@poolzin/pool-bot 2026.2.24 → 2026.2.26

package/dist/agents/auth-profiles/oauth.js

@@ -1,12 +1,37 @@
-import { getOAuthApiKey } from "@mariozechner/pi-ai";
-import lockfile from "proper-lockfile";
-import { refreshChutesTokens } from "../chutes-oauth.js";
+import { getOAuthApiKey, getOAuthProviders, } from "@mariozechner/pi-ai";
+import { withFileLock } from "../../infra/file-lock.js";
 import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
+import { refreshChutesTokens } from "../chutes-oauth.js";
 import { AUTH_STORE_LOCK_OPTIONS, log } from "./constants.js";
 import { formatAuthDoctorHint } from "./doctor.js";
 import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import { ensureAuthProfileStore, saveAuthProfileStore } from "./store.js";
+const OAUTH_PROVIDER_IDS = new Set(getOAuthProviders().map((provider) => provider.id));
+const isOAuthProvider = (provider) => OAUTH_PROVIDER_IDS.has(provider);
+const resolveOAuthProvider = (provider) => isOAuthProvider(provider) ? provider : null;
+/** Bearer-token auth modes that are interchangeable (oauth tokens and raw tokens). */
+const BEARER_AUTH_MODES = new Set(["oauth", "token"]);
+const isCompatibleModeType = (mode, type) => {
+    if (!mode || !type) {
+        return false;
+    }
+    if (mode === type) {
+        return true;
+    }
+    // Both token and oauth represent bearer-token auth paths — allow bidirectional compat.
+    return BEARER_AUTH_MODES.has(mode) && BEARER_AUTH_MODES.has(type);
+};
+function isProfileConfigCompatible(params) {
+    const profileConfig = params.cfg?.auth?.profiles?.[params.profileId];
+    if (profileConfig && profileConfig.provider !== params.provider) {
+        return false;
+    }
+    if (profileConfig && !isCompatibleModeType(profileConfig.mode, params.mode)) {
+        return false;
+    }
+    return true;
+}
 function buildOAuthApiKey(provider, credentials) {
     const needsProjectId = provider === "google-gemini-cli" || provider === "google-antigravity";
     return needsProjectId
@@ -16,18 +41,62 @@ function buildOAuthApiKey(provider, credentials) {
         })
         : credentials.access;
 }
+function buildApiKeyProfileResult(params) {
+    return {
+        apiKey: params.apiKey,
+        provider: params.provider,
+        email: params.email,
+    };
+}
+function buildOAuthProfileResult(params) {
+    return buildApiKeyProfileResult({
+        apiKey: buildOAuthApiKey(params.provider, params.credentials),
+        provider: params.provider,
+        email: params.email,
+    });
+}
+function isExpiredCredential(expires) {
+    return (typeof expires === "number" && Number.isFinite(expires) && expires > 0 && Date.now() >= expires);
+}
+function adoptNewerMainOAuthCredential(params) {
+    if (!params.agentDir) {
+        return null;
+    }
+    try {
+        const mainStore = ensureAuthProfileStore(undefined);
+        const mainCred = mainStore.profiles[params.profileId];
+        if (mainCred?.type === "oauth" &&
+            mainCred.provider === params.cred.provider &&
+            Number.isFinite(mainCred.expires) &&
+            (!Number.isFinite(params.cred.expires) || mainCred.expires > params.cred.expires)) {
+            params.store.profiles[params.profileId] = { ...mainCred };
+            saveAuthProfileStore(params.store, params.agentDir);
+            log.info("adopted newer OAuth credentials from main agent", {
+                profileId: params.profileId,
+                agentDir: params.agentDir,
+                expires: new Date(mainCred.expires).toISOString(),
+            });
+            return mainCred;
+        }
+    }
+    catch (err) {
+        // Best-effort: don't crash if main agent store is missing or unreadable.
+        log.debug("adoptNewerMainOAuthCredential failed", {
+            profileId: params.profileId,
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+    return null;
+}
 async function refreshOAuthTokenWithLock(params) {
     const authPath = resolveAuthStorePath(params.agentDir);
     ensureAuthStoreFile(authPath);
-    let release;
-    try {
-        release = await lockfile.lock(authPath, {
-            ...AUTH_STORE_LOCK_OPTIONS,
-        });
+    return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
         const store = ensureAuthProfileStore(params.agentDir);
         const cred = store.profiles[params.profileId];
-        if (!cred || cred.type !== "oauth")
+        if (!cred || cred.type !== "oauth") {
             return null;
+        }
         if (Date.now() < cred.expires) {
             return {
                 apiKey: buildOAuthApiKey(cred.provider, cred),
@@ -49,9 +118,16 @@ async function refreshOAuthTokenWithLock(params) {
                     const newCredentials = await refreshQwenPortalCredentials(cred);
                     return { apiKey: newCredentials.access, newCredentials };
                 })()
-                : await getOAuthApiKey(cred.provider, oauthCreds);
-        if (!result)
+                : await (async () => {
+                    const oauthProvider = resolveOAuthProvider(cred.provider);
+                    if (!oauthProvider) {
+                        return null;
+                    }
+                    return await getOAuthApiKey(oauthProvider, oauthCreds);
+                })();
+        if (!result) {
             return null;
+        }
         store.profiles[params.profileId] = {
             ...cred,
             ...result.newCredentials,
@@ -59,104 +135,111 @@ async function refreshOAuthTokenWithLock(params) {
         };
         saveAuthProfileStore(store, params.agentDir);
         return result;
-    }
-    finally {
-        if (release) {
-            try {
-                await release();
-            }
-            catch {
-                // ignore unlock errors
-            }
-        }
-    }
+    });
 }
 async function tryResolveOAuthProfile(params) {
     const { cfg, store, profileId } = params;
     const cred = store.profiles[profileId];
-    if (!cred || cred.type !== "oauth")
-        return null;
-    const profileConfig = cfg?.auth?.profiles?.[profileId];
-    if (profileConfig && profileConfig.provider !== cred.provider)
+    if (!cred || cred.type !== "oauth") {
         return null;
-    if (profileConfig && profileConfig.mode !== cred.type)
+    }
+    if (!isProfileConfigCompatible({
+        cfg,
+        profileId,
+        provider: cred.provider,
+        mode: cred.type,
+    })) {
         return null;
+    }
     if (Date.now() < cred.expires) {
-        return {
-            apiKey: buildOAuthApiKey(cred.provider, cred),
+        return buildOAuthProfileResult({
             provider: cred.provider,
+            credentials: cred,
             email: cred.email,
-        };
+        });
     }
     const refreshed = await refreshOAuthTokenWithLock({
         profileId,
         agentDir: params.agentDir,
     });
-    if (!refreshed)
+    if (!refreshed) {
         return null;
-    return {
+    }
+    return buildApiKeyProfileResult({
         apiKey: refreshed.apiKey,
         provider: cred.provider,
         email: cred.email,
-    };
+    });
 }
 export async function resolveApiKeyForProfile(params) {
     const { cfg, store, profileId } = params;
     const cred = store.profiles[profileId];
-    if (!cred)
-        return null;
-    const profileConfig = cfg?.auth?.profiles?.[profileId];
-    if (profileConfig && profileConfig.provider !== cred.provider)
+    if (!cred) {
         return null;
-    if (profileConfig && profileConfig.mode !== cred.type) {
+    }
+    if (!isProfileConfigCompatible({
+        cfg,
+        profileId,
+        provider: cred.provider,
+        mode: cred.type,
         // Compatibility: treat "oauth" config as compatible with stored token profiles.
-        if (!(profileConfig.mode === "oauth" && cred.type === "token"))
-            return null;
+        allowOAuthTokenCompatibility: true,
+    })) {
+        return null;
     }
     if (cred.type === "api_key") {
-        return { apiKey: cred.key, provider: cred.provider, email: cred.email };
+        const key = cred.key?.trim();
+        if (!key) {
+            return null;
+        }
+        return buildApiKeyProfileResult({ apiKey: key, provider: cred.provider, email: cred.email });
     }
     if (cred.type === "token") {
         const token = cred.token?.trim();
-        if (!token)
+        if (!token) {
             return null;
-        if (typeof cred.expires === "number" &&
-            Number.isFinite(cred.expires) &&
-            cred.expires > 0 &&
-            Date.now() >= cred.expires) {
+        }
+        if (isExpiredCredential(cred.expires)) {
             return null;
         }
-        return { apiKey: token, provider: cred.provider, email: cred.email };
+        return buildApiKeyProfileResult({ apiKey: token, provider: cred.provider, email: cred.email });
     }
-    if (Date.now() < cred.expires) {
-        return {
-            apiKey: buildOAuthApiKey(cred.provider, cred),
-            provider: cred.provider,
-            email: cred.email,
-        };
+    const oauthCred = adoptNewerMainOAuthCredential({
+        store,
+        profileId,
+        agentDir: params.agentDir,
+        cred,
+    }) ?? cred;
+    if (Date.now() < oauthCred.expires) {
+        return buildOAuthProfileResult({
+            provider: oauthCred.provider,
+            credentials: oauthCred,
+            email: oauthCred.email,
+        });
     }
     try {
         const result = await refreshOAuthTokenWithLock({
             profileId,
             agentDir: params.agentDir,
         });
-        if (!result)
+        if (!result) {
             return null;
-        return {
+        }
+        return buildApiKeyProfileResult({
             apiKey: result.apiKey,
             provider: cred.provider,
             email: cred.email,
-        };
+        });
     }
     catch (error) {
         const refreshedStore = ensureAuthProfileStore(params.agentDir);
         const refreshed = refreshedStore.profiles[profileId];
         if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) {
-            return {
-                apiKey: buildOAuthApiKey(refreshed.provider, refreshed),
+            return buildOAuthProfileResult({
                 provider: refreshed.provider,
+                credentials: refreshed,
                 email: refreshed.email ?? cred.email,
-            };
+            });
         }
         const fallbackProfileId = suggestOAuthProfileIdForLegacyDefault({
             cfg,
@@ -172,8 +255,9 @@ export async function resolveApiKeyForProfile(params) {
                     profileId: fallbackProfileId,
                     agentDir: params.agentDir,
                 });
-                if (fallbackResolved)
+                if (fallbackResolved) {
                     return fallbackResolved;
+                }
             }
             catch {
                 // keep original error
@@ -193,11 +277,11 @@ export async function resolveApiKeyForProfile(params) {
                         agentDir: params.agentDir,
                         expires: new Date(mainCred.expires).toISOString(),
                     });
-                    return {
-                        apiKey: buildOAuthApiKey(mainCred.provider, mainCred),
+                    return buildOAuthProfileResult({
                         provider: mainCred.provider,
+                        credentials: mainCred,
                         email: mainCred.email,
-                    };
+                    });
                 }
             }
             catch {
@@ -213,6 +297,6 @@ export async function resolveApiKeyForProfile(params) {
         });
         throw new Error(`OAuth token refresh failed for ${cred.provider}: ${message}. ` +
             "Please try again or re-authenticate." +
-            (hint ? `\n\n${hint}` : ""));
+            (hint ? `\n\n${hint}` : ""), { cause: error });
     }
 }

package/dist/agents/auth-profiles/session-override.js

@@ -1,10 +1,11 @@
 import { updateSessionStore } from "../../config/sessions.js";
-import { normalizeProviderId } from "../model-selection.js";
 import { ensureAuthProfileStore, isProfileInCooldown, resolveAuthProfileOrder, } from "../auth-profiles.js";
+import { normalizeProviderId } from "../model-selection.js";
 function isProfileForProvider(params) {
     const entry = params.store.profiles[params.profileId];
-    if (!entry?.provider)
+    if (!entry?.provider) {
         return false;
+    }
     return normalizeProviderId(entry.provider) === normalizeProviderId(params.provider);
 }
 export async function clearSessionAuthProfileOverride(params) {
@@ -22,8 +23,9 @@ export async function clearSessionAuthProfileOverride(params) {
 }
 export async function resolveSessionAuthProfileOverride(params) {
     const { cfg, provider, agentDir, sessionEntry, sessionStore, sessionKey, storePath, isNewSession, } = params;
-    if (!sessionEntry || !sessionStore || !sessionKey)
+    if (!sessionEntry || !sessionStore || !sessionKey) {
         return sessionEntry?.authProfileOverride;
+    }
     const store = ensureAuthProfileStore(agentDir, { allowKeychainPrompt: false });
     const order = resolveAuthProfileOrder({ cfg, store, provider });
     let current = sessionEntry.authProfileOverride?.trim();
@@ -39,17 +41,20 @@ export async function resolveSessionAuthProfileOverride(params) {
         await clearSessionAuthProfileOverride({ sessionEntry, sessionStore, sessionKey, storePath });
         current = undefined;
     }
-    if (order.length === 0)
+    if (order.length === 0) {
         return undefined;
+    }
     const pickFirstAvailable = () => order.find((profileId) => !isProfileInCooldown(store, profileId)) ?? order[0];
     const pickNextAvailable = (active) => {
         const startIndex = order.indexOf(active);
-        if (startIndex < 0)
+        if (startIndex < 0) {
             return pickFirstAvailable();
+        }
         for (let offset = 1; offset <= order.length; offset += 1) {
             const candidate = order[(startIndex + offset) % order.length];
-            if (!isProfileInCooldown(store, candidate))
+            if (!isProfileInCooldown(store, candidate)) {
                 return candidate;
+            }
         }
         return order[startIndex] ?? order[0];
     };
@@ -76,8 +81,9 @@ export async function resolveSessionAuthProfileOverride(params) {
     else if (!current || isProfileInCooldown(store, current)) {
         next = pickFirstAvailable();
     }
-    if (!next)
+    if (!next) {
         return current;
+    }
     const shouldPersist = next !== sessionEntry.authProfileOverride ||
         sessionEntry.authProfileOverrideSource !== "auto" ||
         sessionEntry.authProfileOverrideCompactionCount !== compactionCount;

package/dist/agents/bash-process-registry.test-helpers.js

@@ -0,0 +1,29 @@
+export function createProcessSessionFixture(params) {
+    const session = {
+        id: params.id,
+        command: params.command ?? "test",
+        startedAt: params.startedAt ?? Date.now(),
+        cwd: params.cwd ?? "/tmp",
+        maxOutputChars: params.maxOutputChars ?? 10_000,
+        pendingMaxOutputChars: params.pendingMaxOutputChars ?? 30_000,
+        totalOutputChars: 0,
+        pendingStdout: [],
+        pendingStderr: [],
+        pendingStdoutChars: 0,
+        pendingStderrChars: 0,
+        aggregated: "",
+        tail: "",
+        exited: false,
+        exitCode: undefined,
+        exitSignal: undefined,
+        truncated: false,
+        backgrounded: params.backgrounded ?? false,
+    };
+    if (params.pid !== undefined) {
+        session.pid = params.pid;
+    }
+    if (params.child) {
+        session.child = params.child;
+    }
+    return session;
+}

package/dist/agents/bash-tools.exec-approval-request.js

@@ -0,0 +1,20 @@
+import { DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS, DEFAULT_APPROVAL_TIMEOUT_MS, } from "./bash-tools.exec-runtime.js";
+import { callGatewayTool } from "./tools/gateway.js";
+export async function requestExecApprovalDecision(params) {
+    const decisionResult = await callGatewayTool("exec.approval.request", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, {
+        id: params.id,
+        command: params.command,
+        cwd: params.cwd,
+        host: params.host,
+        security: params.security,
+        ask: params.ask,
+        agentId: params.agentId,
+        resolvedPath: params.resolvedPath,
+        sessionKey: params.sessionKey,
+        timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+    });
+    const decisionValue = decisionResult && typeof decisionResult === "object"
+        ? decisionResult.decision
+        : undefined;
+    return typeof decisionValue === "string" ? decisionValue : null;
+}

package/dist/agents/bash-tools.exec-host-gateway.js

@@ -0,0 +1,240 @@
+import crypto from "node:crypto";
+import { addAllowlistEntry, buildSafeBinsShellCommand, buildSafeShellCommand, evaluateShellAllowlist, maxAsk, minSecurity, recordAllowlistUse, requiresExecApproval, resolveAllowAlwaysPatterns, resolveExecApprovals, } from "../infra/exec-approvals.js";
+import { markBackgrounded, tail } from "./bash-process-registry.js";
+import { requestExecApprovalDecision } from "./bash-tools.exec-approval-request.js";
+import { DEFAULT_APPROVAL_TIMEOUT_MS, DEFAULT_NOTIFY_TAIL_CHARS, createApprovalSlug, emitExecSystemEvent, normalizeNotifyOutput, runExecProcess, } from "./bash-tools.exec-runtime.js";
+export async function processGatewayAllowlist(params) {
+    const approvals = resolveExecApprovals(params.agentId, {
+        security: params.security,
+        ask: params.ask,
+    });
+    const hostSecurity = minSecurity(params.security, approvals.agent.security);
+    const hostAsk = maxAsk(params.ask, approvals.agent.ask);
+    const askFallback = approvals.agent.askFallback;
+    if (hostSecurity === "deny") {
+        throw new Error("exec denied: host=gateway security=deny");
+    }
+    const allowlistEval = evaluateShellAllowlist({
+        command: params.command,
+        allowlist: approvals.allowlist,
+        safeBins: params.safeBins,
+        cwd: params.workdir,
+        env: params.env,
+        platform: process.platform,
+        trustedSafeBinDirs: params.trustedSafeBinDirs,
+    });
+    const allowlistMatches = allowlistEval.allowlistMatches;
+    const analysisOk = allowlistEval.analysisOk;
+    const allowlistSatisfied = hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+    const hasHeredocSegment = allowlistEval.segments.some((segment) => segment.argv.some((token) => token.startsWith("<<")));
+    const requiresHeredocApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && hasHeredocSegment;
+    const requiresAsk = requiresExecApproval({
+        ask: hostAsk,
+        security: hostSecurity,
+        analysisOk,
+        allowlistSatisfied,
+    }) || requiresHeredocApproval;
+    if (requiresHeredocApproval) {
+        params.warnings.push("Warning: heredoc execution requires explicit approval in allowlist mode.");
+    }
+    if (requiresAsk) {
+        const approvalId = crypto.randomUUID();
+        const approvalSlug = createApprovalSlug(approvalId);
+        const expiresAtMs = Date.now() + DEFAULT_APPROVAL_TIMEOUT_MS;
+        const contextKey = `exec:${approvalId}`;
+        const resolvedPath = allowlistEval.segments[0]?.resolution?.resolvedPath;
+        const noticeSeconds = Math.max(1, Math.round(params.approvalRunningNoticeMs / 1000));
+        const effectiveTimeout = typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec;
+        const warningText = params.warnings.length ? `${params.warnings.join("\n")}\n\n` : "";
+        void (async () => {
+            let decision = null;
+            try {
+                decision = await requestExecApprovalDecision({
+                    id: approvalId,
+                    command: params.command,
+                    cwd: params.workdir,
+                    host: "gateway",
+                    security: hostSecurity,
+                    ask: hostAsk,
+                    agentId: params.agentId,
+                    resolvedPath,
+                    sessionKey: params.sessionKey,
+                });
+            }
+            catch {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, approval-request-failed): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            let approvedByAsk = false;
+            let deniedReason = null;
+            if (decision === "deny") {
+                deniedReason = "user-denied";
+            }
+            else if (!decision) {
+                if (askFallback === "full") {
+                    approvedByAsk = true;
+                }
+                else if (askFallback === "allowlist") {
+                    if (!analysisOk || !allowlistSatisfied) {
+                        deniedReason = "approval-timeout (allowlist-miss)";
+                    }
+                    else {
+                        approvedByAsk = true;
+                    }
+                }
+                else {
+                    deniedReason = "approval-timeout";
+                }
+            }
+            else if (decision === "allow-once") {
+                approvedByAsk = true;
+            }
+            else if (decision === "allow-always") {
+                approvedByAsk = true;
+                if (hostSecurity === "allowlist") {
+                    const patterns = resolveAllowAlwaysPatterns({
+                        segments: allowlistEval.segments,
+                        cwd: params.workdir,
+                        env: params.env,
+                        platform: process.platform,
+                    });
+                    for (const pattern of patterns) {
+                        if (pattern) {
+                            addAllowlistEntry(approvals.file, params.agentId, pattern);
+                        }
+                    }
+                }
+            }
+            if (hostSecurity === "allowlist" && (!analysisOk || !allowlistSatisfied) && !approvedByAsk) {
+                deniedReason = deniedReason ?? "allowlist-miss";
+            }
+            if (deniedReason) {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, ${deniedReason}): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            if (allowlistMatches.length > 0) {
+                const seen = new Set();
+                for (const match of allowlistMatches) {
+                    if (seen.has(match.pattern)) {
+                        continue;
+                    }
+                    seen.add(match.pattern);
+                    recordAllowlistUse(approvals.file, params.agentId, match, params.command, resolvedPath ?? undefined);
+                }
+            }
+            let run = null;
+            try {
+                run = await runExecProcess({
+                    command: params.command,
+                    workdir: params.workdir,
+                    env: params.env,
+                    sandbox: undefined,
+                    containerWorkdir: null,
+                    usePty: params.pty,
+                    warnings: params.warnings,
+                    maxOutput: params.maxOutput,
+                    pendingMaxOutput: params.pendingMaxOutput,
+                    notifyOnExit: false,
+                    notifyOnExitEmptySuccess: false,
+                    scopeKey: params.scopeKey,
+                    sessionKey: params.notifySessionKey,
+                    timeoutSec: effectiveTimeout,
+                });
+            }
+            catch {
+                emitExecSystemEvent(`Exec denied (gateway id=${approvalId}, spawn-failed): ${params.command}`, {
+                    sessionKey: params.notifySessionKey,
+                    contextKey,
+                });
+                return;
+            }
+            markBackgrounded(run.session);
+            let runningTimer = null;
+            if (params.approvalRunningNoticeMs > 0) {
+                runningTimer = setTimeout(() => {
+                    emitExecSystemEvent(`Exec running (gateway id=${approvalId}, session=${run?.session.id}, >${noticeSeconds}s): ${params.command}`, { sessionKey: params.notifySessionKey, contextKey });
+                }, params.approvalRunningNoticeMs);
+            }
+            const outcome = await run.promise;
+            if (runningTimer) {
+                clearTimeout(runningTimer);
+            }
+            const output = normalizeNotifyOutput(tail(outcome.aggregated || "", DEFAULT_NOTIFY_TAIL_CHARS));
+            const exitLabel = outcome.timedOut ? "timeout" : `code ${outcome.exitCode ?? "?"}`;
+            const summary = output
+                ? `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})\n${output}`
+                : `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})`;
+            emitExecSystemEvent(summary, { sessionKey: params.notifySessionKey, contextKey });
+        })();
+        return {
+            pendingResult: {
+                content: [
+                    {
+                        type: "text",
+                        text: `${warningText}Approval required (id ${approvalSlug}). ` +
+                            "Approve to run; updates will arrive after completion.",
+                    },
+                ],
+                details: {
+                    status: "approval-pending",
+                    approvalId,
+                    approvalSlug,
+                    expiresAtMs,
+                    host: "gateway",
+                    command: params.command,
+                    cwd: params.workdir,
+                },
+            },
+        };
+    }
+    if (hostSecurity === "allowlist" && (!analysisOk || !allowlistSatisfied)) {
+        throw new Error("exec denied: allowlist miss");
+    }
+    let execCommandOverride;
+    // If allowlist uses safeBins, sanitize only those stdin-only segments:
+    // disable glob/var expansion by forcing argv tokens to be literal via single-quoting.
+    if (hostSecurity === "allowlist" &&
+        analysisOk &&
+        allowlistSatisfied &&
+        allowlistEval.segmentSatisfiedBy.some((by) => by === "safeBins")) {
+        const safe = buildSafeBinsShellCommand({
+            command: params.command,
+            segments: allowlistEval.segments,
+            segmentSatisfiedBy: allowlistEval.segmentSatisfiedBy,
+            platform: process.platform,
+        });
+        if (!safe.ok || !safe.command) {
+            // Fallback: quote everything (safe, but may change glob behavior).
+            const fallback = buildSafeShellCommand({
+                command: params.command,
+                platform: process.platform,
+            });
+            if (!fallback.ok || !fallback.command) {
+                throw new Error(`exec denied: safeBins sanitize failed (${safe.reason ?? "unknown"})`);
+            }
+            params.warnings.push("Warning: safeBins hardening used fallback quoting due to parser mismatch.");
+            execCommandOverride = fallback.command;
+        }
+        else {
+            params.warnings.push("Warning: safeBins hardening disabled glob/variable expansion for stdin-only segments.");
+            execCommandOverride = safe.command;
+        }
+    }
+    if (allowlistMatches.length > 0) {
+        const seen = new Set();
+        for (const match of allowlistMatches) {
+            if (seen.has(match.pattern)) {
+                continue;
+            }
+            seen.add(match.pattern);
+            recordAllowlistUse(approvals.file, params.agentId, match, params.command, allowlistEval.segments[0]?.resolution?.resolvedPath);
+        }
+    }
+    return { execCommandOverride };
+}