Open file arguments through Casper's cap_fileargs service and enter capability mode after limiting stdio rights, so cut(1) and rev(1) run sandboxed.

cut(1) is a bootstrap tool, so the Makefile drops the Casper libraries and -DWITH_CASPER while BOOTSTRAPPING; <casper/cap_fileargs.h> then resolves fileargs_*() to plain fopen(3), matching wc(1)/head(1).