v0.24.13 -> v0.24.14
Summary
Expands the cloud provider catalogue with two non-streaming completion backends and splits the shared HTTP client to host streaming and non-streaming transports side by side. Adds TUI ergonomics for manual summary regeneration and a guarded session-reset flow that aborts when the summary refresh itself fails. Hardens shell command execution with an AST validator that blocks dynamic-binary bypass vectors previously missed by token-level scanning.
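Translation
Expands the cloud provider menu with two new non-streaming completion backends, and reworks the shared HTTP client so that streaming and non-streaming paths coexist. The TUI gains a manual summary regeneration command and a guarded session reset flow: if the summary refresh fails, it aborts instead of clearing history. Shell command execution now goes through an AST validator, closing the dynamic-binary bypass paths that the old token scan missed.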
Changes
FEAT
- Add Grok (xAI) and DeepSeek provider support with non-streaming HTTP client [db2a3d4]
- Redesign summary prompt and add manual summary regeneration command [5008d70]
- Add session reset flow and improve summary handling [c699cf3]
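Translation
- Add two providers, Grok (xAI) and DeepSeek; provider.NewHTTPClient is reworked from always returning an SSE-friendly client into separate streaming and non-streaming paths (non-SSE backends are no longer wrongly killed by ResponseHeaderTimeout=10s in long-body cases), and new.go in the five existing cloud providers adopts the new signature; CLI selectAgent and buildAgentRegistry wire in the new provider entries, and configs/jsons/providors/{deepseek,grok}.json hold the manifests
- Rewrite summary_prompt.md and summary_context.md: key_decisions is strictly limited to "locked-in concluded outcomes" so that tentative leanings are not treated as binding; the TUI adds a /summary command that runs async with a spinner and goes through exec.ForceSummary to trigger summary.Generate immediately (equivalent to an on-demand cron pass); summary.extract strengthens timestamp extraction to cover more historical message formats
- TUI /reset uses a two-stage popup confirm (force summary.Generate → session.ResetHistoryKeepSummary); if the summary refresh fails it aborts without clearing history, so recent un-summarized conversation is not lost; adds the internal/agents/exec/reset.go and internal/session/reset.go logic, which clears history.json, tool_calls/, action.log and DB SessionHist::*, and keeps summary.json, bot.md, status.json and tool_errors/; summary.Generate is changed to return an error so the reset path can check it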
SECURITY
- Add shell command validation for run_command [7e765e1]
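Translation
- Add internal/tools/runCommandShell.go::validateShellScript, which runs sh -c / bash -c scripts through an mvdan.cc/sh/v3/syntax AST walker: for each CallExpr the real binary is taken and compared against the allowlist; shell builtins (cd / echo / test / export / control flow) are let through; bypass vectors (eval / exec / source / . / command) are treated as non-allowlisted and rejected; dynamic commands ($var / $(…) / ${…}) are rejected; nested sh -c / bash -c validates the inner script recursively. The old strings.Fields(argv[2])[0] check broke completely on cd X && cmd, VAR=v cmd and later pipeline stages, and once it passed, the second segment was never checked; it has been retired. bash -c also goes through this gate (the old version only blocking sh -c was a vulnerability)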
Scope
- internal/agents/provider/grok/, internal/agents/provider/deepseek/ — FEAT (new non-streaming providers)
- internal/agents/provider/provider.go — UPDATE (split streaming and non-streaming HTTP client factory)
- internal/agents/provider/{claude,copilot,gemini,nvidia,openai}/new.go — UPDATE (adopt new HTTP client signature)
- configs/jsons/providors/ — ADD (deepseek.json, grok.json)
- cmd/app/addProvider.go, cmd/app/buildAgentRegistry.go, configs/configs.go, internal/runtime/cli/selectAgent.go — UPDATE (wire new providers)
- configs/prompts/ — UPDATE (summary_prompt.md, summary_context.md, system_prompt.md)
- internal/agents/summary/ — UPDATE (extract.go, generate.go)
- internal/session/ — FEAT, UPDATE (reset.go, summary.go)
- internal/agents/exec/reset.go — FEAT
- internal/runtime/tui/ — FEAT (commandReset.go, commandSummary.go, cmdSelector.go, handlerCommand.go, update.go)
- internal/tools/runCommandShell.go — SECURITY (new AST shell validator)
- internal/tools/runCommand.go — UPDATE (route sh -c / bash -c through validator)
- internal/filesystem/path.go — UPDATE
- go.mod, go.sum — CHORE (add mvdan.cc/sh/v3)
Generated by SKILL