Add input validation and audit logging to shell tool

Validate that the command is not empty before execution, and add
debug-level logging for native (non-sandboxed) shell command execution
to improve auditability.

Fixes #1717

Assisted-By: cagent

Author: dgageot

pkg/tools/builtin/shell.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log/slog"
 	"os"
 	"os/exec"
 	"runtime"
@@ -137,6 +138,10 @@ func statusToString(status int32) string {
 }
 
 func (h *shellHandler) RunShell(ctx context.Context, params RunShellArgs) (*tools.ToolCallResult, error) {
+	if strings.TrimSpace(params.Cmd) == "" {
+		return tools.ResultError("Error: empty command"), nil
+	}
+
 	timeout := h.timeout
 	if params.Timeout > 0 {
 		timeout = time.Duration(params.Timeout) * time.Second
@@ -152,6 +157,8 @@ func (h *shellHandler) RunShell(ctx context.Context, params RunShellArgs) (*tool
 		return h.sandbox.runCommand(timeoutCtx, ctx, params.Cmd, cwd, timeout), nil
 	}
 
+	slog.Debug("Executing native shell command", "command", params.Cmd, "cwd", cwd)
+
 	return h.runNativeCommand(timeoutCtx, ctx, params.Cmd, cwd, timeout), nil
 }