9 Commits

Author	SHA1	Message	Date
iven	d871685e25	fix(auth): 5 BUG 修复 — refresh token 持久化 + 密码验证 + 浏览器兼容 ... BUG-1 (P1): LoginPage 注册密码验证从 6 位改为 8 位，与后端一致 BUG-2 (P0): refresh token 持久化到 OS keyring + restoreSession 三级恢复 (access token → refresh token → cookie auth) + saveSaaSSession 改为 await BUG-3 (P0): Tauri 聊天路由降级问题，根因同 BUG-2（会话恢复失败） BUG-4 (P1): App.tsx 跳过 Onboarding 改用 agentStore（兼容所有 client）， Workspace.tsx Tauri invoke 改为动态 import 避免浏览器崩溃 BUG-5: tauri.conf.json createUpdaterArtifacts 改为 boolean true	2026-04-11 09:43:17 +08:00
iven	33008c06c7	chore: 版本号 0.1.0 → 0.9.0-beta.1 + updater 插件预留 ... - package.json / tauri.conf.json: version 更新为 0.9.0-beta.1 - tauri.conf.json: 添加 plugins.updater 空壳配置 + createUpdaterArtifacts - Cargo.toml: 添加 tauri-plugin-updater 依赖 - lib.rs: 注册 updater 插件 (空壳，部署时配置 HTTPS 端点 + Ed25519 密钥)	2026-04-11 03:02:39 +08:00
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 ... Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	978dc5cdd8	fix(安全): 修复HTML导出中的XSS漏洞并清理调试日志 ... refactor(日志): 替换console.log为tracing日志系统 style(代码): 移除未使用的代码和依赖项 feat(测试): 添加端到端测试文档和CI工作流 docs(变更日志): 更新CHANGELOG.md记录0.1.0版本变更 perf(构建): 更新依赖版本并优化CI流程	2026-03-26 19:49:03 +08:00
iven	3ff08faa56	release(v0.2.0): streaming, MCP protocol, Browser Hand, security enhancements ... ## Major Features ### Streaming Response System - Implement LlmDriver trait with `stream()` method returning async Stream - Add SSE parsing for Anthropic and OpenAI API streaming - Integrate Tauri event system for frontend streaming (`stream:chunk` events) - Add StreamChunk types: Delta, ToolStart, ToolEnd, Complete, Error ### MCP Protocol Implementation - Add MCP JSON-RPC 2.0 types (mcp_types.rs) - Implement stdio-based MCP transport (mcp_transport.rs) - Support tool discovery, execution, and resource operations ### Browser Hand Implementation - Complete browser automation with Playwright-style actions - Support Navigate, Click, Type, Scrape, Screenshot, Wait actions - Add educational Hands: Whiteboard, Slideshow, Speech, Quiz ### Security Enhancements - Implement command whitelist/blacklist for shell_exec tool - Add SSRF protection with private IP blocking - Create security.toml configuration file ## Test Improvements - Fix test import paths (security-utils, setup) - Fix vi.mock hoisting issues with vi.hoisted() - Update test expectations for validateUrl and sanitizeFilename - Add getUnsupportedLocalGatewayStatus mock ## Documentation Updates - Update architecture documentation - Improve configuration reference - Add quick-start guide updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 03:24:24 +08:00
iven	2fb914c965	fix: UTF-8 boundary issue in compactor and remove openfang-runtime from bundle	2026-03-22 09:23:19 +08:00
iven	a312524abb	fix(gateway): add API fallbacks and connection stability improvements ... - Add api-fallbacks.ts with structured fallback data for 6 missing API endpoints - QuickConfig, WorkspaceInfo, UsageStats, PluginStatus, ScheduledTasks, SecurityStatus - Graceful degradation when backend returns 404 - Add heartbeat mechanism (30s interval, 3 max missed) - Automatic connection keep-alive with ping/pong - Triggers reconnect when heartbeats fail - Improve reconnection strategy - Emit 'reconnecting' events for UI feedback - Support infinite reconnect mode - Add ConnectionStatus component - Visual indicators for 5 connection states - Manual reconnect button when disconnected - Compact and full display modes Diagnosed via Chrome DevTools: WebSocket was working fine, real issue was 404 errors from missing API endpoints being mistaken for connection problems. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-16 09:56:25 +08:00
iven	4eb164764a	feat(openfang): add bundled OpenFang runtime support ... - Add prepare-openfang-runtime.mjs script for cross-platform binary download - Update lib.rs to support binary runtime (fallback to Node.js for legacy) - Add openfang.cmd/sh launcher scripts - Update runtime-manifest.json for binary-based runtime - Add README documentation for bundled runtime architecture OpenFang binary is downloaded during build, supporting: - Windows x64/ARM64 (.zip) - macOS Intel/Apple Silicon (.tar.gz) - Linux x64/ARM64 (.tar.gz) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 18:03:43 +08:00
iven	045e9cef5b	feat: initialize ZCLAW project with core systems and Tauri desktop ... - Created backend core systems: - Remote Execution System (远程执行系统) - Task Orchestration Engine (任务编排引擎) - Persistent Memory System (持续记忆系统) - Proactive Service System (主动服务系统) - Created Tauri desktop app: - Three-column layout based on AutoClaw design - React + TypeScript + Tailwind CSS - Zustand state management - Lucide React icons - Components: - Sidebar (Agent list, IM channels, scheduled tasks) - ChatArea (Chat interface with message bubbles) - RightPanel (Task progress, statistics, next actions) Next: Test Tauri dev server and integrate with OpenClaw backend	2026-03-11 22:06:07 +08:00