feat: hardening de tools — deny-by-default, SSRF, path traversal, allowlists

Cambios de seguridad en las 4 herramientas de agentes:

- tools/file: deny-by-default (AllowedPaths vacío = todo denegado),
  resolución de symlinks con EvalSymlinks, protección contra path
  traversal (../) y confusión de prefijos (/opt vs /opt1234)
- tools/ssh: nuevo AllowedCommands allowlist (complementa ForbiddenCommands),
  validación de sintaxis shell (bloquea pipes, subshells, redirects, chains)
- tools/http: protección SSRF bloqueando IPs privadas, loopback, link-local,
  metadata (169.254.169.254). Validación de dominio case-insensitive.
- tools/matrix: nuevo parámetro AllowedRooms para restringir rooms destino
- internal/config/schema: AllowedCommands en SSHToolCfg, MatrixToolCfg nueva
- agents/runtime: pasa MatrixToolCfg al constructor de matrix_send

Parte de issue 0019 (prompt injection hardening). Feature flag OFF.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/ssh/ssh.go

@@ -12,7 +12,9 @@ import (
 )
 
 // NewSSHCommand creates an ssh_command tool that executes remote commands via SSH.
-// Validates targets against cfg.AllowedTargets and commands against cfg.ForbiddenCommands.
+// Validates targets against AllowedTargets (deny-by-default if non-empty),
+// commands against AllowedCommands allowlist (if non-empty, only those prefixes permitted),
+// and against ForbiddenCommands blocklist as a second defense layer.
 func NewSSHCommand(cfg config.SSHToolCfg, exec *shellssh.Executor) tools.Tool {
 	return tools.Tool{
 		Def: tools.Def{
@@ -33,7 +35,13 @@ func NewSSHCommand(cfg config.SSHToolCfg, exec *shellssh.Executor) tools.Tool {
 			if err := validateTarget(target, cfg.AllowedTargets); err != nil {
 				return tools.Result{Err: err}
 			}
-			if err := validateCommand(command, cfg.ForbiddenCommands); err != nil {
+			if err := validateAllowedCommand(command, cfg.AllowedCommands); err != nil {
+				return tools.Result{Err: err}
+			}
+			if err := validateForbiddenCommand(command, cfg.ForbiddenCommands); err != nil {
+				return tools.Result{Err: err}
+			}
+			if err := validateCommandSyntax(command); err != nil {
 				return tools.Result{Err: err}
 			}
 
@@ -73,7 +81,23 @@ func validateTarget(target string, allowed []string) error {
 	return fmt.Errorf("ssh target %q not in allowed list", target)
 }
 
-func validateCommand(command string, forbidden []string) error {
+// validateAllowedCommand checks that the command starts with one of the allowed prefixes.
+// If the allowlist is empty, all commands pass this check (blocklist still applies).
+func validateAllowedCommand(command string, allowed []string) error {
+	if len(allowed) == 0 {
+		return nil
+	}
+	lower := strings.ToLower(command)
+	for _, a := range allowed {
+		if strings.HasPrefix(lower, strings.ToLower(a)) {
+			return nil
+		}
+	}
+	return fmt.Errorf("ssh command not in allowed commands list")
+}
+
+// validateForbiddenCommand checks that the command does not contain any forbidden patterns.
+func validateForbiddenCommand(command string, forbidden []string) error {
 	lower := strings.ToLower(command)
 	for _, f := range forbidden {
 		if strings.Contains(lower, strings.ToLower(f)) {
@@ -82,3 +106,25 @@ func validateCommand(command string, forbidden []string) error {
 	}
 	return nil
 }
+
+// validateCommandSyntax rejects commands with suspicious shell constructs
+// that could be used to bypass restrictions: pipes to external services,
+// subshells, and output redirection.
+func validateCommandSyntax(command string) error {
+	suspicious := []string{
+		"|",  // pipe (can exfiltrate output)
+		"$(", // command substitution
+		"`",  // backtick substitution
+		">>", // append redirection
+		">",  // output redirection
+		"&&", // command chaining
+		"||", // command chaining
+		";",  // command separator
+	}
+	for _, s := range suspicious {
+		if strings.Contains(command, s) {
+			return fmt.Errorf("ssh command contains disallowed shell syntax %q", s)
+		}
+	}
+	return nil
+}