Conversation

@antigremlin
Contributor

Summary

This PR addresses security and scope concerns with the Explore agent by implementing stricter permission controls and better path validation in the Bash tool.

Changes

  • Harden BashTool: Expanded the list of commands that trigger path validation in bash.ts to include common exploration commands like ls, find, grep, cat, etc. This ensures that commands targeting external directories (e.g., ls /) correctly trigger the external_directory permission check.
  • Restrict Explore Agent: Changed the default bash permission for the Explore agent from allow to ask in agent.ts. This ensures users are prompted before the agent executes shell commands, preventing unmonitored system exploration.
  • Update Explore Prompt: Refined the system prompt in explore.txt to explicitly instruct the agent to stay within the project directory and warn about permission prompts for bash commands.

Testing

  • Ran existing tests (npm run test) to ensure no regressions.
  • Verified that the changes compile and typecheck.
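The following block is an added example, not code from this PR or from the project: it sketches the two mechanisms the description names (path validation for exploration commands in the Bash tool, and the Explore agent's bash permission moving from `allow` to `ask`) in one self-contained TypeScript module. The function names, the `Permission` type, the command list beyond `ls`/`find`/`grep`/`cat`, and the simplified shell tokenizer are all assumptions for illustration; the real tool's parser and permission plumbing differ.

```typescript
import * as path from "node:path";

// Commands whose path arguments are validated. ls/find/grep/cat come from the
// PR description; head/tail/wc are assumed additions for illustration.
export const PATH_VALIDATED_COMMANDS = new Set([
  "ls", "find", "grep", "cat", "head", "tail", "wc",
]);

export type Permission = "allow" | "ask" | "deny";

// Illustrative agent configs (assumed shape): the weak setting beside the hardened one.
export const EXPLORE_AGENT_BEFORE = { name: "explore", permission: { bash: "allow" as Permission } };
export const EXPLORE_AGENT_AFTER = { name: "explore", permission: { bash: "ask" as Permission } };

// Split a command line on shell connectors so each simple command is inspected
// on its own. Deliberately naive: no quoting, subshell or redirection parsing.
function splitSegments(command: string): string[][] {
  return command
    .split(/\s*(?:\|\||&&|\||;)\s*/)
    .map((seg) => seg.trim().split(/\s+/).filter(Boolean))
    .filter((words) => words.length > 0);
}

// Collect non-flag arguments of validated commands. Pattern text such as a grep
// regex is collected too; it resolves inside cwd and never triggers, so the
// conservative direction (ask rather than allow) is the only possible error.
export function extractPathArgs(command: string): string[] {
  const out: string[] = [];
  for (const words of splitSegments(command)) {
    const [cmd, ...args] = words;
    if (!PATH_VALIDATED_COMMANDS.has(cmd)) continue;
    for (const a of args) {
      if (!a.startsWith("-")) out.push(a);
    }
  }
  return out;
}

// True when `p`, resolved against cwd, lies outside projectRoot.
// Unexpanded `~` or `$VAR` cannot be resolved here, so they count as external.
export function isExternalPath(p: string, cwd: string, projectRoot: string): boolean {
  if (p.startsWith("~") || p.includes("$")) return true;
  const root = path.posix.resolve(projectRoot);
  const resolved = path.posix.resolve(cwd, p);
  return resolved !== root && !resolved.startsWith(root + "/");
}

// Paths in the command that fall outside the project root.
export function externalPaths(command: string, cwd: string, projectRoot: string): string[] {
  return extractPathArgs(command).filter((p) => isExternalPath(p, cwd, projectRoot));
}

// Combine the agent's configured bash permission with the path check: an agent
// on "allow" is still prompted when a validated command targets an external
// directory, while "ask" and "deny" are passed through unchanged.
export function resolveBashPermission(
  agentBashPermission: Permission,
  command: string,
  cwd: string,
  projectRoot: string,
): Permission {
  if (agentBashPermission !== "allow") return agentBashPermission;
  return externalPaths(command, cwd, projectRoot).length > 0 ? "ask" : "allow";
}
```

`resolveBashPermission(EXPLORE_AGENT_BEFORE.permission.bash, "ls /", "/work/proj", "/work/proj")` yields `"ask"`, which is the behaviour the first bullet describes; with `EXPLORE_AGENT_AFTER` every bash command yields `"ask"` regardless of path, which is the second bullet. Commands not in the validated set (for example `echo /`) are not path-checked by this sketch at all, which is why the agent-level default matters independently of the path validation.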

@github-actions
Contributor

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions
Contributor

The following comment was made by an LLM; it may be inaccurate:

Potential Duplicate Found

PR #6073: refactor(agent): set Explore subagent bash permissions to read-only
#6073

This PR appears to be directly related to the current PR #7881. Both PRs address hardening the Explore agent's bash permissions. PR #6073 specifically sets bash permissions to read-only, which aligns with the current PR's goal of changing the bash permission from allow to ask for the Explore agent. You should check if PR #6073 was already merged or if there's additional work needed beyond what it implemented.

Related PRs (similar scope but different focus):
