lzh/picoclaw
1
0
Fork 0
mirror of https://github.com/sipeed/picoclaw.git synced 2026-06-12 18:08:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,218 Commits 12 Branches 15 Tags
1bf0d898deffda90d12356cbfb053985199e6ed8
Commit Graph

2218 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Anton Bogdanovich 1bf0d898de test(message): cover slack and feishu media fallbacks 2026-05-22 16:28:28 -07:00
Anton Bogdanovich c05e5e29c6 test(message): cover pico and weixin media text semantics 2026-05-22 16:25:50 -07:00
Anton Bogdanovich 987f117f31 style(telegram): satisfy formatter rules 2026-05-22 16:25:50 -07:00
Anton Bogdanovich 5a4e42d1b6 feat(message): support media attachments in outbound tool 2026-05-22 16:25:50 -07:00
Mauro f09a7d67f7 Merge pull request #2930 from lc6464/fix/security-xnet-html-0.55.0 
build(deps): bump golang.org/x/net to v0.55.0
 2026-05-22 19:46:28 +02:00
Mauro 2cce7b8abe Merge pull request #2788 from LiusCraft/feat/session-message-timestamps 
feat(session): add per-message created_at timestamps
 2026-05-22 19:45:53 +02:00
lc6464 044a9d1df6 fix(deps): bump golang.org/x/net to v0.55.0 2026-05-23 00:33:03 +08:00
Mauro d3ac0a74c4 Merge pull request #2921 from sipeed/dependabot/go_modules/github.com/adhocore/gronx-1.20.0 
build(deps): bump github.com/adhocore/gronx from 1.19.7 to 1.20.0
 2026-05-22 08:49:50 +02:00
Mauro 24e8285e73 Merge pull request #2923 from sipeed/dependabot/go_modules/github.com/line/line-bot-sdk-go/v8-8.20.0 
build(deps): bump github.com/line/line-bot-sdk-go/v8 from 8.19.0 to 8.20.0
 2026-05-22 08:49:24 +02:00
LiusCraft 33e5503e26 fix(session): normalize CreatedAt in SessionManager AddFullMessage/SetHistory 2026-05-22 13:42:35 +08:00
LiusCraft fd08ebd3db fix(test): read back history after SetHistory in steering test for CreatedAt normalization 2026-05-22 13:15:56 +08:00
LiusCraft 34e73f6b1a fix(test): read back history after SetHistory to account for CreatedAt normalization 2026-05-22 13:15:56 +08:00
LiusCraft 3e30e8abc6 style: wrap long error messages to satisfy golines 2026-05-22 13:15:56 +08:00
LiusCraft 81bbef62b1 feat(session): add per-message created_at timestamps 
- Persistence layer (jsonl.go addMsg/SetHistory) normalizes CreatedAt
  when missing so the invariant is guaranteed at the storage boundary
- API layer (session.go) exposes created_at on all transcript message
  types with session.updated fallback for legacy messages
- Frontend uses per-message timestamps when available
- messagesContentEqual ignores CreatedAt for tail-matching after
  JSONL roundtrip

Fixes #2787
 2026-05-22 13:15:56 +08:00
lxowalle 2992eccbf0 feat: add request-scoped context policies (#2914) 
* feat: add request-scoped context policies

Add named turn profiles under agents.defaults so callers can opt into
per-request context and tool policies without changing default chat behavior.

Profiles can disable history, system context, skill prompts, or tools, and can
limit skills/tools with allow lists. Wire profile selection through Pico message
payloads, agent turn execution, Web chat selection, and Web visual config.

Reject invalid turn profiles before saving config through Web APIs and document
the new request context policy behavior.

* fix: address turn profile review blockers

* feat: simplify request context policy config

* fix: suppress tool prompt when turn tools are disabled

* fix: enforce turn profile tool restrictions
v0.2.9 		2026-05-22 10:06:40 +08:00
dependabot[bot] 76175b4bcf build(deps): bump github.com/line/line-bot-sdk-go/v8 
Bumps [github.com/line/line-bot-sdk-go/v8](https://github.com/line/line-bot-sdk-go) from 8.19.0 to 8.20.0.
- [Release notes](https://github.com/line/line-bot-sdk-go/releases)
- [Commits](https://github.com/line/line-bot-sdk-go/compare/v8.19.0...v8.20.0)

---
updated-dependencies:
- dependency-name: github.com/line/line-bot-sdk-go/v8
  dependency-version: 8.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-05-21 18:28:37 +00:00
dependabot[bot] 0dfdb54198 build(deps): bump github.com/adhocore/gronx from 1.19.7 to 1.20.0 
Bumps [github.com/adhocore/gronx](https://github.com/adhocore/gronx) from 1.19.7 to 1.20.0.
- [Release notes](https://github.com/adhocore/gronx/releases)
- [Changelog](https://github.com/adhocore/gronx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/adhocore/gronx/compare/v1.19.7...v1.20.0)

---
updated-dependencies:
- dependency-name: github.com/adhocore/gronx
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-05-21 18:28:28 +00:00
LC 5bbebb5fc8 feat(provider): add gpt4free openai-compatible provider (#2909) 2026-05-21 16:08:46 +08:00
LC f55d7a0598 fix(i18n): sync locale strings for model provider UI (#2911) 2026-05-21 15:55:37 +08:00
Guoguo 30938df40b fix(web): use stored API key when fetching models for saved providers (#2910) 
When editing an existing model, the edit form initializes apiKey as
empty for security. This caused "Fetch Available Models" to reject with
"please enter API Key first" even though the key is saved server-side.

Add model_index support: the frontend passes the model's index to the
backend, which looks up the stored key from config. The key never leaves
the backend. Provider and API base are validated to prevent a stored key
from being sent to an unrelated endpoint.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-21 15:51:45 +08:00
lxowalle e7e21df354 fix(agent): honor explicit thinking off (#2898) 
* fix(agent): honor explicit thinking off

* fix(agent): address thinking off lint failures

* Clarify unset thinking level display

* fix ci
 2026-05-21 11:07:39 +08:00
Mauro 33f9d63862 Merge pull request #2891 from SiYue-ZO/feat/factory-reset 
feat: add reset to factory defaults
 2026-05-20 21:59:38 +02:00
LC b7db059544 feat(chat,seahorse): persist and display model_name across history (#2897) 
* feat(chat,seahorse): persist and display model_name across history

* test(seahorse): fix lint regressions in repair coverage

* fix(pico): preserve model_name in live updates

* fix(pico): preserve model_name through live stream wrappers
 2026-05-20 13:42:21 +08:00
LC 548dc15acd refactor(models): unify provider metadata around backend catalog (#2896) 
* feat(models): unify provider metadata around backend catalog

- Move shared provider metadata and alias normalization into backend-owned provider catalog
- Expose display, fetch, auth, and default model metadata through /api/models provider_options
- Replace frontend static provider registry with catalog-driven selection, validation, grouping, and fallback rendering
- Treat provider default api_base as placeholder and effective fetch/test base while keep submitted api_base separate from derived defaults
- Add model page retry handling, touched locale updates, and provider metadata assertions in backend tests

* fix(models): canonicalize backend provider aliases and common models

* fix(models): restore deepseek common model recommendations
 2026-05-20 11:50:34 +08:00
lxowalle 639b32703a feat: support streaming (#2892) 
* Support streaming

* fix: stream pico reasoning updates

Route Pico reasoning through the active streamer and hide empty thought placeholders.

* fix: harden configured streaming delivery

* fix ci

* fix split issue
 2026-05-19 16:38:47 +08:00
LC 941bac2332 feat(web): add chat detail visibility selector (#2886) 2026-05-18 14:50:57 +08:00
SiYue-ZO 3f653161e3 feat(frontend): add factory reset button with confirmation dialog 
Add resetAppConfig API function, AlertDialog-confirmed factory reset
button in config page, and i18n keys for en/zh/pt-br locales.
 2026-05-18 13:53:34 +08:00
SiYue-ZO f53222f6a4 feat(api): add POST /api/config/reset endpoint 
Add handleResetConfig handler that calls ResetToDefaults, applies
runtime log level, and restarts the gateway if running.
 2026-05-18 13:02:45 +08:00
SiYue-ZO d61902d42a feat(config): add ResetToDefaults and CLI config reset command 
Export MakeBackup for external use, add ResetToDefaults function that
backs up current config, creates defaults, and preserves security
credentials. Add `picoclaw config reset` CLI command with --force flag.
 2026-05-18 13:01:39 +08:00
sky5454 cb5d33124c fix(powershell): windows security enhancement, sec deny powershell encoding bypass via iex inje… (#2836) 
* fix(powershell):  sec deny  powershell encoding bypass   via iex injection.

* fix(exec): security guard bypass fixes for PowerShell/CMD encoding and path traversal

- Split deny patterns into defaultDenyPatterns (all platforms) and
  windowsDenyPatterns (Windows-only) to avoid false positives
- Add PowerShell encoding bypass detection:
  - [Text.Encoding] and [System.Text.Encoding] variants
  - -EncodedCommand short forms (-e, -ec, -enc)
  - .GetString([byte[]] with whitespace variations
  - FromBase64String decoding
  - PowerShell variable = [byte[](...) patterns
  - Literal \uXXXX Unicode escape sequences
- Expand PowerShell ($env:VAR) and CMD (%VAR%) environment variables
  before workspace path checking to prevent $env:USERPROFILE bypass
- Expand ~ to home directory on Windows
- Add .../.../ path traversal variant detection (blocks .../.../, ..../..../)
- Add symlink/junction resolution before workspace check
- Add Windows path normalization for ADS (file.txt:stream) and
  extended-length paths (\?\)
- Add comprehensive tests for all new patterns

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(exec): fix -EncodedCommand regex and rename Windows tests with expanded payloads

- Fix -EncodedCommand regex to match all short forms: -e, -ec, -enc, -en
- Rename Windows-specific tests with TestWindows_ prefix for clarity:
  - TestWindows_TildeBypassPrevented
  - TestWindows_SymlinkBypassPrevented
  - TestWindows_PowerShellEncodingBypass
- Expand test payloads:
  - [Text.Encoding]: add UTF8 and Unicode variants
  - -EncodedCommand: add -enc and -en forms
  - Unicode escape: add multiple \uXXXX forms

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: retest

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-18 10:28:03 +08:00
Mauro 68e572f969 fix(config): make load_image configurable (#2879) 2026-05-18 10:17:34 +08:00
LC 57876248e2 feat(provider): add SiliconFlow provider support (#2885) 2026-05-18 10:16:09 +08:00
LC 789f907f6d feat(chat): add independent code block copy and collapse controls (#2882) 
* feat(chat): add independent copy and collapse controls for code blocks

* fix(chat): unify code block rendering styles

* fix(chat): refine code block labels

* feat(chat): highlight tool call code blocks as json
 2026-05-18 10:01:39 +08:00
Guoguo feacd84b84 docs: update wechat qrcode (#2889) 2026-05-18 09:50:36 +08:00
肆月 604187e312 feat(web,api): test connection with real connectivity verification (#2833) 
* feat(web,api): add fetch models and saved catalog support

Split from PR #2752 (part 2 of 3).

Backend:
- /api/models/catalog endpoint for browsing remote model catalogs
- /api/models/fetch endpoint for fetching available models from providers
- Credential reuse with provider/API base matching for security
- Default API base resolution for providers without explicit base

Frontend:
- FetchModelsDialog for importing models from remote providers
- CatalogDialog for browsing and importing from model catalogs
- Static import for FetchModelsDialog (replaces dynamic import from PR1)
- Dynamic import retained for TestModelDialog (PR3 territory)

* feat(web,api): add test connection with real connectivity verification

Split from PR #2752 (part 3 of 3).

Backend:
- /api/models/{index}/test endpoint for testing saved model configs
- /api/models/test-inline endpoint for testing unsaved form values
- Real network probe (GET /models) for connectivity verification
- Credential reuse with provider/API base matching for security
- Default API base resolution for providers without explicit base

Frontend:
- TestModelDialog for testing model connectivity
- Inline test support for add/edit model sheets
- Static import for TestModelDialog (replaces dynamic import from PR1)
 2026-05-18 09:47:44 +08:00
美電球 0df050ff2e Merge pull request #2766 from SiYue-ZO/docs/v3-config-format-sync 
docs: sync all documentation to V3 config format
 2026-05-15 22:06:08 +08:00
Mauro 6817aa5311 Merge pull request #2811 from afjcjsbx/fix/mcp-streamable-http-support 
fix(mcp): support streamable HTTP alias, request-response mode and integration tests
 2026-05-15 12:55:58 +02:00
lxowalle 412705783d fix(pico): preserve image media across pico attachments and client (#2874) 
* fix(pico): preserve image media across pico attachments and client

* * fix ci

* fix(pico): preserve text when client media parsing fails

- Skip non-inline Pico attachment URLs instead of treating them as invalid inline media
- Preserve pico_client text messages when malformed media payloads are received
- Add regression coverage for media.create, download attachments, and invalid media payloads

* fix lint
 2026-05-15 15:49:07 +08:00
wenjie bfb2b35f74 chore: update slack-go to v0.23.1 (#2875) 
Adapt Slack media uploads to the renamed UploadFile API.
 2026-05-15 13:58:11 +08:00
wenjie b225629af8 build(deps): update @tailwindcss/vite to 4.3.0 (#2876) 2026-05-15 13:58:09 +08:00
美電球 c62a9bf55b Merge pull request #2862 from lc6464/fix/mimo-reasoning-history-replay 
fix(openai_compat): align MiMo reasoning replay with DeepSeek
 2026-05-15 12:09:52 +08:00
美電球 f7d25c6546 Merge pull request #2741 from lc6464/fix/deepseek-stream-reasoning-content 
fix(openai_compat): parse reasoning_content in streaming responses
 2026-05-15 12:09:26 +08:00
dependabot[bot] 215d98aa78 build(deps): bump tailwindcss from 4.2.4 to 4.3.0 in /web/frontend (#2872) 
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) from 4.2.4 to 4.3.0.
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

---
updated-dependencies:
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 11:23:13 +08:00
dependabot[bot] dab8391344 build(deps-dev): bump typescript-eslint in /web/frontend (#2871) 
Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.59.1 to 8.59.3.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.3/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.59.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 11:08:46 +08:00
dependabot[bot] a4abbf62e2 build(deps-dev): bump prettier-plugin-tailwindcss in /web/frontend (#2870) 
Bumps [prettier-plugin-tailwindcss](https://github.com/tailwindlabs/prettier-plugin-tailwindcss) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/compare/v0.7.2...v0.8.0)

---
updated-dependencies:
- dependency-name: prettier-plugin-tailwindcss
  dependency-version: 0.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:58:34 +08:00
dependabot[bot] 8ab455171c build(deps): bump jotai from 2.19.1 to 2.20.0 in /web/frontend (#2869) 
Bumps [jotai](https://github.com/pmndrs/jotai) from 2.19.1 to 2.20.0.
- [Release notes](https://github.com/pmndrs/jotai/releases)
- [Commits](https://github.com/pmndrs/jotai/compare/v2.19.1...v2.20.0)

---
updated-dependencies:
- dependency-name: jotai
  dependency-version: 2.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:46:39 +08:00
dependabot[bot] eec4436e64 build(deps): bump github.com/adhocore/gronx from 1.19.6 to 1.19.7 (#2868) 
Bumps [github.com/adhocore/gronx](https://github.com/adhocore/gronx) from 1.19.6 to 1.19.7.
- [Release notes](https://github.com/adhocore/gronx/releases)
- [Changelog](https://github.com/adhocore/gronx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/adhocore/gronx/compare/v1.19.6...v1.19.7)

---
updated-dependencies:
- dependency-name: github.com/adhocore/gronx
  dependency-version: 1.19.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:31:30 +08:00
dependabot[bot] dc41c9c566 build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 (#2867) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.53.0 to 0.54.0.
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.54.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:21:14 +08:00
dependabot[bot] 2f8429f57c build(deps): bump github.com/mymmrac/telego from 1.8.0 to 1.9.0 (#2866) 
Bumps [github.com/mymmrac/telego](https://github.com/mymmrac/telego) from 1.8.0 to 1.9.0.
- [Release notes](https://github.com/mymmrac/telego/releases)
- [Commits](https://github.com/mymmrac/telego/compare/v1.8.0...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/mymmrac/telego
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:13:57 +08:00
dependabot[bot] d8385ce0a7 build(deps-dev): bump vite from 8.0.10 to 8.0.13 in /web/frontend (#2865) 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 8.0.10 to 8.0.13.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.13/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.13
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-15 10:08:02 +08:00