CJackHwang
diff --git a/‎.env.example‎
Lines changed: 12 additions & 1 deletion b/‎.env.example‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎api_utils/routers/model_capabilities.py‎
Lines changed: 61 additions & 127 deletions b/‎api_utils/routers/model_capabilities.py‎
Lines changed: 61 additions & 127 deletions
diff --git a/‎api_utils/routers/ports.py‎
Lines changed: 30 additions & 3 deletions b/‎api_utils/routers/ports.py‎
Lines changed: 30 additions & 3 deletions
@@ -179,4 +179,15 @@ AI_STUDIO_URL_PATTERN=aistudio.google.com/
 
 # 排除模型列表文件 (相对于项目根目录)
 # 此文件中列出的模型将不会在 /v1/models 端点中返回
-EXCLUDED_MODELS_FILENAME=excluded_models.txt
+EXCLUDED_MODELS_FILENAME=excluded_models.txt
+
+# =============================================================================
+# 9. 前端构建配置 (Frontend Build Configuration)
+# =============================================================================
+
+# 跳过前端构建检查 (Skip Frontend Build)
+# 设置为 true 可跳过启动时的前端构建检查。
+# 适用于没有 Node.js/npm 的环境，或使用预构建资源。
+# 也可以通过命令行参数 --skip-frontend-build 来设置。
+# Options: true, false, 1, 0, yes, no
+SKIP_FRONTEND_BUILD=false
@@ -4,21 +4,48 @@
 SINGLE SOURCE OF TRUTH for model thinking capabilities.
 Frontend fetches this to determine UI controls dynamically.
 
-When new models are released, update ONLY this file.
+Configuration is loaded from config/model_capabilities.json.
+When new models are released, update the JSON file - no code changes needed.
 """
 
-from typing import Literal
+import json
+import re
+from functools import lru_cache
+from pathlib import Path
+from typing import Any
 
 from fastapi import APIRouter
 from fastapi.responses import JSONResponse
 
 router = APIRouter()
 
-# Model category types
-ThinkingType = Literal["level", "budget", "none"]
+# Config file path
+_CONFIG_PATH = (
+    Path(__file__).parent.parent.parent / "config" / "model_capabilities.json"
+)
 
 
-def _get_model_capabilities(model_id: str) -> dict:
+@lru_cache(maxsize=1)
+def _load_config() -> dict[str, Any]:
+    """
+    Load model capabilities configuration from JSON file.
+
+    Uses LRU cache to avoid repeated file reads.
+    Raises FileNotFoundError if config is missing.
+    """
+    if not _CONFIG_PATH.exists():
+        raise FileNotFoundError(f"Model capabilities config not found: {_CONFIG_PATH}")
+
+    with open(_CONFIG_PATH, encoding="utf-8") as f:
+        return json.load(f)
+
+
+def reload_config() -> None:
+    """Clear the config cache, forcing a reload on next access."""
+    _load_config.cache_clear()
+
+
+def _get_model_capabilities(model_id: str) -> dict[str, Any]:
     """
     Determine thinking capabilities for a model.
 
@@ -27,73 +54,32 @@ def _get_model_capabilities(model_id: str) -> dict:
     - levels: List of thinking levels (for type="level")
     - alwaysOn: Whether thinking is always on (for Gemini 2.5 Pro)
     - budgetRange: [min, max] for budget slider
+    - supportsGoogleSearch: Whether the model supports Google Search
     """
+    config = _load_config()
+    categories = config.get("categories", {})
+    matchers = config.get("matchers", [])
+
     model_lower = model_id.lower()
 
-    # Gemini 3 Flash: 4-level selector
-    if (
-        "gemini-3" in model_lower or "gemini3" in model_lower
-    ) and "flash" in model_lower:
-        return {
-            "thinkingType": "level",
-            "levels": ["minimal", "low", "medium", "high"],
-            "defaultLevel": "high",
-            "supportsGoogleSearch": True,
-        }
-
-    # Gemini 3 Pro: 2-level selector
-    if ("gemini-3" in model_lower or "gemini3" in model_lower) and "pro" in model_lower:
-        return {
-            "thinkingType": "level",
-            "levels": ["low", "high"],
-            "defaultLevel": "high",
-            "supportsGoogleSearch": True,
-        }
-
-    # Gemini 2.5 Pro: Always-on thinking with budget
-    if "gemini-2.5-pro" in model_lower or "gemini-2.5pro" in model_lower:
-        return {
-            "thinkingType": "budget",
-            "alwaysOn": True,
-            "budgetRange": [1024, 32768],
-            "defaultBudget": 32768,
-            "supportsGoogleSearch": True,
-        }
-
-    # Gemini 2.5 Flash and latest variants: Toggle + budget
-    if (
-        "gemini-2.5-flash" in model_lower
-        or "gemini-2.5flash" in model_lower
-        or model_lower == "gemini-flash-latest"
-        or model_lower == "gemini-flash-lite-latest"
-    ):
-        return {
-            "thinkingType": "budget",
-            "alwaysOn": False,
-            "budgetRange": [512, 24576],
-            "defaultBudget": 24576,
-            "supportsGoogleSearch": True,
-        }
-
-    # Gemini 2.0 models: No thinking, no Google Search
-    if "gemini-2.0" in model_lower or "gemini2.0" in model_lower:
-        return {
-            "thinkingType": "none",
-            "supportsGoogleSearch": False,
-        }
-
-    # Gemini robotics models: special case - has Google Search
-    if "gemini-robotics" in model_lower:
-        return {
-            "thinkingType": "none",
-            "supportsGoogleSearch": True,
-        }
-
-    # Other models: No thinking controls, default to Google Search enabled
-    return {
-        "thinkingType": "none",
-        "supportsGoogleSearch": True,
-    }
+    # Try each matcher in order (order matters: more specific first)
+    for matcher in matchers:
+        pattern = matcher.get("pattern", "")
+        category_name = matcher.get("category", "")
+
+        if pattern and category_name:
+            try:
+                if re.search(pattern, model_lower, re.IGNORECASE):
+                    if category_name in categories:
+                        return categories[category_name].copy()
+            except re.error:
+                # Invalid regex pattern, skip
+                continue
+
+    # Default to "other" category
+    return categories.get(
+        "other", {"thinkingType": "none", "supportsGoogleSearch": True}
+    )
 
 
 @router.get("/api/model-capabilities")
@@ -103,68 +89,16 @@ async def get_model_capabilities() -> JSONResponse:
 
     Frontend uses this to dynamically configure thinking controls.
     """
-    return JSONResponse(
-        content={
-            "categories": {
-                "gemini3Flash": {
-                    "thinkingType": "level",
-                    "levels": ["minimal", "low", "medium", "high"],
-                    "defaultLevel": "high",
-                    "supportsGoogleSearch": True,
-                },
-                "gemini3Pro": {
-                    "thinkingType": "level",
-                    "levels": ["low", "high"],
-                    "defaultLevel": "high",
-                    "supportsGoogleSearch": True,
-                },
-                "gemini25Pro": {
-                    "thinkingType": "budget",
-                    "alwaysOn": True,
-                    "budgetRange": [1024, 32768],
-                    "defaultBudget": 32768,
-                    "supportsGoogleSearch": True,
-                },
-                "gemini25Flash": {
-                    "thinkingType": "budget",
-                    "alwaysOn": False,
-                    "budgetRange": [512, 24576],
-                    "defaultBudget": 24576,
-                    "supportsGoogleSearch": True,
-                },
-                "gemini2": {
-                    "thinkingType": "none",
-                    "supportsGoogleSearch": False,
-                },
-                "other": {
-                    "thinkingType": "none",
-                    "supportsGoogleSearch": True,
-                },
-            },
-            "matchers": [
-                # Order matters: more specific patterns first
-                {
-                    "pattern": "gemini-3.*flash|gemini3.*flash",
-                    "category": "gemini3Flash",
-                },
-                {"pattern": "gemini-3.*pro|gemini3.*pro", "category": "gemini3Pro"},
-                {
-                    "pattern": "gemini-2\\.5-pro|gemini-2\\.5pro",
-                    "category": "gemini25Pro",
-                },
-                {
-                    "pattern": "gemini-2\\.5-flash|gemini-2\\.5flash|gemini-flash-latest|gemini-flash-lite-latest",
-                    "category": "gemini25Flash",
-                },
-                {"pattern": "gemini-2\\.0|gemini2\\.0", "category": "gemini2"},
-            ],
-        }
-    )
+    config = _load_config()
+    return JSONResponse(content=config)
 
 
-@router.get("/api/model-capabilities/{model_id}")
+@router.get("/api/model-capabilities/{model_id:path}")
 async def get_single_model_capabilities(model_id: str) -> JSONResponse:
     """
     Return thinking capabilities for a specific model.
+
+    Args:
+        model_id: Model identifier (e.g., "gemini-2.5-flash-preview")
     """
     return JSONResponse(content=_get_model_capabilities(model_id))
@@ -7,10 +7,8 @@
 import json
 import os
 import platform
-import signal
 import subprocess
 from pathlib import Path
-from typing import Optional
 
 from fastapi import APIRouter, HTTPException
 from fastapi.responses import JSONResponse
@@ -318,14 +316,43 @@ async def kill_process(request: KillRequest) -> JSONResponse:
     """
     终止指定PID的进程。
 
-    需要 confirm=true 确认操作。
+    安全性验证：
+    - 需要 confirm=true 确认操作
+    - PID必须属于配置的端口上的进程
+
+    Args:
+        request: 包含 PID 和确认标志的请求
+
+    Raises:
+        HTTPException 400: 未确认操作
+        HTTPException 403: PID不属于跟踪的端口
     """
     if not request.confirm:
         raise HTTPException(
             status_code=400,
             detail="请设置 confirm=true 确认终止进程",
         )
 
+    # Security: Validate PID belongs to a tracked port
+    config = _load_port_config()
+    tracked_pids: set[int] = set()
+
+    # Collect PIDs from all configured ports
+    for port in [config.fastapi_port, config.camoufox_debug_port]:
+        for proc in _find_processes_on_port(port):
+            tracked_pids.add(proc.pid)
+
+    # Also check stream proxy port if enabled
+    if config.stream_proxy_enabled and config.stream_proxy_port > 0:
+        for proc in _find_processes_on_port(config.stream_proxy_port):
+            tracked_pids.add(proc.pid)
+
+    if request.pid not in tracked_pids:
+        raise HTTPException(
+            status_code=403,
+            detail=f"安全验证失败：PID {request.pid} 不属于配置的端口。只能终止在 FastAPI ({config.fastapi_port})、Camoufox ({config.camoufox_debug_port}) 或 Stream Proxy ({config.stream_proxy_port}) 端口上运行的进程。",
+        )
+
     success, message = _kill_process(request.pid)
 
     return JSONResponse(