fix(ci): sandbox coreutils drift generation

[chaliy]

What

Hardens the coreutils argument-drift path so third-party generated Rust is not executed with repository write credentials.

Why

The weekly/manual drift workflow consumes uutils/coreutils, generates Rust from uu_app(), then builds and tests bashkit. A malicious upstream uu_app() could previously preserve executable statements in generated command builders and run them in a job with contents: write and pull-requests: write.

How

• Add args-mode validation in bashkit-coreutils-port so uu_app() must be a single clap Command::new(...) builder chain and rejects executable prefix statements/block control flow before emission.
• Add regression fixtures proving a write+abort payload is rejected and a normal builder expression is accepted.
• Split .github/workflows/coreutils-args-drift.yml into read-only regeneration/test and write-scoped PR creation jobs; read-only checkouts disable persisted credentials.
• Document TM-INF-025 in the threat model and coreutils args-port spec.

Risk

• Low / Medium / High: Medium
• What can break: future upstream uutils uu_app() shapes that are not simple builder chains will fail codegen and require an explicit generator update instead of silently emitting executable Rust.

Checklist

• Tests added or updated
• Backward compatibility considered

Verified:

• cargo test -p bashkit-coreutils-port
• cargo test -p bashkit --test spec_tests bash_spec_tests
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/coreutils-args-drift.yml"); puts "ok"'
• git diff --check
• just pre-pr

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	5bb0602	Commit Preview URL	May 08 2026, 07:57 PM