Enhancement: Unified Script Safety Policy & Trust Management Framework

[vraj826]

Description

DevShell allows users to execute local scripts, import scripts from external sources, replay executions, restore workspaces, and share portable workspace configurations. However, script trust and execution safety are currently handled in a fragmented manner across the platform.

As DevShell grows into a long-running automation and DevOps workspace, a centralized script safety and trust framework would improve security, transparency, and user confidence without compromising the filesystem-first architecture.

Current limitations:

• No unified script trust model
• No execution risk visibility before running scripts
• No centralized trust decisions for imported scripts
• No script provenance tracking
• No workspace-level trust diagnostics
• No policy enforcement for high-risk execution patterns
• Trust state is not surfaced consistently across replay/workspace/reliability systems

Proposed Enhancement

Implement a lightweight Script Safety Policy & Trust Management Framework that provides:

• Script trust classification
• Import provenance tracking
• Execution risk warnings
• Workspace trust diagnostics
• Policy-based execution confirmations
• Trust-aware recovery and replay workflows

The goal is to improve execution safety while preserving DevShell’s lightweight, filesystem-only design.

Suggested Areas

Backend

• app.py
• trust policy evaluation
• provenance metadata
• execution policy validation

Frontend

• ui/app.js
• ui/index.html
• ui/style.css

Proposed Approach

+ Introduce centralized script trust metadata
+ Add import provenance tracking
+ Implement execution risk classification
+ Add trust-aware execution confirmations
+ Surface trust diagnostics in workspace and replay flows
+ Add policy evaluation before high-risk actions
+ Preserve filesystem-only architecture
+ Maintain Electron compatibility

[vraj826]

@siddu-k I'll like to work on this issue under GSSoC'26, kindly assign this to me!