fix(exec): harden safe-bin trust and add explicit trusted dirs

2026-05-02 06:28:34 +00:00 · 2026-02-22 22:42:29 +01:00
parent 08fb38f729
commit 64b273a71c
18 changed files with 123 additions and 55 deletions
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -418,6 +418,8 @@ export const FIELD_HELP: Record<string, string> = {
  "tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
  "tools.exec.safeBins":
    "Allow stdin-only safe binaries to run without explicit allowlist entries.",
+  "tools.exec.safeBinTrustedDirs":
+    "Additional explicit directories trusted for safe-bin path checks (PATH entries are never auto-trusted).",
  "tools.exec.safeBinProfiles":
    "Optional per-binary safe-bin profiles (positional limits + allowed/denied flags).",
  "tools.profile":