18 Commits

Author	SHA1	Message	Date
iven	54764a8bbd	docs: enforce commit-push-after-comeliminate-work as mandatory step ... CLAUDE.md §3.3 闭环工作法: 代码通过→提交→推送→文档同步 三步必须按顺序执行，不允许跳过 CLAUDE.md |8.3 收尾流程: 按步骤 A/B/C/D 强制执行	2026-04-03 00:54:14 +08:00
iven	5a5a4b322d	docs: update CLAUDE.md with stabilization rules, security audit, and production checklist	2026-04-03 00:29:21 +08:00
iven	8898bb399e	docs: audit reports + feature docs + skills + admin-v2 + config sync ... Update audit tracker, roadmap, architecture docs, add admin-v2 Roles page + Billing tests, sync CLAUDE.md, Cargo.toml, docker-compose.yml, add deep-research / frontend-design / chart-visualization skills Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-02 19:25:00 +08:00
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 ... Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	eb956d0dce	feat: 新增管理后台前端项目及安全加固 ... refactor(saas): 重构认证中间件与限流策略 - 登录限流调整为5次/分钟/IP - 注册限流调整为3次/小时/IP - GET请求不计入限流 fix(saas): 修复调度器时间戳处理 - 使用NOW()替代文本时间戳 - 兼容TEXT和TIMESTAMPTZ列类型 feat(saas): 实现环境变量插值 - 支持${ENV_VAR}语法解析 - 数据库密码支持环境变量注入 chore: 新增前端管理界面 - 基于React+Ant Design Pro - 包含路由守卫/错误边界 - 对接58个API端点 docs: 更新安全加固文档 - 新增密钥管理规范 - 记录P0安全项审计结果 - 补充TLS终止说明 test: 完善配置解析单元测试 - 新增环境变量插值测试用例	2026-03-31 00:11:33 +08:00
iven	13c0b18bbc	feat: Batch 5-9 — GrowthIntegration桥接、验证补全、死代码清理、Pipeline模板、Speech/Twitter真实实现 ... Batch 5 (P0): GrowthIntegration 接入 Tauri - Kernel 新增 set_viking()/set_extraction_driver() 桥接 SqliteStorage - 中间件链共享存储，MemoryExtractor 接入 LLM 驱动 Batch 6 (P1): 输入验证 + Heartbeat - Relay 验证补全（stream 兼容检查、API key 格式校验） - UUID 类型校验、SessionId 错误返回 - Heartbeat 默认开启 + 首次聊天自动初始化 Batch 7 (P2): 死代码清理 - zclaw-channels 整体移除（317 行） - multi-agent 特性门控、admin 方法标注 Batch 8 (P2): Pipeline 模板 - PipelineMetadata 新增 annotations 字段 - pipeline_templates 命令 + 2 个示例模板 - fallback driver base_url 修复（doubao/qwen/deepseek 端点） Batch 9 (P1): SpeechHand/TwitterHand 真实实现 - SpeechHand: tts_method 字段 + Browser TTS 前端集成 (Web Speech API) - TwitterHand: 12 个 action 全部替换为 Twitter API v2 真实 HTTP 调用 - chatStore/useAutomationEvents 双路径 TTS 触发	2026-03-30 09:24:50 +08:00
iven	5fdf96c3f5	chore: 提交所有工作进度 — SaaS 后端增强、Admin UI、桌面端集成 ... 包含大量 SaaS 平台改进、Admin 管理后台更新、桌面端集成完善、 文档同步、测试文件重构等内容。为 QA 测试准备干净工作树。	2026-03-29 10:46:41 +08:00
iven	80d98b35a5	fix(audit): v5 审计修复 8 项 — 条件编译、安全加固、冗余清理 ... - N1: Whiteboard Export 动作标注 demo=true - N2/N3: Director + A2A 通过 #[cfg(feature)] 条件编译隔离 - N4: viking_adapter 文本匹配降级为 LOW（生产路径走 SqliteStorage） - N5: 移除冗余 compactor_compact_llm Tauri 命令注册 - M3: hand_approve/hand_cancel 添加 hand_id 验证防跨 Hand 审批 - N7: scheduled_task 文档注释标注 PLANNNED - 新增 COMPREHENSIVE_AUDIT_V5.md 独立审计报告 - 更新 DEEP_AUDIT_REPORT.md 追加修复记录（累计 32 项）	2026-03-27 12:33:44 +08:00
iven	8bcabbfb43	refactor: 代码质量清理 - 移除死代码和遗留别名 ... 基于全面审计报告的 P0-P2 修复工作： P0 (已完成): - intelligence 模块: 精确注释 dead_code 标注原因（Tauri runtime 注册） - compactor.rs: 实现 LLM 摘要生成（compact_with_llm） - pipeline_commands.rs: 替换 println! 为 tracing 宏 P1 (已完成): - 移除 8 个 gateway_* 向后兼容别名（OpenClaw 遗留） - 前端 tauri-gateway.ts 改为调用 zclaw_* 命令 - 清理 generation.rs 6 个重复的实例方法（-217 行） - A2A dead_code 注释更新 P2 (已完成): - Predictor/Lead HAND.toml 设置 enabled=false - Wasm/Native SkillMode 添加未实现说明 - browser/mod.rs 移除未使用的 re-export（消除 4 个警告） 文档更新: - feature-checklist.md 从 v0.4.0 更新到 v0.6.0 - CLAUDE.md Hands 状态更新 验证: cargo check 零警告, 42 测试通过, 净减 371 行代码	2026-03-27 00:54:57 +08:00
iven	978dc5cdd8	fix(安全): 修复HTML导出中的XSS漏洞并清理调试日志 ... refactor(日志): 替换console.log为tracing日志系统 style(代码): 移除未使用的代码和依赖项 feat(测试): 添加端到端测试文档和CI工作流 docs(变更日志): 更新CHANGELOG.md记录0.1.0版本变更 perf(构建): 更新依赖版本并优化CI流程	2026-03-26 19:49:03 +08:00
iven	3ff08faa56	release(v0.2.0): streaming, MCP protocol, Browser Hand, security enhancements ... ## Major Features ### Streaming Response System - Implement LlmDriver trait with `stream()` method returning async Stream - Add SSE parsing for Anthropic and OpenAI API streaming - Integrate Tauri event system for frontend streaming (`stream:chunk` events) - Add StreamChunk types: Delta, ToolStart, ToolEnd, Complete, Error ### MCP Protocol Implementation - Add MCP JSON-RPC 2.0 types (mcp_types.rs) - Implement stdio-based MCP transport (mcp_transport.rs) - Support tool discovery, execution, and resource operations ### Browser Hand Implementation - Complete browser automation with Playwright-style actions - Support Navigate, Click, Type, Scrape, Screenshot, Wait actions - Add educational Hands: Whiteboard, Slideshow, Speech, Quiz ### Security Enhancements - Implement command whitelist/blacklist for shell_exec tool - Add SSRF protection with private IP blocking - Create security.toml configuration file ## Test Improvements - Fix test import paths (security-utils, setup) - Fix vi.mock hoisting issues with vi.hoisted() - Update test expectations for validateUrl and sanitizeFilename - Add getUnsupportedLocalGatewayStatus mock ## Documentation Updates - Update architecture documentation - Improve configuration reference - Add quick-start guide updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 03:24:24 +08:00
iven	e8b9e813a6	chore: cleanup phase 5, remove external runtime dependencies	2026-03-22 09:43:01 +08:00
iven	34f4654039	docs: update architecture to reflect internal Rust kernel	2026-03-22 09:08:25 +08:00
iven	ce562e8bfc	feat: complete Phase 1-3 architecture optimization ... Phase 1 - Security: - Add AES-GCM encryption for localStorage fallback - Enforce WSS protocol for non-localhost WebSocket connections - Add URL sanitization to prevent XSS in markdown links Phase 2 - Domain Reorganization: - Create Intelligence Domain with Valtio store and caching - Add unified intelligence-client for Rust backend integration - Migrate from legacy agent-memory, heartbeat, reflection modules Phase 3 - Core Optimization: - Add virtual scrolling for ChatArea with react-window - Implement LRU cache with TTL for intelligence operations - Add message virtualization utilities Additional: - Add OpenFang compatibility test suite - Update E2E test fixtures - Add audit logging infrastructure - Update project documentation and plans Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-21 22:11:50 +08:00
iven	1900abe152	test(intelligence): update tests to use intelligenceClient ... - Rewrite context-compactor.test.ts to use intelligenceClient - Rewrite heartbeat-reflection.test.ts to use intelligenceClient - Rewrite swarm-skills.test.ts to use intelligenceClient - Update CLAUDE.md architecture section for unified intelligence layer All tests now mock Tauri backend calls for unit testing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-21 15:26:35 +08:00
iven	6f72442531	docs(guide): rewrite CLAUDE.md with ZCLAW-first perspective ... Major changes: - Shift from "OpenFang desktop client" to "independent AI Agent desktop app" - Add decision principle: "Is this useful for ZCLAW? Does it affect ZCLAW?" - Simplify project structure and tech stack sections - Replace OpenClaw vs OpenFang comparison with unified backend approach - Consolidate troubleshooting from scattered sections into organized FAQ - Update Hands system documentation with 8 capabilities and status - Stream	2026-03-20 19:30:09 +08:00
iven	adfd7024df	docs(claude): restructure documentation management and add feedback system ... - Restructure §8 from "文档沉淀规则" to "文档管理规则" with 4 subsections - Add docs/ structure with features/ and knowledge-base/ directories - Add feature documentation template with 7 sections (概述/设计初衷/技术设计/预期作用/实际效果/演化路线/头脑风暴) - Add feature update trigger matrix (新增/修改/完成/问题/反馈) - Add documentation quality checklist - Add §16	2026-03-16 13:54:03 +08:00
iven	07079293f4	feat(hands): restructure Hands UI with Chinese localization ... Major changes: - Add HandList.tsx component for left sidebar - Add HandTaskPanel.tsx for middle content area - Restructure Sidebar tabs: 分身/HANDS/Workflow - Remove Hands tab from RightPanel - Localize all UI text to Chinese - Archive legacy OpenClaw documentation - Add Hands integration lessons document - Update feature checklist with new components UI improvements: - Left sidebar now shows Hands list with status icons - Middle area shows selected Hand's tasks and results - Consistent styling with Tailwind CSS - Chinese status labels and buttons Documentation: - Create docs/archive/openclaw-legacy/ for old docs - Add docs/knowledge-base/hands-integration-lessons.md - Update docs/knowledge-base/feature-checklist.md - Update docs/knowledge-base/README.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-14 23:16:32 +08:00