
Harden shell command safety guards and add tests for root-path rm variants #2

Merged
YspCoder merged 2 commits into main from codex/conduct-risk-and-bug-assessment-4fecjc
Feb 14, 2026

@YspCoder
Owner

Motivation

  • Strengthen the command guard to prevent destructive `rm` invocations that are semantically equivalent to `rm -rf /` but use different flags or argument forms.
  • Make allow/deny pattern matching case-insensitive and preallocate pattern slices for correctness and minor performance improvement.
  • Add regression tests to ensure these safety behaviors do not regress.

Description

  • Enhanced the root-wipe detection regex in `pkg/tools/shell.go` from a narrow `rm -rf /` match to a broader pattern that catches `rm ... /` forms targeting the root path, and updated the guard message to `removing root path / is forbidden`.
  • Made `denyPatterns` and `allowPatterns` case-insensitive by compiling patterns with `(?i)` and preallocated the slices using `len(cfg.*)` capacity; ensured `allowPatterns` are created and used in `NewExecTool`.
  • Adjusted guard matching to test compiled regexes against the original command string (not the lowercased string) for correctness.
  • Improved risk handling logic in `applyRiskGate` and moved `git clean` into destructive patterns in `pkg/tools/risk.go` so `git clean` is treated as destructive.
  • Added comprehensive unit tests in `pkg/tools/shell_test.go`, including `TestGuardCommand_BlocksRootWipeVariants` and other tests verifying allow/deny case insensitivity and risk-gate behavior.

Testing

  • Ran `go test ./pkg/tools -run 'TestGuardCommand_BlocksRootWipeVariants|TestGuardCommand_DenylistIsCaseInsensitive' -v` and the selected tests passed.
  • Ran the full package tests with `go test ./pkg/tools -v` and `go test ./...` and they passed for tested packages.
  • Ran static checks with `go vet ./...` and concurrency checks with `go test -race ./...`, which completed without failures.

Codex Task

@YspCoder YspCoder merged commit b8f6a6a into main Feb 14, 2026
@YspCoder YspCoder deleted the codex/conduct-risk-and-bug-assessment-4fecjc branch February 14, 2026 06:01
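
The guard behaviour described in this PR, as an added Go example that is not the project's code from `pkg/tools/shell.go`. Both regexes, the `guard` and `compileInsensitive` names, and the `mkfs` deny entry are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed patterns, not the project's. narrow: one literal flag order.
// broad: rm, any arguments, then a bare "/" or "/*" as a whole argument.
var (
	narrowRootWipe = regexp.MustCompile(`\brm\s+-rf\s+/(\s|$)`)
	broadRootWipe  = regexp.MustCompile(`(?i)(^|[;&|\s])rm\s+([^;&|]*\s)?/+\*?([;&|\s]|$)`)
)

// compileInsensitive prefixes each configured pattern with (?i) and
// preallocates the slice with len(patterns) capacity.
func compileInsensitive(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile("(?i)" + p)
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// guard returns a non-empty reason when cmd must be blocked. Regexes run on
// the original command string, never on a lowercased copy.
func guard(cmd string, deny []*regexp.Regexp) string {
	if broadRootWipe.MatchString(cmd) {
		return "removing root path / is forbidden"
	}
	for _, re := range deny {
		if re.MatchString(cmd) {
			return "command matches deny pattern " + re.String()
		}
	}
	return ""
}

func main() {
	deny, _ := compileInsensitive([]string{`\bmkfs\b`}) // constructed deny entry
	for _, c := range []string{"rm -rf /", "rm -fr /", "rm -r -f /", "rm --recursive --force /",
		"sudo rm -rf /*", "rm -rf /tmp/build", "rm -rf ./", "MKFS.ext4 /dev/sdb1"} {
		fmt.Printf("%-28q narrow=%-5v guard=%q\n", c, narrowRootWipe.MatchString(c), guard(c, deny))
	}
}
```

A regex guard of this kind is a pattern match on the command text, not a shell parser, so it belongs alongside the allow list and risk gate rather than in place of them.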