The desktop publish queue could stall for a long time and end users assumed
the software was broken. Root cause: a hung adapter held its execution slot
with no wall-clock timeout while auto-renewing its lease forever, so the
server never reclaimed it and every queued task behind it stayed 等待发布.
Auto-recovery also risked silently re-posting a non-idempotent article.
Client (Electron):
- per-task wall-clock deadline + abort; progress-gated lease renewal that
stops and aborts a stalled task instead of renewing it forever
- decouple the concurrency cap from CDP-induced CPU/memory pressure
(admission gate instead of self-throttling collapse); 15s watchdog pump
- all adapter network I/O now has fetch timeouts and honors context.signal;
bounded image-upload concurrency with per-image timeout
- surface live adapter progress, elapsed time, queue position and a
working-vs-queued distinction in the publish view
Server (tenant-api):
- publish lease-recovery worker (every 3m) + supporting index: reclaim
expired in_progress publish leases, requeue (<3 attempts) or terminal-fail
- 3-minute lease TTL with client-presence-gated extension; max 3 attempts
Idempotency (production-grade core):
- durable publish_submit_started_at marker, set before the irreversible
platform submit POST; recovery and abort route a maybe-submitted task to
unknown (manual reconcile, kept in the dedup set) instead of re-posting
- desktop UI requires explicit confirmation before retrying a possibly-
already-published task
Verified: go build/vet/test (incl. resolvePublishRecoveryOutcome), vue-tsc,
vitest 141/141, gofmt all clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Introduce an end-to-end media-supply feature: tenant-side resource sync
service/worker backed by a Meijiequan supplier client, ops-side management
APIs, and admin/ops web views for resources, orders, favorites and
submission. Adds a shared digitocr helper, MediaSupply config blocks for
tenant and ops, shared types, and migrations for supplier media resources,
price overrides, customer visibility and order refunds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Consolidate per-platform cover/image fetch failure prompts into a single
PUBLISH_IMAGE_FETCH_FAILED_MESSAGE constant shared by baijiahao, bilibili,
dongchedi, qiehao, smzdm, and zol adapters, and generalize the normalizer
to match any *_image_fetch_failed / *_cover_fetch_failed code. Also split
desktop publish list loading into initial vs manual-refresh states so the
refresh button no longer blanks the table, and fix admin-web active-task
detection to cover all pending statuses.
In the admin publish modal, fetch the article's publish records, disable
accounts that already succeeded for the same article/platform, label
queued/publishing accounts inline, and route the success notification by
created vs existing task counts (with a dedicated warning for the
`desktop_publish_duplicate` server error).
Replace the "再次发送" mutation/popconfirm on both admin and desktop publish
management views with a "重新创建发布任务" action that calls the same Create
endpoint, only enables on failed/aborted/unknown rows, and reports created
vs existing task counts (with a tailored warning for `unknown` results
that may have already succeeded).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add SMZDM to the cover-required platform list on both client and server,
register a 800x800 native cover spec in the admin cover catalog, and
normalize the desktop-client `smzdm_image_fetch_failed` adapter error to a
user-friendly Chinese prompt across the publisher error pipeline.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Rework the Doubao monitor adapter so success answers come exclusively from
CHUNK_DELTA SSE text and require an SSE_REPLY_END finish event — DOM fallbacks
and FULL_MSG_NOTIFY user echoes can no longer pose as the model reply. Also
auto-switch to the 思考 answer mode, repair mixed-mojibake fragments per run,
unwrap Doubao redirect URLs, scrub "unknown" source metadata, recover from
mid-query navigation by returning unknown for retry, and surface stream/finish
counters in diagnostics.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When the standard search-results panel never opens, click the reasoning-chain
"搜索到 N 个网页" affordance to reveal the citation source list, and prefer the
revealed panel links over stale snapshot links so citations point at the right
URLs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Route content/cover images through the desktop media-image asset
pipeline and abort before submitting when any body image was not
replaced with a Toutiao-hosted URL, so we don't publish articles
that reference our own private asset endpoints.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When a desktop monitoring task fails with a non-retryable authorization failure
(login expired, challenge required, risk control), all pending same-client/same-platform
tasks for the same business day are immediately bulk-failed as non-retryable, avoiding
wasted execution attempts. Adds preflight authorization checks before task execution,
enriches failure payloads with disposition metadata (code, category, retryable flags),
and triggers account health reports on auth state degradation.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Shrink desktop presence TTL to 30s and heartbeat to 15s so unexpected
client exits surface within one TTL even if the explicit offline call
is missed; keep migration default aligned.
- Trust a known presence miss in resolveDesktopClientOnline instead of
falling back to the recent-heartbeat heuristic, so a still-cached
LastSeenAt cannot mask an offline client.
- Release the runtime session before clearing renderer desktop sessions
on shutdown to avoid leaving stale leases behind.
- Auto-refresh the MediaView account list every 5s and revamp card
layout (inline platform badge, status tags, UID row, meta box).
- Let the brand-question AI wizard accept multiple seed topics via a
tag-style input; candidates from each topic are merged and deduped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Introduce `navigateRemoteURL` / `showLocalPage` / `showErrorPage` helpers
that centralize remote navigation, watchdog wiring, and error fallback,
replacing the ad-hoc logic inside `loadWindowURLSafely`.
- Show a localized loading page (`loadingPageDataURL`) while a remote URL
is fetching, so the window no longer sits on blank white during slow
navigations.
- Add a 25s remote-load timeout watchdog that switches the window to the
error page when the target never finishes loading, plus an active load
token so stale watchdogs from earlier navigations cannot fire on the
current attempt.
- Track `localPageKind` and `activeTargetURL` per window so blank-page
retries, did-fail-load handlers, and ready-for-detection checks behave
correctly when the window is currently showing a local loading/error
page.
- Escalate the blank-page watchdog: after the retry attempt, if the page
is still blank, surface the error page instead of looping silent
reloads.
- Restyle the error page (drop gradients, use a neutral light/dark token
palette, single primary retry button) and add a dedicated loading page
template with the same look.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Map dongchedi adapter failures (raw "server exception" or
dongchedi_platform_exception) to a Chinese prompt steering the user to
the dongchedi backend, so renderer/admin views and desktop-task error
payloads no longer surface the opaque platform message.
Playwright serializes page.evaluate callbacks via Function.prototype.toString and runs them in the target page context. Obfuscating the main bundle injected string-array helper references that the browser page could not resolve, surfacing as `ReferenceError: wO is not defined` for bilibili and dongchedi publishes. Mirrors the existing Vite `minify: false` guard for main/preload.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Detect the passport.qianwen.com bridge page after a successful SSO login
and navigate the webContents back to the original returnUrl so account
binding can proceed instead of stalling on the bridge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
setName pins the runtime app name (menu bar, task switcher) and
setAboutPanelOptions overrides the macOS About panel which is sourced
separately from Info.plist when running unpackaged. Packaged builds are
unaffected: electron-builder productName "省心推" still drives the .app
bundle and NSIS installer metadata. The macOS Dock label in dev still
shows "Electron" because that comes from the unpacked Electron.app
bundle's CFBundleName, which is outside Electron's API surface.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Baijiahao throws baijiahao_challenge_required when its risk control flags
the network environment, but PublishManagementView previously showed the
raw "code: ..., message: ..." string. Route the error through the existing
normalizer pipeline so users see a clear "需要人机验证 + 去后台手动完成
一次发稿" prompt instead.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Playwright serializes the function passed to page.evaluate via .toString()
and runs it in the browser context. With main-process minify on, esbuild
renames inlined helpers (e.g. __name) and closure references to two-letter
identifiers like FK/p/ed; their definitions stay at module scope on the
Node side, so the browser eval throws ReferenceError. Mac dev builds were
unaffected because dev mode doesn't minify; only packaged Windows builds
hit this. Main process bundle size is irrelevant (loaded once on startup)
so turning minify off is the cheapest correct fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Toutiao's wap_login redirect chain raises ERR_ABORTED (-3) without the
literal symbol in the message, so the previous regex fell through to the
fallback error page. Now match the numeric form too, and add a 7s blank-
page watchdog that auto-reloads stuck "Loading..." popups once per fresh
navigation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
K2.6 introduced new UI surfaces that polluted the answer extraction and
the busy-signal probe, breaking monitor runs even though Kimi rendered a
correct answer:
- collectCandidates now drops elements that contain a chat composer child
(<textarea>, non-hidden <input>, [contenteditable]). This filters
wrapper containers like .chat-detail-content that the wide
[class*="content"] fallback would otherwise pick, pulling editor
placeholder text ("可快捷使用技能", "Kimi K2.6 已就位") into the answer.
- isAuxiliaryPanelElement skips elements with role="dialog" /
"alertdialog", aria-modal="true", or the <dialog> tag, so the K2.6
launch-announcement popover ("Kimi K2.6, 已就位 / 一键部署 OpenClaw")
no longer counts as answer content.
- Drop the class-based loading-indicator probe entirely. The previous
global [class*="loading"]/"stream"/"typing"/"spinner" sweep matched
K2.6's always-on text-stream wrapper and held busy=true forever, which
caused kimi_query_timeout even after the assistant turn had fully
rendered. The textual busySignalsPattern (思考中/搜索中/生成中…) is
the actual semantic signal and survives any UI rename.
- Surface a capacityNotice from the assistant turn when Kimi shows its
short capacity-exhausted message ("算力不够 / 请稍后再试"). The top
level falls back to it when answerText is empty so the SaaS pipeline
records the user-visible message instead of an unknown row, with
capacity_limited / capacity_notice flagged in raw_response_json.
All filters lean on HTML form / ARIA semantics and visible text rather
than Kimi-specific BEM classes, so they survive future redesigns.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- findInteractiveByText now also accepts elements carrying business
attributes [dt-button-id]/[data-button-id]. The new yuanbao toolbar
renders the deep-think toggle as <div dt-button-id="deep_think"> rather
than a <button>, so the previous text-only locator missed it and probes
silently ran in the fast model — without inline citations.
- Lower <div data-idx-list="1,2,10"> placeholders to bare "[1][2][10]"
(previously "[citation:1] [citation:2] [citation:10]") and accept both
forms in YUANBAO_CITATION_MARKER_PATTERN. Final answer text runs through
normalizeCitationMarkers so any residual SSE [citation:N] is rewritten
to [N], matching DeepSeek's chip rendering on the SaaS side.
- searchGuid frames in the new protocol carry every reference inside
docs[] (each with a 1-based index that mirrors the answer markers) and
citations is now always null. Promote docs into the citations bucket so
citations[index-1] aligns with the inline marker, eliminating the
spurious yuanbao_incomplete_citations failures.
- Update the SaaS detail view: createYuanbaoCitationPattern accepts both
"[N]" and "[citation:N]" so yuanbao answers render the same clickable
superscript chips as DeepSeek.
Tests cover the new searchGuid.docs alignment, fast-cache answers (no
markers, no sources -> still succeed), legacy [citation:N] -> [N]
rewriting, and mixed-format marker extraction.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Refactor readDeepseekAccountIdentity so the JSON payload parser is a pure
ts function (extractDeepseekIdentityFromPayload). The webContents IIFE now
just polls for userToken and returns the raw API JSON; payload picking lives
in ts and is unit-tested.
Tests lock the contract for both login types we observed in the wild:
- WeChat-bound account: id_profile.name = '阿白', picture present.
- Phone-only login: id_profile = null, mobile_number = '177******08',
email = '' (empty string, not null) — the case that originally regressed.
Plus regressions for the priority order (profile.name > mobile_number > email),
the all-empty fallback, and non-record payloads.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phone-number logins return id_profile=null, mobile_number="177******08", and
email="" (empty string, not null). The previous fallback used `??`, which only
short-circuits on null/undefined, so an empty email string clobbered the
mobile_number fallback and the displayName ended up null — leaving the
DeepSeek card stuck on the "${label} 会话" placeholder.
Switch to a truthy pickString helper that requires a non-empty trimmed string
before accepting a candidate, and prefer mobile_number over email so the
masked phone number shows up exactly the way DeepSeek's own sidebar renders it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The generic AI page-state heuristic only catches displayName via DOM patterns
like [class*="user-name"], so wenxin/yuanbao/deepseek (CSS-module hashed
classes or no exposed store) fell back to the placeholder "${label} 会话".
Add per-platform readers under adapters/{wenxin,yuanbao,deepseek}/account-identity.ts:
- wenxin: GET /eb/user/info with BDUSS cookie; fall back to __NEXT_REDUX_STORE__
and sidebar DOM if the API fails or hasn't responded yet.
- yuanbao: poll the stable BEM .yb-nav__user .nick-info-name + avatar img,
since yuanbao exposes no user-info API and the sidebar renders late.
- deepseek: poll localStorage for userToken, then call /api/v0/users/current
with Authorization: Bearer <token>; reads biz_data.id_profile.{name,picture}.
detectWenxin/Yuanbao/DeepSeekPlatform now run the credential-backed detector
first, then override the placeholder displayName/avatar via the per-platform
reader. Existing rows in DB still hold the placeholder until the account is
re-bound — probe does not write back display_name yet.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The AI 平台 badge counted distinct platforms with at least one
active-auth account, while 媒体账号 counted raw account rows
regardless of auth state. The two numbers shared a slot but meant
different things, which made them not comparable at a glance.
Switch the AI 平台 count to mirror 媒体账号: account-level count
of accounts whose platform falls in the monitoring catalog, with
no authState filter.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Business calls (heartbeat, account sync, lease/pull/resume tasks,
preempt monitoring lease) used to short-circuit any 401 into
handleAuthExpired, which tore down the runtime and switched the
window to login. That stole the screen on transient or per-request
auth glitches and conflicted with the renderer-side proactive token
renewal.
Now business 401s fall through to the existing warn/danger activity
log paths and runtime keeps running. The login redirect is owned
solely by the renderer's renewAuthenticatedSession → on refresh /
rotate failure → forceLogoutAfterRenewFailure path. Server-side
revocation via error code 40991 is unaffected.
Removed the now-orphan plumbing: handleAuthExpired,
isApiClientError helper, emitRuntimeAuthExpired /
onRuntimeAuthExpired events, and forceLoginWindowForAuthExpired
listener registration.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>