Feat/tool safety#188
Open
impself wants to merge 8 commits into
Open
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #188 +/- ##
==========================================
Coverage ? 87.11262%
==========================================
Files ? 483
Lines ? 46821
Branches ? 0
==========================================
Hits ? 40787
Misses ? 6034
Partials ? 0 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
CLA Assistant Lite bot: I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
关联 Issue
Closes #90
问题背景
tRPC-Agent 的 Tool、MCP Tool、Skill 和 CodeExecutor 可以执行脚本、调用系统命令、读写文件及访问网络。这些能力是 Agent 自动化任务的重要基础,但也可能被恶意或不可信输入利用,例如:
.env、SSH 私钥或其他凭据文件subprocess、os.system、shell 管道或命令注入绕过限制pip、npm、apt等修改运行环境沙箱负责运行时隔离,但无法独立覆盖执行前策略判断、人工复核、审计记录和可观测性需求。本 PR 新增 Tool Script Safety Guard,在脚本或命令进入真实执行器前进行静态风险扫描和策略决策。
方案摘要
安全扫描
在
trpc_agent_sdk/tools/safety/新增安全检查模块,支持:allow、deny、needs_human_review三态决策覆盖以下风险类型:
pip install、npm install、apt install等依赖安装策略配置
提供
tool_safety_policy.yaml示例,支持配置:修改策略文件即可调整安全边界,无需修改扫描代码。
执行前接入
提供以下接入方式:
ToolScriptSafetyFilterSafetyWrappedCallableSafetyCheckedExecutorwrapper 会在委托真实执行器前完成扫描和审计:
deny始终阻止执行needs_human_review根据策略暂停执行或等待人工批准结构化报告与审计
每次扫描输出完整的
SafetyReport,包含:decisionrisk_levelrule_idsfindings[].categoryfindings[].rule_idfindings[].evidencefindings[].recommendationrecommendationscan_duration_msredacted审计日志采用 JSONL 格式,每次扫描写入一条事件,包含:
tool_nametool_kinddecisionrisk_levelrule_idsduration_msredactedexecution_blockedpolicy_hashscript_sha256timestamp审计事件不会保存原始脚本、环境变量值、未脱敏参数或原始敏感信息。
示例与文档
在
trpc_agent_sdk/tools/safety/examples/提供:manifest_run.json中每个样本均保存完整结构化报告,而非仅保存决策摘要。同时新增:
docs/mkdocs/en/tool_safety_guard.mddocs/mkdocs/zh/tool_safety_guard.zh_CN.mdscripts/tool_safety_check.py测试结果
运行完整测试:
公开样本验收结果:
allow:4deny:8needs_human_review:2批量样本验证:
manifest 中包含
deny和needs_human_review,因此 CLI 返回非零退出码属于预期安全决策;验收结果以matches_expected为准。风险和限制
needs_human_review。tool_kind无法根据脚本内容可靠推断。CLI 样本未声明来源时使用unknown;真实接入应明确设置为tool、mcp、skill或code_executor。trpc_agent_sdk.tools.safety.*前缀,后续可以统一为与 Python 包路径无关的稳定属性名。Release Notes
新增 Tool Script Safety Guard:
allow、deny和needs_human_review三态安全决策该功能提供执行前风险识别、拦截和审计能力。生产环境仍需配合沙箱隔离、最小权限、网络出口控制及运行时资源限制。