Module safety

Hard safety checks that the user’s TOML configuration cannot override.

Two layers live here:

  1. Syntactic rejection of shell metacharacters (;, &&, ||, |, backticks, $(), >, <, >>). v0.1 takes the position that composite shell pipelines must be expressed as scripts and the script itself allowlisted.
  2. A hard denylist of token patterns that no allowlist can re-enable (sudo, rm -rf /, classic fork bombs).

Working-directory containment lives here as well: every command must resolve to a path inside the launch root.

These checks run before allowlist matching so that the user can never accidentally write a TOML rule that lets a dangerous command through.
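The working-directory containment rule above, as an added example that is not the crate's own code: the hypothetical `contain_cwd` normalises the joined path lexically and compares whole path components. It assumes `root` is absolute and already canonical, and the `/srv/project` inputs are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper, not the crate's `resolve_cwd`. Assumes `root` is
/// absolute and already canonical. Purely lexical: symlinks are not resolved,
/// so a filesystem-backed check would canonicalize before comparing.
fn contain_cwd(root: &Path, requested: &str) -> Result<PathBuf, String> {
    // `join` discards `root` when `requested` is absolute, so containment
    // has to be tested on the normalised result, never assumed from the join.
    let joined = root.join(requested);
    let mut resolved = PathBuf::new();
    for part in joined.components() {
        match part {
            Component::CurDir => {}
            // `pop` at the filesystem root is a no-op, so ".." cannot underflow.
            Component::ParentDir => {
                resolved.pop();
            }
            other => resolved.push(other.as_os_str()),
        }
    }
    // `Path::starts_with` compares whole components, so a sibling such as
    // /srv/project-evil does not pass as being inside /srv/project.
    if resolved.starts_with(root) {
        Ok(resolved)
    } else {
        Err(format!("{:?} resolves outside {:?}", requested, root))
    }
}

fn main() {
    // Constructed sample inputs; the launch root is an assumed path.
    let root = Path::new("/srv/project");
    for req in ["src/./bin", "src/../docs", "../project-evil", "../../etc", "/etc"] {
        match contain_cwd(root, req) {
            Ok(p) => println!("allow  {:<18} -> {}", req, p.display()),
            Err(e) => println!("reject {:<18} ({})", req, e),
        }
    }
}
```

A string-prefix comparison in place of `Path::starts_with` would accept the `../project-evil` case, which is why the check is done on components.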

Enums

Rejection
Why a command was refused.
RejectionKind
Stable categorisation suitable for serialising into MCP tool responses.

Functions

check_hard_denylist
Walk the parsed tokens looking for any hard-denied subsequence.
check_metacharacters
Reject any command containing the v0.1 metacharacter set.
resolve_cwd
Resolve `requested` against `root`, ensuring the result stays inside `root`.
tokenize
Tokenize the command using POSIX shell quoting rules so that quoted arguments survive (git commit -m "fix: thing" becomes four tokens).