1. Fix missing spaces in cron job wake prompt string concatenation.
Python implicit string concatenation produced:
"...scheduled taskProceed..." and "...conversation.After..."
which sent garbled instructions to the LLM agent, causing unreliable
cron job execution.
2. Replace deprecated datetime.utcnow() with
datetime.now(datetime.timezone.utc) in JWT generation.
utcnow() is deprecated since Python 3.12 and returns naive datetime
which can cause incorrect token expiry on non-UTC systems.
Closes#6103Closes#6165
Co-authored-by: easonysliu <easonysliu@tencent.com>
* feat(extension): add PluginSortControl reusable component for sorting
* i18n: add i18n keys for plugin sorting and filtering features
* feat(extension): add sorting and status filtering for installed plugins
Backend changes (plugin.py):
- Add _resolve_plugin_dir method to resolve plugin directory path
- Add _get_plugin_installed_at method to get installation time from file mtime
- Add installed_at field to plugin API response
Frontend changes (InstalledPluginsTab.vue):
- Import PluginSortControl component
- Add status filter toggle (all/enabled/disabled) using v-btn-toggle
- Integrate PluginSortControl for sorting options
- Add toolbar layout with actions and controls sections
Frontend changes (MarketPluginsTab.vue):
- Import PluginSortControl component
- Replace v-select + v-btn combination with unified PluginSortControl
Frontend changes (useExtensionPage.js):
- Add installedStatusFilter, installedSortBy, installedSortOrder refs
- Add installedSortItems and installedSortUsesOrder computed properties
- Add sortInstalledPlugins function with multi-criteria support
- Support sorting by install time, name, author, and update status
- Add status filtering in filteredPlugins computed property
- Disable default table sorting by setting sortable: false
* test: add tests for installed_at field in plugin API
- Assert all plugins have installed_at field in get_plugins response
- Assert installed_at is not null after plugin installation
* fix(extension): add explicit fallbacks for installed plugin sort comparisons
* i18n(extension): rename install time label to last modified
* fix(extension): cache installed_at parsing and validate timestamp format in tests
* test(dashboard): strengthen installed_at coverage for plugin API
* fix: prevent crash on malformed MCP server config (#5666)
* fix: prevent crash on malformed MCP server config (#5666)
* fix: validate MCP connection before persisting server config
* fix: guard mcpServers type before iterating server list
* refactor: use typed empty-config error and extract MCP rollback helper
* fix: translate error messages and comments to English for consistency
---------
Co-authored-by: Soulter <905617992@qq.com>
* feat(skills): add batch upload functionality for multiple skill ZIP files
- Implemented a new endpoint for batch uploading skills.
- Enhanced the SkillsSection component to support multiple file selection and drag-and-drop functionality.
- Updated localization files for new upload features and messages.
- Added tests to validate batch upload behavior and error handling.
* feat(skills): improve batch upload handling and enhance accessibility for dropzone
* feat(skills): enhance batch upload process and improve UI for better user experience
* feat(skills): enhance skills upload dialog layout and styling for improved usability
* feat(skills): update upload dialog description styling for better visibility and usability
* feat(skills): improve upload dialog button styling and layout for enhanced usability
* feat(skills): refine upload dialog text for clarity and consistency
* feat(skills): enhance batch upload functionality by ignoring __MACOSX entries and improving upload dialog styling
* feat(skills): refactor upload dialog and button styles for improved consistency and usability
---------
Co-authored-by: whatevertogo <whatevertogo@users.noreply.github.com>
* refactor: bundled webui static files into wheel and replace astrbot cli log with English
- Translated and standardized log messages in cmd_conf.py for better clarity.
- Updated initialization logic in cmd_init.py to provide clearer user prompts and error handling.
- Improved plugin management commands in cmd_plug.py with consistent language and error messages.
- Enhanced run command in cmd_run.py with clearer status messages and error handling.
- Updated utility functions in basic.py and plugin.py to improve readability and maintainability.
- Added version comparison logic in version_comparator.py with clearer comments.
- Enhanced logging configuration in log.py to suppress noisy loggers.
- Updated the updater logic in updator.py to provide clearer error messages for users.
- Improved IO utility functions in io.py to handle dashboard versioning more effectively.
- Enhanced dashboard server logic in server.py to prioritize bundled assets and improve user feedback.
- Updated pyproject.toml to include bundled dashboard assets and custom build hooks.
- Added a custom build script (hatch_build.py) to automate dashboard builds during package creation.
* refactor: improve exception messages and formatting in CLI command validation
* perf: change npm install to npm ci for consistent dependency installation
* fix
* fix: resolve MCP tools race condition causing 'completion 无法解析' error
- Wait for MCP client initialization to complete before accepting requests
- Add Future-based synchronization in init_mcp_clients()
- Prevent tool_calls from being rejected due to empty func_list
- Improve error logging for MCP initialization failures
Fixes race condition where AI attempts to call MCP tools before they are
registered, resulting in 'API 返回的 completion 无法解析' exceptions.
The issue occurred because:
1. MCP clients were initialized asynchronously without waiting
2. System accepted user requests immediately after startup
3. AI received empty tool list and attempted to call non-existent tools
4. Tool matching failed, causing parsing errors
This fix ensures all MCP tools are loaded before the system processes
any requests that might use them.
* perf: add timeout and better error handling for MCP initialization
- Add 20-second total timeout to prevent slow MCP servers from blocking startup
- Show detailed configuration info when MCP initialization fails
- List all failed services in a summary warning
- Gracefully handle timeout by using already-completed services
This ensures that even if some MCP servers are slow or unreachable,
the system will start within a reasonable time and provide clear
feedback about which services failed and why.
* refactor: simplify MCP init orchestration and improve log security
- Replace Future-based sync with asyncio.wait + name→task mapping
- Explicitly cancel timed-out tasks after 20s timeout
- Downgrade sensitive config details (command/args/URL) to debug level
- Move urllib.parse import to top-level
* fix: prevent initialized MCP clients from being cleaned up on timeout
- Do not cancel pending tasks on timeout; let them continue running
in the background waiting for the termination signal (event.set()),
so successfully initialized services remain available
- Track initialization state with a flag to distinguish init failures
from post-init cancellations in _init_mcp_client_task_wrapper
* fix: restore task cancellation on timeout per review feedback
Pending tasks in asyncio.wait are tasks that have NOT completed
initialization within 20s, so cancelling them is safe and correct.
* fix: separate init signal from client lifetime in MCP task wrapper
The previous design awaited task completion, but tasks only finish
on shutdown (after event.wait()), causing asyncio.wait to always
hit the 20s timeout and cancel all clients.
Fix: introduce a dedicated ready_event that is set immediately after
_init_mcp_client completes. init_mcp_clients now waits only for
ready_event (with 20s timeout), while the long-lived client task
continues running in the background until shutdown_event is set.
This ensures startup returns promptly once clients are ready.
* security: redact sensitive MCP config from debug logs
Only log executable name and argument count instead of full
command/args to avoid leaking tokens or credentials even at
debug level.
* refactor: use McpClientInfo dataclass and MCP_INIT_TIMEOUT constant
- Extract MCP_INIT_TIMEOUT = 20.0 as a named module-level constant
- Replace tuple-based client_info with _McpClientInfo dataclass to
eliminate index-based access and improve readability
- Remove _wait_ready helper; use asyncio.create_task(event.wait()) directly
- Await cancelled tasks after timeout to prevent lingering background
tasks and unobserved exceptions
* fix: handle CancelledError and clean up wait_tasks on timeout
- Catch asyncio.CancelledError separately in _init_mcp_client_task_wrapper
so ready_event.set() is always called (Python 3.8+ CancelledError
inherits BaseException, not Exception)
- Cancel and await lingering wait_tasks after timeout to prevent
them from hanging indefinitely when ready_event is never set
* fix: align enable_mcp_server with new wrapper API and fix security/config issues
- Fix enable_mcp_server to pass shutdown_event + ready_event instead of
ready_future, matching _init_mcp_client_task_wrapper's current signature
- Cancel and await init_task on timeout; clean up mcp_client_event on failure
- Read MCP_INIT_TIMEOUT from env var ASTRBOT_MCP_INIT_TIMEOUT (default 20s)
so operators can tune it without code changes
- Strip userinfo from URL in debug log (use hostname+port only, not netloc)
to avoid leaking credentials embedded in URLs
* refactor: register mcp_client_event only after successful init in enable_mcp_server
Move self.mcp_client_event[name] assignment to after initialization
succeeds, so callers never observe a stale event for a failed client.
* fix: harden MCP init state handling and timeout parsing
* fix: improve MCP timeout and post-init error observability
* refactor: simplify MCP init lifecycle orchestration
* refactor: simplify MCP init flow and cap timeout values
* fix: refine mcp timeout handling and lifecycle task tracking
* fix: harden mcp shutdown and timeout source logging
* refactor: simplify mcp runtime registry and timeout flow
* fix: keep mcp init summary return contract
* refactor: streamline mcp lifecycle and init errors
* refactor: unify mcp lifecycle wait handling
* refactor: simplify mcp runtime ownership and timeout resolution
* fix: harden mcp shutdown waiting and startup signaling
* refactor: streamline mcp lifecycle and shutdown errors
* refactor: harden mcp runtime access and shutdown
* fix: ensure mcp client cleanup and clarify views
* refactor: cache mcp client view and guard startup
* refactor: simplify mcp init cleanup and runtime lock
* refactor: reduce mcp runtime duplication
* refactor: reuse mcp cleanup and client view
---------
Co-authored-by: idiotsj <idiotsj@users.noreply.github.com>
Co-authored-by: 邹永赫 <1259085392@qq.com>
* fix: resolve unhandled UTC timezone offset for timestamps in conversation records
* fix: standardize timezone imports
* fix: unify UTC datetime normalization in dashboard routes
---------
Co-authored-by: 邹永赫 <1259085392@qq.com>
expose skill source metadata and sandbox cache status in the skills API
response so the dashboard can distinguish local, sandbox-only, and
synced skills.
prevent enabling, disabling, or deleting sandbox-only preset skills in
both backend guards and UI actions to avoid invalid local operations.
add source badges, discovery-pending hinting for sandbox runtime, and
new i18n strings for source labels and readonly warnings.
* feat: implement websockets transport mode selection for chat
- Added transport mode selection (SSE/WebSocket) in the chat component.
- Updated conversation sidebar to include transport mode options.
- Integrated transport mode handling in message sending logic.
- Refactored message sending functions to support both SSE and WebSocket.
- Enhanced WebSocket connection management and message handling.
- Updated localization files for transport mode labels.
- Configured Vite to support WebSocket proxying.
* feat(webchat): refactor message parsing logic and integrate new parsing function
* feat(chat): add websocket API key extraction and scope validation
Add backend routes to delete neo candidates and releases with optional
reason support and demo mode protection.
Expose delete actions in the Skills dashboard for candidate and release
rows, refresh data after success, and add localized success/failure
messages in en-US and zh-CN.
* fix(dashboard): 强化 API Key 复制临时节点清理逻辑
* fix(embedding): 自动检测改为探测 OpenAI embedding 最大可用维度
* fix: normalize openai embedding base url and add hint key
* i18n: add embedding_api_base hint translations
* i18n: localize provider embedding/proxy metadata hints
* fix: show provider-specific embedding API Base URL hint as field subtitle
* fix(embedding): cap OpenAI detect_dim probes with early short-circuit
* fix(dashboard): return generic error on provider adapter import failure
* 回退检测逻辑
* feat: add stop functionality for active agent sessions and improve handling of stop requests
* feat: update stop button icon and tooltip in ChatInput component
* fix: correct indentation in tool call handling within ChatRoute class
* feat: add Anthropic Claude Code OAuth provider and adaptive thinking support
* fix: add defensive guard for metadata overrides and align budget condition with docs
* refactor: adopt sourcery-ai suggestions for OAuth provider
- Use use_api_key=False in OAuth subclass to avoid redundant
API-key client construction before replacing with auth_token client
- Generalize metadata override helper to merge all dict keys
instead of only handling 'limit', improving extensibility
* feat: astrbot http api
* Potential fix for code scanning alert no. 34: Use of a broken or weak cryptographic hashing algorithm on sensitive data
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix: improve error handling for missing attachment path in file upload
* feat: implement paginated retrieval of platform sessions for creators
* feat: refactor attachment directory handling in ChatRoute
* feat: update API endpoint paths for file and message handling
* feat: add documentation link to API key management section in settings
* feat: update API key scopes and related configurations in API routes and tests
* feat: enhance API key expiration options and add warning for permanent keys
* feat: add UTC normalization and serialization for API key timestamps
* feat: implement chat session management and validation for usernames
* feat: ignore session_id type chunks in message processing
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* feat: add support for plugin astrbot-version and platform requirement checks
* fix: remove unsupported platform and version constraints from metadata.yaml
* fix: remove restriction on 'v' in astrbot_version specification format
* ruff format
* ci: remove Electron desktop build from release pipeline
* chore: remove electron desktop and switch to tauri release trigger
* ci: remove desktop workflow dispatch trigger
* refactor: migrate data paths to astrbot_path helpers
* fix: point desktop update prompt to AstrBot-desktop releases
When saving config with shipyard_neo sandbox, _validate_neo_connectivity()
performs an async /health check against the Bay endpoint. If Bay is
unreachable, a ⚠️ warning is appended to the success snackbar message.
Config still saves successfully — the warning is informational only.
- Add _discover_bay_credentials() auto-discovery in _get_neo_client_config()
- Catch ValueError separately in _with_neo_client(), log at DEBUG instead of
ERROR with full traceback — prevents log spam when visiting Skills page
without Bay configured
extract shared promote/sync orchestration into `NeoSkillSyncManager` so
computer tools and dashboard routes use the same rollback and error logic
add a reusable neo tool base runner to remove duplicated admin checks and
try/catch handling across skill-related tools, keeping responses consistent
factor sync result serialization into a single helper and reuse it where
stable release sync output is returned
extract a shared `_with_neo_client` wrapper to handle neo client
setup, teardown, and error responses in one place.
reduce duplicated try/except and `BayClient` context boilerplate across
neo skills endpoints while preserving existing request validation and
response payloads.
Add _log_computer_config_changes() to detect and log modifications to
computer_use_runtime and sandbox.* keys when saving config via Dashboard.
Sensitive fields (tokens/secrets) are masked in log output.
Stable Genius
Soulter
Flartiny
eason
orbisai0security
邹永赫
エイカク
ChuwuYo
sanyekana
whatevertogo
Soulter
SJ
RC-CHN
WintryWind
LIghtJUNction
exynos
Raven95676
Minidoracat
whatevertogo
zenfun
Ruochen Pan
Waterwzy