Finish Phase 2 of the config refactor: production code no longer calls AppConfig.current() anywhere. AppConfig now flows as an explicit parameter down every consumer lane. Call-site migrations -------------------- - Memory subsystem (queue/updater/storage): MemoryConfig captured at enqueue time so the Timer closure survives the ContextVar boundary. - Sandbox layer: tools.py, security.py, sandbox_provider.py, local_sandbox_provider, aio_sandbox_provider all take app_config explicitly. Module-level caching in tools.py's path helpers is removed — pure parameter flow. - Skills layer: manager.py + loader.py + lead_agent.prompt cache refresh all thread app_config; cache worker closes over it. - Community tools (tavily, jina, firecrawl, exa, ddg, image_search, infoquest, aio_sandbox): read runtime.context.app_config. - Subagents registry: get_subagent_config / list_subagents / get_available_subagent_names require app_config. - Runtime worker: requires RunContext.app_config; no fallback. - Gateway routers (uploads, skills): add Depends(get_config). - Channels feishu: uses AppConfig.from_file() (pure) at its sync boundary. - LangGraph Server bootstrap (make_lead_agent): falls back to AppConfig.from_file() — pure load, not ambient lookup. Context resolution ------------------ - resolve_context(runtime) now raises on non-DeerFlowContext runtime.context. Every entry point attaches typed context; dict/None shapes are rejected loudly instead of being papered over with an ambient AppConfig lookup. AppConfig lifecycle ------------------- - AppConfig.current() kept as a deprecated slot that raises RuntimeError, purely so legacy tests that still run `patch.object(AppConfig, "current")` don't trip AttributeError at teardown. Production never calls it. - conftest autouse fixture no longer monkey-patches `current` — it only stubs `from_file()` so tests don't need a real config.yaml. 
Design refs ----------- - docs/plans/2026-04-12-config-refactor-plan.md (Phase 2: P2-6..P2-10) - docs/plans/2026-04-12-config-refactor-design.md §8 All 2338 non-e2e tests pass. Zero AppConfig.current() call sites remain in backend/packages or backend/app (docstrings in deps.py excepted).
"""Security helpers for sandbox capability gating."""
from deerflow.config.app_config import AppConfig
# Exact ``sandbox.use`` values recognised as the host-local sandbox provider.
# NOTE(review): matching is on the configured import-path string only; keep
# this list in step with every path under which the local provider can be
# configured.
_LOCAL_SANDBOX_PROVIDER_MARKERS = (
    "deerflow.sandbox.local:LocalSandboxProvider",
    "deerflow.sandbox.local.local_sandbox_provider:LocalSandboxProvider",
)

# Refusal text for host bash execution under the local provider. It names the
# two ways out: an isolated provider, or the explicit opt-in flag.
LOCAL_HOST_BASH_DISABLED_MESSAGE = (
    "Host bash execution is disabled for LocalSandboxProvider "
    "because it is not a secure sandbox boundary. "
    "Switch to AioSandboxProvider for isolated bash access, "
    "or set sandbox.allow_host_bash: true only in a fully trusted local environment."
)

# Refusal text for the bash subagent under the local provider; same remedies
# as the host-bash message above.
LOCAL_BASH_SUBAGENT_DISABLED_MESSAGE = (
    "Bash subagent is disabled for LocalSandboxProvider "
    "because host bash execution is not a secure sandbox boundary. "
    "Switch to AioSandboxProvider for isolated bash access, "
    "or set sandbox.allow_host_bash: true only in a fully trusted local environment."
)
def uses_local_sandbox_provider(config: AppConfig) -> bool:
    """Report whether ``config.sandbox.use`` names the host-local sandbox provider.

    The decision is purely textual. The configured provider path counts as
    local when it equals one of ``_LOCAL_SANDBOX_PROVIDER_MARKERS``, or when it
    ends with ``":LocalSandboxProvider"`` and contains
    ``"deerflow.sandbox.local"``. A config with no ``sandbox`` attribute, or a
    sandbox section with no ``use`` attribute, is read as the empty string and
    therefore reported as non-local.

    Args:
        config: Application config; only ``config.sandbox.use`` is read.

    Returns:
        True when the provider path matches one of the rules above.
    """
    # Both lookups default instead of raising, so a missing section yields "".
    provider_path = getattr(getattr(config, "sandbox", None), "use", "")

    # NOTE(review): assumes `use` is a str. A present-but-non-string value
    # (e.g. None) misses the tuple check and then raises AttributeError on
    # .endswith — confirm the config model guarantees a string here.
    # NOTE(review): this gate sees the import path, not the class that is
    # actually loaded. A path matching neither rule is reported as non-local,
    # and is_host_bash_allowed() then skips the allow_host_bash opt-in check.
    return provider_path in _LOCAL_SANDBOX_PROVIDER_MARKERS or (
        provider_path.endswith(":LocalSandboxProvider") and "deerflow.sandbox.local" in provider_path
    )
def is_host_bash_allowed(config: AppConfig) -> bool:
    """Decide whether bash may run on the host for the given config.

    The opt-in flag is consulted only when the local provider is in use:

    * no ``sandbox`` section on ``config``: returns True;
    * a provider that ``uses_local_sandbox_provider`` reports as non-local:
      returns True;
    * the local provider: returns the truthiness of
      ``sandbox.allow_host_bash``, with a missing attribute read as False.

    Args:
        config: Application config; ``config.sandbox`` is read if present.

    Returns:
        True when host bash is permitted under the rules above.
    """
    sandbox_section = getattr(config, "sandbox", None)

    # NOTE(review): a config without a sandbox section is permissive here.
    # Confirm that such a config cannot end up running the host-local provider
    # by default, otherwise this path bypasses the opt-in.
    gate_applies = sandbox_section is not None and uses_local_sandbox_provider(config)
    if not gate_applies:
        return True

    # bool() accepts any truthy value, including a non-empty string such as
    # "false". NOTE(review): assumes the config model has already validated
    # allow_host_bash as a real boolean — confirm.
    return bool(getattr(sandbox_section, "allow_host_bash", False))