2 changes: 1 addition & 1 deletion docs/skills.md
Expand Up @@ -403,7 +403,7 @@ This registers eight tools:
| `glob_search` | Find files by name pattern |
| `directory_tree` | Show project directory tree |

The skill uses **denied tools** (`bash_execute`, `file_write`, `file_edit`, `file_patch`, `file_read`, `schedule_*`) to ensure the LLM uses the skill's own tool wrappers instead of raw builtins. All file operations are confined to the agent's working directory via `PathValidator`.
The skill uses **denied tools** (`file_write`, `file_edit`, `file_patch`, `file_read`, `schedule_*`) to ensure the LLM uses the skill's own tool wrappers instead of raw builtins. All file operations are confined to the agent's working directory via `PathValidator`.

Requires: `bash`, `jq`. Egress: `registry.npmjs.org`, `cdn.tailwindcss.com`, `pypi.org`, `files.pythonhosted.org`, `proxy.golang.org`, `sum.golang.org`, `storage.googleapis.com`, `repo.maven.apache.org`, `repo1.maven.org`.
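
Review bot: In the rewritten denied-tools sentence, dropping `bash_execute` from the list leaves this paragraph silent on shell execution, while the context line right after it still reads "Requires: `bash`, `jq`". Suggest stating explicitly that there is no raw shell builtin any more and that commands run only through the skill's own wrappers, and confirming that `bash` is still a real requirement. It is also worth checking whether existing skill definitions that still list `bash_execute` under denied tools load cleanly or now fail on an unknown tool name.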

12 changes: 1 addition & 11 deletions docs/tools.md
Expand Up @@ -44,7 +44,6 @@ All code-agent tools use a `PathValidator` that confines resolved paths within t

| Tool | Description |
|------|-------------|
| `bash_execute` | Execute bash commands with pipes, redirection, and shell features |
| `file_read` | Read file contents with optional line offset/limit, or list directory entries |
| `file_write` | Create or overwrite files in the project directory |
| `file_edit` | Edit files by exact string matching with unified diff output |
Expand All @@ -61,18 +60,9 @@ Code-agent tools are registered in layered groups, allowing skills to request on
|-------|-------|---------|
| `CodeAgentSearchTools` | `grep_search`, `glob_search`, `directory_tree` | Read-only exploration |
| `CodeAgentReadTools` | `file_read` + search tools | Safe reading |
| `CodeAgentWriteTools` | `file_write`, `file_edit`, `file_patch`, `bash_execute` | Modification + execution |
| `CodeAgentWriteTools` | `file_write`, `file_edit`, `file_patch` | Modification |
| `CodeAgentTools` | All read + write tools | Full code-agent capability |

### bash_execute Security

| Layer | Detail |
|-------|--------|
| **Dangerous command denylist** | Blocks `rm -rf /`, `mkfs`, `dd`, fork bombs, and similar destructive patterns |
| **sudo/su blocked** | Privilege escalation prefixes are rejected |
| **Timeout** | Default 120s, configurable per invocation |
| **Output cap** | Maximum 1MB output to prevent memory exhaustion |

### Path Validation

All file tools use `PathValidator` (from `pathutil.go`):
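
Review bot: Deleting the whole "bash_execute Security" table in this hunk removes the only documented execution controls (command denylist, sudo/su block, 120s timeout, 1MB output cap), yet `code_agent_run` is still listed as a write-action tool in forge-core/runtime/loop.go in this same change. If that tool runs commands, say here which of those controls apply to it, or point to where they are documented. The `CodeAgentTools` row still reads "Full code-agent capability", which readers will take to include execution; a one-line note that `CodeAgentWriteTools` no longer provides a shell would avoid surprises for skills that requested the group for `bash_execute`.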
4 changes: 2 additions & 2 deletions forge-core/runtime/loop.go
Expand Up @@ -593,7 +593,7 @@ func isWriteActionTool(name string) bool {
case "code_agent_edit", "code_agent_write", "code_agent_patch",
"github_commit", "github_push", "github_create_pr",
"github_checkout", "github_create_issue",
"file_create", "bash_execute", "code_agent_run":
"file_create", "code_agent_run":
return true
}
// Catch any tool with "edit", "write", "commit", "push" in the name.
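
Review bot: In the `isWriteActionTool` case list, removing "bash_execute" means that name now depends on the fallback below, which per its comment only matches "edit", "write", "commit" and "push", so a tool still registered under `bash_execute` (or another execution-style name) would be treated as a non-write action. Either confirm that nothing can register that name after this change, or extend the fallback to cover execution-style names so the classification fails closed.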
Expand Down Expand Up @@ -674,7 +674,7 @@ func toolPhase(name string) workflowPhase {
return phaseSetup
case "code_agent_read", "grep_search", "glob_search", "directory_tree", "read_skill", "github_status":
return phaseExplore
case "code_agent_edit", "code_agent_write", "code_agent_patch", "bash_execute", "file_create", "code_agent_run":
case "code_agent_edit", "code_agent_write", "code_agent_patch", "file_create", "code_agent_run":
return phaseEdit
case "github_commit", "github_push", "github_create_pr":
return phaseGitOps
1 change: 0 additions & 1 deletion forge-core/runtime/loop_test.go
Expand Up @@ -371,7 +371,6 @@ func TestToolPhaseClassification(t *testing.T) {
{"code_agent_edit", phaseEdit},
{"code_agent_write", phaseEdit},
{"code_agent_patch", phaseEdit},
{"bash_execute", phaseEdit},
{"file_create", phaseEdit},
{"code_agent_run", phaseEdit},
{"github_commit", phaseGitOps},
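
Review bot: In the `TestToolPhaseClassification` table, the `{"bash_execute", phaseEdit}` row is dropped without a replacement, so nothing pins what `toolPhase` returns for that name now. Suggest adding a case that asserts the expected phase for the removed name (whatever the default branch yields), so a stale or externally supplied tool named `bash_execute` cannot change classification unnoticed.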
219 changes: 0 additions & 219 deletions forge-core/tools/builtins/bash_execute.go

This file was deleted.
