Add ability to block commands

internal/sandbox/manager.go

@@ -94,6 +94,7 @@ func (m *Manager) Initialize() error {
 }
 
 // WrapCommand wraps a command with sandbox restrictions.
+// Returns an error if the command is blocked by policy.
 func (m *Manager) WrapCommand(command string) (string, error) {
 	if !m.initialized {
 		if err := m.Initialize(); err != nil {
@@ -101,6 +102,11 @@ func (m *Manager) WrapCommand(command string) (string, error) {
 		}
 	}
 
+	// Check if command is blocked by policy
+	if err := CheckCommand(command, m.config); err != nil {
+		return "", err
+	}
+
 	plat := platform.Detect()
 	switch plat {
 	case platform.MacOS: