//! The assistant's default policy hardening.
//!
//! A general assistant with a real shell + file tools needs the same
//! footgun-blocking the coder has: no git-remote mutation, no history rewrite,
//! no privilege escalation (`sudo`), no credential reads, no destructive ops or
//! writes outside its root. We reuse the coder's inspector set verbatim rather
//! than maintain a parallel one — the hardening is identical and any
//! improvement there benefits both.
//!
//! This is hardening, **not** the sandbox: in the default sandbox-first mode the
//! Docker container is the real boundary and these inspectors are
//! belt-and-suspenders; in `--local` mode they are the first line, backed by
//! permission-tier HITL on writes and shell.
use Path;
use InspectorChain;
/// Build the assistant's inspector chain rooted at `root` (the sandbox mount or
/// the local working directory). First Deny wins; the denial reason becomes the
/// tool error the model sees, so it can adapt instead of silently failing.