3. 权限与安全模型

3.1 分层权限

┌─────────────────────────────────────────────────────────────────┐
│                    Permission Layers                             │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Layer 1: Auto-Approved (无需确认)                               │
│  ├── read_file                                                   │
│  ├── list_dir                                                    │
│  ├── grep (read-only)                                            │
│  └── codebase_search                                             │
│                                                                  │
│  Layer 2: Requires Confirmation (需要用户确认)                    │
│  ├── write_file                                                  │
│  ├── edit_file                                                   │
│  ├── delete_file                                                 │
│  └── run_terminal_cmd (sandboxed)                                │
│                                                                  │
│  Layer 3: Explicit Permission (需要显式权限)                      │
│  ├── network access                                              │
│  ├── git_write operations                                        │
│  └── run_terminal_cmd (unsandboxed)                              │
│                                                                  │
│  Layer 4: Blocked (禁止)                                         │
│  ├── Access ignored files                                        │
│  ├── System modifications                                        │
│  └── Sensitive data access                                       │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

3.2 沙箱执行

interface SandboxConfig {
  // 文件系统限制
  filesystem: {
    writeAllowed: string[];   // 允许写入的路径
    readAllowed: string[];    // 允许读取的路径
    blocked: string[];        // 禁止访问的路径
  };
  
  // 网络限制
  network: {
    allowed: boolean;
    allowedHosts?: string[];
  };
  
  // 进程限制
  process: {
    maxTime: number;          // 最大执行时间
    maxMemory: number;        // 最大内存
  };
  
  // Git 限制
  git: {
    readAllowed: boolean;
    writeAllowed: boolean;
  };
}

class SandboxExecutor {
  async execute(command: string, permissions: string[]) {
    const config = this.buildConfig(permissions);
    
    // 使用 firejail 或类似工具创建沙箱
    const sandbox = await createSandbox(config);
    
    try {
      const result = await sandbox.run(command);
      return result;
    } catch (error) {
      if (this.isSandboxError(error)) {
        return {
          success: false,
          error: "Operation blocked by sandbox",
          suggestion: "Request appropriate permissions"
        };
      }
      throw error;
    }
  }
}

3.3 用户确认流程

class ConfirmationManager {
  async requestPermission(operation: Operation): Promise<boolean> {
    // 描述操作
    const description = this.describeOperation(operation);
    
    // 显示给用户
    console.log(`\n${chalk.yellow('⚠️ Permission Required')}`);
    console.log(description);
    console.log(`\n${chalk.dim('This action requires your approval.')}`);
    
    // 等待用户输入
    const { confirmed } = await prompts({
      type: 'confirm',
      name: 'confirmed',
      message: 'Allow this operation?',
      initial: false
    });
    
    // 记录决定
    this.logDecision(operation, confirmed);
    
    return confirmed;
  }
  
  describeOperation(op: Operation): string {
    switch (op.type) {
      case 'write_file':
        return `Write to file: ${op.path}\nContent length: ${op.content.length} characters`;
      case 'run_command':
        return `Execute command: ${op.command}\nPermissions: ${op.permissions.join(', ')}`;
      case 'delete_file':
        return `Delete file: ${op.path}`;
      default:
        return `Perform: ${op.type}`;
    }
  }
}

---