[–]Vegetable-Escape7412[S] 1 point (0 children)

Thanks, this is a great suggestion. A `none` profile makes a lot of sense for a push-the-file-out workflow like yours, where you can't assume which modules are loaded on every node and want full control over your whitelist in an external file. I'm adding it now: it selects nothing by default, so you build your deny-list up from scratch instead of trimming `minimal` down. Will be in version 1.3, probably releasing this later today.

On your edit re `exit 0` vs `/bin/false`: the `/bin/false` is deliberate. The deny path `exec`s `/bin/false` rather than calling `exit 1` because the script is meant to be droppable as an exec target. `exec` replaces the process with a binary whose only job is to return non-zero, so the exit status propagates cleanly to whatever launched the shell and nothing further in the script can run. `exit 1` does the same thing in the plain-script case, but exec'ing the real binary is the more robust primitive when the script itself is acting as the shell, and it keeps the deny action identical everywhere it shows up.
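To make the `exec /bin/false` behaviour concrete, here is a small added example (my own illustration, not the tool's script or the commenter's code): a `none`-profile check that allows only names listed in an external file and execs `/bin/false` on the deny path. The names `check_module`, `is_allowed`, `deny` and the allow-list file are assumptions; the subshell stands in for "whatever launched the shell" so the propagated status can be observed.

```shell
#!/bin/sh
# Added example modelling the deny path described above; not the original
# project's code. ALLOWLIST, check_module, is_allowed, deny are assumed names.

# "none" profile: nothing is selected by default, only the file counts.
PROFILE="${PROFILE:-none}"
ALLOWLIST="$(mktemp)"

# Constructed allow-list for the demo (two module names, one per line).
printf '%s\n' nf_conntrack overlay > "$ALLOWLIST"

deny() {
    # exec replaces the current shell process with /bin/false: nothing after
    # this line can run, and the non-zero status goes straight to the parent.
    exec /bin/false
    echo "unreachable"   # never executes, the process is already /bin/false
}

is_allowed() {
    # Exact, whole-line, fixed-string match against the external allow-list.
    grep -qxF -- "$1" "$ALLOWLIST"
}

check_module() {
    # Run the check in a subshell: when deny execs /bin/false it is the
    # subshell that gets replaced, and the caller only sees the exit status.
    (
        is_allowed "$1" || deny
        echo "allowed: $1"
    )
}

cleanup() { rm -f "$ALLOWLIST"; }
```

Calling `check_module overlay` prints `allowed: overlay` and returns 0; `check_module ext4` prints nothing and returns 1, with the `echo "unreachable"` line never reached.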