Strictly read-only PTC allowlist for interpreter_ptc="safe".
Limited to tools that are not in _add_interrupt_on() to begin with, so
exposing them through PTC does not introduce a new HITL bypass. Network
tools (web_search, fetch_url), subagent dispatch (task), shell
execution (execute), and file writes (write_file, edit_file, MCP
write tools) are deliberately excluded — they are HITL-gated outside the
REPL, and PTC bypasses interrupt_on, so including them would silently
escalate privileges. Users who need network or subagent access from inside
the REPL must list those tools explicitly (which signals intent at config
time) or use interpreter_ptc="all" with the unsafe acknowledgement.
