53 Commits

Author	SHA1	Message	Date
iven	ffaee49d67	feat(middleware): add butler router for semantic skill routing ... New ButlerRouterMiddleware (priority 80) intercepts user messages, classifies intent using keyword-based domain detection, and injects routing context into the system prompt. Supports healthcare, data report, policy compliance, and meeting coordination domains. - New: butler_router.rs — keyword classifier + MiddlewareContext injection - Registered in Kernel::create_middleware_chain() at priority 80 - 9 tests passing (classification + middleware integration)	2026-04-09 09:26:48 +08:00
iven	adcce0d70c	fix: 4 pre-release bug fixes — identity override, model config, agent sync, auto-identity ... P1: identity.rs get_identity() returns empty soul/instructions for agents without explicit identity files. This prevents the default ZCLAW personality from overriding agent_config.system_prompt. New get_identity_or_default() method added for the DEFAULT agent. P2: messaging.rs now uses agent_config.model.model when available, falling back to global Kernel config. This allows per-agent model selection. P2: agentStore.ts loadClones retries up to 3 times (300ms interval) when getClient() returns null, handling the coordinator initialization race. P2: agent_create Tauri command auto-populates identity files (soul + instructions) from creation parameters, ensuring build_system_prompt() has content for new agents. Also fixes conversationStore upsertActiveConversation to persist generated conversation IDs, preventing duplicate entries on new conversations.	2026-04-08 21:47:46 +08:00
iven	a5b887051d	fix: butler audit critical fixes — pain detection, proposal trigger, URI + data flow ... 5 fixes from focused audit: - Connect analyze_for_pain_signals() to post_conversation_hook (pain points now auto-created) - Add "generate solution" button in InsightsSection for high-confidence pain points (>=0.7) - Fix Memory URI mismatch: viking://agents/ → viking://agent/ (singular) - Remove duplicate .then() chain in useButlerInsights (was destructuring undefined) - Update stale director.rs doc comment (multi-agent now enabled by default)	2026-04-07 10:23:54 +08:00
iven	e1f3a9719e	feat(multi-agent): enable Director + butler delegation (Chunk 4) ... - Enable multi-agent feature by default in desktop build - Add butler delegation logic: task decomposition, expert assignment - Add ExpertTask, DelegationResult, butler_delegate() to Director - Add butler_delegate_task Tauri command bridging Director to frontend - 13 Director tests passing (6 original + 7 new butler tests) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-07 09:21:49 +08:00
iven	8aed363fc8	feat(middleware): add DataMaskingMiddleware — sensitive entity protection (Chunk 3) ... Priority 90 — runs before Compaction@100 and Memory@150. Detects and replaces company names, money amounts, phone numbers, emails, and ID card numbers with deterministic tokens (__ENTITY_N__). External callers can restore originals via DataMasker::unmask().	2026-04-07 08:01:05 +08:00
iven	14c3c963c2	feat: ask_clarification tool + clarification system prompt + progressive skill loading fix ... - New ask_clarification tool (crates/zclaw-runtime/src/tool/builtin/ask_clarification.rs) with 5 clarification types: missing_info, ambiguous_requirement, approach_choice, risk_confirmation, suggestion - Registered as built-in tool in builtin.rs - Added clarification system prompt instructions to messaging.rs system prompt - Fixed messaging.rs skill injection: when SkillIndexMiddleware is active, only inject usage instructions (not full skill list), avoiding duplicate injection - Fixed pre-existing unicode arrow character causing string literal parse error Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 13:19:10 +08:00
iven	c3ab7985d2	refactor(skills): progressive skill loading — avoid duplicate injection ... When SkillIndexMiddleware is active, build_system_prompt_with_skills no longer injects the full categorized skill list. Instead it only adds usage instructions, while the middleware handles the lightweight index. This reduces ~2000 tokens per request for the 75-skill system.	2026-04-06 13:11:49 +08:00
iven	cb140b5151	feat: DeerFlow 2.0 core capabilities — Phase 1.0 + 1.1 ... Phase 1.0 — Butler Mode UI: - Hide "自动化" and "技能市场" entries from sidebar navigation - Remove AutomationPanel and SkillMarket view rendering from App.tsx - Simplify MainViewType to only 'chat' - Main interface is now: chat + conversation list + detail panel only Phase 1.1 — Mode Differentiation: - Add subagent_enabled field to ChatModeConfig (Rust), StreamChatRequest (Tauri), gateway-client, kernel-client, saas-relay-client, and streamStore - TaskTool is now only registered when subagent_enabled=true (Ultra mode) - System prompt includes sub-agent delegation instructions only in Ultra mode - Frontend transmits subagent_enabled from ChatMode config through the full stack This connects the 4-tier mode selector (Flash/Thinking/Pro/Ultra) to actual backend behavioral differences — Ultra mode now truly enables sub-agent delegation.	2026-04-06 12:46:43 +08:00
iven	4e8f2c7692	fix: resolve 6 remaining defects (P2-18, P2-21, P3-04, P3-05, P3-06, P3-02) ... P3-03: HTML export now renders key_points in format_scene_content P3-07: SKILL.md/YAML parser handles both single and double quotes P3-09: auto_classify covers 20 categories with keyword matching Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 12:27:02 +08:00
iven	828be3cc9e	fix: resolve 6 remaining defects (P2-18, P2-21, P3-04, P3-05, P3-06, P3-02) ... - P2-18: TOTP QR code local generation via qrcode lib (no external service) - P2-21: Suspend foreign LLM providers (OpenAI/Anthropic/Gemini) for early stage - P3-04: get_progress() now calculates actual percentage from completed/total steps - P3-05: saveSaaSSession calls now have .catch() error logging - P3-06: SaaS relay chatStream passes session_key/agent_id to backend - P3-02: Whiteboard unification plan document created Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 09:52:28 +08:00
iven	26a833d1c8	fix: resolve 17 P2 defects and 5 P3 defects from pre-launch audit ... Batch fix covering multiple modules: - P2-01: HandRegistry Semaphore-based max_concurrent enforcement - P2-03: Populate toolCount/metricCount from Hand trait methods - P2-06: heartbeat_update_config minimum interval validation - P2-07: ReflectionResult used_fallback marker for rule-based fallback - P2-08/09: identity_propose_change parameter naming consistency - P2-10: ClassroomMetadata is_placeholder flag for LLM failure - P2-11: classroomStore userDidCloseDuringGeneration intent tracking - P2-12: workflowStore pipeline_create sends actionType - P2-13/14: PipelineInfo step_count + PipelineStepInfo for proper step mapping - P2-15: Pipe transform support in context.resolve (8 transforms) - P2-16: Mustache {{...}} → \${...} auto-normalization - P2-17: SaaSLogin password placeholder 6→8 - P2-19: serialize_skill_md + update_skill preserve tools field - P2-22: ToolOutputGuard sensitive patterns from warn→block - P2-23: Mutex::unwrap() → unwrap_or_else in relay/service.rs - P3-01/03/07/08/09: Various P3 fixes - DEFECT_LIST.md: comprehensive status sync (43/51 fixed, 8 remaining) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 00:49:16 +08:00
iven	bcaab50c56	fix(desktop): resolve all remaining P1 defects (P1-02/05/06, P1-01 experimental) ... - P1-02: Heartbeat auto-initialized in kernel_init for default agent - P1-05: CloneManager shows warning when deleting active agent + auto-switch - P1-06: AgentInfo returns soul/system_prompt/temperature/max_tokens - P1-01: Browser Hand marked experimental (requires Fantoccini bridge) - Updated DEFECT_LIST.md: all P1 resolved (0 active) - Updated RELEASE_READINESS.md: all P1 sections reflect current status	2026-04-05 21:21:33 +08:00
iven	90855dc83e	fix(desktop): resolve 2 release-blocking P1 defects ... P1-04: GenerationPipeline hardcoded model="default" causing classroom generation 404. Added model field to GenerationPipeline struct, passed from kernel config via with_driver(driver, model). Static scene generation now receives model parameter. P1-03: LLM API concurrent 500 DATABASE_ERROR. Added transient DB error retry (PoolTimedOut/Io) in create_relay_task with 200ms backoff. Recommend setting ZCLAW_DB_MIN_CONNECTIONS=10 for burst resilience.	2026-04-05 19:18:41 +08:00
iven	1680f931e9	fix(kernel): add map_err context to classroom LLM generation calls ... Stage 1 (outline) and Stage 2 (scene) LLM calls now provide descriptive error messages instead of propagating opaque driver errors. Closes M11-02	2026-04-04 21:25:50 +08:00
iven	1fec8cfbc1	fix(arch): unify TS/Rust types + classroom persistence registration + approval audit ... - M11-03: Register ClassroomPersistence via Tauri .setup() hook with in-memory fallback. Previously missing — classroom commands would crash at runtime. - M3-02: Document BrowserHand as schema validator + TypeScript delegation passthrough (dual-path architecture explicitly documented). - M4-04: Add defense-in-depth audit logging in execute_hand() and execute_hand_with_source() when needs_approval hands bypass approval gate. - TYPE-01: Add #[serde(rename_all = "camelCase")] to Rust AgentInfo. Add missing fields to TS AgentInfo (messageCount, createdAt, updatedAt). Fix KernelStatus TS interface to match Rust KernelStatusResponse (baseUrl/model instead of defaultProvider/defaultModel). - SEC2-P1-01: Document EXTRACTION_DRIVER OnceCell as legacy path; Kernel struct field is the active path. - TriggerSource: Add #[derive(PartialEq)] for approval audit comparisons.	2026-04-04 21:09:02 +08:00
iven	59f660b93b	fix(hands): add max_concurrent + timeout_secs fields + hand timeout enforcement ... M3-04/M3-05 audit fixes: - HandConfig: add max_concurrent (u32) and timeout_secs (u64) with serde defaults - Kernel execute_hand: enforce timeout via tokio::time::timeout, cancel on expiry - All 9 hand implementations: add max_concurrent: 0, timeout_secs: 0 - Agent createClone: pass soul field through to kernel - Fix duplicate soul block in agent_create command	2026-04-04 18:41:15 +08:00
iven	9af7b0dd46	fix(kernel): enable multi-agent compilation + A2A routing tests ... - director.rs: add missing CompletionRequest fields (thinking_enabled, reasoning_effort, plan_mode) for multi-agent feature gate - agents.rs: remove unused AgentState import behind multi-agent feature - lib.rs: replace ambiguous glob re-export with explicit director types, resolving AgentRole conflict between director and generation modules - a2a.rs: add 5 integration tests covering direct message delivery, broadcast routing, group messaging, agent unregistration, and expired message rejection (10 total A2A tests, all passing) - Verified: 537 workspace tests pass with multi-agent feature enabled Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-04 09:41:24 +08:00
iven	f4ed1b33e0	feat(kernel): add multi-skill orchestration bridge + true parallel execution ... - Kernel orchestration bridge: execute_orchestration, auto_compose_skills, validate_orchestration methods on Kernel struct - True parallel execution: replace sequential for-loop with tokio::JoinSet for concurrent node execution within parallel groups - Tauri commands: orchestration_execute (auto-compose or pre-defined graph), orchestration_validate (dry-run validation) - Full type conversions: OrchestrationRequest/Response with camelCase serde Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-04 09:18:26 +08:00
iven	1399054547	feat(skills): add LLM fallback routing + CJK TF-IDF bigram fix ... - SemanticSkillRouter: add RuntimeLlmIntent trait and with_llm_fallback() builder - route(): call LLM fallback when TF-IDF/embedding confidence < threshold - CJK tokenization: generate bigrams for Chinese/Japanese/Korean text - Fix: previous tokenizer treated entire CJK string as one huge token - SemanticSkillRouter: add RuntimeLlmIntent trait and with_llm_fallback() builder - route(): call LLM fallback when TF-IDF/embedding confidence < threshold - CJK tokenization: generate bigrams for Chinese/Japanese/Korean text - Fix: previous tokenizer treated entire CJK string as one huge token - LlmSkillFallback: concrete RuntimeLlmIntent using LlmDriver - Asks LLM to pick best skill from ambiguous candidates list - Parses structured JSON response from LLM output - Includes tests for LLM fallback and CJK tokenization Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-04 07:44:42 +08:00
iven	b25dfc967a	feat(kernel): persist agent runtime state across restarts ... - Schema: migrations now execute ALTER TABLE ADD COLUMN for state/message_count - MemoryStore: add update_agent_runtime() and list_agents_with_runtime() - Registry: add register_with_runtime() to accept persisted state/message_count - Kernel boot: restore agents with their persisted state (not always Running) - Kernel shutdown: persist all agent states/message_counts before terminating Agents that were suspended stay suspended after restart. Message counts survive restarts instead of resetting to 0.	2026-04-04 01:19:53 +08:00
iven	305984c982	fix(saas): P2 code quality fixes + config PATCH/PUT alignment ... P2 code quality (SEC2-P2-01~10): - P2-04: Replace vague TODO with detailed Phase 2 design note in generate_embedding.rs - P2-05: Add NOTE(fire-and-forget) annotations to 4 long-running tokio::spawn in main.rs - P2-07: Add DESIGN NOTE to scheduler explaining sequential execution rationale - P2-08: Add compile-time table name whitelist + runtime char validation in db.rs - P2-02: Verified N/A (only zclaw-pipeline uses serde_yaml_bw, no inconsistency) - P2-06: Verified N/A (bind loop correctly matches 6-column placeholders) - P2-03: Remains OPEN (requires upstream sqlx release) Config HTTP method alignment (B3-4): - Fix admin-v2 config.ts: request.patch -> request.put to match backend .put() route - Fix backend handler doc comment: PATCH -> PUT - Add @reserved annotations to 6 config handlers without frontend callers	2026-04-03 21:32:17 +08:00
iven	52bdafa633	refactor(crates): kernel/generation module split + DeerFlow optimizations + middleware + dead code cleanup ... - Split zclaw-kernel/kernel.rs (1486 lines) into 9 domain modules - Split zclaw-kernel/generation.rs (1080 lines) into 3 modules - Add DeerFlow-inspired middleware: DanglingTool, SubagentLimit, ToolError, ToolOutputGuard - Add PromptBuilder for structured system prompt assembly - Add FactStore (zclaw-memory) for persistent fact extraction - Add task builtin tool for agent task management - Driver improvements: Anthropic/OpenAI extended thinking, Gemini safety settings - Replace let _ = with proper log::warn! across SaaS handlers - Remove unused dependency (url) from zclaw-hands	2026-04-03 00:28:03 +08:00
iven	6cae768401	fix(desktop): session persistence — refresh/login/context/empty-content 4-bug fix ... 1. App.tsx: add restoreSession() call on startup to prevent redirect to login page after refresh (isRestoring guard + BootstrapScreen) 2. CloneManager: call syncAgents() after loadClones() to restore currentAgent and conversation history on app load 3. zclaw-memory: add get_or_create_session() so frontend session UUID is persisted directly — kernel no longer creates mismatched IDs 4. openai.rs: assistant message content must be non-empty for Kimi/Qwen APIs — replace empty content with meaningful placeholders Also includes admin-v2 ModelServices unified page (merge providers + models + API keys into expandable row layout)	2026-03-31 13:38:59 +08:00
iven	eb956d0dce	feat: 新增管理后台前端项目及安全加固 ... refactor(saas): 重构认证中间件与限流策略 - 登录限流调整为5次/分钟/IP - 注册限流调整为3次/小时/IP - GET请求不计入限流 fix(saas): 修复调度器时间戳处理 - 使用NOW()替代文本时间戳 - 兼容TEXT和TIMESTAMPTZ列类型 feat(saas): 实现环境变量插值 - 支持${ENV_VAR}语法解析 - 数据库密码支持环境变量注入 chore: 新增前端管理界面 - 基于React+Ant Design Pro - 包含路由守卫/错误边界 - 对接58个API端点 docs: 更新安全加固文档 - 新增密钥管理规范 - 记录P0安全项审计结果 - 补充TLS终止说明 test: 完善配置解析单元测试 - 新增环境变量插值测试用例	2026-03-31 00:11:33 +08:00
iven	6529b67353	feat(a2a): 消息重入队列 + 广播丢弃修复 + Router group 管理 ... A2A 协议完善 (feature-gated by multi-agent): - AgentInbox wrapper: VecDeque 暂存非匹配消息，requeue 替代丢弃 - a2a_delegate_task: 非匹配消息安全重入队列，不再静默丢弃 - A2aRouter: 广播/组播改用 try_send + 日志，避免持有 RwLock 跨 await - 新增 group 管理方法: add_to_group/remove_from_group/list_groups/get_group_members - 修复 Capability import 在 multi-agent feature 下的编译问题	2026-03-30 19:55:06 +08:00
iven	bc8c77e7fe	fix(security): P0 审计修复 — 6项关键安全/编译问题 ... F1: kernel.rs multi-agent 编译错误 — 重排 spawn_agent 中 A2A 注册顺序， 在 config 被 registry.register() 消费前使用 F2: saas-config.toml 从 git 追踪中移除 — 包含数据库密码已进入版本历史 F3: config.rs 硬编码开发密钥改用 #[cfg(debug_assertions)] 编译时门控 — dev fallback 密钥不再进入 release 构建 F4: 公共认证端点添加 IP 速率限制 (20 RPM) — 防止暴力破解 F5: SSE relay 路由分离出全局 15s TimeoutLayer — 避免长流式响应被截断 F6: Provider API 密钥入库前 AES-256-GCM 加密 — 明文存储修复 附带：完整审计报告 docs/superpowers/specs/2026-03-30-comprehensive-audit-report.md	2026-03-30 13:32:22 +08:00
iven	834aa12076	fix: P0 panic风险修复 + P1编译warnings清零 + P2代码/文档清理 ... P0 安全性: - account/handlers.rs: .unwrap() → .expect() 语义化错误信息 - relay/handlers.rs: SSE Response .unwrap() → .expect() P1 编译质量 (6 warnings → 0): - kernel.rs: 移除未使用的 Capability import 和 config_clone 变量 - pipeline_commands.rs: 未使用变量 id → _id - db.rs: 移除多余括号 - relay/service.rs: 移除未使用的 StreamExt import - telemetry/service.rs: 抑制 param_idx 未读赋值警告 - main.rs: TcpKeepalive::with_retries() Linux-only 条件编译 P2 代码清理: - 移除 handStore/HandsPanel/HandTaskPanel/gateway-api/SchedulerPanel 调试 console.log - SchedulerPanel: 修复 updateWorkflow 未解构导致 TS 编译错误 - 文档清理 zclaw-channels 已移除 crate 的引用	2026-03-30 11:33:47 +08:00
iven	813b49a986	feat: P0 KernelClient功能修复 + P1/P2/P3质量改进 ... P0 KernelClient 功能断裂修复: - Skill CUD: registry.rs create/update/delete + serialize_skill_md + kernel proxy - Workflow CUD: pipeline_commands.rs create/update/delete + serde_yaml依赖 - Agent更新: registry update方法 + AgentConfigUpdated事件 + agent_update命令 - Hand流式事件: HandStart/HandEnd变体替换ToolStart/ToolEnd - 后端验证: hand_get/hand_run_status/hand_run_list确认实现完整 - Approval闭环: respond_to_approval后台spawn+5分钟超时轮询 P2/P3 质量改进: - Browser WebDriver: TCP探测ChromeDriver/GeckoDriver/Edge端口替换硬编码true - api-fallbacks: 移除假技能和16个捏造安全层，替换为真实能力映射 - dead_code清理: 移除5个模块级#![allow(dead_code)]，删除3个真正死方法， 删除未注册的compactor_compact_llm命令，warnings从8降到3 - 所有变更通过cargo check + tsc --noEmit验证	2026-03-30 10:55:08 +08:00
iven	13c0b18bbc	feat: Batch 5-9 — GrowthIntegration桥接、验证补全、死代码清理、Pipeline模板、Speech/Twitter真实实现 ... Batch 5 (P0): GrowthIntegration 接入 Tauri - Kernel 新增 set_viking()/set_extraction_driver() 桥接 SqliteStorage - 中间件链共享存储，MemoryExtractor 接入 LLM 驱动 Batch 6 (P1): 输入验证 + Heartbeat - Relay 验证补全（stream 兼容检查、API key 格式校验） - UUID 类型校验、SessionId 错误返回 - Heartbeat 默认开启 + 首次聊天自动初始化 Batch 7 (P2): 死代码清理 - zclaw-channels 整体移除（317 行） - multi-agent 特性门控、admin 方法标注 Batch 8 (P2): Pipeline 模板 - PipelineMetadata 新增 annotations 字段 - pipeline_templates 命令 + 2 个示例模板 - fallback driver base_url 修复（doubao/qwen/deepseek 端点） Batch 9 (P1): SpeechHand/TwitterHand 真实实现 - SpeechHand: tts_method 字段 + Browser TTS 前端集成 (Web Speech API) - TwitterHand: 12 个 action 全部替换为 Twitter API v2 真实 HTTP 调用 - chatStore/useAutomationEvents 双路径 TTS 触发	2026-03-30 09:24:50 +08:00
iven	5595083b96	feat(skills): SemanticSkillRouter — TF-IDF + Embedding 混合路由 ... 实现 SemanticSkillRouter 核心模块 (zclaw-skills): - Embedder trait + NoOpEmbedder (TF-IDF fallback) - SkillTfidfIndex 全文索引 - retrieve_candidates() Top-K 检索 - route() 置信度阈值路由 (0.85) - cosine_similarity 公共函数 - 单元测试覆盖 Kernel 适配层 (zclaw-kernel): - EmbeddingAdapter: zclaw-growth EmbeddingClient → Embedder 文档同步: - 01-intelligent-routing.md Phase 1+2 标记完成	2026-03-30 00:54:11 +08:00
iven	f3f586efef	feat(kernel): Agent 导入/导出 + message_count 跟踪 ... Sprint 3.1 message_count 修复: - AgentRegistry 新增 message_counts 字段跟踪每个 agent 的消息数 - increment_message_count() 在 send_message 和 send_message_stream 中调用 - get_info() 返回实际计数值 Sprint 3.3 Agent 导入/导出: - Kernel 新增 get_agent_config() 方法返回原始 AgentConfig - 新增 agent_export Tauri 命令，导出配置为 JSON - 新增 agent_import Tauri 命令，从 JSON 导入并自动生成新 ID - 注册到 Tauri invoke_handler	2026-03-30 00:19:02 +08:00
iven	6040d98b18	fix(kernel): message_count 始终为 0 的 bug ... - AgentRegistry 新增 message_counts: DashMap<AgentId, u64> 跟踪字段 - 添加 increment_message_count() 方法 - Kernel.send_message() 和 send_message_stream() 中递增计数 - get_info() 返回实际计数值而非硬编码 0	2026-03-30 00:04:55 +08:00
iven	7e90cea117	fix(kernel): BREAK-02 记忆提取链路闭合 + BREAK-03 审批 HandRun 跟踪 ... BREAK-02 记忆提取链路闭合: - Kernel 新增 viking: Arc<VikingAdapter> 共享存储后端 - VikingAdapter 在 boot() 中初始化, 全生命周期共享 - create_middleware_chain() 注册 MemoryMiddleware (priority 150) - CompactionMiddleware 的 growth 参数从 None 改为 GrowthIntegration - zclaw-runtime 重新导出 VikingAdapter BREAK-03 审批后 HandRun 跟踪: - respond_to_approval() 添加完整 HandRun 生命周期跟踪 - Pending → Running → Completed/Failed 状态转换 - 支持 duration_ms 计时和 cancellation 注册 - 与 execute_hand() 保持一致的跟踪粒度	2026-03-29 23:45:52 +08:00
iven	04c366fe8b	feat(runtime): DeerFlow 模式中间件链 Phase 1-4 全部完成 ... 借鉴 DeerFlow 架构，实现完整中间件链系统： Phase 1 - Agent 中间件链基础设施 - MiddlewareChain Clone 支持 - LoopRunner 双路径集成 (middleware/legacy) - Kernel create_middleware_chain() 工厂方法 Phase 2 - 技能按需注入 - SkillIndexMiddleware (priority 200) - SkillLoadTool 工具 - SkillDetail/SkillIndexEntry 结构体 - KernelSkillExecutor trait 扩展 Phase 3 - Guardrail 安全护栏 - GuardrailMiddleware (priority 400, fail_open) - ShellExecRule / FileWriteRule / WebFetchRule Phase 4 - 记忆闭环统一 - MemoryMiddleware (priority 150, 30s 防抖) - after_completion 双路径调用 中间件注册顺序： 100 Compaction | 150 Memory | 200 SkillIndex 400 Guardrail | 500 LoopGuard | 700 TokenCalibration 向后兼容：Option<MiddlewareChain> 默认 None 走旧路径	2026-03-29 23:19:41 +08:00
iven	7de294375b	feat(auth): 添加异步密码哈希和验证函数 ... refactor(relay): 复用HTTP客户端和请求体序列化结果 feat(kernel): 添加获取单个审批记录的方法 fix(store): 改进SaaS连接错误分类和降级处理 docs: 更新审计文档和系统架构文档 refactor(prompt): 优化SQL查询参数化绑定 refactor(migration): 使用静态SQL和COALESCE更新配置项 feat(commands): 添加审批执行状态追踪和事件通知 chore: 更新启动脚本以支持Admin后台 fix(auth-guard): 优化授权状态管理和错误处理 refactor(db): 使用异步密码哈希函数 refactor(totp): 使用异步密码验证函数 style: 清理无用文件和注释 docs: 更新功能全景和审计文档 refactor(service): 优化HTTP客户端重用和请求处理 fix(connection): 改进SaaS不可用时的降级处理 refactor(handlers): 使用异步密码验证函数 chore: 更新依赖和工具链配置	2026-03-29 21:45:29 +08:00
iven	5fdf96c3f5	chore: 提交所有工作进度 — SaaS 后端增强、Admin UI、桌面端集成 ... 包含大量 SaaS 平台改进、Admin 管理后台更新、桌面端集成完善、 文档同步、测试文件重构等内容。为 QA 测试准备干净工作树。	2026-03-29 10:46:41 +08:00
iven	80d98b35a5	fix(audit): v5 审计修复 8 项 — 条件编译、安全加固、冗余清理 ... - N1: Whiteboard Export 动作标注 demo=true - N2/N3: Director + A2A 通过 #[cfg(feature)] 条件编译隔离 - N4: viking_adapter 文本匹配降级为 LOW（生产路径走 SqliteStorage） - N5: 移除冗余 compactor_compact_llm Tauri 命令注册 - M3: hand_approve/hand_cancel 添加 hand_id 验证防跨 Hand 审批 - N7: scheduled_task 文档注释标注 PLANNNED - 新增 COMPREHENSIVE_AUDIT_V5.md 独立审计报告 - 更新 DEEP_AUDIT_REPORT.md 追加修复记录（累计 32 项）	2026-03-27 12:33:44 +08:00
iven	a71c4138cc	fix(audit): 修复深度审计发现的 P0/P1 问题 (8项) ... 基于 DEEP_AUDIT_REPORT.md 修复 2 CRITICAL + 4 HIGH + 1 MEDIUM 问题: - C1: PromptOnly 技能集成 LLM 调用 — 定义 LlmCompleter trait， 通过 LlmDriverAdapter 桥接 zclaw_runtime::LlmDriver， PromptOnlySkill.execute() 现在调用 LLM 生成内容 - C2: 反思引擎空记忆 bug — 新增 query_memories_for_reflection() 从 VikingStorage 查询真实记忆传入 reflect() - H7: Agent Store 接口适配 — KernelClient 添加 listClones/createClone/ deleteClone/updateClone 方法，映射到 agent_* 命令 - H8: Hand 审批检查 — hand_execute 执行前检查 needs_approval， 需审批返回 pending_approval 状态 - M1: 幽灵命令注册 — 注册 hand_get/hand_run_status/hand_run_list 三个 Tauri 桩命令 - H1/H2: SpeechHand/TwitterHand 添加 demo 标签 - H5: 归档过时 VERIFICATION_REPORT 文档更新: DEEP_AUDIT_REPORT.md 标记修复状态，README.md 更新 关键指标和变更历史。整体完成度从 ~50% 提升至 ~58%。	2026-03-27 09:36:50 +08:00
iven	eed347e1a6	feat: 实现循环防护和安全验证功能 ... refactor(loop_guard): 为LoopGuard添加Clone派生 feat(capabilities): 实现CapabilityManager.validate()安全验证 fix(agentStore): 添加token用量追踪 chore: 删除未实现的Predictor/Lead HAND.toml文件 style(Credits): 移除假数据并标注开发中状态 refactor(Skills): 动态加载技能卡片 perf(configStore): 为定时任务添加localStorage降级 docs: 更新功能文档和版本变更记录	2026-03-27 07:56:53 +08:00
iven	0d4fa96b82	refactor: 统一项目名称从OpenFang到ZCLAW ... 重构所有代码和文档中的项目名称，将OpenFang统一更新为ZCLAW。包括： - 配置文件中的项目名称 - 代码注释和文档引用 - 环境变量和路径 - 类型定义和接口名称 - 测试用例和模拟数据 同时优化部分代码结构，移除未使用的模块，并更新相关依赖项。	2026-03-27 07:36:03 +08:00
iven	8bcabbfb43	refactor: 代码质量清理 - 移除死代码和遗留别名 ... 基于全面审计报告的 P0-P2 修复工作： P0 (已完成): - intelligence 模块: 精确注释 dead_code 标注原因（Tauri runtime 注册） - compactor.rs: 实现 LLM 摘要生成（compact_with_llm） - pipeline_commands.rs: 替换 println! 为 tracing 宏 P1 (已完成): - 移除 8 个 gateway_* 向后兼容别名（OpenClaw 遗留） - 前端 tauri-gateway.ts 改为调用 zclaw_* 命令 - 清理 generation.rs 6 个重复的实例方法（-217 行） - A2A dead_code 注释更新 P2 (已完成): - Predictor/Lead HAND.toml 设置 enabled=false - Wasm/Native SkillMode 添加未实现说明 - browser/mod.rs 移除未使用的 re-export（消除 4 个警告） 文档更新: - feature-checklist.md 从 v0.4.0 更新到 v0.6.0 - CLAUDE.md Hands 状态更新 验证: cargo check 零警告, 42 测试通过, 净减 371 行代码	2026-03-27 00:54:57 +08:00
iven	978dc5cdd8	fix(安全): 修复HTML导出中的XSS漏洞并清理调试日志 ... refactor(日志): 替换console.log为tracing日志系统 style(代码): 移除未使用的代码和依赖项 feat(测试): 添加端到端测试文档和CI工作流 docs(变更日志): 更新CHANGELOG.md记录0.1.0版本变更 perf(构建): 更新依赖版本并优化CI流程	2026-03-26 19:49:03 +08:00
iven	b7f3d94950	fix(presentation): 修复 presentation 模块类型错误和语法问题 ... - 创建 types.ts 定义完整的类型系统 - 重写 DocumentRenderer.tsx 修复语法错误 - 重写 QuizRenderer.tsx 修复语法错误 - 重写 PresentationContainer.tsx 添加类型守卫 - 重写 TypeSwitcher.tsx 修复类型引用 - 更新 index.ts 移除不存在的 ChartRenderer 导出 审计结果: - 类型检查: 通过 - 单元测试: 222 passed - 构建: 成功	2026-03-26 17:19:28 +08:00
iven	bf6d81f9c6	refactor: 清理未使用代码并添加未来功能标记 ... style: 统一代码格式和注释风格 docs: 更新多个功能文档的完整度和状态 feat(runtime): 添加路径验证工具支持 fix(pipeline): 改进条件判断和变量解析逻辑 test(types): 为ID类型添加全面测试用例 chore: 更新依赖项和Cargo.lock文件 perf(mcp): 优化MCP协议传输和错误处理	2026-03-25 21:55:12 +08:00
iven	aa6a9cbd84	feat: 新增技能编排引擎和工作流构建器组件 ... refactor: 统一Hands系统常量到单个源文件 refactor: 更新Hands中文名称和描述 fix: 修复技能市场在连接状态变化时重新加载 fix: 修复身份变更提案的错误处理逻辑 docs: 更新多个功能文档的验证状态和实现位置 docs: 更新Hands系统文档 test: 添加测试文件验证工作区路径	2026-03-25 08:27:25 +08:00
iven	9981a4674e	fix(skills): inject skill list into system prompt for LLM awareness ... Problem: Agent could not invoke appropriate skills when user asked about financial reports because LLM didn't know which skills were available. Root causes: 1. System prompt lacked available skill list 2. SkillManifest struct missing 'triggers' field 3. SKILL.md loader not parsing triggers list 4. "财报" keyword not matching "财务报告" trigger Changes: - Add triggers field to SkillManifest struct - Parse triggers list from SKILL.md frontmatter - Inject skill list into system prompt in kernel.rs - Add "财报", "财务数据", "盈利", "营收" triggers to finance-tracker - Add "财报分析" trigger to analytics-reporter - Document fix in troubleshooting.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 15:39:18 +08:00
iven	504d5746aa	feat(skill-execution): implement execute_skill tool with full execution chain ... - Add ExecuteSkillTool for LLM to call skills during conversation - Implement SkillExecutor trait in Kernel for skill execution - Update AgentLoop to support tool execution with skill_executor - Add default skills_dir configuration in KernelConfig - Connect frontend skillMarketStore to backend skill_list command - Update technical documentation with Skill system architecture Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 13:24:23 +08:00
iven	1441f98c5e	feat(hands): implement 4 new Hands and fix BrowserHand registration ... - Add ResearcherHand: DuckDuckGo search, web fetch, report generation - Add CollectorHand: data collection, aggregation, multiple output formats - Add ClipHand: video processing (trim, convert, thumbnail, concat) - Add TwitterHand: Twitter/X automation (tweet, retweet, like, search) - Fix BrowserHand not registered in Kernel (critical bug) - Add HandError variant to ZclawError enum - Update documentation: 9/11 Hands implemented (82%) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 13:22:44 +08:00
iven	3ff08faa56	release(v0.2.0): streaming, MCP protocol, Browser Hand, security enhancements ... ## Major Features ### Streaming Response System - Implement LlmDriver trait with `stream()` method returning async Stream - Add SSE parsing for Anthropic and OpenAI API streaming - Integrate Tauri event system for frontend streaming (`stream:chunk` events) - Add StreamChunk types: Delta, ToolStart, ToolEnd, Complete, Error ### MCP Protocol Implementation - Add MCP JSON-RPC 2.0 types (mcp_types.rs) - Implement stdio-based MCP transport (mcp_transport.rs) - Support tool discovery, execution, and resource operations ### Browser Hand Implementation - Complete browser automation with Playwright-style actions - Support Navigate, Click, Type, Scrape, Screenshot, Wait actions - Add educational Hands: Whiteboard, Slideshow, Speech, Quiz ### Security Enhancements - Implement command whitelist/blacklist for shell_exec tool - Add SSRF protection with private IP blocking - Create security.toml configuration file ## Test Improvements - Fix test import paths (security-utils, setup) - Fix vi.mock hoisting issues with vi.hoisted() - Update test expectations for validateUrl and sanitizeFilename - Add getUnsupportedLocalGatewayStatus mock ## Documentation Updates - Update architecture documentation - Improve configuration reference - Add quick-start guide updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 03:24:24 +08:00
iven	cbd3da46a3	chore: remove debug logging ... Remove temporary console.log and eprintln! statements added during troubleshooting the model configuration issue. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-23 23:06:20 +08:00