157 Commits

Author	SHA1	Message	Date
iven	2fd6d08899	fix: SaaS Admin + Tauri 一致性审查修复 ... - 删除 webhook 死代码模块 (4 文件 + worker，未注册未挂载) - 删除孤立组件 StatusTag.tsx (从未被导入) - authStore 权限模型补全 (scheduler/knowledge/billing 6+ permission key) - authStore 硬编码 logout URL 改为 env 变量 - 清理未使用 service 方法 (agent-templates/billing/roles) - Logs.tsx 代码重复消除 (本地常量 → @/constants/status) - TRUTH.md 数字校准 (Tauri 177→183, SaaS API 131→130)	2026-04-07 01:53:54 +08:00
iven	ae55ad6dc4	docs: fix middleware count — 11 layers (not 12) ... Clarification is a separate system, not a middleware layer. Verified against crates/zclaw-runtime/src/middleware/ directory.	2026-04-06 22:54:19 +08:00
iven	29a1b3db5b	docs: complete features docs sync — roadmap, TRUTH, security-auth ... - roadmap.md: Tauri 177, skills 75, Pipeline 17 templates, Admin 15 pages - TRUTH.md: Admin V2 15 pages, desktop settings 19 tabs, changelog entry - 02-state-management.md: expanded Store details and descriptions - 03-security-auth.md: updated date - README.md: DeerFlow 2.0 description, skill count correction	2026-04-06 22:49:07 +08:00
iven	efc391a165	docs: sync features docs with current project state ... Update docs/features/ to reflect latest architecture: - Tauri commands: 177 (160 @connected + 16 @reserved) - Zustand stores: 18 (including chatStore 4 sub-stores) - SaaS API routes: 131 (12 modules, 34 data tables) - Workers: 7 (added AggregateUsage + GenerateEmbedding) - React 19 + Tailwind 4 tech stack - Schema v8, subtaskStatus taskId threading	2026-04-06 22:45:29 +08:00
iven	7a3334384a	docs: deep audit complete - all 52 items verified, 51 fixed + 1 false positive ... Deep audit of DEFECT_LIST.md verified every claimed fix against actual code: - P3-03/P3-07/P3-09 were found unimplemented, now all fixed - M11-01 confirmed as FALSE_POSITIVE (blocking_lock never existed) - All P0-P3 defects closed, cargo check passes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 12:27:56 +08:00
iven	4e8f2c7692	fix: resolve 6 remaining defects (P2-18, P2-21, P3-04, P3-05, P3-06, P3-02) ... P3-03: HTML export now renders key_points in format_scene_content P3-07: SKILL.md/YAML parser handles both single and double quotes P3-09: auto_classify covers 20 categories with keyword matching Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 12:27:02 +08:00
iven	7f9799b7e0	fix: P2-24 memory dedup + P2-25 audit logging + P3-02 whiteboard unification ... P2-24: Add content_hash column to memories table with index. Before INSERT, check for existing entry with same normalized content hash within agent scope; merge importance and bump access_count. P2-25: Add hand_executed/hand_approved/hand_denied/skill_executed event types to security-audit.ts. Insert audit logging calls in kernel-hands.ts triggerHand/approveHand and kernel-skills.ts executeSkill execution paths. P3-02: SceneRenderer now imports WhiteboardCanvas component instead of inline SVG rendering, gaining chart/latex support. Deleted 27 lines of duplicated renderWhiteboardItem code. Update DEFECT_LIST.md: P1-01 ✅ (Fantoccini confirmed), P3-02 ✅, add P2-24/P2-25 entries. Active count: 48→50 fixed, 3→1 remaining.	2026-04-06 11:40:53 +08:00
iven	38e7c7bd9b	refactor(classroom): unify whiteboard rendering to WhiteboardCanvas ... Replace inline SVG whiteboard rendering in SceneRenderer with the dedicated WhiteboardCanvas component, gaining chart/latex support and eliminating 27 lines of duplicated rendering logic.	2026-04-06 10:53:21 +08:00
iven	828be3cc9e	fix: resolve 6 remaining defects (P2-18, P2-21, P3-04, P3-05, P3-06, P3-02) ... - P2-18: TOTP QR code local generation via qrcode lib (no external service) - P2-21: Suspend foreign LLM providers (OpenAI/Anthropic/Gemini) for early stage - P3-04: get_progress() now calculates actual percentage from completed/total steps - P3-05: saveSaaSSession calls now have .catch() error logging - P3-06: SaaS relay chatStream passes session_key/agent_id to backend - P3-02: Whiteboard unification plan document created Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 09:52:28 +08:00
iven	d3da7d4dbb	docs: update fix confirmation list with P2/P3 evidence + correct line offsets ... - Add 22 new entries for P2-01 through P3-09 fixes with exact file evidence - Correct stale line numbers: M11-02 (431→440,516), M11-06 (176→187) - All 18 legacy entries verified present in codebase Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 09:20:32 +08:00
iven	26a833d1c8	fix: resolve 17 P2 defects and 5 P3 defects from pre-launch audit ... Batch fix covering multiple modules: - P2-01: HandRegistry Semaphore-based max_concurrent enforcement - P2-03: Populate toolCount/metricCount from Hand trait methods - P2-06: heartbeat_update_config minimum interval validation - P2-07: ReflectionResult used_fallback marker for rule-based fallback - P2-08/09: identity_propose_change parameter naming consistency - P2-10: ClassroomMetadata is_placeholder flag for LLM failure - P2-11: classroomStore userDidCloseDuringGeneration intent tracking - P2-12: workflowStore pipeline_create sends actionType - P2-13/14: PipelineInfo step_count + PipelineStepInfo for proper step mapping - P2-15: Pipe transform support in context.resolve (8 transforms) - P2-16: Mustache {{...}} → \${...} auto-normalization - P2-17: SaaSLogin password placeholder 6→8 - P2-19: serialize_skill_md + update_skill preserve tools field - P2-22: ToolOutputGuard sensitive patterns from warn→block - P2-23: Mutex::unwrap() → unwrap_or_else in relay/service.rs - P3-01/03/07/08/09: Various P3 fixes - DEFECT_LIST.md: comprehensive status sync (43/51 fixed, 8 remaining) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 00:49:16 +08:00
iven	f9e1ce1d6e	docs: add Tauri functional test report with P0-P2 findings	2026-04-05 22:03:14 +08:00
iven	bcaab50c56	fix(desktop): resolve all remaining P1 defects (P1-02/05/06, P1-01 experimental) ... - P1-02: Heartbeat auto-initialized in kernel_init for default agent - P1-05: CloneManager shows warning when deleting active agent + auto-switch - P1-06: AgentInfo returns soul/system_prompt/temperature/max_tokens - P1-01: Browser Hand marked experimental (requires Fantoccini bridge) - Updated DEFECT_LIST.md: all P1 resolved (0 active) - Updated RELEASE_READINESS.md: all P1 sections reflect current status	2026-04-05 21:21:33 +08:00
iven	e65b49c821	docs: update defect list and release readiness after P1 fixes ... P1-03 and P1-04 marked as fixed. Active P1 count: 6→4, total active defects: 38→36. Release blockers cleared — Beta release path confirmed.	2026-04-05 19:18:48 +08:00
iven	a458e3f7d8	docs: add pre-launch audit defect list and release readiness assessment ... DEFECT_LIST.md: 38 active defects (0 P0, 6 P1, 23 P2, 9 P3) - 13 V12 issues confirmed fixed - 4 new issues discovered during testing RELEASE_READINESS.md: Overall health 73→79 (+6) - 2 blocking items: classroom model hardcode + LLM API concurrency - T5-T8 modules at 78-91/100 (low risk) - Recommended: fix 2 blockers then release as Beta	2026-04-05 18:52:39 +08:00
iven	1f792bdfe0	test: add T6 SaaS, T7 Skills, T8 Chat audit reports ... T6 SaaS Desktop (health 85→89, +4): - M7-02 P1 PUT path param 已修复 - M7-04 P1 refreshToken body 已修复 - M7-01 P2 密码长度不一致（6 vs 8）未修复 T7 Skills (health 85→87, +2): - M5-01 P1 triggers 映射已修复（正确使用 backend.triggers） - category 全部为 null（仍从 tags[0] 映射） - 75 个技能全部成功加载 T8 Chat (health 91→91, 0): - ChatStore 4-sub-store 重构完成 - 11 层中间件链确认存在 - 11 项 V12 问题全为 P2/P3	2026-04-05 18:50:19 +08:00
iven	66827a55a5	test: add T5 Pipeline workflow audit report ... T5 Pipeline (health 72→78, +6): - M6-01 P1 route_intent 已修复 (已注册) - M6-02 P1 v1/v2 解析器分裂已修复 (fallback) - 15 个行业模板全部成功列举 - pipeline_run 异步执行基本工作 - M6-03/04/05/07 P2 未修复	2026-04-05 18:44:28 +08:00
iven	4431bef71c	test: add T4 Classroom system audit report ... T4 Classroom (health 70→75, +5): - M11-01 P1 blocking_lock 已修复 (try_lock) - M11-02 P1 map_err 已修复 - M11-03 P1 持久化已修复 (SQLite) - M11-06 Date.now→crypto.randomUUID 已修复 - NEW P1: GenerationPipeline 硬编码 model="default" 导致课堂生成 404	2026-04-05 18:38:20 +08:00
iven	a3bfdbb01c	test: add T2 Intelligence and T3 Agent audit reports ... T2 Intelligence (health 61→74, +13): - M4-01 P0 双数据库已修复 (unified-client 统一路径) - M4-03 Heartbeat 不自动启动 (未修复) - M4-08 心跳间隔无下限 (未修复) - 记忆 CRUD 全链路通过 T3 Agent (health 67→73, +6): - M2-01 字段丢失部分修复 (写入成功但读取不返回) - M2-05 删除活跃 Agent 无警告 (未修复) - M2-08 参数验证部分修复 (max_tokens=0 未拒绝) - CRUD 操作基本工作	2026-04-05 18:29:29 +08:00
iven	5877e794fa	test: add T1 Hands audit report and baseline results ... Phase 1 baseline + T1 Hands functional audit: - Desktop vitest: 174/185 passed (chatStore refactoring) - Admin vitest: 36/71 passed (API mock issues) - Cargo check: 0 errors - T1 Hands: 18/23 TCs executed, health 58→68 (+10) - Key findings: M3-01/M3-06 fixed, M3-02/M3-04 unfixed - New P1: LLM API concurrent DATABASE_ERROR	2026-04-05 18:19:32 +08:00
iven	0a3ba2fad4	docs: add pre-launch functional audit test execution plan (T1-T12, 5 chunks, 112 TCs)	2026-04-05 17:53:39 +08:00
iven	7e56b40972	docs: add functional verification plan and report ... Comprehensive 15-module verification of ZCLAW desktop app via tauri-mcp. Found 8 issues (1 CRITICAL fixed, 3 MAJOR, 4 MINOR). Key findings: - Skills system shows 0 loaded (should be 75) - Automation/Skills/Workflow views have no UI navigation entry - Rate limiting triggered by rapid page switching	2026-04-05 15:49:19 +08:00
iven	d6b1f44119	feat(admin): add ConfigSync page + close ADMIN-01/02 (AUDIT_TRACKER) ... - ADMIN-01 FIXED: ConfigSync.tsx page with ProTable + pagination - config-sync service calling GET /config/sync-logs - route + nav item + breadcrumb - backend @reserved → @connected - ADMIN-02 FALSE_POSITIVE: Logs.tsx + logs service already exist	2026-04-05 01:40:38 +08:00
iven	745c2fd754	feat(saas): add down migrations for all incremental schema changes (AUD3-DB-01) ... - 16 down SQL files in migrations/down/ for each incremental migration - db::run_down_migrations() executes rollback files in reverse order - migrate_down CLI task: task=migrate_down timestamp=20260402 - Initial schema and seed data excluded (would be destructive)	2026-04-05 01:35:33 +08:00
iven	3b0ab1a7b7	fix(types): Desktop type safety hardening (TYPE-01) ... - Unify ConnectionState: kernel-types.ts now canonical source with 'handshaking', gateway-types.ts re-exports - PromptTemplateInfo source/status → union literals - PromptVariable.type → union literal - CreateRoleRequest id/permissions → optional - PropertyPanel: replace 13 as any with typed accessor pattern - chatStore: window cast via as unknown as Record	2026-04-05 01:30:29 +08:00
iven	36168d6978	docs(audit): sync AUD3-FE-05/06 table status to FIXED	2026-04-05 01:13:27 +08:00
iven	b84a503500	docs(audit): batch close 17 OPEN items + update TRUTH.md command counts ... Closed items (FALSE_POSITIVE): V11-P3-02/03/08, V11-P4-03/04/05, AUD3-FE-04/07/08, V11-P3-04/06, AUD3-CONC-03, DOC-03/04, V11-P4-01 Fixed: V11-P2-05, AUD3-FE-03, AUD3-FE-09, DOC-03 Documented: AUD3-API-02, V11-P4-02, SEC2-P3-01/02 TRUTH.md: 171→177 commands (160 @connected / 16 @reserved) CLAUDE.md: skills 76→75, unified counts	2026-04-05 01:07:08 +08:00
iven	13a40dbbf5	docs(audit): update tracker with DEAD-05 + V11-P2-05 progress ... - DEAD-05: 10 dead saas-client methods removed (PARTIALLY_FIXED) - V11-P2-05: 9 stale @reserved annotations corrected to @connected Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-05 00:23:45 +08:00
iven	26dc500b1b	docs(audit): batch close 15 P2/P3 items as FALSE_POSITIVE ... CLOSED items: - BREAK-02/03/04: FALSE_POSITIVE (already closed in changelog) - V11-P2-01: saas-admin.ts deleted - V11-P2-02: admin-v2 has roles service+page - V11-P2-04: ToolDefinition re-export, not duplicate - V11-P2-06: fetch_all sync-only, no LIMIT needed - V11-P3-02/03: function removed or feature-gated - V11-P3-05/DEAD-04: properly feature-gated - AUD3-CONC-02/DB-02: already covered by SEC2-P2-05/08 - EVAL-01: zclaw-channels removed - SEC-V9-02: comprehensive validation exists - DOC-01/02: tauri command count updated 175→171 Also fixed BREAK-02/03/04 table rows to match changelog status.	2026-04-04 23:52:33 +08:00
iven	37e77d0d5e	docs(audit): close P2/P3 items, FALSE_POSITIVE resolved ... - SEC-V9-02: relay input validation already comprehensive - AUDIT-01: audit-logger.ts already deleted in prior cleanup - G-07: provider_keys vs account_api_keys intentional architecture - V11-P2-03: gateway-storage sync methods already replaced - V11-P3-01: audit-logger.ts already deleted - V11-P3-07: secure-storage sync same as V11-P2-03 - Batch 7 commit hash corrected (1fec8cf)	2026-04-04 21:51:36 +08:00
iven	61224efff5	docs(truth): update numbers after V12 modular audit ... - Pipeline templates: 10 → 17 YAML files - Hands disabled: clarify Predictor/Lead have no TOML/Rust impl - Classroom commands: annotate @reserved status - Add V12 audit changelog entries	2026-04-04 21:34:24 +08:00
iven	6c6fcb76b3	docs(audit): resolve 3 P1 architecture decisions ... - SEC2-P1-01 FactStore: FALSE_POSITIVE (trait already removed) - V11-P1-03 3 SQL tables: FALSE_POSITIVE (2 active via JOIN, 1 write-only downgrade to P3) - M4-04 deep approval: WONTFIX (4-layer defense-in-depth sufficient) - M11-02: FIXED (map_err added in prev commit)	2026-04-04 21:31:47 +08:00
iven	1fec8cfbc1	fix(arch): unify TS/Rust types + classroom persistence registration + approval audit ... - M11-03: Register ClassroomPersistence via Tauri .setup() hook with in-memory fallback. Previously missing — classroom commands would crash at runtime. - M3-02: Document BrowserHand as schema validator + TypeScript delegation passthrough (dual-path architecture explicitly documented). - M4-04: Add defense-in-depth audit logging in execute_hand() and execute_hand_with_source() when needs_approval hands bypass approval gate. - TYPE-01: Add #[serde(rename_all = "camelCase")] to Rust AgentInfo. Add missing fields to TS AgentInfo (messageCount, createdAt, updatedAt). Fix KernelStatus TS interface to match Rust KernelStatusResponse (baseUrl/model instead of defaultProvider/defaultModel). - SEC2-P1-01: Document EXTRACTION_DRIVER OnceCell as legacy path; Kernel struct field is the active path. - TriggerSource: Add #[derive(PartialEq)] for approval audit comparisons.	2026-04-04 21:09:02 +08:00
iven	8e56df74ec	docs: update audit tracker with V12 module audit fix progress	2026-04-04 19:28:11 +08:00
iven	442ec0eeef	docs(audit): V12 模块化端到端审计报告 — 11 模块 + 总报告 ... 混合矩阵式审计：10 个功能模块 × 五维检查清单 - 项目整体健康度: 76/100 - 2 个 P0 (M4 双数据库 + 反思引擎 LLM 未接入) - 15 个 P1 (跨 M2/M3/M4/M5/M6/M7/M11) - 三类断链模式: 写了没接/接了不对/双实现未统一 - 三阶段修复路线图: P0(2-3天) → P1(5-7天) → P2(5-7天)	2026-04-04 17:55:03 +08:00
iven	5db2907420	test(desktop): add agent-chat comprehensive E2E test spec ... Full E2E test suite for agent chat functionality including: - Message send/receive flow - Streaming response verification - Model switching behavior - Error handling scenarios - Multi-turn conversation context Includes test report documenting coverage and known gaps.	2026-04-03 23:02:00 +08:00
iven	cc26797faf	fix(saas): eliminate 6 compiler warnings + stabilize directive complete ... - Remove unused imports: Utc (billing/service), StatusCode (billing/handlers), Sha256 (billing/handlers) - Fix unused variables: _db (scheduler), _e (payment WeChat error) - Fix visibility: RegisterDeviceRequest pub(super) → pub (used in pub handler) - Update STABILIZATION_DIRECTIVE.md: all 7 criteria met, downgrade to advisory - Fix TRUTH.md §2.2: mark P0/P1 defects as resolved, update Admin pages count to 14 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-03 21:57:04 +08:00
iven	2ceeeaba3d	fix(production-readiness): 3-batch production readiness cleanup — 12 tasks ... Batch 1 — User-facing fixes: - B1-1: Pipeline verified end-to-end (14 Rust commands, 8 frontend invoke, fully connected) - B1-2: MessageSearch restored to ChatArea with search button in DeerFlow header - B1-3: Viking cleanup — removed 5 orphan invokes (no Rust impl), added addWithMetadata + storeWithSummaries methods + summary generation UI - B1-4: api-fallbacks transparency — added _isFallback markers + console.warn to all 6 fallback functions Batch 2 — System health: - B2-1: Document drift calibration — TRUTH.md/README.md numbers verified and updated - B2-2: @reserved annotations on 15 SaaS handler functions with no frontend callers - B2-3: Scheduled Task Admin V2 — new service + page + route + sidebar navigation - B2-4: TRUTH.md Pipeline/Viking/ScheduledTask records corrected Batch 3 — Long-term quality: - B3-1: hand_run_status/hand_run_list verified as fully implemented (not stubs) - B3-2: Identity snapshot rollback UI added to RightPanel - B3-3: P2 code quality — 4 fixes (TODO comments, fire-and-forget notes, design notes, table name validation), 2 verified N/A, 1 upstream - B3-4: Config PATCH→PUT alignment (admin-v2 config.ts matched to SaaS backend)	2026-04-03 21:34:56 +08:00
iven	305984c982	fix(saas): P2 code quality fixes + config PATCH/PUT alignment ... P2 code quality (SEC2-P2-01~10): - P2-04: Replace vague TODO with detailed Phase 2 design note in generate_embedding.rs - P2-05: Add NOTE(fire-and-forget) annotations to 4 long-running tokio::spawn in main.rs - P2-07: Add DESIGN NOTE to scheduler explaining sequential execution rationale - P2-08: Add compile-time table name whitelist + runtime char validation in db.rs - P2-02: Verified N/A (only zclaw-pipeline uses serde_yaml_bw, no inconsistency) - P2-06: Verified N/A (bind loop correctly matches 6-column placeholders) - P2-03: Remains OPEN (requires upstream sqlx release) Config HTTP method alignment (B3-4): - Fix admin-v2 config.ts: request.patch -> request.put to match backend .put() route - Fix backend handler doc comment: PATCH -> PUT - Add @reserved annotations to 6 config handlers without frontend callers	2026-04-03 21:32:17 +08:00
iven	22b967d2a6	docs(features): v0.10.1/v0.10.2 数字校准 + 行业模板文档更新 ... - README.md: SKILL 76→75, Tauri 命令 175→171, SaaS API 58→131, Workers 5→7, 数据表 25→34, Admin 11→13 页面 - 00-saas-overview.md: Agent Template 新增 5 个端点文档、种子数据表、端到端数据流图 - roadmap.md: 同步最新数字 - fix(saasStore): toTopRequired → totpRequired 拼写修复	2026-04-03 21:29:44 +08:00
iven	1c697d0b46	chore: 清理临时管理目录并更新文档索引 ... 删除 admin-temp-dir 目录及其内容 更新文档索引以包含 dashmap 相关文件	2026-04-03 00:42:48 +08:00
iven	d8e2954d73	docs: stabilization directive + TRUTH document + AI session prompts + dockerignore ... - STABILIZATION_DIRECTIVE.md: feature freeze rules, banned actions, priorities - TRUTH.md: single source of truth for system state (crate counts, store counts) - AI_SESSION_PROMPTS.md: three-layer prompt system for AI sessions - Industry agent delivery design spec - Stabilization test suite for regression prevention - Delete stale ISSUE-TRACKER.md - Add .dockerignore for container builds - Add brainstorm session artifacts	2026-04-03 00:29:16 +08:00
iven	0a04b260a4	refactor(desktop): ChatStore structured split + IDB persistence + stream cancel ... Split monolithic chatStore.ts (908 lines) into 4 focused stores: - chatStore.ts: facade layer, owns messages[], backward-compatible selectors - conversationStore.ts: conversation CRUD, agent switching, IndexedDB persistence - streamStore.ts: streaming orchestration, chat mode, suggestions - messageStore.ts: token tracking Key fixes from 3-round deep audit: - C1: Fix Rust serde camelCase vs TS snake_case mismatch (toolStart/toolEnd/iterationStart) - C2: Fix IDB async rehydration race with persist.hasHydrated() subscribe - C3: Add sessionKey to partialize to survive page refresh - H3: Fix IDB migration retry on failure (don't set migrated=true in catch) - M3: Fix ToolCallStep deduplication (toolStart creates, toolEnd updates) - M-NEW-2: Clear sessionKey on cancelStream Also adds: - Rust backend stream cancellation via AtomicBool + cancel_stream command - IndexedDB storage adapter with one-time localStorage migration - HMR cleanup for cross-store subscriptions	2026-04-03 00:24:16 +08:00
iven	8898bb399e	docs: audit reports + feature docs + skills + admin-v2 + config sync ... Update audit tracker, roadmap, architecture docs, add admin-v2 Roles page + Billing tests, sync CLAUDE.md, Cargo.toml, docker-compose.yml, add deep-research / frontend-design / chart-visualization skills Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-02 19:25:00 +08:00
iven	62df7feac1	docs(spec): switch payment integration from Stripe to Alipay/WeChat Pay direct ... Target market is domestic China users only — integrate Alipay Face-to-Face Payment and WeChat Native Pay directly instead of Stripe as intermediary. Updated billing module structure, risk table, and verification criteria. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-01 23:21:22 +08:00
iven	73ff5e8c5e	feat(desktop): DeerFlow visual redesign + stream hang fix + intelligence client ... DeerFlow frontend visual overhaul: - Card-style input box (white rounded card, textarea top, actions bottom) - Dropdown mode selector (闪速/思考/Pro/Ultra with icons+descriptions) - Colored quick-action chips (小惊喜/写作/研究/收集/学习) - Minimal top bar (title + token count + export) - Warm gray color system (#faf9f6 bg, #f5f4f1 sidebar, #e8e6e1 border) - DeerFlow-style sidebar (新对话/对话/智能体 nav) - Reasoning block, tool call chain, task progress visualization - Streaming text, model selector, suggestion chips components - Resizable artifact panel with drag handle - Virtualized message list for 100+ messages Bug fixes: - Stream hang: GatewayClient onclose code 1000 now calls onComplete - WebView2 textarea border: CSS !important override for UA styles - Gateway stream event handling (response/phase/tool_call types) Intelligence client: - Unified client with fallback drivers (compactor/heartbeat/identity/memory/reflection) - Gateway API types and type conversions	2026-04-01 22:03:07 +08:00
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 ... Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	6cae768401	fix(desktop): session persistence — refresh/login/context/empty-content 4-bug fix ... 1. App.tsx: add restoreSession() call on startup to prevent redirect to login page after refresh (isRestoring guard + BootstrapScreen) 2. CloneManager: call syncAgents() after loadClones() to restore currentAgent and conversation history on app load 3. zclaw-memory: add get_or_create_session() so frontend session UUID is persisted directly — kernel no longer creates mismatched IDs 4. openai.rs: assistant message content must be non-empty for Kimi/Qwen APIs — replace empty content with meaningful placeholders Also includes admin-v2 ModelServices unified page (merge providers + models + API keys into expandable row layout)	2026-03-31 13:38:59 +08:00
iven	3e5d64484e	fix(relay): fix llm_routing read path bug and add User-Agent header for Coding Plan ... 1. connectionStore.ts: storedAccount.account.llm_routing → storedAccount.llm_routing - saveSaaSSession stores SaaSAccountInfo directly, not { account: SaaSAccountInfo } - This bug caused admin llm_routing config to never take effect 2. relay/service.rs: add User-Agent: claude-code/1.0 header - Kimi Coding Plan requires recognized coding agent User-Agent - Default reqwest UA is rejected with 403 3. Docs: add llm_routing routing mode explanation and troubleshooting entries	2026-03-31 12:02:32 +08:00
iven	f79560a911	refactor(desktop): split kernel_commands/pipeline_commands into modules, add SaaS client libs and gateway modules ... Split monolithic kernel_commands.rs (2185 lines) and pipeline_commands.rs (1391 lines) into focused sub-modules under kernel_commands/ and pipeline_commands/ directories. Add gateway module (commands, config, io, runtime), health_check, and 15 new TypeScript client libraries for SaaS relay, auth, admin, telemetry, and kernel sub-systems (a2a, agent, chat, hands, skills, triggers). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-31 11:12:47 +08:00