Commit Graph

77 Commits

Author SHA1 Message Date
a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
8395cf8b4b fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
b151f8ff71 feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
ed5315eef6 feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
ccb7128867 feat: 实现AGENTS.md自动注入功能和根目录文件创建限制功能 2026-04-12 16:34:57 +08:00
e814e89e32 feat: add conversation-bound permission modes and tool approval flow 2026-04-11 04:07:28 +08:00
90233690ad feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
a04eca3aab fix: unify background run_command notifications with sub-agent flow 2026-04-08 16:13:40 +08:00
3ae5be47d9 feat: add per-skill strict read-before-tool enforcement 2026-04-07 11:50:38 +08:00
96d0e68347 fix: run sub-agent tools inside container 2026-03-14 21:13:27 +08:00
dcba8d9d76 refactor: split terminal and server chat flow modules 2026-03-07 18:38:30 +08:00
c067df4e1b feat: add include_domains search filter and UI display 2026-03-07 17:50:35 +08:00
4be61fe76e feat: unify terminal session controls 2026-03-04 23:49:10 +08:00
dc6d998afb fix: reduce prompt time precision 2026-02-25 17:56:05 +08:00
08bc08b35f feat: update model support and multimodal 2026-02-25 01:41:05 +08:00
89eeb449b5 chore: sync workspace updates 2026-02-23 01:20:41 +08:00
a013abb3c4 fix: improve terminal timeout messaging 2026-02-12 11:55:15 +08:00
7472028997 feat: add skills framework and controls 2026-02-07 00:20:35 +08:00
b0941a247b fix: reduce workspace scans in host mode 2026-02-06 17:09:19 +08:00
55ef45e04d feat: add silent disable option and workspace prompt split 2026-02-03 23:11:15 +08:00
406e777e22 feat: improve compression and context budgeting 2026-01-31 10:30:00 +08:00
9ded11de7a feat: support batch todo updates 2026-01-30 18:50:02 +08:00
bb91d22631 feat: add video send/view flow and guard model constraints 2026-01-30 17:04:33 +08:00
7890926c3d fix: improve cancellation flow and api error tracing 2026-01-30 15:36:44 +08:00
453df30f45 refactor: replace file diff tools, simplify todos, disable typewriter 2026-01-29 14:20:01 +08:00
e5c2943cb2 fix: refine title prompt and sandbox config 2026-01-29 11:54:24 +08:00
6f8c1b36cc feat: add image compression preference for uploads 2026-01-28 11:43:09 +08:00
60d27e9c1c fix: refine host mode controls and kimi-k2.5 support 2026-01-28 11:19:50 +08:00
8a7cc5d9c6 feat: support kimi-k2.5 with multimodal thinking 2026-01-28 10:34:27 +08:00
d0197c38c3 fix: expand workspace file access and paginate convo index 2026-01-25 16:13:32 +08:00
6e0df78fef feat(api): multi-workspace endpoints and container cleanup 2026-01-24 18:29:30 +08:00
9f7b443268 feat: add prompt/personalization selection and conversation APIs 2026-01-24 13:33:50 +08:00
c787df2cef fix: reuse terminal container for command exec 2026-01-20 21:08:39 +08:00
a089cdd853 fix: update prompt timeouts and pip mirror 2026-01-06 16:35:11 +08:00
5c7cdd72c9 feat: add custom tools guide and id validation 2026-01-05 21:46:55 +08:00
99cbea30da feat: polish admin policy UI and tool selection 2026-01-05 13:34:00 +08:00
3540fa8e4b feat: conversation review flow and token fixes 2026-01-05 00:59:35 +08:00
f9b5aa2af9 fix: reset defaults for new conversations 2026-01-03 16:46:33 +08:00
e2ba632ac8 feat: expand model support and qwen-vl ux 2026-01-03 07:01:24 +08:00
7853830624 feat: improve vlm workflow and workspace image serving 2026-01-01 18:56:29 +08:00
2a67e10e9b feat: add tool intent toggle 2026-01-01 06:20:41 +08:00
da3ea7426c refactor: simplify tool outputs 2025-12-16 22:16:16 +08:00
4617e00693 fix: improve terminal timeouts and clean outputs 2025-12-15 18:13:53 +08:00
8fe06753bb fix: stabilize terminal tool timeouts 2025-12-15 15:15:03 +08:00
ca8f65fe35 feat: index-based memory tool with append/replace/delete 2025-12-14 17:56:18 +08:00
053db95fee feat: virtual monitor 2025-12-14 04:22:00 +08:00
eb7ccf1dd2 feat: restore run mode personalization 2025-12-02 19:03:33 +08:00
8cc3a24abf fix: compact tool outputs and file tree context 2025-12-02 09:33:03 +08:00
51bb0f1033 fix: improve write_file_diff diagnostics 2025-12-01 23:44:56 +08:00