Add bot flag to users and surface in comments

Adjust coffee bot draw schedule

.github/workflows/coffee-bot.yml

@@ -2,7 +2,7 @@ name: Coffee Bot
 
 on:
   schedule:
-    - cron: "0 1 * * *"
+    - cron: "0 1 * * 1-5"
   workflow_dispatch:
 
 jobs:
@@ -26,4 +26,5 @@ jobs:
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENISLE_TOKEN: ${{ secrets.OPENISLE_TOKEN }}
+          APIFY_API_TOKEN: ${{ secrets.APIFY_API_TOKEN }}
         run: npx tsx bots/instance/coffee_bot.ts

.github/workflows/reply-bots.yml

@@ -26,4 +26,5 @@ jobs:
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENISLE_TOKEN: ${{ secrets.OPENISLE_TOKEN }}
+          APIFY_API_TOKEN: ${{ secrets.APIFY_API_TOKEN }}
         run: npx tsx bots/instance/reply_bot.ts

backend/src/main/java/com/openisle/dto/AuthorDto.java

@@ -13,4 +13,5 @@ public class AuthorDto {
   private String username;
   private String avatar;
   private MedalType displayMedal;
+  private boolean bot;
 }

backend/src/main/java/com/openisle/dto/UserDto.java

@@ -28,4 +28,5 @@ public class UserDto {
   private int point;
   private int currentLevel;
   private int nextLevelExp;
+  private boolean bot;
 }

backend/src/main/java/com/openisle/dto/UserSummaryDto.java

@@ -8,4 +8,5 @@ public class UserSummaryDto {
   private Long id;
   private String username;
   private String avatar;
+  private boolean bot;
 }

backend/src/main/java/com/openisle/mapper/UserMapper.java

@@ -37,6 +37,7 @@ public class UserMapper {
     dto.setUsername(user.getUsername());
     dto.setAvatar(user.getAvatar());
     dto.setDisplayMedal(user.getDisplayMedal());
+    dto.setBot(user.isBot());
     return dto;
   }
 
@@ -63,6 +64,7 @@ public class UserMapper {
     dto.setPoint(user.getPoint());
     dto.setCurrentLevel(levelService.getLevel(user.getExperience()));
     dto.setNextLevelExp(levelService.nextLevelExp(user.getExperience()));
+    dto.setBot(user.isBot());
     if (viewer != null) {
       dto.setSubscribed(subscriptionService.isSubscribed(viewer.getName(), user.getUsername()));
     } else {

backend/src/main/java/com/openisle/model/User.java

@@ -62,6 +62,9 @@ public class User {
   @Column(nullable = false)
   private Role role = Role.USER;
 
+  @Column(name = "is_bot", nullable = false)
+  private boolean bot = false;
+
   @Enumerated(EnumType.STRING)
   private MedalType displayMedal;
 

backend/src/main/java/com/openisle/service/ChannelService.java

@@ -105,6 +105,7 @@ public class ChannelService {
     userDto.setId(message.getSender().getId());
     userDto.setUsername(message.getSender().getUsername());
     userDto.setAvatar(message.getSender().getAvatar());
+    userDto.setBot(message.getSender().isBot());
     dto.setSender(userDto);
 
     return dto;

backend/src/main/java/com/openisle/service/MessageService.java

@@ -211,6 +211,7 @@ public class MessageService {
     userSummaryDto.setId(message.getSender().getId());
     userSummaryDto.setUsername(message.getSender().getUsername());
     userSummaryDto.setAvatar(message.getSender().getAvatar());
+    userSummaryDto.setBot(message.getSender().isBot());
     dto.setSender(userSummaryDto);
 
     if (message.getReplyTo() != null) {
@@ -222,6 +223,7 @@ public class MessageService {
       replySender.setId(reply.getSender().getId());
       replySender.setUsername(reply.getSender().getUsername());
       replySender.setAvatar(reply.getSender().getAvatar());
+      replySender.setBot(reply.getSender().isBot());
       replyDto.setSender(replySender);
       dto.setReplyTo(replyDto);
     }
@@ -316,6 +318,7 @@ public class MessageService {
           userDto.setId(p.getUser().getId());
           userDto.setUsername(p.getUser().getUsername());
           userDto.setAvatar(p.getUser().getAvatar());
+          userDto.setBot(p.getUser().isBot());
           return userDto;
         })
         .collect(Collectors.toList())
@@ -365,6 +368,7 @@ public class MessageService {
         userDto.setId(p.getUser().getId());
         userDto.setUsername(p.getUser().getUsername());
         userDto.setAvatar(p.getUser().getAvatar());
+        userDto.setBot(p.getUser().isBot());
         return userDto;
       })
       .collect(Collectors.toList());

backend/src/main/resources/db/init/01_schema.sql

@@ -20,6 +20,7 @@ CREATE TABLE IF NOT EXISTS `users` (
   `username` varchar(50) NOT NULL,
   `verification_code` varchar(255) DEFAULT NULL,
   `verified` bit(1) DEFAULT NULL,
+  `is_bot` bit(1) NOT NULL DEFAULT b'0',
   PRIMARY KEY (`id`),
   UNIQUE KEY `UK_users_email` (`email`),
   UNIQUE KEY `UK_users_username` (`username`)

backend/src/main/resources/db/init/02_seed_data.sql

@@ -8,10 +8,28 @@ DELETE FROM `users`;
 
 -- 插入用户，两个普通用户，一个管理员
 -- username:admin/user1/user2 password:123456
-INSERT INTO `users` (`id`, `approved`, `avatar`, `created_at`, `display_medal`, `email`, `experience`, `introduction`, `password`, `password_reset_code`, `point`, `register_reason`, `role`, `username`, `verification_code`, `verified`) VALUES
-(1, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-01 16:08:17.426430', 'PIONEER', 'adminmail@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'ADMIN', 'admin', NULL, b'1'),
-(2, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-03 16:08:17.426430', 'PIONEER', 'usermail2@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'USER', 'user1', NULL, b'1'),
-(3, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-02 17:21:21.617666', 'PIONEER', 'usermail1@openisle.com', 40, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 40, '测试测试测试……', 'USER', 'user2', NULL, b'1');
+INSERT INTO `users` (
+  `id`,
+  `approved`,
+  `avatar`,
+  `created_at`,
+  `display_medal`,
+  `email`,
+  `experience`,
+  `introduction`,
+  `password`,
+  `password_reset_code`,
+  `point`,
+  `register_reason`,
+  `role`,
+  `username`,
+  `verification_code`,
+  `verified`,
+  `is_bot`
+) VALUES
+(1, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-01 16:08:17.426430', 'PIONEER', 'adminmail@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'ADMIN', 'admin', NULL, b'1', b'0'),
+(2, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-03 16:08:17.426430', 'PIONEER', 'usermail2@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'USER', 'user1', NULL, b'1', b'0'),
+(3, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-02 17:21:21.617666', 'PIONEER', 'usermail1@openisle.com', 40, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 40, '测试测试测试……', 'USER', 'user2', NULL, b'1', b'0');
 
 INSERT INTO `categories` (`id`,`description`,`icon`,`name`,`small_icon`) VALUES
 (1,'测试用分类1','star','测试用分类1',NULL),

backend/src/main/resources/db/migration/V8__add_is_bot_to_users.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN is_bot BIT(1) NOT NULL DEFAULT b'0';

bots/bot_father.ts

@@ -3,40 +3,31 @@ import { Agent, Runner, hostedMcpTool, withTrace } from "@openai/agents";
 export type WorkflowInput = { input_as_text: string };
 
 export abstract class BotFather {
-  protected readonly allowedMcpTools = [
-    "search",
-    "create_post",
-    "reply_to_post",
-    "reply_to_comment",
-    "recent_posts",
-    "get_post",
-    "list_unread_messages",
-    "mark_notifications_read",
-    "create_post",
-  ];
-
   protected readonly openisleToken = (process.env.OPENISLE_TOKEN ?? "").trim();
+  protected readonly weatherToken = (process.env.APIFY_API_TOKEN ?? "").trim();
 
   protected readonly mcp = this.createHostedMcpTool();
+  protected readonly weatherMcp = this.createWeatherMcpTool();
   protected readonly agent: Agent;
 
   constructor(protected readonly name: string) {
     console.log(`✅ ${this.name} starting...`);
-    console.log(
-      "🛠️ Configured Hosted MCP tools:",
-      this.allowedMcpTools.join(", ")
-    );
-
     console.log(
       this.openisleToken
         ? "🔑 OPENISLE_TOKEN detected in environment; it will be attached to MCP requests."
         : "🔓 OPENISLE_TOKEN not set; authenticated MCP tools may be unavailable."
     );
 
+    console.log(
+      this.weatherToken
+        ? "☁️ APIFY_API_TOKEN detected; weather MCP server will be available."
+        : "🌥️ APIFY_API_TOKEN not set; weather updates will be unavailable."
+    );
+
     this.agent = new Agent({
       name: this.name,
       instructions: this.buildInstructions(),
-      tools: [this.mcp],
+      tools: [this.mcp, this.weatherMcp],
       model: "gpt-4o",
       modelSettings: {
         temperature: 0.7,
@@ -78,12 +69,35 @@ export abstract class BotFather {
     return hostedMcpTool({
       serverLabel: "openisle_mcp",
       serverUrl: "https://www.open-isle.com/mcp",
-      allowedTools: this.allowedMcpTools,
+      allowedTools: [
+        "search", // 用于搜索帖子、内容等
+        "create_post", // 创建新帖子
+        "reply_to_post", // 回复帖子
+        "reply_to_comment", // 回复评论
+        "recent_posts", // 获取最新帖子
+        "get_post", // 获取特定帖子的详细信息
+        "list_unread_messages", // 列出未读消息或通知
+        "mark_notifications_read", // 标记通知为已读
+      ],
       requireApproval: "never",
       ...authConfig,
     });
   }
 
+  private createWeatherMcpTool(): ReturnType<typeof hostedMcpTool> {
+    return hostedMcpTool({
+      serverLabel: "weather_mcp_server",
+      serverUrl: "https://jiri-spilka--weather-mcp-server.apify.actor/mcp",
+      requireApproval: "never",
+      allowedTools: [
+        "get_current_weather", // 天气 MCP 工具
+      ],
+      headers: {
+        Authorization: `Bearer ${this.weatherToken || ""}`,
+      },
+    });
+  }
+
   protected getAdditionalInstructions(): string[] {
     return [];
   }

bots/instance/coffee_bot.ts

@@ -14,39 +14,31 @@ class CoffeeBot extends BotFather {
       "正文需亲切友好，简洁明了，鼓励社区成员互动。",
       "开奖说明需明确告知中奖者需私聊站长 @nagisa 领取奖励。",
       "确保只发布一个帖子，避免重复调用 create_post。",
+      "使用标签为 weather_mcp_server 的 MCP 工具获取北京、上海、广州、深圳当天的天气信息，并把结果写入早安问候之后。",
     ];
   }
 
   protected override getCliQuery(): string {
-    const now = new Date();
-    const beijingNow = new Date(
-      now.toLocaleString("en-US", { timeZone: "Asia/Shanghai" })
-    );
-    const weekday = WEEKDAY_NAMES[beijingNow.getDay()];
-
-    const drawTime = new Date(beijingNow);
+    const now = new Date(Date.now() + 8 * 60 * 60 * 1000);
+    const weekday = WEEKDAY_NAMES[now.getDay()];
+    const drawTime = new Date(now);
     drawTime.setHours(15, 0, 0, 0);
-    const drawTimeText = drawTime
-      .toLocaleTimeString("zh-CN", {
-        hour: "2-digit",
-        minute: "2-digit",
-        hour12: false,
-        timeZone: "Asia/Shanghai",
-      })
-      .replace(/^24:/, "00:");
 
     return `
-请立即在 https://www.open-isle.com 使用 create_post 发表一篇全新帖子，遵循以下要求：
+请立即在 https://www.open-isle.com 使用 create_post 发表一篇帖子，遵循以下要求：
 1. 标题固定为「大家星期${weekday}早安--抽一杯咖啡」。
 2. 正文包含：
    - 亲切的早安问候；
-   - 明确奖品写作“Coffee x 1”；
-   - 奖品图片链接：https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/0d6a9b33e9ca4fe5a90540187d3f9ecb.png；
-   - 公布开奖时间为今天下午 15:00（北京时间，写成 ${drawTimeText}）；
-   - 标注“领奖请私聊站长 @nagisa”；
+   - 早安问候后立即列出北京、上海、广州、深圳当天的天气信息，每行格式为“城市：天气描述，最低温~最高温”；天气需调用 weather_mcp_server 获取；
+   - 标注“领奖请私聊站长 @[nagisa]”；
    - 鼓励大家留言互动。
-3. 帖子语言使用简体中文，格式可用 Markdown，使关键信息醒目。
-4. 完成后只输出“已发布咖啡抽奖贴”，不额外生成总结。
+3. 奖品信息
+   - 明确奖品写作“Coffee”；
+   - 帖子类型必须为 LOTTERY；
+   - 奖品图片链接：https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/0d6a9b33e9ca4fe5a90540187d3f9ecb.png；
+   - 公布开奖时间为 ${drawTime}, 直接传UTC时间给接口，不要考虑时区问题
+   - categoryId 固定为 10，tagIds 设为 [36]。
+4. 帖子语言使用简体中文。
 `.trim();
   }
 }

frontend_nuxt/components/CommentItem.vue

@@ -16,6 +16,7 @@
         <div class="info-content-header-left">
           <span class="user-name">{{ comment.userName }}</span>
           <span v-if="isCommentFromPostAuthor" class="op-badge" title="楼主">OP</span>
+          <span v-if="comment.isBot" class="bot-badge" title="Bot">Bot</span>
           <medal-one class="medal-icon" />
           <NuxtLink
             v-if="comment.medal"
@@ -522,6 +523,21 @@ const handleContentClick = (e) => {
   line-height: 1;
 }
 
+.bot-badge {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  margin-left: 6px;
+  padding: 0 6px;
+  height: 18px;
+  border-radius: 9px;
+  background-color: rgba(76, 175, 80, 0.16);
+  color: #2e7d32;
+  font-size: 12px;
+  font-weight: 600;
+  line-height: 1;
+}
+
 .medal-icon {
   font-size: 12px;
   opacity: 0.6;

frontend_nuxt/pages/posts/[id]/index.vue

@@ -377,6 +377,7 @@ const mapComment = (
   text: c.content,
   reactions: c.reactions || [],
   pinned: Boolean(c.pinned ?? c.pinnedAt ?? c.pinned_at),
+  isBot: Boolean(c.author?.bot),
   reply: (c.replies || []).map((r) =>
     mapComment(r, c.author.username, c.author.avatar, c.author.id, level + 1),
   ),

mcp/src/openisle_mcp/search_client.py

@@ -66,14 +66,15 @@ class SearchClient:
         resolved = self._resolve_token(token)
         if resolved is None:
             raise ValueError(
-                "Authenticated request requires an access token but none was provided."
+                "Authenticated request requires an access token. Provide a Bearer token "
+                "via the MCP Authorization header or configure a default token for the server."
             )
         return resolved
 
     def _build_headers(
         self,
         *,
-        token: str | None = None,
+        token: str,
         accept: str = "application/json",
         include_json: bool = False,
     ) -> dict[str, str]:
@@ -177,7 +178,7 @@ class SearchClient:
         self,
         payload: dict[str, Any],
         *,
-        token: str | None = None,
+        token: str,
     ) -> dict[str, Any]:
         """Create a new post and return the detailed backend payload."""
 
@@ -197,7 +198,7 @@ class SearchClient:
         )
         response.raise_for_status()
         body = self._ensure_dict(response.json())
-        logger.info("Post creation succeeded with id=%s", body.get("id"))
+        logger.info("Post creation succeeded with id=%s, token=%s", body.get("id"), token)
         return body
 
     async def recent_posts(self, minutes: int) -> list[dict[str, Any]]:
@@ -248,7 +249,7 @@ class SearchClient:
         *,
         page: int = 0,
         size: int = 30,
-        token: str | None = None,
+        token: str,
     ) -> list[dict[str, Any]]:
         """Return unread notifications for the authenticated user."""
 
@@ -284,7 +285,7 @@ class SearchClient:
         self,
         ids: list[int],
         *,
-        token: str | None = None,
+        token: str
     ) -> None:
         """Mark the provided notifications as read for the authenticated user."""
 

mcp/src/openisle_mcp/server.py

@@ -52,6 +52,37 @@ search_client = SearchClient(
 )
 
 
+def _extract_authorization_token(ctx: Context | None) -> str | None:
+    """Return the Bearer token from the incoming MCP request headers."""
+
+    if ctx is None:
+        return None
+
+    try:
+        request_context = ctx.request_context
+    except ValueError:
+        return None
+
+    request = getattr(request_context, "request", None)
+    if request is None:
+        return None
+
+    headers = getattr(request, "headers", None)
+    if headers is None:
+        return None
+
+    authorization = headers.get("authorization")
+    if not authorization:
+        return None
+
+    scheme, _, token = authorization.partition(" ")
+    if scheme.lower() != "bearer":
+        return None
+
+    stripped = token.strip()
+    return stripped or None
+
+
 @asynccontextmanager
 async def lifespan(_: FastMCP):
     """Lifecycle hook that disposes shared resources when the server stops."""
@@ -68,8 +99,9 @@ app = FastMCP(
     name="openisle-mcp",
     instructions=(
         "Use this server to search OpenIsle content, create new posts, reply to posts and "
-        "comments with an authentication token, retrieve details for a specific post, list "
-        "posts created within a recent time window, and review unread notification messages."
+        "comments using the Authorization header or configured access token, retrieve details "
+        "for a specific post, list posts created within a recent time window, and review "
+        "unread notification messages."
     ),
     host=settings.host,
     port=settings.port,
@@ -130,7 +162,10 @@ async def search(
 
 @app.tool(
     name="reply_to_post",
-    description="Create a comment on a post using an authentication token.",
+    description=(
+        "Create a comment on a post using the request Authorization header or the configured "
+        "access token."
+    ),
     structured_output=True,
 )
 async def reply_to_post(
@@ -149,15 +184,6 @@ async def reply_to_post(
             description="Optional captcha solution if the backend requires it.",
         ),
     ] = None,
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description=(
-                "Optional JWT bearer token. When omitted the configured access token is used."
-            ),
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> CommentCreateResult:
     """Create a comment on a post and return the backend payload."""
@@ -166,12 +192,10 @@ async def reply_to_post(
     if not sanitized_content:
         raise ValueError("Reply content must not be empty.")
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-    if sanitized_token == "":
-        sanitized_token = None
-
     sanitized_captcha = captcha.strip() if isinstance(captcha, str) else None
 
+    request_token = _extract_authorization_token(ctx)
+
     try:
         logger.info(
             "Creating reply for post_id=%s (captcha=%s)",
@@ -180,20 +204,20 @@ async def reply_to_post(
         )
         raw_comment = await search_client.reply_to_post(
             post_id,
-            sanitized_token,
-            sanitized_content,
-            sanitized_captcha,
+            token=request_token,
+            content=sanitized_content,
+            captcha=sanitized_captcha,
         )
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         status_code = exc.response.status_code
         if status_code == 401:
             message = (
                 "Authentication failed while replying to post "
-                f"{post_id}. Please verify the token."
+                f"{post_id}. Please verify the Authorization header or configured token."
             )
         elif status_code == 403:
             message = (
-                "The provided token is not authorized to reply to post "
+                "The provided Authorization token is not authorized to reply to post "
                 f"{post_id}."
             )
         elif status_code == 404:
@@ -239,7 +263,10 @@ async def reply_to_post(
 
 @app.tool(
     name="reply_to_comment",
-    description="Reply to an existing comment using an authentication token.",
+    description=(
+        "Reply to an existing comment using the request Authorization header or the configured "
+        "access token."
+    ),
     structured_output=True,
 )
 async def reply_to_comment(
@@ -258,15 +285,6 @@ async def reply_to_comment(
             description="Optional captcha solution if the backend requires it.",
         ),
     ] = None,
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description=(
-                "Optional JWT bearer token. When omitted the configured access token is used."
-            ),
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> CommentReplyResult:
     """Create a reply for a comment and return the backend payload."""
@@ -275,10 +293,10 @@ async def reply_to_comment(
     if not sanitized_content:
         raise ValueError("Reply content must not be empty.")
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-
     sanitized_captcha = captcha.strip() if isinstance(captcha, str) else None
 
+    request_token = _extract_authorization_token(ctx)
+
     try:
         logger.info(
             "Creating reply for comment_id=%s (captcha=%s)",
@@ -287,20 +305,20 @@ async def reply_to_comment(
         )
         raw_comment = await search_client.reply_to_comment(
             comment_id,
-            sanitized_token,
-            sanitized_content,
-            sanitized_captcha,
+            token=request_token,
+            content=sanitized_content,
+            captcha=sanitized_captcha,
         )
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         status_code = exc.response.status_code
         if status_code == 401:
             message = (
                 "Authentication failed while replying to comment "
-                f"{comment_id}. Please verify the token."
+                f"{comment_id}. Please verify the Authorization header or configured token."
             )
         elif status_code == 403:
             message = (
-                "The provided token is not authorized to reply to comment "
+                "The provided Authorization token is not authorized to reply to comment "
                 f"{comment_id}."
             )
         else:
@@ -344,7 +362,10 @@ async def reply_to_comment(
 
 @app.tool(
     name="create_post",
-    description="Publish a new post using an authentication token.",
+    description=(
+        "Publish a new post using the request Authorization header or the configured access "
+        "token."
+    ),
     structured_output=True,
 )
 async def create_post(
@@ -466,15 +487,6 @@ async def create_post(
             description="Captcha solution if the backend requires one to create posts.",
         ),
     ] = None,
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description=(
-                "Optional JWT bearer token. When omitted the configured access token is used."
-            ),
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> PostCreateResult:
     """Create a new post in OpenIsle and return the detailed backend payload."""
@@ -487,10 +499,6 @@ async def create_post(
     if not sanitized_content:
         raise ValueError("Post content must not be empty.")
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-    if sanitized_token == "":
-        sanitized_token = None
-
     sanitized_category_id: int | None = None
     if category_id is not None:
         if isinstance(category_id, bool):
@@ -501,6 +509,8 @@ async def create_post(
             raise ValueError("Category identifier must be an integer.") from exc
         if sanitized_category_id <= 0:
             raise ValueError("Category identifier must be a positive integer.")
+    if sanitized_category_id is None:
+        raise ValueError("A category identifier is required to create a post.")
 
     sanitized_tag_ids: list[int] | None = None
     if tag_ids is not None:
@@ -517,6 +527,10 @@ async def create_post(
             sanitized_tag_ids.append(converted)
         if not sanitized_tag_ids:
             sanitized_tag_ids = None
+    if not sanitized_tag_ids:
+        raise ValueError("At least one tag identifier is required to create a post.")
+    if len(sanitized_tag_ids) > 2:
+        raise ValueError("At most two tag identifiers can be provided for a post.")
 
     sanitized_post_type = post_type.strip() if isinstance(post_type, str) else None
     if sanitized_post_type == "":
@@ -635,7 +649,7 @@ async def create_post(
 
     try:
         logger.info("Creating post with title='%s'", sanitized_title)
-        raw_post = await search_client.create_post(payload, token=sanitized_token)
+        raw_post = await search_client.create_post(payload, token=_extract_authorization_token(ctx))
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         status_code = exc.response.status_code
         if status_code == 400:
@@ -643,9 +657,12 @@ async def create_post(
                 "Post creation failed due to invalid input or captcha verification errors."
             )
         elif status_code == 401:
-            message = "Authentication failed while creating the post. Please verify the token."
+            message = (
+                "Authentication failed while creating the post. Please verify the "
+                "Authorization header or configured token."
+            )
         elif status_code == 403:
-            message = "The provided token is not authorized to create posts."
+            message = "The provided Authorization token is not authorized to create posts."
         else:
             message = (
                 "OpenIsle backend returned HTTP "
@@ -741,24 +758,15 @@ async def get_post(
         int,
         PydanticField(ge=1, description="Identifier of the post to retrieve."),
     ],
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description="Optional JWT bearer token to view the post as an authenticated user.",
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> PostDetail:
     """Fetch post details from the backend and validate the response."""
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-    if sanitized_token == "":
-        sanitized_token = None
-
     try:
         logger.info("Fetching post details for post_id=%s", post_id)
-        raw_post = await search_client.get_post(post_id, sanitized_token)
+        raw_post = await search_client.get_post(
+            post_id, _extract_authorization_token(ctx)
+        )
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         status_code = exc.response.status_code
         if status_code == 404:
@@ -766,7 +774,7 @@ async def get_post(
         elif status_code == 401:
             message = "Authentication failed while retrieving the post."
         elif status_code == 403:
-            message = "The provided token is not authorized to view this post."
+            message = "The provided Authorization token is not authorized to view this post."
         else:
             message = (
                 "OpenIsle backend returned HTTP "
@@ -823,21 +831,10 @@ async def list_unread_messages(
             description="Number of unread notifications to include per page.",
         ),
     ] = 30,
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description=(
-                "Optional JWT bearer token. When omitted the configured access token is used."
-            ),
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> UnreadNotificationsResponse:
     """Retrieve unread notifications and return structured data."""
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-
     try:
         logger.info(
             "Fetching unread notifications (page=%s, size=%s)",
@@ -847,7 +844,7 @@ async def list_unread_messages(
         raw_notifications = await search_client.list_unread_notifications(
             page=page,
             size=size,
-            token=sanitized_token,
+            token=_extract_authorization_token(ctx),
         )
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         message = (
@@ -906,29 +903,18 @@ async def mark_notifications_read(
             description="Notification identifiers that should be marked as read.",
         ),
     ],
-    token: Annotated[
-        str | None,
-        PydanticField(
-            default=None,
-            description=(
-                "Optional JWT bearer token. When omitted the configured access token is used."
-            ),
-        ),
-    ] = None,
     ctx: Context | None = None,
 ) -> NotificationCleanupResult:
     """Mark the supplied notifications as read and report the processed identifiers."""
 
-    sanitized_token = token.strip() if isinstance(token, str) else None
-    if sanitized_token == "":
-        sanitized_token = None
-
     try:
         logger.info(
             "Marking %d notifications as read",  # pragma: no branch - logging
             len(ids),
         )
-        await search_client.mark_notifications_read(ids, token=sanitized_token)
+        await search_client.mark_notifications_read(
+            ids, token=_extract_authorization_token(ctx)
+        )
     except httpx.HTTPStatusError as exc:  # pragma: no cover - network errors
         message = (
             "OpenIsle backend returned HTTP "