Execution & Terminal Control

Key facts

  • Stage: Controlled Execution — stage 4 of the pipeline.
  • PTY: Real PTY (node-pty), scoped to project root, runs under user UID — not OS-sandboxed.
  • Guard: Destructive-command denylist + binary allowlist + cwd guard + shell:false.

Pipeline stages this surface serves

  • governance
  • controlled-execution

What it does

  • Multi-terminal real PTY

    node-pty + xterm.js, multi-tab, branch-aware labels, shell from $SHELL or /bin/zsh, resize + dispose handled. The user has full control here and bears responsibility — the embedded PTY does not filter.

    evidence · electron/ipc/terminal.ts · src/components/TerminalTabs.tsx

  • Destructive-command refusal

    proc:spawn refuses rm -rf, git reset --hard, git clean -fd, git push --force, drop table|database, supabase db reset — at the spawn boundary, before execution.

    evidence · electron/ipc/process.ts:18-35

  • Agent exec allowlist

    agent:exec is read-oriented: git status|diff|log|show|branch|remote, npm run typecheck|test|lint|build:renderer, tsc, eslint, ruff, rg, grep, find, ls, cat. Hard-deny regex blocks shell metacharacters, sudo, chmod 777.

    evidence · electron/ipc/agentTools.ts:11-54

  • Verb auto-continue

    Depth ≤ 3. <<read>>, <<grep>>, <<symbol>>, <<exec>>, <<pw:smoke>>, <<pw:steps>> run against existing IPC and inject results as synthetic role:tool followups that re-stream.

    evidence · electron/chat/coordinator.ts · verbs.ts

  • Process-tree cleanup

    Spawned children launch detached; the negative-PID signal kills the whole group (Vite + esbuild + Next children) on SIGINT/SIGTERM/SIGHUP and app quit.

    evidence · electron/ipc/process.ts · electron/main.ts
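
The agent:exec gate from "Agent exec allowlist", combined with the cwd guard and shell:false listed under the key facts, sketched in TypeScript. This is an added example, not code from electron/ipc/agentTools.ts; every name and regex in it is an assumption built from the lists on this page.

```typescript
// Added illustration: ALLOWED, NPM_SCRIPTS, HARD_DENY, insideRoot and checkExec are
// hypothetical names; the lists and patterns are constructed from this page's text.
type Verdict = { ok: boolean; reason: string; argv: string[] };

// Binary -> permitted subcommands; an empty list means any arguments are accepted.
const ALLOWED: { [bin: string]: string[] } = {
  git: ["status", "diff", "log", "show", "branch", "remote"],
  npm: ["run"],
  tsc: [], eslint: [], ruff: [], rg: [], grep: [], find: [], ls: [], cat: [],
};
const NPM_SCRIPTS = ["typecheck", "test", "lint", "build:renderer"];
// Hard-deny: shell metacharacters, sudo, chmod 777.
const HARD_DENY = /[;&|`$<>(){}\\\n]|\bsudo\b|\bchmod\s+777\b/;

// Collapse "." and ".." lexically (production code would also resolve symlinks).
function normalize(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "..") out.pop();
    else if (seg !== "" && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// cwd guard: compare whole path segments so "/work/app-other" is not inside "/work/app".
function insideRoot(cwd: string, root: string): boolean {
  const r = normalize(root);
  const c = normalize(cwd.charAt(0) === "/" ? cwd : root + "/" + cwd);
  return c === r || c.indexOf(r + "/") === 0;
}

function checkExec(command: string, cwd: string, root: string): Verdict {
  const deny = (reason: string): Verdict => ({ ok: false, reason, argv: [] });
  if (HARD_DENY.test(command)) return deny("hard-deny pattern");
  const argv = command.trim().split(/\s+/);
  const bin = argv[0] || "";
  // Own-property check: "constructor" or "__proto__" must not match via the prototype.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, bin)) return deny("binary not allowlisted");
  const subs = ALLOWED[bin] || [];
  if (subs.length > 0 && subs.indexOf(argv[1] || "") === -1) return deny("subcommand not allowlisted");
  if (bin === "npm" && NPM_SCRIPTS.indexOf(argv[2] || "") === -1) return deny("npm script not allowlisted");
  if (!insideRoot(cwd, root)) return deny("cwd outside project root");
  // The caller hands argv to spawn(argv[0], argv.slice(1), { cwd, shell: false }),
  // so no shell ever parses the string.
  return { ok: true, reason: "allowed", argv };
}
```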

Surfaces

Screenshots captured in a later phase. Frame names + intended dimensions shown today.

Multi-terminal tabs with branch-aware labels; each PTY is scoped to an allowed project root.
evidence · src/components/TerminalTabs.tsx

proc:spawn refuses a destructive command (e.g. rm -rf) at the spawn boundary, not after.
evidence · electron/ipc/process.ts:18-31, 158-162

Agent shell-exec runs only allowlisted binaries; hard-deny patterns reject the rest.
evidence · electron/ipc/agentTools.ts:11-54

Evidence

Every claim on this page traces to a file in the desktop app repository.

  • electron/ipc/terminal.ts
  • electron/ipc/process.ts
  • electron/orchestrator/hooks.ts
  • src/components/TerminalPane.tsx
  • src/components/TerminalTabs.tsx
  • electron/ipc/agentTools.ts