fix(audit): Batch 4-6 中间件注释 + 依赖迁移 + 安全加固
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
Batch 4: - kernel/mod.rs: 添加中间件注册顺序≠执行顺序注释 - EvolutionMiddleware 注册处标注 priority=78 Batch 5: - desktop/src-tauri/Cargo.toml: serde_yaml 0.9 (deprecated) → serde_yaml_bw 2.x Batch 6: - saas/main.rs: CORS 开发模式改为显式 localhost origins (修复 Any+credentials 违规) - docker-compose.yml: 移除默认弱密码 your_secure_password,改为必填校验 - director.rs: 用户输入添加 <user_input>/<user_request> 边界标记防注入 全量测试通过: 719 passed, 0 failed
This commit is contained in:
iven
@@ -642,7 +642,9 @@ Respond with ONLY the number (1-{}) of the agent who should speak next. No expla
|
||||
}
|
||||
|
||||
if let Some(ref user_input) = input {
|
||||
context.push_str(&format!("User: {}\n\n", user_input));
|
||||
context.push_str("<user_input>\n");
|
||||
context.push_str(&format!("{}\n", user_input));
|
||||
context.push_str("</user_input>\n\n");
|
||||
}
|
||||
|
||||
// Add recent history
|
||||
@@ -908,7 +910,9 @@ impl Director {
|
||||
let prompt = format!(
|
||||
r#"你是 ZCLAW 管家。请将以下用户需求拆解为 1-5 个具体子任务。
|
||||
|
||||
用户需求:{}
|
||||
<user_request>
|
||||
{}
|
||||
</user_request>
|
||||
|
||||
请按 JSON 数组格式输出,每个元素包含:
|
||||
- description: 子任务描述(中文)
|
||||
|
||||
@@ -239,6 +239,9 @@ impl Kernel {
|
||||
}
|
||||
|
||||
// Data masking middleware — mask sensitive entities before any other processing
|
||||
// NOTE: Registration order does NOT determine execution order.
|
||||
// The chain sorts by priority() ascending before execution.
|
||||
// Execution order: Evolution(78) → ButlerRouter(80) → DataMasking(90) → ...
|
||||
{
|
||||
use std::sync::Arc;
|
||||
let masker = Arc::new(zclaw_runtime::middleware::data_masking::DataMasker::new());
|
||||
@@ -252,7 +255,8 @@ impl Kernel {
|
||||
growth = growth.with_llm_driver(driver.clone());
|
||||
}
|
||||
|
||||
// Evolution middleware — shared with MemoryMiddleware for pushing evolution candidates
|
||||
// Evolution middleware — pushes evolution candidate skills into system prompt
|
||||
// priority=78, executed first by chain (before ButlerRouter@80)
|
||||
let evolution_mw = std::sync::Arc::new(
|
||||
zclaw_runtime::middleware::evolution::EvolutionMiddleware::new()
|
||||
);
|
||||
|
||||
@@ -309,10 +309,34 @@ async fn build_router(state: AppState) -> axum::Router {
|
||||
.unwrap_or(false);
|
||||
if config.server.cors_origins.is_empty() {
|
||||
if is_dev {
|
||||
// Dev mode: use explicit localhost origins (Any + credentials violates CORS spec)
|
||||
let dev_origins: Vec<HeaderValue> = [
|
||||
"http://localhost:1420",
|
||||
"http://localhost:5173",
|
||||
"http://127.0.0.1:1420",
|
||||
"http://127.0.0.1:5173",
|
||||
"http://localhost:8080",
|
||||
"http://127.0.0.1:8080",
|
||||
"tauri://localhost",
|
||||
"https://tauri.localhost",
|
||||
].iter()
|
||||
.filter_map(|o| o.parse::<HeaderValue>().ok())
|
||||
.collect();
|
||||
CorsLayer::new()
|
||||
.allow_origin(Any)
|
||||
.allow_methods(Any)
|
||||
.allow_headers(Any)
|
||||
.allow_origin(dev_origins)
|
||||
.allow_methods([
|
||||
axum::http::Method::GET,
|
||||
axum::http::Method::POST,
|
||||
axum::http::Method::PUT,
|
||||
axum::http::Method::PATCH,
|
||||
axum::http::Method::DELETE,
|
||||
axum::http::Method::OPTIONS,
|
||||
])
|
||||
.allow_headers([
|
||||
axum::http::header::AUTHORIZATION,
|
||||
axum::http::header::CONTENT_TYPE,
|
||||
axum::http::header::COOKIE,
|
||||
])
|
||||
.allow_credentials(true)
|
||||
} else {
|
||||
tracing::error!("生产环境必须配置 server.cors_origins,不能使用 allow_origin(Any)");
|
||||
|
||||
@@ -47,7 +47,7 @@ async-trait = { workspace = true }
|
||||
# Serialization
|
||||
serde = { workspace = true }
|
||||
serde_json = { workspace = true }
|
||||
serde_yaml = "0.9"
|
||||
serde_yaml = { package = "serde_yaml_bw", version = "2" }
|
||||
toml = "0.8"
|
||||
|
||||
# HTTP client
|
||||
|
||||
@@ -16,7 +16,7 @@ services:
|
||||
|
||||
environment:
|
||||
POSTGRES_USER: ${POSTGRES_USER:-postgres}
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-your_secure_password}
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
|
||||
POSTGRES_DB: ${POSTGRES_DB:-zclaw}
|
||||
# 确保 UTF-8 编码 — 中文 Windows 默认 GBK 会导致中文数据损坏
|
||||
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C.UTF-8"
|
||||
@@ -53,7 +53,7 @@ services:
|
||||
- .env
|
||||
|
||||
environment:
|
||||
DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-your_secure_password}@postgres:5432/${POSTGRES_DB:-zclaw}
|
||||
DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}@postgres:5432/${POSTGRES_DB:-zclaw}
|
||||
|
||||
depends_on:
|
||||
postgres:
|
||||
|
||||
Reference in New Issue
Block a user