## 模型逻辑清理 早期把模型 API 端点/密钥/模型 ID 硬编码的残留(AGENT_API_* / THINKING_* / TITLE_* 三件套)已彻底移除。模型配置统一由 config/custom_models.json (经 model_profiles 解析为档案)描述,运行时通过 apply_profile 注入; 没有任何可用模型时按既定行为报错。 - config/api.py: 删 9 个三件套符号,仅保留 DEFAULT_RESPONSE_MAX_TOKENS - utils/api_client.py: client 改为空配置起步,移除三件套 import - server/chat_flow_helpers.py: 删死 import(TITLE_* 符号) ## 部署级配置外置(按"决策权归谁"分类) config/*.json 不再一概锚定源码树: - 程序能力(docker_risk_markers / skill_hints)留源码树,随版本演进 - 部署者自定义(custom_models / host_workspaces / auto_approval / goal_review / forbidden_commands / host_sandbox_policy)外置到 ~/.agents/<mode>/config/ 新增统一解析机制(config/paths.py): - DEPLOY_CONFIG_DIR(默认 ~/.agents/<mode>/config,可用环境变量覆盖) - resolve_deploy_config():只读,回退链 部署目录→源码树.json→源码树.example (开发环境不必先跑 setup 也能用源码树种子) - deploy_config_path():写回用,稳定指向部署目录 6 个加载点改用上述解析;顺带修复 approval_agent / goal_review_agent 的 DEBUG_TRANSCRIPT_DIR 仍指旧源码树 logs/ 的漏迁问题。 ## 安全与运维 - 含密钥/机器特定的 5 个文件停止 git 追踪(git rm --cached,本地保留) 并加入 .gitignore,仓库仅留 .example 种子;forbidden_commands 保留 追踪作默认黑名单 - scripts/setup.py: 模型配置写到部署目录(用与 paths 一致的独立推导, 不 import config 以免过早锁定路径) - scripts/migrate_runtime_data.py: 新增 config/*.json → 部署目录迁移 (备份 + 不覆盖已存在) ## 关联:P1 配置收敛 + P2 首启向导 - config/server.py: Web 端口/监听地址/debug/NODE_BIN/PYTHON_BIN 单一事实源 - 消灭 8091 多处重复定义(state.py 死代码、app_legacy、main.py 各读各的) - 修复 sub_agent_manager 命令数组硬编码 "node" → NODE_BIN(便携包内置 Node 的前提) - scripts/setup.py: 终端首启向导(模式/端口/管理员/密钥/模型) ## 测试 test_config_paths_resolution 更新以反映新行为(host_workspaces 锚定部署 目录、新增 DEPLOY_CONFIG_DIR 用例);全部离线用例通过。 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
85 lines
1.7 KiB
Python
85 lines
1.7 KiB
Python
"""安全与确认策略配置。"""
|
||
|
||
from pathlib import Path
|
||
import json
|
||
|
||
from .paths import resolve_deploy_config
|
||
|
||
|
||
def _load_forbidden_commands() -> list[str]:
|
||
"""从独立 JSON 文件加载命令拦截关键词。
|
||
|
||
属于部署级配置(部署者可调宽松/严苛),优先读 ~/.agents/<mode>/config,
|
||
回退源码树种子。
|
||
"""
|
||
fallback = [
|
||
"rm -rf /",
|
||
"rm -rf ~",
|
||
"format",
|
||
"shutdown",
|
||
"reboot",
|
||
"kill -9",
|
||
"dd if=",
|
||
]
|
||
cfg_path = Path(resolve_deploy_config("forbidden_commands.json"))
|
||
if not cfg_path.exists():
|
||
return fallback
|
||
try:
|
||
payload = json.loads(cfg_path.read_text(encoding="utf-8"))
|
||
except Exception:
|
||
return fallback
|
||
if isinstance(payload, dict):
|
||
raw_items = payload.get("forbidden_commands")
|
||
elif isinstance(payload, list):
|
||
raw_items = payload
|
||
else:
|
||
raw_items = None
|
||
if not isinstance(raw_items, list):
|
||
return fallback
|
||
items: list[str] = []
|
||
for item in raw_items:
|
||
text = str(item or "").strip().lower()
|
||
if text:
|
||
items.append(text)
|
||
return items or fallback
|
||
|
||
|
||
FORBIDDEN_COMMANDS = _load_forbidden_commands()
|
||
|
||
FORBIDDEN_PATHS = [
|
||
"/System",
|
||
"/usr",
|
||
"/bin",
|
||
"/sbin",
|
||
"/etc",
|
||
"/var",
|
||
"/tmp",
|
||
"/Applications",
|
||
"/Library",
|
||
"C:\\Windows",
|
||
"C:\\Program Files",
|
||
"C:\\Program Files (x86)",
|
||
"C:\\ProgramData",
|
||
]
|
||
|
||
FORBIDDEN_ROOT_PATHS = [
|
||
"/",
|
||
"C:\\",
|
||
"~",
|
||
]
|
||
|
||
NEED_CONFIRMATION = [
|
||
"delete_file",
|
||
"delete_folder",
|
||
"clear_file",
|
||
"execute_terminal",
|
||
"batch_delete",
|
||
]
|
||
|
||
__all__ = [
|
||
"FORBIDDEN_COMMANDS",
|
||
"FORBIDDEN_PATHS",
|
||
"FORBIDDEN_ROOT_PATHS",
|
||
"NEED_CONFIRMATION",
|
||
]
|