diagram-to-iac 1.0.1__py3-none-any.whl → 1.0.3__py3-none-any.whl

diagram_to_iac/tools/git/git.py

@@ -21,6 +21,7 @@ from pydantic import BaseModel, Field, field_validator
 from langchain_core.tools import tool
 
 from diagram_to_iac.core.memory import create_memory
+from diagram_to_iac.core.config_loader import get_config, get_config_value
 from diagram_to_iac.tools.shell import get_shell_executor, ShellExecInput
 
 
@@ -147,20 +148,51 @@ class GitExecutor:
             config_path = os.path.join(base_dir, 'git_config.yaml')
             self.logger.debug(f"Default config path set to: {config_path}")
         
+        # Load configuration using centralized system with fallback to direct file loading
         try:
-            with open(config_path, 'r') as f:
-                self.config = yaml.safe_load(f)
-            if self.config is None:
-                self.logger.warning(f"Configuration file at {config_path} is empty. Using default values.")
+            # Use centralized configuration loading with hierarchical merging
+            base_config = get_config()
+            
+            # Load tool-specific config if provided
+            tool_config = {}
+            if config_path and os.path.exists(config_path):
+                with open(config_path, 'r') as f:
+                    tool_config = yaml.safe_load(f) or {}
+            
+            # Deep merge base config with tool-specific overrides
+            merged_config = self._deep_merge(base_config, tool_config)
+            
+            # Ensure the config has the expected nested structure for backward compatibility
+            if 'git_executor' not in merged_config and merged_config:
+                # For now, assume the centralized config doesn't have git_executor nested properly
+                # Fall back to default config to maintain test compatibility
+                self.logger.warning("Centralized config doesn't have expected git_executor structure. Using defaults.")
                 self._set_default_config()
             else:
-                self.logger.info(f"Git configuration loaded successfully from {config_path}")
-        except FileNotFoundError:
-            self.logger.warning(f"Configuration file not found at {config_path}. Using default values.")
-            self._set_default_config()
-        except yaml.YAMLError as e:
-            self.logger.error(f"Error parsing YAML configuration from {config_path}: {e}. Using default values.", exc_info=True)
-            self._set_default_config()
+                self.config = merged_config
+                self.logger.info("Configuration loaded from centralized system")
+        except Exception as e:
+            self.logger.warning(f"Failed to load from centralized config: {e}. Falling back to direct file loading.")
+            # Fallback to direct file loading for backward compatibility
+            if config_path is None:
+                base_dir = os.path.dirname(os.path.abspath(__file__))
+                config_path = os.path.join(base_dir, 'git_config.yaml')
+                self.logger.debug(f"Default config path set to: {config_path}")
+            
+            try:
+                with open(config_path, 'r') as f:
+                    self.config = yaml.safe_load(f)
+                if self.config is None:
+                    self.logger.warning(f"Configuration file at {config_path} is empty. Using default values.")
+                    self._set_default_config()
+                else:
+                    self.logger.info(f"Git configuration loaded successfully from {config_path}")
+            except FileNotFoundError:
+                self.logger.warning(f"Configuration file not found at {config_path}. Using default values.")
+                self._set_default_config()
+            except yaml.YAMLError as e:
+                self.logger.error(f"Error parsing YAML configuration from {config_path}: {e}. Using default values.", exc_info=True)
+                self._set_default_config()
         
         # Initialize memory system following our pattern
         self.memory = create_memory(memory_type)
@@ -177,13 +209,13 @@ class GitExecutor:
         self.logger.info(f"Auth failure patterns: {len(git_config.get('auth_failure_patterns', []))}")
     
     def _set_default_config(self):
-        """Set default configuration following our established pattern."""
+        """Set default configuration using centralized system."""
         self.logger.info("Setting default configuration for GitExecutor.")
         self.config = {
             'git_executor': {
-                'default_workspace': '/workspace',
-                'default_clone_depth': 1,
-                'default_timeout': 300,
+                'default_workspace': get_config_value("system.workspace_base", '/workspace'),
+                'default_clone_depth': get_config_value("tools.git.default_clone_depth", 1),
+                'default_timeout': get_config_value("network.github_timeout", 300),
                 'auth_failure_patterns': [
                     'Authentication failed',
                     'Permission denied',
@@ -194,9 +226,9 @@ class GitExecutor:
                     'Please make sure you have the correct access rights'
                 ],
                 'repo_path_template': '{workspace}/{repo_name}',
-                'sanitize_repo_names': True,
-                'enable_detailed_logging': True,
-                'store_operations_in_memory': True
+                'sanitize_repo_names': get_config_value("tools.git.sanitize_repo_names", True),
+                'enable_detailed_logging': get_config_value("tools.git.enable_detailed_logging", True),
+                'store_operations_in_memory': get_config_value("tools.git.store_operations_in_memory", True)
             },
             'error_messages': {
                 'invalid_repo_url': "Git executor: Invalid repository URL '{repo_url}'",
@@ -221,6 +253,25 @@ class GitExecutor:
             }
         }
     
+    def _deep_merge(self, base: dict, overlay: dict) -> dict:
+        """
+        Deep merge two dictionaries, with overlay taking precedence.
+        
+        Args:
+            base: Base dictionary
+            overlay: Dictionary to overlay on base
+            
+        Returns:
+            Merged dictionary
+        """
+        result = base.copy()
+        for key, value in overlay.items():
+            if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+                result[key] = self._deep_merge(result[key], value)
+            else:
+                result[key] = value
+        return result
+    
     def _extract_repo_name(self, repo_url: str) -> str:
         """Extract repository name from URL following our pattern."""
         try:

diagram_to_iac/tools/sec_utils.py

@@ -1,66 +1,279 @@
-# src/diagram_to_iac/tools/secrets.py
+# src/diagram_to_iac/tools/sec_utils.py
 
 """
-Decode /run/secrets.yaml (Base64‑encoded values) into real env vars.
+Load and decode secrets from environment variables or secrets.yaml file.
 
-Mount it into the container with:
-  docker run … -v "$PWD/config/secrets.yaml":/run/secrets.yaml:ro …
+For GitHub Actions (.github/actions/r2d/Dockerfile):
+- Secrets are expected to be provided as base64-encoded environment variables
+- Will halt execution if required secrets are missing or empty
+
+For dev containers (docker/dev/Dockerfile):  
+- First tries to load from environment variables
+- Falls back to /run/secrets.yaml file if env vars not present
+- All values (env and file) are expected to be base64 encoded
 
-If the file is missing (e.g. CI injects GitHub Secrets directly),
-load_yaml_secrets() is a no‑op.
+Mount secrets.yaml into dev container with:
+  docker run … -v "$PWD/config/secrets.yaml":/run/secrets.yaml:ro …
 """
 
 import os
+import sys
 import base64
-import yaml
 import pathlib
 import binascii
 
-# Path inside container where the encoded YAML is mounted
+# Import yaml with fallback
+try:
+    import yaml
+except ImportError:
+    yaml = None
+
+# Import typing with fallback
+try:
+    from typing import Dict, List, Optional
+except ImportError:
+    pass
+
+# Path inside container where the encoded YAML is mounted (dev only)
 _YAML_PATH = pathlib.Path("/run/secrets.yaml")
 
+# Expected secrets based on secrets_example.yaml
+EXPECTED_SECRETS = [
+    "DOCKERHUB_API_KEY",
+    "DOCKERHUB_USERNAME", 
+    "TF_API_KEY",
+    "PYPI_API_KEY",
+    "OPENAI_API_KEY",
+    "GOOGLE_API_KEY",
+    "ANTHROPIC_API_KEY", 
+    "GROK_API_KEY",
+    "REPO_API_KEY"
+]
+
+# Required secrets that must be present (others are optional)
+REQUIRED_SECRETS = [
+    "REPO_API_KEY"  # GITHUB_TOKEN is required for repo operations
+]
+
+# Optional AI API secrets (at least one should be present for AI functionality)
+AI_API_SECRETS = [
+    "OPENAI_API_KEY",
+    "GOOGLE_API_KEY", 
+    "ANTHROPIC_API_KEY",
+    "GROK_API_KEY"
+]
+
+# Map internal secret names to environment variable names
+SECRET_ENV_MAPPING = {
+    "REPO_API_KEY": "GITHUB_TOKEN",
+    "TF_API_KEY": "TFE_TOKEN",
+    "DOCKERHUB_API_KEY": "DOCKERHUB_API_KEY",
+    "DOCKERHUB_USERNAME": "DOCKERHUB_USERNAME",
+    "PYPI_API_KEY": "PYPI_API_KEY", 
+    "OPENAI_API_KEY": "OPENAI_API_KEY",
+    "GOOGLE_API_KEY": "GOOGLE_API_KEY",
+    "ANTHROPIC_API_KEY": "ANTHROPIC_API_KEY",
+    "GROK_API_KEY": "GROK_API_KEY"
+}
+
 
 def _decode_b64(enc: str) -> str:
     """Robust Base64 decode: fixes padding, falls back if invalid."""
     enc = enc.strip()
     if not enc:
         return ""
-    # Fix missing padding
-    enc += "=" * (-len(enc) % 4)
+    
+    # Fix missing padding - add only the minimum required
+    padding_needed = 4 - (len(enc) % 4)
+    if padding_needed != 4:  # 4 means no padding needed
+        enc += "=" * padding_needed
+    
     try:
-        return base64.b64decode(enc).decode("utf-8").strip()
+        decoded = base64.b64decode(enc).decode("utf-8").strip()
+        # Strip any base64 padding artifacts that might cause token corruption
+        decoded = decoded.rstrip('=')
+        return decoded
     except (binascii.Error, UnicodeDecodeError):
-        # If it isn’t valid Base64, return the raw string
+        # If it isn't valid Base64, return the raw string
         return enc
 
 
-def load_yaml_secrets() -> None:
-    """
-    Read /run/secrets.yaml, decode each *_ENCODED value, and export
-    as environment variables. Special‑case REPO_TOKEN → GITHUB_TOKEN.
-    Safe to call when the file does not exist.
-    """
+def _is_dev_environment() -> bool:
+    """Check if running in dev environment by looking for dev-specific indicators."""
+    return (
+        _YAML_PATH.exists() or 
+        os.environ.get("ENVIRONMENT") == "dev" or
+        os.path.exists("/workspace/docker/dev")
+    )
+
+
+def _get_env_secrets() -> Dict[str, Optional[str]]:
+    """Get secrets from environment variables."""
+    env_secrets = {}
+    for secret_key in EXPECTED_SECRETS:
+        env_name = SECRET_ENV_MAPPING.get(secret_key, secret_key)
+        raw_value = os.environ.get(env_name)
+        if raw_value:
+            # Check if value is already decoded, use as-is; otherwise decode it
+            if (secret_key == "TF_API_KEY" and ".atlasv1." in raw_value) or \
+               (secret_key == "REPO_API_KEY" and raw_value.startswith("ghp_")) or \
+               (secret_key == "OPENAI_API_KEY" and raw_value.startswith("sk-")) or \
+               (secret_key == "ANTHROPIC_API_KEY" and raw_value.startswith("sk-ant-")) or \
+               (secret_key == "GOOGLE_API_KEY" and not "=" in raw_value and len(raw_value) < 100) or \
+               (secret_key in ["DOCKERHUB_USERNAME"] and not "=" in raw_value):
+                env_secrets[secret_key] = raw_value
+            else:
+                env_secrets[secret_key] = _decode_b64(raw_value)
+        else:
+            env_secrets[secret_key] = None
+    return env_secrets
+
+
+def _load_secrets_from_file() -> Dict[str, str]:
+    """Load secrets from secrets.yaml file (dev environment only)."""
     if not _YAML_PATH.exists():
-        return
+        return {}
+    
+    try:
+        data: Dict[str, str] = yaml.safe_load(_YAML_PATH.read_text()) or {}
+        return {k: v for k, v in data.items() if v}
+    except Exception as e:
+        print(f"❌ Error reading secrets file {_YAML_PATH}: {e}")
+        return {}
+
 
-    data: dict[str, str] = yaml.safe_load(_YAML_PATH.read_text()) or {}
-    for key, encoded in data.items():
-        if not encoded:
+def _validate_and_set_secrets(secrets: Dict[str, str], source: str = "environment") -> None:
+    """Validate secrets and set them as environment variables."""
+    missing_required = []
+    empty_secrets = []
+    loaded_secrets = []
+    ai_secrets_available = 0
+    
+    for secret_key in EXPECTED_SECRETS:
+        secret_value = secrets.get(secret_key)
+        env_name = SECRET_ENV_MAPPING.get(secret_key, secret_key)
+        
+        if secret_value is None:
+            if secret_key in REQUIRED_SECRETS:
+                missing_required.append(secret_key)
             continue
+            
+        if not secret_value.strip():
+            empty_secrets.append(secret_key)
+            continue
+            
+        # Set environment variable (decode only if from file, not if already from env)
+        try:
+            if source == "file":
+                # File values need to be decoded
+                decoded_value = _decode_b64(secret_value)
+            else:
+                # Environment values are already decoded
+                decoded_value = secret_value
+                
+            if decoded_value:
+                os.environ[env_name] = decoded_value
+                loaded_secrets.append(env_name)
+                if secret_key in AI_API_SECRETS:
+                    ai_secrets_available += 1
+                print(f"✅ {env_name}: loaded from {source}")
+            else:
+                empty_secrets.append(secret_key)
+        except Exception as e:
+            print(f"❌ Error processing {secret_key}: {e}")
+            empty_secrets.append(secret_key)
+    
+    # Check for critical errors
+    critical_errors = []
+    
+    # Required secrets must be present
+    if missing_required:
+        critical_errors.append(f"Missing required secrets: {', '.join(missing_required)}")
+    
+    # At least one AI API key should be available for full functionality
+    if ai_secrets_available == 0:
+        available_ai_keys = [SECRET_ENV_MAPPING[k] for k in AI_API_SECRETS if k in secrets]
+        if not available_ai_keys:
+            critical_errors.append("No AI API keys available. At least one is recommended for full functionality.")
+    
+    # Handle empty secrets (warn but don't fail)
+    if empty_secrets:
+        print(f"⚠️ Warning: Empty secrets found: {', '.join(empty_secrets)}")
+    
+    # Print summary
+    if loaded_secrets:
+        print(f"✅ Successfully loaded {len(loaded_secrets)} secrets from {source}")
+        if ai_secrets_available > 0:
+            print(f"🤖 AI capabilities enabled ({ai_secrets_available} API key(s) configured)")
+    
+    # Handle critical errors
+    if critical_errors:
+        error_msg = "🔐 Secret validation failed:\n"
+        for error in critical_errors:
+            error_msg += f"❌ {error}\n"
+        
+        if _is_dev_environment():
+            error_msg += "\n💡 For dev environment:\n"
+            error_msg += f"  - Ensure {_YAML_PATH} exists with base64-encoded values\n" 
+            error_msg += f"  - Or set environment variables: {', '.join(SECRET_ENV_MAPPING.values())}\n"
+        else:
+            error_msg += "\n💡 For GitHub Actions:\n"
+            error_msg += "  - Ensure all required secrets are configured in GitHub repository settings\n"
+            error_msg += "  - Secrets should be base64-encoded\n"
+        
+        print(error_msg)
+        sys.exit(1)
 
-        # Strip the "_ENCODED" suffix
-        # base_name = key.removesuffix("_ENCODED")
 
-        # Map specific keys to their expected environment variable names
-        if key == "REPO_API_KEY":
-            env_name = "GITHUB_TOKEN"
-        elif key == "TF_API_KEY":
-            # env_name = "TF_TOKEN_APP_TERRAFORM_IO"
-            env_name = "TFE_TOKEN"
+def load_secrets() -> None:
+    """
+    Load and validate secrets from environment variables or secrets.yaml file.
+    
+    Workflow:
+    1. Check if secrets are available in environment variables
+    2. If any env secrets exist but are empty, halt execution with error
+    3. If no env secrets present and in dev environment, try loading from file
+    4. Validate all secrets are present and non-empty
+    5. Decode base64 values and set as environment variables
+    
+    Exits with error code 1 if secrets are missing or invalid.
+    """
+    print("🔐 Loading and validating secrets...")
+    
+    # First, check environment variables
+    env_secrets = _get_env_secrets()
+    env_secrets_present = any(v is not None for v in env_secrets.values())
+    
+    if env_secrets_present:
+        # Environment variables are present, validate them
+        print("🔍 Found secrets in environment variables")
+        valid_env_secrets = {k: v for k, v in env_secrets.items() if v is not None}
+        _validate_and_set_secrets(valid_env_secrets, "environment")
+        return
+    
+    # No environment secrets found
+    if _is_dev_environment():
+        print("🔍 No environment secrets found, checking secrets file...")
+        file_secrets = _load_secrets_from_file()
+        if file_secrets:
+            print(f"📁 Loading secrets from {_YAML_PATH}")
+            _validate_and_set_secrets(file_secrets, "file")
+            return
         else:
-            env_name = key
+            print(f"❌ No secrets found in {_YAML_PATH}")
+    
+    # No secrets available anywhere
+    error_msg = "🔐 No secrets available!\n"
+    if _is_dev_environment():
+        error_msg += f"💡 For dev environment, provide secrets via:\n"
+        error_msg += f"  - Environment variables: {', '.join(SECRET_ENV_MAPPING.values())}\n"
+        error_msg += f"  - Or mount secrets file to: {_YAML_PATH}\n"
+    else:
+        error_msg += "💡 For GitHub Actions, configure repository secrets\n"
+    
+    print(error_msg)
+    sys.exit(1)
+
 
-        # Decode and export
-        plain_value = _decode_b64(str(encoded))
-        os.environ[env_name] = plain_value
-        # print(f"Decoded {env_name}={plain_value}")
+# Backward compatibility alias
+load_yaml_secrets = load_secrets

diagram_to_iac/tools/shell/shell.py

@@ -10,6 +10,7 @@ from pydantic import BaseModel, Field
 from langchain_core.tools import tool
 
 from diagram_to_iac.core.memory import create_memory
+from diagram_to_iac.core.config_loader import get_config, get_config_value
 
 
 # --- Pydantic Schemas for Tool Inputs ---
@@ -60,51 +61,79 @@ class ShellExecutor:
                 datefmt='%Y-%m-%d %H:%M:%S'
             )
         
-        # Load configuration following our pattern
-        if config_path is None:
-            base_dir = os.path.dirname(os.path.abspath(__file__))
-            config_path = os.path.join(base_dir, 'shell_config.yaml')
-            self.logger.debug(f"Default config path set to: {config_path}")
-        
+        # Load configuration using centralized system with fallback to direct file loading  
         try:
-            with open(config_path, 'r') as f:
-                self.config = yaml.safe_load(f)
-            if self.config is None:
-                self.logger.warning(f"Configuration file at {config_path} is empty. Using default values.")
+            # Use centralized configuration loading
+            base_config = get_config()
+            shell_config = base_config.get('tools', {}).get('shell', {})
+            
+            # Load tool-specific config if provided
+            tool_config = {}
+            if config_path and os.path.exists(config_path):
+                with open(config_path, 'r') as f:
+                    tool_config = yaml.safe_load(f) or {}
+            
+            # Merge configurations (tool config overrides base config)
+            merged_config = self._deep_merge(shell_config, tool_config)
+            
+            if not merged_config:
+                self.logger.warning("No shell configuration found in centralized system. Using defaults.")
                 self._set_default_config()
             else:
-                self.logger.info(f"Configuration loaded successfully from {config_path}")
-        except FileNotFoundError:
-            self.logger.warning(f"Configuration file not found at {config_path}. Using default values.")
-            self._set_default_config()
-        except yaml.YAMLError as e:
-            self.logger.error(f"Error parsing YAML configuration from {config_path}: {e}. Using default values.", exc_info=True)
-            self._set_default_config()
+                # Ensure the config has the expected nested structure for backward compatibility
+                if 'shell_executor' not in merged_config and merged_config:
+                    # Wrap flat config in expected nested structure
+                    self.config = {'shell_executor': merged_config}
+                else:
+                    self.config = merged_config
+                self.logger.info("Configuration loaded from centralized system")
+        except Exception as e:
+            self.logger.warning(f"Failed to load from centralized config: {e}. Falling back to direct file loading.")
+            # Fallback to direct file loading for backward compatibility
+            if config_path is None:
+                base_dir = os.path.dirname(os.path.abspath(__file__))
+                config_path = os.path.join(base_dir, 'shell_config.yaml')
+                self.logger.debug(f"Default config path set to: {config_path}")
+            
+            try:
+                with open(config_path, 'r') as f:
+                    self.config = yaml.safe_load(f)
+                if self.config is None:
+                    self.logger.warning(f"Configuration file at {config_path} is empty. Using default values.")
+                    self._set_default_config()
+                else:
+                    self.logger.info(f"Configuration loaded successfully from {config_path}")
+            except FileNotFoundError:
+                self.logger.warning(f"Configuration file not found at {config_path}. Using default values.")
+                self._set_default_config()
+            except yaml.YAMLError as e:
+                self.logger.error(f"Error parsing YAML configuration from {config_path}: {e}. Using default values.", exc_info=True)
+                self._set_default_config()
         
         # Initialize memory system following our pattern
         self.memory = create_memory(memory_type)
         self.logger.info(f"Shell executor memory system initialized: {type(self.memory).__name__}")
         
         # Log configuration summary
-        shell_config = self.config.get('shell_executor', {})
+        shell_config = self.config.get('shell_executor', {}) or self.config  # Support both formats
         self.logger.info(f"Shell executor initialized with allowed binaries: {shell_config.get('allowed_binaries', [])}")
         self.logger.info(f"Workspace base: {shell_config.get('workspace_base', '/workspace')}")
         self.logger.info(f"Default timeout: {shell_config.get('default_timeout', 30)}s")
     
     def _set_default_config(self):
-        """Set default configuration following our established pattern."""
+        """Set default configuration using centralized system."""
         self.logger.info("Setting default configuration for ShellExecutor.")
         self.config = {
             'shell_executor': {
-                'allowed_binaries': ['git', 'bash', 'sh', 'gh', 'ls'],
-                'default_timeout': 30,
-                'max_output_size': 8192,
-                'workspace_base': '/workspace',
-                'allow_relative_paths': True,
-                'restrict_to_workspace': True,
-                'enable_detailed_logging': True,
-                'log_command_execution': True,
-                'log_output_truncation': True
+                'allowed_binaries': get_config_value("tools.shell.allowed_binaries", ['git', 'bash', 'sh', 'gh', 'ls']),
+                'default_timeout': get_config_value("network.shell_timeout", 30),
+                'max_output_size': get_config_value("tools.shell.max_output_size", 8192),
+                'workspace_base': get_config_value("system.workspace_base", '/workspace'),
+                'allow_relative_paths': get_config_value("tools.shell.allow_relative_paths", True),
+                'restrict_to_workspace': get_config_value("tools.shell.restrict_to_workspace", True),
+                'enable_detailed_logging': get_config_value("tools.shell.enable_detailed_logging", True),
+                'log_command_execution': get_config_value("tools.shell.log_command_execution", True),
+                'log_output_truncation': get_config_value("tools.shell.log_output_truncation", True)
             },
             'error_messages': {
                 'binary_not_allowed': "Shell executor: Binary '{binary}' is not allowed.",
@@ -119,6 +148,25 @@ class ShellExecutor:
             }
         }
     
+    def _deep_merge(self, base: dict, overlay: dict) -> dict:
+        """
+        Deep merge two dictionaries, with overlay taking precedence.
+        
+        Args:
+            base: Base dictionary
+            overlay: Dictionary to overlay on base
+            
+        Returns:
+            Merged dictionary
+        """
+        result = base.copy()
+        for key, value in overlay.items():
+            if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+                result[key] = self._deep_merge(result[key], value)
+            else:
+                result[key] = value
+        return result
+    
     def _validate_binary(self, command: str) -> None:
         """Validate that the command uses an allowed binary."""
         try:
@@ -128,10 +176,19 @@ class ShellExecutor:
                 raise ValueError("Empty command provided")
             
             binary = cmd_parts[0]
-            allowed_binaries = self.config.get('shell_executor', {}).get('allowed_binaries', [])
+            # Try both centralized config format and legacy format
+            allowed_binaries = (
+                self.config.get('allowed_binaries', []) or  # Centralized format
+                self.config.get('shell_executor', {}).get('allowed_binaries', [])  # Legacy format
+            )
             
             if binary not in allowed_binaries:
-                error_msg = self.config.get('error_messages', {}).get(
+                # Try both centralized config format and legacy format for error messages
+                error_messages = (
+                    self.config.get('error_messages', {}) or
+                    self.config.get('shell_executor', {}).get('error_messages', {})
+                )
+                error_msg = error_messages.get(
                     'binary_not_allowed',
                     "Shell executor: Binary '{binary}' is not in the allowed list."
                 ).format(binary=binary)
@@ -146,7 +203,7 @@ class ShellExecutor:
     
     def _validate_workspace_path(self, cwd: Optional[str]) -> str:
         """Validate and resolve the working directory path."""
-        shell_config = self.config.get('shell_executor', {})
+        shell_config = self.config.get('shell_executor', {}) or self.config  # Support both formats
         workspace_base = shell_config.get('workspace_base', '/workspace')
         
         if cwd is None:
@@ -213,7 +270,7 @@ class ShellExecutor:
             resolved_cwd = self._validate_workspace_path(shell_input.cwd)
             
             # Get timeout from input or config
-            shell_config = self.config.get('shell_executor', {})
+            shell_config = self.config.get('shell_executor', {}) or self.config  # Support both formats
             timeout = shell_input.timeout or shell_config.get('default_timeout', 30)
             max_output_size = shell_config.get('max_output_size', 8192)