iven
5a0c652f4f
fix(hands): 审计修复 — SSRF防护/输入验证/HTTP状态检查/解析加固
...
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
三维度穷尽审计(安全+质量+正确性)后修复:
CRITICAL:
- execute_fetch() 添加完整 SSRF 防护(IPv4/IPv6/私有地址/云元数据/主机名黑名单)
- reqwest 重定向策略限制为3次,阻止重定向链 SSRF
- DDG HTML 解析: split("result__body") → split("class=\"result__body\"") 防误匹配
- Google 变体降级到 Bing 时添加 tracing::warn 日志
HIGH:
- ResearchQuery 输入验证: 查询≤500字符, max_results≤50, 空查询拒绝
- Cache 容量限制: 200 条目上限 + 简单淘汰
- extract_href_uddg 手动 URL 解码替换为标准 percent_decode
- 3个搜索引擎方法添加 HTTP status code 检查(429/503 不再静默)
MEDIUM:
- config.toml default_engine 从 "searxng" 改为 "auto"(Rust 原生优先)
- User-Agent 从机器人标识改为浏览器 UA,降低反爬风险
- 百度解析器从精确匹配改为 c-container 包含匹配,覆盖更多变体
- 添加 url crate 依赖
测试: 60 PASS (新增12: SSRF 5 + percent_decode 3 + 输入验证 4)
2026-04-22 12:11:35 +08:00
iven
0fd981905d
fix(hands): 集成 SearXNG 元搜索引擎 — 替换不可用的 DuckDuckGo Instant Answer API
...
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
- ResearcherHand 新增 search_searxng() 方法,调用 SearXNG JSON API 聚合 70+ 搜索引擎
- SearchEngine 枚举增加 SearXNG 变体,路由逻辑按配置分发搜索后端
- Auto 模式: SearXNG 优先 → DuckDuckGo fallback
- config.toml [tools.web.search] 新增 searxng_url/searxng_timeout 配置
- docker-compose.yml 新增 SearXNG 服务容器 (searxng-config/settings.yml)
- 新增 6 个 SearXNG 相关单元测试 (响应解析/URL构造/分数归一化/配置加载)
- 验证: 124 tests PASS, workspace 0 warnings
2026-04-22 10:52:13 +08:00
iven
1965fa5269
fix: migrate glm-4-flash to glm-4-flash-250414 (model deprecated by Zhipu)
...
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
Zhipu AI has deprecated glm-4-flash, causing 404 errors on all chat requests.
Updated all references:
- config: glm-4-flash → glm-4-flash-250414, added glm-z1-flash
- frontend: defaultModel, conversationStore, ChatArea fallback, ModelsAPI
2026-04-09 18:42:47 +08:00
iven
0d4fa96b82
refactor: 统一项目名称从OpenFang到ZCLAW
...
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
重构所有代码和文档中的项目名称,将OpenFang统一更新为ZCLAW。包括:
- 配置文件中的项目名称
- 代码注释和文档引用
- 环境变量和路径
- 类型定义和接口名称
- 测试用例和模拟数据
同时优化部分代码结构,移除未使用的模块,并更新相关依赖项。
2026-03-27 07:36:03 +08:00
iven
3ff08faa56
release(v0.2.0): streaming, MCP protocol, Browser Hand, security enhancements
...
## Major Features
### Streaming Response System
- Implement LlmDriver trait with `stream()` method returning async Stream
- Add SSE parsing for Anthropic and OpenAI API streaming
- Integrate Tauri event system for frontend streaming (`stream:chunk` events)
- Add StreamChunk types: Delta, ToolStart, ToolEnd, Complete, Error
### MCP Protocol Implementation
- Add MCP JSON-RPC 2.0 types (mcp_types.rs)
- Implement stdio-based MCP transport (mcp_transport.rs)
- Support tool discovery, execution, and resource operations
### Browser Hand Implementation
- Complete browser automation with Playwright-style actions
- Support Navigate, Click, Type, Scrape, Screenshot, Wait actions
- Add educational Hands: Whiteboard, Slideshow, Speech, Quiz
### Security Enhancements
- Implement command whitelist/blacklist for shell_exec tool
- Add SSRF protection with private IP blocking
- Create security.toml configuration file
## Test Improvements
- Fix test import paths (security-utils, setup)
- Fix vi.mock hoisting issues with vi.hoisted()
- Update test expectations for validateUrl and sanitizeFilename
- Add getUnsupportedLocalGatewayStatus mock
## Documentation Updates
- Update architecture documentation
- Improve configuration reference
- Add quick-start guide updates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-24 03:24:24 +08:00
iven
6f72442531
docs(guide): rewrite CLAUDE.md with ZCLAW-first perspective
...
Major changes:
- Shift from "OpenFang desktop client" to "independent AI Agent desktop app"
- Add decision principle: "Is this useful for ZCLAW? Does it affect ZCLAW?"
- Simplify project structure and tech stack sections
- Replace OpenClaw vs OpenFang comparison with unified backend approach
- Consolidate troubleshooting from scattered sections into organized FAQ
- Update Hands system documentation with 8 capabilities and status
- Stream
2026-03-20 19:30:09 +08:00
iven
9c99ab16d4
feat(phase3-4): add OpenFang config.toml and TypeScript type definitions
...
Phase 3: Configuration Migration (P1)
- Create config/config.toml with comprehensive OpenFang settings
- Migrate openclaw.default.json content to TOML format
- Add server, agent, skills, hands, llm, security, logging configs
- Add desktop-specific settings for ZClaw client
Phase 4: Type System Enhancement (P2)
- Create types/agent.ts: Agent, AgentConfig, AgentStatus types
- Create types/session.ts: Session, SessionMessage, MessageRole types
- Create types/settings.ts: QuickConfig, MCPService, AppSettings types
- Create types/index.ts: Barrel export for all type definitions
Documentation Updates:
- Mark Phase 3 config migration tasks as completed (2/3)
- Mark Phase 4 type definition tasks as completed (3/4)
- Update technical debt cleanup status
- Update type definition section in SYSTEM_ANALYSIS.md
Files Added:
- config/config.toml (289 lines)
- desktop/src/types/agent.ts (68 lines)
- desktop/src/types/session.ts (75 lines)
- desktop/src/types/settings.ts (89 lines)
- desktop/src/types/index.ts (41 lines)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-15 01:45:25 +08:00
