@abtnode/core 1.16.47-beta-20250805-140707-3a4df7fd → 1.16.47-beta-20250808-102837-d10f3b40

package/lib/blocklet/manager/disk.js

@@ -435,33 +435,31 @@ class DiskBlockletManager extends BaseBlockletManager {
     await this.ensureAutoBackupJobs();
     await this.ensureAutoCheckUpdateJobs();
 
-    if (process.env.ABT_NODE_ENABLE_ENSURE_BLOCKLET_RUNNING !== 'ignore') {
-      ensureBlockletRunning.initialize({
-        restart: async (params) => {
-          await this.restart(params);
-        },
-        stop: async (params) => {
-          await this.stop(params);
-        },
-        createAuditLog: (params) => this.createAuditLog(params),
-        notification: (did, title, description, severity) => {
-          try {
-            this._createNotification(did, {
-              title,
-              description,
-              action: `/blocklets/${did}/overview`,
-              blockletDashboardAction: `${WELLKNOWN_SERVICE_PATH_PREFIX}/admin/blocklets`,
-              entityType: 'blocklet',
-              entityId: did,
-              severity,
-            });
-          } catch (err) {
-            logger.error('create notification failed', { err });
-          }
-        },
-        checkSystemHighLoad: (...args) => this.nodeAPI.runtimeMonitor.checkSystemHighLoad(...args),
-      });
-    }
+    ensureBlockletRunning.initialize({
+      restart: async (params) => {
+        await this.restart(params);
+      },
+      stop: async (params) => {
+        await this.stop(params);
+      },
+      createAuditLog: (params) => this.createAuditLog(params),
+      notification: (did, title, description, severity) => {
+        try {
+          this._createNotification(did, {
+            title,
+            description,
+            action: `/blocklets/${did}/overview`,
+            blockletDashboardAction: `${WELLKNOWN_SERVICE_PATH_PREFIX}/admin/blocklets`,
+            entityType: 'blocklet',
+            entityId: did,
+            severity,
+          });
+        } catch (err) {
+          logger.error('create notification failed', { err });
+        }
+      },
+      checkSystemHighLoad: (...args) => this.nodeAPI.runtimeMonitor.checkSystemHighLoad(...args),
+    });
   }
 
   async ensureJobs({ queue, getJobId, find, entity, action, interval, restoreCancelled }) {
@@ -922,7 +920,6 @@ class DiskBlockletManager extends BaseBlockletManager {
               nodeInfo,
               env,
               ...hookArgs,
-              timeout: 20000,
             });
           }
           return hooks[hookName](b, {

package/lib/blocklet/manager/ensure-blocklet-running.js

@@ -12,16 +12,10 @@ const inProgressStatuses = [BlockletStatus.stopping, BlockletStatus.restarting,
 class EnsureBlockletRunning {
   initialized = false;
 
-  firstChecked = false;
+  whenCycleCheck = false;
 
   // 每次任务的最小间隔时间
-  checkInterval = +process.env.ABT_NODE_ENSURE_RUNNING_CHECK_INTERVAL || 60 * 1000;
-
-  // 首次任务的延迟时间
-  deferredTime = +process.env.ABT_NODE_ENSURE_RUNNING_DEFERRED_TIME || 30 * 1000;
-
-  // 每个重启任务（did + componentDids）的重启间隔为 2 min，如果 2 min 内重启过，就不会再重启
-  restartInterval = 1000 * 60 * 2;
+  checkInterval = +process.env.ABT_NODE_ENSURE_RUNNING_CHECK_INTERVAL || 180 * 1000;
 
   everyBlockletCheckInterval = 2000;
 
@@ -41,7 +35,7 @@ class EnsureBlockletRunning {
 
   fakeRunningBlocklets = {};
 
-  fakeRunningBlockletsTimes = {};
+  needRestartBlocklets = {};
 
   restartingBlocklets = {};
 
@@ -52,23 +46,36 @@ class EnsureBlockletRunning {
   // Ease to mock
   isBlockletPortHealthy = isBlockletPortHealthy;
 
-  isBlockletPortHealthyWithRetries = async (blocklet, isDoing = false) => {
+  isBlockletPortHealthyWithRetries = async (blocklet, fastCheck = false) => {
     let error;
-    const maxAttempts = this.firstChecked ? 10 : 2;
-    const timeout = this.firstChecked ? 6000 : 3000;
+    if (!this.whenCycleCheck) {
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        await this.isBlockletPortHealthy(blocklet, {
+          minConsecutiveTime: 200,
+          timeout: 1000,
+        });
+        return true;
+      } catch (e) {
+        logger.error('blocklet port is not healthy', e);
+      }
+      return false;
+    }
 
-    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    for (let attempt = 0; attempt < 10; attempt++) {
       try {
         // eslint-disable-next-line no-await-in-loop
         await this.isBlockletPortHealthy(blocklet, {
           minConsecutiveTime: 3000,
-          timeout,
+          timeout: 6000,
         });
         return true;
       } catch (e) {
         error = e;
         // eslint-disable-next-line no-await-in-loop
-        await sleep(isDoing ? this.everyBlockletDoingInterval : this.everyBlockletCheckInterval);
+        await sleep(
+          fastCheck && this.whenCycleCheck ? this.everyBlockletDoingInterval : this.everyBlockletCheckInterval
+        );
       }
     }
     logger.error('blocklet port is not healthy', error);
@@ -91,7 +98,9 @@ class EnsureBlockletRunning {
     this.checkSystemHighLoad = checkSystemHighLoad;
     logger.info('check and fix blocklet status interval', this.checkInterval);
     const task = async () => {
-      await sleep(this.checkInterval);
+      if (this.whenCycleCheck) {
+        await sleep(this.checkInterval);
+      }
       try {
         await this.checkAndFix();
       } catch (e) {
@@ -116,91 +125,72 @@ class EnsureBlockletRunning {
 
   checkAndFix = async () => {
     logger.info('check and fix blocklet status');
-    if (process.env.ABT_NODE_RESTART_RUNNING_COMPONENT === '1') {
-      logger.info('skip check and fix blocklet status because ABT_NODE_RESTART_RUNNING_COMPONENT is 1');
-      return;
-    }
-
     const systemHighLoad = this.checkSystemHighLoad({
       maxCpus: this.highLoadCpu,
       maxMem: this.highLoadMemory,
       maxDisk: this.highLoadDisk,
     });
 
-    if (systemHighLoad.isHighLoad) {
+    if (this.whenCycleCheck && systemHighLoad.isHighLoad) {
       logger.warn('Skip once ensure blocklet running because system high load', systemHighLoad);
       return;
     }
+
     this.runningBlocklets = {};
     this.fakeRunningBlocklets = {};
-    this.fakeRunningBlockletsTimes = {};
+    this.needRestartBlocklets = {};
 
+    const startTime = Date.now();
     try {
       await this.getRunningBlocklets();
       await this.getFakeRunningBlocklets();
-      if (process.env.ABT_NODE_ENSURE_RUNNING_SET_FAKE_RUNNING_TO_WAITING === '1') {
+      if (!this.whenCycleCheck) {
         await this.setFakeRunningToWaiting();
       }
       await this.restartFakeRunningBlocklets();
     } catch (e) {
       logger.error('ensure blocklet status failed', e);
     }
+    logger.info(
+      `ensure blocklet status finished in ${Date.now() - startTime}ms. It's server first start: ${!this.whenCycleCheck}`
+    );
     this.runningRootBlocklets = {};
-    this.firstChecked = true;
+    this.whenCycleCheck = true;
   };
 
   getRunningBlocklets = async () => {
-    const blocklets = await this.states.blocklet.getBlocklets({
-      status: { $in: [BlockletStatus.running, BlockletStatus.waiting, BlockletStatus.starting] },
-    });
-    for (const realBlocklet of blocklets) {
-      const { did } = realBlocklet.meta;
-      if (realBlocklet.children) {
-        for (const childBlocklet of realBlocklet.children) {
-          if (childBlocklet.status === BlockletStatus.running || childBlocklet.status === BlockletStatus.waiting) {
-            if (!this.runningBlocklets[did]) {
-              this.runningBlocklets[did] = [];
-            }
-            if (this.runningBlocklets[did].find((b) => b.meta.did === childBlocklet.meta.did)) {
-              continue;
-            }
-            this.runningBlocklets[did].push(childBlocklet);
-            this.runningRootBlocklets[did] = realBlocklet;
-          }
-        }
-      }
-    }
-
-    const blockletDoings = await this.states.blocklet.getBlocklets({
-      status: {
-        $in: inProgressStatuses,
-      },
-    });
+    const runningStatuses = this.whenCycleCheck
+      ? [BlockletStatus.running, BlockletStatus.waiting, BlockletStatus.starting]
+      : [BlockletStatus.running, BlockletStatus.waiting, BlockletStatus.starting, BlockletStatus.error];
 
-    for (const rootBlocklet of blockletDoings) {
+    const blocklets = await this.states.blocklet.getBlocklets();
+    for (const rootBlocklet of blocklets) {
       const { did } = rootBlocklet.meta;
       if (rootBlocklet.children) {
         for (const childBlocklet of rootBlocklet.children) {
-          if (inProgressStatuses.includes(childBlocklet.status)) {
-            if (this.runningBlocklets[did]?.find((b) => b.meta.did === childBlocklet.meta.did)) {
-              continue;
-            }
+          const isRunning = runningStatuses.includes(childBlocklet.status);
+          const isInProgress = inProgressStatuses.includes(childBlocklet.status);
+          if (isRunning || isInProgress) {
             if (!this.runningBlocklets[did]) {
               this.runningBlocklets[did] = [];
             }
+            if (this.runningBlocklets[did].find((b) => b.meta.did === childBlocklet.meta.did)) {
+              continue;
+            }
             this.runningBlocklets[did].push(childBlocklet);
+            this.runningRootBlocklets[did] = rootBlocklet;
           }
         }
       }
     }
+
     logger.info('get running blocklets', Object.keys(this.runningBlocklets).length);
   };
 
   getFakeRunningBlocklets = async () => {
-    this.fakeRunningBlocklets = {};
-    const blockletDids = Object.keys(this.runningBlocklets);
+    const rootDids = Object.keys(this.runningBlocklets);
     await pAll(
-      blockletDids.map((did) => {
+      rootDids.map((did) => {
         return async () => {
           const blocklets = this.runningBlocklets[did];
           // eslint-disable-next-line
@@ -241,7 +231,7 @@ class EnsureBlockletRunning {
           );
         };
       }),
-      { concurrency: 3 }
+      { concurrency: 8 }
     );
 
     logger.info('get fake running blocklets', Object.keys(this.fakeRunningBlocklets).length);
@@ -257,7 +247,9 @@ class EnsureBlockletRunning {
       blockletDids.map((did) => {
         return async () => {
           const blocklets = this.fakeRunningBlocklets[did];
-          const componentDids = blocklets.filter((b) => b.status === BlockletStatus.running).map((b) => b.meta.did);
+          const componentDids = blocklets
+            .filter((b) => b.status === BlockletStatus.running || b.status === BlockletStatus.waiting)
+            .map((b) => b.meta.did);
           try {
             // eslint-disable-next-line
             await this.states.blocklet.setBlockletStatus(did, BlockletStatus.waiting, { componentDids });
@@ -266,17 +258,11 @@ class EnsureBlockletRunning {
           }
         };
       }),
-      { concurrency: 4 }
+      { concurrency: 8 }
     );
   };
 
   restartFakeRunningBlocklets = async () => {
-    for (const key of Object.keys(this.restartingBlocklets)) {
-      if (Date.now() - this.restartingBlocklets[key] > this.restartInterval) {
-        delete this.restartingBlocklets[key];
-      }
-    }
-
     // blocklet 一组组重启
     const blockletDids = Object.keys(this.fakeRunningBlocklets);
     await pAll(
@@ -286,7 +272,8 @@ class EnsureBlockletRunning {
           const componentDids = blocklets.map((b) => b.meta.did);
           if (componentDids.length > 0) {
             const key = `${did}-${componentDids.join('-')}`;
-            if (this.restartingBlocklets[key]) {
+            this.needRestartBlocklets[key] = true;
+            if (this.restartingBlocklets[key] && this.restartingBlocklets[key] + this.checkInterval < Date.now()) {
               return;
             }
             this.restartingBlocklets[key] = Date.now();
@@ -294,31 +281,36 @@ class EnsureBlockletRunning {
             const blockletDisplayName = this.getDisplayNameByRootDid(did);
             const restartTitle = 'Blocklet health check failed';
             const restartDescription = `Blocklet ${blockletDisplayName} with components ${componentDids.map((v) => this.getDisplayName(blocklets.find((b) => b.meta.did === v))).join(', ')} health check failed, restarting...`;
-            this.notification(did, restartTitle, restartDescription, 'warning');
+            if (this.whenCycleCheck) {
+              this.notification(did, restartTitle, restartDescription, 'warning');
+            }
 
             try {
               logger.info('restart blocklet:', did, componentDids);
               await this.restart({ did, componentDids, checkHealthImmediately: true });
-              this.createAuditLog({
-                action: 'ensureBlockletRunning',
-                args: {
-                  teamDid: did,
-                  componentDids,
-                },
-                context: {
-                  user: {
-                    did,
-                    role: 'daemon',
-                    blockletDid: did,
-                    fullName: blockletDisplayName,
-                    elevated: false,
+              if (this.whenCycleCheck) {
+                this.createAuditLog({
+                  action: 'ensureBlockletRunning',
+                  args: {
+                    teamDid: did,
+                    componentDids,
                   },
-                },
-                result: {
-                  title: restartTitle,
-                  description: restartDescription,
-                },
-              });
+                  context: {
+                    user: {
+                      did,
+                      role: 'daemon',
+                      blockletDid: did,
+                      fullName: blockletDisplayName,
+                      elevated: false,
+                    },
+                  },
+                  result: {
+                    title: restartTitle,
+                    description: restartDescription,
+                  },
+                });
+              }
+
               delete this.restartingBlocklets[key];
             } catch (e) {
               logger.error('restart blocklet failed', did, componentDids, e);
@@ -327,15 +319,16 @@ class EnsureBlockletRunning {
               }
               this.errorStartBlocklets[key] += 1;
 
-              // 如果重启失败次数超过 3 次，则设置为 stopped
-              if (this.errorStartBlocklets[key] >= 3) {
+              // 如果重启失败次数超过 3 次，则发送通知, 如果 server 是第一次启动遇到失败，则立刻发送通知
+              if (this.errorStartBlocklets[key] >= 3 || !this.whenCycleCheck) {
                 const title = 'Restart blocklet failed when health check failed';
                 const description = `Restart blocklet ${blockletDisplayName} with components ${componentDids.map((v) => this.getDisplayName(blocklets.find((b) => b.meta.did === v))).join(', ')} failed`;
                 this.notification(did, title, description, 'error');
                 delete this.errorStartBlocklets[key];
-                logger.error('restart many times blocklet failed, set stopped', did, componentDids, e);
+                logger.error('restart many times blocklet failed', did, componentDids, e);
                 try {
-                  await this.stop({ did, componentDids });
+                  // 失败了应该保持 error 状态
+                  await this.states.blocklet.setBlockletStatus(did, BlockletStatus.error, { componentDids });
                   this.createAuditLog({
                     action: 'ensureBlockletRunning',
                     args: {
@@ -358,14 +351,14 @@ class EnsureBlockletRunning {
                     },
                   });
                 } catch (err) {
-                  logger.error('set blocklet stopped failed', did, componentDids, err);
+                  logger.error('ensure blocklet running, create audit log failed', did, componentDids, err);
                 }
               }
             }
           }
         };
       }),
-      { concurrency: 2 }
+      { concurrency: 8 }
     );
   };
 }

package/lib/blocklet/migration-dist/migration.cjs

@@ -38918,7 +38918,7 @@ module.exports = require("zlib");
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.46","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.46","@abtnode/auth":"1.16.46","@abtnode/certificate-manager":"1.16.46","@abtnode/client":"1.16.46","@abtnode/constant":"1.16.46","@abtnode/cron":"1.16.46","@abtnode/db-cache":"1.16.46","@abtnode/docker-utils":"1.16.46","@abtnode/logger":"1.16.46","@abtnode/models":"1.16.46","@abtnode/queue":"1.16.46","@abtnode/rbac":"1.16.46","@abtnode/router-provider":"1.16.46","@abtnode/static-server":"1.16.46","@abtnode/timemachine":"1.16.46","@abtnode/util":"1.16.46","@aigne/aigne-hub":"^0.2.2","@arcblock/did":"1.21.0","@arcblock/did-auth":"1.21.0","@arcblock/did-ext":"1.21.0","@arcblock/did-motif":"^1.1.14","@arcblock/did-util":"1.21.0","@arcblock/event-hub":"1.21.0","@arcblock/jwt":"1.21.0","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"1.21.0","@arcblock/vc":"1.21.0","@blocklet/constant":"1.16.46","@blocklet/did-space-js":"^1.1.13","@blocklet/env":"1.16.46","@blocklet/error":"^0.2.5","@blocklet/meta":"1.16.46","@blocklet/resolver":"1.16.46","@blocklet/sdk":"1.16.46","@blocklet/store":"1.16.46","@blocklet/theme":"^3.0.37","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.21.0","@ocap/util":"1.21.0","@ocap/wallet":"1.21.0","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","dayjs":"^1.11.13","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","p-wait-for":"^3.2.0","rate-limiter-flexible":"^5.0.5","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","slugify":"^1.6.6","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^11.1.0","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.46","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.46","@abtnode/auth":"1.16.46","@abtnode/certificate-manager":"1.16.46","@abtnode/client":"1.16.46","@abtnode/constant":"1.16.46","@abtnode/cron":"1.16.46","@abtnode/db-cache":"1.16.46","@abtnode/docker-utils":"1.16.46","@abtnode/logger":"1.16.46","@abtnode/models":"1.16.46","@abtnode/queue":"1.16.46","@abtnode/rbac":"1.16.46","@abtnode/router-provider":"1.16.46","@abtnode/static-server":"1.16.46","@abtnode/timemachine":"1.16.46","@abtnode/util":"1.16.46","@aigne/aigne-hub":"^0.4.6","@arcblock/did":"1.21.2","@arcblock/did-connect-js":"1.21.2","@arcblock/did-ext":"1.21.2","@arcblock/did-motif":"^1.1.14","@arcblock/did-util":"1.21.2","@arcblock/event-hub":"1.21.2","@arcblock/jwt":"1.21.2","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"1.21.2","@arcblock/vc":"1.21.2","@blocklet/constant":"1.16.46","@blocklet/did-space-js":"^1.1.14","@blocklet/env":"1.16.46","@blocklet/error":"^0.2.5","@blocklet/meta":"1.16.46","@blocklet/resolver":"1.16.46","@blocklet/sdk":"1.16.46","@blocklet/store":"1.16.46","@blocklet/theme":"^3.1.3","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.21.2","@ocap/util":"1.21.2","@ocap/wallet":"1.21.2","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","dayjs":"^1.11.13","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","p-wait-for":"^3.2.0","private-ip":"^2.3.4","rate-limiter-flexible":"^5.0.5","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","slugify":"^1.6.6","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^11.1.0","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
 
 /***/ }),
 

package/lib/monitor/node-runtime-monitor.js

@@ -234,7 +234,8 @@ class NodeRuntimeMonitor extends EventEmitter {
     if (cpus.some((v) => v > maxCpus) && memory > maxMem) {
       highType = 'cpu and memory';
     }
-    if (disks.some((v) => v > maxDisk)) {
+    // 1 表示虚拟盘，不参与计算
+    if (disks.some((v) => v !== 1 && v > maxDisk)) {
       highType = 'disk';
     }
     if (highType) {

package/lib/states/base.js

@@ -1,4 +1,6 @@
 const { BaseState } = require('@abtnode/models');
+const { isAllowedURL } = require('@abtnode/util/lib/ssrf-protector');
+const { CustomError } = require('@blocklet/error');
 const logger = require('@abtnode/logger')('@abtnode/core:states:base');
 
 const { isCLI } = require('../util');
@@ -20,6 +22,37 @@ class ExtendedBase extends BaseState {
   update(condition, updates, options) {
     return super.update(condition, updates, { returnUpdatedDocs: true, ...options });
   }
+
+  /**
+   * 验证输入的URL是否合法，如果非法禁止保存
+   */
+  async validateURL(urls = [], label = '') {
+    if (urls.length === 0) {
+      return true;
+    }
+    const validateResults = await Promise.all(
+      urls.map(async (url) => {
+        try {
+          const allowed = await isAllowedURL(url);
+          return { url, allowed };
+        } catch (error) {
+          logger.warn('URL validation failed', { url, error });
+          return { url, allowed: false };
+        }
+      })
+    );
+
+    const allowed = validateResults.every((item) => item.allowed);
+    if (!allowed) {
+      const invalidUrls = validateResults
+        .filter((result) => !result.allowed)
+        .map((result) => result.url)
+        .filter(Boolean);
+
+      throw new CustomError(400, `Invalid ${label || 'URLs'}: ${invalidUrls.join(', ')}`);
+    }
+    return true;
+  }
 }
 
 module.exports = ExtendedBase;

package/lib/states/user.js

@@ -121,6 +121,10 @@ class User extends ExtendBase {
       Object.assign(pending, await this._extractInviteInfo({ did, ...pending }));
     }
 
+    // 验证 webhooks 中 URL 是否合法
+    const webhooks = get(pending, 'extra.webhooks', []);
+    await this.validateURL(webhooks.map((x) => x.url));
+
     await super.update({ did }, { $set: pending });
     await Promise.all(
       (get(cloneData, 'passports') || [])

package/lib/states/webhook-endpoint.js

@@ -1,4 +1,6 @@
 const Joi = require('joi');
+const { CustomError } = require('@blocklet/error');
+
 const BaseState = require('./base');
 
 const webhookEndpointSchema = Joi.object({
@@ -41,6 +43,9 @@ const updateWebhookEndpointSchema = Joi.object({
  */
 class WebhookEndpointState extends BaseState {
   async create(input) {
+    // 校验非法的URL
+    await this.validateURL([input.url], 'webhook endpoint URL');
+
     await webhookEndpointSchema.validateAsync(input, { stripUnknown: true });
 
     const webhook = await this.insert(input);
@@ -55,7 +60,7 @@ class WebhookEndpointState extends BaseState {
   async updateWebhook(id, updates) {
     const doc = await this.findOne({ where: { id } });
     if (!doc) {
-      throw new Error('webhook endpoint not found');
+      throw new CustomError(400, 'webhook endpoint not found');
     }
 
     await updateWebhookEndpointSchema.validateAsync(updates, { stripUnknown: true });
@@ -67,7 +72,7 @@ class WebhookEndpointState extends BaseState {
   async deleteWebhook(id) {
     const doc = await this.findOne({ where: { id } });
     if (!doc) {
-      throw new Error('webhook endpoint not found');
+      throw new CustomError(400, 'webhook endpoint not found');
     }
 
     await this.remove({ id });

package/lib/states/webhook.js

@@ -9,6 +9,10 @@ const { validateWebhook } = require('../validators/webhook');
 class WebhookState extends BaseState {
   async create(info, { mock } = {}) {
     const { type, params } = info;
+
+    const urls = params.map((item) => item.value);
+    await this.validateURL(urls, 'webhook URLs');
+
     const filterParams = params.map((item) => {
       const data = {
         name: item.name,

package/lib/team/manager.js

@@ -495,7 +495,7 @@ class TeamManager extends EventEmitter {
       // 获取 notification state
       const notificationState = await this.getNotificationState(teamDid);
       if (!notificationState) {
-        throw new Error('notificationState not found');
+        return undefined;
       }
 
       // 检查通知是否已存在
@@ -505,7 +505,7 @@ class TeamManager extends EventEmitter {
 
       if (!receivers?.length && process.env.NODE_ENV !== 'test') {
         logger.warn('No valid receivers', { teamDid, receiver });
-        throw new Error('No valid receivers');
+        return undefined;
       }
 
       const notificationActor = notification?.activity?.actor || payload.activity?.actor;

package/lib/util/aigne-verify.js

@@ -49,7 +49,7 @@ const verifyAigneHub = async (config, blocklet) => {
     const { did, name } = blocklet.meta || {};
 
     const modelConfig = {
-      accessKey: decryptValue(config.key, did),
+      apiKey: decryptValue(config.key, did),
       model: !config.model || config.model === 'auto' ? undefined : config.model,
       url: baseUrl,
     };

package/lib/util/blocklet.js

@@ -21,7 +21,7 @@ const diff = require('deep-diff');
 const createArchive = require('archiver');
 const isUrl = require('is-url');
 const semver = require('semver');
-const { chainInfo: chainInfoSchema } = require('@arcblock/did-auth/lib/schema');
+const { chainInfo: chainInfoSchema } = require('@arcblock/did-connect-js/lib/schema');
 
 const urlPathFriendly = require('@blocklet/meta/lib/url-path-friendly').default;
 const { fromSecretKey, fromPublicKey } = require('@ocap/wallet');
@@ -145,7 +145,7 @@ const getBlockletEngineNameByPlatform = (meta) => getBlockletEngine(meta).interp
 const startLock = new DBCache(() => ({
   ...getAbtNodeRedisAndSQLiteUrl(),
   prefix: 'blocklet-start-locks2',
-  ttl: 1000 * 60 * 1,
+  ttl: 1000 * 60 * 3,
 }));
 
 const blockletCache = new DBCache(() => ({
@@ -737,6 +737,7 @@ const startBlockletProcess = async (
 
     if (b.mode === BLOCKLET_MODES.DEVELOPMENT) {
       options.env.NODE_ENV = e2eMode ? 'e2e' : 'development';
+      options.env.IS_E2E = e2eMode ? '1' : undefined;
       options.env.BROWSER = 'none';
       options.env.PORT = options.env[BLOCKLET_DEFAULT_PORT_NAME];
 
@@ -818,23 +819,21 @@ const startBlockletProcess = async (
      * @returns
      */
     async (b, { ancestors }) => {
-      const lockName = [
-        blocklet.meta.did,
-        blocklet.meta.version,
-        blocklet.meta.group,
-        b.meta.did,
-        b.meta.version,
-        b.meta.group,
-      ].join('__');
+      const lockName = `${blocklet.meta.did}-${b.meta.did}`;
 
+      // 如果锁存在，则跳过执行
+      if (!(await startLock.hasExpired(lockName))) {
+        return;
+      }
       await startLock.acquire(lockName);
+
       try {
         await startBlockletTask(b, { ancestors });
       } finally {
         startLock.releaseLock(lockName);
       }
     },
-    { parallel: true, concurrencyLimit: nodeInfo.enableDocker ? 2 : 4 }
+    { parallel: true, concurrencyLimit: 4 }
   );
 };
 

package/lib/util/docker/docker-exec-chown.js

@@ -12,7 +12,7 @@ const { createDockerImage } = require('./create-docker-image');
 
 const lockFile = new DBCache(() => ({
   prefix: 'docker-exec-chown-locks',
-  ttl: 1000 * 60 * 2,
+  ttl: 1000 * 60 * 3,
   ...getAbtNodeRedisAndSQLiteUrl(),
 }));
 
@@ -53,10 +53,14 @@ async function dockerExecChown({ name, dirs, code = 777, force = false }) {
       return `chmod ${code === 750 ? '' : '-R'} ${code} ${path.join(baseDir, dir.replace(process.env.ABT_NODE_DATA_DIR, ''))}`;
     })
     .join(' && ');
-  const realName = parseDockerName(name, 'docker-exec-chown');
-  const startTime = Date.now();
 
+  const startTime = Date.now();
+  const realName = parseDockerName(name, 'docker-exec-chown');
+  if (!(await lockFile.hasExpired(realName))) {
+    return;
+  }
   await lockFile.acquire(realName);
+
   try {
     await promiseSpawn(
       `docker rm -fv ${realName} > /dev/null 2>&1 || true && docker run --rm --name ${realName} ${volumes} ${image} sh -c '${command}'`,

package/lib/util/docker/docker-exec.js

@@ -2,10 +2,20 @@ const fs = require('fs').promises;
 const fse = require('fs-extra');
 const path = require('path');
 const promiseSpawn = require('@abtnode/util/lib/promise-spawn');
+const { DBCache, getAbtNodeRedisAndSQLiteUrl } = require('@abtnode/db-cache');
 const logger = require('@abtnode/logger')('@abtnode/docker-exec');
+
 const parseDockerOptionsFromPm2 = require('./parse-docker-options-from-pm2');
 const { checkDockerInstalled } = require('./check-docker-installed');
 
+const lock = new DBCache(() => {
+  return {
+    ...getAbtNodeRedisAndSQLiteUrl(),
+    prefix: 'docker-exec',
+    ttl: 1000 * 60 * 3,
+  };
+});
+
 async function dockerExec({
   blocklet,
   meta,
@@ -15,7 +25,7 @@ async function dockerExec({
   runScriptDir,
   runScriptParams,
   nodeInfo,
-  timeout = 10000,
+  timeout = 120_000,
   retry = 3,
   output,
   error,
@@ -40,8 +50,13 @@ async function dockerExec({
     await fs.writeFile(paramsFilePath, JSON.stringify(runScriptParams));
   }
 
-  const command = `sh -c 'cd $BLOCKLET_APP_DIR && ${script}'`;
+  const lockKey = `${blockletDid}-${meta.name}-${hookName}`;
+  if (!(await lock.hasExpired(lockKey))) {
+    return;
+  }
+  await lock.acquire(lockKey);
 
+  const command = `sh -c 'cd $BLOCKLET_APP_DIR && ${script}'`;
   const options = await parseDockerOptionsFromPm2({
     options: {
       name: `${blockletDid}-${meta.name}-${hookName}`,
@@ -54,6 +69,7 @@ async function dockerExec({
     dockerNamePrefix: 'docker-exec',
     eventName: hookName,
   });
+
   const startTime = Date.now();
   try {
     await promiseSpawn(
@@ -65,12 +81,9 @@ async function dockerExec({
       { timeout, retry }
     );
   } finally {
+    await lock.releaseLock(lockKey);
     if (nodeInfo.isDockerInstalled) {
-      await promiseSpawn(
-        `docker rm -fv ${options.env.dockerName} > /dev/null 2>&1 || true`,
-        {},
-        { timeout: 1000 * 10, retry: 3 }
-      );
+      await promiseSpawn(`docker rm -f ${options.env.dockerName} > /dev/null 2>&1 || true`, {}, { timeout: 1000 * 10 });
     }
   }
   logger.info(`dockerExec ${options.env.dockerName} cost time: ${Date.now() - startTime}ms`);

package/lib/util/docker/parse-docker-options-from-pm2.js

@@ -334,13 +334,8 @@ async function parseDockerOptionsFromPm2({
     user = `-u ${uid}:${gid}`;
   }
 
-  try {
-    await promiseSpawn(`docker rm -f ${name}`, { mute: true }, { timeout: 5 * 1000, retry: 0 });
-  } catch (_) {
-    // ignore error
-  }
-
   nextOptions.script = `
+  docker rm -f ${name} > /dev/null 2>&1 || true && \
   docker run --rm --name ${name} \
   ${user} \
   ${volumes} \
@@ -350,7 +345,6 @@ async function parseDockerOptionsFromPm2({
   --cpus="${dockerEnv.BLOCKLET_DOCKER_CPUS}" \
   --memory="${dockerEnv.BLOCKLET_DOCKER_MEMORY}" \
   --memory-swap="${dockerEnv.BLOCKLET_DOCKER_MEMORY}" \
-  --memory-swappiness=0 \
   --oom-kill-disable=false \
   --env-file ${dockerEnvFile} \
   ${dockerInfo.network} \

package/lib/util/ensure-bun.js

@@ -36,7 +36,7 @@ async function _ensureBun() {
     // 如果有 bun 且版本大于等于 BUN_VERSION, 则直接使用现有的 bun
     if (whichBun) {
       // 检查 bun 版本
-      const bunVersion = shelljs.exec(`${whichBun} --version`).stdout.trim();
+      const bunVersion = shelljs.exec(`${whichBun} --version`, { silent: true }).stdout.trim();
       // 判断 bun 版本是否大于等于 BUN_VERSION, 应该用版本对比库
       if (semver.gte(bunVersion, BUN_VERSION)) {
         return whichBun.toString();

package/lib/util/env.js

@@ -1,6 +1,7 @@
 const serverJobBackoffSeconds = process.env.ABT_NODE_JOB_BACKOFF_SECONDS
   ? +process.env.ABT_NODE_JOB_BACKOFF_SECONDS
   : 600;
+const isE2E = process.env.NODE_ENV === 'e2e' || ['1', 'true'].includes(process.env.IS_E2E);
 
 const shouldJobBackoff = () => {
   if (process.env.ABT_NODE_JOB_BACKOFF_SECONDS === '0') {
@@ -13,4 +14,5 @@ const shouldJobBackoff = () => {
 module.exports = {
   serverJobBackoffSeconds,
   shouldJobBackoff,
+  isE2E,
 };

package/lib/util/reset-node.js

@@ -1,6 +1,7 @@
 const logger = require('@abtnode/logger')('@abtnode/core:util:reset');
 
 const states = require('../states');
+const { isE2E } = require('./env');
 
 const noop = () => true;
 
@@ -121,7 +122,7 @@ module.exports = async ({
   teamManager,
   certManager,
 }) => {
-  if (process.env.NODE_ENV !== 'e2e') {
+  if (!isE2E) {
     throw new Error('Reset node only exists for test purpose');
   }
 

package/lib/webhook/index.js

@@ -3,6 +3,7 @@ const { evaluateURLs } = require('@abtnode/util/lib/url-evaluation');
 const checkURLAccessible = require('@abtnode/util/lib/url-evaluation/check-accessible-node');
 const { EVENTS } = require('@abtnode/constant');
 const isEmpty = require('lodash/isEmpty');
+const { isAllowedReferer } = require('@abtnode/util/lib/ssrf-protector');
 
 const { joinURL } = require('ufo');
 const isUrl = require('is-url');
@@ -235,13 +236,21 @@ module.exports = ({ events, dataDirs, instance, teamManager }) => {
     }
   };
 
-  const sendTestMessage = async (msg) => {
+  const sendTestMessage = async (msg, context) => {
     const { webhookId, message } = msg;
     try {
+      if (context?.referer) {
+        const { host = '' } = context || {};
+        if (!isAllowedReferer(context.referer, host)) {
+          throw new Error('Invalid request');
+        }
+      }
       const webhook = webhookId ? await webhookState.findOne(webhookId) : msg.webhook;
+
       await sentTextMessage(webhook, message);
     } catch (error) {
       logger.error('webhook sender error', { error, msg });
+      throw new Error(error.message);
     }
   };
 

package/lib/webhook/sender/api/index.js

@@ -1,6 +1,7 @@
 const Joi = require('joi');
 const axios = require('@abtnode/util/lib/axios');
 const logger = require('@abtnode/logger')('@abtnode/core:sender:api');
+const { isAllowedURL } = require('@abtnode/util/lib/ssrf-protector');
 const BaseSender = require('../base');
 
 class APISender extends BaseSender {
@@ -9,6 +10,9 @@ class APISender extends BaseSender {
     const { status, name, title, description } = message;
 
     try {
+      if (!(await isAllowedURL(url))) {
+        throw new Error('Invalid URL');
+      }
       await axios.post(
         url,
         {

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.47-beta-20250805-140707-3a4df7fd",
+  "version": "1.16.47-beta-20250808-102837-d10f3b40",
   "description": "",
   "main": "lib/index.js",
   "files": [
@@ -19,46 +19,46 @@
   "author": "wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/analytics": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/auth": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/certificate-manager": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/client": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/constant": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/cron": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/db-cache": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/docker-utils": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/logger": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/models": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/queue": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/rbac": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/router-provider": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/static-server": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/timemachine": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/util": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@aigne/aigne-hub": "^0.2.2",
-    "@arcblock/did": "1.21.0",
-    "@arcblock/did-auth": "1.21.0",
-    "@arcblock/did-ext": "1.21.0",
+    "@abtnode/analytics": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/auth": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/certificate-manager": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/client": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/constant": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/cron": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/db-cache": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/docker-utils": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/logger": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/models": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/queue": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/rbac": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/router-provider": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/static-server": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/timemachine": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/util": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@aigne/aigne-hub": "^0.4.6",
+    "@arcblock/did": "1.21.2",
+    "@arcblock/did-connect-js": "1.21.2",
+    "@arcblock/did-ext": "1.21.2",
     "@arcblock/did-motif": "^1.1.14",
-    "@arcblock/did-util": "1.21.0",
-    "@arcblock/event-hub": "1.21.0",
-    "@arcblock/jwt": "1.21.0",
+    "@arcblock/did-util": "1.21.2",
+    "@arcblock/event-hub": "1.21.2",
+    "@arcblock/jwt": "1.21.2",
     "@arcblock/pm2-events": "^0.0.5",
-    "@arcblock/validator": "1.21.0",
-    "@arcblock/vc": "1.21.0",
-    "@blocklet/constant": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@blocklet/did-space-js": "^1.1.13",
-    "@blocklet/env": "1.16.47-beta-20250805-140707-3a4df7fd",
+    "@arcblock/validator": "1.21.2",
+    "@arcblock/vc": "1.21.2",
+    "@blocklet/constant": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@blocklet/did-space-js": "^1.1.14",
+    "@blocklet/env": "1.16.47-beta-20250808-102837-d10f3b40",
     "@blocklet/error": "^0.2.5",
-    "@blocklet/meta": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@blocklet/resolver": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@blocklet/sdk": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@blocklet/store": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@blocklet/theme": "^3.0.37",
+    "@blocklet/meta": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@blocklet/resolver": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@blocklet/sdk": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@blocklet/store": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@blocklet/theme": "^3.1.3",
     "@fidm/x509": "^1.2.1",
-    "@ocap/mcrypto": "1.21.0",
-    "@ocap/util": "1.21.0",
-    "@ocap/wallet": "1.21.0",
+    "@ocap/mcrypto": "1.21.2",
+    "@ocap/util": "1.21.2",
+    "@ocap/wallet": "1.21.2",
     "@slack/webhook": "^5.0.4",
     "archiver": "^7.0.1",
     "axios": "^1.7.9",
@@ -91,6 +91,7 @@
     "p-map": "^4.0.0",
     "p-retry": "^4.6.2",
     "p-wait-for": "^3.2.0",
+    "private-ip": "^2.3.4",
     "rate-limiter-flexible": "^5.0.5",
     "read-last-lines": "^1.8.0",
     "semver": "^7.6.3",
@@ -117,5 +118,5 @@
     "jest": "^29.7.0",
     "unzipper": "^0.10.11"
   },
-  "gitHead": "eee7c229e99cc764a20be2ce0347d6895766a8a0"
+  "gitHead": "545f4b619e4e872f3cb6645aa95a0c22c06b58d0"
 }