fix: default exec security to allowlist

2026-01-21 03:40:21 +00:00
parent 026e6c4df4
commit 28c49db494
5 changed files with 44 additions and 17 deletions
--- a/docs/tools/exec.md
+++ b/docs/tools/exec.md
@@ -39,7 +39,7 @@ Notes:

 - `tools.exec.notifyOnExit` (default: true): when true, backgrounded exec sessions enqueue a system event and request a heartbeat on exit.
 - `tools.exec.host` (default: `sandbox`)
- `tools.exec.security` (default: `deny`)
+- `tools.exec.security` (default: `deny` for sandbox, `allowlist` for gateway + node when unset)
 - `tools.exec.ask` (default: `on-miss`)
 - `tools.exec.node` (default: unset)
 - `tools.exec.pathPrepend`: list of directories to prepend to `PATH` for exec runs.