npm - galaxy-opc-plugin - Versions diffs - 0.1.1 → 0.2.0 - Mend

galaxy-opc-plugin 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/index.ts +11 -1
package/openclaw.plugin.json +1 -1
package/package.json +1 -1
package/src/api/companies.ts +12 -1
package/src/api/dashboard.ts +13 -2
package/src/api/middleware.ts +44 -0
package/src/api/rate-limiter.ts +79 -0
package/src/api/routes.ts +19 -2
package/src/db/sqlite-adapter.test.ts +304 -0
package/src/db/sqlite-adapter.ts +1 -1
package/src/opc/company-manager.test.ts +232 -0
package/src/tools/acquisition-tool.test.ts +139 -0
package/src/tools/acquisition-tool.ts +3 -3
package/src/tools/asset-package-tool.ts +4 -4
package/src/tools/finance-tool.test.ts +106 -0
package/src/tools/finance-tool.ts +6 -4
package/src/tools/hr-tool.test.ts +153 -0
package/src/tools/hr-tool.ts +6 -4
package/src/tools/investment-tool.ts +4 -4
package/src/tools/legal-tool.ts +12 -7
package/src/tools/lifecycle-tool.ts +5 -5
package/src/tools/media-tool.ts +7 -5
package/src/tools/monitoring-tool.ts +6 -4
package/src/tools/opb-tool.ts +7 -7
package/src/tools/opc-tool.ts +33 -23
package/src/tools/procurement-tool.ts +4 -4
package/src/tools/project-tool.ts +10 -6
package/src/tools/schemas.ts +47 -43
package/src/tools/staff-tool.ts +8 -6
package/src/utils/tool-helper.ts +28 -2
package/src/web/config-ui.ts +69 -15

package/src/tools/schemas.ts CHANGED Viewed

@@ -2,25 +2,29 @@
  * 星环OPC中心 — TypeBox 工具参数 Schema
  *
  * 使用 Type.Union + action 字符串字段，兼容所有 LLM Provider。
+ * 包含业务规则校验约束（字符串长度、金额范围、日期格式等）。
  */
 import { Type, type Static } from "@sinclair/typebox";
+/** 日期格式 pattern: YYYY-MM-DD */
+const DATE_PATTERN = "^\\d{4}-\\d{2}-\\d{2}$";
 // ── 公司管理 Schema ──────────────────────────────────────────
 const RegisterCompany = Type.Object({
   action: Type.Literal("register_company"),
-  name: Type.String({ description: "公司名称" }),
-  industry: Type.String({ description: "所属行业" }),
-  owner_name: Type.String({ description: "创办人姓名" }),
-  owner_contact: Type.Optional(Type.String({ description: "创办人联系方式（手机/邮箱）" })),
-  registered_capital: Type.Optional(Type.Number({ description: "注册资本（元）" })),
-  description: Type.Optional(Type.String({ description: "公司简介" })),
+  name: Type.String({ description: "公司名称", minLength: 2, maxLength: 100 }),
+  industry: Type.String({ description: "所属行业", minLength: 1, maxLength: 50 }),
+  owner_name: Type.String({ description: "创办人姓名", minLength: 1, maxLength: 50 }),
+  owner_contact: Type.Optional(Type.String({ description: "创办人联系方式（手机/邮箱）", maxLength: 200 })),
+  registered_capital: Type.Optional(Type.Number({ description: "注册资本（元）", minimum: 0 })),
+  description: Type.Optional(Type.String({ description: "公司简介", maxLength: 2000 })),
 });
 const GetCompany = Type.Object({
   action: Type.Literal("get_company"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
 });
 const ListCompanies = Type.Object({
@@ -32,21 +36,21 @@ const ListCompanies = Type.Object({
 const UpdateCompany = Type.Object({
   action: Type.Literal("update_company"),
-  company_id: Type.String({ description: "公司 ID" }),
-  name: Type.Optional(Type.String({ description: "新公司名称" })),
-  industry: Type.Optional(Type.String({ description: "新行业" })),
-  description: Type.Optional(Type.String({ description: "新简介" })),
-  owner_contact: Type.Optional(Type.String({ description: "新联系方式" })),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
+  name: Type.Optional(Type.String({ description: "新公司名称", minLength: 2, maxLength: 100 })),
+  industry: Type.Optional(Type.String({ description: "新行业", minLength: 1, maxLength: 50 })),
+  description: Type.Optional(Type.String({ description: "新简介", maxLength: 2000 })),
+  owner_contact: Type.Optional(Type.String({ description: "新联系方式", maxLength: 200 })),
 });
 const ActivateCompany = Type.Object({
   action: Type.Literal("activate_company"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
 });
 const ChangeCompanyStatus = Type.Object({
   action: Type.Literal("change_company_status"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
   new_status: Type.String({ description: "目标状态: active/suspended/acquired/packaged/terminated" }),
 });
@@ -54,7 +58,7 @@ const ChangeCompanyStatus = Type.Object({
 const AddTransaction = Type.Object({
   action: Type.Literal("add_transaction"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
   type: Type.String({ description: "交易类型: income(收入) 或 expense(支出)" }),
   category: Type.Optional(
     Type.String({
@@ -62,62 +66,62 @@ const AddTransaction = Type.Object({
         "分类: service_income/product_income/investment_income/salary/rent/utilities/marketing/tax/supplies/other",
     }),
   ),
-  amount: Type.Number({ description: "金额（元）" }),
-  description: Type.Optional(Type.String({ description: "交易描述" })),
-  counterparty: Type.Optional(Type.String({ description: "交易对方" })),
-  transaction_date: Type.Optional(Type.String({ description: "交易日期 (YYYY-MM-DD)，默认今天" })),
+  amount: Type.Number({ description: "金额（元）", minimum: 0 }),
+  description: Type.Optional(Type.String({ description: "交易描述", maxLength: 500 })),
+  counterparty: Type.Optional(Type.String({ description: "交易对方", maxLength: 200 })),
+  transaction_date: Type.Optional(Type.String({ description: "交易日期 (YYYY-MM-DD)，默认今天", pattern: DATE_PATTERN })),
 });
 const ListTransactions = Type.Object({
   action: Type.Literal("list_transactions"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
   type: Type.Optional(Type.String({ description: "按类型筛选: income/expense" })),
-  start_date: Type.Optional(Type.String({ description: "起始日期 (YYYY-MM-DD)" })),
-  end_date: Type.Optional(Type.String({ description: "截止日期 (YYYY-MM-DD)" })),
-  limit: Type.Optional(Type.Number({ description: "返回条数，默认 50" })),
+  start_date: Type.Optional(Type.String({ description: "起始日期 (YYYY-MM-DD)", pattern: DATE_PATTERN })),
+  end_date: Type.Optional(Type.String({ description: "截止日期 (YYYY-MM-DD)", pattern: DATE_PATTERN })),
+  limit: Type.Optional(Type.Number({ description: "返回条数，默认 50", minimum: 1, maximum: 1000 })),
 });
 const GetFinanceSummary = Type.Object({
   action: Type.Literal("finance_summary"),
-  company_id: Type.String({ description: "公司 ID" }),
-  start_date: Type.Optional(Type.String({ description: "起始日期 (YYYY-MM-DD)" })),
-  end_date: Type.Optional(Type.String({ description: "截止日期 (YYYY-MM-DD)" })),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
+  start_date: Type.Optional(Type.String({ description: "起始日期 (YYYY-MM-DD)", pattern: DATE_PATTERN })),
+  end_date: Type.Optional(Type.String({ description: "截止日期 (YYYY-MM-DD)", pattern: DATE_PATTERN })),
 });
 // ── 客户管理 Schema ──────────────────────────────────────────
 const AddContact = Type.Object({
   action: Type.Literal("add_contact"),
-  company_id: Type.String({ description: "公司 ID" }),
-  name: Type.String({ description: "联系人姓名" }),
-  phone: Type.Optional(Type.String({ description: "手机号" })),
-  email: Type.Optional(Type.String({ description: "邮箱" })),
-  company_name: Type.Optional(Type.String({ description: "联系人所在公司" })),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
+  name: Type.String({ description: "联系人姓名", minLength: 1, maxLength: 100 }),
+  phone: Type.Optional(Type.String({ description: "手机号", maxLength: 30 })),
+  email: Type.Optional(Type.String({ description: "邮箱", maxLength: 200 })),
+  company_name: Type.Optional(Type.String({ description: "联系人所在公司", maxLength: 200 })),
   tags: Type.Optional(Type.String({ description: "标签，JSON 数组格式，如 [\"VIP\",\"供应商\"]" })),
-  notes: Type.Optional(Type.String({ description: "备注" })),
+  notes: Type.Optional(Type.String({ description: "备注", maxLength: 2000 })),
 });
 const ListContacts = Type.Object({
   action: Type.Literal("list_contacts"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
   tag: Type.Optional(Type.String({ description: "按标签筛选" })),
 });
 const UpdateContact = Type.Object({
   action: Type.Literal("update_contact"),
-  contact_id: Type.String({ description: "联系人 ID" }),
-  name: Type.Optional(Type.String({ description: "新姓名" })),
-  phone: Type.Optional(Type.String({ description: "新手机号" })),
-  email: Type.Optional(Type.String({ description: "新邮箱" })),
-  company_name: Type.Optional(Type.String({ description: "新公司名" })),
+  contact_id: Type.String({ description: "联系人 ID", minLength: 1 }),
+  name: Type.Optional(Type.String({ description: "新姓名", minLength: 1, maxLength: 100 })),
+  phone: Type.Optional(Type.String({ description: "新手机号", maxLength: 30 })),
+  email: Type.Optional(Type.String({ description: "新邮箱", maxLength: 200 })),
+  company_name: Type.Optional(Type.String({ description: "新公司名", maxLength: 200 })),
   tags: Type.Optional(Type.String({ description: "新标签" })),
-  notes: Type.Optional(Type.String({ description: "新备注" })),
-  last_contact_date: Type.Optional(Type.String({ description: "最近联系日期 (YYYY-MM-DD)" })),
+  notes: Type.Optional(Type.String({ description: "新备注", maxLength: 2000 })),
+  last_contact_date: Type.Optional(Type.String({ description: "最近联系日期 (YYYY-MM-DD)", pattern: DATE_PATTERN })),
 });
 const DeleteContact = Type.Object({
   action: Type.Literal("delete_contact"),
-  contact_id: Type.String({ description: "联系人 ID" }),
+  contact_id: Type.String({ description: "联系人 ID", minLength: 1 }),
 });
 // ── Dashboard ────────────────────────────────────────────────
@@ -130,13 +134,13 @@ const GetDashboard = Type.Object({
 const SetCompanySkills = Type.Object({
   action: Type.Literal("set_company_skills"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
   skills: Type.Array(Type.String(), { description: "OpenClaw 内置 skill 列表，如 [\"company-registration\", \"basic-finance\"]" }),
 });
 const GetCompanySkills = Type.Object({
   action: Type.Literal("get_company_skills"),
-  company_id: Type.String({ description: "公司 ID" }),
+  company_id: Type.String({ description: "公司 ID", minLength: 1 }),
 });
 // ── Union Schema ─────────────────────────────────────────────

package/src/tools/staff-tool.ts CHANGED Viewed

@@ -8,7 +8,7 @@
 import { Type, type Static } from "@sinclair/typebox";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
 import type { OpcDatabase } from "../db/index.js";
-import { json } from "../utils/tool-helper.js";
+import { json, toolError } from "../utils/tool-helper.js";
 /** 内置 AI 岗位定义 */
 const BUILTIN_ROLES: Record<string, { name: string; prompt: string; skills: string[] }> = {
@@ -147,15 +147,17 @@ export function registerStaffTool(api: OpenClawPluginApi, db: OpcDatabase): void
                 "UPDATE opc_staff_config SET enabled = ?, updated_at = ? WHERE company_id = ? AND role = ?",
                 p.enabled ? 1 : 0, now, p.company_id, p.role,
               );
-              return json(db.queryOne(
+              const staffConfig = db.queryOne(
                 "SELECT * FROM opc_staff_config WHERE company_id = ? AND role = ?",
                 p.company_id, p.role,
-              ) ?? { error: "岗位配置不存在，请先调用 configure_staff 或 init_default_staff" });
+              );
+              if (!staffConfig) return toolError("岗位配置不存在，请先调用 configure_staff 或 init_default_staff", "RECORD_NOT_FOUND");
+              return json(staffConfig);
             }
             case "init_default_staff": {
               const company = db.queryOne("SELECT * FROM opc_companies WHERE id = ?", p.company_id);
-              if (!company) return json({ error: "公司不存在" });
+              if (!company) return toolError("公司不存在", "COMPANY_NOT_FOUND");
               const now = new Date().toISOString();
               const created: string[] = [];
@@ -197,10 +199,10 @@ export function registerStaffTool(api: OpenClawPluginApi, db: OpcDatabase): void
             }
             default:
-              return json({ error: `未知操作: ${(p as { action: string }).action}` });
+              return toolError(`未知操作: ${(p as { action: string }).action}`, "UNKNOWN_ACTION");
           }
         } catch (err) {
-          return json({ error: err instanceof Error ? err.message : String(err) });
+          return toolError(err instanceof Error ? err.message : String(err), "DB_ERROR");
         }
       },
     },

package/src/utils/tool-helper.ts CHANGED Viewed

@@ -10,7 +10,33 @@ export function json(data: unknown) {
   };
 }
+/** 标准错误码 */
+export type OpcErrorCode =
+  | "COMPANY_NOT_FOUND"
+  | "CONTACT_NOT_FOUND"
+  | "EMPLOYEE_NOT_FOUND"
+  | "INVOICE_NOT_FOUND"
+  | "CONTRACT_NOT_FOUND"
+  | "RECORD_NOT_FOUND"
+  | "INVALID_STATUS"
+  | "INVALID_INPUT"
+  | "VALIDATION_ERROR"
+  | "DB_ERROR"
+  | "UNKNOWN_ACTION"
+  | "UNKNOWN_ERROR";
 /** 生成标准错误响应 */
-export function toolError(message: string) {
-  return json({ ok: false, error: message });
+export function toolError(message: string, code?: OpcErrorCode) {
+  return json({ ok: false, error: true, code: code ?? "UNKNOWN_ERROR", message });
+}
+/** 生成字段级验证错误 */
+export function validationError(field: string, message: string) {
+  return json({
+    ok: false,
+    error: true,
+    code: "VALIDATION_ERROR" as OpcErrorCode,
+    message: `${field}: ${message}`,
+    field,
+  });
 }

package/src/web/config-ui.ts CHANGED Viewed

@@ -20,7 +20,6 @@ const CUSTOM_SKILLS_DIR = path.join(os.homedir(), ".openclaw", "custom-skills");
 function sendJson(res: ServerResponse, data: unknown, status = 200): void {
   res.writeHead(status, {
     "Content-Type": "application/json; charset=utf-8",
-    "Access-Control-Allow-Origin": "*",
   });
   res.end(JSON.stringify(data));
 }
@@ -515,9 +514,9 @@ function handleAlertDismiss(db: OpcDatabase, alertId: string): unknown {
 /* ── HTML builder ─────────────────────────────────────────── */
-function buildPageHtml(): string {
+function buildPageHtml(authRequired = false): string {
   const toolsJson = JSON.stringify(TOOL_NAMES);
-  return '<!DOCTYPE html>\n<html lang="zh-CN">\n<head>\n<meta charset="UTF-8">\n<meta name="viewport" content="width=device-width, initial-scale=1.0">\n<title>' + "\u661F\u73AFOPC\u4E2D\u5FC3 - \u7BA1\u7406\u540E\u53F0" + '</title>\n<link rel="preconnect" href="https://fonts.googleapis.com">\n<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>\n<link href="https://fonts.googleapis.com/css2?family=Instrument+Sans:wght@400;500;600;700&family=Noto+Sans+SC:wght@400;500;600;700&display=swap" rel="stylesheet">\n<style>\n' + getCss() + '\n</style>\n</head>\n<body>\n' + getBodyHtml() + '\n<div class="toast" id="toast"></div>\n<script>\nvar TOOLS = ' + toolsJson + ';\n' + getJs() + '\n</script>\n</body>\n</html>';
+  return '<!DOCTYPE html>\n<html lang="zh-CN">\n<head>\n<meta charset="UTF-8">\n<meta name="viewport" content="width=device-width, initial-scale=1.0">\n<title>' + "\u661F\u73AFOPC\u4E2D\u5FC3 - \u7BA1\u7406\u540E\u53F0" + '</title>\n<link rel="preconnect" href="https://fonts.googleapis.com">\n<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>\n<link href="https://fonts.googleapis.com/css2?family=Instrument+Sans:wght@400;500;600;700&family=Noto+Sans+SC:wght@400;500;600;700&display=swap" rel="stylesheet">\n<style>\n' + getCss() + '\n</style>\n</head>\n<body>\n' + getBodyHtml() + '\n<div class="toast" id="toast"></div>\n<script>\nvar TOOLS = ' + toolsJson + ';\nvar _authRequired = ' + (authRequired ? 'true' : 'false') + ';\n' + getJs() + '\n</script>\n</body>\n</html>';
 }
 function getCss(): string {
@@ -791,7 +790,45 @@ function getBodyHtml(): string {
 }
 function getJs(): string {
-  return "if(!localStorage.getItem('openclaw.i18n.locale')){localStorage.setItem('openclaw.i18n.locale','zh-CN');}"
+  return "/* Token management */"
+  + "\n(function(){"
+  + "var p=new URLSearchParams(window.location.search);"
+  + "var t=p.get('token');"
+  + "if(t){sessionStorage.setItem('opc_token',t);p.delete('token');"
+  + "var newUrl=window.location.pathname;"
+  + "var qs=p.toString();"
+  + "if(qs)newUrl+='?'+qs;"
+  + "window.history.replaceState({},'',newUrl);}"
+  + "})();"
+  + "\nvar _opcToken=sessionStorage.getItem('opc_token')||'';"
+  + "\nvar _origFetch=window.fetch;"
+  + "\nwindow.fetch=function(url,opts){"
+  + "opts=opts||{};"
+  + "if(_opcToken){"
+  + "opts.headers=opts.headers||{};"
+  + "if(typeof opts.headers==='object'&&!(opts.headers instanceof Headers)){"
+  + "opts.headers['Authorization']='Bearer '+_opcToken;"
+  + "}}"
+  + "return _origFetch.call(window,url,opts).then(function(r){"
+  + "if(r.status===401){sessionStorage.removeItem('opc_token');_opcToken='';showLoginPage();}return r;"
+  + "});};"
+  + "\nfunction showLoginPage(){"
+  + "document.querySelector('.layout').innerHTML="
+  + "'<div style=\"display:flex;align-items:center;justify-content:center;width:100%;min-height:100vh;background:var(--bg)\">"
+  + "<div style=\"background:var(--card);border:1px solid var(--bd);border-radius:12px;padding:48px;max-width:380px;width:100%;text-align:center\">"
+  + "<h2 style=\"font-size:20px;font-weight:700;margin-bottom:8px\">\\u661F\\u73AFOPC\\u4E2D\\u5FC3</h2>"
+  + "<p style=\"color:var(--tx3);font-size:13px;margin-bottom:24px\">\\u8BF7\\u8F93\\u5165\\u8BBF\\u95EE\\u4EE4\\u724C</p>"
+  + "<input id=\"login-token\" type=\"password\" placeholder=\"Gateway Token\" style=\"width:100%;padding:10px 12px;border:1px solid var(--bd);border-radius:6px;font-size:14px;margin-bottom:16px;outline:none\"/>"
+  + "<button onclick=\"doLogin()\" style=\"width:100%;padding:10px;background:var(--pri);color:#fff;border:none;border-radius:6px;font-size:14px;font-weight:600;cursor:pointer\">\\u767B\\u5F55</button>"
+  + "</div></div>';}"
+  + "\nfunction doLogin(){"
+  + "var v=document.getElementById('login-token').value.trim();"
+  + "if(!v)return;"
+  + "sessionStorage.setItem('opc_token',v);_opcToken=v;"
+  + "window.location.reload();}"
+  + "\nif(_authRequired&&!_opcToken&&window.location.pathname.indexOf('/opc/admin')===0){"
+  + "document.addEventListener('DOMContentLoaded',function(){showLoginPage();});}"
+  + "\nif(!localStorage.getItem('openclaw.i18n.locale')){localStorage.setItem('openclaw.i18n.locale','zh-CN');}"
   + "\nvar toolConfig={};"
   + "var companiesState={search:'',status:'',page:1};"
   + "var currentView='dashboard';"
@@ -1322,7 +1359,7 @@ function getJs(): string {
   + "\nfunction toggleStaff(staffId,companyId,role,enabled){"
   + "fetch('/opc/admin/api/staff/'+encodeURIComponent(staffId)+'/toggle',{method:'PATCH',headers:{'Content-Type':'application/json'},body:JSON.stringify({enabled:enabled?1:0})})"
   + ".then(function(r){return r.json()}).then(function(d){if(d.ok){showToast(enabled?'\\u5df2\\u542f\\u7528 '+role:'\\u5df2\\u505c\\u7528 '+role);}"
-  + "else{showToast(d.error||'\\u64cd\\u4f5c\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u64cd\\u4f5c\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   + "\nfunction editStaff(staffId,role,roleName,companyId){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
   + "fetch('/opc/admin/api/staff/'+encodeURIComponent(staffId)).then(function(r){return r.json()}).then(function(s){"
@@ -1345,7 +1382,7 @@ function getJs(): string {
   + "var data={role_name:document.getElementById('sf-name').value,system_prompt:document.getElementById('sf-prompt').value,notes:document.getElementById('sf-notes').value};"
   + "fetch('/opc/admin/api/staff/'+encodeURIComponent(staffId)+'/edit',{method:'PATCH',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
   + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u5df2\\u4fdd\\u5b58');showCompany(companyId);}"
-  + "else{showToast(d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   + "\nfunction addEmployee(companyId){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
   + "var today=new Date().toISOString().slice(0,10);"
@@ -1366,7 +1403,7 @@ function getJs(): string {
   + "\nfunction saveEmployee(companyId){"
   + "var data={company_id:companyId,employee_name:document.getElementById('emp-name').value,position:document.getElementById('emp-pos').value,salary:parseFloat(document.getElementById('emp-salary').value)||0,contract_type:document.getElementById('emp-type').value,start_date:document.getElementById('emp-date').value};"
   + "fetch('/opc/admin/api/hr/create',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
-  + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u5458\\u5de5\\u5df2\\u6dfb\\u52a0');showCompany(companyId);}else{showToast(d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u5458\\u5de5\\u5df2\\u6dfb\\u52a0');showCompany(companyId);}else{showToast(d.message||d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   + "\nfunction createProject(companyId){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
   + "var html='<div id=\"edit-modal\" style=\"position:fixed;inset:0;background:rgba(0,0,0,.45);z-index:200;display:flex;align-items:center;justify-content:center\">';"
@@ -1388,12 +1425,12 @@ function getJs(): string {
   + "\nfunction saveProject(companyId){"
   + "var data={company_id:companyId,name:document.getElementById('pj-name').value,description:document.getElementById('pj-desc').value,start_date:document.getElementById('pj-start').value,end_date:document.getElementById('pj-end').value,budget:parseFloat(document.getElementById('pj-budget').value)||0};"
   + "fetch('/opc/admin/api/projects/create',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
-  + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u9879\\u76ee\\u5df2\\u521b\\u5efa');showCompany(companyId);}else{showToast(d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u9879\\u76ee\\u5df2\\u521b\\u5efa');showCompany(companyId);}else{showToast(d.message||d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   + "\nfunction initDefaultStaff(companyId){"
   + "fetch('/opc/admin/api/staff/'+encodeURIComponent(companyId)+'/init',{method:'POST'})"
   + ".then(function(r){return r.json()}).then(function(d){"
   + "if(d.ok){showToast('\\u5df2\\u521d\\u59cb\\u5316 '+d.created+' \\u4e2a\\u5c97\\u4f4d');showCompany(companyId);}"
-  + "else{showToast(d.error||'\\u521d\\u59cb\\u5316\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u521d\\u59cb\\u5316\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   // ── 合同编辑 ──
   + "\nfunction editContract(id,title,counterparty,amount,status,startDate,endDate,keyTerms,riskNotes){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
@@ -1427,7 +1464,7 @@ function getJs(): string {
   + "key_terms:document.getElementById('ct-terms').value,notes:document.getElementById('ct-risk').value};"
   + "fetch('/opc/admin/api/contracts/'+encodeURIComponent(id)+'/edit',{method:'PATCH',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
   + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u5408\\u540c\\u5df2\\u4fdd\\u5b58');showCompany(window.currentCompanyId||'');}"
-  + "else{showToast(d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   // ── createContract ──
   + "\nfunction createContract(companyId){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
@@ -1459,7 +1496,7 @@ function getJs(): string {
   + "var data={company_id:companyId,title:document.getElementById('nc-title').value,counterparty:document.getElementById('nc-counterparty').value,contract_type:document.getElementById('nc-type').value,amount:parseFloat(document.getElementById('nc-amount').value)||0,start_date:document.getElementById('nc-start').value,end_date:document.getElementById('nc-end').value,key_terms:document.getElementById('nc-terms').value,risk_notes:document.getElementById('nc-risk').value};"
   + "fetch('/opc/admin/api/contracts/create',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
   + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u5408\\u540c\\u5df2\\u65b0\\u5efa');showCompany(companyId);}"
-  + "else{showToast(d.error||'\\u65b0\\u5efa\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u65b0\\u5efa\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   // ── addTransaction ──
   + "\nfunction addTransaction(companyId){"
   + "var existing=document.getElementById('edit-modal');if(existing)existing.remove();"
@@ -1484,7 +1521,7 @@ function getJs(): string {
   + "var data={company_id:companyId,type:document.getElementById('tx-type').value,category:document.getElementById('tx-category').value,amount:parseFloat(document.getElementById('tx-amount').value)||0,description:document.getElementById('tx-desc').value,counterparty:document.getElementById('tx-counterparty').value,transaction_date:document.getElementById('tx-date').value};"
   + "fetch('/opc/admin/api/transactions/create',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
   + ".then(function(r){return r.json()}).then(function(d){if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u4ea4\\u6613\\u5df2\\u65b0\\u589e');showCompany(companyId);}"
-  + "else{showToast(d.error||'\\u65b0\\u589e\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u65b0\\u589e\\u5931\\u8d25');}}).catch(function(){showToast('\\u8bf7\\u6c42\\u5931\\u8d25');});}"
   // ── editCompany (内联编辑) ──
   + "\nfunction editCompany(id,name,industry,ownerName,ownerContact,desc,capital,status){"
   + "var html='<div id=\"edit-modal\" style=\"position:fixed;inset:0;background:rgba(0,0,0,.45);z-index:200;display:flex;align-items:center;justify-content:center\">';"
@@ -1516,7 +1553,7 @@ function getJs(): string {
   + "fetch('/opc/admin/api/companies/'+encodeURIComponent(id)+'/edit',{method:'PATCH',headers:{'Content-Type':'application/json'},body:JSON.stringify(data)})"
   + ".then(function(r){return r.json()}).then(function(d){"
   + "if(d.ok){document.getElementById('edit-modal').remove();showToast('\\u4fdd\\u5b58\\u6210\\u529f');loadCompanyDetail(id);}"
-  + "else{showToast(d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u64cd\\u4f5c\\u5931\\u8d25');});}"
+  + "else{showToast(d.message||d.error||'\\u4fdd\\u5b58\\u5931\\u8d25');}}).catch(function(){showToast('\\u64cd\\u4f5c\\u5931\\u8d25');});}"
   // ── loadGuide (SOP) ──
   + "\nfunction loadGuide(){var el=document.getElementById('guide-content');if(!el)return;el.innerHTML=renderSopGuide();}"
   + getGuideJs()
@@ -2615,7 +2652,7 @@ function getCanvasJs(): string {
 /* ── Route registration ───────────────────────────────────── */
-export function registerConfigUi(api: OpenClawPluginApi, db: OpcDatabase): void {
+export function registerConfigUi(api: OpenClawPluginApi, db: OpcDatabase, gatewayToken?: string): void {
   api.registerHttpHandler(async (req, res) => {
     const rawUrl = req.url ?? "";
     const urlObj = new URL(rawUrl, "http://localhost");
@@ -2626,6 +2663,23 @@ export function registerConfigUi(api: OpenClawPluginApi, db: OpcDatabase): void
       return false;
     }
+    // API 端点需要认证
+    if (pathname.startsWith("/opc/admin/api/") && gatewayToken) {
+      if (method === "OPTIONS") {
+        res.writeHead(204);
+        res.end();
+        return true;
+      }
+      const authHeader = req.headers["authorization"];
+      const match = authHeader?.match(/^Bearer\s+(.+)$/i);
+      const token = match?.[1];
+      if (token !== gatewayToken) {
+        res.writeHead(401, { "Content-Type": "application/json; charset=utf-8" });
+        res.end(JSON.stringify({ error: "认证令牌无效", code: "AUTH_INVALID" }));
+        return true;
+      }
+    }
     try {
       // Config API: GET
       if (pathname === "/opc/admin/api/config" && method === "GET") {
@@ -3488,7 +3542,7 @@ export function registerConfigUi(api: OpenClawPluginApi, db: OpcDatabase): void
       }
       // Serve HTML page for all other /opc/admin paths
-      sendHtml(res, buildPageHtml());
+      sendHtml(res, buildPageHtml(!!gatewayToken));
       return true;
     } catch (err) {
       res.writeHead(500, { "Content-Type": "application/json; charset=utf-8" });