futuremeng · futuremeng · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
@@ -3,14 +3,8 @@
 name: Deploy website to GitHub Pages
 
 on:
-  push:
-    branches: [main]
-    paths:
-      - "website/**"
-      - "scripts/install.sh"
-      - "scripts/install.ps1"
-      - "scripts/install.bat"
-      - ".github/workflows/deploy-website.yml"
+  release:
+    types: [published]
   workflow_dispatch:
 
 permissions:

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -12,6 +12,8 @@ Thank you for your interest in contributing to CoPaw! CoPaw is an open-source **
 
 To keep collaboration smooth and maintain quality, please follow these guidelines.
 
+> Branching recommendation: read the [Dual-Mainline Branching SOP (Local Collaboration)](DEV_BRANCHING_SOP.md) first.
+
 ### 1. Check Existing Plans and Issues
 
 Before starting:

diff --git a/CONTRIBUTING_zh.md b/CONTRIBUTING_zh.md
@@ -12,6 +12,8 @@
 
 为了保持协作顺畅并维护质量，请遵循以下指南。
 
+> 分支协作建议：请先阅读[双主线开发 SOP（本地协作版）](DEV_BRANCHING_SOP_zh.md)。
+
 ### 1. 检查现有计划和问题
 
 在开始之前：

diff --git a/DEV_BRANCHING_SOP.md b/DEV_BRANCHING_SOP.md
@@ -0,0 +1,80 @@
+# CoPaw Dual-Mainline Branching SOP (Local Collaboration)
+
+This SOP standardizes local dual-mainline workflows and prevents accidental merges into the wrong mainline.
+
+## 1. Branch Roles
+
+- upstream/main: upstream source-of-truth mainline for sync and upstream PR baselines.
+- fork/main: local development mainline where features are merged and validated first.
+- main (local): choose exactly one model and keep it consistent.
+  - Model A (recommended): upstream mirror line.
+  - Model B: local release integration line.
+
+Important: The team must align on what local main means before daily work.
+
+## 2. Standard Development Flow
+
+1. Refresh base lines
+- git fetch --all --prune
+- git checkout fork/main
+- git merge --ff-only upstream/main
+
+2. Create feature branch
+- git checkout -b feat/upstream/<topic> fork/main
+
+3. Develop and commit
+- Follow Conventional Commits.
+- Pass local gates before push/PR (pre-commit, pytest).
+
+4. First merge stage (required)
+- Merge feature into fork/main first.
+- Commands:
+  - git checkout fork/main
+  - git merge --no-ff feat/upstream/<topic>
+
+5. Second merge stage (optional, policy-based)
+- If main is a local release integration line: merge fork/main into main.
+- If main is an upstream mirror line: do not merge fork/main directly into main; open PR to upstream/main instead.
+
+## 3. PR Target Mapping
+
+- For upstream contribution:
+  - source: feat/upstream/<topic> (or cleaned equivalent)
+  - target: upstream/main
+- For local fork integration:
+  - source: feat/upstream/<topic>
+  - target: fork/main
+
+## 4. Pre-Merge Checklist
+
+- Working tree is clean (git status has no pending changes).
+- Target branch is correct (fork/main or main).
+- Local mainline role is explicit (mirror vs integration).
+- Diff/log range is explainable (git log / git diff).
+- Required tests have passed (at least local gates).
+
+## 5. Command Templates
+
+### 5.1 Merge into development mainline first (fork/main)
+
+- git checkout fork/main
+- git merge --no-ff feat/upstream/knowledge-layer-mvp-sop-cognee
+
+### 5.2 Merge into local mainline (only when main = integration line)
+
+- git checkout main
+- git merge --no-ff fork/main
+
+## 6. Common Pitfalls
+
+- Pitfall 1: Merge feature directly into main after implementation.
+  - Risk: pollutes mirror semantics if main is meant to track upstream.
+- Pitfall 2: Let fork/main drift too far from upstream/main.
+  - Risk: conflict debt accumulates and PR review cost rises.
+- Pitfall 3: Merge to mainline before local gates pass.
+  - Risk: unstable mainline and expensive rollback.
+
+## 7. Relation to CONTRIBUTING
+
+- This SOP complements, not replaces, CONTRIBUTING rules.
+- Keep enforcing Conventional Commits, PR title format, pre-commit and test gates.
diff --git a/DEV_BRANCHING_SOP_zh.md b/DEV_BRANCHING_SOP_zh.md
@@ -0,0 +1,80 @@
+# CoPaw 双主线开发 SOP（本地协作版）
+
+本文用于规范本地双主线协作，避免 feature 直接误合到错误主线。
+
+## 1. 分支角色
+
+- upstream/main：上游事实主线，仅用于同步上游状态、构建上游 PR 基线。
+- fork/main：本地开发主线，功能先合入这里并完成验证。
+- main（本地）：建议固定为以下两种之一。
+  - 方案 A（推荐）：上游镜像线。尽量保持与 upstream/main 对齐。
+  - 方案 B：本地发布整合线。承接 fork/main，服务本地发布。
+
+注意：项目内必须先统一 main 的定位，避免不同成员按不同语义操作。
+
+## 2. 标准开发路径
+
+1. 更新基线
+- git fetch --all --prune
+- git checkout fork/main
+- git merge --ff-only upstream/main
+
+2. 创建功能分支
+- git checkout -b feat/upstream/<topic> fork/main
+
+3. 开发与提交
+- 按 Conventional Commits 提交。
+- push/提 PR 前通过本地门禁（pre-commit、pytest）。
+
+4. 第一段合并（必须）
+- 目标：先合入 fork/main。
+- 命令：
+  - git checkout fork/main
+  - git merge --no-ff feat/upstream/<topic>
+
+5. 第二段合并（按需）
+- 如果 main 是“本地发布整合线”：再将 fork/main 合入 main。
+- 如果 main 是“上游镜像线”：不要把 fork/main 直接合入 main；改为对 upstream/main 提 PR。
+
+## 3. PR 与分支对应关系
+
+- 面向 upstream：
+  - 源分支：feat/upstream/<topic>（或清理后的等价分支）
+  - 目标分支：upstream/main
+- 面向 fork 内部整合：
+  - 源分支：feat/upstream/<topic>
+  - 目标分支：fork/main
+
+## 4. 合并前检查清单
+
+- 当前工作区干净（git status 无未提交改动）。
+- 当前目标分支正确（fork/main 或 main）。
+- 明确 main 当前语义（上游镜像线 / 本地发布整合线）。
+- 确认 feature 与目标分支差异范围可解释（git log/ git diff）。
+- 必要测试已通过（至少本地门禁）。
+
+## 5. 推荐命令模板
+
+### 5.1 先合开发主线（fork/main）
+
+- git checkout fork/main
+- git merge --no-ff feat/upstream/knowledge-layer-mvp-sop-cognee
+
+### 5.2 再合本地 main（仅当 main=本地发布整合线）
+
+- git checkout main
+- git merge --no-ff fork/main
+
+## 6. 常见误区
+
+- 误区 1：feature 完成后直接合 main。
+  - 风险：若 main 是上游镜像线，会污染镜像语义。
+- 误区 2：fork/main 与 upstream/main 长期不对齐。
+  - 风险：后续冲突集中爆发，PR 审核成本升高。
+- 误区 3：未先做门禁验证就推进主线合并。
+  - 风险：主线不稳定，后续回滚成本上升。
+
+## 7. 与贡献规范的关系
+
+- 本 SOP 不替代 CONTRIBUTING 中的提交与质量规范。
+- 所有分支流程仍需遵守：Conventional Commits、PR 标题规范、pre-commit 与测试门禁。
diff --git a/console/public/copaw-dark.png b/console/public/copaw-dark.png
diff --git a/console/public/dark-logo.png b/console/public/dark-logo.png
diff --git a/console/src/App.tsx b/console/src/App.tsx
@@ -1,18 +1,23 @@
 import { createGlobalStyle } from "antd-style";
 import { ConfigProvider, bailianTheme } from "@agentscope-ai/design";
-import { BrowserRouter } from "react-router-dom";
+import { BrowserRouter, Routes, Route, Navigate } from "react-router-dom";
 import { useEffect, useState } from "react";
 import { useTranslation } from "react-i18next";
 import zhCN from "antd/locale/zh_CN";
 import enUS from "antd/locale/en_US";
 import jaJP from "antd/locale/ja_JP";
 import ruRU from "antd/locale/ru_RU";
 import type { Locale } from "antd/es/locale";
+import { theme as antdTheme } from "antd";
 import dayjs from "dayjs";
 import "dayjs/locale/zh-cn";
 import "dayjs/locale/ja";
 import "dayjs/locale/ru";
 import MainLayout from "./layouts/MainLayout";
+import { ThemeProvider, useTheme } from "./contexts/ThemeContext";
+import LoginPage from "./pages/Login";
+import { authApi } from "./api/modules/auth";
+import { getApiUrl, getApiToken, clearAuthToken } from "./api/config";
 import "./styles/layout.css";
 import "./styles/form-override.css";
 
@@ -37,8 +42,71 @@ const GlobalStyle = createGlobalStyle`
 }
 `;
 
-function App() {
+function AuthGuard({ children }: { children: React.ReactNode }) {
+  const [status, setStatus] = useState<"loading" | "auth-required" | "ok">(
+    "loading",
+  );
+
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        const res = await authApi.getStatus();
+        if (cancelled) return;
+        if (!res.enabled) {
+          setStatus("ok");
+          return;
+        }
+        const token = getApiToken();
+        if (!token) {
+          setStatus("auth-required");
+          return;
+        }
+        try {
+          const r = await fetch(getApiUrl("/auth/verify"), {
+            headers: { Authorization: `Bearer ${token}` },
+          });
+          if (cancelled) return;
+          if (r.ok) {
+            setStatus("ok");
+          } else {
+            clearAuthToken();
+            setStatus("auth-required");
+          }
+        } catch {
+          if (!cancelled) {
+            clearAuthToken();
+            setStatus("auth-required");
+          }
+        }
+      } catch {
+        if (!cancelled) setStatus("ok");
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  if (status === "loading") return null;
+  if (status === "auth-required")
+    return (
+      <Navigate
+        to={`/login?redirect=${encodeURIComponent(window.location.pathname)}`}
+        replace
+      />
+    );
+  return <>{children}</>;
+}
+
+function getRouterBasename(pathname: string): string | undefined {
+  return /^\/console(?:\/|$)/.test(pathname) ? "/console" : undefined;
+}
+
+function AppInner() {
+  const basename = getRouterBasename(window.location.pathname);
   const { i18n } = useTranslation();
+  const { isDark } = useTheme();
   const lang = i18n.resolvedLanguage || i18n.language || "en";
   const [antdLocale, setAntdLocale] = useState<Locale>(
     antdLocaleMap[lang] ?? enUS,
@@ -61,18 +129,42 @@ function App() {
   }, [i18n]);
 
   return (
-    <BrowserRouter>
+    <BrowserRouter basename={basename}>
       <GlobalStyle />
       <ConfigProvider
         {...bailianTheme}
         prefix="copaw"
         prefixCls="copaw"
         locale={antdLocale}
+        theme={{
+          ...(bailianTheme as any)?.theme,
+          algorithm: isDark
+            ? antdTheme.darkAlgorithm
+            : antdTheme.defaultAlgorithm,
+        }}
       >
-        <MainLayout />
+        <Routes>
+          <Route path="/login" element={<LoginPage />} />
+          <Route
+            path="/*"
+            element={
+              <AuthGuard>
+                <MainLayout />
+              </AuthGuard>
+            }
+          />
+        </Routes>
       </ConfigProvider>
     </BrowserRouter>
   );
 }
 
+function App() {
+  return (
+    <ThemeProvider>
+      <AppInner />
+    </ThemeProvider>
+  );
+}
+
 export default App;
diff --git a/console/src/api/config.ts b/console/src/api/config.ts
@@ -1,6 +1,8 @@
 declare const BASE_URL: string;
 declare const TOKEN: string;
 
+const AUTH_TOKEN_KEY = "copaw_auth_token";
+
 /**
  * Get the full API URL with /api prefix
  * @param path - API path (e.g., "/models", "/skills")
@@ -14,9 +16,26 @@ export function getApiUrl(path: string): string {
 }
 
 /**
- * Get the API token
+ * Get the API token - checks localStorage first (auth login),
+ * then falls back to the build-time TOKEN constant.
  * @returns API token string or empty string
  */
 export function getApiToken(): string {
+  const stored = localStorage.getItem(AUTH_TOKEN_KEY);
+  if (stored) return stored;
   return typeof TOKEN !== "undefined" ? TOKEN : "";
 }
+
+/**
+ * Store the auth token in localStorage after login.
+ */
+export function setAuthToken(token: string): void {
+  localStorage.setItem(AUTH_TOKEN_KEY, token);
+}
+
+/**
+ * Remove the auth token from localStorage (logout / 401).
+ */
+export function clearAuthToken(): void {
+  localStorage.removeItem(AUTH_TOKEN_KEY);
+}