Commit Graph

2050 Commits

Author SHA1 Message Date
zhayujie
4cde25325d fix(evolution): pin review summary language via i18n hint 2026-06-15 22:04:52 +08:00
zhayujie
8d70af5e89 refactor(evolution): simplify review summary prompt 2026-06-15 21:43:53 +08:00
zhayujie
b3408d8e5f fix(windows): persist cow CLI dir to user PATH 2026-06-15 20:53:01 +08:00
zhayujie
e74906fbec fix(evolution): skip idle review while a turn is running 2026-06-15 20:33:52 +08:00
zhayujie
2397ea019e feat: config cli support evolution 2026-06-15 17:57:10 +08:00
zhayujie
77da90e316 feat: record self-evolution turn on streaming chat 2026-06-15 17:51:22 +08:00
zhayujie
ce09b14836 feat: sync self-evolution switch and fix scheduler context 2026-06-15 16:30:34 +08:00
zhayujie
e2cb9e11b0 fix(install): avoid greenlet source build on Windows & guide browser tool install 2026-06-15 11:50:41 +08:00
zhayujie
d281a34c6f fix(models): demote claude-fable-5 from Claude default 2026-06-14 21:06:41 +08:00
zhayujie
ab674a3517 fix(docs): architecture graph link 2026-06-14 17:22:41 +08:00
zhayujie
7d63e7d8fa feat(cli): add agent self-restart command 2026-06-14 17:20:41 +08:00
zhayujie
6538843bdf fix(memory): remove max_tokens cap in deep dream distillation 2026-06-14 11:06:25 +08:00
zhayujie
047fb57630 Merge pull request #2891 from sufan721/feat-add-role-module
- Auto-scan roles/*.json on startup and merge into built-in roles
2026-06-13 18:23:57 +08:00
sufan721
583c1de5ba - Auto-scan roles/*.json on startup and merge into built-in roles
- Same title overrides built-in role; different title appends as new
  - roles/ directory is optional — no impact when absent

  Users can now add custom roles by simply dropping a .json file
  into the roles/ directory and restarting. No config changes needed.
2026-06-13 16:50:54 +08:00
zhayujie
c9c293f67c Merge pull request #2888 from kirs-hi/fix/robustness-cancel-keyerror-compress-loop
fix: avoid KeyError on /cancel and infinite loop in image compression
2026-06-12 18:28:10 +08:00
zhayujie
80d0a6aeb2 Merge pull request #2879 from yangziyu-hhh/master
feat: stream Bash progress and guard message actions during replies
2026-06-12 18:19:13 +08:00
zhayujie
6b5ee245ae feat(web): integrate custom providers into the provider credentials section
- Merge the separate custom-providers section into the unified provider
  grid; "Custom" in the add-provider picker now acts as an add-new action
  (trailing + mark) and opens the dedicated modal, supporting multiple
  OpenAI-compatible endpoints
- Simplify the custom provider modal: drop the default-model field, add
  an inline delete button, align colors with the theme
- Keep the legacy single "custom" card visible (models page, chat
  dropdown and legacy config page) while custom_api_key/custom_api_base
  is still in use, so existing single-provider setups don't disappear
- Unify user-facing wording from "vendor" to "provider" in UI and docs
- Restructure custom provider docs (zh/en/ja) around Web console and
  config file usage
2026-06-12 18:03:33 +08:00
yangziyu-hhh
9387980e74 ci: add Windows Bash streaming tests 2026-06-12 14:07:40 +08:00
yangziyu-hhh
075d9fc608 fix: address Bash streaming review feedback 2026-06-12 13:45:39 +08:00
zhayujie
63bfab03f6 Merge pull request #2877 from kirs-hi/feat/custom-providers-ui
feat(web): manage multiple custom (OpenAI-compatible) providers in console UI
2026-06-12 11:54:48 +08:00
zhayujie
1d7e6b3703 fix(web): accept custom:<id> providers in the chat capability card
_set_chat rejected the expanded "custom:<id>" ids with "unknown
provider", so switching to a custom provider was only possible from
the custom providers section. Now the chat card and the custom section
behave consistently: _set_chat validates the id against
custom_providers, falls back to the provider's default model when none
is picked, and _chat_capability expands the dropdown with the
"custom:<id>" entries (legacy single-custom mode unchanged).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 11:54:19 +08:00
kirs-hi
ad64e17a34 fix: avoid KeyError on cancel and infinite loop in image compression
Two independent robustness fixes:

1. ChatChannel.cancel_session / cancel_all_session raised KeyError when a
   session existed in self.sessions but no future had been dispatched yet.
   self.sessions[sid] is created in produce(), but self.futures[sid] is only
   created later in consume() on first dispatch. Cancelling in that window
   (e.g. user sends a message then immediately cancels) crashed the cancel
   path. Use self.futures.get(sid, []) so an absent entry is a no-op.

2. compress_imgfile decremented JPEG quality by 5 with no lower bound. For an
   image that cannot be compressed below max_size, quality went 0, negative,
   ... — the loop never terminated and passed invalid quality values to PIL.
   Add a min_quality floor (10) and return the best effort once reached.

Adds tests/test_robustness_fixes.py covering both paths (5 tests).
2026-06-12 11:03:04 +08:00
kirs-hi
0092376c07 fix: address review — no auto-hijack, sync model on activation, cleanup
1. Creating a provider no longer auto-switches bot_type. Only an
   explicit make_active=true changes the active model — prevents
   silently hijacking users on Claude/OpenAI/etc.

2. When a provider IS activated, its 'model' is now written into the
   global 'model' field. This ensures all three paths (regular chat,
   agent_bridge, vision) use the correct model without per-path patches.

3. Removed unused i18n key 'models_custom_name_exists' (no longer
   referenced after the id-based rework removed name-collision checks).

4. Updated tests: 39 passing (added model-sync tests, fixed tests that
   relied on the removed auto-activation behavior).
2026-06-12 10:05:05 +08:00
zhayujie
6fb19a68b5 feat: update default config in run script 2026-06-11 19:30:08 +08:00
zhayujie
d5427d967a fix(installer): fix ASR/TTS default, self-evolution flag, and QuickEdit hang 2026-06-11 19:24:08 +08:00
zhayujie
7fd30b608c fix(cow_cli): fix line breaks in CLI replies 2026-06-11 19:08:30 +08:00
zhayujie
830b05f243 Merge pull request #2886 from kirs-hi/fix/ssrf-and-path-traversal
fix(security): SSRF protection for vision tool + path traversal guard for skill install
2026-06-11 18:24:09 +08:00
kirs-hi
e85290cddc fix(security): SSRF protection for vision tool + path traversal guard for skill install
1. Vision SSRF (#2878, #2872):
   Add _validate_url_safe() that resolves the target hostname via DNS and
   rejects any IP in private (RFC1918), loopback, link-local, or reserved
   ranges before requests.get() is called. This blocks attacks that use
   attacker-controlled image URLs to probe internal services or cloud
   metadata endpoints (169.254.169.254).

2. Skill install path traversal (#2873):
   Add _safe_skill_dir() that validates the skill name cannot escape the
   skills/ root directory. Rejects names containing '..', absolute paths,
   and any resolved path that falls outside the custom_dir boundary.
   Applied to _add_url(), _add_package(), and delete().

Both fixes include comprehensive unit tests (19 test cases) covering
blocked patterns, edge cases, and allowed legitimate usage.

Closes #2878
Closes #2873
Ref: #2872
2026-06-11 17:40:41 +08:00
kirs-hi
1940d628a8 refactor(custom): id-based routing, single source of truth, security fixes
Rework the multi custom-provider design per maintainer review:

1. Data model: use server-generated uuid4 short id as primary key;
   'name' is now a pure display label that can be freely renamed.

2. Routing: drop 'custom_active_provider'; activate a provider by
   setting bot_type to 'custom:<id>'. Single source of truth — no
   pointer drift between bot_type and a separate active selector.

3. Security: drag_sensitive() now recursively masks api_key/secret in
   nested structures (custom_providers list); previously only top-level
   string fields were masked.

4. Per-provider model: the provider's 'model' field now takes effect on
   the main chat path and agent path (was silently ignored before).

5. XSS fix: replace all inline onclick handlers in custom-provider UI
   with data-* attributes + event delegation. Provider names never
   appear in executable HTML contexts.

Legacy compatibility: bot_type='custom' (no colon) still reads the flat
custom_api_key/custom_api_base fields byte-for-byte identically.

Closes: consolidates #2876 into this PR as requested.
Ref: #2838
2026-06-11 17:25:24 +08:00
kirs-hi
cffa590d3e feat(web): manage multiple custom (OpenAI-compatible) providers in console UI
Adds first-class support for configuring more than one custom
OpenAI-compatible provider (e.g. SiliconFlow, DeepSeek, local vLLM)
and switching the active one from the web console, addressing #2838.

Backend:
- config: new `custom_providers` (list) and `custom_active_provider`
  fields, fully backward compatible with the legacy single
  `open_ai_api_base`/`model` fields (used as fallback).
- models/custom_provider.py: centralized resolver
  `resolve_custom_credentials()` returning (api_key, api_base, model),
  with active-provider selection and graceful fallback.
- chat_gpt_bot.py wired to use the resolver.
- web_channel.py: `_provider_overview` expands `custom_providers` into
  one card per provider (id `custom:<name>`, active flag, masked key);
  new POST actions `set_custom_provider`, `delete_custom_provider`,
  `set_active_custom_provider` with hermetic persistence + bridge reset.

Frontend:
- console.js: dedicated "Custom providers" section with add / edit /
  delete / set-active actions, masked-key keep-existing handling, and
  ~20 new zh/en i18n strings.
- chat.html: custom provider modal.

Tests:
- tests/test_custom_provider.py (11) - resolver/config behavior.
- tests/test_custom_provider_handlers.py (18) - write-side handlers and
  overview expansion, including duplicate-name rejection.

All 29 unit tests pass.
2026-06-10 18:12:30 +08:00
yangziyu-hhh
402e2bfee0 feat: stream Bash progress and guard message actions during replies 2026-06-10 14:19:03 +08:00
zhayujie
f5caba81d6 feat(models): support claude-fable-5 2026-06-10 09:39:37 +08:00
zhayujie
354350dec9 fix: hide code block language label when language is undefined 2026-06-09 19:20:15 +08:00
zhayujie
0513298f57 feat(evolution): allow rare persona (AGENT.md) self-evolution 2026-06-09 19:03:49 +08:00
zhayujie
08e23e5bd8 fix(vision): bump vision timeout from 60s to 180s to avoid premature failures 2026-06-09 16:36:01 +08:00
zhayujie
e812c7d29a feat(vision): increase vision tool max_tokens 2026-06-09 16:08:17 +08:00
zhayujie
ef46199346 feat: update run.sh for python3.13 2026-06-09 15:24:32 +08:00
zhayujie
7c9ea62993 chore(evolution): lower trigger thresholds to 6 turns / 10 min idle 2026-06-09 15:22:38 +08:00
zhayujie
8cb53e6129 feat: release 2.1.1 2.1.1 2026-06-09 14:38:05 +08:00
zhayujie
12c0383dc8 docs: update self-evolution docs 2026-06-09 12:07:41 +08:00
zhayujie
83b53039f3 feat: add 2.1.1 release docs 2026-06-09 11:41:32 +08:00
zhayujie
7e6a309935 feat(evolution): default on for new installs, unify naming, add docs 2026-06-09 10:49:43 +08:00
zhayujie
33c03e30d9 fix(web): switch to a sibling session when deleting the active one 2026-06-09 10:49:34 +08:00
zhayujie
1f1abdd7b6 fix(evolution): correct [SILENT] verdict and enable guarded bash for skill creation 2026-06-09 09:29:30 +08:00
zhayujie
16134bd150 fix: update python version in powershell script 2026-06-08 20:19:57 +08:00
zhayujie
c887fc71ad fix: support Python 3.13 by installing web.py from GitHub 2026-06-08 20:15:32 +08:00
zhayujie
9fc39f648f feat(evolution): give review agent full context, add knowledge signal, polish UX 2026-06-08 20:06:01 +08:00
zhayujie
ec9557e3d8 feat(web): resume live streaming when switching back to a session 2026-06-08 17:32:27 +08:00
zhayujie
7cf0f7d42d fix(web): self-heal stuck Cancel send button 2026-06-08 15:48:21 +08:00
zhayujie
b7aa64279d fix(web): support parallel sessions; fix lost/duplicate in-flight replies 2026-06-08 15:36:48 +08:00