evolclaw 2.2.0 → 2.4.0

package/dist/utils/init.js

@@ -343,42 +343,13 @@ async function initFeishuManual(rl, config) {
     return true;
 }
 // ==================== AUN Environment Check ====================
-export async function checkAunEnvironment(rl) {
-    console.log('\n🔍 AUN 环境检查...\n');
-    // Check python3 (needed for aun_cli.py AID management)
-    if (!commandExists('python3')) {
-        console.log('  ✗ python3 未找到');
-        console.log('  → 请先安装 Python 3: https://www.python.org/downloads/');
-        const answer = (await ask(rl, '  → 返回重新选择渠道？[Y/n] ')).trim().toLowerCase();
-        if (answer === 'n' || answer === 'no')
-            process.exit(0);
-        return false;
-    }
-    console.log('  ✓ python3');
-    // Check aun_core
-    try {
-        execFileSync('python3', ['-c', 'import aun_core'], { encoding: 'utf-8', stdio: 'pipe' });
-        console.log('  ✓ aun_core');
-    }
-    catch {
-        console.log('  ✗ aun_core 未安装');
-        console.log('  → 请安装: pip3 install aun-core');
-        const answer = (await ask(rl, '  → 返回重新选择渠道？[Y/n] ')).trim().toLowerCase();
-        if (answer === 'n' || answer === 'no')
-            process.exit(0);
-        return false;
-    }
-    console.log('');
-    return true;
-}
+// Moved to init-channel.ts
 // ==================== Rich Content Renderer ====================
 async function offerRichContentRenderer(rl, config) {
     const answer = (await ask(rl, '\n是否启用 LaTeX + Mermaid 渲染模块（约 35MB）？[y/N] ')).trim().toLowerCase();
     const enableRich = answer === 'y' || answer === 'yes';
-    // 记录用户选择到配置文件（仅 Feishu 通道需要）
-    if (config.channels?.feishu) {
-        config.channels.feishu.enableRichContent = enableRich;
-    }
+    // 记录用户选择到全局配置
+    config.enableRichContent = enableRich;
     if (!enableRich) {
         console.log('  ✓ 已跳过富内容渲染模块安装');
         return;
@@ -399,125 +370,11 @@ async function offerRichContentRenderer(rl, config) {
         }
         console.log('  → 可稍后手动安装: npm install -g katex mermaid');
         // 安装失败时，将配置设为 false
-        if (config.channels?.feishu) {
-            config.channels.feishu.enableRichContent = false;
-        }
+        config.enableRichContent = false;
     }
 }
 // ==================== AUN AID Helpers ====================
-function isValidAid(name) {
-    const labels = name.split('.');
-    return labels.length >= 3 && labels.every(l => /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$/.test(l));
-}
-async function setupAunAid(rl, config) {
-    const pythonBin = config.channels?.aun?.pythonBin || process.env.AUN_PYTHON || 'python3';
-    const cliScript = path.join(getPackageRoot(), 'aun', 'aun_cli.py');
-    let aid = '';
-    let gatewayPort;
-    // Outer loop: allows retrying with a different AID
-    while (true) {
-        // Ask AID with format validation
-        aid = '';
-        while (!aid) {
-            aid = (await ask(rl, '  AUN Agent ID (例: mybot.agentid.pub): ')).trim();
-            if (!aid) {
-                console.log('  ⚠ 不能为空');
-                continue;
-            }
-            if (!isValidAid(aid)) {
-                console.log('  ⚠ 无效 AID 格式（需要合法域名，至少三级，如 alice.agentid.pub）');
-                aid = '';
-            }
-        }
-        const portStr = (await ask(rl, '  Gateway 端口 [留空使用默认 443]: ')).trim();
-        gatewayPort = portStr ? parseInt(portStr, 10) : undefined;
-        if (gatewayPort !== undefined && (isNaN(gatewayPort) || gatewayPort < 1 || gatewayPort > 65535)) {
-            console.log('  ⚠ 端口号无效，使用默认 443');
-            gatewayPort = undefined;
-        }
-        // Check if AID exists locally
-        const aidDir = path.join(os.homedir(), '.aun', 'AIDs', aid);
-        if (fs.existsSync(aidDir)) {
-            console.log(`  ✓ AID ${aid} 已存在`);
-            break;
-        }
-        const answer = (await ask(rl, `  ⚠ AID ${aid} 本地不存在，是否创建？[Y/n] `)).trim().toLowerCase();
-        if (answer === 'n' || answer === 'no') {
-            console.log('  已跳过 AID 创建（启动时可能连接失败）');
-            break;
-        }
-        // Try creating
-        console.log('  正在创建 AID...');
-        const args = [cliScript, 'aid', 'new', aid];
-        if (gatewayPort)
-            args.push('-p', String(gatewayPort));
-        let failed = false;
-        try {
-            const { stdout, stderr } = await execFileAsync(pythonBin, args, { timeout: 30000, encoding: 'utf-8' });
-            const output = (stdout + stderr).trim();
-            if (output)
-                console.log(`  ${output}`);
-            // aun_cli.py 可能 exit 0 但输出包含错误
-            failed = output.includes('✗') || output.includes('失败');
-        }
-        catch (e) {
-            const msg = e.stderr || e.stdout || e.message || '';
-            console.log(`  ✗ AID 创建失败: ${msg.trim().slice(0, 200)}`);
-            failed = true;
-        }
-        if (!failed) {
-            console.log(`  ✓ AID ${aid} 创建成功`);
-            break;
-        }
-        // Creation failed — retry or give up
-        const retry = (await ask(rl, '  → 重新输入 (r) / 跳过 (s) / 取消 (c)？[r/s/c] ')).trim().toLowerCase();
-        if (retry === 'c')
-            return null;
-        if (retry === 's')
-            break;
-        // default: retry with new AID
-    }
-    return { aid, gatewayPort };
-}
-// ==================== Init AUN (standalone) ====================
-export async function cmdInitAun() {
-    const p = resolvePaths();
-    if (!fs.existsSync(p.config)) {
-        console.log('❌ 配置文件不存在，请先运行 evolclaw init');
-        return;
-    }
-    const config = JSON.parse(fs.readFileSync(p.config, 'utf-8'));
-    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    try {
-        if (config.channels?.aun?.aid) {
-            const answer = (await ask(rl, '已有 AUN 配置，是否重新配置？[y/N] ')).trim().toLowerCase();
-            if (answer !== 'y' && answer !== 'yes') {
-                console.log('已取消');
-                return;
-            }
-        }
-        if (!await checkAunEnvironment(rl)) {
-            return;
-        }
-        const result = await setupAunAid(rl, config);
-        if (!result)
-            return;
-        if (!config.channels)
-            config.channels = {};
-        config.channels.aun = {
-            enabled: true,
-            aid: result.aid,
-            ...(result.gatewayPort && { gatewayPort: result.gatewayPort }),
-        };
-        if (!config.channels.defaultChannel)
-            config.channels.defaultChannel = 'aun';
-        fs.writeFileSync(p.config, JSON.stringify(config, null, 2) + '\n');
-        console.log('\n✓ AUN 配置已写入');
-    }
-    finally {
-        rl.close();
-    }
-}
+// Moved to init-channel.ts
 // ==================== Main ====================
 export async function cmdInit() {
     const p = resolvePaths();
@@ -584,7 +441,7 @@ export async function cmdInit() {
                 console.log('  2. 手动输入 App ID/Secret');
                 const feishuMethod = (await ask(rl, '请选择 [1]: ')).trim() || '1';
                 if (feishuMethod === '1') {
-                    const { runFeishuQrFlow } = await import('./init-feishu.js');
+                    const { runFeishuQrFlow } = await import('./init-channel.js');
                     const result = await runFeishuQrFlow();
                     if (!result) {
                         console.log('已取消');
@@ -606,7 +463,7 @@ export async function cmdInit() {
                 config.channels.defaultChannel = 'feishu';
             }
             else if (channelChoice === '2') {
-                const { runWechatQrFlow } = await import('./init-wechat.js');
+                const { runWechatQrFlow } = await import('./init-channel.js');
                 const result = await runWechatQrFlow();
                 if (!result) {
                     console.log('已取消');
@@ -621,6 +478,7 @@ export async function cmdInit() {
                 config.channels.defaultChannel = 'wechat';
             }
             else if (channelChoice === '3') {
+                const { checkAunEnvironment, setupAunAid } = await import('./init-channel.js');
                 const aunReady = await checkAunEnvironment(rl);
                 if (!aunReady)
                     continue; // 退回重选渠道
@@ -651,3 +509,50 @@ export async function cmdInit() {
         rl.close();
     }
 }
+/**
+ * Present instance selection menu when existing instances are found.
+ * Returns the user's choice, or null if cancelled.
+ */
+export async function selectInstance(rl, channelType, instances) {
+    const typeLabel = channelType === 'feishu' ? '飞书' : channelType === 'wechat' ? '微信' : 'AUN';
+    console.log(`\n发现已有 ${typeLabel} 机器人：`);
+    const letters = 'abcdefghijklmnopqrstuvwxyz';
+    for (let i = 0; i < instances.length; i++) {
+        console.log(`  ${letters[i]}. ${instances[i].name}`);
+    }
+    const addLetter = letters[instances.length];
+    console.log(`  ${addLetter}. 添加新机器人`);
+    console.log('');
+    const validOptions = letters.slice(0, instances.length + 1).split('');
+    let choice = '';
+    while (!validOptions.includes(choice)) {
+        choice = (await ask(rl, '请选择: ')).trim().toLowerCase();
+        if (!validOptions.includes(choice)) {
+            console.log(`无效选择，请输入 ${validOptions.join('/')}`);
+        }
+    }
+    const choiceIndex = letters.indexOf(choice);
+    if (choiceIndex === instances.length) {
+        // Add new — ask for name
+        let name = '';
+        while (!name) {
+            name = (await ask(rl, '请输入新机器人名称: ')).trim();
+            if (!name)
+                console.log('  名称不能为空');
+            if (instances.some(i => i.name === name)) {
+                console.log(`  名称 "${name}" 已存在，请换一个`);
+                name = '';
+            }
+        }
+        return { action: 'add', name };
+    }
+    // Overwrite — requires confirmation
+    const target = instances[choiceIndex];
+    console.log(`\n已选择：${target.name}`);
+    const confirm = (await ask(rl, `⚠️ 即将覆盖该机器人配置，确认？(y/N) `)).trim().toLowerCase();
+    if (confirm !== 'y' && confirm !== 'yes') {
+        console.log('已取消');
+        return null;
+    }
+    return { action: 'overwrite', index: choiceIndex, name: target.name };
+}

package/dist/utils/logger.js

@@ -25,10 +25,15 @@ function write(stream, data) {
     const line = typeof data === 'string' ? data : JSON.stringify(data);
     stream.write(`${line}\n`);
 }
+export function localTimestamp() {
+    const d = new Date();
+    const pad = (n) => String(n).padStart(2, '0');
+    return `${d.getFullYear()}-${pad(d.getMonth() + 1)}-${pad(d.getDate())}T${pad(d.getHours())}:${pad(d.getMinutes())}:${pad(d.getSeconds())}.${String(d.getMilliseconds()).padStart(3, '0')}`;
+}
 function log(level, ...args) {
     if (!shouldLog(level))
         return;
-    const timestamp = new Date().toISOString();
+    const timestamp = localTimestamp();
     const msg = `[${timestamp}] [${level}] ${args.join(' ')}`;
     // 只写文件，不输出到 console（避免重定向时重复）
     write(streams.main, msg);
@@ -39,9 +44,9 @@ export const logger = {
     warn: (...args) => log('WARN', ...args),
     error: (...args) => log('ERROR', ...args),
     message: (data) => {
-        write(streams.message, { ts: new Date().toISOString(), ...data });
+        write(streams.message, { ts: localTimestamp(), ...data });
     },
     event: (data) => {
-        write(streams.event, { ts: new Date().toISOString(), ...data });
+        write(streams.event, { ts: localTimestamp(), ...data });
     }
 };

package/dist/utils/media-cache.js

@@ -0,0 +1,207 @@
+/**
+ * 统一媒体下载/缓存/SSRF防护框架
+ *
+ * 提供跨通道复用的文件处理能力：
+ * - 文件保存到 uploads 目录（自动去重、文件名清洗）
+ * - 图片类型白名单 + 大小限制
+ * - URL SSRF 防护（域名白名单 + 私有 IP 拦截）
+ * - 下载缓存（相同 key 不重复下载）
+ */
+import path from 'path';
+import fs from 'fs';
+import crypto from 'crypto';
+import { logger } from './logger.js';
+// ── 常量 ──────────────────────────────────────────────────────────────────────
+const DEFAULT_MAX_IMAGE_SIZE = 10 * 1024 * 1024; // 10 MB
+const DEFAULT_MAX_FILE_SIZE = 100 * 1024 * 1024; // 100 MB
+const ALLOWED_IMAGE_MIMES = new Set([
+    'image/png', 'image/jpeg', 'image/gif', 'image/webp',
+]);
+const UPLOADS_SUBDIR = '.evolclaw/uploads';
+// ── SSRF 防护 ─────────────────────────────────────────────────────────────────
+/** 已知安全的 CDN 域名白名单 */
+const ALLOWED_CDN_HOSTS = new Set([
+    'novac2c.cdn.weixin.qq.com',
+    'open.feishu.cn',
+    'internal-api-lark-file.feishu.cn',
+]);
+/** 私有 IP 段正则（IPv4） */
+const PRIVATE_IP_RE = /^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|0\.|169\.254\.|::1|fc|fd|fe80)/;
+/**
+ * 检查 URL 是否安全（非 SSRF）
+ * - 拒绝私有 IP
+ * - 仅允许 https（或白名单域名的 http）
+ * - 可选：域名白名单模式
+ */
+export function validateUrl(url, opts) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return { ok: false, reason: `Invalid URL: ${url}` };
+    }
+    // 协议检查
+    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+        return { ok: false, reason: `Blocked protocol: ${parsed.protocol}` };
+    }
+    // 私有 IP 检查
+    const host = parsed.hostname;
+    if (PRIVATE_IP_RE.test(host)) {
+        return { ok: false, reason: `Blocked private IP: ${host}` };
+    }
+    // 域名白名单（如果提供）
+    const allowed = opts?.allowedHosts ?? ALLOWED_CDN_HOSTS;
+    if (allowed.size > 0 && !allowed.has(host)) {
+        return { ok: false, reason: `Host not in allowlist: ${host}` };
+    }
+    return { ok: true };
+}
+// ── 文件名清洗 ────────────────────────────────────────────────────────────────
+/**
+ * 清洗文件名：
+ * - 移除路径穿越字符（只保留 basename）
+ * - 替换非法字符
+ * - 空结果兜底
+ */
+export function sanitizeFileName(name) {
+    return path.basename(name).replace(/[<>:"|?*\x00-\x1f]/g, '_') || `file_${Date.now()}`;
+}
+// ── 图片验证 ──────────────────────────────────────────────────────────────────
+/**
+ * 验证图片 Buffer：类型白名单 + 大小限制
+ * 返回检测到的 MIME 类型，验证失败返回 null + reason
+ */
+export async function validateImage(buffer, opts) {
+    const maxSize = opts?.maxSize ?? DEFAULT_MAX_IMAGE_SIZE;
+    const allowed = opts?.allowedMimes ?? ALLOWED_IMAGE_MIMES;
+    if (buffer.length === 0) {
+        return { mime: null, reason: 'Empty buffer' };
+    }
+    if (buffer.length > maxSize) {
+        return { mime: null, reason: `Image too large: ${buffer.length} bytes (max ${maxSize})` };
+    }
+    // 动态导入 image-type（ESM only）
+    const { default: imageType } = await import('image-type');
+    const type = await imageType(buffer);
+    if (!type) {
+        return { mime: null, reason: 'Unable to detect image type' };
+    }
+    if (!allowed.has(type.mime)) {
+        return { mime: null, reason: `Unsupported image type: ${type.mime}` };
+    }
+    return { mime: type.mime };
+}
+/**
+ * 保存 Buffer 到 uploads 目录
+ * - 自动创建目录
+ * - 文件名清洗
+ * - 同名文件自动添加时间戳后缀
+ */
+export function saveToUploads(buffer, rawFileName, projectPath, opts) {
+    const fileName = sanitizeFileName(rawFileName);
+    const uploadsDir = path.join(projectPath, UPLOADS_SUBDIR);
+    fs.mkdirSync(uploadsDir, { recursive: true });
+    let targetName = fileName;
+    const targetPath = path.join(uploadsDir, targetName);
+    // 去重：内容相同则复用
+    if (opts?.dedup !== false && fs.existsSync(targetPath)) {
+        const existingHash = hashFile(targetPath);
+        const newHash = crypto.createHash('md5').update(buffer).digest('hex');
+        if (existingHash === newHash) {
+            logger.debug(`[MediaCache] Dedup hit: ${targetName}`);
+            return { filePath: targetPath, fileName: targetName, size: buffer.length };
+        }
+        // 不同内容同名 → 加时间戳
+        const ext = path.extname(fileName);
+        const base = path.basename(fileName, ext);
+        targetName = `${base}_${Date.now()}${ext}`;
+    }
+    const finalPath = path.join(uploadsDir, targetName);
+    fs.writeFileSync(finalPath, buffer);
+    logger.info(`[MediaCache] Saved: ${finalPath} (${buffer.length} bytes)`);
+    return { filePath: finalPath, fileName: targetName, size: buffer.length };
+}
+function hashFile(filePath) {
+    const content = fs.readFileSync(filePath);
+    return crypto.createHash('md5').update(content).digest('hex');
+}
+/**
+ * 安全下载 URL 内容，带 SSRF 防护
+ */
+export async function safeFetch(url, opts) {
+    const maxSize = opts?.maxSize ?? DEFAULT_MAX_FILE_SIZE;
+    const timeout = opts?.timeout ?? 30_000;
+    // SSRF 检查
+    if (!opts?.skipSsrfCheck) {
+        const check = validateUrl(url, { allowedHosts: opts?.allowedHosts });
+        if (!check.ok) {
+            throw new Error(`SSRF blocked: ${check.reason}`);
+        }
+    }
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    try {
+        const res = await fetch(url, { signal: controller.signal });
+        if (!res.ok)
+            throw new Error(`Download failed: ${res.status} ${res.statusText}`);
+        // 检查 Content-Length（如果可用）
+        const contentLength = res.headers.get('content-length');
+        if (contentLength && parseInt(contentLength) > maxSize) {
+            throw new Error(`File too large: ${contentLength} bytes (max ${maxSize})`);
+        }
+        const buffer = Buffer.from(await res.arrayBuffer());
+        if (buffer.length > maxSize) {
+            throw new Error(`File too large: ${buffer.length} bytes (max ${maxSize})`);
+        }
+        return buffer;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * 内存级下载缓存
+ * - 相同 key 不重复下载
+ * - TTL 过期自动清理
+ * - 最大条目限制防止内存泄漏
+ */
+export class DownloadCache {
+    cache = new Map();
+    ttlMs;
+    maxEntries;
+    constructor(opts) {
+        this.ttlMs = opts?.ttlMs ?? 5 * 60 * 1000; // 5 min
+        this.maxEntries = opts?.maxEntries ?? 100;
+    }
+    /**
+     * 获取或下载：缓存命中直接返回，否则执行 fetcher 并缓存结果
+     */
+    async getOrFetch(key, fetcher) {
+        this.evict();
+        const cached = this.cache.get(key);
+        if (cached) {
+            logger.debug(`[DownloadCache] Hit: ${key}`);
+            return cached.buffer;
+        }
+        const buffer = await fetcher();
+        this.cache.set(key, { buffer, createdAt: Date.now() });
+        // 超过 maxEntries 时删最旧
+        if (this.cache.size > this.maxEntries) {
+            const oldest = this.cache.keys().next().value;
+            this.cache.delete(oldest);
+        }
+        return buffer;
+    }
+    evict() {
+        const now = Date.now();
+        for (const [key, entry] of this.cache) {
+            if (now - entry.createdAt > this.ttlMs) {
+                this.cache.delete(key);
+            }
+        }
+    }
+    clear() {
+        this.cache.clear();
+    }
+}

package/dist/{core → utils}/stats-collector.js

@@ -23,6 +23,12 @@ export class StatsCollector {
         eventBus.subscribe('session:safe-mode-entered', (_event) => {
             this.recordEvent({ type: 'safe-mode-entered', timestamp: Date.now() });
         });
+        eventBus.subscribe('tool:result', (event) => {
+            const e = event;
+            if (e.isError) {
+                this.recordEvent({ type: 'tool-error', timestamp: Date.now(), toolName: e.toolName });
+            }
+        });
     }
     recordEvent(record) {
         this.events.push(record);
@@ -40,6 +46,8 @@ export class StatsCollector {
         let completed = 0;
         let errors = 0;
         const errorsByType = {};
+        let toolErrors = 0;
+        const toolErrorsByName = {};
         let interrupts = 0;
         let safeModeEntries = 0;
         let totalDuration = 0;
@@ -62,6 +70,12 @@ export class StatsCollector {
                         errorsByType[event.errorType] = (errorsByType[event.errorType] || 0) + 1;
                     }
                     break;
+                case 'tool-error':
+                    toolErrors++;
+                    if (event.toolName) {
+                        toolErrorsByName[event.toolName] = (toolErrorsByName[event.toolName] || 0) + 1;
+                    }
+                    break;
                 case 'interrupted':
                     interrupts++;
                     break;
@@ -77,6 +91,8 @@ export class StatsCollector {
                 completed,
                 errors,
                 errorsByType,
+                toolErrors,
+                toolErrorsByName,
                 interrupts,
                 safeModeEntries,
                 avgResponseMs: durationCount > 0 ? totalDuration / durationCount : 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "evolclaw",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "Lightweight AI Agent gateway connecting Claude Agent SDK to messaging channels (Feishu, ACP) with multi-project session management",
   "type": "module",
   "main": "dist/index.js",
@@ -22,8 +22,8 @@
     "prepublishOnly": "npm run build && npm test"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.75",
-    "@aun/core-node": "file:aun/aun-sdk-core/ts",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.100",
+    "@eleans/aun-core-node": "^0.3.0",
     "@larksuiteoapi/node-sdk": "^1.59.0",
     "@openai/codex-sdk": "^0.118.0",
     "image-type": "^6.0.0",