feat(web): add password protection for web console

- Add `web_password` config to enable login authentication - Use stateless HMAC-signed token (survives restart, invalidates on password change) - Add `web_session_expire_days` config (default 30 days) - Protect all API endpoints with auth check (401 on failure) - Add login page UI with auto-redirect on session expiry - Add password management in config page (masked display, inline edit) - Add tooltip hints for Agent config fields - Update default agent_max_context_turns to 20, agent_max_steps to 20 - Update docs and docker-compose.yml
2026-06-02 00:57:41 +08:00 · 2026-04-12 20:37:04 +08:00
parent 4dd497fb6d
commit fbe48a4b4e
14 changed files with 498 additions and 56 deletions
--- a/config.py
+++ b/config.py
@@ -195,11 +195,13 @@ available_setting = {
    "Minimax_group_id": "",
    "Minimax_base_url": "",
    "web_port": 9899,
+    "web_password": "",  # Web console password; empty means no authentication required
+    "web_session_expire_days": 30,  # Auth session expiry in days
    "agent": True,  # 是否开启Agent模式
    "agent_workspace": "~/cow",  # agent工作空间路径，用于存储skills、memory等
    "agent_max_context_tokens": 50000,  # Agent模式下最大上下文tokens
-    "agent_max_context_turns": 30,  # Agent模式下最大上下文记忆轮次
-    "agent_max_steps": 15,  # Agent模式下单次运行最大决策步数
+    "agent_max_context_turns": 20,  # Agent模式下最大上下文记忆轮次
+    "agent_max_steps": 20,  # Agent模式下单次运行最大决策步数
    "knowledge": True,  # 是否开启知识库功能
 }