Commit Graph

18 Commits

Author SHA1 Message Date
78544cb205 refactor: remove run_python tool, consolidate all execution to run_command 2026-06-07 16:23:01 +08:00
6d5630c820 feat(file-edit): support batched replacements 2026-05-31 13:15:37 +08:00
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
ccb7128867 feat: 实现AGENTS.md自动注入功能和根目录文件创建限制功能 2026-04-12 16:34:57 +08:00
12c7a4bdd9 fix: remove legacy file edit tags 2026-03-17 22:43:51 +08:00
89eeb449b5 chore: sync workspace updates 2026-02-23 01:20:41 +08:00
b0941a247b fix: reduce workspace scans in host mode 2026-02-06 17:09:19 +08:00
453df30f45 refactor: replace file diff tools, simplify todos, disable typewriter 2026-01-29 14:20:01 +08:00
61b6b2d492 chore: clarify /workspace path error message 2026-01-01 17:16:39 +08:00
385c8154ea chore: pause container polling when tab hidden 2025-12-16 22:27:19 +08:00
c96e99cd13 fix(ui): load folder contents in monitor and improve messages 2025-12-15 22:34:25 +08:00
51bb0f1033 fix: improve write_file_diff diagnostics 2025-12-01 23:44:56 +08:00
2847ade631 chore: log project size errors 2025-11-30 13:09:36 +08:00
7348eab83a docs: refresh readme and phase2 summary 2025-11-23 21:24:09 +08:00
b81d6760bd feat: containerize terminals and add resource controls 2025-11-23 18:49:35 +08:00
dacc68f46a feat: enhance read tool and config structure 2025-11-14 18:33:55 +08:00
fea932425a chore: initial import 2025-11-14 16:44:12 +08:00