feat: tighten exec allowlist gating

src/config/types.tools.ts

@@ -131,6 +131,8 @@ export type ExecToolConfig = {
   node?: string;
   /** Directories to prepend to PATH when running exec (gateway/sandbox). */
   pathPrepend?: string[];
+  /** Safe stdin-only binaries that can run without allowlist entries. */
+  safeBins?: string[];
   /** Default time (ms) before an exec command auto-backgrounds. */
   backgroundMs?: number;
   /** Default timeout (seconds) before auto-killing exec commands. */