Merge remote-tracking branch 'upstream/v2' into feat/intent-node/config-output-reason

Author: wangliang181230

apps/application/serializers/application.py

@@ -1036,8 +1036,8 @@ def edit(self, instance: Dict, with_valid=True):
         if 'work_flow' in instance:
             # 修改语音配置相关
             self.update_work_flow_model(instance)
-        if 'mcp_servers' in instance:
-            ToolExecutor().validate_mcp_transport(instance.get('mcp_servers'))
+        if 'mcp_servers' in instance and len(instance.get('mcp_servers', {})) > 0:
+            ToolExecutor().validate_mcp_transport(json.dumps(instance.get('mcp_servers')))
         update_keys = ['name', 'desc', 'model_id', 'multiple_rounds_dialogue', 'prologue', 'status',
                        'knowledge_setting', 'model_setting', 'problem_optimization', 'dialogue_number',
                        'stt_model_id', 'tts_model_id', 'tts_model_enable', 'stt_model_enable', 'tts_type',

apps/tools/serializers/tool.py

@@ -613,17 +613,19 @@ def one(self):
                     'size': skill_file.file_size,
                 } if skill_file else None
             work_flow = {}
+            is_publish = False
             if tool.tool_type == 'WORKFLOW':
                 tool_workflow = QuerySet(ToolWorkflow).filter(tool_id=tool.id).first()
                 if tool_workflow:
                     work_flow = tool_workflow.work_flow
-
+                    is_publish = tool_workflow.is_publish
             return {
                 **ToolModelSerializer(tool).data,
                 'init_params': tool.init_params if tool.init_params else {},
                 'nick_name': nick_name,
                 'fileList': [skill_file_dict] if tool.tool_type == 'SKILL' else [],
-                'work_flow': work_flow
+                'work_flow': work_flow,
+                'is_publish': is_publish
             }
 
         def export(self):

apps/users/serializers/login.py

@@ -7,8 +7,8 @@
     @desc:
 """
 import base64
-import datetime
 import json
+import logging
 
 from captcha.image import ImageCaptcha
 from django.core import signing
@@ -23,9 +23,10 @@
 from common.database_model_manage.database_model_manage import DatabaseModelManage
 from common.exception.app_exception import AppApiException
 from common.utils.common import password_encrypt, get_random_chars
-from common.utils.rsa_util import encrypt, decrypt
+from common.utils.rsa_util import decrypt
 from maxkb.const import CONFIG
 from users.models import User
+from common.utils.logger import maxkb_logger
 
 
 class LoginRequest(serializers.Serializer):
@@ -48,26 +49,34 @@ class LoginResponse(serializers.Serializer):
 
 
 def record_login_fail(username: str, expire: int = 600):
-    """记录登录失败次数"""
+    """记录登录失败次数（原子）返回当前失败计数"""
     if not username:
-        return
+        return 0
     fail_key = system_get_key(f'system_{username}')
-    fail_count = cache.get(fail_key, version=system_version)
-    if fail_count is None:
+    try:
+        fail_count = cache.incr(fail_key, 1, version=system_version)
+    except ValueError:
+        # key 不存在，初始化并设置过期
         cache.set(fail_key, 1, timeout=expire, version=system_version)
-    else:
-        cache.incr(fail_key, 1, version=system_version)
+        fail_count = 1
+    return fail_count
 
 
 def record_login_fail_lock(username: str, expire: int = 10):
+    """
+    使用 cache.incr 保证原子递增，并在不存在时初始化计数器并返回当前值。
+    这里的计数器用于判断是否应当进入“锁定”分支，避免依赖非原子 get -> set 的组合。
+    """
     if not username:
-        return
+        return 0
     fail_key = system_get_key(f'system_{username}_lock_count')
-    fail_count = cache.get(fail_key, version=system_version)
-    if fail_count is None:
+    try:
+        fail_count = cache.incr(fail_key, 1, version=system_version)
+    except ValueError:
+        # key 不存在，初始化并设置过期（分钟转秒）
         cache.set(fail_key, 1, timeout=expire * 60, version=system_version)
-    else:
-        cache.incr(fail_key, 1, version=system_version)
+        fail_count = 1
+    return fail_count
 
 
 class LoginSerializer(serializers.Serializer):
@@ -93,8 +102,16 @@ def login(instance):
         encrypted_data = instance.get("encryptedData", "")
 
         if encrypted_data:
-            decrypted_data = json.loads(decrypt(encrypted_data))
-            instance.update(decrypted_data)
+            try:
+                decrypted_raw = decrypt(encrypted_data)
+                # decrypt 可能返回非 JSON 字符串，防护解析异常
+                decrypted_data = json.loads(decrypted_raw) if decrypted_raw else {}
+                if isinstance(decrypted_data, dict):
+                    instance.update(decrypted_data)
+            except Exception as e:
+                maxkb_logger.exception("Failed to decrypt/parse encryptedData for user %s: %s", username, e)
+                raise AppApiException(500, _("Invalid encrypted data"))
+
         try:
             LoginRequest(data=instance).is_valid(raise_exception=True)
         except serializers.ValidationError:
@@ -128,7 +145,7 @@ def login(instance):
                 LoginSerializer._validate_captcha(username, captcha)
 
         # 验证用户凭据
-        user = QuerySet(User).filter(
+        user = User.objects.filter(
             username=username,
             password=password_encrypt(password)
         ).first()
@@ -190,34 +207,61 @@ def _validate_captcha(username: str, captcha: str) -> None:
 
     @staticmethod
     def _handle_failed_login(username: str, is_license_valid: bool, failed_attempts: int, lock_time: int) -> None:
-        """处理登录失败"""
-        record_login_fail(username)
-        record_login_fail_lock(username, lock_time)
+        """处理登录失败
+
+        修复要点：
+        - 使用 record_login_fail / record_login_fail_lock 两个原子 incr 来记录失败；
+        - 不再依赖精确等于 0 的比较来触发锁，而是基于原子计数 >= 阈值来决定进入锁定分支；
+        - 使用 cache.add 原子创建锁键，cache.add 保证只有第一个成功创建者可写入该键；
+          其他并发到达的请求若发现计数已到达阈值也应当返回“已锁定”响应，避免出现绕过。
+        """
+        # 记录普通失败计数（供验证码触发使用）
+        try:
+            record_login_fail(username)
+        except Exception:
+            maxkb_logger.exception("Failed to record login fail for user %s", username)
+
+        # 记录用于锁定判断的失败计数（按 lock_time 作为初始化过期分钟）
+        lock_fail_count = 0
+        try:
+            lock_fail_count = record_login_fail_lock(username, lock_time)
+        except Exception:
+            maxkb_logger.exception("Failed to record lock fail count for user %s", username)
 
+        # 如果不是企业版或禁用锁定功能，直接返回（但计数已经记录）
         if not is_license_valid or failed_attempts <= 0:
             return
 
-        fail_count = cache.get(system_get_key(f'system_{username}_lock_count'), version=system_version) or 0
-        remain_attempts = failed_attempts - fail_count
-
-        if remain_attempts > 0:
+        # 当计数小于阈值，告知剩余尝试次数
+        if lock_fail_count < failed_attempts:
+            remain_attempts = failed_attempts - lock_fail_count
             raise AppApiException(
                 1005,
                 _("Login failed %s times, account will be locked, you have %s more chances !") % (
                     failed_attempts, remain_attempts
                 )
             )
-        elif remain_attempts == 0:
-            cache.set(
+
+        # 当计数达到或超过阈值时，尝试原子创建锁键；无论 cache.add 返回 True/False，都返回已锁定响应，
+        # 因为若为 False 说明其他并发请求已将账户标记为锁定，行为应一致。
+        try:
+            locked = cache.add(
                 system_get_key(f'system_{username}_lock'),
                 1,
                 timeout=lock_time * 60,
                 version=system_version
             )
-            raise AppApiException(
-                1005,
-                _("This account has been locked for %s minutes, please try again later") % lock_time
-            )
+            if locked:
+                maxkb_logger.info("Account %s locked by setting cache key", username)
+            else:
+                maxkb_logger.info("Account %s lock key already present (another request set it)", username)
+        except Exception:
+            maxkb_logger.exception("Failed to set lock key for user %s", username)
+
+        raise AppApiException(
+            1005,
+            _("This account has been locked for %s minutes, please try again later") % lock_time
+        )
 
 
 class CaptchaResponse(serializers.Serializer):

installer/sandbox.c

@@ -511,6 +511,7 @@ long syscall(long number, ...) {
         case SYS_accept:
         case SYS_accept4:
         case SYS_sendto:
+        case SYS_sendmsg:
         case SYS_recvmsg:
         case SYS_getsockopt:
         case SYS_setsockopt:
@@ -542,6 +543,9 @@ long syscall(long number, ...) {
         case SYS_shmget:
         case SYS_shmctl:
         case SYS_prctl:
+        case SYS_io_uring_setup:
+        case SYS_io_uring_enter:
+        case SYS_io_uring_register:
             if (!allow_access_syscall()) {
                 throw_permission_denied_err(true, "access syscall %ld", number);
              }

installer/start-maxkb.sh

@@ -11,4 +11,16 @@ fi
 mkdir -p /opt/maxkb/python-packages
 
 rm -f /opt/maxkb-app/tmp/*
+
+INIT_SHELL_DIR="/opt/maxkb/local/init-shells"
+if [ -d "$INIT_SHELL_DIR" ]; then
+    find "$INIT_SHELL_DIR" -maxdepth 1 -type f -name "*.sh" | sort | while IFS= read -r f; do
+        if bash "$f"; then
+            echo "[OK] init-shell >>> $f"
+        else
+            echo "[ERROR] init-shell >>> $f failed with exit code $?" >&2
+        fi
+    done
+fi
+
 python /opt/maxkb-app/main.py start

ui/src/components/ai-chat/index.vue

@@ -195,6 +195,7 @@ import bus from '@/bus'
 import { throttle } from 'lodash-es'
 import { copyClick } from '@/utils/clipboard'
 import { loadSharedApi } from '@/utils/dynamics-api/shared-api'
+import { getWrite } from '@/utils/chat'
 
 provide('upload', (file: any, loading?: Ref<boolean>) => {
   return props.type === 'debug-ai-chat'
@@ -560,86 +561,7 @@ function getChartOpenId(chat?: any, problem?: string, re_chat?: boolean, other_p
   })
 }
 
-/**
- * 获取一个递归函数,处理流式数据
- * @param chat    每一条对话记录
- * @param reader  流数据
- * @param stream  是否是流式数据
- */
-const getWrite = (chat: any, reader: any, stream: boolean) => {
-  let tempResult = ''
-
-  const write_stream = async () => {
-    try {
-      while (true) {
-        const { done, value } = await reader.read()
-
-        if (done) {
-          ChatManagement.close(chat.id)
-          return
-        }
-
-        const decoder = new TextDecoder('utf-8')
-        let str = decoder.decode(value, { stream: true })
-
-        tempResult += str
-        const split = tempResult.match(/data:.*?}\n\n/g)
-        if (split) {
-          str = split.join('')
-          tempResult = tempResult.replace(str, '')
-
-          // 批量处理所有 chunk
-          for (const item of split) {
-            const chunk = JSON.parse(item.replace('data:', ''))
-            chat.chat_id = chunk.chat_id
-            chat.record_id = chunk.chat_record_id
-
-            if (!chunk.is_end) {
-              ChatManagement.appendChunk(chat.id, chunk)
-            }
-
-            if (chunk.is_end) {
-              return Promise.resolve()
-            }
-          }
-        }
-        // 如果没有匹配到完整chunk，继续读取下一块
-      }
-    } catch (e) {
-      return Promise.reject(e)
-    }
-  }
-
-  const write_json = async () => {
-    try {
-      while (true) {
-        const { done, value } = await reader.read()
-
-        if (done) {
-          const result_block = JSON.parse(tempResult)
-          if (result_block.code === 500) {
-            return Promise.reject(result_block.message)
-          } else {
-            if (result_block.content) {
-              ChatManagement.append(chat.id, result_block.content)
-            }
-          }
-          ChatManagement.close(chat.id)
-          return
-        }
 
-        if (value) {
-          const decoder = new TextDecoder('utf-8')
-          tempResult += decoder.decode(value)
-        }
-      }
-    } catch (e) {
-      return Promise.reject(e)
-    }
-  }
-
-  return stream ? write_stream : write_json
-}
 const errorWrite = (chat: any, message?: string) => {
   ChatManagement.addChatRecord(chat, 50, loading)
   ChatManagement.write(chat.id)

ui/src/components/dynamics-form/constructor/data.ts

@@ -59,5 +59,9 @@ const input_type_list = [
     label: t('dynamicsForm.input_type_list.Model'),
     value: 'Model',
   },
+    {
+    label: t('dynamicsForm.input_type_list.Knowledge'),
+    value: 'Knowledge',
+  },
 ]
 export { input_type_list }