* refactor: migrate to fastapi
* structure refactor
* fix: pyright fix
* refactor: improve error handling and public messages in plugin services
* feat(api): refactor API client integration and enhance request handling
- Updated API client configuration to use a dedicated HTTP client.
- Introduced utility functions for generating options, queries, and form data for API requests.
- Refactored multiple API methods to utilize the new utility functions for improved consistency and readability.
- Renamed types for clarity and updated import statements accordingly.
feat(docs): add script to update OpenAPI JSON from YAML spec
- Created a Python script to convert OpenAPI YAML specification to JSON format.
- The script supports customizable input and output paths.
- Ensured the script handles directory creation for output paths and validates the YAML structure.
* fix
* feat(auth): implement rate limiting for v1 login endpoint and enhance request handling
* Refactor dashboard API routers to use legacy_router for backward compatibility
- Changed all instances of dashboard_router to legacy_router across multiple API modules including platform, plugins, providers, sessions, skills, stats, subagents, t2i, tools, updates, and asgi_runtime.
- Updated route definitions to ensure existing endpoints remain functional under the new router structure.
- Introduced support for Quart request context in asgi_runtime to enhance compatibility with existing Quart-based plugins.
- Added a test case to validate the functionality of the new Quart request context handling in plugin extensions.
* chore: remove cli test
* fix: update dashboard tests for fastapi migration
* chore: satisfy ruff checks
* fix: update openapi api key scopes
* fix: sync config scope chip selection
* fix: restore quart dependency
* docs: clarify quart plugin api compatibility
* docs: update openapi scope documentation
* fix: use singular skill openapi scope
* fix: hide update service exception details
* fix: address fastapi review comments
* fix: address dashboard review findings
* docs: revert unrelated package deployment changes
* docs: update agent api generation guidance
* feat: add plugin page web api helpers
* docs: add plugin page bridge demo
* fix: type plugin upload files
* fix: stabilize plugin page uploads
* fix: type plugin web request proxy
* docs: remove plugin page docs example
* fix: authenticate plugin page SSE bridge
* fix: unify media reference handling
* fix: accept bare base64 record media refs
* chore: update agents.md
* fix: unify file URI handling across media components and utilities
* fix: unify media reference type handling with MediaRefStr alias
* Potential fix for pull request finding 'CodeQL / Incomplete URL substring sanitization'
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Update astrbot/core/platform/sources/discord/discord_platform_adapter.py
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* fix: unify media handling and improve base64 decoding across components
* fix: simplify client_kwargs type definition and enhance media message handling in platform adapter
* fix: unify media utility documentation and enhance function descriptions
* perf: drop "pilk" requirement, improve audio outbound for tencent-related IM apps which using silk
* fix: unify Tencent Silk audio handling and enhance media resolver functionality
---
- Centralize media reference materialization and base64 resolution for local paths, http(s), base64://, data URIs, and legacy bare base64 payloads.
- Normalize incoming Record audio to wav and Image media to temporary jpg during preprocess, with event-scoped cleanup.
- Reuse the shared media resolver across OpenAI, Gemini, Anthropic, MiMo, DeerFlow, STT, and platform media paths while sanitizing logs and cleaning temporary conversion outputs.
- Ensure generated TTS audio is tracked for cleanup after the event finishes.
fix#8676fix#8543fix#7588fix#7580fix#8030fix#8034fix#7461fix#7565fix#6509fix#7144fix#7795
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* feat: add TOTP two-factor authentication for dashboard login
* fix: ensure TOTP verification uses UTC for accurate time comparison
* fix: update recovery code validation logic for disabling TOTP
* test: add unit tests for TOTP functionality and recovery code validation
* chore: format
* feat: add trust_proxy_headers switch for auth rate-limit IP source
* feat: make dashboard auth rate-limit configurable via system settings
Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.
* fix: normalize dashboard client IP from trusted proxy headers
* refactor: encapsulate rate limiter state into registry, add TTL
* feat: show dynamic page title during two-factor verification
* fix: require two-factor verification for protected config saves
* chore: format
* refactor: reorganize TOTP verification UI components for better layout
* refactor: clean up recovery stage UI by removing unused styles and improving label handling
* docs: add TOTP two-factor authentication documentation for WebUI
---------
Co-authored-by: Soulter <905617992@qq.com>
- Added advanced settings option in update dialog for better user control.
- Implemented detailed progress tracking for update stages including download size and speed.
- Updated localization files for English, Russian, and Chinese to include new strings for update progress and advanced settings.
- Improved UI for update dialog with better layout and responsiveness.
- Enhanced test coverage for update process including progress tracking.
* fix(webui): enforce 12-char dashboard password policy with backend+frontend validation
* fix(i18n): update password policy hints and validation rules for improved security
* test: adapt dashboard auth fixtures for hashed default password
* fix(security): increase PBKDF2 iterations
* feat(auth): implement secure login challenge and proof verification
* chore: ruff format
* fix(auth): update md5 import syntax for consistency
* feat(dashboard): implement random password generation for empty dashboard password
* feat(auth): enforce plaintext password requirement for legacy MD5 hashes
* fix(i18n): update password hint texts to reflect auto-generated initial passwords
* feat(dashboard): implement password change requirement and reset logic
* feat(auth): implement account setup flow and password change requirements
* feat: Implement legacy password support and upgrade mechanism
- Added `hash_legacy_dashboard_password` function for MD5 hashing of passwords.
- Updated configuration handling to store both PBKDF2 and legacy password hashes.
- Introduced logic to check if password storage has been upgraded and if a password change is required.
- Modified dashboard authentication routes to handle legacy password checks and prompts for upgrades.
- Updated frontend to display warnings for legacy password storage and required upgrades.
- Enhanced tests to cover scenarios for legacy password handling and migration to new storage format.
* fix(logo): update text color styles to use CSS variables for consistency
* feat(dashboard): upgrade password storage and enforce change requirement
* fix(dashboard): update minimum password length from 12 to 10 characters
* fix(dashboard): update minimum password length from 10 to 8 characters
---------
Co-authored-by: RC-CHN <1051989940@qq.com>
* fix(provider): fix Anthropic custom headers and system prompt compatibility
- Pass custom_headers via AsyncAnthropic's `default_headers` parameter
instead of creating a separate httpx.AsyncClient. This avoids
`isinstance` check failures when multiple httpx installations exist
on sys.path (e.g. bundled Python + system Python).
- Use list format for the `system` parameter (`[{"type": "text", ...}]`)
instead of a plain string. The list format is supported by the official
Anthropic API and is also compatible with third-party API proxies that
reject the string format.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(provider): fix Anthropic custom headers and system prompt compatibility
- Pass custom_headers via AsyncAnthropic's `default_headers` parameter
instead of creating a separate httpx.AsyncClient. This avoids
`isinstance` check failures when multiple httpx installations exist
on sys.path (e.g. bundled Python + system Python).
- Use list format for the `system` parameter (`[{"type": "text", ...}]`)
instead of a plain string. The list format is supported by the official
Anthropic API and is also compatible with third-party API proxies that
reject the string format.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Add test unit
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add one-line deploy script (deploy-cli.sh) and update cli.md
- Add docs/scripts/deploy-cli.sh for one-command deployment (Linux/macOS/WSL)
- Update docs/zh/deploy/astrbot/cli.md to reference local script
- Replace non-existent https://astrbot.app/deploy.sh with raw.githubusercontent.com URL
- Add local run tip and WSL-based Windows support
* fix: address PR review feedback for deploy-cli.sh
- Replace sort -V with Python-native version check (macOS BSD compat)
- Bump Python requirement from >=3.10 to >=3.12 (match pyproject.toml)
- Detect current directory as project root (avoid nested clone)
- Handle existing non-git directory explicitly
- Add curl dependency check
- Support ASTRBOT_REPO and ASTRBOT_DIR env vars for forks/mirrors
- Update cli.md version description to match
* feat: add Windows PowerShell deploy script and update docs
- Add deploy-cli.ps1 for Windows native environment (PowerShell 7+)
- Update cli.md to document Windows one-liner deployment
- Add local script execution instructions for both bash and ps1
* refactor: standardize log messages and improve clarity in various modules
Co-authored-by: Copilot <copilot@github.com>
* docs: 移除一行命令快速部署部分,简化安装说明
* feat: 添加脚本以复制部署 CLI 文件并更新构建命令
* refactor: 更新日志消息以提高可读性,统一英文提示信息
---------
Co-authored-by: Soulter <905617992@qq.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Weilong Liao <37870767+Soulter@users.noreply.github.com>
* fix: restore T2I text template rendering
- keep using {{ text | safe }} instead of text_base64
- inject Shiki runtime by default for T2I templates
- update built-in templates to read markdown from a hidden textarea
- improve WebUI preview sample text and Shiki runtime serving
- add regression tests for template rendering and runtime injection
* fix: prevent injected Shiki runtime from breaking T2I templates
* fix(t2i): restore raw text template rendering
* test(t2i): remove test
* fix(t2i): restore previewText
* feat: filesystem grep, read, edit file
* feat: add file write tool and enhance file read functionality
* feat: enhance tool prompt formatting and add escaped text decoding for file editing
* feat: remove redundant safe path tests from security restrictions
* feat: implement file read tool with support for text and image files, including validation for large files
* feat: add file read utilities and integrate with filesystem tools
* refactor: move computer tools to builtin tools registry
* refactor: remove unused plugin_context parameter from _apply_sandbox_tools
* feat: supports to display enabled builtin tools in configs
* feat: add tooltip for disabled builtin tools and update localization strings
* feat: add workspace extra prompt handling in message processing
* feat: add ripgrep installation to Dockerfile
* perf: shell executed in workspace dir in local env
* feat: enhance file reading capabilities to support PDF and DOCX parsing, including workspace storage for long documents
* feat: update converted text notice to suggest using grep for large files
* feat: implement handling for large tool results with overflow file writing and read tool integration
* fix: test
* feat: enhance onboarding steps to include computer access configuration and related help information
* feat: add support for additional temporary path in restricted environment checks
* feat: update computer access hints and add detailed configuration instructions
* feat: add audio input support across providers and chatui recording issue fix
- Introduced audio_urls parameter in Provider class and related methods to handle audio input.
- Updated ProviderAnthropic, ProviderGoogleGenAI, and ProviderOpenAIOfficial to process audio URLs.
- Enhanced media_utils with functions to ensure audio format compatibility and detect audio types.
- Modified dashboard components to display audio input support and handle audio attachments in messages.
- Updated localization files to include audio as a supported modality.
- Added new icons for audio input in the dashboard UI.
* feat: enhance audio handling with temporary file cleanup and format support
* feat: track temporary local files for converted audio components
* fix: update image placeholder in prompt from "[图片]" to "[Image]"
* feat(dashboard): add log and cache cleanup in settings
* refactor: simplify storage cleaner log config handling
* fix: Repair abnormal indentation
* fix(storage): harden cleanup config handling
Use typed config value access to avoid treating invalid values as
enabled flags or log paths during storage cleanup.
Also stop exposing raw backend exceptions in the dashboard storage
status API and direct users to server logs for details.
---------
Co-authored-by: RC-CHN <1051989940@qq.com>
* refactor: bundled webui static files into wheel and replace astrbot cli log with English
- Translated and standardized log messages in cmd_conf.py for better clarity.
- Updated initialization logic in cmd_init.py to provide clearer user prompts and error handling.
- Improved plugin management commands in cmd_plug.py with consistent language and error messages.
- Enhanced run command in cmd_run.py with clearer status messages and error handling.
- Updated utility functions in basic.py and plugin.py to improve readability and maintainability.
- Added version comparison logic in version_comparator.py with clearer comments.
- Enhanced logging configuration in log.py to suppress noisy loggers.
- Updated the updater logic in updator.py to provide clearer error messages for users.
- Improved IO utility functions in io.py to handle dashboard versioning more effectively.
- Enhanced dashboard server logic in server.py to prioritize bundled assets and improve user feedback.
- Updated pyproject.toml to include bundled dashboard assets and custom build hooks.
- Added a custom build script (hatch_build.py) to automate dashboard builds during package creation.
* refactor: improve exception messages and formatting in CLI command validation
* perf: change npm install to npm ci for consistent dependency installation
* fix
* fix: resolve unhandled UTC timezone offset for timestamps in conversation records
* fix: standardize timezone imports
* fix: unify UTC datetime normalization in dashboard routes
---------
Co-authored-by: 邹永赫 <1259085392@qq.com>
* feat: add stop functionality for active agent sessions and improve handling of stop requests
* feat: update stop button icon and tooltip in ChatInput component
* fix: correct indentation in tool call handling within ChatRoute class
* ci: remove Electron desktop build from release pipeline
* chore: remove electron desktop and switch to tauri release trigger
* ci: remove desktop workflow dispatch trigger
* refactor: migrate data paths to astrbot_path helpers
* fix: point desktop update prompt to AstrBot-desktop releases