feat(server): hot-reload config store and reloadable infra clients

- Replace single Load() with a watching Store that re-reads config files
  (and config.local.yaml) and fans out a ReloadEvent with a per-field diff
  so consumers can decide whether the change is hot-applicable or requires
  a process restart.
- Wrap llm, retrieval, vector store, and object storage clients in
  Reloadable* shells so the bootstrap can swap their underlying impls when
  config changes without re-instantiating handlers.
- Make jwt.Manager and ops TokenIssuer mutable under a lock so secrets and
  TTLs can be rotated live; thread default plan code through a setter on
  the ops AdminUserService.
- Wire ConfigStore through bootstrap and every cmd/main.go, scheduler /
  worker / tenant-api / ops-api start the watcher; services and handlers
  take a config.Provider so they always read current values for things
  like generation.stream_enabled, scheduler dispatch, retrieval, etc.
- Switch shared/config decoding off viper to a Kratos-derived runtime
  package so env placeholders (\${VAR:default}) resolve consistently and
  the same source machinery powers both the loader and the watcher.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-01 16:01:23 +08:00
parent ce2d8a2907
commit 618399f86d
61 changed files with 3186 additions and 496 deletions
@@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/geo-platform/tenant-api/internal/bootstrap"
"github.com/geo-platform/tenant-api/internal/shared/config"
"github.com/geo-platform/tenant-api/internal/tenant/repository"
)
@@ -50,10 +51,9 @@ func TestAssetHandlerServeDesktop_AllowsStaleSignedTenantAsset(t *testing.T) {
objectKey := "tenants/7/images/test.webp"
storage := &fakeAssetObjectStorage{content: mustDecodeBase64(t, "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAwMCAO+/p9sAAAAASUVORK5CYII=")}
handler := &AssetHandler{
secret: "current-secret",
app: &bootstrap.App{ObjectStorage: storage},
app: testAssetApp(storage, "current-secret"),
}
staleToken := (&AssetHandler{secret: "old-secret"}).signObjectKey(objectKey)
staleToken := testSignedAssetToken(objectKey, "old-secret")
router := gin.New()
router.GET("/api/desktop/content/assets/:token", func(c *gin.Context) {
@@ -76,10 +76,9 @@ func TestAssetHandlerServeDesktop_RejectsOtherTenantAsset(t *testing.T) {
storage := &fakeAssetObjectStorage{content: []byte("not used")}
handler := &AssetHandler{
secret: "current-secret",
app: &bootstrap.App{ObjectStorage: storage},
app: testAssetApp(storage, "current-secret"),
}
token := (&AssetHandler{secret: "old-secret"}).signObjectKey("tenants/8/images/test.webp")
token := testSignedAssetToken("tenants/8/images/test.webp", "old-secret")
router := gin.New()
router.GET("/api/desktop/content/assets/:token", func(c *gin.Context) {
@@ -105,3 +104,15 @@ func mustDecodeBase64(t *testing.T, value string) []byte {
}
return data
}
func testAssetApp(storage *fakeAssetObjectStorage, secret string) *bootstrap.App {
store, err := config.NewStaticStore(&config.Config{JWT: config.JWTConfig{Secret: secret}})
if err != nil {
panic(err)
}
return &bootstrap.App{ConfigStore: store, ObjectStorage: storage}
}
func testSignedAssetToken(objectKey, secret string) string {
return (&AssetHandler{app: testAssetApp(nil, secret)}).signObjectKey(objectKey)
}