Allowlisted execution

Allowlisted execution bounds what an agent can run on its own. The allowlist is read-oriented — status and diff commands, type checks, tests, linters, search — so the agent can gather evidence and validate without arbitrary shell access.

This is a scoped control, not a sandbox. Terminals run under the user's own account; the allowlist plus a destructive-command guard narrows what the agent reaches, while the user keeps full control of the embedded terminal.