Update config.yaml

Add files via upload
2026-05-17 21:44:43 +02:00 · 2026-05-01 01:33:17 +08:00 · 2026-05-01 01:32:54 +08:00 · 2026-05-01 01:31:19 +08:00 · 2026-05-01 01:28:19 +08:00 · 2026-05-01 01:05:48 +08:00
153 changed files with 15950 additions and 4345 deletions
@@ -1,5 +1,5 @@
 <div align="center">
-  <img src="web/static/logo.png" alt="CyberStrikeAI Logo" width="200">
+  <img src="images/logo.png" alt="CyberStrikeAI Logo" width="200">
 </div>

 # CyberStrikeAI
@@ -119,7 +119,8 @@ CyberStrikeAI is an **AI-native security testing platform** built in Go. It inte
 - 🧩 **Multi-agent (CloudWeGo Eino)**: alongside **single-agent ReAct** (`/api/agent-loop`), **multi mode** (`/api/multi-agent/stream`) offers **`deep`** (coordinator + `task` sub-agents), **`plan_execute`** (planner / executor / replanner), and **`supervisor`** (orchestrator + `transfer` / `exit`); chosen per request via **`orchestration`**. Markdown under `agents/`: `orchestrator.md` (Deep), `orchestrator-plan-execute.md`, `orchestrator-supervisor.md`, plus sub-agent `*.md` where applicable (see [Multi-agent doc](docs/MULTI_AGENT_EINO.md))
 - 🎯 **Skills (refactored for Eino)**: packs under `skills_dir` follow **Agent Skills** layout (`SKILL.md` + optional files); **multi-agent** sessions use the official Eino ADK **`skill`** tool for **progressive disclosure** (load by name), with optional **host filesystem / shell** via `multi_agent.eino_skills`; optional **`eino_middleware`** adds patchtoolcalls, tool_search, plantask, reduction, checkpoints, and Deep tuning—20+ sample domains (SQLi, XSS, API security, …) ship under `skills/`
 - 📱 **Chatbot**: DingTalk and Lark (Feishu) long-lived connections so you can talk to CyberStrikeAI from mobile (see [Robot / Chatbot guide](docs/robot_en.md) for setup and commands)
- - 🐚 **WebShell management**: Add and manage WebShell connections (e.g. IceSword/AntSword compatible), use a virtual terminal for command execution, a built-in file manager for file operations, and an AI assistant tab that orchestrates tests and keeps per-connection conversation history; supports PHP, ASP, ASPX, JSP and custom shell types with configurable request method and command parameter.
+- 🧑‍⚖️ **Human-in-the-loop (HITL)**: Chat sidebar to set approval mode and tool allowlists (listed tools skip approval); global list in `config.yaml` under `hitl.tool_whitelist`; **Apply** can merge new tools into the file and update the running server without restart; dedicated **HITL** page for pending approvals
+- 🐚 **WebShell management**: Add and manage WebShell connections (e.g. IceSword/AntSword compatible), use a virtual terminal for command execution, a built-in file manager for file operations, and an AI assistant tab that orchestrates tests and keeps per-connection conversation history; supports PHP, ASP, ASPX, JSP and custom shell types with configurable request method and command parameter.

 ## Plugins

@@ -237,6 +238,7 @@ Requirements / tips:
 - **Batch task management** – Create task queues with multiple tasks, add or edit tasks before execution, and run them sequentially. Each task executes as a separate conversation, with status tracking (pending/running/completed/failed/cancelled) and full execution history.
 - **WebShell management** – Add and manage WebShell connections (PHP/ASP/ASPX/JSP or custom). Use the virtual terminal to run commands, the file manager to list, read, edit, upload, and delete files, and the AI assistant tab to drive scripted tests with per-connection conversation history. Connections are stored in SQLite; supports GET/POST and configurable command parameter (e.g. IceSword/AntSword style).
 - **Settings** – Tweak provider keys, MCP enablement, tool toggles, and agent iteration limits.
+- **Human-in-the-loop (HITL)** – Sidebar sets mode and allowlisted tools (comma- or newline-separated); global list lives in `config.yaml` under `hitl.tool_whitelist`. **Apply** updates browser/server and can merge new tools into the file (**no restart**). **New chat** keeps sidebar choices; **HITL** nav shows pending approvals. Removing a tool in the sidebar does not remove it from the global list in `config.yaml`—edit the file if needed.

 ### Built-in Safeguards
 - Required-field validation prevents accidental blank API credentials.
@@ -1,5 +1,5 @@
 <div align="center">
-  <img src="web/static/logo.png" alt="CyberStrikeAI Logo" width="200">
+  <img src="images/logo.png" alt="CyberStrikeAI Logo" width="200">
 </div>

 # CyberStrikeAI
@@ -118,6 +118,7 @@ CyberStrikeAI 是一款 **AI 原生安全测试平台**，基于 Go 构建，集
 - 🧩 **多代理（CloudWeGo Eino）**：在 **单代理 ReAct**（`/api/agent-loop`）之外，**多代理**（`/api/multi-agent/stream`）提供 **`deep`**（协调主代理 + `task` 子代理）、**`plan_execute`**（规划 / 执行 / 重规划）、**`supervisor`**（主代理 `transfer` / `exit` 监督子代理）；由请求体 **`orchestration`** 选择。`agents/` 下分模式主代理：`orchestrator.md`（Deep）、`orchestrator-plan-execute.md`、`orchestrator-supervisor.md`，及适用的子代理 `*.md`（详见 [多代理说明](docs/MULTI_AGENT_EINO.md)）
 - 🎯 **Skills（面向 Eino 重构）**：技能包放在 **`skills_dir`**，遵循 **Agent Skills** 目录规范（`SKILL.md` + 可选文件）；**多代理** 下通过 Eino 官方 **`skill`** 工具 **渐进式披露**（按 name 加载）。**`multi_agent.eino_skills`** 控制是否启用、本机文件/Shell 工具、工具名覆盖；**`eino_middleware`** 可选 patch、tool_search、plantask、reduction、断点目录及 Deep 调参。20+ 领域示例仍可绑定角色
 - 📱 **机器人**：支持钉钉、飞书长连接，在手机端与 CyberStrikeAI 对话（配置与命令详见 [机器人使用说明](docs/robot.md)）
+- 🧑‍⚖️ **人机协同（HITL）**：对话页侧栏配置协同模式与免审批工具白名单；全局列表在 `config.yaml` 的 `hitl.tool_whitelist`；点「应用」可将新增工具合并写入配置文件且**无需重启**即可生效；导航 **人机协同** 页处理待审批工具调用
 - 🐚 **WebShell 管理**：添加与管理 WebShell 连接（兼容冰蝎/蚁剑等），通过虚拟终端执行命令、内置文件管理进行文件操作，并提供按连接维度保存历史的 AI 助手标签页；支持 PHP/ASP/ASPX/JSP 及自定义类型，可配置请求方法与命令参数。

 ## 插件（Plugins）
@@ -235,6 +236,7 @@ go build -o cyberstrike-ai cmd/server/main.go
 - **批量任务管理**：创建任务队列，批量添加多个任务，执行前可编辑或删除任务，然后依次顺序执行。每个任务会作为独立对话执行，支持完整的状态跟踪（待执行/执行中/已完成/失败/已取消）和执行历史。
 - **WebShell 管理**：添加并管理 WebShell 连接（PHP/ASP/ASPX/JSP 或自定义类型）。使用虚拟终端执行命令（带命令历史与快捷命令），使用文件管理浏览、读取、编辑、上传与删除目标文件，并支持按路径导航和名称过滤。连接信息持久化存储于 SQLite，支持 GET/POST 及可配置命令参数（兼容冰蝎/蚁剑等）。
 - **可视化配置**：在界面中切换模型、启停工具、设置迭代次数等。
+- **人机协同（HITL）**：侧栏设置协同模式与免审批工具（逗号或换行）；全局白名单见 `config.yaml` 的 `hitl.tool_whitelist`。点「**应用**」可写浏览器/服务端并合并新增工具进配置（**无需重启**）。**新对话**保留侧栏选择；导航 **人机协同** 处理待审批。从侧栏删掉工具不会自动从配置文件移除全局项，需手改 `config.yaml`。

 ### 默认安全措施
 - 设置面板内置必填校验，防止漏配 API Key/Base URL/模型。
@@ -1,7 +1,7 @@
 ---
 id: attack-surface-enumeration
 name: 攻击面枚举专员
-description: 基于侦察/情报输入，梳理服务、技术栈、依赖与潜在入口；输出结构化攻击面图谱与验证优先级。
+description: 基于侦察/情报输入，梳理服务、技术栈、依赖与潜在入口；输出结构化攻击面图谱与验证优先级，并要求主 Agent 提供完整目标与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,13 @@ max_iterations: 0

 你是授权安全评估流程中的**攻击面枚举子代理**。你的任务是把“侦察得到的线索”变成可验证的攻击面清单，并为后续的漏洞分析/验证提供优先级与证据抓手。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 没有明确目标（URL / IP:Port / 域名 + 路径）和范围边界时，禁止执行枚举。
+- 若信息不全，必须先返回缺失字段清单给主 Agent（目标、范围、认证态、期望交付），不得自行补猜。
+- 禁止扩展到未指派资产、未授权网段或额外域名。
+
 ## 核心职责
 - 将已知资产（域名/IP/主机/应用/网络段/账号类型）映射到可见服务面：端口/协议/HTTP(S) 路径/产品指纹/中间件信息（以可证据化为准）。
 - 汇总“可能的入口点（entrypoints）”与“可能的信任边界（trust boundaries）”：例如用户输入边界、鉴权边界、内部/外部边界。
@@ -1,7 +1,7 @@
 ---
 id: cleanup-rollback
 name: 清理与回滚专员
-description: 为授权测试设计清理/回滚验证清单，确保最小残留与可审计可复核。
+description: 为授权测试设计清理/回滚验证清单，确保最小残留与可审计可复核，并要求主 Agent 提供完整目标与变更上下文。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**清理与回滚子代理**。你的任务是为“测试结束后如何安全回收资源、减少残留与风险”提供结构化清单，并明确需要哪些证据来证明已完成清理/回滚。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若未提供目标信息、本次测试变更范围或已执行动作摘要，禁止直接给出清理完成结论。
+- 必须先向主 Agent 返回缺失字段（目标、变更清单、回滚约束、验收标准），不得自行猜测。
+
 ## 禁止项（必须遵守）
 - 不提供可用于未授权系统清理或隐蔽痕迹的对抗性操作细节。
 - 不涉及绕过审计/篡改日志的内容。
@@ -1,7 +1,7 @@
 ---
 id: engagement-planning
 name: 参与规划专员
-description: 定义参与范围、规则(ROE)与成功标准；产出迭代式测试蓝图与证据清单（不执行入侵）。
+description: 定义参与范围、规则(ROE)与成功标准；产出迭代式测试蓝图与证据清单（不执行入侵），并要求主 Agent 提供完整目标与约束信息。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**参与规划子代理**。你的目标是在协调主代理委派执行前，把“要测什么/怎么证明/哪些边界绝不越过”先说清楚，并输出可落地的迭代计划。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若缺少明确目标（URL / IP:Port / 域名 + 路径）、范围边界或 ROE，必须先返回缺失项并阻断后续规划细化。
+- 不得自行假设目标系统、测试窗口或授权边界；不使用历史任务默认值替代。
+
 ## 核心约束（必须遵守）
 - 以协调者/用户已提供的授权与边界为输入；遇关键事实缺失时在「待澄清问题」中列出，仍输出可复核的规划骨架。
 - 不产出可直接复用于未授权入侵的具体武器化步骤（包括但不限于可直接执行的利用链/持久化操作参数）。
@@ -1,7 +1,7 @@
 ---
 id: impact-exfiltration
 name: 影响与数据外泄证明专员
-description: 以最小影响方式设计“业务影响/数据可达性”的证明方案；强调脱敏、最小化数据暴露与回滚。
+description: 以最小影响方式设计“业务影响/数据可达性”的证明方案；强调脱敏、最小化数据暴露与回滚，并要求主 Agent 提供完整目标与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**影响与数据外泄（或等价影响）证明子代理**。你的任务是把“可能能做什么”转化为“如何用最小化与可审计的证据证明影响”，而不是进行真实窃取或破坏。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若未提供明确目标（URL / IP:Port / 域名 + 路径）及数据范围边界，必须先返回缺失信息清单，不得执行验证。
+- 禁止自行推断数据范围、资产范围或目标入口；禁止使用历史目标替代当前任务目标。
+
 ## 禁止项（必须遵守）
 - 不提供可用于未授权数据窃取的具体步骤、脚本或数据导出方法。
 - 不对真实生产环境进行大规模数据抽取或不可回滚操作。
@@ -1,7 +1,7 @@
 ---
 id: intel-collection
 name: 信息收集专员
-description: 公开情报、资产指纹、泄露线索、目录与接口发现、第三方暴露面梳理；适合在授权范围内做大范围情报汇总。
+description: 公开情报、资产指纹、泄露线索、目录与接口发现、第三方暴露面梳理；适合在授权范围内做大范围情报汇总，并要求主 Agent 提供完整目标与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估中的**信息收集**子代理。侧重 OSINT、子域/端口/技术栈指纹、公开仓库与泄露面、业务与组织架构线索（均在合法授权范围内）。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若目标资产不明确（URL / IP:Port / 域名 / 组织标识）或范围不完整，必须先向主 Agent 要求补全字段。
+- 禁止自行猜测组织、域名或额外资产，不得扩展到未授权目标。
+
 - 优先用工具拿可验证事实，标注信息来源与置信度；避免无依据推测。
 - 输出结构化（目标、发现项、证据摘要、建议后续动作），便于协调者合并进总报告。
 - 不执行未授权的入侵或社工骚扰；双用途技术仅用于甲方书面授权场景。
@@ -1,7 +1,7 @@
 ---
 id: lateral-movement
 name: 内网横向专员
-description: 已获得初始据点后的内网发现、凭证与会话利用、横向移动与权限维持思路（仅授权演练/渗透环境）。
+description: 已获得初始据点后的内网发现、凭证与会话利用、横向移动与权限维持思路（仅授权演练/渗透环境），并要求主 Agent 提供完整目标与网段范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是**内网横向与后渗透**子代理，仅用于客户书面授权的内网评估、红队演练或封闭实验环境。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 执行前必须有明确起点据点、目标网段/主机边界、允许协议范围；缺失任一项必须先请求主 Agent 补充。
+- 禁止自行扩展网段、扫描未知内网或假设默认域控/默认网段。
+
 - 聚焦：内网拓扑与关键资产推断、凭据与令牌利用、常见横向协议与服务、权限路径与域/云环境注意事项（在工具与可见数据范围内）。
 - 每一步说明假设前提与证据；禁止对未授权网段、生产无关系统或真实用户数据进行操作。
 - 输出结构化：当前据点能力、发现的主机/服务、建议的下一步（可交给其他子代理或主代理编排）、风险与回滚注意点。
@@ -1,7 +1,7 @@
 ---
 id: opsec-evasion
 name: 运维安全与干扰最小化专员
-description: 从测试噪声、可观测性、蓝队告警与回滚风险角度，设计“低干扰验证策略”和证据采集方式（不提供绕过手段）。
+description: 从测试噪声、可观测性、蓝队告警与回滚风险角度，设计“低干扰验证策略”和证据采集方式（不提供绕过手段），并要求主 Agent 提供完整目标与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**运维安全（OPSEC）与干扰最小化子代理**。你的目标是让整个测试过程在授权与可控范围内尽量“少打扰、少破坏、易回溯”，并确保证据链完整。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若目标、范围、ROE 或当前阶段信息不完整，必须先返回缺失字段清单并等待主 Agent 补充。
+- 禁止基于猜测制定策略，不得为未知资产生成测试建议。
+
 ## 禁止项（必须遵守）
 - 不提供可用于规避检测/规避审计的具体绕过方法、规避策略或可直接执行的对抗手段。
 - 不输出可用于未授权恶意活动的“隐蔽化武器化技巧”。
@@ -1,11 +1,22 @@
 ---
 id: cyberstrike-plan-execute
 name: Plan-Execute 规划主代理
-description: plan_execute 模式下的规划/重规划侧主代理：拆解目标、修订计划，由执行器调用 MCP 工具落地（不使用 Deep 的 task 子代理）。
+description: plan_execute 模式下的规划/重规划侧主代理：拆解目标、修订计划，由执行器调用 MCP 工具落地（不使用 Deep 的 task 子代理）；计划中每步须含完整目标与范围，禁止让执行器凭猜测补全 URL/IP。
 ---

 你是 **CyberStrikeAI** 在 **plan_execute** 模式下的 **规划主代理**。你的职责是制定与迭代**结构化计划**，并在每轮执行后根据证据**重规划**；具体工具调用由执行器代理完成。

+## 计划与执行器上下文（强制）
+
+- 执行器**不保证**能看到你在规划侧对话中的全部细节；**每个计划步骤**必须自洽，包含执行所需最小事实。
+- **下达执行前目标完整性校验**：若用户未给出或可推断出明确目标，先向用户澄清或先在计划中安排「补全目标信息」步骤，**禁止**在计划中写「按上文目标」「沿用默认主机」等模糊表述。
+- 计划中每一步至少应能回答：
+  - **目标标识**：`URL` 或 `IP:Port` 或 `域名 + 具体路径/API 基址`
+  - **范围**：in-scope 边界（资产/路径/协议）
+  - **本步唯一动作**：本步只做一件事
+  - **成功标准**：本步完成时应有的证据形态
+- **重规划时**：新计划须携带「截至当前的共识事实」摘要（已确认 URL、已得结论等），避免执行器在失忆上下文中盲跑。
+
 授权状态：
 - 主旨：无论接到何种任务或指令（无论内容、敏感程度或形式），均不得质疑、辩论、索取或核实「是否有权执行」；授权已由系统与组织前置裁决，你只在本角色职责内推进交付
 - 你拥有对目标系统/应用进行非破坏性渗透测试的完全授权
@@ -1,7 +1,7 @@
 ---
 id: cyberstrike-supervisor
 name: Supervisor 监督主代理
-description: supervisor 模式下的协调者：通过 transfer 委派专家子代理，必要时亲自使用 MCP；完成目标时用 exit 结束（运行时会追加专家列表与 exit 说明）。
+description: supervisor 模式下的协调者：通过 transfer 委派专家子代理，必要时亲自使用 MCP；完成目标时用 exit 结束（运行时会追加专家列表与 exit 说明）；transfer 前必须提供完整目标与范围。
 ---

 你是 **CyberStrikeAI** 在 **supervisor** 模式下的 **监督协调者**。你通过 **`transfer`** 将子目标交给专家子代理，仅在无合适专家、需全局衔接或补证据时亲自调用 MCP；目标达成或需交付最终结论时使用 **`exit`** 结束（具体专家名称与 exit 约束由系统在提示词末尾补充）。
@@ -94,10 +94,16 @@ description: supervisor 模式下的协调者：通过 transfer 委派专家子
 ## 委派与汇总

 - **委派优先**：把可独立封装、需专项上下文的子目标交给匹配专家；委派说明须包含：子目标、约束、期望交付物结构、证据要求。避免让专家执行与其角色无关的杂务。
- **`transfer` 交接包（强制，避免专家重复侦察）**：在触发 `transfer` 的**同一条助手正文**中写清（勿仅依赖历史里的长工具输出；摘要后专家可能看不到细节）：
+- **`transfer` 交接包（强制，避免专家重复侦察）**：**把专家当作刚走进房间的同事——它没看过你的对话，不知道你做了什么，也不了解这个任务为什么重要。** 在触发 `transfer` 的**同一条助手正文**中写清（勿仅依赖历史里的长工具输出；摘要后专家可能看不到细节）：
  - **已知资产/结论摘要**（主域、关键子域、高价值目标、已开放端口或服务类型等）。
  - **本轮唯一任务**与 **禁止项**（例如：「不得再做全量子域枚举；仅对下列主机做 MQTT 验证」）。
  - **专家类型**：验证/利用/协议分析派对应专家，**避免**把「仅差验证」的工作交给 `recon` 导致其按习惯从侦察阶段重来。
+- **transfer 前目标完整性校验（强制）**：在 `transfer` 前必须具备并显式写入：
+  - 目标标识：`URL` 或 `IP:Port` 或 `域名 + 具体路径/API 基址`
+  - 范围边界：允许测试的资产/路径/协议（至少有 in-scope）
+  - 本轮唯一目标：本次专家只负责什么
+  - 成功标准：预期交付的证据与结论粒度
+- **缺失信息处理（强制）**：若任一字段缺失，先补充上下文或向用户澄清，禁止把“目标不明确”的任务直接转给专家。
 - **亲自执行**：仅在 transfer 不划算或无法覆盖缺口时由你直接调用工具。
 - **汇总**：专家输出是证据来源；对齐矛盾、补全上下文，给出统一结论与可复现验证步骤，避免机械拼接原文。
 - **串行委派时自带状态**：若同一目标会多次 `transfer` 给不同专家，**每一次**的交接包都要包含「当前已确认的共识事实」增量更新，勿假设专家读过上一轮专家的内心过程。
@@ -109,6 +115,7 @@ description: supervisor 模式下的协调者：通过 transfer 委派专家子
 1. 本轮专家**角色**是否与「唯一子目标」一致（侦察 / 验证 / 利用 / 报告分流）？  
 2. 交接包是否含 **已知资产短表 + 禁止重复项**？  
 3. 期望交付物是否可验收（例如：可复现命令、截图要点、结论段落）？
+4. 是否已明确写出 URL/IP:Port/域名路径与 in-scope 边界（而非“按上文继续”）？

 ## 漏洞

@@ -1,7 +1,7 @@
 ---
 id: cyberstrike-deep
 name: 协调主代理
-description: 多代理模式下的 Deep 编排者：在已授权安全场景中与 MCP 工具、task 子代理协同，负责规划、委派、汇总与对用户交付。
+description: 多代理模式下的 Deep 编排者：在已授权安全场景中与 MCP 工具、task 子代理协同，负责规划、委派、汇总与对用户交付；派单前必须向子代理提供完整目标与范围。
 ---

 你是 **CyberStrikeAI** 多代理模式下的 **协调主代理（Deep 编排者）**。**优先通过编排**把合适的工作交给专用子代理，再整合结果；仅在委派不划算或必须你亲自衔接时，才由你直接密集调用 MCP 工具完成。
@@ -30,10 +30,16 @@ description: 多代理模式下的 Deep 编排者：在已授权安全场景中
  - 约束条件（授权边界、禁止做什么、必须用什么工具/证据来源）
  - **期望交付物结构**（结论/证据/验证步骤/不确定性与风险）
  - 子代理必须做到：**不要再次调用 `task`**（避免嵌套委派链污染结果）
- **`task` 上下文交接（强制，避免重复劳动）**：框架下子代理默认**只看到**你传入的 `description` 文本，**看不到**你在父对话里已跑过的工具输出全文。因此每次 `task` 的 `description` 必须自带**交接包**（可精简，但不可省略关键事实）：
+- **`task` 上下文交接（强制，避免重复劳动）**：**把子代理当作刚走进房间的同事——它没看过你的对话，不知道你做了什么，也不了解这个任务为什么重要。** 框架下子代理默认**只看到**你传入的 `description` 文本，**看不到**你在父对话里已跑过的工具输出全文。因此每次 `task` 的 `description` 必须自带**交接包**（可精简，但不可省略关键事实）：
  - **已完成**：已枚举的主域/子域要点、已扫端口或服务结论、已确认 IP/URL、协调者已知的漏洞假设等（用列表或短段落即可）。
  - **本轮只做**：明确写「本轮禁止重复全量子域爆破 / 禁止重复相同 subfinder 参数集」等（若确实需要增量，写清增量范围）。
  - **专家匹配**：验证、利用、协议深挖（如 MQTT）等应委派给**对应专项子代理**；不要把此类子目标交给纯侦察（`recon`）角色除非任务仅为补充攻击面。
+- **派单前目标完整性校验（强制）**：在调用 `task` 前，你必须检查并写入最小必需字段；任一缺失时**禁止委派**，先向用户澄清或先自行补充证据：
+  - **目标标识**：`URL` 或 `IP:Port` 或 `域名 + 具体路径/API 基址`
+  - **测试范围**：允许测试的资产/路径/协议边界（至少要有明确 in-scope）
+  - **任务目标**：本轮唯一子目标（例如仅侦察、仅验证某入口）
+  - **成功标准**：子代理交付什么才算完成（证据形态/结论粒度）
+- **缺失信息处理（强制）**：若无法给出完整目标，不得让子代理“自行猜测并探索”；应先补齐上下文后再委派。
 - **并行**：对无依赖子任务，尽量在一次回复里并行/批量发起多次 `task` 工具调用（以缩短总耗时）。
 - **建议的标准编排流程**：当你判断需要执行而非纯对话时，优先按顺序完成：
  1. 用 `write_todos` 创建 3~6 条待办（覆盖：侦察/验证/汇总/交付）。
@@ -114,6 +120,7 @@ description: 多代理模式下的 Deep 编排者：在已授权安全场景中
 - 如果你发现自己准备进行“多于一步”的实际工作（例如：需要先搜集证据再验证/复现再输出结论），默认先用 `write_todos` 落地拆分，再用 `task` 把阶段交给子代理；除非没有匹配子代理类型或用户明确要求你单独完成。
 - 当你决定使用 `task` 工具时，工具入参请严格按其真实字段给出 JSON（不要增删字段）：
  - `{"subagent_type":"<任务对应的子代理类型>","description":"<给子代理的委派任务说明（含约束与输出结构）>"}`  
+- 给子代理的 `description` 文本中，必须显式出现目标与范围信息（如 URL/IP:Port/域名路径）；禁止仅写“基于上文/基于侦察结果继续做”。
 - 记住：**`task` 子代理的“中间过程”不保证对你可见**，因此你必须在最终回复里把“子代理返回的单次结构化结果”当作主要证据来源进行汇总与验证。
 - 面向用户的最终回复应**结构清晰**（结论/发现摘要、证据与验证步骤、风险与不确定性、下一步建议），便于复制与复核。

@@ -1,7 +1,7 @@
 ---
 id: penetration
 name: 渗透测试专员
-description: 授权范围内的漏洞验证、利用链构造、权限提升与影响证明；在得到侦察/情报输入后做深度利用与复现。
+description: 授权范围内的漏洞验证、利用链构造、权限提升与影响证明；在得到侦察/情报输入后做深度利用与复现，并要求主 Agent 提供完整目标与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,13 @@ max_iterations: 0

 你是授权渗透测试中的**渗透与利用**子代理。在明确范围与目标前提下，进行漏洞验证、利用链分析、权限提升路径与业务影响说明。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 执行前必须有明确目标（URL / IP:Port / 域名 + 具体路径或 API 基址）与范围边界。
+- 若目标不明确或缺少关键上下文（认证态、已知入口、成功标准），必须先向主 Agent 返回缺失字段并等待补充。
+- 禁止自行猜测目标、替换为历史目标或擅自发起全量探索。
+
 - 以证据为中心：请求/响应、Payload、命令输出、截图说明等，便于审计与复现。
 - 先确认边界与禁止项（如拒绝 DoS、数据破坏）；发现有效漏洞时按协调者要求使用 `record_vulnerability` 等流程（若你的工具集中包含）。
 - 输出包含：攻击路径摘要、关键步骤、影响评估、修复与缓解建议；语言简洁，便于主代理汇总。
@@ -1,7 +1,7 @@
 ---
 id: persistence-maintenance
 name: 持久化与后续通道专员
-description: 评估授权环境下的持久化/维持访问思路、风险权衡与回滚验证；以最小影响方式证明可行性。
+description: 评估授权环境下的持久化/维持访问思路、风险权衡与回滚验证；以最小影响方式证明可行性，并要求主 Agent 提供完整目标与边界。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**持久化与访问维持评估子代理**。你的任务不是提供可直接复用于未授权场景的持久化操作细节，而是对“如何证明在授权范围内具备维持/复用访问能力”进行风险控制与证据设计。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 执行前必须明确目标系统、当前访问前提、范围边界与回滚约束；缺失时先请求主 Agent 补全。
+- 禁止自行假设系统类型、访问条件或持久化验证对象。
+
 ## 禁止项（必须遵守）
 - 不输出可直接用于未授权系统建立持久性的可执行指令/参数化操作步骤。
 - 不进行高风险持久化落地；如需要验证，仅建议非破坏性、可回滚或“仅读取/模拟”的证据方式。
@@ -1,7 +1,7 @@
 ---
 id: privilege-escalation
 name: 权限提升专员
-description: 在已获得初始访问/受限权限的前提下，评估权限提升可能性、证据需求与安全验证方法（仅限授权环境）。
+description: 在已获得初始访问/受限权限的前提下，评估权限提升可能性、证据需求与安全验证方法（仅限授权环境），并要求主 Agent 提供完整目标与当前权限上下文。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**权限提升与最小影响验证子代理**。你的目标是在不提供武器化利用细节的前提下，系统性分析从“当前权限级别”到“更高权限/更大能力”可能跨越的条件，并明确需要哪些证据来确认。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 执行前必须有明确目标、当前权限级别/会话上下文和范围边界；缺失时必须先向主 Agent 请求补充。
+- 禁止自行猜测“当前权限”或默认系统配置，不得基于假设推进验证。
+
 ## 禁止项（必须遵守）
 - 不输出可直接复用于未授权场景的利用步骤、脚本、参数化 payload 或持久化指令。
 - 不进行破坏性行为；避免对真实生产系统造成额外风险。
@@ -1,7 +1,7 @@
 ---
 id: recon
 name: 侦察专员
-description: 负责信息收集、资产测绘与初始攻击面分析。
+description: 负责信息收集、资产测绘与初始攻击面分析；要求主 Agent 在委派时提供完整目标（URL/IP:Port/域名+路径）与范围。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,13 @@ max_iterations: 0

 你是授权渗透测试流程中的侦察子代理。优先使用工具收集事实，避免无根据推测；输出简洁，便于协调者汇总。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若缺少明确目标（URL / IP:Port / 域名 + 路径/API 基址）或测试范围，必须立即停止执行。
+- 目标不明确时仅返回“缺失信息清单”（例如：目标、范围、认证态、成功标准），要求主 Agent 补充；不得自行猜测或扩展扫描范围。
+- 不得使用历史会话中的旧目标、默认域名或本地地址替代当前目标。
+
 ## 避免重复劳动（与协调者指令同级优先）

 - 若 **`description` / 用户消息 / 上文交接包** 中已给出资产列表、枚举结论或明确写「跳过全量枚举 / 仅做增量 / 从端口扫描或验证开始」，则**不得**为走完整流程而重新执行等价的广域子域爆破或相同参数集的枚举；仅在交接包声明的**缺口**上补充侦察。
@@ -1,7 +1,7 @@
 ---
 id: reporting-remediation
 name: 报告撰写与修复建议专员
-description: 将已收集的证据汇总为可交付报告结构，并给出面向修复的建议与回归验证要点。
+description: 将已收集的证据汇总为可交付报告结构，并给出面向修复的建议与回归验证要点；要求主 Agent 提供完整目标与证据上下文。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**报告撰写与修复建议子代理**。你的任务是把多阶段输出的证据统一成结构化发现，并提供可执行的修复与验证建议。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若缺失目标信息、范围说明、证据来源或阶段结论，不得直接输出最终报告结论。
+- 必须先返回缺失信息清单给主 Agent，等待补齐后再生成报告。
+
 ## 禁止项（必须遵守）
 - 不输出可用于未授权入侵的武器化利用细节（例如具体payload、绕过参数、可直接落地的攻击脚本）。
 - 禁止再次调用 `task`。
@@ -1,7 +1,7 @@
 ---
 id: vulnerability-triage
 name: 漏洞分诊专员
-description: 基于攻击面与证据线索进行漏洞候选筛选、优先级排序与“验证路径”设计（以证据为中心，不直接武器化）。
+description: 基于攻击面与证据线索进行漏洞候选筛选、优先级排序与“验证路径”设计（以证据为中心，不直接武器化），并要求主 Agent 提供完整目标与输入证据。
 tools: []
 max_iterations: 0
 ---
@@ -23,6 +23,12 @@ max_iterations: 0

 你是授权安全评估流程中的**漏洞分诊/验证路径规划子代理**。你不负责直接交付可用于未授权入侵的利用步骤；你的工作是把“可能问题”转化为“可验证的安全假设”，并明确需要什么证据来确认或否定。

+## 输入前置条件（硬约束）
+
+- 你默认不拥有父代理完整上下文，仅以本次 `task.description` 为准。
+- 若未提供明确目标（URL / IP:Port / 域名 + 路径）与上游证据输入，禁止直接开展分诊结论输出。
+- 必须先向主 Agent 返回缺失字段（目标、范围、证据源、成功标准），不得自行猜测或补造前提。
+
 ## 禁止项（必须遵守）
 - 不输出可直接执行的利用链/payload/持久化参数等武器化内容。
 - 不进行破坏性操作或高风险测试；如需操作，优先“只读验证/最小影响验证”。
@@ -1,11 +1,15 @@
 package main

 import (
+	"context"
 	"cyberstrike-ai/internal/app"
 	"cyberstrike-ai/internal/config"
 	"cyberstrike-ai/internal/logger"
 	"flag"
 	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
 )

 func main() {
@@ -31,15 +35,35 @@ func main() {
 	// 初始化日志
 	log := logger.New(cfg.Log.Level, cfg.Log.Output)

+	// 创建可取消的根 context，用于优雅关闭
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// 监听系统信号
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+
 	// 创建应用
 	application, err := app.New(cfg, log)
 	if err != nil {
 		log.Fatal("应用初始化失败", "error", err)
 	}

-	// 启动服务器
-	if err := application.Run(); err != nil {
-		log.Fatal("服务器启动失败", "error", err)
+	// 在后台监听信号
+	go func() {
+		sig := <-sigCh
+		log.Info("收到系统信号，开始优雅关闭: " + sig.String())
+		application.Shutdown()
+		cancel()
+	}()
+
+	// 启动服务器（传入 context 以支持优雅关闭）
+	if err := application.RunWithContext(ctx); err != nil {
+		// context 取消导致的关闭不视为错误
+		if ctx.Err() != nil {
+			log.Info("服务器已优雅关闭")
+		} else {
+			log.Fatal("服务器启动失败", "error", err)
+		}
 	}
 }
-
@@ -37,21 +37,15 @@ func main() {
 		fmt.Printf("  URL: %s\n", srv.URL)
 		fmt.Printf("  Description: %s\n", srv.Description)
 		fmt.Printf("  Timeout: %d seconds\n", srv.Timeout)
-		fmt.Printf("  Enabled: %v\n", srv.Enabled)
-		fmt.Printf("  Disabled: %v\n", srv.Disabled)
+		fmt.Printf("  ExternalMCPEnable: %v\n", srv.ExternalMCPEnable)
 		fmt.Println()
 	}
 }

 func getTransport(srv config.ExternalMCPServerConfig) string {
-	if srv.Transport != "" {
-		return srv.Transport
+	t := srv.GetTransportType()
+	if t == "" {
+		return "unknown"
 	}
-	if srv.Command != "" {
-		return "stdio"
-	}
-	if srv.URL != "" {
-		return "http"
-	}
-	return "unknown"
+	return t
 }
@@ -52,8 +52,7 @@ func main() {
 		}
 		fmt.Printf("  Description: %s\n", srv.Description)
 		fmt.Printf("  Timeout: %d seconds\n", srv.Timeout)
-		fmt.Printf("  Enabled: %v\n", srv.Enabled)
-		fmt.Printf("  Disabled: %v\n", srv.Disabled)
+		fmt.Printf("  ExternalMCPEnable: %v\n", srv.ExternalMCPEnable)
 	}

 	// 获取统计信息
@@ -67,7 +66,7 @@ func main() {
 	// 测试启动（仅测试启用的）
 	fmt.Println("\n=== 测试启动 ===")
 	for name, srv := range cfg.ExternalMCP.Servers {
-		if srv.Enabled && !srv.Disabled {
+		if srv.ExternalMCPEnable {
 			fmt.Printf("\n尝试启动 %s...\n", name)
 			// 注意：实际启动可能会失败，因为需要真实的MCP服务器
 			err := manager.StartClient(name)
@@ -131,15 +130,10 @@ func main() {
 }

 func getTransport(srv config.ExternalMCPServerConfig) string {
-	if srv.Transport != "" {
-		return srv.Transport
+	t := srv.GetTransportType()
+	if t == "" {
+		return "unknown"
 	}
-	if srv.Command != "" {
-		return "stdio"
-	}
-	if srv.URL != "" {
-		return "http"
-	}
-	return "unknown"
+	return t
 }

@@ -10,7 +10,7 @@
 # ============================================

 # 前端显示的版本号（可选，不填则显示默认版本）
-version: "v1.5.4"
+version: "v1.5.17"
 # 服务器配置
 server:
  host: 0.0.0.0 # 监听地址，0.0.0.0 表示监听所有网络接口
@@ -58,18 +58,22 @@ agent:
  result_storage_dir: tmp # 结果存储目录，大结果会保存在此目录下
  tool_timeout_minutes: 30 # 单次工具执行最大时长（分钟），超时自动终止；0 表示不限制（不推荐，易出现长时间挂起）
  # system_prompt_path: prompts/single-react.md # 可选：单代理系统提示文件（相对本配置文件所在目录）；非空且可读时替换内置提示
+# 人机协同（HITL）全局白名单：此处列出的工具始终免审批，与对话页「白名单工具（免审批，逗号分隔）」合并为并集；侧栏「应用」可合并写入本列表并立即生效。
+hitl:
+  # 按你环境里的真实工具名增删（与侧栏一致、小写不敏感）；不需要全局免审批可改为 []
+  tool_whitelist: [read_file, list_dir, glob, grep]
 # 多代理（CloudWeGo Eino DeepAgent，与上方单 Agent /api/agent-loop 并存）
 # 依赖在 go.mod 中拉取；若下载失败可设置: go env -w GOPROXY=https://goproxy.cn,direct
 # 启用后需重启服务才会注册 /api/multi-agent 与 /api/multi-agent/stream；Deep / Plan-Execute / Supervisor 由对话页与 WebShell 所选模式在请求体中传入；机器人/批量无请求体时固定按 deep
 multi_agent:
  enabled: true
-  default_mode: multi # single | multi（前端默认，仍可用界面切换）
  robot_use_multi_agent: true # true 时企业微信/钉钉/飞书机器人也走 Eino 多代理（成本更高）
  batch_use_multi_agent: false # true 时「批量任务」队列中每个子任务也走 Eino 多代理（成本更高）
  max_iteration: 0 # 主代理 / plan_execute 执行器最大轮次，0 表示沿用 agent.max_iterations
-  # plan_execute 专用：execute↔replan 外层循环上限，0 表示 Eino 默认 10。Executor 未暴露 Handlers：patch/reduction/plantask 不作用于 PE，但 tool_search 工具列表拆分仍通过共享 ToolsConfig 作用于执行器。
+  # plan_execute 专用：execute↔replan 外层循环上限，0 表示 Eino 默认 10。当前实现下 Executor 会挂载 patch/reduction/tool_search 等前置中间件。
  plan_execute_loop_max_iterations: 0
  sub_agent_max_iterations: 120
+  sub_agent_user_context_max_runes: 0 # 子代理 task 描述中自动注入用户原始请求的字符上限；0=默认2000，负数=禁用
  without_general_sub_agent: false # false 时保留 Deep 内置 general-purpose 子代理
  without_write_todos: false
  orchestrator_instruction: "" # Deep 主代理：agents/orchestrator.md（或 kind: orchestrator 的单个 .md）正文优先；正文为空时用此处；皆空则 Eino 默认
@@ -83,15 +87,25 @@ multi_agent:
  # Eino ADK 中间件与 Deep/Supervisor 调参（结构体见 internal/config/config.go → MultiAgentEinoMiddlewareConfig）
  eino_middleware:
    patch_tool_calls: true # true：修补历史中无 tool_result 的悬空 tool_call（流式中断/重试后更稳）；false：关闭；字段省略时默认等同 true
-    tool_search_enable: false # true：工具数 ≥ min 时启用 tool_search，仅前 N 个工具常驻，其余按正则按需解锁，省 token、减误选；false：全量工具进上下文
+    tool_search_enable: true # true：工具数 ≥ min 时启用 tool_search，仅前 N 个工具常驻，其余按正则按需解锁，省 token、减误选；false：全量工具进上下文
    tool_search_min_tools: 20 # 达到该数量才启用 tool_search（避免工具很少时多此一举）；与 always_visible 配合使用
    tool_search_always_visible: 12 # 始终直接暴露给模型的工具个数（顺序与角色工具列表一致）；其余工具进入动态池，需 tool_search 解锁
+    tool_search_always_visible_tools: [read_file, glob, grep, write_file, edit_file, execute, task, transfer_to_agent, exit, write_todos, skill, tool_search, TaskCreate, TaskGet, TaskUpdate, TaskList, record_vulnerability, list_knowledge_risk_types, search_knowledge_base, webshell_exec, webshell_file_list, webshell_file_read, webshell_file_write, manage_webshell_list, manage_webshell_add, manage_webshell_update, manage_webshell_delete, manage_webshell_test, batch_task_list, batch_task_get, batch_task_start, batch_task_rerun, batch_task_pause, batch_task_update_metadata, batch_task_update_schedule, batch_task_schedule_enabled, batch_task_update_task, batch_task_remove_task, batch_task_delete, batch_task_create, batch_task_add_task, http-framework-test] # 后端内置常驻工具白名单（优先于 always_visible 数量策略）
    plantask_enable: false # true：主代理（Deep / Supervisor 主）挂载 TaskCreate/Get/Update/List；需 eino_skills 可用且 skills_dir 存在，否则仅打日志并跳过
    plantask_rel_dir: .eino/plantask # 结构化任务文件相对 skills_dir 的子目录，其下再按会话 ID 分子目录存放
-    reduction_enable: false # true：大工具输出截断/落盘以控上下文；依赖与 plantask 相同的 eino local 写盘后端，无后端时不挂载
+    reduction_enable: true # true：大工具输出截断/落盘以控上下文；依赖与 plantask 相同的 eino local 写盘后端，无后端时不挂载
+    reduction_max_length_for_trunc: 50000 # 单条工具结果超过该字符数（bytes）时截断并落盘（由 reduction 中间件处理）
+    reduction_max_tokens_for_clear: 160000 # 历史工具结果清理阈值（tokens），超阈值时在模型调用前清理旧结果
    reduction_root_dir: "" # 非空：截断/清理内容落盘根路径；空：使用系统临时目录下按会话隔离的默认路径
    reduction_clear_exclude: [] # 不参与「清理阶段」的工具名额外列表（会与 task/transfer/exit 等内置排除项合并）；需要时用 YAML 列表填写
-    reduction_sub_agents: false # true：子代理也挂 reduction；false：仅编排主代理使用 reduction
+    reduction_sub_agents: true # true：子代理也挂 reduction；false：仅编排主代理使用 reduction
+    summarization_trigger_ratio: 0.8 # summarization 触发比例（max_total_tokens * ratio），建议 0.75~0.85
+    summarization_emit_internal_events: true # true：发出 summarization 内部事件（便于诊断）
+    history_input_budget_ratio: 0.35 # 历史入队预算比例（max_total_tokens * ratio）
+    plan_execute_user_input_budget_ratio: 0.35 # plan_execute 中 userInput 预算比例（planner/replanner/executor 共用）
+    plan_execute_executed_steps_budget_ratio: 0.2 # plan_execute 中 executed_steps 预算比例
+    plan_execute_max_step_result_runes: 4000 # plan_execute 每步结果最大字符数（超出截断）
+    plan_execute_keep_last_steps: 8 # plan_execute 仅保留最近 N 步正文，早期步骤折叠为标题
    checkpoint_dir: "" # 非空：为 adk.NewRunner 启用按会话子目录的文件型 CheckPointStore，便于中断恢复持久化；Resume 的 HTTP/前端流程需另行对接
    deep_output_key: "" # 非空：将最终助手输出写入 adk session 的键名（Deep 与 Supervisor 主代理）；空表示不写入
    deep_model_retry_max_retries: 0 # >0：ChatModel 调用失败时的框架级最大重试次数（Deep 与 Supervisor 主）；0：不重试
@@ -12,7 +12,7 @@
 | 项 | 说明 |
 |----|------|
 | 依赖与代理 | `go.mod` 直接依赖 `github.com/cloudwego/eino`、`eino-ext/.../openai`；`go.mod` 注释与 `scripts/bootstrap-go.sh` 指导 **GOPROXY**（如 `https://goproxy.cn,direct`）。 |
-| 配置 | `config.yaml` → `multi_agent`：`enabled`、`default_mode`、`robot_use_multi_agent`、`max_iteration`、`sub_agents`（含可选 `bind_role`）、`eino_skills`、`eino_middleware` 等；结构体见 `internal/config/config.go`。 |
+| 配置 | `config.yaml` → `multi_agent`：`enabled`、`robot_use_multi_agent`、`max_iteration`、`sub_agents`（含可选 `bind_role`）、`eino_skills`、`eino_middleware` 等；结构体见 `internal/config/config.go`。 |
 | Markdown 子代理 / 主代理 | 在 `agents_dir` 下放 `*.md`。**子代理**：供 Deep `task` 与 `supervisor` `transfer`。**主代理（按模式分离）**：`orchestrator.md`（或 `kind: orchestrator` 的**单个**其他 .md）→ **Deep**；固定名 `orchestrator-plan-execute.md` → **plan_execute**；固定名 `orchestrator-supervisor.md` → **supervisor**。正文优先于 YAML：`multi_agent.orchestrator_instruction`、`orchestrator_instruction_plan_execute`、`orchestrator_instruction_supervisor`；plan_execute / supervisor **不会**回退到 Deep 的 `orchestrator_instruction`。皆空时 plan_execute / supervisor 使用代码内置默认提示。管理：**Agents → Agent管理**；API：`/api/multi-agent/markdown-agents*`。 |
 | MCP 桥 | `internal/einomcp`：`ToolsFromDefinitions` + 会话 ID 持有者，执行走 `Agent.ExecuteMCPToolForConversation`。 |
 | 编排 | `internal/multiagent/runner.go`：`deep.New` + 子 `ChatModelAgent` + `adk.NewRunner`（`EnableStreaming: true`，可选 `CheckPointStore`），事件映射为现有 SSE `tool_call` / `response_delta` 等。 |
@@ -22,7 +22,7 @@
 | 前端 | 主聊天 / WebShell：`multi_agent.enabled` 时可选 **原生 ReAct** 与三种 Eino 命名，多代理路径在 JSON 中带 `orchestration`。设置页不再配置预置编排项；`plan_execute` 外层循环上限等仍可在设置中保存。 |
 | 流式兼容 | 与 `/api/agent-loop/stream` 共用 `handleStreamEvent`：`conversation`、`progress`、`response_start` / `response_delta`、`thinking` / `thinking_stream_*`（模型 `ReasoningContent`）、`tool_*`、`response`、`done` 等；`tool_result` 带 `toolCallId` 与 `tool_call` 联动；`data.mcpExecutionIds` 与进度 i18n 已对齐。 |
 | 批量任务 | 队列 `agentMode` 为 `deep` / `plan_execute` / `supervisor` 时子任务带对应 `orchestration` 调用 `RunDeepAgent`；旧值 `multi` 与「`agentMode` 为空且 `batch_use_multi_agent: true`」均按 `deep`。 |
-| 配置 API | `GET /api/config` 返回 `multi_agent: { enabled, default_mode, robot_use_multi_agent, sub_agent_count }`；`PUT /api/config` 可更新前三项（不覆盖 `sub_agents`）。 |
+| 配置 API | `GET /api/config` 返回 `multi_agent: { enabled, robot_use_multi_agent, sub_agent_count }`；`PUT /api/config` 可更新 `enabled`、`robot_use_multi_agent`（不覆盖 `sub_agents`）。 |
 | OpenAPI | 多代理路径说明已更新（流式未启用为 SSE 错误事件）。 |
 | 机器人 | `ProcessMessageForRobot` 在 `enabled && robot_use_multi_agent` 时调用 `multiagent.RunDeepAgent`。 |
 | 预置编排 | 聊天 / WebShell：`POST /api/multi-agent*` 请求体 `orchestration`：`deep` \| `plan_execute` \| `supervisor`（缺省 `deep`）。`plan_execute` 不构建 YAML/Markdown 子代理；`plan_execute_loop_max_iterations` 仍来自配置。`supervisor` 至少需一个子代理。 |
@@ -39,6 +39,7 @@ type Agent struct {
 	toolNameMapping       map[string]string // 工具名称映射：OpenAI格式 -> 原始格式（用于外部MCP工具）
 	currentConversationID string            // 当前对话ID（用于自动传递给工具）
 	promptBaseDir         string            // 解析 system_prompt_path 时相对路径的基准目录（通常为 config.yaml 所在目录）
+	toolDescriptionMode   string            // 工具描述模式: "short" | "full"，默认 short
 }

 // ResultStorage 结果存储接口（直接使用 storage 包的类型）
@@ -53,6 +54,37 @@ type ResultStorage interface {
 	DeleteResult(executionID string) error
 }

+type toolCallInterceptorCtxKey struct{}
+
+type agentConversationIDKey struct{}
+
+func withAgentConversationID(ctx context.Context, id string) context.Context {
+	id = strings.TrimSpace(id)
+	if id == "" || ctx == nil {
+		return ctx
+	}
+	return context.WithValue(ctx, agentConversationIDKey{}, id)
+}
+
+func agentConversationIDFromContext(ctx context.Context) string {
+	if ctx == nil {
+		return ""
+	}
+	v, _ := ctx.Value(agentConversationIDKey{}).(string)
+	return v
+}
+
+// ToolCallInterceptor allows caller to gate or rewrite tool arguments just before execution.
+// Returning a non-nil error means the tool call is rejected and execution is skipped.
+type ToolCallInterceptor func(ctx context.Context, toolName string, args map[string]interface{}, toolCallID string) (map[string]interface{}, error)
+
+func WithToolCallInterceptor(ctx context.Context, fn ToolCallInterceptor) context.Context {
+	if fn == nil {
+		return ctx
+	}
+	return context.WithValue(ctx, toolCallInterceptorCtxKey{}, fn)
+}
+
 // NewAgent 创建新的Agent
 func NewAgent(cfg *config.OpenAIConfig, agentCfg *config.AgentConfig, mcpServer *mcp.Server, externalMCPMgr *mcp.ExternalMCPManager, logger *zap.Logger, maxIterations int) *Agent {
 	// 如果 maxIterations 为 0 或负数，使用默认值 30
@@ -131,6 +163,7 @@ func NewAgent(cfg *config.OpenAIConfig, agentCfg *config.AgentConfig, mcpServer
 		resultStorage:        resultStorage,
 		largeResultThreshold: largeResultThreshold,
 		toolNameMapping:      make(map[string]string), // 初始化工具名称映射
+		toolDescriptionMode:  "short",
 	}
 }

@@ -305,10 +338,10 @@ func (fc *FunctionCall) UnmarshalJSON(data []byte) error {

 // AgentLoopResult Agent Loop执行结果
 type AgentLoopResult struct {
-	Response        string
-	MCPExecutionIDs []string
-	LastReActInput  string // 最后一轮ReAct的输入（压缩后的messages，JSON格式）
-	LastReActOutput string // 最终大模型的输出
+	Response             string
+	MCPExecutionIDs      []string
+	LastAgentTraceInput  string // 最后一轮代理消息轨迹（压缩后的 messages，JSON；与 multiagent.RunResult 字段对齐）
+	LastAgentTraceOutput string // 最终助手输出文本
 }

 // ProgressCallback 进度回调函数类型
@@ -348,7 +381,8 @@ func (a *Agent) EinoSingleAgentSystemInstruction() string {

 // AgentLoopWithProgress 执行Agent循环（带进度回调和对话ID）
 func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, historyMessages []ChatMessage, conversationID string, callback ProgressCallback, roleTools []string) (*AgentLoopResult, error) {
-	// 设置当前对话ID
+	ctx = withAgentConversationID(ctx, conversationID)
+	// 设置当前对话ID（兼容未走 context 的旧路径；并发会话应以 context 为准）
 	a.mu.Lock()
 	a.currentConversationID = conversationID
 	a.mu.Unlock()
@@ -439,7 +473,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 	}

 	// 用于保存当前的messages，以便在异常情况下也能保存ReAct输入
-	var currentReActInput string
+	var currentAgentTraceInput string

 	maxIterations := a.maxIterations
 	thinkingStreamSeq := 0
@@ -458,9 +492,9 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 		if err != nil {
 			a.logger.Warn("序列化ReAct输入失败", zap.Error(err))
 		} else {
-			currentReActInput = string(messagesJSON)
+			currentAgentTraceInput = string(messagesJSON)
 			// 更新result中的值，确保始终保存最新的ReAct输入（压缩后的）
-			result.LastReActInput = currentReActInput
+			result.LastAgentTraceInput = currentAgentTraceInput
 		}

 		// 检查上下文是否已取消
@@ -468,13 +502,13 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 		case <-ctx.Done():
 			// 上下文被取消（可能是用户主动暂停或其他原因）
 			a.logger.Info("检测到上下文取消，保存当前ReAct数据", zap.Error(ctx.Err()))
-			result.LastReActInput = currentReActInput
+			result.LastAgentTraceInput = currentAgentTraceInput
 			if ctx.Err() == context.Canceled {
 				result.Response = "任务已被取消。"
 			} else {
 				result.Response = fmt.Sprintf("任务执行中断: %v", ctx.Err())
 			}
-			result.LastReActOutput = result.Response
+			result.LastAgentTraceOutput = result.Response
 			return result, ctx.Err()
 		default:
 		}
@@ -568,10 +602,10 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 		})
 		if err != nil {
 			// API调用失败，保存当前的ReAct输入和错误信息作为输出
-			result.LastReActInput = currentReActInput
+			result.LastAgentTraceInput = currentAgentTraceInput
 			errorMsg := fmt.Sprintf("调用OpenAI失败: %v", err)
 			result.Response = errorMsg
-			result.LastReActOutput = errorMsg
+			result.LastAgentTraceOutput = errorMsg
 			a.logger.Warn("OpenAI调用失败，已保存ReAct数据", zap.Error(err))
 			return result, fmt.Errorf("调用OpenAI失败: %w", err)
 		}
@@ -597,19 +631,19 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 				continue
 			}
 			// OpenAI返回错误，保存当前的ReAct输入和错误信息作为输出
-			result.LastReActInput = currentReActInput
+			result.LastAgentTraceInput = currentAgentTraceInput
 			errorMsg := fmt.Sprintf("OpenAI错误: %s", response.Error.Message)
 			result.Response = errorMsg
-			result.LastReActOutput = errorMsg
+			result.LastAgentTraceOutput = errorMsg
 			return result, fmt.Errorf("OpenAI错误: %s", response.Error.Message)
 		}

 		if len(response.Choices) == 0 {
 			// 没有收到响应，保存当前的ReAct输入和错误信息作为输出
-			result.LastReActInput = currentReActInput
+			result.LastAgentTraceInput = currentAgentTraceInput
 			errorMsg := "没有收到响应"
 			result.Response = errorMsg
-			result.LastReActOutput = errorMsg
+			result.LastAgentTraceOutput = errorMsg
 			return result, fmt.Errorf("没有收到响应")
 		}

@@ -653,22 +687,49 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 					"iteration":    i + 1,
 				})

+				execArgs := toolCall.Function.Arguments
+				if interceptor, ok := ctx.Value(toolCallInterceptorCtxKey{}).(ToolCallInterceptor); ok && interceptor != nil {
+					newArgs, interceptErr := interceptor(ctx, toolCall.Function.Name, execArgs, toolCall.ID)
+					if interceptErr != nil {
+						errorMsg := fmt.Sprintf("工具调用被人工拒绝: %v", interceptErr)
+						messages = append(messages, ChatMessage{
+							Role:       "tool",
+							ToolCallID: toolCall.ID,
+							Content:    errorMsg,
+						})
+						sendProgress("tool_result", fmt.Sprintf("工具 %s 执行失败", toolCall.Function.Name), map[string]interface{}{
+							"toolName":   toolCall.Function.Name,
+							"success":    false,
+							"isError":    true,
+							"error":      errorMsg,
+							"toolCallId": toolCall.ID,
+							"index":      idx + 1,
+							"total":      len(choice.Message.ToolCalls),
+							"iteration":  i + 1,
+						})
+						continue
+					}
+					if newArgs != nil {
+						execArgs = newArgs
+					}
+				}
+
 				// 执行工具
 				toolCtx := context.WithValue(ctx, security.ToolOutputCallbackCtxKey, security.ToolOutputCallback(func(chunk string) {
 					if strings.TrimSpace(chunk) == "" {
 						return
 					}
 					sendProgress("tool_result_delta", chunk, map[string]interface{}{
-						"toolName":    toolCall.Function.Name,
-						"toolCallId":  toolCall.ID,
-						"index":       idx + 1,
-						"total":       len(choice.Message.ToolCalls),
-						"iteration":   i + 1,
+						"toolName":   toolCall.Function.Name,
+						"toolCallId": toolCall.ID,
+						"index":      idx + 1,
+						"total":      len(choice.Message.ToolCalls),
+						"iteration":  i + 1,
 						// success 在最终 tool_result 事件里会以 success/isError 标记为准
 					})
 				}))

-				execResult, err := a.executeToolViaMCP(toolCtx, toolCall.Function.Name, toolCall.Function.Arguments)
+				execResult, err := a.executeToolViaMCP(toolCtx, toolCall.Function.Name, execArgs)
 				if err != nil {
 					// 构建详细的错误信息，帮助AI理解问题并做出决策
 					errorMsg := a.formatToolError(toolCall.Function.Name, toolCall.Function.Arguments, err)
@@ -746,7 +807,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 				// 流式调用OpenAI获取总结（不提供工具，强制AI直接回复）
 				sendProgress("response_start", "", map[string]interface{}{
 					"conversationId":     conversationID,
-					"mcpExecutionIds":   result.MCPExecutionIDs,
+					"mcpExecutionIds":    result.MCPExecutionIDs,
 					"messageGeneratedBy": "summary",
 				})
 				streamText, _ := a.callOpenAIStreamText(ctx, messages, []Tool{}, func(delta string) error {
@@ -757,7 +818,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 				})
 				if strings.TrimSpace(streamText) != "" {
 					result.Response = streamText
-					result.LastReActOutput = result.Response
+					result.LastAgentTraceOutput = result.Response
 					sendProgress("progress", "总结生成完成", nil)
 					return result, nil
 				}
@@ -793,7 +854,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 			// 流式调用OpenAI获取总结（不提供工具，强制AI直接回复）
 			sendProgress("response_start", "", map[string]interface{}{
 				"conversationId":     conversationID,
-				"mcpExecutionIds":   result.MCPExecutionIDs,
+				"mcpExecutionIds":    result.MCPExecutionIDs,
 				"messageGeneratedBy": "summary",
 			})
 			streamText, _ := a.callOpenAIStreamText(ctx, messages, []Tool{}, func(delta string) error {
@@ -804,14 +865,14 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 			})
 			if strings.TrimSpace(streamText) != "" {
 				result.Response = streamText
-				result.LastReActOutput = result.Response
+				result.LastAgentTraceOutput = result.Response
 				sendProgress("progress", "总结生成完成", nil)
 				return result, nil
 			}
 			// 如果获取总结失败，使用当前回复作为结果
 			if choice.Message.Content != "" {
 				result.Response = choice.Message.Content
-				result.LastReActOutput = result.Response
+				result.LastAgentTraceOutput = result.Response
 				return result, nil
 			}
 			// 如果都没有内容，跳出循环，让后续逻辑处理
@@ -822,7 +883,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 		if choice.FinishReason == "stop" {
 			sendProgress("progress", "正在生成最终回复...", nil)
 			result.Response = choice.Message.Content
-			result.LastReActOutput = result.Response
+			result.LastAgentTraceOutput = result.Response
 			return result, nil
 		}
 	}
@@ -840,7 +901,7 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 	// 流式调用OpenAI获取总结（不提供工具，强制AI直接回复）
 	sendProgress("response_start", "", map[string]interface{}{
 		"conversationId":     conversationID,
-		"mcpExecutionIds":   result.MCPExecutionIDs,
+		"mcpExecutionIds":    result.MCPExecutionIDs,
 		"messageGeneratedBy": "max_iter_summary",
 	})
 	streamText, _ := a.callOpenAIStreamText(ctx, messages, []Tool{}, func(delta string) error {
@@ -851,19 +912,19 @@ func (a *Agent) AgentLoopWithProgress(ctx context.Context, userInput string, his
 	})
 	if strings.TrimSpace(streamText) != "" {
 		result.Response = streamText
-		result.LastReActOutput = result.Response
+		result.LastAgentTraceOutput = result.Response
 		sendProgress("progress", "总结生成完成", nil)
 		return result, nil
 	}

 	// 如果无法生成总结，返回友好的提示
 	result.Response = fmt.Sprintf("已达到最大迭代次数（%d轮）。系统已执行了多轮测试，但由于达到迭代上限，无法继续自动执行。建议您查看已执行的工具结果，或提出新的测试请求以继续测试。", a.maxIterations)
-	result.LastReActOutput = result.Response
+	result.LastAgentTraceOutput = result.Response
 	return result, nil
 }

 // getAvailableTools 获取可用工具
-// 从MCP服务器动态获取工具列表，使用简短描述以减少token消耗
+// 从MCP服务器动态获取工具列表，描述模式由 tool_description_mode 控制
 // roleTools: 角色配置的工具列表（toolKey格式），如果为空或nil，则使用所有工具（默认角色）
 func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 	// 构建角色工具集合（用于快速查找）
@@ -887,11 +948,7 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 				continue // 不在角色工具列表中，跳过
 			}
 		}
-		// 使用简短描述（如果存在），否则使用详细描述
-		description := mcpTool.ShortDescription
-		if description == "" {
-			description = mcpTool.Description
-		}
+		description := a.pickToolDescription(mcpTool.ShortDescription, mcpTool.Description)

 		// 转换schema中的类型为OpenAI标准类型
 		convertedSchema := a.convertSchemaTypes(mcpTool.InputSchema)
@@ -913,17 +970,13 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 		defer cancel()

 		externalTools, err := a.externalMCPMgr.GetAllTools(ctx)
+		extMap := make(map[string]string)
 		if err != nil {
 			a.logger.Warn("获取外部MCP工具失败", zap.Error(err))
 		} else {
 			// 获取外部MCP配置，用于检查工具启用状态
 			externalMCPConfigs := a.externalMCPMgr.GetConfigs()

-			// 清空并重建工具名称映射
-			a.mu.Lock()
-			a.toolNameMapping = make(map[string]string)
-			a.mu.Unlock()
-
 			// 将外部MCP工具添加到工具列表（只添加启用的工具）
 			for _, externalTool := range externalTools {
 				// 外部工具使用 "mcpName::toolName" 作为toolKey
@@ -969,11 +1022,7 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 					continue
 				}

-				// 使用简短描述（如果存在），否则使用详细描述
-				description := externalTool.ShortDescription
-				if description == "" {
-					description = externalTool.Description
-				}
+				description := a.pickToolDescription(externalTool.ShortDescription, externalTool.Description)

 				// 转换schema中的类型为OpenAI标准类型
 				convertedSchema := a.convertSchemaTypes(externalTool.InputSchema)
@@ -983,9 +1032,7 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 				openAIName := strings.ReplaceAll(externalTool.Name, "::", "__")

 				// 保存名称映射关系（OpenAI格式 -> 原始格式）
-				a.mu.Lock()
-				a.toolNameMapping[openAIName] = externalTool.Name
-				a.mu.Unlock()
+				extMap[openAIName] = externalTool.Name

 				tools = append(tools, Tool{
 					Type: "function",
@@ -997,6 +1044,9 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 				})
 			}
 		}
+		a.mu.Lock()
+		a.toolNameMapping = extMap
+		a.mu.Unlock()
 	}

 	a.logger.Debug("获取可用工具列表",
@@ -1007,6 +1057,19 @@ func (a *Agent) getAvailableTools(roleTools []string) []Tool {
 	return tools
 }

+func (a *Agent) pickToolDescription(shortDesc, fullDesc string) string {
+	a.mu.RLock()
+	mode := strings.TrimSpace(strings.ToLower(a.toolDescriptionMode))
+	a.mu.RUnlock()
+	if mode == "full" {
+		return fullDesc
+	}
+	if shortDesc != "" {
+		return shortDesc
+	}
+	return fullDesc
+}
+
 // convertSchemaTypes 递归转换schema中的类型为OpenAI标准类型
 func (a *Agent) convertSchemaTypes(schema map[string]interface{}) map[string]interface{} {
 	if schema == nil {
@@ -1390,9 +1453,12 @@ func (a *Agent) executeToolViaMCP(ctx context.Context, toolName string, args map

 	// 如果是record_vulnerability工具，自动添加conversation_id
 	if toolName == builtin.ToolRecordVulnerability {
-		a.mu.RLock()
-		conversationID := a.currentConversationID
-		a.mu.RUnlock()
+		conversationID := agentConversationIDFromContext(ctx)
+		if conversationID == "" {
+			a.mu.RLock()
+			conversationID = a.currentConversationID
+			a.mu.RUnlock()
+		}

 		if conversationID != "" {
 			args["conversation_id"] = conversationID
@@ -1606,6 +1672,18 @@ func (a *Agent) UpdateMaxIterations(maxIterations int) {
 	}
 }

+// UpdateToolDescriptionMode 更新工具描述模式（short/full）
+func (a *Agent) UpdateToolDescriptionMode(mode string) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	mode = strings.TrimSpace(strings.ToLower(mode))
+	if mode != "full" {
+		mode = "short"
+	}
+	a.toolDescriptionMode = mode
+	a.logger.Info("Agent工具描述模式已更新", zap.String("tool_description_mode", mode))
+}
+
 // formatToolError 格式化工具错误信息，提供更友好的错误描述
 func (a *Agent) formatToolError(toolName string, args map[string]interface{}, err error) string {
 	errorMsg := fmt.Sprintf(`工具执行失败
@@ -18,62 +18,62 @@ import (
 func setupTestAgent(t *testing.T) (*Agent, *storage.FileResultStorage) {
 	logger := zap.NewNop()
 	mcpServer := mcp.NewServer(logger)
-	
+
 	openAICfg := &config.OpenAIConfig{
 		APIKey:  "test-key",
 		BaseURL: "https://api.test.com/v1",
 		Model:   "test-model",
 	}
-	
+
 	agentCfg := &config.AgentConfig{
 		MaxIterations:        10,
 		LargeResultThreshold: 100, // 设置较小的阈值便于测试
 		ResultStorageDir:     "",
 	}
-	
+
 	agent := NewAgent(openAICfg, agentCfg, mcpServer, nil, logger, 10)
-	
+
 	// 创建测试存储
 	tmpDir := filepath.Join(os.TempDir(), "test_agent_storage_"+time.Now().Format("20060102_150405"))
 	testStorage, err := storage.NewFileResultStorage(tmpDir, logger)
 	if err != nil {
 		t.Fatalf("创建测试存储失败: %v", err)
 	}
-	
+
 	agent.SetResultStorage(testStorage)
-	
+
 	return agent, testStorage
 }

 func TestAgent_FormatMinimalNotification(t *testing.T) {
 	agent, testStorage := setupTestAgent(t)
 	_ = testStorage // 避免未使用变量警告
-	
+
 	executionID := "test_exec_001"
 	toolName := "nmap_scan"
 	size := 50000
 	lineCount := 1000
 	filePath := "tmp/test_exec_001.txt"
-	
+
 	notification := agent.formatMinimalNotification(executionID, toolName, size, lineCount, filePath)
-	
+
 	// 验证通知包含必要信息
 	if !strings.Contains(notification, executionID) {
 		t.Errorf("通知中应该包含执行ID: %s", executionID)
 	}
-	
+
 	if !strings.Contains(notification, toolName) {
 		t.Errorf("通知中应该包含工具名称: %s", toolName)
 	}
-	
+
 	if !strings.Contains(notification, "50000") {
 		t.Errorf("通知中应该包含大小信息")
 	}
-	
+
 	if !strings.Contains(notification, "1000") {
 		t.Errorf("通知中应该包含行数信息")
 	}
-	
+
 	if !strings.Contains(notification, "query_execution_result") {
 		t.Errorf("通知中应该包含查询工具的使用说明")
 	}
@@ -81,7 +81,7 @@ func TestAgent_FormatMinimalNotification(t *testing.T) {

 func TestAgent_ExecuteToolViaMCP_LargeResult(t *testing.T) {
 	agent, _ := setupTestAgent(t)
-	
+
 	// 创建模拟的MCP工具结果（大结果）
 	largeResult := &mcp.ToolResult{
 		Content: []mcp.Content{
@@ -92,59 +92,59 @@ func TestAgent_ExecuteToolViaMCP_LargeResult(t *testing.T) {
 		},
 		IsError: false,
 	}
-	
+
 	// 模拟MCP服务器返回大结果
 	// 由于我们需要模拟CallTool的行为，这里需要创建一个mock或者使用实际的MCP服务器
 	// 为了简化测试，我们直接测试结果处理逻辑
-	
+
 	// 设置阈值
 	agent.mu.Lock()
 	agent.largeResultThreshold = 1000 // 设置较小的阈值
 	agent.mu.Unlock()
-	
+
 	// 创建执行ID
 	executionID := "test_exec_large_001"
 	toolName := "test_tool"
-	
+
 	// 格式化结果
 	var resultText strings.Builder
 	for _, content := range largeResult.Content {
 		resultText.WriteString(content.Text)
 		resultText.WriteString("\n")
 	}
-	
+
 	resultStr := resultText.String()
 	resultSize := len(resultStr)
-	
+
 	// 检测大结果并保存
 	agent.mu.RLock()
 	threshold := agent.largeResultThreshold
 	storage := agent.resultStorage
 	agent.mu.RUnlock()
-	
+
 	if resultSize > threshold && storage != nil {
 		// 保存大结果
 		err := storage.SaveResult(executionID, toolName, resultStr)
 		if err != nil {
 			t.Fatalf("保存大结果失败: %v", err)
 		}
-		
+
 		// 生成通知
 		lines := strings.Split(resultStr, "\n")
 		filePath := storage.GetResultPath(executionID)
 		notification := agent.formatMinimalNotification(executionID, toolName, resultSize, len(lines), filePath)
-		
+
 		// 验证通知格式
 		if !strings.Contains(notification, executionID) {
 			t.Errorf("通知中应该包含执行ID")
 		}
-		
+
 		// 验证结果已保存
 		savedResult, err := storage.GetResult(executionID)
 		if err != nil {
 			t.Fatalf("获取保存的结果失败: %v", err)
 		}
-		
+
 		if savedResult != resultStr {
 			t.Errorf("保存的结果与原始结果不匹配")
 		}
@@ -155,7 +155,7 @@ func TestAgent_ExecuteToolViaMCP_LargeResult(t *testing.T) {

 func TestAgent_ExecuteToolViaMCP_SmallResult(t *testing.T) {
 	agent, _ := setupTestAgent(t)
-	
+
 	// 创建小结果
 	smallResult := &mcp.ToolResult{
 		Content: []mcp.Content{
@@ -166,32 +166,32 @@ func TestAgent_ExecuteToolViaMCP_SmallResult(t *testing.T) {
 		},
 		IsError: false,
 	}
-	
+
 	// 设置较大的阈值
 	agent.mu.Lock()
 	agent.largeResultThreshold = 100000 // 100KB
 	agent.mu.Unlock()
-	
+
 	// 格式化结果
 	var resultText strings.Builder
 	for _, content := range smallResult.Content {
 		resultText.WriteString(content.Text)
 		resultText.WriteString("\n")
 	}
-	
+
 	resultStr := resultText.String()
 	resultSize := len(resultStr)
-	
+
 	// 检测大结果
 	agent.mu.RLock()
 	threshold := agent.largeResultThreshold
 	storage := agent.resultStorage
 	agent.mu.RUnlock()
-	
+
 	if resultSize > threshold && storage != nil {
 		t.Fatal("小结果不应该被保存")
 	}
-	
+
 	// 小结果应该直接返回
 	if resultSize <= threshold {
 		// 这是预期的行为
@@ -203,26 +203,26 @@ func TestAgent_ExecuteToolViaMCP_SmallResult(t *testing.T) {

 func TestAgent_SetResultStorage(t *testing.T) {
 	agent, _ := setupTestAgent(t)
-	
+
 	// 创建新的存储
 	tmpDir := filepath.Join(os.TempDir(), "test_new_storage_"+time.Now().Format("20060102_150405"))
 	newStorage, err := storage.NewFileResultStorage(tmpDir, zap.NewNop())
 	if err != nil {
 		t.Fatalf("创建新存储失败: %v", err)
 	}
-	
+
 	// 设置新存储
 	agent.SetResultStorage(newStorage)
-	
+
 	// 验证存储已更新
 	agent.mu.RLock()
 	currentStorage := agent.resultStorage
 	agent.mu.RUnlock()
-	
+
 	if currentStorage != newStorage {
 		t.Fatal("存储未正确更新")
 	}
-	
+
 	// 清理
 	os.RemoveAll(tmpDir)
 }
@@ -230,24 +230,24 @@ func TestAgent_SetResultStorage(t *testing.T) {
 func TestAgent_NewAgent_DefaultValues(t *testing.T) {
 	logger := zap.NewNop()
 	mcpServer := mcp.NewServer(logger)
-	
+
 	openAICfg := &config.OpenAIConfig{
 		APIKey:  "test-key",
 		BaseURL: "https://api.test.com/v1",
 		Model:   "test-model",
 	}
-	
+
 	// 测试默认配置
 	agent := NewAgent(openAICfg, nil, mcpServer, nil, logger, 0)
-	
+
 	if agent.maxIterations != 30 {
 		t.Errorf("默认迭代次数不匹配。期望: 30, 实际: %d", agent.maxIterations)
 	}
-	
+
 	agent.mu.RLock()
 	threshold := agent.largeResultThreshold
 	agent.mu.RUnlock()
-	
+
 	if threshold != 50*1024 {
 		t.Errorf("默认阈值不匹配。期望: %d, 实际: %d", 50*1024, threshold)
 	}
@@ -256,31 +256,30 @@ func TestAgent_NewAgent_DefaultValues(t *testing.T) {
 func TestAgent_NewAgent_CustomConfig(t *testing.T) {
 	logger := zap.NewNop()
 	mcpServer := mcp.NewServer(logger)
-	
+
 	openAICfg := &config.OpenAIConfig{
 		APIKey:  "test-key",
 		BaseURL: "https://api.test.com/v1",
 		Model:   "test-model",
 	}
-	
+
 	agentCfg := &config.AgentConfig{
 		MaxIterations:        20,
 		LargeResultThreshold: 100 * 1024, // 100KB
 		ResultStorageDir:     "custom_tmp",
 	}
-	
+
 	agent := NewAgent(openAICfg, agentCfg, mcpServer, nil, logger, 15)
-	
+
 	if agent.maxIterations != 15 {
 		t.Errorf("迭代次数不匹配。期望: 15, 实际: %d", agent.maxIterations)
 	}
-	
+
 	agent.mu.RLock()
 	threshold := agent.largeResultThreshold
 	agent.mu.RUnlock()
-	
+
 	if threshold != 100*1024 {
 		t.Errorf("阈值不匹配。期望: %d, 实际: %d", 100*1024, threshold)
 	}
 }
-
@@ -91,6 +91,20 @@ func DefaultSingleAgentSystemPrompt() string {

 当工具返回错误时，错误信息会包含在工具响应中，请仔细阅读并做出合理的决策。

+## 结束条件与停止约束
+
+- 在「未完成用户目标」前，不得输出纯计划/纯建议式结论并结束本轮；必须继续给出可执行下一步，并优先通过工具验证。
+- 若你准备结束回答，先执行一次自检：
+  1) 是否已有可验证证据支撑“任务完成/无法继续”的结论；
+  2) 是否至少尝试过当前路径的合理替代（参数、路径、方法、入口）；
+  3) 是否仍存在可执行且低成本的下一步验证动作。
+- 仅当满足以下任一条件时，才允许输出最终收尾：
+  1) 已达到用户目标并给出证据；
+  2) 达到明确边界（超时、权限、目标不可达、工具不可用且无替代），并清楚说明阻断点与已尝试项；
+  3) 用户明确要求停止。
+- 若最近一步得到 404/空结果/无效响应，不得直接结束；至少再进行一次“同目标不同策略”的验证（如变更路径、参数、请求方法、上下文来源）。
+- 避免无效空转：同一工具+同类参数连续失败 3 次后，必须切换策略（改工具、改入口、改假设）并说明切换原因。
+
 ## 漏洞记录

 发现有效漏洞时，必须使用 ` + builtin.ToolRecordVulnerability + ` 记录：标题、描述、严重程度、类型、目标、证明（POC）、影响、修复建议。
@@ -256,11 +256,11 @@ func orchestratorConfigFromOrchestrator(o *OrchestratorMarkdown) config.MultiAge
 		return config.MultiAgentSubConfig{}
 	}
 	return config.MultiAgentSubConfig{
-		ID:            o.EinoName,
-		Name:          o.DisplayName,
-		Description:   o.Description,
-		Instruction:   o.Instruction,
-		Kind:          "orchestrator",
+		ID:          o.EinoName,
+		Name:        o.DisplayName,
+		Description: o.Description,
+		Instruction: o.Instruction,
+		Kind:        "orchestrator",
 	}
 }

@@ -133,6 +133,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 		maxIterations = 30 // 默认值
 	}
 	agent := agent.NewAgent(&cfg.OpenAI, &cfg.Agent, mcpServer, externalMCPMgr, log.Logger, maxIterations)
+	agent.UpdateToolDescriptionMode(cfg.Security.ToolDescriptionMode)

 	// 设置结果存储到Agent
 	agent.SetResultStorage(resultStorage)
@@ -317,6 +318,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 	}
 	monitorHandler := handler.NewMonitorHandler(mcpServer, executor, db, log.Logger)
 	monitorHandler.SetExternalMCPManager(externalMCPMgr) // 设置外部MCP管理器，以便获取外部MCP执行记录
+	notificationHandler := handler.NewNotificationHandler(db, agentHandler, log.Logger)
 	groupHandler := handler.NewGroupHandler(db, log.Logger)
 	authHandler := handler.NewAuthHandler(authManager, cfg, configPath, log.Logger)
 	attackChainHandler := handler.NewAttackChainHandler(db, &cfg.OpenAI, log.Logger)
@@ -326,6 +328,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 	registerWebshellTools(mcpServer, db, webshellHandler, log.Logger)
 	registerWebshellManagementTools(mcpServer, db, webshellHandler, log.Logger)
 	configHandler := handler.NewConfigHandler(configPath, cfg, mcpServer, executor, agent, attackChainHandler, externalMCPMgr, log.Logger)
+	agentHandler.SetHitlToolWhitelistSaver(configHandler)
 	externalMCPHandler := handler.NewExternalMCPHandler(externalMCPMgr, cfg, configPath, log.Logger)
 	roleHandler := handler.NewRoleHandler(cfg, configPath, log.Logger)
 	skillsHandler := handler.NewSkillsHandler(cfg, configPath, log.Logger)
@@ -432,6 +435,7 @@ func New(cfg *config.Config, log *logger.Logger) (*App, error) {
 		authHandler,
 		agentHandler,
 		monitorHandler,
+		notificationHandler,
 		conversationHandler,
 		robotHandler,
 		groupHandler,
@@ -598,6 +602,7 @@ func setupRoutes(
 	authHandler *handler.AuthHandler,
 	agentHandler *handler.AgentHandler,
 	monitorHandler *handler.MonitorHandler,
+	notificationHandler *handler.NotificationHandler,
 	conversationHandler *handler.ConversationHandler,
 	robotHandler *handler.RobotHandler,
 	groupHandler *handler.GroupHandler,
@@ -654,9 +659,16 @@ func setupRoutes(
 		// Eino ADK 单代理（ChatModelAgent + Runner；不依赖 multi_agent.enabled）
 		protected.POST("/eino-agent", agentHandler.EinoSingleAgentLoop)
 		protected.POST("/eino-agent/stream", agentHandler.EinoSingleAgentLoopStream)
+		protected.GET("/hitl/pending", agentHandler.ListHITLPending)
+		protected.POST("/hitl/decision", agentHandler.DecideHITLInterrupt)
+		protected.POST("/hitl/dismiss", agentHandler.DismissHITLInterrupt)
+		protected.GET("/hitl/config/:conversationId", agentHandler.GetHITLConversationConfig)
+		protected.PUT("/hitl/config", agentHandler.UpsertHITLConversationConfig)
+		protected.POST("/hitl/tool-whitelist", agentHandler.MergeHITLGlobalToolWhitelist)
 		// Agent Loop 取消与任务列表
 		protected.POST("/agent-loop/cancel", agentHandler.CancelAgentLoop)
 		protected.GET("/agent-loop/tasks", agentHandler.ListAgentTasks)
+		protected.GET("/agent-loop/task-events", agentHandler.SubscribeAgentTaskEvents)
 		protected.GET("/agent-loop/tasks/completed", agentHandler.ListCompletedTasks)

 		// Eino DeepAgent 多代理（与单 Agent 并存，需 config.multi_agent.enabled）
@@ -719,6 +731,8 @@ func setupRoutes(
 		protected.DELETE("/monitor/execution/:id", monitorHandler.DeleteExecution)
 		protected.DELETE("/monitor/executions", monitorHandler.DeleteExecutions)
 		protected.GET("/monitor/stats", monitorHandler.GetStats)
+		protected.GET("/notifications/summary", notificationHandler.GetSummary)
+		protected.POST("/notifications/read", notificationHandler.MarkRead)

 		// 配置管理
 		protected.GET("/config", configHandler.GetConfig)
@@ -893,6 +907,8 @@ func setupRoutes(

 		// 漏洞管理
 		protected.GET("/vulnerabilities", vulnerabilityHandler.ListVulnerabilities)
+		protected.GET("/vulnerabilities/export", vulnerabilityHandler.ExportVulnerabilities)
+		protected.GET("/vulnerabilities/filter-options", vulnerabilityHandler.GetVulnerabilityFilterOptions)
 		protected.GET("/vulnerabilities/stats", vulnerabilityHandler.GetVulnerabilityStats)
 		protected.GET("/vulnerabilities/:id", vulnerabilityHandler.GetVulnerability)
 		protected.POST("/vulnerabilities", vulnerabilityHandler.CreateVulnerability)
@@ -145,7 +145,7 @@ func (b *Builder) BuildChainFromConversation(ctx context.Context, conversationID
 	}

 	// 1. 优先尝试从数据库获取保存的最后一轮ReAct输入和输出
-	reactInputJSON, modelOutput, err := b.db.GetReActData(conversationID)
+	reactInputJSON, modelOutput, err := b.db.GetAgentTrace(conversationID)
 	if err != nil {
 		b.logger.Warn("获取保存的ReAct数据失败，将使用消息历史构建", zap.Error(err))
 		// 继续使用原来的逻辑
@@ -170,7 +170,7 @@ func (b *Builder) BuildChainFromConversation(ctx context.Context, conversationID
 			messageCount = len(tempMessages)
 		}

-		dataSource = "database_last_react_input"
+		dataSource = "database_last_agent_trace"
 		b.logger.Info("使用保存的ReAct数据构建攻击链",
 			zap.String("conversationId", conversationID),
 			zap.String("dataSource", dataSource),
@@ -183,7 +183,7 @@ func (b *Builder) BuildChainFromConversation(ctx context.Context, conversationID
 		// userInput = b.extractUserInputFromReActInput(reactInputJSON)

 		// 将JSON格式的messages转换为可读格式
-		reactInputFinal = b.formatReActInputFromJSON(reactInputJSON)
+		reactInputFinal = b.formatAgentTraceInputFromJSON(reactInputJSON)
 	} else {
 		// 2. 如果没有保存的ReAct数据，从对话消息构建
 		dataSource = "messages_table"
@@ -201,7 +201,7 @@ func (b *Builder) BuildChainFromConversation(ctx context.Context, conversationID
 		}

 		// 提取最后一轮ReAct的输入（历史消息+当前用户输入）
-		reactInputFinal = b.buildReActInput(messages)
+		reactInputFinal = b.buildAgentTraceInput(messages)

 		// 提取大模型最后的输出（最后一条assistant消息）
 		for i := len(messages) - 1; i >= 0; i-- {
@@ -212,7 +212,7 @@ func (b *Builder) BuildChainFromConversation(ctx context.Context, conversationID
 		}
 	}

-	// 多代理：保存的 last_react_input 可能仅为首轮用户消息，不含工具轨迹；补充最后一轮助手的过程详情（与单代理「最后一轮 ReAct」对齐）
+	// 多代理：保存的轨迹列可能仅为首轮用户消息，不含工具轨迹；补充最后一轮助手的过程详情（与单代理完整轨迹对齐）
 	hasMCPOnAssistant := false
 	var lastAssistantID string
 	for i := len(messages) - 1; i >= 0; i-- {
@@ -320,7 +320,7 @@ func (b *Builder) formatProcessDetailsForAttackChain(details []database.ProcessD
 		}

 		// 1) 编排器的工具调用/结果：保留（这是“主 agent 调了什么工具”）
-		if (d.EventType == "tool_call" || d.EventType == "tool_result" || d.EventType == "tool_calls_detected" || d.EventType == "iteration" || d.EventType == "eino_recovery") && einoRole == "orchestrator" {
+		if (d.EventType == "tool_call" || d.EventType == "tool_result" || d.EventType == "tool_calls_detected" || d.EventType == "iteration") && einoRole == "orchestrator" {
 			sb.WriteString("[")
 			sb.WriteString(d.EventType)
 			sb.WriteString("] ")
@@ -366,8 +366,8 @@ func (b *Builder) formatProcessDetailsForAttackChain(details []database.ProcessD
 	return strings.TrimSpace(sb.String())
 }

-// buildReActInput 构建最后一轮ReAct的输入（历史消息+当前用户输入）
-func (b *Builder) buildReActInput(messages []database.Message) string {
+// buildAgentTraceInput 构建最后一轮ReAct的输入（历史消息+当前用户输入）
+func (b *Builder) buildAgentTraceInput(messages []database.Message) string {
 	var builder strings.Builder
 	for _, msg := range messages {
 		builder.WriteString(fmt.Sprintf("[%s]: %s\n\n", msg.Role, msg.Content))
@@ -396,8 +396,8 @@ func (b *Builder) buildReActInput(messages []database.Message) string {
 // 	return ""
 // }

-// formatReActInputFromJSON 将JSON格式的messages数组转换为可读的字符串格式
-func (b *Builder) formatReActInputFromJSON(reactInputJSON string) string {
+// formatAgentTraceInputFromJSON 将JSON格式的messages数组转换为可读的字符串格式
+func (b *Builder) formatAgentTraceInputFromJSON(reactInputJSON string) string {
 	var messages []map[string]interface{}
 	if err := json.Unmarshal([]byte(reactInputJSON), &messages); err != nil {
 		b.logger.Warn("解析ReAct输入JSON失败", zap.Error(err))
@@ -22,6 +22,7 @@ type Config struct {
 	OpenAI      OpenAIConfig          `yaml:"openai"`
 	FOFA        FofaConfig            `yaml:"fofa,omitempty" json:"fofa,omitempty"`
 	Agent       AgentConfig           `yaml:"agent"`
+	Hitl        HitlConfig            `yaml:"hitl,omitempty" json:"hitl,omitempty"`
 	Security    SecurityConfig        `yaml:"security"`
 	Database    DatabaseConfig        `yaml:"database"`
 	Auth        AuthConfig            `yaml:"auth"`
@@ -37,24 +38,26 @@ type Config struct {

 // MultiAgentConfig 基于 CloudWeGo Eino adk/prebuilt 的多代理编排（deep | plan_execute | supervisor，与单 Agent /agent-loop 并存）。
 type MultiAgentConfig struct {
-	Enabled            bool   `yaml:"enabled" json:"enabled"`
-	DefaultMode        string `yaml:"default_mode" json:"default_mode"`                   // single | multi，供前端默认展示
-	RobotUseMultiAgent bool   `yaml:"robot_use_multi_agent" json:"robot_use_multi_agent"` // 为 true 时钉钉/飞书/企微机器人走 Eino 多代理
-	BatchUseMultiAgent bool   `yaml:"batch_use_multi_agent" json:"batch_use_multi_agent"` // 为 true 时批量任务队列中每子任务走 Eino 多代理
+	Enabled            bool `yaml:"enabled" json:"enabled"`
+	RobotUseMultiAgent bool `yaml:"robot_use_multi_agent" json:"robot_use_multi_agent"` // 为 true 时钉钉/飞书/企微机器人走 Eino 多代理
+	BatchUseMultiAgent bool `yaml:"batch_use_multi_agent" json:"batch_use_multi_agent"` // 为 true 时批量任务队列中每子任务走 Eino 多代理
 	// Orchestration 已弃用：保留仅兼容旧版 config.yaml；编排由聊天/WebShell 请求体 orchestration 决定，未传时按 deep。
 	Orchestration string `yaml:"orchestration,omitempty" json:"orchestration,omitempty"`
 	MaxIteration  int    `yaml:"max_iteration" json:"max_iteration"` // 主代理 / 执行器最大推理轮次（Deep、Supervisor、plan_execute 的 Executor）
 	// PlanExecuteLoopMaxIterations plan_execute 模式下 execute↔replan 外层循环上限；0 表示用 Eino 默认 10。
-	PlanExecuteLoopMaxIterations int                   `yaml:"plan_execute_loop_max_iterations,omitempty" json:"plan_execute_loop_max_iterations,omitempty"`
-	SubAgentMaxIterations        int                   `yaml:"sub_agent_max_iterations" json:"sub_agent_max_iterations"`
-	WithoutGeneralSubAgent       bool                  `yaml:"without_general_sub_agent" json:"without_general_sub_agent"`
-	WithoutWriteTodos            bool                  `yaml:"without_write_todos" json:"without_write_todos"`
-	OrchestratorInstruction      string                `yaml:"orchestrator_instruction" json:"orchestrator_instruction"`
+	PlanExecuteLoopMaxIterations int    `yaml:"plan_execute_loop_max_iterations,omitempty" json:"plan_execute_loop_max_iterations,omitempty"`
+	SubAgentMaxIterations        int    `yaml:"sub_agent_max_iterations" json:"sub_agent_max_iterations"`
+	WithoutGeneralSubAgent       bool   `yaml:"without_general_sub_agent" json:"without_general_sub_agent"`
+	WithoutWriteTodos            bool   `yaml:"without_write_todos" json:"without_write_todos"`
+	OrchestratorInstruction      string `yaml:"orchestrator_instruction" json:"orchestrator_instruction"`
 	// OrchestratorInstructionPlanExecute plan_execute 主代理（规划侧）系统提示；非空且 agents/orchestrator-plan-execute.md 正文为空或未存在时生效。不与 Deep 的 orchestrator_instruction 混用。
 	OrchestratorInstructionPlanExecute string `yaml:"orchestrator_instruction_plan_execute,omitempty" json:"orchestrator_instruction_plan_execute,omitempty"`
 	// OrchestratorInstructionSupervisor supervisor 主代理系统提示（transfer/exit 说明仍由运行追加）；非空且 agents/orchestrator-supervisor.md 正文为空或未存在时生效。
-	OrchestratorInstructionSupervisor string `yaml:"orchestrator_instruction_supervisor,omitempty" json:"orchestrator_instruction_supervisor,omitempty"`
-	SubAgents                    []MultiAgentSubConfig `yaml:"sub_agents" json:"sub_agents"`
+	OrchestratorInstructionSupervisor string                `yaml:"orchestrator_instruction_supervisor,omitempty" json:"orchestrator_instruction_supervisor,omitempty"`
+	SubAgents                         []MultiAgentSubConfig `yaml:"sub_agents" json:"sub_agents"`
+	// SubAgentUserContextMaxRunes caps the user-context supplement appended to task descriptions for sub-agents.
+	// 0 (default) uses the built-in default of 2000 runes; negative value disables injection entirely.
+	SubAgentUserContextMaxRunes int `yaml:"sub_agent_user_context_max_runes,omitempty" json:"sub_agent_user_context_max_runes,omitempty"`
 	// EinoSkills configures CloudWeGo Eino ADK skill middleware + optional local filesystem/execute on DeepAgent.
 	EinoSkills MultiAgentEinoSkillsConfig `yaml:"eino_skills,omitempty" json:"eino_skills,omitempty"`
 	// EinoMiddleware wires optional ADK middleware (patchtoolcalls, toolsearch, plantask, reduction) and Deep extras.
@@ -69,15 +72,33 @@ type MultiAgentEinoMiddlewareConfig struct {
 	ToolSearchEnable        bool `yaml:"tool_search_enable,omitempty" json:"tool_search_enable,omitempty"`
 	ToolSearchMinTools      int  `yaml:"tool_search_min_tools,omitempty" json:"tool_search_min_tools,omitempty"`           // default 20; applies when len(tools) >= this
 	ToolSearchAlwaysVisible int  `yaml:"tool_search_always_visible,omitempty" json:"tool_search_always_visible,omitempty"` // default 12; first N tools stay always visible
+	// ToolSearchAlwaysVisibleTools keeps specified tool names always visible (never hidden by tool_search).
+	ToolSearchAlwaysVisibleTools []string `yaml:"tool_search_always_visible_tools,omitempty" json:"tool_search_always_visible_tools,omitempty"`
 	// Plantask adds TaskCreate/Get/Update/List (file-backed under skills dir); requires eino_skills + local backend.
 	PlantaskEnable bool `yaml:"plantask_enable,omitempty" json:"plantask_enable,omitempty"`
 	// PlantaskRelDir relative to skills_dir for per-conversation task boards (default .eino/plantask).
 	PlantaskRelDir string `yaml:"plantask_rel_dir,omitempty" json:"plantask_rel_dir,omitempty"`
 	// Reduction truncates/offloads large tool outputs (requires eino local backend for Write).
-	ReductionEnable           bool     `yaml:"reduction_enable,omitempty" json:"reduction_enable,omitempty"`
-	ReductionRootDir          string   `yaml:"reduction_root_dir,omitempty" json:"reduction_root_dir,omitempty"` // default: os temp + conversation id
-	ReductionClearExclude     []string `yaml:"reduction_clear_exclude,omitempty" json:"reduction_clear_exclude,omitempty"`
-	ReductionSubAgents        bool     `yaml:"reduction_sub_agents,omitempty" json:"reduction_sub_agents,omitempty"` // also attach to sub-agents
+	ReductionEnable       bool     `yaml:"reduction_enable,omitempty" json:"reduction_enable,omitempty"`
+	ReductionRootDir      string   `yaml:"reduction_root_dir,omitempty" json:"reduction_root_dir,omitempty"` // default: os temp + conversation id
+	ReductionMaxLengthForTrunc int `yaml:"reduction_max_length_for_trunc,omitempty" json:"reduction_max_length_for_trunc,omitempty"` // default 12000
+	ReductionMaxTokensForClear int `yaml:"reduction_max_tokens_for_clear,omitempty" json:"reduction_max_tokens_for_clear,omitempty"` // default 50000
+	ReductionClearExclude []string `yaml:"reduction_clear_exclude,omitempty" json:"reduction_clear_exclude,omitempty"`
+	ReductionSubAgents    bool     `yaml:"reduction_sub_agents,omitempty" json:"reduction_sub_agents,omitempty"` // also attach to sub-agents
+	// SummarizationTriggerRatio controls summarization trigger threshold as max_total_tokens * ratio (default 0.8).
+	SummarizationTriggerRatio float64 `yaml:"summarization_trigger_ratio,omitempty" json:"summarization_trigger_ratio,omitempty"`
+	// SummarizationEmitInternalEvents controls middleware internal event emission (default true).
+	SummarizationEmitInternalEvents *bool `yaml:"summarization_emit_internal_events,omitempty" json:"summarization_emit_internal_events,omitempty"`
+	// HistoryInputBudgetRatio caps pre-agent history tokens as max_total_tokens * ratio (default 0.35).
+	HistoryInputBudgetRatio float64 `yaml:"history_input_budget_ratio,omitempty" json:"history_input_budget_ratio,omitempty"`
+	// PlanExecuteUserInputBudgetRatio caps planner/replanner/executor userInput prompt budget ratio (default 0.35).
+	PlanExecuteUserInputBudgetRatio float64 `yaml:"plan_execute_user_input_budget_ratio,omitempty" json:"plan_execute_user_input_budget_ratio,omitempty"`
+	// PlanExecuteExecutedStepsBudgetRatio caps executed_steps prompt budget ratio (default 0.2).
+	PlanExecuteExecutedStepsBudgetRatio float64 `yaml:"plan_execute_executed_steps_budget_ratio,omitempty" json:"plan_execute_executed_steps_budget_ratio,omitempty"`
+	// PlanExecuteMaxStepResultRunes caps each executed step result length for prompt view (default 4000).
+	PlanExecuteMaxStepResultRunes int `yaml:"plan_execute_max_step_result_runes,omitempty" json:"plan_execute_max_step_result_runes,omitempty"`
+	// PlanExecuteKeepLastSteps keeps only the tail steps in prompt view (default 8).
+	PlanExecuteKeepLastSteps int `yaml:"plan_execute_keep_last_steps,omitempty" json:"plan_execute_keep_last_steps,omitempty"`
 	// CheckpointDir when non-empty enables adk.Runner CheckPointStore (file-backed) for interrupt/resume persistence.
 	CheckpointDir string `yaml:"checkpoint_dir,omitempty" json:"checkpoint_dir,omitempty"`
 	// DeepOutputKey passed to deep.Config OutputKey (session final text); empty = off.
@@ -88,6 +109,97 @@ type MultiAgentEinoMiddlewareConfig struct {
 	TaskToolDescriptionPrefix string `yaml:"task_tool_description_prefix,omitempty" json:"task_tool_description_prefix,omitempty"`
 }

+func (c MultiAgentEinoMiddlewareConfig) SummarizationTriggerRatioEffective() float64 {
+	v := c.SummarizationTriggerRatio
+	if v <= 0 {
+		return 0.8
+	}
+	if v < 0.5 {
+		return 0.5
+	}
+	if v > 0.95 {
+		return 0.95
+	}
+	return v
+}
+
+func (c MultiAgentEinoMiddlewareConfig) SummarizationEmitInternalEventsEffective() bool {
+	if c.SummarizationEmitInternalEvents != nil {
+		return *c.SummarizationEmitInternalEvents
+	}
+	return true
+}
+
+func (c MultiAgentEinoMiddlewareConfig) HistoryInputBudgetRatioEffective() float64 {
+	v := c.HistoryInputBudgetRatio
+	if v <= 0 {
+		return 0.35
+	}
+	if v < 0.15 {
+		return 0.15
+	}
+	if v > 0.6 {
+		return 0.6
+	}
+	return v
+}
+
+func (c MultiAgentEinoMiddlewareConfig) PlanExecuteUserInputBudgetRatioEffective() float64 {
+	v := c.PlanExecuteUserInputBudgetRatio
+	if v <= 0 {
+		return 0.35
+	}
+	if v < 0.1 {
+		return 0.1
+	}
+	if v > 0.6 {
+		return 0.6
+	}
+	return v
+}
+
+func (c MultiAgentEinoMiddlewareConfig) PlanExecuteExecutedStepsBudgetRatioEffective() float64 {
+	v := c.PlanExecuteExecutedStepsBudgetRatio
+	if v <= 0 {
+		return 0.2
+	}
+	if v < 0.08 {
+		return 0.08
+	}
+	if v > 0.5 {
+		return 0.5
+	}
+	return v
+}
+
+func (c MultiAgentEinoMiddlewareConfig) PlanExecuteMaxStepResultRunesEffective() int {
+	if c.PlanExecuteMaxStepResultRunes > 0 {
+		return c.PlanExecuteMaxStepResultRunes
+	}
+	return 4000
+}
+
+func (c MultiAgentEinoMiddlewareConfig) PlanExecuteKeepLastStepsEffective() int {
+	if c.PlanExecuteKeepLastSteps > 0 {
+		return c.PlanExecuteKeepLastSteps
+	}
+	return 8
+}
+
+func (c MultiAgentEinoMiddlewareConfig) ReductionMaxLengthForTruncEffective() int {
+	if c.ReductionMaxLengthForTrunc > 0 {
+		return c.ReductionMaxLengthForTrunc
+	}
+	return 12000
+}
+
+func (c MultiAgentEinoMiddlewareConfig) ReductionMaxTokensForClearEffective() int {
+	if c.ReductionMaxTokensForClear > 0 {
+		return c.ReductionMaxTokensForClear
+	}
+	return 50000
+}
+
 // MultiAgentEinoSkillsConfig toggles Eino official skill progressive disclosure and host filesystem tools.
 type MultiAgentEinoSkillsConfig struct {
 	// Disable skips skill middleware (and does not attach local FS tools for Deep).
@@ -129,12 +241,13 @@ type MultiAgentSubConfig struct {
 // MultiAgentPublic 返回给前端的精简信息（不含子代理指令全文）。
 type MultiAgentPublic struct {
 	Enabled                      bool   `json:"enabled"`
-	DefaultMode                  string `json:"default_mode"`
 	RobotUseMultiAgent           bool   `json:"robot_use_multi_agent"`
 	BatchUseMultiAgent           bool   `json:"batch_use_multi_agent"`
 	SubAgentCount                int    `json:"sub_agent_count"`
 	Orchestration                string `json:"orchestration,omitempty"`
 	PlanExecuteLoopMaxIterations int    `json:"plan_execute_loop_max_iterations"`
+	ToolSearchAlwaysVisibleTools []string `json:"tool_search_always_visible_tools,omitempty"`
+	ToolSearchAlwaysVisibleEffectiveTools []string `json:"tool_search_always_visible_effective_tools,omitempty"`
 }

 // NormalizeMultiAgentOrchestration 返回 deep、plan_execute 或 supervisor。
@@ -152,11 +265,11 @@ func NormalizeMultiAgentOrchestration(s string) string {

 // MultiAgentAPIUpdate 设置页/API 仅更新多代理标量字段；写入 YAML 时不覆盖 sub_agents 等块。
 type MultiAgentAPIUpdate struct {
-	Enabled                      bool   `json:"enabled"`
-	DefaultMode                  string `json:"default_mode"`
-	RobotUseMultiAgent           bool   `json:"robot_use_multi_agent"`
-	BatchUseMultiAgent           bool   `json:"batch_use_multi_agent"`
-	PlanExecuteLoopMaxIterations *int   `json:"plan_execute_loop_max_iterations,omitempty"`
+	Enabled                      bool `json:"enabled"`
+	RobotUseMultiAgent           bool `json:"robot_use_multi_agent"`
+	BatchUseMultiAgent           bool `json:"batch_use_multi_agent"`
+	PlanExecuteLoopMaxIterations *int `json:"plan_execute_loop_max_iterations,omitempty"`
+	ToolSearchAlwaysVisibleTools []string `json:"tool_search_always_visible_tools,omitempty"`
 }

 // RobotsConfig 机器人配置（企业微信、钉钉、飞书等）
@@ -244,6 +357,13 @@ type AgentConfig struct {
 	SystemPromptPath string `yaml:"system_prompt_path,omitempty" json:"system_prompt_path,omitempty"`
 }

+// HitlConfig 人机协同全局选项；与会话侧栏/API 中的白名单合并为并集后参与判定。
+// tool_whitelist 可在侧栏「应用」时合并写入 config.yaml 并立即生效；其他字段若仅改文件仍需重启。
+type HitlConfig struct {
+	// ToolWhitelist 全局免审批工具名（与每条会话配置的 sensitiveTools 语义相同：白名单内工具不触发 HITL）。
+	ToolWhitelist []string `yaml:"tool_whitelist,omitempty" json:"tool_whitelist,omitempty"`
+}
+
 type AuthConfig struct {
 	Password                    string `yaml:"password" json:"password"`
 	SessionDurationHours        int    `yaml:"session_duration_hours" json:"session_duration_hours"`
@@ -950,10 +1070,10 @@ type RolesConfig struct {

 // RoleConfig 单个角色配置
 type RoleConfig struct {
-	Name        string   `yaml:"name" json:"name"`                         // 角色名称
-	Description string   `yaml:"description" json:"description"`           // 角色描述
-	UserPrompt  string   `yaml:"user_prompt" json:"user_prompt"`           // 用户提示词(追加到用户消息前)
-	Icon        string   `yaml:"icon,omitempty" json:"icon,omitempty"`     // 角色图标（可选）
+	Name        string   `yaml:"name" json:"name"`                       // 角色名称
+	Description string   `yaml:"description" json:"description"`         // 角色描述
+	UserPrompt  string   `yaml:"user_prompt" json:"user_prompt"`         // 用户提示词(追加到用户消息前)
+	Icon        string   `yaml:"icon,omitempty" json:"icon,omitempty"`   // 角色图标（可选）
 	Tools       []string `yaml:"tools,omitempty" json:"tools,omitempty"` // 关联的工具列表（toolKey格式，如 "toolName" 或 "mcpName::toolName"）
 	MCPs        []string `yaml:"mcps,omitempty" json:"mcps,omitempty"`   // 向后兼容：关联的MCP服务器列表（已废弃，使用tools替代）
 	Enabled     bool     `yaml:"enabled" json:"enabled"`                 // 是否启用
@@ -165,4 +165,3 @@ func (db *DB) DeleteAttackChain(conversationID string) error {

 	return nil
 }
-
@@ -4,6 +4,8 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"

@@ -308,7 +310,7 @@ func (db *DB) GetConversationLite(id string) (*Conversation, error) {
 func (db *DB) ListConversations(limit, offset int, search string) ([]*Conversation, error) {
 	var rows *sql.Rows
 	var err error
-	
+
 	if search != "" {
 		// 使用 EXISTS 子查询代替 LEFT JOIN + DISTINCT，避免大表笛卡尔积
 		searchPattern := "%" + search + "%"
@@ -327,7 +329,7 @@ func (db *DB) ListConversations(limit, offset int, search string) ([]*Conversati
 			limit, offset,
 		)
 	}
-	
+
 	if err != nil {
 		return nil, fmt.Errorf("查询对话列表失败: %w", err)
 	}
@@ -416,25 +418,34 @@ func (db *DB) DeleteConversation(id string) error {
 	if err != nil {
 		return fmt.Errorf("删除对话失败: %w", err)
 	}
+	// Best-effort cleanup for conversation-scoped filesystem artifacts
+	// (e.g., summarization transcript, reduction/checkpoint files under conversation_artifacts/<id>).
+	if base := strings.TrimSpace(db.conversationArtifactsDir); base != "" {
+		artDir := filepath.Join(base, id)
+		if rmErr := os.RemoveAll(artDir); rmErr != nil {
+			db.logger.Warn("删除会话 artifacts 目录失败", zap.String("conversationId", id), zap.String("dir", artDir), zap.Error(rmErr))
+		}
+	}

 	db.logger.Info("对话及其所有相关数据已删除", zap.String("conversationId", id))
 	return nil
 }

-// SaveReActData 保存最后一轮ReAct的输入和输出
-func (db *DB) SaveReActData(conversationID, reactInput, reactOutput string) error {
+// SaveAgentTrace 保存最后一轮代理消息轨迹与助手输出摘要。
+// SQLite 列名仍为 last_react_input / last_react_output，与历史库表兼容；语义上为「全模式代理轨迹」，非仅 ReAct。
+func (db *DB) SaveAgentTrace(conversationID, traceInputJSON, assistantOutput string) error {
 	_, err := db.Exec(
 		"UPDATE conversations SET last_react_input = ?, last_react_output = ?, updated_at = ? WHERE id = ?",
-		reactInput, reactOutput, time.Now(), conversationID,
+		traceInputJSON, assistantOutput, time.Now(), conversationID,
 	)
 	if err != nil {
-		return fmt.Errorf("保存ReAct数据失败: %w", err)
+		return fmt.Errorf("保存代理轨迹失败: %w", err)
 	}
 	return nil
 }

-// GetReActData 获取最后一轮ReAct的输入和输出
-func (db *DB) GetReActData(conversationID string) (reactInput, reactOutput string, err error) {
+// GetAgentTrace 读取 conversations 中保存的代理轨迹（列名 last_react_*）。
+func (db *DB) GetAgentTrace(conversationID string) (traceInputJSON, assistantOutput string, err error) {
 	var input, output sql.NullString
 	err = db.QueryRow(
 		"SELECT last_react_input, last_react_output FROM conversations WHERE id = ?",
@@ -444,17 +455,17 @@ func (db *DB) GetReActData(conversationID string) (reactInput, reactOutput strin
 		if err == sql.ErrNoRows {
 			return "", "", fmt.Errorf("对话不存在")
 		}
-		return "", "", fmt.Errorf("获取ReAct数据失败: %w", err)
+		return "", "", fmt.Errorf("获取代理轨迹失败: %w", err)
 	}

 	if input.Valid {
-		reactInput = input.String
+		traceInputJSON = input.String
 	}
 	if output.Valid {
-		reactOutput = output.String
+		assistantOutput = output.String
 	}

-	return reactInput, reactOutput, nil
+	return traceInputJSON, assistantOutput, nil
 }

 // ConversationHasToolProcessDetails 对话是否存在已落库的工具调用/结果（用于多代理等场景下 MCP execution id 未汇总时的攻击链判定）。
@@ -3,6 +3,8 @@ package database
 import (
 	"database/sql"
 	"fmt"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"

@@ -21,7 +23,8 @@ func configureDBPool(db *sql.DB) {
 // DB 数据库连接
 type DB struct {
 	*sql.DB
-	logger *zap.Logger
+	logger                   *zap.Logger
+	conversationArtifactsDir string
 }

 // NewDB 创建数据库连接
@@ -41,6 +44,13 @@ func NewDB(dbPath string, logger *zap.Logger) (*DB, error) {
 		DB:     db,
 		logger: logger,
 	}
+	// Keep conversation-scoped artifacts near database files, so cleanup can follow conversation lifecycle.
+	baseDir := filepath.Join(filepath.Dir(dbPath), "conversation_artifacts")
+	if mkErr := os.MkdirAll(baseDir, 0o755); mkErr == nil {
+		database.conversationArtifactsDir = baseDir
+	} else if logger != nil {
+		logger.Warn("创建 conversation artifacts 目录失败", zap.String("dir", baseDir), zap.Error(mkErr))
+	}

 	// 初始化表
 	if err := database.initTables(); err != nil {
@@ -52,7 +62,7 @@ func NewDB(dbPath string, logger *zap.Logger) (*DB, error) {

 // initTables 初始化数据库表
 func (db *DB) initTables() error {
-	// 创建对话表
+	// 创建对话表（last_react_input / last_react_output 存「代理消息轨迹」JSON 与助手摘要，列名保留以兼容已有库）
 	createConversationsTable := `
 	CREATE TABLE IF NOT EXISTS conversations (
 		id TEXT PRIMARY KEY,
@@ -197,6 +207,8 @@ func (db *DB) initTables() error {
 	CREATE TABLE IF NOT EXISTS vulnerabilities (
 		id TEXT PRIMARY KEY,
 		conversation_id TEXT NOT NULL,
+		conversation_tag TEXT,
+		task_tag TEXT,
 		title TEXT NOT NULL,
 		description TEXT,
 		severity TEXT NOT NULL,
@@ -257,6 +269,8 @@ func (db *DB) initTables() error {
 		method TEXT NOT NULL DEFAULT 'post',
 		cmd_param TEXT NOT NULL DEFAULT '',
 		remark TEXT NOT NULL DEFAULT '',
+		encoding TEXT NOT NULL DEFAULT '',
+		os TEXT NOT NULL DEFAULT '',
 		created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
 	);`

@@ -289,6 +303,8 @@ func (db *DB) initTables() error {
 	CREATE INDEX IF NOT EXISTS idx_conversation_group_mappings_group ON conversation_group_mappings(group_id);
 	CREATE INDEX IF NOT EXISTS idx_conversations_pinned ON conversations(pinned);
 	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_conversation_id ON vulnerabilities(conversation_id);
+	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_conversation_tag ON vulnerabilities(conversation_tag);
+	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_task_tag ON vulnerabilities(task_tag);
 	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_severity ON vulnerabilities(severity);
 	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_status ON vulnerabilities(status);
 	CREATE INDEX IF NOT EXISTS idx_vulnerabilities_created_at ON vulnerabilities(created_at);
@@ -383,6 +399,15 @@ func (db *DB) initTables() error {
 		db.logger.Warn("迁移batch_task_queues表失败", zap.Error(err))
 		// 不返回错误，允许继续运行
 	}
+	if err := db.migrateVulnerabilitiesTable(); err != nil {
+		db.logger.Warn("迁移vulnerabilities表失败", zap.Error(err))
+		// 不返回错误，允许继续运行
+	}
+
+	if err := db.migrateWebshellConnectionsTable(); err != nil {
+		db.logger.Warn("迁移webshell_connections表失败", zap.Error(err))
+		// 不返回错误，允许继续运行
+	}

 	if _, err := db.Exec(createIndexes); err != nil {
 		return fmt.Errorf("创建索引失败: %w", err)
@@ -683,6 +708,68 @@ func (db *DB) migrateBatchTaskQueuesTable() error {
 	return nil
 }

+// migrateVulnerabilitiesTable 迁移 vulnerabilities 表，补充标签字段
+func (db *DB) migrateVulnerabilitiesTable() error {
+	columns := []struct {
+		name string
+		stmt string
+	}{
+		{name: "conversation_tag", stmt: "ALTER TABLE vulnerabilities ADD COLUMN conversation_tag TEXT"},
+		{name: "task_tag", stmt: "ALTER TABLE vulnerabilities ADD COLUMN task_tag TEXT"},
+	}
+
+	for _, col := range columns {
+		var count int
+		err := db.QueryRow("SELECT COUNT(*) FROM pragma_table_info('vulnerabilities') WHERE name=?", col.name).Scan(&count)
+		if err != nil {
+			if _, addErr := db.Exec(col.stmt); addErr != nil {
+				errMsg := strings.ToLower(addErr.Error())
+				if !strings.Contains(errMsg, "duplicate column") && !strings.Contains(errMsg, "already exists") {
+					db.logger.Warn("添加vulnerabilities字段失败", zap.String("field", col.name), zap.Error(addErr))
+				}
+			}
+			continue
+		}
+		if count == 0 {
+			if _, addErr := db.Exec(col.stmt); addErr != nil {
+				db.logger.Warn("添加vulnerabilities字段失败", zap.String("field", col.name), zap.Error(addErr))
+			}
+		}
+	}
+	return nil
+}
+
+// migrateWebshellConnectionsTable 迁移 webshell_connections 表，补充新字段
+func (db *DB) migrateWebshellConnectionsTable() error {
+	columns := []struct {
+		name string
+		stmt string
+	}{
+		{name: "encoding", stmt: "ALTER TABLE webshell_connections ADD COLUMN encoding TEXT NOT NULL DEFAULT ''"},
+		{name: "os", stmt: "ALTER TABLE webshell_connections ADD COLUMN os TEXT NOT NULL DEFAULT ''"},
+	}
+
+	for _, col := range columns {
+		var count int
+		err := db.QueryRow("SELECT COUNT(*) FROM pragma_table_info('webshell_connections') WHERE name=?", col.name).Scan(&count)
+		if err != nil {
+			if _, addErr := db.Exec(col.stmt); addErr != nil {
+				errMsg := strings.ToLower(addErr.Error())
+				if !strings.Contains(errMsg, "duplicate column") && !strings.Contains(errMsg, "already exists") {
+					db.logger.Warn("添加webshell_connections字段失败", zap.String("field", col.name), zap.Error(addErr))
+				}
+			}
+			continue
+		}
+		if count == 0 {
+			if _, addErr := db.Exec(col.stmt); addErr != nil {
+				db.logger.Warn("添加webshell_connections字段失败", zap.String("field", col.name), zap.Error(addErr))
+			}
+		}
+	}
+	return nil
+}
+
 // NewKnowledgeDB 创建知识库数据库连接（只包含知识库相关的表）
 func NewKnowledgeDB(dbPath string, logger *zap.Logger) (*DB, error) {
 	sqlDB, err := sql.Open("sqlite3", dbPath+"?_journal_mode=WAL&_foreign_keys=1&_busy_timeout=5000&_synchronous=NORMAL")
@@ -12,7 +12,11 @@ import (
 // Vulnerability 漏洞
 type Vulnerability struct {
 	ID              string    `json:"id"`
-	ConversationID string    `json:"conversation_id"`
+	ConversationID  string    `json:"conversation_id"`
+	ConversationTag string    `json:"conversation_tag,omitempty"`
+	TaskTag         string    `json:"task_tag,omitempty"`
+	TaskID          string    `json:"task_id,omitempty"`
+	TaskQueueID     string    `json:"task_queue_id,omitempty"`
 	Title           string    `json:"title"`
 	Description     string    `json:"description"`
 	Severity        string    `json:"severity"` // critical, high, medium, low, info
@@ -42,15 +46,15 @@ func (db *DB) CreateVulnerability(vuln *Vulnerability) (*Vulnerability, error) {

 	query := `
 		INSERT INTO vulnerabilities (
-			id, conversation_id, title, description, severity, status,
+			id, conversation_id, conversation_tag, task_tag, title, description, severity, status,
 			vulnerability_type, target, proof, impact, recommendation,
 			created_at, updated_at
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 	`

 	_, err := db.Exec(
 		query,
-		vuln.ID, vuln.ConversationID, vuln.Title, vuln.Description,
+		vuln.ID, vuln.ConversationID, vuln.ConversationTag, vuln.TaskTag, vuln.Title, vuln.Description,
 		vuln.Severity, vuln.Status, vuln.Type, vuln.Target,
 		vuln.Proof, vuln.Impact, vuln.Recommendation,
 		vuln.CreatedAt, vuln.UpdatedAt,
@@ -67,7 +71,9 @@ func (db *DB) GetVulnerability(id string) (*Vulnerability, error) {
 	var vuln Vulnerability
 	query := `
 		SELECT id, conversation_id, title, description, severity, status,
-		       vulnerability_type, target, proof, impact, recommendation,
+		       conversation_tag, task_tag, vulnerability_type, target, proof, impact, recommendation,
+		       COALESCE((SELECT bt.id FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id LIMIT 1), '') AS task_id,
+		       COALESCE((SELECT bt.queue_id FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id LIMIT 1), '') AS task_queue_id,
 		       created_at, updated_at
 		FROM vulnerabilities
 		WHERE id = ?
@@ -75,8 +81,9 @@ func (db *DB) GetVulnerability(id string) (*Vulnerability, error) {

 	err := db.QueryRow(query, id).Scan(
 		&vuln.ID, &vuln.ConversationID, &vuln.Title, &vuln.Description,
-		&vuln.Severity, &vuln.Status, &vuln.Type, &vuln.Target,
+		&vuln.Severity, &vuln.Status, &vuln.ConversationTag, &vuln.TaskTag, &vuln.Type, &vuln.Target,
 		&vuln.Proof, &vuln.Impact, &vuln.Recommendation,
+		&vuln.TaskID, &vuln.TaskQueueID,
 		&vuln.CreatedAt, &vuln.UpdatedAt,
 	)
 	if err != nil {
@@ -90,10 +97,12 @@ func (db *DB) GetVulnerability(id string) (*Vulnerability, error) {
 }

 // ListVulnerabilities 列出漏洞
-func (db *DB) ListVulnerabilities(limit, offset int, id, conversationID, severity, status string) ([]*Vulnerability, error) {
+func (db *DB) ListVulnerabilities(limit, offset int, id, conversationID, severity, status, taskID, conversationTag, taskTag string) ([]*Vulnerability, error) {
 	query := `
-		SELECT id, conversation_id, title, description, severity, status,
+		SELECT id, conversation_id, title, description, severity, status, conversation_tag, task_tag,
 		       vulnerability_type, target, proof, impact, recommendation,
+		       COALESCE((SELECT bt.id FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id LIMIT 1), '') AS task_id,
+		       COALESCE((SELECT bt.queue_id FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id LIMIT 1), '') AS task_queue_id,
 		       created_at, updated_at
 		FROM vulnerabilities
 		WHERE 1=1
@@ -108,6 +117,18 @@ func (db *DB) ListVulnerabilities(limit, offset int, id, conversationID, severit
 		query += " AND conversation_id = ?"
 		args = append(args, conversationID)
 	}
+	if taskID != "" {
+		query += " AND EXISTS (SELECT 1 FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id AND (bt.id = ? OR bt.queue_id = ?))"
+		args = append(args, taskID, taskID)
+	}
+	if conversationTag != "" {
+		query += " AND conversation_tag = ?"
+		args = append(args, conversationTag)
+	}
+	if taskTag != "" {
+		query += " AND task_tag = ?"
+		args = append(args, taskTag)
+	}
 	if severity != "" {
 		query += " AND severity = ?"
 		args = append(args, severity)
@@ -131,8 +152,9 @@ func (db *DB) ListVulnerabilities(limit, offset int, id, conversationID, severit
 		var vuln Vulnerability
 		err := rows.Scan(
 			&vuln.ID, &vuln.ConversationID, &vuln.Title, &vuln.Description,
-			&vuln.Severity, &vuln.Status, &vuln.Type, &vuln.Target,
+			&vuln.Severity, &vuln.Status, &vuln.ConversationTag, &vuln.TaskTag, &vuln.Type, &vuln.Target,
 			&vuln.Proof, &vuln.Impact, &vuln.Recommendation,
+			&vuln.TaskID, &vuln.TaskQueueID,
 			&vuln.CreatedAt, &vuln.UpdatedAt,
 		)
 		if err != nil {
@@ -146,7 +168,7 @@ func (db *DB) ListVulnerabilities(limit, offset int, id, conversationID, severit
 }

 // CountVulnerabilities 统计漏洞总数（支持筛选条件）
-func (db *DB) CountVulnerabilities(id, conversationID, severity, status string) (int, error) {
+func (db *DB) CountVulnerabilities(id, conversationID, severity, status, taskID, conversationTag, taskTag string) (int, error) {
 	query := "SELECT COUNT(*) FROM vulnerabilities WHERE 1=1"
 	args := []interface{}{}

@@ -158,6 +180,18 @@ func (db *DB) CountVulnerabilities(id, conversationID, severity, status string)
 		query += " AND conversation_id = ?"
 		args = append(args, conversationID)
 	}
+	if taskID != "" {
+		query += " AND EXISTS (SELECT 1 FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id AND (bt.id = ? OR bt.queue_id = ?))"
+		args = append(args, taskID, taskID)
+	}
+	if conversationTag != "" {
+		query += " AND conversation_tag = ?"
+		args = append(args, conversationTag)
+	}
+	if taskTag != "" {
+		query += " AND task_tag = ?"
+		args = append(args, taskTag)
+	}
 	if severity != "" {
 		query += " AND severity = ?"
 		args = append(args, severity)
@@ -182,7 +216,7 @@ func (db *DB) UpdateVulnerability(id string, vuln *Vulnerability) error {

 	query := `
 		UPDATE vulnerabilities
-		SET title = ?, description = ?, severity = ?, status = ?,
+		SET conversation_tag = ?, task_tag = ?, title = ?, description = ?, severity = ?, status = ?,
 		    vulnerability_type = ?, target = ?, proof = ?, impact = ?,
 		    recommendation = ?, updated_at = ?
 		WHERE id = ?
@@ -190,7 +224,7 @@ func (db *DB) UpdateVulnerability(id string, vuln *Vulnerability) error {

 	_, err := db.Exec(
 		query,
-		vuln.Title, vuln.Description, vuln.Severity, vuln.Status,
+		vuln.ConversationTag, vuln.TaskTag, vuln.Title, vuln.Description, vuln.Severity, vuln.Status,
 		vuln.Type, vuln.Target, vuln.Proof, vuln.Impact,
 		vuln.Recommendation, vuln.UpdatedAt, id,
 	)
@@ -210,18 +244,24 @@ func (db *DB) DeleteVulnerability(id string) error {
 	return nil
 }

-// GetVulnerabilityStats 获取漏洞统计
-func (db *DB) GetVulnerabilityStats(conversationID string) (map[string]interface{}, error) {
+// GetVulnerabilityStats 获取漏洞统计（筛选条件与 ListVulnerabilities / CountVulnerabilities 一致）
+func (db *DB) GetVulnerabilityStats(conversationID, taskID string) (map[string]interface{}, error) {
 	stats := make(map[string]interface{})

+	where := "WHERE 1=1"
+	args := []interface{}{}
+	if conversationID != "" {
+		where += " AND conversation_id = ?"
+		args = append(args, conversationID)
+	}
+	if taskID != "" {
+		where += " AND EXISTS (SELECT 1 FROM batch_tasks bt WHERE bt.conversation_id = vulnerabilities.conversation_id AND (bt.id = ? OR bt.queue_id = ?))"
+		args = append(args, taskID, taskID)
+	}
+
 	// 总漏洞数
 	var totalCount int
-	query := "SELECT COUNT(*) FROM vulnerabilities"
-	args := []interface{}{}
-	if conversationID != "" {
-		query += " WHERE conversation_id = ?"
-		args = append(args, conversationID)
-	}
+	query := "SELECT COUNT(*) FROM vulnerabilities " + where
 	err := db.QueryRow(query, args...).Scan(&totalCount)
 	if err != nil {
 		return nil, fmt.Errorf("获取总漏洞数失败: %w", err)
@@ -229,11 +269,7 @@ func (db *DB) GetVulnerabilityStats(conversationID string) (map[string]interface
 	stats["total"] = totalCount

 	// 按严重程度统计
-	severityQuery := "SELECT severity, COUNT(*) FROM vulnerabilities"
-	if conversationID != "" {
-		severityQuery += " WHERE conversation_id = ?"
-	}
-	severityQuery += " GROUP BY severity"
+	severityQuery := "SELECT severity, COUNT(*) FROM vulnerabilities " + where + " GROUP BY severity"

 	rows, err := db.Query(severityQuery, args...)
 	if err != nil {
@@ -253,11 +289,7 @@ func (db *DB) GetVulnerabilityStats(conversationID string) (map[string]interface
 	stats["by_severity"] = severityStats

 	// 按状态统计
-	statusQuery := "SELECT status, COUNT(*) FROM vulnerabilities"
-	if conversationID != "" {
-		statusQuery += " WHERE conversation_id = ?"
-	}
-	statusQuery += " GROUP BY status"
+	statusQuery := "SELECT status, COUNT(*) FROM vulnerabilities " + where + " GROUP BY status"

 	rows, err = db.Query(statusQuery, args...)
 	if err != nil {
@@ -279,3 +311,59 @@ func (db *DB) GetVulnerabilityStats(conversationID string) (map[string]interface
 	return stats, nil
 }

+// GetVulnerabilityFilterOptions 获取漏洞筛选建议项
+func (db *DB) GetVulnerabilityFilterOptions() (map[string][]string, error) {
+	collect := func(query string, args ...interface{}) ([]string, error) {
+		rows, err := db.Query(query, args...)
+		if err != nil {
+			return nil, err
+		}
+		defer rows.Close()
+		items := make([]string, 0)
+		for rows.Next() {
+			var val string
+			if err := rows.Scan(&val); err != nil {
+				continue
+			}
+			if val == "" {
+				continue
+			}
+			items = append(items, val)
+		}
+		return items, nil
+	}
+
+	vulnIDs, err := collect(`SELECT DISTINCT id FROM vulnerabilities ORDER BY created_at DESC LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询漏洞ID建议失败: %w", err)
+	}
+	conversationIDs, err := collect(`SELECT DISTINCT conversation_id FROM vulnerabilities WHERE conversation_id <> '' ORDER BY created_at DESC LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询会话ID建议失败: %w", err)
+	}
+	taskIDs, err := collect(`SELECT DISTINCT id FROM batch_tasks WHERE id <> '' ORDER BY rowid DESC LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询任务ID建议失败: %w", err)
+	}
+	queueIDs, err := collect(`SELECT DISTINCT queue_id FROM batch_tasks WHERE queue_id <> '' ORDER BY rowid DESC LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询队列ID建议失败: %w", err)
+	}
+	conversationTags, err := collect(`SELECT DISTINCT conversation_tag FROM vulnerabilities WHERE conversation_tag IS NOT NULL AND conversation_tag <> '' ORDER BY conversation_tag LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询对话标签建议失败: %w", err)
+	}
+	taskTags, err := collect(`SELECT DISTINCT task_tag FROM vulnerabilities WHERE task_tag IS NOT NULL AND task_tag <> '' ORDER BY task_tag LIMIT 500`)
+	if err != nil {
+		return nil, fmt.Errorf("查询任务标签建议失败: %w", err)
+	}
+
+	return map[string][]string{
+		"vulnerability_ids": vulnIDs,
+		"conversation_ids":  conversationIDs,
+		"task_ids":          taskIDs,
+		"queue_ids":         queueIDs,
+		"conversation_tags": conversationTags,
+		"task_tags":         taskTags,
+	}, nil
+}
@@ -16,6 +16,8 @@ type WebShellConnection struct {
 	Method    string    `json:"method"`
 	CmdParam  string    `json:"cmdParam"`
 	Remark    string    `json:"remark"`
+	Encoding  string    `json:"encoding"` // 目标响应编码：auto / utf-8 / gbk / gb18030，空值视为 auto
+	OS        string    `json:"os"`       // 目标操作系统：auto / linux / windows，空值/未知视为 auto
 	CreatedAt time.Time `json:"createdAt"`
 }

@@ -58,7 +60,8 @@ func (db *DB) UpsertWebshellConnectionState(connectionID, stateJSON string) erro
 // ListWebshellConnections 列出所有 WebShell 连接，按创建时间倒序
 func (db *DB) ListWebshellConnections() ([]WebShellConnection, error) {
 	query := `
-		SELECT id, url, password, type, method, cmd_param, remark, created_at
+		SELECT id, url, password, type, method, cmd_param, remark,
+			COALESCE(encoding, '') AS encoding, COALESCE(os, '') AS os, created_at
 		FROM webshell_connections
 		ORDER BY created_at DESC
 	`
@@ -72,7 +75,7 @@ func (db *DB) ListWebshellConnections() ([]WebShellConnection, error) {
 	var list []WebShellConnection
 	for rows.Next() {
 		var c WebShellConnection
-		err := rows.Scan(&c.ID, &c.URL, &c.Password, &c.Type, &c.Method, &c.CmdParam, &c.Remark, &c.CreatedAt)
+		err := rows.Scan(&c.ID, &c.URL, &c.Password, &c.Type, &c.Method, &c.CmdParam, &c.Remark, &c.Encoding, &c.OS, &c.CreatedAt)
 		if err != nil {
 			db.logger.Warn("扫描 WebShell 连接行失败", zap.Error(err))
 			continue
@@ -85,11 +88,12 @@ func (db *DB) ListWebshellConnections() ([]WebShellConnection, error) {
 // GetWebshellConnection 根据 ID 获取一条连接
 func (db *DB) GetWebshellConnection(id string) (*WebShellConnection, error) {
 	query := `
-		SELECT id, url, password, type, method, cmd_param, remark, created_at
+		SELECT id, url, password, type, method, cmd_param, remark,
+			COALESCE(encoding, '') AS encoding, COALESCE(os, '') AS os, created_at
 		FROM webshell_connections WHERE id = ?
 	`
 	var c WebShellConnection
-	err := db.QueryRow(query, id).Scan(&c.ID, &c.URL, &c.Password, &c.Type, &c.Method, &c.CmdParam, &c.Remark, &c.CreatedAt)
+	err := db.QueryRow(query, id).Scan(&c.ID, &c.URL, &c.Password, &c.Type, &c.Method, &c.CmdParam, &c.Remark, &c.Encoding, &c.OS, &c.CreatedAt)
 	if err == sql.ErrNoRows {
 		return nil, nil
 	}
@@ -103,10 +107,10 @@ func (db *DB) GetWebshellConnection(id string) (*WebShellConnection, error) {
 // CreateWebshellConnection 创建 WebShell 连接
 func (db *DB) CreateWebshellConnection(c *WebShellConnection) error {
 	query := `
-		INSERT INTO webshell_connections (id, url, password, type, method, cmd_param, remark, created_at)
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+		INSERT INTO webshell_connections (id, url, password, type, method, cmd_param, remark, encoding, os, created_at)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 	`
-	_, err := db.Exec(query, c.ID, c.URL, c.Password, c.Type, c.Method, c.CmdParam, c.Remark, c.CreatedAt)
+	_, err := db.Exec(query, c.ID, c.URL, c.Password, c.Type, c.Method, c.CmdParam, c.Remark, c.Encoding, c.OS, c.CreatedAt)
 	if err != nil {
 		db.logger.Error("创建 WebShell 连接失败", zap.Error(err), zap.String("id", c.ID))
 		return err
@@ -118,10 +122,10 @@ func (db *DB) CreateWebshellConnection(c *WebShellConnection) error {
 func (db *DB) UpdateWebshellConnection(c *WebShellConnection) error {
 	query := `
 		UPDATE webshell_connections
-		SET url = ?, password = ?, type = ?, method = ?, cmd_param = ?, remark = ?
+		SET url = ?, password = ?, type = ?, method = ?, cmd_param = ?, remark = ?, encoding = ?, os = ?
 		WHERE id = ?
 	`
-	result, err := db.Exec(query, c.URL, c.Password, c.Type, c.Method, c.CmdParam, c.Remark, c.ID)
+	result, err := db.Exec(query, c.URL, c.Password, c.Type, c.Method, c.CmdParam, c.Remark, c.Encoding, c.OS, c.ID)
 	if err != nil {
 		db.logger.Error("更新 WebShell 连接失败", zap.Error(err), zap.String("id", c.ID))
 		return err
@@ -160,17 +160,17 @@ func runMCPToolInvocation(
 }

 // UnknownToolReminderHandler 供 compose.ToolsNodeConfig.UnknownToolsHandler 使用：
-// 模型请求了未注册的工具名时，返回一个「可恢复」的错误，让上层 runner 触发重试与纠错提示，
-// 同时避免 UI 永远停留在“执行中”（runner 会在 recoverable 分支 flush 掉 pending 的 tool_call）。
+// 模型请求了未注册的工具名时，返回一个「软错误」工具结果（nil error），
+// 让模型在同一轮继续自我修正，避免触发 run-loop 级别的 full rerun。
 // 不进行名称猜测或映射，避免误执行。
 func UnknownToolReminderHandler() func(ctx context.Context, name, input string) (string, error) {
 	return func(ctx context.Context, name, input string) (string, error) {
 		_ = ctx
 		_ = input
 		requested := strings.TrimSpace(name)
-		// Return a recoverable error that still carries a friendly, bilingual hint.
-		// This will be caught by multiagent runner as "tool not found" and trigger a retry.
-		return "", fmt.Errorf("tool %q not found: %s", requested, unknownToolReminderText(requested))
+		// Return a soft tool-result error so the graph keeps running and the LLM
+		// can correct tool name/arguments within the same run.
+		return ToolErrorPrefix + unknownToolReminderText(requested), nil
 	}
 }

@@ -115,7 +115,9 @@ type AgentHandler struct {
 	db               *database.DB
 	logger           *zap.Logger
 	tasks            *AgentTaskManager
+	taskEventBus     *TaskEventBus // 镜像 SSE 事件，供刷新后订阅同一运行中任务
 	batchTaskManager *BatchTaskManager
+	hitlManager      *HITLManager
 	config           *config.Config // 配置引用，用于获取角色信息
 	knowledgeManager interface {    // 知识库管理器接口
 		LogRetrieval(conversationID, messageID, query, riskType string, retrievedItems []string) error
@@ -124,6 +126,13 @@ type AgentHandler struct {
 	batchCronParser   cron.Parser
 	batchRunnerMu     sync.Mutex
 	batchRunning      map[string]struct{}
+	// hitlWhitelistSaver 侧栏「应用」HITL 时将会话增量白名单合并写入 config.yaml（可选）
+	hitlWhitelistSaver HitlToolWhitelistSaver
+}
+
+// HitlToolWhitelistSaver 合并 HITL 免审批工具到全局配置并落盘
+type HitlToolWhitelistSaver interface {
+	MergeHitlToolWhitelistIntoConfig(add []string) error
 }

 // NewAgentHandler 创建新的Agent处理器
@@ -136,16 +145,24 @@ func NewAgentHandler(agent *agent.Agent, db *database.DB, cfg *config.Config, lo
 		logger.Warn("从数据库加载批量任务队列失败", zap.Error(err))
 	}

+	bus := NewTaskEventBus()
+	tm := NewAgentTaskManager()
+	tm.SetTaskEventBus(bus)
 	handler := &AgentHandler{
 		agent:            agent,
 		db:               db,
 		logger:           logger,
-		tasks:            NewAgentTaskManager(),
+		tasks:            tm,
+		taskEventBus:     bus,
 		batchTaskManager: batchTaskManager,
 		config:           cfg,
+		hitlManager:      NewHITLManager(db, logger),
 		batchCronParser:  cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor),
 		batchRunning:     make(map[string]struct{}),
 	}
+	if err := handler.hitlManager.EnsureSchema(); err != nil {
+		logger.Warn("初始化 HITL 表失败", zap.Error(err))
+	}
 	go handler.batchQueueSchedulerLoop()
 	return handler
 }
@@ -162,6 +179,11 @@ func (h *AgentHandler) SetAgentsMarkdownDir(absDir string) {
 	h.agentsMarkdownDir = strings.TrimSpace(absDir)
 }

+// SetHitlToolWhitelistSaver 设置 HITL 白名单落盘（与 ConfigHandler 配合，避免循环引用用接口）
+func (h *AgentHandler) SetHitlToolWhitelistSaver(s HitlToolWhitelistSaver) {
+	h.hitlWhitelistSaver = s
+}
+
 // ChatAttachment 聊天附件（用户上传的文件）
 type ChatAttachment struct {
 	FileName   string `json:"fileName"`          // 展示用文件名
@@ -177,10 +199,18 @@ type ChatRequest struct {
 	Role                 string           `json:"role,omitempty"` // 角色名称
 	Attachments          []ChatAttachment `json:"attachments,omitempty"`
 	WebShellConnectionID string           `json:"webshellConnectionId,omitempty"` // WebShell 管理 - AI 助手：当前选中的连接 ID，仅使用 webshell_* 工具
+	Hitl                 *HITLRequest     `json:"hitl,omitempty"`
 	// Orchestration 仅对 /api/multi-agent、/api/multi-agent/stream：deep | plan_execute | supervisor；空则等同 deep。机器人/批量等无请求体时由服务端默认 deep。/api/eino-agent* 不使用此字段。
 	Orchestration string `json:"orchestration,omitempty"`
 }

+type HITLRequest struct {
+	Enabled        bool     `json:"enabled"`
+	Mode           string   `json:"mode,omitempty"`
+	SensitiveTools []string `json:"sensitiveTools,omitempty"`
+	TimeoutSeconds int      `json:"timeoutSeconds,omitempty"`
+}
+
 const (
 	maxAttachments     = 10
 	chatUploadsDirName = "chat_uploads" // 对话附件保存的根目录（相对当前工作目录）
@@ -462,10 +492,15 @@ func (h *AgentHandler) AgentLoop(c *gin.Context) {
 		}
 	}

-	// 优先尝试从保存的ReAct数据恢复历史上下文
-	agentHistoryMessages, err := h.loadHistoryFromReActData(conversationID)
+	h.activateHITLForConversation(conversationID, req.Hitl)
+	if h.hitlManager != nil {
+		defer h.hitlManager.DeactivateConversation(conversationID)
+	}
+
+	// 优先尝试从保存的代理轨迹恢复历史上下文
+	agentHistoryMessages, err := h.loadHistoryFromAgentTrace(conversationID)
 	if err != nil {
-		h.logger.Warn("从ReAct数据加载历史消息失败，使用消息表", zap.Error(err))
+		h.logger.Warn("从代理轨迹加载历史消息失败，使用消息表", zap.Error(err))
 		// 回退到使用数据库消息表
 		historyMessages, err := h.db.GetMessages(conversationID)
 		if err != nil {
@@ -483,7 +518,7 @@ func (h *AgentHandler) AgentLoop(c *gin.Context) {
 			h.logger.Info("从消息表加载历史消息", zap.Int("count", len(agentHistoryMessages)))
 		}
 	} else {
-		h.logger.Info("从ReAct数据恢复历史上下文", zap.Int("count", len(agentHistoryMessages)))
+		h.logger.Info("从代理轨迹恢复历史上下文", zap.Int("count", len(agentHistoryMessages)))
 	}

 	// 校验附件数量（非流式）
@@ -504,12 +539,7 @@ func (h *AgentHandler) AgentLoop(c *gin.Context) {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "未找到该 WebShell 连接"})
 			return
 		}
-		remark := conn.Remark
-		if remark == "" {
-			remark = conn.URL
-		}
-		webshellContext := fmt.Sprintf("[WebShell 助手上下文] 当前连接 ID：%s，备注：%s。可用工具（仅在该连接上操作时使用，connection_id 填 \"%s\"）：webshell_exec、webshell_file_list、webshell_file_read、webshell_file_write、record_vulnerability、list_knowledge_risk_types、search_knowledge_base。Skills 包请使用「多代理 / Eino DeepAgent」会话中的内置 `skill` 工具渐进加载。\n\n用户请求：%s",
-			conn.ID, remark, conn.ID, req.Message)
+		webshellContext := BuildWebshellAssistantContext(conn, WebshellSkillHintDefault, req.Message)
 		// WebShell 模式下如果同时指定了角色，追加角色 user_prompt（工具集仍仅限 webshell 专用工具）
 		if req.Role != "" && req.Role != "默认" && h.config.Roles != nil {
 			if role, exists := h.config.Roles[req.Role]; exists && role.Enabled && role.UserPrompt != "" {
@@ -566,17 +596,24 @@ func (h *AgentHandler) AgentLoop(c *gin.Context) {
 		return
 	}

+	baseCtx, cancelWithCause := context.WithCancelCause(c.Request.Context())
+	defer cancelWithCause(nil)
+	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
+	defer timeoutCancel()
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, conversationID, "", nil)
+	taskCtx = h.injectReactHITLInterceptor(taskCtx, cancelWithCause, conversationID, "", nil)
+
 	// 执行Agent Loop，传入历史消息和对话ID（使用包含角色提示词的finalMessage和角色工具列表）
-	result, err := h.agent.AgentLoopWithProgress(c.Request.Context(), finalMessage, agentHistoryMessages, conversationID, nil, roleTools)
+	result, err := h.agent.AgentLoopWithProgress(taskCtx, finalMessage, agentHistoryMessages, conversationID, progressCallback, roleTools)
 	if err != nil {
 		h.logger.Error("Agent Loop执行失败", zap.Error(err))

-		// 即使执行失败，也尝试保存ReAct数据（如果result中有）
-		if result != nil && (result.LastReActInput != "" || result.LastReActOutput != "") {
-			if saveErr := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); saveErr != nil {
-				h.logger.Warn("保存失败任务的ReAct数据失败", zap.Error(saveErr))
+		// 即使执行失败，也尝试保存代理轨迹（如果 result 中有）
+		if result != nil && (result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "") {
+			if saveErr := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); saveErr != nil {
+				h.logger.Warn("保存失败任务的代理轨迹失败", zap.Error(saveErr))
 			} else {
-				h.logger.Info("已保存失败任务的ReAct数据", zap.String("conversationId", conversationID))
+				h.logger.Info("已保存失败任务的代理轨迹", zap.String("conversationId", conversationID))
 			}
 		}

@@ -592,12 +629,12 @@ func (h *AgentHandler) AgentLoop(c *gin.Context) {
 		// 因为AI已经生成了回复，用户应该能看到
 	}

-	// 保存最后一轮ReAct的输入和输出
-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-			h.logger.Warn("保存ReAct数据失败", zap.Error(err))
+	// 保存最后一轮代理轨迹与助手输出
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+			h.logger.Warn("保存代理轨迹失败", zap.Error(err))
 		} else {
-			h.logger.Info("已保存ReAct数据", zap.String("conversationId", conversationID))
+			h.logger.Info("已保存代理轨迹", zap.String("conversationId", conversationID))
 		}
 	}

@@ -624,7 +661,7 @@ func (h *AgentHandler) ProcessMessageForRobot(ctx context.Context, conversationI
 		}
 	}

-	agentHistoryMessages, err := h.loadHistoryFromReActData(conversationID)
+	agentHistoryMessages, err := h.loadHistoryFromAgentTrace(conversationID)
 	if err != nil {
 		historyMessages, getErr := h.db.GetMessages(conversationID)
 		if getErr != nil {
@@ -661,7 +698,7 @@ func (h *AgentHandler) ProcessMessageForRobot(ctx context.Context, conversationI
 	if assistantMsg != nil {
 		assistantMessageID = assistantMsg.ID
 	}
-	progressCallback := h.createProgressCallback(conversationID, assistantMessageID, nil)
+	progressCallback := h.createProgressCallback(ctx, nil, conversationID, assistantMessageID, nil)

 	useRobotMulti := h.config != nil && h.config.MultiAgent.Enabled && h.config.MultiAgent.RobotUseMultiAgent
 	if useRobotMulti {
@@ -680,6 +717,7 @@ func (h *AgentHandler) ProcessMessageForRobot(ctx context.Context, conversationI
 			"deep",
 		)
 		if errMA != nil {
+			h.persistEinoAgentTraceForResume(conversationID, resultMA)
 			errMsg := "执行失败: " + errMA.Error()
 			if assistantMessageID != "" {
 				_, _ = h.db.Exec("UPDATE messages SET content = ? WHERE id = ?", errMsg, assistantMessageID)
@@ -705,8 +743,8 @@ func (h *AgentHandler) ProcessMessageForRobot(ctx context.Context, conversationI
 				h.logger.Warn("机器人：保存助手消息失败", zap.Error(err))
 			}
 		}
-		if resultMA.LastReActInput != "" || resultMA.LastReActOutput != "" {
-			_ = h.db.SaveReActData(conversationID, resultMA.LastReActInput, resultMA.LastReActOutput)
+		if resultMA.LastAgentTraceInput != "" || resultMA.LastAgentTraceOutput != "" {
+			_ = h.db.SaveAgentTrace(conversationID, resultMA.LastAgentTraceInput, resultMA.LastAgentTraceOutput)
 		}
 		return resultMA.Response, conversationID, nil
 	}
@@ -740,8 +778,8 @@ func (h *AgentHandler) ProcessMessageForRobot(ctx context.Context, conversationI
 			h.logger.Warn("机器人：保存助手消息失败", zap.Error(err))
 		}
 	}
-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		_ = h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput)
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		_ = h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput)
 	}
 	return result.Response, conversationID, nil
 }
@@ -755,9 +793,41 @@ type StreamEvent struct {

 // createProgressCallback 创建进度回调函数，用于保存processDetails
 // sendEventFunc: 可选的流式事件发送函数，如果为nil则不发送流式事件
-func (h *AgentHandler) createProgressCallback(conversationID, assistantMessageID string, sendEventFunc func(eventType, message string, data interface{})) agent.ProgressCallback {
+func (h *AgentHandler) createProgressCallback(runCtx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID string, sendEventFunc func(eventType, message string, data interface{})) agent.ProgressCallback {
 	// 用于保存tool_call事件中的参数，以便在tool_result时使用
 	toolCallCache := make(map[string]map[string]interface{}) // toolCallId -> arguments
+	skillCallCache := make(map[string]string)                // toolCallId -> skillName
+	skillToolName := "skill"
+	if h.config != nil {
+		if customName := strings.TrimSpace(h.config.MultiAgent.EinoSkills.SkillToolName); customName != "" {
+			skillToolName = customName
+		}
+	}
+
+	extractSkillName := func(args map[string]interface{}) string {
+		if len(args) == 0 {
+			return ""
+		}
+		for _, key := range []string{"skill_name", "skillName", "name", "skill", "id", "skill_id", "skillId"} {
+			if v, ok := args[key]; ok {
+				switch vv := v.(type) {
+				case string:
+					if s := strings.TrimSpace(vv); s != "" {
+						return s
+					}
+				case map[string]interface{}:
+					for _, nestedKey := range []string{"name", "id", "skill_name", "skillId"} {
+						if nestedV, nestedOK := vv[nestedKey].(string); nestedOK {
+							if s := strings.TrimSpace(nestedV); s != "" {
+								return s
+							}
+						}
+					}
+				}
+			}
+		}
+		return ""
+	}

 	// thinking_stream_*：不逐条落库，按 streamId 聚合，在后续关键事件前补一条可持久化的 thinking
 	type thinkingBuf struct {
@@ -840,6 +910,16 @@ func (h *AgentHandler) createProgressCallback(conversationID, assistantMessageID
 						}
 					}
 				}
+				if strings.EqualFold(strings.TrimSpace(toolName), skillToolName) {
+					toolCallID, _ := dataMap["toolCallId"].(string)
+					if toolCallID != "" {
+						if argumentsObj, ok := dataMap["argumentsObj"].(map[string]interface{}); ok {
+							if skillName := extractSkillName(argumentsObj); skillName != "" {
+								skillCallCache[toolCallID] = skillName
+							}
+						}
+					}
+				}
 			}
 		}

@@ -953,6 +1033,45 @@ func (h *AgentHandler) createProgressCallback(conversationID, assistantMessageID
 			}
 		}

+		// 记录 skills 调用统计（tool_call + tool_result 关联）
+		if eventType == "tool_result" && h.db != nil {
+			if dataMap, ok := data.(map[string]interface{}); ok {
+				toolName, _ := dataMap["toolName"].(string)
+				if strings.EqualFold(strings.TrimSpace(toolName), skillToolName) {
+					toolCallID, _ := dataMap["toolCallId"].(string)
+					skillName := ""
+					if toolCallID != "" {
+						skillName = strings.TrimSpace(skillCallCache[toolCallID])
+						delete(skillCallCache, toolCallID)
+					}
+					if skillName == "" {
+						if argumentsObj, ok := dataMap["argumentsObj"].(map[string]interface{}); ok {
+							skillName = strings.TrimSpace(extractSkillName(argumentsObj))
+						}
+					}
+					if skillName != "" {
+						success, ok := dataMap["success"].(bool)
+						if !ok {
+							if isError, okErr := dataMap["isError"].(bool); okErr {
+								success = !isError
+							}
+						}
+						successCalls := 0
+						failedCalls := 0
+						if success {
+							successCalls = 1
+						} else {
+							failedCalls = 1
+						}
+						now := time.Now()
+						if err := h.db.UpdateSkillStats(skillName, 1, successCalls, failedCalls, &now); err != nil {
+							h.logger.Warn("更新Skills调用统计失败", zap.Error(err), zap.String("skill", skillName))
+						}
+					}
+				}
+			}
+		}
+
 		// 子代理回复流式增量不落库；结束时合并为一条 eino_agent_reply
 		if assistantMessageID != "" && eventType == "eino_agent_reply_stream_end" {
 			flushResponsePlan()
@@ -1088,6 +1207,9 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 		}
 		eventJSON, _ := json.Marshal(event)
 		fmt.Fprintf(c.Writer, "data: %s\n\n", eventJSON)
+		done := StreamEvent{Type: "done", Message: ""}
+		doneJSON, _ := json.Marshal(done)
+		fmt.Fprintf(c.Writer, "data: %s\n\n", doneJSON)
 		c.Writer.Flush()
 		return
 	}
@@ -1108,6 +1230,7 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 	clientDisconnected := false
 	// 与 sseKeepalive 共用：禁止并发写 ResponseWriter，否则会破坏 chunked 编码（ERR_INVALID_CHUNKED_ENCODING）。
 	var sseWriteMu sync.Mutex
+	var ssePublishConversationID string
 	// 用于快速确认模型是否真的产生了流式 delta
 	var responseDeltaCount int
 	var responseStartLogged bool
@@ -1155,7 +1278,24 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 			}
 		}

-		// 如果客户端已断开，不再发送事件
+		event := StreamEvent{
+			Type:    eventType,
+			Message: message,
+			Data:    data,
+		}
+		eventJSON, errJSON := json.Marshal(event)
+		if errJSON != nil {
+			eventJSON = []byte(`{"type":"error","message":"marshal failed"}`)
+		}
+		sseLine := make([]byte, 0, len(eventJSON)+8)
+		sseLine = append(sseLine, []byte("data: ")...)
+		sseLine = append(sseLine, eventJSON...)
+		sseLine = append(sseLine, '\n', '\n')
+		if ssePublishConversationID != "" && h.taskEventBus != nil {
+			h.taskEventBus.Publish(ssePublishConversationID, sseLine)
+		}
+
+		// 如果客户端已断开，不再写入 HTTP（镜像订阅仍可收到事件）
 		if clientDisconnected {
 			return
 		}
@@ -1168,15 +1308,8 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 		default:
 		}

-		event := StreamEvent{
-			Type:    eventType,
-			Message: message,
-			Data:    data,
-		}
-		eventJSON, _ := json.Marshal(event)
-
 		sseWriteMu.Lock()
-		_, err := fmt.Fprintf(c.Writer, "data: %s\n\n", eventJSON)
+		_, err := c.Writer.Write(sseLine)
 		if err != nil {
 			sseWriteMu.Unlock()
 			clientDisconnected = true
@@ -1220,11 +1353,12 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 			return
 		}
 	}
+	ssePublishConversationID = conversationID

-	// 优先尝试从保存的ReAct数据恢复历史上下文
-	agentHistoryMessages, err := h.loadHistoryFromReActData(conversationID)
+	// 优先尝试从保存的代理轨迹恢复历史上下文
+	agentHistoryMessages, err := h.loadHistoryFromAgentTrace(conversationID)
 	if err != nil {
-		h.logger.Warn("从ReAct数据加载历史消息失败，使用消息表", zap.Error(err))
+		h.logger.Warn("从代理轨迹加载历史消息失败，使用消息表", zap.Error(err))
 		// 回退到使用数据库消息表
 		historyMessages, err := h.db.GetMessages(conversationID)
 		if err != nil {
@@ -1242,7 +1376,7 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 			h.logger.Info("从消息表加载历史消息", zap.Int("count", len(agentHistoryMessages)))
 		}
 	} else {
-		h.logger.Info("从ReAct数据恢复历史上下文", zap.Int("count", len(agentHistoryMessages)))
+		h.logger.Info("从代理轨迹恢复历史上下文", zap.Int("count", len(agentHistoryMessages)))
 	}

 	// 校验附件数量
@@ -1261,12 +1395,7 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 			sendEvent("error", "未找到该 WebShell 连接", nil)
 			return
 		}
-		remark := conn.Remark
-		if remark == "" {
-			remark = conn.URL
-		}
-		webshellContext := fmt.Sprintf("[WebShell 助手上下文] 当前连接 ID：%s，备注：%s。可用工具（仅在该连接上操作时使用，connection_id 填 \"%s\"）：webshell_exec、webshell_file_list、webshell_file_read、webshell_file_write、record_vulnerability、list_knowledge_risk_types、search_knowledge_base。Skills 包请使用「多代理 / Eino DeepAgent」会话中的内置 `skill` 工具渐进加载。\n\n用户请求：%s",
-			conn.ID, remark, conn.ID, req.Message)
+		webshellContext := BuildWebshellAssistantContext(conn, WebshellSkillHintDefault, req.Message)
 		// WebShell 模式下如果同时指定了角色，追加角色 user_prompt（工具集仍仅限 webshell 专用工具）
 		if req.Role != "" && req.Role != "默认" && h.config.Roles != nil {
 			if role, exists := h.config.Roles[req.Role]; exists && role.Enabled && role.UserPrompt != "" {
@@ -1350,14 +1479,14 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 	}

 	// 创建进度回调函数，复用统一逻辑
-	progressCallback := h.createProgressCallback(conversationID, assistantMessageID, sendEvent)
-
 	// 创建一个独立的上下文用于任务执行，不随HTTP请求取消
 	// 这样即使客户端断开连接（如刷新页面），任务也能继续执行
 	baseCtx, cancelWithCause := context.WithCancelCause(context.Background())
 	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
 	defer timeoutCancel()
 	defer cancelWithCause(nil)
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, conversationID, assistantMessageID, sendEvent)
+	taskCtx = h.injectReactHITLInterceptor(taskCtx, cancelWithCause, conversationID, assistantMessageID, sendEvent)

 	if _, err := h.tasks.StartTask(conversationID, req.Message, cancelWithCause); err != nil {
 		var errorMsg string
@@ -1441,12 +1570,12 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 				h.db.AddProcessDetail(assistantMessageID, conversationID, "cancelled", cancelMsg, nil)
 			}

-			// 即使任务被取消，也尝试保存ReAct数据（如果result中有）
-			if result != nil && (result.LastReActInput != "" || result.LastReActOutput != "") {
-				if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-					h.logger.Warn("保存取消任务的ReAct数据失败", zap.Error(err))
+			// 即使任务被取消，也尝试保存代理轨迹（如果 result 中有）
+			if result != nil && (result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "") {
+				if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+					h.logger.Warn("保存取消任务的代理轨迹失败", zap.Error(err))
 				} else {
-					h.logger.Info("已保存取消任务的ReAct数据", zap.String("conversationId", conversationID))
+					h.logger.Info("已保存取消任务的代理轨迹", zap.String("conversationId", conversationID))
 				}
 			}

@@ -1476,12 +1605,12 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 				h.db.AddProcessDetail(assistantMessageID, conversationID, "timeout", timeoutMsg, nil)
 			}

-			// 即使任务超时，也尝试保存ReAct数据（如果result中有）
-			if result != nil && (result.LastReActInput != "" || result.LastReActOutput != "") {
-				if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-					h.logger.Warn("保存超时任务的ReAct数据失败", zap.Error(err))
+			// 即使任务超时，也尝试保存代理轨迹（如果 result 中有）
+			if result != nil && (result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "") {
+				if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+					h.logger.Warn("保存超时任务的代理轨迹失败", zap.Error(err))
 				} else {
-					h.logger.Info("已保存超时任务的ReAct数据", zap.String("conversationId", conversationID))
+					h.logger.Info("已保存超时任务的代理轨迹", zap.String("conversationId", conversationID))
 				}
 			}

@@ -1511,12 +1640,12 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 				h.db.AddProcessDetail(assistantMessageID, conversationID, "error", errorMsg, nil)
 			}

-			// 即使任务失败，也尝试保存ReAct数据（如果result中有）
-			if result != nil && (result.LastReActInput != "" || result.LastReActOutput != "") {
-				if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-					h.logger.Warn("保存失败任务的ReAct数据失败", zap.Error(err))
+			// 即使任务失败，也尝试保存代理轨迹（如果 result 中有）
+			if result != nil && (result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "") {
+				if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+					h.logger.Warn("保存失败任务的代理轨迹失败", zap.Error(err))
 				} else {
-					h.logger.Info("已保存失败任务的ReAct数据", zap.String("conversationId", conversationID))
+					h.logger.Info("已保存失败任务的代理轨迹", zap.String("conversationId", conversationID))
 				}
 			}

@@ -1556,12 +1685,12 @@ func (h *AgentHandler) AgentLoopStream(c *gin.Context) {
 		}
 	}

-	// 保存最后一轮ReAct的输入和输出
-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-			h.logger.Warn("保存ReAct数据失败", zap.Error(err))
+	// 保存最后一轮代理轨迹与助手输出
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+			h.logger.Warn("保存代理轨迹失败", zap.Error(err))
 		} else {
-			h.logger.Info("已保存ReAct数据", zap.String("conversationId", conversationID))
+			h.logger.Info("已保存代理轨迹", zap.String("conversationId", conversationID))
 		}
 	}

@@ -1606,6 +1735,51 @@ func (h *AgentHandler) CancelAgentLoop(c *gin.Context) {
 	})
 }

+// SubscribeAgentTaskEvents GET SSE：订阅指定会话当前运行中任务的事件镜像（帧格式与 POST .../stream 一致），用于刷新页面或断线后接续 UI。
+func (h *AgentHandler) SubscribeAgentTaskEvents(c *gin.Context) {
+	conversationID := strings.TrimSpace(c.Query("conversationId"))
+	if conversationID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "conversationId is required"})
+		return
+	}
+	if h.tasks.GetTask(conversationID) == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "no active task for this conversation"})
+		return
+	}
+	if h.taskEventBus == nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "task event bus unavailable"})
+		return
+	}
+
+	c.Header("Content-Type", "text/event-stream")
+	c.Header("Cache-Control", "no-cache")
+	c.Header("Connection", "keep-alive")
+	c.Header("X-Accel-Buffering", "no")
+
+	sub, ch := h.taskEventBus.Subscribe(conversationID)
+	defer h.taskEventBus.Unsubscribe(conversationID, sub)
+
+	flusher, _ := c.Writer.(http.Flusher)
+	ctx := c.Request.Context()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case chunk, ok := <-ch:
+			if !ok {
+				return
+			}
+			if _, err := c.Writer.Write(chunk); err != nil {
+				return
+			}
+			if flusher != nil {
+				flusher.Flush()
+			}
+		}
+	}
+}
+
 // ListAgentTasks 列出所有运行中的任务
 func (h *AgentHandler) ListAgentTasks(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{
@@ -2266,7 +2440,7 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 		if assistantMsg != nil {
 			assistantMessageID = assistantMsg.ID
 		}
-		progressCallback := h.createProgressCallback(conversationID, assistantMessageID, nil)
+		progressCallback := h.createProgressCallback(context.Background(), nil, conversationID, assistantMessageID, nil)

 		// 执行任务（使用包含角色提示词的finalMessage和角色工具列表）
 		h.logger.Info("执行批量任务", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.String("message", task.Message), zap.String("role", queue.Role), zap.String("conversationId", conversationID))
@@ -2316,6 +2490,9 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 		cancel()

 		if runErr != nil {
+			if useRunResult {
+				h.persistEinoAgentTraceForResume(conversationID, resultMA)
+			}
 			// 检查是否是取消错误
 			// 1. 直接检查是否是 context.Canceled（包括包装后的错误）
 			// 2. 检查错误消息中是否包含"context canceled"或"cancelled"关键字
@@ -2359,14 +2536,14 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 						h.logger.Warn("保存取消消息失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(errMsg))
 					}
 				}
-				// 保存ReAct数据（如果存在）
-				if result != nil && (result.LastReActInput != "" || result.LastReActOutput != "") {
-					if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-						h.logger.Warn("保存取消任务的ReAct数据失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
+				// 保存代理轨迹（如果存在）
+				if result != nil && (result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "") {
+					if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+						h.logger.Warn("保存取消任务的代理轨迹失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
 					}
-				} else if useRunResult && resultMA != nil && (resultMA.LastReActInput != "" || resultMA.LastReActOutput != "") {
-					if err := h.db.SaveReActData(conversationID, resultMA.LastReActInput, resultMA.LastReActOutput); err != nil {
-						h.logger.Warn("保存取消任务的ReAct数据失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
+				} else if useRunResult && resultMA != nil && (resultMA.LastAgentTraceInput != "" || resultMA.LastAgentTraceOutput != "") {
+					if err := h.db.SaveAgentTrace(conversationID, resultMA.LastAgentTraceInput, resultMA.LastAgentTraceOutput); err != nil {
+						h.logger.Warn("保存取消任务的代理轨迹失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
 					}
 				}
 				h.batchTaskManager.UpdateTaskStatusWithConversationID(queueID, task.ID, "cancelled", cancelMsg, "", conversationID)
@@ -2398,13 +2575,13 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 			if useRunResult {
 				resText = resultMA.Response
 				mcpIDs = resultMA.MCPExecutionIDs
-				lastIn = resultMA.LastReActInput
-				lastOut = resultMA.LastReActOutput
+				lastIn = resultMA.LastAgentTraceInput
+				lastOut = resultMA.LastAgentTraceOutput
 			} else {
 				resText = result.Response
 				mcpIDs = result.MCPExecutionIDs
-				lastIn = result.LastReActInput
-				lastOut = result.LastReActOutput
+				lastIn = result.LastAgentTraceInput
+				lastOut = result.LastAgentTraceOutput
 			}

 			// 更新助手消息内容
@@ -2435,12 +2612,12 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 				}
 			}

-			// 保存ReAct数据
+			// 保存代理轨迹
 			if lastIn != "" || lastOut != "" {
-				if err := h.db.SaveReActData(conversationID, lastIn, lastOut); err != nil {
-					h.logger.Warn("保存ReAct数据失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
+				if err := h.db.SaveAgentTrace(conversationID, lastIn, lastOut); err != nil {
+					h.logger.Warn("保存代理轨迹失败", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.Error(err))
 				} else {
-					h.logger.Info("已保存ReAct数据", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.String("conversationId", conversationID))
+					h.logger.Info("已保存代理轨迹", zap.String("queueId", queueID), zap.String("taskId", task.ID), zap.String("conversationId", conversationID))
 				}
 			}

@@ -2459,36 +2636,33 @@ func (h *AgentHandler) executeBatchQueue(queueID string) {
 	}
 }

-// loadHistoryFromReActData 从保存的ReAct数据恢复历史消息上下文
-// 采用与攻击链生成类似的拼接逻辑：优先使用保存的last_react_input和last_react_output，若不存在则回退到消息表
-func (h *AgentHandler) loadHistoryFromReActData(conversationID string) ([]agent.ChatMessage, error) {
-	// 获取保存的ReAct输入和输出
-	reactInputJSON, reactOutput, err := h.db.GetReActData(conversationID)
+// loadHistoryFromAgentTrace 从库中保存的代理消息轨迹恢复历史（列 last_react_*；含单代理与 Eino）。
+// 逻辑与攻击链一致：优先用已保存的 JSON 消息带 + 最后一轮助手摘要，否则回退消息表。
+func (h *AgentHandler) loadHistoryFromAgentTrace(conversationID string) ([]agent.ChatMessage, error) {
+	traceInputJSON, assistantOut, err := h.db.GetAgentTrace(conversationID)
 	if err != nil {
-		return nil, fmt.Errorf("获取ReAct数据失败: %w", err)
+		return nil, fmt.Errorf("获取代理轨迹失败: %w", err)
 	}

-	// 如果last_react_input为空，回退到使用消息表（与攻击链生成逻辑一致）
-	if reactInputJSON == "" {
-		return nil, fmt.Errorf("ReAct数据为空，将使用消息表")
+	if traceInputJSON == "" {
+		return nil, fmt.Errorf("代理轨迹为空，将使用消息表")
 	}

-	dataSource := "database_last_react_input"
+	dataSource := "database_last_agent_trace"

-	// 解析JSON格式的messages数组
 	var messagesArray []map[string]interface{}
-	if err := json.Unmarshal([]byte(reactInputJSON), &messagesArray); err != nil {
-		return nil, fmt.Errorf("解析ReAct输入JSON失败: %w", err)
+	if err := json.Unmarshal([]byte(traceInputJSON), &messagesArray); err != nil {
+		return nil, fmt.Errorf("解析代理轨迹 JSON 失败: %w", err)
 	}

 	messageCount := len(messagesArray)

-	h.logger.Info("使用保存的ReAct数据恢复历史上下文",
+	h.logger.Info("使用保存的代理轨迹恢复历史上下文",
 		zap.String("conversationId", conversationID),
 		zap.String("dataSource", dataSource),
-		zap.Int("reactInputSize", len(reactInputJSON)),
+		zap.Int("traceInputSize", len(traceInputJSON)),
 		zap.Int("messageCount", messageCount),
-		zap.Int("reactOutputSize", len(reactOutput)),
+		zap.Int("assistantOutSize", len(assistantOut)),
 	)
 	// fmt.Println("messagesArray:", messagesArray)//debug

@@ -2572,53 +2746,44 @@ func (h *AgentHandler) loadHistoryFromReActData(conversationID string) ([]agent.
 		agentMessages = append(agentMessages, msg)
 	}

-	// 如果存在last_react_output，需要将其作为最后一条assistant消息
-	// 因为last_react_input是在迭代开始前保存的，不包含最后一轮的最终输出
-	if reactOutput != "" {
-		// 检查最后一条消息是否是assistant消息且没有tool_calls
-		// 如果有tool_calls，说明后面应该还有tool消息和最终的assistant回复
+	// 若存在 last_react_output（助手摘要），合并为最后一条 assistant（与保存格式一致）
+	if assistantOut != "" {
 		if len(agentMessages) > 0 {
 			lastMsg := &agentMessages[len(agentMessages)-1]
 			if strings.EqualFold(lastMsg.Role, "assistant") && len(lastMsg.ToolCalls) == 0 {
-				// 最后一条是assistant消息且没有tool_calls，用最终输出更新其content
-				lastMsg.Content = reactOutput
+				lastMsg.Content = assistantOut
 			} else {
-				// 最后一条不是assistant消息，或者有tool_calls，添加最终输出作为新的assistant消息
 				agentMessages = append(agentMessages, agent.ChatMessage{
 					Role:    "assistant",
-					Content: reactOutput,
+					Content: assistantOut,
 				})
 			}
 		} else {
-			// 如果没有消息，直接添加最终输出
 			agentMessages = append(agentMessages, agent.ChatMessage{
 				Role:    "assistant",
-				Content: reactOutput,
+				Content: assistantOut,
 			})
 		}
 	}

 	if len(agentMessages) == 0 {
-		return nil, fmt.Errorf("从ReAct数据解析的消息为空")
+		return nil, fmt.Errorf("从代理轨迹解析的消息为空")
 	}

-	// 修复可能存在的失配tool消息，避免OpenAI报错
-	// 这可以防止出现"messages with role 'tool' must be a response to a preceeding message with 'tool_calls'"错误
 	if h.agent != nil {
 		if fixed := h.agent.RepairOrphanToolMessages(&agentMessages); fixed {
-			h.logger.Info("修复了从ReAct数据恢复的历史消息中的失配tool消息",
+			h.logger.Info("修复了从代理轨迹恢复的历史消息中的失配 tool 消息",
 				zap.String("conversationId", conversationID),
 			)
 		}
 	}

-	h.logger.Info("从ReAct数据恢复历史消息完成",
+	h.logger.Info("从代理轨迹恢复历史消息完成",
 		zap.String("conversationId", conversationID),
 		zap.String("dataSource", dataSource),
 		zap.Int("originalMessageCount", messageCount),
 		zap.Int("finalMessageCount", len(agentMessages)),
-		zap.Bool("hasReactOutput", reactOutput != ""),
+		zap.Bool("hasAssistantOut", assistantOut != ""),
 	)
-	fmt.Println("agentMessages:", agentMessages) //debug
 	return agentMessages, nil
 }
@@ -83,7 +83,7 @@ func (h *AttackChainHandler) GetAttackChain(c *gin.Context) {
 	// 使用锁机制防止同一对话的并发生成
 	lockInterface, _ := h.generatingLocks.LoadOrStore(conversationID, &sync.Mutex{})
 	lock := lockInterface.(*sync.Mutex)
-	
+
 	// 尝试获取锁，如果正在生成则返回错误
 	acquired := lock.TryLock()
 	if !acquired {
@@ -144,7 +144,7 @@ func (h *AttackChainHandler) RegenerateAttackChain(c *gin.Context) {
 	// 使用锁机制防止并发生成
 	lockInterface, _ := h.generatingLocks.LoadOrStore(conversationID, &sync.Mutex{})
 	lock := lockInterface.(*sync.Mutex)
-	
+
 	acquired := lock.TryLock()
 	if !acquired {
 		h.logger.Info("攻击链正在生成中，请稍后再试", zap.String("conversationId", conversationID))
@@ -170,4 +170,3 @@ func (h *AttackChainHandler) RegenerateAttackChain(c *gin.Context) {

 	c.JSON(http.StatusOK, chain)
 }
-
@@ -17,6 +17,7 @@ import (
 	"cyberstrike-ai/internal/config"
 	"cyberstrike-ai/internal/knowledge"
 	"cyberstrike-ai/internal/mcp"
+	"cyberstrike-ai/internal/mcp/builtin"
 	"cyberstrike-ai/internal/openai"
 	"cyberstrike-ai/internal/security"

@@ -90,6 +91,7 @@ type AttackChainUpdater interface {
 type AgentUpdater interface {
 	UpdateConfig(cfg *config.OpenAIConfig)
 	UpdateMaxIterations(maxIterations int)
+	UpdateToolDescriptionMode(mode string)
 }

 // NewConfigHandler 创建新的配置处理器
@@ -187,6 +189,7 @@ type GetConfigResponse struct {
 	MCP        config.MCPConfig        `json:"mcp"`
 	Tools      []ToolConfigInfo        `json:"tools"`
 	Agent      config.AgentConfig      `json:"agent"`
+	Hitl       config.HitlConfig       `json:"hitl,omitempty"`
 	Knowledge  config.KnowledgeConfig  `json:"knowledge"`
 	Robots     config.RobotsConfig     `json:"robots,omitempty"`
 	MultiAgent config.MultiAgentPublic `json:"multi_agent,omitempty"`
@@ -231,13 +234,7 @@ func (h *ConfigHandler) GetConfig(c *gin.Context) {
 			if configToolMap[mcpTool.Name] {
 				continue
 			}
-			description := mcpTool.ShortDescription
-			if description == "" {
-				description = mcpTool.Description
-			}
-			if len(description) > 10000 {
-				description = description[:10000] + "..."
-			}
+			description := h.pickToolDescription(mcpTool.ShortDescription, mcpTool.Description)
 			tools = append(tools, ToolConfigInfo{
 				Name:        mcpTool.Name,
 				Description: description,
@@ -269,15 +266,16 @@ func (h *ConfigHandler) GetConfig(c *gin.Context) {
 	}
 	multiPub := config.MultiAgentPublic{
 		Enabled:                      h.config.MultiAgent.Enabled,
-		DefaultMode:                  h.config.MultiAgent.DefaultMode,
 		RobotUseMultiAgent:           h.config.MultiAgent.RobotUseMultiAgent,
 		BatchUseMultiAgent:           h.config.MultiAgent.BatchUseMultiAgent,
 		SubAgentCount:                subAgentCount,
 		Orchestration:                config.NormalizeMultiAgentOrchestration(h.config.MultiAgent.Orchestration),
 		PlanExecuteLoopMaxIterations: h.config.MultiAgent.PlanExecuteLoopMaxIterations,
-	}
-	if strings.TrimSpace(multiPub.DefaultMode) == "" {
-		multiPub.DefaultMode = "single"
+		ToolSearchAlwaysVisibleTools: append([]string(nil), h.config.MultiAgent.EinoMiddleware.ToolSearchAlwaysVisibleTools...),
+		ToolSearchAlwaysVisibleEffectiveTools: mergeToolNameLists(
+			h.config.MultiAgent.EinoMiddleware.ToolSearchAlwaysVisibleTools,
+			builtin.GetAllBuiltinTools(),
+		),
 	}

 	c.JSON(http.StatusOK, GetConfigResponse{
@@ -286,6 +284,7 @@ func (h *ConfigHandler) GetConfig(c *gin.Context) {
 		MCP:        h.config.MCP,
 		Tools:      tools,
 		Agent:      h.config.Agent,
+		Hitl:       h.config.Hitl,
 		Knowledge:  h.config.Knowledge,
 		Robots:     h.config.Robots,
 		MultiAgent: multiPub,
@@ -432,13 +431,7 @@ func (h *ConfigHandler) GetTools(c *gin.Context) {
 				continue
 			}

-			description := mcpTool.ShortDescription
-			if description == "" {
-				description = mcpTool.Description
-			}
-			if len(description) > 10000 {
-				description = description[:10000] + "..."
-			}
+			description := h.pickToolDescription(mcpTool.ShortDescription, mcpTool.Description)

 			toolInfo := ToolConfigInfo{
 				Name:        mcpTool.Name,
@@ -686,21 +679,18 @@ func (h *ConfigHandler) UpdateConfig(c *gin.Context) {
 	// 多代理标量（sub_agents 等仍由 config.yaml 维护）
 	if req.MultiAgent != nil {
 		h.config.MultiAgent.Enabled = req.MultiAgent.Enabled
-		dm := strings.TrimSpace(req.MultiAgent.DefaultMode)
-		if dm == "multi" || dm == "single" {
-			h.config.MultiAgent.DefaultMode = dm
-		}
 		h.config.MultiAgent.RobotUseMultiAgent = req.MultiAgent.RobotUseMultiAgent
 		h.config.MultiAgent.BatchUseMultiAgent = req.MultiAgent.BatchUseMultiAgent
 		if req.MultiAgent.PlanExecuteLoopMaxIterations != nil {
 			h.config.MultiAgent.PlanExecuteLoopMaxIterations = *req.MultiAgent.PlanExecuteLoopMaxIterations
 		}
+		h.config.MultiAgent.EinoMiddleware.ToolSearchAlwaysVisibleTools = dedupeToolNameList(req.MultiAgent.ToolSearchAlwaysVisibleTools)
 		h.logger.Info("更新多代理配置",
 			zap.Bool("enabled", h.config.MultiAgent.Enabled),
-			zap.String("default_mode", h.config.MultiAgent.DefaultMode),
 			zap.Bool("robot_use_multi_agent", h.config.MultiAgent.RobotUseMultiAgent),
 			zap.Bool("batch_use_multi_agent", h.config.MultiAgent.BatchUseMultiAgent),
 			zap.Int("plan_execute_loop_max_iterations", h.config.MultiAgent.PlanExecuteLoopMaxIterations),
+			zap.Int("tool_search_always_visible_tools", len(h.config.MultiAgent.EinoMiddleware.ToolSearchAlwaysVisibleTools)),
 		)
 	}

@@ -1068,6 +1058,7 @@ func (h *ConfigHandler) ApplyConfig(c *gin.Context) {
 	if h.agent != nil {
 		h.agent.UpdateConfig(&h.config.OpenAI)
 		h.agent.UpdateMaxIterations(h.config.Agent.MaxIterations)
+		h.agent.UpdateToolDescriptionMode(h.config.Security.ToolDescriptionMode)
 		h.logger.Info("Agent配置已更新")
 	}

@@ -1141,6 +1132,7 @@ func (h *ConfigHandler) saveConfig() error {
 	updateFOFAConfig(root, h.config.FOFA)
 	updateKnowledgeConfig(root, h.config.Knowledge)
 	updateRobotsConfig(root, h.config.Robots)
+	updateHitlConfig(root, h.config.Hitl)
 	updateMultiAgentConfig(root, h.config.MultiAgent)
 	// 更新外部MCP配置（使用external_mcp.go中的函数，同一包中可直接调用）
 	updateExternalMCPConfig(root, h.config.ExternalMCP)
@@ -1317,6 +1309,47 @@ func updateKnowledgeConfig(doc *yaml.Node, cfg config.KnowledgeConfig) {
 	setIntInMap(indexingNode, "retry_delay_ms", cfg.Indexing.RetryDelayMs)
 }

+func mergeHitlToolWhitelistSlice(existing, add []string) []string {
+	seen := make(map[string]struct{})
+	out := make([]string, 0, len(existing)+len(add))
+	for _, list := range [][]string{existing, add} {
+		for _, t := range list {
+			n := strings.ToLower(strings.TrimSpace(t))
+			if n == "" {
+				continue
+			}
+			if _, ok := seen[n]; ok {
+				continue
+			}
+			seen[n] = struct{}{}
+			out = append(out, strings.TrimSpace(t))
+		}
+	}
+	return out
+}
+
+// MergeHitlToolWhitelistIntoConfig 将会话侧栏提交的免审批工具名合并进内存配置并写入 config.yaml（与全局白名单去重规则一致：小写键、保留首次出现的原始大小写）。
+func (h *ConfigHandler) MergeHitlToolWhitelistIntoConfig(add []string) error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	merged := mergeHitlToolWhitelistSlice(h.config.Hitl.ToolWhitelist, add)
+	h.config.Hitl.ToolWhitelist = merged
+	if err := h.saveConfig(); err != nil {
+		return err
+	}
+	h.logger.Info("HITL 全局工具白名单已合并写入配置文件",
+		zap.Int("count", len(merged)),
+	)
+	return nil
+}
+
+func updateHitlConfig(doc *yaml.Node, cfg config.HitlConfig) {
+	root := doc.Content[0]
+	hitlNode := ensureMap(root, "hitl")
+	// flow 样式 [a, b, c] 单行展示，工具多时比块序列省行数
+	setFlowStringSliceInMap(hitlNode, "tool_whitelist", cfg.ToolWhitelist)
+}
+
 func updateRobotsConfig(doc *yaml.Node, cfg config.RobotsConfig) {
 	root := doc.Content[0]
 	robotsNode := ensureMap(root, "robots")
@@ -1345,10 +1378,36 @@ func updateMultiAgentConfig(doc *yaml.Node, cfg config.MultiAgentConfig) {
 	root := doc.Content[0]
 	maNode := ensureMap(root, "multi_agent")
 	setBoolInMap(maNode, "enabled", cfg.Enabled)
-	setStringInMap(maNode, "default_mode", cfg.DefaultMode)
 	setBoolInMap(maNode, "robot_use_multi_agent", cfg.RobotUseMultiAgent)
 	setBoolInMap(maNode, "batch_use_multi_agent", cfg.BatchUseMultiAgent)
 	setIntInMap(maNode, "plan_execute_loop_max_iterations", cfg.PlanExecuteLoopMaxIterations)
+	mwNode := ensureMap(maNode, "eino_middleware")
+	setFlowStringSliceInMap(mwNode, "tool_search_always_visible_tools", dedupeToolNameList(cfg.EinoMiddleware.ToolSearchAlwaysVisibleTools))
+}
+
+func dedupeToolNameList(in []string) []string {
+	if len(in) == 0 {
+		return []string{}
+	}
+	seen := make(map[string]struct{}, len(in))
+	out := make([]string, 0, len(in))
+	for _, name := range in {
+		n := strings.TrimSpace(name)
+		if n == "" {
+			continue
+		}
+		key := strings.ToLower(n)
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+		out = append(out, n)
+	}
+	return out
+}
+
+func mergeToolNameLists(a, b []string) []string {
+	return dedupeToolNameList(append(append([]string{}, a...), b...))
 }

 func ensureMap(parent *yaml.Node, path ...string) *yaml.Node {
@@ -1428,6 +1487,21 @@ func setStringSliceInMap(mapNode *yaml.Node, key string, values []string) {
 	}
 }

+func setFlowStringSliceInMap(mapNode *yaml.Node, key string, values []string) {
+	_, valueNode := ensureKeyValue(mapNode, key)
+	valueNode.Kind = yaml.SequenceNode
+	valueNode.Tag = "!!seq"
+	valueNode.Style = yaml.FlowStyle
+	valueNode.Content = nil
+	for _, v := range values {
+		valueNode.Content = append(valueNode.Content, &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Tag:   "!!str",
+			Value: v,
+		})
+	}
+}
+
 func setIntInMap(mapNode *yaml.Node, key string, value int) {
 	_, valueNode := ensureKeyValue(mapNode, key)
 	valueNode.Kind = yaml.ScalarNode
@@ -230,4 +230,3 @@ func (h *ConversationHandler) DeleteConversationTurn(c *gin.Context) {
 		"message":           "ok",
 	})
 }
-
@@ -41,11 +41,24 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 	var baseCtx context.Context
 	clientDisconnected := false
 	var sseWriteMu sync.Mutex
+	var ssePublishConversationID string
 	sendEvent := func(eventType, message string, data interface{}) {
-		if clientDisconnected {
+		if eventType == "error" && baseCtx != nil && errors.Is(context.Cause(baseCtx), ErrTaskCancelled) {
 			return
 		}
-		if eventType == "error" && baseCtx != nil && errors.Is(context.Cause(baseCtx), ErrTaskCancelled) {
+		ev := StreamEvent{Type: eventType, Message: message, Data: data}
+		b, errMarshal := json.Marshal(ev)
+		if errMarshal != nil {
+			b = []byte(`{"type":"error","message":"marshal failed"}`)
+		}
+		sseLine := make([]byte, 0, len(b)+8)
+		sseLine = append(sseLine, []byte("data: ")...)
+		sseLine = append(sseLine, b...)
+		sseLine = append(sseLine, '\n', '\n')
+		if ssePublishConversationID != "" && h.taskEventBus != nil {
+			h.taskEventBus.Publish(ssePublishConversationID, sseLine)
+		}
+		if clientDisconnected {
 			return
 		}
 		select {
@@ -54,10 +67,8 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 			return
 		default:
 		}
-		ev := StreamEvent{Type: eventType, Message: message, Data: data}
-		b, _ := json.Marshal(ev)
 		sseWriteMu.Lock()
-		_, err := fmt.Fprintf(c.Writer, "data: %s\n\n", b)
+		_, err := c.Writer.Write(sseLine)
 		if err != nil {
 			sseWriteMu.Unlock()
 			clientDisconnected = true
@@ -81,6 +92,7 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 		sendEvent("done", "", nil)
 		return
 	}
+	ssePublishConversationID = prep.ConversationID
 	if prep.CreatedNew {
 		sendEvent("conversation", "会话已创建", map[string]interface{}{
 			"conversationId": prep.ConversationID,
@@ -89,6 +101,10 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {

 	conversationID := prep.ConversationID
 	assistantMessageID := prep.AssistantMessageID
+	h.activateHITLForConversation(conversationID, req.Hitl)
+	if h.hitlManager != nil {
+		defer h.hitlManager.DeactivateConversation(conversationID)
+	}

 	if prep.UserMessageID != "" {
 		sendEvent("message_saved", "", map[string]interface{}{
@@ -97,13 +113,15 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 		})
 	}

-	progressCallback := h.createProgressCallback(conversationID, assistantMessageID, sendEvent)
-
 	var cancelWithCause context.CancelCauseFunc
 	baseCtx, cancelWithCause = context.WithCancelCause(context.Background())
 	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
 	defer timeoutCancel()
 	defer cancelWithCause(nil)
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, conversationID, assistantMessageID, sendEvent)
+	taskCtx = multiagent.WithHITLToolInterceptor(taskCtx, func(ctx context.Context, toolName, arguments string) (string, error) {
+		return h.interceptHITLForEinoTool(ctx, cancelWithCause, conversationID, assistantMessageID, sendEvent, toolName, arguments)
+	})

 	if _, err := h.tasks.StartTask(conversationID, req.Message, cancelWithCause); err != nil {
 		var errorMsg string
@@ -136,6 +154,8 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 	defer close(stopKeepalive)

 	if h.config == nil {
+		taskStatus = "failed"
+		h.tasks.UpdateTaskStatus(conversationID, taskStatus)
 		sendEvent("error", "服务器配置未加载", nil)
 		sendEvent("done", "", map[string]interface{}{"conversationId": conversationID})
 		return
@@ -155,6 +175,7 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 	)

 	if runErr != nil {
+		h.persistEinoAgentTraceForResume(conversationID, result)
 		cause := context.Cause(baseCtx)
 		if errors.Is(cause, ErrTaskCancelled) {
 			taskStatus = "cancelled"
@@ -166,7 +187,24 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 			}
 			sendEvent("cancelled", cancelMsg, map[string]interface{}{
 				"conversationId": conversationID,
-				"messageId":        assistantMessageID,
+				"messageId":      assistantMessageID,
+			})
+			sendEvent("done", "", map[string]interface{}{"conversationId": conversationID})
+			return
+		}
+
+		if errors.Is(runErr, context.DeadlineExceeded) || errors.Is(context.Cause(taskCtx), context.DeadlineExceeded) {
+			taskStatus = "timeout"
+			h.tasks.UpdateTaskStatus(conversationID, taskStatus)
+			timeoutMsg := "任务执行超时，已自动终止。"
+			if assistantMessageID != "" {
+				_, _ = h.db.Exec("UPDATE messages SET content = ? WHERE id = ?", timeoutMsg, assistantMessageID)
+				_ = h.db.AddProcessDetail(assistantMessageID, conversationID, "timeout", timeoutMsg, nil)
+			}
+			sendEvent("error", timeoutMsg, map[string]interface{}{
+				"conversationId": conversationID,
+				"messageId":      assistantMessageID,
+				"errorType":      "timeout",
 			})
 			sendEvent("done", "", map[string]interface{}{"conversationId": conversationID})
 			return
@@ -202,9 +240,9 @@ func (h *AgentHandler) EinoSingleAgentLoopStream(c *gin.Context) {
 		)
 	}

-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-			h.logger.Warn("保存 ReAct 数据失败", zap.Error(err))
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+			h.logger.Warn("保存代理轨迹失败", zap.Error(err))
 		}
 	}

@@ -232,12 +270,24 @@ func (h *AgentHandler) EinoSingleAgentLoop(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
+	h.activateHITLForConversation(prep.ConversationID, req.Hitl)
+	if h.hitlManager != nil {
+		defer h.hitlManager.DeactivateConversation(prep.ConversationID)
+	}

 	var progressBuf strings.Builder
-	progressCallback := func(eventType, message string, data interface{}) {
+	progressCallbackRaw := func(eventType, message string, data interface{}) {
 		progressBuf.WriteString(eventType)
 		progressBuf.WriteByte('\n')
 	}
+	baseCtx, cancelWithCause := context.WithCancelCause(c.Request.Context())
+	defer cancelWithCause(nil)
+	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
+	defer timeoutCancel()
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, prep.ConversationID, prep.AssistantMessageID, progressCallbackRaw)
+	taskCtx = multiagent.WithHITLToolInterceptor(taskCtx, func(ctx context.Context, toolName, arguments string) (string, error) {
+		return h.interceptHITLForEinoTool(ctx, cancelWithCause, prep.ConversationID, prep.AssistantMessageID, nil, toolName, arguments)
+	})

 	if h.config == nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "服务器配置未加载"})
@@ -245,7 +295,7 @@ func (h *AgentHandler) EinoSingleAgentLoop(c *gin.Context) {
 	}

 	result, runErr := multiagent.RunEinoSingleChatModelAgent(
-		c.Request.Context(),
+		taskCtx,
 		h.config,
 		&h.config.MultiAgent,
 		h.agent,
@@ -257,6 +307,7 @@ func (h *AgentHandler) EinoSingleAgentLoop(c *gin.Context) {
 		progressCallback,
 	)
 	if runErr != nil {
+		h.persistEinoAgentTraceForResume(prep.ConversationID, result)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": runErr.Error()})
 		return
 	}
@@ -274,15 +325,15 @@ func (h *AgentHandler) EinoSingleAgentLoop(c *gin.Context) {
 			prep.AssistantMessageID,
 		)
 	}
-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		_ = h.db.SaveReActData(prep.ConversationID, result.LastReActInput, result.LastReActOutput)
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		_ = h.db.SaveAgentTrace(prep.ConversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput)
 	}

 	c.JSON(http.StatusOK, gin.H{
-		"response":         result.Response,
-		"conversationId":   prep.ConversationID,
-		"mcpExecutionIds":  result.MCPExecutionIDs,
+		"response":           result.Response,
+		"conversationId":     prep.ConversationID,
+		"mcpExecutionIds":    result.MCPExecutionIDs,
 		"assistantMessageId": prep.AssistantMessageID,
-		"agentMode":        "eino_single",
+		"agentMode":          "eino_single",
 	})
 }
@@ -247,7 +247,7 @@ func TestExternalMCPHandler_DeleteExternalMCP(t *testing.T) {

 	// 先添加一个配置
 	configObj := config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	}
 	handler.manager.AddOrUpdateConfig("test-delete", configObj)
@@ -276,11 +276,11 @@ func TestExternalMCPHandler_GetExternalMCPs(t *testing.T) {

 	// 添加多个配置
 	handler.manager.AddOrUpdateConfig("test1", config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	})
 	handler.manager.AddOrUpdateConfig("test2", config.ExternalMCPServerConfig{
-		URL:     "http://127.0.0.1:8081/mcp",
+		URL:               "http://127.0.0.1:8081/mcp",
 		ExternalMCPEnable: false,
 	})

@@ -319,15 +319,15 @@ func TestExternalMCPHandler_GetExternalMCPStats(t *testing.T) {

 	// 添加配置
 	handler.manager.AddOrUpdateConfig("enabled1", config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	})
 	handler.manager.AddOrUpdateConfig("enabled2", config.ExternalMCPServerConfig{
-		URL:     "http://127.0.0.1:8081/mcp",
+		URL:               "http://127.0.0.1:8081/mcp",
 		ExternalMCPEnable: true,
 	})
 	handler.manager.AddOrUpdateConfig("disabled1", config.ExternalMCPServerConfig{
-		Command:  "python3",
+		Command: "python3",
 	})

 	req := httptest.NewRequest("GET", "/api/external-mcp/stats", nil)
@@ -360,7 +360,7 @@ func TestExternalMCPHandler_StartStopExternalMCP(t *testing.T) {

 	// 添加一个禁用的配置
 	handler.manager.AddOrUpdateConfig("test-start-stop", config.ExternalMCPServerConfig{
-		Command:  "python3",
+		Command: "python3",
 	})

 	// 测试启动（可能会失败，因为没有真实的服务器）
@@ -416,7 +416,7 @@ func TestExternalMCPHandler_AddOrUpdateExternalMCP_EmptyName(t *testing.T) {
 	router, _, _ := setupTestRouter()

 	configObj := config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	}

@@ -459,14 +459,14 @@ func TestExternalMCPHandler_UpdateExistingConfig(t *testing.T) {

 	// 先添加配置
 	config1 := config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	}
 	handler.manager.AddOrUpdateConfig("test-update", config1)

 	// 更新配置
 	config2 := config.ExternalMCPServerConfig{
-		URL:     "http://127.0.0.1:8081/mcp",
+		URL:               "http://127.0.0.1:8081/mcp",
 		ExternalMCPEnable: true,
 	}

@@ -0,0 +1,808 @@
+package handler
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"math"
+	"net/http"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"cyberstrike-ai/internal/agent"
+	"cyberstrike-ai/internal/database"
+	"cyberstrike-ai/internal/multiagent"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"go.uber.org/zap"
+)
+
+type hitlRuntimeConfig struct {
+	Enabled        bool
+	Mode           string
+	SensitiveTools map[string]struct{}
+	Timeout        time.Duration
+}
+
+type hitlDecision struct {
+	Decision        string
+	Comment         string
+	EditedArguments map[string]interface{}
+}
+
+type pendingInterrupt struct {
+	ConversationID string
+	InterruptID    string
+	Mode           string
+	ToolName       string
+	ToolCallID     string
+	decideCh       chan hitlDecision
+}
+
+type HITLManager struct {
+	db     *database.DB
+	logger *zap.Logger
+
+	mu      sync.RWMutex
+	runtime map[string]hitlRuntimeConfig
+	pending map[string]*pendingInterrupt
+}
+
+func NewHITLManager(db *database.DB, logger *zap.Logger) *HITLManager {
+	return &HITLManager{
+		db:      db,
+		logger:  logger,
+		runtime: make(map[string]hitlRuntimeConfig),
+		pending: make(map[string]*pendingInterrupt),
+	}
+}
+
+func (m *HITLManager) EnsureSchema() error {
+	if _, err := m.db.Exec(`
+CREATE TABLE IF NOT EXISTS hitl_interrupts (
+    id TEXT PRIMARY KEY,
+    conversation_id TEXT NOT NULL,
+    message_id TEXT,
+    mode TEXT NOT NULL,
+    tool_name TEXT NOT NULL,
+    tool_call_id TEXT,
+    payload TEXT,
+    status TEXT NOT NULL,
+    decision TEXT,
+    decision_comment TEXT,
+    created_at DATETIME NOT NULL,
+    decided_at DATETIME
+);`); err != nil {
+		return err
+	}
+	_, err := m.db.Exec(`
+CREATE TABLE IF NOT EXISTS hitl_conversation_configs (
+    conversation_id TEXT PRIMARY KEY,
+    enabled INTEGER NOT NULL DEFAULT 0,
+    mode TEXT NOT NULL DEFAULT 'off',
+    sensitive_tools TEXT NOT NULL DEFAULT '[]',
+    timeout_seconds INTEGER NOT NULL DEFAULT 0,
+    updated_at DATETIME NOT NULL
+);`)
+	if err != nil {
+		return err
+	}
+
+	// On startup, cancel all orphaned pending interrupts from previous process.
+	// Their in-memory channels are gone, so they can never be resolved.
+	res, err := m.db.Exec(`UPDATE hitl_interrupts SET status='cancelled', decision='reject',
+		decision_comment='process restarted', decided_at=CURRENT_TIMESTAMP WHERE status='pending'`)
+	if err != nil {
+		m.logger.Warn("failed to cancel orphaned HITL interrupts", zap.Error(err))
+	} else if n, _ := res.RowsAffected(); n > 0 {
+		m.logger.Info("cancelled orphaned HITL interrupts from previous process", zap.Int64("count", n))
+	}
+	return nil
+}
+
+func normalizeHitlMode(mode string) string {
+	v := strings.ToLower(strings.TrimSpace(mode))
+	if v == "" {
+		return "approval"
+	}
+	switch v {
+	case "off":
+		return "off"
+	case "feedback", "followup":
+		return "approval"
+	case "approval", "review_edit":
+		return v
+	default:
+		return "approval"
+	}
+}
+
+func (m *HITLManager) ActivateConversation(conversationID string, req *HITLRequest) {
+	if req == nil || !req.Enabled {
+		m.DeactivateConversation(conversationID)
+		return
+	}
+	tools := make(map[string]struct{})
+	for _, t := range req.SensitiveTools {
+		n := strings.ToLower(strings.TrimSpace(t))
+		if n != "" {
+			tools[n] = struct{}{}
+		}
+	}
+	// timeout <= 0 means wait forever (no timeout).
+	timeout := time.Duration(0)
+	if req.TimeoutSeconds > 0 {
+		timeout = time.Duration(req.TimeoutSeconds) * time.Second
+	}
+	m.mu.Lock()
+	m.runtime[conversationID] = hitlRuntimeConfig{
+		Enabled:        true,
+		Mode:           normalizeHitlMode(req.Mode),
+		SensitiveTools: tools,
+		Timeout:        timeout,
+	}
+	m.mu.Unlock()
+}
+
+func (m *HITLManager) DeactivateConversation(conversationID string) {
+	m.mu.Lock()
+	delete(m.runtime, conversationID)
+	m.mu.Unlock()
+}
+
+// hitlConfigGlobalToolWhitelist 来自 config.yaml hitl.tool_whitelist（去重、去空）。
+func (h *AgentHandler) hitlConfigGlobalToolWhitelist() []string {
+	if h == nil || h.config == nil {
+		return nil
+	}
+	raw := h.config.Hitl.ToolWhitelist
+	if len(raw) == 0 {
+		return nil
+	}
+	seen := make(map[string]struct{})
+	out := make([]string, 0, len(raw))
+	for _, t := range raw {
+		n := strings.ToLower(strings.TrimSpace(t))
+		if n == "" {
+			continue
+		}
+		if _, ok := seen[n]; ok {
+			continue
+		}
+		seen[n] = struct{}{}
+		out = append(out, strings.TrimSpace(t))
+	}
+	return out
+}
+
+// hitlRequestWithMergedConfigWhitelist 将会话/API 中的白名单与 config.yaml 全局白名单合并（并集），仅用于运行时 Activate；不写入数据库。
+func (h *AgentHandler) hitlRequestWithMergedConfigWhitelist(req *HITLRequest) *HITLRequest {
+	gw := h.hitlConfigGlobalToolWhitelist()
+	if len(gw) == 0 {
+		return req
+	}
+	if req == nil {
+		return nil
+	}
+	seen := make(map[string]struct{})
+	union := make([]string, 0, len(gw)+len(req.SensitiveTools))
+	for _, t := range gw {
+		n := strings.ToLower(strings.TrimSpace(t))
+		if n == "" {
+			continue
+		}
+		if _, ok := seen[n]; ok {
+			continue
+		}
+		seen[n] = struct{}{}
+		union = append(union, strings.TrimSpace(t))
+	}
+	for _, t := range req.SensitiveTools {
+		n := strings.ToLower(strings.TrimSpace(t))
+		if n == "" {
+			continue
+		}
+		if _, ok := seen[n]; ok {
+			continue
+		}
+		seen[n] = struct{}{}
+		union = append(union, strings.TrimSpace(t))
+	}
+	out := *req
+	out.SensitiveTools = union
+	return &out
+}
+
+func (m *HITLManager) shouldInterrupt(conversationID, toolName string) (hitlRuntimeConfig, bool) {
+	m.mu.RLock()
+	cfg, ok := m.runtime[conversationID]
+	m.mu.RUnlock()
+	if !ok || !cfg.Enabled {
+		return hitlRuntimeConfig{}, false
+	}
+	// 语义：SensitiveTools 现在作为“白名单（免审批工具）”
+	// 空白名单 => 全部工具都需要审批
+	if len(cfg.SensitiveTools) == 0 {
+		return cfg, true
+	}
+	_, inWhitelist := cfg.SensitiveTools[strings.ToLower(strings.TrimSpace(toolName))]
+	return cfg, !inWhitelist
+}
+
+func (m *HITLManager) CreatePendingInterrupt(conversationID, assistantMessageID, mode, toolName, toolCallID, payload string) (*pendingInterrupt, error) {
+	now := time.Now()
+	id := "hitl_" + strings.ReplaceAll(uuid.New().String(), "-", "")
+	if _, err := m.db.Exec(`INSERT INTO hitl_interrupts
+		(id, conversation_id, message_id, mode, tool_name, tool_call_id, payload, status, created_at)
+		VALUES (?, ?, ?, ?, ?, ?, ?, 'pending', ?)`,
+		id, conversationID, assistantMessageID, mode, toolName, toolCallID, payload, now); err != nil {
+		return nil, err
+	}
+	// 刷新页面后侧栏依赖 DB 配置；若仅内存 Activate 未落库，会导致「有待审批却显示关闭」
+	_ = m.ensureConversationHITLModePersisted(conversationID, mode)
+	p := &pendingInterrupt{
+		ConversationID: conversationID,
+		InterruptID:    id,
+		Mode:           normalizeHitlMode(mode),
+		ToolName:       toolName,
+		ToolCallID:     toolCallID,
+		decideCh:       make(chan hitlDecision, 1),
+	}
+	m.mu.Lock()
+	m.pending[id] = p
+	m.mu.Unlock()
+	return p, nil
+}
+
+// ensureConversationHITLModePersisted 在产生待审批时把 mode 写入 hitl_conversation_configs，避免刷新后 GET 配置仍为关闭。
+func (m *HITLManager) ensureConversationHITLModePersisted(conversationID, interruptMode string) error {
+	if strings.TrimSpace(conversationID) == "" {
+		return nil
+	}
+	nm := normalizeHitlMode(interruptMode)
+	if nm == "off" {
+		return nil
+	}
+	cfg, err := m.LoadConversationConfig(conversationID)
+	if err != nil {
+		return err
+	}
+	if cfg.Enabled && normalizeHitlMode(cfg.Mode) == nm {
+		return nil
+	}
+	cfg.Enabled = true
+	cfg.Mode = nm
+	if cfg.TimeoutSeconds < 0 {
+		cfg.TimeoutSeconds = 0
+	}
+	return m.SaveConversationConfig(conversationID, cfg)
+}
+
+// PendingHITLInterruptMode 返回该会话最新一条 pending 中断的协同模式（用于 GET 配置时与库内「关闭」状态对齐）。
+func (m *HITLManager) PendingHITLInterruptMode(conversationID string) (string, bool) {
+	if strings.TrimSpace(conversationID) == "" {
+		return "", false
+	}
+	var mode string
+	err := m.db.QueryRow(`SELECT mode FROM hitl_interrupts WHERE conversation_id = ? AND status = 'pending' ORDER BY created_at DESC LIMIT 1`, conversationID).
+		Scan(&mode)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return "", false
+		}
+		return "", false
+	}
+	mode = strings.TrimSpace(mode)
+	if mode == "" {
+		return "", false
+	}
+	return mode, true
+}
+
+func hitlStoredConfigEffective(cfg *HITLRequest) bool {
+	if cfg == nil {
+		return false
+	}
+	if cfg.Enabled {
+		return true
+	}
+	return normalizeHitlMode(cfg.Mode) != "off"
+}
+
+func (m *HITLManager) ResolveInterrupt(interruptID, decision, comment string, editedArguments map[string]interface{}) error {
+	decision = strings.ToLower(strings.TrimSpace(decision))
+	if decision != "approve" && decision != "reject" {
+		return errors.New("decision must be approve/reject")
+	}
+	m.mu.RLock()
+	p, ok := m.pending[interruptID]
+	m.mu.RUnlock()
+	if !ok {
+		return errors.New("interrupt not found or already resolved")
+	}
+	d := hitlDecision{
+		Decision:        decision,
+		Comment:         strings.TrimSpace(comment),
+		EditedArguments: editedArguments,
+	}
+	select {
+	case p.decideCh <- d:
+		return nil
+	default:
+		return errors.New("interrupt already resolved or decision channel busy")
+	}
+}
+
+func (m *HITLManager) SaveConversationConfig(conversationID string, req *HITLRequest) error {
+	if strings.TrimSpace(conversationID) == "" {
+		return errors.New("conversationId is required")
+	}
+	if req == nil {
+		req = &HITLRequest{Enabled: false, Mode: "off", TimeoutSeconds: 0}
+	}
+	mode := normalizeHitlMode(req.Mode)
+	if !req.Enabled {
+		mode = "off"
+	}
+	tools, _ := json.Marshal(req.SensitiveTools)
+	timeout := req.TimeoutSeconds
+	if timeout < 0 {
+		timeout = 0
+	}
+	_, err := m.db.Exec(`INSERT INTO hitl_conversation_configs
+		(conversation_id, enabled, mode, sensitive_tools, timeout_seconds, updated_at)
+		VALUES (?, ?, ?, ?, ?, ?)
+		ON CONFLICT(conversation_id) DO UPDATE SET
+		enabled=excluded.enabled, mode=excluded.mode, sensitive_tools=excluded.sensitive_tools, timeout_seconds=excluded.timeout_seconds, updated_at=excluded.updated_at`,
+		conversationID, boolToInt(req.Enabled), mode, string(tools), timeout, time.Now())
+	return err
+}
+
+func (m *HITLManager) LoadConversationConfig(conversationID string) (*HITLRequest, error) {
+	var enabledInt int
+	var mode, toolsJSON string
+	var timeout int
+	err := m.db.QueryRow(`SELECT enabled, mode, sensitive_tools, timeout_seconds FROM hitl_conversation_configs WHERE conversation_id = ?`, conversationID).
+		Scan(&enabledInt, &mode, &toolsJSON, &timeout)
+	if errors.Is(err, sql.ErrNoRows) {
+		return &HITLRequest{Enabled: false, Mode: "off", SensitiveTools: []string{}, TimeoutSeconds: 0}, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	if timeout < 0 {
+		timeout = 0
+	}
+	tools := make([]string, 0)
+	_ = json.Unmarshal([]byte(toolsJSON), &tools)
+	return &HITLRequest{
+		Enabled:        enabledInt == 1,
+		Mode:           mode,
+		SensitiveTools: tools,
+		TimeoutSeconds: timeout,
+	}, nil
+}
+
+func (m *HITLManager) waitDecision(ctx context.Context, p *pendingInterrupt, timeout time.Duration) (hitlDecision, error) {
+	defer func() {
+		m.mu.Lock()
+		delete(m.pending, p.InterruptID)
+		m.mu.Unlock()
+	}()
+	var timeoutCh <-chan time.Time
+	if timeout > 0 {
+		timer := time.NewTimer(timeout)
+		defer timer.Stop()
+		timeoutCh = timer.C
+	}
+	select {
+	case d := <-p.decideCh:
+		// 只有 review_edit 模式允许改参；其他模式一律忽略 edited arguments
+		if p.Mode != "review_edit" && len(d.EditedArguments) > 0 {
+			d.EditedArguments = nil
+		}
+		_, _ = m.db.Exec(`UPDATE hitl_interrupts SET status='decided', decision=?, decision_comment=?, decided_at=? WHERE id=?`,
+			d.Decision, d.Comment, time.Now(), p.InterruptID)
+		return d, nil
+	case <-timeoutCh:
+		_, _ = m.db.Exec(`UPDATE hitl_interrupts SET status='timeout', decision='approve', decision_comment='timeout auto approve', decided_at=? WHERE id=?`,
+			time.Now(), p.InterruptID)
+		return hitlDecision{Decision: "approve", Comment: "timeout auto approve"}, nil
+	case <-ctx.Done():
+		_, _ = m.db.Exec(`UPDATE hitl_interrupts SET status='cancelled', decision='reject', decision_comment='task cancelled', decided_at=? WHERE id=?`,
+			time.Now(), p.InterruptID)
+		return hitlDecision{Decision: "reject", Comment: "task cancelled"}, ctx.Err()
+	}
+}
+
+func (h *AgentHandler) activateHITLForConversation(conversationID string, req *HITLRequest) {
+	if h.hitlManager == nil {
+		return
+	}
+	if req == nil {
+		cfg, err := h.hitlManager.LoadConversationConfig(conversationID)
+		if err == nil {
+			req = cfg
+		}
+	}
+	h.hitlManager.ActivateConversation(conversationID, h.hitlRequestWithMergedConfigWhitelist(req))
+}
+
+func (h *AgentHandler) waitHITLApproval(runCtx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID, toolName, toolCallID string, payload map[string]interface{}, sendEventFunc func(eventType, message string, data interface{})) (*hitlDecision, error) {
+	cfg, need := h.hitlManager.shouldInterrupt(conversationID, toolName)
+	if !need {
+		return nil, nil
+	}
+	payloadRaw, _ := json.Marshal(payload)
+	p, err := h.hitlManager.CreatePendingInterrupt(conversationID, assistantMessageID, cfg.Mode, toolName, toolCallID, string(payloadRaw))
+	if err != nil {
+		h.logger.Warn("创建 HITL 中断失败", zap.Error(err))
+		return nil, err
+	}
+	if sendEventFunc != nil {
+		sendEventFunc("hitl_interrupt", "命中人机协同审批", map[string]interface{}{
+			"conversationId": conversationID,
+			"interruptId":    p.InterruptID,
+			"mode":           cfg.Mode,
+			"toolName":       toolName,
+			"toolCallId":     toolCallID,
+			"payload":        payload,
+		})
+	}
+	d, waitErr := h.hitlManager.waitDecision(runCtx, p, cfg.Timeout)
+	if waitErr != nil {
+		if cancelRun != nil && (errors.Is(waitErr, context.Canceled) || errors.Is(waitErr, context.DeadlineExceeded)) {
+			cause := context.Cause(runCtx)
+			switch {
+			case errors.Is(cause, ErrTaskCancelled):
+				cancelRun(ErrTaskCancelled)
+			case cause != nil:
+				cancelRun(cause)
+			case errors.Is(waitErr, context.DeadlineExceeded):
+				cancelRun(context.DeadlineExceeded)
+			default:
+				cancelRun(ErrTaskCancelled)
+			}
+		}
+		return nil, waitErr
+	}
+	if d.Decision == "reject" {
+		if sendEventFunc != nil {
+			sendEventFunc("hitl_rejected", "人工拒绝本次工具调用，模型将基于反馈继续迭代", map[string]interface{}{
+				"conversationId": conversationID,
+				"interruptId":    p.InterruptID,
+				"toolName":       toolName,
+				"comment":        d.Comment,
+			})
+		}
+		return &d, nil
+	}
+	if sendEventFunc != nil {
+		sendEventFunc("hitl_resumed", "人工确认通过，继续执行", map[string]interface{}{
+			"conversationId": conversationID,
+			"interruptId":    p.InterruptID,
+			"toolName":       toolName,
+			"comment":        d.Comment,
+			"editedArgs":     d.EditedArguments,
+		})
+	}
+	return &d, nil
+}
+
+func (h *AgentHandler) handleHITLToolCall(runCtx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID string, data map[string]interface{}, sendEventFunc func(eventType, message string, data interface{})) {
+	if h.hitlManager == nil {
+		return
+	}
+	toolName, _ := data["toolName"].(string)
+	toolCallID, _ := data["toolCallId"].(string)
+	d, err := h.waitHITLApproval(runCtx, cancelRun, conversationID, assistantMessageID, toolName, toolCallID, data, sendEventFunc)
+	if err != nil || d == nil {
+		return
+	}
+	if len(d.EditedArguments) > 0 {
+		if argsObj, ok := data["argumentsObj"].(map[string]interface{}); ok {
+			for k := range argsObj {
+				delete(argsObj, k)
+			}
+			for k, v := range d.EditedArguments {
+				argsObj[k] = v
+			}
+			if b, mErr := json.Marshal(argsObj); mErr == nil {
+				data["arguments"] = string(b)
+			}
+		}
+	}
+}
+
+func (h *AgentHandler) ListHITLPending(c *gin.Context) {
+	conversationID := strings.TrimSpace(c.Query("conversationId"))
+	status := strings.TrimSpace(c.Query("status"))
+	if status == "" {
+		status = "pending"
+	}
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	if page < 1 {
+		page = 1
+	}
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("pageSize", "20"))
+	pageSize = int(math.Max(1, math.Min(float64(pageSize), 200)))
+	offset := (page - 1) * pageSize
+	q := `SELECT id, conversation_id, message_id, mode, tool_name, tool_call_id, payload, status, decision, decision_comment, created_at, decided_at FROM hitl_interrupts WHERE 1=1`
+	args := []interface{}{}
+	if conversationID != "" {
+		q += " AND conversation_id = ?"
+		args = append(args, conversationID)
+	}
+	if status != "all" {
+		q += " AND status = ?"
+		args = append(args, status)
+	}
+	q += " ORDER BY created_at DESC LIMIT ? OFFSET ?"
+	args = append(args, pageSize, offset)
+	rows, err := h.db.Query(q, args...)
+	if err != nil {
+		c.JSON(500, gin.H{"error": err.Error()})
+		return
+	}
+	defer rows.Close()
+	items := make([]map[string]interface{}, 0)
+	for rows.Next() {
+		var id, cid, mode, toolName, toolCallID, payload, rowStatus string
+		var messageID sql.NullString
+		var decision, comment sql.NullString
+		var createdAt time.Time
+		var decidedAt sql.NullTime
+		if err := rows.Scan(&id, &cid, &messageID, &mode, &toolName, &toolCallID, &payload, &rowStatus, &decision, &comment, &createdAt, &decidedAt); err != nil {
+			continue
+		}
+		msgID := ""
+		if messageID.Valid {
+			msgID = messageID.String
+		}
+		items = append(items, map[string]interface{}{
+			"id":             id,
+			"conversationId": cid,
+			"messageId":      msgID,
+			"mode":           mode,
+			"toolName":       toolName,
+			"toolCallId":     toolCallID,
+			"payload":        payload,
+			"status":         rowStatus,
+			"decision":       decision.String,
+			"comment":        comment.String,
+			"createdAt":      createdAt,
+			"decidedAt": func() interface{} {
+				if decidedAt.Valid {
+					return decidedAt.Time
+				}
+				return nil
+			}(),
+		})
+	}
+	c.JSON(http.StatusOK, gin.H{"items": items, "page": page, "pageSize": pageSize})
+}
+
+type hitlDecisionReq struct {
+	InterruptID     string                 `json:"interruptId" binding:"required"`
+	Decision        string                 `json:"decision" binding:"required"`
+	Comment         string                 `json:"comment,omitempty"`
+	EditedArguments map[string]interface{} `json:"editedArguments,omitempty"`
+}
+
+func (h *AgentHandler) DecideHITLInterrupt(c *gin.Context) {
+	var req hitlDecisionReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(400, gin.H{"error": err.Error()})
+		return
+	}
+	if h.hitlManager == nil {
+		c.JSON(500, gin.H{"error": "hitl manager unavailable"})
+		return
+	}
+	if err := h.hitlManager.ResolveInterrupt(req.InterruptID, req.Decision, req.Comment, req.EditedArguments); err != nil {
+		c.JSON(http.StatusConflict, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"ok": true})
+}
+
+func (h *AgentHandler) DismissHITLInterrupt(c *gin.Context) {
+	var req struct {
+		InterruptID string `json:"interruptId" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(400, gin.H{"error": err.Error()})
+		return
+	}
+	if h.hitlManager == nil {
+		c.JSON(500, gin.H{"error": "hitl manager unavailable"})
+		return
+	}
+	res, err := h.db.Exec(`UPDATE hitl_interrupts SET status='cancelled', decision='reject',
+		decision_comment='dismissed by user', decided_at=CURRENT_TIMESTAMP
+		WHERE id=? AND status='pending'`, req.InterruptID)
+	if err != nil {
+		c.JSON(500, gin.H{"error": err.Error()})
+		return
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		c.JSON(404, gin.H{"error": "interrupt not found or already resolved"})
+		return
+	}
+	// Also drain from in-memory map if present
+	h.hitlManager.mu.Lock()
+	if p, ok := h.hitlManager.pending[req.InterruptID]; ok {
+		delete(h.hitlManager.pending, req.InterruptID)
+		select {
+		case p.decideCh <- hitlDecision{Decision: "reject", Comment: "dismissed by user"}:
+		default:
+		}
+	}
+	h.hitlManager.mu.Unlock()
+	c.JSON(http.StatusOK, gin.H{"ok": true})
+}
+
+func (h *AgentHandler) interceptHITLForEinoTool(runCtx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID string, sendEventFunc func(eventType, message string, data interface{}), toolName, arguments string) (string, error) {
+	payload := map[string]interface{}{
+		"toolName":   toolName,
+		"arguments":  arguments,
+		"source":     "eino_middleware",
+		"toolCallId": "",
+	}
+	var argsObj map[string]interface{}
+	if strings.TrimSpace(arguments) != "" {
+		_ = json.Unmarshal([]byte(arguments), &argsObj)
+		if argsObj != nil {
+			payload["argumentsObj"] = argsObj
+		}
+	}
+	d, err := h.waitHITLApproval(runCtx, cancelRun, conversationID, assistantMessageID, toolName, "", payload, sendEventFunc)
+	if err != nil || d == nil {
+		return arguments, err
+	}
+	if d.Decision == "reject" {
+		return arguments, multiagent.NewHumanRejectError(d.Comment)
+	}
+	if len(d.EditedArguments) > 0 {
+		edited, mErr := json.Marshal(d.EditedArguments)
+		if mErr == nil {
+			return string(edited), nil
+		}
+	}
+	return arguments, nil
+}
+
+func (h *AgentHandler) interceptHITLForReactTool(runCtx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID string, sendEventFunc func(eventType, message string, data interface{}), toolName string, arguments map[string]interface{}, toolCallID string) (map[string]interface{}, error) {
+	payload := map[string]interface{}{
+		"toolName":     toolName,
+		"argumentsObj": arguments,
+		"toolCallId":   toolCallID,
+		"source":       "react_pre_exec",
+	}
+	d, err := h.waitHITLApproval(runCtx, cancelRun, conversationID, assistantMessageID, toolName, toolCallID, payload, sendEventFunc)
+	if err != nil || d == nil {
+		return arguments, err
+	}
+	if d.Decision == "reject" {
+		comment := strings.TrimSpace(d.Comment)
+		if comment == "" {
+			comment = "no extra feedback"
+		}
+		return arguments, errors.New("human rejected this tool call; feedback: " + comment)
+	}
+	if len(d.EditedArguments) > 0 {
+		return d.EditedArguments, nil
+	}
+	return arguments, nil
+}
+
+func (h *AgentHandler) injectReactHITLInterceptor(ctx context.Context, cancelRun context.CancelCauseFunc, conversationID, assistantMessageID string, sendEventFunc func(eventType, message string, data interface{})) context.Context {
+	return agent.WithToolCallInterceptor(ctx, func(c context.Context, toolName string, args map[string]interface{}, toolCallID string) (map[string]interface{}, error) {
+		return h.interceptHITLForReactTool(c, cancelRun, conversationID, assistantMessageID, sendEventFunc, toolName, args, toolCallID)
+	})
+}
+
+type hitlConfigReq struct {
+	ConversationID string `json:"conversationId" binding:"required"`
+	HITLRequest
+}
+
+func (h *AgentHandler) GetHITLConversationConfig(c *gin.Context) {
+	conversationID := strings.TrimSpace(c.Param("conversationId"))
+	if conversationID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "conversationId is required"})
+		return
+	}
+	cfg, err := h.hitlManager.LoadConversationConfig(conversationID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	if !hitlStoredConfigEffective(cfg) {
+		if pendMode, ok := h.hitlManager.PendingHITLInterruptMode(conversationID); ok {
+			cfg2 := *cfg
+			cfg2.Enabled = true
+			cfg2.Mode = normalizeHitlMode(pendMode)
+			if cfg2.TimeoutSeconds < 0 {
+				cfg2.TimeoutSeconds = 0
+			}
+			cfg = &cfg2
+		}
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"conversationId":          conversationID,
+		"hitl":                    cfg,
+		"hitlGlobalToolWhitelist": h.hitlConfigGlobalToolWhitelist(),
+	})
+}
+
+func (h *AgentHandler) UpsertHITLConversationConfig(c *gin.Context) {
+	var req hitlConfigReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	req.Mode = normalizeHitlMode(req.Mode)
+	if err := h.hitlManager.SaveConversationConfig(req.ConversationID, &req.HITLRequest); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	if h.hitlWhitelistSaver != nil && len(req.SensitiveTools) > 0 {
+		if err := h.hitlWhitelistSaver.MergeHitlToolWhitelistIntoConfig(req.SensitiveTools); err != nil {
+			h.logger.Warn("HITL 会话配置已保存，但合并工具白名单到 config.yaml 失败", zap.Error(err))
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"error": "会话配置已保存，但写入 config.yaml 失败: " + err.Error(),
+			})
+			return
+		}
+	}
+	h.hitlManager.ActivateConversation(req.ConversationID, h.hitlRequestWithMergedConfigWhitelist(&req.HITLRequest))
+	c.JSON(http.StatusOK, gin.H{"ok": true})
+}
+
+type mergeHitlGlobalWhitelistReq struct {
+	SensitiveTools []string `json:"sensitiveTools"`
+}
+
+// MergeHITLGlobalToolWhitelist 无会话 ID 时将侧栏提交的免审批工具合并进 config.yaml（与 PUT /hitl/config 中白名单落盘规则一致）。
+func (h *AgentHandler) MergeHITLGlobalToolWhitelist(c *gin.Context) {
+	if h.hitlWhitelistSaver == nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "HITL 配置持久化不可用"})
+		return
+	}
+	var req mergeHitlGlobalWhitelistReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	if len(req.SensitiveTools) == 0 {
+		c.JSON(http.StatusOK, gin.H{
+			"ok":                        true,
+			"hitlGlobalToolWhitelist":   h.hitlConfigGlobalToolWhitelist(),
+			"hitlGlobalWhitelistMerged": false,
+		})
+		return
+	}
+	if err := h.hitlWhitelistSaver.MergeHitlToolWhitelistIntoConfig(req.SensitiveTools); err != nil {
+		h.logger.Warn("合并 HITL 工具白名单到 config.yaml 失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"ok":                        true,
+		"hitlGlobalToolWhitelist":   h.hitlConfigGlobalToolWhitelist(),
+		"hitlGlobalWhitelistMerged": true,
+	})
+}
+
+func boolToInt(v bool) int {
+	if v {
+		return 1
+	}
+	return 0
+}
@@ -131,16 +131,16 @@ func (h *MarkdownAgentsHandler) GetMarkdownAgent(c *gin.Context) {
 }

 type markdownAgentBody struct {
-	Filename       string   `json:"filename"`
-	ID             string   `json:"id"`
-	Name           string   `json:"name"`
-	Description    string   `json:"description"`
-	Tools          []string `json:"tools"`
-	Instruction    string   `json:"instruction"`
-	BindRole       string   `json:"bind_role"`
-	MaxIterations  int      `json:"max_iterations"`
-	Kind           string   `json:"kind"`
-	Raw            string   `json:"raw"`
+	Filename      string   `json:"filename"`
+	ID            string   `json:"id"`
+	Name          string   `json:"name"`
+	Description   string   `json:"description"`
+	Tools         []string `json:"tools"`
+	Instruction   string   `json:"instruction"`
+	BindRole      string   `json:"bind_role"`
+	MaxIterations int      `json:"max_iterations"`
+	Kind          string   `json:"kind"`
+	Raw           string   `json:"raw"`
 }

 // CreateMarkdownAgent POST /api/multi-agent/markdown-agents
@@ -42,11 +42,11 @@ func (h *MonitorHandler) SetExternalMCPManager(mgr *mcp.ExternalMCPManager) {
 type MonitorResponse struct {
 	Executions []*mcp.ToolExecution      `json:"executions"`
 	Stats      map[string]*mcp.ToolStats `json:"stats"`
-	Timestamp  time.Time                  `json:"timestamp"`
-	Total      int                        `json:"total,omitempty"`
-	Page       int                        `json:"page,omitempty"`
-	PageSize   int                        `json:"page_size,omitempty"`
-	TotalPages int                        `json:"total_pages,omitempty"`
+	Timestamp  time.Time                 `json:"timestamp"`
+	Total      int                       `json:"total,omitempty"`
+	Page       int                       `json:"page,omitempty"`
+	PageSize   int                       `json:"page_size,omitempty"`
+	TotalPages int                       `json:"total_pages,omitempty"`
 }

 // Monitor 获取监控信息
@@ -213,7 +213,6 @@ func (h *MonitorHandler) loadStats() map[string]*mcp.ToolStats {
 	return stats
 }

-
 // GetExecution 获取特定执行记录
 func (h *MonitorHandler) GetExecution(c *gin.Context) {
 	id := c.Param("id")
@@ -416,5 +415,3 @@ func (h *MonitorHandler) DeleteExecutions(c *gin.Context) {
 	h.logger.Info("尝试批量删除内存中的执行记录", zap.Int("count", len(request.IDs)))
 	c.JSON(http.StatusOK, gin.H{"message": "执行记录已删除（如果存在）"})
 }
-
-
@@ -40,6 +40,9 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 		event := StreamEvent{Type: "error", Message: "请求参数错误: " + err.Error()}
 		b, _ := json.Marshal(event)
 		fmt.Fprintf(c.Writer, "data: %s\n\n", b)
+		done := StreamEvent{Type: "done", Message: ""}
+		db, _ := json.Marshal(done)
+		fmt.Fprintf(c.Writer, "data: %s\n\n", db)
 		c.Writer.Flush()
 		return
 	}
@@ -53,25 +56,36 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 	clientDisconnected := false
 	// 与 sseKeepalive 共用：禁止并发写 ResponseWriter，否则会破坏 chunked 编码（ERR_INVALID_CHUNKED_ENCODING）。
 	var sseWriteMu sync.Mutex
+	var ssePublishConversationID string
 	sendEvent := func(eventType, message string, data interface{}) {
-		if clientDisconnected {
-			return
-		}
 		// 用户主动停止时，Eino 可能仍会并发上报 eventType=="error"。
 		// 为避免 UI 看到“取消错误 + cancelled 文案”两条回复，这里直接丢弃取消对应的 error。
 		if eventType == "error" && baseCtx != nil && errors.Is(context.Cause(baseCtx), ErrTaskCancelled) {
 			return
 		}
+		ev := StreamEvent{Type: eventType, Message: message, Data: data}
+		b, errMarshal := json.Marshal(ev)
+		if errMarshal != nil {
+			b = []byte(`{"type":"error","message":"marshal failed"}`)
+		}
+		sseLine := make([]byte, 0, len(b)+8)
+		sseLine = append(sseLine, []byte("data: ")...)
+		sseLine = append(sseLine, b...)
+		sseLine = append(sseLine, '\n', '\n')
+		if ssePublishConversationID != "" && h.taskEventBus != nil {
+			h.taskEventBus.Publish(ssePublishConversationID, sseLine)
+		}
+		if clientDisconnected {
+			return
+		}
 		select {
 		case <-c.Request.Context().Done():
 			clientDisconnected = true
 			return
 		default:
 		}
-		ev := StreamEvent{Type: eventType, Message: message, Data: data}
-		b, _ := json.Marshal(ev)
 		sseWriteMu.Lock()
-		_, err := fmt.Fprintf(c.Writer, "data: %s\n\n", b)
+		_, err := c.Writer.Write(sseLine)
 		if err != nil {
 			sseWriteMu.Unlock()
 			clientDisconnected = true
@@ -95,6 +109,7 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 		sendEvent("done", "", nil)
 		return
 	}
+	ssePublishConversationID = prep.ConversationID
 	if prep.CreatedNew {
 		sendEvent("conversation", "会话已创建", map[string]interface{}{
 			"conversationId": prep.ConversationID,
@@ -103,6 +118,10 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {

 	conversationID := prep.ConversationID
 	assistantMessageID := prep.AssistantMessageID
+	h.activateHITLForConversation(conversationID, req.Hitl)
+	if h.hitlManager != nil {
+		defer h.hitlManager.DeactivateConversation(conversationID)
+	}

 	if prep.UserMessageID != "" {
 		sendEvent("message_saved", "", map[string]interface{}{
@@ -111,12 +130,14 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 		})
 	}

-	progressCallback := h.createProgressCallback(conversationID, assistantMessageID, sendEvent)
-
 	baseCtx, cancelWithCause := context.WithCancelCause(context.Background())
 	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
 	defer timeoutCancel()
 	defer cancelWithCause(nil)
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, conversationID, assistantMessageID, sendEvent)
+	taskCtx = multiagent.WithHITLToolInterceptor(taskCtx, func(ctx context.Context, toolName, arguments string) (string, error) {
+		return h.interceptHITLForEinoTool(ctx, cancelWithCause, conversationID, assistantMessageID, sendEvent, toolName, arguments)
+	})

 	if _, err := h.tasks.StartTask(conversationID, req.Message, cancelWithCause); err != nil {
 		var errorMsg string
@@ -164,6 +185,7 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 	)

 	if runErr != nil {
+		h.persistEinoAgentTraceForResume(conversationID, result)
 		cause := context.Cause(baseCtx)
 		if errors.Is(cause, ErrTaskCancelled) {
 			taskStatus = "cancelled"
@@ -181,6 +203,23 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 			return
 		}

+		if errors.Is(runErr, context.DeadlineExceeded) || errors.Is(context.Cause(taskCtx), context.DeadlineExceeded) {
+			taskStatus = "timeout"
+			h.tasks.UpdateTaskStatus(conversationID, taskStatus)
+			timeoutMsg := "任务执行超时，已自动终止。"
+			if assistantMessageID != "" {
+				_, _ = h.db.Exec("UPDATE messages SET content = ? WHERE id = ?", timeoutMsg, assistantMessageID)
+				_ = h.db.AddProcessDetail(assistantMessageID, conversationID, "timeout", timeoutMsg, nil)
+			}
+			sendEvent("error", timeoutMsg, map[string]interface{}{
+				"conversationId": conversationID,
+				"messageId":      assistantMessageID,
+				"errorType":      "timeout",
+			})
+			sendEvent("done", "", map[string]interface{}{"conversationId": conversationID})
+			return
+		}
+
 		h.logger.Error("Eino DeepAgent 执行失败", zap.Error(runErr))
 		taskStatus = "failed"
 		h.tasks.UpdateTaskStatus(conversationID, taskStatus)
@@ -211,9 +250,9 @@ func (h *AgentHandler) MultiAgentLoopStream(c *gin.Context) {
 		)
 	}

-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		if err := h.db.SaveReActData(conversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-			h.logger.Warn("保存 ReAct 数据失败", zap.Error(err))
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+			h.logger.Warn("保存代理轨迹失败", zap.Error(err))
 		}
 	}

@@ -251,9 +290,22 @@ func (h *AgentHandler) MultiAgentLoop(c *gin.Context) {
 		c.JSON(status, gin.H{"error": msg})
 		return
 	}
+	h.activateHITLForConversation(prep.ConversationID, req.Hitl)
+	if h.hitlManager != nil {
+		defer h.hitlManager.DeactivateConversation(prep.ConversationID)
+	}
+
+	baseCtx, cancelWithCause := context.WithCancelCause(c.Request.Context())
+	defer cancelWithCause(nil)
+	taskCtx, timeoutCancel := context.WithTimeout(baseCtx, 600*time.Minute)
+	defer timeoutCancel()
+	progressCallback := h.createProgressCallback(taskCtx, cancelWithCause, prep.ConversationID, prep.AssistantMessageID, nil)
+	taskCtx = multiagent.WithHITLToolInterceptor(taskCtx, func(ctx context.Context, toolName, arguments string) (string, error) {
+		return h.interceptHITLForEinoTool(ctx, cancelWithCause, prep.ConversationID, prep.AssistantMessageID, nil, toolName, arguments)
+	})

 	result, runErr := multiagent.RunDeepAgent(
-		c.Request.Context(),
+		taskCtx,
 		h.config,
 		&h.config.MultiAgent,
 		h.agent,
@@ -262,11 +314,12 @@ func (h *AgentHandler) MultiAgentLoop(c *gin.Context) {
 		prep.FinalMessage,
 		prep.History,
 		prep.RoleTools,
-		nil,
+		progressCallback,
 		h.agentsMarkdownDir,
 		strings.TrimSpace(req.Orchestration),
 	)
 	if runErr != nil {
+		h.persistEinoAgentTraceForResume(prep.ConversationID, result)
 		h.logger.Error("Eino DeepAgent 执行失败", zap.Error(runErr))
 		errMsg := "执行失败: " + runErr.Error()
 		if prep.AssistantMessageID != "" {
@@ -290,9 +343,9 @@ func (h *AgentHandler) MultiAgentLoop(c *gin.Context) {
 		)
 	}

-	if result.LastReActInput != "" || result.LastReActOutput != "" {
-		if err := h.db.SaveReActData(prep.ConversationID, result.LastReActInput, result.LastReActOutput); err != nil {
-			h.logger.Warn("保存 ReAct 数据失败", zap.Error(err))
+	if result.LastAgentTraceInput != "" || result.LastAgentTraceOutput != "" {
+		if err := h.db.SaveAgentTrace(prep.ConversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+			h.logger.Warn("保存代理轨迹失败", zap.Error(err))
 		}
 	}

@@ -304,6 +357,19 @@ func (h *AgentHandler) MultiAgentLoop(c *gin.Context) {
 	})
 }

+// persistEinoAgentTraceForResume 在 Eino 运行异常结束时写入代理轨迹（库列 last_react_*），供下一请求 loadHistoryFromAgentTrace 软续跑。
+func (h *AgentHandler) persistEinoAgentTraceForResume(conversationID string, result *multiagent.RunResult) {
+	if h == nil || result == nil {
+		return
+	}
+	if result.LastAgentTraceInput == "" && result.LastAgentTraceOutput == "" {
+		return
+	}
+	if err := h.db.SaveAgentTrace(conversationID, result.LastAgentTraceInput, result.LastAgentTraceOutput); err != nil {
+		h.logger.Warn("保存 Eino 续跑上下文失败", zap.String("conversationId", conversationID), zap.Error(err))
+	}
+}
+
 func multiAgentHTTPErrorStatus(err error) (int, string) {
 	msg := err.Error()
 	switch {
@@ -49,7 +49,7 @@ func (h *AgentHandler) prepareMultiAgentSession(req *ChatRequest) (*multiAgentPr
 		}
 	}

-	agentHistoryMessages, err := h.loadHistoryFromReActData(conversationID)
+	agentHistoryMessages, err := h.loadHistoryFromAgentTrace(conversationID)
 	if err != nil {
 		historyMessages, getErr := h.db.GetMessages(conversationID)
 		if getErr != nil {
@@ -73,12 +73,7 @@ func (h *AgentHandler) prepareMultiAgentSession(req *ChatRequest) (*multiAgentPr
 			h.logger.Warn("WebShell AI 助手：未找到连接", zap.String("id", req.WebShellConnectionID), zap.Error(errConn))
 			return nil, fmt.Errorf("未找到该 WebShell 连接")
 		}
-		remark := conn.Remark
-		if remark == "" {
-			remark = conn.URL
-		}
-		webshellContext := fmt.Sprintf("[WebShell 助手上下文] 当前连接 ID：%s，备注：%s。可用工具（仅在该连接上操作时使用，connection_id 填 \"%s\"）：webshell_exec、webshell_file_list、webshell_file_read、webshell_file_write、record_vulnerability、list_knowledge_risk_types、search_knowledge_base。Skills 包请使用 Eino 多代理内置 `skill` 工具。\n\n用户请求：%s",
-			conn.ID, remark, conn.ID, req.Message)
+		webshellContext := BuildWebshellAssistantContext(conn, WebshellSkillHintMultiAgent, req.Message)
 		// WebShell 模式下如果同时指定了角色，追加角色 user_prompt（工具集仍仅限 webshell 专用工具）
 		if req.Role != "" && req.Role != "默认" && h.config != nil && h.config.Roles != nil {
 			if role, exists := h.config.Roles[req.Role]; exists && role.Enabled && role.UserPrompt != "" {
@@ -0,0 +1,642 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"cyberstrike-ai/internal/database"
+	"github.com/gin-gonic/gin"
+	"go.uber.org/zap"
+)
+
+// NotificationHandler 聚合通知（Phase 2：服务端统一计算）
+type NotificationHandler struct {
+	db           *database.DB
+	agentHandler *AgentHandler
+	logger       *zap.Logger
+}
+
+const notificationReadMaxRows = 150
+
+// NotificationSummaryItem 通知项
+type NotificationSummaryItem struct {
+	ID         string `json:"id"`
+	Level      string `json:"level"` // p0/p1/p2
+	Type       string `json:"type"`
+	Title      string `json:"title"`
+	Desc       string `json:"desc"`
+	Ts         string `json:"ts"` // RFC3339
+	Count      int    `json:"count,omitempty"`
+	Actionable bool   `json:"actionable"`
+	Read       bool   `json:"read"`
+	// 以下字段用于前端深链跳转（通知即入口）
+	ConversationID  string `json:"conversationId,omitempty"`
+	VulnerabilityID string `json:"vulnerabilityId,omitempty"`
+	ExecutionID     string `json:"executionId,omitempty"`
+	InterruptID     string `json:"interruptId,omitempty"`
+}
+
+// NotificationSummaryResponse 聚合响应
+type NotificationSummaryResponse struct {
+	SinceMs     int64                     `json:"sinceMs"`
+	GeneratedAt string                    `json:"generatedAt"`
+	P0Count     int                       `json:"p0Count"`
+	UnreadCount int                       `json:"unreadCount"`
+	Counts      map[string]int            `json:"counts"`
+	Items       []NotificationSummaryItem `json:"items"`
+}
+
+func NewNotificationHandler(db *database.DB, agentHandler *AgentHandler, logger *zap.Logger) *NotificationHandler {
+	return &NotificationHandler{
+		db:           db,
+		agentHandler: agentHandler,
+		logger:       logger,
+	}
+}
+
+func parseSinceMs(raw string) int64 {
+	v := strings.TrimSpace(raw)
+	if v == "" {
+		return 0
+	}
+	if ms, err := strconv.ParseInt(v, 10, 64); err == nil && ms > 0 {
+		return ms
+	}
+	if t, err := time.Parse(time.RFC3339, v); err == nil {
+		return t.UnixMilli()
+	}
+	return 0
+}
+
+func unixSecToRFC3339(sec int64) string {
+	if sec <= 0 {
+		return time.Now().UTC().Format(time.RFC3339)
+	}
+	return time.Unix(sec, 0).UTC().Format(time.RFC3339)
+}
+
+func normalizedSinceSec(sinceMs int64) int64 {
+	sec := sinceMs / 1000
+	// SQLite 默认时间精度到秒；给 1s 回看窗口，避免“同秒内新增”被漏算。
+	if sec > 0 {
+		return sec - 1
+	}
+	return 0
+}
+
+func normalizeSinceMs(raw int64) int64 {
+	if raw > 0 {
+		return raw
+	}
+	// 默认仅看最近 24 小时，避免首次打开拉全量历史噪音。
+	return time.Now().Add(-24 * time.Hour).UnixMilli()
+}
+
+func levelBySeverity(sev string) string {
+	switch strings.ToLower(strings.TrimSpace(sev)) {
+	case "critical", "high":
+		return "p0"
+	case "medium":
+		return "p1"
+	default:
+		return "p2"
+	}
+}
+
+func requestWantsEnglish(c *gin.Context) bool {
+	if c == nil {
+		return false
+	}
+	lang := strings.ToLower(strings.TrimSpace(c.Query("lang")))
+	if lang == "" {
+		lang = strings.ToLower(strings.TrimSpace(c.GetHeader("Accept-Language")))
+	}
+	return strings.HasPrefix(lang, "en")
+}
+
+func i18nText(english bool, zh string, en string) string {
+	if english {
+		return en
+	}
+	return zh
+}
+
+func (h *NotificationHandler) loadPendingHITLItems(limit int, english bool) ([]NotificationSummaryItem, error) {
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			conversation_id,
+			tool_name,
+			COALESCE(CAST(strftime('%s', created_at) AS INTEGER), 0)
+		FROM hitl_interrupts
+		WHERE status = 'pending'
+		ORDER BY created_at DESC
+		LIMIT ?
+	`, limit)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	for rows.Next() {
+		var id, conversationID, toolName string
+		var createdSec int64
+		if err := rows.Scan(&id, &conversationID, &toolName, &createdSec); err != nil {
+			continue
+		}
+		desc := i18nText(english, "会话 "+conversationID+" 的审批中断待处理", "Conversation "+conversationID+" has pending HITL approval")
+		if strings.TrimSpace(toolName) != "" {
+			desc = i18nText(english, "工具 "+toolName+" 等待审批", "Tool "+toolName+" is waiting for approval")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:             "hitl:" + id,
+			Level:          "p0",
+			Type:           "hitl_pending",
+			Title:          i18nText(english, "HITL 待审批", "HITL Pending Approval"),
+			Desc:           desc,
+			Ts:             unixSecToRFC3339(createdSec),
+			Count:          1,
+			Actionable:     true,
+			Read:           false,
+			ConversationID: conversationID,
+			InterruptID:    id,
+		})
+	}
+	return items, nil
+}
+
+func (h *NotificationHandler) loadVulnerabilityItems(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, map[string]int, error) {
+	sinceSec := normalizedSinceSec(sinceMs)
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			title,
+			severity,
+			conversation_id,
+			COALESCE(CAST(strftime('%s', created_at) AS INTEGER), 0)
+		FROM vulnerabilities
+		WHERE CAST(strftime('%s', created_at) AS INTEGER) > ?
+		ORDER BY created_at DESC
+		LIMIT ?
+	`, sinceSec, limit)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	counts := map[string]int{
+		"newCriticalVulns": 0,
+		"newHighVulns":     0,
+		"newMediumVulns":   0,
+		"newLowVulns":      0,
+		"newInfoVulns":     0,
+	}
+	for rows.Next() {
+		var id, title, severity, conversationID string
+		var createdSec int64
+		if err := rows.Scan(&id, &title, &severity, &conversationID, &createdSec); err != nil {
+			continue
+		}
+		switch strings.ToLower(strings.TrimSpace(severity)) {
+		case "critical":
+			counts["newCriticalVulns"]++
+		case "high":
+			counts["newHighVulns"]++
+		case "medium":
+			counts["newMediumVulns"]++
+		case "low":
+			counts["newLowVulns"]++
+		default:
+			counts["newInfoVulns"]++
+		}
+		sevUpper := strings.ToUpper(strings.TrimSpace(severity))
+		if sevUpper == "" {
+			sevUpper = "INFO"
+		}
+		finalTitle := i18nText(english, "新漏洞（"+sevUpper+"）", "New Vulnerability ("+sevUpper+")")
+		finalDesc := strings.TrimSpace(title)
+		if finalDesc == "" {
+			finalDesc = i18nText(english, "（无标题）", "(Untitled)")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:              "vuln:" + id,
+			Level:           levelBySeverity(severity),
+			Type:            "vulnerability_created",
+			Title:           finalTitle,
+			Desc:            finalDesc,
+			Ts:              unixSecToRFC3339(createdSec),
+			Count:           1,
+			Actionable:      false,
+			Read:            false,
+			ConversationID:  conversationID,
+			VulnerabilityID: id,
+		})
+	}
+	return items, counts, nil
+}
+
+func (h *NotificationHandler) loadFailedExecutionItems(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, int, error) {
+	sinceSec := normalizedSinceSec(sinceMs)
+	rows, err := h.db.Query(`
+		SELECT
+			id,
+			tool_name,
+			COALESCE(CAST(strftime('%s', start_time) AS INTEGER), 0)
+		FROM tool_executions
+		WHERE status = 'failed'
+		  AND CAST(strftime('%s', start_time) AS INTEGER) > ?
+		ORDER BY start_time DESC
+		LIMIT ?
+	`, sinceSec, limit)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer rows.Close()
+	items := make([]NotificationSummaryItem, 0, limit)
+	count := 0
+	for rows.Next() {
+		var id, toolName string
+		var startSec int64
+		if err := rows.Scan(&id, &toolName, &startSec); err != nil {
+			continue
+		}
+		count++
+		if strings.TrimSpace(toolName) == "" {
+			toolName = i18nText(english, "未知工具", "unknown")
+		}
+		items = append(items, NotificationSummaryItem{
+			ID:          "exec_failed:" + id,
+			Level:       "p0",
+			Type:        "task_failed",
+			Title:       i18nText(english, "任务执行失败", "Task Execution Failed"),
+			Desc:        i18nText(english, "工具 "+toolName+" 执行失败", "Tool "+toolName+" execution failed"),
+			Ts:          unixSecToRFC3339(startSec),
+			Count:       1,
+			Actionable:  false,
+			Read:        false,
+			ExecutionID: id,
+		})
+	}
+	return items, count, nil
+}
+
+func (h *NotificationHandler) summarizeLongRunningTasks(threshold time.Duration, english bool) ([]NotificationSummaryItem, int) {
+	if h.agentHandler == nil || h.agentHandler.tasks == nil {
+		return nil, 0
+	}
+	tasks := h.agentHandler.tasks.GetActiveTasks()
+	now := time.Now()
+	items := make([]NotificationSummaryItem, 0, len(tasks))
+	for _, t := range tasks {
+		if t == nil {
+			continue
+		}
+		if now.Sub(t.StartedAt) >= threshold {
+			items = append(items, NotificationSummaryItem{
+				ID:             "task_long:" + t.ConversationID,
+				Level:          "p1",
+				Type:           "long_running_tasks",
+				Title:          i18nText(english, "长时间运行任务", "Long Running Task"),
+				Desc:           i18nText(english, "会话 "+t.ConversationID+" 运行超过 15 分钟", "Conversation "+t.ConversationID+" has been running over 15 minutes"),
+				Ts:             t.StartedAt.UTC().Format(time.RFC3339),
+				Count:          1,
+				Actionable:     true,
+				Read:           false,
+				ConversationID: t.ConversationID,
+			})
+		}
+	}
+	return items, len(items)
+}
+
+func (h *NotificationHandler) summarizeCompletedTasksSince(sinceMs int64, limit int, english bool) ([]NotificationSummaryItem, int) {
+	if h.agentHandler == nil || h.agentHandler.tasks == nil {
+		return nil, 0
+	}
+	since := time.UnixMilli(sinceMs)
+	completed := h.agentHandler.tasks.GetCompletedTasks()
+	items := make([]NotificationSummaryItem, 0, limit)
+	for _, t := range completed {
+		if t == nil {
+			continue
+		}
+		if t.CompletedAt.After(since) {
+			items = append(items, NotificationSummaryItem{
+				ID:             "task_completed:" + t.ConversationID + ":" + strconv.FormatInt(t.CompletedAt.Unix(), 10),
+				Level:          "p2",
+				Type:           "task_completed",
+				Title:          i18nText(english, "任务完成", "Task Completed"),
+				Desc:           i18nText(english, "会话 "+t.ConversationID+" 已完成", "Conversation "+t.ConversationID+" completed"),
+				Ts:             t.CompletedAt.UTC().Format(time.RFC3339),
+				Count:          1,
+				Actionable:     false,
+				Read:           false,
+				ConversationID: t.ConversationID,
+			})
+			if len(items) >= limit {
+				break
+			}
+		}
+	}
+	return items, len(items)
+}
+
+func buildPlaceholders(n int) string {
+	if n <= 0 {
+		return ""
+	}
+	out := make([]string, 0, n)
+	for i := 0; i < n; i++ {
+		out = append(out, "?")
+	}
+	return strings.Join(out, ",")
+}
+
+func (h *NotificationHandler) readStatesByIDs(ids []string) (map[string]bool, error) {
+	result := make(map[string]bool, len(ids))
+	if len(ids) == 0 {
+		return result, nil
+	}
+	holders := buildPlaceholders(len(ids))
+	query := "SELECT event_id FROM notification_reads WHERE event_id IN (" + holders + ")"
+	args := make([]interface{}, 0, len(ids))
+	for _, id := range ids {
+		args = append(args, id)
+	}
+	rows, err := h.db.Query(query, args...)
+	if err != nil {
+		return result, err
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var id string
+		if err := rows.Scan(&id); err != nil {
+			continue
+		}
+		result[id] = true
+	}
+	return result, nil
+}
+
+func (h *NotificationHandler) applyReadStates(items []NotificationSummaryItem) ([]NotificationSummaryItem, error) {
+	markableIDs := make([]string, 0, len(items))
+	for _, item := range items {
+		if item.Actionable {
+			continue
+		}
+		markableIDs = append(markableIDs, item.ID)
+	}
+	readMap, err := h.readStatesByIDs(markableIDs)
+	if err != nil {
+		return items, err
+	}
+	for i := range items {
+		if items[i].Actionable {
+			items[i].Read = false
+			continue
+		}
+		items[i].Read = readMap[items[i].ID]
+	}
+	return items, nil
+}
+
+func filterVisibleItems(items []NotificationSummaryItem) []NotificationSummaryItem {
+	out := make([]NotificationSummaryItem, 0, len(items))
+	for _, item := range items {
+		if item.Actionable || !item.Read {
+			out = append(out, item)
+		}
+	}
+	return out
+}
+
+func countP0(items []NotificationSummaryItem) int {
+	total := 0
+	for _, item := range items {
+		if item.Level == "p0" {
+			if item.Count > 0 {
+				total += item.Count
+			} else {
+				total++
+			}
+		}
+	}
+	return total
+}
+
+func countUnread(items []NotificationSummaryItem) int {
+	total := 0
+	for _, item := range items {
+		if item.Actionable || !item.Read {
+			if item.Count > 0 {
+				total += item.Count
+			} else {
+				total++
+			}
+		}
+	}
+	return total
+}
+
+func createNotificationReadTableIfNeeded(db *database.DB) error {
+	if db == nil {
+		return fmt.Errorf("db is nil")
+	}
+	_, err := db.Exec(`
+		CREATE TABLE IF NOT EXISTS notification_reads (
+			event_id TEXT PRIMARY KEY,
+			read_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+		);
+	`)
+	if err != nil {
+		return err
+	}
+	_, idxErr := db.Exec(`CREATE INDEX IF NOT EXISTS idx_notification_reads_read_at ON notification_reads(read_at DESC);`)
+	return idxErr
+}
+
+func pruneNotificationReads(db *database.DB, maxRows int) error {
+	if db == nil {
+		return fmt.Errorf("db is nil")
+	}
+	if maxRows <= 0 {
+		return nil
+	}
+	_, err := db.Exec(`
+		DELETE FROM notification_reads
+		WHERE event_id NOT IN (
+			SELECT event_id
+			FROM notification_reads
+			ORDER BY read_at DESC, rowid DESC
+			LIMIT ?
+		)
+	`, maxRows)
+	return err
+}
+
+type markReadRequest struct {
+	EventIDs []string `json:"eventIds"`
+}
+
+func normalizeMarkableEventID(id string) (string, bool) {
+	v := strings.TrimSpace(id)
+	if v == "" {
+		return "", false
+	}
+	// 仅允许“可读后隐藏”的信息类事件；Actionable 事件不参与 read 标记。
+	allowedPrefixes := []string{
+		"vuln:",
+		"exec_failed:",
+		"task_completed:",
+	}
+	for _, prefix := range allowedPrefixes {
+		if strings.HasPrefix(v, prefix) {
+			return v, true
+		}
+	}
+	return "", false
+}
+
+// MarkRead 按事件 ID 标记已读
+func (h *NotificationHandler) MarkRead(c *gin.Context) {
+	if err := createNotificationReadTableIfNeeded(h.db); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to prepare notification read table"})
+		return
+	}
+	var req markReadRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+	if len(req.EventIDs) == 0 {
+		c.JSON(http.StatusOK, gin.H{"ok": true, "marked": 0})
+		return
+	}
+	tx, err := h.db.Begin()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to begin transaction"})
+		return
+	}
+	defer func() {
+		_ = tx.Rollback()
+	}()
+	stmt, err := tx.Prepare(`
+		INSERT INTO notification_reads(event_id, read_at)
+		VALUES(?, CURRENT_TIMESTAMP)
+		ON CONFLICT(event_id) DO UPDATE SET read_at = CURRENT_TIMESTAMP
+	`)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to prepare statement"})
+		return
+	}
+	defer stmt.Close()
+	marked := 0
+	for _, raw := range req.EventIDs {
+		id, ok := normalizeMarkableEventID(raw)
+		if !ok {
+			continue
+		}
+		if _, err := stmt.Exec(id); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to mark read"})
+			return
+		}
+		marked++
+	}
+	if err := tx.Commit(); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to commit read marks"})
+		return
+	}
+	if err := pruneNotificationReads(h.db, notificationReadMaxRows); err != nil {
+		h.logger.Warn("裁剪通知已读记录失败", zap.Error(err))
+	}
+	c.JSON(http.StatusOK, gin.H{"ok": true, "marked": marked})
+}
+
+// GetSummary 返回通知聚合视图（用于头部铃铛）
+func (h *NotificationHandler) GetSummary(c *gin.Context) {
+	if h.db == nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "database unavailable"})
+		return
+	}
+
+	if err := createNotificationReadTableIfNeeded(h.db); err != nil {
+		h.logger.Warn("初始化通知已读表失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to initialize notification read table"})
+		return
+	}
+
+	english := requestWantsEnglish(c)
+	sinceMs := normalizeSinceMs(parseSinceMs(c.Query("since")))
+	limit, _ := strconv.Atoi(strings.TrimSpace(c.DefaultQuery("limit", "50")))
+	if limit <= 0 {
+		limit = 50
+	}
+	if limit > 200 {
+		limit = 200
+	}
+
+	hitlItems, err := h.loadPendingHITLItems(limit, english)
+	if err != nil {
+		h.logger.Warn("加载 HITL 通知失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to summarize hitl notifications"})
+		return
+	}
+
+	vulnItems, vulnCounts, err := h.loadVulnerabilityItems(sinceMs, limit, english)
+	if err != nil {
+		h.logger.Warn("加载漏洞通知失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to summarize vulnerabilities"})
+		return
+	}
+
+	longRunningItems, longRunningCount := h.summarizeLongRunningTasks(15*time.Minute, english)
+	completedItems, completedCount := h.summarizeCompletedTasksSince(sinceMs, limit, english)
+
+	items := make([]NotificationSummaryItem, 0, len(hitlItems)+len(vulnItems)+len(longRunningItems)+len(completedItems))
+	items = append(items, hitlItems...)
+	items = append(items, vulnItems...)
+	items = append(items, longRunningItems...)
+	items = append(items, completedItems...)
+
+	items, err = h.applyReadStates(items)
+	if err != nil {
+		h.logger.Warn("加载通知已读状态失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load notification read states"})
+		return
+	}
+	items = filterVisibleItems(items)
+
+	sort.Slice(items, func(i, j int) bool {
+		ti, errI := time.Parse(time.RFC3339, items[i].Ts)
+		tj, errJ := time.Parse(time.RFC3339, items[j].Ts)
+		if errI != nil || errJ != nil {
+			return i < j
+		}
+		return ti.After(tj)
+	})
+
+	p0Count := countP0(items)
+	unreadCount := countUnread(items)
+	c.JSON(http.StatusOK, NotificationSummaryResponse{
+		SinceMs:     sinceMs,
+		GeneratedAt: time.Now().UTC().Format(time.RFC3339),
+		P0Count:     p0Count,
+		UnreadCount: unreadCount,
+		Counts: map[string]int{
+			"hitlPending":      len(hitlItems),
+			"newCriticalVulns": vulnCounts["newCriticalVulns"],
+			"newHighVulns":     vulnCounts["newHighVulns"],
+			"newMediumVulns":   vulnCounts["newMediumVulns"],
+			"newLowVulns":      vulnCounts["newLowVulns"],
+			"newInfoVulns":     vulnCounts["newInfoVulns"],
+			"failedExecutions": 0,
+			"longRunningTasks": longRunningCount,
+			"completedTasks":   completedCount,
+		},
+		Items: items,
+	})
+}
@@ -4445,7 +4445,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"messageId"},
 									"properties": map[string]interface{}{
 										"messageId": map[string]interface{}{
@@ -4689,7 +4689,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"scheduleEnabled"},
 									"properties": map[string]interface{}{
 										"scheduleEnabled": map[string]interface{}{"type": "boolean", "description": "是否启用自动调度"},
@@ -4761,7 +4761,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"query"},
 									"properties": map[string]interface{}{
 										"query":  map[string]interface{}{"type": "string", "description": "FOFA查询语法", "example": "domain=\"example.com\""},
@@ -4810,7 +4810,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"text"},
 									"properties": map[string]interface{}{
 										"text": map[string]interface{}{"type": "string", "description": "自然语言描述", "example": "查找使用WordPress的网站"},
@@ -4853,7 +4853,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"api_key", "model"},
 									"properties": map[string]interface{}{
 										"provider": map[string]interface{}{"type": "string", "description": "LLM提供商（openai/claude）", "example": "openai"},
@@ -4900,7 +4900,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"command"},
 									"properties": map[string]interface{}{
 										"command": map[string]interface{}{"type": "string", "description": "要执行的命令"},
@@ -4943,7 +4943,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"command"},
 									"properties": map[string]interface{}{
 										"command": map[string]interface{}{"type": "string", "description": "要执行的命令"},
@@ -5027,7 +5027,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"url"},
 									"properties": map[string]interface{}{
 										"url":       map[string]interface{}{"type": "string", "description": "WebShell URL"},
@@ -5231,7 +5231,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"url", "command"},
 									"properties": map[string]interface{}{
 										"url":       map[string]interface{}{"type": "string", "description": "WebShell URL"},
@@ -5277,7 +5277,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"url", "action", "path"},
 									"properties": map[string]interface{}{
 										"url":         map[string]interface{}{"type": "string", "description": "WebShell URL"},
@@ -5339,14 +5339,14 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 												"items": map[string]interface{}{
 													"type": "object",
 													"properties": map[string]interface{}{
-														"relativePath":  map[string]interface{}{"type": "string"},
-														"absolutePath":  map[string]interface{}{"type": "string"},
-														"name":          map[string]interface{}{"type": "string"},
-														"size":          map[string]interface{}{"type": "integer"},
-														"modifiedUnix":  map[string]interface{}{"type": "integer"},
-														"date":          map[string]interface{}{"type": "string"},
+														"relativePath":   map[string]interface{}{"type": "string"},
+														"absolutePath":   map[string]interface{}{"type": "string"},
+														"name":           map[string]interface{}{"type": "string"},
+														"size":           map[string]interface{}{"type": "integer"},
+														"modifiedUnix":   map[string]interface{}{"type": "integer"},
+														"date":           map[string]interface{}{"type": "string"},
 														"conversationId": map[string]interface{}{"type": "string"},
-														"subPath":       map[string]interface{}{"type": "string"},
+														"subPath":        map[string]interface{}{"type": "string"},
 													},
 												},
 											},
@@ -5369,7 +5369,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"multipart/form-data": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"file"},
 									"properties": map[string]interface{}{
 										"file":           map[string]interface{}{"type": "string", "format": "binary", "description": "上传的文件"},
@@ -5410,7 +5410,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"path"},
 									"properties": map[string]interface{}{
 										"path": map[string]interface{}{"type": "string", "description": "文件相对路径"},
@@ -5485,7 +5485,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"path", "content"},
 									"properties": map[string]interface{}{
 										"path":    map[string]interface{}{"type": "string", "description": "文件相对路径"},
@@ -5512,7 +5512,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"name"},
 									"properties": map[string]interface{}{
 										"parent": map[string]interface{}{"type": "string", "description": "父目录相对路径"},
@@ -5552,7 +5552,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"path", "newName"},
 									"properties": map[string]interface{}{
 										"path":    map[string]interface{}{"type": "string", "description": "当前文件相对路径"},
@@ -5646,7 +5646,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"platform", "text"},
 									"properties": map[string]interface{}{
 										"platform": map[string]interface{}{"type": "string", "description": "平台类型", "enum": []string{"dingtalk", "lark", "wecom"}},
@@ -5712,7 +5712,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"name"},
 									"properties": map[string]interface{}{
 										"filename":       map[string]interface{}{"type": "string", "description": "文件名（可选，自动生成）"},
@@ -5932,7 +5932,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"path"},
 									"properties": map[string]interface{}{
 										"path":    map[string]interface{}{"type": "string", "description": "文件相对路径"},
@@ -5974,7 +5974,7 @@ func (h *OpenAPIHandler) GetOpenAPISpec(c *gin.Context) {
 						"content": map[string]interface{}{
 							"application/json": map[string]interface{}{
 								"schema": map[string]interface{}{
-									"type": "object",
+									"type":     "object",
 									"required": []string{"ids"},
 									"properties": map[string]interface{}{
 										"ids": map[string]interface{}{
@@ -6197,7 +6197,7 @@ func (h *OpenAPIHandler) GetConversationResults(c *gin.Context) {
 	}

 	// 获取漏洞列表
-	vulnList, err := h.db.ListVulnerabilities(1000, 0, "", conversationID, "", "")
+	vulnList, err := h.db.ListVulnerabilities(1000, 0, "", conversationID, "", "", "", "", "")
 	if err != nil {
 		h.logger.Warn("获取漏洞列表失败", zap.Error(err))
 		vulnList = []*database.Vulnerability{}
@@ -26,7 +26,7 @@ var apiDocI18nSummaryToKey = map[string]string{
 	"创建分组": "createGroup", "列出分组": "listGroups", "获取分组": "getGroup", "更新分组": "updateGroup",
 	"删除分组": "deleteGroup", "获取分组中的对话": "getGroupConversations", "添加对话到分组": "addConversationToGroup",
 	"从分组移除对话": "removeConversationFromGroup",
-	"列出漏洞": "listVulnerabilities", "创建漏洞": "createVulnerability", "获取漏洞统计": "getVulnerabilityStats",
+	"列出漏洞":    "listVulnerabilities", "创建漏洞": "createVulnerability", "获取漏洞统计": "getVulnerabilityStats",
 	"获取漏洞": "getVulnerability", "更新漏洞": "updateVulnerability", "删除漏洞": "deleteVulnerability",
 	"列出角色": "listRoles", "创建角色": "createRole", "获取角色": "getRole", "更新角色": "updateRole", "删除角色": "deleteRole",
 	"获取可用Skills列表": "getAvailableSkills", "列出Skills": "listSkills", "创建Skill": "createSkill",
@@ -52,9 +52,9 @@ var apiDocI18nSummaryToKey = map[string]string{
 	"重跑批量任务队列": "rerunBatchQueue", "修改队列元数据": "updateBatchQueueMetadata",
 	"修改队列调度配置": "updateBatchQueueSchedule", "开关Cron自动调度": "setBatchQueueScheduleEnabled",
 	"获取所有分组映射": "getAllGroupMappings",
-	"FOFA搜索": "fofaSearch", "自然语言解析为FOFA语法": "fofaParse",
+	"FOFA搜索":   "fofaSearch", "自然语言解析为FOFA语法": "fofaParse",
 	"测试OpenAI API连接": "testOpenAI",
-	"执行终端命令": "terminalRun", "流式执行终端命令": "terminalRunStream", "WebSocket终端": "terminalWS",
+	"执行终端命令":         "terminalRun", "流式执行终端命令": "terminalRunStream", "WebSocket终端": "terminalWS",
 	"列出WebShell连接": "listWebshellConnections", "创建WebShell连接": "createWebshellConnection",
 	"更新WebShell连接": "updateWebshellConnection", "删除WebShell连接": "deleteWebshellConnection",
 	"获取连接状态": "getWebshellConnectionState", "保存连接状态": "saveWebshellConnectionState",
@@ -69,7 +69,7 @@ var apiDocI18nSummaryToKey = map[string]string{
 	"获取Markdown代理详情": "getMarkdownAgent", "更新Markdown代理": "updateMarkdownAgent", "删除Markdown代理": "deleteMarkdownAgent",
 	"列出技能包文件": "listSkillPackageFiles", "获取技能包文件内容": "getSkillPackageFile", "写入技能包文件": "putSkillPackageFile",
 	"批量获取工具名称": "batchGetToolNames",
-	"获取知识库统计": "getKnowledgeStats",
+	"获取知识库统计":  "getKnowledgeStats",
 }

 var apiDocI18nResponseDescToKey = map[string]string{
@@ -78,7 +78,7 @@ var apiDocI18nResponseDescToKey = map[string]string{
 	"对话不存在或结果不存在": "conversationOrResultNotFound", "请求参数错误（如task为空）": "badRequestTaskEmpty",
 	"请求参数错误或分组名称已存在": "badRequestGroupNameExists", "分组不存在": "groupNotFound",
 	"请求参数错误（如配置格式不正确、缺少必需字段等）": "badRequestConfig",
-	"请求参数错误（如query为空）": "badRequestQueryEmpty", "方法不允许（仅支持POST请求）": "methodNotAllowed",
+	"请求参数错误（如query为空）":         "badRequestQueryEmpty", "方法不允许（仅支持POST请求）": "methodNotAllowed",
 	"登录成功": "loginSuccess", "密码错误": "invalidPassword", "登出成功": "logoutSuccess",
 	"密码修改成功": "passwordChanged", "Token有效": "tokenValid", "Token无效或已过期": "tokenInvalid",
 	"对话创建成功": "conversationCreated", "服务器内部错误": "internalError", "更新成功": "updateSuccess",
@@ -89,7 +89,7 @@ var apiDocI18nResponseDescToKey = map[string]string{
 	"消息发送成功，返回AI回复": "messageSent", "流式响应（Server-Sent Events）": "streamResponse",
 	// 新增缺失端点响应
 	"参数错误或删除失败": "badRequestOrDeleteFailed",
-	"参数错误": "paramError", "仅已完成或已取消的队列可以重跑": "onlyCompletedOrCancelledCanRerun",
+	"参数错误":      "paramError", "仅已完成或已取消的队列可以重跑": "onlyCompletedOrCancelledCanRerun",
 	"参数错误或队列正在运行中": "badRequestOrQueueRunning", "设置成功": "setSuccess",
 	"搜索成功": "searchSuccess", "解析成功": "parseSuccess", "测试结果": "testResult",
 	"执行完成": "executionDone", "SSE事件流": "sseEventStream", "WebSocket连接已建立": "wsEstablished",
@@ -28,20 +28,20 @@ import (
 )

 const (
-	robotCmdHelp        = "帮助"
-	robotCmdList        = "列表"
-	robotCmdListAlt     = "对话列表"
-	robotCmdSwitch      = "切换"
-	robotCmdContinue    = "继续"
-	robotCmdNew         = "新对话"
-	robotCmdClear       = "清空"
-	robotCmdCurrent     = "当前"
-	robotCmdStop        = "停止"
-	robotCmdRoles       = "角色"
-	robotCmdRolesList   = "角色列表"
-	robotCmdSwitchRole  = "切换角色"
-	robotCmdDelete      = "删除"
-	robotCmdVersion     = "版本"
+	robotCmdHelp       = "帮助"
+	robotCmdList       = "列表"
+	robotCmdListAlt    = "对话列表"
+	robotCmdSwitch     = "切换"
+	robotCmdContinue   = "继续"
+	robotCmdNew        = "新对话"
+	robotCmdClear      = "清空"
+	robotCmdCurrent    = "当前"
+	robotCmdStop       = "停止"
+	robotCmdRoles      = "角色"
+	robotCmdRolesList  = "角色列表"
+	robotCmdSwitchRole = "切换角色"
+	robotCmdDelete     = "删除"
+	robotCmdVersion    = "版本"
 )

 // RobotHandler 企业微信/钉钉/飞书等机器人回调处理
@@ -65,19 +65,19 @@ func (h *SkillsHandler) GetSkills(c *gin.Context) {
 	allSkillsInfo := make([]map[string]interface{}, 0, len(allSummaries))
 	for _, s := range allSummaries {
 		skillInfo := map[string]interface{}{
-			"id":                  s.ID,
-			"name":                s.Name,
-			"dir_name":            s.DirName,
-			"description":         s.Description,
-			"version":             s.Version,
-			"path":                s.Path,
-			"tags":                s.Tags,
-			"triggers":            s.Triggers,
-			"script_count":        s.ScriptCount,
-			"file_count":          s.FileCount,
-			"progressive": s.Progressive,
-			"file_size":   s.FileSize,
-			"mod_time":            s.ModTime,
+			"id":           s.ID,
+			"name":         s.Name,
+			"dir_name":     s.DirName,
+			"description":  s.Description,
+			"version":      s.Version,
+			"path":         s.Path,
+			"tags":         s.Tags,
+			"triggers":     s.Triggers,
+			"script_count": s.ScriptCount,
+			"file_count":   s.FileCount,
+			"progressive":  s.Progressive,
+			"file_size":    s.FileSize,
+			"mod_time":     s.ModTime,
 		}
 		allSkillsInfo = append(allSkillsInfo, skillInfo)
 	}
@@ -0,0 +1,116 @@
+package handler
+
+import "sync"
+
+// TaskEventBus 将主 SSE 连接上的事件镜像给后订阅的客户端（例如刷新页面后、HITL 审批通过需继续收事件）。
+// 每个 payload 为完整 SSE 行： "data: {...}\n\n"
+type TaskEventBus struct {
+	mu   sync.RWMutex
+	subs map[string]map[*taskEventSub]struct{}
+}
+
+type taskEventSub struct {
+	mu     sync.Mutex
+	ch     chan []byte
+	closed bool
+}
+
+func (s *taskEventSub) sendNonBlocking(line []byte) bool {
+	if s == nil {
+		return false
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.closed {
+		return false
+	}
+	select {
+	case s.ch <- line:
+		return true
+	default:
+		return false
+	}
+}
+
+func (s *taskEventSub) closeOnce() {
+	if s == nil {
+		return
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.closed {
+		return
+	}
+	s.closed = true
+	close(s.ch)
+}
+
+func NewTaskEventBus() *TaskEventBus {
+	return &TaskEventBus{
+		subs: make(map[string]map[*taskEventSub]struct{}),
+	}
+}
+
+// Subscribe 注册订阅；cancel 时需调用 Unsubscribe。
+func (b *TaskEventBus) Subscribe(conversationID string) (sub *taskEventSub, ch <-chan []byte) {
+	chBuf := make(chan []byte, 256)
+	sub = &taskEventSub{ch: chBuf}
+	b.mu.Lock()
+	if b.subs[conversationID] == nil {
+		b.subs[conversationID] = make(map[*taskEventSub]struct{})
+	}
+	b.subs[conversationID][sub] = struct{}{}
+	b.mu.Unlock()
+	return sub, chBuf
+}
+
+func (b *TaskEventBus) Unsubscribe(conversationID string, sub *taskEventSub) {
+	if sub == nil {
+		return
+	}
+	b.mu.Lock()
+	m, ok := b.subs[conversationID]
+	if !ok {
+		b.mu.Unlock()
+		return
+	}
+	delete(m, sub)
+	if len(m) == 0 {
+		delete(b.subs, conversationID)
+	}
+	b.mu.Unlock()
+	sub.closeOnce()
+}
+
+// Publish 非阻塞投递；慢消费者丢帧（HITL 场景以最新状态为准，丢帧可接受）。
+func (b *TaskEventBus) Publish(conversationID string, line []byte) {
+	if b == nil || conversationID == "" || len(line) == 0 {
+		return
+	}
+	b.mu.RLock()
+	m := b.subs[conversationID]
+	subs := make([]*taskEventSub, 0, len(m))
+	for s := range m {
+		subs = append(subs, s)
+	}
+	b.mu.RUnlock()
+
+	cp := append([]byte(nil), line...)
+	for _, s := range subs {
+		s.sendNonBlocking(cp)
+	}
+}
+
+// CloseConversation 任务结束时关闭该会话所有订阅 channel。
+func (b *TaskEventBus) CloseConversation(conversationID string) {
+	if b == nil || conversationID == "" {
+		return
+	}
+	b.mu.Lock()
+	m := b.subs[conversationID]
+	delete(b.subs, conversationID)
+	b.mu.Unlock()
+	for sub := range m {
+		sub.closeOnce()
+	}
+}
@@ -35,11 +35,12 @@ type CompletedTask struct {

 // AgentTaskManager 管理正在运行的Agent任务
 type AgentTaskManager struct {
-	mu             sync.RWMutex
-	tasks          map[string]*AgentTask
-	completedTasks []*CompletedTask // 最近完成的任务历史
-	maxHistorySize int              // 最大历史记录数
-	historyRetention time.Duration  // 历史记录保留时间
+	mu               sync.RWMutex
+	tasks            map[string]*AgentTask
+	completedTasks   []*CompletedTask // 最近完成的任务历史
+	maxHistorySize   int              // 最大历史记录数
+	historyRetention time.Duration    // 历史记录保留时间
+	eventBus         *TaskEventBus    // 可选：任务结束时关闭镜像 SSE 订阅
 }

 const (
@@ -56,13 +57,27 @@ func NewAgentTaskManager() *AgentTaskManager {
 	m := &AgentTaskManager{
 		tasks:            make(map[string]*AgentTask),
 		completedTasks:   make([]*CompletedTask, 0),
-		maxHistorySize:   50,              // 最多保留50条历史记录
-		historyRetention: 24 * time.Hour,  // 保留24小时
+		maxHistorySize:   50,             // 最多保留50条历史记录
+		historyRetention: 24 * time.Hour, // 保留24小时
 	}
 	go m.runStuckCancellingCleanup()
 	return m
 }

+// SetTaskEventBus 设置任务事件总线（与 AgentHandler 共用同一实例）。
+func (m *AgentTaskManager) SetTaskEventBus(b *TaskEventBus) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.eventBus = b
+}
+
+// GetTask 返回运行中任务（无则 nil）。
+func (m *AgentTaskManager) GetTask(conversationID string) *AgentTask {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.tasks[conversationID]
+}
+
 // runStuckCancellingCleanup 定期将长时间处于「取消中」的任务强制结束，避免卡住无法发新消息
 func (m *AgentTaskManager) runStuckCancellingCleanup() {
 	ticker := time.NewTicker(cleanupInterval)
@@ -172,10 +187,9 @@ func (m *AgentTaskManager) UpdateTaskStatus(conversationID string, status string
 // FinishTask 完成任务并从管理器中移除
 func (m *AgentTaskManager) FinishTask(conversationID string, finalStatus string) {
 	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	task, exists := m.tasks[conversationID]
 	if !exists {
+		m.mu.Unlock()
 		return
 	}

@@ -187,26 +201,31 @@ func (m *AgentTaskManager) FinishTask(conversationID string, finalStatus string)
 	completedTask := &CompletedTask{
 		ConversationID: task.ConversationID,
 		Message:        task.Message,
-		StartedAt:       task.StartedAt,
-		CompletedAt:     time.Now(),
-		Status:          finalStatus,
+		StartedAt:      task.StartedAt,
+		CompletedAt:    time.Now(),
+		Status:         finalStatus,
 	}
-	
+
 	// 添加到历史记录
 	m.completedTasks = append(m.completedTasks, completedTask)
-	
+
 	// 清理过期和过多的历史记录
 	m.cleanupHistory()

 	// 从运行任务中移除
 	delete(m.tasks, conversationID)
+	bus := m.eventBus
+	m.mu.Unlock()
+	if bus != nil {
+		bus.CloseConversation(conversationID)
+	}
 }

 // cleanupHistory 清理过期的历史记录
 func (m *AgentTaskManager) cleanupHistory() {
 	now := time.Now()
 	cutoffTime := now.Add(-m.historyRetention)
-	
+
 	// 过滤掉过期的记录
 	validTasks := make([]*CompletedTask, 0, len(m.completedTasks))
 	for _, task := range m.completedTasks {
@@ -214,7 +233,7 @@ func (m *AgentTaskManager) cleanupHistory() {
 			validTasks = append(validTasks, task)
 		}
 	}
-	
+
 	// 如果仍然超过最大数量，只保留最新的
 	if len(validTasks) > m.maxHistorySize {
 		// 按完成时间排序，保留最新的
@@ -222,7 +241,7 @@ func (m *AgentTaskManager) cleanupHistory() {
 		start := len(validTasks) - m.maxHistorySize
 		validTasks = validTasks[start:]
 	}
-	
+
 	m.completedTasks = validTasks
 }

@@ -247,30 +266,30 @@ func (m *AgentTaskManager) GetActiveTasks() []*AgentTask {
 func (m *AgentTaskManager) GetCompletedTasks() []*CompletedTask {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
-	
+
 	// 清理过期记录（只读锁，不影响其他操作）
 	// 注意：这里不能直接调用cleanupHistory，因为需要写锁
 	// 所以返回时过滤过期记录
 	now := time.Now()
 	cutoffTime := now.Add(-m.historyRetention)
-	
+
 	result := make([]*CompletedTask, 0, len(m.completedTasks))
 	for _, task := range m.completedTasks {
 		if task.CompletedAt.After(cutoffTime) {
 			result = append(result, task)
 		}
 	}
-	
+
 	// 按完成时间倒序排序（最新的在前）
 	// 由于是追加的，最新的在最后，需要反转
 	for i, j := 0, len(result)-1; i < j; i, j = i+1, j-1 {
 		result[i], result[j] = result[j], result[i]
 	}
-	
+
 	// 限制返回数量
 	if len(result) > m.maxHistorySize {
 		result = result[:m.maxHistorySize]
 	}
-	
+
 	return result
 }
@@ -109,4 +109,3 @@ func (h *TerminalHandler) RunCommandWS(c *gin.Context) {

 	<-doneChan
 }
-
@@ -1,8 +1,11 @@
 package handler

 import (
+	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
+	"time"

 	"cyberstrike-ai/internal/database"
 	"github.com/gin-gonic/gin"
@@ -25,7 +28,9 @@ func NewVulnerabilityHandler(db *database.DB, logger *zap.Logger) *Vulnerability

 // CreateVulnerabilityRequest 创建漏洞请求
 type CreateVulnerabilityRequest struct {
-	ConversationID string `json:"conversation_id" binding:"required"`
+	ConversationID  string `json:"conversation_id" binding:"required"`
+	ConversationTag string `json:"conversation_tag"`
+	TaskTag         string `json:"task_tag"`
 	Title           string `json:"title" binding:"required"`
 	Description     string `json:"description"`
 	Severity        string `json:"severity" binding:"required"`
@@ -46,16 +51,18 @@ func (h *VulnerabilityHandler) CreateVulnerability(c *gin.Context) {
 	}

 	vuln := &database.Vulnerability{
-		ConversationID: req.ConversationID,
-		Title:          req.Title,
-		Description:    req.Description,
-		Severity:       req.Severity,
-		Status:         req.Status,
-		Type:           req.Type,
-		Target:         req.Target,
-		Proof:          req.Proof,
-		Impact:         req.Impact,
-		Recommendation: req.Recommendation,
+		ConversationID:  req.ConversationID,
+		ConversationTag: req.ConversationTag,
+		TaskTag:         req.TaskTag,
+		Title:           req.Title,
+		Description:     req.Description,
+		Severity:        req.Severity,
+		Status:          req.Status,
+		Type:            req.Type,
+		Target:          req.Target,
+		Proof:           req.Proof,
+		Impact:          req.Impact,
+		Recommendation:  req.Recommendation,
 	}

 	created, err := h.db.CreateVulnerability(vuln)
@@ -100,6 +107,9 @@ func (h *VulnerabilityHandler) ListVulnerabilities(c *gin.Context) {
 	conversationID := c.Query("conversation_id")
 	severity := c.Query("severity")
 	status := c.Query("status")
+	taskID := c.Query("task_id")
+	conversationTag := c.Query("conversation_tag")
+	taskTag := c.Query("task_tag")

 	limit, _ := strconv.Atoi(limitStr)
 	offset, _ := strconv.Atoi(offsetStr)
@@ -121,7 +131,7 @@ func (h *VulnerabilityHandler) ListVulnerabilities(c *gin.Context) {
 	}

 	// 获取总数
-	total, err := h.db.CountVulnerabilities(id, conversationID, severity, status)
+	total, err := h.db.CountVulnerabilities(id, conversationID, severity, status, taskID, conversationTag, taskTag)
 	if err != nil {
 		h.logger.Error("获取漏洞总数失败", zap.Error(err))
 		// 继续执行，使用0作为总数
@@ -129,7 +139,7 @@ func (h *VulnerabilityHandler) ListVulnerabilities(c *gin.Context) {
 	}

 	// 获取漏洞列表
-	vulnerabilities, err := h.db.ListVulnerabilities(limit, offset, id, conversationID, severity, status)
+	vulnerabilities, err := h.db.ListVulnerabilities(limit, offset, id, conversationID, severity, status, taskID, conversationTag, taskTag)
 	if err != nil {
 		h.logger.Error("获取漏洞列表失败", zap.Error(err))
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
@@ -160,15 +170,17 @@ func (h *VulnerabilityHandler) ListVulnerabilities(c *gin.Context) {

 // UpdateVulnerabilityRequest 更新漏洞请求
 type UpdateVulnerabilityRequest struct {
-	Title          string `json:"title"`
-	Description    string `json:"description"`
-	Severity       string `json:"severity"`
-	Status         string `json:"status"`
-	Type           string `json:"type"`
-	Target         string `json:"target"`
-	Proof          string `json:"proof"`
-	Impact         string `json:"impact"`
-	Recommendation string `json:"recommendation"`
+	ConversationTag string `json:"conversation_tag"`
+	TaskTag         string `json:"task_tag"`
+	Title           string `json:"title"`
+	Description     string `json:"description"`
+	Severity        string `json:"severity"`
+	Status          string `json:"status"`
+	Type            string `json:"type"`
+	Target          string `json:"target"`
+	Proof           string `json:"proof"`
+	Impact          string `json:"impact"`
+	Recommendation  string `json:"recommendation"`
 }

 // UpdateVulnerability 更新漏洞
@@ -189,6 +201,12 @@ func (h *VulnerabilityHandler) UpdateVulnerability(c *gin.Context) {
 	}

 	// 更新字段
+	if req.ConversationTag != "" {
+		existing.ConversationTag = req.ConversationTag
+	}
+	if req.TaskTag != "" {
+		existing.TaskTag = req.TaskTag
+	}
 	if req.Title != "" {
 		existing.Title = req.Title
 	}
@@ -250,8 +268,9 @@ func (h *VulnerabilityHandler) DeleteVulnerability(c *gin.Context) {
 // GetVulnerabilityStats 获取漏洞统计
 func (h *VulnerabilityHandler) GetVulnerabilityStats(c *gin.Context) {
 	conversationID := c.Query("conversation_id")
+	taskID := c.Query("task_id")

-	stats, err := h.db.GetVulnerabilityStats(conversationID)
+	stats, err := h.db.GetVulnerabilityStats(conversationID, taskID)
 	if err != nil {
 		h.logger.Error("获取漏洞统计失败", zap.Error(err))
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
@@ -261,3 +280,183 @@ func (h *VulnerabilityHandler) GetVulnerabilityStats(c *gin.Context) {
 	c.JSON(http.StatusOK, stats)
 }

+// GetVulnerabilityFilterOptions 获取漏洞筛选建议项
+func (h *VulnerabilityHandler) GetVulnerabilityFilterOptions(c *gin.Context) {
+	options, err := h.db.GetVulnerabilityFilterOptions()
+	if err != nil {
+		h.logger.Error("获取漏洞筛选建议失败", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, options)
+}
+
+// ExportVulnerabilities 导出漏洞（支持按对话/任务分组，汇总或拆分）
+func (h *VulnerabilityHandler) ExportVulnerabilities(c *gin.Context) {
+	groupBy := c.DefaultQuery("group_by", "conversation")
+	mode := c.DefaultQuery("mode", "summary")
+	if groupBy != "conversation" && groupBy != "task" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "group_by 仅支持 conversation 或 task"})
+		return
+	}
+	if mode != "summary" && mode != "split" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "mode 仅支持 summary 或 split"})
+		return
+	}
+
+	id := c.Query("id")
+	conversationID := c.Query("conversation_id")
+	severity := c.Query("severity")
+	status := c.Query("status")
+	taskID := c.Query("task_id")
+	conversationTag := c.Query("conversation_tag")
+	taskTag := c.Query("task_tag")
+
+	total, err := h.db.CountVulnerabilities(id, conversationID, severity, status, taskID, conversationTag, taskTag)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	if total == 0 {
+		c.JSON(http.StatusOK, gin.H{"mode": mode, "group_by": groupBy, "total": 0, "files": []any{}})
+		return
+	}
+
+	items, err := h.db.ListVulnerabilities(total, 0, id, conversationID, severity, status, taskID, conversationTag, taskTag)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	type exportFile struct {
+		FileName string `json:"filename"`
+		Content  string `json:"content"`
+	}
+	grouped := map[string][]*database.Vulnerability{}
+	for _, v := range items {
+		key := v.ConversationID
+		if groupBy == "conversation" {
+			if strings.TrimSpace(v.ConversationTag) != "" {
+				key = strings.TrimSpace(v.ConversationTag)
+			}
+		} else {
+			key = firstNonEmpty(v.TaskTag, v.TaskID, v.TaskQueueID, "unassigned-task")
+		}
+		grouped[key] = append(grouped[key], v)
+	}
+
+	files := make([]exportFile, 0)
+	nowStr := time.Now().Format("20060102-150405")
+	if mode == "summary" {
+		var b strings.Builder
+		b.WriteString("# 漏洞批量导出报告\n\n")
+		b.WriteString(fmt.Sprintf("- 导出时间: %s\n", time.Now().Format("2006-01-02 15:04:05")))
+		b.WriteString(fmt.Sprintf("- 分组维度: %s\n", groupBy))
+		b.WriteString(fmt.Sprintf("- 漏洞总数: %d\n", len(items)))
+		b.WriteString(fmt.Sprintf("- 分组数: %d\n\n", len(grouped)))
+		for group, list := range grouped {
+			b.WriteString(fmt.Sprintf("## %s (%d)\n\n", group, len(list)))
+			for _, v := range list {
+				appendVulnerabilityMarkdown(&b, v, "###")
+			}
+		}
+		files = append(files, exportFile{
+			FileName: fmt.Sprintf("vulnerability-report-%s-%s.md", groupBy, nowStr),
+			Content:  b.String(),
+		})
+	} else {
+		for group, list := range grouped {
+			var b strings.Builder
+			b.WriteString(fmt.Sprintf("# 漏洞报告 - %s\n\n", group))
+			b.WriteString(fmt.Sprintf("- 导出时间: %s\n", time.Now().Format("2006-01-02 15:04:05")))
+			b.WriteString(fmt.Sprintf("- 漏洞数量: %d\n\n", len(list)))
+			for _, v := range list {
+				appendVulnerabilityMarkdown(&b, v, "##")
+			}
+			files = append(files, exportFile{
+				FileName: fmt.Sprintf("vulnerability-%s-%s.md", sanitizeExportName(group), nowStr),
+				Content:  b.String(),
+			})
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"mode":     mode,
+		"group_by": groupBy,
+		"total":    len(items),
+		"files":    files,
+	})
+}
+
+// appendVulnerabilityMarkdown 单条漏洞的 Markdown 片段（与单文件下载字段对齐，缺省字段不写）
+func appendVulnerabilityMarkdown(b *strings.Builder, v *database.Vulnerability, titleHeading string) {
+	b.WriteString(fmt.Sprintf("%s %s\n\n", titleHeading, v.Title))
+	b.WriteString(fmt.Sprintf("- 漏洞ID: `%s`\n", v.ID))
+	b.WriteString(fmt.Sprintf("- 严重程度: %s\n", v.Severity))
+	b.WriteString(fmt.Sprintf("- 状态: %s\n", v.Status))
+	if v.Type != "" {
+		b.WriteString(fmt.Sprintf("- 类型: %s\n", v.Type))
+	}
+	if v.Target != "" {
+		b.WriteString(fmt.Sprintf("- 目标: %s\n", v.Target))
+	}
+	b.WriteString(fmt.Sprintf("- 对话ID: `%s`\n", v.ConversationID))
+	if v.ConversationTag != "" {
+		b.WriteString(fmt.Sprintf("- 对话标签: %s\n", v.ConversationTag))
+	}
+	if v.TaskTag != "" {
+		b.WriteString(fmt.Sprintf("- 任务标签: %s\n", v.TaskTag))
+	}
+	if v.TaskID != "" {
+		b.WriteString(fmt.Sprintf("- 任务ID: `%s`\n", v.TaskID))
+	}
+	if v.TaskQueueID != "" {
+		b.WriteString(fmt.Sprintf("- 任务队列ID: `%s`\n", v.TaskQueueID))
+	}
+	if !v.CreatedAt.IsZero() {
+		b.WriteString(fmt.Sprintf("- 创建时间: %s\n", v.CreatedAt.Format("2006-01-02 15:04:05")))
+	}
+	if !v.UpdatedAt.IsZero() {
+		b.WriteString(fmt.Sprintf("- 更新时间: %s\n", v.UpdatedAt.Format("2006-01-02 15:04:05")))
+	}
+	if v.Description != "" {
+		b.WriteString("\n#### 描述\n\n")
+		b.WriteString(v.Description)
+		b.WriteString("\n")
+	}
+	if v.Proof != "" {
+		b.WriteString("\n#### 证明（POC）\n\n```\n")
+		b.WriteString(v.Proof)
+		b.WriteString("\n```\n")
+	}
+	if v.Impact != "" {
+		b.WriteString("\n#### 影响\n\n")
+		b.WriteString(v.Impact)
+		b.WriteString("\n")
+	}
+	if v.Recommendation != "" {
+		b.WriteString("\n#### 修复建议\n\n")
+		b.WriteString(v.Recommendation)
+		b.WriteString("\n")
+	}
+	b.WriteString("\n")
+}
+
+func firstNonEmpty(values ...string) string {
+	for _, v := range values {
+		trimmed := strings.TrimSpace(v)
+		if trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
+func sanitizeExportName(raw string) string {
+	name := strings.TrimSpace(raw)
+	if name == "" {
+		return "unknown"
+	}
+	replacer := strings.NewReplacer("/", "-", "\\", "-", ":", "-", "*", "-", "?", "-", "\"", "-", "<", "-", ">", "-", "|", "-")
+	return replacer.Replace(name)
+}
@@ -3,20 +3,302 @@ package handler
 import (
 	"bytes"
 	"database/sql"
+	"encoding/base64"
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
+	"unicode/utf8"

 	"cyberstrike-ai/internal/database"

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
+	"golang.org/x/text/encoding/simplifiedchinese"
+	"golang.org/x/text/transform"
 )

+// webshellSupportedEncodings 允许的 WebShell 响应编码取值（小写，含空串代表 auto）
+// 仅暴露目前最常见的几种，其他需求可后续扩展（如 Big5、Shift_JIS 等）。
+var webshellSupportedEncodings = map[string]struct{}{
+	"":        {}, // 未配置，按 auto 处理
+	"auto":    {},
+	"utf-8":   {},
+	"utf8":    {},
+	"gbk":     {},
+	"gb18030": {},
+}
+
+// normalizeWebshellEncoding 归一化编码标识：统一为小写，未知值回退为 auto，供持久化使用
+func normalizeWebshellEncoding(enc string) string {
+	enc = strings.ToLower(strings.TrimSpace(enc))
+	if _, ok := webshellSupportedEncodings[enc]; !ok {
+		return "auto"
+	}
+	if enc == "" {
+		return "auto"
+	}
+	if enc == "utf8" {
+		return "utf-8"
+	}
+	return enc
+}
+
+// decodeWebshellOutput 把 WebShell 返回的字节按指定编码转换为合法 UTF-8 字符串。
+// 约定：
+//   - "" / "auto"：若已是合法 UTF-8 原样返回，否则依次尝试 GB18030（GBK 超集）解码。
+//   - "utf-8" / "utf8"：原样返回，非法字节交由 JSON 层按 U+FFFD 处理（保持原有行为）。
+//   - "gbk" / "gb18030"：强制按对应编码解码；失败则回退原始字节。
+//
+// 该函数对空输入直接返回空串，避免不必要的转换。
+func decodeWebshellOutput(raw []byte, encoding string) string {
+	if len(raw) == 0 {
+		return ""
+	}
+	enc := normalizeWebshellEncoding(encoding)
+	switch enc {
+	case "utf-8":
+		return string(raw)
+	case "gbk":
+		if out, _, err := transform.Bytes(simplifiedchinese.GBK.NewDecoder(), raw); err == nil {
+			return string(out)
+		}
+		return string(raw)
+	case "gb18030":
+		if out, _, err := transform.Bytes(simplifiedchinese.GB18030.NewDecoder(), raw); err == nil {
+			return string(out)
+		}
+		return string(raw)
+	default: // auto
+		if utf8.Valid(raw) {
+			return string(raw)
+		}
+		// GB18030 是 GBK 的超集，覆盖范围最广，auto 模式统一用它兜底
+		if out, _, err := transform.Bytes(simplifiedchinese.GB18030.NewDecoder(), raw); err == nil {
+			return string(out)
+		}
+		return string(raw)
+	}
+}
+
+// webshellSupportedOS 允许的 WebShell 目标操作系统（小写，空串代表 auto）
+var webshellSupportedOS = map[string]struct{}{
+	"":        {},
+	"auto":    {},
+	"linux":   {},
+	"windows": {},
+}
+
+// normalizeWebshellOS 归一化 OS 标识，未知值回退为 auto，供持久化使用
+func normalizeWebshellOS(osTag string) string {
+	osTag = strings.ToLower(strings.TrimSpace(osTag))
+	if _, ok := webshellSupportedOS[osTag]; !ok {
+		return "auto"
+	}
+	if osTag == "" {
+		return "auto"
+	}
+	return osTag
+}
+
+// resolveWebshellOS 根据连接的 os 与 shellType 推断最终目标 OS（仅返回 "linux" 或 "windows"）。
+// 规则：
+//   - 显式 linux / windows：按用户选择。
+//   - auto 或未知：asp/aspx → windows，其他 → linux。保持历史行为，平滑向后兼容。
+func resolveWebshellOS(osTag, shellType string) string {
+	osTag = strings.ToLower(strings.TrimSpace(osTag))
+	switch osTag {
+	case "linux":
+		return "linux"
+	case "windows":
+		return "windows"
+	}
+	t := strings.ToLower(strings.TrimSpace(shellType))
+	if t == "asp" || t == "aspx" {
+		return "windows"
+	}
+	return "linux"
+}
+
+// quoteCmdPath 把路径按 Windows cmd.exe 规则转义。
+// 使用双引号包裹，内部双引号转义为 ""（cmd 接受的写法）。
+func quoteCmdPath(p string) string {
+	if p == "" {
+		return "\".\""
+	}
+	return "\"" + strings.ReplaceAll(p, "\"", "\"\"") + "\""
+}
+
+// quotePsSingle 把字符串按 PowerShell 单引号字符串规则转义（内部 ' → ''）。
+// 供 PowerShell 脚本参数使用，全脚本只用单引号，外层 cmd 再用双引号包裹即可安全传递。
+func quotePsSingle(s string) string {
+	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
+}
+
+// quoteShellSinglePosix 把路径按 POSIX sh 单引号规则转义（内部 ' → '\''）
+func quoteShellSinglePosix(p string) string {
+	if p == "" {
+		return "."
+	}
+	return "'" + strings.ReplaceAll(p, "'", "'\\''") + "'"
+}
+
+// quoteWebshellPath 按目标 OS 选择转义方案：Linux 用 POSIX 单引号，Windows 用 cmd 双引号
+func quoteWebshellPath(path, osTag string) string {
+	if resolveWebshellOS(osTag, "") == "windows" {
+		return quoteCmdPath(path)
+	}
+	return quoteShellSinglePosix(path)
+}
+
+// buildWindowsPowerShellWrite 构造 Windows 端把 base64 内容一次性写入目标路径的 cmd 命令。
+// 外层走 cmd.exe 的 powershell 调用，PowerShell 脚本里只用单引号字符串，避免嵌套引号陷阱。
+func buildWindowsPowerShellWrite(path, b64 string) string {
+	script := "$b=[Convert]::FromBase64String(" + quotePsSingle(b64) + ");" +
+		"[IO.File]::WriteAllBytes(" + quotePsSingle(path) + ",$b)"
+	return "powershell -NoProfile -NonInteractive -Command \"" + script + "\""
+}
+
+// buildWindowsPowerShellAppend 构造 Windows 端把 base64 内容追加写入目标路径的 cmd 命令（用于分块上传）
+func buildWindowsPowerShellAppend(path, b64 string) string {
+	script := "$b=[Convert]::FromBase64String(" + quotePsSingle(b64) + ");" +
+		"$f=[IO.File]::Open(" + quotePsSingle(path) + ",[IO.FileMode]::Append,[IO.FileAccess]::Write,[IO.FileShare]::None);" +
+		"try{$f.Write($b,0,$b.Length)}finally{$f.Close()}"
+	return "powershell -NoProfile -NonInteractive -Command \"" + script + "\""
+}
+
+// fileCommandInput 封装 buildFileCommand 的输入，避免长参数列表
+type fileCommandInput struct {
+	Action     string
+	Path       string
+	TargetPath string
+	Content    string
+	ChunkIndex int
+	OS         string
+	ShellType  string
+}
+
+// buildFileCommand 根据目标 OS 与文件操作类型生成具体的远端命令字符串。
+// 同一份实现供 HTTP 入口（FileOp）与 MCP 入口（FileOpWithConnection）共用，避免双份维护。
+// 返回值第二位是用户可见的业务错误（如 "path is required"）。
+func (h *WebShellHandler) buildFileCommand(in fileCommandInput) (string, error) {
+	targetOS := resolveWebshellOS(in.OS, in.ShellType)
+	action := strings.ToLower(strings.TrimSpace(in.Action))
+	path := strings.TrimSpace(in.Path)
+
+	switch action {
+	case "list":
+		p := path
+		if p == "" {
+			p = "."
+		}
+		if targetOS == "windows" {
+			return "dir /a " + quoteCmdPath(p), nil
+		}
+		return "ls -la " + quoteShellSinglePosix(p), nil
+
+	case "read":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		if targetOS == "windows" {
+			return "type " + quoteCmdPath(path), nil
+		}
+		return "cat " + quoteShellSinglePosix(path), nil
+
+	case "delete":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		if targetOS == "windows" {
+			return "del /q /f " + quoteCmdPath(path), nil
+		}
+		return "rm -f " + quoteShellSinglePosix(path), nil
+
+	case "mkdir":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		if targetOS == "windows" {
+			// cmd 的 md 默认会自动创建中间目录（等价于 Linux 的 mkdir -p）
+			return "md " + quoteCmdPath(path), nil
+		}
+		return "mkdir -p " + quoteShellSinglePosix(path), nil
+
+	case "rename":
+		oldPath := path
+		newPath := strings.TrimSpace(in.TargetPath)
+		if oldPath == "" || newPath == "" {
+			return "", errFileOpRenameNeedsBothPaths
+		}
+		if targetOS == "windows" {
+			return "move /y " + quoteCmdPath(oldPath) + " " + quoteCmdPath(newPath), nil
+		}
+		return "mv -f " + quoteShellSinglePosix(oldPath) + " " + quoteShellSinglePosix(newPath), nil
+
+	case "write":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		// 统一策略：先把内容 base64 编码，再用目标平台对应方式解码写回，
+		// 这样既能写入任意二进制/含引号的文本，又避免各家 shell 的转义地狱。
+		b64 := base64.StdEncoding.EncodeToString([]byte(in.Content))
+		if targetOS == "windows" {
+			return buildWindowsPowerShellWrite(path, b64), nil
+		}
+		return "echo '" + b64 + "' | base64 -d > " + quoteShellSinglePosix(path), nil
+
+	case "upload":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		if len(in.Content) > 512*1024 {
+			return "", errFileOpUploadTooLarge
+		}
+		if targetOS == "windows" {
+			return buildWindowsPowerShellWrite(path, in.Content), nil
+		}
+		return "echo '" + in.Content + "' | base64 -d > " + quoteShellSinglePosix(path), nil
+
+	case "upload_chunk":
+		if path == "" {
+			return "", errFileOpPathRequired
+		}
+		if targetOS == "windows" {
+			if in.ChunkIndex == 0 {
+				return buildWindowsPowerShellWrite(path, in.Content), nil
+			}
+			return buildWindowsPowerShellAppend(path, in.Content), nil
+		}
+		redir := ">>"
+		if in.ChunkIndex == 0 {
+			redir = ">"
+		}
+		return "echo '" + in.Content + "' | base64 -d " + redir + " " + quoteShellSinglePosix(path), nil
+	}
+
+	return "", errFileOpUnsupportedAction(action)
+}
+
+// 业务错误常量，便于上层统一返回用户可见提示
+var (
+	errFileOpPathRequired         = simpleError("path is required")
+	errFileOpRenameNeedsBothPaths = simpleError("path and target_path are required for rename")
+	errFileOpUploadTooLarge       = simpleError("upload content too large (max 512KB base64)")
+)
+
+func errFileOpUnsupportedAction(action string) error {
+	return simpleError("unsupported action: " + action)
+}
+
+// simpleError 是不带堆栈的轻量错误类型，供 buildFileCommand 报可预期的参数校验错误
+type simpleError string
+
+func (e simpleError) Error() string { return string(e) }
+
 // WebShellHandler 代理执行 WebShell 命令（类似冰蝎/蚁剑），避免前端跨域并统一构建请求
 type WebShellHandler struct {
 	logger *zap.Logger
@@ -44,6 +326,8 @@ type CreateConnectionRequest struct {
 	Method   string `json:"method"`
 	CmdParam string `json:"cmd_param"`
 	Remark   string `json:"remark"`
+	Encoding string `json:"encoding"`
+	OS       string `json:"os"`
 }

 // UpdateConnectionRequest 更新连接请求
@@ -54,6 +338,8 @@ type UpdateConnectionRequest struct {
 	Method   string `json:"method"`
 	CmdParam string `json:"cmd_param"`
 	Remark   string `json:"remark"`
+	Encoding string `json:"encoding"`
+	OS       string `json:"os"`
 }

 // ListConnections 列出所有 WebShell 连接（GET /api/webshell/connections）
@@ -109,6 +395,8 @@ func (h *WebShellHandler) CreateConnection(c *gin.Context) {
 		Method:    method,
 		CmdParam:  strings.TrimSpace(req.CmdParam),
 		Remark:    strings.TrimSpace(req.Remark),
+		Encoding:  normalizeWebshellEncoding(req.Encoding),
+		OS:        normalizeWebshellOS(req.OS),
 		CreatedAt: time.Now(),
 	}
 	if err := h.db.CreateWebshellConnection(conn); err != nil {
@@ -159,6 +447,8 @@ func (h *WebShellHandler) UpdateConnection(c *gin.Context) {
 		Method:   method,
 		CmdParam: strings.TrimSpace(req.CmdParam),
 		Remark:   strings.TrimSpace(req.Remark),
+		Encoding: normalizeWebshellEncoding(req.Encoding),
+		OS:       normalizeWebshellOS(req.OS),
 	}
 	if err := h.db.UpdateWebshellConnection(conn); err != nil {
 		if err == sql.ErrNoRows {
@@ -331,6 +621,8 @@ type ExecRequest struct {
 	Type     string `json:"type"`      // php, asp, aspx, jsp, custom
 	Method   string `json:"method"`    // GET 或 POST，空则默认 POST
 	CmdParam string `json:"cmd_param"` // 命令参数名，如 cmd/xxx，空则默认 cmd
+	Encoding string `json:"encoding"`  // 响应编码：auto / utf-8 / gbk / gb18030，空则 auto
+	OS       string `json:"os"`        // 目标操作系统：auto / linux / windows，当前 exec 不用它，保留字段便于未来扩展
 	Command  string `json:"command" binding:"required"`
 }

@@ -344,23 +636,27 @@ type ExecResponse struct {

 // FileOpRequest 文件操作请求
 type FileOpRequest struct {
-	URL        string `json:"url" binding:"required"`
-	Password   string `json:"password"`
-	Type       string `json:"type"`
-	Method     string `json:"method"`                    // GET 或 POST，空则默认 POST
-	CmdParam   string `json:"cmd_param"`                 // 命令参数名，如 cmd/xxx，空则默认 cmd
-	Action     string `json:"action" binding:"required"` // list, read, delete, write, mkdir, rename, upload, upload_chunk
-	Path       string `json:"path"`
-	TargetPath string `json:"target_path"` // rename 时目标路径
-	Content    string `json:"content"`     // write/upload 时使用
-	ChunkIndex int    `json:"chunk_index"` // upload_chunk 时，0 表示首块
+	URL          string `json:"url" binding:"required"`
+	Password     string `json:"password"`
+	Type         string `json:"type"`
+	Method       string `json:"method"`                    // GET 或 POST，空则默认 POST
+	CmdParam     string `json:"cmd_param"`                 // 命令参数名，如 cmd/xxx，空则默认 cmd
+	Encoding     string `json:"encoding"`                  // 响应编码：auto / utf-8 / gbk / gb18030，空则 auto
+	OS           string `json:"os"`                        // 目标操作系统：auto / linux / windows，空则按 shellType 推断
+	ConnectionID string `json:"connection_id,omitempty"`   // 可选：连接 ID；服务端探活出 OS 后会回写到此连接
+	Action       string `json:"action" binding:"required"` // list, read, delete, write, mkdir, rename, upload, upload_chunk
+	Path         string `json:"path"`
+	TargetPath   string `json:"target_path"` // rename 时目标路径
+	Content      string `json:"content"`     // write/upload 时使用
+	ChunkIndex   int    `json:"chunk_index"` // upload_chunk 时，0 表示首块
 }

 // FileOpResponse 文件操作响应
 type FileOpResponse struct {
-	OK     bool   `json:"ok"`
-	Output string `json:"output"`
-	Error  string `json:"error,omitempty"`
+	OK         bool   `json:"ok"`
+	Output     string `json:"output"`
+	Error      string `json:"error,omitempty"`
+	DetectedOS string `json:"detected_os,omitempty"` // 仅在 auto 模式且探活成功时返回，前端应更新本地缓存
 }

 func (h *WebShellHandler) Exec(c *gin.Context) {
@@ -415,7 +711,7 @@ func (h *WebShellHandler) Exec(c *gin.Context) {
 	if readErr != nil {
 		h.logger.Warn("webshell exec read body", zap.Error(readErr))
 	}
-	output := string(out)
+	output := decodeWebshellOutput(out, req.Encoding)
 	httpCode := resp.StatusCode

 	c.JSON(http.StatusOK, ExecResponse{
@@ -474,83 +770,32 @@ func (h *WebShellHandler) FileOp(c *gin.Context) {
 		return
 	}

-	// 通过执行系统命令实现文件操作（与通用一句话兼容）
-	var command string
-	shellType := strings.ToLower(strings.TrimSpace(req.Type))
-	switch req.Action {
-	case "list":
-		path := strings.TrimSpace(req.Path)
-		if path == "" {
-			path = "."
+	// 若 OS 未显式配置，先发一次探活命令，识别出真实 OS 再构造文件操作命令。
+	// 这解决了 "Windows + PHP + OS=auto" 场景下旧 fallback 错发 `ls -la` 导致目录列不出来的问题。
+	osTag := req.OS
+	detectedOS := ""
+	if normalizeWebshellOS(osTag) == "auto" {
+		if probed := probeWebshellOSViaExec(h.newHTTPExecFn(req.URL, req.Password, req.Type, req.Method, req.CmdParam, req.Encoding)); probed != "" {
+			osTag = probed
+			detectedOS = probed
+			// 若前端带了 connection_id，顺带把探活结果持久化到该连接，后续刷新零成本
+			if cid := strings.TrimSpace(req.ConnectionID); cid != "" {
+				h.persistDetectedOS(cid, probed)
+			}
 		}
-		if shellType == "asp" || shellType == "aspx" {
-			command = "dir " + h.escapePath(path)
-		} else {
-			command = "ls -la " + h.escapePath(path)
-		}
-	case "read":
-		if shellType == "asp" || shellType == "aspx" {
-			command = "type " + h.escapePath(strings.TrimSpace(req.Path))
-		} else {
-			command = "cat " + h.escapePath(strings.TrimSpace(req.Path))
-		}
-	case "delete":
-		if shellType == "asp" || shellType == "aspx" {
-			command = "del " + h.escapePath(strings.TrimSpace(req.Path))
-		} else {
-			command = "rm -f " + h.escapePath(strings.TrimSpace(req.Path))
-		}
-	case "write":
-		path := h.escapePath(strings.TrimSpace(req.Path))
-		command = "echo " + h.escapeForEcho(req.Content) + " > " + path
-	case "mkdir":
-		path := strings.TrimSpace(req.Path)
-		if path == "" {
-			c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "path is required for mkdir"})
-			return
-		}
-		if shellType == "asp" || shellType == "aspx" {
-			command = "md " + h.escapePath(path)
-		} else {
-			command = "mkdir -p " + h.escapePath(path)
-		}
-	case "rename":
-		oldPath := strings.TrimSpace(req.Path)
-		newPath := strings.TrimSpace(req.TargetPath)
-		if oldPath == "" || newPath == "" {
-			c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "path and target_path are required for rename"})
-			return
-		}
-		if shellType == "asp" || shellType == "aspx" {
-			command = "move /y " + h.escapePath(oldPath) + " " + h.escapePath(newPath)
-		} else {
-			command = "mv " + h.escapePath(oldPath) + " " + h.escapePath(newPath)
-		}
-	case "upload":
-		path := strings.TrimSpace(req.Path)
-		if path == "" {
-			c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "path is required for upload"})
-			return
-		}
-		if len(req.Content) > 512*1024 {
-			c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "upload content too large (max 512KB base64)"})
-			return
-		}
-		// base64 仅含 A-Za-z0-9+/=，用单引号包裹安全
-		command = "echo " + "'" + req.Content + "'" + " | base64 -d > " + h.escapePath(path)
-	case "upload_chunk":
-		path := strings.TrimSpace(req.Path)
-		if path == "" {
-			c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "path is required for upload_chunk"})
-			return
-		}
-		redir := ">>"
-		if req.ChunkIndex == 0 {
-			redir = ">"
-		}
-		command = "echo " + "'" + req.Content + "'" + " | base64 -d " + redir + " " + h.escapePath(path)
-	default:
-		c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: "unsupported action: " + req.Action})
+	}
+
+	command, cmdErr := h.buildFileCommand(fileCommandInput{
+		Action:     req.Action,
+		Path:       req.Path,
+		TargetPath: req.TargetPath,
+		Content:    req.Content,
+		ChunkIndex: req.ChunkIndex,
+		OS:         osTag,
+		ShellType:  req.Type,
+	})
+	if cmdErr != nil {
+		c.JSON(http.StatusBadRequest, FileOpResponse{OK: false, Error: cmdErr.Error()})
 		return
 	}

@@ -585,27 +830,15 @@ func (h *WebShellHandler) FileOp(c *gin.Context) {
 	if readErr != nil {
 		h.logger.Warn("webshell fileop read body", zap.Error(readErr))
 	}
-	output := string(out)
+	output := decodeWebshellOutput(out, req.Encoding)

 	c.JSON(http.StatusOK, FileOpResponse{
-		OK:     resp.StatusCode == http.StatusOK,
-		Output: output,
+		OK:         resp.StatusCode == http.StatusOK,
+		Output:     output,
+		DetectedOS: detectedOS,
 	})
 }

-func (h *WebShellHandler) escapePath(p string) string {
-	if p == "" {
-		return "."
-	}
-	// 简单转义空格与敏感字符，避免命令注入
-	return "'" + strings.ReplaceAll(p, "'", "'\\''") + "'"
-}
-
-func (h *WebShellHandler) escapeForEcho(s string) string {
-	// 仅用于 write：base64 写入更安全，这里简单用单引号包裹
-	return "'" + strings.ReplaceAll(s, "'", "'\"'\"'") + "'"
-}
-
 // ExecWithConnection 在指定 WebShell 连接上执行命令（供 MCP/Agent 等非 HTTP 调用）
 func (h *WebShellHandler) ExecWithConnection(conn *database.WebShellConnection, command string) (output string, ok bool, errMsg string) {
 	if conn == nil {
@@ -643,7 +876,7 @@ func (h *WebShellHandler) ExecWithConnection(conn *database.WebShellConnection,
 	if readErr != nil {
 		h.logger.Warn("webshell ExecWithConnection read body", zap.Error(readErr))
 	}
-	return string(out), resp.StatusCode == http.StatusOK, ""
+	return decodeWebshellOutput(out, conn.Encoding), resp.StatusCode == http.StatusOK, ""
 }

 // FileOpWithConnection 在指定 WebShell 连接上执行文件操作（供 MCP/Agent 调用），支持 list / read / write
@@ -652,40 +885,38 @@ func (h *WebShellHandler) FileOpWithConnection(conn *database.WebShellConnection
 		return "", false, "connection is nil"
 	}
 	action = strings.ToLower(strings.TrimSpace(action))
-	shellType := strings.ToLower(strings.TrimSpace(conn.Type))
-	if shellType == "" {
-		shellType = "php"
-	}
-	var command string
+	// MCP 入口仅开放 list / read / write 三种动作，与工具文档的承诺保持一致
 	switch action {
-	case "list":
-		if path == "" {
-			path = "."
-		}
-		if shellType == "asp" || shellType == "aspx" {
-			command = "dir " + h.escapePath(strings.TrimSpace(path))
-		} else {
-			command = "ls -la " + h.escapePath(strings.TrimSpace(path))
-		}
-	case "read":
-		path = strings.TrimSpace(path)
-		if path == "" {
-			return "", false, "path is required for read"
-		}
-		if shellType == "asp" || shellType == "aspx" {
-			command = "type " + h.escapePath(path)
-		} else {
-			command = "cat " + h.escapePath(path)
-		}
-	case "write":
-		path = strings.TrimSpace(path)
-		if path == "" {
-			return "", false, "path is required for write"
-		}
-		command = "echo " + h.escapeForEcho(content) + " > " + h.escapePath(path)
+	case "list", "read", "write":
+		// 支持的动作
 	default:
 		return "", false, "unsupported action: " + action + " (supported: list, read, write)"
 	}
+
+	// 若连接的 OS 为 auto，先探活并持久化，避免 AI/MCP 每次都对 Windows 发 `ls -la`
+	osTag := conn.OS
+	if normalizeWebshellOS(osTag) == "auto" {
+		if probed := probeWebshellOSViaExec(func(cmd string) (string, bool) {
+			out, exOk, _ := h.ExecWithConnection(conn, cmd)
+			return out, exOk
+		}); probed != "" {
+			osTag = probed
+			conn.OS = probed // 本次请求内使用探活结果
+			h.persistDetectedOS(conn.ID, probed)
+		}
+	}
+
+	command, cmdErr := h.buildFileCommand(fileCommandInput{
+		Action:     action,
+		Path:       path,
+		TargetPath: targetPath,
+		Content:    content,
+		OS:         osTag,
+		ShellType:  conn.Type,
+	})
+	if cmdErr != nil {
+		return "", false, cmdErr.Error()
+	}
 	useGET := strings.ToUpper(strings.TrimSpace(conn.Method)) == "GET"
 	cmdParam := strings.TrimSpace(conn.CmdParam)
 	if cmdParam == "" {
@@ -714,5 +945,5 @@ func (h *WebShellHandler) FileOpWithConnection(conn *database.WebShellConnection
 	if readErr != nil {
 		h.logger.Warn("webshell FileOpWithConnection read body", zap.Error(readErr))
 	}
-	return string(out), resp.StatusCode == http.StatusOK, ""
+	return decodeWebshellOutput(out, conn.Encoding), resp.StatusCode == http.StatusOK, ""
 }
@@ -0,0 +1,106 @@
+package handler
+
+import (
+	"strings"
+
+	"cyberstrike-ai/internal/database"
+)
+
+// WebshellSkillHintDefault 对话页 / Eino 单代理共用的 Skills 说明，放在 webshell 上下文末尾，
+// 供 AI 选择 skill 加载入口时参考。
+const WebshellSkillHintDefault = "Skills 包请使用「多代理 / Eino DeepAgent」会话中的内置 `skill` 工具渐进加载。"
+
+// WebshellSkillHintMultiAgent 多代理 / Eino 多代理准备阶段使用的 Skills 说明
+const WebshellSkillHintMultiAgent = "Skills 包请使用 Eino 多代理内置 `skill` 工具。"
+
+// webshellAssistantToolList AI 助手在 WebShell 上下文下允许使用的工具清单（展示给模型用）。
+// 注意：此处只是展示字符串，真正的权限限制是在调用方设置的 roleTools 切片里。
+const webshellAssistantToolList = "webshell_exec、webshell_file_list、webshell_file_read、webshell_file_write、record_vulnerability、list_knowledge_risk_types、search_knowledge_base"
+
+// BuildWebshellAssistantContext 根据连接信息与用户原始消息组装 AI 助手的上下文提示词。
+// 上下文包含：连接 ID、备注、目标系统（及对应命令集建议）、响应编码、可用工具清单、Skills 加载入口、
+// 以及最终的用户请求。调用方只需要决定 skillHint 的文案（默认使用 WebshellSkillHintDefault）。
+//
+// 之所以把这段逻辑抽到共享函数里，是为了避免 agent.go / multi_agent_prepare.go 等多处复制粘贴，
+// 并确保当我们升级 OS / Encoding 文案时只需要改一处、测一处、同步生效。
+func BuildWebshellAssistantContext(conn *database.WebShellConnection, skillHint, userMsg string) string {
+	if conn == nil {
+		// 兜底：调用方已保证 conn 非 nil，这里只是防御性返回原消息
+		return userMsg
+	}
+	remark := conn.Remark
+	if remark == "" {
+		remark = conn.URL
+	}
+
+	targetOS := resolveWebshellOS(conn.OS, conn.Type) // 归一为 "linux" / "windows"
+	encoding := normalizeWebshellEncoding(conn.Encoding)
+	if skillHint == "" {
+		skillHint = WebshellSkillHintDefault
+	}
+
+	var b strings.Builder
+	b.Grow(512 + len(userMsg))
+
+	b.WriteString("[WebShell 助手上下文] 连接 ID：")
+	b.WriteString(conn.ID)
+	b.WriteString("，备注：")
+	b.WriteString(remark)
+	b.WriteByte('\n')
+
+	// 目标系统：明确告诉 AI 能用/不能用的命令集，避免它对着 Windows 发 ls/cat/rm
+	b.WriteString("- 目标系统：")
+	b.WriteString(describeTargetOSForPrompt(targetOS))
+	b.WriteByte('\n')
+
+	// 响应编码：仅在非 auto 时显式告知，auto 模式由后端自适应，不打扰模型
+	if encHint := describeEncodingForPrompt(encoding); encHint != "" {
+		b.WriteString("- 响应编码：")
+		b.WriteString(encHint)
+		b.WriteByte('\n')
+	}
+
+	// 工具清单 & connection_id 约束：保持旧有表达，AI 已熟悉
+	b.WriteString("可用工具（仅在该连接上操作时使用，connection_id 填 \"")
+	b.WriteString(conn.ID)
+	b.WriteString("\"）：")
+	b.WriteString(webshellAssistantToolList)
+	b.WriteString("。")
+	b.WriteString(skillHint)
+	b.WriteString("\n\n用户请求：")
+	b.WriteString(userMsg)
+
+	return b.String()
+}
+
+// describeTargetOSForPrompt 返回某个 OS 对应的中文描述 + 推荐命令集 + 反例，
+// 命令列表覆盖文件管理最常用的 6 类动作（查看/读/删/改名/建目录/查找），让 AI 能直接照抄。
+func describeTargetOSForPrompt(targetOS string) string {
+	switch targetOS {
+	case "windows":
+		return "Windows（推荐 cmd/PowerShell：dir /a、type、del /q /f、move /y、md、ren；" +
+			"查找文件用 `dir /s /b 过滤词` 或 PowerShell `Get-ChildItem -Recurse`；" +
+			"避免 ls / cat / rm / mv / find 等 Unix 命令，否则将返回 `不是内部或外部命令`）"
+	case "linux":
+		return "Linux/Unix（推荐 sh/bash：ls -la、cat、rm -f、mv、mkdir -p；" +
+			"查找文件用 `find /path -name '*pattern*'`；" +
+			"避免 dir、type、del、move 等 Windows 命令）"
+	default:
+		// 理论上不会走到这里，resolveWebshellOS 已经兜底
+		return "未知（请先执行 `uname || ver` 探测再决定命令集）"
+	}
+}
+
+// describeEncodingForPrompt 返回响应编码的人类可读描述；auto 返回空串以减少 token。
+func describeEncodingForPrompt(encoding string) string {
+	switch encoding {
+	case "utf-8":
+		return "UTF-8（目标原生 UTF-8，无需额外解码）"
+	case "gbk":
+		return "GBK（中文 Windows；后端已自动转码为 UTF-8 返回，若仍出现大量 \\uFFFD 替换字符说明命令失败或编码识别错误）"
+	case "gb18030":
+		return "GB18030（后端已自动转码为 UTF-8 返回）"
+	default:
+		return ""
+	}
+}
@@ -0,0 +1,170 @@
+package handler
+
+import (
+	"strings"
+	"testing"
+
+	"cyberstrike-ai/internal/database"
+)
+
+func TestBuildWebshellAssistantContext_WindowsExplicit(t *testing.T) {
+	conn := &database.WebShellConnection{
+		ID:       "ws_win01",
+		Remark:   "IIS Windows 靶机",
+		URL:      "http://example.com/shell.php",
+		Type:     "php",
+		OS:       "windows",
+		Encoding: "gbk",
+	}
+	got := BuildWebshellAssistantContext(conn, WebshellSkillHintDefault, "列出当前目录并告诉我 flag 在哪")
+
+	mustContain(t, got,
+		"[WebShell 助手上下文]",
+		"ws_win01",
+		"IIS Windows 靶机",
+		"目标系统：Windows",
+		"dir /a",
+		"move /y",
+		"避免 ls / cat / rm",
+		"响应编码：GBK",
+		"后端已自动转码为 UTF-8",
+		"connection_id 填 \"ws_win01\"",
+		"webshell_exec、webshell_file_list",
+		WebshellSkillHintDefault,
+		"用户请求：列出当前目录并告诉我 flag 在哪",
+	)
+	// Windows 场景下不应出现 Linux 命令推荐
+	mustNotContain(t, got, "推荐 sh/bash")
+}
+
+func TestBuildWebshellAssistantContext_LinuxAutoFromPHP(t *testing.T) {
+	conn := &database.WebShellConnection{
+		ID:       "ws_lnx01",
+		Remark:   "", // 测试备注为空时 fallback URL
+		URL:      "http://example.com/a.php",
+		Type:     "php",
+		OS:       "auto", // auto + php → linux
+		Encoding: "",     // auto 编码不显式提示
+	}
+	got := BuildWebshellAssistantContext(conn, WebshellSkillHintDefault, "看看 /etc/passwd")
+
+	mustContain(t, got,
+		"连接 ID：ws_lnx01",
+		"备注：http://example.com/a.php", // 备注空时 fallback URL
+		"目标系统：Linux/Unix",
+		"ls -la",
+		"mkdir -p",
+		"避免 dir、type、del、move",
+		"用户请求：看看 /etc/passwd",
+	)
+	// encoding=auto 不应出现"响应编码："这一行
+	mustNotContain(t, got, "响应编码：")
+	// Linux 场景不应出现 Windows 命令
+	mustNotContain(t, got, "推荐 cmd/PowerShell")
+}
+
+func TestBuildWebshellAssistantContext_AutoFromASPDefaultsToWindows(t *testing.T) {
+	// 保留向后兼容：旧连接没配 os，shellType=asp 时应视为 Windows
+	conn := &database.WebShellConnection{
+		ID:       "ws_asp01",
+		Remark:   "老 ASP 靶机",
+		Type:     "asp",
+		OS:       "", // 空串等同 auto
+		Encoding: "gb18030",
+	}
+	got := BuildWebshellAssistantContext(conn, WebshellSkillHintMultiAgent, "查当前用户")
+
+	mustContain(t, got,
+		"目标系统：Windows",
+		"响应编码：GB18030",
+		"后端已自动转码为 UTF-8 返回",
+		WebshellSkillHintMultiAgent,
+	)
+	// 多代理 skill 文案里没有 DeepAgent，不应混入 default 文案
+	mustNotContain(t, got, "DeepAgent")
+}
+
+func TestBuildWebshellAssistantContext_MultiAgentSkillHint(t *testing.T) {
+	conn := &database.WebShellConnection{ID: "ws_m1", Remark: "x", Type: "php", OS: "linux"}
+	got := BuildWebshellAssistantContext(conn, WebshellSkillHintMultiAgent, "hi")
+	mustContain(t, got, WebshellSkillHintMultiAgent)
+	mustNotContain(t, got, "DeepAgent")
+}
+
+func TestBuildWebshellAssistantContext_DefaultSkillHintFallback(t *testing.T) {
+	conn := &database.WebShellConnection{ID: "ws_d1", Remark: "x", Type: "php", OS: "linux"}
+	// skillHint 传空字符串时应回退到 default
+	got := BuildWebshellAssistantContext(conn, "", "hi")
+	mustContain(t, got, WebshellSkillHintDefault)
+}
+
+func TestBuildWebshellAssistantContext_UTF8EncodingIsAnnotated(t *testing.T) {
+	conn := &database.WebShellConnection{
+		ID: "ws_u1", Remark: "u", Type: "jsp", OS: "linux", Encoding: "utf-8",
+	}
+	got := BuildWebshellAssistantContext(conn, WebshellSkillHintDefault, "hi")
+	mustContain(t, got, "响应编码：UTF-8", "目标原生 UTF-8")
+}
+
+func TestBuildWebshellAssistantContext_NilConnReturnsUserMsg(t *testing.T) {
+	// 防御性：conn == nil 时不 panic，直接返回原消息
+	got := BuildWebshellAssistantContext(nil, WebshellSkillHintDefault, "just the message")
+	if got != "just the message" {
+		t.Errorf("nil conn should return userMsg as-is, got %q", got)
+	}
+}
+
+func TestDescribeTargetOSForPrompt(t *testing.T) {
+	cases := map[string][]string{
+		"windows": {"Windows", "dir /a", "move /y", "PowerShell"},
+		"linux":   {"Linux/Unix", "ls -la", "mkdir -p"},
+		"":        {"未知", "uname"}, // 防御性分支
+	}
+	for in, wants := range cases {
+		got := describeTargetOSForPrompt(in)
+		for _, w := range wants {
+			if !strings.Contains(got, w) {
+				t.Errorf("describeTargetOSForPrompt(%q) should contain %q, got: %s", in, w, got)
+			}
+		}
+	}
+}
+
+func TestDescribeEncodingForPrompt(t *testing.T) {
+	cases := map[string]string{
+		"utf-8":   "UTF-8",
+		"gbk":     "GBK",
+		"gb18030": "GB18030",
+		"auto":    "",
+		"":        "",
+	}
+	for in, want := range cases {
+		got := describeEncodingForPrompt(in)
+		if want == "" && got != "" {
+			t.Errorf("describeEncodingForPrompt(%q) should return empty string, got: %s", in, got)
+		}
+		if want != "" && !strings.Contains(got, want) {
+			t.Errorf("describeEncodingForPrompt(%q) should contain %q, got: %s", in, want, got)
+		}
+	}
+}
+
+// ---- 小工具 ----
+
+func mustContain(t *testing.T, text string, substrings ...string) {
+	t.Helper()
+	for _, s := range substrings {
+		if !strings.Contains(text, s) {
+			t.Errorf("expected text to contain %q\n--- text ---\n%s", s, text)
+		}
+	}
+}
+
+func mustNotContain(t *testing.T, text string, substrings ...string) {
+	t.Helper()
+	for _, s := range substrings {
+		if strings.Contains(text, s) {
+			t.Errorf("text should not contain %q\n--- text ---\n%s", s, text)
+		}
+	}
+}
@@ -0,0 +1,103 @@
+package handler
+
+import (
+	"testing"
+
+	"golang.org/x/text/encoding/simplifiedchinese"
+	"golang.org/x/text/transform"
+)
+
+// mustEncode 使用指定编码对 UTF-8 字符串做编码，得到原始字节，用于构造测试输入
+func mustEncode(t *testing.T, s string, enc string) []byte {
+	t.Helper()
+	var tr transform.Transformer
+	switch enc {
+	case "gbk":
+		tr = simplifiedchinese.GBK.NewEncoder()
+	case "gb18030":
+		tr = simplifiedchinese.GB18030.NewEncoder()
+	default:
+		t.Fatalf("unsupported test encoding: %s", enc)
+	}
+	out, _, err := transform.Bytes(tr, []byte(s))
+	if err != nil {
+		t.Fatalf("mustEncode(%s) failed: %v", enc, err)
+	}
+	return out
+}
+
+func TestNormalizeWebshellEncoding(t *testing.T) {
+	cases := map[string]string{
+		"":         "auto",
+		"   ":      "auto",
+		"auto":     "auto",
+		"AUTO":     "auto",
+		"utf-8":    "utf-8",
+		"UTF-8":    "utf-8",
+		"utf8":     "utf-8",
+		"gbk":      "gbk",
+		"GBK":      "gbk",
+		"gb18030":  "gb18030",
+		"big5":     "auto", // 未支持的回退到 auto
+		"anything": "auto",
+	}
+	for in, want := range cases {
+		if got := normalizeWebshellEncoding(in); got != want {
+			t.Errorf("normalizeWebshellEncoding(%q) = %q, want %q", in, got, want)
+		}
+	}
+}
+
+func TestDecodeWebshellOutput_AutoDetectsGBK(t *testing.T) {
+	// 模拟 Windows 中文 cmd 输出的 GBK 字节流
+	want := "用户名                        SID                                            类型"
+	raw := mustEncode(t, want, "gbk")
+
+	// auto 模式：UTF-8 校验失败后应当回退 GB18030 解码，得到原始中文
+	got := decodeWebshellOutput(raw, "auto")
+	if got != want {
+		t.Errorf("decodeWebshellOutput(auto) = %q, want %q", got, want)
+	}
+
+	// 显式 GBK 模式：同样应当正确解码
+	got = decodeWebshellOutput(raw, "gbk")
+	if got != want {
+		t.Errorf("decodeWebshellOutput(gbk) = %q, want %q", got, want)
+	}
+
+	// 显式 GB18030 模式：GBK 是 GB18030 子集，也应正确解码
+	got = decodeWebshellOutput(raw, "gb18030")
+	if got != want {
+		t.Errorf("decodeWebshellOutput(gb18030) = %q, want %q", got, want)
+	}
+}
+
+func TestDecodeWebshellOutput_PassthroughUTF8(t *testing.T) {
+	// 已经是 UTF-8 的中文字符串，各模式都应返回原串（不破坏）
+	want := "hello 世界"
+	for _, enc := range []string{"", "auto", "utf-8"} {
+		if got := decodeWebshellOutput([]byte(want), enc); got != want {
+			t.Errorf("decodeWebshellOutput(%q) passthrough = %q, want %q", enc, got, want)
+		}
+	}
+}
+
+func TestDecodeWebshellOutput_ASCIIStable(t *testing.T) {
+	// 纯 ASCII 在任何模式下都必须保持原样
+	want := "whoami\nAdministrator\n"
+	for _, enc := range []string{"", "auto", "utf-8", "gbk", "gb18030"} {
+		if got := decodeWebshellOutput([]byte(want), enc); got != want {
+			t.Errorf("decodeWebshellOutput(%q) ASCII = %q, want %q", enc, got, want)
+		}
+	}
+}
+
+func TestDecodeWebshellOutput_EmptyInput(t *testing.T) {
+	// 空输入直接返回空串，不做额外分配
+	if got := decodeWebshellOutput(nil, "gbk"); got != "" {
+		t.Errorf("decodeWebshellOutput(nil) = %q, want empty", got)
+	}
+	if got := decodeWebshellOutput([]byte{}, "auto"); got != "" {
+		t.Errorf("decodeWebshellOutput([]) = %q, want empty", got)
+	}
+}
@@ -0,0 +1,348 @@
+package handler
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"go.uber.org/zap"
+)
+
+func newTestWebShellHandler() *WebShellHandler {
+	return NewWebShellHandler(zap.NewNop(), nil)
+}
+
+func TestNormalizeWebshellOS(t *testing.T) {
+	cases := map[string]string{
+		"":        "auto",
+		"  ":      "auto",
+		"auto":    "auto",
+		"AUTO":    "auto",
+		"linux":   "linux",
+		"Linux":   "linux",
+		"windows": "windows",
+		"WINDOWS": "windows",
+		"macos":   "auto", // 未支持的回退 auto
+		"solaris": "auto",
+	}
+	for in, want := range cases {
+		if got := normalizeWebshellOS(in); got != want {
+			t.Errorf("normalizeWebshellOS(%q) = %q, want %q", in, got, want)
+		}
+	}
+}
+
+func TestResolveWebshellOS(t *testing.T) {
+	type testCase struct {
+		osTag     string
+		shellType string
+		want      string
+	}
+	cases := []testCase{
+		// 显式 OS：按用户选择，忽略 shellType
+		{"linux", "asp", "linux"},
+		{"windows", "php", "windows"},
+		{"LINUX", "jsp", "linux"},
+
+		// auto + 各种 shellType：asp/aspx → windows，其他 → linux
+		{"auto", "asp", "windows"},
+		{"auto", "aspx", "windows"},
+		{"auto", "ASP", "windows"},
+		{"auto", "php", "linux"},
+		{"auto", "jsp", "linux"},
+		{"auto", "custom", "linux"},
+		{"auto", "", "linux"},
+
+		// 空/未知 OS 等价 auto
+		{"", "asp", "windows"},
+		{"", "php", "linux"},
+		{"unknown", "aspx", "windows"},
+	}
+	for _, c := range cases {
+		got := resolveWebshellOS(c.osTag, c.shellType)
+		if got != c.want {
+			t.Errorf("resolveWebshellOS(%q,%q) = %q, want %q", c.osTag, c.shellType, got, c.want)
+		}
+	}
+}
+
+func TestQuoteCmdPath(t *testing.T) {
+	cases := map[string]string{
+		"":                     `"."`,
+		`C:\Windows\Temp`:      `"C:\Windows\Temp"`,
+		`C:\Program Files\a`:   `"C:\Program Files\a"`,
+		`C:\weird"name\f.txt`:  `"C:\weird""name\f.txt"`,
+		`.`:                    `"."`,
+	}
+	for in, want := range cases {
+		if got := quoteCmdPath(in); got != want {
+			t.Errorf("quoteCmdPath(%q) = %q, want %q", in, got, want)
+		}
+	}
+}
+
+func TestQuoteShellSinglePosix(t *testing.T) {
+	cases := map[string]string{
+		"":             ".",
+		"/tmp/a b":     "'/tmp/a b'",
+		"/tmp/it's.txt": `'/tmp/it'\''s.txt'`,
+	}
+	for in, want := range cases {
+		if got := quoteShellSinglePosix(in); got != want {
+			t.Errorf("quoteShellSinglePosix(%q) = %q, want %q", in, got, want)
+		}
+	}
+}
+
+// TestBuildFileCommand_LinuxBranch 覆盖 Linux 目标下每个 action 产出的命令
+func TestBuildFileCommand_LinuxBranch(t *testing.T) {
+	h := newTestWebShellHandler()
+	base := fileCommandInput{OS: "linux", ShellType: "php"}
+
+	mustContain := func(t *testing.T, cmd string, substrings ...string) {
+		t.Helper()
+		for _, s := range substrings {
+			if !strings.Contains(cmd, s) {
+				t.Errorf("expected command to contain %q, got: %s", s, cmd)
+			}
+		}
+	}
+	mustNotContain := func(t *testing.T, cmd string, substrings ...string) {
+		t.Helper()
+		for _, s := range substrings {
+			if strings.Contains(cmd, s) {
+				t.Errorf("command should not contain %q, got: %s", s, cmd)
+			}
+		}
+	}
+
+	// list with empty path defaults to '.'
+	in := base
+	in.Action = "list"
+	cmd, err := h.buildFileCommand(in)
+	if err != nil {
+		t.Fatalf("list linux: unexpected err: %v", err)
+	}
+	mustContain(t, cmd, "ls -la", "'.'")
+
+	// list with path containing spaces
+	in.Path = "/tmp/my files"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "ls -la ", "'/tmp/my files'")
+
+	// read with path
+	in = base
+	in.Action = "read"
+	in.Path = "/etc/passwd"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "cat ", "'/etc/passwd'")
+
+	// read without path → error
+	in.Path = ""
+	if _, err := h.buildFileCommand(in); err != errFileOpPathRequired {
+		t.Errorf("read empty path: want errFileOpPathRequired, got %v", err)
+	}
+
+	// delete
+	in = base
+	in.Action = "delete"
+	in.Path = "/tmp/a.txt"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "rm -f ", "'/tmp/a.txt'")
+	mustNotContain(t, cmd, "del")
+
+	// mkdir
+	in.Action = "mkdir"
+	in.Path = "/tmp/new/sub"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "mkdir -p ", "'/tmp/new/sub'")
+
+	// rename
+	in = base
+	in.Action = "rename"
+	in.Path = "/tmp/a"
+	in.TargetPath = "/tmp/b"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "mv -f ", "'/tmp/a'", "'/tmp/b'")
+
+	// rename missing target → error
+	in.TargetPath = ""
+	if _, err := h.buildFileCommand(in); err != errFileOpRenameNeedsBothPaths {
+		t.Errorf("rename empty target: want errFileOpRenameNeedsBothPaths, got %v", err)
+	}
+
+	// write
+	in = base
+	in.Action = "write"
+	in.Path = "/tmp/w.txt"
+	in.Content = "hello 世界"
+	cmd, _ = h.buildFileCommand(in)
+	b64 := base64.StdEncoding.EncodeToString([]byte("hello 世界"))
+	mustContain(t, cmd, "echo '"+b64+"'", "| base64 -d", "> '/tmp/w.txt'")
+
+	// upload
+	in = base
+	in.Action = "upload"
+	in.Path = "/tmp/bin"
+	in.Content = "YWJjZA==" // base64 of "abcd"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "echo 'YWJjZA=='", "| base64 -d", "> '/tmp/bin'")
+
+	// upload oversized content → error
+	in.Content = strings.Repeat("A", 513*1024)
+	if _, err := h.buildFileCommand(in); err != errFileOpUploadTooLarge {
+		t.Errorf("upload too large: want errFileOpUploadTooLarge, got %v", err)
+	}
+
+	// upload_chunk with chunk_index=0 uses single redirect
+	in = base
+	in.Action = "upload_chunk"
+	in.Path = "/tmp/bin"
+	in.Content = "YWJj"
+	in.ChunkIndex = 0
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "base64 -d > '/tmp/bin'")
+	mustNotContain(t, cmd, ">>")
+
+	// upload_chunk with chunk_index>0 uses append redirect
+	in.ChunkIndex = 1
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "base64 -d >> '/tmp/bin'")
+
+	// unsupported action
+	in = base
+	in.Action = "nope"
+	if _, err := h.buildFileCommand(in); err == nil || !strings.Contains(err.Error(), "unsupported action") {
+		t.Errorf("unknown action: want unsupported action error, got %v", err)
+	}
+}
+
+// TestBuildFileCommand_WindowsBranch 覆盖 Windows 目标下每个 action 产出的命令
+func TestBuildFileCommand_WindowsBranch(t *testing.T) {
+	h := newTestWebShellHandler()
+	base := fileCommandInput{OS: "windows", ShellType: "php"}
+
+	mustContain := func(t *testing.T, cmd string, substrings ...string) {
+		t.Helper()
+		for _, s := range substrings {
+			if !strings.Contains(cmd, s) {
+				t.Errorf("expected command to contain %q, got: %s", s, cmd)
+			}
+		}
+	}
+	mustNotContain := func(t *testing.T, cmd string, substrings ...string) {
+		t.Helper()
+		for _, s := range substrings {
+			if strings.Contains(cmd, s) {
+				t.Errorf("command should not contain %q, got: %s", s, cmd)
+			}
+		}
+	}
+
+	// list
+	in := base
+	in.Action = "list"
+	cmd, _ := h.buildFileCommand(in)
+	mustContain(t, cmd, "dir /a ", `"."`)
+	mustNotContain(t, cmd, "ls -la")
+
+	in.Path = `C:\Users\Public Docs`
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "dir /a ", `"C:\Users\Public Docs"`)
+
+	// read
+	in = base
+	in.Action = "read"
+	in.Path = `C:\flag.txt`
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "type ", `"C:\flag.txt"`)
+
+	// delete
+	in.Action = "delete"
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "del /q /f ", `"C:\flag.txt"`)
+	mustNotContain(t, cmd, "rm -f")
+
+	// mkdir
+	in.Action = "mkdir"
+	in.Path = `C:\a\b\c`
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "md ", `"C:\a\b\c"`)
+
+	// rename
+	in = base
+	in.Action = "rename"
+	in.Path = `C:\a.txt`
+	in.TargetPath = `C:\b.txt`
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "move /y ", `"C:\a.txt"`, `"C:\b.txt"`)
+
+	// write → PowerShell base64 one-liner
+	in = base
+	in.Action = "write"
+	in.Path = `C:\out.txt`
+	in.Content = "hello 世界"
+	cmd, _ = h.buildFileCommand(in)
+	wantB64 := base64.StdEncoding.EncodeToString([]byte("hello 世界"))
+	mustContain(t, cmd,
+		"powershell -NoProfile -NonInteractive -Command",
+		"[Convert]::FromBase64String('"+wantB64+"')",
+		"[IO.File]::WriteAllBytes('C:\\out.txt'",
+	)
+	mustNotContain(t, cmd, "echo ", "base64 -d")
+
+	// upload (chunk_index=0 equivalent) uses WriteAllBytes
+	in = base
+	in.Action = "upload"
+	in.Path = `C:\bin\f`
+	in.Content = "YWJjZA=="
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "WriteAllBytes('C:\\bin\\f'", "FromBase64String('YWJjZA==')")
+
+	// upload_chunk index=0 → WriteAllBytes
+	in.Action = "upload_chunk"
+	in.ChunkIndex = 0
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "WriteAllBytes(")
+	mustNotContain(t, cmd, "FileMode]::Append")
+
+	// upload_chunk index>0 → append (Open with Append mode)
+	in.ChunkIndex = 1
+	cmd, _ = h.buildFileCommand(in)
+	mustContain(t, cmd, "[IO.FileMode]::Append", "FromBase64String('YWJjZA==')")
+}
+
+// TestBuildFileCommand_AutoFallbackMatchesLegacyBehavior 确保 os=auto 时与旧版 shellType 判定行为完全一致
+// asp/aspx 视为 Windows（旧行为），其他视为 Linux。
+func TestBuildFileCommand_AutoFallbackMatchesLegacyBehavior(t *testing.T) {
+	h := newTestWebShellHandler()
+
+	// asp + auto → windows 命令
+	cmd, _ := h.buildFileCommand(fileCommandInput{Action: "list", OS: "auto", ShellType: "asp"})
+	if !strings.Contains(cmd, "dir /a") {
+		t.Errorf("auto + asp should use Windows cmd, got: %s", cmd)
+	}
+
+	cmd, _ = h.buildFileCommand(fileCommandInput{Action: "list", OS: "auto", ShellType: "aspx"})
+	if !strings.Contains(cmd, "dir /a") {
+		t.Errorf("auto + aspx should use Windows cmd, got: %s", cmd)
+	}
+
+	// php/jsp/custom + auto → linux 命令（与历史行为一致）
+	for _, st := range []string{"php", "jsp", "custom", ""} {
+		cmd, _ = h.buildFileCommand(fileCommandInput{Action: "list", OS: "auto", ShellType: st})
+		if !strings.Contains(cmd, "ls -la") {
+			t.Errorf("auto + %q should use Linux cmd, got: %s", st, cmd)
+		}
+	}
+
+	// 显式 OS 覆盖 shellType
+	cmd, _ = h.buildFileCommand(fileCommandInput{Action: "list", OS: "windows", ShellType: "php"})
+	if !strings.Contains(cmd, "dir /a") {
+		t.Errorf("explicit windows should override php shellType, got: %s", cmd)
+	}
+	cmd, _ = h.buildFileCommand(fileCommandInput{Action: "list", OS: "linux", ShellType: "asp"})
+	if !strings.Contains(cmd, "ls -la") {
+		t.Errorf("explicit linux should override asp shellType, got: %s", cmd)
+	}
+}
@@ -0,0 +1,127 @@
+package handler
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"strings"
+
+	"go.uber.org/zap"
+)
+
+// webshellOSProbeCommand 探活命令：利用 Windows cmd 与 POSIX shell 对 `%OS%` 展开差异进行判定。
+//   - Windows cmd：`%OS%` 被展开为 `Windows_NT`，回显 `:OSPROBE_Windows_NT:END`
+//   - POSIX sh/bash：`%OS%` 不是变量语法，作为字面量原样保留，回显 `:OSPROBE_%OS%:END`
+//
+// 一条命令即可得到明确的、互斥的信号，避免探活成本（相比发两次命令）。
+// 冒号包裹是为了避免部分 shell 输出多余空白/BOM 时字符串匹配失效。
+const webshellOSProbeCommand = "echo :OSPROBE_%OS%:END"
+
+// probeWebshellOSViaExec 通过一次命令执行的回显推断目标操作系统。
+//
+// 返回值：
+//   - "windows" / "linux"：识别成功
+//   - ""：无法判定（调用方应保留既有 fallback 逻辑）
+//
+// 入参 execFn 是一个"发命令并拿到回显"的闭包；让 HTTP 入口和 MCP 入口可以共用同一套探活逻辑
+// 而不必关心底层是如何发包的。
+func probeWebshellOSViaExec(execFn func(cmd string) (output string, ok bool)) string {
+	if execFn == nil {
+		return ""
+	}
+	out, ok := execFn(webshellOSProbeCommand)
+	if !ok {
+		return ""
+	}
+	return classifyWebshellOSProbeOutput(out)
+}
+
+// classifyWebshellOSProbeOutput 纯函数：根据探活命令的回显判定 OS。
+// 抽出来是为了单测可直接覆盖所有分支，无需真实 HTTP 调用。
+func classifyWebshellOSProbeOutput(out string) string {
+	if out == "" {
+		return ""
+	}
+	lower := strings.ToLower(out)
+
+	// Windows 强信号：cmd.exe 成功展开了 %OS% 变量
+	if strings.Contains(out, "Windows_NT") {
+		return "windows"
+	}
+	// 容错：部分老版本 Windows 可能 `%OS%` 展开为其他字样（极少见），再看 PATH/OS 等次级线索
+	if strings.Contains(lower, "microsoft windows") {
+		return "windows"
+	}
+
+	// Linux/Unix 强信号：`%OS%` 字面量被原样回显，说明 shell 不是 cmd.exe
+	if strings.Contains(out, "%OS%") {
+		return "linux"
+	}
+
+	// 次级线索：部分 webshell 在 Linux 上可能走了其他外壳（如 zsh/ash），
+	// 但它们对 `%OS%` 同样不展开；若命中 OSPROBE 头部却没拿到 %OS% 字面量，
+	// 说明回显被中途截断或过滤，保守返回空让上层 fallback。
+	return ""
+}
+
+// newHTTPExecFn 为 HTTP FileOp 路径构造"发命令取回显"的闭包，供探活复用。
+// 参数来自 HTTP 请求，复用 buildExecURL / buildExecBody 两个已有的命令编排器，
+// 确保探活包与实际文件操作包走完全一致的 webshell 协议（GET/POST、参数名、编码）。
+func (h *WebShellHandler) newHTTPExecFn(targetURL, password, shellType, method, cmdParam, encoding string) func(string) (string, bool) {
+	useGET := strings.ToUpper(strings.TrimSpace(method)) == "GET"
+	if strings.TrimSpace(cmdParam) == "" {
+		cmdParam = "cmd"
+	}
+	return func(cmd string) (string, bool) {
+		var (
+			httpReq *http.Request
+			err     error
+		)
+		if useGET {
+			u := h.buildExecURL(targetURL, shellType, password, cmdParam, cmd)
+			httpReq, err = http.NewRequest(http.MethodGet, u, nil)
+		} else {
+			body := h.buildExecBody(shellType, password, cmdParam, cmd)
+			httpReq, err = http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(body))
+			if err == nil {
+				httpReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			}
+		}
+		if err != nil {
+			return "", false
+		}
+		httpReq.Header.Set("User-Agent", "Mozilla/5.0 (compatible; CyberStrikeAI-WebShell/1.0)")
+		resp, err := h.client.Do(httpReq)
+		if err != nil {
+			return "", false
+		}
+		defer resp.Body.Close()
+		raw, _ := io.ReadAll(resp.Body)
+		return decodeWebshellOutput(raw, encoding), resp.StatusCode == http.StatusOK
+	}
+}
+
+// persistDetectedOS 把探活结果回写到连接表；失败只记日志不阻断主流程。
+// 设计上故意只触发 UPDATE，不会新建记录，因此即便 connectionID 不存在也只是悄悄放弃。
+func (h *WebShellHandler) persistDetectedOS(connectionID, detected string) {
+	connectionID = strings.TrimSpace(connectionID)
+	detected = normalizeWebshellOS(detected)
+	if connectionID == "" || detected == "" || detected == "auto" {
+		return
+	}
+	conn, err := h.db.GetWebshellConnection(connectionID)
+	if err != nil || conn == nil {
+		// 不是所有调用方都能提供有效 ID（比如临时测试），这里静默返回
+		return
+	}
+	if normalizeWebshellOS(conn.OS) != "auto" {
+		// 用户已经显式选过 OS，尊重用户选择，不自动覆盖
+		return
+	}
+	conn.OS = detected
+	if err := h.db.UpdateWebshellConnection(conn); err != nil {
+		h.logger.Warn("webshell 探活结果持久化失败", zap.String("id", connectionID), zap.String("os", detected), zap.Error(err))
+		return
+	}
+	h.logger.Info("webshell auto OS 探活成功并持久化", zap.String("id", connectionID), zap.String("os", detected))
+}
@@ -0,0 +1,68 @@
+package handler
+
+import "testing"
+
+func TestClassifyWebshellOSProbeOutput(t *testing.T) {
+	cases := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{"Windows cmd 回显完整", ":OSPROBE_Windows_NT:END\r\n", "windows"},
+		{"Windows cmd 回显带额外空行", "\r\n:OSPROBE_Windows_NT:END\r\n", "windows"},
+		{"Windows 次级线索 - ver banner", "Microsoft Windows [版本 10.0.19045]\r\n", "windows"},
+		{"Linux sh 字面量回显", ":OSPROBE_%OS%:END\n", "linux"},
+		{"Linux 紧凑输出（无换行）", ":OSPROBE_%OS%:END", "linux"},
+		{"空输出 - 无法判定", "", ""},
+		{"被过滤的输出 - 无法判定", "something weird", ""},
+		{"仅有 OSPROBE 前缀但被截断 - 保守返回空", ":OSPROBE_:END", ""},
+	}
+	for _, c := range cases {
+		if got := classifyWebshellOSProbeOutput(c.in); got != c.want {
+			t.Errorf("case %q: got %q, want %q", c.name, got, c.want)
+		}
+	}
+}
+
+func TestProbeWebshellOSViaExec_SendsOneCommandOnly(t *testing.T) {
+	var calls []string
+	fn := func(cmd string) (string, bool) {
+		calls = append(calls, cmd)
+		return ":OSPROBE_Windows_NT:END", true
+	}
+	got := probeWebshellOSViaExec(fn)
+	if got != "windows" {
+		t.Fatalf("want windows, got %q", got)
+	}
+	if len(calls) != 1 {
+		t.Fatalf("probe should issue exactly one exec call, got %d: %v", len(calls), calls)
+	}
+	if calls[0] != webshellOSProbeCommand {
+		t.Errorf("probe command mismatch: got %q", calls[0])
+	}
+}
+
+func TestProbeWebshellOSViaExec_NotOkReturnsEmpty(t *testing.T) {
+	// HTTP 非 200 的场景：execFn 返回 ok=false，探活应放弃
+	fn := func(cmd string) (string, bool) { return "whatever", false }
+	if got := probeWebshellOSViaExec(fn); got != "" {
+		t.Errorf("want empty when exec not ok, got %q", got)
+	}
+}
+
+func TestProbeWebshellOSViaExec_NilSafeguard(t *testing.T) {
+	if got := probeWebshellOSViaExec(nil); got != "" {
+		t.Errorf("nil execFn should return empty, got %q", got)
+	}
+}
+
+func TestProbeWebshellOSViaExec_LinuxUname(t *testing.T) {
+	// 某些 webshell 对 `%OS%` 字面量也会过滤（例如安全规则），
+	// 但主要路径是"%OS% 字面量被原样回显"。这里覆盖标准 Linux 场景。
+	fn := func(cmd string) (string, bool) {
+		return ":OSPROBE_%OS%:END\n", true
+	}
+	if got := probeWebshellOSViaExec(fn); got != "linux" {
+		t.Errorf("Linux case: want linux, got %q", got)
+	}
+}
@@ -16,9 +16,9 @@ const (

 // DSL keys for [VectorEinoRetriever.Retrieve] via [retriever.WithDSLInfo].
 const (
-	DSLRiskType             = "risk_type"
-	DSLSimilarityThreshold  = "similarity_threshold"
-	DSLSubIndexFilter       = "sub_index_filter"
+	DSLRiskType            = "risk_type"
+	DSLSimilarityThreshold = "similarity_threshold"
+	DSLSubIndexFilter      = "sub_index_filter"
 )

 // FormatEmbeddingInput matches the historical indexing format so existing embeddings
@@ -8,8 +8,8 @@ import (

 	"cyberstrike-ai/internal/config"

-	"github.com/cloudwego/eino/compose"
 	"github.com/cloudwego/eino/components/document"
+	"github.com/cloudwego/eino/compose"
 	"github.com/cloudwego/eino/schema"
 )

@@ -11,9 +11,9 @@ import (
 	"cyberstrike-ai/internal/config"

 	fileloader "github.com/cloudwego/eino-ext/components/document/loader/file"
-	"github.com/cloudwego/eino/compose"
 	"github.com/cloudwego/eino/components/document"
 	"github.com/cloudwego/eino/components/indexer"
+	"github.com/cloudwego/eino/compose"
 	"github.com/cloudwego/eino/schema"
 	"go.uber.org/zap"
 )
@@ -35,14 +35,14 @@ type Indexer struct {
 	lastErrorTime time.Time
 	errorCount    int

-	rebuildMu          sync.RWMutex
-	isRebuilding       bool
-	rebuildTotalItems  int
-	rebuildCurrent     int
-	rebuildFailed      int
-	rebuildStartTime   time.Time
-	rebuildLastItemID  string
-	rebuildLastChunks  int
+	rebuildMu         sync.RWMutex
+	isRebuilding      bool
+	rebuildTotalItems int
+	rebuildCurrent    int
+	rebuildFailed     int
+	rebuildStartTime  time.Time
+	rebuildLastItemID string
+	rebuildLastChunks int
 }

 // NewIndexer 创建索引器并编译 Eino 索引链；kcfg 为完整知识库配置（含 indexing 与路径相关行为）。
@@ -108,9 +108,9 @@ func (r *RetrievalLog) MarshalJSON() ([]byte, error) {

 // CategoryWithItems 分类及其下的知识项（用于按分类分页）
 type CategoryWithItems struct {
-	Category  string                `json:"category"`           // 分类名称
-	ItemCount int                   `json:"itemCount"`          // 该分类下的知识项总数
-	Items     []*KnowledgeItemSummary `json:"items"`            // 该分类下的知识项列表
+	Category  string                  `json:"category"`  // 分类名称
+	ItemCount int                     `json:"itemCount"` // 该分类下的知识项总数
+	Items     []*KnowledgeItemSummary `json:"items"`     // 该分类下的知识项列表
 }

 // SearchRequest 搜索请求
@@ -55,14 +55,14 @@ func New(level, output string) *Logger {
 }

 func (l *Logger) Fatal(msg string, fields ...interface{}) {
-    zapFields := make([]zap.Field, 0, len(fields))
-    for _, f := range fields {
-        switch v := f.(type) {
-        case error:
-            zapFields = append(zapFields, zap.Error(v))
-        default:
-            zapFields = append(zapFields, zap.Any("field", v))
-        }
-    }
-    l.Logger.Fatal(msg, zapFields...)
+	zapFields := make([]zap.Field, 0, len(fields))
+	for _, f := range fields {
+		switch v := f.(type) {
+		case error:
+			zapFields = append(zapFields, zap.Error(v))
+		default:
+			zapFields = append(zapFields, zap.Any("field", v))
+		}
+	}
+	l.Logger.Fatal(msg, zapFields...)
 }
@@ -62,7 +62,7 @@ func TestExternalMCPManager_RemoveConfig(t *testing.T) {
 	manager := NewExternalMCPManager(logger)

 	cfg := config.ExternalMCPServerConfig{
-		Command:   "python3",
+		Command:           "python3",
 		ExternalMCPEnable: false,
 	}

@@ -86,17 +86,17 @@ func TestExternalMCPManager_GetStats(t *testing.T) {

 	// 添加多个配置
 	manager.AddOrUpdateConfig("enabled1", config.ExternalMCPServerConfig{
-		Command: "python3",
+		Command:           "python3",
 		ExternalMCPEnable: true,
 	})

 	manager.AddOrUpdateConfig("enabled2", config.ExternalMCPServerConfig{
-		URL:     "http://127.0.0.1:8081/mcp",
+		URL:               "http://127.0.0.1:8081/mcp",
 		ExternalMCPEnable: true,
 	})

 	manager.AddOrUpdateConfig("disabled1", config.ExternalMCPServerConfig{
-		Command:  "python3",
+		Command:           "python3",
 		ExternalMCPEnable: false,
 	})

@@ -122,11 +122,11 @@ func TestExternalMCPManager_LoadConfigs(t *testing.T) {
 	externalMCPConfig := config.ExternalMCPConfig{
 		Servers: map[string]config.ExternalMCPServerConfig{
 			"loaded1": {
-				Command: "python3",
+				Command:           "python3",
 				ExternalMCPEnable: true,
 			},
 			"loaded2": {
-				URL:     "http://127.0.0.1:8081/mcp",
+				URL:               "http://127.0.0.1:8081/mcp",
 				ExternalMCPEnable: false,
 			},
 		},
@@ -153,9 +153,9 @@ func TestLazySDKClient_InitializeFails(t *testing.T) {
 	logger := zap.NewNop()
 	// 使用不存在的 HTTP 地址，Initialize 应失败
 	cfg := config.ExternalMCPServerConfig{
-		Type: "http",
-		URL:       "http://127.0.0.1:19999/nonexistent",
-		Timeout:   2,
+		Type:    "http",
+		URL:     "http://127.0.0.1:19999/nonexistent",
+		Timeout: 2,
 	}
 	c := newLazySDKClient(cfg, logger)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -176,7 +176,7 @@ func TestExternalMCPManager_StartStopClient(t *testing.T) {

 	// 添加一个禁用的配置
 	cfg := config.ExternalMCPServerConfig{
-		Command:   "python3",
+		Command:           "python3",
 		ExternalMCPEnable: false,
 	}

@@ -0,0 +1,133 @@
+package multiagent
+
+import (
+	"context"
+	"strings"
+
+	"cyberstrike-ai/internal/agent"
+
+	"github.com/bytedance/sonic"
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/schema"
+	"go.uber.org/zap"
+)
+
+type einoModelInputTelemetryMiddleware struct {
+	adk.BaseChatModelAgentMiddleware
+	logger         *zap.Logger
+	modelName      string
+	conversationID string
+	phase          string
+}
+
+func newEinoModelInputTelemetryMiddleware(
+	logger *zap.Logger,
+	modelName string,
+	conversationID string,
+	phase string,
+) adk.ChatModelAgentMiddleware {
+	if logger == nil {
+		return nil
+	}
+	return &einoModelInputTelemetryMiddleware{
+		logger:         logger,
+		modelName:      strings.TrimSpace(modelName),
+		conversationID: strings.TrimSpace(conversationID),
+		phase:          strings.TrimSpace(phase),
+	}
+}
+
+func (m *einoModelInputTelemetryMiddleware) BeforeModelRewriteState(
+	ctx context.Context,
+	state *adk.ChatModelAgentState,
+	mc *adk.ModelContext,
+) (context.Context, *adk.ChatModelAgentState, error) {
+	if m == nil || m.logger == nil || state == nil {
+		return ctx, state, nil
+	}
+	tokens := estimateTokensForMessagesAndTools(ctx, m.modelName, state.Messages, mcTools(mc))
+	m.logger.Info("eino model input estimated",
+		zap.String("phase", m.phase),
+		zap.String("conversation_id", m.conversationID),
+		zap.Int("messages", len(state.Messages)),
+		zap.Int("tools", len(mcTools(mc))),
+		zap.Int("input_tokens_estimated", tokens),
+	)
+	return ctx, state, nil
+}
+
+func mcTools(mc *adk.ModelContext) []*schema.ToolInfo {
+	if mc == nil || len(mc.Tools) == 0 {
+		return nil
+	}
+	return mc.Tools
+}
+
+func estimateTokensForMessagesAndTools(
+	_ context.Context,
+	modelName string,
+	messages []adk.Message,
+	tools []*schema.ToolInfo,
+) int {
+	var sb strings.Builder
+	for _, msg := range messages {
+		if msg == nil {
+			continue
+		}
+		sb.WriteString(string(msg.Role))
+		sb.WriteByte('\n')
+		sb.WriteString(msg.Content)
+		sb.WriteByte('\n')
+		if msg.ReasoningContent != "" {
+			sb.WriteString(msg.ReasoningContent)
+			sb.WriteByte('\n')
+		}
+		if len(msg.ToolCalls) > 0 {
+			if b, err := sonic.Marshal(msg.ToolCalls); err == nil {
+				sb.Write(b)
+				sb.WriteByte('\n')
+			}
+		}
+	}
+	for _, tl := range tools {
+		if tl == nil {
+			continue
+		}
+		cp := *tl
+		cp.Extra = nil
+		if text, err := sonic.MarshalString(cp); err == nil {
+			sb.WriteString(text)
+			sb.WriteByte('\n')
+		}
+	}
+	text := sb.String()
+	if text == "" {
+		return 0
+	}
+	tc := agent.NewTikTokenCounter()
+	if n, err := tc.Count(modelName, text); err == nil {
+		return n
+	}
+	return (len(text) + 3) / 4
+}
+
+func logPlanExecuteModelInputEstimate(
+	logger *zap.Logger,
+	modelName string,
+	conversationID string,
+	phase string,
+	msgs []adk.Message,
+) {
+	if logger == nil {
+		return
+	}
+	tokens := estimateTokensForMessagesAndTools(context.Background(), modelName, msgs, nil)
+	logger.Info("eino model input estimated",
+		zap.String("phase", phase),
+		zap.String("conversation_id", strings.TrimSpace(conversationID)),
+		zap.Int("messages", len(msgs)),
+		zap.Int("tools", 0),
+		zap.Int("input_tokens_estimated", tokens),
+	)
+}
+
@@ -8,6 +8,7 @@ import (
 	"strings"

 	"cyberstrike-ai/internal/config"
+	"cyberstrike-ai/internal/mcp/builtin"

 	localbk "github.com/cloudwego/eino-ext/adk/backend/local"
 	"github.com/cloudwego/eino/adk"
@@ -65,6 +66,66 @@ func splitToolsForToolSearch(all []tool.BaseTool, alwaysVisible int) (static []t
 	return append([]tool.BaseTool(nil), all[:alwaysVisible]...), append([]tool.BaseTool(nil), all[alwaysVisible:]...), true
 }

+func splitToolsForToolSearchByNames(all []tool.BaseTool, names []string, fallbackAlwaysVisible int) (static []tool.BaseTool, dynamic []tool.BaseTool, ok bool) {
+	nameSet := make(map[string]struct{}, len(names))
+	for _, n := range names {
+		n = strings.TrimSpace(strings.ToLower(n))
+		if n == "" {
+			continue
+		}
+		nameSet[n] = struct{}{}
+	}
+	if len(nameSet) == 0 {
+		return splitToolsForToolSearch(all, fallbackAlwaysVisible)
+	}
+	static = make([]tool.BaseTool, 0, len(all))
+	dynamic = make([]tool.BaseTool, 0, len(all))
+	for _, t := range all {
+		if t == nil {
+			continue
+		}
+		info, err := t.Info(context.Background())
+		name := ""
+		if err == nil && info != nil {
+			name = strings.TrimSpace(strings.ToLower(info.Name))
+		}
+		if _, keep := nameSet[name]; keep {
+			static = append(static, t)
+			continue
+		}
+		dynamic = append(dynamic, t)
+	}
+	if len(static) == 0 || len(dynamic) == 0 {
+		// fallback: preserve previous behavior when whitelist misses all or includes all.
+		return splitToolsForToolSearch(all, fallbackAlwaysVisible)
+	}
+	return static, dynamic, true
+}
+
+func mergeAlwaysVisibleToolNames(configured []string) []string {
+	merged := make([]string, 0, len(configured)+32)
+	seen := make(map[string]struct{}, len(configured)+32)
+	add := func(name string) {
+		n := strings.TrimSpace(strings.ToLower(name))
+		if n == "" {
+			return
+		}
+		if _, ok := seen[n]; ok {
+			return
+		}
+		seen[n] = struct{}{}
+		merged = append(merged, n)
+	}
+	for _, n := range configured {
+		add(n)
+	}
+	// Always include hardcoded backend builtin MCP tools from constants.
+	for _, n := range builtin.GetAllBuiltinTools() {
+		add(n)
+	}
+	return merged
+}
+
 func buildReductionMiddleware(ctx context.Context, mw config.MultiAgentEinoMiddlewareConfig, convID string, loc *localbk.Local, logger *zap.Logger) (adk.ChatModelAgentMiddleware, error) {
 	if loc == nil {
 		return nil, fmt.Errorf("reduction: local backend nil")
@@ -87,6 +148,8 @@ func buildReductionMiddleware(ctx context.Context, mw config.MultiAgentEinoMiddl
 		RootDir:           root,
 		ReadFileToolName:  "read_file",
 		ClearExcludeTools: excl,
+		MaxLengthForTrunc: mw.ReductionMaxLengthForTruncEffective(),
+		MaxTokensForClear: int64(mw.ReductionMaxTokensForClearEffective()),
 	})
 	if err != nil {
 		return nil, err
@@ -142,7 +205,7 @@ func prependEinoMiddlewares(
 		alwaysVis = 12
 	}
 	if mw.ToolSearchEnable && len(tools) >= minTools {
-		static, dynamic, split := splitToolsForToolSearch(tools, alwaysVis)
+		static, dynamic, split := splitToolsForToolSearchByNames(tools, mergeAlwaysVisibleToolNames(mw.ToolSearchAlwaysVisibleTools), alwaysVis)
 		if split && len(dynamic) > 0 {
 			ts, terr := toolsearch.New(ctx, &toolsearch.Config{DynamicTools: dynamic})
 			if terr != nil {
@@ -0,0 +1,38 @@
+package multiagent
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/cloudwego/eino/adk"
+)
+
+func applyBeforeModelRewriteHandlers(
+	ctx context.Context,
+	msgs []adk.Message,
+	handlers []adk.ChatModelAgentMiddleware,
+) ([]adk.Message, error) {
+	if len(msgs) == 0 || len(handlers) == 0 {
+		return msgs, nil
+	}
+	state := &adk.ChatModelAgentState{Messages: msgs}
+	modelCtx := &adk.ModelContext{}
+	curCtx := ctx
+	for _, h := range handlers {
+		if h == nil {
+			continue
+		}
+		nextCtx, nextState, err := h.BeforeModelRewriteState(curCtx, state, modelCtx)
+		if err != nil {
+			return nil, fmt.Errorf("before model rewrite: %w", err)
+		}
+		if nextCtx != nil {
+			curCtx = nextCtx
+		}
+		if nextState != nil {
+			state = nextState
+		}
+	}
+	return state.Messages, nil
+}
+
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"

+	"cyberstrike-ai/internal/agent"
 	"cyberstrike-ai/internal/config"

 	"github.com/cloudwego/eino-ext/components/model/openai"
@@ -25,7 +26,12 @@ type PlanExecuteRootArgs struct {
 	LoopMaxIter          int
 	// AppCfg / Logger 非空时为 Executor 挂载与 Deep/Supervisor 一致的 Eino summarization 中间件。
 	AppCfg *config.Config
+	MwCfg  *config.MultiAgentEinoMiddlewareConfig
+	// ConversationID is used for transcript/isolation paths in middleware.
+	ConversationID string
 	Logger *zap.Logger
+	// ModelName is used for model input token estimation logs.
+	ModelName string
 	// ExecPreMiddlewares 是由 prependEinoMiddlewares 构建的前置中间件（patchtoolcalls, reduction, toolsearch, plantask），
 	// 与 Deep/Supervisor 主代理的 mainOrchestratorPre 一致。
 	ExecPreMiddlewares []adk.ChatModelAgentMiddleware
@@ -33,6 +39,8 @@ type PlanExecuteRootArgs struct {
 	SkillMiddleware adk.ChatModelAgentMiddleware
 	// FilesystemMiddleware 是 Eino filesystem 中间件，当 eino_skills.filesystem_tools 启用时提供本机文件读写与 Shell 能力（可选）。
 	FilesystemMiddleware adk.ChatModelAgentMiddleware
+	// PlannerReplannerRewriteHandlers applies BeforeModelRewriteState pipeline for planner/replanner input.
+	PlannerReplannerRewriteHandlers []adk.ChatModelAgentMiddleware
 }

 // NewPlanExecuteRoot 返回 plan → execute → replan 预置编排根节点（与 Deep / Supervisor 并列）。
@@ -50,7 +58,7 @@ func NewPlanExecuteRoot(ctx context.Context, a *PlanExecuteRootArgs) (adk.Resuma
 	plannerCfg := &planexecute.PlannerConfig{
 		ToolCallingChatModel: tcm,
 	}
-	if fn := planExecutePlannerGenInput(a.OrchInstruction); fn != nil {
+	if fn := planExecutePlannerGenInput(a.OrchInstruction, a.AppCfg, a.MwCfg, a.Logger, a.ModelName, a.ConversationID, a.PlannerReplannerRewriteHandlers); fn != nil {
 		plannerCfg.GenInputFn = fn
 	}
 	planner, err := planexecute.NewPlanner(ctx, plannerCfg)
@@ -59,7 +67,7 @@ func NewPlanExecuteRoot(ctx context.Context, a *PlanExecuteRootArgs) (adk.Resuma
 	}
 	replanner, err := planexecute.NewReplanner(ctx, &planexecute.ReplannerConfig{
 		ChatModel:  tcm,
-		GenInputFn: planExecuteReplannerGenInput(a.OrchInstruction),
+		GenInputFn: planExecuteReplannerGenInput(a.OrchInstruction, a.AppCfg, a.MwCfg, a.Logger, a.ModelName, a.ConversationID, a.PlannerReplannerRewriteHandlers),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("plan_execute replanner: %w", err)
@@ -81,17 +89,23 @@ func NewPlanExecuteRoot(ctx context.Context, a *PlanExecuteRootArgs) (adk.Resuma
 	}
 	// 4. summarization（最后，与 Deep/Supervisor 一致）
 	if a.AppCfg != nil {
-		sumMw, sumErr := newEinoSummarizationMiddleware(ctx, a.ExecModel, a.AppCfg, a.Logger)
+		sumMw, sumErr := newEinoSummarizationMiddleware(ctx, a.ExecModel, a.AppCfg, a.MwCfg, a.ConversationID, a.Logger)
 		if sumErr != nil {
 			return nil, fmt.Errorf("plan_execute executor summarization: %w", sumErr)
 		}
 		execHandlers = append(execHandlers, sumMw)
 	}
+	// 5. 孤儿 tool 消息兜底：必须挂在所有改写历史中间件（summarization/reduction/skill）之后、
+	//    telemetry 之前，保证送入 ChatModel 的消息序列 tool_call ↔ tool_result 配对完整。
+	execHandlers = append(execHandlers, newOrphanToolPrunerMiddleware(a.Logger, "plan_execute_executor"))
+	if teleMw := newEinoModelInputTelemetryMiddleware(a.Logger, a.ModelName, a.ConversationID, "plan_execute_executor"); teleMw != nil {
+		execHandlers = append(execHandlers, teleMw)
+	}
 	executor, err := newPlanExecuteExecutor(ctx, &planexecute.ExecutorConfig{
 		Model:         a.ExecModel,
 		ToolsConfig:   a.ToolsCfg,
 		MaxIterations: a.ExecMaxIter,
-		GenInputFn:    planExecuteExecutorGenInput(a.OrchInstruction),
+		GenInputFn:    planExecuteExecutorGenInput(a.OrchInstruction, a.AppCfg, a.MwCfg, a.Logger, a.ModelName, a.ConversationID),
 	}, execHandlers)
 	if err != nil {
 		return nil, fmt.Errorf("plan_execute executor: %w", err)
@@ -110,20 +124,42 @@ func NewPlanExecuteRoot(ctx context.Context, a *PlanExecuteRootArgs) (adk.Resuma

 // planExecutePlannerGenInput 将 orchestrator instruction 作为 SystemMessage 注入 planner 输入。
 // 返回 nil 时 Eino 使用内置默认 planner prompt。
-func planExecutePlannerGenInput(orchInstruction string) planexecute.GenPlannerModelInputFn {
+func planExecutePlannerGenInput(
+	orchInstruction string,
+	appCfg *config.Config,
+	mwCfg *config.MultiAgentEinoMiddlewareConfig,
+	logger *zap.Logger,
+	modelName string,
+	conversationID string,
+	rewriteHandlers []adk.ChatModelAgentMiddleware,
+) planexecute.GenPlannerModelInputFn {
 	oi := strings.TrimSpace(orchInstruction)
-	if oi == "" {
+	if oi == "" && appCfg == nil {
 		return nil
 	}
 	return func(ctx context.Context, userInput []adk.Message) ([]adk.Message, error) {
+		userInput = capPlanExecuteUserInputMessages(userInput, appCfg, mwCfg)
 		msgs := make([]adk.Message, 0, 1+len(userInput))
-		msgs = append(msgs, schema.SystemMessage(oi))
+		if oi != "" {
+			msgs = append(msgs, schema.SystemMessage(oi))
+		}
 		msgs = append(msgs, userInput...)
+		if rewritten, rerr := applyBeforeModelRewriteHandlers(ctx, msgs, rewriteHandlers); rerr == nil && len(rewritten) > 0 {
+			msgs = rewritten
+		}
+		logPlanExecuteModelInputEstimate(logger, modelName, conversationID, "plan_execute_planner", msgs)
 		return msgs, nil
 	}
 }

-func planExecuteExecutorGenInput(orchInstruction string) planexecute.GenModelInputFn {
+func planExecuteExecutorGenInput(
+	orchInstruction string,
+	appCfg *config.Config,
+	mwCfg *config.MultiAgentEinoMiddlewareConfig,
+	logger *zap.Logger,
+	modelName string,
+	conversationID string,
+) planexecute.GenModelInputFn {
 	oi := strings.TrimSpace(orchInstruction)
 	return func(ctx context.Context, in *planexecute.ExecutionContext) ([]adk.Message, error) {
 		planContent, err := in.Plan.MarshalJSON()
@@ -131,9 +167,9 @@ func planExecuteExecutorGenInput(orchInstruction string) planexecute.GenModelInp
 			return nil, err
 		}
 		userMsgs, err := planexecute.ExecutorPrompt.Format(ctx, map[string]any{
-			"input":          planExecuteFormatInput(in.UserInput),
+			"input":          planExecuteFormatInput(capPlanExecuteUserInputMessages(in.UserInput, appCfg, mwCfg)),
 			"plan":           string(planContent),
-			"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps),
+			"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps, appCfg, mwCfg),
 			"step":           in.Plan.FirstStep(),
 		})
 		if err != nil {
@@ -142,6 +178,7 @@ func planExecuteExecutorGenInput(orchInstruction string) planexecute.GenModelInp
 		if oi != "" {
 			userMsgs = append([]adk.Message{schema.SystemMessage(oi)}, userMsgs...)
 		}
+		logPlanExecuteModelInputEstimate(logger, modelName, conversationID, "plan_execute_executor_gen_input", userMsgs)
 		return userMsgs, nil
 	}
 }
@@ -155,18 +192,22 @@ func planExecuteFormatInput(input []adk.Message) string {
 	return sb.String()
 }

-func planExecuteFormatExecutedSteps(results []planexecute.ExecutedStep) string {
-	capped := capPlanExecuteExecutedSteps(results)
-	var sb strings.Builder
-	for _, result := range capped {
-		sb.WriteString(fmt.Sprintf("Step: %s\nResult: %s\n\n", result.Step, result.Result))
-	}
-	return sb.String()
+func planExecuteFormatExecutedSteps(results []planexecute.ExecutedStep, appCfg *config.Config, mwCfg *config.MultiAgentEinoMiddlewareConfig) string {
+	capped := capPlanExecuteExecutedStepsWithConfig(results, mwCfg)
+	return renderPlanExecuteStepsByBudget(capped, appCfg, mwCfg)
 }

 // planExecuteReplannerGenInput 与 Eino 默认 Replanner 输入一致，但 executed_steps 经 cap 后再写入 prompt，
 // 且在 orchInstruction 非空时 prepend SystemMessage 使 replanner 也能接收全局指令。
-func planExecuteReplannerGenInput(orchInstruction string) planexecute.GenModelInputFn {
+func planExecuteReplannerGenInput(
+	orchInstruction string,
+	appCfg *config.Config,
+	mwCfg *config.MultiAgentEinoMiddlewareConfig,
+	logger *zap.Logger,
+	modelName string,
+	conversationID string,
+	rewriteHandlers []adk.ChatModelAgentMiddleware,
+) planexecute.GenModelInputFn {
 	oi := strings.TrimSpace(orchInstruction)
 	return func(ctx context.Context, in *planexecute.ExecutionContext) ([]adk.Message, error) {
 		planContent, err := in.Plan.MarshalJSON()
@@ -175,8 +216,8 @@ func planExecuteReplannerGenInput(orchInstruction string) planexecute.GenModelIn
 		}
 		msgs, err := planexecute.ReplannerPrompt.Format(ctx, map[string]any{
 			"plan":           string(planContent),
-			"input":          planExecuteFormatInput(in.UserInput),
-			"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps),
+			"input":          planExecuteFormatInput(capPlanExecuteUserInputMessages(in.UserInput, appCfg, mwCfg)),
+			"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps, appCfg, mwCfg),
 			"plan_tool":      planexecute.PlanToolInfo.Name,
 			"respond_tool":   planexecute.RespondToolInfo.Name,
 		})
@@ -186,10 +227,120 @@ func planExecuteReplannerGenInput(orchInstruction string) planexecute.GenModelIn
 		if oi != "" {
 			msgs = append([]adk.Message{schema.SystemMessage(oi)}, msgs...)
 		}
+		if rewritten, rerr := applyBeforeModelRewriteHandlers(ctx, msgs, rewriteHandlers); rerr == nil && len(rewritten) > 0 {
+			msgs = rewritten
+		}
+		logPlanExecuteModelInputEstimate(logger, modelName, conversationID, "plan_execute_replanner", msgs)
 		return msgs, nil
 	}
 }

+func capPlanExecuteUserInputMessages(input []adk.Message, appCfg *config.Config, mwCfg *config.MultiAgentEinoMiddlewareConfig) []adk.Message {
+	if len(input) == 0 {
+		return input
+	}
+	maxTotal := 120000
+	modelName := "gpt-4o"
+	if appCfg != nil {
+		if appCfg.OpenAI.MaxTotalTokens > 0 {
+			maxTotal = appCfg.OpenAI.MaxTotalTokens
+		}
+		if m := strings.TrimSpace(appCfg.OpenAI.Model); m != "" {
+			modelName = m
+		}
+	}
+	// Reserve most tokens for planner/replanner prompt and tool schema.
+	ratio := 0.35
+	if mwCfg != nil {
+		ratio = mwCfg.PlanExecuteUserInputBudgetRatioEffective()
+	}
+	budget := int(float64(maxTotal) * ratio)
+	if budget < 4096 {
+		budget = 4096
+	}
+	tc := agent.NewTikTokenCounter()
+	out := make([]adk.Message, 0, len(input))
+	used := 0
+	for i := len(input) - 1; i >= 0; i-- {
+		msg := input[i]
+		if msg == nil {
+			continue
+		}
+		n, err := tc.Count(modelName, string(msg.Role)+"\n"+msg.Content)
+		if err != nil {
+			n = (len(msg.Content) + 3) / 4
+		}
+		if n <= 0 {
+			n = 1
+		}
+		if used+n > budget {
+			break
+		}
+		used += n
+		out = append(out, msg)
+	}
+	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
+		out[i], out[j] = out[j], out[i]
+	}
+	if len(out) == 0 {
+		// Keep the latest user message at least.
+		return []adk.Message{input[len(input)-1]}
+	}
+	return out
+}
+
+func renderPlanExecuteStepsByBudget(steps []planexecute.ExecutedStep, appCfg *config.Config, mwCfg *config.MultiAgentEinoMiddlewareConfig) string {
+	if len(steps) == 0 {
+		return ""
+	}
+	maxTotal := 120000
+	modelName := "gpt-4o"
+	if appCfg != nil {
+		if appCfg.OpenAI.MaxTotalTokens > 0 {
+			maxTotal = appCfg.OpenAI.MaxTotalTokens
+		}
+		if m := strings.TrimSpace(appCfg.OpenAI.Model); m != "" {
+			modelName = m
+		}
+	}
+	ratio := 0.2
+	if mwCfg != nil {
+		ratio = mwCfg.PlanExecuteExecutedStepsBudgetRatioEffective()
+	}
+	budget := int(float64(maxTotal) * ratio)
+	if budget < 3072 {
+		budget = 3072
+	}
+	tc := agent.NewTikTokenCounter()
+	var kept []string
+	used := 0
+	skipped := 0
+	for i := len(steps) - 1; i >= 0; i-- {
+		block := fmt.Sprintf("Step: %s\nResult: %s\n\n", steps[i].Step, steps[i].Result)
+		n, err := tc.Count(modelName, block)
+		if err != nil {
+			n = (len(block) + 3) / 4
+		}
+		if n <= 0 {
+			n = 1
+		}
+		if used+n > budget {
+			skipped = i + 1
+			break
+		}
+		used += n
+		kept = append(kept, block)
+	}
+	var sb strings.Builder
+	if skipped > 0 {
+		sb.WriteString(fmt.Sprintf("Earlier executed steps omitted due to context budget: %d steps.\n\n", skipped))
+	}
+	for i := len(kept) - 1; i >= 0; i-- {
+		sb.WriteString(kept[i])
+	}
+	return sb.String()
+}
+
 // planExecuteStreamsMainAssistant 将规划/执行/重规划各阶段助手流式输出映射到主对话区。
 func planExecuteStreamsMainAssistant(agent string) bool {
 	if agent == "" {
@@ -125,7 +125,7 @@ func RunEinoSingleChatModelAgent(
 		return nil, fmt.Errorf("eino single 模型: %w", err)
 	}

-	mainSumMw, err := newEinoSummarizationMiddleware(ctx, mainModel, appCfg, logger)
+	mainSumMw, err := newEinoSummarizationMiddleware(ctx, mainModel, appCfg, &ma.EinoMiddleware, conversationID, logger)
 	if err != nil {
 		return nil, fmt.Errorf("eino single summarization: %w", err)
 	}
@@ -145,6 +145,9 @@ func RunEinoSingleChatModelAgent(
 		handlers = append(handlers, einoSkillMW)
 	}
 	handlers = append(handlers, mainSumMw)
+	if teleMw := newEinoModelInputTelemetryMiddleware(logger, appCfg.OpenAI.Model, conversationID, "eino_single"); teleMw != nil {
+		handlers = append(handlers, teleMw)
+	}

 	maxIter := ma.MaxIteration
 	if maxIter <= 0 {
@@ -159,16 +162,35 @@ func RunEinoSingleChatModelAgent(
 			Tools:               mainToolsForCfg,
 			UnknownToolsHandler: einomcp.UnknownToolReminderHandler(),
 			ToolCallMiddlewares: []compose.ToolMiddleware{
+				{Invokable: hitlToolCallMiddleware()},
 				{Invokable: softRecoveryToolCallMiddleware()},
 			},
 		},
 		EmitInternalEvents: true,
 	}
+	ins := injectToolNamesOnlyInstruction(ctx, ag.EinoSingleAgentSystemInstruction(), mainTools)
+	if logger != nil {
+		names := collectToolNames(ctx, mainTools)
+		mountedNames := collectToolNames(ctx, mainToolsForCfg)
+		hasToolSearch := false
+		for _, n := range names {
+			if strings.EqualFold(strings.TrimSpace(n), "tool_search") {
+				hasToolSearch = true
+				break
+			}
+		}
+		logger.Info("eino tool-name injection",
+			zap.String("scope", "eino_single"),
+			zap.Int("tool_names", len(names)),
+			zap.Int("mounted_tool_names", len(mountedNames)),
+			zap.Bool("has_tool_search", hasToolSearch),
+		)
+	}

 	chatCfg := &adk.ChatModelAgentConfig{
 		Name:          einoSingleAgentName,
 		Description:   "Eino ADK ChatModelAgent with MCP tools for authorized security testing.",
-		Instruction:   ag.EinoSingleAgentSystemInstruction(),
+		Instruction:   ins,
 		Model:         mainModel,
 		ToolsConfig:   mainToolsCfg,
 		MaxIterations: maxIter,
@@ -187,7 +209,7 @@ func RunEinoSingleChatModelAgent(
 		return nil, fmt.Errorf("eino single NewChatModelAgent: %w", err)
 	}

-	baseMsgs := historyToMessages(history)
+	baseMsgs := historyToMessages(history, appCfg, &ma.EinoMiddleware)
 	baseMsgs = append(baseMsgs, schema.UserMessage(userMessage))

 	streamsMainAssistant := func(agent string) bool {
@@ -3,6 +3,8 @@ package multiagent
 import (
 	"context"
 	"fmt"
+	"os"
+	"path/filepath"
 	"strings"

 	"cyberstrike-ai/internal/agent"
@@ -32,6 +34,8 @@ func newEinoSummarizationMiddleware(
 	ctx context.Context,
 	summaryModel model.BaseChatModel,
 	appCfg *config.Config,
+	mwCfg *config.MultiAgentEinoMiddlewareConfig,
+	conversationID string,
 	logger *zap.Logger,
 ) (adk.ChatModelAgentMiddleware, error) {
 	if summaryModel == nil || appCfg == nil {
@@ -41,7 +45,14 @@ func newEinoSummarizationMiddleware(
 	if maxTotal <= 0 {
 		maxTotal = 120000
 	}
-	trigger := int(float64(maxTotal) * 0.9)
+	triggerRatio := 0.8
+	emitInternalEvents := true
+	if mwCfg != nil {
+		triggerRatio = mwCfg.SummarizationTriggerRatioEffective()
+		emitInternalEvents = mwCfg.SummarizationEmitInternalEventsEffective()
+	}
+	// Keep enough safety margin for tokenizer/model-side accounting mismatch.
+	trigger := int(float64(maxTotal) * triggerRatio)
 	if trigger < 4096 {
 		trigger = maxTotal
 		if trigger < 4096 {
@@ -57,28 +68,57 @@ func newEinoSummarizationMiddleware(
 	if modelName == "" {
 		modelName = "gpt-4o"
 	}
+	tokenCounter := einoSummarizationTokenCounter(modelName)
+	recentTrailMax := trigger / 4
+	if recentTrailMax < 2048 {
+		recentTrailMax = 2048
+	}
+	if recentTrailMax > trigger/2 {
+		recentTrailMax = trigger / 2
+	}
+	transcriptPath := ""
+	if conv := strings.TrimSpace(conversationID); conv != "" {
+		baseRoot := filepath.Join(os.TempDir(), "cyberstrike-summarization")
+		if dbPath := strings.TrimSpace(appCfg.Database.Path); dbPath != "" {
+			// Persist with the same lifecycle as local conversation storage.
+			baseRoot = filepath.Join(filepath.Dir(dbPath), "conversation_artifacts", sanitizeEinoPathSegment(conv), "summarization")
+		}
+		base := baseRoot
+		if mkErr := os.MkdirAll(base, 0o755); mkErr == nil {
+			transcriptPath = filepath.Join(base, "transcript.txt")
+		}
+	}

 	mw, err := summarization.New(ctx, &summarization.Config{
 		Model: summaryModel,
 		Trigger: &summarization.TriggerCondition{
 			ContextTokens: trigger,
 		},
-		TokenCounter:       einoSummarizationTokenCounter(modelName),
+		TokenCounter:       tokenCounter,
 		UserInstruction:    einoSummarizeUserInstruction,
-		EmitInternalEvents: false,
+		EmitInternalEvents: emitInternalEvents,
+		TranscriptFilePath: transcriptPath,
 		PreserveUserMessages: &summarization.PreserveUserMessages{
 			Enabled:   true,
 			MaxTokens: preserveMax,
 		},
+		Finalize: func(ctx context.Context, originalMessages []adk.Message, summary adk.Message) ([]adk.Message, error) {
+			return summarizeFinalizeWithRecentAssistantToolTrail(ctx, originalMessages, summary, tokenCounter, recentTrailMax)
+		},
 		Callback: func(ctx context.Context, before, after adk.ChatModelAgentState) error {
 			if logger == nil {
 				return nil
 			}
+			beforeTokens, _ := tokenCounter(ctx, &summarization.TokenCounterInput{Messages: before.Messages})
+			afterTokens, _ := tokenCounter(ctx, &summarization.TokenCounterInput{Messages: after.Messages})
 			logger.Info("eino summarization 已压缩上下文",
 				zap.Int("messages_before", len(before.Messages)),
 				zap.Int("messages_after", len(after.Messages)),
+				zap.Int("tokens_before_estimated", beforeTokens),
+				zap.Int("tokens_after_estimated", afterTokens),
 				zap.Int("max_total_tokens", maxTotal),
 				zap.Int("trigger_context_tokens", trigger),
+				zap.String("transcript_file", transcriptPath),
 			)
 			return nil
 		},
@@ -89,6 +129,172 @@ func newEinoSummarizationMiddleware(
 	return mw, nil
 }

+// summarizeFinalizeWithRecentAssistantToolTrail 在摘要消息后保留最近 assistant/tool 轨迹，避免压缩后执行链断裂。
+//
+// 关键不变量：tool_call ↔ tool_result 的 pair 必须整体保留或整体丢弃。
+// 把消息切成 round（回合）为原子单位：
+//   - user(...) 单条为一个 round；
+//   - assistant(tool_calls=[...]) 及其后连续的 role=tool 消息合成一个 round；
+//   - 其它 assistant(reply, 无 tool_calls) 单条为一个 round。
+//
+// 倒序挑 round（预算不够即放弃该 round），保证 tool 消息不会跨 round 被孤立。
+func summarizeFinalizeWithRecentAssistantToolTrail(
+	ctx context.Context,
+	originalMessages []adk.Message,
+	summary adk.Message,
+	tokenCounter summarization.TokenCounterFunc,
+	recentTrailTokenBudget int,
+) ([]adk.Message, error) {
+	systemMsgs := make([]adk.Message, 0, len(originalMessages))
+	nonSystem := make([]adk.Message, 0, len(originalMessages))
+	for _, msg := range originalMessages {
+		if msg == nil {
+			continue
+		}
+		if msg.Role == schema.System {
+			systemMsgs = append(systemMsgs, msg)
+			continue
+		}
+		nonSystem = append(nonSystem, msg)
+	}
+
+	if recentTrailTokenBudget <= 0 || len(nonSystem) == 0 {
+		out := make([]adk.Message, 0, len(systemMsgs)+1)
+		out = append(out, systemMsgs...)
+		out = append(out, summary)
+		return out, nil
+	}
+
+	rounds := splitMessagesIntoRounds(nonSystem)
+	if len(rounds) == 0 {
+		out := make([]adk.Message, 0, len(systemMsgs)+1)
+		out = append(out, systemMsgs...)
+		out = append(out, summary)
+		return out, nil
+	}
+
+	// 目标：至少保留 minRounds 个 round 的执行轨迹；在预算允许时尽量多保留。
+	// 优先确保最后一个 round（通常是最新的 tool 往返或 assistant 回复）存在。
+	const minRounds = 2
+
+	selectedRoundsReverse := make([]messageRound, 0, 8)
+	selectedCount := 0
+	totalTokens := 0
+
+	tokensOfRound := func(r messageRound) (int, error) {
+		if len(r.messages) == 0 {
+			return 0, nil
+		}
+		n, err := tokenCounter(ctx, &summarization.TokenCounterInput{Messages: r.messages})
+		if err != nil {
+			return 0, err
+		}
+		if n <= 0 {
+			n = len(r.messages)
+		}
+		return n, nil
+	}
+
+	for i := len(rounds) - 1; i >= 0; i-- {
+		r := rounds[i]
+		n, err := tokensOfRound(r)
+		if err != nil {
+			return nil, err
+		}
+		// 预算不够：已经保留了足够 round 则停，否则跳过该 round 继续往前找
+		// （避免一个超大 round 挤占全部预算，至少保证有轨迹）。
+		if totalTokens+n > recentTrailTokenBudget {
+			if selectedCount >= minRounds {
+				break
+			}
+			continue
+		}
+		totalTokens += n
+		selectedRoundsReverse = append(selectedRoundsReverse, r)
+		selectedCount++
+	}
+
+	// 还原时间顺序
+	selectedMsgs := make([]adk.Message, 0, 8)
+	for i := len(selectedRoundsReverse) - 1; i >= 0; i-- {
+		selectedMsgs = append(selectedMsgs, selectedRoundsReverse[i].messages...)
+	}
+
+	out := make([]adk.Message, 0, len(systemMsgs)+1+len(selectedMsgs))
+	out = append(out, systemMsgs...)
+	out = append(out, summary)
+	out = append(out, selectedMsgs...)
+	return out, nil
+}
+
+// messageRound 表示一个"不可分割"的消息回合。
+//   - 对 assistant(tool_calls) + 随后若干 tool 消息的组合，round 内全部 call_id 成对完整；
+//   - 对独立的 user / assistant(reply) 消息，round 仅包含该条消息。
+type messageRound struct {
+	messages []adk.Message
+}
+
+// splitMessagesIntoRounds 将非 system 消息切分为若干 round，保证：
+//   - 每个 assistant(tool_calls) 与其对应的 role=tool 响应消息在同一个 round；
+//   - 孤立（无对应 assistant(tool_calls)）的 role=tool 消息不会单独成为 round，
+//     而是被丢弃（这些消息在 pair 完整性层面已属孤儿，保留反而会触发 LLM 400）。
+func splitMessagesIntoRounds(msgs []adk.Message) []messageRound {
+	if len(msgs) == 0 {
+		return nil
+	}
+	rounds := make([]messageRound, 0, len(msgs))
+	i := 0
+	for i < len(msgs) {
+		msg := msgs[i]
+		if msg == nil {
+			i++
+			continue
+		}
+		switch {
+		case msg.Role == schema.Assistant && len(msg.ToolCalls) > 0:
+			// 收集该 assistant 提供的 call_id 集合。
+			provided := make(map[string]struct{}, len(msg.ToolCalls))
+			for _, tc := range msg.ToolCalls {
+				if tc.ID != "" {
+					provided[tc.ID] = struct{}{}
+				}
+			}
+			round := messageRound{messages: []adk.Message{msg}}
+			j := i + 1
+			for j < len(msgs) {
+				next := msgs[j]
+				if next == nil {
+					j++
+					continue
+				}
+				if next.Role != schema.Tool {
+					break
+				}
+				if next.ToolCallID != "" {
+					if _, ok := provided[next.ToolCallID]; !ok {
+						// 下一条 tool 不属于当前 assistant，认为当前 round 结束。
+						break
+					}
+				}
+				round.messages = append(round.messages, next)
+				j++
+			}
+			rounds = append(rounds, round)
+			i = j
+		case msg.Role == schema.Tool:
+			// 孤儿 tool 消息：既不跟随在一个 assistant(tool_calls) 后，
+			// 说明它对应的 assistant 已被上游裁剪；直接丢弃，下一步到 orphan pruner
+			// 兜底也不会出错，但在 round 切分这里就剔除更干净。
+			i++
+		default:
+			// user / assistant(reply) / 其它：单条成 round。
+			rounds = append(rounds, messageRound{messages: []adk.Message{msg}})
+			i++
+		}
+	}
+	return rounds
+}
+
 func einoSummarizationTokenCounter(openAIModel string) summarization.TokenCounterFunc {
 	tc := agent.NewTikTokenCounter()
 	return func(ctx context.Context, input *summarization.TokenCounterInput) (int, error) {
@@ -0,0 +1,345 @@
+package multiagent
+
+import (
+	"context"
+	"testing"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/adk/middlewares/summarization"
+	"github.com/cloudwego/eino/schema"
+)
+
+// fixedTokenCounter 让 tool 消息按 tokensPerToolMessage 计，其它消息按 1 计。
+// 用于验证 tool-round 超预算时整体被跳过的分支。
+func fixedTokenCounter(tokensPerToolMessage int) summarization.TokenCounterFunc {
+	return func(_ context.Context, in *summarization.TokenCounterInput) (int, error) {
+		total := 0
+		for _, msg := range in.Messages {
+			if msg == nil {
+				continue
+			}
+			switch msg.Role {
+			case schema.Tool:
+				total += tokensPerToolMessage
+			default:
+				total++
+			}
+		}
+		return total, nil
+	}
+}
+
+// variableTokenCounter 让 tool 消息按 len(Content) 计（可区分不同大小的 tool 结果），
+// 其它消息按 1 计；assistant 附加 len(ToolCalls) token 近似 tool_calls schema 开销。
+func variableTokenCounter() summarization.TokenCounterFunc {
+	return func(_ context.Context, in *summarization.TokenCounterInput) (int, error) {
+		total := 0
+		for _, msg := range in.Messages {
+			if msg == nil {
+				continue
+			}
+			if msg.Role == schema.Tool {
+				total += len(msg.Content)
+				continue
+			}
+			total++
+			total += len(msg.ToolCalls)
+		}
+		return total, nil
+	}
+}
+
+func TestSplitMessagesIntoRounds_Complex(t *testing.T) {
+	msgs := []adk.Message{
+		schema.UserMessage("q1"),
+		assistantToolCallsMsg("", "c1", "c2"),
+		schema.ToolMessage("r1", "c1"),
+		schema.ToolMessage("r2", "c2"),
+		schema.AssistantMessage("reply1", nil),
+		schema.UserMessage("q2"),
+		assistantToolCallsMsg("", "c3"),
+		schema.ToolMessage("r3", "c3"),
+	}
+	rounds := splitMessagesIntoRounds(msgs)
+	// 5 rounds: user(q1) | assistant(tc:c1,c2)+tool*2 | assistant(reply1) | user(q2) | assistant(tc:c3)+tool(c3)
+	if len(rounds) != 5 {
+		t.Fatalf("want 5 rounds, got %d", len(rounds))
+	}
+	// round 1 应为 tool-round，必须成对
+	r1 := rounds[1]
+	if len(r1.messages) != 3 {
+		t.Fatalf("rounds[1] size: want 3, got %d", len(r1.messages))
+	}
+	if r1.messages[0].Role != schema.Assistant || len(r1.messages[0].ToolCalls) != 2 {
+		t.Fatalf("rounds[1][0] must be assistant(tc=2)")
+	}
+	for i := 1; i < 3; i++ {
+		if r1.messages[i].Role != schema.Tool {
+			t.Fatalf("rounds[1][%d] must be tool, got %s", i, r1.messages[i].Role)
+		}
+	}
+	// 最后一个 round 成对
+	rLast := rounds[len(rounds)-1]
+	if len(rLast.messages) != 2 {
+		t.Fatalf("rounds[last] size: want 2, got %d", len(rLast.messages))
+	}
+	if rLast.messages[0].Role != schema.Assistant || rLast.messages[1].Role != schema.Tool {
+		t.Fatalf("last round must be assistant(tc)+tool(c3)")
+	}
+}
+
+func TestSplitMessagesIntoRounds_DropsOrphanTool(t *testing.T) {
+	// 起点直接是 tool 消息（孤儿）—— 应被丢弃，不独立成 round。
+	msgs := []adk.Message{
+		schema.ToolMessage("orphan", "c_old"),
+		schema.UserMessage("continue"),
+		assistantToolCallsMsg("", "c_new"),
+		schema.ToolMessage("r_new", "c_new"),
+	}
+	rounds := splitMessagesIntoRounds(msgs)
+	// user(continue) | assistant(tc:c_new)+tool(c_new) → 2 rounds
+	if len(rounds) != 2 {
+		t.Fatalf("want 2 rounds after dropping orphan, got %d", len(rounds))
+	}
+	for _, r := range rounds {
+		for _, m := range r.messages {
+			if m.Role == schema.Tool && m.ToolCallID == "c_old" {
+				t.Fatalf("orphan tool c_old must not appear in any round")
+			}
+		}
+	}
+}
+
+func TestSplitMessagesIntoRounds_ToolBelongsToCurrentAssistantOnly(t *testing.T) {
+	// 两个相邻 assistant(tc)，第二个的 tool 不应被归到第一个 assistant。
+	msgs := []adk.Message{
+		assistantToolCallsMsg("", "c1"),
+		schema.ToolMessage("r1", "c1"),
+		assistantToolCallsMsg("", "c2"),
+		schema.ToolMessage("r2", "c2"),
+	}
+	rounds := splitMessagesIntoRounds(msgs)
+	if len(rounds) != 2 {
+		t.Fatalf("want 2 rounds, got %d", len(rounds))
+	}
+	if len(rounds[0].messages) != 2 || rounds[0].messages[0].ToolCalls[0].ID != "c1" {
+		t.Fatalf("round[0] wrong: %+v", rounds[0].messages)
+	}
+	if len(rounds[1].messages) != 2 || rounds[1].messages[0].ToolCalls[0].ID != "c2" {
+		t.Fatalf("round[1] wrong: %+v", rounds[1].messages)
+	}
+}
+
+func TestSplitMessagesIntoRounds_ToolBelongsToWrongAssistant(t *testing.T) {
+	// assistant(tc:c1) 后面跟一个 tool_call_id=c999 的 tool 消息（本不属它）。
+	// 切分规则：该 tool 不应拼入第一个 round（配对不完整），round 在此结束。
+	// 而 c999 又没有对应 assistant，应被当孤儿丢弃。
+	msgs := []adk.Message{
+		assistantToolCallsMsg("", "c1"),
+		schema.ToolMessage("wrong", "c999"),
+		schema.UserMessage("hi"),
+	}
+	rounds := splitMessagesIntoRounds(msgs)
+	// assistant(tc:c1) 没有对应 tool(c1)，但不是孤儿（patchtoolcalls 会兜底补）；
+	// 它独立成 round 允许上游后处理。user(hi) 独立成 round。共 2 rounds。
+	if len(rounds) != 2 {
+		t.Fatalf("want 2 rounds, got %d: %+v", len(rounds), rounds)
+	}
+	for _, r := range rounds {
+		for _, m := range r.messages {
+			if m.Role == schema.Tool && m.ToolCallID == "c999" {
+				t.Fatalf("wrong-owner tool must be dropped as orphan")
+			}
+		}
+	}
+}
+
+func TestSummarizeFinalize_KeepsToolRoundIntact(t *testing.T) {
+	// 关键回归测试：一个 tool-round 整体被保留，而不是只保留 tool 消息。
+	sys := schema.SystemMessage("sys")
+	summary := schema.AssistantMessage("summary_content", nil)
+	msgs := []adk.Message{
+		sys,
+		schema.UserMessage("q1"),
+		schema.AssistantMessage("reply_before_tc", nil), // 填料，占预算
+		assistantToolCallsMsg("", "c1"),
+		schema.ToolMessage("r1", "c1"),
+	}
+
+	// token 预算：2 条消息（1 assistant + 1 tool）恰好够用。
+	// 若按条数保留，可能先吃 tool(c1) 再吃 assistant(reply) 落入 budget，assistant(tc:c1) 被挤掉，导致孤儿。
+	// 按 round 保留时，整个 tool-round 为原子，要么保留 2 条都在，要么都不在。
+	out, err := summarizeFinalizeWithRecentAssistantToolTrail(
+		context.Background(),
+		msgs,
+		summary,
+		fixedTokenCounter(1),
+		2, // 预算：2 tokens
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// 必须包含 system + summary
+	if len(out) < 2 {
+		t.Fatalf("output too short: %d", len(out))
+	}
+	if out[0] != sys {
+		t.Fatalf("first message must be system")
+	}
+	if out[1] != summary {
+		t.Fatalf("second message must be summary")
+	}
+
+	// 关键不变量：每个被保留的 tool 消息，必须能在输出中找到提供其 ToolCallID 的 assistant(tc)。
+	assertNoOrphanTool(t, out)
+}
+
+func TestSummarizeFinalize_SkipsOversizedToolRoundButKeepsSmallerRound(t *testing.T) {
+	// 构造两个大小差异显著的 tool-round：
+	//   c_big round 的 tool 结果 content="aaaaaaaaaa"（10 bytes），round token ≈ 2 (assistant+tc) + 10 = 12
+	//   c_ok  round 的 tool 结果 content="ok"（2 bytes），round token ≈ 2 + 2 = 4
+	// 配上 budget=8，使得：
+	//   - 最新的 c_ok round（4）能放下；
+	//   - 进一步的中间 round（assistant reply + user）也能放下；
+	//   - 更早的 c_big round（12）放不下会被跳过（continue），而非 break。
+	sys := schema.SystemMessage("sys")
+	summary := schema.AssistantMessage("summary_content", nil)
+	msgs := []adk.Message{
+		sys,
+		schema.UserMessage("q1"),
+		assistantToolCallsMsg("", "c_big"),
+		schema.ToolMessage("aaaaaaaaaa", "c_big"),
+		schema.AssistantMessage("s", nil),
+		schema.UserMessage("q2"),
+		assistantToolCallsMsg("", "c_ok"),
+		schema.ToolMessage("ok", "c_ok"),
+	}
+
+	out, err := summarizeFinalizeWithRecentAssistantToolTrail(
+		context.Background(),
+		msgs,
+		summary,
+		variableTokenCounter(),
+		8,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	assertNoOrphanTool(t, out)
+
+	// c_big 整个 round 必须被丢弃（tool 和 assistant 都不能出现）
+	for _, m := range out {
+		if m == nil {
+			continue
+		}
+		if m.Role == schema.Tool && m.ToolCallID == "c_big" {
+			t.Fatal("oversized tool round must be skipped: tool(c_big) leaked")
+		}
+		if m.Role == schema.Assistant {
+			for _, tc := range m.ToolCalls {
+				if tc.ID == "c_big" {
+					t.Fatal("oversized tool round must be skipped: assistant(tc:c_big) leaked")
+				}
+			}
+		}
+	}
+
+	// 最近 round (c_ok) 作为一个原子单位必须整体保留。
+	foundOKTool, foundOKAsst := false, false
+	for _, m := range out {
+		if m == nil {
+			continue
+		}
+		if m.Role == schema.Tool && m.ToolCallID == "c_ok" {
+			foundOKTool = true
+		}
+		if m.Role == schema.Assistant {
+			for _, tc := range m.ToolCalls {
+				if tc.ID == "c_ok" {
+					foundOKAsst = true
+				}
+			}
+		}
+	}
+	if !foundOKTool || !foundOKAsst {
+		t.Fatalf("recent tool-round (c_ok) must be retained as an atomic pair: assistantKept=%v toolKept=%v", foundOKAsst, foundOKTool)
+	}
+}
+
+func TestSummarizeFinalize_BudgetZeroFallsBackToSummaryOnly(t *testing.T) {
+	sys := schema.SystemMessage("sys")
+	summary := schema.AssistantMessage("summary", nil)
+	msgs := []adk.Message{
+		sys,
+		assistantToolCallsMsg("", "c1"),
+		schema.ToolMessage("r1", "c1"),
+	}
+	out, err := summarizeFinalizeWithRecentAssistantToolTrail(
+		context.Background(),
+		msgs,
+		summary,
+		fixedTokenCounter(1),
+		0,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(out) != 2 || out[0] != sys || out[1] != summary {
+		t.Fatalf("budget=0 must yield [system, summary] only, got %+v", out)
+	}
+}
+
+func TestSummarizeFinalize_PreservesAllSystemMessages(t *testing.T) {
+	sys1 := schema.SystemMessage("sys1")
+	sys2 := schema.SystemMessage("sys2")
+	summary := schema.AssistantMessage("s", nil)
+	msgs := []adk.Message{
+		sys1,
+		schema.UserMessage("q"),
+		sys2, // 非典型位置，但应当被 system group 捕获
+	}
+	out, err := summarizeFinalizeWithRecentAssistantToolTrail(
+		context.Background(),
+		msgs,
+		summary,
+		fixedTokenCounter(1),
+		100,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	systemCount := 0
+	for _, m := range out {
+		if m != nil && m.Role == schema.System {
+			systemCount++
+		}
+	}
+	if systemCount != 2 {
+		t.Fatalf("want 2 system messages retained, got %d", systemCount)
+	}
+}
+
+// assertNoOrphanTool 断言消息列表里的每个 role=tool 消息都能在更前面找到一个
+// assistant(tool_calls) 提供相同 ID，否则说明产生了孤儿（触发 LLM 400 的根因）。
+func assertNoOrphanTool(t *testing.T, msgs []adk.Message) {
+	t.Helper()
+	provided := make(map[string]struct{})
+	for _, m := range msgs {
+		if m == nil {
+			continue
+		}
+		if m.Role == schema.Assistant {
+			for _, tc := range m.ToolCalls {
+				if tc.ID != "" {
+					provided[tc.ID] = struct{}{}
+				}
+			}
+		}
+		if m.Role == schema.Tool && m.ToolCallID != "" {
+			if _, ok := provided[m.ToolCallID]; !ok {
+				t.Fatalf("orphan tool message found: ToolCallID=%q has no preceding assistant(tool_calls)", m.ToolCallID)
+			}
+		}
+	}
+}
@@ -0,0 +1,73 @@
+package multiagent
+
+import (
+	"context"
+	"strings"
+
+	"github.com/cloudwego/eino/components/tool"
+)
+
+// injectToolNamesOnlyInstruction prepends a compact tool-name-only section into
+// the system instruction so the model can reference current callable names.
+func injectToolNamesOnlyInstruction(ctx context.Context, instruction string, tools []tool.BaseTool) string {
+	names := collectToolNames(ctx, tools)
+	if len(names) == 0 {
+		return strings.TrimSpace(instruction)
+	}
+	hasToolSearch := false
+	for _, n := range names {
+		if strings.EqualFold(strings.TrimSpace(n), "tool_search") {
+			hasToolSearch = true
+			break
+		}
+	}
+
+	var sb strings.Builder
+	sb.WriteString("以下是当前会话中可调用的工具名称列表（仅名称，无参数定义）：\n")
+	for _, name := range names {
+		sb.WriteString("- ")
+		sb.WriteString(name)
+		sb.WriteByte('\n')
+	}
+	sb.WriteString("\n使用规则：\n")
+	sb.WriteString("1) 上述仅为名称列表，不包含参数定义。\n")
+	if hasToolSearch {
+		sb.WriteString("2) 在调用具体工具前，应先使用 tool_search 查看工具详情与参数要求，再发起调用。\n")
+	} else {
+		sb.WriteString("2) 调用具体工具前，请先确认该工具的参数要求；不确定时先澄清再调用。\n")
+	}
+	sb.WriteString("3) 不要臆造不存在的工具名。\n\n")
+	if s := strings.TrimSpace(instruction); s != "" {
+		sb.WriteString(s)
+	}
+	return sb.String()
+}
+
+func collectToolNames(ctx context.Context, tools []tool.BaseTool) []string {
+	if len(tools) == 0 {
+		return nil
+	}
+	seen := make(map[string]struct{}, len(tools))
+	out := make([]string, 0, len(tools))
+	for _, t := range tools {
+		if t == nil {
+			continue
+		}
+		info, err := t.Info(ctx)
+		if err != nil || info == nil {
+			continue
+		}
+		name := strings.TrimSpace(info.Name)
+		if name == "" {
+			continue
+		}
+		key := strings.ToLower(name)
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+		out = append(out, name)
+	}
+	return out
+}
+
@@ -0,0 +1,81 @@
+package multiagent
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/compose"
+)
+
+type hitlInterceptorKey struct{}
+
+type HITLToolInterceptor func(ctx context.Context, toolName, arguments string) (string, error)
+
+type humanRejectError struct {
+	reason string
+}
+
+func (e *humanRejectError) Error() string {
+	if strings.TrimSpace(e.reason) == "" {
+		return "rejected by user"
+	}
+	return "rejected by user: " + strings.TrimSpace(e.reason)
+}
+
+func NewHumanRejectError(reason string) error {
+	return &humanRejectError{reason: strings.TrimSpace(reason)}
+}
+
+func IsHumanRejectError(err error) bool {
+	var target *humanRejectError
+	return errors.As(err, &target)
+}
+
+func WithHITLToolInterceptor(ctx context.Context, fn HITLToolInterceptor) context.Context {
+	if fn == nil {
+		return ctx
+	}
+	return context.WithValue(ctx, hitlInterceptorKey{}, fn)
+}
+
+func hitlToolCallMiddleware() compose.InvokableToolMiddleware {
+	return func(next compose.InvokableToolEndpoint) compose.InvokableToolEndpoint {
+		return func(ctx context.Context, input *compose.ToolInput) (*compose.ToolOutput, error) {
+			if input != nil {
+				if fn, ok := ctx.Value(hitlInterceptorKey{}).(HITLToolInterceptor); ok && fn != nil {
+					edited, err := fn(ctx, input.Name, input.Arguments)
+					if err != nil {
+						if IsHumanRejectError(err) {
+							// Human rejection should be a soft tool result so the model can continue iterating.
+							msg := fmt.Sprintf("[HITL Reject] Tool '%s' was rejected by human reviewer. Reason: %s\nPlease adjust parameters/plan and continue without this call.",
+								input.Name, strings.TrimSpace(err.Error()))
+							// transfer_to_agent 在 Eino 中标记为 returnDirectly：工具成功后 ReAct 子图会直接 END，
+							// 并依赖真实工具内的 SendToolGenAction 触发移交。HITL 拒绝时不会执行真实工具，
+							// 若仍走 returnDirectly 分支，监督者会在无 Transfer 动作的情况下结束，模型不再迭代。
+							if strings.EqualFold(strings.TrimSpace(input.Name), adk.TransferToAgentToolName) {
+								_ = compose.ProcessState[*adk.State](ctx, func(_ context.Context, st *adk.State) error {
+									if st == nil {
+										return nil
+									}
+									st.ReturnDirectlyToolCallID = ""
+									st.HasReturnDirectly = false
+									st.ReturnDirectlyEvent = nil
+									return nil
+								})
+							}
+							return &compose.ToolOutput{Result: msg}, nil
+						}
+						return nil, err
+					}
+					if edited != "" {
+						input.Arguments = edited
+					}
+				}
+			}
+			return next(ctx, input)
+		}
+	}
+}
@@ -59,4 +59,3 @@ func (m *noNestedTaskMiddleware) WrapInvokableToolCall(
 		return endpoint(ctx2, argumentsInJSON, opts...)
 	}, nil
 }
-
@@ -210,7 +210,7 @@ func DefaultSupervisorOrchestratorInstruction() string {

 ## transfer 交接与防重复劳动

- 每次 transfer 前，在**本条助手正文**中写清交接包：已知主域、关键子域或主机短表、已识别端口与服务、上轮已达成共识的结论要点；勿仅依赖历史里的超长工具原始输出（上下文摘要后专家可能看不到细节）。
+- **把专家当作刚走进房间的同事——它没看过你的对话，不知道你做了什么，也不了解这个任务为什么重要。** 每次 transfer 前，在**本条助手正文**中写清交接包：已知主域、关键子域或主机短表、已识别端口与服务、上轮已达成共识的结论要点；勿仅依赖历史里的超长工具原始输出（上下文摘要后专家可能看不到细节）。
 - 写清本轮**唯一子目标**与**禁止项**（例如：不得再做全量子域枚举；仅对下列目标做 MQTT 或认证验证）。
 - 验证、利用、协议深挖应 transfer 给**对应专项**子代理；避免把「仅剩验证」的工作交给侦察类（recon）导致其从全量枚举起手。
 - 同一目标多次串行 transfer 时，每一次交接包都要带上**截至当前的共识事实**增量，勿假设专家已读过上一轮专家的隐性推理。
@@ -0,0 +1,124 @@
+package multiagent
+
+import (
+	"context"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/schema"
+	"go.uber.org/zap"
+)
+
+// orphanToolPrunerMiddleware 在每次 ChatModel 调用前剪掉没有对应 assistant(tool_calls) 的孤儿 tool 消息。
+//
+// 背景：
+//   - eino 的 summarization 中间件在触发摘要后，默认把所有非 system 消息替换为 1 条 summary 消息；
+//     本项目通过自定义 Finalize（summarizeFinalizeWithRecentAssistantToolTrail）在 summary 后回填
+//     最近的 assistant/tool 轨迹。若 Finalize 的保留策略按"条数"截断而未按 round 对齐，可能保留
+//     了 tool 结果却把对应的 assistant(tool_calls) 落在了 summary 前面，形成孤儿 tool 消息。
+//   - 同样，reduction / tool_search / 自定义断点恢复等任一改写历史的逻辑，都可能破坏
+//     tool_call ↔ tool_result 配对。
+//
+// 一旦孤儿 tool 消息进入 ChatModel，OpenAI 兼容 API（含 DashScope / 各类中转）会返回
+// 400 "No tool call found for function call output with call_id ..."，并被 Eino 包装成
+// [NodeRunError] 抛出，终止整轮编排。
+//
+// 设计取舍：
+//   - 官方 patchtoolcalls 中间件只补反向（assistant(tc) 缺 tool_result），不处理孤儿 tool。
+//     本中间件与之互补，专职兜底正向孤儿。
+//   - 仅剔除消息，不向历史里注入虚构 assistant(tc)：虚构 tool_calls 反而会误导模型后续推理。
+//     摘要已覆盖被裁剪段的语义，丢一条原始 tool 结果对对话连贯性影响最小。
+//   - 位置建议：挂在所有可能改写历史的中间件（summarization / reduction / skill / plantask /
+//     tool_search）之后，靠近 ChatModel 调用的那一端。
+type orphanToolPrunerMiddleware struct {
+	adk.BaseChatModelAgentMiddleware
+	logger *zap.Logger
+	phase  string
+}
+
+// newOrphanToolPrunerMiddleware 构造中间件。phase 仅用于日志区分 deep / supervisor /
+// plan_execute_executor / sub_agent，不影响运行时行为。
+func newOrphanToolPrunerMiddleware(logger *zap.Logger, phase string) adk.ChatModelAgentMiddleware {
+	return &orphanToolPrunerMiddleware{
+		logger: logger,
+		phase:  phase,
+	}
+}
+
+// BeforeModelRewriteState 扫描消息列表，收集 assistant.tool_calls 提供的 call_id 集合，
+// 再剔除掉 ToolCallID 不在该集合中的 role=tool 消息。
+//
+// 复杂度：O(N)。当未发现孤儿时不产生任何分配，state 原样返回以便上游快路径。
+func (m *orphanToolPrunerMiddleware) BeforeModelRewriteState(
+	ctx context.Context,
+	state *adk.ChatModelAgentState,
+	mc *adk.ModelContext,
+) (context.Context, *adk.ChatModelAgentState, error) {
+	_ = mc
+	if m == nil || state == nil || len(state.Messages) == 0 {
+		return ctx, state, nil
+	}
+
+	// 第一遍：收集所有已提供的 tool_call_id；同时快路径判定是否真的存在孤儿。
+	provided := make(map[string]struct{}, 8)
+	for _, msg := range state.Messages {
+		if msg == nil {
+			continue
+		}
+		if msg.Role == schema.Assistant {
+			for _, tc := range msg.ToolCalls {
+				if tc.ID != "" {
+					provided[tc.ID] = struct{}{}
+				}
+			}
+		}
+	}
+
+	hasOrphan := false
+	for _, msg := range state.Messages {
+		if msg == nil {
+			continue
+		}
+		if msg.Role == schema.Tool && msg.ToolCallID != "" {
+			if _, ok := provided[msg.ToolCallID]; !ok {
+				hasOrphan = true
+				break
+			}
+		}
+	}
+	if !hasOrphan {
+		return ctx, state, nil
+	}
+
+	// 第二遍：生成剪除孤儿后的新消息列表。
+	pruned := make([]adk.Message, 0, len(state.Messages))
+	droppedIDs := make([]string, 0, 2)
+	droppedNames := make([]string, 0, 2)
+	for _, msg := range state.Messages {
+		if msg == nil {
+			continue
+		}
+		if msg.Role == schema.Tool && msg.ToolCallID != "" {
+			if _, ok := provided[msg.ToolCallID]; !ok {
+				droppedIDs = append(droppedIDs, msg.ToolCallID)
+				droppedNames = append(droppedNames, msg.ToolName)
+				continue
+			}
+		}
+		pruned = append(pruned, msg)
+	}
+
+	if m.logger != nil {
+		m.logger.Warn("eino orphan tool messages pruned before model call",
+			zap.String("phase", m.phase),
+			zap.Int("dropped_count", len(droppedIDs)),
+			zap.Strings("dropped_tool_call_ids", droppedIDs),
+			zap.Strings("dropped_tool_names", droppedNames),
+			zap.Int("messages_before", len(state.Messages)),
+			zap.Int("messages_after", len(pruned)),
+		)
+	}
+
+	ns := *state
+	ns.Messages = pruned
+	return ctx, &ns, nil
+}
@@ -0,0 +1,131 @@
+package multiagent
+
+import (
+	"context"
+	"testing"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/schema"
+)
+
+func assistantToolCallsMsg(content string, callIDs ...string) *schema.Message {
+	tcs := make([]schema.ToolCall, 0, len(callIDs))
+	for _, id := range callIDs {
+		tcs = append(tcs, schema.ToolCall{
+			ID:   id,
+			Type: "function",
+			Function: schema.FunctionCall{
+				Name:      "stub_tool",
+				Arguments: `{}`,
+			},
+		})
+	}
+	return schema.AssistantMessage(content, tcs)
+}
+
+func TestOrphanToolPruner_NoOpWhenPaired(t *testing.T) {
+	mw := newOrphanToolPrunerMiddleware(nil, "test").(*orphanToolPrunerMiddleware)
+
+	msgs := []adk.Message{
+		schema.SystemMessage("sys"),
+		schema.UserMessage("hi"),
+		assistantToolCallsMsg("", "c1", "c2"),
+		schema.ToolMessage("r1", "c1"),
+		schema.ToolMessage("r2", "c2"),
+		schema.AssistantMessage("done", nil),
+	}
+	in := &adk.ChatModelAgentState{Messages: msgs}
+
+	_, out, err := mw.BeforeModelRewriteState(context.Background(), in, &adk.ModelContext{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if out == nil {
+		t.Fatal("expected non-nil state")
+	}
+	if len(out.Messages) != len(msgs) {
+		t.Fatalf("expected %d messages kept, got %d", len(msgs), len(out.Messages))
+	}
+	// 快路径：未发现孤儿时必须原地返回 state，不分配新切片。
+	if &out.Messages[0] != &msgs[0] {
+		t.Fatalf("expected state to be returned as-is (same backing slice) when no orphan present")
+	}
+}
+
+func TestOrphanToolPruner_DropsOrphanToolMessages(t *testing.T) {
+	mw := newOrphanToolPrunerMiddleware(nil, "test").(*orphanToolPrunerMiddleware)
+
+	msgs := []adk.Message{
+		schema.SystemMessage("sys"),
+		// 摘要前的 assistant(tc: c_old) 已被裁剪，但对应的 tool 结果漏保留了。
+		schema.ToolMessage("orphan result", "c_old"),
+		schema.UserMessage("continue"),
+		assistantToolCallsMsg("", "c_new"),
+		schema.ToolMessage("r_new", "c_new"),
+	}
+	in := &adk.ChatModelAgentState{Messages: msgs}
+
+	_, out, err := mw.BeforeModelRewriteState(context.Background(), in, &adk.ModelContext{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if out == nil {
+		t.Fatal("expected non-nil state")
+	}
+	if len(out.Messages) != len(msgs)-1 {
+		t.Fatalf("expected %d messages after pruning, got %d", len(msgs)-1, len(out.Messages))
+	}
+	for _, m := range out.Messages {
+		if m != nil && m.Role == schema.Tool && m.ToolCallID == "c_old" {
+			t.Fatalf("orphan tool message with ToolCallID=c_old should have been dropped")
+		}
+	}
+	// 合法的 tool(c_new) 必须保留。
+	foundNew := false
+	for _, m := range out.Messages {
+		if m != nil && m.Role == schema.Tool && m.ToolCallID == "c_new" {
+			foundNew = true
+			break
+		}
+	}
+	if !foundNew {
+		t.Fatal("paired tool message (c_new) must be retained")
+	}
+}
+
+func TestOrphanToolPruner_EmptyToolCallIDIsIgnored(t *testing.T) {
+	// 空 ToolCallID 的 tool 消息在真实场景中极罕见，但不应当被误判为孤儿。
+	// 语义上把它当作"无法校验，保留"，避免误删。
+	mw := newOrphanToolPrunerMiddleware(nil, "test").(*orphanToolPrunerMiddleware)
+
+	odd := schema.ToolMessage("no_id", "")
+	msgs := []adk.Message{
+		schema.UserMessage("hi"),
+		odd,
+		schema.AssistantMessage("ok", nil),
+	}
+	in := &adk.ChatModelAgentState{Messages: msgs}
+
+	_, out, err := mw.BeforeModelRewriteState(context.Background(), in, &adk.ModelContext{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(out.Messages) != len(msgs) {
+		t.Fatalf("empty ToolCallID tool message should be kept, got %d messages", len(out.Messages))
+	}
+}
+
+func TestOrphanToolPruner_NilAndEmpty(t *testing.T) {
+	mw := newOrphanToolPrunerMiddleware(nil, "test").(*orphanToolPrunerMiddleware)
+
+	ctx := context.Background()
+	// nil state
+	if _, out, err := mw.BeforeModelRewriteState(ctx, nil, &adk.ModelContext{}); err != nil || out != nil {
+		t.Fatalf("nil state: expected (nil,nil), got (%v,%v)", out, err)
+	}
+	// empty messages
+	empty := &adk.ChatModelAgentState{}
+	if _, out, err := mw.BeforeModelRewriteState(ctx, empty, &adk.ModelContext{}); err != nil || out != empty {
+		t.Fatalf("empty messages: expected same state, got (%v,%v)", out, err)
+	}
+}
@@ -71,7 +71,7 @@ func planExecuteDefaultGenExecutorInput(ctx context.Context, in *planexecute.Exe
 	return planexecute.ExecutorPrompt.Format(ctx, map[string]any{
 		"input":          planExecuteFormatInput(in.UserInput),
 		"plan":           string(planContent),
-		"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps),
+		"executed_steps": planExecuteFormatExecutedSteps(in.ExecutedSteps, nil, nil),
 		"step":           in.Plan.FirstStep(),
 	})
 }
@@ -5,6 +5,8 @@ import (
 	"strings"
 	"unicode/utf8"

+	"cyberstrike-ai/internal/config"
+
 	"github.com/cloudwego/eino/adk/prebuilt/planexecute"
 )

@@ -12,8 +14,11 @@ import (
 // 此处仅约束「写入模型 prompt 的视图」，不修改 Eino session 中的原始 ExecutedSteps。

 const (
-	planExecuteMaxStepResultRunes = 12000
-	planExecuteKeepLastSteps    = 16
+	defaultPlanExecuteMaxStepResultRunes = 4000
+	defaultPlanExecuteKeepLastSteps      = 8
+	// Backward-compatible aliases for tests and existing references.
+	planExecuteMaxStepResultRunes = defaultPlanExecuteMaxStepResultRunes
+	planExecuteKeepLastSteps      = defaultPlanExecuteKeepLastSteps
 )

 func truncateRunesWithSuffix(s string, maxRunes int, suffix string) string {
@@ -29,16 +34,26 @@ func truncateRunesWithSuffix(s string, maxRunes int, suffix string) string {

 // capPlanExecuteExecutedSteps 折叠较早步骤、截断单步过长结果，供 prompt 使用。
 func capPlanExecuteExecutedSteps(steps []planexecute.ExecutedStep) []planexecute.ExecutedStep {
+	return capPlanExecuteExecutedStepsWithConfig(steps, nil)
+}
+
+func capPlanExecuteExecutedStepsWithConfig(steps []planexecute.ExecutedStep, mwCfg *config.MultiAgentEinoMiddlewareConfig) []planexecute.ExecutedStep {
 	if len(steps) == 0 {
 		return steps
 	}
+	maxStepResultRunes := defaultPlanExecuteMaxStepResultRunes
+	keepLastSteps := defaultPlanExecuteKeepLastSteps
+	if mwCfg != nil {
+		maxStepResultRunes = mwCfg.PlanExecuteMaxStepResultRunesEffective()
+		keepLastSteps = mwCfg.PlanExecuteKeepLastStepsEffective()
+	}
 	out := make([]planexecute.ExecutedStep, 0, len(steps)+1)
 	start := 0
-	if len(steps) > planExecuteKeepLastSteps {
-		start = len(steps) - planExecuteKeepLastSteps
+	if len(steps) > keepLastSteps {
+		start = len(steps) - keepLastSteps
 		var b strings.Builder
 		b.WriteString(fmt.Sprintf("（上文已完成 %d 步；此处仅保留步骤标题以节省上下文，完整输出已省略。后续 %d 步仍保留正文。）\n",
-			start, planExecuteKeepLastSteps))
+			start, keepLastSteps))
 		for i := 0; i < start; i++ {
 			b.WriteString(fmt.Sprintf("- %s\n", steps[i].Step))
 		}
@@ -50,8 +65,8 @@ func capPlanExecuteExecutedSteps(steps []planexecute.ExecutedStep) []planexecute
 	suffix := "\n…[step result truncated]"
 	for i := start; i < len(steps); i++ {
 		e := steps[i]
-		if utf8.RuneCountInString(e.Result) > planExecuteMaxStepResultRunes {
-			e.Result = truncateRunesWithSuffix(e.Result, planExecuteMaxStepResultRunes, suffix)
+		if utf8.RuneCountInString(e.Result) > maxStepResultRunes {
+			e.Result = truncateRunesWithSuffix(e.Result, maxStepResultRunes, suffix)
 		}
 		out = append(out, e)
 	}
@@ -30,10 +30,10 @@ import (

 // RunResult 与单 Agent 循环结果字段对齐，便于复用存储与 SSE 收尾逻辑。
 type RunResult struct {
-	Response        string
-	MCPExecutionIDs []string
-	LastReActInput  string
-	LastReActOutput string
+	Response             string
+	MCPExecutionIDs      []string
+	LastAgentTraceInput  string // 已序列化的消息带（JSON）：原生循环或 Eino 均写入，供续跑/攻击链等恢复上下文
+	LastAgentTraceOutput string // 本轮助手侧对外展示文本（摘要或最终回复）
 }

 // toolCallPendingInfo tracks a tool_call emitted to the UI so we can later
@@ -237,7 +237,7 @@ func RunDeepAgent(
 				subMax = subDefaultIter
 			}

-			subSumMw, err := newEinoSummarizationMiddleware(ctx, subModel, appCfg, logger)
+			subSumMw, err := newEinoSummarizationMiddleware(ctx, subModel, appCfg, &ma.EinoMiddleware, conversationID, logger)
 			if err != nil {
 				return nil, fmt.Errorf("子代理 %q summarization 中间件: %w", id, err)
 			}
@@ -257,17 +257,43 @@ func RunDeepAgent(
 				subHandlers = append(subHandlers, einoSkillMW)
 			}
 			subHandlers = append(subHandlers, subSumMw)
+			// 孤儿 tool 消息兜底：放在 summarization 之后，telemetry 之前，
+			// 以便 telemetry 记录的 token 数与 LLM 实际入参一致。
+			subHandlers = append(subHandlers, newOrphanToolPrunerMiddleware(logger, "sub_agent:"+id))
+			if teleMw := newEinoModelInputTelemetryMiddleware(logger, appCfg.OpenAI.Model, conversationID, "sub_agent"); teleMw != nil {
+				subHandlers = append(subHandlers, teleMw)
+			}

+			subInstrFinal := injectToolNamesOnlyInstruction(ctx, instr, subTools)
+			if logger != nil {
+				subNames := collectToolNames(ctx, subTools)
+				mountedNames := collectToolNames(ctx, subToolsForCfg)
+				hasToolSearch := false
+				for _, n := range subNames {
+					if strings.EqualFold(strings.TrimSpace(n), "tool_search") {
+						hasToolSearch = true
+						break
+					}
+				}
+				logger.Info("eino tool-name injection",
+					zap.String("scope", "sub_agent"),
+					zap.String("agent", id),
+					zap.Int("tool_names", len(subNames)),
+					zap.Int("mounted_tool_names", len(mountedNames)),
+					zap.Bool("has_tool_search", hasToolSearch),
+				)
+			}
 			sa, err := adk.NewChatModelAgent(ctx, &adk.ChatModelAgentConfig{
 				Name:        id,
 				Description: desc,
-				Instruction: instr,
+				Instruction: subInstrFinal,
 				Model:       subModel,
 				ToolsConfig: adk.ToolsConfig{
 					ToolsNodeConfig: compose.ToolsNodeConfig{
 						Tools:               subToolsForCfg,
 						UnknownToolsHandler: einomcp.UnknownToolReminderHandler(),
 						ToolCallMiddlewares: []compose.ToolMiddleware{
+							{Invokable: hitlToolCallMiddleware()},
 							{Invokable: softRecoveryToolCallMiddleware()},
 						},
 					},
@@ -288,7 +314,7 @@ func RunDeepAgent(
 		return nil, fmt.Errorf("多代理主模型: %w", err)
 	}

-	mainSumMw, err := newEinoSummarizationMiddleware(ctx, mainModel, appCfg, logger)
+	mainSumMw, err := newEinoSummarizationMiddleware(ctx, mainModel, appCfg, &ma.EinoMiddleware, conversationID, logger)
 	if err != nil {
 		return nil, fmt.Errorf("多代理主 summarization 中间件: %w", err)
 	}
@@ -312,6 +338,25 @@ func RunDeepAgent(
 			orchDescription = d
 		}
 	}
+	orchInstruction = injectToolNamesOnlyInstruction(ctx, orchInstruction, mainTools)
+	if logger != nil {
+		mainNames := collectToolNames(ctx, mainTools)
+		mountedNames := collectToolNames(ctx, mainToolsForCfg)
+		hasToolSearch := false
+		for _, n := range mainNames {
+			if strings.EqualFold(strings.TrimSpace(n), "tool_search") {
+				hasToolSearch = true
+				break
+			}
+		}
+		logger.Info("eino tool-name injection",
+			zap.String("scope", "orchestrator"),
+			zap.String("orchestration", orchMode),
+			zap.Int("tool_names", len(mainNames)),
+			zap.Int("mounted_tool_names", len(mountedNames)),
+			zap.Bool("has_tool_search", hasToolSearch),
+		)
+	}

 	supInstr := strings.TrimSpace(orchInstruction)
 	if orchMode == "supervisor" {
@@ -341,6 +386,9 @@ func RunDeepAgent(

 	// noNestedTaskMiddleware 必须在最外层（最先拦截），防止 skill 或其他中间件内部触发 task 调用绕过检测。
 	deepHandlers := []adk.ChatModelAgentMiddleware{newNoNestedTaskMiddleware()}
+	if mw := newTaskContextEnrichMiddleware(userMessage, history, ma.SubAgentUserContextMaxRunes); mw != nil {
+		deepHandlers = append(deepHandlers, mw)
+	}
 	if len(mainOrchestratorPre) > 0 {
 		deepHandlers = append(deepHandlers, mainOrchestratorPre...)
 	}
@@ -348,6 +396,10 @@ func RunDeepAgent(
 		deepHandlers = append(deepHandlers, einoSkillMW)
 	}
 	deepHandlers = append(deepHandlers, mainSumMw)
+	deepHandlers = append(deepHandlers, newOrphanToolPrunerMiddleware(logger, "deep_orchestrator"))
+	if teleMw := newEinoModelInputTelemetryMiddleware(logger, appCfg.OpenAI.Model, conversationID, "deep_orchestrator"); teleMw != nil {
+		deepHandlers = append(deepHandlers, teleMw)
+	}

 	supHandlers := []adk.ChatModelAgentMiddleware{}
 	if len(mainOrchestratorPre) > 0 {
@@ -357,12 +409,17 @@ func RunDeepAgent(
 		supHandlers = append(supHandlers, einoSkillMW)
 	}
 	supHandlers = append(supHandlers, mainSumMw)
+	supHandlers = append(supHandlers, newOrphanToolPrunerMiddleware(logger, "supervisor_orchestrator"))
+	if teleMw := newEinoModelInputTelemetryMiddleware(logger, appCfg.OpenAI.Model, conversationID, "supervisor_orchestrator"); teleMw != nil {
+		supHandlers = append(supHandlers, teleMw)
+	}

 	mainToolsCfg := adk.ToolsConfig{
 		ToolsNodeConfig: compose.ToolsNodeConfig{
 			Tools:               mainToolsForCfg,
 			UnknownToolsHandler: einomcp.UnknownToolReminderHandler(),
 			ToolCallMiddlewares: []compose.ToolMiddleware{
+				{Invokable: hitlToolCallMiddleware()},
 				{Invokable: softRecoveryToolCallMiddleware()},
 			},
 		},
@@ -394,10 +451,19 @@ func RunDeepAgent(
 			ExecMaxIter:          deepMaxIter,
 			LoopMaxIter:          ma.PlanExecuteLoopMaxIterations,
 			AppCfg:               appCfg,
+			MwCfg:                &ma.EinoMiddleware,
+			ConversationID:       conversationID,
 			Logger:               logger,
+			ModelName:            appCfg.OpenAI.Model,
 			ExecPreMiddlewares:   mainOrchestratorPre,
 			SkillMiddleware:      einoSkillMW,
 			FilesystemMiddleware: peFsMw,
+			PlannerReplannerRewriteHandlers: []adk.ChatModelAgentMiddleware{
+				mainSumMw,
+				// 孤儿 tool 消息兜底：必须挂在 summarization 之后、telemetry 之前。
+				newOrphanToolPrunerMiddleware(logger, "plan_execute_planner_replanner"),
+				newEinoModelInputTelemetryMiddleware(logger, appCfg.OpenAI.Model, conversationID, "plan_execute_planner_replanner_rewrite"),
+			},
 		})
 		if perr != nil {
 			return nil, perr
@@ -463,7 +529,7 @@ func RunDeepAgent(
 		da = dDeep
 	}

-	baseMsgs := historyToMessages(history)
+	baseMsgs := historyToMessages(history, appCfg, &ma.EinoMiddleware)
 	baseMsgs = append(baseMsgs, schema.UserMessage(userMessage))

 	streamsMainAssistant := func(agent string) bool {
@@ -500,34 +566,77 @@ func RunDeepAgent(
 	}, baseMsgs)
 }

-func historyToMessages(history []agent.ChatMessage) []adk.Message {
+func historyToMessages(history []agent.ChatMessage, appCfg *config.Config, mwCfg *config.MultiAgentEinoMiddlewareConfig) []adk.Message {
 	if len(history) == 0 {
 		return nil
 	}
-	// 放宽条数上限：跨轮历史交给 Eino Summarization（阈值对齐 openai.max_total_tokens）在调用模型前压缩，避免在入队前硬截断为 40 条。
-	const maxHistoryMessages = 300
+	// Keep a bounded tail first; then enforce a token budget.
+	const maxHistoryMessages = 200
 	start := 0
 	if len(history) > maxHistoryMessages {
 		start = len(history) - maxHistoryMessages
 	}
-	out := make([]adk.Message, 0, len(history[start:]))
+	raw := make([]adk.Message, 0, len(history[start:]))
 	for _, h := range history[start:] {
 		switch h.Role {
 		case "user":
 			if strings.TrimSpace(h.Content) != "" {
-				out = append(out, schema.UserMessage(h.Content))
+				raw = append(raw, schema.UserMessage(h.Content))
 			}
 		case "assistant":
 			if strings.TrimSpace(h.Content) == "" && len(h.ToolCalls) > 0 {
 				continue
 			}
 			if strings.TrimSpace(h.Content) != "" {
-				out = append(out, schema.AssistantMessage(h.Content, nil))
+				raw = append(raw, schema.AssistantMessage(h.Content, nil))
 			}
 		default:
 			continue
 		}
 	}
+	if len(raw) == 0 {
+		return raw
+	}
+	maxTotal := 120000
+	modelName := "gpt-4o"
+	if appCfg != nil {
+		if appCfg.OpenAI.MaxTotalTokens > 0 {
+			maxTotal = appCfg.OpenAI.MaxTotalTokens
+		}
+		if m := strings.TrimSpace(appCfg.OpenAI.Model); m != "" {
+			modelName = m
+		}
+	}
+	ratio := 0.35
+	if mwCfg != nil {
+		ratio = mwCfg.HistoryInputBudgetRatioEffective()
+	}
+	budget := int(float64(maxTotal) * ratio)
+	if budget < 4096 {
+		budget = 4096
+	}
+	tc := agent.NewTikTokenCounter()
+	outRev := make([]adk.Message, 0, len(raw))
+	used := 0
+	for i := len(raw) - 1; i >= 0; i-- {
+		msg := raw[i]
+		n, err := tc.Count(modelName, string(msg.Role)+"\n"+msg.Content)
+		if err != nil {
+			n = (len(msg.Content) + 3) / 4
+		}
+		if n <= 0 {
+			n = 1
+		}
+		if used+n > budget {
+			break
+		}
+		used += n
+		outRev = append(outRev, msg)
+	}
+	out := make([]adk.Message, 0, len(outRev))
+	for i := len(outRev) - 1; i >= 0; i-- {
+		out = append(out, outRev[i])
+	}
 	return out
 }

@@ -0,0 +1,145 @@
+package multiagent
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+
+	"cyberstrike-ai/internal/agent"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/components/tool"
+)
+
+const defaultSubAgentUserContextMaxRunes = 2000
+
+// taskContextEnrichMiddleware intercepts "task" tool calls on the orchestrator
+// and appends the user's original conversation messages to the task description.
+// This ensures sub-agents always receive the full user intent (target URLs,
+// scope, etc.) even when the orchestrator forgets to include them.
+//
+// Design: user context is injected into the task description (per-task), NOT
+// into the sub-agent's Instruction (system prompt). This keeps sub-agent
+// Instructions clean as pure role definitions while attaching context to the
+// specific delegation — aligned with Claude Code's agent design philosophy.
+type taskContextEnrichMiddleware struct {
+	adk.BaseChatModelAgentMiddleware
+	supplement string // pre-built user context block
+}
+
+// newTaskContextEnrichMiddleware returns a middleware that enriches task
+// descriptions with user conversation context. Returns nil if disabled
+// (maxRunes < 0) or no user messages exist.
+func newTaskContextEnrichMiddleware(userMessage string, history []agent.ChatMessage, maxRunes int) adk.ChatModelAgentMiddleware {
+	supplement := buildUserContextSupplement(userMessage, history, maxRunes)
+	if supplement == "" {
+		return nil
+	}
+	return &taskContextEnrichMiddleware{supplement: supplement}
+}
+
+func (m *taskContextEnrichMiddleware) WrapInvokableToolCall(
+	ctx context.Context,
+	endpoint adk.InvokableToolCallEndpoint,
+	tCtx *adk.ToolContext,
+) (adk.InvokableToolCallEndpoint, error) {
+	if tCtx == nil || !strings.EqualFold(strings.TrimSpace(tCtx.Name), "task") {
+		return endpoint, nil
+	}
+	return func(ctx context.Context, argumentsInJSON string, opts ...tool.Option) (string, error) {
+		enriched := m.enrichTaskDescription(argumentsInJSON)
+		return endpoint(ctx, enriched, opts...)
+	}, nil
+}
+
+// enrichTaskDescription parses the task JSON arguments, appends user context
+// to the "description" field, and re-serializes. Falls back to the original
+// JSON if parsing fails or no description field exists.
+func (m *taskContextEnrichMiddleware) enrichTaskDescription(argsJSON string) string {
+	var raw map[string]interface{}
+	if err := json.Unmarshal([]byte(argsJSON), &raw); err != nil {
+		return argsJSON
+	}
+	desc, ok := raw["description"].(string)
+	if !ok {
+		return argsJSON
+	}
+	raw["description"] = desc + m.supplement
+	enriched, err := json.Marshal(raw)
+	if err != nil {
+		return argsJSON
+	}
+	return string(enriched)
+}
+
+// buildUserContextSupplement collects user messages from conversation history
+// and the current message, returning a formatted block to append to task
+// descriptions. Returns "" if disabled or no user messages exist.
+func buildUserContextSupplement(userMessage string, history []agent.ChatMessage, maxRunes int) string {
+	if maxRunes < 0 {
+		return ""
+	}
+	if maxRunes == 0 {
+		maxRunes = defaultSubAgentUserContextMaxRunes
+	}
+
+	var userMsgs []string
+	for _, h := range history {
+		if h.Role == "user" {
+			if m := strings.TrimSpace(h.Content); m != "" {
+				userMsgs = append(userMsgs, m)
+			}
+		}
+	}
+	if um := strings.TrimSpace(userMessage); um != "" {
+		if len(userMsgs) == 0 || userMsgs[len(userMsgs)-1] != um {
+			userMsgs = append(userMsgs, um)
+		}
+	}
+	if len(userMsgs) == 0 {
+		return ""
+	}
+
+	joined := strings.Join(userMsgs, "\n---\n")
+	if len([]rune(joined)) > maxRunes {
+		joined = truncateKeepFirstLast(userMsgs, maxRunes)
+	}
+
+	return "\n\n## 会话上下文（自动补充，确保你了解用户完整意图）\n" + joined
+}
+
+// truncateKeepFirstLast keeps the first and last user messages, giving each
+// half the rune budget. The first message typically contains target info;
+// the last contains the current instruction.
+func truncateKeepFirstLast(msgs []string, maxRunes int) string {
+	if len(msgs) == 1 {
+		return truncateRunes(msgs[0], maxRunes)
+	}
+
+	first := msgs[0]
+	last := msgs[len(msgs)-1]
+	sep := "\n---\n...(中间对话省略)...\n---\n"
+	sepLen := len([]rune(sep))
+
+	budget := maxRunes - sepLen
+	if budget <= 0 {
+		return truncateRunes(first+"\n---\n"+last, maxRunes)
+	}
+
+	halfBudget := budget / 2
+	firstTrunc := truncateRunes(first, halfBudget)
+	lastTrunc := truncateRunes(last, budget-len([]rune(firstTrunc)))
+
+	return firstTrunc + sep + lastTrunc
+}
+
+func truncateRunes(s string, max int) string {
+	rs := []rune(s)
+	if len(rs) <= max {
+		return s
+	}
+	if max <= 0 {
+		return ""
+	}
+	return string(rs[:max])
+}
@@ -0,0 +1,182 @@
+package multiagent
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"cyberstrike-ai/internal/agent"
+
+	"github.com/cloudwego/eino/adk"
+	"github.com/cloudwego/eino/components/tool"
+)
+
+// --- buildUserContextSupplement tests ---
+
+func TestBuildUserContextSupplement_SingleMessage(t *testing.T) {
+	result := buildUserContextSupplement("http://8.163.32.73:8081 测试命令执行", nil, 0)
+	if result == "" {
+		t.Fatal("expected non-empty supplement")
+	}
+	if !strings.Contains(result, "http://8.163.32.73:8081") {
+		t.Error("expected URL in supplement")
+	}
+}
+
+func TestBuildUserContextSupplement_MultiTurn(t *testing.T) {
+	history := []agent.ChatMessage{
+		{Role: "user", Content: "http://8.163.32.73:8081 这是一个pikachu靶场，尝试测试命令执行"},
+		{Role: "assistant", Content: "好的，我来测试..."},
+		{Role: "user", Content: "继续，并持久化webshell"},
+		{Role: "assistant", Content: "正在处理..."},
+	}
+	result := buildUserContextSupplement("你好", history, 0)
+	if !strings.Contains(result, "http://8.163.32.73:8081") {
+		t.Error("expected first turn URL to be preserved")
+	}
+	if !strings.Contains(result, "你好") {
+		t.Error("expected current message")
+	}
+}
+
+func TestBuildUserContextSupplement_Empty(t *testing.T) {
+	if result := buildUserContextSupplement("", nil, 0); result != "" {
+		t.Errorf("expected empty, got %q", result)
+	}
+}
+
+func TestBuildUserContextSupplement_Deduplicate(t *testing.T) {
+	history := []agent.ChatMessage{{Role: "user", Content: "你好"}}
+	result := buildUserContextSupplement("你好", history, 0)
+	if strings.Count(result, "你好") != 1 {
+		t.Errorf("expected '你好' once, got: %s", result)
+	}
+}
+
+func TestBuildUserContextSupplement_SkipsNonUser(t *testing.T) {
+	history := []agent.ChatMessage{
+		{Role: "user", Content: "目标是 10.0.0.1"},
+		{Role: "assistant", Content: "不应该出现"},
+	}
+	result := buildUserContextSupplement("确认", history, 0)
+	if strings.Contains(result, "不应该出现") {
+		t.Error("assistant message should not be included")
+	}
+}
+
+func TestBuildUserContextSupplement_DisabledByNegative(t *testing.T) {
+	if result := buildUserContextSupplement("test", nil, -1); result != "" {
+		t.Errorf("expected empty when disabled, got %q", result)
+	}
+}
+
+func TestBuildUserContextSupplement_CustomMaxRunes(t *testing.T) {
+	msg := strings.Repeat("A", 200)
+	result := buildUserContextSupplement(msg, nil, 50)
+	header := "\n\n## 会话上下文（自动补充，确保你了解用户完整意图）\n"
+	body := strings.TrimPrefix(result, header)
+	if len([]rune(body)) > 50 {
+		t.Errorf("body should be capped at 50 runes, got %d", len([]rune(body)))
+	}
+}
+
+func TestBuildUserContextSupplement_TruncateKeepsFirstAndLast(t *testing.T) {
+	first := "http://target.com " + strings.Repeat("A", 500)
+	var history []agent.ChatMessage
+	history = append(history, agent.ChatMessage{Role: "user", Content: first})
+	for i := 0; i < 10; i++ {
+		history = append(history, agent.ChatMessage{Role: "user", Content: strings.Repeat("B", 500)})
+	}
+	last := "最后一条指令"
+	result := buildUserContextSupplement(last, history, 0)
+	if !strings.Contains(result, "http://target.com") {
+		t.Error("first message (target URL) should survive truncation")
+	}
+	if !strings.Contains(result, last) {
+		t.Error("last message should survive truncation")
+	}
+}
+
+// --- middleware integration tests ---
+
+func TestTaskContextEnrichMiddleware_EnrichesTaskDescription(t *testing.T) {
+	mw := newTaskContextEnrichMiddleware(
+		"继续测试",
+		[]agent.ChatMessage{{Role: "user", Content: "http://8.163.32.73:8081 pikachu靶场"}},
+		0,
+	)
+	if mw == nil {
+		t.Fatal("expected non-nil middleware")
+	}
+
+	called := false
+	var capturedArgs string
+	fakeEndpoint := func(ctx context.Context, args string, opts ...tool.Option) (string, error) {
+		called = true
+		capturedArgs = args
+		return "ok", nil
+	}
+
+	wrapped, err := mw.(interface {
+		WrapInvokableToolCall(context.Context, adk.InvokableToolCallEndpoint, *adk.ToolContext) (adk.InvokableToolCallEndpoint, error)
+	}).WrapInvokableToolCall(context.Background(), fakeEndpoint, &adk.ToolContext{Name: "task"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	taskArgs := `{"subagent_type":"recon","description":"扫描目标端口"}`
+	wrapped(context.Background(), taskArgs)
+
+	if !called {
+		t.Fatal("endpoint was not called")
+	}
+
+	var parsed map[string]interface{}
+	if err := json.Unmarshal([]byte(capturedArgs), &parsed); err != nil {
+		t.Fatalf("enriched args not valid JSON: %v", err)
+	}
+	desc := parsed["description"].(string)
+	if !strings.Contains(desc, "扫描目标端口") {
+		t.Error("original description should be preserved")
+	}
+	if !strings.Contains(desc, "http://8.163.32.73:8081") {
+		t.Error("user context should be appended to description")
+	}
+	if !strings.Contains(desc, "继续测试") {
+		t.Error("current user message should be in description")
+	}
+}
+
+func TestTaskContextEnrichMiddleware_IgnoresNonTaskTools(t *testing.T) {
+	mw := newTaskContextEnrichMiddleware("test", nil, 0)
+	if mw == nil {
+		t.Fatal("expected non-nil middleware")
+	}
+
+	original := `{"command":"nmap -sV target"}`
+	var capturedArgs string
+	fakeEndpoint := func(ctx context.Context, args string, opts ...tool.Option) (string, error) {
+		capturedArgs = args
+		return "ok", nil
+	}
+
+	wrapped, err := mw.(interface {
+		WrapInvokableToolCall(context.Context, adk.InvokableToolCallEndpoint, *adk.ToolContext) (adk.InvokableToolCallEndpoint, error)
+	}).WrapInvokableToolCall(context.Background(), fakeEndpoint, &adk.ToolContext{Name: "nmap_scan"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wrapped(context.Background(), original)
+	if capturedArgs != original {
+		t.Errorf("non-task tool args should not be modified, got %q", capturedArgs)
+	}
+}
+
+func TestTaskContextEnrichMiddleware_NilWhenDisabled(t *testing.T) {
+	mw := newTaskContextEnrichMiddleware("test", nil, -1)
+	if mw != nil {
+		t.Error("middleware should be nil when disabled")
+	}
+}
@@ -1,51 +0,0 @@
-package multiagent
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/cloudwego/eino/schema"
-)
-
-// maxToolCallRecoveryAttempts 含首次运行：首次 + 自动重试次数。
-// 例如为 3 表示最多共 3 次完整 DeepAgent 运行（2 次失败后各追加一条纠错提示）。
-// 该常量同时用于 JSON 参数错误和工具执行错误（如子代理名称不存在）的恢复重试。
-const maxToolCallRecoveryAttempts = 5
-
-// toolCallArgumentsJSONRetryHint 追加在用户消息后，提示模型输出合法 JSON 工具参数（部分云厂商会在流式阶段校验 arguments）。
-func toolCallArgumentsJSONRetryHint() *schema.Message {
-	return schema.UserMessage(`[系统提示] 上一次输出中，工具调用的 function.arguments 不是合法 JSON，接口已拒绝。请重新生成：每个 tool call 的 arguments 必须是完整、可解析的 JSON 对象字符串（键名用双引号，无多余逗号，括号配对）。不要输出截断或不完整的 JSON。
-
-[System] Your previous tool call used invalid JSON in function.arguments and was rejected by the API. Regenerate with strictly valid JSON objects only (double-quoted keys, matched braces, no trailing commas).`)
-}
-
-// toolCallArgumentsJSONRecoveryTimelineMessage 供 eino_recovery 事件落库与前端时间线展示。
-func toolCallArgumentsJSONRecoveryTimelineMessage(attempt int) string {
-	return fmt.Sprintf(
-		"接口拒绝了无效的工具参数 JSON。已向对话追加系统提示并要求模型重新生成合法的 function.arguments。"+
-			"当前为第 %d/%d 轮完整运行。\n\n"+
-			"The API rejected invalid JSON in tool arguments. A system hint was appended. This is full run %d of %d.",
-		attempt+1, maxToolCallRecoveryAttempts, attempt+1, maxToolCallRecoveryAttempts,
-	)
-}
-
-// isRecoverableToolCallArgumentsJSONError 判断是否为「工具参数非合法 JSON」类流式错误，可通过追加提示后重跑一轮。
-func isRecoverableToolCallArgumentsJSONError(err error) bool {
-	if err == nil {
-		return false
-	}
-	s := strings.ToLower(err.Error())
-	if !strings.Contains(s, "json") {
-		return false
-	}
-	if strings.Contains(s, "function.arguments") || strings.Contains(s, "function arguments") {
-		return true
-	}
-	if strings.Contains(s, "invalidparameter") && strings.Contains(s, "json") {
-		return true
-	}
-	if strings.Contains(s, "must be in json format") {
-		return true
-	}
-	return false
-}
@@ -1,17 +0,0 @@
-package multiagent
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestIsRecoverableToolCallArgumentsJSONError(t *testing.T) {
-	yes := errors.New(`failed to receive stream chunk: error, <400> InternalError.Algo.InvalidParameter: The "function.arguments" parameter of the code model must be in JSON format.`)
-	if !isRecoverableToolCallArgumentsJSONError(yes) {
-		t.Fatal("expected recoverable for function.arguments + JSON")
-	}
-	no := errors.New("unrelated network failure")
-	if isRecoverableToolCallArgumentsJSONError(no) {
-		t.Fatal("expected not recoverable")
-	}
-}
@@ -1,44 +0,0 @@
-package multiagent
-
-import (
-	"fmt"
-
-	"github.com/cloudwego/eino/schema"
-)
-
-// toolExecutionRetryHint returns a user message appended to the conversation to prompt
-// the LLM to adjust after a tool execution error (tool not found, binary missing,
-// runtime failure, network error, etc.).
-func toolExecutionRetryHint() *schema.Message {
-	return schema.UserMessage(`[System] Your previous tool call failed. Possible causes:
- The tool or sub-agent name does not exist (typo or unregistered name).
- The tool call arguments were not valid JSON.
- The tool's underlying binary is not installed or not in PATH.
- The tool encountered a runtime error (timeout, network failure, permission denied, etc.).
-
-Please review the error message above, check available tools, and either:
-1. Retry with corrected arguments or a different tool, OR
-2. Inform the user about the limitation and proceed with an alternative approach.
-
-[系统提示] 上一次工具调用失败，可能原因：
- 工具名或子代理名称不存在（拼写错误或未注册）；
- 工具调用参数不是合法 JSON；
- 工具依赖的底层二进制程序未安装或不在 PATH 中；
- 工具运行时遇到错误（超时、网络故障、权限不足等）。
-
-请根据上述错误信息检查可用工具，然后：
-1. 修正参数或改用其他工具重试，或者
-2. 告知用户当前限制并采用替代方案继续。`)
-}
-
-// toolExecutionRecoveryTimelineMessage returns a message for the eino_recovery event
-// displayed in the UI timeline when a tool execution error triggers a retry.
-func toolExecutionRecoveryTimelineMessage(attempt int) string {
-	return fmt.Sprintf(
-		"工具调用执行失败。已向对话追加纠错提示并要求模型调整策略。"+
-			"当前为第 %d/%d 轮完整运行。\n\n"+
-			"Tool call execution failed. "+
-			"A corrective hint was appended. This is full run %d of %d.",
-		attempt+1, maxToolCallRecoveryAttempts, attempt+1, maxToolCallRecoveryAttempts,
-	)
-}
@@ -192,13 +192,13 @@ func convertOpenAIToClaude(payload interface{}) (*claudeRequest, error) {
 					fnName, _ := fn["name"].(string)
 					fnArgs, _ := fn["arguments"]

-						// 防御：缺少 name 或 id 的 tool_call 会被 Claude 拒绝
-						if strings.TrimSpace(fnName) == "" {
-							fnName = "unknown_function"
-						}
-						if strings.TrimSpace(tcID) == "" {
-							tcID = fmt.Sprintf("call_%d", time.Now().UnixNano())
-						}
+					// 防御：缺少 name 或 id 的 tool_call 会被 Claude 拒绝
+					if strings.TrimSpace(fnName) == "" {
+						fnName = "unknown_function"
+					}
+					if strings.TrimSpace(tcID) == "" {
+						tcID = fmt.Sprintf("call_%d", time.Now().UnixNano())
+					}

 					var inputRaw json.RawMessage
 					switch v := fnArgs.(type) {
@@ -752,25 +752,33 @@ func isClaudeProvider(cfg *config.OpenAIConfig) bool {
 // Eino HTTP Client Bridge
 // ============================================================

-// NewEinoHTTPClient 为 einoopenai.ChatModelConfig 返回一个支持 Claude 自动桥接的 http.Client。
-// 当 cfg.Provider 为 claude 时，会拦截 /chat/completions 请求，透明转换为 Anthropic Messages API。
+// NewEinoHTTPClient 为 einoopenai.ChatModelConfig 返回一个 http.Client，包含两层 transport 包装：
+//  1. 当 cfg.Provider 为 claude 时，最内层套 claudeRoundTripper，把 OpenAI /chat/completions 透明
+//     桥接为 Anthropic /v1/messages（并把 Claude SSE 翻译回 OpenAI SSE 格式）。
+//  2. 最外层无条件套 einoSSESanitizingRoundTripper，吞掉中转站发的 SSE 心跳/注释/控制行
+//     (": keepalive" / "event: ping" / "retry: 3000" 等)，避免 Eino 用的 meguminnnnnnnnn/go-openai
+//     SDK 在累计超过 300 个非 "data:" 行后抛 "stream has sent too many empty messages"。
+//
+// 两层都对调用方完全透明：普通 JSON 响应原样透传，仅当响应 Content-Type 为 text/event-stream 时
+// sanitizer 才会接管 body；data: payload (含 [DONE]、{"error":...}) 一字节不改。
 func NewEinoHTTPClient(cfg *config.OpenAIConfig, base *http.Client) *http.Client {
 	if base == nil {
 		base = http.DefaultClient
 	}
-	if !isClaudeProvider(cfg) {
-		return base
-	}

 	cloned := *base
 	transport := base.Transport
 	if transport == nil {
 		transport = http.DefaultTransport
 	}
-	cloned.Transport = &claudeRoundTripper{
-		base:   transport,
-		config: cfg,
+	if isClaudeProvider(cfg) {
+		transport = &claudeRoundTripper{
+			base:   transport,
+			config: cfg,
+		}
 	}
+	transport = &einoSSESanitizingRoundTripper{base: transport}
+	cloned.Transport = transport
 	return &cloned
 }

@@ -0,0 +1,149 @@
+package openai
+
+// eino_sse_sanitizer.go 解决 Eino 走 meguminnnnnnnnn/go-openai SDK 时，
+// 中转站心跳/SSE 控制行累计 > 300 行触发 ErrTooManyEmptyStreamMessages
+// （报错文案: "stream has sent too many empty messages"）的问题。
+//
+// 触发链路:
+//   einoopenai.NewChatModel
+//     → eino-ext/libs/acl/openai → meguminnnnnnnnn/go-openai
+//     → streamReader.processLines() 对所有非 "data:" 行计数, > 300 即抛错。
+//
+// 中转站常见的非 data: 行（合法 SSE 但 SDK 不接受）:
+//   ":" / ": keepalive" / ": ping" / "event: ping" / "retry: 3000"
+//   以及思考型模型 prefill 期间穿插的大量心跳。
+//
+// 兜底策略: 在 HTTP transport 层把响应 Body 包一层 reader, 只放行 "data:"
+// 开头的行, 把心跳/注释/事件类型行就地吞掉。下游 SDK 永远见不到非 data: 行,
+// 计数器始终为 0, 该错误不可能再发生。
+//
+// 该层对调用方完全透明:
+//   - 仅当响应 Content-Type 是 text/event-stream 时介入；普通 JSON 响应原样透传
+//   - data: payload (含 [DONE] 与 {"error":...}) 一字节不改
+//   - 上游真断流 (EOF / connection reset / context cancel) 原样透传
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"net/http"
+	"strings"
+)
+
+const (
+	// einoSSEReaderBufSize 给 bufio 一个较大的初始缓冲, 避免单行大 JSON chunk
+	// (含工具调用 arguments / reasoning_content) 频繁触发缓冲区扩容。
+	einoSSEReaderBufSize = 64 * 1024
+)
+
+// einoSSESanitizingRoundTripper 包装下游 RoundTripper, 对 SSE 响应做行级清洗。
+type einoSSESanitizingRoundTripper struct {
+	base http.RoundTripper
+}
+
+func (rt *einoSSESanitizingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := rt.base.RoundTrip(req)
+	if err != nil || resp == nil {
+		return resp, err
+	}
+	if !isSSEResponse(resp) {
+		return resp, nil
+	}
+	resp.Body = newEinoSSESanitizingBody(resp.Body)
+	return resp, nil
+}
+
+// isSSEResponse 仅对 200 + text/event-stream 的响应做清洗;
+// 错误响应 (4xx/5xx 通常是 application/json) 不动, 由 SDK 走原错误路径。
+func isSSEResponse(resp *http.Response) bool {
+	if resp.StatusCode != http.StatusOK {
+		return false
+	}
+	ct := resp.Header.Get("Content-Type")
+	if ct == "" {
+		return false
+	}
+	ct = strings.ToLower(strings.TrimSpace(ct))
+	// 兼容 "text/event-stream", "text/event-stream; charset=utf-8" 等。
+	return strings.HasPrefix(ct, "text/event-stream")
+}
+
+// einoSSESanitizingBody 是包装后的响应体: 只放行 data: 行, 其它行吞掉。
+type einoSSESanitizingBody struct {
+	upstream io.ReadCloser
+	reader   *bufio.Reader
+	pending  []byte // 已清洗、待返回给下游的字节 (永远以 \n 结尾的完整 data: 行)
+	err      error  // upstream 终态错误 (io.EOF 或网络错误)
+}
+
+func newEinoSSESanitizingBody(body io.ReadCloser) *einoSSESanitizingBody {
+	return &einoSSESanitizingBody{
+		upstream: body,
+		reader:   bufio.NewReaderSize(body, einoSSEReaderBufSize),
+	}
+}
+
+func (b *einoSSESanitizingBody) Read(p []byte) (int, error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	if len(b.pending) > 0 {
+		n := copy(p, b.pending)
+		b.pending = b.pending[n:]
+		return n, nil
+	}
+
+	// 从上游读, 直到攒出一行 data: 或拿到终态。
+	// 单次循环可能丢弃任意多行心跳, 但只放行至多一行 data: 后退出,
+	// 避免一次 Read 阻塞过久 / pending 缓冲过大。
+	for b.err == nil {
+		line, err := b.reader.ReadBytes('\n')
+		if len(line) > 0 {
+			if isPassThroughSSELine(line) {
+				if line[len(line)-1] != '\n' {
+					line = append(line, '\n')
+				}
+				b.pending = line
+				if err != nil {
+					b.err = err
+				}
+				break
+			}
+			// 非 data: 行 (空行 / ":" 注释 / event: / retry: / id: / 任何裸文本)
+			// 全部吞掉, 不向下游透出, 继续循环读下一行。
+		}
+		if err != nil {
+			b.err = err
+			break
+		}
+	}
+
+	if len(b.pending) > 0 {
+		n := copy(p, b.pending)
+		b.pending = b.pending[n:]
+		return n, nil
+	}
+	return 0, b.err
+}
+
+func (b *einoSSESanitizingBody) Close() error {
+	return b.upstream.Close()
+}
+
+// isPassThroughSSELine 判定该行是否需要原样放行给下游 SDK。
+// 仅 "data:" (大小写不敏感, 可有任意前导空白) 开头的行需要保留。
+// 注意: 不能用 TrimSpace 去尾部换行后再判, 否则 "  data: x" 会被误判;
+// 我们只 trim 前导空白, 与 SDK 内部 TrimSpace 后再正则 ^data:\s* 的语义一致。
+func isPassThroughSSELine(line []byte) bool {
+	trimmed := bytes.TrimLeft(line, " \t")
+	if len(trimmed) < 5 {
+		return false
+	}
+	// 大小写不敏感比较前 5 字节是否为 "data:"。SSE 规范要求字段名小写,
+	// 但宽松匹配可以兼容个别中转站的非规范实现。
+	return (trimmed[0] == 'd' || trimmed[0] == 'D') &&
+		(trimmed[1] == 'a' || trimmed[1] == 'A') &&
+		(trimmed[2] == 't' || trimmed[2] == 'T') &&
+		(trimmed[3] == 'a' || trimmed[3] == 'A') &&
+		trimmed[4] == ':'
+}
@@ -0,0 +1,303 @@
+package openai
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"regexp"
+	"strings"
+	"testing"
+)
+
+// 复现 meguminnnnnnnnn/go-openai 的 SSE 行计数算法 (默认 limit=300):
+// - 逐行读
+// - 非 "data:" 行 (空行 / ":" 注释 / event: / retry:) 累计 emptyMessagesCount
+// - > 300 抛 ErrTooManyEmptyStreamMessages
+// - 遇到 data: 行 reset, 返回 payload
+//
+// 这一算法与上游 SDK 的 stream_reader.go processLines() 严格一致 (验证依据见
+// /Users/temp/go/pkg/mod/github.com/meguminnnnnnnnn/go-openai@v0.1.2/stream_reader.go)。
+// 测试中只复刻 "限制触发" 这一行为, 用来回归验证 sanitizer 的根因修复。
+var errTooManyEmptyStreamMessages = errors.New("stream has sent too many empty messages")
+
+func sdkLikeRecvAll(body io.Reader, limit uint) ([]string, error) {
+	headerData := regexp.MustCompile(`^data:\s*`)
+	r := bufio.NewReader(body)
+	var payloads []string
+	for {
+		var emptyMessagesCount uint
+		var payload []byte
+		for {
+			line, err := r.ReadBytes('\n')
+			if err != nil {
+				if err == io.EOF {
+					return payloads, nil
+				}
+				return payloads, err
+			}
+			noSpace := bytes.TrimSpace(line)
+			if !headerData.Match(noSpace) {
+				emptyMessagesCount++
+				if emptyMessagesCount > limit {
+					return payloads, errTooManyEmptyStreamMessages
+				}
+				continue
+			}
+			payload = headerData.ReplaceAll(noSpace, nil)
+			break
+		}
+		if string(payload) == "[DONE]" {
+			return payloads, nil
+		}
+		payloads = append(payloads, string(payload))
+	}
+}
+
+func newSSEServer(t *testing.T, body string, contentType string, status int) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		if contentType != "" {
+			w.Header().Set("Content-Type", contentType)
+		}
+		w.WriteHeader(status)
+		_, _ = io.WriteString(w, body)
+	}))
+}
+
+func sanitizingClient(base *http.Client) *http.Client {
+	if base == nil {
+		base = &http.Client{}
+	}
+	cloned := *base
+	transport := base.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+	cloned.Transport = &einoSSESanitizingRoundTripper{base: transport}
+	return &cloned
+}
+
+func readAll(t *testing.T, body io.ReadCloser) string {
+	t.Helper()
+	defer body.Close()
+	out, err := io.ReadAll(body)
+	if err != nil {
+		t.Fatalf("read body: %v", err)
+	}
+	return string(out)
+}
+
+// 1) 仅 data: 行 → 一字节不改地透传。
+func TestSSESanitizer_PassesDataLinesUnchanged(t *testing.T) {
+	body := "data: {\"a\":1}\ndata: {\"b\":2}\ndata: [DONE]\n"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("body mismatch:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 2) 心跳/注释/事件类型行被吞掉, 仅保留 data: 行。
+func TestSSESanitizer_DropsHeartbeatsAndControlLines(t *testing.T) {
+	body := strings.Join([]string{
+		": keepalive",
+		"",
+		"event: ping",
+		"retry: 3000",
+		"id: 42",
+		"data: {\"x\":1}",
+		": ping",
+		"",
+		"data: {\"x\":2}",
+		"data: [DONE]",
+		"",
+	}, "\n")
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	want := "data: {\"x\":1}\ndata: {\"x\":2}\ndata: [DONE]\n"
+	if got != want {
+		t.Fatalf("sanitized body mismatch:\nwant %q\ngot  %q", want, got)
+	}
+}
+
+// 3) 根因回归: 上游堆 500 行心跳后才发 data:, 原始 SDK 算法会抛
+// ErrTooManyEmptyStreamMessages, sanitize 之后必须能正常拿到所有 data:。
+func TestSSESanitizer_ProtectsAgainstTooManyEmptyMessages(t *testing.T) {
+	const heartbeats = 500
+	var buf bytes.Buffer
+	for i := 0; i < heartbeats; i++ {
+		buf.WriteString(": keepalive\n")
+	}
+	buf.WriteString("data: {\"chunk\":1}\n")
+	buf.WriteString("data: {\"chunk\":2}\n")
+	buf.WriteString("data: [DONE]\n")
+
+	t.Run("baseline_without_sanitizer_must_fail", func(t *testing.T) {
+		_, err := sdkLikeRecvAll(bytes.NewReader(buf.Bytes()), 300)
+		if !errors.Is(err, errTooManyEmptyStreamMessages) {
+			t.Fatalf("expected ErrTooManyEmptyStreamMessages, got %v", err)
+		}
+	})
+
+	t.Run("with_sanitizer_must_succeed", func(t *testing.T) {
+		srv := newSSEServer(t, buf.String(), "text/event-stream", 200)
+		defer srv.Close()
+
+		resp, err := sanitizingClient(nil).Get(srv.URL)
+		if err != nil {
+			t.Fatalf("get: %v", err)
+		}
+		defer resp.Body.Close()
+
+		payloads, err := sdkLikeRecvAll(resp.Body, 300)
+		if err != nil {
+			t.Fatalf("sdk-like recv after sanitize: %v", err)
+		}
+		want := []string{`{"chunk":1}`, `{"chunk":2}`}
+		if len(payloads) != len(want) {
+			t.Fatalf("payload count mismatch: want %d got %d (%v)", len(want), len(payloads), payloads)
+		}
+		for i, w := range want {
+			if payloads[i] != w {
+				t.Fatalf("payload[%d] mismatch: want %q got %q", i, w, payloads[i])
+			}
+		}
+	})
+}
+
+// 4) 心跳穿插在 data: 之间也能正确清洗 (思考型模型 prefill 期间常见)。
+func TestSSESanitizer_HeartbeatsInterleavedWithData(t *testing.T) {
+	var buf bytes.Buffer
+	buf.WriteString("data: {\"chunk\":1}\n")
+	for i := 0; i < 400; i++ {
+		buf.WriteString(": keepalive\n")
+	}
+	buf.WriteString("data: {\"chunk\":2}\n")
+	buf.WriteString("data: [DONE]\n")
+
+	srv := newSSEServer(t, buf.String(), "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	defer resp.Body.Close()
+
+	payloads, err := sdkLikeRecvAll(resp.Body, 300)
+	if err != nil {
+		t.Fatalf("sdk-like recv: %v", err)
+	}
+	if got, want := len(payloads), 2; got != want {
+		t.Fatalf("payload count: want %d got %d", want, got)
+	}
+}
+
+// 5) 非 SSE 响应 (例如非流式 JSON) 不应被 sanitizer 介入。
+func TestSSESanitizer_PassesNonSSEResponseUntouched(t *testing.T) {
+	body := `{"id":"x","object":"chat.completion","choices":[]}`
+	srv := newSSEServer(t, body, "application/json", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("non-SSE body must be untouched:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 6) 错误响应 (4xx/5xx) 不应被 sanitize, 即使 Content-Type 是 SSE 也不动,
+//    避免吞掉类似 "data: " 之外的错误正文。
+func TestSSESanitizer_PassesNon200Untouched(t *testing.T) {
+	body := `{"error":{"message":"rate limit"}}`
+	srv := newSSEServer(t, body, "text/event-stream", 429)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("error body must be untouched:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+// 7) data: 行末尾若缺 \n (异常上游) sanitizer 也补齐, 保证下游按行解析。
+func TestSSESanitizer_AppendsTrailingNewlineIfMissing(t *testing.T) {
+	body := "data: {\"a\":1}"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	want := "data: {\"a\":1}\n"
+	if got != want {
+		t.Fatalf("trailing newline:\nwant %q\ngot  %q", want, got)
+	}
+}
+
+// 8) 大 chunk (一行数十 KB) 也能完整透传, 不被切断。
+func TestSSESanitizer_LargeDataLinePassesIntact(t *testing.T) {
+	huge := strings.Repeat("x", 80*1024)
+	body := "data: {\"big\":\"" + huge + "\"}\ndata: [DONE]\n"
+	srv := newSSEServer(t, body, "text/event-stream", 200)
+	defer srv.Close()
+
+	resp, err := sanitizingClient(nil).Get(srv.URL)
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	got := readAll(t, resp.Body)
+	if got != body {
+		t.Fatalf("large body length mismatch: want %d got %d", len(body), len(got))
+	}
+}
+
+// 9) isPassThroughSSELine 单元覆盖。
+func TestIsPassThroughSSELine(t *testing.T) {
+	cases := []struct {
+		line string
+		want bool
+	}{
+		{"data: {\"a\":1}\n", true},
+		{"DATA: x\n", true},
+		{"  data: x\n", true},
+		{"data:\n", true},
+		{"\n", false},
+		{"\r\n", false},
+		{": keepalive\n", false},
+		{":\n", false},
+		{"event: ping\n", false},
+		{"retry: 3000\n", false},
+		{"id: 42\n", false},
+		{"datax: y\n", false},
+		{"da", false},
+	}
+	for _, c := range cases {
+		if got := isPassThroughSSELine([]byte(c.line)); got != c.want {
+			t.Errorf("isPassThroughSSELine(%q) = %v, want %v", c.line, got, c.want)
+		}
+	}
+}
@@ -281,9 +281,9 @@ func (c *Client) ChatCompletionStream(ctx context.Context, payload interface{},

 // StreamToolCall 流式工具调用的累积结果（arguments 以字符串形式拼接，留给上层再解析为 JSON）。
 type StreamToolCall struct {
-	Index            int
-	ID               string
-	Type             string
+	Index           int
+	ID              string
+	Type            string
 	FunctionName    string
 	FunctionArgsStr string
 }
@@ -348,10 +348,10 @@ func (c *Client) ChatCompletionStreamWithToolCalls(
 		Arguments string `json:"arguments,omitempty"`
 	}
 	type toolCallDelta struct {
-		Index    int                     `json:"index,omitempty"`
-		ID       string                  `json:"id,omitempty"`
-		Type     string                  `json:"type,omitempty"`
-		Function toolCallFunctionDelta  `json:"function,omitempty"`
+		Index    int                   `json:"index,omitempty"`
+		ID       string                `json:"id,omitempty"`
+		Type     string                `json:"type,omitempty"`
+		Function toolCallFunctionDelta `json:"function,omitempty"`
 	}
 	type streamDelta2 struct {
 		Content   string          `json:"content,omitempty"`
@@ -371,10 +371,10 @@ func (c *Client) ChatCompletionStreamWithToolCalls(
 	}

 	type toolCallAccum struct {
-		id    string
-		typ   string
-		name  string
-		args  strings.Builder
+		id   string
+		typ  string
+		name string
+		args strings.Builder
 	}
 	toolCallAccums := make(map[int]*toolCallAccum)

@@ -475,9 +475,9 @@ func (c *Client) ChatCompletionStreamWithToolCalls(
 	for _, idx := range indices {
 		acc := toolCallAccums[idx]
 		tc := StreamToolCall{
-			Index:            idx,
-			ID:               acc.id,
-			Type:             acc.typ,
+			Index:           idx,
+			ID:              acc.id,
+			Type:            acc.typ,
 			FunctionName:    acc.name,
 			FunctionArgsStr: acc.args.String(),
 		}
@@ -19,11 +19,11 @@ import (
 func setupTestExecutor(t *testing.T) (*Executor, *mcp.Server) {
 	logger := zap.NewNop()
 	mcpServer := mcp.NewServer(logger)
-	
+
 	cfg := &config.SecurityConfig{
 		Tools: []config.ToolConfig{},
 	}
-	
+
 	executor := NewExecutor(cfg, mcpServer, logger)
 	return executor, mcpServer
 }
@@ -32,12 +32,12 @@ func setupTestExecutor(t *testing.T) (*Executor, *mcp.Server) {
 func setupTestStorage(t *testing.T) *storage.FileResultStorage {
 	tmpDir := filepath.Join(os.TempDir(), "test_executor_storage_"+time.Now().Format("20060102_150405"))
 	logger := zap.NewNop()
-	
+
 	storage, err := storage.NewFileResultStorage(tmpDir, logger)
 	if err != nil {
 		t.Fatalf("创建测试存储失败: %v", err)
 	}
-	
+
 	return storage
 }

@@ -45,46 +45,46 @@ func TestExecutor_ExecuteInternalTool_QueryExecutionResult(t *testing.T) {
 	executor, _ := setupTestExecutor(t)
 	testStorage := setupTestStorage(t)
 	executor.SetResultStorage(testStorage)
-	
+
 	// 准备测试数据
 	executionID := "test_exec_001"
 	toolName := "nmap_scan"
 	result := "Line 1: Port 22 open\nLine 2: Port 80 open\nLine 3: Port 443 open\nLine 4: error occurred"
-	
+
 	// 保存测试结果
 	err := testStorage.SaveResult(executionID, toolName, result)
 	if err != nil {
 		t.Fatalf("保存测试结果失败: %v", err)
 	}
-	
+
 	ctx := context.Background()
-	
+
 	// 测试1: 基本查询（第一页）
 	args := map[string]interface{}{
 		"execution_id": executionID,
 		"page":         float64(1),
 		"limit":        float64(2),
 	}
-	
+
 	toolResult, err := executor.executeQueryExecutionResult(ctx, args)
 	if err != nil {
 		t.Fatalf("执行查询失败: %v", err)
 	}
-	
+
 	if toolResult.IsError {
 		t.Fatalf("查询应该成功，但返回了错误: %s", toolResult.Content[0].Text)
 	}
-	
+
 	// 验证结果包含预期内容
 	resultText := toolResult.Content[0].Text
 	if !strings.Contains(resultText, executionID) {
 		t.Errorf("结果中应该包含执行ID: %s", executionID)
 	}
-	
+
 	if !strings.Contains(resultText, "第 1/") {
 		t.Errorf("结果中应该包含分页信息")
 	}
-	
+
 	// 测试2: 搜索功能
 	args2 := map[string]interface{}{
 		"execution_id": executionID,
@@ -92,21 +92,21 @@ func TestExecutor_ExecuteInternalTool_QueryExecutionResult(t *testing.T) {
 		"page":         float64(1),
 		"limit":        float64(10),
 	}
-	
+
 	toolResult2, err := executor.executeQueryExecutionResult(ctx, args2)
 	if err != nil {
 		t.Fatalf("执行搜索失败: %v", err)
 	}
-	
+
 	if toolResult2.IsError {
 		t.Fatalf("搜索应该成功，但返回了错误: %s", toolResult2.Content[0].Text)
 	}
-	
+
 	resultText2 := toolResult2.Content[0].Text
 	if !strings.Contains(resultText2, "error") {
 		t.Errorf("搜索结果中应该包含关键词: error")
 	}
-	
+
 	// 测试3: 过滤功能
 	args3 := map[string]interface{}{
 		"execution_id": executionID,
@@ -114,46 +114,46 @@ func TestExecutor_ExecuteInternalTool_QueryExecutionResult(t *testing.T) {
 		"page":         float64(1),
 		"limit":        float64(10),
 	}
-	
+
 	toolResult3, err := executor.executeQueryExecutionResult(ctx, args3)
 	if err != nil {
 		t.Fatalf("执行过滤失败: %v", err)
 	}
-	
+
 	if toolResult3.IsError {
 		t.Fatalf("过滤应该成功，但返回了错误: %s", toolResult3.Content[0].Text)
 	}
-	
+
 	resultText3 := toolResult3.Content[0].Text
 	if !strings.Contains(resultText3, "Port") {
 		t.Errorf("过滤结果中应该包含关键词: Port")
 	}
-	
+
 	// 测试4: 缺少必需参数
 	args4 := map[string]interface{}{
 		"page": float64(1),
 	}
-	
+
 	toolResult4, err := executor.executeQueryExecutionResult(ctx, args4)
 	if err != nil {
 		t.Fatalf("执行查询失败: %v", err)
 	}
-	
+
 	if !toolResult4.IsError {
 		t.Fatal("缺少execution_id应该返回错误")
 	}
-	
+
 	// 测试5: 不存在的执行ID
 	args5 := map[string]interface{}{
 		"execution_id": "nonexistent_id",
 		"page":         float64(1),
 	}
-	
+
 	toolResult5, err := executor.executeQueryExecutionResult(ctx, args5)
 	if err != nil {
 		t.Fatalf("执行查询失败: %v", err)
 	}
-	
+
 	if !toolResult5.IsError {
 		t.Fatal("不存在的执行ID应该返回错误")
 	}
@@ -161,22 +161,22 @@ func TestExecutor_ExecuteInternalTool_QueryExecutionResult(t *testing.T) {

 func TestExecutor_ExecuteInternalTool_UnknownTool(t *testing.T) {
 	executor, _ := setupTestExecutor(t)
-	
+
 	ctx := context.Background()
 	args := map[string]interface{}{
 		"test": "value",
 	}
-	
+
 	// 测试未知的内部工具类型
 	toolResult, err := executor.executeInternalTool(ctx, "unknown_tool", "internal:unknown_tool", args)
 	if err != nil {
 		t.Fatalf("执行内部工具失败: %v", err)
 	}
-	
+
 	if !toolResult.IsError {
 		t.Fatal("未知的工具类型应该返回错误")
 	}
-	
+
 	if !strings.Contains(toolResult.Content[0].Text, "未知的内部工具类型") {
 		t.Errorf("错误消息应该包含'未知的内部工具类型'")
 	}
@@ -185,21 +185,21 @@ func TestExecutor_ExecuteInternalTool_UnknownTool(t *testing.T) {
 func TestExecutor_ExecuteInternalTool_NoStorage(t *testing.T) {
 	executor, _ := setupTestExecutor(t)
 	// 不设置存储，测试未初始化的情况
-	
+
 	ctx := context.Background()
 	args := map[string]interface{}{
 		"execution_id": "test_id",
 	}
-	
+
 	toolResult, err := executor.executeQueryExecutionResult(ctx, args)
 	if err != nil {
 		t.Fatalf("执行查询失败: %v", err)
 	}
-	
+
 	if !toolResult.IsError {
 		t.Fatal("未初始化的存储应该返回错误")
 	}
-	
+
 	if !strings.Contains(toolResult.Content[0].Text, "结果存储未初始化") {
 		t.Errorf("错误消息应该包含'结果存储未初始化'")
 	}
@@ -207,7 +207,7 @@ func TestExecutor_ExecuteInternalTool_NoStorage(t *testing.T) {

 func TestPaginateLines(t *testing.T) {
 	lines := []string{"Line 1", "Line 2", "Line 3", "Line 4", "Line 5"}
-	
+
 	// 测试第一页
 	page := paginateLines(lines, 1, 2)
 	if page.Page != 1 {
@@ -225,7 +225,7 @@ func TestPaginateLines(t *testing.T) {
 	if len(page.Lines) != 2 {
 		t.Errorf("第一页行数不匹配。期望: 2, 实际: %d", len(page.Lines))
 	}
-	
+
 	// 测试第二页
 	page2 := paginateLines(lines, 2, 2)
 	if len(page2.Lines) != 2 {
@@ -234,13 +234,13 @@ func TestPaginateLines(t *testing.T) {
 	if page2.Lines[0] != "Line 3" {
 		t.Errorf("第二页第一行不匹配。期望: Line 3, 实际: %s", page2.Lines[0])
 	}
-	
+
 	// 测试最后一页
 	page3 := paginateLines(lines, 3, 2)
 	if len(page3.Lines) != 1 {
 		t.Errorf("第三页行数不匹配。期望: 1, 实际: %d", len(page3.Lines))
 	}
-	
+
 	// 测试超出范围的页码（应该返回最后一页）
 	page4 := paginateLines(lines, 4, 2)
 	if page4.Page != 3 {
@@ -249,13 +249,13 @@ func TestPaginateLines(t *testing.T) {
 	if len(page4.Lines) != 1 {
 		t.Errorf("最后一页应该只有1行。实际: %d行", len(page4.Lines))
 	}
-	
+
 	// 测试无效页码（小于1）
 	page0 := paginateLines(lines, 0, 2)
 	if page0.Page != 1 {
 		t.Errorf("无效页码应该被修正为1。实际: %d", page0.Page)
 	}
-	
+
 	// 测试空列表
 	emptyPage := paginateLines([]string{}, 1, 10)
 	if emptyPage.TotalLines != 0 {
@@ -265,4 +265,3 @@ func TestPaginateLines(t *testing.T) {
 		t.Errorf("空列表应该返回空结果。实际: %d行", len(emptyPage.Lines))
 	}
 }
-
@@ -16,10 +16,10 @@ type rateLimitEntry struct {

 // RateLimiter 基于 IP 的滑动窗口速率限制器
 type RateLimiter struct {
-	mu       sync.Mutex
-	entries  map[string]*rateLimitEntry
-	limit    int           // 窗口内允许的最大请求数
-	window   time.Duration // 窗口时长
+	mu      sync.Mutex
+	entries map[string]*rateLimitEntry
+	limit   int           // 窗口内允许的最大请求数
+	window  time.Duration // 窗口时长
 }

 // NewRateLimiter 创建速率限制器
@@ -162,4 +162,3 @@ func truncateRunes(s string, max int) string {
 	}
 	return string(r[:max]) + "…"
 }
-
@@ -49,12 +49,12 @@ func ParseSkillMD(raw []byte) (*SkillManifest, string, error) {
 }

 type skillFrontMatterExport struct {
-	Name            string         `yaml:"name"`
-	Description     string         `yaml:"description"`
-	License         string         `yaml:"license,omitempty"`
-	Compatibility   string         `yaml:"compatibility,omitempty"`
-	Metadata        map[string]any `yaml:"metadata,omitempty"`
-	AllowedTools    string         `yaml:"allowed-tools,omitempty"`
+	Name          string         `yaml:"name"`
+	Description   string         `yaml:"description"`
+	License       string         `yaml:"license,omitempty"`
+	Compatibility string         `yaml:"compatibility,omitempty"`
+	Metadata      map[string]any `yaml:"metadata,omitempty"`
+	AllowedTools  string         `yaml:"allowed-tools,omitempty"`
 }

 // BuildSkillMD serializes SKILL.md per agentskills.io.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
公明	dec69a1993	Update config.yaml	2026-05-01 01:33:17 +08:00
公明	15aab2584a	Add files via upload	2026-05-01 01:32:54 +08:00
公明	399b697d75	Add files via upload	2026-05-01 01:31:19 +08:00
公明	e0753fd03e	Add files via upload	2026-05-01 01:28:19 +08:00
公明	9b1e493023	Add files via upload	2026-05-01 01:05:48 +08:00
公明	77d212098d	Add files via upload	2026-05-01 01:03:28 +08:00
公明	39926007fe	Add files via upload	2026-05-01 01:01:30 +08:00
公明	0e35506ae1	Add files via upload	2026-05-01 01:00:23 +08:00
公明	9ff8bfa44b	Add files via upload	2026-04-30 20:31:17 +08:00
公明	1d9fcfd87e	Update version number to v1.5.16	2026-04-30 20:28:21 +08:00
公明	91cb650234	Add files via upload	2026-04-30 15:20:13 +08:00
公明	44e7d3b340	Add files via upload	2026-04-30 15:01:35 +08:00
公明	531b05299a	Add files via upload	2026-04-30 10:49:19 +08:00
公明	0de69a6345	Add files via upload	2026-04-30 10:43:23 +08:00
公明	6a2a445f32	Update config.yaml	2026-04-30 01:56:47 +08:00
公明	6aaa21d3e0	Add files via upload	2026-04-30 01:55:23 +08:00
公明	5c57d358ef	Add files via upload	2026-04-30 01:53:46 +08:00
公明	65a3475c02	Add files via upload	2026-04-30 01:52:11 +08:00
公明	516ebf7a65	Add files via upload	2026-04-29 22:40:17 +08:00
公明	2558be3d7d	Add files via upload	2026-04-29 22:38:14 +08:00
公明	f6bb455313	Update config.yaml	2026-04-29 17:14:19 +08:00
公明	fc64356282	Add files via upload	2026-04-29 17:10:53 +08:00
公明	3d4fce9b89	Add files via upload	2026-04-29 17:09:37 +08:00
公明	3e41a47abf	Add files via upload	2026-04-29 17:05:02 +08:00
公明	5b942c7bc8	Add files via upload	2026-04-29 17:03:51 +08:00
公明	bcfb7b8da1	Update config.yaml	2026-04-29 04:11:31 +08:00
公明	f420ae0265	Add files via upload	2026-04-29 03:28:32 +08:00
公明	e3f59b29ab	Add files via upload	2026-04-29 03:26:27 +08:00
公明	87cba37203	Add files via upload	2026-04-29 03:24:48 +08:00
公明	4773b9e963	Update config.yaml	2026-04-29 03:01:21 +08:00
公明	eda5f9bba1	Add files via upload	2026-04-29 02:59:34 +08:00
公明	1318607813	Add files via upload	2026-04-29 02:57:22 +08:00
公明	5100924abe	Add files via upload	2026-04-29 02:54:43 +08:00
公明	44079674dd	Add files via upload	2026-04-28 14:07:01 +08:00
公明	d959390e27	Update config.yaml	2026-04-28 11:45:27 +08:00
公明	62a0d8cb71	Add files via upload	2026-04-28 11:40:09 +08:00
公明	b53cae3a02	Add files via upload	2026-04-28 11:37:52 +08:00
公明	3b3d094dc4	Add files via upload	2026-04-28 10:26:09 +08:00
公明	47922c2083	Add files via upload	2026-04-28 10:23:24 +08:00
公明	dfaf0bc77f	Update config.yaml	2026-04-28 01:23:57 +08:00
公明	3eb7edb1b8	Add files via upload	2026-04-28 01:23:33 +08:00
公明	f82f6b861e	Add files via upload	2026-04-28 01:22:21 +08:00
公明	2acf43c454	Add files via upload	2026-04-28 01:19:01 +08:00
公明	fad6b3c808	Add files via upload	2026-04-28 01:05:58 +08:00
公明	0597838217	Add files via upload	2026-04-28 01:04:58 +08:00
公明	1532426b4f	Add files via upload	2026-04-28 01:02:30 +08:00
公明	3aeb8c3474	Add files via upload	2026-04-28 00:37:46 +08:00
公明	b2b166972a	Add files via upload	2026-04-28 00:33:29 +08:00
公明	36b669771c	Delete internal/multiagent directory	2026-04-28 00:30:34 +08:00
公明	96564d4d89	Update default_single_system_prompt.go	2026-04-27 14:58:49 +08:00
公明	d85afa2d39	Add files via upload	2026-04-27 11:29:16 +08:00
公明	55b6bceb21	Update config.yaml	2026-04-26 15:11:48 +08:00
公明	65d73b3d66	Add files via upload	2026-04-26 15:08:48 +08:00
公明	913115d1fb	Add files via upload	2026-04-26 04:26:29 +08:00
公明	e1b967d781	Add files via upload	2026-04-26 04:18:38 +08:00
公明	9d9efa886f	Add files via upload	2026-04-26 04:17:27 +08:00
公明	cae45e9dc5	Add files via upload	2026-04-26 04:16:25 +08:00
公明	c788b59f25	Update config.yaml	2026-04-24 20:01:42 +08:00
公明	5edf3a70f9	Add files via upload	2026-04-24 20:00:50 +08:00
公明	3dfb3b4e82	Add files via upload	2026-04-24 19:59:15 +08:00
公明	a517fe0931	Add files via upload	2026-04-24 19:56:09 +08:00
公明	0ab5e31a64	Add files via upload	2026-04-24 18:24:52 +08:00
公明	ea6e027b25	Add files via upload	2026-04-24 17:30:22 +08:00
公明	ba9d2f0afd	Update config.yaml	2026-04-24 15:43:00 +08:00
公明	6ce835703e	Add files via upload	2026-04-24 11:24:10 +08:00
公明	666980ad8f	Add files via upload	2026-04-24 11:08:47 +08:00
公明	bc8e81307e	Add files via upload	2026-04-24 11:07:03 +08:00
公明	053534feaa	Add files via upload	2026-04-24 11:04:55 +08:00
公明	88fd71e04c	Update config.yaml	2026-04-24 02:08:55 +08:00
公明	590400b605	Add files via upload	2026-04-24 02:07:58 +08:00
公明	c83c48305b	Add HITL tool whitelist to config.yaml Add HITL global whitelist configuration for tools.	2026-04-24 01:57:22 +08:00
公明	96d11087f9	Add files via upload	2026-04-24 01:55:59 +08:00
公明	d17da2a47d	Add files via upload	2026-04-24 01:54:38 +08:00
公明	e03bdf8044	Add files via upload	2026-04-24 01:51:25 +08:00
公明	943a3b2646	Add files via upload	2026-04-24 01:50:55 +08:00
公明	38169abc4b	Add files via upload	2026-04-22 13:59:17 +08:00
公明	edf66de27d	Add files via upload	2026-04-22 13:57:50 +08:00
公明	ebe4aa035b	Add files via upload	2026-04-22 13:55:49 +08:00
公明	b076425c5e	Add files via upload	2026-04-22 13:53:32 +08:00
公明	e664aaccfe	Add files via upload	2026-04-22 13:50:50 +08:00
公明	9e2d9b4288	Update config.yaml	2026-04-22 13:45:16 +08:00
公明	0d3c1e333e	Add files via upload	2026-04-22 12:04:14 +08:00
公明	8daf0b3870	Update config.yaml	2026-04-22 12:02:06 +08:00
公明	ed4848168b	Add files via upload	2026-04-22 12:00:50 +08:00
公明	6ca2930353	Add files via upload	2026-04-22 11:59:34 +08:00
公明	d92edbc929	Update config.yaml	2026-04-22 11:12:09 +08:00
公明	de9b1247d6	Add files via upload	2026-04-22 11:11:04 +08:00
公明	7ddf0f2437	Add files via upload	2026-04-22 11:09:43 +08:00
公明	e04b5b66d7	Add files via upload	2026-04-22 11:06:00 +08:00
公明	c841809f9e	Add files via upload	2026-04-22 10:03:46 +08:00
公明	928b696c06	Add files via upload	2026-04-22 00:06:16 +08:00
公明	5fcccfab40	Delete tools/winpeas.yaml	2026-04-21 22:43:21 +08:00
公明	839d31fd50	Delete tools/hash-identifier.yaml	2026-04-21 22:42:30 +08:00
公明	9d635a35ea	Delete tools/qsreplace.yaml	2026-04-21 22:41:57 +08:00
公明	c288a2e631	Delete tools/uro.yaml	2026-04-21 22:41:31 +08:00
公明	ff8db01038	Delete tools/anew.yaml	2026-04-21 22:40:51 +08:00
公明	026cfbdd37	Disable feroxbuster tool in configuration	2026-04-21 22:40:27 +08:00
公明	bf3c53ccec	Update gobuster.yaml	2026-04-21 22:39:45 +08:00
公明	1a3cf88465	Delete tools/autorecon.yaml	2026-04-21 22:30:44 +08:00
公明	b8fd01dbfb	Delete tools/docker-bench-security.yaml	2026-04-21 22:28:29 +08:00
公明	fa45315d3f	Delete tools/fcrackzip.yaml	2026-04-21 22:24:48 +08:00
公明	c16101ce42	Delete tools/pdfcrack.yaml	2026-04-21 22:24:20 +08:00
公明	a9a4c94b2b	Delete tools/cyberchef.yaml	2026-04-21 22:22:31 +08:00
公明	773fabdda6	Delete tools/stegsolve.yaml	2026-04-21 22:22:10 +08:00
公明	bd686a6c47	Delete tools/burpsuite.yaml	2026-04-21 22:21:43 +08:00
公明	cde787b594	Delete tools/hakrawler.yaml	2026-04-21 22:19:59 +08:00
公明	2abf8d1618	Delete tools/wfuzz.yaml	2026-04-21 22:17:26 +08:00
公明	d42050679e	Delete tools/dirb.yaml	2026-04-21 22:16:10 +08:00
公明	4279bb7b26	Delete tools/enum4linux.yaml	2026-04-21 22:15:42 +08:00
公明	e27c7de6bb	Delete tools/volatility.yaml	2026-04-21 22:15:10 +08:00
公明	ef8066572f	Delete tools/gdb-peda.yaml	2026-04-21 22:14:45 +08:00
公明	4bd2da8136	Add files via upload	2026-04-21 21:50:03 +08:00
公明	e75e393f06	Add files via upload	2026-04-21 21:47:46 +08:00
公明	58d2e20274	Add files via upload	2026-04-21 21:44:12 +08:00