fix: use shlex tokenization to prevent false positive rm blocking #37

Open
bluzername wants to merge 1 commit into disler:main from bluzername:fix/rm-false-positive-pathname

@bluzername

Problem

The is_dangerous_rm_command() function in pre_tool_use.py falsely blocks safe rm commands when directory names contain flag-like substrings. For example:

rm /tmp/soft-hold-enrollment  # BLOCKED - because "enrollment" contains "-r" pattern
rm /tmp/feature-refactor      # BLOCKED - same reason

The regex r'\brm\s+.*-[a-z]*r' matches these because .* greedily eats the whole path, then -enrollment matches -[a-z]*r (the r at the end of "enrollment").

I hit this exact problem when Claude tried to clean up a temp directory with - in the name and the hook kept blocking it.

Fix

Replaced the regex approach with proper shlex.split() tokenization. The new function:

  1. Tokenizes the command into actual shell words (respecting quotes and escapes)
  2. Separates flags (-r, -f, --recursive, etc.) from path operands
  3. Respects the -- separator (everything after -- is a path, not a flag)
  4. Checks flag combinations: blocks rm -rf (recursive + force together) and rm -r targeting dangerous paths (/, ~, ., .., $HOME)

This means rm /tmp/soft-hold-enrollment is correctly recognized as having zero flags and just a path operand, so it passes.

Test results

rm /tmp/soft-hold-enrollment        -> ALLOWED (was: blocked)
rm soft-hold-enrollment/file.txt    -> ALLOWED (was: blocked)
rm -rf /                            -> BLOCKED (unchanged)
rm -rf ~                            -> BLOCKED (unchanged)
rm -r -f .                          -> BLOCKED (unchanged)
rm --recursive --force /            -> BLOCKED (unchanged)
rm -r /tmp/build                    -> ALLOWED (unchanged)

Closes #28
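
The four steps described in this pull request, as an added example that is not the PR's own code. The regex and the dangerous-path list are the ones quoted in the description; the function names, the fail-closed handling of unparseable input and the trailing-slash stripping are assumptions of this sketch.

```python
import re
import shlex

OLD_PATTERN = re.compile(r'\brm\s+.*-[a-z]*r')    # regex quoted in the PR description
DANGEROUS_PATHS = {"/", "~", ".", "..", "$HOME"}   # targets listed in step 4


def old_regex_matches(command: str) -> bool:
    """True when the quoted regex fires on the raw command string."""
    return OLD_PATTERN.search(command) is not None


def tokenized_rm_blocks(command: str) -> bool:
    """Hypothetical checker following the four steps in the description."""
    try:
        tokens = shlex.split(command)             # step 1: shell words, quotes respected
    except ValueError:
        return True                               # assumption: unparseable input fails closed
    if not tokens or tokens[0] != "rm":
        return False                              # this sketch only inspects a leading rm
    recursive = force = end_of_flags = False
    operands = []
    for tok in tokens[1:]:
        if end_of_flags or tok == "-" or not tok.startswith("-"):
            operands.append(tok)                  # step 2: path operand, never a flag
        elif tok == "--":
            end_of_flags = True                   # step 3: everything after is a path
        elif tok.startswith("--"):
            recursive = recursive or tok == "--recursive"
            force = force or tok == "--force"
        else:                                     # bundled short flags such as -rf
            recursive = recursive or "r" in tok[1:] or "R" in tok[1:]
            force = force or "f" in tok[1:]
    if recursive and force:                       # step 4: recursive + force together
        return True
    # step 4: recursive delete of a dangerous target; trailing slashes are
    # stripped first (assumption, so "~/" is treated like "~")
    return recursive and any((p.rstrip("/") or "/") in DANGEROUS_PATHS for p in operands)


if __name__ == "__main__":
    # Constructed inputs: cases from the PR's test table plus two extra ones.
    for cmd in ["rm /tmp/soft-hold-enrollment", "rm -rf /", "rm -r /tmp/build",
                "rm -- -rf", 'rm "my -r dir"']:
        print(f"{cmd!r:34} regex={old_regex_matches(cmd)} tokenized={tokenized_rm_blocks(cmd)}")
```

This sketch inspects only a command whose first word is `rm`; a hook built on it would still need its own handling for `sudo` prefixes and for commands chained with `;`, `&&` or pipes.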

Development

Successfully merging this pull request may close these issues.

pre_tool_use.py hook falsely blocks safe rm due to pathname matching -...r...