Thank you Helmut and Chris for the helpful discussion. I have finally found some time to review your comments and the proposed molly-guard patches. While I'm still not 100% confident I understand the problem (and the fix), the solution you have settled on makes sense to me.
With respect to the presence of the real commands in the path, I'm not too worried about it personally. I do agree it's unfortunate and it would be great if we could do this reliably without putting the diverted binary within easy reach, but at the end of the day, molly-guard will never catch all possible mistakes. As Helmut pointed out, it's already missing some cases (and it's always been possible to "init 6" as well), but I think it still provides a useful service if it catches the most common cases of accidental reboots. I had a similar dilemma for another package I maintain (safe-rm) and I've decided there to focus on the most common cases again to reduce complexity, and improve reliability. I will leave this for a few days in case others like Simó want to also chime in, but otherwise I am planning to upload to experimental this week and then unstable a few days later. Again many thanks for all of the work that has gone into solving this thorny problem. Francois