Replace single-shot acquireHotView with retainHotView/releaseHotView
plus a minute-level reaper that closes views idle beyond 5 minutes and
never evicts a view while it still has live retainers. Wrap adapter
calls in try/finally so a failing publish/query still releases the
view. Sample process metrics every minute and expose hot-view policy
and process snapshot via the runtime snapshot for diagnostics.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fall back to looking up article_id from publish_records or publish_batches
when the desktop task payload lacks article_id at the top level. Covers
payloads that only carry content_ref.{article_id,id}, publish_record_id,
or publish_batch_id, preventing spurious 40096 errors when retrying
older desktop tasks.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Plan 0 (workspaces): add workspaces + workspace_memberships schema, extend
JWT/Actor/claims with primary_workspace_id, seed default workspace per tenant,
thread workspace_id through tenant monitoring quota.
Plan A (desktop skeleton): new Electron app (apps/desktop-client) with main/
preload/renderer, shared Vue component package (packages/ui-shared), and server
surface — desktop client registration + token rotation + heartbeat, SSE task
event stream, desktop accounts/tasks/content handlers, publish job endpoint,
and supporting repositories, services, sqlc queries, and migrations.
Hard cutover per plan: remove browser-extension monitoring callback endpoints,
stub legacy media API in admin-web, and delete monitoring_callback_handler.go.
Fifth-round codex+gemini final verification: Gemini gave Ready-to-plan;
codex gave Ready-with-caveats with 5 surgical contract gaps. All 5
closed in v2.5:
1. reconcile status=retry semantics pinned: original task returns to
queued with attempts+1, no cloning, no new job. §6.4 route note,
§7.5 UNKNOWN reconcile table (renamed from "重新创建任务" to "重新
运行"), and §15.1 Mermaid all agree.
2. content_ref workspace boundary rule (Phase 1): tenant-native
entities (article_draft/template_gen/video/brand_asset) must
belong to actor's primary workspace, otherwise 422. Added to
Plan 0 cross-workspace pentration test exit bar.
3. WorkspaceScope input surface unified: removed workspace_id= query
from §6.8.2 modal example; scope solely derived from Actor.
4. Contract drift cleanup: GET /api/desktop/accounts?client=self
return fields add delete_requested_at; retry path clarified to
JSON body.
5. Parked Web cancel endpoint: new POST /api/tenant/tasks/{id}/cancel
(WorkspaceScope) for aborting parked/queued tasks; §15.1 Mermaid
updated with queued→aborted edge and endpoint labels.
Header upgraded to v2.5.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Third-round Claude+Codex+Gemini architect review surfaced foundation-
level issues that prior local patches missed. Codex verdict was
Needs-rework; Gemini verdict was Ready-with-caveats. v2.3 lands all
2 Critical + 9 Warning + 3 Info.
Critical:
- C1 workspace-as-first-class: Prior drafts added a WorkspaceScope
middleware, but Codex verified code: Actor/Claims carry only tenant_id,
cache_support keys scope to tenant, workspaces table migration does
not exist, tenant_monitoring_quotas tracks primary_installation_id.
Add a new Plan 0 (Workspace foundation uplift, 2-3w, blocks Plan A)
covering workspaces + memberships migrations, claims extension,
cache-key rewrite, and the full monitoring-domain migration checklist
(new §6.1.1). §2 hard-constraint 8 rewritten; new hard-constraint 9
reserves credential_holder / account_home naming for future evolution.
- C2 CDP stream-capture path was still inconsistent: Fetch.continueResponse
+ takeResponseBodyAsStream cannot chain per CDP semantics. v2.3 moves
EventSource to Network.eventSourceMessageReceived, fetch-stream to
Network.streamResourceContent + dataReceived (Chromium >=120, OK on
Electron 41), and reserves Fetch only for must-mutate scenarios
without chained continueResponse. Plan A now requires a provider x
transport spike matrix (0.5w) before any adapter work.
Warning:
- W1 Patch-channel minimal loop (G1) promoted from Plan C to Plan B,
so Beta exit criteria are satisfiable.
- W2 waiting_user decoupled from lease: becomes a parked state that
releases the lease, survives hours of human review, and is resumed
via POST /tasks/{id}/lease?from_parked=true.
- W3 credential_holder/account_home evolution seam formalized.
- W4 §6.1.1 lists 8 monitoring-domain migration items that were
previously hidden inside "sqlc rename".
- W5 Deep-link nonce becomes a one-time opaque code bound to
target_client_id, Redis-jti consumed on verify.
- W6 §10.3 block H raised from 1.5w to 2.5-3w after Gemini verified
PublishArticleModal's accounts[0] assumption needs a real rewrite.
- W7 MarkdownPreview extracted into packages/ui-shared so Web preview
and Desktop manual review use the same renderer.
- W8 packages/http-client gains a standardized SseClient (backoff +
Last-Event-ID + snapshot + dedup), shared by both apps.
- W9 Trace viewer now runs inside a CSP-sandboxed iframe with hash
routing for file:// loads; trace data flows in via postMessage.
Info:
- I1 §14 adapter map appendix; Hunyuan renamed to Yuanbao with the
correct entry domain (yuanbao.tencent.com).
- I2 UNKNOWN tasks gain a reconcile workflow (mark-succeeded /
mark-failed / ignore / recreate), plus weekly in-app nudge.
- I3 New §15 listing the 5 Mermaid diagrams Plan A must produce
(sequence, lease state machine, account resync, multi-instance
topology, component tree).
Total effort re-estimated from 24-28w to 28-33w; split expands from
3 plans to 4 (Plan 0 -> A -> B -> C).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
User feedback integrated:
- LLM monitoring scope: 3 → 5 providers (add Hunyuan + Kimi).
Keep-alive table in §4.4 gets 2 rows (default 8 min heartbeat,
re-evaluate on integration). Block B effort 2-3w → 4-5w; total
22-26w → 24-28w; Plan B scope updated.
- New §6.8 "admin-web coordination" covering:
- Publish modal with *account-level* selection (not platform-level):
one workspace has many accounts per platform (e.g., 5 WeChat);
one job expands to N desktop_tasks each bound to (platform, account).
- Media data dashboards at account-level granularity (overview,
publish history, monitoring results).
- New /api/tenant/* aggregation + SSE event bus (separate channel
from /api/desktop/events).
- Offline degradation UX when client(s) are offline.
- Account data consistency: client is SoT for account existence,
server stores projection; startup resync on upsert/delete.
- georankly:// deep links with installed-client detection fallback.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add configurable membership plans (free/plus/pro) synced to DB on boot, a
subscription guard middleware that blocks tenant endpoints on expired or
missing plans, and a MembershipBlockedView that surfaces the reason so
the admin can contact the tenant owner. Quota and brand-library reads now
honor the active plan's policy JSON and expired subscriptions.
Captures the full plan for replacing apps/browser-extension with an
Electron tray client: single main process with multi-session isolation,
embedded web-view login with OS-encrypted local cookie vault, CDP-based
LLM monitoring (no official APIs, cost-driven), unified PublishAdapter
and MonitorAdapter interfaces with dual-track updates (per-adapter patch
channel + full release channel), Playwright-grade tracing, new
/api/desktop/* protocol with SSE + 60s pull, and 5-arch multi-OS
packaging strategy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add a ?source=workspace|templates query param when opening the
generate page so the back button and the post-submit redirect return
to the originating page; invalidate articles + workspace caches on
success so the new article shows up immediately.
- Poll recent articles every 10s in WorkspaceView and TemplatesView
while any article is in queued/pending/generating/running, and stop
the timer once nothing is active.
- Mark the new article as generating inside the generation Submit
transaction so the client sees the right status as soon as the task
is queued.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add kolAssistURLResolver that fetches reference articles via the Ark
URL extractor when the user's description contains http(s) links, and
merges up to kolAssistReferenceContentMaxRunes of extracted content
into the generate description.
- Rewrite the generate user prompt into a strict template-authoring
brief: output only the final prompt template in Chinese, parameterize
variable info as {{placeholder}}, require at least 3 placeholders
when references exist, and cover goal/topic/title/structure/style/
interaction/constraints.
- Wire LLMConfig and logger through NewKolAssistService and the
handler.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Collect per-request auth diagnostics (header presence, scheme, token
fingerprint, failure stage/reason, subject, expiry) in the auth
middleware and expose them through RequestLogContextFromGin so the
shared logger middleware can emit them.
- Add route, query, user-agent, and referer fields to the request log.
- Log knowledge resolve outcome per stage (no_search_points,
no_candidate_text, no_active_candidates, rerank_failed_fallback,
resolved) with candidate/selected snippet previews and precise facts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Extract assist runtime (prompt building, response parsing, finalize)
from the worker into kol_assist_runtime so the sync streaming path
and the async task path share the same logic.
- Add POST /kol/manage/assist/stream as a Server-Sent Events endpoint
emitting start/delta/completed/error events, and wire it to a
streamAssist helper on kolManageApi that reports ApiClientError with
the server's error envelope.
- Stream generated content live in KolPromptEditor and KolGenerateView,
switching KolPromptEditArea to a boolean aiBusy flag and refining the
generator page layout.
- Add KolAssistStreamEvent to shared types.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add length/range limits to KOL variable definitions: max_length and
default_value for input/textarea, min_value/max_value/default_number
for number. Backend validates and normalizes; frontend renders limit
inputs in KolVariableConfig and applies limits at runtime in
KolDynamicForm.
- Sort workspace cards by most recent prompt/package update, falling
back to granted_at. Adds updated_at to KolWorkspaceCard.
- Polish TemplatesView, WorkspaceView, and KOL package management UI;
route create/update/publish/archive/delete toasts through i18n and
expand package form copy and status labels.
- Remove stale KnowledgeView.vue.patch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
9 TDD tasks, each with bite-sized steps and commit points:
validators → service → avatar upload → handlers/routes →
API client → i18n → persona card → view/route/nav → verify.
- Added `EnableWebSearch` and `KnowledgeGroupIDs` fields to `KolGenerationSubmitRequest`.
- Updated `Submit` method in `KolGenerationService` to handle new request fields.
- Integrated web search and knowledge group validation based on card configuration.
- Introduced caching mechanisms in `KolPackageService`, `KolPromptService`, and `KolSubscriptionAdminService` to improve performance.
- Implemented knowledge context resolution in `KolGenerationWorker` to enrich prompts with relevant knowledge snippets.
- Added utility functions for handling card configuration in both backend and frontend.
- Created tests for knowledge extraction and rendering to ensure accuracy and reliability.
- Updated the regex for placeholder matching to support more flexible key formats.
- Refactored variable storage to allow both ID and key lookups in rendering.
- Improved schema validation to check for duplicate keys and enforce non-empty keys.
- Added new utility functions for variable value lookup and display name generation.
- Enhanced tests to cover new key-based variable scenarios.
- Refactored KolPrompt repository to simplify prompt storage and management, including the removal of obsolete revision handling.
- Introduced new API endpoints for saving, activating, and archiving prompts.
- Added new utility functions for handling Kol placeholders and platform options in the admin web.
- Implemented database migrations to simplify prompt storage structure and ensure data integrity.