fix(recipe): improve allowed shell command validation

Update the command matching logic to require an exact match or the command followed by a space and arguments. Also normalize case and trim whitespace for safe commands to prevent loose prefix matches that could allow unintended commands.

internal/recipe/loader.go

@@ -75,9 +75,13 @@ func Load(path string, userParams map[string]any) (*Recipe, error) {
 	safeMap := safeCommands()
 	for _, cmd := range r.AllowedShellCommands {
 		trimmed := strings.ToLower(strings.TrimSpace(cmd))
+
 		allowed := false
 		for safe := range safeMap {
-			if strings.HasPrefix(trimmed, safe) {
+			safeTrim := strings.ToLower(strings.TrimSpace(safe))
+
+			// Match exact command OR command followed by space + arguments
+			if trimmed == safeTrim || strings.HasPrefix(trimmed, safeTrim+" ") {
 				allowed = true
 				break
 			}