pub fn is_default_safe_fix(patch: &FixPatch) -> bool
Audit #7: default safelist for FixPatch::RunCommand.
Sensors emitting RunCommand patches would otherwise be a silent
arbitrary-code-execution channel. We restrict the program by name to a
short list of well-known, side-effect-bounded formatters/fixers. Anything
else returns false and the patch is rejected (write your own PreAutoFix
hook returning HookOutcome::Allow to widen the policy).
ReplaceFile and UnifiedDiff are not restricted here — they only touch
files inside the workspace and are covered by the symlink-safe path
resolution in harness-tools-fs.
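
A sketch of a name-based safelist like the one described above, added here as an illustration and not the crate's own code. The `FixPatch` fields, the list contents, the rule that rejects paths, the `true` result for file-writing variants and the name `is_safe_fix_example` are all assumptions.

```rust
// Added illustration: the variant fields are assumed, not the crate's definitions.
#[allow(dead_code)]
pub enum FixPatch {
    RunCommand { program: String, args: Vec<String> },
    ReplaceFile { path: String, contents: String },
    UnifiedDiff { diff: String },
}

// Constructed safelist; the crate's real list is not shown on this page.
const SAFE_PROGRAMS: &[&str] = &["rustfmt", "gofmt", "prettier"];

/// Hypothetical check: exact, case-sensitive match on a bare program name.
pub fn is_safe_fix_example(patch: &FixPatch) -> bool {
    match patch {
        FixPatch::RunCommand { program, .. } => {
            // A path such as "./rustfmt" or "/tmp/rustfmt" could name a binary
            // supplied by the workspace, so only bare names are compared
            // against the list (assumed rule).
            let bare = !program.is_empty()
                && !program.contains('/')
                && !program.contains('\\');
            bare && SAFE_PROGRAMS.contains(&program.as_str())
        }
        // File-writing variants are not restricted by this check (assumed to
        // pass; path safety is handled elsewhere, as the text above says).
        FixPatch::ReplaceFile { .. } | FixPatch::UnifiedDiff { .. } => true,
    }
}

fn main() {
    // Constructed sample inputs.
    for p in ["rustfmt", "./rustfmt", "sh"] {
        let patch = FixPatch::RunCommand { program: p.to_string(), args: vec![] };
        println!("{p:?} -> {}", is_safe_fix_example(&patch));
    }
}
```

A check of this shape constrains only the program name. Arguments are not inspected, so the safety of the list rests on each listed tool being side-effect-bounded whatever arguments it receives.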