Your Name
2e0f6e29aa
fix(supply-api): restore uncached build health
2026-04-17 16:20:34 +08:00
Your Name
ad776e4079
fix: P0/P1 security fixes across gateway, token-runtime, and supply-api
...
P0 fixes:
- platform-token-runtime: Add store.Save() after Refresh token update (P0-3)
- platform-token-runtime: Add sync.RWMutex to InMemoryRuntimeStore (P0-4)
- platform-token-runtime: Add bearer token auth to /audit-events endpoint (P0-5)
- gateway: Fail startup in production if PASSWORD_ENCRYPTION_KEY uses default (P0-1)
- gateway: Require explicit CORS_ALLOW_ORIGINS in production (P0-2)
P1 fixes:
- gateway: Add TrustedProxies config field + env var GATEWAY_TRUSTED_PROXIES (P1-5)
- gateway: Sanitize X-Request-ID header to prevent log injection (P1-6)
- gateway: Strip internal error details from error responses to clients (P1-7)
- supply-api: Upgrade deriveDEK from trivial byte-rotation to HKDF-SHA256 (P1-1)
- supply-api: Reject HS256/HS384/HS512 in production, require RSA (P1-2)
Code quality fixes:
- supply-api: Add BruteForceMaxAttempts + BruteForceLockoutDuration to AuthConfig (MED-12)
- supply-api: Add TrustedProxies to token_auth_middleware (IP spoofing protection)
- supply-api: Use shared pathutil.SplitPath instead of duplicate splitPath
- supply-api: Fix query_key_reject_middleware call sites with trustedProxies param
- gateway: Wire TrustedProxies into AuthMiddlewareConfig and extractClientIP
- gateway: Add CORSAllowOrigins to AuthConfig, wire into CORSMiddleware
- gateway: Fix CompletionsHandle to have context and RecordResult like ChatCompletions
- gateway: Add sanitizeRequestID helper for X-Request-ID log injection prevention
- gateway: Add os import for PASSWORD_ENCRYPTION_KEY check
- gateway: Add strings import to handler.go for sanitizeRequestID
Environment issues documented in TEST_ENVIRONMENT_ISSUES.md
2026-04-17 14:36:02 +08:00
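The deriveDEK hardening listed under P1-1 above (trivial byte-rotation replaced by HKDF-SHA256), as an added illustration that is not the project's code. It assumes a hypothetical `deriveDEK(masterKey, scope)` signature and a constructed salt label; the HKDF helper is RFC 5869 written out over the standard library so the block runs without extra dependencies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 implements RFC 5869 extract-then-expand with HMAC-SHA256.
// Written out here so the example needs nothing beyond the standard library.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	if length > 255*sha256.Size {
		panic("hkdf: requested length exceeds 255*HashLen")
	}
	if salt == nil {
		salt = make([]byte, sha256.Size) // RFC 5869: default salt is HashLen zero bytes
	}
	// Extract: PRK = HMAC-SHA256(salt, IKM)
	mac := hmac.New(sha256.New, salt)
	mac.Write(ikm)
	prk := mac.Sum(nil)
	// Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), concatenated until length bytes
	var okm, prev []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// deriveDEK derives a 32-byte data-encryption key for one scope (tenant, purpose)
// from the master key. The scope goes into HKDF info, so keys for different scopes
// are cryptographically independent even though they share one master key.
// Hypothetical signature and salt label, not the project's own deriveDEK.
func deriveDEK(masterKey []byte, scope string) []byte {
	return hkdfSHA256(masterKey, []byte("supply-api/dek/v1"), []byte(scope), 32)
}

func main() {
	master := []byte("constructed-master-key-do-not-use") // constructed sample input
	fmt.Println(hex.EncodeToString(deriveDEK(master, "tenant:42")))
}
```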
Your Name
bf6fc09b88
refactor(cmd): main.go uses structured logging instead of the standard log package
...
1. Remove the standard library log import
2. Use jsonLogger to emit structured JSON logs
3. Add formatted logging methods (Infof, Errorf, Fatalf)
4. Fatalf now calls os.Exit(1)
Example log format:
{"timestamp":"...","level":"INFO","service":"supply-api","message":"starting supply-api in prod mode"}
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 07:46:52 +08:00
Your Name
789707e4f3
feat(logging): add slog-based structured logging support
...
1. Add slog_logger.go, implementing structured logging on top of Go 1.21+ slog
2. Support injection of standard fields such as trace_id, request_id, and tenant_id
3. Add the logging standardization refactoring design document
Recommend using Go's built-in log/slog; no third-party dependency is needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 07:41:37 +08:00
Your Name
90fc95bc27
fix(supply-api): add missing runtime support sources
...
Check in the healthcheck, structured logging, outbox broker, partition manager, and token status repository files that the committed supply-api runtime already imports. Verified with fresh go test runs for cmd/supply-api, internal/httpapi, internal/pkg/logging, internal/repository, and internal/outbox.
2026-04-11 09:45:37 +08:00