Merge remote-tracking branch 'gitea/develop' into fix/review-batch-2

# Conflicts: # AGENTS.md # CHANGELOG.md # README.md # apps/server/src/collaboration/collaboration.handler.ts # apps/server/src/common/helpers/prosemirror/html-embed.spec.ts # apps/server/src/common/helpers/prosemirror/html-embed.util.ts # apps/server/src/core/ai-chat/public-share-chat.service.ts # apps/server/src/core/ai-chat/public-share-chat.spec.ts # apps/server/src/core/ai-chat/public-share-workspace-limiter.ts # apps/server/src/core/page/services/page.service.ts # apps/server/src/core/page/transclusion/transclusion.service.ts # apps/server/src/integrations/import/services/file-import-task.service.ts # apps/server/src/integrations/import/services/import.service.ts
2026-06-21 05:32:44 +03:00
parent a20f4c3876 0fbaebd108
commit 7e26239c3f
65 changed files with 1448 additions and 2927 deletions
--- a/.env.example
+++ b/.env.example
@@ -29,6 +29,11 @@ PORT=3000
 #            `127.0.0.1, 10.0.0.0/8`
 # TRUST_PROXY=

+# APP_SECRET has a DUAL role: it signs JWTs AND derives the AES-256-GCM key that
+# encrypts stored AI-provider credentials (API keys) at rest. CONSEQUENCE: if you
+# change APP_SECRET after setup, every stored AI API key becomes undecryptable —
+# you must re-enter them in AI settings — and all existing sessions/JWTs are
+# invalidated. Choose it ONCE, keep it stable, and back it up alongside your DB.
 # minimum of 32 characters. Generate one with: openssl rand -hex 32
 APP_SECRET=REPLACE_WITH_LONG_SECRET

@@ -139,7 +144,12 @@ MCP_DOCMOST_PASSWORD=
 #
 # Backstop: a cluster-wide, sliding-window cap per workspace (IP-independent,
 # keyed by the server-resolved workspace id) bounds the owner's bill even if the
-# per-IP limit is fully evaded. It is a COST backstop, not an access control,
-# and FAILS OPEN if Redis is unavailable. Override the hourly cap below
+# per-IP limit is fully evaded. It is a COST backstop, not an access control, and
+# FAILS CLOSED if Redis is unavailable (an optional assistant briefly going
+# offline is safer than an unbounded bill). Override the hourly cap below
 # (default: 300 calls per workspace per rolling hour).
 # SHARE_AI_WORKSPACE_MAX_PER_HOUR=300
+#
+# Per-request output-token ceiling for the anonymous assistant (default: 512).
+# Worst-case output per accepted call = agent steps (5) × this value.
+# SHARE_AI_MAX_OUTPUT_TOKENS=512