0xMink commented Feb 10, 2026

Refs #11095

Summary

  • Command auto-approval could approve an allowlisted prefix while shell operators (redirection/background) alter execution semantics under shell: true. For example, auto-approving git show would also auto-approve git show > out.txt, allowing writes to an arbitrary file.
  • Commands containing file redirection (<, >, >>, <<, etc.) now require explicit approval (ask_user).
    • Safe fd-to-fd duplication is excluded (for example 2>&1, >&2, <&3, 0<&4).
  • Commands containing a standalone background operator (&) now require explicit approval.
  • fd-to-fd stripping now uses a token-boundary lookahead (?=$|\s|[;&|()<>]) to avoid false negatives such as >&2file and <&3in, where the redirection target is a word and therefore represents file redirection, not fd-to-fd duplication.

Test plan

  • containsShellFileRedirection() — 21 cases: detects output/input/append/here-doc/stderr/mixed redirections (9), excludes safe fd-to-fd like 2>&1, >&2, <&3, 0<&4 (5), token-boundary edge cases — >&2file, <&3in, 2>&1&&, 2>&1>out.txt, 0<&4| (5), general sanity checks (2)
  • containsBackgroundOperator() — 8 cases: detects standalone &, excludes &&, &>, >&, <&
  • getCommandDecision() — 15 integration cases: redirection forces ask_user, fd-to-fd preserves auto_approve, background forces ask_user, token-boundary edge cases, denylist regression
  • Existing regression coverage for containsDangerousSubstitution, findLongestPrefixMatch, getSingleCommandDecision — 11 cases
  • Total: 55 tests, all passing

dosubot bot added the size:L and bug labels Feb 10, 2026

roomote bot commented Feb 10, 2026

All issues from previous reviews have been addressed. Quote-aware operator detection via stripQuotedSegments is correctly implemented. No new issues found.

  • containsShellFileRedirection strips output fd-to-fd (>&N) but not input fd-to-fd (<&N), producing false positives for commands like cmd <&3. Very low severity.

0xMink force-pushed the fix/command-auto-approve-redirection branch from 4c99f4f to cf5084f, February 10, 2026 09:35
0xMink force-pushed the fix/command-auto-approve-redirection branch from cf5084f to 2ab6380, February 10, 2026 10:05

0xMink commented Feb 10, 2026

Addressed the review feedback:

  • Fixed false negative: Added token-boundary lookahead to fd-to-fd stripping so >&2file and <&3in are correctly treated as file redirection (not fd-to-fd). The boundary (?=$|\s|[;&|()<>]) ensures stripping only when the fd target is purely numeric and token-delimited.
  • Added input fd-to-fd support: <&N and 0<&N patterns are now stripped alongside >&N, and excluded from background operator detection.
  • Kept correct behavior: 2>&1&& still strips; 0<&4| still strips; >&2 at end-of-string still strips.
  • Consistent stripping: Both containsShellFileRedirection() and the sub-command normalization in getCommandDecision() use the same boundary-aware regex.
  • Tests: 55/55 passing (up from 44). Added regression tests for >&2file, <&3in, operator-adjacent fd-to-fd, and input fd duplication at both unit and integration levels.

0xMink commented Feb 10, 2026

@roomote Could you please re-review? I addressed your <&N note, and also tightened fd-to-fd stripping with a token-boundary lookahead to avoid false negatives like >&2file / <&3in. Tests expanded from 44 to 55 and I force-pushed the update. Thanks.

roomote bot commented Feb 10, 2026

No outstanding issues to fix. The reviewer has confirmed all previous issues are addressed, and all 55 tests pass locally.

…ound in command auto-approve

Commands containing file redirection (<, >, >>, <<) or standalone
background operators (&) now force explicit user approval instead
of being auto-approved via prefix matching. Safe fd-to-fd redirections
(2>&1, >&2) remain auto-approvable.

Also tightens the pre-existing fd-to-fd stripping regex with a
token-boundary lookahead to prevent false negatives like >&2file
and <&3in being silently stripped as fd-to-fd.

Adds the first dedicated test suite for the command auto-approval
pipeline (55 tests).
0xMink force-pushed the fix/command-auto-approve-redirection branch from 2ab6380 to 0d2a949, February 10, 2026 23:31

0xMink commented Feb 11, 2026

Rebased onto main, resolved add/add in commands.spec.ts with #11365 / #11382, and made redirection/background detection quote-aware to avoid false positives in quoted payloads (e.g. node -e "const f=(a)=>a"). All CI checks are green.

@roomote please re-review.
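
The checks described in this pull request, as an added TypeScript example that is not the project's code: the fd-to-fd pattern uses the token-boundary lookahead quoted in the summary, and quoted segments are blanked first, as in the quote-aware change mentioned above. The helper names, the simplified quote handling and the sample commands are assumptions made for illustration.

```typescript
// Added example: hypothetical helper names, not the project's implementation.

// fd-to-fd duplication (2>&1, >&2, <&3, 0<&4). The lookahead is the token
// boundary quoted in the PR summary: the numeric target must end the token,
// so ">&2file" and "<&3in" are NOT stripped and count as file redirection.
const FD_TO_FD = /\d*[<>]&\d+(?=$|\s|[;&|()<>])/g;

// Blank out quoted segments so operators inside string payloads are ignored.
// Simplified assumption: no $'...' handling. An unterminated quote is left in
// place, so its contents are still inspected (errs toward asking the user).
function stripQuoted(cmd: string): string {
  return cmd.replace(/'[^']*'|"(?:\\.|[^"\\])*"/g, '""');
}

// True when any < or > survives once quoted text and fd-to-fd are removed.
function hasFileRedirection(cmd: string): boolean {
  return /[<>]/.test(stripQuoted(cmd).replace(FD_TO_FD, ""));
}

// True for a standalone & (background); &&, &>, >& and <& are not background.
function hasBackgroundOperator(cmd: string): boolean {
  const rest = stripQuoted(cmd)
    .replace(FD_TO_FD, "")
    .replace(/&&|&>|[<>]&/g, " ");
  return /&/.test(rest);
}

// Gate to run before any allowlist prefix match is allowed to auto-approve.
function needsExplicitApproval(cmd: string): boolean {
  return hasFileRedirection(cmd) || hasBackgroundOperator(cmd);
}

// Constructed sample commands built around the cases named in the thread.
const SAMPLES: string[] = [
  "git show > out.txt",          // file write behind an allowlisted prefix
  "git show 2>&1",               // fd-to-fd only
  "git log >&2file",             // target is a word, not an fd
  "cat <&3in",                   // same, on the input side
  "make 2>&1&& echo ok",         // fd-to-fd directly followed by &&
  "make 2>&1>out.txt",           // fd-to-fd followed by a real redirection
  "sort 0<&4| uniq",             // input fd-to-fd followed by a pipe
  "npm test &",                  // standalone background operator
  'node -e "const f=(a)=>a"',    // ">" only inside a quoted payload
];
const FLAGGED: string[] = SAMPLES.filter(needsExplicitApproval);
```

`FLAGGED` holds the five samples that must fall back to explicit approval; the other four contain only fd-to-fd duplication, `&&`, a pipe, or quoted text.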

roomote bot commented Feb 11, 2026

Verified the latest state of the PR. The reviewer confirmed all previous issues are resolved and no new issues were found. All 79 tests pass locally. No code changes needed.
