Terminal Tool

Execute shell commands on the host system. Commands are run via sh -c.

Parameters

Approval Logic

A command is auto-approved only if both conditions are met:

1. The command starts with a prefix in terminal.allowed_prefixes
2. The command does not contain any shell operators

Shell Operators (always require approval)

; | && || $() ` (backticks)

Default Allowed Prefixes

ls, cat, head, tail, echo, date, whoami, pwd, find, wc,
grep, tree, file, stat, uname, df, du, ps, which, env, printenv

Output

Returns stdout first, then stderr (if any). Output is truncated to terminal.max_output_chars (default 4000 characters).

Background Commands (New)

If a command exceeds the initial timeout, it moves to the background and returns a PID.

• action="check" + pid shows partial/final output
• action="kill" + pid stops a running background command
• Recent completed output is retained briefly so follow-up checks still work

Hard Safety Blocks (New)

Certain destructive patterns are now blocked before approval flow, including broad/sensitive rm -rf and find ... -delete targets.

Configuration

[terminal]
allowed_prefixes = ["ls", "cat", "head", "tail", "echo", "date"]
initial_timeout_secs = 30
max_output_chars = 4000
permission_mode = "default"

Allow Always (Persistent)

When the user clicks "Allow Always" in Telegram:

1. The first word of the command is extracted as the prefix
2. The prefix is added to the in-memory allowed list
3. The prefix is persisted to SQLite (terminal_allowed_prefixes table)
4. On restart, persisted prefixes are merged with config prefixes

This means "Allow Always" approvals survive daemon restarts without modifying config.toml.