fix(knowledge): verification audit — 3 medium issues

- create_item: wrap item + version INSERT in transaction for atomicity - update_item handler: validate content length (100KB) before DB hit - KnowledgeChunk: document missing embedding field, safe per explicit SELECT usage
2026-04-02 19:16:32 +08:00
parent 7e4b787d5c
commit d40c4605b2
3 changed files with 14 additions and 2 deletions
--- a/crates/zclaw-saas/src/knowledge/service.rs
+++ b/crates/zclaw-saas/src/knowledge/service.rs
@@ -296,6 +296,9 @@ pub async fn create_item(
        ));
    }

+    // 使用事务保证 item + version 原子性
+    let mut tx = pool.begin().await?;
+
    let item = sqlx::query_as::<_, KnowledgeItem>(
        "INSERT INTO knowledge_items \
         (id, category_id, title, content, keywords, related_questions, priority, tags, created_by) \
@@ -311,7 +314,7 @@ pub async fn create_item(
    .bind(priority)
    .bind(tags)
    .bind(account_id)
-    .fetch_one(pool)
+    .fetch_one(&mut *tx)
    .await?;

    // 创建初始版本快照
@@ -328,9 +331,10 @@ pub async fn create_item(
    .bind(keywords)
    .bind(related_questions)
    .bind(account_id)
-    .execute(pool)
+    .execute(&mut *tx)
    .await?;

+    tx.commit().await?;
    Ok(item)
 }