@xcanwin/manyoyo 5.8.2 → 5.8.5

package/lib/web/frontend/app.css

@@ -15,7 +15,7 @@
     --line-strong: #b59263;
     --line-soft: rgba(181, 146, 99, 0.26);
     --tree-guide: rgba(181, 146, 99, 0.44);
-    --tree-guide-soft: rgba(181, 146, 99, 0.2);
+    --tree-guide-soft: rgba(181, 146, 99, 0.44);
 
     --text: #1f1a14;
     --muted: #6a5f52;
@@ -341,6 +341,17 @@ textarea:focus-visible {
     white-space: pre-wrap;
 }
 
+.modal-success {
+    margin-top: 10px;
+    color: #196c43;
+    font-size: 13px;
+    padding: 8px 10px;
+    border: 1px solid #9fd1b4;
+    border-radius: 8px;
+    background: #eef9f1;
+    white-space: pre-wrap;
+}
+
 .config-editor {
     width: 100%;
     min-height: 340px;
@@ -719,7 +730,7 @@ button.tree-toggle:active {
     width: 10px;
     height: 1px;
     background: var(--tree-guide-soft);
-    transform: translateY(-0.5px);
+    transform: translateY(0);
 }
 
 .disclosure-toggle {

package/lib/web/frontend/app.html

@@ -136,11 +136,12 @@
                 <div class="modal-body">
                     <div id="configPath" class="modal-tip"></div>
                     <textarea id="configEditor" class="config-editor" spellcheck="false"></textarea>
+                    <div id="configStatus" class="modal-success" hidden></div>
                     <div id="configError" class="modal-error" hidden></div>
                 </div>
                 <footer class="modal-footer">
                     <button type="button" id="configReloadBtn" class="secondary">重新加载</button>
-                    <button type="button" id="configSaveBtn">只读</button>
+                    <button type="button" id="configSaveBtn">保存</button>
                 </footer>
             </section>
         </div>

package/lib/web/frontend/app.js

@@ -53,6 +53,7 @@
         agentTemplateModalOpen: false,
         configLoading: false,
         configSaving: false,
+        configSaveMessage: '',
         createLoading: false,
         createSubmitting: false,
         agentTemplateSaving: false,
@@ -127,6 +128,7 @@
     const configModalTitle = document.getElementById('configModalTitle');
     const configPath = document.getElementById('configPath');
     const configEditor = document.getElementById('configEditor');
+    const configStatus = document.getElementById('configStatus');
     const configError = document.getElementById('configError');
     const configReloadBtn = document.getElementById('configReloadBtn');
     const configSaveBtn = document.getElementById('configSaveBtn');
@@ -726,6 +728,18 @@
         configError.textContent = text;
     }
 
+    function showConfigStatus(message) {
+        if (!configStatus) return;
+        const text = String(message || '').trim();
+        if (!text) {
+            configStatus.hidden = true;
+            configStatus.textContent = '';
+            return;
+        }
+        configStatus.hidden = false;
+        configStatus.textContent = text;
+    }
+
     function showDirectoryPickerError(message) {
         if (!directoryPickerError) return;
         const text = String(message || '').trim();
@@ -2032,7 +2046,12 @@
             openConfigBtn.disabled = state.configLoading || state.configSaving;
         }
         if (configSaveBtn) {
-            configSaveBtn.disabled = true;
+            configSaveBtn.disabled = state.configLoading
+                || state.configSaving
+                || !state.configModalOpen
+                || !state.configSnapshot
+                || state.configSnapshot.editable === false;
+            configSaveBtn.textContent = state.configSaving ? '保存中...' : '保存';
         }
         if (configReloadBtn) {
             configReloadBtn.disabled = state.configLoading || state.configSaving;
@@ -2224,30 +2243,33 @@
         return snapshot;
     }
 
+    function renderConfigModalSnapshot(config) {
+        if (configModalTitle) {
+            configModalTitle.textContent = '编辑配置 (~/.manyoyo/manyoyo.json)';
+        }
+        if (configPath) {
+            const lines = [config.path || ''];
+            if (config.notice) {
+                lines.push(config.notice);
+            }
+            configPath.textContent = lines.filter(Boolean).join('\n');
+        }
+        if (configEditor) {
+            configEditor.readOnly = config.editable === false;
+            configEditor.value = typeof config.raw === 'string' ? config.raw : '';
+        }
+    }
+
     async function openConfigModal() {
         closeCreateModal();
         state.configLoading = true;
+        state.configSaveMessage = '';
         showConfigError('');
+        showConfigStatus('');
         syncUi();
         try {
             const config = await fetchConfigSnapshot();
-            if (configModalTitle) {
-                configModalTitle.textContent = '查看配置摘要 (~/.manyoyo/manyoyo.json)';
-            }
-            if (configPath) {
-                const lines = [config.path || ''];
-                if (config.notice) {
-                    lines.push(config.notice);
-                }
-                configPath.textContent = lines.filter(Boolean).join('\n');
-            }
-            if (configEditor) {
-                configEditor.readOnly = true;
-                configEditor.value = stringifyPrettyJson({
-                    defaults: config.defaults || {},
-                    runs: config.parsed && config.parsed.runs ? config.parsed.runs : {}
-                });
-            }
+            renderConfigModalSnapshot(config);
             if (config.parseError) {
                 showConfigError('当前文件存在解析错误：' + config.parseError);
             }
@@ -2267,7 +2289,29 @@
     }
 
     async function saveConfig() {
-        alert('Web 端已禁用明文配置编辑，请在本地 ~/.manyoyo/manyoyo.json 中维护敏感配置。');
+        if (!configEditor || !state.configSnapshot || state.configSnapshot.editable === false) {
+            return;
+        }
+        state.configSaving = true;
+        state.configSaveMessage = '';
+        showConfigError('');
+        showConfigStatus('');
+        syncUi();
+        try {
+            await api('/api/config', {
+                method: 'PUT',
+                body: JSON.stringify({ raw: configEditor.value || '' })
+            });
+            const config = await fetchConfigSnapshot();
+            renderConfigModalSnapshot(config);
+            state.configSaveMessage = '已保存到 ~/.manyoyo/manyoyo.json';
+            showConfigStatus(state.configSaveMessage);
+        } catch (e) {
+            showConfigError(e.message);
+        } finally {
+            state.configSaving = false;
+            syncUi();
+        }
     }
 
     async function openCreateModal() {
@@ -3562,6 +3606,16 @@
         });
     }
 
+    if (configEditor) {
+        configEditor.addEventListener('input', function () {
+            if (!state.configSaveMessage) {
+                return;
+            }
+            state.configSaveMessage = '';
+            showConfigStatus('');
+        });
+    }
+
     if (createCancelBtn) {
         createCancelBtn.addEventListener('click', function () {
             closeCreateModal();

package/lib/web/server.js

@@ -32,6 +32,7 @@ const WEB_AUTH_TTL_SECONDS = 12 * 60 * 60;
 const WEB_SESSION_KEY_SEPARATOR = '~';
 const WEB_DEFAULT_AGENT_ID = 'default';
 const WEB_DEFAULT_AGENT_NAME = 'AGENT 1';
+const WEB_CONFIG_KEEP_SECRET_PLACEHOLDER = '***HIDDEN_SECRET***';
 const FRONTEND_DIR = path.join(__dirname, 'frontend');
 const SAFE_CONTAINER_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_.-]*$/;
 const IMAGE_VERSION_TAG_PATTERN = /^(\d+\.\d+\.\d+)-([A-Za-z0-9][A-Za-z0-9_.-]*)$/;
@@ -1635,6 +1636,334 @@ function isSensitiveConfigKey(key) {
     return Boolean(normalized) && SENSITIVE_CONFIG_KEY_PATTERN.test(normalized);
 }
 
+function readConfigQuotedString(text, startIndex) {
+    const quote = text[startIndex];
+    let value = '';
+
+    for (let i = startIndex + 1; i < text.length; i += 1) {
+        const ch = text[i];
+        if (ch === '\\') {
+            value += ch;
+            if (i + 1 < text.length) {
+                value += text[i + 1];
+                i += 1;
+            }
+            continue;
+        }
+        if (ch === quote) {
+            return {
+                value,
+                end: i + 1
+            };
+        }
+        value += ch;
+    }
+
+    return null;
+}
+
+function isConfigIdentifierStart(ch) {
+    return /[A-Za-z_$]/.test(ch);
+}
+
+function isConfigIdentifierPart(ch) {
+    return /[A-Za-z0-9_$]/.test(ch);
+}
+
+function skipConfigTrivia(text, index) {
+    let cursor = index;
+    while (cursor < text.length) {
+        const ch = text[cursor];
+        const next = text[cursor + 1];
+        if (/\s/.test(ch)) {
+            cursor += 1;
+            continue;
+        }
+        if (ch === '/' && next === '/') {
+            cursor += 2;
+            while (cursor < text.length && text[cursor] !== '\n') {
+                cursor += 1;
+            }
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            cursor += 2;
+            while (cursor + 1 < text.length && !(text[cursor] === '*' && text[cursor + 1] === '/')) {
+                cursor += 1;
+            }
+            cursor = cursor + 1 < text.length ? cursor + 2 : text.length;
+            continue;
+        }
+        break;
+    }
+    return cursor;
+}
+
+function scanConfigValueEnd(text, startIndex) {
+    let cursor = startIndex;
+    let stringQuote = '';
+    let lineComment = false;
+    let blockComment = false;
+    let depth = 0;
+
+    for (; cursor < text.length; cursor += 1) {
+        const ch = text[cursor];
+        const next = text[cursor + 1];
+
+        if (lineComment) {
+            if (ch === '\n') {
+                lineComment = false;
+            }
+            continue;
+        }
+        if (blockComment) {
+            if (ch === '*' && next === '/') {
+                blockComment = false;
+                cursor += 1;
+            }
+            continue;
+        }
+        if (stringQuote) {
+            if (ch === '\\') {
+                cursor += 1;
+                continue;
+            }
+            if (ch === stringQuote) {
+                stringQuote = '';
+            }
+            continue;
+        }
+
+        if (ch === '/' && next === '/') {
+            lineComment = true;
+            cursor += 1;
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            blockComment = true;
+            cursor += 1;
+            continue;
+        }
+        if (ch === '"' || ch === '\'') {
+            stringQuote = ch;
+            continue;
+        }
+        if (ch === '{' || ch === '[' || ch === '(') {
+            depth += 1;
+            continue;
+        }
+        if (ch === '}' || ch === ']' || ch === ')') {
+            if (depth === 0) {
+                break;
+            }
+            depth -= 1;
+            continue;
+        }
+        if (depth === 0 && ch === ',') {
+            break;
+        }
+    }
+
+    let end = cursor;
+    while (end > startIndex && /\s/.test(text[end - 1])) {
+        end -= 1;
+    }
+    return end;
+}
+
+function findConfigRootObjectStart(text) {
+    const start = skipConfigTrivia(String(text || ''), 0);
+    return text[start] === '{' ? start : -1;
+}
+
+function readConfigPropertyToken(text, startIndex) {
+    const ch = text[startIndex];
+    if (ch === '"' || ch === '\'') {
+        const token = readConfigQuotedString(text, startIndex);
+        if (!token) {
+            return null;
+        }
+        return token;
+    }
+    if (!isConfigIdentifierStart(ch)) {
+        return null;
+    }
+    let end = startIndex + 1;
+    while (end < text.length && isConfigIdentifierPart(text[end])) {
+        end += 1;
+    }
+    return {
+        value: text.slice(startIndex, end),
+        end
+    };
+}
+
+function findConfigObjectPropertyValueRange(text, objectStartIndex, propertyName) {
+    let cursor = skipConfigTrivia(text, objectStartIndex + 1);
+    while (cursor < text.length) {
+        cursor = skipConfigTrivia(text, cursor);
+        if (text[cursor] === '}') {
+            return null;
+        }
+        const token = readConfigPropertyToken(text, cursor);
+        if (!token) {
+            return null;
+        }
+        cursor = skipConfigTrivia(text, token.end);
+        if (text[cursor] !== ':') {
+            return null;
+        }
+        const valueStart = skipConfigTrivia(text, cursor + 1);
+        const valueEnd = scanConfigValueEnd(text, valueStart);
+        if (token.value === propertyName) {
+            return { start: valueStart, end: valueEnd };
+        }
+        cursor = skipConfigTrivia(text, valueEnd);
+        if (text[cursor] === ',') {
+            cursor += 1;
+            continue;
+        }
+        if (text[cursor] === '}') {
+            return null;
+        }
+    }
+    return null;
+}
+
+function findConfigValueRangeByPath(text, pathParts) {
+    if (!Array.isArray(pathParts) || pathParts.length === 0) {
+        return null;
+    }
+    let objectStart = findConfigRootObjectStart(text);
+    if (objectStart === -1) {
+        return null;
+    }
+    let range = null;
+    for (let i = 0; i < pathParts.length; i += 1) {
+        range = findConfigObjectPropertyValueRange(text, objectStart, pathParts[i]);
+        if (!range) {
+            return null;
+        }
+        if (i === pathParts.length - 1) {
+            return range;
+        }
+        const nextObjectStart = skipConfigTrivia(text, range.start);
+        if (text[nextObjectStart] !== '{') {
+            return null;
+        }
+        objectStart = nextObjectStart;
+    }
+    return range;
+}
+
+function collectSensitiveConfigPaths(value, pathParts = []) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return [];
+    }
+    const result = [];
+    Object.entries(toPlainObject(value)).forEach(([key, item]) => {
+        const nextPath = pathParts.concat(key);
+        if (isSensitiveConfigKey(key)) {
+            result.push(nextPath);
+            return;
+        }
+        if (item && typeof item === 'object' && !Array.isArray(item)) {
+            result.push(...collectSensitiveConfigPaths(item, nextPath));
+        }
+    });
+    return result;
+}
+
+function collectSensitivePlaceholderPaths(value, pathParts = []) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return [];
+    }
+    const result = [];
+    Object.entries(toPlainObject(value)).forEach(([key, item]) => {
+        const nextPath = pathParts.concat(key);
+        if (isSensitiveConfigKey(key)) {
+            if (item === WEB_CONFIG_KEEP_SECRET_PLACEHOLDER) {
+                result.push(nextPath);
+            }
+            return;
+        }
+        if (item && typeof item === 'object' && !Array.isArray(item)) {
+            result.push(...collectSensitivePlaceholderPaths(item, nextPath));
+        }
+    });
+    return result;
+}
+
+function applyConfigTextReplacements(text, replacements) {
+    return replacements
+        .slice()
+        .sort((a, b) => b.start - a.start)
+        .reduce((result, item) => `${result.slice(0, item.start)}${item.text}${result.slice(item.end)}`, text);
+}
+
+function buildConfigPathLabel(pathParts) {
+    return (Array.isArray(pathParts) ? pathParts : []).join('.');
+}
+
+function maskWebConfigRaw(raw, parsed) {
+    const text = String(raw || '');
+    const replacements = collectSensitiveConfigPaths(parsed).map(pathParts => {
+        const range = findConfigValueRangeByPath(text, pathParts);
+        if (!range) {
+            throw new Error(`敏感字段定位失败: ${buildConfigPathLabel(pathParts)}`);
+        }
+        return {
+            start: range.start,
+            end: range.end,
+            text: JSON.stringify(WEB_CONFIG_KEEP_SECRET_PLACEHOLDER)
+        };
+    });
+    return applyConfigTextReplacements(text, replacements);
+}
+
+function parseConfigRawObject(raw) {
+    const parsed = JSON5.parse(String(raw || ''));
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new Error('配置根节点必须是对象(map)');
+    }
+    return toPlainObject(parsed);
+}
+
+function restoreWebConfigSecrets(raw, snapshot) {
+    const text = String(raw || '');
+    if (!text.includes(WEB_CONFIG_KEEP_SECRET_PLACEHOLDER)) {
+        return text;
+    }
+    if (!snapshot || snapshot.parseError) {
+        throw new Error('当前配置存在解析错误，无法回填敏感值');
+    }
+
+    const editedConfig = parseConfigRawObject(text);
+    const placeholderPaths = collectSensitivePlaceholderPaths(editedConfig);
+    if (!placeholderPaths.length) {
+        return text;
+    }
+
+    const currentRaw = String(snapshot.raw || '');
+    const replacements = placeholderPaths.map(pathParts => {
+        const editedRange = findConfigValueRangeByPath(text, pathParts);
+        const currentRange = findConfigValueRangeByPath(currentRaw, pathParts);
+        if (!editedRange) {
+            throw new Error(`敏感字段定位失败: ${buildConfigPathLabel(pathParts)}`);
+        }
+        if (!currentRange) {
+            throw new Error(`敏感字段缺少可保留的旧值: ${buildConfigPathLabel(pathParts)}`);
+        }
+        return {
+            start: editedRange.start,
+            end: editedRange.end,
+            text: currentRaw.slice(currentRange.start, currentRange.end)
+        };
+    });
+
+    return applyConfigTextReplacements(text, replacements);
+}
+
 function redactConfigValue(value) {
     if (Array.isArray(value)) {
         return value.map(item => redactConfigValue(item));
@@ -1673,13 +2002,29 @@ function redactConfigObject(value) {
 
 function buildSafeWebConfigSnapshot(snapshot, ctx) {
     const parsed = snapshot && snapshot.parseError ? {} : toPlainObject(snapshot && snapshot.parsed);
+    let raw = '';
+    let editable = false;
+    let notice = 'Web 端显示原文 JSON5；敏感值以 ***HIDDEN_SECRET*** 占位，保存时会保留原值。';
+    if (snapshot && !snapshot.parseError) {
+        try {
+            raw = maskWebConfigRaw(snapshot.raw || '', parsed);
+            editable = true;
+        } catch (e) {
+            raw = '';
+            editable = false;
+            notice = '当前配置无法安全脱敏显示，请在本地 manyoyo.json 中维护。';
+        }
+    } else if (snapshot && snapshot.parseError) {
+        notice = '当前配置解析失败，Web 端暂不提供安全编辑；请先在本地修复 manyoyo.json。';
+    }
     return {
         path: snapshot && snapshot.path ? snapshot.path : path.resolve(getDefaultWebConfigPath()),
+        raw,
         parsed: redactConfigObject(parsed),
         defaults: redactConfigObject(buildConfigDefaults(ctx, parsed)),
         parseError: snapshot && snapshot.parseError ? snapshot.parseError : null,
-        editable: false,
-        notice: 'Web 端仅显示脱敏后的配置摘要；敏感值请在本地 manyoyo.json 中维护。'
+        editable,
+        notice
     };
 }
 
@@ -1995,11 +2340,7 @@ function readWebConfigSnapshot(configPath) {
 }
 
 function parseAndValidateConfigRaw(raw) {
-    const parsed = JSON5.parse(String(raw || ''));
-    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
-        throw new Error('配置根节点必须是对象(map)');
-    }
-    const config = toPlainObject(parsed);
+    const config = parseConfigRawObject(raw);
     validateWebConfigShape(config);
     return config;
 }
@@ -3223,9 +3564,12 @@ async function handleWebApi(req, res, pathname, ctx, state) {
                     return;
                 }
 
+                const currentSnapshot = readWebConfigSnapshot(state.webConfigPath);
+                let finalRaw = raw;
                 let parsed = null;
                 try {
-                    parsed = parseAndValidateConfigRaw(raw);
+                    finalRaw = restoreWebConfigSecrets(raw, currentSnapshot);
+                    parsed = parseAndValidateConfigRaw(finalRaw);
                 } catch (e) {
                     sendJson(res, 400, { error: '配置格式错误', detail: e.message || '解析失败' });
                     return;
@@ -3233,7 +3577,7 @@ async function handleWebApi(req, res, pathname, ctx, state) {
 
                 const savePath = path.resolve(state.webConfigPath);
                 fs.mkdirSync(path.dirname(savePath), { recursive: true });
-                fs.writeFileSync(savePath, raw, 'utf-8');
+                fs.writeFileSync(savePath, finalRaw, 'utf-8');
 
                 sendJson(res, 200, {
                     saved: true,

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@xcanwin/manyoyo",
-    "version": "5.8.2",
+    "version": "5.8.5",
     "imageVersion": "1.9.0-common",
     "playwrightCliVersion": "0.1.1",
     "description": "AI Agent CLI Security Sandbox for Docker and Podman",
@@ -74,7 +74,7 @@
         "glob": "^13.0.6",
         "minimatch": "^10.2.2",
         "test-exclude": "^8.0.0",
-        "vite": "^6.4.1"
+        "vite": "^6.4.2"
     },
     "jest": {
         "testMatch": [