🐛 fix: bypass audits for headless tool calls #15406

Merged: arvinxx merged 24 commits into lobehub:canary from cy948:fix/cli-headless-audit-bypass on Jun 4, 2026

@cy948 (Contributor) commented Jun 2, 2026

💻 Change Type

  • ✨ feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 👷 build
  • ⚡️ perf
  • ✅ test
  • 📝 docs
  • 🔨 chore

🔀 Description of Change

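  • In headless mode, skip the runtime audit / approval checks, so that tool calls are no longer swallowed when the security audit intercepts them during non-interactive CLI execution.
  • Adjust the local system tool's 403 message: 403 is no longer described as a transient error. Instead, the message says the call may be forbidden by the remote device, the gateway, or an edge security policy, and guides the Agent to switch to an equivalent approach or another tool (for example runCommand).
  • Update the headless-related tests to cover global audit, security blacklist, and mixed tool-call scenarios.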

🧪 How to Test

  • Tested locally
  • Added/updated tests
  • No tests needed

vercel Bot commented Jun 2, 2026

@cy948 is attempting to deploy a commit to the LobeHub OSS Team on Vercel.

A member of the Team first needs to authorize it.

@sourcery-ai Bot (Contributor) left a comment

Sorry @cy948, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 2, 2026
@lobehubbot (Member)

@arvinxx - This PR fixes headless mode tool calling by bypassing runtime audit/approval checks in CLI non-interactive execution, and adjusts 403 error messaging in the local system built-in tool. Please take a look.

@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9d694d8ce7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread packages/agent-runtime/src/agents/GeneralChatAgent.ts Outdated

codecov Bot commented Jun 2, 2026

Codecov Report

❌ Patch coverage is 92.81768% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.85%. Comparing base (92ec067) to head (14a33be).

Additional details and impacted files
@@            Coverage Diff             @@
##           canary   #15406      +/-   ##
==========================================
+ Coverage   70.84%   70.85%   +0.01%     
==========================================
  Files        3255     3255              
  Lines      321102   321265     +163     
  Branches    34998    35011      +13     
==========================================
+ Hits       227492   227648     +156     
- Misses      93428    93435       +7     
  Partials      182      182              
Flag Coverage Δ
app 61.53% <85.39%> (+0.01%) ⬆️
database 92.54% <ø> (ø)
packages/agent-manager-runtime 49.69% <ø> (ø)
packages/agent-runtime 81.08% <100.00%> (+0.60%) ⬆️
packages/builtin-tool-lobe-agent 18.52% <ø> (ø)
packages/context-engine 84.19% <ø> (ø)
packages/conversation-flow 91.29% <ø> (ø)
packages/device-gateway-client 90.51% <ø> (ø)
packages/eval-dataset-parser 95.15% <ø> (ø)
packages/eval-rubric 76.11% <ø> (ø)
packages/fetch-sse 85.57% <ø> (ø)
packages/file-loaders 87.89% <ø> (ø)
packages/memory-user-memory 74.99% <ø> (ø)
packages/model-bank 99.99% <ø> (ø)
packages/model-runtime 84.51% <ø> (ø)
packages/prompts 72.51% <ø> (ø)
packages/python-interpreter 92.90% <ø> (ø)
packages/ssrf-safe-fetch 0.00% <ø> (ø)
packages/types 35.38% <100.00%> (+0.03%) ⬆️
packages/utils 84.98% <ø> (ø)
packages/web-crawler 88.08% <ø> (ø)

Components Coverage Δ
Store 68.53% <ø> (ø)
Services 54.75% <ø> (ø)
Server 71.83% <85.39%> (+0.01%) ⬆️
Libs 57.15% <ø> (+0.14%) ⬆️
Utils 81.48% <ø> (ø)

@cy948 cy948 marked this pull request as draft June 2, 2026 04:16
@cy948 cy948 force-pushed the fix/cli-headless-audit-bypass branch 15 times, most recently from 99318eb to a2f647f Compare June 2, 2026 11:45
@cy948 cy948 marked this pull request as ready for review June 3, 2026 14:53
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. feature:tool Tool calling and function execution and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Jun 3, 2026

@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d61e48b8cc

type: 'regex',
},
},
policy: 'required',

P1: Keep credential-read blacklist rules non-overridable

Fresh evidence: the prior always-policy bypass is no longer present, but this commit downgrades credential/privacy reads such as .env from the default always policy to required; GeneralChatAgent now auto-runs global blocks with non-always policy in headless mode (approvalMode === 'headless' && globalPolicy !== 'always'), so an async/headless tool call like cat .env or reading SSH/AWS credentials is executed instead of being rejected. These secret-read blacklist entries need to remain non-overridable or headless must also reject them.

Useful? React with 👍 / 👎.
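
The regression the review comment describes, modelled as an added TypeScript example (not code from the PR or from LobeHub): a headless decision that auto-runs any matched rule whose policy is not 'always', one possible guard that keeps secret-read rules rejected, and a check that lists secret-read commands that would still run. The Rule shape, the secretRead tag, the function names, the patterns and the sample commands are assumptions constructed for illustration.

```typescript
// Added example, not LobeHub code: a simplified model of the headless decision
// described in the review comment. All type and function names are hypothetical.
type Policy = 'always' | 'required';
type Decision = 'run' | 'reject';
interface Rule {
  id: string;
  pattern: RegExp;
  policy: Policy;
  secretRead?: boolean; // assumption: tag for credential/privacy read rules
}

// Headless path as the comment describes it: a matched rule is auto-run
// unless its policy is 'always'.
function headlessAsDescribed(cmd: string, rules: Rule[]): Decision {
  const hits = rules.filter((r) => r.pattern.test(cmd));
  return hits.some((r) => r.policy === 'always') ? 'reject' : 'run';
}

// One possible guard: secret-read rules reject in headless whatever their policy.
function headlessGuarded(cmd: string, rules: Rule[]): Decision {
  const hits = rules.filter((r) => r.pattern.test(cmd));
  return hits.some((r) => r.policy === 'always' || r.secretRead === true) ? 'reject' : 'run';
}

// Regression check: sample commands that hit a secret-read rule yet still run.
function secretReadsThatRun(
  decide: (cmd: string, rules: Rule[]) => Decision,
  rules: Rule[],
  samples: string[],
): string[] {
  return samples.filter(
    (cmd) =>
      rules.some((r) => r.secretRead === true && r.pattern.test(cmd)) &&
      decide(cmd, rules) === 'run',
  );
}

// Constructed rules and commands, for illustration only.
const makeRules = (secretPolicy: Policy): Rule[] => [
  { id: 'env-read', pattern: /(^|[\s/])\.env\b/, policy: secretPolicy, secretRead: true },
  { id: 'ssh-key-read', pattern: /\.ssh\/id_/, policy: secretPolicy, secretRead: true },
  { id: 'package-install', pattern: /^npm install\b/, policy: 'required' },
];
const samples = ['cat .env', 'cat ~/.ssh/id_ed25519', 'npm install left-pad', 'ls -la'];

console.log(secretReadsThatRun(headlessAsDescribed, makeRules('always'), samples));
console.log(secretReadsThatRun(headlessAsDescribed, makeRules('required'), samples));
console.log(secretReadsThatRun(headlessGuarded, makeRules('required'), samples));
```

Run as a unit test, a non-empty result from the check fails the build whenever a secret-read rule's policy is loosened without a matching headless guard.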

@cy948 cy948 force-pushed the fix/cli-headless-audit-bypass branch from 33270db to 358aa8e Compare June 3, 2026 15:45
@arvinxx arvinxx force-pushed the fix/cli-headless-audit-bypass branch from 4e03158 to 209ccc8 Compare June 3, 2026 16:46
@arvinxx arvinxx force-pushed the fix/cli-headless-audit-bypass branch from 209ccc8 to 14a33be Compare June 4, 2026 11:56
@arvinxx arvinxx merged commit cd171d3 into lobehub:canary Jun 4, 2026
19 of 21 checks passed
@lobehubbot

Member

❤️ Great PR @cy948 ❤️

The growth of the project is inseparable from user feedback and contribution; thanks for your contribution! If you are interested in the lobehub developer community, please join our discord and then DM @arvinxx or @canisminor1990. They will invite you to our private developer channel. We talk about lobe-chat development and share AI newsletters from around the world.

This was referenced Jun 9, 2026
Labels

feature:tool Tool calling and function execution size:L This PR changes 100-499 lines, ignoring generated files.
