qlogicagent 2.11.4 → 2.11.5

package/dist/types/cli/tool-bootstrap.d.ts

@@ -12,6 +12,8 @@ export interface SandboxPermissionSnapshot {
     mode: PermissionMode;
     workdir: string;
     allowedDirs: string[];
+    /** cut7c: current turn is an untrusted community-skill turn → tighten the sandbox. */
+    communityTurn: boolean;
 }
 /** Wire the OS-sandbox permission source (live rule-engine snapshot), or null to clear. */
 export declare function setSandboxPermissionSource(source: (() => SandboxPermissionSnapshot | undefined) | null): void;

package/dist/types/runtime/infra/model-registry.d.ts

@@ -1,3 +1,4 @@
+import { type ReasoningMode } from "./provider-catalog-adapter.js";
 import { type KeyConfig, type KeyHandle, type LoadBalanceStrategy, type PoolStatus, type ProviderPoolConfig } from "./key-pool.js";
 export type RegistryChangeCallback = () => void;
 export type ModelPurpose = "textGeneration" | "smallModel" | "stt" | "tts" | "imageGeneration" | "imageUnderstanding" | "videoGeneration" | "videoUnderstanding" | "threeDGeneration" | "embedding" | "voiceClone" | "musicGeneration" | "realtimeAudio" | "realtimeVideo";
@@ -34,6 +35,8 @@ export interface ModelEntry {
     streamRequired?: boolean;
     capabilities?: string[];
     pricing?: Record<string, unknown>;
+    /** Thinking-strength control class for the UI (see ReasoningMode). */
+    reasoningMode?: ReasoningMode;
 }
 export type PurposeBindings = Partial<Record<ModelPurpose, string>>;
 export interface ModelRegistryConfig {

package/dist/types/runtime/infra/provider-catalog-adapter.d.ts

@@ -1,5 +1,17 @@
 import { type ProviderVariantCapability } from "@xiaozhiclaw/provider-core";
 export type RuntimeProviderVariantCapability = ProviderVariantCapability;
+/**
+ * How a model's thinking depth can be controlled, derived from provider-core
+ * capabilities + quirks. The UI maps each mode to a different effort option set:
+ *   - none      : model has no reasoning/thinking → hide the strength control
+ *   - adaptive  : model self-regulates depth natively (Anthropic Opus/Sonnet
+ *                 type:"adaptive") → only "智能"
+ *   - collapsed : provider collapses effort levels (DeepSeek: low/medium→high,
+ *                 high/xhigh→max) → "标准 / 最大" only
+ *   - effort    : full granular control honored (o-series/Kimi reasoning_effort,
+ *                 Anthropic budget thinking) → full 5 options
+ */
+export type ReasoningMode = "none" | "adaptive" | "collapsed" | "effort";
 export interface RuntimeProviderCatalogProvider {
     id: string;
     name: string;
@@ -24,6 +36,8 @@ export interface RuntimeProviderCatalogModel {
     costCacheRead?: number;
     costCacheWrite?: number;
     pricing?: Record<string, unknown>;
+    /** Derived control class for thinking strength (see ReasoningMode). */
+    reasoningMode?: ReasoningMode;
 }
 export interface RuntimeProviderVariantResolutionInput {
     publicModel: string;

package/dist/types/runtime/ports/permission-contracts.d.ts

@@ -9,6 +9,12 @@ export interface PermissionRuleEntry {
     behavior: PermissionBehavior;
     reason?: string;
     source?: string;
+    /**
+     * When set, the rule only matches if this operation-classification flag is true
+     * (in addition to pattern/pathPrefix). Lets a rule target an operation property
+     * (e.g. a shell command that performs network egress) rather than just a tool name.
+     */
+    requireOp?: "commandNetworkEgress";
 }
 export type PermissionDecisionReason = {
     type: "rule";

package/dist/types/skills/permissions/community-sandbox-policy.d.ts

@@ -1,3 +1,3 @@
 import type { PermissionRuleEntry } from "./types.js";
 export type CommunitySandboxRuleId = "community-l1-shell" | "community-l1-file-read" | "community-l1-file-write" | "community-l1-network" | "community-l1-mcp" | "community-l1-host-control" | "community-l2-host-side-effect" | "community-l2-data-egress" | "community-l2-provider-prompt-egress" | "community-l2-provider-media-egress";
-export declare function createCommunityL1SandboxRules(): PermissionRuleEntry[];
+export declare function createCommunitySandboxScopedRules(): PermissionRuleEntry[];

package/dist/types/skills/permissions/hook-runner.d.ts

@@ -66,7 +66,13 @@ export declare class PermissionChecker {
     private readonly getTurnId;
     private readonly communityTelemetryRecorder;
     private readonly communitySandboxTurnIds;
-    private readonly communitySandboxRuleEngine;
+    /**
+     * cut7c — community-skill (untrusted) scoped deny/ask rules, passed per-call as
+     * `ruleEngine.check(..., { extraRules })` for community turns. NOT a second engine:
+     * the single rule engine evaluates these alongside the base rules. FS/exec tools are
+     * absent here → they flow through the unified pipeline (workspace + prompt + OS sandbox).
+     */
+    private readonly communityScopedRules;
     private unregisterHook;
     /** Tool meta cache — populated from ToolDefinition[] at agent creation */
     private toolMetaCache;
@@ -89,7 +95,12 @@ export declare class PermissionChecker {
      */
     setToolMeta(tools: ToolDefinition[]): void;
     get ruleEngineRef(): PermissionRuleEngine;
-    private checkCommunitySandboxThenBase;
+    /**
+     * cut7c — whether the CURRENT turn is a community-skill (untrusted) turn. Consumed by
+     * the OS-sandbox builder to tighten community execs (netPolicy=deny: no outbound network
+     * from the sandboxed child) as defense-in-depth on POSIX.
+     */
+    isCommunitySandboxTurn(): boolean;
     /** Fire permission.denied hook + onDenied callback + audit log */
     private fireDenied;
     private handleResult;

package/dist/types/skills/permissions/operation-classifier.d.ts

@@ -14,6 +14,13 @@ export interface OperationClassification {
     isEgress: boolean;
     egressCarriesData: boolean;
     isDestructive: boolean;
+    /**
+     * Shell command performs network egress (curl/wget/nc/scp/...). Used to gate
+     * untrusted community-skill shell commands (which would otherwise bypass the
+     * web_fetch/web_search deny via raw shell). Best-effort detection; the OS sandbox
+     * (netPolicy=deny on community turns) is the robust second layer on POSIX.
+     */
+    commandNetworkEgress: boolean;
 }
 export interface ClassifyContext {
     workspaceRoot: string;

package/dist/types/skills/permissions/rule-engine.d.ts

@@ -26,9 +26,18 @@ export declare class PermissionRuleEngine {
      * `op` is optional and defaults to an all-false classification so callers
      * that have not yet been wired to the classifier keep compiling.
      */
-    check(input: ToolPermissionCheckInput, op?: OperationClassification): PermissionResult;
+    check(input: ToolPermissionCheckInput, op?: OperationClassification, ctx?: {
+        extraRules?: readonly PermissionRuleEntry[];
+    }): PermissionResult;
     /** Rebuild compiledPatterns: [persistent-deny] → [session] → [persistent non-deny]. */
     private recompile;
+    /**
+     * Match a caller-supplied rule set (deny-first) against this call, using the SAME
+     * matching semantics as the base rules (pathPrefix prefix-match, else toolName glob).
+     * Returns the first hit's result, or null if none match. Used for per-call scoped
+     * rules (community-skill turns) so trust-level restrictions stay in the one engine.
+     */
+    private matchRuleSet;
 }
 /**
  * Parse permission config from Gateway-injected or local settings.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "qlogicagent",
-  "version": "2.11.4",
+  "version": "2.11.5",
   "description": "XiaozhiClaw Agent CLI — subprocess architecture (JSON-RPC over stdio)",
   "type": "module",
   "main": "dist/index.js",