Commit Graph

170 Commits

Author SHA1 Message Date
67fdb715f5 refactor(messages): 统一运行期消息插入为 [系统通知|source] 前缀的 user 消息
- 新增 server/chat_flow_task_support.inject_runtime_user_message 作为唯一入口,
  统一处理 add_conversation + messages.insert + sender(user_message) 三件事
- 子智能体 / 后台 run_command / runtime_guidance / mode notice 全部走该入口,
  role 一律 user,inline 仅作 metadata 标记,不再复用 system role 表达语义
- inline poll 移出 tool 执行循环,改为整轮 tool 完成后批量注入,
  避免在 assistant.tool_calls 与 tool 序列之间插入 user 导致 API 报错
- 删除 _insert_completion_notice_message / _record_sub_agent_message
  以及 build_messages 中 system→user 的回转分支
- 移除已废弃的 wait_sub_agent 工具残留(后端注册、前端图标/动画、
  prompts、SKILL 文档;保留 sleep 的 wait_sub_agent_ids 参数)
- 前端取消对 is_auto_generated/auto_message_type 的过滤,
  让运行期注入的 user 消息在历史和实时推送中正常渲染

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 02:01:36 +08:00
e2bbd767f7 feat(host-security+ui): unify host execution/approval behavior, runtime notices, and approval overlay UX
This commit consolidates a large set of host-mode security and UX fixes across backend and frontend.

Security / execution model:
- Make permission/execution mode switches apply immediately (no deferred pending-only behavior).
- Keep runtime mode change notices durable and visible via user-message guidance path.
- Add explicit runtime message source taxonomy support and persistence:
  user / presend / guidance / notify / sub_agent / background_command.
- Ensure guidance/notify insertion is batched per tool-cycle so mid-run inserts are committed together.
- Separate notify from guidance semantics for mode-change notices.
- Add direct-mode auto-fallback handling visibility on frontend.

Approval and command gating:
- Align run_command approval pre-check logic with docker behavior for approval/auto_approval modes in host execution paths.
- Keep approval retry flow and final-result semantics intact when permission errors trigger approval.
- Externalize forbidden command keyword list into JSON config:
  config/forbidden_commands.json.
- Update forbidden command rejection message to user-facing wording:
  用户不允许执行包含“... ”的指令.

Prompt/runtime guidance:
- Refine execution-mode runtime rule text to avoid endless workaround loops:
  one safe alternative first, then request switching to direct mode when truly required.

Chat rendering / message UX:
- Prevent injected guidance/notify user-messages from incorrectly triggering assistant work header/timer chain.
- Restore correct visibility after history reload while preserving runtime-source behavior.
- Update user-header icon/label rendering by message source:
  - guidance -> 引导 + navigation icon
  - notify/sub_agent/background_command -> 通知 + bell icon
  - user/presend -> keep normal user header.
- Add new icons: static/icons/navigation.svg, static/icons/bell.svg.

Approval panel UX:
- Convert desktop approval panel from layout-compress sidebar to overlay + blur sheet.
- Fix panel transition behavior (remove unintended vertical motion; use dedicated desktop overlay transition).
- Improve approval result display:
  - decision and reason split lines,
  - green/red status styling,
  - multiline reason rendering,
  - auto-collapse delay adjusted to 3s.

Execution mode TTL feedback:
- When direct mode auto-expires to sandbox, frontend menu state is updated from status snapshot.
- Show non-auto-dismiss warning toast to explicitly notify auto-fallback.

Misc consistency updates:
- Execution mode label text cleanup in composer.
- Runtime notice wording normalization (权限模式修改为..., 执行环境修改为...).

Build/test notes:
- Frontend rebuilt after UI changes.
- Smoke tests passed for server refactor path.
2026-05-12 19:16:38 +08:00
2ec226b5eb fix(permission,docker): enforce docker-specific approval flow and polish permission menu layout
- Add docker risk markers config (config/docker_risk_markers.json) and load it in tools permission evaluation.

- In docker mode, pre-evaluate run_command/terminal_input: readonly-safe and no-risk -> direct run; otherwise require approval/auto-approval.

- Keep docker write_file/edit_file behavior aligned with agreed policy: approval requires review, auto_approval passes directly.

- Pass risk markers into auto approval payload and include current working directory context for approval agent.

- Fix permission dropdown layout: only use split two-column menu when execution mode section is enabled; remove empty right blank area in docker mode.

- Center mobile approval overlay to prevent sheet overflow on small screens.
2026-05-11 22:56:10 +08:00
8d665ad6de feat(permission): add auto-approval mode with approval agent, UI flow, and docs sync
Implemented a new permission mode  between  and , including backend policy, runtime behavior, frontend display, and documentation updates.

Backend & policy changes:

- Added  to permission mode validation and persistence paths.

- Updated tool permission evaluation: workspace-local  direct pass, out-of-workspace requires approval.

- Kept  readonly-first flow and added auto-approval decision path when permission denial occurs.

- Added approval reason/decider support in tool approval manager.

- Improved rejection tool-content format to natural language: '工具调用被拒绝\n原因:...'

- Fixed permission-mode sync edge cases on conversation create/load and restart-first-switch behavior.

Approval agent subsystem:

- Added  and .

- Added lightweight auto-approval config at  (name/url/key/model/extra_params + timeouts).

- Added optional transcript debug switch in code and transcript output under logs/approval_agent.

- Aligned transcript saving toward cumulative messages format and captured reasoning/content/tool_calls/tool sequence.

Frontend changes:

- Added  option to personalization and permission menus.

- Reworked approval panel auto-review display into a dedicated block with simplified lines: start, command, final approve/reject + reason.

- Added delayed sidebar auto-close (10s) after approval resolved.

- Added stricter permission-switch verification and rollback on mismatch/error.

Docs updated:

- Synced AGENTS.md, README.md, and docs/host_sandbox_and_permission_model.md with new permission mode, approval-agent behavior, config, and current constraints (including docker caveat).
2026-05-11 17:55:27 +08:00
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
b151f8ff71 feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
de15fbe970 fix: reload mcp registry before tool discovery 2026-04-27 14:37:18 +08:00
afd75b4ca9 fix: avoid fake MCP completion text for empty results 2026-04-27 13:17:22 +08:00
727cafc370 fix: persist media via store and preserve MCP content 2026-04-27 12:21:45 +08:00
dd334549c7 fix: improve MCP compatibility with persistent sessions and server callbacks 2026-04-27 11:34:58 +08:00
3c1773dc01 fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
ed5315eef6 feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
d541d9bd30 fix: extend run_command foreground timeout limit to 120s 2026-04-25 16:34:56 +08:00
916f68e8e9 feat: 添加智能体交流风格选项
- 将"模型行为"标签改为"智能体行为"
- 新增"智能体交流风格"二选一选项(默认/拟人)
- 拟人风格会注入human_like_style.txt提示词
- manage_personalization工具支持communication_style字段
- 添加user-pen.svg图标用于个性化工具和分类
2026-04-14 01:47:06 +08:00
13400f62d5 feat: add manage_personalization tool and fix personalization sync 2026-04-13 20:22:06 +08:00
757718c492 feat: add user turn tool protection to shallow compression
- Add shallow_compress_keep_user_turn_tools config (default: 3)
- Add is_auto_generated metadata to system messages (sub_agent/background_command)
- Fix sub_agent notification path to include auto_message marker
- Frontend: add input field in PersonalizationDrawer
- Backend: implement protection logic in _run_auto_shallow_compression
2026-04-12 18:48:08 +08:00
ccb7128867 feat: 实现AGENTS.md自动注入功能和根目录文件创建限制功能 2026-04-12 16:34:57 +08:00
aeb3fb1285 feat: 添加个性化配置字段 - AGENTS.md自动注入和根目录文件创建开关 2026-04-12 16:34:00 +08:00
eba36c46da fix(versioning): 压缩继承版本控制并忽略系统目录 2026-04-11 17:02:39 +08:00
6379f8c729 feat: complete conversation versioning UX and restore workflow 2026-04-11 16:16:40 +08:00
e814e89e32 feat: add conversation-bound permission modes and tool approval flow 2026-04-11 04:07:28 +08:00
90233690ad feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
a04eca3aab fix: unify background run_command notifications with sub-agent flow 2026-04-08 16:13:40 +08:00
d798d39da3 fix: persist onboarding prompt status and bump android app to 1.0.20 2026-04-07 20:08:33 +08:00
9a2bae04b5 fix: repair admin monitor auth and add invite CRUD 2026-04-07 18:23:09 +08:00
3ae5be47d9 feat: add per-skill strict read-before-tool enforcement 2026-04-07 11:50:38 +08:00
bc939a0098 feat: make context compression policy configurable and stabilize compression UX 2026-04-06 16:51:43 +08:00
7e03e3cd5f feat: stabilize context compression and deep-compact flow 2026-04-06 15:12:25 +08:00
5f6622a212 chore: add docs and remove sub_agent 2026-03-17 22:46:43 +08:00
12c7a4bdd9 fix: remove legacy file edit tags 2026-03-17 22:43:51 +08:00
5ab3acef9c feat: 添加 terminal-guide 和 sub-agent-guide skills
- 新增 terminal-guide skill: 持久化终端使用指南
- 新增 sub-agent-guide skill: 子智能体使用指南
- 优化终端工具定义和执行逻辑
- 更新系统提示词以引用新 skills
- 添加 utils/__init__.py 模块初始化文件

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-16 21:17:02 +08:00
96d0e68347 fix: run sub-agent tools inside container 2026-03-14 21:13:27 +08:00
f3179e2a97 feat: 优化滚动锁定和个性化称呼功能
滚动锁定优化:
- 滚动锁定默认始终启用,不再根据输出状态自动解锁
- 深色模式下锁定图标显示为白色,与箭头图标保持一致

个性化称呼功能:
- AI 助手名称根据个性化设置中的"自称"动态显示
- 用户名称根据个性化设置中的"称呼"动态显示
- 页面初始化时自动加载个性化设置,无需打开个人空间
- 在"模型行为"中新增"使用自定义称呼"开关
- 开关关闭时显示默认的"AI Assistant"和"用户"
- 修复保存后开关状态被重置的问题

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-13 12:10:08 +08:00
cd3f07bcc8 fix: enrich sub-agent results 2026-03-11 18:05:01 +08:00
ed82fc966e fix: improve sub-agent ui and state 2026-03-11 15:40:28 +08:00
f09621fd86 feat: 为子智能体添加思考模式参数
- 新增 thinking_mode 参数(fast/thinking),支持根据任务复杂度选择模式
- 优化子智能体工具说明,提供详细的使用场景示例
- 增强子智能体状态展示,添加统计信息摘要
- 完善交付目录验证,要求必须为不存在的新目录
- 优化子智能体完成/超时/失败的消息格式
- 同步更新前端和批处理相关代码

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-11 03:34:20 +08:00
b68dee9d98 chore: snapshot current changes 2026-03-10 23:48:40 +08:00
43409c523e fix: 移除错误的对话切换跳转逻辑并修复工具执行返回值问题
主要修复:
1. 移除前端"取消跳转到正在运行的对话"的错误逻辑
   - 删除 switchConversation 中的任务检查和确认提示
   - 删除 createNewConversation 中的跳转回运行对话逻辑
   - 删除 loadConversation 中对未定义变量 hasActiveTask 的引用

2. 修复后端工具执行返回值问题
   - 修复 execute_tool_calls 在用户停止时返回 None 的 bug
   - 确保所有返回路径都返回包含 stopped 和 last_tool_call_time 的字典

3. 其他改进
   - 添加代码复制功能 (handleCopyCodeClick)
   - 移除 FocusPanel 相关代码
   - 更新个性化配置 (enhanced_tool_display)
   - 样式和主题优化

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-08 17:42:07 +08:00
823b1e105e feat: implement graceful tool cancellation on stop request
- Add stop flag monitoring loop (checks every 100ms during tool execution)
- Cancel tool task immediately when stop flag is detected
- Return cancellation message to conversation history with role=tool
- Save cancellation result: '命令执行被用户取消'
- Clean up pending tasks to prevent 'Task was destroyed but it is pending' warnings
- Fix terminal_ops.py to properly cancel stdout/stderr read tasks

Known issue: Tool result display in frontend still shows arguments instead of cancellation message when expanded

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-08 04:12:50 +08:00
c067df4e1b feat: add include_domains search filter and UI display 2026-03-07 17:50:35 +08:00
877bcc2fad fix: improve api error diagnostics and raise model quotas 2026-03-06 17:02:19 +08:00
4be61fe76e feat: unify terminal session controls 2026-03-04 23:49:10 +08:00
12047ce237 feat: add terminal_input timeout hints 2026-02-25 15:21:35 +08:00
08bc08b35f feat: update model support and multimodal 2026-02-25 01:41:05 +08:00
89eeb449b5 chore: sync workspace updates 2026-02-23 01:20:41 +08:00
7472028997 feat: add skills framework and controls 2026-02-07 00:20:35 +08:00
b0941a247b fix: reduce workspace scans in host mode 2026-02-06 17:09:19 +08:00
55ef45e04d feat: add silent disable option and workspace prompt split 2026-02-03 23:11:15 +08:00
9ded11de7a feat: support batch todo updates 2026-01-30 18:50:02 +08:00
7890926c3d fix: improve cancellation flow and api error tracing 2026-01-30 15:36:44 +08:00
453df30f45 refactor: replace file diff tools, simplify todos, disable typewriter 2026-01-29 14:20:01 +08:00
6f8c1b36cc feat: add image compression preference for uploads 2026-01-28 11:43:09 +08:00
60d27e9c1c fix: refine host mode controls and kimi-k2.5 support 2026-01-28 11:19:50 +08:00
8a7cc5d9c6 feat: support kimi-k2.5 with multimodal thinking 2026-01-28 10:34:27 +08:00
d0197c38c3 fix: expand workspace file access and paginate convo index 2026-01-25 16:13:32 +08:00
51f61b04d2 feat: add api admin ui and container status fix 2026-01-25 10:49:52 +08:00
6e0df78fef feat(api): multi-workspace endpoints and container cleanup 2026-01-24 18:29:30 +08:00
82e7d0680a feat: add api v1 bearer auth and polling docs 2026-01-24 02:35:07 +08:00
d6fb59e1d8 refactor: split web_server into modular architecture
- Refactor 6000+ line web_server.py into server/ module
- Create separate modules: auth, chat, conversation, files, admin, etc.
- Keep web_server.py as backward-compatible entry point
- Add container running status field in user_container_manager
- Improve admin dashboard API with credentials and debug support

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-22 09:21:53 +08:00
c787df2cef fix: reuse terminal container for command exec 2026-01-20 21:08:39 +08:00
aacdfc78eb fix: fallback timeout wrapper for terminal commands 2026-01-19 21:57:59 +08:00
026588bba3 fix: align toolbox python env for run_command 2026-01-19 20:58:38 +08:00
60e63595a6 chore: sync pending changes 2026-01-05 21:48:55 +08:00
5c7cdd72c9 feat: add custom tools guide and id validation 2026-01-05 21:46:55 +08:00
4cfd0ef090 fix: stop converting Kimi balance and switch Qwen endpoint to business.aliyuncs.com 2026-01-05 14:22:06 +08:00
1cf8bd7014 fix: use Kimi base URL from env to avoid 401 2026-01-05 14:19:37 +08:00
5fd2739878 fix: align qwen balance signing/query encoding to avoid 400 2026-01-05 14:18:41 +08:00
2d17143d72 fix: fallback to existing kimi/deepseek key names in balance fetch 2026-01-05 14:17:43 +08:00
e58936bf05 chore: read balance creds from .env by default 2026-01-05 14:13:51 +08:00
cec28df931 feat: add manual balance checker for admin monitor 2026-01-05 14:10:19 +08:00
99cbea30da feat: polish admin policy UI and tool selection 2026-01-05 13:34:00 +08:00
f9b5aa2af9 fix: reset defaults for new conversations 2026-01-03 16:46:33 +08:00
7853830624 feat: improve vlm workflow and workspace image serving 2026-01-01 18:56:29 +08:00
61b6b2d492 chore: clarify /workspace path error message 2026-01-01 17:16:39 +08:00
4262922694 fix: intent streaming defaults and UI stability 2026-01-01 05:48:13 +08:00
5bdbfa138e feat: auto-generate chat titles with personalization toggle 2025-12-30 09:43:53 +08:00
385c8154ea chore: pause container polling when tab hidden 2025-12-16 22:27:19 +08:00
c96e99cd13 fix(ui): load folder contents in monitor and improve messages 2025-12-15 22:34:25 +08:00
4617e00693 fix: improve terminal timeouts and clean outputs 2025-12-15 18:13:53 +08:00
b78921b1ca fix: correct terminal_input error reporting 2025-12-15 16:04:47 +08:00
8fe06753bb fix: stabilize terminal tool timeouts 2025-12-15 15:15:03 +08:00
ca8f65fe35 feat: index-based memory tool with append/replace/delete 2025-12-14 17:56:18 +08:00
8755688c8e feat: enhance virtual monitor command/python playback 2025-12-14 17:38:03 +08:00
053db95fee feat: virtual monitor 2025-12-14 04:22:00 +08:00
2f75c1c8bb feat: stable version before virtual monitor timing fix
Current status includes:
- Virtual monitor surface and components
- Monitor store for state management
- Tool call animations and transitions
- Liquid glass shader integration

Known issue to fix: Tool status display timing - "正在xx" appears
after tool execution completes instead of when tool call starts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-13 17:12:12 +08:00
eb7ccf1dd2 feat: restore run mode personalization 2025-12-02 19:03:33 +08:00
51bb0f1033 fix: improve write_file_diff diagnostics 2025-12-01 23:44:56 +08:00
02ab023ad7 feat: persist behavior preferences 2025-11-30 13:11:04 +08:00
2847ade631 chore: log project size errors 2025-11-30 13:09:36 +08:00
b39d7cc795 chore: snapshot before tool ui fix 2025-11-26 18:07:52 +08:00
7cc91571de feat: modularize frontend layout 2025-11-25 22:41:15 +08:00
75a7febcd1 feat: add upload quarantine scanning and ui toasts 2025-11-24 14:31:13 +08:00
7c7038b5c9 fix: delay quota window start until first use 2025-11-24 01:38:24 +08:00
8c8b2d3a20 chore: snapshot before usage menu update 2025-11-24 00:47:17 +08:00
7348eab83a docs: refresh readme and phase2 summary 2025-11-23 21:24:09 +08:00
b81d6760bd feat: containerize terminals and add resource controls 2025-11-23 18:49:35 +08:00
089a3ad0c9 feat: update prompts and backend 2025-11-22 18:17:24 +08:00
d0af9755c6 feat: enhance personal space experience 2025-11-22 18:14:23 +08:00