@atomservice/config 0.1.15 → 0.1.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atomservice/config",
-  "version": "0.1.15",
+  "version": "0.1.17",
   "description": "配置中心原子服务：基于 Bun 的高性能配置管理服务",
   "type": "module",
   "author": "openorson",
@@ -29,9 +29,9 @@
     ".": "./src/index.ts"
   },
   "dependencies": {
-    "@atomservice/gateway": "0.1.15"
+    "@atomservice/gateway": "0.1.17"
   },
   "peerDependencies": {
-    "@atomservice/core": "0.1.15"
+    "@atomservice/core": "0.1.17"
   }
 }

package/server/Containerfile

@@ -1,15 +1,12 @@
 # syntax=docker/dockerfile:1
 
-# ── Stage 1: Build standalone binary ─────────────────────────────────────────
 FROM oven/bun:1 AS builder
 WORKDIR /build
 
-# Install dependencies first (cache layer)
 ARG NPM_REGISTRY=https://registry.npmjs.org
 COPY package.json ./
 RUN bun install --registry ${NPM_REGISTRY}
 
-# Copy source and compile
 COPY tsconfig.json ./
 COPY src/ ./src/
 RUN bun build --compile --minify --sourcemap --bytecode \
@@ -17,34 +14,28 @@ RUN bun build --compile --minify --sourcemap --bytecode \
     ./src/main.ts \
     --outfile ./dist/config-server
 
-# ── Stage 2: Minimal runtime image ───────────────────────────────────────────
 FROM debian:bookworm-slim
 
-# Optionally switch apt mirror (pass --build-arg APT_MIRROR=mirrors.aliyun.com for China)
 ARG APT_MIRROR=deb.debian.org
 RUN if [ "${APT_MIRROR}" != "deb.debian.org" ]; then \
       sed -i "s|deb.debian.org|${APT_MIRROR}|g" /etc/apt/sources.list.d/debian.sources; \
     fi
 
-# Install curl for HEALTHCHECK (binary is ~100MB anyway, curl adds negligible overhead)
 RUN apt-get update \
     && apt-get install -y --no-install-recommends curl \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
-# Copy compiled binary
 COPY --from=builder /build/dist/config-server ./config-server
 
-# Prepare data directory (mount a volume here for persistence)
 RUN mkdir -p /data
 
 ENV CONFIG_DB_PATH=/data/config.db
 VOLUME ["/data"]
-EXPOSE 4000
+EXPOSE 52010
 
-# Health check against /v1/health; respects CONFIG_PORT if overridden
 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
-    CMD curl -sf http://localhost:${CONFIG_PORT:-4000}/v1/health
+    CMD curl -sf http://localhost:52010/v1/health
 
 CMD ["./config-server"]

package/server/src/db/migrations.ts

@@ -114,9 +114,9 @@ export const migrations: Migration[] = [
     `,
   },
   {
-    id: "008_app_tokens",
+    id: "008_access_tokens",
     up: `
-      CREATE TABLE "AppToken" (
+      CREATE TABLE "AccessToken" (
         "id"            TEXT PRIMARY KEY,
         "appId"         TEXT NOT NULL REFERENCES "App"("id") ON DELETE CASCADE,
         "environmentId" TEXT NOT NULL REFERENCES "Environment"("id") ON DELETE CASCADE,
@@ -128,7 +128,7 @@ export const migrations: Migration[] = [
         "createdBy"     TEXT NOT NULL REFERENCES "User"("id"),
         "createdAt"     INTEGER NOT NULL DEFAULT (unixepoch())
       );
-      CREATE INDEX app_token_lookup_idx ON "AppToken"("appId", "environmentId");
+      CREATE INDEX access_token_lookup_idx ON "AccessToken"("appId", "environmentId");
     `,
   },
 ]

package/server/src/db/types.ts

@@ -87,7 +87,7 @@ export interface ReleaseRow {
   createdAt: number
 }
 
-export interface AppTokenRow {
+export interface AccessTokenRow {
   id: string
   appId: string
   environmentId: string

package/server/src/main.ts

@@ -1,7 +1,7 @@
 import { closeDb, migrate, openDb } from "./db/client.ts"
 import { routes } from "./http/router.ts"
 import { bootstrapAdmin } from "./shared/bootstrap.ts"
-import { getEnv, validateEnv } from "./shared/env.ts"
+import { validateEnv } from "./shared/env.ts"
 
 async function main(): Promise<void> {
   validateEnv()
@@ -12,17 +12,15 @@ async function main(): Promise<void> {
 
   await bootstrapAdmin()
 
-  const port = getEnv().port
-
   const server = Bun.serve({
-    port,
+    port: 52010,
     routes,
     fetch() {
       return Response.json({ error: { code: "not_found", message: "未找到该接口" } }, { status: 404 })
     },
   })
 
-  console.log(`config-server 已启动 http://localhost:${server.port}`)
+  console.log(`原子配置服务 已启动 http://localhost:${server.port}`)
 
   const shutdown = () => {
     server.stop()

package/server/src/modules/app.ts

@@ -76,6 +76,14 @@ async function updateApp(req: Request): Promise<Response> {
   return ok({ app: publicApp(updated) })
 }
 
+function getApp(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+  const app = findApp(project.id, param(req, "app"))
+  return ok({ app: publicApp(app) })
+}
+
 function deleteApp(req: Request): Response {
   const user = requireUser(req)
   const project = findProject(param(req, "project"))
@@ -95,6 +103,6 @@ function getSchema(req: Request): Response {
 
 export const appRoutes = {
   "/v1/projects/:project/apps": { GET: route(listApps), POST: route(createApp) },
-  "/v1/projects/:project/apps/:app": { PATCH: route(updateApp), DELETE: route(deleteApp) },
+  "/v1/projects/:project/apps/:app": { GET: route(getApp), PATCH: route(updateApp), DELETE: route(deleteApp) },
   "/v1/projects/:project/apps/:app/schema": { GET: route(getSchema) },
 }

package/server/src/modules/env.ts

@@ -70,6 +70,14 @@ async function updateEnv(req: Request): Promise<Response> {
   return ok({ environment: publicEnv(updated) })
 }
 
+function getEnv(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+  const env = findEnv(project.id, param(req, "env"))
+  return ok({ environment: publicEnv(env) })
+}
+
 function deleteEnv(req: Request): Response {
   const user = requireUser(req)
   const project = findProject(param(req, "project"))
@@ -82,5 +90,5 @@ function deleteEnv(req: Request): Response {
 
 export const envRoutes = {
   "/v1/projects/:project/envs": { GET: route(listEnvs), POST: route(createEnv) },
-  "/v1/projects/:project/envs/:env": { PATCH: route(updateEnv), DELETE: route(deleteEnv) },
+  "/v1/projects/:project/envs/:env": { GET: route(getEnv), PATCH: route(updateEnv), DELETE: route(deleteEnv) },
 }

package/server/src/modules/inspect.ts

@@ -3,7 +3,7 @@ import type { AppRow, EnvironmentRow, ReleaseRow } from "../db/types.ts"
 import { ok, param, route } from "../http/response.ts"
 import { requireProjectRole, requireUser } from "../shared/auth.ts"
 import { findProject } from "../shared/resolve.ts"
-import { publicApp, publicEnv, publicProject, publicRelease } from "../shared/serialize.ts"
+import { publicApp, publicEnv, publicProject, publicReleaseDetail } from "../shared/serialize.ts"
 
 function inspectProject(req: Request): Response {
   const user = requireUser(req)
@@ -42,14 +42,14 @@ function inspectProject(req: Request): Response {
     envRows = envRows.filter((e) => slugs.has(e.slug))
   }
 
-  const releases: Array<{ app: string; env: string; releases: ReturnType<typeof publicRelease>[] }> = []
+  const releases: Array<{ app: string; env: string; releases: ReturnType<typeof publicReleaseDetail>[] }> = []
   for (const app of appRows) {
     for (const env of envRows) {
       const rows = db
         .query(`SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC LIMIT ?`)
         .all(app.id, env.id, limit) as ReleaseRow[]
       if (rows.length > 0) {
-        releases.push({ app: app.slug, env: env.slug, releases: rows.map((r) => publicRelease(r, true)) })
+        releases.push({ app: app.slug, env: env.slug, releases: rows.map((r) => publicReleaseDetail(r, true)) })
       }
     }
   }

package/server/src/modules/release.ts

@@ -6,8 +6,8 @@ import { assertEnvAccess, requireAppPrincipal, requireProjectRole, requireUser }
 import { validateAgainstSchema } from "../shared/jsonschema.ts"
 import { findApp, findEnv, findProject } from "../shared/resolve.ts"
 import { bumpSemver, diffChangeKind } from "../shared/semver.ts"
-import { publicRelease } from "../shared/serialize.ts"
-import { isAppToken, isHumanToken, verifyAppToken, verifyHumanToken } from "../shared/token.ts"
+import { publicRelease, publicReleaseDetail } from "../shared/serialize.ts"
+import { isAccessToken, isHumanToken, verifyAccessToken, verifyHumanToken } from "../shared/token.ts"
 import type { AuthUser } from "../shared/types.ts"
 import { isPlainObject, newId } from "../shared/utils.ts"
 
@@ -39,7 +39,7 @@ interface Target {
   project: ProjectRow
   app: AppRow
   env: EnvironmentRow
-  appToken: boolean
+  accessToken: boolean
 }
 
 function authorizeRead(req: Request): Target {
@@ -50,18 +50,18 @@ function authorizeRead(req: Request): Target {
   const header = req.headers.get("authorization") ?? ""
   const token = header.replace(/^Bearer\s+/i, "").trim()
 
-  if (isAppToken(token)) {
+  if (isAccessToken(token)) {
     const principal = requireAppPrincipal(req)
     if (principal.appId !== app.id || principal.environmentId !== env.id) {
       throw new HttpError(403, "forbidden", "该令牌无权访问此应用环境")
     }
-    return { project, app, env, appToken: true }
+    return { project, app, env, accessToken: true }
   }
 
   const user = requireUser(req)
   requireProjectRole(user, project.id, "viewer")
   assertEnvAccess(user, env)
-  return { project, app, env, appToken: false }
+  return { project, app, env, accessToken: false }
 }
 
 function authorizeWatch(req: Request): Target {
@@ -75,13 +75,13 @@ function authorizeWatch(req: Request): Target {
 
   if (!raw) throw new HttpError(401, "unauthorized", "缺少访问凭证")
 
-  if (isAppToken(raw)) {
-    const tokenRow = verifyAppToken(raw)
-    if (!tokenRow) throw new HttpError(401, "unauthorized", "应用令牌无效或已撤销")
+  if (isAccessToken(raw)) {
+    const tokenRow = verifyAccessToken(raw)
+    if (!tokenRow) throw new HttpError(401, "unauthorized", "令牌无效或已撤销")
     if (tokenRow.appId !== app.id || tokenRow.environmentId !== env.id) {
       throw new HttpError(403, "forbidden", "该令牌无权访问此应用环境")
     }
-    return { project, app, env, appToken: true }
+    return { project, app, env, accessToken: true }
   }
 
   if (isHumanToken(raw)) {
@@ -95,7 +95,7 @@ function authorizeWatch(req: Request): Target {
     }
     requireProjectRole(user, project.id, "viewer")
     assertEnvAccess(user, env)
-    return { project, app, env, appToken: false }
+    return { project, app, env, accessToken: false }
   }
 
   throw new HttpError(401, "unauthorized", "凭证格式无效")
@@ -121,16 +121,16 @@ function resolveByRange(appId: string, envId: string, range: string): ReleaseRow
 }
 
 function listReleases(req: Request): Response {
-  const { app, env, appToken } = authorizeRead(req)
-  const sql = appToken
+  const { app, env, accessToken } = authorizeRead(req)
+  const sql = accessToken
     ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND status = 'published' ORDER BY createdAt DESC`
     : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC`
   const rows = getDb().query(sql).all(app.id, env.id) as ReleaseRow[]
-  return ok({ releases: rows.map((r) => publicRelease(r, false)) })
+  return ok({ releases: rows.map((r) => (accessToken ? publicRelease(r, false) : publicReleaseDetail(r, false))) })
 }
 
 function resolveRelease(req: Request): Response {
-  const { app, env, appToken } = authorizeRead(req)
+  const { app, env, accessToken } = authorizeRead(req)
   const spec = param(req, "spec")
 
   if (spec === "latest") {
@@ -147,7 +147,7 @@ function resolveRelease(req: Request): Response {
     return ok({ release: publicRelease(row, true) })
   }
 
-  const sql = appToken
+  const sql = accessToken
     ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ? AND status = 'published'`
     : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ?`
   const row = getDb().query(sql).get(app.id, env.id, spec) as ReleaseRow | null
@@ -183,7 +183,7 @@ function setStatus(req: Request, status: "published" | "unpublished"): Response
   db.query(`UPDATE "Release" SET status = ? WHERE id = ?`).run(status, row.id)
   const updated = db.query(`SELECT * FROM "Release" WHERE id = ?`).get(row.id) as ReleaseRow
   notifyWatchers(app.id, env.id)
-  return ok({ release: publicRelease(updated, false) })
+  return ok({ release: publicReleaseDetail(updated, false) })
 }
 
 function publishRelease(req: Request): Response {
@@ -209,7 +209,7 @@ function resolveSpecSnapshot(target: Target, spec: string): ReturnType<typeof pu
       const row = resolveByRange(target.app.id, target.env.id, range)
       return row ? publicRelease(row, true) : null
     }
-    const sql = target.appToken
+    const sql = target.accessToken
       ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ? AND status = 'published'`
       : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ?`
     const row = getDb().query(sql).get(target.app.id, target.env.id, spec) as ReleaseRow | null
@@ -290,7 +290,7 @@ async function createRelease(req: Request): Promise<Response> {
     throw new HttpError(
       422,
       "schema_invalid",
-      `配置不符合应用 schema：${errors.map((e) => `${e.path} ${e.message}`).join("；")}`,
+      `配置无效：\n${errors.map((e) => `  ${e.path.replace(/^\$\./, "")} ${e.message}`).join("\n")}`,
     )
   }
 
@@ -316,7 +316,7 @@ async function createRelease(req: Request): Promise<Response> {
     `INSERT INTO "Release" (id, appId, environmentId, semver, changeKind, status, notes, snapshot, schemaSnapshot, createdBy) VALUES (?, ?, ?, ?, ?, 'unpublished', ?, ?, ?, ?)`,
   ).run(id, app.id, env.id, semver, kind, notes, JSON.stringify(config), app.schema, user.id)
   const created = db.query(`SELECT * FROM "Release" WHERE id = ?`).get(id) as ReleaseRow
-  return ok({ release: publicRelease(created, true) }, 201)
+  return ok({ release: publicReleaseDetail(created, true) }, 201)
 }
 
 export const releaseRoutes = {

package/server/src/modules/setup.ts

@@ -5,6 +5,12 @@ import { hashPassword } from "../shared/password.ts"
 import { publicUser } from "../shared/serialize.ts"
 import { newId } from "../shared/utils.ts"
 
+async function checkSetup(): Promise<Response> {
+  const db = getDb()
+  const hasSuperAdmin = db.query(`SELECT 1 FROM "User" WHERE "isSuperAdmin" = 1 LIMIT 1`).get()
+  return ok({ initialized: !!hasSuperAdmin })
+}
+
 async function setup(req: Request): Promise<Response> {
   const db = getDb()
   const hasSuperAdmin = db.query(`SELECT 1 FROM "User" WHERE "isSuperAdmin" = 1 LIMIT 1`).get()
@@ -31,5 +37,5 @@ async function setup(req: Request): Promise<Response> {
 }
 
 export const setupRoutes = {
-  "/v1/setup": { POST: route(setup) },
+  "/v1/setup": { GET: route(checkSetup), POST: route(setup) },
 }

package/server/src/modules/token.ts

@@ -1,10 +1,10 @@
 import { getDb } from "../db/client.ts"
-import type { AppTokenRow } from "../db/types.ts"
+import type { AccessTokenRow } from "../db/types.ts"
 import { HttpError, ok, optionalString, param, readBody, route } from "../http/response.ts"
 import { assertEnvAccess, requireProjectRole, requireUser } from "../shared/auth.ts"
 import { findApp, findEnv, findProject } from "../shared/resolve.ts"
-import { publicAppToken } from "../shared/serialize.ts"
-import { issueAppToken } from "../shared/token.ts"
+import { publicAccessToken } from "../shared/serialize.ts"
+import { issueAccessToken } from "../shared/token.ts"
 
 function listTokens(req: Request): Response {
   const user = requireUser(req)
@@ -14,9 +14,9 @@ function listTokens(req: Request): Response {
   const env = findEnv(project.id, param(req, "env"))
   assertEnvAccess(user, env)
   const rows = getDb()
-    .query(`SELECT * FROM "AppToken" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC`)
-    .all(app.id, env.id) as AppTokenRow[]
-  return ok({ tokens: rows.map(publicAppToken) })
+    .query(`SELECT * FROM "AccessToken" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC`)
+    .all(app.id, env.id) as AccessTokenRow[]
+  return ok({ tokens: rows.map(publicAccessToken) })
 }
 
 async function createToken(req: Request): Promise<Response> {
@@ -29,11 +29,11 @@ async function createToken(req: Request): Promise<Response> {
   const body = await readBody(req)
   const name = optionalString(body, "name")
 
-  const issued = issueAppToken(app.id, env.id, user.id, name)
+  const issued = issueAccessToken(app.id, env.id, user.id, name)
   const row = getDb()
-    .query(`SELECT * FROM "AppToken" WHERE tokenPrefix = ? ORDER BY createdAt DESC LIMIT 1`)
-    .get(issued.prefix) as AppTokenRow
-  return ok({ token: issued.raw, info: publicAppToken(row) }, 201)
+    .query(`SELECT * FROM "AccessToken" WHERE tokenPrefix = ? ORDER BY createdAt DESC LIMIT 1`)
+    .get(issued.prefix) as AccessTokenRow
+  return ok({ token: issued.raw, info: publicAccessToken(row) }, 201)
 }
 
 function revokeToken(req: Request): Response {
@@ -45,10 +45,10 @@ function revokeToken(req: Request): Response {
   assertEnvAccess(user, env)
   const tokenId = param(req, "tokenId")
   const existing = getDb()
-    .query(`SELECT 1 FROM "AppToken" WHERE id = ? AND appId = ? AND environmentId = ?`)
+    .query(`SELECT 1 FROM "AccessToken" WHERE id = ? AND appId = ? AND environmentId = ?`)
     .get(tokenId, app.id, env.id)
   if (!existing) throw new HttpError(404, "token_not_found", "令牌不存在")
-  getDb().query(`UPDATE "AppToken" SET revoked = 1 WHERE id = ?`).run(tokenId)
+  getDb().query(`UPDATE "AccessToken" SET revoked = 1 WHERE id = ?`).run(tokenId)
   return ok({ revoked: true })
 }
 

package/server/src/shared/auth.ts

@@ -2,7 +2,7 @@ import { getDb } from "../db/client.ts"
 import type { EnvironmentRow, ProjectRole, UserRow } from "../db/types.ts"
 import { HttpError } from "../http/response.ts"
 import { ROLE_RANK } from "./consts.ts"
-import { isAppToken, isHumanToken, verifyAppToken, verifyHumanToken } from "./token.ts"
+import { isAccessToken, isHumanToken, verifyAccessToken, verifyHumanToken } from "./token.ts"
 import type { AppPrincipal, AuthUser } from "./types.ts"
 
 function bearer(req: Request): string {
@@ -26,9 +26,9 @@ export function requireUser(req: Request): AuthUser {
 
 export function requireAppPrincipal(req: Request): AppPrincipal {
   const raw = bearer(req)
-  if (!isAppToken(raw)) throw new HttpError(401, "unauthorized", "需要应用访问令牌")
-  const token = verifyAppToken(raw)
-  if (!token) throw new HttpError(401, "unauthorized", "应用令牌无效或已撤销")
+  if (!isAccessToken(raw)) throw new HttpError(401, "unauthorized", "需要访问令牌")
+  const token = verifyAccessToken(raw)
+  if (!token) throw new HttpError(401, "unauthorized", "令牌无效或已撤销")
   return { tokenId: token.id, appId: token.appId, environmentId: token.environmentId }
 }
 

package/server/src/shared/consts.ts

@@ -1,7 +1,7 @@
 export const API_PREFIX = "/v1"
 
 export const HUMAN_TOKEN_PREFIX = "atmu"
-export const APP_TOKEN_PREFIX = "atma"
+export const ACCESS_TOKEN_PREFIX = "atma"
 export const TOKEN_BYTES = 32
 
 export const SLUG_RE = /^[a-z][a-z0-9-]*$/

package/server/src/shared/env.ts

@@ -3,7 +3,6 @@ import { type Static, Type } from "typebox"
 import { Value } from "typebox/value"
 
 export const envSchema = Type.Object({
-  CONFIG_PORT: Type.Optional(Type.String({ pattern: "^\\d+$", default: "4921" })),
   CONFIG_DB_PATH: Type.Optional(Type.String({ default: path.join(process.cwd(), "data", "config.db") })),
   CONFIG_ADMIN_NAME: Type.Optional(Type.String({ minLength: 1, default: "admin" })),
   CONFIG_ADMIN_EMAIL: Type.Optional(Type.String()),
@@ -13,7 +12,6 @@ export const envSchema = Type.Object({
 type RawEnv = Static<typeof envSchema>
 
 export interface Env {
-  port: number
   dbPath: string
   adminName: string
   adminEmail: string | undefined
@@ -25,15 +23,12 @@ let cached: Env | undefined
 export function getEnv(): Env {
   if (cached) return cached
   const raw: RawEnv = {
-    CONFIG_PORT: process.env.CONFIG_PORT,
     CONFIG_DB_PATH: process.env.CONFIG_DB_PATH,
     CONFIG_ADMIN_NAME: process.env.CONFIG_ADMIN_NAME,
     CONFIG_ADMIN_EMAIL: process.env.CONFIG_ADMIN_EMAIL,
     CONFIG_ADMIN_PASSWORD: process.env.CONFIG_ADMIN_PASSWORD,
   }
-  const filled = Value.Default(envSchema, raw) as Required<
-    Pick<RawEnv, "CONFIG_PORT" | "CONFIG_DB_PATH" | "CONFIG_ADMIN_NAME">
-  > &
+  const filled = Value.Default(envSchema, raw) as Required<Pick<RawEnv, "CONFIG_DB_PATH" | "CONFIG_ADMIN_NAME">> &
     RawEnv
   const errors = [...Value.Errors(envSchema, filled)]
   if (errors.length) {
@@ -41,7 +36,6 @@ export function getEnv(): Env {
     throw new Error(`环境变量配置错误:\n${msgs}`)
   }
   cached = {
-    port: Number.parseInt(filled.CONFIG_PORT, 10),
     dbPath: filled.CONFIG_DB_PATH,
     adminName: filled.CONFIG_ADMIN_NAME,
     adminEmail: filled.CONFIG_ADMIN_EMAIL,

package/server/src/shared/serialize.ts

@@ -1,6 +1,6 @@
 import type {
+  AccessTokenRow,
   AppRow,
-  AppTokenRow,
   EnvironmentRow,
   ProjectMemberRow,
   ProjectRow,
@@ -60,19 +60,22 @@ export function publicApp(row: AppRow) {
 
 export function publicRelease(row: ReleaseRow, withConfig: boolean) {
   return {
-    id: row.id,
     semver: row.semver,
+    config: withConfig ? JSON.parse(row.snapshot) : undefined,
+  }
+}
+
+export function publicReleaseDetail(row: ReleaseRow, withConfig: boolean) {
+  return {
+    ...publicRelease(row, withConfig),
     changeKind: row.changeKind,
     status: row.status,
     notes: row.notes,
-    createdBy: row.createdBy,
-    createdAt: row.createdAt,
-    config: withConfig ? JSON.parse(row.snapshot) : undefined,
     schema: withConfig ? JSON.parse(row.schemaSnapshot) : undefined,
   }
 }
 
-export function publicAppToken(row: AppTokenRow) {
+export function publicAccessToken(row: AccessTokenRow) {
   return {
     id: row.id,
     name: row.name,

package/server/src/shared/token.ts

@@ -1,6 +1,6 @@
 import { getDb } from "../db/client.ts"
-import type { AppTokenRow, TokenRow, UserRow } from "../db/types.ts"
-import { APP_TOKEN_PREFIX, HUMAN_TOKEN_PREFIX, TOKEN_BYTES } from "./consts.ts"
+import type { AccessTokenRow, TokenRow, UserRow } from "../db/types.ts"
+import { ACCESS_TOKEN_PREFIX, HUMAN_TOKEN_PREFIX, TOKEN_BYTES } from "./consts.ts"
 import type { IssuedToken } from "./types.ts"
 import { newId, nowSec } from "./utils.ts"
 
@@ -17,8 +17,8 @@ export function isHumanToken(raw: string): boolean {
   return raw.startsWith(`${HUMAN_TOKEN_PREFIX}_`)
 }
 
-export function isAppToken(raw: string): boolean {
-  return raw.startsWith(`${APP_TOKEN_PREFIX}_`)
+export function isAccessToken(raw: string): boolean {
+  return raw.startsWith(`${ACCESS_TOKEN_PREFIX}_`)
 }
 
 export function issueHumanToken(userId: string, name?: string): IssuedToken {
@@ -39,21 +39,21 @@ export function verifyHumanToken(raw: string): UserRow | null {
   return db.query(`SELECT * FROM "User" WHERE id = ?`).get(row.userId) as UserRow | null
 }
 
-export function issueAppToken(appId: string, environmentId: string, createdBy: string, name?: string): IssuedToken {
-  const raw = `${APP_TOKEN_PREFIX}_${randomSecret()}`
+export function issueAccessToken(appId: string, environmentId: string, createdBy: string, name?: string): IssuedToken {
+  const raw = `${ACCESS_TOKEN_PREFIX}_${randomSecret()}`
   const prefix = raw.slice(0, 14)
   getDb()
     .query(
-      `INSERT INTO "AppToken" (id, appId, environmentId, name, tokenHash, tokenPrefix, createdBy) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      `INSERT INTO "AccessToken" (id, appId, environmentId, name, tokenHash, tokenPrefix, createdBy) VALUES (?, ?, ?, ?, ?, ?, ?)`,
     )
     .run(newId(), appId, environmentId, name ?? null, hashSecret(raw), prefix, createdBy)
   return { raw, prefix }
 }
 
-export function verifyAppToken(raw: string): AppTokenRow | null {
+export function verifyAccessToken(raw: string): AccessTokenRow | null {
   const db = getDb()
-  const row = db.query(`SELECT * FROM "AppToken" WHERE tokenHash = ?`).get(hashSecret(raw)) as AppTokenRow | null
+  const row = db.query(`SELECT * FROM "AccessToken" WHERE tokenHash = ?`).get(hashSecret(raw)) as AccessTokenRow | null
   if (!row || row.revoked) return null
-  db.query(`UPDATE "AppToken" SET lastUsedAt = ? WHERE id = ?`).run(nowSec(), row.id)
+  db.query(`UPDATE "AccessToken" SET lastUsedAt = ? WHERE id = ?`).run(nowSec(), row.id)
   return row
 }

package/src/config.compose.ts

@@ -1,44 +1,26 @@
 import { tmpl } from "@atomservice/core"
-import { CONFIG_DEFAULT_PORT } from "./config.consts.ts"
+import { CONFIG_SERVER_PORT } from "./config.consts.ts"
+import type { ConfigComposeOptions } from "./config.types.ts"
 
-export interface ConfigComposeOptions {
-  image: string
-  dataDir: string
-  environment?: Record<string, string>
-  hostPort?: number
-}
-
-export function configCompose(id: string, opts: ConfigComposeOptions): string {
-  const port = CONFIG_DEFAULT_PORT
-  const portsBlock = opts.hostPort ? `\n    ports:\n      - "${opts.hostPort}:${port}"` : ""
-
-  const lines: string[] = []
-  const push = (k: string, v: string | number | undefined) => {
-    if (v === undefined || v === "") return
-    lines.push(`      - ${k}=${v}`)
-  }
-  if (opts.environment) {
-    for (const [k, v] of Object.entries(opts.environment)) push(k, v)
-  }
-  const extraEnv = lines.length ? `\n${lines.join("\n")}` : ""
+export function configCompose(opts: ConfigComposeOptions): string {
+  const portsBlock = opts.hostPort ? `\n    ports:\n      - "${opts.hostPort}:${CONFIG_SERVER_PORT}"` : ""
 
   return tmpl`\
 services:
-  ${id}:
+  ${opts.id}:
     image: ${opts.image}
-    container_name: ${id}
+    container_name: ${opts.id}
     environment:
-      - CONFIG_PORT=${port}
-      - CONFIG_DB_PATH=/data/config.db${extraEnv}
+      - CONFIG_DB_PATH=/data/config.db
     volumes:
       - ${opts.dataDir}:/data
     expose:
-      - "${port}"${portsBlock}
+      - "${CONFIG_SERVER_PORT}"${portsBlock}
     networks:
       - atomservice
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:${port}/v1/health"]
+      test: ["CMD", "curl", "-sf", "http://localhost:${CONFIG_SERVER_PORT}/v1/health"]
       interval: 10s
       timeout: 5s
       retries: 5

package/src/config.consts.ts

@@ -1,5 +1,5 @@
 import pkg from "../package.json" with { type: "json" }
 
-export const CONFIG_IMAGE_REPO = "localhost/atomservice/config-server"
-export const CONFIG_DEFAULT_PORT = 4921
+export const CONFIG_IMAGE_REPO = "localhost/atomservice/config/server"
+export const CONFIG_SERVER_PORT = 52010
 export const CONFIG_VERSION = pkg.version

package/src/config.instance.ts

@@ -13,7 +13,7 @@ export interface ConfigInstance {
   /**
    * 容器网络内访问地址
    *
-   * - 如 `http://config:4921/`
+   * - 如 `http://config:52000/`
    */
   readonly url: string
   /**

package/src/config.options.ts

@@ -11,27 +11,24 @@ export interface ConfigOptions {
   /**
    * 容器对外端口
    *
-   * - 不填则不对外暴露，仅容器网络内访问
+   * - 不指定则不对外暴露，仅容器网络内可访问
    */
   hostPort?: number
   /**
-   * 对外域名
+   * 网关配置
    *
-   * - 填写后自动在网关注册反代路由
-   * - 需要和 `gateway` 原子一起使用
+   * - 关联原子网关并自动注册反代路由
    */
-  domain?: string
-  /**
-   * 自定义环境变量
-   *
-   * - 透传到容器
-   */
-  environment?: Record<string, string>
-  /**
-   * 关联的网关原子
-   *
-   * - 填写后自动向网关注册反代路由
-   * - 通常和 `domain` 一起使用
-   */
-  gateway?: CallableService<GatewayInstance>
+  gateway?: {
+    /**
+     * 关联的原子网关服务实例
+     *
+     * - 填写后自动向网关注册反代路由
+     */
+    service: CallableService<GatewayInstance>
+    /**
+     * 对外域名
+     */
+    domain?: string
+  }
 }

package/src/config.service.ts

@@ -3,7 +3,7 @@ import { fileURLToPath } from "node:url"
 import type { CallableService } from "@atomservice/core"
 import { defineService, onDown, onHealth, onUp, useConfig, useLogger, useShell, useState } from "@atomservice/core"
 import { configCompose } from "./config.compose.ts"
-import { CONFIG_DEFAULT_PORT, CONFIG_IMAGE_REPO, CONFIG_VERSION } from "./config.consts.ts"
+import { CONFIG_IMAGE_REPO, CONFIG_SERVER_PORT, CONFIG_VERSION } from "./config.consts.ts"
 import type { ConfigInstance } from "./config.instance.ts"
 import type { ConfigOptions } from "./config.options.ts"
 import type { ConfigState } from "./config.types.ts"
@@ -13,7 +13,7 @@ const SERVER_DIR = path.resolve(HERE, "..", "server")
 
 export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance> {
   const serviceId = opts.id && opts.id !== "default" ? opts.id : "default"
-  const containerName = serviceId !== "default" ? `config-${serviceId}` : "config"
+  const containerName = serviceId !== "default" ? `atomservice-config-${serviceId}` : "atomservice-config"
   const version = CONFIG_VERSION
   const imageTag = `${CONFIG_IMAGE_REPO}:${version}`
 
@@ -24,7 +24,7 @@ export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance
       const logger = useLogger()
       const $ = useShell()
       const conf = useConfig()
-      const gw = opts.gateway?.()
+      const gw = opts.gateway?.service()
 
       const dir = path.join(conf.root, containerName)
       const composePath = path.join(dir, "compose.yml")
@@ -62,10 +62,10 @@ export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance
 
         await Bun.write(
           composePath,
-          configCompose(containerName, {
+          configCompose({
+            id: containerName,
             image: imageTag,
             dataDir,
-            environment: opts.environment,
             hostPort: opts.hostPort,
           }),
         )
@@ -74,10 +74,10 @@ export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance
         await $`podman compose -f ${composePath} up -d`
         logger.success(`${containerName} 已启动`)
 
-        if (opts.domain && gw) {
-          logger.info(`注册路由 ${opts.domain} → ${containerName}:${CONFIG_DEFAULT_PORT}`)
-          await gw.registerRoute(opts.domain, `${containerName}:${CONFIG_DEFAULT_PORT}`)
-          logger.success(`路由已注册，访问 https://${opts.domain}`)
+        if (opts.gateway?.domain && gw) {
+          logger.info(`注册路由 ${opts.gateway.domain} → ${containerName}:${CONFIG_SERVER_PORT}`)
+          await gw.registerRoute(opts.gateway.domain, `${containerName}:${CONFIG_SERVER_PORT}`)
+          logger.success(`路由已注册，访问 https://${opts.gateway.domain}`)
         }
 
         await save(currentState)
@@ -86,16 +86,15 @@ export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance
       onDown(async () => {
         logger.info(`正在停止 ${containerName}`)
         await $`podman compose -f ${composePath} down`
-        if (opts.domain && gw) await gw.unregisterRoute(opts.domain)
+        if (opts.gateway?.domain && gw) await gw.unregisterRoute(opts.gateway.domain)
         logger.success(`${containerName} 已停止`)
       })
 
       onHealth(async () => {
         try {
-          const result =
-            await $`podman exec ${containerName} curl -sf http://localhost:${CONFIG_DEFAULT_PORT}/v1/health`
-              .quiet()
-              .nothrow()
+          const result = await $`podman exec ${containerName} curl -sf http://localhost:${CONFIG_SERVER_PORT}/v1/health`
+            .quiet()
+            .nothrow()
           if (result.exitCode === 0) return { status: "healthy" }
           return { status: "unhealthy", message: `Config 健康检查返回 ${result.exitCode}` }
         } catch {
@@ -108,13 +107,13 @@ export function config(opts: ConfigOptions = {}): CallableService<ConfigInstance
           return containerName
         },
         get port() {
-          return CONFIG_DEFAULT_PORT
+          return CONFIG_SERVER_PORT
         },
         get url() {
-          return `http://${containerName}:${CONFIG_DEFAULT_PORT}/`
+          return `http://${containerName}:${CONFIG_SERVER_PORT}/`
         },
         get externalUrl() {
-          return opts.domain ? `https://${opts.domain}/` : undefined
+          return opts.gateway?.domain ? `https://${opts.gateway.domain}/` : undefined
         },
       }
     },

package/src/config.types.ts

@@ -1,3 +1,10 @@
 export type ConfigState = {
   version: string
 }
+
+export interface ConfigComposeOptions {
+  id: string
+  image: string
+  dataDir: string
+  hostPort?: number
+}