@lobehub/chat 1.20.3 → 1.20.5

package/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 # Changelog
 
+### [Version 1.20.5](https://github.com/lobehub/lobe-chat/compare/v1.20.4...v1.20.5)
+
+<sup>Released on **2024-09-29**</sup>
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+### [Version 1.20.4](https://github.com/lobehub/lobe-chat/compare/v1.20.3...v1.20.4)
+
+<sup>Released on **2024-09-28**</sup>
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ### [Version 1.20.3](https://github.com/lobehub/lobe-chat/compare/v1.20.2...v1.20.3)
 
 <sup>Released on **2024-09-28**</sup>

package/Dockerfile

@@ -1,4 +1,4 @@
-## Base image for all the stages
+## Base image for all building stages
 FROM node:20-slim AS base
 
 ARG USE_CN_MIRROR
@@ -10,19 +10,22 @@ RUN \
     if [ "${USE_CN_MIRROR:-false}" = "true" ]; then \
         sed -i "s/deb.debian.org/mirrors.ustc.edu.cn/g" "/etc/apt/sources.list.d/debian.sources"; \
     fi \
-    # Add required package & update base package
+    # Add required package
     && apt update \
-    && apt install busybox proxychains-ng -qy \
-    && apt full-upgrade -qy \
-    && apt autoremove -qy --purge \
-    && apt clean -qy \
-    # Configure BusyBox
-    && busybox --install -s \
-    # Add nextjs:nodejs to run the app
-    && addgroup --system --gid 1001 nodejs \
-    && adduser --system --home "/app" --gid 1001 -uid 1001 nextjs \
-    # Set permission for nextjs:nodejs
-    && chown -R nextjs:nodejs "/etc/proxychains4.conf" \
+    && apt install ca-certificates proxychains-ng -qy \
+    # Prepare required package to distroless
+    && mkdir -p /distroless/bin /distroless/etc /distroless/etc/ssl/certs /distroless/lib \
+    # Copy proxychains to distroless
+    && cp /usr/lib/$(arch)-linux-gnu/libproxychains.so.4 /distroless/lib/libproxychains.so.4 \
+    && cp /usr/lib/$(arch)-linux-gnu/libdl.so.2 /distroless/lib/libdl.so.2 \
+    && cp /usr/bin/proxychains4 /distroless/bin/proxychains \
+    && cp /etc/proxychains4.conf /distroless/etc/proxychains4.conf \
+    # Copy node to distroless
+    && cp /usr/lib/$(arch)-linux-gnu/libstdc++.so.6 /distroless/lib/libstdc++.so.6 \
+    && cp /usr/lib/$(arch)-linux-gnu/libgcc_s.so.1 /distroless/lib/libgcc_s.so.1 \
+    && cp /usr/local/bin/node /distroless/bin/node \
+    # Copy CA certificates to distroless
+    && cp /etc/ssl/certs/ca-certificates.crt /distroless/etc/ssl/certs/ca-certificates.crt \
     # Cleanup temp files
     && rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/*
 
@@ -61,6 +64,7 @@ RUN \
     if [ "${USE_CN_MIRROR:-false}" = "true" ]; then \
         export SENTRYCLI_CDNURL="https://npmmirror.com/mirrors/sentry-cli"; \
         npm config set registry "https://registry.npmmirror.com/"; \
+        echo 'canvas_binary_host_mirror=https://npmmirror.com/mirrors/canvas' >> .npmrc; \
     fi \
     # Set the registry for corepack
     && export COREPACK_NPM_REGISTRY=$(npm config get registry | sed 's/\/$//') \
@@ -80,7 +84,9 @@ COPY . .
 RUN npm run build:docker
 
 ## Application image, copy all the files for production
-FROM scratch AS app
+FROM busybox:latest AS app
+
+COPY --from=base /distroless/ /
 
 COPY --from=builder /app/public /app/public
 
@@ -90,13 +96,25 @@ COPY --from=builder /app/.next/standalone /app/
 COPY --from=builder /app/.next/static /app/.next/static
 COPY --from=builder /deps/node_modules/.pnpm /app/node_modules/.pnpm
 
+# Copy server launcher
+COPY --from=builder /app/scripts/serverLauncher/startServer.js /app/startServer.js
+
+RUN \
+    # Add nextjs:nodejs to run the app
+    addgroup -S -g 1001 nodejs \
+    && adduser -D -G nodejs -H -S -h /app -u 1001 nextjs \
+    # Set permission for nextjs:nodejs
+    && chown -R nextjs:nodejs /app /etc/proxychains4.conf
+
 ## Production image, copy all the files and run next
-FROM base
+FROM scratch
 
 # Copy all the files from app, set the correct permission for prerender cache
-COPY --from=app --chown=nextjs:nodejs /app /app
+COPY --from=app / /
 
 ENV NODE_ENV="production" \
+    NODE_OPTIONS="--use-openssl-ca" \
+    NODE_EXTRA_CA_CERTS="/etc/ssl/certs/ca-certificates.crt" \
     NODE_TLS_REJECT_UNAUTHORIZED=""
 
 # set hostname to localhost
@@ -176,36 +194,6 @@ USER nextjs
 
 EXPOSE 3210/tcp
 
-CMD \
-    if [ -n "$PROXY_URL" ]; then \
-        # Set regex for IPv4
-        IP_REGEX="^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$"; \
-        # Set proxychains command
-        PROXYCHAINS="proxychains -q"; \
-        # Parse the proxy URL
-        host_with_port="${PROXY_URL#*//}"; \
-        host="${host_with_port%%:*}"; \
-        port="${PROXY_URL##*:}"; \
-        protocol="${PROXY_URL%%://*}"; \
-        # Resolve to IP address if the host is a domain
-        if ! [[ "$host" =~ "$IP_REGEX" ]]; then \
-            nslookup=$(nslookup -q="A" "$host" | tail -n +3 | grep 'Address:'); \
-            if [ -n "$nslookup" ]; then \
-                host=$(echo "$nslookup" | tail -n 1 | awk '{print $2}'); \
-            fi; \
-        fi; \
-        # Generate proxychains configuration file
-        printf "%s\n" \
-            'localnet 127.0.0.0/255.0.0.0' \
-            'localnet ::1/128' \
-            'proxy_dns' \
-            'remote_dns_subnet 224' \
-            'strict_chain' \
-            'tcp_connect_time_out 8000' \
-            'tcp_read_time_out 15000' \
-            '[ProxyList]' \
-            "$protocol $host $port" \
-        > "/etc/proxychains4.conf"; \
-    fi; \
-    # Run the server
-    ${PROXYCHAINS} node "/app/server.js";
+ENTRYPOINT ["/bin/node"]
+
+CMD ["/app/startServer.js"]

package/Dockerfile.database

@@ -1,4 +1,4 @@
-## Base image for all the stages
+## Base image for all building stages
 FROM node:20-slim AS base
 
 ARG USE_CN_MIRROR
@@ -10,19 +10,22 @@ RUN \
     if [ "${USE_CN_MIRROR:-false}" = "true" ]; then \
         sed -i "s/deb.debian.org/mirrors.ustc.edu.cn/g" "/etc/apt/sources.list.d/debian.sources"; \
     fi \
-    # Add required package & update base package
+    # Add required package
     && apt update \
-    && apt install busybox proxychains-ng -qy \
-    && apt full-upgrade -qy \
-    && apt autoremove -qy --purge \
-    && apt clean -qy \
-    # Configure BusyBox
-    && busybox --install -s \
-    # Add nextjs:nodejs to run the app
-    && addgroup --system --gid 1001 nodejs \
-    && adduser --system --home "/app" --gid 1001 -uid 1001 nextjs \
-    # Set permission for nextjs:nodejs
-    && chown -R nextjs:nodejs "/etc/proxychains4.conf" \
+    && apt install ca-certificates proxychains-ng -qy \
+    # Prepare required package to distroless
+    && mkdir -p /distroless/bin /distroless/etc /distroless/etc/ssl/certs /distroless/lib \
+    # Copy proxychains to distroless
+    && cp /usr/lib/$(arch)-linux-gnu/libproxychains.so.4 /distroless/lib/libproxychains.so.4 \
+    && cp /usr/lib/$(arch)-linux-gnu/libdl.so.2 /distroless/lib/libdl.so.2 \
+    && cp /usr/bin/proxychains4 /distroless/bin/proxychains \
+    && cp /etc/proxychains4.conf /distroless/etc/proxychains4.conf \
+    # Copy node to distroless
+    && cp /usr/lib/$(arch)-linux-gnu/libstdc++.so.6 /distroless/lib/libstdc++.so.6 \
+    && cp /usr/lib/$(arch)-linux-gnu/libgcc_s.so.1 /distroless/lib/libgcc_s.so.1 \
+    && cp /usr/local/bin/node /distroless/bin/node \
+    # Copy CA certificates to distroless
+    && cp /etc/ssl/certs/ca-certificates.crt /distroless/etc/ssl/certs/ca-certificates.crt \
     # Cleanup temp files
     && rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/*
 
@@ -65,6 +68,7 @@ RUN \
     if [ "${USE_CN_MIRROR:-false}" = "true" ]; then \
         export SENTRYCLI_CDNURL="https://npmmirror.com/mirrors/sentry-cli"; \
         npm config set registry "https://registry.npmmirror.com/"; \
+        echo 'canvas_binary_host_mirror=https://npmmirror.com/mirrors/canvas' >> .npmrc; \
     fi \
     # Set the registry for corepack
     && export COREPACK_NPM_REGISTRY=$(npm config get registry | sed 's/\/$//') \
@@ -84,7 +88,9 @@ COPY . .
 RUN npm run build:docker
 
 ## Application image, copy all the files for production
-FROM scratch AS app
+FROM busybox:latest AS app
+
+COPY --from=base /distroless/ /
 
 COPY --from=builder /app/public /app/public
 
@@ -103,13 +109,25 @@ COPY --from=builder /app/src/database/server/migrations /app/migrations
 COPY --from=builder /app/scripts/migrateServerDB/docker.cjs /app/docker.cjs
 COPY --from=builder /app/scripts/migrateServerDB/errorHint.js /app/errorHint.js
 
+# Copy server launcher
+COPY --from=builder /app/scripts/serverLauncher/startServer.js /app/startServer.js
+
+RUN \
+    # Add nextjs:nodejs to run the app
+    addgroup -S -g 1001 nodejs \
+    && adduser -D -G nodejs -H -S -h /app -u 1001 nextjs \
+    # Set permission for nextjs:nodejs
+    && chown -R nextjs:nodejs /app /etc/proxychains4.conf
+
 ## Production image, copy all the files and run next
-FROM base
+FROM scratch
 
 # Copy all the files from app, set the correct permission for prerender cache
-COPY --from=app --chown=nextjs:nodejs /app /app
+COPY --from=app / /
 
 ENV NODE_ENV="production" \
+    NODE_OPTIONS="--use-openssl-ca" \
+    NODE_EXTRA_CA_CERTS="/etc/ssl/certs/ca-certificates.crt" \
     NODE_TLS_REJECT_UNAUTHORIZED=""
 
 # set hostname to localhost
@@ -208,40 +226,6 @@ USER nextjs
 
 EXPOSE 3210/tcp
 
-CMD \
-    if [ -n "$PROXY_URL" ]; then \
-        # Set regex for IPv4
-        IP_REGEX="^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$"; \
-        # Set proxychains command
-        PROXYCHAINS="proxychains -q"; \
-        # Parse the proxy URL
-        host_with_port="${PROXY_URL#*//}"; \
-        host="${host_with_port%%:*}"; \
-        port="${PROXY_URL##*:}"; \
-        protocol="${PROXY_URL%%://*}"; \
-        # Resolve to IP address if the host is a domain
-        if ! [[ "$host" =~ "$IP_REGEX" ]]; then \
-            nslookup=$(nslookup -q="A" "$host" | tail -n +3 | grep 'Address:'); \
-            if [ -n "$nslookup" ]; then \
-                host=$(echo "$nslookup" | tail -n 1 | awk '{print $2}'); \
-            fi; \
-        fi; \
-        # Generate proxychains configuration file
-        printf "%s\n" \
-            'localnet 127.0.0.0/255.0.0.0' \
-            'localnet ::1/128' \
-            'proxy_dns' \
-            'remote_dns_subnet 224' \
-            'strict_chain' \
-            'tcp_connect_time_out 8000' \
-            'tcp_read_time_out 15000' \
-            '[ProxyList]' \
-            "$protocol $host $port" \
-        > "/etc/proxychains4.conf"; \
-    fi; \
-    # Run migration
-    node "/app/docker.cjs"; \
-    if [ "$?" -eq "0" ]; then \
-      # Run the server
-      ${PROXYCHAINS} node "/app/server.js"; \
-    fi;
+ENTRYPOINT ["/bin/node"]
+
+CMD ["/app/startServer.js"]

package/docker-compose/local/zitadel/.env.example

@@ -0,0 +1,33 @@
+# Required: LobeChat domain for tRPC calls
+# Ensure this domain is whitelisted in your NextAuth providers and S3 service CORS settings
+APP_URL=http://localhost:3210
+
+# Postgres related environment variables
+# Required: Secret key for encrypting sensitive information. Generate with: openssl rand -base64 32
+KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=
+# Required: Postgres database connection string
+DATABASE_URL=postgresql://postgres:uWNZugjBqixf8dxC@postgresql:5432/lobechat
+
+# NEXT_AUTH related environment variables
+NEXTAUTH_URL=http://localhost:3210/api/auth
+NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg
+NEXT_AUTH_SSO_PROVIDERS=zitadel
+# ZiTADEL provider configuration
+# Please refer to：https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/zitadel
+AUTH_ZITADEL_ID=285945938244075523
+AUTH_ZITADEL_SECRET=hkbtzHLaCEIeHeFThym14UcydpmQiEB5JtAX08HSqSoJxhAlVVkyovTuNUZ5TNrT
+AUTH_ZITADEL_ISSUER=http://localhost:8080
+
+# MinIO S3 configuration
+S3_ACCESS_KEY_ID=        
+S3_SECRET_ACCESS_KEY=
+S3_ENDPOINT=http://localhost:9000
+S3_BUCKET=lobe 
+S3_PUBLIC_DOMAIN=http://localhost:9000
+S3_ENABLE_PATH_STYLE=1
+LLM_VISION_IMAGE_USE_BASE64=1
+
+# Other environment variables, as needed. You can refer to the environment variables configuration for the client version, making sure not to have ACCESS_CODE.
+# OPENAI_API_KEY=sk-xxxx
+# OPENAI_PROXY_URL=https://api.openai.com/v1
+# OPENAI_MODEL_LIST=...

package/docker-compose/local/zitadel/.env.zh-CN.example

@@ -0,0 +1,32 @@
+# LobeChat 域名
+APP_URL=http://localhost:3210
+
+# Postgres 相关，也即 DB 必须的环境变量
+# 用于加密敏感信息的密钥，可以使用 openssl rand -base64 32 生成
+KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=
+# Postgres 数据库连接字符串
+DATABASE_URL=postgresql://postgres:uWNZugjBqixf8dxC@postgresql:5432/lobechat
+
+# NEXT_AUTH 相关
+NEXTAUTH_URL=http://localhost:3210/api/auth
+NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg
+NEXT_AUTH_SSO_PROVIDERS=zitadel
+# ZiTADEL 鉴权服务提供商部分
+# 请参考：https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/zitadel
+AUTH_ZITADEL_ID=285945938244075523
+AUTH_ZITADEL_SECRET=hkbtzHLaCEIeHeFThym14UcydpmQiEB5JtAX08HSqSoJxhAlVVkyovTuNUZ5TNrT
+AUTH_ZITADEL_ISSUER=http://localhost:8080
+
+# MinIO S3 配置
+S3_ACCESS_KEY_ID=        
+S3_SECRET_ACCESS_KEY=
+S3_ENDPOINT=http://localhost:9000
+S3_BUCKET=lobe 
+S3_PUBLIC_DOMAIN=http://localhost:9000
+S3_ENABLE_PATH_STYLE=1
+LLM_VISION_IMAGE_USE_BASE64=1
+
+# 其他环境变量，视需求而定，可以参照客户端版本的环境变量配置，注意不要有 ACCESS_CODE
+# OPENAI_API_KEY=sk-xxxx
+# OPENAI_PROXY_URL=https://api.openai.com/v1
+# OPENAI_MODEL_LIST=...

package/docker-compose/local/zitadel/docker-compose.yml

@@ -0,0 +1,86 @@
+services:
+  network-service:
+    image: alpine
+    container_name: lobe-network
+    ports:
+      - '9000:9000'  # MinIO API
+      - '9001:9001'  # MinIO Console
+      - '8080:8080' # Zitadel Console
+      - '3210:3210' # LobeChat
+    command: tail -f /dev/null
+    networks:
+      - lobe-network
+
+  postgresql:
+    image: pgvector/pgvector:pg16
+    container_name: lobe-postgres
+    ports:
+      - "5432:5432"
+    volumes:
+      - './data:/var/lib/postgresql/data'
+    environment:
+      - 'POSTGRES_DB=lobechat'
+      - 'POSTGRES_PASSWORD=uWNZugjBqixf8dxC'
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    restart: always
+    networks:
+      - lobe-network
+
+  minio:
+    image: minio/minio
+    container_name: lobe-minio
+    network_mode: 'service:network-service'
+    volumes:
+      - './s3_data:/etc/minio/data'
+    environment:
+      - 'MINIO_ROOT_USER=YOUR_MINIO_USER'
+      - 'MINIO_ROOT_PASSWORD=YOUR_MINIO_PASSWORD'
+      - 'MINIO_API_CORS_ALLOW_ORIGIN=http://localhost:3210'
+    restart: always
+    command: >
+      server /etc/minio/data --address ":9000" --console-address ":9001"
+
+  zitadel:
+    restart: 'always'
+    image: 'ghcr.io/zitadel/zitadel:latest'
+    container_name: lobe-zitadel
+    network_mode: 'service:network-service'
+    command: start-from-init --config /zitadel-config.yaml --steps
+      /zitadel-init-steps.yaml --masterkey "cft3Tekr/rQBOqwoQSCPoncA9BHbn7QJ"
+      --tlsMode disabled  #MasterkeyNeedsToHave32Characters
+    volumes:
+      - ./zitadel-config.yaml:/zitadel-config.yaml:ro
+      - ./zitadel-init-steps.yaml:/zitadel-init-steps.yaml:ro     
+    depends_on:
+      postgresql:
+        condition: service_healthy
+
+  lobe:
+    image: lobehub/lobe-chat-database
+    container_name: lobe-database
+    network_mode: 'service:network-service'
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      network-service:
+        condition: service_started
+      minio:
+        condition: service_started
+      zitadel:
+        condition: service_started
+    env_file:
+      - .env
+    restart: always
+
+volumes:
+  data:
+    driver: local
+  s3_data:
+    driver: local
+networks:
+  lobe-network:
+    driver: bridge

package/docker-compose/local/zitadel/zitadel-config.yaml

@@ -0,0 +1,26 @@
+Log:
+  Level: 'info'
+
+Port: 8080
+ExternalPort: 8080 
+ExternalDomain: localhost
+ExternalSecure: false
+TLS:
+  Enabled: false 
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    Host: postgresql
+    Port: 5432
+    Database: zitadel
+    User:
+      Username: 'zitadel'
+      Password: 'zitadel'
+      SSL:
+        Mode: 'disable'
+    Admin:
+      Username: 'postgres'
+      Password: 'uWNZugjBqixf8dxC' #postgres password
+      SSL:
+        Mode: 'disable'

package/docker-compose/local/zitadel/zitadel-init-steps.yaml

@@ -0,0 +1,11 @@
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
+FirstInstance:
+  Org:
+    Human:
+      # use the loginname root@zitadel.localhost
+      Username: 'root'
+      # The password must be 8 characters or more and must contain uppercase letters, lowercase letters, symbols, and numbers. The first login will require a password change. 
+      Password: 'Password1!'
+      Email:
+        # Optional, if set, can be used to log in with email.
+        Address: 'example@zitadel.com' # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS  

package/docker-compose/production/zitadel/.env.example

@@ -0,0 +1,53 @@
+# Required: LobeChat domain for tRPC calls
+# Ensure this domain is whitelisted in your NextAuth providers and S3 service CORS settings
+APP_URL=https://lobe.example.com/
+
+# Postgres related environment variables
+# Required: Secret key for encrypting sensitive information. Generate with: openssl rand -base64 32
+KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=
+# Required: Postgres database connection string
+# Format: postgresql://username:password@host:port/dbname
+# If using Docker, you can use the container name as the host
+DATABASE_URL=postgresql://postgres:uWNZugjBqixf8dxC@postgresql:5432/lobe
+
+# NEXT_AUTH related environment variables
+# Required: NextAuth URL for callbacks
+NEXTAUTH_URL=https://lobe.example.com/api/auth
+# Required: NextAuth secret key. Generate with: openssl rand -base64 32
+NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg
+# Required: Specify the authentication provider
+NEXT_AUTH_SSO_PROVIDERS=zitadel
+
+# ZiTADEL provider configuration
+# Please refer to：https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/zitadel
+AUTH_ZITADEL_ID=285934220675723622
+AUTH_ZITADEL_SECRET=pe7Nh3lopXkZkfqh5YEDYI2xsbIz08eZKqInOUZxssd3refRia518Apbv3DZ
+AUTH_ZITADEL_ISSUER=https://zitadel.example.com
+
+# Proxy settings (if needed, e.g., when using GitHub as an auth provider)
+# HTTP_PROXY=http://localhost:7890
+# HTTPS_PROXY=http://localhost:7890
+
+# S3 related environment variables (example using MinIO)
+# Required: S3 Access Key ID (for MinIO, invalid until manually created in MinIO UI)
+S3_ACCESS_KEY_ID=YOUR_S3_ACCESS_KEY_ID
+# Required: S3 Secret Access Key (for MinIO, invalid until manually created in MinIO UI)
+S3_SECRET_ACCESS_KEY=YOUR_S3_SECRET_ACCESS_KEY
+# Required: S3 Endpoint for server/client connections to S3 API
+S3_ENDPOINT=https://lobe-s3-api.example.com
+# Required: S3 Bucket (invalid until manually created in MinIO UI)
+S3_BUCKET=lobe
+# Required: S3 Public Domain for client access to unstructured data
+S3_PUBLIC_DOMAIN=https://lobe-s3-api.example.com
+# Optional: S3 Enable Path Style
+# Use 0 for mainstream S3 cloud providers; use 1 for self-hosted MinIO
+# See: https://lobehub.com/docs/self-hosting/advanced/s3#s-3-enable-path-style
+S3_ENABLE_PATH_STYLE=1
+
+# Other basic environment variables (as needed)
+# See: https://lobehub.com/docs/self-hosting/environment-variables/basic
+# Note: For server versions, the API must support embedding models (OpenAI text-embedding-3-small) for file processing
+# You don't need to specify this model in OPENAI_MODEL_LIST
+# OPENAI_API_KEY=sk-xxxx
+# OPENAI_PROXY_URL=https://api.openai.com/v1
+# OPENAI_MODEL_LIST=...

package/docker-compose/production/zitadel/.env.zh-CN.example

@@ -0,0 +1,48 @@
+# 必填，LobeChat 域名，用于 tRPC 调用
+# 请保证此域名在你的 NextAuth 鉴权服务提供商、S3 服务商的 CORS 白名单中
+APP_URL=https://lobe.example.com/
+
+# Postgres 相关，也即 DB 必需的环境变量
+# 必填，用于加密敏感信息的密钥，可以使用 openssl rand -base64 32 生成
+KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=
+# 必填，Postgres 数据库连接字符串，用于连接到数据库
+# 格式：postgresql://username:password@host:port/dbname，如果你的 pg 实例为 Docker 容器且位于同一 docker-compose 文件中，亦可使用容器名作为 host
+DATABASE_URL=postgresql://postgres:uWNZugjBqixf8dxC@postgresql:5432/lobe
+
+# NEXT_AUTH 相关，也即鉴权服务必需的环境变量
+# 必填，NextAuth 的 URL，用于 NextAuth 的回调
+NEXTAUTH_URL=https://lobe.example.com/api/auth
+# 必填，用于 NextAuth 的密钥，可以使用 openssl rand -base64 32 生成
+NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg
+# 必填，指定鉴权服务提供商
+NEXT_AUTH_SSO_PROVIDERS=zitadel
+
+# ZiTADEL 鉴权服务提供商部分
+# 请参考：https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/zitadel
+AUTH_ZITADEL_ID=285934220675723622
+AUTH_ZITADEL_SECRET=pe7Nh3lopXkZkfqh5YEDYI2xsbIz08eZKqInOUZxssd3refRia518Apbv3DZ
+AUTH_ZITADEL_ISSUER=https://zitadel.example.com
+
+# S3 相关，也即非结构化数据（文件、图片等）存储必需的环境变量
+# 这里以 MinIO 为例
+# 必填，S3 的 Access Key ID，对于 MinIO 来说，直到在 MinIO UI 中手动创建之前都是无效的
+S3_ACCESS_KEY_ID=YOUR_S3_ACCESS_KEY_ID
+# 必填，S3 的 Secret Access Key，对于 MinIO 来说，直到在 MinIO UI 中手动创建之前都是无效的
+S3_SECRET_ACCESS_KEY=YOUR_S3_SECRET_ACCESS_KEY
+# 必填，S3 的 Endpoint，用于服务端/客户端连接到 S3 API
+S3_ENDPOINT=https://lobe-s3-api.example.com
+# 必填，S3 的 Bucket，直到在 MinIO UI 中手动创建之前都是无效的
+S3_BUCKET=lobe
+# 必填，S3 的 Public Domain，用于客户端通过公开连接访问非结构化数据
+S3_PUBLIC_DOMAIN=https://lobe-s3-api.example.com
+# 选填，S3 的 Enable Path Style
+# 对于主流 S3 Cloud 服务商，一般填 0 即可；对于自部署的 MinIO，请填 1
+# 请参考：https://lobehub.com/zh/docs/self-hosting/advanced/s3#s-3-enable-path-style
+S3_ENABLE_PATH_STYLE=1
+
+# 其他基础环境变量，视需求而定。注意不要有 ACCESS_CODE
+# 请参考：https://lobehub.com/zh/docs/self-hosting/environment-variables/basic
+# 请注意，对于服务端版本，其 API 必须支持嵌入（即 OpenAI text-embedding-3-small）模型，否则无法对上传文件进行处理，但你无需在 OPENAI_MODEL_LIST 中指定此模型
+# OPENAI_API_KEY=sk-xxxx
+# OPENAI_PROXY_URL=https://api.openai.com/v1
+# OPENAI_MODEL_LIST=...

package/docker-compose/production/zitadel/docker-compose.yml

@@ -0,0 +1,69 @@
+services:
+  postgresql:
+    image: pgvector/pgvector:pg16
+    container_name: lobe-postgres
+    ports:
+      - '5432:5432'
+    volumes:
+      - './data:/var/lib/postgresql/data'
+    environment:
+      - 'POSTGRES_DB=lobe'
+      - 'POSTGRES_PASSWORD=uWNZugjBqixf8dxC'
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    restart: always
+
+  minio:
+    image: minio/minio
+    container_name: lobe-minio
+    ports:
+      - '9000:9000'
+      - '9001:9001'
+    volumes:
+      - './s3_data:/etc/minio/data'
+    environment:
+      - 'MINIO_ROOT_USER=YOUR_MINIO_USER'
+      - 'MINIO_ROOT_PASSWORD=YOUR_MINIO_PASSWORD'
+      - 'MINIO_DOMAIN=lobe-s3-api.example.com'
+      - 'MINIO_API_CORS_ALLOW_ORIGIN=https://lobe.example.com' # Your LobeChat's domain name.
+    restart: always
+    command: >
+      server /etc/minio/data --address ":9000" --console-address ":9001"
+      
+  zitadel:
+    restart: always
+    image: ghcr.io/zitadel/zitadel:latest
+    container_name: lobe-zitadel
+    command: start-from-init --config /zitadel-config.yaml --steps
+      /zitadel-init-steps.yaml --masterkey "cft3Tekr/rQBOqwoQSCPoncA9BHbn7QJ"
+      --tlsMode external  #MasterkeyNeedsToHave32Characters
+    ports:
+      - 8080:8080
+    volumes:
+      - ./zitadel-config.yaml:/zitadel-config.yaml:ro
+      - ./zitadel-init-steps.yaml:/zitadel-init-steps.yaml:ro
+    depends_on:
+      postgresql:
+        condition: service_healthy
+
+  lobe:
+    image: lobehub/lobe-chat-database
+    container_name: lobe-database
+    ports:
+      - '3210:3210'
+    depends_on:
+      - postgresql
+      - minio
+      - zitadel
+    env_file:
+      - .env
+    restart: always
+
+volumes:
+  data:
+    driver: local
+  s3_data:
+    driver: local

package/docker-compose/production/zitadel/zitadel-config.yaml

@@ -0,0 +1,25 @@
+Log:
+  Level: 'info'
+
+ExternalPort: 443 
+ExternalDomain: example.com #Your zitadel's domain name
+ExternalSecure: true 
+TLS:
+  Enabled: false # ZITADEL_TLS_ENABLED
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    Host: postgresql
+    Port: 5432
+    Database: zitadel
+    User:
+      Username: 'zitadel'
+      Password: 'zitadel'
+      SSL:
+        Mode: 'disable'
+    Admin:
+      Username: 'postgres'
+      Password: 'uWNZugjBqixf8dxC' #postgres password
+      SSL:
+        Mode: 'disable'

package/docker-compose/production/zitadel/zitadel-init-steps.yaml

@@ -0,0 +1,11 @@
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
+FirstInstance:
+  Org:
+    Human:
+      # use the loginname root@zitadel.localhost, replace localhost with your configured external domain
+      Username: 'root'
+      # The password must be 8 characters or more and must contain uppercase letters, lowercase letters, symbols, and numbers. The first login will require a password change. 
+      Password: 'Password1!'
+      Email:
+        # Optional, if set, can be used to log in with email.
+        Address: 'example@zitadel.com' # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS    

package/docs/self-hosting/server-database/docker-compose.mdx

@@ -88,7 +88,7 @@ docker compose up -d
    - `Redirect URI` should be `http://localhost:3210/api/auth/callback/logto`
    - `Post sign-out redirect URI` should be `http://localhost:3210/`
 
-3. Obtain the `App ID` and `App secrets`, and fill them into your `.env` file corresponding to `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET`.
+3. Obtain the `App ID` and `App secrets`, and fill them into your `.env` file corresponding to `AUTH_LOGTO_ID` and `AUTH_LOGTO_SECRET`.
 
 ### Configure MinIO S3
 
@@ -258,9 +258,9 @@ You need to first access the WebUI for configuration:
      src="https://github.com/user-attachments/assets/5b816379-c07b-40ea-bde4-df16e2e4e523"
    />
 
-5. Obtain `App ID` and `App secrets`, and fill them into your `.env` file under `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET`.
+5. Obtain `App ID` and `App secrets`, and fill them into your `.env` file under `AUTH_LOGTO_ID` and `AUTH_LOGTO_SECRET`.
 
-6. Set `LOGTO_ISSUER` in your `.env` file to `https://lobe-auth-api.example.com/oidc`.
+6. Set `AUTH_LOGTO_ISSUER` in your `.env` file to `https://lobe-auth-api.example.com/oidc`.
 
    <Image
      alt="Configure environment variables"
@@ -349,8 +349,8 @@ To facilitate one-click copying, here are the example configuration files needed
 
 ```sh
 # Logto secret
-LOGTO_CLIENT_ID=
-LOGTO_CLIENT_SECRET=
+AUTH_LOGTO_ID=
+AUTH_LOGTO_SECRET=
 
 # MinIO S3 configuration
 MINIO_ROOT_USER=YOUR_MINIO_USER
@@ -467,7 +467,7 @@ services:
       - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
       - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
       - 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth'
-      - 'LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
+      - 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
       - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
       - 'S3_ENDPOINT=http://localhost:${MINIO_PORT}'
       - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
@@ -519,9 +519,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth
 
 # NextAuth providers configuration (example using Logto)
 # For other providers, see: https://lobehub.com/docs/self-hosting/environment-variables/auth
-LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
-LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
-LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
+AUTH_LOGTO_ID=YOUR_LOGTO_CLIENT_ID
+AUTH_LOGTO_SECRET=YOUR_LOGTO_CLIENT_SECRET
+AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
 
 # Proxy settings (if needed, e.g., when using GitHub as an auth provider)
 # HTTP_PROXY=http://localhost:7890

package/docs/self-hosting/server-database/docker-compose.zh-CN.mdx

@@ -86,7 +86,7 @@ docker compose up -d
    - `Redirect URI` 为 `http://localhost:3210/api/auth/callback/logto`
    - `Post sign-out redirect URI` 为 `http://localhost:3210/`
 
-3. 获取 `App ID` 和 `App secrets`，填入 `.env` 文件中对应的 `LOGTO_CLIENT_ID` 、 `LOGTO_CLIENT_SECRETT`
+3. 获取 `App ID` 和 `App secrets`，填入 `.env` 文件中对应的 `AUTH_LOGTO_ID` 、 `AUTH_LOGTO_SECRET`
 
 ### 配置 MinIO S3
 
@@ -256,9 +256,9 @@ docker compose up -d # 重新启动
      src="https://github.com/user-attachments/assets/5b816379-c07b-40ea-bde4-df16e2e4e523"
    />
 
-5. 获取 `App ID` 和 `App secrets`，填入你的 `.env` 文件中的 `LOGTO_CLIENT_ID` 和 `LOGTO_CLIENT_SECRETT` 中
+5. 获取 `App ID` 和 `App secrets`，填入你的 `.env` 文件中的 `AUTH_LOGTO_ID` 和 `AUTH_LOGTO_SECRET` 中
 
-6. 配置你的 `.env` 文件中 `LOGTO_ISSUER` 为 `https://lobe-auth-api.example.com/oidc`
+6. 配置你的 `.env` 文件中 `AUTH_LOGTO_ISSUER` 为 `https://lobe-auth-api.example.com/oidc`
 
    <Image
      alt="配置 Logto 环境变量"
@@ -346,8 +346,8 @@ docker compose up -d # 重新启动
 
 ```sh
 # Logto secret
-LOGTO_CLIENT_ID=
-LOGTO_CLIENT_SECRET=
+AUTH_LOGTO_ID=
+AUTH_LOGTO_SECRET=
 
 # MinIO S3 配置
 MINIO_ROOT_USER=YOUR_MINIO_USER
@@ -464,7 +464,7 @@ services:
       - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
       - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
       - 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth'
-      - 'LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
+      - 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
       - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
       - 'S3_ENDPOINT=http://localhost:${MINIO_PORT}'
       - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
@@ -515,9 +515,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth
 
 # NextAuth 鉴权服务提供商部分，以 Logto 为例
 # 其他鉴权服务提供商所需的环境变量，请参考：https://lobehub.com/zh/docs/self-hosting/environment-variables/auth
-LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
-LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
-LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
+AUTH_LOGTO_ID=YOUR_LOGTO_CLIENT_ID
+AUTH_LOGTO_SECRET=YOUR_LOGTO_CLIENT_SECRET
+AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
 
 # 代理相关，如果你需要的话（比如你使用 GitHub 作为鉴权服务提供商）
 # HTTP_PROXY=http://localhost:7890

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/chat",
-  "version": "1.20.3",
+  "version": "1.20.5",
   "description": "Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -217,7 +217,7 @@
     "systemjs": "^6.15.1",
     "ts-md5": "^1.3.1",
     "ua-parser-js": "^1.0.38",
-    "unstructured-client": "^0.16.0",
+    "unstructured-client": "^0.18.0",
     "url-join": "^5.0.0",
     "use-merge-value": "^1.2.0",
     "utility-types": "^3.11.0",

package/scripts/serverLauncher/startServer.js

@@ -0,0 +1,181 @@
+const dns = require('dns').promises;
+const fs = require('fs');
+const tls = require('tls');
+const { spawn } = require('child_process');
+
+// Set file paths
+const DB_MIGRATION_SCRIPT_PATH = '/app/docker.cjs';
+const SERVER_SCRIPT_PATH = '/app/server.js';
+const PROXYCHAINS_CONF_PATH = '/etc/proxychains4.conf';
+
+// Function to check if a string is a valid IP address
+const isValidIP = (ip, version = 4) => {
+  const ipv4Regex = /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/;
+  const ipv6Regex = /^(([0-9a-f]{1,4}:){7,7}[0-9a-f]{1,4}|([0-9a-f]{1,4}:){1,7}:|([0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|([0-9a-f]{1,4}:){1,5}(:[0-9a-f]{1,4}){1,2}|([0-9a-f]{1,4}:){1,4}(:[0-9a-f]{1,4}){1,3}|([0-9a-f]{1,4}:){1,3}(:[0-9a-f]{1,4}){1,4}|([0-9a-f]{1,4}:){1,2}(:[0-9a-f]{1,4}){1,5}|[0-9a-f]{1,4}:((:[0-9a-f]{1,4}){1,6})|:((:[0-9a-f]{1,4}){1,7}|:)|fe80:(:[0-9a-f]{0,4}){0,4}%[0-9a-z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-f]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/;
+
+  switch (version) {
+    case 4:
+      return ipv4Regex.test(ip);
+    case 6:
+      return ipv6Regex.test(ip);
+    default:
+      return ipv4Regex.test(ip) || ipv6Regex.test(ip);
+  }
+};
+
+// Function to check TLS validity of a URL
+const isValidTLS = (url = '') => {
+  if (!url) {
+    console.log('⚠️ TLS Check: No URL provided. Skipping TLS check. Ensure correct setting ENV.');
+    console.log('-------------------------------------');
+    return Promise.resolve();
+  }
+
+  const { protocol, host, port } = parseUrl(url);
+  if (protocol !== 'https') {
+    console.log(`⚠️ TLS Check: Non-HTTPS protocol (${protocol}). Skipping TLS check for ${url}.`);
+    console.log('-------------------------------------');
+    return Promise.resolve();
+  }
+
+  const options = { host, port, servername: host };
+  return new Promise((resolve, reject) => {
+    const socket = tls.connect(options, () => {
+      if (socket.authorized) {
+        console.log(`✅ TLS Check: Valid certificate for ${host}:${port}.`);
+        console.log('-------------------------------------');
+        resolve();
+      }
+      socket.end();
+    });
+
+    socket.on('error', (err) => {
+      const errMsg = `❌ TLS Check: Error for ${host}:${port}. Details:`;
+      switch (err.code) {
+        case 'CERT_HAS_EXPIRED':
+        case 'DEPTH_ZERO_SELF_SIGNED_CERT':
+          console.error(`${errMsg} Certificate is not valid. Consider setting NODE_TLS_REJECT_UNAUTHORIZED="0" or mapping /etc/ssl/certs/ca-certificates.crt.`);
+          break;
+        case 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY':
+          console.error(`${errMsg} Unable to verify issuer. Ensure correct mapping of /etc/ssl/certs/ca-certificates.crt.`);
+          break;
+        default:
+          console.error(`${errMsg} Network issue. Check firewall or DNS.`);
+          break;
+      }
+      reject(err);
+    });
+  });
+};
+
+// Function to check TLS connections for OSS and Auth Issuer
+const checkTLSConnections = async () => {
+  await Promise.all([
+    isValidTLS(process.env.S3_ENDPOINT),
+    isValidTLS(process.env.S3_PUBLIC_DOMAIN),
+    isValidTLS(getEnvVarsByKeyword('_ISSUER')),
+  ]);
+};
+
+// Function to get environment variable by keyword
+const getEnvVarsByKeyword = (keyword) => {
+  return Object.entries(process.env)
+    .filter(([key, value]) => key.includes(keyword) && value)
+    .map(([, value]) => value)[0] || null;
+};
+
+// Function to parse protocol, host and port from a URL
+const parseUrl = (url) => {
+  const { protocol, hostname: host, port } = new URL(url);
+  return { protocol: protocol.replace(':', ''), host, port: port || 443 };
+};
+
+// Function to resolve host IP via DNS
+const resolveHostIP = async (host, version = 4) => {
+  try {
+    const { address } = await dns.lookup(host, { family: version });
+
+    if (!isValidIP(address, version)) {
+      console.error(`❌ DNS Error: Invalid resolved IP: ${address}. IP address must be IPv${version}.`);
+      process.exit(1);
+    }
+
+    return address;
+  } catch (err) {
+    console.error(`❌ DNS Error: Could not resolve ${host}. Check DNS server.`, err);
+    process.exit(1);
+  }
+};
+
+// Function to generate proxychains configuration
+const runProxyChainsConfGenerator = async (url) => {
+  const { protocol, host, port } = parseUrl(url);
+
+  if (!['http', 'socks4', 'socks5'].includes(protocol)) {
+    console.error(`❌ ProxyChains: Invalid protocol (${protocol}). Protocol must be 'http', 'socks4' and 'socks5'.`);
+    process.exit(1);
+  }
+
+  const validPort = parseInt(port, 10);
+  if (isNaN(validPort) || validPort <= 0 || validPort > 65535) {
+    console.error(`❌ ProxyChains: Invalid port (${port}). Port must be a number between 1 and 65535.`);
+    process.exit(1);
+  }
+
+  let ip = isValidIP(host, 4) ? host : await resolveHostIP(host, 4);
+
+  const configContent = `
+localnet 127.0.0.0/255.0.0.0
+localnet ::1/128
+proxy_dns
+remote_dns_subnet 224
+strict_chain
+tcp_connect_time_out 8000
+tcp_read_time_out 15000
+[ProxyList]
+${protocol} ${ip} ${port}
+`.trim();
+
+  fs.writeFileSync(PROXYCHAINS_CONF_PATH, configContent);
+  console.log(`✅ ProxyChains: All outgoing traffic routed via ${protocol}://${ip}:${port}.`);
+  console.log('-------------------------------------');
+};
+
+// Function to execute a script with child process spawn
+const runScript = (scriptPath, useProxy = false) => {
+  const command = useProxy ? ['/bin/proxychains', '-q', '/bin/node', scriptPath] : ['/bin/node', scriptPath];
+  return new Promise((resolve, reject) => {
+    const process = spawn(command.shift(), command, { stdio: 'inherit' });
+    process.on('close', (code) => (code === 0 ? resolve() : reject(new Error(`🔴 Process exited with code ${code}`))));
+  });
+};
+
+// Main function to run the server with optional proxy
+const runServer = async () => {
+  const PROXY_URL = process.env.PROXY_URL || ''; // Default empty string to avoid undefined errors
+
+  if (PROXY_URL) {
+    await runProxyChainsConfGenerator(PROXY_URL);
+    return runScript(SERVER_SCRIPT_PATH, true);
+  }
+  return runScript(SERVER_SCRIPT_PATH);
+};
+
+// Main execution block
+(async () => {
+  console.log('🌐 DNS Server:', dns.getServers());
+  console.log('-------------------------------------');
+
+  if (process.env.DATABASE_DRIVER) {
+    try {
+      await runScript(DB_MIGRATION_SCRIPT_PATH);
+      await checkTLSConnections();
+    } catch (err) {
+      console.error('❌ Error during DB migration or TLS connection check:', err);
+      process.exit(1);
+    }
+  }
+
+  // Run the server in either database or non-database mode
+  await runServer();
+})();

package/src/app/(main)/chat/(workspace)/_layout/Desktop/ChatHeader/index.tsx

@@ -3,6 +3,12 @@ import { ChatHeader } from '@lobehub/ui';
 import HeaderAction from './HeaderAction';
 import Main from './Main';
 
-const Header = () => <ChatHeader left={<Main />} right={<HeaderAction />} style={{ zIndex: 11 }} />;
+const Header = () => (
+  <ChatHeader
+    left={<Main />}
+    right={<HeaderAction />}
+    style={{ minHeight: 64, position: 'initial', zIndex: 11 }}
+  />
+);
 
 export default Header;

package/src/app/(main)/chat/(workspace)/_layout/Desktop/Portal.tsx

@@ -6,7 +6,6 @@ import { rgba } from 'polished';
 import { PropsWithChildren, memo } from 'react';
 import { Flexbox } from 'react-layout-kit';
 
-import SafeSpacing from '@/components/SafeSpacing';
 import { CHAT_DOCK_TOOL_UI_WIDTH, CHAT_DOCK_WIDTH, MAX_WIDTH } from '@/const/layoutTokens';
 import { useChatStore } from '@/store/chat';
 import { chatPortalSelectors } from '@/store/chat/slices/portal/selectors';
@@ -69,7 +68,6 @@ const PortalPanel = memo(({ children }: PropsWithChildren) => {
             minWidth: CHAT_DOCK_WIDTH,
           }}
         >
-          <SafeSpacing />
           <Flexbox className={styles.panel}>{children}</Flexbox>
         </DraggablePanelContainer>
       </DraggablePanel>

package/src/app/(main)/chat/(workspace)/_layout/Desktop/TopicPanel.tsx

@@ -5,7 +5,6 @@ import { createStyles, useResponsive } from 'antd-style';
 import isEqual from 'fast-deep-equal';
 import { PropsWithChildren, memo, useEffect, useState } from 'react';
 
-import SafeSpacing from '@/components/SafeSpacing';
 import { CHAT_SIDEBAR_WIDTH } from '@/const/layoutTokens';
 import { useChatStore } from '@/store/chat';
 import { chatPortalSelectors } from '@/store/chat/slices/portal/selectors';
@@ -71,7 +70,6 @@ const TopicPanel = memo(({ children }: PropsWithChildren) => {
             minWidth: CHAT_SIDEBAR_WIDTH,
           }}
         >
-          <SafeSpacing />
           {children}
         </DraggablePanelContainer>
       </DraggablePanel>

package/src/app/(main)/chat/@session/features/SessionListContent/Modals/ConfigGroupModal/index.tsx

@@ -13,7 +13,7 @@ import { SessionGroupItem } from '@/types/session';
 
 import GroupItem from './GroupItem';
 
-const useStyles = createStyles(({ css, token, stylish }) => ({
+const useStyles = createStyles(({ css, token }) => ({
   container: css`
     height: 36px;
     padding-inline: 8px;
@@ -21,7 +21,6 @@ const useStyles = createStyles(({ css, token, stylish }) => ({
     transition: background 0.2s ease-in-out;
 
     &:hover {
-      ${stylish.blur};
       background: ${token.colorFillTertiary};
     }
   `,

package/src/components/DragUpload/index.tsx

@@ -58,7 +58,6 @@ const useStyles = createStyles(({ css, token }) => {
       height: 100%;
 
       background: ${token.colorBgMask};
-      backdrop-filter: blur(4px);
 
       transition: all 0.3s ease-in-out;
     `,

package/src/components/FunctionModal/style.tsx

@@ -31,7 +31,6 @@ export const useStyles = createStyles(({ css, token, prefixCls, isDarkMode, resp
     `,
     wrap: css`
       overflow: hidden auto;
-      backdrop-filter: blur(2px);
     `,
   };
 });

package/src/components/GuideModal/index.tsx

@@ -32,7 +32,6 @@ const useStyles = createStyles(({ css, token, prefixCls }) => {
     `,
     wrap: css`
       overflow: hidden auto;
-      backdrop-filter: blur(2px);
     `,
   };
 });

package/src/features/Conversation/components/VirtualizedList/index.tsx

@@ -43,10 +43,9 @@ const VirtualizedList = memo<VirtualizedListProps>(({ mobile }) => {
 
   const data = useChatStore((s) => {
     const showInboxWelcome = chatSelectors.showInboxWelcome(s);
-    const ids = showInboxWelcome
+    return showInboxWelcome
       ? [WELCOME_GUIDE_CHAT_ID]
       : chatSelectors.currentChatIDsWithGuideMessage(s);
-    return ['empty', ...ids];
   }, isEqual);
 
   useEffect(() => {
@@ -71,11 +70,7 @@ const VirtualizedList = memo<VirtualizedListProps>(({ mobile }) => {
     (index: number, id: string) => {
       if (id === WELCOME_GUIDE_CHAT_ID) return <InboxWelcome />;
 
-      return index === 0 ? (
-        <div style={{ height: 24 + (mobile ? 0 : 64) }} />
-      ) : (
-        <Item id={id} index={index - 1} />
-      );
+      return <Item id={id} index={index} />;
     },
     [mobile],
   );

package/src/layout/AuthProvider/Clerk/useAppearance.ts

@@ -26,7 +26,6 @@ export const useStyles = createStyles(
       `,
       modalBackdrop: css`
         background: ${token.colorBgMask};
-        backdrop-filter: blur(2px);
       `,
       modalContent: css`
         &.${prefixCls}-modalContent {