refactor(security): extract safeBins trust resolver

Peter Steinberger
2026-02-18 05:01:25 +01:00
parent e8154c12e6
commit ac0db68235
5 changed files with 221 additions and 81 deletions


@@ -51,7 +51,7 @@ Notes:
- `tools.exec.ask` (default: `on-miss`)
- `tools.exec.node` (default: unset)
- `tools.exec.pathPrepend`: list of directories to prepend to `PATH` for exec runs (gateway + sandbox only).
- `tools.exec.safeBins`: stdin-only safe binaries that can run without explicit allowlist entries (resolved path must come from trusted binary directories).
- `tools.exec.safeBins`: stdin-only safe binaries that can run without explicit allowlist entries. For behavior details, see [Safe bins](/tools/exec-approvals#safe-bins-stdin-only).
Example:
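Review bot: The rewritten `tools.exec.safeBins` bullet drops the parenthetical "(resolved path must come from trusted binary directories)", so this config reference no longer states the trust constraint and a reader sees it only after following the link. Since the bullet sits directly under `tools.exec.pathPrepend`, which changes `PATH` for exec runs, consider keeping a short form of the constraint inline next to the new link, for example "... without explicit allowlist entries (resolved path must come from trusted binary directories). For behavior details, see [Safe bins](/tools/exec-approvals#safe-bins-stdin-only)." Please also confirm that the linked section states the trusted-directory rule and that the `#safe-bins-stdin-only` anchor resolves, because neither is visible in this hunk.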