krisolo/boss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: ship enterprise control and desktop governance

Browse Source
This commit is contained in:
AI Bot
2026-05-11 14:59:26 +08:00
parent 0757d07521
commit a311280238
285 changed files with 48574 additions and 2428 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
src/app/admin/page.tsx Normal file
View File

@@ -0,0 +1,51 @@
import { cookies, headers } from "next/headers";
import "antd/dist/reset.css";
import { BossAdminApp } from "@/components/admin/boss-admin-app";
import type { BossAdminOverview } from "@/components/admin/boss-admin-data-provider";
import { requirePageSession } from "@/lib/boss-auth";
export const dynamic = "force-dynamic";
async function loadInitialOverview() {
const headersList = await headers();
const cookieStore = await cookies();
const host = headersList.get("host");
const protocol = headersList.get("x-forwarded-proto") ?? "http";
if (!host) return null;
try {
const response = await fetch(`${protocol}://${host}/api/v1/admin/overview`, {
cache: "no-store",
headers: {
cookie: cookieStore.toString(),
},
});
if (!response.ok) return null;
return (await response.json()) as BossAdminOverview;
} catch {
return null;
}
}
export default async function AdminPage() {
const session = await requirePageSession();
if (session.role !== "highest_admin") {
return (
<main className="min-h-screen bg-[#F4F7F2] px-6 py-10">
<div className="mx-auto max-w-3xl rounded-2xl border border-[#DDE8DF] bg-white p-6 text-[#31443A] shadow-sm">
<div className="text-lg font-semibold text-[#102418]"></div>
<p className="mt-2 text-sm leading-6">
Boss 访
</p>
</div>
</main>
);
}
const initialOverview = await loadInitialOverview();
return <BossAdminApp initialOverview={initialOverview} />;
}

13
src/app/api/auth/login/route.ts
View File

@@ -1,9 +1,11 @@
import { NextRequest, NextResponse } from "next/server";
import { createPrimaryAdminSession, loginAccount } from "@/lib/boss-data";
import { setAuthSessionCookie } from "@/lib/boss-auth";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
function shouldAllowTemporaryAutoLogin() {
return process.env.BOSS_AUTH_AUTO_LOGIN !== "0";
const flag = process.env.BOSS_AUTH_AUTO_LOGIN?.trim().toLowerCase();
return flag === "1" || flag === "true" || flag === "yes";
}
function messageForLoginError(code: string) {
@@ -14,21 +16,29 @@ function messageForLoginError(code: string) {
return "账号密码登录时必须填写密码。";
case "INVALID_ACCOUNT_OR_PASSWORD":
return "账号或密码不正确。";
case "ACCOUNT_DISABLED":
return "当前账号已停用,请联系管理员。";
case "VERIFICATION_CODE_REQUIRED":
return "验证码登录时必须填写验证码。";
case "INVALID_VERIFICATION_CODE":
return "验证码不正确或已失效,请重新获取。";
case "MFA_CODE_REQUIRED_OR_INVALID":
return "MFA 验证码缺失或不正确,请重新输入。";
default:
return code;
}
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const body = (await request.json()) as {
account?: string;
password?: string;
code?: string;
method?: "password" | "code";
mfaCode?: string;
};
if (shouldAllowTemporaryAutoLogin()) {
@@ -67,6 +77,7 @@ export async function POST(request: NextRequest) {
password: body.password,
code: body.code,
method,
mfaCode: body.mfaCode,
});
const response = NextResponse.json({
ok: true,

4
src/app/api/auth/logout/route.ts
View File

@@ -1,8 +1,12 @@
import { NextRequest, NextResponse } from "next/server";
import { clearAuthSessionCookie } from "@/lib/boss-auth";
import { revokeAuthSession } from "@/lib/boss-data";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
await revokeAuthSession(request.cookies.get("boss_session")?.value);
const response = NextResponse.json({ ok: true, message: "已退出当前账号。" });
return clearAuthSessionCookie(response, request);

4
src/app/api/auth/restore/route.ts
View File

@@ -1,8 +1,12 @@
import { NextRequest, NextResponse } from "next/server";
import { setAuthSessionCookie } from "@/lib/boss-auth";
import { restoreAuthSession } from "@/lib/boss-data";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const body = (await request.json().catch(() => ({}))) as {
restoreToken?: string;
};

12
src/app/api/device-heartbeat/route.ts
View File

@@ -35,6 +35,12 @@ export async function POST(request: NextRequest) {
codexThreadRef?: string;
lastActiveAt?: string;
suggestedImport?: boolean;
recentAssistantMessages?: Array<{
messageId?: string;
body?: string;
sentAt?: string;
phase?: string;
}>;
}>;
endpoint?: string;
};
@@ -77,6 +83,12 @@ export async function POST(request: NextRequest) {
codexThreadRef?: string;
lastActiveAt?: string;
suggestedImport?: boolean;
recentAssistantMessages?: Array<{
messageId?: string;
body?: string;
sentAt?: string;
phase?: string;
}>;
}>,
endpoint: body.endpoint,
});

6
src/app/api/state/route.ts
View File

@@ -1,6 +1,7 @@
import { NextRequest, NextResponse } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { readState } from "@/lib/boss-data";
import { getAuthorizedStateSnapshot } from "@/lib/boss-projections";
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
@@ -8,9 +9,10 @@ export async function GET(request: NextRequest) {
return NextResponse.json({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const state = await readState();
const authorizedState = getAuthorizedStateSnapshot(state, session);
return NextResponse.json({
...state,
aiAccounts: state.aiAccounts.map(({ apiKey, ...account }) => ({
...authorizedState,
aiAccounts: authorizedState.aiAccounts.map(({ apiKey, ...account }) => ({
...account,
apiKey: apiKey ? "[REDACTED]" : undefined,
})),

614
src/app/api/v1/admin/access/route.ts Normal file
View File

@@ -0,0 +1,614 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { buildRequestAuditMeta } from "@/lib/boss-audit";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import { BOSS_PERMISSION_TEMPLATES } from "@/lib/boss-access-templates";
import {
appendPermissionAuditLog,
assignAccountCompanyByAdmin,
assignDeviceCompanyByAdmin,
bulkImportAuthAccountsByAdmin,
previewBulkImportAuthAccountsByAdmin,
readState,
reclaimAuthAccountByAdmin,
resetAuthAccountPasswordByAdmin,
revokeAccessGrant,
saveAccountDeviceGrant,
saveAccountProjectGrant,
saveAccountSkillGrant,
setAdminCompanyStatusByAdmin,
setAuthAccountMfaRequiredByAdmin,
setAuthAccountStatusByAdmin,
upsertAdminCompanyByAdmin,
upsertAuthAccountByAdmin,
} from "@/lib/boss-data";
import type { AuthAccount, AuthAccountStatus, AuthRole, BossPermission, Device, Project } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
const validRoles = new Set<AuthRole>(["member", "admin", "highest_admin"]);
const validImportRoles = new Set<AuthRole>(["member", "admin"]);
const validAccountStatuses = new Set<AuthAccountStatus>(["active", "disabled"]);
const validCompanyStatuses = new Set(["active", "disabled"]);
const validCompanyPlanTiers = new Set(["trial", "standard", "enterprise"]);
const validPermissions = new Set<BossPermission>([
"device.view",
"device.manage",
"project.view",
"thread.chat",
"master_agent.ask",
"master_agent.takeover",
"computer.control",
"skill.view",
"skill.use",
"skill.manage",
"account.manage",
"audit.view",
]);
function publicAuthAccount(account: AuthAccount) {
const { passwordHash, mfaSecret, ...safeAccount } = account;
void passwordHash;
void mfaSecret;
return safeAccount;
}
function publicAdminDevice(device: Device) {
return {
id: device.id,
name: device.name,
avatar: device.avatar,
account: device.account,
status: device.status,
companyId: device.companyId,
source: device.source,
lastSeenAt: device.lastSeenAt,
preferredExecutionMode: device.preferredExecutionMode,
capabilities: device.capabilities,
};
}
function publicAdminProject(project: Project) {
return {
id: project.id,
name: project.name,
deviceIds: project.deviceIds,
threadMeta: project.threadMeta,
isGroup: project.isGroup,
updatedAt: project.updatedAt,
lastMessageAt: project.lastMessageAt,
collaborationMode: project.collaborationMode,
approvalState: project.approvalState,
riskLevel: project.riskLevel,
};
}
function buildSkillCatalog(skills: Array<{
skillId: string;
deviceId: string;
name: string;
description: string;
path: string;
invocation: string;
category: string;
updatedAt: string;
}>) {
const catalog = new Map<string, {
name: string;
invocation: string;
description: string;
deviceCount: number;
devices: Array<{ skillId: string; deviceId: string; path: string; category: string; updatedAt: string }>;
}>();
for (const skill of skills) {
const key = skill.name.trim() || skill.skillId;
const existing = catalog.get(key) ?? {
name: key,
invocation: skill.invocation,
description: skill.description,
deviceCount: 0,
devices: [],
};
existing.devices.push({
skillId: skill.skillId,
deviceId: skill.deviceId,
path: skill.path,
category: skill.category,
updatedAt: skill.updatedAt,
});
existing.deviceCount = existing.devices.length;
catalog.set(key, existing);
}
return [...catalog.values()].sort((left, right) => left.name.localeCompare(right.name, "zh-CN"));
}
function forbidden() {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
async function requireHighestAdmin(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return { ok: false as const, response: jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 }) };
}
if (session.role !== "highest_admin") {
return { ok: false as const, response: forbidden() };
}
return { ok: true as const, session };
}
function stringValue(value: unknown) {
return typeof value === "string" ? value.trim() : "";
}
function permissionValues(value: unknown): BossPermission[] {
if (!Array.isArray(value)) {
return [];
}
return value.filter((item): item is BossPermission =>
typeof item === "string" && validPermissions.has(item as BossPermission),
);
}
function stringArray(value: unknown) {
if (!Array.isArray(value)) {
return [];
}
return value.map(stringValue).filter(Boolean);
}
function accountImportValues(value: unknown) {
if (!Array.isArray(value)) {
return [];
}
return value
.filter((item): item is Record<string, unknown> => item !== null && typeof item === "object")
.map((item) => ({
account: stringValue(item.account),
displayName: stringValue(item.displayName),
role: validImportRoles.has(stringValue(item.role) as AuthRole) ? (stringValue(item.role) as AuthRole) : "member",
password: stringValue(item.password),
verificationEmail: stringValue(item.verificationEmail),
}))
.filter((item) => Boolean(item.account));
}
function idSegment(value: string) {
return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "item";
}
export async function GET(request: NextRequest) {
const auth = await requireHighestAdmin(request);
if (!auth.ok) {
return auth.response;
}
const state = await readState();
return jsonNoStore({
ok: true,
companies: state.adminCompanies,
accounts: state.authAccounts.map(publicAuthAccount),
devices: state.devices.map(publicAdminDevice),
projects: state.projects.map(publicAdminProject),
skills: state.deviceSkills,
skillCatalog: buildSkillCatalog(state.deviceSkills),
permissionTemplates: BOSS_PERMISSION_TEMPLATES,
grants: {
devices: state.accountDeviceGrants,
projects: state.accountProjectGrants,
skills: state.accountSkillGrants,
},
auditLogs: state.permissionAuditLogs,
});
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const auth = await requireHighestAdmin(request);
if (!auth.ok) {
return auth.response;
}
const body = (await request.json().catch(() => ({}))) as Record<string, unknown>;
const action = stringValue(body.action);
const auditMeta = buildRequestAuditMeta(request);
if (action === "upsert_account") {
const account = stringValue(body.account);
const role = stringValue(body.role) as AuthRole;
if (!account || !validRoles.has(role)) {
return jsonNoStore({ ok: false, message: "ACCOUNT_OR_ROLE_INVALID" }, { status: 400 });
}
const saved = await upsertAuthAccountByAdmin({
account,
displayName: stringValue(body.displayName),
role,
password: stringValue(body.password),
verificationEmail: stringValue(body.verificationEmail),
companyId: stringValue(body.companyId) || undefined,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, account: publicAuthAccount(saved) });
}
if (action === "set_account_status") {
const account = stringValue(body.account);
const status = stringValue(body.status) as AuthAccountStatus;
if (!account || !validAccountStatuses.has(status)) {
return jsonNoStore({ ok: false, message: "ACCOUNT_STATUS_INVALID" }, { status: 400 });
}
try {
const saved = await setAuthAccountStatusByAdmin({
account,
status,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, account: publicAuthAccount(saved) });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore(
{ ok: false, message },
{ status: message === "ACCOUNT_NOT_FOUND" ? 404 : 400 },
);
}
}
if (action === "set_account_mfa_required") {
const account = stringValue(body.account);
if (!account) {
return jsonNoStore({ ok: false, message: "ACCOUNT_REQUIRED" }, { status: 400 });
}
try {
const saved = await setAuthAccountMfaRequiredByAdmin({
account,
required: body.required === true,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({
ok: true,
account: publicAuthAccount(saved),
mfaSetupSecret: body.required === true ? saved.mfaSecret : undefined,
});
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message === "ACCOUNT_NOT_FOUND" ? 404 : 400 });
}
}
if (action === "reset_account_password") {
const account = stringValue(body.account);
const password = stringValue(body.password);
if (!account || !password) {
return jsonNoStore({ ok: false, message: "ACCOUNT_OR_PASSWORD_INVALID" }, { status: 400 });
}
try {
const saved = await resetAuthAccountPasswordByAdmin({
account,
password,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, account: publicAuthAccount(saved) });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore(
{ ok: false, message },
{ status: message === "ACCOUNT_NOT_FOUND" ? 404 : 400 },
);
}
}
if (action === "upsert_company") {
const companyId = stringValue(body.companyId);
if (!companyId) {
return jsonNoStore({ ok: false, message: "COMPANY_ID_REQUIRED" }, { status: 400 });
}
const company = await upsertAdminCompanyByAdmin({
companyId,
name: stringValue(body.name),
ownerAccount: stringValue(body.ownerAccount),
successOwnerAccount: stringValue(body.successOwnerAccount),
planTier: validCompanyPlanTiers.has(stringValue(body.planTier))
? (stringValue(body.planTier) as "trial" | "standard" | "enterprise")
: undefined,
contractExpiresAt: stringValue(body.contractExpiresAt),
note: stringValue(body.note),
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, company });
}
if (action === "set_company_status") {
const companyId = stringValue(body.companyId);
const status = stringValue(body.status);
if (!companyId || !validCompanyStatuses.has(status)) {
return jsonNoStore({ ok: false, message: "COMPANY_STATUS_INVALID" }, { status: 400 });
}
try {
const result = await setAdminCompanyStatusByAdmin({
companyId,
status: status as "active" | "disabled",
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, ...result });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message === "COMPANY_NOT_FOUND" ? 404 : 400 });
}
}
if (action === "assign_account_company") {
const account = stringValue(body.account);
const companyId = stringValue(body.companyId);
if (!account || !companyId) {
return jsonNoStore({ ok: false, message: "ACCOUNT_OR_COMPANY_INVALID" }, { status: 400 });
}
try {
const saved = await assignAccountCompanyByAdmin({
account,
companyId,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, account: publicAuthAccount(saved) });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message.endsWith("_NOT_FOUND") ? 404 : 400 });
}
}
if (action === "assign_device_company") {
const deviceId = stringValue(body.deviceId);
const companyId = stringValue(body.companyId);
if (!deviceId || !companyId) {
return jsonNoStore({ ok: false, message: "DEVICE_OR_COMPANY_INVALID" }, { status: 400 });
}
try {
const device = await assignDeviceCompanyByAdmin({
deviceId,
companyId,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, device });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message.endsWith("_NOT_FOUND") ? 404 : 400 });
}
}
if (action === "bulk_import_accounts") {
const companyId = stringValue(body.companyId);
const accounts = accountImportValues(body.accounts);
if (!companyId || accounts.length === 0) {
return jsonNoStore({ ok: false, message: "BULK_IMPORT_INVALID" }, { status: 400 });
}
try {
const imported = await bulkImportAuthAccountsByAdmin({
companyId,
accounts,
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({ ok: true, imported: imported.map(publicAuthAccount) });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message.endsWith("_NOT_FOUND") ? 404 : 400 });
}
}
if (action === "preview_bulk_import_accounts") {
const companyId = stringValue(body.companyId);
const accounts = accountImportValues(body.accounts);
if (!companyId || accounts.length === 0) {
return jsonNoStore({ ok: false, message: "BULK_IMPORT_INVALID" }, { status: 400 });
}
try {
const preview = await previewBulkImportAuthAccountsByAdmin({
companyId,
accounts,
});
return jsonNoStore({ ok: true, preview });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message === "COMPANY_NOT_FOUND" ? 404 : 400 });
}
}
if (action === "reclaim_account") {
const account = stringValue(body.account);
if (!account) {
return jsonNoStore({ ok: false, message: "ACCOUNT_REQUIRED" }, { status: 400 });
}
try {
const result = await reclaimAuthAccountByAdmin({
account,
reason: stringValue(body.reason),
actorAccount: auth.session.account,
auditMeta,
});
return jsonNoStore({
ok: true,
account: publicAuthAccount(result.account),
removedGrants: result.removedGrants,
});
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: message === "ACCOUNT_NOT_FOUND" ? 404 : 400 });
}
}
if (action === "grant_device") {
const account = stringValue(body.account);
const deviceId = stringValue(body.deviceId);
const permissions = permissionValues(body.permissions);
if (!account || !deviceId || permissions.length === 0) {
return jsonNoStore({ ok: false, message: "DEVICE_GRANT_INVALID" }, { status: 400 });
}
const grant = await saveAccountDeviceGrant({
grantId: stringValue(body.grantId) || undefined,
account,
deviceId,
permissions,
grantedBy: auth.session.account,
expiresAt: stringValue(body.expiresAt) || undefined,
note: stringValue(body.note) || undefined,
auditMeta,
});
return jsonNoStore({ ok: true, grant });
}
if (action === "grant_project") {
const account = stringValue(body.account);
const projectId = stringValue(body.projectId);
const permissions = permissionValues(body.permissions);
if (!account || !projectId || permissions.length === 0) {
return jsonNoStore({ ok: false, message: "PROJECT_GRANT_INVALID" }, { status: 400 });
}
const grant = await saveAccountProjectGrant({
grantId: stringValue(body.grantId) || undefined,
account,
projectId,
deviceId: stringValue(body.deviceId) || undefined,
permissions,
inheritFromDeviceGrant: body.inheritFromDeviceGrant === true,
grantedBy: auth.session.account,
expiresAt: stringValue(body.expiresAt) || undefined,
note: stringValue(body.note) || undefined,
auditMeta,
});
return jsonNoStore({ ok: true, grant });
}
if (action === "grant_skill") {
const account = stringValue(body.account);
const skillId = stringValue(body.skillId);
const permissions = permissionValues(body.permissions);
if (!account || !skillId || permissions.length === 0) {
return jsonNoStore({ ok: false, message: "SKILL_GRANT_INVALID" }, { status: 400 });
}
const grant = await saveAccountSkillGrant({
grantId: stringValue(body.grantId) || undefined,
account,
skillId,
deviceId: stringValue(body.deviceId) || undefined,
projectId: stringValue(body.projectId) || undefined,
permissions,
grantedBy: auth.session.account,
expiresAt: stringValue(body.expiresAt) || undefined,
note: stringValue(body.note) || undefined,
auditMeta,
});
return jsonNoStore({ ok: true, grant });
}
if (action === "apply_template") {
const account = stringValue(body.account);
const templateId = stringValue(body.templateId);
const template = BOSS_PERMISSION_TEMPLATES.find((item) => item.templateId === templateId);
const deviceIds = stringArray(body.deviceIds);
const projectIds = stringArray(body.projectIds);
const skillIds = stringArray(body.skillIds);
if (!account || !template || deviceIds.length + projectIds.length + skillIds.length === 0) {
return jsonNoStore({ ok: false, message: "ACCESS_TEMPLATE_INVALID" }, { status: 400 });
}
const state = await readState();
if (!state.authAccounts.some((item) => item.account === account)) {
return jsonNoStore({ ok: false, message: "ACCOUNT_NOT_FOUND" }, { status: 404 });
}
const missingDevice = deviceIds.find((deviceId) => !state.devices.some((device) => device.id === deviceId));
const missingProject = projectIds.find((projectId) => !state.projects.some((project) => project.id === projectId));
const missingSkill = skillIds.find((skillId) => !state.deviceSkills.some((skill) => skill.skillId === skillId));
if (missingDevice || missingProject || missingSkill) {
return jsonNoStore({
ok: false,
message: "ACCESS_TEMPLATE_TARGET_NOT_FOUND",
missingDevice,
missingProject,
missingSkill,
}, { status: 404 });
}
const deviceGrants = [];
for (const deviceId of deviceIds) {
deviceGrants.push(await saveAccountDeviceGrant({
grantId: `grant-template-${idSegment(templateId)}-device-${idSegment(account)}-${idSegment(deviceId)}`,
account,
deviceId,
permissions: template.devicePermissions,
grantedBy: auth.session.account,
note: template.name,
auditMeta,
}));
}
const projectGrants = [];
for (const projectId of projectIds) {
projectGrants.push(await saveAccountProjectGrant({
grantId: `grant-template-${idSegment(templateId)}-project-${idSegment(account)}-${idSegment(projectId)}`,
account,
projectId,
permissions: template.projectPermissions,
grantedBy: auth.session.account,
note: template.name,
auditMeta,
}));
}
const skillGrants = [];
for (const skillId of skillIds) {
const skill = state.deviceSkills.find((item) => item.skillId === skillId);
skillGrants.push(await saveAccountSkillGrant({
grantId: `grant-template-${idSegment(templateId)}-skill-${idSegment(account)}-${idSegment(skillId)}`,
account,
skillId,
deviceId: skill?.deviceId,
permissions: template.skillPermissions,
grantedBy: auth.session.account,
note: template.name,
auditMeta,
}));
}
await appendPermissionAuditLog({
actorAccount: auth.session.account,
action: "grant.updated",
targetAccount: account,
permissions: [
...template.devicePermissions,
...template.projectPermissions,
...template.skillPermissions,
],
detail: `template:${template.templateId}`,
...auditMeta,
});
return jsonNoStore({
ok: true,
template,
grants: {
devices: deviceGrants,
projects: projectGrants,
skills: skillGrants,
},
});
}
if (action === "revoke_grant") {
const grantId = stringValue(body.grantId);
if (!grantId) {
return jsonNoStore({ ok: false, message: "GRANT_ID_REQUIRED" }, { status: 400 });
}
const grant = await revokeAccessGrant(grantId, auth.session.account, auditMeta);
return jsonNoStore({ ok: true, grant });
}
return jsonNoStore({ ok: false, message: "UNKNOWN_ACTION" }, { status: 400 });
}

219
src/app/api/v1/admin/backoffice/route.ts Normal file
View File

@@ -0,0 +1,219 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { BOSS_PERMISSION_TEMPLATES } from "@/lib/boss-access-templates";
import { buildAdminOverview } from "@/lib/boss-admin-overview";
import { readState, type BossState } from "@/lib/boss-data";
const MENU_TREE = [
{ key: "workbench", label: "工作台" },
{ key: "tenant", label: "租户管理" },
{ key: "user", label: "账号管理" },
{ key: "role", label: "角色权限" },
{
key: "resource",
label: "资源授权",
children: [
{ key: "resource.devices", label: "设备资源" },
{ key: "resource.projects", label: "项目线程" },
{ key: "resource.skills", label: "Skill 资源" },
],
},
{ key: "skills", label: "Skill 中心" },
{ key: "risk", label: "风险告警" },
{ key: "audit", label: "审计日志" },
{ key: "system", label: "系统设置" },
] as const;
function companyNameMap(state: BossState) {
return new Map(state.adminCompanies.map((company) => [company.companyId, company.name]));
}
function companyNameFor(state: BossState, companyId?: string) {
if (!companyId || companyId === "default") return "默认公司";
return companyNameMap(state).get(companyId) ?? companyId;
}
function safeUsers(state: BossState) {
return state.authAccounts.map((account) => ({
id: account.id,
account: account.account,
displayName: account.displayName,
role: account.role,
status: account.status ?? "active",
companyId: account.companyId ?? "default",
companyName: companyNameFor(state, account.companyId),
primaryDeviceId: account.primaryDeviceId,
codexNodeId: account.codexNodeId,
codexNodeLabel: account.codexNodeLabel,
lastLoginAt: account.lastLoginAt,
lastLoginMethod: account.lastLoginMethod,
mfaRequired: Boolean(account.mfaRequired),
createdAt: account.createdAt,
updatedAt: account.updatedAt,
}));
}
function skillResources(state: BossState) {
const byName = new Map<
string,
{
skillId: string;
name: string;
description: string;
category?: string;
invocation?: string;
sourceType: "device" | "catalog";
deviceCount: number;
devices: Array<{ deviceId: string; updatedAt: string }>;
updatedAt: string;
}
>();
for (const skill of state.deviceSkills) {
const existing = byName.get(skill.name);
if (existing) {
existing.deviceCount += existing.devices.some((device) => device.deviceId === skill.deviceId) ? 0 : 1;
existing.devices.push({ deviceId: skill.deviceId, updatedAt: skill.updatedAt });
if (skill.updatedAt.localeCompare(existing.updatedAt) > 0) {
existing.updatedAt = skill.updatedAt;
}
continue;
}
byName.set(skill.name, {
skillId: skill.skillId,
name: skill.name,
description: skill.description,
category: skill.category,
invocation: skill.invocation,
sourceType: "device",
deviceCount: 1,
devices: [{ deviceId: skill.deviceId, updatedAt: skill.updatedAt }],
updatedAt: skill.updatedAt,
});
}
for (const catalogItem of state.skillCatalog) {
if (byName.has(catalogItem.name)) continue;
byName.set(catalogItem.name, {
skillId: catalogItem.skillId,
name: catalogItem.name,
description: catalogItem.description,
category: catalogItem.category,
sourceType: "catalog",
deviceCount: 0,
devices: [],
updatedAt: catalogItem.updatedAt,
});
}
return [...byName.values()].sort(
(left, right) => right.deviceCount - left.deviceCount || left.name.localeCompare(right.name, "zh-CN"),
);
}
function projectResources(state: BossState) {
return state.projects.map((project) => ({
id: project.id,
name: project.name,
deviceIds: project.deviceIds,
deviceCount: project.deviceIds.length,
folderName: project.threadMeta.folderName,
threadId: project.threadMeta.threadId,
threadDisplayName: project.threadMeta.threadDisplayName,
isGroup: project.isGroup,
collaborationMode: project.collaborationMode,
unreadCount: project.unreadCount,
riskLevel: project.riskLevel,
updatedAt: project.updatedAt,
lastMessageAt: project.lastMessageAt,
}));
}
function rolesContract() {
return {
builtInRoles: [
{
role: "highest_admin",
label: "超级管理员",
description: "平台侧最高权限可管理全部公司、账号、设备、项目、Skill、风险和审计。",
},
{
role: "admin",
label: "企业管理员",
description: "企业内管理员,按授权范围管理本公司资源。",
},
{
role: "member",
label: "成员账号",
description: "企业子账号,只能访问已分配的电脑、项目和 Skill。",
},
],
permissionTemplates: BOSS_PERMISSION_TEMPLATES,
};
}
function buildBackofficePayload(state: BossState) {
const overview = buildAdminOverview(state);
const skills = skillResources(state);
return {
ok: true,
menuTree: MENU_TREE,
workbench: {
summary: overview.summary,
companies: overview.companies.slice(0, 10),
devices: overview.devices.slice(0, 20),
risks: overview.risks.slice(0, 20),
notifications: overview.notifications,
grantsSummary: overview.grantsSummary,
},
tenants: overview.companies.map((company) => ({
...company,
lifecycleStatus: company.status ?? "active",
})),
users: safeUsers(state),
roles: rolesContract(),
resourceGroups: {
devices: overview.devices,
projects: projectResources(state),
skills,
grants: {
devices: state.accountDeviceGrants,
projects: state.accountProjectGrants,
skills: state.accountSkillGrants,
},
},
audit: {
risks: overview.risks,
notifications: overview.notifications,
riskTimeline: overview.riskTimeline,
permissionLogs: state.permissionAuditLogs
.slice()
.sort((left, right) => right.createdAt.localeCompare(left.createdAt))
.slice(0, 100),
},
yudaoMapping: {
tenant: "adminCompanies",
user: "authAccounts",
role: "BOSS_PERMISSION_TEMPLATES",
menu: "menuTree",
operateLog: "permissionAuditLogs",
resource: "devices/projects/deviceSkills",
risk: "opsFaults/threadContextAlerts/masterAgentTasks/adminNotifications",
},
};
}
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const state = await readState();
return jsonNoStore(buildBackofficePayload(state));
}

29
src/app/api/v1/admin/notifications/dispatch/route.ts Normal file
View File

@@ -0,0 +1,29 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import { dispatchAdminRiskNotifications } from "@/lib/boss-data";
function forbidden() {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return forbidden();
}
const body = (await request.json().catch(() => ({}))) as { max?: number };
const result = await dispatchAdminRiskNotifications({
actorAccount: session.account,
max: typeof body.max === "number" && Number.isFinite(body.max) ? body.max : undefined,
});
return jsonNoStore({ ok: true, ...result });
}

21
src/app/api/v1/admin/overview/route.ts Normal file
View File

@@ -0,0 +1,21 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { buildAdminOverview } from "@/lib/boss-admin-overview";
import { readState } from "@/lib/boss-data";
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const state = await readState();
return jsonNoStore({
ok: true,
...buildAdminOverview(state),
});
}

67
src/app/api/v1/admin/risks/actions/route.ts Normal file
View File

@@ -0,0 +1,67 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import { handleAdminRiskAction, type AdminRiskAction } from "@/lib/boss-data";
const validActions = new Set<AdminRiskAction>(["ack", "resolve", "create_repair_ticket", "assign_owner", "set_sla"]);
function stringValue(value: unknown) {
return typeof value === "string" ? value.trim() : "";
}
function statusForError(error: unknown) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
if (message === "RISK_TARGET_NOT_FOUND") return 404;
if (
message === "RISK_ACTION_UNSUPPORTED" ||
message === "RISK_ID_INVALID" ||
message === "RISK_OWNER_REQUIRED" ||
message === "RISK_SLA_REQUIRED"
) return 400;
return 500;
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const body = (await request.json().catch(() => ({}))) as Record<string, unknown>;
const riskId = stringValue(body.riskId);
const action = stringValue(body.action) as AdminRiskAction;
if (!riskId || !validActions.has(action)) {
return jsonNoStore({ ok: false, message: "RISK_ACTION_INVALID" }, { status: 400 });
}
const ownerAccount = stringValue(body.ownerAccount);
const slaDueAt = stringValue(body.slaDueAt);
const note = stringValue(body.note);
if (action === "assign_owner" && !ownerAccount) {
return jsonNoStore({ ok: false, message: "RISK_OWNER_REQUIRED" }, { status: 400 });
}
if (action === "set_sla" && !slaDueAt) {
return jsonNoStore({ ok: false, message: "RISK_SLA_REQUIRED" }, { status: 400 });
}
try {
const result = await handleAdminRiskAction({
riskId,
action,
actorAccount: session.account,
ownerAccount,
slaDueAt,
note,
});
return jsonNoStore({ ok: true, riskId, action, ...result });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: statusForError(error) });
}
}

27
src/app/api/v1/admin/risks/scan/route.ts Normal file
View File

@@ -0,0 +1,27 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import { scanAdminRiskNotifications } from "@/lib/boss-data";
function forbidden() {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return forbidden();
}
const result = await scanAdminRiskNotifications({
actorAccount: session.account,
});
return jsonNoStore({ ok: true, ...result });
}

110
src/app/api/v1/admin/skills/requests/route.ts Normal file
View File

@@ -0,0 +1,110 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { buildRequestAuditMeta } from "@/lib/boss-audit";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import {
createSkillLifecycleRequest,
readState,
type SkillLifecycleAction,
} from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
const validActions = new Set<SkillLifecycleAction>([
"install",
"update",
"uninstall",
"rollback",
"version_lock",
]);
function stringValue(value: unknown) {
return typeof value === "string" ? value.trim() : "";
}
function forbidden() {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
async function requireHighestAdmin(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return { ok: false as const, response: jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 }) };
}
if (session.role !== "highest_admin") {
return { ok: false as const, response: forbidden() };
}
return { ok: true as const, session };
}
export async function GET(request: NextRequest) {
const auth = await requireHighestAdmin(request);
if (!auth.ok) {
return auth.response;
}
const state = await readState();
return jsonNoStore({
ok: true,
requests: [...state.skillLifecycleRequests].sort((left, right) =>
right.requestedAt.localeCompare(left.requestedAt),
),
});
}
export async function POST(request: NextRequest) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const auth = await requireHighestAdmin(request);
if (!auth.ok) {
return auth.response;
}
const body = (await request.json().catch(() => ({}))) as Record<string, unknown>;
const action = stringValue(body.action) as SkillLifecycleAction;
const deviceId = stringValue(body.deviceId);
const skillId = stringValue(body.skillId);
const sourceUrl = stringValue(body.sourceUrl);
const trustedSource = stringValue(body.trustedSource);
const trustedSourceId = stringValue(body.trustedSourceId);
if (!validActions.has(action)) {
return jsonNoStore({ ok: false, message: "SKILL_ACTION_INVALID" }, { status: 400 });
}
if (!deviceId) {
return jsonNoStore({ ok: false, message: "DEVICE_ID_REQUIRED" }, { status: 400 });
}
if (!skillId && !sourceUrl && !trustedSource && !trustedSourceId) {
return jsonNoStore({ ok: false, message: "SKILL_ID_OR_SOURCE_URL_REQUIRED" }, { status: 400 });
}
const state = await readState();
if (!state.devices.some((device) => device.id === deviceId)) {
return jsonNoStore({ ok: false, message: "DEVICE_NOT_FOUND" }, { status: 404 });
}
if (
skillId &&
!state.deviceSkills.some((skill) => skill.deviceId === deviceId && skill.skillId === skillId)
) {
return jsonNoStore({ ok: false, message: "SKILL_NOT_FOUND" }, { status: 404 });
}
const requestRecord = await createSkillLifecycleRequest({
action,
deviceId,
skillId: skillId || undefined,
sourceUrl: sourceUrl || undefined,
trustedSource: trustedSource || undefined,
trustedSourceId: trustedSourceId || undefined,
checksum: stringValue(body.checksum) || undefined,
expectedChecksum: stringValue(body.expectedChecksum) || undefined,
targetVersion: stringValue(body.targetVersion) || undefined,
rollbackToVersion: stringValue(body.rollbackToVersion) || undefined,
lockedVersion: stringValue(body.lockedVersion) || undefined,
requestedBy: auth.session.account,
note: stringValue(body.note) || undefined,
auditMeta: buildRequestAuditMeta(request),
});
return jsonNoStore({ ok: true, request: requestRecord });
}

24
src/app/api/v1/audits/permission-logs/route.ts Normal file
View File

@@ -0,0 +1,24 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { jsonNoStore } from "@/lib/api-response";
import { permissionAuditQueryFromSearchParams, queryPermissionAuditLogs, summarizePermissionAuditRisks } from "@/lib/boss-audit";
import { readState } from "@/lib/boss-data";
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (session.role !== "highest_admin") {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const state = await readState();
const query = permissionAuditQueryFromSearchParams(request.nextUrl.searchParams);
const result = queryPermissionAuditLogs(state.permissionAuditLogs, query);
return jsonNoStore({
ok: true,
...result,
riskSummary: summarizePermissionAuditRisks(state),
});
}

75
src/app/api/v1/auth/sessions/route.ts Normal file
View File

@@ -0,0 +1,75 @@
import { NextRequest } from "next/server";
import { AUTH_SESSION_COOKIE, requireRequestSession } from "@/lib/boss-auth";
import { readState, revokeAuthSessionById } from "@/lib/boss-data";
import type { AuthSession } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
function isActiveSession(session: AuthSession) {
return !session.revokedAt && new Date(session.expiresAt).getTime() > Date.now();
}
function publicSession(session: AuthSession, currentToken?: string | null) {
return {
sessionId: session.sessionId,
account: session.account,
role: session.role,
displayName: session.displayName,
loginMethod: session.loginMethod,
createdAt: session.createdAt,
expiresAt: session.expiresAt,
lastSeenAt: session.lastSeenAt,
current: Boolean(currentToken && session.sessionToken === currentToken),
};
}
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const currentToken = request.cookies.get(AUTH_SESSION_COOKIE)?.value;
const state = await readState();
const sessions = state.authSessions
.filter(isActiveSession)
.filter((item) => session.role === "highest_admin" || item.account === session.account)
.sort((left, right) => right.lastSeenAt.localeCompare(left.lastSeenAt))
.map((item) => publicSession(item, currentToken));
return jsonNoStore({ ok: true, sessions });
}
export async function POST(request: NextRequest) {
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const body = (await request.json().catch(() => ({}))) as {
action?: string;
sessionId?: string;
};
if (body.action !== "revoke_session") {
return jsonNoStore({ ok: false, message: "UNKNOWN_ACTION" }, { status: 400 });
}
if (!body.sessionId?.trim()) {
return jsonNoStore({ ok: false, message: "SESSION_ID_REQUIRED" }, { status: 400 });
}
try {
const revoked = await revokeAuthSessionById({
sessionId: body.sessionId.trim(),
actorAccount: session.account,
actorRole: session.role,
});
if (!revoked) {
return jsonNoStore({ ok: false, message: "SESSION_NOT_FOUND" }, { status: 404 });
}
return jsonNoStore({ ok: true, session: publicSession(revoked) });
} catch (error) {
if (error instanceof Error && error.message === "FORBIDDEN_AUTH_SESSION") {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
throw error;
}
}

4
src/app/api/v1/conversation-folders/[folderKey]/route.ts
View File

@@ -1,6 +1,6 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getConversationFolderView } from "@/lib/boss-projections";
import { getConversationFolderViewForSession } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
@@ -14,7 +14,7 @@ export async function GET(
}
const { folderKey } = await context.params;
const state = await readState();
const folder = getConversationFolderView(state, decodeURIComponent(folderKey));
const folder = getConversationFolderViewForSession(state, session, decodeURIComponent(folderKey));
if (!folder) {
return jsonNoStore({ ok: false, message: "FOLDER_NOT_FOUND" }, { status: 404 });
}

4
src/app/api/v1/conversations/home/route.ts
View File

@@ -1,6 +1,6 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getConversationHomeItems } from "@/lib/boss-projections";
import { getConversationHomeItemsForSession } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
@@ -12,6 +12,6 @@ export async function GET(request: NextRequest) {
const state = await readState();
return jsonNoStore({
ok: true,
conversations: getConversationHomeItems(state),
conversations: getConversationHomeItemsForSession(state, session),
});
}

4
src/app/api/v1/conversations/route.ts
View File

@@ -1,6 +1,6 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getConversationItems } from "@/lib/boss-projections";
import { getConversationItemsForSession } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
@@ -12,6 +12,6 @@ export async function GET(request: NextRequest) {
const state = await readState();
return jsonNoStore({
ok: true,
conversations: getConversationItems(state),
conversations: getConversationItemsForSession(state, session),
});
}

39
src/app/api/v1/devices/[deviceId]/skill-requests/[requestId]/complete/route.ts Normal file
View File

@@ -0,0 +1,39 @@
import { NextRequest, NextResponse } from "next/server";
import { authorizeDeviceWriteRequest } from "@/lib/boss-device-auth";
import { completeSkillLifecycleRequest } from "@/lib/boss-data";
export async function POST(
request: NextRequest,
context: { params: Promise<{ deviceId: string; requestId: string }> },
) {
const { deviceId, requestId } = await context.params;
const auth = await authorizeDeviceWriteRequest(request, deviceId);
if (!auth.ok) {
return NextResponse.json({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (!auth.device) {
return NextResponse.json({ ok: false, message: "DEVICE_NOT_FOUND" }, { status: 404 });
}
const body = (await request.json().catch(() => ({}))) as {
status?: "completed" | "failed";
resultSummary?: string;
error?: string;
};
try {
const skillRequest = await completeSkillLifecycleRequest({
requestId,
deviceId,
status: body.status === "failed" ? "failed" : "completed",
resultSummary: typeof body.resultSummary === "string" ? body.resultSummary : undefined,
error: typeof body.error === "string" ? body.error : undefined,
});
return NextResponse.json({ ok: true, request: skillRequest });
} catch (error) {
return NextResponse.json(
{ ok: false, message: error instanceof Error ? error.message : "UNKNOWN_ERROR" },
{ status: 400 },
);
}
}

20
src/app/api/v1/devices/[deviceId]/skill-requests/claim/route.ts Normal file
View File

@@ -0,0 +1,20 @@
import { NextRequest, NextResponse } from "next/server";
import { authorizeDeviceWriteRequest } from "@/lib/boss-device-auth";
import { claimNextSkillLifecycleRequest } from "@/lib/boss-data";
export async function POST(
request: NextRequest,
context: { params: Promise<{ deviceId: string }> },
) {
const { deviceId } = await context.params;
const auth = await authorizeDeviceWriteRequest(request, deviceId);
if (!auth.ok) {
return NextResponse.json({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
if (!auth.device) {
return NextResponse.json({ ok: false, message: "DEVICE_NOT_FOUND" }, { status: 404 });
}
const skillRequest = await claimNextSkillLifecycleRequest(deviceId);
return NextResponse.json({ ok: true, request: skillRequest });
}

18
src/app/api/v1/devices/[deviceId]/skills/route.ts
View File

@@ -3,6 +3,7 @@ import { requireRequestSession } from "@/lib/boss-auth";
import { authorizeDeviceWriteRequest } from "@/lib/boss-device-auth";
import { readState, upsertDeviceSkills } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
import { canAccessDevice, canViewSkill } from "@/lib/boss-permissions";
export async function GET(
request: NextRequest,
@@ -18,13 +19,24 @@ export async function GET(
if (!device) {
return jsonNoStore({ ok: false, message: "DEVICE_NOT_FOUND" }, { status: 404 });
}
const deviceSkills = state.deviceSkills
.filter((item) => item.deviceId === deviceId)
.sort((a, b) => a.name.localeCompare(b.name, "zh-CN"));
const visibleSkills = session.role === "highest_admin"
? deviceSkills
: deviceSkills.filter((skill) => canViewSkill(state, session, skill.skillId, { deviceId }));
if (
session.role !== "highest_admin" &&
!canAccessDevice(state, session, deviceId, "device.view") &&
visibleSkills.length === 0
) {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
return jsonNoStore({
ok: true,
device,
skills: state.deviceSkills
.filter((item) => item.deviceId === deviceId)
.sort((a, b) => a.name.localeCompare(b.name, "zh-CN")),
skills: visibleSkills,
});
}

11
src/app/api/v1/devices/route.ts
View File

@@ -1,8 +1,9 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getDeviceWorkspaceView } from "@/lib/boss-projections";
import { getDeviceWorkspaceViewForSession } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
import { filterDevicesForSession } from "@/lib/boss-permissions";
export async function GET(request: NextRequest) {
const session = await requireRequestSession(request);
@@ -12,11 +13,13 @@ export async function GET(request: NextRequest) {
const url = new URL(request.url);
const deviceId = url.searchParams.get("device");
const state = await readState();
const devices = filterDevicesForSession(state, session);
const visibleDeviceIds = new Set(devices.map((device) => device.id));
return jsonNoStore({
ok: true,
devices: state.devices,
enrollments: state.deviceEnrollments,
workspace: getDeviceWorkspaceView(state, deviceId ?? undefined),
devices,
enrollments: state.deviceEnrollments.filter((item) => visibleDeviceIds.has(item.deviceId)),
workspace: getDeviceWorkspaceViewForSession(state, session, deviceId ?? undefined),
});
}

82
src/app/api/v1/dialog-guard/interventions/[interventionId]/decision/route.ts Normal file
View File

@@ -0,0 +1,82 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import { requireRequestSession } from "@/lib/boss-auth";
import { requireCsrfSafeMutation } from "@/lib/boss-csrf";
import {
readState,
resolveDialogGuardInterventionDecision,
type DialogGuardInterventionAction,
} from "@/lib/boss-data";
import { canAccessDevice, canAccessProject } from "@/lib/boss-permissions";
const validDecisions = new Set<DialogGuardInterventionAction>([
"allow_once",
"allow_for_device_dialog",
"deny",
"handled_on_device",
"cancel_task",
]);
function stringValue(value: unknown) {
return typeof value === "string" ? value.trim() : "";
}
function statusForError(error: unknown) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
if (message === "DIALOG_GUARD_INTERVENTION_NOT_FOUND") return 404;
if (
message === "DIALOG_GUARD_INTERVENTION_ALREADY_RESOLVED" ||
message === "DIALOG_GUARD_DECISION_NOT_AVAILABLE"
) {
return 409;
}
return 400;
}
export async function POST(
request: NextRequest,
context: { params: Promise<{ interventionId: string }> },
) {
const csrf = requireCsrfSafeMutation(request);
if (csrf) return csrf;
const session = await requireRequestSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const { interventionId } = await context.params;
const state = await readState();
const intervention = state.dialogGuardInterventions.find(
(item) => item.interventionId === interventionId,
);
if (!intervention) {
return jsonNoStore({ ok: false, message: "DIALOG_GUARD_INTERVENTION_NOT_FOUND" }, { status: 404 });
}
const canResolve =
session.role === "highest_admin" ||
canAccessProject(state, session, intervention.projectId, "computer.control") ||
canAccessDevice(state, session, intervention.deviceId, "device.manage");
if (!canResolve) {
return jsonNoStore({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const body = (await request.json().catch(() => ({}))) as Record<string, unknown>;
const decision = stringValue(body.decision) as DialogGuardInterventionAction;
if (!validDecisions.has(decision)) {
return jsonNoStore({ ok: false, message: "DIALOG_GUARD_DECISION_INVALID" }, { status: 400 });
}
try {
const resolved = await resolveDialogGuardInterventionDecision({
interventionId,
actorAccount: session.account,
decision,
note: stringValue(body.note),
});
return jsonNoStore({ ok: true, intervention: resolved });
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return jsonNoStore({ ok: false, message }, { status: statusForError(error) });
}
}

111
src/app/api/v1/integrations/telegram/route.ts Normal file
View File

@@ -0,0 +1,111 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import {
getAuthorizedTelegramConfigSession,
getTelegramIntegrationView,
probeTelegramBot,
saveTelegramIntegrationConfig,
syncTelegramWebhookRegistration,
} from "@/lib/telegram-gateway";
export async function GET(request: NextRequest) {
const session = await getAuthorizedTelegramConfigSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
return jsonNoStore({ ok: true, telegram: await getTelegramIntegrationView() });
}
export async function POST(request: NextRequest) {
const session = await getAuthorizedTelegramConfigSession(request);
if (!session) {
return jsonNoStore({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const body = (await request.json().catch(() => ({}))) as {
enabled?: boolean;
mode?: "webhook" | "polling";
botToken?: string;
botUsername?: string;
dmPolicy?: "allowlist" | "open" | "disabled";
allowFrom?: string[];
groupPolicy?: "allowlist" | "open" | "disabled";
groups?: string[];
requireMentionInGroups?: boolean;
defaultProjectId?: string;
groupProjectRoutes?: Array<{ chatId: string; threadId?: number; projectId: string; label?: string }>;
webhookSecret?: string;
webhookUrl?: string;
testConnection?: boolean;
};
let telegram = await saveTelegramIntegrationConfig({
enabled: body.enabled === true,
mode: body.mode,
botToken: body.botToken,
botUsername: body.botUsername,
dmPolicy: body.dmPolicy,
allowFrom: body.allowFrom,
groupPolicy: body.groupPolicy,
groups: body.groups,
requireMentionInGroups: body.requireMentionInGroups,
defaultProjectId: body.defaultProjectId,
groupProjectRoutes: body.groupProjectRoutes,
webhookSecret: body.webhookSecret,
webhookUrl: body.webhookUrl,
configuredBy: session.account,
});
let webhookSync:
| { ok: true; action: "set_webhook" | "delete_webhook" | "skipped"; reason?: string }
| undefined;
try {
webhookSync = await syncTelegramWebhookRegistration();
} catch (error) {
return jsonNoStore(
{
ok: false,
telegram,
message: error instanceof Error ? error.message : "TELEGRAM_WEBHOOK_SYNC_FAILED",
},
{ status: 400 },
);
}
if (!body.testConnection) {
return jsonNoStore({ ok: true, telegram, webhookSync });
}
try {
const probe = await probeTelegramBot();
if (probe.username && probe.username !== telegram.botUsername) {
telegram = await saveTelegramIntegrationConfig({
enabled: body.enabled === true,
mode: body.mode,
botToken: body.botToken,
botUsername: probe.username,
dmPolicy: body.dmPolicy,
allowFrom: body.allowFrom,
groupPolicy: body.groupPolicy,
groups: body.groups,
requireMentionInGroups: body.requireMentionInGroups,
defaultProjectId: body.defaultProjectId,
groupProjectRoutes: body.groupProjectRoutes,
webhookSecret: body.webhookSecret,
webhookUrl: body.webhookUrl,
configuredBy: session.account,
});
}
return jsonNoStore({ ok: true, telegram, probe, webhookSync });
} catch (error) {
return jsonNoStore(
{
ok: false,
telegram,
webhookSync,
message: error instanceof Error ? error.message : "TELEGRAM_PROBE_FAILED",
},
{ status: 400 },
);
}
}

6
src/app/api/v1/integrations/telegram/webhook/route.ts Normal file
View File

@@ -0,0 +1,6 @@
import { NextRequest } from "next/server";
import { handleTelegramWebhookRequest } from "@/lib/telegram-gateway";
export async function POST(request: NextRequest) {
return handleTelegramWebhookRequest({ request });
}

37
src/app/api/v1/master-agent/tasks/[taskId]/complete/route.ts
View File

@@ -1,7 +1,9 @@
import { NextRequest, NextResponse } from "next/server";
import { authorizeDeviceWriteRequest } from "@/lib/boss-device-auth";
import type { ExecutionProgressInput } from "@/lib/boss-data";
import { completeMasterAgentTask } from "@/lib/boss-data";
import { normalizeRemoteExecutionResult } from "@/lib/execution/remote-runtime-adapter";
import { deliverTelegramReplyForCompletedTask } from "@/lib/telegram-gateway";
export async function POST(
request: NextRequest,
@@ -9,14 +11,25 @@ export async function POST(
) {
const body = (await request.json().catch(() => ({}))) as {
deviceId?: string;
status?: "completed" | "failed";
status?: "completed" | "failed" | "needs_user_action";
kind?: string;
replyBody?: string;
errorMessage?: string;
requestId?: string;
dialogId?: string;
appName?: string;
platform?: string;
risk?: "low" | "medium" | "high";
summary?: string;
recommendedAction?: "allow_once" | "allow_for_device_dialog" | "deny" | "handled_on_device" | "cancel_task";
availableActions?: Array<"allow_once" | "allow_for_device_dialog" | "deny" | "handled_on_device" | "cancel_task">;
dispatchExecutionId?: string;
targetProjectId?: string;
targetThreadId?: string;
targetUrl?: string;
targetApp?: string;
rawThreadReply?: string;
executionProgress?: ExecutionProgressInput;
};
if (!body.deviceId?.trim()) {
@@ -31,6 +44,24 @@ export async function POST(
const { taskId } = await context.params;
try {
if (body.status === "needs_user_action") {
const task = await completeMasterAgentTask({
taskId,
deviceId: body.deviceId.trim(),
status: "needs_user_action",
kind: body.kind,
requestId: body.requestId,
dialogId: body.dialogId,
appName: body.appName,
platform: body.platform,
risk: body.risk,
summary: body.summary,
recommendedAction: body.recommendedAction,
availableActions: Array.isArray(body.availableActions) ? body.availableActions : undefined,
});
return NextResponse.json({ ok: true, task });
}
const normalized = normalizeRemoteExecutionResult({
...body,
status: body.status === "failed" ? "failed" : "completed",
@@ -45,8 +76,12 @@ export async function POST(
dispatchExecutionId: normalized.dispatchExecutionId,
targetProjectId: normalized.targetProjectId,
targetThreadId: normalized.targetThreadId,
targetUrl: normalized.targetUrl,
targetApp: normalized.targetApp,
rawThreadReply: normalized.rawThreadReply,
executionProgress: normalized.executionProgress,
});
await deliverTelegramReplyForCompletedTask(task.taskId).catch(() => null);
return NextResponse.json({ ok: true, task });
} catch (error) {
return NextResponse.json(

647
src/app/api/v1/projects/[projectId]/messages/route.ts
View File

@@ -4,22 +4,30 @@ import {
appendProjectMessage,
appendProjectMessages,
buildCollaborationGate,
deleteProjectMessage,
getProjectAgentControls,
hasProjectSummarySyncNotifyPreferenceInState,
rememberProjectSummarySyncNotifyPreference,
readState,
requestProjectUnderstandingSyncForProject,
updateProjectAgentControls,
} from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
import { buildProjectMessagesRealtimePayload } from "@/lib/boss-projections";
import { buildProjectMessagesRealtimePayloadForSession } from "@/lib/boss-projections";
import { canAccessProject } from "@/lib/boss-permissions";
import {
buildMasterAgentProjectSummarySyncAck,
getThreadConversationExecutionConflict,
queueGroupDispatchPlan,
queueThreadConversationReplyTask,
replyToMasterAgentUserMessage,
resolveMasterAgentProjectSummarySyncTarget,
shouldRecommendMasterAgentDispatchPlan,
ThreadConversationExecutionConflictError,
tryBuildLocalMasterAgentFastReply,
} from "@/lib/boss-master-agent";
import { evaluatePermissionPolicy } from "@/lib/execution/permission-policy";
import type { Message } from "@/lib/boss-data";
function dispatchFailureNotice(error?: string) {
switch (error) {
@@ -45,6 +53,10 @@ function threadConversationFailureMessage(error?: string) {
}
}
function forbiddenResponse(message = "FORBIDDEN") {
return NextResponse.json({ ok: false, message }, { status: 403 });
}
export async function GET(
request: NextRequest,
context: { params: Promise<{ projectId: string }> },
@@ -56,7 +68,14 @@ export async function GET(
const { projectId } = await context.params;
const state = await readState();
const payload = buildProjectMessagesRealtimePayload(state, projectId);
const projectExists = state.projects.some((project) => project.id === projectId);
if (!canAccessProject(state, session, projectId, "project.view")) {
return jsonNoStore(
{ ok: false, message: projectExists ? "FORBIDDEN" : "PROJECT_NOT_FOUND" },
{ status: projectExists ? 403 : 404 },
);
}
const payload = buildProjectMessagesRealtimePayloadForSession(state, session, projectId);
if (!payload) {
return jsonNoStore({ ok: false, message: "PROJECT_NOT_FOUND" }, { status: 404 });
}
@@ -81,13 +100,38 @@ export async function POST(
try {
const state = await readState();
const project = state.projects.find((item) => item.id === projectId);
if (!project) {
return NextResponse.json({ ok: false, message: "PROJECT_NOT_FOUND" }, { status: 404 });
}
const requestKind = body.kind ?? "text";
const requestText = (body.body ?? "").trim();
const masterAgentMention =
project && projectId !== "master-agent" && requestKind === "text"
? parseMasterAgentMention(requestText)
: null;
if (!canAccessProject(state, session, projectId, "project.view")) {
return forbiddenResponse();
}
if (masterAgentMention || projectId === "master-agent") {
if (!canAccessProject(state, session, projectId, "master_agent.ask")) {
return forbiddenResponse("MASTER_AGENT_FORBIDDEN");
}
} else if (!canAccessProject(state, session, projectId, "thread.chat")) {
return forbiddenResponse("THREAD_CHAT_FORBIDDEN");
}
const masterAgentProjectSummarySyncTarget =
projectId === "master-agent" && requestKind === "text"
? resolveMasterAgentProjectSummarySyncTarget(state, requestText)
: null;
const shouldCreateDispatchPlan =
!masterAgentMention &&
!masterAgentProjectSummarySyncTarget &&
Boolean(project) &&
((project?.isGroup && project.id !== "master-agent") ||
(project?.id === "master-agent" &&
shouldRecommendMasterAgentDispatchPlan(state, (body.body ?? "").trim()))) &&
(body.kind ?? "text") === "text" &&
(body.body ?? "").trim().length > 0;
shouldRecommendMasterAgentDispatchPlan(state, requestText))) &&
requestKind === "text" &&
requestText.length > 0;
const pendingPlan = shouldCreateDispatchPlan
? [...state.dispatchPlans]
@@ -101,7 +145,7 @@ export async function POST(
hasPendingDispatchPlan: Boolean(pendingPlan),
});
if (!permission.allowed) {
if (!permission.allowed && !masterAgentMention) {
return NextResponse.json(
{
ok: false,
@@ -114,11 +158,12 @@ export async function POST(
}
const isSingleThreadTextMessage =
!masterAgentMention &&
Boolean(project) &&
projectId !== "master-agent" &&
!project?.isGroup &&
(body.kind ?? "text") === "text" &&
(body.body ?? "").trim().length > 0;
requestKind === "text" &&
requestText.length > 0;
const singleThreadAgentControls = isSingleThreadTextMessage
? await getProjectAgentControls(projectId, session.account)
: null;
@@ -139,9 +184,198 @@ export async function POST(
);
}
if (projectId === "master-agent" && (body.kind ?? "text") === "text" && (body.body ?? "").trim()) {
if (masterAgentMention && project) {
const message = await appendProjectMessage({
projectId,
senderLabel: session.displayName || "你",
body: body.body,
kind: requestKind,
});
if (shouldDisableCurrentProjectTakeoverFromMasterMention(masterAgentMention.requestText)) {
await updateProjectAgentControls(projectId, { takeoverEnabled: false }, session.account);
const nextState = await readState();
const nextProject = nextState.projects.find((item) => item.id === projectId) ?? project;
const replyMessage = await appendProjectMessage({
projectId,
sender: "master",
senderLabel: "主 Agent",
body: buildMasterMentionTakeoverDisabledReply(nextProject),
kind: "text",
});
return NextResponse.json({
ok: true,
message,
replyMessage,
masterReply: {
ok: true,
masterReplyState: "completed",
replyMessage,
},
task: null,
replyPresenter: "master",
masterReplyState: "completed",
dispatchPlan: null,
dispatchRecommendation: {
ok: false,
status: "skipped",
},
collaborationGate: buildCollaborationGate(nextProject),
});
}
if (shouldEnableCurrentProjectTakeoverFromMasterMention(masterAgentMention.requestText)) {
await updateProjectAgentControls(projectId, { takeoverEnabled: true }, session.account);
const nextState = await readState();
const nextProject = nextState.projects.find((item) => item.id === projectId) ?? project;
const replyMessage = await appendProjectMessage({
projectId,
sender: "master",
senderLabel: "主 Agent",
body: buildMasterMentionTakeoverEnabledReply(nextProject),
kind: "text",
});
return NextResponse.json({
ok: true,
message,
replyMessage,
masterReply: {
ok: true,
masterReplyState: "completed",
replyMessage,
},
task: null,
replyPresenter: "master",
masterReplyState: "completed",
dispatchPlan: null,
dispatchRecommendation: {
ok: false,
status: "skipped",
},
collaborationGate: buildCollaborationGate(nextProject),
});
}
if (!project.isGroup && shouldRequestVerifiedProjectSummarySync(masterAgentMention.requestText)) {
const explicitNotify = shouldNotifyAfterProjectSummarySync(masterAgentMention.requestText);
const rememberPreference =
explicitNotify && shouldRememberProjectSummarySyncNotice(masterAgentMention.requestText);
const rememberedPreference =
rememberPreference || hasProjectSummarySyncNotifyPreferenceInState(state, session.account);
if (rememberPreference) {
await rememberProjectSummarySyncNotifyPreference({
account: session.account,
sourceMessageId: message.id,
});
}
const syncTask = await requestProjectUnderstandingSyncForProject({
projectId,
observedActivityAt: message.sentAt,
reason: "thread_reply",
replyProjectId: projectId,
notifyOnCompletion: explicitNotify || rememberedPreference,
requestedByAccount: session.account,
});
const replyMessage = await appendProjectMessage({
projectId,
sender: "master",
senderLabel: "主 Agent",
body: buildMasterAgentProjectSummarySyncAck(project, {
notifyOnCompletion: explicitNotify || rememberedPreference,
rememberedPreference: rememberPreference,
}),
kind: "system_notice",
});
return NextResponse.json({
ok: true,
message,
replyMessage,
masterReply: {
ok: true,
taskId: syncTask?.taskId,
masterReplyState: syncTask ? "queued" : "completed",
task: syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply" as const,
status: "queued" as const,
}
: undefined,
replyMessage,
},
task: syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply" as const,
status: "queued" as const,
}
: null,
replyPresenter: "master",
masterReplyState: syncTask ? "queued" : "completed",
dispatchPlan: null,
dispatchRecommendation: {
ok: false,
status: "skipped",
},
collaborationGate: buildCollaborationGate(project),
});
}
const masterReply = await replyToMasterAgentUserMessage({
requestMessageId: message.id,
requestText: masterAgentMention.requestText,
requestedBy: session.displayName || session.account,
requestedByAccount: session.account,
currentSessionExpiresAt: session.expiresAt,
projectId,
interactionMode: "direct",
mode: "smart",
});
const mentionMasterReply = masterReply as {
ok?: boolean;
taskId?: string;
masterReplyState?: "queued" | "running" | "completed";
task?: {
taskId: string;
taskType: "conversation_reply";
status: "queued" | "running" | "completed";
};
replyMessage?: Awaited<ReturnType<typeof appendProjectMessage>>;
};
const task = mentionMasterReply.taskId
? mentionMasterReply.task ?? {
taskId: mentionMasterReply.taskId,
taskType: "conversation_reply" as const,
status: mentionMasterReply.masterReplyState ?? "queued",
}
: null;
return NextResponse.json({
ok: true,
message,
replyMessage: mentionMasterReply.replyMessage,
masterReply,
task,
replyPresenter: "master",
masterReplyState: mentionMasterReply.masterReplyState ?? (mentionMasterReply.ok ? "completed" : null),
executionMode: (mentionMasterReply as { executionMode?: "discussion" | "thread" | "development" | "browser" | "desktop" }).executionMode,
riskLevel: (mentionMasterReply as { riskLevel?: "low" | "medium" | "high" }).riskLevel,
requiresConfirmation: (mentionMasterReply as { requiresConfirmation?: boolean }).requiresConfirmation,
dispatchPlan: null,
dispatchRecommendation: {
ok: false,
status: "skipped",
},
collaborationGate: buildCollaborationGate(project),
});
}
if (projectId === "master-agent" && requestKind === "text" && requestText) {
const localMasterReply = await tryBuildLocalMasterAgentFastReply({
requestText: (body.body ?? "").trim(),
requestText,
requestedByAccount: session.account,
projectId,
state,
@@ -153,7 +387,7 @@ export async function POST(
{
senderLabel: session.displayName || "你",
body: body.body,
kind: body.kind ?? "text",
kind: requestKind,
},
{
sender: "master",
@@ -186,7 +420,7 @@ export async function POST(
projectId,
senderLabel: session.displayName || "你",
body: body.body,
kind: body.kind ?? "text",
kind: requestKind,
});
let dispatchPlan = null;
let dispatchRecommendation:
@@ -208,17 +442,20 @@ export async function POST(
masterReplyState?: "queued" | "running" | "completed";
task?: {
taskId: string;
taskType: "conversation_reply";
taskType: "conversation_reply" | "browser_control" | "desktop_control";
status: "queued" | "running" | "completed";
};
replyMessage?: Awaited<ReturnType<typeof appendProjectMessage>>;
replyMessage?: Message;
executionMode?: "discussion" | "thread" | "development" | "browser" | "desktop";
riskLevel?: "low" | "medium" | "high";
requiresConfirmation?: boolean;
}
| undefined;
let replyMessage: Awaited<ReturnType<typeof appendProjectMessage>> | undefined;
let task:
| {
taskId: string;
taskType: "conversation_reply";
taskType: "conversation_reply" | "browser_control" | "desktop_control";
status: "queued" | "running" | "completed";
}
| null = null;
@@ -228,8 +465,72 @@ export async function POST(
| "completed"
| null = null;
let replyPresenter: "thread" | "master" | undefined;
let executionMode:
| "discussion"
| "thread"
| "development"
| "browser"
| "desktop"
| undefined;
let riskLevel: "low" | "medium" | "high" | undefined;
let requiresConfirmation: boolean | undefined;
if (shouldCreateDispatchPlan) {
if (masterAgentProjectSummarySyncTarget && message.body.trim().length > 0) {
const explicitNotify = shouldNotifyAfterProjectSummarySync(message.body);
const rememberPreference = explicitNotify && shouldRememberProjectSummarySyncNotice(message.body);
const rememberedPreference =
rememberPreference || hasProjectSummarySyncNotifyPreferenceInState(state, session.account);
if (rememberPreference) {
await rememberProjectSummarySyncNotifyPreference({
account: session.account,
sourceMessageId: message.id,
});
}
const syncTask = await requestProjectUnderstandingSyncForProject({
projectId: masterAgentProjectSummarySyncTarget.id,
observedActivityAt: message.sentAt,
reason: "thread_reply",
replyProjectId: projectId,
notifyOnCompletion: explicitNotify || rememberedPreference,
requestedByAccount: session.account,
});
replyMessage = await appendProjectMessage({
projectId,
sender: "master",
senderLabel: "主 Agent",
body: buildMasterAgentProjectSummarySyncAck(masterAgentProjectSummarySyncTarget, {
notifyOnCompletion: explicitNotify || rememberedPreference,
rememberedPreference: rememberPreference,
}),
kind: "system_notice",
});
masterReply = {
ok: true,
taskId: syncTask?.taskId,
masterReplyState: syncTask ? "queued" : "completed",
task: syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply",
status: "queued",
}
: undefined,
replyMessage,
};
task = syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply",
status: "queued",
}
: null;
masterReplyState = syncTask ? "queued" : "completed";
replyPresenter = "master";
dispatchRecommendation = {
ok: false,
status: "skipped",
};
} else if (shouldCreateDispatchPlan) {
try {
const recommendation = await queueGroupDispatchPlan({
groupProjectId: projectId,
@@ -265,40 +566,140 @@ export async function POST(
} else if (project && projectId !== "master-agent" && !project.isGroup && message.body.trim().length > 0) {
const relayViaMasterAgent = singleThreadTakeoverEnabled;
if (relayViaMasterAgent) {
if (shouldRequestVerifiedProjectSummarySync(message.body)) {
await requestProjectUnderstandingSyncForProject({
if (shouldDisableCurrentProjectTakeoverFromMasterMention(message.body)) {
await updateProjectAgentControls(projectId, { takeoverEnabled: false }, session.account);
const nextState = await readState();
const nextProject = nextState.projects.find((item) => item.id === projectId) ?? project;
replyMessage = await appendProjectMessage({
projectId,
sender: "master",
senderLabel: "主 Agent",
body: buildMasterMentionTakeoverDisabledReply(nextProject),
kind: "text",
});
masterReply = {
ok: true,
masterReplyState: "completed",
replyMessage,
};
task = null;
masterReplyState = "completed";
} else if (shouldRequestVerifiedProjectSummarySync(message.body)) {
const explicitNotify = shouldNotifyAfterProjectSummarySync(message.body);
const rememberPreference = explicitNotify && shouldRememberProjectSummarySyncNotice(message.body);
const rememberedPreference =
rememberPreference || hasProjectSummarySyncNotifyPreferenceInState(state, session.account);
if (rememberPreference) {
await rememberProjectSummarySyncNotifyPreference({
account: session.account,
sourceMessageId: message.id,
});
}
const syncTask = await requestProjectUnderstandingSyncForProject({
projectId,
observedActivityAt: message.sentAt,
reason: "thread_reply",
});
}
masterReply = await replyToMasterAgentUserMessage({
requestMessageId: message.id,
requestText: message.body,
requestedBy: session.displayName || session.account,
replyProjectId: projectId,
notifyOnCompletion: explicitNotify || rememberedPreference,
requestedByAccount: session.account,
currentSessionExpiresAt: session.expiresAt,
});
replyMessage = await appendProjectMessage({
projectId,
interactionMode: "takeover_single_thread",
mode: "enqueue",
})
if (masterReply?.taskId) {
task = masterReply.task ?? {
taskId: masterReply.taskId,
taskType: "conversation_reply",
status: masterReply.masterReplyState ?? "queued",
sender: "master",
senderLabel: "主 Agent",
body: buildMasterAgentProjectSummarySyncAck(project, {
notifyOnCompletion: explicitNotify || rememberedPreference,
rememberedPreference: rememberPreference,
}),
kind: "system_notice",
});
masterReply = {
ok: true,
taskId: syncTask?.taskId,
masterReplyState: syncTask ? "queued" : "completed",
task: syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply",
status: "queued" as const,
}
: undefined,
replyMessage,
};
masterReplyState = masterReply.masterReplyState ?? null;
task = syncTask
? {
taskId: syncTask.taskId,
taskType: "conversation_reply",
status: "queued",
}
: null;
masterReplyState = syncTask ? "queued" : "completed";
} else {
try {
const queuedTask = await queueThreadConversationReplyTask({
projectId,
requestMessageId: message.id,
requestText: message.body,
sourceMessageId: message.id,
sourceMessageBody: message.body,
sourceMessageSentAt: message.sentAt,
requestedBy: session.displayName || session.account,
requestedByAccount: session.account,
relayViaMasterAgent: true,
});
task = {
taskId: queuedTask.taskId,
taskType: "conversation_reply",
status: "queued",
};
masterReply = {
ok: true,
taskId: queuedTask.taskId,
masterReplyState: "queued",
task,
};
masterReplyState = "queued";
} catch (error) {
if (!(error instanceof ThreadConversationExecutionConflictError)) {
throw error;
}
masterReply = await replyToMasterAgentUserMessage({
requestMessageId: message.id,
requestText: message.body,
requestedBy: session.displayName || session.account,
requestedByAccount: session.account,
currentSessionExpiresAt: session.expiresAt,
projectId,
interactionMode: "takeover_single_thread",
mode: "enqueue",
});
if (masterReply?.taskId) {
task = masterReply.task ?? {
taskId: masterReply.taskId,
taskType: "conversation_reply",
status: masterReply.masterReplyState ?? "queued",
};
masterReplyState = masterReply.masterReplyState ?? null;
}
replyMessage = masterReply?.replyMessage;
executionMode = (masterReply as { executionMode?: typeof executionMode }).executionMode;
riskLevel = (masterReply as { riskLevel?: typeof riskLevel }).riskLevel;
requiresConfirmation = (
masterReply as { requiresConfirmation?: typeof requiresConfirmation }
).requiresConfirmation;
}
}
replyMessage = masterReply?.replyMessage;
} else {
const queuedTask = await queueThreadConversationReplyTask({
projectId,
requestMessageId: message.id,
requestText: message.body,
requestedBy: session.displayName || session.account,
requestedByAccount: session.account,
});
projectId,
requestMessageId: message.id,
requestText: message.body,
sourceMessageId: message.id,
sourceMessageBody: message.body,
sourceMessageSentAt: message.sentAt,
requestedBy: session.displayName || session.account,
requestedByAccount: session.account,
});
task = {
taskId: queuedTask.taskId,
taskType: "conversation_reply",
@@ -313,7 +714,12 @@ export async function POST(
};
}
if (projectId === "master-agent" && (body.kind ?? "text") === "text" && message.body.trim()) {
if (
projectId === "master-agent" &&
!masterAgentProjectSummarySyncTarget &&
(body.kind ?? "text") === "text" &&
message.body.trim()
) {
masterReply = await replyToMasterAgentUserMessage({
requestMessageId: message.id,
requestText: message.body,
@@ -333,6 +739,11 @@ export async function POST(
masterReplyState = masterReply.masterReplyState ?? (masterReply.taskId ? null : "completed");
replyPresenter = "master";
replyMessage = masterReply.replyMessage;
executionMode = (masterReply as { executionMode?: typeof executionMode }).executionMode;
riskLevel = (masterReply as { riskLevel?: typeof riskLevel }).riskLevel;
requiresConfirmation = (
masterReply as { requiresConfirmation?: typeof requiresConfirmation }
).requiresConfirmation;
} else {
masterReplyState = null;
}
@@ -350,6 +761,9 @@ export async function POST(
task,
replyPresenter,
masterReplyState,
executionMode,
riskLevel,
requiresConfirmation,
dispatchPlan,
dispatchRecommendation,
collaborationGate,
@@ -378,6 +792,49 @@ export async function POST(
}
}
export async function DELETE(
request: NextRequest,
context: { params: Promise<{ projectId: string }> },
) {
const session = await requireRequestSession(request);
if (!session) {
return NextResponse.json({ ok: false, message: "UNAUTHORIZED" }, { status: 401 });
}
const { projectId } = await context.params;
const messageIdFromQuery = request.nextUrl.searchParams.get("messageId")?.trim();
const body = messageIdFromQuery
? {}
: ((await request.json().catch(() => ({}))) as { messageId?: string });
const messageId = messageIdFromQuery || body.messageId?.trim();
if (!messageId) {
return NextResponse.json({ ok: false, message: "MESSAGE_ID_REQUIRED" }, { status: 400 });
}
try {
const state = await readState();
const projectExists = state.projects.some((project) => project.id === projectId);
if (!canAccessProject(state, session, projectId, "thread.chat")) {
return NextResponse.json(
{ ok: false, message: projectExists ? "THREAD_CHAT_FORBIDDEN" : "PROJECT_NOT_FOUND" },
{ status: projectExists ? 403 : 404 },
);
}
const result = await deleteProjectMessage({ projectId, messageId });
return NextResponse.json({
ok: true,
deletedMessage: result.deletedMessage,
remainingCount: result.remainingCount,
});
} catch (error) {
const message = error instanceof Error ? error.message : "UNKNOWN_ERROR";
return NextResponse.json(
{ ok: false, message },
{ status: message === "PROJECT_NOT_FOUND" || message === "MESSAGE_NOT_FOUND" ? 404 : 400 },
);
}
}
function shouldRequestVerifiedProjectSummarySync(text: string) {
const normalized = text.trim();
if (!normalized) {
@@ -385,6 +842,110 @@ function shouldRequestVerifiedProjectSummarySync(text: string) {
}
const mentionsGoal = /项目目标|目标/.test(normalized);
const mentionsVersion = /版本记录|版本迭代|版本/.test(normalized);
const mentionsReviewOrSync = /核对|确认|同步|更新|刷新|整理|汇总/.test(normalized);
const mentionsReviewOrSync = /核对|确认|同步|更新|刷新|整理|汇总|总结|梳理|概括|回写/.test(normalized);
return mentionsReviewOrSync && (mentionsGoal || mentionsVersion);
}
function shouldNotifyAfterProjectSummarySync(text: string) {
const normalized = text.trim();
if (!normalized) {
return false;
}
return /同步完成.*(告诉我|提醒我|回我|和我说|通知我)|完成后.*(告诉我|提醒我|回我|和我说|通知我)|记得和我说|记得告诉我|同步完.*说一声/.test(
normalized,
);
}
function shouldRememberProjectSummarySyncNotice(text: string) {
const normalized = text.trim();
if (!normalized) {
return false;
}
return /以后|后续|默认|都这样|也这样|记住|下次也这样/.test(normalized);
}
const INLINE_MASTER_AGENT_MENTION_REGEX =
/@+\s*(主\s*a(?:[\s"'`._-]*)g(?:[\s"'`._-]*)e(?:[\s"'`._-]*)n(?:[\s"'`._-]*)t|主\s*gpt|主控|master\s*agent|agent)(?=$|[\s:,,、。.!?;])/i;
function parseMasterAgentMention(text: string) {
const normalized = text.trim();
if (!normalized) {
return null;
}
const inlineMentionMatch = normalized.match(INLINE_MASTER_AGENT_MENTION_REGEX);
if (inlineMentionMatch) {
const requestText = normalized
.replace(INLINE_MASTER_AGENT_MENTION_REGEX, " ")
.replace(/\s+/g, " ")
.replace(/^[\s:,,、-]+/, "")
.trim();
return {
requestText: requestText || "你好",
};
}
if (!normalized.startsWith("@")) {
return null;
}
const stripped = normalized.slice(1).trim();
if (!stripped) {
return { requestText: "你好" };
}
const labelMatch = stripped.match(
/^(主\s*a(?:[\s"'`._-]*)g(?:[\s"'`._-]*)e(?:[\s"'`._-]*)n(?:[\s"'`._-]*)t|主\s*gpt|主控|master\s*agent|agent)/i,
);
const requestText = labelMatch
? stripped.slice(labelMatch[0].length).replace(/^[\s:,,、-]+/, "").trim()
: stripped;
return {
requestText: requestText || "你好",
};
}
function shouldEnableCurrentProjectTakeoverFromMasterMention(text: string) {
const normalized = text.trim().replace(/\s+/g, "");
if (!normalized) {
return false;
}
if (!/(托管|接管|协同接管)/.test(normalized)) {
return false;
}
if (/(关闭|取消|不要|别|停止|禁用|撤销|解除)/.test(normalized)) {
return false;
}
return /(开启|打开|启用|开始|进入|切到|切换到|交给|接手|让.+(托管|接管)|请.+(托管|接管)|帮我.+(托管|接管))/.test(
normalized,
);
}
function shouldDisableCurrentProjectTakeoverFromMasterMention(text: string) {
const normalized = text.trim().replace(/\s+/g, "");
if (!normalized) {
return false;
}
if (!/(托管|接管|协同接管)/.test(normalized)) {
return false;
}
if (!/(关闭|取消|退出|停止|禁用|撤销|解除)/.test(normalized)) {
return false;
}
return /(当前|本线程|这个线程|当前线程|接管模式|托管模式)/.test(normalized) || normalized.includes("退出当前的接管模式");
}
function buildMasterMentionTakeoverEnabledReply(project: { name?: string | null }) {
const projectName = project.name?.trim() || "当前会话";
return [
`已为《${projectName}》开启主 Agent 协同接管。`,
"后续你直接发普通消息时,我会先确认意图,再协调对应线程推进;如果只是单独和我说话,继续用 @ 开头即可。",
].join("\n");
}
function buildMasterMentionTakeoverDisabledReply(project: { name?: string | null }) {
const projectName = project.name?.trim() || "当前会话";
return [
`已为《${projectName}》关闭主 Agent 协同接管。`,
"后续这个线程会恢复为你直接和对应 Codex 线程对话;如果还想单独找我,继续用 @ 开头即可。",
].join("\n");
}

10
src/app/api/v1/projects/[projectId]/route.ts
View File

@@ -1,6 +1,6 @@
import { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getProjectDetailView } from "@/lib/boss-projections";
import { getProjectDetailViewForSession } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
import { jsonNoStore } from "@/lib/api-response";
@@ -14,10 +14,14 @@ export async function GET(
}
const { projectId } = await context.params;
const state = await readState();
const detail = getProjectDetailView(state, projectId, session.account);
const projectExists = state.projects.some((project) => project.id === projectId);
const detail = getProjectDetailViewForSession(state, projectId, session);
if (!detail) {
return jsonNoStore({ ok: false, message: "PROJECT_NOT_FOUND" }, { status: 404 });
return jsonNoStore(
{ ok: false, message: projectExists ? "FORBIDDEN" : "PROJECT_NOT_FOUND" },
{ status: projectExists ? 403 : 404 },
);
}
return jsonNoStore({

9
src/app/auth/help/page.tsx
View File

@@ -7,18 +7,17 @@ export default function AuthHelpPage() {
<PageNav title="登录帮助" backHref="/auth/login" />
<div className="space-y-3 px-[18px] pb-6">
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4 text-[13px] leading-6 text-[#57606A]">
</div>
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4 text-[13px] leading-6 text-[#57606A]">
`17600003315`
`krisolo`
<br />
`boss123456`
使
<br />
`最高管理员`
</div>
<div className="rounded-2xl bg-[#EAF7F0] px-4 py-4 text-[13px] leading-6 text-[#215B39]">
`000000` MVP
/
</div>
</div>
</AppShell>

2
src/app/auth/login/page.tsx
View File

@@ -10,7 +10,7 @@ export default async function LoginPage() {
<AuthForm
mode="login"
title="登录 Codex 协同"
description="当前已临时切到免验证登录模式,点击登录会直接进入会话首页。账号密码验证码输入暂时不作为拦截条件。"
description="使用企业账号密码验证码登录。"
/>
</AppShell>
);

21
src/app/enterprise-admin/page.tsx Normal file
View File

@@ -0,0 +1,21 @@
import { redirect } from "next/navigation";
import { requirePageSession } from "@/lib/boss-auth";
export default async function EnterpriseAdminEntryPage() {
const session = await requirePageSession();
if (session.role !== "highest_admin") {
return (
<main className="min-h-screen bg-[#F3F5F2] px-6 py-10 text-[#111814]">
<section className="mx-auto max-w-xl rounded-[28px] border border-black/10 bg-white p-8 shadow-sm">
<p className="text-sm text-[#647067]">Boss </p>
<h1 className="mt-2 text-2xl font-semibold"></h1>
<p className="mt-3 text-sm leading-6 text-[#647067]">
访 To B 使 highest_admin
</p>
</section>
</main>
);
}
redirect("/admin-web/index.html");
}

88
src/app/me/access/page.tsx Normal file
View File

@@ -0,0 +1,88 @@
import { RealtimeRefresh } from "@/components/app-runtime";
import { AccessManagementClient } from "@/components/access-management-client";
import { AppShell, HeaderTitle, PageNav, StatusBar } from "@/components/app-ui";
import { BOSS_PERMISSION_TEMPLATES } from "@/lib/boss-access-templates";
import { requirePageSession } from "@/lib/boss-auth";
import { readState } from "@/lib/boss-data";
export const dynamic = "force-dynamic";
function buildSkillCatalog(skills: Awaited<ReturnType<typeof readState>>["deviceSkills"]) {
const catalog = new Map<string, {
name: string;
invocation: string;
description: string;
deviceCount: number;
devices: Array<{
skillId: string;
deviceId: string;
path: string;
category: string;
updatedAt: string;
}>;
}>();
for (const skill of skills) {
const key = skill.name.trim() || skill.skillId;
const existing = catalog.get(key) ?? {
name: key,
invocation: skill.invocation,
description: skill.description,
deviceCount: 0,
devices: [],
};
existing.devices.push({
skillId: skill.skillId,
deviceId: skill.deviceId,
path: skill.path,
category: skill.category,
updatedAt: skill.updatedAt,
});
existing.deviceCount = existing.devices.length;
catalog.set(key, existing);
}
return [...catalog.values()].sort((left, right) => left.name.localeCompare(right.name, "zh-CN"));
}
function publicAuthAccount(account: Awaited<ReturnType<typeof readState>>["authAccounts"][number]) {
const { passwordHash, ...safeAccount } = account;
void passwordHash;
return safeAccount;
}
export default async function AccessManagementPage() {
const session = await requirePageSession();
const state = await readState();
return (
<AppShell bottomNav={false}>
<RealtimeRefresh events={["devices.updated", "devices.skills.updated"]} />
<StatusBar />
<PageNav title="用户与权限" backHref="/me" />
<HeaderTitle title="账号、设备与 Skill 分配" />
<div className="px-[18px] pb-6">
{session.role === "highest_admin" ? (
<AccessManagementClient
initialView={{
accounts: state.authAccounts.map(publicAuthAccount),
devices: state.devices,
projects: state.projects,
skills: state.deviceSkills,
skillCatalog: buildSkillCatalog(state.deviceSkills),
permissionTemplates: BOSS_PERMISSION_TEMPLATES,
grants: {
devices: state.accountDeviceGrants,
projects: state.accountProjectGrants,
skills: state.accountSkillGrants,
},
auditLogs: state.permissionAuditLogs,
}}
/>
) : (
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4 text-[13px] leading-6 text-[#57606A]">
Skill
</div>
)}
</div>
</AppShell>
);
}

56
src/app/me/ops/audit/page.tsx
View File

@@ -2,15 +2,18 @@ import Link from "next/link";
import { RealtimeRefresh } from "@/components/app-runtime";
import { AppShell, PageNav, StatusBar } from "@/components/app-ui";
import { requirePageSession } from "@/lib/boss-auth";
import { summarizePermissionAuditRisks } from "@/lib/boss-audit";
import { getAuditSummaryView } from "@/lib/boss-projections";
import { readState } from "@/lib/boss-data";
export const dynamic = "force-dynamic";
export default async function AuditPage() {
await requirePageSession();
const session = await requirePageSession();
const state = await readState();
const summary = getAuditSummaryView(state);
const permissionRiskSummary = summarizePermissionAuditRisks(state);
const recentPermissionLogs = state.permissionAuditLogs.slice(0, 10);
return (
<AppShell bottomNav={false}>
@@ -33,6 +36,57 @@ export default async function AuditPage() {
</Link>
</div>
<div className="mt-4 flex-1 space-y-4 overflow-y-auto pb-6">
{session.role === "highest_admin" ? (
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<div className="flex items-start justify-between gap-3">
<div>
<div className="text-[14px] font-semibold text-[#111111]"></div>
<div className="mt-1 text-[12px] text-[#8C8C8C]">
{permissionRiskSummary.highAlerts} · {permissionRiskSummary.mediumAlerts}
</div>
</div>
<div className="rounded-full bg-[#FFF4E5] px-3 py-1 text-[12px] font-semibold text-[#B35C00]">
{permissionRiskSummary.totalAlerts} alerts
</div>
</div>
<div className="mt-3 space-y-2">
{permissionRiskSummary.alerts.slice(0, 4).map((alert) => (
<div key={`${alert.kind}-${alert.auditIds.join("-")}-${alert.detail}`} className="rounded-xl bg-[#F7F8FA] px-3 py-2">
<div className="text-[13px] font-semibold text-[#111111]">{alert.title}</div>
<div className="mt-1 text-[12px] leading-5 text-[#57606A]">{alert.detail}</div>
</div>
))}
{permissionRiskSummary.alerts.length === 0 ? (
<div className="text-[13px] text-[#8C8C8C]"></div>
) : null}
</div>
</div>
) : null}
{session.role === "highest_admin" ? (
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<div className="text-[14px] font-semibold text-[#111111]"></div>
<div className="mt-3 space-y-2">
{recentPermissionLogs.map((log) => (
<div key={log.auditId} className="rounded-xl bg-[#F7F8FA] px-3 py-2">
<div className="flex items-start justify-between gap-3">
<div className="text-[13px] font-semibold text-[#111111]">{log.action}</div>
<div className="text-[11px] text-[#8C8C8C]">{log.createdAt}</div>
</div>
<div className="mt-1 text-[12px] leading-5 text-[#57606A]">
{log.actorAccount}
{log.targetAccount ? ` -> ${log.targetAccount}` : ""}
{log.deviceId ? ` · device ${log.deviceId}` : ""}
{log.projectId ? ` · project ${log.projectId}` : ""}
{log.skillId ? ` · skill ${log.skillId}` : ""}
</div>
</div>
))}
{recentPermissionLogs.length === 0 ? (
<div className="text-[13px] text-[#8C8C8C]"></div>
) : null}
</div>
</div>
) : null}
{summary.pendingRequests.map((request) => (
<div
key={request.auditRequestId}

14
src/app/me/page.tsx
View File

@@ -13,7 +13,7 @@ import { getOtaStatus, readState } from "@/lib/boss-data";
export const dynamic = "force-dynamic";
export default async function MePage() {
await requirePageSession();
const session = await requirePageSession();
const [state, otaStatus] = await Promise.all([readState(), getOtaStatus()]);
return (
@@ -28,6 +28,13 @@ export default async function MePage() {
title="主 Agent 提示词 / 记忆"
description="配置全局主提示词、当前主提示词和用户记忆"
/>
{session.role === "highest_admin" ? (
<MenuRow
href="/me/access"
title="用户与权限"
description="创建子账号,并分配设备、项目和 Skill 权限"
/>
) : null}
<MenuRow
href="/me/storage"
title="附件与存储"
@@ -49,6 +56,11 @@ export default async function MePage() {
title="AI 账号"
description="管理主 GPT、备用 GPT、ChatGPT Plus / Codex 节点与 API 容灾"
/>
<MenuRow
href="/me/telegram"
title="Telegram 接入"
description="配置 Telegram Bot让主 Agent 支持 Telegram 私聊入口"
/>
<MenuRow
href="/me/skills"
title="技能"

29
src/app/me/security/page.tsx
View File

@@ -1,8 +1,33 @@
import { AppShell, LogoutButton, MenuRow, PageNav, StatusBar } from "@/components/app-ui";
import { SessionManagementClient } from "@/components/session-management-client";
import { requirePageSession } from "@/lib/boss-auth";
import { readState } from "@/lib/boss-data";
import { cookies } from "next/headers";
function isActiveSession(session: Awaited<ReturnType<typeof readState>>["authSessions"][number]) {
return !session.revokedAt && new Date(session.expiresAt).getTime() > Date.now();
}
export default async function SecurityPage() {
const session = await requirePageSession();
const [state, cookieStore] = await Promise.all([readState(), cookies()]);
const currentToken = cookieStore.get("boss_session")?.value;
const visibleSessions = state.authSessions
.filter(isActiveSession)
.filter((item) => session.role === "highest_admin" || item.account === session.account)
.sort((left, right) => right.lastSeenAt.localeCompare(left.lastSeenAt))
.map((item) => ({
sessionId: item.sessionId,
account: item.account,
role: item.role,
displayName: item.displayName,
loginMethod: item.loginMethod,
createdAt: item.createdAt,
expiresAt: item.expiresAt,
lastSeenAt: item.lastSeenAt,
current: Boolean(currentToken && item.sessionToken === currentToken),
}));
return (
<AppShell bottomNav={false}>
<StatusBar />
@@ -12,8 +37,7 @@ export default async function SecurityPage() {
<MenuRow href="/devices" title="设备安全管理" description="查看设备绑定、登录状态和剩余额度" />
<div className="rounded-2xl bg-[#EAF7F0] px-4 py-4 text-[13px] leading-6 text-[#215B39]">
使
`17600003315` Codex
`000000`
`krisolo` Codex
</div>
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4 text-[13px] leading-6 text-[#57606A]">
<span className="font-semibold text-[#111111]">{session.account}</span>
@@ -22,6 +46,7 @@ export default async function SecurityPage() {
<br />
{new Date(session.expiresAt).toLocaleString("zh-CN", { hour12: false })}
</div>
<SessionManagementClient initialSessions={visibleSessions} />
<LogoutButton />
</div>
</AppShell>

33
src/app/me/telegram/page.tsx Normal file
View File

@@ -0,0 +1,33 @@
import { RealtimeRefresh } from "@/components/app-runtime";
import { AppShell, HeaderTitle, PageNav, StatusBar } from "@/components/app-ui";
import { TelegramIntegrationClient } from "@/components/telegram-integration-client";
import { requirePageSession } from "@/lib/boss-auth";
import { getTelegramIntegrationView } from "@/lib/telegram-gateway";
export const dynamic = "force-dynamic";
export default async function TelegramIntegrationPage() {
const session = await requirePageSession();
const telegram = await getTelegramIntegrationView();
return (
<AppShell bottomNav={false}>
<RealtimeRefresh events={["settings.updated"]} />
<StatusBar />
<PageNav title="Telegram 接入" backHref="/me" />
<HeaderTitle title="Telegram Bot 网关" />
<div className="px-[18px] pb-3 text-[13px] leading-6 text-[#57606A]">
Telegram Agent
</div>
{session.role === "highest_admin" ? (
<TelegramIntegrationClient initialView={telegram} />
) : (
<div className="px-[18px] pb-6">
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4 text-[13px] leading-6 text-[#57606A]">
</div>
</div>
)}
</AppShell>
);
}

8
src/app/page.tsx
View File

@@ -1,7 +1,15 @@
import { headers } from "next/headers";
import { redirect } from "next/navigation";
import { getCurrentPageSession } from "@/lib/boss-auth";
const PLATFORM_ADMIN_HOST = "admin.boss.hyzq.net";
export default async function Home() {
const headersList = await headers();
const host = headersList.get("host")?.split(":")[0];
const session = await getCurrentPageSession();
if (host === PLATFORM_ADMIN_HOST) {
redirect(session ? "/admin" : "/auth/login");
}
redirect(session ? "/conversations" : "/auth/login");
}

599
src/components/access-management-client.tsx Normal file
View File

@@ -0,0 +1,599 @@
"use client";
import { useMemo, useState } from "react";
import type { ReactNode } from "react";
import { useRouter } from "next/navigation";
import clsx from "clsx";
import type {
AccountDeviceGrant,
AccountProjectGrant,
AccountSkillGrant,
AuthAccount,
AuthRole,
BossPermission,
Device,
Project,
} from "@/lib/boss-data";
type PublicAuthAccount = Omit<AuthAccount, "passwordHash">;
type SkillCatalogItem = {
name: string;
invocation: string;
description: string;
deviceCount: number;
devices: Array<{
skillId: string;
deviceId: string;
path: string;
category: string;
updatedAt: string;
}>;
};
type PermissionTemplate = {
templateId: string;
name: string;
description: string;
devicePermissions: BossPermission[];
projectPermissions: BossPermission[];
skillPermissions: BossPermission[];
};
type AccessManagementView = {
accounts: PublicAuthAccount[];
devices: Device[];
projects: Project[];
skills: Array<SkillCatalogItem["devices"][number] & {
name: string;
description: string;
invocation: string;
}>;
skillCatalog: SkillCatalogItem[];
permissionTemplates: PermissionTemplate[];
grants: {
devices: AccountDeviceGrant[];
projects: AccountProjectGrant[];
skills: AccountSkillGrant[];
};
auditLogs: Array<{
auditId: string;
actorAccount: string;
action: string;
targetAccount?: string;
deviceId?: string;
projectId?: string;
skillId?: string;
permissions?: BossPermission[];
createdAt: string;
}>;
};
const devicePermissions: BossPermission[] = ["device.view", "device.manage", "computer.control"];
const projectPermissions: BossPermission[] = [
"project.view",
"thread.chat",
"master_agent.ask",
"master_agent.takeover",
"computer.control",
];
const skillPermissions: BossPermission[] = ["skill.view", "skill.use", "skill.manage"];
function Section({ title, note, children }: { title: string; note?: string; children: ReactNode }) {
return (
<section className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<div className="text-[16px] font-semibold text-[#111111]">{title}</div>
{note ? <div className="mt-1 text-[12px] leading-5 text-[#8C8C8C]">{note}</div> : null}
<div className="mt-4 space-y-3">{children}</div>
</section>
);
}
function TextField({
label,
value,
onChange,
placeholder,
secret = false,
type = "text",
}: {
label: string;
value: string;
onChange: (value: string) => void;
placeholder?: string;
secret?: boolean;
type?: string;
}) {
return (
<label className="block space-y-1.5">
<span className="text-[12px] font-medium text-[#57606A]">{label}</span>
<input
type={secret ? "password" : type}
value={value}
onChange={(event) => onChange(event.target.value)}
placeholder={placeholder}
className="w-full rounded-2xl border border-[#E5E5EA] bg-[#F7F8FA] px-4 py-3 text-[14px] text-[#111111] outline-none transition focus:border-[#07C160] focus:bg-white"
/>
</label>
);
}
function SelectField({
label,
value,
onChange,
options,
}: {
label: string;
value: string;
onChange: (value: string) => void;
options: Array<{ value: string; label: string }>;
}) {
return (
<label className="block space-y-1.5">
<span className="text-[12px] font-medium text-[#57606A]">{label}</span>
<select
value={value}
onChange={(event) => onChange(event.target.value)}
className="w-full rounded-2xl border border-[#E5E5EA] bg-[#F7F8FA] px-4 py-3 text-[14px] text-[#111111] outline-none transition focus:border-[#07C160] focus:bg-white"
>
{options.map((option) => (
<option key={option.value} value={option.value}>
{option.label}
</option>
))}
</select>
</label>
);
}
function PermissionPicker({
values,
selected,
onChange,
}: {
values: BossPermission[];
selected: BossPermission[];
onChange: (permissions: BossPermission[]) => void;
}) {
return (
<div className="flex flex-wrap gap-2">
{values.map((permission) => {
const active = selected.includes(permission);
return (
<button
key={permission}
type="button"
onClick={() =>
onChange(active ? selected.filter((item) => item !== permission) : [...selected, permission])
}
className={clsx(
"rounded-full px-3 py-2 text-[12px] font-semibold transition",
active ? "bg-[#07C160] text-white" : "bg-[#F5F5F7] text-[#57606A]",
)}
>
{permission}
</button>
);
})}
</div>
);
}
function grantLabel(grant: AccountDeviceGrant | AccountProjectGrant | AccountSkillGrant) {
if ("skillId" in grant) {
return `${grant.account} · Skill ${grant.skillId}`;
}
if ("projectId" in grant) {
return `${grant.account} · 项目 ${grant.projectId}`;
}
return `${grant.account} · 设备 ${grant.deviceId}`;
}
function formatGrantExpiry(expiresAt?: string) {
if (!expiresAt) {
return { label: "永久有效", expired: false };
}
const expiresAtMs = new Date(expiresAt).getTime();
if (Number.isNaN(expiresAtMs)) {
return { label: `有效期:${expiresAt}`, expired: false };
}
return {
label: `${expiresAtMs <= Date.now() ? "已过期" : "有效至"}${new Date(expiresAtMs).toLocaleString("zh-CN", {
hour12: false,
})}`,
expired: expiresAtMs <= Date.now(),
};
}
function formatAuditTarget(log: AccessManagementView["auditLogs"][number]) {
return [
log.targetAccount ? `账号 ${log.targetAccount}` : "",
log.deviceId ? `设备 ${log.deviceId}` : "",
log.projectId ? `项目 ${log.projectId}` : "",
log.skillId ? `Skill ${log.skillId}` : "",
].filter(Boolean).join(" · ") || "系统";
}
export function AccessManagementClient({ initialView }: { initialView: AccessManagementView }) {
const router = useRouter();
const [view, setView] = useState(initialView);
const [busy, setBusy] = useState("");
const [message, setMessage] = useState("");
const [accountDraft, setAccountDraft] = useState({
account: "",
displayName: "",
role: "member" as AuthRole,
password: "",
});
const [deviceDraft, setDeviceDraft] = useState({
account: "",
deviceId: initialView.devices[0]?.id ?? "",
permissions: ["device.view"] as BossPermission[],
expiresAt: "",
});
const [projectDraft, setProjectDraft] = useState({
account: "",
projectId: initialView.projects[0]?.id ?? "",
permissions: ["project.view"] as BossPermission[],
expiresAt: "",
});
const [skillDraft, setSkillDraft] = useState({
account: "",
skillId: initialView.skills[0]?.skillId ?? "",
deviceId: initialView.skills[0]?.deviceId ?? "",
permissions: ["skill.view", "skill.use"] as BossPermission[],
expiresAt: "",
});
const [templateDraft, setTemplateDraft] = useState({
account: "",
templateId: initialView.permissionTemplates.find((item) => item.templateId === "developer")?.templateId ??
initialView.permissionTemplates[0]?.templateId ?? "",
deviceId: initialView.devices[0]?.id ?? "",
projectId: initialView.projects[0]?.id ?? "",
skillId: initialView.skills[0]?.skillId ?? "",
});
const accountOptions = useMemo(
() => view.accounts.map((account) => ({ value: account.account, label: `${account.displayName} · ${account.account}` })),
[view.accounts],
);
const deviceOptions = useMemo(
() => view.devices.map((device) => ({ value: device.id, label: `${device.name} · ${device.id}` })),
[view.devices],
);
const projectOptions = useMemo(
() => view.projects.map((project) => ({ value: project.id, label: `${project.name} · ${project.id}` })),
[view.projects],
);
const skillOptions = useMemo(
() => view.skills.map((skill) => ({ value: skill.skillId, label: `${skill.name} · ${skill.deviceId}` })),
[view.skills],
);
const templateOptions = useMemo(
() => view.permissionTemplates.map((template) => ({
value: template.templateId,
label: template.name,
})),
[view.permissionTemplates],
);
const selectedTemplate = view.permissionTemplates.find((template) => template.templateId === templateDraft.templateId);
async function refreshView() {
const response = await fetch("/api/v1/admin/access", { cache: "no-store" });
const result = (await response.json()) as AccessManagementView & { ok: boolean; message?: string };
if (!response.ok || !result.ok) {
throw new Error(result.message ?? "刷新失败");
}
setView(result);
router.refresh();
}
async function submit(action: string, body: Record<string, unknown>) {
setBusy(action);
setMessage("");
try {
const response = await fetch("/api/v1/admin/access", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ action, ...body }),
});
const result = (await response.json()) as { ok: boolean; message?: string };
if (!response.ok || !result.ok) {
throw new Error(result.message ?? "保存失败");
}
await refreshView();
setMessage("已保存。");
} catch (error) {
setMessage(error instanceof Error ? error.message : "操作失败");
} finally {
setBusy("");
}
}
function fillAccountForGrants(account: string) {
setDeviceDraft((draft) => ({ ...draft, account }));
setProjectDraft((draft) => ({ ...draft, account }));
setSkillDraft((draft) => ({ ...draft, account }));
setTemplateDraft((draft) => ({ ...draft, account }));
}
return (
<div className="space-y-4">
<Section title="子账号" note="创建或更新子账号。修改密码会让该账号的旧登录态失效。">
<div className="grid gap-3">
<TextField
label="账号"
value={accountDraft.account}
onChange={(account) => {
setAccountDraft((draft) => ({ ...draft, account }));
fillAccountForGrants(account);
}}
placeholder="worker@example.com"
/>
<TextField
label="显示名"
value={accountDraft.displayName}
onChange={(displayName) => setAccountDraft((draft) => ({ ...draft, displayName }))}
placeholder="项目协作者"
/>
<SelectField
label="角色"
value={accountDraft.role}
onChange={(role) => setAccountDraft((draft) => ({ ...draft, role: role as AuthRole }))}
options={[
{ value: "member", label: "成员" },
{ value: "admin", label: "管理员" },
]}
/>
<TextField
label="初始密码 / 新密码"
value={accountDraft.password}
onChange={(password) => setAccountDraft((draft) => ({ ...draft, password }))}
placeholder="创建账号时必填"
secret
/>
<button
type="button"
onClick={() => void submit("upsert_account", accountDraft)}
disabled={busy === "upsert_account"}
className="rounded-full bg-[#07C160] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-50"
>
{busy === "upsert_account" ? "保存中" : "保存子账号"}
</button>
</div>
</Section>
{view.permissionTemplates.length > 0 ? (
<Section title="权限模板" note="一次性给账号分配设备、项目和 Skill 权限,适合批量开通子账号。">
<SelectField
label="账号"
value={templateDraft.account}
onChange={(account) => setTemplateDraft((draft) => ({ ...draft, account }))}
options={[{ value: "", label: "选择账号" }, ...accountOptions]}
/>
<SelectField
label="模板"
value={templateDraft.templateId}
onChange={(templateId) => setTemplateDraft((draft) => ({ ...draft, templateId }))}
options={templateOptions}
/>
{selectedTemplate ? (
<div className="rounded-2xl bg-[#F1FFF7] px-4 py-3 text-[12px] leading-5 text-[#57606A]">
{selectedTemplate.description}
</div>
) : null}
<SelectField
label="设备"
value={templateDraft.deviceId}
onChange={(deviceId) => setTemplateDraft((draft) => ({ ...draft, deviceId }))}
options={[{ value: "", label: "不授权设备" }, ...deviceOptions]}
/>
<SelectField
label="项目"
value={templateDraft.projectId}
onChange={(projectId) => setTemplateDraft((draft) => ({ ...draft, projectId }))}
options={[{ value: "", label: "不授权项目" }, ...projectOptions]}
/>
<SelectField
label="Skill"
value={templateDraft.skillId}
onChange={(skillId) => setTemplateDraft((draft) => ({ ...draft, skillId }))}
options={[{ value: "", label: "不分配 Skill" }, ...skillOptions]}
/>
<button
type="button"
onClick={() => void submit("apply_template", {
account: templateDraft.account,
templateId: templateDraft.templateId,
deviceIds: templateDraft.deviceId ? [templateDraft.deviceId] : [],
projectIds: templateDraft.projectId ? [templateDraft.projectId] : [],
skillIds: templateDraft.skillId ? [templateDraft.skillId] : [],
})}
disabled={busy === "apply_template"}
className="rounded-full bg-[#07C160] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-50"
>
{busy === "apply_template" ? "套用中" : "套用模板"}
</button>
</Section>
) : null}
<Section title="设备权限" note="设备只读权限会带出该设备下项目的只读可见性,但不会自动允许聊天或接管。">
<SelectField
label="账号"
value={deviceDraft.account}
onChange={(account) => setDeviceDraft((draft) => ({ ...draft, account }))}
options={[{ value: "", label: "选择账号" }, ...accountOptions]}
/>
<SelectField
label="设备"
value={deviceDraft.deviceId}
onChange={(deviceId) => setDeviceDraft((draft) => ({ ...draft, deviceId }))}
options={deviceOptions}
/>
<PermissionPicker
values={devicePermissions}
selected={deviceDraft.permissions}
onChange={(permissions) => setDeviceDraft((draft) => ({ ...draft, permissions }))}
/>
<TextField
label="有效期"
value={deviceDraft.expiresAt}
onChange={(expiresAt) => setDeviceDraft((draft) => ({ ...draft, expiresAt }))}
placeholder="留空表示永久,例如 2026-05-01T18:00:00+08:00"
/>
<button
type="button"
onClick={() => void submit("grant_device", deviceDraft)}
disabled={busy === "grant_device"}
className="rounded-full bg-[#111111] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-50"
>
</button>
</Section>
<Section title="项目权限" note="聊天、主 Agent 问询、接管和电脑控制都在这里显式授权。">
<SelectField
label="账号"
value={projectDraft.account}
onChange={(account) => setProjectDraft((draft) => ({ ...draft, account }))}
options={[{ value: "", label: "选择账号" }, ...accountOptions]}
/>
<SelectField
label="项目"
value={projectDraft.projectId}
onChange={(projectId) => setProjectDraft((draft) => ({ ...draft, projectId }))}
options={projectOptions}
/>
<PermissionPicker
values={projectPermissions}
selected={projectDraft.permissions}
onChange={(permissions) => setProjectDraft((draft) => ({ ...draft, permissions }))}
/>
<TextField
label="有效期"
value={projectDraft.expiresAt}
onChange={(expiresAt) => setProjectDraft((draft) => ({ ...draft, expiresAt }))}
placeholder="留空表示永久,例如 2026-05-01T18:00:00+08:00"
/>
<button
type="button"
onClick={() => void submit("grant_project", projectDraft)}
disabled={busy === "grant_project"}
className="rounded-full bg-[#111111] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-50"
>
</button>
</Section>
<Section title="Skill 分配" note="同名 Skill 会按不同电脑聚合;授权时仍精确到某台设备上的某个 Skill。">
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[12px] leading-5 text-[#57606A]">
Skill {view.skillCatalog.length} {" "}
{view.skillCatalog.reduce((sum, item) => sum + item.deviceCount, 0)}
</div>
<SelectField
label="账号"
value={skillDraft.account}
onChange={(account) => setSkillDraft((draft) => ({ ...draft, account }))}
options={[{ value: "", label: "选择账号" }, ...accountOptions]}
/>
<SelectField
label="Skill"
value={skillDraft.skillId}
onChange={(skillId) => {
const skill = view.skills.find((item) => item.skillId === skillId);
setSkillDraft((draft) => ({ ...draft, skillId, deviceId: skill?.deviceId ?? draft.deviceId }));
}}
options={skillOptions}
/>
<PermissionPicker
values={skillPermissions}
selected={skillDraft.permissions}
onChange={(permissions) => setSkillDraft((draft) => ({ ...draft, permissions }))}
/>
<TextField
label="有效期"
value={skillDraft.expiresAt}
onChange={(expiresAt) => setSkillDraft((draft) => ({ ...draft, expiresAt }))}
placeholder="留空表示永久,例如 2026-05-01T18:00:00+08:00"
/>
<button
type="button"
onClick={() => void submit("grant_skill", skillDraft)}
disabled={busy === "grant_skill"}
className="rounded-full bg-[#111111] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-50"
>
Skill
</button>
</Section>
<Section title="已授权" note="撤销只影响当前这条授权,不会全局回收其他项目或设备能力。">
{[...view.grants.devices, ...view.grants.projects, ...view.grants.skills].length === 0 ? (
<div className="text-[13px] text-[#8C8C8C]"></div>
) : (
[...view.grants.devices, ...view.grants.projects, ...view.grants.skills].map((grant) => {
const expiry = formatGrantExpiry(grant.expiresAt);
return (
<div key={grant.grantId} className="rounded-2xl bg-[#F7F8FA] px-4 py-3">
<div className="flex items-start justify-between gap-3">
<div>
<div className="text-[14px] font-semibold text-[#111111]">{grantLabel(grant)}</div>
<div className="mt-1 text-[12px] leading-5 text-[#57606A]">
{grant.permissions.join(" / ")}
</div>
</div>
<span
className={clsx(
"shrink-0 rounded-full px-2.5 py-1 text-[11px] font-semibold",
expiry.expired ? "bg-[#FFF1F0] text-[#FF3B30]" : "bg-[#EFFFF6] text-[#07A34A]",
)}
>
{expiry.label}
</span>
</div>
{grant.note ? (
<div className="mt-2 text-[12px] leading-5 text-[#8C8C8C]">{grant.note}</div>
) : null}
<button
type="button"
onClick={() => void submit("revoke_grant", { grantId: grant.grantId })}
className="mt-3 text-[13px] font-semibold text-[#FF3B30]"
>
</button>
</div>
);
})
)}
</Section>
<Section title="审计记录" note="只展示最近的授权、撤销和模板操作,便于回溯谁给谁开了什么权限。">
{view.auditLogs.length === 0 ? (
<div className="text-[13px] text-[#8C8C8C]"></div>
) : (
view.auditLogs.slice(0, 20).map((log) => (
<div key={log.auditId} className="rounded-2xl bg-[#F7F8FA] px-4 py-3">
<div className="flex items-start justify-between gap-3">
<div className="min-w-0">
<div className="truncate text-[14px] font-semibold text-[#111111]">
{log.action} · {formatAuditTarget(log)}
</div>
<div className="mt-1 text-[12px] leading-5 text-[#57606A]">
{log.actorAccount}
{log.permissions?.length ? ` · ${log.permissions.join(" / ")}` : ""}
</div>
</div>
<div className="shrink-0 text-right text-[11px] leading-4 text-[#8C8C8C]">
{new Date(log.createdAt).toLocaleString("zh-CN", { hour12: false })}
</div>
</div>
</div>
))
)}
</Section>
{message ? (
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-3 text-[13px] text-[#57606A]">
{message}
</div>
) : null}
</div>
);
}

1048
src/components/admin/admin-access-panel.tsx Normal file
View File

File diff suppressed because it is too large Load Diff

900
src/components/admin/admin-skill-lifecycle-panel.tsx Normal file
View File

@@ -0,0 +1,900 @@
"use client";
import { useEffect, useMemo, useState } from "react";
import {
Alert,
AutoComplete,
Button,
Card,
Divider,
Empty,
Form,
Input,
Select,
Space,
Table,
Tag,
Typography,
message,
} from "antd";
import type { ColumnsType } from "antd/es/table";
const skillLifecycleRequestsEndpoint = "/api/v1/admin/skills/requests";
const adminAccessEndpoint = "/api/v1/admin/access";
export type AdminSkillLifecycleAction = "install" | "update" | "uninstall" | "rollback" | "version_lock";
export type AdminSkillLifecycleDevice = {
id?: string;
deviceId?: string;
name?: string;
deviceName?: string;
status?: string;
onlineStatus?: string;
[key: string]: unknown;
};
export type AdminSkillLifecycleSkill = {
skillId: string;
deviceId?: string;
name?: string;
invocation?: string;
description?: string;
version?: string;
category?: string;
path?: string;
[key: string]: unknown;
};
export type AdminSkillLifecycleRequest = {
requestId?: string;
id?: string;
action?: AdminSkillLifecycleAction | string;
status?: string;
deviceId?: string;
skillId?: string;
sourceUrl?: string;
trustedSource?: string;
trustedSourceId?: string;
checksum?: string;
expectedChecksum?: string;
targetVersion?: string;
rollbackToVersion?: string;
lockedVersion?: string;
requestedBy?: string;
requestedAt?: string;
claimedByDeviceId?: string;
claimedAt?: string;
completedAt?: string;
updatedAt?: string;
note?: string;
resultSummary?: string;
error?: string;
[key: string]: unknown;
};
export type AdminSkillLifecycleTrustedSource = {
id?: string;
trustedSourceId?: string;
name?: string;
label?: string;
sourceUrl?: string;
[key: string]: unknown;
};
export type AdminSkillLifecycleCatalogDevice = {
skillId: string;
deviceId: string;
path?: string;
category?: string;
updatedAt?: string;
};
export type AdminSkillLifecycleCatalogItem = {
name: string;
invocation?: string;
description?: string;
deviceCount?: number;
devices?: AdminSkillLifecycleCatalogDevice[];
};
export type AdminSkillLifecyclePanelProps = {
devices?: AdminSkillLifecycleDevice[];
skills?: AdminSkillLifecycleSkill[];
skillCatalog?: AdminSkillLifecycleCatalogItem[];
initialRequests?: AdminSkillLifecycleRequest[];
initialLifecycleRequests?: AdminSkillLifecycleRequest[];
trustedSources?: AdminSkillLifecycleTrustedSource[];
className?: string;
};
type LifecycleFormValues = {
action: AdminSkillLifecycleAction;
deviceId?: string;
skillId?: string;
sourceUrl?: string;
trustedSource?: string;
trustedSourceId?: string;
checksum?: string;
expectedChecksum?: string;
targetVersion?: string;
rollbackToVersion?: string;
lockedVersion?: string;
note?: string;
};
const lifecycleActions = [
{ value: "install", label: "安装", color: "green", description: "从 sourceUrl 或 trustedSourceId 安装新 Skill。" },
{ value: "update", label: "更新", color: "blue", description: "更新设备上已有 Skill可指定版本或远程来源。" },
{ value: "uninstall", label: "卸载", color: "red", description: "卸载设备上已有 Skill设备端会先做备份。" },
{ value: "rollback", label: "回滚", color: "orange", description: "回滚到指定历史版本。" },
{ value: "version_lock", label: "版本锁定", color: "purple", description: "锁定 Skill 到指定版本,写入设备端版本锁。" },
] satisfies Array<{
value: AdminSkillLifecycleAction;
label: string;
color: string;
description: string;
}>;
const statusColors: Record<string, string> = {
pending: "gold",
accepted: "cyan",
running: "blue",
completed: "green",
failed: "red",
canceled: "default",
};
const adminDense = "adminDense";
const adminCard = "boss-admin-card border-[#E9ECE9] shadow-[0_10px_36px_rgba(0,0,0,0.035)]";
const panelSubtitle = "Skill 生命周期请求与执行结果";
function text(value: unknown, fallback = "-") {
if (value === null || value === undefined || value === "") return fallback;
return String(value);
}
function trimmed(value: unknown) {
return typeof value === "string" ? value.trim() : "";
}
function deviceIdOf(device: AdminSkillLifecycleDevice) {
return text(device.id ?? device.deviceId, "");
}
function deviceLabel(device: AdminSkillLifecycleDevice) {
const id = deviceIdOf(device);
const name = text(device.name ?? device.deviceName ?? id, id || "未命名设备");
const status = text(device.status ?? device.onlineStatus, "");
return status ? `${name} · ${id} · ${status}` : `${name} · ${id}`;
}
function skillLabel(skill: AdminSkillLifecycleSkill) {
const version = text(skill.version, "");
const title = text(skill.name ?? skill.invocation ?? skill.skillId, skill.skillId);
return version ? `${title} · ${skill.skillId} · ${version}` : `${title} · ${skill.skillId}`;
}
function skillName(skill: AdminSkillLifecycleSkill) {
return text(skill.name ?? skill.invocation ?? skill.skillId, skill.skillId);
}
function deriveCatalog(skills: AdminSkillLifecycleSkill[]): AdminSkillLifecycleCatalogItem[] {
const catalog = new Map<string, AdminSkillLifecycleCatalogItem>();
for (const skill of skills) {
const name = skillName(skill);
const existing = catalog.get(name) ?? {
name,
invocation: text(skill.invocation, ""),
description: text(skill.description, ""),
deviceCount: 0,
devices: [],
};
existing.devices = [
...(existing.devices ?? []),
{
skillId: skill.skillId,
deviceId: text(skill.deviceId, ""),
path: text(skill.path, ""),
category: text(skill.category, ""),
updatedAt: text(skill.updatedAt, ""),
},
].filter((item) => item.skillId && item.deviceId);
existing.deviceCount = existing.devices.length;
catalog.set(name, existing);
}
return [...catalog.values()].sort((left, right) => left.name.localeCompare(right.name, "zh-CN"));
}
function requestTime(request: AdminSkillLifecycleRequest) {
return text(request.updatedAt ?? request.completedAt ?? request.claimedAt ?? request.requestedAt);
}
function actionMeta(action: unknown) {
return lifecycleActions.find((item) => item.value === action) ?? lifecycleActions[0];
}
function compact(values: LifecycleFormValues) {
const payload: Record<string, string> = {
action: values.action,
};
for (const key of [
"deviceId",
"skillId",
"sourceUrl",
"trustedSource",
"trustedSourceId",
"checksum",
"expectedChecksum",
"targetVersion",
"rollbackToVersion",
"lockedVersion",
"note",
] satisfies Array<keyof LifecycleFormValues>) {
const value = trimmed(values[key]);
if (value) payload[key] = value;
}
return payload;
}
async function readError(response: Response) {
const payload = (await response.json().catch(() => null)) as { message?: string } | null;
return payload?.message || `HTTP ${response.status}`;
}
export function AdminSkillLifecyclePanel({
devices = [],
skills = [],
skillCatalog = [],
initialRequests,
initialLifecycleRequests,
trustedSources = [],
className,
}: AdminSkillLifecyclePanelProps) {
const [form] = Form.useForm<LifecycleFormValues>();
const [messageApi, messageContext] = message.useMessage();
const [requests, setRequests] = useState<AdminSkillLifecycleRequest[]>(
() => initialRequests ?? initialLifecycleRequests ?? [],
);
const [availableDevices, setAvailableDevices] = useState<AdminSkillLifecycleDevice[]>(devices);
const [availableSkills, setAvailableSkills] = useState<AdminSkillLifecycleSkill[]>(skills);
const [availableSkillCatalog, setAvailableSkillCatalog] =
useState<AdminSkillLifecycleCatalogItem[]>(skillCatalog);
const [action, setAction] = useState<AdminSkillLifecycleAction>("install");
const [selectedDeviceId, setSelectedDeviceId] = useState("");
const [selectedSkillName, setSelectedSkillName] = useState("");
const [loadingRequests, setLoadingRequests] = useState(false);
const [submitting, setSubmitting] = useState(false);
const [error, setError] = useState("");
const deviceOptions = useMemo(
() =>
availableDevices
.map((device) => ({ value: deviceIdOf(device), label: deviceLabel(device) }))
.filter((option) => option.value),
[availableDevices],
);
const skillOptions = useMemo(() => {
const available = selectedDeviceId
? availableSkills.filter((skill) => !skill.deviceId || skill.deviceId === selectedDeviceId)
: availableSkills;
return available.map((skill) => ({
value: skill.skillId,
label: skillLabel(skill),
}));
}, [selectedDeviceId, availableSkills]);
const trustedSourceOptions = useMemo(
() =>
trustedSources
.map((source) => {
const value = text(source.trustedSourceId ?? source.id, "");
const label = text(source.label ?? source.name ?? source.trustedSourceId ?? source.id, value);
return { value, label };
})
.filter((option) => option.value),
[trustedSources],
);
const catalogItems = useMemo(
() => (availableSkillCatalog.length > 0 ? availableSkillCatalog : deriveCatalog(availableSkills)),
[availableSkillCatalog, availableSkills],
);
const selectedSkill = useMemo(
() => catalogItems.find((item) => item.name === selectedSkillName) ?? catalogItems[0],
[catalogItems, selectedSkillName],
);
const deviceById = useMemo(() => {
const next = new Map<string, AdminSkillLifecycleDevice>();
for (const device of availableDevices) {
next.set(deviceIdOf(device), device);
}
return next;
}, [availableDevices]);
const activeDeviceIds = useMemo(
() => (selectedSkill?.devices ?? []).map((device) => device.deviceId).filter(Boolean),
[selectedSkill],
);
const selectedSkillRequests = useMemo(() => {
if (!selectedSkill) return requests.slice(0, 6);
const selectedSkillIds = new Set((selectedSkill.devices ?? []).map((device) => device.skillId));
const selectedDevices = new Set(activeDeviceIds);
return requests
.filter((request) => {
if (request.skillId && selectedSkillIds.has(request.skillId)) return true;
if (request.deviceId && selectedDevices.has(request.deviceId)) return true;
return false;
})
.slice(0, 6);
}, [activeDeviceIds, requests, selectedSkill]);
async function refreshRequests() {
setLoadingRequests(true);
setError("");
try {
const response = await fetch(skillLifecycleRequestsEndpoint, {
method: "GET",
credentials: "include",
cache: "no-store",
});
if (!response.ok) {
throw new Error(await readError(response));
}
const payload = (await response.json()) as {
ok?: boolean;
requests?: AdminSkillLifecycleRequest[];
message?: string;
};
if (payload.ok === false) {
throw new Error(payload.message || "请求列表读取失败");
}
setRequests(Array.isArray(payload.requests) ? payload.requests : []);
} catch (nextError) {
const messageText = nextError instanceof Error ? nextError.message : "请求列表读取失败";
setError(messageText);
messageApi.error(messageText);
} finally {
setLoadingRequests(false);
}
}
async function refreshTargets() {
const response = await fetch(adminAccessEndpoint, {
credentials: "include",
cache: "no-store",
});
if (!response.ok) {
throw new Error(await readError(response));
}
const payload = (await response.json()) as {
ok?: boolean;
devices?: AdminSkillLifecycleDevice[];
skills?: AdminSkillLifecycleSkill[];
skillCatalog?: AdminSkillLifecycleCatalogItem[];
message?: string;
};
if (payload.ok === false) {
throw new Error(payload.message || "治理目标读取失败");
}
setAvailableDevices(Array.isArray(payload.devices) ? payload.devices : []);
setAvailableSkills(Array.isArray(payload.skills) ? payload.skills : []);
setAvailableSkillCatalog(Array.isArray(payload.skillCatalog) ? payload.skillCatalog : []);
}
useEffect(() => {
let active = true;
const shouldLoadTargets = devices.length === 0 && skills.length === 0 && skillCatalog.length === 0;
const tasks = [
requests.length === 0 ? refreshRequests() : Promise.resolve(),
shouldLoadTargets ? refreshTargets() : Promise.resolve(),
];
Promise.all(tasks).catch((nextError) => {
if (!active) return;
const messageText = nextError instanceof Error ? nextError.message : "Skill 治理数据读取失败";
setError(messageText);
messageApi.error(messageText);
});
return () => {
active = false;
};
// eslint-disable-next-line react-hooks/exhaustive-deps
}, []);
async function createRequest(values: LifecycleFormValues) {
const payload = compact(values);
if (!payload.deviceId) {
throw new Error("请选择目标设备");
}
if (values.action === "install" && !payload.sourceUrl && !payload.trustedSourceId && !payload.trustedSource) {
throw new Error("安装请求需要填写 sourceUrl 或 trustedSourceId");
}
if (values.action !== "install" && !payload.skillId) {
throw new Error("该操作需要选择已有 Skill");
}
const response = await fetch(skillLifecycleRequestsEndpoint, {
method: "POST",
credentials: "include",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(payload),
});
if (!response.ok) {
throw new Error(await readError(response));
}
const result = (await response.json()) as { ok?: boolean; message?: string };
if (result.ok === false) {
throw new Error(result.message || "请求创建失败");
}
}
async function submitForm() {
setSubmitting(true);
setError("");
try {
const values = await form.validateFields();
await createRequest(values);
messageApi.success("Skill 生命周期请求已创建");
form.setFieldsValue({
sourceUrl: undefined,
trustedSource: undefined,
trustedSourceId: undefined,
checksum: undefined,
expectedChecksum: undefined,
targetVersion: undefined,
rollbackToVersion: undefined,
lockedVersion: undefined,
note: undefined,
});
await refreshRequests();
} catch (nextError) {
const messageText = nextError instanceof Error ? nextError.message : "请求创建失败";
setError(messageText);
messageApi.error(messageText);
} finally {
setSubmitting(false);
}
}
const columns: ColumnsType<AdminSkillLifecycleRequest> = [
{
title: "请求",
dataIndex: "action",
width: 170,
render: (_, request) => {
const meta = actionMeta(request.action);
return (
<Space direction="vertical" size={2}>
<Tag color={meta.color}>{meta.label}</Tag>
<Typography.Text type="secondary" className="text-xs">
{text(request.requestId ?? request.id)}
</Typography.Text>
</Space>
);
},
},
{
title: "目标",
dataIndex: "deviceId",
render: (_, request) => (
<Space direction="vertical" size={2}>
<Typography.Text>{text(request.deviceId)}</Typography.Text>
<Typography.Text type="secondary" className="text-xs">
{text(request.skillId ?? request.sourceUrl ?? request.trustedSourceId ?? request.trustedSource)}
</Typography.Text>
</Space>
),
},
{
title: "版本 / 来源",
dataIndex: "targetVersion",
render: (_, request) => (
<Space direction="vertical" size={2}>
<Typography.Text>{text(request.targetVersion ?? request.rollbackToVersion ?? request.lockedVersion)}</Typography.Text>
<Typography.Text type="secondary" className="text-xs">
{text(request.checksum ?? request.expectedChecksum ?? request.sourceUrl ?? request.trustedSourceId)}
</Typography.Text>
</Space>
),
},
{
title: "状态",
dataIndex: "status",
width: 130,
render: (status) => {
const value = text(status, "pending");
return <Tag color={statusColors[value] ?? "default"}>{value}</Tag>;
},
},
{
title: "发起",
dataIndex: "requestedAt",
width: 190,
render: (_, request) => (
<Space direction="vertical" size={2}>
<Typography.Text>{text(request.requestedBy)}</Typography.Text>
<Typography.Text type="secondary" className="text-xs">
{text(request.requestedAt ?? request.updatedAt)}
</Typography.Text>
</Space>
),
},
{
title: "结果",
dataIndex: "resultSummary",
render: (_, request) => text(request.resultSummary ?? request.error ?? request.note),
},
];
const currentAction = actionMeta(action);
const needsExistingSkill = action !== "install";
const showsSource = action === "install" || action === "update";
const showsChecksum = action === "install" || action === "update";
const recentRequests = requests.slice(0, 3);
const pendingRequests = requests.filter((request) => text(request.status, "pending") === "pending").length;
const failedRequests = requests.filter((request) => text(request.status, "").includes("failed")).length;
const activeDeviceRows = selectedSkill?.devices ?? [];
const checksumRows = [
{ key: "来源", value: showsSource ? "sourceUrl / trustedSourceId" : "既有 Skill" },
{ key: "校验", value: showsChecksum ? "checksum / expectedChecksum" : "按请求记录追踪" },
{ key: "回滚", value: "请求记录追踪" },
];
return (
<div className={`${adminDense} ${className ?? ""}`}>
{messageContext}
<div className="sr-only">{panelSubtitle}</div>
<div className="mb-3 rounded-[24px] border border-[#E2E8E2] bg-white px-5 py-4 shadow-[0_10px_30px_rgba(16,24,20,0.04)]">
<div className="flex flex-wrap items-start justify-between gap-3">
<div>
<Typography.Title level={4} className="!mb-1">
Skill
</Typography.Title>
<Typography.Text type="secondary">
Skill
</Typography.Text>
</div>
<Button onClick={() => void Promise.all([refreshTargets(), refreshRequests()])} loading={loadingRequests}>
Skill
</Button>
</div>
<div className="mt-4 grid gap-3 lg:grid-cols-4">
{[
{ label: "Skill 目录", value: catalogItems.length, tone: "text-[#06C167]" },
{ label: "授权对象", value: activeDeviceIds.length, tone: "text-[#1677FF]" },
{ label: "待处理请求", value: pendingRequests, tone: "text-[#FA8C16]" },
{ label: "失败请求", value: failedRequests, tone: "text-[#FF4D4F]" },
].map((item) => (
<div key={item.label} className="rounded-2xl border border-[#EEF1EE] bg-[#FAFBFA] px-4 py-3">
<div className="text-xs text-[#718075]">{item.label}</div>
<div className={`mt-1 text-2xl font-semibold ${item.tone}`}>{item.value}</div>
</div>
))}
</div>
</div>
<div className="grid gap-3 xl:grid-cols-[320px_minmax(0,1fr)_420px]">
<Card className={adminCard} title="Skill 目录">
{catalogItems.length === 0 ? (
<Empty description="暂无 Skill请先等待设备同步本机 Skill 清单" />
) : (
<div className="space-y-2">
{catalogItems.map((item) => {
const selected = selectedSkill?.name === item.name;
const firstDevice = item.devices?.[0];
return (
<button
key={item.name}
type="button"
className={`w-full rounded-2xl border px-3 py-3 text-left transition ${
selected ? "border-[#06C167] bg-[#EDFFF5]" : "border-[#EEF1EE] bg-white hover:bg-[#F7FAF7]"
}`}
onClick={() => {
setSelectedSkillName(item.name);
if (firstDevice) {
setSelectedDeviceId(firstDevice.deviceId);
form.setFieldsValue({
deviceId: firstDevice.deviceId,
skillId: action === "install" ? undefined : firstDevice.skillId,
});
}
}}
>
<div className="flex items-center justify-between gap-2">
<span className="text-sm font-semibold text-[#101814]">{item.name}</span>
<Tag color={selected ? "green" : "default"}>{text(item.deviceCount ?? item.devices?.length, "0")} </Tag>
</div>
<div className="mt-1 line-clamp-2 text-xs leading-5 text-[#718075]">
{text(item.description ?? item.invocation, "暂无说明")}
</div>
</button>
);
})}
</div>
)}
</Card>
<div className="space-y-3">
<Card className={adminCard} title="Skill 详情">
{selectedSkill ? (
<div className="space-y-4">
<div>
<Typography.Title level={5} className="!mb-1">
{selectedSkill.name}
</Typography.Title>
<Typography.Paragraph className="!mb-0 text-[#5F6B63]">
{text(selectedSkill.description, "暂无说明,建议补齐 SKILL.md 的 description方便企业管理员判断用途。")}
</Typography.Paragraph>
</div>
<div className="grid gap-3 lg:grid-cols-3">
<div className="rounded-2xl bg-[#F7FAF7] px-4 py-3">
<div className="text-xs text-[#718075]"></div>
<div className="mt-1 truncate text-sm font-medium text-[#101814]">{text(selectedSkill.invocation)}</div>
</div>
<div className="rounded-2xl bg-[#F7FAF7] px-4 py-3">
<div className="text-xs text-[#718075]"></div>
<div className="mt-1 text-sm font-medium text-[#101814]">{activeDeviceIds.length} </div>
</div>
<div className="rounded-2xl bg-[#F7FAF7] px-4 py-3">
<div className="text-xs text-[#718075]"></div>
<div className="mt-1 truncate text-sm font-medium text-[#101814]">
{text(activeDeviceRows[0]?.updatedAt)}
</div>
</div>
</div>
</div>
) : (
<Empty description="请选择一个 Skill" />
)}
</Card>
<Card className={adminCard} title="授权对象">
<Table
rowKey={(row) => `${row.deviceId}-${row.skillId}`}
pagination={false}
size="small"
dataSource={activeDeviceRows}
columns={[
{
title: "设备",
render: (_, row) => {
const device = deviceById.get(row.deviceId);
return (
<Space direction="vertical" size={2}>
<Typography.Text>{text(device?.name ?? device?.deviceName ?? row.deviceId)}</Typography.Text>
<Typography.Text type="secondary" className="text-xs">
{row.deviceId}
</Typography.Text>
</Space>
);
},
},
{
title: "状态",
width: 110,
render: (_, row) => {
const status = text(deviceById.get(row.deviceId)?.status ?? deviceById.get(row.deviceId)?.onlineStatus);
return <Tag color={status === "online" ? "green" : "default"}>{status}</Tag>;
},
},
{ title: "路径", dataIndex: "path", render: (value) => text(value) },
{ title: "分类", dataIndex: "category", width: 140, render: (value) => text(value) },
]}
/>
</Card>
<Card className={adminCard} title="执行轨迹">
<Table
rowKey={(request, index) => text(request.requestId ?? request.id ?? index, String(index))}
pagination={false}
size="small"
dataSource={selectedSkillRequests}
columns={[
{ title: "动作", render: (_, request) => <Tag color={actionMeta(request.action).color}>{actionMeta(request.action).label}</Tag> },
{ title: "设备", dataIndex: "deviceId", render: (value) => text(value) },
{
title: "状态",
render: (_, request) => {
const value = text(request.status, "pending");
return <Tag color={statusColors[value] ?? "default"}>{value}</Tag>;
},
},
{ title: "时间", render: (_, request) => requestTime(request) },
{ title: "结果", render: (_, request) => text(request.resultSummary ?? request.error ?? request.note) },
]}
/>
</Card>
</div>
<Card className={adminCard} title="安装向导" extra={<Tag color={currentAction.color}>{currentAction.label}</Tag>}>
<Alert type="info" showIcon message={currentAction.label} description={currentAction.description} />
<Form<LifecycleFormValues>
form={form}
layout="vertical"
className="mt-4"
initialValues={{ action: "install" }}
onValuesChange={(changedValues, allValues) => {
if (changedValues.action) {
const nextAction = allValues.action ?? "install";
setAction(nextAction);
const firstDevice = selectedSkill?.devices?.[0];
if (nextAction !== "install" && firstDevice) {
setSelectedDeviceId(firstDevice.deviceId);
form.setFieldsValue({ deviceId: firstDevice.deviceId, skillId: firstDevice.skillId });
}
}
if (Object.prototype.hasOwnProperty.call(changedValues, "deviceId")) {
setSelectedDeviceId(allValues.deviceId ?? "");
form.setFieldValue("skillId", undefined);
}
}}
onFinish={() => void submitForm()}
>
<Form.Item name="action" label="治理动作" rules={[{ required: true, message: "请选择治理动作" }]}>
<Select
options={lifecycleActions.map((item) => ({
value: item.value,
label: `${item.label} (${item.value})`,
}))}
/>
</Form.Item>
<Form.Item name="deviceId" label="目标设备" rules={[{ required: true, message: "请选择目标设备" }]}>
<Select
showSearch
placeholder="选择要执行 Skill 操作的电脑"
optionFilterProp="label"
options={deviceOptions}
notFoundContent="暂无可选设备"
/>
</Form.Item>
{needsExistingSkill ? (
<Form.Item name="skillId" label="目标 Skill" rules={[{ required: true, message: "请选择已有 Skill" }]}>
<Select
showSearch
placeholder="选择该设备上的 Skill"
optionFilterProp="label"
options={skillOptions}
notFoundContent={selectedDeviceId ? "该设备暂无 Skill" : "请先选择设备"}
/>
</Form.Item>
) : null}
{showsSource ? (
<>
<Divider plain></Divider>
<Form.Item name="sourceUrl" label="Git / 包来源地址">
<Input placeholder="https://git.example.com/org/skill.git" />
</Form.Item>
<Form.Item name="trustedSourceId" label="受信源">
<AutoComplete
placeholder="可选择受信源,也可手动输入 trustedSourceId"
options={trustedSourceOptions}
filterOption={(inputValue, option) =>
text(option?.label ?? option?.value, "")
.toLowerCase()
.includes(inputValue.toLowerCase())
}
/>
</Form.Item>
<Form.Item name="trustedSource" label="来源备注">
<Input placeholder="可选:受信源名称或别名" />
</Form.Item>
</>
) : null}
{action === "update" ? (
<Form.Item name="targetVersion" label="目标版本">
<Input placeholder="例如 1.2.0 或 git ref" />
</Form.Item>
) : null}
{action === "rollback" ? (
<Form.Item name="rollbackToVersion" label="回滚版本">
<Input placeholder="例如 1.1.0 或备份版本" />
</Form.Item>
) : null}
{action === "version_lock" ? (
<Form.Item name="lockedVersion" label="锁定版本">
<Input placeholder="例如 1.1.0" />
</Form.Item>
) : null}
{showsChecksum ? (
<>
<Divider plain></Divider>
<Form.Item name="checksum" label="当前 checksum">
<Input placeholder="可选 sha256" />
</Form.Item>
<Form.Item name="expectedChecksum" label="期望 checksum">
<Input placeholder="兼容设备端 expectedChecksum" />
</Form.Item>
</>
) : null}
<Form.Item name="note" label="操作说明">
<Input.TextArea rows={3} placeholder="说明变更原因、回滚原因或风险备注" />
</Form.Item>
{error ? <Alert className="mb-4" type="warning" showIcon message={error} /> : null}
<Button type="primary" htmlType="submit" loading={submitting} block>
</Button>
</Form>
</Card>
</div>
<div className="mt-3 space-y-3">
<Card
className={adminCard}
title="全部请求"
extra={
<Button onClick={() => void refreshRequests()} loading={loadingRequests}>
</Button>
}
>
<Table
rowKey={(request, index) =>
text(request.requestId ?? request.id ?? `${request.action}-${request.deviceId}-${index}`, String(index))
}
columns={columns}
dataSource={requests}
loading={loadingRequests}
pagination={{ pageSize: 8 }}
size="small"
scroll={{ x: 980 }}
/>
</Card>
<div className="grid gap-3 xl:grid-cols-2">
<Card className={adminCard} title="最近结果">
<Table
rowKey={(request, index) => text(request.requestId ?? request.id ?? index, String(index))}
pagination={false}
size="small"
dataSource={recentRequests}
columns={[
{ title: "设备", render: (_, request) => text(request.deviceId) },
{ title: "动作", render: (_, request) => actionMeta(request.action).label },
{
title: "状态",
render: (_, request) => {
const value = text(request.status, "pending");
return <Tag color={statusColors[value] ?? "default"}>{value}</Tag>;
},
},
]}
/>
</Card>
<Card className={adminCard} title="校验信息">
<Table
rowKey="key"
pagination={false}
size="small"
dataSource={checksumRows}
columns={[
{ title: "字段", dataIndex: "key", width: 140 },
{ title: "值", dataIndex: "value" },
]}
/>
</Card>
</div>
</div>
</div>
);
}

721
src/components/admin/boss-admin-app.tsx Normal file
View File

@@ -0,0 +1,721 @@
"use client";
import { useEffect, useState } from "react";
import type { ReactNode } from "react";
import { Refine } from "@refinedev/core";
import {
Alert,
Button,
Card,
ConfigProvider,
Empty,
Input,
Statistic,
Table,
Tabs,
Tag,
theme,
message,
} from "antd";
import zhCN from "antd/locale/zh_CN";
import type { ColumnsType } from "antd/es/table";
import { AdminAccessPanel } from "@/components/admin/admin-access-panel";
import { AdminSkillLifecyclePanel } from "@/components/admin/admin-skill-lifecycle-panel";
import {
type BossAdminOverview,
createBossAdminDataProvider,
} from "@/components/admin/boss-admin-data-provider";
type AdminRow = Record<string, unknown>;
type BossAdminAppProps = {
initialOverview?: BossAdminOverview | null;
};
type AdminSection = "dashboard" | "customers" | "permissions" | "governance";
type RiskAction = "ack" | "resolve" | "create_repair_ticket" | "assign_owner" | "set_sla";
const resources = [
{ name: "companies", list: "/admin#companies", meta: { label: "公司" } },
{ name: "accounts", list: "/admin#accounts", meta: { label: "账号" } },
{ name: "devices", list: "/admin#devices", meta: { label: "设备" } },
{ name: "risks", list: "/admin#risks", meta: { label: "风险" } },
{ name: "notifications", list: "/admin#notifications", meta: { label: "通知" } },
{ name: "auditLogs", list: "/admin#auditLogs", meta: { label: "审计日志" } },
];
const adminShell = "min-h-screen bg-[#F3F5F2] p-5 text-[#101814]";
const adminChrome =
"mx-auto grid min-h-[calc(100vh-40px)] max-w-[1680px] grid-cols-[248px_minmax(0,1fr)] overflow-hidden rounded-[30px] border border-[#E0E6E1] bg-white shadow-[0_32px_100px_rgba(22,37,28,0.10)]";
const adminSidebar = "border-r border-[#E3E8E4] bg-[#FBFCFB] px-4 py-5";
const adminHeader = "flex min-h-[86px] items-center border-b border-[#E3E8E4] bg-white px-7";
const adminCardClass = "boss-admin-card border-[#E3E8E4] shadow-[0_14px_42px_rgba(20,35,25,0.045)]";
const adminDense = "boss-admin-dense";
const navItems: Array<{
key: AdminSection;
title: string;
subtitle: string;
marker: string;
}> = [
{ key: "dashboard", title: "平台运营驾驶舱", subtitle: "全局健康与待处理事项", marker: "D" },
{ key: "customers", title: "客户与账号", subtitle: "公司、老板账号与子账号", marker: "C" },
{ key: "permissions", title: "授权工作台", subtitle: "设备、项目与 Skill 权限", marker: "P" },
{ key: "governance", title: "风险与治理", subtitle: "风险、SLA、Skill", marker: "R" },
];
function text(value: unknown, fallback = "-") {
if (value === null || value === undefined || value === "") return fallback;
return String(value);
}
function numberValue(value: unknown) {
return typeof value === "number" && Number.isFinite(value) ? value : 0;
}
function rowId(row: AdminRow, index?: number) {
return text(row.id ?? row.companyId ?? row.account ?? row.deviceId ?? row.riskId ?? row.auditId, String(index ?? 0));
}
function statusTag(value: unknown) {
const status = text(value, "unknown");
const color =
status === "online" || status === "active" || status === "healthy" || status === "completed"
? "green"
: status === "offline" || status === "disabled"
? "default"
: status === "failed" || status === "critical"
? "red"
: "orange";
return <Tag color={color}>{status}</Tag>;
}
function severityTag(value: unknown) {
const severity = text(value, "info");
const color = severity === "critical" || severity === "high" ? "red" : severity === "warning" || severity === "medium" ? "orange" : "blue";
return <Tag color={color}>{severity}</Tag>;
}
function riskTarget(row: AdminRow) {
return text(row.target ?? row.deviceId ?? row.projectId ?? row.account ?? row.companyId);
}
function sectionTitle(section: AdminSection) {
return navItems.find((item) => item.key === section)?.title ?? "平台运营驾驶舱";
}
function currentSubtitle(section: AdminSection) {
return navItems.find((item) => item.key === section)?.subtitle ?? "全局健康与待处理事项";
}
function customerHealthTone(company: AdminRow) {
const riskCount = numberValue(company.openRiskCount);
const deviceCount = numberValue(company.deviceCount);
const onlineCount = numberValue(company.onlineDeviceCount);
if (riskCount >= 3) return { label: "需介入", color: "red" };
if (deviceCount > 0 && onlineCount === 0) return { label: "离线", color: "orange" };
if (riskCount > 0) return { label: "观察", color: "gold" };
return { label: "健康", color: "green" };
}
const riskColumns: ColumnsType<AdminRow> = [
{ title: "风险", dataIndex: "title", render: (_, row) => text(row.title ?? row.name ?? row.kind) },
{ title: "级别", dataIndex: "severity", width: 104, render: severityTag },
{ title: "对象", dataIndex: "target", width: 170, render: (_, row) => riskTarget(row) },
{ title: "负责人", dataIndex: "ownerAccount", width: 150, render: (_, row) => text(row.ownerAccount, "未指派") },
{ title: "SLA", dataIndex: "slaDueAt", width: 180, render: (_, row) => text(row.slaDueAt, "未设置") },
{ title: "状态", dataIndex: "status", width: 104, render: statusTag },
];
const deviceColumns: ColumnsType<AdminRow> = [
{ title: "设备", dataIndex: "name", render: (_, row) => text(row.name ?? row.deviceName ?? row.deviceId ?? row.id) },
{ title: "状态", dataIndex: "status", width: 105, render: (_, row) => statusTag(row.status ?? row.onlineStatus) },
{ title: "GUI", dataIndex: "codexGuiOnline", width: 86, render: (_, row) => statusTag(row.codexGuiOnline ? "online" : "offline") },
{ title: "CLI", dataIndex: "codexCliOnline", width: 86, render: (_, row) => statusTag(row.codexCliOnline ? "online" : "offline") },
{ title: "风险", dataIndex: "openRiskCount", width: 86, render: numberValue },
{ title: "最近心跳", dataIndex: "lastSeenAt", width: 210, render: (_, row) => text(row.lastSeenAt ?? row.updatedAt) },
];
const companyColumns: ColumnsType<AdminRow> = [
{ title: "公司", dataIndex: "name", render: (_, row) => text(row.name ?? row.companyName ?? row.companyId) },
{ title: "健康", dataIndex: "health", width: 100, render: (_, row) => {
const tone = customerHealthTone(row);
return <Tag color={tone.color}>{tone.label}</Tag>;
} },
{ title: "账号", dataIndex: "accountCount", width: 86, render: numberValue },
{ title: "在线设备", dataIndex: "onlineDeviceCount", width: 112, render: (_, row) => `${numberValue(row.onlineDeviceCount)}/${numberValue(row.deviceCount)}` },
{ title: "开放风险", dataIndex: "openRiskCount", width: 104, render: numberValue },
{ title: "客户成功", dataIndex: "successOwnerAccount", width: 150, render: (_, row) => text(row.successOwnerAccount, "未指派") },
];
const accountColumns: ColumnsType<AdminRow> = [
{ title: "账号", dataIndex: "account", render: (_, row) => text(row.account ?? row.phone ?? row.id) },
{ title: "角色", dataIndex: "role", width: 130, render: statusTag },
{ title: "公司", dataIndex: "companyName", render: (_, row) => text(row.companyName ?? row.companyId) },
{ title: "状态", dataIndex: "status", width: 118, render: statusTag },
{ title: "最近登录", dataIndex: "lastLoginAt", width: 210, render: (_, row) => text(row.lastLoginAt, "暂无") },
];
const notificationColumns: ColumnsType<AdminRow> = [
{ title: "通知", dataIndex: "title", render: (_, row) => text(row.title ?? row.kind) },
{ title: "级别", dataIndex: "severity", width: 110, render: severityTag },
{ title: "公司", dataIndex: "companyId", width: 150, render: (_, row) => text(row.companyId) },
{ title: "风险", dataIndex: "riskId", width: 220, render: (_, row) => text(row.riskId) },
{ title: "时间", dataIndex: "createdAt", width: 190, render: (_, row) => text(row.createdAt) },
];
async function loadOverview() {
const response = await fetch("/api/v1/admin/overview", {
credentials: "include",
cache: "no-store",
});
if (!response.ok) {
throw new Error(`后台总览读取失败:${response.status}`);
}
return (await response.json()) as BossAdminOverview;
}
function MetricCard({
title,
value,
tone = "default",
hint,
}: {
title: string;
value: number;
tone?: "default" | "green" | "red" | "orange";
hint?: string;
}) {
const valueColor = tone === "green" ? "#07A85A" : tone === "red" ? "#E23D3D" : tone === "orange" ? "#D97706" : "#101814";
return (
<Card className={adminCardClass}>
<Statistic title={title} value={value} valueStyle={{ color: valueColor, fontWeight: 800 }} />
{hint ? <div className="mt-2 text-xs text-[#758078]">{hint}</div> : null}
</Card>
);
}
function PanelTitle({ title, subtitle, extra }: { title: string; subtitle?: string; extra?: ReactNode }) {
return (
<div className="mb-4 flex items-end justify-between gap-4">
<div>
<div className="text-[18px] font-black tracking-[-0.02em] text-[#101814]">{title}</div>
{subtitle ? <div className="mt-1 text-sm text-[#68746D]">{subtitle}</div> : null}
</div>
{extra ? <div className="shrink-0">{extra}</div> : null}
</div>
);
}
function EmptyBlock({ textValue }: { textValue: string }) {
return <Empty image={Empty.PRESENTED_IMAGE_SIMPLE} description={textValue} />;
}
type RiskActionsProps = {
selectedRisk?: AdminRow;
actionBusy: string;
onSubmit: (risk: AdminRow, action: RiskAction, extraBody?: Record<string, unknown>) => void;
};
function RiskActionPanel({ selectedRisk, actionBusy, onSubmit }: RiskActionsProps) {
const [ownerAccount, setOwnerAccount] = useState("");
const [slaDueAt, setSlaDueAt] = useState("");
const riskId = selectedRisk ? text(selectedRisk.riskId ?? selectedRisk.id, "") : "";
const kind = selectedRisk ? text(selectedRisk.kind, "") : "";
const canAckResolve = kind === "ops_fault" || kind === "thread_context_alert";
const canCreateTicket = kind === "ops_fault";
if (!selectedRisk) {
return (
<Card className={adminCardClass}>
<PanelTitle title="处理面板" subtitle="选择左侧风险后,在这里指派负责人、设置 SLA 或创建修复工单。" />
<EmptyBlock textValue="暂无选中风险" />
</Card>
);
}
return (
<Card className={adminCardClass}>
<PanelTitle title="处理面板" subtitle="所有动作都会写入风险时间线和权限审计。" />
<div className="space-y-4">
<div className="rounded-2xl border border-[#E3E8E4] bg-[#F8FAF8] p-4">
<div className="flex items-center gap-2">
{severityTag(selectedRisk.severity)}
<span className="font-bold text-[#101814]">{text(selectedRisk.title ?? selectedRisk.kind)}</span>
</div>
<div className="mt-2 text-sm leading-6 text-[#5F6B64]">{text(selectedRisk.detail ?? selectedRisk.summary, "暂无详情")}</div>
<div className="mt-3 text-xs text-[#7B857E]">{riskTarget(selectedRisk)}</div>
</div>
<div>
<div className="mb-1 text-xs font-bold text-[#68746D]"></div>
<div className="flex gap-2">
<Input value={ownerAccount} onChange={(event) => setOwnerAccount(event.target.value)} placeholder="例如 ops@company.com" />
<Button
disabled={!canAckResolve || !ownerAccount.trim()}
loading={actionBusy === `${riskId}:assign_owner`}
onClick={() => onSubmit(selectedRisk, "assign_owner", { ownerAccount: ownerAccount.trim() })}
>
</Button>
</div>
</div>
<div>
<div className="mb-1 text-xs font-bold text-[#68746D]">SLA </div>
<div className="flex gap-2">
<Input value={slaDueAt} onChange={(event) => setSlaDueAt(event.target.value)} placeholder="2026-04-30T18:00:00+08:00" />
<Button
disabled={!canAckResolve || !slaDueAt.trim()}
loading={actionBusy === `${riskId}:set_sla`}
onClick={() => onSubmit(selectedRisk, "set_sla", { slaDueAt: slaDueAt.trim() })}
>
SLA
</Button>
</div>
</div>
<div className="grid grid-cols-3 gap-2">
<Button disabled={!canAckResolve} loading={actionBusy === `${riskId}:ack`} onClick={() => onSubmit(selectedRisk, "ack")}>
</Button>
<Button disabled={!canAckResolve} loading={actionBusy === `${riskId}:resolve`} onClick={() => onSubmit(selectedRisk, "resolve")}>
</Button>
<Button
type="primary"
disabled={!canCreateTicket}
loading={actionBusy === `${riskId}:create_repair_ticket`}
onClick={() => onSubmit(selectedRisk, "create_repair_ticket")}
>
</Button>
</div>
{!canAckResolve ? (
<Alert
type="warning"
showIcon
message="该风险类型当前只读"
description="当前动作接口暂不支持该风险类型,后台保留展示但不会假装处置成功。"
/>
) : null}
</div>
</Card>
);
}
function DashboardView({
stats,
companies,
devices,
risks,
notifications,
timeline,
onOpenRisk,
}: {
stats: AdminRow;
companies: AdminRow[];
devices: AdminRow[];
risks: AdminRow[];
notifications: AdminRow[];
timeline: AdminRow[];
onOpenRisk: () => void;
}) {
const topRisks = risks.slice(0, 5);
const topCompanies = companies.slice().sort((left, right) => numberValue(right.openRiskCount) - numberValue(left.openRiskCount)).slice(0, 6);
return (
<div className={`${adminDense} space-y-5`}>
<section>
<PanelTitle title="今日待处理" subtitle="先看需要平台侧介入的客户、设备和主 Agent 风险。" />
<div className="grid gap-4 lg:grid-cols-5">
<MetricCard title="客户公司" value={numberValue(stats.companies ?? companies.length)} hint="当前纳入平台管理的公司" />
<MetricCard title="账号" value={numberValue(stats.accounts)} hint="含最高管理员与客户账号" />
<MetricCard title="在线设备" value={numberValue(stats.onlineDevices)} tone="green" hint={`总设备 ${numberValue(stats.devices ?? devices.length)}`} />
<MetricCard title="开放风险" value={numberValue(stats.openRisks ?? risks.length)} tone="red" hint={`关键 ${numberValue(stats.criticalRisks)}`} />
<MetricCard title="风险通知" value={numberValue(stats.openNotifications ?? notifications.length)} tone="orange" hint="SLA 与主动通知" />
</div>
</section>
<div className="grid gap-5 lg:grid-cols-[0.95fr_1.05fr]">
<Card className={adminCardClass}>
<PanelTitle title="客户健康排行" subtitle="优先跟进开放风险最多或设备离线的客户。" />
<div className="space-y-3">
{topCompanies.length > 0 ? topCompanies.map((company) => {
const tone = customerHealthTone(company);
return (
<div key={rowId(company)} className="flex items-center justify-between rounded-2xl border border-[#E3E8E4] bg-[#FBFCFB] px-4 py-3">
<div>
<div className="font-bold text-[#101814]">{text(company.name ?? company.companyName ?? company.companyId)}</div>
<div className="mt-1 text-xs text-[#68746D]">
{numberValue(company.accountCount)} · {numberValue(company.onlineDeviceCount)}/{numberValue(company.deviceCount)} · {text(company.successOwnerAccount, "未指派")}
</div>
</div>
<div className="flex items-center gap-2">
<Tag color={tone.color}>{tone.label}</Tag>
<span className="text-sm font-bold text-[#E23D3D]">{numberValue(company.openRiskCount)} </span>
</div>
</div>
);
}) : <EmptyBlock textValue="暂无客户数据" />}
</div>
</Card>
<Card className={adminCardClass}>
<PanelTitle
title="关键风险队列"
subtitle="只展示最该处理的前几条,完整队列在风险与治理里。"
extra={<Button onClick={onOpenRisk}></Button>}
/>
{topRisks.length > 0 ? (
<Table rowKey={rowId} columns={riskColumns} dataSource={topRisks} pagination={false} size="small" />
) : (
<EmptyBlock textValue="暂无开放高优风险" />
)}
</Card>
</div>
<div className="grid gap-5 lg:grid-cols-[1.05fr_0.95fr]">
<Card className={adminCardClass}>
<PanelTitle title="节点健康" subtitle="集中查看客户电脑、Codex GUI/CLI 与最近心跳。" />
<Table rowKey={rowId} columns={deviceColumns} dataSource={devices.slice(0, 8)} pagination={false} size="small" />
</Card>
<Card className={adminCardClass}>
<PanelTitle title="最近事件" subtitle="风险通知和处置时间线,避免平台侧漏跟进。" />
<div className="space-y-3">
{[...notifications, ...timeline].slice(0, 7).map((event, index) => (
<div key={rowId(event, index)} className="rounded-2xl border border-[#E3E8E4] bg-[#FBFCFB] px-4 py-3">
<div className="flex items-center justify-between gap-2">
<div className="font-bold text-[#101814]">{text(event.title ?? event.action ?? event.kind, "事件")}</div>
{severityTag(event.severity ?? "info")}
</div>
<div className="mt-1 text-xs text-[#68746D]">{text(event.createdAt ?? event.updatedAt ?? event.time, "暂无时间")}</div>
</div>
))}
{notifications.length === 0 && timeline.length === 0 ? <EmptyBlock textValue="暂无风险事件" /> : null}
</div>
</Card>
</div>
</div>
);
}
function CustomersView({ companies, accounts, devices }: { companies: AdminRow[]; accounts: AdminRow[]; devices: AdminRow[] }) {
return (
<div className={`${adminDense} space-y-5`}>
<div className="grid gap-5 lg:grid-cols-[1.1fr_0.9fr]">
<Card className={adminCardClass}>
<PanelTitle title="客户与账号" subtitle="先看客户公司,再进入账号、设备和权限配置。" />
<Table rowKey={rowId} columns={companyColumns} dataSource={companies} pagination={{ pageSize: 8 }} size="small" />
</Card>
<Card className={adminCardClass}>
<PanelTitle title="客户开通任务流" subtitle="把公司、老板账号、设备和 Skill 权限串成一个交付动作。" />
<div className="space-y-3">
{["创建客户公司", "开通老板账号", "绑定客户电脑", "分配项目与 Skill 权限"].map((item, index) => (
<div key={item} className="flex items-center gap-3 rounded-2xl border border-[#E3E8E4] bg-[#FBFCFB] px-4 py-3">
<span className="grid size-8 place-items-center rounded-full bg-[#101814] text-xs font-black text-white">{index + 1}</span>
<div>
<div className="font-bold text-[#101814]">{item}</div>
<div className="text-xs text-[#68746D]"></div>
</div>
</div>
))}
</div>
</Card>
</div>
<div className="grid gap-5 lg:grid-cols-[1fr_1fr]">
<Card className={adminCardClass}>
<PanelTitle title="账号列表" subtitle="查看角色、状态、公司和最近登录。" />
<Table rowKey={rowId} columns={accountColumns} dataSource={accounts} pagination={{ pageSize: 8 }} size="small" />
</Card>
<Card className={adminCardClass}>
<PanelTitle title="客户设备" subtitle="确认设备归属和在线状态。" />
<Table rowKey={rowId} columns={deviceColumns} dataSource={devices} pagination={{ pageSize: 8 }} size="small" />
</Card>
</div>
</div>
);
}
function PermissionsView() {
return (
<div className={`${adminDense} space-y-5`}>
<Card className={adminCardClass}>
<PanelTitle
title="授权工作台"
subtitle="按账号分配设备、项目与 Skill 权限;高危动作保留二次确认和审计。"
/>
<AdminAccessPanel className={adminDense} />
</Card>
</div>
);
}
function GovernanceView({
risks,
notifications,
selectedRisk,
setSelectedRisk,
actionBusy,
submitRiskAction,
}: {
risks: AdminRow[];
notifications: AdminRow[];
selectedRisk?: AdminRow;
setSelectedRisk: (risk?: AdminRow) => void;
actionBusy: string;
submitRiskAction: (risk: AdminRow, action: RiskAction, extraBody?: Record<string, unknown>) => void;
}) {
return (
<Tabs
className="boss-admin-governance-tabs"
items={[
{
key: "risk",
label: "风险战情室",
children: (
<div className="grid gap-5 lg:grid-cols-[minmax(0,1fr)_420px]">
<Card className={adminCardClass}>
<PanelTitle title="风险与治理" subtitle="按严重程度、客户影响、负责人和 SLA 推进处置。" />
<Table
rowKey={rowId}
columns={riskColumns}
dataSource={risks}
pagination={{ pageSize: 8 }}
size="small"
onRow={(risk) => ({
onClick: () => setSelectedRisk(risk),
className: rowId(risk) === rowId(selectedRisk ?? {}) ? "cursor-pointer bg-[#F1FAF4]" : "cursor-pointer",
})}
/>
</Card>
<div className="space-y-5">
<RiskActionPanel
key={selectedRisk ? rowId(selectedRisk) : "empty-risk"}
selectedRisk={selectedRisk}
actionBusy={actionBusy}
onSubmit={submitRiskAction}
/>
<Card className={adminCardClass}>
<PanelTitle title="风险通知" subtitle="SLA 扫描和主动通知生成的待跟进事项。" />
<Table rowKey={rowId} columns={notificationColumns} dataSource={notifications} pagination={{ pageSize: 5 }} size="small" />
</Card>
</div>
</div>
),
},
{
key: "skills",
label: "Skill 生命周期",
children: (
<Card className={adminCardClass}>
<PanelTitle title="Skill 生命周期" subtitle="安装、更新、卸载、回滚和版本锁定统一排队,设备端按安全策略执行。" />
<AdminSkillLifecyclePanel className={adminDense} />
</Card>
),
},
]}
/>
);
}
export function BossAdminApp({ initialOverview = null }: BossAdminAppProps) {
const [overview, setOverview] = useState<BossAdminOverview | null>(initialOverview);
const [error, setError] = useState("");
const [actionBusy, setActionBusy] = useState("");
const [activeSection, setActiveSection] = useState<AdminSection>("dashboard");
const [selectedRiskId, setSelectedRiskId] = useState("");
const [messageApi, messageContext] = message.useMessage();
useEffect(() => {
if (overview) return;
let active = true;
loadOverview()
.then((nextOverview) => {
if (active) setOverview(nextOverview);
})
.catch((nextError: Error) => {
if (active) setError(nextError.message);
});
return () => {
active = false;
};
}, [overview]);
const stats = overview?.summary ?? overview?.stats ?? {};
const companies = overview?.companies ?? [];
const accounts = overview?.accounts ?? [];
const devices = overview?.devices ?? [];
const risks = overview?.risks ?? [];
const notifications = overview?.notifications ?? [];
const timeline = Array.isArray((overview as { riskTimeline?: AdminRow[] } | null)?.riskTimeline)
? ((overview as { riskTimeline?: AdminRow[] }).riskTimeline ?? [])
: [];
const selectedRisk = risks.find((risk) => rowId(risk) === selectedRiskId) ?? risks[0];
async function refreshOverview() {
setOverview(await loadOverview());
}
async function submitRiskAction(risk: AdminRow, action: RiskAction, extraBody: Record<string, unknown> = {}) {
const riskId = text(risk.riskId ?? risk.id, "");
if (!riskId) return;
setActionBusy(`${riskId}:${action}`);
setError("");
try {
const response = await fetch("/api/v1/admin/risks/actions", {
method: "POST",
credentials: "include",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ riskId, action, ...extraBody }),
});
const payload = (await response.json().catch(() => null)) as { ok?: boolean; message?: string } | null;
if (!response.ok || payload?.ok === false) {
throw new Error(payload?.message || `风险动作失败:${response.status}`);
}
messageApi.success(
action === "ack"
? "已确认风险"
: action === "resolve"
? "已关闭风险"
: action === "assign_owner"
? "已指派负责人"
: action === "set_sla"
? "已设置 SLA"
: "已创建修复工单",
);
await refreshOverview();
} catch (nextError) {
const messageText = nextError instanceof Error ? nextError.message : "风险动作失败";
setError(messageText);
messageApi.error(messageText);
} finally {
setActionBusy("");
}
}
function renderActiveSection() {
if (activeSection === "customers") {
return <CustomersView companies={companies} accounts={accounts} devices={devices} />;
}
if (activeSection === "permissions") {
return <PermissionsView />;
}
if (activeSection === "governance") {
return (
<GovernanceView
risks={risks}
notifications={notifications}
selectedRisk={selectedRisk}
setSelectedRisk={(risk) => setSelectedRiskId(risk ? rowId(risk) : "")}
actionBusy={actionBusy}
submitRiskAction={(risk, action, extraBody) => void submitRiskAction(risk, action, extraBody)}
/>
);
}
return (
<DashboardView
stats={stats}
companies={companies}
devices={devices}
risks={risks}
notifications={notifications}
timeline={timeline}
onOpenRisk={() => setActiveSection("governance")}
/>
);
}
return (
<ConfigProvider
locale={zhCN}
theme={{
algorithm: theme.defaultAlgorithm,
token: {
colorPrimary: "#07C160",
borderRadius: 14,
fontFamily: '"PingFang SC", "Microsoft YaHei", sans-serif',
colorBgLayout: "#F3F5F2",
colorBorderSecondary: "#E3E8E4",
},
components: {
Button: {
controlHeight: 34,
borderRadius: 10,
},
Card: {
headerFontSize: 16,
},
Table: {
headerBg: "#F7F8F7",
cellPaddingBlock: 9,
cellPaddingInline: 10,
},
},
}}
>
<Refine dataProvider={createBossAdminDataProvider(initialOverview ?? undefined)} resources={resources}>
<main className={adminShell}>
{messageContext}
<div className={adminChrome}>
<aside className={adminSidebar}>
<div className="mb-7 px-2">
<div className="text-[24px] font-black tracking-[-0.04em] text-[#101814]">Boss</div>
<div className="mt-1 text-xs font-semibold text-[#7A857D]">To B </div>
</div>
<div className="space-y-2">
{navItems.map((item) => {
const active = activeSection === item.key;
return (
<button
key={item.key}
type="button"
onClick={() => setActiveSection(item.key)}
className={[
"flex w-full items-center gap-3 rounded-2xl px-3 py-3 text-left transition",
active ? "bg-[#EAF8EF] text-[#075F31] shadow-[inset_0_0_0_1px_rgba(7,193,96,0.18)]" : "text-[#46524B] hover:bg-[#F2F5F2]",
].join(" ")}
>
<span className={active ? "grid size-9 place-items-center rounded-xl bg-[#07C160] text-xs font-black text-white" : "grid size-9 place-items-center rounded-xl bg-white text-xs font-black text-[#7A857D] ring-1 ring-[#E3E8E4]"}>
{item.marker}
</span>
<span className="min-w-0">
<span className="block text-sm font-black">{item.title}</span>
<span className="mt-0.5 block truncate text-xs opacity-70">{item.subtitle}</span>
</span>
</button>
);
})}
</div>
<div className="mt-8 rounded-2xl border border-[#E3E8E4] bg-white p-4">
<div className="text-xs font-bold text-[#7A857D]"></div>
<div className="mt-2 flex items-center gap-2">
<span className="grid size-8 place-items-center rounded-full bg-[#07C160] text-xs font-black text-white">k</span>
<span className="text-sm font-bold text-[#101814]">highest_admin</span>
</div>
</div>
</aside>
<section className="min-w-0 bg-[#F8FAF8]">
<header className={adminHeader}>
<div>
<div className="text-[26px] font-black tracking-[-0.04em] text-[#101814]">{sectionTitle(activeSection)}</div>
<div className="mt-1 text-sm text-[#68746D]">{currentSubtitle(activeSection)}</div>
</div>
<div className="ml-auto flex items-center gap-3">
<Button onClick={() => void refreshOverview()}></Button>
<div className="rounded-full border border-[#E3E8E4] bg-white px-4 py-2 text-sm font-semibold text-[#4B5750]">
</div>
</div>
</header>
<div className="p-7">
{error ? <Alert className="mb-5" type="warning" showIcon message="后台数据暂不可用" description={error} /> : null}
{renderActiveSection()}
</div>
</section>
</div>
</main>
</Refine>
</ConfigProvider>
);
}

121
src/components/admin/boss-admin-data-provider.ts Normal file
View File

@@ -0,0 +1,121 @@
import type {
BaseRecord,
CreateResponse,
DataProvider,
DeleteOneResponse,
DeleteOneParams,
GetListResponse,
GetListParams,
GetOneResponse,
GetOneParams,
CreateParams,
UpdateParams,
UpdateResponse,
} from "@refinedev/core";
export type BossAdminSeverity = "critical" | "high" | "medium" | "low" | "info";
export type BossAdminOverview = {
ok?: boolean;
summary?: {
companies?: number;
accounts?: number;
devices?: number;
onlineDevices?: number;
openRisks?: number;
openNotifications?: number;
criticalRisks?: number;
};
stats?: {
companies?: number;
accounts?: number;
devices?: number;
onlineDevices?: number;
openRisks?: number;
openNotifications?: number;
criticalRisks?: number;
};
companies?: Array<Record<string, unknown>>;
accounts?: Array<Record<string, unknown>>;
devices?: Array<Record<string, unknown>>;
risks?: Array<Record<string, unknown>>;
notifications?: Array<Record<string, unknown>>;
auditLogs?: Array<Record<string, unknown>>;
};
const resourceKeys = new Set(["companies", "accounts", "devices", "risks", "notifications", "auditLogs"]);
async function fetchOverview() {
const response = await fetch("/api/v1/admin/overview", {
credentials: "include",
cache: "no-store",
});
if (!response.ok) {
throw new Error(`Failed to load admin overview: ${response.status}`);
}
return (await response.json()) as BossAdminOverview;
}
function listFromOverview(overview: BossAdminOverview | undefined, resource: string) {
if (!resourceKeys.has(resource)) return [];
const value = overview?.[resource as keyof BossAdminOverview];
return Array.isArray(value) ? value : [];
}
function recordId(item: Record<string, unknown>, index: number) {
return String(item.id ?? item.companyId ?? item.account ?? item.deviceId ?? item.riskId ?? item.auditId ?? index);
}
export function createBossAdminDataProvider(initialOverview?: BossAdminOverview): DataProvider {
let overviewCache = initialOverview;
return {
getList: async <TData extends BaseRecord = BaseRecord>({ resource }: GetListParams) => {
if (!overviewCache) {
overviewCache = await fetchOverview();
}
const data = listFromOverview(overviewCache, resource).map((item, index) => ({
id: recordId(item, index),
...item,
})) as TData[];
return {
data,
total: data.length,
} satisfies GetListResponse<TData>;
},
getOne: async <TData extends BaseRecord = BaseRecord>({ resource, id }: GetOneParams) => {
if (!overviewCache) {
overviewCache = await fetchOverview();
}
const item = listFromOverview(overviewCache, resource).find((entry, index) => {
return recordId(entry, index) === String(id);
});
return {
data: {
id,
...(item ?? {}),
} as TData,
} satisfies GetOneResponse<TData>;
},
create: async <TData extends BaseRecord = BaseRecord, TVariables = unknown>({
variables,
}: CreateParams<TVariables>) =>
({ data: variables as unknown as TData }) satisfies CreateResponse<TData>,
update: async <TData extends BaseRecord = BaseRecord, TVariables = unknown>({
id,
variables,
}: UpdateParams<TVariables>) =>
({ data: { id, ...(variables as BaseRecord) } as TData }) satisfies UpdateResponse<TData>,
deleteOne: async <TData extends BaseRecord = BaseRecord, TVariables = unknown>({
id,
}: DeleteOneParams<TVariables>) =>
({ data: { id } as TData }) satisfies DeleteOneResponse<TData>,
getApiUrl: () => "/api/v1/admin/overview",
};
}

32
src/components/app-ui.tsx
View File

@@ -77,6 +77,12 @@ export function buildDeviceWorkspaceDetailCards(workspace: DeviceWorkspaceView)
items: {
gui: `GUI${selectedDevice?.capabilities?.gui?.connected ? "已连接" : "未连接"}`,
cli: `CLI${selectedDevice?.capabilities?.cli?.connected ? "已连接" : "未连接"}`,
browserAutomation: `浏览器自动化:${
selectedDevice?.capabilities?.browserAutomation?.connected ? "已连接" : "未连接"
}`,
computerUse: `桌面控制:${
selectedDevice?.capabilities?.computerUse?.connected ? "已连接" : "未连接"
}`,
preferredExecutionMode: `默认执行模式:${
selectedDevice?.preferredExecutionMode === "gui"
? "GUI"
@@ -116,12 +122,17 @@ async function waitForLoginSessionReady(nativeClient: boolean) {
return false;
}
function navigateToConversations(router: ReturnType<typeof useRouter>) {
router.replace("/conversations", { scroll: false });
function resolvePostLoginPath() {
return window.location.hostname === "admin.boss.hyzq.net" ? "/admin" : "/conversations";
}
function navigateAfterLogin(router: ReturnType<typeof useRouter>) {
const targetPath = resolvePostLoginPath();
router.replace(targetPath, { scroll: false });
router.refresh();
window.setTimeout(() => {
if (window.location.pathname !== "/conversations") {
window.location.replace("/conversations");
if (window.location.pathname !== targetPath) {
window.location.replace(targetPath);
}
}, 180);
}
@@ -686,6 +697,12 @@ export function DeviceEditorCard({
<div className="grid gap-2 text-[13px] leading-6 text-[#57606A]">
<div className="rounded-2xl bg-[#F7F8FA] px-3 py-2">{detailCards.capabilities.items.gui}</div>
<div className="rounded-2xl bg-[#F7F8FA] px-3 py-2">{detailCards.capabilities.items.cli}</div>
<div className="rounded-2xl bg-[#F7F8FA] px-3 py-2">
{detailCards.capabilities.items.browserAutomation}
</div>
<div className="rounded-2xl bg-[#F7F8FA] px-3 py-2">
{detailCards.capabilities.items.computerUse}
</div>
<div className="rounded-2xl bg-[#F7F8FA] px-3 py-2">
{detailCards.capabilities.items.preferredExecutionMode}
</div>
@@ -1995,7 +2012,7 @@ export function AuthForm({
}
await waitForLoginSessionReady(nativeClient);
navigateToConversations(router);
navigateAfterLogin(router);
return;
}
if (result.ok && mode === "register") {
@@ -2067,8 +2084,7 @@ export function AuthForm({
<>
<AuthCodeField label="登录验证码" value={code} onChange={setCode} onSend={sendCode} />
<div className="border-t border-[#E5E5EA] px-4 py-3 text-[12px] leading-5 text-[#57606A]">
<span className="font-semibold text-[#111111]">000000</span>{" "}
</div>
</>
) : null}
@@ -2230,7 +2246,7 @@ function Field({
export function DeviceEnrollmentBuilder() {
const [name, setName] = useState("Mac Mini");
const [avatar, setAvatar] = useState("M");
const [account, setAccount] = useState("17600003315");
const [account, setAccount] = useState("krisolo");
const [projects, setProjects] = useState("");
const [endpoint, setEndpoint] = useState("mac://new-device.local");
const [note, setNote] = useState("新设备待绑定");

118
src/components/session-management-client.tsx Normal file
View File

@@ -0,0 +1,118 @@
"use client";
import { useState } from "react";
import { useRouter } from "next/navigation";
import clsx from "clsx";
type SessionSummary = {
sessionId: string;
account: string;
role: string;
displayName: string;
loginMethod: string;
createdAt: string;
expiresAt: string;
lastSeenAt: string;
current: boolean;
};
function formatTime(value: string) {
return new Date(value).toLocaleString("zh-CN", { hour12: false });
}
export function SessionManagementClient({ initialSessions }: { initialSessions: SessionSummary[] }) {
const router = useRouter();
const [sessions, setSessions] = useState(initialSessions);
const [busySessionId, setBusySessionId] = useState("");
const [message, setMessage] = useState("");
async function refresh() {
const response = await fetch("/api/v1/auth/sessions", { cache: "no-store" });
const result = (await response.json()) as { ok: boolean; sessions?: SessionSummary[]; message?: string };
if (!response.ok || !result.ok) {
throw new Error(result.message ?? "刷新失败");
}
setSessions(result.sessions ?? []);
}
async function revoke(sessionId: string, current: boolean) {
setBusySessionId(sessionId);
setMessage("");
try {
const response = await fetch("/api/v1/auth/sessions", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ action: "revoke_session", sessionId }),
});
const result = (await response.json()) as { ok: boolean; message?: string };
if (!response.ok || !result.ok) {
throw new Error(result.message ?? "撤销失败");
}
if (current) {
router.replace("/auth/login");
router.refresh();
return;
}
await refresh();
setMessage("会话已撤销。");
} catch (error) {
setMessage(error instanceof Error ? error.message : "撤销失败");
} finally {
setBusySessionId("");
}
}
return (
<section className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<div className="text-[16px] font-semibold text-[#111111]"></div>
<div className="mt-1 text-[12px] leading-5 text-[#8C8C8C]">
</div>
<div className="mt-4 space-y-3">
{sessions.length === 0 ? (
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[13px] text-[#8C8C8C]">
</div>
) : (
sessions.map((session) => (
<div key={session.sessionId} className="rounded-2xl bg-[#F7F8FA] px-4 py-3">
<div className="flex items-start justify-between gap-3">
<div className="min-w-0">
<div className="flex items-center gap-2">
<div className="truncate text-[14px] font-semibold text-[#111111]">
{session.displayName || session.account}
</div>
{session.current ? (
<span className="rounded-full bg-[#DFF4E8] px-2 py-0.5 text-[10px] font-semibold text-[#215B39]">
</span>
) : null}
</div>
<div className="mt-1 text-[12px] leading-5 text-[#57606A]">
{session.account} · {session.loginMethod === "code" ? "验证码" : "账号密码"}
<br />
{formatTime(session.lastSeenAt)}
<br />
{formatTime(session.expiresAt)}
</div>
</div>
<button
type="button"
onClick={() => void revoke(session.sessionId, session.current)}
disabled={busySessionId === session.sessionId}
className={clsx(
"shrink-0 rounded-full px-3 py-2 text-[12px] font-semibold",
session.current ? "bg-[#FF3B30] text-white" : "bg-white text-[#FF3B30]",
)}
>
{busySessionId === session.sessionId ? "处理中" : "撤销"}
</button>
</div>
</div>
))
)}
</div>
{message ? <div className="mt-3 text-[12px] text-[#57606A]">{message}</div> : null}
</section>
);
}

466
src/components/telegram-integration-client.tsx Normal file
View File

@@ -0,0 +1,466 @@
"use client";
import { useMemo, useState } from "react";
import { useRouter } from "next/navigation";
import clsx from "clsx";
type TelegramGatewayView = {
enabled: boolean;
mode: "webhook" | "polling";
botTokenConfigured: boolean;
botUsername?: string;
dmPolicy: "allowlist" | "open" | "disabled";
allowFrom: string[];
groupPolicy: "allowlist" | "open" | "disabled";
groups: string[];
requireMentionInGroups: boolean;
defaultProjectId: string;
groupProjectRoutes: Array<{ chatId: string; threadId?: number; projectId: string; label?: string }>;
webhookSecretConfigured: boolean;
webhookUrl?: string;
lastConfiguredAt?: string;
lastConfiguredBy?: string;
lastError?: string;
processedUpdateCount: number;
};
type Draft = {
enabled: boolean;
mode: "webhook" | "polling";
botToken: string;
dmPolicy: "allowlist" | "open" | "disabled";
allowFromText: string;
groupPolicy: "allowlist" | "open" | "disabled";
groupsText: string;
requireMentionInGroups: boolean;
defaultProjectId: string;
groupProjectRoutesText: string;
webhookSecret: string;
webhookUrl: string;
};
function draftFromView(view: TelegramGatewayView): Draft {
return {
enabled: view.enabled,
mode: view.mode,
botToken: "",
dmPolicy: view.dmPolicy,
allowFromText: view.allowFrom.join("\n"),
groupPolicy: view.groupPolicy,
groupsText: view.groups.join("\n"),
requireMentionInGroups: view.requireMentionInGroups,
defaultProjectId: view.defaultProjectId,
groupProjectRoutesText: formatGroupProjectRoutes(view.groupProjectRoutes),
webhookSecret: "",
webhookUrl: view.webhookUrl ?? "",
};
}
function parseLines(value: string) {
return value
.split(/\r?\n/)
.map((item) => item.trim())
.filter(Boolean);
}
function formatGroupProjectRoutes(routes: TelegramGatewayView["groupProjectRoutes"]) {
return routes
.map((route) => {
const chatPart = route.threadId != null ? `${route.chatId}#${route.threadId}` : route.chatId;
return [chatPart, route.projectId, route.label].filter(Boolean).join(" ");
})
.join("\n");
}
function parseGroupProjectRoutes(value: string) {
return parseLines(value)
.map((line) => {
const [chatAndTopic, projectId, ...labelParts] = line.split(/\s+/);
if (!chatAndTopic || !projectId) {
return null;
}
const [chatId, threadIdRaw] = chatAndTopic.split("#");
const threadId = Number(threadIdRaw);
return {
chatId,
...(threadIdRaw && Number.isFinite(threadId) ? { threadId } : {}),
projectId,
...(labelParts.length > 0 ? { label: labelParts.join(" ") } : {}),
};
})
.filter((route): route is { chatId: string; threadId?: number; projectId: string; label?: string } =>
Boolean(route?.chatId && route.projectId),
);
}
function SectionTitle({ title, note }: { title: string; note?: string }) {
return (
<div>
<div className="text-[16px] font-semibold text-[#111111]">{title}</div>
{note ? <div className="mt-1 text-[12px] leading-5 text-[#8C8C8C]">{note}</div> : null}
</div>
);
}
function TextField({
label,
value,
onChange,
placeholder,
secret = false,
}: {
label: string;
value: string;
onChange: (value: string) => void;
placeholder?: string;
secret?: boolean;
}) {
return (
<label className="block space-y-1.5">
<div className="text-[12px] font-medium text-[#57606A]">{label}</div>
<input
type={secret ? "password" : "text"}
value={value}
onChange={(event) => onChange(event.target.value)}
placeholder={placeholder}
className="w-full rounded-2xl border border-[#E5E5EA] bg-[#F7F8FA] px-4 py-3 text-[14px] text-[#111111] outline-none transition focus:border-[#07C160] focus:bg-white"
/>
</label>
);
}
function TextAreaField({
label,
value,
onChange,
placeholder,
}: {
label: string;
value: string;
onChange: (value: string) => void;
placeholder?: string;
}) {
return (
<label className="block space-y-1.5">
<div className="text-[12px] font-medium text-[#57606A]">{label}</div>
<textarea
value={value}
onChange={(event) => onChange(event.target.value)}
placeholder={placeholder}
rows={4}
className="w-full rounded-2xl border border-[#E5E5EA] bg-[#F7F8FA] px-4 py-3 text-[14px] leading-6 text-[#111111] outline-none transition focus:border-[#07C160] focus:bg-white"
/>
</label>
);
}
function TogglePill({
active,
label,
onClick,
}: {
active: boolean;
label: string;
onClick: () => void;
}) {
return (
<button
type="button"
onClick={onClick}
className={clsx(
"rounded-full px-4 py-2 text-[13px] font-semibold transition",
active ? "bg-[#07C160] text-white" : "bg-[#F5F5F7] text-[#57606A]",
)}
>
{label}
</button>
);
}
export function TelegramIntegrationClient({ initialView }: { initialView: TelegramGatewayView }) {
const router = useRouter();
const [view, setView] = useState(initialView);
const [draft, setDraft] = useState(() => draftFromView(initialView));
const [busy, setBusy] = useState<null | "save" | "test">(null);
const [message, setMessage] = useState("");
const webhookPath = useMemo(() => "/api/v1/integrations/telegram/webhook", []);
async function submit(kind: "save" | "test") {
setBusy(kind);
setMessage("");
try {
const response = await fetch("/api/v1/integrations/telegram", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
enabled: draft.enabled,
mode: draft.mode,
botToken: draft.botToken.trim() || undefined,
dmPolicy: draft.dmPolicy,
allowFrom: parseLines(draft.allowFromText),
groupPolicy: draft.groupPolicy,
groups: parseLines(draft.groupsText),
requireMentionInGroups: draft.requireMentionInGroups,
defaultProjectId: draft.defaultProjectId.trim() || "master-agent",
groupProjectRoutes: parseGroupProjectRoutes(draft.groupProjectRoutesText),
webhookSecret: draft.webhookSecret.trim() || undefined,
webhookUrl: draft.webhookUrl.trim() || undefined,
testConnection: kind === "test",
}),
});
const result = (await response.json()) as {
ok: boolean;
message?: string;
telegram?: TelegramGatewayView;
probe?: { ok: boolean; username?: string };
};
if (!response.ok || !result.ok || !result.telegram) {
setMessage(result.message ?? "保存失败。");
return;
}
const nextView = result.telegram;
setView(nextView);
setDraft((current) => ({
...draftFromView(nextView),
botToken: "",
webhookSecret: "",
webhookUrl: current.webhookUrl,
}));
setMessage(
kind === "test"
? `连接测试通过${result.probe?.username ? `,当前 bot@${result.probe.username}` : ""}`
: "Telegram 配置已保存。",
);
router.refresh();
} catch (error) {
setMessage(error instanceof Error ? error.message : "请求失败。");
} finally {
setBusy(null);
}
}
return (
<div className="space-y-3 px-[18px] pb-6">
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<SectionTitle title="当前状态" note="当前这里只管理 Boss 作为 Telegram Bot 的接入能力。" />
<div className="mt-3 space-y-2 text-[13px] leading-6 text-[#57606A]">
<div>
<span className="font-semibold text-[#111111]">{view.enabled ? "已开启" : "已关闭"}</span>
</div>
<div>
<span className="font-semibold text-[#111111]">{view.mode === "webhook" ? "Webhook" : "Polling"}</span>
</div>
<div>
Bot Token<span className="font-semibold text-[#111111]">{view.botTokenConfigured ? "已配置" : "未配置"}</span>
</div>
<div>
Webhook Secret
<span className="font-semibold text-[#111111]">
{view.webhookSecretConfigured ? " 已配置" : " 未配置"}
</span>
</div>
<div>
<span className="font-semibold text-[#111111]">{view.defaultProjectId}</span>
</div>
<div>
update<span className="font-semibold text-[#111111]">{view.processedUpdateCount}</span>
</div>
{view.botUsername ? (
<div>
bot<span className="font-semibold text-[#111111]">@{view.botUsername}</span>
</div>
) : null}
</div>
</div>
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<SectionTitle title="接入开关" note="这里控制 Telegram 是否真正接受消息。" />
<div className="mt-3 flex flex-wrap gap-2">
<TogglePill
active={draft.enabled}
label="开启接入"
onClick={() => setDraft((current) => ({ ...current, enabled: true }))}
/>
<TogglePill
active={!draft.enabled}
label="关闭接入"
onClick={() => setDraft((current) => ({ ...current, enabled: false }))}
/>
</div>
</div>
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<SectionTitle title="Bot 配置" note="Token 和 Secret 留空时会沿用已保存值,不会被清掉。" />
<div className="mt-3 space-y-3">
<div className="flex flex-wrap gap-2">
<TogglePill
active={draft.mode === "webhook"}
label="Webhook"
onClick={() => setDraft((current) => ({ ...current, mode: "webhook" }))}
/>
<TogglePill
active={draft.mode === "polling"}
label="Polling"
onClick={() => setDraft((current) => ({ ...current, mode: "polling" }))}
/>
</div>
<TextField
label="Bot Token"
value={draft.botToken}
onChange={(value) => setDraft((current) => ({ ...current, botToken: value }))}
placeholder={view.botTokenConfigured ? "已配置,留空表示沿用当前 token" : "输入 Telegram Bot Token"}
secret
/>
<TextField
label="Webhook Secret"
value={draft.webhookSecret}
onChange={(value) => setDraft((current) => ({ ...current, webhookSecret: value }))}
placeholder={
view.webhookSecretConfigured ? "已配置,留空表示沿用当前 secret" : "建议配置一个 webhook secret"
}
secret
/>
<TextField
label="Webhook URL可选"
value={draft.webhookUrl}
onChange={(value) => setDraft((current) => ({ ...current, webhookUrl: value }))}
placeholder="例如 https://boss.hyzq.net/api/v1/integrations/telegram/webhook"
/>
<TextField
label="默认路由项目"
value={draft.defaultProjectId}
onChange={(value) => setDraft((current) => ({ ...current, defaultProjectId: value }))}
placeholder="默认 master-agent"
/>
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[12px] leading-6 text-[#57606A]">
webhook <span className="font-semibold text-[#111111]">{webhookPath}</span>
<br />
URL `域名 + {webhookPath}`
</div>
</div>
</div>
<div className="rounded-2xl border border-[#E5E5EA] bg-white px-4 py-4">
<SectionTitle title="访问控制" note="支持私聊 allowlist 和群白名单,默认优先安全。" />
<div className="mt-3 space-y-3">
<div>
<div className="mb-2 text-[12px] font-medium text-[#57606A]"></div>
<div className="flex flex-wrap gap-2">
<TogglePill
active={draft.dmPolicy === "allowlist"}
label="Allowlist"
onClick={() => setDraft((current) => ({ ...current, dmPolicy: "allowlist" }))}
/>
<TogglePill
active={draft.dmPolicy === "open"}
label="开放"
onClick={() => setDraft((current) => ({ ...current, dmPolicy: "open" }))}
/>
<TogglePill
active={draft.dmPolicy === "disabled"}
label="关闭"
onClick={() => setDraft((current) => ({ ...current, dmPolicy: "disabled" }))}
/>
</div>
</div>
<TextAreaField
label="允许私聊的 Telegram 用户 ID每行一个"
value={draft.allowFromText}
onChange={(value) => setDraft((current) => ({ ...current, allowFromText: value }))}
placeholder={"123456789\n987654321"}
/>
<div>
<div className="mb-2 text-[12px] font-medium text-[#57606A]"></div>
<div className="flex flex-wrap gap-2">
<TogglePill
active={draft.groupPolicy === "allowlist"}
label="白名单"
onClick={() => setDraft((current) => ({ ...current, groupPolicy: "allowlist" }))}
/>
<TogglePill
active={draft.groupPolicy === "open"}
label="开放"
onClick={() => setDraft((current) => ({ ...current, groupPolicy: "open" }))}
/>
<TogglePill
active={draft.groupPolicy === "disabled"}
label="关闭"
onClick={() => setDraft((current) => ({ ...current, groupPolicy: "disabled" }))}
/>
</div>
</div>
<TextAreaField
label="允许的群 chat ID每行一个"
value={draft.groupsText}
onChange={(value) => setDraft((current) => ({ ...current, groupsText: value }))}
placeholder={"-1001234567890\n-1009876543210"}
/>
<TextAreaField
label="群 / Topic 路由到 Boss 项目"
value={draft.groupProjectRoutesText}
onChange={(value) => setDraft((current) => ({ ...current, groupProjectRoutesText: value }))}
placeholder={"-1001234567890 audit-collab 审计群\n-1001234567890#12 master-agent 主控 Topic"}
/>
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[12px] leading-6 text-[#57606A]">
<span className="font-semibold text-[#111111]">chatId[#topicId] projectId </span>
</div>
<div className="flex flex-wrap gap-2">
<TogglePill
active={draft.requireMentionInGroups}
label="群聊需 @Bot"
onClick={() => setDraft((current) => ({ ...current, requireMentionInGroups: true }))}
/>
<TogglePill
active={!draft.requireMentionInGroups}
label="群聊免 @"
onClick={() => setDraft((current) => ({ ...current, requireMentionInGroups: false }))}
/>
</div>
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[12px] leading-6 text-[#57606A]">
<span className="font-semibold text-[#111111]">@Bot</span> Bot Agent
</div>
</div>
</div>
<div className="grid grid-cols-2 gap-3">
<button
type="button"
disabled={busy !== null}
onClick={() => void submit("test")}
className="rounded-full border border-[#E5E5EA] bg-white px-4 py-3 text-[14px] font-semibold text-[#111111] disabled:opacity-60"
>
{busy === "test" ? "测试中" : "测试连接"}
</button>
<button
type="button"
disabled={busy !== null}
onClick={() => void submit("save")}
className="rounded-full bg-[#07C160] px-4 py-3 text-[14px] font-semibold text-white disabled:opacity-60"
>
{busy === "save" ? "保存中" : "保存配置"}
</button>
</div>
{message ? (
<div className="rounded-2xl bg-[#F7F8FA] px-4 py-3 text-[12px] leading-6 text-[#57606A]">
{message}
</div>
) : null}
{view.lastError ? (
<div className="rounded-2xl border border-[#FFD6D6] bg-[#FFF5F5] px-4 py-3 text-[12px] leading-6 text-[#B42318]">
{view.lastError}
</div>
) : null}
</div>
);
}

43
src/lib/boss-access-templates.ts Normal file
View File

@@ -0,0 +1,43 @@
import type { BossPermission } from "@/lib/boss-data";
export const BOSS_PERMISSION_TEMPLATES = [
{
templateId: "viewer",
name: "只读观察员",
description: "只能查看授权设备、项目和 Skill不允许聊天、接管或电脑控制。",
devicePermissions: ["device.view"],
projectPermissions: ["project.view"],
skillPermissions: ["skill.view"],
},
{
templateId: "developer",
name: "项目开发者",
description: "允许查看设备、参与项目聊天、问询主 Agent并调用已分配 Skill。",
devicePermissions: ["device.view"],
projectPermissions: ["project.view", "thread.chat", "master_agent.ask"],
skillPermissions: ["skill.view", "skill.use"],
},
{
templateId: "operator",
name: "设备操作者",
description: "允许项目聊天、主 Agent 接管、电脑控制和 Skill 调用,用于可信协作者。",
devicePermissions: ["device.view", "computer.control"],
projectPermissions: [
"project.view",
"thread.chat",
"master_agent.ask",
"master_agent.takeover",
"computer.control",
],
skillPermissions: ["skill.view", "skill.use"],
},
] satisfies Array<{
templateId: string;
name: string;
description: string;
devicePermissions: BossPermission[];
projectPermissions: BossPermission[];
skillPermissions: BossPermission[];
}>;
export type BossPermissionTemplate = (typeof BOSS_PERMISSION_TEMPLATES)[number];

132
src/lib/boss-admin-notification-delivery.ts Normal file
View File

@@ -0,0 +1,132 @@
import type { AdminCompany, AdminNotification, AuthAccount, BossState } from "@/lib/boss-data";
import { deliverAdminPlainEmail } from "@/lib/boss-mail";
export type AdminNotificationDeliveryStatus = "pending" | "sent" | "failed" | "disabled";
export interface AdminNotificationDeliveryResult {
notificationId: string;
status: AdminNotificationDeliveryStatus;
target: string;
message: string;
deliveredAt: string;
}
function splitRecipients(value?: string) {
return (value ?? "")
.split(/[,\s;]+/)
.map((item) => item.trim())
.filter(Boolean);
}
function isEmail(value?: string) {
return Boolean(value && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value));
}
function emailAccount(account?: AuthAccount) {
if (!account) return undefined;
if (isEmail(account.verificationEmail)) return account.verificationEmail;
if (isEmail(account.account)) return account.account;
return undefined;
}
function companyForNotification(state: BossState, notification: AdminNotification) {
return state.adminCompanies.find((company) => company.companyId === notification.companyId);
}
function accountById(state: BossState, account?: string) {
if (!account) return undefined;
return state.authAccounts.find((item) => item.account === account);
}
function companyAdminRecipients(state: BossState, companyId: string) {
return state.authAccounts
.filter((account) => account.companyId === companyId && (account.role === "admin" || account.role === "highest_admin"))
.map(emailAccount)
.filter((value): value is string => Boolean(value));
}
export function resolveAdminNotificationRecipients(
state: BossState,
notification: AdminNotification,
) {
const company = companyForNotification(state, notification);
const recipients = [
emailAccount(accountById(state, company?.ownerAccount)),
emailAccount(accountById(state, company?.successOwnerAccount)),
...companyAdminRecipients(state, notification.companyId),
...splitRecipients(process.env.BOSS_ADMIN_NOTIFICATION_RECIPIENTS),
].filter((value): value is string => Boolean(value));
return [...new Set(recipients)];
}
function companyLabel(company?: AdminCompany) {
return company?.name || company?.companyId || "未归属公司";
}
export function buildAdminNotificationEmail(
state: BossState,
notification: AdminNotification,
) {
const company = companyForNotification(state, notification);
return {
subject: `[Boss 风险提醒] ${notification.title}`,
body: [
`公司:${companyLabel(company)}`,
`风险:${notification.riskId}`,
`级别:${notification.severity}`,
`标题:${notification.title}`,
"",
notification.body,
"",
"请登录 Boss 管理后台查看风险详情、分派负责人或更新 SLA。",
].join("\n"),
};
}
export async function deliverAdminNotification(
state: BossState,
notification: AdminNotification,
deliveredAt = new Date().toISOString(),
): Promise<AdminNotificationDeliveryResult> {
const recipients = resolveAdminNotificationRecipients(state, notification);
const target = recipients.join(",");
const mode = process.env.BOSS_ADMIN_NOTIFICATION_MODE?.trim().toLowerCase() || "disabled";
if (mode !== "email") {
return {
notificationId: notification.notificationId,
status: "disabled",
target,
deliveredAt,
message: "ADMIN_NOTIFICATION_EMAIL_DISABLED",
};
}
if (recipients.length === 0) {
return {
notificationId: notification.notificationId,
status: "failed",
target,
deliveredAt,
message: "ADMIN_NOTIFICATION_RECIPIENT_REQUIRED",
};
}
const email = buildAdminNotificationEmail(state, notification);
const results = await Promise.all(
recipients.map((recipient) =>
deliverAdminPlainEmail({
recipient,
subject: email.subject,
body: email.body,
}),
),
);
const failed = results.find((result) => !result.delivered);
return {
notificationId: notification.notificationId,
status: failed ? "failed" : "sent",
target,
deliveredAt,
message: failed?.message ?? "ADMIN_NOTIFICATION_EMAIL_SENT",
};
}

306
src/lib/boss-admin-overview.ts Normal file
View File

@@ -0,0 +1,306 @@
import type { AuthAccount, BossState, Device, OpsSeverity } from "@/lib/boss-data";
export type AdminRiskSeverity = OpsSeverity;
export interface AdminRiskItem {
riskId: string;
severity: AdminRiskSeverity;
kind: "device_offline" | "ops_fault" | "thread_context_alert" | "master_agent_task_failed";
title: string;
detail: string;
companyId: string;
deviceId?: string;
projectId?: string;
ownerAccount?: string;
slaDueAt?: string;
lastSeenAt: string;
}
function fallbackCompanyIdForAccount(account?: string) {
const normalized = account?.trim().toLowerCase() ?? "";
const domain = normalized.includes("@") ? normalized.split("@").at(-1)?.trim() : "";
return domain || "default";
}
function companyIdForAccount(account: AuthAccount) {
return account.companyId || fallbackCompanyIdForAccount(account.account);
}
function companyName(companyNames: Map<string, string>, companyId: string) {
return companyNames.get(companyId) ?? (companyId === "default" ? "默认公司" : companyId);
}
function publicAccount(account: AuthAccount, companyNames: Map<string, string>) {
const companyId = companyIdForAccount(account);
return {
account: account.account,
displayName: account.displayName,
role: account.role,
status: account.status,
companyId,
companyName: companyName(companyNames, companyId),
createdAt: account.createdAt,
updatedAt: account.updatedAt,
lastLoginAt: account.lastLoginAt,
primaryDeviceId: account.primaryDeviceId,
};
}
function deviceCompanyId(state: BossState, device?: Pick<Device, "account" | "companyId"> | null) {
if (device?.companyId) return device.companyId;
const owner = state.authAccounts.find((account) => account.account === device?.account);
return owner ? companyIdForAccount(owner) : fallbackCompanyIdForAccount(device?.account);
}
function projectPrimaryDeviceId(state: BossState, projectId?: string) {
if (!projectId) return undefined;
return state.projects.find((project) => project.id === projectId)?.deviceIds[0];
}
function deviceForRisk(state: BossState, deviceId?: string, projectId?: string) {
const resolvedDeviceId = deviceId || projectPrimaryDeviceId(state, projectId);
return state.devices.find((device) => device.id === resolvedDeviceId) ?? null;
}
function severityRank(severity: AdminRiskSeverity) {
switch (severity) {
case "critical":
return 3;
case "warning":
return 2;
default:
return 1;
}
}
function isExpired(expiresAt?: string) {
return Boolean(expiresAt && new Date(expiresAt).getTime() <= Date.now());
}
function newerRisk(left: AdminRiskItem, right: AdminRiskItem) {
return left.lastSeenAt.localeCompare(right.lastSeenAt) >= 0 ? left : right;
}
function buildRisks(state: BossState): AdminRiskItem[] {
const risks: AdminRiskItem[] = [];
for (const device of state.devices) {
if (device.status === "online") continue;
risks.push({
riskId: `device-offline:${device.id}`,
severity: "warning",
kind: "device_offline",
title: `设备离线:${device.name}`,
detail: `${device.name} 最近心跳时间为 ${device.lastSeenAt}`,
companyId: deviceCompanyId(state, device),
deviceId: device.id,
lastSeenAt: device.lastSeenAt,
});
}
for (const fault of state.opsFaults) {
if (fault.status === "resolved") continue;
const device = deviceForRisk(state, fault.nodeId, fault.projectId);
risks.push({
riskId: `ops-fault:${fault.faultId}`,
severity: fault.severity,
kind: "ops_fault",
title: fault.faultKey,
detail: fault.summary || fault.suggestedNextAction,
companyId: deviceCompanyId(state, device),
deviceId: fault.nodeId,
projectId: fault.projectId,
ownerAccount: fault.ownerAccount,
slaDueAt: fault.slaDueAt,
lastSeenAt: fault.lastSeenAt,
});
}
for (const alert of state.threadContextAlerts) {
if (alert.alertStatus === "resolved") continue;
const device = deviceForRisk(state, undefined, alert.projectId);
risks.push({
riskId: `thread-alert:${alert.alertId}`,
severity: alert.alertType === "context_critical" ? "critical" : "warning",
kind: "thread_context_alert",
title: "线程上下文风险",
detail: alert.summary,
companyId: deviceCompanyId(state, device),
deviceId: device?.id,
projectId: alert.projectId,
ownerAccount: alert.ownerAccount,
slaDueAt: alert.slaDueAt,
lastSeenAt: alert.openedAt,
});
}
const failedMasterTaskRisks = new Map<string, { risk: AdminRiskItem; count: number }>();
for (const task of state.masterAgentTasks) {
if (task.status !== "failed") continue;
const device = deviceForRisk(state, task.deviceId, task.projectId);
const groupKey = [
task.deviceId || "unknown-device",
task.projectId || "unknown-project",
task.taskType,
task.errorMessage || "MASTER_AGENT_TASK_FAILED",
].join(":");
const risk: AdminRiskItem = {
riskId: `master-task:${task.taskId}`,
severity: "warning",
kind: "master_agent_task_failed",
title: "主 Agent 任务失败",
detail: task.errorMessage || task.requestText || "主 Agent 任务执行失败",
companyId: deviceCompanyId(state, device),
deviceId: task.deviceId,
projectId: task.projectId,
lastSeenAt: task.completedAt || task.requestedAt,
};
const existing = failedMasterTaskRisks.get(groupKey);
if (!existing) {
failedMasterTaskRisks.set(groupKey, { risk, count: 1 });
continue;
}
failedMasterTaskRisks.set(groupKey, {
risk: newerRisk(existing.risk, risk),
count: existing.count + 1,
});
}
for (const { risk, count } of failedMasterTaskRisks.values()) {
risks.push({
...risk,
detail: count > 1 ? `${risk.detail};已折叠 ${count - 1} 条同类失败。` : risk.detail,
});
}
return risks.sort((left, right) => {
const severityDiff = severityRank(right.severity) - severityRank(left.severity);
return severityDiff || right.lastSeenAt.localeCompare(left.lastSeenAt);
});
}
export function buildAdminOverview(state: BossState) {
const risks = buildRisks(state);
const companyNames = new Map(
state.adminCompanies.map((company) => [
company.companyId,
company.name || (company.companyId === "default" ? "默认公司" : company.companyId),
]),
);
const risksByCompany = new Map<string, number>();
const risksByDevice = new Map<string, number>();
for (const risk of risks) {
risksByCompany.set(risk.companyId, (risksByCompany.get(risk.companyId) ?? 0) + 1);
if (risk.deviceId) {
risksByDevice.set(risk.deviceId, (risksByDevice.get(risk.deviceId) ?? 0) + 1);
}
}
const companyMap = new Map<string, {
companyId: string;
name: string;
ownerAccount?: string;
successOwnerAccount?: string;
planTier?: string;
contractExpiresAt?: string;
status?: string;
accountCount: number;
adminCount: number;
deviceCount: number;
onlineDeviceCount: number;
openRiskCount: number;
}>();
const ensureCompany = (companyId: string) => {
const existing = companyMap.get(companyId);
if (existing) return existing;
const configured = state.adminCompanies.find((company) => company.companyId === companyId);
const company = {
companyId,
name: companyName(companyNames, companyId),
ownerAccount: configured?.ownerAccount,
successOwnerAccount: configured?.successOwnerAccount,
planTier: configured?.planTier,
contractExpiresAt: configured?.contractExpiresAt,
status: configured?.status,
accountCount: 0,
adminCount: 0,
deviceCount: 0,
onlineDeviceCount: 0,
openRiskCount: risksByCompany.get(companyId) ?? 0,
};
companyMap.set(companyId, company);
return company;
};
for (const company of state.adminCompanies) {
ensureCompany(company.companyId);
}
for (const account of state.authAccounts) {
const company = ensureCompany(companyIdForAccount(account));
company.accountCount += 1;
if (account.role === "admin" || account.role === "highest_admin") {
company.adminCount += 1;
}
}
for (const device of state.devices) {
const company = ensureCompany(deviceCompanyId(state, device));
company.deviceCount += 1;
if (device.status === "online") {
company.onlineDeviceCount += 1;
}
}
const devices = state.devices.map((device) => ({
companyId: deviceCompanyId(state, device),
companyName: companyName(companyNames, deviceCompanyId(state, device)),
id: device.id,
name: device.name,
account: device.account,
status: device.status,
lastSeenAt: device.lastSeenAt,
preferredExecutionMode: device.preferredExecutionMode,
projectCount: device.projects.length,
codexGuiOnline: Boolean(device.capabilities?.gui.connected),
codexCliOnline: Boolean(device.capabilities?.cli.connected),
openRiskCount: risksByDevice.get(device.id) ?? 0,
}));
const expiredGrants = [
...state.accountDeviceGrants,
...state.accountProjectGrants,
...state.accountSkillGrants,
].filter((grant) => isExpired(grant.expiresAt)).length;
const notifications = state.adminNotifications
.filter((notification) => notification.status === "open")
.sort((left, right) => right.createdAt.localeCompare(left.createdAt))
.slice(0, 20);
return {
summary: {
companies: companyMap.size,
accounts: state.authAccounts.length,
devices: state.devices.length,
onlineDevices: state.devices.filter((device) => device.status === "online").length,
openRisks: risks.length,
openNotifications: notifications.length,
criticalRisks: risks.filter((risk) => risk.severity === "critical").length,
},
companies: [...companyMap.values()].sort((left, right) =>
right.openRiskCount - left.openRiskCount || left.name.localeCompare(right.name, "zh-CN"),
),
accounts: state.authAccounts.map((account) => publicAccount(account, companyNames)),
devices,
risks,
notifications,
riskTimeline: state.adminRiskTimeline
.slice()
.sort((left, right) => right.createdAt.localeCompare(left.createdAt))
.slice(0, 50),
grantsSummary: {
deviceGrants: state.accountDeviceGrants.length,
projectGrants: state.accountProjectGrants.length,
skillGrants: state.accountSkillGrants.length,
expiredGrants,
},
};
}

36
src/lib/boss-attachment-access.ts
View File

@@ -1,38 +1,10 @@
import type { AuthSession, BossState, Project } from "@/lib/boss-data";
function getAccountOwnedDeviceIds(state: BossState, account: string) {
return new Set(
state.devices
.filter((device) => device.account === account)
.map((device) => device.id),
);
}
import { canAccessProject } from "@/lib/boss-permissions";
export function canSessionAccessAttachmentProject(
state: BossState,
session: Pick<AuthSession, "account" | "role">,
project: Pick<Project, "deviceIds" | "groupMembers">,
session: Pick<AuthSession, "account" | "role" | "displayName">,
project: Pick<Project, "id" | "deviceIds" | "groupMembers">,
) {
if (session.role === "highest_admin") {
return true;
}
const ownedDeviceIds = getAccountOwnedDeviceIds(state, session.account);
if (ownedDeviceIds.size === 0) {
return false;
}
for (const deviceId of project.deviceIds) {
if (ownedDeviceIds.has(deviceId)) {
return true;
}
}
for (const member of project.groupMembers) {
if (ownedDeviceIds.has(member.deviceId)) {
return true;
}
}
return false;
return canAccessProject(state, session, project.id, "project.view");
}

268
src/lib/boss-audit.ts Normal file
View File

@@ -0,0 +1,268 @@
import type { BossState, PermissionAuditLog } from "@/lib/boss-data";
import type { NextRequest } from "next/server";
export interface PermissionAuditQuery {
action?: string;
actorAccount?: string;
targetAccount?: string;
deviceId?: string;
projectId?: string;
skillId?: string;
cursor?: string;
limit?: number;
}
export interface PermissionAuditRiskAlert {
kind:
| "rapid_permission_grants"
| "skill_lifecycle_failed"
| "expired_grant_present"
| "admin_route_denied";
severity: "medium" | "high";
title: string;
detail: string;
count: number;
auditIds: string[];
targetAccount?: string;
actorAccount?: string;
deviceId?: string;
projectId?: string;
skillId?: string;
}
const DEFAULT_LIMIT = 50;
const MAX_LIMIT = 200;
const RAPID_GRANT_WINDOW_MS = 10 * 60 * 1000;
const RAPID_GRANT_THRESHOLD = 5;
export function buildRequestAuditMeta(request: NextRequest) {
const forwardedFor = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim();
const realIp = request.headers.get("x-real-ip")?.trim();
return {
ipAddress: forwardedFor || realIp || undefined,
userAgent: nonEmpty(request.headers.get("user-agent")),
requestId: nonEmpty(request.headers.get("x-request-id")) ?? nonEmpty(request.headers.get("x-correlation-id")),
};
}
function nonEmpty(value?: string | null) {
const trimmed = value?.trim();
return trimmed ? trimmed : undefined;
}
function timestampMs(value?: string) {
const parsed = value ? Date.parse(value) : Number.NaN;
return Number.isFinite(parsed) ? parsed : 0;
}
function newestFirst(logs: PermissionAuditLog[]) {
return [...logs].sort((left, right) => {
const byTime = timestampMs(right.createdAt) - timestampMs(left.createdAt);
return byTime || right.auditId.localeCompare(left.auditId);
});
}
function normalizedLimit(limit?: number) {
if (!Number.isFinite(limit ?? Number.NaN)) {
return DEFAULT_LIMIT;
}
return Math.min(Math.max(Math.trunc(limit ?? DEFAULT_LIMIT), 1), MAX_LIMIT);
}
function matchesQuery(log: PermissionAuditLog, query: PermissionAuditQuery) {
return (
(!query.action || log.action === query.action) &&
(!query.actorAccount || log.actorAccount === query.actorAccount) &&
(!query.targetAccount || log.targetAccount === query.targetAccount) &&
(!query.deviceId || log.deviceId === query.deviceId) &&
(!query.projectId || log.projectId === query.projectId) &&
(!query.skillId || log.skillId === query.skillId)
);
}
export function queryPermissionAuditLogs(logs: PermissionAuditLog[], query: PermissionAuditQuery) {
const filtered = newestFirst(logs).filter((log) => matchesQuery(log, query));
const startIndex = query.cursor ? filtered.findIndex((log) => log.auditId === query.cursor) + 1 : 0;
const safeStart = startIndex > 0 ? startIndex : 0;
const page = filtered.slice(safeStart, safeStart + normalizedLimit(query.limit));
const nextCursor = safeStart + page.length < filtered.length ? page.at(-1)?.auditId ?? null : null;
return {
logs: page,
nextCursor,
total: filtered.length,
};
}
function knownReferenceNow(state: BossState) {
const candidates = [
Date.now(),
...state.permissionAuditLogs.map((log) => timestampMs(log.createdAt)),
...state.accountDeviceGrants.map((grant) => timestampMs(grant.expiresAt)),
...state.accountProjectGrants.map((grant) => timestampMs(grant.expiresAt)),
...state.accountSkillGrants.map((grant) => timestampMs(grant.expiresAt)),
];
return Math.max(...candidates);
}
function isGrantLike(log: PermissionAuditLog) {
return log.action === "grant.created" || log.action === "grant.updated" || log.action === "skill.assigned";
}
function detectRapidGrants(logs: PermissionAuditLog[]): PermissionAuditRiskAlert[] {
const groups = new Map<string, PermissionAuditLog[]>();
for (const log of logs.filter(isGrantLike)) {
const key = `${log.actorAccount}\u0000${log.targetAccount ?? ""}`;
groups.set(key, [...(groups.get(key) ?? []), log]);
}
const alerts: PermissionAuditRiskAlert[] = [];
for (const groupLogs of groups.values()) {
const ordered = newestFirst(groupLogs).reverse();
for (let index = 0; index < ordered.length; index += 1) {
const windowStart = timestampMs(ordered[index]?.createdAt);
const windowLogs = ordered.filter((log) => {
const createdAt = timestampMs(log.createdAt);
return createdAt >= windowStart && createdAt <= windowStart + RAPID_GRANT_WINDOW_MS;
});
if (windowLogs.length >= RAPID_GRANT_THRESHOLD) {
const sample = windowLogs.at(0);
alerts.push({
kind: "rapid_permission_grants",
severity: "high",
title: "短时间大量授权",
detail: `${windowLogs.length} 条授权类审计在 10 分钟内集中发生`,
count: windowLogs.length,
auditIds: newestFirst(windowLogs).map((log) => log.auditId),
actorAccount: sample?.actorAccount,
targetAccount: sample?.targetAccount,
});
break;
}
}
}
return alerts;
}
function detectSkillLifecycleFailures(logs: PermissionAuditLog[]): PermissionAuditRiskAlert[] {
return logs
.filter((log) =>
(log.action as string) === "skill.lifecycle.failed" ||
(log.action === "skill.lifecycle.completed" && /\bfailed\b/i.test(log.detail ?? "")),
)
.map((log) => ({
kind: "skill_lifecycle_failed" as const,
severity: "high" as const,
title: "Skill lifecycle 执行失败",
detail: log.detail ?? "skill lifecycle failed",
count: 1,
auditIds: [log.auditId],
actorAccount: log.actorAccount,
deviceId: log.deviceId,
skillId: log.skillId,
}));
}
function detectDeniedAdminRoutes(logs: PermissionAuditLog[]): PermissionAuditRiskAlert[] {
return logs
.filter((log) => log.action === "task.denied" && /admin[_ -]?route|\/api\/v1\/admin\//i.test(log.detail ?? ""))
.map((log) => ({
kind: "admin_route_denied" as const,
severity: "medium" as const,
title: "非最高管理员访问管理入口被拒",
detail: log.detail ?? "admin route denied",
count: 1,
auditIds: [log.auditId],
actorAccount: log.actorAccount,
targetAccount: log.targetAccount,
deviceId: log.deviceId,
projectId: log.projectId,
}));
}
function detectExpiredGrants(state: BossState): PermissionAuditRiskAlert[] {
const now = knownReferenceNow(state);
const alerts: PermissionAuditRiskAlert[] = [];
for (const grant of state.accountDeviceGrants) {
if (grant.expiresAt && timestampMs(grant.expiresAt) < now) {
alerts.push({
kind: "expired_grant_present",
severity: "high",
title: "过期设备授权仍存在",
detail: `${grant.account} -> ${grant.deviceId} 已于 ${grant.expiresAt} 过期`,
count: 1,
auditIds: [],
targetAccount: grant.account,
actorAccount: grant.grantedBy,
deviceId: grant.deviceId,
});
}
}
for (const grant of state.accountProjectGrants) {
if (grant.expiresAt && timestampMs(grant.expiresAt) < now) {
alerts.push({
kind: "expired_grant_present",
severity: "high",
title: "过期项目授权仍存在",
detail: `${grant.account} -> ${grant.projectId} 已于 ${grant.expiresAt} 过期`,
count: 1,
auditIds: [],
targetAccount: grant.account,
actorAccount: grant.grantedBy,
deviceId: grant.deviceId,
projectId: grant.projectId,
});
}
}
for (const grant of state.accountSkillGrants) {
if (grant.expiresAt && timestampMs(grant.expiresAt) < now) {
alerts.push({
kind: "expired_grant_present",
severity: "high",
title: "过期 Skill 授权仍存在",
detail: `${grant.account} -> ${grant.skillId} 已于 ${grant.expiresAt} 过期`,
count: 1,
auditIds: [],
targetAccount: grant.account,
actorAccount: grant.grantedBy,
deviceId: grant.deviceId,
projectId: grant.projectId,
skillId: grant.skillId,
});
}
}
return alerts;
}
export function summarizePermissionAuditRisks(state: BossState) {
const logs = newestFirst(state.permissionAuditLogs);
const alerts = [
...detectRapidGrants(logs),
...detectSkillLifecycleFailures(logs),
...detectExpiredGrants(state),
...detectDeniedAdminRoutes(logs),
].sort((left, right) => {
const severityDelta = (right.severity === "high" ? 1 : 0) - (left.severity === "high" ? 1 : 0);
return severityDelta || left.kind.localeCompare(right.kind);
});
return {
totalAlerts: alerts.length,
highAlerts: alerts.filter((alert) => alert.severity === "high").length,
mediumAlerts: alerts.filter((alert) => alert.severity === "medium").length,
alerts,
};
}
export function permissionAuditQueryFromSearchParams(searchParams: URLSearchParams): PermissionAuditQuery {
const limit = Number(searchParams.get("limit"));
return {
action: nonEmpty(searchParams.get("action")),
actorAccount: nonEmpty(searchParams.get("actorAccount")),
targetAccount: nonEmpty(searchParams.get("targetAccount")),
deviceId: nonEmpty(searchParams.get("deviceId")),
projectId: nonEmpty(searchParams.get("projectId")),
skillId: nonEmpty(searchParams.get("skillId")),
cursor: nonEmpty(searchParams.get("cursor")),
limit: Number.isFinite(limit) ? limit : undefined,
};
}

116
src/lib/boss-capability-groups.ts Normal file
View File

@@ -0,0 +1,116 @@
export type BossCapabilityGroupId =
| "computer_control"
| "codex_development"
| "browser_automation"
| "skill_operations"
| "admin_ops";
export type BossCapabilityGroup = {
id: BossCapabilityGroupId;
label: string;
requiredPermissions: string[];
allowedSkillIds: string[];
requiredDeviceScopes: string[];
};
export type BossCapabilityDecisionReason =
| "allowed"
| "unknown_group"
| "permission_missing"
| "skill_scope_missing"
| "device_scope_missing";
export type BossCapabilityDecision = {
allowed: boolean;
reason: BossCapabilityDecisionReason;
group?: BossCapabilityGroup;
missing?: string[];
};
export const DEFAULT_CAPABILITY_GROUPS: BossCapabilityGroup[] = [
{
id: "computer_control",
label: "Computer Control",
requiredPermissions: ["computer.control"],
allowedSkillIds: ["computer-use:computer-use", "computer-use"],
requiredDeviceScopes: ["computerUse"],
},
{
id: "codex_development",
label: "Codex Development",
requiredPermissions: ["thread.chat", "master_agent.takeover"],
allowedSkillIds: ["codex", "github:github", "github:yeet"],
requiredDeviceScopes: ["codexCli"],
},
{
id: "browser_automation",
label: "Browser Automation",
requiredPermissions: ["computer.control"],
allowedSkillIds: ["browser-use:browser", "playwright"],
requiredDeviceScopes: ["browserAutomation"],
},
{
id: "skill_operations",
label: "Skill Operations",
requiredPermissions: ["skill.use"],
allowedSkillIds: ["skill-installer", "skill-creator", "writing-skills"],
requiredDeviceScopes: ["skillLifecycle"],
},
{
id: "admin_ops",
label: "Admin Operations",
requiredPermissions: ["admin.manage"],
allowedSkillIds: ["boss-server-debug", "gitea-version-upload"],
requiredDeviceScopes: ["adminOps"],
},
];
export function canUseCapabilityGroup(input: {
groupId: string;
accountPermissions: string[];
skillIds: string[];
deviceScopes: string[];
requestedSkillId?: string;
requestedDeviceScope?: string;
groups?: BossCapabilityGroup[];
}): BossCapabilityDecision {
const groups = input.groups ?? DEFAULT_CAPABILITY_GROUPS;
const group = groups.find((candidate) => candidate.id === input.groupId);
if (!group) {
return { allowed: false, reason: "unknown_group" };
}
const missingPermissions = group.requiredPermissions.filter(
(permission) => !input.accountPermissions.includes(permission),
);
if (missingPermissions.length > 0) {
return { allowed: false, reason: "permission_missing", group, missing: missingPermissions };
}
if (input.requestedSkillId) {
const skillAllowedByGroup = group.allowedSkillIds.includes(input.requestedSkillId);
const skillAllowedByAccount = input.skillIds.includes(input.requestedSkillId);
if (!skillAllowedByGroup || !skillAllowedByAccount) {
return { allowed: false, reason: "skill_scope_missing", group, missing: [input.requestedSkillId] };
}
}
const requestedDeviceScope = input.requestedDeviceScope ?? group.requiredDeviceScopes[0];
if (requestedDeviceScope) {
const scopeAllowedByGroup = group.requiredDeviceScopes.includes(requestedDeviceScope);
const scopeAllowedByDevice = input.deviceScopes.includes(requestedDeviceScope);
if (!scopeAllowedByGroup || !scopeAllowedByDevice) {
return { allowed: false, reason: "device_scope_missing", group, missing: [requestedDeviceScope] };
}
}
return { allowed: true, reason: "allowed", group };
}
export function explainCapabilityGroupDecision(decision: BossCapabilityDecision): string {
if (decision.allowed) {
return `${decision.group?.id ?? "capability"} allowed`;
}
const missing = decision.missing?.length ? `: ${decision.missing.join(", ")}` : "";
return `${decision.group?.id ?? "capability"} denied: ${decision.reason}${missing}`;
}

36
src/lib/boss-csrf.ts Normal file
View File

@@ -0,0 +1,36 @@
import type { NextRequest } from "next/server";
import { NextResponse } from "next/server";
function expectedOrigin(request: NextRequest) {
const host = request.headers.get("x-forwarded-host") || request.headers.get("host") || request.nextUrl.host;
const proto = request.headers.get("x-forwarded-proto") || request.nextUrl.protocol.replace(":", "") || "http";
return `${proto}://${host}`;
}
export function csrfFailureResponse() {
return NextResponse.json({ ok: false, message: "CSRF_CHECK_FAILED" }, { status: 403 });
}
export function requireCsrfSafeMutation(request: NextRequest) {
if (request.method === "GET" || request.method === "HEAD" || request.method === "OPTIONS") {
return null;
}
if (request.headers.get("x-boss-native-app") === "1") {
return null;
}
const fetchSite = request.headers.get("sec-fetch-site")?.toLowerCase();
if (fetchSite === "cross-site") {
return csrfFailureResponse();
}
const origin = request.headers.get("origin");
if (!origin) {
return null;
}
if (origin !== expectedOrigin(request)) {
return csrfFailureResponse();
}
return null;
}

3619
src/lib/boss-data.ts
View File

File diff suppressed because it is too large Load Diff

19
src/lib/boss-device-auth.ts
View File

@@ -1,6 +1,7 @@
import type { NextRequest } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getDevice, verifyDeviceToken } from "@/lib/boss-data";
import { getDevice, readState, verifyDeviceToken } from "@/lib/boss-data";
import { canAccessDevice } from "@/lib/boss-permissions";
export async function authorizeDeviceWriteRequest(
request: NextRequest,
@@ -9,7 +10,18 @@ export async function authorizeDeviceWriteRequest(
const device = await getDevice(deviceId);
const session = await requireRequestSession(request);
if (device && session && (session.role === "highest_admin" || device.account === session.account)) {
if (device && session) {
const state = await readState();
if (canAccessDevice(state, session, deviceId, "device.manage")) {
return {
ok: true as const,
device,
principal: "session" as const,
};
}
}
if (device && session && session.role === "highest_admin") {
return {
ok: true as const,
device,
@@ -58,7 +70,8 @@ export async function authorizeDeviceSessionRequest(
};
}
if (session.role === "highest_admin" || device.account === session.account) {
const state = await readState();
if (canAccessDevice(state, session, deviceId, "device.view")) {
return {
ok: true as const,
status: 200 as const,

151
src/lib/boss-device-trust.ts Normal file
View File

@@ -0,0 +1,151 @@
export type BossDeviceTrustTier = "untrusted" | "paired" | "verified" | "managed" | "federated";
export type BossDeviceTrustProfile = {
deviceId: string;
trustTier: BossDeviceTrustTier;
publicKeyFingerprint: string;
maxMessageBudget: number;
maxHopCount: number;
allowedCapabilities: string[];
};
export type BossDeviceTrustDecisionReason =
| "allowed"
| "device_mismatch"
| "trust_tier_too_low"
| "capability_not_allowed"
| "message_budget_exceeded"
| "hop_limit_exceeded";
export type BossDeviceTrustDecision = {
allowed: boolean;
reason: BossDeviceTrustDecisionReason;
};
export type BossDeviceTrustEnvelope = {
deviceId: string;
payload: unknown;
signature: string;
keyFingerprint: string;
timestamp: string;
nonce: string;
};
export type BossDeviceTrustEnvelopeDecisionReason =
| "valid"
| "device_mismatch"
| "key_fingerprint_mismatch"
| "clock_skew_exceeded"
| "invalid_signature";
export type BossDeviceTrustEnvelopeDecision = {
valid: boolean;
reason: BossDeviceTrustEnvelopeDecisionReason;
canonicalPayload: string;
};
const TRUST_TIER_RANK: Record<BossDeviceTrustTier, number> = {
untrusted: 0,
paired: 1,
verified: 2,
managed: 3,
federated: 4,
};
export function evaluateDeviceTrust(input: {
device: BossDeviceTrustProfile;
requiredTrustTier: BossDeviceTrustTier;
capabilityGroupId: string;
messageBudgetUsed: number;
hopCount: number;
deviceId?: string;
}): BossDeviceTrustDecision {
if (input.deviceId && input.device.deviceId !== input.deviceId) {
return { allowed: false, reason: "device_mismatch" };
}
if (TRUST_TIER_RANK[input.device.trustTier] < TRUST_TIER_RANK[input.requiredTrustTier]) {
return { allowed: false, reason: "trust_tier_too_low" };
}
if (!input.device.allowedCapabilities.includes(input.capabilityGroupId)) {
return { allowed: false, reason: "capability_not_allowed" };
}
if (input.messageBudgetUsed > input.device.maxMessageBudget) {
return { allowed: false, reason: "message_budget_exceeded" };
}
if (input.hopCount > input.device.maxHopCount) {
return { allowed: false, reason: "hop_limit_exceeded" };
}
return { allowed: true, reason: "allowed" };
}
export function verifyDeviceTrustEnvelope(
envelope: BossDeviceTrustEnvelope,
options: {
device: BossDeviceTrustProfile;
now: string;
maxClockSkewMs: number;
verifySignature: (input: {
canonicalPayload: string;
signature: string;
publicKeyFingerprint: string;
deviceId: string;
}) => boolean;
},
): BossDeviceTrustEnvelopeDecision {
const canonicalPayload = canonicalizeEnvelopePayload(envelope);
if (envelope.deviceId !== options.device.deviceId) {
return { valid: false, reason: "device_mismatch", canonicalPayload };
}
if (envelope.keyFingerprint !== options.device.publicKeyFingerprint) {
return { valid: false, reason: "key_fingerprint_mismatch", canonicalPayload };
}
const skewMs = Math.abs(new Date(options.now).getTime() - new Date(envelope.timestamp).getTime());
if (!Number.isFinite(skewMs) || skewMs > options.maxClockSkewMs) {
return { valid: false, reason: "clock_skew_exceeded", canonicalPayload };
}
const valid = options.verifySignature({
canonicalPayload,
signature: envelope.signature,
publicKeyFingerprint: envelope.keyFingerprint,
deviceId: envelope.deviceId,
});
if (!valid) {
return { valid: false, reason: "invalid_signature", canonicalPayload };
}
return { valid: true, reason: "valid", canonicalPayload };
}
export function assertDeviceTrustEnvelope(
envelope: BossDeviceTrustEnvelope,
options: Parameters<typeof verifyDeviceTrustEnvelope>[1],
): BossDeviceTrustEnvelopeDecision {
const decision = verifyDeviceTrustEnvelope(envelope, options);
if (!decision.valid) {
throw new Error(`Device trust envelope rejected: ${decision.reason}`);
}
return decision;
}
function canonicalizeEnvelopePayload(envelope: BossDeviceTrustEnvelope): string {
return stableStringify({
deviceId: envelope.deviceId,
keyFingerprint: envelope.keyFingerprint,
nonce: envelope.nonce,
payload: envelope.payload,
timestamp: envelope.timestamp,
});
}
function stableStringify(value: unknown): string {
if (value === null || typeof value !== "object") {
return JSON.stringify(value);
}
if (Array.isArray(value)) {
return `[${value.map((item) => stableStringify(item)).join(",")}]`;
}
const record = value as Record<string, unknown>;
return `{${Object.keys(record)
.sort()
.map((key) => `${JSON.stringify(key)}:${stableStringify(record[key])}`)
.join(",")}}`;
}

12
src/lib/boss-events.ts
View File

@@ -4,6 +4,8 @@ export type BossEventName =
| "conversation.updated"
| "project.messages.updated"
| "project.context_risk.updated"
| "desktop.dialog_guard.intervention_required"
| "desktop.dialog_guard.intervention_resolved"
| "app.logs.updated"
| "master_agent.task.updated"
| "master_agent.settings.updated"
@@ -19,6 +21,16 @@ export interface BossEventPayload {
projectId?: string;
deviceId?: string;
taskId?: string;
interventionId?: string;
dialogId?: string;
requestId?: string;
appName?: string;
platform?: string;
risk?: string;
summary?: string;
recommendedAction?: string;
availableActions?: string[];
decision?: string;
status?: string;
note?: string;
conversationItem?: unknown;

82
src/lib/boss-mail.ts
View File

@@ -11,6 +11,12 @@ export interface VerificationDeliveryResult {
status: number;
}
export interface AdminMailDeliveryResult {
delivered: boolean;
status: number;
message: string;
}
function purposeLabel(purpose: VerificationPurpose) {
switch (purpose) {
case "login":
@@ -88,11 +94,48 @@ function buildVerificationMessage({
return lines.join("\n");
}
async function sendMail(message: string) {
function buildPlainMessage({
recipient,
subject,
body,
}: {
recipient: string;
subject: string;
body: string;
}) {
const domain = process.env.BOSS_MAIL_DOMAIN?.trim() || "boss.hyzq.net";
const fromAddress = process.env.BOSS_MAIL_FROM_ADDRESS?.trim() || `notify@${domain}`;
const fromName = process.env.BOSS_MAIL_FROM_NAME?.trim() || "Boss Notify";
const messageId = `<${Date.now()}.${randomBytes(4).toString("hex")}@${domain}>`;
return [
`From: ${fromName} <${fromAddress}>`,
`To: ${recipient}`,
`Subject: ${subject}`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: ${messageId}`,
"MIME-Version: 1.0",
"Content-Type: text/plain; charset=UTF-8",
"Content-Transfer-Encoding: 8bit",
"",
body,
"",
].join("\n");
}
export function resolveSendmailSpawnCommand() {
const sendmailPath = process.env.BOSS_SENDMAIL_PATH?.trim() || "/usr/sbin/sendmail";
return {
executable: "/usr/bin/env",
args: ["--", sendmailPath, "-t", "-i"],
};
}
async function sendMail(message: string) {
const { args } = resolveSendmailSpawnCommand();
await new Promise<void>((resolve, reject) => {
const child = spawn(sendmailPath, ["-t", "-i"], { stdio: ["pipe", "ignore", "pipe"] });
const child = spawn("/usr/bin/env", args, { stdio: ["pipe", "ignore", "pipe"] });
let stderr = "";
child.on("error", (error) => {
@@ -169,3 +212,38 @@ export async function deliverVerificationCode({
};
}
}
export async function deliverAdminPlainEmail({
recipient,
subject,
body,
}: {
recipient: string;
subject: string;
body: string;
}): Promise<AdminMailDeliveryResult> {
const finalRecipient = recipient.trim();
if (!isLikelyEmailAccount(finalRecipient)) {
return {
delivered: false,
status: 400,
message: "ADMIN_NOTIFICATION_RECIPIENT_INVALID",
};
}
try {
await sendMail(buildPlainMessage({ recipient: finalRecipient, subject, body }));
return {
delivered: true,
status: 200,
message: "ADMIN_NOTIFICATION_EMAIL_SENT",
};
} catch (error) {
const message = error instanceof Error ? error.message : "ADMIN_NOTIFICATION_EMAIL_FAILED";
return {
delivered: false,
status: 502,
message,
};
}
}

669
src/lib/boss-master-agent.ts
View File

@@ -25,7 +25,12 @@ import {
import type {
AiAccount,
AiProvider,
AuthRole,
BossPermission,
ComputerControlIntentCategory,
ComputerControlRiskLevel,
DispatchPlanTarget,
ExternalReplyTarget,
Project,
ProjectExecutionPolicy,
ProjectAgentControls,
@@ -52,6 +57,7 @@ import { buildExecutionPrompt } from "@/lib/execution/prompt-assembler";
import { readAliyunOssObjectBuffer } from "@/lib/boss-storage-aliyun-oss";
import { readServerFileAttachmentBuffer } from "@/lib/boss-storage-server-file";
import {
getAuthorizedStateSnapshot,
getMasterAgentPromptPolicyView,
getUserMasterPromptView,
listUserMasterMemoriesView,
@@ -139,6 +145,169 @@ const API_EXECUTION_PROVIDER_PRIORITY: ApiCompatibleProvider[] = [
"custom_api",
];
type BossRuntimeState = Awaited<ReturnType<typeof readState>>;
type MasterAgentPermissionSession = {
account: string;
role: AuthRole;
displayName: string;
};
type MasterAgentTaskAuthorizationPayload = {
authorizedDeviceIds: string[];
authorizedProjectIds: string[];
authorizedSkillIds: string[];
requiredPermissions: BossPermission[];
};
const MASTER_AGENT_BASE_REQUIRED_PERMISSIONS: BossPermission[] = ["master_agent.ask"];
function resolveMasterAgentPermissionSession(
state: BossRuntimeState,
account: string,
displayName: string,
): MasterAgentPermissionSession {
const authAccount = state.authAccounts.find((item) => item.account === account);
if (authAccount) {
return {
account,
role: authAccount.role,
displayName: authAccount.displayName || displayName || account,
};
}
if (state.user.account === account) {
return {
account,
role: state.user.role,
displayName: state.user.name || displayName || account,
};
}
return {
account,
role: "member",
displayName: displayName || account,
};
}
function buildAuthorizedMasterAgentScope(
state: BossRuntimeState,
session: MasterAgentPermissionSession,
) {
const scopedState = getAuthorizedStateSnapshot(state, session);
return {
state: scopedState,
authorizedDeviceIds: scopedState.devices.map((device) => device.id),
authorizedProjectIds: scopedState.projects.map((project) => project.id),
authorizedSkillIds: scopedState.deviceSkills.map((skill) => skill.skillId),
requiredPermissions: [...MASTER_AGENT_BASE_REQUIRED_PERMISSIONS],
};
}
export function buildAuthorizedMasterAgentPromptForTest(params: {
state: BossRuntimeState;
session: MasterAgentPermissionSession;
projectId: string;
requestText: string;
}) {
const scope = buildAuthorizedMasterAgentScope(params.state, params.session);
return {
...scope,
prompt: buildMasterCodexNodePrompt(scope.state, params.projectId, params.requestText),
};
}
export interface MasterAgentControlIntentClassification {
intentCategory: ComputerControlIntentCategory;
executionMode: "discussion" | "thread" | "development" | "browser" | "desktop";
riskLevel: ComputerControlRiskLevel;
}
function includesAny(text: string, keywords: string[]) {
return keywords.some((keyword) => text.includes(keyword));
}
export function classifyMasterAgentControlIntent(
requestText: string,
): MasterAgentControlIntentClassification {
const normalized = requestText.trim().toLowerCase();
if (!normalized) {
return {
intentCategory: "discussion_only",
executionMode: "discussion",
riskLevel: "low",
};
}
const browserSignals = [
"chrome",
"浏览器",
"网页",
"网站",
"表单",
"登录网站",
"打开网站",
"打开后台",
"打开页面",
"提交表单",
];
const desktopSignals = [
"桌面",
"系统设置",
"finder",
"微信",
"飞书",
"telegram",
"打开应用",
"打开软件",
"app",
"应用",
"窗口",
];
const developmentSignals = [
"开发",
"改代码",
"修复",
"跑测试",
"联调",
"实现",
"提交",
"构建",
"回归测试",
"debug",
"编译",
];
if (includesAny(normalized, browserSignals)) {
return {
intentCategory: "browser_control",
executionMode: "browser",
riskLevel: "medium",
};
}
if (includesAny(normalized, desktopSignals)) {
return {
intentCategory: "desktop_control",
executionMode: "desktop",
riskLevel: "medium",
};
}
if (includesAny(normalized, developmentSignals)) {
return {
intentCategory: "project_development",
executionMode: "development",
riskLevel: "medium",
};
}
return {
intentCategory: "discussion_only",
executionMode: "discussion",
riskLevel: "low",
};
}
export const classifyMasterAgentControlIntentForTesting = classifyMasterAgentControlIntent;
const GENERIC_COMPATIBLE_MODEL_OPTIONS = ["gpt-5.4-mini", "gpt-5.4", "gpt-5.1", "gpt-4.1"];
type QueuedMasterAgentReplyEnvelope = {
@@ -148,7 +317,7 @@ type QueuedMasterAgentReplyEnvelope = {
masterReplyState: MasterAgentReplyState;
task: {
taskId: string;
taskType: "conversation_reply";
taskType: "conversation_reply" | "browser_control" | "desktop_control";
status: MasterAgentReplyState;
};
};
@@ -172,6 +341,11 @@ type LocalMasterAgentFastReplyResolution = {
reasoningEffortOverride?: ReasoningEffort | null;
};
modeResolutionOverride?: MasterAgentExecutionModeResolution;
projectTakeoverPatch?: {
projectId: string;
takeoverEnabled: boolean;
projectName: string;
};
};
const DEFAULT_FAST_MODEL = "gpt-5.4-mini";
@@ -230,6 +404,50 @@ const MASTER_AGENT_COMPLEX_CONTEXT_KEYWORDS = [
"数据库",
"迁移",
];
const MASTER_AGENT_PROJECT_SUMMARY_KEYWORDS = [
"项目目标",
"版本记录",
"版本迭代",
"项目总结",
"版本总结",
"阶段总结",
"汇总",
"概括",
"梳理",
"总结",
];
const MASTER_AGENT_TAKEOVER_KEYWORDS = ["托管", "接管", "协同接管"];
const MASTER_AGENT_OPERATIONAL_RUNTIME_KEYWORDS = [
"ota",
"升级",
"更新包",
"版本包",
"发布",
"推送",
"设备",
"在线",
"离线",
"掉线",
"连接",
"日志",
"app日志",
"告警",
"崩溃",
"闪退",
"卡顿",
"超时",
"报错",
"异常",
"同步失败",
"上下文预算",
"must_finish_before_compaction",
"must_finish",
"quota",
"认证",
"登录",
"cookie",
"会话到期",
];
export class ThreadConversationExecutionConflictError extends Error {
conflict: ThreadConversationExecutionConflict;
@@ -616,13 +834,13 @@ function buildLocalMasterAgentFastReply(params: {
};
}
if (/^(你好|在吗|你是谁)[。!?!?\s]*$/i.test(compact)) {
if (/^(你好|在吗|你是谁|hello|hi|hey)[。!?!?\s]*$/i.test(compact)) {
const model = params.modeResolution.effectiveModelOverride || params.fallbackModel || "默认主控模型";
return {
replyBody: [
"在,我是主 Agent。",
"在,主 Agent 可以开始协调。",
`当前模式:${masterAgentModeLabel(params.modeResolution.effectiveMode)},模型:${model}`,
"简单问题我会快速回复;涉及开发、排查、方案或长上下文时,我会自动升档到深度思考。",
"你给目标后,我会先给你结论,再安排线程开发、调研或回归验证;需要我协调线程或直接推进,直接说任务即可。",
].join("\n"),
};
}
@@ -630,6 +848,50 @@ function buildLocalMasterAgentFastReply(params: {
return null;
}
function isMasterAgentTakeoverIntent(requestText: string) {
const normalized = requestText.trim().replace(/\s+/g, "");
if (!normalized) {
return false;
}
return MASTER_AGENT_TAKEOVER_KEYWORDS.some((keyword) => normalized.includes(keyword));
}
function resolveMasterAgentTakeoverTarget(
state: Awaited<ReturnType<typeof readState>>,
requestText: string,
) {
if (!isMasterAgentTakeoverIntent(requestText)) {
return null;
}
const ranked = state.projects
.filter((project) => isDispatchableThreadProject(project))
.map((project) => ({
project,
score: scoreMasterAgentDispatchCandidate(project, requestText),
}))
.filter((item) => item.score > 0)
.sort((left, right) => {
if (right.score !== left.score) {
return right.score - left.score;
}
return Date.parse(right.project.updatedAt || "") - Date.parse(left.project.updatedAt || "");
});
if (ranked.length === 0) {
return null;
}
if (ranked.length > 1 && ranked[0]?.score === ranked[1]?.score) {
return null;
}
const normalized = requestText.trim().replace(/\s+/g, "");
return {
project: ranked[0]!.project,
takeoverEnabled: !/(关闭|取消|退出|停止|禁用|撤销|解除)/.test(normalized),
};
}
function buildAgentControlsDigest(agentControls?: ProjectAgentControls | null) {
if (!agentControls) {
return "当前对话覆盖:无";
@@ -647,6 +909,7 @@ function buildAgentControlsDigest(agentControls?: ProjectAgentControls | null) {
function buildMasterAgentExecutionPrompt(params: {
state: Awaited<ReturnType<typeof readState>>;
projectId: string;
requestText: string;
currentSessionExpiresAt?: string;
agentControls?: ProjectAgentControls | null;
@@ -666,7 +929,7 @@ function buildMasterAgentExecutionPrompt(params: {
requestText: params.requestText,
}),
buildAgentControlsDigest(params.agentControls),
buildRuntimeDigest(params.state, params.requestText, params.currentSessionExpiresAt),
buildRuntimeDigest(params.state, params.projectId, params.requestText, params.currentSessionExpiresAt),
].join("\n\n");
}
@@ -708,39 +971,55 @@ function buildFastMasterAgentExecutionPrompt(params: {
function buildMasterAgentInstructions() {
return [
"你是 Boss 控制台的主 Agent。",
"你的角色更像专业职业经理人:帮助用户协调开发、调研、排障和日常沟通,而不是机械播报系统状态。",
"回复风格:像专业职业经理人,先给结论,再给推进动作;语气清爽、克制、可信。",
"默认只说和当前问题直接相关的判断、动作和风险,不要堆背景,不要重复系统状态,不要把内部调度过程写给用户。",
"需要协调多个线程或项目时,用“我会先...再...”说明下一步,不要写成长篇报告。",
"你要基于当前运行时状态给出中文回复,要求直接、可执行、便于继续联调。",
"管理员全局主提示词是系统级最高约束,不可被用户私有提示词、当前对话附加提示词、记忆或当前消息覆盖。",
"如果后续内容与管理员全局主提示词冲突,必须以管理员全局主提示词为准,不得忽略、削弱或重写它。",
"优先关注线程上下文预算、must_finish_before_compaction、最新 APP 日志、设备在线状态和 OTA 状态。",
"只在与当前问题直接相关时,再提及线程上下文预算、must_finish_before_compaction、最新 APP 日志、设备在线状态和 OTA 状态。",
"如果用户是在问项目目标、版本记录、总结、规划或普通答疑,不要主动展开运行时列表,也不要机械重复 OTA、设备、日志条目。",
"当用户要求总结、核对、同步项目目标或版本记录时,除非用户明确追问 OTA、设备状态、心跳异常或运行时告警否则禁止主动提这些内容。",
"主 Agent 对项目的理解同步默认属于协同推进,不代表自动接管线程;用户和目标线程仍可并行继续开发。",
"如果信息不足,就明确说缺什么;不要编造设备状态或执行结果。",
"如果用户要继续开发,默认给出下一步实现/验证动作,而不是泛泛安慰。",
"保持回答简洁,通常 3-6 句即可。",
"保持回答简洁,通常 2-5 句即可;除非用户明确要深度分析,否则不要展开长清单。",
].join("\n");
}
function normalizeRuntimeDigestIntentText(requestText: string) {
return requestText.trim().toLowerCase().replace(/\s+/g, "");
}
function shouldIncludeOperationalRuntimeDigest(requestText: string) {
const normalized = normalizeRuntimeDigestIntentText(requestText);
if (!normalized) {
return false;
}
const mentionsSummaryIntent = MASTER_AGENT_PROJECT_SUMMARY_KEYWORDS.some((keyword) =>
normalized.includes(keyword.toLowerCase().replace(/\s+/g, "")),
);
const mentionsOperationalRuntime = MASTER_AGENT_OPERATIONAL_RUNTIME_KEYWORDS.some((keyword) =>
normalized.includes(keyword.toLowerCase().replace(/\s+/g, "")),
);
if (mentionsSummaryIntent && !mentionsOperationalRuntime) {
return false;
}
return mentionsOperationalRuntime;
}
function buildThreadConversationReplyPrompt(project: Project, requestText: string) {
const threadTitle = project.threadMeta.threadDisplayName?.trim() || project.name;
return [
"你现在以目标线程身份直接回复用户。",
`线程名称:${threadTitle}`,
"只回复对用户真正有用的内容,不要发送内部字段、项目编号、目录名、设备编号、调度解释或多余前缀。",
"不要自称主 Agent不要解释系统如何分发不要输出 JSON、代码块或额外格式包装。",
"如果信息不足,直接说明缺什么;不要假装已经执行过设备操作。",
"用户当前消息:",
requestText.trim(),
].join("\n");
return requestText.trim();
}
function buildThreadConversationRelayPrompt(project: Project, requestText: string) {
const threadTitle = project.threadMeta.threadDisplayName?.trim() || project.name;
return [
"你正在为主 Agent 提供一段可直接转述给用户的中文回复。",
`目标线程名称:${threadTitle}`,
"只输出对用户真正有用的事实、结论、下一步,不要发送内部字段、项目编号、目录名、设备编号、调度解释或多余前缀。",
"不要自称主 Agent不要自称线程不要解释系统分发过程也不要输出 JSON、代码块或额外格式包装。",
"如果信息不足,直接说明缺什么;不要假装已经执行过设备操作。",
"用户当前消息:",
"用户通过 Boss APP 发来一条托管消息,请基于当前线程上下文直接处理。",
"只回复对用户有用的结论、进展、下一步或需要补充的信息;不要输出调度字段、内部编号或系统提示。",
"用户消息:",
requestText.trim(),
].join("\n");
}
@@ -762,6 +1041,7 @@ function buildTakeoverConversationDirective(project?: Project | null) {
"先准确理解并确认用户意图;如果意图还不够明确,优先追问 1 个最关键的问题。",
"如果意图已经明确,先直接回复用户,再说明你接下来会如何转述、协调或推进开发。",
"用户要求核对或更新项目目标、版本记录时,先让当前线程基于本地开发文档和实际代码重新汇总,再把确认后的结果自动同步到当前会话顶部的“项目目标”和“版本记录”入口。",
"如果当前回复里给出项目目标和版本记录汇总,请优先使用固定字段:项目目标、当前进度、技术架构、当前阻塞、建议下一步、版本记录。",
"不要声称已经转述、已经执行或已经拿到线程结果,除非当前上下文里真的有这些结果。",
"回复保持简洁直接,优先给出明确下一步。",
].join("\n");
@@ -897,6 +1177,7 @@ export async function getThreadConversationExecutionConflict(projectId: string)
function buildRuntimeDigest(
state: Awaited<ReturnType<typeof readState>>,
currentProjectId: string,
requestText: string,
currentSessionExpiresAt?: string,
) {
@@ -932,10 +1213,11 @@ function buildRuntimeDigest(
.filter((update) => update.status === "available")
.map((update) => `${update.version} -> ${update.targetScope}`)
.join("\n");
const threadRuntimeSelection = selectThreadRuntimeDigestSelection(state, requestText);
const threadRuntimeSelection = selectThreadRuntimeDigestSelection(state, currentProjectId, requestText);
const threadStatusDocuments = threadRuntimeSelection.threadStatusDocuments;
const recentProgressEvents = threadRuntimeSelection.recentProgressEvents;
const deepPullThreadUnderstandings = threadRuntimeSelection.deepPullThreadUnderstandings;
const includeOperationalRuntimeDigest = shouldIncludeOperationalRuntimeDigest(requestText);
const authSummary = [
`登录会话策略:成功登录后默认保持 ${Math.round(AUTH_SESSION_TTL_MS / 24 / 60 / 60_000)} 天。`,
@@ -965,27 +1247,72 @@ function buildRuntimeDigest(
"最近主 Agent 对话:",
recentMessages || "无",
"",
"最新 APP 日志:",
recentLogs || "无",
"",
"高风险线程:",
riskyThreads || "",
"",
"在线设备:",
devices || "",
"",
"认证状态:",
authSummary,
"",
"可用 OTA",
ota || "",
...(includeOperationalRuntimeDigest
? [
"最新 APP 日志:",
recentLogs || "无",
"",
"高风险线程:",
riskyThreads || "无",
"",
"在线设备:",
devices || "无",
"",
"认证状态:",
authSummary,
"",
"可用 OTA",
ota || "无",
]
: []),
].join("\n");
}
function selectThreadRuntimeDigestSelection(
state: Awaited<ReturnType<typeof readState>>,
currentProjectId: string,
requestText: string,
) {
if (currentProjectId !== "master-agent") {
const currentProject = state.projects.find((project) => project.id === currentProjectId);
const threadStatusDocuments = [...state.threadStatusDocuments]
.filter((document) => document.projectId === currentProjectId)
.sort((left, right) => {
const updatedDelta = Date.parse(right.updatedAt) - Date.parse(left.updatedAt);
if (updatedDelta !== 0) {
return updatedDelta;
}
return right.documentId.localeCompare(left.documentId);
});
const recentProgressEvents = [...state.threadProgressEvents]
.filter((event) => event.projectId === currentProjectId)
.sort((left, right) => {
const createdDelta = Date.parse(right.createdAt) - Date.parse(left.createdAt);
if (createdDelta !== 0) {
return createdDelta;
}
return right.eventId.localeCompare(left.eventId);
});
const deepPullThreadUnderstandings =
threadStatusDocuments.length === 0 &&
recentProgressEvents.length === 0 &&
currentProject?.projectUnderstanding
? [buildDeepPullThreadUnderstandingDigest(currentProject)].filter(
(entry): entry is string => Boolean(entry),
)
: [];
return {
threadStatusDocuments: threadStatusDocuments
.slice(0, 6)
.map((document) => buildThreadStatusDocumentDigest(state, document)),
recentProgressEvents: recentProgressEvents
.slice(0, 8)
.map((event) => buildThreadProgressEventDigest(state, event)),
deepPullThreadUnderstandings,
};
}
const projectsWithRuntimeEvidence = state.projects
.filter((project) =>
state.threadStatusDocuments.some((document) => document.projectId === project.id) ||
@@ -1374,7 +1701,7 @@ function isUsableMasterNodeAccount(account: AiAccount) {
return (
account.enabled &&
account.provider === "master_codex_node" &&
account.status === "ready" &&
(account.status === "ready" || account.status === "degraded") &&
Boolean(account.nodeId?.trim())
);
}
@@ -1555,6 +1882,33 @@ export async function tryBuildLocalMasterAgentFastReply(params: {
return null;
}
const takeoverTarget = resolveMasterAgentTakeoverTarget(state, params.requestText);
if (takeoverTarget) {
await updateProjectAgentControls(
takeoverTarget.project.id,
{ takeoverEnabled: takeoverTarget.takeoverEnabled },
params.requestedByAccount,
);
const projectName = takeoverTarget.project.threadMeta.threadDisplayName?.trim() || takeoverTarget.project.name;
return {
senderLabel: `主 Agent · ${runtime.account.model || runtime.summary.roleLabel}`,
replyBody: takeoverTarget.takeoverEnabled
? `已为《${projectName}》开启主 Agent 协同接管。后续这个线程里你直接发消息,我会先确认意图,再协调对应线程推进。`
: `已为《${projectName}》关闭主 Agent 协同接管。后续这个线程会恢复为你直接和对应 Codex 线程对话。`,
masterReply: {
ok: true as const,
accountId: runtime.account.accountId,
requestId: "local-fast-path",
masterReplyState: "completed" as const,
activeMode: "default" as const,
effectiveMode: "default" as const,
effectiveModel: runtime.account.model,
effectiveReasoningEffort: "medium" as const,
autoEscalated: false,
},
};
}
const storedAgentControls = resolveStoredAgentControlsFromState(
state,
replyProjectId,
@@ -1710,6 +2064,7 @@ async function generateApiProviderReply(params: {
params.executionPromptOverride ??
buildMasterAgentExecutionPrompt({
state,
projectId: executionProjectId,
requestText: params.requestText,
currentSessionExpiresAt: params.currentSessionExpiresAt,
agentControls: params.agentControls,
@@ -1786,6 +2141,7 @@ async function generateApiProviderReply(params: {
function buildMasterOpenAiReplyPrompt(
state: Awaited<ReturnType<typeof readState>>,
projectId: string,
requestText: string,
currentSessionExpiresAt?: string,
agentControls?: ProjectAgentControls | null,
@@ -1796,6 +2152,7 @@ function buildMasterOpenAiReplyPrompt(
) {
return buildMasterAgentExecutionPrompt({
state,
projectId,
requestText,
currentSessionExpiresAt,
agentControls,
@@ -1946,6 +2303,8 @@ async function enqueueOpenAiMasterAgentReply(params: {
userMemories?: RelevantMemory[];
executionPromptOverride?: string;
relayViaMasterAgent?: boolean;
taskAuthorization?: MasterAgentTaskAuthorizationPayload;
externalReplyTarget?: ExternalReplyTarget;
masterFallback?: {
account: AiAccount;
executionPrompt: string;
@@ -1964,6 +2323,7 @@ async function enqueueOpenAiMasterAgentReply(params: {
params.executionPromptOverride ??
buildMasterOpenAiReplyPrompt(
state,
params.projectId ?? "master-agent",
params.requestText,
params.currentSessionExpiresAt,
params.agentControls,
@@ -1977,7 +2337,9 @@ async function enqueueOpenAiMasterAgentReply(params: {
deviceId: primaryCandidate.deviceId,
accountId: primaryCandidate.account.accountId,
accountLabel: primaryCandidate.account.label,
...params.taskAuthorization,
relayViaMasterAgent: params.relayViaMasterAgent,
externalReplyTarget: params.externalReplyTarget,
});
void queueAndStartOpenAiMasterAgentReply({
candidates: params.candidates,
@@ -2018,6 +2380,8 @@ async function enqueueClawMasterAgentReply(params: {
projectId?: string;
agentControls?: ProjectAgentControls | null;
relayViaMasterAgent?: boolean;
taskAuthorization?: MasterAgentTaskAuthorizationPayload;
externalReplyTarget?: ExternalReplyTarget;
apiFallbackCandidates: ApiExecutionCandidate[];
masterFallback?: {
account: AiAccount;
@@ -2034,7 +2398,9 @@ async function enqueueClawMasterAgentReply(params: {
deviceId: CLAW_RUNTIME_DEVICE_ID,
accountId: CLAW_BACKEND_ID,
accountLabel: "Claw Runtime",
...params.taskAuthorization,
relayViaMasterAgent: params.relayViaMasterAgent,
externalReplyTarget: params.externalReplyTarget,
});
const timer = setTimeout(() => {
@@ -2208,6 +2574,7 @@ async function appendMasterAgentSystemReply(body: string, senderLabel = "主 Age
function buildMasterCodexNodePrompt(
state: Awaited<ReturnType<typeof readState>>,
projectId: string,
requestText: string,
currentSessionExpiresAt?: string,
agentControls?: ProjectAgentControls | null,
@@ -2218,6 +2585,7 @@ function buildMasterCodexNodePrompt(
) {
return buildMasterAgentExecutionPrompt({
state,
projectId,
requestText,
currentSessionExpiresAt,
agentControls,
@@ -2314,6 +2682,18 @@ const MASTER_AGENT_DISPATCH_KEYWORDS = [
"让",
"继续",
];
const MASTER_AGENT_PROJECT_SUMMARY_SYNC_KEYWORDS = [
"项目目标",
"版本记录",
"版本迭代",
"汇总",
"总结",
"同步",
"更新",
"核对",
"确认",
"梳理",
];
function normalizeDispatchLookupText(value: string) {
return value.trim().toLowerCase();
@@ -2362,6 +2742,69 @@ export function shouldRecommendMasterAgentDispatchPlan(
.some((project) => scoreMasterAgentDispatchCandidate(project, requestText) > 0);
}
function isMasterAgentProjectSummarySyncRequest(requestText: string) {
const request = normalizeDispatchLookupText(requestText);
if (!request) {
return false;
}
const mentionsGoal = request.includes("项目目标") || request.includes("目标");
const mentionsVersion = request.includes("版本记录") || request.includes("版本迭代") || request.includes("版本");
const mentionsSyncVerb = MASTER_AGENT_PROJECT_SUMMARY_SYNC_KEYWORDS.some((keyword) =>
request.includes(keyword),
);
return mentionsSyncVerb && (mentionsGoal || mentionsVersion);
}
export function resolveMasterAgentProjectSummarySyncTarget(
state: Awaited<ReturnType<typeof readState>>,
requestText: string,
) {
if (!isMasterAgentProjectSummarySyncRequest(requestText)) {
return null;
}
const ranked = state.projects
.filter((project) => isDispatchableThreadProject(project))
.map((project) => ({
project,
score: scoreMasterAgentDispatchCandidate(project, requestText),
}))
.filter((item) => item.score > 0)
.sort((left, right) => {
if (right.score !== left.score) {
return right.score - left.score;
}
return Date.parse(right.project.updatedAt || "") - Date.parse(left.project.updatedAt || "");
});
if (ranked.length === 0) {
return null;
}
if (ranked.length > 1 && ranked[0]?.score === ranked[1]?.score) {
return null;
}
return ranked[0]?.project ?? null;
}
export function buildMasterAgentProjectSummarySyncAck(
project: Project,
options?: { notifyOnCompletion?: boolean; rememberedPreference?: boolean },
) {
const threadTitle = project.threadMeta.threadDisplayName?.trim() || project.name;
const lines = [
`已开始同步《${threadTitle}》的项目目标和版本记录。`,
"我会先让对应 Codex 线程基于本地文档和实际代码重新汇总。",
"汇总完成后,会自动写回该线程会话顶部的“项目目标”和“版本记录”入口。",
];
if (options?.notifyOnCompletion) {
lines.push("同步完成后,我会在这里回你一条结果。");
}
if (options?.rememberedPreference) {
lines.push("这条提醒规则我也记住了,后续同类同步默认这样处理。");
}
return lines.join("\n");
}
function collectGroupDispatchTargets(
state: Awaited<ReturnType<typeof readState>>,
project: Project,
@@ -2664,6 +3107,9 @@ export async function queueThreadConversationReplyTask(params: {
projectId: string;
requestMessageId: string;
requestText: string;
sourceMessageId?: string;
sourceMessageBody?: string;
sourceMessageSentAt?: string;
requestedBy: string;
requestedByAccount: string;
relayViaMasterAgent?: boolean;
@@ -2681,6 +3127,9 @@ export async function queueThreadConversationReplyTask(params: {
executionPrompt: params.relayViaMasterAgent
? buildThreadConversationRelayPrompt(project, params.requestText)
: buildThreadConversationReplyPrompt(project, params.requestText),
sourceMessageId: params.sourceMessageId,
sourceMessageBody: params.sourceMessageBody,
sourceMessageSentAt: params.sourceMessageSentAt,
requestedBy: params.requestedBy,
requestedByAccount: params.requestedByAccount,
deviceId,
@@ -2690,6 +3139,8 @@ export async function queueThreadConversationReplyTask(params: {
targetCodexThreadRef: project.threadMeta.codexThreadRef,
targetCodexFolderRef: project.threadMeta.codexFolderRef,
relayViaMasterAgent: params.relayViaMasterAgent,
mirrorBossUserMessageToCodexDesktop:
params.sourceMessageId?.trim() && params.sourceMessageBody?.trim() ? true : undefined,
});
}
@@ -3105,6 +3556,7 @@ export async function replyToMasterAgentUserMessage(params: {
projectId?: string;
interactionMode?: "direct" | "takeover_single_thread";
mode?: "wait" | "enqueue" | "smart";
externalReplyTarget?: ExternalReplyTarget;
}) {
const runtime = await getMasterAgentRuntimeAccount();
const replyProjectId = params.projectId ?? "master-agent";
@@ -3124,7 +3576,28 @@ export async function replyToMasterAgentUserMessage(params: {
params.requestText,
);
const state = await readState();
const replyProject = state.projects.find((project) => project.id === replyProjectId);
const permissionSession = resolveMasterAgentPermissionSession(
state,
params.requestedByAccount,
params.requestedBy,
);
const authorizedScope = buildAuthorizedMasterAgentScope(state, permissionSession);
const authorizedState = authorizedScope.state;
const masterTaskAuthorization = (requiredPermissions = authorizedScope.requiredPermissions) => ({
authorizedDeviceIds: authorizedScope.authorizedDeviceIds,
authorizedProjectIds: authorizedScope.authorizedProjectIds,
authorizedSkillIds: authorizedScope.authorizedSkillIds,
requiredPermissions,
});
if (!authorizedScope.authorizedProjectIds.includes(replyProjectId)) {
await appendMasterAgentSystemReply(
"这个会话还没有授权给当前账号,主 Agent 不能读取或接管它。请让超级管理员先分配项目权限。",
"主 Agent",
replyProjectId,
);
return { ok: false as const, reason: "FORBIDDEN" };
}
const replyProject = authorizedState.projects.find((project) => project.id === replyProjectId);
const primaryDeviceId = runtime.account.nodeId || state.user.boundDeviceId || "mac-studio";
const primaryDevice = state.devices.find((device) => device.id === primaryDeviceId);
const primaryBackendStatus =
@@ -3152,6 +3625,7 @@ export async function replyToMasterAgentUserMessage(params: {
const agentControls = executionConfig.agentControls;
const modeResolution = executionConfig.modeResolution;
const replyMetadata = buildMasterAgentModeMetadata(modeResolution);
const controlIntent = classifyMasterAgentControlIntent(params.requestText);
const relayViaMasterAgent = params.interactionMode === "takeover_single_thread";
const selectedMasterAccount = await resolveMasterNodeExecutionCandidate({
backendChoices,
@@ -3194,7 +3668,8 @@ export async function replyToMasterAgentUserMessage(params: {
userPrompt: executionConfig.userPrompt,
})
: buildMasterCodexNodePrompt(
state,
authorizedState,
replyProjectId,
params.requestText,
params.currentSessionExpiresAt,
agentControls,
@@ -3215,7 +3690,7 @@ export async function replyToMasterAgentUserMessage(params: {
requestText: params.requestText,
requestedByAccount: params.requestedByAccount,
projectId: replyProjectId,
state,
state: authorizedState,
})
: null;
@@ -3231,6 +3706,52 @@ export async function replyToMasterAgentUserMessage(params: {
};
}
if (
controlIntent.intentCategory === "browser_control" || controlIntent.intentCategory === "desktop_control"
) {
const deviceId = runtime.account.nodeId || state.user.boundDeviceId || "mac-studio";
const taskType = controlIntent.intentCategory;
const task = await queueMasterAgentTask({
projectId: replyProjectId,
taskType,
requestMessageId: params.requestMessageId ?? "master-agent-manual",
requestText: params.requestText,
executionPrompt: baseMasterExecutionPrompt,
requestedBy: params.requestedBy,
requestedByAccount: params.requestedByAccount,
deviceId,
accountId: runtime.account.accountId,
accountLabel: runtime.summary.roleLabel,
...masterTaskAuthorization(["master_agent.ask", "computer.control"]),
intentCategory: controlIntent.intentCategory,
runtimeKind:
controlIntent.intentCategory === "browser_control"
? "browser-automation-runtime"
: "computer-use-runtime",
riskLevel: controlIntent.riskLevel,
confirmationPolicy: controlIntent.riskLevel === "high" ? "strong_confirm" : "light_confirm",
requiresUserConfirmation: false,
confirmationScopeKey: `${deviceId}:${replyProjectId}`,
externalReplyTarget: params.externalReplyTarget,
});
return {
ok: true as const,
accountId: runtime.account.accountId,
taskId: task.taskId,
masterReplyState: "queued" as const,
task: {
taskId: task.taskId,
taskType,
status: "queued" as const,
},
executionMode: controlIntent.executionMode,
riskLevel: controlIntent.riskLevel,
requiresConfirmation: false,
...replyMetadata,
};
}
const runMasterNodeExecution = async () => {
if (!selectedMasterAccount) {
await appendMasterAgentSystemReply(
@@ -3267,6 +3788,62 @@ export async function replyToMasterAgentUserMessage(params: {
return { ok: false as const, reason: "MASTER_NODE_OFFLINE" };
}
await updateAiAccountHealth({
accountId: selectedMasterAccount.accountId,
status: "ready",
lastValidatedAt: new Date().toISOString(),
lastUsedAt: new Date().toISOString(),
});
if (
controlIntent.intentCategory === "browser_control" || controlIntent.intentCategory === "desktop_control"
) {
const runtimeKind =
controlIntent.intentCategory === "browser_control"
? "browser-automation-runtime"
: "computer-use-runtime";
const taskType = controlIntent.intentCategory;
const task = await queueMasterAgentTask({
projectId: replyProjectId,
taskType,
requestMessageId: params.requestMessageId ?? "master-agent-manual",
requestText: params.requestText,
executionPrompt: masterExecutionPrompt,
requestedBy: params.requestedBy,
requestedByAccount: params.requestedByAccount,
deviceId,
accountId: selectedMasterAccount.accountId,
accountLabel: selectedMasterAccount.label || runtime.summary.roleLabel,
...masterTaskAuthorization(["master_agent.ask", "computer.control"]),
intentCategory: controlIntent.intentCategory,
runtimeKind,
riskLevel: controlIntent.riskLevel,
confirmationPolicy: controlIntent.riskLevel === "high" ? "strong_confirm" : "light_confirm",
requiresUserConfirmation: false,
confirmationScopeKey: `${deviceId}:${replyProjectId}`,
externalReplyTarget: params.externalReplyTarget,
});
const queuedReply: QueuedMasterAgentReplyEnvelope = {
ok: true as const,
accountId: selectedMasterAccount.accountId,
taskId: task.taskId,
masterReplyState: "queued" as const,
task: {
taskId: task.taskId,
taskType,
status: "queued" as const,
},
};
return {
...queuedReply,
executionMode: controlIntent.executionMode,
riskLevel: controlIntent.riskLevel,
requiresConfirmation: false,
...replyMetadata,
};
}
const task = await queueMasterAgentTask({
projectId: replyProjectId,
requestMessageId: params.requestMessageId ?? "master-agent-manual",
@@ -3277,7 +3854,9 @@ export async function replyToMasterAgentUserMessage(params: {
deviceId,
accountId: selectedMasterAccount.accountId,
accountLabel: selectedMasterAccount.label || runtime.summary.roleLabel,
...masterTaskAuthorization(),
relayViaMasterAgent,
externalReplyTarget: params.externalReplyTarget,
});
if (replyMode === "enqueue") {
@@ -3351,6 +3930,8 @@ export async function replyToMasterAgentUserMessage(params: {
projectId: replyProjectId,
agentControls,
relayViaMasterAgent,
taskAuthorization: masterTaskAuthorization(),
externalReplyTarget: params.externalReplyTarget,
apiFallbackCandidates: apiExecutionCandidates,
masterFallback: hasMasterFallback && selectedMasterAccount
? {
@@ -3385,6 +3966,8 @@ export async function replyToMasterAgentUserMessage(params: {
userMemories: executionConfig.userMemories,
executionPromptOverride: masterExecutionPrompt,
relayViaMasterAgent,
taskAuthorization: masterTaskAuthorization(),
externalReplyTarget: params.externalReplyTarget,
masterFallback: hasMasterFallback && selectedMasterAccount
? {
account: selectedMasterAccount,

207
src/lib/boss-permissions.ts Normal file
View File

@@ -0,0 +1,207 @@
import type {
AuthSession,
BossPermission,
BossState,
Device,
Project,
} from "@/lib/boss-data";
export type PermissionSession = Pick<AuthSession, "account" | "role" | "displayName">;
function isExpired(expiresAt?: string) {
return Boolean(expiresAt && new Date(expiresAt).getTime() <= Date.now());
}
export function isHighestAdmin(session: Pick<PermissionSession, "role">) {
return session.role === "highest_admin";
}
function permissionSetIncludes(permissions: BossPermission[], required: BossPermission) {
return permissions.includes(required);
}
function projectUsesDevice(project: Project, deviceId: string) {
if (project.deviceIds.includes(deviceId)) return true;
return project.groupMembers.some((member) => member.deviceId === deviceId);
}
function accountOwnsDevice(device: Device | undefined, account: string) {
return Boolean(device && device.account === account);
}
function accountCompanyId(state: BossState, account: string) {
return state.authAccounts.find((item) => item.account === account)?.companyId;
}
function deviceCompanyId(state: BossState, device: Device | undefined) {
if (!device) return undefined;
return device.companyId ?? accountCompanyId(state, device.account);
}
function tenantAllowsCompanies(
state: BossState,
session: PermissionSession,
targetCompanyIds: Array<string | undefined>,
) {
if (isHighestAdmin(session)) return true;
const concreteTargets = [...new Set(targetCompanyIds.filter((item): item is string => Boolean(item)))];
if (concreteTargets.length === 0) return true;
const actorCompanyId = accountCompanyId(state, session.account);
return Boolean(actorCompanyId && concreteTargets.includes(actorCompanyId));
}
function projectCompanyIds(state: BossState, project: Project | undefined) {
if (!project) return [];
const deviceIds = new Set([
...project.deviceIds,
...project.groupMembers.map((member) => member.deviceId),
]);
return [...deviceIds].map((deviceId) =>
deviceCompanyId(state, state.devices.find((device) => device.id === deviceId)),
);
}
export function canAccessDevice(
state: BossState,
session: PermissionSession,
deviceId: string,
permission: BossPermission = "device.view",
) {
if (isHighestAdmin(session)) return true;
const device = state.devices.find((item) => item.id === deviceId);
if (!device) return false;
if (!tenantAllowsCompanies(state, session, [deviceCompanyId(state, device)])) return false;
if (permission === "device.view" && accountOwnsDevice(device, session.account)) {
return true;
}
return state.accountDeviceGrants.some(
(grant) =>
grant.account === session.account &&
grant.deviceId === deviceId &&
!isExpired(grant.expiresAt) &&
permissionSetIncludes(grant.permissions, permission),
);
}
export function canAccessProject(
state: BossState,
session: PermissionSession,
projectId: string,
permission: BossPermission = "project.view",
) {
if (isHighestAdmin(session)) return true;
const project = state.projects.find((item) => item.id === projectId);
if (!project) return false;
if (!tenantAllowsCompanies(state, session, projectCompanyIds(state, project))) return false;
const directProjectGrant = state.accountProjectGrants.some(
(grant) =>
grant.account === session.account &&
grant.projectId === projectId &&
!isExpired(grant.expiresAt) &&
permissionSetIncludes(grant.permissions, permission),
);
if (directProjectGrant) return true;
if (permission === "project.view") {
return state.devices.some(
(device) =>
projectUsesDevice(project, device.id) &&
(accountOwnsDevice(device, session.account) ||
canAccessDevice(state, session, device.id, "device.view")),
);
}
return state.accountDeviceGrants.some(
(grant) =>
grant.account === session.account &&
!isExpired(grant.expiresAt) &&
projectUsesDevice(project, grant.deviceId) &&
permissionSetIncludes(grant.permissions, permission),
);
}
function grantMatchesScope(
grant: { deviceId?: string; projectId?: string },
scope: { deviceId?: string; projectId?: string },
) {
if (grant.deviceId && scope.deviceId && grant.deviceId !== scope.deviceId) return false;
if (grant.projectId && scope.projectId && grant.projectId !== scope.projectId) return false;
return true;
}
export function canUseSkill(
state: BossState,
session: PermissionSession,
skillId: string,
scope: { deviceId?: string; projectId?: string } = {},
) {
if (isHighestAdmin(session)) return true;
return state.accountSkillGrants.some(
(grant) =>
grant.account === session.account &&
grant.skillId === skillId &&
!isExpired(grant.expiresAt) &&
permissionSetIncludes(grant.permissions, "skill.use") &&
grantMatchesScope(grant, scope),
);
}
export function canViewSkill(
state: BossState,
session: PermissionSession,
skillId: string,
scope: { deviceId?: string; projectId?: string } = {},
) {
if (isHighestAdmin(session)) return true;
return state.accountSkillGrants.some(
(grant) =>
grant.account === session.account &&
grant.skillId === skillId &&
!isExpired(grant.expiresAt) &&
(permissionSetIncludes(grant.permissions, "skill.view") ||
permissionSetIncludes(grant.permissions, "skill.use")) &&
grantMatchesScope(grant, scope),
);
}
export function filterDevicesForSession(state: BossState, session: PermissionSession) {
if (isHighestAdmin(session)) return state.devices;
return state.devices.filter((device) =>
canAccessDevice(state, session, device.id, "device.view"),
);
}
export function filterProjectsForSession(state: BossState, session: PermissionSession) {
if (isHighestAdmin(session)) return state.projects;
return state.projects.filter((project) =>
canAccessProject(state, session, project.id, "project.view"),
);
}
export function filterProjectDevicesForSession(
state: BossState,
session: PermissionSession,
project: Pick<Project, "deviceIds">,
) {
if (isHighestAdmin(session)) {
return state.devices.filter((device) => project.deviceIds.includes(device.id));
}
return state.devices.filter(
(device) =>
project.deviceIds.includes(device.id) &&
canAccessDevice(state, session, device.id, "device.view"),
);
}
export function assertProjectPermission(
state: BossState,
session: PermissionSession,
projectId: string,
permission: BossPermission,
) {
if (!canAccessProject(state, session, projectId, permission)) {
return { ok: false as const, status: 403 as const, message: "FORBIDDEN" };
}
return { ok: true as const };
}

533
src/lib/boss-projections.ts
View File

@@ -3,6 +3,7 @@ import type {
AiProvider,
AiAccountStatus,
AppLogEntry,
AuthSession,
AuditTaskRequest,
AuditTaskResult,
BossState,
@@ -28,6 +29,15 @@ import type {
ThreadHandoffPackage,
UserMasterPrompt,
} from "@/lib/boss-data";
import {
canAccessDevice,
canAccessProject,
canViewSkill,
filterDevicesForSession,
filterProjectDevicesForSession,
filterProjectsForSession,
type PermissionSession,
} from "@/lib/boss-permissions";
export interface ContextIndicator {
visible: boolean;
@@ -74,6 +84,10 @@ export interface ConversationItem {
mustFinishBeforeCompaction: boolean;
}
function conversationHistoryWasCleared(state: BossState) {
return Boolean(state.conversationHistoryClearedAt?.trim());
}
export interface ThreadContextView {
snapshot: ThreadContextSnapshot;
handoffPackage?: ThreadHandoffPackage;
@@ -182,6 +196,101 @@ export function formatTimestampLabel(value?: string, fallback = "刚刚") {
const STALE_CONTEXT_SYNC_LABEL = "待同步";
const STALE_CONTEXT_REPLY_THRESHOLD_MS = 7 * 24 * 60 * 60_000;
const PROCESS_PREVIEW_PREFIXES = [
"我先",
"我现在",
"我会先",
"我发现",
"我准备",
"接下来",
"正在",
"先看",
"先读",
"我把",
"我再",
"目前在",
"现在在",
"补一组",
"处理一下",
"先确认",
"准备",
"同步一下",
"我这边已经",
];
const PROCESS_PREVIEW_CONTAINS = [
"我继续",
"我已经在",
"正在跑",
"正在检查",
"正在处理",
"正在同步",
"我会直接",
"我先把",
"先补",
"再接",
];
const PROCESS_PREVIEW_NUMBERED_HINTS = [
"先",
"再",
"接下来",
"然后",
"检查",
"确认",
"处理",
"同步",
"补",
"排查",
"推进",
"回你",
"回传",
"会把",
"我会",
];
const PROCESS_PREVIEW_BLOCK_MARKERS = [
"失败",
"报错",
"错误",
"阻塞",
"不能",
"无法",
"崩溃",
"超时",
"exception",
"error",
"fatal",
"结论",
"最终",
"总结",
"已完成",
"已经完成",
"验证通过",
"测试通过",
"已修复",
"修好了",
"已部署",
"已安装",
"可以直接",
];
const LEAKED_TITLE_PREFIXES = [
"你当前接手的项目根目录是",
"你现在接手的项目根目录是",
"你现在以目标线程身份直接回复用户",
"你正在向主 Agent 同步当前项目状态",
"只回复对用户真正有用的内容",
"只输出 JSON",
];
const LEAKED_TITLE_CONTAINS = [
"不要发送内部字段",
"不要自称主 Agent",
"不要解释系统如何分发",
"不要输出 JSON",
"项目名称:",
"线程名称:",
"文件夹:",
"同步原因:",
"当前消息:",
"用户当前消息:",
];
function formatConversationLatestReplyLabel(value: string, hasVisibleContext: boolean) {
if (hasVisibleContext && value.includes("T")) {
@@ -369,8 +478,7 @@ function buildConversationItem(state: BossState, project: Project): Conversation
const devices = state.devices.filter((device) => project.deviceIds.includes(device.id));
const threadViews = threadViewsForProject(state, project.id);
const topThread = threadViews[0]?.snapshot;
const threadTitle = trimLocalWorkspacePrefix(project.threadMeta?.threadDisplayName ?? project.name);
const folderLabel = project.threadMeta?.folderName ?? "";
const { folderLabel, threadTitle, projectTitle } = buildProjectDisplayTitles(project);
const activityIconCount = deriveConversationActivityIconCount(state, project);
const topPinnedLabel = isTopPinnedConversation(project) ? "置顶" : undefined;
const latestConversationActivityAt = deriveLatestConversationActivityAt(project);
@@ -390,7 +498,7 @@ function buildConversationItem(state: BossState, project: Project): Conversation
conversationId: `conv-${project.id}`,
conversationType: projectType(project),
projectId: project.id,
projectTitle: project.name,
projectTitle,
threadTitle,
folderLabel,
folderKey: buildFolderKey(project),
@@ -426,18 +534,56 @@ function buildConversationItem(state: BossState, project: Project): Conversation
} satisfies ConversationItem;
}
function buildProjectDisplayTitles(project: Project) {
const folderLabel = normalizeConversationTitle(project.threadMeta?.folderName ?? "");
const folderFallback = pickConversationTitleFallback([
folderLabel,
project.threadMeta?.codexFolderRef,
project.name,
]);
const threadTitle = sanitizeConversationTitle(project.threadMeta?.threadDisplayName ?? project.name, [
folderFallback,
project.name,
project.threadMeta?.codexFolderRef,
]);
const projectTitle = projectType(project) === "single_device"
? threadTitle ||
sanitizeConversationTitle(project.name, [folderFallback, project.threadMeta?.codexFolderRef])
: sanitizeConversationTitle(project.name, [
threadTitle,
folderFallback,
project.threadMeta?.codexFolderRef,
]);
return {
folderLabel,
threadTitle,
projectTitle,
};
}
function cloneProjectWithDisplayTitles(project: Project): Project {
const { folderLabel, threadTitle, projectTitle } = buildProjectDisplayTitles(project);
return {
...project,
name: projectTitle || project.name,
threadMeta: {
...project.threadMeta,
threadDisplayName: threadTitle || project.threadMeta.threadDisplayName,
folderName: folderLabel || project.threadMeta.folderName,
},
};
}
function deriveLatestConversationActivityAt(project: Project) {
const candidates = [
const messageCandidates = [
project.lastMessageAt,
project.threadMeta?.lastObservedCodexActivityAt,
project.projectUnderstanding?.updatedAt,
project.updatedAt,
...project.messages.map((message) => message.sentAt),
].filter(Boolean) as string[];
let latest = candidates[0];
let latest = messageCandidates[0];
let latestTs = latest ? Date.parse(latest) : Number.NEGATIVE_INFINITY;
for (const candidate of candidates.slice(1)) {
for (const candidate of messageCandidates.slice(1)) {
const candidateTs = Date.parse(candidate);
if (!Number.isFinite(candidateTs)) {
continue;
@@ -448,7 +594,7 @@ function deriveLatestConversationActivityAt(project: Project) {
}
}
return latest ?? project.lastMessageAt;
return latest ?? project.lastMessageAt ?? project.updatedAt;
}
function deriveConversationActivityIconCount(state: BossState, project: Project): number {
@@ -512,7 +658,174 @@ function compactImportedThreadPreview(preview?: string) {
if (/^已从设备.+导入线程《.+》[。.]?$/.test(value)) {
return "已导入线程";
}
return value;
if (isLikelyProcessPreview(value)) {
return "";
}
return compactConversationPreview(value);
}
function isLikelyProcessPreview(preview: string) {
const normalized = compactProcessPreview(preview);
if (!normalized) {
return false;
}
if (containsProcessPreviewMarker(normalized, PROCESS_PREVIEW_BLOCK_MARKERS)) {
return false;
}
if (isStructuredNumberedProcessPreview(preview)) {
return true;
}
return (
PROCESS_PREVIEW_PREFIXES.some((marker) => normalized.startsWith(marker)) ||
containsProcessPreviewMarker(normalized, PROCESS_PREVIEW_CONTAINS)
);
}
function compactProcessPreview(value: string) {
return value
.replace(/\r\n/g, "\n")
.replace(/\r/g, "\n")
.replace(/\n{2,}/g, "\n")
.trim()
.toLowerCase();
}
function containsProcessPreviewMarker(value: string, markers: string[]) {
return markers.some((marker) => value.includes(marker));
}
function isStructuredNumberedProcessPreview(preview: string) {
const numberedLines = preview
.replace(/\r\n/g, "\n")
.replace(/\r/g, "\n")
.split("\n")
.map((line) => compactProcessPreview(line))
.filter((line) => /^\d+[.)\u3001]\s*/.test(line));
if (numberedLines.length < 2) {
return false;
}
return containsProcessPreviewMarker(
numberedLines.join(" "),
PROCESS_PREVIEW_NUMBERED_HINTS,
);
}
function compactConversationPreview(preview: string) {
const structuredPreview = compactStructuredSummaryPreview(preview);
const flattened = (structuredPreview || preview)
.replace(/\[[^\]]+\]\(([^)]+)\)/g, "$1")
.replace(/`([^`]+)`/g, "$1")
.replace(/\s+/g, " ")
.trim();
if (!flattened) {
return "";
}
return flattened.length <= 72 ? flattened : `${flattened.slice(0, 72).trimEnd()}`;
}
function compactStructuredSummaryPreview(preview: string) {
const raw = preview.trim();
if (!raw.startsWith("{") || !raw.endsWith("}")) {
return "";
}
try {
const parsed = JSON.parse(raw) as Record<string, unknown>;
if (!parsed || Array.isArray(parsed)) {
return "";
}
const segments = [
formatStructuredSummarySegment("目标", parsed.projectGoal),
formatStructuredSummarySegment("进度", parsed.currentProgress),
formatStructuredSummarySegment("版本", parsed.versionRecord),
formatStructuredSummarySegment("下一步", parsed.recommendedNextStep),
].filter(Boolean);
return segments.join(" ");
} catch {
return "";
}
}
function formatStructuredSummarySegment(label: string, value: unknown) {
const normalized = typeof value === "string" ? value.trim() : "";
return normalized ? `${label}${normalized}` : "";
}
function normalizeConversationTitle(value?: string) {
const source = value?.replace(/\u0000/g, "") ?? "";
const firstLine = source
.split(/\r?\n/)
.map((line) => line.trim())
.find(Boolean);
if (!firstLine) {
return "";
}
return firstLine.replace(/\s+/g, " ").trim();
}
function stripTrailingConversationTitleNoise(value: string) {
return value.replace(/['"}\]]{2,}$/g, "").trimEnd();
}
function looksLikeLeakedConversationTitle(value?: string) {
const normalized = normalizeConversationTitle(value);
if (!normalized) {
return false;
}
return (
LEAKED_TITLE_PREFIXES.some((marker) => normalized.startsWith(marker)) ||
LEAKED_TITLE_CONTAINS.some((marker) => normalized.includes(marker))
);
}
function extractWorkspaceProjectName(value?: string) {
const normalized = normalizeConversationTitle(value).replaceAll("\\", "/");
if (!normalized) {
return "";
}
const patterns = [
/\/Users\/[^/]+\/code\/([^/\s"'`,。;!?]+)/i,
/\/home\/[^/]+\/code\/([^/\s"'`,。;!?]+)/i,
/[A-Za-z]:\/Users\/[^/]+\/code\/([^/\s"'`,。;!?]+)/i,
];
for (const pattern of patterns) {
const match = normalized.match(pattern);
if (match?.[1]) {
return match[1].split("/")[0]?.trim() ?? "";
}
}
return "";
}
function pickConversationTitleFallback(candidates: Array<string | undefined>) {
for (const candidate of candidates) {
const extractedProjectName = extractWorkspaceProjectName(candidate);
if (extractedProjectName && !looksLikeLeakedConversationTitle(extractedProjectName)) {
return extractedProjectName;
}
const normalized = stripTrailingConversationTitleNoise(
trimLocalWorkspacePrefix(normalizeConversationTitle(candidate)),
);
if (normalized && !looksLikeLeakedConversationTitle(normalized)) {
return normalized;
}
}
return "";
}
function sanitizeConversationTitle(value: string | undefined, fallbackCandidates: Array<string | undefined> = []) {
const normalized = normalizeConversationTitle(value);
const trimmed = stripTrailingConversationTitleNoise(trimLocalWorkspacePrefix(normalized));
if (trimmed && !looksLikeLeakedConversationTitle(normalized) && !looksLikeLeakedConversationTitle(trimmed)) {
return trimmed;
}
const extractedProjectName = extractWorkspaceProjectName(normalized);
if (extractedProjectName && !looksLikeLeakedConversationTitle(extractedProjectName)) {
return extractedProjectName;
}
const fallback = pickConversationTitleFallback(fallbackCandidates);
return fallback || trimmed;
}
function trimLocalWorkspacePrefix(label?: string) {
@@ -539,6 +852,87 @@ export function getConversationItems(state: BossState): ConversationItem[] {
return sortConversationItems(conversations);
}
function stateForSession(state: BossState, session: PermissionSession): BossState {
const visibleDevices = filterDevicesForSession(state, session);
const visibleDeviceIds = new Set(visibleDevices.map((device) => device.id));
const visibleProjects = filterProjectsForSession(state, session).map((project) => ({
...project,
deviceIds: project.deviceIds.filter((deviceId) => visibleDeviceIds.has(deviceId)),
groupMembers: project.groupMembers.filter((member) => visibleDeviceIds.has(member.deviceId)),
}));
const visibleProjectIds = new Set(visibleProjects.map((project) => project.id));
const canSeeThreadOnDevice = (projectId: string, deviceId: string) =>
visibleProjectIds.has(projectId) && visibleDeviceIds.has(deviceId);
return {
...state,
devices: visibleDevices,
projects: visibleProjects,
deviceSkills: state.deviceSkills.filter((skill) =>
visibleDeviceIds.has(skill.deviceId) &&
(session.role === "highest_admin" ||
canViewSkill(state, session, skill.skillId, { deviceId: skill.deviceId })),
),
threadStatusDocuments: state.threadStatusDocuments.filter((document) =>
canSeeThreadOnDevice(document.projectId, document.deviceId),
),
threadProgressEvents: state.threadProgressEvents.filter((event) =>
canSeeThreadOnDevice(event.projectId, event.deviceId),
),
threadContextSnapshots: state.threadContextSnapshots.filter((snapshot) =>
canSeeThreadOnDevice(snapshot.projectId, snapshot.nodeId),
),
threadHandoffPackages: state.threadHandoffPackages.filter((item) =>
visibleProjectIds.has(item.projectId),
),
threadContextAlerts: state.threadContextAlerts.filter((alert) =>
visibleProjectIds.has(alert.projectId),
),
dispatchPlans: state.dispatchPlans
.filter((plan) => visibleProjectIds.has(plan.groupProjectId))
.map((plan) => ({
...plan,
targets: plan.targets.filter(
(target) =>
visibleProjectIds.has(target.projectId) &&
visibleDeviceIds.has(target.deviceId),
),
confirmedTargetProjectIds: plan.confirmedTargetProjectIds?.filter((projectId) =>
visibleProjectIds.has(projectId),
),
})),
dispatchExecutions: state.dispatchExecutions.filter(
(execution) =>
visibleProjectIds.has(execution.groupProjectId) &&
visibleProjectIds.has(execution.targetProjectId) &&
visibleDeviceIds.has(execution.deviceId),
),
masterAgentTasks: state.masterAgentTasks.filter(
(task) =>
task.requestedByAccount === session.account ||
visibleProjectIds.has(task.projectId) ||
Boolean(task.targetProjectId && visibleProjectIds.has(task.targetProjectId)),
),
appLogs: state.appLogs.filter((log) =>
visibleDeviceIds.has(log.deviceId) ||
Boolean(log.projectId && visibleProjectIds.has(log.projectId)),
),
};
}
export function getAuthorizedStateSnapshot(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
): BossState {
return stateForSession(state, session);
}
export function getConversationItemsForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
): ConversationItem[] {
return getConversationItems(stateForSession(state, session));
}
export interface ConversationFolderView {
folderKey: string;
folderLabel: string;
@@ -605,6 +999,7 @@ export function getConversationHomeItems(state: BossState): ConversationItem[] {
const latestMessagePreview = compactImportedThreadPreview(
latestItem.lastMessagePreview || latestItem.preview,
);
const historyCleared = conversationHistoryWasCleared(state);
passthrough.push({
conversationId: `folder-${folderKey}`,
conversationType: "folder_archive",
@@ -626,11 +1021,13 @@ export function getConversationHomeItems(state: BossState): ConversationItem[] {
searchTargetProjectIds: searchAliases.targetProjectIds,
}
: {}),
preview: latestPreview || `包含 ${items.length} 个线程,最近活跃:《${recentThreadLabel || latestItem.threadTitle}`,
preview:
latestPreview ||
(historyCleared ? "" : `包含 ${items.length} 个线程,最近活跃:《${recentThreadLabel || latestItem.threadTitle}`),
lastMessagePreview:
latestMessagePreview ||
latestPreview ||
`包含 ${items.length} 个线程,最近活跃:《${recentThreadLabel || latestItem.threadTitle}`,
(historyCleared ? "" : `包含 ${items.length} 个线程,最近活跃:《${recentThreadLabel || latestItem.threadTitle}`),
activityIconCount: Math.max(0, Math.min(4, items.reduce((sum, entry) => sum + entry.activityIconCount, 0))),
latestReplyAt: latestItem.latestReplyAt,
latestReplyLabel: latestItem.latestReplyLabel,
@@ -660,6 +1057,13 @@ export function getConversationHomeItems(state: BossState): ConversationItem[] {
return sortConversationItems(passthrough);
}
export function getConversationHomeItemsForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
): ConversationItem[] {
return getConversationHomeItems(stateForSession(state, session));
}
export function getConversationWebItems(state: BossState): ConversationItem[] {
return getConversationHomeItems(state).map((item) => ({
...item,
@@ -716,6 +1120,14 @@ export function getConversationFolderView(
};
}
export function getConversationFolderViewForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
folderKey: string,
): ConversationFolderView | null {
return getConversationFolderView(stateForSession(state, session), folderKey);
}
export function buildProjectMessagesRealtimePayload(
state: BossState,
projectId: string,
@@ -730,11 +1142,30 @@ export function buildProjectMessagesRealtimePayload(
}
return {
ok: true,
project,
project: cloneProjectWithDisplayTitles(project),
devices: state.devices.filter((device) => project.deviceIds.includes(device.id)),
};
}
export function buildProjectMessagesRealtimePayloadForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
projectId: string,
): ProjectMessagesRealtimePayload | null {
if (!canAccessProject(state, session, projectId, "project.view")) {
return null;
}
const project = state.projects.find((item) => item.id === projectId);
if (!project) {
return null;
}
return {
ok: true,
project: cloneProjectWithDisplayTitles(project),
devices: filterProjectDevicesForSession(state, session, project),
};
}
function resolveProjectAgentControls(
state: BossState,
projectId: string,
@@ -779,6 +1210,7 @@ function resolveProjectAgentControls(
export function getProjectDetailView(state: BossState, projectId: string, account?: string): ProjectDetailView | null {
const project = state.projects.find((item) => item.id === projectId);
if (!project) return null;
const displayProject = cloneProjectWithDisplayTitles(project);
const activeThreadContexts = threadViewsForProject(state, projectId);
const threadsRequiringHandoff = activeThreadContexts.filter(
@@ -812,7 +1244,7 @@ export function getProjectDetailView(state: BossState, projectId: string, accoun
.slice(0, 6);
return {
project,
project: displayProject,
agentControls: resolveProjectAgentControls(state, projectId, account),
devices: state.devices.filter((device) => project.deviceIds.includes(device.id)),
masterIdentity: projectId === "master-agent" ? getProjectMasterIdentity(state) : undefined,
@@ -826,6 +1258,36 @@ export function getProjectDetailView(state: BossState, projectId: string, accoun
};
}
export function getProjectDetailViewForSession(
state: BossState,
projectId: string,
session: Pick<AuthSession, "account" | "role" | "displayName">,
): ProjectDetailView | null {
if (!canAccessProject(state, session, projectId, "project.view")) {
return null;
}
const detail = getProjectDetailView(state, projectId, session.account);
if (!detail) {
return null;
}
const visibleProjectIds = new Set(filterProjectsForSession(state, session).map((project) => project.id));
const visibleDeviceIds = new Set(filterDevicesForSession(state, session).map((device) => device.id));
return {
...detail,
devices: filterProjectDevicesForSession(state, session, detail.project),
activeThreadContexts: detail.activeThreadContexts.filter((item) =>
visibleProjectIds.has(item.snapshot.projectId) && visibleDeviceIds.has(item.snapshot.nodeId),
),
threadsRequiringHandoff: detail.threadsRequiringHandoff.filter((item) =>
visibleProjectIds.has(item.snapshot.projectId) && visibleDeviceIds.has(item.snapshot.nodeId),
),
recentAppLogs: detail.recentAppLogs.filter((log) =>
visibleDeviceIds.has(log.deviceId) ||
Boolean(log.projectId && visibleProjectIds.has(log.projectId)),
),
};
}
export function getThreadContextDetailView(
state: BossState,
threadId: string,
@@ -869,6 +1331,17 @@ export function getDeviceWorkspaceView(
};
}
export function getDeviceWorkspaceViewForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
deviceId?: string,
): DeviceWorkspaceView {
if (!deviceId || !canAccessDevice(state, session, deviceId, "device.view")) {
return { relatedThreads: [] };
}
return getDeviceWorkspaceView(stateForSession(state, session), deviceId);
}
export function getOpsSummaryView(state: BossState): OpsSummaryView {
const tickets = state.opsRepairTickets.map((ticket) => ({
...ticket,
@@ -939,3 +1412,33 @@ export function getSkillInventoryViewForAccount(
.filter((group) => group.skills.length > 0),
};
}
export function getSkillInventoryViewForSession(
state: BossState,
session: Pick<AuthSession, "account" | "role" | "displayName">,
boundDeviceId?: string,
): SkillInventoryView {
const devices = filterDevicesForSession(state, session)
.filter((device) => !boundDeviceId || device.id === boundDeviceId || session.role === "highest_admin")
.sort((a, b) => {
if (a.id === boundDeviceId) return -1;
if (b.id === boundDeviceId) return 1;
return b.lastSeenAt.localeCompare(a.lastSeenAt);
});
return {
boundDeviceId,
groups: devices
.map((device) => ({
device,
skills: state.deviceSkills
.filter((skill) => skill.deviceId === device.id)
.filter((skill) =>
session.role === "highest_admin" ||
canViewSkill(state, session, skill.skillId, { deviceId: device.id }),
)
.sort((a, b) => a.name.localeCompare(b.name, "zh-CN")),
}))
.filter((group) => group.skills.length > 0),
};
}

131
src/lib/boss-risk-notifications.ts Normal file
View File

@@ -0,0 +1,131 @@
import type {
AdminNotification,
AuthAccount,
BossState,
Device,
OpsFault,
OpsSeverity,
ThreadContextAlert,
} from "@/lib/boss-data";
function fallbackCompanyIdForAccount(account?: string) {
const normalized = account?.trim().toLowerCase() ?? "";
const domain = normalized.includes("@") ? normalized.split("@").at(-1)?.trim() : "";
return domain || "default";
}
function companyIdForAccount(account?: AuthAccount) {
return account?.companyId || fallbackCompanyIdForAccount(account?.account);
}
function accountCompanyId(state: BossState, account?: string) {
const owner = state.authAccounts.find((item) => item.account === account);
return companyIdForAccount(owner);
}
function deviceCompanyId(state: BossState, device?: Pick<Device, "account" | "companyId"> | null) {
if (device?.companyId) return device.companyId;
return accountCompanyId(state, device?.account);
}
function projectPrimaryDevice(state: BossState, projectId?: string) {
if (!projectId) return null;
const project = state.projects.find((item) => item.id === projectId);
const deviceId = project?.deviceIds[0];
return state.devices.find((device) => device.id === deviceId) ?? null;
}
function deviceForRisk(state: BossState, deviceId?: string, projectId?: string) {
return state.devices.find((device) => device.id === deviceId) ?? projectPrimaryDevice(state, projectId);
}
function isOverdue(slaDueAt: string | undefined, nowMs: number) {
if (!slaDueAt) return false;
const dueMs = Date.parse(slaDueAt);
return Number.isFinite(dueMs) && dueMs < nowMs;
}
function notificationIdForRisk(riskId: string) {
return `risk-sla-overdue:${riskId}`;
}
function existingNotificationIds(state: BossState) {
return new Set(state.adminNotifications.map((notification) => notification.notificationId));
}
function opsFaultCompanyId(state: BossState, fault: OpsFault) {
const device = deviceForRisk(state, fault.nodeId, fault.projectId);
return deviceCompanyId(state, device) || accountCompanyId(state, fault.ownerAccount);
}
function threadAlertCompanyId(state: BossState, alert: ThreadContextAlert) {
const device = deviceForRisk(state, undefined, alert.projectId);
return deviceCompanyId(state, device) || accountCompanyId(state, alert.ownerAccount);
}
function threadAlertSeverity(alert: ThreadContextAlert): OpsSeverity {
return alert.alertType === "context_critical" ? "critical" : "warning";
}
function buildBody(summary: string, slaDueAt: string) {
return `${summary || "风险已超过 SLA需要平台协助跟进"}SLA 截止 ${slaDueAt}`;
}
export function buildRiskSlaNotificationDrafts(
state: BossState,
now: Date = new Date(),
): AdminNotification[] {
const nowMs = now.getTime();
const createdAt = now.toISOString();
const existingIds = existingNotificationIds(state);
const drafts: AdminNotification[] = [];
for (const fault of state.opsFaults) {
if (fault.status === "resolved" || !isOverdue(fault.slaDueAt, nowMs)) {
continue;
}
const riskId = `ops-fault:${fault.faultId}`;
const notificationId = notificationIdForRisk(riskId);
if (existingIds.has(notificationId)) {
continue;
}
drafts.push({
notificationId,
kind: "risk_sla_overdue",
severity: fault.severity,
companyId: opsFaultCompanyId(state, fault),
riskId,
title: `风险 SLA 已超时:${fault.faultKey}`,
body: buildBody(fault.summary || fault.suggestedNextAction, fault.slaDueAt ?? ""),
status: "open",
createdAt,
});
}
for (const alert of state.threadContextAlerts) {
if (alert.alertStatus === "resolved" || !isOverdue(alert.slaDueAt, nowMs)) {
continue;
}
const riskId = `thread-alert:${alert.alertId}`;
const notificationId = notificationIdForRisk(riskId);
if (existingIds.has(notificationId)) {
continue;
}
drafts.push({
notificationId,
kind: "risk_sla_overdue",
severity: threadAlertSeverity(alert),
companyId: threadAlertCompanyId(state, alert),
riskId,
title: "线程上下文风险 SLA 已超时",
body: buildBody(alert.summary || alert.riskNote || "线程上下文风险未按 SLA 处理", alert.slaDueAt ?? ""),
status: "open",
createdAt,
});
}
return drafts.sort((left, right) => {
const severityRank = { critical: 3, warning: 2, info: 1 };
return severityRank[right.severity] - severityRank[left.severity] || right.createdAt.localeCompare(left.createdAt);
});
}

153
src/lib/boss-state-store.ts Normal file
View File

@@ -0,0 +1,153 @@
import { randomBytes } from "node:crypto";
import fs from "node:fs/promises";
import path from "node:path";
import type { Client as PgClient } from "pg";
export type BossStateStoreMode = "file" | "postgres";
export type BossStateStoreSummary = {
mode: BossStateStoreMode;
ready: boolean;
reason?: string;
};
export type BossStateStorePaths = {
dataFile: string;
backupFile: string;
};
export type BossStateStore = {
mode: BossStateStoreMode;
ensure(initialText: string): Promise<void>;
readText(): Promise<string>;
readBackupText(): Promise<string | null>;
writeText(text: string): Promise<void>;
};
const postgresSnapshotKey = process.env.BOSS_STATE_POSTGRES_KEY?.trim() || "default";
function configuredMode(): BossStateStoreMode {
return process.env.BOSS_STATE_STORE?.trim().toLowerCase() === "postgres" ? "postgres" : "file";
}
export function describeBossStateStore(): BossStateStoreSummary {
const mode = configuredMode();
if (mode === "file") {
return { mode, ready: true };
}
if (!process.env.BOSS_DATABASE_URL?.trim()) {
return { mode, ready: false, reason: "BOSS_DATABASE_URL is required when BOSS_STATE_STORE=postgres." };
}
return { mode, ready: true };
}
function createFileStateStore(paths: BossStateStorePaths): BossStateStore {
const dataDir = path.dirname(paths.dataFile);
return {
mode: "file",
async ensure(initialText: string) {
await fs.mkdir(dataDir, { recursive: true });
try {
await fs.access(paths.dataFile);
} catch {
await fs.writeFile(paths.dataFile, initialText, "utf8");
await fs.writeFile(paths.backupFile, initialText, "utf8");
}
},
async readText() {
return fs.readFile(paths.dataFile, "utf8");
},
async readBackupText() {
return fs.readFile(paths.backupFile, "utf8").catch(() => null);
},
async writeText(text: string) {
await fs.mkdir(dataDir, { recursive: true });
const tempFile = `${paths.dataFile}.${process.pid}.${randomBytes(4).toString("hex")}.tmp`;
await fs.writeFile(tempFile, text, "utf8");
await fs.rename(tempFile, paths.dataFile);
await fs.writeFile(paths.backupFile, text, "utf8");
},
};
}
async function postgresClient() {
const connectionString = process.env.BOSS_DATABASE_URL?.trim();
if (!connectionString) {
throw new Error("BOSS_DATABASE_URL_REQUIRED");
}
const { Client } = await import("pg");
return new Client({ connectionString });
}
async function withPostgresClient<T>(handler: (client: PgClient) => Promise<T>) {
const client = await postgresClient();
await client.connect();
try {
return await handler(client);
} finally {
await client.end();
}
}
function createPostgresStateStore(): BossStateStore {
if (!process.env.BOSS_DATABASE_URL?.trim()) {
throw new Error("BOSS_DATABASE_URL_REQUIRED");
}
return {
mode: "postgres",
async ensure(initialText: string) {
await withPostgresClient(async (client) => {
await client.query(`
CREATE TABLE IF NOT EXISTS boss_state_snapshots (
snapshot_key TEXT PRIMARY KEY,
state JSONB NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
)
`);
await client.query(
`
INSERT INTO boss_state_snapshots (snapshot_key, state)
VALUES ($1, $2::jsonb)
ON CONFLICT (snapshot_key) DO NOTHING
`,
[postgresSnapshotKey, initialText],
);
});
},
async readText() {
return withPostgresClient(async (client) => {
const result = await client.query<{ state: unknown }>(
"SELECT state FROM boss_state_snapshots WHERE snapshot_key = $1",
[postgresSnapshotKey],
);
const state = result.rows[0]?.state;
if (!state) {
throw new Error("BOSS_POSTGRES_STATE_NOT_FOUND");
}
return JSON.stringify(state, null, 2);
});
},
async readBackupText() {
return null;
},
async writeText(text: string) {
await withPostgresClient(async (client) => {
await client.query(
`
INSERT INTO boss_state_snapshots (snapshot_key, state, updated_at)
VALUES ($1, $2::jsonb, now())
ON CONFLICT (snapshot_key)
DO UPDATE SET state = EXCLUDED.state, updated_at = now()
`,
[postgresSnapshotKey, text],
);
});
},
};
}
export function createBossStateStore(paths: BossStateStorePaths): BossStateStore {
return configuredMode() === "postgres" ? createPostgresStateStore() : createFileStateStore(paths);
}

215
src/lib/boss-storage-aliyun-oss.ts
View File

@@ -1,6 +1,5 @@
import { createHash } from "node:crypto";
import { createHash, createHmac } from "node:crypto";
import path from "node:path";
import OSS from "ali-oss";
import type { UserAttachmentStorageConfig } from "@/lib/boss-data";
import type { AttachmentStorageProvider, StoreAttachmentParams, StoredAttachmentRecord } from "@/lib/boss-storage";
import { sanitizeFileName } from "@/lib/boss-attachments";
@@ -31,6 +30,214 @@ function buildObjectKey(params: StoreAttachmentParams, prefix?: string) {
);
}
function encodeObjectKey(objectKey: string) {
return objectKey
.replace(/^\/+/, "")
.split("/")
.map((segment) => encodeURIComponent(segment).replace(/\+/g, "%2B"))
.join("/");
}
function normalizeEndpoint(endpoint: string) {
const trimmed = endpoint.trim().replace(/\/+$/g, "");
return new URL(/^[a-z][a-z\d+.-]*:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`);
}
function isIpAddress(hostname: string) {
return /^(\d{1,3}\.){3}\d{1,3}$/.test(hostname) || hostname.includes(":");
}
function buildOssUrl(config: AliyunOssClientConfig, objectKey?: string, subresource?: string) {
const url = normalizeEndpoint(config.endpoint);
if (!isIpAddress(url.hostname) && !url.hostname.startsWith(`${config.bucket}.`)) {
url.hostname = `${config.bucket}.${url.hostname}`;
}
url.pathname = objectKey ? `/${encodeObjectKey(objectKey)}` : "/";
if (subresource) {
url.search = `?${encodeURIComponent(subresource)}`;
}
return url.toString();
}
function buildCanonicalizedResource(
bucket: string,
objectKey?: string,
parameters?: Record<string, string | number | undefined>,
) {
let canonicalizedResource = `/${bucket}/`;
if (objectKey) {
canonicalizedResource += objectKey.replace(/^\/+/, "");
}
let separator = "?";
Object.keys(parameters ?? {})
.sort()
.forEach((key) => {
canonicalizedResource += separator + key;
const value = parameters?.[key];
if (value || value === 0) {
canonicalizedResource += `=${value}`;
}
separator = "&";
});
return canonicalizedResource;
}
function normalizeHeaders(headers: Record<string, string | undefined>) {
return Object.fromEntries(
Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value ?? ""]),
);
}
function buildCanonicalString({
method,
bucket,
objectKey,
headers,
parameters,
expires,
}: {
method: string;
bucket: string;
objectKey?: string;
headers: Record<string, string | undefined>;
parameters?: Record<string, string | number | undefined>;
expires?: number;
}) {
const lowerHeaders = normalizeHeaders(headers);
const ossHeaders = Object.keys(lowerHeaders)
.filter((key) => key.startsWith("x-oss-"))
.sort()
.map((key) => `${key}:${String(lowerHeaders[key]).trim()}`);
return [
method.toUpperCase(),
lowerHeaders["content-md5"] || "",
lowerHeaders["content-type"] || "",
expires ? String(expires) : lowerHeaders["x-oss-date"] || "",
...ossHeaders,
buildCanonicalizedResource(bucket, objectKey, parameters),
].join("\n");
}
function createOssAuthorization(
accessKeyId: string,
accessKeySecret: string,
canonicalString: string,
) {
const signature = createHmac("sha1", accessKeySecret).update(canonicalString, "utf8").digest("base64");
return `OSS ${accessKeyId}:${signature}`;
}
async function readErrorBody(response: Response) {
try {
const text = await response.text();
return text.trim().slice(0, 300);
} catch {
return "";
}
}
type AliyunOssClientConfig = {
accessKeyId: string;
accessKeySecret: string;
bucket: string;
endpoint: string;
region: string;
};
type OssRequestOptions = {
body?: BodyInit;
contentType?: string;
subresource?: string;
};
class AliyunOssRestClient {
constructor(private readonly config: AliyunOssClientConfig) {}
private async request(method: string, objectKey?: string, options: OssRequestOptions = {}) {
const parameters = options.subresource ? { [options.subresource]: "" } : undefined;
const headers: Record<string, string> = {
"x-oss-date": new Date().toUTCString(),
};
if (options.contentType) {
headers["content-type"] = options.contentType;
}
const canonicalString = buildCanonicalString({
method,
bucket: this.config.bucket,
objectKey,
headers,
parameters,
});
headers.authorization = createOssAuthorization(
this.config.accessKeyId,
this.config.accessKeySecret,
canonicalString,
);
const response = await fetch(buildOssUrl(this.config, objectKey, options.subresource), {
method,
headers,
body: options.body,
});
if (!response.ok) {
const detail = await readErrorBody(response);
throw new Error(`ALIYUN_OSS_REQUEST_FAILED_${response.status}${detail ? `: ${detail}` : ""}`);
}
return response;
}
async put(objectKey: string, body: Buffer, options?: { headers?: Record<string, string> }) {
await this.request("PUT", objectKey, {
body: body as BodyInit,
contentType: options?.headers?.["Content-Type"] || options?.headers?.["content-type"],
});
}
signatureUrl(objectKey: string, options?: { expires?: number; method?: string }) {
const method = options?.method || "GET";
const expires = Math.floor(Date.now() / 1000) + (options?.expires || 1800);
const canonicalString = buildCanonicalString({
method,
bucket: this.config.bucket,
objectKey,
headers: {},
expires,
});
const signature = createHmac("sha1", this.config.accessKeySecret)
.update(canonicalString, "utf8")
.digest("base64");
const url = new URL(buildOssUrl(this.config, objectKey));
url.searchParams.set("OSSAccessKeyId", this.config.accessKeyId);
url.searchParams.set("Expires", String(expires));
url.searchParams.set("Signature", signature);
return url.toString();
}
async get(objectKey: string) {
const response = await this.request("GET", objectKey);
return {
content: Buffer.from(await response.arrayBuffer()),
};
}
async getBucketInfo(name = this.config.bucket) {
const bucketClient = new AliyunOssRestClient({ ...this.config, bucket: name });
const response = await bucketClient.request("GET", undefined, { subresource: "bucketInfo" });
const text = await response.text();
const bucketName = text.match(/<Name>([^<]+)<\/Name>/)?.[1] || name;
return {
bucket: {
Name: bucketName,
},
res: response,
};
}
}
export async function createAliyunOssClient(config: AliyunOssConfig) {
if (!config.enabled) {
throw new Error("ALIYUN_OSS_NOT_ENABLED");
@@ -46,7 +253,7 @@ export async function createAliyunOssClient(config: AliyunOssConfig) {
}
const accessKeySecret = await decryptStorageSecret(config.accessKeySecretEncrypted);
return new OSS({
return new AliyunOssRestClient({
accessKeyId: config.accessKeyId,
accessKeySecret,
bucket: config.bucket,
@@ -92,7 +299,7 @@ export async function readAliyunOssObjectBuffer(
): Promise<Buffer<ArrayBufferLike>> {
const client = await createAliyunOssClient(config);
const response = await client.get(objectKey);
const content = response.content;
const content: unknown = response.content;
if (Buffer.isBuffer(content)) {
return content;
}

258
src/lib/boss-work-claims.ts Normal file
View File

@@ -0,0 +1,258 @@
export type BossWorkActorKind = "user" | "agent" | "device" | "thread";
export type BossWorkClaimStatus = "active" | "stealable" | "released";
export type BossWorkClaim = {
claimId: string;
resourceId: string;
actorId: string;
actorKind: BossWorkActorKind;
acquiredAt: string;
expiresAt: string;
status: BossWorkClaimStatus;
stealableAfter?: string;
handoffFromActorId?: string;
reason?: string;
};
export type BossWorkClaimEventType =
| "claim_acquired"
| "claim_conflict"
| "claim_released"
| "claim_handoff_released"
| "claim_handoff_acquired"
| "claim_marked_stealable"
| "claim_stale_detected";
export type BossWorkClaimEvent = {
type: BossWorkClaimEventType;
resourceId: string;
claimId: string;
actorId: string;
at: string;
nextActorId?: string;
reason?: string;
};
export type BossWorkClaimResult = {
ok: boolean;
reason?: "claim_conflict" | "actor_mismatch";
claim?: BossWorkClaim;
conflictingClaim?: BossWorkClaim;
events: BossWorkClaimEvent[];
};
export function claimWork(input: {
claims: BossWorkClaim[];
resourceId: string;
actorId: string;
actorKind: BossWorkActorKind;
now: string;
ttlMs: number;
claimId?: string;
}): BossWorkClaimResult {
const conflictingClaim = input.claims.find(
(claim) =>
claim.resourceId === input.resourceId &&
claim.status === "active" &&
new Date(claim.expiresAt).getTime() > new Date(input.now).getTime() &&
claim.actorId !== input.actorId,
);
if (conflictingClaim) {
return {
ok: false,
reason: "claim_conflict",
conflictingClaim,
events: [
{
type: "claim_conflict",
resourceId: input.resourceId,
claimId: conflictingClaim.claimId,
actorId: input.actorId,
at: input.now,
reason: "claim_conflict",
},
],
};
}
const claim: BossWorkClaim = {
claimId: input.claimId ?? makeClaimId(input.resourceId, input.actorId, input.now),
resourceId: input.resourceId,
actorId: input.actorId,
actorKind: input.actorKind,
acquiredAt: input.now,
expiresAt: new Date(new Date(input.now).getTime() + input.ttlMs).toISOString(),
status: "active",
};
return {
ok: true,
claim,
events: [
{
type: "claim_acquired",
resourceId: claim.resourceId,
claimId: claim.claimId,
actorId: claim.actorId,
at: input.now,
},
],
};
}
export function releaseClaim(input: {
claim: BossWorkClaim;
actorId: string;
now: string;
reason?: string;
}): BossWorkClaimResult {
if (input.claim.actorId !== input.actorId) {
return {
ok: false,
reason: "actor_mismatch",
claim: input.claim,
events: [],
};
}
const claim = { ...input.claim, status: "released" as const, reason: input.reason };
return {
ok: true,
claim,
events: [
{
type: "claim_released",
resourceId: claim.resourceId,
claimId: claim.claimId,
actorId: input.actorId,
at: input.now,
reason: input.reason,
},
],
};
}
export function handoffWork(input: {
claim: BossWorkClaim;
fromActorId: string;
toActorId: string;
toActorKind: BossWorkActorKind;
now: string;
ttlMs: number;
reason?: string;
}): BossWorkClaimResult {
if (input.claim.actorId !== input.fromActorId) {
return {
ok: false,
reason: "actor_mismatch",
claim: input.claim,
events: [],
};
}
const claim: BossWorkClaim = {
...input.claim,
claimId: makeClaimId(input.claim.resourceId, input.toActorId, input.now),
actorId: input.toActorId,
actorKind: input.toActorKind,
acquiredAt: input.now,
expiresAt: new Date(new Date(input.now).getTime() + input.ttlMs).toISOString(),
status: "active",
handoffFromActorId: input.fromActorId,
reason: input.reason,
};
return {
ok: true,
claim,
events: [
{
type: "claim_handoff_released",
resourceId: input.claim.resourceId,
claimId: input.claim.claimId,
actorId: input.fromActorId,
at: input.now,
nextActorId: input.toActorId,
reason: input.reason,
},
{
type: "claim_handoff_acquired",
resourceId: claim.resourceId,
claimId: claim.claimId,
actorId: input.toActorId,
at: input.now,
reason: input.reason,
},
],
};
}
export function markClaimStealable(input: {
claim: BossWorkClaim;
actorId: string;
now: string;
reason?: string;
}): BossWorkClaimResult {
if (input.claim.actorId !== input.actorId) {
return {
ok: false,
reason: "actor_mismatch",
claim: input.claim,
events: [],
};
}
const claim = {
...input.claim,
status: "stealable" as const,
stealableAfter: input.now,
reason: input.reason,
};
return {
ok: true,
claim,
events: [
{
type: "claim_marked_stealable",
resourceId: claim.resourceId,
claimId: claim.claimId,
actorId: input.actorId,
at: input.now,
reason: input.reason,
},
],
};
}
export function detectStaleClaims(input: { claims: BossWorkClaim[]; now: string }): {
staleClaims: BossWorkClaim[];
events: BossWorkClaimEvent[];
} {
const nowMs = new Date(input.now).getTime();
const staleClaims = input.claims.filter(
(claim) => claim.status !== "released" && new Date(claim.expiresAt).getTime() <= nowMs,
);
return {
staleClaims,
events: staleClaims.map((claim) => ({
type: "claim_stale_detected",
resourceId: claim.resourceId,
claimId: claim.claimId,
actorId: claim.actorId,
at: input.now,
reason: "claim_expired",
})),
};
}
function makeClaimId(resourceId: string, actorId: string, now: string): string {
return `claim_${slug(resourceId)}_${slug(actorId)}_${new Date(now).getTime()}`;
}
function slug(value: string): string {
return value.replace(/[^a-zA-Z0-9]+/g, "-").replace(/^-|-$/g, "").toLowerCase();
}

28
src/lib/execution/permission-policy.ts
View File

@@ -1,4 +1,5 @@
import { listExecutionTools, type ExecutionToolName } from "@/lib/execution/tool-registry";
import type { ComputerControlRiskLevel } from "@/lib/boss-data";
type CollaborationMode = "development" | "approval_required";
@@ -70,9 +71,36 @@ function buildAllowedPolicy(mode: CollaborationMode, requiresApproval: boolean):
export function evaluatePermissionPolicy(input: {
project?: PermissionPolicyProject;
hasPendingDispatchPlan?: boolean;
requestedTool?: ExecutionToolName;
requestedRiskLevel?: ComputerControlRiskLevel;
}): PermissionPolicyResult {
const project = input.project;
if (input.requestedTool === "desktop_control" && input.requestedRiskLevel === "high") {
return {
allowed: false,
requiresApproval: true,
reason: "当前操作属于高风险桌面控制,需先明确确认后再执行。",
toolPolicy: {
allowedTools: [],
deniedTools: ["desktop_control"],
},
collaborationPolicy: buildCollaborationPolicy(project?.collaborationMode ?? "development"),
};
}
if (input.requestedTool === "browser_control" && input.requestedRiskLevel === "medium") {
return {
allowed: true,
requiresApproval: true,
toolPolicy: {
allowedTools: ["browser_control"],
deniedTools: [],
},
collaborationPolicy: buildCollaborationPolicy(project?.collaborationMode ?? "development"),
};
}
if (!project) {
return {
allowed: true,

40
src/lib/execution/remote-runtime-adapter.ts
View File

@@ -1,12 +1,21 @@
import type { ExecutionProgressInput } from "@/lib/boss-data";
import {
MASTER_CODEX_NODE_OUTPUT_LEAKED,
shouldBlockSensitiveMasterAgentOutput,
} from "@/lib/execution/sensitive-output-guard";
export interface RemoteExecutionResultInput {
status: "completed" | "failed";
dispatchExecutionId?: string;
targetProjectId?: string;
targetThreadId?: string;
targetUrl?: string;
targetApp?: string;
rawThreadReply?: string;
replyBody?: string;
errorMessage?: string;
requestId?: string;
executionProgress?: ExecutionProgressInput;
}
export interface NormalizedRemoteExecutionResult {
@@ -14,10 +23,13 @@ export interface NormalizedRemoteExecutionResult {
dispatchExecutionId?: string;
targetProjectId?: string;
targetThreadId?: string;
targetUrl?: string;
targetApp?: string;
rawThreadReply?: string;
replyBody?: string;
errorMessage?: string;
requestId?: string;
executionProgress?: ExecutionProgressInput;
}
function trimToDefined(value: string | undefined) {
@@ -56,6 +68,10 @@ function buildThreadEnvironmentErrorMessage() {
return "THREAD_ENVIRONMENT_INVALID: 线程返回了内部环境提示,已拦截,请检查线程绑定或工作目录。";
}
function buildCodexEnvelopeLeakErrorMessage() {
return MASTER_CODEX_NODE_OUTPUT_LEAKED;
}
export function normalizeRemoteExecutionResult(
input: RemoteExecutionResultInput,
): NormalizedRemoteExecutionResult {
@@ -65,6 +81,10 @@ export function normalizeRemoteExecutionResult(
const hasEnvironmentDiagnostic =
looksLikeThreadEnvironmentDiagnostic(rawThreadReply) ||
looksLikeThreadEnvironmentDiagnostic(replyBody);
const hasCodexEnvelopeLeak =
shouldBlockSensitiveMasterAgentOutput(rawThreadReply) ||
shouldBlockSensitiveMasterAgentOutput(replyBody) ||
shouldBlockSensitiveMasterAgentOutput(errorMessage);
if (hasEnvironmentDiagnostic) {
return {
@@ -72,8 +92,25 @@ export function normalizeRemoteExecutionResult(
dispatchExecutionId: trimToDefined(input.dispatchExecutionId),
targetProjectId: trimToDefined(input.targetProjectId),
targetThreadId: trimToDefined(input.targetThreadId),
targetUrl: trimToDefined(input.targetUrl),
targetApp: trimToDefined(input.targetApp),
errorMessage: errorMessage || buildThreadEnvironmentErrorMessage(),
requestId: trimToDefined(input.requestId),
executionProgress: input.executionProgress,
};
}
if (hasCodexEnvelopeLeak) {
return {
status: "failed",
dispatchExecutionId: trimToDefined(input.dispatchExecutionId),
targetProjectId: trimToDefined(input.targetProjectId),
targetThreadId: trimToDefined(input.targetThreadId),
targetUrl: trimToDefined(input.targetUrl),
targetApp: trimToDefined(input.targetApp),
errorMessage: buildCodexEnvelopeLeakErrorMessage(),
requestId: trimToDefined(input.requestId),
executionProgress: input.executionProgress,
};
}
@@ -82,10 +119,13 @@ export function normalizeRemoteExecutionResult(
dispatchExecutionId: trimToDefined(input.dispatchExecutionId),
targetProjectId: trimToDefined(input.targetProjectId),
targetThreadId: trimToDefined(input.targetThreadId),
targetUrl: trimToDefined(input.targetUrl),
targetApp: trimToDefined(input.targetApp),
rawThreadReply,
replyBody,
errorMessage,
requestId: trimToDefined(input.requestId),
executionProgress: input.executionProgress,
};
}

82
src/lib/execution/sensitive-output-guard.ts Normal file
View File

@@ -0,0 +1,82 @@
export const MASTER_CODEX_NODE_OUTPUT_LEAKED = "MASTER_CODEX_NODE_OUTPUT_LEAKED";
const EXECUTION_PROMPT_SECTION_LABELS = [
"管理员全局主提示词:",
"用户私有主提示词:",
"当前对话附加提示词:",
"当前消息:",
"项目记忆:",
"用户通用记忆:",
];
function trimToDefined(value: string | undefined | null) {
const trimmed = value?.trim();
return trimmed ? trimmed : undefined;
}
export function looksLikeCodexCliEnvelopeLeak(value: string | undefined | null) {
const text = trimToDefined(value);
if (!text) {
return false;
}
const hasCodexHeader = /OpenAI Codex v[\d.]+/i.test(text);
const hasExecutionMetadata =
/^workdir:\s+/m.test(text) &&
/^model:\s+/m.test(text) &&
/^provider:\s+/m.test(text);
const hasRuntimePolicy = /^approval:\s+/m.test(text) || /^sandbox:\s+/m.test(text);
const hasSessionOrMcp = /^session id:\s+/m.test(text) || /^mcp:\s+/m.test(text);
return hasCodexHeader && hasExecutionMetadata && hasRuntimePolicy && hasSessionOrMcp;
}
export function looksLikeExecutionPromptLeak(value: string | undefined | null) {
const text = trimToDefined(value);
if (!text) {
return false;
}
const sectionHitCount = EXECUTION_PROMPT_SECTION_LABELS.filter((label) => text.includes(label)).length;
if (sectionHitCount >= 2) {
return true;
}
return (
text.includes("管理员全局主提示词") &&
text.includes("系统级最高约束") &&
text.includes("不可被用户私有提示词")
);
}
export function shouldBlockSensitiveMasterAgentOutput(value: string | undefined | null) {
return looksLikeCodexCliEnvelopeLeak(value) || looksLikeExecutionPromptLeak(value);
}
export function sanitizeSensitiveTaskFailureDetailForTransport(value: string | undefined | null) {
const text = trimToDefined(value);
if (!text) {
return undefined;
}
return shouldBlockSensitiveMasterAgentOutput(text) ? MASTER_CODEX_NODE_OUTPUT_LEAKED : text;
}
export function sanitizeSensitiveTaskFailureDetailForLog(value: string | undefined | null) {
const text = trimToDefined(value);
if (!text) {
return undefined;
}
if (!shouldBlockSensitiveMasterAgentOutput(text)) {
return text;
}
return "已拦截内部执行日志,原始内容不再展示。";
}
export function sanitizeSensitiveUserVisibleText(value: string | undefined | null) {
const text = trimToDefined(value);
if (!text) {
return undefined;
}
if (!shouldBlockSensitiveMasterAgentOutput(text)) {
return text;
}
return "已拦截内部执行日志,原始内容已隐藏。";
}

6
src/lib/execution/tool-registry.ts
View File

@@ -4,7 +4,9 @@ export type ExecutionToolName =
| "conversation_reply"
| "group_dispatch_plan"
| "dispatch_execution"
| "attachment_analysis";
| "attachment_analysis"
| "browser_control"
| "desktop_control";
export interface ExecutionToolDefinition {
name: ExecutionToolName;
@@ -15,6 +17,8 @@ const EXECUTION_TOOLS: readonly ExecutionToolDefinition[] = [
{ name: "conversation_reply", kind: "execution" },
{ name: "group_dispatch_plan", kind: "execution" },
{ name: "dispatch_execution", kind: "execution" },
{ name: "browser_control", kind: "execution" },
{ name: "desktop_control", kind: "execution" },
{ name: "attachment_analysis", kind: "analysis" },
] as const;

4
src/lib/execution/types.ts
View File

@@ -4,7 +4,9 @@ export type ExecutionRequestKind =
| "master_agent_reply"
| "thread_reply"
| "dispatch_execution"
| "attachment_analysis";
| "attachment_analysis"
| "browser_control"
| "desktop_control";
export interface ExecutionRequest {
kind: ExecutionRequestKind;

627
src/lib/telegram-gateway.ts Normal file
View File

@@ -0,0 +1,627 @@
import { NextRequest } from "next/server";
import { jsonNoStore } from "@/lib/api-response";
import {
appendProjectMessages,
getAuthSession,
type AuthRole,
type AuthSession,
type BossState,
type ExternalReplyTarget,
type TelegramGroupProjectRoute,
type TelegramIntegrationState,
readState,
writeState,
} from "@/lib/boss-data";
import { replyToMasterAgentUserMessage, tryBuildLocalMasterAgentFastReply } from "@/lib/boss-master-agent";
const TELEGRAM_API_BASE = "https://api.telegram.org";
const TELEGRAM_TEXT_LIMIT = 4000;
const TELEGRAM_BRIDGE_ACCOUNT = "telegram-bridge";
const TELEGRAM_BRIDGE_LABEL = "Telegram";
type TelegramChatType = "private" | "group" | "supergroup" | "channel";
interface TelegramUser {
id: number;
is_bot?: boolean;
first_name?: string;
last_name?: string;
username?: string;
}
interface TelegramChat {
id: number;
type: TelegramChatType;
title?: string;
}
interface TelegramMessage {
message_id: number;
message_thread_id?: number;
date: number;
chat: TelegramChat;
from?: TelegramUser;
text?: string;
reply_to_message?: {
from?: TelegramUser;
};
}
interface TelegramUpdate {
update_id: number;
message?: TelegramMessage;
}
interface NormalizedTelegramMessage {
updateId: number;
messageId: number;
chatId: string;
chatType: TelegramChatType;
chatTitle?: string;
threadId?: number;
senderId?: string;
senderName: string;
text: string;
repliedToBot: boolean;
repliedToBotUsername?: string;
}
interface TelegramGatewayView {
enabled: boolean;
mode: "webhook" | "polling";
botTokenConfigured: boolean;
botUsername?: string;
dmPolicy: "allowlist" | "open" | "disabled";
allowFrom: string[];
groupPolicy: "allowlist" | "open" | "disabled";
groups: string[];
requireMentionInGroups: boolean;
defaultProjectId: string;
groupProjectRoutes: TelegramGroupProjectRoute[];
webhookSecretConfigured: boolean;
webhookUrl?: string;
lastConfiguredAt?: string;
lastConfiguredBy?: string;
lastError?: string;
processedUpdateCount: number;
}
function trimToDefined(value?: string | null) {
const trimmed = value?.trim();
return trimmed ? trimmed : undefined;
}
function toSenderName(message: TelegramMessage) {
const firstName = trimToDefined(message.from?.first_name);
const lastName = trimToDefined(message.from?.last_name);
const username = trimToDefined(message.from?.username);
return [firstName, lastName].filter(Boolean).join(" ") || username || `用户${message.from?.id ?? "未知"}`;
}
function normalizeTelegramUpdate(update: TelegramUpdate): NormalizedTelegramMessage | null {
const message = update.message;
const text = trimToDefined(message?.text);
if (!message || !text) {
return null;
}
return {
updateId: update.update_id,
messageId: message.message_id,
chatId: String(message.chat.id),
chatType: message.chat.type,
chatTitle: trimToDefined(message.chat.title),
threadId: typeof message.message_thread_id === "number" ? message.message_thread_id : undefined,
senderId: message.from?.id != null ? String(message.from.id) : undefined,
senderName: toSenderName(message),
text,
repliedToBot: message.reply_to_message?.from?.is_bot === true,
repliedToBotUsername: trimToDefined(message.reply_to_message?.from?.username),
};
}
function buildTelegramSessionKey(message: NormalizedTelegramMessage) {
if (message.chatType === "private") {
return `telegram:dm:${message.chatId}`;
}
if (message.threadId != null) {
return `telegram:group:${message.chatId}:topic:${message.threadId}`;
}
return `telegram:group:${message.chatId}`;
}
function chunkTelegramText(text: string) {
if (text.length <= TELEGRAM_TEXT_LIMIT) {
return [text];
}
const chunks: string[] = [];
let remaining = text.trim();
while (remaining.length > TELEGRAM_TEXT_LIMIT) {
let index = remaining.lastIndexOf("\n", TELEGRAM_TEXT_LIMIT);
if (index < Math.floor(TELEGRAM_TEXT_LIMIT * 0.6)) {
index = TELEGRAM_TEXT_LIMIT;
}
chunks.push(remaining.slice(0, index).trim());
remaining = remaining.slice(index).trim();
}
if (remaining) {
chunks.push(remaining);
}
return chunks;
}
function escapeRegExp(value: string) {
return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function resolveTelegramMentionRegex(botUsername?: string) {
const username = trimToDefined(botUsername);
if (!username) {
return null;
}
return new RegExp(`(^|\\s)@${escapeRegExp(username)}\\b`, "ig");
}
function hasTelegramBotMention(text: string, botUsername?: string) {
const mentionRegex = resolveTelegramMentionRegex(botUsername);
if (!mentionRegex) {
return /@\S+/.test(text);
}
return mentionRegex.test(text);
}
function isReplyToConfiguredTelegramBot(message: NormalizedTelegramMessage, botUsername?: string) {
if (!message.repliedToBot) {
return false;
}
const expectedUsername = trimToDefined(botUsername)?.toLowerCase();
if (!expectedUsername) {
return true;
}
return message.repliedToBotUsername?.toLowerCase() === expectedUsername;
}
function stripTelegramBotMention(text: string, botUsername?: string) {
const mentionRegex = resolveTelegramMentionRegex(botUsername);
if (!mentionRegex) {
return text.trim();
}
return text.replace(mentionRegex, " ").replace(/\s+/g, " ").trim();
}
function ensureTelegramIntegration(state: BossState): TelegramIntegrationState {
const integration = state.telegramIntegration;
if (integration) {
integration.groupProjectRoutes ??= [];
return integration;
}
const next: TelegramIntegrationState = {
enabled: false,
mode: "webhook",
dmPolicy: "allowlist",
allowFrom: [],
groupPolicy: "allowlist",
groups: [],
requireMentionInGroups: true,
defaultProjectId: "master-agent",
groupProjectRoutes: [],
processedUpdateIds: [],
};
state.telegramIntegration = next;
return next;
}
function getTelegramConfigView(integration: TelegramIntegrationState | undefined): TelegramGatewayView {
const config = integration ?? {
enabled: false,
mode: "webhook",
dmPolicy: "allowlist",
allowFrom: [],
groupPolicy: "allowlist",
groups: [],
requireMentionInGroups: true,
defaultProjectId: "master-agent",
groupProjectRoutes: [],
processedUpdateIds: [],
};
return {
enabled: config.enabled,
mode: config.mode,
botTokenConfigured: Boolean(trimToDefined(config.botToken)),
botUsername: trimToDefined(config.botUsername),
dmPolicy: config.dmPolicy,
allowFrom: config.allowFrom,
groupPolicy: config.groupPolicy,
groups: config.groups,
requireMentionInGroups: config.requireMentionInGroups,
defaultProjectId: config.defaultProjectId,
groupProjectRoutes: config.groupProjectRoutes ?? [],
webhookSecretConfigured: Boolean(trimToDefined(config.webhookSecret)),
webhookUrl: trimToDefined(config.webhookUrl),
lastConfiguredAt: trimToDefined(config.lastConfiguredAt),
lastConfiguredBy: trimToDefined(config.lastConfiguredBy),
lastError: trimToDefined(config.lastError),
processedUpdateCount: config.processedUpdateIds.length,
};
}
function checkTelegramAccess(
config: TelegramIntegrationState,
message: NormalizedTelegramMessage,
): { ok: true } | { ok: false; message: string; status: number } {
if (!config.enabled) {
return { ok: false, message: "TELEGRAM_DISABLED", status: 403 };
}
if (message.chatType === "private") {
if (config.dmPolicy === "disabled") {
return { ok: false, message: "TELEGRAM_DM_DISABLED", status: 403 };
}
if (config.dmPolicy === "allowlist") {
if (!message.senderId || !config.allowFrom.includes(message.senderId)) {
return { ok: false, message: "TELEGRAM_SENDER_FORBIDDEN", status: 403 };
}
}
return { ok: true };
}
if (config.groupPolicy === "disabled") {
return { ok: false, message: "TELEGRAM_GROUP_DISABLED", status: 403 };
}
if (config.groupPolicy === "allowlist" && !config.groups.includes(message.chatId)) {
return { ok: false, message: "TELEGRAM_GROUP_FORBIDDEN", status: 403 };
}
if (
config.requireMentionInGroups &&
!hasTelegramBotMention(message.text, config.botUsername) &&
!isReplyToConfiguredTelegramBot(message, config.botUsername)
) {
return { ok: false, message: "TELEGRAM_GROUP_MENTION_REQUIRED", status: 400 };
}
return { ok: true };
}
function buildTelegramSenderLabel(message: NormalizedTelegramMessage) {
if (message.chatType === "private") {
return `Telegram · ${message.senderName}`;
}
const groupLabel = message.chatTitle || message.chatId;
return `Telegram · ${groupLabel} · ${message.senderName}`;
}
function resolveTelegramTargetProjectId(
state: BossState,
config: TelegramIntegrationState,
message: NormalizedTelegramMessage,
) {
const routes = config.groupProjectRoutes ?? [];
const exactRoute = routes.find(
(route) => route.chatId === message.chatId && route.threadId != null && route.threadId === message.threadId,
);
const chatRoute =
exactRoute ??
routes.find((route) => route.chatId === message.chatId && route.threadId == null);
const requestedProjectId = chatRoute?.projectId || config.defaultProjectId || "master-agent";
const projectExists = state.projects.some((project) => project.id === requestedProjectId);
if (projectExists) {
return requestedProjectId;
}
if (state.projects.some((project) => project.id === config.defaultProjectId)) {
return config.defaultProjectId;
}
return "master-agent";
}
function markTelegramUpdateProcessed(state: BossState, updateId: number) {
const integration = ensureTelegramIntegration(state);
integration.processedUpdateIds = Array.from(new Set([...integration.processedUpdateIds, updateId]))
.sort((left, right) => left - right)
.slice(-256);
}
async function persistTelegramUpdateProcessed(updateId: number) {
const state = await readState();
markTelegramUpdateProcessed(state, updateId);
await writeState(state);
}
function hasProcessedTelegramUpdate(state: BossState, updateId: number) {
return ensureTelegramIntegration(state).processedUpdateIds.includes(updateId);
}
async function sendTelegramMessage(config: TelegramIntegrationState, target: ExternalReplyTarget, text: string) {
const botToken = trimToDefined(config.botToken);
if (!botToken) {
throw new Error("TELEGRAM_BOT_TOKEN_REQUIRED");
}
const chunks = chunkTelegramText(text);
for (const chunk of chunks) {
const body: Record<string, unknown> = {
chat_id: Number(target.chatId),
text: chunk,
};
if (typeof target.messageId === "number") {
body.reply_to_message_id = target.messageId;
}
if (typeof target.threadId === "number") {
body.message_thread_id = target.threadId;
}
const response = await fetch(`${TELEGRAM_API_BASE}/bot${botToken}/sendMessage`, {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify(body),
});
if (!response.ok) {
throw new Error(`TELEGRAM_SEND_FAILED_${response.status}`);
}
}
}
function buildTelegramBridgeSession(): AuthSession {
const now = new Date().toISOString();
return {
sessionId: "telegram-bridge-session",
sessionToken: "telegram-bridge-session",
restoreToken: "telegram-bridge-session",
account: TELEGRAM_BRIDGE_ACCOUNT,
role: "highest_admin" satisfies AuthRole,
displayName: TELEGRAM_BRIDGE_LABEL,
loginMethod: "password",
createdAt: now,
expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
lastSeenAt: now,
};
}
export async function handleTelegramWebhookRequest(params: { request: NextRequest }) {
const state = await readState();
const integration = ensureTelegramIntegration(state);
const secret = trimToDefined(integration.webhookSecret);
if (secret) {
const received = trimToDefined(params.request.headers.get("x-telegram-bot-api-secret-token"));
if (received !== secret) {
return jsonNoStore({ ok: false, message: "TELEGRAM_WEBHOOK_SECRET_INVALID" }, { status: 401 });
}
}
const update = (await params.request.json().catch(() => null)) as TelegramUpdate | null;
const normalized = update ? normalizeTelegramUpdate(update) : null;
if (!update || !normalized) {
return jsonNoStore({ ok: true, delivery: "ignored" });
}
if (hasProcessedTelegramUpdate(state, normalized.updateId)) {
return jsonNoStore({ ok: true, delivery: "duplicate" });
}
const access = checkTelegramAccess(integration, normalized);
if (!access.ok) {
return jsonNoStore({ ok: false, message: access.message }, { status: access.status });
}
const replyTarget: ExternalReplyTarget = {
provider: "telegram",
chatId: normalized.chatId,
messageId: normalized.messageId,
threadId: normalized.threadId,
sessionKey: buildTelegramSessionKey(normalized),
};
const bridgeSession = buildTelegramBridgeSession();
const bridgeAccount = state.user.account || bridgeSession.account;
const projectId = resolveTelegramTargetProjectId(state, integration, normalized);
const requestText =
normalized.chatType === "private"
? normalized.text
: stripTelegramBotMention(normalized.text, integration.botUsername);
const localFastReply = await tryBuildLocalMasterAgentFastReply({
requestText,
requestedByAccount: bridgeSession.account,
projectId,
state,
});
if (localFastReply) {
await appendProjectMessages({
projectId,
messages: [
{
senderLabel: buildTelegramSenderLabel(normalized),
body: requestText,
kind: "text",
},
{
sender: "master",
senderLabel: localFastReply.senderLabel,
body: localFastReply.replyBody,
kind: "text",
},
],
});
await persistTelegramUpdateProcessed(normalized.updateId);
await sendTelegramMessage(integration, replyTarget, localFastReply.replyBody);
return jsonNoStore({ ok: true, delivery: "sent" });
}
const [message] = await appendProjectMessages({
projectId,
messages: [
{
senderLabel: buildTelegramSenderLabel(normalized),
body: requestText,
kind: "text",
},
],
});
const reply = await replyToMasterAgentUserMessage({
requestMessageId: message.id,
requestText,
requestedBy: buildTelegramSenderLabel(normalized),
requestedByAccount: bridgeAccount,
currentSessionExpiresAt: bridgeSession.expiresAt,
projectId,
mode: "smart",
externalReplyTarget: replyTarget,
});
await persistTelegramUpdateProcessed(normalized.updateId);
const replyState = "masterReplyState" in reply ? reply.masterReplyState : undefined;
if (reply.ok && replyState === "completed" && "replyMessage" in reply && reply.replyMessage?.body) {
await sendTelegramMessage(integration, replyTarget, reply.replyMessage.body);
return jsonNoStore({ ok: true, delivery: "sent", taskId: "taskId" in reply ? reply.taskId : undefined });
}
await sendTelegramMessage(integration, replyTarget, "已收到,我先继续协调,整理好结果后会自动回到这里。");
return jsonNoStore({ ok: true, delivery: "queued", taskId: "taskId" in reply ? reply.taskId : undefined });
}
export async function deliverTelegramReplyForCompletedTask(taskId: string) {
const state = await readState();
const integration = ensureTelegramIntegration(state);
const task = state.masterAgentTasks.find((item) => item.taskId === taskId);
if (!task?.externalReplyTarget || task.externalReplyTarget.provider !== "telegram") {
return { delivered: false, reason: "NO_EXTERNAL_TARGET" as const };
}
if (!task.replyBody?.trim()) {
return { delivered: false, reason: "NO_REPLY_BODY" as const };
}
if (task.externalReplyTarget.deliveredAt) {
return { delivered: false, reason: "ALREADY_DELIVERED" as const };
}
try {
await sendTelegramMessage(integration, task.externalReplyTarget, task.replyBody);
} catch (error) {
task.externalReplyTarget.deliveryError = error instanceof Error ? error.message : "TELEGRAM_DELIVERY_FAILED";
await writeState(state);
return { delivered: false, reason: "SEND_FAILED" as const };
}
task.externalReplyTarget.deliveredAt = new Date().toISOString();
task.externalReplyTarget.deliveryError = undefined;
await writeState(state);
return { delivered: true as const };
}
export async function getTelegramIntegrationView() {
const state = await readState();
return getTelegramConfigView(state.telegramIntegration);
}
export async function saveTelegramIntegrationConfig(input: {
enabled: boolean;
mode?: "webhook" | "polling";
botToken?: string;
botUsername?: string;
dmPolicy?: "allowlist" | "open" | "disabled";
allowFrom?: string[];
groupPolicy?: "allowlist" | "open" | "disabled";
groups?: string[];
requireMentionInGroups?: boolean;
defaultProjectId?: string;
groupProjectRoutes?: TelegramGroupProjectRoute[];
webhookSecret?: string;
webhookUrl?: string;
configuredBy: string;
}) {
const state = await readState();
const integration = ensureTelegramIntegration(state);
integration.enabled = input.enabled;
integration.mode = input.mode ?? integration.mode;
integration.botToken = trimToDefined(input.botToken) ?? integration.botToken;
integration.botUsername = trimToDefined(input.botUsername);
integration.dmPolicy = input.dmPolicy ?? integration.dmPolicy;
integration.allowFrom = (input.allowFrom ?? integration.allowFrom).map((item) => item.trim()).filter(Boolean);
integration.groupPolicy = input.groupPolicy ?? integration.groupPolicy;
integration.groups = (input.groups ?? integration.groups).map((item) => item.trim()).filter(Boolean);
integration.requireMentionInGroups =
input.requireMentionInGroups ?? integration.requireMentionInGroups;
integration.defaultProjectId = trimToDefined(input.defaultProjectId) ?? integration.defaultProjectId;
integration.groupProjectRoutes = (input.groupProjectRoutes ?? integration.groupProjectRoutes)
.map((route) => ({
chatId: String(route.chatId ?? "").trim(),
threadId: typeof route.threadId === "number" ? route.threadId : undefined,
projectId: String(route.projectId ?? "").trim(),
label: trimToDefined(route.label),
}))
.filter((route) => route.chatId && route.projectId);
integration.webhookSecret = trimToDefined(input.webhookSecret) ?? integration.webhookSecret;
integration.webhookUrl = trimToDefined(input.webhookUrl);
integration.lastConfiguredAt = new Date().toISOString();
integration.lastConfiguredBy = input.configuredBy;
integration.lastError = undefined;
await writeState(state);
return getTelegramConfigView(integration);
}
export async function probeTelegramBot(config?: TelegramIntegrationState | null) {
const integration = config ?? (await readState()).telegramIntegration;
const botToken = trimToDefined(integration?.botToken);
if (!botToken) {
throw new Error("TELEGRAM_BOT_TOKEN_REQUIRED");
}
const response = await fetch(`${TELEGRAM_API_BASE}/bot${botToken}/getMe`);
if (!response.ok) {
throw new Error(`TELEGRAM_GET_ME_FAILED_${response.status}`);
}
const payload = (await response.json()) as { ok?: boolean; result?: { username?: string } };
return {
ok: payload.ok === true,
username: trimToDefined(payload.result?.username),
};
}
export async function syncTelegramWebhookRegistration(config?: TelegramIntegrationState | null) {
const integration = config ?? (await readState()).telegramIntegration;
const botToken = trimToDefined(integration?.botToken);
if (!integration?.enabled || integration.mode === "polling") {
if (!botToken) {
return { ok: true as const, action: "skipped" as const, reason: "BOT_TOKEN_NOT_CONFIGURED" };
}
const response = await fetch(`${TELEGRAM_API_BASE}/bot${botToken}/deleteWebhook`, {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify({ drop_pending_updates: false }),
});
if (!response.ok) {
throw new Error(`TELEGRAM_DELETE_WEBHOOK_FAILED_${response.status}`);
}
return { ok: true as const, action: "delete_webhook" as const };
}
if (!botToken) {
return { ok: true as const, action: "skipped" as const, reason: "BOT_TOKEN_NOT_CONFIGURED" };
}
const webhookUrl = trimToDefined(integration.webhookUrl);
if (!webhookUrl) {
return { ok: true as const, action: "skipped" as const, reason: "WEBHOOK_URL_NOT_CONFIGURED" };
}
const body: Record<string, unknown> = {
url: webhookUrl,
drop_pending_updates: false,
};
const secret = trimToDefined(integration.webhookSecret);
if (secret) {
body.secret_token = secret;
}
const response = await fetch(`${TELEGRAM_API_BASE}/bot${botToken}/setWebhook`, {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify(body),
});
if (!response.ok) {
throw new Error(`TELEGRAM_SET_WEBHOOK_FAILED_${response.status}`);
}
return { ok: true as const, action: "set_webhook" as const };
}
export async function getAuthorizedTelegramConfigSession(request: NextRequest) {
const session = await getAuthSession(request.cookies.get("boss_session")?.value);
if (!session || session.role !== "highest_admin") {
return null;
}
return session;
}