AskaEth/Cyrene
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat: Phase 6.2 宿主机安全操控 — 沙箱执行 + 文件系统隔离 + 进程管理

Browse Source 
- host.Sandbox: 命令白名单 + 目录限制 + 超时控制 + 环境变量过滤
- host.Manager: 文件读写列表 + 系统信息查询 + 路径验证
- 3个新工具: host_exec (沙箱命令执行), host_file (文件操作), host_system (系统信息)
- 后台思考器自主工具策略已更新,允许安全使用主机工具
- host_exec 标记为高风险工具,受频率限制

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
AskaEth
2026-05-23 22:23:45 +08:00
parent 313f41633a
commit 38b36fc5ad
5 changed files with 662 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/ai-core/cmd/main.go
+15 -1
View File
@@ -17,6 +17,7 @@ import (
"github.com/yourname/cyrene-ai/ai-core/internal/background"
aiConfig "github.com/yourname/cyrene-ai/ai-core/internal/config"
ctxbuild "github.com/yourname/cyrene-ai/ai-core/internal/context"
"github.com/yourname/cyrene-ai/ai-core/internal/host"
"github.com/yourname/cyrene-ai/ai-core/internal/llm"
"github.com/yourname/cyrene-ai/ai-core/internal/memory"
"github.com/yourname/cyrene-ai/ai-core/internal/model"
@@ -122,6 +123,13 @@ func main() {
log.Println("IoT 客户端未配置 (IOT_SERVICE_URL 和 IOT_DEBUG_SERVICE_URL 均为空)")
}
// 初始化主机操控管理器 (Phase 6.2: 沙箱执行 + 文件系统隔离)
hostSandbox := host.NewSandbox(host.DefaultSandboxConfig())
hostManager := host.NewManager(hostSandbox)
dataDir := getEnv("DATA_DIR", "/tmp/cyrene_data")
hostManager.SetAllowedDirs([]string{dataDir, os.TempDir(), "."})
log.Printf("主机操控管理器已就绪: 沙箱执行 + 文件隔离 (数据目录=%s)", dataDir)
// 初始化工具注册中心
toolRegistry := tools.NewRegistry()
if getEnvBool("ENABLE_TOOLS", true) {
@@ -137,13 +145,19 @@ func main() {
toolRegistry.Register(tools.NewMarkdownTool())
// File tool uses DATA_DIR or defaults to /tmp/cyrene_data
dataDir := getEnv("DATA_DIR", "/tmp/cyrene_data")
toolRegistry.Register(tools.NewFileTool(dataDir))
if iotClient != nil {
toolRegistry.Register(tools.NewIoTQueryTool(iotClient))
toolRegistry.Register(tools.NewIoTControlTool(iotClient))
}
// Phase 6.2: 主机操控工具
if hostManager != nil {
toolRegistry.Register(tools.NewHostExecTool(hostManager))
toolRegistry.Register(tools.NewHostFileTool(hostManager))
toolRegistry.Register(tools.NewHostSystemTool(hostManager))
}
log.Printf("工具注册中心已就绪: %d 个工具 (%v)", len(toolRegistry.ListTools()), toolRegistry.ListTools())
}