@ian2018cs/agenthub 0.1.54 → 0.1.56

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ian2018cs/agenthub",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "description": "A web-based UI for AI Agents",
   "type": "module",
   "main": "server/index.js",
@@ -19,13 +19,13 @@
     "dist/",
     "README.md"
   ],
-  "homepage": "https://github.com/IAn2018cs/claudecodeui",
+  "homepage": "https://github.com/IAn2018cs/AgentHub",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/IAn2018cs/claudecodeui.git"
+    "url": "git+https://github.com/IAn2018cs/AgentHub.git"
   },
   "bugs": {
-    "url": "https://github.com/IAn2018cs/claudecodeui/issues"
+    "url": "https://github.com/IAn2018cs/AgentHub/issues"
   },
   "scripts": {
     "dev": "concurrently --kill-others \"npm run server\" \"npm run client\"",
@@ -34,8 +34,7 @@
     "build": "vite build",
     "preview": "vite preview",
     "start": "npm run build && npm run server",
-    "release": "./release.sh",
-    "setup-feishu-cards": "node scripts/setup-feishu-cards.mjs"
+    "release": "./release.sh"
   },
   "keywords": [
     "claude coode",
@@ -44,14 +43,14 @@
     "ui",
     "mobile"
   ],
-  "author": "Claude Code UI Contributors",
+  "author": "IAn2018cs",
   "license": "MIT",
   "publishConfig": {
     "registry": "https://registry.npmjs.org",
     "access": "public"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.70",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.72",
     "@codemirror/lang-css": "^6.3.1",
     "@codemirror/lang-html": "^6.4.9",
     "@codemirror/lang-javascript": "^6.2.4",

package/server/claude-sdk.js

@@ -22,6 +22,7 @@ import { CLAUDE_MODELS } from '../shared/modelConstants.js';
 import { getUserPaths } from './services/user-directories.js';
 import { usageDb } from './database/db.js';
 import { calculateCost, normalizeModelName } from './services/pricing.js';
+import { evaluate as evaluateToolGuard } from './services/tool-guard/index.js';
 
 // Session tracking: Map of session IDs to active query instances
 const activeSessions = new Map();
@@ -204,10 +205,12 @@ function mapCliOptionsToSDK(options = {}) {
   console.log(`Using model: ${sdkOptions.model}`);
 
   // Map system prompt configuration
+  const baseAppend = 'You are an AI assistant running inside AgentHub, a platform that supports diverse work tasks beyond coding.';
+  const extraAppend = options.appendSystemPrompt ? `\n\n${options.appendSystemPrompt}` : '';
   sdkOptions.systemPrompt = {
     type: 'preset',
     preset: 'claude_code',  // Required to use CLAUDE.md
-    ...(options.appendSystemPrompt ? { append: options.appendSystemPrompt } : {}),
+    append: baseAppend + extraAppend,
   };
 
   // Map setting sources for CLAUDE.md loading
@@ -520,6 +523,46 @@ async function queryClaudeSDK(command, options = {}, ws) {
     tempImagePaths = imageResult.tempImagePaths;
     tempDir = imageResult.tempDir;
 
+    // ===== 安全守卫（PreToolUse hook，最高优先级）=====
+    // 使用 PreToolUse hook 而非 canUseTool 回调，因为 hook 会在每次工具执行前触发，
+    // 包括已被 allowedTools 自动放行的工具和 bypassPermissions 模式下的工具。
+    // canUseTool 仅在 CLI 发送 can_use_tool 控制消息时触发（即工具未被预批准时）。
+    if (userUuid) {
+      sdkOptions.hooks = {
+        ...(sdkOptions.hooks || {}),
+        PreToolUse: [
+          ...((sdkOptions.hooks || {}).PreToolUse || []),
+          {
+            hooks: [async (hookInput) => {
+              try {
+                const guardResult = await evaluateToolGuard(hookInput.tool_name, hookInput.tool_input, {
+                  userUuid,
+                  cwd: sdkOptions.cwd,
+                });
+                if (!guardResult.allowed) {
+                  console.log(`[ToolGuard] DENIED ${hookInput.tool_name} for user ${userUuid}: ${guardResult.reason}`);
+                  return {
+                    hookSpecificOutput: {
+                      hookEventName: 'PreToolUse',
+                      permissionDecision: 'deny',
+                      permissionDecisionReason: `[系统安全策略] ${guardResult.reason}`,
+                    }
+                  };
+                }
+              } catch (err) {
+                console.error(`[ToolGuard] Error evaluating ${hookInput.tool_name}:`, err.message);
+                // 守卫出错时不阻塞正常流程，降级为原有权限控制
+              }
+              if (process.env.TOOL_GUARD_VERBOSE === 'true') {
+                console.log(`[ToolGuard] HOOK-ALLOW ${hookInput.tool_name}`);
+              }
+              return {};
+            }]
+          }
+        ]
+      };
+    }
+
     // Gate tool usage with explicit UI approval when not auto-approved.
     // This does not render UI or persist permissions; it only bridges to the UI
     // via WebSocket and waits for the response, introduced so tool calls pause

package/server/cli.js

@@ -135,9 +135,9 @@ function showStatus() {
 
     console.log('\n' + c.dim('═'.repeat(60)));
     console.log(`\n${c.tip('[TIP]')} Hints:`);
-    console.log(`      ${c.dim('>')} Use ${c.bright('cloudcli --port 8080')} to run on a custom port`);
-    console.log(`      ${c.dim('>')} Use ${c.bright('cloudcli --database-path /path/to/db')} for custom database`);
-    console.log(`      ${c.dim('>')} Run ${c.bright('cloudcli help')} for all options`);
+    console.log(`      ${c.dim('>')} Use ${c.bright('agenthub --port 8080')} to run on a custom port`);
+    console.log(`      ${c.dim('>')} Use ${c.bright('agenthub --database-path /path/to/db')} for custom database`);
+    console.log(`      ${c.dim('>')} Run ${c.bright('agenthub help')} for all options`);
     console.log(`      ${c.dim('>')} Access the UI at http://localhost:${process.env.PORT || '3001'}\n`);
 }
 
@@ -149,8 +149,7 @@ function showHelp() {
 ╚═══════════════════════════════════════════════════════════════╝
 
 Usage:
-  claude-code-ui [command] [options]
-  cloudcli [command] [options]
+  agenthub [command] [options]
 
 Commands:
   start                 Start the Claude Code UI server (default)
@@ -167,11 +166,11 @@ Options:
   -v, --version               Show version information
 
 Examples:
-  $ cloudcli                        # Start with defaults
-  $ cloudcli --port 8080            # Start on port 8080
-  $ cloudcli -p 3000                # Short form for port
-  $ cloudcli start --port 4000      # Explicit start command
-  $ cloudcli status                 # Show configuration
+  $ agenthub                        # Start with defaults
+  $ agenthub --port 8080            # Start on port 8080
+  $ agenthub -p 3000                # Short form for port
+  $ agenthub start --port 4000      # Explicit start command
+  $ agenthub status                 # Show configuration
 
 Environment Variables:
   PORT                Set server port (default: 3001)
@@ -180,10 +179,10 @@ Environment Variables:
   CONTEXT_WINDOW      Set context window size (default: 160000)
 
 Documentation:
-  ${packageJson.homepage || 'https://github.com/siteboon/claudecodeui'}
+  ${packageJson.homepage || 'https://github.com/IAn2018cs/AgentHub'}
 
 Report Issues:
-  ${packageJson.bugs?.url || 'https://github.com/siteboon/claudecodeui/issues'}
+  ${packageJson.bugs?.url || 'https://github.com/IAn2018cs/AgentHub/issues'}
 `);
 }
 
@@ -203,17 +202,49 @@ function isNewerVersion(v1, v2) {
     return false;
 }
 
+// Download a file with optional GitHub token auth, following redirects
+async function downloadWithAuth(url, destPath, token) {
+    const https = await import('https');
+    const fs = await import('fs');
+    return new Promise((resolve, reject) => {
+        const headers = { 'User-Agent': 'agenthub-cli' };
+        if (token) headers['Authorization'] = `Bearer ${token}`;
+        const download = (downloadUrl) => {
+            const req = https.get(downloadUrl, { headers }, (res) => {
+                if (res.statusCode === 301 || res.statusCode === 302) {
+                    download(res.headers.location);
+                    return;
+                }
+                if (res.statusCode !== 200) {
+                    reject(new Error(`HTTP ${res.statusCode}`));
+                    return;
+                }
+                const file = fs.createWriteStream(destPath);
+                res.pipe(file);
+                file.on('finish', () => file.close(resolve));
+                file.on('error', reject);
+            });
+            req.on('error', reject);
+            req.setTimeout(60000, () => { req.destroy(); reject(new Error('Download timeout')); });
+        };
+        download(url);
+    });
+}
+
 // Check for updates via GitHub Releases
 async function checkForUpdates(silent = false) {
     try {
         const https = await import('https');
-        const REPO = 'IAn2018cs/claudecodeui';
+        const REPO = 'IAn2018cs/AgentHub';
         const currentVersion = packageJson.version;
+        const githubToken = process.env.GITHUB_TOKEN;
+        const headers = { 'User-Agent': 'agenthub-cli' };
+        if (githubToken) headers['Authorization'] = `Bearer ${githubToken}`;
 
         const latestVersion = await new Promise((resolve, reject) => {
             const req = https.get(
                 `https://api.github.com/repos/${REPO}/releases/latest`,
-                { headers: { 'User-Agent': 'agenthub-cli' } },
+                { headers },
                 (res) => {
                     let data = '';
                     res.on('data', chunk => data += chunk);
@@ -270,15 +301,27 @@ async function updatePackage() {
 
         console.log(`${c.info('[INFO]')} Updating from ${currentVersion} to ${latestVersion}...`);
         const tgzName = `ian2018cs-agenthub-${latestVersion}.tgz`;
-        const url = `https://github.com/IAn2018cs/claudecodeui/releases/download/v${latestVersion}/${tgzName}`;
-        execSync(`npm install -g "${url}"`, { stdio: 'inherit' });
+        const url = `https://github.com/IAn2018cs/AgentHub/releases/download/v${latestVersion}/${tgzName}`;
+        const githubToken = process.env.GITHUB_TOKEN;
+        if (githubToken) {
+            const os = await import('os');
+            const path = await import('path');
+            const fsSync = await import('fs');
+            const tmpFile = path.join(os.tmpdir(), tgzName);
+            console.log(`${c.info('[INFO]')} Downloading with GitHub token...`);
+            await downloadWithAuth(url, tmpFile, githubToken);
+            execSync(`npm install -g "${tmpFile}"`, { stdio: 'inherit' });
+            fsSync.unlinkSync(tmpFile);
+        } else {
+            execSync(`npm install -g "${url}"`, { stdio: 'inherit' });
+        }
         console.log(`${c.ok('[OK]')} Update complete!`);
         console.log(`         Please restart the server to use the new version:`);
         console.log(`         - pm2: ${c.bright('pm2 restart agenthub')} or ${c.bright('./pm2.sh restart')}`);
         console.log(`         - manual: stop and run ${c.bright('agenthub')} again`);
     } catch (e) {
         console.error(`${c.error('[ERROR]')} Update failed: ${e.message}`);
-        console.log(`${c.tip('[TIP]')} Check releases: https://github.com/IAn2018cs/claudecodeui/releases`);
+        console.log(`${c.tip('[TIP]')} Check releases: https://github.com/IAn2018cs/AgentHub/releases`);
     }
 }
 
@@ -392,7 +435,7 @@ async function main() {
             break;
         default:
             console.error(`\n❌ Unknown command: ${command}`);
-            console.log('   Run "cloudcli help" for usage information.\n');
+            console.log('   Run "agenthub help" for usage information.\n');
             process.exit(1);
     }
 }

package/server/index.js

@@ -38,7 +38,6 @@ import os from 'os';
 import http from 'http';
 import cors from 'cors';
 import { promises as fsPromises } from 'fs';
-import { spawn } from 'child_process';
 import pty from 'node-pty';
 import fetch from 'node-fetch';
 import mime from 'mime-types';
@@ -225,19 +224,6 @@ const wss = new WebSocketServer({
     verifyClient: (info) => {
         console.log('WebSocket connection attempt to:', info.req.url);
 
-        // Platform mode: always allow connection
-        if (process.env.VITE_IS_PLATFORM === 'true') {
-            const user = authenticateWebSocket(null); // Will return first user
-            if (!user) {
-                console.log('[WARN] Platform mode: No user found in database');
-                return false;
-            }
-            info.req.user = user;
-            console.log('[OK] Platform mode WebSocket authenticated for user:', user.username);
-            return true;
-        }
-
-        // Normal mode: verify token
         // Extract token from query parameters or headers
         const url = new URL(info.req.url, 'http://localhost');
         const token = url.searchParams.get('token') ||
@@ -2359,7 +2345,7 @@ async function startServer() {
             console.log('');
             console.log(`${c.info('[INFO]')} Server URL:  ${c.bright('http://0.0.0.0:' + PORT)}`);
             console.log(`${c.info('[INFO]')} Installed at: ${c.dim(appInstallPath)}`);
-            console.log(`${c.tip('[TIP]')}  Run "cloudcli status" for full configuration details`);
+            console.log(`${c.tip('[TIP]')}  Run "agenthub status" for full configuration details`);
             console.log('');
 
             // Start usage scanner service

package/server/middleware/auth.js

@@ -20,22 +20,6 @@ const validateApiKey = (req, res, next) => {
 
 // JWT authentication middleware
 const authenticateToken = async (req, res, next) => {
-  // Platform mode:  use single database user
-  if (process.env.VITE_IS_PLATFORM === 'true') {
-    try {
-      const user = userDb.getFirstUser();
-      if (!user) {
-        return res.status(500).json({ error: 'Platform mode: No user found in database' });
-      }
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
-    }
-  }
-
-  // Normal OSS JWT validation
   const authHeader = req.headers['authorization'];
   const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
 
@@ -88,21 +72,6 @@ const generateToken = (user) => {
 
 // WebSocket authentication function
 const authenticateWebSocket = (token) => {
-  // Platform mode: bypass token validation, return first user
-  if (process.env.VITE_IS_PLATFORM === 'true') {
-    try {
-      const user = userDb.getFirstUser();
-      if (user) {
-        return { userId: user.id, username: user.username };
-      }
-      return null;
-    } catch (error) {
-      console.error('Platform mode WebSocket error:', error);
-      return null;
-    }
-  }
-
-  // Normal OSS JWT validation
   if (!token) {
     return null;
   }

package/server/projects.js

@@ -888,7 +888,7 @@ async function addProjectManually(projectPath, displayName = null, userUuid) {
   }
 
   // Allow adding projects even if the directory exists - this enables tracking
-  // existing Claude Code or Cursor projects in the UI
+  // existing Claude Code projects in the UI
 
   const createdAt = new Date().toISOString();
 

package/server/services/feishu/command-handler.js

@@ -2,7 +2,7 @@
  * command-handler.js — 飞书斜杠命令处理
  *
  * 支持命令：
- *   /auth <token>        绑定 claudecodeui 账号
+ *   /auth <token>        绑定 agenthub 账号
  *   /unbind              解除绑定
  *   /new                 新建 Claude 会话
  *   /list                列出当前项目的会话

package/server/services/feishu/sdk-bridge.js

@@ -397,7 +397,7 @@ class FakeSendWriter {
  * @param {string} opts.messageId          原始消息 ID
  * @param {string} opts.content            用户输入文字
  * @param {Array|null} opts.images         图片附件（已转换为 data URI 格式）
- * @param {string} opts.userUuid           claudecodeui 用户 UUID
+ * @param {string} opts.userUuid           agenthub 用户 UUID
  * @param {Object} opts.state              feishu_session_state 行
  * @param {Object} opts.larkClient         LarkClient 实例
  * @param {Map}    opts.pendingApprovals   engine 共享的 pendingApprovals Map

package/server/services/tool-guard/index.js

@@ -0,0 +1,75 @@
+/**
+ * Tool Guard — 工具调用安全守卫
+ *
+ * 在每次工具执行前进行安全检查，优先级高于所有用户权限模式。
+ * 双层检测：正则规则（快速）→ LLM 审查（兜底）
+ */
+
+import { evaluateRules } from './rules.js';
+import { reviewWithLLM } from './llm-reviewer.js';
+import { getUserPaths, DATA_DIR } from '../user-directories.js';
+import path from 'path';
+
+const VERBOSE = process.env.TOOL_GUARD_VERBOSE === 'true';
+
+/**
+ * 评估工具调用是否安全
+ * @param {string} toolName - 工具名称（如 Bash, Read, Write, Edit, Glob, Grep）
+ * @param {Record<string, unknown>} input - 工具参数
+ * @param {{ userUuid: string, cwd?: string }} opts
+ * @returns {Promise<{ allowed: boolean, reason?: string }>}
+ */
+export async function evaluate(toolName, input, { userUuid, cwd }) {
+  if (process.env.TOOL_GUARD_ENABLED === 'false') {
+    return { allowed: true };
+  }
+
+  const context = buildContext(userUuid, cwd);
+
+  // Phase 1: 正则规则快速检查
+  const { denied, uncertain, denyReasons, uncertainReasons } = evaluateRules(toolName, input, context);
+
+  if (denied) {
+    if (VERBOSE) console.log(`[ToolGuard] RULE-DENY ${toolName}: ${denyReasons.join('; ')}`);
+    return { allowed: false, reason: denyReasons.join('; ') };
+  }
+
+  if (!uncertain) {
+    if (VERBOSE) console.log(`[ToolGuard] RULE-ALLOW ${toolName}`);
+    return { allowed: true };
+  }
+
+  // Phase 2: LLM 兜底审查
+  if (process.env.TOOL_GUARD_LLM_ENABLED === 'false') {
+    if (VERBOSE) console.log(`[ToolGuard] LLM disabled, UNCERTAIN→ALLOW ${toolName}`);
+    return { allowed: true };
+  }
+
+  try {
+    const llmResult = await reviewWithLLM(toolName, input, context, uncertainReasons);
+    if (VERBOSE) console.log(`[ToolGuard] LLM-${llmResult.allowed ? 'ALLOW' : 'DENY'} ${toolName}: ${llmResult.reason || ''}`);
+    return llmResult;
+  } catch (err) {
+    console.error(`[ToolGuard] LLM review error for ${toolName}:`, err.message);
+    // LLM 失败时安全兜底：拒绝
+    return { allowed: false, reason: 'LLM 审查失败，出于安全考虑已拒绝' };
+  }
+}
+
+/**
+ * 构建安全检查上下文
+ */
+function buildContext(userUuid, cwd) {
+  const resolvedDataDir = path.resolve(DATA_DIR);
+  return {
+    userUuid,
+    cwd: cwd ? path.resolve(cwd) : null,
+    allowedPrefixes: [
+      path.join(resolvedDataDir, 'user-data', userUuid),
+      path.join(resolvedDataDir, 'user-projects', userUuid),
+      path.join(resolvedDataDir, 'images', userUuid),
+    ],
+    dataDir: resolvedDataDir,
+    tempDirs: ['/tmp', '/var/tmp', '/private/tmp'],
+  };
+}

package/server/services/tool-guard/llm-reviewer.js

@@ -0,0 +1,128 @@
+/**
+ * Tool Guard — LLM 审查模块
+ *
+ * 当正则规则无法确定安全性时（返回 UNCERTAIN），调用 LLM 进行兜底审查。
+ * 复用 server/services/llm.js 的 chatCompletion()，使用 OpenAI 兼容格式。
+ */
+
+import { chatCompletion } from '../llm.js';
+
+const MODEL = process.env.TOOL_GUARD_LLM_MODEL || 'gemini-3.1-flash-lite-preview';
+const TIMEOUT_MS = parseInt(process.env.TOOL_GUARD_LLM_TIMEOUT_MS || '5000', 10);
+
+/**
+ * 使用 LLM 审查工具调用安全性
+ * @param {string} toolName
+ * @param {Record<string, unknown>} input
+ * @param {object} context - { userUuid, allowedPrefixes, cwd, tempDirs }
+ * @param {string[]} uncertainReasons - 触发 LLM 审查的原因
+ * @returns {Promise<{ allowed: boolean, reason?: string }>}
+ */
+export async function reviewWithLLM(toolName, input, context, uncertainReasons) {
+  const { userUuid, allowedPrefixes, cwd } = context;
+
+  // 如果 OPENAI_API_KEY 未配置，降级为放行
+  if (!process.env.OPENAI_API_KEY) {
+    console.warn('[ToolGuard] OPENAI_API_KEY 未配置，LLM 审查降级为放行');
+    return { allowed: true };
+  }
+
+  const systemPrompt = buildSystemPrompt(userUuid, allowedPrefixes, cwd);
+  const userPrompt = buildUserPrompt(toolName, input, uncertainReasons);
+
+  try {
+    // 带超时的 LLM 调用
+    const result = await Promise.race([
+      chatCompletion({
+        systemPrompt,
+        userPrompt,
+        model: MODEL,
+        maxTokens: 256,
+        temperature: 0,
+      }),
+      new Promise((_, reject) =>
+        setTimeout(() => reject(new Error('LLM 审查超时')), TIMEOUT_MS)
+      ),
+    ]);
+
+    return parseResponse(result);
+  } catch (err) {
+    if (err.message === 'LLM 审查超时') {
+      return { allowed: false, reason: 'LLM 审查超时，出于安全考虑已拒绝' };
+    }
+    throw err; // 其他错误向上抛出，由 index.js 的 catch 处理
+  }
+}
+
+/**
+ * 构建系统提示词
+ */
+function buildSystemPrompt(userUuid, allowedPrefixes, cwd) {
+  return `你是一个多用户 AI 编程平台的安全审查员。你需要判断一个 AI 助手的工具调用是否安全。
+
+## 用户上下文
+- 用户 ID: ${userUuid}
+- 用户允许的目录:
+  - ${allowedPrefixes[0]}
+  - ${allowedPrefixes[1]}
+- 当前工作目录: ${cwd || '未指定'}
+- 临时目录要求: 必须使用 /tmp/${userUuid}/ 子文件夹
+
+## 安全规则
+1. 用户只能访问自己目录下的文件，不能访问其他用户的文件或系统文件
+2. 临时目录（/tmp/、/var/tmp/）必须使用用户 ID 子文件夹（/tmp/${userUuid}/）
+3. 不允许修改系统配置（nginx、docker、systemd、防火墙等）
+4. 不允许执行危险命令（sudo、kill 系统进程、rm -rf /、shutdown 等）
+5. 不允许全局安装包（npm -g、pip 非虚拟环境、pip --user 等）；pip 必须在虚拟环境内执行（venv/bin/pip 或 .venv/bin/pip）
+6. 允许的操作：运行用户自己项目（node/npm/python）、本地安装依赖、git 操作、创建虚拟环境
+
+## 判断原则
+- 如果操作明显安全（在用户目录内操作、本地安装依赖等），判定为 safe
+- 如果操作有潜在风险但无法确定，倾向于判定为 unsafe（宁可误拒不可漏放）
+- 判定为 unsafe 时，在 reason 中给出简短的中文说明，帮助用户理解被拒绝的原因
+
+## 响应格式
+仅输出 JSON，不要输出其他任何内容：
+{"safe": true, "reason": "安全操作说明"}
+或
+{"safe": false, "reason": "拒绝原因说明"}`;
+}
+
+/**
+ * 构建用户提示词
+ */
+function buildUserPrompt(toolName, input, uncertainReasons) {
+  const inputStr = typeof input === 'object' ? JSON.stringify(input, null, 2) : String(input);
+  return `## 待审查的工具调用
+- 工具名称: ${toolName}
+- 工具参数:
+${inputStr}
+
+## 需要额外关注的原因
+${uncertainReasons.map(r => `- ${r}`).join('\n')}`;
+}
+
+/**
+ * 解析 LLM 响应
+ */
+function parseResponse(responseText) {
+  try {
+    // 尝试提取 JSON（LLM 可能返回 markdown 包裹的 JSON）
+    const jsonMatch = responseText.match(/\{[\s\S]*\}/);
+    if (!jsonMatch) {
+      return { allowed: false, reason: 'LLM 审查返回格式异常，出于安全考虑已拒绝' };
+    }
+
+    const parsed = JSON.parse(jsonMatch[0]);
+
+    if (typeof parsed.safe !== 'boolean') {
+      return { allowed: false, reason: 'LLM 审查返回格式异常，出于安全考虑已拒绝' };
+    }
+
+    return parsed.safe
+      ? { allowed: true }
+      : { allowed: false, reason: parsed.reason || 'LLM 审查判定为不安全操作' };
+  } catch {
+    return { allowed: false, reason: 'LLM 审查响应解析失败，出于安全考虑已拒绝' };
+  }
+}