Module user_command

Spawn a user-supplied command (e.g. publisher.cmd) with a clean, whitelisted environment.

Centralised here so the Command::new(<arbitrary>) shell-out lives inside the module-boundaries allow-list (.claude/rules/module-boundaries.md). Inlining this in the CLI crate would put Command::new outside the allow-list and count as a boundary violation.

Constants

ENV_WHITELIST
Environment variables that are inherited from the parent process when constructing a sandboxed Command. Anything else must be explicitly added via Command::env.

Functions

whitelisted
Construct a Command whose argv is argv and whose environment is reset to the ENV_WHITELIST subset of the parent’s env. The first element of argv is the program; the rest are arguments. The caller is responsible for adding any further env vars / cwd / I/O config before invoking output().
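
The pattern described above (reset the child's environment, then copy back only allow-listed variables) as an added example; it is not this module's source. The names `EXAMPLE_ALLOWED_ENV`, `filter_env` and `command_with_allowed_env` are hypothetical, and the allow-list contents are constructed because the real ENV_WHITELIST entries are not shown on this page.

```rust
use std::ffi::{OsStr, OsString};
use std::process::Command;

// Constructed allow-list for this example only (assumption, not ENV_WHITELIST).
const EXAMPLE_ALLOWED_ENV: &[&str] = &["PATH", "HOME", "LANG"];

/// Keep only the (name, value) pairs whose name is on the allow-list.
fn filter_env<I>(parent: I, allowed: &[&str]) -> Vec<(OsString, OsString)>
where
    I: IntoIterator<Item = (OsString, OsString)>,
{
    parent
        .into_iter()
        .filter(|(name, _)| allowed.iter().any(|a| name.as_os_str() == OsStr::new(a)))
        .collect()
}

/// Hypothetical helper: build a Command from argv with its environment reset
/// to the allow-listed subset of `parent`. Returns None for an empty argv.
fn command_with_allowed_env<I>(argv: &[String], parent: I) -> Option<Command>
where
    I: IntoIterator<Item = (OsString, OsString)>,
{
    let (program, args) = argv.split_first()?;
    let mut cmd = Command::new(program); // executed directly, no shell parsing
    cmd.args(args);
    cmd.env_clear(); // the child inherits nothing by default
    cmd.envs(filter_env(parent, EXAMPLE_ALLOWED_ENV));
    Some(cmd)
}

fn main() {
    // Assumes a Unix-like host where `env` prints the child's environment.
    let argv = vec!["env".to_string()];
    let mut cmd = command_with_allowed_env(&argv, std::env::vars_os()).expect("empty argv");
    // Anything beyond the allow-list is added explicitly by the caller.
    cmd.env("PUBLISH_TARGET", "staging"); // constructed name and value
    match cmd.output() {
        Ok(out) => print!("{}", String::from_utf8_lossy(&out.stdout)),
        Err(e) => eprintln!("spawn failed: {e}"),
    }
}
```

Passing the parent environment in as an iterator keeps the filter testable without mutating the process environment.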