feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
Replaces the Python v1 (preserved on archive/python-v1 branch).
Stack: Go 1.23 + chi router + sqlx + MySQL 8. Distroless static
container. 12-factor config from env. Embedded SQL migrations.
Schema (internal/db/migrations/001_init.sql):
- topics: 议题 with 4-timestamp lifecycle (signup_open/close +
debate_start/end), visibility (default private), status state machine,
verdict_schema FK
- signups: agent self-enrollment with willing_camps (JSON array of
pro|con|judge), pre_validated audit flag, (topic,agent) unique
- camps: post-allocation lock (one row per topic+camp) — written by
Phase 2D allocator
- rounds + arguments: chronological debate transcript
- verdicts: judge structured output, one per topic, with token-cost
trail for future budgeting
- agent_keys + system_keys: peppered sha256 hashes, never raw
- verdict_schemas: seeded with binary, claim-resolution (for
analyze-intel), policy-recommendation, free-form
Auth (internal/auth):
- AgentAPIKey: real bearer-token middleware against agent_keys;
best-effort last_used_at touch on success
- OIDCBrowser: Phase 2 stub. Dev mode accepts x-dev-bypass header
(constant-time compare); prod 401s with a Phase-4-pending hint.
Real Keycloak JWKS verification lands with the frontend rewrite.
HTTP API (internal/httpapi):
- /api/healthz — db ping + version + uptime
- GET /api/topics — list with status/visibility/limit/offset filters;
anonymous callers see public only
- GET /api/topics/{id} — visibility-gated (private → 404 hide)
- POST /api/topics — create with RFC3339 lifecycle validation
(signup_open < signup_close <= debate_start < debate_end)
- PUT /api/topics/{id}/visibility — dialectic-admin role gate
- POST /api/topics/{id}/signups — agent self-enroll; rejects when
topic.status != signup_open OR outside signup window; idempotent
upsert per (topic, agent)
- GET /api/topics/{id}/signups — list (any authed caller)
Auth chains:
- optionalAuth: try bearer → try oidc → fall through anonymous
(handlers branch on Caller.Kind == ""). Uses captureWriter to demote
inner 401s to "try next" without leaking response bytes.
- requireAnyAuth: chain that 401s if neither succeeds.
- requireAgent: strict bearer-only (signup POST).
Run: `docker compose -f docker-compose.dev.yml up --build`. Migrations
auto-apply on first connect; idempotent on reboot. README documents
env vars, dev bypass usage, agent-key provisioning SQL, and the
Phase 2D/E/3/4/5 roadmap.
go vet clean, gofmt clean, single 11M static binary.
This commit is contained in:
141
internal/config/config.go
Normal file
141
internal/config/config.go
Normal file
@@ -0,0 +1,141 @@
|
||||
// Package config loads runtime configuration from environment variables.
|
||||
//
|
||||
// Conventions:
|
||||
// - 12-factor: every config knob is an env var; no config files.
|
||||
// - Sensible dev defaults for local docker-compose; prod sets via env.
|
||||
// - Sensitive values (DB password, system api key) are *required* in
|
||||
// prod; LoadFromEnv() fails fast if absent and ENV_MODE != "dev".
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
// "dev" | "prod". Dev relaxes required-field checks and enables a
|
||||
// dev-mode auth bypass token. Prod requires every sensitive field.
|
||||
Mode string
|
||||
|
||||
// HTTP server bind. e.g. "0.0.0.0:8090".
|
||||
HTTPAddr string
|
||||
|
||||
// CORS allowed origins (comma-separated; "*" allowed only in dev).
|
||||
CORSAllowOrigins []string
|
||||
|
||||
// MySQL DSN parts.
|
||||
DBHost string
|
||||
DBPort string
|
||||
DBName string
|
||||
DBUser string
|
||||
DBPassword string
|
||||
|
||||
// Auth.
|
||||
//
|
||||
// SystemAPIKey: Phase-1 system key for posting to announce channels
|
||||
// in Fabric. Mirrored here so Dialectic backend itself can post topic
|
||||
// announcements via Fabric's POST /channels/:id/messages with
|
||||
// x-fabric-system-key header.
|
||||
//
|
||||
// AgentAPIKeyPepper: HMAC pepper for hashing agent API keys at rest
|
||||
// (we store sha256(pepper || raw) not the raw key). Rotating the
|
||||
// pepper invalidates all keys — that's intentional, an emergency
|
||||
// kill switch.
|
||||
//
|
||||
// OIDCDevBypassToken: dev-mode only. If set AND Mode == "dev", a
|
||||
// browser request with header `x-dev-bypass: <token>` bypasses OIDC
|
||||
// and is treated as user "dev-operator" with role "dialectic-admin".
|
||||
// Prod ignores this even if set.
|
||||
SystemAPIKey string
|
||||
AgentAPIKeyPepper string
|
||||
OIDCDevBypassToken string
|
||||
|
||||
// OIDC issuer URL (Keycloak realm endpoint). e.g.
|
||||
// https://auth.hangman-lab.top/realms/hangman-lab
|
||||
// Phase 2C ships this as configured-but-not-verified; Phase 4 wires
|
||||
// real JWKS validation.
|
||||
OIDCIssuer string
|
||||
OIDCClientID string
|
||||
}
|
||||
|
||||
func LoadFromEnv() (*Config, error) {
|
||||
c := &Config{
|
||||
Mode: getenv("ENV_MODE", "dev"),
|
||||
HTTPAddr: getenv("HTTP_ADDR", "0.0.0.0:8090"),
|
||||
CORSAllowOrigins: splitCSV(getenv("CORS_ALLOW_ORIGINS", "*")),
|
||||
DBHost: getenv("DB_HOST", "127.0.0.1"),
|
||||
DBPort: getenv("DB_PORT", "3306"),
|
||||
DBName: getenv("DB_NAME", "dialectic"),
|
||||
DBUser: getenv("DB_USER", "dialectic"),
|
||||
DBPassword: os.Getenv("DB_PASSWORD"),
|
||||
SystemAPIKey: os.Getenv("SYSTEM_API_KEY"),
|
||||
AgentAPIKeyPepper: os.Getenv("AGENT_API_KEY_PEPPER"),
|
||||
OIDCDevBypassToken: os.Getenv("OIDC_DEV_BYPASS_TOKEN"),
|
||||
OIDCIssuer: os.Getenv("OIDC_ISSUER"),
|
||||
OIDCClientID: os.Getenv("OIDC_CLIENT_ID"),
|
||||
}
|
||||
|
||||
if c.Mode != "dev" && c.Mode != "prod" {
|
||||
return nil, fmt.Errorf("ENV_MODE must be dev|prod, got %q", c.Mode)
|
||||
}
|
||||
|
||||
if c.Mode == "prod" {
|
||||
var missing []string
|
||||
if c.DBPassword == "" {
|
||||
missing = append(missing, "DB_PASSWORD")
|
||||
}
|
||||
if c.AgentAPIKeyPepper == "" {
|
||||
missing = append(missing, "AGENT_API_KEY_PEPPER")
|
||||
}
|
||||
if c.OIDCIssuer == "" {
|
||||
missing = append(missing, "OIDC_ISSUER")
|
||||
}
|
||||
if c.OIDCClientID == "" {
|
||||
missing = append(missing, "OIDC_CLIENT_ID")
|
||||
}
|
||||
if len(missing) > 0 {
|
||||
return nil, fmt.Errorf("prod mode requires env: %s", strings.Join(missing, ", "))
|
||||
}
|
||||
// In prod, "*" CORS is never accepted.
|
||||
for _, o := range c.CORSAllowOrigins {
|
||||
if o == "*" {
|
||||
return nil, fmt.Errorf("prod mode forbids CORS_ALLOW_ORIGINS='*'")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func (c *Config) IsDev() bool { return c.Mode == "dev" }
|
||||
|
||||
func (c *Config) DSN() string {
|
||||
// MySQL DSN: user:pass@tcp(host:port)/dbname?params
|
||||
return fmt.Sprintf(
|
||||
"%s:%s@tcp(%s:%s)/%s?parseTime=true&charset=utf8mb4&collation=utf8mb4_unicode_ci",
|
||||
c.DBUser, c.DBPassword, c.DBHost, c.DBPort, c.DBName,
|
||||
)
|
||||
}
|
||||
|
||||
func getenv(key, fallback string) string {
|
||||
if v := os.Getenv(key); v != "" {
|
||||
return v
|
||||
}
|
||||
return fallback
|
||||
}
|
||||
|
||||
func splitCSV(s string) []string {
|
||||
if s == "" {
|
||||
return nil
|
||||
}
|
||||
parts := strings.Split(s, ",")
|
||||
out := make([]string, 0, len(parts))
|
||||
for _, p := range parts {
|
||||
p = strings.TrimSpace(p)
|
||||
if p != "" {
|
||||
out = append(out, p)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
Reference in New Issue
Block a user