pub fn scrub_env(policy: &EnvPolicy) -> HashMap<String, String>
Build the env map a child should inherit per the declared policy.
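Added example, not the project's own code: one way a caller could apply a scrubbed map to a child process so that nothing outside the policy is inherited. `EnvPolicy` here is a hypothetical stand-in (the page does not show its definition), and `Env`, `scrub_env_from`, `sample_parent` and `child_command` are assumed names; the parent environment is passed in explicitly so the result is deterministic.

```rust
use std::collections::HashMap;
use std::process::Command;

type Env = HashMap<String, String>;

// Hypothetical stand-in: the page does not show how EnvPolicy is defined.
pub enum EnvPolicy {
    Empty,              // child gets no variables at all
    Allow(Vec<String>), // child gets only these names, if set in the parent
}

// Assumed variant of scrub_env that takes the parent environment as an
// argument, so the output does not depend on the machine running it.
pub fn scrub_env_from(policy: &EnvPolicy, parent: &Env) -> Env {
    match policy {
        EnvPolicy::Empty => HashMap::new(),
        EnvPolicy::Allow(names) => names
            .iter()
            .filter_map(|n| parent.get(n).map(|v| (n.clone(), v.clone())))
            .collect(),
    }
}

// Constructed sample parent environment (values are not real).
pub fn sample_parent() -> Env {
    [
        ("PATH", "/usr/bin:/bin"),
        ("LANG", "C.UTF-8"),
        ("AWS_SECRET_ACCESS_KEY", "constructed-not-a-real-key"),
        ("LD_PRELOAD", "/tmp/constructed.so"),
    ]
    .iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect()
}

// Build a Command whose environment is exactly the scrubbed map.
pub fn child_command(program: &str, env: &Env) -> Command {
    let mut cmd = Command::new(program);
    // Without env_clear() the child still inherits every parent variable,
    // and envs() would only add to or override that inherited set.
    cmd.env_clear().envs(env);
    cmd
}

fn main() {
    let policy = EnvPolicy::Allow(vec!["PATH".into(), "LANG".into(), "HOME".into()]);
    let cmd = child_command("env", &scrub_env_from(&policy, &sample_parent()));
    println!("{:?}", cmd.get_envs().collect::<Vec<_>>());
}
```

An allowlist drops `LD_PRELOAD` and credential variables by default, and a name that is allowed but unset in the parent (`HOME` here) is simply absent rather than set to an empty string.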