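# visionA — stage environment variable template
#
# Usage:
#   1. On the stage host:
#        cp .env.stage.example .env.stage
#        nano .env.stage      # fill in the secrets (see below)
#   2. .env.stage lives in the same directory as docker-compose.stage.yml
#   3. WARNING: .env.stage is never committed (already excluded by .gitignore)
#
# Secret generation:
#   openssl rand -hex 32
#   Every CHANGE_ME_* placeholder below gets its OWN freshly generated value;
#   never reuse one value for two keys, and never reuse a dev/prod value here.
#
# Kept in sync with:
#   - visionA-backend/internal/config/config.go (after A1: ClientSecret optional, ServiceClient* reserved)
#   - .autoflow/04-architecture/oidc-tdd.md §13.1
#   - .autoflow/progress.md Phase 0.7 → S6 (OIDC public PKCE-only client)

# ============================================================
# OIDC — Member Center @ stage
# ============================================================
# Issuer URL — the trailing slash is REQUIRED (MC discovery returns the issuer
# with a slash; without it the client init rejects the mismatch)
VISIONA_OIDC_ISSUER_URL=https://stage-9527.innovedus.com:7850/
# Login client (public PKCE-only — no secret; the client_id itself is not confidential)
VISIONA_OIDC_CLIENT_ID=b8093fea1a504a5d8f0e04bee9f78f2e
# Leave empty → backend runs in PKCE-only mode (supported after A1; see ADR-013)
VISIONA_OIDC_CLIENT_SECRET=
# Removed in Phase 0.8b: VISIONA_OIDC_SERVICE_CLIENT_ID / _SECRET
# Service-to-service auth moved from OAuth client_credentials to a pre-shared
# API key (see ADR-015); the two service-client env vars are no longer read
# (the OIDCConfig.ServiceClientID/Secret struct fields are kept for backward
# compat, but the conversion module no longer depends on them).
# NOTE(security): the stage service client secret that was leaked is no longer
# used by this backend, but that does NOT invalidate it — a leaked OAuth client
# secret stays usable at Member Center until the client is disabled or its
# secret rotated THERE. Confirm with the MC admin that the service client has
# been revoked before treating the leak as closed.
# Callback URL — must match the redirect_uri registered on the MC client exactly
VISIONA_OIDC_REDIRECT_URL=https://stage-9527.innovedus.com:9527/api/auth/callback
# Frontend URL — 302 target after the OIDC callback completes (same host, same port)
VISIONA_FRONTEND_URL=https://stage-9527.innovedus.com:9527

# ============================================================
# Cookie session (browser-side session cookie after OIDC login)
# ============================================================
# Cookie HMAC signing key — MUST be replaced
# Generate: openssl rand -hex 32
# Must differ from VISIONA_STORAGE_SIGNING_SECRET and VISIONA_CONVERTER_API_KEY.
VISIONA_SESSION_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32
# CookieDomain: empty = host-only cookie (recommended; stage has a single host)
# Only set to something like .innovedus.com if sessions must be shared across subdomains
VISIONA_SESSION_COOKIE_DOMAIN=
# CookieSecure: stage is served over HTTPS → must be true
VISIONA_SESSION_COOKIE_SECURE=true
# Session TTL (defaults shown; to change, uncomment and set a value)
# VISIONA_SESSION_ABSOLUTE_TTL=168h
# VISIONA_SESSION_IDLE_TTL=24h

# ============================================================
# Server — ports match nginx.stage.conf
# ============================================================
# 0.0.0.0 binds every interface inside the container. Only nginx's :9527 should
# be published on the host; 3721/3800/3801 must stay container-/loopback-only
# (verify the port mappings in docker-compose.stage.yml).
VISIONA_HOST=0.0.0.0
VISIONA_API_PORT=3721
VISIONA_TUNNEL_PORT=3800
VISIONA_PROXY_INTERNAL_PORT=3801
# Internal api-server → remote-proxy hop; keep it on loopback (presumably unauthenticated — confirm)
VISIONA_PROXY_INTERNAL_URL=http://127.0.0.1:3801
# SessionStore backend on the api-server side: proxy-client = query remote-proxy over internal HTTP
# SessionStore backend on the remote-proxy side: inmemory = holds the yamux sessions itself
# Both binaries read this same .env, but each only looks at the fields it needs
VISIONA_SESSION_BACKEND=proxy-client
# Public URL the agent uses to reach the tunnel (returned to the agent by /api/pairing/exchange)
# Note: ws→wss; host:port must match the public HTTPS endpoint
VISIONA_RELAY_PUBLIC_URL=wss://stage-9527.innovedus.com:9527

# ============================================================
# CORS — stage is same-origin (frontend and backend both served from :9527); nothing to allow
# ============================================================
VISIONA_CORS_ALLOWED_ORIGINS=

# ============================================================
# Storage — prototype LocalFS (host /opt/visiona/data/ mounted into the container)
# ============================================================
VISIONA_STORAGE_BACKEND=localfs
VISIONA_STORAGE_LOCALFS_ROOT=/data/storage
# Externally reachable base for presigned URLs; matches the company host nginx
VISIONA_STORAGE_LOCALFS_BASE_URL=https://stage-9527.innovedus.com:9527/storage
# Presigned URL HMAC secret — MUST be replaced
# Generate: openssl rand -hex 32 (a separate value from VISIONA_SESSION_SECRET)
VISIONA_STORAGE_SIGNING_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32

# ============================================================
# Model upload
# ============================================================
# Model upload size limit (MB) — must match client_max_body_size in nginx.stage.conf
# nginx currently sets 100M, so 100 here; change both places together
VISIONA_MODEL_MAX_SIZE_MB=100

# ============================================================
# Pairing token (prototype: empty = issued dynamically; set = fixed value)
# Matches .autoflow/02-prd/feature-pairing-token.md
# ============================================================
# Leave empty on stage. A fixed value is a long-lived shared credential living
# in this file; if one is ever needed, generate it with openssl rand -hex 32
# and handle it like the other secrets here.
VISIONA_PAIRING_TOKEN=

# ============================================================
# Misc
# ============================================================
VISIONA_LOG_LEVEL=info
# No demo data on stage (avoids polluting storage with fake records)
VISIONA_SEED_DEMO_DATA=false
# After the Phase 0.7 security audit (2026-05-01) stage/prod no longer read VISIONA_STATIC_USER_ID;
# it was removed from api.Deps (see .autoflow/05-implementation/review/phase-0.7-security-audit.md C1).
# Comment kept as an audit trail; stage deployments must not set VISIONA_STATIC_USER_ID.

# ============================================================
# Phase 0.8 / 0.8b — conversion feature integration (converter pre-shared API key)
# ============================================================
# Matches docs/autoflow/04-architecture/conversion.md §3 + ADR-015 + ADR-016.
#
# Phase 0.8b change: service-to-service auth moved from OAuth client_credentials to a pre-shared API key.
#
# Enablement rule: BOTH fields (ConverterBaseURL / ConverterAPIKey) must be non-empty
# to enable; if either is missing, the five /api/conversion/* endpoints are not registered.
#
# Removed in Phase 0.8b (no longer read; do not put them back into .env.stage):
#   - VISIONA_OIDC_SERVICE_CLIENT_ID / _SECRET (MC client_credentials dropped for service auth)
#   - VISIONA_CONVERSION_TENANT_ID / VISIONA_OIDC_TENANT_ID (tenant concept dropped)
#   - VISIONA_FAA_DELEGATED_TTL_SECONDS (delegated download token mechanism dropped; replaced by a server-side stream proxy)
#
# Removed in Phase 0.8b v0.6 T4 (no longer read; do not put them back into .env.stage; ADR-016 retracts the v0.5 design gap):
#   - VISIONA_FAA_BASE_URL (visionA no longer calls FAA directly)
#   - VISIONA_FAA_API_KEY (same; download / promote now go through converter.GetResult)

# kneron_model_converter task-scheduler base URL (stage company intranet)
# NOTE(security): plain http:// — the pre-shared API key below travels in
# cleartext on every request. Acceptable only if the network path to
# 192.168.0.130 is trusted end-to-end; prefer an https:// endpoint (or a
# TLS-terminating proxy in front of the converter) once one is available.
VISIONA_CONVERTER_BASE_URL=http://192.168.0.130:9501
# Pre-shared API key — visionA → converter service-to-service auth (added in Phase 0.8b; ADR-015 §3)
# MUST be replaced: openssl rand -hex 32 yields 64 hex chars; must equal CONVERTER_API_KEY on the converter side
# Each side holds its own copy; never shared with anything else; strictly per-environment (dev / stage / prod each get their own key)
# Never log the full value; inject via AWS Secrets Manager / Vault at deploy time
VISIONA_CONVERTER_API_KEY=CHANGE_ME_OPENSSL_RAND_HEX_32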