Commit Graph

17 Commits

Author SHA1 Message Date
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
96d0e68347 fix: run sub-agent tools inside container 2026-03-14 21:13:27 +08:00
cd3f07bcc8 fix: enrich sub-agent results 2026-03-11 18:05:01 +08:00
ed82fc966e fix: improve sub-agent ui and state 2026-03-11 15:40:28 +08:00
f09621fd86 feat: 为子智能体添加思考模式参数
- 新增 thinking_mode 参数(fast/thinking),支持根据任务复杂度选择模式
- 优化子智能体工具说明,提供详细的使用场景示例
- 增强子智能体状态展示,添加统计信息摘要
- 完善交付目录验证,要求必须为不存在的新目录
- 优化子智能体完成/超时/失败的消息格式
- 同步更新前端和批处理相关代码

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-11 03:34:20 +08:00
b68dee9d98 chore: snapshot current changes 2026-03-10 23:48:40 +08:00
053db95fee feat: virtual monitor 2025-12-14 04:22:00 +08:00
71f24c2d72 fix: include completed sub agents in overview 2025-11-18 18:05:50 +08:00
1b69bc2719 fix: propagate manual termination status 2025-11-15 17:20:26 +08:00
f2bfa3f377 feat: add sub agent termination control 2025-11-15 17:10:58 +08:00
3100643534 feat: add close_sub_agent tool 2025-11-15 16:51:13 +08:00
3eec18b8a9 fix: per conversation sub agent limit and todo hints 2025-11-15 16:40:01 +08:00
1c4a7ba003 fix: isolate sub agent limits 2025-11-15 16:33:25 +08:00
01138d0881 fix: clean sub agent tooling 2025-11-15 15:51:17 +08:00
ba47147425 chore: snapshot sub agent baseline 2025-11-15 11:21:31 +08:00
0ac246c22b feat: integrate sub agent workflow 2025-11-15 02:41:13 +08:00