chiguyong
d6f3355e82
Merge branch 'feat/admin-ui-creator-review-status-order-payment' into master
Deploy EternalAI / deploy (push) Has been cancelled
2026-06-22 12:54:58 +08:00
chiguyong
cc0ced9858
feat: add admin UI, creator review status, and order payment flow
- U1: Admin login page with isolated token/state management (#admin hash route)
- U2: Admin review list + role detail page with approve/reject actions
- U3: Admin sync form, QR code display, and system config editor
- U4: Creator role cards show review status, run status, and QR code
- U5: Order API (POST/GET /api/orders, GET /api/orders/:id) with auth
- U6: Frontend payment flow calls POST /api/orders and shows real QR code
- Fix e2e test: add qrCodeUrl to synced test role for payment flow
2026-06-22 12:54:11 +08:00
chiguyong
c470ef8f3a
Merge branch 'feat/admin-review-hermes-sync' into master
Deploy EternalAI / deploy (push) Waiting to run
Merge admin review + Hermes sync feature + Hermes Server program
Includes:
- Admin review flow (pending_review → approved → synced)
- sync_token JWT authentication (HS256, 5-minute expiry, jti anti-replay)
- Standalone Hermes Server program (receives sync requests, generates QR codes, binds WeChat)
- ce-code-review security fixes (2 P0, 8 P1, 10 P2, 12 P3)
- All 20 integration tests pass
2026-06-22 10:56:54 +08:00
chiguyong
561a680771
feat(hermes-server): add Hermes Server with ce-code-review security fixes
Implements a standalone Hermes Server program, deployed on the Hermes server to receive EternalAI sync requests.
Main features:
- Receive EternalAI sync requests (POST /api/sync) and verify the sync_token (JWT HS256)
- Call back to EternalAI to pull the SOUL.md and config.yaml files
- Create profiles (filesystem storage, no database required)
- Generate QR code binding links (PNG)
- Provide the binding page and binding API (POST /api/bind/:profileId)
- Provide the profile management API (list/detail/delete/file download)
- Health check endpoint
ce-code-review security fixes (2 P0, 8 P1, 10 P2, 12 P3):
- P0: SSRF protection: use the ETERNALAI_BASE_URL environment variable; do not trust filePullBaseUrl from the request body
- P0: profileId path traversal protection: regex validation /^hermes_[a-f0-9]{24}$/
- P1: Atomic file writes (temporary directory + rename)
- P1: Binding race condition fix (atomic alreadyBound check)
- P1: jti replay protection (in-memory Map + 5-minute TTL)
- P1: Idempotent deduplication (findByRoleId; a repeated sync deletes before re-creating)
- P1: Production fail-fast (throw when HERMES_ADMIN_TOKEN is not set)
- P1: Constant-time comparison of the admin token (crypto.timingSafeEqual)
- P1: trust proxy fix (loopback only)
- P1: IP allowlist uses socket.remoteAddress
- P2: CORS origin restriction (ALLOWED_ORIGINS)
- P2: Body size limit (1MB)
- P2: configYaml non-empty validation
- P2: QR code generation order (create the profile first, then generate the QR code)
- P2: Input validation (profileName length limit)
- P2: listProfiles fault tolerance
- P2: Health check does not leak syncSecretConfigured
- P2: SOUL.md/config.yaml restricted to local-machine access
- P2: try/catch on the binding page
- P2: req.body null check
- P3: JWT algorithm restriction (HS256 only)
- P3: Error type differentiation (504/502/500)
- P3: Content-Type fix (text/markdown, text/yaml)
- P3: 404 status code fix
- P3: form action escaping (encodeURIComponent)
- P3: deploy.sh path fix + package-lock.json + npm ci
Tests: all 20 integration tests pass (end-to-end verification of sync, QR code, binding, write protection, etc.)
2026-06-21 17:38:21 +08:00
chiguyong
a921f64ee0
fix(security): apply ce-code-review fixes (1 P0, 6 P1, 6 P2)
P0:
- sync-token.js: remove dead consumeSyncToken code, use crypto.randomBytes for jti
P1:
- admin-sync.js: add SSRF protection (protocol/host allowlist, block private IPs in prod)
- admin-sync.js: add POST /:roleId/reset for syncing state recovery
- admin-sync.js: use BASE_URL env var instead of forgeable Host header
- admin-sync.js: guard catch block to only rollback syncing->failed (not approved)
- admin-config.js: write-protect SYNC_SECRET from manual override
- admin-config.js: add updatedAt to PUT response
- roles.js: reset reviewStatus to pending_review when editing synced role
- roles.js: filter GET /:id by reviewStatus=synced
- scripts/migrate-existing-roles-to-synced.js: data migration for existing roles
P2:
- server.js: mock-hermes use explicit allowlist [development, test]
- auth.js: ADMIN_JWT_SECRET fail-fast in production
- hermes.js: unify error messages to Chinese
- admin-sync.js: do not leak err.message in response
- admin.js: validate pagination params (page/pageSize bounds)
All 54 E2E tests pass (19 admin-sync-flow + 35 existing).
2026-06-21 16:14:53 +08:00
chiguyong
848939dc21
feat: add admin review + Hermes sync workflow with sync_token auth
2026-06-21 15:25:01 +08:00
chiguyong
2055b62afd
fix(security): apply code review fixes and rewrite README
Deploy EternalAI / deploy (push) Failing after 29s
- fix(P1): prevent YAML injection in adaptToHermesConfig via yamlString() and sanitizeComment()
- fix(P2): add @@index([userId, createdAt]) to ApiKey model
- fix(P2): change Hermes error responses from text/plain to JSON
- fix(P2): set .env file permissions to 600 in setup-server.sh
- fix(P2): remove dead model fallback code
- fix(P2): unify API Key response naming (GET returns { apiKeys })
- fix(P3): add console.warn to fire-and-forget catch
- fix(P3): correct keyPrefix comment (8 -> 12 chars)
- fix(P3): move require() to file top in auth.js
- fix(P3): stop printing database password in setup-server.sh
- docs: rewrite README with architecture, operation flow, and Hermes interaction flow
2026-06-21 14:05:37 +08:00
chiguyong
6037bf2bd6
feat: add Hermes Agent cross-machine deployment via CLI pull
2026-06-21 14:05:37 +08:00
chiguyong
d6f222c2e0
fix(security): resolve 2 P0 issues - hardcoded JWT secret and stored XSS
P0-1: JWT secret hardcoded fallback (src/lib/auth.js)
- Remove insecure hardcoded default 'eternalai_jwt_secret_2026_change_in_prod'
- Fail-fast in production: throw error if JWT_SECRET env var is missing
- Dev/test: print security warning and use dev-only temporary secret
P0-2: Stored XSS via innerHTML (app.js)
- Add escapeHtml() utility function (escapes & < > " ')
- Escape all user-controlled data in innerHTML templates:
- Role library list (id, displayName, desc, avatar, price)
- Creator center role list (id, displayName, avatar, status)
- Role detail price
- Income records (role, time)
- Error messages in catch blocks
All 35 E2E tests pass.
2026-06-21 14:05:37 +08:00
chiguyong
0028091f34
ci: add CI/CD deployment scripts with PM2, Nginx, and auto-setup
- Add ecosystem.config.js for PM2 process management
- Add deploy/setup-server.sh for one-shot server initialization (auto-detects OS, installs Node.js 20/PostgreSQL 15/PM2/Nginx)
- Add deploy/deploy.sh for repeatable deployments (pull -> install -> migrate -> reload -> health check)
- Add deploy/nginx.conf reverse proxy template with security headers
- Rewrite .gitea/workflows/deploy.yml with full CI/CD pipeline (checkout -> build -> migrate -> deploy -> health check)
- Add .env.example template with DATABASE_URL/JWT_SECRET/PORT/ALLOWED_ORIGINS
- Add docs/deployment.md (full deployment guide) and docs/business-processes.md
- Update package.json scripts (db:generate, test:e2e, deploy)
- Add logs/ to .gitignore
2026-06-21 14:05:37 +08:00
chiguyong
0bcba03393
test: add 35 E2E tests (auth/roles/creator/navigation) and fix temperature validation bug
2026-06-21 14:05:37 +08:00
chiguyong
6234c27138
feat: add PostgreSQL + JWT backend, fix 4 critical issues (auth/role persistence/edit/library)
2026-06-21 14:05:37 +08:00
chiguyong
9f4ee690db
chore: clean up repo structure and fix config
- Remove node_modules/ from git tracking (was committed by mistake)
- Delete stub files: src/index.js, scripts/deploy.sh (empty)
- Fix CI/CD: trigger on master (not main), remove nonexistent build step
- Rewrite README to match actual HTML5 SPA project
- Fix package.json: remove embedded credentials from repo URL
- Update .gitignore: add .DS_Store, *.log, .env
2026-06-21 14:05:37 +08:00
chigulong
a272c62b97
Merge master branch with actual project content
Deploy EternalAI / deploy (push) Failing after 3h0m0s
2026-06-20 20:07:26 +08:00
chigulong
18a46c9af5
Initial deployment setup with Express server and basic UI
2026-06-20 19:38:15 +08:00
chiguyong
5a7155ecbc
fix(a11y): improve accessibility across all views
- FAQ: add aria-expanded/aria-controls/role=region via initFaqA11y()
- TabBar/Auth/Center/Preview tabs: add role=tablist/tab/aria-selected
- View switching: focus management + aria-live announcement region
- Role cards: role=button, tabindex=0, Enter/Space keyboard support
- Login form: autocomplete=username/current-password (was off)
- Register form: autocomplete=username/new-password
- Add skip-link for keyboard users
- Add :focus-visible outlines on all interactive elements
- Improve placeholder contrast (0.45 → 0.7 opacity)
- Add prefers-reduced-motion media query
- Add aria-live=polite on dynamic role-list/income-list containers
- Add aria-label on all view sections
2026-06-20 18:40:51 +08:00
chigulong
0ac78360a1
Update README in main branch
2026-06-20 18:28:13 +08:00
chiguyong
7725cf1f65
feat: implement full navigation and PRD P2-P7 pages
- U1: "My" XXX routes by login state (not logged in → auth; logged in → role-library/creator-center)
- U2: Add role library page (P2), with role card list and empty state
- U3: Add role detail page (P3), with payment state toggle
- U4: Add About Eternal AI page (P5), with collapsible FAQ
- U5: Refactor creator onboarding page (P6) into WeChat contact guidance
- U6: Reposition the persona distillation form as creator center - role editing
- U7: Add creator management center (P7), with three tabs: roles/income/my
- U8: Add bottom tabBar navigation (Home/Distill Ex/My)
- U9: Unify showView routing, history back, and localStorage state persistence
2026-06-20 18:19:34 +08:00
Eternal AI Builder
d9d6404218
Add full feature and navigation rationality plan
2026-06-20 18:19:34 +08:00
chigulong
2a13044f12
Configure EternalAI project with Express server and deployment scripts
2026-06-20 18:13:44 +08:00
chigulong
4d1679045c
Merge branch 'master' of http://gitea.fischerai.cn/chigulong/EternalAI
2026-06-20 17:10:31 +08:00
chigulong
c91f49e1f7
Initial commit: EternalAI project setup
2026-06-20 17:10:06 +08:00
Eternal AI Builder
6ce6b8a464
Add distinct auth and distill-ex views per PRD
2026-06-20 17:01:20 +08:00
Eternal AI Builder
75d2271cbe
Adjust card/form margins and add CSS cache busting
2026-06-20 16:43:04 +08:00
Eternal AI Builder
7db0dab973
Initial commit: Eternal AI landing page and character creator
2026-06-20 16:30:12 +08:00
root
1710562c54
Initial commit
2026-06-20 16:21:57 +08:00