This commit consolidates a large set of host-mode security and UX fixes across backend and frontend. Security / execution model: - Make permission/execution mode switches apply immediately (no deferred pending-only behavior). - Keep runtime mode change notices durable and visible via user-message guidance path. - Add explicit runtime message source taxonomy support and persistence: user / presend / guidance / notify / sub_agent / background_command. - Ensure guidance/notify insertion is batched per tool-cycle so mid-run inserts are committed together. - Separate notify from guidance semantics for mode-change notices. - Add direct-mode auto-fallback handling visibility on frontend. Approval and command gating: - Align run_command approval pre-check logic with docker behavior for approval/auto_approval modes in host execution paths. - Keep approval retry flow and final-result semantics intact when permission errors trigger approval. - Externalize forbidden command keyword list into JSON config: config/forbidden_commands.json. - Update forbidden command rejection message to user-facing wording: 用户不允许执行包含“... ”的指令. Prompt/runtime guidance: - Refine execution-mode runtime rule text to avoid endless workaround loops: one safe alternative first, then request switching to direct mode when truly required. Chat rendering / message UX: - Prevent injected guidance/notify user-messages from incorrectly triggering assistant work header/timer chain. - Restore correct visibility after history reload while preserving runtime-source behavior. - Update user-header icon/label rendering by message source: - guidance -> 引导 + navigation icon - notify/sub_agent/background_command -> 通知 + bell icon - user/presend -> keep normal user header. - Add new icons: static/icons/navigation.svg, static/icons/bell.svg. Approval panel UX: - Convert desktop approval panel from layout-compress sidebar to overlay + blur sheet. - Fix panel transition behavior (remove unintended vertical motion; use dedicated desktop overlay transition). - Improve approval result display: - decision and reason split lines, - green/red status styling, - multiline reason rendering, - auto-collapse delay adjusted to 3s. Execution mode TTL feedback: - When direct mode auto-expires to sandbox, frontend menu state is updated from status snapshot. - Show non-auto-dismiss warning toast to explicitly notify auto-fallback. Misc consistency updates: - Execution mode label text cleanup in composer. - Runtime notice wording normalization (权限模式修改为..., 执行环境修改为...). Build/test notes: - Frontend rebuilt after UI changes. - Smoke tests passed for server refactor path.
79 lines
1.6 KiB
Python
79 lines
1.6 KiB
Python
"""安全与确认策略配置。"""
|
|
|
|
from pathlib import Path
|
|
import json
|
|
|
|
|
|
def _load_forbidden_commands() -> list[str]:
|
|
"""从独立 JSON 文件加载命令拦截关键词。"""
|
|
fallback = [
|
|
"rm -rf /",
|
|
"rm -rf ~",
|
|
"format",
|
|
"shutdown",
|
|
"reboot",
|
|
"kill -9",
|
|
"dd if=",
|
|
]
|
|
cfg_path = Path(__file__).resolve().parent / "forbidden_commands.json"
|
|
if not cfg_path.exists():
|
|
return fallback
|
|
try:
|
|
payload = json.loads(cfg_path.read_text(encoding="utf-8"))
|
|
except Exception:
|
|
return fallback
|
|
if isinstance(payload, dict):
|
|
raw_items = payload.get("forbidden_commands")
|
|
elif isinstance(payload, list):
|
|
raw_items = payload
|
|
else:
|
|
raw_items = None
|
|
if not isinstance(raw_items, list):
|
|
return fallback
|
|
items: list[str] = []
|
|
for item in raw_items:
|
|
text = str(item or "").strip().lower()
|
|
if text:
|
|
items.append(text)
|
|
return items or fallback
|
|
|
|
|
|
FORBIDDEN_COMMANDS = _load_forbidden_commands()
|
|
|
|
FORBIDDEN_PATHS = [
|
|
"/System",
|
|
"/usr",
|
|
"/bin",
|
|
"/sbin",
|
|
"/etc",
|
|
"/var",
|
|
"/tmp",
|
|
"/Applications",
|
|
"/Library",
|
|
"C:\\Windows",
|
|
"C:\\Program Files",
|
|
"C:\\Program Files (x86)",
|
|
"C:\\ProgramData",
|
|
]
|
|
|
|
FORBIDDEN_ROOT_PATHS = [
|
|
"/",
|
|
"C:\\",
|
|
"~",
|
|
]
|
|
|
|
NEED_CONFIRMATION = [
|
|
"delete_file",
|
|
"delete_folder",
|
|
"clear_file",
|
|
"execute_terminal",
|
|
"batch_delete",
|
|
]
|
|
|
|
__all__ = [
|
|
"FORBIDDEN_COMMANDS",
|
|
"FORBIDDEN_PATHS",
|
|
"FORBIDDEN_ROOT_PATHS",
|
|
"NEED_CONFIRMATION",
|
|
]
|