fix(security): add optional workspace-only path guards for fs tools

This commit is contained in:
Peter Steinberger
2026-02-14 23:50:04 +01:00
parent 55a25f9875
commit 5e7c3250cb
14 changed files with 201 additions and 25 deletions


@@ -187,6 +187,11 @@ export type ExecToolConfig = {
applyPatch?: {
/** Enable apply_patch for OpenAI models (default: false). */
enabled?: boolean;
/**
* Restrict apply_patch paths to the workspace directory.
* Default: true (safer; does not affect read/write/edit).
*/
workspaceOnly?: boolean;
/**
* Optional allowlist of model ids that can use apply_patch.
* Accepts either raw ids (e.g. "gpt-5.2") or full ids (e.g. "openai/gpt-5.2").
@@ -195,6 +200,14 @@ export type ExecToolConfig = {
};
};
export type FsToolsConfig = {
/**
* Restrict filesystem tools (read/write/edit/apply_patch) to the agent workspace directory.
* Default: false (unrestricted, matches legacy behavior).
*/
workspaceOnly?: boolean;
};
export type AgentToolsConfig = {
/** Base tool profile applied before allow/deny lists. */
profile?: ToolProfileId;
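Review bot: The doc comment on the new `FsToolsConfig.workspaceOnly` names apply_patch among the guarded tools, but `applyPatch.workspaceOnly` in the preceding hunk also governs apply_patch with the opposite default (true), and neither comment says which setting wins when an operator sets the two differently. Since both flags are opt-in config that a reader will tune without seeing the enforcing code, I would add one line to the new comment, e.g. `* For apply_patch this is combined with exec.applyPatch.workspaceOnly ({PLACEHOLDER: state which setting takes precedence}).`, with the matching sentence on the apply_patch field. The same question applies to the agent-level `fs?: FsToolsConfig` versus the top-level `tools.fs` added in the following hunks: a short note on whether the agent value overrides or merges with the global one would help. The "Default: false" remark is clear, but it would be worth stating explicitly that the restriction must be enabled per deployment, so operators do not assume the guard is on after upgrading.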
@@ -213,6 +226,8 @@ export type AgentToolsConfig = {
};
/** Exec tool defaults for this agent. */
exec?: ExecToolConfig;
/** Filesystem tool path guards. */
fs?: FsToolsConfig;
sandbox?: {
tools?: {
allow?: string[];
@@ -442,6 +457,8 @@ export type ToolsConfig = {
};
/** Exec tool defaults. */
exec?: ExecToolConfig;
/** Filesystem tool path guards. */
fs?: FsToolsConfig;
/** Sub-agent tool policy defaults (deny wins). */
subagents?: {
/** Default model selection for spawned sub-agents (string or {primary,fallbacks}). */