docs: project docs, scripts, deployment configs, and evidence

2026-04-02 11:22:17 +08:00
parent 4718980ab5
commit bbeeb63dfa
396 changed files with 165018 additions and 0 deletions
--- a/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md
+++ b/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md
@@ -0,0 +1,37 @@
+# Secret Boundary Drill
+
+- Generated at: 2026-03-24 10:41:28 +08:00
+- Source DB: D:\project\data\user_management.db
+- Isolated DB: D:\project\docs\evidence\ops\2026-03-24\secret-boundary\20260324-104122\user_management.secret-boundary.db
+- Isolated config: D:\project\docs\evidence\ops\2026-03-24\secret-boundary\20260324-104122\config.secret-boundary.yaml
+
+## Template Validation
+
+- config template jwt.secret blank: True
+- config template postgresql.password blank: True
+- config template mysql.password blank: True
+- forbidden placeholders removed from configs/config.yaml: True
+- .gitignore protects local JWT key files: True
+- .gitignore protects .env files: True
+
+## Runtime Injection Validation
+
+- Startup path: UMS_CONFIG_PATH + UMS_JWT_ALGORITHM + UMS_JWT_SECRET
+- Synthetic JWT algorithm injected: HS256
+- Synthetic JWT secret length: 45
+- GET /health: pass
+- GET /health/ready: pass
+- GET /api/v1/auth/capabilities: {"password":true,"email_code":false,"sms_code":false,"password_reset":false,"oauth_providers":[]}
+
+## Scope Note
+
+- This drill proves the repo-level secret boundary and environment injection path are executable locally.
+- It does not prove external secrets manager, KMS rotation, or CI/CD environment delivery evidence.
+
+## Evidence Files
+
+- server.stdout.log
+- server.stderr.log
+- capabilities.json
+- config.secret-boundary.yaml
+
--- a/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/capabilities.json
+++ b/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/capabilities.json
@@ -0,0 +1,10 @@
+{
+    "password":  true,
+    "email_code":  false,
+    "sms_code":  false,
+    "password_reset":  false,
+    "oauth_providers":  [
+
+                        ]
+}
+
--- a/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/config.secret-boundary.yaml
+++ b/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/config.secret-boundary.yaml
@@ -0,0 +1,216 @@
+server:
+  port: 18088
+  mode: release  # debug, release
+  read_timeout: 30s
+  read_header_timeout: 10s
+  write_timeout: 30s
+  idle_timeout: 60s
+  shutdown_timeout: 15s
+  max_header_bytes: 1048576
+
+database:
+  type: sqlite  # current runtime support: sqlite
+  sqlite:
+    path: "D:/project/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/user_management.secret-boundary.db"
+  postgresql:
+    host: localhost
+    port: 5432
+    database: user_management
+    username: postgres
+    password: ""
+    ssl_mode: disable
+    max_open_conns: 100
+    max_idle_conns: 10
+  mysql:
+    host: localhost
+    port: 3306
+    database: user_management
+    username: root
+    password: ""
+    charset: utf8mb4
+    max_open_conns: 100
+    max_idle_conns: 10
+
+cache:
+  l1:
+    enabled: true
+    max_size: 10000
+    ttl: 5m
+  l2:
+    enabled: false
+    type: redis
+    redis:
+      addr: localhost:6379
+      password: ""
+      db: 0
+      pool_size: 50
+      ttl: 30m
+
+redis:
+  enabled: false
+  addr: localhost:6379
+  password: ""
+  db: 0
+
+jwt:
+  algorithm: RS256
+  secret: ""
+  private_key_path: "./data/jwt/private.pem"
+  public_key_path: "./data/jwt/public.pem"
+  private_key_pem: ""
+  public_key_pem: ""
+  access_token_expire: 2h
+  refresh_token_expire: 168h  # 7天 = 168小时
+
+security:
+  password_min_length: 8
+  password_require_special: true
+  password_require_number: true
+  login_max_attempts: 5
+  login_lock_duration: 30m
+
+ratelimit:
+  enabled: true
+  login:
+    enabled: true
+    algorithm: token_bucket
+    capacity: 5
+    rate: 1
+    window: 1m
+  register:
+    enabled: true
+    algorithm: leaky_bucket
+    capacity: 3
+    rate: 1
+    window: 1h
+  api:
+    enabled: true
+    algorithm: sliding_window
+    capacity: 1000
+    window: 1m
+
+monitoring:
+  prometheus:
+    enabled: true
+    path: /metrics
+  tracing:
+    enabled: false
+    endpoint: http://localhost:4318
+    service_name: user-management-system
+
+logging:
+  level: info  # debug, info, warn, error
+  format: json  # json, text
+  output:
+    - stdout
+    - ./logs/app.log
+  rotation:
+    max_size: 100  # MB
+    max_age: 30    # days
+    max_backups: 10
+
+admin:
+  username: ""
+  password: ""
+  email: ""
+
+cors:
+  enabled: true
+  allowed_origins:
+    - "http://localhost:3000"
+    - "http://127.0.0.1:3000"
+  allowed_methods:
+    - GET
+    - POST
+    - PUT
+    - DELETE
+    - OPTIONS
+  allowed_headers:
+    - Authorization
+    - Content-Type
+    - X-Requested-With
+    - X-CSRF-Token
+  max_age: 3600
+
+email:
+  host: ""          # 生产环境填写真实 SMTP Host
+  port: 18088
+  username: ""
+  password: ""
+  from_email: ""
+  from_name: "用户管理系统"
+
+sms:
+  enabled: false
+  provider: ""  # aliyun, tencent；留空表示禁用短信能力
+  code_ttl: 5m
+  resend_cooldown: 1m
+  max_daily_limit: 10
+  aliyun:
+    access_key_id: ""
+    access_key_secret: ""
+    sign_name: ""
+    template_code: ""
+    endpoint: ""
+    region_id: "cn-hangzhou"
+    code_param_name: "code"
+  tencent:
+    secret_id: ""
+    secret_key: ""
+    app_id: ""
+    sign_name: ""
+    template_id: ""
+    region: "ap-guangzhou"
+    endpoint: ""
+
+password_reset:
+  token_ttl: 15m
+  site_url: "http://localhost:8080"
+
+# OAuth 社交登录配置（留空则禁用对应 Provider）
+oauth:
+  google:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/google/callback"
+  wechat:
+    app_id: ""
+    app_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/wechat/callback"
+  github:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/github/callback"
+  qq:
+    app_id: ""
+    app_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/qq/callback"
+  alipay:
+    app_id: ""
+    private_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/alipay/callback"
+    sandbox: false
+  douyin:
+    client_key: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/douyin/callback"
+
+# Webhook 全局配置
+webhook:
+  enabled: true
+  secret_header: "X-Webhook-Signature"   # 签名 Header 名称
+  timeout_sec: 30                         # 单次投递超时（秒）
+  max_retries: 3                          # 最大重试次数
+  retry_backoff: "exponential"            # 退避策略：exponential / fixed
+  worker_count: 4                         # 后台投递协程数
+  queue_size: 1000                        # 投递队列大小
+
+# IP 安全配置
+ip_security:
+  auto_block_enabled: true               # 是否启用自动封禁
+  auto_block_duration: 30m              # 自动封禁时长
+  brute_force_threshold: 10             # 暴力破解阈值（窗口内失败次数）
+  detection_window: 15m                 # 检测时间窗口
+
+
+
--- a/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/user_management.secret-boundary.db
+++ b/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/user_management.secret-boundary.db