agent-Specialization/modules
JOJO a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
..
__pycache__ <fix thinking chunk> 2025-11-19 20:47:56 +08:00
admin_policy_manager.py fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
api_user_manager.py feat: add skills framework and controls 2026-02-07 00:20:35 +08:00
background_command_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
balance_client.py fix: stop converting Kimi balance and switch Qwen endpoint to business.aliyuncs.com 2026-01-05 14:22:06 +08:00
container_file_proxy.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
container_monitor.py docs: refresh readme and phase2 summary 2025-11-23 21:24:09 +08:00
custom_tool_executor.py chore: sync pending changes 2026-01-05 21:48:55 +08:00
custom_tool_registry.py feat: add custom tools guide and id validation 2026-01-05 21:46:55 +08:00
easter_egg_manager.py feat: modularize easter egg effects 2025-11-22 13:07:54 +08:00
file_manager.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
gui_file_manager.py chore: initial import 2025-11-14 16:44:12 +08:00
host_sandbox_policy.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
host_sandbox_runner.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
host_workspace_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
mcp_client_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
mcp_server_registry.py fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
memory_manager.py feat: index-based memory tool with append/replace/delete 2025-12-14 17:56:18 +08:00
ocr_client.py feat: update model support and multimodal 2026-02-25 01:41:05 +08:00
persistent_terminal.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
personalization_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
search_engine.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
skill_hint_manager.py chore: add docs and remove sub_agent 2026-03-17 22:46:43 +08:00
skills_manager.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
sub_agent_manager.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
terminal_manager.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
terminal_ops.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
todo_manager.py feat: support batch todo updates 2026-01-30 18:50:02 +08:00
tool_approval_manager.py feat: add conversation-bound permission modes and tool approval flow 2026-04-11 04:07:28 +08:00
toolbox_container.py fix: improve terminal timeouts and clean outputs 2025-12-15 18:13:53 +08:00
upload_security.py feat: add upload quarantine scanning and ui toasts 2025-11-24 14:31:13 +08:00
usage_tracker.py fix: improve api error diagnostics and raise model quotas 2026-03-06 17:02:19 +08:00
user_container_manager.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
user_manager.py fix: persist onboarding prompt status and bump android app to 1.0.20 2026-04-07 20:08:33 +08:00
versioning_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
webpage_extractor.py chore: initial import 2025-11-14 16:44:12 +08:00