easyai-ai-gateway/.env.example
chengcheng 9efeb16fd1 feat(ssf): 实现安全事件一键连接与凭据托管
新增数据库驱动的 SecurityEventConnectionManager,复用 RFC 7662 机器 Client,自动完成 Discovery、Push Bearer 生成、Stream 创建、Verification、首次启用、零停机轮换和安全退役。

增加文件与 Kubernetes SecretStore、最小权限 RBAC、动态 Receiver/撤销水位/内省降级,以及系统设置管理页面。已通过全量 Go 测试、go vet、关键包竞态测试、27 个 Web 测试、类型检查、生产构建、Compose 和 Kubernetes dry-run。
2026-07-15 17:25:00 +08:00

92 lines
4.3 KiB
Plaintext

APP_ENV=development
HTTP_ADDR=:8088
# Reuse the same PostgreSQL 18 instance as Agent memory, but use an independent
# database. When running from the host, use the externally reachable host/port.
AI_GATEWAY_DATABASE_NAME=easyai_ai_gateway
AI_GATEWAY_DATABASE_URL=postgresql://easyai:easyai2025@localhost:5432/easyai_ai_gateway?sslmode=disable
# When running inside the EasyAI docker network, use the container DNS name:
# AI_GATEWAY_DATABASE_URL=postgresql://easyai:easyai2025@easyai-pgvector:5432/easyai_ai_gateway?schema=public
#
# If AI_GATEWAY_DATABASE_URL is omitted, the service can derive host/user/pass
# from MEMORY_DATABASE_URL but will still replace the database with
# AI_GATEWAY_DATABASE_NAME.
# MEMORY_DATABASE_URL=postgresql://easyai:easyai2025@easyai-pgvector:5432/easyai_memory?schema=public
# Keep this aligned with easyai-server-main CONFIG_JWT_SECRET in the first migration phase.
CONFIG_JWT_SECRET=this is a very secret secret
# Identity mode:
# - standalone: Gateway owns users, groups, login/API keys, wallet, recharge, and local billing.
# - server-main: server-main owns users/API keys/billing; Gateway stores synced users/groups for policy execution.
# - hybrid: both sources are accepted and separated by gateway_users.source.
IDENTITY_MODE=hybrid
# Auth Center stable OIDC verification. Keep legacy HS256 during the staged rollout.
OIDC_ENABLED=false
OIDC_ISSUER=https://auth.51easyai.com/issuer/shared
OIDC_AUDIENCE=https://api.51easyai.com/gateway
OIDC_TENANT_ID=
OIDC_ROLE_PREFIX=gateway.
OIDC_REQUIRED_SCOPES=gateway.access
OIDC_JWKS_CACHE_TTL_SECONDS=300
OIDC_ACCEPT_LEGACY_HS256=true
OIDC_INTROSPECTION_ENABLED=false
OIDC_INTROSPECTION_CLIENT_ID=
OIDC_INTROSPECTION_CLIENT_SECRET=
# SSF/CAEP is activated by the durable connection created in System Settings;
# there is no enable flag and no Push Bearer in environment variables.
AI_GATEWAY_PUBLIC_BASE_URL=http://localhost:8088
OIDC_SECURITY_EVENTS_SECRET_STORE=file
OIDC_SECURITY_EVENTS_SECRET_DIR=.local-secrets/ssf
# Kubernetes uses one pre-provisioned empty Secret and narrowly scoped RBAC.
# OIDC_SECURITY_EVENTS_SECRET_STORE=kubernetes
# OIDC_SECURITY_EVENTS_KUBERNETES_NAMESPACE=easyai
# OIDC_SECURITY_EVENTS_KUBERNETES_SECRET_NAME=easyai-gateway-security-events
# OIDC_SECURITY_EVENTS_KUBERNETES_API_SERVER=https://kubernetes.default.svc
OIDC_SECURITY_EVENTS_HEARTBEAT_INTERVAL_SECONDS=60
OIDC_SECURITY_EVENTS_STALE_AFTER_SECONDS=180
OIDC_SECURITY_EVENTS_CLOCK_SKEW_SECONDS=60
# Controlled JIT is opt-in. When enabled, bind the validated Auth Center tid to
# one existing active Gateway tenant; tokens never create Gateway tenants.
OIDC_JIT_PROVISIONING_ENABLED=false
OIDC_GATEWAY_TENANT_KEY=
OIDC_BROWSER_SESSION_ENABLED=true
# Staging/production must use true. Local HTTP development may use false.
OIDC_SESSION_COOKIE_SECURE=false
# Public Client ID generated by Auth Center Control Plane. No Client Secret is used.
OIDC_CLIENT_ID=
OIDC_REDIRECT_URI=http://localhost:8088/api/v1/auth/oidc/callback
OIDC_POST_LOGOUT_REDIRECT_URI=http://localhost:5178/
# Generate a dedicated value with: openssl rand -base64 32
# Keep the real value only in a Git-ignored local file or Secret Manager.
OIDC_SESSION_ENCRYPTION_KEY=
OIDC_SESSION_IDLE_TTL_SECONDS=1800
OIDC_SESSION_ABSOLUTE_TTL_SECONDS=28800
OIDC_SESSION_REFRESH_BEFORE_SECONDS=60
VITE_OIDC_BROWSER_SESSION_ENABLED=true
VITE_OIDC_ENABLED=false
AI_GATEWAY_WEB_BASE_URL=http://localhost:5178
AI_GATEWAY_WEB_BASE_PATH=/
AI_GATEWAY_GO_BUILD_IMAGE=golang:1.26.3-alpine
AI_GATEWAY_API_RUNTIME_IMAGE=alpine:3.22
AI_GATEWAY_NODE_BUILD_IMAGE=node:22-alpine
AI_GATEWAY_WEB_RUNTIME_IMAGE=nginx:1.27-alpine
# Used when the gateway delegates OpenAPI sk-* validation, user/group sync, file upload, and settlement callbacks.
SERVER_MAIN_BASE_URL=http://localhost:3000
SERVER_MAIN_INTERNAL_TOKEN=change-me
SERVER_MAIN_INTERNAL_KEY=gateway
SERVER_MAIN_INTERNAL_SECRET=change-me
# Gateway writes progress events locally, then calls this server-main endpoint.
# server-main receives the callback and pushes it through the existing WebSocket gateway.
TASK_PROGRESS_CALLBACK_ENABLED=true
TASK_PROGRESS_CALLBACK_URL=http://localhost:3000/internal/platform/task-progress-callbacks
TASK_PROGRESS_CALLBACK_TIMEOUT_MS=5000
TASK_PROGRESS_CALLBACK_MAX_ATTEMPTS=10
CORS_ALLOWED_ORIGIN=http://localhost:5178,http://127.0.0.1:5178
VITE_GATEWAY_API_BASE_URL=http://localhost:8088