iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
0bb526509da5ad220e508b265c54685e081d1b3d
zclaw_openfang/config/config.toml
iven 5a0c652f4f
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details
fix(hands): 审计修复 — SSRF防护/输入验证/HTTP状态检查/解析加固 
三维度穷尽审计(安全+质量+正确性)后修复:

CRITICAL:
- execute_fetch() 添加完整 SSRF 防护(IPv4/IPv6/私有地址/云元数据/主机名黑名单)
- reqwest 重定向策略限制为3次,阻止重定向链 SSRF
- DDG HTML 解析: split("result__body") → split("class=\"result__body\"") 防误匹配
- Google 变体降级到 Bing 时添加 tracing::warn 日志

HIGH:
- ResearchQuery 输入验证: 查询≤500字符, max_results≤50, 空查询拒绝
- Cache 容量限制: 200 条目上限 + 简单淘汰
- extract_href_uddg 手动 URL 解码替换为标准 percent_decode
- 3个搜索引擎方法添加 HTTP status code 检查(429/503 不再静默)

MEDIUM:
- config.toml default_engine 从 "searxng" 改为 "auto"(Rust 原生优先)
- User-Agent 从机器人标识改为浏览器 UA,降低反爬风险
- 百度解析器从精确匹配改为 c-container 包含匹配,覆盖更多变体
- 添加 url crate 依赖

测试: 60 PASS (新增12: SSRF 5 + percent_decode 3 + 输入验证 4)
2026-04-22 12:11:35 +08:00

296 lines
6.6 KiB
TOML
Raw Blame History

# ============================================================
# ZCLAW Main Configuration
# ZCLAW TOML format configuration file
# ============================================================
#
# Usage:
# 1. Copy this file to ~/.zclaw/config.toml
# 2. Set environment variables for API keys
# 3. Import chinese-providers.toml for Chinese LLM support
#
# Environment variables:
# ZHIPU_API_KEY, QWEN_API_KEY, KIMI_API_KEY,
# MINIMAX_API_KEY, DEEPSEEK_API_KEY, OPENAI_API_KEY
# ============================================================
# ============================================================
# Server Configuration
# ============================================================
[server]
# gRPC server host and port (default 4200 from runtime-manifest.json)
host = "127.0.0.1"
port = 4200
# WebSocket configuration
websocket_port = 4200
websocket_path = "/ws"
# CORS settings for desktop client
cors_origins = ["http://localhost:1420", "tauri://localhost"]
# API version prefix
api_version = "v1"
# ============================================================
# Agent Configuration
# ============================================================
[agent.defaults]
# Default workspace for agent operations
workspace = "~/.zclaw/zclaw-workspace"
# Default model for new sessions
default_model = "zhipu/glm-4-plus"
# Fallback models if primary fails
fallback_models = ["qwen/qwen-max", "deepseek/deepseek-chat"]
# Heartbeat interval for agent health checks
heartbeat_interval = "1h"
# Session timeout
session_timeout = "24h"
# Maximum concurrent sessions
max_sessions = 10
[agent.defaults.sandbox]
# Sandbox root directory
workspace_root = "~/.zclaw/zclaw-workspace"
# Allowed shell commands (empty = all allowed)
# allowed_commands = ["git", "npm", "pnpm", "cargo"]
# Enable shell execution
shell_enabled = true
# Network access in sandbox
network_enabled = true
[agent.defaults.memory]
# Conversation memory settings
max_history_length = 100
summarize_threshold = 50
# ============================================================
# Skills Configuration
# ============================================================
[skills]
# Additional skill directories to load
extra_dirs = ["./skills"]
# Enable hot reload for skill development
hot_reload = false
# Skill execution timeout
execution_timeout = "5m"
# ============================================================
# Hands Configuration
# ============================================================
[hands]
# Additional hand directories to load
extra_dirs = ["./hands"]
# Default approval mode: "auto", "manual", "smart"
default_approval_mode = "smart"
# Hand execution settings
max_concurrent = 5
execution_timeout = "30m"
# Audit settings
audit_enabled = true
audit_log_path = "~/.zclaw/logs/hands-audit.log"
# ============================================================
# LLM Provider Configuration
# ============================================================
[llm]
# Default provider settings
default_provider = "zhipu"
default_model = "glm-4-plus"
# Rate limiting
requests_per_minute = 60
tokens_per_minute = 100000
# Retry settings
max_retries = 3
retry_delay = "1s"
# ============================================================
# Model Aliases
# ============================================================
[llm.aliases]
# 智谱 GLM 模型 (使用正确的 API 模型 ID)
"glm-4-flash" = "zhipu/glm-4-flash-250414"
"glm-4-plus" = "zhipu/glm-4-plus"
"glm-4.5" = "zhipu/glm-4.5"
# 其他模型
"qwen3.5" = "qwen/qwen-plus"
"gpt-4" = "openai/gpt-4o"
# ============================================================
# Security Configuration
# ============================================================
[security]
# Enable all security layers
enabled = true
# Authentication
[security.auth]
# JWT token expiration
token_expiration = "24h"
# Ed25519 key settings
key_rotation_interval = "30d"
# RBAC settings
[security.rbac]
enabled = true
default_role = "user"
# Rate limiting
[security.rate_limit]
enabled = true
requests_per_second = 10
burst_size = 20
# Audit logging
[security.audit]
enabled = true
log_path = "~/.zclaw/logs/audit.log"
log_format = "json"
# ============================================================
# Logging Configuration
# ============================================================
[logging]
# Log level: "trace", "debug", "info", "warn", "error"
level = "info"
# Log format: "json", "pretty", "compact"
format = "pretty"
# Log file settings
[logging.file]
enabled = true
path = "~/.zclaw/logs/zclaw.log"
max_size = "10MB"
max_files = 5
compress = true
# Console logging
[logging.console]
enabled = true
colorize = true
# ============================================================
# Channels Configuration (Integrations)
# ============================================================
[channels]
# Feishu (Lark) integration
[channels.feishu]
enabled = false
[channels.feishu.default]
app_id = ""
app_secret = ""
enabled = false
# ============================================================
# Tools Configuration
# ============================================================
[tools]
# Shell execution tool
[tools.exec]
shell_enabled = true
timeout = "30s"
# Web search tool
[tools.web]
[tools.web.search]
enabled = true
default_engine = "auto"
max_results = 10
searxng_url = "http://localhost:8888"
searxng_timeout = 15
# File system tool
[tools.fs]
allowed_paths = ["~/.zclaw/zclaw-workspace"]
max_file_size = "10MB"
# ============================================================
# Workflow Configuration
# ============================================================
[workflow]
# Workflow storage
storage_path = "~/.zclaw/workflows"
# Execution settings
max_steps = 100
step_timeout = "5m"
# Trigger settings
[workflow.triggers]
enabled = true
max_scheduled = 50
# ============================================================
# Desktop Client Configuration
# ============================================================
[desktop]
# Desktop-specific settings for ZClaw client
[desktop.ui]
# Theme settings
default_theme = "system"
theme_transition_ms = 200
# Animation settings
animations_enabled = true
animation_duration_ms = 300
[desktop.connection]
# Connection retry settings
auto_reconnect = true
reconnect_delay_ms = 1000
max_reconnect_attempts = 5
# Connection timeout
connection_timeout_ms = 5000
request_timeout_ms = 30000
# ============================================================
# Development Settings (for local development only)
# ============================================================
[development]
# Enable debug mode
debug = false
# Verbose logging
verbose = false
# Mock mode (for testing without real LLM)
mock_llm = false
# Profiling
profiling_enabled = false
profiling_port = 6060
Reference in New Issue View Git Blame Copy Permalink