huqiantao
75593a0eac
fix: address security review comments
1. Fix whitespace bypass in normalize_command (execpolicy/lib.rs:446)
- Collapse internal whitespace to prevent 'git status' bypassing 'git status'
- split_whitespace().join(' ') normalizes all whitespace
2. Fix 'never'/'deny' approval mapping (app-server/lib.rs:287)
- Map to AskForApproval::Never instead of OnRequest
- 'never'/'deny' should forbid commands, not prompt for approval
3. Optimize prefix matching (execpolicy/lib.rs:355, bash_arity.rs:375)
- Avoid format! allocation on every check
- Use byte comparison for space boundary check