[Feature Request] Replace strict command prohibition in Terminal Toolkit with structured Human-in-the-Loop verification

[Pakchoioioi]

Motivation

Currently, the Terminal Toolkit hard-blocks certain “dangerous” commands, which causes some tasks to fail completely. We need to remove this strict prohibition and replace it with a Human-in-the-Loop (HITL) approval mechanism.

Solution

The HITL: When any of the following dangerous commands is detected, the system should return three options for the user to choose from:

Yes (approve this command once)

All Yes in this task (approve all subsequent dangerous commands within the current task)

No (reject the command)

These options should be displayed and handled by the frontend.

very important!!!
Do NOT directly reuse the previous human_toolkit activation mechanism that waits for user input and automatically skips after 30 seconds.

Enable HITL Mechanism via System Settings

Location: System Settings >> Permissions
In System Settings Homepage >> Settings >> Permissions : in Permissions page add a new "Safe Mode" toggle with the following hint ⬇️ .
With Safe Mode active, Eigent will pause and seek explicit approval whenever high-risk system operations are detected.
This should be disabled by default. When enabled by the user, it activates the Human-in-the-Loop (HITL) approval mechanism.

Additional context

Dangerous Command List (Triggers HITL):

• System Administration: sudo, su, reboot, shutdown, halt, poweroff, init
• File System: rm, chown, chgrp, umount, mount
• Disk Operations: dd, mkfs, fdisk, parted, fsck, mkswap, swapon, swapoff
• Process Management: service, systemctl, systemd
• Network Configuration: iptables, ip6tables, ifconfig, route, iptables-save
• Cron/Scheduling: crontab, at, batch
• User/Kernel Management: useradd, userdel, usermod, passwd, chpasswd, newgrp, modprobe, rmmod, insmod, lsmod

Additional Safety Constraint:
Non-Docker Mode: If the environment is running outside of Docker, the system must validate cd commands. Ensure the agent cannot traverse outside the designated working_directory.

[spider-yamet]

@Pakchoioioi @Wendong-Fan
Let me resolve this issue,

Regards

[Pakchoioioi]

@spider-yamet Please check this feature request.

In System Settings Homepage >> Settings >> Permissions (add this tab on the left) : in Permissions page add a new "Safe Mode" toggle with the following hint ⬇️ .
With Safe Mode active, Eigent will pause and seek explicit approval whenever high-risk system operations are detected.

This should be disabled by default. When enabled by the user, it activates the Human-in-the-Loop (HITL) approval mechanism.

[dataCenter430]

Hi, @Pakchoioioi Thanks for the clarification, adding a “Safe Mode” toggle makes perfect sense.

I’d like to take this issue. My implementation plan:

• Safe Mode Toggle:

  • Add a Safe Mode option in System Settings (disabled by default).
  • When enabled, activate the Human-in-the-Loop (HITL) approval mechanism for dangerous commands.

• HITL Command Handling:

  • Detect commands matching the provided dangerous command list.
  • Return structured options to the frontend:
    • Yes (approve once)
    • All Yes in this task (approve all subsequent dangerous commands in the current task)
    • No (reject)
  • Maintain task-scoped state for “All Yes in this task” to skip repeated prompts within the same task.
  • Important: Do not reuse the previous human_toolkit mechanism — no blocking wait loop or 30s auto-skip.

• Non-Docker Mode Safety:

  • Intercept and validate cd commands.
  • Prevent traversal outside the allowed working_directory using strict path resolution (block .., symlinks, absolute paths, etc.).

• Testing Plan:

  • Single approval flow
  • Task-wide approval flow
  • Rejection flow
  • Non-Docker cd traversal attempts
  • Mixed safe/dangerous command sequences
  • Safe Mode toggled on/off

Once assigned, I’ll open a draft PR with the architecture and tests for review before finalizing the implementation.

[Pakchoioioi]

@spider-yamet thanks for taking this! Looking forward to seeing the new feature.

[Pakchoioioi]

We need to discuss and confirm the existing security restriction mechanisms within the Terminal Toolkit of both Eigent and Camel before proceeding with the implementation.

Specifically, we need to verify whether the list of 'dangerous commands' I provided is exhaustive.

Once these mechanisms are clarified, we can design the HITL (Human-in-the-Loop) workflow and the Global Safe Mode management system.

[spider-yamet]

@dataCenter430 I am already implementing this feature, and also @Pakchoioioi assigned me this issue.
You can consider other issues