
fix(security): extend MCP env var blocklist with PATH, proxy, and language-specific vars #2437

@bug-ops

Description


Context

PR #2436 added env var sanitization for MCP stdio child processes, filtering LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, DYLD_LIBRARY_PATH, _RLD_LIST, and SHLIB_PATH.

Gap

The following dangerous env vars are NOT currently filtered:

  • PATH — can redirect binary execution to attacker-controlled paths
  • HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, NO_PROXY — can redirect network traffic through attacker-controlled proxies
  • BASH_ENV, ENV — executed by bash/sh on startup
  • PYTHONPATH, NODE_PATH, RUBYLIB — can inject attacker-controlled modules into interpreted runtimes

Fix

Add these vars to the is_dangerous_env_var() blocklist in crates/zeph-acp/src/mcp_bridge.rs.

For PATH: either strip entirely and pass a minimal safe PATH, or allowlist known-safe system paths.
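As an added example (not code from the zeph project or from this issue's author), the following Rust sketch shows what the extended blocklist and the "strip PATH and pass a minimal safe PATH" option could look like. The `SAFE_PATH` value, the case-insensitive comparison, and the function signatures are assumptions of this example; the project's real is_dangerous_env_var() in crates/zeph-acp/src/mcp_bridge.rs is not reproduced here. The case-insensitive match is a deliberate extension of the issue's list: curl and several other clients honor the lowercase `http_proxy` spelling as well, so matching only the uppercase names would leave that route open.

```rust
use std::process::Command;

/// Fixed PATH handed to the child in place of whatever the parent had.
/// Constructed for this example; a real deployment would pick its own.
pub const SAFE_PATH: &str = "/usr/local/bin:/usr/bin:/bin";

/// Returns true if `name` must not be inherited by an MCP stdio child.
/// The first group is the list already filtered by PR #2436; the remaining
/// groups are the additions this issue asks for. Comparison is
/// ASCII-case-insensitive so that `http_proxy` is caught as well as `HTTP_PROXY`.
pub fn is_dangerous_env_var(name: &str) -> bool {
    matches!(
        name.to_ascii_uppercase().as_str(),
        // dynamic-loader injection (filtered since PR #2436)
        "LD_PRELOAD" | "LD_LIBRARY_PATH" | "DYLD_INSERT_LIBRARIES" | "DYLD_LIBRARY_PATH"
            | "_RLD_LIST" | "SHLIB_PATH"
        // binary lookup: an attacker-controlled PATH redirects which binary runs
            | "PATH"
        // network redirection through an attacker-controlled proxy
            | "HTTP_PROXY" | "HTTPS_PROXY" | "ALL_PROXY" | "NO_PROXY"
        // files sourced by bash/sh at startup
            | "BASH_ENV" | "ENV"
        // module search paths for interpreted runtimes
            | "PYTHONPATH" | "NODE_PATH" | "RUBYLIB"
    )
}

/// Builds the child's environment from the parent's: every dangerous variable
/// is dropped, then a fixed PATH is appended so the child can still locate
/// system binaries. Works for `std::env::vars()` and for constructed lists.
pub fn sanitize_env<K, V, I>(parent: I) -> Vec<(String, String)>
where
    I: IntoIterator<Item = (K, V)>,
    K: AsRef<str>,
    V: AsRef<str>,
{
    let mut out: Vec<(String, String)> = parent
        .into_iter()
        .filter(|(k, _)| !is_dangerous_env_var(k.as_ref()))
        .map(|(k, v)| (k.as_ref().to_string(), v.as_ref().to_string()))
        .collect();
    out.push(("PATH".to_string(), SAFE_PATH.to_string()));
    out
}

/// Applies the sanitized environment to a `Command`. `env_clear()` matters:
/// without it the child would still inherit everything the filter removed.
pub fn configure_command<K, V, I>(cmd: &mut Command, parent: I)
where
    I: IntoIterator<Item = (K, V)>,
    K: AsRef<str>,
    V: AsRef<str>,
{
    cmd.env_clear().envs(sanitize_env(parent));
}

fn main() {
    // Constructed parent environment for the demonstration.
    let parent = vec![
        ("HOME", "/home/user"),
        ("PATH", "/tmp/untrusted:/usr/bin"),
        ("PYTHONPATH", "/tmp/untrusted"),
        ("http_proxy", "http://127.0.0.1:8080"),
        ("LANG", "C.UTF-8"),
    ];
    for (k, v) in sanitize_env(parent) {
        println!("{k}={v}");
    }
    // Real use: build the stdio server command with the cleaned environment.
    let mut cmd = Command::new("mcp-server");
    configure_command(&mut cmd, std::env::vars());
}
```

The filter runs on names only, so it cannot be bypassed by a variable whose value merely looks harmless, and because `env_clear()` is called first, a child gets exactly the surviving variables plus the fixed PATH and nothing inherited by default.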

Labels

  • P2 (high value, medium complexity)
  • security (security-related issue)