merge: 同步上游 HKUDS/nanobot 3 commits

上游新提交:
- refactor(setup): enhance SKILL.md for upgrade process clarity
- fix: improve media failure diagnostics and token fallback coverage
- fix: allow_patterns take priority over deny_patterns in ExecTool (HKUDS#3594)

冲突解决:
- shell.py: 保留我们的 rm -rf 移除，采用上游新增的 deny patterns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: nanobot

nanobot/agent/loop.py

@@ -380,6 +380,8 @@ def _register_default_tools(self) -> None:
                     sandbox=self.exec_config.sandbox,
                     path_append=self.exec_config.path_append,
                     allowed_env_keys=self.exec_config.allowed_env_keys,
+                    allow_patterns=self.exec_config.allow_patterns,
+                    deny_patterns=self.exec_config.deny_patterns,
                 )
             )
         if self.web_config.enable:

nanobot/agent/runner.py

@@ -813,13 +813,13 @@ async def _run_tool(
 
     # Markers identifying tool results that represent a workspace / safety boundary rejection.
     _WORKSPACE_BLOCK_MARKERS: tuple[str, ...] = (
-        "blocked by safety guard",
         "outside the configured workspace",
         "outside allowed directory",
         "working_dir is outside",
         "working_dir could not be resolved",
         "path traversal detected",
         "path outside working dir",
+        "internal/private url detected",
     )
 
     @classmethod

nanobot/agent/subagent.py

@@ -191,6 +191,8 @@ async def _on_checkpoint(payload: dict) -> None:
                     sandbox=self.exec_config.sandbox,
                     path_append=self.exec_config.path_append,
                     allowed_env_keys=self.exec_config.allowed_env_keys,
+                    allow_patterns=self.exec_config.allow_patterns,
+                    deny_patterns=self.exec_config.deny_patterns,
                 ))
             if self.web_config.enable:
                 tools.register(

nanobot/agent/tools/shell.py

@@ -272,13 +272,19 @@ def _guard_command(self, command: str, cwd: str) -> str | None:
         cmd = command.strip()
         lower = cmd.lower()
 
-        for pattern in self.deny_patterns:
-            if re.search(pattern, lower):
-                return "Error: Command blocked by safety guard (dangerous pattern detected)"
+        # allow_patterns take priority over deny_patterns so that users can
+        # exempt specific commands (e.g. "rm -rf" inside a build directory)
+        # from the hardcoded deny list via configuration.
+        explicitly_allowed = bool(self.allow_patterns) and any(
+            re.search(p, lower) for p in self.allow_patterns
+        )
+        if not explicitly_allowed:
+            for pattern in self.deny_patterns:
+                if re.search(pattern, lower):
+                    return "Error: Command blocked by deny pattern filter"
 
-        if self.allow_patterns:
-            if not any(re.search(p, lower) for p in self.allow_patterns):
-                return "Error: Command blocked by safety guard (not in allowlist)"
+            if self.allow_patterns:
+                return "Error: Command blocked by allowlist filter (not in allowlist)"
 
         from nanobot.security.network import contains_internal_url
         if contains_internal_url(cmd):

nanobot/channels/slack.py

@@ -435,9 +435,9 @@ async def _download_slack_file(self, file_info: dict[str, Any]) -> tuple[str | N
         marker = f"[{marker_type}: {name}]"
         url = str(file_info.get("url_private_download") or file_info.get("url_private") or "")
         if not url:
-            return None, f"[{marker_type}: {name}: missing download url]"
+            return None, self._download_failure_marker(marker_type, name, "missing download url")
         if not self.config.bot_token:
-            return None, f"[{marker_type}: {name}: missing bot token]"
+            return None, self._download_failure_marker(marker_type, name, "missing bot token")
 
         filename = safe_filename(f"{file_id}_{name}")
         path = Path(get_media_dir("slack")) / filename
@@ -454,7 +454,14 @@ async def _download_slack_file(self, file_info: dict[str, Any]) -> tuple[str | N
             return str(path), marker
         except Exception as e:
             logger.warning("Failed to download Slack file {}: {}", file_id, e)
-            return None, f"[{marker_type}: {name}: download failed]"
+            return None, self._download_failure_marker(marker_type, name, "download failed")
+
+    @staticmethod
+    def _download_failure_marker(marker_type: str, name: str, reason: str) -> str:
+        return (
+            f"[{marker_type}: {name}: {reason}; not available to nanobot. "
+            "Check Slack files:read scope, reinstall the Slack app, and ensure the bot can access the file.]"
+        )
 
     @staticmethod
     def _looks_like_html_download(response: httpx.Response) -> bool:

nanobot/config/schema.py

@@ -232,6 +232,8 @@ class ExecToolConfig(Base):
     path_append: str = ""
     sandbox: str = ""  # sandbox backend: "" (none) or "bwrap"
     allowed_env_keys: list[str] = Field(default_factory=list)  # Env var names to pass through to subprocess (e.g. ["GOPATH", "JAVA_HOME"])
+    allow_patterns: list[str] = Field(default_factory=list)  # Regex patterns that bypass deny_patterns (e.g. [r"rm\s+-rf\s+/tmp/"])
+    deny_patterns: list[str] = Field(default_factory=list)  # Extra regex patterns to block (appended to built-in list)
 
 class MCPServerConfig(Base):
     """MCP server connection configuration (stdio or HTTP)."""

nanobot/skills/update-setup/SKILL.md

@@ -13,21 +13,45 @@ Use `read_file` to check if `skills/update/SKILL.md` already exists in the works
 
 If it exists, use `ask_user` to ask: "An upgrade skill already exists. Reconfigure?" with options ["yes", "no"]. If no, stop here.
 
-## Step 2: Current Version
+## Step 2: Current Version and Install Clues
 
 Use `exec` to run `nanobot --version`. Tell the user the current version.
 
-## Step 3: Ask Questions
+Then collect install clues with `exec`. These commands are best-effort; if one fails,
+keep going and show the useful output:
 
-Use `ask_user` for the questions below, one question per call.
+```
+command -v nanobot || true
+python -m pip show nanobot-ai || true
+pipx list | sed -n '/nanobot-ai/,+3p' || true
+uv tool list | sed -n '/nanobot-ai/,+3p' || true
+```
+
+Summarize what you found in one short paragraph. Use the clues only to suggest a
+likely install method. Do not treat them as confirmation.
+
+## Step 3: Confirm Required Inputs
+
+CRITICAL: Do not write `skills/update/SKILL.md` until the install method is
+explicitly confirmed by the user. The install method must come from a user
+answer or confirmation, not from inference alone. If you cannot get a clear
+answer, stop and ask the user to rerun this setup when they know how nanobot was
+installed.
+
+Use `ask_user` for the questions below, one question per call. If `ask_user` is
+not available or cannot collect the answer, ask in normal chat and stop without
+writing the skill.
 
 **Question 1 — Install method:**
 
 ```
-question: "How did you install nanobot?"
-options: ["uv", "pipx", "pip", "source (git clone)"]
+question: "I found these install clues: <SUMMARY>. Which update method should this workspace use?"
+options: ["uv", "pipx", "pip", "source (git clone)", "not sure"]
 ```
 
+If the user selected `not sure`, explain the difference between the options and
+stop. Do not generate the upgrade skill.
+
 If the user selected `source (git clone)`, ask for the local checkout path:
 `question: "Where is your nanobot source checkout? Enter an absolute path or a path relative to this workspace:"`.
 
@@ -63,6 +87,18 @@ Determine the upgrade command from the install method:
 
 For source installs, include extras in the editable install command when selected. Quote the source checkout path if it contains spaces.
 
+Determine the preflight check from the install method:
+
+| Method | Preflight check |
+|--------|-----------------|
+| uv | `command -v uv` |
+| pipx | `command -v pipx` |
+| pip | `python -m pip --version` |
+| source | `test -d <SOURCE_CHECKOUT> && test -d <SOURCE_CHECKOUT>/.git && test -f <SOURCE_CHECKOUT>/pyproject.toml` |
+
+For source installs, quote the source checkout path in the preflight check if it
+contains spaces.
+
 Build the skill content. If proxy is configured, add `export http_proxy=URL` and `export https_proxy=URL` lines before the upgrade command.
 
 Use `write_file` to write `skills/update/SKILL.md` with this content:
@@ -76,9 +112,10 @@ description: "Upgrade nanobot to the latest version. Triggers: upgrade nanobot,
 # Update Nanobot
 
 1. (If proxy configured) Set proxy: `export http_proxy=URL && export https_proxy=URL`
-2. Use `exec` to run the upgrade command: <UPGRADE_COMMAND>
-3. Use `exec` to verify: `nanobot --version`
-4. Tell the user the new version. Say: "Run `/restart` to restart nanobot and apply the update. If `/restart` is unavailable in this channel, restart the nanobot process manually."
+2. Use `exec` to run the preflight check: <PREFLIGHT_CHECK>. If it fails, stop and tell the user to rerun `update-setup` because the saved install method no longer matches this environment.
+3. Use `exec` to run the upgrade command: <UPGRADE_COMMAND>
+4. Use `exec` to verify: `nanobot --version`
+5. Tell the user the new version. Say: "Run `/restart` to restart nanobot and apply the update. If `/restart` is unavailable in this channel, restart the nanobot process manually."
 ```
 
 ## Step 5: Confirm

tests/agent/test_runner.py

@@ -352,6 +352,27 @@ async def test_runner_stops_on_workspace_violation_without_fail_on_tool_error():
     ]
 
 
+def test_is_workspace_violation_recognizes_ssrf_block():
+    """Internal/private URL block must be classified as a fatal workspace violation.
+
+    Regression guard: the deny/allowlist filter messages were intentionally split
+    out of `_WORKSPACE_BLOCK_MARKERS` so the LLM can retry, but SSRF rejections
+    are a hard security boundary and must remain fatal.
+    """
+    from nanobot.agent.runner import AgentRunner
+
+    ssrf_msg = "Error: Command blocked by safety guard (internal/private URL detected)"
+    assert AgentRunner._is_workspace_violation(ssrf_msg) is True
+
+    # Sanity: deny/allowlist filter messages are deliberately *not* fatal.
+    assert AgentRunner._is_workspace_violation(
+        "Error: Command blocked by deny pattern filter"
+    ) is False
+    assert AgentRunner._is_workspace_violation(
+        "Error: Command blocked by allowlist filter (not in allowlist)"
+    ) is False
+
+
 @pytest.mark.asyncio
 async def test_runner_persists_large_tool_results_for_follow_up_calls(tmp_path):
     from nanobot.agent.runner import AgentRunSpec, AgentRunner

tests/channels/test_slack_channel.py

@@ -643,6 +643,14 @@ def test_slack_download_rejects_login_html() -> None:
     assert SlackChannel._looks_like_html_download(markdown_response) is False
 
 
+def test_slack_download_failure_marker_is_actionable() -> None:
+    marker = SlackChannel._download_failure_marker("image", "screenshot.png", "download failed")
+
+    assert "not available to nanobot" in marker
+    assert "files:read" in marker
+    assert "reinstall the Slack app" in marker
+
+
 def test_slack_channel_uses_channel_aware_allow_policy() -> None:
     channel = SlackChannel(SlackConfig(enabled=True, allow_from=[]), MessageBus())
     assert channel.is_allowed("U1") is True

tests/tools/test_exec_allow_patterns.py

@@ -0,0 +1,58 @@
+"""Tests for allow_patterns priority over deny_patterns."""
+
+from __future__ import annotations
+
+from nanobot.agent.tools.shell import ExecTool
+
+
+def test_deny_patterns_block_rm_rf():
+    """Baseline: rm -rf is blocked by default deny list."""
+    tool = ExecTool()
+    result = tool._guard_command("rm -rf /tmp/build", "/tmp")
+    assert result is not None
+    assert "deny pattern filter" in result.lower()
+
+
+def test_allow_patterns_bypass_deny():
+    """allow_patterns take priority: matching command skips deny check."""
+    tool = ExecTool(allow_patterns=[r"rm\s+-rf\s+/tmp/"])
+    result = tool._guard_command("rm -rf /tmp/build", "/tmp")
+    assert result is None
+
+
+def test_allow_patterns_must_match_to_bypass():
+    """Non-matching allow_patterns do NOT bypass deny."""
+    tool = ExecTool(allow_patterns=[r"rm\s+-rf\s+/opt/"])
+    result = tool._guard_command("rm -rf /tmp/build", "/tmp")
+    assert result is not None
+    assert "deny pattern filter" in result.lower()
+
+
+def test_extra_deny_patterns_from_config():
+    """User-supplied deny patterns are appended to built-in list."""
+    tool = ExecTool(deny_patterns=[r"\bping\b"])
+    # ping is blocked by extra deny
+    assert tool._guard_command("ping example.com", "/tmp") is not None
+    # rm -rf still blocked by built-in deny
+    assert tool._guard_command("rm -rf /tmp/x", "/tmp") is not None
+
+
+def test_allow_patterns_bypass_extra_deny():
+    """allow_patterns also bypasses user-supplied deny patterns."""
+    tool = ExecTool(
+        deny_patterns=[r"\bping\b"],
+        allow_patterns=[r"\bping\s+example\.com\b"],
+    )
+    result = tool._guard_command("ping example.com", "/tmp")
+    assert result is None
+
+
+def test_allow_patterns_is_whitelist_only():
+    """When allow_patterns is set, non-matching non-denied commands are blocked."""
+    tool = ExecTool(allow_patterns=[r"\becho\b"])
+    # echo matches allow → ok
+    assert tool._guard_command("echo hello", "/tmp") is None
+    # ls does not match allow and is not in deny → blocked by allowlist
+    result = tool._guard_command("ls /tmp", "/tmp")
+    assert result is not None
+    assert "allowlist" in result.lower()