v0.44.0: role-aware drive management — protected lockout + customer type-to-confirm wipe + drive-list restyle

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/web/agent_disk_handlers.go

@@ -139,8 +139,10 @@ func (s *Server) agentDiskEjectHandler(w http.ResponseWriter, r *http.Request) {
 // can show "operator authorization required".
 func (s *Server) agentDiskFormatHandler(w http.ResponseWriter, r *http.Request) {
 	var req struct {
-		Device string `json:"device"`
-		FSType string `json:"fstype"`
+		Device    string `json:"device"`
+		FSType    string `json:"fstype"`
+		Confirmed bool   `json:"confirmed"`
+		DurableID string `json:"durable_id"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeDiskJSON(w, http.StatusBadRequest, false, "invalid request body", nil)
@@ -155,9 +157,14 @@ func (s *Server) agentDiskFormatHandler(w http.ResponseWriter, r *http.Request)
 		writeDiskJSON(w, http.StatusServiceUnavailable, false, err.Error(), nil)
 		return
 	}
-	resp, err := client.FormatDisk(r.Context(), req.Device, req.FSType)
+	resp, err := client.FormatDisk(r.Context(), req.Device, req.FSType, req.Confirmed, req.DurableID)
+	if errors.Is(err, agentapi.ErrNeedsConfirmation) {
+		s.logger.Printf("[INFO] [web] disk format needs customer confirmation (user-data): %s", req.Device)
+		writeDiskJSON(w, http.StatusConflict, false, "customer confirmation required", resp)
+		return
+	}
 	if errors.Is(err, agentapi.ErrFormatRefused) {
-		s.logger.Printf("[WARN] [web] disk format refused by agent (data-bearing): %s", req.Device)
+		s.logger.Printf("[WARN] [web] disk format refused by agent (system/backup-protected): %s", req.Device)
 		writeDiskJSON(w, http.StatusConflict, false, "operator authorization required", resp)
 		return
 	}