* fix: adapt MiMo STT to V2.5 models and reject non-WAV audio
The MiMo-V2 series went offline on 2026-06-30, so the default STT model
mimo-v2-omni fails for every default configuration. Switch the default
to mimo-v2.5-asr, the dedicated speech recognition model whose official
docs use exactly the bare input_audio payload this provider sends.
For non-ASR multimodal models such as mimo-v2.5, the audio understanding
docs require a text instruction alongside the audio, so restore the
system/user transcription prompts for that model family only.
Also validate that the resolved audio payload really is RIFF/WAVE before
calling the API: when a platform voice file (e.g. Tencent SILK from QQ)
slips through the WAV conversion chain unchanged, fail locally with an
actionable error instead of the opaque HTTP 400 from the API.
Fixes#9113
* fix: accept unpadded MiMo wav headers
---------
Co-authored-by: tangtaizong666 <212687958+tangtaizong666@users.noreply.github.com>
- Add ExaWebSearchTool (web_search_exa) with keyword/semantic search,
category filters, domain restrictions, and date range support
- Add ExaGetContentsTool (exa_get_contents) for extracting web page content
- Add _exa_search() and _exa_get_contents() API helpers hitting
https://api.exa.ai/search and https://api.exa.ai/contents
- Add _EXA_KEY_ROTATOR for multi-key rotation
- Register Exa tools in _apply_web_search_tools() dispatch
- Add Exa to WEB_SEARCH_CITATION_TOOL_NAMES for citation support
- Add websearch_exa_key config default and provider option
- Add i18n metadata for en-US, zh-CN, ru-RU
- Add Exa section to docs (en + zh)
- Add 6 unit tests covering search, contents, error handling, and
legacy config migration
Closes#5621
Add QQ Official Bot QR binding registration flow for the WebSocket adapter, wire dashboard credential autofill, and mark the WebSocket template as recommended.
* refactor: migrate to fastapi
* structure refactor
* fix: pyright fix
* refactor: improve error handling and public messages in plugin services
* feat(api): refactor API client integration and enhance request handling
- Updated API client configuration to use a dedicated HTTP client.
- Introduced utility functions for generating options, queries, and form data for API requests.
- Refactored multiple API methods to utilize the new utility functions for improved consistency and readability.
- Renamed types for clarity and updated import statements accordingly.
feat(docs): add script to update OpenAPI JSON from YAML spec
- Created a Python script to convert OpenAPI YAML specification to JSON format.
- The script supports customizable input and output paths.
- Ensured the script handles directory creation for output paths and validates the YAML structure.
* fix
* feat(auth): implement rate limiting for v1 login endpoint and enhance request handling
* Refactor dashboard API routers to use legacy_router for backward compatibility
- Changed all instances of dashboard_router to legacy_router across multiple API modules including platform, plugins, providers, sessions, skills, stats, subagents, t2i, tools, updates, and asgi_runtime.
- Updated route definitions to ensure existing endpoints remain functional under the new router structure.
- Introduced support for Quart request context in asgi_runtime to enhance compatibility with existing Quart-based plugins.
- Added a test case to validate the functionality of the new Quart request context handling in plugin extensions.
* chore: remove cli test
* fix: update dashboard tests for fastapi migration
* chore: satisfy ruff checks
* fix: update openapi api key scopes
* fix: sync config scope chip selection
* fix: restore quart dependency
* docs: clarify quart plugin api compatibility
* docs: update openapi scope documentation
* fix: use singular skill openapi scope
* fix: hide update service exception details
* fix: address fastapi review comments
* fix: address dashboard review findings
* docs: revert unrelated package deployment changes
* docs: update agent api generation guidance
* feat: add plugin page web api helpers
* docs: add plugin page bridge demo
* fix: type plugin upload files
* fix: stabilize plugin page uploads
* fix: type plugin web request proxy
* docs: remove plugin page docs example
* fix: authenticate plugin page SSE bridge
* fix(context): restore turn cap, serialize content parts and tool calls for llm compress, fix AftCompact debug log
Three context-compaction regression fixes after #8226:
1. Restore max_context_length -> enforce_max_turns propagation so
normal turn-based truncation works again.
2. Serialize ContentPart and ToolCall objects into plain dicts in
_message_to_dict so llm_compress no longer fails with JSON
serialization errors.
3. Print _provider_messages (compacted) instead of run_context.messages
(unchanged) in AftCompact debug log; truncate long role lists to
first4,...,last4 to avoid log spam.
Assertions in tests are also hardened to avoid coupling to exact prompt
wording.
* fix(tool_loop_agent_runner): simplify context handling by removing redundant provider messages
* fix(tool_loop_agent_runner): rename context manager variables for clarity
* fix: update context compression to use recent token ratio instead of fixed count
* fix: enhance LLMSummaryCompressor to sanitize contexts and improve message handling
* ruff format
---------
Co-authored-by: Soulter <905617992@qq.com>
* feat: add TOTP two-factor authentication for dashboard login
* fix: ensure TOTP verification uses UTC for accurate time comparison
* fix: update recovery code validation logic for disabling TOTP
* test: add unit tests for TOTP functionality and recovery code validation
* chore: format
* feat: add trust_proxy_headers switch for auth rate-limit IP source
* feat: make dashboard auth rate-limit configurable via system settings
Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.
* fix: normalize dashboard client IP from trusted proxy headers
* refactor: encapsulate rate limiter state into registry, add TTL
* feat: show dynamic page title during two-factor verification
* fix: require two-factor verification for protected config saves
* chore: format
* refactor: reorganize TOTP verification UI components for better layout
* refactor: clean up recovery stage UI by removing unused styles and improving label handling
* docs: add TOTP two-factor authentication documentation for WebUI
---------
Co-authored-by: Soulter <905617992@qq.com>
* refactor(ltm): redesign long-term memory with context compaction
- Add raw_records / contexts / summaries data model per group
- Add LLM summary compaction strategy alongside truncation
- Add turn-based (_split_into_rounds) granularity
- Add image caption integration into LTM history
- Add tool_call / tool_result persistence into raw_records
- Add active reply support driven by LTM state
- Improve summary injection prefix with system note and delimiters
- Add info-level logging for summary compaction lifecycle
- Clarify default summary prompt with explicit preserve/drop rules
- Add context_guard for history overflow protection in agent runner
- Add internal agent history compaction in agent_sub_stages
- Add comprehensive LTM unit tests and compaction test suites
* fix(ltm): handle malformed JSON in tool args and clean up lock on session removal
* fix(ltm): guard against duplicate system prompt note injection
* fix(ltm): fall back to user message when internal marker parsing fails
- Treat lines starting with <T:CALL>, <T:RES, or <BOT/ as regular user
messages when their respective parsers return None, instead of silently
dropping them. Defensive guard against malformed internal markers.
* fix(ltm): release session lock during LLM summary generation
* fix(ltm): trim raw_records in handle_message to prevent unbounded growth
* perf(ltm): use len(s) instead of len(s.encode()) in trim loop
Avoid allocating a new bytes object for every string when calculating
buffer size in _trim_raw_records. Character count is sufficient for
the approximate memory cap.
* feat(ltm): make user segment truncation limits configurable
* feat(ltm): pre-fill default LTM summary prompt in config and i18n
* refactor(ltm): hardcode internal segment/trim constants
* refactor(ltm): unify compaction strategy with main agent runner
* feat(ltm): add @mention weight marker for group chat messages
* test: fix test failures from LTM compaction unification
* chore(dashboard): remove obsolete LTM compaction i18n metadata
* chore: shrink codebase
* feat(group-chat): implement group chat context management and related functionality
---------
Co-authored-by: Tsukumi <112180165+Tsukumi233@users.noreply.github.com>
Co-authored-by: zenfun <zenfun510@gmail.com>
Co-authored-by: Soulter <905617992@qq.com>