refactor(policy): centralize sandbox enforcement and validate config #297
Merged
liujuanjuan1984 merged 8 commits into main from Mar 23, 2026
Collaborator
Author
|
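The conclusions of this round of review of the PR's code changes are as follows.
Conclusion
Assessment of the code changes
1. The direction of policy centralization is correct
2. Shell exposure is now aligned with the runtime policy
3. The consistency validation at the settings layer is a necessary reinforcement
Current residual risks / room for follow-up
1. This is still entry-point-level enforcement, not a syscall-level sandbox
2. The current policy tightening points give priority to covering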
|
Collaborator
Author
|
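I did a further round of cleanup on the current branch, focused on the dead code / unnecessary wrappers introduced by this PR itself:
This round does not change external behavior; it only tightens implementation boundaries so the policy layer is more direct.
Re-verified: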
|
Collaborator
Author
|
Continuing on the current branch, I fixed the leftover wrappers the reviewer pointed out:
Verification for this round:
|
Collaborator
Author
|
Continuing on the current branch, I cleaned up
Verification for this round:
|
Collaborator
Author
|
Continuing on the current branch, I cleaned up the last layer you pointed out
Verification for this round:
|
Collaborator
Author
|
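Continuing on the current branch, I closed out an additional batch of thin-wrapper functions/properties:
Verification for this round: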
|
Collaborator
Author
|
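This round I did another thin-wrapper cleanup pass, which has been committed and pushed:
Main items handled this time:
Notes on retained items:
Verification results: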
|
Collaborator
Author
|
Adding a clean wrap-up note.
Commits added this round:
Thin wrappers cleaned up further this time:
Retained items:
Verification results:
|
Related
Change overview
This PR consolidates sandbox-related decisions into a single policy object, and wires directory resolution, shell capability exposure, and configuration consistency validation into the same policy semantics; it also continues to clean up thin-wrapper methods in the execution path that add no semantic value.
By module
src/opencode_a2a/sandbox_policy.py
src/opencode_a2a/execution/executor.py
src/opencode_a2a/server/application.py
- single-line state helpers such as _entry_expired / _entry_in_use, reducing extra indirection.
src/opencode_a2a/profile/runtime.py
src/opencode_a2a/config.py
- BeforeValidator(_parse_declared_list) parses the declared list directly, removing the extra validator thin wrapper.
- Settings.from_env() as the application entry point and type-adaptation point; ordinary test scenarios use Settings() directly.
src/opencode_a2a/contracts/extensions.py
- properties such as DeploymentConditionalMethod.availability that only wrap a single boolean expression; the value is written directly in the retention document.
Tests
- Settings(), keeping the from_env() dependency only where the application entry point needs it.
Related commits
- 4572436 refactor(policy): centralize sandbox decisions for directory and shell (#278)
- 9fd7531 fix(config): validate sandbox policy consistency (#278)
- 0f47531 refactor(policy): remove wrapper helpers from sandbox policy (#278)
- 26385b9 refactor(execution): remove policy wrapper layer (#278)
- df356dd refactor(execution): inline sandbox and session control hooks (#278)
- 4b94d81 refactor(execution): remove remaining resolve_directory wrapper (#278)
- 5e3026f refactor(config): remove validator and accessor wrappers (#278)
- e26b4b1 refactor(policy): inline remaining thin wrappers in sandbox paths (#278)
Verification
- uv run pre-commit run --all-files
- uv run pytest
- 345 passed
- coverage: 91.01%
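
The change overview describes one policy object that decides directory resolution, shell exposure and config consistency. The following is an added example of that pattern, not code from this PR or from opencode_a2a: the class, its fields, the capability names and the specific consistency rule are all assumptions made for illustration, and the checks are entry-point-level only, as the review comment notes.

```python
from dataclasses import dataclass
from pathlib import Path


class PolicyError(ValueError):
    """A request or a configuration violates the sandbox policy."""


@dataclass(frozen=True)
class SandboxPolicy:
    """Hypothetical policy object; field and method names are assumptions."""
    workspace_root: Path
    allow_directory_override: bool = False
    extra_roots: tuple = ()
    allow_shell: bool = False

    def __post_init__(self):
        # Config consistency (assumed rule): contradictory settings fail at
        # startup instead of surfacing per request.
        if not self.workspace_root.is_absolute():
            raise PolicyError("workspace_root must be absolute")
        if self.extra_roots and not self.allow_directory_override:
            raise PolicyError("extra_roots requires allow_directory_override")

    def resolve_directory(self, requested=None):
        """Return the directory a request may run in, or raise PolicyError."""
        root = self.workspace_root.resolve()
        if requested is None:
            return root
        if not self.allow_directory_override:
            raise PolicyError("directory override is disabled")
        # resolve() collapses '..' and symlinks before the containment check.
        target = (root / requested).resolve()
        allowed = [root] + [Path(r).resolve() for r in self.extra_roots]
        if not any(target.is_relative_to(base) for base in allowed):
            raise PolicyError(f"{target} is outside the allowed roots")
        return target

    def exposed_capabilities(self):
        """Capabilities to advertise; shell appears only if policy allows it."""
        return ["session"] + (["shell"] if self.allow_shell else [])

    def require_shell(self):
        """Runtime check that reads the same flag as the advertisement."""
        if not self.allow_shell:
            raise PolicyError("shell is disabled by policy")
```

Because the advertisement and the runtime check read the same flag, a deployment cannot expose shell while refusing it at run time, or the reverse.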