#20135: feat(security): RubberBand - static command pattern detection for exec pipeline

by jeffaf open 2026-02-18 15:16
agents size: XL
> **Replaces #8023** (auto-closed by bot due to a dirty force push — branch is now clean)
>
> ## Summary
>
> Adds a lightweight static detection layer to the exec pipeline that catches dangerous commands (credential access, exfiltration, reverse shells, persistence) as defense-in-depth against prompt injection.
>
> **RFC Discussion:** #4981
>
> ## What it does
>
> Pre-exec hook that analyzes commands before execution:
>
> - **Credential access** - SSH keys, AWS creds, API tokens
> - **Data exfiltration** - outbound data transfers
> - **Reverse shells** - various shell callback techniques
> - **Config tampering** - writes to protected config files
> - **Memory poisoning** - writes to agent memory files
> - **Persistence** - scheduled task creation
> - **Indirect execution** - piped shell commands, eval
>
> ## Key differentiators
>
> This PR improves on prior approaches (Shield-Shell #4684, #7604 proposal) with:
>
> - **Zero external dependencies** - works fully offline, no API keys or cloud services required
> - **Bypass mitigations**: Unicode normalization (NFKC), URL decoding, shell escape expansion
> - **Context-aware scoring**: stripped content + execution pattern = higher risk
> - **Configurable thresholds**: alert vs block based on score
> - **Tested against 134 bypass techniques** (98.5% detection, 0 false positives)
> - **Modes**: off | log | alert | block | shadow
> - **Channel notifications**: Optional alerts to configured channel when commands are blocked/flagged
>
> ## Performance
>
> ~0.005ms overhead per command (effectively invisible vs 10-50ms exec spawn time).
>
> ## Configuration
>
> ```yaml
> tools:
>   exec:
>     rubberband:
>       enabled: true
>       mode: "alert"  # off | log | alert | block | shadow
>       notifyChannel: true
>       thresholds:
>         alert: 40
>         block: 60
> ```
>
> ## Related work
>
> - **Shield-Shell (#4684)** - Similar goal, closed during freeze. RubberBand adds bypass mitigations and broader detection categories.
> - **#7604** - Proposal for input/output validation. RubberBand is complementary (exec-level vs prompt-level).
> - **#3387** - Tool result scanning. Different layer (output content vs command execution).
>
> ## AI Disclosure
>
> Developed with Claude (Opus 4.5) running in OpenClaw. Fully tested on live fork. I understand the code and can answer questions.
>
> *Like the bands on lobster claws — keeps the agent from pinching the operator.*
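
A sketch of the normalize-then-score flow the PR summary describes, added here as an illustration and not taken from the RubberBand code. The rule regexes, weights and obfuscation bonus are assumptions; only the 40/60 thresholds come from the PR's configuration block.

```javascript
// Added illustration, not RubberBand's code. Rule regexes, weights and the
// obfuscation bonus are assumptions; only the 40/60 thresholds come from the PR.
const RULES = [
  { category: "credential_access", weight: 50,
    re: /(^|[\s\/])\.ssh\/id_[a-z0-9]+|\.aws\/credentials/i },
  { category: "indirect_execution", weight: 45,
    re: /\|\s*(ba|z|da)?sh\b|\beval\s/i },
];
const OBFUSCATION_BONUS = 20; // assumed: decoded content + rule hit = higher risk
const THRESHOLDS = { alert: 40, block: 60 };

// The three bypass mitigations the PR names, applied before any matching.
function normalize(command) {
  let out = command.normalize("NFKC"); // fold fullwidth/compatibility forms
  for (let i = 0; i < 3; i++) {        // bounded, so double encoding is unwound
    let next;
    try { next = decodeURIComponent(out); } catch { break; } // e.g. `date +%Y`
    if (next === out) break;
    out = next;
  }
  // Shell escape expansion: \xHH and \NNN escapes, then unwrap $'...' quoting.
  out = out.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/\\([0-7]{3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
  return out.replace(/\$'([^']*)'/g, "$1");
}

function analyze(command, thresholds = THRESHOLDS) {
  const normalized = normalize(command);
  const hits = RULES.filter((r) => r.re.test(normalized));
  let score = hits.reduce((sum, r) => sum + r.weight, 0);
  // Context-aware step: a hit on a command that needed decoding scores higher.
  if (hits.length > 0 && normalized !== command) score += OBFUSCATION_BONUS;
  score = Math.min(score, 100);
  const action = score >= thresholds.block ? "block"
    : score >= thresholds.alert ? "alert" : "allow";
  return { score, action, categories: hits.map((r) => r.category), normalized };
}

// Constructed sample commands, not taken from the PR's test corpus.
const SAMPLES = [
  "ls -la /tmp",
  "date +%Y-%m-%d",
  "cat ~/.ssh/id_rsa",
  "cat ~/.ssh/id%5Frsa",
  "cat ~/.\uFF53\uFF53\uFF48/id_rsa",
];
for (const cmd of SAMPLES) {
  const { score, action } = analyze(cmd);
  console.log(`${action.padEnd(5)} ${String(score).padStart(3)}  ${cmd}`);
}
```

The plain credential read lands at the alert threshold, while the URL-encoded and fullwidth variants of the same command cross the block threshold because normalization had to change them before the rule matched.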

Most Similar PRs