chore(deploy): remove obsolete env vars from deployment configs

- docker-compose.e2e.yml: remove WEBHOOK_SECRET, REVIEW_* env vars (now configured via assistant API in seed.sh) - e2e/seed.sh: add step to configure assistant via Admin API after boot (login with default password, set webhook secret + review settings) - k8s/gitea-assistant.yaml: Secret now only contains GITEA_ACCESS_TOKEN; ConfigMap reduced to GITEA_API_URL, PORT, QDRANT_URL - cursor rules updated to document DB-first config architecture
2026-03-27 10:05:50 +00:00 · 2026-03-05 11:35:58 +08:00
parent 769517f7bf
commit 7ef35fa8ee
5 changed files with 81 additions and 48 deletions
--- a/.cursor/rules/03-tech-stack-and-dependencies.mdc
+++ b/.cursor/rules/03-tech-stack-and-dependencies.mdc
@@ -38,8 +38,12 @@ From [package.json](mdc:package.json):
 ## Environment Configuration
-The application uses a hybrid configuration approach:
+The application uses a **DB-first** configuration approach (Portainer model):
- **Environment variables** ([src/config/index.ts](mdc:src/config/index.ts)): Gitea settings, server config, webhook security, review engine params
+- **Environment variables** (minimal, infrastructure-level only):
- **Web UI + SQLite DB** ([src/db/](mdc:src/db)): LLM provider settings (API keys, models, endpoints) — managed via Admin Dashboard
+  - `PORT`: Server port
- **bun:sqlite**: Embedded database for LLM configuration persistence
+  - `DATABASE_PATH`: SQLite file path (optional, default: `./data/assistant.db`)
  - `MASTER_KEY_PATH`: Encryption key path (optional, default: `./data/master.key`)
 - **Web UI + SQLite DB** ([src/db/](mdc:src/db)): All runtime config — Gitea, Feishu, webhook secret, admin password, review engine, memory settings — managed via Admin Dashboard
 - **First-boot seed**: `configManager.seedDefaults()` auto-generates secrets and seeds defaults on first run
 - **bun:sqlite**: Embedded database for all configuration persistence (encrypted for sensitive values)
--- a/.cursor/rules/05-deployment-and-configuration.mdc
+++ b/.cursor/rules/05-deployment-and-configuration.mdc
@@ -5,27 +5,29 @@ alwaysApply: false
 ---
 # Deployment and Configuration
-## Environment Variables
+## Environment Variables (Minimal)
-The application is configured through environment variables, defined in [src/config/index.ts](mdc:src/config/index.ts):
+Only three infrastructure-level settings are read from environment variables. Everything else is managed through the Admin Dashboard Web UI:
- **Gitea Configuration**:
+- `PORT`: Server port (default: `5174`)
-  - `GITEA_API_URL`: Gitea API endpoint URL
+- `DATABASE_PATH`: SQLite database file path (optional, default: `./data/assistant.db`)
-  - `GITEA_ACCESS_TOKEN`: Access token for Gitea API
+- `MASTER_KEY_PATH`: Encryption master key file path (optional, default: `./data/master.key`)
- **LLM Provider Configuration**:
+## First-Boot Seeding
  - Configured exclusively through the Admin Dashboard Web UI
  - Supports OpenAI Compatible, OpenAI Responses API, Anthropic, Google Gemini
  - API keys stored encrypted (AES-256-GCM) in SQLite database
- **Server Configuration**:
+On first startup with an empty `system_settings` table, `configManager.seedDefaults()` automatically:
-  - `PORT`: Server port (default: 3000)
+- Generates `JWT_SECRET` and `WEBHOOK_SECRET` (64-char hex via `crypto.randomBytes(32)`)
-  - `WEBHOOK_SECRET`: Secret for webhook verification
+- Seeds all config fields with their default values
 - Sets `ADMIN_PASSWORD` to `password` (must be changed via Web UI)
- **Custom Prompts**:
+## Web UI Configuration
  - `CUSTOM_SUMMARY_PROMPT`: Custom prompt for summary reviews
  - `CUSTOM_LINE_COMMENT_PROMPT`: Custom prompt for line comments
 All runtime settings are managed through the Admin Dashboard at `http://your-server:PORT`:
 - Gitea connection (API URL, access token, admin token)
 - Security settings (webhook secret, admin password, JWT secret)
 - Review engine settings (engine mode, parallelism, file limits, confidence)
 - Feishu integration (webhook URL and secret)
 - Memory/learning features (Qdrant URL, enable flags)
 ## Deployment Options
 ### Local Development
@@ -48,7 +50,7 @@ The [Dockerfile](mdc:Dockerfile) provides containerization support:
 docker build -t gitea-assistant:latest .
 # Run the container
-docker run -p 3000:3000 --env-file .env gitea-assistant:latest
+docker run -p 3000:3000 -v ./data:/app/data -e PORT=3000 gitea-assistant:latest
 ```
 ### Kubernetes Deployment
@@ -58,12 +60,12 @@ The [kubernetes.yaml](mdc:k8s/gitea-assistant.yaml) file provides Kubernetes dep
 Deployment can be managed using:
 ```bash
 # Apply configuration
-kubectl apply -f kubernetes.yaml
+kubectl apply -k k8s/
 ```
 ### Webhook Setup
 Configure Gitea webhooks to point to the `/webhook/gitea` endpoint with:
 - Content type: application/json
- Secret: matching WEBHOOK_SECRET environment variable
+- Secret: matching the Webhook Secret configured in the Admin Dashboard
 - Events: Pull Request and Status events
--- a/docker-compose.e2e.yml
+++ b/docker-compose.e2e.yml
@@ -46,15 +46,15 @@ services:
      - NODE_ENV=production
      - GITEA_API_URL=http://gitea:3000/api/v1
      - GITEA_ACCESS_TOKEN=${E2E_GITEA_TOKEN:-placeholder}
      - FEISHU_WEBHOOK_URL=http://localhost:9999/noop
      - PORT=3000
-      - WEBHOOK_SECRET=e2e-test-secret
+    ports:
-      - REVIEW_ENGINE=agent
+      - "3334:3000"
-      - REVIEW_WORKDIR=/tmp/e2e-review
+    healthcheck:
-      - REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE=0.5
+      test: ["CMD", "curl", "-f", "http://localhost:3000/"]
-      - REVIEW_ENABLE_HUMAN_GATE=false
+      interval: 5s
-      - REVIEW_ALLOWED_COMMANDS=git,rg,cat,sed,wc
+      timeout: 3s
-      - REVIEW_COMMAND_TIMEOUT_MS=30000
+      retries: 10
      start_period: 5s
    ports:
      - "3334:3000"
    healthcheck:
--- a/e2e/seed.sh
+++ b/e2e/seed.sh
@@ -115,7 +115,45 @@ git commit -m "feat: add user handler"
 git push origin feature/add-user-handler 2>/dev/null
 popd > /dev/null
-echo "=== [5/6] 配置 Webhook ==="
+echo "=== [5/7] 配置 Assistant 设置 ==="
 ADMIN_DEFAULT_PASS="password"
 # Wait for assistant to be healthy
 for i in $(seq 1 20); do
  if curl -sf "${ASSISTANT_URL}/" > /dev/null 2>&1; then
    echo "  Assistant 已就绪"
    break
  fi
  echo "  等待 Assistant... ($i/20)"
  sleep 3
 done
 # Login to get JWT
 LOGIN_RESP=$(curl -sf -X POST "${ASSISTANT_URL}/admin/login" \
  -H "Content-Type: application/json" \
  -d "{\"password\": \"${ADMIN_DEFAULT_PASS}\"}" 2>/dev/null || true)
 ADMIN_JWT=$(echo "${LOGIN_RESP}" | python3 -c "import sys,json; print(json.load(sys.stdin).get('token',''))" 2>/dev/null || true)
 if [ -z "${ADMIN_JWT}" ]; then
  echo "  WARNING: 无法获取管理员 JWT，跳过 assistant 配置"
 else
  echo "  JWT 获取成功，配置 assistant 设置..."
  curl -sf -X PUT "${ASSISTANT_URL}/admin/config" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ADMIN_JWT}" \
    -d "{
      \"WEBHOOK_SECRET\": \"${WEBHOOK_SECRET}\",
      \"GITEA_API_URL\": \"http://gitea:3000/api/v1\",
      \"REVIEW_ENGINE\": \"agent\",
      \"REVIEW_WORKDIR\": \"/tmp/e2e-review\",
      \"REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE\": \"0.5\",
      \"REVIEW_ENABLE_HUMAN_GATE\": \"false\",
      \"REVIEW_ALLOWED_COMMANDS\": \"git,rg,cat,sed,wc\",
      \"REVIEW_COMMAND_TIMEOUT_MS\": \"30000\"
    }" > /dev/null 2>&1 && echo "  Assistant 配置完成" || echo "  WARNING: assistant 配置失败"
 fi
 echo "=== [6/7] 配置 Webhook ==="
 curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/hooks" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
@@ -129,8 +167,7 @@ curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/hooks" \
      \"secret\": \"${WEBHOOK_SECRET}\"
    }
  }" > /dev/null 2>&1 || echo "  Webhook 配置失败（可能已存在）"
-
+echo "=== [7/7] 创建 Pull Request ==="
 echo "=== [6/6] 创建 Pull Request ==="
 PR_RESPONSE=$(curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/pulls" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
--- a/k8s/gitea-assistant.yaml
+++ b/k8s/gitea-assistant.yaml
@@ -12,13 +12,8 @@ metadata:
    app.kubernetes.io/part-of: gitea-assistant
 type: Opaque
 data:
-  # REQUIRED: replace with your own base64-encoded values
+  # REQUIRED: replace with your own base64-encoded Gitea access token
  GITEA_ACCESS_TOKEN: eW91cl9naXRlYV90b2tlbg==
  WEBHOOK_SECRET: eW91cl93ZWJob29rX3NlY3JldA==
  ADMIN_PASSWORD: cGFzc3dvcmQ=
  # Optional
  # FEISHU_WEBHOOK_URL: ""
  # FEISHU_WEBHOOK_SECRET: ""
 ---
 apiVersion: v1
@@ -30,18 +25,13 @@ metadata:
    app.kubernetes.io/name: gitea-assistant
    app.kubernetes.io/part-of: gitea-assistant
 data:
  # Required: set to your Gitea instance API endpoint
  GITEA_API_URL: "http://localhost:3000/api/v1"
  PORT: "3000"
  # Optional: Qdrant vector DB for memory features (configure memory settings via Web UI)
  QDRANT_URL: "http://qdrant.gitea-assistant.svc.cluster.local:6333"
-  REVIEW_ENGINE: "legacy"
+  # All other settings (review engine, Feishu, admin password, etc.) are managed
-  REVIEW_WORKDIR: "/tmp/gitea-assistant"
+  # through the Admin Dashboard Web UI. They are auto-seeded on first boot.
  REVIEW_MAX_PARALLEL_RUNS: "2"
  REVIEW_MAX_FILES_PER_RUN: "200"
  REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE: "0.8"
  REVIEW_ENABLE_HUMAN_GATE: "true"
  ENABLE_MEMORY: "false"
  ENABLE_REFLECTION: "false"
  ENABLE_DEBATE: "false"
 ---
 apiVersion: apps/v1