iven
58aca753aa
chore: pre-release preparation: unify version numbers + security hardening + dead component cleanup
- Cargo.toml workspace version 0.1.0 → 0.9.0-beta.1
- CSP: add object-src 'none' to prevent plugin injection
- .env.example: add a template for the key SaaS environment variables
- Remove the deprecated SkillMarket.tsx component
2026-04-11 23:51:58 +08:00
iven
d871685e25
fix(auth): fix 5 bugs: refresh token persistence + password validation + browser compatibility
BUG-1 (P1): LoginPage registration password validation changed from 6 to 8 characters, consistent with the backend
BUG-2 (P0): refresh token persisted to the OS keyring + restoreSession three-level recovery
(access token → refresh token → cookie auth) + saveSaaSSession changed to await
BUG-3 (P0): Tauri chat route degradation issue; same root cause as BUG-2 (session recovery failure)
BUG-4 (P1): App.tsx skip-Onboarding now uses agentStore (compatible with all clients);
Workspace.tsx Tauri invoke changed to a dynamic import to avoid browser crashes
BUG-5: tauri.conf.json createUpdaterArtifacts changed to boolean true
2026-04-11 09:43:17 +08:00
iven
33008c06c7
chore: version 0.1.0 → 0.9.0-beta.1 + reserve updater plugin
- package.json / tauri.conf.json: version updated to 0.9.0-beta.1
- tauri.conf.json: add empty plugins.updater placeholder config + createUpdaterArtifacts
- Cargo.toml: add tauri-plugin-updater dependency
- lib.rs: register the updater plugin (placeholder; configure HTTPS endpoint + Ed25519 key at deployment)
2026-04-11 03:02:39 +08:00
iven
e3b93ff96d
fix(security): implement all 15 security fixes from penetration test V1
Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.
HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)
MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)
Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.
2026-04-01 08:38:37 +08:00
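As an added illustration of how items H1 and M2 above fit together, here is a small std-only Rust model of the two checks: a middleware-side comparison of the token's `pwv` claim against the user's stored password version (so a password change invalidates every outstanding token), and a per-account lockout counter (5 failures, 15-minute lock). This is example code written for this page, not the ZCLAW project's own code; the type and function names (`Claims`, `UserAuthState`, `verify_token_claims`, `ensure_not_locked`, `record_failure`, `record_success`) are assumptions, and signature verification of the JWT is assumed to have already succeeded before these checks run.

```rust
// Added illustration (not the ZCLAW project's code) of H1 (JWT password_version)
// and M2 (account lockout). All names below are assumptions. JWT signature and
// issuer checks are assumed to have passed before verify_token_claims is called.

use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Consecutive failures before the account locks (M2 above: 5).
pub const MAX_FAILURES: u32 = 5;
/// Lock duration (M2 above: 15 minutes).
pub const LOCKOUT: Duration = Duration::from_secs(15 * 60);

/// Claims carried in the access token. `pwv` is the password version that was
/// current when the token was issued (H1 above).
#[derive(Debug, Clone, PartialEq)]
pub struct Claims {
    pub sub: String,
    pub pwv: u32,
    pub exp: u64, // unix seconds
}

/// Server-side per-user state the middleware consults (assumed shape).
#[derive(Debug, Clone)]
pub struct UserAuthState {
    pub password_version: u32,
    pub failed_attempts: u32,
    pub locked_until: Option<u64>, // unix seconds
}

#[derive(Debug, Clone, PartialEq)]
pub enum AuthError {
    Expired,
    StalePasswordVersion,
    Locked { until: u64 },
}

fn now_secs() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs()
}

/// Middleware check: a token whose `pwv` differs from the stored version was
/// issued before the last password change and is rejected even though its
/// signature and expiry are fine.
pub fn verify_token_claims(claims: &Claims, user: &UserAuthState, now: u64) -> Result<(), AuthError> {
    if claims.exp <= now {
        return Err(AuthError::Expired);
    }
    if claims.pwv != user.password_version {
        return Err(AuthError::StalePasswordVersion);
    }
    Ok(())
}

/// Called on password change: bumping the version invalidates every token
/// that still carries the old `pwv`.
pub fn bump_password_version(user: &mut UserAuthState) {
    user.password_version += 1;
}

/// Run before checking credentials. An expired lock is cleared and the
/// failure counter reset; an active lock rejects the attempt outright.
pub fn ensure_not_locked(user: &mut UserAuthState, now: u64) -> Result<(), AuthError> {
    if let Some(until) = user.locked_until {
        if now < until {
            return Err(AuthError::Locked { until });
        }
        user.locked_until = None;
        user.failed_attempts = 0;
    }
    Ok(())
}

/// Record a failed credential check. Returns the lock expiry once the
/// threshold is reached, None otherwise.
pub fn record_failure(user: &mut UserAuthState, now: u64) -> Option<u64> {
    user.failed_attempts += 1;
    if user.failed_attempts >= MAX_FAILURES {
        let until = now + LOCKOUT.as_secs();
        user.locked_until = Some(until);
        return Some(until);
    }
    None
}

/// A successful login clears the failure counter.
pub fn record_success(user: &mut UserAuthState) {
    user.failed_attempts = 0;
}

fn main() {
    let mut user = UserAuthState { password_version: 3, failed_attempts: 0, locked_until: None };
    let token = Claims { sub: "user-42".to_string(), pwv: 3, exp: now_secs() + 3600 };
    println!("fresh token: {:?}", verify_token_claims(&token, &user, now_secs()));
    bump_password_version(&mut user);
    println!("after password change: {:?}", verify_token_claims(&token, &user, now_secs()));
    let t = now_secs();
    for _ in 0..MAX_FAILURES {
        record_failure(&mut user, t);
    }
    println!("after {} failures: {:?}", MAX_FAILURES, ensure_not_locked(&mut user, t));
}
```

The ordering matters: `ensure_not_locked` runs before the password is compared, so a locked account never reaches the credential check, and `verify_token_claims` runs on every authenticated request, not only at login, which is what makes the version bump revoke already-issued tokens.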
iven
978dc5cdd8
fix(security): fix XSS vulnerability in HTML export and clean up debug logs
refactor(logging): replace console.log with the tracing logging system
style(code): remove unused code and dependencies
feat(tests): add end-to-end test documentation and CI workflow
docs(changelog): update CHANGELOG.md to record the 0.1.0 changes
perf(build): update dependency versions and optimize the CI pipeline
2026-03-26 19:49:03 +08:00
iven
3ff08faa56
release(v0.2.0): streaming, MCP protocol, Browser Hand, security enhancements
## Major Features
### Streaming Response System
- Implement LlmDriver trait with `stream()` method returning async Stream
- Add SSE parsing for Anthropic and OpenAI API streaming
- Integrate Tauri event system for frontend streaming (`stream:chunk` events)
- Add StreamChunk types: Delta, ToolStart, ToolEnd, Complete, Error
### MCP Protocol Implementation
- Add MCP JSON-RPC 2.0 types (mcp_types.rs)
- Implement stdio-based MCP transport (mcp_transport.rs)
- Support tool discovery, execution, and resource operations
### Browser Hand Implementation
- Complete browser automation with Playwright-style actions
- Support Navigate, Click, Type, Scrape, Screenshot, Wait actions
- Add educational Hands: Whiteboard, Slideshow, Speech, Quiz
### Security Enhancements
- Implement command whitelist/blacklist for shell_exec tool
- Add SSRF protection with private IP blocking
- Create security.toml configuration file
## Test Improvements
- Fix test import paths (security-utils, setup)
- Fix vi.mock hoisting issues with vi.hoisted()
- Update test expectations for validateUrl and sanitizeFilename
- Add getUnsupportedLocalGatewayStatus mock
## Documentation Updates
- Update architecture documentation
- Improve configuration reference
- Add quick-start guide updates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-24 03:24:24 +08:00
iven
2fb914c965
fix: UTF-8 boundary issue in compactor and remove openfang-runtime from bundle
2026-03-22 09:23:19 +08:00
iven
a312524abb
fix(gateway): add API fallbacks and connection stability improvements
- Add api-fallbacks.ts with structured fallback data for 6 missing API endpoints
- QuickConfig, WorkspaceInfo, UsageStats, PluginStatus, ScheduledTasks, SecurityStatus
- Graceful degradation when backend returns 404
- Add heartbeat mechanism (30s interval, 3 max missed)
- Automatic connection keep-alive with ping/pong
- Triggers reconnect when heartbeats fail
- Improve reconnection strategy
- Emit 'reconnecting' events for UI feedback
- Support infinite reconnect mode
- Add ConnectionStatus component
- Visual indicators for 5 connection states
- Manual reconnect button when disconnected
- Compact and full display modes
Diagnosed via Chrome DevTools: WebSocket was working fine, real issue was
404 errors from missing API endpoints being mistaken for connection problems.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 09:56:25 +08:00
iven
4eb164764a
feat(openfang): add bundled OpenFang runtime support
- Add prepare-openfang-runtime.mjs script for cross-platform binary download
- Update lib.rs to support binary runtime (fallback to Node.js for legacy)
- Add openfang.cmd/sh launcher scripts
- Update runtime-manifest.json for binary-based runtime
- Add README documentation for bundled runtime architecture
OpenFang binary is downloaded during build, supporting:
- Windows x64/ARM64 (.zip)
- macOS Intel/Apple Silicon (.tar.gz)
- Linux x64/ARM64 (.tar.gz)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 18:03:43 +08:00
iven
045e9cef5b
feat: initialize ZCLAW project with core systems and Tauri desktop
- Created backend core systems:
- Remote Execution System
- Task Orchestration Engine
- Persistent Memory System
- Proactive Service System
- Created Tauri desktop app:
- Three-column layout based on AutoClaw design
- React + TypeScript + Tailwind CSS
- Zustand state management
- Lucide React icons
- Components:
- Sidebar (Agent list, IM channels, scheduled tasks)
- ChatArea (Chat interface with message bubbles)
- RightPanel (Task progress, statistics, next actions)
Next: Test Tauri dev server and integrate with OpenClaw backend
2026-03-11 22:06:07 +08:00