template-monorepo/etc/gateway.dev.example.yaml

# 本機開發設定範例（可安全提交）
# 複製為本機專用檔（勿提交）：
#   cp etc/gateway.dev.example.yaml etc/gateway.dev.yaml
# 再依本機環境修改 Port、Mongo、Redis、SMTP/SES/Mitake 帳密等

Name: gateway
Host: 0.0.0.0
Port: 8888

Mongo:
  Schema: mongodb
  Host: 127.0.0.1
  Port: 27017
  Database: gateway
  AuthSource: ""
  ReplicaName: ""
  TLS: false
  MaxPoolSize: 30
  MinPoolSize: 10
  MaxConnIdleTime: 30m

Redis:
  Host: localhost:6379
  Type: node

Notification:
  DefaultLocale: zh-tw
  Email:
    Provider: mock
    From: noreply@example.com
    SMTP:
      Enable: false
      Sort: 1
      Host: localhost
      Port: 1025
      Username: ""
      Password: ""
    SES:
      Enable: false
      Sort: 2
      Region: ap-northeast-1
      AccessKey: ""
      SecretKey: ""
      SessionToken: ""
  SMS:
    Provider: mock
    Mitake:
      Enable: false
      Sort: 1
      User: ""
      Password: ""
  Async:
    QueueRedisKey: notification:queue
    Worker: 2
    MaxRetry: 5
    BackoffSeconds: [1, 5, 30, 300, 1800]
  RatePerTenant:
    Email: 100
    SMS: 50

Member:
  OTP:
    Length: 6
    TTLSeconds: 300
    MaxAttempts: 5
    ResendCooldownSeconds: 60
    DailyVerifyLimit: 10
  TOTP:
    Issuer: CloudEP
    Algorithm: SHA1
    Digits: 6
    PeriodSeconds: 30
    Window: 1
    BackupCodeCount: 10
    BackupCodeLength: 12
    EnrollTTLSeconds: 600
    ReplayTTLSeconds: 90
    # 32-byte key encoded as hex (64 chars) or base64; leave empty to disable TOTP.
    # Dev-only placeholder for local totp-test; replace in production.
    SecretKEK: "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
  Registration:
    RequireInviteCode: true
    TrustSocialEmailVerified: true

Auth:
  AccessExpire: 900
  RefreshExpire: 604800
  ActiveKID: v1
  # Dev-only placeholders; override via env JWT_ACCESS_SECRET / JWT_REFRESH_SECRET in production.
  AccessSecret: "dev-access-secret-32-bytes-min!!"
  RefreshSecret: "dev-refresh-secret-32-bytes-min!"
  RegistrationSessionTTLSeconds: 600

Permission:
  Casbin:
    Enabled: false                # 預設關閉；要啟用 RBAC enforcement 時改 true
    ModelPath: etc/rbac.conf
    PolicyAdapter: auto            # auto / redis / mongo
  Cache:
    UserRolesTTLSeconds: 300
    RolePermsTTLSeconds: 300
    CatalogTTLSeconds: 600
  Reload:
    Channel: casbin:reload
    DebounceMilliseconds: 200
    HeartbeatSeconds: 60

# ZITADEL identity backend (auth register/login — PR 1+)
# ServiceUserToken: export ZITADEL_SERVICE_TOKEN=...
# OAuthClientSecret: export ZITADEL_OAUTH_CLIENT_SECRET=...
Zitadel:
  Issuer: ""          # e.g. https://zitadel.example.com
  ServiceUserToken: ""
  DefaultOrgID: ""
  OAuthClientID: ""
  OAuthClientSecret: ""
  GoogleClientID: ""
  GoogleClientSecret: ""
  GoogleIdPID: ""
  LdapIdPID: ""
  JWKSUrl: ""
  TimeoutSeconds: 15
chore: gitignore local gateway.dev.yaml and add example template Stop tracking personal dev config (ports, credentials). Developers copy etc/gateway.dev.example.yaml to etc/gateway.dev.yaml locally. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-20 07:14:44 +00:00			`# 本機開發設定範例（可安全提交）`
			`# 複製為本機專用檔（勿提交）：`
			`# cp etc/gateway.dev.example.yaml etc/gateway.dev.yaml`
			`# 再依本機環境修改 Port、Mongo、Redis、SMTP/SES/Mitake 帳密等`

			`Name: gateway`
			`Host: 0.0.0.0`
			`Port: 8888`

			`Mongo:`
			`Schema: mongodb`
			`Host: 127.0.0.1`
			`Port: 27017`
			`Database: gateway`
			`AuthSource: ""`
			`ReplicaName: ""`
			`TLS: false`
			`MaxPoolSize: 30`
			`MinPoolSize: 10`
			`MaxConnIdleTime: 30m`

			`Redis:`
			`Host: localhost:6379`
			`Type: node`

			`Notification:`
			`DefaultLocale: zh-tw`
			`Email:`
			`Provider: mock`
			`From: noreply@example.com`
			`SMTP:`
			`Enable: false`
			`Sort: 1`
			`Host: localhost`
			`Port: 1025`
			`Username: ""`
			`Password: ""`
			`SES:`
			`Enable: false`
			`Sort: 2`
			`Region: ap-northeast-1`
			`AccessKey: ""`
			`SecretKey: ""`
			`SessionToken: ""`
			`SMS:`
			`Provider: mock`
			`Mitake:`
			`Enable: false`
			`Sort: 1`
			`User: ""`
			`Password: ""`
			`Async:`
			`QueueRedisKey: notification:queue`
			`Worker: 2`
			`MaxRetry: 5`
			`BackoffSeconds: [1, 5, 30, 300, 1800]`
			`RatePerTenant:`
			`Email: 100`
			`SMS: 50`

			`Member:`
			`OTP:`
			`Length: 6`
			`TTLSeconds: 300`
			`MaxAttempts: 5`
			`ResendCooldownSeconds: 60`
			`DailyVerifyLimit: 10`
add member totp 2026-05-20 13:03:59 +00:00			`TOTP:`
			`Issuer: CloudEP`
			`Algorithm: SHA1`
			`Digits: 6`
			`PeriodSeconds: 30`
			`Window: 1`
			`BackupCodeCount: 10`
			`BackupCodeLength: 12`
			`EnrollTTLSeconds: 600`
			`ReplayTTLSeconds: 90`
			`# 32-byte key encoded as hex (64 chars) or base64; leave empty to disable TOTP.`
			`# Dev-only placeholder for local totp-test; replace in production.`
			`SecretKEK: "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"`
feat(auth): add unified registration/login module with Zitadel + lint cleanup - Introduce auth module: handlers, logic, domain/repository/usecase, JWT middleware, and Zitadel OIDC client (password + authorization code + userinfo + JWKS verification) - Wire member rate-limit, structured errors, and refactored member/ notification usecases (introduce shared errors, drop repo_errors.go) - Bring the codebase to zero golangci-lint issues: * goimports formatting * errcheck on io.ReadAll/Unlock cleanup paths * contextcheck: HandlerContext now takes (ctx, http.Request) gocritic: rename shadowed `max`, use http.NoBody * goconst: extract test fixtures and bsonOpSet * testifylint: switch to assert inside httptest handlers Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 06:45:35 +00:00			`Registration:`
			`RequireInviteCode: true`
			`TrustSocialEmailVerified: true`

			`Auth:`
			`AccessExpire: 900`
			`RefreshExpire: 604800`
			`ActiveKID: v1`
			`# Dev-only placeholders; override via env JWT_ACCESS_SECRET / JWT_REFRESH_SECRET in production.`
			`AccessSecret: "dev-access-secret-32-bytes-min!!"`
			`RefreshSecret: "dev-refresh-secret-32-bytes-min!"`
			`RegistrationSessionTTLSeconds: 600`

feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`Permission:`
			`Casbin:`
			`Enabled: false # 預設關閉；要啟用 RBAC enforcement 時改 true`
			`ModelPath: etc/rbac.conf`
			`PolicyAdapter: auto # auto / redis / mongo`
			`Cache:`
			`UserRolesTTLSeconds: 300`
			`RolePermsTTLSeconds: 300`
			`CatalogTTLSeconds: 600`
			`Reload:`
			`Channel: casbin:reload`
			`DebounceMilliseconds: 200`
			`HeartbeatSeconds: 60`

feat(auth): add unified registration/login module with Zitadel + lint cleanup - Introduce auth module: handlers, logic, domain/repository/usecase, JWT middleware, and Zitadel OIDC client (password + authorization code + userinfo + JWKS verification) - Wire member rate-limit, structured errors, and refactored member/ notification usecases (introduce shared errors, drop repo_errors.go) - Bring the codebase to zero golangci-lint issues: * goimports formatting * errcheck on io.ReadAll/Unlock cleanup paths * contextcheck: HandlerContext now takes (ctx, http.Request) gocritic: rename shadowed `max`, use http.NoBody * goconst: extract test fixtures and bsonOpSet * testifylint: switch to assert inside httptest handlers Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 06:45:35 +00:00			`# ZITADEL identity backend (auth register/login — PR 1+)`
			`# ServiceUserToken: export ZITADEL_SERVICE_TOKEN=...`
			`# OAuthClientSecret: export ZITADEL_OAUTH_CLIENT_SECRET=...`
			`Zitadel:`
			`Issuer: "" # e.g. https://zitadel.example.com`
			`ServiceUserToken: ""`
			`DefaultOrgID: ""`
			`OAuthClientID: ""`
			`OAuthClientSecret: ""`
			`GoogleClientID: ""`
			`GoogleClientSecret: ""`
			`GoogleIdPID: ""`
add fix eage case 2026-05-27 09:28:13 +00:00			`LdapIdPID: ""`
feat(auth): add unified registration/login module with Zitadel + lint cleanup - Introduce auth module: handlers, logic, domain/repository/usecase, JWT middleware, and Zitadel OIDC client (password + authorization code + userinfo + JWKS verification) - Wire member rate-limit, structured errors, and refactored member/ notification usecases (introduce shared errors, drop repo_errors.go) - Bring the codebase to zero golangci-lint issues: * goimports formatting * errcheck on io.ReadAll/Unlock cleanup paths * contextcheck: HandlerContext now takes (ctx, http.Request) gocritic: rename shadowed `max`, use http.NoBody * goconst: extract test fixtures and bsonOpSet * testifylint: switch to assert inside httptest handlers Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 06:45:35 +00:00			`JWKSUrl: ""`
			`TimeoutSeconds: 15`