feat(sandbox_provider): add default sandbox provider for CE

api/core/sandbox/initializer/dify_cli_initializer.py

@@ -49,10 +49,6 @@ class DifyCliInitializer(SandboxInitializer):
 
         env.upload_file(DIFY_CLI_PATH, BytesIO(binary.path.read_bytes()))
 
-        pipeline(env).add(
-            ["chmod", "+x", DIFY_CLI_PATH], error_message="Failed to mark dify CLI as executable"
-        ).execute(raise_on_error=True)
-
         logger.info("Dify CLI uploaded to sandbox, path=%s", DIFY_CLI_PATH)
 
         artifact = SkillManager.load_tool_artifact(self._tenant_id, self._app_id, self._assets_id)

api/migrations/versions/2026_01_21_0030-201d71cc4f34_add_default_docker_sandbox_system_config.py

@@ -0,0 +1,64 @@
+"""add_default_docker_sandbox_system_config
+
+Revision ID: 201d71cc4f34
+Revises: 45471e916693
+Create Date: 2026-01-21 00:30:01.908057
+
+"""
+from uuid import uuid4
+
+from alembic import op
+import models as models
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '201d71cc4f34'
+down_revision = '45471e916693'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Import encryption utility
+    from core.tools.utils.system_encryption import encrypt_system_params
+
+    # Define the default Docker configuration
+    docker_config = {
+        "docker_image": "langgenius/dify-agentbox:latest",
+        "docker_sock": "unix:///var/run/docker.sock"
+    }
+
+    # Encrypt the configuration
+    encrypted_config = encrypt_system_params(docker_config)
+
+    # Generate UUID for the record
+    record_id = str(uuid4())
+
+    # Insert the default Docker sandbox system config if it doesn't exist
+    op.execute(
+        sa.text(
+            """
+            INSERT INTO sandbox_provider_system_config
+            (id, provider_type, encrypted_config, created_at, updated_at)
+            VALUES (:id, :provider_type, :encrypted_config, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
+            ON CONFLICT (provider_type) DO NOTHING
+            """
+        ).bindparams(
+            id=record_id,
+            provider_type='docker',
+            encrypted_config=encrypted_config
+        )
+    )
+
+
+def downgrade():
+    # Delete the default Docker sandbox system config
+    op.execute(
+        sa.text(
+            """
+            DELETE FROM sandbox_provider_system_config
+            WHERE provider_type = :provider_type
+            """
+        ).bindparams(provider_type='docker')
+    )

api/services/sandbox/sandbox_provider_service.py

@@ -91,7 +91,9 @@ class SandboxProviderService:
 
         with Session(db.engine) as session:
             provider = _query_tenant_config(session, tenant_id, provider_type)
-            encrypter = _get_encrypter(tenant_id, provider_type)
+            encrypter, cache = create_sandbox_config_encrypter(
+                tenant_id, VMConfig.get_schema(SandboxType(provider_type)), provider_type
+            )
             if not provider:
                 provider = SandboxProvider(
                     tenant_id=tenant_id,
@@ -112,6 +114,8 @@ class SandboxProviderService:
             provider.is_active = activate or provider.is_active or cls.is_system_default_config(session, tenant_id)
             provider.configure_type = "user"
             session.commit()
+
+            cache.delete()
         return {"result": "success"}
 
     @classmethod