implement command safety for PowerShell commands

[iceweasel-oai]

Implement command safety for PowerShell commands on Windows

This change adds a new Windows-specific command-safety module under codex-rs/core/src/command_safety/windows_safe_commands.rs to strictly sanitise PowerShell invocations. Key points:

• Introduce is_safe_command_windows() to only allow explicitly read-only PowerShell calls.
• Parse and split PowerShell invocations (including inline -Command scripts and pipelines).
• Block unsafe switches (-File, -EncodedCommand, -ExecutionPolicy, unknown flags, call operators, redirections, separators).
• Whitelist only read-only cmdlets (Get-ChildItem, Get-Content, Select-Object, etc.), safe Git subcommands (status, log, show, diff, cat-file), and ripgrep without unsafe options.
• Add comprehensive unit tests covering allowed and rejected command patterns (nested calls, side effects, chaining, redirections).

This ensures Codex on Windows can safely execute discover-only PowerShell workflows without risking destructive operations.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[bolinfest]

I was never really clear how well this applies to Windows, particularly PowerShell?

[iceweasel-oai]

by the time we call shlex_split on a powershell command, the "powershell" part of it has been stripped out and we just call this on the raw command (e.g. Get-Content core/src/safety.rs | Select-Object -First 220) which gets split into ["Get-Content", "code/src/safety.rs", "|", "Select-Object", "-First", "220"]