545 Commits

Author SHA1 Message Date
Haoran Xu
e7b9e32242 fix: add catch-all Exception handler for dashboard API (#9271) 2026-07-15 15:38:17 +08:00
Haoran Xu
efd08c8557 fix: skills download archive filename mismatch with versioned skill names (#9270) 2026-07-15 15:35:37 +08:00
Soulter
6070da9ae2 fix: resume ChatUI streams after refresh (#9259)
* fix: resume ChatUI streams after refresh

* fix: hide chat run service errors

* fix: harden resumed chat streams
2026-07-13 23:05:03 +08:00
VectorPeak
a957b2e5dc fix: return HTTP errors for failed skill downloads (#9213)
* fix: return HTTP errors for failed skill downloads

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix: harden skill archive error responses

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix: use structured skill archive status codes

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

---------

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-07-12 16:04:12 +08:00
VectorPeak
dcc40ede1d fix: validate dashboard account username updates (#9175)
Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-07-08 00:27:52 +08:00
Fiber
56326c7551 fix: serialize webchat history timestamps as UTC-aware ISO strings (#9159)
ChatService serialized PlatformMessageHistory records via bare model_dump(),
causing created_at/updated_at to be emitted as naive ISO strings without a
timezone suffix. The frontend new Date() parses such strings as local time
per ES2015+, so UTC values were displayed as-is instead of converted.

Add serialize_history_entry helper and apply it to get_session, get_thread,
and update_message. This matches the SSE real-time path and session list
path, ensuring the frontend consistently receives ISO strings with the
+00:00 suffix across all code paths.
2026-07-06 21:12:29 +08:00
Weilong Liao
18e067fab1 fix: keep model metadata separate from providers (#9161) 2026-07-06 21:10:57 +08:00
Weilong Liao
6627fd53c2 feat: show model metadata in selectors
Surface cached model metadata in model/provider selectors, show neutral capability/context badges, and add provider test actions.
2026-07-06 20:38:30 +08:00
LIghtJUNction
30426c4f67 fix: secure project update temp staging (#9083)
* fix: secure project update temp staging

* Update astrbot/dashboard/services/update_service.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix: close update staging temp context

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-07-05 09:49:11 +08:00
VectorPeak
041fba4df4 fix: enforce ownership when reading ChatUI sessions (#9141) 2026-07-05 09:34:38 +08:00
Weilong Liao
b43cc6dee0 feat: improve ChatUI attachment display (#9134) 2026-07-04 17:56:33 +08:00
lxfight
ea9e3421d9 fix: align knowledge base CRUD API contract with kb_name, canonical payload fields, and matching OpenAPI types (#9000)
Warning: Potential breaking changes in /kb related openapi.

* fix(kb): align CRUD API contract end-to-end

Unify knowledge base create/update/list with kb_name, canonical_payload,
optional list pagination with total, and matching OpenAPI plus dashboard types.

* fix: restore _model_dict references, add KnowledgeBaseCreateRequest, fix OpenAPI allOf validation

- Replace 3 remaining _model_dict() calls with payload.model_dump(exclude_none=True)
- Add KnowledgeBaseCreateRequest schema with required kb_name + embedding_provider_id
- Remove additionalProperties: false from OpenAPI allOf sub-schema to avoid validation failures
- Use Pydantic Field(alias="name") + populate_by_name=True for legacy name migration
- Delegate _canonical_kb_payload to KnowledgeBaseRequest to eliminate duplicated logic
- Add getattr default None for update_kb to prevent AttributeError
- Add validation error tests: missing kb_name, missing embedding_provider_id

* fix: address knowledge base contract follow-ups

* fix: preserve knowledge base create error shape
2026-07-03 22:18:56 +08:00
Weilong Liao
e7d5be632f feat: add ChatUI project workspaces (#9066)
* feat: add ChatUI project workspaces

* feat: refine chatui layout

* feat: enhance chat input and project view styles for attachment handling

* feat: adjust chat sidebar brand logo positioning

* feat: enhance project dialog with error handling and loading state
2026-07-03 21:54:20 +08:00
Weilong Liao
1e3b12acc9 fix: preserve webhook callback responses
Preserve raw webhook callback responses and fix QQ webhook validation handling.
2026-07-03 00:25:09 +08:00
Marshall
ea19be1d06 fix: wecom adapter returning json instead of plain text (#9107)
* Fix wecom adapter returning json instead of plain text

* Fix handle_verify return class
2026-07-02 23:27:08 +08:00
エイカク
b673cb375f fix: guard desktop-managed core restart (#9098) 2026-07-02 11:21:02 +09:00
lxfight
758e43273d fix: paginate knowledge base dashboard lists (#9055)
* fix: paginate knowledge base dashboard lists

* fix: preserve knowledge document search pagination
2026-06-28 14:00:45 +08:00
Weilong Liao
3d4c4ed01b fix: validate plugin install sources (#9061) 2026-06-28 13:45:59 +08:00
Weilong Liao
0ef790d289 fix: track plugin install source for updates (#9037)
* fix: track plugin install source for updates

* feat: refine plugin source management flow

* test: align plugin update expectation
2026-06-27 15:02:04 +08:00
Lovely Moe Moli
110cc8736c fix: 'DashboardRequest' object has no attribute 'get_data' (#9021) (#9023) 2026-06-26 22:04:29 +08:00
Weilong Liao
c6b2c65b04 fix: preserve image formats in media handling (#9019)
* fix: preserve image formats in media handling

* fix: address image format review feedback

* fix: avoid tainted image temp path rename
2026-06-26 11:27:32 +08:00
FuShang114
b7cadfe704 fix: allow plugin page asset token fallback (#8970)
Co-authored-by: beidou-lab-macmini <beidou-lab-macmini@beidou-lab-macminideMac-mini.local>
2026-06-24 22:11:49 +08:00
Weilong Liao
421d718041 feat: show public version details on login (#8986)
* feat: show public version details on login

* fix: address login version review feedback
2026-06-24 21:46:29 +08:00
Weilong Liao
967ed01cf7 fix: add data scope to api keys (#8985) 2026-06-24 16:37:46 +08:00
VectorPeak
3c7956e8c8 fix: prevent path traversal in plugin upload filenames (#8968) 2026-06-24 15:55:53 +08:00
VectorPeak
5266d170a3 fix: prevent path traversal vulnerability in knowledge base upload filenames (#8971) 2026-06-24 15:55:01 +08:00
lingyun14
42ca89d6c8 fix: 修复提供商源修改 ID 后保存被静默还原的问题 (#8915)
* Update schemas.py

* Update schemas.py
2026-06-21 11:55:54 +08:00
Soulter
a7533aacda fix: fall back to stale WebUI when repair fails 2026-06-20 00:01:29 +08:00
Weilong Liao
1b0f5cb0d3 fix: keep WebUI assets in sync with core version (#8901)
* fix: keep WebUI assets in sync with core version

* fix: import dashboard version before bundled fallback

* fix: remove stale WebUI dist robustly
2026-06-19 22:46:38 +08:00
Weilong Liao
49b86320cb docs: clarify OpenAPI chat username identity (#8880) 2026-06-18 23:17:50 +08:00
Weilong Liao
264e7eaaa3 fix: restore OpenAPI file uploads
Expose /api/v1/file in OpenAPI, enable file-scoped API keys, and regenerate docs/client artifacts.
2026-06-18 12:37:38 +08:00
Weilong Liao
19864b3f85 fix: recover interrupted dashboard upgrades 2026-06-17 22:48:47 +08:00
Weilong Liao
55af880369 feat(qqofficial): allow QQ Official Webhook adapters to proactively send group messages without requiring a cached msg_id (#8841)
* feat(qqofficial): support webhook QR setup

* docs(qqofficial): simplify webhook QR setup step
2026-06-17 21:13:05 +08:00
Weilong Liao
fda5161451 fix: preserve persona default tool selection
Fix https://github.com/AstrBotDevs/AstrBot/issues/8828
2026-06-17 11:08:46 +08:00
Weilong Liao
f1854df620 feat: add qq official qr binding
Add QQ Official Bot QR binding registration flow for the WebSocket adapter, wire dashboard credential autofill, and mark the WebSocket template as recommended.
2026-06-16 19:08:41 +08:00
Weilong Liao
5566bd621c feat: reorganize settings system configuration (#8777)
* feat: reorganize settings system configuration

* fix: float system config restart notice

* fix: blur system config restart notice

* fix: tint restart notice blur background

* fix: allow totp setup without body

* fix: filter public openapi docs

* fix: handle settings autosave cleanup

* chore: ui
2026-06-16 11:03:42 +08:00
Weilong Liao
dd46cce09e fix: make project update flow atomic (#8805)
* fix: make project update flow atomic

* fix: address atomic update review feedback

* fix: show update success after restart

* fix: prevent update progress reset during restart

* fix: align update success feedback styling
2026-06-15 23:32:29 +08:00
Weilong Liao
a938620467 fix: avoid WebUI ready banner when assets missing (#8804) 2026-06-15 22:59:40 +08:00
Weilong Liao
0d8e8682db refactor(core): migrate backend backbone from Quart to FastAPI and introduce more OpenAPI (#8688)
* refactor: migrate to fastapi

* structure refactor

* fix: pyright fix

* refactor: improve error handling and public messages in plugin services

* feat(api): refactor API client integration and enhance request handling

- Updated API client configuration to use a dedicated HTTP client.
- Introduced utility functions for generating options, queries, and form data for API requests.
- Refactored multiple API methods to utilize the new utility functions for improved consistency and readability.
- Renamed types for clarity and updated import statements accordingly.

feat(docs): add script to update OpenAPI JSON from YAML spec

- Created a Python script to convert OpenAPI YAML specification to JSON format.
- The script supports customizable input and output paths.
- Ensured the script handles directory creation for output paths and validates the YAML structure.

* fix

* feat(auth): implement rate limiting for v1 login endpoint and enhance request handling

* Refactor dashboard API routers to use legacy_router for backward compatibility

- Changed all instances of dashboard_router to legacy_router across multiple API modules including platform, plugins, providers, sessions, skills, stats, subagents, t2i, tools, updates, and asgi_runtime.
- Updated route definitions to ensure existing endpoints remain functional under the new router structure.
- Introduced support for Quart request context in asgi_runtime to enhance compatibility with existing Quart-based plugins.
- Added a test case to validate the functionality of the new Quart request context handling in plugin extensions.

* chore: remove cli test

* fix: update dashboard tests for fastapi migration

* chore: satisfy ruff checks

* fix: update openapi api key scopes

* fix: sync config scope chip selection

* fix: restore quart dependency

* docs: clarify quart plugin api compatibility

* docs: update openapi scope documentation

* fix: use singular skill openapi scope

* fix: hide update service exception details

* fix: address fastapi review comments

* fix: address dashboard review findings

* docs: revert unrelated package deployment changes

* docs: update agent api generation guidance

* feat: add plugin page web api helpers

* docs: add plugin page bridge demo

* fix: type plugin upload files

* fix: stabilize plugin page uploads

* fix: type plugin web request proxy

* docs: remove plugin page docs example

* fix: authenticate plugin page SSE bridge
2026-06-14 15:03:26 +08:00
Ruochen Pan
ae44b912fc feat(dashboard): add per-tool permission management for function tools (#8693)
* feat(func-tool): add per-tool permission management

* feat(dashboard): add permission column to function tool table

* refactor(dashboard): encapsulate tool actions into composable and unify permission UI

* style: format code

* fix: guard sync handler, simplify sp access, skip builtin instantiation
2026-06-09 14:47:41 +08:00
lxfight
65fe0574b9 feat: sync dashboard theme to plugin pages (#8390)
* feat(plugin): pass theme through plugin page asset URLs and initial context

Add theme query parameter propagation through the plugin page asset pipeline
so that the bridge SDK initial context includes isDark.

* feat(plugin): inject data-theme and color-scheme into plugin page HTML

Set data-theme on <html> and add color-scheme meta tag server-side
to prevent flash when entering plugin pages in dark mode.

* feat(webui): add isDark getter to customizer store

* feat(webui): sync theme to plugin iframe via URL param and postMessage

Append theme query parameter to iframe src URL and include isDark
in the postMessage context. Watch uiTheme changes to re-send context.

* feat(bridge): auto-apply data-theme from context in plugin bridge SDK

Set data-theme attribute on document.documentElement when context
includes isDark, enabling live theme switching via postMessage.

* docs: add light/dark theme adaptation guide for plugin pages

Add theme adaptation section to existing plugin-pages docs in both
Chinese and English, covering CSS variables and onContext() usage.

* test: add theme sync tests for plugin page bridge and content

Verify isDark in bridge SDK initial context with various theme params,
and verify data-theme and color-scheme injection in rewritten HTML.

* fix(plugin): use case-insensitive regex for head tag in HTML rewrite

Replace string match for <head> with case-insensitive regex to handle
uppercase tags and tags with attributes, preventing duplicate injection
of color-scheme meta tag.

* refactor(webui): generalize isDark getter to support any dark theme

Replace hardcoded PurpleThemeDark check with suffix-based detection
so all dark theme variants are recognized automatically.

* refactor(plugin): extract theme helpers for HTML rewriting

Extract _get_request_theme and _apply_theme_to_html to eliminate
duplicate theme-parsing logic and isolate HTML mutation. Use case-
insensitive regex for head tag detection to prevent duplicate
injection when tags use mixed casing.

* style: apply ruff formatting to plugin page tests

Wrap long function call lines for consistency with project style.

* fix(plugin): handle existing data-theme and case-sensitive fallback in HTML rewrite

Strip any existing data-theme attribute before adding the new one to
prevent duplicate attributes. Use case-insensitive regex for the
<head> fallback insertion to avoid corrupting <html> tag attributes.

* fix(webui): add null guard to isDark getter

Guard against undefined uiTheme to prevent TypeError when the
theme config has not been initialized.

* fix(webui): centralize theme mapping and preserve hash in plugin page URL

Extract themeParam computed to avoid drift between URL and context.
Include hash fragment in iframe URL to support SPA hash routing.

* fix(webui): address CR feedback - deduplicate color-scheme meta, harden isDark getter, consolidate theme source

- _apply_theme_to_html: strip existing color-scheme meta before injecting to
  avoid duplicates; merge data-theme strip+add into single-pass regex callback
- customizer.ts: replace brittle endsWith('Dark') with explicit theme name check
- _rewrite_plugin_page_html: use _get_request_theme() directly instead of
  reading theme from extra_query_params

* fix(webui): 简化 isDark 推导、优化查询参数构建、使用暗色主题集合

- isDark 推导简化为 theme == "dark"(None == "dark" 为 False,去掉多余三元表达式)
- _prepare_plugin_page_query_params 改为线性构建,先计算再构建字典
- isDark getter 改用显式 DARK_THEMES Set,替代硬编码单值比较

---------

Co-authored-by: lxfight <lxfight@192.168.5.50>
2026-06-06 00:35:47 +08:00
Weilong Liao
7e22a07e0d feat: introduce a command /name to name a umo, and display in ui (#8575)
* feat: introduce a command /name to name a umo, and display in ui

* docs: add docs

* fix

* fix test

* fix: test
2026-06-05 19:09:48 +08:00
Weilong Liao
24f568b149 feat: future task UI (#8559)
* feat: future task UI

* fix: update filter label for UMO in English and Chinese locales

* feat: enhance cron job management with delivery target handling and UI improvements

* fix: update session label to indicate optional delivery target

* feat: add tooltip for last run time and error in cron job display
2026-06-03 22:02:59 +08:00
lxfight
e5d7b43090 fix(dashboard): relax frame security headers when running under launcher (#8554)
* fix(dashboard): relax frame security headers when running under launcher

When AstrBot is launched by the AstrBot Launcher, the dashboard is
embedded in a cross-origin iframe (the Tauri webview).  The plugin page
responses set X-Frame-Options: SAMEORIGIN and CSP frame-ancestors
'self', both of which inspect the *entire* ancestor chain — not just the
immediate parent.  Because the top-level Tauri webview has a different
origin, these headers block the plugin page from loading inside the
nested iframe, resulting in 'localhost refused to connect'.

Fix: skip the restrictive frame headers when ASTRBOT_LAUNCHER=1 is set,
which the launcher already injects as an environment variable.  Other
security measures (iframe sandbox, JWT asset_token, postMessage bridge)
remain in place.

* fix(dashboard): preserve object-src and base-uri CSP directives under launcher

Keep object-src 'none' and base-uri 'self' in the CSP header even when
ASTRBOT_LAUNCHER is set.  Only frame-ancestors and X-Frame-Options need
to be relaxed because the Tauri webview is a cross-origin ancestor.

* fix(dashboard): tighten ASTRBOT_LAUNCHER check and always emit CSP

Use explicit value check ('1' / 'true') instead of truthiness for the
ASTRBOT_LAUNCHER env var.  Always emit a Content-Security-Policy header
and only conditionally prepend frame-ancestors 'self' — this keeps
object-src 'none' and base-uri 'self' active under the launcher.
2026-06-03 18:42:15 +08:00
鸦羽
e8d13af5b9 feat: add TOTP two-factor authentication for dashboard login (#8189)
* feat: add TOTP two-factor authentication for dashboard login

* fix: ensure TOTP verification uses UTC for accurate time comparison

* fix: update recovery code validation logic for disabling TOTP

* test: add unit tests for TOTP functionality and recovery code validation

* chore: format

* feat: add trust_proxy_headers switch for auth rate-limit IP source

* feat: make dashboard auth rate-limit configurable via system settings

Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.

* fix: normalize dashboard client IP from trusted proxy headers

* refactor: encapsulate rate limiter state into registry, add TTL

* feat: show dynamic page title during two-factor verification

* fix: require two-factor verification for protected config saves

* chore: format

* refactor: reorganize TOTP verification UI components for better layout

* refactor: clean up recovery stage UI by removing unused styles and improving label handling

* docs: add TOTP two-factor authentication documentation for WebUI

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-06-01 16:40:29 +08:00
Misaka Mikoto
90a3a2171a fix: Template config optimization (#8228)
* fix: improve template list config handling

* feat(webui): show template list display item

* feat(webui): allow hiding template list hints

* docs: document template list metadata fields

* fix: support file fields in template list configs
2026-05-30 22:13:09 +08:00
Soulter
61b6813dc7 fix(docs): update download link for dashboard zip file in FAQ 2026-05-30 14:49:44 +08:00
Soulter
9fc03fa95e chore: remove useless logs
closes: #8142
2026-05-30 14:45:56 +08:00
elecvoid243
adae1f3598 fix(command-suggestion): support custom wake-up words & hover information (#8353)
* feature: add command suggestion for ChatUI

* feat(chat): add focus functionality to chat input after sending messages

* feat(llm): add error handling for LLM provider selection failures

* feat(command-suggestion): enhance command filtering and sorting logic

* fix(command-suggestion): support custom wake-up words & hover information

* ruff

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-05-29 01:17:32 +08:00
Waterwzy
e087b9def3 fix(plugin): plugin name in the marketplace does not match the local plugin (#8276)
* fix: plugin name in the marketplace does not match the local plugin

* chore: update test

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* chore: reformat code

* Clean up unused variables in useExtensionPage.js

Removed unused sets for installed repositories and names.

* fix: 统一repo匹配逻辑,移除fallback

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-05-29 01:02:51 +08:00