feat(policy): OPA policy template for destructive command chaining prevention #755

@travisbreaks

Description

Problem Statement

Agents that execute shell commands can chain destructive operations in a single exec: rm -rf /data && dd if=/dev/zero of=/dev/sda. Sandbox policies today enforce at the binary level (Seccomp, Landlock), but there is no policy template for detecting destructive command chaining within a single command string.

This is an observed failure mode. An agent composing a shell string that combines filesystem mutation (rm, shred), block-level overwrite (dd, mkfs), or partition operations (diskutil, fdisk) can cause irreversible data loss inside a well-configured sandbox. Each binary may be individually permitted; the dangerous pattern is their combination in a single exec via &&, ;, |, $(), or backtick subshells.

Gap: Binary-level allow/deny cannot distinguish "the agent ran rm (legitimate)" from "the agent ran rm chained with three other destructive primitives in one command string (catastrophic)."

Proposed Solution

A loadable OPA/Rego policy template that:

  1. Detects destructive chaining in shell arguments passed to exec calls. Denies when two or more destructive primitives appear within the same argv/command string, connected by chaining operators (&&, ;, |) or subshell constructs ($(), backticks).

  2. Enforces a single destructive primitive per exec for a configurable set of dangerous binaries (rm, dd, mkfs, shred, fdisk, diskutil). Pattern matching includes flags (e.g., rm -rf matches the rm class).

  3. Ships as a loadable template that operators can include and customize, consistent with how network egress policy templates work in the sandbox policy system today.

Threshold behavior: Deny by default when chaining is detected. Operators can configure scoped exemptions for workflows that legitimately require chained destructive operations.

Why This Matters

The proxy denial logging work (#704, silent egress denials at default log level) and security layer visibility (#745, Landlock degradation surfacing) address observability of enforcement. This issue addresses a gap in what gets enforced at the semantic level, where the full command string is available for inspection before execution.

On false positives: This should inspect raw shell strings, not attempt full AST parsing. Raw string detection with operator-aware splitting covers the high-severity chaining patterns without the complexity and brittleness of shell parsing. Scoped allow-overrides handle legitimate edge cases.
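The detection predicate described in the proposed solution and in the paragraph above (operator-aware splitting of the raw command string, one destructive primitive per exec, scoped exemptions), written out as an added Python reference model rather than Rego. This is constructed for illustration and is not the sandbox project's code or a Rego template; the wrapper list, the exemption shape (exact command strings) and the sample command strings are assumptions. The Rego template would evaluate the same predicate over the exec's command string.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Configurable set of dangerous binaries, taken from the issue text.
DESTRUCTIVE_BINS = frozenset({"rm", "dd", "mkfs", "shred", "fdisk", "diskutil"})
# Wrappers that do not change which binary ultimately runs (assumed list).
TRANSPARENT_WRAPPERS = frozenset({"sudo", "doas", "env", "nice", "nohup", "time"})
# Chaining operators, two-character forms first so "&&" is not read as "&".
CHAIN_OPERATORS = ("&&", "||", ";", "|", "\n")
_ASSIGNMENT = re.compile(r"[A-Za-z_]\w*=.*")   # VAR=value prefix before a command


@dataclass
class Verdict:
    allowed: bool
    destructive: list[str] = field(default_factory=list)  # primitives found, in order
    reason: str = ""


def split_segments(command: str) -> list[str]:
    """Split a raw shell string at chaining operators and subshell boundaries.

    Quotes are tracked only so that ';' or '&&' inside a literal string do not
    start a new segment; $( ) and backticks still split inside double quotes,
    where the shell would expand them. This is deliberately not a shell parser.
    """
    segments: list[str] = []
    buf: list[str] = []
    quote: str | None = None

    def flush() -> None:
        segments.append("".join(buf))
        buf.clear()

    i, n = 0, len(command)
    while i < n:
        ch = command[i]
        if quote is not None:                       # inside a quoted string
            if ch == quote:
                quote = None
                buf.append(ch)
                i += 1
            elif quote == '"' and (ch == "`" or command.startswith("$(", i)):
                flush()                             # command substitution expands in ""
                i += 2 if ch == "$" else 1
            else:
                buf.append(ch)
                i += 1
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
            i += 1
        elif ch == "\\" and i + 1 < n:              # keep an escaped character verbatim
            buf.append(command[i:i + 2])
            i += 2
        elif command.startswith("$(", i):
            flush()
            i += 2
        elif ch in "`()":                           # backtick subshell, ( ... ) group
            flush()
            i += 1
        else:
            op = next((o for o in CHAIN_OPERATORS if command.startswith(o, i)), None)
            if op is None:
                buf.append(ch)
                i += 1
            else:
                flush()
                i += len(op)
    flush()
    return [s for s in (seg.strip() for seg in segments) if s]


def primitive_of(segment: str) -> str | None:
    """Return the destructive class a segment invokes, or None.

    Skips VAR=value prefixes and transparent wrappers, strips directory
    prefixes (/bin/rm -> rm) and tool suffixes (mkfs.ext4 -> mkfs). Wrapper
    options that take a value (sudo -u root rm) are not resolved.
    """
    for tok in segment.split():
        if _ASSIGNMENT.fullmatch(tok):
            continue
        name = tok.rsplit("/", 1)[-1]
        if name in TRANSPARENT_WRAPPERS:
            continue
        base = name.split(".", 1)[0]
        return base if base in DESTRUCTIVE_BINS else None
    return None


def evaluate(command: str, exemptions: frozenset[str] = frozenset()) -> Verdict:
    """Deny when two or more destructive primitives are chained in one exec.

    `exemptions` models the operator's scoped allow-overrides as exact command
    strings; a real template would scope them by workflow or principal.
    """
    if command in exemptions:
        return Verdict(True, [], "operator exemption")
    found = [p for seg in split_segments(command) if (p := primitive_of(seg)) is not None]
    if len(found) >= 2:
        return Verdict(False, found, "destructive primitives chained: " + ", ".join(found))
    return Verdict(True, found, "single destructive primitive" if found else "no destructive primitive")


if __name__ == "__main__":
    # Constructed sample command strings, not captured agent traffic.
    for cmd in [
        "rm -rf /data && dd if=/dev/zero of=/dev/sda",
        "sudo /bin/rm -rf /data; mkfs.ext4 /dev/sdb1",
        'echo "$(rm -rf /x)" && dd if=a of=b',
        "rm -rf /tmp/build",
        "echo 'cleanup: rm -rf / && dd'",
    ]:
        v = evaluate(cmd)
        print(f"{'ALLOW' if v.allowed else 'DENY '} {cmd!r}: {v.reason}")
```

The quote tracking is the minimum needed to keep a logged message such as `echo 'rm -rf / && dd'` from being denied while still catching substitution inside double quotes; anything beyond that (heredocs, `eval`, variable-expanded binary names) is left to the scoped exemptions and to the binary-level layer underneath, as the proposal intends.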
