improve(tts-voice): isolate per-request LuxTTS cookie jar

Adds curl example for creating linked database views using
link_to_page block type with database_id.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

skills/daily-briefing/SKILL.md

@@ -17,22 +17,22 @@ tools:
 
 ## 功能說明
 
-每日自動（或手動觸發）生成早安簡報，包含：
-1. 🌤️ 今日天氣（台灣地區）
-2. 📅 今日行程（來自 workspace/SCHEDULE.md 或 Google Calendar）
-3. ✅ 待辦事項（來自 workspace/TODO.md）
-4. 💡 今日重點提醒
-5. 📊 昨日工作回顧（選配）
+每日自動（或手動觸發）生成早安簡報，讓您一早就能快速掌握今日要務：
+1. 🌤️ **今日天氣**：提供氣溫、降雨機率與貼心穿著建議（台灣地區）。
+2. 📅 **今日行程**：條列即將到來的會議或活動（來自 `workspace/SCHEDULE.md` 或 Google Calendar）。
+3. ✅ **待辦事項**：列出尚未完成的重要任務（來自 `workspace/TODO.md`）。
+4. 💡 **今日重點提醒**：標示到期專案或重要事項。
+5. 📊 **昨日工作回顧**（選配）：簡單總結昨日進度。
 
-## 設定
+## 設定與個人化
 
-在 `workspace/USER.md` 設定：
+為獲得最佳體驗，請在 `workspace/USER.md` 設定您的偏好：
 ```markdown
 ## 個人設定
-- 城市：台北
+- 城市：台北（用於精準天氣預報）
 - 時區：Asia/Taipei
 - 簡報語言：繁體中文
-- 天氣 API Key：<openweathermap-api-key>（選配）
+- 天氣 API Key：<openweathermap-api-key>（選配，可提升預報準確度）
 ```
 
 ## 輸出格式範例
@@ -42,12 +42,12 @@ tools:
 
 ## 🌤️ 今日天氣（台北）
 **氣溫：** 16-22°C，多雲偶晴，東北風 2-3 級  
-💡 **穿著建議：** 可帶薄外套
+💡 **穿著建議：** 早晚微涼，建議帶件薄外套。
 
 ## 📅 今日行程
-- 09:00 - 週會（視訊）
-- 14:00 - 客戶簡報
-- 16:30 - Code Review
+- 09:00 - 📈 週會（視訊）
+- 14:00 - 🤝 客戶簡報
+- 16:30 - 💻 Code Review
 
 ## ✅ 待辦事項（3 項）
 - [ ] 完成 API 文件
@@ -58,10 +58,10 @@ tools:
 - ⚠️ SSL 憑證 90 天後到期（2026-05-20）
 - 🎯 本週 sprint 截止日：2026-02-21
 
-✨ *有什麼想先處理的嗎？*
+✨ *新的一天準備好開始了嗎？有什麼想先處理的任務嗎？*
 ```
 
-## Cron 設定
+## 自動化 Cron 設定
 
 ```bash
 # 每日 08:00 自動觸發
@@ -75,11 +75,11 @@ sudo openclaw cron add \
 
 ## 擴充：Google Calendar 整合
 
-若要連接 Google Calendar，在 workspace/TOOLS.md 記錄：
+若希望行事曆更即時同步，請在 `workspace/TOOLS.md` 加上：
 ```
 Google Calendar API:
 - Service Account: <path-to-credentials.json>
 - Calendar ID: primary
 ```
 
-然後 agent 可透過 Google Calendar API 抓取今日事件。
+設定完成後，agent 即可透過 Google Calendar API 為您抓取最新行程。

skills/dispatch-webhook/SKILL.md

@@ -112,3 +112,4 @@ Task ID: {task_id}
 | 401 Unauthorized | 立即失敗，提示設定 token |
 | 超時（> 30s） | 返回 accepted，等待 callback |
 | VPS 回傳 500 | 記錄錯誤，通知使用者 |
+| 非 HTTPS Webhook（且非 localhost/127.0.0.1） | 直接拒絕，避免 Bearer Token 明文傳輸 |

skills/dispatch-webhook/handler.ts

@@ -51,6 +51,13 @@ function validateInput(raw: any): DispatchInput {
     throw new Error('Webhook URL 協定不支援，僅允許 http 或 https');
   }
 
+  // 安全預設：正式環境僅允許 HTTPS，避免 Bearer Token 明文傳輸
+  // 本機開發保留 http://localhost 與 http://127.0.0.1 例外
+  const isLocalhost = ['localhost', '127.0.0.1'].includes(parsedUrl.hostname);
+  if (parsedUrl.protocol !== 'https:' && !isLocalhost) {
+    throw new Error('Webhook URL 安全性不足：非本機位址必須使用 https');
+  }
+
   if (!input.webhookToken || typeof input.webhookToken !== 'string') {
     throw new Error(`${input.target.toUpperCase()} Webhook Token 未設定`);
   }

skills/notion/SKILL.md

@@ -0,0 +1,197 @@
+---
+name: notion
+description: Notion API for creating and managing pages, databases, and blocks.
+homepage: https://developers.notion.com
+metadata:
+  {
+    "openclaw":
+      { "emoji": "📝", "requires": { "env": ["NOTION_API_KEY"] }, "primaryEnv": "NOTION_API_KEY" },
+  }
+---
+
+# notion
+
+Use the Notion API to create/read/update pages, data sources (databases), and blocks.
+
+## Setup
+
+1. Create an integration at https://notion.so/my-integrations
+2. Copy the API key (starts with `ntn_` or `secret_`)
+3. Store it:
+
+```bash
+mkdir -p ~/.config/notion
+echo "ntn_your_key_here" > ~/.config/notion/api_key
+```
+
+4. Share target pages/databases with your integration (click "..." → "Connect to" → your integration name)
+
+## API Basics
+
+All requests need:
+
+```bash
+NOTION_KEY=$(cat ~/.config/notion/api_key)
+curl -X GET "https://api.notion.com/v1/..." \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json"
+```
+
+> **Note:** The `Notion-Version` header is required. This skill uses `2025-09-03` (latest). In this version, databases are called "data sources" in the API.
+
+## Common Operations
+
+**Search for pages and data sources:**
+
+```bash
+curl -X POST "https://api.notion.com/v1/search" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{"query": "page title"}'
+```
+
+**Get page:**
+
+```bash
+curl "https://api.notion.com/v1/pages/{page_id}" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03"
+```
+
+**Get page content (blocks):**
+
+```bash
+curl "https://api.notion.com/v1/blocks/{page_id}/children" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03"
+```
+
+**Create page in a data source:**
+
+```bash
+curl -X POST "https://api.notion.com/v1/pages" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "parent": {"database_id": "xxx"},
+    "properties": {
+      "Name": {"title": [{"text": {"content": "New Item"}}]},
+      "Status": {"select": {"name": "Todo"}}
+    }
+  }'
+```
+
+**Query a data source (database):**
+
+```bash
+curl -X POST "https://api.notion.com/v1/data_sources/{data_source_id}/query" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "filter": {"property": "Status", "select": {"equals": "Active"}},
+    "sorts": [{"property": "Date", "direction": "descending"}]
+  }'
+```
+
+**Create a database:**
+
+> **IMPORTANT:** Creating databases must use `POST /v1/databases`, NOT `/v1/data_sources`. The data_sources endpoint does not support creation. The mcporter tool `API-create-a-data-source` will fail — use curl instead.
+
+```bash
+curl -X POST "https://api.notion.com/v1/databases" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "parent": {"type": "page_id", "page_id": "xxx"},
+    "title": [{"text": {"content": "My Database"}}],
+    "properties": {
+      "Name": {"title": {}},
+      "Status": {"select": {"options": [{"name": "Todo"}, {"name": "Done"}]}},
+      "Date": {"date": {}}
+    }
+  }'
+```
+
+**Create linked view of database (embed existing database in another page):**
+
+```bash
+curl -X PATCH "https://api.notion.com/v1/blocks/{target_page_id}/children" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "children": [
+      {
+        "object": "block",
+        "type": "link_to_page",
+        "link_to_page": {
+          "type": "database_id",
+          "database_id": "xxx"
+        }
+      }
+    ]
+  }'
+```
+
+**Update page properties:**
+
+```bash
+curl -X PATCH "https://api.notion.com/v1/pages/{page_id}" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{"properties": {"Status": {"select": {"name": "Done"}}}}'
+```
+
+**Add blocks to page:**
+
+```bash
+curl -X PATCH "https://api.notion.com/v1/blocks/{page_id}/children" \
+  -H "Authorization: Bearer $NOTION_KEY" \
+  -H "Notion-Version: 2025-09-03" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "children": [
+      {"object": "block", "type": "paragraph", "paragraph": {"rich_text": [{"text": {"content": "Hello"}}]}}
+    ]
+  }'
+```
+
+## Property Types
+
+Common property formats for database items:
+
+- **Title:** `{"title": [{"text": {"content": "..."}}]}`
+- **Rich text:** `{"rich_text": [{"text": {"content": "..."}}]}`
+- **Select:** `{"select": {"name": "Option"}}`
+- **Multi-select:** `{"multi_select": [{"name": "A"}, {"name": "B"}]}`
+- **Date:** `{"date": {"start": "2024-01-15", "end": "2024-01-16"}}`
+- **Checkbox:** `{"checkbox": true}`
+- **Number:** `{"number": 42}`
+- **URL:** `{"url": "https://..."}`
+- **Email:** `{"email": "a@b.com"}`
+- **Relation:** `{"relation": [{"id": "page_id"}]}`
+
+## Key Differences in 2025-09-03
+
+- **Databases → Data Sources:** Use `/data_sources/` endpoints for queries and retrieval, but **creation must use `POST /v1/databases`** (NOT `/v1/data_sources`)
+- **Two IDs:** Each database now has both a `database_id` and a `data_source_id`
+  - Use `database_id` when creating pages (`parent: {"database_id": "..."}`)
+  - Use `data_source_id` when querying (`POST /v1/data_sources/{id}/query`)
+- **Search results:** Databases return as `"object": "data_source"` with their `data_source_id`
+- **Parent in responses:** Pages show `parent.data_source_id` alongside `parent.database_id`
+- **Finding the data_source_id:** Search for the database, or call `GET /v1/data_sources/{data_source_id}`
+
+## Notes
+
+- Page/database IDs are UUIDs (with or without dashes)
+- The API cannot set database view filters — that's UI-only
+- Rate limit: ~3 requests/second average, with `429 rate_limited` responses using `Retry-After`
+- Append block children: up to 100 children per request, up to two levels of nesting in a single append request
+- Payload size limits: up to 1000 block elements and 500KB overall
+- Use `is_inline: true` when creating data sources to embed them in pages

skills/tts-voice/handler.ts

@@ -8,13 +8,15 @@
  *   - curl CLI
  */
 
+import { randomUUID } from 'crypto';
 import { spawnSync } from 'child_process';
 import { readFileSync, existsSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
 
 const LUXTTS_BASE = 'http://localhost:7860';
 const REF_AUDIO = '/home/selig/LuxTTS/ref_speech.wav';
 const ENV_PATH = '/home/selig/LuxTTS/.env';
-const COOKIE_JAR = '/tmp/luxtts-skill-cookie';
 
 // Trigger keywords to strip from user message
 const TRIGGER_WORDS = [
@@ -38,6 +40,18 @@ interface TtsParams {
   tShift: number;
 }
 
+function createCookieJarPath(): string {
+  return join(tmpdir(), `luxtts-skill-cookie-${randomUUID()}.txt`);
+}
+
+function safeUnlink(path: string): void {
+  try {
+    if (existsSync(path)) unlinkSync(path);
+  } catch {
+    // ignore cleanup errors
+  }
+}
+
 /** Read credentials from .env */
 function loadCredentials(): { user: string; pass: string } {
   try {
@@ -51,10 +65,13 @@ function loadCredentials(): { user: string; pass: string } {
 }
 
 /** Ensure we have a valid session cookie */
-function ensureCookie(): boolean {
+function ensureCookie(cookieJar: string): boolean {
   const { user, pass } = loadCredentials();
   if (!pass) return false;
 
+  // always start fresh to avoid stale session side effects
+  safeUnlink(cookieJar);
+
   try {
     const result = spawnSync(
       'curl',
@@ -62,7 +79,7 @@ function ensureCookie(): boolean {
         '-s',
         '-o', '/dev/null',
         '-w', '%{http_code}',
-        '-c', COOKIE_JAR,
+        '-c', cookieJar,
         '-X', 'POST',
         '-d', `username=${user}&password=${pass}`,
         `${LUXTTS_BASE}/luxtts/login`,
@@ -71,7 +88,7 @@ function ensureCookie(): boolean {
     );
 
     const httpCode = (result.stdout || '').trim();
-    return result.status === 0 && httpCode === '200' && existsSync(COOKIE_JAR);
+    return result.status === 0 && httpCode === '200' && existsSync(cookieJar);
   } catch {
     return false;
   }
@@ -120,7 +137,7 @@ function parseMessage(message: string): { text: string; params: TtsParams } {
 }
 
 /** Call LuxTTS API to generate speech */
-function generateSpeech(text: string, params: TtsParams): string | null {
+function generateSpeech(text: string, params: TtsParams, cookieJar: string): string | null {
   const timestamp = Date.now();
   const outPath = `/tmp/tts_output_${timestamp}.wav`;
 
@@ -129,7 +146,7 @@ function generateSpeech(text: string, params: TtsParams): string | null {
       '-s',
       '-o', outPath,
       '-w', '%{http_code}',
-      '-b', COOKIE_JAR,
+      '-b', cookieJar,
       '-X', 'POST',
       `${LUXTTS_BASE}/luxtts/api/tts`,
       '-F', `ref_audio=@${REF_AUDIO}`,
@@ -151,10 +168,10 @@ function generateSpeech(text: string, params: TtsParams): string | null {
     }
 
     // Clean up failed output
-    if (existsSync(outPath)) unlinkSync(outPath);
+    safeUnlink(outPath);
     return null;
   } catch {
-    if (existsSync(outPath)) unlinkSync(outPath);
+    safeUnlink(outPath);
     return null;
   }
 }
@@ -180,34 +197,40 @@ export async function handler(ctx: any) {
     return { reply: '❌ LuxTTS 服務未啟動，請先執行：`systemctl --user start luxtts`' };
   }
 
-  // Ensure authentication
-  if (!ensureCookie()) {
-    return { reply: '❌ LuxTTS 認證失敗，請檢查 ~/LuxTTS/.env 的帳密設定' };
-  }
+  const cookieJar = createCookieJarPath();
 
-  // Build parameter description
-  const paramDesc: string[] = [];
-  if (params.speed !== 1.0) paramDesc.push(`語速 ${params.speed}x`);
-  if (params.numSteps !== 4) paramDesc.push(`步數 ${params.numSteps}`);
-  const paramStr = paramDesc.length ? `（${paramDesc.join('、')}）` : '';
+  try {
+    // Ensure authentication
+    if (!ensureCookie(cookieJar)) {
+      return { reply: '❌ LuxTTS 認證失敗，請檢查 ~/LuxTTS/.env 的帳密設定' };
+    }
 
-  // Generate
-  const wavPath = generateSpeech(text, params);
+    // Build parameter description
+    const paramDesc: string[] = [];
+    if (params.speed !== 1.0) paramDesc.push(`語速 ${params.speed}x`);
+    if (params.numSteps !== 4) paramDesc.push(`步數 ${params.numSteps}`);
+    const paramStr = paramDesc.length ? `（${paramDesc.join('、')}）` : '';
+
+    // Generate
+    const wavPath = generateSpeech(text, params, cookieJar);
+
+    if (!wavPath) {
+      return {
+        reply: '❌ 語音合成失敗，請稍後再試。',
+        metadata: { text, params, error: true },
+      };
+    }
 
-  if (!wavPath) {
     return {
-      reply: `❌ 語音合成失敗，請稍後再試。`,
-      metadata: { text, params, error: true },
+      reply: `🔊 語音合成完成${paramStr}\n\n📝 文字：${text}\n📂 檔案：\`${wavPath}\``,
+      metadata: {
+        text,
+        params,
+        output: wavPath,
+      },
+      files: [wavPath],
     };
+  } finally {
+    safeUnlink(cookieJar);
   }
-
-  return {
-    reply: `🔊 語音合成完成${paramStr}\n\n📝 文字：${text}\n📂 檔案：\`${wavPath}\``,
-    metadata: {
-      text,
-      params,
-      output: wavPath,
-    },
-    files: [wavPath],
-  };
 }