release v0.8.1

.env.example

@@ -57,6 +57,17 @@ API_TEST_TIMEOUT_MS=15000
 # 警告：若设置为 true 且使用远程 HTTP 访问，浏览器将拒绝设置 Cookie 导致无法登录
 ENABLE_SECURE_COOKIES=true
 
+# Management REST API / legacy actions API
+# - ENABLE_LEGACY_ACTIONS_API=false returns 410 Gone for legacy /api/actions execution.
+# - LEGACY_ACTIONS_DOCS_MODE=hidden returns 410 for legacy docs even when execution stays enabled.
+# - ENABLE_API_KEY_ADMIN_ACCESS=true allows admin-role DB API keys to call admin /api/v1 routes.
+# - CSRF_SECRET signs cookie-authenticated management mutations; set the same value on all replicas.
+ENABLE_LEGACY_ACTIONS_API=true
+LEGACY_ACTIONS_DOCS_MODE=deprecated
+LEGACY_ACTIONS_SUNSET_DATE=2026-12-31
+ENABLE_API_KEY_ADMIN_ACCESS=false
+CSRF_SECRET=
+
 # Redis 配置（用于限流和 Session 追踪）
 # 功能说明：
 # - 限流功能：金额限制（5小时/周/月）+ Session 并发限制
@@ -74,7 +85,9 @@ API_KEY_AUTH_CACHE_TTL_SECONDS="60"      # 鉴权缓存 TTL（秒，默认 60，
 ENABLE_API_KEY_REDIS_CACHE="true"        # 是否启用 API Key Redis 缓存（默认：true）
 
 # Session 配置
-SESSION_TTL=300                         # Session 过期时间（秒，默认 300 = 5 分钟）
+# 降低该值会按签发时间收紧已签发 ADMIN_TOKEN 签名 cookie 的剩余寿命，且不会延长其原始 exp。
+AUTH_SESSION_TTL_SECONDS=604800         # Web UI 登录态过期时间（秒，默认 604800 = 7 天，范围 60-31536000）
+SESSION_TTL=300                         # 代理请求上下文缓存时间（秒，默认 300 = 5 分钟；不控制 Web UI 登录态）
 STORE_SESSION_MESSAGES=false            # 会话消息存储模式（默认：false）
                                         # - false：存储请求/响应体但对 message 内容脱敏 [REDACTED]
                                         # - true：原样存储 message 内容（注意隐私和存储空间影响）

.github/workflows/claude-ci-autofix.yml

@@ -60,7 +60,7 @@ jobs:
           echo "Branch validation passed: syncing $SOURCE -> $TARGET"
 
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.inputs.target_branch }}
           fetch-depth: 0
@@ -237,14 +237,14 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
 
       - name: Get CI failure details
         id: failure_details
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const run = await github.rest.actions.getWorkflowRun({

.github/workflows/claude-issue-auto-response.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Check if Codex workflow succeeded for this issue
         if: steps.perm_check.outputs.EXTERNAL_USER == 'false'
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             // Wait for Codex workflow to complete (max 5 minutes)
@@ -91,7 +91,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/claude-issue-duplicate-check.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/claude-issue-oncall-triage.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Claude Code for Oncall Triage
         uses: anthropics/claude-code-action@v1

.github/workflows/claude-issue-stale-cleanup.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Claude Code for Stale Issue Cleanup
         uses: anthropics/claude-code-action@v1

.github/workflows/claude-issue-triage.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/claude-mention-responder.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/claude-pr-description.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/claude-pr-label.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/claude-pr-review.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Check if Codex workflow succeeded for this PR
         if: steps.perm_check.outputs.EXTERNAL_USER == 'false'
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             // Wait for Codex workflow to complete (max 10 minutes for PR review)
@@ -99,7 +99,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/claude-review-responder.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}

.github/workflows/claude-unified-docs.yml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}

.github/workflows/codex-issue-auto-response.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/codex-pr-review.yml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
           fetch-depth: 0
@@ -60,7 +60,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Post Review Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         env:
           REVIEW_RESULT: ${{ needs.pr-review.outputs.review_result }}
         with:

.github/workflows/dev.yml

@@ -18,7 +18,7 @@ jobs:
     if: github.event.pusher.name != 'github-actions[bot]' && !contains(github.event.head_commit.message, '[skip ci]')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -56,7 +56,7 @@ jobs:
           echo "Versioned tag: $VERSIONED_TAG"
 
       - name: Setup Node.js for formatting
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: "20"
 
@@ -66,7 +66,7 @@ jobs:
           bun-version-file: .bun-version
 
       - name: Cache Bun package cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.bun/install/cache
           # This repo intentionally does not track Bun lockfiles; rotate cache on package/runtime inputs.
@@ -112,20 +112,20 @@ jobs:
 
       # Docker构建步骤
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: ./deploy/Dockerfile

.github/workflows/pr-check.yml

@@ -21,20 +21,20 @@ jobs:
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: 📦 Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
           bun-version-file: .bun-version
 
       - name: 🟢 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20'
 
       - name: Cache Bun package cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.bun/install/cache
           # This repo intentionally does not track Bun lockfiles; rotate cache on package/runtime inputs.
@@ -71,22 +71,22 @@ jobs:
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: 📋 Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=ref,event=pr
             type=sha,prefix=pr-
 
       - name: 🏗️ Build Docker image (Test Only - No Push)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: ./deploy/Dockerfile

.github/workflows/release.yml

@@ -37,7 +37,7 @@ jobs:
       (github.event.pusher.name != 'github-actions[bot]' && !contains(github.event.head_commit.message, '[skip ci]'))
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -191,7 +191,7 @@ jobs:
 
       - name: Setup Node.js for formatting
         if: steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch'
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: "20"
 
@@ -203,7 +203,7 @@ jobs:
 
       - name: Cache Bun package cache
         if: steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch'
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.bun/install/cache
           # This repo intentionally does not track Bun lockfiles; rotate cache on package/runtime inputs.
@@ -258,7 +258,7 @@ jobs:
 
       - name: Create GitHub Release
         if: (steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch') && success()
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           tag_name: ${{ steps.next_version.outputs.new_tag }}
           name: Release ${{ steps.next_version.outputs.new_version }}
@@ -381,23 +381,23 @@ jobs:
       # Docker构建步骤
       - name: Set up QEMU
         if: (steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch') && success()
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
         if: (steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch') && success()
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to GitHub Container Registry
         if: (steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch') && success()
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
         if: (steps.check.outputs.needs_bump == 'true' || github.event_name == 'workflow_dispatch') && success()
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: ./deploy/Dockerfile