
#23486: Tools/FS: default host-mode filesystem access to workspace-only

by bmendonca3, open, 2026-02-22 10:49
Labels: agents, size: S, trusted-contributor
## Summary

- harden host-mode filesystem tools (`read`/`write`/`edit`) to workspace-only by default
- add explicit escape hatch `tools.fs.allowOutsideWorkspace=true` for host-mode access outside workspace
- preserve existing sandbox-mounted behavior unless `tools.fs.workspaceOnly=true`
- extend security signaling by flagging `tools.fs.allowOutsideWorkspace=true` as insecure/dangerous in audit output

## Testing

- pnpm test src/agents/pi-tools.read.workspace-guard.test.ts src/security/audit.test.ts
- pnpm test:e2e src/agents/pi-tools.workspace-paths.e2e.test.ts
- pnpm check

<h3>Greptile Summary</h3>

This PR hardens filesystem tool security by making host-mode sessions workspace-only by default, requiring explicit `tools.fs.allowOutsideWorkspace=true` to access paths outside the workspace.

Key changes:

- Host-mode `read`/`write`/`edit` tools now default to workspace-contained (blocks `/etc/passwd`, symlink escapes, etc.)
- New `tools.fs.allowOutsideWorkspace` flag provides explicit escape hatch for host-mode when needed
- Sandbox-mounted behavior unchanged (preserves legacy `tools.fs.workspaceOnly` semantics)
- Security audit properly flags `allowOutsideWorkspace=true` as dangerous
- Comprehensive test coverage for path blocking, symlink prevention, and escape hatch

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk - it strengthens security defaults without breaking existing functionality.
- The PR implements a well-architected security hardening with comprehensive test coverage. The logic correctly distinguishes between sandbox and host modes, preserves backward compatibility for sandboxed sessions, and provides a clear escape hatch. All filesystem tools are consistently protected, and the security audit system properly flags the dangerous config option.
- No files require special attention

<sub>Last reviewed commit: 6896b4c</sub>
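As an added example (not code from this PR or the project), a TypeScript workspace guard of the shape the PR describes: host-mode tools stay inside the workspace unless `tools.fs.allowOutsideWorkspace=true`, sandboxed sessions keep the legacy `tools.fs.workspaceOnly` opt-in, and symlink escapes are caught by resolving the real path of the deepest existing ancestor before the containment check. The `FsToolConfig` shape, the function names and the handling of dangling symlinks are assumptions, not the project's API.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Hypothetical config shape mirroring the flags named in the PR (assumption).
export interface FsToolConfig {
  sandboxed: boolean;               // session uses a sandbox-mounted filesystem
  workspaceOnly?: boolean;          // legacy tools.fs.workspaceOnly (sandbox only)
  allowOutsideWorkspace?: boolean;  // tools.fs.allowOutsideWorkspace (host-mode escape hatch)
}

// Host mode: guarded unless the escape hatch is set. Sandbox: legacy opt-in only.
export function workspaceGuardEnabled(cfg: FsToolConfig): boolean {
  return cfg.sandboxed ? cfg.workspaceOnly === true : cfg.allowOutsideWorkspace !== true;
}

// lstat-based existence check: a dangling symlink counts as existing.
function lexists(p: string): boolean {
  return fs.lstatSync(p, { throwIfNoEntry: false }) !== undefined;
}

// Returns the real path if `target` stays inside `workspace`, else null.
// The deepest existing ancestor is realpath'd so a symlinked directory or a
// `..` segment cannot point the tool outside the root; a dangling symlink is
// rejected because writing through it would create a file elsewhere.
export function resolveWithinWorkspace(workspace: string, target: string): string | null {
  const root = fs.realpathSync(workspace);
  let existing = path.resolve(root, target);
  const missing: string[] = [];
  while (!lexists(existing)) {
    missing.unshift(path.basename(existing));
    const parent = path.dirname(existing);
    if (parent === existing) return null;  // reached the filesystem root
    existing = parent;
  }
  let real: string;
  try {
    real = path.join(fs.realpathSync(existing), ...missing);
  } catch {
    return null;  // dangling symlink or unreadable component
  }
  const rel = path.relative(root, real);
  const inside = rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
  return inside ? real : null;
}

// Entry point the read/write/edit tools would call before touching `target`.
export function checkToolPath(cfg: FsToolConfig, workspace: string, target: string): string | null {
  if (!workspaceGuardEnabled(cfg)) return path.resolve(workspace, target);
  return resolveWithinWorkspace(workspace, target);
}
```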
