完善配置密钥治理与启动校验

- 为 configuration.py 增加环境变量占位符解析、配置归一化、脱敏快照与启动校验\n- 在 main.py 启动阶段接入配置校验日志，并在致命缺项时阻止进程继续启动\n- 新增 config.example.yaml，并将默认 config.yaml 改为安全占位模板，移除仓库内明文敏感信息\n- 调整 docker-entrypoint.sh 与文档，统一说明配置复制、环境变量注入与当前优化进展
2026-04-30 15:44:53 +08:00
parent cb99e94493
commit c6d72cbb69
8 changed files with 672 additions and 117 deletions
--- a/config.yaml
+++ b/config.yaml
@@ -1,64 +1,62 @@
+environment: "${ABOT_ENVIRONMENT:development}"
+plugin_dir: "${ABOT_PLUGIN_DIR:plugins}"
+
 db_config:
-  pool_name: "wechat_boot_pool"
-  pool_size: 10
-  host: "192.168.2.41"
-  prot: "3306"
-  user: "root"
-  password: "lw123456"
-  database: "message_archive"
-  charset: "utf8mb4"
+  pool_name: "${ABOT_DB_POOL_NAME:wechat_boot_pool}"
+  pool_size: "${ABOT_DB_POOL_SIZE:10}"
+  host: "${ABOT_DB_HOST:127.0.0.1}"
+  # 新配置统一使用 port；prot 仅作为历史兼容字段保留。
+  port: "${ABOT_DB_PORT:3306}"
+  prot: "${ABOT_DB_PORT:3306}"
+  user: "${ABOT_DB_USER:root}"
+  password: "${ABOT_DB_PASSWORD}"
+  database: "${ABOT_DB_NAME:message_archive}"
+  charset: "${ABOT_DB_CHARSET:utf8mb4}"
  use_unicode: true
  get_warnings: true
  pool_reset_session: true

 redis_config:
-  host: "192.168.2.40"
-  port: 6379
-  password: ""
-  db: 0
+  host: "${ABOT_REDIS_HOST:127.0.0.1}"
+  port: "${ABOT_REDIS_PORT:6379}"
+  password: "${ABOT_REDIS_PASSWORD:}"
+  db: "${ABOT_REDIS_DB:0}"
  decode_responses: true

-
 # 邮件发送配置
 email_config:
-  smtp_server: "smtp.163.com"
-  smtp_port: 465
-  sender_email: "bovine_liu@163.com"
-  sender_password: "CCWpEQzSdxQUqhDE"
-  alert_recipient: "bovine_liu@163.com"  # 警报邮件接收者
+  smtp_server: "${ABOT_EMAIL_SMTP_SERVER:smtp.163.com}"
+  smtp_port: "${ABOT_EMAIL_SMTP_PORT:465}"
+  sender_email: "${ABOT_EMAIL_SENDER:}"
+  sender_password: "${ABOT_EMAIL_PASSWORD:}"
+  alert_recipient: "${ABOT_EMAIL_ALERT_RECIPIENT:}"

 glances:
-  host: "192.168.2.170"
-  port: 61208
-
+  host: "${ABOT_GLANCES_HOST:127.0.0.1}"
+  port: "${ABOT_GLANCES_PORT:61208}"

 wx_config:
-  #微信管理账号，用于接收部分管理员指令
-  #菜单调整和系统更新
-  admin: [ "Jyunere" ]
+  # 微信管理账号，用于接收部分管理员指令。
+  admin: [ "${ABOT_WX_ADMIN:admin}" ]

 llm:
-  default_backend: "dify_workflow_chat"
+  default_backend: "${ABOT_LLM_DEFAULT_BACKEND:dify_workflow_chat}"
  backends:
    dify_workflow_chat:
      provider: "dify"
      mode: "workflow"
-      api_key: "app-u5EnYq3ill19bm6pWJwGkY4D"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_WORKFLOW_CHAT_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "workflows/run"
      response_mode: "blocking"
-      # 聊天工作流偶尔会超过 40 秒：
-      # 1. 原先 40 秒超时会导致客户端提前放弃；
-      # 2. 本地统一客户端默认又会自动重试，容易在 Dify 后台看到同一问题连续触发 3 次；
-      # 3. 这里把超时提高到 120 秒，并将重试次数收敛为 1，避免重复触发整条工作流。
      request_timeout: 120
      max_retries: 1
      retry_delay_seconds: 1.0
    dify_workflow_member_context:
      provider: "dify"
      mode: "workflow"
-      api_key: "app-b2cj03DipGCIAmgBfcx7SKsT"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_MEMBER_CONTEXT_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "workflows/run"
      workflow_output_key: "text"
      response_mode: "streaming"
@@ -66,8 +64,8 @@ llm:
    dify_workflow_message_summary:
      provider: "dify"
      mode: "workflow"
-      api_key: "app-shCA6bo5l2VDmnvhg2BtuJbk"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_MESSAGE_SUMMARY_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "workflows/run"
      workflow_output_key: "text"
      response_mode: "streaming"
@@ -75,38 +73,35 @@ llm:
    dify_workflow_douyu_daily_report:
      provider: "dify"
      mode: "workflow"
-      # 斗鱼日报专用工作流：请替换为你在 Dify 上创建的“斗鱼日报”应用 Key。
-      api_key: "app-S1oyi2udgIn197Vu0oOGUgAl"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_DOUYU_REPORT_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "workflows/run"
-      # 工作流最终输出字段建议固定为 text，便于统一客户端直接读取结果文本。
      workflow_output_key: "text"
      response_mode: "blocking"
-      # 斗鱼日报 payload 较大，适当提高超时时间，避免高峰时段超时回退。
      request_timeout: 240
    dify_chat_global_news:
      provider: "dify"
      mode: "chat"
-      api_key: "app-rhhKkbvHd2IAQoGX7xTzXZJj"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_GLOBAL_NEWS_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "chat-messages"
      response_mode: "blocking"
      request_timeout: 60
    openai_compatible_game_task:
      provider: "openai_compatible"
-      api_url: "https://ark.cn-beijing.volces.com/api/v3/chat/completions"
-      api_key: "b8586595-eb81-483d-8e91-a35cc789729e"
-      model: "doubao-1-5-lite-32k-250115"
+      api_url: "${ABOT_LLM_GAME_TASK_API_URL:https://api.example.com/v1/chat/completions}"
+      api_key: "${ABOT_LLM_GAME_TASK_API_KEY:}"
+      model: "${ABOT_LLM_GAME_TASK_MODEL:doubao-1-5-lite-32k-250115}"
      stream: false
      temperature: 0.2
      max_tokens: 1000
      timeout_seconds: 60
    openai_compatible_ai_auto_response:
      provider: "openai_compatible"
-      api_base_url: "http://192.168.2.240:3000/v1"
+      api_base_url: "${ABOT_LLM_AUTO_REPLY_API_BASE_URL:https://api.example.com/v1}"
      endpoint: "chat/completions"
-      api_key: "sk-hC6WMLAsTdItpywyrYdxT6pQ4E7NARGbUKuPWRH0zMheen9e"
-      model: "gpt-5.4"
+      api_key: "${ABOT_LLM_AUTO_REPLY_API_KEY:}"
+      model: "${ABOT_LLM_AUTO_REPLY_MODEL:gpt-5.4}"
      stream: true
      temperature: 0.35
      max_tokens: 120
@@ -116,35 +111,24 @@ llm:
    dify_workflow_ai_auto_response:
      provider: "dify"
      mode: "workflow"
-      api_key: "app-ukHWWGoleANS5aZVmx28UAQ4"
-      api_base_url: "http://192.168.2.240/v1"
+      api_key: "${ABOT_LLM_DIFY_AUTO_REPLY_API_KEY:}"
+      api_base_url: "${ABOT_LLM_DIFY_API_BASE_URL:http://127.0.0.1:8080/v1}"
      endpoint: "workflows/run"
      workflow_output_key: "result_json"
      response_mode: "blocking"
-      # 群聊自动回复强调时效性：
-      # 1. Dify 请求不能等太久，否则容易出现“过了场子再补回”的违和感；
-      # 2. 这里把单次请求超时收紧，并关闭重试，让过期消息尽快放弃。
      request_timeout: 15
      max_retries: 1
      retry_delay_seconds: 1.0
    openai_compatible_ai_gen_image:
      provider: "openai_compatible"
-      # AI 绘图专用网关：
-      # 1. 这里使用用户提供的 OpenAI 兼容服务地址；
-      # 2. 插件会在此 base_url 基础上请求 images/generations；
-      # 3. endpoint 保留为图片接口默认值，便于后续统一调整。
-      api_base_url: "https://freeapi.dgbmc.top/v1"
+      api_base_url: "${ABOT_LLM_IMAGE_API_BASE_URL:https://api.example.com/v1}"
      endpoint: "chat/completions"
-      api_key: "sk-2XccrBRsX8OmxqCEsZjdDRczhHNaAG7Mn88mNVL7Y0w0tx72"
-      # 图片模型默认使用 gpt-image-1；
-      # 若网关只支持其他模型，可后续直接在这里替换。
-      model: "gpt-image-2"
+      api_key: "${ABOT_LLM_IMAGE_API_KEY:}"
+      model: "${ABOT_LLM_IMAGE_MODEL:gpt-image-1}"
      stream: false
      timeout_seconds: 300
      max_retries: 2
      retry_delay_seconds: 1.0
-  # 场景路由层：插件建议优先使用 scene，而不是直接绑定 backend。
-  # 这样当模型或供应商切换时，只需要改这里，不需要逐个改插件配置。
  scenes:
    "chat.main": "dify_workflow_chat"
    "member.profile": "dify_workflow_member_context"