agent-Specialization/server
JOJO 6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
..
__init__.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
admin.py feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
api_auth.py feat: add api admin ui and container status fix 2026-01-25 10:49:52 +08:00
api_v1.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
app_legacy.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
app.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
auth_helpers.py fix: persist onboarding prompt status and bump android app to 1.0.20 2026-04-07 20:08:33 +08:00
auth.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
chat_flow_helpers.py fix: 修复轮询机制下对话标题不自动更新的问题 2026-04-04 15:12:18 +08:00
chat_flow_runner_helpers.py refactor: split terminal and server chat flow modules 2026-03-07 18:38:30 +08:00
chat_flow_runner.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00
chat_flow_runtime.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00
chat_flow_stream_loop.py fix(stream): prevent tool-call argument leakage into text chunks 2026-04-03 16:09:29 +08:00
chat_flow_task_main.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
chat_flow_task_runner.py refactor: isolate chat task main pipeline module 2026-03-07 20:32:02 +08:00
chat_flow_task_support.py feat: add user turn tool protection to shallow compression 2026-04-12 18:48:08 +08:00
chat_flow_tool_loop.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
chat_flow.py feat: complete conversation versioning UX and restore workflow 2026-04-11 16:16:40 +08:00
chat.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
context.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
conversation_stats.py fix: repair admin monitor auth and add invite CRUD 2026-04-07 18:23:09 +08:00
conversation.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
deep_compression.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
extensions.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
files.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
monitor.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
security.py feat: add api v1 bearer auth and polling docs 2026-01-24 02:35:07 +08:00
socket_handlers.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
state.py feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
status.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
tasks.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
usage.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
utils_common.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00