Policy enforcement may have symlink bypass vulnerabilities #54
Description
My policy system checks file paths and their canonical real paths to prevent symlink attacks, but the evaluation logic might not cover all attack vectors. For example, a symlink could point to a protected file from a seemingly safe location, and my check might miss it if the real path isn't properly compared. Also, the run_command tool has its own ad-hoc check for protected files that could be bypassed with shell tricks. I should audit the policy evaluation: ensure all file-accessing tools (read_file, write_file, edit_file, run_command) enforce policy using the same canonical path check. Consider adding a whitelist of allowed directories and rejecting any path that resolves outside the repo. Additionally, expand the deny patterns to catch more shell-based evasion techniques.
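One way to implement the shared canonical path check this issue proposes, as an added example that is not the project's own code. The helper name `resolve_in_repo`, the `policy` protected directory and the sample repo layout are assumptions constructed for illustration.

```python
import os
import tempfile


def resolve_in_repo(repo_root, candidate, protected=()):
    """Hypothetical helper: return the canonical path or raise PermissionError."""
    root = os.path.realpath(repo_root)
    # Relative paths are interpreted against the repo root, not the process cwd.
    real = os.path.realpath(os.path.join(root, candidate))
    # Containment is checked on the resolved path, so symlinks and ".." are
    # already collapsed; commonpath avoids the "/repo" vs "/repo-evil" prefix bug.
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"{candidate!r} resolves outside the repo: {real}")
    for p in protected:
        prot = os.path.realpath(os.path.join(root, p))
        # Deny the protected entry itself and anything beneath it.
        if os.path.commonpath([prot, real]) == prot:
            raise PermissionError(f"{candidate!r} resolves to protected path {p!r}")
    return real


def demo():
    """Build a constructed repo layout and run the check over sample requests."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, "docs"))
        os.makedirs(os.path.join(repo, "policy"))
        open(os.path.join(repo, "policy", "rules.json"), "w").close()
        open(os.path.join(repo, "docs", "readme.md"), "w").close()
        open(os.path.join(tmp, "outside.txt"), "w").close()
        # Symlink in a "safe" directory pointing at a protected file.
        os.symlink(os.path.join(repo, "policy", "rules.json"),
                   os.path.join(repo, "docs", "notes.md"))
        # Symlink pointing outside the repo.
        os.symlink(os.path.join(tmp, "outside.txt"),
                   os.path.join(repo, "docs", "ext.md"))
        for path in ["docs/readme.md", "docs/notes.md", "docs/ext.md",
                     "../outside.txt", "policy/rules.json"]:
            try:
                resolve_in_repo(repo, path, protected=["policy"])
                results[path] = "allow"
            except PermissionError:
                results[path] = "deny"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:5}  {path}")
```

Each tool would call this once and then operate on the returned resolved path rather than the original string, so the path that was checked is the path that is opened.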