5 Commits

Author	SHA1	Message	Date
iven	2fd6d08899	fix: SaaS Admin + Tauri 一致性审查修复 ... - 删除 webhook 死代码模块 (4 文件 + worker，未注册未挂载) - 删除孤立组件 StatusTag.tsx (从未被导入) - authStore 权限模型补全 (scheduler/knowledge/billing 6+ permission key) - authStore 硬编码 logout URL 改为 env 变量 - 清理未使用 service 方法 (agent-templates/billing/roles) - Logs.tsx 代码重复消除 (本地常量 → @/constants/status) - TRUTH.md 数字校准 (Tauri 177→183, SaaS API 131→130)	2026-04-07 01:53:54 +08:00
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 ... Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	6cae768401	fix(desktop): session persistence — refresh/login/context/empty-content 4-bug fix ... 1. App.tsx: add restoreSession() call on startup to prevent redirect to login page after refresh (isRestoring guard + BootstrapScreen) 2. CloneManager: call syncAgents() after loadClones() to restore currentAgent and conversation history on app load 3. zclaw-memory: add get_or_create_session() so frontend session UUID is persisted directly — kernel no longer creates mismatched IDs 4. openai.rs: assistant message content must be non-empty for Kimi/Qwen APIs — replace empty content with meaningful placeholders Also includes admin-v2 ModelServices unified page (merge providers + models + API keys into expandable row layout)	2026-03-31 13:38:59 +08:00
iven	c2aff09811	feat(security): Auth Token HttpOnly Cookie — XSS 安全加固 ... 后端: - axum-extra 启用 cookie feature - login/register/refresh 设置 HttpOnly + Secure + SameSite=Strict cookies - 新增 POST /api/v1/auth/logout 清除 cookies - auth_middleware 支持 cookie 提取路径（fallback from header） - CORS: 添加 allow_credentials(true) + COOKIE header 前端 (admin-v2): - authStore: token 仅存内存，不再写 localStorage（account 保留） - request.ts: 添加 withCredentials: true 发送 cookies - 修复 refresh token rotation bug（之前不更新 stored refreshToken） - logout 调用后端清除 cookie 端点 向后兼容: API 客户端仍可用 Authorization: Bearer header Desktop (Ed25519 设备认证) 完全不受影响	2026-03-30 19:30:42 +08:00
iven	a7d33d0207	feat(admin): Admin V2 — Ant Design Pro 纯 SPA 重写 ... Next.js SSR/hydration 与 SWR fetch-on-mount 存在根本冲突： hydration 卸载组件时 abort 的请求仍占用后端 DB 连接， retry 循环耗尽 PostgreSQL 连接池导致后端完全卡死。 admin-v2 使用 Vite + React + antd 纯 SPA 彻底消除此问题： - 12 页面全部完成（Login, Dashboard, Accounts, Providers, Models, API Keys, Usage, Relay, Config, Prompts, Logs, Agent Templates） - ProTable + ProForm + ProLayout 统一 UI 模式 - TanStack Query + Axios + Zustand 数据层 - JWT 自动刷新 + 401 重试机制 - 全部 18 网络请求 200 OK，零 ERR_ABORTED 同时更新 troubleshooting 第 13 节和 SaaS 平台文档。	2026-03-30 09:35:59 +08:00