Introduce workspace-level goal state persistence, goal prompt injection, and after-turn review handling so an active task can continue until the configured completion conditions are met.
Add a dedicated goal review agent with readonly and active evidence modes, configurable model settings, review prompt, token/turn boundaries, idle-no-tool protection, and progress/completed/stopped events.
Wire goal_mode through task creation, task restoration, compression handoff, runtime user messages, API message sanitization, and tool-call ordering so goal continuations survive long-running tasks and deep compression.
Add Vue UI for arming goal mode from the quick menu, showing running/completed banners, displaying progress metrics, restoring running goal state, and exposing personalization settings for review mode and stop limits.
Include goal mode research notes and default goal review configuration.
This commit consolidates a large set of host-mode security and UX fixes across backend and frontend.
Security / execution model:
- Make permission/execution mode switches apply immediately (no deferred pending-only behavior).
- Keep runtime mode change notices durable and visible via user-message guidance path.
- Add explicit runtime message source taxonomy support and persistence:
user / presend / guidance / notify / sub_agent / background_command.
- Ensure guidance/notify insertion is batched per tool-cycle so mid-run inserts are committed together.
- Separate notify from guidance semantics for mode-change notices.
- Add direct-mode auto-fallback handling visibility on frontend.
Approval and command gating:
- Align run_command approval pre-check logic with docker behavior for approval/auto_approval modes in host execution paths.
- Keep approval retry flow and final-result semantics intact when permission errors trigger approval.
- Externalize forbidden command keyword list into JSON config:
config/forbidden_commands.json.
- Update forbidden command rejection message to user-facing wording:
用户不允许执行包含“... ”的指令.
Prompt/runtime guidance:
- Refine execution-mode runtime rule text to avoid endless workaround loops:
one safe alternative first, then request switching to direct mode when truly required.
Chat rendering / message UX:
- Prevent injected guidance/notify user-messages from incorrectly triggering assistant work header/timer chain.
- Restore correct visibility after history reload while preserving runtime-source behavior.
- Update user-header icon/label rendering by message source:
- guidance -> 引导 + navigation icon
- notify/sub_agent/background_command -> 通知 + bell icon
- user/presend -> keep normal user header.
- Add new icons: static/icons/navigation.svg, static/icons/bell.svg.
Approval panel UX:
- Convert desktop approval panel from layout-compress sidebar to overlay + blur sheet.
- Fix panel transition behavior (remove unintended vertical motion; use dedicated desktop overlay transition).
- Improve approval result display:
- decision and reason split lines,
- green/red status styling,
- multiline reason rendering,
- auto-collapse delay adjusted to 3s.
Execution mode TTL feedback:
- When direct mode auto-expires to sandbox, frontend menu state is updated from status snapshot.
- Show non-auto-dismiss warning toast to explicitly notify auto-fallback.
Misc consistency updates:
- Execution mode label text cleanup in composer.
- Runtime notice wording normalization (权限模式修改为..., 执行环境修改为...).
Build/test notes:
- Frontend rebuilt after UI changes.
- Smoke tests passed for server refactor path.
- Add docker risk markers config (config/docker_risk_markers.json) and load it in tools permission evaluation.
- In docker mode, pre-evaluate run_command/terminal_input: readonly-safe and no-risk -> direct run; otherwise require approval/auto-approval.
- Keep docker write_file/edit_file behavior aligned with agreed policy: approval requires review, auto_approval passes directly.
- Pass risk markers into auto approval payload and include current working directory context for approval agent.
- Fix permission dropdown layout: only use split two-column menu when execution mode section is enabled; remove empty right blank area in docker mode.
- Center mobile approval overlay to prevent sheet overflow on small screens.
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.
Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
- macOS: sandbox-exec
- Linux: bubblewrap + seccomp
- Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.
Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
- readonly: run_command executes in read-only sandbox profile.
- approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.
Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
- writable_paths (read+write)
- readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.
Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.
Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.
Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.
Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
- Add stop flag monitoring loop (checks every 100ms during tool execution)
- Cancel tool task immediately when stop flag is detected
- Return cancellation message to conversation history with role=tool
- Save cancellation result: '命令执行被用户取消'
- Clean up pending tasks to prevent 'Task was destroyed but it is pending' warnings
- Fix terminal_ops.py to properly cancel stdout/stderr read tasks
Known issue: Tool result display in frontend still shows arguments instead of cancellation message when expanded
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove direct task.cancel() calls, use stop flag instead
- Monitor stop flag every 100ms during tool execution
- Cancel tool task immediately when stop flag is detected
- Return "命令执行被用户取消" as tool result with role=tool
- Save cancellation result to conversation history
- Prevent abrupt task termination, allow graceful shutdown
Changes:
- server/socket_handlers.py: Comment out pending_task.cancel()
- server/tasks.py: Comment out entry['task'].cancel()
- server/chat_flow_tool_loop.py: Add stop flag monitoring loop
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>