fix(security): eliminate safeBins file-existence oracle

src/infra/exec-approvals.test.ts

@@ -524,6 +524,64 @@ describe("exec approvals safe bins", () => {
     expect(defaults.has("sort")).toBe(false);
     expect(defaults.has("grep")).toBe(false);
   });
+
+  it("blocks sort output flags independent of file existence", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const cwd = makeTempDir();
+    fs.writeFileSync(path.join(cwd, "existing.txt"), "x");
+    const resolution = {
+      rawExecutable: "sort",
+      resolvedPath: "/usr/bin/sort",
+      executableName: "sort",
+    };
+    const safeBins = normalizeSafeBins(["sort"]);
+    const existing = isSafeBinUsage({
+      argv: ["sort", "-o", "existing.txt"],
+      resolution,
+      safeBins,
+      cwd,
+    });
+    const missing = isSafeBinUsage({
+      argv: ["sort", "-o", "missing.txt"],
+      resolution,
+      safeBins,
+      cwd,
+    });
+    const longFlag = isSafeBinUsage({
+      argv: ["sort", "--output=missing.txt"],
+      resolution,
+      safeBins,
+      cwd,
+    });
+    expect(existing).toBe(false);
+    expect(missing).toBe(false);
+    expect(longFlag).toBe(false);
+  });
+
+  it("does not consult file existence callbacks for safe-bin decisions", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    let checkedExists = false;
+    const ok = isSafeBinUsage({
+      argv: ["sort", "-o", "target.txt"],
+      resolution: {
+        rawExecutable: "sort",
+        resolvedPath: "/usr/bin/sort",
+        executableName: "sort",
+      },
+      safeBins: normalizeSafeBins(["sort"]),
+      cwd: "/tmp",
+      fileExists: () => {
+        checkedExists = true;
+        return true;
+      },
+    });
+    expect(ok).toBe(false);
+    expect(checkedExists).toBe(false);
+  });
 });
 
 describe("exec approvals allowlist evaluation", () => {