admin/aiagent
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 修复35个安全与功能缺陷,补全知识进化/数字孪生/行为采集模块

Browse Source 
## 安全修复 (12项)
- Webhook接口添加全局Token认证,过滤敏感请求头
- 修复JWT Base64 padding公式,防止签名验证绕过
- 数据库密码/飞书Token从源码移除,改为环境变量
- 工作流引擎添加路径遍历防护 (_resolve_safe_path)
- eval()添加模板长度上限检查
- 审批API添加认证依赖
- 前端v-html增强XSS转义,console.log仅开发模式输出
- 500错误不再暴露内部异常详情

## Agent运行时修复 (7项)
- 删除_inject_knowledge_context中未定义db变量的finally块
- 工具执行添加try/except保护,异常不崩溃Agent
- LLM重试计入budget计数器
- self_review异常时passed=False
- max_iterations截断标记success=False
- 工具参数JSON解析失败时记录警告日志
- run()开始时重置_llm_invocations计数器

## 配置与基础设施
- DEBUG默认False,SQL_ECHO独立配置项
- init_db()补全13个缺失模型导入
- 新增WEBHOOK_AUTH_TOKEN/SQL_ECHO配置项
- 新增.env.example模板文件

## 前端修复 (12项)
- 登录改用URLSearchParams替代FormData
- 401拦截器通过Pinia store统一清理状态
- SSE流超时从60s延长至300s
- final/error事件时清除streamTimeout
- localStorage聊天记录添加24h TTL
- safeParseArgCount替代模板中裸JSON.parse
- fetchUser 401时同时清除user对象

## 新增模块
- 知识进化: knowledge_extractor/retriever/tasks
- 数字孪生: shadow_executor/comparison模型
- 行为采集: behavior_middleware/collector/fingerprint_engine
- 代码审查: code_review_agent/document_review_agent
- 反馈学习: feedback_learner
- 瓶颈检测/优化引擎/成本估算/需求估算
- 速率限制器 (rate_limiter)
- Alembic迁移 015-020

## 文档
- 商业化落地计划
- 8篇docs文档 (架构/API/部署/开发/贡献等)
- Docker Compose生产配置

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
renjianbo
2026-05-10 19:50:20 +08:00
parent f79dc0b3c6
commit ab1589921a
77 changed files with 9442 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/app/api/approval.py
View File

@@ -4,9 +4,11 @@ from __future__ import annotations
import logging
from fastapi import APIRouter, HTTPException
from fastapi import APIRouter, HTTPException, Depends
from pydantic import BaseModel, Field
from app.api.auth import get_current_user
from app.models.user import User
from app.services.approval_manager import approval_manager
logger = logging.getLogger(__name__)
@@ -19,7 +21,7 @@ class ApprovalDecisionRequest(BaseModel):
@router.post("/{approval_id}/resolve")
async def resolve_approval(approval_id: str, req: ApprovalDecisionRequest):
async def resolve_approval(approval_id: str, req: ApprovalDecisionRequest, current_user: User = Depends(get_current_user)):
"""提交工具审批决定。
- **approved**: 批准执行
@@ -33,7 +35,7 @@ async def resolve_approval(approval_id: str, req: ApprovalDecisionRequest):
@router.get("/{approval_id}")
async def get_approval(approval_id: str):
async def get_approval(approval_id: str, current_user: User = Depends(get_current_user)):
"""查询待审批请求详情(用于前端展示工具名和参数)。"""
req = approval_manager.get_pending(approval_id)
if not req: