fix: harden command auto-approval against inline JS false positives

[hannesrudolph]

Summary

Follow-up to #11365. The merged fix narrowed the zsh process-substitution regex with a negative lookbehind (?<![a-zA-Z0-9_]), but this still false-positives on inline JS expressions in node -e commands where =(...) is preceded by characters like ], ), or }.

Example command that was still blocked:

node -e "const fs=require('fs');const p=JSON.parse(fs.readFileSync('prd.json','utf8'));const allowed=new Set(['pending','in-progress','complete','blocked']);const bad=(p.items||[]).filter(i=>!allowed.has(i.status));console.log('statusCounts', (p.items||[]).reduce((a,i)=>(a[i.status]=(a[i.status]||0)+1,a),{}));if(bad.length){process.exit(2);}"

The fragment `=(a[i.status]||0)` inside the JS reducer was matching because `]` is not in `[a-zA-Z0-9_]`.

Changes

1. `src/core/auto-approval/commands.ts` — Regex refinement

Changed zsh process-substitution detector from:
```
/(?<![a-zA-Z0-9_])=\([^)]+\/

to:

/(?:(?<=^)|(?<=[\s;|&(<]))=([^)]+)/

This only matches `=(...)` when preceded by start-of-string or whitespace/shell operators — not arbitrary non-alnum characters that commonly appear in JS expressions.

**True positives preserved:** standalone `=(whoami)`, space-prefixed ` =(ls)`, `echo =(cat /etc/passwd)`, pipe-chained `cmd | =(cmd)`.

### 2. `src/core/tools/ExecuteCommandTool.ts` — Command canonicalization
Moved `unescapeHtmlEntities()` call early and unified all downstream uses (rooignore validation, approval check, timeout allowlist, terminal execution) to use the same `canonicalCommand` value. Previously, the rooignore check used the raw HTML-escaped command while approval used the unescaped form.

### 3. `src/core/auto-approval/__tests__/commands.spec.ts` — Regression tests (10→19)
Added 9 new tests:
- The exact `node -e` one-liner that triggered this investigation
- Arrow function patterns (`(b)=>b`, `(x) => x * 2`, `i=>!set.has(i)`)
- True-positive verification for all 5 dangerous substitution categories
- `getCommandDecision()` integration tests confirming auto-approve with allowlist

## Test Results
- 19/19 commands.spec.ts ✅
- 32/32 full auto-approval suite ✅
- 11/11 ExecuteCommandTool.spec.ts ✅
EOF
)
----
<!-- ELLIPSIS_HIDDEN -->


> [!IMPORTANT]
> Refines regex and command handling to prevent false positives in command auto-approval, with added tests for verification.
> 
>   - **Regex Refinement**:
>     - Updated zsh process-substitution regex in `commands.ts` to only match `=(...)` when preceded by start-of-string or whitespace/shell operators.
>   - **Command Handling**:
>     - Moved `unescapeHtmlEntities()` call earlier in `ExecuteCommandTool.ts` and unified downstream uses to use `canonicalCommand`.
>   - **Testing**:
>     - Added 9 new tests in `commands.spec.ts` for regression and true-positive verification.
>     - Tests include `node -e` one-liner, arrow functions, and dangerous substitution patterns.
> 
> <sup>This description was created by </sup>[<img alt="Ellipsis" src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=RooCodeInc%2FRoo-Code&utm_source=github&utm_medium=referral)<sup> for e68f89749344662e009ac3ff7d0c171dcd801161. You can [customize](https://app.ellipsis.dev/RooCodeInc/settings/summaries) this summary. It will automatically update as commits are pushed.</sup>


<!-- ELLIPSIS_HIDDEN -->

[roomote]

Rooviewer   Follow task

Reviewing your PR now. Feedback coming soon!