 100644
--- a/src/Netclaw.Configuration/ToolApprovalStore.cs
+++ b/src/Netclaw.Configuration/ToolApprovalStore.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ToolApprovalStore.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -9,22 +9,46 @@
 namespace Netclaw.Configuration;
 
 /// <summary>
-/// Reads and writes persistent tool approval patterns from
+/// Reads and writes persistent tool approval entries from
 /// <c>~/.netclaw/config/tool-approvals.json</c>. This file is NOT monitored
 /// by <see cref="ConfigWatcherService"/> — writes do not trigger daemon restart.
 /// Thread-safe for concurrent reads and writes.
+///
+/// The on-disk schema is version 2: a typed <see cref="ApprovalEntry"/> list
+/// per (audience, tool). Files lacking <c>"version": 2</c> at the root are
+/// treated as legacy v1 and quarantined to <see cref="V1QuarantinePath"/>; an
+/// empty v2 store is returned in their place. Files that fail to parse as
+/// JSON at all are quarantined to <see cref="MalformedQuarantinePath"/>. In
+/// both cases the daemon fails closed (no approvals) instead of silently
+/// dropping every persisted grant.
 /// </summary>
 public sealed class ToolApprovalStore
 {
+    /// <summary>
+    /// On-disk schema version emitted by <see cref="Save"/> and required by
+    /// <see cref="Load"/>. Files with any other value (including absent) are
+    /// quarantined to <see cref="V1QuarantinePath"/> on first read.
+    /// </summary>
+    public const int CurrentSchemaVersion = 2;
+
     private readonly string _filePath;
     private readonly object _lock = new();
 
     /// <summary>
-    /// Path to the quarantine sibling file. Set by <see cref="QuarantineCorruptFile"/>
-    /// when a malformed file is moved aside; consumers can check
-    /// <see cref="File.Exists(string)"/> on this path to detect a recent quarantine.
+    /// Path to the malformed-file quarantine sibling, used when the file
+    /// cannot be parsed as JSON at all. Distinct from
+    /// <see cref="V1QuarantinePath"/> so operators can tell a corrupted file
+    /// apart from a legacy-version file.
     /// </summary>
-    public string QuarantinePath => _filePath + ".invalid";
+    public string MalformedQuarantinePath => _filePath + ".invalid";
+
+    /// <summary>
+    /// Path to the legacy-v1 quarantine sibling, used when the file parses as
+    /// JSON but does not declare schema version 2. The v1 file is preserved
+    /// here untouched so operators who hand-curated v1 entries can mine them
+    /// for ideas before writing fresh v2 grants.
+    /// </summary>
+    public string V1QuarantinePath => _filePath + ".v1.bak";
 
     private static readonly JsonSerializerOptions JsonOptions = new()
     {
@@ -39,12 +63,11 @@ public ToolApprovalStore(string filePath)
     }
 
     /// <summary>
-    /// Loads all persistent approvals from disk. Returns an empty store if the
-    /// file does not exist. If the file is malformed, the corrupt file is
-    /// quarantined to <c>tool-approvals.json.invalid</c> and an empty store is
-    /// returned — operators can inspect or restore the quarantined copy and
-    /// the system fails closed (no approvals) instead of silently dropping
-    /// every persisted grant.
+    /// Loads all persistent approvals from disk. Returns an empty store when
+    /// the file does not exist, parses as JSON but lacks
+    /// <c>"version": 2</c> (the file is moved aside to
+    /// <see cref="V1QuarantinePath"/>), or fails to parse as JSON at all (the
+    /// file is moved aside to <see cref="MalformedQuarantinePath"/>).
     /// </summary>
     public ToolApprovalData Load()
     {
@@ -53,43 +76,100 @@ public ToolApprovalData Load()
             if (!File.Exists(_filePath))
                 return new ToolApprovalData();
 
+            var json = File.ReadAllText(_filePath);
+
+            // Two-step parse so we can distinguish three failure modes:
+            //   (1) unparseable JSON → quarantine to .invalid
+            //   (2) parseable JSON but wrong schema version → quarantine to .v1.bak
+            //   (3) parseable v2 JSON with deserialization error → quarantine to .invalid
+            // Step 1 looks at the version field via JsonDocument; step 2 binds
+            // the strongly-typed model only after the version gate passes.
+            try
+            {
+                using var document = JsonDocument.Parse(json);
+                if (!IsCurrentSchema(document.RootElement))
+                {
+                    QuarantineV1File();
+                    return new ToolApprovalData();
+                }
+            }
+            catch (JsonException ex)
+            {
+                QuarantineMalformedFile(ex);
+                return new ToolApprovalData();
+            }
+
             try
             {
-                var json = File.ReadAllText(_filePath);
                 return JsonSerializer.Deserialize<ToolApprovalData>(json, JsonOptions)
                     ?? new ToolApprovalData();
             }
             catch (JsonException ex)
             {
-                QuarantineCorruptFile(ex);
+                QuarantineMalformedFile(ex);
                 return new ToolApprovalData();
             }
         }
     }
 
-    private void QuarantineCorruptFile(JsonException cause)
+    private static bool IsCurrentSchema(JsonElement root)
+    {
+        if (root.ValueKind != JsonValueKind.Object)
+            return false;
+
+        if (!root.TryGetProperty("version", out var versionElem))
+            return false;
+
+        if (versionElem.ValueKind != JsonValueKind.Number)
+            return false;
+
+        return versionElem.TryGetInt32(out var version) && version == CurrentSchemaVersion;
+    }
+
+    private void QuarantineMalformedFile(JsonException cause)
     {
         try
         {
-            if (File.Exists(QuarantinePath))
-                File.Delete(QuarantinePath);
-            File.Move(_filePath, QuarantinePath);
+            if (File.Exists(MalformedQuarantinePath))
+                File.Delete(MalformedQuarantinePath);
+            File.Move(_filePath, MalformedQuarantinePath);
         }
         catch (Exception moveEx)
         {
             throw new InvalidDataException(
-                $"Tool approvals file at '{_filePath}' is malformed and could not be quarantined to '{QuarantinePath}'. Inspect the file manually before restarting.",
+                $"Tool approvals file at '{_filePath}' is malformed and could not be quarantined to '{MalformedQuarantinePath}'. Inspect the file manually before restarting.",
                 new AggregateException(cause, moveEx));
         }
     }
 
+    private void QuarantineV1File()
+    {
+        try
+        {
+            if (File.Exists(V1QuarantinePath))
+                File.Delete(V1QuarantinePath);
+            File.Move(_filePath, V1QuarantinePath);
+        }
+        catch (Exception moveEx)
+        {
+            throw new InvalidDataException(
+                $"Tool approvals file at '{_filePath}' uses a legacy schema and could not be quarantined to '{V1QuarantinePath}'. Inspect the file manually before restarting.",
+                moveEx);
+        }
+    }
+
     /// <summary>
-    /// Adds an approved pattern for a tool in the given audience.
-    /// For shell_execute, the pattern is a verb chain (e.g., "git push").
-    /// For other tools, pass the tool name to approve tool-level access.
+    /// Adds an approved <see cref="ApprovalEntry"/> for a tool in the given
+    /// audience. The directory portion is normalized before storage so the
+    /// on-disk file never accumulates trailing-slash variants of the same
+    /// logical entry. Idempotent: an entry equal under
+    /// <see cref="ToolApprovalEntryComparer.Equals(ApprovalEntry, ApprovalEntry)"/>
+    /// is silently dropped.
     /// </summary>
-    public void AddApproval(TrustAudience audience, string toolName, string pattern)
+    public void AddApproval(TrustAudience audience, string toolName, ApprovalEntry entry)
     {
+        var normalized = ToolApprovalEntryComparer.Normalize(entry);
+
         lock (_lock)
         {
             var data = Load();
@@ -97,31 +177,31 @@ public void AddApproval(TrustAudience audience, string toolName, string pattern)
 
             if (!data.Audiences.TryGetValue(audienceKey, out var audienceApprovals))
             {
-                audienceApprovals = new Dictionary<string, List<string>>(StringComparer.Ordinal);
+                audienceApprovals = new Dictionary<string, List<ApprovalEntry>>(StringComparer.Ordinal);
                 data.Audiences[audienceKey] = audienceApprovals;
             }
 
-            if (!audienceApprovals.TryGetValue(toolName, out var patterns))
+            if (!audienceApprovals.TryGetValue(toolName, out var entries))
             {
-                patterns = [];
-                audienceApprovals[toolName] = patterns;
+                entries = [];
+                audienceApprovals[toolName] = entries;
             }
 
-            // Use the same comparer the daemon gate and the operator CLI use,
-            // otherwise on Windows "Git Push" and "git push" would dedupe as
-            // distinct on add but both get wiped by a single revoke.
-            if (!patterns.Contains(pattern, ToolApprovalEntryComparer.Comparer))
+            foreach (var existing in entries)
             {
-                patterns.Add(pattern);
-                Save(data);
+                if (ToolApprovalEntryComparer.Equals(existing, normalized))
+                    return;
             }
+
+            entries.Add(normalized);
+            Save(data);
         }
     }
 
     /// <summary>
-    /// Returns the approved patterns for a specific tool and audience.
+    /// Returns the approved entries for a specific tool and audience.
     /// </summary>
-    public IReadOnlyList<string> GetApprovedPatterns(TrustAudience audience, string toolName)
+    public IReadOnlyList<ApprovalEntry> GetApprovedEntries(TrustAudience audience, string toolName)
     {
         var data = Load();
         var audienceKey = audience.ToWireValue();
@@ -129,22 +209,24 @@ public IReadOnlyList<string> GetApprovedPatterns(TrustAudience audience, string
         if (!data.Audiences.TryGetValue(audienceKey, out var audienceApprovals))
             return [];
 
-        if (!audienceApprovals.TryGetValue(toolName, out var patterns))
+        if (!audienceApprovals.TryGetValue(toolName, out var entries))
             return [];
 
-        return patterns;
+        return entries;
     }
 
     /// <summary>
-    /// Removes an approved pattern for a tool in the given audience. Comparison
-    /// uses <see cref="ToolApprovalEntryComparer.Comparison"/> so the CLI and
-    /// the daemon agree on what "the same entry" means. Empty per-tool and
-    /// per-audience maps are pruned so the file does not retain hollow
-    /// sections after a revoke.
+    /// Removes an approved entry for a tool in the given audience. Comparison
+    /// uses <see cref="ToolApprovalEntryComparer.Equals(ApprovalEntry, ApprovalEntry)"/>
+    /// so the CLI and the daemon agree on what "the same entry" means. Empty
+    /// per-tool and per-audience maps are pruned so the file does not retain
+    /// hollow sections after a revoke.
     /// </summary>
     /// <returns><c>true</c> if an entry was removed; <c>false</c> otherwise.</returns>
-    public bool RemoveApproval(TrustAudience audience, string toolName, string pattern)
+    public bool RemoveApproval(TrustAudience audience, string toolName, ApprovalEntry entry)
     {
+        var normalized = ToolApprovalEntryComparer.Normalize(entry);
+
         lock (_lock)
         {
             var data = Load();
@@ -153,13 +235,13 @@ public bool RemoveApproval(TrustAudience audience, string toolName, string patte
             if (!data.Audiences.TryGetValue(audienceKey, out var audienceApprovals))
                 return false;
 
-            if (!audienceApprovals.TryGetValue(toolName, out var patterns))
+            if (!audienceApprovals.TryGetValue(toolName, out var entries))
                 return false;
 
             var index = -1;
-            for (var i = 0; i < patterns.Count; i++)
+            for (var i = 0; i < entries.Count; i++)
             {
-                if (ToolApprovalEntryComparer.Equals(patterns[i], pattern))
+                if (ToolApprovalEntryComparer.Equals(entries[i], normalized))
                 {
                     index = i;
                     break;
@@ -169,7 +251,7 @@ public bool RemoveApproval(TrustAudience audience, string toolName, string patte
             if (index < 0)
                 return false;
 
-            patterns.RemoveAt(index);
+            entries.RemoveAt(index);
             CleanupEmptySections(data, audienceKey, toolName);
             Save(data);
             return true;
@@ -190,14 +272,14 @@ public int RemoveAllForTool(TrustAudience audience, string toolName)
             if (!data.Audiences.TryGetValue(audienceKey, out var audienceApprovals))
                 return 0;
 
-            if (!audienceApprovals.TryGetValue(toolName, out var patterns))
+            if (!audienceApprovals.TryGetValue(toolName, out var entries))
                 return 0;
 
-            var removed = patterns.Count;
+            var removed = entries.Count;
             if (removed == 0)
                 return 0;
 
-            patterns.Clear();
+            entries.Clear();
             CleanupEmptySections(data, audienceKey, toolName);
             Save(data);
             return removed;
@@ -209,15 +291,15 @@ public int RemoveAllForTool(TrustAudience audience, string toolName)
     /// audience wire value then tool name. The snapshot is decoupled from the
     /// underlying file — subsequent mutations are not reflected.
     /// </summary>
-    public IReadOnlyDictionary<string, IReadOnlyDictionary<string, IReadOnlyList<string>>> Snapshot()
+    public IReadOnlyDictionary<string, IReadOnlyDictionary<string, IReadOnlyList<ApprovalEntry>>> Snapshot()
     {
         var data = Load();
-        var result = new Dictionary<string, IReadOnlyDictionary<string, IReadOnlyList<string>>>(StringComparer.Ordinal);
+        var result = new Dictionary<string, IReadOnlyDictionary<string, IReadOnlyList<ApprovalEntry>>>(StringComparer.Ordinal);
         foreach (var (audienceKey, tools) in data.Audiences)
         {
-            var clonedTools = new Dictionary<string, IReadOnlyList<string>>(StringComparer.Ordinal);
-            foreach (var (toolName, patterns) in tools)
-                clonedTools[toolName] = patterns.ToArray();
+            var clonedTools = new Dictionary<string, IReadOnlyList<ApprovalEntry>>(StringComparer.Ordinal);
+            foreach (var (toolName, entries) in tools)
+                clonedTools[toolName] = entries.ToArray();
             result[audienceKey] = clonedTools;
         }
         return result;
@@ -228,7 +310,7 @@ private static void CleanupEmptySections(ToolApprovalData data, string audienceK
         if (!data.Audiences.TryGetValue(audienceKey, out var audienceApprovals))
             return;
 
-        if (audienceApprovals.TryGetValue(toolName, out var patterns) && patterns.Count == 0)
+        if (audienceApprovals.TryGetValue(toolName, out var entries) && entries.Count == 0)
             audienceApprovals.Remove(toolName);
 
         if (audienceApprovals.Count == 0)
@@ -237,6 +319,12 @@ private static void CleanupEmptySections(ToolApprovalData data, string audienceK
 
     private void Save(ToolApprovalData data)
     {
+        // Always emit current schema version on write, even if Load returned
+        // a default-constructed data object whose Version is also already 2.
+        // Centralizing the write keeps the contract obvious and resilient to
+        // future default-value changes on the data model.
+        data.Version = CurrentSchemaVersion;
+
         var dir = Path.GetDirectoryName(_filePath);
         if (!string.IsNullOrEmpty(dir))
             Directory.CreateDirectory(dir);
@@ -251,10 +339,18 @@ private void Save(ToolApprovalData data)
 /// </summary>
 public sealed class ToolApprovalData
 {
+    /// <summary>
+    /// On-disk schema version. Set to <see cref="ToolApprovalStore.CurrentSchemaVersion"/>
+    /// by <see cref="ToolApprovalStore.Save"/>. Files lacking this value are
+    /// quarantined as legacy on first read.
+    /// </summary>
+    [JsonPropertyName("version")]
+    public int Version { get; set; } = ToolApprovalStore.CurrentSchemaVersion;
+
     /// <summary>
     /// Per-audience approval sections. Keys are audience wire values
-    /// ("personal", "team", "public"). Values are per-tool pattern lists.
+    /// ("personal", "team", "public"). Values are per-tool entry lists.
     /// </summary>
     [JsonPropertyName("audiences")]
-    public Dictionary<string, Dictionary<string, List<string>>> Audiences { get; set; } = new(StringComparer.Ordinal);
+    public Dictionary<string, Dictionary<string, List<ApprovalEntry>>> Audiences { get; set; } = new(StringComparer.Ordinal);
 }
diff --git a/src/Netclaw.Daemon/Program.cs b/src/Netclaw.Daemon/Program.cs
index dbc5d3f0..5b39b236 100644
--- a/src/Netclaw.Daemon/Program.cs
+++ b/src/Netclaw.Daemon/Program.cs
@@ -28,6 +28,7 @@
 using Netclaw.Actors.Tools;
 using Netclaw.Configuration;
 using Netclaw.Providers;
+using ShellSyntaxTree;
 using Netclaw.Providers.OAuth;
 using Netclaw.Providers.OpenAi;
 using Netclaw.Providers.OpenRouter;
@@ -606,8 +607,18 @@ static void ConfigureDaemonServices(
         .Get<SearchConfig>() ?? new SearchConfig();
     var searchBackend = searchConfig.Enabled ? CreateSearchBackend(searchConfig) : null;
 
+    // ConfigDirectory is hard-denied for agent writes and shell access to
+    // close the prompt-injection vector where an injected payload would
+    // instruct the agent to rewrite tool-approvals.json, hard-deny-overrides.json,
+    // or netclaw.json and grant itself global trust. Operators retain agency
+    // by editing config files outside the agent (their own editor) or via
+    // dedicated CLI commands that bypass the agent's tool-call path.
+    // Individual high-sensitivity paths (Secrets, Keys, etc.) are also listed
+    // explicitly for self-documenting intent — ConfigDirectory subsumes them
+    // but the explicit entries make the security purpose obvious to readers.
     var writeDenyList = new[]
     {
+        paths.ConfigDirectory,
         paths.SecretsPath,
         paths.KeysDirectory,
         paths.SqliteDbPath,
@@ -623,6 +634,7 @@ static void ConfigureDaemonServices(
     };
     var shellIndicatorList = new[]
     {
+        paths.ConfigDirectory,
         paths.SecretsPath,
         paths.WebhooksDirectory,
         paths.KeysDirectory,
@@ -634,9 +646,28 @@ static void ConfigureDaemonServices(
     var toolPathPolicy = new ToolPathPolicy(writeDenyList, readDenyList, shellIndicatorList);
     services.AddSingleton(toolPathPolicy);
 
-    var shellCommandPolicy = new ShellCommandPolicy(toolConfig.HardDenyPatterns);
+    // Load operator-authored hard-deny overrides (additive only — see
+    // HardDenyOverridesLoader). Missing file → empty list and only shipped
+    // defaults apply. Malformed file → daemon refuses to start; the
+    // loader throws InvalidDataException with operator-facing context so
+    // the failure surfaces loudly rather than silently dropping rules.
+    var hardDenyOverridesLoader = new HardDenyOverridesLoader();
+    var hardDenyOverrides = hardDenyOverridesLoader.Load(paths.HardDenyOverridesPath);
+    services.AddSingleton(hardDenyOverridesLoader);
+
+    var shellCommandPolicy = new ShellCommandPolicy(toolConfig.HardDenyPatterns, hardDenyOverrides);
     services.AddSingleton(shellCommandPolicy);
 
+    // Trust-zones new approval architecture — two-store per-audience
+    // persistence (verbPatterns + trustedZones) plus the three-layer
+    // GateEvaluator. Registered alongside the v2 ToolApprovalStore during
+    // transition; v2 stays authoritative until the gate-evaluator
+    // integration in ToolAccessPolicy completes and the v2 path is
+    // decommissioned in a future change.
+    var audienceTrustStore = new AudienceTrustStore(paths.TrustZonesPath);
+    services.AddSingleton(audienceTrustStore);
+    services.AddShellParser();
+
     // Subagent timeout configuration
     var subAgentConfig = configuration.GetSection("SubAgents")
         .Get<SubAgentConfig>() ?? new SubAgentConfig();
@@ -666,6 +697,34 @@ static void ConfigureDaemonServices(
         SchedulingEnabled: schedulingConfig.Enabled);
     var fileApprovalMatcher = new FilePathApprovalMatcher(paths.ConfigDirectory);
     var shellTrustZonePolicy = new ShellTrustZonePolicy(toolConfig, paths);
+    // Safe-verbs list: bundled per-OS defaults only — embedded resource in
+    // Netclaw.Configuration with no on-disk user override. Used by the
+    // approval gate's verb-pattern Layer to auto-allow demonstrably
+    // read-only verbs when invoked inside a trusted zone. Widening the
+    // list goes through code review and a daemon release, not a config
+    // edit, so the agent has no path to extend its own auto-pass surface
+    // at runtime.
+    var safeVerbs = SafeVerbLoader.Load();
+    services.AddSingleton(safeVerbs);
+
+    // Trust-zones gate evaluator + composer. The composer takes
+    // (audience profiles + persisted store + safe-verbs) at construction
+    // and produces a TrustState per call (audience + session_dir +
+    // session-scope grants). The evaluator runs the three-layer pipeline
+    // over a ParsedCommand against that TrustState. Both are registered
+    // as singletons — they are pure-function services with no per-call
+    // mutable state. Plumbed into ToolAccessPolicy below as the fast-path
+    // auto-allow check ahead of the v2 matcher.
+    var bashParser = new BashParser();
+    services.AddSingleton<IShellParser>(bashParser);
+    var gateEvaluator = new GateEvaluator(shellCommandPolicy, bashParser);
+    services.AddSingleton(gateEvaluator);
+    var trustStateComposer = new TrustStateComposer(
+        toolConfig.AudienceProfiles,
+        audienceTrustStore,
+        safeVerbs);
+    services.AddSingleton(trustStateComposer);
+
     var toolAccessPolicy = new ToolAccessPolicy(
         toolConfig,
         effectivePolicyDefaults,
@@ -673,7 +732,10 @@ static void ConfigureDaemonServices(
         fileApprovalMatcher,
         toolPathPolicy,
         featureGates,
-        shellTrustZonePolicy);
+        shellTrustZonePolicy,
+        safeVerbs,
+        gateEvaluator,
+        trustStateComposer);
     services.AddSingleton(toolAccessPolicy);
 
     var toolApprovalStore = new ToolApprovalStore(paths.ToolApprovalsPath);
diff --git a/src/Netclaw.Security.Tests/GateEvaluatorTests.cs b/src/Netclaw.Security.Tests/GateEvaluatorTests.cs
new file mode 100644
index 00000000..5a011678
--- /dev/null
+++ b/src/Netclaw.Security.Tests/GateEvaluatorTests.cs
@@ -0,0 +1,440 @@
+// -----------------------------------------------------------------------
+// <copyright file="GateEvaluatorTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+using Netclaw.Security;
+using ShellSyntaxTree;
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+/// <summary>
+/// End-to-end tests for the three-layer GateEvaluator. Exercises the live
+/// ShellSyntaxTree parser plus the live ShellCommandPolicy plus the
+/// composed TrustState to cover every scenario in the trust-zones spec.
+/// </summary>
+public sealed class GateEvaluatorTests
+{
+    // Use FromVerbs so tests are platform-independent — the bundled
+    // safe-verbs files diverge between Linux and Windows but the
+    // gate-evaluator logic doesn't change.
+    private static readonly SafeVerbList LinuxSafeVerbs = SafeVerbList.FromVerbs(
+    [
+        "cd", "chdir", "pushd", "popd",
+        "ls", "cat", "grep", "head", "tail", "find", "wc", "pwd",
+        "git status", "git log", "git diff", "git show",
+    ]);
+
+    private static GateEvaluator NewEvaluator()
+        => new(new ShellCommandPolicy(), new BashParser());
+
+    private static TrustState NewTrustState(
+        IEnumerable<string>? baselineZones = null,
+        IEnumerable<string>? persistedZones = null,
+        IEnumerable<string>? sessionZones = null,
+        IEnumerable<string>? persistedVerbPatterns = null,
+        IEnumerable<string>? sessionVerbPatterns = null,
+        string sessionDirectory = "/home/user/.netclaw/sessions/test")
+        => new(
+            baselineZones ?? [],
+            persistedZones ?? [],
+            sessionZones ?? [],
+            sessionDirectory,
+            persistedVerbPatterns ?? [],
+            sessionVerbPatterns ?? [],
+            LinuxSafeVerbs,
+            homeDirectory: "/home/user");
+
+    // -------------------------------------------------------------------
+    // Layer 1: hard-deny short-circuit
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void HardDeny_short_circuits_overall_decision()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("netclaw daemon stop", TrustAudience.Personal, state);
+
+        Assert.Equal(OverallGateDecision.HardDenied, result.OverallDecision);
+        Assert.NotNull(result.HardDenyReason);
+        Assert.Null(result.ZonePrompt);
+        Assert.Null(result.VerbPrompt);
+    }
+
+    [Fact]
+    public void HardDeny_in_second_clause_still_denies()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(baselineZones: ["/home/user/repos"]);
+
+        var result = evaluator.Evaluate(
+            "cd /home/user/repos && netclaw daemon stop",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.HardDenied, result.OverallDecision);
+    }
+
+    [Fact]
+    public void HardDeny_against_unparseable_still_evaluates()
+    {
+        // Unbalanced quote → IsUnparseable. Hard-deny still runs against
+        // the raw source so this fork-bomb fragment still denies even
+        // though the parser refused.
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate(":(){:|:&};:", TrustAudience.Personal, state);
+
+        Assert.Equal(OverallGateDecision.HardDenied, result.OverallDecision);
+    }
+
+    // -------------------------------------------------------------------
+    // Layer 2 + 3 happy paths
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Read_only_verb_in_trusted_zone_runs_silently()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(baselineZones: ["/home/user/repos"]);
+
+        var result = evaluator.Evaluate(
+            "ls /home/user/repos/foo",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.Approved, result.OverallDecision);
+        Assert.Null(result.ZonePrompt);
+        Assert.Null(result.VerbPrompt);
+    }
+
+    [Fact]
+    public void Read_only_verb_outside_trusted_zone_prompts_zone_gate()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("cat /etc/hosts", TrustAudience.Personal, state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Contains("/etc/hosts", result.ZonePrompt.UntrustedPaths);
+    }
+
+    [Fact]
+    public void Mutating_verb_in_trusted_zone_prompts_verb_gate_only()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(baselineZones: ["/home/user/repos"]);
+
+        var result = evaluator.Evaluate(
+            "git push origin main",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.Null(result.ZonePrompt);   // no untrusted paths in this clause
+        Assert.NotNull(result.VerbPrompt);
+        // Greedy verb-chain extraction (ShellSyntaxTree 0.1.4-alpha,
+        // issue #27): the proposed pattern includes the full verb chain
+        // up to the first non-verb-like token. Approving
+        // `git push origin main *` is intentionally narrower than
+        // `git push *` — see PRD discussion on operator-friendly defaults.
+        Assert.Equal("git push origin main *", result.VerbPrompt.VerbPattern);
+    }
+
+    [Fact]
+    public void Mutating_verb_outside_trusted_zone_produces_both_prompts()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate(
+            "cp /etc/nginx/old.conf /etc/nginx/new.conf",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.NotNull(result.VerbPrompt);
+        Assert.Equal("cp *", result.VerbPrompt.VerbPattern);
+    }
+
+    // -------------------------------------------------------------------
+    // Multi-path zone batching
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Multi_path_clause_unions_untrusted_paths_in_one_prompt()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate(
+            "cp /etc/foo /var/log/bar",
+            TrustAudience.Personal,
+            state);
+
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Equal(2, result.ZonePrompt.UntrustedPaths.Count);
+        Assert.Contains("/etc/foo", result.ZonePrompt.UntrustedPaths);
+        Assert.Contains("/var/log/bar", result.ZonePrompt.UntrustedPaths);
+    }
+
+    [Fact]
+    public void Untrusted_paths_dedupe_across_clauses()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        // cd attributes /etc to clause 2; clause 2 also explicitly operates
+        // on /etc/hosts. The zone prompt should list /etc once, /etc/hosts
+        // once — no duplicates from attribution arithmetic.
+        var result = evaluator.Evaluate(
+            "cd /etc && cat /etc/hosts",
+            TrustAudience.Personal,
+            state);
+
+        Assert.NotNull(result.ZonePrompt);
+        var distinct = result.ZonePrompt.UntrustedPaths.Distinct().Count();
+        Assert.Equal(result.ZonePrompt.UntrustedPaths.Count, distinct);
+    }
+
+    // -------------------------------------------------------------------
+    // cd-in-compound attribution
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Cd_attribution_propagates_target_as_path_in_subsequent_clause()
+    {
+        // cd /trusted-path && cat file.txt — the second clause operates on
+        // /trusted-path via attribution; if /trusted-path is in zones,
+        // the clause passes silently.
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(baselineZones: ["/home/user/repos"]);
+
+        var result = evaluator.Evaluate(
+            "cd /home/user/repos && cat file.txt",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.Approved, result.OverallDecision);
+    }
+
+    [Fact]
+    public void Cd_to_untrusted_dir_prompts_for_target_only()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("cd /foreign", TrustAudience.Personal, state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Contains("/foreign", result.ZonePrompt.UntrustedPaths);
+        // cd is a read-only safe-verb but with untrusted path, the
+        // read-only auto-pass doesn't kick in until the zone is approved.
+        // For the call as it stands, no verb prompt is needed because
+        // cd would still pass once zone is approved.
+        Assert.Null(result.VerbPrompt);
+    }
+
+    // -------------------------------------------------------------------
+    // Mixed-zone clause: one trusted + one untrusted path
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Mixed_zone_clause_with_read_only_verb_prompts_zone_only()
+    {
+        // grep -r foo /trusted /untrusted — read-only verb, mixed zone.
+        // Per locked design: zone gate prompts for /untrusted; verb gate
+        // auto-passes once zone is approved (mixed-zone rule).
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(baselineZones: ["/home/user/repos"]);
+
+        var result = evaluator.Evaluate(
+            "grep -r foo /home/user/repos /etc",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Contains("/etc", result.ZonePrompt.UntrustedPaths);
+        // No verb prompt because grep is read-only; the verb gate
+        // auto-passes after zone gate approves the untrusted path.
+        Assert.Null(result.VerbPrompt);
+    }
+
+    // -------------------------------------------------------------------
+    // Pattern matching
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Persisted_verb_pattern_auto_passes_verb_gate()
+    {
+        var evaluator = NewEvaluator();
+        // Persisted pattern matches the verb chain the parser actually
+        // extracts for `git push origin main` (greedy through verb-like
+        // tokens). This mirrors what AudienceTrustStore would persist
+        // after the operator clicks Always on the auto-proposed prompt.
+        var state = NewTrustState(
+            baselineZones: ["/home/user/repos"],
+            persistedVerbPatterns: ["git push origin main *"]);
+
+        var result = evaluator.Evaluate(
+            "git push origin main",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.Approved, result.OverallDecision);
+        Assert.Null(result.VerbPrompt);
+    }
+
+    [Fact]
+    public void Session_verb_pattern_auto_passes_verb_gate()
+    {
+        // dotnet test with a path arg inside a trusted zone — both gates
+        // pass: zone via baseline, verb via session pattern.
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(
+            baselineZones: ["/home/user/repos"],
+            sessionVerbPatterns: ["dotnet test *"]);
+
+        var result = evaluator.Evaluate(
+            "dotnet test /home/user/repos/Foo.Tests",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.Approved, result.OverallDecision);
+    }
+
+    [Fact]
+    public void Verb_pattern_does_not_match_different_verb()
+    {
+        var evaluator = NewEvaluator();
+        // Persisted `git push *` does not match the `git pull origin main`
+        // verb chain — different verb root, no auto-pass. The auto-proposed
+        // pattern for the prompt is the full greedy chain.
+        var state = NewTrustState(
+            baselineZones: ["/home/user/repos"],
+            persistedVerbPatterns: ["git push *"]);
+
+        var result = evaluator.Evaluate(
+            "git pull origin main",
+            TrustAudience.Personal,
+            state);
+
+        Assert.NotNull(result.VerbPrompt);
+        Assert.Equal("git pull origin main *", result.VerbPrompt.VerbPattern);
+    }
+
+    // -------------------------------------------------------------------
+    // Session-scope zones
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Session_zone_grant_applies_for_subsequent_calls()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState(sessionZones: ["/tmp/scratch"]);
+
+        var result = evaluator.Evaluate(
+            "ls /tmp/scratch/foo",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.Approved, result.OverallDecision);
+    }
+
+    // -------------------------------------------------------------------
+    // Empty-verb / redirect-only clauses
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Redirect_target_outside_zone_prompts_zone_only()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate(
+            "echo hello > /etc/dangerous.txt",
+            TrustAudience.Personal,
+            state);
+
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Contains("/etc/dangerous.txt", result.ZonePrompt.UntrustedPaths);
+    }
+
+    // -------------------------------------------------------------------
+    // Dynamic-skip tokens
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Dynamic_skip_arg_is_excluded_from_zone_gate()
+    {
+        // $UNRESOLVED/foo cannot be statically resolved — Arg.Kind =
+        // DynamicSkip. The zone gate excludes these so the clause is
+        // treated as path-arg-less. The verb gate still applies normally.
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("ls $UNRESOLVED/foo", TrustAudience.Personal, state);
+
+        // No untrusted path extracted (the only path arg was dynamic-skipped).
+        // The verb is read-only, so with no untrusted paths the call passes.
+        Assert.Null(result.ZonePrompt);
+    }
+
+    // -------------------------------------------------------------------
+    // Unparseable safe-fail
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Unparseable_input_routes_to_safe_fail_zone_and_verb_prompts()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("echo \"unbalanced", TrustAudience.Personal, state);
+
+        Assert.True(result.IsUnparseable);
+        Assert.Equal(OverallGateDecision.NeedsPrompt, result.OverallDecision);
+        Assert.NotNull(result.ZonePrompt);
+        Assert.NotNull(result.VerbPrompt);
+    }
+
+    [Fact]
+    public void Unparseable_carries_raw_command_into_zone_prompt()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var result = evaluator.Evaluate("echo \"unbalanced", TrustAudience.Personal, state);
+
+        Assert.NotNull(result.ZonePrompt);
+        Assert.Contains("unbalanced", result.ZonePrompt.UntrustedPaths[0]);
+    }
+
+    // -------------------------------------------------------------------
+    // Audience independence
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Different_audience_strings_surface_in_prompt_info()
+    {
+        var evaluator = NewEvaluator();
+        var state = NewTrustState();
+
+        var personalResult = evaluator.Evaluate("cat /etc/hosts", TrustAudience.Personal, state);
+        var teamResult = evaluator.Evaluate("cat /etc/hosts", TrustAudience.Team, state);
+
+        Assert.Equal(TrustAudience.Personal.ToWireValue(), personalResult.ZonePrompt?.Audience);
+        Assert.Equal(TrustAudience.Team.ToWireValue(), teamResult.ZonePrompt?.Audience);
+    }
+}
diff --git a/src/Netclaw.Security.Tests/HardDenyOverridesLoaderTests.cs b/src/Netclaw.Security.Tests/HardDenyOverridesLoaderTests.cs
new file mode 100644
index 00000000..8506bc40
--- /dev/null
+++ b/src/Netclaw.Security.Tests/HardDenyOverridesLoaderTests.cs
@@ -0,0 +1,207 @@
+// -----------------------------------------------------------------------
+// <copyright file="HardDenyOverridesLoaderTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+public sealed class HardDenyOverridesLoaderTests : IDisposable
+{
+    private readonly string _file;
+    private readonly HardDenyOverridesLoader _loader = new();
+
+    public HardDenyOverridesLoaderTests()
+    {
+        _file = Path.Combine(Path.GetTempPath(), $"netclaw-deny-overrides-{Guid.NewGuid():N}.json");
+    }
+
+    public void Dispose()
+    {
+        if (File.Exists(_file)) File.Delete(_file);
+    }
+
+    [Fact]
+    public void Load_returns_empty_when_file_missing()
+    {
+        Assert.Empty(_loader.Load(_file));
+    }
+
+    [Fact]
+    public void Load_returns_empty_when_path_null_or_blank()
+    {
+        Assert.Empty(_loader.Load(null!));
+        Assert.Empty(_loader.Load("   "));
+    }
+
+    [Fact]
+    public void Load_returns_empty_when_file_is_empty_string()
+    {
+        File.WriteAllText(_file, "");
+        Assert.Empty(_loader.Load(_file));
+    }
+
+    [Fact]
+    public void Load_returns_empty_when_file_is_empty_array()
+    {
+        File.WriteAllText(_file, "[]");
+        Assert.Empty(_loader.Load(_file));
+    }
+
+    [Fact]
+    public void Load_parses_simple_verb_rule()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "verb": ["docker", "rm"], "reason": "local_policy" }
+        ]
+        """);
+
+        var rules = _loader.Load(_file);
+        Assert.Single(rules);
+        Assert.Equal(["docker", "rm"], rules[0].Verb);
+        Assert.Equal("local_policy", rules[0].Reason);
+        Assert.Equal("custom_deny", rules[0].Category);
+    }
+
+    [Fact]
+    public void Load_parses_refined_verb_rule()
+    {
+        File.WriteAllText(_file, """
+        [
+          {
+            "verb": ["rm"],
+            "argFlags": ["-rf"],
+            "firstPath": { "oneOf": ["/", "~", "~/"] },
+            "reason": "destructive_root"
+          }
+        ]
+        """);
+
+        var rules = _loader.Load(_file);
+        Assert.Single(rules);
+        Assert.Equal(["rm"], rules[0].Verb);
+        Assert.Equal(["-rf"], rules[0].ArgFlags);
+        Assert.NotNull(rules[0].FirstPath);
+        Assert.Equal(["/", "~", "~/"], rules[0].FirstPath!.OneOf);
+    }
+
+    [Fact]
+    public void Load_parses_raw_text_rule()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "rawText": ":(){:|:&};:", "reason": "fork_bomb", "escapeHatch": true }
+        ]
+        """);
+
+        var rules = _loader.Load(_file);
+        Assert.Single(rules);
+        Assert.Equal(":(){:|:&};:", rules[0].RawText);
+        Assert.True(rules[0].EscapeHatch);
+    }
+
+    [Fact]
+    public void Load_parses_verb_prefix_rule()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "verbPrefix": "mkfs", "reason": "filesystem_destruction" }
+        ]
+        """);
+
+        var rules = _loader.Load(_file);
+        Assert.Single(rules);
+        Assert.Equal("mkfs", rules[0].VerbPrefix);
+    }
+
+    [Fact]
+    public void Load_parses_multiple_rules()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "verb": ["docker", "rm"], "reason": "policy_a" },
+          { "verbPrefix": "mkfs", "reason": "policy_b" },
+          { "rawText": "danger", "reason": "policy_c" }
+        ]
+        """);
+
+        var rules = _loader.Load(_file);
+        Assert.Equal(3, rules.Count);
+    }
+
+    // -------------------------------------------------------------------
+    // Failure: malformed JSON, malformed rules
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Load_throws_on_malformed_json()
+    {
+        File.WriteAllText(_file, "{not json");
+
+        var ex = Assert.Throws<InvalidDataException>(() => _loader.Load(_file));
+        Assert.Contains("malformed JSON", ex.Message);
+        Assert.Contains("refuses to start", ex.Message);
+    }
+
+    [Fact]
+    public void Load_throws_on_rule_with_no_match_shape()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "reason": "missing_shape" }
+        ]
+        """);
+
+        var ex = Assert.Throws<InvalidDataException>(() => _loader.Load(_file));
+        Assert.Contains("rule at index 0", ex.Message);
+        Assert.Contains("no match shape", ex.Message);
+    }
+
+    [Fact]
+    public void Load_throws_on_rule_with_multiple_match_shapes()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "verb": ["git"], "reason": "ok" },
+          { "verb": ["bad"], "rawText": "x", "reason": "dual_shapes" }
+        ]
+        """);
+
+        var ex = Assert.Throws<InvalidDataException>(() => _loader.Load(_file));
+        Assert.Contains("rule at index 1", ex.Message);
+        Assert.Contains("multiple match shapes", ex.Message);
+    }
+
+    [Fact]
+    public void Load_throws_on_rule_missing_reason()
+    {
+        File.WriteAllText(_file, """
+        [
+          { "verb": ["git", "push"] }
+        ]
+        """);
+
+        // System.Text.Json throws on missing required property; loader wraps
+        // it into InvalidDataException with index context.
+        Assert.Throws<InvalidDataException>(() => _loader.Load(_file));
+    }
+
+    [Fact]
+    public void Load_throws_on_refinement_without_verb()
+    {
+        File.WriteAllText(_file, """
+        [
+          {
+            "verbPrefix": "mkfs",
+            "argFlags": ["-f"],
+            "reason": "wrong_combo"
+          }
+        ]
+        """);
+
+        var ex = Assert.Throws<InvalidDataException>(() => _loader.Load(_file));
+        Assert.Contains("rule at index 0", ex.Message);
+    }
+}
diff --git a/src/Netclaw.Security.Tests/HardDenyRuleTests.cs b/src/Netclaw.Security.Tests/HardDenyRuleTests.cs
new file mode 100644
index 00000000..33ac5a4e
--- /dev/null
+++ b/src/Netclaw.Security.Tests/HardDenyRuleTests.cs
@@ -0,0 +1,144 @@
+// -----------------------------------------------------------------------
+// <copyright file="HardDenyRuleTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+public sealed class HardDenyRuleTests
+{
+    // -------------------------------------------------------------------
+    // Validate: required fields
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_succeeds_for_simple_verb_rule()
+    {
+        var rule = new HardDenyRule
+        {
+            Verb = ["docker", "rm"],
+            Reason = "local_policy"
+        };
+
+        rule.Validate();
+    }
+
+    [Fact]
+    public void Validate_succeeds_for_verb_prefix_rule()
+    {
+        var rule = new HardDenyRule
+        {
+            VerbPrefix = "mkfs",
+            Reason = "filesystem_destruction"
+        };
+
+        rule.Validate();
+    }
+
+    [Fact]
+    public void Validate_succeeds_for_raw_text_escape_hatch()
+    {
+        var rule = new HardDenyRule
+        {
+            RawText = ":(){ :|:& };:",
+            Reason = "fork_bomb",
+            EscapeHatch = true
+        };
+
+        rule.Validate();
+    }
+
+    [Fact]
+    public void Validate_succeeds_for_refined_verb_rule()
+    {
+        var rule = new HardDenyRule
+        {
+            Verb = ["rm"],
+            ArgFlags = ["-rf"],
+            FirstPath = new PathConstraint { OneOf = ["/", "~"] },
+            Reason = "destructive_root"
+        };
+
+        rule.Validate();
+    }
+
+    // -------------------------------------------------------------------
+    // Validate: rejection
+    // -------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_rejects_rule_with_no_match_shape()
+    {
+        var rule = new HardDenyRule { Reason = "missing_shape" };
+        var ex = Assert.Throws<InvalidDataException>(() => rule.Validate());
+        Assert.Contains("no match shape", ex.Message);
+    }
+
+    [Fact]
+    public void Validate_rejects_rule_with_multiple_match_shapes()
+    {
+        var rule = new HardDenyRule
+        {
+            Verb = ["git"],
+            VerbPrefix = "git",
+            Reason = "dual_shapes"
+        };
+
+        var ex = Assert.Throws<InvalidDataException>(() => rule.Validate());
+        Assert.Contains("multiple match shapes", ex.Message);
+    }
+
+    [Fact]
+    public void Validate_rejects_rule_with_verb_and_raw_text()
+    {
+        var rule = new HardDenyRule
+        {
+            Verb = ["git"],
+            RawText = "anything",
+            Reason = "dual_shapes"
+        };
+
+        Assert.Throws<InvalidDataException>(() => rule.Validate());
+    }
+
+    [Fact]
+    public void Validate_rejects_refinement_without_verb()
+    {
+        var rule = new HardDenyRule
+        {
+            VerbPrefix = "mkfs",
+            ArgFlags = ["-f"],
+            Reason = "refinement_misuse"
+        };
+
+        var ex = Assert.Throws<InvalidDataException>(() => rule.Validate());
+        Assert.Contains("Refinements only apply to verb-matched rules", ex.Message, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void Validate_rejects_first_path_without_verb()
+    {
+        var rule = new HardDenyRule
+        {
+            VerbPrefix = "anything",
+            FirstPath = new PathConstraint { OneOf = ["/etc"] },
+            Reason = "refinement_misuse"
+        };
+
+        Assert.Throws<InvalidDataException>(() => rule.Validate());
+    }
+
+    [Fact]
+    public void Validate_rejects_empty_verb_list()
+    {
+        var rule = new HardDenyRule
+        {
+            Verb = [],
+            Reason = "empty_verb"
+        };
+
+        Assert.Throws<InvalidDataException>(() => rule.Validate());
+    }
+}
diff --git a/src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs b/src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs
index 142549eb..28dc7466 100644
--- a/src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs
+++ b/src/Netclaw.Security.Tests/ShellApprovalMatcherTests.cs
@@ -1,8 +1,9 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ShellApprovalMatcherTests.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
 // -----------------------------------------------------------------------
+using Netclaw.Configuration;
 using Netclaw.Tools;
 using Xunit;
 
@@ -12,20 +13,6 @@ public sealed class ShellApprovalMatcherTests
 {
     private readonly ShellApprovalMatcher _matcher = ShellApprovalMatcher.Instance;
 
-    public static TheoryData<string, string, bool> PlatformDirectoryMatchCases
-    {
-        get
-        {
-            var data = new TheoryData<string, string, bool>();
-            if (OperatingSystem.IsWindows())
-                data.Add(@"C:\Users\petabridge\.netclaw\logs\", @"type C:\Users\petabridge\.netclaw\logs\crash.log", true);
-            else
-                data.Add("/home/user/.netclaw/logs/", "cat /home/user/.netclaw/logs/crash.log", true);
-
-            return data;
-        }
-    }
-
     private static Dictionary<string, object?> Args(string command) => new() { ["Command"] = command };
 
     private static Dictionary<string, object?> Args(string command, string workingDirectory)
@@ -35,6 +22,9 @@ public static TheoryData<string, string, bool> PlatformDirectoryMatchCases
             ["WorkingDirectory"] = workingDirectory
         };
 
+    private static ApprovalEntry Verb(string verb) => new() { Verb = verb, Directory = null };
+    private static ApprovalEntry InDir(string verb, string dir) => new() { Verb = verb, Directory = dir };
+
     [Fact]
     public void ExtractPatterns_simple_command()
     {
@@ -54,16 +44,6 @@ public void ExtractPatterns_compound_command()
         Assert.Contains("git push", patterns);
     }
 
-    [Fact]
-    public void ExtractPatterns_deduplicates()
-    {
-        var patterns = _matcher.ExtractPatterns(new ToolName("shell_execute"),
-            Args("git push && git push --tags"));
-        Assert.Equal(2, patterns.Count);
-        Assert.Contains("git push", patterns);
-        Assert.Contains("git push --tags", patterns);
-    }
-
     [Fact]
     public void ExtractPatterns_recurses_into_bash_c_wrapper()
     {
@@ -73,16 +53,6 @@ public void ExtractPatterns_recurses_into_bash_c_wrapper()
         Assert.Equal("git push --force", patterns[0]);
     }
 
-    [Fact]
-    public void ExtractPatterns_batches_outer_and_inner_segments()
-    {
-        var patterns = _matcher.ExtractPatterns(new ToolName("shell_execute"), Args("echo ok && bash -c \"git push --force\""));
-
-        Assert.Equal(2, patterns.Count);
-        Assert.Contains("echo ok", patterns);
-        Assert.Contains("git push --force", patterns);
-    }
-
     [Fact]
     public void ExtractPatterns_empty_command()
     {
@@ -91,69 +61,111 @@ public void ExtractPatterns_empty_command()
     }
 
     [Fact]
-    public void IsApproved_all_patterns_approved()
+    public void ExtractCandidateVerbs_collapses_to_verb_chains_only()
     {
-        var approved = new[] { "git add .", "git commit -m fix", "git push" };
-        Assert.True(_matcher.IsApproved(new ToolName("shell_execute"),
-            Args("git add . && git commit -m fix && git push"), approved));
+        // Pure verb chains, no normalized commands or directory roots — the
+        // v2 matcher leaves the directory half of approval pairs to the cwd.
+        var verbs = _matcher.ExtractCandidateVerbs(
+            new ToolName("shell_execute"),
+            Args("git add . && git commit -m fix && git push"));
+        Assert.Equal(3, verbs.Count);
+        Assert.Contains("git add", verbs);
+        Assert.Contains("git commit", verbs);
+        Assert.Contains("git push", verbs);
     }
 
     [Fact]
-    public void IsApproved_one_pattern_unapproved()
+    public void ExtractCandidateVerbs_emits_command_head_only()
     {
-        var approved = new[] { "git add .", "git push" };
-        Assert.False(_matcher.IsApproved(new ToolName("shell_execute"),
-            Args("git add . && git commit -m fix && git push"), approved));
+        // v2.1 path-extraction: verb chain is the command head only.
+        // The path argument is captured separately on
+        // ExtractCandidates(...).Directory; see
+        // ShellApprovalMatcherPathExtractionTests for the full coverage.
+        var verbs = _matcher.ExtractCandidateVerbs(
+            new ToolName("shell_execute"),
+            Args("cat /home/user/.netclaw/logs/crash.log"));
+        Assert.Single(verbs);
+        Assert.Equal("cat", verbs[0]);
     }
 
-    [Theory]
-    [InlineData("git push", "git push", true)]
-    [InlineData("git push", "git push origin main", false)]
-    [InlineData("gh", "gh --help", false)]
-    [InlineData("/home/user/.netclaw/logs/", "grep timeout /home/user/.netclaw/logs/crash.log", true)]
-    [InlineData("/home/user/.netclaw/logs/", "cat /home/user/.netclaw/config/secret.json", false)]
-    public void IsApproved_pattern_matching(string pattern, string command, bool expected)
+    [Fact]
+    public void IsApproved_global_wildcard_matches_anywhere()
     {
-        var approved = new[] { pattern };
-        Assert.Equal(expected, _matcher.IsApproved(new ToolName("shell_execute"), Args(command), approved));
+        var approved = new[] { Verb("git push"), Verb("git add"), Verb("git commit") };
+        Assert.True(_matcher.IsApproved(
+            new ToolName("shell_execute"),
+            Args("git add . && git commit -m fix && git push"),
+            approved,
+            cwd: "/anywhere"));
     }
 
-    [Theory]
-    [MemberData(nameof(PlatformDirectoryMatchCases))]
-    public void IsApproved_platform_specific_directory_root_matching(string pattern, string command, bool expected)
+    [Fact]
+    public void IsApproved_one_verb_unapproved_returns_false()
     {
-        var approved = new[] { pattern };
-        Assert.Equal(expected, _matcher.IsApproved(new ToolName("shell_execute"), Args(command), approved));
+        var approved = new[] { Verb("git add"), Verb("git push") };
+        Assert.False(_matcher.IsApproved(
+            new ToolName("shell_execute"),
+            Args("git add . && git commit -m fix && git push"),
+            approved,
+            cwd: null));
     }
 
     [Fact]
-    public void IsApproved_recurses_into_bash_c_wrapper()
+    public void IsApproved_folder_scoped_entry_matches_when_cwd_is_under_directory()
     {
-        var approved = new[] { "git push --force" };
+        var tempRoot = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"));
+        var sub = Path.Combine(tempRoot, "sub");
+        Directory.CreateDirectory(sub);
+        try
+        {
+            // Use a non-path-aware verb so the candidate stays a pure verb
+            // chain ("git status"); path-aware verbs (cat, grep, etc.) append
+            // their first positional argument which would not match a bare
+            // verb in the approved entry.
+            var approved = new[] { InDir("git status", tempRoot) };
+            Assert.True(_matcher.IsApproved(
+                new ToolName("shell_execute"),
+                Args("git status"),
+                approved,
+                cwd: sub));
+        }
+        finally
+        {
+            Directory.Delete(tempRoot, recursive: true);
+        }
+    }
 
-        Assert.True(_matcher.IsApproved(new ToolName("shell_execute"),
-            Args("bash -c \"git push --force\""), approved));
+    [Fact]
+    public void IsApproved_folder_scoped_entry_does_not_match_when_cwd_is_outside()
+    {
+        var approved = new[] { InDir("grep", "/home/user/repos/foo") };
+        Assert.False(_matcher.IsApproved(
+            new ToolName("shell_execute"),
+            Args("grep error file.log"),
+            approved,
+            cwd: "/etc"));
     }
 
     [Fact]
-    public void ExtractPatterns_normalize_paths_but_keep_full_unit_shape()
+    public void IsApproved_folder_scoped_entry_requires_concrete_cwd()
     {
-        var patterns = _matcher.ExtractPatterns(
+        var approved = new[] { InDir("grep", "/home/user/repos/foo") };
+        Assert.False(_matcher.IsApproved(
             new ToolName("shell_execute"),
-            Args("cat /etc/hosts && git push origin main"));
-        Assert.Equal(2, patterns.Count);
-        Assert.Contains("cat /etc/hosts", patterns);
-        Assert.Contains("git push origin main", patterns);
+            Args("grep error file.log"),
+            approved,
+            cwd: null));
     }
 
     [Fact]
-    public void ExtractPatterns_keep_pipeline_together_as_one_unit()
+    public void IsApproved_recurses_into_bash_c_wrapper()
     {
-        var patterns = _matcher.ExtractPatterns(
+        var approved = new[] { Verb("git push") };
+        Assert.True(_matcher.IsApproved(
             new ToolName("shell_execute"),
-            Args("cat /var/log/syslog | grep error"));
-        Assert.Single(patterns);
-        Assert.Equal("cat /var/log/syslog | grep error", patterns[0]);
+            Args("bash -c \"git push --force\""),
+            approved,
+            cwd: null));
     }
 
     [Fact]
@@ -163,58 +175,246 @@ public void FormatForDisplay_returns_command()
         Assert.Equal("git push origin main", display);
     }
 
-    // ── ExtractDirectoryRoots / ExtractApprovalEntries ──
-
-    [Theory]
-    [MemberData(nameof(PlatformDirectoryMatchCases))]
-    public void ExtractDirectoryRoots_simple_path_command(string expectedRoot, string command, bool _)
+    [Fact]
+    public void IsMessy_true_for_bash_control_flow()
     {
-        var roots = _matcher.ExtractDirectoryRoots(
+        Assert.True(_matcher.IsMessy(
             new ToolName("shell_execute"),
-            Args(command));
-        Assert.Single(roots);
-        Assert.Equal(expectedRoot, roots[0].ComparisonRoot);
+            Args("for pid in $(pgrep netclawd); do echo $pid; done")));
     }
 
     [Fact]
-    public void ExtractDirectoryRoots_pipeline_and_multiple_verbs_share_same_root()
+    public void IsMessy_false_for_well_formed_compound()
     {
-        var roots = _matcher.ExtractDirectoryRoots(
+        Assert.False(_matcher.IsMessy(
             new ToolName("shell_execute"),
-            Args("grep 'error' /home/user/.netclaw/logs/app.log | wc -l"));
-        Assert.Single(roots);
-        Assert.Equal("/home/user/.netclaw/logs/", roots[0].ComparisonRoot.Replace('\\', '/'));
+            Args("git add . && git commit -m fix && git push")));
     }
 
     [Fact]
-    public void ExtractDirectoryRoots_returns_empty_when_no_reusable_roots_exist()
+    public void IsApproved_returns_false_for_messy_command_even_with_global_wildcards()
     {
-        var roots = _matcher.ExtractDirectoryRoots(
+        // Even if every conceivable verb is approved, a messy command never
+        // auto-runs: the matcher cannot extract verb chains to evaluate, and
+        // the prompt must offer Once/Deny only.
+        var approved = new[] { Verb("for"), Verb("do"), Verb("done"), Verb("echo") };
+        Assert.False(_matcher.IsApproved(
             new ToolName("shell_execute"),
-            Args("git push origin main"));
-        Assert.Empty(roots);
+            Args("for x in 1 2 3; do echo $x; done"),
+            approved,
+            cwd: null));
+    }
+}
+
+/// <summary>
+/// Path-extraction-aware matcher tests. The v2.1 design moves path arguments
+/// out of the verb chain and into the candidate's directory half so future
+/// calls in the same tree match a single persisted entry.
+/// </summary>
+public sealed class ShellApprovalMatcherPathExtractionTests
+{
+    private readonly ShellApprovalMatcher _matcher = ShellApprovalMatcher.Instance;
+
+    private static Dictionary<string, object?> Args(string command) => new() { ["Command"] = command };
+
+    [Fact]
+    public void ExtractCandidates_strips_path_from_verb()
+    {
+        var candidates = _matcher.ExtractCandidates(new ToolName("shell_execute"),
+            Args("find /home/petabridge -name X"));
+
+        var c = Assert.Single(candidates);
+        Assert.Equal("find", c.Verb);
+        Assert.Equal("/home/petabridge", c.Directory);
     }
 
     [Fact]
-    public void ExtractApprovalEntries_use_roots_when_available()
+    public void ExtractCandidates_applies_file_parent_rule()
     {
-        var entries = _matcher.ExtractApprovalEntries(
+        var candidates = _matcher.ExtractCandidates(new ToolName("shell_execute"),
+            Args("cat ~/.bashrc"));
+
+        var c = Assert.Single(candidates);
+        Assert.Equal("cat", c.Verb);
+        // Path.GetDirectoryName drops the trailing separator.
+        Assert.Equal("~", c.Directory);
+    }
+
+    [Fact]
+    public void ExtractCandidates_no_path_returns_null_directory()
+    {
+        var candidates = _matcher.ExtractCandidates(new ToolName("shell_execute"),
+            Args("git status"));
+
+        var c = Assert.Single(candidates);
+        Assert.Equal("git status", c.Verb);
+        Assert.Null(c.Directory);
+    }
+
+    [Fact]
+    public void ExtractCandidates_compound_command_extracts_per_clause()
+    {
+        var candidates = _matcher.ExtractCandidates(new ToolName("shell_execute"),
+            Args("ls /repo && git status"));
+
+        Assert.Equal(2, candidates.Count);
+        Assert.Equal("ls", candidates[0].Verb);
+        Assert.Equal("/repo", candidates[0].Directory);
+        Assert.Equal("git status", candidates[1].Verb);
+        Assert.Null(candidates[1].Directory);
+    }
+
+    [Fact]
+    public void Matches_when_candidate_path_under_entry_directory()
+    {
+        // Folder-scoped trust compounds: an entry on /home/petabridge
+        // covers any candidate whose path is under it.
+        Assert.True(ApprovalPatternMatching.MatchesShellApproval(
+            candidateVerb: "find",
+            candidateDirectory: "/home/petabridge/.netclaw",
+            cwd: null,
+            approvedEntries: [new ApprovalEntry { Verb = "find", Directory = "/home/petabridge" }]));
+    }
+
+    [Fact]
+    public void Matches_when_candidate_path_equals_entry_directory()
+    {
+        Assert.True(ApprovalPatternMatching.MatchesShellApproval(
+            candidateVerb: "find",
+            candidateDirectory: "/home/petabridge",
+            cwd: null,
+            approvedEntries: [new ApprovalEntry { Verb = "find", Directory = "/home/petabridge" }]));
+    }
+
+    [Fact]
+    public void Rejects_when_candidate_path_outside_entry_directory()
+    {
+        Assert.False(ApprovalPatternMatching.MatchesShellApproval(
+            candidateVerb: "find",
+            candidateDirectory: "/home/other",
+            cwd: null,
+            approvedEntries: [new ApprovalEntry { Verb = "find", Directory = "/home/petabridge" }]));
+    }
+
+    [Fact]
+    public void Falls_back_to_cwd_when_candidate_path_is_null()
+    {
+        // No path argument on the candidate — cwd is the effective directory.
+        Assert.True(ApprovalPatternMatching.MatchesShellApproval(
+            candidateVerb: "git status",
+            candidateDirectory: null,
+            cwd: "/home/petabridge/.netclaw",
+            approvedEntries: [new ApprovalEntry { Verb = "git status", Directory = "/home/petabridge" }]));
+    }
+
+    [Fact]
+    public void Null_directory_entry_matches_any_candidate()
+    {
+        // Global wildcard ignores both candidate path and cwd.
+        Assert.True(ApprovalPatternMatching.MatchesShellApproval(
+            candidateVerb: "freshdesk",
+            candidateDirectory: null,
+            cwd: null,
+            approvedEntries: [new ApprovalEntry { Verb = "freshdesk", Directory = null }]));
+    }
+
+    [Fact]
+    public void IsPureSideEffect_skips_echo_without_redirect()
+    {
+        Assert.True(ApprovalPatternMatching.IsPureSideEffect(
+            new ApprovalCandidate("echo", Directory: null)));
+    }
+
+    [Fact]
+    public void IsPureSideEffect_does_not_skip_echo_with_redirect_target()
+    {
+        // echo X > /tmp/log gets /tmp as its directory via the path-arg
+        // scan, which means it's no longer "pure" side effect.
+        Assert.False(ApprovalPatternMatching.IsPureSideEffect(
+            new ApprovalCandidate("echo", Directory: "/tmp")));
+    }
+
+    [Fact]
+    public void IsPureSideEffect_does_not_skip_action_verbs()
+    {
+        Assert.False(ApprovalPatternMatching.IsPureSideEffect(
+            new ApprovalCandidate("find", Directory: null)));
+        Assert.False(ApprovalPatternMatching.IsPureSideEffect(
+            new ApprovalCandidate("git push", Directory: null)));
+    }
+
+    [Fact]
+    public void ExtractCandidates_caps_echo_at_one_token()
+    {
+        // Without the SingleTokenSideEffectVerbs cap, the verb-chain
+        // extractor would capture `echo hello` as a 2-token verb (since
+        // `hello` neither starts with `-` nor matches LooksLikeArgument)
+        // and the side-effect skip list would not match. Aaron's real
+        // dogfood case used `echo "---REMOTE-INFO---"` which already
+        // breaks at the leading `-` — but operators routinely run
+        // `echo hello`-shape commands in build scripts.
+        // (`echo done` would be the more obvious example but `done` is
+        // a bash control-flow keyword and triggers IsMessyCompoundCommand,
+        // which returns zero candidates.)
+        var candidates = _matcher.ExtractCandidates(
             new ToolName("shell_execute"),
-            Args("grep 'error' /home/user/.netclaw/logs/app.log | wc -l"));
+            new Dictionary<string, object?> { ["Command"] = "echo hello" });
 
-        Assert.Single(entries);
-        Assert.Equal("/home/user/.netclaw/logs/", entries[0].Replace('\\', '/'));
+        var c = Assert.Single(candidates);
+        Assert.Equal("echo", c.Verb);
+        Assert.True(ApprovalPatternMatching.IsPureSideEffect(c));
     }
 
     [Fact]
-    public void ExtractApprovalEntries_fall_back_to_exact_unit_when_no_roots_exist()
+    public void ExtractCandidates_extracts_cd_target_as_directory()
     {
-        var entries = _matcher.ExtractApprovalEntries(
+        // Aaron's dogfood case: `cd /repo && git remote -v && ...`. The
+        // header / persistence layer needs the cd target as the candidate's
+        // directory so the prompt can show the meaningful trust scope
+        // rather than the per-session ephemeral session_dir.
+        var candidates = _matcher.ExtractCandidates(
             new ToolName("shell_execute"),
-            Args("cat /home/user/.netclaw/logs/crash.log && git push origin main"));
-        Assert.Equal(2, entries.Count);
-        Assert.Contains("/home/user/.netclaw/logs/", entries.Select(p => p.Replace('\\', '/')));
-        Assert.Contains("git push origin main", entries);
+            new Dictionary<string, object?>
+            {
+                ["Command"] = "cd /home/petabridge/repositories/stannardlabs/netclaw && git remote -v"
+            });
+
+        Assert.Contains(candidates,
+            c => c.Verb == "cd"
+              && c.Directory == "/home/petabridge/repositories/stannardlabs/netclaw");
+        // git remote has no path argument so its directory falls back to cwd
+        // at match time (Directory == null on the candidate itself).
+        Assert.Contains(candidates,
+            c => c.Verb == "git remote" && c.Directory == null);
+    }
+
+    [Fact]
+    public void IsApproved_treats_side_effect_candidates_as_authorized()
+    {
+        // Regression: when a compound command contains both action verbs and
+        // pure side-effect clauses (echo "==="), persistence skips the echo
+        // but the matcher historically did not. Result: after the user
+        // clicked Always anywhere, the action verbs were stored but echo
+        // wasn't, so the retry's authorization check saw echo as unapproved
+        // and threw ToolApprovalRequiredException — which escaped the
+        // already-active approval-pause catch and failed the turn.
+        // This test asserts IsApproved skips side-effect candidates the
+        // same way persistence does.
+        var approvedEntries = new[]
+        {
+            new ApprovalEntry { Verb = "cd", Directory = null },
+            new ApprovalEntry { Verb = "git status", Directory = null },
+            new ApprovalEntry { Verb = "git remote", Directory = null }
+            // No echo entry — exactly what the side-effect skip produces.
+        };
+
+        var compound =
+            "cd ~/repo && git status && echo \"---\" && git remote -v && echo \"finished\"";
+        Assert.True(_matcher.IsApproved(
+            new ToolName("shell_execute"),
+            new Dictionary<string, object?> { ["Command"] = compound },
+            approvedEntries,
+            cwd: null));
     }
 }
 
@@ -222,6 +422,8 @@ public sealed class DefaultApprovalMatcherTests
 {
     private readonly DefaultApprovalMatcher _matcher = DefaultApprovalMatcher.Instance;
 
+    private static ApprovalEntry Verb(string verb) => new() { Verb = verb, Directory = null };
+
     [Fact]
     public void ExtractPatterns_returns_tool_name()
     {
@@ -233,12 +435,20 @@ public void ExtractPatterns_returns_tool_name()
     [Fact]
     public void IsApproved_matches_exact_tool_name()
     {
-        Assert.True(_matcher.IsApproved(new ToolName("mcp:memorizer:store"), null, ["mcp:memorizer:store"]));
+        Assert.True(_matcher.IsApproved(
+            new ToolName("mcp:memorizer:store"),
+            null,
+            [Verb("mcp:memorizer:store")],
+            cwd: null));
     }
 
     [Fact]
     public void IsApproved_no_match()
     {
-        Assert.False(_matcher.IsApproved(new ToolName("mcp:memorizer:store"), null, ["mcp:memorizer:get"]));
+        Assert.False(_matcher.IsApproved(
+            new ToolName("mcp:memorizer:store"),
+            null,
+            [Verb("mcp:memorizer:get")],
+            cwd: null));
     }
 }
diff --git a/src/Netclaw.Security.Tests/ShellCommandPolicyOverrideTests.cs b/src/Netclaw.Security.Tests/ShellCommandPolicyOverrideTests.cs
new file mode 100644
index 00000000..c0518f7e
--- /dev/null
+++ b/src/Netclaw.Security.Tests/ShellCommandPolicyOverrideTests.cs
@@ -0,0 +1,191 @@
+// -----------------------------------------------------------------------
+// <copyright file="ShellCommandPolicyOverrideTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+/// <summary>
+/// Tests for ShellCommandPolicy's HardDenyRule override-rule support
+/// (the new ctor accepting structured operator overrides).
+/// Existing string-pattern + default-rule tests live in their own file.
+/// </summary>
+public sealed class ShellCommandPolicyOverrideTests
+{
+    [Fact]
+    public void Override_verb_rule_denies_matching_command()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule { Verb = ["docker", "rm"], Reason = "local_policy" }
+            ]);
+
+        var decision = policy.Evaluate("docker rm my-container");
+        Assert.False(decision.Allowed);
+        Assert.Equal("local_policy", decision.DenyReason);
+    }
+
+    [Fact]
+    public void Override_verb_rule_allows_non_matching_command()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule { Verb = ["docker", "rm"], Reason = "local_policy" }
+            ]);
+
+        Assert.True(policy.Evaluate("docker ps").Allowed);
+        Assert.True(policy.Evaluate("docker run nginx").Allowed);
+    }
+
+    [Fact]
+    public void Override_verb_prefix_rule_denies_family()
+    {
+        // Note: shipped defaults already include `mkfs` prefix; this verifies
+        // the override mechanism correctly translates a verbPrefix rule.
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule { VerbPrefix = "danger.", Reason = "test_family" }
+            ]);
+
+        Assert.False(policy.Evaluate("danger.ext4 /dev/sda").Allowed);
+        Assert.False(policy.Evaluate("danger.xfs /dev/sda").Allowed);
+        Assert.True(policy.Evaluate("safer something").Allowed);
+    }
+
+    [Fact]
+    public void Override_raw_text_rule_denies_substring_match()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule
+                {
+                    RawText = "MAGIC_DENY_TOKEN",
+                    Reason = "raw_test",
+                    EscapeHatch = true
+                }
+            ]);
+
+        Assert.False(policy.Evaluate("echo MAGIC_DENY_TOKEN").Allowed);
+        Assert.True(policy.Evaluate("echo hello").Allowed);
+    }
+
+    [Fact]
+    public void Override_refined_verb_with_arg_flag_requires_flag_present()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule
+                {
+                    Verb = ["tar"],
+                    ArgFlags = ["--delete"],
+                    Reason = "tar_delete_blocked"
+                }
+            ]);
+
+        Assert.False(policy.Evaluate("tar --delete -f archive.tar foo").Allowed);
+        Assert.True(policy.Evaluate("tar -czf out.tar foo").Allowed);
+    }
+
+    [Fact]
+    public void Override_refined_verb_arg_flag_matches_combined_short_flags()
+    {
+        // -rf as a required flag should match against tokens like -rfv that
+        // pack multiple short flags into one combined token.
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule
+                {
+                    Verb = ["custom-tool"],
+                    ArgFlags = ["-rf"],
+                    Reason = "combined_flag_test"
+                }
+            ]);
+
+        Assert.False(policy.Evaluate("custom-tool -rfv /tmp").Allowed);
+        Assert.False(policy.Evaluate("custom-tool -rf /tmp").Allowed);
+        Assert.True(policy.Evaluate("custom-tool -v /tmp").Allowed);
+    }
+
+    [Fact]
+    public void Override_refined_verb_with_first_path_constraint()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule
+                {
+                    Verb = ["custom-tool"],
+                    FirstPath = new PathConstraint { OneOf = ["/", "/etc"] },
+                    Reason = "first_path_test"
+                }
+            ]);
+
+        Assert.False(policy.Evaluate("custom-tool /").Allowed);
+        Assert.False(policy.Evaluate("custom-tool /etc").Allowed);
+        // First non-flag arg is /tmp, which is not in the allowed list → not denied.
+        Assert.True(policy.Evaluate("custom-tool /tmp").Allowed);
+    }
+
+    [Fact]
+    public void Shipped_defaults_remain_active_alongside_overrides()
+    {
+        // Override does not weaken or remove shipped defaults.
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: null,
+            overrideRules:
+            [
+                new HardDenyRule { Verb = ["docker", "rm"], Reason = "local_policy" }
+            ]);
+
+        // Shipped default: netclaw daemon stop
+        Assert.False(policy.Evaluate("netclaw daemon stop").Allowed);
+        // Shipped default: rm -rf /
+        Assert.False(policy.Evaluate("rm -rf /").Allowed);
+        // Shipped default fork bomb (raw string pattern)
+        Assert.False(policy.Evaluate(":(){ :|:& };:").Allowed);
+    }
+
+    [Fact]
+    public void Invalid_override_rule_throws_at_construction_time()
+    {
+        // Loader normally validates; this verifies the policy ctor also
+        // rejects invalid rules as a defense-in-depth check.
+        Assert.Throws<InvalidDataException>(() =>
+            new ShellCommandPolicy(
+                additionalDenyPatterns: null,
+                overrideRules:
+                [
+                    new HardDenyRule { Reason = "no_shape" }
+                ]));
+    }
+
+    [Fact]
+    public void Combined_string_patterns_and_override_rules_both_apply()
+    {
+        var policy = new ShellCommandPolicy(
+            additionalDenyPatterns: ["legacy-bad-tool"],
+            overrideRules:
+            [
+                new HardDenyRule { Verb = ["modern", "bad"], Reason = "modern_policy" }
+            ]);
+
+        Assert.False(policy.Evaluate("legacy-bad-tool args").Allowed);
+        Assert.False(policy.Evaluate("modern bad command").Allowed);
+        Assert.True(policy.Evaluate("safe command").Allowed);
+    }
+}
diff --git a/src/Netclaw.Security.Tests/ShellSyntaxTreeIntegrationTests.cs b/src/Netclaw.Security.Tests/ShellSyntaxTreeIntegrationTests.cs
new file mode 100644
index 00000000..460363c3
--- /dev/null
+++ b/src/Netclaw.Security.Tests/ShellSyntaxTreeIntegrationTests.cs
@@ -0,0 +1,218 @@
+// -----------------------------------------------------------------------
+// <copyright file="ShellSyntaxTreeIntegrationTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Microsoft.Extensions.DependencyInjection;
+using Netclaw.Security;
+using ShellSyntaxTree;
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+/// <summary>
+/// Smoke tests confirming the ShellSyntaxTree contract Netclaw consumes is
+/// stable across package upgrades. These are integration-level — they
+/// exercise the live package without mocks — so an unexpected package
+/// behavior change fails CI loudly before it surfaces in the gate evaluator.
+///
+/// When the gate evaluator lands, the parser-version-bump CI gate (task
+/// 14.7 of approval-policy-trust-zones) runs the entire ShellSyntaxTree
+/// corpus through Netclaw's live matcher; these tests are the smaller
+/// per-PR canary that catches contract regressions earlier.
+/// </summary>
+public sealed class ShellSyntaxTreeIntegrationTests
+{
+    [Fact]
+    public void Parser_resolves_through_DI_registration()
+    {
+        var services = new ServiceCollection();
+        services.AddShellParser();
+
+        using var provider = services.BuildServiceProvider();
+        var parser = provider.GetRequiredService<IShellParser>();
+
+        Assert.IsType<BashParser>(parser);
+    }
+
+    [Fact]
+    public void Simple_verb_produces_single_clause()
+    {
+        var parser = new BashParser();
+
+        var result = parser.Parse("ls -la /tmp");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Single(result.Clauses);
+
+        var clause = result.Clauses[0];
+        Assert.Equal(CompoundOperator.None, clause.Operator);
+        Assert.Equal("ls", clause.Verb.Joined);
+        Assert.Contains(clause.Args, a => a.Raw == "-la" && a.IsFlag);
+        Assert.Contains(clause.Args, a => a.Raw == "/tmp" && a.IsPath);
+    }
+
+    [Fact]
+    public void Verb_chain_extracts_greedily_through_verb_like_tokens()
+    {
+        // ShellSyntaxTree 0.1.4-alpha (issue #27): the parser extends the
+        // verb chain through every "verb-like" token until it hits a flag
+        // or a path. So `git push origin main` produces a four-token verb
+        // chain rather than collapsing to `git push` via a fixed BashArity
+        // table — which is the behavior Netclaw wants for narrow
+        // auto-proposed verb patterns (`git push origin main *` is safer
+        // to approve than `git push *`).
+        var parser = new BashParser();
+
+        var result = parser.Parse("git push origin main");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Single(result.Clauses);
+        Assert.Equal("git push origin main", result.Clauses[0].Verb.Joined);
+    }
+
+    [Fact]
+    public void Verb_chain_stops_at_flag_token()
+    {
+        // `-s` is a flag, so verb-chain extraction must halt before it.
+        var parser = new BashParser();
+
+        var result = parser.Parse("git status -s");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Equal("git status", result.Clauses[0].Verb.Joined);
+        Assert.Contains(result.Clauses[0].Args, a => a.Raw == "-s");
+    }
+
+    [Fact]
+    public void Verb_chain_stops_at_path_token()
+    {
+        // A token containing `/` or `.` is path-like, not verb-like, so
+        // verb-chain extraction must halt before it.
+        var parser = new BashParser();
+
+        var dotted = parser.Parse("cat file.txt");
+        Assert.Equal("cat", dotted.Clauses[0].Verb.Joined);
+
+        var slashed = parser.Parse("dotnet test /home/user/repos/Foo");
+        Assert.Equal("dotnet test", slashed.Clauses[0].Verb.Joined);
+    }
+
+    [Fact]
+    public void Multi_token_cli_subcommand_extracts_full_chain()
+    {
+        // Regression for ShellSyntaxTree #27 — production hit on
+        // `git worktree list`. The pre-fix parser stopped at `git
+        // worktree`, which propagated to a verb-chain mismatch between
+        // approval-prompt time and retry time and surfaced as
+        // "I encountered an error executing a tool". Same heuristic now
+        // also handles non-git CLIs (`freshdesk ticket list`,
+        // `kubectl get pods`, etc.) without per-CLI tables.
+        var parser = new BashParser();
+
+        Assert.Equal(
+            "git worktree list",
+            parser.Parse("git worktree list").Clauses[0].Verb.Joined);
+        Assert.Equal(
+            "freshdesk ticket list",
+            parser.Parse("freshdesk ticket list").Clauses[0].Verb.Joined);
+    }
+
+    [Fact]
+    public void Compound_with_andif_produces_multiple_clauses()
+    {
+        var parser = new BashParser();
+
+        var result = parser.Parse("cd /repo && git status");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Equal(2, result.Clauses.Count);
+        Assert.Equal(CompoundOperator.None, result.Clauses[0].Operator);
+        Assert.Equal(CompoundOperator.AndIf, result.Clauses[1].Operator);
+        Assert.Equal("cd", result.Clauses[0].Verb.Joined);
+        Assert.Equal("git status", result.Clauses[1].Verb.Joined);
+    }
+
+    [Fact]
+    public void Cd_in_compound_attributes_target_to_subsequent_clauses()
+    {
+        // The whole point of consuming ShellSyntaxTree: cd-in-compound
+        // propagation lands on subsequent clauses so Netclaw's zone gate
+        // sees /repo as a path the second clause operates on.
+        var parser = new BashParser();
+
+        var result = parser.Parse("cd /repo && cat file.txt");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Equal(2, result.Clauses.Count);
+
+        var secondClause = result.Clauses[1];
+        Assert.Contains(secondClause.Args,
+            a => a.IsCwdAttribution && a.Resolved == "/repo");
+    }
+
+    [Fact]
+    public void Unparseable_input_sets_flag_without_throwing()
+    {
+        var parser = new BashParser();
+
+        var result = parser.Parse("echo \"unbalanced");
+
+        Assert.True(result.IsUnparseable);
+        Assert.False(string.IsNullOrEmpty(result.UnparseableReason));
+    }
+
+    [Fact]
+    public void Dynamic_token_marked_for_skip()
+    {
+        // Unresolved env var must be flagged so consumers don't extract
+        // a literal "$UNRESOLVED/foo" as a path candidate.
+        var parser = new BashParser();
+
+        var result = parser.Parse("rm $UNRESOLVED/foo");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Single(result.Clauses);
+
+        var argWithDynamic = result.Clauses[0].Args
+            .FirstOrDefault(a => a.Raw.Contains("$UNRESOLVED"));
+        Assert.NotNull(argWithDynamic);
+        Assert.Equal(ArgKind.DynamicSkip, argWithDynamic.Kind);
+        Assert.Null(argWithDynamic.Resolved);
+    }
+
+    [Fact]
+    public void Leading_line_comment_is_stripped_from_clause_extraction()
+    {
+        // Regression test for ShellSyntaxTree #25 — bash line comments
+        // (# starting a token, runs to end-of-line) must not appear as
+        // verb-chain content. Pre-fix this surfaced as approval prompts
+        // saying "Approve `# Get` in ..." and persistence-versus-recheck
+        // verb-set mismatches that broke ApprovedSession on commented
+        // commands. Fixed in ShellSyntaxTree 0.1.3-alpha.
+        var parser = new BashParser();
+
+        var result = parser.Parse(
+            "# fetch the latest\ngit pull origin main");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Single(result.Clauses);
+        Assert.Equal("git pull origin main", result.Clauses[0].Verb.Joined);
+    }
+
+    [Fact]
+    public void Hash_inside_double_quotes_is_not_a_comment()
+    {
+        // Per POSIX, # is only a comment when starting a word AND outside
+        // quotes. echo "hash is #1234" should produce one verb (echo)
+        // with one literal arg containing the hash sign.
+        var parser = new BashParser();
+
+        var result = parser.Parse("echo \"hash is #1234\"");
+
+        Assert.False(result.IsUnparseable);
+        Assert.Single(result.Clauses);
+        Assert.Equal("echo", result.Clauses[0].Verb.Joined);
+        Assert.Contains(result.Clauses[0].Args, a => a.Raw.Contains("#1234"));
+    }
+}
diff --git a/src/Netclaw.Security.Tests/ShellTokenizerTests.cs b/src/Netclaw.Security.Tests/ShellTokenizerTests.cs
index cdcea322..37f4dc7b 100644
--- a/src/Netclaw.Security.Tests/ShellTokenizerTests.cs
+++ b/src/Netclaw.Security.Tests/ShellTokenizerTests.cs
@@ -9,34 +9,6 @@ namespace Netclaw.Security.Tests;
 
 public sealed class ShellTokenizerTests
 {
-    public static TheoryData<string, string> AbsoluteRootCases
-    {
-        get
-        {
-            var data = new TheoryData<string, string>();
-            if (OperatingSystem.IsWindows())
-                data.Add(@"type C:\Users\petabridge\.netclaw\logs\crash.log", @"C:\Users\petabridge\.netclaw\logs\");
-            else
-                data.Add("cat /home/user/.netclaw/logs/crash.log", "/home/user/.netclaw/logs/");
-
-            return data;
-        }
-    }
-
-    public static TheoryData<string, string> RelativeRootCases
-    {
-        get
-        {
-            var data = new TheoryData<string, string>();
-            if (OperatingSystem.IsWindows())
-                data.Add("findstr timeout logs\\app.log | find /c \"timeout\"", @"logs\");
-            else
-                data.Add("grep timeout logs/app.log | wc -l", "logs/");
-
-            return data;
-        }
-    }
-
     public static TheoryData<string, bool> WindowsAnchoredPathCases
     {
         get
@@ -67,18 +39,6 @@ public static TheoryData<string, bool> BackslashPathCases
         }
     }
 
-    public static TheoryData<string, string?> WindowsAbsoluteDirectoryRootCases
-    {
-        get
-        {
-            var data = new TheoryData<string, string?>();
-            data.Add(
-                @"type C:\Users\petabridge\.netclaw\logs\crash.log",
-                OperatingSystem.IsWindows() ? @"C:\Users\petabridge\.netclaw\logs\" : null);
-            return data;
-        }
-    }
-
     // ── Tokenize ──
 
     [Fact]
@@ -157,10 +117,14 @@ public void SplitCompound_handles_multiple_operators()
     [Fact]
     public void SplitCompound_preserves_quoted_operators()
     {
-        var segments = ShellTokenizer.SplitCompoundCommand("echo \"a && b\" && echo done");
+        // Avoid trailing "done"/"fi"/"esac" in unquoted positions — the
+        // section 3 messy detector flags those as control-flow keywords and
+        // SplitCompoundCommand returns empty. The token "finished" is a
+        // close stand-in that exercises the same splitter behavior.
+        var segments = ShellTokenizer.SplitCompoundCommand("echo \"a && b\" && echo finished");
         Assert.Equal(2, segments.Count);
         Assert.Equal("echo \"a && b\"", segments[0]);
-        Assert.Equal("echo done", segments[1]);
+        Assert.Equal("echo finished", segments[1]);
     }
 
     [Fact]
@@ -182,10 +146,10 @@ public void SplitCompound_empty_returns_empty()
 
     [Theory]
     [InlineData("git push origin main", "git push")]
-    [InlineData("ls -la /tmp", "ls /tmp")]
+    [InlineData("ls -la /tmp", "ls")]
     [InlineData("docker compose up -d", "docker compose")]
-    [InlineData("cat /etc/hosts", "cat /etc/hosts")]
-    [InlineData("cat .gitignore", "cat .gitignore")]
+    [InlineData("cat /etc/hosts", "cat")]
+    [InlineData("cat .gitignore", "cat")]
     [InlineData("kubectl delete pod my-pod", "kubectl delete")]
     [InlineData("", "")]
     public void ExtractVerbChain_extracts_expected_chain(string input, string expected)
@@ -194,14 +158,17 @@ public void ExtractVerbChain_extracts_expected_chain(string input, string expect
     }
 
     [Theory]
-    // Path-aware verbs include first non-flag argument
-    [InlineData("cat /etc/passwd", "cat /etc/passwd")]
-    [InlineData("grep secret /var/log/syslog", "grep secret")]
-    [InlineData("bash /home/user/.netclaw/scripts/monitor.sh", "bash /home/user/.netclaw/scripts/monitor.sh")]
-    [InlineData("python3 /opt/scripts/report.py --verbose", "python3 /opt/scripts/report.py")]
-    [InlineData("curl https://example.com/api", "curl https://example.com/api")]
-    [InlineData("find /var/log -name '*.log'", "find /var/log")]
-    [InlineData("sed -i 's/foo/bar/' /etc/config.txt", "sed s/foo/bar/")]
+    // Verb-only extraction — paths and arguments are separate concerns
+    // (see ExtractFirstPathArgument tests). The pre-fix behavior of
+    // appending the first arg to the verb chain (e.g.
+    // "cat /etc/passwd" → "cat /etc/passwd") was the v2 bug fixed here.
+    [InlineData("cat /etc/passwd", "cat")]
+    [InlineData("grep secret /var/log/syslog", "grep")]
+    [InlineData("bash /home/user/.netclaw/scripts/monitor.sh", "bash")]
+    [InlineData("python3 /opt/scripts/report.py --verbose", "python3")]
+    [InlineData("curl https://example.com/api", "curl")]
+    [InlineData("find /var/log -name '*.log'", "find")]
+    [InlineData("sed -i 's/foo/bar/' /etc/config.txt", "sed")]
     // Structured CLIs unchanged
     [InlineData("git push origin main", "git push")]
     [InlineData("docker compose up -d", "docker compose")]
@@ -210,14 +177,80 @@ public void ExtractVerbChain_extracts_expected_chain(string input, string expect
     // Edge: flag-only invocations of path-aware verbs
     [InlineData("grep --version", "grep")]
     [InlineData("cat --help", "cat")]
-    // Edge: home-relative and env-var paths
-    [InlineData("cat ~/.bashrc", "cat ~/.bashrc")]
-    [InlineData("bash ~/scripts/deploy.sh", "bash ~/scripts/deploy.sh")]
-    public void ExtractVerbChain_path_aware_verbs(string input, string expected)
+    // Edge: home-relative paths — verb only, path lives in
+    // ExtractFirstPathArgument
+    [InlineData("cat ~/.bashrc", "cat")]
+    [InlineData("bash ~/scripts/deploy.sh", "bash")]
+    public void ExtractVerbChain_verb_only(string input, string expected)
     {
         Assert.Equal(expected, ShellTokenizer.ExtractVerbChain(input));
     }
 
+    // ── IsPathToken ──
+
+    [Theory]
+    [InlineData("/", true)]
+    [InlineData("/home/petabridge", true)]
+    [InlineData("/etc/hosts", true)]
+    [InlineData("~", true)]
+    [InlineData("~/", true)]
+    [InlineData("~/.bashrc", true)]
+    [InlineData(".", true)]
+    [InlineData("./", true)]
+    [InlineData("./build", true)]
+    [InlineData("..", true)]
+    [InlineData("../shared", true)]
+    // Negative cases — tokens with internal slashes that are NOT paths
+    [InlineData("https://example.com/api", false)]
+    [InlineData("a/b", false)]
+    [InlineData("'a/b'", false)]
+    [InlineData("foo/bar:tag", false)]
+    [InlineData("origin/main", false)]
+    [InlineData("s/foo/bar/", false)]
+    [InlineData("--verbose", false)]
+    [InlineData("netclaw", false)]
+    [InlineData("", false)]
+    public void IsPathToken_classifies_correctly(string token, bool expected)
+    {
+        Assert.Equal(expected, ShellTokenizer.IsPathToken(token));
+    }
+
+    // ── ExtractFirstPathArgument ──
+
+    [Theory]
+    // Absolute paths
+    [InlineData("find /home/petabridge -name X", "/home/petabridge")]
+    [InlineData("ls -la /tmp", "/tmp")]
+    [InlineData("grep -r foo /var/log", "/var/log")]
+    // Tilde-prefixed file → parent directory via file-parent rule
+    // (Path.GetDirectoryName returns the parent without a trailing
+    // separator; the matcher's under-check is tolerant of both forms.)
+    [InlineData("cat ~/.bashrc", "~")]
+    [InlineData("cat ~/.profile", "~")]
+    // Tilde-prefixed directory (no extension) preserved as-is
+    [InlineData("ls ~/repos", "~/repos")]
+    // Relative dot/dot-dot paths
+    [InlineData("grep -r foo ./build", "./build")]
+    [InlineData("ls .", ".")]
+    [InlineData("cd ..", "..")]
+    // File path with extension → parent
+    [InlineData("cp /src/a.txt /dst/b.txt", "/src")]
+    [InlineData("cat /etc/hosts.conf", "/etc")]
+    // File path without extension stays as-is
+    [InlineData("cat /etc/hosts", "/etc/hosts")]
+    // No path argument
+    [InlineData("git status", null)]
+    [InlineData("echo hello", null)]
+    [InlineData("freshdesk --since=24h", null)]
+    // URL not classified as path
+    [InlineData("curl https://example.com/foo", null)]
+    // Internal-slash regex literal not classified as path
+    [InlineData("grep -r 'a/b' .", ".")]
+    public void ExtractFirstPathArgument_returns_first_path_or_null(string command, string? expected)
+    {
+        Assert.Equal(expected, ShellTokenizer.ExtractFirstPathArgument(command));
+    }
+
     [Fact]
     public void ExtractVerbChain_deeper_with_explicit_max_depth()
     {
@@ -342,94 +375,75 @@ public void LooksLikePath_backslash(string token, bool expected)
         Assert.Equal(expected, ShellTokenizer.LooksLikePath(token));
     }
 
-    // ── ExtractDirectoryRoots ──
+    // ── IsMessyCompoundCommand ──
 
     [Theory]
-    [MemberData(nameof(AbsoluteRootCases))]
-    public void ExtractDirectoryRoots_returns_normalized_root_for_file_path(string command, string expectedRoot)
+    [InlineData("for pid in $(pgrep netclawd); do echo \"$pid\"; done")]
+    [InlineData("while read line; do echo $line; done < input.txt")]
+    [InlineData("if [ -f x ]; then echo y; fi")]
+    [InlineData("case $x in 1) echo one ;; 2) echo two ;; esac")]
+    [InlineData("for f in *.log; do grep ERROR \"$f\"; done")]
+    public void IsMessyCompoundCommand_flags_bash_control_flow(string command)
     {
-        var roots = ShellTokenizer.ExtractDirectoryRoots(command);
-
-        Assert.Single(roots);
-        Assert.Equal(expectedRoot, roots[0].ComparisonRoot);
-        Assert.Equal(expectedRoot, roots[0].DisplayPath);
+        Assert.True(ShellTokenizer.IsMessyCompoundCommand(command));
     }
 
-    [Fact]
-    public void ExtractDirectoryRoots_preserves_posix_absolute_shell_paths_on_windows_hosts()
+    [Theory]
+    [InlineData("echo \"unterminated")]
+    [InlineData("echo 'still open")]
+    [InlineData("echo $(unclosed")]
+    [InlineData("ls [unclosed")]
+    [InlineData("echo too )many close parens")]
+    [InlineData("echo too ]many close brackets")]
+    public void IsMessyCompoundCommand_flags_unbalanced_quotes_or_brackets(string command)
     {
-        var roots = ShellTokenizer.ExtractDirectoryRoots("cat /home/user/.netclaw/logs/crash.log");
-
-        Assert.Single(roots);
-        Assert.DoesNotContain(":/home/", roots[0].ComparisonRoot.Replace('\\', '/'));
-        Assert.Equal("/home/user/.netclaw/logs/", roots[0].ComparisonRoot.Replace('\\', '/'));
+        Assert.True(ShellTokenizer.IsMessyCompoundCommand(command));
     }
 
     [Theory]
-    [MemberData(nameof(RelativeRootCases))]
-    public void ExtractDirectoryRoots_keeps_relative_display_path_and_normalized_comparison_root(string command, string expectedDisplayRoot)
+    [InlineData("git push origin main")]
+    [InlineData("grep error /var/log/syslog")]
+    [InlineData("git add . && git commit -m fix && git push")]
+    [InlineData("cat file.log | grep error | wc -l")]
+    [InlineData("echo $(date)")]
+    [InlineData("ls ${HOME}")]
+    [InlineData("find . -name '*.log' -type f")]
+    [InlineData("")]
+    [InlineData("   ")]
+    public void IsMessyCompoundCommand_passes_well_formed_commands(string command)
     {
-        var root = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"));
-        var logs = Path.Combine(root, "logs");
-        Directory.CreateDirectory(logs);
-
-        try
-        {
-            var roots = ShellTokenizer.ExtractDirectoryRoots(command, root);
-
-            Assert.Single(roots);
-            Assert.Equal(expectedDisplayRoot, roots[0].DisplayPath);
-            Assert.Equal(PathUtility.Normalize(logs) + Path.DirectorySeparatorChar, roots[0].ComparisonRoot);
-        }
-        finally
-        {
-            Directory.Delete(root, recursive: true);
-        }
+        Assert.False(ShellTokenizer.IsMessyCompoundCommand(command));
     }
 
     [Fact]
-    public void ExtractDirectoryRoots_handles_glob_paths()
+    public void IsMessyCompoundCommand_does_not_flag_keywords_inside_quotes()
     {
-        var roots = ShellTokenizer.ExtractDirectoryRoots("ls /home/user/.netclaw/logs/crash-*.log");
-
-        Assert.Single(roots);
-        Assert.Equal("/home/user/.netclaw/logs/", roots[0].ComparisonRoot.Replace('\\', '/'));
+        // A literal "done" inside a quoted string is not a control-flow token.
+        Assert.False(ShellTokenizer.IsMessyCompoundCommand("echo \"done\""));
     }
 
-    [Theory]
-    [MemberData(nameof(WindowsAbsoluteDirectoryRootCases))]
-    public void ExtractDirectoryRoots_handles_windows_absolute_paths(string command, string? expectedRoot)
+    [Fact]
+    public void IsMessyCompoundCommand_does_not_flag_keyword_substrings()
     {
-        var roots = ShellTokenizer.ExtractDirectoryRoots(command);
-
-        if (expectedRoot is null)
-        {
-            Assert.Empty(roots);
-            return;
-        }
-
-        Assert.Single(roots);
-        Assert.Equal(expectedRoot, roots[0].ComparisonRoot);
-        Assert.Equal(expectedRoot, roots[0].DisplayPath);
+        // "format" contains "for" but is not the for-loop opener.
+        Assert.False(ShellTokenizer.IsMessyCompoundCommand("python format.py"));
+        // "fido" contains "fi" but is not the if-block closer.
+        Assert.False(ShellTokenizer.IsMessyCompoundCommand("echo fido"));
     }
 
-    [Fact]
-    public void ExtractDirectoryRoots_returns_multiple_roots_for_multi_directory_command()
+    [Theory]
+    [InlineData("for pid in $(pgrep netclawd); do echo \"$pid\"; done")]
+    [InlineData("while read line; do echo $line; done")]
+    [InlineData("if [ -f x ]; then echo y; fi")]
+    public void SplitCompoundCommand_returns_empty_for_messy_input(string command)
     {
-        var roots = ShellTokenizer.ExtractDirectoryRoots("cat /home/user/.netclaw/logs/app.log > /home/user/.netclaw/output/report.txt");
-
-        Assert.Equal(2, roots.Count);
-        Assert.Contains(roots, r => r.ComparisonRoot.Replace('\\', '/') == "/home/user/.netclaw/logs/");
-        Assert.Contains(roots, r => r.ComparisonRoot.Replace('\\', '/') == "/home/user/.netclaw/output/");
+        Assert.Empty(ShellTokenizer.SplitCompoundCommand(command));
     }
 
-    [Theory]
-    [InlineData("echo hello")]
-    [InlineData("git push origin main")]
-    [InlineData("grep --version")]
-    [InlineData("cat /etc/passwd")]
-    public void ExtractDirectoryRoots_returns_empty_when_no_reusable_roots_exist(string command)
+    [Fact]
+    public void SplitCompoundCommand_still_splits_well_formed_compounds()
     {
-        Assert.Empty(ShellTokenizer.ExtractDirectoryRoots(command));
+        var segments = ShellTokenizer.SplitCompoundCommand("git add . && git push");
+        Assert.Equal(2, segments.Count);
     }
 }
diff --git a/src/Netclaw.Security.Tests/ToolPathPolicyTests.cs b/src/Netclaw.Security.Tests/ToolPathPolicyTests.cs
index 8bbe6c2d..7705e8a8 100644
--- a/src/Netclaw.Security.Tests/ToolPathPolicyTests.cs
+++ b/src/Netclaw.Security.Tests/ToolPathPolicyTests.cs
@@ -294,4 +294,125 @@ public void CommandReferencesDeniedPath_blocks_symlink_escalation_into_protected
             Directory.Delete(safeRoot);
         }
     }
+
+    // The following tests cover the prompt-injection defense added by the
+    // approval-policy-trust-zones change (task 10.8): extending the write-
+    // and shell-deny lists to cover ~/.netclaw/config/ so an injected payload
+    // cannot instruct the agent to rewrite tool-approvals.json or
+    // hard-deny-overrides.json and grant itself global trust.
+
+    [Fact]
+    public void IsDenied_blocks_tool_approvals_json_under_config_dir()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy([configDir]);
+
+        Assert.True(policy.IsDenied(Path.Combine(configDir, "tool-approvals.json")));
+    }
+
+    [Fact]
+    public void IsDenied_blocks_netclaw_json_under_config_dir()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy([configDir]);
+
+        Assert.True(policy.IsDenied(Path.Combine(configDir, "netclaw.json")));
+    }
+
+    [Fact]
+    public void IsDenied_blocks_hard_deny_overrides_under_config_dir()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy([configDir]);
+
+        Assert.True(policy.IsDenied(Path.Combine(configDir, "hard-deny-overrides.json")));
+    }
+
+    [Fact]
+    public void IsDenied_blocks_arbitrary_descendant_of_config_dir()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy([configDir]);
+
+        Assert.True(policy.IsDenied(Path.Combine(configDir, "future", "subsystem", "settings.json")));
+    }
+
+    [Fact]
+    public void IsDenied_does_not_block_sibling_of_config_dir()
+    {
+        // boundary safety: ~/.netclaw/configbackup/ must not be denied just
+        // because its name shares a prefix with ~/.netclaw/config/.
+        var policy = new ToolPathPolicy(["/home/user/.netclaw/config"]);
+
+        Assert.False(policy.IsDenied("/home/user/.netclaw/configbackup/file.json"));
+    }
+
+    [Fact]
+    public void CommandReferencesDeniedPath_detects_shell_redirect_to_config_file()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy(deniedPaths: [configDir]);
+
+        Assert.True(policy.CommandReferencesDeniedPath(
+            $"echo {{}} > {configDir}/tool-approvals.json"));
+    }
+
+    [Fact]
+    public void CommandReferencesDeniedPath_detects_tee_to_config_file()
+    {
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy(deniedPaths: [configDir]);
+
+        Assert.True(policy.CommandReferencesDeniedPath(
+            $"echo content | tee {configDir}/netclaw.json"));
+    }
+
+    [Fact]
+    public void CommandReferencesDeniedPath_detects_cat_of_config_file()
+    {
+        // Reading config files isn't in the readDeny list, but the shell
+        // indicator list also blocks shell access (in the daemon wiring
+        // ConfigDirectory is in shellIndicatorList too).
+        var configDir = "/home/user/.netclaw/config";
+        var policy = new ToolPathPolicy(deniedPaths: [configDir]);
+
+        Assert.True(policy.CommandReferencesDeniedPath(
+            $"cat {configDir}/tool-approvals.json"));
+    }
+
+    [Fact]
+    public void CommandReferencesDeniedPath_resolves_symlink_routed_to_config()
+    {
+        // Skip on platforms where symlinks aren't easily creatable.
+        if (Environment.OSVersion.Platform != PlatformID.Unix
+            && Environment.OSVersion.Platform != PlatformID.MacOSX)
+            return;
+
+        var configDir = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"), "config");
+        Directory.CreateDirectory(configDir);
+        File.WriteAllText(Path.Combine(configDir, "tool-approvals.json"), "{}");
+
+        var scratchDir = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"));
+        Directory.CreateDirectory(scratchDir);
+        var leakLink = Path.Combine(scratchDir, "leak");
+        File.CreateSymbolicLink(leakLink, Path.Combine(configDir, "tool-approvals.json"));
+
+        try
+        {
+            var policy = new ToolPathPolicy(deniedPaths: [configDir]);
+            var command = $"cat {leakLink}";
+
+            Assert.True(
+                policy.CommandReferencesDeniedPath(command),
+                $"ToolPathPolicy must resolve symlinks routed at config files; planted symlink in writable scratch dir would otherwise become a read primitive for security-critical config. Command under test: {command}");
+        }
+        finally
+        {
+            File.Delete(leakLink);
+            Directory.Delete(scratchDir);
+            File.Delete(Path.Combine(configDir, "tool-approvals.json"));
+            Directory.Delete(configDir);
+            Directory.Delete(Path.GetDirectoryName(configDir)!);
+        }
+    }
 }
diff --git a/src/Netclaw.Security.Tests/TrustStateComposerTests.cs b/src/Netclaw.Security.Tests/TrustStateComposerTests.cs
new file mode 100644
index 00000000..3c4cf2b9
--- /dev/null
+++ b/src/Netclaw.Security.Tests/TrustStateComposerTests.cs
@@ -0,0 +1,221 @@
+// -----------------------------------------------------------------------
+// <copyright file="TrustStateComposerTests.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+using ShellSyntaxTree;
+using Xunit;
+
+namespace Netclaw.Security.Tests;
+
+public sealed class TrustStateComposerTests : IDisposable
+{
+    private readonly string _storeFile;
+    private readonly AudienceTrustStore _store;
+    private readonly SafeVerbList _safeVerbs = SafeVerbList.FromVerbs(["ls", "cat", "git status"]);
+    private readonly ToolAudienceProfiles _profiles;
+
+    public TrustStateComposerTests()
+    {
+        _storeFile = Path.Combine(Path.GetTempPath(), $"netclaw-tsc-{Guid.NewGuid():N}.json");
+        _store = new AudienceTrustStore(_storeFile);
+        _profiles = new ToolAudienceProfiles
+        {
+            Personal = new ToolAudienceProfile
+            {
+                ReadFiles = new ToolFilesystemAccessProfile
+                {
+                    Mode = ToolFilesystemMode.Roots,
+                    Roots = ["/home/user/repos"]
+                }
+            },
+            Team = new ToolAudienceProfile
+            {
+                ReadFiles = new ToolFilesystemAccessProfile
+                {
+                    Mode = ToolFilesystemMode.Roots,
+                    Roots = ["/opt/shared"]
+                }
+            },
+            Public = new ToolAudienceProfile
+            {
+                ReadFiles = new ToolFilesystemAccessProfile
+                {
+                    Mode = ToolFilesystemMode.None,
+                    Roots = []
+                }
+            }
+        };
+    }
+
+    public void Dispose()
+    {
+        if (File.Exists(_storeFile)) File.Delete(_storeFile);
+    }
+
+    private TrustStateComposer NewComposer()
+        => new(_profiles, _store, _safeVerbs, homeDirectoryOverride: "/home/user");
+
+    [Fact]
+    public void Compose_picks_audience_baseline_zones_from_profile()
+    {
+        var personal = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+        var team = NewComposer().Compose(TrustAudience.Team, "/home/user/.netclaw/sessions/x");
+
+        Assert.True(personal.IsPathInTrustedZone("/home/user/repos/foo"));
+        Assert.False(personal.IsPathInTrustedZone("/opt/shared/foo"));
+
+        Assert.True(team.IsPathInTrustedZone("/opt/shared/foo"));
+        Assert.False(team.IsPathInTrustedZone("/home/user/repos/foo"));
+    }
+
+    [Fact]
+    public void Compose_overlays_persisted_zones_from_store()
+    {
+        _store.AddTrustedZone(TrustAudience.Personal, "/etc/nginx");
+
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.True(state.IsPathInTrustedZone("/etc/nginx"));
+        Assert.True(state.IsPathInTrustedZone("/home/user/repos/foo"));  // baseline still applies
+    }
+
+    [Fact]
+    public void Compose_overlays_session_scope_zones_passed_in_per_call()
+    {
+        var state = NewComposer().Compose(
+            TrustAudience.Personal,
+            "/home/user/.netclaw/sessions/x",
+            sessionTrustedZones: ["/tmp/scratch"]);
+
+        Assert.True(state.IsPathInTrustedZone("/tmp/scratch/foo"));
+        Assert.True(state.IsPathInTrustedZone("/home/user/repos/foo"));  // baseline retained
+    }
+
+    [Fact]
+    public void Compose_always_includes_session_directory()
+    {
+        var state = NewComposer().Compose(
+            TrustAudience.Public,  // Public has empty baseline; session_dir must be the only trusted zone
+            "/home/user/.netclaw/sessions/abc");
+
+        Assert.True(state.IsPathInTrustedZone("/home/user/.netclaw/sessions/abc/inbox/file.json"));
+        Assert.False(state.IsPathInTrustedZone("/home/user/elsewhere"));
+    }
+
+    [Fact]
+    public void Compose_overlays_persisted_verb_patterns_from_store()
+    {
+        _store.AddVerbPattern(TrustAudience.Personal, "git push *");
+
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.Contains("git push *", state.AllVerbPatterns);
+    }
+
+    [Fact]
+    public void Compose_overlays_session_verb_patterns_passed_in()
+    {
+        var state = NewComposer().Compose(
+            TrustAudience.Personal,
+            "/home/user/.netclaw/sessions/x",
+            sessionVerbPatterns: ["dotnet test *"]);
+
+        Assert.Contains("dotnet test *", state.AllVerbPatterns);
+    }
+
+    [Fact]
+    public void Compose_carries_safe_verbs_list()
+    {
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        var lsVerb = new VerbChain { Tokens = ["ls"] };
+        Assert.True(state.IsReadOnlyVerb(lsVerb));
+    }
+
+    [Fact]
+    public void Compose_uses_home_directory_override_for_tilde_expansion()
+    {
+        // Audience baseline has no zones that use ~, so add one via the store
+        // and verify it expands using the composer's home override.
+        _store.AddTrustedZone(TrustAudience.Personal, "~/special");
+
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.True(state.IsPathInTrustedZone("/home/user/special/foo"));
+    }
+
+    [Fact]
+    public void Compose_throws_on_unknown_audience_value()
+    {
+        var composer = NewComposer();
+        Assert.Throws<ArgumentOutOfRangeException>(
+            () => composer.Compose((TrustAudience)999, "/home/user/.netclaw/sessions/x"));
+    }
+
+    [Fact]
+    public void Compose_returns_distinct_state_objects_for_different_audiences()
+    {
+        var composer = NewComposer();
+        var personal = composer.Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+        var team = composer.Compose(TrustAudience.Team, "/home/user/.netclaw/sessions/x");
+
+        // They share the SafeVerbList and home directory but have different zone sets.
+        Assert.NotEqual(personal.AllTrustedZones.Count, team.AllTrustedZones.Count + 1);  // sanity: both have session_dir
+        Assert.True(personal.IsPathInTrustedZone("/home/user/repos/foo"));
+        Assert.False(team.IsPathInTrustedZone("/home/user/repos/foo"));
+    }
+
+    [Fact]
+    public void Compose_with_Mode_All_trusts_arbitrary_paths_outside_Roots()
+    {
+        // Operator declared Personal as filesystem-unrestricted at the
+        // profile layer (Mode=All). The composer must propagate that into
+        // TrustState so the zone gate stops prompting on every path.
+        // Roots is intentionally empty — Mode=All makes it meaningless.
+        _profiles.Personal.ReadFiles = new ToolFilesystemAccessProfile
+        {
+            Mode = ToolFilesystemMode.All,
+            Roots = []
+        };
+
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.True(state.IsPathInTrustedZone("/etc/nginx"));
+        Assert.True(state.IsPathInTrustedZone("/var/log/syslog"));
+        Assert.True(state.IsPathInTrustedZone("/tmp/whatever"));
+    }
+
+    [Fact]
+    public void Compose_with_Mode_None_does_not_trust_paths_outside_session_dir()
+    {
+        // Mode=None means "trust nothing baseline" — only session_dir and
+        // explicit per-call grants count. Confirms the composer doesn't
+        // accidentally treat None as All.
+        _profiles.Personal.ReadFiles = new ToolFilesystemAccessProfile
+        {
+            Mode = ToolFilesystemMode.None,
+            Roots = ["/this/is/ignored/when/mode/is/none"]  // realistically empty, but defensive
+        };
+
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.False(state.IsPathInTrustedZone("/etc/nginx"));
+        Assert.False(state.IsPathInTrustedZone("/home/user/repos/foo"));
+        Assert.True(state.IsPathInTrustedZone("/home/user/.netclaw/sessions/x/inbox/file"));
+    }
+
+    [Fact]
+    public void Compose_with_Mode_Roots_only_trusts_listed_roots()
+    {
+        // Sanity that the existing Mode=Roots behavior is unchanged by the
+        // Mode=All wiring. Personal default in this test class is already
+        // Mode=Roots with /home/user/repos — we just assert the negative.
+        var state = NewComposer().Compose(TrustAudience.Personal, "/home/user/.netclaw/sessions/x");
+
+        Assert.True(state.IsPathInTrustedZone("/home/user/repos/foo"));
+        Assert.False(state.IsPathInTrustedZone("/etc/nginx"));
+        Assert.False(state.IsPathInTrustedZone("/home/user/elsewhere"));
+    }
+}
diff --git a/src/Netclaw.Security/ApprovalPatternMatching.cs b/src/Netclaw.Security/ApprovalPatternMatching.cs
index a79977de..b5a790b5 100644
--- a/src/Netclaw.Security/ApprovalPatternMatching.cs
+++ b/src/Netclaw.Security/ApprovalPatternMatching.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="ApprovalPatternMatching.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
@@ -8,10 +8,11 @@
 namespace Netclaw.Security;
 
 /// <summary>
-/// Shared approval matching helpers. Shell approvals use
-/// <see cref="MatchesShellApprovalEntry"/>, which only compares exact approval
-/// units and normalized directory roots. Other tools continue to use
-/// <see cref="MatchesAny"/> for exact and prefix-style matching.
+/// Approval matching helpers that consume the v2 typed
+/// <see cref="ApprovalEntry"/> store. Shell approvals use
+/// <see cref="MatchesShellApproval"/> which evaluates the candidate's verb
+/// chain together with its cwd against each entry's <c>(verb, directory)</c>
+/// pair. Other tools use <see cref="MatchesAny"/> for verb-only matching.
 /// </summary>
 public static class ApprovalPatternMatching
 {
@@ -20,100 +21,149 @@ public static class ApprovalPatternMatching
     // ToolApprovalEntryComparer for the rationale.
     private static StringComparison ApprovalEntryComparison => ToolApprovalEntryComparer.Comparison;
 
-    public static bool MatchesShellApprovalEntry(string candidate, IEnumerable<string> approvedEntries)
+    /// <summary>
+    /// Returns true when <paramref name="approvedEntries"/> contains an entry
+    /// whose verb equals <paramref name="candidateVerb"/> AND whose directory
+    /// is either <c>null</c> (the global wildcard) or an ancestor of the
+    /// candidate's effective directory with no symlink segments along the
+    /// path between the two.
+    ///
+    /// The candidate's effective directory is
+    /// <paramref name="candidateDirectory"/> when non-null (the path argument
+    /// extracted from the command), otherwise <paramref name="cwd"/>. Relative
+    /// effective directories (<c>./build</c>, <c>../shared</c>) are resolved
+    /// against <paramref name="cwd"/> before the under-check.
+    ///
+    /// The symlink-segment guard prevents a planted symlink under an approved
+    /// directory from being used to redirect the candidate to a path outside
+    /// that directory: <see cref="PathUtility.ContainsSymlinkSegment"/> walks
+    /// each component from the approved root toward the effective directory
+    /// and refuses the match if any segment is a reparse point.
+    /// </summary>
+    public static bool MatchesShellApproval(
+        string candidateVerb,
+        string? candidateDirectory,
+        string? cwd,
+        IEnumerable<ApprovalEntry> approvedEntries)
     {
-        // Shell approvals never widen by verb prefix here. Reusable entries are
-        // either exact normalized units or normalized directory roots.
-        foreach (var approved in approvedEntries)
-        {
-            if (string.Equals(candidate, approved, ApprovalEntryComparison))
-                return true;
-
-            if (IsDirectoryRootEntry(candidate) && IsDirectoryRootEntry(approved) && MatchesDirectoryRoot(candidate, approved))
-                return true;
-        }
-
-        return false;
-    }
+        var effectiveDirectory = ResolveEffectiveDirectory(candidateDirectory, cwd);
 
-    public static bool MatchesAny(string candidate, IEnumerable<string> approvedPatterns)
-    {
-        foreach (var approved in approvedPatterns)
+        foreach (var entry in approvedEntries)
         {
-            if (string.Equals(candidate, approved, ApprovalEntryComparison))
+            if (!string.Equals(entry.Verb, candidateVerb, ApprovalEntryComparison))
+                continue;
+
+            // Global wildcard: matches any candidate by definition.
+            if (entry.Directory is null)
                 return true;
 
-            if (!approved.Contains(' ', StringComparison.Ordinal))
+            // Folder-scoped entry requires a concrete effective directory.
+            if (string.IsNullOrEmpty(effectiveDirectory))
                 continue;
 
-            // Directory-scoped patterns: "verb /dir/" matches "verb /dir/file.txt"
-            if (approved.EndsWith('/') && MatchesDirectoryScope(candidate, approved))
-                return true;
+            try
+            {
+                if (!PathUtility.IsWithinRoot(effectiveDirectory, entry.Directory))
+                    continue;
+
+                if (PathUtility.ContainsSymlinkSegment(entry.Directory, effectiveDirectory))
+                    continue;
 
-            // Multi-token patterns prefix-match on a space boundary. Single-token
-            // patterns remain exact-only so grants do not silently widen from
-            // "cat" to every path-bearing cat invocation.
-            if (candidate.Length > approved.Length
-                && candidate[approved.Length] == ' '
-                && candidate.StartsWith(approved, ApprovalEntryComparison))
                 return true;
+            }
+            catch (Exception ex) when (ex is ArgumentException or IOException)
+            {
+                continue;
+            }
         }
 
         return false;
     }
 
-    private static bool MatchesDirectoryScope(string candidate, string approvedDirPattern)
+    /// <summary>
+    /// Backwards-compatible overload retained for v2.0 callers that pass cwd
+    /// only. Equivalent to passing <c>null</c> for the candidate directory.
+    /// </summary>
+    public static bool MatchesShellApproval(
+        string candidateVerb,
+        string? cwd,
+        IEnumerable<ApprovalEntry> approvedEntries)
+        => MatchesShellApproval(candidateVerb, candidateDirectory: null, cwd, approvedEntries);
+
+    /// <summary>
+    /// Resolves a candidate's path argument to an absolute path. When the
+    /// argument is null, falls back to cwd. When the argument is relative
+    /// (<c>./build</c>, <c>../shared</c>, or bare <c>~</c> without expansion),
+    /// it is resolved against cwd. Tilde-rooted paths are passed through
+    /// unchanged — the storage layer treats <c>~</c> consistently with the
+    /// daemon's home expansion via <see cref="PathUtility.ExpandAndNormalize"/>
+    /// at match time.
+    /// </summary>
+    private static string? ResolveEffectiveDirectory(string? candidateDirectory, string? cwd)
     {
-        var approvedSpaceIdx = approvedDirPattern.IndexOf(' ', StringComparison.Ordinal);
-        if (approvedSpaceIdx < 0)
-            return false;
+        if (string.IsNullOrEmpty(candidateDirectory))
+            return cwd;
 
-        var approvedVerb = approvedDirPattern[..approvedSpaceIdx];
-        var approvedDir = approvedDirPattern[(approvedSpaceIdx + 1)..].TrimEnd('/');
-
-        var candidateSpaceIdx = candidate.IndexOf(' ', StringComparison.Ordinal);
-        if (candidateSpaceIdx < 0)
-            return false;
+        if (Path.IsPathRooted(candidateDirectory))
+            return candidateDirectory;
 
-        var candidateVerb = candidate[..candidateSpaceIdx];
-        var candidatePath = candidate[(candidateSpaceIdx + 1)..];
-
-        if (!string.Equals(approvedVerb, candidateVerb, ApprovalEntryComparison))
-            return false;
-
-        try
-        {
-            return PathUtility.IsWithinRoot(candidatePath, approvedDir);
-        }
-        catch (Exception ex) when (ex is ArgumentException or IOException)
-        {
-            return false;
-        }
+        // Tilde-rooted paths look "rooted" to the user but aren't to .NET.
+        // Expand against the user's home alongside any cwd-relative segments
+        // so we end up with a canonicalized absolute path.
+        var expanded = PathUtility.ExpandAndNormalize(candidateDirectory, cwd);
+        return expanded ?? candidateDirectory;
     }
 
-    private static bool MatchesDirectoryRoot(string candidateRoot, string approvedRoot)
+    /// <summary>
+    /// Returns true when <paramref name="approvedEntries"/> contains an entry
+    /// whose verb equals <paramref name="candidate"/>. Used by non-shell
+    /// matchers where the directory half of an entry is not meaningful — the
+    /// candidate is the tool name and a verb match alone authorizes.
+    /// </summary>
+    public static bool MatchesAny(string candidate, IEnumerable<ApprovalEntry> approvedEntries)
     {
-        try
-        {
-            return PathUtility.IsWithinRoot(
-                candidateRoot.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar),
-                approvedRoot.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar));
-        }
-        catch (Exception ex) when (ex is ArgumentException or IOException)
+        foreach (var approved in approvedEntries)
         {
-            return false;
+            if (string.Equals(approved.Verb, candidate, ApprovalEntryComparison))
+                return true;
         }
+
+        return false;
     }
 
-    private static bool IsDirectoryRootEntry(string value)
+    /// <summary>
+    /// Verbs that produce stdout-only side effects when used without
+    /// redirects. A candidate clause whose verb is in this set, has no path
+    /// argument, and has no redirect operator is authorized for the current
+    /// call but SHALL NOT be persisted — recording every literal echo as a
+    /// global wildcard adds noise that doesn't help future matching.
+    /// </summary>
+    /// <remarks>
+    /// Conservative on purpose. <c>eval</c>, <c>command</c>, <c>exec</c>, and
+    /// other reflective builtins are NOT here because they execute their
+    /// arguments. <c>pwd</c> is a candidate to add but rarely appears in
+    /// compound commands so the value is low. Adding entries here is a
+    /// security-relevant change reviewed alongside the safe-verb list.
+    /// </remarks>
+    private static readonly HashSet<string> SideEffectOnlyVerbs = new(StringComparer.Ordinal)
     {
-        if (string.IsNullOrWhiteSpace(value))
-            return false;
-
-        if (!(value.EndsWith(Path.DirectorySeparatorChar) || value.EndsWith(Path.AltDirectorySeparatorChar)))
+        "echo", "printf", ":", "true", "false"
+    };
+
+    /// <summary>
+    /// Returns true when this candidate is a pure side-effect clause that
+    /// should not be persisted on Always-here/Always-anywhere clicks. The
+    /// rule is verb-in-skip-list AND no path argument. Redirect detection
+    /// (e.g. <c>echo X &gt; /tmp/log</c>) is implicit: a redirect target
+    /// shows up as the candidate's directory via
+    /// <see cref="ShellTokenizer.ExtractFirstPathArgument"/>, so a candidate
+    /// with a non-null Directory is never considered pure side effect.
+    /// </summary>
+    public static bool IsPureSideEffect(ApprovalCandidate candidate)
+    {
+        if (candidate.Directory is not null)
             return false;
 
-        var trimmed = value.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
-        return Path.IsPathRooted(trimmed);
+        return SideEffectOnlyVerbs.Contains(candidate.Verb);
     }
 }
diff --git a/src/Netclaw.Security/DirectoryApprovalRoot.cs b/src/Netclaw.Security/DirectoryApprovalRoot.cs
deleted file mode 100644
index 2403ddcb..00000000
--- a/src/Netclaw.Security/DirectoryApprovalRoot.cs
+++ /dev/null
@@ -1,16 +0,0 @@
-// -----------------------------------------------------------------------
-// <copyright file="DirectoryApprovalRoot.cs" company="Petabridge, LLC">
-//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
-// </copyright>
-// -----------------------------------------------------------------------
-
-namespace Netclaw.Security;
-
-/// <summary>
-/// Human-facing and comparison-safe representation of a directory approval root.
-/// <see cref="DisplayPath"/> preserves the shape we want to show back to the
-/// user (which may stay relative if that is how the command was written), while
-/// <see cref="ComparisonRoot"/> is the normalized root used for approval-store
-/// lookups and containment checks.
-/// </summary>
-public sealed record DirectoryApprovalRoot(string DisplayPath, string ComparisonRoot);
diff --git a/src/Netclaw.Security/GateEvaluation.cs b/src/Netclaw.Security/GateEvaluation.cs
new file mode 100644
index 00000000..91b9cc39
--- /dev/null
+++ b/src/Netclaw.Security/GateEvaluation.cs
@@ -0,0 +1,189 @@
+// -----------------------------------------------------------------------
+// <copyright file="GateEvaluation.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+namespace Netclaw.Security;
+
+/// <summary>
+/// Outcome of the three-layer gate for a single tool call. Drives the
+/// <c>ToolApprovalWorkflow</c> state machine on <c>LlmSessionActor</c>:
+/// the workflow inspects <see cref="OverallDecision"/> to decide whether
+/// to terminate immediately (HardDenied / Approved) or issue prompts
+/// (NeedsPrompt with one or both of <see cref="ZonePrompt"/> /
+/// <see cref="VerbPrompt"/> populated).
+/// </summary>
+public sealed record GateEvaluation
+{
+    /// <summary>The top-level decision for the call as a whole.</summary>
+    public OverallGateDecision OverallDecision { get; init; }
+
+    /// <summary>
+    /// Per-clause results in source order. Always populated, even for
+    /// HardDenied calls (the first hard-denied clause's reason is also
+    /// surfaced on <see cref="HardDenyReason"/>).
+    /// </summary>
+    public IReadOnlyList<ClauseGateResult> ClauseResults { get; init; } = [];
+
+    /// <summary>
+    /// Populated when at least one clause has untrusted path operands.
+    /// Carries the union of untrusted paths across all clauses for
+    /// trust-all-or-nothing multi-path batching per the locked design.
+    /// Null when no zone prompt is needed.
+    /// </summary>
+    public ZonePromptInfo? ZonePrompt { get; init; }
+
+    /// <summary>
+    /// Populated when at least one clause needs verb-pattern approval after
+    /// zone gate passes. Null when no verb prompt is needed (read-only
+    /// verbs in trusted zones, or verb-pattern already matched in
+    /// <see cref="TrustState"/>).
+    /// </summary>
+    public VerbPromptInfo? VerbPrompt { get; init; }
+
+    /// <summary>
+    /// Set when <see cref="OverallDecision"/> is HardDenied. The first
+    /// clause whose hard-deny pattern matched surfaces its reason here.
+    /// </summary>
+    public string? HardDenyReason { get; init; }
+
+    /// <summary>
+    /// Telemetry category for the hard-deny reason (e.g.
+    /// <c>self_destructive</c>, <c>system_destructive</c>). Null unless
+    /// <see cref="OverallDecision"/> is HardDenied.
+    /// </summary>
+    public string? HardDenyCategory { get; init; }
+
+    /// <summary>
+    /// True when the parser flagged the input as unparseable. Consumers
+    /// route these calls to safe-fail per the spec: hard-deny still
+    /// consulted; zone gate prompts on the raw command; verb gate offers
+    /// only Once and Deny (no Session, no Always).
+    /// </summary>
+    public bool IsUnparseable { get; init; }
+}
+
+/// <summary>The three terminal states for a gate evaluation.</summary>
+public enum OverallGateDecision
+{
+    /// <summary>
+    /// All clauses passed every layer silently. Tool may execute without
+    /// further user interaction.
+    /// </summary>
+    Approved,
+
+    /// <summary>
+    /// At least one clause needs user approval at the zone gate, the
+    /// verb-pattern gate, or both. The workflow issues prompts populated
+    /// from <see cref="GateEvaluation.ZonePrompt"/> and
+    /// <see cref="GateEvaluation.VerbPrompt"/> in that order.
+    /// </summary>
+    NeedsPrompt,
+
+    /// <summary>
+    /// At least one clause matched a hard-deny rule. No prompts are
+    /// offered; tool execution is refused.
+    /// </summary>
+    HardDenied
+}
+
+/// <summary>Per-clause result from the gate evaluator.</summary>
+public sealed record ClauseGateResult
+{
+    public int ClauseIndex { get; init; }
+    public ZoneGateDecision ZoneDecision { get; init; }
+    public VerbGateDecision VerbDecision { get; init; }
+
+    /// <summary>
+    /// Untrusted paths this clause operates on. Empty when ZoneDecision
+    /// is Pass or Skipped.
+    /// </summary>
+    public IReadOnlyList<string> UntrustedPaths { get; init; } = [];
+
+    /// <summary>
+    /// Proposed verb-pattern for the Always button when VerbDecision is
+    /// Prompt. Derived as <c>&lt;verb-chain&gt; *</c> per the locked
+    /// design. Null when no verb prompt is needed.
+    /// </summary>
+    public string? VerbPatternProposal { get; init; }
+
+    /// <summary>The first hard-deny reason that matched this clause, or null.</summary>
+    public string? HardDenyReason { get; init; }
+    public string? HardDenyCategory { get; init; }
+}
+
+public enum ZoneGateDecision
+{
+    /// <summary>Every path in the clause is inside a trusted zone.</summary>
+    Pass,
+
+    /// <summary>One or more paths in the clause are outside trusted zones.</summary>
+    Prompt,
+
+    /// <summary>Layer 1 hard-deny fired; zone gate was not evaluated.</summary>
+    Skipped
+}
+
+public enum VerbGateDecision
+{
+    /// <summary>
+    /// Verb auto-passed because it's read-only AND all clause paths are
+    /// in trusted zones, OR the clause matches an existing verb pattern.
+    /// </summary>
+    Pass,
+
+    /// <summary>
+    /// Mutating verb without a matching pattern (or read-only with at
+    /// least one untrusted path). Workflow must prompt the user.
+    /// </summary>
+    Prompt,
+
+    /// <summary>
+    /// Layer 1 or Layer 2 short-circuited; verb gate was not evaluated.
+    /// </summary>
+    NotEvaluated
+}
+
+/// <summary>
+/// Information needed to render the zone-gate prompt to the user. Holds
+/// the union of untrusted paths across all clauses for the trust-all-or-
+/// nothing button per the locked design.
+/// </summary>
+public sealed record ZonePromptInfo
+{
+    /// <summary>
+    /// Deduplicated list of untrusted paths the user is being asked to
+    /// approve. The "Trust all listed (N)" button extends
+    /// <c>trustedZones</c> for every entry atomically.
+    /// </summary>
+    public IReadOnlyList<string> UntrustedPaths { get; init; } = [];
+
+    /// <summary>
+    /// Audience name displayed in the prompt body for context
+    /// ("Allow Personal to operate inside /etc/nginx?").
+    /// </summary>
+    public string Audience { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Information needed to render the verb-pattern gate prompt. Carries the
+/// proposed pattern for the Always button plus display context.
+/// </summary>
+public sealed record VerbPromptInfo
+{
+    /// <summary>
+    /// The verb-pattern glob the Always button extends, derived as
+    /// <c>&lt;verb-chain&gt; *</c> per the locked design.
+    /// </summary>
+    public string VerbPattern { get; init; } = string.Empty;
+
+    /// <summary>
+    /// The rendered command (or first mutating clause) shown to the user
+    /// for context. Not the same as the pattern — operators see what they
+    /// approved AND what's being asked about.
+    /// </summary>
+    public string CommandText { get; init; } = string.Empty;
+
+    /// <summary>Audience name for the prompt body.</summary>
+    public string Audience { get; init; } = string.Empty;
+}
diff --git a/src/Netclaw.Security/GateEvaluator.cs b/src/Netclaw.Security/GateEvaluator.cs
new file mode 100644
index 00000000..69de5fca
--- /dev/null
+++ b/src/Netclaw.Security/GateEvaluator.cs
@@ -0,0 +1,338 @@
+// -----------------------------------------------------------------------
+// <copyright file="GateEvaluator.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+using ShellSyntaxTree;
+
+namespace Netclaw.Security;
+
+/// <summary>
+/// Three-layer approval gate evaluator. Composes hard-deny (Layer 1),
+/// zone gate (Layer 2), and verb-pattern gate (Layer 3) into a single
+/// <see cref="GateEvaluation"/> the workflow consumes.
+/// </summary>
+/// <remarks>
+/// Pure function — no DI dependencies beyond the constructor inputs. Layer
+/// 1 runs against the parsed clauses (using the structured hard-deny rule
+/// set built from compiled defaults plus operator overrides). Layer 2
+/// extracts every path each clause operates on from the AST and checks
+/// each against the composed <see cref="TrustState"/>. Layer 3 evaluates
+/// the verb chain: read-only verbs auto-pass when every clause path is
+/// trusted; otherwise pattern-match or prompt.
+///
+/// Multi-path zone batching: when multiple clauses contribute untrusted
+/// paths, a single <see cref="ZonePromptInfo"/> carries their dedup'd
+/// union — the user clicks "Trust all listed (N)" once to grant the
+/// entire batch atomically.
+/// </remarks>
+public sealed class GateEvaluator
+{
+    private readonly ShellCommandPolicy _hardDenyPolicy;
+    private readonly IShellParser _parser;
+
+    public GateEvaluator(ShellCommandPolicy hardDenyPolicy, IShellParser parser)
+    {
+        _hardDenyPolicy = hardDenyPolicy ?? throw new ArgumentNullException(nameof(hardDenyPolicy));
+        _parser = parser ?? throw new ArgumentNullException(nameof(parser));
+    }
+
+    /// <summary>
+    /// Parses the command via <see cref="IShellParser"/> and evaluates the
+    /// three layers against the supplied <see cref="TrustState"/>.
+    /// </summary>
+    public GateEvaluation Evaluate(string command, TrustAudience audience, TrustState trustState)
+    {
+        ArgumentNullException.ThrowIfNull(trustState);
+        var parsed = _parser.Parse(command ?? string.Empty);
+        return Evaluate(parsed, audience, trustState);
+    }
+
+    /// <summary>
+    /// Evaluates an already-parsed command against the trust state. Useful
+    /// for tests that inject custom ASTs or for callers that have a
+    /// <see cref="ParsedCommand"/> cached from earlier in the pipeline.
+    /// </summary>
+    public GateEvaluation Evaluate(ParsedCommand parsed, TrustAudience audience, TrustState trustState)
+    {
+        ArgumentNullException.ThrowIfNull(parsed);
+        ArgumentNullException.ThrowIfNull(trustState);
+
+        if (parsed.IsUnparseable)
+            return EvaluateUnparseable(parsed, audience);
+
+        return EvaluateParsed(parsed, audience, trustState);
+    }
+
+    private GateEvaluation EvaluateParsed(ParsedCommand parsed, TrustAudience audience, TrustState trustState)
+    {
+        var clauseResults = new List<ClauseGateResult>(parsed.Clauses.Count);
+        var untrustedPathUnion = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        VerbPromptInfo? firstVerbPrompt = null;
+        string? firstHardDenyReason = null;
+        string? firstHardDenyCategory = null;
+
+        for (var i = 0; i < parsed.Clauses.Count; i++)
+        {
+            var clause = parsed.Clauses[i];
+            var result = EvaluateClause(i, clause, trustState);
+            clauseResults.Add(result);
+
+            if (result.HardDenyReason is not null)
+            {
+                // First hard-deny wins overall; we keep evaluating
+                // subsequent clauses so per-clause results reflect every
+                // matching deny (useful for telemetry / auditing) but
+                // the overall decision is fixed.
+                firstHardDenyReason ??= result.HardDenyReason;
+                firstHardDenyCategory ??= result.HardDenyCategory;
+                continue;
+            }
+
+            if (result.ZoneDecision == ZoneGateDecision.Prompt)
+            {
+                foreach (var path in result.UntrustedPaths)
+                    untrustedPathUnion.Add(path);
+            }
+
+            // Capture the first clause-level verb prompt; the workflow
+            // surfaces this as THE verb prompt. Subsequent mutating
+            // clauses with their own pattern proposals stay attached to
+            // their ClauseGateResult records for audit.
+            if (result.VerbDecision == VerbGateDecision.Prompt
+                && firstVerbPrompt is null
+                && result.VerbPatternProposal is not null)
+            {
+                firstVerbPrompt = new VerbPromptInfo
+                {
+                    VerbPattern = result.VerbPatternProposal,
+                    CommandText = RenderClause(clause),
+                    Audience = audience.ToWireValue()
+                };
+            }
+        }
+
+        if (firstHardDenyReason is not null)
+        {
+            return new GateEvaluation
+            {
+                OverallDecision = OverallGateDecision.HardDenied,
+                ClauseResults = clauseResults,
+                HardDenyReason = firstHardDenyReason,
+                HardDenyCategory = firstHardDenyCategory
+            };
+        }
+
+        var zonePrompt = untrustedPathUnion.Count > 0
+            ? new ZonePromptInfo
+            {
+                UntrustedPaths = untrustedPathUnion.ToArray(),
+                Audience = audience.ToWireValue()
+            }
+            : null;
+
+        var needsPrompt = zonePrompt is not null || firstVerbPrompt is not null;
+
+        return new GateEvaluation
+        {
+            OverallDecision = needsPrompt ? OverallGateDecision.NeedsPrompt : OverallGateDecision.Approved,
+            ClauseResults = clauseResults,
+            ZonePrompt = zonePrompt,
+            VerbPrompt = firstVerbPrompt
+        };
+    }
+
+    private ClauseGateResult EvaluateClause(int index, Clause clause, TrustState trustState)
+    {
+        // Layer 1: hard-deny against the rendered clause text. The
+        // ShellCommandPolicy already handles structured + rawText
+        // patterns via its existing engine (commit fdcbd387).
+        var clauseText = RenderClause(clause);
+        var hardDenyDecision = _hardDenyPolicy.Evaluate(clauseText);
+        if (!hardDenyDecision.Allowed)
+        {
+            return new ClauseGateResult
+            {
+                ClauseIndex = index,
+                ZoneDecision = ZoneGateDecision.Skipped,
+                VerbDecision = VerbGateDecision.NotEvaluated,
+                HardDenyReason = hardDenyDecision.DenyReason,
+                HardDenyCategory = hardDenyDecision.DenyCategory
+            };
+        }
+
+        // Layer 2: zone gate. Extract every path the clause operates on:
+        // path args, redirect targets, and cd-in-compound attribution.
+        var clausePaths = ExtractClausePaths(clause);
+        var untrusted = clausePaths
+            .Where(p => !trustState.IsPathInTrustedZone(p))
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToArray();
+
+        // Layer 3: verb-pattern gate. Read-only verbs auto-pass ONLY when
+        // every clause path is trusted (mixed-zone rule: if zone gate
+        // prompted on this clause, the read-only auto-pass is conditional
+        // on the user approving — the workflow handles that re-evaluation).
+        var allPathsTrusted = clausePaths.Count == 0 || untrusted.Length == 0;
+        var verbDecision = EvaluateVerbGate(clause, trustState, allPathsTrusted, out var verbPatternProposal);
+
+        return new ClauseGateResult
+        {
+            ClauseIndex = index,
+            ZoneDecision = untrusted.Length == 0 ? ZoneGateDecision.Pass : ZoneGateDecision.Prompt,
+            UntrustedPaths = untrusted,
+            VerbDecision = verbDecision,
+            VerbPatternProposal = verbPatternProposal
+        };
+    }
+
+    private static VerbGateDecision EvaluateVerbGate(
+        Clause clause,
+        TrustState trustState,
+        bool allPathsTrusted,
+        out string? verbPatternProposal)
+    {
+        verbPatternProposal = null;
+        _ = allPathsTrusted; // intentionally unused — see rationale below.
+
+        // Empty verb (clause is just a redirect, or a tokenizer artifact):
+        // no verb to gate. Layer 2 still applied to the redirect target.
+        if (clause.Verb.Tokens.Count == 0)
+            return VerbGateDecision.Pass;
+
+        // Read-only verbs unconditionally pass the verb gate. The zone
+        // gate handles the geography concern (it will prompt for any
+        // untrusted paths). The verb gate is purely about whether the
+        // action shape is dangerous — read-only actions are by
+        // definition not dangerous regardless of where they run. After
+        // zone approval, all clause paths are in trusted scope and the
+        // call proceeds. The user sees exactly one prompt (the zone
+        // prompt) for read-only verbs on untrusted paths — never two.
+        if (trustState.IsReadOnlyVerb(clause.Verb))
+            return VerbGateDecision.Pass;
+
+        // Pattern match: if the clause matches a persisted or session
+        // verb pattern, silent pass.
+        if (trustState.MatchesVerbPattern(clause.Verb, clause.Args))
+            return VerbGateDecision.Pass;
+
+        // No auto-pass available — propose a verb-pattern for the prompt.
+        // Derivation rule per the locked design: <verb-chain> *.
+        verbPatternProposal = clause.Verb.Joined + " *";
+        return VerbGateDecision.Prompt;
+    }
+
+    private static IReadOnlyList<string> ExtractClausePaths(Clause clause)
+    {
+        var paths = new List<string>();
+
+        foreach (var arg in clause.Args)
+        {
+            if (!arg.IsPath)
+                continue;
+
+            // Skip dynamic-content tokens — we can't resolve them safely,
+            // so we treat the clause as path-arg-less for zone-gate
+            // purposes. The verb gate still applies.
+            if (arg.Kind == ArgKind.DynamicSkip)
+                continue;
+
+            var path = arg.Resolved ?? arg.Raw;
+            if (!string.IsNullOrWhiteSpace(path))
+                paths.Add(path);
+        }
+
+        foreach (var redirect in clause.Redirects)
+        {
+            if (redirect.IsDynamicSkip)
+                continue;
+
+            if (!string.IsNullOrWhiteSpace(redirect.Target))
+                paths.Add(redirect.Target);
+        }
+
+        return paths;
+    }
+
+    private GateEvaluation EvaluateUnparseable(ParsedCommand parsed, TrustAudience audience)
+    {
+        // Per the spec's "Parser anomaly safe-fail" requirement: hard-deny
+        // still consults against the raw source; zone gate prompts as if
+        // the entire raw command is one untrusted path; verb gate offers
+        // Once / Deny only (the IsUnparseable flag on GateEvaluation
+        // signals workflow to constrain prompt options).
+        var rawText = parsed.Source ?? string.Empty;
+        var hardDenyDecision = _hardDenyPolicy.Evaluate(rawText);
+        if (!hardDenyDecision.Allowed)
+        {
+            return new GateEvaluation
+            {
+                OverallDecision = OverallGateDecision.HardDenied,
+                ClauseResults = [],
+                HardDenyReason = hardDenyDecision.DenyReason,
+                HardDenyCategory = hardDenyDecision.DenyCategory,
+                IsUnparseable = true
+            };
+        }
+
+        return new GateEvaluation
+        {
+            OverallDecision = OverallGateDecision.NeedsPrompt,
+            ClauseResults = [],
+            IsUnparseable = true,
+            ZonePrompt = new ZonePromptInfo
+            {
+                UntrustedPaths = [string.IsNullOrEmpty(rawText) ? "<unparseable>" : rawText],
+                Audience = audience.ToWireValue()
+            },
+            VerbPrompt = new VerbPromptInfo
+            {
+                VerbPattern = string.Empty,
+                CommandText = rawText,
+                Audience = audience.ToWireValue()
+            }
+        };
+    }
+
+    private static string RenderClause(Clause clause)
+    {
+        // Approximate the original clause text by joining the verb chain
+        // with non-attribution args and redirect operators. Doesn't try to
+        // re-quote — used only by hard-deny rawText matching, which is
+        // already substring-based, and by VerbPromptInfo.CommandText for
+        // user display. Quote-sensitive matching belongs in structured
+        // hard-deny rules, not rawText.
+        var parts = new List<string>();
+        if (clause.Verb.Tokens.Count > 0)
+            parts.AddRange(clause.Verb.Tokens);
+
+        foreach (var arg in clause.Args)
+        {
+            if (arg.IsCwdAttribution)
+                continue;
+            if (!string.IsNullOrEmpty(arg.Raw))
+                parts.Add(arg.Raw);
+        }
+
+        foreach (var redirect in clause.Redirects)
+        {
+            parts.Add(RedirectOperator(redirect.Direction));
+            if (!string.IsNullOrEmpty(redirect.Target))
+                parts.Add(redirect.Target);
+        }
+
+        return string.Join(' ', parts);
+    }
+
+    private static string RedirectOperator(RedirectDirection direction)
+        => direction switch
+        {
+            RedirectDirection.In => "<",
+            RedirectDirection.Out => ">",
+            RedirectDirection.Append => ">>",
+            RedirectDirection.ErrOut => "2>",
+            RedirectDirection.ErrAppend => "2>>",
+            _ => ">"
+        };
+}
diff --git a/src/Netclaw.Security/HardDenyOverridesLoader.cs b/src/Netclaw.Security/HardDenyOverridesLoader.cs
new file mode 100644
index 00000000..966f729f
--- /dev/null
+++ b/src/Netclaw.Security/HardDenyOverridesLoader.cs
@@ -0,0 +1,102 @@
+// -----------------------------------------------------------------------
+// <copyright file="HardDenyOverridesLoader.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Text.Json;
+
+namespace Netclaw.Security;
+
+/// <summary>
+/// Loads operator-authored hard-deny rules from
+/// <c>~/.netclaw/config/hard-deny-overrides.json</c>. The file is optional;
+/// missing or empty file returns an empty list.
+/// </summary>
+/// <remarks>
+/// The loader is the trust boundary between operator config and the deny
+/// engine. It validates each rule's shape (exactly one match field;
+/// refinements only on verb rules; reason required) and rejects malformed
+/// input loudly so the operator sees the problem at startup rather than
+/// silently dropping rules.
+///
+/// Rules returned by this loader are concatenated with the daemon's
+/// shipped defaults — they cannot disable, weaken, or override the
+/// shipped defaults. There is no DSL syntax for "disable" by design.
+/// </remarks>
+public sealed class HardDenyOverridesLoader
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        AllowTrailingCommas = true,
+        ReadCommentHandling = JsonCommentHandling.Skip,
+    };
+
+    /// <summary>
+    /// Reads the override file and returns its rules. Returns an empty list
+    /// when the file does not exist or contains an empty array. Throws
+    /// <see cref="InvalidDataException"/> when the file exists but cannot be
+    /// parsed or contains a malformed rule — the daemon should fail closed
+    /// in that case rather than start with a partially-loaded ruleset.
+    /// </summary>
+    public IReadOnlyList<HardDenyRule> Load(string filePath)
+    {
+        if (string.IsNullOrWhiteSpace(filePath) || !File.Exists(filePath))
+            return [];
+
+        string json;
+        try
+        {
+            json = File.ReadAllText(filePath);
+        }
+        catch (Exception ex)
+        {
+            throw new InvalidDataException(
+                $"Hard-deny overrides file at '{filePath}' could not be read: {ex.Message}",
+                ex);
+        }
+
+        if (string.IsNullOrWhiteSpace(json))
+            return [];
+
+        List<HardDenyRule>? parsed;
+        try
+        {
+            parsed = JsonSerializer.Deserialize<List<HardDenyRule>>(json, JsonOptions);
+        }
+        catch (JsonException ex)
+        {
+            throw new InvalidDataException(
+                $"Hard-deny overrides file at '{filePath}' is malformed JSON: {ex.Message}. The daemon refuses to start with an unloadable override file rather than risk silently dropping rules. Fix or remove the file before restarting.",
+                ex);
+        }
+
+        if (parsed is null || parsed.Count == 0)
+            return [];
+
+        // Validate every rule before returning any. A single malformed rule
+        // halts the load — partial loads silently drop rules an operator
+        // believed were active, and that is exactly the failure mode the
+        // doctor check exists to prevent.
+        for (var i = 0; i < parsed.Count; i++)
+        {
+            var rule = parsed[i];
+            if (rule is null)
+                throw new InvalidDataException(
+                    $"Hard-deny overrides file at '{filePath}' contains a null rule at index {i}.");
+
+            try
+            {
+                rule.Validate();
+            }
+            catch (InvalidDataException ex)
+            {
+                throw new InvalidDataException(
+                    $"Hard-deny overrides file at '{filePath}' rule at index {i} is invalid: {ex.Message}",
+                    ex);
+            }
+        }
+
+        return parsed;
+    }
+}
diff --git a/src/Netclaw.Security/HardDenyRule.cs b/src/Netclaw.Security/HardDenyRule.cs
new file mode 100644
index 00000000..3bc484b3
--- /dev/null
+++ b/src/Netclaw.Security/HardDenyRule.cs
@@ -0,0 +1,144 @@
+// -----------------------------------------------------------------------
+// <copyright file="HardDenyRule.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using System.Text.Json.Serialization;
+
+namespace Netclaw.Security;
+
+/// <summary>
+/// Operator-authored hard-deny rule loaded from
+/// <c>~/.netclaw/config/hard-deny-overrides.json</c>. Each rule is a
+/// structured predicate over a parsed shell clause (verb + args) plus an
+/// explicit <c>rawText</c> escape for shape-shaped patterns that cannot be
+/// expressed structurally (fork bombs, weird shell syntax).
+/// </summary>
+/// <remarks>
+/// Override rules are strictly additive: they can introduce new deny rules
+/// but cannot remove, disable, or weaken shipped defaults compiled into the
+/// daemon binary. The DSL has no <c>disable</c> verb by design.
+///
+/// Exactly one match-shape field SHALL be set per rule:
+/// <list type="bullet">
+///   <item><see cref="Verb"/> — exact verb chain match (case-insensitive).</item>
+///   <item><see cref="VerbPrefix"/> — first token starts with prefix (mkfs,
+///         mkfs.ext4, etc).</item>
+///   <item><see cref="RawText"/> — substring match against the rendered clause
+///         (escape hatch for fork-bomb-shaped patterns).</item>
+/// </list>
+/// <see cref="ArgFlags"/> and <see cref="FirstPath"/> are optional refinements
+/// applied on top of <see cref="Verb"/>.
+/// </remarks>
+public sealed class HardDenyRule
+{
+    /// <summary>
+    /// Exact verb-chain match (case-insensitive). For <c>git push</c> the
+    /// chain is <c>["git", "push"]</c>. The first N tokens of the parsed
+    /// clause must equal these values exactly.
+    /// </summary>
+    [JsonPropertyName("verb")]
+    public List<string>? Verb { get; set; }
+
+    /// <summary>
+    /// First-token prefix match (case-insensitive). Used for verb families
+    /// like <c>mkfs.ext4</c>, <c>mkfs.xfs</c> where listing every variant
+    /// is impractical.
+    /// </summary>
+    [JsonPropertyName("verbPrefix")]
+    public string? VerbPrefix { get; set; }
+
+    /// <summary>
+    /// Optional refinement on a verb-matched rule: any of these flags must
+    /// be present in the clause's argument tokens. Each entry is a literal
+    /// flag string (e.g. <c>-rf</c>, <c>--recursive</c>).
+    /// </summary>
+    [JsonPropertyName("argFlags")]
+    public List<string>? ArgFlags { get; set; }
+
+    /// <summary>
+    /// Optional refinement on a verb-matched rule: the first non-flag
+    /// argument must be one of the listed paths. Trailing slashes are
+    /// normalized away. Tilde and <c>$HOME</c> match the daemon-process
+    /// user's home directory.
+    /// </summary>
+    [JsonPropertyName("firstPath")]
+    public PathConstraint? FirstPath { get; set; }
+
+    /// <summary>
+    /// Substring match against the rendered clause. Escape hatch for
+    /// shape-shaped patterns (fork bombs <c>:(){ :|:&amp; };:</c>) that
+    /// cannot be expressed as verb+args. Marked
+    /// <see cref="EscapeHatch"/>=true by convention.
+    /// </summary>
+    [JsonPropertyName("rawText")]
+    public string? RawText { get; set; }
+
+    /// <summary>
+    /// User-visible explanation surfaced when the rule denies a call.
+    /// </summary>
+    [JsonPropertyName("reason")]
+    public required string Reason { get; set; }
+
+    /// <summary>
+    /// Telemetry / log category. Defaults to <c>custom_deny</c> for operator
+    /// overrides; shipped defaults populate this with their own categories
+    /// (<c>self_destructive</c>, <c>system_destructive</c>, etc.).
+    /// </summary>
+    [JsonPropertyName("category")]
+    public string Category { get; set; } = "custom_deny";
+
+    /// <summary>
+    /// Documentation flag for <see cref="RawText"/> rules indicating the
+    /// rule is using the rawText escape rather than structured matching.
+    /// Exists purely for grep-ability — does not affect evaluation.
+    /// </summary>
+    [JsonPropertyName("escapeHatch")]
+    public bool EscapeHatch { get; set; }
+
+    /// <summary>
+    /// Validates that the rule has exactly one match-shape field set and
+    /// that refinements are only paired with <see cref="Verb"/>. Throws
+    /// <see cref="InvalidDataException"/> with a clear message on any
+    /// shape violation.
+    /// </summary>
+    public void Validate()
+    {
+        var shapeFields = 0;
+        if (Verb is { Count: > 0 }) shapeFields++;
+        if (!string.IsNullOrWhiteSpace(VerbPrefix)) shapeFields++;
+        if (!string.IsNullOrWhiteSpace(RawText)) shapeFields++;
+
+        if (shapeFields == 0)
+            throw new InvalidDataException(
+                $"Hard-deny rule (reason='{Reason}') has no match shape — set exactly one of 'verb', 'verbPrefix', or 'rawText'.");
+
+        if (shapeFields > 1)
+            throw new InvalidDataException(
+                $"Hard-deny rule (reason='{Reason}') has multiple match shapes set — pick exactly one of 'verb', 'verbPrefix', or 'rawText'.");
+
+        if ((ArgFlags is { Count: > 0 } || FirstPath is not null) && Verb is not { Count: > 0 })
+            throw new InvalidDataException(
+                $"Hard-deny rule (reason='{Reason}') uses 'argFlags' or 'firstPath' refinement without a 'verb' match. Refinements only apply to verb-matched rules.");
+
+        if (string.IsNullOrWhiteSpace(Reason))
+            throw new InvalidDataException(
+                "Hard-deny rule has no 'reason' — every rule must include a user-visible explanation.");
+    }
+}
+
+/// <summary>
+/// Constraint on a single positional argument. Currently only
+/// <see cref="OneOf"/> is supported. Extension point for future predicates
+/// (regex, glob, etc.) without breaking the JSON schema.
+/// </summary>
+public sealed class PathConstraint
+{
+    /// <summary>
+    /// The argument must be one of these literal paths (case-insensitive).
+    /// Trailing slashes are normalized away. Tilde and <c>$HOME</c> /
+    /// <c>${HOME}</c> match the daemon-process user's home directory.
+    /// </summary>
+    [JsonPropertyName("oneOf")]
+    public List<string>? OneOf { get; set; }
+}
diff --git a/src/Netclaw.Security/IToolApprovalMatcher.cs b/src/Netclaw.Security/IToolApprovalMatcher.cs
index 4d061541..c93be67c 100644
--- a/src/Netclaw.Security/IToolApprovalMatcher.cs
+++ b/src/Netclaw.Security/IToolApprovalMatcher.cs
@@ -1,12 +1,23 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // <copyright file="IToolApprovalMatcher.cs" company="Petabridge, LLC">
 //      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
 // </copyright>
 // -----------------------------------------------------------------------
+using Netclaw.Configuration;
 using Netclaw.Tools;
 
 namespace Netclaw.Security;
 
+/// <summary>
+/// One approval candidate extracted from a tool invocation. The verb is the
+/// command head plus subcommand chain (e.g., <c>find</c>, <c>git status</c>).
+/// The directory is the first path-like positional argument with the
+/// file-parent rule applied — when present it overrides the resolved cwd as
+/// the candidate's effective directory in the approval matcher; when null
+/// the matcher falls back to the spawned process's cwd.
+/// </summary>
+public sealed record ApprovalCandidate(string Verb, string? Directory);
+
 /// <summary>
 /// Tool-specific pattern extraction and matching for the approval system.
 /// Each tool type can provide its own matcher to define what constitutes
@@ -33,36 +44,66 @@ public interface IToolApprovalMatcher
     bool IsFailClosedOnPersonal(ToolName toolName, IDictionary<string, object?>? arguments);
 
     /// <summary>
-    /// Extracts the exact approval patterns shown to the user.
-    /// For shell: normalized approval units. For other tools: the tool name.
+    /// Returns the exact display patterns shown to the user in the approval
+    /// prompt body. For shell these are normalized approval units (verb
+    /// chain plus any path-aware first argument); for other tools the tool
+    /// name. Reused as the retry-exact key for one-shot approvals.
     /// </summary>
     IReadOnlyList<string> ExtractPatterns(ToolName toolName, IDictionary<string, object?>? arguments);
 
     /// <summary>
-    /// Extracts the reusable approval entries consulted for session and persistent
-    /// approval checks.
+    /// Returns the candidate verb chains evaluated against persisted
+    /// <see cref="ApprovalEntry"/> records by the gate. For shell these are
+    /// pure verb chains (e.g., <c>git push</c>, <c>grep</c>); for other
+    /// tools typically <c>[toolName.Value]</c>. Derived from
+    /// <see cref="ExtractCandidates"/>.
     /// </summary>
-    IReadOnlyList<string> ExtractApprovalEntries(ToolName toolName, IDictionary<string, object?>? arguments);
+    IReadOnlyList<string> ExtractCandidateVerbs(ToolName toolName, IDictionary<string, object?>? arguments);
 
     /// <summary>
-    /// Checks if the tool call matches any approved pattern.
+    /// Returns the candidate <c>(verb, directory)</c> pairs for this tool
+    /// invocation. The directory half is the first path-like positional
+    /// argument extracted from each clause (with the file-parent rule
+    /// applied), or null when the clause has no path argument. The matcher
+    /// SHALL use this directory as the candidate's effective directory,
+    /// falling back to <see cref="ToolExecutionContext.Cwd"/> when null.
     /// </summary>
-    bool IsApproved(ToolName toolName, IDictionary<string, object?>? arguments, IEnumerable<string> approvedPatterns);
+    IReadOnlyList<ApprovalCandidate> ExtractCandidates(ToolName toolName, IDictionary<string, object?>? arguments);
 
     /// <summary>
-    /// Formats the tool call for display in the approval prompt.
+    /// Returns true when every candidate verb chain finds a matching
+    /// <see cref="ApprovalEntry"/> under the supplied <paramref name="cwd"/>.
+    /// A folder-scoped entry matches when its directory contains the cwd and
+    /// no symlink segments exist between the two; a global-wildcard entry
+    /// (<c>directory: null</c>) matches any cwd.
     /// </summary>
-    string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments);
+    bool IsApproved(
+        ToolName toolName,
+        IDictionary<string, object?>? arguments,
+        IReadOnlyList<ApprovalEntry> approvedEntries,
+        string? cwd);
+
+    /// <summary>
+    /// Returns true when the invocation cannot be cleanly split into
+    /// verb-chain approval units — for shell, when the command contains bash
+    /// control-flow keywords or unbalanced quotes/brackets. Approval prompts
+    /// for messy invocations omit persistent-grant buttons and surface a
+    /// "complex command" hint; the user can still grant a single retry via
+    /// <c>Once</c>. Non-shell matchers SHALL return <c>false</c>.
+    /// </summary>
+    bool IsMessy(ToolName toolName, IDictionary<string, object?>? arguments);
 
     /// <summary>
-    /// Extracts reusable directory approval roots for the invocation.
+    /// Formats the tool call for display in the approval prompt header.
     /// </summary>
-    IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(ToolName toolName, IDictionary<string, object?>? arguments);
+    string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments);
 }
 
 /// <summary>
-/// Shell-specific approval matcher using approval units bounded by &&, ||, and ;.
-/// Pipelines remain inside the same approval unit.
+/// Shell-specific approval matcher. Verb-chain extraction stops at the first
+/// flag, path, or URL token; <c>&amp;&amp;</c> / <c>||</c> / <c>;</c> split
+/// approval units while <c>|</c> stays inside one unit; <c>bash -c</c> /
+/// <c>sh -c</c> wrappers recurse into the inner command.
 /// </summary>
 public sealed class ShellApprovalMatcher : IToolApprovalMatcher
 {
@@ -91,113 +132,90 @@ public IReadOnlyList<string> ExtractPatterns(ToolName toolName, IDictionary<stri
         return patterns.ToList();
     }
 
-    public IReadOnlyList<string> ExtractApprovalEntries(ToolName toolName, IDictionary<string, object?>? arguments)
+    public IReadOnlyList<string> ExtractCandidateVerbs(ToolName toolName, IDictionary<string, object?>? arguments)
+        => ExtractCandidates(toolName, arguments)
+            .Select(c => c.Verb)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+    public IReadOnlyList<ApprovalCandidate> ExtractCandidates(ToolName toolName, IDictionary<string, object?>? arguments)
     {
         var command = GetCommand(arguments);
         if (string.IsNullOrWhiteSpace(command))
             return [];
 
-        // Shell approvals intentionally keep two parallel views of the same
-        // invocation:
-        //
-        // 1. `Patterns` are the exact normalized approval units shown in the
-        //    prompt and reused only for approve-once retries.
-        // 2. `ApprovalEntries` are the broader entries consulted for session
-        //    and persistent approval reuse.
-        //
-        // The directory-scoping algorithm starts here. We first break the
-        // command into approval units: &&, ||, and ; split into separate units,
-        // while pipelines joined by | stay together as one piece of work.
-        // `bash -c` / `sh -c` wrappers recurse into the inner command and feed
-        // those inner units back through the same logic.
-        //
-        // For each unit we try to derive reusable local directory roots. If we
-        // can do that safely, those roots become the approval entries recorded
-        // for B/C approvals. If we cannot, we fall back to the exact normalized
-        // unit. That keeps approve-once exact while letting broader approvals
-        // reuse local directory access without introducing verb allowlists.
-        var workingDirectory = GetWorkingDirectory(arguments);
-        var entries = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        // v2.1 candidate extraction: emit (verb, directory) pairs per clause.
+        // The verb is the command head + subcommand chain only; path
+        // arguments are extracted separately as the candidate's effective
+        // directory. The matcher uses directory ?? cwd at evaluation time.
+        // Deduped by (verb, directory) so a compound command like
+        // "ls A; ls B" produces two entries even though the verb is shared.
+        var seen = new HashSet<(string, string?)>();
+        var candidates = new List<ApprovalCandidate>();
         TraverseApprovalUnits(command, unit =>
         {
-            var roots = ShellTokenizer.ExtractDirectoryRoots(unit, workingDirectory);
-            if (roots.Count > 0)
-            {
-                foreach (var root in roots)
-                    entries.Add(root.ComparisonRoot);
+            var verb = ShellTokenizer.ExtractVerbChain(unit);
+            if (string.IsNullOrEmpty(verb))
                 return;
-            }
 
-            var normalized = ShellTokenizer.NormalizeApprovalUnit(unit, workingDirectory);
-            if (!string.IsNullOrEmpty(normalized))
-                entries.Add(normalized);
+            var directory = ShellTokenizer.ExtractFirstPathArgument(unit);
+            var key = (verb.ToLowerInvariant(), directory);
+            if (seen.Add(key))
+                candidates.Add(new ApprovalCandidate(verb, directory));
         });
 
-        return entries.ToList();
+        return candidates;
     }
 
-    public bool IsApproved(ToolName toolName, IDictionary<string, object?>? arguments, IEnumerable<string> approvedPatterns)
+    public bool IsApproved(
+        ToolName toolName,
+        IDictionary<string, object?>? arguments,
+        IReadOnlyList<ApprovalEntry> approvedEntries,
+        string? cwd)
     {
-        var approvalEntries = ExtractApprovalEntries(toolName, arguments);
-        if (approvalEntries.Count == 0)
-            return true; // Empty command, nothing to approve
+        var command = GetCommand(arguments);
+        if (string.IsNullOrWhiteSpace(command))
+            return true; // empty command, nothing to approve
+
+        // Messy commands cannot be auto-approved: the matcher cannot extract a
+        // candidate verb-chain to evaluate against the persisted store, so
+        // every messy invocation must round-trip through the user. The prompt
+        // builder offers only Once/Deny in this case (see IsMessy).
+        if (ShellTokenizer.IsMessyCompoundCommand(command))
+            return false;
 
-        var approvedList = approvedPatterns as IReadOnlyList<string> ?? approvedPatterns.ToList();
-        foreach (var entry in approvalEntries)
+        var candidates = ExtractCandidates(toolName, arguments);
+        if (candidates.Count == 0)
+            return true;
+
+        foreach (var candidate in candidates)
         {
-            if (!ApprovalPatternMatching.MatchesShellApprovalEntry(entry, approvedList))
+            // Pure side-effect candidates (echo "X" without a path or redirect,
+            // bash :, true/false) are always authorized — they're skipped on
+            // persistence so the store never contains them, and the matcher
+            // here mirrors that decision at evaluation time.
+            if (ApprovalPatternMatching.IsPureSideEffect(candidate))
+                continue;
+
+            if (!ApprovalPatternMatching.MatchesShellApproval(
+                    candidate.Verb, candidate.Directory, cwd, approvedEntries))
                 return false;
         }
 
         return true;
     }
 
-    public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments)
-    {
-        return GetCommand(arguments) ?? "(empty command)";
-    }
-
-    public IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(ToolName toolName, IDictionary<string, object?>? arguments)
-    {
-        var command = GetCommand(arguments);
-        if (string.IsNullOrWhiteSpace(command))
-            return [];
+    public bool IsMessy(ToolName toolName, IDictionary<string, object?>? arguments)
+        => ShellTokenizer.IsMessyCompoundCommand(GetCommand(arguments));
 
-        var roots = new List<DirectoryApprovalRoot>();
-        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-        TraverseApprovalUnits(command, unit =>
-        {
-            foreach (var root in ShellTokenizer.ExtractDirectoryRoots(unit, GetWorkingDirectory(arguments)))
-            {
-                if (seen.Add(root.ComparisonRoot))
-                    roots.Add(root);
-            }
-        });
-
-        return roots;
-    }
+    public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments)
+        => GetCommand(arguments) ?? "(empty command)";
 
     private static string? GetCommand(IDictionary<string, object?>? arguments)
-    {
-        if (arguments is null)
-            return null;
-
-        if (arguments.TryGetValue("Command", out var val) || arguments.TryGetValue("command", out val))
-            return val?.ToString();
-
-        return null;
-    }
+        => arguments is null ? null : ToolArgumentHelper.GetString(arguments, "Command");
 
     private static string? GetWorkingDirectory(IDictionary<string, object?>? arguments)
-    {
-        if (arguments is null)
-            return null;
-
-        if (arguments.TryGetValue("WorkingDirectory", out var val) || arguments.TryGetValue("workingDirectory", out val))
-            return val?.ToString();
-
-        return null;
-    }
+        => arguments is null ? null : ToolArgumentHelper.GetString(arguments, "WorkingDirectory");
 
     private static void TraverseApprovalUnits(string command, Action<string> visitUnit)
     {
@@ -222,7 +240,8 @@ private static void TraverseApprovalUnits(string command, Action<string> visitUn
 
 /// <summary>
 /// Default approval matcher for non-shell tools. Approval is at the tool-name
-/// level — either the tool is approved or it isn't.
+/// level — either the tool is approved or it isn't. Directory scoping does
+/// not apply.
 /// </summary>
 public sealed class DefaultApprovalMatcher : IToolApprovalMatcher
 {
@@ -235,29 +254,24 @@ public bool IsFailClosedOnPersonal(ToolName toolName, IDictionary<string, object
         => false;
 
     public IReadOnlyList<string> ExtractPatterns(ToolName toolName, IDictionary<string, object?>? arguments)
-    {
-        return [toolName.Value];
-    }
+        => [toolName.Value];
 
-    public IReadOnlyList<string> ExtractApprovalEntries(ToolName toolName, IDictionary<string, object?>? arguments)
-        => ExtractPatterns(toolName, arguments);
+    public IReadOnlyList<string> ExtractCandidateVerbs(ToolName toolName, IDictionary<string, object?>? arguments)
+        => [toolName.Value];
 
-    public bool IsApproved(ToolName toolName, IDictionary<string, object?>? arguments, IEnumerable<string> approvedPatterns)
-    {
-        foreach (var approved in approvedPatterns)
-        {
-            if (string.Equals(toolName.Value, approved, StringComparison.OrdinalIgnoreCase))
-                return true;
-        }
+    public IReadOnlyList<ApprovalCandidate> ExtractCandidates(ToolName toolName, IDictionary<string, object?>? arguments)
+        => [new ApprovalCandidate(toolName.Value, Directory: null)];
 
-        return false;
-    }
+    public bool IsApproved(
+        ToolName toolName,
+        IDictionary<string, object?>? arguments,
+        IReadOnlyList<ApprovalEntry> approvedEntries,
+        string? cwd)
+        => ApprovalPatternMatching.MatchesAny(toolName.Value, approvedEntries);
 
-    public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments)
-    {
-        return toolName.Value;
-    }
+    public bool IsMessy(ToolName toolName, IDictionary<string, object?>? arguments)
+        => false;
 
-    public IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(ToolName toolName, IDictionary<string, object?>? arguments)
-        => [];
+    public string FormatForDisplay(ToolName toolName, IDictionary<string, object?>? arguments)
+        => toolName.Value;
 }
diff --git a/src/Netclaw.Security/IToolApprovalService.cs b/src/Netclaw.Security/IToolApprovalService.cs
index 0ac26696..b74a285b 100644
--- a/src/Netclaw.Security/IToolApprovalService.cs
+++ b/src/Netclaw.Security/IToolApprovalService.cs
@@ -10,11 +10,20 @@ namespace Netclaw.Security;
 
 public interface IToolApprovalService
 {
+    /// <summary>
+    /// Returns the subset of <paramref name="patterns"/> (candidate verb chains)
+    /// that are not approved for the given audience and tool. The
+    /// <paramref name="cwd"/> is the candidate's resolved working directory; it
+    /// is used by the v2 matcher to evaluate folder-scoped
+    /// <see cref="Netclaw.Configuration.ApprovalEntry"/> records. May be null
+    /// for tools whose approvals are not directory-anchored.
+    /// </summary>
     Task<IReadOnlyList<string>> GetUnapprovedPatternsAsync(
         string? sessionId,
         TrustAudience audience,
         ToolName toolName,
         IReadOnlyList<string> patterns,
+        string? cwd,
         CancellationToken ct = default);
 
     Task RecordApprovalAsync(
@@ -23,5 +32,6 @@ Task RecordApprovalAsync(
         ToolName toolName,
         IReadOnlyList<string> patterns,
         bool persistent,
+        string? cwd,
         CancellationToken ct = default);
 }
diff --git a/src/Netclaw.Security/Netclaw.Security.csproj b/src/Netclaw.Security/Netclaw.Security.csproj
index ce6b12e8..b2e43a29 100644
--- a/src/Netclaw.Security/Netclaw.Security.csproj
+++ b/src/Netclaw.Security/Netclaw.Security.csproj
@@ -8,6 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Hosting" />
+    <PackageReference Include="ShellSyntaxTree" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Netclaw.Security/PathUtility.cs b/src/Netclaw.Security/PathUtility.cs
index 10f16663..7768d1bf 100644
--- a/src/Netclaw.Security/PathUtility.cs
+++ b/src/Netclaw.Security/PathUtility.cs
@@ -147,4 +147,52 @@ public static string ExpandHome(string path)
         var expanded = ExpandHome(path);
         return TryNormalize(expanded, workingDirectory, out var normalized) ? normalized : null;
     }
+
+    /// <summary>
+    /// Returns true when any segment of <paramref name="fullPath"/>, walking from
+    /// <paramref name="allowedRoot"/> outward, is a filesystem reparse point
+    /// (symbolic link, junction, or other reparse target). Used by the approval
+    /// gate and file-access policy to refuse to honor a grant when the candidate
+    /// path's resolution depends on a symlink that could redirect the I/O outside
+    /// the granted root.
+    ///
+    /// Errors reading attributes are conservatively treated as a positive
+    /// detection: if we cannot determine whether a segment is a symlink, we
+    /// assume it is.
+    /// </summary>
+    public static bool ContainsSymlinkSegment(string allowedRoot, string fullPath)
+    {
+        var relativePath = Path.GetRelativePath(allowedRoot, fullPath);
+        if (string.IsNullOrWhiteSpace(relativePath) || relativePath == ".")
+            return false;
+
+        var segments = relativePath.Split(
+            [Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar],
+            StringSplitOptions.RemoveEmptyEntries);
+        var currentPath = allowedRoot;
+
+        foreach (var segment in segments)
+        {
+            currentPath = Path.Combine(currentPath, segment);
+            if (!File.Exists(currentPath) && !Directory.Exists(currentPath))
+                continue;
+
+            try
+            {
+                var attributes = File.GetAttributes(currentPath);
+                if ((attributes & FileAttributes.ReparsePoint) != 0)
+                    return true;
+            }
+            catch (IOException)
+            {
+                return true;
+            }
+            catch (UnauthorizedAccessException)
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
diff --git a/src/Netclaw.Security/SecurityServiceExtensions.cs b/src/Netclaw.Security/SecurityServiceExtensions.cs
index efd03d39..af5bc51b 100644
--- a/src/Netclaw.Security/SecurityServiceExtensions.cs
+++ b/src/Netclaw.Security/SecurityServiceExtensions.cs
@@ -5,6 +5,7 @@
 // -----------------------------------------------------------------------
 using Microsoft.Extensions.DependencyInjection;
 using Netclaw.Security.Skills;
+using ShellSyntaxTree;
 
 namespace Netclaw.Security;
 
@@ -21,4 +22,15 @@ public static IServiceCollection AddContentSecurity(this IServiceCollection serv
         services.AddSingleton<ISkillContentScanner, RegexSkillContentScanner>();
         return services;
     }
+
+    /// <summary>
+    /// Registers <see cref="IShellParser"/> for the approval gate evaluator.
+    /// The bash implementation is the only one shipped today; PowerShell and
+    /// cmd parsers are deferred to ShellSyntaxTree v0.2+.
+    /// </summary>
+    public static IServiceCollection AddShellParser(this IServiceCollection services)
+    {
+        services.AddSingleton<IShellParser, BashParser>();
+        return services;
+    }
 }
diff --git a/src/Netclaw.Security/ShellApprovalSemantics.cs b/src/Netclaw.Security/ShellApprovalSemantics.cs
index e23cfee4..2f0515ee 100644
--- a/src/Netclaw.Security/ShellApprovalSemantics.cs
+++ b/src/Netclaw.Security/ShellApprovalSemantics.cs
@@ -13,14 +13,14 @@ internal interface IShellApprovalSemantics
 
     string ExtractVerbChain(string command, int maxDepth);
 
+    string? ExtractFirstPathArgument(string command);
+
     IReadOnlyList<string> ExtractInnerCommands(string command);
 
     bool LooksLikePath(string token);
 
     string NormalizeApprovalUnit(string command, string? workingDirectory);
 
-    IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(string command, string? workingDirectory);
-
     string? NormalizePathToken(string path, string? workingDirectory);
 }
 
@@ -117,26 +117,84 @@ public string ExtractVerbChain(string command, int maxDepth)
             if (LooksLikeArgument(trimmed))
                 break;
 
+            // Path-aware verbs (cat, grep, find, ls, ...) take positional
+            // arguments (search pattern, target file) that are not
+            // subcommands. Stop after the first verb so we don't bake
+            // call-specific arguments into the persisted verb chain. This
+            // is what makes "grep secret /var/log/syslog" produce verb
+            // "grep" (with /var/log/syslog as the effective directory)
+            // rather than verb "grep secret".
+            //
+            // Same cap applies to single-token side-effect verbs (echo,
+            // printf, :, true, false) so "echo done" resolves to verb
+            // "echo" — matching the skip list in
+            // ApprovalPatternMatching.IsPureSideEffect rather than the
+            // 2-token chain "echo done".
+            if (verbParts.Count == 1
+                && (ShellTokenizer.PathAwareVerbs.Contains(verbParts[0])
+                    || ShellTokenizer.SingleTokenSideEffectVerbs.Contains(verbParts[0])))
+                break;
+
             verbParts.Add(trimmed);
         }
 
-        if (verbParts.Count == 1 && ShellTokenizer.PathAwareVerbs.Contains(verbParts[0]))
+        return string.Join(' ', verbParts);
+    }
+
+    public string? ExtractFirstPathArgument(string command)
+    {
+        // Per the path-extraction spec, only conservatively path-anchored
+        // tokens count: starts with /, ~/, ./, ../ or equals ~, ., ..
+        // Tokens that merely contain a slash (URLs, regexes, docker tags,
+        // git refs) are intentionally NOT extracted — false positives here
+        // would silently expand or contract trust scope.
+        foreach (var token in ShellTokenizer.Tokenize(command))
         {
-            for (var i = 1; i < tokens.Count; i++)
-            {
-                var trimmed = ShellTokenizer.TrimShellPunctuation(tokens[i]);
-                if (trimmed.Length == 0)
-                    continue;
+            var trimmed = ShellTokenizer.TrimShellPunctuation(token);
+            if (trimmed.Length == 0)
+                continue;
+            if (trimmed.StartsWith('-'))
+                continue;
+            if (ShellTokenizer.IsPathToken(trimmed))
+                return ApplyFileParentRule(trimmed);
+        }
 
-                if (trimmed.StartsWith('-'))
-                    continue;
+        return null;
+    }
 
-                verbParts.Add(trimmed);
-                break;
-            }
-        }
+    /// <summary>
+    /// When the extracted path looks like a file (has an extension on its
+    /// last component), return the parent directory so persisted approvals
+    /// scope to the folder rather than a single file. Pure string operation,
+    /// no filesystem syscall.
+    /// </summary>
+    private static string? ApplyFileParentRule(string token)
+    {
+        if (string.IsNullOrEmpty(token))
+            return token;
 
-        return string.Join(' ', verbParts);
+        // Path.HasExtension is the deterministic heuristic; dot-prefixed
+        // dotfiles like ~/.bashrc don't return an extension via this API
+        // (the leading dot is treated as part of the basename), which is
+        // the right behavior for our use case — scope cat ~/.bashrc to ~/.
+        var hasExtension = Path.HasExtension(token);
+        if (!hasExtension && !LooksLikeDotfile(token))
+            return token;
+
+        var parent = Path.GetDirectoryName(token);
+        // GetDirectoryName returns "" for a bare filename and the literal
+        // separator for root-level files. Fall back to the token unchanged
+        // when we can't sensibly compute a parent.
+        if (string.IsNullOrEmpty(parent))
+            return token;
+
+        return parent;
+    }
+
+    private static bool LooksLikeDotfile(string token)
+    {
+        var basename = Path.GetFileName(token);
+        return basename.Length > 1 && basename[0] == '.';
     }
 
     public string NormalizeApprovalUnit(string command, string? workingDirectory)
@@ -161,36 +219,6 @@ public string NormalizeApprovalUnit(string command, string? workingDirectory)
         return string.Join(' ', normalizedTokens);
     }
 
-    public IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(string command, string? workingDirectory)
-    {
-        var tokens = ShellTokenizer.Tokenize(command).ToList();
-        if (tokens.Count == 0)
-            return [];
-
-        var roots = new List<DirectoryApprovalRoot>();
-        var comparisonRoots = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-        var sawPathToken = false;
-
-        foreach (var token in tokens)
-        {
-            if (token.Length == 0 || token.StartsWith('-'))
-                continue;
-
-            if (!LooksLikePath(token))
-                continue;
-
-            sawPathToken = true;
-            var root = TryCreateDirectoryApprovalRoot(token, workingDirectory);
-            if (root is null)
-                return [];
-
-            if (comparisonRoots.Add(root.ComparisonRoot))
-                roots.Add(root);
-        }
-
-        return sawPathToken ? roots : [];
-    }
-
     public virtual string? NormalizePathToken(string path, string? workingDirectory)
         => PathUtility.ExpandAndNormalize(path, workingDirectory);
 
@@ -246,17 +274,6 @@ protected int GetFirstShellSeparatorIndex(string token)
         return -1;
     }
 
-    protected int GetLastShellSeparatorIndex(string token, int startExclusive)
-    {
-        for (var i = Math.Min(startExclusive - 1, token.Length - 1); i >= 0; i--)
-        {
-            if (IsShellSeparator(token[i]))
-                return i;
-        }
-
-        return -1;
-    }
-
     protected static IReadOnlyList<string> SplitCompoundCommand(string command, bool splitOnSemicolon, bool splitOnSingleAmpersand)
     {
         if (string.IsNullOrWhiteSpace(command))
@@ -321,100 +338,6 @@ protected static IReadOnlyList<string> SplitCompoundCommand(string command, bool
         return segments;
     }
 
-    protected DirectoryApprovalRoot? TryCreateDirectoryApprovalRoot(string rawPath, string? workingDirectory)
-    {
-        var displayRoot = ExtractDisplayDirectory(rawPath, workingDirectory);
-        if (displayRoot is null)
-            return null;
-
-        var comparisonRoot = NormalizePathToken(displayRoot, workingDirectory);
-        if (comparisonRoot is null)
-            return null;
-
-        if (Directory.Exists(comparisonRoot))
-            comparisonRoot = PathUtility.Normalize(new DirectoryInfo(comparisonRoot).ResolveLinkTarget(returnFinalTarget: true)?.FullName ?? comparisonRoot);
-
-        if (CountPathSegments(comparisonRoot) < ShellTokenizer.MinDirectoryScopeDepth)
-            return null;
-
-        return new DirectoryApprovalRoot(EnsureTrailingSeparator(displayRoot), EnsureTrailingSeparator(comparisonRoot));
-    }
-
-    protected virtual string? ExtractDisplayDirectory(string path, string? workingDirectory)
-    {
-        string? candidate;
-        if (path.EndsWith('/') || path.EndsWith('\\'))
-        {
-            candidate = path.TrimEnd('/', '\\');
-        }
-        else
-        {
-            var globIdx = path.IndexOfAny(['*', '?', '[']);
-            if (globIdx >= 0)
-            {
-                var lastSep = GetLastShellSeparatorIndex(path, globIdx);
-                candidate = lastSep > 0 ? path[..lastSep] : null;
-            }
-            else
-            {
-                var normalizedCandidate = NormalizePathToken(path, workingDirectory);
-                if (normalizedCandidate is not null && Directory.Exists(normalizedCandidate))
-                    candidate = path;
-                else
-                    candidate = Path.GetDirectoryName(path);
-            }
-        }
-
-        return NormalizeDisplayDirectory(candidate, workingDirectory);
-    }
-
-    protected virtual string? NormalizeDisplayDirectory(string? candidate, string? workingDirectory)
-    {
-        if (string.IsNullOrWhiteSpace(candidate))
-            return null;
-
-        var trimmed = Path.TrimEndingDirectorySeparator(candidate);
-        if (IsRelativeDisplayPath(trimmed))
-            return trimmed;
-
-        return NormalizePathToken(trimmed, workingDirectory);
-    }
-
-    protected virtual bool IsRelativeDisplayPath(string path)
-    {
-        if (string.IsNullOrWhiteSpace(path))
-            return false;
-
-        if (path.StartsWith('~')
-            || path.StartsWith("$HOME", StringComparison.Ordinal)
-            || path.StartsWith("${HOME}", StringComparison.Ordinal)
-            || path.StartsWith("%USERPROFILE%", StringComparison.OrdinalIgnoreCase))
-        {
-            return false;
-        }
-
-        return !Path.IsPathRooted(path);
-    }
-
-    protected virtual string EnsureTrailingSeparator(string path)
-        => Path.EndsInDirectorySeparator(path) ? path : path + Path.DirectorySeparatorChar;
-
-    protected virtual int CountPathSegments(string normalizedPath)
-    {
-        var trimmed = normalizedPath.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
-        if (trimmed.Length == 0)
-            return 0;
-
-        var root = Path.GetPathRoot(trimmed);
-        if (root is not null && trimmed.Length > root.Length)
-            trimmed = trimmed[root.Length..];
-        else if (root is not null)
-            return 0;
-
-        return trimmed.Split(
-            [Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar],
-            StringSplitOptions.RemoveEmptyEntries).Length;
-    }
 
     private static void FlushSegment(StringBuilder current, List<string> segments)
     {
@@ -491,29 +414,6 @@ public override bool LooksLikePath(string token)
         return PathUtility.ExpandAndNormalize(expanded, workingDirectory);
     }
 
-    protected override string? ExtractDisplayDirectory(string path, string? workingDirectory)
-    {
-        if (string.IsNullOrWhiteSpace(path))
-            return null;
-
-        if (path.EndsWith('/') || path.EndsWith('\\'))
-            return path.TrimEnd('/', '\\');
-
-        var globIdx = path.IndexOfAny(['*', '?', '[']);
-        if (globIdx >= 0)
-        {
-            var lastSep = path.LastIndexOf('/', globIdx);
-            return lastSep > 0 ? path[..lastSep] : null;
-        }
-
-        var normalizedCandidate = NormalizePathToken(path, workingDirectory);
-        if (normalizedCandidate is not null && Directory.Exists(normalizedCandidate))
-            return path;
-
-        var lastSlash = path.LastIndexOf('/');
-        return lastSlash > 0 ? path[..lastSlash] : null;
-    }
-
     protected override bool IsShellSeparator(char ch) => ch == '/';
 
     protected override bool IsAnchoredPath(string token)
@@ -526,9 +426,6 @@ protected override bool IsAnchoredPath(string token)
             || token.StartsWith("${HOME}", StringComparison.Ordinal);
     }
 
-    protected override string EnsureTrailingSeparator(string path)
-        => PathUtility.EnsureTrailingSeparatorPreservingStyle(path);
-
     internal static bool IsPosixShellInvoker(string verb)
     {
         return verb is "bash" or "sh" or "/bin/bash" or "/bin/sh"
diff --git a/src/Netclaw.Security/ShellCommandPolicy.cs b/src/Netclaw.Security/ShellCommandPolicy.cs
index 7596d8d1..b991ca0f 100644
--- a/src/Netclaw.Security/ShellCommandPolicy.cs
+++ b/src/Netclaw.Security/ShellCommandPolicy.cs
@@ -27,20 +27,83 @@ public sealed class ShellCommandPolicy
     private readonly IReadOnlyList<RawStringPattern> _rawStringPatterns;
 
     public ShellCommandPolicy(IEnumerable<string>? additionalDenyPatterns = null)
+        : this(additionalDenyPatterns, overrideRules: null)
     {
-        var patterns = new List<DenyPattern>(DefaultDenyPatterns);
+    }
+
+    /// <summary>
+    /// Constructs the policy with both legacy string-based deny patterns
+    /// (kept for back-compat with <c>toolConfig.HardDenyPatterns</c>) and
+    /// structured operator override rules from <see cref="HardDenyRule"/>.
+    /// Both inputs are additive — shipped defaults
+    /// (<see cref="DefaultDenyPatterns"/>, <see cref="DefaultRawStringPatterns"/>)
+    /// are always present and cannot be removed via either input.
+    /// </summary>
+    public ShellCommandPolicy(
+        IEnumerable<string>? additionalDenyPatterns,
+        IEnumerable<HardDenyRule>? overrideRules)
+    {
+        var structured = new List<DenyPattern>(DefaultDenyPatterns);
+        var raw = new List<RawStringPattern>(DefaultRawStringPatterns);
+
         if (additionalDenyPatterns is not null)
         {
             foreach (var pattern in additionalDenyPatterns)
             {
                 var parsed = ParseDenyPattern(pattern);
                 if (parsed is not null)
-                    patterns.Add(parsed);
+                    structured.Add(parsed);
+            }
+        }
+
+        if (overrideRules is not null)
+        {
+            foreach (var rule in overrideRules)
+            {
+                rule.Validate();
+                TranslateRule(rule, structured, raw);
             }
         }
 
-        _denyPatterns = patterns;
-        _rawStringPatterns = DefaultRawStringPatterns;
+        _denyPatterns = structured;
+        _rawStringPatterns = raw;
+    }
+
+    private static void TranslateRule(
+        HardDenyRule rule,
+        List<DenyPattern> structured,
+        List<RawStringPattern> raw)
+    {
+        if (!string.IsNullOrWhiteSpace(rule.RawText))
+        {
+            raw.Add(new RawStringPattern(rule.RawText, rule.Reason, rule.Category));
+            return;
+        }
+
+        if (!string.IsNullOrWhiteSpace(rule.VerbPrefix))
+        {
+            structured.Add(new VerbPrefixDenyPattern(rule.VerbPrefix, rule.Reason, rule.Category));
+            return;
+        }
+
+        if (rule.Verb is { Count: > 0 })
+        {
+            // Refined verb-chain match: verb-chain prefix + optional argFlags +
+            // optional firstPath. Falls back to plain VerbChainDenyPattern when
+            // no refinements are present.
+            if (rule.ArgFlags is not { Count: > 0 } && rule.FirstPath is null)
+            {
+                structured.Add(new VerbChainDenyPattern(rule.Verb, rule.Reason, rule.Category));
+                return;
+            }
+
+            structured.Add(new RefinedVerbChainDenyPattern(
+                rule.Verb,
+                rule.ArgFlags,
+                rule.FirstPath,
+                rule.Reason,
+                rule.Category));
+        }
     }
 
     /// <summary>
@@ -298,4 +361,133 @@ private static bool IsDangerousRmTarget(string token)
         }
     }
 
+    /// <summary>
+    /// Verb-chain match with optional argFlags and firstPath refinements.
+    /// Used when an operator override rule combines a structured verb match
+    /// with additional constraints (e.g. "deny rm -rf when targeting root").
+    /// </summary>
+    internal sealed record RefinedVerbChainDenyPattern(
+        IReadOnlyList<string> VerbChain,
+        IReadOnlyList<string>? ArgFlags,
+        PathConstraint? FirstPath,
+        string Reason,
+        string Category) : DenyPattern(Reason, Category)
+    {
+        public override bool Matches(IReadOnlyList<string> tokens)
+        {
+            if (tokens.Count < VerbChain.Count)
+                return false;
+
+            for (var i = 0; i < VerbChain.Count; i++)
+            {
+                var tokenVerb = ShellTokenizer.TrimShellPunctuation(tokens[i]);
+                if (!string.Equals(tokenVerb, VerbChain[i], StringComparison.OrdinalIgnoreCase))
+                    return false;
+            }
+
+            if (ArgFlags is { Count: > 0 } && !AnyFlagPresent(tokens, ArgFlags))
+                return false;
+
+            if (FirstPath is not null && !FirstNonFlagMatchesConstraint(tokens, FirstPath))
+                return false;
+
+            return true;
+        }
+
+        private static bool AnyFlagPresent(IReadOnlyList<string> tokens, IReadOnlyList<string> requiredFlags)
+        {
+            // The flag is "present" if it appears as a standalone token OR if a
+            // short combined flag token contains all requested short flag chars
+            // (e.g. argFlag '-rf' matches token '-rfv').
+            foreach (var required in requiredFlags)
+            {
+                if (TokensContainFlag(tokens, required))
+                    return true;
+            }
+
+            return false;
+        }
+
+        private static bool TokensContainFlag(IReadOnlyList<string> tokens, string required)
+        {
+            for (var i = 0; i < tokens.Count; i++)
+            {
+                var token = tokens[i];
+                if (string.Equals(token, required, StringComparison.OrdinalIgnoreCase))
+                    return true;
+
+                // Combined short flags: '-rf' present if any combined token
+                // starts with '-' (single dash) and contains every short char.
+                if (required.Length >= 2 && required[0] == '-' && required[1] != '-'
+                    && token.Length >= 2 && token[0] == '-' && token[1] != '-')
+                {
+                    var requiredChars = required[1..];
+                    var tokenChars = token[1..];
+                    var allPresent = true;
+                    foreach (var c in requiredChars)
+                    {
+                        if (!tokenChars.Contains(c, StringComparison.Ordinal))
+                        {
+                            allPresent = false;
+                            break;
+                        }
+                    }
+
+                    if (allPresent)
+                        return true;
+                }
+            }
+
+            return false;
+        }
+
+        private static bool FirstNonFlagMatchesConstraint(
+            IReadOnlyList<string> tokens,
+            PathConstraint constraint)
+        {
+            if (constraint.OneOf is not { Count: > 0 })
+                return false;
+
+            // Skip over the verb chain tokens already consumed and the flag
+            // tokens; the first remaining positional argument is the
+            // candidate.
+            for (var i = 0; i < tokens.Count; i++)
+            {
+                var token = tokens[i];
+                if (token.StartsWith('-'))
+                    continue;
+
+                // Skip the verb tokens themselves — we don't want to treat the
+                // verb as the first non-flag arg.
+                // Heuristic: tokens containing '/' or '~' or '$' are paths;
+                // bare alphanumeric tokens early in the stream are likely the
+                // verb chain.
+                if (i == 0)
+                    continue;
+
+                var normalized = NormalizePathToken(token);
+                foreach (var candidate in constraint.OneOf)
+                {
+                    var normalizedCandidate = NormalizePathToken(candidate);
+                    if (string.Equals(normalized, normalizedCandidate, StringComparison.OrdinalIgnoreCase))
+                        return true;
+                }
+
+                // First non-flag positional arg checked; further args don't
+                // satisfy "first path" semantics.
+                return false;
+            }
+
+            return false;
+        }
+
+        private static string NormalizePathToken(string token)
+        {
+            var trimmed = token.TrimEnd('/', '\\');
+            if (trimmed is "~" or "$HOME" or "${HOME}")
+                return Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+            return trimmed;
+        }
+    }
+
 }
diff --git a/src/Netclaw.Security/ShellTokenizer.cs b/src/Netclaw.Security/ShellTokenizer.cs
index afd8387c..df81aa41 100644
--- a/src/Netclaw.Security/ShellTokenizer.cs
+++ b/src/Netclaw.Security/ShellTokenizer.cs
@@ -39,6 +39,19 @@ public static class ShellTokenizer
         "ls", "dir"
     };
 
+    /// <summary>
+    /// Verbs that are stdout-only side effects without redirects. The verb-
+    /// chain extractor caps at one token for these so <c>echo done</c>
+    /// resolves to verb <c>echo</c> (matching the side-effect skip list)
+    /// rather than the 2-token chain <c>echo done</c>. Mirrors the skip
+    /// list in <c>ApprovalPatternMatching.SideEffectOnlyVerbs</c>; keep
+    /// the two in sync — both are security-relevant defaults.
+    /// </summary>
+    internal static readonly HashSet<string> SingleTokenSideEffectVerbs = new(StringComparer.Ordinal)
+    {
+        "echo", "printf", ":", "true", "false"
+    };
+
     /// <summary>
     /// Tokenizes a shell command string, respecting single and double quotes.
     /// Strips quote delimiters from tokens.
@@ -84,22 +97,168 @@ public static IEnumerable<string> Tokenize(string command)
     /// Splits a compound command on <c>&&</c>, <c>||</c>, and <c>;</c>
     /// operators, returning each approval unit trimmed. Pipes remain inside the
     /// same unit so shell pipelines can be approved as one piece of directory
-    /// work.
+    /// work. Returns an empty list when the command is "messy" — i.e., contains
+    /// bash control-flow keywords (<c>for</c>/<c>while</c>/<c>do</c>/<c>done</c>/
+    /// <c>then</c>/<c>fi</c>/<c>case</c>/<c>esac</c>) or unbalanced
+    /// quotes/brackets — so the approval gate can offer only one-shot approval
+    /// without persisting fragmentary verb chains derived from control-flow
+    /// tokens. See <see cref="IsMessyCompoundCommand"/> for the predicate.
     /// </summary>
     public static IReadOnlyList<string> SplitCompoundCommand(string command)
-        => ShellApprovalSemantics.ForCommand(command).SplitCompoundCommand(command);
+    {
+        if (IsMessyCompoundCommand(command))
+            return [];
+        return ShellApprovalSemantics.ForCommand(command).SplitCompoundCommand(command);
+    }
+
+    private static readonly HashSet<string> BashControlFlowKeywords = new(StringComparer.Ordinal)
+    {
+        "for", "while", "do", "done", "then", "fi", "case", "esac"
+    };
+
+    /// <summary>
+    /// Returns true when <paramref name="command"/> contains bash control-flow
+    /// keywords as unquoted standalone words, or has unbalanced quotes,
+    /// parentheses, brackets, or braces. Used by the approval gate to refuse
+    /// persistent grants for commands that cannot be cleanly split into verb
+    /// chains the operator could later reason about.
+    ///
+    /// Cheap structural scan; not a bash parser. Heredocs, here-strings, and
+    /// command substitution are not analyzed semantically — only their
+    /// quote/bracket balance contributes.
+    /// </summary>
+    public static bool IsMessyCompoundCommand(string? command)
+    {
+        if (string.IsNullOrWhiteSpace(command))
+            return false;
+
+        char? quote = null;
+        var parens = 0;
+        var brackets = 0;
+        var braces = 0;
+        var word = new StringBuilder();
+
+        foreach (var ch in command)
+        {
+            // Quote handling: opens skip the bracket scan, closes resume it.
+            if (quote is null && (ch == '\'' || ch == '"'))
+            {
+                if (FlushWordAsKeyword(word)) return true;
+                quote = ch;
+                continue;
+            }
+
+            if (quote == ch)
+            {
+                quote = null;
+                continue;
+            }
+
+            if (quote is not null)
+                continue;
+
+            switch (ch)
+            {
+                case '(':
+                    parens++;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+                case ')':
+                    if (--parens < 0) return true;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+                case '[':
+                    brackets++;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+                case ']':
+                    if (--brackets < 0) return true;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+                case '{':
+                    braces++;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+                case '}':
+                    if (--braces < 0) return true;
+                    if (FlushWordAsKeyword(word)) return true;
+                    continue;
+            }
+
+            if (char.IsWhiteSpace(ch) || ch is ';' or '|' or '&')
+            {
+                if (FlushWordAsKeyword(word)) return true;
+                continue;
+            }
+
+            word.Append(ch);
+        }
+
+        if (FlushWordAsKeyword(word)) return true;
+
+        return quote is not null || parens != 0 || brackets != 0 || braces != 0;
+    }
+
+    private static bool FlushWordAsKeyword(StringBuilder word)
+    {
+        if (word.Length == 0)
+            return false;
+
+        var match = BashControlFlowKeywords.Contains(word.ToString());
+        word.Clear();
+        return match;
+    }
 
     /// <summary>
     /// Extracts the verb chain (command name + subcommands) from a tokenized
     /// command. Stops at the first token that looks like a flag (starts with -)
     /// or an argument (path, URL, etc.), and caps at <paramref name="maxDepth"/>
     /// tokens (default: 2) to avoid capturing positional arguments as subcommands.
-    /// For path-aware verbs (cat, grep, bash, etc.), appends the first non-flag
-    /// argument so the approval pattern captures what the command operates on.
+    /// The verb chain SHALL NOT include any path-like tokens — paths are
+    /// extracted separately via <see cref="ExtractFirstPathArgument"/> and
+    /// become the candidate's effective directory in the approval matcher.
     /// </summary>
     public static string ExtractVerbChain(string command, int maxDepth = 2)
         => ShellApprovalSemantics.ForCommand(command).ExtractVerbChain(command, maxDepth);
 
+    /// <summary>
+    /// Returns the first path-like positional argument from a single shell
+    /// clause, or null when no path token is present. Used by the approval
+    /// gate to determine the candidate's effective directory: when present,
+    /// it overrides the resolved cwd; when absent, the matcher falls back
+    /// to cwd.
+    /// </summary>
+    /// <remarks>
+    /// File-targeting commands (e.g. <c>cat ~/.bashrc</c>) return the parent
+    /// directory of the extracted path so persisted approvals scope to a
+    /// folder rather than a single file. This is a deterministic string
+    /// operation — no filesystem syscall is performed at extract time.
+    /// </remarks>
+    public static string? ExtractFirstPathArgument(string command)
+        => ShellApprovalSemantics.ForCommand(command).ExtractFirstPathArgument(command);
+
+    /// <summary>
+    /// Conservative path-token classifier. Returns true when the token
+    /// starts with <c>/</c>, <c>~/</c>, <c>./</c>, <c>../</c>, or is exactly
+    /// <c>~</c>, <c>.</c>, or <c>..</c>. Tokens that merely contain a slash
+    /// internally (URLs, regexes, docker tags, git refs) are NOT classified
+    /// as paths — false positives here would silently expand or contract
+    /// the approval gate's trust scope.
+    /// </summary>
+    public static bool IsPathToken(string token)
+    {
+        if (string.IsNullOrEmpty(token))
+            return false;
+
+        if (token == "~" || token == "." || token == "..")
+            return true;
+
+        return token.StartsWith('/')
+            || token.StartsWith("~/", StringComparison.Ordinal)
+            || token.StartsWith("./", StringComparison.Ordinal)
+            || token.StartsWith("../", StringComparison.Ordinal);
+    }
+
     /// <summary>
     /// Produces an exact shell approval unit string with recognizable local paths
     /// normalized against the working directory. Non-path tokens remain in order.
@@ -107,13 +266,6 @@ public static string ExtractVerbChain(string command, int maxDepth = 2)
     public static string NormalizeApprovalUnit(string command, string? workingDirectory = null)
         => ShellApprovalSemantics.ForCommand(command).NormalizeApprovalUnit(command, workingDirectory);
 
-    /// <summary>
-    /// Extracts reusable directory approval roots from a shell approval unit.
-    /// Returns an empty list when no reusable roots can be extracted.
-    /// </summary>
-    public static IReadOnlyList<DirectoryApprovalRoot> ExtractDirectoryRoots(string command, string? workingDirectory = null)
-        => ShellApprovalSemantics.ForCommand(command).ExtractDirectoryRoots(command, workingDirectory);
-
     /// <summary>
     /// Normalizes a path token using the active shell family's path semantics.
     /// Returns null when the token cannot be normalized as a local path.
@@ -163,8 +315,6 @@ public static IReadOnlyList<string> GetAllCommandSegments(string command)
     public static bool LooksLikePath(string token)
         => ShellApprovalSemantics.ForCommand(token).LooksLikePath(token);
 
-    internal const int MinDirectoryScopeDepth = 2;
-
     /// <summary>
     /// Returns true when the pattern is a single-token shell approval for a
     /// path-aware verb such as <c>cat</c> or <c>bash</c>.
diff --git a/src/Netclaw.Security/TrustState.cs b/src/Netclaw.Security/TrustState.cs
new file mode 100644
index 00000000..cc75c77c
--- /dev/null
+++ b/src/Netclaw.Security/TrustState.cs
@@ -0,0 +1,262 @@
+// -----------------------------------------------------------------------
+// <copyright file="TrustState.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+using ShellSyntaxTree;
+
+namespace Netclaw.Security;
+
+/// <summary>
+/// Composed trust state for one audience evaluating one tool call. Snapshots
+/// every input the gate evaluator needs: the audience-baseline zones from
+/// <c>netclaw.json</c>, the persisted zones and verb patterns from the
+/// <c>AudienceTrustStore</c>, the in-memory session-scope zones and verb
+/// patterns from <c>LlmSessionActor</c>, the immutable session directory,
+/// and the shipped read-only verb list.
+/// </summary>
+/// <remarks>
+/// Construct once per gate evaluation. Normalization (tilde expansion,
+/// trailing-slash strip) happens at construction time so the matcher does
+/// no per-call resolution beyond the path comparisons themselves.
+///
+/// Zone matching is path-prefix recursive with directory-boundary safety:
+/// zone <c>~/repos</c> matches <c>~/repos/foo/bar</c> but not
+/// <c>~/repossecret</c>. Verb-pattern matching is verb-chain
+/// exact-equality + arg-glob suffix per the locked design — the verb
+/// chain comes from the parser's greedy verb-like extraction, so
+/// pattern <c>git push origin main *</c> matches verb chain
+/// <c>git push origin main</c> but not <c>git pull origin main</c> or
+/// <c>git push</c> alone.
+/// </remarks>
+public sealed class TrustState
+{
+    private readonly IReadOnlyList<string> _normalizedZones;
+    private readonly IReadOnlyList<string> _allVerbPatterns;
+    private readonly SafeVerbList _readOnlyVerbs;
+    private readonly bool _trustsAllPaths;
+
+    public TrustState(
+        IEnumerable<string> baselineZones,
+        IEnumerable<string> persistedZones,
+        IEnumerable<string> sessionZones,
+        string sessionDirectory,
+        IEnumerable<string> persistedVerbPatterns,
+        IEnumerable<string> sessionVerbPatterns,
+        SafeVerbList readOnlyVerbs,
+        string? homeDirectory = null,
+        bool trustsAllPaths = false)
+    {
+        _trustsAllPaths = trustsAllPaths;
+        var home = homeDirectory ?? Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+
+        // Compose all four zone sources, normalize each, dedupe. Order
+        // doesn't matter for matching — we OR across all zones.
+        var zones = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        foreach (var zone in baselineZones.Concat(persistedZones).Concat(sessionZones))
+        {
+            var normalized = NormalizeZone(zone, home);
+            if (!string.IsNullOrEmpty(normalized))
+                zones.Add(normalized);
+        }
+
+        // session_dir is always trusted, even when it's empty/whitespace
+        // we still avoid adding a degenerate empty zone.
+        var normalizedSessionDir = NormalizeZone(sessionDirectory, home);
+        if (!string.IsNullOrEmpty(normalizedSessionDir))
+            zones.Add(normalizedSessionDir);
+
+        _normalizedZones = zones.ToArray();
+
+        // Verb patterns: persisted + session, deduped. No normalization
+        // beyond trim — pattern format is locked at AudienceTrustStore
+        // write time (verb-chain prefix + arg-glob suffix).
+        var patterns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        foreach (var pattern in persistedVerbPatterns.Concat(sessionVerbPatterns))
+        {
+            var trimmed = pattern?.Trim();
+            if (!string.IsNullOrEmpty(trimmed))
+                patterns.Add(trimmed);
+        }
+
+        _allVerbPatterns = patterns.ToArray();
+        _readOnlyVerbs = readOnlyVerbs ?? throw new ArgumentNullException(nameof(readOnlyVerbs));
+    }
+
+    /// <summary>
+    /// True when the resolved absolute path lies inside any trusted zone in
+    /// the composed state. Path-prefix recursive matching with
+    /// directory-boundary safety.
+    /// </summary>
+    public bool IsPathInTrustedZone(string resolvedPath)
+    {
+        if (string.IsNullOrWhiteSpace(resolvedPath))
+            return false;
+
+        // Mode=All on the audience's filesystem profile maps to "trust any
+        // path" for the zone gate. The operator declared this audience as
+        // unrestricted at the trust-profile layer; the verb-pattern gate
+        // still applies, so mutating verbs without a pattern match still
+        // prompt regardless. Geography is the only thing waived here.
+        if (_trustsAllPaths)
+            return true;
+
+        foreach (var zone in _normalizedZones)
+        {
+            if (IsSamePathOrChild(resolvedPath, zone))
+                return true;
+        }
+
+        return false;
+    }
+
+    /// <summary>
+    /// True when the verb chain (case-rules per platform) is on the shipped
+    /// read-only safe-verbs list. The list is immutable at runtime and
+    /// loaded from the embedded resource — see
+    /// <see cref="SafeVerbLoader"/>.
+    /// </summary>
+    public bool IsReadOnlyVerb(VerbChain verbChain)
+    {
+        if (verbChain.Tokens.Count == 0)
+            return false;
+
+        // Try the longest verb-chain join first (e.g. "git status" must hit
+        // the list before "git" would, but the safe-verbs list contains
+        // multi-token entries verbatim so equality covers both cases).
+        return _readOnlyVerbs.Contains(verbChain.Joined);
+    }
+
+    /// <summary>
+    /// True when the parsed clause matches any verb pattern in the composed
+    /// state. Pattern format: verb-chain prefix + trailing arg-glob suffix
+    /// (e.g. <c>git push *</c>). Matching is case-insensitive on the verb
+    /// chain.
+    /// </summary>
+    public bool MatchesVerbPattern(VerbChain verbChain, IReadOnlyList<Arg> args)
+    {
+        if (verbChain.Tokens.Count == 0)
+            return false;
+
+        var verbJoined = verbChain.Joined;
+        var argTokens = args.Where(a => !a.IsCwdAttribution)
+            .Select(a => a.Raw)
+            .ToList();
+
+        foreach (var pattern in _allVerbPatterns)
+        {
+            if (MatchesPatternInternal(pattern, verbJoined, argTokens))
+                return true;
+        }
+
+        return false;
+    }
+
+    /// <summary>The composed set of normalized trusted zone globs.</summary>
+    public IReadOnlyCollection<string> AllTrustedZones => _normalizedZones;
+
+    /// <summary>The composed set of verb-pattern globs.</summary>
+    public IReadOnlyCollection<string> AllVerbPatterns => _allVerbPatterns;
+
+    private static bool MatchesPatternInternal(string pattern, string verbJoined, IReadOnlyList<string> argTokens)
+    {
+        // Split pattern into [verb-chain-prefix, arg-glob-suffix].
+        // AudienceTrustStore.NormalizeVerbPattern guarantees a trailing
+        // arg-glob token; we still defend against malformed patterns by
+        // matching only when the split succeeds.
+        var lastSpace = pattern.LastIndexOf(' ');
+        if (lastSpace <= 0)
+            return false;
+
+        var patternVerb = pattern[..lastSpace].Trim();
+        var argGlob = pattern[(lastSpace + 1)..].Trim();
+
+        // Verb chain must match exactly (case-insensitive).
+        if (!string.Equals(patternVerb, verbJoined, StringComparison.OrdinalIgnoreCase))
+            return false;
+
+        // Arg glob: '*' matches any args; specific path globs (e.g. /tmp/*)
+        // require at least one matching arg token. v0.1 supports only '*'
+        // as the universal glob and exact-prefix path globs. Anything more
+        // expressive is deferred — operators wanting precision can use the
+        // narrower CLI form `verb specific-arg *`.
+        if (argGlob == "*")
+            return true;
+
+        // Path-prefix glob (e.g. `/tmp/*`): any arg whose resolved path
+        // starts with the prefix matches.
+        if (argGlob.EndsWith("/*", StringComparison.Ordinal))
+        {
+            var prefix = argGlob[..^2];
+            foreach (var token in argTokens)
+            {
+                if (token.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
+                    return true;
+            }
+            return false;
+        }
+
+        // Literal arg match.
+        foreach (var token in argTokens)
+        {
+            if (string.Equals(token, argGlob, StringComparison.OrdinalIgnoreCase))
+                return true;
+        }
+
+        return false;
+    }
+
+    private static string NormalizeZone(string? raw, string homeDirectory)
+    {
+        if (string.IsNullOrWhiteSpace(raw))
+            return string.Empty;
+
+        var trimmed = raw.Trim();
+
+        // Strip trailing `/*` — the `*` is implicit and recursive per the
+        // locked design, not a literal glob.
+        if (trimmed.EndsWith("/*", StringComparison.Ordinal)
+            || trimmed.EndsWith("\\*", StringComparison.Ordinal))
+        {
+            trimmed = trimmed[..^2];
+        }
+
+        // Strip trailing slashes so /etc/nginx and /etc/nginx/ compare
+        // equal.
+        while (trimmed.Length > 1 && (trimmed[^1] == '/' || trimmed[^1] == '\\'))
+            trimmed = trimmed[..^1];
+
+        // Expand `~` to the daemon-process user's home (or the explicit
+        // override). `$HOME` is also accepted as a literal prefix for
+        // forward-compat with future tilde-equivalents.
+        if (trimmed == "~")
+        {
+            return homeDirectory;
+        }
+
+        if (trimmed.StartsWith("~/", StringComparison.Ordinal))
+        {
+            return Path.Combine(homeDirectory, trimmed[2..]);
+        }
+
+        if (trimmed.StartsWith("$HOME/", StringComparison.Ordinal))
+        {
+            return Path.Combine(homeDirectory, trimmed[6..]);
+        }
+
+        return trimmed;
+    }
+
+    private static bool IsSamePathOrChild(string candidate, string zone)
+    {
+        if (!candidate.StartsWith(zone, StringComparison.OrdinalIgnoreCase))
+            return false;
+
+        if (candidate.Length == zone.Length)
+            return true;
+
+        var boundary = candidate[zone.Length];
+        return boundary == '/' || boundary == '\\';
+    }
+}
diff --git a/src/Netclaw.Security/TrustStateComposer.cs b/src/Netclaw.Security/TrustStateComposer.cs
new file mode 100644
index 00000000..f5b87572
--- /dev/null
+++ b/src/Netclaw.Security/TrustStateComposer.cs
@@ -0,0 +1,97 @@
+// -----------------------------------------------------------------------
+// <copyright file="TrustStateComposer.cs" company="Petabridge, LLC">
+//      Copyright (C) 2026 - 2026 Petabridge, LLC <https://petabridge.com>
+// </copyright>
+// -----------------------------------------------------------------------
+using Netclaw.Configuration;
+
+namespace Netclaw.Security;
+
+/// <summary>
+/// Composes a <see cref="TrustState"/> for one gate evaluation from the four
+/// trust sources: audience baseline (from <c>netclaw.json</c> trust
+/// profiles), persisted store (<see cref="AudienceTrustStore"/>), in-memory
+/// session-scope grants (from <c>LlmSessionActor</c>), and the immutable
+/// session directory.
+/// </summary>
+/// <remarks>
+/// Pure function — no internal mutable state. The audience profiles and
+/// AudienceTrustStore singletons are captured at construction; per-call
+/// session inputs (session_dir + session-scope grants) flow through
+/// <see cref="Compose"/>.
+///
+/// Audience baseline trusted zones derive from the audience profile's
+/// <see cref="ToolFilesystemAccessProfile.Roots"/> on <c>ReadFiles</c>, and
+/// <see cref="ToolFilesystemAccessProfile.Mode"/> drives whether the zone
+/// gate trusts arbitrary paths (<c>Mode=All</c> → trust everything;
+/// <c>Mode=Roots</c> → trust only the listed roots; <c>Mode=None</c> →
+/// trust nothing beyond session-scope grants and the session directory).
+/// The composer does not consult <c>WriteFiles.Roots</c> separately — the
+/// zone gate treats all path operands uniformly (read or write distinction
+/// is the verb gate's concern). Operators wanting per-write restrictions
+/// configure that via the hard-deny rule set or specific verb patterns,
+/// not via the zone composer.
+/// </remarks>
+public sealed class TrustStateComposer
+{
+    private readonly ToolAudienceProfiles _profiles;
+    private readonly AudienceTrustStore _store;
+    private readonly SafeVerbList _safeVerbs;
+    private readonly string? _homeDirectoryOverride;
+
+    public TrustStateComposer(
+        ToolAudienceProfiles profiles,
+        AudienceTrustStore store,
+        SafeVerbList safeVerbs,
+        string? homeDirectoryOverride = null)
+    {
+        _profiles = profiles ?? throw new ArgumentNullException(nameof(profiles));
+        _store = store ?? throw new ArgumentNullException(nameof(store));
+        _safeVerbs = safeVerbs ?? throw new ArgumentNullException(nameof(safeVerbs));
+        _homeDirectoryOverride = homeDirectoryOverride;
+    }
+
+    /// <summary>
+    /// Builds a <see cref="TrustState"/> for the audience evaluating one
+    /// shell call. Session-scope inputs come from the <c>LlmSessionActor</c>
+    /// at call time; the rest snapshot from the captured config and store
+    /// state.
+    /// </summary>
+    public TrustState Compose(
+        TrustAudience audience,
+        string sessionDirectory,
+        IEnumerable<string>? sessionTrustedZones = null,
+        IEnumerable<string>? sessionVerbPatterns = null)
+    {
+        var profile = ResolveProfile(audience);
+        var baselineZones = profile.ReadFiles.Roots;
+
+        // Mode=All on the audience's read-files profile is the operator
+        // declaring "trust the whole filesystem for this audience" — Roots
+        // is meaningless in that mode, so without this flag the composer
+        // would hand TrustState an empty zone set and the gate would prompt
+        // on every path operand. Mode=Roots and Mode=None still rely on
+        // the explicit Roots list (None typically empty).
+        var trustsAllPaths = profile.ReadFiles.Mode == ToolFilesystemMode.All;
+
+        return new TrustState(
+            baselineZones: baselineZones,
+            persistedZones: _store.GetTrustedZones(audience),
+            sessionZones: sessionTrustedZones ?? [],
+            sessionDirectory: sessionDirectory,
+            persistedVerbPatterns: _store.GetVerbPatterns(audience),
+            sessionVerbPatterns: sessionVerbPatterns ?? [],
+            readOnlyVerbs: _safeVerbs,
+            homeDirectory: _homeDirectoryOverride,
+            trustsAllPaths: trustsAllPaths);
+    }
+
+    private ToolAudienceProfile ResolveProfile(TrustAudience audience)
+        => audience switch
+        {
+            TrustAudience.Personal => _profiles.Personal,
+            TrustAudience.Team => _profiles.Team,
+            TrustAudience.Public => _profiles.Public,
+            _ => throw new ArgumentOutOfRangeException(nameof(audience), audience, "Unknown trust audience.")
+        };
+}
diff --git a/src/Netclaw.Tools.Abstractions/IParentApprovalBridge.cs b/src/Netclaw.Tools.Abstractions/IParentApprovalBridge.cs
index a59e16da..9f6ff556 100644
--- a/src/Netclaw.Tools.Abstractions/IParentApprovalBridge.cs
+++ b/src/Netclaw.Tools.Abstractions/IParentApprovalBridge.cs
@@ -14,6 +14,7 @@ public enum ParentApprovalDecision
     ApprovedOnce,
     ApprovedSession,
     ApprovedAlways,
+    ApprovedEverywhere,
     Denied,
     TimedOut
 }
@@ -28,17 +29,17 @@ public interface IParentApprovalBridge
     /// <summary>
     /// Emits an approval request to the parent session and waits for the user's decision.
     /// <paramref name="patterns"/> are the exact blocked units shown in the
-    /// prompt and reused for approve-once retries. <paramref name="approvalEntries"/>
-    /// are the broader entries the parent session should record for B/C
-    /// decisions, and <paramref name="directoryRoots"/> are the human-facing
-    /// roots used to explain those broader approvals in the prompt.
+    /// prompt and reused for approve-once retries. <paramref name="candidateVerbs"/>
+    /// are the verb chains the parent session records for broader-scope
+    /// approvals, evaluated against persisted <c>ApprovalEntry</c> records
+    /// using the candidate's cwd.
     /// </summary>
     Task<ParentApprovalDecision> RequestApprovalAsync(
         ToolCallId callId,
         string toolName,
         string displayText,
         IReadOnlyList<string> patterns,
-        IReadOnlyList<string> approvalEntries,
-        IReadOnlyList<string> directoryRoots,
+        IReadOnlyList<string> candidateVerbs,
+        bool isMessy,
         CancellationToken ct);
 }
diff --git a/src/Netclaw.Tools.Abstractions/ToolExecutionContext.cs b/src/Netclaw.Tools.Abstractions/ToolExecutionContext.cs
index c941321e..a9a02d6a 100644
--- a/src/Netclaw.Tools.Abstractions/ToolExecutionContext.cs
+++ b/src/Netclaw.Tools.Abstractions/ToolExecutionContext.cs
@@ -128,6 +128,56 @@ public IReadOnlySet<string> OneTimeApprovedPatterns
     /// </summary>
     public string? SessionDirectory { get; }
 
+    /// <summary>
+    /// Resolved absolute working directory for the in-flight tool call. Set
+    /// by the session pipeline from the candidate tool arguments,
+    /// <c>WorkingContext.ProjectDirectory</c>, or <see cref="SessionDirectory"/>
+    /// — whichever resolves first. The approval gate uses this as the directory
+    /// half of the candidate <c>(verb, directory)</c> pair when evaluating
+    /// folder-scoped <see cref="Netclaw.Configuration.ApprovalEntry"/> records.
+    /// Null when the tool call is not directory-anchored (e.g. an in-process
+    /// tool like <c>store_memory</c>).
+    /// </summary>
+    public string? Cwd { get; set; }
+
+    /// <summary>
+    /// Absolute path to the project directory the agent is currently working
+    /// on, mirroring <c>WorkingContext.ProjectDirectory</c> from the session
+    /// state. Set by the session pipeline at context-build time so tools and
+    /// the approval gate can resolve a cwd without a round-trip through the
+    /// session actor. Null when no project root has been declared via
+    /// <c>set_working_directory</c>.
+    /// </summary>
+    public string? ProjectDirectory { get; set; }
+
+    /// <summary>
+    /// Resolves the working directory for a shell-style invocation. Returns
+    /// the first non-empty value of:
+    /// <list type="number">
+    /// <item><paramref name="explicitArg"/> — the tool call's
+    /// <c>WorkingDirectory</c> argument when the agent provided one;</item>
+    /// <item><see cref="ProjectDirectory"/> — the session's declared project
+    /// root, populated from <c>WorkingContext.ProjectDirectory</c>;</item>
+    /// <item><see cref="SessionDirectory"/> — the per-session scratch
+    /// directory under <c>~/.netclaw/sessions/&lt;id&gt;/</c>.</item>
+    /// </list>
+    /// Returns <c>null</c> only when none of the three is available, which is
+    /// the contract for tools that are not directory-anchored. Shell tools
+    /// SHALL never inherit the daemon process's cwd — that defeats the
+    /// approval policy's safe-space invariant because the daemon's cwd is
+    /// unrelated to what the agent is "working on."
+    /// </summary>
+    public string? ResolveShellCwd(string? explicitArg)
+    {
+        if (!string.IsNullOrWhiteSpace(explicitArg))
+            return explicitArg;
+        if (!string.IsNullOrWhiteSpace(ProjectDirectory))
+            return ProjectDirectory;
+        if (!string.IsNullOrWhiteSpace(SessionDirectory))
+            return SessionDirectory;
+        return null;
+    }
+
     /// <summary>
     /// File attachments registered by tools during execution.
     /// </summary>