pub fn classify_line(raw: &str) -> RuleMatchExpand description
Classify a raw command line (the entry point used by tests too).
Two independent passes, worst (most severe) wins: the hand-rolled
tokenizer pass (classify_line_depth) and the bash-AST pass
(classify_ast). The AST pass parses real shell structure — so it catches
dangerous commands hidden in command substitutions $(…), here-docs,
compound commands, and unusual quoting that the tokenizer can’t see — but it
can only ever add caution: a parse failure contributes nothing, and the
tokenizer pass (plus the cautious default) still stands. This keeps the
security floor’s “no catastrophic-classified-as-safe” guarantee while making
detection strictly more robust.