agent-Specialization/prompts
JOJO a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
..
agents_md_inject.txt feat: 添加AGENTS.md自动注入的prompt模板 2026-04-12 16:34:06 +08:00
deep_thinking_mode_guidelines.txt feat: expand model support and qwen-vl ux 2026-01-03 07:01:24 +08:00
execution_mode.txt feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
human_like_style.txt feat: 添加智能体交流风格选项 2026-04-14 01:47:06 +08:00
main_system_qwenvl.txt feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
main_system.txt feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
permission_mode.txt feat: 权限模式支持管道命令并优化prompt注入 2026-04-13 16:23:24 +08:00
personalization.txt fix: refine title prompt and sandbox config 2026-01-29 11:54:24 +08:00
skills_system.txt feat: add read_skill tool and frontend read-skill rendering 2026-04-19 16:57:02 +08:00
sub_agent_guidelines.txt feat: 添加 terminal-guide 和 sub-agent-guide skills 2026-03-16 21:17:02 +08:00
thinking_mode_guidelines.txt feat: expand model support and qwen-vl ux 2026-01-03 07:01:24 +08:00
title_generation_prompt.txt chore: instruct title gen to ignore first user instructions 2026-01-05 01:13:13 +08:00
todo_guidelines.txt fix: update run_command limits and planning guidance 2026-04-14 14:12:11 +08:00
workspace_system.txt feat: add silent disable option and workspace prompt split 2026-02-03 23:11:15 +08:00