proposal: enhance AI functionalities

lib/app.dart

@@ -9,6 +9,7 @@ import 'package:server_box/data/res/build_data.dart';
 import 'package:server_box/data/res/store.dart';
 import 'package:server_box/generated/l10n/l10n.dart';
 import 'package:server_box/view/page/home.dart';
+import 'package:server_box/view/widget/ai/ai_fab_overlay.dart';
 
 part 'intro.dart';
 
@@ -108,7 +109,10 @@ class _MyAppState extends State<MyApp> {
     return MaterialApp(
       key: ValueKey(locale),
       navigatorKey: AppNavigator.key,
-      builder: ResponsivePoints.builder,
+      builder: (context, child) {
+        final responsiveChild = ResponsivePoints.builder(context, child);
+        return AiFabOverlay(child: responsiveChild);
+      },
       locale: locale,
       localizationsDelegates: const [LibLocalizations.delegate, ...AppLocalizations.localizationsDelegates],
       supportedLocales: AppLocalizations.supportedLocales,

lib/data/model/ai/ask_ai_models.dart

@@ -30,11 +30,27 @@ class AskAiCommand {
     required this.command,
     this.description = '',
     this.toolName,
+    this.risk,
+    this.needsConfirmation,
+    this.why,
+    this.prechecks,
   });
 
   final String command;
   final String description;
   final String? toolName;
+
+  /// Optional risk hint returned by the model/tool, e.g. `low|medium|high`.
+  final String? risk;
+
+  /// Optional explicit confirmation requirement returned by the model/tool.
+  final bool? needsConfirmation;
+
+  /// Optional explanation for why this command is suggested.
+  final String? why;
+
+  /// Optional pre-check commands / steps.
+  final List<String>? prechecks;
 }
 
 @immutable

lib/data/model/app/menu/container.dart

@@ -8,7 +8,8 @@ enum ContainerMenu {
   restart,
   rm,
   logs,
-  terminal
+  terminal,
+  askAi
   //stats,
   ;
 
@@ -20,10 +21,11 @@ enum ContainerMenu {
         rm,
         logs,
         terminal,
+        askAi,
         //stats,
       ];
     }
-    return [start, rm, logs];
+    return [start, rm, logs, askAi];
   }
 
   IconData get icon => switch (this) {
@@ -33,6 +35,7 @@ enum ContainerMenu {
     ContainerMenu.rm => Icons.delete,
     ContainerMenu.logs => Icons.logo_dev,
     ContainerMenu.terminal => Icons.terminal,
+    ContainerMenu.askAi => Icons.smart_toy_outlined,
     // DockerMenuType.stats => Icons.bar_chart,
   };
 
@@ -43,6 +46,7 @@ enum ContainerMenu {
     ContainerMenu.rm => libL10n.delete,
     ContainerMenu.logs => libL10n.log,
     ContainerMenu.terminal => l10n.terminal,
+    ContainerMenu.askAi => l10n.askAi,
     // DockerMenuType.stats => s.stats,
   };
 }

lib/data/provider/ai/ai_context.dart

@@ -0,0 +1,64 @@
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:meta/meta.dart';
+
+@immutable
+class AiContextSnapshot {
+  const AiContextSnapshot({
+    required this.title,
+    required this.scenario,
+    required this.blocks,
+    this.spiId,
+    this.updatedAtMs,
+  });
+
+  final String title;
+  final String scenario;
+  final List<String> blocks;
+  final String? spiId;
+  final int? updatedAtMs;
+
+  AiContextSnapshot copyWith({
+    String? title,
+    String? scenario,
+    List<String>? blocks,
+    String? spiId,
+    int? updatedAtMs,
+  }) {
+    return AiContextSnapshot(
+      title: title ?? this.title,
+      scenario: scenario ?? this.scenario,
+      blocks: blocks ?? this.blocks,
+      spiId: spiId ?? this.spiId,
+      updatedAtMs: updatedAtMs ?? this.updatedAtMs,
+    );
+  }
+}
+
+final aiContextProvider = NotifierProvider<AiContextNotifier, AiContextSnapshot>(AiContextNotifier.new);
+
+class AiContextNotifier extends Notifier<AiContextSnapshot> {
+  @override
+  AiContextSnapshot build() {
+    return const AiContextSnapshot(
+      title: 'Ask AI',
+      scenario: 'general',
+      blocks: [],
+      updatedAtMs: 0,
+    );
+  }
+
+  void setContext({
+    required String title,
+    required String scenario,
+    required List<String> blocks,
+    String? spiId,
+  }) {
+    state = AiContextSnapshot(
+      title: title,
+      scenario: scenario,
+      blocks: blocks,
+      spiId: spiId,
+      updatedAtMs: DateTime.now().millisecondsSinceEpoch,
+    );
+  }
+}

lib/data/provider/ai/ai_safety.dart

@@ -0,0 +1,186 @@
+import 'package:meta/meta.dart';
+import 'package:server_box/data/model/server/server_private_info.dart';
+
+@immutable
+enum AiRedactionMode {
+  placeholder,
+  none,
+}
+
+@immutable
+enum AiCommandRisk {
+  low,
+  medium,
+  high,
+}
+
+extension AiCommandRiskX on AiCommandRisk {
+  static AiCommandRisk? tryParse(Object? raw) {
+    if (raw is! String) return null;
+    final s = raw.trim().toLowerCase();
+    return switch (s) {
+      'low' => AiCommandRisk.low,
+      'medium' => AiCommandRisk.medium,
+      'high' => AiCommandRisk.high,
+      _ => null,
+    };
+  }
+
+  AiCommandRisk max(AiCommandRisk other) => index >= other.index ? this : other;
+}
+
+abstract final class AiSafety {
+  const AiSafety._();
+
+  static String redact(
+    String input, {
+    AiRedactionMode mode = AiRedactionMode.placeholder,
+    Spi? spi,
+  }) {
+    if (mode == AiRedactionMode.none) return input;
+    if (input.isEmpty) return input;
+
+    var out = input;
+
+    out = _redactPrivateKeyBlocks(out);
+    out = _redactBearerTokens(out);
+    out = _redactApiKeys(out);
+
+    if (spi != null) {
+      out = _redactSpiIdentity(out, spi);
+    }
+
+    return out;
+  }
+
+  static List<String> redactBlocks(
+    List<String> blocks, {
+    AiRedactionMode mode = AiRedactionMode.placeholder,
+    Spi? spi,
+  }) {
+    if (blocks.isEmpty) return const [];
+    return [
+      for (final b in blocks) redact(b, mode: mode, spi: spi),
+    ];
+  }
+
+  static AiCommandRisk classifyRisk(String command) {
+    final raw = command.trim();
+    if (raw.isEmpty) return AiCommandRisk.low;
+
+    final s = raw.toLowerCase();
+
+    // High-risk destructive patterns.
+    if (_rxForkBomb.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxMkfs.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxDdToBlockDevice.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxRmRf.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxChmodChownRoot.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxIptablesFlush.hasMatch(s) || _rxNftFlush.hasMatch(s)) return AiCommandRisk.high;
+    if (_rxDockerSystemPruneAll.hasMatch(s) || _rxPodmanSystemPruneAll.hasMatch(s)) return AiCommandRisk.high;
+
+    // Medium-risk operational patterns.
+    if (_rxRebootShutdown.hasMatch(s)) return AiCommandRisk.medium;
+    if (_rxSystemctlStopRestart.hasMatch(s)) return AiCommandRisk.medium;
+    if (_rxKill.hasMatch(s)) return AiCommandRisk.medium;
+    if (_rxDockerStopRm.hasMatch(s) || _rxPodmanStopRm.hasMatch(s)) return AiCommandRisk.medium;
+
+    return AiCommandRisk.low;
+  }
+
+  static String _redactPrivateKeyBlocks(String input) {
+    return input.replaceAllMapped(_rxPrivateKeyBlock, (_) => '<PRIVATE_KEY_BLOCK>');
+  }
+
+  static String _redactBearerTokens(String input) {
+    var out = input;
+    out = out.replaceAllMapped(
+      _rxAuthorizationBearer,
+      (m) => '${m.group(1)}Bearer <TOKEN>',
+    );
+    out = out.replaceAllMapped(
+      _rxBearerInline,
+      (m) => 'Bearer <TOKEN>',
+    );
+    return out;
+  }
+
+  static String _redactApiKeys(String input) {
+    // Keep it conservative; only match common patterns with clear prefixes.
+    var out = input;
+    out = out.replaceAllMapped(_rxOpenAiKey, (_) => '<API_KEY>');
+    out = out.replaceAllMapped(_rxAwsAccessKeyId, (_) => '<AWS_ACCESS_KEY_ID>');
+    return out;
+  }
+
+  static String _redactSpiIdentity(String input, Spi spi) {
+    var out = input;
+
+    final ip = spi.ip;
+    final user = spi.user;
+    final port = spi.port;
+
+    if (user.isNotEmpty && ip.isNotEmpty) {
+      out = out.replaceAll('$user@$ip:$port', '<USER_AT_HOST_PORT>');
+      out = out.replaceAll('$user@$ip', '<USER_AT_HOST>');
+    }
+
+    if (ip.isNotEmpty) {
+      out = out.replaceAll(ip, '<IP>');
+    }
+
+    if (user.isNotEmpty) {
+      out = out.replaceAll(user, '<USER>');
+    }
+
+    return out;
+  }
+}
+
+final _rxPrivateKeyBlock = RegExp(
+  r'-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z0-9 ]*PRIVATE KEY-----',
+  multiLine: true,
+);
+
+final _rxAuthorizationBearer = RegExp(
+  r'(authorization\s*:\s*)bearer\s+[^\s\n\r]+',
+  multiLine: true,
+  caseSensitive: false,
+);
+
+final _rxBearerInline = RegExp(
+  r'\bbearer\s+[^\s\n\r]+',
+  caseSensitive: false,
+);
+
+final _rxOpenAiKey = RegExp(r'\bsk-[A-Za-z0-9]{16,}\b');
+
+final _rxAwsAccessKeyId = RegExp(r'\bAKIA[0-9A-Z]{16}\b');
+
+final _rxForkBomb = RegExp(r':\s*\(\s*\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:');
+
+final _rxMkfs = RegExp(r'\bmkfs(\.[a-z0-9_-]+)?\b');
+
+final _rxDdToBlockDevice = RegExp(r'\bdd\b[^\n\r]*\bof\s*=\s*/dev/');
+
+final _rxRmRf = RegExp(r'\brm\b[^\n\r]*\s-[a-z-]*r[a-z-]*f[a-z-]*\b');
+
+final _rxChmodChownRoot = RegExp(r'\b(chmod|chown)\b[^\n\r]*\s-\w*r\w*\b[^\n\r]*\s/\b');
+
+final _rxIptablesFlush = RegExp(r'\biptables\b[^\n\r]*(\s-(f|x)\b|\s--flush\b)');
+
+final _rxNftFlush = RegExp(r'\bnft\b[^\n\r]*\bflush\s+ruleset\b');
+
+final _rxDockerSystemPruneAll = RegExp(r'\bdocker\b[^\n\r]*\bsystem\s+prune\b[^\n\r]*\s-a\b');
+
+final _rxPodmanSystemPruneAll = RegExp(r'\bpodman\b[^\n\r]*\bsystem\s+prune\b[^\n\r]*\s-a\b');
+
+final _rxRebootShutdown = RegExp(r'\b(reboot|poweroff|halt|shutdown)\b');
+
+final _rxSystemctlStopRestart = RegExp(r'\bsystemctl\b[^\n\r]*\b(stop|restart)\b');
+
+final _rxKill = RegExp(r'\b(kill|killall|pkill)\b');
+
+final _rxDockerStopRm = RegExp(r'\bdocker\b[^\n\r]*\b(stop|rm)\b');
+
+final _rxPodmanStopRm = RegExp(r'\bpodman\b[^\n\r]*\b(stop|rm)\b');