Muyue/MuyueWorkspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 141 Wiki Activity

release: v0.6.0 — security audit fixes + 7 new features
All checks were successful
PR Check / check (pull_request) Successful in 57s
Details

Browse Source 
Audit corrections (security, concurrency, stability):
- chat_engine: bound resp.Choices[0] access, release tool slot per-iteration
- conversation_multi: synchronous save under existing lock (was racy fire-and-forget)
- workflow/engine: short-circuit on failed deps (no more infinite busy-wait); track failed/skipped status
- handlers_workflow: rune-aware truncate for plan goal (UTF-8 safe)
- server: CORS limited to localhost origins (was wildcard)
- handlers_info / terminal: mask API keys and SSH passwords as "***" in GET responses; preserve stored secret if "***" sent on update
- terminal: sshpass uses -e + SSHPASS env var (was both -p and -e)
- handlers_chat: MaxBytesReader 50 MB on /api/chat
- image_cache: 10 MB cap per image
- handlers_config: font size <= 72; profile-save unmarshal errors propagated
- handlers_info: /lsp/auto-install ProjectDir restricted to user home
- Shell.jsx: parenthesized resize-condition (operator precedence)
- orchestrator_test: CleanAIResponse capitalization (fixes failing vet)

New features:
- platform: detect OS name (Debian, Ubuntu, Windows 11, macOS X.Y) and inject in Studio system prompt next to the date
- agents: default timeout 30 min for crush_run/claude_run (cap also 30 min)
- agents: new cwd, wsl_distro, wsl_user params; on Windows hosts launch via "wsl -d <distro> -u <user> --cd <cwd> --"
- agents: new claude_run tool (mirror of crush_run for Claude Code CLI)
- terminal: list installed WSL distros individually in new-tab menu (Windows only)
- studio: system prompt rewritten around BMAD-METHOD personas + mandatory delegation template
- studio: "Réflexion avancée" toggle — inactive provider produces a preliminary report injected as [RAPPORT PRÉALABLE] context for the active provider
- studio: "Historique compressé" toggle — collapses past tool calls to last action only, with "Tout afficher" expansion
This commit is contained in:
Muyue
2026-04-27 10:12:11 +02:00
parent 0753167fb9
commit 6a7b4d8001
22 changed files with 804 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
internal/agent/definitions.go
View File

@@ -124,13 +124,16 @@ func NewTerminalTool() (*ToolDefinition, error) {
}
type CrushRunParams struct {
Task string `json:"task" description:"The task description for Crush to execute"`
Timeout int `json:"timeout,omitempty" description:"Maximum execution time in seconds (default 600, max 900)"`
Task string `json:"task" description:"The task description for Crush to execute"`
Timeout int `json:"timeout,omitempty" description:"Maximum execution time in seconds (default 1800, max 1800)"`
Cwd string `json:"cwd,omitempty" description:"Working directory in which to launch the agent (absolute path; falls back to user home)"`
WSLDistro string `json:"wsl_distro,omitempty" description:"On Windows host: WSL distribution to launch the agent in (e.g. 'Ubuntu')"`
WSLUser string `json:"wsl_user,omitempty" description:"On Windows host: WSL user to run the agent as"`
}
func NewCrushRunTool() (*ToolDefinition, error) {
return NewTool("crush_run",
"Delegate a complex coding task to the Crush AI agent. Crush has access to file editing, code search, bash execution, and other development tools. Use this for multi-step coding tasks like refactoring, debugging, implementing features, or code review. Returns the agent's final output.",
"Delegate a complex coding task to the Crush AI agent. Crush has access to file editing, code search, bash execution, and other development tools. Use this for multi-step coding tasks like refactoring, debugging, implementing features, or code review. Optionally pass cwd to run in a specific directory, or wsl_distro/wsl_user to launch inside a WSL distribution under a specific user (Windows hosts only). Returns the agent's final output.",
func(ctx context.Context, p CrushRunParams) (ToolResponse, error) {
if p.Task == "" {
return TextErrorResponse("task is required"), nil
@@ -138,15 +141,18 @@ func NewCrushRunTool() (*ToolDefinition, error) {
timeout := time.Duration(p.Timeout) * time.Second
if timeout == 0 {
timeout = 600 * time.Second
timeout = 1800 * time.Second
}
if timeout > 900*time.Second {
timeout = 900 * time.Second
if timeout > 1800*time.Second {
timeout = 1800 * time.Second
}
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
cmd := exec.CommandContext(ctx, "crush", "run", p.Task)
cmd, prepErr := buildAgentCommand(ctx, "crush", []string{"run", p.Task}, p.Cwd, p.WSLDistro, p.WSLUser)
if prepErr != nil {
return TextErrorResponse(prepErr.Error()), nil
}
output, err := cmd.CombinedOutput()
result := string(output)
@@ -169,6 +175,58 @@ func NewCrushRunTool() (*ToolDefinition, error) {
})
}
type ClaudeRunParams struct {
Task string `json:"task" description:"The task description for Claude Code to execute"`
Timeout int `json:"timeout,omitempty" description:"Maximum execution time in seconds (default 1800, max 1800)"`
Cwd string `json:"cwd,omitempty" description:"Working directory in which to launch the agent (absolute path; falls back to user home)"`
WSLDistro string `json:"wsl_distro,omitempty" description:"On Windows host: WSL distribution to launch the agent in (e.g. 'Ubuntu')"`
WSLUser string `json:"wsl_user,omitempty" description:"On Windows host: WSL user to run the agent as"`
}
func NewClaudeRunTool() (*ToolDefinition, error) {
return NewTool("claude_run",
"Delegate a complex coding task to the Claude Code CLI agent. Claude has access to file editing, code search, bash execution. Use for multi-step coding tasks. Same cwd/wsl_distro/wsl_user options as crush_run.",
func(ctx context.Context, p ClaudeRunParams) (ToolResponse, error) {
if p.Task == "" {
return TextErrorResponse("task is required"), nil
}
timeout := time.Duration(p.Timeout) * time.Second
if timeout == 0 {
timeout = 1800 * time.Second
}
if timeout > 1800*time.Second {
timeout = 1800 * time.Second
}
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
cmd, prepErr := buildAgentCommand(ctx, "claude", []string{"-p", p.Task}, p.Cwd, p.WSLDistro, p.WSLUser)
if prepErr != nil {
return TextErrorResponse(prepErr.Error()), nil
}
output, err := cmd.CombinedOutput()
result := string(output)
if len(result) > 15000 {
result = result[:15000] + "\n... [truncated]"
}
if err != nil {
errMsg := fmt.Sprintf("Claude error: %v", err)
if ctx.Err() == context.DeadlineExceeded {
errMsg = fmt.Sprintf("Claude timed out after %d seconds. Try splitting the task into smaller parts.", int(timeout.Seconds()))
}
if result != "" {
errMsg += "\n\n" + result
}
return TextErrorResponse(errMsg), nil
}
return TextResponse(result), nil
})
}
type ReadFileParams struct {
Path string `json:"path" description:"Absolute or relative path to the file to read"`
Offset int `json:"offset,omitempty" description:"Line number to start reading from (0-based, default 0)"`
@@ -371,6 +429,7 @@ func DefaultRegistry() *Registry {
tools := []*ToolDefinition{
must(NewTerminalTool()),
must(NewCrushRunTool()),
must(NewClaudeRunTool()),
must(NewReadFileTool()),
must(NewListFilesTool()),
must(NewSearchFilesTool()),

37
internal/agent/impl.go
View File

@@ -26,6 +26,43 @@ func detectShell() string {
return "/bin/sh"
}
var validIdentifier = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
// buildAgentCommand assembles an agent execution command, optionally launching it
// inside a WSL distribution (Windows host only) and applying a working directory.
// On non-Windows hosts, wsl_* parameters are ignored.
func buildAgentCommand(ctx context.Context, bin string, args []string, cwd, wslDistro, wslUser string) (*exec.Cmd, error) {
if wslDistro != "" && runtime.GOOS == "windows" {
if !validIdentifier.MatchString(wslDistro) {
return nil, fmt.Errorf("invalid wsl_distro: %q", wslDistro)
}
if wslUser != "" && !validIdentifier.MatchString(wslUser) {
return nil, fmt.Errorf("invalid wsl_user: %q", wslUser)
}
wslArgs := []string{"-d", wslDistro}
if wslUser != "" {
wslArgs = append(wslArgs, "-u", wslUser)
}
if cwd != "" {
wslArgs = append(wslArgs, "--cd", cwd)
}
wslArgs = append(wslArgs, "--")
wslArgs = append(wslArgs, bin)
wslArgs = append(wslArgs, args...)
return exec.CommandContext(ctx, "wsl", wslArgs...), nil
}
cmd := exec.CommandContext(ctx, bin, args...)
if cwd != "" {
dir := expandHome(cwd)
if info, err := os.Stat(dir); err != nil || !info.IsDir() {
return nil, fmt.Errorf("cwd does not exist or is not a directory: %s", cwd)
}
cmd.Dir = dir
}
return cmd, nil
}
func expandHome(path string) string {
if path == "" {
return ""

31
internal/agent/prompts/studio_system.md
View File

@@ -1,6 +1,33 @@
Tu es l'assistant IA de **Muyue Studio**, le centre de commandement de l'environnement de développement de l'utilisateur.
Tu es l'assistant IA de **Muyue Studio**, le centre de commandement de l'environnement de développement de l'utilisateur, et tu es spécialisé dans la **construction de prompts** selon la **méthode BMAD** (Breakthrough Method for Agile AI-Driven Development — https://github.com/bmad-code-org/BMAD-METHOD).
Tu es intégré dans Muyue, un gestionnaire d'environnement de développement de bureau. Ton rôle est d'aider l'utilisateur à configurer, gérer et optimiser son environnement dev.
Tu es intégré dans Muyue, un gestionnaire d'environnement de développement de bureau. Ton rôle est double :
1. Aider l'utilisateur à configurer, gérer et optimiser son environnement dev (avec les outils ci-dessous).
2. Construire pour lui des prompts structurés et actionnables avant d'exécuter une tâche complexe ou de la déléguer à un agent (`crush_run`, `claude_run`).
## Méthode BMAD — principes appliqués à chaque réponse
BMAD organise le travail IA comme une équipe agile : chaque demande est traitée avec une persona spécifique (Analyst, PM, Architect, SM, Dev, QA) puis exécutée. Tu n'as pas besoin de jouer toutes les personas — applique simplement leurs réflexes :
- **Analyst** : reformule l'objectif réel derrière la demande en 1 phrase. S'il est ambigu, choisis l'interprétation la plus probable et indique-la au début.
- **PM** : découpe en livrables concrets (épopée → stories). Pas plus de 3-5 stories pour une demande, chaque story doit être indépendamment livrable.
- **Architect** : pour toute story qui touche au code, identifie les fichiers concernés, les contraintes (compat, style, perf, sécurité) et les risques avant d'écrire.
- **SM (Scrum Master)** : si tu délègues à `crush_run`/`claude_run`, fournis un prompt **autonome** : objectif, contraintes, fichiers cibles, critère d'acceptation. Pas de référence à la conversation parente — l'agent ne la voit pas.
- **Dev** : exécute story par story. Vérifie chaque livraison avant de passer à la suivante.
- **QA** : avant de répondre "fini", relis l'objectif initial et confirme qu'il est atteint.
## Format d'un prompt BMAD délégué
Quand tu construis un prompt pour `crush_run`/`claude_run`, suis ce gabarit :
```
[OBJECTIF] <une phrase, l'objectif final>
[CONTEXTE] <fichiers/dossiers concernés, ce qui existe déjà>
[CONTRAINTES] <ne pas faire X, préserver Y, respecter style Z>
[LIVRABLE] <fichier(s) modifié(s), comportement attendu>
[CRITÈRE D'ACCEPTATION] <comment savoir que c'est fini>
```
Ce gabarit est **obligatoire** pour toute délégation à un agent. Il évite que l'agent erre, suppose, ou produise du code hors-périmètre.
<critical_rules>
1. **AGIS, ne décris pas** — Si l'utilisateur demande de faire quelque chose, utilise les outils immédiatement. Ne dis pas "je pourrais faire X" — fais-le.

24
internal/api/chat_engine.go
View File

@@ -3,6 +3,7 @@ package api
import (
"context"
"encoding/json"
"fmt"
"net/http"
"github.com/muyue/muyue/internal/agent"
@@ -85,6 +86,9 @@ func (ce *ChatEngine) RunWithTools(ctx context.Context, messages []orchestrator.
ce.TotalTokens += resp.Usage.TotalTokens
}
if len(resp.Choices) == 0 {
return finalContent, allToolCalls, allToolResults, fmt.Errorf("empty response from provider")
}
choice := resp.Choices[0]
content := orchestrator.CleanAIResponse(cleanThinkingTags(choice.Message.Content))
@@ -124,8 +128,9 @@ func (ce *ChatEngine) RunWithTools(ctx context.Context, messages []orchestrator.
Arguments: json.RawMessage(tc.Function.Arguments),
}
var release func()
if ce.limiter != nil {
release, limitErr := ce.limiter(tc.Function.Name)
rel, limitErr := ce.limiter(tc.Function.Name)
if limitErr != nil {
limResultData := map[string]interface{}{
"tool_call_id": tc.ID,
@@ -150,10 +155,13 @@ func (ce *ChatEngine) RunWithTools(ctx context.Context, messages []orchestrator.
})
continue
}
defer release()
release = rel
}
result, execErr := ce.registry.Execute(ctx, call)
if release != nil {
release()
}
if execErr != nil {
result = agent.ToolResponse{
Content: execErr.Error(),
@@ -216,6 +224,9 @@ func (ce *ChatEngine) RunNonStream(ctx context.Context, messages []orchestrator.
ce.TotalTokens += resp.Usage.TotalTokens
}
if len(resp.Choices) == 0 {
return finalContent, fmt.Errorf("empty response from provider")
}
choice := resp.Choices[0]
content := orchestrator.CleanAIResponse(cleanThinkingTags(choice.Message.Content))
@@ -241,8 +252,9 @@ func (ce *ChatEngine) RunNonStream(ctx context.Context, messages []orchestrator.
Arguments: json.RawMessage(tc.Function.Arguments),
}
var release func()
if ce.limiter != nil {
release, limitErr := ce.limiter(tc.Function.Name)
rel, limitErr := ce.limiter(tc.Function.Name)
if limitErr != nil {
messages = append(messages, orchestrator.Message{
Role: "tool",
@@ -252,10 +264,13 @@ func (ce *ChatEngine) RunNonStream(ctx context.Context, messages []orchestrator.
})
continue
}
defer release()
release = rel
}
result, execErr := ce.registry.Execute(ctx, call)
if release != nil {
release()
}
if execErr != nil {
result = agent.ToolResponse{
Content: execErr.Error(),
@@ -310,6 +325,5 @@ func SetupSSEHeaders(w http.ResponseWriter) {
w.Header().Set("Content-Type", "text/event-stream")
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Connection", "keep-alive")
w.Header().Set("Access-Control-Allow-Origin", "*")
w.WriteHeader(http.StatusOK)
}

6
internal/api/conversation_multi.go
View File

@@ -222,9 +222,9 @@ func (cs *ConversationStoreMulti) Add(role, content string) FeedMessage {
Time: time.Now().Format(time.RFC3339),
}
conv.Messages = append(conv.Messages, msg)
go cs.saveCurrent() // Fire and forget
cs.saveCurrent()
return msg
}

39
internal/api/handlers_chat.go
View File

@@ -16,6 +16,7 @@ import (
"github.com/muyue/muyue/internal/agent"
"github.com/muyue/muyue/internal/orchestrator"
"github.com/muyue/muyue/internal/platform"
)
var thinkingTagRegex = regexp.MustCompile(`(?s)<[Tt]hink[^>]*>.*?</[Tt]hink>`)
@@ -131,10 +132,12 @@ func (s *Server) handleChat(w http.ResponseWriter, r *http.Request) {
writeError(w, "POST only", http.StatusMethodNotAllowed)
return
}
r.Body = http.MaxBytesReader(w, r.Body, 50*1024*1024)
var body struct {
Message string `json:"message"`
Stream bool `json:"stream"`
Images []ImageAttachment `json:"images"`
Message string `json:"message"`
Stream bool `json:"stream"`
Images []ImageAttachment `json:"images"`
AdvancedReflection bool `json:"advanced_reflection"`
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
writeError(w, err.Error(), http.StatusBadRequest)
@@ -194,7 +197,12 @@ func (s *Server) handleChat(w http.ResponseWriter, r *http.Request) {
}
var studioPrompt strings.Builder
studioPrompt.WriteString(agent.StudioSystemPrompt())
studioPrompt.WriteString(fmt.Sprintf("\nDate: %s\nHeure: %s\n", time.Now().Format("02/01/2006"), time.Now().Format("15:04:05")))
sysInfo := platform.Detect()
osName := sysInfo.OSName
if osName == "" {
osName = string(sysInfo.OS)
}
studioPrompt.WriteString(fmt.Sprintf("\nDate: %s\nHeure: %s\nSystème: %s\n", time.Now().Format("02/01/2006"), time.Now().Format("15:04:05"), osName))
canSudo := !agent.NeedsSudoPassword()
studioPrompt.WriteString(fmt.Sprintf("Root: %t\n", !canSudo))
if !canSudo {
@@ -205,6 +213,12 @@ func (s *Server) handleChat(w http.ResponseWriter, r *http.Request) {
orb.SetSystemPrompt(studioPrompt.String())
orb.SetTools(s.agentToolsJSON)
if body.AdvancedReflection {
if report, ok := s.runReflectionReport(enrichedMessage); ok {
enrichedMessage = enrichedMessage + "\n\n[RAPPORT PRÉALABLE — produit par un autre modèle, à valider]\n" + report + "\n[/RAPPORT PRÉALABLE]"
}
}
if body.Stream {
s.handleStreamChat(w, orb, enrichedMessage)
} else {
@@ -281,6 +295,23 @@ func cleanThinkingTags(content string) string {
return strings.TrimSpace(thinkingTagRegex.ReplaceAllString(content, ""))
}
// runReflectionReport runs the inactive AI provider on the user message to
// produce a preliminary analysis report that the active provider will then
// use as additional context. Returns ("", false) if no inactive provider is
// configured or on error — the caller falls back to a normal chat flow.
func (s *Server) runReflectionReport(userMessage string) (string, bool) {
orb, err := orchestrator.NewForInactiveProvider(s.config)
if err != nil {
return "", false
}
orb.SetSystemPrompt("Tu es un analyste. Pour la question ci-dessous, produis un rapport bref (max 15 lignes) qui : (1) reformule l'objectif de l'utilisateur, (2) liste les points à clarifier ou les risques, (3) suggère une approche structurée. Pas de code, pas d'action — uniquement de l'analyse.")
resp, err := orb.SendNoTools(userMessage)
if err != nil {
return "", false
}
return strings.TrimSpace(resp), true
}
func (s *Server) buildContextMessages(userMessage string) []orchestrator.Message {
history := s.convStore.Get()

34
internal/api/handlers_config.go
View File

@@ -60,10 +60,17 @@ func (s *Server) handleSaveProfile(w http.ResponseWriter, r *http.Request) {
return
}
var currentMap map[string]interface{}
json.Unmarshal(currentJSON, &currentMap)
if err := json.Unmarshal(currentJSON, &currentMap); err != nil {
writeError(w, err.Error(), http.StatusInternalServerError)
return
}
var updates map[string]interface{}
body, _ := io.ReadAll(r.Body)
body, err := io.ReadAll(r.Body)
if err != nil {
writeError(w, err.Error(), http.StatusBadRequest)
return
}
if err := json.Unmarshal(body, &updates); err != nil {
writeError(w, err.Error(), http.StatusBadRequest)
return
@@ -71,8 +78,15 @@ func (s *Server) handleSaveProfile(w http.ResponseWriter, r *http.Request) {
deepMerge(currentMap, updates)
mergedJSON, _ := json.Marshal(currentMap)
json.Unmarshal(mergedJSON, &s.config.Profile)
mergedJSON, err := json.Marshal(currentMap)
if err != nil {
writeError(w, err.Error(), http.StatusInternalServerError)
return
}
if err := json.Unmarshal(mergedJSON, &s.config.Profile); err != nil {
writeError(w, err.Error(), http.StatusInternalServerError)
return
}
if err := config.Save(s.config); err != nil {
writeError(w, err.Error(), http.StatusInternalServerError)
@@ -122,7 +136,7 @@ func (s *Server) handleSaveProvider(w http.ResponseWriter, r *http.Request) {
found := false
for i := range s.config.AI.Providers {
if s.config.AI.Providers[i].Name == body.Name {
if body.APIKey != "" {
if body.APIKey != "" && body.APIKey != "***" {
s.config.AI.Providers[i].APIKey = body.APIKey
}
if body.Model != "" {
@@ -173,6 +187,14 @@ func (s *Server) handleValidateProvider(w http.ResponseWriter, r *http.Request)
writeError(w, "api_key required", http.StatusBadRequest)
return
}
if body.APIKey == "***" {
for _, p := range s.config.AI.Providers {
if p.Name == body.Name {
body.APIKey = p.APIKey
break
}
}
}
baseURL := body.BaseURL
if baseURL == "" {
@@ -266,7 +288,7 @@ func (s *Server) handleSaveTerminalSettings(w http.ResponseWriter, r *http.Reque
writeError(w, err.Error(), http.StatusBadRequest)
return
}
if body.FontSize > 0 {
if body.FontSize > 0 && body.FontSize <= 72 {
s.config.Terminal.FontSize = body.FontSize
}
if body.FontFamily != "" {

30
internal/api/handlers_info.go
View File

@@ -80,8 +80,23 @@ func (s *Server) handleProviders(w http.ResponseWriter, r *http.Request) {
writeError(w, "no config", http.StatusNotFound)
return
}
masked := make([]map[string]interface{}, 0, len(s.config.AI.Providers))
for _, p := range s.config.AI.Providers {
entry := map[string]interface{}{
"name": p.Name,
"model": p.Model,
"base_url": p.BaseURL,
"active": p.Active,
}
if p.APIKey != "" {
entry["api_key"] = "***"
} else {
entry["api_key"] = ""
}
masked = append(masked, entry)
}
writeJSON(w, map[string]interface{}{
"providers": s.config.AI.Providers,
"providers": masked,
})
}
@@ -203,9 +218,20 @@ func (s *Server) handleLSPAutoInstall(w http.ResponseWriter, r *http.Request) {
json.NewDecoder(r.Body).Decode(&body)
}
home, _ := os.UserHomeDir()
if body.ProjectDir == "" {
home, _ := os.UserHomeDir()
body.ProjectDir = home
} else {
abs, err := filepath.Abs(body.ProjectDir)
if err != nil {
writeError(w, "invalid project_dir", http.StatusBadRequest)
return
}
body.ProjectDir = abs
if home != "" && !strings.HasPrefix(abs, home+string(filepath.Separator)) && abs != home {
writeError(w, "project_dir must be within user home", http.StatusBadRequest)
return
}
}
results, err := lsp.AutoInstallForProject(body.ProjectDir)

12
internal/api/handlers_workflow.go
View File

@@ -144,7 +144,7 @@ func (s *Server) handleWorkflowPlan(w http.ResponseWriter, r *http.Request) {
engine, _ = workflow.NewEngine(s.agentRegistry)
}
wf := engine.Create("Plan: "+body.Goal[:min(len(body.Goal), 30)], body.Goal, "plan_execute", steps)
wf := engine.Create("Plan: "+truncateString(body.Goal, 30), body.Goal, "plan_execute", steps)
writeJSON(w, wf)
}
@@ -188,7 +188,6 @@ func (s *Server) handleWorkflowExecuteStream(w http.ResponseWriter, engine *work
w.Header().Set("Content-Type", "text/event-stream")
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Connection", "keep-alive")
w.Header().Set("Access-Control-Allow-Origin", "*")
w.WriteHeader(http.StatusOK)
flusher, canFlush := w.(http.Flusher)
@@ -250,9 +249,10 @@ func (s *Server) handleWorkflowApprove(w http.ResponseWriter, r *http.Request) {
writeJSON(w, map[string]string{"status": "approved"})
}
func min(a, b int) int {
if a < b {
return a
func truncateString(s string, max int) string {
runes := []rune(s)
if len(runes) <= max {
return s
}
return b
return string(runes[:max])
}

3
internal/api/image_cache.go
View File

@@ -37,6 +37,9 @@ func saveImage(dataURI, filename, mimeType string) (string, error) {
if err != nil {
return "", fmt.Errorf("base64 decode: %w", err)
}
if len(decoded) > 10*1024*1024 {
return "", fmt.Errorf("image too large (max 10MB)")
}
id := fmt.Sprintf("%d-%d", time.Now().UnixMilli(), atomic.AddUint64(&imageCounter, 1))
ext := ".png"

23
internal/api/server.go
View File

@@ -154,8 +154,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS")
if origin := r.Header.Get("Origin"); isAllowedOrigin(origin) {
w.Header().Set("Access-Control-Allow-Origin", origin)
w.Header().Set("Vary", "Origin")
}
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
@@ -164,6 +167,22 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
s.mux.ServeHTTP(w, r)
}
func isAllowedOrigin(origin string) bool {
if origin == "" {
return false
}
switch {
case strings.HasPrefix(origin, "http://127.0.0.1"),
strings.HasPrefix(origin, "http://localhost"),
strings.HasPrefix(origin, "http://[::1]"),
strings.HasPrefix(origin, "https://127.0.0.1"),
strings.HasPrefix(origin, "https://localhost"),
strings.HasPrefix(origin, "https://[::1]"):
return true
}
return false
}
const maxCrushAgents = 2
const maxClaudeAgents = 2

162
internal/api/terminal.go
View File

@@ -7,6 +7,7 @@ import (
"os"
"os/exec"
"path/filepath"
"regexp"
"runtime"
"strings"
"sync"
@@ -96,7 +97,10 @@ func (s *Server) handleTerminalWS(w http.ResponseWriter, r *http.Request) {
if sshConf.Password != "" {
sshpassPath, err := exec.LookPath("sshpass")
if err == nil {
cmd = exec.Command(sshpassPath, append([]string{"-p", sshConf.Password}, append([]string{"-e"}, sshArgs...)...)...)
args := append([]string{"-e"}, "ssh")
args = append(args, sshArgs...)
cmd = exec.Command(sshpassPath, args...)
cmd.Env = append(os.Environ(), "SSHPASS="+sshConf.Password)
} else {
cmd = exec.Command("ssh", sshArgs...)
}
@@ -113,29 +117,42 @@ func (s *Server) handleTerminalWS(w http.ResponseWriter, r *http.Request) {
shell = "/bin/sh"
}
if path, err := exec.LookPath(shell); err == nil {
shell = path
}
// Support "wsl -d <distro>" shell strings sent from the UI quick-access.
if extra, ok := parseWSLShell(shell); ok {
wslPath, err := exec.LookPath("wsl")
if err != nil {
conn.WriteJSON(wsMessage{Type: "error", Data: "wsl not found on this host"})
return
}
cmd = exec.Command(wslPath, extra...)
} else {
if path, err := exec.LookPath(shell); err == nil {
shell = path
}
if _, err := os.Stat(shell); err != nil {
conn.WriteJSON(wsMessage{Type: "error", Data: fmt.Sprintf("shell not found: %s (resolved from: %q)", shell, initMsg.Data)})
return
}
if _, err := os.Stat(shell); err != nil {
conn.WriteJSON(wsMessage{Type: "error", Data: fmt.Sprintf("shell not found: %s (resolved from: %q)", shell, initMsg.Data)})
return
}
shellName := filepath.Base(shell)
switch shellName {
case "wsl":
cmd = exec.Command(shell, "--shell-type", "login")
case "powershell", "pwsh":
cmd = exec.Command(shell, "-NoLogo", "-NoProfile")
case "fish":
cmd = exec.Command(shell, "--login")
default:
cmd = exec.Command(shell)
shellName := filepath.Base(shell)
switch shellName {
case "wsl":
cmd = exec.Command(shell, "--shell-type", "login")
case "powershell", "pwsh":
cmd = exec.Command(shell, "-NoLogo", "-NoProfile")
case "fish":
cmd = exec.Command(shell, "--login")
default:
cmd = exec.Command(shell)
}
}
}
cmd.Env = append(os.Environ(), "TERM=xterm-256color")
if cmd.Env == nil {
cmd.Env = os.Environ()
}
cmd.Env = append(cmd.Env, "TERM=xterm-256color")
ptmx, err := pty.Start(cmd)
if err != nil {
@@ -207,8 +224,15 @@ func (s *Server) handleTerminalWS(w http.ResponseWriter, r *http.Request) {
func (s *Server) handleTerminalSessions(w http.ResponseWriter, r *http.Request) {
if r.Method == "GET" {
masked := make([]config.SSHConnection, len(s.config.Terminal.SSH))
for i, c := range s.config.Terminal.SSH {
masked[i] = c
if masked[i].Password != "" {
masked[i].Password = "***"
}
}
writeJSON(w, map[string]interface{}{
"ssh": s.config.Terminal.SSH,
"ssh": masked,
"system": detectSystemTerminals(),
})
return
@@ -239,13 +263,17 @@ func (s *Server) handleTerminalSessions(w http.ResponseWriter, r *http.Request)
for i, c := range s.config.Terminal.SSH {
if c.Name == body.Name {
password := body.Password
if password == "***" {
password = c.Password
}
s.config.Terminal.SSH[i] = config.SSHConnection{
Name: body.Name,
Host: body.Host,
Port: body.Port,
User: body.User,
KeyPath: body.KeyPath,
Password: body.Password,
Password: password,
}
if err := config.Save(s.config); err != nil {
writeError(w, err.Error(), http.StatusInternalServerError)
@@ -314,6 +342,87 @@ func detectShell() string {
return "/bin/sh"
}
// listWSLDistros returns the list of installed WSL distribution names.
// Windows hosts only — returns nil on other platforms or if WSL is unavailable.
func listWSLDistros() []string {
if runtime.GOOS != "windows" {
return nil
}
out, err := exec.Command("wsl", "--list", "--quiet").Output()
if err != nil {
return nil
}
// `wsl --list --quiet` outputs UTF-16LE on Windows. Strip BOM and decode best-effort.
raw := stripUTF16ToASCII(out)
var distros []string
seen := make(map[string]bool)
for _, line := range strings.Split(raw, "\n") {
name := strings.TrimSpace(line)
if name == "" || seen[name] {
continue
}
// Skip default-marker arrows or annotations.
name = strings.TrimSpace(strings.TrimPrefix(name, "*"))
if name == "" || !validWSLName.MatchString(name) {
continue
}
seen[name] = true
distros = append(distros, name)
}
return distros
}
var validWSLName = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
// parseWSLShell recognises strings of the form "wsl -d <distro>" (and optionally
// "-u <user>") emitted by the Shell tab quick-access menu, returning the args
// to pass to the wsl binary. Returns ok=false otherwise.
func parseWSLShell(shell string) ([]string, bool) {
parts := strings.Fields(shell)
if len(parts) < 3 || parts[0] != "wsl" {
return nil, false
}
args := []string{}
i := 1
for i < len(parts) {
switch parts[i] {
case "-d", "--distribution":
if i+1 >= len(parts) || !validWSLName.MatchString(parts[i+1]) {
return nil, false
}
args = append(args, "-d", parts[i+1])
i += 2
case "-u", "--user":
if i+1 >= len(parts) || !validWSLName.MatchString(parts[i+1]) {
return nil, false
}
args = append(args, "-u", parts[i+1])
i += 2
default:
return nil, false
}
}
if len(args) == 0 {
return nil, false
}
return args, true
}
func stripUTF16ToASCII(b []byte) string {
// Best-effort: keep only printable bytes (drop high bytes from UTF-16LE pairs).
var out []byte
for i := 0; i < len(b); i++ {
c := b[i]
if c == 0 {
continue
}
if c >= 32 && c < 127 || c == '\n' || c == '\r' || c == '\t' {
out = append(out, c)
}
}
return string(out)
}
func detectSystemTerminals() []map[string]string {
var terminals []map[string]string
@@ -326,10 +435,17 @@ func detectSystemTerminals() []map[string]string {
if runtime.GOOS == "windows" {
if _, err := exec.LookPath("wsl"); err == nil {
terminals = append(terminals, map[string]string{
"type": "local",
"name": "WSL",
"type": "local",
"name": "WSL (default)",
"shell": "wsl",
})
for _, distro := range listWSLDistros() {
terminals = append(terminals, map[string]string{
"type": "local",
"name": "WSL: " + distro,
"shell": "wsl -d " + distro,
})
}
}
if _, err := exec.LookPath("powershell"); err == nil {
terminals = append(terminals, map[string]string{

58
internal/orchestrator/orchestrator.go
View File

@@ -142,6 +142,37 @@ func New(cfg *config.MuyueConfig) (*Orchestrator, error) {
}, nil
}
// NewForProvider builds an orchestrator using a specific (non-active) provider,
// for the Advanced Reflection feature where the inactive provider produces a
// preliminary report before the active provider answers. Excludes the currently
// active provider from selection — picks the first other configured provider
// with a non-empty API key.
func NewForInactiveProvider(cfg *config.MuyueConfig) (*Orchestrator, error) {
var activeName string
for _, p := range cfg.AI.Providers {
if p.Active {
activeName = p.Name
break
}
}
for i := range cfg.AI.Providers {
p := &cfg.AI.Providers[i]
if p.Name == activeName {
continue
}
if p.APIKey == "" {
continue
}
return &Orchestrator{
config: cfg,
provider: p,
client: sharedHTTPClient,
history: []Message{},
}, nil
}
return nil, fmt.Errorf("no inactive provider with API key configured")
}
func (o *Orchestrator) SetSystemPrompt(prompt string) {
o.systemPrompt = prompt
}
@@ -174,6 +205,33 @@ func (o *Orchestrator) GetHistory() []Message {
return out
}
// SendNoTools issues a one-shot, history-less request to this orchestrator's
// provider. Used by the Advanced Reflection feature so the inactive provider
// can produce a preliminary report without contaminating the active
// orchestrator's history or invoking tools.
func (o *Orchestrator) SendNoTools(userMessage string) (string, error) {
messages := make([]Message, 0, 2)
if o.systemPrompt != "" {
messages = append(messages, Message{Role: "system", Content: TextContent(o.systemPrompt)})
}
messages = append(messages, Message{Role: "user", Content: TextContent(userMessage)})
reqBody := ChatRequest{
Model: o.provider.Model,
Messages: messages,
Stream: false,
}
chatResp, _, err := o.sendWithFallback(reqBody, "")
if err != nil {
return "", err
}
if len(chatResp.Choices) == 0 {
return "", fmt.Errorf("empty response from provider")
}
return CleanAIResponse(chatResp.Choices[0].Message.Content), nil
}
func (o *Orchestrator) Send(userMessage string) (string, error) {
o.histMu.Lock()
o.history = append(o.history, Message{

14
internal/orchestrator/orchestrator_test.go
View File

@@ -65,11 +65,11 @@ func TestCleanAIResponse(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := cleanAIResponse(tt.input)
result := CleanAIResponse(tt.input)
result = strings.TrimSpace(result)
expected := strings.TrimSpace(tt.expected)
if result != expected {
t.Errorf("cleanAIResponse(%q) = %q, want %q", tt.input, result, expected)
t.Errorf("CleanAIResponse(%q) = %q, want %q", tt.input, result, expected)
}
})
}
@@ -77,34 +77,34 @@ func TestCleanAIResponse(t *testing.T) {
func TestCleanAIResponseThinkRegex(t *testing.T) {
input2 := "<Think>some reasoning</Think>actual response"
result2 := cleanAIResponse(input2)
result2 := CleanAIResponse(input2)
if result2 != "actual response" {
t.Errorf("Valid Think tags should be removed: %q", result2)
}
input3 := "<think\nmultiline\nreasoning</think visible"
result3 := cleanAIResponse(input3)
result3 := CleanAIResponse(input3)
// No closing > on opening tag, so won't match regex
if result3 != "<think\nmultiline\nreasoning</think visible" {
t.Errorf("Malformed think should not be removed: %q", result3)
}
input4 := "<think type=re>reasoning</think visible"
result4 := cleanAIResponse(input4)
result4 := CleanAIResponse(input4)
// </think followed by space, not >, so won't match
if result4 != "<think type=re>reasoning</think visible" {
t.Errorf("Malformed closing should not be removed: %q", result4)
}
input_real := "prefix<think reasoning here</think suffix"
result_real := cleanAIResponse(input_real)
result_real := CleanAIResponse(input_real)
// The closing </think has no > after it, so won't match
if result_real != "prefix<think reasoning here</think suffix" {
t.Errorf("Malformed tags should pass through: %q", result_real)
}
input_valid := "<Think>reasoning</Think>result"
result_valid := cleanAIResponse(input_valid)
result_valid := CleanAIResponse(input_valid)
if result_valid != "result" {
t.Errorf("Valid tags should be removed: %q", result_valid)
}

59
internal/platform/exec.go
View File

@@ -17,3 +17,62 @@ func fileContains(path, substr string) bool {
func execLookPath(name string) (string, error) {
return exec.LookPath(name)
}
func readOSReleaseName() string {
data, err := os.ReadFile("/etc/os-release")
if err != nil {
return ""
}
var pretty, name, version string
for _, line := range strings.Split(string(data), "\n") {
key, val, ok := strings.Cut(line, "=")
if !ok {
continue
}
val = strings.Trim(val, `"'`)
switch key {
case "PRETTY_NAME":
pretty = val
case "NAME":
name = val
case "VERSION_ID":
version = val
}
}
if pretty != "" {
return pretty
}
if name != "" && version != "" {
return name + " " + version
}
return name
}
func readMacOSVersion() string {
out, err := exec.Command("sw_vers", "-productVersion").Output()
if err != nil {
return ""
}
return strings.TrimSpace(string(out))
}
func readWindowsVersion() string {
if v := os.Getenv("OS"); v != "" && strings.Contains(strings.ToLower(v), "windows") {
// Try to detect Windows 11 vs 10 via build number
if build := os.Getenv("MUYUE_WIN_BUILD"); build != "" {
return "Windows " + build
}
}
out, err := exec.Command("cmd", "/c", "ver").Output()
if err != nil {
return ""
}
s := strings.TrimSpace(string(out))
if strings.Contains(s, "10.0.22") || strings.Contains(s, "10.0.23") {
return "Windows 11"
}
if strings.Contains(s, "10.0.") {
return "Windows 10"
}
return s
}

34
internal/platform/platform.go
View File

@@ -25,6 +25,7 @@ const (
type SystemInfo struct {
OS OS `json:"os"`
OSName string `json:"os_name"`
Arch Arch `json:"arch"`
IsWSL bool `json:"is_wsl"`
Shell string `json:"shell"`
@@ -39,6 +40,7 @@ func Detect() SystemInfo {
}
info.IsWSL = detectWSL()
info.OSName = detectOSName(info.OS, info.IsWSL)
info.Shell = detectShell()
info.Terminal = detectTerminal()
info.PackageManager = detectPackageManager(info.OS)
@@ -46,6 +48,33 @@ func Detect() SystemInfo {
return info
}
func detectOSName(os OS, isWSL bool) string {
switch os {
case Linux:
if name := readOSReleaseName(); name != "" {
if isWSL {
return name + " (WSL)"
}
return name
}
if isWSL {
return "Linux (WSL)"
}
return "Linux"
case MacOS:
if v := readMacOSVersion(); v != "" {
return "macOS " + v
}
return "macOS"
case Windows:
if v := readWindowsVersion(); v != "" {
return v
}
return "Windows"
}
return string(os)
}
func detectWSL() bool {
return fileContains("/proc/version", "microsoft") ||
fileContains("/proc/version", "WSL")
@@ -95,8 +124,11 @@ func detectPackageManager(os OS) string {
func (s SystemInfo) String() string {
parts := []string{
"OS: " + string(s.OS),
"Arch: " + string(s.Arch),
}
if s.OSName != "" {
parts = append(parts, "Name: "+s.OSName)
}
parts = append(parts, "Arch: "+string(s.Arch))
if s.IsWSL {
parts = append(parts, "WSL: yes")
}

2
internal/version/version.go
View File

@@ -7,7 +7,7 @@ import (
const (
Name = "muyue"
Version = "0.5.0"
Version = "0.6.0"
Author = "La Légion de Muyue"
)

38
internal/workflow/engine.go
View File

@@ -225,17 +225,21 @@ func (e *Engine) Execute(ctx context.Context, workflowID string, onStep func(ste
stepStatuses[step.ID] = StatusPending
}
resolveDeps := func(stepID string) bool {
resolveDeps := func(stepID string) (ready bool, blocked bool) {
step := wf.findStep(stepID)
if step == nil {
return false
return false, true
}
for _, dep := range step.DependsOn {
if stepStatuses[dep] != StatusDone {
return false
depStatus := stepStatuses[dep]
if depStatus == StatusFailed || depStatus == StatusSkipped {
return false, true
}
if depStatus != StatusDone {
return false, false
}
}
return true
return true, false
}
executeStep := func(step *Step) error {
@@ -296,6 +300,7 @@ func (e *Engine) Execute(ctx context.Context, workflowID string, onStep func(ste
s.Error = stepErr.Error()
s.EndedAt = &endTime
})
stepStatuses[step.ID] = StatusFailed
if onStep != nil {
onStep(step, "failed")
}
@@ -321,8 +326,27 @@ func (e *Engine) Execute(ctx context.Context, workflowID string, onStep func(ste
continue
}
for !resolveDeps(step.ID) {
time.Sleep(100 * time.Millisecond)
ready, blocked := resolveDeps(step.ID)
if blocked {
e.UpdateStep(workflowID, step.ID, func(s *Step) {
s.Status = StatusSkipped
})
stepStatuses[step.ID] = StatusSkipped
if onStep != nil {
onStep(&step, "skipped")
}
continue
}
if !ready {
e.UpdateStep(workflowID, step.ID, func(s *Step) {
s.Status = StatusSkipped
s.Error = "dependency not satisfied at execution time"
})
stepStatuses[step.ID] = StatusSkipped
if onStep != nil {
onStep(&step, "skipped")
}
continue
}
if err := executeStep(&step); err != nil {