Update config.yaml

config.yaml

@@ -10,7 +10,7 @@
 # ============================================
 
 # 前端显示的版本号（可选，不填则显示默认版本）
-version: "v1.5.13"
+version: "v1.5.15"
 # 服务器配置
 server:
   host: 0.0.0.0 # 监听地址，0.0.0.0 表示监听所有网络接口

internal/app/app.go

@@ -318,6 +318,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 	}
 	monitorHandler := handler.NewMonitorHandler(mcpServer, executor, db, log.Logger)
 	monitorHandler.SetExternalMCPManager(externalMCPMgr) // 设置外部MCP管理器，以便获取外部MCP执行记录
+	notificationHandler := handler.NewNotificationHandler(db, agentHandler, log.Logger)
 	groupHandler := handler.NewGroupHandler(db, log.Logger)
 	authHandler := handler.NewAuthHandler(authManager, cfg, configPath, log.Logger)
 	attackChainHandler := handler.NewAttackChainHandler(db, &cfg.OpenAI, log.Logger)
@@ -434,6 +435,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 		authHandler,
 		agentHandler,
 		monitorHandler,
+		notificationHandler,
 		conversationHandler,
 		robotHandler,
 		groupHandler,
@@ -600,6 +602,7 @@ func setupRoutes(
 	authHandler *handler.AuthHandler,
 	agentHandler *handler.AgentHandler,
 	monitorHandler *handler.MonitorHandler,
+	notificationHandler *handler.NotificationHandler,
 	conversationHandler *handler.ConversationHandler,
 	robotHandler *handler.RobotHandler,
 	groupHandler *handler.GroupHandler,
@@ -728,6 +731,8 @@ func setupRoutes(
 		protected.DELETE("/monitor/execution/:id", monitorHandler.DeleteExecution)
 		protected.DELETE("/monitor/executions", monitorHandler.DeleteExecutions)
 		protected.GET("/monitor/stats", monitorHandler.GetStats)
+		protected.GET("/notifications/summary", notificationHandler.GetSummary)
+		protected.POST("/notifications/read", notificationHandler.MarkRead)
 
 		// 配置管理
 		protected.GET("/config", configHandler.GetConfig)

internal/handler/hitl.go

@@ -85,7 +85,7 @@ CREATE TABLE IF NOT EXISTS hitl_conversation_configs (
     enabled INTEGER NOT NULL DEFAULT 0,
     mode TEXT NOT NULL DEFAULT 'off',
     sensitive_tools TEXT NOT NULL DEFAULT '[]',
-    timeout_seconds INTEGER NOT NULL DEFAULT 300,
+    timeout_seconds INTEGER NOT NULL DEFAULT 0,
     updated_at DATETIME NOT NULL
 );`)
 	if err != nil {
@@ -133,7 +133,8 @@ func (m *HITLManager) ActivateConversation(conversationID string, req *HITLReque
 			tools[n] = struct{}{}
 		}
 	}
-	timeout := 5 * time.Minute
+	// timeout <= 0 means wait forever (no timeout).
+	timeout := time.Duration(0)
 	if req.TimeoutSeconds > 0 {
 		timeout = time.Duration(req.TimeoutSeconds) * time.Second
 	}
@@ -275,8 +276,8 @@ func (m *HITLManager) ensureConversationHITLModePersisted(conversationID, interr
 	}
 	cfg.Enabled = true
 	cfg.Mode = nm
-	if cfg.TimeoutSeconds <= 0 {
-		cfg.TimeoutSeconds = 300
+	if cfg.TimeoutSeconds < 0 {
+		cfg.TimeoutSeconds = 0
 	}
 	return m.SaveConversationConfig(conversationID, cfg)
 }
@@ -341,7 +342,7 @@ func (m *HITLManager) SaveConversationConfig(conversationID string, req *HITLReq
 		return errors.New("conversationId is required")
 	}
 	if req == nil {
-		req = &HITLRequest{Enabled: false, Mode: "off", TimeoutSeconds: 300}
+		req = &HITLRequest{Enabled: false, Mode: "off", TimeoutSeconds: 0}
 	}
 	mode := normalizeHitlMode(req.Mode)
 	if !req.Enabled {
@@ -349,8 +350,8 @@ func (m *HITLManager) SaveConversationConfig(conversationID string, req *HITLReq
 	}
 	tools, _ := json.Marshal(req.SensitiveTools)
 	timeout := req.TimeoutSeconds
-	if timeout <= 0 {
-		timeout = 300
+	if timeout < 0 {
+		timeout = 0
 	}
 	_, err := m.db.Exec(`INSERT INTO hitl_conversation_configs
 		(conversation_id, enabled, mode, sensitive_tools, timeout_seconds, updated_at)
@@ -368,11 +369,14 @@ func (m *HITLManager) LoadConversationConfig(conversationID string) (*HITLReques
 	err := m.db.QueryRow(`SELECT enabled, mode, sensitive_tools, timeout_seconds FROM hitl_conversation_configs WHERE conversation_id = ?`, conversationID).
 		Scan(&enabledInt, &mode, &toolsJSON, &timeout)
 	if errors.Is(err, sql.ErrNoRows) {
-		return &HITLRequest{Enabled: false, Mode: "off", SensitiveTools: []string{}, TimeoutSeconds: 300}, nil
+		return &HITLRequest{Enabled: false, Mode: "off", SensitiveTools: []string{}, TimeoutSeconds: 0}, nil
 	}
 	if err != nil {
 		return nil, err
 	}
+	if timeout < 0 {
+		timeout = 0
+	}
 	tools := make([]string, 0)
 	_ = json.Unmarshal([]byte(toolsJSON), &tools)
 	return &HITLRequest{
@@ -389,6 +393,12 @@ func (m *HITLManager) waitDecision(ctx context.Context, p *pendingInterrupt, tim
 		delete(m.pending, p.InterruptID)
 		m.mu.Unlock()
 	}()
+	var timeoutCh <-chan time.Time
+	if timeout > 0 {
+		timer := time.NewTimer(timeout)
+		defer timer.Stop()
+		timeoutCh = timer.C
+	}
 	select {
 	case d := <-p.decideCh:
 		// 只有 review_edit 模式允许改参；其他模式一律忽略 edited arguments
@@ -398,7 +408,7 @@ func (m *HITLManager) waitDecision(ctx context.Context, p *pendingInterrupt, tim
 		_, _ = m.db.Exec(`UPDATE hitl_interrupts SET status='decided', decision=?, decision_comment=?, decided_at=? WHERE id=?`,
 			d.Decision, d.Comment, time.Now(), p.InterruptID)
 		return d, nil
-	case <-time.After(timeout):
+	case <-timeoutCh:
 		_, _ = m.db.Exec(`UPDATE hitl_interrupts SET status='timeout', decision='approve', decision_comment='timeout auto approve', decided_at=? WHERE id=?`,
 			time.Now(), p.InterruptID)
 		return hitlDecision{Decision: "approve", Comment: "timeout auto approve"}, nil
@@ -718,8 +728,8 @@ func (h *AgentHandler) GetHITLConversationConfig(c *gin.Context) {
 			cfg2 := *cfg
 			cfg2.Enabled = true
 			cfg2.Mode = normalizeHitlMode(pendMode)
-			if cfg2.TimeoutSeconds <= 0 {
-				cfg2.TimeoutSeconds = 300
+			if cfg2.TimeoutSeconds < 0 {
+				cfg2.TimeoutSeconds = 0
 			}
 			cfg = &cfg2
 		}

internal/handler/notification.go

@@ -0,0 +1,642 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"cyberstrike-ai/internal/database"
+	"github.com/gin-gonic/gin"
+	"go.uber.org/zap"
+)
+
+// NotificationHandler 聚合通知（Phase 2：服务端统一计算）
+type NotificationHandler struct {
+	db           *database.DB
+	agentHandler *AgentHandler
+	logger       *zap.Logger
+}
+
+const notificationReadMaxRows = 150
+
+// NotificationSummaryItem 通知项
+type NotificationSummaryItem struct {
+	ID         string `json:"id"`
+	Level      string `json:"level"` // p0/p1/p2
+	Type       string `json:"type"`
+	Title      string `json:"title"`
+	Desc       string `json:"desc"`
+	Ts         string `json:"ts"` // RFC3339
+	Count      int    `json:"count,omitempty"`
+	Actionable bool   `json:"actionable"`
+	Read       bool   `json:"read"`
+	// 以下字段用于前端深链跳转（通知即入口）
+	ConversationID  string `json:"conversationId,omitempty"`
+	VulnerabilityID string `json:"vulnerabilityId,omitempty"`
+	ExecutionID     string `json:"executionId,omitempty"`
+	InterruptID     string `json:"interruptId,omitempty"`
+}
+
+// NotificationSummaryResponse 聚合响应
+type NotificationSummaryResponse struct {
+	SinceMs     int64                     `json:"sinceMs"`
+	GeneratedAt string                    `json:"generatedAt"`
+	P0Count     int                       `json:"p0Count"`
+	UnreadCount int                       `json:"unreadCount"`
+	Counts      map[string]int            `json:"counts"`
+	Items       []NotificationSummaryItem `json:"items"`
+}
+
+func NewNotificationHandler(db *database.DB, agentHandler *AgentHandler, logger *zap.Logger) *NotificationHandler {
+	return &NotificationHandler{
+		db:           db,
+		agentHandler: agentHandler,
+		logger:       logger,
+	}
+}
+
+func parseSinceMs(raw string) int64 {
+	v := strings.TrimSpace(raw)
+	if v == "" {
+		return 0
+	}
+	if ms, err := strconv.ParseInt(v, 10, 64); err == nil && ms > 0 {
+		return ms
+	}
+	if t, err := time.Parse(time.RFC3339, v); err == nil {
+		return t.UnixMilli()
+	}
+	return 0
+}
+
+func unixSecToRFC3339(sec int64) string {
+	if sec <= 0 {
+		return time.Now().UTC().Format(time.RFC3339)
+	}
+	return time.Unix(sec, 0).UTC().Format(time.RFC3339)
+}
+
+func normalizedSinceSec(sinceMs int64) int64 {
+	sec := sinceMs / 1000
+	// SQLite 默认时间精度到秒；给 1s 回看窗口，避免“同秒内新增”被漏算。
+	if sec > 0 {
+		return sec - 1
+	}
+	return 0
+}
+
+func normalizeSinceMs(raw int64) int64 {
+	if raw > 0 {
+		return raw
+	}
+	// 默认仅看最近 24 小时，避免首次打开拉全量历史噪音。
+	return time.Now().Add(-24 * time.Hour).UnixMilli()
+}
+
+func levelBySeverity(sev string) string {
+	switch strings.ToLower(strings.TrimSpace(sev)) {
+	case "critical", "high":
+		return "p0"
+	case "medium":
+		return "p1"
+	default:
+		return "p2"
+	}
+}
+
+func requestWantsEnglish(c *gin.Context) bool {
+	if c == nil {
+		return false
+	}
+	lang := strings.ToLower(strings.TrimSpace(c.Query("lang")))
+	if lang == "" {
+		lang = strings.ToLower(strings.TrimSpace(c.GetHeader("Accept-Language")))
+	}
+	return strings.HasPrefix(lang, "en")
+}
+
+func i18nText(english bool, zh string, en string) string {
+	if english {
+		return en
+	}
+	return zh
+}
+
+func (h *NotificationHandler) loadPendingHITLItems(limit int, english bool) ([]NotificationSummaryItem, error) {
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			conversation_id,
+			tool_name,
+			COALESCE(CAST(strftime('%s', created_at) AS INTEGER), 0)
+		FROM hitl_interrupts
+		WHERE status = 'pending'
+		ORDER BY created_at DESC
+		LIMIT ?
+	`, limit)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	for rows.Next() {
+		var id, conversationID, toolName string
+		var createdSec int64
+		if err := rows.Scan(&id, &conversationID, &toolName, &createdSec); err != nil {
+			continue
+		}
+		desc := i18nText(english, "会话 "+conversationID+" 的审批中断待处理", "Conversation "+conversationID+" has pending HITL approval")
+		if strings.TrimSpace(toolName) != "" {
+			desc = i18nText(english, "工具 "+toolName+" 等待审批", "Tool "+toolName+" is waiting for approval")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:             "hitl:" + id,
+			Level:          "p0",
+			Type:           "hitl_pending",
+			Title:          i18nText(english, "HITL 待审批", "HITL Pending Approval"),
+			Desc:           desc,
+			Ts:             unixSecToRFC3339(createdSec),
+			Count:          1,
+			Actionable:     true,
+			Read:           false,
+			ConversationID: conversationID,
+			InterruptID:    id,
+		})
+	}
+	return items, nil
+}
+
+func (h *NotificationHandler) loadVulnerabilityItems(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, map[string]int, error) {
+	sinceSec := normalizedSinceSec(sinceMs)
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			title,
+			severity,
+			conversation_id,
+			COALESCE(CAST(strftime('%s', created_at) AS INTEGER), 0)
+		FROM vulnerabilities
+		WHERE CAST(strftime('%s', created_at) AS INTEGER) > ?
+		ORDER BY created_at DESC
+		LIMIT ?
+	`, sinceSec, limit)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	counts := map[string]int{
+		"newCriticalVulns": 0,
+		"newHighVulns":     0,
+		"newMediumVulns":   0,
+		"newLowVulns":      0,
+		"newInfoVulns":     0,
+	}
+	for rows.Next() {
+		var id, title, severity, conversationID string
+		var createdSec int64
+		if err := rows.Scan(&id, &title, &severity, &conversationID, &createdSec); err != nil {
+			continue
+		}
+		switch strings.ToLower(strings.TrimSpace(severity)) {
+		case "critical":
+			counts["newCriticalVulns"]++
+		case "high":
+			counts["newHighVulns"]++
+		case "medium":
+			counts["newMediumVulns"]++
+		case "low":
+			counts["newLowVulns"]++
+		default:
+			counts["newInfoVulns"]++
+		}
+		sevUpper := strings.ToUpper(strings.TrimSpace(severity))
+		if sevUpper == "" {
+			sevUpper = "INFO"
+		}
+		finalTitle := i18nText(english, "新漏洞（"+sevUpper+"）", "New Vulnerability ("+sevUpper+")")
+		finalDesc := strings.TrimSpace(title)
+		if finalDesc == "" {
+			finalDesc = i18nText(english, "（无标题）", "(Untitled)")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:              "vuln:" + id,
+			Level:           levelBySeverity(severity),
+			Type:            "vulnerability_created",
+			Title:           finalTitle,
+			Desc:            finalDesc,
+			Ts:              unixSecToRFC3339(createdSec),
+			Count:           1,
+			Actionable:      false,
+			Read:            false,
+			ConversationID:  conversationID,
+			VulnerabilityID: id,
+		})
+	}
+	return items, counts, nil
+}
+
+func (h *NotificationHandler) loadFailedExecutionItems(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, int, error) {
+	sinceSec := normalizedSinceSec(sinceMs)
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			tool_name,
+			COALESCE(CAST(strftime('%s', start_time) AS INTEGER), 0)
+		FROM tool_executions
+		WHERE status = 'failed'
+		  AND CAST(strftime('%s', start_time) AS INTEGER) > ?
+		ORDER BY start_time DESC
+		LIMIT ?
+	`, sinceSec, limit)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	count := 0
+	for rows.Next() {
+		var id, toolName string
+		var startSec int64
+		if err := rows.Scan(&id, &toolName, &startSec); err != nil {
+			continue
+		}
+		count++
+		if strings.TrimSpace(toolName) == "" {
+			toolName = i18nText(english, "未知工具", "unknown")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:          "exec_failed:" + id,
+			Level:       "p0",
+			Type:        "task_failed",
+			Title:       i18nText(english, "任务执行失败", "Task Execution Failed"),
+			Desc:        i18nText(english, "工具 "+toolName+" 执行失败", "Tool "+toolName+" execution failed"),
+			Ts:          unixSecToRFC3339(startSec),
+			Count:       1,
+			Actionable:  false,
+			Read:        false,
+			ExecutionID: id,
+		})
+	}
+	return items, count, nil
+}
+
+func (h *NotificationHandler) summarizeLongRunningTasks(threshold time.Duration, english bool) ([]NotificationSummaryItem, int) {
+	if h.agentHandler == nil || h.agentHandler.tasks == nil {
+		return nil, 0
+	}
+	tasks := h.agentHandler.tasks.GetActiveTasks()
+	now := time.Now()
+	items := make([]NotificationSummaryItem, 0, len(tasks))
+	for _, t := range tasks {
+		if t == nil {
+			continue
+		}
+		if now.Sub(t.StartedAt) >= threshold {
+			items = append(items, NotificationSummaryItem{
+				ID:             "task_long:" + t.ConversationID,
+				Level:          "p1",
+				Type:           "long_running_tasks",
+				Title:          i18nText(english, "长时间运行任务", "Long Running Task"),
+				Desc:           i18nText(english, "会话 "+t.ConversationID+" 运行超过 15 分钟", "Conversation "+t.ConversationID+" has been running over 15 minutes"),
+				Ts:             t.StartedAt.UTC().Format(time.RFC3339),
+				Count:          1,
+				Actionable:     true,
+				Read:           false,
+				ConversationID: t.ConversationID,
+			})
+		}
+	}
+	return items, len(items)
+}
+
+func (h *NotificationHandler) summarizeCompletedTasksSince(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, int) {
+	if h.agentHandler == nil || h.agentHandler.tasks == nil {
+		return nil, 0
+	}
+	since := time.UnixMilli(sinceMs)
+	completed := h.agentHandler.tasks.GetCompletedTasks()
+	items := make([]NotificationSummaryItem, 0, limit)
+	for _, t := range completed {
+		if t == nil {
+			continue
+		}
+		if t.CompletedAt.After(since) {
+			items = append(items, NotificationSummaryItem{
+				ID:             "task_completed:" + t.ConversationID + ":" + strconv.FormatInt(t.CompletedAt.Unix(), 10),
+				Level:          "p2",
+				Type:           "task_completed",
+				Title:          i18nText(english, "任务完成", "Task Completed"),
+				Desc:           i18nText(english, "会话 "+t.ConversationID+" 已完成", "Conversation "+t.ConversationID+" completed"),
+				Ts:             t.CompletedAt.UTC().Format(time.RFC3339),
+				Count:          1,
+				Actionable:     false,
+				Read:           false,
+				ConversationID: t.ConversationID,
+			})
+			if len(items) >= limit {
+				break
+			}
+		}
+	}
+	return items, len(items)
+}
+
+func buildPlaceholders(n int) string {
+	if n <= 0 {
+		return ""
+	}
+	out := make([]string, 0, n)
+	for i := 0; i < n; i++ {
+		out = append(out, "?")
+	}
+	return strings.Join(out, ",")
+}
+
+func (h *NotificationHandler) readStatesByIDs(ids []string) (map[string]bool, error) {
+	result := make(map[string]bool, len(ids))
+	if len(ids) == 0 {
+		return result, nil
+	}
+	holders := buildPlaceholders(len(ids))
+	query := "SELECT event_id FROM notification_reads WHERE event_id IN (" + holders + ")"
+	args := make([]interface{}, 0, len(ids))
+	for _, id := range ids {
+		args = append(args, id)
+	}
+	rows, err := h.db.Query(query, args...)
+	if err != nil {
+		return result, err
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var id string
+		if err := rows.Scan(&id); err != nil {
+			continue
+		}
+		result[id] = true
+	}
+	return result, nil
+}
+
+func (h *NotificationHandler) applyReadStates(items []NotificationSummaryItem) ([]NotificationSummaryItem, error) {
+	markableIDs := make([]string, 0, len(items))
+	for _, item := range items {
+		if item.Actionable {
+			continue
+		}
+		markableIDs = append(markableIDs, item.ID)
+	}
+	readMap, err := h.readStatesByIDs(markableIDs)
+	if err != nil {
+		return items, err
+	}
+	for i := range items {
+		if items[i].Actionable {
+			items[i].Read = false
+			continue
+		}
+		items[i].Read = readMap[items[i].ID]
+	}
+	return items, nil
+}
+
+func filterVisibleItems(items []NotificationSummaryItem) []NotificationSummaryItem {
+	out := make([]NotificationSummaryItem, 0, len(items))
+	for _, item := range items {
+		if item.Actionable || !item.Read {
+			out = append(out, item)
+		}
+	}
+	return out
+}
+
+func countP0(items []NotificationSummaryItem) int {
+	total := 0
+	for _, item := range items {
+		if item.Level == "p0" {
+			if item.Count > 0 {
+				total += item.Count
+			} else {
+				total++
+			}
+		}
+	}
+	return total
+}
+
+func countUnread(items []NotificationSummaryItem) int {
+	total := 0
+	for _, item := range items {
+		if item.Actionable || !item.Read {
+			if item.Count > 0 {
+				total += item.Count
+			} else {
+				total++
+			}
+		}
+	}
+	return total
+}
+
+func createNotificationReadTableIfNeeded(db *database.DB) error {
+	if db == nil {
+		return fmt.Errorf("db is nil")
+	}
+	_, err := db.Exec(`
+		CREATE TABLE IF NOT EXISTS notification_reads (
+			event_id TEXT PRIMARY KEY,
+			read_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+		);
+	`)
+	if err != nil {
+		return err
+	}
+	_, idxErr := db.Exec(`CREATE INDEX IF NOT EXISTS idx_notification_reads_read_at ON notification_reads(read_at DESC);`)
+	return idxErr
+}
+
+func pruneNotificationReads(db *database.DB, maxRows int) error {
+	if db == nil {
+		return fmt.Errorf("db is nil")
+	}
+	if maxRows <= 0 {
+		return nil
+	}
+	_, err := db.Exec(`
+		DELETE FROM notification_reads
+		WHERE event_id NOT IN (
+			SELECT event_id
+			FROM notification_reads
+			ORDER BY read_at DESC, rowid DESC
+			LIMIT ?
+		)
+	`, maxRows)
+	return err
+}
+
+type markReadRequest struct {
+	EventIDs []string `json:"eventIds"`
+}
+
+func normalizeMarkableEventID(id string) (string, bool) {
+	v := strings.TrimSpace(id)
+	if v == "" {
+		return "", false
+	}
+	// 仅允许“可读后隐藏”的信息类事件；Actionable 事件不参与 read 标记。
+	allowedPrefixes := []string{
+		"vuln:",
+		"exec_failed:",
+		"task_completed:",
+	}
+	for _, prefix := range allowedPrefixes {
+		if strings.HasPrefix(v, prefix) {
+			return v, true
+		}
+	}
+	return "", false
+}
+
+// MarkRead 按事件 ID 标记已读
+func (h *NotificationHandler) MarkRead(c *gin.Context) {
+	if err := createNotificationReadTableIfNeeded(h.db); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to prepare notification read table"})
+		return
+	}
+	var req markReadRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+	if len(req.EventIDs) == 0 {
+		c.JSON(http.StatusOK, gin.H{"ok": true, "marked": 0})
+		return
+	}
+	tx, err := h.db.Begin()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to begin transaction"})
+		return
+	}
+	defer func() {
+		_ = tx.Rollback()
+	}()
+	stmt, err := tx.Prepare(`
+		INSERT INTO notification_reads(event_id, read_at)
+		VALUES(?, CURRENT_TIMESTAMP)
+		ON CONFLICT(event_id) DO UPDATE SET read_at = CURRENT_TIMESTAMP
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to prepare statement"})
+		return
+	}
+	defer stmt.Close()
+	marked := 0
+	for _, raw := range req.EventIDs {
+		id, ok := normalizeMarkableEventID(raw)
+		if !ok {
+			continue
+		}
+		if _, err := stmt.Exec(id); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to mark read"})
+			return
+		}
+		marked++
+	}
+	if err := tx.Commit(); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to commit read marks"})
+		return
+	}
+	if err := pruneNotificationReads(h.db, notificationReadMaxRows); err != nil {
+		h.logger.Warn("裁剪通知已读记录失败", zap.Error(err))
+	}
+	c.JSON(http.StatusOK, gin.H{"ok": true, "marked": marked})
+}
+
+// GetSummary 返回通知聚合视图（用于头部铃铛）
+func (h *NotificationHandler) GetSummary(c *gin.Context) {
+	if h.db == nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "database unavailable"})
+		return
+	}
+
+	if err := createNotificationReadTableIfNeeded(h.db); err != nil {
+		h.logger.Warn("初始化通知已读表失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to initialize notification read table"})
+		return
+	}
+
+	english := requestWantsEnglish(c)
+	sinceMs := normalizeSinceMs(parseSinceMs(c.Query("since")))
+	limit, _ := strconv.Atoi(strings.TrimSpace(c.DefaultQuery("limit", "50")))
+	if limit <= 0 {
+		limit = 50
+	}
+	if limit > 200 {
+		limit = 200
+	}
+
+	hitlItems, err := h.loadPendingHITLItems(limit, english)
+	if err != nil {
+		h.logger.Warn("加载 HITL 通知失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to summarize hitl notifications"})
+		return
+	}
+
+	vulnItems, vulnCounts, err := h.loadVulnerabilityItems(sinceMs, limit, english)
+	if err != nil {
+		h.logger.Warn("加载漏洞通知失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to summarize vulnerabilities"})
+		return
+	}
+
+	longRunningItems, longRunningCount := h.summarizeLongRunningTasks(15*time.Minute, english)
+	completedItems, completedCount := h.summarizeCompletedTasksSince(sinceMs, limit, english)
+
+	items := make([]NotificationSummaryItem, 0, len(hitlItems)+len(vulnItems)+len(longRunningItems)+len(completedItems))
+	items = append(items, hitlItems...)
+	items = append(items, vulnItems...)
+	items = append(items, longRunningItems...)
+	items = append(items, completedItems...)
+
+	items, err = h.applyReadStates(items)
+	if err != nil {
+		h.logger.Warn("加载通知已读状态失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load notification read states"})
+		return
+	}
+	items = filterVisibleItems(items)
+
+	sort.Slice(items, func(i, j int) bool {
+		ti, errI := time.Parse(time.RFC3339, items[i].Ts)
+		tj, errJ := time.Parse(time.RFC3339, items[j].Ts)
+		if errI != nil || errJ != nil {
+			return i < j
+		}
+		return ti.After(tj)
+	})
+
+	p0Count := countP0(items)
+	unreadCount := countUnread(items)
+	c.JSON(http.StatusOK, NotificationSummaryResponse{
+		SinceMs:     sinceMs,
+		GeneratedAt: time.Now().UTC().Format(time.RFC3339),
+		P0Count:     p0Count,
+		UnreadCount: unreadCount,
+		Counts: map[string]int{
+			"hitlPending":      len(hitlItems),
+			"newCriticalVulns": vulnCounts["newCriticalVulns"],
+			"newHighVulns":     vulnCounts["newHighVulns"],
+			"newMediumVulns":   vulnCounts["newMediumVulns"],
+			"newLowVulns":      vulnCounts["newLowVulns"],
+			"newInfoVulns":     vulnCounts["newInfoVulns"],
+			"failedExecutions": 0,
+			"longRunningTasks": longRunningCount,
+			"completedTasks":   completedCount,
+		},
+		Items: items,
+	})
+}

internal/openai/claude_bridge.go

@@ -752,25 +752,33 @@ func isClaudeProvider(cfg *config.OpenAIConfig) bool {
 // Eino HTTP Client Bridge
 // ============================================================
 
-// NewEinoHTTPClient 为 einoopenai.ChatModelConfig 返回一个支持 Claude 自动桥接的 http.Client。
-// 当 cfg.Provider 为 claude 时，会拦截 /chat/completions 请求，透明转换为 Anthropic Messages API。
+// NewEinoHTTPClient 为 einoopenai.ChatModelConfig 返回一个 http.Client，包含两层 transport 包装：
+//  1. 当 cfg.Provider 为 claude 时，最内层套 claudeRoundTripper，把 OpenAI /chat/completions 透明
+//     桥接为 Anthropic /v1/messages（并把 Claude SSE 翻译回 OpenAI SSE 格式）。
+//  2. 最外层无条件套 einoSSESanitizingRoundTripper，吞掉中转站发的 SSE 心跳/注释/控制行
+//     (": keepalive" / "event: ping" / "retry: 3000" 等)，避免 Eino 用的 meguminnnnnnnnn/go-openai
+//     SDK 在累计超过 300 个非 "data:" 行后抛 "stream has sent too many empty messages"。
+//
+// 两层都对调用方完全透明：普通 JSON 响应原样透传，仅当响应 Content-Type 为 text/event-stream 时
+// sanitizer 才会接管 body；data: payload (含 [DONE]、{"error":...}) 一字节不改。
 func NewEinoHTTPClient(cfg *config.OpenAIConfig, base *http.Client) *http.Client {
 	if base == nil {
 		base = http.DefaultClient
 	}
-	if !isClaudeProvider(cfg) {
-		return base
-	}
 
 	cloned := *base
 	transport := base.Transport
 	if transport == nil {
 		transport = http.DefaultTransport
 	}
-	cloned.Transport = &claudeRoundTripper{
-		base:   transport,
-		config: cfg,
+	if isClaudeProvider(cfg) {
+		transport = &claudeRoundTripper{
+			base:   transport,
+			config: cfg,
+		}
 	}
+	transport = &einoSSESanitizingRoundTripper{base: transport}
+	cloned.Transport = transport
 	return &cloned
 }
 

internal/openai/eino_sse_sanitizer.go

@@ -0,0 +1,149 @@
+package openai
+
+// eino_sse_sanitizer.go 解决 Eino 走 meguminnnnnnnnn/go-openai SDK 时，
+// 中转站心跳/SSE 控制行累计 > 300 行触发 ErrTooManyEmptyStreamMessages
+// （报错文案: "stream has sent too many empty messages"）的问题。
+//
+// 触发链路:
+//   einoopenai.NewChatModel
+//     → eino-ext/libs/acl/openai → meguminnnnnnnnn/go-openai
+//     → streamReader.processLines() 对所有非 "data:" 行计数, > 300 即抛错。
+//
+// 中转站常见的非 data: 行（合法 SSE 但 SDK 不接受）:
+//   ":" / ": keepalive" / ": ping" / "event: ping" / "retry: 3000"
+//   以及思考型模型 prefill 期间穿插的大量心跳。
+//
+// 兜底策略: 在 HTTP transport 层把响应 Body 包一层 reader, 只放行 "data:"
+// 开头的行, 把心跳/注释/事件类型行就地吞掉。下游 SDK 永远见不到非 data: 行,
+// 计数器始终为 0, 该错误不可能再发生。
+//
+// 该层对调用方完全透明:
+//   - 仅当响应 Content-Type 是 text/event-stream 时介入；普通 JSON 响应原样透传
+//   - data: payload (含 [DONE] 与 {"error":...}) 一字节不改
+//   - 上游真断流 (EOF / connection reset / context cancel) 原样透传
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"net/http"
+	"strings"
+)
+
+const (
+	// einoSSEReaderBufSize 给 bufio 一个较大的初始缓冲, 避免单行大 JSON chunk
+	// (含工具调用 arguments / reasoning_content) 频繁触发缓冲区扩容。
+	einoSSEReaderBufSize = 64 * 1024
+)
+
+// einoSSESanitizingRoundTripper 包装下游 RoundTripper, 对 SSE 响应做行级清洗。
+type einoSSESanitizingRoundTripper struct {
+	base http.RoundTripper
+}
+
+func (rt *einoSSESanitizingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := rt.base.RoundTrip(req)
+	if err != nil || resp == nil {
+		return resp, err
+	}
+	if !isSSEResponse(resp) {
+		return resp, nil
+	}
+	resp.Body = newEinoSSESanitizingBody(resp.Body)
+	return resp, nil
+}
+
+// isSSEResponse 仅对 200 + text/event-stream 的响应做清洗;
+// 错误响应 (4xx/5xx 通常是 application/json) 不动, 由 SDK 走原错误路径。
+func isSSEResponse(resp *http.Response) bool {
+	if resp.StatusCode != http.StatusOK {
+		return false
+	}
+	ct := resp.Header.Get("Content-Type")
+	if ct == "" {
+		return false
+	}
+	ct = strings.ToLower(strings.TrimSpace(ct))
+	// 兼容 "text/event-stream", "text/event-stream; charset=utf-8" 等。
+	return strings.HasPrefix(ct, "text/event-stream")
+}
+
+// einoSSESanitizingBody 是包装后的响应体: 只放行 data: 行, 其它行吞掉。
+type einoSSESanitizingBody struct {
+	upstream io.ReadCloser
+	reader   *bufio.Reader
+	pending  []byte // 已清洗、待返回给下游的字节 (永远以 \n 结尾的完整 data: 行)
+	err      error  // upstream 终态错误 (io.EOF 或网络错误)
+}
+
+func newEinoSSESanitizingBody(body io.ReadCloser) *einoSSESanitizingBody {
+	return &einoSSESanitizingBody{
+		upstream: body,
+		reader:   bufio.NewReaderSize(body, einoSSEReaderBufSize),
+	}
+}
+
+func (b *einoSSESanitizingBody) Read(p []byte) (int, error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	if len(b.pending) > 0 {
+		n := copy(p, b.pending)
+		b.pending = b.pending[n:]
+		return n, nil
+	}
+
+	// 从上游读, 直到攒出一行 data: 或拿到终态。
+	// 单次循环可能丢弃任意多行心跳, 但只放行至多一行 data: 后退出,
+	// 避免一次 Read 阻塞过久 / pending 缓冲过大。
+	for b.err == nil {
+		line, err := b.reader.ReadBytes('\n')
+		if len(line) > 0 {
+			if isPassThroughSSELine(line) {
+				if line[len(line)-1] != '\n' {
+					line = append(line, '\n')
+				}
+				b.pending = line
+				if err != nil {
+					b.err = err
+				}
+				break
+			}
+			// 非 data: 行 (空行 / ":" 注释 / event: / retry: / id: / 任何裸文本)
+			// 全部吞掉, 不向下游透出, 继续循环读下一行。
+		}
+		if err != nil {
+			b.err = err
+			break
+		}
+	}
+
+	if len(b.pending) > 0 {
+		n := copy(p, b.pending)
+		b.pending = b.pending[n:]
+		return n, nil
+	}
+	return 0, b.err
+}
+
+func (b *einoSSESanitizingBody) Close() error {
+	return b.upstream.Close()
+}
+
+// isPassThroughSSELine 判定该行是否需要原样放行给下游 SDK。
+// 仅 "data:" (大小写不敏感, 可有任意前导空白) 开头的行需要保留。
+// 注意: 不能用 TrimSpace 去尾部换行后再判, 否则 "  data: x" 会被误判;
+// 我们只 trim 前导空白, 与 SDK 内部 TrimSpace 后再正则 ^data:\s* 的语义一致。
+func isPassThroughSSELine(line []byte) bool {
+	trimmed := bytes.TrimLeft(line, " \t")
+	if len(trimmed) < 5 {
+		return false
+	}
+	// 大小写不敏感比较前 5 字节是否为 "data:"。SSE 规范要求字段名小写,
+	// 但宽松匹配可以兼容个别中转站的非规范实现。
+	return (trimmed[0] == 'd' || trimmed[0] == 'D') &&
+		(trimmed[1] == 'a' || trimmed[1] == 'A') &&
+		(trimmed[2] == 't' || trimmed[2] == 'T') &&
+		(trimmed[3] == 'a' || trimmed[3] == 'A') &&
+		trimmed[4] == ':'
+}

internal/openai/eino_sse_sanitizer_test.go

@@ -0,0 +1,303 @@
+package openai
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"regexp"
+	"strings"
+	"testing"
+)
+
+// 复现 meguminnnnnnnnn/go-openai 的 SSE 行计数算法 (默认 limit=300):
+// - 逐行读
+// - 非 "data:" 行 (空行 / ":" 注释 / event: / retry:) 累计 emptyMessagesCount
+// - > 300 抛 ErrTooManyEmptyStreamMessages
+// - 遇到 data: 行 reset, 返回 payload
+//
+// 这一算法与上游 SDK 的 stream_reader.go processLines() 严格一致 (验证依据见
+// /Users/temp/go/pkg/mod/github.com/meguminnnnnnnnn/go-openai@v0.1.2/stream_reader.go)。
+// 测试中只复刻 "限制触发" 这一行为, 用来回归验证 sanitizer 的根因修复。
+var errTooManyEmptyStreamMessages = errors.New("stream has sent too many empty messages")
+
+func sdkLikeRecvAll(body io.Reader, limit uint) ([]string, error) {
+	headerData := regexp.MustCompile(`^data:\s*`)
+	r := bufio.NewReader(body)
+	var payloads []string
+	for {
+		var emptyMessagesCount uint
+		var payload []byte
+		for {
+			line, err := r.ReadBytes('\n')
+			if err != nil {
+				if err == io.EOF {
+					return payloads, nil
+				}
+				return payloads, err
+			}
+			noSpace := bytes.TrimSpace(line)
+			if !headerData.Match(noSpace) {
+				emptyMessagesCount++
+				if emptyMessagesCount > limit {
+					return payloads, errTooManyEmptyStreamMessages
+				}
+				continue
+			}
+			payload = headerData.ReplaceAll(noSpace, nil)
+			break
+		}
+		if string(payload) == "[DONE]" {
+			return payloads, nil
+		}
+		payloads = append(payloads, string(payload))
+	}
+}
+
+func newSSEServer(t *testing.T, body string, contentType string, status int) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		if contentType != "" {
+			w.Header().Set("Content-Type", contentType)
+		}
+		w.WriteHeader(status)
+		_, _ = io.WriteString(w, body)
+	}))
+}
+
+func sanitizingClient(base *http.Client) *http.Client {
+	if base == nil {
+		base = &http.Client{}
+	}
+	cloned := *base
+	transport := base.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+	cloned.Transport = &einoSSESanitizingRoundTripper{base: transport}
+	return &cloned
+}
+
+func readAll(t *testing.T, body io.ReadCloser) string {
+	t.Helper()
+	defer body.Close()
+	out, err := io.ReadAll(body)
+	if err != nil {
+		t.Fatalf("read body: %v", err)
+	}
+	return string(out)
+}
+
+// 1) 仅 data: 行 → 一字节不改地透传。
+func TestSSESanitizer_PassesDataLinesUnchanged(t *testing.T) {
+	body := "data: {\"a\":1}\ndata: {\"b\":2}\ndata: [DONE]\n"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("body mismatch:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 2) 心跳/注释/事件类型行被吞掉, 仅保留 data: 行。
+func TestSSESanitizer_DropsHeartbeatsAndControlLines(t *testing.T) {
+	body := strings.Join([]string{
+		": keepalive",
+		"",
+		"event: ping",
+		"retry: 3000",
+		"id: 42",
+		"data: {\"x\":1}",
+		": ping",
+		"",
+		"data: {\"x\":2}",
+		"data: [DONE]",
+		"",
+	}, "\n")
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	want := "data: {\"x\":1}\ndata: {\"x\":2}\ndata: [DONE]\n"
+	if got != want {
+		t.Fatalf("sanitized body mismatch:\nwant %q\ngot  %q", want, got)
+	}
+}
+
+// 3) 根因回归: 上游堆 500 行心跳后才发 data:, 原始 SDK 算法会抛
+// ErrTooManyEmptyStreamMessages, sanitize 之后必须能正常拿到所有 data:。
+func TestSSESanitizer_ProtectsAgainstTooManyEmptyMessages(t *testing.T) {
+	const heartbeats = 500
+	var buf bytes.Buffer
+	for i := 0; i < heartbeats; i++ {
+		buf.WriteString(": keepalive\n")
+	}
+	buf.WriteString("data: {\"chunk\":1}\n")
+	buf.WriteString("data: {\"chunk\":2}\n")
+	buf.WriteString("data: [DONE]\n")
+
+	t.Run("baseline_without_sanitizer_must_fail", func(t *testing.T) {
+		_, err := sdkLikeRecvAll(bytes.NewReader(buf.Bytes()), 300)
+		if !errors.Is(err, errTooManyEmptyStreamMessages) {
+			t.Fatalf("expected ErrTooManyEmptyStreamMessages, got %v", err)
+		}
+	})
+
+	t.Run("with_sanitizer_must_succeed", func(t *testing.T) {
+		srv := newSSEServer(t, buf.String(), "text/event-stream", 200)
+		defer srv.Close()
+
+		resp, err := sanitizingClient(nil).Get(srv.URL)
+		if err != nil {
+			t.Fatalf("get: %v", err)
+		}
+		defer resp.Body.Close()
+
+		payloads, err := sdkLikeRecvAll(resp.Body, 300)
+		if err != nil {
+			t.Fatalf("sdk-like recv after sanitize: %v", err)
+		}
+		want := []string{`{"chunk":1}`, `{"chunk":2}`}
+		if len(payloads) != len(want) {
+			t.Fatalf("payload count mismatch: want %d got %d (%v)", len(want), len(payloads), payloads)
+		}
+		for i, w := range want {
+			if payloads[i] != w {
+				t.Fatalf("payload[%d] mismatch: want %q got %q", i, w, payloads[i])
+			}
+		}
+	})
+}
+
+// 4) 心跳穿插在 data: 之间也能正确清洗 (思考型模型 prefill 期间常见)。
+func TestSSESanitizer_HeartbeatsInterleavedWithData(t *testing.T) {
+	var buf bytes.Buffer
+	buf.WriteString("data: {\"chunk\":1}\n")
+	for i := 0; i < 400; i++ {
+		buf.WriteString(": keepalive\n")
+	}
+	buf.WriteString("data: {\"chunk\":2}\n")
+	buf.WriteString("data: [DONE]\n")
+
+	srv := newSSEServer(t, buf.String(), "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	defer resp.Body.Close()
+
+	payloads, err := sdkLikeRecvAll(resp.Body, 300)
+	if err != nil {
+		t.Fatalf("sdk-like recv: %v", err)
+	}
+	if got, want := len(payloads), 2; got != want {
+		t.Fatalf("payload count: want %d got %d", want, got)
+	}
+}
+
+// 5) 非 SSE 响应 (例如非流式 JSON) 不应被 sanitizer 介入。
+func TestSSESanitizer_PassesNonSSEResponseUntouched(t *testing.T) {
+	body := `{"id":"x","object":"chat.completion","choices":[]}`
+	srv := newSSEServer(t, body, "application/json", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("non-SSE body must be untouched:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 6) 错误响应 (4xx/5xx) 不应被 sanitize, 即使 Content-Type 是 SSE 也不动,
+//    避免吞掉类似 "data: " 之外的错误正文。
+func TestSSESanitizer_PassesNon200Untouched(t *testing.T) {
+	body := `{"error":{"message":"rate limit"}}`
+	srv := newSSEServer(t, body, "text/event-stream", 429)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("error body must be untouched:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 7) data: 行末尾若缺 \n (异常上游) sanitizer 也补齐, 保证下游按行解析。
+func TestSSESanitizer_AppendsTrailingNewlineIfMissing(t *testing.T) {
+	body := "data: {\"a\":1}"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	want := "data: {\"a\":1}\n"
+	if got != want {
+		t.Fatalf("trailing newline:\nwant %q\ngot  %q", want, got)
+	}
+}
+
+// 8) 大 chunk (一行数十 KB) 也能完整透传, 不被切断。
+func TestSSESanitizer_LargeDataLinePassesIntact(t *testing.T) {
+	huge := strings.Repeat("x", 80*1024)
+	body := "data: {\"big\":\"" + huge + "\"}\ndata: [DONE]\n"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("large body length mismatch: want %d got %d", len(body), len(got))
+	}
+}
+
+// 9) isPassThroughSSELine 单元覆盖。
+func TestIsPassThroughSSELine(t *testing.T) {
+	cases := []struct {
+		line string
+		want bool
+	}{
+		{"data: {\"a\":1}\n", true},
+		{"DATA: x\n", true},
+		{"  data: x\n", true},
+		{"data:\n", true},
+		{"\n", false},
+		{"\r\n", false},
+		{": keepalive\n", false},
+		{":\n", false},
+		{"event: ping\n", false},
+		{"retry: 3000\n", false},
+		{"id: 42\n", false},
+		{"datax: y\n", false},
+		{"da", false},
+	}
+	for _, c := range cases {
+		if got := isPassThroughSSELine([]byte(c.line)); got != c.want {
+			t.Errorf("isPassThroughSSELine(%q) = %v, want %v", c.line, got, c.want)
+		}
+	}
+}

web/static/i18n/en-US.json

@@ -20,7 +20,13 @@
     "copied": "Copied",
     "copyFailed": "Copy failed",
     "view": "View",
-    "actions": "Actions"
+    "actions": "Actions",
+    "loadFailed": "Load failed",
+    "untitled": "Untitled",
+    "justNow": "Just now",
+    "minutesAgo": "{{n}} min ago",
+    "hoursAgo": "{{n}} h ago",
+    "daysAgo": "{{n}} d ago"
   },
   "header": {
     "title": "CyberStrikeAI",
@@ -33,6 +39,13 @@
     "version": "Current version",
     "toggleSidebar": "Collapse/expand sidebar"
   },
+  "notifications": {
+    "title": "Notifications",
+    "empty": "No new events",
+    "markAllRead": "Mark all read",
+    "markSingleRead": "Read",
+    "itemDefaultTitle": "Notification"
+  },
   "login": {
     "title": "Sign in to CyberStrikeAI",
     "subtitle": "Enter the access password from config",
@@ -81,6 +94,7 @@
     "severityMedium": "Medium",
     "severityLow": "Low",
     "severityInfo": "Info",
+    "totalVulns": "Total vulnerabilities",
     "runOverview": "Run overview",
     "batchQueues": "Batch task queues",
     "pending": "Pending",
@@ -107,7 +121,80 @@
     "toUse": "To use",
     "active": "Active",
     "highFreq": "High frequency",
-    "noCallData": "No call data"
+    "noCallData": "No call data",
+    "lastUpdated": "Last updated",
+    "viewAll": "View all →",
+    "recentVulns": "Recent vulnerabilities",
+    "noVulnYet": "No vulnerabilities yet — start your first scan",
+    "capabilities": "Capabilities",
+    "mcpTools": "MCP tools",
+    "rolesLabel": "Roles",
+    "agentsLabel": "Agents",
+    "webshellLabel": "WebShell",
+    "pendingCountLabel": "{{count}} pending",
+    "highCountLabel": "High {{count}}",
+    "toolsCountLabel_one": "{{count}} tool",
+    "toolsCountLabel_other": "{{count}} tools",
+    "failedNCalls_one": "{{count}} failed",
+    "failedNCalls_other": "{{count}} failed",
+    "noCallYet": "No calls yet",
+    "allClear": "No new risks",
+    "allIdle": "System idle",
+    "executingNow": "Running",
+    "healthyStatus": "Healthy",
+    "normalStatus": "Mostly OK",
+    "degradedStatus": "Needs attention",
+    "alertTitle": "Heads up",
+    "alertWarningTitle": "Needs attention",
+    "alertDangerTitle": "Action required",
+    "alertCriticalReason_one": "{{count}} open critical vulnerability — please review immediately",
+    "alertCriticalReason_other": "{{count}} open critical vulnerabilities — please review immediately",
+    "alertFailedReason_one": "Tool success rate is low ({{count}} failed call) — check MCP monitor",
+    "alertFailedReason_other": "Tool success rate is low ({{count}} failed calls) — check MCP monitor",
+    "alertHitlReason_one": "{{count}} HITL request pending — Agent is waiting for your decision",
+    "alertHitlReason_other": "{{count}} HITL requests pending — Agent is waiting for your decision",
+    "alertMcpDownReason_one": "{{count}} External MCP server is down — related tools are unavailable",
+    "alertMcpDownReason_other": "{{count}} External MCP servers are down — related tools are unavailable",
+    "alertDismiss": "Dismiss (this session)",
+    "openHighCountLabel": "Open high {{count}}",
+    "allHandled": "All high severity handled",
+    "viewVulns": "View vulnerabilities",
+    "viewMonitor": "View monitor",
+    "viewHitl": "Approve",
+    "viewMcpManagement": "Manage MCP",
+    "statusOpen": "Open",
+    "statusConfirmed": "Confirmed",
+    "statusFixed": "Fixed",
+    "statusFalsePositive": "False positive",
+    "fixRate": "Fix rate",
+    "dataStale": "Data may be stale — please refresh",
+    "recommendedActions": "Recommended Actions",
+    "recommendedActionsHint": "Generated based on current state",
+    "recoFixCritical_one": "Fix {{count}} open critical vulnerability",
+    "recoFixCritical_other": "Fix {{count}} open critical vulnerabilities",
+    "recoFixCriticalDesc": "Critical-level vulnerabilities should be addressed first",
+    "recoApproveHitl_one": "Approve {{count}} HITL request",
+    "recoApproveHitl_other": "Approve {{count}} HITL requests",
+    "recoApproveHitlDesc": "Agent needs your decision to proceed",
+    "recoRestartMcp_one": "Check {{count}} stopped External MCP",
+    "recoRestartMcp_other": "Check {{count}} stopped External MCPs",
+    "recoRestartMcpDesc": "Related tools are unavailable until MCP recovers",
+    "recoCheckMonitor_one": "Investigate {{count}} failed tool call",
+    "recoCheckMonitor_other": "Investigate {{count}} failed tool calls",
+    "recoCheckMonitorDesc": "View failed request details in MCP monitor",
+    "recoSetupMcp": "Configure your first MCP tool",
+    "recoSetupMcpDesc": "Install MCP server before Agent can invoke specific capabilities",
+    "recoStartScan": "Start your first scan",
+    "recoStartScanDesc": "Describe your target in chat, AI will help execute",
+    "recentEvents": "Recent Events",
+    "eventUntitled": "Event",
+    "externalMcpServers": "External MCP",
+    "mcpAllRunning": "All running",
+    "mcpPartialDown_one": "{{count}} stopped",
+    "mcpPartialDown_other": "{{count}} stopped",
+    "mcpAllDown": "All stopped",
+    "noVulnDesc": "System looks safe — start a scan to discover potential issues",
+    "startScanBtn": "Go to chat to scan"
   },
   "chat": {
     "newChat": "New chat",
@@ -239,7 +326,20 @@
   },
   "hitl": {
     "pageTitle": "HITL approvals",
-    "pendingTitle": "Pending approvals"
+    "pendingTitle": "Pending approvals",
+    "loading": "Loading...",
+    "emptyState": "No pending approvals",
+    "dismiss": "Dismiss",
+    "conversationLabel": "Conversation:",
+    "reviewEditHelp": "Review & edit mode: provide a JSON object to override tool arguments. Example: {\"command\":\"ls -la\"}",
+    "approvalHelp": "Approval mode: only approve/reject, argument editing is disabled.",
+    "commentHelp": "Comment (optional): briefly note the approval reason.",
+    "commentPlaceholder": "e.g. allow read-only command",
+    "reject": "Reject",
+    "approve": "Approve",
+    "loadFailed": "Failed to load",
+    "invalidJson": "Invalid JSON arguments",
+    "submitFailedPrefix": "Submit failed:"
   },
   "progress": {
     "callingAI": "Calling AI model...",

web/static/i18n/zh-CN.json

@@ -20,7 +20,13 @@
     "copied": "已复制",
     "copyFailed": "复制失败",
     "view": "查看",
-    "actions": "操作"
+    "actions": "操作",
+    "loadFailed": "加载失败",
+    "untitled": "未命名",
+    "justNow": "刚刚",
+    "minutesAgo": "{{n}} 分钟前",
+    "hoursAgo": "{{n}} 小时前",
+    "daysAgo": "{{n}} 天前"
   },
   "header": {
     "title": "CyberStrikeAI",
@@ -33,6 +39,13 @@
     "version": "当前版本",
     "toggleSidebar": "折叠/展开侧边栏"
   },
+  "notifications": {
+    "title": "事件通知",
+    "empty": "暂无新事件",
+    "markAllRead": "标记已读",
+    "markSingleRead": "已读",
+    "itemDefaultTitle": "通知"
+  },
   "login": {
     "title": "登录 CyberStrikeAI",
     "subtitle": "请输入配置中的访问密码",
@@ -81,6 +94,7 @@
     "severityMedium": "中危",
     "severityLow": "低危",
     "severityInfo": "信息",
+    "totalVulns": "总漏洞数",
     "runOverview": "运行概览",
     "batchQueues": "批量任务队列",
     "pending": "待执行",
@@ -107,7 +121,69 @@
     "toUse": "待使用",
     "active": "活跃",
     "highFreq": "高频",
-    "noCallData": "暂无调用数据"
+    "noCallData": "暂无调用数据",
+    "lastUpdated": "上次更新",
+    "viewAll": "查看全部 →",
+    "recentVulns": "最近漏洞",
+    "noVulnYet": "暂无漏洞，开始你的第一次扫描吧",
+    "capabilities": "能力总览",
+    "mcpTools": "MCP 工具",
+    "rolesLabel": "角色",
+    "agentsLabel": "Agents",
+    "webshellLabel": "WebShell",
+    "pendingCountLabel": "{{count}} 待执行",
+    "highCountLabel": "高危 {{count}}",
+    "toolsCountLabel": "{{count}} 个工具",
+    "failedNCalls": "{{count}} 次失败",
+    "noCallYet": "暂无调用",
+    "allClear": "暂无新增风险",
+    "allIdle": "系统空闲",
+    "executingNow": "正在执行",
+    "healthyStatus": "运行平稳",
+    "normalStatus": "基本正常",
+    "degradedStatus": "需要关注",
+    "alertTitle": "需要关注",
+    "alertWarningTitle": "需要关注",
+    "alertDangerTitle": "需要立即处理",
+    "alertCriticalReason": "存在 {{count}} 个待处理的严重漏洞，建议立即处置",
+    "alertFailedReason": "工具调用成功率偏低（{{count}} 次失败），请检查 MCP 监控",
+    "alertHitlReason": "有 {{count}} 个待审批的人机协同请求，Agent 正在等待你的决策",
+    "alertMcpDownReason": "External MCP 服务器有 {{count}} 个未运行，相关工具不可用",
+    "alertDismiss": "忽略此提醒（仅本次会话）",
+    "openHighCountLabel": "待处理高危 {{count}}",
+    "allHandled": "高严重度已全部处置",
+    "viewVulns": "查看漏洞",
+    "viewMonitor": "查看监控",
+    "viewHitl": "前往审批",
+    "viewMcpManagement": "管理 MCP",
+    "statusOpen": "待处理",
+    "statusConfirmed": "已确认",
+    "statusFixed": "已修复",
+    "statusFalsePositive": "误报",
+    "fixRate": "修复率",
+    "dataStale": "数据可能已过期，请手动刷新",
+    "recommendedActions": "推荐操作",
+    "recommendedActionsHint": "基于当前状态自动生成",
+    "recoFixCritical": "修复 {{count}} 个待处理严重漏洞",
+    "recoFixCriticalDesc": "严重等级的漏洞应优先处置",
+    "recoApproveHitl": "审批 {{count}} 个 HITL 请求",
+    "recoApproveHitlDesc": "Agent 正在等待你的决策才能继续",
+    "recoRestartMcp": "检查 {{count}} 个未运行的 External MCP",
+    "recoRestartMcpDesc": "相关工具在 MCP 服务恢复前不可用",
+    "recoCheckMonitor": "排查 {{count}} 次工具调用失败",
+    "recoCheckMonitorDesc": "在 MCP 监控中查看失败的请求详情",
+    "recoSetupMcp": "配置首个 MCP 工具",
+    "recoSetupMcpDesc": "安装 MCP 服务后 Agent 才能调用具体能力",
+    "recoStartScan": "开始第一次扫描",
+    "recoStartScanDesc": "在对话中描述目标，让 AI 协助执行",
+    "recentEvents": "最近事件",
+    "eventUntitled": "事件",
+    "externalMcpServers": "External MCP",
+    "mcpAllRunning": "全部运行",
+    "mcpPartialDown": "{{count}} 个未运行",
+    "mcpAllDown": "全部未运行",
+    "noVulnDesc": "系统目前安全，开始一次扫描可以发现潜在问题",
+    "startScanBtn": "前往对话发起扫描"
   },
   "chat": {
     "newChat": "新对话",
@@ -239,7 +315,20 @@
   },
   "hitl": {
     "pageTitle": "人机协同审批",
-    "pendingTitle": "待处理审批"
+    "pendingTitle": "待处理审批",
+    "loading": "加载中...",
+    "emptyState": "暂无待审批项",
+    "dismiss": "忽略",
+    "conversationLabel": "会话：",
+    "reviewEditHelp": "审查编辑模式：可填写 JSON 对象覆盖参数。示例：{\"command\":\"ls -la\"}",
+    "approvalHelp": "审批模式：仅通过/拒绝，不支持改参。",
+    "commentHelp": "备注（可选）：建议写审批依据。",
+    "commentPlaceholder": "例如：允许只读命令",
+    "reject": "拒绝",
+    "approve": "通过",
+    "loadFailed": "加载失败",
+    "invalidJson": "JSON 参数格式错误",
+    "submitFailedPrefix": "提交失败："
   },
   "progress": {
     "callingAI": "正在调用AI模型...",

web/static/js/hitl.js

@@ -7,6 +7,19 @@ function hitlModeNormalize(m) {
     return allowed.indexOf(v) >= 0 ? v : 'off';
 }
 
+function hitlT(key, fallback, params) {
+    const fullKey = 'hitl.' + key;
+    try {
+        if (typeof window.t === 'function') {
+            const translated = window.t(fullKey, params || {});
+            if (typeof translated === 'string' && translated && translated !== fullKey) {
+                return translated;
+            }
+        }
+    } catch (e) {}
+    return fallback;
+}
+
 function hitlEffectiveEnabled(cfg) {
     if (!cfg) return false;
     if (cfg.enabled === true) return true;
@@ -36,6 +49,18 @@ function hitlSensitiveToolsToArray(config) {
     return [];
 }
 
+function normalizeHitlTimeoutSeconds(v, fallback) {
+    const n = Number(v);
+    if (Number.isFinite(n)) {
+        return n > 0 ? Math.floor(n) : 0;
+    }
+    const f = Number(fallback);
+    if (Number.isFinite(f)) {
+        return f > 0 ? Math.floor(f) : 0;
+    }
+    return 0;
+}
+
 function getCurrentConversationIdForHitl() {
     if (typeof window.currentConversationId === 'string' && window.currentConversationId) {
         return window.currentConversationId;
@@ -84,6 +109,7 @@ async function saveHitlConversationConfig(conversationId, config) {
     const mode = hitlModeNormalize(config.mode || 'off');
     const enabled = typeof config.enabled === 'boolean' ? config.enabled : (mode !== 'off');
     const sensitiveTools = hitlSensitiveToolsToArray(config);
+    const timeoutSeconds = normalizeHitlTimeoutSeconds(config.timeoutSeconds, 0);
     const resp = await hitlApiFetch('/api/hitl/config', {
         method: 'PUT',
         credentials: 'same-origin',
@@ -93,7 +119,7 @@ async function saveHitlConversationConfig(conversationId, config) {
             enabled: enabled,
             mode: mode,
             sensitiveTools: sensitiveTools,
-            timeoutSeconds: config.timeoutSeconds || 300
+            timeoutSeconds: timeoutSeconds
         })
     });
     if (!resp.ok) {
@@ -126,7 +152,7 @@ async function syncHitlConfigFromServer(conversationId) {
                 enabled: true,
                 mode: localMode,
                 sensitiveTools: localToolsStr.split(/[,\n\r]+/).map(function (s) { return s.trim(); }).filter(Boolean),
-                timeoutSeconds: cfg.timeoutSeconds || 300
+                timeoutSeconds: normalizeHitlTimeoutSeconds(cfg.timeoutSeconds, 0)
             };
             saveHitlConversationConfig(conversationId, {
                 mode: localMode,
@@ -146,7 +172,7 @@ async function syncHitlConfigFromServer(conversationId) {
                     enabled: true,
                     mode: glMode,
                     sensitiveTools: glToolsStr.split(/[,\n\r]+/).map(function (s) { return s.trim(); }).filter(Boolean),
-                    timeoutSeconds: cfg.timeoutSeconds || 300
+                    timeoutSeconds: normalizeHitlTimeoutSeconds(cfg.timeoutSeconds, 0)
                 };
                 saveHitlConversationConfig(conversationId, {
                     mode: glMode,
@@ -265,7 +291,7 @@ async function followAgentRunAfterHitlDecision(conversationId) {
 async function refreshHitlPending() {
     const container = document.getElementById('hitl-pending-list');
     if (!container) return;
-    container.innerHTML = '<div class="loading-spinner">Loading...</div>';
+    container.innerHTML = '<div class="loading-spinner">' + escapeHtml(hitlT('loading', 'Loading...')) + '</div>';
     try {
         const resp = await hitlApiFetch('/api/hitl/pending', { credentials: 'same-origin' });
         if (!resp.ok) {
@@ -274,7 +300,7 @@ async function refreshHitlPending() {
         const data = await resp.json();
         const items = Array.isArray(data.items) ? data.items : [];
         if (!items.length) {
-            container.innerHTML = '<div class="empty-state">暂无待审批项</div>';
+            container.innerHTML = '<div class="empty-state">' + escapeHtml(hitlT('emptyState', 'No pending approvals')) + '</div>';
             return;
         }
         container.innerHTML = items.map(function (item) {
@@ -292,25 +318,25 @@ async function refreshHitlPending() {
                 '<span class="hitl-tool-badge">' + escapeHtml(item.toolName || '-') + '</span>' +
                 '<span class="hitl-mode-tag hitl-mode-tag--' + escapeHtml(mode) + '">' + escapeHtml(item.mode || '-') + '</span>' +
                 '</div>' +
-                '<button class="hitl-dismiss-btn" title="忽略" onclick="dismissHitlItem(' + qId + ')">&times;</button>' +
+                '<button class="hitl-dismiss-btn" title="' + escapeHtml(hitlT('dismiss', 'Dismiss')) + '" onclick="dismissHitlItem(' + qId + ')">&times;</button>' +
                 '</div>' +
-                '<div class="hitl-pending-meta">会话：' + escapeHtml(item.conversationId || '-') + '</div>' +
+                '<div class="hitl-pending-meta">' + escapeHtml(hitlT('conversationLabel', 'Conversation:')) + ' ' + escapeHtml(item.conversationId || '-') + '</div>' +
                 '<pre class="hitl-pending-payload">' + escapeHtml(preview) + '</pre>' +
                 (allowEdit
-                    ? ('<div class="hitl-input-help">审查编辑模式：可填写 JSON 对象覆盖参数。示例：{"command":"ls -la"}</div>' +
+                    ? ('<div class="hitl-input-help">' + escapeHtml(hitlT('reviewEditHelp', 'Review & edit mode: provide a JSON object to override tool arguments. Example: {"command":"ls -la"}')) + '</div>' +
                        '<textarea id="hitl-edit-' + escId + '" class="hitl-edit-args" placeholder=\'{"command":"ls -la"}\'></textarea>')
-                    : '<div class="hitl-input-help">审批模式：仅通过/拒绝，不支持改参。</div>') +
-                '<div class="hitl-input-help">备注（可选）：建议写审批依据。</div>' +
-                '<input id="hitl-comment-' + escId + '" class="hitl-config-input hitl-inline-comment" type="text" placeholder="例如：允许只读命令">' +
+                    : '<div class="hitl-input-help">' + escapeHtml(hitlT('approvalHelp', 'Approval mode: only approve/reject, argument editing is disabled.')) + '</div>') +
+                '<div class="hitl-input-help">' + escapeHtml(hitlT('commentHelp', 'Comment (optional): briefly note the approval reason.')) + '</div>' +
+                '<input id="hitl-comment-' + escId + '" class="hitl-config-input hitl-inline-comment" type="text" placeholder="' + escapeHtml(hitlT('commentPlaceholder', 'e.g. allow read-only command')) + '">' +
                 '<div class="hitl-pending-actions">' +
-                '<button class="btn-secondary" onclick="submitHitlDecision(' + qId + ',&quot;reject&quot;,' + qConv + ')">拒绝</button>' +
-                '<button class="btn-primary" onclick="submitHitlDecision(' + qId + ',&quot;approve&quot;,' + qConv + ')">通过</button>' +
+                '<button class="btn-secondary" onclick="submitHitlDecision(' + qId + ',&quot;reject&quot;,' + qConv + ')">' + escapeHtml(hitlT('reject', 'Reject')) + '</button>' +
+                '<button class="btn-primary" onclick="submitHitlDecision(' + qId + ',&quot;approve&quot;,' + qConv + ')">' + escapeHtml(hitlT('approve', 'Approve')) + '</button>' +
                 '</div>' +
                 '</div>'
             );
         }).join('');
     } catch (e) {
-        container.innerHTML = '<div class="empty-state">加载失败</div>';
+        container.innerHTML = '<div class="empty-state">' + escapeHtml(hitlT('loadFailed', 'Failed to load')) + '</div>';
     }
 }
 
@@ -323,7 +349,7 @@ async function submitHitlDecision(interruptId, decision, conversationIdOpt) {
         try {
             editedArguments = JSON.parse(editBox.value.trim());
         } catch (e) {
-            alert('JSON 参数格式错误');
+            alert(hitlT('invalidJson', 'Invalid JSON arguments'));
             return;
         }
     }
@@ -344,7 +370,7 @@ async function submitHitlDecisionWithPayload(interruptId, decision, comment, edi
             await dismissHitlItem(interruptId, true);
             return true;
         }
-        alert('提交失败：' + errText);
+        alert(hitlT('submitFailedPrefix', 'Submit failed:') + ' ' + errText);
         return false;
     }
     refreshHitlPending();

web/static/js/monitor.js

@@ -2348,9 +2348,28 @@ function renderActiveTasks(tasks) {
     bar.style.display = 'flex';
     bar.innerHTML = '';
 
+    function openActiveTaskConversation(conversationId) {
+        if (!conversationId) return;
+        if (typeof switchPage === 'function') {
+            switchPage('chat');
+        }
+        if (typeof window.loadConversation === 'function') {
+            setTimeout(function () {
+                window.loadConversation(conversationId);
+            }, 120);
+            return;
+        }
+        window.location.hash = 'chat?conversation=' + encodeURIComponent(conversationId);
+    }
+
     normalizedTasks.forEach(task => {
         const item = document.createElement('div');
-        item.className = 'active-task-item';
+        item.className = 'active-task-item active-task-item-clickable';
+        if (task && task.conversationId) {
+            item.title = (typeof window.t === 'function' ? window.t('tasks.viewConversation') : '查看会话');
+            item.setAttribute('role', 'button');
+            item.onclick = () => openActiveTaskConversation(task.conversationId);
+        }
 
         const startedTime = task.startedAt ? new Date(task.startedAt) : null;
         const taskTimeLocale = getCurrentTimeLocale();
@@ -2388,7 +2407,10 @@ function renderActiveTasks(tasks) {
         if (!isFinalStatus) {
             const cancelBtn = item.querySelector('.active-task-cancel');
             if (cancelBtn) {
-                cancelBtn.onclick = () => cancelActiveTask(task.conversationId, cancelBtn);
+                cancelBtn.onclick = (evt) => {
+                    evt.stopPropagation();
+                    cancelActiveTask(task.conversationId, cancelBtn);
+                };
                 if (task.status === 'cancelling') {
                     cancelBtn.disabled = true;
                     cancelBtn.textContent = typeof window.t === 'function' ? window.t('tasks.cancelling') : '取消中...';

web/static/js/notifications.js

@@ -0,0 +1,321 @@
+(function () {
+    const STORAGE_LAST_SEEN_KEY = 'cyberstrike-notification-last-seen-at';
+    const POLL_INTERVAL_ACTIVE_MS = 15000;
+    const POLL_INTERVAL_HIDDEN_MS = 60000;
+    const MAX_RENDER_ITEMS = 20;
+
+    const state = {
+        inFlight: false,
+        timerId: null,
+        dropdownOpen: false,
+        lastSeenAt: readLastSeenAt(),
+        items: [],
+        unreadCount: 0,
+    };
+
+    function readLastSeenAt() {
+        try {
+            const raw = localStorage.getItem(STORAGE_LAST_SEEN_KEY);
+            const n = Number(raw);
+            if (Number.isFinite(n) && n > 0) return n;
+        } catch (e) {
+            console.warn('读取通知已读时间失败:', e);
+        }
+        return 0;
+    }
+
+    function persistLastSeenAt(ts) {
+        try {
+            localStorage.setItem(STORAGE_LAST_SEEN_KEY, String(ts));
+        } catch (e) {
+            console.warn('保存通知已读时间失败:', e);
+        }
+    }
+
+    function getTimeMs(value) {
+        if (!value) return 0;
+        const d = new Date(value);
+        const ms = d.getTime();
+        return Number.isFinite(ms) ? ms : 0;
+    }
+
+    function getLocale() {
+        if (typeof window !== 'undefined') {
+            if (typeof window.__locale === 'string' && window.__locale) {
+                return window.__locale;
+            }
+            if (typeof window.currentLang === 'string' && window.currentLang) {
+                return window.currentLang;
+            }
+        }
+        return 'zh-CN';
+    }
+
+    function formatTime(value) {
+        const ms = getTimeMs(value);
+        if (!ms) return '-';
+        return new Date(ms).toLocaleString(getLocale());
+    }
+
+    function htmlEscape(value) {
+        if (typeof window.escapeHtml === 'function') {
+            return window.escapeHtml(value == null ? '' : String(value));
+        }
+        const div = document.createElement('div');
+        div.textContent = value == null ? '' : String(value);
+        return div.innerHTML;
+    }
+
+    function t(key, fallback, params) {
+        if (typeof window !== 'undefined' && typeof window.t === 'function') {
+            try {
+                const translated = window.t(key, params || {});
+                if (translated && translated !== key) return translated;
+            } catch (_ignored) {}
+        }
+        return fallback;
+    }
+
+    async function apiJson(url, options) {
+        if (typeof window.apiFetch !== 'function') return null;
+        const res = await window.apiFetch(url, options || {});
+        if (!res.ok) return null;
+        return res.json();
+    }
+
+    async function fetchNotificationSummary() {
+        const url = '/api/notifications/summary?since='
+            + encodeURIComponent(String(state.lastSeenAt || 0))
+            + '&limit=80&lang=' + encodeURIComponent(getLocale());
+        try {
+            const summary = await apiJson(url);
+            if (summary && typeof summary === 'object') {
+                return summary;
+            }
+        } catch (_ignored) {}
+        return null;
+    }
+
+    function renderBadge(count) {
+        const badge = document.getElementById('notification-badge');
+        const btn = document.getElementById('notification-bell-btn');
+        if (!badge || !btn) return;
+        if (count <= 0) {
+            badge.style.display = 'none';
+            btn.classList.remove('has-alert');
+            return;
+        }
+        const text = count > 99 ? '99+' : String(count);
+        badge.innerHTML = '<span class="notification-badge-text">' + htmlEscape(text) + '</span>';
+        badge.style.display = 'inline-block';
+        btn.classList.add('has-alert');
+    }
+
+    function countP0(items) {
+        return (Array.isArray(items) ? items : []).reduce((acc, item) => {
+            if (!item || item.level !== 'p0') return acc;
+            if (typeof item.count === 'number' && item.count > 0) return acc + item.count;
+            return acc + 1;
+        }, 0);
+    }
+
+    function markableItems(items) {
+        return (Array.isArray(items) ? items : []).filter(item => item && item.actionable !== true && item.id);
+    }
+
+    function hasAction(item) {
+        if (!item || !item.type) return false;
+        if (item.type === 'vulnerability_created' && item.vulnerabilityId) return true;
+        if ((item.type === 'task_completed' || item.type === 'long_running_tasks') && item.conversationId) return true;
+        if (item.type === 'task_failed' && item.executionId) return true;
+        if (item.type === 'hitl_pending') return true;
+        return false;
+    }
+
+    function openNotificationTarget(item) {
+        if (!item || !item.type) return;
+        if (item.type === 'vulnerability_created' && item.vulnerabilityId) {
+            window.location.hash = 'vulnerabilities?id=' + encodeURIComponent(item.vulnerabilityId);
+            return;
+        }
+        if ((item.type === 'task_completed' || item.type === 'long_running_tasks') && item.conversationId) {
+            window.location.hash = 'chat?conversation=' + encodeURIComponent(item.conversationId);
+            return;
+        }
+        if (item.type === 'task_failed' && item.executionId) {
+            window.location.hash = 'mcp-monitor';
+            setTimeout(function () {
+                if (typeof showMCPDetail === 'function') {
+                    showMCPDetail(item.executionId);
+                }
+            }, 450);
+            return;
+        }
+        if (item.type === 'hitl_pending') {
+            window.location.hash = 'hitl';
+        }
+    }
+
+    async function markItemsRead(eventIds) {
+        if (!Array.isArray(eventIds) || !eventIds.length) return true;
+        const payload = { eventIds: eventIds };
+        try {
+            const result = await apiJson('/api/notifications/read', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(payload),
+            });
+            return !!result;
+        } catch (_ignored) {
+            return false;
+        }
+    }
+
+    function renderNotificationList(items) {
+        const list = document.getElementById('notification-list');
+        if (!list) return;
+        const renderItems = Array.isArray(items) ? items.slice(0, MAX_RENDER_ITEMS) : [];
+        if (!renderItems.length) {
+            list.innerHTML = '<div class="notification-empty">' + htmlEscape(t('notifications.empty', '暂无新事件')) + '</div>';
+            return;
+        }
+        const html = renderItems.map(item => {
+            const canMarkRead = item.actionable !== true && !!item.id;
+            const canView = hasAction(item);
+            return `
+                <div class="notification-item notification-level-${htmlEscape(item.level || 'p2')}">
+                    <div class="notification-item-header">
+                        <div class="notification-item-title">${htmlEscape(item.title || t('notifications.itemDefaultTitle', '通知'))}</div>
+                        <div class="notification-item-actions">
+                            ${canView ? `<button class="notification-item-action-btn notification-item-view-btn" type="button" data-action-id="${htmlEscape(item.id || '')}">${htmlEscape(t('common.view', '查看'))}</button>` : ''}
+                            ${canMarkRead ? `<button class="notification-item-action-btn notification-item-read-btn" type="button" data-notification-id="${htmlEscape(item.id)}">${htmlEscape(t('notifications.markSingleRead', '已读'))}</button>` : ''}
+                        </div>
+                    </div>
+                    <div class="notification-item-desc">${htmlEscape(item.desc || '')}</div>
+                    <div class="notification-item-time">${htmlEscape(formatTime(item.ts))}</div>
+                </div>
+            `;
+        }).join('');
+        list.innerHTML = html;
+        const viewButtons = list.querySelectorAll('.notification-item-view-btn');
+        viewButtons.forEach(btn => {
+            btn.addEventListener('click', function (event) {
+                event.preventDefault();
+                event.stopPropagation();
+                const eventID = btn.getAttribute('data-action-id') || '';
+                if (!eventID) return;
+                const item = state.items.find(it => it && it.id === eventID);
+                if (!item) return;
+                openNotificationTarget(item);
+                closeDropdown();
+            });
+        });
+        const readButtons = list.querySelectorAll('.notification-item-read-btn');
+        readButtons.forEach(btn => {
+            btn.addEventListener('click', async function (event) {
+                event.preventDefault();
+                event.stopPropagation();
+                const eventID = btn.getAttribute('data-notification-id') || '';
+                if (!eventID) return;
+                const ok = await markItemsRead([eventID]);
+                if (ok) {
+                    await refreshNotifications();
+                }
+            });
+        });
+    }
+
+    function closeDropdown() {
+        const dropdown = document.getElementById('notification-dropdown');
+        const bellBtn = document.getElementById('notification-bell-btn');
+        if (dropdown) dropdown.style.display = 'none';
+        if (bellBtn) bellBtn.classList.remove('active');
+        state.dropdownOpen = false;
+    }
+
+    function markSeenNow() {
+        state.lastSeenAt = Date.now();
+        persistLastSeenAt(state.lastSeenAt);
+    }
+
+    async function refreshNotifications() {
+        if (state.inFlight) return;
+        state.inFlight = true;
+        try {
+            const summary = await fetchNotificationSummary();
+            const items = summary && Array.isArray(summary.items) ? summary.items : [];
+            state.items = items;
+            const unreadCount = summary && Number.isFinite(Number(summary.unreadCount))
+                ? Number(summary.unreadCount)
+                : countP0(items);
+            state.unreadCount = Math.max(0, unreadCount);
+            renderBadge(state.unreadCount);
+            renderNotificationList(items);
+        } catch (e) {
+            console.warn('刷新通知失败:', e);
+        } finally {
+            state.inFlight = false;
+        }
+    }
+
+    function scheduleNextPoll() {
+        if (state.timerId) {
+            window.clearTimeout(state.timerId);
+            state.timerId = null;
+        }
+        const interval = document.hidden ? POLL_INTERVAL_HIDDEN_MS : POLL_INTERVAL_ACTIVE_MS;
+        state.timerId = window.setTimeout(async function () {
+            await refreshNotifications();
+            scheduleNextPoll();
+        }, interval);
+    }
+
+    function handleDocumentClick(event) {
+        const container = document.querySelector('.notification-menu-container');
+        if (!container) return;
+        if (!container.contains(event.target)) {
+            closeDropdown();
+        }
+    }
+
+    async function toggleDropdown() {
+        const dropdown = document.getElementById('notification-dropdown');
+        const bellBtn = document.getElementById('notification-bell-btn');
+        if (!dropdown || !bellBtn) return;
+        const isOpen = dropdown.style.display !== 'none';
+        if (isOpen) {
+            closeDropdown();
+            return;
+        }
+        dropdown.style.display = 'block';
+        bellBtn.classList.add('active');
+        state.dropdownOpen = true;
+        await refreshNotifications();
+    }
+
+    async function markAllSeen() {
+        const ids = markableItems(state.items).map(item => item.id);
+        const ok = await markItemsRead(ids);
+        if (ok) {
+            markSeenNow();
+            await refreshNotifications();
+        }
+    }
+
+    function initNotifications() {
+        const bellBtn = document.getElementById('notification-bell-btn');
+        if (!bellBtn) return;
+        document.addEventListener('click', handleDocumentClick);
+        document.addEventListener('visibilitychange', scheduleNextPoll);
+        document.addEventListener('languagechange', function () {
+            refreshNotifications();
+        });
+        refreshNotifications();
+        scheduleNextPoll();
+    }
+
+    window.toggleNotificationDropdown = toggleDropdown;
+    window.markAllNotificationsSeen = markAllSeen;
+
+    document.addEventListener('DOMContentLoaded', initNotifications);
+})();

web/static/js/vulnerability.js

@@ -61,7 +61,7 @@ let vulnerabilityPagination = {
     totalPages: 1
 };
 
-// 从地址栏 #vulnerabilities?conversation_id= / ?task_id= 同步筛选（对话菜单、任务管理联动）
+// 从地址栏 #vulnerabilities?conversation_id= / ?task_id= / ?id= 同步筛选（通知/对话菜单/任务管理联动）
 function syncVulnerabilityFiltersFromLocationHash() {
     const hash = window.location.hash.slice(1);
     const hashParts = hash.split('?');
@@ -69,19 +69,27 @@ function syncVulnerabilityFiltersFromLocationHash() {
         return;
     }
     const params = new URLSearchParams(hashParts.slice(1).join('?'));
+    const vid = (params.get('id') || '').trim();
     const cid = (params.get('conversation_id') || '').trim();
     const tid = (params.get('task_id') || '').trim();
-    if (!cid && !tid) {
+    if (!vid && !cid && !tid) {
         return;
     }
 
+    vulnerabilityFilters.id = '';
     vulnerabilityFilters.conversation_id = '';
     vulnerabilityFilters.task_id = '';
+    const idEl = document.getElementById('vulnerability-id-filter');
     const convEl = document.getElementById('vulnerability-conversation-filter');
     const taskEl = document.getElementById('vulnerability-task-filter');
+    if (idEl) idEl.value = '';
     if (convEl) convEl.value = '';
     if (taskEl) taskEl.value = '';
 
+    if (vid) {
+        vulnerabilityFilters.id = vid;
+        if (idEl) idEl.value = vid;
+    }
     if (cid) {
         vulnerabilityFilters.conversation_id = cid;
         if (convEl) convEl.value = cid;
@@ -334,6 +342,13 @@ function renderVulnerabilities(vulnerabilities) {
     if (typeof window.applyTranslations === 'function') {
         window.applyTranslations(listContainer);
     }
+
+    // 如果通过漏洞ID筛选且只返回一条记录，自动展开详情（提升“点击查看”的用户体验）
+    if (vulnerabilities.length === 1 && vulnerabilityFilters.id && vulnerabilityFilters.id === vulnerabilities[0].id) {
+        setTimeout(() => {
+            toggleVulnerabilityDetails(vulnerabilities[0].id);
+        }, 300);
+    }
 }
 
 // 渲染分页控件

web/templates/index.html

@@ -63,6 +63,24 @@
                                 <div class="lang-option" data-lang="en-US" onclick="onLanguageSelect('en-US')">English</div>
                             </div>
                         </div>
+                        <div class="notification-menu-container">
+                            <button class="notification-btn" id="notification-bell-btn" onclick="toggleNotificationDropdown()" data-i18n="notifications.title" data-i18n-attr="title" data-i18n-skip-text="true" title="事件通知">
+                                <svg width="18" height="18" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+                                    <path d="M18 8a6 6 0 0 0-12 0c0 7-3 9-3 9h18s-3-2-3-9" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+                                    <path d="M13.73 21a2 2 0 0 1-3.46 0" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+                                </svg>
+                                <span class="notification-badge" id="notification-badge" style="display: none;">0</span>
+                            </button>
+                            <div id="notification-dropdown" class="notification-dropdown" style="display: none;">
+                                <div class="notification-dropdown-header">
+                                    <span id="notification-dropdown-title" data-i18n="notifications.title">事件通知</span>
+                                    <button class="notification-mark-read-btn" id="notification-mark-all-read-btn" type="button" onclick="markAllNotificationsSeen()" data-i18n="notifications.markAllRead">标记已读</button>
+                                </div>
+                                <div id="notification-list" class="notification-list">
+                                    <div class="notification-empty" data-i18n="notifications.empty">暂无新事件</div>
+                                </div>
+                            </div>
+                        </div>
                         <div class="user-menu-container">
                             <button class="user-avatar-btn" onclick="toggleUserMenu()" data-i18n="header.userMenu" data-i18n-attr="title" data-i18n-skip-text="true" title="用户菜单">
                                 <svg width="20" height="20" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
@@ -287,41 +305,207 @@
                         <div class="page-header">
                             <h2 data-i18n="dashboard.title">仪表盘</h2>
                             <div class="page-header-actions">
+                                <span class="dashboard-last-updated" id="dashboard-last-updated" aria-live="polite">
+                                    <svg class="dashboard-last-updated-icon" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="12" cy="12" r="10"/><polyline points="12 6 12 12 16 14"/></svg>
+                                    <span data-i18n="dashboard.lastUpdated">上次更新</span>
+                                    <span class="dashboard-last-updated-time" id="dashboard-last-updated-time">-</span>
+                                    <span class="dashboard-last-updated-stale" id="dashboard-last-updated-stale" hidden data-i18n="dashboard.dataStale" data-i18n-attr="title" title="数据可能已过期">
+                                        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"/><line x1="12" y1="9" x2="12" y2="13"/><line x1="12" y1="17" x2="12.01" y2="17"/></svg>
+                                    </span>
+                                </span>
                                 <button class="btn-secondary" onclick="refreshDashboard()" data-i18n="dashboard.refreshData" data-i18n-attr="title" title="刷新数据"><span data-i18n="common.refresh">刷新</span></button>
                             </div>
                         </div>
                         <div class="dashboard-content">
-                            <!-- 第一行：核心 KPI（仪表盘最佳实践：关键指标置顶） -->
+                            <!-- 关键提醒条（仅当存在严重风险时渲染，默认 hidden）；右侧 × 可在 session 内忽略 -->
+                            <div class="dashboard-alert-banner" id="dashboard-alert-banner" hidden>
+                                <span class="dashboard-alert-icon" aria-hidden="true">
+                                    <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"/><line x1="12" y1="9" x2="12" y2="13"/><line x1="12" y1="17" x2="12.01" y2="17"/></svg>
+                                </span>
+                                <div class="dashboard-alert-content">
+                                    <div class="dashboard-alert-title" id="dashboard-alert-title" data-i18n="dashboard.alertTitle">需要关注</div>
+                                    <div class="dashboard-alert-desc" id="dashboard-alert-desc"></div>
+                                </div>
+                                <div class="dashboard-alert-actions" id="dashboard-alert-actions"></div>
+                                <button type="button" class="dashboard-alert-close" id="dashboard-alert-close" data-i18n="dashboard.alertDismiss" data-i18n-attr="title" data-i18n-skip-text="true" title="忽略此提醒（仅本次会话）" aria-label="dismiss">
+                                    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.4" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+                                </button>
+                            </div>
+                            <!-- 第一行：核心 KPI（关键指标置顶 + 副标徽章承载次级信息） -->
                             <div class="dashboard-kpi-row" id="dashboard-cards">
-                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('tasks')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('tasks'); }" data-i18n="dashboard.clickToViewTasks" data-i18n-attr="title" title="点击查看任务管理"> <div class="dashboard-kpi-value" id="dashboard-running-tasks">-</div><div class="dashboard-kpi-label" data-i18n="dashboard.runningTasks">运行中任务</div></div>
-                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }" data-i18n="dashboard.clickToViewVuln" data-i18n-attr="title" title="点击查看漏洞管理"><div class="dashboard-kpi-value" id="dashboard-vuln-total">-</div><div class="dashboard-kpi-label" data-i18n="dashboard.vulnTotal">漏洞总数</div></div>
-                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('mcp-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('mcp-monitor'); }" data-i18n="dashboard.clickToViewMCP" data-i18n-attr="title" title="点击查看 MCP 监控"><div class="dashboard-kpi-value" id="dashboard-kpi-tools-calls">-</div><div class="dashboard-kpi-label" data-i18n="dashboard.toolCalls">工具调用次数</div></div>
-                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('mcp-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('mcp-monitor'); }" data-i18n="dashboard.clickToViewMCP" data-i18n-attr="title" title="点击查看 MCP 监控"><div class="dashboard-kpi-value" id="dashboard-kpi-success-rate">-</div><div class="dashboard-kpi-label" data-i18n="dashboard.successRate">工具执行成功率</div></div>
+                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('tasks')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('tasks'); }" data-i18n="dashboard.clickToViewTasks" data-i18n-attr="title" title="点击查看任务管理">
+                                    <div class="dashboard-kpi-head">
+                                        <div class="dashboard-kpi-label" data-i18n="dashboard.runningTasks">运行中任务</div>
+                                        <span class="dashboard-kpi-icon dashboard-kpi-icon-tasks" aria-hidden="true"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2v4"/><path d="M12 18v4"/><path d="M4.93 4.93l2.83 2.83"/><path d="M16.24 16.24l2.83 2.83"/><path d="M2 12h4"/><path d="M18 12h4"/><path d="M4.93 19.07l2.83-2.83"/><path d="M16.24 7.76l2.83-2.83"/></svg></span>
+                                    </div>
+                                    <div class="dashboard-kpi-value" id="dashboard-running-tasks">-</div>
+                                    <div class="dashboard-kpi-sub" id="dashboard-kpi-tasks-sub">
+                                        <span class="dashboard-kpi-sub-text" id="dashboard-kpi-tasks-sub-text">-</span>
+                                    </div>
+                                </div>
+                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }" data-i18n="dashboard.clickToViewVuln" data-i18n-attr="title" title="点击查看漏洞管理">
+                                    <div class="dashboard-kpi-head">
+                                        <div class="dashboard-kpi-label" data-i18n="dashboard.vulnTotal">漏洞总数</div>
+                                        <span class="dashboard-kpi-icon dashboard-kpi-icon-vuln" aria-hidden="true"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/></svg></span>
+                                    </div>
+                                    <div class="dashboard-kpi-value" id="dashboard-vuln-total">-</div>
+                                    <div class="dashboard-kpi-sub" id="dashboard-kpi-vuln-sub">
+                                        <span class="dashboard-kpi-sub-badge dashboard-kpi-sub-badge-critical" id="dashboard-kpi-vuln-critical-badge" hidden>
+                                            <span class="dashboard-kpi-sub-badge-dot"></span>
+                                            <span data-i18n="dashboard.severityCritical">严重</span>
+                                            <span id="dashboard-kpi-vuln-critical-count">0</span>
+                                        </span>
+                                        <span class="dashboard-kpi-sub-text" id="dashboard-kpi-vuln-sub-text" data-i18n="dashboard.allClear">暂无新增风险</span>
+                                    </div>
+                                </div>
+                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('mcp-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('mcp-monitor'); }" data-i18n="dashboard.clickToViewMCP" data-i18n-attr="title" title="点击查看 MCP 监控">
+                                    <div class="dashboard-kpi-head">
+                                        <div class="dashboard-kpi-label" data-i18n="dashboard.toolCalls">工具调用次数</div>
+                                        <span class="dashboard-kpi-icon dashboard-kpi-icon-calls" aria-hidden="true"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="22 12 18 12 15 21 9 3 6 12 2 12"/></svg></span>
+                                    </div>
+                                    <div class="dashboard-kpi-value" id="dashboard-kpi-tools-calls">-</div>
+                                    <div class="dashboard-kpi-sub">
+                                        <span class="dashboard-kpi-sub-text" id="dashboard-kpi-tools-sub-text">-</span>
+                                    </div>
+                                </div>
+                                <div class="dashboard-kpi-card" role="button" tabindex="0" onclick="switchPage('mcp-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('mcp-monitor'); }" data-i18n="dashboard.clickToViewMCP" data-i18n-attr="title" title="点击查看 MCP 监控">
+                                    <div class="dashboard-kpi-head">
+                                        <div class="dashboard-kpi-label" data-i18n="dashboard.successRate">工具执行成功率</div>
+                                        <span class="dashboard-kpi-icon dashboard-kpi-icon-rate" aria-hidden="true"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg></span>
+                                    </div>
+                                    <div class="dashboard-kpi-value" id="dashboard-kpi-success-rate">-</div>
+                                    <div class="dashboard-kpi-sub">
+                                        <span class="dashboard-kpi-sub-text" id="dashboard-kpi-rate-sub-text" data-i18n="dashboard.healthyStatus">运行平稳</span>
+                                    </div>
+                                </div>
                             </div>
                             <!-- 两列主内容区 -->
                             <div class="dashboard-grid">
                                 <div class="dashboard-main">
                                     <section class="dashboard-section dashboard-section-chart">
-                                        <h3 class="dashboard-section-title" data-i18n="dashboard.severityDistribution">漏洞严重程度分布</h3>
-                                        <div class="dashboard-chart-wrap">
-                                            <div class="dashboard-stacked-bar" id="dashboard-stacked-bar">
-                                                <span class="dashboard-bar-seg seg-critical" id="dashboard-bar-critical" style="width: 0%"></span>
-                                                <span class="dashboard-bar-seg seg-high" id="dashboard-bar-high" style="width: 0%"></span>
-                                                <span class="dashboard-bar-seg seg-medium" id="dashboard-bar-medium" style="width: 0%"></span>
-                                                <span class="dashboard-bar-seg seg-low" id="dashboard-bar-low" style="width: 0%"></span>
-                                                <span class="dashboard-bar-seg seg-info" id="dashboard-bar-info" style="width: 0%"></span>
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.severityDistribution">漏洞严重程度分布</h3>
+                                            <a class="dashboard-section-link" onclick="switchPage('vulnerabilities')" data-i18n="dashboard.viewAll">查看全部 →</a>
+                                        </div>
+                                        <div class="dashboard-severity-wrap">
+                                            <div class="dashboard-severity-chart">
+                                                <svg class="dashboard-severity-donut" id="dashboard-severity-donut" viewBox="0 0 480 260" preserveAspectRatio="xMidYMid meet" aria-hidden="true">
+                                                    <g id="dashboard-severity-donut-track"></g>
+                                                    <g id="dashboard-severity-donut-segments"></g>
+                                                    <g id="dashboard-severity-donut-labels"></g>
+                                                </svg>
+                                                <div class="dashboard-severity-center">
+                                                    <div class="dashboard-severity-center-value" id="dashboard-severity-total">0</div>
+                                                    <div class="dashboard-severity-center-label" data-i18n="dashboard.totalVulns">总漏洞数</div>
+                                                </div>
                                             </div>
-                                            <div class="dashboard-legend" id="dashboard-vuln-bars">
-                                                <div class="dashboard-legend-item"><span class="dashboard-legend-dot critical"></span><span class="dashboard-legend-label" data-i18n="dashboard.severityCritical">严重</span><span class="dashboard-legend-value" id="dashboard-severity-critical">0</span></div>
-                                                <div class="dashboard-legend-item"><span class="dashboard-legend-dot high"></span><span class="dashboard-legend-label" data-i18n="dashboard.severityHigh">高危</span><span class="dashboard-legend-value" id="dashboard-severity-high">0</span></div>
-                                                <div class="dashboard-legend-item"><span class="dashboard-legend-dot medium"></span><span class="dashboard-legend-label" data-i18n="dashboard.severityMedium">中危</span><span class="dashboard-legend-value" id="dashboard-severity-medium">0</span></div>
-                                                <div class="dashboard-legend-item"><span class="dashboard-legend-dot low"></span><span class="dashboard-legend-label" data-i18n="dashboard.severityLow">低危</span><span class="dashboard-legend-value" id="dashboard-severity-low">0</span></div>
-                                                <div class="dashboard-legend-item"><span class="dashboard-legend-dot info"></span><span class="dashboard-legend-label" data-i18n="dashboard.severityInfo">信息</span><span class="dashboard-legend-value" id="dashboard-severity-info">0</span></div>
+                                            <div class="dashboard-severity-legend" id="dashboard-vuln-bars">
+                                                <div class="dashboard-severity-legend-item">
+                                                    <span class="dashboard-severity-legend-dot critical"></span>
+                                                    <span class="dashboard-severity-legend-label" data-i18n="dashboard.severityCritical">严重</span>
+                                                    <span class="dashboard-severity-legend-value" id="dashboard-severity-critical">0</span>
+                                                    <span class="dashboard-severity-legend-pct" id="dashboard-severity-critical-pct">0%</span>
+                                                </div>
+                                                <div class="dashboard-severity-legend-item">
+                                                    <span class="dashboard-severity-legend-dot high"></span>
+                                                    <span class="dashboard-severity-legend-label" data-i18n="dashboard.severityHigh">高危</span>
+                                                    <span class="dashboard-severity-legend-value" id="dashboard-severity-high">0</span>
+                                                    <span class="dashboard-severity-legend-pct" id="dashboard-severity-high-pct">0%</span>
+                                                </div>
+                                                <div class="dashboard-severity-legend-item">
+                                                    <span class="dashboard-severity-legend-dot medium"></span>
+                                                    <span class="dashboard-severity-legend-label" data-i18n="dashboard.severityMedium">中危</span>
+                                                    <span class="dashboard-severity-legend-value" id="dashboard-severity-medium">0</span>
+                                                    <span class="dashboard-severity-legend-pct" id="dashboard-severity-medium-pct">0%</span>
+                                                </div>
+                                                <div class="dashboard-severity-legend-item">
+                                                    <span class="dashboard-severity-legend-dot low"></span>
+                                                    <span class="dashboard-severity-legend-label" data-i18n="dashboard.severityLow">低危</span>
+                                                    <span class="dashboard-severity-legend-value" id="dashboard-severity-low">0</span>
+                                                    <span class="dashboard-severity-legend-pct" id="dashboard-severity-low-pct">0%</span>
+                                                </div>
+                                                <div class="dashboard-severity-legend-item">
+                                                    <span class="dashboard-severity-legend-dot info"></span>
+                                                    <span class="dashboard-severity-legend-label" data-i18n="dashboard.severityInfo">信息</span>
+                                                    <span class="dashboard-severity-legend-value" id="dashboard-severity-info">0</span>
+                                                    <span class="dashboard-severity-legend-pct" id="dashboard-severity-info-pct">0%</span>
+                                                </div>
+                                            </div>
+                                        </div>
+                                        <!-- 处置状态 + 修复进度（利用 by_status 数据，避免下半部分留白） -->
+                                        <div class="dashboard-severity-status">
+                                            <div class="dashboard-severity-status-grid">
+                                                <div class="dashboard-severity-status-cell s-open" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }">
+                                                    <span class="dashboard-severity-status-icon" aria-hidden="true">
+                                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="9"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
+                                                    </span>
+                                                    <div class="dashboard-severity-status-text">
+                                                        <span class="dashboard-severity-status-value" id="dashboard-status-open">0</span>
+                                                        <span class="dashboard-severity-status-label" data-i18n="dashboard.statusOpen">待处理</span>
+                                                    </div>
+                                                </div>
+                                                <div class="dashboard-severity-status-cell s-confirmed" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }">
+                                                    <span class="dashboard-severity-status-icon" aria-hidden="true">
+                                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>
+                                                    </span>
+                                                    <div class="dashboard-severity-status-text">
+                                                        <span class="dashboard-severity-status-value" id="dashboard-status-confirmed">0</span>
+                                                        <span class="dashboard-severity-status-label" data-i18n="dashboard.statusConfirmed">已确认</span>
+                                                    </div>
+                                                </div>
+                                                <div class="dashboard-severity-status-cell s-fixed" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }">
+                                                    <span class="dashboard-severity-status-icon" aria-hidden="true">
+                                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/><polyline points="9 12 11 14 15 10"/></svg>
+                                                    </span>
+                                                    <div class="dashboard-severity-status-text">
+                                                        <span class="dashboard-severity-status-value" id="dashboard-status-fixed">0</span>
+                                                        <span class="dashboard-severity-status-label" data-i18n="dashboard.statusFixed">已修复</span>
+                                                    </div>
+                                                </div>
+                                                <div class="dashboard-severity-status-cell s-fp" role="button" tabindex="0" onclick="switchPage('vulnerabilities')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('vulnerabilities'); }">
+                                                    <span class="dashboard-severity-status-icon" aria-hidden="true">
+                                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><line x1="4.93" y1="4.93" x2="19.07" y2="19.07"/></svg>
+                                                    </span>
+                                                    <div class="dashboard-severity-status-text">
+                                                        <span class="dashboard-severity-status-value" id="dashboard-status-fp">0</span>
+                                                        <span class="dashboard-severity-status-label" data-i18n="dashboard.statusFalsePositive">误报</span>
+                                                    </div>
+                                                </div>
+                                            </div>
+                                            <div class="dashboard-severity-progress">
+                                                <div class="dashboard-severity-progress-meta">
+                                                    <span class="dashboard-severity-progress-title" data-i18n="dashboard.fixRate">修复率</span>
+                                                    <span class="dashboard-severity-progress-value">
+                                                        <span id="dashboard-fix-rate">0%</span>
+                                                        <span class="dashboard-severity-progress-detail" id="dashboard-fix-detail">(0 / 0)</span>
+                                                    </span>
+                                                </div>
+                                                <div class="dashboard-severity-progress-track" aria-hidden="true">
+                                                    <div class="dashboard-severity-progress-fixed" id="dashboard-fix-progress-fixed" style="width: 0%"></div>
+                                                    <div class="dashboard-severity-progress-confirmed" id="dashboard-fix-progress-confirmed" style="width: 0%"></div>
+                                                </div>
+                                                <div class="dashboard-severity-progress-legend">
+                                                    <span class="dashboard-severity-progress-legend-item"><span class="dashboard-severity-progress-legend-dot legend-fixed"></span><span data-i18n="dashboard.statusFixed">已修复</span></span>
+                                                    <span class="dashboard-severity-progress-legend-item"><span class="dashboard-severity-progress-legend-dot legend-confirmed"></span><span data-i18n="dashboard.statusConfirmed">已确认</span></span>
+                                                    <span class="dashboard-severity-progress-legend-item"><span class="dashboard-severity-progress-legend-dot legend-open"></span><span data-i18n="dashboard.statusOpen">待处理</span></span>
+                                                </div>
                                             </div>
                                         </div>
                                     </section>
+                                    <section class="dashboard-section dashboard-section-recent-vulns">
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.recentVulns">最近漏洞</h3>
+                                            <a class="dashboard-section-link" onclick="switchPage('vulnerabilities')" data-i18n="dashboard.viewAll">查看全部 →</a>
+                                        </div>
+                                        <div class="dashboard-recent-vulns" id="dashboard-recent-vulns">
+                                            <div class="dashboard-recent-vulns-empty" id="dashboard-recent-vulns-empty" data-i18n="dashboard.noVulnYet">暂无漏洞，开始你的第一次扫描吧</div>
+                                        </div>
+                                    </section>
                                     <section class="dashboard-section dashboard-section-overview">
-                                        <h3 class="dashboard-section-title" data-i18n="dashboard.runOverview">运行概览</h3>
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.batchQueues">批量任务队列</h3>
+                                            <a class="dashboard-section-link" onclick="switchPage('tasks')" data-i18n="dashboard.viewAll">查看全部 →</a>
+                                        </div>
                                         <div class="dashboard-overview-list">
                                             <div class="dashboard-overview-item dashboard-overview-item-batch" role="button" tabindex="0" onclick="switchPage('tasks')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('tasks'); }">
                                                 <span class="dashboard-overview-icon dashboard-overview-icon-batch" aria-hidden="true"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="3" y="3" width="7" height="7"/><rect x="14" y="3" width="7" height="7"/><rect x="14" y="14" width="7" height="7"/><rect x="3" y="14" width="7" height="7"/></svg></span>
@@ -356,80 +540,100 @@
                                                     </div>
                                                 </div>
                                             </div>
-                                            <div class="dashboard-overview-item dashboard-overview-item-tools" role="button" tabindex="0" onclick="switchPage('mcp-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('mcp-monitor'); }">
-                                                <span class="dashboard-overview-icon dashboard-overview-icon-tools" aria-hidden="true"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.77-3.77a6 6 0 0 1-7.94 7.94l-6.91 6.91a2.12 2.12 0 0 1-3-3l6.91-6.91a6 6 0 0 1 7.94-7.94l-3.76 3.76z"/></svg></span>
-                                                <div class="dashboard-overview-content">
-                                                    <div class="dashboard-overview-header">
-                                                        <span class="dashboard-overview-label" data-i18n="dashboard.toolInvocations">工具调用</span>
-                                                        <span class="dashboard-overview-success-rate" id="dashboard-tools-success-rate">-</span>
-                                                    </div>
-                                                    <div class="dashboard-overview-value-group">
-                                                        <span class="dashboard-overview-value-large" id="dashboard-tools-calls">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.callsUnit">次调用</span>
-                                                        <span class="dashboard-overview-value-separator">·</span>
-                                                        <span class="dashboard-overview-value-normal" id="dashboard-tools-count">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.toolsUnit">个工具</span>
-                                                    </div>
-                                                </div>
-                                            </div>
-                                            <div class="dashboard-overview-item dashboard-overview-item-knowledge" role="button" tabindex="0" onclick="switchPage('knowledge-management')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('knowledge-management'); }">
-                                                <span class="dashboard-overview-icon dashboard-overview-icon-knowledge" aria-hidden="true"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M4 19.5A2.5 2.5 0 0 1 6.5 17H20"></path><path d="M6.5 2H20v20H6.5A2.5 2.5 0 0 1 4 19.5v-15A2.5 2.5 0 0 1 6.5 2z"></path></svg></span>
-                                                <div class="dashboard-overview-content">
-                                                    <div class="dashboard-overview-header">
-                                                        <span class="dashboard-overview-label" data-i18n="dashboard.knowledgeLabel">知识</span>
-                                                        <span class="dashboard-overview-status" id="dashboard-knowledge-status">-</span>
-                                                    </div>
-                                                    <div class="dashboard-overview-value-group">
-                                                        <span class="dashboard-overview-value-large" id="dashboard-knowledge-items">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.knowledgeItems">项知识</span>
-                                                        <span class="dashboard-overview-value-separator">·</span>
-                                                        <span class="dashboard-overview-value-normal" id="dashboard-knowledge-categories">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.categoriesUnit">个分类</span>
-                                                    </div>
-                                                </div>
-                                            </div>
-                                            <div class="dashboard-overview-item dashboard-overview-item-skills" role="button" tabindex="0" onclick="switchPage('skills-monitor')" onkeydown="if(event.key==='Enter'||event.key===' ') { event.preventDefault(); switchPage('skills-monitor'); }">
-                                                <span class="dashboard-overview-icon dashboard-overview-icon-skills" aria-hidden="true"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"/><polyline points="14 2 14 8 20 8"/><line x1="16" y1="13" x2="8" y2="13"/><line x1="16" y1="17" x2="8" y2="17"/></svg></span>
-                                                <div class="dashboard-overview-content">
-                                                    <div class="dashboard-overview-header">
-                                                        <span class="dashboard-overview-label" data-i18n="dashboard.skillsLabel">Skills</span>
-                                                        <span class="dashboard-overview-status" id="dashboard-skills-status">-</span>
-                                                    </div>
-                                                    <div class="dashboard-overview-value-group">
-                                                        <span class="dashboard-overview-value-large" id="dashboard-skills-calls">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.callsUnit">次调用</span>
-                                                        <span class="dashboard-overview-value-separator">·</span>
-                                                        <span class="dashboard-overview-value-normal" id="dashboard-skills-count">-</span>
-                                                        <span class="dashboard-overview-value-unit" data-i18n="dashboard.skillUnit">个 Skill</span>
-                                                    </div>
-                                                </div>
-                                            </div>
                                         </div>
                                     </section>
-                                    <section class="dashboard-section dashboard-section-quick dashboard-quick-inline">
-                                        <h3 class="dashboard-section-title" data-i18n="dashboard.quickLinks">快捷入口</h3>
-                                        <div class="dashboard-quick-links dashboard-quick-links-row">
-                                            <a class="dashboard-quick-link" onclick="switchPage('chat')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"></path></svg></span><span data-i18n="nav.chat">对话</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('tasks')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M9 11l3 3L22 4"></path><path d="M21 12v7a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h11"></path></svg></span><span data-i18n="nav.tasks">任务管理</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('vulnerabilities')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"></path></svg></span><span data-i18n="nav.vulnerabilities">漏洞管理</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('mcp-management')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M13 2L3 14h9l-1 8 10-12h-9l1-8z"></path></svg></span><span data-i18n="nav.mcpManagement">MCP 管理</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('knowledge-management')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M2 3h6a4 4 0 0 1 4 4v14a3 3 0 0 0-3-3H2z"></path><path d="M22 3h-6a4 4 0 0 0-4 4v14a3 3 0 0 1 3-3h7z"></path></svg></span><span data-i18n="nav.knowledgeManagement">知识管理</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('skills-management')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14.5 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V7.5L14.5 2z"></path><polyline points="14 2 14 8 20 8"></polyline></svg></span><span data-i18n="nav.skillsManagement">Skills 管理</span></a>
-                                            <a class="dashboard-quick-link" onclick="switchPage('roles-management')"><span class="dashboard-quick-icon"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"></path><circle cx="9" cy="7" r="4"></circle><path d="M23 21v-2a4 4 0 0 0-3-3.87"></path><path d="M16 3.13a4 4 0 0 1 0 7.75"></path></svg></span><span data-i18n="nav.rolesManagement">角色管理</span></a>
+                                    <!-- 推荐操作：基于当前数据状态智能生成（如「修复 4 个待处理严重漏洞」「审批 2 个 HITL」），
+                                         比纯静态导航更有意义；当没有任何推荐时整个 section 隐藏 -->
+                                    <section class="dashboard-section dashboard-section-recommend" id="dashboard-section-recommend" hidden>
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.recommendedActions">推荐操作</h3>
+                                            <span class="dashboard-section-hint" data-i18n="dashboard.recommendedActionsHint">基于当前状态自动生成</span>
                                         </div>
+                                        <div class="dashboard-recommend-list" id="dashboard-recommend-list"></div>
                                     </section>
                                 </div>
                                 <div class="dashboard-side">
                                     <section class="dashboard-section dashboard-section-tools">
-                                        <h3 class="dashboard-section-title" data-i18n="dashboard.toolsExecCount">工具执行次数</h3>
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.toolsExecCount">工具执行次数</h3>
+                                            <a class="dashboard-section-link" onclick="switchPage('mcp-monitor')" data-i18n="dashboard.viewAll">查看全部 →</a>
+                                        </div>
                                         <div class="dashboard-tools-chart-wrap">
                                             <div class="dashboard-tools-chart-placeholder" id="dashboard-tools-pie-placeholder" data-i18n="common.noData">暂无数据</div>
                                             <div class="dashboard-tools-bar-chart" id="dashboard-tools-bar-chart"></div>
                                         </div>
                                     </section>
+                                    <!-- 最近事件：拉 /api/notifications/summary 取最新 3 条；空时整个隐藏 -->
+                                    <section class="dashboard-section dashboard-section-events" id="dashboard-section-events" hidden>
+                                        <div class="dashboard-section-header">
+                                            <h3 class="dashboard-section-title" data-i18n="dashboard.recentEvents">最近事件</h3>
+                                            <a class="dashboard-section-link" onclick="if(typeof toggleNotificationDropdown==='function') toggleNotificationDropdown()" data-i18n="dashboard.viewAll">查看全部 →</a>
+                                        </div>
+                                        <div class="dashboard-events-list" id="dashboard-events-list"></div>
+                                    </section>
+                                    <section class="dashboard-section dashboard-section-resources">
+                                        <h3 class="dashboard-section-title" data-i18n="dashboard.capabilities">能力总览</h3>
+                                        <div class="dashboard-resource-list" id="dashboard-resource-list">
+                                            <a class="dashboard-resource-item" onclick="switchPage('mcp-management')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-mcp" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M13 2L3 14h9l-1 8 10-12h-9l1-8z"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.mcpTools">MCP 工具</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-tools">-</span>
+                                            </a>
+                                            <!-- External MCP 服务器健康度：N 运行 / N 异常；只有配置过 External MCP 才显示 -->
+                                            <a class="dashboard-resource-item" id="dashboard-resource-external-mcp-row" onclick="switchPage('mcp-management')" role="button" tabindex="0" hidden>
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-external" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><line x1="2" y1="12" x2="22" y2="12"/><path d="M12 2a15.3 15.3 0 0 1 4 10 15.3 15.3 0 0 1-4 10 15.3 15.3 0 0 1-4-10 15.3 15.3 0 0 1 4-10z"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.externalMcpServers">External MCP</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-external-mcp">
+                                                    <span id="dashboard-resource-external-mcp-text">-</span>
+                                                    <span class="dashboard-resource-health" id="dashboard-resource-external-mcp-health" hidden></span>
+                                                </span>
+                                            </a>
+                                            <a class="dashboard-resource-item" onclick="switchPage('skills-management')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-skills" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M14.5 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V7.5L14.5 2z"/><polyline points="14 2 14 8 20 8"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.skillsLabel">Skills</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-skills">-</span>
+                                            </a>
+                                            <a class="dashboard-resource-item" onclick="switchPage('knowledge-management')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-knowledge" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M4 19.5A2.5 2.5 0 0 1 6.5 17H20"/><path d="M6.5 2H20v20H6.5A2.5 2.5 0 0 1 4 19.5v-15A2.5 2.5 0 0 1 6.5 2z"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.knowledgeLabel">知识</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-knowledge">-</span>
+                                            </a>
+                                            <a class="dashboard-resource-item" onclick="switchPage('roles-management')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-roles" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/><circle cx="9" cy="7" r="4"/><path d="M23 21v-2a4 4 0 0 0-3-3.87"/><path d="M16 3.13a4 4 0 0 1 0 7.75"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.rolesLabel">角色</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-roles">-</span>
+                                            </a>
+                                            <a class="dashboard-resource-item" onclick="switchPage('agents-management')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-agents" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polygon points="12 2 2 7 12 12 22 7 12 2"/><polyline points="2 17 12 22 22 17"/><polyline points="2 12 12 17 22 12"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.agentsLabel">Agents</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-agents">-</span>
+                                            </a>
+                                            <!-- WebShell 连接：渗透落地后建立的 foothold，对安全运维场景非常关键 -->
+                                            <a class="dashboard-resource-item" onclick="switchPage('webshell')" role="button" tabindex="0">
+                                                <span class="dashboard-resource-icon dashboard-resource-icon-webshell" aria-hidden="true">
+                                                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="4 17 10 11 4 5"/><line x1="12" y1="19" x2="20" y2="19"/></svg>
+                                                </span>
+                                                <span class="dashboard-resource-label" data-i18n="dashboard.webshellLabel">WebShell</span>
+                                                <span class="dashboard-resource-value" id="dashboard-resource-webshell">-</span>
+                                            </a>
+                                        </div>
+                                    </section>
                                 </div>
                             </div>
-                            <div class="dashboard-cta-block">
+                            <!-- "开始你的安全之旅" CTA：默认显示；当用户已经有数据（任务/漏洞/调用）后，由 JS 隐藏避免冗余 -->
+                            <div class="dashboard-cta-block" id="dashboard-cta-block">
                                 <div class="dashboard-cta-content">
                                     <div class="dashboard-cta-icon" aria-hidden="true">
                                         <svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"><path d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"></path></svg>
@@ -2832,6 +3036,7 @@
     <script src="/static/js/i18n.js"></script>
     <script src="/static/js/builtin-tools.js"></script>
     <script src="/static/js/auth.js"></script>
+    <script src="/static/js/notifications.js"></script>
     <script src="/static/js/info-collect.js"></script>
     <script src="/static/js/router.js"></script>
     <script src="/static/js/agents.js"></script>