@ian2018cs/agenthub 0.1.61 → 0.1.63

package/server/claude-sdk.js

@@ -232,13 +232,14 @@ function mapCliOptionsToSDK(options = {}) {
  * @param {Array<string>} tempImagePaths - Temp image file paths for cleanup
  * @param {string} tempDir - Temp directory for cleanup
  */
-function addSession(sessionId, queryInstance, tempImagePaths = [], tempDir = null) {
+function addSession(sessionId, queryInstance, tempImagePaths = [], tempDir = null, abortController = null) {
   activeSessions.set(sessionId, {
     instance: queryInstance,
     startTime: Date.now(),
     status: 'active',
     tempImagePaths,
-    tempDir
+    tempDir,
+    abortController
   });
 }
 
@@ -511,6 +512,10 @@ async function queryClaudeSDK(command, options = {}, ws) {
     // Map CLI options to SDK format
     const sdkOptions = mapCliOptionsToSDK(options);
 
+    // Create AbortController for session cancellation
+    const abortController = new AbortController();
+    sdkOptions.abortController = abortController;
+
     // Load MCP configuration
     const mcpServers = await loadMcpConfig(options.cwd, userUuid);
     if (mcpServers) {
@@ -651,7 +656,7 @@ async function queryClaudeSDK(command, options = {}, ws) {
 
     // Track the query instance for abort capability
     if (capturedSessionId) {
-      addSession(capturedSessionId, queryInstance, tempImagePaths, tempDir);
+      addSession(capturedSessionId, queryInstance, tempImagePaths, tempDir, abortController);
     }
 
     // Process streaming messages
@@ -661,7 +666,7 @@ async function queryClaudeSDK(command, options = {}, ws) {
       if (message.session_id && !capturedSessionId) {
 
         capturedSessionId = message.session_id;
-        addSession(capturedSessionId, queryInstance, tempImagePaths, tempDir);
+        addSession(capturedSessionId, queryInstance, tempImagePaths, tempDir, abortController);
 
         // Set session ID on writer
         if (ws.setSessionId && typeof ws.setSessionId === 'function') {
@@ -775,17 +780,33 @@ async function queryClaudeSDK(command, options = {}, ws) {
     // Clean up temporary image files
     await cleanupTempFiles(tempImagePaths, tempDir);
 
-    // Send completion event
-    console.log('Streaming complete, sending claude-complete event');
-    ws.send({
-      type: 'claude-complete',
-      sessionId: capturedSessionId,
-      exitCode: 0,
-      isNewSession: !sessionId && !!command
-    });
-    console.log('claude-complete event sent');
+    // Only send completion event if not aborted — when the session is aborted
+    // via abortClaudeSDKSession(), that function already sends 'session-aborted'
+    // to the frontend, so we must not send a duplicate 'claude-complete'.
+    if (!abortController.signal.aborted) {
+      console.log('Streaming complete, sending claude-complete event');
+      ws.send({
+        type: 'claude-complete',
+        sessionId: capturedSessionId,
+        exitCode: 0,
+        isNewSession: !sessionId && !!command
+      });
+      console.log('claude-complete event sent');
+    } else {
+      console.log('Session was aborted, skipping claude-complete event');
+    }
 
   } catch (error) {
+    // If the session was aborted, this is expected — do not treat as an error.
+    if (abortController.signal.aborted) {
+      console.log('Session aborted, ignoring post-abort error:', error.message);
+      if (capturedSessionId) {
+        removeSession(capturedSessionId);
+      }
+      await cleanupTempFiles(tempImagePaths, tempDir);
+      return;
+    }
+
     console.error('SDK query error:', error);
 
     // Clean up session on error
@@ -822,8 +843,20 @@ async function abortClaudeSDKSession(sessionId) {
   try {
     console.log(`Aborting SDK session: ${sessionId}`);
 
-    // Call interrupt() on the query instance
-    await session.instance.interrupt();
+    // Signal abort via AbortController (stops SDK internal operations)
+    if (session.abortController) {
+      session.abortController.abort();
+    }
+
+    // Forcefully close the query and terminate the underlying process.
+    // close() is the correct method for aborting a running query — it kills the
+    // CLI subprocess and cleans up all resources (MCP transports, pending requests).
+    // interrupt() only works in streaming-input mode and is not reliable here.
+    try {
+      session.instance.close();
+    } catch (closeError) {
+      console.error(`Error closing session ${sessionId}:`, closeError);
+    }
 
     // Update session status
     session.status = 'aborted';

package/server/database/db.js

@@ -190,6 +190,18 @@ const runMigrations = () => {
       db.exec('ALTER TABLE users ADD COLUMN daily_limit_usd REAL DEFAULT NULL');
     }
 
+    // Add feature_permissions column for per-user feature access control
+    if (!columnNames.includes('feature_permissions')) {
+      console.log('Running migration: Adding feature_permissions column');
+      db.exec('ALTER TABLE users ADD COLUMN feature_permissions TEXT DEFAULT NULL');
+    }
+
+    // Add visible_agents column for per-user agent visibility control
+    if (!columnNames.includes('visible_agents')) {
+      console.log('Running migration: Adding visible_agents column');
+      db.exec('ALTER TABLE users ADD COLUMN visible_agents TEXT DEFAULT NULL');
+    }
+
     // Add raw_model column to usage_records for tracking actual model IDs
     const usageTableInfo = db.prepare("PRAGMA table_info(usage_records)").all();
     const usageColumnNames = usageTableInfo.map(col => col.name);
@@ -314,6 +326,11 @@ const runMigrations = () => {
     db.exec('CREATE INDEX IF NOT EXISTS idx_agent_submissions_user ON agent_submissions(user_id)');
     db.exec('CREATE INDEX IF NOT EXISTS idx_agent_submissions_status ON agent_submissions(status)');
 
+    // Migration: add update_notes column
+    try {
+      db.exec('ALTER TABLE agent_submissions ADD COLUMN update_notes TEXT');
+    } catch (_) { /* 列已存在 */ }
+
     // 聊天图片持久化关联表
     db.exec(`
       CREATE TABLE IF NOT EXISTS message_images (
@@ -498,7 +515,7 @@ const userDb = {
   getAllUsers: () => {
     try {
       return db.prepare(
-        'SELECT id, username, email, uuid, role, status, created_at, last_login, total_limit_usd, daily_limit_usd FROM users ORDER BY created_at DESC'
+        'SELECT id, username, email, uuid, role, status, created_at, last_login, total_limit_usd, daily_limit_usd, feature_permissions, visible_agents FROM users ORDER BY created_at DESC'
       ).all();
     } catch (err) {
       throw err;
@@ -599,6 +616,46 @@ const userDb = {
     } catch (err) {
       throw err;
     }
+  },
+
+  // Get user feature permissions (raw JSON string)
+  getFeaturePermissions: (userId) => {
+    try {
+      const row = db.prepare('SELECT feature_permissions FROM users WHERE id = ?').get(userId);
+      return row?.feature_permissions || null;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Update user feature permissions (JSON string or null to reset to default)
+  updateFeaturePermissions: (userId, permissions) => {
+    try {
+      const value = permissions === null ? null : JSON.stringify(permissions);
+      db.prepare('UPDATE users SET feature_permissions = ? WHERE id = ?').run(value, userId);
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Get user visible agents (raw JSON string)
+  getVisibleAgents: (userId) => {
+    try {
+      const row = db.prepare('SELECT visible_agents FROM users WHERE id = ?').get(userId);
+      return row?.visible_agents || null;
+    } catch (err) {
+      throw err;
+    }
+  },
+
+  // Update user visible agents (JSON array or null to reset)
+  updateVisibleAgents: (userId, agents) => {
+    try {
+      const value = agents === null ? null : JSON.stringify(agents);
+      db.prepare('UPDATE users SET visible_agents = ? WHERE id = ?').run(value, userId);
+    } catch (err) {
+      throw err;
+    }
   }
 };
 
@@ -1331,11 +1388,11 @@ const imageDb = {
 
 // Agent submissions database operations
 const agentSubmissionDb = {
-  create: ({ userId, agentName, displayName, description, zipPath }) => {
+  create: ({ userId, agentName, displayName, description, zipPath, updateNotes }) => {
     const result = db.prepare(`
-      INSERT INTO agent_submissions (user_id, agent_name, display_name, description, zip_path)
-      VALUES (?, ?, ?, ?, ?)
-    `).run(userId, agentName, displayName, description || null, zipPath);
+      INSERT INTO agent_submissions (user_id, agent_name, display_name, description, zip_path, update_notes)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `).run(userId, agentName, displayName, description || null, zipPath, updateNotes || null);
     return result.lastInsertRowid;
   },
 
@@ -1378,6 +1435,13 @@ const agentSubmissionDb = {
       SET status = ?, version = ?, reject_reason = ?, reviewed_by = ?, reviewed_at = CURRENT_TIMESTAMP
       WHERE id = ?
     `).run(status, version, rejectReason, reviewedBy, id);
+  },
+
+  // Get approved agent names by user (for auto-visibility)
+  getApprovedAgentNamesByUser: (userId) => {
+    return db.prepare(`
+      SELECT DISTINCT agent_name FROM agent_submissions WHERE user_id = ? AND status = 'approved'
+    `).all(userId).map(row => row.agent_name);
   }
 };
 

package/server/routes/admin.js

@@ -4,6 +4,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { userDb, domainWhitelistDb, settingsDb } from '../database/db.js';
 import { authenticateToken } from '../middleware/auth.js';
 import { deleteUserDirectories, initUserDirectories } from '../services/user-directories.js';
+import { getDefaultPermissions, ALL_FEATURE_PERMISSIONS } from '../services/feature-permissions.js';
 
 const router = express.Router();
 
@@ -418,4 +419,190 @@ router.put('/settings/default-limits', (req, res) => {
   }
 });
 
+// ==================== Feature Permissions ====================
+
+// Get user feature permissions (raw, not resolved)
+router.get('/users/:id/permissions', (req, res) => {
+  try {
+    const { id } = req.params;
+
+    const user = userDb.getUserById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    const raw = userDb.getFeaturePermissions(id);
+    let permissions = null;
+    if (raw) {
+      try { permissions = JSON.parse(raw); } catch (_) { /* ignore */ }
+    }
+
+    res.json({ permissions });
+  } catch (error) {
+    console.error('Error fetching user permissions:', error);
+    res.status(500).json({ error: '获取用户权限失败' });
+  }
+});
+
+// Update user feature permissions
+router.patch('/users/:id/permissions', (req, res) => {
+  try {
+    const { id } = req.params;
+    const { permissions } = req.body;
+
+    const user = userDb.getUserById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    // admin / super_admin 免检，不应设置权限
+    if (['admin', 'super_admin'].includes(user.role)) {
+      return res.status(400).json({ error: '管理员始终拥有全部权限，无需配置' });
+    }
+
+    // admin 不能操作 admin/super_admin
+    if (req.user.role === 'admin' && ['admin', 'super_admin'].includes(user.role)) {
+      return res.status(403).json({ error: '无权修改管理员的权限' });
+    }
+
+    // permissions 为 null 表示重置为默认
+    if (permissions === null) {
+      userDb.updateFeaturePermissions(parseInt(id), null);
+      return res.json({ success: true, message: '用户权限已重置为默认' });
+    }
+
+    // 校验 permissions 对象
+    if (typeof permissions !== 'object' || Array.isArray(permissions)) {
+      return res.status(400).json({ error: '权限格式无效' });
+    }
+
+    // 只允许已知的权限 key
+    const validKeys = Object.keys(ALL_FEATURE_PERMISSIONS);
+    const filtered = {};
+    for (const key of validKeys) {
+      if (key in permissions) {
+        filtered[key] = !!permissions[key];
+      }
+    }
+
+    userDb.updateFeaturePermissions(parseInt(id), filtered);
+    res.json({ success: true, message: '用户权限已更新', permissions: filtered });
+  } catch (error) {
+    console.error('Error updating user permissions:', error);
+    res.status(500).json({ error: '更新用户权限失败' });
+  }
+});
+
+// Get default feature permissions
+router.get('/settings/default-permissions', (req, res) => {
+  try {
+    const permissions = getDefaultPermissions();
+    // 同时返回 DB 中存储的原始值，以便前端区分是否已设置
+    const raw = settingsDb.get('default_feature_permissions');
+    res.json({ permissions, hasCustom: raw !== null });
+  } catch (error) {
+    console.error('Error fetching default permissions:', error);
+    res.status(500).json({ error: '获取默认权限设置失败' });
+  }
+});
+
+// Update default feature permissions
+router.put('/settings/default-permissions', (req, res) => {
+  try {
+    const { permissions } = req.body;
+
+    // permissions 为 null 表示清除自定义，回退到环境变量/硬编码
+    if (permissions === null) {
+      settingsDb.delete('default_feature_permissions');
+      return res.json({ success: true, message: '默认权限已重置', permissions: getDefaultPermissions() });
+    }
+
+    if (typeof permissions !== 'object' || Array.isArray(permissions)) {
+      return res.status(400).json({ error: '权限格式无效' });
+    }
+
+    // 只允许已知的权限 key
+    const validKeys = Object.keys(ALL_FEATURE_PERMISSIONS);
+    const filtered = {};
+    for (const key of validKeys) {
+      if (key in permissions) {
+        filtered[key] = !!permissions[key];
+      }
+    }
+
+    settingsDb.set('default_feature_permissions', JSON.stringify(filtered), req.user.id);
+    res.json({ success: true, message: '默认权限已更新', permissions: { ...ALL_FEATURE_PERMISSIONS, ...filtered } });
+  } catch (error) {
+    console.error('Error updating default permissions:', error);
+    res.status(500).json({ error: '更新默认权限设置失败' });
+  }
+});
+
+// ─── Agent Visibility ───────────────────────────────────────────────────────
+
+// GET /api/admin/users/:id/visible-agents - Get user's visible agents config
+router.get('/users/:id/visible-agents', (req, res) => {
+  try {
+    const { id } = req.params;
+    const user = userDb.getUserById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    const raw = userDb.getVisibleAgents(id);
+    let agents = null;
+    if (raw) {
+      try { agents = JSON.parse(raw); } catch (_) { /* ignore */ }
+    }
+
+    res.json({ agents });
+  } catch (error) {
+    console.error('Error getting user visible agents:', error);
+    res.status(500).json({ error: '获取用户 Agent 可见性失败' });
+  }
+});
+
+// PATCH /api/admin/users/:id/visible-agents - Update user's visible agents
+router.patch('/users/:id/visible-agents', (req, res) => {
+  try {
+    const { id } = req.params;
+    const { agents } = req.body;
+
+    const user = userDb.getUserById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    // admin/super_admin always see all agents, no need to configure
+    if (['admin', 'super_admin'].includes(user.role)) {
+      return res.status(400).json({ error: '管理员始终可见全部 Agent，无需配置' });
+    }
+
+    // admin cannot modify admin/super_admin
+    if (req.user.role === 'admin' && ['admin', 'super_admin'].includes(user.role)) {
+      return res.status(403).json({ error: '无权修改管理员的 Agent 可见性' });
+    }
+
+    // null = reset to default (no agents visible)
+    if (agents === null) {
+      userDb.updateVisibleAgents(parseInt(id), null);
+      return res.json({ success: true, message: 'Agent 可见性已重置为默认' });
+    }
+
+    // Validate agents is an array
+    if (!Array.isArray(agents)) {
+      return res.status(400).json({ error: 'agents 必须是数组' });
+    }
+
+    // Only allow non-empty strings
+    const filtered = agents.filter(a => typeof a === 'string' && a.length > 0);
+
+    userDb.updateVisibleAgents(parseInt(id), filtered);
+    res.json({ success: true, message: 'Agent 可见性已更新', agents: filtered });
+  } catch (error) {
+    console.error('Error updating user visible agents:', error);
+    res.status(500).json({ error: '更新用户 Agent 可见性失败' });
+  }
+});
+
 export default router;

package/server/routes/agents.js

@@ -7,7 +7,7 @@ import AdmZip from 'adm-zip';
 import { getUserPaths, getPublicPaths } from '../services/user-directories.js';
 import { scanAgents, ensureAgentRepo, incrementPatchVersion, publishAgentToRepo } from '../services/system-agent-repo.js';
 import { addProjectManually, loadProjectConfig, saveProjectConfig } from '../projects.js';
-import { agentSubmissionDb } from '../database/db.js';
+import { agentSubmissionDb, userDb } from '../database/db.js';
 import { chatCompletion } from '../services/llm.js';
 
 const router = express.Router();
@@ -292,10 +292,44 @@ async function installMcp(mcpName, repoUrl, userUuid) {
  * GET /api/agents
  * List all available agents from the system agent repo
  */
-router.get('/', async (_req, res) => {
+router.get('/', async (req, res) => {
   try {
     const agents = await scanAgents();
-    res.json({ agents });
+
+    // admin/super_admin see all agents
+    const userRole = req.user?.role;
+    if (userRole === 'admin' || userRole === 'super_admin') {
+      return res.json({ agents });
+    }
+
+    // Regular user: filter by visibility whitelist + own approved submissions
+    const userId = req.user?.id;
+    const visibleSet = new Set();
+
+    // 1. Admin-configured visible agents
+    const raw = userId ? userDb.getVisibleAgents(userId) : null;
+    if (raw) {
+      try {
+        const list = JSON.parse(raw);
+        if (Array.isArray(list)) {
+          list.forEach(name => visibleSet.add(name));
+        }
+      } catch (_) { /* ignore */ }
+    }
+
+    // 2. User's own approved submissions (auto-visible)
+    if (userId) {
+      const approvedNames = agentSubmissionDb.getApprovedAgentNamesByUser(userId);
+      approvedNames.forEach(name => visibleSet.add(name));
+    }
+
+    // If no visible agents at all, return empty list
+    if (visibleSet.size === 0) {
+      return res.json({ agents: [] });
+    }
+
+    const filtered = agents.filter(a => visibleSet.has(a.dirName) || visibleSet.has(a.name));
+    res.json({ agents: filtered });
   } catch (error) {
     console.error('Error listing agents:', error);
     res.status(500).json({ error: 'Failed to list agents', details: error.message });
@@ -517,6 +551,42 @@ router.get('/preview', async (req, res) => {
   }
 });
 
+/**
+ * GET /api/agents/check-name/:name
+ * Check if an agent name already exists in the repo, and if there's a pending conflict.
+ * Returns existing agent config for pre-fill and pending conflict info.
+ */
+router.get('/check-name/:name', async (req, res) => {
+  try {
+    const { name } = req.params;
+    const userId = req.user?.id;
+    if (!name) return res.status(400).json({ error: 'name is required' });
+
+    // 1. Check if agent exists in the repo
+    const agents = await scanAgents();
+    const existing = agents.find(a => a.dirName === name || a.name === name);
+
+    // 2. Check for pending submissions with the same name from other users
+    const pendingConflict = agentSubmissionDb.listAll('pending')
+      .find(s => s.agent_name === name && s.user_id !== userId);
+
+    res.json({
+      existing: existing ? {
+        display_name: existing.display_name,
+        description: existing.description,
+        version: existing.version
+      } : null,
+      pendingConflict: pendingConflict ? {
+        username: pendingConflict.username || pendingConflict.email,
+        submitted_at: pendingConflict.submitted_at
+      } : null
+    });
+  } catch (error) {
+    console.error('Error checking agent name:', error);
+    res.status(500).json({ error: 'Failed to check agent name', details: error.message });
+  }
+});
+
 /**
  * POST /api/agents/generate-description
  * Use LLM to generate an Agent description based on CLAUDE.md + selected skills/MCPs.
@@ -588,7 +658,7 @@ router.post('/submit', async (req, res) => {
     const userId = req.user?.id;
     if (!userUuid || !userId) return res.status(401).json({ error: 'User authentication required' });
 
-    const { agentName, displayName, description, projectKey, agentYaml, refFiles = [] } = req.body;
+    const { agentName, displayName, description, projectKey, agentYaml, refFiles = [], updateNotes } = req.body;
     if (!agentName) return res.status(400).json({ error: 'agentName is required' });
     if (!displayName) return res.status(400).json({ error: 'displayName is required' });
     if (!projectKey) return res.status(400).json({ error: 'projectKey is required' });
@@ -644,7 +714,8 @@ router.post('/submit', async (req, res) => {
       agentName,
       displayName,
       description: description || '',
-      zipPath
+      zipPath,
+      updateNotes: updateNotes || null
     });
 
     res.json({
@@ -793,6 +864,28 @@ router.post('/submissions/:id/approve', async (req, res) => {
       reviewedBy: reviewerId
     });
 
+    // Auto-update submitter's installed agent version
+    try {
+      const submitterUser = userDb.getUserById(submission.user_id);
+      if (submitterUser?.uuid) {
+        const config = await loadProjectConfig(submitterUser.uuid);
+        let updated = false;
+        for (const [key, entry] of Object.entries(config)) {
+          if (entry.agentInfo?.isAgent && entry.agentInfo.agentName === submission.agent_name) {
+            entry.agentInfo.installedVersion = newVersion;
+            entry.agentInfo.installedAt = new Date().toISOString();
+            updated = true;
+          }
+        }
+        if (updated) {
+          await saveProjectConfig(config, submitterUser.uuid);
+        }
+      }
+    } catch (err) {
+      // Non-critical: don't fail the approval if auto-update fails
+      console.error('[AgentApprove] Failed to auto-update submitter config:', err.message);
+    }
+
     // Cleanup extracted dir
     fs.rm(extractDir, { recursive: true, force: true }).catch(() => {});
 

package/server/routes/auth.js

@@ -8,6 +8,7 @@ import { initUserDirectories } from '../services/user-directories.js';
 import { initSystemRepoForUser } from '../services/system-repo.js';
 import { initSystemMcpRepoForUser } from '../services/system-mcp-repo.js';
 import { sendVerificationCode, isSmtpConfigured } from '../services/email.js';
+import { resolvePermissions } from '../services/feature-permissions.js';
 
 const router = express.Router();
 
@@ -213,6 +214,11 @@ router.post('/login', async (req, res) => {
 
 // Get current user (protected route)
 router.get('/user', authenticateToken, (req, res) => {
+  // 查询用户的 feature_permissions 列
+  const rawPerms = userDb.getFeaturePermissions(req.user.id);
+  const userWithPerms = { ...req.user, feature_permissions: rawPerms };
+  const featurePermissions = resolvePermissions(userWithPerms);
+
   res.json({
     user: {
       id: req.user.id,
@@ -220,7 +226,8 @@ router.get('/user', authenticateToken, (req, res) => {
       email: req.user.email,
       uuid: req.user.uuid,
       role: req.user.role
-    }
+    },
+    featurePermissions
   });
 });
 
@@ -273,6 +280,19 @@ router.patch('/change-password', authenticateToken, async (req, res) => {
   }
 });
 
+// Get current user's resolved feature permissions
+router.get('/feature-permissions', authenticateToken, (req, res) => {
+  try {
+    const rawPerms = userDb.getFeaturePermissions(req.user.id);
+    const userWithPerms = { ...req.user, feature_permissions: rawPerms };
+    const featurePermissions = resolvePermissions(userWithPerms);
+    res.json({ featurePermissions });
+  } catch (error) {
+    console.error('Error fetching feature permissions:', error);
+    res.status(500).json({ error: '获取功能权限失败' });
+  }
+});
+
 // Get current user's spending limit status
 router.get('/limit-status', authenticateToken, (req, res) => {
   try {