Replace substring blocked command detection with AST parsing or OS sandbox #628
Description
Parent: #618
Problem
find_blocked_command() at crates/zeph-tools/src/shell.rs:325-333 uses normalized.contains(blocked) substring matching. Bypassable via:
$IFSexpansion:cat$IFS/etc/passwd- Quoted concatenation:
cat "/etc/pass"wd - Backtick/subshell:
cat \`echo /etc/passwd\` - Base64:
$(echo c3Vkbw== | base64 -d)
extract_paths() at :389-404 splits on whitespace, also bypassable.
Solution
Option A: Use tree-sitter-bash to parse command AST and extract actual command names/paths.
Option B: Use OS-level sandbox (bubblewrap/landlock/seccomp) to restrict filesystem access.
Option C: Use env -i bash --restricted -c with restricted PATH.
Acceptance Criteria
- Blocked commands cannot be bypassed via shell metacharacters
- Path extraction handles shell expansion vectors
- Existing tests pass, new tests cover bypass vectors