From edd6dd5fc83daa432b8266a095d6f175b28b5806 Mon Sep 17 00:00:00 2001 From: iven Date: Sun, 19 Apr 2026 08:46:12 +0800 Subject: [PATCH] =?UTF-8?q?fix(audit):=20Batch=204-6=20=E4=B8=AD=E9=97=B4?= =?UTF-8?q?=E4=BB=B6=E6=B3=A8=E9=87=8A=20+=20=E4=BE=9D=E8=B5=96=E8=BF=81?= =?UTF-8?q?=E7=A7=BB=20+=20=E5=AE=89=E5=85=A8=E5=8A=A0=E5=9B=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Batch 4: - kernel/mod.rs: 添加中间件注册顺序≠执行顺序注释 - EvolutionMiddleware 注册处标注 priority=78 Batch 5: - desktop/src-tauri/Cargo.toml: serde_yaml 0.9 (deprecated) → serde_yaml_bw 2.x Batch 6: - saas/main.rs: CORS 开发模式改为显式 localhost origins (修复 Any+credentials 违规) - docker-compose.yml: 移除默认弱密码 your_secure_password,改为必填校验 - director.rs: 用户输入添加 / 边界标记防注入 全量测试通过: 719 passed, 0 failed --- crates/zclaw-kernel/src/director.rs | 8 +++++-- crates/zclaw-kernel/src/kernel/mod.rs | 6 +++++- crates/zclaw-saas/src/main.rs | 30 ++++++++++++++++++++++++--- desktop/src-tauri/Cargo.toml | 2 +- docker-compose.yml | 4 ++-- 5 files changed, 41 insertions(+), 9 deletions(-) diff --git a/crates/zclaw-kernel/src/director.rs b/crates/zclaw-kernel/src/director.rs index 6dd9270..f1275c2 100644 --- a/crates/zclaw-kernel/src/director.rs +++ b/crates/zclaw-kernel/src/director.rs @@ -642,7 +642,9 @@ Respond with ONLY the number (1-{}) of the agent who should speak next. No expla } if let Some(ref user_input) = input { - context.push_str(&format!("User: {}\n\n", user_input)); + context.push_str("\n"); + context.push_str(&format!("{}\n", user_input)); + context.push_str("\n\n"); } // Add recent history @@ -908,7 +910,9 @@ impl Director { let prompt = format!( r#"你是 ZCLAW 管家。请将以下用户需求拆解为 1-5 个具体子任务。 -用户需求:{} + +{} + 请按 JSON 数组格式输出,每个元素包含: - description: 子任务描述(中文) diff --git a/crates/zclaw-kernel/src/kernel/mod.rs b/crates/zclaw-kernel/src/kernel/mod.rs index 13c621d..aa1aae4 100644 --- a/crates/zclaw-kernel/src/kernel/mod.rs +++ b/crates/zclaw-kernel/src/kernel/mod.rs @@ -239,6 +239,9 @@ impl Kernel { } // Data masking middleware — mask sensitive entities before any other processing + // NOTE: Registration order does NOT determine execution order. + // The chain sorts by priority() ascending before execution. + // Execution order: Evolution(78) → ButlerRouter(80) → DataMasking(90) → ... { use std::sync::Arc; let masker = Arc::new(zclaw_runtime::middleware::data_masking::DataMasker::new()); @@ -252,7 +255,8 @@ impl Kernel { growth = growth.with_llm_driver(driver.clone()); } - // Evolution middleware — shared with MemoryMiddleware for pushing evolution candidates + // Evolution middleware — pushes evolution candidate skills into system prompt + // priority=78, executed first by chain (before ButlerRouter@80) let evolution_mw = std::sync::Arc::new( zclaw_runtime::middleware::evolution::EvolutionMiddleware::new() ); diff --git a/crates/zclaw-saas/src/main.rs b/crates/zclaw-saas/src/main.rs index d4328c4..e7cbc55 100644 --- a/crates/zclaw-saas/src/main.rs +++ b/crates/zclaw-saas/src/main.rs @@ -309,10 +309,34 @@ async fn build_router(state: AppState) -> axum::Router { .unwrap_or(false); if config.server.cors_origins.is_empty() { if is_dev { + // Dev mode: use explicit localhost origins (Any + credentials violates CORS spec) + let dev_origins: Vec = [ + "http://localhost:1420", + "http://localhost:5173", + "http://127.0.0.1:1420", + "http://127.0.0.1:5173", + "http://localhost:8080", + "http://127.0.0.1:8080", + "tauri://localhost", + "https://tauri.localhost", + ].iter() + .filter_map(|o| o.parse::().ok()) + .collect(); CorsLayer::new() - .allow_origin(Any) - .allow_methods(Any) - .allow_headers(Any) + .allow_origin(dev_origins) + .allow_methods([ + axum::http::Method::GET, + axum::http::Method::POST, + axum::http::Method::PUT, + axum::http::Method::PATCH, + axum::http::Method::DELETE, + axum::http::Method::OPTIONS, + ]) + .allow_headers([ + axum::http::header::AUTHORIZATION, + axum::http::header::CONTENT_TYPE, + axum::http::header::COOKIE, + ]) .allow_credentials(true) } else { tracing::error!("生产环境必须配置 server.cors_origins,不能使用 allow_origin(Any)"); diff --git a/desktop/src-tauri/Cargo.toml b/desktop/src-tauri/Cargo.toml index db57251..8a541d9 100644 --- a/desktop/src-tauri/Cargo.toml +++ b/desktop/src-tauri/Cargo.toml @@ -47,7 +47,7 @@ async-trait = { workspace = true } # Serialization serde = { workspace = true } serde_json = { workspace = true } -serde_yaml = "0.9" +serde_yaml = { package = "serde_yaml_bw", version = "2" } toml = "0.8" # HTTP client diff --git a/docker-compose.yml b/docker-compose.yml index 7d7fd24..8afa093 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,7 @@ services: environment: POSTGRES_USER: ${POSTGRES_USER:-postgres} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-your_secure_password} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env} POSTGRES_DB: ${POSTGRES_DB:-zclaw} # 确保 UTF-8 编码 — 中文 Windows 默认 GBK 会导致中文数据损坏 POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C.UTF-8" @@ -53,7 +53,7 @@ services: - .env environment: - DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-your_secure_password}@postgres:5432/${POSTGRES_DB:-zclaw} + DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}@postgres:5432/${POSTGRES_DB:-zclaw} depends_on: postgres: