fix: align agent exec config

src/agents/bash-tools.exec.ts

@@ -343,10 +343,7 @@ export function createExecTool(
 
       const configuredSecurity = defaults?.security ?? "deny";
       const requestedSecurity = normalizeExecSecurity(params.security);
-      let security = minSecurity(
+      let security = minSecurity(configuredSecurity, requestedSecurity ?? configuredSecurity);
-        configuredSecurity,
-        requestedSecurity ?? configuredSecurity,
-      );
       if (elevatedRequested) {
         security = "full";
       }

src/agents/pi-tools.ts

@@ -213,7 +213,6 @@ export function createClawdbotCodingTools(options?: {
     messageProvider: options?.messageProvider,
     backgroundMs: options?.exec?.backgroundMs ?? execConfig.backgroundMs,
     timeoutSec: options?.exec?.timeoutSec ?? execConfig.timeoutSec,
-    cleanupMs: options?.exec?.cleanupMs ?? execConfig.cleanupMs,
     notifyOnExit: options?.exec?.notifyOnExit ?? execConfig.notifyOnExit,
     sandbox: sandbox
       ? {

src/config/types.tools.ts

@@ -120,6 +120,35 @@ export type ToolPolicyConfig = {
   profile?: ToolProfileId;
 };
 
+export type ExecToolConfig = {
+  /** Exec host routing (default: sandbox). */
+  host?: "sandbox" | "gateway" | "node";
+  /** Exec security mode (default: deny). */
+  security?: "deny" | "allowlist" | "full";
+  /** Exec ask mode (default: on-miss). */
+  ask?: "off" | "on-miss" | "always";
+  /** Default node binding for exec.host=node (node id/name). */
+  node?: string;
+  /** Default time (ms) before an exec command auto-backgrounds. */
+  backgroundMs?: number;
+  /** Default timeout (seconds) before auto-killing exec commands. */
+  timeoutSec?: number;
+  /** How long to keep finished sessions in memory (ms). */
+  cleanupMs?: number;
+  /** Emit a system event and heartbeat when a backgrounded exec exits. */
+  notifyOnExit?: boolean;
+  /** apply_patch subtool configuration (experimental). */
+  applyPatch?: {
+    /** Enable apply_patch for OpenAI models (default: false). */
+    enabled?: boolean;
+    /**
+     * Optional allowlist of model ids that can use apply_patch.
+     * Accepts either raw ids (e.g. "gpt-5.2") or full ids (e.g. "openai/gpt-5.2").
+     */
+    allowModels?: string[];
+  };
+};
+
 export type AgentToolsConfig = {
   /** Base tool profile applied before allow/deny lists. */
   profile?: ToolProfileId;
@@ -134,6 +163,8 @@ export type AgentToolsConfig = {
     /** Approved senders for /elevated (per-provider allowlists). */
     allowFrom?: AgentElevatedAllowFromConfig;
   };
+  /** Exec tool defaults for this agent. */
+  exec?: ExecToolConfig;
   sandbox?: {
     tools?: {
       allow?: string[];
@@ -338,34 +369,7 @@ export type ToolsConfig = {
     allowFrom?: AgentElevatedAllowFromConfig;
   };
   /** Exec tool defaults. */
-  exec?: {
+  exec?: ExecToolConfig;
-    /** Exec host routing (default: sandbox). */
-    host?: "sandbox" | "gateway" | "node";
-    /** Exec security mode (default: deny). */
-    security?: "deny" | "allowlist" | "full";
-    /** Exec ask mode (default: on-miss). */
-    ask?: "off" | "on-miss" | "always";
-    /** Default node binding for exec.host=node (node id/name). */
-    node?: string;
-    /** Default time (ms) before an exec command auto-backgrounds. */
-    backgroundMs?: number;
-    /** Default timeout (seconds) before auto-killing exec commands. */
-    timeoutSec?: number;
-    /** How long to keep finished sessions in memory (ms). */
-    cleanupMs?: number;
-    /** Emit a system event and heartbeat when a backgrounded exec exits. */
-    notifyOnExit?: boolean;
-    /** apply_patch subtool configuration (experimental). */
-    applyPatch?: {
-      /** Enable apply_patch for OpenAI models (default: false). */
-      enabled?: boolean;
-      /**
-       * Optional allowlist of model ids that can use apply_patch.
-       * Accepts either raw ids (e.g. "gpt-5.2") or full ids (e.g. "openai/gpt-5.2").
-       */
-      allowModels?: string[];
-    };
-  };
   /** Sub-agent tool policy defaults (deny wins). */
   subagents?: {
     /** Default model selection for spawned sub-agents (string or {primary,fallbacks}). */

src/gateway/server-bridge-events.ts

@@ -192,7 +192,9 @@ export const handleBridgeEvent = async (
       const runId = typeof obj.runId === "string" ? obj.runId.trim() : "";
       const command = typeof obj.command === "string" ? obj.command.trim() : "";
       const exitCode =
-        typeof obj.exitCode === "number" && Number.isFinite(obj.exitCode) ? obj.exitCode : undefined;
+        typeof obj.exitCode === "number" && Number.isFinite(obj.exitCode)
+          ? obj.exitCode
+          : undefined;
       const timedOut = obj.timedOut === true;
       const success = obj.success === true;
       const output = typeof obj.output === "string" ? obj.output.trim() : "";

src/infra/exec-approvals.ts

@@ -185,7 +185,7 @@ function parseFirstToken(command: string): string | null {
   const trimmed = command.trim();
   if (!trimmed) return null;
   const first = trimmed[0];
-  if (first === "\"" || first === "'") {
+  if (first === '"' || first === "'") {
     const end = trimmed.indexOf(first, 1);
     if (end > 1) return trimmed.slice(1, end);
     return trimmed.slice(1);