@ranger1/dx 0.1.0

package/lib/validate-env.js

@@ -0,0 +1,284 @@
+import { existsSync, readdirSync, readFileSync } from 'node:fs'
+import { join } from 'node:path'
+
+const ROOT_DIR = process.env.DX_PROJECT_ROOT || process.cwd()
+const CONFIG_DIR = process.env.DX_CONFIG_DIR || join(ROOT_DIR, 'dx', 'config')
+const ROOT_ENV_FILE = join(ROOT_DIR, '.env')
+const EXTRA_ENV_IGNORED_DIRS = new Set([
+  '.git',
+  '.vercel',
+  'node_modules',
+  '.nx',
+  'dist',
+  'logs',
+  'tmp',
+  '.schaltwerk',
+])
+const EXTRA_ENV_ALLOWED_PATHS = new Set(['docker/.env', 'docker/.env.example'])
+const LOCAL_ALLOWLIST_CONFIG = join(CONFIG_DIR, 'local-env-allowlist.jsonc')
+const EXEMPTED_KEYS_CONFIG = join(CONFIG_DIR, 'exempted-keys.jsonc')
+const ENV_EXAMPLE_FILE = join(ROOT_DIR, '.env.example')
+const PLACEHOLDER_TOKEN = '__SET_IN_env.local__'
+
+const LOCAL_ENV_FILES = [
+  '.env.development.local',
+  '.env.production.local',
+  '.env.test.local',
+  '.env.e2e.local',
+  '.env.staging.local',
+]
+
+let cachedAllowlist = null
+let cachedExemptedKeys = null
+
+export function validateEnvironment() {
+  if (!process.env.NODE_ENV) {
+    console.warn('⚠️  NODE_ENV 未设置，默认使用 development')
+    process.env.NODE_ENV = 'development'
+  }
+
+  if (typeof process.env.APP_ENV === 'string' && process.env.APP_ENV.trim() === '') {
+    delete process.env.APP_ENV
+  }
+
+  enforceRootOnlyEnvFiles()
+  enforceLocalSecretWhitelist()
+  enforceGlobalLocalFileProhibited()
+  enforceNonLocalSecretPlaceholders()
+  enforceEnvExampleSecrets()
+
+  return { nodeEnv: process.env.NODE_ENV, appEnv: process.env.APP_ENV }
+}
+
+function enforceRootOnlyEnvFiles() {
+  if (existsSync(ROOT_ENV_FILE)) {
+    throw new Error(
+      '检测到根目录存在 .env 文件，请迁移到 .env.<env> / .env.<env>.local 并删除 .env',
+    )
+  }
+
+  const violations = []
+  const queue = ['.']
+
+  while (queue.length > 0) {
+    const current = queue.pop()
+    const dirPath = join(ROOT_DIR, current)
+    const entries = readdirSync(dirPath, { withFileTypes: true })
+
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        if (EXTRA_ENV_IGNORED_DIRS.has(entry.name)) continue
+        const next = current === '.' ? entry.name : `${current}/${entry.name}`
+        queue.push(next)
+        continue
+      }
+
+      if (!entry.isFile()) continue
+      if (!entry.name.startsWith('.env')) continue
+
+      const relativePath = current === '.' ? entry.name : `${current}/${entry.name}`
+
+      if (!relativePath.includes('/')) {
+        continue
+      }
+
+      if (EXTRA_ENV_ALLOWED_PATHS.has(relativePath)) continue
+
+      violations.push(relativePath)
+    }
+  }
+
+  if (violations.length > 0) {
+    const list = violations.join(', ')
+    throw new Error(
+      `检测到非根目录下的 env 文件: ${list}\n请将这些文件迁移到根目录或删除，再重试命令。`,
+    )
+  }
+}
+
+function enforceLocalSecretWhitelist() {
+  const allowlist = loadLocalAllowlist()
+  const errors = []
+
+  for (const file of LOCAL_ENV_FILES) {
+    const fullPath = join(ROOT_DIR, file)
+    if (!existsSync(fullPath)) continue
+
+    const entries = parseEnvFile(fullPath)
+    const invalidKeys = []
+
+    for (const key of entries.keys()) {
+      if (!allowlist.has(key)) {
+        invalidKeys.push(key)
+      }
+    }
+
+    if (invalidKeys.length > 0) {
+      errors.push(`${file}: ${invalidKeys.join(', ')}`)
+    }
+  }
+
+  if (errors.length > 0) {
+    const message = errors.join('\n')
+    throw new Error(
+      `检测到 *.local 文件包含非白名单键:\n${message}\n请将这些键迁移到对应的 .env.<env> 文件，仅保留白名单内的机密信息在 *.local 中。`,
+    )
+  }
+}
+
+function enforceGlobalLocalFileProhibited() {
+  const legacyLocal = join(ROOT_DIR, '.env.local')
+  if (existsSync(legacyLocal)) {
+    throw new Error('项目已弃用 .env.local，请改用 .env.<env>.local 存放机密信息并删除 .env.local')
+  }
+}
+
+function enforceNonLocalSecretPlaceholders() {
+  const allowlist = loadLocalAllowlist()
+  const exemptedKeys = loadExemptedKeys()
+  const violations = []
+
+  for (const file of listRootEnvFiles()) {
+    if (file === '.env.example') continue
+    if (file.includes('.local')) continue
+
+    const fullPath = join(ROOT_DIR, file)
+    if (!existsSync(fullPath)) continue
+
+    const entries = parseEnvFile(fullPath)
+
+    for (const [key, value] of entries.entries()) {
+      if (!allowlist.has(key)) continue
+      if (exemptedKeys.has(key)) continue // 豁免的键允许使用非占位符值
+
+      const normalized = value.trim()
+      if (normalized !== PLACEHOLDER_TOKEN) {
+        violations.push(`${file}: ${key}`)
+      }
+    }
+  }
+
+  if (violations.length > 0) {
+    const message = violations.join('\n')
+    throw new Error(
+      `检测到非 *.local 文件包含敏感键但未使用占位符 ${PLACEHOLDER_TOKEN}:\n${message}\n` +
+        `请仅在 .env.<env>.local 系列中设置真实值，并在其他文件中使用占位符。`,
+    )
+  }
+}
+
+function enforceEnvExampleSecrets() {
+  if (!existsSync(ENV_EXAMPLE_FILE)) return
+
+  const allowlist = loadLocalAllowlist()
+  const entries = parseEnvFile(ENV_EXAMPLE_FILE)
+  const disallowedKeys = []
+  const invalidPlaceholders = []
+
+  for (const [key, value] of entries.entries()) {
+    const normalized = value.trim()
+
+    if (!allowlist.has(key)) {
+      disallowedKeys.push(key)
+      continue
+    }
+
+    if (normalized !== PLACEHOLDER_TOKEN) {
+      invalidPlaceholders.push(key)
+    }
+  }
+
+  if (disallowedKeys.length > 0) {
+    throw new Error(
+      `.env.example 仅允许包含 scripts/config/local-env-allowlist.jsonc 中的键，检测到非法键: ${disallowedKeys.join(', ')}`,
+    )
+  }
+
+  if (invalidPlaceholders.length > 0) {
+    throw new Error(
+      `.env.example 中以下键未使用占位符 ${PLACEHOLDER_TOKEN}: ${invalidPlaceholders.join(', ')}`,
+    )
+  }
+}
+
+function listRootEnvFiles() {
+  return readdirSync(ROOT_DIR, { withFileTypes: true })
+    .filter(entry => entry.isFile() && entry.name.startsWith('.env'))
+    .map(entry => entry.name)
+}
+
+function parseEnvFile(filePath) {
+  const content = readFileSync(filePath, 'utf8')
+  const map = new Map()
+  const lines = content.split(/\r?\n/)
+
+  for (const raw of lines) {
+    const trimmed = raw.trim()
+    if (!trimmed || trimmed.startsWith('#')) continue
+
+    const eqIdx = trimmed.indexOf('=')
+    if (eqIdx <= 0) continue
+
+    const key = trimmed.slice(0, eqIdx).trim()
+    if (!key) continue
+
+    map.set(key, trimmed.slice(eqIdx + 1))
+  }
+
+  return map
+}
+
+function loadLocalAllowlist() {
+  if (cachedAllowlist) return cachedAllowlist
+
+  if (!existsSync(LOCAL_ALLOWLIST_CONFIG)) {
+    throw new Error('缺少配置文件 scripts/config/local-env-allowlist.jsonc，请补充后重试')
+  }
+
+  const raw = readFileSync(LOCAL_ALLOWLIST_CONFIG, 'utf8')
+  const sanitized = raw.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '')
+  const parsed = JSON.parse(sanitized || '{}') || {}
+
+  const allowedValues = Array.isArray(parsed.allowed) ? parsed.allowed : []
+  if (allowedValues.length === 0) {
+    throw new Error('local-env-allowlist.jsonc 中的 allowed 不能为空，请至少保留一个键')
+  }
+
+  const invalid = allowedValues.filter(
+    value => typeof value !== 'string' || value.trim().length === 0,
+  )
+  if (invalid.length > 0) {
+    throw new Error('local-env-allowlist.jsonc.allowed 中存在非法键，请使用非空字符串')
+  }
+
+  cachedAllowlist = new Set(allowedValues)
+  return cachedAllowlist
+}
+
+function loadExemptedKeys() {
+  if (cachedExemptedKeys) return cachedExemptedKeys
+
+  // 如果豁免配置文件不存在，返回空集合（可选配置）
+  if (!existsSync(EXEMPTED_KEYS_CONFIG)) {
+    cachedExemptedKeys = new Set()
+    return cachedExemptedKeys
+  }
+
+  const raw = readFileSync(EXEMPTED_KEYS_CONFIG, 'utf8')
+  const sanitized = raw.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '')
+  const parsed = JSON.parse(sanitized || '{}') || {}
+
+  const exemptedValues = Array.isArray(parsed.exempted) ? parsed.exempted : []
+  
+  const invalid = exemptedValues.filter(
+    value => typeof value !== 'string' || value.trim().length === 0,
+  )
+  if (invalid.length > 0) {
+    throw new Error('exempted-keys.jsonc.exempted 中存在非法键，请使用非空字符串')
+  }
+
+  cachedExemptedKeys = new Set(exemptedValues)
+  return cachedExemptedKeys
+}
+
+export default { validateEnvironment }

package/lib/vercel-deploy.js

@@ -0,0 +1,237 @@
+import { execSync } from 'node:child_process'
+import { join } from 'node:path'
+import { envManager } from './env.js'
+import { execManager } from './exec.js'
+import { logger } from './logger.js'
+
+const ALLOWED_ENVIRONMENTS = ['development', 'staging', 'production']
+
+export async function deployToVercel(target, options = {}) {
+  const { environment = 'staging' } = options
+
+  // 校验环境参数
+  if (!ALLOWED_ENVIRONMENTS.includes(environment)) {
+    logger.error(`不支持的部署环境: ${environment}`)
+    logger.info(`可用环境: ${ALLOWED_ENVIRONMENTS.join(', ')}`)
+    process.exitCode = 1
+    return
+  }
+
+  const token = process.env.VERCEL_TOKEN
+  const orgId = process.env.VERCEL_ORG_ID
+  const projectIdFront = process.env.VERCEL_PROJECT_ID_FRONT
+  const projectIdAdmin = process.env.VERCEL_PROJECT_ID_ADMIN
+  const projectIdTelegramBot = process.env.VERCEL_PROJECT_ID_TELEGRAM_BOT
+
+  const normalizedTarget = String(target || '').toLowerCase()
+  const targets = normalizedTarget === 'all' ? ['front', 'admin'] : [normalizedTarget]
+
+  // 校验目标有效性
+  for (const t of targets) {
+    if (!['front', 'admin', 'telegram-bot'].includes(t)) {
+      logger.error(`不支持的部署目标: ${t}`)
+      logger.info('可用目标: front, admin, telegram-bot, all')
+      process.exitCode = 1
+      return
+    }
+  }
+
+  // 收集缺失的环境变量
+  const missingVars = []
+
+  if (!token || envManager.isPlaceholderEnvValue(token)) {
+    missingVars.push('VERCEL_TOKEN')
+  }
+
+  if (!orgId || envManager.isPlaceholderEnvValue(orgId)) {
+    missingVars.push('VERCEL_ORG_ID')
+  }
+
+  // 根据目标检查对应的 PROJECT_ID
+  if (targets.includes('front') && (!projectIdFront || envManager.isPlaceholderEnvValue(projectIdFront))) {
+    missingVars.push('VERCEL_PROJECT_ID_FRONT')
+  }
+
+  if (targets.includes('admin') && (!projectIdAdmin || envManager.isPlaceholderEnvValue(projectIdAdmin))) {
+    missingVars.push('VERCEL_PROJECT_ID_ADMIN')
+  }
+
+  if (targets.includes('telegram-bot') && (!projectIdTelegramBot || envManager.isPlaceholderEnvValue(projectIdTelegramBot))) {
+    missingVars.push('VERCEL_PROJECT_ID_TELEGRAM_BOT')
+  }
+
+  // 如果有缺失变量，统一报错并退出
+  if (missingVars.length > 0) {
+    logger.error('缺少以下 Vercel 环境变量:')
+    missingVars.forEach(v => logger.error(`  - ${v}`))
+    logger.info('')
+    logger.info('请在 .env.<env>.local 中配置这些变量，例如:')
+    logger.info('  VERCEL_TOKEN=<your-vercel-token>')
+    logger.info('  VERCEL_ORG_ID=team_xxx')
+    logger.info('  VERCEL_PROJECT_ID_FRONT=prj_xxx')
+    logger.info('  VERCEL_PROJECT_ID_ADMIN=prj_xxx')
+    logger.info('  VERCEL_PROJECT_ID_TELEGRAM_BOT=prj_xxx')
+    logger.info('')
+    logger.info('获取方式:')
+    logger.info('  1. VERCEL_TOKEN: vercel login 后查看 ~/Library/Application Support/com.vercel.cli/auth.json')
+    logger.info('  2. PROJECT_ID: vercel project ls --scope <org> 或通过 Vercel Dashboard 获取')
+    process.exitCode = 1
+    return
+  }
+
+  // 部署前先编译 backend 和 sdk
+  // staging 复用 production 构建配置
+  try {
+    logger.step('编译 backend...')
+    const backendConfig = environment === 'production' || environment === 'staging'
+      ? 'production'
+      : 'development'
+    await execManager.executeCommand(`npx nx build backend --configuration=${backendConfig}`, {
+      app: 'backend',
+      flags: {
+        ...(environment === 'production' ? { prod: true } : {}),
+        ...(environment === 'staging' ? { staging: true } : {}),
+        ...(environment === 'development' ? { dev: true } : {}),
+      },
+    })
+    logger.success('backend 编译成功')
+
+    logger.step('编译 sdk...')
+    const { runSdkBuild } = await import('./sdk-build.js')
+    const sdkArgs = environment === 'production' ? [] : ['dev']
+    await runSdkBuild(sdkArgs)
+    logger.success('sdk 编译成功')
+  } catch (error) {
+    const message = error?.message || String(error)
+    logger.error(`编译失败: ${message}`)
+    logger.error('部署已终止，请先修复编译错误')
+    process.exitCode = 1
+    return
+  }
+
+  // 映射环境标识：development -> dev, staging -> staging, production -> prod
+  const envMap = {
+    development: 'dev',
+    staging: 'staging',
+    production: 'prod',
+  }
+  const buildEnv = envMap[environment]
+
+  for (const t of targets) {
+    // 配置文件映射
+    const configFileMap = {
+      front: 'vercel.front.json',
+      admin: 'vercel.admin.json',
+      'telegram-bot': 'vercel.telegram-bot.json',
+    }
+
+    // PROJECT_ID 映射
+    const projectIdMap = {
+      front: projectIdFront,
+      admin: projectIdAdmin,
+      'telegram-bot': projectIdTelegramBot,
+    }
+
+    const configFile = configFileMap[t]
+    const projectId = projectIdMap[t]
+    const configPath = join(process.cwd(), configFile)
+
+    const envVars = {
+      ...process.env,
+      VERCEL_PROJECT_ID: projectId,
+      APP_ENV: buildEnv,
+    }
+
+    if (orgId) {
+      envVars.VERCEL_ORG_ID = orgId
+    }
+
+    // 绕过 Vercel Git author 权限检查：临时修改最新 commit 的 author
+    const authorEmail = process.env.VERCEL_GIT_COMMIT_AUTHOR_EMAIL
+    let originalAuthor = null
+    if (authorEmail && !envManager.isPlaceholderEnvValue(authorEmail)) {
+      try {
+        originalAuthor = execSync('git log -1 --format="%an <%ae>"', { encoding: 'utf8' }).trim()
+        const authorName = authorEmail.split('@')[0]
+        execSync(`git commit --amend --author="${authorName} <${authorEmail}>" --no-edit`, { stdio: 'ignore' })
+        logger.info(`临时修改 commit author: ${originalAuthor} -> ${authorName} <${authorEmail}>`)
+      } catch (e) {
+        logger.warn(`修改 commit author 失败: ${e.message}`)
+        originalAuthor = null
+      }
+    }
+
+    try {
+      // 第一步：本地构建
+      logger.step(`本地构建 ${t} (${environment})`)
+      const buildCmd = [
+        'vercel build',
+        `--local-config="${configPath}"`,
+        '--yes',
+        `--token=${token}`,
+      ]
+
+      // staging 和 production 环境需要 --prod 标志，确保构建产物与部署环境匹配
+      if (environment === 'staging' || environment === 'production') {
+        buildCmd.push('--prod')
+      }
+
+      if (orgId) {
+        buildCmd.push(`--scope=${orgId}`)
+      }
+
+      execSync(buildCmd.join(' '), {
+        stdio: 'inherit',
+        cwd: process.cwd(),
+        env: envVars,
+      })
+      logger.success(`${t} 本地构建成功`)
+
+      // 第二步：上传预构建产物
+      logger.step(`部署 ${t} 到 Vercel (${environment})`)
+      const deployCmd = [
+        'vercel deploy',
+        '--prebuilt',
+        `--local-config="${configPath}"`,
+        '--yes',
+        `--token=${token}`,
+      ]
+
+      // staging 和 production 环境都添加 --prod 标志以绑定固定域名
+      if (environment === 'staging' || environment === 'production') {
+        deployCmd.push('--prod')
+      }
+
+      if (orgId) {
+        deployCmd.push(`--scope=${orgId}`)
+      }
+
+      execSync(deployCmd.join(' '), {
+        stdio: 'inherit',
+        cwd: process.cwd(),
+        env: envVars,
+      })
+      logger.success(`${t} 部署成功`)
+
+      // Telegram Bot 部署成功后自动设置 Webhook
+      if (t === 'telegram-bot') {
+        const { handleTelegramBotDeploy } = await import('./telegram-webhook.js')
+        await handleTelegramBotDeploy(environment, projectId, orgId, token)
+      }
+    } catch (error) {
+      const message = error?.message || String(error)
+      logger.error(`${t} 构建或部署失败: ${message}`)
+      process.exitCode = 1
+    } finally {
+      // 恢复原 commit author
+      if (originalAuthor) {
+        try {
+          execSync(`git commit --amend --author="${originalAuthor}" --no-edit`, { stdio: 'ignore' })
+          logger.info(`已恢复 commit author: ${originalAuthor}`)
+        } catch {
+          // 忽略错误
+        }
+      }
+    }
+  }
+}