chore(deploy): remove obsolete env vars from deployment configs

- docker-compose.e2e.yml: remove WEBHOOK_SECRET, REVIEW_* env vars (now configured via assistant API in seed.sh) - e2e/seed.sh: add step to configure assistant via Admin API after boot (login with default password, set webhook secret + review settings) - k8s/gitea-assistant.yaml: Secret now only contains GITEA_ACCESS_TOKEN; ConfigMap reduced to GITEA_API_URL, PORT, QDRANT_URL - cursor rules updated to document DB-first config architecture
2026-03-27 10:05:50 +00:00 · 2026-03-05 11:35:58 +08:00
parent 769517f7bf
commit 7ef35fa8ee
5 changed files with 81 additions and 48 deletions
--- a/.cursor/rules/03-tech-stack-and-dependencies.mdc
+++ b/.cursor/rules/03-tech-stack-and-dependencies.mdc
@@ -38,8 +38,12 @@ From [package.json](mdc:package.json):

 ## Environment Configuration

-The application uses a hybrid configuration approach:
+The application uses a **DB-first** configuration approach (Portainer model):

- **Environment variables** ([src/config/index.ts](mdc:src/config/index.ts)): Gitea settings, server config, webhook security, review engine params
- **Web UI + SQLite DB** ([src/db/](mdc:src/db)): LLM provider settings (API keys, models, endpoints) — managed via Admin Dashboard
- **bun:sqlite**: Embedded database for LLM configuration persistence
+- **Environment variables** (minimal, infrastructure-level only):
+  - `PORT`: Server port
+  - `DATABASE_PATH`: SQLite file path (optional, default: `./data/assistant.db`)
+  - `MASTER_KEY_PATH`: Encryption key path (optional, default: `./data/master.key`)
+- **Web UI + SQLite DB** ([src/db/](mdc:src/db)): All runtime config — Gitea, Feishu, webhook secret, admin password, review engine, memory settings — managed via Admin Dashboard
+- **First-boot seed**: `configManager.seedDefaults()` auto-generates secrets and seeds defaults on first run
+- **bun:sqlite**: Embedded database for all configuration persistence (encrypted for sensitive values)
--- a/.cursor/rules/05-deployment-and-configuration.mdc
+++ b/.cursor/rules/05-deployment-and-configuration.mdc
@@ -5,27 +5,29 @@ alwaysApply: false
 ---
 # Deployment and Configuration

-## Environment Variables
+## Environment Variables (Minimal)

-The application is configured through environment variables, defined in [src/config/index.ts](mdc:src/config/index.ts):
+Only three infrastructure-level settings are read from environment variables. Everything else is managed through the Admin Dashboard Web UI:

- **Gitea Configuration**:
-  - `GITEA_API_URL`: Gitea API endpoint URL
-  - `GITEA_ACCESS_TOKEN`: Access token for Gitea API
+- `PORT`: Server port (default: `5174`)
+- `DATABASE_PATH`: SQLite database file path (optional, default: `./data/assistant.db`)
+- `MASTER_KEY_PATH`: Encryption master key file path (optional, default: `./data/master.key`)

- **LLM Provider Configuration**:
-  - Configured exclusively through the Admin Dashboard Web UI
-  - Supports OpenAI Compatible, OpenAI Responses API, Anthropic, Google Gemini
-  - API keys stored encrypted (AES-256-GCM) in SQLite database
+## First-Boot Seeding

- **Server Configuration**:
-  - `PORT`: Server port (default: 3000)
-  - `WEBHOOK_SECRET`: Secret for webhook verification
+On first startup with an empty `system_settings` table, `configManager.seedDefaults()` automatically:
+- Generates `JWT_SECRET` and `WEBHOOK_SECRET` (64-char hex via `crypto.randomBytes(32)`)
+- Seeds all config fields with their default values
+- Sets `ADMIN_PASSWORD` to `password` (must be changed via Web UI)

- **Custom Prompts**:
-  - `CUSTOM_SUMMARY_PROMPT`: Custom prompt for summary reviews
-  - `CUSTOM_LINE_COMMENT_PROMPT`: Custom prompt for line comments
+## Web UI Configuration

+All runtime settings are managed through the Admin Dashboard at `http://your-server:PORT`:
+- Gitea connection (API URL, access token, admin token)
+- Security settings (webhook secret, admin password, JWT secret)
+- Review engine settings (engine mode, parallelism, file limits, confidence)
+- Feishu integration (webhook URL and secret)
+- Memory/learning features (Qdrant URL, enable flags)
 ## Deployment Options

 ### Local Development
@@ -48,7 +50,7 @@ The [Dockerfile](mdc:Dockerfile) provides containerization support:
 docker build -t gitea-assistant:latest .

 # Run the container
-docker run -p 3000:3000 --env-file .env gitea-assistant:latest
+docker run -p 3000:3000 -v ./data:/app/data -e PORT=3000 gitea-assistant:latest
 ```

 ### Kubernetes Deployment
@@ -58,12 +60,12 @@ The [kubernetes.yaml](mdc:k8s/gitea-assistant.yaml) file provides Kubernetes dep
 Deployment can be managed using:
 ```bash
 # Apply configuration
-kubectl apply -f kubernetes.yaml
+kubectl apply -k k8s/
 ```

 ### Webhook Setup

 Configure Gitea webhooks to point to the `/webhook/gitea` endpoint with:
 - Content type: application/json
- Secret: matching WEBHOOK_SECRET environment variable
+- Secret: matching the Webhook Secret configured in the Admin Dashboard
 - Events: Pull Request and Status events
--- a/docker-compose.e2e.yml
+++ b/docker-compose.e2e.yml
@@ -46,15 +46,15 @@ services:
      - NODE_ENV=production
      - GITEA_API_URL=http://gitea:3000/api/v1
      - GITEA_ACCESS_TOKEN=${E2E_GITEA_TOKEN:-placeholder}
-      - FEISHU_WEBHOOK_URL=http://localhost:9999/noop
      - PORT=3000
-      - WEBHOOK_SECRET=e2e-test-secret
-      - REVIEW_ENGINE=agent
-      - REVIEW_WORKDIR=/tmp/e2e-review
-      - REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE=0.5
-      - REVIEW_ENABLE_HUMAN_GATE=false
-      - REVIEW_ALLOWED_COMMANDS=git,rg,cat,sed,wc
-      - REVIEW_COMMAND_TIMEOUT_MS=30000
+    ports:
+      - "3334:3000"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 5s
    ports:
      - "3334:3000"
    healthcheck:
--- a/e2e/seed.sh
+++ b/e2e/seed.sh
@@ -115,7 +115,45 @@ git commit -m "feat: add user handler"
 git push origin feature/add-user-handler 2>/dev/null
 popd > /dev/null

-echo "=== [5/6] 配置 Webhook ==="
+echo "=== [5/7] 配置 Assistant 设置 ==="
+ADMIN_DEFAULT_PASS="password"
+
+# Wait for assistant to be healthy
+for i in $(seq 1 20); do
+  if curl -sf "${ASSISTANT_URL}/" > /dev/null 2>&1; then
+    echo "  Assistant 已就绪"
+    break
+  fi
+  echo "  等待 Assistant... ($i/20)"
+  sleep 3
+done
+
+# Login to get JWT
+LOGIN_RESP=$(curl -sf -X POST "${ASSISTANT_URL}/admin/login" \
+  -H "Content-Type: application/json" \
+  -d "{\"password\": \"${ADMIN_DEFAULT_PASS}\"}" 2>/dev/null || true)
+ADMIN_JWT=$(echo "${LOGIN_RESP}" | python3 -c "import sys,json; print(json.load(sys.stdin).get('token',''))" 2>/dev/null || true)
+
+if [ -z "${ADMIN_JWT}" ]; then
+  echo "  WARNING: 无法获取管理员 JWT，跳过 assistant 配置"
+else
+  echo "  JWT 获取成功，配置 assistant 设置..."
+  curl -sf -X PUT "${ASSISTANT_URL}/admin/config" \
+    -H "Content-Type: application/json" \
+    -H "Authorization: Bearer ${ADMIN_JWT}" \
+    -d "{
+      \"WEBHOOK_SECRET\": \"${WEBHOOK_SECRET}\",
+      \"GITEA_API_URL\": \"http://gitea:3000/api/v1\",
+      \"REVIEW_ENGINE\": \"agent\",
+      \"REVIEW_WORKDIR\": \"/tmp/e2e-review\",
+      \"REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE\": \"0.5\",
+      \"REVIEW_ENABLE_HUMAN_GATE\": \"false\",
+      \"REVIEW_ALLOWED_COMMANDS\": \"git,rg,cat,sed,wc\",
+      \"REVIEW_COMMAND_TIMEOUT_MS\": \"30000\"
+    }" > /dev/null 2>&1 && echo "  Assistant 配置完成" || echo "  WARNING: assistant 配置失败"
+fi
+
+echo "=== [6/7] 配置 Webhook ==="
 curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/hooks" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
@@ -129,8 +167,7 @@ curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/hooks" \
      \"secret\": \"${WEBHOOK_SECRET}\"
    }
  }" > /dev/null 2>&1 || echo "  Webhook 配置失败（可能已存在）"
-
-echo "=== [6/6] 创建 Pull Request ==="
+echo "=== [7/7] 创建 Pull Request ==="
 PR_RESPONSE=$(curl -sf -X POST "${GITEA_URL}/api/v1/repos/${ADMIN_USER}/${REPO_NAME}/pulls" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
--- a/k8s/gitea-assistant.yaml
+++ b/k8s/gitea-assistant.yaml
@@ -12,13 +12,8 @@ metadata:
    app.kubernetes.io/part-of: gitea-assistant
 type: Opaque
 data:
-  # REQUIRED: replace with your own base64-encoded values
+  # REQUIRED: replace with your own base64-encoded Gitea access token
  GITEA_ACCESS_TOKEN: eW91cl9naXRlYV90b2tlbg==
-  WEBHOOK_SECRET: eW91cl93ZWJob29rX3NlY3JldA==
-  ADMIN_PASSWORD: cGFzc3dvcmQ=
-  # Optional
-  # FEISHU_WEBHOOK_URL: ""
-  # FEISHU_WEBHOOK_SECRET: ""

 ---
 apiVersion: v1
@@ -30,18 +25,13 @@ metadata:
    app.kubernetes.io/name: gitea-assistant
    app.kubernetes.io/part-of: gitea-assistant
 data:
+  # Required: set to your Gitea instance API endpoint
  GITEA_API_URL: "http://localhost:3000/api/v1"
  PORT: "3000"
+  # Optional: Qdrant vector DB for memory features (configure memory settings via Web UI)
  QDRANT_URL: "http://qdrant.gitea-assistant.svc.cluster.local:6333"
-  REVIEW_ENGINE: "legacy"
-  REVIEW_WORKDIR: "/tmp/gitea-assistant"
-  REVIEW_MAX_PARALLEL_RUNS: "2"
-  REVIEW_MAX_FILES_PER_RUN: "200"
-  REVIEW_AUTO_PUBLISH_MIN_CONFIDENCE: "0.8"
-  REVIEW_ENABLE_HUMAN_GATE: "true"
-  ENABLE_MEMORY: "false"
-  ENABLE_REFLECTION: "false"
-  ENABLE_DEBATE: "false"
+  # All other settings (review engine, Feishu, admin password, etc.) are managed
+  # through the Admin Dashboard Web UI. They are auto-seeded on first boot.

 ---
 apiVersion: apps/v1