b7fe5f2b02
2 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| 8d665ad6de |
feat(permission): add auto-approval mode with approval agent, UI flow, and docs sync
Implemented a new permission mode between and , including backend policy, runtime behavior, frontend display, and documentation updates. Backend & policy changes: - Added to permission mode validation and persistence paths. - Updated tool permission evaluation: workspace-local direct pass, out-of-workspace requires approval. - Kept readonly-first flow and added auto-approval decision path when permission denial occurs. - Added approval reason/decider support in tool approval manager. - Improved rejection tool-content format to natural language: '工具调用被拒绝\n原因:...' - Fixed permission-mode sync edge cases on conversation create/load and restart-first-switch behavior. Approval agent subsystem: - Added and . - Added lightweight auto-approval config at (name/url/key/model/extra_params + timeouts). - Added optional transcript debug switch in code and transcript output under logs/approval_agent. - Aligned transcript saving toward cumulative messages format and captured reasoning/content/tool_calls/tool sequence. Frontend changes: - Added option to personalization and permission menus. - Reworked approval panel auto-review display into a dedicated block with simplified lines: start, command, final approve/reject + reason. - Added delayed sidebar auto-close (10s) after approval resolved. - Added stricter permission-switch verification and rollback on mismatch/error. Docs updated: - Synced AGENTS.md, README.md, and docs/host_sandbox_and_permission_model.md with new permission mode, approval-agent behavior, config, and current constraints (including docker caveat). |
|||
| a93f17010c |
feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability. Core execution/security changes - Introduce and wire a unified host sandbox runner for multi-OS execution: - macOS: sandbox-exec - Linux: bubblewrap + seccomp - Windows: WSL2 path - Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution. - Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup. Permission mode model upgrade - Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement: - readonly: run_command executes in read-only sandbox profile. - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call. - Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads. - Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details. Path authorization system - Add dynamic host policy module and persisted policy file. - Support dual path classes: - writable_paths (read+write) - readable_extra_paths (read-only) - Enforce file access in file_manager by access type (read vs write) under host mode. - Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow. Sub-agent and terminal alignment - Sub-agent process launch now respects host execution mode and sandbox controls in host mode. - Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation. Tool surface updates - Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility. Docs updates - Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md - Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics. Validation performed - python unittest smoke suite passes: test.test_server_refactor_smoke - frontend build passes: npm run build - syntax checks for touched Python modules completed |