## Summary
Fixes an issue where GPUI's handling of `WM_NCLBUTTONDOWN` prevented
Windows from processing default titlebar interactions (dragging, caption
buttons, and border resize).

## Changes
- Allow OS to handle `WM_NCLBUTTONDOWN` events for `HTCAPTION`, caption
button areas, and resize border areas (`HTLEFT`, `HTRIGHT`, `HTTOP`,
`HTBOTTOM`, `HTTOPLEFT`, `HTTOPRIGHT`, `HTBOTTOMLEFT`, `HTBOTTOMRIGHT`)
- Use current cursor position in `WM_NCHITTEST` for accurate hit-testing

## Testing
- Manual testing on Windows: titlebar dragging works
- Manual testing on Windows: minimize/maximize/close buttons work
- Manual testing on Windows: window border resize works in all
directions

Release Notes:
- N/A

Closes https://github.com/zed-industries/zed/issues/48049

Release Notes:

- Fixed init agent UI globals in visual test runner

Signed-off-by: Xiaobo Liu <cppcoffee@gmail.com>

Clean up code by pulling the project off the editor directly.

Repeat of https://github.com/zed-industries/zed/pull/48762 since
reversion happened in https://github.com/zed-industries/zed/pull/48776.

Release Notes:

- N/A

Clean up code by pulling the project off the editor directly.

Repeat of https://github.com/zed-industries/zed/pull/48762 since
reversion happened in https://github.com/zed-industries/zed/pull/48776.

Release Notes:

- N/A

Restore a call to `BlockMap::read` that went missing in #48747 

Release Notes:

- N/A

Closes #47489

The search worker pool was sized as `num_cpus - 1`, which spawned zero
workers when a devcontainer exposed only 1 CPU. All search channels
closed immediately and the search yielded zero results, while file
finder and LSP symbols worked fine.

The fix ensures at least 1 worker is always spawned: `(num_cpus -
1).max(1)`. A `num_cpus` override on `TestDispatcher` and a new test
reproduce the bug with `server_cx.executor().set_num_cpus(1)`.

## Manual testing

Add a `.devcontainer/` directory to a new project with these files:

```
// docker-compose.yml
services:
  dev:
    image: debian:bookworm-slim
    cpuset: "0"
    volumes:
      - ..:/workspace:cached
    command: sleep infinity
```

```
// devcontainer.json
{
  "name": "zed-sandbox (1 CPU)",
  "dockerComposeFile": "docker-compose.yml",
  "service": "dev",
  "workspaceFolder": "/workspace"
}
```

Build zed and point it at the new project:

```
cargo run -p zed -- ~/Repos/zed-sandbox-project
```

Open the built-in terminal, confirm `nproc` prints `1`.

Finally, run a project search (`Cmd+Shift+F`) and search for contents
that exist in it.

Results should appear 🎉 

Release Notes:

- Fixed project search returning no results in devcontainers with a
single visible CPU.

Ensure that `git_ui::stash_picker::StashList.handle_show_toast` emits a
`DismissEvent` so that, when the user confirms they wish to view a stash
entry, the modal is actually dismissed and does not block the user's
view.

Release Notes:

- Fixed issue where viewing a stash entry would not dismiss the modal

Benchmark results on 3,000 captured requests:

| Scenario          | Mean   | Savings | p95    | Savings |
|:------------------|-------:|--------:|-------:|--------:|
| Uncompressed      | 12,275 |       — | 35,896 |       — |
| zstd (no dict)    |  2,784 |  77.3%  |  7,193 |  80.0%  |
| zstd + global dict|  2,544 |  79.3%  |  6,862 |  80.9%  |
| brotli (no dict)  |  2,650 |  78.4%  |  6,857 |  80.9%  |

A trained zstd dictionary adds only 2% over plain zstd, which is not
worth added complexity.

Brotli compresses comparably but is 4 times slower.

Release Notes:

- N/A

Closes ZED-4X5

Release Notes:

- N/A *or* Added/Fixed/Improved ...

Preparing this just in case.

Release Notes:

- N/A

Closes #45550  

This fix, adds a new field to `EditState` to track and temporarily
unfold the given directory when creating files or directories in
collapsed paths.

Release Notes:

- Fixed the file and folder creation input appearing in the wrong
location when creating inside a collapsed folder path..

Recording:


https://github.com/user-attachments/assets/15e48863-26b9-4dc9-888a-b31fb3208d98

---------

Co-authored-by: Smit Barmase <heysmitbarmase@gmail.com>

With #47768, all image pills automatically got snapped to the end of the
prompt message. This behavior is unexpected as other pills (`@symbol`,
`@thread` et al) respect the cursor position.

Closes #48731.

- [ ] Tests or screenshots needed?
- [x] Code Reviewed
- [x] Manual QA

Release Notes:

- Insert images at cursor position in the Agent Panel

When saving after a streaming edit, check if format-on-save is enabled
for the buffer's language and run formatting before saving.

(No release notes because we aren't using the streaming edit tool yet.)

Release Notes:

- N/A

Move shell command parsing logic (`extract_commands` and supporting
code) from the agent crate into a new `shell_command_parser` crate so it
can be reused by `agent_servers` for ACP permission checking.

Release Notes:

- N/A

This PR adds some design refinements to the thinking effort selector (to
be generally rolled out soon):
- Improved split button UI styles and consistency with other dropdowns
in the message editor
- Stopped rendering the effort selector if thinking is turned off
- Added a keybinding to trigger the effort menu
- Added a keybinding to cycle through effort options

<img width="500" height="380" alt="Screenshot 2026-02-09 at 10  18@2x"
src="https://github.com/user-attachments/assets/48d5b65c-7256-4ceb-aab2-35869f8fbf4a"
/>

---

- [x] Code Reviewed
- [x] Manual QA

Release Notes:

- N/A

## Summary

When the v0.8.0 extension API was forked in #44025, the five DAP
dispatcher methods in `wit.rs` were not updated to handle
`Extension::V0_8_0`. Because `V0_8_0` is listed before `V0_6_0` in the
enum, the wildcard `_ =>` catch-all fires first, causing all DAP calls
to bail with `"not available prior to v0.6.0"` for any extension
targeting the v0.8.0 API.

The DAP WIT interface is identical between v0.6.0 and v0.8.0, so the
handler code is the same — this just adds the missing match arms for:

- `call_get_dap_binary`
- `call_dap_request_kind`
- `call_dap_config_to_scenario`
- `call_dap_locator_create_scenario`
- `call_run_dap_locator`

This follows the same pattern used by every other method in the
`Extension` impl block, which already handles both `V0_8_0` and
`V0_6_0`.

## Test plan

- Verified that an extension targeting `zed_extension_api` v0.8.0 with
DAP support can successfully start a debug session (previously failed
with `"dap_request_kind not available prior to v0.6.0"`)

Release Notes:

- Fixed DAP (Debug Adapter Protocol) methods failing for extensions
targeting the v0.8.0 extension API.

Follow-up to
https://github.com/zed-industries/zed/pull/48525/changes#diff-315ed179e69e42c0a098166a7faa7899838376c2649c84fa8cb66643f3813a45
which changed this

Release Notes:

- N/A

Release Notes:

- N/A

---------

Co-authored-by: MrSubidubi <finn@zed.dev>

Another follow-up to the multi workspace PR

- [X] Code Reviewed
- [X] Manual QA

Release Notes:

- N/A

- [X] Code Reviewed
- [X] Manual QA

Release Notes:

- N/A

The multi workspace refactor **completely** broke the Vim mode, saving
is not possible, and various other actions. This PR fixes this

- [X] Code Reviewed
- [X] Manual QA

Release Notes:

- N/A

Release Notes:

- Added Claude Opus 4.6 and 4.6 Thinking with Cross region inference for
US, EU, and Global endpoints.

---------

Co-authored-by: Ona <no-reply@ona.com>

The new multi workspace introduced in #47795 changed the window root
from `Workspace` to `MultiWorkspace`, which broke
`Workspace::for_window()` (assuming that was meant to). That returns
`None` now. The REPL action registration in `repl_sessions_ui.rs` used
this to check if the project was local, so when it got None, it silently
skipped registering `repl::Run` and `repl::RunInPlace` on every editor.

Luckily we can just get the project directly from the editor in order to
register actions.

Release Notes:

- N/A

Added note about suffixing theme IDs with '-theme' for clarity.

As discussed in
https://github.com/zed-industries/extensions/pull/4693#pullrequestreview-3751636461

- [ ] ~Tests or screenshots needed?~
- [x] Code Reviewed
- [ ] ~Manual QA~

Release Notes:

- Clarified theme ID suffixing in extension docs

---------

Co-authored-by: Finn Evers <finn.evers@outlook.de>

It's happeningggggg

Release Notes:

- Changed the Agent Panel so that the Active Thread is restored on
restart.

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
Co-authored-by: Danilo Leal <67129314+danilo-leal@users.noreply.github.com>
Co-authored-by: Richard Feldman <richard@zed.dev>
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>

- Ensure that both sides are passed the appropriate companion data to
preserve spacers when syncing
- Remove companion handling in codepaths related to range folding, since
this isn't supported in the side-by-side diff
- Move handling of buffer folding into the block map
- Rework `set_companion` to handle both `DisplayMap`s at once
- DRY some code around block map syncing in the `DisplayMap`

TODO:

- [x] diagnose and fix issue that causes balancing blocks not to render
properly when they are adjacent to spacers (e.g. merge conflict buttons)
- [x] clear balancing blocks when clearing companion
- [x] additional tests: interaction between spacers and balancing
blocks, resizing

Release Notes:

- N/A

Closes #42888

Release Notes:

- Fixed disabled MCP servers disappearing from UI after restart

---------

Co-authored-by: MrSubidubi <finn@zed.dev>

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [git2](https://redirect.github.com/rust-lang/git2-rs) |
workspace.dependencies | patch | `0.20.2` → `0.20.4` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[GHSA-j39j-6gw9-jw6h](https://redirect.github.com/rust-lang/git2-rs/issues/1211)

If the Buf struct is dereferenced immediately after calling new() or
default() on the Buf struct, a null pointer is passed to the unsafe
function slice::from_raw_parts. According to the safety section
documentation of the function, data must be non-null and aligned even
for zero-length slices or slices of ZSTs. Thus, passing a null pointer
will lead to undefined behavior.

---

### Release Notes

<details>
<summary>rust-lang/git2-rs (git2)</summary>

###
[`v0.20.4`](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.3...git2-0.20.4)

[Compare
Source](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.3...git2-0.20.4)

###
[`v0.20.3`](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.2...git2-0.20.3)

[Compare
Source](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.2...git2-0.20.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

Release Notes:

- N/A

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [time](https://time-rs.github.io)
([source](https://redirect.github.com/time-rs/time)) |
workspace.dependencies | patch | `0.3.44` → `0.3.47` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2026-25727](https://redirect.github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc)

### Impact

When user-provided input is provided to any type that parses with the
RFC 2822 format, a Denial of Service attack via stack exhaustion is
possible. The attack relies on formally deprecated and rarely-used
features that are part of the RFC 2822 format used in a malicious
manner. Ordinary, non-malicious input will never encounter this
scenario.

### Patches

A limit to the depth of recursion was added in v0.3.47. From this
version, an error will be returned rather than exhausting the stack.

### Workarounds

Limiting the length of user input is the simplest way to avoid stack
exhaustion, as the amount of the stack consumed would be at most a
factor of the length of the input.

---

### Release Notes

<details>
<summary>time-rs/time (time)</summary>

###
[`v0.3.47`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0347-2026-02-05)

[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.46...v0.3.47)

##### Security

- The possibility of a stack exhaustion denial of service attack when
parsing RFC 2822 has been
eliminated. Previously, it was possible to craft input that would cause
unbounded recursion. Now,
the depth of the recursion is tracked, causing an error to be returned
if it exceeds a reasonable
  limit.

This attack vector requires parsing user-provided input, with any type,
using the RFC 2822 format.

##### Compatibility

- Attempting to format a value with a well-known format (i.e. RFC 3339,
RFC 2822, or ISO 8601) will
error at compile time if the type being formatted does not provide
sufficient information. This
would previously fail at runtime. Similarly, attempting to format a
value with ISO 8601 that is
only configured for parsing (i.e. `Iso8601::PARSING`) will error at
compile time.

##### Added

- Builder methods for format description modifiers, eliminating the need
for verbose initialization
  when done manually.
- `date!(2026-W01-2)` is now supported. Previously, a space was required
between `W` and `01`.
- `[end]` now has a `trailing_input` modifier which can either be
`prohibit` (the default) or
`discard`. When it is `discard`, all remaining input is ignored. Note
that if there are components
after `[end]`, they will still attempt to be parsed, likely resulting in
an error.

##### Changed

- More performance gains when parsing.

##### Fixed

- If manually formatting a value, the number of bytes written was one
short for some components.
This has been fixed such that the number of bytes written is always
correct.
- The possibility of integer overflow when parsing an owned format
description has been effectively
eliminated. This would previously wrap when overflow checks were
disabled. Instead of storing the
depth as `u8`, it is stored as `u32`. This would require multiple
gigabytes of nested input to
overflow, at which point we've got other problems and trivial
mitigations are available by
  downstream users.

###
[`v0.3.46`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0346-2026-01-23)

[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.45...v0.3.46)

##### Added

- All possible panics are now documented for the relevant methods.
- The need to use `#[serde(default)]` when using custom `serde` formats
is documented. This applies
  only when deserializing an `Option<T>`.
- `Duration::nanoseconds_i128` has been made public, mirroring
  `std::time::Duration::from_nanos_u128`.
- Various methods for truncating components have been added, avoiding
the need to call the fallible
  `replace` methods multiple times.

  For `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`:

  - `truncate_to_day`

  For `Time`, `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`:

  - `truncate_to_hour`
  - `truncate_to_minute`
  - `truncate_to_second`
  - `truncate_to_millisecond`
  - `truncate_to_microsecond`

##### Changed

- The minimum supported Rust version is now 1.88.0.
- Significant performance gains in numerous locations. No public APIs
were changed or removed as
  part of this.
- The size of `error::ComponentRange`, along with types that contain it,
has been significantly
  reduced.

##### Fixed

- The `PartialOrd` and `Ord` implementations of `UtcOffset` now return
the expected result.

###
[`v0.3.45`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0345-2026-01-13)

[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.44...v0.3.45)

##### Added

- `time::format_description::StaticFormatDescription` type alias for
`&'static [BorrowedFormatItem<'static>]`. This is the type returned by
the
  `time::macros::format_description!` macro.

##### Changed

- The minimum supported Rust version is now 1.83.0.
- All floating point methods on `Duration` are now `const fn`.
- All setters on `Parsed` are now `const fn`.
- The `serde` dependency has been replaced with `serde_core`, This
reduces compile times by not
  including unused parts of `serde`.
- `Date::from_julian_day` uses a new algorithm, resulting in an
approximately 16% performance
  improvement. This method is used internally by numerous other methods.
- `util::is_leap_year` uses a new algorithm, resulting in an
approximately 8% performance
  improvement.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

Release Notes:

- N/A

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

after a successful file drag-drop, conclude_drag_operation did not reset
external_files_dragged to false. since dragging_exited (the only place
that resets this flag) is never called for successful drops (only for
cancelled ones), the flag stayed true permanently. this caused synthetic
drags (used for text selection during buffer scrolling) to be suppressed
for the lifetime of the window.

Release Notes:

- N/A

---------

Co-authored-by: MrSubidubi <finn@zed.dev>

Helps #48601

Whenever an extension is installed, we call `register_grammars` even
when the grammar list is empty. This unnecessarily increments
reload_count and notifies the LSP store, which clears all languages and
triggers a full reparse.

Clearing languages also emits `LanguageChanged` events for buffers,
causing the editor to perform expensive recomputations (like
https://github.com/zed-industries/zed/pull/48622) which can block the
main thread for large multibuffers.

This PR addresses the empty-grammar case. If an extension actually adds
a grammar, the underlying issue still exists and will require additional
fixes to fully resolve.

- [ ] Tests or screenshots needed?
- [x] Code Reviewed
- [ ] Manual QA

Release Notes:

- Fixed an issue where installing theme extensions could block the main
thread

Follow-up of https://github.com/zed-industries/zed/pull/48611

Release Notes:

- N/A

This PR updates the `GET /extensions` endpoint in Collab to proxy to
Cloud.

Release Notes:

- N/A

Release Notes:

- N/A

This PR moves the DTOs for the extension API from the `rpc` crate into
the `cloud_api_types` crate.

Release Notes:

- N/A

Release Notes:

- N/A

Follow-up of https://github.com/zed-industries/zed/pull/48581

Release Notes:

- N/A

Release Notes:

- N/A *or* Added/Fixed/Improved ...

TODO:

- [x] Review code
- [x] Decide whether to keep ignored API tests

Release Notes:

- Fixed a bug where cancelling a thread mid-thought would cause further
anthropic requests to fail
- Fixed a bug where the model configured on a thread would not be
persisted alongside that thread

The `alt-tab` keybinding doesn’t work properly under the `AgentPanel`
context on Windows and certain Linux distros, so `alt-l` is provided as
an alternative for the same action.

In my testing, I could not trigger the `AcpThread > Editor` context, but
I added the keybinding there too just in case.

Closes #48347.

Release Notes:

- Added an alternate keybinding for `agent::CycleFavoriteModels` on
Linux and Windows to prevent conflict with global app switcher

Power usage

Release Notes:

- N/A

Closes #48596

Release Notes:

- N/A

Fixes #36818

Release Notes:

- Added new `global_lsp_settings.request_timeout` setting to configure
the maximum timeout duration for LSP-related operations.

Code inspired by [prior
implementation](https://github.com/zed-industries/zed/pull/38443),
though with a few tweaks here & there (like using `serde:default` and
keeping the pre-defined constant in the LSP file).

---------

Co-authored-by: Kirill Bulatov <mail4score@gmail.com>
Co-authored-by: Kirill Bulatov <kirill@zed.dev>

re: https://github.com/zed-industries/zed/pull/48624
using the UI font could cause a visual bug when the cursor was over the
folded text
before:
<img width="191" height="48" alt="image"
src="https://github.com/user-attachments/assets/def0be7d-6fb3-4890-be47-cafee67558a3"
/>
after:
<img width="194" height="47" alt="image"
src="https://github.com/user-attachments/assets/a9b6fb8b-5646-4bd5-9108-b6f792f4571e"
/>

changing the color is of course just opinionated but i think it looks
better and makes more sense as a placeholder

Release Notes:

- N/A

This PR updates the deprecated `rootPath` field in the LSP
`InitializeParams` for backwards compatibility with language servers
that still rely on this field.

### Issue

Some language servers (notably the Salesforce Apex Language Server) only
read from the deprecated `rootPath` field in the LSP initialize request
and do not use `rootUri` or `workspaceFolders`.

When Zed sends `root_path: None`, these language servers fail to
initialize because they cannot determine the workspace root.

Example error from the Apex Language Server:
```
NullPointerException
  at apex.jorje.lsp.impl.db.nddb.NdApexIndex.getToolsStoragePath(NdApexIndex.java:723)
```

The Apex LSP's initialize handler does:
```java
serverSetup.setRootPath(params.getRootPath());
```

VSCode's LanguageClient sends both `rootPath` and `rootUri` for
backwards compatibility:

https://github.com/microsoft/vscode-languageserver-node/blob/main/client/src/common/client.ts#L1434

### Fix

Derive `rootPath` from the existing `root_uri` field when building the
initialize params. The LSP spec states that if both `rootPath` and
`rootUri` are provided, `rootUri` wins, so this change should be
backwards compatible and won't affect language servers that properly use
`rootUri`<sup>(1)</sup>.


---

(1) [LSP Specification -
InitializeParams](https://microsoft.github.io/language-server-protocol/specifications/lsp/3.17/specification/#initializeParams)
- notes that `rootPath` is deprecated in favor of `workspaceFolders`,
but for backwards compatibility it should still be provided when
possible.


Release Notes:

- Improved compatibility with legacy language servers

Follow-up of https://github.com/zed-industries/zed/pull/48611

Release Notes:

- N/A

This PR hardens the authorization flow for all file and directory tools.

## Sensitive settings protection

All file/directory tools (copy, move, create_directory, delete, save,
edit, streaming_edit) now detect and protect sensitive settings paths:
- Paths inside `.zed/` directories (local settings)
- Paths inside the global config directory (`~/.config/zed/` or
equivalent)

Even when the global default is `allow`, modifications to these paths
require explicit confirmation. The authorization dialog title is
annotated with "(local settings)" or "(settings)" to inform the user.

`sensitive_settings_kind` walks up ancestor directories to handle paths
where intermediate subdirectories don't exist yet (e.g.
`~/.config/zed/new_subdir/evil.json`).

## Deferred filesystem operations

Copy, move, create_directory, and delete tools now defer all
project/filesystem operations until after the user authorizes the
action. Previously, some tools began resolving project paths or
traversing directories before authorization.

## streaming_edit_file permissions

`streaming_edit_file` now shares `edit_file`'s tool name for permission
checks, ensuring consistent permission rules between the two edit tool
variants. The duplicated authorization logic is replaced by a shared
`authorize_file_edit` function.

## Copy/move pattern extraction

Copy and move tools now include both source and destination paths in
their permission context (`input_value`). The always-allow pattern is
extracted from the common parent directory of both paths, ensuring the
pattern covers future checks against both.

## Save tool improvements

- Authorization title now shows only the paths that need confirmation,
not all paths
- Title is annotated with "(local settings)" or "(settings)" for
sensitive paths

Release Notes:

- File and directory tool operations now require confirmation before
modifying sensitive settings paths.

Builds on top of #48620 to add explicit test coverage for the exact
bypass scenarios reported by users:

- `rm -rf /etc/../` — path traversal via single parent dir that
normalizes to `/`
- `rm -rf --no-preserve-root /` — long flag without `=value` that could
bypass the old regex
- `rm --no-preserve-root -rf /` — long flag positioned before short
flags
- `rm / -rf --no-preserve-root` — trailing long flag without `=value`
after the path operand
- `sudo rm -rf /`, `sudo rm -rf /*`, `sudo rm -rf --no-preserve-root /`
— sudo-prefixed variants

All of these cases are already correctly blocked by the hardened regex
patterns and path normalization logic added in #48620. These tests
confirm that the reported bypasses are addressed and guard against
regressions.

Release Notes:

- N/A

Release Notes:

- N/A

This PR improves the shell command parser to correctly handle I/O
redirects, here-documents, and compound command constructs. Previously,
commands hidden inside redirect targets, here-document bodies, or
function definition redirects could go undetected by the permission
system.

## Changes

- **Redirect handling**: Capture I/O redirects on simple commands,
compound commands (`if`/`while`/`for`/`case`/subshells/brace groups),
and function definitions
- **Nested command extraction**: Extract commands from redirect file
targets (e.g. `> $(dangerous_cmd)`) and here-document bodies
- **Bare redirect rejection**: Return `None` for bare redirects with no
command name (e.g. `> /etc/passwd`), which forces confirmation
- **Compound command redirects**: Apply redirects on compound commands
to their inner body commands
- **Fail-closed error handling**: `extract_commands_from_word` and
`normalize_word_piece_into` now return `None` on parse failures instead
of silently succeeding
- **Test coverage**: Extensive tests for quoted redirect targets,
no-space redirects, clobber operators, fd-to-fd redirects, pipe+redirect
combinations, function definition redirects, and more

Release Notes:

- Improved shell command parsing to correctly detect commands hidden in
I/O redirects, here-documents, and compound command constructs.