feat(server): hot-reload config store and reloadable infra clients

- Replace single Load() with a watching Store that re-reads config files
  (and config.local.yaml) and fans out a ReloadEvent with a per-field diff
  so consumers can decide whether the change is hot-applicable or requires
  a process restart.
- Wrap llm, retrieval, vector store, and object storage clients in
  Reloadable* shells so the bootstrap can swap their underlying impls when
  config changes without re-instantiating handlers.
- Make jwt.Manager and ops TokenIssuer mutable under a lock so secrets and
  TTLs can be rotated live; thread default plan code through a setter on
  the ops AdminUserService.
- Wire ConfigStore through bootstrap and every cmd/main.go, scheduler /
  worker / tenant-api / ops-api start the watcher; services and handlers
  take a config.Provider so they always read current values for things
  like generation.stream_enabled, scheduler dispatch, retrieval, etc.
- Switch shared/config decoding off viper to a Kratos-derived runtime
  package so env placeholders (\${VAR:default}) resolve consistently and
  the same source machinery powers both the loader and the watcher.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-01 16:01:23 +08:00
parent ce2d8a2907
commit 618399f86d
61 changed files with 3186 additions and 496 deletions
+34 -5
View File
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"strings"
"sync"
"time"
"github.com/golang-jwt/jwt/v5"
@@ -26,15 +27,31 @@ type OperatorClaims struct {
}
type TokenIssuer struct {
mu sync.RWMutex
secret []byte
accessTTL time.Duration
}
func NewTokenIssuer(secret string, accessTTL time.Duration) *TokenIssuer {
return &TokenIssuer{secret: []byte(secret), accessTTL: accessTTL}
issuer := &TokenIssuer{}
issuer.Update(secret, accessTTL)
return issuer
}
func (t *TokenIssuer) AccessTTL() time.Duration { return t.accessTTL }
func (t *TokenIssuer) Update(secret string, accessTTL time.Duration) {
if t == nil {
return
}
t.mu.Lock()
defer t.mu.Unlock()
t.secret = []byte(secret)
t.accessTTL = accessTTL
}
func (t *TokenIssuer) AccessTTL() time.Duration {
_, accessTTL := t.snapshot()
return accessTTL
}
type IssuedToken struct {
AccessToken string
@@ -42,8 +59,9 @@ type IssuedToken struct {
}
func (t *TokenIssuer) Issue(operator *domain.OperatorAccount) (*IssuedToken, error) {
secret, accessTTL := t.snapshot()
now := time.Now()
exp := now.Add(t.accessTTL)
exp := now.Add(accessTTL)
claims := OperatorClaims{
OperatorID: operator.ID,
Username: operator.Username,
@@ -56,7 +74,7 @@ func (t *TokenIssuer) Issue(operator *domain.OperatorAccount) (*IssuedToken, err
ExpiresAt: jwt.NewNumericDate(exp),
},
}
signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(t.secret)
signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(secret)
if err != nil {
return nil, fmt.Errorf("sign ops token: %w", err)
}
@@ -64,11 +82,12 @@ func (t *TokenIssuer) Issue(operator *domain.OperatorAccount) (*IssuedToken, err
}
func (t *TokenIssuer) Parse(raw string) (*OperatorClaims, error) {
secret, _ := t.snapshot()
token, err := jwt.ParseWithClaims(raw, &OperatorClaims{}, func(tok *jwt.Token) (any, error) {
if _, ok := tok.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", tok.Header["alg"])
}
return t.secret, nil
return secret, nil
})
if err != nil {
return nil, err
@@ -83,6 +102,16 @@ func (t *TokenIssuer) Parse(raw string) (*OperatorClaims, error) {
return claims, nil
}
func (t *TokenIssuer) snapshot() ([]byte, time.Duration) {
if t == nil {
return nil, 0
}
t.mu.RLock()
defer t.mu.RUnlock()
secret := append([]byte(nil), t.secret...)
return secret, t.accessTTL
}
type AuthService struct {
accounts *repository.AccountRepository
audits *AuditService