
bug: cmdEvaluate silently ignores JSON unmarshal error — governance bypass #62

@jpleva91

Bug: Silent JSON Unmarshal Error in cmdEvaluate

File: cmd/shellforge/main.go, cmdEvaluate()

The cmdEvaluate function reads JSON from stdin and evaluates it against governance policy. However, the json.Unmarshal error is silently discarded:

var input struct {
    Tool   string `json:"tool"`
    Action string `json:"action"`
    Path   string `json:"path"`
}
json.Unmarshal(data, &input)  // ← error ignored

If the caller (e.g., govern-shell.sh) sends malformed JSON, the struct fields will be zero-valued (""). This causes engine.Evaluate("", map[string]string{...}) to be called, which matches no policy and defaults to allow.

Consequence: Governance bypass — a malformed or crafted JSON payload can cause all commands to pass the governance check unchecked.

Fix: Fail-closed on malformed input:

if err := json.Unmarshal(data, &input); err != nil {
    json.NewEncoder(os.Stdout).Encode(map[string]any{
        "allowed": false,
        "reason":  "malformed governance request: " + err.Error(),
    })
    return
}

Severity: Medium — requires malformed JSON to trigger; the primary caller (govern-shell.sh) uses printf formatting that may not always produce valid JSON for commands containing quotes or backslashes.
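The failure mode and the fail-closed fix described in this issue, as an added example that is not ShellForge's own code: `policy` is a hypothetical stand-in for `engine.Evaluate`, `printfStyle` imitates a caller that builds the request by string formatting without escaping, and the empty-tool denial is an assumption that goes beyond the fix proposed above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request mirrors the input struct quoted in the issue.
type Request struct {
	Tool   string `json:"tool"`
	Action string `json:"action"`
	Path   string `json:"path"`
}

// policy is a hypothetical stand-in for engine.Evaluate: one deny rule, default allow.
func policy(r Request) bool { return !(r.Tool == "shell" && r.Action == "rm") }

// evaluateOpen keeps the reported defect: the Unmarshal error is dropped, so
// malformed input leaves r zero-valued and falls through to default allow.
func evaluateOpen(data []byte) bool {
	var r Request
	json.Unmarshal(data, &r)
	return policy(r)
}

// evaluateClosed denies on a parse error. Denying an empty tool is an added
// assumption of this example, not part of the fix proposed in the issue.
func evaluateClosed(data []byte) (bool, string) {
	var r Request
	if err := json.Unmarshal(data, &r); err != nil {
		return false, "malformed governance request: " + err.Error()
	}
	if r.Tool == "" {
		return false, "malformed governance request: empty tool"
	}
	return policy(r), ""
}

// printfStyle imitates a caller that builds JSON by string formatting, no escaping.
func printfStyle(tool, action, path string) []byte {
	return []byte(fmt.Sprintf(`{"tool":"%s","action":"%s","path":"%s"}`, tool, action, path))
}

func main() {
	req := printfStyle("shell", "rm", `/tmp/a"b`) // constructed sample: quote in path
	fmt.Println("fail-open allowed:", evaluateOpen(req))
	allowed, reason := evaluateClosed(req)
	fmt.Println("fail-closed allowed:", allowed, reason)
}
```

The same request with a path that needs no escaping is denied by both variants, which shows the difference comes only from how the parse failure is handled.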

Labels: P0 (Critical — security or correctness blocker), bug (Something isn't working)
