Commit Graph

433 Commits

Author SHA1 Message Date
8d665ad6de feat(permission): add auto-approval mode with approval agent, UI flow, and docs sync
Implemented a new permission mode  between  and , including backend policy, runtime behavior, frontend display, and documentation updates.

Backend & policy changes:

- Added  to permission mode validation and persistence paths.

- Updated tool permission evaluation: workspace-local  direct pass, out-of-workspace requires approval.

- Kept  readonly-first flow and added auto-approval decision path when permission denial occurs.

- Added approval reason/decider support in tool approval manager.

- Improved rejection tool-content format to natural language: '工具调用被拒绝\n原因:...'

- Fixed permission-mode sync edge cases on conversation create/load and restart-first-switch behavior.

Approval agent subsystem:

- Added  and .

- Added lightweight auto-approval config at  (name/url/key/model/extra_params + timeouts).

- Added optional transcript debug switch in code and transcript output under logs/approval_agent.

- Aligned transcript saving toward cumulative messages format and captured reasoning/content/tool_calls/tool sequence.

Frontend changes:

- Added  option to personalization and permission menus.

- Reworked approval panel auto-review display into a dedicated block with simplified lines: start, command, final approve/reject + reason.

- Added delayed sidebar auto-close (10s) after approval resolved.

- Added stricter permission-switch verification and rollback on mismatch/error.

Docs updated:

- Synced AGENTS.md, README.md, and docs/host_sandbox_and_permission_model.md with new permission mode, approval-agent behavior, config, and current constraints (including docker caveat).
2026-05-11 17:55:27 +08:00
02d10ec7bb merge: integrate codex/mcp-workspace-path-fix (already superseded in main) 2026-05-11 13:49:37 +08:00
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
71a2b4014e fix(config): restore custom_models.json 2026-05-09 19:34:31 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
b4f2c8f143 fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 17:17:58 +08:00
209dbf5532 fix(runtime-queue): stabilize manual send and composer growth 2026-05-07 12:04:50 +08:00
aa3b9bbfe3 feat(draft): 输入草稿后端持久化并按作用域恢复 2026-05-06 19:19:27 +08:00
91739840ee fix(composer): 断连时禁止发送并消除输入扩展迟滞 2026-05-06 19:19:08 +08:00
d036ef5ccd feat(versioning): 支持仅管理对话并兼容 docker 2026-05-06 19:18:30 +08:00
987dc822b2 feat(task): harden polling flow with diagnostics 2026-05-06 16:54:20 +08:00
66931c5caa feat(runtime): add stale-task recovery and manual stop actions 2026-05-06 16:54:04 +08:00
a86781e126 feat(tools): tighten edit_file replace rules and feedback 2026-05-06 16:53:50 +08:00
e58a962dcd chore(config): untrack local custom model secrets 2026-05-06 16:53:32 +08:00
4e7da0de23 fix(connection): use lightweight heartbeat with single-flight and fail threshold 2026-05-05 15:24:26 +08:00
971f29b059 chore(debug): add connection heartbeat diagnostics 2026-05-05 14:05:50 +08:00
8de6275912 fix(file): handle empty text segment reads 2026-05-05 13:51:52 +08:00
f198c0c63e fix(host-workspace): make config writes atomic and lock-protected 2026-05-03 15:46:34 +08:00
6aba89ae9b feat(edit-file): add replace_all for precise or global replacement 2026-05-03 15:46:16 +08:00
13689e80c2 fix(paths): stabilize workspace and MCP cwd resolution 2026-05-03 15:28:36 +08:00
d406244604 fix(style): 修复空白页欢迎文字居中与换行适配 2026-04-28 17:57:16 +08:00
8814f963f5 fix(ux): 用户发送后即时显示 assistant 头部和等待提示 2026-04-28 17:56:52 +08:00
9a5a116fd6 feat(ui): 新增欢迎文字和等待提示文案 2026-04-28 17:56:14 +08:00
b151f8ff71 feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
cfffc8e4ef docs(agents): simplify git workflow — remove PR and review 2026-04-27 23:58:59 +08:00
54e8c8c0fb docs(agents): add CLI troubleshooting and fix cleanup commands (#2) 2026-04-27 23:48:50 +08:00
2799608051 docs(agents): add comprehensive git workflow and review spec 2026-04-27 23:31:14 +08:00
ecca5da8ab fix: harden multimodal handling and sanitize mcp action results 2026-04-27 20:11:21 +08:00
dcf5de5d03 fix: strip multimodal parts for text-only models 2026-04-27 17:12:51 +08:00
bb6bfff176 fix(ui): stabilize tool header icons and mcp completion label 2026-04-27 15:51:52 +08:00
9d8beacc8d fix: align thinking and tool status text in blocks 2026-04-27 15:35:10 +08:00
83e037c526 fix: keep intent out of mcp tool arguments 2026-04-27 14:53:39 +08:00
de15fbe970 fix: reload mcp registry before tool discovery 2026-04-27 14:37:18 +08:00
afd75b4ca9 fix: avoid fake MCP completion text for empty results 2026-04-27 13:17:22 +08:00
9dfb1567d2 fix: render user media previews from media store refs 2026-04-27 12:57:13 +08:00
727cafc370 fix: persist media via store and preserve MCP content 2026-04-27 12:21:45 +08:00
dd334549c7 fix: improve MCP compatibility with persistent sessions and server callbacks 2026-04-27 11:34:58 +08:00
e3e2d22dc4 fix(chat): restore collapse max height in block mode 2026-04-27 01:42:52 +08:00
3c1773dc01 fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
2c75bb01a0 feat(ui): cap tool toggle menu to five items with hidden scrollbar 2026-04-27 01:42:32 +08:00
3cd8bdabef feat(ui): add refresh button for showhtml cards 2026-04-27 01:42:24 +08:00
591a5e64cc fix: 修复聊天区滚动锁定与手动上滚脱锁 2026-04-27 00:13:38 +08:00
ed5315eef6 feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
e758df767f fix: prevent show_html cards from disappearing during streaming 2026-04-26 18:38:13 +08:00
9199f5ca7c fix: unify show cards rendering and prompt constraints 2026-04-26 18:13:24 +08:00
24c702c0af fix(show_html): add js mode with sandbox iframe rendering 2026-04-26 17:13:08 +08:00
ac788daa03 fix(show_html): freeze completed card during streaming 2026-04-26 16:52:22 +08:00
383e68188c fix: stabilize show_html rendering and restore conversation mode state 2026-04-26 01:04:23 +08:00
33d270ff63 fix: stabilize show_html streaming rendering and recovery 2026-04-25 23:17:07 +08:00