fix: resolve three architectural gaps in wrapper layer

src/praisonai/praisonai/inc/models.py

@@ -7,8 +7,6 @@
 import importlib.util
 
 logger = logging.getLogger(__name__)
-_loglevel = os.environ.get('LOGLEVEL', 'INFO').strip().upper() or 'INFO'
-logging.basicConfig(level=_loglevel, format='%(asctime)s - %(levelname)s - %(message)s')
 
 # Constants
 LOCAL_SERVER_API_KEY_PLACEHOLDER = "not-needed"

src/praisonai/praisonai/llm/env.py

@@ -18,11 +18,23 @@ class LLMEndpoint:
     api_key: Optional[str]
 
 
+# Map well-known model prefixes to their (env-var, default base_url).
+_PROVIDER_MAP = {
+    "anthropic/":  ("ANTHROPIC_API_KEY",  "https://api.anthropic.com/v1"),
+    "google/":     ("GOOGLE_API_KEY",     "https://generativelanguage.googleapis.com/v1beta"),
+    "gemini/":     ("GEMINI_API_KEY",     "https://generativelanguage.googleapis.com/v1beta"),
+    "groq/":       ("GROQ_API_KEY",       "https://api.groq.com/openai/v1"),
+    "cohere/":     ("COHERE_API_KEY",     "https://api.cohere.ai/v1"),
+    "openrouter/": ("OPENROUTER_API_KEY", "https://openrouter.ai/api/v1"),
+    "ollama/":     ("OLLAMA_API_KEY",     "http://localhost:11434/v1"),
+}
+
 # Documented, single precedence list. Add new providers here only.
 _MODEL_VARS = ("MODEL_NAME", "OPENAI_MODEL_NAME")
 _BASE_URL_VARS = ("OPENAI_BASE_URL", "OPENAI_API_BASE", "OLLAMA_API_BASE")
 _DEFAULT_MODEL = "gpt-4o-mini"
 _DEFAULT_BASE = "https://api.openai.com/v1"
+_DEFAULT_KEY_VAR = "OPENAI_API_KEY"
 
 
 def _first_set(*names: str) -> Optional[str]:
@@ -34,23 +46,42 @@ def _first_set(*names: str) -> Optional[str]:
     return None
 
 
+def _provider_from_model(model: str) -> tuple[str, str | None]:
+    """Get provider-specific API key environment variable and base URL for a model."""
+    for prefix, (key_var, default_base) in _PROVIDER_MAP.items():
+        if model.startswith(prefix):
+            return key_var, default_base
+    return _DEFAULT_KEY_VAR, None
+
+
 def resolve_llm_endpoint(*, default_base: str = _DEFAULT_BASE) -> LLMEndpoint:
     """
     Resolve LLM endpoint configuration from environment variables.
 
     Precedence order:
     - Model: MODEL_NAME > OPENAI_MODEL_NAME > default
-    - Base URL: OPENAI_BASE_URL > OPENAI_API_BASE > OLLAMA_API_BASE > default
-    - API Key: OPENAI_API_KEY
+    - Base URL: OPENAI_BASE_URL > OPENAI_API_BASE > OLLAMA_API_BASE > provider default > default
+    - API Key: provider-specific key (e.g., ANTHROPIC_API_KEY) > OPENAI_API_KEY fallback
 
     Args:
         default_base: Default base URL if none found in environment variables
 
     Returns:
         LLMEndpoint with resolved configuration
     """
-    return LLMEndpoint(
-        model=_first_set(*_MODEL_VARS) or _DEFAULT_MODEL,
-        base_url=_first_set(*_BASE_URL_VARS) or default_base,
-        api_key=os.environ.get("OPENAI_API_KEY"),
-    )
+    model = _first_set(*_MODEL_VARS) or _DEFAULT_MODEL
+    key_var, provider_base = _provider_from_model(model)
+
+    base_url = (
+        _first_set(*_BASE_URL_VARS)
+        or provider_base
+        or default_base
+    )
+
+    # Try provider-specific key first; fall back to OPENAI_API_KEY only for
+    # OpenAI-compatible proxies that may use a single shared key.
+    api_key = os.environ.get(key_var) or (
+        os.environ.get("OPENAI_API_KEY") if key_var == "OPENAI_API_KEY" else None
+    )
+
+    return LLMEndpoint(model=model, base_url=base_url, api_key=api_key)

src/praisonai/praisonai/sandbox/subprocess.py

@@ -20,6 +20,7 @@
     SandboxStatus,
     ResourceLimits,
 )
+from praisonaiagents.sandbox.config import SecurityPolicy
 
 logger = logging.getLogger(__name__)
 
@@ -51,6 +52,48 @@ def __init__(
         self._is_running = False
         self._temp_dir: Optional[str] = None
 
+    def _build_child_env(self, policy: SecurityPolicy, overrides: Dict[str, str] | None) -> Dict[str, str]:
+        """Construct a minimal, policy-driven env for the child process."""
+        # Start with the explicit env from SandboxConfig and the per-call overrides only.
+        env = dict(self.config.env)
+        if overrides:
+            env.update(overrides)
+
+        # If the policy allows network, pass through proxy-related vars so the child can
+        # reach the outside world; otherwise withhold them.
+        if policy.allow_network:
+            for var in ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "http_proxy",
+                        "https_proxy", "no_proxy"):
+                if var in os.environ:
+                    env[var] = os.environ[var]
+
+        # Always pass a minimal PATH (so /usr/bin/python resolves) — never the host's.
+        env.setdefault("PATH", "/usr/local/bin:/usr/bin:/bin")
+        # HOME uses temp_dir which is set during start() - /tmp is defensive fallback  # noqa: S108
+        env.setdefault("HOME", self._temp_dir or "/tmp")
+        return env
+
+    def _apply_rlimits(self, limits: ResourceLimits):
+        """Apply resource limits via POSIX setrlimit (Linux/macOS only)."""
+        if os.name != "posix":
+            logger.warning("Resource limits not supported on Windows - sandbox isolation is weaker")
+            return
+
+        try:
+            import resource
+            if limits.memory_mb and limits.memory_mb > 0:
+                bytes_ = limits.memory_mb * 1024 * 1024
+                resource.setrlimit(resource.RLIMIT_AS, (bytes_, bytes_))
+            if limits.max_processes and limits.max_processes > 0:
+                resource.setrlimit(resource.RLIMIT_NPROC, (limits.max_processes, limits.max_processes))
+            if limits.max_open_files and limits.max_open_files > 0:
+                resource.setrlimit(resource.RLIMIT_NOFILE, (limits.max_open_files, limits.max_open_files))
+            # Note: RLIMIT_CPU is process CPU time, not wall clock time - timeout is handled separately
+        except ImportError:
+            logger.warning("Resource module not available - resource limits not enforced")
+        except (OSError, ValueError) as e:
+            logger.warning(f"Failed to set resource limits: {e}")
+
     @property
     def is_available(self) -> bool:
         """Subprocess sandbox is always available."""
@@ -107,27 +150,43 @@ async def execute(
         else:
             cmd = ["python", code_file]
 
-        process_env = os.environ.copy()
-        if env:
-            process_env.update(env)
+        # Build environment based on security policy instead of copying host environment
+        process_env = self._build_child_env(self.config.security_policy, env)
 
         started_at = time.time()
 
+        # preexec_fn is POSIX-only; omit on Windows
+        popen_kwargs = {
+            "stdout": asyncio.subprocess.PIPE,
+            "stderr": asyncio.subprocess.PIPE,
+            "cwd": working_dir or self._temp_dir,
+            "env": process_env,
+        }
+        if os.name == "posix":
+            popen_kwargs["start_new_session"] = True
+            popen_kwargs["preexec_fn"] = lambda: self._apply_rlimits(limits)
+        else:
+            logger.warning("Resource limits and session isolation not available on Windows")
+
         try:
-            proc = await asyncio.create_subprocess_exec(
-                *cmd,
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-                cwd=working_dir or self._temp_dir,
-                env=process_env,
-            )
+            proc = await asyncio.create_subprocess_exec(*cmd, **popen_kwargs)
 
             try:
+                # Truncate output to max_output_size after reading
+                max_output_size = self.config.security_policy.max_output_size
+
                 stdout, stderr = await asyncio.wait_for(
                     proc.communicate(),
                     timeout=limits.timeout_seconds,
                 )
 
+                # Truncate output if it exceeds max_output_size
+                if max_output_size and max_output_size > 0:
+                    if len(stdout) > max_output_size:
+                        stdout = stdout[:max_output_size] + b"\n[OUTPUT TRUNCATED]"
+                    if len(stderr) > max_output_size:
+                        stderr = stderr[:max_output_size] + b"\n[OUTPUT TRUNCATED]"
+
                 completed_at = time.time()
 
                 return SandboxResult(
@@ -141,7 +200,15 @@ async def execute(
                     completed_at=completed_at,
                 )
             except asyncio.TimeoutError:
-                proc.kill()
+                # Kill the whole process group, not just the leader
+                try:
+                    if os.name == "posix":
+                        import signal
+                        os.killpg(proc.pid, signal.SIGKILL)
+                    else:
+                        proc.kill()
+                except (ProcessLookupError, PermissionError, OSError):
+                    proc.kill()
                 await proc.wait()
 
                 return SandboxResult(
@@ -211,27 +278,41 @@ async def run_command(
         from ._shell import build_argv
         cmd = build_argv(command, shell=shell)
 
-        process_env = os.environ.copy()
-        if env:
-            process_env.update(env)
+        # Build environment based on security policy instead of copying host environment
+        process_env = self._build_child_env(self.config.security_policy, env)
 
         started_at = time.time()
 
+        # preexec_fn is POSIX-only; omit on Windows
+        popen_kwargs = {
+            "stdout": asyncio.subprocess.PIPE,
+            "stderr": asyncio.subprocess.PIPE,
+            "cwd": working_dir or self._temp_dir,
+            "env": process_env,
+        }
+        if os.name == "posix":
+            popen_kwargs["start_new_session"] = True
+            popen_kwargs["preexec_fn"] = lambda: self._apply_rlimits(limits)
+        else:
+            logger.warning("Resource limits and session isolation not available on Windows")
+
         try:
-            proc = await asyncio.create_subprocess_exec(
-                *cmd,
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-                cwd=working_dir or self._temp_dir,
-                env=process_env,
-            )
+            proc = await asyncio.create_subprocess_exec(*cmd, **popen_kwargs)
 
             try:
                 stdout, stderr = await asyncio.wait_for(
                     proc.communicate(),
                     timeout=limits.timeout_seconds,
                 )
 
+                # Truncate output if it exceeds max_output_size
+                max_output_size = self.config.security_policy.max_output_size
+                if max_output_size and max_output_size > 0:
+                    if len(stdout) > max_output_size:
+                        stdout = stdout[:max_output_size] + b"\n[OUTPUT TRUNCATED]"
+                    if len(stderr) > max_output_size:
+                        stderr = stderr[:max_output_size] + b"\n[OUTPUT TRUNCATED]"
+
                 completed_at = time.time()
 
                 return SandboxResult(
@@ -245,7 +326,15 @@ async def run_command(
                     completed_at=completed_at,
                 )
             except asyncio.TimeoutError:
-                proc.kill()
+                # Kill the whole process group, not just the leader
+                try:
+                    if os.name == "posix":
+                        import signal
+                        os.killpg(proc.pid, signal.SIGKILL)
+                    else:
+                        proc.kill()
+                except (ProcessLookupError, PermissionError, OSError):
+                    proc.kill()
                 await proc.wait()
 
                 return SandboxResult(