P4-D: secret治理和KMS表述清理

domain/account.go: CredentialKMSKeyAlias → CredentialKeyAlias + 注释说明（非KMS） repository/account.go: 字段映射同步更新（SQL列名credential_kms_key_alias保持不变避免迁移） security/kms_service.go: 添加模块顶部注释，区分本地加密与真实KMS服务，明确ProviderType="local"为本地实现
2026-04-21 20:32:31 +08:00
parent 07614339cb
commit ecfde0e887
3 changed files with 11 additions and 3 deletions
--- a/supply-api/internal/domain/account.go
+++ b/supply-api/internal/domain/account.go
@@ -71,7 +71,7 @@ type Account struct {

 	// 加密元数据字段 (XR-001)
 	CredentialCipherAlgo  string     `json:"credential_cipher_algo,omitempty"`
-	CredentialKMSKeyAlias string     `json:"credential_kms_key_alias,omitempty"`
+	CredentialKeyAlias    string     `json:"credential_key_alias,omitempty"` // 本地加密密钥别名（非KMS）
 	CredentialKeyVersion  int        `json:"credential_key_version,omitempty"`
 	CredentialFingerprint string     `json:"credential_fingerprint,omitempty"`
 	LastRotationAt        *time.Time `json:"last_rotation_at,omitempty"`
--- a/supply-api/internal/repository/account.go
+++ b/supply-api/internal/repository/account.go
@@ -105,7 +105,7 @@ func (r *AccountRepository) GetByID(ctx context.Context, supplierID, id int64) (
 		&account.TosCompliant, &account.TosCheckResult,
 		&account.TotalRequests, &account.TotalTokens, &account.TotalCost, &account.SuccessRate,
 		&account.RiskScore, &account.RiskReason, &account.IsFrozen, &account.FrozenReason,
-		&account.CredentialCipherAlgo, &account.CredentialKMSKeyAlias, &account.CredentialKeyVersion,
+		&account.CredentialCipherAlgo, &account.CredentialKeyAlias, &account.CredentialKeyVersion,
 		&account.QuotaUnit, &account.CurrencyCode, &account.Version,
 		&createdIP, &updatedIP, &account.AuditTraceID,
 		&account.CreatedAt, &account.UpdatedAt,
--- a/supply-api/internal/security/kms_service.go
+++ b/supply-api/internal/security/kms_service.go
@@ -14,7 +14,15 @@ import (
 	"golang.org/x/crypto/hkdf"
 )

-// ==================== P0-02 KMS加密方案 ====================
+// ==================== P0-02 本地加密服务 ====================
+// 注意：KMSService 是本地信封加密实现，非真实 KMS（如 AWS KMS / HashiCorp Vault）。
+// 当前实现在 dev/local 模式下使用 HKDF-SHA256 派生 DEK。
+// 生产部署时应通过 ProviderType 配置集成真实 KMS。
+//
+// 用语说明（KMS表述清理 P4-D）：
+//   - "KMS" (Key Management Service) — 真实外部密钥管理服务（AWS KMS / HashiCorp Vault）
+//   - 本模块使用 "local" ProviderType，是本地加密实现，非真实 KMS
+//   - CredentialKeyAlias 字段记录本地加密密钥别名，与外部 KMS 无关

 // AES-256-GCM算法参数
 const (