Title: Disable restricted imports immediately on exception in executor
Summary
- Restricted import mode remains enabled through the except/finally block if a contract call raises, causing cleanup to run under the restricted importer and risking sticky state if another error occurs before disable.
Problem
- Potential DoS if restricted importer remains active globally after a fault.
- Import-hook abuse window during cleanup.
Proposed Fix
- Call disable_restricted_imports() in the except block immediately after catching, before any further cleanup, and keep a final guard in finally.
- Ensure tracer.stop() is called once to avoid secondary exceptions blocking the disable.
Acceptance Criteria
- Tests simulate contract exceptions and verify restricted imports are disabled before cleanup runs.
- No double tracer.stop() calls remain.
Title: Disable restricted imports immediately on exception in executor
Summary
Problem
Proposed Fix
Acceptance Criteria