pub fn execpolicy_allow_target_paths_escape(
    command: &str,
    workspace: &str,
) -> Option<String>
When execpolicy prefix-allows a command, reject path flags that escape the workspace.
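
An added example, not this crate's own code, of how such a check can work for a command that has already matched an allow prefix. The name `path_flag_escape`, the reading of the return value (`Some(reason)` means reject), whitespace tokenizing, and treating every flag value as a possible path are all assumptions.

```rust
use std::path::{Component, Path, PathBuf};

// Resolve `raw` against `base` lexically (no filesystem access, so symlinks
// are NOT followed; a real check would also canonicalize existing paths).
fn normalize(base: &Path, raw: &str) -> PathBuf {
    let joined = if Path::new(raw).is_absolute() {
        PathBuf::from(raw)
    } else {
        base.join(raw)
    };
    let mut out = PathBuf::new();
    for comp in joined.components() {
        match comp {
            Component::ParentDir => { out.pop(); } // never pops past the root
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

// Hypothetical stand-in for the documented check. Assumption: Some(reason)
// means "reject". Every flag value is treated as a possible path, and tokens
// are split on whitespace only (no shell quoting).
pub fn path_flag_escape(command: &str, workspace: &str) -> Option<String> {
    let ws = normalize(Path::new("/"), workspace);
    let mut tokens = command.split_whitespace().skip(1).peekable();
    while let Some(tok) = tokens.next() {
        if !tok.starts_with('-') { continue; }
        // Accept both `--flag=value` and `--flag value` / `-C value`.
        let value = match tok.split_once('=') {
            Some((_, v)) => Some(v),
            None => tokens.next_if(|next| !next.starts_with('-')),
        };
        if let Some(v) = value {
            if !normalize(&ws, v).starts_with(&ws) {
                return Some(format!("{}: `{}` resolves outside {}", tok, v, workspace));
            }
        }
    }
    None
}

fn main() {
    // Constructed sample commands.
    for cmd in ["git -C ./sub status", "git -C ../../etc status"] {
        println!("{:?} -> {:?}", cmd, path_flag_escape(cmd, "/home/dev/ws"));
    }
}
```

`Path::starts_with` compares whole components, so a sibling directory such as `/home/dev/ws-evil` is not mistaken for a path inside `/home/dev/ws`, which a plain string-prefix comparison would accept.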