feat(security): 启动时自动迁移并持久化JWT密钥

- 新增 security_secrets 表及 Ent schema 用于存储系统级密钥 - 启动阶段支持无 jwt.secret 配置并在数据库中自动生成持久化 - 在 Ent 初始化后补齐密钥并执行完整配置校验 - 增加并发与异常分支单元测试，覆盖密钥引导核心路径 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 11:41:20 +08:00
parent 6533a4647d
commit 6b36992d34
27 changed files with 3350 additions and 9 deletions
--- a/backend/cmd/jwtgen/main.go
+++ b/backend/cmd/jwtgen/main.go
@@ -17,7 +17,7 @@ func main() {
 	email := flag.String("email", "", "Admin email to issue a JWT for (defaults to first active admin)")
 	flag.Parse()

-	cfg, err := config.Load()
+	cfg, err := config.LoadForBootstrap()
 	if err != nil {
 		log.Fatalf("failed to load config: %v", err)
 	}
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -137,7 +137,7 @@ func runSetupServer() {
 }

 func runMainServer() {
-	cfg, err := config.Load()
+	cfg, err := config.LoadForBootstrap()
 	if err != nil {
 		log.Fatalf("Failed to load config: %v", err)
 	}