feat: Phase 6.2 宿主机安全操控 — 沙箱执行 + 文件系统隔离 + 进程管理

- host.Sandbox: 命令白名单 + 目录限制 + 超时控制 + 环境变量过滤
- host.Manager: 文件读写列表 + 系统信息查询 + 路径验证
- 3个新工具: host_exec (沙箱命令执行), host_file (文件操作), host_system (系统信息)
- 后台思考器自主工具策略已更新，允许安全使用主机工具
- host_exec 标记为高风险工具，受频率限制

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/ai-core/internal/host/manager.go

@@ -0,0 +1,208 @@
+package host
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+)
+
+// Manager provides controlled access to the host machine.
+// It wraps a Sandbox for command execution and adds file system
+// operations with path allow-list enforcement.
+type Manager struct {
+	sandbox    *Sandbox
+	allowedDirs []string
+}
+
+// NewManager creates a new host Manager.
+func NewManager(sandbox *Sandbox) *Manager {
+	m := &Manager{sandbox: sandbox}
+	if sandbox != nil {
+		m.allowedDirs = sandbox.cfg.AllowedDirs
+	}
+	return m
+}
+
+// SetAllowedDirs updates the list of directories accessible for file operations.
+func (m *Manager) SetAllowedDirs(dirs []string) {
+	m.allowedDirs = dirs
+	m.sandbox.cfg.AllowedDirs = dirs
+}
+
+// Exec runs a command in the sandbox.
+func (m *Manager) Exec(ctx context.Context, command, workDir string, timeout time.Duration) (*ExecResult, error) {
+	return m.sandbox.Exec(ctx, command, workDir, timeout)
+}
+
+// ReadFile reads the contents of a file within allowed directories.
+func (m *Manager) ReadFile(path string, maxBytes int) (string, error) {
+	if maxBytes <= 0 {
+		maxBytes = 1024 * 1024
+	}
+	if err := m.validatePath(path); err != nil {
+		return "", err
+	}
+	info, err := os.Stat(path)
+	if err != nil {
+		return "", fmt.Errorf("cannot stat file: %w", err)
+	}
+	if info.IsDir() {
+		return "", fmt.Errorf("path is a directory: %s", path)
+	}
+	if info.Size() > int64(maxBytes) {
+		return "", fmt.Errorf("file too large: %d bytes (max %d)", info.Size(), maxBytes)
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return "", fmt.Errorf("cannot read file: %w", err)
+	}
+	if len(data) > maxBytes {
+		data = data[:maxBytes]
+	}
+	return string(data), nil
+}
+
+// WriteFile writes data to a file within allowed directories.
+func (m *Manager) WriteFile(path, content string, maxBytes int) error {
+	if maxBytes <= 0 {
+		maxBytes = 1024 * 1024
+	}
+	if len(content) > maxBytes {
+		return fmt.Errorf("content too large: %d bytes (max %d)", len(content), maxBytes)
+	}
+	if err := m.validatePath(path); err != nil {
+		return err
+	}
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("cannot create directory: %w", err)
+	}
+	return os.WriteFile(path, []byte(content), 0644)
+}
+
+// ListDir lists directory contents within allowed directories.
+func (m *Manager) ListDir(path string) ([]DirEntry, error) {
+	if err := m.validatePath(path); err != nil {
+		return nil, err
+	}
+	entries, err := os.ReadDir(path)
+	if err != nil {
+		return nil, fmt.Errorf("cannot read directory: %w", err)
+	}
+	result := make([]DirEntry, 0, len(entries))
+	for _, e := range entries {
+		info, _ := e.Info()
+		size := int64(0)
+		modTime := time.Time{}
+		if info != nil {
+			size = info.Size()
+			modTime = info.ModTime()
+		}
+		result = append(result, DirEntry{
+			Name:    e.Name(),
+			IsDir:   e.IsDir(),
+			Size:    size,
+			ModTime: modTime.Format(time.RFC3339),
+		})
+	}
+	return result, nil
+}
+
+// DirEntry represents a filesystem directory entry.
+type DirEntry struct {
+	Name    string `json:"name"`
+	IsDir   bool   `json:"is_dir"`
+	Size    int64  `json:"size"`
+	ModTime string `json:"mod_time"`
+}
+
+// SystemInfo returns basic system information.
+func (m *Manager) SystemInfo() map[string]interface{} {
+	hostname, _ := os.Hostname()
+	wd, _ := os.Getwd()
+
+	info := map[string]interface{}{
+		"hostname":    hostname,
+		"os":          runtime.GOOS,
+		"arch":        runtime.GOARCH,
+		"num_cpu":     runtime.NumCPU(),
+		"go_version":  runtime.Version(),
+		"work_dir":    wd,
+	}
+
+	if runtime.GOOS == "windows" {
+		cmd := exec.Command("systeminfo")
+		out, err := cmd.Output()
+		if err == nil {
+			lines := strings.Split(string(out), "\n")
+			for _, line := range lines {
+				line = strings.TrimSpace(line)
+				if strings.Contains(line, "Total Physical Memory") {
+					parts := strings.SplitN(line, ":", 2)
+					if len(parts) == 2 {
+						info["total_memory"] = strings.TrimSpace(parts[1])
+					}
+				}
+				if strings.Contains(line, "OS Name") {
+					parts := strings.SplitN(line, ":", 2)
+					if len(parts) == 2 {
+						info["os_name"] = strings.TrimSpace(parts[1])
+					}
+				}
+			}
+		}
+	} else {
+		if data, err := os.ReadFile("/proc/meminfo"); err == nil {
+			for _, line := range strings.Split(string(data), "\n") {
+				if strings.HasPrefix(line, "MemTotal:") {
+					info["total_memory"] = strings.TrimSpace(strings.TrimPrefix(line, "MemTotal:"))
+					break
+				}
+			}
+		}
+	}
+	return info
+}
+
+// DiskUsage returns disk usage for the given path.
+func (m *Manager) DiskUsage(path string) (map[string]interface{}, error) {
+	if err := m.validatePath(path); err != nil {
+		return nil, err
+	}
+	info, err := os.Stat(path)
+	if err != nil {
+		return nil, fmt.Errorf("cannot stat path: %w", err)
+	}
+	result := map[string]interface{}{
+		"path":     path,
+		"is_dir":   info.IsDir(),
+		"size":     info.Size(),
+		"mod_time": info.ModTime().Format(time.RFC3339),
+	}
+	return result, nil
+}
+
+func (m *Manager) validatePath(path string) error {
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return fmt.Errorf("cannot resolve path: %w", err)
+	}
+	if len(m.allowedDirs) == 0 {
+		return nil
+	}
+	for _, allowed := range m.allowedDirs {
+		absAllowed, err := filepath.Abs(allowed)
+		if err != nil {
+			continue
+		}
+		if strings.HasPrefix(absPath, absAllowed+string(os.PathSeparator)) || absPath == absAllowed {
+			return nil
+		}
+	}
+	return fmt.Errorf("path not in allowed directories: %s", path)
+}

backend/ai-core/internal/host/sandbox.go

@@ -0,0 +1,219 @@
+package host
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+// SandboxConfig configures the sandbox execution environment.
+type SandboxConfig struct {
+	AllowedCommands []string
+	AllowedDirs     []string
+	MaxOutputBytes  int
+	DefaultTimeout  time.Duration
+	MaxTimeout      time.Duration
+}
+
+// DefaultSandboxConfig returns a safe default configuration.
+func DefaultSandboxConfig() SandboxConfig {
+	return SandboxConfig{
+		AllowedCommands: []string{
+			"echo", "cat", "ls", "dir", "pwd", "date", "time",
+			"wc", "head", "tail", "sort", "uniq", "grep", "find",
+			"python", "python3", "node", "go", "rustc", "cargo",
+			"git", "curl", "wget", "ping", "nslookup", "tracert",
+			"dotnet", "java", "javac", "gcc", "g++", "make", "cmake",
+			"npm", "npx", "yarn", "pnpm", "pip", "pip3",
+			"docker", "kubectl", "helm",
+			"ffmpeg", "ffprobe", "imagemagick", "convert",
+			"systeminfo", "tasklist", "taskkill", "netstat",
+		},
+		MaxOutputBytes: 512 * 1024,
+		DefaultTimeout: 30 * time.Second,
+		MaxTimeout:     300 * time.Second,
+	}
+}
+
+// Sandbox provides a safe execution environment for host commands.
+type Sandbox struct {
+	cfg SandboxConfig
+}
+
+// NewSandbox creates a new sandbox.
+func NewSandbox(cfg SandboxConfig) *Sandbox {
+	return &Sandbox{cfg: cfg}
+}
+
+// ExecResult holds the result of a sandboxed command execution.
+type ExecResult struct {
+	Stdout   string `json:"stdout"`
+	Stderr   string `json:"stderr"`
+	ExitCode int    `json:"exit_code"`
+	Duration string `json:"duration"`
+	TimedOut bool   `json:"timed_out"`
+}
+
+// Exec runs a command inside the sandbox. The command string is parsed into
+// the executable name and arguments. Returns the combined output.
+func (s *Sandbox) Exec(ctx context.Context, command string, workDir string, timeout time.Duration) (*ExecResult, error) {
+	if command == "" {
+		return nil, fmt.Errorf("empty command")
+	}
+
+	parts := strings.Fields(command)
+	if len(parts) == 0 {
+		return nil, fmt.Errorf("empty command")
+	}
+
+	cmdName := parts[0]
+	var args []string
+	if len(parts) > 1 {
+		args = parts[1:]
+	}
+
+	if !s.isCommandAllowed(cmdName) {
+		return nil, fmt.Errorf("command not allowed: %s", cmdName)
+	}
+
+	if workDir == "" {
+		workDir = s.defaultWorkDir()
+	}
+	if err := s.validateWorkDir(workDir); err != nil {
+		return nil, err
+	}
+
+	if timeout <= 0 {
+		timeout = s.cfg.DefaultTimeout
+	}
+	if timeout > s.cfg.MaxTimeout {
+		timeout = s.cfg.MaxTimeout
+	}
+
+	execCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	cmd := exec.CommandContext(execCtx, cmdName, args...)
+	cmd.Dir = workDir
+	cmd.Env = s.filteredEnv()
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	start := time.Now()
+	err := cmd.Run()
+	elapsed := time.Since(start)
+
+	result := &ExecResult{
+		Duration: elapsed.Round(time.Millisecond).String(),
+	}
+
+	if stdout.Len() > s.cfg.MaxOutputBytes {
+		result.Stdout = stdout.String()[:s.cfg.MaxOutputBytes] + "\n... [output truncated]"
+	} else {
+		result.Stdout = stdout.String()
+	}
+	if stderr.Len() > s.cfg.MaxOutputBytes {
+		result.Stderr = stderr.String()[:s.cfg.MaxOutputBytes] + "\n... [output truncated]"
+	} else {
+		result.Stderr = stderr.String()
+	}
+
+	if execCtx.Err() == context.DeadlineExceeded {
+		result.TimedOut = true
+		result.ExitCode = -1
+		return result, fmt.Errorf("command timed out after %s", timeout)
+	}
+
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			result.ExitCode = exitErr.ExitCode()
+		} else {
+			result.ExitCode = -1
+		}
+	} else {
+		result.ExitCode = 0
+	}
+
+	return result, err
+}
+
+func (s *Sandbox) isCommandAllowed(cmd string) bool {
+	if len(s.cfg.AllowedCommands) == 0 {
+		return true
+	}
+	base := filepath.Base(cmd)
+	base = strings.TrimSuffix(base, ".exe")
+	for _, allowed := range s.cfg.AllowedCommands {
+		if strings.EqualFold(base, allowed) {
+			return true
+		}
+	}
+	return false
+}
+
+func (s *Sandbox) validateWorkDir(dir string) error {
+	info, err := os.Stat(dir)
+	if err != nil {
+		return fmt.Errorf("work directory not accessible: %s: %w", dir, err)
+	}
+	if !info.IsDir() {
+		return fmt.Errorf("not a directory: %s", dir)
+	}
+
+	if len(s.cfg.AllowedDirs) == 0 {
+		return nil
+	}
+
+	absDir, err := filepath.Abs(dir)
+	if err != nil {
+		return fmt.Errorf("cannot resolve path: %w", err)
+	}
+
+	for _, allowed := range s.cfg.AllowedDirs {
+		absAllowed, err := filepath.Abs(allowed)
+		if err != nil {
+			continue
+		}
+		if strings.HasPrefix(absDir, absAllowed) {
+			return nil
+		}
+	}
+	return fmt.Errorf("directory not in allowed list: %s", dir)
+}
+
+func (s *Sandbox) defaultWorkDir() string {
+	if len(s.cfg.AllowedDirs) > 0 {
+		return s.cfg.AllowedDirs[0]
+	}
+	wd, _ := os.Getwd()
+	return wd
+}
+
+func (s *Sandbox) filteredEnv() []string {
+	allowed := map[string]bool{
+		"PATH": true, "HOME": true, "USER": true, "USERNAME": true,
+		"TMP": true, "TEMP": true, "TMPDIR": true,
+		"LANG": true, "LC_ALL": true, "SHELL": true,
+		"SYSTEMROOT": true, "WINDIR": true, "ProgramFiles": true,
+		"GOPATH": true, "GOROOT": true, "GOPROXY": true,
+		"NODE_PATH": true, "PYTHONPATH": true,
+		"JAVA_HOME": true, "DOTNET_ROOT": true,
+		"CARGO_HOME": true, "RUSTUP_HOME": true,
+	}
+	var filtered []string
+	for _, e := range os.Environ() {
+		kv := strings.SplitN(e, "=", 2)
+		if len(kv) == 2 && allowed[kv[0]] {
+			filtered = append(filtered, e)
+		}
+	}
+	filtered = append(filtered, "CYRENE_SANDBOX=1")
+	return filtered
+}