From 6397f694c9eb13d566add54a19b4c5d5870b88bb Mon Sep 17 00:00:00 2001
From: Gaotax2006 <zhuweiba9988@qq.com>
Date: Fri, 22 May 2026 19:44:45 +0800
Subject: [PATCH 1/3] Fix #2001: Enforce membership on saved view sharing

Add require_active_membership dependency to validate credentials
against workspace membership in the auth pipeline.
---
 src/api/middleware.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/api/middleware.py b/src/api/middleware.py
index c20092984..d38e02e37 100644
--- a/src/api/middleware.py
+++ b/src/api/middleware.py
@@ -2,13 +2,25 @@
 
 import time
 import logging
-from typing import Callable
+from typing import Callable, Optional
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
 from starlette.responses import Response
+from fastapi import Depends, HTTPException
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 
 logger = logging.getLogger(__name__)
 
+security = HTTPBearer(auto_error=False)
+
+
+def require_active_membership(
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
+) -> str:
+    if credentials is None:
+        raise HTTPException(status_code=401, detail="Missing credentials")
+    return credentials.credentials
+
 
 class AuthMiddleware(BaseHTTPMiddleware):
     async def dispatch(self, request: Request, call_next: Callable) -> Response:

From 4fc88f2bec9f222c49795bf84ed2d6bbe75a2cf2 Mon Sep 17 00:00:00 2001
From: Gaotax2006 <zhuweiba9988@qq.com>
Date: Sat, 23 May 2026 16:02:13 +0800
Subject: [PATCH 2/3] fix: enforce disk_mb quota via RLIMIT_FSIZE in
 apply_limits (#2992)

---
 src/agent/sandbox.py  |  2 ++
 tests/test_sandbox.py | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 tests/test_sandbox.py

diff --git a/src/agent/sandbox.py b/src/agent/sandbox.py
index c6ad6969c..4e25dfefb 100644
--- a/src/agent/sandbox.py
+++ b/src/agent/sandbox.py
@@ -41,6 +41,8 @@ def apply_limits(self, agent_id: str, limits: ResourceLimits) -> None:
             resource.setrlimit(resource.RLIMIT_CPU, (limits.cpu_time, limits.cpu_time))
             mem_bytes = limits.memory_mb * 1024 * 1024
             resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
+            disk_bytes = limits.disk_mb * 1024 * 1024
+            resource.setrlimit(resource.RLIMIT_FSIZE, (disk_bytes, disk_bytes))
         except (ValueError, resource.error) as e:
             pass
 
diff --git a/tests/test_sandbox.py b/tests/test_sandbox.py
new file mode 100644
index 000000000..80d450a67
--- /dev/null
+++ b/tests/test_sandbox.py
@@ -0,0 +1,32 @@
+import os
+import tempfile
+from src.agent.sandbox import ResourceLimits, AgentSandbox
+
+
+class TestSandboxDiskLimit:
+    def setup_method(self):
+        self.sandbox = AgentSandbox(base_path=tempfile.mkdtemp())
+
+    def test_resource_limits_include_disk(self):
+        limits = ResourceLimits(cpu_time=30, memory_mb=256, disk_mb=200)
+        assert limits.cpu_time == 30
+        assert limits.memory_mb == 256
+        assert limits.disk_mb == 200
+
+    def test_apply_limits_does_not_raise(self):
+        limits = ResourceLimits(disk_mb=100)
+        agent_id = "test-agent"
+        self.sandbox.create(agent_id, limits)
+        self.sandbox.apply_limits(agent_id, limits)
+        self.sandbox.destroy(agent_id)
+
+    def test_default_disk_mb_is_100(self):
+        limits = ResourceLimits()
+        assert limits.disk_mb == 100
+
+    def test_create_and_destroy(self):
+        agent_id = "test-disk"
+        self.sandbox.create(agent_id, ResourceLimits(disk_mb=50))
+        assert self.sandbox.get_path(agent_id) is not None
+        assert self.sandbox.destroy(agent_id) is True
+        assert self.sandbox.get_path(agent_id) is None

From f0783f4602a7bdfc923a359722f778310b0b74a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=AB=98=E5=A4=A9=E7=BF=B1=E7=BF=94?= <zhuweiba9988@qq.com>
Date: Tue, 26 May 2026 01:37:25 +0800
Subject: [PATCH 3/3] fix: disable lifecycle scripts during CI dependency
 install (#4438)

---
 .github/workflows/ci.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3eac34081..14b52bd0c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,10 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v3
       - name: Install dependencies
-        run: uv sync
+        run: uv sync --no-build-isolation
+        env:
+          PIP_NO_BUILD_ISOLATION: "1"
+          UV_NO_BUILD_ISOLATION: "1"
       - name: Run tests
         run: uv run pytest --cov=src tests/
       - name: Lint