[UX] Exec approval system blocks legitimate workflows #58715

@MarcZhuYY

Problem

  1. Allow Always only exempts exact command string
  2. tools.exec.ask and tools.exec.security are protected paths (config.patch rejected)
  3. No way to permanently allow read-only commands without per-approval clicks

Suggested fixes

  1. Allow tools.exec.ask: off via config.patch (add to schema)
  2. Command pattern allowlist
  3. Allow Always per command prefix
  4. security: allowlist mode with trusted command list

Use case

Personal Mac, single owner. Read-only commands (ls, find, date) should be auto-approved, destructive commands (rm -rf) require approval.
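The prefix and allowlist ideas above, as an added example that is not part of the issue or the project's code: an approval decision made on the parsed argument vector, shown next to plain string-prefix matching, which also accepts a chained command that merely starts with an allowed word. All names (`READ_ONLY`, `decide`, `naive_prefix_allow`) and the sample commands are hypothetical.

```python
import shlex

# Hypothetical policy for this example; not the project's config schema.
# find actions that write, delete or run programs (GNU and BSD names).
FIND_ACTIONS = {"-exec", "-execdir", "-ok", "-okdir", "-delete",
                "-fprint", "-fprint0", "-fprintf", "-fls"}
# Characters the shell interprets: chaining, pipes, redirection, substitution.
SHELL_META = set(";&|<>`$(){}\n\\")

# Executable name -> predicate deciding whether its arguments stay read-only.
READ_ONLY = {
    "ls": lambda args: True,
    "find": lambda args: not any(a in FIND_ACTIONS for a in args),
    # A bare positional argument can set the clock; permit only -u and +FORMAT.
    "date": lambda args: all(a == "-u" or a.startswith("+") for a in args),
}


def naive_prefix_allow(command, prefixes=("ls", "find", "date")):
    """Plain string-prefix matching, kept only to contrast with decide()."""
    return command.startswith(prefixes)


def decide(command):
    """Return 'allow' for a plain read-only command, otherwise 'ask'."""
    if any(ch in SHELL_META for ch in command):
        return "ask"  # fail closed, even when the character is quoted
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return "ask"
    if not argv or argv[0] not in READ_ONLY:
        return "ask"  # unknown tool, or a path such as ./ls
    return "allow" if READ_ONLY[argv[0]](argv[1:]) else "ask"


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ["ls -la /tmp", "date +%s", "find . -name notes.txt",
                "find . -name notes.txt -delete", "rm -rf build",
                "ls; rm -rf build"]:
        print(f"{decide(cmd):5}  naive={naive_prefix_allow(cmd)!s:5}  {cmd}")
```

The "allow" result only holds if the approved command is then executed as that same argument vector without passing through a shell, and if the executable name resolves to the expected binary.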
