Review Sprig os* functions in safe template allowlist

[lanycrost]

Problem statement

The safe Sprig function allowlist in templating/funcs.go includes filesystem path helpers: osBase, osClean, osDir, osExt, osIsAbs. These functions operate on string arguments (not the filesystem), but they could leak host path structure information if a template author passes server-side values through them.

Additionally, there is no test that fails when Sprig adds new functions in future versions, meaning new potentially dangerous functions could silently become available.

Proposed change

1. Evaluate whether osBase, osClean, osDir, osExt, osIsAbs belong in the safe list. They operate on strings only (no filesystem access), but they reveal OS-specific path semantics. Decide and document the reasoning either way.

2. Add a comprehensive Sprig function audit test that fails if unreviewed functions appear:

func TestAllSprigFunctionsExplicitlyReviewed(t *testing.T) {
    all := sprig.TxtFuncMap()
    for name := range all {
        if !isInSafeList(name) && !isInDenyList(name) {
            t.Errorf("unreviewed Sprig function: %s — add to safe or deny list", name)
        }
    }
}

This ensures any Sprig version bump forces an explicit review of new functions.

Affected area

• templating

Compatibility / migration

If any os* functions are removed from the safe list, templates using them would fail validation. This would be a minor breaking change requiring a changelog note.

Alternatives considered

• Keeping all os* functions — they are string-only and don't touch the filesystem. The risk is information leakage, not code execution.

Additional context

The existing denylist test in funcs_test.go checks env, expandenv, repeat, seq, until, untilStep, getHostByName. This issue proposes making that test exhaustive. Identified during security review.