Function permission_for_shell 

pub fn permission_for_shell(
    cmd: &str,
    config: &HematiteConfig,
) -> PermissionDecision

Returns the permission decision for a shell command given the loaded config.

Priority order (highest first):

1. deny rules → always block (return true = needs approval / will be rejected)
2. allow rules → always approve (return false)
3. ask rules → always ask (return true)
4. intrinsic risk classifier