[Security] Address critical host-shell escape in LocalSandboxProvider (#1547)

* fix(security): disable host bash by default in local sandbox

* fix(security): address review feedback for local bash hardening

* fix(ci): sort live test imports for lint

* style: apply backend formatter

---------

Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

backend/packages/harness/deerflow/subagents/registry.py

@@ -3,6 +3,7 @@
 import logging
 from dataclasses import replace
 
+from deerflow.sandbox.security import is_host_bash_allowed
 from deerflow.subagents.builtins import BUILTIN_SUBAGENTS
 from deerflow.subagents.config import SubagentConfig
 
@@ -50,3 +51,21 @@ def get_subagent_names() -> list[str]:
         List of subagent names.
     """
     return list(BUILTIN_SUBAGENTS.keys())
+
+
+def get_available_subagent_names() -> list[str]:
+    """Get subagent names that should be exposed to the active runtime.
+
+    Returns:
+        List of subagent names visible to the current sandbox configuration.
+    """
+    names = list(BUILTIN_SUBAGENTS.keys())
+    try:
+        host_bash_allowed = is_host_bash_allowed()
+    except Exception:
+        logger.debug("Could not determine host bash availability; exposing all built-in subagents")
+        return names
+
+    if not host_bash_allowed:
+        names = [name for name in names if name != "bash"]
+    return names