feat: 添加 LocalMemoryRecallTool 和 VaultHttpFetchTool

- LocalMemoryRecallTool: 跨会话本地笔记召回，权限门控，大小限制 - VaultHttpFetchTool: 使用 vault 密钥的认证 HTTP 请求，ACL 规则 - agentToolFilter: 子 agent 工具继承过滤层 - ALL_AGENT_DISALLOWED_TOOLS 白名单更新 Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>
2026-06-23 00:35:51 +00:00 · 2026-05-09 23:04:12 +08:00
parent a2ea69c05e
commit 5bb0306da6
18 changed files with 3815 additions and 0 deletions
--- a/packages/builtin-tools/src/tools/LocalMemoryRecallTool/stripUntrusted.ts
+++ b/packages/builtin-tools/src/tools/LocalMemoryRecallTool/stripUntrusted.ts
@@ -0,0 +1,34 @@
+/**
+ * Strip Unicode bidi overrides, zero-width chars, BOM, line/paragraph
+ * separators, NEL, and ASCII control chars (except newline, CR, tab) from
+ * user-stored memory content before placing it in tool_result.
+ *
+ * Memory content is data the user typed; it may contain prompt-injection
+ * vectors (RTL overrides that flip apparent text, ANSI escapes, zero-width
+ * characters that hide injected payloads).
+ *
+ * NOTE on regex construction: built via new RegExp(string) rather than
+ * regex literals. Two reasons:
+ *   (a) U+2028 and U+2029 are JS regex-literal terminators, so they
+ *       cannot appear directly in a regex literal,
+ *   (b) the escape sequences in a regex literal are TS-source-level,
+ *       which can be corrupted by editor save round-trips on Windows.
+ * Building from a string with explicit unicode escape sequences sidesteps
+ * both problems.
+ */
+
+const STRIP_PATTERN = new RegExp(
+  // Bidi overrides U+202A..U+202E and U+2066..U+2069
+  '[\u202A-\u202E\u2066-\u2069]|' +
+    // Zero-width U+200B..U+200F and BOM U+FEFF
+    '[\u200B-\u200F\uFEFF]|' +
+    // ASCII control chars except newline/CR/tab; DEL included
+    '[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]',
+  'g',
+)
+
+const LINE_SEP_PATTERN = /[\u2028\u2029\u0085]/g
+
+export function stripUntrustedControl(s: string): string {
+  return s.replace(STRIP_PATTERN, '').replace(LINE_SEP_PATTERN, ' ')
+}