Related issue

Closes #1306

Summary

Replaces the Terminal Toolkit’s hard block of “dangerous” commands with a Human-in-the-Loop (HITL) approval flow and adds a Safe Mode setting so users can opt in.

Changes

HITL for dangerous commands

• When a dangerous command is detected and Safe Mode is on, the user is offered three choices:
  • Yes – approve this command once
  • All Yes in this task – approve all subsequent dangerous commands in the current task
  • No – reject the command
• Frontend shows the prompt and calls /chat/{id}/terminal-approval with the chosen option; backend enforces approval before running the command and supports “approve all in task” per task.

Safe Mode in Settings

• Settings → Permissions: new Safe Mode toggle with hint:
  “With Safe Mode active, Eigent will pause and seek explicit approval whenever high-risk system operations are detected.”
• Default: off. When on, the HITL flow above is used for the configured dangerous-command list.

Backend

• Dangerous command list (triggers HITL when Safe Mode is on): system (e.g. sudo, su, reboot, shutdown), file (e.g. rm, chown, mount), disk (e.g. dd, mkfs, fdisk), process (e.g. service, systemctl), network (e.g. iptables, ifconfig), cron (e.g. crontab, at), user/kernel (e.g. useradd, modprobe), and related commands as specified.
• Non-Docker mode: cd is validated so the agent cannot leave the designated working_directory.
• Task lock includes approved_all_dangerous_commands and a queue for terminal approval; reset on new task.

Frontend

• Permissions tab and Safe Mode UI; preference stored in localStorage and sent as safe_mode in the start-task request.

Other

• Pre-commit: skip backend checks when uv is not installed so commits succeed without uv (message suggests installing uv for backend checks).

Testing

• Verified Safe Mode off: dangerous commands run without approval.
• Verified Safe Mode on: dangerous commands trigger the three-option prompt; Yes / All Yes in task / No behave as described.
• Verified Permissions UI: toggle and hint render; state persists and is sent to backend.
• Verified cd outside working_directory in non-Docker mode is rejected.