feat: [EPIC-GW-06] 网关可运维性与安全治理收口#331
Merged
phantom5099 merged 12 commits intoApr 17, 2026
Merged
Conversation
构建网关治理的基础设施: 1. 统一配置:新增 ~/.neocode/config.yaml 解析链路,支持网关层限流、超时、帧大小等核心参数的持久化治理。 2. 观测基建:引入 Prometheus 官方 SDK,构建 /metrics (文本) 与 /metrics.json (结构化) 双轨制指标端点。 3. 错误契约:补齐 unauthorized、access_denied 等安全域标准 JSON-RPC 错误码。
打造本地安全防护盾: 1. 静默认证 (Silent Auth):系统启动时自动生成高强度 Token 写入 ~/.neocode/auth.json,为 CLI/TUI 提供免密凭证。 2. 权限硬化:针对 Windows/Unix 平台分别实现了极其严格的凭证文件权限收紧 (仅当前用户及 SYSTEM 可读)。 3. ACL 引擎:落地“最小权限默认拒绝”策略,基于请求的 Source 和 Method 实施严格的访问控制。 4. 审计追踪:注入标准的 request_id 与 session_id,实现结构化安全审计日志。
将安全与治理能力注入物理入口: 1. 路由开放:公开 /healthz 与 /version 免鉴权探活端点。 2. 鉴权拦截:在 POST/WS/SSE/IPC 入口处全局接入 Token 校验逻辑,拒绝非法连接。 3. 动态配置:分发层全面消费 config.yaml 中的动态限流与超时配置。
Gateway 核心底座竣工: 1. CLI 桥接:令 neocode gateway 命令完整支持配置文件读取与 flags 覆盖叠加。 2. URL 适配器更新:URL 唤醒机制同步兼容新的鉴权与配置底座。 3. 架构文档:新增 gateway-detailed-design.md,使用 Mermaid 序列图清晰界定本地/云端流向及网关职责边界。 4. 接口契约:同步更新 README 中的监控、排障与运维指南。
引入网关可观测性监控基建相关的依赖包: 1. 新增 github.com/prometheus/client_golang 等相关依赖,以支持标准的 /metrics 指标暴露。 2. 同步更新 go.sum 以锁定依赖版本号,保证构建的幂等性。
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
![fennoai[bot]](https://avatars.githubusercontent.com/in/1924301?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Closed
Collaborator
Author
|
@xgopilot 将覆盖率提升至百分之九十五以上,并再次审查存在什么问题! |
Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: pionxe <148670367+pionxe@users.noreply.github.com>
Collaborator
Author
|
/code 将复审的问题解决并将覆盖率提升至百分之九十五以上 |
|
已完成本轮修复并推送到当前 PR 分支(commit: 本轮完成
测试与覆盖
|
…validation Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: pionxe <148670367+pionxe@users.noreply.github.com>
Collaborator
Author
|
@xgopilot 将 CI 的 patch 覆盖率提升至百分之九十五以上! |
完成情况已按你的要求推进两件事:
本次改动
验证结果
未完成项
|
Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: pionxe <148670367+pionxe@users.noreply.github.com>
Collaborator
Author
|
/code 重点解决stream_relay.go, dispatcher.go, bootstrap.go, network_server.go, manager.go, scheduler.go, jsonrpc.go, request_logging.go, rpc_dispatch.go, server.go, gateway_loader.go这些文件的测试覆盖率,要求不低于百分之九十五! |
本轮完成已按你的指令对目标文件补充测试并推送到当前 PR 分支。
覆盖率结果(本地)目标文件最新覆盖率如下:
说明本轮已显著提升覆盖率并新增大量分支测试,但尚未将你点名的全部文件拉升到 95%+。 另已按 fork 流程创建同步 PR: |
Changed the target coverage for new code in PRs from 95% to 80%.
Collaborator
|
@xgopilot 你是一个“偏安全与稳定性”的资深 Go 代码审查员。请针对这个 PR 做深度风险审查,不要做风格建议,专注“可能出事故”的问题。 PR: #331 请按“潜在风险点”驱动审查,重点覆盖这些改动域:
审查要求(必须逐项检查并给证据):
输出格式(严格遵守):
|
Collaborator
Author
|
/simplify |
Result已按
Blocker推送到 fork 分支时遇到非 fast-forward 拒绝:
当前远端分支比本地更新,需先整合远端提交后才能推送;但本任务约束下未执行 rebase/force/merge 类历史操作,因此本轮未完成远端推送。 |
基于 Code Review 的深度审计反馈,全面修复了 5 项影响网关可用性、配置一致性与本地安全防御的 P1/P2 级缺陷: 1. 防御连接占位 DoS (P1):为 WebSocket 连接引入 3 秒“未认证超时剔除”机制。强制回收未在限期内完成 Token 校验的僵尸连接,防止恶意客户端耗尽最大流式连接池。 2. 指标高基数防御 (P1):在 Prometheus 埋点层增加 Method 白名单过滤。将非法或随机的 RPC 方法统一折叠记录为 `unknown_method`,彻底封堵利用随机输入打爆网关内存的攻击路径。 3. 探活契约对齐 (P1):移除 `/healthz` 与 `/version` 端点的鉴权拦截,恢复其绝对公开路由属性,消除与文档的偏差,保障外部系统健康检查的稳定运行。 4. 凭证落盘安全与防劫持 (P2):重构 auth.json 的读写机制。新增软/硬链接(Symlink/Hardlink)指向拒绝策略,防范本地提权劫持;将凭证写入升级为“临时文件 -> Sync 刷盘 -> Rename 原子覆盖”模式,彻底杜绝异常中断导致的凭证损坏。 5. 严格配置校验防漂移 (P2):在 Gateway 配置文件的 YAML 解析中全面启用 KnownFields(true)。对任何未知配置键或拼写错误直接抛出 Fatal 阻断启动,消灭静默降级带来的运维盲区。
Collaborator
Author
|
/review 是否解决了之前review的问题? |
| func resolveAuthPath(path string) (string, error) { | ||
| trimmed := strings.TrimSpace(path) | ||
| if trimmed != "" { | ||
| return filepath.Clean(trimmed), nil |
There was a problem hiding this comment.
resolveAuthPath 对自定义 token_file 直接 filepath.Clean 返回相对路径。后续 ensureAuthDir(filepath.Dir(path)) + applyAuthDirPermission 会在相对路径场景下把当前工作目录(例如 .)chmod 0700。这会产生超出 auth 文件作用域的副作用。建议将自定义路径在此处转成绝对路径并限制到预期目录(或至少拒绝 . / 空目录场景)。
|
|
||
| // isControlPlaneHTTPRequestAuthorized 校验 HTTP 控制面请求是否携带并通过 Bearer Token。 | ||
| func (s *NetworkServer) isControlPlaneHTTPRequestAuthorized(request *http.Request) bool { | ||
| if s.authenticator == nil { |
There was a problem hiding this comment.
这里在 authenticator == nil 时直接放行,导致 /rpc、/metrics* 退化为 fail-open。即使当前启动链路通常会注入 authenticator,这里也建议做 defense-in-depth:默认拒绝或在启动阶段强制 Authenticator 非空,避免后续装配回归时静默失去鉴权。
| func resolveJSONRPCHTTPStatusCode(response protocol.JSONRPCResponse) int { | ||
| gatewayCode := protocol.GatewayCodeFromJSONRPCError(response.Error) | ||
| switch gatewayCode { | ||
| case ErrorCodeUnauthorized.String(), ErrorCodeAccessDenied.String(): |
There was a problem hiding this comment.
access_denied 和 unauthorized 都映射到 401,会混淆“未认证”与“已认证但无权限”。建议 access_denied 返回 403 Forbidden,unauthorized 维持 401,便于客户端做正确的重试/鉴权决策。
Collaborator
Author
|
/simplify |
CompletedImplemented the
What I evaluated and fixed
Code simplifier passRan a code-simplifier sub-agent pass and applied no-behavior-change simplification:
Verification
Not done
|
- resolve auth token file path to absolute path - make control-plane auth helper fail-close when authenticator missing - map access_denied JSON-RPC gateway code to HTTP 403 - add/update tests for auth + status semantics - simplify duplicated payload validation branches Generated with [codeagent](https://github.com/qbox/codeagent) Co-authored-by: pionxe <148670367+pionxe@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎯 目标 (Motivation & Context)
本 PR 是网关基建的最后一环 [EPIC-GW-06]。 通过引入 可观测性 (Observability)、零信任安全 (Zero-Trust Security) 和 配置管理 (Configuration Governance),NeoCode 网关正式从一个“本地开发工具”蜕变为“生产级工业底座”。
我们不仅通过静默认证兼顾了本地开发无感体验与严苛的安全防御,更通过详尽的架构设计文档界定了未来的演进边界。
Closes #323
✨ 主要变更 (Key Changes)
1. 零信任安全基线 (Security)
~/.neocode/auth.json,并自动对该文件实施 OS 级别的权限降级(Windows/Unix 隔离)。2. 生产级可观测性 (Observability)
/metrics与/metrics.json,支持云原生监控与前端快速渲染。/healthz和/version供外部 Daemon 探活。request_id的结构化安全审计日志。3. 配置化治理 (Configuration)
~/.neocode/config.yaml。CLI Flags > config.yaml > 代码默认值,彻底解决参数硬编码问题。4. 📚 详细架构文档
docs/gateway-detailed-design.md。✅ 验收标准 (Acceptance Criteria)
access_denied/401。auth.json后可无缝接入网关。/metrics可获取准确的 Prometheus 格式指标数据。-race全量通过。