agent-Specialization/server
JOJO a93f17010c feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI
This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability.

Core execution/security changes
- Introduce and wire a unified host sandbox runner for multi-OS execution:
  - macOS: sandbox-exec
  - Linux: bubblewrap + seccomp
  - Windows: WSL2 path
- Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution.
- Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup.

Permission mode model upgrade
- Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement:
  - readonly: run_command executes in read-only sandbox profile.
  - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call.
- Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads.
- Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details.

Path authorization system
- Add dynamic host policy module and persisted policy file.
- Support dual path classes:
  - writable_paths (read+write)
  - readable_extra_paths (read-only)
- Enforce file access in file_manager by access type (read vs write) under host mode.
- Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow.

Sub-agent and terminal alignment
- Sub-agent process launch now respects host execution mode and sandbox controls in host mode.
- Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation.

Tool surface updates
- Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility.

Docs updates
- Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md
- Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics.

Validation performed
- python unittest smoke suite passes: test.test_server_refactor_smoke
- frontend build passes: npm run build
- syntax checks for touched Python modules completed
2026-05-11 13:41:30 +08:00
..
__init__.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
admin.py feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
api_auth.py feat: add api admin ui and container status fix 2026-01-25 10:49:52 +08:00
api_v1.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
app_legacy.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
app.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
auth_helpers.py fix: persist onboarding prompt status and bump android app to 1.0.20 2026-04-07 20:08:33 +08:00
auth.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
chat_flow_helpers.py fix: 修复轮询机制下对话标题不自动更新的问题 2026-04-04 15:12:18 +08:00
chat_flow_runner_helpers.py refactor: split terminal and server chat flow modules 2026-03-07 18:38:30 +08:00
chat_flow_runner.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00
chat_flow_runtime.py refactor: further split runner and tools mixins 2026-03-07 20:25:58 +08:00
chat_flow_stream_loop.py fix(stream): prevent tool-call argument leakage into text chunks 2026-04-03 16:09:29 +08:00
chat_flow_task_main.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
chat_flow_task_runner.py refactor: isolate chat task main pipeline module 2026-03-07 20:32:02 +08:00
chat_flow_task_support.py feat: add user turn tool protection to shallow compression 2026-04-12 18:48:08 +08:00
chat_flow_tool_loop.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
chat_flow.py feat: complete conversation versioning UX and restore workflow 2026-04-11 16:16:40 +08:00
chat.py feat(security): unify host sandbox controls across command/python/terminal/sub-agent and add path authorization UI 2026-05-11 13:41:30 +08:00
context.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
conversation_stats.py fix: repair admin monitor auth and add invite CRUD 2026-04-07 18:23:09 +08:00
conversation.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
deep_compression.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
extensions.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
files.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
monitor.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
security.py feat: add api v1 bearer auth and polling docs 2026-01-24 02:35:07 +08:00
socket_handlers.py feat: add json-based extensible model registry and dynamic model UI 2026-04-09 20:56:54 +08:00
state.py feat: add MCP management and host-only runtime policy 2026-04-26 23:49:04 +08:00
status.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
tasks.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
usage.py refactor: split web_server into modular architecture 2026-01-22 09:21:53 +08:00
utils_common.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00