…mmand detection

DANGEROUS_PATTERNS ran against the literal command string, so four shell
tokenization tricks that the shell strips or substitutes at exec time would
silently bypass every detection rule. Reported in GHSA-xvmp-c27r-qw3c and
GHSA-pwx6-3q74-cxwr.

Bypasses closed:
1. Empty quote pairs: `r""m -rf /tmp` → shell collapses `r""m` to `rm`
2. ${IFS} / $IFS: `rm${IFS}-rf${IFS}/tmp` → expands to `rm -rf /tmp`
3. $(cmd) / `cmd` command substitution: `$(echo rm) -rf /tmp` → runs rm
4. ANSI-C quoting: `$'\\x72\\x6d' -rf /tmp` → decodes to `rm -rf /tmp`

Implementation: split normalization into two complementary passes.
_normalize_command_for_detection keeps the literal form (needed for
structural patterns like `kill $(pgrep ...)` that target the substitution
idiom itself). _expand_shell_obfuscations reverses the four tokenization
tricks. detect_dangerous_command matches every DANGEROUS_PATTERNS entry
against both forms and flags on either match.

Also strips quoted single-identifier tokens after command substitution
inlining so `$(echo 'rm') -rf` resolves correctly. The strip only fires
for shell-safe identifier content (no spaces, no metacharacters), so
legitimate quoted strings like `echo "hello world"` or
`git commit -m 'fix: update'` are unaffected.

Tests: 19 new regression tests covering all four bypass classes plus
false-positive guards for quoted log messages, grep patterns, commit
messages, curl headers, and \${PATH}-style variable expansion. The
structural `kill $(pgrep ...)` pattern added in aedf6c7 continues to
fire on the literal form.