Bash boundary check doesn't catch cd in chained commands #65

@RichardAtCT

Context

check_bash_directory_boundary() in src/claude/monitor.py validates filesystem-modifying bash commands against the approved directory. However, cd is not in _FS_MODIFYING_COMMANDS or _READ_ONLY_COMMANDS, so it falls through as "allowed."

This means a chained command like:

cd /tmp && touch malicious_file

...would have cd /tmp pass through unchecked. The touch malicious_file would also pass because malicious_file is relative and resolves against working_directory (not /tmp — the boundary checker doesn't simulate shell state).

Mitigations already in place

  • Sandbox (sandbox_enabled=True by default) blocks filesystem writes outside the sandbox at the OS level
  • Absolute paths in modifying commands are caught (e.g., touch /tmp/file would be denied)
  • The cwd option scopes the CLI process to the project directory

Risk

Low when sandbox is enabled (default). Higher in trusted environments where sandbox_enabled=False.

Possible fixes

  1. Add cd to a new category and validate its target path stays within approved_directory
  2. Detect &&, ||, ; command chaining and validate each sub-command independently
  3. Accept the current behavior and document that sandbox is the primary enforcement for this case

Spun off from discussion in #64.
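
One way to combine possible fixes 1 and 2, as an added example that is not the project's code: `split_chain`, `check_chain`, `FS_MODIFYING` and `UNRESOLVABLE` are hypothetical names, and the command set is an assumed stand-in for `_FS_MODIFYING_COMMANDS`. Commands outside that set still fall through as allowed, as the issue describes.

```python
import re
from pathlib import Path

# Hypothetical subset: the project's real _FS_MODIFYING_COMMANDS is not on the page.
FS_MODIFYING = {"touch", "rm", "mkdir", "cp", "mv"}
# Quoting, expansion, globbing, subshells and redirection are not simulated here,
# so any command containing these characters is denied (fail closed).
UNRESOLVABLE = set("'\"\\$`~(){}<>*?[")


def split_chain(command):
    """Split at ;, &&, ||, |, & and newlines into per-command argv lists."""
    parts = (p.split() for p in re.split(r"[;&|\n]+", command))
    return [argv for argv in parts if argv]


def check_chain(command, working_directory, approved_directory):
    """Return (allowed, reason). Each sub-command is checked; cd is tracked."""
    approved = Path(approved_directory).resolve()
    if UNRESOLVABLE & set(command):
        return False, "construct cannot be resolved statically"

    def inside(path):
        return path == approved or approved in path.parents

    # A cd can fail at run time, so keep every directory the shell might be in.
    cwds = {Path(working_directory).resolve()}
    for argv in split_chain(command):
        while argv and "=" in argv[0]:  # skip VAR=value prefixes
            argv = argv[1:]
        if not argv:
            continue
        if any(a.startswith("-") and ("/" in a or ".." in a) for a in argv):
            return False, "path-like option is not analysed"
        name, args = argv[0], [a for a in argv[1:] if not a.startswith("-")]
        if name == "cd":
            targets = {(c / args[0]).resolve() for c in cwds} if args else set()
            if not targets or not all(inside(t) for t in targets):
                return False, f"cd would leave {approved}"
            cwds |= targets
        elif name in FS_MODIFYING:
            for path in ((c / a).resolve() for c in cwds for a in args):
                if not inside(path):
                    return False, f"{name} targets {path}"
    return True, "ok"
```

Relative arguments are resolved against every directory the shell could be in after the preceding `cd` commands, so a path has to stay inside the approved directory whether or not a given `cd` succeeded.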