@poolzin/pool-bot 2026.2.24 → 2026.2.25

package/CHANGELOG.md

@@ -1,3 +1,24 @@
+## v2026.2.25 (2026-02-22)
+
+### Features
+- **Upstream Port (OpenClaw):** ported 26 files from OpenClaw upstream covering agents, auto-reply, browser, gateway, hooks, plugins, config, and CLI
+  - **Agent tooling:** sandbox filesystem bridge, host sandbox bridge helpers, workspace sandbox integration, model fallback provider updates (openai/gpt-4.1-mini default)
+  - **Auto-reply:** commands registry extensions, templating updates, agent runner execution improvements, verbose-gated session notices
+  - **Browser:** config updates, agent act/snapshot/storage routes, tabs route enhancements, form layout contract tests
+  - **Gateway:** hook token extraction with query-string fallback, normalized agent payload with auto-generated session keys, HTTP server integration
+  - **Plugins:** plugin discovery and loading aligned with upstream patterns
+  - **Config:** browser config, CLI config, and schema updates
+
+### Fixes
+- **Tests:** fixed 9 pre-existing test failures across 6 test files (52 tests total)
+  - `model-fallback.test.ts`: updated expectations for openai/gpt-4.1-mini default
+  - `image-tool.test.ts`: aligned sandbox parameter structure with new bridge API
+  - `hooks.test.ts`: updated for new `extractHookToken` and `normalizeAgentPayload` signatures
+  - `poolbot-tools.sessions.test.ts`: added mock sessions.list handler for spawned sessions
+  - `reply.media-note.test.ts` / `reply.raw-body.test.ts`: verbose-gated session notice, rebranded env vars and paths
+
+---
+
 ## v2026.2.24 (2026-02-19)
 
 ### Fixes

package/dist/acp/client.js

@@ -1,11 +1,187 @@
 import { spawn } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
 import * as readline from "node:readline";
 import { Readable, Writable } from "node:stream";
+import { fileURLToPath } from "node:url";
 import { ClientSideConnection, PROTOCOL_VERSION, ndJsonStream, } from "@agentclientprotocol/sdk";
 import { ensurePoolbotCliOnPath } from "../infra/path-env.js";
+import { DANGEROUS_ACP_TOOLS } from "../security/dangerous-tools.js";
+const SAFE_AUTO_APPROVE_KINDS = new Set(["read", "search"]);
+function asRecord(value) {
+    return value && typeof value === "object" && !Array.isArray(value)
+        ? value
+        : undefined;
+}
+function readFirstStringValue(source, keys) {
+    if (!source) {
+        return undefined;
+    }
+    for (const key of keys) {
+        const value = source[key];
+        if (typeof value === "string" && value.trim()) {
+            return value.trim();
+        }
+    }
+    return undefined;
+}
+function normalizeToolName(value) {
+    const normalized = value.trim().toLowerCase();
+    if (!normalized) {
+        return undefined;
+    }
+    return normalized;
+}
+function parseToolNameFromTitle(title) {
+    if (!title) {
+        return undefined;
+    }
+    const head = title.split(":", 1)[0]?.trim();
+    if (!head || !/^[a-zA-Z0-9._-]+$/.test(head)) {
+        return undefined;
+    }
+    return normalizeToolName(head);
+}
+function resolveToolKindForPermission(params, toolName) {
+    const toolCall = params.toolCall;
+    const kindRaw = typeof toolCall?.kind === "string" ? toolCall.kind.trim().toLowerCase() : "";
+    if (kindRaw) {
+        return kindRaw;
+    }
+    const name = toolName ??
+        parseToolNameFromTitle(typeof toolCall?.title === "string" ? toolCall.title : undefined);
+    if (!name) {
+        return undefined;
+    }
+    const normalized = name.toLowerCase();
+    const hasToken = (token) => {
+        // Tool names tend to be snake_case. Avoid substring heuristics (ex: "thread" contains "read").
+        const re = new RegExp(`(?:^|[._-])${token}(?:$|[._-])`);
+        return re.test(normalized);
+    };
+    // Prefer a conservative classifier: only classify safe kinds when confident.
+    if (normalized === "read" || hasToken("read")) {
+        return "read";
+    }
+    if (normalized === "search" || hasToken("search") || hasToken("find")) {
+        return "search";
+    }
+    if (normalized.includes("fetch") || normalized.includes("http")) {
+        return "fetch";
+    }
+    if (normalized.includes("write") || normalized.includes("edit") || normalized.includes("patch")) {
+        return "edit";
+    }
+    if (normalized.includes("delete") || normalized.includes("remove")) {
+        return "delete";
+    }
+    if (normalized.includes("move") || normalized.includes("rename")) {
+        return "move";
+    }
+    if (normalized.includes("exec") || normalized.includes("run") || normalized.includes("bash")) {
+        return "execute";
+    }
+    return "other";
+}
+function resolveToolNameForPermission(params) {
+    const toolCall = params.toolCall;
+    const toolMeta = asRecord(toolCall?._meta);
+    const rawInput = asRecord(toolCall?.rawInput);
+    const fromMeta = readFirstStringValue(toolMeta, ["toolName", "tool_name", "name"]);
+    const fromRawInput = readFirstStringValue(rawInput, ["tool", "toolName", "tool_name", "name"]);
+    const fromTitle = parseToolNameFromTitle(toolCall?.title);
+    return normalizeToolName(fromMeta ?? fromRawInput ?? fromTitle ?? "");
+}
+function pickOption(options, kinds) {
+    for (const kind of kinds) {
+        const match = options.find((option) => option.kind === kind);
+        if (match) {
+            return match;
+        }
+    }
+    return undefined;
+}
+function selectedPermission(optionId) {
+    return { outcome: { outcome: "selected", optionId } };
+}
+function cancelledPermission() {
+    return { outcome: { outcome: "cancelled" } };
+}
+function promptUserPermission(toolName, toolTitle) {
+    if (!process.stdin.isTTY || !process.stderr.isTTY) {
+        console.error(`[permission denied] ${toolName ?? "unknown"}: non-interactive terminal`);
+        return Promise.resolve(false);
+    }
+    return new Promise((resolve) => {
+        let settled = false;
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stderr,
+        });
+        const finish = (approved) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            clearTimeout(timeout);
+            rl.close();
+            resolve(approved);
+        };
+        const timeout = setTimeout(() => {
+            console.error(`\n[permission timeout] denied: ${toolName ?? "unknown"}`);
+            finish(false);
+        }, 30_000);
+        const label = toolTitle
+            ? toolName
+                ? `${toolTitle} (${toolName})`
+                : toolTitle
+            : (toolName ?? "unknown tool");
+        rl.question(`\n[permission] Allow "${label}"? (y/N) `, (answer) => {
+            const approved = answer.trim().toLowerCase() === "y";
+            console.error(`[permission ${approved ? "approved" : "denied"}] ${toolName ?? "unknown"}`);
+            finish(approved);
+        });
+    });
+}
+export async function resolvePermissionRequest(params, deps = {}) {
+    const log = deps.log ?? ((line) => console.error(line));
+    const prompt = deps.prompt ?? promptUserPermission;
+    const options = params.options ?? [];
+    const toolTitle = params.toolCall?.title ?? "tool";
+    const toolName = resolveToolNameForPermission(params);
+    const toolKind = resolveToolKindForPermission(params, toolName);
+    if (options.length === 0) {
+        log(`[permission cancelled] ${toolName ?? "unknown"}: no options available`);
+        return cancelledPermission();
+    }
+    const allowOption = pickOption(options, ["allow_once", "allow_always"]);
+    const rejectOption = pickOption(options, ["reject_once", "reject_always"]);
+    const isSafeKind = Boolean(toolKind && SAFE_AUTO_APPROVE_KINDS.has(toolKind));
+    const promptRequired = !toolName || !isSafeKind || DANGEROUS_ACP_TOOLS.has(toolName);
+    if (!promptRequired) {
+        const option = allowOption ?? options[0];
+        if (!option) {
+            log(`[permission cancelled] ${toolName}: no selectable options`);
+            return cancelledPermission();
+        }
+        log(`[permission auto-approved] ${toolName} (${toolKind ?? "unknown"})`);
+        return selectedPermission(option.optionId);
+    }
+    log(`\n[permission requested] ${toolTitle}${toolName ? ` (${toolName})` : ""}${toolKind ? ` [${toolKind}]` : ""}`);
+    const approved = await prompt(toolName, toolTitle);
+    if (approved && allowOption) {
+        return selectedPermission(allowOption.optionId);
+    }
+    if (!approved && rejectOption) {
+        return selectedPermission(rejectOption.optionId);
+    }
+    log(`[permission cancelled] ${toolName ?? "unknown"}: missing ${approved ? "allow" : "reject"} option`);
+    return cancelledPermission();
+}
 function toArgs(value) {
-    if (!value)
+    if (!value) {
         return [];
+    }
     return Array.isArray(value) ? value : [value];
 }
 function buildServerArgs(opts) {
@@ -15,10 +191,29 @@ function buildServerArgs(opts) {
     }
     return args;
 }
+function resolveSelfEntryPath() {
+    // Prefer a path relative to the built module location (dist/acp/client.js -> dist/entry.js).
+    try {
+        const here = fileURLToPath(import.meta.url);
+        const candidate = path.resolve(path.dirname(here), "..", "entry.js");
+        if (fs.existsSync(candidate)) {
+            return candidate;
+        }
+    }
+    catch {
+        // ignore
+    }
+    const argv1 = process.argv[1]?.trim();
+    if (argv1) {
+        return path.isAbsolute(argv1) ? argv1 : path.resolve(process.cwd(), argv1);
+    }
+    return null;
+}
 function printSessionUpdate(notification) {
     const update = notification.update;
-    if (!("sessionUpdate" in update))
+    if (!("sessionUpdate" in update)) {
         return;
+    }
     switch (update.sessionUpdate) {
         case "agent_message_chunk": {
             if (update.content?.type === "text") {
@@ -38,8 +233,9 @@ function printSessionUpdate(notification) {
         }
         case "available_commands_update": {
             const names = update.availableCommands?.map((cmd) => `/${cmd.name}`).join(" ");
-            if (names)
+            if (names) {
                 console.log(`\n[commands] ${names}`);
+            }
             return;
         }
         default:
@@ -50,11 +246,13 @@ export async function createAcpClient(opts = {}) {
     const cwd = opts.cwd ?? process.cwd();
     const verbose = Boolean(opts.verbose);
     const log = verbose ? (msg) => console.error(`[acp-client] ${msg}`) : () => { };
-    ensurePoolbotCliOnPath({ cwd });
-    const serverCommand = opts.serverCommand ?? "poolbot";
+    ensurePoolbotCliOnPath();
     const serverArgs = buildServerArgs(opts);
-    log(`spawning: ${serverCommand} ${serverArgs.join(" ")}`);
-    const agent = spawn(serverCommand, serverArgs, {
+    const entryPath = resolveSelfEntryPath();
+    const serverCommand = opts.serverCommand ?? (entryPath ? process.execPath : "poolbot");
+    const effectiveArgs = opts.serverCommand || !entryPath ? serverArgs : [entryPath, ...serverArgs];
+    log(`spawning: ${serverCommand} ${effectiveArgs.join(" ")}`);
+    const agent = spawn(serverCommand, effectiveArgs, {
         stdio: ["pipe", "pipe", "inherit"],
         cwd,
     });
@@ -69,16 +267,7 @@ export async function createAcpClient(opts = {}) {
             printSessionUpdate(params);
         },
         requestPermission: async (params) => {
-            console.log("\n[permission requested]", params.toolCall?.title ?? "tool");
-            const options = params.options ?? [];
-            const allowOnce = options.find((option) => option.kind === "allow_once");
-            const fallback = options[0];
-            return {
-                outcome: {
-                    outcome: "selected",
-                    optionId: allowOnce?.optionId ?? fallback?.optionId ?? "allow",
-                },
-            };
+            return resolvePermissionRequest(params);
         },
     }), stream);
     log("initializing");
@@ -107,7 +296,7 @@ export async function runAcpClientInteractive(opts = {}) {
         input: process.stdin,
         output: process.stdout,
     });
-    console.log("Poolbot ACP client");
+    console.log("Pool Bot ACP client");
     console.log(`Session: ${sessionId}`);
     console.log('Type a prompt, or "exit" to quit.\n');
     const prompt = () => {

package/dist/acp/secret-file.js

@@ -0,0 +1,22 @@
+import fs from "node:fs";
+import { resolveUserPath } from "../utils.js";
+export function readSecretFromFile(filePath, label) {
+    const resolvedPath = resolveUserPath(filePath.trim());
+    if (!resolvedPath) {
+        throw new Error(`${label} file path is empty.`);
+    }
+    let raw = "";
+    try {
+        raw = fs.readFileSync(resolvedPath, "utf8");
+    }
+    catch (err) {
+        throw new Error(`Failed to read ${label} file at ${resolvedPath}: ${String(err)}`, {
+            cause: err,
+        });
+    }
+    const secret = raw.trim();
+    if (!secret) {
+        throw new Error(`${label} file at ${resolvedPath} is empty.`);
+    }
+    return secret;
+}

package/dist/agents/agent-scope.js

@@ -98,6 +98,16 @@ export function resolveAgentModelFallbacksOverride(cfg, agentId) {
         return undefined;
     return Array.isArray(raw.fallbacks) ? raw.fallbacks : undefined;
 }
+export function resolveEffectiveModelFallbacks(params) {
+    const agentFallbacksOverride = resolveAgentModelFallbacksOverride(params.cfg, params.agentId);
+    if (!params.hasSessionModelOverride) {
+        return agentFallbacksOverride;
+    }
+    const defaultFallbacks = typeof params.cfg.agents?.defaults?.model === "object"
+        ? (params.cfg.agents.defaults.model.fallbacks ?? [])
+        : [];
+    return agentFallbacksOverride ?? defaultFallbacks;
+}
 export function resolveAgentWorkspaceDir(cfg, agentId) {
     const id = normalizeAgentId(agentId);
     const configured = resolveAgentConfig(cfg, id)?.workspace?.trim();

package/dist/agents/bash-process-registry.test-helpers.js

@@ -0,0 +1,29 @@
+export function createProcessSessionFixture(params) {
+    const session = {
+        id: params.id,
+        command: params.command ?? "test",
+        startedAt: params.startedAt ?? Date.now(),
+        cwd: params.cwd ?? "/tmp",
+        maxOutputChars: params.maxOutputChars ?? 10_000,
+        pendingMaxOutputChars: params.pendingMaxOutputChars ?? 30_000,
+        totalOutputChars: 0,
+        pendingStdout: [],
+        pendingStderr: [],
+        pendingStdoutChars: 0,
+        pendingStderrChars: 0,
+        aggregated: "",
+        tail: "",
+        exited: false,
+        exitCode: undefined,
+        exitSignal: undefined,
+        truncated: false,
+        backgrounded: params.backgrounded ?? false,
+    };
+    if (params.pid !== undefined) {
+        session.pid = params.pid;
+    }
+    if (params.child) {
+        session.child = params.child;
+    }
+    return session;
+}

package/dist/agents/bash-tools.exec-approval-request.js

@@ -0,0 +1,20 @@
+import { DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS, DEFAULT_APPROVAL_TIMEOUT_MS, } from "./bash-tools.exec-runtime.js";
+import { callGatewayTool } from "./tools/gateway.js";
+export async function requestExecApprovalDecision(params) {
+    const decisionResult = await callGatewayTool("exec.approval.request", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, {
+        id: params.id,
+        command: params.command,
+        cwd: params.cwd,
+        host: params.host,
+        security: params.security,
+        ask: params.ask,
+        agentId: params.agentId,
+        resolvedPath: params.resolvedPath,
+        sessionKey: params.sessionKey,
+        timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+    });
+    const decisionValue = decisionResult && typeof decisionResult === "object"
+        ? decisionResult.decision
+        : undefined;
+    return typeof decisionValue === "string" ? decisionValue : null;
+}

package/dist/agents/bash-tools.exec-host-gateway.js

@@ -0,0 +1,230 @@
+import crypto from "node:crypto";
+import { addAllowlistEntry, buildSafeBinsShellCommand, buildSafeShellCommand, evaluateShellAllowlist, maxAsk, minSecurity, recordAllowlistUse, requiresExecApproval, resolveExecApprovals, } from "../infra/exec-approvals.js";
+import { markBackgrounded, tail } from "./bash-process-registry.js";
+import { requestExecApprovalDecision } from "./bash-tools.exec-approval-request.js";
+import { DEFAULT_APPROVAL_TIMEOUT_MS, DEFAULT_NOTIFY_TAIL_CHARS, createApprovalSlug, emitExecSystemEvent, normalizeNotifyOutput, runExecProcess, } from "./bash-tools.exec-runtime.js";
+export async function processGatewayAllowlist(params) {
+    const approvals = resolveExecApprovals(params.agentId, {
+        security: params.security,
+        ask: params.ask,
+    });
+    const hostSecurity = minSecurity(params.security, approvals.agent.security);
+    const hostAsk = maxAsk(params.ask, approvals.agent.ask);
+    const askFallback = approvals.agent.askFallback;
+    if (hostSecurity === "deny") {
+        throw new Error("exec denied: host=gateway security=deny");
+    }
+    const allowlistEval = evaluateShellAllowlist({
+        command: params.command,
+        allowlist: approvals.allowlist,
+        safeBins: params.safeBins,
+        cwd: params.workdir,
+        env: params.env,
+        platform: process.platform,
+        trustedSafeBinDirs: params.trustedSafeBinDirs,
+    });
+    const allowlistMatches = allowlistEval.allowlistMatches;
+    const analysisOk = allowlistEval.analysisOk;
+    const allowlistSatisfied = hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+    const requiresAsk = requiresExecApproval({
+        ask: hostAsk,
+        security: hostSecurity,
+        analysisOk,
+        allowlistSatisfied,
+    });
+    if (requiresAsk) {
+        const approvalId = crypto.randomUUID();
+        const approvalSlug = createApprovalSlug(approvalId);
+        const expiresAtMs = Date.now() + DEFAULT_APPROVAL_TIMEOUT_MS;
+        const contextKey = `exec:${approvalId}`;
+        const resolvedPath = allowlistEval.segments[0]?.resolution?.resolvedPath;
+        const noticeSeconds = Math.max(1, Math.round(params.approvalRunningNoticeMs / 1000));
+        const effectiveTimeout = typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec;
+        const warningText = params.warnings.length ? `${params.warnings.join("\n")}\n\n` : "";
+        void (async () => {
+            let decision = null;
+            try {
+                decision = await requestExecApprovalDecision({
+                    id: approvalId,
+                    command: params.command,
+                    cwd: params.workdir,
+                    host: "gateway",
+                    security: hostSecurity,
+                    ask: hostAsk,
+                    agentId: params.agentId,
+                    resolvedPath,
+                    sessionKey: params.sessionKey,
+                });
+            }
+            catch {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, approval-request-failed): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            let approvedByAsk = false;
+            let deniedReason = null;
+            if (decision === "deny") {
+                deniedReason = "user-denied";
+            }
+            else if (!decision) {
+                if (askFallback === "full") {
+                    approvedByAsk = true;
+                }
+                else if (askFallback === "allowlist") {
+                    if (!analysisOk || !allowlistSatisfied) {
+                        deniedReason = "approval-timeout (allowlist-miss)";
+                    }
+                    else {
+                        approvedByAsk = true;
+                    }
+                }
+                else {
+                    deniedReason = "approval-timeout";
+                }
+            }
+            else if (decision === "allow-once") {
+                approvedByAsk = true;
+            }
+            else if (decision === "allow-always") {
+                approvedByAsk = true;
+                if (hostSecurity === "allowlist") {
+                    for (const segment of allowlistEval.segments) {
+                        const pattern = segment.resolution?.resolvedPath ?? "";
+                        if (pattern) {
+                            addAllowlistEntry(approvals.file, params.agentId, pattern);
+                        }
+                    }
+                }
+            }
+            if (hostSecurity === "allowlist" && (!analysisOk || !allowlistSatisfied) && !approvedByAsk) {
+                deniedReason = deniedReason ?? "allowlist-miss";
+            }
+            if (deniedReason) {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, ${deniedReason}): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            if (allowlistMatches.length > 0) {
+                const seen = new Set();
+                for (const match of allowlistMatches) {
+                    if (seen.has(match.pattern)) {
+                        continue;
+                    }
+                    seen.add(match.pattern);
+                    recordAllowlistUse(approvals.file, params.agentId, match, params.command, resolvedPath ?? undefined);
+                }
+            }
+            let run = null;
+            try {
+                run = await runExecProcess({
+                    command: params.command,
+                    workdir: params.workdir,
+                    env: params.env,
+                    sandbox: undefined,
+                    containerWorkdir: null,
+                    usePty: params.pty,
+                    warnings: params.warnings,
+                    maxOutput: params.maxOutput,
+                    pendingMaxOutput: params.pendingMaxOutput,
+                    notifyOnExit: false,
+                    notifyOnExitEmptySuccess: false,
+                    scopeKey: params.scopeKey,
+                    sessionKey: params.notifySessionKey,
+                    timeoutSec: effectiveTimeout,
+                });
+            }
+            catch {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, spawn-failed): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            markBackgrounded(run.session);
+            let runningTimer = null;
+            if (params.approvalRunningNoticeMs > 0) {
+                runningTimer = setTimeout(() => {
+                    emitExecSystemEvent(`Exec running (gateway id=${approvalId}, session=${run?.session.id}, >${noticeSeconds}s): ${params.command}`, { sessionKey: params.notifySessionKey, contextKey });
+                }, params.approvalRunningNoticeMs);
+            }
+            const outcome = await run.promise;
+            if (runningTimer) {
+                clearTimeout(runningTimer);
+            }
+            const output = normalizeNotifyOutput(tail(outcome.aggregated || "", DEFAULT_NOTIFY_TAIL_CHARS));
+            const exitLabel = outcome.timedOut ? "timeout" : `code ${outcome.exitCode ?? "?"}`;
+            const summary = output
+                ? `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})\n${output}`
+                : `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})`;
+            emitExecSystemEvent(summary, { sessionKey: params.notifySessionKey, contextKey });
+        })();
+        return {
+            pendingResult: {
+                content: [
+                    {
+                        type: "text",
+                        text: `${warningText}Approval required (id ${approvalSlug}). ` +
+                            "Approve to run; updates will arrive after completion.",
+                    },
+                ],
+                details: {
+                    status: "approval-pending",
+                    approvalId,
+                    approvalSlug,
+                    expiresAtMs,
+                    host: "gateway",
+                    command: params.command,
+                    cwd: params.workdir,
+                },
+            },
+        };
+    }
+    if (hostSecurity === "allowlist" && (!analysisOk || !allowlistSatisfied)) {
+        throw new Error("exec denied: allowlist miss");
+    }
+    let execCommandOverride;
+    // If allowlist uses safeBins, sanitize only those stdin-only segments:
+    // disable glob/var expansion by forcing argv tokens to be literal via single-quoting.
+    if (hostSecurity === "allowlist" &&
+        analysisOk &&
+        allowlistSatisfied &&
+        allowlistEval.segmentSatisfiedBy.some((by) => by === "safeBins")) {
+        const safe = buildSafeBinsShellCommand({
+            command: params.command,
+            segments: allowlistEval.segments,
+            segmentSatisfiedBy: allowlistEval.segmentSatisfiedBy,
+            platform: process.platform,
+        });
+        if (!safe.ok || !safe.command) {
+            // Fallback: quote everything (safe, but may change glob behavior).
+            const fallback = buildSafeShellCommand({
+                command: params.command,
+                platform: process.platform,
+            });
+            if (!fallback.ok || !fallback.command) {
+                throw new Error(`exec denied: safeBins sanitize failed (${safe.reason ?? "unknown"})`);
+            }
+            params.warnings.push("Warning: safeBins hardening used fallback quoting due to parser mismatch.");
+            execCommandOverride = fallback.command;
+        }
+        else {
+            params.warnings.push("Warning: safeBins hardening disabled glob/variable expansion for stdin-only segments.");
+            execCommandOverride = safe.command;
+        }
+    }
+    if (allowlistMatches.length > 0) {
+        const seen = new Set();
+        for (const match of allowlistMatches) {
+            if (seen.has(match.pattern)) {
+                continue;
+            }
+            seen.add(match.pattern);
+            recordAllowlistUse(approvals.file, params.agentId, match, params.command, allowlistEval.segments[0]?.resolution?.resolvedPath);
+        }
+    }
+    return { execCommandOverride };
+}