agent-Specialization/core/main_terminal_parts
JOJO a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
..
__init__.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00
commands.py fix: persist media via store and preserve MCP content 2026-04-27 12:21:45 +08:00
context.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
tools_definition.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
tools_execution.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
tools_policy.py fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
tools_read.py feat: add read_skill tool and frontend read-skill rendering 2026-04-19 16:57:02 +08:00
tools.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00