Commit Graph

265 Commits

Author SHA1 Message Date
root 461f186337 feat(tenant-api): expose Swagger UI in non-release mode
Adds an in-process Swagger UI and OpenAPI JSON under /swagger,
registered automatically when the Gin mode is not release. The
admin-web Vite dev server and production nginx config now proxy
/swagger to the tenant API so the docs are reachable from the
existing admin host.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 23:19:31 +08:00
root a49ac32aa8 chore(ci): drop unused GitHub Actions backend workflow
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 23:19:24 +08:00
root baff51295a feat(desktop-client): add settings window and switch default API to production
- Open a dedicated settings BrowserWindow with general / login / diagnostics / about tabs
- Persist openAtLogin and keepRunningInBackground via desktop-settings.json; hide main window instead of quitting when background mode is on
- Default API base URL now points to api.shengxintui.com; LoginView and SettingsView share a single constant
- Restore wangyihao session cookies on probe and silent refresh, and accept the legacy http://mp.163.com console origin
- Drop the standalone diagnostics view in favor of the settings tab

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 22:00:01 +08:00
root 40ef60eae2 style(desktop-client): tighten media/AI/publish view copy and table chrome
Rename the media-platforms nav entry to "媒体账号", switch the Accounts hero eyebrow to MEDIA ACCOUNTS, drop the redundant AI platforms intro paragraph, and trim the publish list to use a generic external-link tooltip plus a slightly wider table to fit the renamed columns.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 21:06:12 +08:00
root ed38721feb feat(desktop-client): give login and main views their own BrowserWindow
Spawn a separate window per mode keyed by a ?window= query param so each surface keeps its size, devtools, and renderer state independently. Logout now persists the cleared session and switches windows before awaiting the runtime release, avoiding a stale main-window flash on the way out.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 20:56:03 +08:00
root cdd63db7f1 feat(wangyihao): record public article URL on publish and back-fill responses
Build https://www.163.com/dy/article/<docId>.html when wangyihao tasks finish, and normalize publish-record responses + monitoring alias inputs to surface the same public URL when the doc id is known.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 20:55:53 +08:00
root add918ff4c feat(desktop-client): clear auth failure on active probe and trigger probe when opening console
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 19:32:20 +08:00
root 02b8cd683d feat(account-health): allow silent refresh on scheduled probes and stop treating wangyihao token misses as auth failure
Scheduled probes and reportAccountFailure now request a silent refresh
before marking an account expired, and a missing wangyihao publish
token is classified as ok instead of auth_failure so the cookie-based
refresh path can recover the session.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 19:18:09 +08:00
root b89892be6e feat(desktop-client/wangyihao): persist session cookies and recover bound partitions
Snapshot 163.com/126.net cookies on bind/refresh to a userData vault and
restore them when reattaching a session, recover orphan partitions by
matching the detected mediaInfo, verify the bind window via the console
state instead of a generic profile probe, and route token/draft fetches
through the https API origin while opening console pages over http to
match the live editor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 19:18:03 +08:00
root c87842347e feat(account-health): reconcile remote bind state and ignore stale runtime reports
Track an authRevision per local record so a fresh bind cancels in-flight
probes, sync server-confirmed health back into the desktop cache via
reconcileTrackedAccountRemoteState, include verified_at in the upsert
signature, and drop runtime health reports older than the stored
verified_at on the server side.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 18:15:39 +08:00
root bf25fa1a80 feat(desktop-client/wangyihao): harden token capture and draft submit flow
Inject the YiDun guardian client to obtain ursToken without relying on
window.neg, fetch the publish detail (wemediaId/onlineState/...) before
saving drafts so 100002 "参数错误" stops blocking submit, downgrade
markdown tables to paragraph rows like Baijiahao, and surface friendlier
errors for token, draft and publish-click failures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 18:15:20 +08:00
root 9525c1144d feat(admin-web/login): replace default test credentials with remembered login
Why: showing the seed admin account on the login screen is unsafe for production deployments.
How to apply: store identifier/password in localStorage when "记住密码" is checked, restore them on mount, and drop the demo credentials panel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 18:15:08 +08:00
root 1e46bfa1f4 chore(membership): lower image storage quotas for free and pro tiers
Reduce image_storage_bytes from 500MB to 25MB on free and from 1GB to
500MB on pro to align quotas with current storage cost expectations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:15:09 +08:00
root 3498f558e3 feat(desktop-client/home): break down runtime issues by tasks and accounts
Split the home dashboard runtime panel into a combined issue feed that
lists failed/unknown tasks alongside blocked accounts, with per-kind
counts and per-row detail/badges so operators can triage both classes
of breakage from one place.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:12:25 +08:00
root e5f6e93cea feat(desktop-client/yuanbao): capture richer DOM citation sources
Raise the response capture body limit, parse siteName and source
indexes from yuanbao DOM links, merge ordered DOM sources with the
streamed list, and reject runtime/build-diagnostic strings from being
treated as a question.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:12:18 +08:00
root fb166fa9fe feat(monitoring): attribute SaaS citations by registrable domain
Persist host/registrable_domain/site_key on monitoring article URL
aliases, populate them on desktop-publish completion, and use them in
the citation pipeline to count how often SaaS-published content
appears as a citation source. Expose a /citation-summary endpoint with
a 7/30-day window switch and surface the new source-share metrics in
the tracking dashboard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:12:09 +08:00
root 6e6e19cccb feat(schedule-tasks): support auto-publish via media accounts
Replace the legacy target_platform string on schedule tasks with a
workspace-aware auto-publish payload (auto_publish + publish_account_ids
JSONB + cover_asset_url + cover_image_asset_id) and migrate the schema,
sqlc queries, generated models, domain struct, ScheduleTaskService DTOs,
and dispatch worker to round-trip the new fields. PromptRuleGeneration
gains a WithPublishJobService hook so executeGeneration can enqueue an
auto-publish job once the article is ready, and worker-generate wires
the publish-job service in. On the admin-web side, extract
PublishArticleModal's account-card builders into a shared
publish-account-cards module, rebuild GenerateTaskDrawer's schedule
mode around account selection plus a CoverPickerModal, and surface the
new "auto publish" column on ScheduleTaskTab. Shared types and i18n
strings cover the new fields.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:32:19 +08:00
root c9267d2fae feat(auth): block disabled user accounts at the subscription guard
RequireActiveTenantSubscription now optionally takes an AuthRepository
and rejects the request with 40311/user_disabled when the actor's user
row is anything other than active. Wire the repo through the tenant
router, surface the new error code in admin-web's
membershipBlockedErrors set, persist a "disabled" membership status when
markStoredMembershipBlocked sees user_disabled, and add localized copy
on the blocked screen and shell membership banner.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:31:26 +08:00
root e15806bd91 feat(template-wizard): require library brand before favoriting competitors
Drop the implicit brand-creation path in handleFavoriteCompetitor and
just refuse to save a competitor until the user has explicitly chosen a
library brand; clear saved state on competitor drafts when the brand is
unset. Also enforce the configured custom-outline label length cap and
auto-focus newly added outline nodes for faster keyboard editing. New
i18n strings cover the brand-required and outline-length messages plus
the updated competitor hint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:30:29 +08:00
root 14a7921445 feat(prompts): expand keyword guidance to long-tail search queries
Tighten the analyze prompts (runtime + recommendation platform) so the
model returns 8-10 question-style search queries (哪家好/有哪些/怎么选/
价格/排名/避坑 …) instead of generic tag words, and lift the keyword cap
in normalizeAnalyzeResult from 5 to 10 to keep them. Add tests covering
the new ten-keyword window and the question-like guidance in the seeded
analyze prompt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:28:59 +08:00
root 814ea52c0e feat(desktop-client): validate qiehao session via detected account
The 企鹅号 console returns 200 even when the session is silently expired,
so probe/silent-refresh/console-open now require detect() to return an
account whose identity matches the bound one. Surface a localized
"授权已过期" prompt in the renderer when the new
desktop_account_session_expired error bubbles up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:28:41 +08:00
root 9d9c051d6d feat(media): require cover image for dongchedi publish batches
懂车帝 has the same cover-mandatory rule as 百家号; treat them the same
when deciding whether a publish batch must carry a cover.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:28:23 +08:00
root f9ecb33d8e chore(knowledge): drop verbose snippet payloads from resolve log
Logging the full candidate and selected snippet bodies per resolve was
inflating log volume without adding signal we use.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:28:04 +08:00
root 5216a4847c feat(login-ui): dedupe submissions and surface guard error codes
Collapse rapid double-submits into a single in-flight request across
admin-web, ops-web and the desktop client so users cannot fire parallel
login attempts and trip the new in-progress guard. Map the new
login_rate_limited / login_locked / login_in_progress / login_guard_unavailable
error codes to localized messages in every login surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:07:32 +08:00
root 19037a9e4b feat(auth): apply LoginGuard to tenant and ops login endpoints
Wire LoginGuard into tenant-api and ops-api login flows: acquire a
permit before checking credentials, record a failure on every invalid
attempt to drive lockouts, and clear counters on success. Tenant-api
now also forwards the request IP into the service so per-IP and
IP+identifier limits actually fire under real traffic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:07:16 +08:00
root a62c0e4b5d feat(auth): add LoginGuard for rate-limit and lockout primitives
Introduce a Redis-backed LoginGuard that combines per-IP, per-identifier
and IP+identifier rate limits, exponential lockout on consecutive failures,
and a concurrent-attempt lock so a single subject cannot pile up parallel
brute-force tries. The guard ships with an in-memory fallback when Redis
is unreachable so login protection keeps working under degraded mode.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:06:49 +08:00
root 11bd4e4d4e feat(redis): keep services running when Redis is unreachable
Add a lazy Redis client constructor and an in-memory fallback for the
refresh-session store, plus tenant-api and ops-api bootstrap that warns
and continues with the lazy client instead of failing. Refresh and
blacklist operations now silently fall back to the in-memory store while
Redis is down so existing sessions stay valid until it recovers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:06:08 +08:00
root 2aa39d7a11 test(ops/kol-subscription): cover cache invalidation on admin actions
Verify approve/revoke/manual-bind delete the right tenant-scoped keys via
a recording cache double, so the prompt cache stays consistent with the
KOL subscription state changes shipped in the previous commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:08:08 +08:00
root 0729b76cc7 style(ops-web): unify table actions as circular icon buttons
Replace the mixed text-link / button action lists in Accounts,
AdminUsers, and SiteDomainMappings with a shared .table-actions-row +
.action-* class set in styles.css. Each row now renders compact icon
buttons (edit/delete/approve/revoke/key/kol/reset/play) tinted by intent,
matching the new KolSubscriptions console look.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:07:55 +08:00
root 73fd7db21a feat(ops-web/kol): add KOL subscription review console
New /kol-subscriptions page lists pending and active subscriptions, lets
operators approve / revoke / manually bind packages to tenants, and links
into the AppShell nav under 订阅包审批. Register Alert globally so the
view's status banners render.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:07:41 +08:00
root 9bb7144593 refactor(kol-admin): move subscription admin endpoints from tenant-api to ops-api
Approving / manually binding / revoking KOL subscriptions belonged to the
operations console, not the tenant-admin role on tenant-api. Add a fresh
KolSubscriptionService + repository + handlers under the ops module with
its own list/manual-bind/approve/revoke routes, wire a Redis-backed cache
into ops-api so admin actions can invalidate tenant prompt caches, and
delete the tenant-side admin service/handler now that ops-web owns the UI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:07:25 +08:00
root 4dd8a1bb0e feat(tenant/kol): let KOLs self-subscribe to their own published packages
Add /kol/manage/packages/:id/self-subscription POST/DELETE on the tenant
side so a KOL can grant themselves access to their own published package
without going through the marketplace approval flow. Reject self-subscribe
through the marketplace with a clear error, expose owned_by_current_tenant
on package responses, and surface a self_subscription block on KolPackage
Response. The admin-web KOL workspace gets 订阅自己 / 取消订阅 entries with
matching messaging in the marketplace detail view.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:06:57 +08:00
root 088dbb0ec7 docs(self-test): mark 懂车帝 and 微信公众号 as CDP-driven flows
Annotate the two adapters that now run the publish step through the
embedded Chromium DevTools session so future debugging knows which
platforms bypass the plain HTTP path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 21:03:02 +08:00
root 6a56935fb9 chore(admin-web/login): drop redundant tenant admin login subheading
The 欢迎回来 headline already conveys context; the secondary
"Tenant Admin Login" line added noise on the simplified login card.
Remove the paragraph and the now-unused i18n key.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 21:02:52 +08:00
root 2f3055babd feat(admin-web/articles): show partial-success publish status from records
ArticlePublishStatus now derives partial_success when both succeeded and
failed records are present, fetches publish_records eagerly with a 30s
stale window so the popover lights up without a click, and ArticleDetail
Drawer reuses the component instead of its own tag. Relabel partial_
success copy to 部分发布 / Partially Published to match the new bucket.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 21:02:36 +08:00
root e8c4fedb45 feat(tenant/articles): aggregate publish status from per-account records
a.publish_status only stored a coarse summary so the article list/detail
mis-reported as 失败 when one of several accounts failed. Compute the
effective status via a LATERAL join over latest publish_records per
platform_account_id and bucket into success / publishing / failed /
partial_success. Wire the same expression into list filtering and detail
queries, and let normalizePublishStatus / batch-status helpers retain
partial_success end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 21:02:03 +08:00
root 677cfc5aff docs(self-test): record weixin-gzh manual publish result
Mark 微信公众号 as passing for image/text/table after the new editor flow,
linked to the verification post used during the run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 19:57:27 +08:00
root 99a992f34b feat(ui/publish-records): surface 已存草稿 status and client-only manage hint
Render publish_type=draft tasks with the warn tone and 已存草稿 label, swap
the management link copy to 打开草稿箱 for weixin_gzh, and expand the task
summary to mention the publish_authorization_required reason. In the admin
drawer, stop falling back to external_manage_url for missing public links
and instead show a hint pointing operators back to the desktop client for
weixin_gzh / zol records.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 19:57:11 +08:00
root a09d44d8f0 feat(desktop/weixin-gzh): drive editor to publish with draft fallback on verify
Replace the masssend HTTP path with a Playwright-driven editor flow that
clicks "群发" and resolves the publish response, then polls appmsgpublish
for the public mp.weixin.qq.com/s URL. When the dialog asks for admin
verification / scan-code authorization, swallow it as a successful draft
save and surface fallback_reason=publish_authorization_required so the
operator can finish from the console. Also broaden token extraction in
account-binder and treat the draft list URL (cgi-bin/appmsg) as the
console landing page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 19:56:56 +08:00
root ed6b2c09fa fix(desktop/wangyihao): soften creative statement to a personal-opinion note
"内容由AI生成" tripped Wangyihao's AIGC review and parked drafts under
manual screening. Switch to "个人观点,仅供参考" so legitimate posts move
through normal moderation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 19:56:40 +08:00
root 2e5643ddfd feat(desktop/weixin-gzh): mass-send drafts and resolve public article URL
Drafts previously stopped at the草稿箱 step, leaving the operator to publish
manually. Chain a /cgi-bin/masssend call, then poll the appmsgpublish list
(by title and by latest) to extract the mp.weixin.qq.com/s public link
and a publish_id. Surface dedicated failures for publish and link-missing
states, and switch the result payload to publish_type="publish" with the
appmsgpublish manage URL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:12:49 +08:00
root 2501f9db85 feat(desktop/renderer): surface re-authorize affordance for expired accounts
Replace the generic 重新校验 action with state-aware copy and an arrow
icon when authState is expired, and route the click through the bind flow
so users land directly on the platform login page. AiPlatformsView gains
the same shortcut and an inline alert explaining tasks are paused until
re-auth completes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:12:20 +08:00
root b59435dec5 refactor(desktop/renderer): centralize platform label and short-name lookup
Move the per-platform translation map out of HomeView/TasksView and the
titleCaseToken fallback out of PublishManagementView into shared helpers
on media-catalog. Single source of truth keeps renderer views consistent
with the binding catalog when new platforms ship.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:12:05 +08:00
root 426e94dd6b feat(desktop/account-health): mark freshly bound accounts as live
Bind callbacks now stamp the runtime account as health=live with a fresh
verified_at and seed the health record via markTrackedAccountBound, so the
UI doesn't show a just-bound account as 尚未校验 while waiting for the next
probe. Also let force probes bypass the cached-result short-circuit so the
manual 重新校验 button always re-runs the probe.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:11:50 +08:00
root e89349399b feat(desktop/weixin-gzh): probe authenticated console with token resolver
Naked /cgi-bin/home redirects to the login page even with a live cookie,
which made probe/refresh/verify mis-classify accounts as expired. Resolve
the tokenized console URL via mp.weixin.qq.com first, then read the page
state to detect 登录超时/未登录 banners and reuse detectWeixinGzh to confirm
identity. Open-console also now lands on the tokenized URL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:11:35 +08:00
root 8dcd60b604 fix(desktop/weixin-gzh): tolerate numeric appMsgId and classify login timeout
The MP draft API sometimes returns appMsgId as a number or under the
appmsgid alias; coerce both shapes before treating the response as a
success. Also extend the platform auth adapter to recognize 登录超时/
请重新登录 wording so the runtime drives the account back to re-auth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:11:19 +08:00
root 7ca79723cd fix(desktop/doubao): drop byteimg and bytednsdoc CDN URLs from cited sources
These ByteDance asset CDNs ship images and static docs that are not real
citations, so they pollute the monitoring source list. Filter them at both
buildSourceItem and dedupe stages, and add unit coverage via an exported
test-only helper bag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:11:04 +08:00
root bef55bd11f feat(ops-api/site-mappings): provision monitoring DB pool and readiness check
Open a separate pgx pool for the monitoring database, wire it into the
SiteDomainMappingService, and surface its health in /readyz. Point compose
at the dedicated monitoring-postgres service and align local/dev configs
with the per-instance ports. Also reformat the site_domain_mapping types
with gofmt while the files are touched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:10:48 +08:00
root 665405763c feat(ops-web/site-mappings): add site domain mappings management view
Add a CRUD page for site_domain_mappings with search, pagination, create/
edit/enable/disable/delete actions, and register it in the AppShell nav.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:10:17 +08:00
root 9760bec8bd feat(ops/site-mappings): wire site domain mapping routes and monitoring DB
Register site-domain-mappings CRUD endpoints under the authenticated ops
router, add a monitoring_database config block (falling back to the main
ops database when unset) for the service to share the monitoring pool.
2026-04-29 16:02:11 +08:00