From 746d7f5415b424ba9736e411b78c34e9ba6bc0d2 Mon Sep 17 00:00:00 2001
From: angleyanalbedo <100198247+angleyanalbedo@users.noreply.github.com>
Date: Tue, 10 Mar 2026 15:10:09 +0800
Subject: [PATCH] feat(tools): enhance ExecTool with enable flag and custom
 deny_patterns

- Add `enable` flag to `ExecToolConfig` to conditionally register the tool.
- Add `deny_patterns` to allow users to override the default command blacklist.
- Remove `allow_patterns` (whitelist) to maintain tool flexibility.
- Fix initialization logic to properly handle empty list (`[]`), allowing users to completely clear the default blacklist.
---
 nanobot/agent/loop.py    | 14 ++++++++------
 nanobot/config/schema.py |  3 ++-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/nanobot/agent/loop.py b/nanobot/agent/loop.py
index ca9a06e..bf40214 100644
--- a/nanobot/agent/loop.py
+++ b/nanobot/agent/loop.py
@@ -117,12 +117,14 @@ class AgentLoop:
         allowed_dir = self.workspace if self.restrict_to_workspace else None
         for cls in (ReadFileTool, WriteFileTool, EditFileTool, ListDirTool):
             self.tools.register(cls(workspace=self.workspace, allowed_dir=allowed_dir))
-        self.tools.register(ExecTool(
-            working_dir=str(self.workspace),
-            timeout=self.exec_config.timeout,
-            restrict_to_workspace=self.restrict_to_workspace,
-            path_append=self.exec_config.path_append,
-        ))
+        if self.exec_config.enable:
+            self.tools.register(ExecTool(
+                working_dir=str(self.workspace),
+                timeout=self.exec_config.timeout,
+                restrict_to_workspace=self.restrict_to_workspace,
+                path_append=self.exec_config.path_append,
+                deny_patterns=self.exec_config.deny_patterns,
+            ))
         self.tools.register(WebSearchTool(api_key=self.brave_api_key, proxy=self.web_proxy))
         self.tools.register(WebFetchTool(proxy=self.web_proxy))
         self.tools.register(MessageTool(send_callback=self.bus.publish_outbound))
diff --git a/nanobot/config/schema.py b/nanobot/config/schema.py
index 8cfcad6..a1d6ed4 100644
--- a/nanobot/config/schema.py
+++ b/nanobot/config/schema.py
@@ -305,9 +305,10 @@ class WebToolsConfig(Base):
 class ExecToolConfig(Base):
     """Shell exec tool configuration."""
 
+    enable: bool = True
     timeout: int = 60
     path_append: str = ""
-
+    deny_patterns: list[str] | None = None
 
 class MCPServerConfig(Base):
     """MCP server connection configuration (stdio or HTTP)."""