Harden exec tool against command-exec bypasses #21

Open: lawyered0 wants to merge 3 commits into louisho5:main from lawyered0:codex/fix-exec-tool-hardening

@lawyered0

Summary

This PR hardens the exec tool to close critical command-execution bypasses.

Critical issue addressed

The previous guard validated only argv[0] against an allowlist. Some allowlisted binaries can execute arbitrary commands internally (for example, git aliases and find -exec), which bypassed the intended safety boundary.

What changed

  • Updated internal/agent/tools/exec.go:
    • Enforced a stricter default safe allowlist.
    • Removed shell-capable binaries (git, find, rg) from the default allowlist.
    • Kept explicit opt-in override via PICOBOT_EXEC_ALLOW_UNSAFE=1 for trusted environments.
    • Continued blocking direct program paths and unsafe arguments.
  • Updated internal/agent/loop.go:
    • Registered exec tool with workspace scoping by default.
  • Added/expanded tests:
    • internal/agent/tools/exec_test.go
    • internal/agent/loop_exec_workspace_test.go
    • Includes regressions for the prior bypass payloads (git alias and find -exec) and workspace scoping behavior.

Validation

  • go test ./internal/agent/tools -run Exec -count=1
  • go test ./...

Risk note

Setting PICOBOT_EXEC_ALLOW_UNSAFE=1 intentionally re-enables non-allowlisted binaries and should be used only in trusted environments.

@louisho5 added the security and enhancement labels and removed the security label on Feb 25, 2026
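The gap described in the PR summary, as an added Go sketch that is not code from this PR or from picobot: a guard that checks only argv[0] accepts commands whose arguments make an allowlisted binary run something else, while a stricter default allowlist with an explicit opt-in rejects them. The allowlist contents, function names, and sample commands are constructed assumptions, and the PR's unsafe-argument filtering is not modeled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlists for illustration; not picobot's actual lists.
var legacyAllow = map[string]bool{"ls": true, "cat": true, "git": true, "find": true, "rg": true}
var strictAllow = map[string]bool{"ls": true, "cat": true}

// argv0Only models the previous guard: it inspects the program name and nothing else,
// so arguments that make the program spawn another command pass unnoticed.
func argv0Only(argv []string) bool {
	return len(argv) > 0 && legacyAllow[argv[0]]
}

// hardened models the approach in the PR summary: direct program paths are always
// blocked, the default allowlist excludes binaries that can run other commands,
// and anything else needs an explicit opt-in (allowUnsafe stands in for the
// PICOBOT_EXEC_ALLOW_UNSAFE=1 override; the ordering of checks is an assumption).
func hardened(argv []string, allowUnsafe bool) error {
	if len(argv) == 0 || argv[0] == "" {
		return fmt.Errorf("empty command")
	}
	if strings.ContainsAny(argv[0], `/\`) {
		return fmt.Errorf("direct program path %q is blocked", argv[0])
	}
	if !strictAllow[argv[0]] && !allowUnsafe {
		return fmt.Errorf("%q is not in the default allowlist", argv[0])
	}
	return nil
}

func main() {
	samples := [][]string{ // constructed inputs, inner command is a harmless echo
		{"ls", "-l"},
		{"git", "-c", "alias.x=!echo hi", "x"},
		{"find", ".", "-exec", "echo", "hi", ";"},
		{"/bin/ls"},
	}
	for _, argv := range samples {
		fmt.Printf("%-36s argv0-only=%-5v hardened=%v\n",
			strings.Join(argv, " "), argv0Only(argv), hardened(argv, false))
	}
}
```

Inputs like the git and find samples make useful regression cases: each must be accepted by the old check and rejected by the new one for the test to prove the fix.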
Labels

enhancement New feature or request
