17 Commits

Author	SHA1	Message	Date
iven	f97e6fdbb6	feat: Evolution Engine Phase 3-5 — WorkflowComposer+FeedbackCollector+EvolutionMiddleware+反馈闭环 ... Phase 3: - EvolutionMiddleware (priority 78): 管家对话中注入进化确认提示 - GrowthIntegration.check_evolution() API 串入 Phase 4: - WorkflowComposer: 轨迹工具链模式聚类 + Pipeline YAML prompt 构建 + JSON 解析 - EvolutionEngine.analyze_trajectory_patterns() L3 入口 Phase 5: - FeedbackCollector: 反馈信号收集 + 信任度管理 + 推荐(Optimize/Archive/Promote) - EvolutionEngine 反馈闭环方法: submit_feedback/get_artifacts_needing_optimization 新增 12 个测试（111→123），全 workspace 701 测试通过。	2026-04-18 21:27:59 +08:00
iven	ee1c9ef3ea	chore: Cargo warnings 清零 — 39→0 (仅剩 sqlx-postgres 外部依赖警告) ... - runtime: 移除未使用的 SessionId/Datelike import，修复 unused variable - intelligence: 模块级 #![allow(dead_code)] 抑制 Hermes 预留代码警告 - mcp.rs/persist.rs/nl_schedule.rs: 标注 #[allow(dead_code)] 保留接口	2026-04-15 01:53:11 +08:00
iven	f8c5a76ce6	fix(industry): 审计收尾 — MEDIUM + LOW 全部清零 ... M-1: Industries 创建弹窗添加 cold_start_template + pain_seed_categories M-3: industryStore console.warn → createLogger 结构化日志 B2: classify_with_industries 平局打破 + 归一化因子 3.0 文档化 S3: set_account_industries 验证移入事务内消除 TOCTOU T1: 4 个 SaaS 请求类型添加 deny_unknown_fields I3: store_trigger_experience Debug 格式 → signal_name 描述名 L-1: 删除 Accounts.tsx 死代码 editingIndustries L-3: Industries.tsx filters 类型补全 source 字段	2026-04-12 20:37:48 +08:00
iven	fbc8c9fdde	fix(industry): 审计修复 — 4 CRITICAL + 5 HIGH 全部解决 ... C1: SaaS industry/service.rs SQL 注入风险 → 参数化查询 ($N 绑定) C2: INDUSTRY_CONFIGS 死链 → Kernel 共享 Arc 接通 ButlerRouter C3: IndustryListItem 缺 keywords_count → SQL 查询 + 类型补全 C4: set_account_industries 非事务性 → batch 验证 + 事务 DELETE+INSERT H8: Accounts.tsx mutate 竞态 → mutateAsync 顺序等待 H9: XML 注入未转义 → xml_escape() 辅助函数 H10: update_industry 覆盖 source → 保留原始值 H11: 面包屑缺少 /industries → 添加行业配置映射	2026-04-12 19:06:19 +08:00
iven	b357916d97	feat(intelligence): Phase 5 主动行为激活 — 注入格式 + 跨会话连续性 + 触发持久化 ... Task 5.1+5.4: ButlerRouter/experience 注入格式升级为 <butler-context> XML fencing - butler_router: [路由上下文] → <butler-context><routing>...</routing></butler-context> - experience: [过往经验] → <butler-context><experience>...</experience></butler-context> - 统一 system-note 提示，引导 LLM 自然运用上下文 Task 5.2: 跨会话连续性 — pre_conversation_hook 注入活跃痛点 + 相关经验 - 从 VikingStorage 检索相关记忆(相似度>=0.3) - 从 pain_aggregator 获取 High severity 痛点(top 3) Task 5.3: 触发信号持久化 — post_conversation_hook 将触发信号存入 VikingStorage - store_trigger_experience(): 模板提取，零 LLM 成本 - 为未来 LLM 深度反思积累数据基础	2026-04-12 18:31:37 +08:00
iven	5d1050bf6f	feat(industry): Phase 1 行业配置基础 — 数据模型 + 四行业内置配置 + ButlerRouter 动态关键词 ... - 新增 SaaS industry 模块 (types/service/handlers/mod/builtin) - 4 行业内置配置: healthcare/education/garment/ecommerce - 数据库迁移: industries + account_industries 表 - 8 个 API 端点 (CRUD + 用户行业关联) - ButlerRouter 改造: 支持 IndustryKeywordConfig 动态注入 - 12 个测试全通过 (含动态行业分类测试)	2026-04-12 15:42:35 +08:00
iven	1e675947d5	feat(butler): upgrade ButlerRouter to semantic skill routing ... Replace keyword-only ButlerRouter with SemanticSkillRouter (TF-IDF). 75 skills now participate in intent classification instead of 4 hardcoded domains. - Expose ButlerRouterBackend trait + RoutingHint as pub - Add with_router() constructor for injecting custom backends - Add SemanticRouterAdapter in kernel layer (bridges skills ↔ runtime) - Enhance context injection with skill-level match info	2026-04-10 21:24:30 +08:00
iven	4b15ead8e7	feat(hermes): implement intelligence pipeline — 4 chunks, 684 tests passing ... Hermes Intelligence Pipeline closes breakpoints in ZCLAW's existing intelligence components with 4 self-contained modules: Chunk 1 — Self-improvement Loop: - ExperienceStore (zclaw-growth): FTS5+TF-IDF wrapper with scope prefix - ExperienceExtractor (desktop/intelligence): template-based extraction from successful proposals with implicit keyword detection Chunk 2 — User Modeling: - UserProfileStore (zclaw-memory): SQLite-backed structured profiles with industry/role/expertise/comm_style/recent_topics/pain_points - UserProfiler (desktop/intelligence): fact classification by category (Preference/Knowledge/Behavior) with profile summary formatting Chunk 3 — NL Cron Chinese Time Parser: - NlScheduleParser (zclaw-runtime): 6 pattern matchers for Chinese time expressions (每天/每周/工作日/间隔/每月/一次性) producing cron expressions - Period-aware hour adjustment (下午3点→15, 晚上8点→20) - Schedule intent detection + task description extraction Chunk 4 — Trajectory Compression: - TrajectoryStore (zclaw-memory): trajectory_events + compressed_trajectories - TrajectoryRecorderMiddleware (zclaw-runtime/middleware): priority 650, async non-blocking event recording via tokio::spawn - TrajectoryCompressor (desktop/intelligence): dedup, request classification, satisfaction detection, execution chain JSON Schema migrations: v2→v3 (user_profiles), v3→v4 (trajectory tables)	2026-04-09 17:47:43 +08:00
iven	3f2acb49fb	fix: pre-release audit fixes — Twitter OAuth, DataMasking perf, Prompt versioning ... - Twitter like/retweet: return explicit unavailable error instead of sending doomed Bearer token requests (would 403 on Twitter API v2) - DataMasking: pre-compile regex patterns with LazyLock (was compiling 6 patterns on every mask() call) - Prompt version: fix get_version handler ignoring version path param, add service::get_version_by_number for correct per-version retrieval	2026-04-09 16:43:24 +08:00
iven	ffaee49d67	feat(middleware): add butler router for semantic skill routing ... New ButlerRouterMiddleware (priority 80) intercepts user messages, classifies intent using keyword-based domain detection, and injects routing context into the system prompt. Supports healthcare, data report, policy compliance, and meeting coordination domains. - New: butler_router.rs — keyword classifier + MiddlewareContext injection - Registered in Kernel::create_middleware_chain() at priority 80 - 9 tests passing (classification + middleware integration)	2026-04-09 09:26:48 +08:00
iven	8aed363fc8	feat(middleware): add DataMaskingMiddleware — sensitive entity protection (Chunk 3) ... Priority 90 — runs before Compaction@100 and Memory@150. Detects and replaces company names, money amounts, phone numbers, emails, and ID card numbers with deterministic tokens (__ENTITY_N__). External callers can restore originals via DataMasker::unmask().	2026-04-07 08:01:05 +08:00
iven	26a833d1c8	fix: resolve 17 P2 defects and 5 P3 defects from pre-launch audit ... Batch fix covering multiple modules: - P2-01: HandRegistry Semaphore-based max_concurrent enforcement - P2-03: Populate toolCount/metricCount from Hand trait methods - P2-06: heartbeat_update_config minimum interval validation - P2-07: ReflectionResult used_fallback marker for rule-based fallback - P2-08/09: identity_propose_change parameter naming consistency - P2-10: ClassroomMetadata is_placeholder flag for LLM failure - P2-11: classroomStore userDidCloseDuringGeneration intent tracking - P2-12: workflowStore pipeline_create sends actionType - P2-13/14: PipelineInfo step_count + PipelineStepInfo for proper step mapping - P2-15: Pipe transform support in context.resolve (8 transforms) - P2-16: Mustache {{...}} → \${...} auto-normalization - P2-17: SaaSLogin password placeholder 6→8 - P2-19: serialize_skill_md + update_skill preserve tools field - P2-22: ToolOutputGuard sensitive patterns from warn→block - P2-23: Mutex::unwrap() → unwrap_or_else in relay/service.rs - P3-01/03/07/08/09: Various P3 fixes - DEFECT_LIST.md: comprehensive status sync (43/51 fixed, 8 remaining) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-06 00:49:16 +08:00
iven	619bad30cb	fix(security): Gemini API key header + Mutex safety + Agent validation ... M1-01: Move Gemini API key from URL query param to x-goog-api-key header, preventing key leakage in logs/proxy/telemetry (matches Anthropic/OpenAI pattern) M1-03/M1-04: Replace Mutex .unwrap() with .unwrap_or_else(|e| e.into_inner()) in MemoryMiddleware and LoopGuardMiddleware — recovers from poison instead of panicking async runtime M2-08: Add input validation to agent_create — reject empty names, out-of-range temperature (0-2), and zero max_tokens M11-06: Replace Date.now() message ID with crypto.randomUUID() to prevent collisions in classroom chat	2026-04-04 19:15:50 +08:00
iven	52bdafa633	refactor(crates): kernel/generation module split + DeerFlow optimizations + middleware + dead code cleanup ... - Split zclaw-kernel/kernel.rs (1486 lines) into 9 domain modules - Split zclaw-kernel/generation.rs (1080 lines) into 3 modules - Add DeerFlow-inspired middleware: DanglingTool, SubagentLimit, ToolError, ToolOutputGuard - Add PromptBuilder for structured system prompt assembly - Add FactStore (zclaw-memory) for persistent fact extraction - Add task builtin tool for agent task management - Driver improvements: Anthropic/OpenAI extended thinking, Gemini safety settings - Replace let _ = with proper log::warn! across SaaS handlers - Remove unused dependency (url) from zclaw-hands	2026-04-03 00:28:03 +08:00
iven	1bf0d3a73d	fix(memory): CJK-aware short query threshold + Chinese synonym expansion ... 1. MemoryMiddleware: replace byte-length check (query.len() < 4) with char-count check (query.chars().count() < 2). Single CJK characters are 3 UTF-8 bytes but 1 meaningful character — the old threshold incorrectly skipped 1-2 char Chinese queries like "你好". 2. QueryAnalyzer: add Chinese synonym mappings for 13 common technical terms (错误→bug, 优化→improve, 配置→config, etc.) so CJK queries can find relevant English-keyword memories and vice versa. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-02 01:21:29 +08:00
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 ... Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	04c366fe8b	feat(runtime): DeerFlow 模式中间件链 Phase 1-4 全部完成 ... 借鉴 DeerFlow 架构，实现完整中间件链系统： Phase 1 - Agent 中间件链基础设施 - MiddlewareChain Clone 支持 - LoopRunner 双路径集成 (middleware/legacy) - Kernel create_middleware_chain() 工厂方法 Phase 2 - 技能按需注入 - SkillIndexMiddleware (priority 200) - SkillLoadTool 工具 - SkillDetail/SkillIndexEntry 结构体 - KernelSkillExecutor trait 扩展 Phase 3 - Guardrail 安全护栏 - GuardrailMiddleware (priority 400, fail_open) - ShellExecRule / FileWriteRule / WebFetchRule Phase 4 - 记忆闭环统一 - MemoryMiddleware (priority 150, 30s 防抖) - after_completion 双路径调用 中间件注册顺序： 100 Compaction | 150 Memory | 200 SkillIndex 400 Guardrail | 500 LoopGuard | 700 TokenCalibration 向后兼容：Option<MiddlewareChain> 默认 None 走旧路径	2026-03-29 23:19:41 +08:00