feat: Replace terminal dangerous-command block with HITL approval and add Safe Mode in Settings

[spider-yamet]

Related issue

Closes #1306

Summary

Replaces the Terminal Toolkit’s hard block of “dangerous” commands with a Human-in-the-Loop (HITL) approval flow and adds a Safe Mode setting so users can opt in.

Changes

HITL for dangerous commands

• When a dangerous command is detected and Safe Mode is on, the user is offered three choices:
  • Yes – approve this command once
  • All Yes in this task – approve all subsequent dangerous commands in the current task
  • No – reject the command
• Frontend shows the prompt and calls /chat/{id}/terminal-approval with the chosen option; backend enforces approval before running the command and supports “approve all in task” per task.

Safe Mode in Settings

• Settings → Permissions: new Safe Mode toggle with hint:
  “With Safe Mode active, Eigent will pause and seek explicit approval whenever high-risk system operations are detected.”
• Default: off. When on, the HITL flow above is used for the configured dangerous-command list.

Backend

• Dangerous command list (triggers HITL when Safe Mode is on): system (e.g. sudo, su, reboot, shutdown), file (e.g. rm, chown, mount), disk (e.g. dd, mkfs, fdisk), process (e.g. service, systemctl), network (e.g. iptables, ifconfig), cron (e.g. crontab, at), user/kernel (e.g. useradd, modprobe), and related commands as specified.
• Non-Docker mode: cd is validated so the agent cannot leave the designated working_directory.
• Task lock includes approved_all_dangerous_commands and a queue for terminal approval; reset on new task.

Frontend

• Permissions tab and Safe Mode UI; preference stored in localStorage and sent as safe_mode in the start-task request.

Other

• Pre-commit: skip backend checks when uv is not installed so commits succeed without uv (message suggests installing uv for backend checks).

Testing

• Verified Safe Mode off: dangerous commands run without approval.
• Verified Safe Mode on: dangerous commands trigger the three-option prompt; Yes / All Yes in task / No behave as described.
• Verified Permissions UI: toggle and hint render; state persists and is sent to backend.
• Verified cd outside working_directory in non-Docker mode is rejected.

[spider-yamet]

@bytecii @Wendong-Fan Could you please review my PR?

[bytecii]

IMO we can move this to camel to make a special safe mode such as strict. cc @Wendong-Fan

[Wendong-Fan]

IMO we can move this to camel to make a special safe mode such as strict. cc @Wendong-Fan

thanks @bytecii , the idea behind this issue is to implement a human-in-the-loop mechanism for safer code execution, which would involve the HumanToolkit. Since CAMEL serves more as a modular framework, it might be more appropriate to implement this feature in Eigent as an application layer. What do you think?

[spider-yamet]

@Wendong-Fan @bytecii could you please review this pr?
I see this PR remains opening for several days.

Regards