Align with ADR-016 / conversion.md v0.6.1 §3.1: the visionA side no longer needs FAA settings (the FAAAPIKey/FAABaseURL added in v0.5 T1 are withdrawn).
config removals:
- internal/config/config.go: the two fields ConversionConfig.FAABaseURL + FAAAPIKey
- internal/config/load.go: the two env reads VISIONA_FAA_BASE_URL + VISIONA_FAA_API_KEY
- Enabled() simplified to "ConverterBaseURL + ConverterAPIKey both non-empty"
- internal/config/load_test.go: TestLoad_ConversionEnabled reduced from 6 cases to 4 (all_set / missing_converter_url / missing_converter_key / all_empty)
.env*.example alignment (3 files):
- visionA-backend/.env.example: removed the 2 FAA env rows + comments; header changed to "enabled by 2 fields"
- .env.stage.example: same; VISIONA_CONVERTER_API_KEY keeps the CHANGE_ME_OPENSSL_RAND_HEX_32 placeholder
- .env.dev.example: comment blocks aligned consistently
T3 review polish:
- m-2 internal/api/conversion.go: i18n message map drops 4 dead cases (download_token_failed / mc_token_unavailable / idp_misconfigured / idp_unavailable), corresponding to the sentinels removed when mc_token_client was withdrawn in v0.5; they fall through to the default "internal error", behaviour unchanged
- m-3 internal/conversion/util.go: hashObjectKey godoc gains a "Design constraints (important)" section + 3 "things not to do" (never appears in response body/header / never used to build URLs / never written into user-facing error messages), making explicit that its use is limited to slog fields, to avoid a misuse vector
- cmd/api-server/main.go: godoc aligned with T4 completion status
Verification:
- Layer B verification run proactively (the T3 reviewer accepted deferring it; backend ran it proactively to avoid a second reviewer request):
* cross-file grep: 0 functional hits in production code (remaining hits are all comment audit trail / test fixture names)
* 17 packages race -count=3 all green
* consistency check across the 3 .env environments
- go build ./... exit 0
- go test -race -count=3 ./... 17 packages all green
- Reviewer 5-axis (v0.6-t4-review) ✅ passed (0 Critical / 0 Major / 2 Minor / 4 Suggestion)
v0.6 alignment refactor effectively complete:
- T1 ConverterClient.GetResult method
- T2 flow.go DownloadStream/PromoteToModels switched to GetResult + e2e endpoint
- T3 faa_client file removed entirely + ErrFAA* sentinels cleaned + s-3/s-4/s-5 required fixes + mockFAA regression-only
- T4 config FAA fields removed + .env cleaned + i18n/godoc polish
main.go startup log is already "converter_api_key_set only", no FAA residue / no tenant_id (handled in T2-T3). e2e regression protection is guarded by the mockFAA negative assertion (T3).
Next steps:
- visionA backend side ADR-016 alignment complete; waiting for the user to add the converter GET /api/v1/jobs/{id}/result endpoint in the other repo
- stage redeploy + full e2e test
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
144 lines
6.9 KiB
Plaintext
# visionA — stage environment variable template
#
# Usage:
# 1. On the stage host:
# cp .env.stage.example .env.stage
# nano .env.stage # fill in secrets (see notes below)
# 2. .env.stage sits in the same directory as docker-compose.stage.yml
# 3. ⚠️ Not committed to git (already excluded by .gitignore)
#
# Generating secrets:
# openssl rand -hex 32
#
# Aligned with:
# - visionA-backend/internal/config/config.go (after A1, ClientSecret is optional; ServiceClient* reserved)
# - .autoflow/04-architecture/oidc-tdd.md §13.1
# - .autoflow/progress.md Phase 0.7 → S6 (OIDC public PKCE-only client)

# ============================================================
# OIDC — Member Center @ stage
# ============================================================
# Issuer URL — trailing slash is **required** (the issuer returned by MC discovery carries the slash; otherwise client init rejects it)
VISIONA_OIDC_ISSUER_URL=https://stage-9527.innovedus.com:7850/

# Login client (public PKCE-only — no secret)
VISIONA_OIDC_CLIENT_ID=b8093fea1a504a5d8f0e04bee9f78f2e
# Leave empty → backend runs in PKCE-only mode (supported after A1; see ADR-013)
VISIONA_OIDC_CLIENT_SECRET=

# Removed in Phase 0.8b: VISIONA_OIDC_SERVICE_CLIENT_ID / _SECRET
# Service-to-service auth moved from OAuth client_credentials to a pre-shared API key (see ADR-015);
# the two service client env vars are no longer read (the OIDCConfig.ServiceClientID/Secret struct fields
# are kept for now for backward compat, but the conversion module no longer depends on them).
# The previously leaked stage service client secret is void from this point; no rotation needed.

# Callback URL — must match exactly the redirect_uri configured on the MC-side client
VISIONA_OIDC_REDIRECT_URL=https://stage-9527.innovedus.com:9527/api/auth/callback

# Frontend URL — target of the 302 after the OIDC callback completes (same host, same port)
VISIONA_FRONTEND_URL=https://stage-9527.innovedus.com:9527

# ============================================================
# Cookie session (browser-side session cookie after OIDC login)
# ============================================================
# Cookie HMAC signing key — **must be replaced**
# Generate: openssl rand -hex 32
VISIONA_SESSION_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32

# CookieDomain: empty = host-only cookie (recommended; stage has a single host)
# Set to something like .innovedus.com only if sessions must be shared across subdomains in future
VISIONA_SESSION_COOKIE_DOMAIN=

# CookieSecure: stage is served over HTTPS → must be true
VISIONA_SESSION_COOKIE_SECURE=true

# Session TTL (defaults; to change, uncomment and set a value)
# VISIONA_SESSION_ABSOLUTE_TTL=168h
# VISIONA_SESSION_IDLE_TTL=24h

# ============================================================
# Server — ports all aligned with nginx.stage.conf
# ============================================================
VISIONA_HOST=0.0.0.0
VISIONA_API_PORT=3721
VISIONA_TUNNEL_PORT=3800
VISIONA_PROXY_INTERNAL_PORT=3801
VISIONA_PROXY_INTERNAL_URL=http://127.0.0.1:3801

# SessionStore backend on the api-server side: proxy-client = query remote-proxy over internal HTTP
# SessionStore backend on the remote-proxy side: inmemory = holds the yamux sessions itself
# Both binaries read this same .env, but each only looks at the fields it needs
VISIONA_SESSION_BACKEND=proxy-client

# Public URL the agent uses to connect to the tunnel (returned to the agent by /api/pairing/exchange)
# Note ws→wss; host:port must match the public HTTPS endpoint
VISIONA_RELAY_PUBLIC_URL=wss://stage-9527.innovedus.com:9527

# ============================================================
# CORS — stage is same host, same origin (frontend and backend both served from :9527); nothing to allow
# ============================================================
VISIONA_CORS_ALLOWED_ORIGINS=

# ============================================================
# Storage — prototype LocalFS (the host's /opt/visiona/data/ mounted into the container)
# ============================================================
VISIONA_STORAGE_BACKEND=localfs
VISIONA_STORAGE_LOCALFS_ROOT=/data/storage
# Externally reachable base for presigned URLs; matches the company host nginx public endpoint
VISIONA_STORAGE_LOCALFS_BASE_URL=https://stage-9527.innovedus.com:9527/storage
# presigned URL HMAC secret — **must be replaced**
# Generate: openssl rand -hex 32
VISIONA_STORAGE_SIGNING_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32

# ============================================================
# Model upload
# ============================================================
# Model upload size limit (MB) — must be aligned with client_max_body_size in nginx.stage.conf
# nginx is currently set to 100M, so 100 here too; to raise it, change both places together
VISIONA_MODEL_MAX_SIZE_MB=100

# ============================================================
# Pairing token (prototype: empty = issued dynamically; set = hard-coded)
# Aligned with .autoflow/02-prd/feature-pairing-token.md
# ============================================================
VISIONA_PAIRING_TOKEN=

# ============================================================
# Misc
# ============================================================
VISIONA_LOG_LEVEL=info
# stage does not seed demo data (avoids polluting storage with fake data)
VISIONA_SEED_DEMO_DATA=false

# After the Phase 0.7 security audit (2026-05-01), stage/prod no longer read this value;
# it was removed from api.Deps (see .autoflow/05-implementation/review/phase-0.7-security-audit.md C1).
# The comment is kept as an audit trail; stage deployment does not need to set VISIONA_STATIC_USER_ID.

# ============================================================
# Phase 0.8 / 0.8b — conversion feature integration (converter pre-shared API key)
# ============================================================
# Aligned with docs/autoflow/04-architecture/conversion.md §3 + ADR-015 + ADR-016.
#
# Phase 0.8b change: service-to-service auth moved from OAuth client_credentials to a pre-shared API key.
#
# Enablement rule: the feature counts as enabled only when **both** fields (ConverterBaseURL / ConverterAPIKey) are non-empty;
# if either is missing → the 5 /api/conversion/* endpoints are not registered.
#
# Removed in Phase 0.8b (no longer read; do not put them back into .env.stage):
# - VISIONA_OIDC_SERVICE_CLIENT_ID / _SECRET (MC client_credentials dropped for service-to-service auth)
# - VISIONA_CONVERSION_TENANT_ID / VISIONA_OIDC_TENANT_ID (tenant concept dropped)
# - VISIONA_FAA_DELEGATED_TTL_SECONDS (delegated download token mechanism dropped; replaced by server-side stream proxy)
#
# Removed in Phase 0.8b v0.6 T4 (no longer read; do not put them back into .env.stage; ADR-016 withdraws the v0.5 design gap):
# - VISIONA_FAA_BASE_URL (the visionA side no longer calls FAA directly)
# - VISIONA_FAA_API_KEY (same; download / promote now go through converter.GetResult)

# kneron_model_converter task-scheduler base URL (stage company intranet)
VISIONA_CONVERTER_BASE_URL=http://192.168.0.130:9501

# Pre-shared API key — visionA → converter service-to-service auth (added in Phase 0.8b; ADR-015 §3)
# **Must be replaced**: generate a 64-char hex string with openssl rand -hex 32; must match CONVERTER_API_KEY on the converter side
# Held independently by both sides, never shared, strictly per environment (dev / stage / prod each have their own key)
# Logs never print the full value; inject via AWS Secrets Manager / Vault at deploy time
VISIONA_CONVERTER_API_KEY=CHANGE_ME_OPENSSL_RAND_HEX_32
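The enablement rule stated in the commit message (Enabled() = both converter fields non-empty, four test cases) and in the Phase 0.8 block of the template above, together with the "converter_api_key_set only" startup-log rule, as an added Go illustration. This is not the visionA code base: the struct and field names follow the commit message, while LoadConversionFromEnv, StartupAttrs and the injectable getenv are assumed helpers written for this example.

```go
package main

import (
	"context"
	"log/slog"
	"os"
)

// ConversionConfig keeps only the two fields that survive the FAA removal.
// Field names follow the commit message; the rest of this file is an added
// illustration, not the project's own code.
type ConversionConfig struct {
	ConverterBaseURL string
	ConverterAPIKey  string
}

// Enabled reports whether the /api/conversion/* endpoints should be
// registered: both fields must be non-empty, a missing one disables them.
func (c ConversionConfig) Enabled() bool {
	return c.ConverterBaseURL != "" && c.ConverterAPIKey != ""
}

// LoadConversionFromEnv reads the two VISIONA_CONVERTER_* variables named in
// the template. The withdrawn VISIONA_FAA_* variables are deliberately not
// read. getenv is injectable (assumed helper) so the loader is testable offline.
func LoadConversionFromEnv(getenv func(string) string) ConversionConfig {
	return ConversionConfig{
		ConverterBaseURL: getenv("VISIONA_CONVERTER_BASE_URL"),
		ConverterAPIKey:  getenv("VISIONA_CONVERTER_API_KEY"),
	}
}

// StartupAttrs builds the startup-log attributes. Only a boolean
// "converter_api_key_set" is emitted, never the key material itself, which
// matches the template's "logs never print the full value" rule.
func StartupAttrs(c ConversionConfig) []slog.Attr {
	return []slog.Attr{
		slog.Bool("conversion_enabled", c.Enabled()),
		slog.String("converter_base_url", c.ConverterBaseURL),
		slog.Bool("converter_api_key_set", c.ConverterAPIKey != ""),
	}
}

func main() {
	cfg := LoadConversionFromEnv(os.Getenv)
	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
	logger.LogAttrs(context.Background(), slog.LevelInfo, "startup", StartupAttrs(cfg)...)
}
```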