Commit Graph

2224 Commits

Author SHA1 Message Date
LIghtJUNction
7b22e56252 security: remove legacy SHA256/MD5 password verification and fix API key logging
- Remove insecure SHA256/MD5 password hash verification from cmd_conf.py
  (rejection logic for storing legacy hashes is preserved)
- Remove API key logging from gemini_source.py, openai_source.py
- Remove header logging (contains Authorization header) from volcengine_tts.py

CodeQL issues fixed:
- Broken cryptographic hash (SHA256/MD5 for passwords)
- Clear-text logging of sensitive information (API keys)
2026-03-29 15:48:38 +08:00
LIghtJUNction
2b70c29ea4 chore: bump version to 4.25.0 2026-03-29 15:46:11 +08:00
LIghtJUNction
5ea790d045 chore: misc fixes and new test files
- fix(openai_source): remove dead code comment
- fix(common.ts): use resolveApiUrl helper for live-log endpoint
- style(mdi-subset): clean up icon CSS
- feat: add translation check script and unit tests
2026-03-29 15:40:58 +08:00
LIghtJUNction
eca534f6d4 feat(core): add ToolSessionManager for stateful tool execution
Introduce session-level state management for tools that need to maintain
state across conversation turns within the same session (UMO).

- Add ToolSessionManager class for central per-(UMO, tool_name) state
- Add ToolSessionState with set_persistent(key) support
- Add is_stateful flag to FunctionTool base class
- Wire session_manager through run_context in all agent runners
- Update ExecuteShellTool to use framework session manager
- Update CLAUDE.md with stateful tool documentation

BREAKING: Tools that were manually managing session state via _sessions
dict should migrate to use the framework's ToolSessionManager for proper
lifecycle management and persistence support.
2026-03-29 15:40:57 +08:00
LIghtJUNction
1faeee3732 merge: pull latest master into dev
Resolved conflicts:
- openai_source.py: keep dev version with abort_signal filtering
- customizer.ts: keep dev version with viewMode functionality
- useSessions.ts: keep dev version with pendingSessionId handling
- platformUtils.js: keep dev version with correct tutorial links
- AddNewPlatform.vue: keep dev version with correct docs link
- FullLayout.vue: keep dev version with viewMode-based logic
- VerticalHeader.vue: keep dev version with viewMode-based logic
2026-03-28 12:14:10 +08:00
LIghtJUNction
bc01532e59 fix(provider): filter abort_signal from payloads to avoid JSON serialize error
`abort_signal` (asyncio.Event) is passed via **kwargs into payloads during
tool_call streaming, causing "Object of type Event is not JSON serializable"
when the OpenAI client tries to serialize the request body.

Regression test added: test_prepare_chat_payload_strips_non_json_serializable_kwargs
2026-03-28 01:15:21 +08:00
LIghtJUNction
0c194576c4 fix: 修复 tool_call.function 类型错误和合并冲突
- tool.py: 重构 openai_schema 避免 dict[str, str] 类型推断问题
- openai_source.py: 使用 getattr 安全访问 tool_call.function
- 解决 origin/dev 中的合并冲突
2026-03-27 20:45:35 +08:00
LIghtJUNction
2a5e55641d feat(abp): initial ABP protocol implementation
- Add ABP (AstrBot Plugin) protocol Python package (astrbot/core/plugin/)
  - PluginManager for plugin lifecycle management
  - PluginClient for out-of-process plugin communication
  - Transport layer (Stdio, Unix Socket, HTTP)
  - Data models and constants
- Add ABP error codes to Rust error.rs (-32700 to -32211)
- Fix Rust server.rs compilation issues
  - Fix UNIX_EPOODY typo
  - Fix mutable borrow issues
  - Fix API response type mismatches
- Update _core.pyi type stubs with ABP types
- Add openspec change archive for ABP protocol implementation
2026-03-27 18:07:09 +08:00
Haoyuan Li
55ed0289c2 feat(weixin_oc): Add "typing" ("对方正在输入...") state control for weixin_oc plateform (#6977)
* feat: Add "typing" state control for weixin_oc plateform

* fix: avoid typing state mutation during cleanup

* fix: preserve typing error tracebacks in logs

* refactor: simplify typing task cancellation flow

* chore: remove tests

* fix: remove unnecessary platform check for stopping typing

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-03-27 15:54:41 +08:00
Soulter
777b831691 fix(weixin_oc): add error handling and retry logic for inbound updates polling (#7041)
fixes: #7022
2026-03-27 15:36:31 +08:00
silwings1986
26627887d1 fix(wecom): fallback to message API when kf returns 40096 (#7012)
* fix(wecom): fallback to regular message API when kf API returns 40096

When sending WeCom messages via kf/send_msg, if the API returns error
40096 (invalid external userid), fall back to the regular message/send
API. This handles internal employees who don't have external userids.

Fixes the issue where internal WeCom users (e.g. WangCong) would cause
kf API to fail with 'invalid external userid' error.

* fix(wecom): improve error handling for kf API fallback to regular message API

---------

Co-authored-by: Soulter <905617992@qq.com>
2026-03-27 11:34:18 +08:00
sanyekana
a5e86c8b94 fix(telegram): preserve attachment captions (#7020)
* fix(telegram): preserve attachment captions

* Update astrbot/core/platform/sources/telegram/tg_adapter.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-03-27 11:29:03 +08:00
Izayoi9
af6f9cfc5e fix: 使用 removesuffix 替代 rstrip 修复 URL 字符误删问题 (#7026)
之前在 #6863 中我提交的修复使用了 rstrip() 来移除末尾的 /embeddings,
但 rstrip() 是字符集操作,会误删 URL 末尾属于该字符集的字符。

例如 siliconflow.cn 的末尾 n 会被误删,导致 URL 变成 siliconflow.c

改用 removesuffix() 可以正确处理这种情况,只在字符串以指定后缀结尾时才移除。

closes #7025
2026-03-27 11:24:06 +08:00
Soulter
045be7943d revert: "fix(provider): restore parameter transparency in core LLM provider ad…" (#7023)
This reverts commit 1ad7e10c0f.
2026-03-27 01:58:04 +08:00
LIghtJUNction
af59ab9534 merge: 合并 master 分支 (webui 改进和 attachment recovery)
- 采用 master 的 README 多语言版本和文档更新
- 采用 dev 版本号 (4.25.0) + master 的 Python 版本限制 (<3.14)
- 采用 master 的 _image_ref_to_data_url 图片处理实现
- 从 git 中移除 MDI 字体二进制文件,改由脚本生成
- 其他冲突均采用 master 版本
2026-03-27 00:27:03 +08:00
LIghtJUNction
e8cd999596 chore: 更新项目配置和 CLI
- 更新 .env.example 环境变量示例
- 更新 pyproject.toml 依赖配置
- 删除 tui 相关命令 (cmd_tui.py, cmd_run_tui.py)
- 更新 CLI i18n 和核心模块
- 删除 tombi.toml
2026-03-27 00:16:03 +08:00
エイカク
cd4e999526 fix: harden OpenAI attachment recovery (#7004)
* fix: harden OpenAI attachment recovery

* fix: refine OpenAI image loading

* fix: restore OpenAI image encoding errors

* refactor: streamline OpenAI image helpers

* refactor: simplify OpenAI attachment helpers

* refactor: simplify OpenAI helper flow

* refactor: clarify OpenAI image modes

* refactor: reduce OpenAI materialization copies
2026-03-27 00:49:19 +09:00
LIghtJUNction
37f7b43d6e fix(tool): add list_tools() method to ToolSet
Commit 292199dc renamed tools.func_list -> tools.list_tools() in
openai_source.py but forgot to add the list_tools() method to the
ToolSet class, causing AttributeError at runtime.
2026-03-26 21:02:02 +08:00
Helian Nuits
1ad7e10c0f fix(provider): restore parameter transparency in core LLM provider adapters (#6934)
* fix(provider): restore parameter transparency in core LLM provider adapters

核心对话适配器(OpenAI, Anthropic, Gemini)在准备请求 Payload 时未对 kwargs 进行合并,导致插件层传入的自定义参数(如 max_tokens, temperature, timeout 等)失效,回退到提供商的保守默认值。本次修复确保了各主流模型适配器对请求参数的完整透传。

* fix(payloads): 使用字典解包
2026-03-26 19:32:27 +08:00
Rainor_da!
2b5d86b35c fix: honor computer_use_require_admin in shipyard_neo tools (#6951) 2026-03-26 09:32:19 +08:00
LIghtJUNction
292199dcac feat: add backend URL preset sharing via URL parameters
- Add URL param support (?api_url=, ?username=) for shareable config
- Add share link button to server config dialog
- Fix ToolSet API bug: tools.func_list -> tools.list_tools()
- Fix Vue template bugs in CommandTable.vue (orphaned v-else, wrong prop)
- Use master version of InstalledPluginsTab.vue (dev had pre-existing bugs)

BREAKING CHANGE: Uses master version for InstalledPluginsTab.vue
2026-03-26 00:20:52 +08:00
Soulter
b2718b07b6 chore: bump version to 4.22.1 2026-03-26 00:03:23 +08:00
エイカク
c529c716f4 feat: add two-phase startup lifecycle (#6942)
* feat: add two-phase startup lifecycle

Allow the dashboard to become available before plugin bootstrap completes and surface runtime readiness and failure states to API callers.

Guard plugin-facing endpoints until runtime is ready and clean up provider and plugin runtime state safely across bootstrap failures, retries, stop, and restart flows.

* fix: harden runtime cleanup review fixes

Continue terminating remaining providers and disable MCP servers even if one provider terminate hook fails.

Also add InitialLoader failure-path coverage and extract guarded plugin routes into a shared constant for easier review and maintenance.

* fix: harden deferred startup recovery

* fix: streamline runtime guard handling

* fix: simplify runtime lifecycle coordination

* fix: restore orchestrator logger binding
2026-03-25 23:48:49 +08:00
Soulter
c55f2546e2 feat(skills): enhance skill installation to support multiple top-level folders and add duplicate handling, and Chinese skill name support (#6952)
* feat(skills): enhance skill installation to support multiple top-level folders and add duplicate handling

closes: #6949

* refactor(skill_manager): streamline skill name normalization and validation logic

* fix(skill_manager): update skill name regex to allow underscores in skill names

* fix(skill_manager): improve skill name normalization and validation logic
2026-03-25 21:51:44 +08:00
LIghtJUNction
55c8c8a8d6 fix(maturin-hook): handle broken dashboard dist symlink gracefully
The dev branch has astrbot/dashboard/dist as a symlink to
../../dashboard/dist, which is valid in the dev workspace but
becomes a broken symlink when cloned to /opt/astrbot for installation.

Fix the maturin build hook to:
- Remove broken symlinks before creating placeholder directories
- Handle symlink vs directory removal in copy_dashboard_dist()
- Always generate placeholder when dashboard build is skipped or fails
2026-03-25 19:01:56 +08:00
LIU Yaohua
e4ce090db2 fix(provider): add missing index field to streaming tool_call deltas (#6661) (#6692)
* fix(provider): add missing index field to streaming tool_call deltas

- Fix #6661: Streaming tool_call arguments lost when OpenAI-compatible proxy omits index field
- Gemini and some proxies (e.g. Continue) don't include index field in tool_call deltas
- Add default index=0 when missing to prevent ChatCompletionStreamState.handle_chunk() from rejecting chunks

Fixes #6661

* fix(provider): use enumerate for multi-tool-call index assignment

- Use enumerate() to assign correct index based on list position
- Iterate over all choices (not just the first) for completeness
- Addresses review feedback from sourcery-ai and gemini-code-assist

---------

Co-authored-by: Yaohua-Leo <3067173925@qq.com>
Co-authored-by: Soulter <905617992@qq.com>
2026-03-25 18:31:35 +08:00
naer-lily
11c7591b17 Fix payload handling for msg_id in QQ API (#6604)
Remove msg_id from payload to prevent errors with proactive tool-call path and avoid permission issues.

Co-authored-by: Naer <88199249+V-YOP@users.noreply.github.com>
2026-03-25 17:48:51 +08:00
Izayoi9
d7f8af5d42 feat: auto-append /v1 to embedding_api_base in OpenAI embedding provider (#6863)
* fix: auto-append /v1 to embedding_api_base in OpenAI embedding provider (#6855)

When users configure `embedding_api_base` without the `/v1` suffix,
the OpenAI SDK does not auto-complete it, causing request path errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: ensure API base URL for OpenAI embedding ends with /v1 or /v4

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Soulter <905617992@qq.com>
2026-03-25 17:21:07 +08:00
Rainor_da!
2031f3da74 fix: keep weixin_oc polling after inbound timeouts (#6915)
* fix: keep weixin_oc polling after inbound timeouts

* Delete tests/test_weixin_oc_adapter.py

---------

Co-authored-by: Soulter <37870767+Soulter@users.noreply.github.com>
2026-03-25 16:20:18 +08:00
LIghtJUNction
be65022de1 refactor(protocols): update protocol client implementations 2026-03-25 00:10:29 +08:00
LIghtJUNction
3e9584b128 style: apply ruff unsafe-fixes and format 2026-03-24 18:22:29 +08:00
LIghtJUNction
f746efcbe6 style: move Coroutine to collections.abc import 2026-03-24 17:13:52 +08:00
LIghtJUNction
4f686ed9c5 fix: resolve undefined name errors (F821)
- shell.py: Replace undefined TContext with AstrAgentContext
- context.py: Add missing Coroutine import from typing
- lsp/client.py: cleanup (already applied)
2026-03-24 17:12:58 +08:00
LIghtJUNction
dd53727e81 style: apply ruff --unsafe-fixes for common issues
Fixed 31 issues including:
- Remove print statements (T201)
- Fix star imports (F403)
- Other auto-fixable style issues
2026-03-24 16:36:46 +08:00
LIghtJUNction
92ba30b6e1 chore: apply ruff format to codebase
Reformat 23 files for consistent code style.
2026-03-24 10:14:28 +08:00
LIghtJUNction
15789efbfb chore: auto commit 2026-03-24 00:06:24 +08:00
LIghtJUNction
310d2d6998 feat: add integration tests infrastructure and MCP echo server fixture
- Add tests/integration/ directory with fixtures/
- Create echo_mcp_server.py for MCP testing
- Create test_mcp_integration.py with basic tests
- Fix bug in MCP client: use stdio_transport instead of _streams_context
- Add examples/abp_demo.py demonstrating ABP protocol
- Update openspec with integration tests change
2026-03-23 23:01:55 +08:00
LIghtJUNction
67373ccaa1 merge: resolve conflicts from master 2026-03-23 22:31:33 +08:00
LIghtJUNction
ced1a4fbb6 chore: auto commit 2026-03-23 21:35:18 +08:00
LIghtJUNction
f60ffdb62a refactor(dashboard): remove unused sha256 utility
The sha256.ts module is no longer used by any frontend code.
2026-03-23 20:38:43 +08:00
LIghtJUNction
a78a55bcc0 perf: validate config_path before checking existence (#6722)
Add a check for empty config_path in check_exist method
2026-03-23 19:04:07 +08:00
LIghtJUNction
bbcdc502a5 feat(dashboard): clarify frontend/backend behavior with better messages
- Track _webui_fallback flag to distinguish "frontend disabled" vs "frontend enabled but files missing"
- Improve messages:
  - "前端未内置或未初始化,回退到仅启动后端" when fallback occurs
  - "前端已禁用" when user explicitly disabled
  - "正在启动 API Server" instead of "WebUI 已分离"
  - "前端未启用,请访问在线面板" for HTTP responses when frontend disabled
2026-03-23 17:43:30 +08:00
LIghtJUNction
f688343072 fix: remove incorrect startup suggestion from version check 2026-03-23 17:32:52 +08:00
LIghtJUNction
cfdb4ef651 feat: add Python version check requiring 3.12 or 3.13
- Add version check at startup in both __main__.py and cmd_run.py
- Suggest using `uv run -m astrbot` or reinstalling with uv
- Add ABC base class and abstract methods to ComputerBooter
- Improve type annotations in OpenAIAgentsRunner
2026-03-23 17:32:11 +08:00
LIghtJUNction
99c66c2410 feat(cli): add real-time log streaming in non-interactive mode
- Non-interactive mode now streams logs to stdout with color-coded levels
- Add proper async cleanup when shutting down
- Fix type annotations in coze and deerflow agent runners
2026-03-23 17:21:05 +08:00
Soulter
31487995bb chore: ruff format 2026-03-23 16:13:30 +08:00
Soulter
3c6cd22e2c feat(lark): add collapsible reasoning panel support and enhance message handling (#6831)
* feat(lark): add collapsible reasoning panel support and enhance message handling

* feat(lark): refactor collapsible panel creation for improved readability and maintainability
2026-03-23 16:12:43 +08:00
lightjunction
999ce123a7 fix(discord): remove duplicate command registration loop
The _collect_and_register_commands method was iterating over
star_handlers_registry twice: once via collect_commands() and again
in a redundant second loop. This caused the same commands to be
registered to the Discord client twice, resulting in "Application
command names must be unique" errors during sync_commands().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 15:29:06 +08:00
LIghtJUNction
8e0314a559 refactor: reorganize agent runner imports for openai-agents integration
- Move AgentResponse to its own module in core/agent/response
- Update import paths in all runner files
- Add provider_config parameter to ToolLoopAgentRunner
2026-03-23 13:29:53 +08:00
LIghtJUNction
19e0952a6f fix: standardize dashboard env vars to ASTRBOT_* prefix only
- Remove all DASHBOARD_* and ASTRBOT_DASHBOARD_* fallback chains
- server.py now only checks ASTRBOT_HOST, ASTRBOT_PORT, ASTRBOT_SSL_*
- cmd_run.py no longer sets legacy DASHBOARD_* environment variables
- Clean up import paths for agent runners
2026-03-23 13:18:23 +08:00