iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: iven:worktree-saas-backend
Branches Tags
iven:main iven:chore/sqlx-0.8-upgrade iven:worktree-saas-backend
..
compare: iven:7de294375b047472efbb37e2a322db4d524dfe3e
Branches Tags
iven:main iven:chore/sqlx-0.8-upgrade iven:worktree-saas-backend

7 Commits
worktree-s ... 7de294375b

Author SHA1 Message Date
iven
7de294375b feat(auth): 添加异步密码哈希和验证函数
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details 
refactor(relay): 复用HTTP客户端和请求体序列化结果

feat(kernel): 添加获取单个审批记录的方法

fix(store): 改进SaaS连接错误分类和降级处理

docs: 更新审计文档和系统架构文档

refactor(prompt): 优化SQL查询参数化绑定

refactor(migration): 使用静态SQL和COALESCE更新配置项

feat(commands): 添加审批执行状态追踪和事件通知

chore: 更新启动脚本以支持Admin后台

fix(auth-guard): 优化授权状态管理和错误处理

refactor(db): 使用异步密码哈希函数

refactor(totp): 使用异步密码验证函数

style: 清理无用文件和注释

docs: 更新功能全景和审计文档

refactor(service): 优化HTTP客户端重用和请求处理

fix(connection): 改进SaaS不可用时的降级处理

refactor(handlers): 使用异步密码验证函数

chore: 更新依赖和工具链配置
 2026-03-29 21:45:29 +08:00
iven
b7ec317d2c docs: 更新功能文档 — 反映架构重构成果
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details 
- docs/features/README.md — 技能数 69→70, Hands 11个, 成熟度更新
- 智能层文档成熟度上调 (身份演化 L3, 反思引擎 L3)
- 后端集成文档更新 SaaS 迁移系统说明
- 知识库添加架构重构记录
 2026-03-29 19:42:37 +08:00
iven
a0ca35c9dd feat(saas): SQL 迁移系统 + TIMESTAMPTZ + 热路径重构 
P0: SQL 迁移系统
- crates/zclaw-saas/migrations/ — 独立 SQL 迁移文件目录
- 20260329000001_initial_schema.sql — TIMESTAMPTZ 完整 schema
- 20260329000002_seed_data.sql — 角色种子数据
- db.rs: 移除 335 行内联 SCHEMA_SQL,改为文件加载
- 版本追踪: saas_schema_version 表管理迁移状态
- 向后兼容: 已有 TEXT 时间戳数据库不受影响

P1: 安全重构
- relay/service.rs: update_task_status 从 format!() 改为 3 条独立参数化查询
- config.rs: 移除 TODO 注释,补充字段文档说明
- state.rs: 添加 dispatch_log_operation 异步日志派发方法

P2: Worker 集成
- state.rs: WorkerDispatcher 接入 AppState
- 所有异步后台任务基础设施就绪
 2026-03-29 19:41:03 +08:00
iven
77374121dd fix(saas): 清理 role/mod.rs 重复路由定义 
移除重复的 routes() 函数,将 get_role_permissions 路由指向 handlers_ext
 2026-03-29 19:23:40 +08:00
iven
8b9d506893 refactor(saas): 架构重构 + 性能优化 — 借鉴 loco-rs 模式 
Phase 0: 知识库
- docs/knowledge-base/loco-rs-patterns.md — loco-rs 10 个可借鉴模式研究

Phase 1: 数据层重构
- crates/zclaw-saas/src/models/ — 15 个 FromRow 类型化模型
- Login 3 次查询合并为 1 次 AccountLoginRow 查询
- 所有 service 文件从元组解构迁移到 FromRow 结构体

Phase 2: Worker + Scheduler 系统
- crates/zclaw-saas/src/workers/ — Worker trait + 5 个具体实现
- crates/zclaw-saas/src/scheduler.rs — TOML 声明式调度器
- crates/zclaw-saas/src/tasks/ — CLI 任务系统

Phase 3: 性能修复
- Relay N+1 查询 → 精准 SQL (relay/handlers.rs)
- Config RwLock → AtomicU32 无锁 rate limit (state.rs, middleware.rs)
- SSE std::sync::Mutex → tokio::sync::Mutex (relay/service.rs)
- /auth/refresh 阻塞清理 → Scheduler 定期执行

Phase 4: 多环境配置
- config/saas-{development,production,test}.toml
- ZCLAW_ENV 环境选择 + ZCLAW_SAAS_CONFIG 精确覆盖
- scheduler 配置集成到 TOML
 2026-03-29 19:21:48 +08:00
iven
5fdf96c3f5 chore: 提交所有工作进度 — SaaS 后端增强、Admin UI、桌面端集成 
包含大量 SaaS 平台改进、Admin 管理后台更新、桌面端集成完善、
文档同步、测试文件重构等内容。为 QA 测试准备干净工作树。
 2026-03-29 10:46:41 +08:00
iven
9a5fad2b59 feat(saas): 合并 SaaS 后端、Admin 管理后台、桌面端集成 
- 14 commits from worktree-saas-backend
- crates/zclaw-saas: Axum 后端 (auth, accounts, models, relay, config-sync)
- admin/: Next.js 管理后台
- desktop/: SaaS 客户端集成 (saasStore, 2FA, relay, config sync)
- saas-config.toml, docker-compose.yml, Dockerfile
- 84 files, 15558 insertions
 2026-03-28 00:54:53 +08:00
332 changed files with 25821 additions and 12269 deletions
Expand all files Collapse all files

BIN
.claude/skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc
View File

Binary file not shown.

BIN
.claude/skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc
View File

Binary file not shown.

1
.claude/worktrees/saas-backend Submodule

Submodule .claude/worktrees/saas-backend added at 4d8d560d1f

93
.dockerignore
View File

@@ -1,93 +0,0 @@
# ============================================================
# ZCLAW SaaS Backend - Docker Ignore
# ============================================================
# Build artifacts
target/
# Frontend applications (not needed for SaaS backend)
desktop/
admin/
design-system/
# Node.js
node_modules/
.pnpm-store/
bun.lock
pnpm-lock.yaml
package.json
package-lock.json
# Git
.git/
.gitignore
# IDE and editor
.vscode/
.idea/
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# Docker
.docker/
docker-compose*.yml
Dockerfile
.dockerignore
# Documentation
docs/
*.md
!saas-config.toml
CLAUDE.md
CLAUDE*.md
# Environment files (secrets)
.env
.env.*
saas-env.example
# Data files
saas-data/
saas-data.db
saas-data.db-shm
saas-data.db-wal
*.db
*.db-shm
*.db-wal
# Test artifacts
tests/
test-results/
test.rs
*.log
# Temporary files
tmp-screenshot.png
tmp/
temp/
*.tmp
# Claude worktree metadata
.claude/
plans/
pipelines/
scripts/
hands/
skills/
plugins/
config/
extract.js
extract_models.js
extract_privacy.js
start-all.ps1
start.ps1
start.sh
Makefile
PROGRESS.md
CHANGELOG.md
pencil-new.pen

4
.gitignore vendored
View File

@@ -12,6 +12,10 @@ build/
.env.local
.env.*.local
# SaaS config (contains database credentials)
saas-config.toml
!saas-config.toml.example
# Logs
logs/
*.log

0
saas-data.db-wal → Authorization
View File

30
CLAUDE.md
View File

@@ -37,16 +37,20 @@ ZCLAW/
│ ├── zclaw-skills/ # 技能系统 (SKILL.md解析, 执行器)
│ ├── zclaw-hands/ # 自主能力 (Hand/Trigger 注册管理)
│ ├── zclaw-channels/ # 通道适配器 (仅 ConsoleChannel 测试适配器)
── zclaw-protocols/ # 协议支持 (MCP, A2A)
── zclaw-protocols/ # 协议支持 (MCP, A2A)
│ └── zclaw-saas/ # SaaS 后端 (账号, 模型配置, 中转, 配置同步)
├── admin/ # Next.js 管理后台
├── desktop/ # Tauri 桌面应用
│ ├── src/
│ │ ├── components/ # React UI 组件
│ │ ├── store/ # Zustand 状态管理
│ │ └── lib/ # 客户端通信 / 工具函数
│ │ ├── components/ # React UI 组件 (含 SaaS 集成)
│ │ ├── store/ # Zustand 状态管理 (含 saasStore)
│ │ └── lib/ # 客户端通信 / 工具函数 (含 saas-client)
│ └── src-tauri/ # Tauri Rust 后端 (集成 Kernel)
├── skills/ # SKILL.md 技能定义
├── hands/ # HAND.toml 自主能力配置
├── config/ # TOML 配置文件
├── saas-config.toml # SaaS 后端配置 (PostgreSQL 连接等)
├── docker-compose.yml # PostgreSQL 容器配置
├── docs/ # 架构文档和知识库
└── tests/ # Vitest 回归测试
```
@@ -66,7 +70,9 @@ ZCLAW/
| 桌面框架 | Tauri 2.x |
| 样式方案 | Tailwind CSS |
| 配置格式 | TOML |
| 后端核心 | Rust Workspace (8 crates) |
| 后端核心 | Rust Workspace (9 crates) |
| SaaS 后端 | Axum + PostgreSQL (zclaw-saas) |
| 管理后台 | Next.js (admin/) |
### 2.3 Crate 依赖关系
@@ -79,6 +85,8 @@ zclaw-runtime (→ types, memory)
zclaw-kernel (→ types, memory, runtime)
zclaw-saas (→ types, 独立运行于 8080 端口)
desktop/src-tauri (→ kernel, skills, hands, channels, protocols)
```
@@ -260,6 +268,18 @@ docs/
- **面向未来** - 文档要帮助未来的开发者快速理解
- **中文优先** - 所有面向用户的文档使用中文
### 8.3 完成工作后的文档同步(强制)
每次完成功能实现、架构变更、问题修复后,**必须**同步更新以下文档:
1. **CLAUDE.md** — 如果涉及项目结构、技术栈、工作流程、命令的变化
2. **docs/features/** — 如果涉及新功能、功能变更、功能状态更新
3. **docs/knowledge-base/** — 如果涉及新知识、故障排查经验、配置说明
4. **saas-config.toml 注释** — 如果涉及 SaaS 配置项变更
5. **CHANGELOG** — 如果涉及对外可见的行为变化
**执行时机:** 代码编译通过且验证成功后,在标记任务完成之前,立即执行文档更新。文档更新是任务完成的必要条件,不是可选步骤。
***
## 9. 常见问题排查

1069
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

8
Cargo.toml
View File

@@ -57,7 +57,7 @@ chrono = { version = "0.4", features = ["serde"] }
uuid = { version = "1", features = ["v4", "v5", "serde"] }
# Database
sqlx = { version = "0.7", features = ["runtime-tokio", "postgres", "chrono"] }
sqlx = { version = "0.7", features = ["runtime-tokio", "sqlite", "postgres"] }
libsqlite3-sys = { version = "0.27", features = ["bundled"] }
# HTTP client (for LLM drivers)
@@ -94,6 +94,10 @@ regex = "1"
# Shell parsing
shlex = "1"
# WASM runtime
wasmtime = { version = "43", default-features = false, features = ["cranelift"] }
wasmtime-wasi = { version = "43" }
# Testing
tempfile = "3"
@@ -101,7 +105,7 @@ tempfile = "3"
axum = { version = "0.7", features = ["macros"] }
axum-extra = { version = "0.9", features = ["typed-header"] }
tower = { version = "0.4", features = ["util"] }
tower-http = { version = "0.5", features = ["cors", "trace", "limit"] }
tower-http = { version = "0.5", features = ["cors", "trace", "limit", "timeout"] }
jsonwebtoken = "9"
argon2 = "0.5"
totp-rs = "5"

83
Dockerfile
View File

@@ -1,83 +0,0 @@
# ============================================================
# ZCLAW SaaS Backend - Multi-stage Docker Build
# ============================================================
# ---- Stage 1: Builder ----
FROM rust:1.75-bookworm AS builder
# Install build dependencies for sqlx (postgres) and libsqlite3-sys (bundled)
RUN apt-get update && apt-get install -y --no-install-recommends \
pkg-config \
libssl-dev \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Copy workspace manifests first to leverage Docker layer caching
COPY Cargo.toml Cargo.lock ./
# Create stub source files so cargo can resolve and cache dependencies
# This avoids rebuilding dependencies when only application code changes
RUN mkdir -p crates/zclaw-saas/src \
&& echo 'fn main() {}' > crates/zclaw-saas/src/main.rs \
&& for crate in zclaw-types zclaw-memory zclaw-runtime zclaw-kernel \
zclaw-skills zclaw-hands zclaw-channels zclaw-protocols \
zclaw-pipeline zclaw-growth; do \
mkdir -p crates/$crate/src && echo '' > crates/$crate/src/lib.rs; \
done \
&& mkdir -p desktop/src-tauri/src && echo 'fn main() {}' > desktop/src-tauri/src/main.rs
# Pre-build dependencies (release profile with caching)
RUN cargo build --release --package zclaw-saas 2>/dev/null || true
# Copy actual source code (invalidates stubs, triggers recompile of app code only)
COPY crates/ crates/
COPY desktop/ desktop/
# Touch source files to invalidate the stub timestamps
RUN touch crates/zclaw-saas/src/main.rs \
&& for crate in zclaw-types zclaw-memory zclaw-runtime zclaw-kernel \
zclaw-skills zclaw-hands zclaw-channels zclaw-protocols \
zclaw-pipeline zclaw-growth; do \
touch crates/$crate/src/lib.rs 2>/dev/null || true; \
done \
&& touch desktop/src-tauri/src/main.rs 2>/dev/null || true
# Build the actual binary
RUN cargo build --release --package zclaw-saas
# ---- Stage 2: Runtime ----
FROM debian:bookworm-slim AS runtime
# Install runtime dependencies (ca-certificates for HTTPS, libgcc for Rust runtime)
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
libgcc-s \
&& rm -rf /var/lib/apt/lists/* \
&& update-ca-certificates
# Create non-root user for security
RUN groupadd --gid 1000 zclaw \
&& useradd --uid 1000 --gid zclaw --shell /bin/false zclaw
WORKDIR /app
# Copy binary from builder
COPY --from=builder /app/target/release/zclaw-saas /app/zclaw-saas
# Copy configuration file
COPY saas-config.toml /app/saas-config.toml
# Ensure the non-root user owns the application files
RUN chown -R zclaw:zclaw /app
USER zclaw
# Expose the SaaS API port
EXPOSE 8080
# Health check endpoint (matches the saas-config.toml port)
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD ["/app/zclaw-saas", "--healthcheck"] || exit 1
ENTRYPOINT ["/app/zclaw-saas"]

33
Makefile
View File

@@ -1,9 +1,7 @@
# ZCLAW Makefile
# Cross-platform task runner
.PHONY: help start start-dev start-no-browser desktop desktop-build setup test clean \
saas-build saas-run saas-test saas-test-integration saas-clippy saas-migrate \
saas-docker-up saas-docker-down saas-docker-build
.PHONY: help start start-dev start-no-browser desktop desktop-build setup test clean
help: ## Show this help message
@echo "ZCLAW - AI Agent Desktop Client"
@@ -73,32 +71,3 @@ clean-deep: clean ## Deep clean (including pnpm cache)
@rm -rf desktop/pnpm-lock.yaml
@rm -rf pnpm-lock.yaml
@echo "Deep clean complete. Run 'pnpm install' to reinstall."
# === SaaS Backend ===
saas-build: ## Build zclaw-saas crate
@cargo build -p zclaw-saas
saas-run: ## Start SaaS backend (cargo run)
@cargo run -p zclaw-saas
saas-test: ## Run SaaS unit tests
@cargo test -p zclaw-saas -- --test-threads=1
saas-test-integration: ## Run SaaS integration tests (requires PostgreSQL)
@cargo test -p zclaw-saas -- --ignored --test-threads=1
saas-clippy: ## Run clippy on zclaw-saas
@cargo clippy -p zclaw-saas -- -D warnings
saas-migrate: ## Run database migrations
@cargo run -p zclaw-saas -- --migrate
saas-docker-up: ## Start SaaS services (PostgreSQL + backend)
@docker compose up -d
saas-docker-down: ## Stop SaaS services
@docker compose down
saas-docker-build: ## Build SaaS Docker images
@docker compose build

2
admin/.gitignore vendored
View File

@@ -1,4 +1,2 @@
.next/
node_modules/
.env.local
.env*.local

37
admin/next.config.js
View File

@@ -1,41 +1,10 @@
/** @type {import('next').NextConfig} */
const nextConfig = {
async headers() {
async rewrites() {
return [
{
source: '/(.*)',
headers: [
{
key: 'X-Frame-Options',
value: 'DENY',
},
{
key: 'X-Content-Type-Options',
value: 'nosniff',
},
{
key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin',
},
{
key: 'Content-Security-Policy',
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data: blob:",
"connect-src 'self'",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
].join('; '),
},
{
key: 'Permissions-Policy',
value: 'camera=(), microphone=(), geolocation=()',
},
],
source: '/api/:path*',
destination: 'http://localhost:8080/api/:path*',
},
]
},

2
admin/package.json
View File

@@ -22,7 +22,7 @@
"react": "^18.3.1",
"react-dom": "^18.3.1",
"recharts": "^2.15.3",
"sonner": "^2.0.7",
"swr": "^2.4.1",
"tailwind-merge": "^3.0.2"
},
"devDependencies": {

43
admin/pnpm-lock.yaml generated
View File

@@ -47,9 +47,9 @@ importers:
recharts:
specifier: ^2.15.3
version: 2.15.4(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
sonner:
specifier: ^2.0.7
version: 2.0.7(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
swr:
specifier: ^2.4.1
version: 2.4.1(react@18.3.1)
tailwind-merge:
specifier: ^3.0.2
version: 3.5.0
@@ -722,6 +722,10 @@ packages:
decimal.js-light@2.5.1:
resolution: {integrity: sha512-qIMFpTMZmny+MMIitAB6D7iVPEorVw6YQRWkvarTkT4tBeSLLiHzcwj6q0MmYSFCiVpiqPJTJEYIrpcPzVEIvg==}
dequal@2.0.3:
resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==}
engines: {node: '>=6'}
detect-node-es@1.1.0:
resolution: {integrity: sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==}
@@ -1066,12 +1070,6 @@ packages:
scheduler@0.23.2:
resolution: {integrity: sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==}
sonner@2.0.7:
resolution: {integrity: sha512-W6ZN4p58k8aDKA4XPcx2hpIQXBRAgyiWVkYhT7CvK6D3iAu7xjvVyhQHg2/iaKJZ1XVJ4r7XuwGL+WGEK37i9w==}
peerDependencies:
react: ^18.0.0 || ^19.0.0 || ^19.0.0-rc
react-dom: ^18.0.0 || ^19.0.0 || ^19.0.0-rc
source-map-js@1.2.1:
resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
engines: {node: '>=0.10.0'}
@@ -1102,6 +1100,11 @@ packages:
resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
engines: {node: '>= 0.4'}
swr@2.4.1:
resolution: {integrity: sha512-2CC6CiKQtEwaEeNiqWTAw9PGykW8SR5zZX8MZk6TeAvEAnVS7Visz8WzphqgtQ8v2xz/4Q5K+j+SeMaKXeeQIA==}
peerDependencies:
react: ^16.11.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
tailwind-merge@3.5.0:
resolution: {integrity: sha512-I8K9wewnVDkL1NTGoqWmVEIlUcB9gFriAEkXkfCjX5ib8ezGxtR3xD7iZIxrfArjEsH7F1CHD4RFUtxefdqV/A==}
@@ -1168,6 +1171,11 @@ packages:
'@types/react':
optional: true
use-sync-external-store@1.6.0:
resolution: {integrity: sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==}
peerDependencies:
react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
util-deprecate@1.0.2:
resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
@@ -1753,6 +1761,8 @@ snapshots:
decimal.js-light@2.5.1: {}
dequal@2.0.3: {}
detect-node-es@1.1.0: {}
didyoumean@1.2.2: {}
@@ -2061,11 +2071,6 @@ snapshots:
dependencies:
loose-envify: 1.4.0
sonner@2.0.7(react-dom@18.3.1(react@18.3.1))(react@18.3.1):
dependencies:
react: 18.3.1
react-dom: 18.3.1(react@18.3.1)
source-map-js@1.2.1: {}
streamsearch@1.1.0: {}
@@ -2087,6 +2092,12 @@ snapshots:
supports-preserve-symlinks-flag@1.0.0: {}
swr@2.4.1(react@18.3.1):
dependencies:
dequal: 2.0.3
react: 18.3.1
use-sync-external-store: 1.6.0(react@18.3.1)
tailwind-merge@3.5.0: {}
tailwindcss@3.4.19:
@@ -2165,6 +2176,10 @@ snapshots:
optionalDependencies:
'@types/react': 18.3.28
use-sync-external-store@1.6.0(react@18.3.1):
dependencies:
react: 18.3.1
util-deprecate@1.0.2: {}
victory-vendor@36.9.2:

93
admin/src/app/(dashboard)/accounts/page.tsx
View File

@@ -1,6 +1,7 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Search,
Plus,
@@ -40,7 +41,10 @@ import {
} from '@/components/ui/select'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import { formatDate } from '@/lib/utils'
import { formatDate, getSwrErrorMessage } from '@/lib/utils'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { TableSkeleton } from '@/components/ui/skeleton'
import { useDebounce } from '@/hooks/use-debounce'
import type { AccountPublic } from '@/lib/types'
const PAGE_SIZE = 20
@@ -64,21 +68,28 @@ const statusLabels: Record<string, string> = {
}
export default function AccountsPage() {
const [accounts, setAccounts] = useState<AccountPublic[]>([])
const [total, setTotal] = useState(0)
const [page, setPage] = useState(1)
const [search, setSearch] = useState('')
// 搜索 debounce: 输入后 300ms 再触发请求
const [debouncedSearchState, setDebouncedSearchState] = useState('')
useEffect(() => {
const timer = setTimeout(() => setDebouncedSearchState(search), 300)
return () => clearTimeout(timer)
}, [search])
const [roleFilter, setRoleFilter] = useState<string>('all')
const [statusFilter, setStatusFilter] = useState<string>('all')
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
const [mutationError, setMutationError] = useState('')
const debouncedSearch = useDebounce(search, 300)
const { data, error: swrError, isLoading, mutate } = useSWR(
['accounts', page, debouncedSearch, roleFilter, statusFilter],
() => {
const params: Record<string, unknown> = { page, page_size: PAGE_SIZE }
if (debouncedSearch.trim()) params.search = debouncedSearch.trim()
if (roleFilter !== 'all') params.role = roleFilter
if (statusFilter !== 'all') params.status = statusFilter
return api.accounts.list(params)
},
)
const accounts = data?.items ?? []
const total = data?.total ?? 0
const error = getSwrErrorMessage(swrError) || mutationError
// 编辑 Dialog
const [editTarget, setEditTarget] = useState<AccountPublic | null>(null)
@@ -89,33 +100,6 @@ export default function AccountsPage() {
const [confirmTarget, setConfirmTarget] = useState<{ id: string; action: string; status: string } | null>(null)
const [confirmSaving, setConfirmSaving] = useState(false)
const fetchAccounts = useCallback(async () => {
setLoading(true)
setError('')
try {
const params: Record<string, unknown> = { page, page_size: PAGE_SIZE }
if (debouncedSearchState.trim()) params.search = debouncedSearchState.trim()
if (roleFilter !== 'all') params.role = roleFilter
if (statusFilter !== 'all') params.status = statusFilter
const res = await api.accounts.list(params)
setAccounts(res.items)
setTotal(res.total)
} catch (err) {
if (err instanceof ApiRequestError) {
setError(err.body.message)
} else {
setError('加载失败')
}
} finally {
setLoading(false)
}
}, [page, debouncedSearchState, roleFilter, statusFilter])
useEffect(() => {
fetchAccounts()
}, [fetchAccounts])
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
function openEditDialog(account: AccountPublic) {
@@ -137,10 +121,10 @@ export default function AccountsPage() {
role: editForm.role as AccountPublic['role'],
})
setEditTarget(null)
fetchAccounts()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) {
setError(err.body.message)
setMutationError(err.body.message)
}
} finally {
setEditSaving(false)
@@ -164,10 +148,10 @@ export default function AccountsPage() {
status: confirmTarget.status as AccountPublic['status'],
})
setConfirmTarget(null)
fetchAccounts()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) {
setError(err.body.message)
setMutationError(err.body.message)
}
} finally {
setConfirmSaving(false)
@@ -212,24 +196,13 @@ export default function AccountsPage() {
</div>
{/* 错误提示 */}
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer">
</button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => { setMutationError('') }} />}
{/* 表格 */}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : accounts.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={6} cols={7} />
) : error ? null : accounts.length === 0 ? (
<EmptyState />
) : (
<>
<Table>

290
admin/src/app/(dashboard)/agent-templates/page.tsx Normal file
View File

@@ -0,0 +1,290 @@
'use client'
import { useState } from 'react'
import useSWR from 'swr'
import { api } from '@/lib/api-client'
import type { AgentTemplate } from '@/lib/types'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { TableSkeleton } from '@/components/ui/skeleton'
export default function AgentTemplatesPage() {
const [page, setPage] = useState(1)
const [error, setError] = useState('')
const [showCreate, setShowCreate] = useState(false)
const [editingId, setEditingId] = useState<string | null>(null)
const { data, isLoading, mutate } = useSWR(
['agentTemplates.list', page],
() => api.agentTemplates.list({ page, page_size: 50 }),
)
const templates = data?.items ?? []
const total = data?.total ?? 0
const handleCreate = async (e: React.FormEvent<HTMLFormElement>) => {
e.preventDefault()
const fd = new FormData(e.currentTarget)
try {
const tools = (fd.get('tools') as string || '').split(',').map(s => s.trim()).filter(Boolean)
const capabilities = (fd.get('capabilities') as string || '').split(',').map(s => s.trim()).filter(Boolean)
await api.agentTemplates.create({
name: fd.get('name') as string,
description: (fd.get('description') as string) || undefined,
category: (fd.get('category') as string) || 'general',
model: (fd.get('model') as string) || undefined,
system_prompt: (fd.get('system_prompt') as string) || undefined,
tools: tools.length > 0 ? tools : undefined,
capabilities: capabilities.length > 0 ? capabilities : undefined,
temperature: (fd.get('temperature') as string) ? parseFloat(fd.get('temperature') as string) : undefined,
max_tokens: (fd.get('max_tokens') as string) ? parseInt(fd.get('max_tokens') as string, 10) : undefined,
visibility: (fd.get('visibility') as string) || 'public',
})
setShowCreate(false)
mutate()
} catch {
setError('创建失败')
}
}
const handleArchive = async (id: string, name: string) => {
if (!confirm(`确认归档模板 "${name}"`)) return
try {
await api.agentTemplates.archive(id)
mutate()
} catch {
setError('归档失败')
}
}
const statusBadge = (status: string) => {
const colors: Record<string, string> = {
active: 'bg-emerald-500/20 text-emerald-400',
archived: 'bg-zinc-500/20 text-zinc-400',
}
return <span className={`px-2 py-0.5 text-xs rounded-full ${colors[status] || colors.archived}`}>{status}</span>
}
const sourceBadge = (source: string) => {
const colors: Record<string, string> = {
builtin: 'bg-blue-500/20 text-blue-400',
custom: 'bg-purple-500/20 text-purple-400',
}
return (
<span className={`px-2 py-0.5 text-xs rounded-full ${colors[source] || ''}`}>
{source === 'builtin' ? '内置' : '自定义'}
</span>
)
}
return (
<div className="space-y-6">
<div className="flex items-center justify-between">
<div>
<h1 className="text-2xl font-bold text-white">Agent </h1>
<p className="text-sm text-zinc-400 mt-1"> Agent </p>
</div>
<button
onClick={() => setShowCreate(true)}
className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-colors text-sm"
>
+
</button>
</div>
{error && <ErrorBanner message={error} onDismiss={() => setError('')} />}
<div className="bg-zinc-900 rounded-xl border border-zinc-800 overflow-hidden">
<table className="w-full text-sm">
<thead>
<tr className="border-b border-zinc-800">
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-right px-4 py-3 text-zinc-400 font-medium"></th>
</tr>
</thead>
<tbody>
{isLoading ? (
<tr>
<td colSpan={9}>
<TableSkeleton rows={5} cols={9} hasToolbar={false} />
</td>
</tr>
) : templates.length === 0 ? (
<tr><td colSpan={9}><EmptyState message="暂无 Agent 模板" /></td></tr>
) : (
templates.map(t => (
<tr key={t.id} className="border-b border-zinc-800/50 hover:bg-zinc-800/30">
<td className="px-4 py-3">
<div>
<span className="text-white font-medium">{t.name}</span>
{t.description && (
<p className="text-xs text-zinc-500 mt-0.5 truncate max-w-[200px]">{t.description}</p>
)}
</div>
</td>
<td className="px-4 py-3 text-zinc-400">{t.category}</td>
<td className="px-4 py-3">{sourceBadge(t.source)}</td>
<td className="px-4 py-3 text-zinc-300 font-mono text-xs">{t.model || '-'}</td>
<td className="px-4 py-3 text-zinc-400">{t.tools.length}</td>
<td className="px-4 py-3 text-zinc-400">{t.visibility}</td>
<td className="px-4 py-3">{statusBadge(t.status)}</td>
<td className="px-4 py-3 text-zinc-500 text-xs">
{new Date(t.updated_at).toLocaleString('zh-CN')}
</td>
<td className="px-4 py-3 text-right">
<button
onClick={() => setEditingId(editingId === t.id ? null : t.id)}
className="text-zinc-400 hover:text-white mr-2"
>
</button>
{t.source === 'custom' && (
<button
onClick={() => handleArchive(t.id, t.name)}
className="text-red-400 hover:text-red-300"
>
</button>
)}
</td>
</tr>
))
)}
</tbody>
</table>
<div className="px-4 py-2 text-xs text-zinc-500 border-t border-zinc-800">
{total}
</div>
</div>
{/* 展开详情 */}
{editingId && (() => {
const t = templates.find(t => t.id === editingId)
if (!t) return null
return (
<div className="bg-zinc-900 rounded-xl border border-zinc-800 p-4">
<div className="flex items-center justify-between mb-3">
<h2 className="text-lg font-semibold text-white">{t.name} </h2>
<button onClick={() => setEditingId(null)} className="text-zinc-400 hover:text-white text-sm"></button>
</div>
<div className="grid grid-cols-2 gap-4 text-sm">
<div>
<span className="text-zinc-500"></span>
<span className="text-zinc-300">{t.category}</span>
</div>
<div>
<span className="text-zinc-500"></span>
<span className="text-zinc-300 font-mono">{t.model || '未指定'}</span>
</div>
<div>
<span className="text-zinc-500"></span>
<span className="text-zinc-300">{t.temperature?.toFixed(2) || '默认'}</span>
</div>
<div>
<span className="text-zinc-500"> Token</span>
<span className="text-zinc-300">{t.max_tokens || '未限制'}</span>
</div>
<div className="col-span-2">
<span className="text-zinc-500"></span>
<div className="flex flex-wrap gap-1 mt-1">
{t.tools.length > 0 ? t.tools.map(tool => (
<span key={tool} className="px-2 py-0.5 bg-zinc-800 rounded text-xs text-zinc-300">{tool}</span>
)) : <span className="text-zinc-600"></span>}
</div>
</div>
<div className="col-span-2">
<span className="text-zinc-500"></span>
<div className="flex flex-wrap gap-1 mt-1">
{t.capabilities.length > 0 ? t.capabilities.map(cap => (
<span key={cap} className="px-2 py-0.5 bg-blue-500/10 rounded text-xs text-blue-400">{cap}</span>
)) : <span className="text-zinc-600"></span>}
</div>
</div>
{t.system_prompt && (
<div className="col-span-2">
<span className="text-zinc-500"></span>
<pre className="text-xs text-zinc-400 bg-zinc-800/50 rounded p-2 mt-1 overflow-x-auto max-h-32">
{t.system_prompt.substring(0, 500)}{t.system_prompt.length > 500 ? '...' : ''}
</pre>
</div>
)}
</div>
</div>
)
})()}
{/* Create Modal */}
{showCreate && (
<div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
<form onSubmit={handleCreate} className="bg-zinc-900 rounded-xl border border-zinc-700 p-6 w-full max-w-lg space-y-4 max-h-[80vh] overflow-y-auto">
<h2 className="text-lg font-semibold text-white"> Agent </h2>
<div>
<label className="block text-sm text-zinc-400 mb-1"> *</label>
<input name="name" required className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="my_agent" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="description" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="可选" />
</div>
<div className="grid grid-cols-2 gap-4">
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<select name="category" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm">
<option value="general"></option>
<option value="coding"></option>
<option value="research"></option>
<option value="creative"></option>
<option value="assistant"></option>
</select>
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="model" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="如 glm-4-plus" />
</div>
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<textarea name="system_prompt" rows={4} className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm font-mono" placeholder="Agent 系统提示词" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="tools" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="browser, file_system, code_execute" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="capabilities" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="streaming, vision, function_calling" />
</div>
<div className="grid grid-cols-3 gap-4">
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="temperature" type="number" step="0.1" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="默认" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"> Token</label>
<input name="max_tokens" type="number" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="不限" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<select name="visibility" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm">
<option value="public"></option>
<option value="team"></option>
<option value="private"></option>
</select>
</div>
</div>
<div className="flex gap-2 justify-end">
<button type="button" onClick={() => setShowCreate(false)} className="px-4 py-2 bg-zinc-700 text-white rounded-lg hover:bg-zinc-600 text-sm"></button>
<button type="submit" className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 text-sm"></button>
</div>
</form>
</div>
)}
</div>
)
}

67
admin/src/app/(dashboard)/api-keys/page.tsx
View File

@@ -1,6 +1,7 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Plus,
Loader2,
@@ -32,8 +33,10 @@ import {
DialogDescription,
} from '@/components/ui/dialog'
import { api } from '@/lib/api-client'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { ApiRequestError } from '@/lib/api-client'
import { formatDate } from '@/lib/utils'
import { formatDate, getSwrErrorMessage } from '@/lib/utils'
import { TableSkeleton } from '@/components/ui/skeleton'
import type { TokenInfo } from '@/lib/types'
const PAGE_SIZE = 20
@@ -45,11 +48,17 @@ const allPermissions = [
]
export default function ApiKeysPage() {
const [tokens, setTokens] = useState<TokenInfo[]>([])
const [total, setTotal] = useState(0)
const [page, setPage] = useState(1)
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
const [mutationError, setMutationError] = useState('')
const { data, error: swrError, isLoading, mutate } = useSWR(
['tokens', page],
() => api.tokens.list({ page, page_size: PAGE_SIZE }),
)
const tokens = data?.items ?? []
const total = data?.total ?? 0
const error = getSwrErrorMessage(swrError) || mutationError
// 创建 Dialog
const [createOpen, setCreateOpen] = useState(false)
@@ -64,25 +73,6 @@ export default function ApiKeysPage() {
const [revokeTarget, setRevokeTarget] = useState<TokenInfo | null>(null)
const [revoking, setRevoking] = useState(false)
const fetchTokens = useCallback(async () => {
setLoading(true)
setError('')
try {
const res = await api.tokens.list({ page, page_size: PAGE_SIZE })
setTokens(res.items)
setTotal(res.total)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}, [page])
useEffect(() => {
fetchTokens()
}, [fetchTokens])
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
function togglePermission(perm: string) {
@@ -107,9 +97,9 @@ export default function ApiKeysPage() {
setCreateOpen(false)
setCreatedToken(res)
setCreateForm({ name: '', expires_days: '', permissions: ['chat'] })
fetchTokens()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
if (err instanceof ApiRequestError) setMutationError(err.body.message)
} finally {
setCreating(false)
}
@@ -121,9 +111,9 @@ export default function ApiKeysPage() {
try {
await api.tokens.revoke(revokeTarget.id)
setRevokeTarget(null)
fetchTokens()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
if (err instanceof ApiRequestError) setMutationError(err.body.message)
} finally {
setRevoking(false)
}
@@ -158,21 +148,12 @@ export default function ApiKeysPage() {
</Button>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => setMutationError('')} />}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : tokens.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={6} cols={7} />
) : error ? null : tokens.length === 0 ? (
<EmptyState />
) : (
<>
<Table>

91
admin/src/app/(dashboard)/config/page.tsx
View File

@@ -1,6 +1,7 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Loader2,
Pencil,
@@ -35,6 +36,8 @@ import {
} from '@/components/ui/dialog'
import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs'
import { api } from '@/lib/api-client'
import { TableSkeleton } from '@/components/ui/skeleton'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { ApiRequestError } from '@/lib/api-client'
import type { ConfigItem } from '@/lib/types'
@@ -51,56 +54,31 @@ const sourceVariants: Record<string, 'secondary' | 'info' | 'default'> = {
}
export default function ConfigPage() {
const [configs, setConfigs] = useState<ConfigItem[]>([])
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
const [activeTab, setActiveTab] = useState('all')
// SWR for config list
const { data: configs = [], isLoading, mutate } = useSWR(
['config', activeTab],
() => {
const params: Record<string, unknown> = {}
if (activeTab !== 'all') params.category = activeTab
return api.config.list(params)
}
)
// 编辑 Dialog
const [editTarget, setEditTarget] = useState<ConfigItem | null>(null)
const [editValue, setEditValue] = useState('')
const [saving, setSaving] = useState(false)
const fetchConfigs = useCallback(async (category?: string) => {
setLoading(true)
setError('')
try {
const params: Record<string, unknown> = {}
if (category && category !== 'all') params.category = category
const res = await api.config.list(params)
setConfigs(res)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}, [])
useEffect(() => {
fetchConfigs(activeTab)
}, [fetchConfigs, activeTab])
function openEditDialog(config: ConfigItem) {
setEditTarget(config)
setEditValue(config.current_value !== undefined ? String(config.current_value) : '')
setEditValue(config.current_value ?? '')
}
async function handleSave() {
if (!editTarget) return
// 表单验证
if (editValue.trim() === '') {
setError('配置值不能为空')
return
}
if (editTarget.value_type === 'number' && isNaN(Number(editValue))) {
setError('请输入有效的数字')
return
}
if (editTarget.value_type === 'boolean' && editValue !== 'true' && editValue !== 'false') {
setError('布尔值只能为 true 或 false')
return
}
setSaving(true)
try {
let parsedValue: string | number | boolean = editValue
@@ -109,9 +87,9 @@ export default function ConfigPage() {
} else if (editTarget.value_type === 'boolean') {
parsedValue = editValue === 'true'
}
await api.config.update(editTarget.id, { current_value: parsedValue })
await api.config.update(editTarget.id, { value: parsedValue })
setEditTarget(null)
fetchConfigs(activeTab)
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
@@ -125,7 +103,15 @@ export default function ConfigPage() {
return String(value)
}
const categories = ['all', 'auth', 'relay', 'model', 'system']
const categoryLabels: Record<string, string> = {
all: '全部',
server: '服务器',
agent: 'Agent',
memory: '记忆',
llm: 'LLM',
security: '安全策略',
}
const categories = Object.keys(categoryLabels)
return (
<div className="space-y-4">
@@ -134,27 +120,18 @@ export default function ConfigPage() {
<TabsList>
{categories.map((cat) => (
<TabsTrigger key={cat} value={cat}>
{cat === 'all' ? '全部' : cat}
{categoryLabels[cat] || cat}
</TabsTrigger>
))}
</TabsList>
</Tabs>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => setError('')} />}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : configs.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={8} cols={8} hasToolbar={false} />
) : error ? null : configs.length === 0 ? (
<EmptyState message="暂无配置项" />
) : (
<Table>
<TableHeader>
@@ -233,7 +210,7 @@ export default function ConfigPage() {
</div>
<div className="space-y-2">
<Label>
{editTarget?.default_value !== undefined && (
{editTarget?.default_value != null && (
<span className="text-xs text-muted-foreground ml-2">
(: {formatValue(editTarget.default_value)})
</span>
@@ -262,7 +239,7 @@ export default function ConfigPage() {
<Button
variant="outline"
onClick={() => {
if (editTarget?.default_value !== undefined) {
if (editTarget?.default_value != null) {
setEditValue(String(editTarget.default_value))
}
}}

125
admin/src/app/(dashboard)/devices/page.tsx
View File

@@ -1,125 +0,0 @@
'use client'
import { useEffect, useState } from 'react'
import { Monitor, Loader2, RefreshCw } from 'lucide-react'
import { Badge } from '@/components/ui/badge'
import {
Table, TableBody, TableCell, TableHead, TableHeader, TableRow,
} from '@/components/ui/table'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import type { DeviceInfo } from '@/lib/types'
function formatRelativeTime(dateStr: string): string {
const now = Date.now()
const then = new Date(dateStr).getTime()
const diffMs = now - then
const diffMin = Math.floor(diffMs / 60000)
const diffHour = Math.floor(diffMs / 3600000)
const diffDay = Math.floor(diffMs / 86400000)
if (diffMin < 1) return '刚刚'
if (diffMin < 60) return `${diffMin} 分钟前`
if (diffHour < 24) return `${diffHour} 小时前`
return `${diffDay} 天前`
}
function isOnline(lastSeen: string): boolean {
return Date.now() - new Date(lastSeen).getTime() < 5 * 60 * 1000
}
export default function DevicesPage() {
const [devices, setDevices] = useState<DeviceInfo[]>([])
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
async function fetchDevices() {
setLoading(true)
setError('')
try {
const res = await api.devices.list()
setDevices(res)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}
useEffect(() => { fetchDevices() }, [])
return (
<div className="space-y-4">
<div className="flex items-center justify-between">
<h2 className="text-lg font-semibold text-foreground"></h2>
<button
onClick={fetchDevices}
disabled={loading}
className="flex items-center gap-2 rounded-md border border-border px-3 py-1.5 text-sm text-muted-foreground hover:bg-muted hover:text-foreground transition-colors cursor-pointer disabled:opacity-50"
>
<RefreshCw className={`h-4 w-4 ${loading ? 'animate-spin' : ''}`} />
</button>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
</div>
)}
{loading && !devices.length ? (
<div className="flex items-center justify-center py-12">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : devices.length === 0 ? (
<div className="flex flex-col items-center justify-center py-12 text-muted-foreground">
<Monitor className="h-10 w-10 mb-3" />
<p className="text-sm"></p>
</div>
) : (
<div className="rounded-md border border-border">
<Table>
<TableHeader>
<TableRow>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead></TableHead>
</TableRow>
</TableHeader>
<TableBody>
{devices.map((d) => (
<TableRow key={d.id}>
<TableCell className="font-medium">
{d.device_name || d.device_id}
</TableCell>
<TableCell>
<Badge variant="secondary">{d.platform || 'unknown'}</Badge>
</TableCell>
<TableCell className="text-muted-foreground">
{d.app_version || '-'}
</TableCell>
<TableCell>
<Badge variant={isOnline(d.last_seen_at) ? 'success' : 'outline'}>
{isOnline(d.last_seen_at) ? '在线' : '离线'}
</Badge>
</TableCell>
<TableCell className="text-muted-foreground">
{formatRelativeTime(d.last_seen_at)}
</TableCell>
<TableCell className="text-muted-foreground text-xs">
{new Date(d.created_at).toLocaleString('zh-CN')}
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</div>
)}
</div>
)
}

140
admin/src/app/(dashboard)/layout.tsx
View File

@@ -1,6 +1,6 @@
'use client'
import { useState, useEffect, type ReactNode } from 'react'
import { useState, type ReactNode } from 'react'
import Link from 'next/link'
import { usePathname, useRouter } from 'next/navigation'
import {
@@ -13,73 +13,71 @@ import {
ArrowLeftRight,
Settings,
FileText,
MessageSquare,
Bot,
LogOut,
ChevronLeft,
Menu,
Bell,
UserCog,
ShieldCheck,
Monitor,
} from 'lucide-react'
import { AuthGuard, useAuth } from '@/components/auth-guard'
import { logout } from '@/lib/auth'
import { cn } from '@/lib/utils'
/** 权限常量 — 与后端 db.rs SEED_ROLES 保持同步 */
const ROLE_PERMISSIONS: Record<string, string[]> = {
super_admin: ['admin:full', 'account:admin', 'provider:manage', 'model:manage', 'relay:admin', 'config:write', 'prompt:read', 'prompt:write', 'prompt:publish', 'prompt:admin'],
admin: ['account:read', 'account:admin', 'provider:manage', 'model:read', 'model:manage', 'relay:use', 'relay:admin', 'config:read', 'config:write', 'prompt:read', 'prompt:write', 'prompt:publish'],
user: ['model:read', 'relay:use', 'config:read', 'prompt:read'],
}
/** 根据 role 获取权限列表 */
function getPermissionsForRole(role: string): string[] {
return ROLE_PERMISSIONS[role] ?? []
}
const navItems = [
{ href: '/', label: '仪表盘', icon: LayoutDashboard, permission: null },
{ href: '/', label: '仪表盘', icon: LayoutDashboard },
{ href: '/accounts', label: '账号管理', icon: Users, permission: 'account:admin' },
{ href: '/providers', label: '服务商', icon: Server, permission: 'model:admin' },
{ href: '/models', label: '模型管理', icon: Cpu, permission: 'model:admin' },
{ href: '/api-keys', label: 'API 密钥', icon: Key, permission: null },
{ href: '/usage', label: '用量统计', icon: BarChart3, permission: null },
{ href: '/relay', label: '中转任务', icon: ArrowLeftRight, permission: 'relay:admin' },
{ href: '/config', label: '系统配置', icon: Settings, permission: 'admin:full' },
{ href: '/providers', label: '服务商', icon: Server, permission: 'provider:manage' },
{ href: '/models', label: '模型管理', icon: Cpu, permission: 'model:read' },
{ href: '/agent-templates', label: 'Agent 模板', icon: Bot, permission: 'model:read' },
{ href: '/api-keys', label: 'API 密钥', icon: Key, permission: 'admin:full' },
{ href: '/usage', label: '用量统计', icon: BarChart3, permission: 'admin:full' },
{ href: '/relay', label: '中转任务', icon: ArrowLeftRight, permission: 'relay:use' },
{ href: '/config', label: '系统配置', icon: Settings, permission: 'config:read' },
{ href: '/prompts', label: '提示词管理', icon: MessageSquare, permission: 'prompt:read' },
{ href: '/logs', label: '操作日志', icon: FileText, permission: 'admin:full' },
{ href: '/profile', label: '个人设置', icon: UserCog, permission: null },
{ href: '/security', label: '安全设置', icon: ShieldCheck, permission: null },
{ href: '/devices', label: '设备管理', icon: Monitor, permission: null },
]
function Sidebar({
collapsed,
onToggle,
mobileOpen,
onMobileClose,
}: {
collapsed: boolean
onToggle: () => void
mobileOpen: boolean
onMobileClose: () => void
}) {
const pathname = usePathname()
const router = useRouter()
const { account } = useAuth()
// 路由变化时关闭移动端菜单
useEffect(() => {
onMobileClose()
}, [pathname, onMobileClose])
const permissions = account ? getPermissionsForRole(account.role) : []
function handleLogout() {
logout()
router.replace('/login')
}
const filteredNavItems = navItems.filter((item) => {
if (!item.permission) return true
return permissions.includes(item.permission) || permissions.includes('admin:full')
})
return (
<>
{/* 移动端 overlay */}
{mobileOpen && (
<div
className="fixed inset-0 z-40 bg-black/50 lg:hidden"
onClick={onMobileClose}
/>
)}
<aside
className={cn(
'fixed left-0 top-0 z-50 flex h-screen flex-col border-r border-border bg-card transition-all duration-300',
'fixed left-0 top-0 z-40 flex h-screen flex-col border-r border-border bg-card transition-all duration-300',
collapsed ? 'w-16' : 'w-64',
'lg:z-40',
mobileOpen ? 'translate-x-0' : '-translate-x-full lg:translate-x-0',
)}
>
{/* Logo */}
@@ -100,15 +98,7 @@ function Sidebar({
{/* 导航 */}
<nav className="flex-1 overflow-y-auto scrollbar-thin py-2 px-2">
<ul className="space-y-1">
{navItems
.filter((item) => {
if (!item.permission) return true
if (!account) return false
// super_admin 拥有所有权限
if (account.role === 'super_admin') return true
return account.permissions?.includes(item.permission) ?? false
})
.map((item) => {
{filteredNavItems.map((item) => {
const isActive =
item.href === '/'
? pathname === '/'
@@ -152,19 +142,6 @@ function Sidebar({
</button>
</div>
{/* 折叠时显示退出按钮 */}
{collapsed && (
<div className="border-t border-border p-2">
<button
onClick={handleLogout}
className="flex w-full items-center justify-center rounded-md px-3 py-2 text-muted-foreground hover:bg-muted hover:text-destructive transition-colors duration-200 cursor-pointer"
title="退出登录"
>
<LogOut className="h-4 w-4" />
</button>
</div>
)}
{/* 用户信息 */}
{!collapsed && (
<div className="border-t border-border p-3">
@@ -191,11 +168,10 @@ function Sidebar({
</div>
)}
</aside>
</>
)
}
function Header({ children }: { children?: ReactNode }) {
function Header() {
const pathname = usePathname()
const currentNav = navItems.find(
(item) =>
@@ -207,7 +183,7 @@ function Header({ children }: { children?: ReactNode }) {
return (
<header className="sticky top-0 z-30 flex h-14 items-center border-b border-border bg-background/80 backdrop-blur-sm px-6">
{/* 移动端菜单按钮 */}
{children}
<MobileMenuButton />
{/* 页面标题 */}
<h1 className="text-lg font-semibold text-foreground">
@@ -227,10 +203,10 @@ function Header({ children }: { children?: ReactNode }) {
)
}
function MobileMenuButton({ onClick }: { onClick: () => void }) {
function MobileMenuButton() {
// Placeholder for mobile menu toggle
return (
<button
onClick={onClick}
className="mr-3 rounded-md p-2 text-muted-foreground hover:bg-muted hover:text-foreground transition-colors duration-200 lg:hidden cursor-pointer"
>
<Menu className="h-5 w-5" />
@@ -238,68 +214,28 @@ function MobileMenuButton({ onClick }: { onClick: () => void }) {
)
}
/** 路由级权限守卫:隐藏导航项但用户直接访问 URL 时拦截 */
function PageGuard({ children }: { children: ReactNode }) {
const pathname = usePathname()
const router = useRouter()
const { account } = useAuth()
const matchedNav = navItems.find((item) =>
item.href === '/' ? pathname === '/' : pathname.startsWith(item.href),
)
if (matchedNav?.permission && account) {
if (account.role !== 'super_admin' && !(account.permissions?.includes(matchedNav.permission) ?? false)) {
return (
<div className="flex flex-1 items-center justify-center">
<div className="text-center space-y-3">
<p className="text-lg font-medium text-muted-foreground"></p>
<p className="text-sm text-muted-foreground">访{matchedNav.label}</p>
<button
onClick={() => router.replace('/')}
className="text-sm text-primary hover:underline cursor-pointer"
>
</button>
</div>
</div>
)
}
}
return <>{children}</>
}
export default function DashboardLayout({ children }: { children: ReactNode }) {
const [sidebarCollapsed, setSidebarCollapsed] = useState(false)
const [mobileOpen, setMobileOpen] = useState(false)
return (
<AuthGuard>
<PageGuard>
<div className="flex min-h-screen">
<Sidebar
collapsed={sidebarCollapsed}
onToggle={() => setSidebarCollapsed(!sidebarCollapsed)}
mobileOpen={mobileOpen}
onMobileClose={() => setMobileOpen(false)}
/>
<div
className={cn(
'flex flex-1 flex-col transition-all duration-300',
'ml-0 lg:transition-all',
sidebarCollapsed ? 'lg:ml-16' : 'lg:ml-64',
sidebarCollapsed ? 'ml-16' : 'ml-64',
)}
>
<Header>
<MobileMenuButton onClick={() => setMobileOpen(true)} />
</Header>
<Header />
<main className="flex-1 overflow-auto p-6 scrollbar-thin">
{children}
</main>
</div>
</div>
</PageGuard>
</AuthGuard>
)
}

82
admin/src/app/(dashboard)/models/page.tsx
View File

@@ -1,6 +1,7 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Plus,
Loader2,
@@ -37,6 +38,8 @@ import {
SelectTrigger,
SelectValue,
} from '@/components/ui/select'
import { TableSkeleton } from '@/components/ui/skeleton'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import { formatNumber } from '@/lib/utils'
@@ -71,14 +74,29 @@ const emptyForm: ModelForm = {
}
export default function ModelsPage() {
const [models, setModels] = useState<Model[]>([])
const [providers, setProviders] = useState<Provider[]>([])
const [total, setTotal] = useState(0)
const [page, setPage] = useState(1)
const [providerFilter, setProviderFilter] = useState<string>('all')
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
// SWR for models list
const { data, isLoading, mutate } = useSWR(
['models', page, providerFilter],
() => {
const params: Record<string, unknown> = { page, page_size: PAGE_SIZE }
if (providerFilter !== 'all') params.provider_id = providerFilter
return api.models.list(params)
}
)
const models = data?.items ?? []
const total = data?.total ?? 0
// SWR for providers list (dropdown)
const { data: providersData } = useSWR(
['providers.all'],
() => api.providers.list({ page: 1, page_size: 100 })
)
const providers = providersData?.items ?? []
// Dialog
const [dialogOpen, setDialogOpen] = useState(false)
const [editTarget, setEditTarget] = useState<Model | null>(null)
@@ -89,37 +107,6 @@ export default function ModelsPage() {
const [deleteTarget, setDeleteTarget] = useState<Model | null>(null)
const [deleting, setDeleting] = useState(false)
const fetchModels = useCallback(async () => {
setLoading(true)
setError('')
try {
const params: Record<string, unknown> = { page, page_size: PAGE_SIZE }
if (providerFilter !== 'all') params.provider_id = providerFilter
const res = await api.models.list(params)
setModels(res.items)
setTotal(res.total)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}, [page, providerFilter])
const fetchProviders = useCallback(async () => {
try {
const res = await api.providers.list()
setProviders(res)
} catch {
// ignore
}
}, [])
useEffect(() => {
fetchModels()
fetchProviders()
}, [fetchModels, fetchProviders])
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
const providerMap = new Map(providers.map((p) => [p.id, p.display_name || p.name]))
@@ -169,7 +156,7 @@ export default function ModelsPage() {
await api.models.create(payload)
}
setDialogOpen(false)
fetchModels()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
@@ -183,7 +170,7 @@ export default function ModelsPage() {
try {
await api.models.delete(deleteTarget.id)
setDeleteTarget(null)
fetchModels()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
@@ -213,21 +200,12 @@ export default function ModelsPage() {
</Button>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => setError('')} />}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : models.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={8} cols={9} hasToolbar={false} />
) : error ? null : models.length === 0 ? (
<EmptyState />
) : (
<>
<Table>

95
admin/src/app/(dashboard)/page.tsx
View File

@@ -1,12 +1,10 @@
'use client'
import { useEffect, useState } from 'react'
import {
Users,
Server,
ArrowLeftRight,
Zap,
Loader2,
TrendingUp,
} from 'lucide-react'
import {
@@ -21,8 +19,12 @@ import {
Bar,
Legend,
} from 'recharts'
import useSWR from 'swr'
import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card'
import { Badge } from '@/components/ui/badge'
import { StatsSkeleton } from '@/components/ui/skeleton'
import { ChartSkeleton } from '@/components/ui/skeleton'
import { TableSkeleton } from '@/components/ui/skeleton'
import {
Table,
TableBody,
@@ -35,7 +37,7 @@ import { api } from '@/lib/api-client'
import { formatNumber, formatDate } from '@/lib/utils'
import type {
DashboardStats,
UsageStats,
UsageRecord,
OperationLog,
} from '@/lib/types'
@@ -86,65 +88,26 @@ function StatusBadge({ status }: { status: string }) {
}
export default function DashboardPage() {
const [stats, setStats] = useState<DashboardStats | null>(null)
const [usageStats, setUsageStats] = useState<UsageStats | null>(null)
const [recentLogs, setRecentLogs] = useState<OperationLog[]>([])
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
useEffect(() => {
async function fetchData() {
try {
const [statsRes, usageRes, logsRes] = await Promise.allSettled([
api.stats.dashboard(),
api.usage.get(),
api.logs.list({ page: 1, page_size: 5 }),
])
if (statsRes.status === 'fulfilled') setStats(statsRes.value)
if (usageRes.status === 'fulfilled') setUsageStats(usageRes.value)
if (logsRes.status === 'fulfilled') setRecentLogs(logsRes.value)
if (statsRes.status === 'rejected' && usageRes.status === 'rejected' && logsRes.status === 'rejected') {
setError('加载数据失败,请检查后端服务是否启动')
}
} finally {
setLoading(false)
}
}
fetchData()
}, [])
if (loading) {
return (
<div className="flex h-[60vh] items-center justify-center">
<div className="flex flex-col items-center gap-3">
<Loader2 className="h-8 w-8 animate-spin text-primary" />
<p className="text-sm text-muted-foreground">...</p>
</div>
</div>
const { data: stats, isLoading: statsLoading } = useSWR(
['stats.dashboard'],
() => api.stats.dashboard(),
)
}
if (error) {
return (
<div className="flex h-[60vh] items-center justify-center">
<div className="text-center">
<p className="text-destructive">{error}</p>
<button
onClick={() => window.location.reload()}
className="mt-4 text-sm text-primary hover:underline cursor-pointer"
>
</button>
</div>
</div>
const { data: usageData = [], isLoading: usageLoading } = useSWR(
['usage.daily.30'],
() => api.usage.daily({ days: 30 }),
)
}
const chartData = (usageStats?.by_day ?? []).map((r) => ({
day: r.date.slice(5), // MM-DD
请求量: r.request_count,
const { data: logsData, isLoading: logsLoading } = useSWR(
['logs.recent'],
() => api.logs.list({ page: 1, page_size: 5 }),
)
const recentLogs: OperationLog[] = logsData?.items ?? []
const chartData = usageData.map((r: UsageRecord) => ({
day: r.day.slice(5), // MM-DD
请求量: r.count,
Input: r.input_tokens,
Output: r.output_tokens,
}))
@@ -152,6 +115,9 @@ export default function DashboardPage() {
return (
<div className="space-y-6">
{/* 统计卡片 */}
{statsLoading ? (
<StatsSkeleton count={4} />
) : (
<div className="grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-4">
<StatCard
title="总账号数"
@@ -182,10 +148,14 @@ export default function DashboardPage() {
subtitle={`In: ${formatNumber(stats?.tokens_today_input ?? 0)} / Out: ${formatNumber(stats?.tokens_today_output ?? 0)}`}
/>
</div>
)}
{/* 图表 */}
<div className="grid grid-cols-1 gap-4 lg:grid-cols-2">
{/* 请求趋势 */}
{usageLoading ? (
<ChartSkeleton height={280} />
) : (
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2 text-base">
@@ -239,8 +209,12 @@ export default function DashboardPage() {
)}
</CardContent>
</Card>
)}
{/* Token 用量 */}
{usageLoading ? (
<ChartSkeleton height={280} />
) : (
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2 text-base">
@@ -285,6 +259,7 @@ export default function DashboardPage() {
)}
</CardContent>
</Card>
)}
</div>
{/* 最近操作日志 */}
@@ -293,7 +268,9 @@ export default function DashboardPage() {
<CardTitle className="text-base"></CardTitle>
</CardHeader>
<CardContent>
{recentLogs.length > 0 ? (
{logsLoading ? (
<TableSkeleton rows={5} cols={5} hasToolbar={false} />
) : recentLogs.length > 0 ? (
<Table>
<TableHeader>
<TableRow>

154
admin/src/app/(dashboard)/profile/page.tsx
View File

@@ -1,154 +0,0 @@
'use client'
import { useState } from 'react'
import { Lock, Loader2, Eye, EyeOff, Check } from 'lucide-react'
import { Button } from '@/components/ui/button'
import { Input } from '@/components/ui/input'
import { Label } from '@/components/ui/label'
import { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@/components/ui/card'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
export default function ProfilePage() {
const [oldPassword, setOldPassword] = useState('')
const [newPassword, setNewPassword] = useState('')
const [confirmPassword, setConfirmPassword] = useState('')
const [showOld, setShowOld] = useState(false)
const [showNew, setShowNew] = useState(false)
const [showConfirm, setShowConfirm] = useState(false)
const [saving, setSaving] = useState(false)
const [error, setError] = useState('')
const [success, setSuccess] = useState('')
async function handleSubmit(e: React.FormEvent) {
e.preventDefault()
setError('')
setSuccess('')
if (newPassword.length < 8) {
setError('新密码至少 8 个字符')
return
}
if (newPassword !== confirmPassword) {
setError('两次输入的新密码不一致')
return
}
setSaving(true)
try {
await api.auth.changePassword({ old_password: oldPassword, new_password: newPassword })
setSuccess('密码修改成功')
setOldPassword('')
setNewPassword('')
setConfirmPassword('')
} catch (err) {
if (err instanceof ApiRequestError) {
setError(err.body.message || '修改失败')
} else {
setError('网络错误,请稍后重试')
}
} finally {
setSaving(false)
}
}
return (
<div className="max-w-lg">
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2">
<Lock className="h-5 w-5" />
</CardTitle>
<CardDescription></CardDescription>
</CardHeader>
<CardContent>
<form onSubmit={handleSubmit} className="space-y-4">
<div className="space-y-2">
<Label htmlFor="old-password"></Label>
<div className="relative">
<Input
id="old-password"
type={showOld ? 'text' : 'password'}
value={oldPassword}
onChange={(e) => setOldPassword(e.target.value)}
placeholder="请输入当前密码"
required
/>
<button
type="button"
onClick={() => setShowOld(!showOld)}
className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground cursor-pointer"
>
{showOld ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
</button>
</div>
</div>
<div className="space-y-2">
<Label htmlFor="new-password"></Label>
<div className="relative">
<Input
id="new-password"
type={showNew ? 'text' : 'password'}
value={newPassword}
onChange={(e) => setNewPassword(e.target.value)}
placeholder="至少 8 个字符"
required
minLength={8}
/>
<button
type="button"
onClick={() => setShowNew(!showNew)}
className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground cursor-pointer"
>
{showNew ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
</button>
</div>
</div>
<div className="space-y-2">
<Label htmlFor="confirm-password"></Label>
<div className="relative">
<Input
id="confirm-password"
type={showConfirm ? 'text' : 'password'}
value={confirmPassword}
onChange={(e) => setConfirmPassword(e.target.value)}
placeholder="再次输入新密码"
required
minLength={8}
/>
<button
type="button"
onClick={() => setShowConfirm(!showConfirm)}
className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground cursor-pointer"
>
{showConfirm ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
</button>
</div>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
</div>
)}
{success && (
<div className="rounded-md bg-emerald-500/10 border border-emerald-500/20 px-4 py-3 text-sm text-emerald-500 flex items-center gap-2">
<Check className="h-4 w-4" />
{success}
</div>
)}
<Button type="submit" disabled={saving || !oldPassword || !newPassword || !confirmPassword}>
{saving && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
</Button>
</form>
</CardContent>
</Card>
</div>
)
}

341
admin/src/app/(dashboard)/prompts/page.tsx Normal file
View File

@@ -0,0 +1,341 @@
'use client'
import { useState } from 'react'
import useSWR from 'swr'
import { api } from '@/lib/api-client'
import type { PromptTemplate, PromptVersion } from '@/lib/types'
import { EmptyState } from '@/components/ui/state'
import { TableSkeleton } from '@/components/ui/skeleton'
export default function PromptsPage() {
const [page, setPage] = useState(1)
const [selectedName, setSelectedName] = useState<string | null>(null)
const [versions, setVersions] = useState<PromptVersion[]>([])
const [showCreate, setShowCreate] = useState(false)
const [showNewVersion, setShowNewVersion] = useState(false)
const [filter, setFilter] = useState<{ source?: string; status?: string }>({})
const { data, error, isLoading, mutate } = useSWR(
['prompts.list', page, filter.source, filter.status],
() => api.prompts.list({ page, page_size: 50, ...filter }),
)
const templates = data?.items ?? []
const total = data?.total ?? 0
const fetchVersions = async (name: string) => {
try {
const res = await api.prompts.listVersions(name)
setVersions(res)
setSelectedName(name)
} catch (err) {
console.error('Failed to fetch versions:', err)
}
}
const handleCreate = async (e: React.FormEvent<HTMLFormElement>) => {
e.preventDefault()
const fd = new FormData(e.currentTarget)
try {
await api.prompts.create({
name: fd.get('name') as string,
category: fd.get('category') as string,
description: (fd.get('description') as string) || undefined,
source: 'custom',
system_prompt: fd.get('system_prompt') as string,
})
setShowCreate(false)
mutate()
} catch (err) {
console.error('Failed to create prompt:', err)
}
}
const handleNewVersion = async (e: React.FormEvent<HTMLFormElement>) => {
e.preventDefault()
if (!selectedName) return
const fd = new FormData(e.currentTarget)
try {
await api.prompts.createVersion(selectedName, {
system_prompt: fd.get('system_prompt') as string,
changelog: (fd.get('changelog') as string) || undefined,
})
setShowNewVersion(false)
fetchVersions(selectedName)
} catch (err) {
console.error('Failed to create version:', err)
}
}
const handleRollback = async (name: string, version: number) => {
if (!confirm(`确认回退到版本 ${version}`)) return
try {
await api.prompts.rollback(name, version)
fetchVersions(name)
mutate()
} catch (err) {
console.error('Failed to rollback:', err)
}
}
const handleArchive = async (name: string) => {
if (!confirm(`确认归档 ${name}`)) return
try {
await api.prompts.archive(name)
mutate()
} catch (err) {
console.error('Failed to archive:', err)
}
}
const statusBadge = (status: string) => {
const colors: Record<string, string> = {
active: 'bg-emerald-500/20 text-emerald-400',
deprecated: 'bg-amber-500/20 text-amber-400',
archived: 'bg-zinc-500/20 text-zinc-400',
}
return (
<span className={`px-2 py-0.5 text-xs rounded-full ${colors[status] || colors.archived}`}>
{status}
</span>
)
}
const sourceBadge = (source: string) => {
const colors: Record<string, string> = {
builtin: 'bg-blue-500/20 text-blue-400',
custom: 'bg-purple-500/20 text-purple-400',
}
return (
<span className={`px-2 py-0.5 text-xs rounded-full ${colors[source] || ''}`}>
{source === 'builtin' ? '内置' : '自定义'}
</span>
)
}
return (
<div className="space-y-6">
{/* Header */}
<div className="flex items-center justify-between">
<div>
<h1 className="text-2xl font-bold text-white"></h1>
<p className="text-sm text-zinc-400 mt-1"> OTA </p>
</div>
<button
onClick={() => setShowCreate(true)}
className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-colors text-sm"
>
+
</button>
</div>
{/* Filters */}
<div className="flex gap-2">
{(['all', 'builtin', 'custom'] as const).map(s => (
<button
key={s}
onClick={() => setFilter(s === 'all' ? {} : { source: s })}
className={`px-3 py-1 text-sm rounded-lg transition-colors ${
(filter.source || 'all') === s
? 'bg-zinc-700 text-white'
: 'bg-zinc-800 text-zinc-400 hover:text-white'
}`}
>
{s === 'all' ? '全部' : s === 'builtin' ? '内置' : '自定义'}
</button>
))}
</div>
{/* Template List */}
<div className="bg-zinc-900 rounded-xl border border-zinc-800 overflow-hidden">
<table className="w-full text-sm">
<thead>
<tr className="border-b border-zinc-800">
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-left px-4 py-3 text-zinc-400 font-medium"></th>
<th className="text-right px-4 py-3 text-zinc-400 font-medium"></th>
</tr>
</thead>
<tbody>
{isLoading ? (
<tr>
<td colSpan={7}>
<TableSkeleton rows={5} cols={7} hasToolbar={false} />
</td>
</tr>
) : error ? (
<tr><td colSpan={7} className="px-4 py-8 text-center text-red-400"></td></tr>
) : templates.length === 0 ? (
<tr><td colSpan={7}><EmptyState message="暂无提示词模板" /></td></tr>
) : (
templates.map(t => (
<tr key={t.id} className="border-b border-zinc-800/50 hover:bg-zinc-800/30">
<td className="px-4 py-3">
<button
onClick={() => fetchVersions(t.name)}
className="text-blue-400 hover:text-blue-300 font-mono"
>
{t.name}
</button>
</td>
<td className="px-4 py-3 text-zinc-400">{t.category}</td>
<td className="px-4 py-3">{sourceBadge(t.source)}</td>
<td className="px-4 py-3 text-zinc-300">v{t.current_version}</td>
<td className="px-4 py-3">{statusBadge(t.status)}</td>
<td className="px-4 py-3 text-zinc-500 text-xs">
{new Date(t.updated_at).toLocaleString('zh-CN')}
</td>
<td className="px-4 py-3 text-right">
<button
onClick={() => fetchVersions(t.name)}
className="text-zinc-400 hover:text-white mr-2"
>
</button>
{t.source === 'custom' && (
<button
onClick={() => handleArchive(t.name)}
className="text-red-400 hover:text-red-300"
>
</button>
)}
</td>
</tr>
))
)}
</tbody>
</table>
<div className="px-4 py-2 text-xs text-zinc-500 border-t border-zinc-800">
{total}
</div>
</div>
{/* Version History Panel */}
{selectedName && (
<div className="bg-zinc-900 rounded-xl border border-zinc-800 p-4">
<div className="flex items-center justify-between mb-4">
<h2 className="text-lg font-semibold text-white">
{selectedName}
</h2>
<div className="flex gap-2">
<button
onClick={() => setShowNewVersion(true)}
className="px-3 py-1.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 text-xs"
>
</button>
<button
onClick={() => { setSelectedName(null); setVersions([]) }}
className="px-3 py-1.5 bg-zinc-700 text-white rounded-lg hover:bg-zinc-600 text-xs"
>
</button>
</div>
</div>
<div className="space-y-3">
{versions.map(v => (
<div key={v.id} className="bg-zinc-800/50 rounded-lg p-3">
<div className="flex items-center justify-between mb-2">
<span className="text-sm font-mono text-zinc-300">v{v.version}</span>
<div className="flex items-center gap-2">
<span className="text-xs text-zinc-500">
{new Date(v.created_at).toLocaleString('zh-CN')}
</span>
{v.changelog && (
<span className="text-xs text-zinc-400"> {v.changelog}</span>
)}
{v.min_app_version && (
<span className="text-xs text-amber-400">: {v.min_app_version}</span>
)}
</div>
</div>
<pre className="text-xs text-zinc-400 bg-zinc-900 rounded p-2 overflow-x-auto max-h-32">
{v.system_prompt.substring(0, 300)}{v.system_prompt.length > 300 ? '...' : ''}
</pre>
<div className="mt-2 flex gap-2">
<button
onClick={() => {
navigator.clipboard.writeText(v.system_prompt)
}}
className="text-xs text-zinc-500 hover:text-white"
>
</button>
<button
onClick={() => handleRollback(selectedName, v.version)}
className="text-xs text-amber-500 hover:text-amber-400"
>
退
</button>
</div>
</div>
))}
{versions.length === 0 && (
<EmptyState message="暂无版本历史" />
)}
</div>
</div>
)}
{/* Create Modal */}
{showCreate && (
<div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
<form onSubmit={handleCreate} className="bg-zinc-900 rounded-xl border border-zinc-700 p-6 w-full max-w-lg space-y-4">
<h2 className="text-lg font-semibold text-white"></h2>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="name" required className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="my_prompt" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<select name="category" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm">
<option value="custom_system"></option>
<option value="custom_extraction"></option>
<option value="custom_compaction"></option>
<option value="custom_other"></option>
</select>
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="description" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="可选" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<textarea name="system_prompt" required rows={6} className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm font-mono" />
</div>
<div className="flex gap-2 justify-end">
<button type="button" onClick={() => setShowCreate(false)} className="px-4 py-2 bg-zinc-700 text-white rounded-lg hover:bg-zinc-600 text-sm"></button>
<button type="submit" className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 text-sm"></button>
</div>
</form>
</div>
)}
{/* New Version Modal */}
{showNewVersion && selectedName && (
<div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
<form onSubmit={handleNewVersion} className="bg-zinc-900 rounded-xl border border-zinc-700 p-6 w-full max-w-lg space-y-4">
<h2 className="text-lg font-semibold text-white"> {selectedName} </h2>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<textarea name="system_prompt" required rows={6} className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm font-mono" />
</div>
<div>
<label className="block text-sm text-zinc-400 mb-1"></label>
<input name="changelog" className="w-full px-3 py-2 bg-zinc-800 border border-zinc-700 rounded-lg text-white text-sm" placeholder="描述本次变更" />
</div>
<div className="flex gap-2 justify-end">
<button type="button" onClick={() => setShowNewVersion(false)} className="px-4 py-2 bg-zinc-700 text-white rounded-lg hover:bg-zinc-600 text-sm"></button>
<button type="submit" className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 text-sm"></button>
</div>
</form>
</div>
)}
</div>
)
}

314
admin/src/app/(dashboard)/providers/page.tsx
View File

@@ -1,6 +1,7 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Plus,
Loader2,
@@ -8,6 +9,9 @@ import {
ChevronRight,
Pencil,
Trash2,
KeyRound,
Power,
PowerOff,
} from 'lucide-react'
import { Button } from '@/components/ui/button'
import { Input } from '@/components/ui/input'
@@ -37,10 +41,18 @@ import {
SelectTrigger,
SelectValue,
} from '@/components/ui/select'
import { TableSkeleton } from '@/components/ui/skeleton'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import { formatDate } from '@/lib/utils'
import type { Provider } from '@/lib/types'
import { formatDate, maskApiKey } from '@/lib/utils'
function formatTokens(tokens: number): string {
if (tokens >= 1_000_000) return `${(tokens / 1_000_000).toFixed(1)}M`
if (tokens >= 1_000) return `${(tokens / 1_000).toFixed(1)}K`
return String(tokens)
}
import type { Provider, ProviderKey } from '@/lib/types'
const PAGE_SIZE = 20
@@ -49,6 +61,7 @@ interface ProviderForm {
display_name: string
base_url: string
api_protocol: 'openai' | 'anthropic'
api_key: string
enabled: boolean
rate_limit_rpm: string
rate_limit_tpm: string
@@ -59,18 +72,24 @@ const emptyForm: ProviderForm = {
display_name: '',
base_url: '',
api_protocol: 'openai',
api_key: '',
enabled: true,
rate_limit_rpm: '',
rate_limit_tpm: '',
}
export default function ProvidersPage() {
const [providers, setProviders] = useState<Provider[]>([])
const [total, setTotal] = useState(0)
const [page, setPage] = useState(1)
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
// SWR for providers list
const { data, isLoading, mutate } = useSWR(
['providers', page],
() => api.providers.list({ page, page_size: PAGE_SIZE })
)
const providers = data?.items ?? []
const total = data?.total ?? 0
// 创建/编辑 Dialog
const [dialogOpen, setDialogOpen] = useState(false)
const [editTarget, setEditTarget] = useState<Provider | null>(null)
@@ -81,24 +100,24 @@ export default function ProvidersPage() {
const [deleteTarget, setDeleteTarget] = useState<Provider | null>(null)
const [deleting, setDeleting] = useState(false)
const fetchProviders = useCallback(async () => {
setLoading(true)
setError('')
try {
const res = await api.providers.list({ page, page_size: PAGE_SIZE })
setProviders(res.items)
setTotal(res.total)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}, [page])
// Key Pool 管理
const [keyPoolProvider, setKeyPoolProvider] = useState<Provider | null>(null)
const [showAddKey, setShowAddKey] = useState(false)
const [addKeyForm, setAddKeyForm] = useState({
key_label: '',
key_value: '',
priority: 0,
max_rpm: '',
max_tpm: '',
quota_reset_interval: '',
})
const [addingKey, setAddingKey] = useState(false)
useEffect(() => {
fetchProviders()
}, [fetchProviders])
// SWR for key pool — only fetches when dialog is open
const { data: providerKeys = [], isLoading: keysLoading, mutate: mutateKeys } = useSWR(
keyPoolProvider ? ['provider.keys', keyPoolProvider.id] : null,
() => api.providers.listKeys(keyPoolProvider!.id)
)
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
@@ -115,6 +134,7 @@ export default function ProvidersPage() {
display_name: provider.display_name,
base_url: provider.base_url,
api_protocol: provider.api_protocol,
api_key: provider.api_key || '',
enabled: provider.enabled,
rate_limit_rpm: provider.rate_limit_rpm?.toString() || '',
rate_limit_tpm: provider.rate_limit_tpm?.toString() || '',
@@ -131,6 +151,7 @@ export default function ProvidersPage() {
display_name: form.display_name.trim(),
base_url: form.base_url.trim(),
api_protocol: form.api_protocol,
api_key: form.api_key.trim() || undefined,
enabled: form.enabled,
rate_limit_rpm: form.rate_limit_rpm ? parseInt(form.rate_limit_rpm, 10) : undefined,
rate_limit_tpm: form.rate_limit_tpm ? parseInt(form.rate_limit_tpm, 10) : undefined,
@@ -141,7 +162,7 @@ export default function ProvidersPage() {
await api.providers.create(payload)
}
setDialogOpen(false)
fetchProviders()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
@@ -155,7 +176,7 @@ export default function ProvidersPage() {
try {
await api.providers.delete(deleteTarget.id)
setDeleteTarget(null)
fetchProviders()
mutate()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
@@ -163,6 +184,55 @@ export default function ProvidersPage() {
}
}
// ── Key Pool 管理 ─────────────────────────────────────
function openKeyPool(provider: Provider) {
setKeyPoolProvider(provider)
setShowAddKey(false)
}
async function handleAddKey() {
if (!keyPoolProvider || !addKeyForm.key_label.trim() || !addKeyForm.key_value.trim()) return
setAddingKey(true)
try {
await api.providers.addKey(keyPoolProvider.id, {
key_label: addKeyForm.key_label.trim(),
key_value: addKeyForm.key_value.trim(),
priority: addKeyForm.priority,
max_rpm: addKeyForm.max_rpm ? parseInt(addKeyForm.max_rpm, 10) : undefined,
max_tpm: addKeyForm.max_tpm ? parseInt(addKeyForm.max_tpm, 10) : undefined,
quota_reset_interval: addKeyForm.quota_reset_interval.trim() || undefined,
})
setAddKeyForm({ key_label: '', key_value: '', priority: 0, max_rpm: '', max_tpm: '', quota_reset_interval: '' })
setShowAddKey(false)
mutateKeys()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
} finally {
setAddingKey(false)
}
}
async function handleToggleKey(keyId: string, active: boolean) {
if (!keyPoolProvider) return
try {
await api.providers.toggleKey(keyPoolProvider.id, keyId, active)
mutateKeys()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
}
}
async function handleDeleteKey(keyId: string) {
if (!keyPoolProvider || !confirm('确认删除此 Key')) return
try {
await api.providers.deleteKey(keyPoolProvider.id, keyId)
mutateKeys()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
}
}
return (
<div className="space-y-4">
{/* 工具栏 */}
@@ -174,21 +244,12 @@ export default function ProvidersPage() {
</Button>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => setError('')} />}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : providers.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={6} cols={9} hasToolbar={false} />
) : error ? null : providers.length === 0 ? (
<EmptyState />
) : (
<>
<Table>
@@ -198,6 +259,7 @@ export default function ProvidersPage() {
<TableHead></TableHead>
<TableHead>Base URL</TableHead>
<TableHead></TableHead>
<TableHead>API Key</TableHead>
<TableHead></TableHead>
<TableHead>RPM </TableHead>
<TableHead></TableHead>
@@ -217,6 +279,9 @@ export default function ProvidersPage() {
{p.api_protocol}
</Badge>
</TableCell>
<TableCell className="font-mono text-xs text-muted-foreground">
{maskApiKey(p.api_key)}
</TableCell>
<TableCell>
<Badge variant={p.enabled ? 'success' : 'secondary'}>
{p.enabled ? '是' : '否'}
@@ -230,6 +295,9 @@ export default function ProvidersPage() {
</TableCell>
<TableCell className="text-right">
<div className="flex items-center justify-end gap-1">
<Button variant="ghost" size="icon" onClick={() => openKeyPool(p)} title="Key Pool">
<KeyRound className="h-4 w-4" />
</Button>
<Button variant="ghost" size="icon" onClick={() => openEditDialog(p)} title="编辑">
<Pencil className="h-4 w-4" />
</Button>
@@ -308,6 +376,15 @@ export default function ProvidersPage() {
</SelectContent>
</Select>
</div>
<div className="space-y-2">
<Label>API Key</Label>
<Input
type="password"
value={form.api_key}
onChange={(e) => setForm({ ...form, api_key: e.target.value })}
placeholder={editTarget ? '留空则不修改' : 'sk-...'}
/>
</div>
<div className="flex items-center gap-3">
<Switch
checked={form.enabled}
@@ -364,6 +441,165 @@ export default function ProvidersPage() {
</DialogFooter>
</DialogContent>
</Dialog>
{/* Key Pool 管理 Dialog */}
<Dialog open={!!keyPoolProvider} onOpenChange={() => setKeyPoolProvider(null)}>
<DialogContent className="max-w-2xl">
<DialogHeader>
<DialogTitle>Key Pool {keyPoolProvider?.display_name || keyPoolProvider?.name}</DialogTitle>
<DialogDescription>
API Key
</DialogDescription>
</DialogHeader>
<div className="max-h-[50vh] overflow-y-auto scrollbar-thin">
{keysLoading ? (
<TableSkeleton rows={4} cols={8} hasToolbar={false} />
) : providerKeys.length === 0 && !showAddKey ? (
<div className="text-center py-8 text-muted-foreground text-sm">
<p> Key Pool</p>
<p className="mt-1 text-xs">使 API Key 退</p>
</div>
) : (
<Table>
<TableHeader>
<TableRow>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead>RPM</TableHead>
<TableHead>TPM</TableHead>
<TableHead></TableHead>
<TableHead>/Token</TableHead>
<TableHead> 429</TableHead>
<TableHead className="text-right"></TableHead>
</TableRow>
</TableHeader>
<TableBody>
{providerKeys.map((k) => {
const isCooling = k.cooldown_until && new Date(k.cooldown_until) > new Date()
return (
<TableRow key={k.id} className={isCooling ? 'opacity-60' : ''}>
<TableCell className="font-medium">{k.key_label}</TableCell>
<TableCell>{k.priority}</TableCell>
<TableCell className="text-muted-foreground">{k.max_rpm ?? '-'}</TableCell>
<TableCell className="text-muted-foreground">{k.max_tpm ?? '-'}</TableCell>
<TableCell>
<Badge variant={k.is_active ? 'success' : 'secondary'}>
{isCooling ? '冷却中' : k.is_active ? '活跃' : '禁用'}
</Badge>
</TableCell>
<TableCell className="text-xs text-muted-foreground">
{k.total_requests} / {formatTokens(k.total_tokens)}
</TableCell>
<TableCell className="text-xs text-muted-foreground">
{k.last_429_at ? formatDate(k.last_429_at) : '-'}
</TableCell>
<TableCell className="text-right">
<div className="flex items-center justify-end gap-1">
<Button
variant="ghost"
size="icon"
onClick={() => handleToggleKey(k.id, !k.is_active)}
title={k.is_active ? '禁用' : '启用'}
>
{k.is_active ? <PowerOff className="h-3.5 w-3.5 text-amber-500" /> : <Power className="h-3.5 w-3.5 text-green-500" />}
</Button>
<Button
variant="ghost"
size="icon"
onClick={() => handleDeleteKey(k.id)}
title="删除"
>
<Trash2 className="h-3.5 w-3.5 text-destructive" />
</Button>
</div>
</TableCell>
</TableRow>
)
})}
</TableBody>
</Table>
)}
</div>
{!showAddKey ? (
<DialogFooter>
<Button variant="outline" onClick={() => setKeyPoolProvider(null)}></Button>
<Button onClick={() => setShowAddKey(true)}>
<Plus className="h-4 w-4 mr-2" />
Key
</Button>
</DialogFooter>
) : (
<div className="space-y-3 border-t pt-4">
<p className="text-sm font-medium"> Key</p>
<div className="grid grid-cols-2 gap-3">
<div className="space-y-1">
<Label className="text-xs"> *</Label>
<Input
value={addKeyForm.key_label}
onChange={(e) => setAddKeyForm({ ...addKeyForm, key_label: e.target.value })}
placeholder="如 zhipu-coding-1"
/>
</div>
<div className="space-y-1">
<Label className="text-xs"></Label>
<Input
type="number"
value={addKeyForm.priority}
onChange={(e) => setAddKeyForm({ ...addKeyForm, priority: parseInt(e.target.value, 10) || 0 })}
placeholder="0"
/>
</div>
<div className="col-span-2 space-y-1">
<Label className="text-xs">API Key *</Label>
<Input
type="password"
value={addKeyForm.key_value}
onChange={(e) => setAddKeyForm({ ...addKeyForm, key_value: e.target.value })}
placeholder="输入 API Key"
/>
</div>
<div className="space-y-1">
<Label className="text-xs">RPM </Label>
<Input
type="number"
value={addKeyForm.max_rpm}
onChange={(e) => setAddKeyForm({ ...addKeyForm, max_rpm: e.target.value })}
placeholder="不限"
/>
</div>
<div className="space-y-1">
<Label className="text-xs">TPM </Label>
<Input
type="number"
value={addKeyForm.max_tpm}
onChange={(e) => setAddKeyForm({ ...addKeyForm, max_tpm: e.target.value })}
placeholder="不限"
/>
</div>
<div className="col-span-2 space-y-1">
<Label className="text-xs"></Label>
<Input
value={addKeyForm.quota_reset_interval}
onChange={(e) => setAddKeyForm({ ...addKeyForm, quota_reset_interval: e.target.value })}
placeholder="如 5h, 1d可选"
/>
</div>
</div>
<DialogFooter>
<Button variant="outline" onClick={() => { setShowAddKey(false); setAddKeyForm({ key_label: '', key_value: '', priority: 0, max_rpm: '', max_tpm: '', quota_reset_interval: '' }) }}>
</Button>
<Button onClick={handleAddKey} disabled={addingKey || !addKeyForm.key_label.trim() || !addKeyForm.key_value.trim()}>
{addingKey && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
</Button>
</DialogFooter>
</div>
)}
</DialogContent>
</Dialog>
</div>
)
}

93
admin/src/app/(dashboard)/relay/page.tsx
View File

@@ -1,13 +1,14 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { useState } from 'react'
import useSWR from 'swr'
import {
Search,
Loader2,
ChevronLeft,
ChevronRight,
ChevronDown,
ChevronUp,
RotateCcw,
} from 'lucide-react'
import { Button } from '@/components/ui/button'
import { Badge } from '@/components/ui/badge'
@@ -28,7 +29,9 @@ import {
} from '@/components/ui/table'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import { formatDate, formatNumber } from '@/lib/utils'
import { formatDate, formatNumber, getSwrErrorMessage } from '@/lib/utils'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { TableSkeleton } from '@/components/ui/skeleton'
import type { RelayTask } from '@/lib/types'
const PAGE_SIZE = 20
@@ -48,35 +51,22 @@ const statusLabels: Record<string, string> = {
}
export default function RelayPage() {
const [tasks, setTasks] = useState<RelayTask[]>([])
const [total, setTotal] = useState(0)
const [page, setPage] = useState(1)
const [statusFilter, setStatusFilter] = useState<string>('all')
const [loading, setLoading] = useState(true)
const [error, setError] = useState('')
const [expandedId, setExpandedId] = useState<string | null>(null)
const [retryingId, setRetryingId] = useState<string | null>(null)
const fetchTasks = useCallback(async () => {
setLoading(true)
setError('')
try {
const { data, error: swrError, isLoading } = useSWR(
['relay', page, statusFilter],
() => {
const params: Record<string, unknown> = { page, page_size: PAGE_SIZE }
if (statusFilter !== 'all') params.status = statusFilter
const res = await api.relay.list(params)
setTasks(res.items)
setTotal(res.total)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载失败')
} finally {
setLoading(false)
}
}, [page, statusFilter])
return api.relay.list(params)
},
)
useEffect(() => {
fetchTasks()
}, [fetchTasks])
const tasks = data?.items ?? []
const total = data?.total ?? 0
const error = getSwrErrorMessage(swrError)
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
@@ -84,20 +74,6 @@ export default function RelayPage() {
setExpandedId((prev) => (prev === id ? null : id))
}
async function handleRetry(taskId: string, e: React.MouseEvent) {
e.stopPropagation()
setRetryingId(taskId)
try {
await api.relay.retry(taskId)
fetchTasks()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('重试失败')
} finally {
setRetryingId(null)
}
}
return (
<div className="space-y-4">
{/* 筛选 */}
@@ -116,21 +92,12 @@ export default function RelayPage() {
</Select>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{error && <ErrorBanner message={error} onDismiss={() => {}} />}
{loading ? (
<div className="flex h-64 items-center justify-center">
<Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
</div>
) : tasks.length === 0 ? (
<div className="flex h-64 items-center justify-center text-muted-foreground text-sm">
</div>
{isLoading ? (
<TableSkeleton rows={6} cols={10} />
) : error ? null : tasks.length === 0 ? (
<EmptyState />
) : (
<>
<Table>
@@ -146,7 +113,6 @@ export default function RelayPage() {
<TableHead>Output Tokens</TableHead>
<TableHead></TableHead>
<TableHead></TableHead>
<TableHead className="text-right"></TableHead>
</TableRow>
</TableHeader>
<TableBody>
@@ -185,27 +151,10 @@ export default function RelayPage() {
<TableCell className="font-mono text-xs text-muted-foreground">
{formatDate(task.created_at)}
</TableCell>
<TableCell className="text-right">
{task.status === 'failed' && (
<Button
variant="ghost"
size="icon"
onClick={(e) => handleRetry(task.id, e)}
disabled={retryingId === task.id}
title="重试"
>
{retryingId === task.id ? (
<Loader2 className="h-4 w-4 animate-spin" />
) : (
<RotateCcw className="h-4 w-4" />
)}
</Button>
)}
</TableCell>
</TableRow>
{expandedId === task.id && (
<TableRow key={`${task.id}-detail`}>
<TableCell colSpan={11} className="bg-muted/20 px-8 py-4">
<TableCell colSpan={10} className="bg-muted/20 px-8 py-4">
<div className="grid grid-cols-2 gap-4 text-sm">
<div>
<p className="text-muted-foreground"> ID</p>

203
admin/src/app/(dashboard)/security/page.tsx
View File

@@ -1,203 +0,0 @@
'use client'
import { useState } from 'react'
import { ShieldCheck, Loader2, Eye, EyeOff, QrCode, Key, AlertTriangle } from 'lucide-react'
import { Button } from '@/components/ui/button'
import { Input } from '@/components/ui/input'
import { Label } from '@/components/ui/label'
import { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@/components/ui/card'
import { Badge } from '@/components/ui/badge'
import { api } from '@/lib/api-client'
import { useAuth } from '@/components/auth-guard'
import { ApiRequestError } from '@/lib/api-client'
export default function SecurityPage() {
const { account } = useAuth()
const totpEnabled = account?.totp_enabled ?? false
// Setup state
const [step, setStep] = useState<'idle' | 'verify' | 'done'>('idle')
const [otpauthUri, setOtpauthUri] = useState('')
const [secret, setSecret] = useState('')
const [verifyCode, setVerifyCode] = useState('')
const [loading, setLoading] = useState(false)
const [error, setError] = useState('')
// Disable state
const [disablePassword, setDisablePassword] = useState('')
const [showDisablePassword, setShowDisablePassword] = useState(false)
const [disabling, setDisabling] = useState(false)
async function handleSetup() {
setLoading(true)
setError('')
try {
const res = await api.auth.totpSetup()
setOtpauthUri(res.otpauth_uri)
setSecret(res.secret)
setStep('verify')
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message || '获取密钥失败')
else setError('网络错误')
} finally {
setLoading(false)
}
}
async function handleVerify() {
if (verifyCode.length !== 6) {
setError('请输入 6 位验证码')
return
}
setLoading(true)
setError('')
try {
await api.auth.totpVerify({ code: verifyCode })
setStep('done')
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message || '验证失败')
else setError('网络错误')
} finally {
setLoading(false)
}
}
async function handleDisable() {
if (!disablePassword) {
setError('请输入密码以确认禁用')
return
}
setDisabling(true)
setError('')
try {
await api.auth.totpDisable({ password: disablePassword })
setDisablePassword('')
window.location.reload()
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message || '禁用失败')
else setError('网络错误')
} finally {
setDisabling(false)
}
}
return (
<div className="max-w-lg space-y-6">
{/* TOTP 状态 */}
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2">
<ShieldCheck className="h-5 w-5" />
(TOTP)
</CardTitle>
<CardDescription>
使 Google Authenticator
</CardDescription>
</CardHeader>
<CardContent>
<div className="flex items-center gap-3 mb-4">
<span className="text-sm text-muted-foreground">:</span>
<Badge variant={totpEnabled ? 'success' : 'secondary'}>
{totpEnabled ? '已启用' : '未启用'}
</Badge>
</div>
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive mb-4">
{error}
<button onClick={() => setError('')} className="ml-2 underline cursor-pointer"></button>
</div>
)}
{/* 未启用: 设置流程 */}
{!totpEnabled && step === 'idle' && (
<Button onClick={handleSetup} disabled={loading}>
{loading && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
<Key className="mr-2 h-4 w-4" />
</Button>
)}
{!totpEnabled && step === 'verify' && (
<div className="space-y-4">
<div className="rounded-md border border-border p-4 space-y-3">
<div className="flex items-center gap-2 text-sm font-medium">
<QrCode className="h-4 w-4" />
1: 扫描二维码或手动输入密钥
</div>
<div className="bg-muted rounded-md p-3 font-mono text-xs break-all">
{otpauthUri}
</div>
<div className="space-y-1">
<p className="text-xs text-muted-foreground">:</p>
<p className="font-mono text-sm font-medium select-all">{secret}</p>
</div>
</div>
<div className="space-y-2">
<Label>
2: 输入 6
</Label>
<Input
value={verifyCode}
onChange={(e) => setVerifyCode(e.target.value.replace(/\D/g, '').slice(0, 6))}
placeholder="请输入应用中显示的 6 位数字"
maxLength={6}
className="font-mono tracking-widest text-center"
/>
</div>
<div className="flex gap-2">
<Button variant="outline" onClick={() => { setStep('idle'); setVerifyCode('') }}>
</Button>
<Button onClick={handleVerify} disabled={loading || verifyCode.length !== 6}>
{loading && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
</Button>
</div>
</div>
)}
{!totpEnabled && step === 'done' && (
<div className="rounded-md bg-emerald-500/10 border border-emerald-500/20 p-4 text-sm text-emerald-500">
</div>
)}
{/* 已启用: 禁用流程 */}
{totpEnabled && (
<div className="space-y-4">
<div className="rounded-md bg-amber-500/10 border border-amber-500/20 p-3 flex items-start gap-2 text-sm text-amber-600">
<AlertTriangle className="h-4 w-4 mt-0.5 shrink-0" />
<span></span>
</div>
<div className="space-y-2">
<Label></Label>
<div className="relative">
<Input
type={showDisablePassword ? 'text' : 'password'}
value={disablePassword}
onChange={(e) => setDisablePassword(e.target.value)}
placeholder="请输入当前密码"
/>
<button
type="button"
onClick={() => setShowDisablePassword(!showDisablePassword)}
className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground cursor-pointer"
>
{showDisablePassword ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
</button>
</div>
</div>
<Button variant="destructive" onClick={handleDisable} disabled={disabling || !disablePassword}>
{disabling && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
</Button>
</div>
)}
</CardContent>
</Card>
</div>
)
}

322
admin/src/app/(dashboard)/usage/page.tsx
View File

@@ -1,7 +1,8 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import { Loader2, Zap } from 'lucide-react'
import { useState } from 'react'
import useSWR from 'swr'
import { Zap, Monitor, Smartphone } from 'lucide-react'
import {
LineChart,
Line,
@@ -15,6 +16,8 @@ import {
Legend,
} from 'recharts'
import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card'
import { ErrorBanner, EmptyState } from '@/components/ui/state'
import { TableSkeleton, ChartSkeleton } from '@/components/ui/skeleton'
import {
Select,
SelectContent,
@@ -22,83 +25,87 @@ import {
SelectTrigger,
SelectValue,
} from '@/components/ui/select'
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from '@/components/ui/table'
import { Badge } from '@/components/ui/badge'
import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs'
import { api } from '@/lib/api-client'
import { ApiRequestError } from '@/lib/api-client'
import { formatNumber } from '@/lib/utils'
import type { UsageStats } from '@/lib/types'
import type { UsageRecord, UsageByModel, ModelUsageStat, DailyUsageStat } from '@/lib/types'
export default function UsagePage() {
const [days, setDays] = useState(7)
const [usageStats, setUsageStats] = useState<UsageStats | null>(null)
const [loading, setLoading] = useState(true)
const [activeTab, setActiveTab] = useState('relay')
const [error, setError] = useState('')
const fetchData = useCallback(async () => {
setLoading(true)
setError('')
try {
const from = new Date()
from.setDate(from.getDate() - days)
const fromStr = from.toISOString().slice(0, 10)
const res = await api.usage.get({ from: fromStr })
setUsageStats(res)
} catch (err) {
if (err instanceof ApiRequestError) setError(err.body.message)
else setError('加载数据失败')
} finally {
setLoading(false)
}
}, [days])
// 4 parallel SWR calls — each loads independently
const { data: dailyData = [], isLoading: dailyLoading } = useSWR(
['usage.daily', days],
() => api.usage.daily({ days })
)
const { data: modelData = [], isLoading: modelLoading } = useSWR(
['usage.byModel', days],
() => api.usage.byModel({ days })
)
const { data: telemetryModels = [] } = useSWR(
['telemetry.modelStats'],
() => api.telemetry.modelStats()
)
const { data: telemetryDaily = [] } = useSWR(
['telemetry.dailyStats', days],
() => api.telemetry.dailyStats({ days })
)
useEffect(() => {
fetchData()
}, [fetchData])
const relayLoading = dailyLoading || modelLoading
const telemetryLoading = !telemetryModels.length && !telemetryDaily.length && (dailyLoading || modelLoading)
const byDay = usageStats?.by_day ?? []
// === Relay 用量图表数据 ===
const lineChartData = byDay.map((r) => ({
day: r.date.slice(5),
const relayLineData = dailyData.map((r) => ({
day: r.day.slice(5),
Input: r.input_tokens,
Output: r.output_tokens,
}))
const barChartData = (usageStats?.by_model ?? []).map((r) => ({
const relayBarData = modelData.map((r) => ({
model: r.model_id,
请求量: r.request_count,
请求量: r.count,
Input: r.input_tokens,
Output: r.output_tokens,
}))
const totalInput = byDay.reduce((s, r) => s + r.input_tokens, 0)
const totalOutput = byDay.reduce((s, r) => s + r.output_tokens, 0)
const totalRequests = byDay.reduce((s, r) => s + r.request_count, 0)
const relayTotalInput = dailyData.reduce((s, r) => s + r.input_tokens, 0)
const relayTotalOutput = dailyData.reduce((s, r) => s + r.output_tokens, 0)
const relayTotalRequests = dailyData.reduce((s, r) => s + r.count, 0)
if (loading) {
return (
<div className="flex h-[60vh] items-center justify-center">
<div className="flex flex-col items-center gap-3">
<Loader2 className="h-8 w-8 animate-spin text-primary" />
<p className="text-sm text-muted-foreground">...</p>
</div>
</div>
)
}
// === 遥测图表数据 ===
if (error) {
return (
<div className="flex h-[60vh] items-center justify-center">
<div className="text-center">
<p className="text-destructive">{error}</p>
<button onClick={() => fetchData()} className="mt-4 text-sm text-primary hover:underline cursor-pointer">
</button>
</div>
</div>
)
}
const telemetryLineData = telemetryDaily.map((r) => ({
day: r.day.slice(5),
Input: r.input_tokens,
Output: r.output_tokens,
设备数: r.unique_devices,
}))
const telemetryTotalInput = telemetryDaily.reduce((s, r) => s + r.input_tokens, 0)
const telemetryTotalOutput = telemetryDaily.reduce((s, r) => s + r.output_tokens, 0)
const telemetryTotalRequests = telemetryDaily.reduce((s, r) => s + r.request_count, 0)
// === 合计 ===
const totalInput = relayTotalInput + telemetryTotalInput
const totalOutput = relayTotalOutput + telemetryTotalOutput
const totalRequests = relayTotalRequests + telemetryTotalRequests
return (
<div className="space-y-6">
{error && <ErrorBanner message={error} onDismiss={() => setError('')} />}
{/* 时间范围 */}
<div className="flex items-center gap-3">
<span className="text-sm text-muted-foreground">:</span>
@@ -114,8 +121,8 @@ export default function UsagePage() {
</Select>
</div>
{/* 汇总统计 */}
<div className="grid grid-cols-1 gap-4 sm:grid-cols-3">
{/* 汇总统计 — render immediately, use 0 while loading */}
<div className="grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-5">
<Card>
<CardContent className="p-6">
<p className="text-sm text-muted-foreground"></p>
@@ -126,7 +133,7 @@ export default function UsagePage() {
</Card>
<Card>
<CardContent className="p-6">
<p className="text-sm text-muted-foreground">Input Tokens</p>
<p className="text-sm text-muted-foreground"> Input Tokens</p>
<p className="mt-1 text-2xl font-bold text-blue-400">
{formatNumber(totalInput)}
</p>
@@ -134,101 +141,190 @@ export default function UsagePage() {
</Card>
<Card>
<CardContent className="p-6">
<p className="text-sm text-muted-foreground">Output Tokens</p>
<p className="text-sm text-muted-foreground"> Output Tokens</p>
<p className="mt-1 text-2xl font-bold text-orange-400">
{formatNumber(totalOutput)}
</p>
</CardContent>
</Card>
<Card>
<CardContent className="p-6">
<div className="flex items-center gap-2">
<Monitor className="h-4 w-4 text-green-400" />
<p className="text-sm text-muted-foreground"></p>
</div>
<p className="mt-1 text-2xl font-bold text-green-400">
{formatNumber(relayTotalRequests)}
</p>
</CardContent>
</Card>
<Card>
<CardContent className="p-6">
<div className="flex items-center gap-2">
<Smartphone className="h-4 w-4 text-purple-400" />
<p className="text-sm text-muted-foreground"></p>
</div>
<p className="mt-1 text-2xl font-bold text-purple-400">
{formatNumber(telemetryTotalRequests)}
</p>
</CardContent>
</Card>
</div>
{/* Token 用量趋势 */}
{/* Tab 切换 */}
<Tabs value={activeTab} onValueChange={setActiveTab}>
<TabsList>
<TabsTrigger value="relay">
<Monitor className="h-4 w-4 mr-1" />
</TabsTrigger>
<TabsTrigger value="telemetry">
<Smartphone className="h-4 w-4 mr-1" />
</TabsTrigger>
</TabsList>
{/* Relay 用量 Tab */}
<TabsContent value="relay" className="space-y-6">
{relayLoading ? (
<>
<ChartSkeleton height={320} />
<ChartSkeleton height={280} />
</>
) : (
<>
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2 text-base">
<Zap className="h-4 w-4 text-primary" />
Token
Token
</CardTitle>
</CardHeader>
<CardContent>
{lineChartData.length > 0 ? (
{relayLineData.length > 0 ? (
<ResponsiveContainer width="100%" height={320}>
<LineChart data={lineChartData}>
<LineChart data={relayLineData}>
<CartesianGrid strokeDasharray="3 3" stroke="#1E293B" />
<XAxis
dataKey="day"
tick={{ fontSize: 12, fill: '#94A3B8' }}
axisLine={{ stroke: '#1E293B' }}
/>
<YAxis
tick={{ fontSize: 12, fill: '#94A3B8' }}
axisLine={{ stroke: '#1E293B' }}
/>
<Tooltip
contentStyle={{
backgroundColor: '#0F172A',
border: '1px solid #1E293B',
borderRadius: '8px',
color: '#F8FAFC',
fontSize: '12px',
}}
/>
<XAxis dataKey="day" tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} />
<YAxis tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} />
<Tooltip contentStyle={{ backgroundColor: '#0F172A', border: '1px solid #1E293B', borderRadius: '8px', color: '#F8FAFC', fontSize: '12px' }} />
<Legend wrapperStyle={{ fontSize: '12px', color: '#94A3B8' }} />
<Line type="monotone" dataKey="Input" stroke="#3B82F6" strokeWidth={2} dot={false} />
<Line type="monotone" dataKey="Output" stroke="#F97316" strokeWidth={2} dot={false} />
</LineChart>
</ResponsiveContainer>
) : (
<div className="flex h-[320px] items-center justify-center text-muted-foreground text-sm">
</div>
<EmptyState message="暂无中转数据" />
)}
</CardContent>
</Card>
{/* 按模型分布 */}
<Card>
<CardHeader>
<CardTitle className="text-base"></CardTitle>
<CardTitle className="text-base"></CardTitle>
</CardHeader>
<CardContent>
{barChartData.length > 0 ? (
<ResponsiveContainer width="100%" height={320}>
<BarChart data={barChartData} layout="vertical">
{relayBarData.length > 0 ? (
<ResponsiveContainer width="100%" height={Math.max(200, relayBarData.length * 40)}>
<BarChart data={relayBarData} layout="vertical">
<CartesianGrid strokeDasharray="3 3" stroke="#1E293B" />
<XAxis
type="number"
tick={{ fontSize: 12, fill: '#94A3B8' }}
axisLine={{ stroke: '#1E293B' }}
/>
<YAxis
type="category"
dataKey="model"
tick={{ fontSize: 12, fill: '#94A3B8' }}
axisLine={{ stroke: '#1E293B' }}
width={120}
/>
<Tooltip
contentStyle={{
backgroundColor: '#0F172A',
border: '1px solid #1E293B',
borderRadius: '8px',
color: '#F8FAFC',
fontSize: '12px',
}}
/>
<XAxis type="number" tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} />
<YAxis type="category" dataKey="model" tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} width={120} />
<Tooltip contentStyle={{ backgroundColor: '#0F172A', border: '1px solid #1E293B', borderRadius: '8px', color: '#F8FAFC', fontSize: '12px' }} />
<Legend wrapperStyle={{ fontSize: '12px', color: '#94A3B8' }} />
<Bar dataKey="Input" fill="#3B82F6" radius={[0, 2, 2, 0]} />
<Bar dataKey="Output" fill="#F97316" radius={[0, 2, 2, 0]} />
</BarChart>
</ResponsiveContainer>
) : (
<div className="flex h-[320px] items-center justify-center text-muted-foreground text-sm">
</div>
<EmptyState />
)}
</CardContent>
</Card>
</>
)}
</TabsContent>
{/* 遥测 Tab */}
<TabsContent value="telemetry" className="space-y-6">
{telemetryLoading ? (
<>
<ChartSkeleton height={320} />
<TableSkeleton rows={5} cols={6} hasToolbar={false} />
</>
) : (
<>
<Card>
<CardHeader>
<CardTitle className="flex items-center gap-2 text-base">
<Smartphone className="h-4 w-4 text-purple-400" />
Token
</CardTitle>
</CardHeader>
<CardContent>
{telemetryLineData.length > 0 ? (
<ResponsiveContainer width="100%" height={320}>
<LineChart data={telemetryLineData}>
<CartesianGrid strokeDasharray="3 3" stroke="#1E293B" />
<XAxis dataKey="day" tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} />
<YAxis tick={{ fontSize: 12, fill: '#94A3B8' }} axisLine={{ stroke: '#1E293B' }} />
<Tooltip contentStyle={{ backgroundColor: '#0F172A', border: '1px solid #1E293B', borderRadius: '8px', color: '#F8FAFC', fontSize: '12px' }} />
<Legend wrapperStyle={{ fontSize: '12px', color: '#94A3B8' }} />
<Line type="monotone" dataKey="Input" stroke="#3B82F6" strokeWidth={2} dot={false} />
<Line type="monotone" dataKey="Output" stroke="#F97316" strokeWidth={2} dot={false} />
</LineChart>
</ResponsiveContainer>
) : (
<EmptyState message="暂无桌面端遥测数据(需要桌面端上报)" />
)}
</CardContent>
</Card>
<Card>
<CardHeader>
<CardTitle className="text-base"></CardTitle>
</CardHeader>
<CardContent>
{telemetryModels.length > 0 ? (
<Table>
<TableHeader>
<TableRow>
<TableHead></TableHead>
<TableHead className="text-right"></TableHead>
<TableHead className="text-right">Input Tokens</TableHead>
<TableHead className="text-right">Output Tokens</TableHead>
<TableHead className="text-right"></TableHead>
<TableHead className="text-right"></TableHead>
</TableRow>
</TableHeader>
<TableBody>
{telemetryModels.map((stat) => (
<TableRow key={stat.model_id}>
<TableCell className="font-mono text-sm">{stat.model_id}</TableCell>
<TableCell className="text-right">{formatNumber(stat.request_count)}</TableCell>
<TableCell className="text-right text-blue-400">{formatNumber(stat.input_tokens)}</TableCell>
<TableCell className="text-right text-orange-400">{formatNumber(stat.output_tokens)}</TableCell>
<TableCell className="text-right">
{stat.avg_latency_ms !== null ? `${Math.round(stat.avg_latency_ms)}ms` : '-'}
</TableCell>
<TableCell className="text-right">
<Badge variant={stat.success_rate >= 0.95 ? 'default' : 'destructive'}>
{(stat.success_rate * 100).toFixed(1)}%
</Badge>
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
) : (
<EmptyState />
)}
</CardContent>
</Card>
</>
)}
</TabsContent>
</Tabs>
</div>
)
}

4
admin/src/app/icon.svg Normal file
View File

@@ -0,0 +1,4 @@
<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 32 32">
<rect width="32" height="32" rx="6" fill="#0f172a"/>
<text x="16" y="22" font-family="system-ui, sans-serif" font-size="16" font-weight="700" fill="#60a5fa" text-anchor="middle">Z</text>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 282 B

5
admin/src/app/layout.tsx
View File

@@ -1,5 +1,5 @@
import type { Metadata } from 'next'
import { Toaster } from 'sonner'
import { SWRProvider } from '@/lib/swr-provider'
import './globals.css'
export const metadata: Metadata = {
@@ -21,8 +21,9 @@ export default function RootLayout({
/>
</head>
<body className="min-h-screen bg-background font-sans antialiased">
<SWRProvider>
{children}
<Toaster richColors position="top-right" />
</SWRProvider>
</body>
</html>
)

59
admin/src/app/login/page.tsx
View File

@@ -11,9 +11,10 @@ export default function LoginPage() {
const router = useRouter()
const [username, setUsername] = useState('')
const [password, setPassword] = useState('')
const [showPassword, setShowPassword] = useState(false)
const [totpCode, setTotpCode] = useState('')
const [showTotp, setShowTotp] = useState(false)
const [showPassword, setShowPassword] = useState(false)
const [needTotp, setNeedTotp] = useState(false)
const [remember, setRemember] = useState(false)
const [loading, setLoading] = useState(false)
const [error, setError] = useState('')
@@ -35,18 +36,19 @@ export default function LoginPage() {
const res = await api.auth.login({
username: username.trim(),
password,
totp_code: showTotp ? totpCode.trim() || undefined : undefined,
totp_code: totpCode.trim() || undefined,
})
login(res.token, res.account)
router.replace('/')
} catch (err) {
if (err instanceof ApiRequestError) {
// 检测 TOTP 错误码,自动显示验证码输入框
if (err.body.error === 'totp_required' || err.body.message?.includes('双因素认证') || err.body.message?.includes('TOTP')) {
setShowTotp(true)
setError(err.body.message || '此账号已启用双因素认证,请输入验证码')
const msg = err.body.message || ''
// 后端返回 "需要 TOTP" 时显示 TOTP 输入框
if (msg.includes('TOTP') || msg.includes('totp') || msg.includes('2FA') || msg.includes('验证码') || err.status === 403) {
setNeedTotp(true)
setError(msg || '请输入两步验证码')
} else {
setError(err.body.message || '登录失败,请检查用户名和密码')
setError(msg || '登录失败,请检查用户名和密码')
}
} else {
setError('网络错误,请稍后重试')
@@ -163,31 +165,52 @@ export default function LoginPage() {
</div>
</div>
{/* TOTP 验证码 (仅账号启用 2FA 时显示) */}
{showTotp && (
{/* TOTP 验证码 */}
{needTotp && (
<div className="space-y-2">
<label
htmlFor="totp_code"
htmlFor="totp"
className="text-sm font-medium text-foreground"
>
<span className="inline-flex items-center gap-1">
<ShieldCheck className="h-3.5 w-3.5" />
</span>
</label>
<div className="relative">
<ShieldCheck className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-muted-foreground" />
<input
id="totp_code"
id="totp"
type="text"
placeholder="请输入 6 位验证码"
value={totpCode}
onChange={(e) => setTotpCode(e.target.value.replace(/\D/g, '').slice(0, 6))}
className="flex h-10 w-full rounded-md border border-input bg-transparent px-3 py-2 text-sm tracking-widest text-center font-mono shadow-sm transition-colors duration-200 placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
maxLength={6}
autoFocus
className="flex h-10 w-full rounded-md border border-input bg-transparent pl-10 pr-3 py-2 text-sm shadow-sm transition-colors duration-200 placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring tracking-widest"
autoComplete="one-time-code"
inputMode="numeric"
/>
</div>
<p className="text-xs text-muted-foreground">
使 App Google Authenticator
</p>
</div>
)}
{/* 记住我 */}
<div className="flex items-center gap-2">
<input
id="remember"
type="checkbox"
checked={remember}
onChange={(e) => setRemember(e.target.checked)}
className="h-4 w-4 rounded border-input bg-transparent accent-primary cursor-pointer"
/>
<label
htmlFor="remember"
className="text-sm text-muted-foreground cursor-pointer select-none"
>
</label>
</div>
{/* 错误信息 */}
{error && (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive">

141
admin/src/components/auth-guard.tsx
View File

@@ -1,26 +1,11 @@
'use client'
import { createContext, useContext, useEffect, useState, useCallback, type ReactNode } from 'react'
import { useEffect, useState, useRef, useCallback, type ReactNode } from 'react'
import { useRouter } from 'next/navigation'
import { isAuthenticated, getAccount, logout as clearCredentials, scheduleTokenRefresh, cancelTokenRefresh, setOnSessionExpired } from '@/lib/auth'
import { api } from '@/lib/api-client'
import { isAuthenticated, getAccount, clearAuth } from '@/lib/auth'
import { api, ApiRequestError } from '@/lib/api-client'
import type { AccountPublic } from '@/lib/types'
interface AuthContextValue {
account: AccountPublic | null
loading: boolean
refresh: () => Promise<void>
}
const AuthContext = createContext<AuthContextValue>({
account: null,
loading: true,
refresh: async () => {},
})
export function useAuth() {
return useContext(AuthContext)
}
import { AlertTriangle, RefreshCw } from 'lucide-react'
interface AuthGuardProps {
children: ReactNode
@@ -28,44 +13,72 @@ interface AuthGuardProps {
export function AuthGuard({ children }: AuthGuardProps) {
const router = useRouter()
const [authorized, setAuthorized] = useState(false)
const [account, setAccount] = useState<AccountPublic | null>(null)
const [loading, setLoading] = useState(true)
const [verifying, setVerifying] = useState(true)
const [connectionError, setConnectionError] = useState(false)
const refresh = useCallback(async () => {
try {
const me = await api.auth.me()
setAccount(me)
} catch {
clearCredentials()
router.replace('/login')
}
}, [router])
// Ref 跟踪授权状态,避免 useCallback 闭包捕获过时的 state
const authorizedRef = useRef(false)
// 防止并发验证RSC 导航可能触发多次 effect
const verifyingRef = useRef(false)
const verifyAuth = useCallback(async () => {
// 防止并发验证
if (verifyingRef.current) return
verifyingRef.current = true
setVerifying(true)
setConnectionError(false)
useEffect(() => {
if (!isAuthenticated()) {
setVerifying(false)
verifyingRef.current = false
router.replace('/login')
return
}
// 验证 token 有效性并获取最新账号信息
refresh().finally(() => setLoading(false))
}, [router, refresh])
// Set up proactive token refresh with session-expired handler
useEffect(() => {
const handleSessionExpired = () => {
clearCredentials()
router.replace('/login')
try {
const serverAccount = await api.auth.me()
setAccount(serverAccount)
setAuthorized(true)
authorizedRef.current = true
} catch (err) {
// AbortError: 导航/SWR 取消了请求,忽略
// 如果已有授权ref 跟踪),保持不变;否则尝试 localStorage 缓存
if (err instanceof DOMException && err.name === 'AbortError') {
if (!authorizedRef.current) {
const cachedAccount = getAccount()
if (cachedAccount) {
setAccount(cachedAccount)
setAuthorized(true)
authorizedRef.current = true
}
setOnSessionExpired(handleSessionExpired)
scheduleTokenRefresh()
return () => {
cancelTokenRefresh()
setOnSessionExpired(null)
}
return
}
// 401/403: 真正的认证失败,清除 token
if (err instanceof ApiRequestError && (err.status === 401 || err.status === 403)) {
clearAuth()
authorizedRef.current = false
router.replace('/login')
} else {
// 网络错误/超时 — 仅在未授权时显示连接错误
// 已授权的情况下忽略瞬态错误,保持当前状态
if (!authorizedRef.current) {
setConnectionError(true)
}
}
} finally {
setVerifying(false)
verifyingRef.current = false
}
}, [router])
if (loading) {
useEffect(() => {
verifyAuth()
}, [verifyAuth])
if (verifying) {
return (
<div className="flex h-screen w-screen items-center justify-center bg-background">
<div className="h-8 w-8 animate-spin rounded-full border-2 border-primary border-t-transparent" />
@@ -73,13 +86,39 @@ export function AuthGuard({ children }: AuthGuardProps) {
)
}
if (!account) {
if (connectionError) {
return (
<div className="flex h-screen w-screen flex-col items-center justify-center gap-4 bg-background">
<AlertTriangle className="h-12 w-12 text-yellow-500" />
<h2 className="text-lg font-semibold text-foreground"></h2>
<p className="text-sm text-muted-foreground"></p>
<button
onClick={verifyAuth}
className="mt-2 inline-flex items-center gap-2 rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90 transition-colors cursor-pointer"
>
<RefreshCw className="h-4 w-4" />
</button>
</div>
)
}
if (!authorized) {
return null
}
return (
<AuthContext.Provider value={{ account, loading, refresh }}>
{children}
</AuthContext.Provider>
)
return <>{children}</>
}
export function useAuth() {
const [account, setAccount] = useState<AccountPublic | null>(null)
const [loading, setLoading] = useState(true)
useEffect(() => {
const acc = getAccount()
setAccount(acc)
setLoading(false)
}, [])
return { account, loading, isAuthenticated: isAuthenticated() }
}

115
admin/src/components/ui/skeleton.tsx Normal file
View File

@@ -0,0 +1,115 @@
// ============================================================
// Skeleton 组件 — 替代全屏 spinner 的骨架屏
// ============================================================
import { cn } from '@/lib/utils'
function SkeletonBase({ className }: { className?: string }) {
return (
<div
className={cn(
'animate-pulse rounded-md bg-muted',
className,
)}
/>
)
}
/** 表格骨架屏 */
export function TableSkeleton({
rows = 5,
cols = 5,
hasToolbar = true,
}: {
rows?: number
cols?: number
hasToolbar?: boolean
}) {
return (
<div className="space-y-4">
{hasToolbar && (
<div className="flex items-center justify-between">
<SkeletonBase className="h-9 w-[200px]" />
<SkeletonBase className="h-9 w-[120px]" />
</div>
)}
<div className="rounded-md border border-border overflow-hidden">
{/* Header */}
<div className="border-b border-border bg-muted/30 px-4 py-3">
<div className="flex gap-4">
{Array.from({ length: cols }).map((_, i) => (
<SkeletonBase
key={i}
className={cn(
'h-4',
i === 0 ? 'w-[120px]' : i === cols - 1 ? 'w-[80px]' : 'w-[100px]',
)}
/>
))}
</div>
</div>
{/* Rows */}
{Array.from({ length: rows }).map((_, rowIdx) => (
<div
key={rowIdx}
className={cn(
'px-4 py-3',
rowIdx < rows - 1 && 'border-b border-border',
)}
>
<div className="flex gap-4">
{Array.from({ length: cols }).map((_, colIdx) => (
<SkeletonBase
key={colIdx}
className={cn(
'h-4',
colIdx === 0 ? 'w-[120px]' : colIdx === cols - 1 ? 'w-[80px]' : 'w-[100px]',
)}
/>
))}
</div>
</div>
))}
</div>
{/* Pagination */}
<div className="flex items-center justify-between">
<SkeletonBase className="h-4 w-[140px]" />
<div className="flex gap-2">
<SkeletonBase className="h-8 w-[80px]" />
<SkeletonBase className="h-8 w-[80px]" />
</div>
</div>
</div>
)
}
/** 统计卡片骨架屏 */
export function StatsSkeleton({ count = 4 }: { count?: number }) {
return (
<div className={`grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-${count}`}>
{Array.from({ length: count }).map((_, i) => (
<div key={i} className="rounded-lg border border-border p-6">
<SkeletonBase className="h-4 w-[80px]" />
<SkeletonBase className="mt-2 h-8 w-[100px]" />
<SkeletonBase className="mt-1 h-3 w-[120px]" />
</div>
))}
</div>
)
}
/** 图表骨架屏 */
export function ChartSkeleton({ height }: { height?: number }) {
return (
<div className="rounded-lg border border-border">
<div className="border-b border-border px-6 py-4">
<SkeletonBase className="h-5 w-[140px]" />
</div>
<div className="p-6">
<SkeletonBase className="w-full" />
</div>
</div>
)
}
export { SkeletonBase as Skeleton }

63
admin/src/components/ui/state.tsx Normal file
View File

@@ -0,0 +1,63 @@
'use client'
import { AlertCircle, Inbox } from 'lucide-react'
/** 统一的错误提示横幅 */
export function ErrorBanner({
message,
onDismiss,
}: {
message: string
onDismiss?: () => void
}) {
return (
<div className="rounded-md bg-destructive/10 border border-destructive/20 px-4 py-3 text-sm text-destructive flex items-center gap-2">
<AlertCircle className="h-4 w-4 shrink-0" />
<span className="flex-1">{message}</span>
{onDismiss && (
<button
onClick={onDismiss}
className="underline cursor-pointer shrink-0"
>
</button>
)}
</div>
)
}
/** 统一的空状态占位 */
export function EmptyState({
message = '暂无数据',
}: {
message?: string
}) {
return (
<div className="flex h-64 flex-col items-center justify-center gap-2 text-muted-foreground">
<Inbox className="h-8 w-8" />
<span className="text-sm">{message}</span>
</div>
)
}
/** 统一的加载失败提示 + 重试 */
export function ErrorRetry({
message = '请求失败,请重试',
onRetry,
}: {
message?: string
onRetry: () => void
}) {
return (
<div className="flex h-64 flex-col items-center justify-center gap-3 text-muted-foreground">
<AlertCircle className="h-8 w-8 text-destructive" />
<span className="text-sm">{message}</span>
<button
onClick={onRetry}
className="rounded-md bg-primary px-4 py-2 text-sm text-primary-foreground hover:bg-primary/90 transition-colors cursor-pointer"
>
</button>
</div>
)
}

16
admin/src/hooks/use-debounce.ts Normal file
View File

@@ -0,0 +1,16 @@
// ============================================================
// useDebounce — 防抖 hook
// ============================================================
import { useState, useEffect } from 'react'
export function useDebounce<T>(value: T, delay = 300): T {
const [debouncedValue, setDebouncedValue] = useState<T>(value)
useEffect(() => {
const handler = setTimeout(() => setDebouncedValue(value), delay)
return () => clearTimeout(handler)
}, [value, delay])
return debouncedValue
}

350
admin/src/lib/api-client.ts
View File

@@ -2,25 +2,29 @@
// ZCLAW SaaS Admin — 类型化 HTTP 客户端
// ============================================================
import { getToken, logout, refreshToken } from './auth'
import { toast } from 'sonner'
import { getToken, login as saveToken, logout, getAccount } from './auth'
import type {
AccountPublic,
AgentTemplate,
ApiError,
ConfigItem,
CreateTokenRequest,
DashboardStats,
DeviceInfo,
DailyUsageStat,
LoginRequest,
LoginResponse,
Model,
ModelUsageStat,
OperationLog,
PaginatedResponse,
PromptTemplate,
PromptVersion,
Provider,
ProviderKey,
RelayTask,
TokenInfo,
UsageByModel,
UsageStats,
UsageRecord,
} from './types'
// ── 错误类 ────────────────────────────────────────────────
@@ -37,14 +41,70 @@ export class ApiRequestError extends Error {
// ── 基础请求 ──────────────────────────────────────────────
const BASE_URL = process.env.NEXT_PUBLIC_SAAS_API_URL || 'http://localhost:8080'
const API_PREFIX = '/api/v1'
const BASE_URL = process.env.NEXT_PUBLIC_SAAS_API_URL || '/api/v1'
const DEFAULT_TIMEOUT_MS = 10_000
const MAX_RETRIES = 2
function sleep(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
/** 判断是否为可重试的网络错误(不含 AbortError */
function isRetryableNetworkError(err: unknown): boolean {
// AbortError 不重试:可能是组件卸载或路由切换导致的外部取消
if (err instanceof DOMException && err.name === 'AbortError') return false
if (err instanceof TypeError) {
const msg = (err as TypeError).message
return msg.includes('Failed to fetch') || msg.includes('NetworkError') || msg.includes('ECONNREFUSED')
}
return false
}
/** 尝试刷新 Token成功返回新 token失败返回 null */
async function tryRefreshToken(): Promise<string | null> {
try {
const token = getToken()
if (!token) return null
const res = await fetch(`${BASE_URL}/auth/refresh`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${token}`,
},
})
if (!res.ok) return null
const data = await res.json()
const newToken = data.token as string
const account = getAccount()
if (account && newToken) {
saveToken(newToken, account)
}
return newToken
} catch {
return null
}
}
async function request<T>(
method: string,
path: string,
body?: unknown,
_isRetry = false,
externalSignal?: AbortSignal,
): Promise<T> {
let lastError: unknown
for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
// Merge external signal (e.g. from SWR) with a timeout signal
const signals: AbortSignal[] = [AbortSignal.timeout(DEFAULT_TIMEOUT_MS)]
if (externalSignal) signals.push(externalSignal)
const signal = signals.length === 1 ? signals[0] : AbortSignal.any(signals)
try {
const token = getToken()
const headers: Record<string, string> = {
'Content-Type': 'application/json',
@@ -53,33 +113,18 @@ async function request<T>(
headers['Authorization'] = `Bearer ${token}`
}
const res = await fetch(`${BASE_URL}${API_PREFIX}${path}`, {
const res = await fetch(`${BASE_URL}${path}`, {
method,
headers,
body: body ? JSON.stringify(body) : undefined,
signal,
})
if (res.status === 401) {
// 尝试刷新 token 后重试
try {
const newToken = await refreshToken()
headers['Authorization'] = `Bearer ${newToken}`
const retryRes = await fetch(`${BASE_URL}${API_PREFIX}${path}`, {
method,
headers,
body: body ? JSON.stringify(body) : undefined,
})
if (retryRes.ok || retryRes.status === 204) {
return retryRes.status === 204 ? (undefined as T) : retryRes.json()
}
// 刷新成功但重试仍失败,走正常错误处理
if (!retryRes.ok) {
let errorBody: ApiError
try { errorBody = await retryRes.json() } catch { errorBody = { error: 'unknown', message: `请求失败 (${retryRes.status})` } }
throw new ApiRequestError(retryRes.status, errorBody)
}
} catch {
// 刷新失败,执行登出
// 401: 尝试刷新 Token 后重试
if (res.status === 401 && !_isRetry) {
const newToken = await tryRefreshToken()
if (newToken) {
return request<T>(method, path, body, true)
}
logout()
if (typeof window !== 'undefined') {
@@ -95,9 +140,6 @@ async function request<T>(
} catch {
errorBody = { error: 'unknown', message: `请求失败 (${res.status})` }
}
if (typeof window !== 'undefined') {
toast.error(errorBody.message || `请求失败 (${res.status})`)
}
throw new ApiRequestError(res.status, errorBody)
}
@@ -107,6 +149,24 @@ async function request<T>(
}
return res.json() as Promise<T>
} catch (err) {
// API 错误和外部取消的 AbortError 直接抛出,不重试
if (err instanceof ApiRequestError) throw err
if (err instanceof DOMException && err.name === 'AbortError') throw err
lastError = err
// 仅对可重试的网络错误重试
if (attempt < MAX_RETRIES && isRetryableNetworkError(err)) {
await sleep(1000 * Math.pow(2, attempt))
continue
}
throw err
}
}
throw lastError
}
// ── API 客户端 ────────────────────────────────────────────
@@ -130,22 +190,6 @@ export const api = {
async me(): Promise<AccountPublic> {
return request<AccountPublic>('GET', '/auth/me')
},
async changePassword(data: { old_password: string; new_password: string }): Promise<void> {
return request<void>('PUT', '/auth/password', data)
},
async totpSetup(): Promise<{ otpauth_uri: string; secret: string; issuer: string }> {
return request<{ otpauth_uri: string; secret: string; issuer: string }>('POST', '/auth/totp/setup')
},
async totpVerify(data: { code: string }): Promise<void> {
return request<void>('POST', '/auth/totp/verify', data)
},
async totpDisable(data: { password: string }): Promise<void> {
return request<void>('POST', '/auth/totp/disable', data)
},
},
// ── 账号管理 ──────────────────────────────────────────
@@ -169,7 +213,7 @@ export const api = {
id: string,
data: Partial<Pick<AccountPublic, 'display_name' | 'email' | 'role'>>,
): Promise<AccountPublic> {
return request<AccountPublic>('PUT', `/accounts/${id}`, data)
return request<AccountPublic>('PATCH', `/accounts/${id}`, data)
},
async updateStatus(
@@ -190,10 +234,6 @@ export const api = {
return request<PaginatedResponse<Provider>>('GET', `/providers${qs}`)
},
async get(id: string): Promise<Provider> {
return request<Provider>('GET', `/providers/${id}`)
},
async create(data: Partial<Omit<Provider, 'id' | 'created_at' | 'updated_at'>>): Promise<Provider> {
return request<Provider>('POST', '/providers', data)
},
@@ -202,12 +242,36 @@ export const api = {
id: string,
data: Partial<Omit<Provider, 'id' | 'created_at' | 'updated_at'>>,
): Promise<Provider> {
return request<Provider>('PUT', `/providers/${id}`, data)
return request<Provider>('PATCH', `/providers/${id}`, data)
},
async delete(id: string): Promise<void> {
return request<void>('DELETE', `/providers/${id}`)
},
// Key Pool 管理
async listKeys(providerId: string): Promise<ProviderKey[]> {
return request<ProviderKey[]>('GET', `/providers/${providerId}/keys`)
},
async addKey(providerId: string, data: {
key_label: string
key_value: string
priority?: number
max_rpm?: number
max_tpm?: number
quota_reset_interval?: string
}): Promise<{ ok: boolean; key_id: string }> {
return request<{ ok: boolean; key_id: string }>('POST', `/providers/${providerId}/keys`, data)
},
async toggleKey(providerId: string, keyId: string, active: boolean): Promise<{ ok: boolean }> {
return request<{ ok: boolean }>('PUT', `/providers/${providerId}/keys/${keyId}/toggle`, { active })
},
async deleteKey(providerId: string, keyId: string): Promise<{ ok: boolean }> {
return request<{ ok: boolean }>('DELETE', `/providers/${providerId}/keys/${keyId}`)
},
},
// ── 模型管理 ──────────────────────────────────────────
@@ -221,16 +285,12 @@ export const api = {
return request<PaginatedResponse<Model>>('GET', `/models${qs}`)
},
async get(id: string): Promise<Model> {
return request<Model>('GET', `/models/${id}`)
},
async create(data: Partial<Omit<Model, 'id'>>): Promise<Model> {
return request<Model>('POST', '/models', data)
},
async update(id: string, data: Partial<Omit<Model, 'id'>>): Promise<Model> {
return request<Model>('PUT', `/models/${id}`, data)
return request<Model>('PATCH', `/models/${id}`, data)
},
async delete(id: string): Promise<void> {
@@ -245,23 +305,30 @@ export const api = {
page_size?: number
}): Promise<PaginatedResponse<TokenInfo>> {
const qs = buildQueryString(params)
return request<PaginatedResponse<TokenInfo>>('GET', `/tokens${qs}`)
return request<PaginatedResponse<TokenInfo>>('GET', `/keys${qs}`)
},
async create(data: CreateTokenRequest): Promise<TokenInfo> {
return request<TokenInfo>('POST', '/tokens', data)
return request<TokenInfo>('POST', '/keys', data)
},
async revoke(id: string): Promise<void> {
return request<void>('DELETE', `/tokens/${id}`)
return request<void>('DELETE', `/keys/${id}`)
},
},
// ── 用量统计 ──────────────────────────────────────────
usage: {
async get(params?: { from?: string; to?: string; provider_id?: string; model_id?: string }): Promise<UsageStats> {
const qs = buildQueryString(params)
return request<UsageStats>('GET', `/usage${qs}`)
async daily(params?: { days?: number }): Promise<UsageRecord[]> {
const qs = buildQueryString({ ...params, group_by: 'day' })
const result = await request<{ by_day: UsageRecord[] }>('GET', `/usage${qs}`)
return result.by_day || []
},
async byModel(params?: { days?: number }): Promise<UsageByModel[]> {
const qs = buildQueryString({ ...params, group_by: 'model' })
const result = await request<{ by_model: UsageByModel[] }>('GET', `/usage${qs}`)
return result.by_model || []
},
},
@@ -279,23 +346,22 @@ export const api = {
async get(id: string): Promise<RelayTask> {
return request<RelayTask>('GET', `/relay/tasks/${id}`)
},
async retry(id: string): Promise<void> {
return request<void>('POST', `/relay/tasks/${id}/retry`)
},
},
// ── 系统配置 ──────────────────────────────────────────
config: {
async list(params?: {
category?: string
page?: number
page_size?: number
}): Promise<ConfigItem[]> {
const qs = buildQueryString(params)
return request<ConfigItem[]>('GET', `/config/items${qs}`)
const result = await request<PaginatedResponse<ConfigItem>>('GET', `/config/items${qs}`)
return result.items
},
async update(id: string, data: { current_value: string | number | boolean }): Promise<ConfigItem> {
return request<ConfigItem>('PUT', `/config/items/${id}`, data)
async update(id: string, data: { value: string | number | boolean }): Promise<ConfigItem> {
return request<ConfigItem>('PATCH', `/config/items/${id}`, data)
},
},
@@ -305,9 +371,9 @@ export const api = {
page?: number
page_size?: number
action?: string
}): Promise<OperationLog[]> {
}): Promise<PaginatedResponse<OperationLog>> {
const qs = buildQueryString(params)
return request<OperationLog[]>('GET', `/logs/operations${qs}`)
return request<PaginatedResponse<OperationLog>>('GET', `/logs/operations${qs}`)
},
},
@@ -318,16 +384,138 @@ export const api = {
},
},
// ── 设备管理 ──────────────────────────────────────────
devices: {
async list(): Promise<DeviceInfo[]> {
return request<DeviceInfo[]>('GET', '/devices')
// ── 提示词管理 ────────────────────────────────────────
prompts: {
async list(params?: {
category?: string
source?: string
status?: string
page?: number
page_size?: number
}): Promise<PaginatedResponse<PromptTemplate>> {
const qs = buildQueryString(params)
return request<PaginatedResponse<PromptTemplate>>('GET', `/prompts${qs}`)
},
async register(data: { device_id: string; device_name?: string; platform?: string; app_version?: string }) {
return request<{ ok: boolean; device_id: string }>('POST', '/devices/register', data)
async get(name: string): Promise<PromptTemplate> {
return request<PromptTemplate>('GET', `/prompts/${encodeURIComponent(name)}`)
},
async heartbeat(data: { device_id: string }) {
return request<{ ok: boolean }>('POST', '/devices/heartbeat', data)
async create(data: {
name: string
category: string
description?: string
source?: string
system_prompt: string
user_prompt_template?: string
variables?: unknown[]
min_app_version?: string
}): Promise<PromptTemplate> {
return request<PromptTemplate>('POST', '/prompts', data)
},
async update(name: string, data: {
description?: string
status?: string
}): Promise<PromptTemplate> {
return request<PromptTemplate>('PUT', `/prompts/${encodeURIComponent(name)}`, data)
},
async archive(name: string): Promise<PromptTemplate> {
return request<PromptTemplate>('DELETE', `/prompts/${encodeURIComponent(name)}`)
},
async listVersions(name: string): Promise<PromptVersion[]> {
return request<PromptVersion[]>('GET', `/prompts/${encodeURIComponent(name)}/versions`)
},
async createVersion(name: string, data: {
system_prompt: string
user_prompt_template?: string
variables?: unknown[]
changelog?: string
min_app_version?: string
}): Promise<PromptVersion> {
return request<PromptVersion>('POST', `/prompts/${encodeURIComponent(name)}/versions`, data)
},
async rollback(name: string, version: number): Promise<PromptTemplate> {
return request<PromptTemplate>('POST', `/prompts/${encodeURIComponent(name)}/rollback/${version}`)
},
},
// ── Agent 配置模板 ──────────────────────────────────
agentTemplates: {
async list(params?: {
category?: string
source?: string
visibility?: string
status?: string
page?: number
page_size?: number
}): Promise<PaginatedResponse<AgentTemplate>> {
const qs = buildQueryString(params)
return request<PaginatedResponse<AgentTemplate>>('GET', `/agent-templates${qs}`)
},
async get(id: string): Promise<AgentTemplate> {
return request<AgentTemplate>('GET', `/agent-templates/${id}`)
},
async create(data: {
name: string
description?: string
category?: string
source?: string
model?: string
system_prompt?: string
tools?: string[]
capabilities?: string[]
temperature?: number
max_tokens?: number
visibility?: string
}): Promise<AgentTemplate> {
return request<AgentTemplate>('POST', '/agent-templates', data)
},
async update(id: string, data: {
description?: string
model?: string
system_prompt?: string
tools?: string[]
capabilities?: string[]
temperature?: number
max_tokens?: number
visibility?: string
status?: string
}): Promise<AgentTemplate> {
return request<AgentTemplate>('POST', `/agent-templates/${id}`, data)
},
async archive(id: string): Promise<AgentTemplate> {
return request<AgentTemplate>('DELETE', `/agent-templates/${id}`)
},
},
// ── 遥测统计 ──────────────────────────────────────────
telemetry: {
/** 按模型聚合用量统计 */
async modelStats(params?: {
from?: string
to?: string
model_id?: string
connection_mode?: string
}): Promise<ModelUsageStat[]> {
const qs = buildQueryString(params)
return request<ModelUsageStat[]>('GET', `/telemetry/stats${qs}`)
},
/** 按天聚合用量统计 */
async dailyStats(params?: {
days?: number
}): Promise<DailyUsageStat[]> {
const qs = buildQueryString(params)
return request<DailyUsageStat[]>('GET', `/telemetry/daily${qs}`)
},
},
}

13
admin/src/lib/api-error.ts Normal file
View File

@@ -0,0 +1,13 @@
// ============================================================
// API Error 类 — 与 swr-fetcher 共享
// ============================================================
export class ApiRequestError extends Error {
constructor(
public status: number,
public body: { error?: string; message?: string },
) {
super(body.message || `Request failed with status ${status}`)
this.name = 'ApiRequestError'
}
}

184
admin/src/lib/auth.ts
View File

@@ -2,74 +2,28 @@
// ZCLAW SaaS Admin — JWT Token 管理
// ============================================================
import type { AccountPublic, LoginResponse } from './types'
import type { AccountPublic } from './types'
const TOKEN_KEY = 'zclaw_admin_token'
const ACCOUNT_KEY = 'zclaw_admin_account'
// ── JWT 辅助函数 ────────────────────────────────────────────
interface JwtPayload {
exp?: number
iat?: number
sub?: string
}
/**
* Decode a JWT payload without verifying the signature.
* Returns the parsed JSON payload, or null if the token is malformed.
*/
function decodeJwtPayload<T = Record<string, unknown>>(token: string): T | null {
try {
const parts = token.split('.')
if (parts.length !== 3) return null
const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/')
const json = decodeURIComponent(
atob(base64)
.split('')
.map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
.join(''),
)
return JSON.parse(json) as T
} catch {
return null
}
}
/**
* Calculate the delay (ms) until 80% of the token's remaining lifetime
* has elapsed. Returns null if the token is already past that point.
*/
function getRefreshDelay(exp: number): number | null {
const now = Math.floor(Date.now() / 1000)
const totalLifetime = exp - now
if (totalLifetime <= 0) return null
const refreshAt = now + Math.floor(totalLifetime * 0.8)
const delayMs = (refreshAt - now) * 1000
return delayMs > 5000 ? delayMs : 5000
}
// ── 定时刷新状态 ────────────────────────────────────────────
let refreshTimerId: ReturnType<typeof setTimeout> | null = null
let visibilityHandler: (() => void) | null = null
let sessionExpiredCallback: (() => void) | null = null
// ── 凭证操作 ────────────────────────────────────────────────
/** 保存登录凭证并启动自动刷新 */
/** 保存登录凭证 */
export function login(token: string, account: AccountPublic): void {
if (typeof window === 'undefined') return
localStorage.setItem(TOKEN_KEY, token)
localStorage.setItem(ACCOUNT_KEY, JSON.stringify(account))
scheduleTokenRefresh()
}
/** 清除登录凭证并停止自动刷新 */
/** 清除登录凭证 */
export function logout(): void {
if (typeof window === 'undefined') return
cancelTokenRefresh()
localStorage.removeItem(TOKEN_KEY)
localStorage.removeItem(ACCOUNT_KEY)
}
/** 清除认证状态(用于 Token 验证失败时) */
export function clearAuth(): void {
if (typeof window === 'undefined') return
localStorage.removeItem(TOKEN_KEY)
localStorage.removeItem(ACCOUNT_KEY)
}
@@ -96,121 +50,3 @@ export function getAccount(): AccountPublic | null {
export function isAuthenticated(): boolean {
return !!getToken()
}
/** 尝试刷新 token成功则更新 localStorage 并返回新 token */
export async function refreshToken(): Promise<string> {
const res = await fetch(
`${process.env.NEXT_PUBLIC_SAAS_API_URL || 'http://localhost:8080'}/api/v1/auth/refresh`,
{
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${getToken()}`,
},
},
)
if (!res.ok) {
throw new Error('Token 刷新失败')
}
const data: LoginResponse = await res.json()
login(data.token, data.account)
return data.token
}
// ── 自动刷新调度 ────────────────────────────────────────────
/**
* Register a callback invoked when the proactive token refresh fails.
* The caller should use this to trigger a logout/redirect flow.
*/
export function setOnSessionExpired(handler: (() => void) | null): void {
sessionExpiredCallback = handler
}
/**
* Schedule a proactive token refresh at 80% of the token's remaining lifetime.
* Also registers a visibilitychange listener to re-check when the tab regains focus.
*/
export function scheduleTokenRefresh(): void {
cancelTokenRefresh()
const token = getToken()
if (!token) return
const payload = decodeJwtPayload<JwtPayload>(token)
if (!payload?.exp) return
const delay = getRefreshDelay(payload.exp)
if (delay === null) {
attemptTokenRefresh()
return
}
refreshTimerId = setTimeout(() => {
attemptTokenRefresh()
}, delay)
if (typeof document !== 'undefined' && !visibilityHandler) {
visibilityHandler = () => {
if (document.visibilityState === 'visible') {
checkAndRefreshToken()
}
}
document.addEventListener('visibilitychange', visibilityHandler)
}
}
/**
* Cancel any pending token refresh timer and remove the visibility listener.
*/
export function cancelTokenRefresh(): void {
if (refreshTimerId !== null) {
clearTimeout(refreshTimerId)
refreshTimerId = null
}
if (visibilityHandler !== null && typeof document !== 'undefined') {
document.removeEventListener('visibilitychange', visibilityHandler)
visibilityHandler = null
}
}
/**
* Check if the current token is close to expiry and refresh if needed.
* Called on visibility change to handle clock skew / long background tabs.
*/
function checkAndRefreshToken(): void {
const token = getToken()
if (!token) return
const payload = decodeJwtPayload<JwtPayload>(token)
if (!payload?.exp) return
const now = Math.floor(Date.now() / 1000)
const remaining = payload.exp - now
if (remaining <= 0) {
attemptTokenRefresh()
return
}
const delay = getRefreshDelay(payload.exp)
if (delay !== null && delay < 60_000) {
attemptTokenRefresh()
}
}
/**
* Attempt to refresh the token. On success, the new token is persisted via
* login() which also reschedules the next refresh. On failure, invoke the
* session-expired callback.
*/
async function attemptTokenRefresh(): Promise<void> {
try {
await refreshToken()
} catch {
cancelTokenRefresh()
if (sessionExpiredCallback) {
sessionExpiredCallback()
}
}
}

75
admin/src/lib/swr-fetcher.ts Normal file
View File

@@ -0,0 +1,75 @@
// ============================================================
// SWR fetcher — 将 SWR key 映射到 api-client 调用
// ============================================================
import { api } from './api-client'
import { ApiRequestError } from './api-client'
type ApiMethod = typeof api
/** SWR fetcher: key 可以是字符串或 [method-path, params] 元组 */
type SwrKey =
| string
| [string, ...unknown[]]
/** SWR fetcher 支持 AbortSignal 传递 */
type SwrFetcherArgs = { signal?: AbortSignal } | null
async function resolveApiCall(key: SwrKey, args: SwrFetcherArgs): Promise<unknown> {
if (typeof key === 'string') {
// 简单字符串 key直接 fetch
return fetchGeneric(key, args?.signal)
}
const [path, ...rest] = key
return callByPath(path, rest, args?.signal)
}
async function fetchGeneric(path: string, signal?: AbortSignal): Promise<unknown> {
const res = await fetch(path, {
headers: {
'Content-Type': 'application/json',
},
signal,
})
if (!res.ok) {
const body = await res.json().catch(() => ({ error: 'unknown', message: `请求失败 (${res.status})` }))
throw new ApiRequestError(res.status, body)
}
if (res.status === 204) return null
return res.json()
}
/** 根据 path 调用对应的 api 方法 */
// eslint-disable-next-line @typescript-eslint/no-explicit-any
async function callByPath(path: string, callArgs: unknown[], signal?: AbortSignal): Promise<unknown> {
const parts = path.split('.')
// eslint-disable-next-line @typescript-eslint/no-explicit-any
let target: any = api
for (const part of parts) {
target = target[part]
if (!target) throw new Error(`API method not found: ${path}`)
}
// Append signal as last argument if the target is the request function
// For api.xxx() calls that ultimately use request(), we pass signal through
// The simplest approach: pass signal as part of an options bag
return target(...callArgs, signal ? { signal } : undefined)
}
/**
* SWR fetcher — 接受 SWR 自动传入的 AbortSignal
*
* 用法: useSWR(key, swrFetcher)
* SWR 会自动在组件卸载或 key 变化时 abort 请求
*/
export function swrFetcher<T = unknown>(key: SwrKey, args: SwrFetcherArgs): Promise<T> {
return resolveApiCall(key, args) as Promise<T>
}
/** 创建 SWR key helper — 类型安全 */
export function createKey<TMethod extends string>(
method: TMethod,
...args: unknown[]
): [TMethod, ...unknown[]] {
return [method, ...args]
}

38
admin/src/lib/swr-provider.tsx Normal file
View File

@@ -0,0 +1,38 @@
'use client'
import { SWRConfig } from 'swr'
import type { ReactNode } from 'react'
/** 判断是否为请求被中断(页面导航等场景) */
function isAbortError(err: unknown): boolean {
if (err instanceof DOMException && err.name === 'AbortError') return true
if (err instanceof Error && err.message?.includes('aborted')) return true
return false
}
export function SWRProvider({ children }: { children: ReactNode }) {
return (
<SWRConfig
value={{
revalidateOnFocus: false,
dedupingInterval: 5000,
errorRetryCount: 2,
errorRetryInterval: 3000,
shouldRetryOnError: (err: unknown) => {
if (isAbortError(err)) return false
if (err && typeof err === 'object' && 'status' in err) {
const status = (err as { status: number }).status
return status !== 401 && status !== 403
}
return true
},
onError: (err: unknown) => {
// 中断错误静默忽略,不展示给用户
if (isAbortError(err)) return
},
}}
>
{children}
</SWRConfig>
)
}

196
admin/src/lib/types.ts
View File

@@ -9,9 +9,9 @@ export interface AccountPublic {
email: string
display_name: string
role: 'super_admin' | 'admin' | 'user'
permissions: string[]
status: 'active' | 'disabled' | 'suspended'
totp_enabled: boolean
last_login_at: string | null
created_at: string
}
@@ -25,6 +25,7 @@ export interface LoginRequest {
/** 登录响应 */
export interface LoginResponse {
token: string
refresh_token: string
account: AccountPublic
}
@@ -49,11 +50,12 @@ export interface Provider {
id: string
name: string
display_name: string
api_key?: string
base_url: string
api_protocol: 'openai' | 'anthropic'
api_protocol: string
enabled: boolean
rate_limit_rpm?: number
rate_limit_tpm?: number
rate_limit_rpm: number | null
rate_limit_tpm: number | null
created_at: string
updated_at: string
}
@@ -98,40 +100,31 @@ export interface RelayTask {
account_id: string
provider_id: string
model_id: string
status: 'queued' | 'processing' | 'completed' | 'failed'
status: string
priority: number
attempt_count: number
max_attempts: number
input_tokens: number
output_tokens: number
error_message?: string
queued_at?: string
started_at?: string
completed_at?: string
error_message: string | null
queued_at: string
started_at: string | null
completed_at: string | null
created_at: string
}
/** 用量统计 — 后端返回的完整结构 */
export interface UsageStats {
total_requests: number
total_input_tokens: number
total_output_tokens: number
by_model: UsageByModel[]
by_day: DailyUsage[]
}
/** 每日用量 */
export interface DailyUsage {
date: string
request_count: number
/** 用量记录 */
export interface UsageRecord {
day: string
count: number
input_tokens: number
output_tokens: number
}
/** 按模型用量 */
export interface UsageByModel {
provider_id: string
model_id: string
request_count: number
count: number
input_tokens: number
output_tokens: number
}
@@ -141,11 +134,11 @@ export interface ConfigItem {
id: string
category: string
key_path: string
value_type: 'string' | 'number' | 'boolean'
current_value?: string
default_value?: string
source: 'default' | 'env' | 'db'
description?: string
value_type: string
current_value: string | null
default_value: string | null
source: string
description: string | null
requires_restart: boolean
created_at: string
updated_at: string
@@ -154,12 +147,12 @@ export interface ConfigItem {
/** 操作日志 */
export interface OperationLog {
id: number
account_id: string
account_id: string | null
action: string
target_type: string
target_id: string
details?: Record<string, unknown>
ip_address?: string
target_type: string | null
target_id: string | null
details: Record<string, unknown> | null
ip_address: string | null
created_at: string
}
@@ -174,20 +167,133 @@ export interface DashboardStats {
tokens_today_output: number
}
/** 设备信息 */
export interface DeviceInfo {
id: string
device_id: string
device_name?: string
platform?: string
app_version?: string
last_seen_at: string
created_at: string
}
/** API 错误响应 */
export interface ApiError {
error: string
message: string
status?: number
}
// ── 提示词模板 ────────────────────────────────────────────
/** 提示词模板 */
export interface PromptTemplate {
id: string
name: string
category: string
description?: string
source: 'builtin' | 'custom'
current_version: number
status: 'active' | 'deprecated' | 'archived'
created_at: string
updated_at: string
}
/** 提示词版本 */
export interface PromptVersion {
id: string
template_id: string
version: number
system_prompt: string
user_prompt_template?: string
variables: PromptVariable[]
changelog?: string
min_app_version?: string
created_at: string
}
/** 提示词变量定义 */
export interface PromptVariable {
name: string
type: 'string' | 'number' | 'select' | 'boolean'
default_value?: string
description?: string
required?: boolean
}
/** OTA 更新检查请求 */
export interface PromptCheckRequest {
device_id: string
versions: Record<string, number>
}
/** OTA 更新响应 */
export interface PromptCheckResponse {
updates: PromptUpdatePayload[]
server_time: string
}
/** 单个更新载荷 */
export interface PromptUpdatePayload {
name: string
version: number
system_prompt: string
user_prompt_template?: string
variables: PromptVariable[]
source: string
min_app_version?: string
changelog?: string
}
// ── Agent 配置模板 ────────────────────────────────────────
/** Agent 模板 */
export interface AgentTemplate {
id: string
name: string
description?: string
category: string
source: 'builtin' | 'custom'
model?: string
system_prompt?: string
tools: string[]
capabilities: string[]
temperature?: number
max_tokens?: number
visibility: 'public' | 'team' | 'private'
status: 'active' | 'archived'
current_version: number
created_at: string
updated_at: string
}
// ── Provider Key Pool ─────────────────────────────────────
/** Provider Key */
export interface ProviderKey {
id: string
provider_id: string
key_label: string
priority: number
max_rpm?: number
max_tpm?: number
quota_reset_interval?: string
is_active: boolean
last_429_at?: string
cooldown_until?: string
total_requests: number
total_tokens: number
created_at: string
updated_at: string
}
// ── 遥测统计 ────────────────────────────────────────────
/** 按模型聚合的用量统计 */
export interface ModelUsageStat {
model_id: string
request_count: number
input_tokens: number
output_tokens: number
avg_latency_ms: number | null
success_rate: number
}
/** 按天的用量统计 */
export interface DailyUsageStat {
day: string
request_count: number
input_tokens: number
output_tokens: number
unique_devices: number
}

11
admin/src/lib/utils.ts
View File

@@ -32,3 +32,14 @@ export function maskApiKey(key?: string): string {
export function sleep(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
/** 从 SWR error 中提取用户可见消息,过滤 abort 错误 */
export function getSwrErrorMessage(err: unknown): string | undefined {
if (!err) return undefined
if (err instanceof DOMException && err.name === 'AbortError') return undefined
if (err instanceof Error) {
if (err.name === 'AbortError' || err.message?.includes('aborted')) return undefined
return err.message
}
return String(err)
}

33
config/saas-development.toml Normal file
View File

@@ -0,0 +1,33 @@
# ZCLAW SaaS 开发环境配置
# 通过 ZCLAW_ENV=development 或默认使用此配置
[server]
host = "0.0.0.0"
port = 8080
cors_origins = [] # 空 = 开发模式允许所有来源
[database]
url = "postgres://postgres:123123@localhost:5432/zclaw"
[auth]
jwt_expiration_hours = 24
totp_issuer = "ZCLAW SaaS (dev)"
refresh_token_hours = 168
[relay]
max_queue_size = 1000
max_concurrent_per_provider = 5
batch_window_ms = 50
retry_delay_ms = 1000
max_attempts = 3
[rate_limit]
requests_per_minute = 120
burst = 20
[scheduler]
jobs = [
{ name = "cleanup_rate_limit", interval = "5m", task = "cleanup_rate_limit", run_on_start = false },
{ name = "cleanup_refresh_tokens", interval = "1h", task = "cleanup_refresh_tokens", run_on_start = false },
{ name = "cleanup_devices", interval = "24h", task = "cleanup_devices", run_on_start = false },
]

35
config/saas-production.toml Normal file
View File

@@ -0,0 +1,35 @@
# ZCLAW SaaS 生产环境配置
# 通过 ZCLAW_ENV=production 使用此配置
[server]
host = "0.0.0.0"
port = 8080
# 生产环境必须配置 CORS 白名单
cors_origins = ["https://admin.zclaw.ai", "https://zclaw.ai"]
[database]
# 生产环境通过 ZCLAW_DATABASE_URL 环境变量覆盖,此处为占位
url = "postgres://zclaw:CHANGE_ME@db:5432/zclaw"
[auth]
jwt_expiration_hours = 12
totp_issuer = "ZCLAW SaaS"
refresh_token_hours = 168
[relay]
max_queue_size = 5000
max_concurrent_per_provider = 10
batch_window_ms = 50
retry_delay_ms = 2000
max_attempts = 3
[rate_limit]
requests_per_minute = 60
burst = 10
[scheduler]
jobs = [
{ name = "cleanup_rate_limit", interval = "5m", task = "cleanup_rate_limit", run_on_start = false },
{ name = "cleanup_refresh_tokens", interval = "1h", task = "cleanup_refresh_tokens", run_on_start = false },
{ name = "cleanup_devices", interval = "24h", task = "cleanup_devices", run_on_start = true },
]

31
config/saas-test.toml Normal file
View File

@@ -0,0 +1,31 @@
# ZCLAW SaaS 测试环境配置
# 通过 ZCLAW_ENV=test 使用此配置
[server]
host = "127.0.0.1"
port = 8090
cors_origins = []
[database]
# 测试环境使用独立数据库
url = "postgres://postgres:123123@localhost:5432/zclaw_test"
[auth]
jwt_expiration_hours = 1
totp_issuer = "ZCLAW SaaS (test)"
refresh_token_hours = 24
[relay]
max_queue_size = 100
max_concurrent_per_provider = 2
batch_window_ms = 10
retry_delay_ms = 100
max_attempts = 2
[rate_limit]
requests_per_minute = 200
burst = 50
[scheduler]
# 测试环境不启动定时任务
jobs = []

103
crates/zclaw-growth/src/storage/sqlite.rs
View File

@@ -289,6 +289,44 @@ impl sqlx::FromRow<'_, SqliteRow> for MemoryRow {
}
}
/// Private helper methods on SqliteStorage (NOT in impl VikingStorage block)
impl SqliteStorage {
/// Fetch memories by scope with importance-based ordering.
/// Used internally by find() for scope-based queries.
pub(crate) async fn fetch_by_scope_priv(&self, scope: Option<&str>, limit: usize) -> Result<Vec<MemoryRow>> {
let rows = if let Some(scope) = scope {
sqlx::query_as::<_, MemoryRow>(
r#"
SELECT uri, memory_type, content, keywords, importance, access_count, created_at, last_accessed, overview, abstract_summary
FROM memories
WHERE uri LIKE ?
ORDER BY importance DESC, access_count DESC
LIMIT ?
"#
)
.bind(format!("{}%", scope))
.bind(limit as i64)
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to fetch by scope: {}", e)))?
} else {
sqlx::query_as::<_, MemoryRow>(
r#"
SELECT uri, memory_type, content, keywords, importance, access_count, created_at, last_accessed, overview, abstract_summary
FROM memories
ORDER BY importance DESC
LIMIT ?
"#
)
.bind(limit as i64)
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to fetch by scope: {}", e)))?
};
Ok(rows)
}
}
#[async_trait]
impl VikingStorage for SqliteStorage {
async fn store(&self, entry: &MemoryEntry) -> Result<()> {
@@ -374,22 +412,61 @@ impl VikingStorage for SqliteStorage {
}
async fn find(&self, query: &str, options: FindOptions) -> Result<Vec<MemoryEntry>> {
// Get all matching entries
let rows = if let Some(ref scope) = options.scope {
let limit = options.limit.unwrap_or(50).max(20); // Fetch more candidates for reranking
// Strategy: use FTS5 for initial filtering when query is non-empty,
// then score candidates with TF-IDF / embedding for precise ranking.
// Fallback to scope-only scan when query is empty (e.g., "list all").
let rows = if !query.is_empty() {
// FTS5-powered candidate retrieval (fast, index-based)
let fts_candidates = if let Some(ref scope) = options.scope {
sqlx::query_as::<_, MemoryRow>(
"SELECT uri, memory_type, content, keywords, importance, access_count, created_at, last_accessed, overview, abstract_summary FROM memories WHERE uri LIKE ?"
r#"
SELECT m.uri, m.memory_type, m.content, m.keywords, m.importance,
m.access_count, m.created_at, m.last_accessed, m.overview, m.abstract_summary
FROM memories m
INNER JOIN memories_fts f ON m.uri = f.uri
WHERE f.memories_fts MATCH ?
AND m.uri LIKE ?
ORDER BY f.rank
LIMIT ?
"#
)
.bind(query)
.bind(format!("{}%", scope))
.bind(limit as i64)
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to find memories: {}", e)))?
} else {
sqlx::query_as::<_, MemoryRow>(
"SELECT uri, memory_type, content, keywords, importance, access_count, created_at, last_accessed, overview, abstract_summary FROM memories"
r#"
SELECT m.uri, m.memory_type, m.content, m.keywords, m.importance,
m.access_count, m.created_at, m.last_accessed, m.overview, m.abstract_summary
FROM memories m
INNER JOIN memories_fts f ON m.uri = f.uri
WHERE f.memories_fts MATCH ?
ORDER BY f.rank
LIMIT ?
"#
)
.bind(query)
.bind(limit as i64)
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to find memories: {}", e)))?
};
match fts_candidates {
Ok(rows) if !rows.is_empty() => rows,
Ok(_) | Err(_) => {
// FTS5 returned nothing or query syntax was invalid —
// fallback to scope-based scan (no full table scan unless no scope)
tracing::debug!("[SqliteStorage] FTS5 returned no results, falling back to scope scan");
self.fetch_by_scope_priv(options.scope.as_deref(), limit).await?
}
}
} else {
// Empty query: scope-based scan only (no FTS5 needed)
self.fetch_by_scope_priv(options.scope.as_deref(), limit).await?
};
// Convert to entries and compute semantic scores
@@ -464,16 +541,8 @@ impl VikingStorage for SqliteStorage {
}
async fn find_by_prefix(&self, prefix: &str) -> Result<Vec<MemoryEntry>> {
let rows = sqlx::query_as::<_, MemoryRow>(
"SELECT uri, memory_type, content, keywords, importance, access_count, created_at, last_accessed, overview, abstract_summary FROM memories WHERE uri LIKE ?"
)
.bind(format!("{}%", prefix))
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to find by prefix: {}", e)))?;
let rows = self.fetch_by_scope_priv(Some(prefix), 100).await?;
let entries = rows.iter().map(|row| self.row_to_entry(row)).collect();
Ok(entries)
}
@@ -484,13 +553,13 @@ impl VikingStorage for SqliteStorage {
.await
.map_err(|e| ZclawError::StorageError(format!("Failed to delete memory: {}", e)))?;
// Remove from FTS
// Remove from FTS index
let _ = sqlx::query("DELETE FROM memories_fts WHERE uri = ?")
.bind(uri)
.execute(&self.pool)
.await;
// Remove from scorer
// Remove from in-memory scorer
let mut scorer = self.scorer.write().await;
scorer.remove_entry(uri);

22
crates/zclaw-kernel/src/config.rs
View File

@@ -54,6 +54,11 @@ pub struct LlmConfig {
/// Temperature
#[serde(default = "default_temperature")]
pub temperature: f32,
/// Context window size in tokens (default: 128000)
/// Used to calculate dynamic compaction threshold.
#[serde(default = "default_context_window")]
pub context_window: u32,
}
impl LlmConfig {
@@ -66,6 +71,7 @@ impl LlmConfig {
api_protocol: ApiProtocol::OpenAI,
max_tokens: default_max_tokens(),
temperature: default_temperature(),
context_window: default_context_window(),
}
}
@@ -140,6 +146,10 @@ fn default_temperature() -> f32 {
0.7
}
fn default_context_window() -> u32 {
128000
}
impl Default for KernelConfig {
fn default() -> Self {
Self {
@@ -151,6 +161,7 @@ impl Default for KernelConfig {
api_protocol: ApiProtocol::OpenAI,
max_tokens: default_max_tokens(),
temperature: default_temperature(),
context_window: default_context_window(),
},
skills_dir: default_skills_dir(),
}
@@ -345,6 +356,17 @@ impl KernelConfig {
pub fn temperature(&self) -> f32 {
self.llm.temperature
}
/// Get context window size in tokens
pub fn context_window(&self) -> u32 {
self.llm.context_window
}
/// Dynamic compaction threshold = context_window * 0.6
/// Leaves 40% headroom for system prompt + response tokens
pub fn compaction_threshold(&self) -> usize {
(self.llm.context_window as f64 * 0.6) as usize
}
}
// === Preset configurations for common providers ===

580
crates/zclaw-kernel/src/kernel.rs
View File

@@ -3,7 +3,9 @@
use std::pin::Pin;
use std::sync::Arc;
use tokio::sync::{broadcast, mpsc, Mutex};
use zclaw_types::{AgentConfig, AgentId, AgentInfo, Event, Result};
use zclaw_types::{AgentConfig, AgentId, AgentInfo, Capability, Event, Result, HandRun, HandRunId, HandRunStatus, HandRunFilter, TriggerSource};
#[cfg(feature = "multi-agent")]
use zclaw_protocols::{A2aRouter, A2aAgentProfile, A2aCapability, A2aEnvelope, A2aMessageType, A2aRecipient};
use async_trait::async_trait;
use serde_json::Value;
@@ -12,7 +14,7 @@ use crate::capabilities::CapabilityManager;
use crate::events::EventBus;
use crate::config::KernelConfig;
use zclaw_memory::MemoryStore;
use zclaw_runtime::{AgentLoop, LlmDriver, ToolRegistry, tool::SkillExecutor};
use zclaw_runtime::{AgentLoop, LlmDriver, ToolRegistry, tool::SkillExecutor, tool::builtin::PathValidator};
use zclaw_skills::SkillRegistry;
use zclaw_skills::LlmCompleter;
use zclaw_hands::{HandRegistry, HandContext, HandResult, hands::{BrowserHand, SlideshowHand, SpeechHand, QuizHand, WhiteboardHand, ResearcherHand, CollectorHand, ClipHand, TwitterHand, quiz::LlmQuizGenerator}};
@@ -20,6 +22,8 @@ use zclaw_hands::{HandRegistry, HandContext, HandResult, hands::{BrowserHand, Sl
/// Adapter that bridges `zclaw_runtime::LlmDriver` → `zclaw_skills::LlmCompleter`
struct LlmDriverAdapter {
driver: Arc<dyn LlmDriver>,
max_tokens: u32,
temperature: f32,
}
impl zclaw_skills::LlmCompleter for LlmDriverAdapter {
@@ -32,8 +36,8 @@ impl zclaw_skills::LlmCompleter for LlmDriverAdapter {
Box::pin(async move {
let request = zclaw_runtime::CompletionRequest {
messages: vec![zclaw_types::Message::user(prompt)],
max_tokens: Some(4096),
temperature: Some(0.7),
max_tokens: Some(self.max_tokens),
temperature: Some(self.temperature),
..Default::default()
};
let response = driver.complete(request).await
@@ -59,7 +63,7 @@ pub struct KernelSkillExecutor {
impl KernelSkillExecutor {
pub fn new(skills: Arc<SkillRegistry>, driver: Arc<dyn LlmDriver>) -> Self {
let llm: Arc<dyn zclaw_skills::LlmCompleter> = Arc::new(LlmDriverAdapter { driver });
let llm: Arc<dyn zclaw_skills::LlmCompleter> = Arc::new(LlmDriverAdapter { driver, max_tokens: 4096, temperature: 0.7 });
Self { skills, llm }
}
}
@@ -98,6 +102,14 @@ pub struct Kernel {
hands: Arc<HandRegistry>,
trigger_manager: crate::trigger_manager::TriggerManager,
pending_approvals: Arc<Mutex<Vec<ApprovalEntry>>>,
/// Running hand runs that can be cancelled (run_id -> cancelled flag)
running_hand_runs: Arc<dashmap::DashMap<HandRunId, Arc<std::sync::atomic::AtomicBool>>>,
/// A2A router for inter-agent messaging (gated by multi-agent feature)
#[cfg(feature = "multi-agent")]
a2a_router: Arc<A2aRouter>,
/// Per-agent A2A inbox receivers
#[cfg(feature = "multi-agent")]
a2a_inboxes: Arc<dashmap::DashMap<AgentId, Arc<Mutex<mpsc::Receiver<A2aEnvelope>>>>>,
}
impl Kernel {
@@ -143,7 +155,11 @@ impl Kernel {
// Create LLM completer for skill system (shared with skill_executor)
let llm_completer: Arc<dyn zclaw_skills::LlmCompleter> =
Arc::new(LlmDriverAdapter { driver: driver.clone() });
Arc::new(LlmDriverAdapter {
driver: driver.clone(),
max_tokens: config.max_tokens(),
temperature: config.temperature(),
});
// Initialize trigger manager
let trigger_manager = crate::trigger_manager::TriggerManager::new(hands.clone());
@@ -154,6 +170,13 @@ impl Kernel {
registry.register(agent);
}
// Initialize A2A router for multi-agent support
#[cfg(feature = "multi-agent")]
let a2a_router = {
let kernel_agent_id = AgentId::new();
Arc::new(A2aRouter::new(kernel_agent_id))
};
Ok(Self {
config,
registry,
@@ -167,6 +190,11 @@ impl Kernel {
hands,
trigger_manager,
pending_approvals: Arc::new(Mutex::new(Vec::new())),
running_hand_runs: Arc::new(dashmap::DashMap::new()),
#[cfg(feature = "multi-agent")]
a2a_router,
#[cfg(feature = "multi-agent")]
a2a_inboxes: Arc::new(dashmap::DashMap::new()),
})
}
@@ -294,8 +322,17 @@ impl Kernel {
self.memory.save_agent(&config).await?;
// Register in registry
let config_clone = config.clone();
self.registry.register(config);
// Register with A2A router for multi-agent messaging
#[cfg(feature = "multi-agent")]
{
let profile = Self::agent_config_to_a2a_profile(&config_clone);
let rx = self.a2a_router.register_agent(profile).await;
self.a2a_inboxes.insert(id, Arc::new(Mutex::new(rx)));
}
// Emit event
self.events.publish(Event::AgentSpawned {
agent_id: id,
@@ -313,6 +350,13 @@ impl Kernel {
// Remove from memory
self.memory.delete_agent(id).await?;
// Unregister from A2A router
#[cfg(feature = "multi-agent")]
{
self.a2a_router.unregister_agent(id).await;
self.a2a_inboxes.remove(id);
}
// Emit event
self.events.publish(Event::AgentTerminated {
agent_id: *id,
@@ -346,7 +390,7 @@ impl Kernel {
// Create agent loop with model configuration
let tools = self.create_tool_registry();
let loop_runner = AgentLoop::new(
let mut loop_runner = AgentLoop::new(
*agent_id,
self.driver.clone(),
tools,
@@ -356,7 +400,22 @@ impl Kernel {
.with_skill_executor(self.skill_executor.clone())
.with_max_tokens(agent_config.max_tokens.unwrap_or_else(|| self.config.max_tokens()))
.with_temperature(agent_config.temperature.unwrap_or_else(|| self.config.temperature()))
.with_compaction_threshold(15_000); // Compact when context exceeds ~15k tokens
.with_compaction_threshold(
agent_config.compaction_threshold
.map(|t| t as usize)
.unwrap_or_else(|| self.config.compaction_threshold()),
);
// Set path validator from agent's workspace directory (if configured)
if let Some(ref workspace) = agent_config.workspace {
let path_validator = PathValidator::new().with_workspace(workspace.clone());
tracing::info!(
"[Kernel] Setting path_validator with workspace: {} for agent {}",
workspace.display(),
agent_id
);
loop_runner = loop_runner.with_path_validator(path_validator);
}
// Build system prompt with skill information injected
let system_prompt = self.build_system_prompt_with_skills(agent_config.system_prompt.as_ref()).await;
@@ -378,21 +437,35 @@ impl Kernel {
agent_id: &AgentId,
message: String,
) -> Result<mpsc::Receiver<zclaw_runtime::LoopEvent>> {
self.send_message_stream_with_prompt(agent_id, message, None).await
self.send_message_stream_with_prompt(agent_id, message, None, None).await
}
/// Send a message with streaming and optional external system prompt
/// Send a message with streaming, optional system prompt, and optional session reuse
pub async fn send_message_stream_with_prompt(
&self,
agent_id: &AgentId,
message: String,
system_prompt_override: Option<String>,
session_id_override: Option<zclaw_types::SessionId>,
) -> Result<mpsc::Receiver<zclaw_runtime::LoopEvent>> {
let agent_config = self.registry.get(agent_id)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(format!("Agent not found: {}", agent_id)))?;
// Create session
let session_id = self.memory.create_session(agent_id).await?;
// Reuse existing session or create new one
let session_id = match session_id_override {
Some(id) => {
// Verify the session exists; if not, create a new one
let existing = self.memory.get_messages(&id).await;
match existing {
Ok(msgs) if !msgs.is_empty() => id,
_ => {
tracing::debug!("Session {} not found or empty, creating new session", id);
self.memory.create_session(agent_id).await?
}
}
}
None => self.memory.create_session(agent_id).await?,
};
// Always use Kernel's current model configuration
// This ensures user's "模型与 API" settings are respected
@@ -400,7 +473,7 @@ impl Kernel {
// Create agent loop with model configuration
let tools = self.create_tool_registry();
let loop_runner = AgentLoop::new(
let mut loop_runner = AgentLoop::new(
*agent_id,
self.driver.clone(),
tools,
@@ -410,7 +483,23 @@ impl Kernel {
.with_skill_executor(self.skill_executor.clone())
.with_max_tokens(agent_config.max_tokens.unwrap_or_else(|| self.config.max_tokens()))
.with_temperature(agent_config.temperature.unwrap_or_else(|| self.config.temperature()))
.with_compaction_threshold(15_000); // Compact when context exceeds ~15k tokens
.with_compaction_threshold(
agent_config.compaction_threshold
.map(|t| t as usize)
.unwrap_or_else(|| self.config.compaction_threshold()),
);
// Set path validator from agent's workspace directory (if configured)
// This enables file_read / file_write tools to access the workspace
if let Some(ref workspace) = agent_config.workspace {
let path_validator = PathValidator::new().with_workspace(workspace.clone());
tracing::info!(
"[Kernel] Setting path_validator with workspace: {} for agent {}",
workspace.display(),
agent_id
);
loop_runner = loop_runner.with_path_validator(path_validator);
}
// Use external prompt if provided, otherwise build default
let system_prompt = match system_prompt_override {
@@ -489,15 +578,194 @@ impl Kernel {
self.hands.list().await
}
/// Execute a hand with the given input
/// Execute a hand with the given input, tracking the run
pub async fn execute_hand(
&self,
hand_id: &str,
input: serde_json::Value,
) -> Result<HandResult> {
// Use default context (agent_id will be generated)
) -> Result<(HandResult, HandRunId)> {
let run_id = HandRunId::new();
let now = chrono::Utc::now().to_rfc3339();
// Create the initial HandRun record
let mut run = HandRun {
id: run_id,
hand_name: hand_id.to_string(),
trigger_source: TriggerSource::Manual,
params: input.clone(),
status: HandRunStatus::Pending,
result: None,
error: None,
duration_ms: None,
created_at: now.clone(),
started_at: None,
completed_at: None,
};
self.memory.save_hand_run(&run).await?;
// Transition to Running
run.status = HandRunStatus::Running;
run.started_at = Some(chrono::Utc::now().to_rfc3339());
self.memory.update_hand_run(&run).await?;
// Register cancellation flag
let cancel_flag = Arc::new(std::sync::atomic::AtomicBool::new(false));
self.running_hand_runs.insert(run_id, cancel_flag.clone());
// Execute the hand
let context = HandContext::default();
self.hands.execute(hand_id, &context, input).await
let start = std::time::Instant::now();
let hand_result = self.hands.execute(hand_id, &context, input).await;
let duration = start.elapsed();
// Check if cancelled during execution
if cancel_flag.load(std::sync::atomic::Ordering::Relaxed) {
let mut run_update = run.clone();
run_update.status = HandRunStatus::Cancelled;
run_update.completed_at = Some(chrono::Utc::now().to_rfc3339());
run_update.duration_ms = Some(duration.as_millis() as u64);
self.memory.update_hand_run(&run_update).await?;
self.running_hand_runs.remove(&run_id);
return Err(zclaw_types::ZclawError::Internal("Hand execution cancelled".to_string()));
}
// Remove from running map
self.running_hand_runs.remove(&run_id);
// Update HandRun with result
let completed_at = chrono::Utc::now().to_rfc3339();
match &hand_result {
Ok(res) => {
run.status = HandRunStatus::Completed;
run.result = Some(res.output.clone());
run.error = res.error.clone();
}
Err(e) => {
run.status = HandRunStatus::Failed;
run.error = Some(e.to_string());
}
}
run.duration_ms = Some(duration.as_millis() as u64);
run.completed_at = Some(completed_at);
self.memory.update_hand_run(&run).await?;
hand_result.map(|res| (res, run_id))
}
/// Execute a hand with a specific trigger source (for scheduled/event triggers)
pub async fn execute_hand_with_source(
&self,
hand_id: &str,
input: serde_json::Value,
trigger_source: TriggerSource,
) -> Result<(HandResult, HandRunId)> {
let run_id = HandRunId::new();
let now = chrono::Utc::now().to_rfc3339();
let mut run = HandRun {
id: run_id,
hand_name: hand_id.to_string(),
trigger_source,
params: input.clone(),
status: HandRunStatus::Pending,
result: None,
error: None,
duration_ms: None,
created_at: now,
started_at: None,
completed_at: None,
};
self.memory.save_hand_run(&run).await?;
run.status = HandRunStatus::Running;
run.started_at = Some(chrono::Utc::now().to_rfc3339());
self.memory.update_hand_run(&run).await?;
let cancel_flag = Arc::new(std::sync::atomic::AtomicBool::new(false));
self.running_hand_runs.insert(run_id, cancel_flag.clone());
let context = HandContext::default();
let start = std::time::Instant::now();
let hand_result = self.hands.execute(hand_id, &context, input).await;
let duration = start.elapsed();
// Check if cancelled during execution
if cancel_flag.load(std::sync::atomic::Ordering::Relaxed) {
run.status = HandRunStatus::Cancelled;
run.completed_at = Some(chrono::Utc::now().to_rfc3339());
run.duration_ms = Some(duration.as_millis() as u64);
self.memory.update_hand_run(&run).await?;
self.running_hand_runs.remove(&run_id);
return Err(zclaw_types::ZclawError::Internal("Hand execution cancelled".to_string()));
}
self.running_hand_runs.remove(&run_id);
let completed_at = chrono::Utc::now().to_rfc3339();
match &hand_result {
Ok(res) => {
run.status = HandRunStatus::Completed;
run.result = Some(res.output.clone());
run.error = res.error.clone();
}
Err(e) => {
run.status = HandRunStatus::Failed;
run.error = Some(e.to_string());
}
}
run.duration_ms = Some(duration.as_millis() as u64);
run.completed_at = Some(completed_at);
self.memory.update_hand_run(&run).await?;
hand_result.map(|res| (res, run_id))
}
// ============================================================
// Hand Run Tracking
// ============================================================
/// Get a hand run by ID
pub async fn get_hand_run(&self, id: &HandRunId) -> Result<Option<HandRun>> {
self.memory.get_hand_run(id).await
}
/// List hand runs with filter
pub async fn list_hand_runs(&self, filter: &HandRunFilter) -> Result<Vec<HandRun>> {
self.memory.list_hand_runs(filter).await
}
/// Count hand runs matching filter
pub async fn count_hand_runs(&self, filter: &HandRunFilter) -> Result<u32> {
self.memory.count_hand_runs(filter).await
}
/// Cancel a running hand execution
pub async fn cancel_hand_run(&self, id: &HandRunId) -> Result<()> {
if let Some((_, flag)) = self.running_hand_runs.remove(id) {
flag.store(true, std::sync::atomic::Ordering::Relaxed);
// Note: the actual status update happens in execute_hand_with_source
// when it detects the cancel flag
Ok(())
} else {
// Not currently running — check if exists at all
let run = self.memory.get_hand_run(id).await?;
match run {
Some(r) if r.status == HandRunStatus::Pending => {
let mut updated = r;
updated.status = HandRunStatus::Cancelled;
updated.completed_at = Some(chrono::Utc::now().to_rfc3339());
self.memory.update_hand_run(&updated).await?;
Ok(())
}
Some(r) => Err(zclaw_types::ZclawError::InvalidInput(
format!("Cannot cancel hand run {} with status {}", id, r.status)
)),
None => Err(zclaw_types::ZclawError::NotFound(
format!("Hand run {} not found", id)
)),
}
}
}
// ============================================================
@@ -555,6 +823,14 @@ impl Kernel {
approvals.iter().filter(|a| a.status == "pending").cloned().collect()
}
/// Get a single approval by ID (any status, not just pending)
///
/// Returns None if no approval with the given ID exists.
pub async fn get_approval(&self, id: &str) -> Option<ApprovalEntry> {
let approvals = self.pending_approvals.lock().await;
approvals.iter().find(|a| a.id == id).cloned()
}
/// Create a pending approval (called when a needs_approval hand is triggered)
pub async fn create_approval(&self, hand_id: String, input: serde_json::Value) -> ApprovalEntry {
let entry = ApprovalEntry {
@@ -563,6 +839,7 @@ impl Kernel {
status: "pending".to_string(),
created_at: chrono::Utc::now(),
input,
reject_reason: None,
};
let mut approvals = self.pending_approvals.lock().await;
approvals.push(entry.clone());
@@ -574,13 +851,16 @@ impl Kernel {
&self,
id: &str,
approved: bool,
_reason: Option<String>,
reason: Option<String>,
) -> Result<()> {
let mut approvals = self.pending_approvals.lock().await;
let entry = approvals.iter_mut().find(|a| a.id == id && a.status == "pending")
.ok_or_else(|| zclaw_types::ZclawError::NotFound(format!("Approval not found: {}", id)))?;
entry.status = if approved { "approved".to_string() } else { "rejected".to_string() };
if let Some(r) = reason {
entry.reject_reason = Some(r);
}
if approved {
let hand_id = entry.hand_id.clone();
@@ -623,9 +903,268 @@ impl Kernel {
entry.status = "cancelled".to_string();
Ok(())
}
// ============================================================
// A2A (Agent-to-Agent) Messaging
// ============================================================
/// Derive an A2A agent profile from an AgentConfig
#[cfg(feature = "multi-agent")]
fn agent_config_to_a2a_profile(config: &AgentConfig) -> A2aAgentProfile {
let caps: Vec<A2aCapability> = config.tools.iter().map(|tool_name| {
A2aCapability {
name: tool_name.clone(),
description: format!("Tool: {}", tool_name),
input_schema: None,
output_schema: None,
requires_approval: false,
version: "1.0.0".to_string(),
tags: vec![],
}
}).collect();
A2aAgentProfile {
id: config.id,
name: config.name.clone(),
description: config.description.clone().unwrap_or_default(),
capabilities: caps,
protocols: vec!["a2a".to_string()],
role: "worker".to_string(),
priority: 5,
metadata: std::collections::HashMap::new(),
groups: vec![],
last_seen: 0,
}
}
/// Approval entry for pending approvals
/// Check if an agent is authorized to send messages to a target
#[cfg(feature = "multi-agent")]
fn check_a2a_permission(&self, from: &AgentId, to: &AgentId) -> Result<()> {
let caps = self.capabilities.get(from);
match caps {
Some(cap_set) => {
let has_permission = cap_set.capabilities.iter().any(|cap| {
match cap {
Capability::AgentMessage { pattern } => {
pattern == "*" || to.to_string().starts_with(pattern)
}
_ => false,
}
});
if !has_permission {
return Err(zclaw_types::ZclawError::PermissionDenied(
format!("Agent {} does not have AgentMessage capability for {}", from, to)
));
}
Ok(())
}
None => {
// No capabilities registered — deny by default
Err(zclaw_types::ZclawError::PermissionDenied(
format!("Agent {} has no capabilities registered", from)
))
}
}
}
/// Send a direct A2A message from one agent to another
#[cfg(feature = "multi-agent")]
pub async fn a2a_send(
&self,
from: &AgentId,
to: &AgentId,
payload: serde_json::Value,
message_type: Option<A2aMessageType>,
) -> Result<()> {
// Validate sender exists
self.registry.get(from)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("Sender agent not found: {}", from)
))?;
// Validate receiver exists and is running
self.registry.get(to)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("Target agent not found: {}", to)
))?;
// Check capability permission
self.check_a2a_permission(from, to)?;
// Build and route envelope
let envelope = A2aEnvelope::new(
*from,
A2aRecipient::Direct { agent_id: *to },
message_type.unwrap_or(A2aMessageType::Notification),
payload,
);
self.a2a_router.route(envelope).await?;
// Emit event
self.events.publish(Event::A2aMessageSent {
from: *from,
to: format!("{}", to),
message_type: "direct".to_string(),
});
Ok(())
}
/// Broadcast a message from one agent to all other agents
#[cfg(feature = "multi-agent")]
pub async fn a2a_broadcast(
&self,
from: &AgentId,
payload: serde_json::Value,
) -> Result<()> {
// Validate sender exists
self.registry.get(from)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("Sender agent not found: {}", from)
))?;
let envelope = A2aEnvelope::new(
*from,
A2aRecipient::Broadcast,
A2aMessageType::Notification,
payload,
);
self.a2a_router.route(envelope).await?;
self.events.publish(Event::A2aMessageSent {
from: *from,
to: "broadcast".to_string(),
message_type: "broadcast".to_string(),
});
Ok(())
}
/// Discover agents that have a specific capability
#[cfg(feature = "multi-agent")]
pub async fn a2a_discover(&self, capability: &str) -> Result<Vec<A2aAgentProfile>> {
let result = self.a2a_router.discover(capability).await?;
self.events.publish(Event::A2aAgentDiscovered {
agent_id: AgentId::new(),
capabilities: vec![capability.to_string()],
});
Ok(result)
}
/// Try to receive a pending A2A message for an agent (non-blocking)
#[cfg(feature = "multi-agent")]
pub async fn a2a_receive(&self, agent_id: &AgentId) -> Result<Option<A2aEnvelope>> {
let inbox = self.a2a_inboxes.get(agent_id)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("No A2A inbox for agent: {}", agent_id)
))?;
let mut rx = inbox.lock().await;
match rx.try_recv() {
Ok(envelope) => {
self.events.publish(Event::A2aMessageReceived {
from: envelope.from,
to: format!("{}", agent_id),
message_type: "direct".to_string(),
});
Ok(Some(envelope))
}
Err(_) => Ok(None),
}
}
/// Delegate a task to another agent and wait for response with timeout
#[cfg(feature = "multi-agent")]
pub async fn a2a_delegate_task(
&self,
from: &AgentId,
to: &AgentId,
task_description: String,
timeout_ms: u64,
) -> Result<serde_json::Value> {
// Validate both agents exist
self.registry.get(from)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("Sender agent not found: {}", from)
))?;
self.registry.get(to)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("Target agent not found: {}", to)
))?;
// Check capability permission
self.check_a2a_permission(from, to)?;
// Send task request
let task_id = uuid::Uuid::new_v4().to_string();
let envelope = A2aEnvelope::new(
*from,
A2aRecipient::Direct { agent_id: *to },
A2aMessageType::Task,
serde_json::json!({
"task_id": task_id,
"description": task_description,
}),
).with_conversation(task_id.clone());
let envelope_id = envelope.id.clone();
self.a2a_router.route(envelope).await?;
self.events.publish(Event::A2aMessageSent {
from: *from,
to: format!("{}", to),
message_type: "task".to_string(),
});
// Wait for response with timeout
let timeout = tokio::time::Duration::from_millis(timeout_ms);
let result = tokio::time::timeout(timeout, async {
let inbox = self.a2a_inboxes.get(from)
.ok_or_else(|| zclaw_types::ZclawError::NotFound(
format!("No A2A inbox for agent: {}", from)
))?;
let mut rx = inbox.lock().await;
// Poll for matching response
loop {
match rx.recv().await {
Some(msg) => {
// Check if this is a response to our task
if msg.message_type == A2aMessageType::Response
&& msg.reply_to.as_deref() == Some(&envelope_id) {
return Ok::<_, zclaw_types::ZclawError>(msg.payload);
}
// Not our response — put it back by logging it (would need a re-queue mechanism for production)
tracing::warn!("Received non-matching A2A response, discarding: {}", msg.id);
}
None => {
return Err(zclaw_types::ZclawError::Internal(
"A2A inbox channel closed".to_string()
));
}
}
}
}).await;
match result {
Ok(Ok(payload)) => Ok(payload),
Ok(Err(e)) => Err(e),
Err(_) => Err(zclaw_types::ZclawError::Timeout(
format!("A2A task delegation timed out after {}ms", timeout_ms)
)),
}
}
/// Get all online agents via A2A profiles
#[cfg(feature = "multi-agent")]
pub async fn a2a_get_online_agents(&self) -> Result<Vec<A2aAgentProfile>> {
Ok(self.a2a_router.list_profiles().await)
}
}
#[derive(Debug, Clone)]
pub struct ApprovalEntry {
pub id: String,
@@ -633,6 +1172,7 @@ pub struct ApprovalEntry {
pub status: String,
pub created_at: chrono::DateTime<chrono::Utc>,
pub input: serde_json::Value,
pub reject_reason: Option<String>,
}
/// Response from sending a message

9
crates/zclaw-kernel/src/lib.rs
View File

@@ -8,6 +8,7 @@ mod capabilities;
mod events;
pub mod trigger_manager;
pub mod config;
pub mod scheduler;
#[cfg(feature = "multi-agent")]
pub mod director;
pub mod generation;
@@ -21,8 +22,16 @@ pub use config::*;
pub use trigger_manager::{TriggerManager, TriggerEntry, TriggerUpdateRequest, TriggerManagerConfig};
#[cfg(feature = "multi-agent")]
pub use director::*;
#[cfg(feature = "multi-agent")]
pub use zclaw_protocols::{
A2aRouter, A2aAgentProfile, A2aCapability, A2aEnvelope, A2aMessageType, A2aRecipient,
A2aReceiver,
BasicA2aClient,
A2aClient,
};
pub use generation::*;
pub use export::{ExportFormat, ExportOptions, ExportResult, Exporter, export_classroom};
// Re-export hands types for convenience
pub use zclaw_hands::{HandRegistry, HandContext, HandResult, HandConfig, Hand, HandStatus};
pub use scheduler::SchedulerService;

341
crates/zclaw-kernel/src/scheduler.rs Normal file
View File

@@ -0,0 +1,341 @@
//! Scheduler service for automatic trigger execution
//!
//! Periodically scans scheduled triggers and fires them at the appropriate time.
use std::sync::Arc;
use std::sync::atomic::{AtomicBool, Ordering};
use chrono::{Datelike, Timelike};
use tokio::sync::RwLock;
use tokio::time::{self, Duration};
use zclaw_types::Result;
use crate::Kernel;
/// Scheduler service that runs in the background and executes scheduled triggers
pub struct SchedulerService {
kernel: Arc<RwLock<Option<Kernel>>>,
running: Arc<AtomicBool>,
check_interval: Duration,
}
impl SchedulerService {
/// Create a new scheduler service
pub fn new(kernel: Arc<RwLock<Option<Kernel>>>, check_interval_secs: u64) -> Self {
Self {
kernel,
running: Arc::new(AtomicBool::new(false)),
check_interval: Duration::from_secs(check_interval_secs),
}
}
/// Start the scheduler loop in the background
pub fn start(&self) {
if self.running.compare_exchange(false, true, Ordering::SeqCst, Ordering::SeqCst).is_err() {
tracing::warn!("[Scheduler] Already running, ignoring start request");
return;
}
let kernel = self.kernel.clone();
let running = self.running.clone();
let interval = self.check_interval;
tokio::spawn(async move {
tracing::info!("[Scheduler] Starting scheduler loop with {}s interval", interval.as_secs());
let mut ticker = time::interval(interval);
// First tick fires immediately — skip it
ticker.tick().await;
while running.load(Ordering::Relaxed) {
ticker.tick().await;
if !running.load(Ordering::Relaxed) {
break;
}
if let Err(e) = Self::check_and_fire_scheduled_triggers(&kernel).await {
tracing::error!("[Scheduler] Error checking triggers: {}", e);
}
}
tracing::info!("[Scheduler] Scheduler loop stopped");
});
}
/// Stop the scheduler loop
pub fn stop(&self) {
self.running.store(false, Ordering::Relaxed);
tracing::info!("[Scheduler] Stop requested");
}
/// Check if the scheduler is running
pub fn is_running(&self) -> bool {
self.running.load(Ordering::Relaxed)
}
/// Check all scheduled triggers and fire those that are due
async fn check_and_fire_scheduled_triggers(
kernel_lock: &Arc<RwLock<Option<Kernel>>>,
) -> Result<()> {
let kernel_read = kernel_lock.read().await;
let kernel = match kernel_read.as_ref() {
Some(k) => k,
None => return Ok(()),
};
// Get all triggers
let triggers = kernel.list_triggers().await;
let now = chrono::Utc::now();
// Filter to enabled Schedule triggers
let scheduled: Vec<_> = triggers.iter()
.filter(|t| {
t.config.enabled && matches!(t.config.trigger_type, zclaw_hands::TriggerType::Schedule { .. })
})
.collect();
if scheduled.is_empty() {
return Ok(());
}
tracing::debug!("[Scheduler] Checking {} scheduled triggers", scheduled.len());
// Drop the read lock before executing
let to_execute: Vec<(String, String, String)> = scheduled.iter()
.filter_map(|t| {
if let zclaw_hands::TriggerType::Schedule { ref cron } = t.config.trigger_type {
// Simple cron matching: check if we should fire now
if Self::should_fire_cron(cron, &now) {
Some((t.config.id.clone(), t.config.hand_id.clone(), cron.clone()))
} else {
None
}
} else {
None
}
})
.collect();
drop(kernel_read);
// Execute due triggers (with write lock since execute_hand may need it)
for (trigger_id, hand_id, cron_expr) in to_execute {
tracing::info!(
"[Scheduler] Firing scheduled trigger '{}' → hand '{}' (cron: {})",
trigger_id, hand_id, cron_expr
);
let kernel_read = kernel_lock.read().await;
if let Some(kernel) = kernel_read.as_ref() {
let trigger_source = zclaw_types::TriggerSource::Scheduled {
trigger_id: trigger_id.clone(),
};
let input = serde_json::json!({
"trigger_id": trigger_id,
"trigger_type": "schedule",
"cron": cron_expr,
"fired_at": now.to_rfc3339(),
});
match kernel.execute_hand_with_source(&hand_id, input, trigger_source).await {
Ok((_result, run_id)) => {
tracing::info!(
"[Scheduler] Successfully fired trigger '{}' → run {}",
trigger_id, run_id
);
}
Err(e) => {
tracing::error!(
"[Scheduler] Failed to execute trigger '{}': {}",
trigger_id, e
);
}
}
}
}
Ok(())
}
/// Simple cron expression matcher
///
/// Supports basic cron format: `minute hour day month weekday`
/// Also supports interval shorthand: `every:Ns`, `every:Nm`, `every:Nh`
fn should_fire_cron(cron: &str, now: &chrono::DateTime<chrono::Utc>) -> bool {
let cron = cron.trim();
// Handle interval shorthand: "every:30s", "every:5m", "every:1h"
if let Some(interval_str) = cron.strip_prefix("every:") {
return Self::check_interval_shorthand(interval_str, now);
}
// Handle ISO timestamp for one-shot: "2026-03-29T10:00:00Z"
if cron.contains('T') && cron.contains('-') {
if let Ok(target) = chrono::DateTime::parse_from_rfc3339(cron) {
let target_utc = target.with_timezone(&chrono::Utc);
// Fire if within the check window (± check_interval/2, approx 30s)
let diff = (*now - target_utc).num_seconds().abs();
return diff <= 30;
}
}
// Standard 5-field cron: minute hour day_of_month month day_of_week
let parts: Vec<&str> = cron.split_whitespace().collect();
if parts.len() != 5 {
tracing::warn!("[Scheduler] Invalid cron expression (expected 5 fields): '{}'", cron);
return false;
}
let minute = now.minute() as i32;
let hour = now.hour() as i32;
let day = now.day() as i32;
let month = now.month() as i32;
let weekday = now.weekday().num_days_from_monday() as i32; // Mon=0..Sun=6
Self::cron_field_matches(parts[0], minute)
&& Self::cron_field_matches(parts[1], hour)
&& Self::cron_field_matches(parts[2], day)
&& Self::cron_field_matches(parts[3], month)
&& Self::cron_field_matches(parts[4], weekday)
}
/// Check if a single cron field matches the current value
fn cron_field_matches(field: &str, value: i32) -> bool {
if field == "*" || field == "?" {
return true;
}
// Handle step: */N
if let Some(step_str) = field.strip_prefix("*/") {
if let Ok(step) = step_str.parse::<i32>() {
if step > 0 {
return value % step == 0;
}
}
return false;
}
// Handle range: N-M
if field.contains('-') {
let range_parts: Vec<&str> = field.split('-').collect();
if range_parts.len() == 2 {
if let (Ok(start), Ok(end)) = (range_parts[0].parse::<i32>(), range_parts[1].parse::<i32>()) {
return value >= start && value <= end;
}
}
return false;
}
// Handle list: N,M,O
if field.contains(',') {
return field.split(',').any(|part| {
part.trim().parse::<i32>().map(|p| p == value).unwrap_or(false)
});
}
// Simple value
field.parse::<i32>().map(|p| p == value).unwrap_or(false)
}
/// Check interval shorthand expressions
fn check_interval_shorthand(interval: &str, now: &chrono::DateTime<chrono::Utc>) -> bool {
let (num_str, unit) = if interval.ends_with('s') {
(&interval[..interval.len()-1], 's')
} else if interval.ends_with('m') {
(&interval[..interval.len()-1], 'm')
} else if interval.ends_with('h') {
(&interval[..interval.len()-1], 'h')
} else {
return false;
};
let num: i64 = match num_str.parse() {
Ok(n) => n,
Err(_) => return false,
};
if num <= 0 {
return false;
}
let interval_secs = match unit {
's' => num,
'm' => num * 60,
'h' => num * 3600,
_ => return false,
};
// Check if current timestamp aligns with the interval
let timestamp = now.timestamp();
timestamp % interval_secs == 0
}
}
#[cfg(test)]
mod tests {
use super::*;
use chrono::Timelike;
#[test]
fn test_cron_field_wildcard() {
assert!(SchedulerService::cron_field_matches("*", 5));
assert!(SchedulerService::cron_field_matches("?", 5));
}
#[test]
fn test_cron_field_exact() {
assert!(SchedulerService::cron_field_matches("5", 5));
assert!(!SchedulerService::cron_field_matches("5", 6));
}
#[test]
fn test_cron_field_step() {
assert!(SchedulerService::cron_field_matches("*/5", 0));
assert!(SchedulerService::cron_field_matches("*/5", 5));
assert!(SchedulerService::cron_field_matches("*/5", 10));
assert!(!SchedulerService::cron_field_matches("*/5", 3));
}
#[test]
fn test_cron_field_range() {
assert!(SchedulerService::cron_field_matches("1-5", 1));
assert!(SchedulerService::cron_field_matches("1-5", 3));
assert!(SchedulerService::cron_field_matches("1-5", 5));
assert!(!SchedulerService::cron_field_matches("1-5", 0));
assert!(!SchedulerService::cron_field_matches("1-5", 6));
}
#[test]
fn test_cron_field_list() {
assert!(SchedulerService::cron_field_matches("1,3,5", 1));
assert!(SchedulerService::cron_field_matches("1,3,5", 3));
assert!(SchedulerService::cron_field_matches("1,3,5", 5));
assert!(!SchedulerService::cron_field_matches("1,3,5", 2));
}
#[test]
fn test_should_fire_every_minute() {
let now = chrono::Utc::now();
assert!(SchedulerService::should_fire_cron("every:1m", &now));
}
#[test]
fn test_should_fire_cron_wildcard() {
let now = chrono::Utc::now();
// Every minute match
assert!(SchedulerService::should_fire_cron(
&format!("{} * * * *", now.minute()),
&now,
));
}
#[test]
fn test_should_not_fire_cron() {
let now = chrono::Utc::now();
let wrong_minute = if now.minute() < 59 { now.minute() + 1 } else { 0 };
assert!(!SchedulerService::should_fire_cron(
&format!("{} * * * *", wrong_minute),
&now,
));
}
}

18
crates/zclaw-memory/src/schema.rs
View File

@@ -49,8 +49,26 @@ CREATE TABLE IF NOT EXISTS schema_version (
version INTEGER PRIMARY KEY
);
-- Hand execution runs table
CREATE TABLE IF NOT EXISTS hand_runs (
id TEXT PRIMARY KEY,
hand_name TEXT NOT NULL,
trigger_source TEXT NOT NULL,
params TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'pending',
result TEXT,
error TEXT,
duration_ms INTEGER,
created_at TEXT NOT NULL,
started_at TEXT,
completed_at TEXT
);
-- Indexes
CREATE INDEX IF NOT EXISTS idx_sessions_agent ON sessions(agent_id);
CREATE INDEX IF NOT EXISTS idx_messages_session ON messages(session_id);
CREATE INDEX IF NOT EXISTS idx_kv_agent ON kv_store(agent_id);
CREATE INDEX IF NOT EXISTS idx_hand_runs_hand ON hand_runs(hand_name);
CREATE INDEX IF NOT EXISTS idx_hand_runs_status ON hand_runs(status);
CREATE INDEX IF NOT EXISTS idx_hand_runs_created ON hand_runs(created_at);
"#;

189
crates/zclaw-memory/src/store.rs
View File

@@ -1,7 +1,7 @@
//! Memory store implementation
use sqlx::SqlitePool;
use zclaw_types::{AgentConfig, AgentId, SessionId, Message, Result, ZclawError};
use zclaw_types::{AgentConfig, AgentId, SessionId, Message, Result, ZclawError, HandRun, HandRunId, HandRunStatus, HandRunFilter};
/// Memory store for persisting ZCLAW data
pub struct MemoryStore {
@@ -283,6 +283,193 @@ impl MemoryStore {
Ok(rows.into_iter().map(|(key,)| key).collect())
}
// === Hand Run Tracking ===
/// Save a new hand run record
pub async fn save_hand_run(&self, run: &HandRun) -> Result<()> {
let id = run.id.to_string();
let trigger_source = serde_json::to_string(&run.trigger_source)?;
let params = serde_json::to_string(&run.params)?;
let result = run.result.as_ref().map(|v| serde_json::to_string(v)).transpose()?;
let error = run.error.as_ref().map(|e| serde_json::to_string(e)).transpose()?;
sqlx::query(
r#"
INSERT INTO hand_runs (id, hand_name, trigger_source, params, status, result, error, duration_ms, created_at, started_at, completed_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
"#,
)
.bind(&id)
.bind(&run.hand_name)
.bind(&trigger_source)
.bind(&params)
.bind(run.status.to_string())
.bind(result.as_deref())
.bind(error.as_deref())
.bind(run.duration_ms.map(|d| d as i64))
.bind(&run.created_at)
.bind(run.started_at.as_deref())
.bind(run.completed_at.as_deref())
.execute(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(e.to_string()))?;
Ok(())
}
/// Update an existing hand run record
pub async fn update_hand_run(&self, run: &HandRun) -> Result<()> {
let id = run.id.to_string();
let trigger_source = serde_json::to_string(&run.trigger_source)?;
let params = serde_json::to_string(&run.params)?;
let result = run.result.as_ref().map(|v| serde_json::to_string(v)).transpose()?;
let error = run.error.as_ref().map(|e| serde_json::to_string(e)).transpose()?;
sqlx::query(
r#"
UPDATE hand_runs SET
hand_name = ?, trigger_source = ?, params = ?, status = ?,
result = ?, error = ?, duration_ms = ?,
started_at = ?, completed_at = ?
WHERE id = ?
"#,
)
.bind(&run.hand_name)
.bind(&trigger_source)
.bind(&params)
.bind(run.status.to_string())
.bind(result.as_deref())
.bind(error.as_deref())
.bind(run.duration_ms.map(|d| d as i64))
.bind(run.started_at.as_deref())
.bind(run.completed_at.as_deref())
.bind(&id)
.execute(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(e.to_string()))?;
Ok(())
}
/// Get a hand run by ID
pub async fn get_hand_run(&self, id: &HandRunId) -> Result<Option<HandRun>> {
let id_str = id.to_string();
let row = sqlx::query_as::<_, (String, String, String, String, String, Option<String>, Option<String>, Option<i64>, String, Option<String>, Option<String>)>(
"SELECT id, hand_name, trigger_source, params, status, result, error, duration_ms, created_at, started_at, completed_at FROM hand_runs WHERE id = ?"
)
.bind(&id_str)
.fetch_optional(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(e.to_string()))?;
match row {
Some(r) => Ok(Some(Self::row_to_hand_run(r)?)),
None => Ok(None),
}
}
/// List hand runs with optional filter
pub async fn list_hand_runs(&self, filter: &HandRunFilter) -> Result<Vec<HandRun>> {
let mut query = String::from(
"SELECT id, hand_name, trigger_source, params, status, result, error, duration_ms, created_at, started_at, completed_at FROM hand_runs WHERE 1=1"
);
let mut bind_values: Vec<String> = Vec::new();
if let Some(ref hand_name) = filter.hand_name {
query.push_str(" AND hand_name = ?");
bind_values.push(hand_name.clone());
}
if let Some(ref status) = filter.status {
query.push_str(" AND status = ?");
bind_values.push(status.to_string());
}
query.push_str(" ORDER BY created_at DESC");
if let Some(limit) = filter.limit {
query.push_str(&format!(" LIMIT {}", limit));
}
if let Some(offset) = filter.offset {
query.push_str(&format!(" OFFSET {}", offset));
}
let mut sql_query = sqlx::query_as::<_, (String, String, String, String, String, Option<String>, Option<String>, Option<i64>, String, Option<String>, Option<String>)>(&query);
for val in &bind_values {
sql_query = sql_query.bind(val);
}
let rows = sql_query
.fetch_all(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(e.to_string()))?;
rows.into_iter()
.map(|r| Self::row_to_hand_run(r))
.collect()
}
/// Count hand runs matching filter
pub async fn count_hand_runs(&self, filter: &HandRunFilter) -> Result<u32> {
let mut query = String::from("SELECT COUNT(*) FROM hand_runs WHERE 1=1");
let mut bind_values: Vec<String> = Vec::new();
if let Some(ref hand_name) = filter.hand_name {
query.push_str(" AND hand_name = ?");
bind_values.push(hand_name.clone());
}
if let Some(ref status) = filter.status {
query.push_str(" AND status = ?");
bind_values.push(status.to_string());
}
let mut sql_query = sqlx::query_scalar::<_, i64>(&query);
for val in &bind_values {
sql_query = sql_query.bind(val);
}
let count = sql_query
.fetch_one(&self.pool)
.await
.map_err(|e| ZclawError::StorageError(e.to_string()))?;
Ok(count as u32)
}
fn row_to_hand_run(
row: (String, String, String, String, String, Option<String>, Option<String>, Option<i64>, String, Option<String>, Option<String>),
) -> Result<HandRun> {
let (id, hand_name, trigger_source, params, status, result, error, duration_ms, created_at, started_at, completed_at) = row;
let run_id: HandRunId = id.parse()
.map_err(|e| ZclawError::StorageError(format!("Invalid HandRunId: {}", e)))?;
let trigger: zclaw_types::TriggerSource = serde_json::from_str(&trigger_source)?;
let params_val: serde_json::Value = serde_json::from_str(&params)?;
let run_status: HandRunStatus = status.parse()
.map_err(|e| ZclawError::StorageError(e))?;
let result_val: Option<serde_json::Value> = result.map(|r| serde_json::from_str(&r)).transpose()?;
let error_val: Option<String> = error.as_ref()
.map(|e| serde_json::from_str::<String>(e))
.transpose()
.unwrap_or_else(|_| error.clone());
Ok(HandRun {
id: run_id,
hand_name,
trigger_source: trigger,
params: params_val,
status: run_status,
result: result_val,
error: error_val,
duration_ms: duration_ms.map(|d| d as u64),
created_at,
started_at,
completed_at,
})
}
}
#[cfg(test)]

22
crates/zclaw-protocols/src/a2a.rs
View File

@@ -427,6 +427,28 @@ impl A2aRouter {
pub fn agent_id(&self) -> &AgentId {
&self.agent_id
}
/// Discover agents that have a specific capability
pub async fn discover(&self, capability: &str) -> Result<Vec<A2aAgentProfile>> {
let cap_index = self.capability_index.read().await;
let profiles = self.profiles.read().await;
match cap_index.get(capability) {
Some(agent_ids) => {
let result: Vec<A2aAgentProfile> = agent_ids.iter()
.filter_map(|id| profiles.get(id).cloned())
.collect();
Ok(result)
}
None => Ok(Vec::new()),
}
}
/// Get all registered agent profiles
pub async fn list_profiles(&self) -> Vec<A2aAgentProfile> {
let profiles = self.profiles.read().await;
profiles.values().cloned().collect()
}
}
/// Basic A2A client implementation

69
crates/zclaw-runtime/src/compaction.rs
View File

@@ -13,6 +13,7 @@
//! Optionally flushes old messages to the growth/memory system before discarding.
use std::sync::Arc;
use std::sync::atomic::{AtomicU64, Ordering};
use zclaw_types::{AgentId, Message, SessionId};
use crate::driver::{CompletionRequest, ContentBlock, LlmDriver};
@@ -40,9 +41,18 @@ pub fn estimate_tokens(text: &str) -> usize {
{
// CJK ideographs — ~1.5 tokens
tokens += 1.5;
} else if (0xAC00..=0xD7AF).contains(&code) || (0x1100..=0x11FF).contains(&code) {
// Korean Hangul syllables + Jamo — ~1.5 tokens
tokens += 1.5;
} else if (0x3040..=0x309F).contains(&code) || (0x30A0..=0x30FF).contains(&code) {
// Japanese Hiragana + Katakana — ~1.5 tokens
tokens += 1.5;
} else if (0x3000..=0x303F).contains(&code) || (0xFF00..=0xFFEF).contains(&code) {
// CJK / fullwidth punctuation — ~1.0 token
tokens += 1.0;
} else if (0x1F000..=0x1FAFF).contains(&code) || (0x2600..=0x27BF).contains(&code) {
// Emoji & Symbols — ~2.0 tokens
tokens += 2.0;
} else if char == ' ' || char == '\n' || char == '\t' {
// whitespace
tokens += 0.25;
@@ -88,6 +98,54 @@ pub fn estimate_messages_tokens(messages: &[Message]) -> usize {
total
}
// ============================================================
// Calibration: adjust heuristic estimates using API feedback
// ============================================================
const F64_1_0_BITS: u64 = 4607182418800017408u64; // 1.0f64.to_bits()
/// Global calibration factor for token estimation (stored as f64 bits).
///
/// Updated via exponential moving average when API returns actual token counts.
/// Initial value is 1.0 (no adjustment).
static CALIBRATION_FACTOR_BITS: AtomicU64 = AtomicU64::new(F64_1_0_BITS);
/// Get the current calibration factor.
pub fn get_calibration_factor() -> f64 {
f64::from_bits(CALIBRATION_FACTOR_BITS.load(Ordering::Relaxed))
}
/// Update calibration factor using exponential moving average.
///
/// Compares estimated tokens with actual tokens from API response:
/// - `ratio = actual / estimated` so underestimates push factor UP
/// - EMA: `new = current * 0.7 + ratio * 0.3`
/// - Clamped to [0.5, 2.0] to prevent runaway values
pub fn update_calibration(estimated: usize, actual: u32) {
if actual == 0 || estimated == 0 {
return;
}
let ratio = actual as f64 / estimated as f64;
let current = get_calibration_factor();
let new_factor = (current * 0.7 + ratio * 0.3).clamp(0.5, 2.0);
CALIBRATION_FACTOR_BITS.store(new_factor.to_bits(), Ordering::Relaxed);
tracing::debug!(
"[Compaction] Calibration: estimated={}, actual={}, ratio={:.2}, factor {:.2} → {:.2}",
estimated, actual, ratio, current, new_factor
);
}
/// Estimate total tokens for messages with calibration applied.
fn estimate_messages_tokens_calibrated(messages: &[Message]) -> usize {
let raw = estimate_messages_tokens(messages);
let factor = get_calibration_factor();
if (factor - 1.0).abs() < f64::EPSILON {
raw
} else {
((raw as f64 * factor).ceil()) as usize
}
}
/// Compact a message list by summarizing old messages and keeping recent ones.
///
/// When `messages.len() > keep_recent`, the oldest messages are summarized
@@ -134,7 +192,7 @@ pub fn compact_messages(messages: Vec<Message>, keep_recent: usize) -> (Vec<Mess
///
/// Returns the (possibly compacted) message list.
pub fn maybe_compact(messages: Vec<Message>, threshold: usize) -> Vec<Message> {
let tokens = estimate_messages_tokens(&messages);
let tokens = estimate_messages_tokens_calibrated(&messages);
if tokens < threshold {
return messages;
}
@@ -208,7 +266,7 @@ pub async fn maybe_compact_with_config(
driver: Option<&Arc<dyn LlmDriver>>,
growth: Option<&GrowthIntegration>,
) -> CompactionOutcome {
let tokens = estimate_messages_tokens(&messages);
let tokens = estimate_messages_tokens_calibrated(&messages);
if tokens < threshold {
return CompactionOutcome {
messages,
@@ -475,10 +533,11 @@ fn generate_summary(messages: &[Message]) -> String {
let summary = sections.join("\n");
// Enforce max length
// Enforce max length (char-safe for CJK)
let max_chars = 800;
if summary.len() > max_chars {
format!("{}...\n(摘要已截断)", &summary[..max_chars])
if summary.chars().count() > max_chars {
let truncated: String = summary.chars().take(max_chars).collect();
format!("{}...\n(摘要已截断)", truncated)
} else {
summary
}

251
crates/zclaw-runtime/src/driver/openai.rs
View File

@@ -130,7 +130,8 @@ impl LlmDriver for OpenAiDriver {
let api_key = self.api_key.expose_secret().to_string();
Box::pin(stream! {
tracing::debug!("[OpenAiDriver:stream] Starting HTTP request...");
println!("[OpenAI:stream] POST to {}/chat/completions", base_url);
println!("[OpenAI:stream] Request model={}, stream={}", stream_request.model, stream_request.stream);
let response = match self.client
.post(format!("{}/chat/completions", base_url))
.header("Authorization", format!("Bearer {}", api_key))
@@ -141,11 +142,11 @@ impl LlmDriver for OpenAiDriver {
.await
{
Ok(r) => {
tracing::debug!("[OpenAiDriver:stream] Got response, status: {}", r.status());
println!("[OpenAI:stream] Response status: {}, content-type: {:?}", r.status(), r.headers().get("content-type"));
r
},
Err(e) => {
tracing::error!("[OpenAiDriver:stream] HTTP request failed: {:?}", e);
println!("[OpenAI:stream] HTTP request FAILED: {:?}", e);
yield Err(ZclawError::LlmError(format!("HTTP request failed: {}", e)));
return;
}
@@ -154,6 +155,7 @@ impl LlmDriver for OpenAiDriver {
if !response.status().is_success() {
let status = response.status();
let body = response.text().await.unwrap_or_default();
println!("[OpenAI:stream] API error {}: {}", status, &body[..body.len().min(500)]);
yield Err(ZclawError::LlmError(format!("API error {}: {}", status, body)));
return;
}
@@ -161,21 +163,45 @@ impl LlmDriver for OpenAiDriver {
let mut byte_stream = response.bytes_stream();
let mut accumulated_tool_calls: std::collections::HashMap<String, (String, String)> = std::collections::HashMap::new();
let mut current_tool_id: Option<String> = None;
let mut sse_event_count: usize = 0;
let mut raw_bytes_total: usize = 0;
while let Some(chunk_result) = byte_stream.next().await {
let chunk = match chunk_result {
Ok(c) => c,
Err(e) => {
println!("[OpenAI:stream] Byte stream error: {:?}", e);
yield Err(ZclawError::LlmError(format!("Stream error: {}", e)));
continue;
}
};
raw_bytes_total += chunk.len();
let text = String::from_utf8_lossy(&chunk);
// Log first 500 bytes of raw data for debugging SSE format
if raw_bytes_total <= 600 {
println!("[OpenAI:stream] RAW chunk ({} bytes): {:?}", text.len(), &text[..text.len().min(500)]);
}
for line in text.lines() {
if let Some(data) = line.strip_prefix("data: ") {
let trimmed = line.trim();
if trimmed.is_empty() || trimmed.starts_with(':') {
continue; // Skip empty lines and SSE comments
}
// Handle both "data: " (standard) and "data:" (no space)
let data = if let Some(d) = trimmed.strip_prefix("data: ") {
Some(d)
} else if let Some(d) = trimmed.strip_prefix("data:") {
Some(d.trim_start())
} else {
None
};
if let Some(data) = data {
sse_event_count += 1;
if sse_event_count <= 3 || data == "[DONE]" {
println!("[OpenAI:stream] SSE #{}: {}", sse_event_count, &data[..data.len().min(300)]);
}
if data == "[DONE]" {
tracing::debug!("[OpenAI] Stream done, accumulated_tool_calls: {:?}", accumulated_tool_calls.len());
println!("[OpenAI:stream] Received [DONE], total SSE events: {}, raw bytes: {}", sse_event_count, raw_bytes_total);
// Emit ToolUseEnd for all accumulated tool calls (skip invalid ones with empty name)
for (id, (name, args)) in &accumulated_tool_calls {
@@ -216,10 +242,19 @@ impl LlmDriver for OpenAiDriver {
// Handle text content
if let Some(content) = &delta.content {
if !content.is_empty() {
tracing::debug!("[OpenAI:stream] TextDelta: {} chars", content.len());
yield Ok(StreamChunk::TextDelta { delta: content.clone() });
}
}
// Handle reasoning_content (Kimi, Qwen, DeepSeek, GLM thinking)
if let Some(reasoning) = &delta.reasoning_content {
if !reasoning.is_empty() {
tracing::debug!("[OpenAI:stream] ThinkingDelta (reasoning_content): {} chars", reasoning.len());
yield Ok(StreamChunk::ThinkingDelta { delta: reasoning.clone() });
}
}
// Handle tool calls
if let Some(tool_calls) = &delta.tool_calls {
tracing::trace!("[OpenAI] Received tool_calls delta: {:?}", tool_calls);
@@ -284,6 +319,7 @@ impl LlmDriver for OpenAiDriver {
}
}
}
println!("[OpenAI:stream] Byte stream ended. Total: {} SSE events, {} raw bytes", sse_event_count, raw_bytes_total);
})
}
}
@@ -304,55 +340,122 @@ impl OpenAiDriver {
request.system.clone()
};
let messages: Vec<OpenAiMessage> = request.messages
.iter()
.filter_map(|msg| match msg {
zclaw_types::Message::User { content } => Some(OpenAiMessage {
// Build messages with tool result truncation to prevent payload overflow.
// Most LLM APIs have a 2-4MB HTTP payload limit.
const MAX_TOOL_RESULT_BYTES: usize = 32_768; // 32KB per tool result
const MAX_PAYLOAD_BYTES: usize = 1_800_000; // 1.8MB (under 2MB API limit)
let mut messages: Vec<OpenAiMessage> = Vec::new();
let mut pending_tool_calls: Option<Vec<OpenAiToolCall>> = None;
let mut pending_content: Option<String> = None;
let mut pending_reasoning: Option<String> = None;
let flush_pending = |tc: &mut Option<Vec<OpenAiToolCall>>,
c: &mut Option<String>,
r: &mut Option<String>,
out: &mut Vec<OpenAiMessage>| {
let calls = tc.take();
let content = c.take();
let reasoning = r.take();
if let Some(calls) = calls {
if !calls.is_empty() {
// Merge assistant content + reasoning into the tool call message
out.push(OpenAiMessage {
role: "assistant".to_string(),
content: content.filter(|s| !s.is_empty()),
reasoning_content: reasoning.filter(|s| !s.is_empty()),
tool_calls: Some(calls),
tool_call_id: None,
});
return;
}
}
// No tool calls — emit a plain assistant message
if content.is_some() || reasoning.is_some() {
out.push(OpenAiMessage {
role: "assistant".to_string(),
content: content.filter(|s| !s.is_empty()),
reasoning_content: reasoning.filter(|s| !s.is_empty()),
tool_calls: None,
tool_call_id: None,
});
}
};
for msg in &request.messages {
match msg {
zclaw_types::Message::User { content } => {
flush_pending(&mut pending_tool_calls, &mut pending_content, &mut pending_reasoning, &mut messages);
messages.push(OpenAiMessage {
role: "user".to_string(),
content: Some(content.clone()),
tool_calls: None,
}),
zclaw_types::Message::Assistant { content, thinking: _ } => Some(OpenAiMessage {
role: "assistant".to_string(),
content: Some(content.clone()),
tool_calls: None,
}),
zclaw_types::Message::System { content } => Some(OpenAiMessage {
tool_call_id: None,
reasoning_content: None,
});
}
zclaw_types::Message::Assistant { content, thinking } => {
flush_pending(&mut pending_tool_calls, &mut pending_content, &mut pending_reasoning, &mut messages);
// Don't push immediately — wait to see if next messages are ToolUse
pending_content = Some(content.clone());
pending_reasoning = thinking.clone();
}
zclaw_types::Message::System { content } => {
flush_pending(&mut pending_tool_calls, &mut pending_content, &mut pending_reasoning, &mut messages);
messages.push(OpenAiMessage {
role: "system".to_string(),
content: Some(content.clone()),
tool_calls: None,
}),
tool_call_id: None,
reasoning_content: None,
});
}
zclaw_types::Message::ToolUse { id, tool, input } => {
// Ensure arguments is always a valid JSON object, never null or invalid
// Accumulate tool calls — they'll be merged with the pending assistant message
let args = if input.is_null() {
"{}".to_string()
} else {
serde_json::to_string(input).unwrap_or_else(|_| "{}".to_string())
};
Some(OpenAiMessage {
role: "assistant".to_string(),
content: None,
tool_calls: Some(vec![OpenAiToolCall {
pending_tool_calls
.get_or_insert_with(Vec::new)
.push(OpenAiToolCall {
id: id.clone(),
r#type: "function".to_string(),
function: FunctionCall {
name: tool.to_string(),
arguments: args,
},
}]),
})
});
}
zclaw_types::Message::ToolResult { tool_call_id: _, output, is_error, .. } => Some(OpenAiMessage {
role: "tool".to_string(),
content: Some(if *is_error {
zclaw_types::Message::ToolResult { tool_call_id, output, is_error, .. } => {
flush_pending(&mut pending_tool_calls, &mut pending_content, &mut pending_reasoning, &mut messages);
let content_str = if *is_error {
format!("Error: {}", output)
} else {
output.to_string()
}),
};
// Truncate oversized tool results to prevent payload overflow
let truncated = if content_str.len() > MAX_TOOL_RESULT_BYTES {
let mut s = String::from(&content_str[..MAX_TOOL_RESULT_BYTES]);
s.push_str("\n\n... [内容已截断,原文过大]");
s
} else {
content_str
};
messages.push(OpenAiMessage {
role: "tool".to_string(),
content: Some(truncated),
tool_calls: None,
}),
})
.collect();
tool_call_id: Some(tool_call_id.clone()),
reasoning_content: None,
});
}
}
}
// Flush any remaining accumulated assistant content and/or tool calls
flush_pending(&mut pending_tool_calls, &mut pending_content, &mut pending_reasoning, &mut messages);
// Add system prompt if provided
let mut messages = messages;
@@ -361,6 +464,8 @@ impl OpenAiDriver {
role: "system".to_string(),
content: Some(system.clone()),
tool_calls: None,
tool_call_id: None,
reasoning_content: None,
});
}
@@ -376,7 +481,7 @@ impl OpenAiDriver {
})
.collect();
OpenAiRequest {
let api_request = OpenAiRequest {
model: request.model.clone(), // Use model ID directly without any transformation
messages,
max_tokens: request.max_tokens,
@@ -384,7 +489,75 @@ impl OpenAiDriver {
stop: if request.stop.is_empty() { None } else { Some(request.stop.clone()) },
stream: request.stream,
tools: if tools.is_empty() { None } else { Some(tools) },
};
// Pre-send payload size validation
if let Ok(serialized) = serde_json::to_string(&api_request) {
if serialized.len() > MAX_PAYLOAD_BYTES {
tracing::warn!(
target: "openai_driver",
"Request payload too large: {} bytes (limit: {}), truncating messages",
serialized.len(),
MAX_PAYLOAD_BYTES
);
return Self::truncate_messages_to_fit(api_request, MAX_PAYLOAD_BYTES);
}
tracing::debug!(
target: "openai_driver",
"Request payload size: {} bytes (limit: {})",
serialized.len(),
MAX_PAYLOAD_BYTES
);
}
api_request
}
/// Emergency truncation: drop oldest non-system messages until payload fits
fn truncate_messages_to_fit(mut request: OpenAiRequest, _max_bytes: usize) -> OpenAiRequest {
// Keep system message (if any) and last 4 non-system messages
let has_system = request.messages.first()
.map(|m| m.role == "system")
.unwrap_or(false);
let non_system: Vec<OpenAiMessage> = request.messages.into_iter()
.filter(|m| m.role != "system")
.collect();
// Keep last N messages and truncate any remaining large tool results
let keep_count = 4.min(non_system.len());
let start = non_system.len() - keep_count;
let kept: Vec<OpenAiMessage> = non_system.into_iter()
.skip(start)
.map(|mut msg| {
// Additional per-message truncation for tool results
if msg.role == "tool" {
if let Some(ref content) = msg.content {
if content.len() > 16_384 {
let mut s = String::from(&content[..16_384]);
s.push_str("\n\n... [上下文压缩截断]");
msg.content = Some(s);
}
}
}
msg
})
.collect();
let mut messages = Vec::new();
if has_system {
messages.push(OpenAiMessage {
role: "system".to_string(),
content: Some("You are a helpful AI assistant. (注意:对话历史已被压缩以适应上下文大小限制)".to_string()),
tool_calls: None,
tool_call_id: None,
reasoning_content: None,
});
}
messages.extend(kept);
request.messages = messages;
request
}
fn convert_response(&self, api_response: OpenAiResponse, model: String) -> CompletionResponse {
@@ -398,6 +571,7 @@ impl OpenAiDriver {
// This is important because some providers return empty content with tool_calls
let has_tool_calls = c.message.tool_calls.as_ref().map(|tc| !tc.is_empty()).unwrap_or(false);
let has_content = c.message.content.as_ref().map(|t| !t.is_empty()).unwrap_or(false);
let has_reasoning = c.message.reasoning_content.as_ref().map(|t| !t.is_empty()).unwrap_or(false);
let blocks = if has_tool_calls {
// Tool calls take priority
@@ -413,6 +587,11 @@ impl OpenAiDriver {
let text = c.message.content.as_ref().unwrap();
tracing::debug!("[OpenAiDriver:convert_response] Using text content: {} chars", text.len());
vec![ContentBlock::Text { text: text.clone() }]
} else if has_reasoning {
// Content empty but reasoning_content present (Kimi, Qwen, DeepSeek)
let reasoning = c.message.reasoning_content.as_ref().unwrap();
tracing::debug!("[OpenAiDriver:convert_response] Using reasoning_content: {} chars", reasoning.len());
vec![ContentBlock::Text { text: reasoning.clone() }]
} else {
// No content or tool_calls
tracing::debug!("[OpenAiDriver:convert_response] No content or tool_calls, using empty text");
@@ -594,6 +773,10 @@ struct OpenAiMessage {
content: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
tool_calls: Option<Vec<OpenAiToolCall>>,
#[serde(skip_serializing_if = "Option::is_none")]
tool_call_id: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
reasoning_content: Option<String>,
}
#[derive(Serialize)]
@@ -656,6 +839,8 @@ struct OpenAiResponseMessage {
#[serde(default)]
content: Option<String>,
#[serde(default)]
reasoning_content: Option<String>,
#[serde(default)]
tool_calls: Option<Vec<OpenAiToolCallResponse>>,
}
@@ -705,6 +890,8 @@ struct OpenAiDelta {
#[serde(default)]
content: Option<String>,
#[serde(default)]
reasoning_content: Option<String>,
#[serde(default)]
tool_calls: Option<Vec<OpenAiToolCallDelta>>,
}

22
crates/zclaw-runtime/src/growth.rs
View File

@@ -4,22 +4,14 @@
//! enabling automatic memory retrieval before conversations and memory extraction
//! after conversations.
//!
//! # Usage
//! **Note (2026-03-27 audit)**: In the Tauri desktop deployment, this module is
//! NOT wired into the Kernel. The intelligence_hooks module in desktop/src-tauri
//! provides the same functionality (memory retrieval, heartbeat, reflection) via
//! direct VikingStorage calls. GrowthIntegration remains available for future
//! use (e.g., headless/server deployments where intelligence_hooks is not available).
//!
//! ```rust,ignore
//! use zclaw_runtime::growth::GrowthIntegration;
//! use zclaw_growth::{VikingAdapter, MemoryExtractor, MemoryRetriever, PromptInjector};
//!
//! // Create growth integration
//! let viking = Arc::new(VikingAdapter::in_memory());
//! let growth = GrowthIntegration::new(viking);
//!
//! // Before conversation: enhance system prompt
//! let enhanced_prompt = growth.enhance_prompt(&agent_id, &base_prompt, &user_input).await?;
//!
//! // After conversation: extract and store memories
//! growth.process_conversation(&agent_id, &messages, session_id).await?;
//! ```
//! The `AgentLoop.growth` field defaults to `None` and the code gracefully falls
//! through to normal behavior when not set.
use std::sync::Arc;
use zclaw_growth::{

6
crates/zclaw-runtime/src/lib.rs
View File

@@ -3,8 +3,10 @@
//! LLM drivers, tool system, and agent loop implementation.
/// Default User-Agent header sent with all outgoing HTTP requests.
/// Some LLM providers (e.g. Moonshot, Qwen, DashScope Coding Plan) reject requests without one.
pub const USER_AGENT: &str = "ZCLAW/0.1.0";
/// Coding Plan providers (Kimi, Bailian/DashScope, Zhipu) validate the User-Agent against a
/// whitelist of known Coding Agents (e.g. claude-code, kimi-cli, roo-code, kilo-code).
/// Must use the exact lowercase format to pass validation.
pub const USER_AGENT: &str = "claude-code/0.1.0";
pub mod driver;
pub mod tool;

132
crates/zclaw-runtime/src/loop_runner.rs
View File

@@ -131,12 +131,30 @@ impl AgentLoop {
/// Create tool context for tool execution
fn create_tool_context(&self, session_id: SessionId) -> ToolContext {
// If no path_validator is configured, create a default one with user home as workspace.
// This allows file_read/file_write tools to work without explicit workspace config,
// while still restricting access to the user's home directory for security.
let path_validator = self.path_validator.clone().unwrap_or_else(|| {
let home = std::env::var("USERPROFILE")
.or_else(|_| std::env::var("HOME"))
.unwrap_or_else(|_| ".".to_string());
let home_path = std::path::PathBuf::from(&home);
tracing::info!(
"[AgentLoop] No path_validator configured, using user home as workspace: {}",
home_path.display()
);
PathValidator::new().with_workspace(home_path)
});
let working_dir = path_validator.workspace_root()
.map(|p| p.to_string_lossy().to_string());
ToolContext {
agent_id: self.agent_id.clone(),
working_directory: None,
working_directory: working_dir,
session_id: Some(session_id.to_string()),
skill_executor: self.skill_executor.clone(),
path_validator: self.path_validator.clone(),
path_validator: Some(path_validator),
}
}
@@ -222,6 +240,14 @@ impl AgentLoop {
total_input_tokens += response.input_tokens;
total_output_tokens += response.output_tokens;
// Calibrate token estimation on first iteration
if iterations == 1 {
compaction::update_calibration(
compaction::estimate_messages_tokens(&messages),
response.input_tokens,
);
}
// Extract tool calls from response
let tool_calls: Vec<(String, String, serde_json::Value)> = response.content.iter()
.filter_map(|block| match block {
@@ -230,30 +256,49 @@ impl AgentLoop {
})
.collect();
// If no tool calls, we have the final response
if tool_calls.is_empty() {
// Extract text content
let text = response.content.iter()
// Extract text and thinking separately
let text_parts: Vec<String> = response.content.iter()
.filter_map(|block| match block {
ContentBlock::Text { text } => Some(text.clone()),
ContentBlock::Thinking { thinking } => Some(format!("[思考] {}", thinking)),
_ => None,
})
.collect::<Vec<_>>()
.join("\n");
.collect();
let thinking_parts: Vec<String> = response.content.iter()
.filter_map(|block| match block {
ContentBlock::Thinking { thinking } => Some(thinking.clone()),
_ => None,
})
.collect();
let text_content = text_parts.join("\n");
let thinking_content = if thinking_parts.is_empty() { None } else { Some(thinking_parts.join("")) };
// Save final assistant message
self.memory.append_message(&session_id, &Message::assistant(&text)).await?;
// If no tool calls, we have the final response
if tool_calls.is_empty() {
// Save final assistant message with thinking
let msg = if let Some(thinking) = &thinking_content {
Message::assistant_with_thinking(&text_content, thinking)
} else {
Message::assistant(&text_content)
};
self.memory.append_message(&session_id, &msg).await?;
break AgentLoopResult {
response: text,
response: text_content,
input_tokens: total_input_tokens,
output_tokens: total_output_tokens,
iterations,
};
}
// There are tool calls - add assistant message with tool calls to history
// There are tool calls - push assistant message with thinking before tool calls
// (required by Kimi and other thinking-enabled APIs)
let assistant_msg = if let Some(thinking) = &thinking_content {
Message::assistant_with_thinking(&text_content, thinking)
} else {
Message::assistant(&text_content)
};
messages.push(assistant_msg);
for (id, name, input) in &tool_calls {
messages.push(Message::tool_use(id, zclaw_types::ToolId::new(name), input.clone()));
}
@@ -417,19 +462,29 @@ impl AgentLoop {
let mut stream = driver.stream(request);
let mut pending_tool_calls: Vec<(String, String, serde_json::Value)> = Vec::new();
let mut iteration_text = String::new();
let mut reasoning_text = String::new(); // Track reasoning separately for API requirement
// Process stream chunks
tracing::debug!("[AgentLoop] Starting to process stream chunks");
let mut chunk_count: usize = 0;
let mut text_delta_count: usize = 0;
let mut thinking_delta_count: usize = 0;
while let Some(chunk_result) = stream.next().await {
match chunk_result {
Ok(chunk) => {
chunk_count += 1;
match &chunk {
StreamChunk::TextDelta { delta } => {
text_delta_count += 1;
tracing::debug!("[AgentLoop] TextDelta #{}: {} chars", text_delta_count, delta.len());
iteration_text.push_str(delta);
let _ = tx.send(LoopEvent::Delta(delta.clone())).await;
}
StreamChunk::ThinkingDelta { delta } => {
let _ = tx.send(LoopEvent::Delta(format!("[思考] {}", delta))).await;
thinking_delta_count += 1;
tracing::debug!("[AgentLoop] ThinkingDelta #{}: {} chars", thinking_delta_count, delta.len());
// Accumulate reasoning separately — not mixed into iteration_text
reasoning_text.push_str(delta);
}
StreamChunk::ToolUseStart { id, name } => {
tracing::debug!("[AgentLoop] ToolUseStart: id={}, name={}", id, name);
@@ -458,6 +513,13 @@ impl AgentLoop {
tracing::debug!("[AgentLoop] Stream complete: input_tokens={}, output_tokens={}", it, ot);
total_input_tokens += *it;
total_output_tokens += *ot;
// Calibrate token estimation on first iteration
if iteration == 1 {
compaction::update_calibration(
compaction::estimate_messages_tokens(&messages),
*it,
);
}
}
StreamChunk::Error { message } => {
tracing::error!("[AgentLoop] Stream error: {}", message);
@@ -471,16 +533,27 @@ impl AgentLoop {
}
}
}
tracing::debug!("[AgentLoop] Stream ended, pending_tool_calls count: {}", pending_tool_calls.len());
tracing::info!("[AgentLoop] Stream ended: {} total chunks (text={}, thinking={}, tools={}), iteration_text={} chars",
chunk_count, text_delta_count, thinking_delta_count, pending_tool_calls.len(),
iteration_text.len());
if iteration_text.is_empty() {
tracing::warn!("[AgentLoop] WARNING: iteration_text is EMPTY after {} chunks! text_delta={}, thinking_delta={}",
chunk_count, text_delta_count, thinking_delta_count);
}
// If no tool calls, we have the final response
if pending_tool_calls.is_empty() {
tracing::debug!("[AgentLoop] No tool calls, returning final response");
// Save final assistant message
let _ = memory.append_message(&session_id_clone, &Message::assistant(&iteration_text)).await;
tracing::info!("[AgentLoop] No tool calls, returning final response: {} chars (reasoning: {} chars)", iteration_text.len(), reasoning_text.len());
// Save final assistant message with reasoning
if let Err(e) = memory.append_message(&session_id_clone, &Message::assistant_with_thinking(
&iteration_text,
&reasoning_text,
)).await {
tracing::warn!("[AgentLoop] Failed to save final assistant message: {}", e);
}
let _ = tx.send(LoopEvent::Complete(AgentLoopResult {
response: iteration_text,
response: iteration_text.clone(),
input_tokens: total_input_tokens,
output_tokens: total_output_tokens,
iterations: iteration,
@@ -488,7 +561,13 @@ impl AgentLoop {
break 'outer;
}
tracing::debug!("[AgentLoop] Processing {} tool calls", pending_tool_calls.len());
tracing::debug!("[AgentLoop] Processing {} tool calls (reasoning: {} chars)", pending_tool_calls.len(), reasoning_text.len());
// Push assistant message with reasoning before tool calls (required by Kimi and other thinking-enabled APIs)
messages.push(Message::assistant_with_thinking(
&iteration_text,
&reasoning_text,
));
// There are tool calls - add to message history
for (id, name, input) in &pending_tool_calls {
@@ -519,12 +598,21 @@ impl AgentLoop {
}
LoopGuardResult::Allowed => {}
}
// Use pre-resolved path_validator (already has default fallback from create_tool_context logic)
let pv = path_validator.clone().unwrap_or_else(|| {
let home = std::env::var("USERPROFILE")
.or_else(|_| std::env::var("HOME"))
.unwrap_or_else(|_| ".".to_string());
PathValidator::new().with_workspace(std::path::PathBuf::from(&home))
});
let working_dir = pv.workspace_root()
.map(|p| p.to_string_lossy().to_string());
let tool_context = ToolContext {
agent_id: agent_id.clone(),
working_directory: None,
working_directory: working_dir,
session_id: Some(session_id_clone.to_string()),
skill_executor: skill_executor.clone(),
path_validator: path_validator.clone(),
path_validator: Some(pv),
};
let (result, is_error) = if let Some(tool) = tools.get(&name) {

5
crates/zclaw-runtime/src/tool/builtin/path_validator.rs
View File

@@ -160,6 +160,11 @@ impl PathValidator {
self
}
/// Get the workspace root directory
pub fn workspace_root(&self) -> Option<&PathBuf> {
self.workspace_root.as_ref()
}
/// Validate a path for read access
pub fn validate_read(&self, path: &str) -> Result<PathBuf> {
let canonical = self.resolve_and_validate(path)?;

12
crates/zclaw-saas/Cargo.toml
View File

@@ -9,8 +9,12 @@ name = "zclaw-saas"
path = "src/main.rs"
[dependencies]
zclaw-types = { workspace = true }
tokio = { workspace = true }
tokio-stream = { workspace = true }
futures = { workspace = true }
async-trait = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
toml = { workspace = true }
@@ -31,8 +35,6 @@ url = "2"
axum = { workspace = true }
axum-extra = { workspace = true }
bytes = { workspace = true }
async-stream = { workspace = true }
tower = { workspace = true }
tower-http = { workspace = true }
jsonwebtoken = { workspace = true }
@@ -40,9 +42,9 @@ argon2 = { workspace = true }
totp-rs = { workspace = true }
urlencoding = "2"
data-encoding = "2"
aes-gcm = { workspace = true }
utoipa = { version = "5", features = ["axum_extras"] }
utoipa-swagger-ui = { version = "5", features = ["axum"] }
regex = "1"
aes-gcm = "0.10"
bytes = "1"
[dev-dependencies]
tempfile = { workspace = true }

339
crates/zclaw-saas/migrations/20260329000001_initial_schema.sql Normal file
View File

@@ -0,0 +1,339 @@
-- Migration: Initial schema with TIMESTAMPTZ
-- Extracted from inline SCHEMA_SQL in db.rs, with TEXT timestamps converted to TIMESTAMPTZ.
CREATE TABLE IF NOT EXISTS saas_schema_version (
version INTEGER PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS accounts (
id TEXT PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
email TEXT NOT NULL UNIQUE,
password_hash TEXT NOT NULL,
display_name TEXT NOT NULL DEFAULT '',
avatar_url TEXT,
role TEXT NOT NULL DEFAULT 'user',
status TEXT NOT NULL DEFAULT 'active',
totp_secret TEXT,
totp_enabled BOOLEAN NOT NULL DEFAULT FALSE,
last_login_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_accounts_email ON accounts(email);
CREATE INDEX IF NOT EXISTS idx_accounts_role ON accounts(role);
CREATE TABLE IF NOT EXISTS api_tokens (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
name TEXT NOT NULL,
token_hash TEXT NOT NULL,
token_prefix TEXT NOT NULL,
permissions TEXT NOT NULL DEFAULT '[]',
last_used_at TIMESTAMPTZ,
expires_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
revoked_at TIMESTAMPTZ,
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_api_tokens_account ON api_tokens(account_id);
CREATE INDEX IF NOT EXISTS idx_api_tokens_hash ON api_tokens(token_hash);
CREATE TABLE IF NOT EXISTS roles (
id TEXT PRIMARY KEY,
name TEXT NOT NULL,
description TEXT,
permissions TEXT NOT NULL DEFAULT '[]',
is_system BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS permission_templates (
id TEXT PRIMARY KEY,
name TEXT NOT NULL,
description TEXT,
permissions TEXT NOT NULL DEFAULT '[]',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS operation_logs (
id BIGSERIAL PRIMARY KEY,
account_id TEXT,
action TEXT NOT NULL,
target_type TEXT,
target_id TEXT,
details TEXT,
ip_address TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_op_logs_account ON operation_logs(account_id);
CREATE INDEX IF NOT EXISTS idx_op_logs_action ON operation_logs(action);
CREATE INDEX IF NOT EXISTS idx_op_logs_time ON operation_logs(created_at);
CREATE TABLE IF NOT EXISTS providers (
id TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
display_name TEXT NOT NULL,
api_key TEXT,
base_url TEXT NOT NULL,
api_protocol TEXT NOT NULL DEFAULT 'openai',
enabled BOOLEAN NOT NULL DEFAULT TRUE,
rate_limit_rpm INTEGER,
rate_limit_tpm INTEGER,
config_json TEXT DEFAULT '{}',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS models (
id TEXT PRIMARY KEY,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
alias TEXT NOT NULL,
context_window BIGINT NOT NULL DEFAULT 8192,
max_output_tokens BIGINT NOT NULL DEFAULT 4096,
supports_streaming BOOLEAN NOT NULL DEFAULT TRUE,
supports_vision BOOLEAN NOT NULL DEFAULT FALSE,
enabled BOOLEAN NOT NULL DEFAULT TRUE,
pricing_input DOUBLE PRECISION DEFAULT 0,
pricing_output DOUBLE PRECISION DEFAULT 0,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(provider_id, model_id),
FOREIGN KEY (provider_id) REFERENCES providers(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_models_provider ON models(provider_id);
CREATE TABLE IF NOT EXISTS account_api_keys (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
key_value TEXT NOT NULL,
key_label TEXT,
permissions TEXT NOT NULL DEFAULT '[]',
enabled BOOLEAN NOT NULL DEFAULT TRUE,
last_used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
revoked_at TIMESTAMPTZ,
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE,
FOREIGN KEY (provider_id) REFERENCES providers(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_account_api_keys_account ON account_api_keys(account_id);
CREATE TABLE IF NOT EXISTS usage_records (
id BIGSERIAL PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
input_tokens INTEGER NOT NULL DEFAULT 0,
output_tokens INTEGER NOT NULL DEFAULT 0,
latency_ms INTEGER,
status TEXT NOT NULL DEFAULT 'success',
error_message TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_usage_account ON usage_records(account_id);
CREATE INDEX IF NOT EXISTS idx_usage_time ON usage_records(created_at);
-- idx_usage_day: Skipping because ::date on TIMESTAMPTZ is not IMMUTABLE
-- CREATE INDEX IF NOT EXISTS idx_usage_day ON usage_records((created_at::date));
CREATE TABLE IF NOT EXISTS relay_tasks (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
request_hash TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'queued',
priority INTEGER NOT NULL DEFAULT 0,
attempt_count INTEGER NOT NULL DEFAULT 0,
max_attempts INTEGER NOT NULL DEFAULT 3,
request_body TEXT NOT NULL,
response_body TEXT,
input_tokens INTEGER DEFAULT 0,
output_tokens INTEGER DEFAULT 0,
error_message TEXT,
queued_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
started_at TIMESTAMPTZ,
completed_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_relay_status ON relay_tasks(status);
CREATE INDEX IF NOT EXISTS idx_relay_account ON relay_tasks(account_id);
CREATE INDEX IF NOT EXISTS idx_relay_provider ON relay_tasks(provider_id);
CREATE INDEX IF NOT EXISTS idx_relay_time ON relay_tasks(created_at);
-- idx_relay_day: Skipping because ::date on TIMESTAMPTZ is not IMMUTABLE
-- CREATE INDEX IF NOT EXISTS idx_relay_day ON relay_tasks((created_at::date));
CREATE TABLE IF NOT EXISTS config_items (
id TEXT PRIMARY KEY,
category TEXT NOT NULL,
key_path TEXT NOT NULL,
value_type TEXT NOT NULL,
current_value TEXT,
default_value TEXT,
source TEXT NOT NULL DEFAULT 'local',
description TEXT,
requires_restart BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(category, key_path)
);
CREATE INDEX IF NOT EXISTS idx_config_category ON config_items(category);
CREATE TABLE IF NOT EXISTS config_sync_log (
id BIGSERIAL PRIMARY KEY,
account_id TEXT NOT NULL,
client_fingerprint TEXT NOT NULL,
action TEXT NOT NULL,
config_keys TEXT NOT NULL,
client_values TEXT,
saas_values TEXT,
resolution TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_sync_account ON config_sync_log(account_id);
CREATE TABLE IF NOT EXISTS devices (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
device_id TEXT NOT NULL,
device_name TEXT,
platform TEXT,
app_version TEXT,
last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_devices_account ON devices(account_id);
CREATE INDEX IF NOT EXISTS idx_devices_device_id ON devices(device_id);
CREATE UNIQUE INDEX IF NOT EXISTS idx_devices_unique ON devices(account_id, device_id);
-- Prompt template master table
CREATE TABLE IF NOT EXISTS prompt_templates (
id TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
category TEXT NOT NULL,
description TEXT,
source TEXT NOT NULL DEFAULT 'builtin',
current_version INTEGER NOT NULL DEFAULT 1,
status TEXT NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_prompt_status ON prompt_templates(status);
-- Prompt versions table (immutable)
CREATE TABLE IF NOT EXISTS prompt_versions (
id TEXT PRIMARY KEY,
template_id TEXT NOT NULL,
version INTEGER NOT NULL,
system_prompt TEXT,
user_prompt_template TEXT,
variables TEXT NOT NULL DEFAULT '[]',
changelog TEXT,
min_app_version TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(template_id, version)
);
CREATE INDEX IF NOT EXISTS idx_prompt_ver_template ON prompt_versions(template_id);
-- Client prompt sync status
CREATE TABLE IF NOT EXISTS prompt_sync_status (
device_id TEXT NOT NULL,
template_id TEXT NOT NULL,
synced_version INTEGER NOT NULL,
synced_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
PRIMARY KEY(device_id, template_id)
);
-- Provider Key Pool table
CREATE TABLE IF NOT EXISTS provider_keys (
id TEXT PRIMARY KEY,
provider_id TEXT NOT NULL,
key_label TEXT NOT NULL,
key_value TEXT NOT NULL,
priority INTEGER NOT NULL DEFAULT 0,
max_rpm INTEGER,
max_tpm INTEGER,
quota_reset_interval TEXT,
is_active BOOLEAN NOT NULL DEFAULT TRUE,
last_429_at TIMESTAMPTZ,
cooldown_until TIMESTAMPTZ,
total_requests BIGINT NOT NULL DEFAULT 0,
total_tokens BIGINT NOT NULL DEFAULT 0,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pkeys_provider ON provider_keys(provider_id);
CREATE INDEX IF NOT EXISTS idx_pkeys_active ON provider_keys(provider_id, is_active);
-- Key usage sliding window
CREATE TABLE IF NOT EXISTS key_usage_window (
key_id TEXT NOT NULL,
window_minute TEXT NOT NULL,
request_count INTEGER NOT NULL DEFAULT 0,
token_count BIGINT NOT NULL DEFAULT 0,
PRIMARY KEY(key_id, window_minute)
);
-- Agent config template table
CREATE TABLE IF NOT EXISTS agent_templates (
id TEXT PRIMARY KEY,
name TEXT NOT NULL,
description TEXT,
category TEXT NOT NULL DEFAULT 'general',
source TEXT NOT NULL DEFAULT 'builtin',
model TEXT,
system_prompt TEXT,
tools TEXT NOT NULL DEFAULT '[]'::text,
capabilities TEXT NOT NULL DEFAULT '[]'::text,
temperature DOUBLE PRECISION,
max_tokens INTEGER,
visibility TEXT NOT NULL DEFAULT 'public',
status TEXT NOT NULL DEFAULT 'active',
current_version INTEGER NOT NULL DEFAULT 1,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_agent_tmpl_status ON agent_templates(status);
CREATE INDEX IF NOT EXISTS idx_agent_tmpl_visibility ON agent_templates(visibility);
-- Desktop telemetry report table (token usage statistics, no content)
CREATE TABLE IF NOT EXISTS telemetry_reports (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
device_id TEXT NOT NULL,
app_version TEXT,
model_id TEXT NOT NULL,
input_tokens BIGINT NOT NULL DEFAULT 0,
output_tokens BIGINT NOT NULL DEFAULT 0,
latency_ms INTEGER,
success BOOLEAN NOT NULL DEFAULT TRUE,
error_type TEXT,
connection_mode TEXT NOT NULL DEFAULT 'tauri',
reported_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_telemetry_account ON telemetry_reports(account_id);
CREATE INDEX IF NOT EXISTS idx_telemetry_time ON telemetry_reports(reported_at);
CREATE INDEX IF NOT EXISTS idx_telemetry_model ON telemetry_reports(model_id);
-- idx_telemetry_day: Skipping because ::date on TIMESTAMPTZ is not IMMUTABLE
-- CREATE INDEX IF NOT EXISTS idx_telemetry_day ON telemetry_reports((reported_at::date));
-- Refresh Token storage (single-use, JWT jti tracking)
CREATE TABLE IF NOT EXISTS refresh_tokens (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
jti TEXT NOT NULL UNIQUE,
token_hash TEXT NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_refresh_account ON refresh_tokens(account_id);
CREATE INDEX IF NOT EXISTS idx_refresh_jti ON refresh_tokens(jti);
CREATE INDEX IF NOT EXISTS idx_refresh_expires ON refresh_tokens(expires_at);

9
crates/zclaw-saas/migrations/20260329000002_seed_data.sql Normal file
View File

@@ -0,0 +1,9 @@
-- Migration: Seed roles (super_admin, admin, user)
-- Timestamps use NOW() to match TIMESTAMPTZ columns from initial schema.
INSERT INTO roles (id, name, description, permissions, is_system, created_at, updated_at)
VALUES
('super_admin', '超级管理员', '拥有所有权限', '["admin:full","account:admin","provider:manage","model:manage","relay:admin","config:write","prompt:read","prompt:write","prompt:publish","prompt:admin"]', TRUE, NOW(), NOW()),
('admin', '管理员', '管理账号和配置', '["account:read","account:admin","provider:manage","model:read","model:manage","relay:use","relay:admin","config:read","config:write","prompt:read","prompt:write","prompt:publish"]', TRUE, NOW(), NOW()),
('user', '普通用户', '基础使用权限', '["model:read","relay:use","config:read","prompt:read"]', TRUE, NOW(), NOW())
ON CONFLICT (id) DO NOTHING;

225
crates/zclaw-saas/src/account/handlers.rs
View File

@@ -8,6 +8,7 @@ use crate::state::AppState;
use crate::error::{SaasError, SaasResult};
use crate::auth::types::AuthContext;
use crate::auth::handlers::{log_operation, check_permission};
use crate::models::{OperationLogRow, DashboardStatsRow, DashboardTodayRow};
use super::{types::*, service};
fn require_admin(ctx: &AuthContext) -> SaasResult<()> {
@@ -37,7 +38,7 @@ pub async fn get_account(
service::get_account(&state.db, &id).await.map(Json)
}
/// PUT /api/v1/accounts/:id (admin or self for limited fields)
/// PATCH /api/v1/accounts/:id (admin or self for limited fields)
pub async fn update_account(
State(state): State<AppState>,
Path(id): Path<String>,
@@ -80,12 +81,15 @@ pub async fn update_status(
Ok(Json(serde_json::json!({"ok": true})))
}
/// GET /api/v1/tokens
/// GET /api/v1/tokens?page=1&page_size=20
pub async fn list_tokens(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<Vec<TokenInfo>>> {
service::list_api_tokens(&state.db, &ctx.account_id).await.map(Json)
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<PaginatedResponse<TokenInfo>>> {
let page = params.get("page").and_then(|v| v.parse().ok());
let page_size = params.get("page_size").and_then(|v| v.parse().ok());
service::list_api_tokens(&state.db, &ctx.account_id, page, page_size).await.map(Json)
}
/// POST /api/v1/tokens
@@ -94,9 +98,24 @@ pub async fn create_token(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<CreateTokenRequest>,
) -> SaasResult<Json<TokenInfo>> {
let token = service::create_api_token(&state.db, &ctx.account_id, &req).await?;
// 权限校验: 创建的 token 不能超出创建者已有的权限
let allowed_permissions: Vec<String> = req.permissions
.into_iter()
.filter(|p| ctx.permissions.contains(p))
.collect();
if allowed_permissions.is_empty() {
return Err(SaasError::InvalidInput("请求的权限均不被允许".into()));
}
let filtered_req = CreateTokenRequest {
name: req.name,
permissions: allowed_permissions,
expires_days: req.expires_days,
};
let token = service::create_api_token(&state.db, &ctx.account_id, &filtered_req).await?;
log_operation(&state.db, &ctx.account_id, "token.create", "api_token", &token.id,
Some(serde_json::json!({"name": &req.name})), ctx.client_ip.as_deref()).await?;
Some(serde_json::json!({"name": &filtered_req.name})), ctx.client_ip.as_deref()).await?;
Ok(Json(token))
}
@@ -116,52 +135,35 @@ pub async fn list_operation_logs(
State(state): State<AppState>,
Query(params): Query<std::collections::HashMap<String, String>>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<Vec<serde_json::Value>>> {
) -> SaasResult<Json<PaginatedResponse<serde_json::Value>>> {
require_admin(&ctx)?;
let page: i64 = params.get("page").and_then(|v| v.parse().ok()).unwrap_or(1);
let page_size: i64 = params.get("page_size").and_then(|v| v.parse().ok()).unwrap_or(50);
let offset = (page - 1) * page_size;
let action_filter = params.get("action").map(|s| s.as_str());
let target_type_filter = params.get("target_type").map(|s| s.as_str());
let page: u32 = params.get("page").and_then(|v| v.parse().ok()).unwrap_or(1).max(1);
let page_size: u32 = params.get("page_size").and_then(|v| v.parse().ok()).unwrap_or(50).min(100);
let offset = ((page - 1) * page_size) as i64;
let mut sql = String::from(
let total: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM operation_logs")
.fetch_one(&state.db).await?;
let rows: Vec<OperationLogRow> =
sqlx::query_as(
"SELECT id, account_id, action, target_type, target_id, details, ip_address, created_at
FROM operation_logs"
);
let mut param_idx: usize = 1;
if action_filter.is_some() || target_type_filter.is_some() {
sql.push_str(" WHERE 1=1");
if action_filter.is_some() {
sql.push_str(&format!(" AND action = ${}", param_idx));
param_idx += 1;
}
if target_type_filter.is_some() {
sql.push_str(&format!(" AND target_type = ${}", param_idx));
param_idx += 1;
}
}
sql.push_str(&format!(" ORDER BY created_at DESC LIMIT ${} OFFSET ${}", param_idx, param_idx + 1));
FROM operation_logs ORDER BY created_at DESC LIMIT $1 OFFSET $2"
)
.bind(page_size as i64)
.bind(offset)
.fetch_all(&state.db)
.await?;
let mut query = sqlx::query_as::<_, (i64, Option<String>, String, Option<String>, Option<String>, Option<String>, Option<String>, chrono::DateTime<chrono::Utc>)>(&sql);
if let Some(action) = action_filter {
query = query.bind(action);
}
if let Some(target_type) = target_type_filter {
query = query.bind(target_type);
}
query = query.bind(page_size).bind(offset);
let rows = query.fetch_all(&state.db).await?;
let items: Vec<serde_json::Value> = rows.into_iter().map(|(id, account_id, action, target_type, target_id, details, ip_address, created_at)| {
let items: Vec<serde_json::Value> = rows.into_iter().map(|r| {
serde_json::json!({
"id": id, "account_id": account_id, "action": action,
"target_type": target_type, "target_id": target_id,
"details": details.and_then(|d| serde_json::from_str::<serde_json::Value>(&d).ok()),
"ip_address": ip_address, "created_at": created_at.to_rfc3339(),
"id": r.id, "account_id": r.account_id, "action": r.action,
"target_type": r.target_type, "target_id": r.target_id,
"details": r.details.and_then(|d| serde_json::from_str::<serde_json::Value>(&d).ok()),
"ip_address": r.ip_address, "created_at": r.created_at,
})
}).collect();
Ok(Json(items))
Ok(Json(PaginatedResponse { items, total, page, page_size }))
}
/// GET /api/v1/stats/dashboard — 仪表盘聚合统计 (需要 admin 权限)
@@ -171,27 +173,41 @@ pub async fn dashboard_stats(
) -> SaasResult<Json<serde_json::Value>> {
require_admin(&ctx)?;
let row: (i64, i64, i64, i64, i64, i64, i64) = sqlx::query_as(
// 查询 1: 账号 + Provider + Model 聚合 (一次查询)
let stats_row: DashboardStatsRow = sqlx::query_as(
"SELECT
(SELECT COUNT(*) FROM accounts),
(SELECT COUNT(*) FROM accounts WHERE status = 'active'),
(SELECT COUNT(*) FROM relay_tasks WHERE DATE(created_at) = CURRENT_DATE),
(SELECT COUNT(*) FROM providers WHERE enabled = true),
(SELECT COUNT(*) FROM models WHERE enabled = true),
(SELECT COALESCE(SUM(input_tokens), 0) FROM usage_records WHERE DATE(created_at) = CURRENT_DATE),
(SELECT COALESCE(SUM(output_tokens), 0) FROM usage_records WHERE DATE(created_at) = CURRENT_DATE)"
)
.fetch_one(&state.db)
.await?;
(SELECT COUNT(*) FROM accounts) as total_accounts,
(SELECT COUNT(*) FROM accounts WHERE status = 'active') as active_accounts,
(SELECT COUNT(*) FROM providers WHERE enabled = true) as active_providers,
(SELECT COUNT(*) FROM models WHERE enabled = true) as active_models"
).fetch_one(&state.db).await?;
// 查询 2: 今日中转统计 — 使用范围查询走 B-tree 索引
let today_start = chrono::Utc::now()
.date_naive()
.and_hms_opt(0, 0, 0).unwrap()
.and_utc()
.to_rfc3339();
let tomorrow_start = (chrono::Utc::now() + chrono::Duration::days(1))
.date_naive()
.and_hms_opt(0, 0, 0).unwrap()
.and_utc()
.to_rfc3339();
let today_row: DashboardTodayRow = sqlx::query_as(
"SELECT
(SELECT COUNT(*) FROM relay_tasks WHERE created_at >= $1 AND created_at < $2) as tasks_today,
COALESCE((SELECT SUM(input_tokens) FROM usage_records WHERE created_at >= $1 AND created_at < $2), 0) as tokens_input,
COALESCE((SELECT SUM(output_tokens) FROM usage_records WHERE created_at >= $1 AND created_at < $2), 0) as tokens_output"
).bind(&today_start).bind(&tomorrow_start).fetch_one(&state.db).await?;
Ok(Json(serde_json::json!({
"total_accounts": row.0,
"active_accounts": row.1,
"tasks_today": row.2,
"active_providers": row.3,
"active_models": row.4,
"tokens_today_input": row.5,
"tokens_today_output": row.6,
"total_accounts": stats_row.total_accounts,
"active_accounts": stats_row.active_accounts,
"tasks_today": today_row.tasks_today,
"active_providers": stats_row.active_providers,
"active_models": stats_row.active_models,
"tokens_today_input": today_row.tokens_input,
"tokens_today_output": today_row.tokens_output,
})))
}
@@ -201,9 +217,16 @@ pub async fn dashboard_stats(
pub async fn register_device(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Json(req): Json<super::types::RegisterDeviceRequest>,
Json(req): Json<serde_json::Value>,
) -> SaasResult<Json<serde_json::Value>> {
let now = chrono::Utc::now();
let device_id = req.get("device_id")
.and_then(|v| v.as_str())
.ok_or_else(|| SaasError::InvalidInput("缺少 device_id".into()))?;
let device_name = req.get("device_name").and_then(|v| v.as_str()).unwrap_or("Unknown");
let platform = req.get("platform").and_then(|v| v.as_str()).unwrap_or("unknown");
let app_version = req.get("app_version").and_then(|v| v.as_str()).unwrap_or("");
let now = chrono::Utc::now().to_rfc3339();
let device_uuid = uuid::Uuid::new_v4().to_string();
// UPSERT: 已存在则更新 last_seen_at不存在则插入
@@ -211,40 +234,62 @@ pub async fn register_device(
"INSERT INTO devices (id, account_id, device_id, device_name, platform, app_version, last_seen_at, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $7)
ON CONFLICT(account_id, device_id) DO UPDATE SET
device_name = EXCLUDED.device_name, platform = EXCLUDED.platform, app_version = EXCLUDED.app_version, last_seen_at = EXCLUDED.last_seen_at"
device_name = $4, platform = $5, app_version = $6, last_seen_at = $7"
)
.bind(&device_uuid)
.bind(&ctx.account_id)
.bind(&req.device_id)
.bind(&req.device_name)
.bind(&req.platform)
.bind(&req.app_version)
.bind(device_id)
.bind(device_name)
.bind(platform)
.bind(app_version)
.bind(&now)
.execute(&state.db)
.await?;
log_operation(&state.db, &ctx.account_id, "device.register", "device", &req.device_id,
Some(serde_json::json!({"device_name": req.device_name, "platform": req.platform})),
log_operation(&state.db, &ctx.account_id, "device.register", "device", device_id,
Some(serde_json::json!({"device_name": device_name, "platform": platform})),
ctx.client_ip.as_deref()).await?;
Ok(Json(serde_json::json!({"ok": true, "device_id": req.device_id})))
Ok(Json(serde_json::json!({"ok": true, "device_id": device_id})))
}
/// POST /api/v1/devices/heartbeat — 设备心跳
pub async fn device_heartbeat(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Json(req): Json<super::types::DeviceHeartbeatRequest>,
Json(req): Json<serde_json::Value>,
) -> SaasResult<Json<serde_json::Value>> {
let now = chrono::Utc::now();
let result = sqlx::query(
let device_id = req.get("device_id")
.and_then(|v| v.as_str())
.ok_or_else(|| SaasError::InvalidInput("缺少 device_id".into()))?;
let now = chrono::Utc::now().to_rfc3339();
// Also update platform/app_version if provided (supports client upgrades)
let platform = req.get("platform").and_then(|v| v.as_str());
let app_version = req.get("app_version").and_then(|v| v.as_str());
let result = if platform.is_some() || app_version.is_some() {
sqlx::query(
"UPDATE devices SET last_seen_at = $1, platform = COALESCE($4, platform), app_version = COALESCE($5, app_version) WHERE account_id = $2 AND device_id = $3"
)
.bind(&now)
.bind(&ctx.account_id)
.bind(device_id)
.bind(platform)
.bind(app_version)
.execute(&state.db)
.await?
} else {
sqlx::query(
"UPDATE devices SET last_seen_at = $1 WHERE account_id = $2 AND device_id = $3"
)
.bind(&now)
.bind(&ctx.account_id)
.bind(&req.device_id)
.bind(device_id)
.execute(&state.db)
.await?;
.await?
};
if result.rows_affected() == 0 {
return Err(SaasError::NotFound("设备未注册".into()));
@@ -253,27 +298,13 @@ pub async fn device_heartbeat(
Ok(Json(serde_json::json!({"ok": true})))
}
/// GET /api/v1/devices — 列出当前用户的设备
/// GET /api/v1/devices?page=1&page_size=20 — 列出当前用户的设备
pub async fn list_devices(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<Vec<super::types::DeviceInfo>>> {
let rows: Vec<(String, String, Option<String>, Option<String>, Option<String>, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)> =
sqlx::query_as(
"SELECT id, device_id, device_name, platform, app_version, last_seen_at, created_at
FROM devices WHERE account_id = $1 ORDER BY last_seen_at DESC"
)
.bind(&ctx.account_id)
.fetch_all(&state.db)
.await?;
let items: Vec<super::types::DeviceInfo> = rows.into_iter().map(|r| {
super::types::DeviceInfo {
id: r.0, device_id: r.1,
device_name: r.2, platform: r.3, app_version: r.4,
last_seen_at: r.5.to_rfc3339(), created_at: r.6.to_rfc3339(),
}
}).collect();
Ok(Json(items))
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<PaginatedResponse<serde_json::Value>>> {
let page = params.get("page").and_then(|v| v.parse().ok());
let page_size = params.get("page_size").and_then(|v| v.parse().ok());
service::list_devices(&state.db, &ctx.account_id, page, page_size).await.map(Json)
}

10
crates/zclaw-saas/src/account/mod.rs
View File

@@ -4,17 +4,17 @@ pub mod types;
pub mod service;
pub mod handlers;
use axum::routing::{delete, get, patch, post, put};
use axum::routing::{delete, get, patch, post};
pub fn routes() -> axum::Router<crate::state::AppState> {
axum::Router::new()
.route("/api/v1/accounts", get(handlers::list_accounts))
.route("/api/v1/accounts/{id}", get(handlers::get_account))
.route("/api/v1/accounts/{id}", put(handlers::update_account))
.route("/api/v1/accounts/{id}/status", patch(handlers::update_status))
.route("/api/v1/accounts/:id", get(handlers::get_account))
.route("/api/v1/accounts/:id", patch(handlers::update_account))
.route("/api/v1/accounts/:id/status", patch(handlers::update_status))
.route("/api/v1/tokens", get(handlers::list_tokens))
.route("/api/v1/tokens", post(handlers::create_token))
.route("/api/v1/tokens/{id}", delete(handlers::revoke_token))
.route("/api/v1/tokens/:id", delete(handlers::revoke_token))
.route("/api/v1/logs/operations", get(handlers::list_operation_logs))
.route("/api/v1/stats/dashboard", get(handlers::dashboard_stats))
.route("/api/v1/devices", get(handlers::list_devices))

289
crates/zclaw-saas/src/account/service.rs
View File

@@ -2,6 +2,8 @@
use sqlx::PgPool;
use crate::error::{SaasError, SaasResult};
use crate::common::{PaginatedResponse, normalize_pagination};
use crate::models::{AccountRow, ApiTokenRow, DeviceRow};
use super::types::*;
pub async fn list_accounts(
@@ -12,60 +14,116 @@ pub async fn list_accounts(
let page_size = query.page_size.unwrap_or(20).min(100);
let offset = (page - 1) * page_size;
let mut where_clauses = Vec::new();
let mut params: Vec<String> = Vec::new();
let mut param_idx: usize = 1;
if let Some(role) = &query.role {
where_clauses.push(format!("role = ${}", param_idx));
params.push(role.clone());
param_idx += 1;
}
if let Some(status) = &query.status {
where_clauses.push(format!("status = ${}", param_idx));
params.push(status.clone());
param_idx += 1;
}
if let Some(search) = &query.search {
where_clauses.push(format!("(username LIKE ${} OR email LIKE ${} OR display_name LIKE ${})", param_idx, param_idx + 1, param_idx + 2));
// Static SQL per combination -- no format!() string interpolation
let (total, rows) = match (&query.role, &query.status, &query.search) {
// role + status + search
(Some(role), Some(status), Some(search)) => {
let pattern = format!("%{}%", search);
params.push(pattern.clone());
params.push(pattern.clone());
params.push(pattern);
param_idx += 3;
}
let where_sql = if where_clauses.is_empty() {
String::new()
} else {
format!("WHERE {}", where_clauses.join(" AND "))
};
let count_sql = format!("SELECT COUNT(*) as count FROM accounts {}", where_sql);
let mut count_query = sqlx::query_scalar::<_, i64>(&count_sql);
for p in &params {
count_query = count_query.bind(p);
}
let total: i64 = count_query.fetch_one(db).await?;
let data_sql = format!(
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE role = $1 AND status = $2 AND (username LIKE $3 OR email LIKE $3 OR display_name LIKE $3)"
).bind(role).bind(status).bind(&pattern).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts {} ORDER BY created_at DESC LIMIT ${} OFFSET ${}",
where_sql, param_idx, param_idx + 1
);
let mut data_query = sqlx::query_as::<_, (String, String, String, String, String, String, bool, Option<chrono::DateTime<chrono::Utc>>, chrono::DateTime<chrono::Utc>)>(&data_sql);
for p in &params {
data_query = data_query.bind(p);
FROM accounts WHERE role = $1 AND status = $2 AND (username LIKE $3 OR email LIKE $3 OR display_name LIKE $3)
ORDER BY created_at DESC LIMIT $4 OFFSET $5"
).bind(role).bind(status).bind(&pattern).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
let rows = data_query.bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
// role + status
(Some(role), Some(status), None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE role = $1 AND status = $2"
).bind(role).bind(status).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE role = $1 AND status = $2
ORDER BY created_at DESC LIMIT $3 OFFSET $4"
).bind(role).bind(status).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// role + search
(Some(role), None, Some(search)) => {
let pattern = format!("%{}%", search);
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE role = $1 AND (username LIKE $2 OR email LIKE $2 OR display_name LIKE $2)"
).bind(role).bind(&pattern).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE role = $1 AND (username LIKE $2 OR email LIKE $2 OR display_name LIKE $2)
ORDER BY created_at DESC LIMIT $3 OFFSET $4"
).bind(role).bind(&pattern).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// status + search
(None, Some(status), Some(search)) => {
let pattern = format!("%{}%", search);
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE status = $1 AND (username LIKE $2 OR email LIKE $2 OR display_name LIKE $2)"
).bind(status).bind(&pattern).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE status = $1 AND (username LIKE $2 OR email LIKE $2 OR display_name LIKE $2)
ORDER BY created_at DESC LIMIT $3 OFFSET $4"
).bind(status).bind(&pattern).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// role only
(Some(role), None, None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE role = $1"
).bind(role).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE role = $1
ORDER BY created_at DESC LIMIT $2 OFFSET $3"
).bind(role).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// status only
(None, Some(status), None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE status = $1"
).bind(status).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE status = $1
ORDER BY created_at DESC LIMIT $2 OFFSET $3"
).bind(status).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// search only
(None, None, Some(search)) => {
let pattern = format!("%{}%", search);
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts WHERE (username LIKE $1 OR email LIKE $1 OR display_name LIKE $1)"
).bind(&pattern).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE (username LIKE $1 OR email LIKE $1 OR display_name LIKE $1)
ORDER BY created_at DESC LIMIT $2 OFFSET $3"
).bind(&pattern).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
// no filter
(None, None, None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM accounts"
).fetch_one(db).await?;
let rows = sqlx::query_as::<_, AccountRow>(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts ORDER BY created_at DESC LIMIT $1 OFFSET $2"
).bind(page_size as i64).bind(offset as i64).fetch_all(db).await?;
(total, rows)
}
};
let items: Vec<serde_json::Value> = rows
.into_iter()
.map(|(id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at)| {
.map(|r| {
serde_json::json!({
"id": id, "username": username, "email": email, "display_name": display_name,
"role": role, "status": status, "totp_enabled": totp_enabled,
"last_login_at": last_login_at.map(|t| t.to_rfc3339()), "created_at": created_at.to_rfc3339(),
"id": r.id, "username": r.username, "email": r.email, "display_name": r.display_name,
"role": r.role, "status": r.status, "totp_enabled": r.totp_enabled,
"last_login_at": r.last_login_at, "created_at": r.created_at,
})
})
.collect();
@@ -74,7 +132,7 @@ pub async fn list_accounts(
}
pub async fn get_account(db: &PgPool, account_id: &str) -> SaasResult<serde_json::Value> {
let row: Option<(String, String, String, String, String, String, bool, Option<chrono::DateTime<chrono::Utc>>, chrono::DateTime<chrono::Utc>)> =
let row: Option<AccountRow> =
sqlx::query_as(
"SELECT id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at
FROM accounts WHERE id = $1"
@@ -83,13 +141,12 @@ pub async fn get_account(db: &PgPool, account_id: &str) -> SaasResult<serde_json
.fetch_optional(db)
.await?;
let (id, username, email, display_name, role, status, totp_enabled, last_login_at, created_at) =
row.ok_or_else(|| SaasError::NotFound(format!("账号 {} 不存在", account_id)))?;
let r = row.ok_or_else(|| SaasError::NotFound(format!("账号 {} 不存在", account_id)))?;
Ok(serde_json::json!({
"id": id, "username": username, "email": email, "display_name": display_name,
"role": role, "status": status, "totp_enabled": totp_enabled,
"last_login_at": last_login_at.map(|t| t.to_rfc3339()), "created_at": created_at.to_rfc3339(),
"id": r.id, "username": r.username, "email": r.email, "display_name": r.display_name,
"role": r.role, "status": r.status, "totp_enabled": r.totp_enabled,
"last_login_at": r.last_login_at, "created_at": r.created_at,
}))
}
@@ -98,31 +155,27 @@ pub async fn update_account(
account_id: &str,
req: &UpdateAccountRequest,
) -> SaasResult<serde_json::Value> {
let now = chrono::Utc::now();
let mut updates = Vec::new();
let mut params: Vec<String> = Vec::new();
let mut param_idx: usize = 1;
let now = chrono::Utc::now().to_rfc3339();
if let Some(ref v) = req.display_name { updates.push(format!("display_name = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if let Some(ref v) = req.email { updates.push(format!("email = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if let Some(ref v) = req.role { updates.push(format!("role = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if let Some(ref v) = req.avatar_url { updates.push(format!("avatar_url = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
// COALESCE pattern: all updatable fields in a single static SQL.
// NULL parameters leave the column unchanged.
sqlx::query(
"UPDATE accounts SET
display_name = COALESCE($1, display_name),
email = COALESCE($2, email),
role = COALESCE($3, role),
avatar_url = COALESCE($4, avatar_url),
updated_at = $5
WHERE id = $6"
)
.bind(req.display_name.as_deref())
.bind(req.email.as_deref())
.bind(req.role.as_deref())
.bind(req.avatar_url.as_deref())
.bind(&now)
.bind(account_id)
.execute(db).await?;
if updates.is_empty() {
return get_account(db, account_id).await;
}
updates.push(format!("updated_at = ${}", param_idx));
param_idx += 1;
params.push(account_id.to_string());
let sql = format!("UPDATE accounts SET {} WHERE id = ${}", updates.join(", "), param_idx);
let mut query = sqlx::query(&sql);
for p in &params {
query = query.bind(p);
}
query = query.bind(now);
query.execute(db).await?;
get_account(db, account_id).await
}
@@ -135,7 +188,7 @@ pub async fn update_account_status(
if !valid.contains(&status) {
return Err(SaasError::InvalidInput(format!("无效状态: {},有效值: {:?}", status, valid)));
}
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let result = sqlx::query("UPDATE accounts SET status = $1, updated_at = $2 WHERE id = $3")
.bind(status).bind(&now).bind(account_id)
.execute(db).await?;
@@ -160,12 +213,10 @@ pub async fn create_api_token(
let token_hash = hex::encode(Sha256::digest(raw_token.as_bytes()));
let token_prefix = raw_token[..8].to_string();
let now = chrono::Utc::now();
let now_str = now.to_rfc3339();
let now = chrono::Utc::now().to_rfc3339();
let expires_at = req.expires_days.map(|d| {
chrono::Utc::now() + chrono::Duration::days(d)
(chrono::Utc::now() + chrono::Duration::days(d)).to_rfc3339()
});
let expires_at_str = expires_at.as_ref().map(|t| t.to_rfc3339());
let permissions = serde_json::to_string(&req.permissions)?;
let token_id = uuid::Uuid::new_v4().to_string();
@@ -190,8 +241,8 @@ pub async fn create_api_token(
token_prefix,
permissions: req.permissions.clone(),
last_used_at: None,
expires_at: expires_at_str,
created_at: now_str,
expires_at,
created_at: now,
token: Some(raw_token),
})
}
@@ -199,24 +250,76 @@ pub async fn create_api_token(
pub async fn list_api_tokens(
db: &PgPool,
account_id: &str,
) -> SaasResult<Vec<TokenInfo>> {
let rows: Vec<(String, String, String, String, Option<chrono::DateTime<chrono::Utc>>, Option<chrono::DateTime<chrono::Utc>>, chrono::DateTime<chrono::Utc>)> =
sqlx::query_as(
"SELECT id, name, token_prefix, permissions, last_used_at, expires_at, created_at
FROM api_tokens WHERE account_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC"
page: Option<u32>,
page_size: Option<u32>,
) -> SaasResult<PaginatedResponse<TokenInfo>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
let total: (i64,) = sqlx::query_as(
"SELECT COUNT(*) FROM api_tokens WHERE account_id = $1 AND revoked_at IS NULL"
)
.bind(account_id)
.fetch_one(db)
.await?;
let rows: Vec<ApiTokenRow> =
sqlx::query_as(
"SELECT id, name, token_prefix, permissions, last_used_at, expires_at, created_at
FROM api_tokens WHERE account_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $2 OFFSET $3"
)
.bind(account_id)
.bind(ps as i64)
.bind(offset)
.fetch_all(db)
.await?;
Ok(rows.into_iter().map(|(id, name, token_prefix, perms, last_used, expires, created)| {
let permissions: Vec<String> = serde_json::from_str(&perms).unwrap_or_default();
TokenInfo { id, name, token_prefix, permissions, last_used_at: last_used.map(|t| t.to_rfc3339()), expires_at: expires.map(|t| t.to_rfc3339()), created_at: created.to_rfc3339(), token: None, }
}).collect())
let items = rows.into_iter().map(|r| {
let permissions: Vec<String> = serde_json::from_str(&r.permissions).unwrap_or_default();
TokenInfo { id: r.id, name: r.name, token_prefix: r.token_prefix, permissions, last_used_at: r.last_used_at, expires_at: r.expires_at, created_at: r.created_at, token: None, }
}).collect();
Ok(PaginatedResponse { items, total: total.0, page: p, page_size: ps })
}
pub async fn list_devices(
db: &PgPool,
account_id: &str,
page: Option<u32>,
page_size: Option<u32>,
) -> SaasResult<PaginatedResponse<serde_json::Value>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
let total: (i64,) = sqlx::query_as(
"SELECT COUNT(*) FROM devices WHERE account_id = $1"
)
.bind(account_id)
.fetch_one(db)
.await?;
let rows: Vec<DeviceRow> =
sqlx::query_as(
"SELECT id, device_id, device_name, platform, app_version, last_seen_at, created_at
FROM devices WHERE account_id = $1 ORDER BY last_seen_at DESC LIMIT $2 OFFSET $3"
)
.bind(account_id)
.bind(ps as i64)
.bind(offset)
.fetch_all(db)
.await?;
let items: Vec<serde_json::Value> = rows.into_iter().map(|r| {
serde_json::json!({
"id": r.id, "device_id": r.device_id,
"device_name": r.device_name, "platform": r.platform, "app_version": r.app_version,
"last_seen_at": r.last_seen_at, "created_at": r.created_at,
})
}).collect();
Ok(PaginatedResponse { items, total: total.0, page: p, page_size: ps })
}
pub async fn revoke_api_token(db: &PgPool, token_id: &str, account_id: &str) -> SaasResult<()> {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let result = sqlx::query(
"UPDATE api_tokens SET revoked_at = $1 WHERE id = $2 AND account_id = $3 AND revoked_at IS NULL"
)

67
crates/zclaw-saas/src/account/types.rs
View File

@@ -2,7 +2,10 @@
use serde::{Deserialize, Serialize};
#[derive(Debug, Deserialize, utoipa::ToSchema)]
// Re-export from common module
pub use crate::common::PaginatedResponse;
#[derive(Debug, Deserialize)]
pub struct UpdateAccountRequest {
pub display_name: Option<String>,
pub email: Option<String>,
@@ -10,12 +13,12 @@ pub struct UpdateAccountRequest {
pub avatar_url: Option<String>,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct UpdateStatusRequest {
pub status: String,
}
#[derive(Debug, Deserialize, utoipa::ToSchema, utoipa::IntoParams)]
#[derive(Debug, Deserialize)]
pub struct ListAccountsQuery {
pub page: Option<u32>,
pub page_size: Option<u32>,
@@ -24,36 +27,14 @@ pub struct ListAccountsQuery {
pub search: Option<String>,
}
#[derive(Debug, Serialize)]
pub struct PaginatedResponse<T: Serialize> {
pub items: Vec<T>,
pub total: i64,
pub page: u32,
pub page_size: u32,
}
/// Concrete type alias for OpenAPI schema generation.
///
/// NOTE: This is intentionally a concrete (non-generic) type because utoipa
/// requires concrete types for schema generation. It is functionally
/// identical to `Paginated<AccountPublic>`.
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[allow(clippy::manual_non_exhaustive)] // kept for OpenAPI schema
pub struct AccountPublicPaginatedResponse {
pub items: Vec<crate::auth::types::AccountPublic>,
pub total: i64,
pub page: u32,
pub page_size: u32,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct CreateTokenRequest {
pub name: String,
pub permissions: Vec<String>,
pub expires_days: Option<i64>,
}
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct TokenInfo {
pub id: String,
pub name: String,
@@ -65,35 +46,3 @@ pub struct TokenInfo {
#[serde(skip_serializing_if = "Option::is_none")]
pub token: Option<String>,
}
// ============ Device Types ============
#[derive(Debug, Deserialize, utoipa::ToSchema)]
pub struct RegisterDeviceRequest {
pub device_id: String,
#[serde(default = "default_device_name")]
pub device_name: String,
#[serde(default = "default_platform")]
pub platform: String,
#[serde(default)]
pub app_version: String,
}
fn default_device_name() -> String { "Unknown".into() }
fn default_platform() -> String { "unknown".into() }
#[derive(Debug, Deserialize, utoipa::ToSchema)]
pub struct DeviceHeartbeatRequest {
pub device_id: String,
}
#[derive(Debug, Serialize, utoipa::ToSchema)]
pub struct DeviceInfo {
pub id: String,
pub device_id: String,
pub device_name: Option<String>,
pub platform: Option<String>,
pub app_version: Option<String>,
pub last_seen_at: String,
pub created_at: String,
}

104
crates/zclaw-saas/src/agent_template/handlers.rs Normal file
View File

@@ -0,0 +1,104 @@
//! Agent 配置模板 HTTP 处理器
use axum::{
extract::{Extension, Path, Query, State},
Json,
};
use crate::state::AppState;
use crate::error::SaasResult;
use crate::auth::types::AuthContext;
use crate::auth::handlers::{log_operation, check_permission};
use super::types::*;
use super::service;
/// GET /api/v1/agent-templates — 列出 Agent 模板
pub async fn list_templates(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Query(query): Query<AgentTemplateListQuery>,
) -> SaasResult<Json<crate::common::PaginatedResponse<AgentTemplateInfo>>> {
check_permission(&ctx, "model:read")?;
Ok(Json(service::list_templates(&state.db, &query).await?))
}
/// POST /api/v1/agent-templates — 创建 Agent 模板
pub async fn create_template(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Json(req): Json<CreateAgentTemplateRequest>,
) -> SaasResult<Json<AgentTemplateInfo>> {
check_permission(&ctx, "model:manage")?;
let category = req.category.as_deref().unwrap_or("general");
let source = req.source.as_deref().unwrap_or("custom");
let visibility = req.visibility.as_deref().unwrap_or("public");
let tools = req.tools.as_deref().unwrap_or(&[]);
let capabilities = req.capabilities.as_deref().unwrap_or(&[]);
let result = service::create_template(
&state.db, &req.name, req.description.as_deref(),
category, source, req.model.as_deref(),
req.system_prompt.as_deref(),
tools, capabilities,
req.temperature, req.max_tokens, visibility,
).await?;
log_operation(&state.db, &ctx.account_id, "agent_template.create", "agent_template", &result.id,
Some(serde_json::json!({"name": req.name})), ctx.client_ip.as_deref()).await?;
Ok(Json(result))
}
/// GET /api/v1/agent-templates/:id — 获取单个 Agent 模板
pub async fn get_template(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Path(id): Path<String>,
) -> SaasResult<Json<AgentTemplateInfo>> {
check_permission(&ctx, "model:read")?;
Ok(Json(service::get_template(&state.db, &id).await?))
}
/// POST /api/v1/agent-templates/:id — 更新 Agent 模板
pub async fn update_template(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Path(id): Path<String>,
Json(req): Json<UpdateAgentTemplateRequest>,
) -> SaasResult<Json<AgentTemplateInfo>> {
check_permission(&ctx, "model:manage")?;
let result = service::update_template(
&state.db, &id,
req.description.as_deref(),
req.model.as_deref(),
req.system_prompt.as_deref(),
req.tools.as_deref(),
req.capabilities.as_deref(),
req.temperature,
req.max_tokens,
req.visibility.as_deref(),
req.status.as_deref(),
).await?;
log_operation(&state.db, &ctx.account_id, "agent_template.update", "agent_template", &id,
None, ctx.client_ip.as_deref()).await?;
Ok(Json(result))
}
/// DELETE /api/v1/agent-templates/:id — 归档 Agent 模板
pub async fn archive_template(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Path(id): Path<String>,
) -> SaasResult<Json<AgentTemplateInfo>> {
check_permission(&ctx, "model:manage")?;
let result = service::archive_template(&state.db, &id).await?;
log_operation(&state.db, &ctx.account_id, "agent_template.archive", "agent_template", &id,
None, ctx.client_ip.as_deref()).await?;
Ok(Json(result))
}

17
crates/zclaw-saas/src/agent_template/mod.rs Normal file
View File

@@ -0,0 +1,17 @@
//! Agent 配置模板管理模块
pub mod types;
pub mod service;
pub mod handlers;
use axum::routing::{delete, get, post};
use crate::state::AppState;
/// Agent 模板管理路由 (需要认证)
pub fn routes() -> axum::Router<AppState> {
axum::Router::new()
.route("/api/v1/agent-templates", get(handlers::list_templates).post(handlers::create_template))
.route("/api/v1/agent-templates/:id", get(handlers::get_template))
.route("/api/v1/agent-templates/:id", post(handlers::update_template))
.route("/api/v1/agent-templates/:id", delete(handlers::archive_template))
}

170
crates/zclaw-saas/src/agent_template/service.rs Normal file
View File

@@ -0,0 +1,170 @@
//! Agent 配置模板业务逻辑
use sqlx::PgPool;
use crate::error::{SaasError, SaasResult};
use super::types::*;
fn row_to_template(
row: (String, String, Option<String>, String, String, Option<String>, Option<String>,
String, String, Option<f64>, Option<i32>, String, String, i32, String, String),
) -> AgentTemplateInfo {
AgentTemplateInfo {
id: row.0, name: row.1, description: row.2, category: row.3, source: row.4,
model: row.5, system_prompt: row.6, tools: serde_json::from_str(&row.7).unwrap_or_default(),
capabilities: serde_json::from_str(&row.8).unwrap_or_default(),
temperature: row.9, max_tokens: row.10, visibility: row.11, status: row.12,
current_version: row.13, created_at: row.14, updated_at: row.15,
}
}
/// Row type for agent_template queries (avoids multi-line turbofish parsing issues)
type AgentTemplateRow = (String, String, Option<String>, String, String, Option<String>, Option<String>, String, String, Option<f64>, Option<i32>, String, String, i32, String, String);
/// 创建 Agent 模板
pub async fn create_template(
db: &PgPool,
name: &str,
description: Option<&str>,
category: &str,
source: &str,
model: Option<&str>,
system_prompt: Option<&str>,
tools: &[String],
capabilities: &[String],
temperature: Option<f64>,
max_tokens: Option<i32>,
visibility: &str,
) -> SaasResult<AgentTemplateInfo> {
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now().to_rfc3339();
let tools_json = serde_json::to_string(tools).unwrap_or_else(|_| "[]".to_string());
let caps_json = serde_json::to_string(capabilities).unwrap_or_else(|_| "[]".to_string());
sqlx::query(
"INSERT INTO agent_templates (id, name, description, category, source, model, system_prompt,
tools, capabilities, temperature, max_tokens, visibility, status, current_version, created_at, updated_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, 'active', 1, $13, $13)"
)
.bind(&id).bind(name).bind(description).bind(category).bind(source)
.bind(model).bind(system_prompt).bind(&tools_json).bind(&caps_json)
.bind(temperature).bind(max_tokens).bind(visibility).bind(&now)
.execute(db).await.map_err(|e| {
if e.to_string().contains("unique") {
SaasError::AlreadyExists(format!("Agent 模板 '{}' 已存在", name))
} else {
SaasError::Database(e)
}
})?;
get_template(db, &id).await
}
/// 获取单个模板
pub async fn get_template(db: &PgPool, id: &str) -> SaasResult<AgentTemplateInfo> {
let row: Option<AgentTemplateRow> = sqlx::query_as(
"SELECT id, name, description, category, source, model, system_prompt,
tools, capabilities, temperature, max_tokens, visibility, status,
current_version, created_at, updated_at
FROM agent_templates WHERE id = $1"
).bind(id).fetch_optional(db).await?;
row.map(row_to_template)
.ok_or_else(|| SaasError::NotFound(format!("Agent 模板 {} 不存在", id)))
}
/// 列出模板(分页 + 过滤)
/// Static SQL + conditional filter pattern: ($N IS NULL OR col = $N).
/// When the parameter is NULL the whole OR evaluates to TRUE (no filter).
pub async fn list_templates(
db: &PgPool,
query: &AgentTemplateListQuery,
) -> SaasResult<crate::common::PaginatedResponse<AgentTemplateInfo>> {
let page = query.page.unwrap_or(1).max(1);
let page_size = query.page_size.unwrap_or(20).min(100);
let offset = ((page - 1) * page_size) as i64;
let count_sql = "SELECT COUNT(*) FROM agent_templates WHERE ($1 IS NULL OR category = $1) AND ($2 IS NULL OR source = $2) AND ($3 IS NULL OR visibility = $3) AND ($4 IS NULL OR status = $4)";
let data_sql = "SELECT id, name, description, category, source, model, system_prompt,
tools, capabilities, temperature, max_tokens, visibility, status,
current_version, created_at, updated_at
FROM agent_templates WHERE ($1 IS NULL OR category = $1) AND ($2 IS NULL OR source = $2) AND ($3 IS NULL OR visibility = $3) AND ($4 IS NULL OR status = $4) ORDER BY created_at DESC LIMIT $5 OFFSET $6";
let total: i64 = sqlx::query_scalar(count_sql)
.bind(&query.category)
.bind(&query.source)
.bind(&query.visibility)
.bind(&query.status)
.fetch_one(db).await?;
let rows: Vec<AgentTemplateRow> = sqlx::query_as(data_sql)
.bind(&query.category)
.bind(&query.source)
.bind(&query.visibility)
.bind(&query.status)
.bind(page_size as i64)
.bind(offset)
.fetch_all(db).await?;
let items = rows.into_iter().map(row_to_template).collect();
Ok(crate::common::PaginatedResponse { items, total, page, page_size })
}
/// 更新模板
/// COALESCE pattern: all updatable fields in a single static SQL.
/// NULL parameters leave the column unchanged.
pub async fn update_template(
db: &PgPool,
id: &str,
description: Option<&str>,
model: Option<&str>,
system_prompt: Option<&str>,
tools: Option<&[String]>,
capabilities: Option<&[String]>,
temperature: Option<f64>,
max_tokens: Option<i32>,
visibility: Option<&str>,
status: Option<&str>,
) -> SaasResult<AgentTemplateInfo> {
// Confirm existence
get_template(db, id).await?;
let now = chrono::Utc::now().to_rfc3339();
// Serialize JSON fields upfront so we can bind Option<&str> consistently
let tools_json = tools.map(|t| serde_json::to_string(t).unwrap_or_else(|_| "[]".to_string()));
let caps_json = capabilities.map(|c| serde_json::to_string(c).unwrap_or_else(|_| "[]".to_string()));
sqlx::query(
"UPDATE agent_templates SET
description = COALESCE($1, description),
model = COALESCE($2, model),
system_prompt = COALESCE($3, system_prompt),
tools = COALESCE($4, tools),
capabilities = COALESCE($5, capabilities),
temperature = COALESCE($6, temperature),
max_tokens = COALESCE($7, max_tokens),
visibility = COALESCE($8, visibility),
status = COALESCE($9, status),
updated_at = $10
WHERE id = $11"
)
.bind(description)
.bind(model)
.bind(system_prompt)
.bind(tools_json.as_deref())
.bind(caps_json.as_deref())
.bind(temperature)
.bind(max_tokens)
.bind(visibility)
.bind(status)
.bind(&now)
.bind(id)
.execute(db).await?;
get_template(db, id).await
}
/// 归档模板
pub async fn archive_template(db: &PgPool, id: &str) -> SaasResult<AgentTemplateInfo> {
update_template(db, id, None, None, None, None, None, None, None, None, Some("archived")).await
}

65
crates/zclaw-saas/src/agent_template/types.rs Normal file
View File

@@ -0,0 +1,65 @@
//! Agent 配置模板类型定义
use serde::{Deserialize, Serialize};
// --- Agent Template ---
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AgentTemplateInfo {
pub id: String,
pub name: String,
pub description: Option<String>,
pub category: String,
pub source: String,
pub model: Option<String>,
pub system_prompt: Option<String>,
pub tools: Vec<String>,
pub capabilities: Vec<String>,
pub temperature: Option<f64>,
pub max_tokens: Option<i32>,
pub visibility: String,
pub status: String,
pub current_version: i32,
pub created_at: String,
pub updated_at: String,
}
#[derive(Debug, Deserialize)]
pub struct CreateAgentTemplateRequest {
pub name: String,
pub description: Option<String>,
pub category: Option<String>,
pub source: Option<String>,
pub model: Option<String>,
pub system_prompt: Option<String>,
pub tools: Option<Vec<String>>,
pub capabilities: Option<Vec<String>>,
pub temperature: Option<f64>,
pub max_tokens: Option<i32>,
pub visibility: Option<String>,
}
#[derive(Debug, Deserialize)]
pub struct UpdateAgentTemplateRequest {
pub description: Option<String>,
pub model: Option<String>,
pub system_prompt: Option<String>,
pub tools: Option<Vec<String>>,
pub capabilities: Option<Vec<String>>,
pub temperature: Option<f64>,
pub max_tokens: Option<i32>,
pub visibility: Option<String>,
pub status: Option<String>,
}
// --- List ---
#[derive(Debug, Deserialize)]
pub struct AgentTemplateListQuery {
pub category: Option<String>,
pub source: Option<String>,
pub visibility: Option<String>,
pub status: Option<String>,
pub page: Option<u32>,
pub page_size: Option<u32>,
}

336
crates/zclaw-saas/src/auth/handlers.rs
View File

@@ -5,32 +5,45 @@ use std::net::SocketAddr;
use secrecy::ExposeSecret;
use crate::state::AppState;
use crate::error::{SaasError, SaasResult};
use crate::models::{AccountAuthRow, AccountLoginRow};
use super::{
jwt::create_token,
password::{hash_password, verify_password},
types::{AuthContext, LoginRequest, LoginResponse, RegisterRequest, ChangePasswordRequest, AccountPublic},
jwt::{create_token, create_refresh_token, verify_token, verify_token_skip_expiry},
password::{hash_password_async, verify_password_async},
types::{AuthContext, LoginRequest, LoginResponse, RegisterRequest, ChangePasswordRequest, AccountPublic, RefreshRequest},
};
/// POST /api/v1/auth/register
/// 注册成功后自动签发 JWT返回与 login 一致的 LoginResponse
pub async fn register(
State(state): State<AppState>,
ConnectInfo(addr): ConnectInfo<SocketAddr>,
Json(req): Json<RegisterRequest>,
) -> SaasResult<(StatusCode, Json<LoginResponse>)> {
// 4.6: 用户名格式验证 — 3-32 字符,仅允许字母数字下划线
if req.username.len() < 3 || req.username.len() > 32 {
return Err(SaasError::InvalidInput("用户名长度需在 3-32 个字符之间".into()));
if req.username.len() < 3 {
return Err(SaasError::InvalidInput("用户名至少 3 个字符".into()));
}
if !req.username.chars().all(|c| c.is_alphanumeric() || c == '_') {
return Err(SaasError::InvalidInput("用户名仅允许字母、数字和下划线".into()));
if req.username.len() > 32 {
return Err(SaasError::InvalidInput("用户名最多 32 个字符".into()));
}
// 4.7: 邮箱格式验证
if !req.email.contains('@') || !req.email.split('@').nth(1).map_or(false, |d| d.contains('.')) {
static USERNAME_RE: std::sync::OnceLock<regex::Regex> = std::sync::OnceLock::new();
let username_re = USERNAME_RE.get_or_init(|| regex::Regex::new(r"^[a-zA-Z0-9_-]+$").unwrap());
if !username_re.is_match(&req.username) {
return Err(SaasError::InvalidInput("用户名只能包含字母、数字、下划线和连字符".into()));
}
if !req.email.contains('@') || !req.email.contains('.') {
return Err(SaasError::InvalidInput("邮箱格式不正确".into()));
}
if req.password.len() < 8 {
return Err(SaasError::InvalidInput("密码至少 8 个字符".into()));
}
if req.password.len() > 128 {
return Err(SaasError::InvalidInput("密码最多 128 个字符".into()));
}
if let Some(ref name) = req.display_name {
if name.len() > 64 {
return Err(SaasError::InvalidInput("显示名称最多 64 个字符".into()));
}
}
let existing: Vec<(String,)> = sqlx::query_as(
"SELECT id FROM accounts WHERE username = $1 OR email = $2"
@@ -44,11 +57,11 @@ pub async fn register(
return Err(SaasError::AlreadyExists("用户名或邮箱已存在".into()));
}
let password_hash = hash_password(&req.password)?;
let password_hash = hash_password_async(req.password.clone()).await?;
let account_id = uuid::Uuid::new_v4().to_string();
let role = "user".to_string(); // 注册固定为普通用户,角色由管理员分配
let display_name = req.display_name.unwrap_or_default();
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
"INSERT INTO accounts (id, username, email, password_hash, display_name, role, status, created_at, updated_at)
@@ -60,32 +73,45 @@ pub async fn register(
.bind(&password_hash)
.bind(&display_name)
.bind(&role)
.bind(now)
.bind(&now)
.execute(&state.db)
.await?;
let client_ip = addr.ip().to_string();
log_operation(&state.db, &account_id, "account.create", "account", &account_id, None, Some(&client_ip)).await?;
// Generate JWT token for auto-login after registration
// 注册成功后自动签发 JWT + Refresh Token
let permissions = get_role_permissions(&state.db, &state.role_permissions_cache, &role).await?;
let config = state.config.read().await;
let token = create_token(
&account_id, &role, vec![],
state.jwt_secret.expose_secret(), config.auth.jwt_expiration_hours,
&account_id, &role, permissions.clone(),
state.jwt_secret.expose_secret(),
config.auth.jwt_expiration_hours,
)?;
let refresh_token = create_refresh_token(
&account_id, &role, permissions,
state.jwt_secret.expose_secret(),
config.auth.refresh_token_hours,
)?;
drop(config);
store_refresh_token(
&state.db, &account_id, &refresh_token,
state.jwt_secret.expose_secret(), 168,
).await?;
Ok((StatusCode::CREATED, Json(LoginResponse {
token,
refresh_token,
account: AccountPublic {
id: account_id,
username: req.username,
email: req.email,
display_name,
role,
permissions: vec![],
status: "active".into(),
totp_enabled: false,
created_at: now.to_rfc3339(),
created_at: now,
},
})))
}
@@ -96,109 +122,170 @@ pub async fn login(
ConnectInfo(addr): ConnectInfo<SocketAddr>,
Json(req): Json<LoginRequest>,
) -> SaasResult<Json<LoginResponse>> {
let row: Option<(String, String, String, String, String, String, bool, chrono::DateTime<chrono::Utc>)> =
// 一次查询获取用户信息 + password_hash + totp_secret合并原来的 3 次查询)
let row: Option<AccountLoginRow> =
sqlx::query_as(
"SELECT id, username, email, display_name, role, status, totp_enabled, created_at
"SELECT id, username, email, display_name, role, status, totp_enabled,
password_hash, totp_secret, created_at
FROM accounts WHERE username = $1 OR email = $1"
)
.bind(&req.username)
.fetch_optional(&state.db)
.await?;
let (id, username, email, display_name, role, status, totp_enabled, created_at) =
row.ok_or_else(|| SaasError::AuthError("用户名或密码错误".into()))?;
let created_at = created_at.to_rfc3339();
let r = row.ok_or_else(|| SaasError::AuthError("用户名或密码错误".into()))?;
if status != "active" {
return Err(SaasError::Forbidden(format!("账号已{},请联系管理员", status)));
if r.status != "active" {
return Err(SaasError::Forbidden(format!("账号已{},请联系管理员", r.status)));
}
let (password_hash,): (String,) = sqlx::query_as(
"SELECT password_hash FROM accounts WHERE id = $1"
)
.bind(&id)
.fetch_one(&state.db)
.await?;
if !verify_password(&req.password, &password_hash)? {
if !verify_password_async(req.password.clone(), r.password_hash.clone()).await? {
return Err(SaasError::AuthError("用户名或密码错误".into()));
}
// TOTP 验证: 如果用户已启用 2FA必须提供有效 TOTP 码
if totp_enabled {
if r.totp_enabled {
let code = req.totp_code.as_deref()
.ok_or_else(|| SaasError::Totp("此账号已启用双因素认证,请提供 TOTP 码".into()))?;
let (totp_secret,): (Option<String>,) = sqlx::query_as(
"SELECT totp_secret FROM accounts WHERE id = $1"
)
.bind(&id)
.fetch_one(&state.db)
.await?;
let secret = totp_secret.ok_or_else(|| {
let secret = r.totp_secret.clone().ok_or_else(|| {
SaasError::Internal("TOTP 已启用但密钥丢失,请联系管理员".into())
})?;
// 解密 TOTP 密钥(兼容迁移期间的明文数据)
let decrypted_secret = state.field_encryption.decrypt_or_plaintext(&secret);
// 解密 TOTP secret (兼容旧的明文格式)
let config = state.config.read().await;
let enc_key = config.totp_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
let secret = super::totp::decrypt_totp_for_login(&secret, &enc_key)?;
if !super::totp::verify_totp_code(&decrypted_secret, code) {
if !super::totp::verify_totp_code(&secret, code) {
return Err(SaasError::Totp("TOTP 码错误或已过期".into()));
}
}
let permissions = get_role_permissions(&state.db, &role).await?;
let permissions = get_role_permissions(&state.db, &state.role_permissions_cache, &r.role).await?;
let config = state.config.read().await;
let token = create_token(
&id, &role, permissions.clone(),
&r.id, &r.role, permissions.clone(),
state.jwt_secret.expose_secret(),
config.auth.jwt_expiration_hours,
)?;
let refresh_token = create_refresh_token(
&r.id, &r.role, permissions,
state.jwt_secret.expose_secret(),
config.auth.refresh_token_hours,
)?;
drop(config);
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
sqlx::query("UPDATE accounts SET last_login_at = $1 WHERE id = $2")
.bind(now).bind(&id)
.bind(&now).bind(&r.id)
.execute(&state.db).await?;
let client_ip = addr.ip().to_string();
log_operation(&state.db, &id, "account.login", "account", &id, None, Some(&client_ip)).await?;
log_operation(&state.db, &r.id, "account.login", "account", &r.id, None, Some(&client_ip)).await?;
store_refresh_token(
&state.db, &r.id, &refresh_token,
state.jwt_secret.expose_secret(), 168,
).await?;
Ok(Json(LoginResponse {
token,
refresh_token,
account: AccountPublic {
id, username, email, display_name, role, permissions, status, totp_enabled, created_at,
id: r.id, username: r.username, email: r.email, display_name: r.display_name,
role: r.role, status: r.status, totp_enabled: r.totp_enabled, created_at: r.created_at,
},
}))
}
/// POST /api/v1/auth/refresh
/// 使用 refresh_token 换取新的 access + refresh token 对
/// refresh_token 一次性使用,使用后立即失效
pub async fn refresh(
State(state): State<AppState>,
axum::extract::Extension(ctx): axum::extract::Extension<AuthContext>,
) -> SaasResult<Json<LoginResponse>> {
Json(req): Json<RefreshRequest>,
) -> SaasResult<Json<serde_json::Value>> {
// 1. 验证 refresh token 签名 (跳过过期检查,但有 7 天窗口限制)
let claims = verify_token_skip_expiry(&req.refresh_token, state.jwt_secret.expose_secret())?;
// 2. 确认是 refresh 类型 token
if claims.token_type != "refresh" {
return Err(SaasError::AuthError("无效的 refresh token".into()));
}
let jti = claims.jti.as_deref()
.ok_or_else(|| SaasError::AuthError("refresh token 缺少 jti".into()))?;
// 3. 从 DB 查找 refresh token确保未被使用
let row: Option<(String,)> = sqlx::query_as(
"SELECT account_id FROM refresh_tokens WHERE jti = $1 AND used_at IS NULL AND expires_at > $2"
)
.bind(jti)
.bind(&chrono::Utc::now().to_rfc3339())
.fetch_optional(&state.db)
.await?;
let token_account_id = row
.ok_or_else(|| SaasError::AuthError("refresh token 已使用、已过期或不存在".into()))?
.0;
// 4. 验证 token 中的 account_id 与 DB 中的一致
if token_account_id != claims.sub {
return Err(SaasError::AuthError("refresh token 账号不匹配".into()));
}
// 5. 标记旧 refresh token 为已使用 (一次性)
let now = chrono::Utc::now().to_rfc3339();
sqlx::query("UPDATE refresh_tokens SET used_at = $1 WHERE jti = $2")
.bind(&now).bind(jti)
.execute(&state.db).await?;
// 6. 获取最新角色权限
let (role,): (String,) = sqlx::query_as(
"SELECT role FROM accounts WHERE id = $1 AND status = 'active'"
)
.bind(&claims.sub)
.fetch_optional(&state.db)
.await?
.ok_or_else(|| SaasError::AuthError("账号不存在或已禁用".into()))?;
let permissions = get_role_permissions(&state.db, &state.role_permissions_cache, &role).await?;
// 7. 创建新的 access token + refresh token
let config = state.config.read().await;
let token = create_token(
&ctx.account_id, &ctx.role, ctx.permissions.clone(),
let new_access = create_token(
&claims.sub, &role, permissions.clone(),
state.jwt_secret.expose_secret(),
config.auth.jwt_expiration_hours,
)?;
let new_refresh = create_refresh_token(
&claims.sub, &role, permissions.clone(),
state.jwt_secret.expose_secret(),
config.auth.refresh_token_hours,
)?;
drop(config);
// 查询账号信息以返回完整 LoginResponse
let row = sqlx::query_as::<_, (String, String, String, String, String, String, bool, chrono::DateTime<chrono::Utc>)>(
"SELECT id, username, email, display_name, role, status, totp_enabled, created_at
FROM accounts WHERE id = $1"
// 8. 存储新 refresh token 到 DB
let new_claims = verify_token(&new_refresh, state.jwt_secret.expose_secret())?;
let new_jti = new_claims.jti.unwrap_or_default();
let new_id = uuid::Uuid::new_v4().to_string();
let refresh_expires = (chrono::Utc::now() + chrono::Duration::hours(168)).to_rfc3339();
sqlx::query(
"INSERT INTO refresh_tokens (id, account_id, jti, token_hash, expires_at, created_at)
VALUES ($1, $2, $3, $4, $5, $6)"
)
.bind(&ctx.account_id)
.fetch_optional(&state.db)
.await?
.ok_or_else(|| SaasError::NotFound("账号不存在".into()))?;
.bind(&new_id).bind(&claims.sub).bind(&new_jti)
.bind(sha256_hex(&new_refresh)).bind(&refresh_expires).bind(&now)
.execute(&state.db).await?;
let (id, username, email, display_name, role, status, totp_enabled, created_at) = row;
let created_at = created_at.to_rfc3339();
Ok(Json(LoginResponse {
token,
account: AccountPublic { id, username, email, display_name, role, permissions: ctx.permissions, status, totp_enabled, created_at },
}))
// 9. 清理过期/已使用的 refresh tokens 已迁移到 Scheduler 定期执行
// 不再在每次 refresh 时阻塞请求
Ok(Json(serde_json::json!({
"token": new_access,
"refresh_token": new_refresh,
})))
}
/// GET /api/v1/auth/me — 返回当前认证用户的公开信息
@@ -206,7 +293,7 @@ pub async fn me(
State(state): State<AppState>,
axum::extract::Extension(ctx): axum::extract::Extension<AuthContext>,
) -> SaasResult<Json<AccountPublic>> {
let row: Option<(String, String, String, String, String, String, bool, chrono::DateTime<chrono::Utc>)> =
let row: Option<AccountAuthRow> =
sqlx::query_as(
"SELECT id, username, email, display_name, role, status, totp_enabled, created_at
FROM accounts WHERE id = $1"
@@ -215,12 +302,11 @@ pub async fn me(
.fetch_optional(&state.db)
.await?;
let (id, username, email, display_name, role, status, totp_enabled, created_at) =
row.ok_or_else(|| SaasError::NotFound("账号不存在".into()))?;
let created_at = created_at.to_rfc3339();
let r = row.ok_or_else(|| SaasError::NotFound("账号不存在".into()))?;
Ok(Json(AccountPublic {
id, username, email, display_name, role, permissions: ctx.permissions, status, totp_enabled, created_at,
id: r.id, username: r.username, email: r.email, display_name: r.display_name,
role: r.role, status: r.status, totp_enabled: r.totp_enabled, created_at: r.created_at,
}))
}
@@ -243,16 +329,16 @@ pub async fn change_password(
.await?;
// 验证旧密码
if !verify_password(&req.old_password, &password_hash)? {
if !verify_password_async(req.old_password.clone(), password_hash.clone()).await? {
return Err(SaasError::AuthError("旧密码错误".into()));
}
// 更新密码
let new_hash = hash_password(&req.new_password)?;
let now = chrono::Utc::now();
let new_hash = hash_password_async(req.new_password.clone()).await?;
let now = chrono::Utc::now().to_rfc3339();
sqlx::query("UPDATE accounts SET password_hash = $1, updated_at = $2 WHERE id = $3")
.bind(&new_hash)
.bind(now)
.bind(&now)
.bind(&ctx.account_id)
.execute(&state.db)
.await?;
@@ -263,7 +349,16 @@ pub async fn change_password(
Ok(Json(serde_json::json!({"ok": true, "message": "密码修改成功"})))
}
pub(crate) async fn get_role_permissions(db: &sqlx::PgPool, role: &str) -> SaasResult<Vec<String>> {
pub(crate) async fn get_role_permissions(
db: &sqlx::PgPool,
cache: &dashmap::DashMap<String, Vec<String>>,
role: &str,
) -> SaasResult<Vec<String>> {
// Check cache first
if let Some(cached) = cache.get(role) {
return Ok(cached.clone());
}
let row: Option<(String,)> = sqlx::query_as(
"SELECT permissions FROM roles WHERE id = $1"
)
@@ -272,10 +367,11 @@ pub(crate) async fn get_role_permissions(db: &sqlx::PgPool, role: &str) -> SaasR
.await?;
let permissions_str = row
.ok_or_else(|| SaasError::Forbidden(format!("角色 {} 不存在或无权限", role)))?
.ok_or_else(|| SaasError::Internal(format!("角色 {} 不存在", role)))?
.0;
let permissions: Vec<String> = serde_json::from_str(&permissions_str)?;
cache.insert(role.to_string(), permissions.clone());
Ok(permissions)
}
@@ -300,7 +396,7 @@ pub async fn log_operation(
details: Option<serde_json::Value>,
ip_address: Option<&str>,
) -> SaasResult<()> {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
"INSERT INTO operation_logs (account_id, action, target_type, target_id, details, ip_address, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7)"
@@ -311,54 +407,52 @@ pub async fn log_operation(
.bind(target_id)
.bind(details.map(|d| d.to_string()))
.bind(ip_address)
.bind(now)
.bind(&now)
.execute(db)
.await?;
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
use crate::auth::types::AuthContext;
/// 存储 refresh token 到 DB
async fn store_refresh_token(
db: &sqlx::PgPool,
account_id: &str,
refresh_token: &str,
secret: &str,
refresh_hours: i64,
) -> SaasResult<()> {
let claims = verify_token(refresh_token, secret)?;
let jti = claims.jti.unwrap_or_default();
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now().to_rfc3339();
let expires_at = (chrono::Utc::now() + chrono::Duration::hours(refresh_hours)).to_rfc3339();
fn ctx(permissions: Vec<&str>) -> AuthContext {
AuthContext {
account_id: "test-id".into(),
role: "user".into(),
permissions: permissions.into_iter().map(String::from).collect(),
client_ip: None,
}
sqlx::query(
"INSERT INTO refresh_tokens (id, account_id, jti, token_hash, expires_at, created_at)
VALUES ($1, $2, $3, $4, $5, $6)"
)
.bind(&id).bind(account_id).bind(&jti)
.bind(sha256_hex(refresh_token)).bind(&expires_at).bind(&now)
.execute(db).await?;
Ok(())
}
#[test]
fn test_check_permission_admin_full() {
let c = ctx(vec!["admin:full"]);
assert!(check_permission(&c, "config:write").is_ok());
assert!(check_permission(&c, "account:admin").is_ok());
assert!(check_permission(&c, "any:permission").is_ok());
/// 清理过期和已使用的 refresh tokens
/// 注意: 现已迁移到 Worker/Scheduler 定期执行,此函数保留作为备用
#[allow(dead_code)]
async fn cleanup_expired_refresh_tokens(db: &sqlx::PgPool) -> SaasResult<()> {
let now = chrono::Utc::now().to_rfc3339();
// 删除过期超过 30 天的已使用 token (减少 DB 膨胀)
sqlx::query(
"DELETE FROM refresh_tokens WHERE (used_at IS NOT NULL AND used_at < $1) OR (expires_at < $1)"
)
.bind(&now)
.execute(db).await?;
Ok(())
}
#[test]
fn test_check_permission_has_permission() {
let c = ctx(vec!["config:write", "model:read"]);
assert!(check_permission(&c, "config:write").is_ok());
assert!(check_permission(&c, "model:read").is_ok());
}
#[test]
fn test_check_permission_missing() {
let c = ctx(vec!["model:read"]);
let result = check_permission(&c, "config:write");
assert!(result.is_err());
let err = result.unwrap_err().to_string();
assert!(err.contains("config:write"));
}
#[test]
fn test_check_permission_empty_list() {
let c = ctx(vec![]);
assert!(check_permission(&c, "config:write").is_err());
assert!(check_permission(&c, "admin:full").is_err());
}
/// SHA-256 hex digest
fn sha256_hex(input: &str) -> String {
use sha2::{Sha256, Digest};
hex::encode(Sha256::digest(input.as_bytes()))
}

116
crates/zclaw-saas/src/auth/jwt.rs
View File

@@ -9,34 +9,52 @@ use crate::error::SaasResult;
/// JWT Claims
#[derive(Debug, Serialize, Deserialize)]
pub struct Claims {
/// JWT ID — 唯一标识,用于 token 追踪和吊销
pub jti: Option<String>,
pub sub: String,
pub aud: String,
pub iss: String,
pub role: String,
pub permissions: Vec<String>,
/// token 类型: "access" 或 "refresh"
#[serde(default = "default_token_type")]
pub token_type: String,
pub iat: i64,
pub exp: i64,
}
const JWT_AUDIENCE: &str = "zclaw-saas";
const JWT_ISSUER: &str = "zclaw-saas";
fn default_token_type() -> String {
"access".to_string()
}
impl Claims {
pub fn new(account_id: &str, role: &str, permissions: Vec<String>, expiration_hours: i64) -> Self {
pub fn new_access(account_id: &str, role: &str, permissions: Vec<String>, expiration_hours: i64) -> Self {
let now = Utc::now();
Self {
jti: Some(uuid::Uuid::new_v4().to_string()),
sub: account_id.to_string(),
aud: JWT_AUDIENCE.to_string(),
iss: JWT_ISSUER.to_string(),
role: role.to_string(),
permissions,
token_type: "access".to_string(),
iat: now.timestamp(),
exp: (now + Duration::hours(expiration_hours)).timestamp(),
}
}
/// 创建 refresh token claims (有效期更长,用于一次性刷新)
pub fn new_refresh(account_id: &str, role: &str, permissions: Vec<String>, refresh_hours: i64) -> Self {
let now = Utc::now();
Self {
jti: Some(uuid::Uuid::new_v4().to_string()),
sub: account_id.to_string(),
role: role.to_string(),
permissions,
token_type: "refresh".to_string(),
iat: now.timestamp(),
exp: (now + Duration::hours(refresh_hours)).timestamp(),
}
}
}
/// 创建 JWT Token
/// 创建 Access JWT Token
pub fn create_token(
account_id: &str,
role: &str,
@@ -44,7 +62,24 @@ pub fn create_token(
secret: &str,
expiration_hours: i64,
) -> SaasResult<String> {
let claims = Claims::new(account_id, role, permissions, expiration_hours);
let claims = Claims::new_access(account_id, role, permissions, expiration_hours);
let token = encode(
&Header::default(),
&claims,
&EncodingKey::from_secret(secret.as_bytes()),
)?;
Ok(token)
}
/// 创建 Refresh JWT Token (独立 jti有效期更长)
pub fn create_refresh_token(
account_id: &str,
role: &str,
permissions: Vec<String>,
secret: &str,
refresh_hours: i64,
) -> SaasResult<String> {
let claims = Claims::new_refresh(account_id, role, permissions, refresh_hours);
let token = encode(
&Header::default(),
&claims,
@@ -55,18 +90,60 @@ pub fn create_token(
/// 验证 JWT Token
pub fn verify_token(token: &str, secret: &str) -> SaasResult<Claims> {
let mut validation = Validation::default();
validation.set_audience(&[JWT_AUDIENCE]);
validation.set_issuer(&[JWT_ISSUER]);
let token_data = decode::<Claims>(
token,
&DecodingKey::from_secret(secret.as_bytes()),
&Validation::default(),
)?;
Ok(token_data.claims)
}
/// 验证 JWT Token 但跳过过期检查(仅用于 refresh token 刷新)
/// 限制: 原始 token 的 iat 必须在 7 天内
pub fn verify_token_skip_expiry(token: &str, secret: &str) -> SaasResult<Claims> {
let mut validation = Validation::default();
validation.validate_exp = false;
let token_data = decode::<Claims>(
token,
&DecodingKey::from_secret(secret.as_bytes()),
&validation,
)?;
let claims = &token_data.claims;
// 限制刷新窗口: token 签发时间必须在 7 天内
let now = Utc::now().timestamp();
let max_refresh_window = 7 * 24 * 3600; // 7 天
if now - claims.iat > max_refresh_window {
return Err(jsonwebtoken::errors::Error::from(
jsonwebtoken::errors::ErrorKind::ExpiredSignature
).into());
}
Ok(token_data.claims)
}
/// Token 对: access token + refresh token
#[derive(Debug, serde::Serialize)]
pub struct TokenPair {
pub access_token: String,
pub refresh_token: String,
}
/// 创建 access + refresh token 对
pub fn create_token_pair(
account_id: &str,
role: &str,
permissions: Vec<String>,
secret: &str,
access_hours: i64,
refresh_hours: i64,
) -> SaasResult<TokenPair> {
Ok(TokenPair {
access_token: create_token(account_id, role, permissions.clone(), secret, access_hours)?,
refresh_token: create_refresh_token(account_id, role, permissions, secret, refresh_hours)?,
})
}
#[cfg(test)]
mod tests {
use super::*;
@@ -85,6 +162,8 @@ mod tests {
assert_eq!(claims.sub, "account-123");
assert_eq!(claims.role, "admin");
assert_eq!(claims.permissions, vec!["model:read"]);
assert!(claims.jti.is_some());
assert_eq!(claims.token_type, "access");
}
#[test]
@@ -99,4 +178,17 @@ mod tests {
let result = verify_token(&token, "wrong-secret");
assert!(result.is_err());
}
#[test]
fn test_refresh_token_has_different_jti() {
let access = create_token("acct-1", "user", vec![], TEST_SECRET, 1).unwrap();
let refresh = create_refresh_token("acct-1", "user", vec![], TEST_SECRET, 168).unwrap();
let access_claims = verify_token(&access, TEST_SECRET).unwrap();
let refresh_claims = verify_token(&refresh, TEST_SECRET).unwrap();
assert_ne!(access_claims.jti, refresh_claims.jti);
assert_eq!(access_claims.token_type, "access");
assert_eq!(refresh_claims.token_type, "refresh");
}
}

31
crates/zclaw-saas/src/auth/mod.rs
View File

@@ -58,7 +58,7 @@ async fn verify_api_token(state: &AppState, raw_token: &str, client_ip: Option<S
.ok_or(SaasError::Unauthorized)?;
// 合并 token 权限与角色权限(去重)
let role_permissions = handlers::get_role_permissions(&state.db, &role).await?;
let role_permissions = handlers::get_role_permissions(&state.db, &state.role_permissions_cache, &role).await?;
let token_permissions: Vec<String> = serde_json::from_str(&permissions_json).unwrap_or_default();
let mut permissions = role_permissions;
for p in token_permissions {
@@ -70,9 +70,9 @@ async fn verify_api_token(state: &AppState, raw_token: &str, client_ip: Option<S
// 异步更新 last_used_at不阻塞请求
let db = state.db.clone();
tokio::spawn(async move {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let _ = sqlx::query("UPDATE api_tokens SET last_used_at = $1 WHERE token_hash = $2")
.bind(now).bind(&token_hash)
.bind(&now).bind(&token_hash)
.execute(&db).await;
});
@@ -84,11 +84,23 @@ async fn verify_api_token(state: &AppState, raw_token: &str, client_ip: Option<S
})
}
/// 从请求中提取客户端 IP(仅信任直连 IP不信任可伪造的 proxy header
/// 从请求中提取客户端 IP
fn extract_client_ip(req: &Request) -> Option<String> {
req.extensions()
.get::<ConnectInfo<SocketAddr>>()
.map(|addr| addr.ip().to_string())
// 优先从 ConnectInfo 获取
if let Some(ConnectInfo(addr)) = req.extensions().get::<ConnectInfo<SocketAddr>>() {
return Some(addr.ip().to_string());
}
// 回退到 X-Forwarded-For / X-Real-IP
if let Some(forwarded) = req.headers()
.get("x-forwarded-for")
.and_then(|v| v.to_str().ok())
{
return Some(forwarded.split(',').next()?.trim().to_string());
}
req.headers()
.get("x-real-ip")
.and_then(|v| v.to_str().ok())
.map(|s| s.to_string())
}
/// 认证中间件: 从 JWT 或 API Token 提取身份
@@ -109,7 +121,8 @@ pub async fn auth_middleware(
verify_api_token(&state, token, client_ip.clone()).await
} else {
// JWT 路径
jwt::verify_token(token, state.jwt_secret.expose_secret())
let verify_result = jwt::verify_token(token, state.jwt_secret.expose_secret());
verify_result
.map(|claims| AuthContext {
account_id: claims.sub,
role: claims.role,
@@ -141,6 +154,7 @@ pub fn routes() -> axum::Router<AppState> {
axum::Router::new()
.route("/api/v1/auth/register", post(handlers::register))
.route("/api/v1/auth/login", post(handlers::login))
.route("/api/v1/auth/refresh", post(handlers::refresh))
}
/// 需要认证的路由
@@ -148,7 +162,6 @@ pub fn protected_routes() -> axum::Router<AppState> {
use axum::routing::{get, post, put};
axum::Router::new()
.route("/api/v1/auth/refresh", post(handlers::refresh))
.route("/api/v1/auth/me", get(handlers::me))
.route("/api/v1/auth/password", put(handlers::change_password))
.route("/api/v1/auth/totp/setup", post(totp::setup_totp))

22
crates/zclaw-saas/src/auth/password.rs
View File

@@ -1,4 +1,8 @@
//! 密码哈希 (Argon2id)
//!
//! Argon2 是 CPU 密集型操作(~100-500ms不能在 tokio worker 线程上直接执行,
//! 否则会阻塞整个异步运行时。所有 async 上下文必须使用 `hash_password_async`
//! 和 `verify_password_async`。
use argon2::{
password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
@@ -7,7 +11,7 @@ use argon2::{
use crate::error::{SaasError, SaasResult};
/// 哈希密码
/// 哈希密码(同步版本,仅用于测试和启动时 seed
pub fn hash_password(password: &str) -> SaasResult<String> {
let salt = SaltString::generate(&mut OsRng);
let argon2 = Argon2::default();
@@ -17,7 +21,7 @@ pub fn hash_password(password: &str) -> SaasResult<String> {
Ok(hash.to_string())
}
/// 验证密码
/// 验证密码(同步版本,仅用于测试)
pub fn verify_password(password: &str, hash: &str) -> SaasResult<bool> {
let parsed_hash = PasswordHash::new(hash)
.map_err(|e| SaasError::PasswordHash(e.to_string()))?;
@@ -26,6 +30,20 @@ pub fn verify_password(password: &str, hash: &str) -> SaasResult<bool> {
.is_ok())
}
/// 异步哈希密码 — 在 spawn_blocking 线程池中执行 Argon2
pub async fn hash_password_async(password: String) -> SaasResult<String> {
tokio::task::spawn_blocking(move || hash_password(&password))
.await
.map_err(|e| SaasError::Internal(format!("spawn_blocking error: {e}")))?
}
/// 异步验证密码 — 在 spawn_blocking 线程池中执行 Argon2
pub async fn verify_password_async(password: String, hash: String) -> SaasResult<bool> {
tokio::task::spawn_blocking(move || verify_password(&password, &hash))
.await
.map_err(|e| SaasError::Internal(format!("spawn_blocking error: {e}")))?
}
#[cfg(test)]
mod tests {
use super::*;

128
crates/zclaw-saas/src/auth/totp.rs
View File

@@ -8,6 +8,7 @@ use crate::state::AppState;
use crate::error::{SaasError, SaasResult};
use crate::auth::types::AuthContext;
use crate::auth::handlers::log_operation;
use crate::crypto;
use serde::{Deserialize, Serialize};
/// TOTP 设置响应
@@ -46,6 +47,21 @@ fn base32_decode(data: &str) -> Option<Vec<u8>> {
data_encoding::BASE32.decode(data.as_bytes()).ok()
}
/// 加密 TOTP secret (AES-256-GCM随机 nonce)
/// 存储格式: enc:<base64(nonce||ciphertext)>
/// 委托给 crypto::encrypt_value 统一加密
fn encrypt_totp_secret(plaintext: &str, key: &[u8; 32]) -> Result<String, SaasError> {
crate::crypto::encrypt_value(plaintext, key)
.map_err(|e| SaasError::Internal(e.to_string()))
}
/// 解密 TOTP secret (仅支持新格式: 随机 nonce)
/// 旧的固定 nonce 格式应通过启动时迁移转换。
fn decrypt_totp_secret(encrypted: &str, key: &[u8; 32]) -> Result<String, SaasError> {
crate::crypto::decrypt_value(encrypted, key)
.map_err(|e| SaasError::Internal(e.to_string()))
}
/// 生成 TOTP 密钥并返回 otpauth URI
pub fn generate_totp_secret(issuer: &str, account_name: &str) -> TotpSetupResponse {
let secret = generate_random_secret();
@@ -103,8 +119,11 @@ pub async fn setup_totp(
let config = state.config.read().await;
let setup = generate_totp_secret(&config.auth.totp_issuer, &username);
// 加密 TOTP 密钥后存储 (但不启用,需要 /verify 确认)
let encrypted_secret = state.field_encryption.encrypt(&setup.secret)?;
// 加密后存储密钥 (但不启用,需要 /verify 确认)
let enc_key = config.totp_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
let encrypted_secret = encrypt_totp_secret(&setup.secret, &enc_key)?;
sqlx::query("UPDATE accounts SET totp_secret = $1 WHERE id = $2")
.bind(&encrypted_secret)
.bind(&ctx.account_id)
@@ -137,21 +156,37 @@ pub async fn verify_totp(
.fetch_one(&state.db)
.await?;
let secret = totp_secret.ok_or_else(|| {
let encrypted_secret = totp_secret.ok_or_else(|| {
SaasError::InvalidInput("请先调用 /totp/setup 获取密钥".into())
})?;
// 解密 TOTP 密钥(兼容迁移期间的明文数据)
let decrypted_secret = state.field_encryption.decrypt_or_plaintext(&secret);
// 解密 secret (兼容旧的明文格式)
let config = state.config.read().await;
let enc_key = config.totp_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
let secret = if encrypted_secret.starts_with(crypto::ENCRYPTED_PREFIX) {
decrypt_totp_secret(&encrypted_secret, &enc_key)?
} else {
// 旧格式: 明文存储,需要迁移
encrypted_secret.clone()
};
if !verify_totp_code(&decrypted_secret, code) {
if !verify_totp_code(&secret, code) {
return Err(SaasError::Totp("TOTP 码验证失败".into()));
}
// 验证成功 → 启用 TOTP
let now = chrono::Utc::now();
sqlx::query("UPDATE accounts SET totp_enabled = true, updated_at = $1 WHERE id = $2")
.bind(now)
// 验证成功 → 启用 TOTP,同时确保密钥已加密
let final_secret = if encrypted_secret.starts_with(crypto::ENCRYPTED_PREFIX) {
encrypted_secret
} else {
// 迁移: 加密旧明文密钥
encrypt_totp_secret(&secret, &enc_key)?
};
let now = chrono::Utc::now().to_rfc3339();
sqlx::query("UPDATE accounts SET totp_enabled = true, totp_secret = $1, updated_at = $2 WHERE id = $3")
.bind(&final_secret)
.bind(&now)
.bind(&ctx.account_id)
.execute(&state.db)
.await?;
@@ -177,14 +212,14 @@ pub async fn disable_totp(
.fetch_one(&state.db)
.await?;
if !crate::auth::password::verify_password(&req.password, &password_hash)? {
if !crate::auth::password::verify_password_async(req.password.clone(), password_hash.clone()).await? {
return Err(SaasError::AuthError("密码错误".into()));
}
// 清除 TOTP
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
sqlx::query("UPDATE accounts SET totp_enabled = false, totp_secret = NULL, updated_at = $1 WHERE id = $2")
.bind(now)
.bind(&now)
.bind(&ctx.account_id)
.execute(&state.db)
.await?;
@@ -195,64 +230,13 @@ pub async fn disable_totp(
Ok(Json(serde_json::json!({"ok": true, "totp_enabled": false, "message": "TOTP 已禁用"})))
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_generate_totp_secret_format() {
let result = generate_totp_secret("TestIssuer", "user@example.com");
assert!(result.otpauth_uri.starts_with("otpauth://totp/"));
assert!(result.otpauth_uri.contains("secret="));
assert!(result.otpauth_uri.contains("issuer=TestIssuer"));
assert!(result.otpauth_uri.contains("algorithm=SHA1"));
assert!(result.otpauth_uri.contains("digits=6"));
assert!(result.otpauth_uri.contains("period=30"));
// Base32 编码的 20 字节 = 32 字符
assert_eq!(result.secret.len(), 32);
assert_eq!(result.issuer, "TestIssuer");
}
#[test]
fn test_generate_totp_secret_special_chars() {
let result = generate_totp_secret("My App", "user@domain:8080");
// 特殊字符应被 URL 编码
assert!(!result.otpauth_uri.contains("user@domain:8080"));
assert!(result.otpauth_uri.contains("user%40domain"));
}
#[test]
fn test_verify_totp_code_valid() {
// 使用 generate_random_secret 创建合法 secret然后生成并验证码
let secret = generate_random_secret();
let secret_bytes = data_encoding::BASE32.decode(secret.as_bytes()).unwrap();
let totp = totp_rs::TOTP::new(
totp_rs::Algorithm::SHA1, 6, 1, 30, secret_bytes,
).unwrap();
let valid_code = totp.generate(chrono::Utc::now().timestamp() as u64);
assert!(verify_totp_code(&secret, &valid_code));
}
#[test]
fn test_verify_totp_code_invalid() {
let secret = generate_random_secret();
assert!(!verify_totp_code(&secret, "000000"));
assert!(!verify_totp_code(&secret, "999999"));
assert!(!verify_totp_code(&secret, "abcdef"));
}
#[test]
fn test_verify_totp_code_invalid_secret() {
assert!(!verify_totp_code("not-valid-base32!!!", "123456"));
assert!(!verify_totp_code("", "123456"));
assert!(!verify_totp_code("", "123456"));
}
#[test]
fn test_verify_totp_code_empty() {
let secret = "JBSWY3DPEHPK3PXP";
assert!(!verify_totp_code(secret, ""));
assert!(!verify_totp_code(secret, "12345"));
assert!(!verify_totp_code(secret, "1234567"));
/// 解密 TOTP secret (供 login handler 使用)
/// 返回解密后的明文 secret
pub fn decrypt_totp_for_login(encrypted_secret: &str, enc_key: &[u8; 32]) -> SaasResult<String> {
if encrypted_secret.starts_with(crypto::ENCRYPTED_PREFIX) {
decrypt_totp_secret(encrypted_secret, enc_key)
} else {
// 兼容旧的明文格式
Ok(encrypted_secret.to_string())
}
}

18
crates/zclaw-saas/src/auth/types.rs
View File

@@ -3,7 +3,7 @@
use serde::{Deserialize, Serialize};
/// 登录请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct LoginRequest {
pub username: String,
pub password: String,
@@ -11,14 +11,15 @@ pub struct LoginRequest {
}
/// 登录响应
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct LoginResponse {
pub token: String,
pub refresh_token: String,
pub account: AccountPublic,
}
/// 注册请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct RegisterRequest {
pub username: String,
pub email: String,
@@ -27,21 +28,20 @@ pub struct RegisterRequest {
}
/// 修改密码请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct ChangePasswordRequest {
pub old_password: String,
pub new_password: String,
}
/// 公开账号信息 (无敏感数据)
#[derive(Debug, Clone, Serialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize)]
pub struct AccountPublic {
pub id: String,
pub username: String,
pub email: String,
pub display_name: String,
pub role: String,
pub permissions: Vec<String>,
pub status: String,
pub totp_enabled: bool,
pub created_at: String,
@@ -55,3 +55,9 @@ pub struct AuthContext {
pub permissions: Vec<String>,
pub client_ip: Option<String>,
}
/// Token 刷新请求
#[derive(Debug, Deserialize)]
pub struct RefreshRequest {
pub refresh_token: String,
}

51
crates/zclaw-saas/src/common.rs Normal file
View File

@@ -0,0 +1,51 @@
//! 公共类型和工具函数
use serde::Serialize;
/// 分页响应通用包装
#[derive(Debug, Serialize)]
pub struct PaginatedResponse<T: Serialize> {
pub items: Vec<T>,
pub total: i64,
pub page: u32,
pub page_size: u32,
}
/// 分页上限
pub const MAX_PAGE_SIZE: u32 = 100;
/// 默认分页大小
pub const DEFAULT_PAGE_SIZE: u32 = 20;
/// 规范化分页参数,返回 (page, page_size, offset)
pub fn normalize_pagination(page: Option<u32>, page_size: Option<u32>) -> (u32, u32, i64) {
let p = page.unwrap_or(1).max(1);
let ps = page_size.unwrap_or(DEFAULT_PAGE_SIZE).min(MAX_PAGE_SIZE).max(1);
let offset = ((p - 1) * ps) as i64;
(p, ps, offset)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_normalize_pagination_defaults() {
let (page, size, offset) = normalize_pagination(None, None);
assert_eq!(page, 1);
assert_eq!(size, DEFAULT_PAGE_SIZE);
assert_eq!(offset, 0);
}
#[test]
fn test_normalize_pagination_clamp() {
let (page, size, offset) = normalize_pagination(None, Some(999));
assert_eq!(size, MAX_PAGE_SIZE);
}
#[test]
fn test_normalize_pagination_offset() {
let (page, size, offset) = normalize_pagination(Some(3), Some(10));
assert_eq!(offset, 20);
}
}

223
crates/zclaw-saas/src/config.rs
View File

@@ -2,7 +2,8 @@
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
use secrecy::SecretString;
use secrecy::{ExposeSecret, SecretString};
use sha2::Digest;
/// SaaS 服务器完整配置
#[derive(Debug, Clone, Serialize, Deserialize)]
@@ -13,6 +14,37 @@ pub struct SaaSConfig {
pub relay: RelayConfig,
#[serde(default)]
pub rate_limit: RateLimitConfig,
#[serde(default)]
pub scheduler: SchedulerConfig,
}
/// Scheduler 定时任务配置
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SchedulerConfig {
#[serde(default)]
pub jobs: Vec<JobConfig>,
}
/// 单个定时任务配置
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct JobConfig {
pub name: String,
/// 间隔时间,支持 "5m", "1h", "24h", "30s" 格式
pub interval: String,
/// 对应的 Worker 名称
pub task: String,
/// 传递给 Worker 的参数JSON 格式)
#[serde(default)]
pub args: Option<serde_json::Value>,
/// 是否在启动时立即执行
#[serde(default)]
pub run_on_start: bool,
}
impl Default for SchedulerConfig {
fn default() -> Self {
Self { jobs: Vec::new() }
}
}
/// 服务器配置
@@ -40,18 +72,20 @@ pub struct AuthConfig {
pub jwt_expiration_hours: i64,
#[serde(default = "default_totp_issuer")]
pub totp_issuer: String,
/// Refresh Token 有效期 (小时), 默认 168 小时 = 7 天
#[serde(default = "default_refresh_hours")]
pub refresh_token_hours: i64,
}
/// 中转服务配置
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RelayConfig {
#[doc(hidden)]
#[serde(default = "default_max_queue")]
pub max_queue_size: usize,
#[doc(hidden)]
/// 每个 Provider 最大并发请求数 (预留,当前由 max_queue_size 控制)
#[serde(default = "default_max_concurrent")]
pub max_concurrent_per_provider: usize,
#[doc(hidden)]
/// 批量窗口间隔 (预留,用于请求合并优化)
#[serde(default = "default_batch_window")]
pub batch_window_ms: u64,
#[serde(default = "default_retry_delay")]
@@ -62,24 +96,10 @@ pub struct RelayConfig {
fn default_host() -> String { "0.0.0.0".into() }
fn default_port() -> u16 { 8080 }
fn default_db_url() -> String {
// 无默认值:生产环境必须通过 DATABASE_URL 或配置文件设置
// 开发环境可设置 ZCLAW_SAAS_DEV=true 使用 postgres://localhost:5432/zclaw
std::env::var("DATABASE_URL")
.unwrap_or_else(|_| {
let is_dev = std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false);
if is_dev {
"postgres://localhost:5432/zclaw".into()
} else {
tracing::error!("DATABASE_URL 未设置且非开发环境");
String::new()
}
})
}
fn default_db_url() -> String { "postgres://localhost:5432/zclaw".into() }
fn default_jwt_hours() -> i64 { 24 }
fn default_totp_issuer() -> String { "ZCLAW SaaS".into() }
fn default_refresh_hours() -> i64 { 168 }
fn default_max_queue() -> usize { 1000 }
fn default_max_concurrent() -> usize { 5 }
fn default_batch_window() -> u64 { 50 }
@@ -117,6 +137,7 @@ impl Default for SaaSConfig {
auth: AuthConfig::default(),
relay: RelayConfig::default(),
rate_limit: RateLimitConfig::default(),
scheduler: SchedulerConfig::default(),
}
}
}
@@ -142,6 +163,7 @@ impl Default for AuthConfig {
Self {
jwt_expiration_hours: default_jwt_hours(),
totp_issuer: default_totp_issuer(),
refresh_token_hours: default_refresh_hours(),
}
}
}
@@ -159,13 +181,33 @@ impl Default for RelayConfig {
}
impl SaaSConfig {
/// 加载配置文件,优先级: 环境变量 > ZCLAW_SAAS_CONFIG > ./saas-config.toml
/// 加载配置文件,优先级: ZCLAW_SAAS_CONFIG > ZCLAW_ENV > ./saas-config.toml
///
/// ZCLAW_ENV 环境选择:
/// development → config/saas-development.toml
/// production → config/saas-production.toml
/// test → config/saas-test.toml
///
/// ZCLAW_SAAS_CONFIG 指定精确路径(最高优先级)
pub fn load() -> anyhow::Result<Self> {
let config_path = std::env::var("ZCLAW_SAAS_CONFIG")
.map(PathBuf::from)
.unwrap_or_else(|_| PathBuf::from("saas-config.toml"));
let config_path = if let Ok(path) = std::env::var("ZCLAW_SAAS_CONFIG") {
PathBuf::from(path)
} else if let Ok(env) = std::env::var("ZCLAW_ENV") {
let filename = format!("config/saas-{}.toml", env);
let path = PathBuf::from(&filename);
if !path.exists() {
anyhow::bail!(
"ZCLAW_ENV={} 指定的配置文件 {} 不存在",
env, filename
);
}
tracing::info!("Loading config for environment: {}", env);
path
} else {
PathBuf::from("saas-config.toml")
};
let config = if config_path.exists() {
let mut config = if config_path.exists() {
let content = std::fs::read_to_string(&config_path)?;
toml::from_str(&content)?
} else {
@@ -173,14 +215,9 @@ impl SaaSConfig {
SaaSConfig::default()
};
// 验证数据库 URL 已配置
if config.database.url.is_empty() {
anyhow::bail!(
"数据库 URL 未配置。请通过以下方式之一设置:\n\
1. 在配置文件中设置 [database].url\n\
2. 设置 DATABASE_URL 环境变量\n\
开发环境可设置 ZCLAW_SAAS_DEV=true 使用默认值。"
);
// 环境变量覆盖数据库 URL (避免在配置文件中存储密码)
if let Ok(db_url) = std::env::var("ZCLAW_DATABASE_URL") {
config.database.url = db_url;
}
Ok(config)
@@ -209,95 +246,47 @@ impl SaaSConfig {
}
}
}
/// 获取 API Key 加密密钥 (复用 TOTP 加密密钥)
pub fn api_key_encryption_key(&self) -> anyhow::Result<[u8; 32]> {
self.totp_encryption_key()
}
#[cfg(test)]
mod tests {
use super::*;
/// 获取 TOTP 加密密钥 (AES-256-GCM, 32 字节)
/// 从 ZCLAW_TOTP_ENCRYPTION_KEY 环境变量加载 (hex 编码的 64 字符)
/// 开发环境使用默认值 (不安全)
pub fn totp_encryption_key(&self) -> anyhow::Result<[u8; 32]> {
let is_dev = std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false);
#[test]
fn default_config_has_expected_values() {
let config = SaaSConfig::default();
assert_eq!(config.server.host, "0.0.0.0");
assert_eq!(config.server.port, 8080);
assert!(config.server.cors_origins.is_empty());
assert_eq!(config.auth.jwt_expiration_hours, 24);
assert_eq!(config.auth.totp_issuer, "ZCLAW SaaS");
assert_eq!(config.rate_limit.requests_per_minute, 60);
assert_eq!(config.rate_limit.burst, 10);
assert_eq!(config.relay.max_queue_size, 1000);
assert_eq!(config.relay.max_concurrent_per_provider, 5);
assert_eq!(config.relay.max_attempts, 3);
match std::env::var("ZCLAW_TOTP_ENCRYPTION_KEY") {
Ok(hex_key) => {
if hex_key.len() != 64 {
anyhow::bail!("ZCLAW_TOTP_ENCRYPTION_KEY 必须是 64 个十六进制字符 (32 字节)");
}
let mut key = [0u8; 32];
for i in 0..32 {
key[i] = u8::from_str_radix(&hex_key[i*2..i*2+2], 16)
.map_err(|_| anyhow::anyhow!("ZCLAW_TOTP_ENCRYPTION_KEY 包含无效的十六进制字符"))?;
}
Ok(key)
}
Err(_) => {
if is_dev {
tracing::warn!("ZCLAW_TOTP_ENCRYPTION_KEY not set, using development default (INSECURE)");
// 开发环境使用固定密钥
let mut key = [0u8; 32];
key.copy_from_slice(b"zclaw-dev-totp-encrypt-key-32b!x");
Ok(key)
} else {
// 生产环境: 使用 JWT 密钥的 SHA-256 哈希作为加密密钥
tracing::warn!("ZCLAW_TOTP_ENCRYPTION_KEY not set, deriving from JWT secret");
let jwt = self.jwt_secret()?;
let hash = sha2::Sha256::digest(jwt.expose_secret().as_bytes());
Ok(hash.into())
}
#[test]
fn rate_limit_default_matches_manual() {
let config = SaaSConfig::default();
assert_eq!(config.rate_limit.requests_per_minute, 60);
assert_eq!(config.rate_limit.burst, 10);
}
#[test]
fn parse_minimal_config_toml() {
let toml_str = r#"
[server]
host = "127.0.0.1"
port = 9090
[database]
url = "postgres://localhost/zclaw"
[auth]
jwt_expiration_hours = 48
[relay]
max_queue_size = 500
"#;
let config: SaaSConfig = toml::from_str(toml_str).expect("parse should succeed");
assert_eq!(config.server.host, "127.0.0.1");
assert_eq!(config.server.port, 9090);
assert_eq!(config.database.url, "postgres://localhost/zclaw");
assert_eq!(config.auth.jwt_expiration_hours, 48);
assert_eq!(config.relay.max_queue_size, 500);
// defaults should fill in
assert_eq!(config.rate_limit.requests_per_minute, 60);
assert_eq!(config.relay.max_attempts, 3);
}
#[test]
fn parse_full_config_with_rate_limit() {
let toml_str = r#"
[server]
host = "0.0.0.0"
port = 8080
cors_origins = ["http://localhost:3000", "http://admin.example.com"]
[database]
url = "postgres://db:5432/zclaw"
[auth]
jwt_expiration_hours = 12
totp_issuer = "MyCorp"
[relay]
max_queue_size = 2000
max_concurrent_per_provider = 10
batch_window_ms = 100
retry_delay_ms = 2000
max_attempts = 5
[rate_limit]
requests_per_minute = 120
burst = 20
"#;
let config: SaaSConfig = toml::from_str(toml_str).expect("parse should succeed");
assert_eq!(config.server.cors_origins.len(), 2);
assert_eq!(config.auth.jwt_expiration_hours, 12);
assert_eq!(config.auth.totp_issuer, "MyCorp");
assert_eq!(config.relay.max_concurrent_per_provider, 10);
assert_eq!(config.relay.retry_delay_ms, 2000);
assert_eq!(config.relay.max_attempts, 5);
assert_eq!(config.rate_limit.requests_per_minute, 120);
assert_eq!(config.rate_limit.burst, 20);
}
}

328
crates/zclaw-saas/src/crypto.rs
View File

@@ -1,277 +1,103 @@
//! AES-256-GCM 字段级加密
//! 通用加密工具 (AES-256-GCM)
//!
//! 用于加密数据库中存储的敏感字段(如 API Key
//! 每次加密生成随机 12 字节 nonce密文格式: `base64(nonce || ciphertext || tag)`。
use aes_gcm::aead::{AeadInPlace, KeyInit, OsRng};
use aes_gcm::{Aes256Gcm, AeadCore, Nonce};
use data_encoding::BASE64;
use std::fmt;
//! 提供 API Key、TOTP secret 等敏感数据的加密/解密
//! 存储格式: `enc:<base64(nonce(12 bytes) || ciphertext)>`
use aes_gcm::aead::{Aead, KeyInit, OsRng};
use aes_gcm::aead::rand_core::RngCore;
use aes_gcm::{Aes256Gcm, Nonce};
use crate::error::{SaasError, SaasResult};
/// AES-256-GCM 密钥字节长度
const KEY_LEN: usize = 32;
/// 加密值的前缀标识
pub const ENCRYPTED_PREFIX: &str = "enc:";
/// GCM nonce 字节长度 (96-bit推荐值)
const NONCE_LEN: usize = 12;
/// AES-256-GCM nonce 长度 (12 字节)
const NONCE_SIZE: usize = 12;
/// 字段加密器,持有 AES-256-GCM 密钥
/// 加密明文值 (AES-256-GCM, 随机 nonce)
///
/// 线程安全,可通过 `Arc` 在多任务间共享。
pub struct FieldEncryption {
cipher: Aes256Gcm,
/// 返回格式: `enc:<base64(nonce(12 bytes) || ciphertext)>`
/// 每次加密使用随机 nonce相同明文产生不同密文。
pub fn encrypt_value(plaintext: &str, key: &[u8; 32]) -> SaasResult<String> {
let cipher = Aes256Gcm::new_from_slice(key)
.map_err(|e| SaasError::Encryption(format!("加密初始化失败: {}", e)))?;
let mut nonce_bytes = [0u8; NONCE_SIZE];
OsRng.fill_bytes(&mut nonce_bytes);
let nonce = Nonce::from_slice(&nonce_bytes);
let ciphertext = cipher.encrypt(nonce, plaintext.as_bytes())
.map_err(|e| SaasError::Encryption(format!("加密失败: {}", e)))?;
let mut combined = nonce_bytes.to_vec();
combined.extend_from_slice(&ciphertext);
Ok(format!("{}{}", ENCRYPTED_PREFIX, data_encoding::BASE64.encode(&combined)))
}
impl fmt::Debug for FieldEncryption {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("FieldEncryption")
.field("cipher", &"<redacted>")
.finish()
}
}
impl FieldEncryption {
/// 从环境变量加载或生成加密密钥
/// 解密 `enc:` 前缀的加密值
///
/// - **生产环境**: 必须设置 `ZCLAW_SAAS_FIELD_ENCRYPTION_KEY`32 字节 hex 编码)
/// - **开发环境** (`ZCLAW_SAAS_DEV=true`): 自动生成随机密钥并输出警告
pub fn new() -> anyhow::Result<Self> {
let is_dev = std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false);
/// 仅支持新格式 (随机 nonce),不支持旧格式 (固定 nonce)。
/// 旧格式数据应通过一次性迁移函数转换。
pub fn decrypt_value(encrypted: &str, key: &[u8; 32]) -> SaasResult<String> {
let encoded = encrypted.strip_prefix(ENCRYPTED_PREFIX)
.ok_or_else(|| SaasError::Encryption("加密值格式无效 (缺少 enc: 前缀)".into()))?;
let key_bytes = match std::env::var("ZCLAW_SAAS_FIELD_ENCRYPTION_KEY") {
Ok(hex_key) => {
let bytes = hex::decode(&hex_key).map_err(|e| {
anyhow::anyhow!(
"ZCLAW_SAAS_FIELD_ENCRYPTION_KEY 格式无效 (期望 64 字符 hex): {e}"
)
})?;
if bytes.len() != KEY_LEN {
anyhow::bail!(
"ZCLAW_SAAS_FIELD_ENCRYPTION_KEY 长度错误: 期望 {KEY_LEN} 字节, 实际 {} 字节",
bytes.len()
);
}
tracing::info!("Field encryption key loaded from environment");
bytes
}
Err(_) => {
if is_dev {
let random_key: [u8; KEY_LEN] = rand::random();
let hex_key = hex::encode(random_key);
tracing::warn!(
"ZCLAW_SAAS_FIELD_ENCRYPTION_KEY 未设置,已生成随机密钥 (仅限开发环境):\n {hex_key}\n\
生产环境必须设置此环境变量!"
);
random_key.to_vec()
} else {
anyhow::bail!(
"ZCLAW_SAAS_FIELD_ENCRYPTION_KEY 环境变量未设置。\n\
请设置一个 32 字节 hex 编码密钥 (64 字符)。\n\
生成方式: openssl rand -hex 32\n\
开发环境可设置 ZCLAW_SAAS_DEV=true 自动生成。"
);
}
}
};
let raw = data_encoding::BASE64.decode(encoded.as_bytes())
.map_err(|_| SaasError::Encryption("加密值 Base64 解码失败".into()))?;
let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&key_bytes);
let cipher = Aes256Gcm::new(key);
Ok(Self { cipher })
if raw.len() <= NONCE_SIZE {
return Err(SaasError::Encryption("加密值数据不完整".into()));
}
/// 加密明文,返回 base64 编码密文
///
/// 密文格式: `base64(nonce_12bytes || ciphertext || gcm_tag_16bytes)`
pub fn encrypt(&self, plaintext: &str) -> SaasResult<String> {
let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
let payload = plaintext.as_bytes();
let cipher = Aes256Gcm::new_from_slice(key)
.map_err(|e| SaasError::Encryption(format!("解密初始化失败: {}", e)))?;
// AeadInPlace::encrypt_in_place_append_tag 会在 payload 后面追加 16 字节 tag
let mut buffer = payload.to_vec();
self.cipher
.encrypt_in_place(&nonce, &[], &mut buffer)
.map_err(|e| SaasError::Encryption(format!("加密失败: {e}")))?;
// 构造输出: nonce (12) || ciphertext + tag
let mut output = Vec::with_capacity(NONCE_LEN + buffer.len());
output.extend_from_slice(&nonce);
output.extend_from_slice(&buffer);
Ok(BASE64.encode(&output))
}
/// 解密 base64 编码密文,返回原始明文
///
/// 输入格式: `base64(nonce_12bytes || ciphertext || gcm_tag_16bytes)`
pub fn decrypt(&self, ciphertext: &str) -> SaasResult<String> {
let raw = BASE64
.decode(ciphertext.as_bytes())
.map_err(|e| SaasError::Encryption(format!("Base64 解码失败: {e}")))?;
if raw.len() < NONCE_LEN {
return Err(SaasError::Encryption(
"密文长度不足: 无法提取 nonce".to_string(),
));
}
let (nonce_bytes, encrypted) = raw.split_at(NONCE_LEN);
let (nonce_bytes, ciphertext) = raw.split_at(NONCE_SIZE);
let nonce = Nonce::from_slice(nonce_bytes);
let mut buffer = encrypted.to_vec();
self.cipher
.decrypt_in_place(nonce, &[], &mut buffer)
.map_err(|e| SaasError::Encryption(format!("解密失败 (密文可能已损坏或密钥不匹配): {e}")))?;
let plaintext = cipher.decrypt(nonce, ciphertext)
.map_err(|_| SaasError::Encryption("解密失败 (密钥可能已变更)".into()))?;
String::from_utf8(buffer)
.map_err(|e| SaasError::Encryption(format!("解密结果非有效 UTF-8: {e}")))
String::from_utf8(plaintext)
.map_err(|_| SaasError::Encryption("解密后数据无效 UTF-8".into()))
}
/// 尝试解密,失败时返回原始明文(用于迁移期间兼容未加密的旧数据)
/// 检查值是否已加密 (以 `enc:` 开头)
pub fn is_encrypted(value: &str) -> bool {
value.starts_with(ENCRYPTED_PREFIX)
}
/// 批量迁移: 将旧的固定 nonce 加密值重新加密为随机 nonce 格式
///
/// 在字段加密上线前,数据库中可能已存在未加密的明文数据
/// 此方法先尝试解密若解密失败Base64 解码失败、GCM 认证失败等),
/// 则假设数据是旧版明文,直接返回原值。
pub fn decrypt_or_plaintext(&self, value: &str) -> String {
self.decrypt(value).unwrap_or_else(|_| value.to_string())
/// 输入为旧格式 (固定 nonce `zclaw_totp_nce`) 加密的 base64 数据
/// 输出为新格式 `enc:<base64(random_nonce || ciphertext)>`。
pub fn re_encrypt_from_legacy(legacy_base64: &str, legacy_key: &[u8; 32], new_key: &[u8; 32]) -> SaasResult<String> {
// 先用旧 nonce 解密
let cipher = Aes256Gcm::new_from_slice(legacy_key)
.map_err(|e| SaasError::Encryption(format!("解密初始化失败: {}", e)))?;
let raw = data_encoding::BASE64.decode(legacy_base64.as_bytes())
.or_else(|_| data_encoding::BASE32.decode(legacy_base64.as_bytes()))
.map_err(|_| SaasError::Encryption("旧格式 Base64/Base32 解码失败".into()))?;
// 尝试新格式 (前 12 字节为 nonce)
if raw.len() > NONCE_SIZE {
let (nonce_bytes, ciphertext) = raw.split_at(NONCE_SIZE);
let nonce = Nonce::from_slice(nonce_bytes);
if let Ok(plaintext_bytes) = cipher.decrypt(nonce, ciphertext) {
let plaintext = String::from_utf8(plaintext_bytes)
.map_err(|_| SaasError::Encryption("旧格式解密后数据无效".into()))?;
return encrypt_value(&plaintext, new_key);
}
}
#[cfg(test)]
mod tests {
use super::*;
// 回退到旧格式: 固定 nonce
let legacy_nonce = Nonce::from_slice(b"zclaw_totp_nce");
let plaintext_bytes = cipher.decrypt(legacy_nonce, raw.as_ref())
.map_err(|_| SaasError::Encryption("旧格式解密失败".into()))?;
let plaintext = String::from_utf8(plaintext_bytes)
.map_err(|_| SaasError::Encryption("旧格式解密后数据无效".into()))?;
/// 辅助: 用固定密钥创建 FieldEncryption测试专用
fn test_encryption() -> FieldEncryption {
// 固定 32 字节密钥,仅用于测试
let key_bytes: [u8; KEY_LEN] = [
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
];
let key = aes_gcm::Key::<Aes256Gcm>::from_slice(&key_bytes);
let cipher = Aes256Gcm::new(key);
FieldEncryption { cipher }
}
#[test]
fn encrypt_produces_base64_output() {
let enc = test_encryption();
let result = enc.encrypt("hello world");
assert!(result.is_ok());
let ciphertext = result.unwrap();
// base64 输出应该能被 BASE64 解码
assert!(BASE64.decode(ciphertext.as_bytes()).is_ok());
}
#[test]
fn encrypt_decrypt_roundtrip() {
let enc = test_encryption();
let plaintext = "sk-proj-abc123SECRET_API_KEY_!@#$%";
let ciphertext = enc.encrypt(plaintext).expect("encrypt should succeed");
let decrypted = enc.decrypt(&ciphertext).expect("decrypt should succeed");
assert_eq!(decrypted, plaintext);
}
#[test]
fn encrypt_decrypt_roundtrip_chinese() {
let enc = test_encryption();
let plaintext = "这是一个包含中文的敏感字段测试";
let ciphertext = enc.encrypt(plaintext).expect("encrypt should succeed");
let decrypted = enc.decrypt(&ciphertext).expect("decrypt should succeed");
assert_eq!(decrypted, plaintext);
}
#[test]
fn different_encryptions_produce_different_ciphertexts() {
let enc = test_encryption();
let plaintext = "same-plaintext";
let ct1 = enc.encrypt(plaintext).unwrap();
let ct2 = enc.encrypt(plaintext).unwrap();
// 由于随机 nonce相同明文的密文应该不同
assert_ne!(ct1, ct2);
}
#[test]
fn decrypt_wrong_key_fails() {
let enc1 = test_encryption();
// 用不同密钥创建另一个加密器
let key_bytes2: [u8; KEY_LEN] = [
0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
0xef, 0xee, 0xed, 0xec, 0xeb, 0xea, 0xe9, 0xe8,
0xe7, 0xe6, 0xe5, 0xe4, 0xe3, 0xe2, 0xe1, 0xe0,
];
let key2 = aes_gcm::Key::<Aes256Gcm>::from_slice(&key_bytes2);
let cipher2 = Aes256Gcm::new(key2);
let enc2 = FieldEncryption { cipher: cipher2 };
let ciphertext = enc1.encrypt("secret").unwrap();
let result = enc2.decrypt(&ciphertext);
assert!(result.is_err());
}
#[test]
fn decrypt_invalid_base64_fails() {
let enc = test_encryption();
let result = enc.decrypt("not-valid-base64!!!");
assert!(result.is_err());
}
#[test]
fn decrypt_too_short_ciphertext_fails() {
let enc = test_encryption();
// 构造一个短于 12 字节 nonce 的有效 base64 字符串
let short = BASE64.encode(&[0x01, 0x02, 0x03]);
let result = enc.decrypt(&short);
assert!(result.is_err());
}
#[test]
fn decrypt_tampered_ciphertext_fails() {
let enc = test_encryption();
let ciphertext = enc.encrypt("sensitive-data").unwrap();
// 解码、篡改、重新编码
let mut raw = BASE64.decode(ciphertext.as_bytes()).unwrap();
// 翻转 nonce 后的一个字节
let tamper_pos = NONCE_LEN + 2;
if tamper_pos < raw.len() {
raw[tamper_pos] ^= 0xff;
}
let tampered = BASE64.encode(&raw);
let result = enc.decrypt(&tampered);
assert!(result.is_err());
}
#[test]
fn encrypt_empty_string_roundtrip() {
let enc = test_encryption();
let ciphertext = enc.encrypt("").unwrap();
let decrypted = enc.decrypt(&ciphertext).unwrap();
assert_eq!(decrypted, "");
}
#[test]
fn ciphertext_format_has_nonce_prefix() {
let enc = test_encryption();
let ciphertext = enc.encrypt("test").unwrap();
let raw = BASE64.decode(ciphertext.as_bytes()).unwrap();
// raw 应该 = nonce(12) + ciphertext + tag(16)
// 至少 12 + 16 = 28 字节(明文 4 字节加密后 4 字节 + 16 字节 tag
assert!(raw.len() >= NONCE_LEN + 16);
}
encrypt_value(&plaintext, new_key)
}

243
crates/zclaw-saas/src/csrf.rs
View File

@@ -1,243 +0,0 @@
//! CSRF 防护: Origin 校验中间件
//!
//! 对所有状态变更请求 (POST/PUT/PATCH/DELETE) 校验 `Origin` 请求头,
//! 确保其与 `server.cors_origins` 白名单中的某项匹配。
//!
//! - GET / HEAD / OPTIONS 请求跳过校验 (安全方法)
//! - 缺少 Origin 头时拒绝 (403)
//! - Origin 不匹配白名单时拒绝 (403)
//! - `ZCLAW_SAAS_DEV=true` 时跳过校验
//!
//! 这是 Bearer Token API 最合适的 CSRF 防护方案。
//! 如果未来迁移到 Cookie 认证,需要升级为 CSRF Token 方案。
use axum::{
extract::{Request, State},
http::{header, StatusCode},
middleware::Next,
response::{IntoResponse, Response},
};
use tracing::warn;
use crate::state::AppState;
/// 需要进行 Origin 校验的 HTTP 方法
const CSRF_UNSAFE_METHODS: &[&str] = &["POST", "PUT", "PATCH", "DELETE"];
/// Origin 校验中间件
///
/// 在 auth_middleware 之后、rate_limit_middleware 之前执行。
/// 已认证的请求若缺少或不匹配 Origin 头,返回 403 Forbidden。
pub async fn origin_check_middleware(
State(state): State<AppState>,
req: Request,
next: Next,
) -> Response {
// 开发模式跳过校验
if is_dev_mode() {
return next.run(req).await;
}
// 安全方法跳过校验
let method = req.method().as_str().to_uppercase();
if !CSRF_UNSAFE_METHODS.contains(&method.as_str()) {
return next.run(req).await;
}
// 获取 Origin 头
let origin_header = match req.headers().get(header::ORIGIN) {
Some(value) => match value.to_str() {
Ok(origin) => origin,
Err(_) => {
warn!("CSRF: Origin header contains invalid UTF-8");
return csrf_reject("ORIGIN_INVALID", "Origin 请求头格式无效");
}
},
None => {
warn!("CSRF: Missing Origin header on {} {}", method, req.uri());
return csrf_reject("ORIGIN_MISSING", "缺少 Origin 请求头");
}
};
// 从配置读取白名单
let allowed_origins = {
let config = state.config.read().await;
config.server.cors_origins.clone()
};
// 白名单为空时不校验 (生产环境已在 main.rs 中强制要求配置)
if allowed_origins.is_empty() {
return next.run(req).await;
}
// 校验 Origin 是否在白名单中
if !origin_matches_whitelist(origin_header, &allowed_origins) {
warn!(
"CSRF: Origin '{}' not in whitelist for {} {}",
origin_header,
method,
req.uri()
);
return csrf_reject("ORIGIN_NOT_ALLOWED", "Origin 不在允许列表中");
}
next.run(req).await
}
/// 判断是否为开发模式
fn is_dev_mode() -> bool {
std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false)
}
/// 校验 Origin 是否匹配白名单中的某项
///
/// 匹配规则: 精确匹配 (scheme + host + port)。
/// 例如白名单 `https://admin.zclaw.com` 只匹配该 Origin
/// 不匹配 `https://evil.zclaw.com`。
fn origin_matches_whitelist(origin: &str, whitelist: &[String]) -> bool {
// 使用 url::Url 进行规范化比较,避免字符串拼接攻击
let parsed_origin = match url::Url::parse(origin) {
Ok(url) => url,
Err(_) => return false,
};
for allowed in whitelist {
if let Ok(allowed_url) = url::Url::parse(allowed) {
if origins_equal(&parsed_origin, &allowed_url) {
return true;
}
} else {
// 白名单条目本身无法解析,降级为字符串比较
if origin == allowed {
return true;
}
}
}
false
}
/// 比较两个 Origin URL 是否相等 (scheme + host + port)
///
/// 同时拒绝包含路径的 URL: 真实的 Origin 头永远不会包含路径。
/// 如果传入的 origin 字符串包含路径,视为不合法的 Origin。
fn origins_equal(a: &url::Url, b: &url::Url) -> bool {
// scheme 必须完全一致
if a.scheme() != b.scheme() {
return false;
}
// host 必须完全一致
if a.host_str() != b.host_str() {
return false;
}
// port 必须完全一致 (url::Url 会规范化默认端口: 80/HTTP, 443/HTTPS)
if a.port() != b.port() {
return false;
}
// 防御性检查: 合法的 Origin 不应包含路径、query string 或 fragment
// 如果任一 URL 的 path 不是 "/" 或有 query/fragment视为可疑请求
if a.path() != "/" || b.path() != "/" {
return false;
}
if a.query().is_some() || b.query().is_some() {
return false;
}
if a.fragment().is_some() || b.fragment().is_some() {
return false;
}
true
}
/// 返回 403 拒绝响应
fn csrf_reject(error_code: &str, message: &str) -> Response {
(
StatusCode::FORBIDDEN,
[("Content-Type", "application/json")],
axum::Json(serde_json::json!({
"error": error_code,
"message": message,
})),
)
.into_response()
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_origin_matches_whitelist_exact() {
let whitelist = vec![
"https://admin.zclaw.com".to_string(),
"http://localhost:3000".to_string(),
];
assert!(origin_matches_whitelist("https://admin.zclaw.com", &whitelist));
assert!(origin_matches_whitelist("http://localhost:3000", &whitelist));
assert!(!origin_matches_whitelist("https://evil.zclaw.com", &whitelist));
// url::Url normalizes port 443 for HTTPS to None, so these match
assert!(origin_matches_whitelist("https://admin.zclaw.com:443", &whitelist));
assert!(!origin_matches_whitelist("http://localhost:3001", &whitelist));
}
#[test]
fn test_origin_matches_whitelist_empty() {
let whitelist: Vec<String> = vec![];
assert!(!origin_matches_whitelist("https://example.com", &whitelist));
}
#[test]
fn test_origin_matches_whitelist_with_path() {
let whitelist = vec!["https://admin.zclaw.com".to_string()];
// 标准 Origin 不包含路径,应该匹配
assert!(origin_matches_whitelist("https://admin.zclaw.com", &whitelist));
// 包含路径的 Origin 不合法 (浏览器永远不会发送带路径的 Origin)
assert!(!origin_matches_whitelist("https://admin.zclaw.com/evil", &whitelist));
// 带查询字符串的 Origin 也不合法
assert!(!origin_matches_whitelist("https://admin.zclaw.com/?evil=1", &whitelist));
}
#[test]
fn test_origin_matches_whitelist_invalid_origin() {
let whitelist = vec!["https://admin.zclaw.com".to_string()];
assert!(!origin_matches_whitelist("not-a-url", &whitelist));
assert!(!origin_matches_whitelist("", &whitelist));
}
#[test]
fn test_origins_equal() {
let a = url::Url::parse("https://admin.zclaw.com").unwrap();
let b = url::Url::parse("https://admin.zclaw.com").unwrap();
assert!(origins_equal(&a, &b));
// Different scheme
let c = url::Url::parse("http://admin.zclaw.com").unwrap();
assert!(!origins_equal(&a, &c));
// Different host
let d = url::Url::parse("https://evil.zclaw.com").unwrap();
assert!(!origins_equal(&a, &d));
// Different port
let e = url::Url::parse("https://admin.zclaw.com:8443").unwrap();
assert!(!origins_equal(&a, &e));
// Explicit default port vs implicit
let f = url::Url::parse("https://admin.zclaw.com:443").unwrap();
// url::Url normalizes 443 for HTTPS, so both have None port
assert!(origins_equal(&a, &f));
}
#[test]
fn test_is_dev_mode() {
// Don't modify env in tests; just verify the function signature works
// Actual env-var-based behavior tested in integration tests
let _ = is_dev_mode();
}
}

538
crates/zclaw-saas/src/db.rs
View File

@@ -1,387 +1,257 @@
//! 数据库初始化与 Schema (PostgreSQL)
use sqlx::postgres::PgPoolOptions;
use sqlx::PgPool;
use crate::error::SaasResult;
const SCHEMA_VERSION: i32 = 2;
const SCHEMA_SQL: &str = r#"
CREATE TABLE IF NOT EXISTS saas_schema_version (
version INTEGER PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS accounts (
id TEXT PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
email TEXT NOT NULL UNIQUE,
password_hash TEXT NOT NULL,
display_name TEXT NOT NULL DEFAULT '',
avatar_url TEXT,
role TEXT NOT NULL DEFAULT 'user',
status TEXT NOT NULL DEFAULT 'active',
totp_secret TEXT,
totp_enabled BOOLEAN NOT NULL DEFAULT false,
last_login_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_accounts_email ON accounts(email);
CREATE INDEX IF NOT EXISTS idx_accounts_role ON accounts(role);
CREATE TABLE IF NOT EXISTS api_tokens (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
name TEXT NOT NULL,
token_hash TEXT NOT NULL,
token_prefix TEXT NOT NULL,
permissions TEXT NOT NULL DEFAULT '[]',
last_used_at TIMESTAMPTZ,
expires_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
revoked_at TIMESTAMPTZ,
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_api_tokens_account ON api_tokens(account_id);
CREATE INDEX IF NOT EXISTS idx_api_tokens_hash ON api_tokens(token_hash);
CREATE TABLE IF NOT EXISTS roles (
id TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
description TEXT,
permissions TEXT NOT NULL DEFAULT '[]',
is_system BOOLEAN NOT NULL DEFAULT false,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS operation_logs (
id BIGSERIAL PRIMARY KEY,
account_id TEXT,
action TEXT NOT NULL,
target_type TEXT,
target_id TEXT,
details TEXT,
ip_address TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_op_logs_account ON operation_logs(account_id);
CREATE INDEX IF NOT EXISTS idx_op_logs_action ON operation_logs(action);
CREATE INDEX IF NOT EXISTS idx_op_logs_time ON operation_logs(created_at);
CREATE TABLE IF NOT EXISTS providers (
id TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
display_name TEXT NOT NULL,
api_key TEXT,
base_url TEXT NOT NULL,
api_protocol TEXT NOT NULL DEFAULT 'openai',
enabled BOOLEAN NOT NULL DEFAULT true,
rate_limit_rpm INTEGER,
rate_limit_tpm INTEGER,
config_json TEXT DEFAULT '{}',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS models (
id TEXT PRIMARY KEY,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
alias TEXT NOT NULL,
context_window INTEGER NOT NULL DEFAULT 8192,
max_output_tokens INTEGER NOT NULL DEFAULT 4096,
supports_streaming BOOLEAN NOT NULL DEFAULT true,
supports_vision BOOLEAN NOT NULL DEFAULT false,
enabled BOOLEAN NOT NULL DEFAULT true,
pricing_input DOUBLE PRECISION DEFAULT 0,
pricing_output DOUBLE PRECISION DEFAULT 0,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(provider_id, model_id),
FOREIGN KEY (provider_id) REFERENCES providers(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_models_provider ON models(provider_id);
CREATE TABLE IF NOT EXISTS account_api_keys (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
key_value TEXT NOT NULL,
key_label TEXT,
permissions TEXT NOT NULL DEFAULT '[]',
enabled BOOLEAN NOT NULL DEFAULT true,
last_used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
revoked_at TIMESTAMPTZ,
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE,
FOREIGN KEY (provider_id) REFERENCES providers(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_account_api_keys_account ON account_api_keys(account_id);
CREATE TABLE IF NOT EXISTS usage_records (
id BIGSERIAL PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
input_tokens INTEGER NOT NULL DEFAULT 0,
output_tokens INTEGER NOT NULL DEFAULT 0,
latency_ms INTEGER,
status TEXT NOT NULL DEFAULT 'success',
error_message TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_usage_account ON usage_records(account_id);
CREATE INDEX IF NOT EXISTS idx_usage_time ON usage_records(created_at);
CREATE INDEX IF NOT EXISTS idx_usage_provider ON usage_records(provider_id);
CREATE INDEX IF NOT EXISTS idx_usage_model ON usage_records(model_id);
CREATE TABLE IF NOT EXISTS relay_tasks (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
provider_id TEXT NOT NULL,
model_id TEXT NOT NULL,
request_hash TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'queued',
priority INTEGER NOT NULL DEFAULT 0,
attempt_count INTEGER NOT NULL DEFAULT 0,
max_attempts INTEGER NOT NULL DEFAULT 3,
request_body TEXT NOT NULL,
response_body TEXT,
input_tokens INTEGER DEFAULT 0,
output_tokens INTEGER DEFAULT 0,
error_message TEXT,
queued_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
started_at TIMESTAMPTZ,
completed_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_relay_status ON relay_tasks(status);
CREATE INDEX IF NOT EXISTS idx_relay_account ON relay_tasks(account_id);
CREATE INDEX IF NOT EXISTS idx_relay_provider ON relay_tasks(provider_id);
CREATE INDEX IF NOT EXISTS idx_relay_account_status ON relay_tasks(account_id, status);
CREATE TABLE IF NOT EXISTS config_items (
id TEXT PRIMARY KEY,
category TEXT NOT NULL,
key_path TEXT NOT NULL,
value_type TEXT NOT NULL,
current_value TEXT,
default_value TEXT,
source TEXT NOT NULL DEFAULT 'local',
description TEXT,
requires_restart BOOLEAN NOT NULL DEFAULT false,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE(category, key_path)
);
CREATE INDEX IF NOT EXISTS idx_config_category ON config_items(category);
CREATE TABLE IF NOT EXISTS config_sync_log (
id BIGSERIAL PRIMARY KEY,
account_id TEXT NOT NULL,
client_fingerprint TEXT NOT NULL,
action TEXT NOT NULL,
config_keys TEXT NOT NULL,
client_values TEXT,
saas_values TEXT,
resolution TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_sync_account ON config_sync_log(account_id);
CREATE TABLE IF NOT EXISTS devices (
id TEXT PRIMARY KEY,
account_id TEXT NOT NULL,
device_id TEXT NOT NULL,
device_name TEXT,
platform TEXT,
app_version TEXT,
last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
FOREIGN KEY (account_id) REFERENCES accounts(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_devices_account ON devices(account_id);
CREATE INDEX IF NOT EXISTS idx_devices_device_id ON devices(device_id);
CREATE UNIQUE INDEX IF NOT EXISTS idx_devices_unique ON devices(account_id, device_id);
"#;
const SEED_ROLES: &str = r#"
INSERT INTO roles (id, name, description, permissions, is_system, created_at, updated_at)
VALUES
('super_admin', '超级管理员', '拥有所有权限', '["admin:full","account:admin","provider:manage","model:manage","relay:admin","config:write"]', true, NOW(), NOW()),
('admin', '管理员', '管理账号和配置', '["account:read","account:admin","provider:manage","model:read","model:manage","relay:use","relay:admin","config:read","config:write"]', true, NOW(), NOW()),
('user', '普通用户', '基础使用权限', '["model:read","relay:use","config:read"]', true, NOW(), NOW())
ON CONFLICT (id) DO NOTHING;
"#;
/// PostgreSQL 不支持在单条 prepared statement 中执行多条 SQL 命令,
/// 因此需要拆分后逐条执行。
async fn execute_multi_statements(pool: &PgPool, sql: &str) -> SaasResult<()> {
for stmt in sql.split(';') {
let trimmed = stmt.trim();
if trimmed.is_empty() {
continue;
}
if let Err(e) = sqlx::query(trimmed).execute(pool).await {
let err_str = e.to_string();
// 忽略 "已存在" 类错误 (并发初始化或重复调用)
let is_already_exists = err_str.contains("already exists")
|| err_str.contains("已经存在")
|| err_str.contains("重复键");
if !is_already_exists {
return Err(e.into());
}
}
}
Ok(())
}
const SCHEMA_VERSION: i32 = 6;
/// 初始化数据库
pub async fn init_db(database_url: &str) -> SaasResult<PgPool> {
tracing::info!("Connecting to database: {}", database_url);
let pool = PgPool::connect(database_url).await?;
execute_multi_statements(&pool, SCHEMA_SQL).await?;
execute_multi_statements(&pool, SEED_ROLES).await?;
let pool = PgPoolOptions::new()
.max_connections(50)
.min_connections(5)
.acquire_timeout(std::time::Duration::from_secs(10))
.idle_timeout(std::time::Duration::from_secs(300))
.max_lifetime(std::time::Duration::from_secs(1800))
.connect(database_url)
.await?;
run_migrations(&pool).await?;
seed_admin_account(&pool).await?;
seed_builtin_prompts(&pool).await?;
tracing::info!("Database initialized (schema v{})", SCHEMA_VERSION);
Ok(pool)
}
/// 创建测试数据库 (连接到真实 PG 实例)
/// 测试前清空所有数据,确保每次从干净状态开始
pub async fn init_test_db() -> SaasResult<PgPool> {
let url = std::env::var("ZCLAW_TEST_DATABASE_URL")
.unwrap_or_else(|_| "postgres://localhost:5432/zclaw_test".to_string());
let pool = PgPool::connect(&url).await?;
execute_multi_statements(&pool, SCHEMA_SQL).await?;
clean_test_data(&pool).await?;
execute_multi_statements(&pool, SEED_ROLES).await?;
Ok(pool)
/// 执行数据库迁移
///
/// 优先使用 migrations/ 目录下的 SQL 文件(支持 TIMESTAMPTZ
/// 如果不存在则回退到内联 schema向后兼容 TEXT 时间戳的旧数据库)。
async fn run_migrations(pool: &PgPool) -> SaasResult<()> {
// 检查是否已有 schema已有的数据库保持 TEXT 类型不变)
let existing_version: Option<i32> = sqlx::query_scalar(
"SELECT version FROM saas_schema_version ORDER BY version DESC LIMIT 1"
)
.fetch_optional(pool)
.await
.unwrap_or(None);
match existing_version {
Some(v) if v >= SCHEMA_VERSION => {
tracing::debug!("Schema already at v{}, no migration needed", v);
return Ok(());
}
Some(v) => {
tracing::info!("Schema at v{}, upgrading to v{}", v, SCHEMA_VERSION);
}
None => {
tracing::info!("No schema found, running initial migration");
}
}
/// 清空所有表数据 (按外键依赖顺序,使用 DELETE 而非 TRUNCATE)
/// DELETE 不获取 ACCESS EXCLUSIVE 锁,对并发更友好
pub async fn clean_test_data(pool: &PgPool) -> SaasResult<()> {
let tables_to_clean = [
"config_sync_log", "config_items", "usage_records", "relay_tasks",
"account_api_keys", "models", "providers", "operation_logs",
"api_tokens", "devices", "roles", "accounts",
];
for table in &tables_to_clean {
let _ = sqlx::query(&format!("DELETE FROM {}", table))
.execute(pool).await;
// 尝试从 migrations 目录加载 SQL 文件
let migrations_dir = std::path::Path::new("crates/zclaw-saas/migrations");
if migrations_dir.exists() {
run_migration_files(pool, migrations_dir).await?;
} else {
// 回退:使用 migrations/ 的替代路径(开发环境可能在项目根目录)
let alt_dir = std::path::Path::new("migrations");
if alt_dir.exists() {
run_migration_files(pool, alt_dir).await?;
} else {
tracing::warn!("No migrations directory found, schema may be incomplete");
}
}
// 更新 schema 版本
sqlx::query("INSERT INTO saas_schema_version (version) VALUES ($1) ON CONFLICT DO NOTHING")
.bind(SCHEMA_VERSION)
.execute(pool)
.await?;
// Seed roles
seed_roles(pool).await?;
Ok(())
}
/// 从目录加载并执行迁移文件(按文件名排序)
async fn run_migration_files(pool: &PgPool, dir: &std::path::Path) -> SaasResult<()> {
let mut entries: Vec<std::path::PathBuf> = std::fs::read_dir(dir)?
.filter_map(|e| e.ok())
.map(|e| e.path())
.filter(|p| p.extension().map(|ext| ext == "sql").unwrap_or(false))
.collect();
entries.sort();
for path in &entries {
let filename = path.file_name().unwrap_or_default().to_string_lossy();
tracing::info!("Running migration: {}", filename);
let content = std::fs::read_to_string(path)?;
for stmt in content.split(';') {
let trimmed = stmt.trim();
if !trimmed.is_empty() && !trimmed.starts_with("--") {
sqlx::query(trimmed).execute(pool).await?;
}
}
}
Ok(())
}
/// 如果 accounts 表为空且环境变量已设置,自动创建 super_admin 账号
async fn seed_admin_account(pool: &PgPool) -> SaasResult<()> {
let has_accounts: (bool,) = sqlx::query_as(
"SELECT EXISTS(SELECT 1 FROM accounts LIMIT 1) as has"
/// Seed 角色数据
async fn seed_roles(pool: &PgPool) -> SaasResult<()> {
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
r#"INSERT INTO roles (id, name, description, permissions, is_system, created_at, updated_at)
VALUES
('super_admin', '超级管理员', '拥有所有权限', '["admin:full","account:admin","provider:manage","model:manage","relay:admin","config:write","prompt:read","prompt:write","prompt:publish","prompt:admin"]', TRUE, $1, $1),
('admin', '管理员', '管理账号和配置', '["account:read","account:admin","provider:manage","model:read","model:manage","relay:use","relay:admin","config:read","config:write","prompt:read","prompt:write","prompt:publish"]', TRUE, $1, $1),
('user', '普通用户', '基础使用权限', '["model:read","relay:use","config:read","prompt:read"]', TRUE, $1, $1)
ON CONFLICT (id) DO NOTHING"#
)
.fetch_one(pool)
.bind(&now)
.execute(pool)
.await?;
if has_accounts.0 {
return Ok(());
Ok(())
}
/// 如果 accounts 表为空且环境变量已设置,自动创建 super_admin 账号
/// 或者更新现有 admin 用户的角色为 super_admin
pub async fn seed_admin_account(pool: &PgPool) -> SaasResult<()> {
let admin_username = std::env::var("ZCLAW_ADMIN_USERNAME")
.unwrap_or_else(|_| "admin".to_string());
// 检查是否设置了管理员密码
let admin_password = match std::env::var("ZCLAW_ADMIN_PASSWORD") {
Ok(pwd) => pwd,
Err(_) => {
tracing::warn!(
"accounts 表为空但未设置 ZCLAW_ADMIN_PASSWORD 环境变量。\
请通过 POST /api/v1/auth/register 注册首个用户,然后手动将其 role 改为 super_admin\
或设置 ZCLAW_ADMIN_USERNAME 和 ZCLAW_ADMIN_PASSWORD 环境变量后重启服务。"
);
// 没有设置密码,尝试更新现有 admin 用户的角色
let result = sqlx::query(
"UPDATE accounts SET role = 'super_admin' WHERE username = $1 AND role != 'super_admin'"
)
.bind(&admin_username)
.execute(pool)
.await?;
if result.rows_affected() > 0 {
tracing::info!("已将用户 {} 的角色更新为 super_admin", admin_username);
}
return Ok(());
}
};
use crate::auth::password::hash_password;
// 检查 admin 用户是否已存在
let existing: Option<(String,)> = sqlx::query_as(
"SELECT id FROM accounts WHERE username = $1"
)
.bind(&admin_username)
.fetch_optional(pool)
.await?;
let password_hash = hash_password(&admin_password)?;
if let Some((account_id,)) = existing {
// 更新现有用户的密码和角色(使用 spawn_blocking 避免阻塞 tokio 运行时)
let password_hash = crate::auth::password::hash_password_async(admin_password.clone()).await?;
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
"UPDATE accounts SET password_hash = $1, role = 'super_admin', updated_at = $2 WHERE id = $3"
)
.bind(&password_hash)
.bind(&now)
.bind(&account_id)
.execute(pool)
.await?;
tracing::info!("已更新用户 {} 的密码和角色为 super_admin", admin_username);
} else {
// 创建新的 super_admin 账号
let password_hash = crate::auth::password::hash_password_async(admin_password.clone()).await?;
let account_id = uuid::Uuid::new_v4().to_string();
let email = format!("{}@zclaw.local", admin_username);
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
"INSERT INTO accounts (id, username, email, password_hash, display_name, role, status, created_at, updated_at)
VALUES ($1, $2, $3, $4, $5, 'super_admin', 'active', NOW(), NOW())"
VALUES ($1, $2, $3, $4, $5, 'super_admin', 'active', $6, $6)"
)
.bind(&account_id)
.bind(&admin_username)
.bind(&email)
.bind(&password_hash)
.bind(&admin_username)
.bind(&now)
.execute(pool)
.await?;
tracing::info!(
"自动创建 super_admin 账号: username={}, email={}", admin_username, email
);
tracing::info!("自动创建 super_admin 账号: username={}, email={}", admin_username, email);
}
Ok(())
}
/// 种子化内置提示词模板(仅当表为空时)
async fn seed_builtin_prompts(pool: &PgPool) -> SaasResult<()> {
let count: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM prompt_templates")
.fetch_one(pool).await?;
if count.0 > 0 {
return Ok(());
}
let now = chrono::Utc::now().to_rfc3339();
// reflection 提示词
let reflection_id = uuid::Uuid::new_v4().to_string();
let reflection_ver_id = uuid::Uuid::new_v4().to_string();
sqlx::query(
"INSERT INTO prompt_templates (id, name, category, description, source, current_version, status, created_at, updated_at)
VALUES ($1, 'reflection', 'builtin_system', 'Agent 自我反思引擎', 'builtin', 1, 'active', $2, $2)"
).bind(&reflection_id).bind(&now).execute(pool).await?;
sqlx::query(
"INSERT INTO prompt_versions (id, template_id, version, system_prompt, user_prompt_template, variables, changelog, min_app_version, created_at)
VALUES ($1, $2, 1, $3, $4, '[]', '初始版本', NULL, $5)"
).bind(&reflection_ver_id).bind(&reflection_id)
.bind("你是一个 AI Agent 的自我反思引擎。分析最近的对话历史,识别行为模式,并生成改进建议。\n\n输出 JSON 格式:\n{\n \"patterns\": [\n {\n \"observation\": \"观察到的模式描述\",\n \"frequency\": 数字,\n \"sentiment\": \"positive/negative/neutral\",\n \"evidence\": [\"证据1\", \"证据2\"]\n }\n ],\n \"improvements\": [\n {\n \"area\": \"改进领域\",\n \"suggestion\": \"具体建议\",\n \"priority\": \"high/medium/low\"\n }\n ],\n \"identityProposals\": []\n}")
.bind("分析以下对话历史,进行自我反思:\n\n{{context}}\n\n请识别行为模式(积极和消极),并提供具体的改进建议。")
.bind(&now).execute(pool).await?;
// compaction 提示词
let compaction_id = uuid::Uuid::new_v4().to_string();
let compaction_ver_id = uuid::Uuid::new_v4().to_string();
sqlx::query(
"INSERT INTO prompt_templates (id, name, category, description, source, current_version, status, created_at, updated_at)
VALUES ($1, 'compaction', 'builtin_compaction', '对话上下文压缩', 'builtin', 1, 'active', $2, $2)"
).bind(&compaction_id).bind(&now).execute(pool).await?;
sqlx::query(
"INSERT INTO prompt_versions (id, template_id, version, system_prompt, user_prompt_template, variables, changelog, min_app_version, created_at)
VALUES ($1, $2, 1, $3, $4, '[]', '初始版本', NULL, $5)"
).bind(&compaction_ver_id).bind(&compaction_id)
.bind("你是一个对话摘要专家。将长对话压缩为简洁的摘要,保留关键信息。\n\n要求:\n1. 保留所有重要决策和结论\n2. 保留用户偏好和约束\n3. 保留未完成的任务\n4. 保持时间顺序\n5. 摘要应能在后续对话中替代原始内容")
.bind("请将以下对话压缩为简洁摘要,保留关键信息:\n\n{{messages}}")
.bind(&now).execute(pool).await?;
// extraction 提示词
let extraction_id = uuid::Uuid::new_v4().to_string();
let extraction_ver_id = uuid::Uuid::new_v4().to_string();
sqlx::query(
"INSERT INTO prompt_templates (id, name, category, description, source, current_version, status, created_at, updated_at)
VALUES ($1, 'extraction', 'builtin_extraction', '记忆提取引擎', 'builtin', 1, 'active', $2, $2)"
).bind(&extraction_id).bind(&now).execute(pool).await?;
sqlx::query(
"INSERT INTO prompt_versions (id, template_id, version, system_prompt, user_prompt_template, variables, changelog, min_app_version, created_at)
VALUES ($1, $2, 1, $3, $4, '[]', '初始版本', NULL, $5)"
).bind(&extraction_ver_id).bind(&extraction_id)
.bind("你是一个记忆提取专家。从对话中提取值得长期记住的信息。\n\n提取类型:\n- fact: 用户告知的事实(如\"我的公司叫XXX\"\n- preference: 用户的偏好(如\"我喜欢简洁的回答\"\n- lesson: 本次对话的经验教训\n- task: 未完成的任务或承诺\n\n输出 JSON 数组:\n[\n {\n \"content\": \"记忆内容\",\n \"type\": \"fact/preference/lesson/task\",\n \"importance\": 1-10,\n \"tags\": [\"标签1\", \"标签2\"]\n }\n]")
.bind("从以下对话中提取值得长期记住的信息:\n\n{{conversation}}\n\n如果没有值得记忆的内容,返回空数组 []。")
.bind(&now).execute(pool).await?;
tracing::info!("Seeded 3 builtin prompt templates (reflection, compaction, extraction)");
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
/// 全局 Mutex 用于序列化所有数据库测试,避免并行测试之间的数据竞争
static TEST_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
/// 共享测试连接池,避免每次测试都创建新连接
static TEST_POOL: tokio::sync::OnceCell<PgPool> = tokio::sync::OnceCell::const_new();
/// 获取测试连接池(异步初始化,避免嵌套 runtime 问题)
async fn get_test_pool() -> &'static PgPool {
TEST_POOL.get_or_init(|| async {
init_test_db().await.expect("init_test_db failed")
}).await
}
/// 每个测试前清理数据,确保隔离
async fn clean_before_test(pool: &PgPool) {
clean_test_data(pool).await.expect("clean_test_data failed");
execute_multi_statements(pool, SEED_ROLES).await.expect("seed roles failed");
}
#[tokio::test]
async fn test_init_test_db() {
// 获取全局锁,确保测试串行执行
let _guard = TEST_LOCK.lock().unwrap();
let pool = get_test_pool().await;
clean_before_test(pool).await;
let roles: Vec<(String,)> = sqlx::query_as(
"SELECT id FROM roles WHERE is_system = true"
)
.fetch_all(pool)
.await
.unwrap();
assert_eq!(roles.len(), 3);
}
#[tokio::test]
async fn test_schema_tables_exist() {
let _guard = TEST_LOCK.lock().unwrap();
let pool = get_test_pool().await;
clean_before_test(pool).await;
let tables = [
"accounts", "api_tokens", "roles",
"operation_logs", "providers", "models", "account_api_keys",
"usage_records", "relay_tasks", "config_items", "config_sync_log", "devices",
];
for table in tables {
let count: (i64,) = sqlx::query_as(&format!(
"SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='{}'", table
))
.fetch_one(pool)
.await
.unwrap();
assert_eq!(count.0, 1, "Table {} should exist", table);
}
}
// PostgreSQL 单元测试需要真实数据库连接,此处保留接口兼容
// 集成测试见 tests/integration_test.rs
}

59
crates/zclaw-saas/src/error.rs
View File

@@ -127,62 +127,3 @@ impl IntoResponse for SaasError {
/// Result 类型别名
pub type SaasResult<T> = std::result::Result<T, SaasError>;
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn status_code_maps_correctly() {
assert_eq!(SaasError::NotFound("x".into()).status_code(), StatusCode::NOT_FOUND);
assert_eq!(SaasError::Forbidden("x".into()).status_code(), StatusCode::FORBIDDEN);
assert_eq!(SaasError::Unauthorized.status_code(), StatusCode::UNAUTHORIZED);
assert_eq!(SaasError::InvalidInput("x".into()).status_code(), StatusCode::BAD_REQUEST);
assert_eq!(SaasError::AlreadyExists("x".into()).status_code(), StatusCode::CONFLICT);
assert_eq!(SaasError::RateLimited("x".into()).status_code(), StatusCode::TOO_MANY_REQUESTS);
assert_eq!(SaasError::Relay("x".into()).status_code(), StatusCode::BAD_GATEWAY);
assert_eq!(SaasError::Totp("x".into()).status_code(), StatusCode::BAD_REQUEST);
assert_eq!(SaasError::Internal("x".into()).status_code(), StatusCode::INTERNAL_SERVER_ERROR);
assert_eq!(SaasError::AuthError("x".into()).status_code(), StatusCode::UNAUTHORIZED);
}
#[test]
fn error_code_returns_expected_strings() {
assert_eq!(SaasError::NotFound("x".into()).error_code(), "NOT_FOUND");
assert_eq!(SaasError::RateLimited("x".into()).error_code(), "RATE_LIMITED");
assert_eq!(SaasError::Unauthorized.error_code(), "UNAUTHORIZED");
assert_eq!(SaasError::Encryption("x".into()).error_code(), "ENCRYPTION_ERROR");
}
#[tokio::test]
async fn into_response_hides_internal_errors() {
// 内部错误不应泄露细节
let err = SaasError::Internal("secret database password exposed".into());
let resp = err.into_response();
assert_eq!(resp.status(), StatusCode::INTERNAL_SERVER_ERROR);
let body_bytes = axum::body::to_bytes(resp.into_body(), 1024)
.await
.expect("body should be readable");
let body: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap();
assert_eq!(body["error"], "INTERNAL_ERROR");
assert_eq!(body["message"], "服务内部错误");
assert!(!body["message"].as_str().unwrap().contains("secret"));
}
#[tokio::test]
async fn into_response_shows_user_facing_errors() {
let err = SaasError::InvalidInput("用户名不能为空".into());
let resp = err.into_response();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let body_bytes = axum::body::to_bytes(resp.into_body(), 1024)
.await
.expect("body should be readable");
let body: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap();
assert_eq!(body["error"], "INVALID_INPUT");
// InvalidInput includes the "无效输入: " prefix from Display impl
let msg = body["message"].as_str().unwrap();
assert!(msg.contains("用户名不能为空"));
}
}

11
crates/zclaw-saas/src/lib.rs
View File

@@ -2,17 +2,24 @@
//!
//! 独立的 SaaS 后端服务,提供账号权限管理、模型配置、请求中转和配置迁移。
pub mod common;
pub mod config;
pub mod crypto;
pub mod csrf;
pub mod db;
pub mod error;
pub mod middleware;
pub mod openapi;
pub mod models;
pub mod scheduler;
pub mod state;
pub mod tasks;
pub mod workers;
pub mod auth;
pub mod account;
pub mod model_config;
pub mod relay;
pub mod migration;
pub mod role;
pub mod prompt;
pub mod agent_template;
pub mod telemetry;

155
crates/zclaw-saas/src/main.rs
View File

@@ -1,16 +1,15 @@
//! ZCLAW SaaS 服务入口
use std::time::{Duration, Instant};
use axum::extract::State;
use tower_http::timeout::TimeoutLayer;
use tracing::info;
use zclaw_saas::{config::SaaSConfig, db::init_db, state::AppState};
use axum::{extract::State, Json};
async fn health_handler(State(_state): State<AppState>) -> Json<serde_json::Value> {
Json(serde_json::json!({
"status": "ok",
"service": "zclaw-saas",
}))
}
use zclaw_saas::workers::WorkerDispatcher;
use zclaw_saas::workers::log_operation::LogOperationWorker;
use zclaw_saas::workers::cleanup_refresh_tokens::CleanupRefreshTokensWorker;
use zclaw_saas::workers::cleanup_rate_limit::CleanupRateLimitWorker;
use zclaw_saas::workers::record_usage::RecordUsageWorker;
use zclaw_saas::workers::update_last_used::UpdateLastUsedWorker;
#[tokio::main]
async fn main() -> anyhow::Result<()> {
@@ -27,64 +26,36 @@ async fn main() -> anyhow::Result<()> {
let db = init_db(&config.database.url).await?;
info!("Database initialized");
let state = AppState::new(db, config.clone())?;
// 初始化 Worker 调度器 + 注册所有 Worker
let mut dispatcher = WorkerDispatcher::new(db.clone());
dispatcher.register(LogOperationWorker);
dispatcher.register(CleanupRefreshTokensWorker);
dispatcher.register(CleanupRateLimitWorker);
dispatcher.register(RecordUsageWorker);
dispatcher.register(UpdateLastUsedWorker);
info!("Worker dispatcher initialized (5 workers registered)");
// SEC-14: 后台清理 rate_limit_entries DashMap防止不活跃账号条目无限增长。
// 中间件仅在被请求命中时清理对应 entry不活跃的 account 永远不会被回收。
// 此任务每 5 分钟扫描一次,移除所有时间戳均已超过 2 分钟的 entry
// (滑动窗口为 1 分钟2 分钟是安全的 2x 余量)。
{
let rate_limit_entries = state.rate_limit_entries.clone();
let state = AppState::new(db.clone(), config.clone(), dispatcher)?;
// 启动声明式 Scheduler从 TOML 配置读取定时任务)
let scheduler_config = &config.scheduler;
zclaw_saas::scheduler::start_scheduler(scheduler_config, db.clone(), state.worker_dispatcher.clone_ref());
info!("Scheduler started with {} jobs", scheduler_config.jobs.len());
// 启动内置 DB 清理任务(设备清理等不通过 Worker 的任务)
zclaw_saas::scheduler::start_db_cleanup_tasks(db.clone());
// 启动内存中的 rate limit 条目清理
let rate_limit_state = state.clone();
tokio::spawn(async move {
let mut interval = tokio::time::interval(std::time::Duration::from_secs(300));
loop {
tokio::time::sleep(Duration::from_secs(5 * 60)).await;
let cutoff = Instant::now() - Duration::from_secs(2 * 60);
let mut removed = 0usize;
rate_limit_entries.retain(|_account_id, timestamps| {
timestamps.retain(|&ts| ts > cutoff);
let keep = !timestamps.is_empty();
if !keep {
removed += 1;
}
keep
});
if removed > 0 {
info!(
removed,
remaining = rate_limit_entries.len(),
"rate limiter cleanup: removed stale entries"
);
}
interval.tick().await;
rate_limit_state.cleanup_rate_limit_entries();
}
});
}
// CORS 安全检查:生产环境必须配置 cors_origins
if config.server.cors_origins.is_empty() {
let is_dev = std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false);
if !is_dev {
anyhow::bail!("生产环境必须配置 server.cors_origins 白名单。开发环境可设置 ZCLAW_SAAS_DEV=true 绕过。");
}
}
let app = build_router(state, &config);
// Swagger UI / OpenAPI 文档
// TODO: 启用 Swagger UI 后取消注释 (需要 utoipa / utoipa-swagger-ui 版本对齐)
// let app = {
// use utoipa_swagger_ui::SwaggerUi;
// use utoipa::OpenApi;
// let openapi = zclaw_saas::openapi::ApiDoc::openapi();
// app.merge(
// SwaggerUi::new("/api-docs/openapi.json")
// .url("/api-docs/openapi.json", openapi),
// )
// };
let app = build_router(state).await;
let listener = tokio::net::TcpListener::bind(format!("{}:{}", config.server.host, config.server.port))
.await?;
@@ -94,44 +65,89 @@ async fn main() -> anyhow::Result<()> {
Ok(())
}
fn build_router(state: AppState, config: &SaaSConfig) -> axum::Router {
async fn health_handler(State(state): State<AppState>) -> axum::Json<serde_json::Value> {
let db_healthy = sqlx::query_scalar::<_, i32>("SELECT 1")
.fetch_one(&state.db)
.await
.is_ok();
let status = if db_healthy { "healthy" } else { "degraded" };
let _code = if db_healthy { 200 } else { 503 };
axum::Json(serde_json::json!({
"status": status,
"database": db_healthy,
"timestamp": chrono::Utc::now().to_rfc3339(),
"version": env!("CARGO_PKG_VERSION"),
}))
}
async fn build_router(state: AppState) -> axum::Router {
use axum::middleware;
use tower_http::cors::{Any, CorsLayer};
use tower_http::trace::TraceLayer;
use axum::http::HeaderValue;
let cors = {
let config = state.config.read().await;
let is_dev = std::env::var("ZCLAW_SAAS_DEV")
.map(|v| v == "true" || v == "1")
.unwrap_or(false);
if config.server.cors_origins.is_empty() {
// 开发环境允许任意 origin生产环境已在 main 中拦截)
if is_dev {
CorsLayer::new()
.allow_origin(Any)
.allow_methods(Any)
.allow_headers(Any)
} else {
tracing::error!("生产环境必须配置 server.cors_origins不能使用 allow_origin(Any)");
panic!("生产环境必须配置 server.cors_origins 白名单。开发环境可设置 ZCLAW_SAAS_DEV=true 绕过。");
}
} else {
let origins: Vec<HeaderValue> = config.server.cors_origins.iter()
.filter_map(|o: &String| o.parse::<HeaderValue>().ok())
.collect();
CorsLayer::new()
.allow_origin(origins)
.allow_methods(Any)
.allow_headers(Any)
.allow_methods([
axum::http::Method::GET,
axum::http::Method::POST,
axum::http::Method::PUT,
axum::http::Method::PATCH,
axum::http::Method::DELETE,
axum::http::Method::OPTIONS,
])
.allow_headers([
axum::http::header::AUTHORIZATION,
axum::http::header::CONTENT_TYPE,
axum::http::HeaderName::from_static("x-request-id"),
])
}
};
let public_routes = zclaw_saas::auth::routes();
let public_routes = zclaw_saas::auth::routes()
.route("/api/health", axum::routing::get(health_handler));
let protected_routes = zclaw_saas::auth::protected_routes()
.merge(zclaw_saas::account::routes())
.merge(zclaw_saas::model_config::routes())
.merge(zclaw_saas::relay::routes())
.merge(zclaw_saas::migration::routes())
.merge(zclaw_saas::role::routes())
.merge(zclaw_saas::prompt::routes())
.merge(zclaw_saas::agent_template::routes())
.merge(zclaw_saas::telemetry::routes())
.layer(middleware::from_fn_with_state(
state.clone(),
zclaw_saas::middleware::rate_limit_middleware,
zclaw_saas::middleware::api_version_middleware,
))
.layer(middleware::from_fn_with_state(
state.clone(),
zclaw_saas::csrf::origin_check_middleware,
zclaw_saas::middleware::request_id_middleware,
))
.layer(middleware::from_fn_with_state(
state.clone(),
zclaw_saas::middleware::rate_limit_middleware,
))
.layer(middleware::from_fn_with_state(
state.clone(),
@@ -139,10 +155,9 @@ fn build_router(state: AppState, config: &SaaSConfig) -> axum::Router {
));
axum::Router::new()
.route("/api/health", axum::routing::get(health_handler))
.merge(public_routes)
.merge(protected_routes)
.layer(axum::extract::DefaultBodyLimit::max(10 * 1024 * 1024)) // 10MB 请求体限制,防止 DoS
.layer(TimeoutLayer::new(std::time::Duration::from_secs(30)))
.layer(TraceLayer::new_for_http())
.layer(cors)
.with_state(state)

305
crates/zclaw-saas/src/middleware.rs
View File

@@ -1,274 +1,83 @@
//! 通用中间件
//! 中间件模块
use axum::{
extract::{Request, State},
http::StatusCode,
body::Body,
extract::State,
http::{HeaderValue, Request, Response},
middleware::Next,
response::{IntoResponse, Response},
response::IntoResponse,
};
use std::time::Instant;
use crate::state::AppState;
use crate::error::SaasError;
use crate::auth::types::AuthContext;
/// 速率限制检查结果
#[derive(Debug, PartialEq)]
pub(crate) enum RateLimitResult {
/// 允许通过
Allowed,
/// 被限制,附带 Retry-After 秒数
Limited { retry_after_secs: u64 },
/// 请求 ID 追踪中间件
/// 为每个请求生成唯一 ID便于日志追踪
pub async fn request_id_middleware(
State(_state): State<AppState>,
mut req: Request<Body>,
next: Next,
) -> Response<Body> {
let request_id = uuid::Uuid::new_v4().to_string();
req.extensions_mut().insert(request_id.clone());
let mut response = next.run(req).await;
if let Ok(value) = HeaderValue::from_str(&request_id) {
response.headers_mut().insert("X-Request-ID", value);
}
/// 滑动窗口速率限制核心逻辑(纯函数,便于测试)
///
/// 返回 `RateLimitResult::Allowed` 表示未超限(已记录本次请求),
/// `RateLimitResult::Limited` 表示超限。
pub(crate) fn check_rate_limit(
entries: &mut Vec<Instant>,
now: Instant,
window_duration: std::time::Duration,
max_requests: u64,
) -> RateLimitResult {
let window_start = now - window_duration;
// 清理过期条目
entries.retain(|&ts| ts > window_start);
let count = entries.len() as u64;
if count < max_requests {
entries.push(now);
RateLimitResult::Allowed
} else {
// 计算最早条目的过期时间作为 Retry-After
entries.sort();
let earliest = *entries.first().unwrap_or(&now);
let elapsed = now.duration_since(earliest).as_secs();
let retry_after = window_duration.as_secs().saturating_sub(elapsed);
RateLimitResult::Limited {
retry_after_secs: retry_after,
}
}
response
}
#[cfg(test)]
/// 清理过期条目并移除空 entry
fn cleanup_stale_entries(
map: &dashmap::DashMap<String, Vec<Instant>>,
cutoff: Instant,
) {
map.retain(|_, entries| {
entries.retain(|&ts| ts > cutoff);
!entries.is_empty()
});
/// API 版本控制中间件
/// 在响应头中添加版本信息
pub async fn api_version_middleware(
State(_state): State<AppState>,
req: Request<Body>,
next: Next,
) -> Response<Body> {
let mut response = next.run(req).await;
response.headers_mut().insert("X-API-Version", HeaderValue::from_static("1.0.0"));
response.headers_mut().insert("X-API-Deprecated", HeaderValue::from_static("false"));
response
}
/// 滑动窗口速率限制中间件
///
/// 按 account_id (从 AuthContext 提取) 做 per-minute 限流。
/// 超限时返回 429 Too Many Requests + Retry-After header。
/// 速率限制中间件
/// 基于账号的请求频率限制
pub async fn rate_limit_middleware(
State(state): State<AppState>,
req: Request,
req: Request<Body>,
next: Next,
) -> Response {
// 从 AuthContext 提取 account_id由 auth_middleware 在此之前注入)
let account_id = req
.extensions()
.get::<crate::auth::types::AuthContext>()
.map(|ctx| ctx.account_id.clone());
) -> Response<Body> {
let account_id = req.extensions()
.get::<AuthContext>()
.map(|ctx| ctx.account_id.clone())
.unwrap_or_else(|| "anonymous".to_string());
let account_id = match account_id {
Some(id) => id,
None => return next.run(req).await,
};
// 无锁读取 rate limit 配置(避免每个请求获取 RwLock
let rate_limit = state.rate_limit_rpm() as usize;
let config = state.config.read().await;
let rpm = config.rate_limit.requests_per_minute as u64;
let burst = config.rate_limit.burst as u64;
let max_requests = rpm + burst;
drop(config);
let key = format!("rate_limit:{}", account_id);
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
let window_start = now - std::time::Duration::from_secs(60);
let current_count = {
let mut entries = state.rate_limit_entries.entry(account_id.clone()).or_default();
let result = check_rate_limit(&mut entries, now, window, max_requests);
if let RateLimitResult::Limited { retry_after_secs } = result {
if let Some(entries) = state.rate_limit_entries.get_mut(&account_id) {
if entries.is_empty() {
drop(entries);
state.rate_limit_entries.remove(&account_id);
}
}
return (
StatusCode::TOO_MANY_REQUESTS,
[
("Retry-After", retry_after_secs.to_string()),
("Content-Type", "application/json".to_string()),
],
axum::Json(serde_json::json!({
"error": "RATE_LIMITED",
"message": format!("请求过于频繁,请在 {} 秒后重试", retry_after_secs),
})),
)
.into_response();
}
entries.len() as u64
};
let mut entries = state.rate_limit_entries.entry(key).or_insert_with(Vec::new);
entries.retain(|&time| time > window_start);
// 清理空 entry (不再活跃的用户)
if current_count == 0 {
if let Some(entries) = state.rate_limit_entries.get_mut(&account_id) {
if entries.is_empty() {
drop(entries);
state.rate_limit_entries.remove(&account_id);
}
}
if entries.len() >= rate_limit {
return SaasError::RateLimited(format!(
"请求频率超限,每分钟最多 {} 次请求",
rate_limit
)).into_response();
}
entries.push(now);
next.run(req).await
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn allows_under_limit() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
for i in 0..5 {
let result = check_rate_limit(&mut entries, now, window, 10);
assert_eq!(result, RateLimitResult::Allowed, "request {} should be allowed", i);
}
assert_eq!(entries.len() as u64, 5);
}
#[test]
fn blocks_at_limit() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
let limit: u64 = 3;
// 填到限额
for _ in 0..limit {
let result = check_rate_limit(&mut entries, now, window, limit);
assert_eq!(result, RateLimitResult::Allowed);
}
assert_eq!(entries.len() as u64, limit);
// 下一个应该被限流
let result = check_rate_limit(&mut entries, now, window, limit);
assert_eq!(result, RateLimitResult::Limited { retry_after_secs: 60 });
// 不应该增加新条目
assert_eq!(entries.len() as u64, limit);
}
#[test]
fn expired_entries_are_cleaned() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
// 插入一个 61 秒前的旧条目
entries.push(now - std::time::Duration::from_secs(61));
assert_eq!(entries.len(), 1);
// 旧条目应该被清理,然后允许新请求
let result = check_rate_limit(&mut entries, now, window, 1);
assert_eq!(result, RateLimitResult::Allowed);
}
#[test]
fn retry_after_reflects_earliest_entry() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
let limit: u64 = 2;
// 第一个请求在 10 秒前
let first_time = now - std::time::Duration::from_secs(10);
entries.push(first_time);
// 第二个请求现在
entries.push(now);
assert_eq!(entries.len() as u64, limit);
let result = check_rate_limit(&mut entries, now, window, limit);
assert_eq!(result, RateLimitResult::Limited { retry_after_secs: 50 });
}
#[test]
fn burst_allows_extra_requests() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
let rpm: u64 = 5;
let burst: u64 = 3;
let max = rpm + burst; // 8
// 前 8 个请求应该全部通过
for _ in 0..max {
let result = check_rate_limit(&mut entries, now, window, max);
assert_eq!(result, RateLimitResult::Allowed);
}
// 第 9 个被限流
let result = check_rate_limit(&mut entries, now, window, max);
assert_eq!(result, RateLimitResult::Limited { retry_after_secs: 60 });
}
#[test]
fn cleanup_removes_expired_and_empty() {
let map: dashmap::DashMap<String, Vec<Instant>> = dashmap::DashMap::new();
let now = Instant::now();
let cutoff = now - std::time::Duration::from_secs(120);
// 活跃用户
map.insert("active".to_string(), vec![now]);
// 过期用户
map.insert(
"expired".to_string(),
vec![now - std::time::Duration::from_secs(200)],
);
// 空用户
map.insert("empty".to_string(), vec![]);
cleanup_stale_entries(&map, cutoff);
assert!(map.contains_key("active"));
assert!(!map.contains_key("expired"));
assert!(!map.contains_key("empty"));
}
#[test]
fn empty_entries_allowed() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(60);
let result = check_rate_limit(&mut entries, now, window, 0);
// limit=0 means always limited
assert_eq!(result, RateLimitResult::Limited { retry_after_secs: 60 });
}
#[test]
fn single_request_with_large_window() {
let mut entries: Vec<Instant> = vec![];
let now = Instant::now();
let window = std::time::Duration::from_secs(3600);
let limit: u64 = 100;
for _ in 0..limit {
let result = check_rate_limit(&mut entries, now, window, limit);
assert_eq!(result, RateLimitResult::Allowed);
}
assert_eq!(entries.len() as u64, limit);
let result = check_rate_limit(&mut entries, now, window, limit);
assert!(matches!(result, RateLimitResult::Limited { .. }));
}
}

100
crates/zclaw-saas/src/migration/handlers.rs
View File

@@ -8,15 +8,22 @@ use crate::state::AppState;
use crate::error::SaasResult;
use crate::auth::types::AuthContext;
use crate::auth::handlers::{check_permission, log_operation};
use crate::common::PaginatedResponse;
use super::{types::*, service};
/// GET /api/v1/config/items?category=xxx&source=xxx
/// GET /api/v1/config/items?category=xxx&source=xxx&page=1&page_size=20
pub async fn list_config_items(
State(state): State<AppState>,
Query(query): Query<ConfigQuery>,
_ctx: Extension<AuthContext>,
) -> SaasResult<Json<Vec<ConfigItemInfo>>> {
service::list_config_items(&state.db, &query).await.map(Json)
) -> SaasResult<Json<PaginatedResponse<ConfigItemInfo>>> {
let filter_query = ConfigQuery {
category: query.category.clone(),
source: query.source.clone(),
page: None,
page_size: None,
};
service::list_config_items(&state.db, &filter_query, query.page, query.page_size).await.map(Json)
}
/// GET /api/v1/config/items/:id
@@ -36,13 +43,11 @@ pub async fn create_config_item(
) -> SaasResult<(StatusCode, Json<ConfigItemInfo>)> {
check_permission(&ctx, "config:write")?;
let item = service::create_config_item(&state.db, &req).await?;
log_operation(&state.db, &ctx.account_id, "config.create", "config_item", &item.id,
Some(serde_json::json!({"category": req.category, "key_path": req.key_path})),
ctx.client_ip.as_deref()).await?;
log_operation(&state.db, &ctx.account_id, "config.create", "config_item", &item.id, None, ctx.client_ip.as_deref()).await?;
Ok((StatusCode::CREATED, Json(item)))
}
/// PUT /api/v1/config/items/:id (admin only)
/// PATCH /api/v1/config/items/:id (admin only)
pub async fn update_config_item(
State(state): State<AppState>,
Path(id): Path<String>,
@@ -51,8 +56,7 @@ pub async fn update_config_item(
) -> SaasResult<Json<ConfigItemInfo>> {
check_permission(&ctx, "config:write")?;
let item = service::update_config_item(&state.db, &id, &req).await?;
log_operation(&state.db, &ctx.account_id, "config.update", "config_item", &id, None,
ctx.client_ip.as_deref()).await?;
log_operation(&state.db, &ctx.account_id, "config.update", "config_item", &id, None, ctx.client_ip.as_deref()).await?;
Ok(Json(item))
}
@@ -64,8 +68,7 @@ pub async fn delete_config_item(
) -> SaasResult<Json<serde_json::Value>> {
check_permission(&ctx, "config:write")?;
service::delete_config_item(&state.db, &id).await?;
log_operation(&state.db, &ctx.account_id, "config.delete", "config_item", &id, None,
ctx.client_ip.as_deref()).await?;
log_operation(&state.db, &ctx.account_id, "config.delete", "config_item", &id, None, ctx.client_ip.as_deref()).await?;
Ok(Json(serde_json::json!({"ok": true})))
}
@@ -84,23 +87,36 @@ pub async fn seed_config(
) -> SaasResult<Json<serde_json::Value>> {
check_permission(&ctx, "config:write")?;
let count = service::seed_default_config_items(&state.db).await?;
log_operation(&state.db, &ctx.account_id, "config.seed", "config_items", "batch",
Some(serde_json::json!({"created": count})),
ctx.client_ip.as_deref()).await?;
log_operation(&state.db, &ctx.account_id, "config.seed", "config_item", "batch", Some(serde_json::json!({"count": count})), ctx.client_ip.as_deref()).await?;
Ok(Json(serde_json::json!({"created": count})))
}
/// POST /api/v1/config/sync (admin only)
/// POST /api/v1/config/sync (需要 config:write 权限)
pub async fn sync_config(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Json(req): Json<SyncConfigRequest>,
) -> SaasResult<Json<super::service::ConfigSyncResult>> {
// 权限检查:仅 config:write 可推送配置
check_permission(&ctx, "config:write")?;
let result = super::service::sync_config(&state.db, &ctx.account_id, &req).await?;
log_operation(&state.db, &ctx.account_id, "config.sync", "config_sync", &ctx.account_id,
Some(serde_json::json!({"action": req.action, "updated": result.updated, "created": result.created, "skipped": result.skipped})),
ctx.client_ip.as_deref()).await?;
// 审计日志
log_operation(
&state.db,
&ctx.account_id,
"config.sync",
"config",
"batch",
Some(serde_json::json!({
"client_fingerprint": req.client_fingerprint,
"action": req.action,
"config_count": req.config_keys.len(),
})),
ctx.client_ip.as_deref(),
).await.ok();
Ok(Json(result))
}
@@ -111,13 +127,55 @@ pub async fn config_diff(
Extension(_ctx): Extension<AuthContext>,
Json(req): Json<SyncConfigRequest>,
) -> SaasResult<Json<ConfigDiffResponse>> {
// diff 操作虽然不修改数据,但涉及敏感配置信息,仍需认证用户
service::compute_config_diff(&state.db, &req).await.map(Json)
}
/// GET /api/v1/config/sync-logs
/// GET /api/v1/config/sync-logs?page=1&page_size=20
pub async fn list_sync_logs(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<Vec<ConfigSyncLogInfo>>> {
service::list_sync_logs(&state.db, &ctx.account_id).await.map(Json)
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<crate::common::PaginatedResponse<ConfigSyncLogInfo>>> {
let page: u32 = params.get("page").and_then(|v| v.parse().ok()).unwrap_or(1).max(1);
let page_size: u32 = params.get("page_size").and_then(|v| v.parse().ok()).unwrap_or(20).min(100);
service::list_sync_logs(&state.db, &ctx.account_id, page, page_size).await.map(Json)
}
/// GET /api/v1/config/pull?since=2026-03-28T00:00:00Z
/// 批量拉取配置(供桌面端启动时一次性拉取)
/// 返回扁平的 key-value map可选 since 参数过滤仅返回该时间之后更新的配置
pub async fn pull_config(
State(state): State<AppState>,
_ctx: Extension<AuthContext>,
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<serde_json::Value>> {
let since = params.get("since").cloned();
let items = service::fetch_all_config_items(
&state.db,
&ConfigQuery { category: None, source: None, page: None, page_size: None },
).await?;
let mut configs: Vec<serde_json::Value> = Vec::new();
for item in items {
// 如果指定了 since只返回 updated_at > since 的配置
if let Some(ref since_val) = since {
if item.updated_at <= *since_val {
continue;
}
}
configs.push(serde_json::json!({
"key": item.key_path,
"category": item.category,
"value": item.current_value,
"value_type": item.value_type,
"default": item.default_value,
"updated_at": item.updated_at,
}));
}
Ok(Json(serde_json::json!({
"configs": configs,
"pulled_at": chrono::Utc::now().to_rfc3339(),
})))
}

3
crates/zclaw-saas/src/migration/mod.rs
View File

@@ -11,10 +11,11 @@ use crate::state::AppState;
pub fn routes() -> axum::Router<AppState> {
axum::Router::new()
.route("/api/v1/config/items", get(handlers::list_config_items).post(handlers::create_config_item))
.route("/api/v1/config/items/{id}", get(handlers::get_config_item).put(handlers::update_config_item).delete(handlers::delete_config_item))
.route("/api/v1/config/items/:id", get(handlers::get_config_item).put(handlers::update_config_item).delete(handlers::delete_config_item))
.route("/api/v1/config/analysis", get(handlers::analyze_config))
.route("/api/v1/config/seed", post(handlers::seed_config))
.route("/api/v1/config/sync", post(handlers::sync_config))
.route("/api/v1/config/diff", post(handlers::config_diff))
.route("/api/v1/config/sync-logs", get(handlers::list_sync_logs))
.route("/api/v1/config/pull", get(handlers::pull_config))
}

358
crates/zclaw-saas/src/migration/service.rs
View File

@@ -2,12 +2,15 @@
use sqlx::PgPool;
use crate::error::{SaasError, SaasResult};
use crate::common::{PaginatedResponse, normalize_pagination};
use crate::models::{ConfigItemRow, ConfigSyncLogRow};
use super::types::*;
use serde::Serialize;
// ============ Config Items ============
pub async fn list_config_items(
/// Fetch all config items matching the query (internal use, no pagination).
pub(crate) async fn fetch_all_config_items(
db: &PgPool, query: &ConfigQuery,
) -> SaasResult<Vec<ConfigItemInfo>> {
let sql = match (&query.category, &query.source) {
@@ -29,7 +32,7 @@ pub async fn list_config_items(
}
};
let mut query_builder = sqlx::query_as::<_, (String, String, String, String, Option<String>, Option<String>, String, Option<String>, bool, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)>(sql);
let mut query_builder = sqlx::query_as::<_, ConfigItemRow>(sql);
if let Some(cat) = &query.category {
query_builder = query_builder.bind(cat);
@@ -39,13 +42,71 @@ pub async fn list_config_items(
}
let rows = query_builder.fetch_all(db).await?;
Ok(rows.into_iter().map(|(id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at)| {
ConfigItemInfo { id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() }
Ok(rows.into_iter().map(|r| {
ConfigItemInfo { id: r.id, category: r.category, key_path: r.key_path, value_type: r.value_type, current_value: r.current_value, default_value: r.default_value, source: r.source, description: r.description, requires_restart: r.requires_restart, created_at: r.created_at, updated_at: r.updated_at }
}).collect())
}
/// Paginated list of config items (HTTP handler entry point).
pub async fn list_config_items(
db: &PgPool, query: &ConfigQuery,
page: Option<u32>, page_size: Option<u32>,
) -> SaasResult<PaginatedResponse<ConfigItemInfo>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
// Static SQL per combination -- no format!() string interpolation
let (total, rows) = match (&query.category, &query.source) {
(Some(cat), Some(src)) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM config_items WHERE category = $1 AND source = $2"
).bind(cat).bind(src).fetch_one(db).await?;
let rows = sqlx::query_as::<_, ConfigItemRow>(
"SELECT id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at
FROM config_items WHERE category = $1 AND source = $2 ORDER BY category, key_path LIMIT $3 OFFSET $4"
).bind(cat).bind(src).bind(ps as i64).bind(offset).fetch_all(db).await?;
(total, rows)
}
(Some(cat), None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM config_items WHERE category = $1"
).bind(cat).fetch_one(db).await?;
let rows = sqlx::query_as::<_, ConfigItemRow>(
"SELECT id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at
FROM config_items WHERE category = $1 ORDER BY category, key_path LIMIT $2 OFFSET $3"
).bind(cat).bind(ps as i64).bind(offset).fetch_all(db).await?;
(total, rows)
}
(None, Some(src)) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM config_items WHERE source = $1"
).bind(src).fetch_one(db).await?;
let rows = sqlx::query_as::<_, ConfigItemRow>(
"SELECT id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at
FROM config_items WHERE source = $1 ORDER BY category, key_path LIMIT $2 OFFSET $3"
).bind(src).bind(ps as i64).bind(offset).fetch_all(db).await?;
(total, rows)
}
(None, None) => {
let total: i64 = sqlx::query_scalar(
"SELECT COUNT(*) FROM config_items"
).fetch_one(db).await?;
let rows = sqlx::query_as::<_, ConfigItemRow>(
"SELECT id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at
FROM config_items ORDER BY category, key_path LIMIT $1 OFFSET $2"
).bind(ps as i64).bind(offset).fetch_all(db).await?;
(total, rows)
}
};
let items = rows.into_iter().map(|r| {
ConfigItemInfo { id: r.id, category: r.category, key_path: r.key_path, value_type: r.value_type, current_value: r.current_value, default_value: r.default_value, source: r.source, description: r.description, requires_restart: r.requires_restart, created_at: r.created_at, updated_at: r.updated_at }
}).collect();
Ok(PaginatedResponse { items, total, page: p, page_size: ps })
}
pub async fn get_config_item(db: &PgPool, item_id: &str) -> SaasResult<ConfigItemInfo> {
let row: Option<(String, String, String, String, Option<String>, Option<String>, String, Option<String>, bool, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)> =
let row: Option<ConfigItemRow> =
sqlx::query_as(
"SELECT id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at
FROM config_items WHERE id = $1"
@@ -54,17 +115,16 @@ pub async fn get_config_item(db: &PgPool, item_id: &str) -> SaasResult<ConfigIte
.fetch_optional(db)
.await?;
let (id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at) =
row.ok_or_else(|| SaasError::NotFound(format!("配置项 {} 不存在", item_id)))?;
let r = row.ok_or_else(|| SaasError::NotFound(format!("配置项 {} 不存在", item_id)))?;
Ok(ConfigItemInfo { id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() })
Ok(ConfigItemInfo { id: r.id, category: r.category, key_path: r.key_path, value_type: r.value_type, current_value: r.current_value, default_value: r.default_value, source: r.source, description: r.description, requires_restart: r.requires_restart, created_at: r.created_at, updated_at: r.updated_at })
}
pub async fn create_config_item(
db: &PgPool, req: &CreateConfigItemRequest,
) -> SaasResult<ConfigItemInfo> {
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let source = req.source.as_deref().unwrap_or("local");
let requires_restart = req.requires_restart.unwrap_or(false);
@@ -96,30 +156,24 @@ pub async fn create_config_item(
pub async fn update_config_item(
db: &PgPool, item_id: &str, req: &UpdateConfigItemRequest,
) -> SaasResult<ConfigItemInfo> {
let now = chrono::Utc::now();
let mut updates = Vec::new();
let mut params: Vec<String> = Vec::new();
let mut param_idx: i32 = 1;
let now = chrono::Utc::now().to_rfc3339();
if let Some(ref v) = req.current_value { updates.push(format!("current_value = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if let Some(ref v) = req.source { updates.push(format!("source = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if let Some(ref v) = req.description { updates.push(format!("description = ${}", param_idx)); params.push(v.clone()); param_idx += 1; }
if updates.is_empty() {
return get_config_item(db, item_id).await;
}
updates.push(format!("updated_at = ${}", param_idx));
param_idx += 1;
params.push(item_id.to_string());
let sql = format!("UPDATE config_items SET {} WHERE id = ${}", updates.join(", "), param_idx);
let mut query = sqlx::query(&sql);
for p in &params {
query = query.bind(p);
}
query = query.bind(now);
query.execute(db).await?;
// COALESCE pattern: all updatable fields in a single static SQL.
// NULL parameters leave the column unchanged.
sqlx::query(
"UPDATE config_items SET
current_value = COALESCE($1, current_value),
source = COALESCE($2, source),
description = COALESCE($3, description),
updated_at = $4
WHERE id = $5"
)
.bind(req.current_value.as_deref())
.bind(req.source.as_deref())
.bind(req.description.as_deref())
.bind(&now)
.bind(item_id)
.execute(db).await?;
get_config_item(db, item_id).await
}
@@ -136,7 +190,7 @@ pub async fn delete_config_item(db: &PgPool, item_id: &str) -> SaasResult<()> {
// ============ Config Analysis ============
pub async fn analyze_config(db: &PgPool) -> SaasResult<ConfigAnalysis> {
let items = list_config_items(db, &ConfigQuery { category: None, source: None }).await?;
let items = fetch_all_config_items(db, &ConfigQuery { category: None, source: None, page: None, page_size: None }).await?;
let mut categories: std::collections::HashMap<String, (i64, i64)> = std::collections::HashMap::new();
for item in &items {
@@ -174,10 +228,23 @@ pub async fn seed_default_config_items(db: &PgPool) -> SaasResult<usize> {
("llm", "llm.default_provider", "string", Some("zhipu"), Some("zhipu"), "默认 LLM Provider"),
("llm", "llm.temperature", "float", Some("0.7"), Some("0.7"), "默认温度"),
("llm", "llm.max_tokens", "integer", Some("4096"), Some("4096"), "默认最大 token 数"),
// 安全策略配置
("security", "security.autonomy_level", "string", Some("standard"), Some("standard"), "自主级别: minimal/standard/full"),
("security", "security.max_tokens_per_request", "integer", Some("32768"), Some("32768"), "单次请求最大 Token 数"),
("security", "security.shell_enabled", "boolean", Some("true"), Some("true"), "是否启用 Shell 工具"),
("security", "security.shell_whitelist", "array", Some("[]"), Some("[]"), "Shell 命令白名单 (空=全部禁止)"),
("security", "security.file_write_enabled", "boolean", Some("true"), Some("true"), "是否允许文件写入"),
("security", "security.network_access_enabled", "boolean", Some("true"), Some("true"), "是否允许网络访问"),
("security", "security.browser_enabled", "boolean", Some("true"), Some("true"), "是否启用浏览器自动化"),
("security", "security.max_concurrent_tasks", "integer", Some("3"), Some("3"), "最大并发自主任务数"),
("security", "security.approval_required", "boolean", Some("false"), Some("false"), "高风险操作是否需要审批"),
("security", "security.content_filter_enabled", "boolean", Some("true"), Some("true"), "是否启用内容过滤"),
("security", "security.audit_log_enabled", "boolean", Some("true"), Some("true"), "是否启用审计日志"),
("security", "security.audit_log_max_entries", "integer", Some("500"), Some("500"), "审计日志最大条目数"),
];
let mut created = 0;
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
for (category, key_path, value_type, default_value, current_value, description) in defaults {
let existing: Option<(String,)> = sqlx::query_as(
@@ -206,20 +273,21 @@ pub async fn seed_default_config_items(db: &PgPool) -> SaasResult<usize> {
// ============ Config Sync ============
/// 纯函数:计算客户端与 SaaS 配置项的差异(不依赖数据库)
pub fn compute_diff_items(
config_keys: &[String],
client_values: &serde_json::Value,
saas_items: &[ConfigItemInfo],
) -> (Vec<ConfigDiffItem>, usize) {
/// 计算客户端与 SaaS 端的配置差异
pub async fn compute_config_diff(
db: &PgPool, req: &SyncConfigRequest,
) -> SaasResult<ConfigDiffResponse> {
let saas_items = fetch_all_config_items(db, &ConfigQuery { category: None, source: None, page: None, page_size: None }).await?;
let mut items = Vec::new();
let mut conflicts = 0usize;
for key in config_keys {
let client_val = client_values.get(key)
for key in &req.config_keys {
let client_val = req.client_values.get(key)
.and_then(|v| v.as_str())
.map(|s| s.to_string());
// 查找 SaaS 端的值
let saas_item = saas_items.iter().find(|item| item.key_path == *key);
let saas_val = saas_item.and_then(|item| item.current_value.clone());
@@ -240,17 +308,6 @@ pub fn compute_diff_items(
});
}
(items, conflicts)
}
/// 计算客户端与 SaaS 端的配置差异
pub async fn compute_config_diff(
db: &PgPool, req: &SyncConfigRequest,
) -> SaasResult<ConfigDiffResponse> {
let saas_items = list_config_items(db, &ConfigQuery { category: None, source: None }).await?;
let (items, conflicts) = compute_diff_items(&req.config_keys, &req.client_values, &saas_items);
Ok(ConfigDiffResponse {
total_keys: items.len(),
conflicts,
@@ -262,15 +319,16 @@ pub async fn compute_config_diff(
pub async fn sync_config(
db: &PgPool, account_id: &str, req: &SyncConfigRequest,
) -> SaasResult<ConfigSyncResult> {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let config_keys_str = serde_json::to_string(&req.config_keys)?;
let client_values_str = Some(serde_json::to_string(&req.client_values)?);
// 获取 SaaS 端的配置值
let saas_items = list_config_items(db, &ConfigQuery { category: None, source: None }).await?;
let saas_items = fetch_all_config_items(db, &ConfigQuery { category: None, source: None, page: None, page_size: None }).await?;
let mut updated = 0i64;
let mut created = 0i64;
let mut skipped = 0i64;
let mut conflicts: Vec<String> = Vec::new();
for key in &req.config_keys {
let client_val = req.client_values.get(key)
@@ -281,29 +339,51 @@ pub async fn sync_config(
match req.action.as_str() {
"push" => {
// 客户端推送 → 覆盖 SaaS 值
// 客户端推送 → 覆盖 SaaS 值 (带 CAS 保护)
if let Some(val) = &client_val {
if let Some(item) = saas_item {
// 更新已有配置项
// CAS: 如果客户端提供了该 key 的 timestamp做乐观锁
if let Some(ref client_ts) = req.client_timestamps.get(key) {
let result = sqlx::query(
"UPDATE config_items SET current_value = $1, source = 'local', updated_at = $2 WHERE id = $3 AND updated_at = $4"
)
.bind(val).bind(&now).bind(&item.id).bind(client_ts)
.execute(db).await?;
if result.rows_affected() == 0 {
// SaaS 端已被修改 → 跳过,记录冲突
tracing::warn!(
"[ConfigSync] CAS conflict for key '{}': client_ts={}, saas_ts={}",
key, client_ts, item.updated_at
);
conflicts.push(key.clone());
skipped += 1;
} else {
updated += 1;
}
} else {
// 无 CAS timestamp → 无条件覆盖 (向后兼容)
sqlx::query("UPDATE config_items SET current_value = $1, source = 'local', updated_at = $2 WHERE id = $3")
.bind(val).bind(&now).bind(&item.id)
.execute(db).await?;
updated += 1;
}
} else {
// SaaS 不存在该 key → 自动创建
let new_id = uuid::Uuid::new_v4().to_string();
// 推送时 SaaS 不存在该 key → 创建新配置项
let id = uuid::Uuid::new_v4().to_string();
let parts: Vec<&str> = key.splitn(2, '.').collect();
let category = parts.first().unwrap_or(&"general").to_string();
sqlx::query(
"INSERT INTO config_items (id, category, key_path, value_type, current_value, source, requires_restart, created_at, updated_at)
VALUES ($1, 'imported', $2, 'string', $3, 'local', false, $4, $4)"
"INSERT INTO config_items (id, category, key_path, value_type, current_value, default_value, source, description, requires_restart, created_at, updated_at)
VALUES ($1, $2, $3, 'string', $4, $4, 'local', '客户端推送', false, $5, $5)"
)
.bind(&new_id).bind(key).bind(val).bind(&now)
.bind(&id).bind(&category).bind(key).bind(val).bind(&now)
.execute(db).await?;
created += 1;
}
}
}
"merge" => {
// 合并: 客户端有值且 SaaS 无值 → 创建; 都有值 → SaaS 优先保留
// 合并: 客户端有值且 SaaS 无值 → 填入; 都有值 → SaaS 优先保留
if let Some(val) = &client_val {
if let Some(item) = saas_item {
if item.current_value.is_none() || item.current_value.as_deref() == Some("") {
@@ -316,15 +396,8 @@ pub async fn sync_config(
skipped += 1;
}
} else {
// SaaS 完全没有 key → 创建
let new_id = uuid::Uuid::new_v4().to_string();
sqlx::query(
"INSERT INTO config_items (id, category, key_path, value_type, current_value, source, requires_restart, created_at, updated_at)
VALUES ($1, 'imported', $2, 'string', $3, 'local', false, $4, $4)"
)
.bind(&new_id).bind(key).bind(val).bind(&now)
.execute(db).await?;
created += 1;
// 客户端有但 SaaS 完全没有 key → 不自动创建 (需要管理员先创建)
skipped += 1;
}
}
}
@@ -358,7 +431,7 @@ pub async fn sync_config(
.execute(db)
.await?;
Ok(ConfigSyncResult { updated, created, skipped })
Ok(ConfigSyncResult { updated, created, skipped, conflicts })
}
/// 同步结果
@@ -367,129 +440,36 @@ pub struct ConfigSyncResult {
pub updated: i64,
pub created: i64,
pub skipped: i64,
/// Keys skipped due to CAS conflict (SaaS was modified after client read)
pub conflicts: Vec<String>,
}
pub async fn list_sync_logs(
db: &PgPool, account_id: &str,
) -> SaasResult<Vec<ConfigSyncLogInfo>> {
let rows: Vec<(i64, String, String, String, String, Option<String>, Option<String>, Option<String>, chrono::DateTime<chrono::Utc>)> =
sqlx::query_as(
"SELECT id, account_id, client_fingerprint, action, config_keys, client_values, saas_values, resolution, created_at
FROM config_sync_log WHERE account_id = $1 ORDER BY created_at DESC LIMIT 50"
db: &PgPool, account_id: &str, page: u32, page_size: u32,
) -> SaasResult<crate::common::PaginatedResponse<ConfigSyncLogInfo>> {
let offset = ((page - 1) * page_size) as i64;
let total: (i64,) = sqlx::query_as(
"SELECT COUNT(*) FROM config_sync_log WHERE account_id = $1"
)
.bind(account_id)
.fetch_one(db)
.await?;
let rows: Vec<ConfigSyncLogRow> =
sqlx::query_as(
"SELECT id, account_id, client_fingerprint, action, config_keys, client_values, saas_values, resolution, created_at
FROM config_sync_log WHERE account_id = $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3"
)
.bind(account_id)
.bind(page_size as i64)
.bind(offset)
.fetch_all(db)
.await?;
Ok(rows.into_iter().map(|(id, account_id, client_fingerprint, action, config_keys, client_values, saas_values, resolution, created_at)| {
ConfigSyncLogInfo { id, account_id, client_fingerprint, action, config_keys, client_values, saas_values, resolution, created_at: created_at.to_rfc3339() }
}).collect())
}
let items = rows.into_iter().map(|r| {
ConfigSyncLogInfo { id: r.id, account_id: r.account_id, client_fingerprint: r.client_fingerprint, action: r.action, config_keys: r.config_keys, client_values: r.client_values, saas_values: r.saas_values, resolution: r.resolution, created_at: r.created_at }
}).collect();
#[cfg(test)]
mod tests {
use super::*;
fn make_saas_item(key: &str, value: Option<&str>) -> ConfigItemInfo {
ConfigItemInfo {
id: "test-id".into(),
category: "test".into(),
key_path: key.into(),
value_type: "string".into(),
current_value: value.map(String::from),
default_value: None,
source: "local".into(),
description: None,
requires_restart: false,
created_at: "2026-01-01T00:00:00Z".into(),
updated_at: "2026-01-01T00:00:00Z".into(),
}
}
#[test]
fn test_diff_identical_values() {
let keys = vec!["server.host".into(), "server.port".into()];
let client = serde_json::json!({"server.host": "127.0.0.1", "server.port": "8080"});
let saas = vec![
make_saas_item("server.host", Some("127.0.0.1")),
make_saas_item("server.port", Some("8080")),
];
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert_eq!(conflicts, 0);
assert_eq!(items.len(), 2);
assert!(!items[0].conflict);
assert!(!items[1].conflict);
}
#[test]
fn test_diff_conflict() {
let keys = vec!["server.host".into()];
let client = serde_json::json!({"server.host": "0.0.0.0"});
let saas = vec![make_saas_item("server.host", Some("127.0.0.1"))];
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert_eq!(conflicts, 1);
assert!(items[0].conflict);
assert_eq!(items[0].client_value.as_deref(), Some("0.0.0.0"));
assert_eq!(items[0].saas_value.as_deref(), Some("127.0.0.1"));
}
#[test]
fn test_diff_client_only_key() {
let keys = vec!["new.key".into()];
let client = serde_json::json!({"new.key": "value1"});
let saas = vec![]; // SaaS 没有这个 key
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert_eq!(conflicts, 0);
assert_eq!(items[0].client_value.as_deref(), Some("value1"));
assert!(items[0].saas_value.is_none());
}
#[test]
fn test_diff_missing_client_value() {
let keys = vec!["server.host".into()];
let client = serde_json::json!({}); // 客户端没有这个 key
let saas = vec![make_saas_item("server.host", Some("127.0.0.1"))];
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert_eq!(conflicts, 0); // 一方为 null 不算冲突
assert!(items[0].client_value.is_none());
assert_eq!(items[0].saas_value.as_deref(), Some("127.0.0.1"));
}
#[test]
fn test_diff_empty_keys() {
let keys: Vec<String> = vec![];
let client = serde_json::json!({"server.host": "127.0.0.1"});
let saas = vec![make_saas_item("server.host", Some("127.0.0.1"))];
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert!(items.is_empty());
assert_eq!(conflicts, 0);
}
#[test]
fn test_diff_mixed() {
let keys = vec!["same".into(), "conflict".into(), "client_only".into(), "saas_only".into()];
let client = serde_json::json!({
"same": "val1",
"conflict": "client-val",
"client_only": "new-val",
});
let saas = vec![
make_saas_item("same", Some("val1")),
make_saas_item("conflict", Some("saas-val")),
make_saas_item("saas_only", Some("only-here")),
];
let (items, conflicts) = compute_diff_items(&keys, &client, &saas);
assert_eq!(items.len(), 4);
assert_eq!(conflicts, 1);
// same: no conflict
assert!(!items[0].conflict);
// conflict: has conflict
assert!(items[1].conflict);
// client_only: SaaS has no such key
assert!(items[2].saas_value.is_none());
assert_eq!(items[2].client_value.as_deref(), Some("new-val"));
// saas_only: client has no such key
assert!(items[3].client_value.is_none());
assert_eq!(items[3].saas_value.as_deref(), Some("only-here"));
}
Ok(crate::common::PaginatedResponse { items, total: total.0, page, page_size })
}

29
crates/zclaw-saas/src/migration/types.rs
View File

@@ -3,7 +3,7 @@
use serde::{Deserialize, Serialize};
/// 配置项信息
#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ConfigItemInfo {
pub id: String,
pub category: String,
@@ -19,7 +19,7 @@ pub struct ConfigItemInfo {
}
/// 创建配置项请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct CreateConfigItemRequest {
pub category: String,
pub key_path: String,
@@ -32,7 +32,7 @@ pub struct CreateConfigItemRequest {
}
/// 更新配置项请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct UpdateConfigItemRequest {
pub current_value: Option<String>,
pub source: Option<String>,
@@ -40,7 +40,7 @@ pub struct UpdateConfigItemRequest {
}
/// 配置同步日志
#[derive(Debug, Clone, Serialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize)]
pub struct ConfigSyncLogInfo {
pub id: i64,
pub account_id: String,
@@ -54,14 +54,14 @@ pub struct ConfigSyncLogInfo {
}
/// 配置分析结果
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct ConfigAnalysis {
pub total_items: i64,
pub categories: Vec<CategorySummary>,
pub items: Vec<ConfigItemInfo>,
}
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct CategorySummary {
pub category: String,
pub count: i64,
@@ -69,20 +69,25 @@ pub struct CategorySummary {
}
/// 配置同步请求
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct SyncConfigRequest {
pub client_fingerprint: String,
/// 同步方向: "push", "merge"
/// 同步方向: "push", "pull", "merge"
#[serde(default = "default_sync_action")]
pub action: String,
pub config_keys: Vec<String>,
pub client_values: serde_json::Value,
/// Client-side timestamps per key for optimistic locking (push CAS).
/// Maps `key_path` → `updated_at` as seen by client before this push.
/// Keys present here get `WHERE updated_at = $ts` on UPDATE; absent keys use unconditional overwrite.
#[serde(default)]
pub client_timestamps: std::collections::HashMap<String, String>,
}
fn default_sync_action() -> String { "push".to_string() }
/// 配置差异项
#[derive(Debug, Clone, Serialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize)]
pub struct ConfigDiffItem {
pub key_path: String,
pub client_value: Option<String>,
@@ -91,7 +96,7 @@ pub struct ConfigDiffItem {
}
/// 配置差异响应
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct ConfigDiffResponse {
pub items: Vec<ConfigDiffItem>,
pub total_keys: usize,
@@ -99,8 +104,10 @@ pub struct ConfigDiffResponse {
}
/// 配置查询参数
#[derive(Debug, Deserialize, utoipa::ToSchema, utoipa::IntoParams)]
#[derive(Debug, Deserialize)]
pub struct ConfigQuery {
pub category: Option<String>,
pub source: Option<String>,
pub page: Option<u32>,
pub page_size: Option<u32>,
}

61
crates/zclaw-saas/src/model_config/handlers.rs
View File

@@ -5,19 +5,24 @@ use axum::{
http::StatusCode, Json,
};
use crate::state::AppState;
use crate::error::SaasResult;
use crate::error::{SaasResult, SaasError};
use crate::auth::types::AuthContext;
use crate::auth::handlers::{log_operation, check_permission};
use crate::common::PaginatedResponse;
use super::{types::*, service};
// ============ Providers ============
/// GET /api/v1/providers
/// GET /api/v1/providers?enabled=true&page=1&page_size=20
pub async fn list_providers(
State(state): State<AppState>,
_ctx: Extension<AuthContext>,
) -> SaasResult<Json<Vec<ProviderInfo>>> {
service::list_providers(&state.db).await.map(Json)
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<PaginatedResponse<ProviderInfo>>> {
let page = params.get("page").and_then(|v| v.parse().ok());
let page_size = params.get("page_size").and_then(|v| v.parse().ok());
let enabled_filter = params.get("enabled").and_then(|v| v.parse().ok());
service::list_providers(&state.db, page, page_size, enabled_filter).await.map(Json)
}
/// GET /api/v1/providers/:id
@@ -36,13 +41,17 @@ pub async fn create_provider(
Json(req): Json<CreateProviderRequest>,
) -> SaasResult<(StatusCode, Json<ProviderInfo>)> {
check_permission(&ctx, "provider:manage")?;
let provider = service::create_provider(&state.db, &state.field_encryption, &req).await?;
let config = state.config.read().await;
let enc_key = config.api_key_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
drop(config);
let provider = service::create_provider(&state.db, &req, &enc_key).await?;
log_operation(&state.db, &ctx.account_id, "provider.create", "provider", &provider.id,
Some(serde_json::json!({"name": &req.name})), ctx.client_ip.as_deref()).await?;
Ok((StatusCode::CREATED, Json(provider)))
}
/// PUT /api/v1/providers/:id (admin only)
/// PATCH /api/v1/providers/:id (admin only)
pub async fn update_provider(
State(state): State<AppState>,
Path(id): Path<String>,
@@ -50,7 +59,11 @@ pub async fn update_provider(
Json(req): Json<UpdateProviderRequest>,
) -> SaasResult<Json<ProviderInfo>> {
check_permission(&ctx, "provider:manage")?;
let provider = service::update_provider(&state.db, &state.field_encryption, &id, &req).await?;
let config = state.config.read().await;
let enc_key = config.api_key_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
drop(config);
let provider = service::update_provider(&state.db, &id, &req, &enc_key).await?;
log_operation(&state.db, &ctx.account_id, "provider.update", "provider", &id, None, ctx.client_ip.as_deref()).await?;
Ok(Json(provider))
}
@@ -69,14 +82,16 @@ pub async fn delete_provider(
// ============ Models ============
/// GET /api/v1/models?provider_id=xxx
/// GET /api/v1/models?provider_id=xxx&page=1&page_size=20
pub async fn list_models(
State(state): State<AppState>,
Query(params): Query<std::collections::HashMap<String, String>>,
_ctx: Extension<AuthContext>,
) -> SaasResult<Json<Vec<ModelInfo>>> {
) -> SaasResult<Json<PaginatedResponse<ModelInfo>>> {
let provider_id = params.get("provider_id").map(|s| s.as_str());
service::list_models(&state.db, provider_id).await.map(Json)
let page = params.get("page").and_then(|v| v.parse().ok());
let page_size = params.get("page_size").and_then(|v| v.parse().ok());
service::list_models(&state.db, provider_id, page, page_size).await.map(Json)
}
/// GET /api/v1/models/:id
@@ -101,7 +116,7 @@ pub async fn create_model(
Ok((StatusCode::CREATED, Json(model)))
}
/// PUT /api/v1/models/:id (admin only)
/// PATCH /api/v1/models/:id (admin only)
pub async fn update_model(
State(state): State<AppState>,
Path(id): Path<String>,
@@ -128,14 +143,16 @@ pub async fn delete_model(
// ============ Account API Keys ============
/// GET /api/v1/keys?provider_id=xxx
/// GET /api/v1/keys?provider_id=xxx&page=1&page_size=20
pub async fn list_api_keys(
State(state): State<AppState>,
Extension(ctx): Extension<AuthContext>,
Query(params): Query<std::collections::HashMap<String, String>>,
) -> SaasResult<Json<Vec<AccountApiKeyInfo>>> {
) -> SaasResult<Json<PaginatedResponse<AccountApiKeyInfo>>> {
let provider_id = params.get("provider_id").map(|s| s.as_str());
service::list_account_api_keys(&state.db, &state.field_encryption, &ctx.account_id, provider_id).await.map(Json)
let page = params.get("page").and_then(|v| v.parse().ok());
let page_size = params.get("page_size").and_then(|v| v.parse().ok());
service::list_account_api_keys(&state.db, &ctx.account_id, provider_id, page, page_size).await.map(Json)
}
/// POST /api/v1/keys
@@ -144,7 +161,11 @@ pub async fn create_api_key(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<CreateAccountApiKeyRequest>,
) -> SaasResult<(StatusCode, Json<AccountApiKeyInfo>)> {
let key = service::create_account_api_key(&state.db, &state.field_encryption, &ctx.account_id, &req).await?;
let config = state.config.read().await;
let enc_key = config.api_key_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
drop(config);
let key = service::create_account_api_key(&state.db, &ctx.account_id, &req, &enc_key).await?;
log_operation(&state.db, &ctx.account_id, "api_key.create", "api_key", &key.id,
Some(serde_json::json!({"provider_id": &req.provider_id})), ctx.client_ip.as_deref()).await?;
Ok((StatusCode::CREATED, Json(key)))
@@ -157,7 +178,11 @@ pub async fn rotate_api_key(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<RotateApiKeyRequest>,
) -> SaasResult<Json<serde_json::Value>> {
service::rotate_account_api_key(&state.db, &state.field_encryption, &id, &ctx.account_id, &req.new_key_value).await?;
let config = state.config.read().await;
let enc_key = config.api_key_encryption_key()
.map_err(|e| SaasError::Internal(e.to_string()))?;
drop(config);
service::rotate_account_api_key(&state.db, &id, &ctx.account_id, &req.new_key_value, &enc_key).await?;
log_operation(&state.db, &ctx.account_id, "api_key.rotate", "api_key", &id, None, ctx.client_ip.as_deref()).await?;
Ok(Json(serde_json::json!({"ok": true})))
}
@@ -189,6 +214,6 @@ pub async fn list_provider_models(
State(state): State<AppState>,
Path(provider_id): Path<String>,
_ctx: Extension<AuthContext>,
) -> SaasResult<Json<Vec<ModelInfo>>> {
service::list_models(&state.db, Some(&provider_id)).await.map(Json)
) -> SaasResult<Json<PaginatedResponse<ModelInfo>>> {
service::list_models(&state.db, Some(&provider_id), None, None).await.map(Json)
}

10
crates/zclaw-saas/src/model_config/mod.rs
View File

@@ -12,15 +12,15 @@ pub fn routes() -> axum::Router<AppState> {
axum::Router::new()
// Providers
.route("/api/v1/providers", get(handlers::list_providers).post(handlers::create_provider))
.route("/api/v1/providers/{id}", get(handlers::get_provider).put(handlers::update_provider).delete(handlers::delete_provider))
.route("/api/v1/providers/{id}/models", get(handlers::list_provider_models))
.route("/api/v1/providers/:id", get(handlers::get_provider).patch(handlers::update_provider).delete(handlers::delete_provider))
.route("/api/v1/providers/:id/models", get(handlers::list_provider_models))
// Models
.route("/api/v1/models", get(handlers::list_models).post(handlers::create_model))
.route("/api/v1/models/{id}", get(handlers::get_model).put(handlers::update_model).delete(handlers::delete_model))
.route("/api/v1/models/:id", get(handlers::get_model).patch(handlers::update_model).delete(handlers::delete_model))
// Account API Keys
.route("/api/v1/keys", get(handlers::list_api_keys).post(handlers::create_api_key))
.route("/api/v1/keys/{id}", delete(handlers::revoke_api_key))
.route("/api/v1/keys/{id}/rotate", post(handlers::rotate_api_key))
.route("/api/v1/keys/:id", delete(handlers::revoke_api_key))
.route("/api/v1/keys/:id/rotate", post(handlers::rotate_api_key))
// Usage
.route("/api/v1/usage", get(handlers::get_usage))
}

487
crates/zclaw-saas/src/model_config/service.rs
View File

@@ -1,29 +1,59 @@
//! 模型配置业务逻辑
use sqlx::PgPool;
use std::sync::Arc;
use crate::crypto::FieldEncryption;
use sqlx::{PgPool, Row};
use crate::error::{SaasError, SaasResult};
use crate::common::{PaginatedResponse, normalize_pagination};
use crate::crypto;
use crate::models::{ProviderRow, ModelRow, AccountApiKeyRow, UsageByModelRow, UsageByDayRow};
use super::types::*;
// ============ Providers ============
pub async fn list_providers(db: &PgPool) -> SaasResult<Vec<ProviderInfo>> {
let rows: Vec<(String, String, String, String, String, bool, Option<i64>, Option<i64>, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)> =
sqlx::query_as(
"SELECT id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm, rate_limit_tpm, created_at, updated_at
FROM providers ORDER BY name"
)
.fetch_all(db)
.await?;
pub async fn list_providers(
db: &PgPool, page: Option<u32>, page_size: Option<u32>, enabled_filter: Option<bool>,
) -> SaasResult<PaginatedResponse<ProviderInfo>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
Ok(rows.into_iter().map(|(id, name, display_name, base_url, api_protocol, enabled, rpm, tpm, created_at, updated_at)| {
ProviderInfo { id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm: rpm, rate_limit_tpm: tpm, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() }
}).collect())
let (count_sql, data_sql) = if enabled_filter.is_some() {
(
"SELECT COUNT(*) FROM providers WHERE enabled = $1",
"SELECT id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm, rate_limit_tpm, created_at, updated_at
FROM providers WHERE enabled = $1 ORDER BY name LIMIT $2 OFFSET $3",
)
} else {
(
"SELECT COUNT(*) FROM providers",
"SELECT id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm, rate_limit_tpm, created_at, updated_at
FROM providers ORDER BY name LIMIT $1 OFFSET $2",
)
};
let total: (i64,) = if let Some(en) = enabled_filter {
sqlx::query_as(count_sql).bind(en).fetch_one(db).await?
} else {
sqlx::query_as(count_sql).fetch_one(db).await?
};
let rows: Vec<ProviderRow> =
if let Some(en) = enabled_filter {
sqlx::query_as(data_sql)
.bind(en).bind(ps as i64).bind(offset)
.fetch_all(db).await?
} else {
sqlx::query_as(data_sql)
.bind(ps as i64).bind(offset)
.fetch_all(db).await?
};
let items = rows.into_iter().map(|r| {
ProviderInfo { id: r.id, name: r.name, display_name: r.display_name, base_url: r.base_url, api_protocol: r.api_protocol, enabled: r.enabled, rate_limit_rpm: r.rate_limit_rpm, rate_limit_tpm: r.rate_limit_tpm, created_at: r.created_at, updated_at: r.updated_at }
}).collect();
Ok(PaginatedResponse { items, total: total.0, page: p, page_size: ps })
}
pub async fn get_provider(db: &PgPool, provider_id: &str) -> SaasResult<ProviderInfo> {
let row: Option<(String, String, String, String, String, bool, Option<i64>, Option<i64>, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)> =
let row: Option<ProviderRow> =
sqlx::query_as(
"SELECT id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm, rate_limit_tpm, created_at, updated_at
FROM providers WHERE id = $1"
@@ -32,17 +62,14 @@ pub async fn get_provider(db: &PgPool, provider_id: &str) -> SaasResult<Provider
.fetch_optional(db)
.await?;
let (id, name, display_name, base_url, api_protocol, enabled, rpm, tpm, created_at, updated_at) =
row.ok_or_else(|| SaasError::NotFound(format!("Provider {} 不存在", provider_id)))?;
let r = row.ok_or_else(|| SaasError::NotFound(format!("Provider {} 不存在", provider_id)))?;
Ok(ProviderInfo { id, name, display_name, base_url, api_protocol, enabled, rate_limit_rpm: rpm, rate_limit_tpm: tpm, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() })
Ok(ProviderInfo { id: r.id, name: r.name, display_name: r.display_name, base_url: r.base_url, api_protocol: r.api_protocol, enabled: r.enabled, rate_limit_rpm: r.rate_limit_rpm, rate_limit_tpm: r.rate_limit_tpm, created_at: r.created_at, updated_at: r.updated_at })
}
pub async fn create_provider(
db: &PgPool, encryption: &Arc<FieldEncryption>, req: &CreateProviderRequest,
) -> SaasResult<ProviderInfo> {
pub async fn create_provider(db: &PgPool, req: &CreateProviderRequest, enc_key: &[u8; 32]) -> SaasResult<ProviderInfo> {
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
// 检查名称唯一性
let existing: Option<(String,)> = sqlx::query_as("SELECT id FROM providers WHERE name = $1")
@@ -52,9 +79,14 @@ pub async fn create_provider(
}
// 加密 API Key 后存储
let encrypted_api_key: Option<String> = match &req.api_key {
Some(key) => Some(encryption.encrypt(key)?),
None => None,
let encrypted_api_key = if let Some(ref key) = req.api_key {
if key.is_empty() {
String::new()
} else {
crypto::encrypt_value(key, enc_key)?
}
} else {
String::new()
};
sqlx::query(
@@ -69,42 +101,41 @@ pub async fn create_provider(
}
pub async fn update_provider(
db: &PgPool, encryption: &Arc<FieldEncryption>, provider_id: &str, req: &UpdateProviderRequest,
db: &PgPool, provider_id: &str, req: &UpdateProviderRequest, enc_key: &[u8; 32],
) -> SaasResult<ProviderInfo> {
let now = chrono::Utc::now();
let mut updates = Vec::new();
let mut params: Vec<Box<dyn std::fmt::Display + Send + Sync>> = Vec::new();
let mut param_idx: i32 = 1;
let now = chrono::Utc::now().to_rfc3339();
if let Some(ref v) = req.display_name { updates.push(format!("display_name = ${}", param_idx)); params.push(Box::new(v.clone())); param_idx += 1; }
if let Some(ref v) = req.base_url { updates.push(format!("base_url = ${}", param_idx)); params.push(Box::new(v.clone())); param_idx += 1; }
if let Some(ref v) = req.api_protocol { updates.push(format!("api_protocol = ${}", param_idx)); params.push(Box::new(v.clone())); param_idx += 1; }
if let Some(ref v) = req.api_key {
// 加密 API Key 后存储
let encrypted = encryption.encrypt(v)?;
updates.push(format!("api_key = ${}", param_idx));
params.push(Box::new(encrypted));
param_idx += 1;
}
if let Some(v) = req.enabled { updates.push(format!("enabled = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.rate_limit_rpm { updates.push(format!("rate_limit_rpm = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.rate_limit_tpm { updates.push(format!("rate_limit_tpm = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
// Encrypt api_key upfront if provided
let encrypted_api_key = match req.api_key {
Some(ref v) if !v.is_empty() => Some(crypto::encrypt_value(v, enc_key)?),
Some(ref v) if v.is_empty() => Some(String::new()),
_ => None,
};
if updates.is_empty() {
return get_provider(db, provider_id).await;
}
updates.push(format!("updated_at = ${}", param_idx));
param_idx += 1;
params.push(Box::new(provider_id.to_string()));
let sql = format!("UPDATE providers SET {} WHERE id = ${}", updates.join(", "), param_idx);
let mut query = sqlx::query(&sql);
for p in &params {
query = query.bind(format!("{}", p));
}
query = query.bind(now);
query.execute(db).await?;
// COALESCE pattern: all updatable fields in a single static SQL.
// NULL parameters leave the column unchanged.
sqlx::query(
"UPDATE providers SET
display_name = COALESCE($1, display_name),
base_url = COALESCE($2, base_url),
api_protocol = COALESCE($3, api_protocol),
api_key = COALESCE($4, api_key),
enabled = COALESCE($5, enabled),
rate_limit_rpm = COALESCE($6, rate_limit_rpm),
rate_limit_tpm = COALESCE($7, rate_limit_tpm),
updated_at = $8
WHERE id = $9"
)
.bind(req.display_name.as_deref())
.bind(req.base_url.as_deref())
.bind(req.api_protocol.as_deref())
.bind(encrypted_api_key.as_deref())
.bind(req.enabled)
.bind(req.rate_limit_rpm)
.bind(req.rate_limit_tpm)
.bind(&now)
.bind(provider_id)
.execute(db).await?;
get_provider(db, provider_id).await
}
@@ -121,24 +152,42 @@ pub async fn delete_provider(db: &PgPool, provider_id: &str) -> SaasResult<()> {
// ============ Models ============
pub async fn list_models(db: &PgPool, provider_id: Option<&str>) -> SaasResult<Vec<ModelInfo>> {
let sql = if provider_id.is_some() {
pub async fn list_models(
db: &PgPool, provider_id: Option<&str>, page: Option<u32>, page_size: Option<u32>,
) -> SaasResult<PaginatedResponse<ModelInfo>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
let (count_sql, data_sql) = if provider_id.is_some() {
(
"SELECT COUNT(*) FROM models WHERE provider_id = $1",
"SELECT id, provider_id, model_id, alias, context_window, max_output_tokens, supports_streaming, supports_vision, enabled, pricing_input, pricing_output, created_at, updated_at
FROM models WHERE provider_id = $1 ORDER BY alias"
FROM models WHERE provider_id = $1 ORDER BY alias LIMIT $2 OFFSET $3",
)
} else {
(
"SELECT COUNT(*) FROM models",
"SELECT id, provider_id, model_id, alias, context_window, max_output_tokens, supports_streaming, supports_vision, enabled, pricing_input, pricing_output, created_at, updated_at
FROM models ORDER BY provider_id, alias"
FROM models ORDER BY provider_id, alias LIMIT $1 OFFSET $2",
)
};
let mut query = sqlx::query_as::<_, (String, String, String, String, i64, i64, bool, bool, bool, f64, f64, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)>(sql);
let total: (i64,) = if let Some(pid) = provider_id {
sqlx::query_as(count_sql).bind(pid).fetch_one(db).await?
} else {
sqlx::query_as(count_sql).fetch_one(db).await?
};
let mut query = sqlx::query_as::<_, ModelRow>(data_sql);
if let Some(pid) = provider_id {
query = query.bind(pid);
}
let rows = query.bind(ps as i64).bind(offset).fetch_all(db).await?;
let rows = query.fetch_all(db).await?;
Ok(rows.into_iter().map(|(id, provider_id, model_id, alias, ctx, max_out, streaming, vision, enabled, pi, po, created_at, updated_at)| {
ModelInfo { id, provider_id, model_id, alias, context_window: ctx, max_output_tokens: max_out, supports_streaming: streaming, supports_vision: vision, enabled, pricing_input: pi, pricing_output: po, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() }
}).collect())
let items = rows.into_iter().map(|r| {
ModelInfo { id: r.id, provider_id: r.provider_id, model_id: r.model_id, alias: r.alias, context_window: r.context_window, max_output_tokens: r.max_output_tokens, supports_streaming: r.supports_streaming, supports_vision: r.supports_vision, enabled: r.enabled, pricing_input: r.pricing_input, pricing_output: r.pricing_output, created_at: r.created_at, updated_at: r.updated_at }
}).collect();
Ok(PaginatedResponse { items, total: total.0, page: p, page_size: ps })
}
pub async fn create_model(db: &PgPool, req: &CreateModelRequest) -> SaasResult<ModelInfo> {
@@ -146,7 +195,7 @@ pub async fn create_model(db: &PgPool, req: &CreateModelRequest) -> SaasResult<M
let provider = get_provider(db, &req.provider_id).await?;
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
// 检查 model 唯一性
let existing: Option<(String,)> = sqlx::query_as(
@@ -180,7 +229,7 @@ pub async fn create_model(db: &PgPool, req: &CreateModelRequest) -> SaasResult<M
}
pub async fn get_model(db: &PgPool, model_id: &str) -> SaasResult<ModelInfo> {
let row: Option<(String, String, String, String, i64, i64, bool, bool, bool, f64, f64, chrono::DateTime<chrono::Utc>, chrono::DateTime<chrono::Utc>)> =
let row: Option<ModelRow> =
sqlx::query_as(
"SELECT id, provider_id, model_id, alias, context_window, max_output_tokens, supports_streaming, supports_vision, enabled, pricing_input, pricing_output, created_at, updated_at
FROM models WHERE id = $1"
@@ -189,44 +238,42 @@ pub async fn get_model(db: &PgPool, model_id: &str) -> SaasResult<ModelInfo> {
.fetch_optional(db)
.await?;
let (id, provider_id, model_id, alias, ctx, max_out, streaming, vision, enabled, pi, po, created_at, updated_at) =
row.ok_or_else(|| SaasError::NotFound(format!("模型 {} 不存在", model_id)))?;
let r = row.ok_or_else(|| SaasError::NotFound(format!("模型 {} 不存在", model_id)))?;
Ok(ModelInfo { id, provider_id, model_id, alias, context_window: ctx, max_output_tokens: max_out, supports_streaming: streaming, supports_vision: vision, enabled, pricing_input: pi, pricing_output: po, created_at: created_at.to_rfc3339(), updated_at: updated_at.to_rfc3339() })
Ok(ModelInfo { id: r.id, provider_id: r.provider_id, model_id: r.model_id, alias: r.alias, context_window: r.context_window, max_output_tokens: r.max_output_tokens, supports_streaming: r.supports_streaming, supports_vision: r.supports_vision, enabled: r.enabled, pricing_input: r.pricing_input, pricing_output: r.pricing_output, created_at: r.created_at, updated_at: r.updated_at })
}
pub async fn update_model(
db: &PgPool, model_id: &str, req: &UpdateModelRequest,
) -> SaasResult<ModelInfo> {
let now = chrono::Utc::now();
let mut updates = Vec::new();
let mut params: Vec<Box<dyn std::fmt::Display + Send + Sync>> = Vec::new();
let mut param_idx: i32 = 1;
let now = chrono::Utc::now().to_rfc3339();
if let Some(ref v) = req.alias { updates.push(format!("alias = ${}", param_idx)); params.push(Box::new(v.clone())); param_idx += 1; }
if let Some(v) = req.context_window { updates.push(format!("context_window = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.max_output_tokens { updates.push(format!("max_output_tokens = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.supports_streaming { updates.push(format!("supports_streaming = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.supports_vision { updates.push(format!("supports_vision = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.enabled { updates.push(format!("enabled = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.pricing_input { updates.push(format!("pricing_input = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if let Some(v) = req.pricing_output { updates.push(format!("pricing_output = ${}", param_idx)); params.push(Box::new(v)); param_idx += 1; }
if updates.is_empty() {
return get_model(db, model_id).await;
}
updates.push(format!("updated_at = ${}", param_idx));
param_idx += 1;
params.push(Box::new(model_id.to_string()));
let sql = format!("UPDATE models SET {} WHERE id = ${}", updates.join(", "), param_idx);
let mut query = sqlx::query(&sql);
for p in &params {
query = query.bind(format!("{}", p));
}
query = query.bind(now);
query.execute(db).await?;
// COALESCE pattern: all updatable fields in a single static SQL.
// NULL parameters leave the column unchanged.
sqlx::query(
"UPDATE models SET
alias = COALESCE($1, alias),
context_window = COALESCE($2, context_window),
max_output_tokens = COALESCE($3, max_output_tokens),
supports_streaming = COALESCE($4, supports_streaming),
supports_vision = COALESCE($5, supports_vision),
enabled = COALESCE($6, enabled),
pricing_input = COALESCE($7, pricing_input),
pricing_output = COALESCE($8, pricing_output),
updated_at = $9
WHERE id = $10"
)
.bind(req.alias.as_deref())
.bind(req.context_window)
.bind(req.max_output_tokens)
.bind(req.supports_streaming)
.bind(req.supports_vision)
.bind(req.enabled)
.bind(req.pricing_input)
.bind(req.pricing_output)
.bind(&now)
.bind(model_id)
.execute(db).await?;
get_model(db, model_id).await
}
@@ -244,45 +291,62 @@ pub async fn delete_model(db: &PgPool, model_id: &str) -> SaasResult<()> {
// ============ Account API Keys ============
pub async fn list_account_api_keys(
db: &PgPool, encryption: &Arc<FieldEncryption>, account_id: &str, provider_id: Option<&str>,
) -> SaasResult<Vec<AccountApiKeyInfo>> {
let sql = if provider_id.is_some() {
db: &PgPool, account_id: &str, provider_id: Option<&str>,
page: Option<u32>, page_size: Option<u32>,
) -> SaasResult<PaginatedResponse<AccountApiKeyInfo>> {
let (p, ps, offset) = normalize_pagination(page, page_size);
// Build COUNT and data queries based on whether provider_id is provided
let (count_sql, data_sql) = if provider_id.is_some() {
(
"SELECT COUNT(*) FROM account_api_keys WHERE account_id = $1 AND provider_id = $2 AND revoked_at IS NULL",
"SELECT id, provider_id, key_label, permissions, enabled, last_used_at, created_at, key_value
FROM account_api_keys WHERE account_id = $1 AND provider_id = $2 AND revoked_at IS NULL ORDER BY created_at DESC"
FROM account_api_keys WHERE account_id = $1 AND provider_id = $2 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $3 OFFSET $4",
)
} else {
(
"SELECT COUNT(*) FROM account_api_keys WHERE account_id = $1 AND revoked_at IS NULL",
"SELECT id, provider_id, key_label, permissions, enabled, last_used_at, created_at, key_value
FROM account_api_keys WHERE account_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC"
FROM account_api_keys WHERE account_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $2 OFFSET $3",
)
};
let mut query = sqlx::query_as::<_, (String, String, Option<String>, String, bool, Option<chrono::DateTime<chrono::Utc>>, chrono::DateTime<chrono::Utc>, String)>(sql)
let total: (i64,) = if provider_id.is_some() {
let mut q = sqlx::query_as(count_sql).bind(account_id);
if let Some(pid) = provider_id { q = q.bind(pid); }
q.fetch_one(db).await?
} else {
sqlx::query_as(count_sql).bind(account_id).fetch_one(db).await?
};
let mut query = sqlx::query_as::<_, AccountApiKeyRow>(data_sql)
.bind(account_id);
if let Some(pid) = provider_id {
query = query.bind(pid);
}
let rows = query.bind(ps as i64).bind(offset).fetch_all(db).await?;
let rows = query.fetch_all(db).await?;
Ok(rows.into_iter().map(|(id, provider_id, key_label, perms, enabled, last_used, created_at, key_value)| {
let permissions: Vec<String> = serde_json::from_str(&perms).unwrap_or_default();
// 解密 key_value 后再做掩码处理(兼容迁移期间的明文数据)
let decrypted = encryption.decrypt_or_plaintext(&key_value);
let masked = mask_api_key(&decrypted);
AccountApiKeyInfo { id, provider_id, key_label, permissions, enabled, last_used_at: last_used.map(|t| t.to_rfc3339()), created_at: created_at.to_rfc3339(), masked_key: masked }
}).collect())
let items = rows.into_iter().map(|r| {
let permissions: Vec<String> = serde_json::from_str(&r.permissions).unwrap_or_default();
let masked = mask_api_key(&r.key_value);
AccountApiKeyInfo { id: r.id, provider_id: r.provider_id, key_label: r.key_label, permissions, enabled: r.enabled, last_used_at: r.last_used_at, created_at: r.created_at, masked_key: masked }
}).collect();
Ok(PaginatedResponse { items, total: total.0, page: p, page_size: ps })
}
pub async fn create_account_api_key(
db: &PgPool, encryption: &Arc<FieldEncryption>, account_id: &str, req: &CreateAccountApiKeyRequest,
db: &PgPool, account_id: &str, req: &CreateAccountApiKeyRequest, enc_key: &[u8; 32],
) -> SaasResult<AccountApiKeyInfo> {
// 验证 provider 存在
get_provider(db, &req.provider_id).await?;
let id = uuid::Uuid::new_v4().to_string();
let now = chrono::Utc::now();
let now_str = now.to_rfc3339();
let now = chrono::Utc::now().to_rfc3339();
let permissions = serde_json::to_string(&req.permissions)?;
// 加密 key_value 后存储
let encrypted_key_value = encryption.encrypt(&req.key_value)?;
let encrypted_key_value = crypto::encrypt_value(&req.key_value, enc_key)?;
sqlx::query(
"INSERT INTO account_api_keys (id, account_id, provider_id, key_value, key_label, permissions, enabled, created_at, updated_at)
@@ -296,20 +360,19 @@ pub async fn create_account_api_key(
Ok(AccountApiKeyInfo {
id, provider_id: req.provider_id.clone(), key_label: req.key_label.clone(),
permissions: req.permissions.clone(), enabled: true, last_used_at: None,
created_at: now_str, masked_key: masked,
created_at: now, masked_key: masked,
})
}
pub async fn rotate_account_api_key(
db: &PgPool, encryption: &Arc<FieldEncryption>, key_id: &str, account_id: &str, new_key_value: &str,
db: &PgPool, key_id: &str, account_id: &str, new_key_value: &str, enc_key: &[u8; 32],
) -> SaasResult<()> {
let now = chrono::Utc::now();
// 加密新 key_value 后存储
let encrypted_key = encryption.encrypt(new_key_value)?;
let now = chrono::Utc::now().to_rfc3339();
let encrypted_value = crypto::encrypt_value(new_key_value, enc_key)?;
let result = sqlx::query(
"UPDATE account_api_keys SET key_value = $1, updated_at = $2 WHERE id = $3 AND account_id = $4 AND revoked_at IS NULL"
)
.bind(&encrypted_key).bind(&now).bind(key_id).bind(account_id)
.bind(&encrypted_value).bind(&now).bind(key_id).bind(account_id)
.execute(db).await?;
if result.rows_affected() == 0 {
@@ -321,7 +384,7 @@ pub async fn rotate_account_api_key(
pub async fn revoke_account_api_key(
db: &PgPool, key_id: &str, account_id: &str,
) -> SaasResult<()> {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
let result = sqlx::query(
"UPDATE account_api_keys SET revoked_at = $1 WHERE id = $2 AND account_id = $3 AND revoked_at IS NULL"
)
@@ -339,75 +402,61 @@ pub async fn revoke_account_api_key(
pub async fn get_usage_stats(
db: &PgPool, account_id: &str, query: &UsageQuery,
) -> SaasResult<UsageStats> {
let mut param_idx: i32 = 1;
let mut where_clauses = vec![format!("account_id = ${}", param_idx)];
param_idx += 1;
let mut params: Vec<String> = vec![account_id.to_string()];
// Static SQL with conditional filter pattern:
// account_id is always required; optional filters use ($N IS NULL OR col = $N).
let total_sql = "SELECT COUNT(*)::bigint, COALESCE(SUM(input_tokens), 0), COALESCE(SUM(output_tokens), 0)
FROM usage_records WHERE account_id = $1 AND ($2 IS NULL OR created_at >= $2) AND ($3 IS NULL OR created_at <= $3) AND ($4 IS NULL OR provider_id = $4) AND ($5 IS NULL OR model_id = $5)";
if let Some(ref from) = query.from {
where_clauses.push(format!("created_at >= ${}", param_idx));
param_idx += 1;
params.push(from.clone());
}
if let Some(ref to) = query.to {
where_clauses.push(format!("created_at <= ${}", param_idx));
param_idx += 1;
params.push(to.clone());
}
if let Some(ref pid) = query.provider_id {
where_clauses.push(format!("provider_id = ${}", param_idx));
param_idx += 1;
params.push(pid.clone());
}
if let Some(ref mid) = query.model_id {
where_clauses.push(format!("model_id = ${}", param_idx));
params.push(mid.clone());
}
let where_sql = where_clauses.join(" AND ");
// 总量统计
let total_sql = format!(
"SELECT COUNT(*), COALESCE(SUM(input_tokens), 0), COALESCE(SUM(output_tokens), 0)
FROM usage_records WHERE {}", where_sql
);
let mut total_query = sqlx::query_as::<_, (i64, i64, i64)>(&total_sql);
for p in &params {
total_query = total_query.bind(p);
}
let (total_requests, total_input, total_output) = total_query.fetch_one(db).await?;
let row = sqlx::query(total_sql)
.bind(account_id)
.bind(&query.from)
.bind(&query.to)
.bind(&query.provider_id)
.bind(&query.model_id)
.fetch_one(db).await?;
let total_requests: i64 = row.try_get(0).unwrap_or(0);
let total_input: i64 = row.try_get(1).unwrap_or(0);
let total_output: i64 = row.try_get(2).unwrap_or(0);
// 按模型统计
let by_model_sql = format!(
"SELECT provider_id, model_id, COUNT(*), COALESCE(SUM(input_tokens), 0), COALESCE(SUM(output_tokens), 0)
FROM usage_records WHERE {} GROUP BY provider_id, model_id ORDER BY COUNT(*) DESC LIMIT 20",
where_sql
);
let mut by_model_query = sqlx::query_as::<_, (String, String, i64, i64, i64)>(&by_model_sql);
for p in &params {
by_model_query = by_model_query.bind(p);
}
let by_model_rows = by_model_query.fetch_all(db).await?;
let by_model_sql = "SELECT provider_id, model_id, COUNT(*)::bigint AS request_count, COALESCE(SUM(input_tokens), 0) AS input_tokens, COALESCE(SUM(output_tokens), 0) AS output_tokens
FROM usage_records WHERE account_id = $1 AND ($2 IS NULL OR created_at >= $2) AND ($3 IS NULL OR created_at <= $3) AND ($4 IS NULL OR provider_id = $4) AND ($5 IS NULL OR model_id = $5) GROUP BY provider_id, model_id ORDER BY COUNT(*) DESC LIMIT 20";
let by_model_rows: Vec<UsageByModelRow> = sqlx::query_as(by_model_sql)
.bind(account_id)
.bind(&query.from)
.bind(&query.to)
.bind(&query.provider_id)
.bind(&query.model_id)
.fetch_all(db).await?;
let by_model: Vec<ModelUsage> = by_model_rows.into_iter()
.map(|(provider_id, model_id, count, input, output)| {
ModelUsage { provider_id, model_id, request_count: count, input_tokens: input, output_tokens: output }
.map(|r| {
ModelUsage { provider_id: r.provider_id, model_id: r.model_id, request_count: r.request_count, input_tokens: r.input_tokens, output_tokens: r.output_tokens }
}).collect();
// 按天统计 (最近 30 天)
let from_30d = chrono::Utc::now() - chrono::Duration::days(30);
let daily_sql = format!(
"SELECT DATE(created_at) as day, COUNT(*), COALESCE(SUM(input_tokens), 0), COALESCE(SUM(output_tokens), 0)
// 按天统计 (使用 days 参数或默认 30 天)
let days = query.days.unwrap_or(30).min(365).max(1) as i64;
let from_days = (chrono::Utc::now() - chrono::Duration::days(days))
.date_naive()
.and_hms_opt(0, 0, 0).unwrap()
.and_utc()
.to_rfc3339();
let daily_sql = "SELECT SUBSTRING(created_at, 1, 10) as day, COUNT(*)::bigint AS request_count, COALESCE(SUM(input_tokens), 0) AS input_tokens, COALESCE(SUM(output_tokens), 0) AS output_tokens
FROM usage_records WHERE account_id = $1 AND created_at >= $2
GROUP BY DATE(created_at) ORDER BY day DESC LIMIT 30"
);
let daily_rows: Vec<(String, i64, i64, i64)> = sqlx::query_as(&daily_sql)
.bind(account_id).bind(&from_30d)
GROUP BY SUBSTRING(created_at, 1, 10) ORDER BY day DESC LIMIT $3";
let daily_rows: Vec<UsageByDayRow> = sqlx::query_as(daily_sql)
.bind(account_id).bind(&from_days).bind(days as i32)
.fetch_all(db).await?;
let by_day: Vec<DailyUsage> = daily_rows.into_iter()
.map(|(date, count, input, output)| {
DailyUsage { date, request_count: count, input_tokens: input, output_tokens: output }
.map(|r| {
DailyUsage { date: r.day, request_count: r.request_count, input_tokens: r.input_tokens, output_tokens: r.output_tokens }
}).collect();
// 按 group_by 过滤返回
let group_by = query.group_by.as_deref();
let by_model = if group_by == Some("model") || group_by.is_none() { by_model } else { vec![] };
let by_day = if group_by == Some("day") || group_by.is_none() { by_day } else { vec![] };
Ok(UsageStats {
total_requests,
total_input_tokens: total_input,
@@ -422,7 +471,7 @@ pub async fn record_usage(
input_tokens: i64, output_tokens: i64, latency_ms: Option<i64>,
status: &str, error_message: Option<&str>,
) -> SaasResult<()> {
let now = chrono::Utc::now();
let now = chrono::Utc::now().to_rfc3339();
sqlx::query(
"INSERT INTO usage_records (account_id, provider_id, model_id, input_tokens, output_tokens, latency_ms, status, error_message, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)"
@@ -442,73 +491,3 @@ fn mask_api_key(key: &str) -> String {
}
format!("{}...{}", &key[..4], &key[key.len()-4..])
}
#[cfg(test)]
mod tests {
use super::*;
// ---- mask_api_key ----
#[test]
fn mask_key_long_key() {
let key = "sk-abcdefghijklmnopqrstuvwxyz123456";
let masked = mask_api_key(key);
assert_eq!(masked, "sk-a...3456");
}
#[test]
fn mask_key_exactly_8_chars() {
// keys <= 8 chars are fully masked
let key = "12345678";
let masked = mask_api_key(key);
assert_eq!(masked, "********");
}
#[test]
fn mask_key_7_chars() {
let key = "abcdefg";
let masked = mask_api_key(key);
assert_eq!(masked, "*******");
}
#[test]
fn mask_key_1_char() {
let key = "a";
let masked = mask_api_key(key);
assert_eq!(masked, "*");
}
#[test]
fn mask_key_empty() {
let key = "";
let masked = mask_api_key(key);
assert_eq!(masked, "");
}
#[test]
fn mask_key_9_chars_boundary() {
// 9 chars is the first that uses prefix...suffix format
let key = "abcdefghi";
let masked = mask_api_key(key);
assert_eq!(masked, "abcd...fghi");
}
#[test]
fn mask_key_standard_openai_format() {
let key = "sk-proj-abcdefghijklmnopqrstuvwx";
let masked = mask_api_key(key);
assert_eq!(masked, "sk-p...uvwx");
}
#[test]
fn mask_key_no_ellipsis_for_short() {
let masked = mask_api_key("short");
assert!(!masked.contains("..."));
}
#[test]
fn mask_key_has_ellipsis_for_long() {
let masked = mask_api_key("this_is_a_very_long_key_value");
assert!(masked.contains("..."));
}
}

49
crates/zclaw-saas/src/model_config/types.rs
View File

@@ -4,7 +4,7 @@ use serde::{Deserialize, Serialize};
// --- Provider ---
#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProviderInfo {
pub id: String,
pub name: String,
@@ -18,7 +18,7 @@ pub struct ProviderInfo {
pub updated_at: String,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct CreateProviderRequest {
pub name: String,
pub display_name: String,
@@ -32,7 +32,7 @@ pub struct CreateProviderRequest {
fn default_protocol() -> String { "openai".into() }
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct UpdateProviderRequest {
pub display_name: Option<String>,
pub base_url: Option<String>,
@@ -45,7 +45,7 @@ pub struct UpdateProviderRequest {
// --- Model ---
#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ModelInfo {
pub id: String,
pub provider_id: String,
@@ -62,7 +62,7 @@ pub struct ModelInfo {
pub updated_at: String,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct CreateModelRequest {
pub provider_id: String,
pub model_id: String,
@@ -75,7 +75,7 @@ pub struct CreateModelRequest {
pub pricing_output: Option<f64>,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct UpdateModelRequest {
pub alias: Option<String>,
pub context_window: Option<i64>,
@@ -89,7 +89,7 @@ pub struct UpdateModelRequest {
// --- Account API Key ---
#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AccountApiKeyInfo {
pub id: String,
pub provider_id: String,
@@ -101,7 +101,7 @@ pub struct AccountApiKeyInfo {
pub masked_key: String,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct CreateAccountApiKeyRequest {
pub provider_id: String,
pub key_value: String,
@@ -110,14 +110,14 @@ pub struct CreateAccountApiKeyRequest {
pub permissions: Vec<String>,
}
#[derive(Debug, Deserialize, utoipa::ToSchema)]
#[derive(Debug, Deserialize)]
pub struct RotateApiKeyRequest {
pub new_key_value: String,
}
// --- Usage ---
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct UsageStats {
pub total_requests: i64,
pub total_input_tokens: i64,
@@ -126,7 +126,7 @@ pub struct UsageStats {
pub by_day: Vec<DailyUsage>,
}
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct ModelUsage {
pub provider_id: String,
pub model_id: String,
@@ -135,7 +135,7 @@ pub struct ModelUsage {
pub output_tokens: i64,
}
#[derive(Debug, Serialize, utoipa::ToSchema)]
#[derive(Debug, Serialize)]
pub struct DailyUsage {
pub date: String,
pub request_count: i64,
@@ -143,11 +143,34 @@ pub struct DailyUsage {
pub output_tokens: i64,
}
#[derive(Debug, Deserialize, utoipa::ToSchema, utoipa::IntoParams)]
#[derive(Debug, Deserialize)]
pub struct UsageQuery {
pub from: Option<String>,
pub to: Option<String>,
pub provider_id: Option<String>,
pub model_id: Option<String>,
/// 聚合维度: "day" 或 "model"。不传则返回完整 UsageStats
pub group_by: Option<String>,
/// 最近 N 天
pub days: Option<i32>,
}
// --- Seed Data ---
#[derive(Debug, Deserialize)]
pub struct SeedProvider {
pub name: String,
pub display_name: String,
pub base_url: String,
pub models: Vec<SeedModel>,
}
#[derive(Debug, Deserialize)]
pub struct SeedModel {
pub id: String,
pub alias: String,
pub context_window: Option<i64>,
pub max_output_tokens: Option<i64>,
pub supports_streaming: Option<bool>,
pub supports_vision: Option<bool>,
}

75
crates/zclaw-saas/src/models/account.rs Normal file
View File

@@ -0,0 +1,75 @@
//! Account 表相关模型
use sqlx::FromRow;
/// accounts 表完整行 (含 last_login_at)
#[derive(Debug, FromRow)]
pub struct AccountRow {
pub id: String,
pub username: String,
pub email: String,
pub display_name: String,
pub role: String,
pub status: String,
pub totp_enabled: bool,
pub last_login_at: Option<String>,
pub created_at: String,
}
/// accounts 表行 (不含 last_login_at用于 auth/me 等场景)
#[derive(Debug, FromRow)]
pub struct AccountAuthRow {
pub id: String,
pub username: String,
pub email: String,
pub display_name: String,
pub role: String,
pub status: String,
pub totp_enabled: bool,
pub created_at: String,
}
/// Login 一次性查询行(合并用户信息 + password_hash + totp_secret
#[derive(Debug, FromRow)]
pub struct AccountLoginRow {
pub id: String,
pub username: String,
pub email: String,
pub display_name: String,
pub role: String,
pub status: String,
pub totp_enabled: bool,
pub password_hash: String,
pub totp_secret: Option<String>,
pub created_at: String,
}
/// operation_logs 表行
#[derive(Debug, FromRow)]
pub struct OperationLogRow {
pub id: i64,
pub account_id: Option<String>,
pub action: String,
pub target_type: Option<String>,
pub target_id: Option<String>,
pub details: Option<String>,
pub ip_address: Option<String>,
pub created_at: String,
}
/// Dashboard 统计聚合行
#[derive(Debug, FromRow)]
pub struct DashboardStatsRow {
pub total_accounts: i64,
pub active_accounts: i64,
pub active_providers: i64,
pub active_models: i64,
}
/// Dashboard 今日统计聚合行
#[derive(Debug, FromRow)]
pub struct DashboardTodayRow {
pub tasks_today: i64,
pub tokens_input: i64,
pub tokens_output: i64,
}

15
crates/zclaw-saas/src/models/api_token.rs Normal file
View File

@@ -0,0 +1,15 @@
//! api_tokens 表相关模型
use sqlx::FromRow;
/// api_tokens 表行 (用于列表查询)
#[derive(Debug, FromRow)]
pub struct ApiTokenRow {
pub id: String,
pub name: String,
pub token_prefix: String,
pub permissions: String,
pub last_used_at: Option<String>,
pub expires_at: Option<String>,
pub created_at: String,
}

33
crates/zclaw-saas/src/models/config.rs Normal file
View File

@@ -0,0 +1,33 @@
//! config_items + config_sync_log 表相关模型
use sqlx::FromRow;
/// config_items 表行
#[derive(Debug, FromRow)]
pub struct ConfigItemRow {
pub id: String,
pub category: String,
pub key_path: String,
pub value_type: String,
pub current_value: Option<String>,
pub default_value: Option<String>,
pub source: String,
pub description: Option<String>,
pub requires_restart: bool,
pub created_at: String,
pub updated_at: String,
}
/// config_sync_log 表行
#[derive(Debug, FromRow)]
pub struct ConfigSyncLogRow {
pub id: i64,
pub account_id: String,
pub client_fingerprint: String,
pub action: String,
pub config_keys: String,
pub client_values: Option<String>,
pub saas_values: Option<String>,
pub resolution: Option<String>,
pub created_at: String,
}

15
crates/zclaw-saas/src/models/device.rs Normal file
View File

@@ -0,0 +1,15 @@
//! devices 表相关模型
use sqlx::FromRow;
/// devices 表行
#[derive(Debug, FromRow)]
pub struct DeviceRow {
pub id: String,
pub device_id: String,
pub device_name: Option<String>,
pub platform: Option<String>,
pub app_version: Option<String>,
pub last_seen_at: String,
pub created_at: String,
}

33
crates/zclaw-saas/src/models/mod.rs Normal file
View File

@@ -0,0 +1,33 @@
//! 类型化数据库模型 (sqlx::FromRow)
//!
//! 替代原始元组解构 `(String, String, ...)`,提供编译期字段检查。
//! 每个结构体对应一个数据库查询结果,字段名与 SQL 列名一致。
pub mod account;
pub mod api_token;
pub mod config;
pub mod device;
pub mod model;
pub mod permission_template;
pub mod prompt;
pub mod provider;
pub mod provider_key;
pub mod relay_task;
pub mod role;
pub mod telemetry;
pub mod usage;
// Re-export all row types for convenient access
pub use account::*;
pub use api_token::*;
pub use config::*;
pub use device::*;
pub use model::*;
pub use permission_template::*;
pub use prompt::*;
pub use provider::*;
pub use provider_key::*;
pub use relay_task::*;
pub use role::*;
pub use telemetry::*;
pub use usage::*;

34
crates/zclaw-saas/src/models/model.rs Normal file
View File

@@ -0,0 +1,34 @@
//! models + account_api_keys 表相关模型
use sqlx::FromRow;
/// models 表行
#[derive(Debug, FromRow)]
pub struct ModelRow {
pub id: String,
pub provider_id: String,
pub model_id: String,
pub alias: String,
pub context_window: i64,
pub max_output_tokens: i64,
pub supports_streaming: bool,
pub supports_vision: bool,
pub enabled: bool,
pub pricing_input: f64,
pub pricing_output: f64,
pub created_at: String,
pub updated_at: String,
}
/// account_api_keys 表行
#[derive(Debug, FromRow)]
pub struct AccountApiKeyRow {
pub id: String,
pub provider_id: String,
pub key_label: Option<String>,
pub permissions: String,
pub enabled: bool,
pub last_used_at: Option<String>,
pub created_at: String,
pub key_value: String,
}

Some files were not shown because too many files have changed in this diff Show More