Nexora = Nexus + ora (edge, frontier)
- Nexus — a central hub where things connect. Nexora is the nexus where AI agents, enterprise tools, team members, and messaging channels converge into a unified workspace.
- Ora — derived from Latin ora (edge, boundary), representing the frontier of AI-driven enterprise operations.
Together, the name embodies the platform's mission: the central hub at the frontier of enterprise AI — connecting intelligent agents with the people and tools that run your business, under controlled governance.
Nexora AI Platform is an enterprise-grade AI workspace built on QwenPaw. It inherits all the core capabilities of QwenPaw — multi-agent orchestration, multi-channel messaging, skill extensions, local model support, and memory-evolving agents — while adding enterprise-essential layers: multi-tenant access control, security governance, audit logging, and token usage analytics.
What you can do with Nexora:
- Team AI workspace — Multiple users share one platform, each with their own agents and permissions
- Social media & productivity — Daily hot post digests, email highlights, newsletter summaries pushed to DingTalk/Feishu/WeChat
- Creative & building — Describe a goal, let agents auto-execute; full workflow from idea to prototype
- Research & learning — Track tech & AI news, personal knowledge base search and reuse
- Desktop & files — Organize and search local files, read & summarize documents
- Operations & governance — Audit every AI action, control who can use which tools, track token spend per user
| Feature | Description |
|---|---|
| Multi-Agent Collaboration | Create multiple independent agents, each with their own role; enable inter-agent communication for complex tasks |
| Skills Extension | Built-in scheduling, PDF/Office processing, news digest, web search, and more; custom skills auto-loaded |
| Memory-Evolving & Proactive | Agents learn from interactions, reflect on experience, and proactively serve you — smarter the more you use |
| Multi-Channel Messaging | DingTalk, Feishu, WeChat, Discord, Telegram, Slack, QQ, and more — one platform, connect as needed |
| Local Model Support | Run LLMs entirely on your machine via llama.cpp, Ollama, or LM Studio — no API keys required |
| Cloud LLM Providers | DashScope (Qwen), OpenAI, Gemini, Claude, MiniMax, DeepSeek, and many more |
| Coding Mode | Built-in Web IDE with file tree, tabbed editor, inline diff review, and Git panel |
| Plugin Ecosystem | Extend with custom tools, skills, and MCP servers; official plugin marketplace |
| Scheduled Tasks (Cron) | Automate recurring tasks — daily briefings, periodic data checks, scheduled reports |
| Context Management | Intelligent context compression for long conversations |
| Tool Guard | Automatically intercepts dangerous shell commands (rm -rf, fork bombs, reverse shells) |
| File Access Guard | Restricts agent access to sensitive paths (~/.ssh, key files, system directories) |
| Skill Security Scanning | Detects risks like prompt injection, command injection, hardcoded keys before installing skills |
| Feature | Description |
|---|---|
| Multi-Tenant RBAC | Two-role model (admin / operator) with platform-level access control and user management |
| Agent Authorization | Fine-grained agent grants per user — control who can access which AI agents |
| Capability Approval | Risk-based approval workflow for installing/removing tools, skills, MCP servers, and plugins |
| Audit Logging | Full audit trail with PostgreSQL backend — auth, chat, tool use, config changes, admin actions |
| Token Usage Analytics | Track LLM token consumption by user, agent, model, and date with dashboard visualization |
| Security Governance | Resource policies, tool scanners, and centralized secret management |
| PostgreSQL Backend | All enterprise data (users, grants, audit, config, tokens) stored in PostgreSQL |
┌─────────────────────────────────────────────────────────────┐
│ Frontend (React + Vite) │
│ ┌───────────────────────┐ ┌─────────────────────────────┐ │
│ │ QwenPaw Console UI │ │ Nexora Admin Dashboard │ │
│ │ Chat / Agents / Cron │ │ Users / Grants / Audit │ │
│ │ Skills / MCP / Coding│ │ Token Usage / Governance │ │
│ └───────────────────────┘ └─────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Backend (FastAPI) │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │ QwenPaw │ │ Nexora │ │ Auth Middleware │ │
│ │ Core Engine │ │ Extension │ │ JWT + RBAC │ │
│ │ Agents │ │ RBAC/Audit │ │ Route Guards │ │
│ │ Providers │ │ Governance │ │ │ │
│ │ Channels │ │ Token Track │ │ │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ PostgreSQL 16 │
│ Users · Roles · Agent Grants · Audit Logs · Approvals │
│ Runtime Config · Governance Policies · Token Usage │
├─────────────────────────────────────────────────────────────┤
│ Channels │
│ Console · DingTalk · Feishu · WeChat · Discord · Telegram │
│ Slack · QQ · iMessage · Email · ... │
└─────────────────────────────────────────────────────────────┘
Extension isolation: All Nexora-specific code lives in dedicated directories (src/qwenpaw_ext/nexora/ and console/src/nexora/), keeping the upstream QwenPaw core clean for future syncs.
Full details in Technical Solution
Nexora enforces access control through three cascading layers — each request must pass all applicable checks before reaching the agent runtime:
Layer 1 — Platform Access Layer 2 — Agent Authorization Layer 3 — Capability Approval
┌──────────────────────┐ ┌──────────────────────┐ ┌──────────────────────┐
│ User authenticates │ │ Check agent_grants │ │ When user installs │
│ via JWT │──pass──▶ │ for this user │ │ or removes a tool, │
│ │ │ │ │ skill, MCP, plugin │
│ RBAC role checked │ │ Only granted agents │ │ Low risk → allow │
│ against route │ │ are visible & usable│ │ High risk → queue │
└──────────────────────┘ └──────────────────────┘ └──────────────────────┘
│ fail │ fail │ pending
▼ ▼ ▼
401 / 403 403 Forbidden Approval Request
+ audit log + audit log → Admin reviews
→ Approve or reject
+ audit log
Every user action flows through a unified pipeline — auth, permission, execution, and audit are never bypassed:
Browser ──▶ FastAPI ──▶ JWT Middleware ──▶ RBAC Guard ──▶ Agent Grant Check
│
┌─────────────────────────────────────┘
▼
QwenPaw Agent Runtime ──▶ LLM Provider
│ │
▼ ▼
Tool Execution Token Recording
│ │
└───────────────────────┘
▼
PostgreSQL
(audit · tokens · approvals)
Capability changes (install/remove tools, skills, MCP, plugins)
go through a separate approval workflow before taking effect.
Nexora manages 100+ agents on a single node using lazy loading and automatic lifecycle management:
┌─────────────────────────────────┐
│ MultiAgentManager │
│ │
User request ────▶ │ ┌─ Active Agent Pool ────────┐ │
(agent_id) │ │ agent_a [last used: 10s] │ │ Max active: 20
│ │ agent_b [last used: 45s] │ │ Idle TTL: 1 hour
│ │ agent_c [last used: 300s]│ │ Eviction: LRU
│ └────────────────────────────┘ │
│ ▲ │ │
│ lazy load idle evict │
│ │ ▼ │
│ ┌─ Agent Configs (disk) ─────┐ │
│ │ 100+ agent YAML configs │ │
│ └────────────────────────────┘ │
└─────────────────────────────────┘
- Agents are loaded on first request, not at startup — cold start stays fast
- Idle agents are evicted after a configurable TTL (default 1 hour)
- When the pool is full, least-recently-used agents are evicted first
- Each agent maintains its own memory, tools, and channel bindings
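The lazy-load, idle-TTL and LRU behaviour listed above, as an added Python sketch (not Nexora or QwenPaw code). The class name `AgentPool`, its parameters and the injectable clock are assumptions for the example; only the rules themselves (max active, idle TTL, LRU order) come from the diagram.

```python
import time
from collections import OrderedDict


class AgentPool:
    """Illustrative pool: load on first use, expire idle agents, evict LRU when full."""

    def __init__(self, loader, max_active=20, idle_ttl=3600.0, clock=time.monotonic):
        self._loader = loader          # builds an agent from its on-disk config
        self._max_active = max_active
        self._idle_ttl = idle_ttl
        self._clock = clock            # injectable so the demo can control time
        self._active = OrderedDict()   # agent_id -> (agent, last_used), oldest first
        self.evicted = []              # (agent_id, reason) history for inspection

    def get(self, agent_id):
        now = self._clock()
        self._expire_idle(now)
        if agent_id in self._active:
            agent, _ = self._active.pop(agent_id)
        else:
            # Pool full: drop least-recently-used entries until there is room.
            while len(self._active) >= self._max_active:
                victim, _ = self._active.popitem(last=False)
                self.evicted.append((victim, "lru"))
            agent = self._loader(agent_id)     # lazy load, first request only
        self._active[agent_id] = (agent, now)  # re-insert as most recently used
        return agent

    def _expire_idle(self, now):
        # Entries are ordered by last use, so stop at the first one still fresh.
        while self._active:
            agent_id, (_, last_used) = next(iter(self._active.items()))
            if now - last_used < self._idle_ttl:
                break
            del self._active[agent_id]
            self.evicted.append((agent_id, "idle"))

    def active_ids(self):
        return list(self._active)


def demo():
    now = [0.0]
    loads = []

    def loader(agent_id):
        loads.append(agent_id)
        return {"id": agent_id}

    pool = AgentPool(loader, max_active=2, idle_ttl=3600.0, clock=lambda: now[0])
    pool.get("agent_a")
    now[0] = 10.0
    pool.get("agent_b")
    now[0] = 20.0
    pool.get("agent_a")      # already loaded: refreshed, agent_b is now the LRU
    now[0] = 30.0
    pool.get("agent_c")      # pool full: agent_b evicted
    now[0] = 3620.0
    pool.get("agent_c")      # agent_a idle for 3600s: expired
    return loads, pool.active_ids(), pool.evicted


if __name__ == "__main__":
    print(demo())
```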
When users install or remove capabilities (tools, skills, MCP servers, plugins), a configurable approval gate controls the change:
User adds/removes capability ──▶ Policy Engine checks risk level
(skill.create, mcp.delete, │
plugin.install, tool.create…) │
┌────────────┼────────────┐
▼ ▼ ▼
Low Risk Medium Risk High Risk
│ │ │
▼ ▼ ▼
Auto-allow Configurable Must approve
+ audit log (approve/ + audit log
auto)
│
▼
┌─────────────┐
│ Approval │──▶ Admin reviews in Approval Center
│ Queue │ (capability type, action, risk level,
│ (PG-backed)│ requesting user context)
└─────────────┘
│
┌─────────┴─────────┐
▼ ▼
Approved Rejected
Change applied Change blocked
+ audit log + audit log
Policies are configurable per capability type, per risk level, and per environment — stored in nexora_capability_policies.
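The approval flow above, as an added in-memory Python model (not the project's `capability_approval.py`). The risk assigned to each action, the `MEDIUM_MODE` table, the audit action names `approval.request` / `approval.review` and the fail-closed defaults are assumptions for the example; the queue and audit lists stand in for the PostgreSQL tables.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed sample policy. The page names these actions but not their risk
# levels, so the mapping below is an assumption for the example.
ACTION_RISK = {"skill.create": "low", "tool.create": "medium",
               "mcp.delete": "medium", "plugin.install": "high"}
# Medium risk is configurable per (capability type, environment).
MEDIUM_MODE = {("tool", "dev"): "auto", ("tool", "prod"): "approve"}


@dataclass
class ApprovalGate:
    environment: str
    pending: dict = field(default_factory=dict)   # stand-in for the PG-backed queue
    applied: list = field(default_factory=list)   # changes that took effect
    audit: list = field(default_factory=list)     # stand-in for the audit table
    _ids: count = field(default_factory=lambda: count(1))

    def _log(self, actor, action, status, **detail):
        self.audit.append({"actor": actor, "action": action,
                           "status": status, "detail": detail})

    def request(self, user, action):
        capability = action.split(".", 1)[0]
        risk = ACTION_RISK.get(action, "high")     # unknown action: fail closed
        if risk == "low":
            mode = "auto"
        elif risk == "medium":                     # no policy row: fail closed
            mode = MEDIUM_MODE.get((capability, self.environment), "approve")
        else:
            mode = "approve"
        if mode == "auto":
            self.applied.append(action)
            self._log(user, action, "success", risk=risk, decision="auto-allow")
            return ("applied", None)
        req_id = next(self._ids)
        self.pending[req_id] = {"user": user, "action": action, "risk": risk}
        self._log(user, "approval.request", "success", request_id=req_id, risk=risk)
        return ("pending", req_id)

    def review(self, reviewer, role, req_id, approve):
        # Only an admin may decide, and each request can be decided once.
        if role != "admin" or req_id not in self.pending:
            self._log(reviewer, "approval.review", "failure", request_id=req_id)
            return "denied"
        req = self.pending.pop(req_id)
        decision = "approved" if approve else "rejected"
        if approve:
            self.applied.append(req["action"])     # change applied only now
        self._log(reviewer, "approval.review", "success",
                  request_id=req_id, decision=decision, requested_by=req["user"])
        return decision


def demo():
    gate = ApprovalGate(environment="prod")
    results = [
        gate.request("alice", "skill.create"),     # low: auto-allow
        gate.request("alice", "tool.create"),      # medium in prod: queued
        gate.request("alice", "plugin.install"),   # high: queued
        gate.request("alice", "mcp.delete"),       # medium, no policy row: queued
    ]
    reviews = [
        gate.review("alice", "operator", 1, True),  # operator cannot approve
        gate.review("root", "admin", 1, True),
        gate.review("root", "admin", 2, False),
        gate.review("root", "admin", 2, True),      # already decided
    ]
    return results, reviews, gate.applied, sorted(gate.pending), len(gate.audit)


if __name__ == "__main__":
    print(demo())
```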
Every significant action produces an immutable audit record in PostgreSQL:
┌──────────────────────────────────────────────────────────┐
│ Audit Event Record │
├──────────┬───────────────────────────────────────────────┤
│ actor │ The authenticated user who triggered action │
│ action │ e.g. chat.message.send, auth.login, tool.exec│
│ resource │ Type + ID of affected resource │
│ status │ success / failure │
│ ip │ Client IP address │
│ ua │ User-Agent string │
│ detail │ JSON payload (params, result summary, etc.) │
│ timestamp│ Server-side UTC timestamp │
└──────────┴───────────────────────────────────────────────┘
Audit coverage:
| Category | Events |
|---|---|
| Auth | Login success/failure, registration, logout |
| Users | Create, delete, role change, password reset |
| Agents | Grant/revoke authorization, config changes |
| Chat | Message send, reconnect, stop, file upload |
| Tools | Execution attempts (success + blocked) |
| Approvals | Request created, approved, rejected, timeout |
| Config | Model changes, environment variable updates |
Audit writes are fire-and-forget: a failed audit write never blocks the main operation, so the operation still completes when its audit record cannot be written.
Token consumption is attributed to the authenticated JWT user (not the chat payload sender), using Python's ContextVar to propagate identity through the async call chain:
JWT Middleware Console Router Model Wrapper
───────────── ────────────── ─────────────
request.state.user = "alice" → set_current_actor("alice") → get_current_actor()
│
▼
INSERT INTO nexora_token_usage
(actor="alice", model, tokens)
via background daemon thread
Records are aggregated by user, agent, model, and date — visualized in the Token Usage dashboard with trend charts and per-user breakdown tables.
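The attribution path above, as an added Python example (not the project's code). `set_current_actor` and `get_current_actor` are the names from the diagram; `handle_chat`, `call_model`, the `sender_id` payload field, the word-count "tokens" and the in-memory `USAGE_ROWS` list standing in for `nexora_token_usage` are assumptions. It shows that concurrent requests keep separate actors, and that the actor has to be captured before the hand-off because the writer thread does not see the request's ContextVar.

```python
import asyncio
import queue
import threading
from contextvars import ContextVar
from typing import Optional

_current_actor: ContextVar[Optional[str]] = ContextVar("current_actor", default=None)


def set_current_actor(user: str) -> None:
    _current_actor.set(user)


def get_current_actor() -> Optional[str]:
    return _current_actor.get()


USAGE_ROWS = []            # stand-in for rows in nexora_token_usage
_writes = queue.Queue()    # hand-off from request context to the writer thread


def _writer() -> None:
    while True:
        row = _writes.get()
        # ContextVar values do not follow work into another thread, so the
        # actor must already be on the row; here the lookup yields the default.
        row["actor_in_thread"] = get_current_actor()
        USAGE_ROWS.append(row)
        _writes.task_done()


threading.Thread(target=_writer, daemon=True).start()


async def call_model(model: str, prompt: str) -> int:
    await asyncio.sleep(0.01)                 # yield so the two requests interleave
    tokens = len(prompt.split())              # toy token count for the demo
    # Capture the actor here, in the request's own context, before the hand-off.
    _writes.put({"actor": get_current_actor(), "model": model, "tokens": tokens})
    return tokens


async def handle_chat(jwt_user: str, payload: dict) -> int:
    # Identity comes from the verified JWT (request.state.user on the page),
    # never from the client-controlled payload["sender_id"].
    set_current_actor(jwt_user)
    return await call_model(payload["model"], payload["text"])


def run_demo():
    USAGE_ROWS.clear()

    async def main():
        await asyncio.gather(
            handle_chat("alice", {"sender_id": "alice", "model": "demo-model",
                                  "text": "hello there"}),
            # bob's payload claims to be alice; attribution must still be bob
            handle_chat("bob", {"sender_id": "alice", "model": "demo-model",
                                "text": "summarise this long report"}),
        )

    asyncio.run(main())
    _writes.join()                            # wait for the background writer
    return sorted((r["actor"], r["tokens"], r["actor_in_thread"]) for r in USAGE_ROWS)


if __name__ == "__main__":
    print(run_demo())
```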
Nexora follows a strict "upstream core + extension layer" architecture to minimize merge conflicts when syncing with QwenPaw:
┌────────────────────────────────────────────────────────────────┐
│ QwenPaw Core (upstream) Modification: ≤5% │
│ ├── app/auth.py ·············· JWT middleware hook │
│ ├── app/routers/console.py ··· audit + ContextVar injection │
│ ├── app/routers/__init__.py ·· register nexora router │
│ └── token_usage/model_wrapper · PG write hook │
├────────────────────────────────────────────────────────────────┤
│ Nexora Extension Layer (isolated) Modification: 100% │
│ ├── qwenpaw_ext/nexora/ ····· All backend business logic │
│ │ ├── rbac.py, audit.py, agent_grants.py, ... │
│ │ └── repositories/ ······ PostgreSQL data access │
│ ├── console/src/nexora/ ····· All frontend pages & API │
│ └── alembic/versions/ ······ Database migrations │
└────────────────────────────────────────────────────────────────┘
Only 4 upstream files are modified — the rest of Nexora lives entirely in extension directories. This keeps git merge upstream/main clean in >95% of cases.
Multiple independent safety layers protect the system — no single bypass compromises security:
Inbound Request
│
┌───────▼───────┐
│ JWT Auth │ Identity verification
│ (middleware) │ Reject: 401 Unauthorized
└───────┬───────┘
┌───────▼───────┐
│ RBAC Guard │ Role-based route protection
│ (per-route) │ Reject: 403 Forbidden
└───────┬───────┘
┌───────▼───────┐
│ Agent Grants │ Per-user agent access control
│ (DB lookup) │ Reject: 403 Forbidden
└───────┬───────┘
┌───────▼───────┐
│ Tool Guard │ Block rm -rf, fork bombs, reverse shells
│ (pattern) │ Reject: blocked + audit log
└───────┬───────┘
┌───────▼───────┐
│ File Guard │ Restrict ~/.ssh, /etc/passwd, key files
│ (path check) │ Reject: blocked + audit log
└───────┬───────┘
┌───────▼───────┐
│ Capability │ Approval gate for installing/removing
│ Approval │ tools, skills, MCP, plugins
└───────┬───────┘
┌───────▼───────┐
│ Skill Scanner │ Pre-install scan for injection, exfil,
│ (static) │ hardcoded keys, suspicious patterns
└───────┬───────┘
▼
Execute + Audit
### PostgreSQL Schema
All enterprise data is persisted in PostgreSQL with versioned migrations (Alembic):
| Table | Purpose |
|-------|---------|
| `nexora_users` | User accounts, password hashes, roles |
| `nexora_agent_grants` | User ↔ Agent authorization mapping |
| `nexora_audit_events` | Full audit trail (indexed by date, actor) |
| `nexora_approval_requests` | Capability change approval queue and results |
| `nexora_capability_policies` | Risk-based capability change approval policies |
| `nexora_governance` | Agent ↔ Tool/MCP/Skill resource policies |
| `nexora_token_usage` | LLM token consumption records |
| `nexora_runtime_config` | Runtime configuration key-value store |
### Streaming Chat & Task Management
Chat sessions use server-sent events (SSE) with background task tracking — clients can disconnect and reconnect without losing the agent's response:
```
Client POST /console/chat
        │
        ▼
TaskTracker.attach_or_start()
        │
        ├──▶ New chat: spawn background task → agent.stream_one()
        │                                          │
        │                           SSE events ──▶ Queue
        │                                          │
        └──▶ Reconnect: attach to existing queue ◀─┘
        │
        ▼
StreamingResponse (SSE)
  "data: {token}..."
  "data: {token}..."
  "data: [DONE]"
```
- Agent runs in background — client abort doesn't kill the computation
- `POST /console/chat/stop` sends a cancellation signal
- Multiple subscribers can attach to the same running stream
- Chat title is auto-generated via LLM in a detached background task
---
## Quick Start
### Prerequisites
- Python 3.10 ~ 3.13
- Node.js 18+
- PostgreSQL 16 (or use the bundled Docker Compose)
### 1. Clone and install
```bash
git clone https://github.com/your-org/nexora-ai-platform.git
cd nexora-ai-platform
pip install -e .
cd console && npm install && npm run build && cd ..
```

```bash
docker compose up -d postgres
```

```bash
# Database connection
export NEXORA_DB_URL="postgresql+psycopg2://nexora:changeme@127.0.0.1:5432/nexora"
# LLM API key (example for DashScope/Qwen)
export DASHSCOPE_API_KEY="your-api-key"
```

```bash
bash start-qwenpaw-zh.sh
```

Open http://127.0.0.1:8088 in your browser. Go to Settings > Models to configure your LLM provider and start chatting.

```bash
docker compose up -d
```

See Docker Deployment Guide for details.
Nexora supports both cloud and local LLM providers:
Configure via Settings > Models in the web UI, or set environment variables:
| Provider | Env Variable | Notes |
|---|---|---|
| DashScope (Qwen) | DASHSCOPE_API_KEY | Recommended for Chinese users |
| OpenAI | OPENAI_API_KEY | GPT-4o, GPT-4, etc. |
| Google Gemini | GOOGLE_API_KEY | Gemini Pro, etc. |
| Anthropic | ANTHROPIC_API_KEY | Claude series |
| DeepSeek | DEEPSEEK_API_KEY | DeepSeek series |
| MiniMax | via Settings UI | MiniMax models |
| Backend | Best for | Setup |
|---|---|---|
| llama.cpp | Cross-platform | Click "Download" in the web UI |
| Ollama | Easy model management | Install Ollama app, then configure in Settings |
| LM Studio | GUI-based | Install LM Studio, start server, configure in Settings |
Connect your agents to the platforms your team already uses:
| Channel | Status | Auth Method |
|---|---|---|
| Console (Web UI) | Built-in | JWT |
| DingTalk | Supported | Bot Token |
| Feishu (Lark) | Supported | App Credentials |
| WeChat (Enterprise) | Supported | Webhook |
| Discord | Supported | Bot Token |
| Telegram | Supported | Bot Token |
| Slack | Supported | OAuth |
| | Supported | Bot API |
| Email | Supported | IMAP/SMTP |
See Channel Documentation for setup guides.
src/
├── qwenpaw/ # QwenPaw core engine
│ ├── app/ # FastAPI app, routers, middleware, auth
│ ├── agents/ # Agent runtime, memory, proactive behavior
│ ├── providers/ # LLM provider adapters (OpenAI, DashScope, etc.)
│ ├── token_usage/ # Token consumption tracking (model wrapper)
│ ├── security/ # Tool guard, file guard, skill scanner
│ ├── plugins/ # Plugin system runtime
│ ├── config/ # Configuration management
│ └── cli/ # Command-line interface
└── qwenpaw_ext/
└── nexora/ # Nexora enterprise extension layer
├── rbac.py # Role-based access control
├── audit.py # Audit event logging
├── agent_grants.py # Per-user agent authorization
├── capability_approval.py # Capability change approval workflow
├── governance.py # Resource governance policies
├── authorization.py # Authorization engine
├── db.py # PostgreSQL schema & connection
└── repositories/ # Data access layer
console/src/
├── nexora/ # Nexora frontend extensions
│ ├── pages/ # Admin pages (users, grants, audit, governance)
│ └── api/ # Nexora API clients
├── pages/ # Core pages (Chat, Settings, Login, Agent, Inbox)
│ └── Settings/TokenUsage/ # Token consumption dashboard
├── components/ # Shared UI components
└── layouts/ # App layout (sidebar, header)
tests/
├── unit/ # Unit tests (including nexora modules)
├── integration/ # Integration tests
├── contract/ # Contract tests (API, security)
├── e2e/ # End-to-end tests
└── load/ # Load testing (Locust)
docs/ # Documentation
plugins/ # Plugin bundles and tools
deploy/ # Docker deployment configs
Nexora combines QwenPaw's built-in security with enterprise governance:
| Layer | Mechanism | Description |
|---|---|---|
| Authentication | JWT + Password | Login required, token-based session management |
| Authorization | RBAC | Admin / Operator roles with route-level guards |
| Agent Access | Agent Grants | Users can only access explicitly authorized agents |
| Tool Safety | Tool Guard | Blocks dangerous commands (rm -rf, fork bombs, etc.) |
| File Safety | File Access Guard | Restricts access to sensitive system paths |
| Skill Safety | Security Scanner | Scans for injection, hardcoded keys, data exfiltration |
| Capability Control | Approval Workflow | Installing/removing capabilities requires admin approval |
| Audit | Full Logging | Every action logged to PostgreSQL with actor, timestamp, detail |
| Data | Local Deployment | All data stays on your infrastructure |
Nexora maintains two Git remotes to stay current with QwenPaw improvements:
```bash
# Add upstream (first time only)
git remote add upstream https://github.com/agentscope-ai/QwenPaw.git
# Sync upstream updates
git fetch upstream
git checkout -b sync/upstream-YYYYMMDD
git merge upstream/main
# Resolve conflicts, test, merge to main
```

Post-merge checklist:
- Login / logout works
- Chat functions normally
- Agent and user management pages load
- Frontend builds successfully
- Backend starts without errors
| Topic | Link |
|---|---|
| Technical Solution | docs/technical-solution.md |
| Docker Deployment | docs/docker-deployment-guide.md |
| Engineering Governance | docs/company-grade-engineering-governance.md |
| QwenPaw Core Docs | qwenpaw.agentscope.io |
| Models Configuration | QwenPaw Models Guide |
| Channel Setup | QwenPaw Channels Guide |
| Skills & Plugins | QwenPaw Skills Guide |
| Security | QwenPaw Security Guide |
This project is licensed under Apache 2.0, same as the upstream QwenPaw project.
Built on QwenPaw by AgentScope AI.