Add .loop-build harness and IntelliJ project configuration files

.loop-build/config/allowlist.txt

@@ -0,0 +1,27 @@
+ls
+ls -la
+cat
+rg
+grep
+tree
+git status
+git diff
+git rev-parse
+git log
+git show
+git branch
+git branch --show-current
+git status --short
+git blame
+sed
+awk
+head
+tail
+wc
+printf
+echo
+find
+pwd
+git restore --source
+true
+false

.loop-build/config/denylist.txt

@@ -0,0 +1,24 @@
+sudo
+rm -rf
+rm -fr
+curl
+wget
+git clone
+git push
+git pull
+git commit
+git rebase
+git reset
+npm install
+npm i
+yarn add
+yarn install
+pnpm add
+pnpm install
+pip install
+pip3 install
+composer install
+bash -c
+sh -c
+curl | bash
+wget | sh

.loop-build/config/policy.env

@@ -0,0 +1,13 @@
+# Loop Build policy toggles
+# Safe-by-default behavior:
+# - read-only commands in allowlist pass without explicit approval
+# - all other non-denylist commands can run only when the harness is in an approved execution context
+
+POLICY_SECONDARY_CONFIRM=0
+ALLOW_SUDO=0
+ALLOW_RM_RF=0
+ALLOW_NETWORK=0
+ALLOW_CURL_BASH=0
+ALLOW_INSTALL=0
+ALLOW_GIT_NETWORK=0
+ALLOW_PROFILE_MODIFY=0