mirror of
https://github.com/shareAI-lab/analysis_claude_code.git
synced 2026-06-21 04:33:36 +08:00
1baf1aca5a
* feat: s01-s14 docs quality overhaul — tool pipeline, single-agent, knowledge & resilience Rewrite code.py and README (zh/en/ja) for s01-s14, each chapter building incrementally on the previous. Key fixes across chapters: - s01-s04: agent loop, tool dispatch, permission pipeline, hooks - s05-s08: todo write, subagent, skill loading, context compact - s09-s11: memory system, system prompt assembly, error recovery - s12-s14: task graph, background tasks, cron scheduler All chapters CC source-verified. Code inherits fixes forward (PROMPT_SECTIONS, json.dumps cache, real-state context, can_start dep protection, etc.). * feat: s15-s19 docs quality overhaul — multi-agent platform: teams, protocols, autonomy, worktree, MCP tools Rewrite code.py and README (zh/en/ja) for s15-s19, the multi-agent platform chapters. Each chapter inherits all previous fixes and adds one mechanism: - s15: agent teams (TeamCreate, teammate threads, shared task list) - s16: team protocols (plan approval, shutdown handshake, consume_inbox) - s17: autonomous agents (idle polling, auto-claim, consume_lead_inbox) - s18: worktree isolation (git worktree, bind_task, cwd switching, safety) - s19: MCP tools (MCPClient, normalize_mcp_name, assemble_tool_pool, no cache) All appendix source code references verified against CC source. Config priority corrected: claude.ai < plugin < user < project < local. * fix: 5 regressions across s05-s19 — glob safety, todo validation, memory extraction, protocol types, dep crash - s05-s09: glob results now filter with is_relative_to(WORKDIR) (inherited from s02) - s06-s08: todo_write validates content/status required fields (inherited from s05) - s09: extract_memories uses pre-compression snapshot instead of compacted messages - s16: submit_plan docstring clarifies protocol-only (not code-level gate) - s17-s19: match_response restores type mismatch validation (from s16) - s17-s19: claim_task deps list handles missing dep files without crashing * fix: s12 Todo V2 logic reversal, s14/s15 cron range validation, s18/s19 worktree name validation - s12 README (zh/en/ja): fix Todo V2 direction — interactive defaults to Task, non-interactive/SDK defaults to TodoWrite. Fix env var name to CLAUDE_CODE_ENABLE_TASKS (not TODO_V2). - s14/s15: add _validate_cron_field with per-field range checks (minute 0-59, hour 0-23, dom 1-31, month 1-12, dow 0-6), step > 0, range lo <= hi. Replace old try/except validation that only caught exceptions. - s18/s19: add validate_worktree_name() to remove_worktree and keep_worktree, not just create_worktree. * fix: align s16-s19 teaching tool consistency * fix pr265 chapter diagrams * Add comprehensive s20 harness chapter * Fix chapter smoke test regressions * Clarify README tutorial track transition --------- Co-authored-by: Haoran <bill-billion@outlook.com>
252 lines
9.8 KiB
Python
252 lines
9.8 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
s03_permission.py - Permission System
|
|
|
|
Three gates inserted before tool execution:
|
|
|
|
Gate 1: Hard deny list (rm -rf /, sudo, ...)
|
|
Gate 2: Rule matching (write outside workspace? destructive cmd?)
|
|
Gate 3: User approval (pause and wait for confirmation)
|
|
|
|
+-------+ +--------+ +--------+ +--------+ +------+
|
|
| Tool | -> | Gate 1 | -> | Gate 2 | -> | Gate 3 | -> | Exec |
|
|
| call | | deny? | | match? | | allow? | | |
|
|
+-------+ +--------+ +--------+ +--------+ +------+
|
|
| | | |
|
|
v v v v
|
|
(normal) (blocked) (ask user) (user says no?)
|
|
|
|
Only one line added to the agent loop:
|
|
|
|
if not check_permission(block):
|
|
continue
|
|
|
|
Builds on s02 (multi-tool). Usage:
|
|
|
|
python s03_permission/code.py
|
|
Needs: pip install anthropic python-dotenv + ANTHROPIC_API_KEY in .env
|
|
"""
|
|
|
|
import os, subprocess
|
|
from pathlib import Path
|
|
|
|
try:
|
|
import readline
|
|
readline.parse_and_bind('set bind-tty-special-chars off')
|
|
readline.parse_and_bind('set input-meta on')
|
|
readline.parse_and_bind('set output-meta on')
|
|
readline.parse_and_bind('set convert-meta off')
|
|
except ImportError:
|
|
pass
|
|
|
|
from anthropic import Anthropic
|
|
from dotenv import load_dotenv
|
|
|
|
load_dotenv(override=True)
|
|
if os.getenv("ANTHROPIC_BASE_URL"):
|
|
os.environ.pop("ANTHROPIC_AUTH_TOKEN", None)
|
|
|
|
WORKDIR = Path.cwd()
|
|
client = Anthropic(base_url=os.getenv("ANTHROPIC_BASE_URL"))
|
|
MODEL = os.environ["MODEL_ID"]
|
|
|
|
SYSTEM = f"You are a coding agent at {WORKDIR}. All destructive operations require user approval."
|
|
|
|
|
|
# ═══════════════════════════════════════════════════════════
|
|
# FROM s02 (unchanged): Tool Implementations
|
|
# ═══════════════════════════════════════════════════════════
|
|
|
|
def safe_path(p: str) -> Path:
|
|
path = (WORKDIR / p).resolve()
|
|
if not path.is_relative_to(WORKDIR):
|
|
raise ValueError(f"Path escapes workspace: {p}")
|
|
return path
|
|
|
|
|
|
def run_bash(command: str) -> str:
|
|
try:
|
|
r = subprocess.run(command, shell=True, cwd=WORKDIR,
|
|
capture_output=True, text=True, timeout=120)
|
|
out = (r.stdout + r.stderr).strip()
|
|
return out[:50000] if out else "(no output)"
|
|
except subprocess.TimeoutExpired:
|
|
return "Error: Timeout (120s)"
|
|
|
|
|
|
def run_read(path: str, limit: int | None = None) -> str:
|
|
try:
|
|
lines = safe_path(path).read_text().splitlines()
|
|
if limit and limit < len(lines):
|
|
lines = lines[:limit] + [f"... ({len(lines) - limit} more lines)"]
|
|
return "\n".join(lines)
|
|
except Exception as e:
|
|
return f"Error: {e}"
|
|
|
|
|
|
def run_write(path: str, content: str) -> str:
|
|
try:
|
|
file_path = safe_path(path)
|
|
file_path.parent.mkdir(parents=True, exist_ok=True)
|
|
file_path.write_text(content)
|
|
return f"Wrote {len(content)} bytes to {path}"
|
|
except Exception as e:
|
|
return f"Error: {e}"
|
|
|
|
|
|
def run_edit(path: str, old_text: str, new_text: str) -> str:
|
|
try:
|
|
file_path = safe_path(path)
|
|
text = file_path.read_text()
|
|
if old_text not in text:
|
|
return f"Error: text not found in {path}"
|
|
file_path.write_text(text.replace(old_text, new_text, 1))
|
|
return f"Edited {path}"
|
|
except Exception as e:
|
|
return f"Error: {e}"
|
|
|
|
|
|
def run_glob(pattern: str) -> str:
|
|
import glob as g
|
|
try:
|
|
results = []
|
|
for match in g.glob(pattern, root_dir=WORKDIR):
|
|
if (WORKDIR / match).resolve().is_relative_to(WORKDIR):
|
|
results.append(match)
|
|
return "\n".join(results) if results else "(no matches)"
|
|
except Exception as e:
|
|
return f"Error: {e}"
|
|
|
|
|
|
# ═══════════════════════════════════════════════════════════
|
|
# FROM s02 (unchanged): Tool Definitions & Dispatch
|
|
# ═══════════════════════════════════════════════════════════
|
|
|
|
TOOLS = [
|
|
{"name": "bash", "description": "Run a shell command.",
|
|
"input_schema": {"type": "object", "properties": {"command": {"type": "string"}}, "required": ["command"]}},
|
|
{"name": "read_file", "description": "Read file contents.",
|
|
"input_schema": {"type": "object", "properties": {"path": {"type": "string"}, "limit": {"type": "integer"}}, "required": ["path"]}},
|
|
{"name": "write_file", "description": "Write content to a file.",
|
|
"input_schema": {"type": "object", "properties": {"path": {"type": "string"}, "content": {"type": "string"}}, "required": ["path", "content"]}},
|
|
{"name": "edit_file", "description": "Replace exact text in a file once.",
|
|
"input_schema": {"type": "object", "properties": {"path": {"type": "string"}, "old_text": {"type": "string"}, "new_text": {"type": "string"}}, "required": ["path", "old_text", "new_text"]}},
|
|
{"name": "glob", "description": "Find files matching a glob pattern.",
|
|
"input_schema": {"type": "object", "properties": {"pattern": {"type": "string"}}, "required": ["pattern"]}},
|
|
]
|
|
|
|
TOOL_HANDLERS = {
|
|
"bash": run_bash, "read_file": run_read, "write_file": run_write,
|
|
"edit_file": run_edit, "glob": run_glob,
|
|
}
|
|
|
|
|
|
# ═══════════════════════════════════════════════════════════
|
|
# NEW in s03: Three-Gate Permission Pipeline
|
|
# ═══════════════════════════════════════════════════════════
|
|
|
|
# Gate 1: Hard deny list — always forbidden
|
|
DENY_LIST = ["rm -rf /", "sudo", "shutdown", "reboot", "mkfs", "dd if=", "> /dev/sda"]
|
|
|
|
def check_deny_list(command: str) -> str | None:
|
|
for pattern in DENY_LIST:
|
|
if pattern in command:
|
|
return f"Blocked: '{pattern}' is on the deny list"
|
|
return None
|
|
|
|
|
|
# Gate 2: Rule matching — context-dependent checks
|
|
PERMISSION_RULES = [
|
|
{"tools": ["write_file", "edit_file"],
|
|
"check": lambda args: not (WORKDIR / args.get("path", "")).resolve().is_relative_to(WORKDIR),
|
|
"message": "Writing outside workspace"},
|
|
{"tools": ["bash"],
|
|
"check": lambda args: any(kw in args.get("command", "") for kw in ["rm ", "> /etc/", "chmod 777"]),
|
|
"message": "Potentially destructive command"},
|
|
]
|
|
|
|
def check_rules(tool_name: str, args: dict) -> str | None:
|
|
for rule in PERMISSION_RULES:
|
|
if tool_name in rule["tools"] and rule["check"](args):
|
|
return rule["message"]
|
|
return None
|
|
|
|
|
|
# Gate 3: User approval — wait for confirmation after rule match
|
|
def ask_user(tool_name: str, args: dict, reason: str) -> str:
|
|
print(f"\n\033[33m⚠ {reason}\033[0m")
|
|
print(f" Tool: {tool_name}({args})")
|
|
choice = input(" Allow? [y/N] ").strip().lower()
|
|
return "allow" if choice in ("y", "yes") else "deny"
|
|
|
|
|
|
# Pipeline: all three gates chained
|
|
def check_permission(block) -> bool:
|
|
if block.name == "bash":
|
|
reason = check_deny_list(block.input.get("command", ""))
|
|
if reason:
|
|
print(f"\n\033[31m⛔ {reason}\033[0m")
|
|
return False
|
|
reason = check_rules(block.name, block.input)
|
|
if reason:
|
|
decision = ask_user(block.name, block.input, reason)
|
|
if decision == "deny":
|
|
return False
|
|
return True
|
|
|
|
|
|
# ═══════════════════════════════════════════════════════════
|
|
# agent_loop — same as s02, with check_permission() inserted
|
|
# ═══════════════════════════════════════════════════════════
|
|
|
|
def agent_loop(messages: list):
|
|
while True:
|
|
response = client.messages.create(
|
|
model=MODEL, system=SYSTEM, messages=messages,
|
|
tools=TOOLS, max_tokens=8000,
|
|
)
|
|
messages.append({"role": "assistant", "content": response.content})
|
|
|
|
if response.stop_reason != "tool_use":
|
|
return
|
|
|
|
results = []
|
|
for block in response.content:
|
|
if block.type != "tool_use":
|
|
continue
|
|
|
|
print(f"\033[36m> {block.name}\033[0m")
|
|
|
|
# s03 change: run through permission pipeline before executing
|
|
if not check_permission(block):
|
|
results.append({"type": "tool_result", "tool_use_id": block.id,
|
|
"content": "Permission denied."})
|
|
continue
|
|
|
|
handler = TOOL_HANDLERS.get(block.name)
|
|
output = handler(**block.input) if handler else f"Unknown: {block.name}"
|
|
print(str(output)[:200])
|
|
results.append({"type": "tool_result", "tool_use_id": block.id, "content": output})
|
|
|
|
messages.append({"role": "user", "content": results})
|
|
|
|
|
|
if __name__ == "__main__":
|
|
print("s03: Permission")
|
|
print("输入问题,回车发送。输入 q 退出。\n")
|
|
|
|
history = []
|
|
while True:
|
|
try:
|
|
query = input("\033[36ms03 >> \033[0m")
|
|
except (EOFError, KeyboardInterrupt):
|
|
break
|
|
if query.strip().lower() in ("q", "exit", ""):
|
|
break
|
|
history.append({"role": "user", "content": query})
|
|
agent_loop(history)
|
|
for block in history[-1]["content"]:
|
|
if getattr(block, "type", None) == "text":
|
|
print(block.text)
|
|
print()
|