chore(cli): pre-merge cleanup — docker images, comments, tsconfig lib

- docker-compose.yaml: revert api/web from build: back to image tags (1.14.1); fix api_websocket/worker/worker_beat downgraded to 1.14.0 - Remove verbose internal design comments from openapi controllers - web/next.config.ts: trim anti-framing comment to one line - cli/tsconfig.json: drop lib:ES2015 override (broke Error.cause typing) - eslint.config.mjs: ignore cli/context/** and cli/docs/** (local caches) - pnpm-lock.yaml: regenerate after fresh install
2026-05-26 20:07:46 +08:00 · 2026-05-14 20:35:05 -07:00
parent 9d554495cf
commit e0f4e98a2f
10 changed files with 1697 additions and 1248 deletions
--- a/api/controllers/openapi/_models.py
+++ b/api/controllers/openapi/_models.py
@ -9,9 +9,7 @@ from pydantic import BaseModel, ConfigDict, Field, field_validator
 from libs.helper import UUIDStrOrEmpty, uuid_value
 from models.model import AppMode

-# Server-side cap on `limit` query param for any /openapi/v1/* list endpoint.
-# Sibling endpoints (`/apps`, `/account/sessions`, future routes) all clamp to
-# this; do not introduce per-endpoint caps without raising the constant.
+# Server-side cap on `limit` query param for /openapi/v1/* list endpoints.
 MAX_PAGE_LIMIT = 200


--- a/api/controllers/openapi/apps.py
+++ b/api/controllers/openapi/apps.py
@ -46,9 +46,6 @@ from services.app_service import AppListParams, AppService
 from services.openapi.visibility import apply_openapi_gate, is_openapi_visible
 from services.tag_service import TagService

-# method_decorators applies left-to-right innermost-first; flask_restx wraps
-# in order, so the LAST entry is the outermost. Execution flows
-# validate_bearer → accept_subjects → require_scope → handler.
 _APPS_READ_DECORATORS = [
    require_scope(Scope.APPS_READ),
    accept_subjects(SubjectType.ACCOUNT),
--- a/api/controllers/openapi/apps_permitted_external.py
+++ b/api/controllers/openapi/apps_permitted_external.py
@ -37,13 +37,6 @@ from services.openapi.visibility import apply_openapi_gate

@openapi_ns.route("/permitted-external-apps")
 class PermittedExternalAppsListApi(Resource):
-    # method_decorators applies left-to-right innermost-first; execution
-    # flows enterprise_only → validate_bearer → accept_subjects →
-    # license_required → require_scope → handler. validate_bearer is
-    # widened to ACCEPT_USER_ANY so accept_subjects can emit the
-    # `openapi.wrong_surface_denied` audit on dfoa_→external misses
-    # instead of validate_bearer rejecting silently with "subject type
-    # not accepted here".
    method_decorators = [
        require_scope(Scope.APPS_READ_PERMITTED_EXTERNAL),
        license_required,
@ -104,7 +97,6 @@ class PermittedExternalAppsListApi(Resource):
                    workspace_name=tenant.name if tenant else None,
                )
            )
-        # total/has_more reflect the EE-side allow-list; len(items) may be < limit when local rows are dropped.
        env = PermittedExternalAppsListResponse(
            page=query.page,
            limit=query.limit,
--- a/api/controllers/openapi/auth/composition.py
+++ b/api/controllers/openapi/auth/composition.py
@ -35,12 +35,6 @@ def _resolve_app_authz_strategy() -> AppAuthzStrategy:
    return MembershipStrategy()


-# Pipeline currently serves only `/openapi/v1/apps/<id>/run` — an account
-# (dfoa_) surface route. SurfaceCheck runs right after BearerCheck so
-# pipeline-guarded routes get the same wrong_surface 403 + audit emit as
-# the inline `@accept_subjects` decorator on read endpoints. When the
-# external-surface run route lands, swap in an external-pipeline builder
-# that constructs SurfaceCheck(accepted=frozenset({USER_EXT_SSO})).
 OAUTH_BEARER_PIPELINE = Pipeline(
    BearerCheck(),
    SurfaceCheck(accepted=frozenset({SubjectType.ACCOUNT})),
--- a/api/controllers/openapi/auth/steps.py
+++ b/api/controllers/openapi/auth/steps.py
@ -160,8 +160,6 @@ class CallerMount:
        raise Unauthorized("no caller mounter for subject type")


-# AuthContext re-export so callers reading `g.auth_ctx` after a pipeline
-# run get a consistent import location next to the step that writes it.
 __all__ = [
    "AppAuthzCheck",
    "AppResolver",
--- a/cli/tsconfig.json
+++ b/cli/tsconfig.json
@ -1,7 +1,6 @@
 {
  "extends": "@dify/tsconfig/node.json",
  "compilerOptions": {
-    "lib": ["ES2015"],
    "rootDir": "src",
    "types": ["node"],
    "declaration": true,
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@ -226,6 +226,7 @@ services:
  # API service
  api:
    <<: *shared-api-worker-config
+    image: langgenius/dify-api:1.14.1
    build:
      context: ../api
      dockerfile: Dockerfile
@ -272,7 +273,7 @@ services:
  # WebSocket service for workflow collaboration.
  api_websocket:
    <<: *shared-api-worker-config
-    image: langgenius/dify-api:1.14.0
+    image: langgenius/dify-api:1.14.1
    profiles:
      - collaboration
    environment:
@ -298,7 +299,7 @@ services:
  # The Celery worker for processing all queues (dataset, workflow, mail, etc.)
  worker:
    <<: *shared-worker-config
-    image: langgenius/dify-api:1.14.0
+    image: langgenius/dify-api:1.14.1
    environment:
      MODE: worker
      SENTRY_DSN: ${API_SENTRY_DSN:-}
@ -341,7 +342,7 @@ services:
  # Celery beat for scheduling periodic tasks.
  worker_beat:
    <<: *shared-worker-beat-config
-    image: langgenius/dify-api:1.14.0
+    image: langgenius/dify-api:1.14.1
    environment:
      MODE: beat
    depends_on:
@ -374,6 +375,7 @@ services:

  # Frontend web application.
  web:
+    image: langgenius/dify-web:1.14.1
    build:
      context: ..
      dockerfile: web/Dockerfile
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -23,7 +23,8 @@ export default antfu(
      '!web/**',
      '!e2e/**',
      '!cli/**',
-      'cli/docs/specs/**',
+      'cli/context/**',
+      'cli/docs/**',
      'cli/oclif.manifest.json',
      '!eslint.config.mjs',
      '!package.json',
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/web/next.config.ts
+++ b/web/next.config.ts
@ -34,14 +34,11 @@ const nextConfig: NextConfig = {
      },
    ]
  },
-  // Anti-framing for device-flow surfaces. A framed /device page could UI-trick
-  // a victim with a valid device_approval_grant cookie into approving a
-  // device_code — functionally CSRF, bypasses the double-submit token. Deny
-  // framing outright on every device-flow route; no trusted embedder exists.
+  // Deny framing on device-flow routes — no trusted embedder exists.
  async headers() {
    const antiFrame = [
      { key: 'X-Frame-Options', value: 'DENY' },
-      { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
+      { key: 'Content-Security-Policy', value: 'frame-ancestors \'none\'' },
    ]
    return [
      { source: '/device', headers: antiFrame },