caoqianming 160e801ab0 Stage C Step 2: Docker per-user container pool + iptables blocklist foundation
- deploy/sandbox/Dockerfile: python:3.11-slim + tini + iptables + non-root uid via HOST_UID build-arg + full requirements set
- deploy/sandbox/init.sh: 6 red-line IPv4 ranges + ::1 + ZCBOT_PG_IPS injected via environment; fail-fast if any rule fails
- core/sandbox/network.py: ensure_network() creates the --internal zcbot-sandbox-net
- core/sandbox/pool.py: SandboxPool names containers zcbot-sandbox-<user_id>, per-user asyncio.Lock,
  in-memory _last_active dict (Docker 23+ removed docker update --label-add), full set of
  hardening flags (read-only / tmpfs / cap-drop ALL + NET_ADMIN / no-new-privileges / pids/mem/cpu limit /
  bind mount user_root → /workspace)
- core/sandbox/__init__.py: exports SandboxPool / container_name / setup_pool / NETWORK_NAME

Step 2 scope explicitly excludes AgentLoop integration / switching shell-run_python to the container / egress proxy / reaper task;
the pool is committed in isolation and gets wired in at Step 3. It cannot run on local Windows without docker; the 5 smoke commands for Ubuntu
(build / iptables ranges / non-root uid / read-only / teardown) are written into the "Sandbox(Stage C,Ubuntu)" section of RUN.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 10:44:34 +08:00
config Add web_search and web_fetch tools via Bocha AI search API 2026-05-25 11:37:33 +08:00
core Stage C Step 2: Docker per-user container pool + iptables blocklist foundation 2026-05-26 10:44:34 +08:00
db/migrations feat(media): integrate Doubao Seedream 5.0 image generation tool + 0007 cost_usd→cost_cny unify currency across all tables 2026-05-20 15:20:34 +08:00
deploy/sandbox Stage C Step 2: Docker per-user container pool + iptables blocklist foundation 2026-05-26 10:44:34 +08:00
prompts/system feat(paths): unify external-facing paths to full form <wd_name>/<rel> + UI one-time compatibility with legacy short forms 2026-05-22 12:45:54 +08:00
scripts feat(seedance): add seedance_2_pro variant + smoke supports --variant parameter 2026-05-22 10:11:31 +08:00
skills Add patent skill + REVISIONS.md revision log mechanism 2026-05-26 09:34:01 +08:00
tests Vendor markdown frontend assets 2026-05-25 09:31:36 +08:00
tools Add web_search and web_fetch tools via Bocha AI search API 2026-05-25 11:37:33 +08:00
web Vendor markdown frontend assets 2026-05-25 09:31:36 +08:00
.gitignore skills+core(naming convention): task-level constitution file <date>-<short_id>-<name>.spec.md + spec_lock → spec simplification 2026-05-20 14:03:21 +08:00
CLAUDE.md ui(media): dedupe same-path chip/inline images between tool results and assistant body - Set O(n) + CLAUDE.md adds "align on the plan before implementing" section 2026-05-20 16:33:47 +08:00
DESIGN.md Record Stage C sandbox implementation hard protocol at the end of DESIGN §7.5 2026-05-26 09:00:16 +08:00
DOCUMENT_SEARCH_API.md feat(skill): documents skill connects to internal materials-science knowledge base (document_search API) 2026-05-21 15:31:21 +08:00
EMBED.md feat(web): embed mode accepts ?task_id=<uuid> URL parameter to auto-locate the task 2026-05-22 15:27:19 +08:00
PROGRESS.md Stage C Step 2: Docker per-user container pool + iptables blocklist foundation 2026-05-26 10:44:34 +08:00
RUN.md Stage C Step 2: Docker per-user container pool + iptables blocklist foundation 2026-05-26 10:44:34 +08:00
alembic.ini core(§7 B Step 1): Storage infrastructure - SQLAlchemy ORM + alembic + db CLI 2026-05-14 10:41:44 +08:00
main.py ui+api: add admin user-issuing entry on login page + remove duplicate message-count/tok display in chat meta 2026-05-21 15:51:02 +08:00
requirements.txt Add web_search and web_fetch tools via Bocha AI search API 2026-05-25 11:37:33 +08:00