[codex] secure code sandbox secret isolation

[c121914yu]

What changed

• Replace the Python worker pool with an isolated one-shot Python runner that prewarms idle processes according to SANDBOX_POOL_SIZE.
• Add native Linux isolation support for Python execution through a Go-built shared library using chroot, setuid/setgid, no-new-privs, and seccomp.
• Route sandbox HTTP requests through the parent proxy with request count, timeout, body size, response size, and rate controls.
• Migrate existing Python pool/security/resource tests to the new runner and add native isolation, Docker package, and Python isolated runner tests.
• Include the existing branch change for redirect SSRF checking and related permission/security updates.

Why

The old persistent Python worker model could not fully address the code sandbox secret exposure advisory because user code lived inside a long-running interpreter process. The new model executes each task in a disposable Python subprocess while keeping prewarmed clean processes for latency.

Validation

• pnpm --filter @fastgpt/code-sandbox exec tsc --noEmit
• SANDBOX_MAX_MEMORY_MB=256 pnpm --filter @fastgpt/code-sandbox exec vitest run test/unit/python-isolated-runner.test.ts test/unit/process-pool.test.ts test/unit/resource-limits.test.ts --coverage.enabled=false
• pnpm --filter @fastgpt/code-sandbox build
• Docker smoke/memory test with SANDBOX_POOL_SIZE=10: Python warm idle count 10, Python RSS total about 187MB, container working set about 388MiB.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	15.7%	1328 / 8458
🔵	Statements	15.63%	1386 / 8866
🔵	Functions	13.74%	277 / 2015
🔵	Branches	12.87%	600 / 4660

File Coverage

No changed files found.

Generated in workflow #1010 for commit a734d30 by the Vitest Coverage Report Action

[github-actions]

✅ Docs Preview Deployed!

🔗 👀 Click here to visit preview

ghcr.io/labring/fastgpt-docs-pr:a734d30f34a7a8a8dc27667051f0606cc132bff2

🕒 Time: 2026-06-24 13:32:52 (UTC+8)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 95cd7a95b3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Drop privileges for JS sandbox workers

This image now creates the sandbox user but falls through to CMD without switching to it. BaseProcessPool.spawnWorker() does not set uid/gid, so /sandbox/js workers inherit the root server uid, whereas the previous Dockerfile ended with USER sandbox; in any deployment using this image, a JS sandbox escape or future allowlist mistake becomes container-root access. Please restore a non-root runtime for JS workers (or spawn them with the sandbox uid/gid) while keeping only the Python native isolation step privileged.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Clear Axios basic auth on cross-host redirects

When a caller uses Axios' auth option and the response redirects to a different host/protocol, this spread carries config.auth into the redirected request. The header filter removes an existing Authorization header, but the Node adapter re-applies Basic auth from auth, so a redirect controlled by the first server can receive those credentials. Drop auth whenever shouldDropSensitiveHeaders would be true.

Useful? React with 👍 / 👎.

[github-actions]

✅ Build Successful - Preview fastgpt Image for this PR:

ghcr.io/labring/fastgpt-pr:fastgpt_a734d30f34a7a8a8dc27667051f0606cc132bff2

🕒 Time: 2026-06-24 13:37:33 (UTC+8)

[github-actions]

✅ Build Successful - Preview code-sandbox Image for this PR:

ghcr.io/labring/fastgpt-pr:code-sandbox_a734d30f34a7a8a8dc27667051f0606cc132bff2

🕒 Time: 2026-06-24 13:39:18 (UTC+8)

[github-actions]

✅ Admin Preview Image Ready!

ghcr.io/labring/fastgpt-pr:admin_a734d30f34a7a8a8dc27667051f0606cc132bff2

🕒 Time: 2026-06-24 13:34:42 (UTC+8)

[c121914yu]

追加本次提交内容：

• Refined agent context compression to count full request context including tools while compressing only non-system history.
• Formatted assistant tool calls and matched tool responses into assistant-only XML content for checkpoint prompts.
• Simplified tool response compression to use max-context based 20%/50% thresholds and improved compression diagnostics.
• Added focused coverage for tool-call formatting, token reuse, and tool response compression paths.
• Updated the pro submodule pointer for the matching benchmark adapter API change.

Related pro PR: https://github.com/labring/fastgpt-pro/pull/994

Validation:

pnpm exec vitest run -c vitest.config.ts test/core/ai/llm/compress/index.test.ts

Result: 42 passed.