fix(security): close shell denylist bypass vectors #820

Open
GoCeylan wants to merge 1 commit into sipeed:main from GoCeylan:fix/shell-denylist-bypasses
Conversation

@GoCeylan (Contributor) commented Feb 26, 2026

📝 Description

Fixes 5 bypass patterns in the shell command deny list that could allow prompt injection attacks to execute arbitrary commands on the device.

Bypasses closed:

  • Dot-sourcing: . evil.sh was not caught (only source keyword was blocked)
  • Shell by path: | /bin/bash bypassed | bash check
  • Source without .sh: source /etc/profile bypassed the .sh extension requirement
  • Here-string: bash <<< "cmd" was not caught
  • su -c: sudo alternative was not blocked

Adds 13 test cases covering each bypass vector.

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)

🤖 AI Code Generation

  • 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Security audit finding, no existing issue.

📚 Technical Context (Skip for Docs)

  • Reference URL: N/A
  • Reasoning: The deny list is the primary guard against arbitrary shell execution triggered by prompt injection from external chat channels. Since the codebase is public, attackers can read the exact regex patterns and craft inputs that evade them.

🧪 Test Environment

  • Hardware: MacBook (Apple Silicon)
  • OS: macOS (Darwin 23.3.0)
  • Model/Provider: N/A
  • Channels: N/A

📸 Evidence (Optional)

13 new subtests in TestShellTool_DenylistBypasses covering each vector.
Run with: go test ./pkg/tools/ -run TestShellTool_DenylistBypasses -v

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.
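The five vectors listed in the description can be checked against a command-position denylist, that is, one where each blocked word must be the first token of the line or follow a separator such as |, ;, &, newline, $( or a backtick. The following Go program is an added example written for this page; it is not the project's own implementation, and the rule names, the Deny function and the sample commands are constructed here for illustration. It also shows one input (env bash) that this example's rules still let through, which is the point made in the Technical Context: a public denylist is defence in depth, not a boundary.

```go
package main

import (
	"fmt"
	"regexp"
)

// cmdStart anchors a rule at a command position: start of input, after a
// command separator, inside $( ... ) or inside backticks. "echo sudo" is
// therefore allowed while "; sudo id" and "| /bin/bash" are caught.
// (Assumed convention for this example, not the project's pattern.)
const cmdStart = `(?:^\s*|[|;&\n]\s*|\$\(\s*|` + "`" + `\s*)`

// denyRules is a hypothetical denylist covering the five bypasses in the PR.
var denyRules = []struct {
	name string
	re   *regexp.Regexp
}{
	// "source x" and dot-sourcing ". x"; no .sh suffix required, so
	// "source /etc/profile" is caught as well as "source evil.sh".
	{"source/dot-source", regexp.MustCompile(cmdStart + `(?:source|\.)\s+\S`)},
	// bash/sh/zsh/dash/ksh as a command word, bare or by absolute path,
	// so "| /bin/bash" is treated the same as "| bash".
	{"shell-invocation", regexp.MustCompile(cmdStart + `(?:/\S*/)?(?:ba|da|z|k)?sh\b`)},
	// A here-string feeds its contents to whatever reads stdin.
	{"here-string", regexp.MustCompile(`<<<`)},
	// sudo anywhere at a command position, and su with -c in any position
	// of its argument list (covers "su -c id" and "su root -c id").
	{"sudo/su -c", regexp.MustCompile(cmdStart + `(?:sudo\b|su\b[^|;&\n]*\s-c\b)`)},
}

// Deny returns the name of the first rule the command matches, or "" if the
// command is allowed by this example's rules.
func Deny(cmd string) string {
	for _, r := range denyRules {
		if r.re.MatchString(cmd) {
			return r.name
		}
	}
	return ""
}

func main() {
	// Constructed sample inputs: the five PR vectors, a few benign
	// commands that share substrings with blocked words, and one bypass
	// that this denylist does not close.
	samples := []string{
		". evil.sh",
		"source /etc/profile",
		"echo hi | /bin/bash",
		`bash <<< "id"`,
		`cat <<< "$(id)"`,
		"su -c id",
		`su root -c "id"`,
		"ls -la .",
		"cat notes.sh",
		"sha256sum file",
		"ssh host",
		"env bash", // still allowed: the denylist does not see the word at a command position
	}
	for _, s := range samples {
		verdict := Deny(s)
		if verdict == "" {
			verdict = "allowed"
		}
		fmt.Printf("%-22q -> %s\n", s, verdict)
	}
}
```

Running it prints a verdict per sample; the last line shows that env bash, and by the same logic xargs, nohup or an interpreter such as perl -e, pass this list unchanged, so the shell tool still needs a boundary below the denylist (a restricted user, a sandbox, or an allowlist of commands) rather than relying on the regexes alone.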
