Commit Graph

211 Commits

Author SHA1 Message Date
Soulter
598a739bab fix: improve WebUI update stability 2026-06-21 16:40:11 +08:00
Weilong Liao
66ec415e56 fix: restrict local file paths in message tools (#8660)
* fix: restrict local file paths in message tool

* Update astrbot/core/tools/message_tools.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix: rf

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-06-08 01:20:47 +08:00
Soulter
05c137eb29 fix: qq official webhook mode can not restart normally 2026-06-07 18:10:45 +08:00
Copilot
1a04998787 perf: handle Anthropic usage=None on content-filtered responses (#8647)
* Initial plan

* fix: handle missing anthropic usage on filtered responses

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-06-07 15:29:22 +08:00
Weilong Liao
c7e9d5b481 fix: Prevent duplicate web search citation prompts from being repeatedly appended to the system message after multiple tool invocations in a single interaction (#8642) 2026-06-07 12:23:03 +08:00
Weilong Liao
bdc32bb78c Revert "fix: retry provider stats on sqlite lock" (#8639)
This reverts commit 1ad2b2c385.
2026-06-07 10:51:27 +08:00
Weilong Liao
c70a1924fe Revert "fix SQLAlchemy compatibility issues on macOS" (#8638)
* Revert "fix SQLAlchemy compatibility issues on macOS (#7724)"

This reverts commit 2d78626840.

* fix

* chore: add busy timeout pragma
2026-06-07 10:50:33 +08:00
Weilong Liao
ef53a933ec fix: keep DingTalk stream reconnecting (#8610)
* fix: keep DingTalk stream reconnecting

* fix
2026-06-06 00:46:37 +08:00
lxfight
65fe0574b9 feat: sync dashboard theme to plugin pages (#8390)
* feat(plugin): pass theme through plugin page asset URLs and initial context

Add theme query parameter propagation through the plugin page asset pipeline
so that the bridge SDK initial context includes isDark.

* feat(plugin): inject data-theme and color-scheme into plugin page HTML

Set data-theme on <html> and add color-scheme meta tag server-side
to prevent flash when entering plugin pages in dark mode.

* feat(webui): add isDark getter to customizer store

* feat(webui): sync theme to plugin iframe via URL param and postMessage

Append theme query parameter to iframe src URL and include isDark
in the postMessage context. Watch uiTheme changes to re-send context.

* feat(bridge): auto-apply data-theme from context in plugin bridge SDK

Set data-theme attribute on document.documentElement when context
includes isDark, enabling live theme switching via postMessage.

* docs: add light/dark theme adaptation guide for plugin pages

Add theme adaptation section to existing plugin-pages docs in both
Chinese and English, covering CSS variables and onContext() usage.

* test: add theme sync tests for plugin page bridge and content

Verify isDark in bridge SDK initial context with various theme params,
and verify data-theme and color-scheme injection in rewritten HTML.

* fix(plugin): use case-insensitive regex for head tag in HTML rewrite

Replace string match for <head> with case-insensitive regex to handle
uppercase tags and tags with attributes, preventing duplicate injection
of color-scheme meta tag.

* refactor(webui): generalize isDark getter to support any dark theme

Replace hardcoded PurpleThemeDark check with suffix-based detection
so all dark theme variants are recognized automatically.

* refactor(plugin): extract theme helpers for HTML rewriting

Extract _get_request_theme and _apply_theme_to_html to eliminate
duplicate theme-parsing logic and isolate HTML mutation. Use case-
insensitive regex for head tag detection to prevent duplicate
injection when tags use mixed casing.

* style: apply ruff formatting to plugin page tests

Wrap long function call lines for consistency with project style.

* fix(plugin): handle existing data-theme and case-sensitive fallback in HTML rewrite

Strip any existing data-theme attribute before adding the new one to
prevent duplicate attributes. Use case-insensitive regex for the
<head> fallback insertion to avoid corrupting <html> tag attributes.

* fix(webui): add null guard to isDark getter

Guard against undefined uiTheme to prevent TypeError when the
theme config has not been initialized.

* fix(webui): centralize theme mapping and preserve hash in plugin page URL

Extract themeParam computed to avoid drift between URL and context.
Include hash fragment in iframe URL to support SPA hash routing.

* fix(webui): address CR feedback - deduplicate color-scheme meta, harden isDark getter, consolidate theme source

- _apply_theme_to_html: strip existing color-scheme meta before injecting to
  avoid duplicates; merge data-theme strip+add into single-pass regex callback
- customizer.ts: replace brittle endsWith('Dark') with explicit theme name check
- _rewrite_plugin_page_html: use _get_request_theme() directly instead of
  reading theme from extra_query_params

* fix(webui): 简化 isDark 推导、优化查询参数构建、使用暗色主题集合

- isDark 推导简化为 theme == "dark"(None == "dark" 为 False,去掉多余三元表达式)
- _prepare_plugin_page_query_params 改为线性构建,先计算再构建字典
- isDark getter 改用显式 DARK_THEMES Set,替代硬编码单值比较

---------

Co-authored-by: lxfight <lxfight@192.168.5.50>
2026-06-06 00:35:47 +08:00
Weilong Liao
7e22a07e0d feat: introduce a command /name to name a umo, and display in ui (#8575)
* feat: introduce a command /name to name a umo, and display in ui

* docs: add docs

* fix

* fix test

* fix: test
2026-06-05 19:09:48 +08:00
エイカク
1ad2b2c385 fix: retry provider stats on sqlite lock
Retry transient SQLite lock failures when persisting internal provider stats.
2026-06-04 19:24:12 +09:00
Foolllll
1daa0e3367 fix(compress): improve context compression, improve kv-cache rate of context compression, handle compression model modalities (#8530)
* fix(context): restore turn cap, serialize content parts and tool calls for llm compress, fix AftCompact debug log

Three context-compaction regression fixes after #8226:

1. Restore max_context_length -> enforce_max_turns propagation so
   normal turn-based truncation works again.
2. Serialize ContentPart and ToolCall objects into plain dicts in
   _message_to_dict so llm_compress no longer fails with JSON
   serialization errors.
3. Print _provider_messages (compacted) instead of run_context.messages
   (unchanged) in AftCompact debug log; truncate long role lists to
   first4,...,last4 to avoid log spam.

Assertions in tests are also hardened to avoid coupling to exact prompt
wording.

* fix(tool_loop_agent_runner): simplify context handling by removing redundant provider messages

* fix(tool_loop_agent_runner): rename context manager variables for clarity

* fix: update context compression to use recent token ratio instead of fixed count

* fix: enhance LLMSummaryCompressor to sanitize contexts and improve message handling

* ruff format

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-06-03 17:40:05 +08:00
Ruochen Pan
d2f5551513 fix(ltm): prevent wake commands from being recorded as group chat context (#8536)
* fix(ltm): prevent wake commands from being recorded as group chat context

* test: fix mock event get_extra return value in group context wiring tests

* test: strengthen group context mock and add slash-command skip test
2026-06-03 09:25:01 +08:00
C₂₂H₂₅NO₆
4b097011cf fix(core): Fix image delivery to the model by treating empty modalities as unconfigured (#8451)
* fix(core): 将空 list modalities 视为未配置,修复图片无法传递到模型的问题

migra_helper 将未配置的 modalities 迁移为空 list [],而新增的
_provider_supports_modality()、_assemble_request_context_for_provider()、
_should_fix_modalities_for_provider()、_func_tool_for_provider() 四个函数
对 [] 和 None 的处理不一致,导致所有未在 WebUI 手动配置 modalities 的
provider 无法传递图片、引用图片被跳过、工具被错误清除。

修改策略:将 [] 与 None 统一视为未配置状态,保持向后兼容。
仅在 modalities 为非空 list 时才启用过滤和修复逻辑。

- _provider_supports_modality: [] 返回 True,默认支持
- _assemble_request_context_for_provider: [] 不过滤图片
- _should_fix_modalities_for_provider: [] 不触发历史上下文修复
- _func_tool_for_provider: [] 不清除工具

复现脚本已确认 Bug 不再复现,82 个相关单元测试全部通过。

* fix(core): 补充修复 tool loop 中 cached images 的 modalities 判断

上一笔 commit 遗漏了 tool_loop_agent_runner.py 第 917 行对
cached images 的 modalities 检查,当 modalities=[] 时,tool call
返回的图片不会被追加到消息中,导致模型看不到 tool 结果中的图片。

修复方式与主修复一致:not modalities or image in modalities

复现脚本和 82 个单元测试全部通过。

* test: 补充 fake_save_image mock 缺少的 mime_type 字段

修复 modalities=[] 导致 cached images 分支变为可达后,暴露
了 test_tool_result_includes_all_calltoolresult_content 中
fake_save_image mock 不完整的问题:返回的 SimpleNamespace
缺少 mime_type 属性,而实际 tool_image_cache.save_image()
始终包含该字段。

---------

Co-authored-by: C₂₂H₂₅NO₆ <Sisyphbaous-DT-Project@users.noreply.github.com>
2026-06-02 08:53:59 +08:00
NayukiChiba
7d45a247d5 fix(message): Fix private message sending failure caused by extra fields in Reply component's toDict method (#8477)
- Reply.toDict() 继承 BaseMessageComponent.toDict() 会将所有非 None 默认字段序列化,导致 OneBot V11 reply 段包含多余字段,引起私聊引用回复失败(message not found)
- 重写 Reply.toDict() 方法,仅返回 {"type": "reply", "data": {"id": str(self.id)}},符合协议标准
- 新增 tests/unit/test_aiocqhttp_reply.py,覆盖 Reply.toDict() 输出格式、_parse_onebot_json 路径及私聊发送场景的验证
2026-06-02 08:40:55 +08:00
鸦羽
e8d13af5b9 feat: add TOTP two-factor authentication for dashboard login (#8189)
* feat: add TOTP two-factor authentication for dashboard login

* fix: ensure TOTP verification uses UTC for accurate time comparison

* fix: update recovery code validation logic for disabling TOTP

* test: add unit tests for TOTP functionality and recovery code validation

* chore: format

* feat: add trust_proxy_headers switch for auth rate-limit IP source

* feat: make dashboard auth rate-limit configurable via system settings

Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.

* fix: normalize dashboard client IP from trusted proxy headers

* refactor: encapsulate rate limiter state into registry, add TTL

* feat: show dynamic page title during two-factor verification

* fix: require two-factor verification for protected config saves

* chore: format

* refactor: reorganize TOTP verification UI components for better layout

* refactor: clean up recovery stage UI by removing unused styles and improving label handling

* docs: add TOTP two-factor authentication documentation for WebUI

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-06-01 16:40:29 +08:00
Misaka Mikoto
90a3a2171a fix: Template config optimization (#8228)
* fix: improve template list config handling

* feat(webui): show template list display item

* feat(webui): allow hiding template list hints

* docs: document template list metadata fields

* fix: support file fields in template list configs
2026-05-30 22:13:09 +08:00
Weilong Liao
0da17485bd fix(plugin_manager): improve plugin state cleanup and add tests for unbinding and loading plugins (#8441)
fixes: #8439
2026-05-30 18:45:33 +08:00
NayukiChiba
bd597859f3 fix(provider): 修复 base64:// 图片引用的 MIME 类型声明不准确问题 (#8177)
- 新增 `_detect_image_format` 方法,使用 Pillow verify() 检测图片真实格式,避免完整解码像素带来的额外开销
- 新增 `_base64_image_ref_to_data_url` 方法,将 base64:// 引用转换为携带真实 MIME 类型的 data URL,修复 PNG/GIF/WebP 等图片被错误声明为 image/jpeg 的问题
- 提取 `_IMAGE_FORMAT_MIME_TYPES` 类常量和 `_image_format_to_mime_type` 方法,统一本地文件与 base64:// 引用的格式映射逻辑,新增 TIFF/AVIF 格式支持
- 新增单元测试 `test_resolve_image_part_preserves_base64_png_mime_type`,覆盖 PNG 图片 MIME 类型正确声明的场景

Closes #8174
2026-05-30 17:26:36 +08:00
Ruochen Pan
95d80578bf refactor(ltm): redesign long-term memory with context compaction (reopen of #8144) (#8226)
* refactor(ltm): redesign long-term memory with context compaction

- Add raw_records / contexts / summaries data model per group
- Add LLM summary compaction strategy alongside truncation
- Add turn-based (_split_into_rounds) granularity
- Add image caption integration into LTM history
- Add tool_call / tool_result persistence into raw_records
- Add active reply support driven by LTM state
- Improve summary injection prefix with system note and delimiters
- Add info-level logging for summary compaction lifecycle
- Clarify default summary prompt with explicit preserve/drop rules
- Add context_guard for history overflow protection in agent runner
- Add internal agent history compaction in agent_sub_stages
- Add comprehensive LTM unit tests and compaction test suites

* fix(ltm): handle malformed JSON in tool args and clean up lock on session removal

* fix(ltm): guard against duplicate system prompt note injection

* fix(ltm): fall back to user message when internal marker parsing fails

- Treat lines starting with <T:CALL>, <T:RES, or <BOT/ as regular user
  messages when their respective parsers return None, instead of silently
  dropping them. Defensive guard against malformed internal markers.

* fix(ltm): release session lock during LLM summary generation

* fix(ltm): trim raw_records in handle_message to prevent unbounded growth

* perf(ltm): use len(s) instead of len(s.encode()) in trim loop

Avoid allocating a new bytes object for every string when calculating
buffer size in _trim_raw_records. Character count is sufficient for
the approximate memory cap.

* feat(ltm): make user segment truncation limits configurable

* feat(ltm): pre-fill default LTM summary prompt in config and i18n

* refactor(ltm): hardcode internal segment/trim constants

* refactor(ltm): unify compaction strategy with main agent runner

* feat(ltm): add @mention weight marker for group chat messages

* test: fix test failures from LTM compaction unification

* chore(dashboard): remove obsolete LTM compaction i18n metadata

* chore: shrink codebase

* feat(group-chat): implement group chat context management and related functionality

---------

Co-authored-by: Tsukumi <112180165+Tsukumi233@users.noreply.github.com>
Co-authored-by: zenfun <zenfun510@gmail.com>
Co-authored-by: Soulter <905617992@qq.com>
2026-05-30 17:16:36 +08:00
NayukiChiba
8353fe1608 fix(anthropic): Anthropic API tool_choice schema conversion (#8328)
* fix(anthropic): 修复 Anthropic API tool_choice 格式转换及参数支持

- 将 tool_choice 从简单的 auto/required 逻辑改为遵循 Anthropic API 规范,支持 auto/any/none/tool 四种原生值
- 兼容 OpenAI 风格的 tool_choice="required",自动映射为 {"type": "any"}
- 允许直接传入 dict 类型的 tool_choice 以实现指定工具调用
- 更新 text_chat 和 stream_chat 入口的参数类型标注,扩大可接收的 tool_choice 类型
- 新增 tool_choice 格式转换的单元测试,覆盖各类输入场景

Closes #8319

* Clean up test cases and remove unused mocks

Removed unused mock classes and tests for tool_choice conversion.

* fix(anthropic): 修复 Anthropic API tool_choice="tool" 参数处理及重构格式转换逻辑

- 提取静态方法 _normalize_tool_choice 统一处理 tool_choice 格式转换,消除重复代码
- 处理字符串 "tool" 值时,因无法指定具体工具名而回退为 auto 并记录警告,避免无效请求
- 在 _query 和 _stream_query 中采用默认值 auto 并应用规范化逻辑,确保一致性

* test(anthropic): 添加空工具集时跳过工具参数设置的测试

- 新增 _EmptyToolSet 模拟类,模拟无工具场景
- 新增测试用例 test_tool_choice_empty_tool_list_skips_tool_choice
- 验证当 ToolSet 存在但工具列表为空时,请求不包含 tools 和 tool_choice 参数
- 完善边缘情况测试覆盖,确保与现有逻辑一致

* style: ruff 格式化一下

---------

Co-authored-by: Weilong Liao <37870767+Soulter@users.noreply.github.com>
2026-05-30 13:44:45 +08:00
Waterwzy
e087b9def3 fix(plugin): plugin name in the marketplace does not match the local plugin (#8276)
* fix: plugin name in the marketplace does not match the local plugin

* chore: update test

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update astrbot/dashboard/routes/plugin.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* chore: reformat code

* Clean up unused variables in useExtensionPage.js

Removed unused sets for installed repositories and names.

* fix: 统一repo匹配逻辑,移除fallback

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-05-29 01:02:51 +08:00
千岚之夏
022a5dd9f8 fix: prevent duplicate processing of quoted images by multimodal main providers when no dedicated image caption provider is configured (#8401)
Co-authored-by: C₂₂H₂₅NO₆ <Sisyphbaous-DT-Project@users.noreply.github.com>
Co-authored-by: Soulter <905617992@qq.com>
2026-05-29 00:54:36 +08:00
liuwanwan
8b16e4d6c9 fix: sanitize file name in file component (#8318)
* fix: sanitize remote file component names

* fix: handle windows-invalid file names

* test: cover windows-invalid file names

---------

Co-authored-by: liuwanwan1 <243261597+liuwanwan1@users.noreply.github.com>
2026-05-28 08:20:11 +08:00
Yufeng He
26e867cc6d fix(core): route image requests to vision fallback (#8089) 2026-05-27 22:21:55 +08:00
NayukiChiba
85f9c4dff8 fix(mimo): 修复voice design模型请求中包含无效voice参数的问题 (#8326)
* fix(mimo): 修复voice design模型请求中包含无效voice参数的问题

- voice design模型不支持audio.voice参数,之前统一添加导致请求可能出错
- 在构建请求payload时根据模型名称动态决定是否包含voice字段
- 增加单元测试覆盖voicedesign模型和普通模型的参数构建逻辑

close #8283

* style: 使用snake case命名法
2026-05-27 21:36:22 +08:00
lxfight
23d70dbdbd feat(webui): add direct access button on plugin cards and improve embedded page height (#8369)
* feat(plugin): add pages field to plugin list API response

Include discovered page names for each plugin in the /api/plugin/get
response, so the frontend can determine whether a plugin has a WebUI
without an extra detail request.

* feat(webui): add direct WebUI access button on plugin cards

- Add "open-webui" button on plugin cards when plugin has pages
- Navigate to plugin's first page directly from the card
- Adjust PluginPagePage iframe height for better UX
- Add i18n labels (zh-CN/en-US/ru-RU)

* perf(plugin): use asyncio.gather for concurrent page discovery

Replace sequential await loop with concurrent processing to avoid
blocking on disk I/O when discovering plugin pages.

* fix(webui): disable open plugin UI button when plugin is deactivated

Prevent navigation to a disabled plugin's WebUI page which would
result in an error.

* test: update plugin API tests to match pages field in list response

- test_plugin_get_excludes_scanned_pages: expect pages field now present
- test_plugins: use name-based lookup instead of exact count assertion

---------

Co-authored-by: lxfight <lxfight@192.168.5.50>
2026-05-27 20:33:10 +08:00
hibiki233i
2d78626840 fix SQLAlchemy compatibility issues on macOS (#7724)
* Stabilize packaged SQLite knowledge base initialization

* Apply suggestion from @sourcery-ai[bot]

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

* Apply suggestion from @gemini-code-assist[bot]

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix: updating database URL handling and ensuring unique document IDs

* fix: preserve sqlite pragmas with null pool

---------

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: 邹永赫 <1259085392@qq.com>
2026-05-26 09:37:01 +09:00
elecvoid243
dcc99e6b9b feat: 为ChatUI添加指令候选功能 (#8279)
* feature: add command suggestion for ChatUI

* feat(chat): add focus functionality to chat input after sending messages

* feat(llm): add error handling for LLM provider selection failures

* feat(command-suggestion): enhance command filtering and sorting logic

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-05-22 20:57:19 +08:00
Weilong Liao
d15606d202 feat(password): add command to change AstrBot dashboard password (#8272)
closes: #8268
2026-05-21 21:37:10 +08:00
Yufeng He
c4693fa68e fix: support rst and adoc knowledge uploads (#8255) 2026-05-20 14:38:16 +08:00
Yufeng He
5bbcdced0f fix: skip empty llm summaries (#8195) 2026-05-19 09:38:55 +08:00
Weilong Liao
c88025c2a3 feat(dingtalk): implement one-click QR registration and polling mechanism (#8198) 2026-05-15 18:43:21 +08:00
Weilong Liao
aace90daab feat: supports scan QR code to configure feishu / lark (#8191)
* feat(lark): implement app registration and bot info retrieval

- Add app registration functionality for Lark and Feishu platforms, including endpoints and request handling.
- Introduce polling mechanism for app registration status.
- Create bot info retrieval functionality to fetch bot details after successful registration.
- Enhance dashboard with new UI components for one-click QR setup and manual setup options.
- Update internationalization files to support new features and actions.
- Add unit tests for app registration endpoint resolution and data handling.

* feat(weixin_oc): add WeChat login registration and QR code handling
2026-05-15 13:00:26 +08:00
Yufeng He
3290d75519 fix: prefer bundled dashboard over stale data dist (#8172)
* fix: prefer bundled dashboard over stale dist

* fix: harden dashboard dist version checks
2026-05-14 09:00:16 +08:00
Soulter
0e6ad1c443 feat: cli supports ASTRBOT_DASHBOARD_INITIAL_PASSWORD env 2026-05-14 01:13:46 +08:00
Soulter
e05dd650ab feat(auth): add legacy password login failure message and FAQ guidance for upgrade issues 2026-05-14 00:48:15 +08:00
Soulter
93428a7976 feat: add initial dashboard password resolution from environment variable 2026-05-14 00:45:37 +08:00
Soulter
37142fd253 feat: enhance update dialog with progress tracking and localization updates
- Added advanced settings option in update dialog for better user control.
- Implemented detailed progress tracking for update stages including download size and speed.
- Updated localization files for English, Russian, and Chinese to include new strings for update progress and advanced settings.
- Improved UI for update dialog with better layout and responsiveness.
- Enhanced test coverage for update process including progress tracking.
2026-05-14 00:40:24 +08:00
Tsukumi
1b09132e4a fix: respect explicit Shipyard Neo profile (#8167) 2026-05-13 14:38:11 +08:00
NayukiMeko
22ba831a31 fix(message_tools): throw exception and block message sending when path does not exist (#8149)
* fix(message_tools): 路径不存在时抛出异常并阻止消息发送

- _resolve_path_from_sandbox 在所有解析路径均失败时改为抛出 FileNotFoundError,而非静默返回原始路径,避免将无效路径传递给下游组件
- 新增 component_type 关键字参数,使错误信息能明确指出是 image/record/video/file 哪类资源路径缺失
- 在 call 方法中捕获 FileNotFoundError 并提前返回错误字符串,确保路径无效时不会继续构建或发送任何消息组件
- 补充单元测试,验证缺失图片路径场景下 send_message 不会被调用

* Update tests/unit/test_message_tools.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix(tools): propagate sandbox error instead of masking as FileNotFoundError

---------

Co-authored-by: Ruochen Pan <badbatch0x01@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: RC-CHN <1051989940@qq.com>
2026-05-13 11:50:06 +08:00
Soulter
48e111e47e chore: remove test 2026-05-12 23:57:16 +08:00
Weilong Liao
7ddf6371b9 fix(webui): enforce 12-char dashboard password policy with backend+frontend validation (#7338)
* fix(webui): enforce 12-char dashboard password policy with backend+frontend validation

* fix(i18n): update password policy hints and validation rules for improved security

* test: adapt dashboard auth fixtures for hashed default password

* fix(security): increase PBKDF2 iterations

* feat(auth): implement secure login challenge and proof verification

* chore: ruff format

* fix(auth): update md5 import syntax for consistency

* feat(dashboard): implement random password generation for empty dashboard password

* feat(auth): enforce plaintext password requirement for legacy MD5 hashes

* fix(i18n): update password hint texts to reflect auto-generated initial passwords

* feat(dashboard): implement password change requirement and reset logic

* feat(auth): implement account setup flow and password change requirements

* feat: Implement legacy password support and upgrade mechanism

- Added `hash_legacy_dashboard_password` function for MD5 hashing of passwords.
- Updated configuration handling to store both PBKDF2 and legacy password hashes.
- Introduced logic to check if password storage has been upgraded and if a password change is required.
- Modified dashboard authentication routes to handle legacy password checks and prompts for upgrades.
- Updated frontend to display warnings for legacy password storage and required upgrades.
- Enhanced tests to cover scenarios for legacy password handling and migration to new storage format.

* fix(logo): update text color styles to use CSS variables for consistency

* feat(dashboard): upgrade password storage and enforce change requirement

* fix(dashboard): update minimum password length from 12 to 10 characters

* fix(dashboard): update minimum password length from 10 to 8 characters

---------

Co-authored-by: RC-CHN <1051989940@qq.com>
2026-05-12 23:46:57 +08:00
Yufeng He
f86de988a4 fix: keep Discord startup alive on command quota (#8061)
* fix: keep Discord startup alive on command quota

* Update discord_platform_adapter.py

---------

Co-authored-by: Weilong Liao <37870767+Soulter@users.noreply.github.com>
2026-05-12 23:28:23 +08:00
NayukiMeko
041c35c35b Fix: Fix issue where temporary directory is not cleaned and error tracking false positives when repeatedly installing plugins (#8148)
* fix(star): 修复重复安装插件时临时目录未清理及错误追踪误报问题

- 引入 skip_failed_tracking 标志,当目标目录已存在时跳过失败安装追踪,避免将预期冲突错误误记为安装失败
- 修复 finally 块中临时目录清理逻辑,确保冲突场景下 plugin_upload_* 临时目录也能被正确删除
- 新增测试用例 test_install_plugin_from_file_conflict_keeps_failed_plugins_clean,验证重复安装同名插件时 failed_plugin_dict 为空且无残留临时目录

Ref #8122

* style(star): ruff 格式化
2026-05-11 16:36:03 +08:00
Ruochen Pan
f29b339ea2 fix(t2i): validate template content to prevent Jinja2 SSTI injection (#8077)
* fix(t2i): validate template content to prevent Jinja2 SSTI injection

* fix(t2i): add error feedback

* fix(test): update assertion to match previous commits

* style: format code
2026-05-08 15:30:52 +08:00
エイカク
f02845ebdc fix(config): expose cua idle timeout in dashboard (#8075)
* fix(config): expose cua idle timeout in dashboard

* fix(config): remove exposed cua ttl setting

* fix(config): centralize cua idle timeout default
2026-05-08 10:08:53 +09:00
エイカク
49cd4d2a20 feat(cua): expire idle sandbox sessions (#8074)
* feat(cua): expire idle sandbox sessions

* fix(cua): simplify idle timeout state
2026-05-08 09:41:59 +09:00
Yufeng He
116c66b5b7 fix: skip KB retrieval for blank prompts (#8073) 2026-05-08 08:35:24 +08:00
エイカク
5745ce5b80 fix(cua): use native file interfaces for uploads (#8069) 2026-05-08 02:36:43 +09:00