Commit Graph

86 Commits

Author SHA1 Message Date
692748d567 fix(multi-agent): 修复消息渲染、分类、存储与滚动抖动
- 子智能体消息渲染为左侧对话气泡
- 多智能体通知细分为进度/完成/提问三类
- 修复多智能体会话存储到 mutiagents 目录并迁移数据
- 修复 token-statistics API 支持多智能体会话
- 修复 ma_debug 未定义报错
- 移除 .message-block content-visibility 修复滚动抖动
2026-07-12 23:09:56 +08:00
9ed956518c refactor(sub_agent): 子智能体从 Node.js 子进程改为主进程内 Python 协程
- 重写子智能体执行核心,不再启动 easyagent Node.js 子进程
- 新增 modules/sub_agent/ 包集中管理子智能体逻辑
- 工具调用复用主进程 WebTerminal.handle_tool_call,自然经过沙箱/容器链路
- 子智能体模型独立读取 ~/.agents/<mode>/config/sub_agent_models.json
- 支持 8 个工具:read_file/write_file/edit_file(replacements+replace_all)/run_command/web_search/extract_webpage/search_workspace/read_mediafile
- 修复子智能体进度弹窗:标题颜色、write_file 显示、过滤非 progress 条目、统一滚动条样式
- 更新 AGENTS.md / CLAUDE.md 子智能体描述
- 新增 test/test_sub_agent_regression.py 回归测试
2026-06-20 00:26:45 +08:00
56882f3169 fix: 新建对话后切换执行环境 prompt 未更新
根因:frozen_permission_prompt / frozen_execution_prompt 在对话创建时就被
提前构建并缓存到 conversation_metadata,后续切换模式后 build_messages 直接
返回旧缓存,不会根据当前模式重建。

修复:
- 删除 _ensure_conversation / create_new_conversation 中提前预置冻结 prompt
- conversation_manager 默认值从 '' 改为 None(空字符串会被误判为已缓存)
- _get_or_init_frozen_prompt 增加非空判断(防御性加固)

冻结时机改为第一次 build_messages 懒加载,确保首次发消息前任意模式切换都生效。
2026-06-19 17:33:52 +08:00
c2d460a706 feat: 宿主机模式网络沙箱
- macOS sandbox-exec profile 支持 network_permission 参数 (restricted/full/none)
- backend: 透传网络权限至 run_command / terminal_session / sub_agent / background_command
- 后台 run_command 接入沙箱执行
- 自动审核模式兼容网络权限报错 markers
- 运行时切换网络权限通过 pending 机制 + user 消息通知
- 提示词注入网络状态 (仅沙箱模式)
- 前端权限菜单新增网络权限组 (受限/完全开放)
- direct 模式下网络权限组变灰禁用
- settings.json 默认 HOST_SANDBOX_NETWORK_PERMISSION=restricted
2026-06-19 00:22:30 +08:00
78544cb205 refactor: remove run_python tool, consolidate all execution to run_command 2026-06-07 16:23:01 +08:00
be08026fca fix(runtime): preserve mode change notice source 2026-06-01 00:02:43 +08:00
eb00a3522a refactor(models): use dynamic api model registry 2026-05-29 00:20:54 +08:00
398ee6e760 feat(memory): refactor proactive memory and conversation recall
Refactor conversation persistence into workspace-scoped storage with host workspace legacy migration, current workspace filtering, and active host workspace state protection.

Add proactive recent-conversation prompt injection with personal-space controls, configurable item count, empty-conversation filtering, and frozen per-conversation prompt metadata to keep request caches stable.

Introduce conversation_search and conversation_review tools for current-workspace history: multi-keyword search, list mode, current conversation exclusion, message/tool counts, formatted model output, read/save review modes, long-review fallback, and .agents/review storage.

Move internal workspace artifacts under .agents, including uploads, skills, compact results, and reviews; update prompt file-tree visibility, compression output, upload paths, and hidden versioning exclusions.

Add create_skill workflow and a Skills tool category, move read_skill into Skills, validate/归档 skill folders, support host global skills and Docker/API private skills, and sync private skills into .agents/skills and skill prompts.

Update frontend tool icons, statuses, and expanded renderers for conversation recall and skills workflows; add workspace conversation and skills-manager tests.
2026-05-27 03:09:42 +08:00
e2bbd767f7 feat(host-security+ui): unify host execution/approval behavior, runtime notices, and approval overlay UX
This commit consolidates a large set of host-mode security and UX fixes across backend and frontend.

Security / execution model:
- Make permission/execution mode switches apply immediately (no deferred pending-only behavior).
- Keep runtime mode change notices durable and visible via user-message guidance path.
- Add explicit runtime message source taxonomy support and persistence:
  user / presend / guidance / notify / sub_agent / background_command.
- Ensure guidance/notify insertion is batched per tool-cycle so mid-run inserts are committed together.
- Separate notify from guidance semantics for mode-change notices.
- Add direct-mode auto-fallback handling visibility on frontend.

Approval and command gating:
- Align run_command approval pre-check logic with docker behavior for approval/auto_approval modes in host execution paths.
- Keep approval retry flow and final-result semantics intact when permission errors trigger approval.
- Externalize forbidden command keyword list into JSON config:
  config/forbidden_commands.json.
- Update forbidden command rejection message to user-facing wording:
  用户不允许执行包含“... ”的指令.

Prompt/runtime guidance:
- Refine execution-mode runtime rule text to avoid endless workaround loops:
  one safe alternative first, then request switching to direct mode when truly required.

Chat rendering / message UX:
- Prevent injected guidance/notify user-messages from incorrectly triggering assistant work header/timer chain.
- Restore correct visibility after history reload while preserving runtime-source behavior.
- Update user-header icon/label rendering by message source:
  - guidance -> 引导 + navigation icon
  - notify/sub_agent/background_command -> 通知 + bell icon
  - user/presend -> keep normal user header.
- Add new icons: static/icons/navigation.svg, static/icons/bell.svg.

Approval panel UX:
- Convert desktop approval panel from layout-compress sidebar to overlay + blur sheet.
- Fix panel transition behavior (remove unintended vertical motion; use dedicated desktop overlay transition).
- Improve approval result display:
  - decision and reason split lines,
  - green/red status styling,
  - multiline reason rendering,
  - auto-collapse delay adjusted to 3s.

Execution mode TTL feedback:
- When direct mode auto-expires to sandbox, frontend menu state is updated from status snapshot.
- Show non-auto-dismiss warning toast to explicitly notify auto-fallback.

Misc consistency updates:
- Execution mode label text cleanup in composer.
- Runtime notice wording normalization (权限模式修改为..., 执行环境修改为...).

Build/test notes:
- Frontend rebuilt after UI changes.
- Smoke tests passed for server refactor path.
2026-05-12 19:16:38 +08:00
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
b151f8ff71 feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
ed5315eef6 feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
ccb7128867 feat: 实现AGENTS.md自动注入功能和根目录文件创建限制功能 2026-04-12 16:34:57 +08:00
e814e89e32 feat: add conversation-bound permission modes and tool approval flow 2026-04-11 04:07:28 +08:00
90233690ad feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
a04eca3aab fix: unify background run_command notifications with sub-agent flow 2026-04-08 16:13:40 +08:00
3ae5be47d9 feat: add per-skill strict read-before-tool enforcement 2026-04-07 11:50:38 +08:00
96d0e68347 fix: run sub-agent tools inside container 2026-03-14 21:13:27 +08:00
dcba8d9d76 refactor: split terminal and server chat flow modules 2026-03-07 18:38:30 +08:00
c067df4e1b feat: add include_domains search filter and UI display 2026-03-07 17:50:35 +08:00
4be61fe76e feat: unify terminal session controls 2026-03-04 23:49:10 +08:00
dc6d998afb fix: reduce prompt time precision 2026-02-25 17:56:05 +08:00
08bc08b35f feat: update model support and multimodal 2026-02-25 01:41:05 +08:00
89eeb449b5 chore: sync workspace updates 2026-02-23 01:20:41 +08:00
a013abb3c4 fix: improve terminal timeout messaging 2026-02-12 11:55:15 +08:00
7472028997 feat: add skills framework and controls 2026-02-07 00:20:35 +08:00
b0941a247b fix: reduce workspace scans in host mode 2026-02-06 17:09:19 +08:00
55ef45e04d feat: add silent disable option and workspace prompt split 2026-02-03 23:11:15 +08:00
406e777e22 feat: improve compression and context budgeting 2026-01-31 10:30:00 +08:00
9ded11de7a feat: support batch todo updates 2026-01-30 18:50:02 +08:00
bb91d22631 feat: add video send/view flow and guard model constraints 2026-01-30 17:04:33 +08:00
7890926c3d fix: improve cancellation flow and api error tracing 2026-01-30 15:36:44 +08:00
453df30f45 refactor: replace file diff tools, simplify todos, disable typewriter 2026-01-29 14:20:01 +08:00
e5c2943cb2 fix: refine title prompt and sandbox config 2026-01-29 11:54:24 +08:00
6f8c1b36cc feat: add image compression preference for uploads 2026-01-28 11:43:09 +08:00
60d27e9c1c fix: refine host mode controls and kimi-k2.5 support 2026-01-28 11:19:50 +08:00
8a7cc5d9c6 feat: support kimi-k2.5 with multimodal thinking 2026-01-28 10:34:27 +08:00
d0197c38c3 fix: expand workspace file access and paginate convo index 2026-01-25 16:13:32 +08:00
6e0df78fef feat(api): multi-workspace endpoints and container cleanup 2026-01-24 18:29:30 +08:00
9f7b443268 feat: add prompt/personalization selection and conversation APIs 2026-01-24 13:33:50 +08:00
c787df2cef fix: reuse terminal container for command exec 2026-01-20 21:08:39 +08:00
a089cdd853 fix: update prompt timeouts and pip mirror 2026-01-06 16:35:11 +08:00
5c7cdd72c9 feat: add custom tools guide and id validation 2026-01-05 21:46:55 +08:00
99cbea30da feat: polish admin policy UI and tool selection 2026-01-05 13:34:00 +08:00
3540fa8e4b feat: conversation review flow and token fixes 2026-01-05 00:59:35 +08:00
f9b5aa2af9 fix: reset defaults for new conversations 2026-01-03 16:46:33 +08:00
e2ba632ac8 feat: expand model support and qwen-vl ux 2026-01-03 07:01:24 +08:00
7853830624 feat: improve vlm workflow and workspace image serving 2026-01-01 18:56:29 +08:00