docs: de-emphasize legacy contract wording

This commit is contained in:
Codex
2026-06-11 10:57:15 +00:00
parent 73d9c2332b
commit 9bf56ca5a3
4 changed files with 23 additions and 23 deletions
+7 -7
View File
@@ -9,10 +9,10 @@
- `scripts/src/gh.ts`UniDesk `gh` CLI 已经是 repo-native GitHub REST wrapper,优先读取 `GH_TOKEN`,其次读取 `GITHUB_TOKEN`,再 fallback 到系统 `gh auth token`。它不会打印 token 值,并已把 `missing-token``permission-denied``scope-insufficient``github-transient``network-proxy-failed``unsupported-command` 等失败结构化;其中 `github-transient` 是可重试的 GitHub DNS/API 连接失败,不等同于缺 token 或权限不足。
- `scripts/code-queue-pr-preflight-example.ts`:本地示例先检查 env token,再跑 `gh auth status``gh pr create --dry-run``gh pr comment --dry-run`。没有 env token 时该 workflow 直接失败。
- `src/components/microservices/code-queue/src/runtime-preflight.ts`D601 scheduler preflight 检查 `GH_TOKEN` / `GITHUB_TOKEN` 是否存在,用 curl/gh/git 探测 GitHub API、issue、PR、SSH 和可选 push dry-run。
- `scripts/src/code-queue.ts``codex pr-preflight` 把 runtime preflight 压缩为 runner 合同scheduler env token 与 active runner/dev container token 是独立 scope。缺少 scheduler env token 或 auth-broker 时输出 `failureKind=auth-missing``degradedReason=auth-broker-needed``runnerDisposition=infra-blocked`,并用 `authScopeSummary`/`scopeBoundary`/`recommendedActions` 明确这不等于当前 active runner 不能创建 PRactive task 内仍需用 repo-native `bun scripts/cli.ts gh auth status` 和 PR create dry-run 验证。
- `scripts/src/code-queue.ts``codex pr-preflight` 把 runtime preflight 压缩为 runner capability 摘要scheduler env token 与 active runner/dev container token 是独立 scope。缺少 scheduler env token 或 auth-broker 时输出 `failureKind=auth-missing``degradedReason=auth-broker-needed``runnerDisposition=infra-blocked`,并用 `authScopeSummary`/`scopeBoundary`/`recommendedActions` 明确这不等于当前 active runner 不能创建 PRactive task 内仍需用 repo-native `bun scripts/cli.ts gh auth status` 和 PR create dry-run 验证。
- `src/components/microservices/code-queue/src/index.ts``CODE_QUEUE_REMOTE_CODEX_ENV_KEYS` 默认包含 `GH_TOKEN``GITHUB_TOKEN``GH_HOST``GITHUB_API_URL``GH_REPO`,用于把 scheduler env 继续传给 provider dev container。这是凭证分发路径,不适合作为 P0 的唯一解。
- `src/components/microservices/code-queue/docker-compose.d601.yml`D601 Code Queue 从 `.state/code-queue-d601.env` 读取运行时环境,并配置 provider-gateway egress proxy。该文件不能承载本任务中的真实 secret 值。
- `src/components/microservices/code-queue/Dockerfile`runner 镜像已经包含 `git``gh``curl``jq``rg``cargo``rustc``rustfmt`,足够执行轻量 broker client、preflight 和 contract test;本 P0 不需要为了调研临时安装新系统包。
- `src/components/microservices/code-queue/Dockerfile`runner 镜像已经包含 `git``gh``curl``jq``rg``cargo``rustc``rustfmt`,足够执行轻量 broker client、preflight 和端到端 CLI 交互验证;本 P0 不需要为了调研临时安装新系统包。
Artifact registry / deploy 路径的问题不同:D601 registry 是 host loopback 的 artifact cache,标准 CD 先验证 commit-pinned manifest,再 pull/import/retag/rollout。P0 auth broker 不代理 Docker registry credential、不替代 provider-gateway Host SSH、不执行 deploy apply,也不解决 production registry 发布授权。
@@ -21,13 +21,13 @@ Artifact registry / deploy 路径的问题不同:D601 registry 是 host loopba
P0 只解决 GitHub REST 权限不应出现在普通 runner env 中的问题:
- 新增 Rust 单二进制服务 skeleton,路径为 `src/components/microservices/auth-broker`,工作名 `auth-broker`
- 新增 CLI adapter contract,入口为 `bun scripts/cli.ts auth-broker contract|health --dry-run|credential-request --dry-run|pr-preflight --dry-run`
- 新增 CLI adapter dry-run 形态,入口为 `bun scripts/cli.ts auth-broker contract|health --dry-run|credential-request --dry-run|pr-preflight --dry-run`
- 先只在 D601 dev 验证,入口只能是 k3s ClusterIP、backend-core/microservice 私有代理或 D601 loopback,不开放公网端口。
- broker 持有服务端 GitHub 凭证引用并调用 GitHub REST;runner 不接收、不读取、不打印 `GH_TOKEN` / `GITHUB_TOKEN`
- API 只接受结构化 operation,不接受 shell、argv、任意 URL 或原始 `gh api`
- P0 不实现真实 secret 存储、轮换、用户身份绑定、细粒度授权、production rollout 或 registry/deploy 凭证代理。
P0 可以让 Code Queue 并行推进,但必须把实现拆成互不冲突的 laneRust API skeleton、CLI client adapter、runtime-preflight contract、D601 dev manifest/dry-run、文档和 contract test。真实凭证配置、D601 dev Secret 创建、production 启用和 live write allowlist 需要人工确认。
P0 可以让 Code Queue 并行推进,但必须把实现拆成互不冲突的 laneRust API skeleton、CLI client adapter、runtime-preflight capability 摘要、D601 dev manifest/dry-run、文档和端到端 CLI 交互验证。真实凭证配置、D601 dev Secret 创建、production 启用和 live write allowlist 需要人工确认。
## API
@@ -41,11 +41,11 @@ The first skeleton lives at:
- `docker-compose.yml` service `auth-broker` behind Compose profile `auth-broker`
- `scripts/src/auth-broker.ts`
The skeleton intentionally does not read `GH_TOKEN` or `GITHUB_TOKEN`. It uses only redacted readiness configuration such as `AUTH_BROKER_GITHUB_CONFIGURED`, `AUTH_BROKER_GITHUB_CREDENTIAL_REF`, `AUTH_BROKER_ALLOWED_REPOS` and optional `AUTH_BROKER_AUDIT_LOG`. Real secret mounting is outside this contract.
The skeleton intentionally does not read `GH_TOKEN` or `GITHUB_TOKEN`. It uses only redacted readiness configuration such as `AUTH_BROKER_GITHUB_CONFIGURED`, `AUTH_BROKER_GITHUB_CREDENTIAL_REF`, `AUTH_BROKER_ALLOWED_REPOS` and optional `AUTH_BROKER_AUDIT_LOG`. Real secret mounting is outside this dry-run surface.
## P1 Source Registration
P1 keeps Auth Broker in source/contract/dry-run only:
P1 keeps Auth Broker in source and dry-run only:
- `config.json` registers stable microservice id `auth-broker` on `main-server`, private backend `http://auth-broker:4291`, health path `/health`, and allowed proxy prefixes `/health` plus `/v1/github/`.
- `docker-compose.yml` defines service `auth-broker` with `profiles: ["auth-broker"]`, `restart: "no"`, no public `ports`, and redacted env names only. Default `server start` does not select this profile, so this source registration must not change current production runtime.
@@ -219,7 +219,7 @@ All failures must include `message`, `requestId`, `failureKind`, `degradedReason
## CLI Adapter
The local runner adapter is a dry-run contract surface only:
The local runner adapter is a dry-run surface only:
```bash
bun scripts/cli.ts auth-broker contract