feat(tools): enhance ExecTool with enable flag and custom deny_patterns

- Add `enable` flag to `ExecToolConfig` to conditionally register the tool.
- Add `deny_patterns` to allow users to override the default command blacklist.
- Remove `allow_patterns` (whitelist) to maintain tool flexibility.
- Fix initialization logic to properly handle empty list (`[]`), allowing users to completely clear the default blacklist.

nanobot/agent/loop.py

@@ -117,12 +117,14 @@ class AgentLoop:
         allowed_dir = self.workspace if self.restrict_to_workspace else None
         for cls in (ReadFileTool, WriteFileTool, EditFileTool, ListDirTool):
             self.tools.register(cls(workspace=self.workspace, allowed_dir=allowed_dir))
-        self.tools.register(ExecTool(
-            working_dir=str(self.workspace),
-            timeout=self.exec_config.timeout,
-            restrict_to_workspace=self.restrict_to_workspace,
-            path_append=self.exec_config.path_append,
-        ))
+        if self.exec_config.enable:
+            self.tools.register(ExecTool(
+                working_dir=str(self.workspace),
+                timeout=self.exec_config.timeout,
+                restrict_to_workspace=self.restrict_to_workspace,
+                path_append=self.exec_config.path_append,
+                deny_patterns=self.exec_config.deny_patterns,
+            ))
         self.tools.register(WebSearchTool(api_key=self.brave_api_key, proxy=self.web_proxy))
         self.tools.register(WebFetchTool(proxy=self.web_proxy))
         self.tools.register(MessageTool(send_callback=self.bus.publish_outbound))

nanobot/config/schema.py

@@ -305,9 +305,10 @@ class WebToolsConfig(Base):
 class ExecToolConfig(Base):
     """Shell exec tool configuration."""
 
+    enable: bool = True
     timeout: int = 60
     path_append: str = ""
-
+    deny_patterns: list[str] | None = None
 
 class MCPServerConfig(Base):
     """MCP server connection configuration (stdio or HTTP)."""