feat: 新增管理后台前端项目及安全加固

refactor(saas): 重构认证中间件与限流策略
- 登录限流调整为5次/分钟/IP
- 注册限流调整为3次/小时/IP
- GET请求不计入限流

fix(saas): 修复调度器时间戳处理
- 使用NOW()替代文本时间戳
- 兼容TEXT和TIMESTAMPTZ列类型

feat(saas): 实现环境变量插值
- 支持${ENV_VAR}语法解析
- 数据库密码支持环境变量注入

chore: 新增前端管理界面
- 基于React+Ant Design Pro
- 包含路由守卫/错误边界
- 对接58个API端点

docs: 更新安全加固文档
- 新增密钥管理规范
- 记录P0安全项审计结果
- 补充TLS终止说明

test: 完善配置解析单元测试
- 新增环境变量插值测试用例

admin-temp-dir/src/services/accounts.ts

@@ -0,0 +1,16 @@
+import request, { withSignal } from './request'
+import type { AccountPublic, PaginatedResponse } from '@/types'
+
+export const accountService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<AccountPublic>>('/accounts', withSignal({ params }, signal)).then((r) => r.data),
+
+  get: (id: string, signal?: AbortSignal) =>
+    request.get<AccountPublic>(`/accounts/${id}`, withSignal({}, signal)).then((r) => r.data),
+
+  update: (id: string, data: Partial<Pick<AccountPublic, 'display_name' | 'email' | 'role'>>, signal?: AbortSignal) =>
+    request.patch<AccountPublic>(`/accounts/${id}`, data, withSignal({}, signal)).then((r) => r.data),
+
+  updateStatus: (id: string, data: { status: AccountPublic['status'] }, signal?: AbortSignal) =>
+    request.patch(`/accounts/${id}/status`, data, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/agent-templates.ts

@@ -0,0 +1,28 @@
+import request, { withSignal } from './request'
+import type { AgentTemplate, PaginatedResponse } from '@/types'
+
+export const agentTemplateService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<AgentTemplate>>('/agent-templates', withSignal({ params }, signal)).then((r) => r.data),
+
+  get: (id: string, signal?: AbortSignal) =>
+    request.get<AgentTemplate>(`/agent-templates/${id}`, withSignal({}, signal)).then((r) => r.data),
+
+  create: (data: {
+    name: string; description?: string; category?: string; source?: string
+    model?: string; system_prompt?: string; tools?: string[]
+    capabilities?: string[]; temperature?: number; max_tokens?: number
+    visibility?: string
+  }, signal?: AbortSignal) =>
+    request.post<AgentTemplate>('/agent-templates', data, withSignal({}, signal)).then((r) => r.data),
+
+  update: (id: string, data: {
+    description?: string; model?: string; system_prompt?: string
+    tools?: string[]; capabilities?: string[]; temperature?: number
+    max_tokens?: number; visibility?: string; status?: string
+  }, signal?: AbortSignal) =>
+    request.post<AgentTemplate>(`/agent-templates/${id}`, data, withSignal({}, signal)).then((r) => r.data),
+
+  archive: (id: string, signal?: AbortSignal) =>
+    request.delete<AgentTemplate>(`/agent-templates/${id}`, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/api-keys.ts

@@ -0,0 +1,13 @@
+import request, { withSignal } from './request'
+import type { TokenInfo, CreateTokenRequest, PaginatedResponse } from '@/types'
+
+export const apiKeyService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<TokenInfo>>('/keys', withSignal({ params }, signal)).then((r) => r.data),
+
+  create: (data: CreateTokenRequest, signal?: AbortSignal) =>
+    request.post<TokenInfo>('/keys', data, withSignal({}, signal)).then((r) => r.data),
+
+  revoke: (id: string, signal?: AbortSignal) =>
+    request.delete(`/keys/${id}`, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/auth.ts

@@ -0,0 +1,10 @@
+import request, { withSignal } from './request'
+import type { AccountPublic, LoginRequest, LoginResponse } from '@/types'
+
+export const authService = {
+  login: (data: LoginRequest, signal?: AbortSignal) =>
+    request.post<LoginResponse>('/auth/login', data, withSignal({}, signal)).then((r) => r.data),
+
+  me: (signal?: AbortSignal) =>
+    request.get<AccountPublic>('/auth/me', withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/config.ts

@@ -0,0 +1,11 @@
+import request, { withSignal } from './request'
+import type { ConfigItem, PaginatedResponse } from '@/types'
+
+export const configService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<ConfigItem>>('/config/items', withSignal({ params }, signal))
+      .then((r) => r.data.items),
+
+  update: (id: string, data: { value: string | number | boolean }, signal?: AbortSignal) =>
+    request.patch<ConfigItem>(`/config/items/${id}`, data, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/logs.ts

@@ -0,0 +1,7 @@
+import request, { withSignal } from './request'
+import type { OperationLog, PaginatedResponse } from '@/types'
+
+export const logService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<OperationLog>>('/logs/operations', withSignal({ params }, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/models.ts

@@ -0,0 +1,16 @@
+import request, { withSignal } from './request'
+import type { Model, PaginatedResponse } from '@/types'
+
+export const modelService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<Model>>('/models', withSignal({ params }, signal)).then((r) => r.data),
+
+  create: (data: Partial<Omit<Model, 'id'>>, signal?: AbortSignal) =>
+    request.post<Model>('/models', data, withSignal({}, signal)).then((r) => r.data),
+
+  update: (id: string, data: Partial<Omit<Model, 'id'>>, signal?: AbortSignal) =>
+    request.patch<Model>(`/models/${id}`, data, withSignal({}, signal)).then((r) => r.data),
+
+  delete: (id: string, signal?: AbortSignal) =>
+    request.delete(`/models/${id}`, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/prompts.ts

@@ -0,0 +1,35 @@
+import request, { withSignal } from './request'
+import type { PromptTemplate, PromptVersion, PaginatedResponse } from '@/types'
+
+export const promptService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<PromptTemplate>>('/prompts', withSignal({ params }, signal)).then((r) => r.data),
+
+  get: (name: string, signal?: AbortSignal) =>
+    request.get<PromptTemplate>(`/prompts/${encodeURIComponent(name)}`, withSignal({}, signal)).then((r) => r.data),
+
+  create: (data: {
+    name: string; category: string; description?: string; source?: string
+    system_prompt: string; user_prompt_template?: string
+    variables?: unknown[]; min_app_version?: string
+  }, signal?: AbortSignal) =>
+    request.post<PromptTemplate>('/prompts', data, withSignal({}, signal)).then((r) => r.data),
+
+  update: (name: string, data: { description?: string; status?: string }, signal?: AbortSignal) =>
+    request.put<PromptTemplate>(`/prompts/${encodeURIComponent(name)}`, data, withSignal({}, signal)).then((r) => r.data),
+
+  archive: (name: string, signal?: AbortSignal) =>
+    request.delete<PromptTemplate>(`/prompts/${encodeURIComponent(name)}`, withSignal({}, signal)).then((r) => r.data),
+
+  listVersions: (name: string, signal?: AbortSignal) =>
+    request.get<PromptVersion[]>(`/prompts/${encodeURIComponent(name)}/versions`, withSignal({}, signal)).then((r) => r.data),
+
+  createVersion: (name: string, data: {
+    system_prompt: string; user_prompt_template?: string
+    variables?: unknown[]; changelog?: string; min_app_version?: string
+  }, signal?: AbortSignal) =>
+    request.post<PromptVersion>(`/prompts/${encodeURIComponent(name)}/versions`, data, withSignal({}, signal)).then((r) => r.data),
+
+  rollback: (name: string, version: number, signal?: AbortSignal) =>
+    request.post<PromptTemplate>(`/prompts/${encodeURIComponent(name)}/rollback/${version}`, undefined, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/providers.ts

@@ -0,0 +1,31 @@
+import request, { withSignal } from './request'
+import type { Provider, ProviderKey, PaginatedResponse } from '@/types'
+
+export const providerService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<Provider>>('/providers', withSignal({ params }, signal)).then((r) => r.data),
+
+  create: (data: Partial<Omit<Provider, 'id' | 'created_at' | 'updated_at'>>, signal?: AbortSignal) =>
+    request.post<Provider>('/providers', data, withSignal({}, signal)).then((r) => r.data),
+
+  update: (id: string, data: Partial<Omit<Provider, 'id' | 'created_at' | 'updated_at'>>, signal?: AbortSignal) =>
+    request.patch<Provider>(`/providers/${id}`, data, withSignal({}, signal)).then((r) => r.data),
+
+  delete: (id: string, signal?: AbortSignal) =>
+    request.delete(`/providers/${id}`, withSignal({}, signal)).then((r) => r.data),
+
+  listKeys: (providerId: string, signal?: AbortSignal) =>
+    request.get<ProviderKey[]>(`/providers/${providerId}/keys`, withSignal({}, signal)).then((r) => r.data),
+
+  addKey: (providerId: string, data: {
+    key_label: string; key_value: string; priority?: number
+    max_rpm?: number; max_tpm?: number; quota_reset_interval?: string
+  }, signal?: AbortSignal) =>
+    request.post<{ ok: boolean; key_id: string }>(`/providers/${providerId}/keys`, data, withSignal({}, signal)).then((r) => r.data),
+
+  toggleKey: (providerId: string, keyId: string, active: boolean, signal?: AbortSignal) =>
+    request.put<{ ok: boolean }>(`/providers/${providerId}/keys/${keyId}/toggle`, { active }, withSignal({}, signal)).then((r) => r.data),
+
+  deleteKey: (providerId: string, keyId: string, signal?: AbortSignal) =>
+    request.delete<{ ok: boolean }>(`/providers/${providerId}/keys/${keyId}`, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/relay.ts

@@ -0,0 +1,10 @@
+import request, { withSignal } from './request'
+import type { RelayTask, PaginatedResponse } from '@/types'
+
+export const relayService = {
+  list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<PaginatedResponse<RelayTask>>('/relay/tasks', withSignal({ params }, signal)).then((r) => r.data),
+
+  get: (id: string, signal?: AbortSignal) =>
+    request.get<RelayTask>(`/relay/tasks/${id}`, withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/request.ts

@@ -0,0 +1,127 @@
+// ============================================================
+// ZCLAW Admin V2 — Axios 实例 + JWT 拦截器
+// ============================================================
+//
+// 认证策略: 主路径使用 HttpOnly cookie（浏览器自动附加），
+// Authorization header 作为 fallback 保留用于 API 客户端。
+
+import axios from 'axios'
+import type { AxiosError, InternalAxiosRequestConfig } from 'axios'
+import type { AxiosRequestConfig } from 'axios'
+import type { ApiError } from '@/types'
+import { useAuthStore } from '@/stores/authStore'
+
+const BASE_URL = import.meta.env.VITE_API_BASE_URL || '/api/v1'
+const TIMEOUT_MS = 30_000
+
+/** API 业务错误 */
+export class ApiRequestError extends Error {
+  constructor(
+    public status: number,
+    public body: ApiError,
+  ) {
+    super(body.message || `Request failed with status ${status}`)
+    this.name = 'ApiRequestError'
+  }
+}
+
+const request = axios.create({
+  baseURL: BASE_URL,
+  timeout: TIMEOUT_MS,
+  headers: { 'Content-Type': 'application/json' },
+  withCredentials: true, // 发送 HttpOnly cookies
+})
+
+// ── 请求拦截器：附加 Authorization header fallback ──────────
+
+request.interceptors.request.use((config: InternalAxiosRequestConfig) => {
+  const token = useAuthStore.getState().token
+  if (token) {
+    config.headers.Authorization = `Bearer ${token}`
+  }
+  return config
+})
+
+// ── 响应拦截器：401 自动刷新 ──────────────────────────────
+
+let isRefreshing = false
+let pendingRequests: Array<(token: string) => void> = []
+
+function onTokenRefreshed(newToken: string) {
+  pendingRequests.forEach((cb) => cb(newToken))
+  pendingRequests = []
+}
+
+request.interceptors.response.use(
+  (response) => response,
+  async (error: AxiosError<{ error?: string; message?: string }>) => {
+    const originalRequest = error.config as InternalAxiosRequestConfig & { _retry?: boolean }
+
+    // 401 → 尝试刷新 Token
+    if (error.response?.status === 401 && !originalRequest._retry) {
+      const store = useAuthStore.getState()
+      if (!store.refreshToken) {
+        store.logout()
+        window.location.href = '/login'
+        return Promise.reject(error)
+      }
+
+      if (isRefreshing) {
+        return new Promise((resolve) => {
+          pendingRequests.push((newToken: string) => {
+            originalRequest.headers.Authorization = `Bearer ${newToken}`
+            resolve(request(originalRequest))
+          })
+        })
+      }
+
+      originalRequest._retry = true
+      isRefreshing = true
+
+      try {
+        const res = await axios.post(`${BASE_URL}/auth/refresh`, null, {
+          headers: { Authorization: `Bearer ${store.refreshToken}` },
+          withCredentials: true, // 发送 refresh cookie
+        })
+        const newToken = res.data.token as string
+        const newRefreshToken = res.data.refresh_token as string
+        // 更新内存中的 token（实际认证通过 HttpOnly cookie，浏览器已自动更新）
+        store.setToken(newToken)
+        if (newRefreshToken) {
+          store.setRefreshToken(newRefreshToken)
+        }
+        onTokenRefreshed(newToken)
+        originalRequest.headers.Authorization = `Bearer ${newToken}`
+        return request(originalRequest)
+      } catch {
+        store.logout()
+        window.location.href = '/login'
+        return Promise.reject(error)
+      } finally {
+        isRefreshing = false
+      }
+    }
+
+    // 构造 ApiRequestError
+    if (error.response) {
+      const body: ApiError = {
+        error: error.response.data?.error || 'unknown',
+        message: error.response.data?.message || `请求失败 (${error.response.status})`,
+        status: error.response.status,
+      }
+      return Promise.reject(new ApiRequestError(error.response.status, body))
+    }
+
+    return Promise.reject(error)
+  },
+)
+
+export default request
+
+/** 将 AbortSignal 注入 Axios config，用于 TanStack Query 的请求取消 */
+export function withSignal(config: AxiosRequestConfig = {}, signal?: AbortSignal): AxiosRequestConfig {
+  if (signal) {
+    return { ...config, signal }
+  }
+  return config
+}

admin-temp-dir/src/services/stats.ts

@@ -0,0 +1,7 @@
+import request, { withSignal } from './request'
+import type { DashboardStats } from '@/types'
+
+export const statsService = {
+  dashboard: (signal?: AbortSignal) =>
+    request.get<DashboardStats>('/stats/dashboard', withSignal({}, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/telemetry.ts

@@ -0,0 +1,10 @@
+import request, { withSignal } from './request'
+import type { ModelUsageStat, DailyUsageStat } from '@/types'
+
+export const telemetryService = {
+  modelStats: (params?: Record<string, unknown>, signal?: AbortSignal) =>
+    request.get<ModelUsageStat[]>('/telemetry/stats', withSignal({ params }, signal)).then((r) => r.data),
+
+  dailyStats: (params?: { days?: number }, signal?: AbortSignal) =>
+    request.get<DailyUsageStat[]>('/telemetry/daily', withSignal({ params }, signal)).then((r) => r.data),
+}

admin-temp-dir/src/services/usage.ts

@@ -0,0 +1,12 @@
+import request, { withSignal } from './request'
+import type { UsageRecord, UsageByModel } from '@/types'
+
+export const usageService = {
+  daily: (params?: { days?: number }, signal?: AbortSignal) =>
+    request.get<{ by_day: UsageRecord[] }>('/usage', withSignal({ params: { ...params, group_by: 'day' } }, signal))
+      .then((r) => r.data.by_day || []),
+
+  byModel: (params?: { days?: number }, signal?: AbortSignal) =>
+    request.get<{ by_model: UsageByModel[] }>('/usage', withSignal({ params: { ...params, group_by: 'model' } }, signal))
+      .then((r) => r.data.by_model || []),
+}