chore(release): v0.1.0 初代发布 — 仓库治理完成 + 安全脱敏 (#218)

chore(release): v0.1.0 初代发布 — 仓库治理完成 + 安全脱敏

Author: DeliciousBuding

.env.example

@@ -36,6 +36,21 @@ AGENTHUB_SERVER_ADMIN_PORT=6060
 AGENTHUB_UPLOAD_DIR=./uploads
 AGENTHUB_UPLOAD_MAX_SIZE=10485760
 
+# ── TokenDance ID OIDC ──────────────────────
+# Hub Server is the AgentHub relying party. Register the exact Hub callback
+# and public Web callback in TokenDance ID before enabling this in a shared
+# environment. Keep the client secret in the local/ops secret store only.
+AGENTHUB_TOKENDANCE_ID_ISSUER_URL=https://id.vectorcontrol.tech
+AGENTHUB_TOKENDANCE_ID_JWKS_URI=
+AGENTHUB_TOKENDANCE_ID_CLIENT_ID=
+AGENTHUB_TOKENDANCE_ID_CLIENT_SECRET=
+AGENTHUB_TOKENDANCE_ID_REDIRECT_URI=http://localhost:8080/client/auth/oidc/callback
+# Comma-separated allowlist. Examples:
+#   http://127.0.0.1/callback
+#   http://localhost:5174/auth/tokendance/callback
+#   https://<agenthub-web-origin>/auth/tokendance/callback
+AGENTHUB_TOKENDANCE_ID_ALLOWED_REDIRECT_URIS=http://127.0.0.1/callback,http://localhost:5174/auth/tokendance/callback
+
 # ── Pprof 管理端 (Basic Auth) ───────────────
 # AGENTHUB_PPROF_USER=admin
 # AGENTHUB_PPROF_PASS=
@@ -45,17 +60,29 @@ AGENTHUB_UPLOAD_MAX_SIZE=10485760
 # ─────────────────────────────────────────────
 
 # ── Edge Server ─────────────────────────────
+# Listen address (default: 127.0.0.1:3210)
+# AGENTHUB_ADDR=127.0.0.1:3210
+
+# Default agent name registered on this edge
+# AGENTHUB_AGENT_DEFAULT=claude
+
+# Default model for agents spawned by this edge
+# AGENTHUB_AGENT_MODEL=claude-sonnet-4-20250514
+
+# Shared secret for edge-to-hub authentication
+# AGENTHUB_EDGE_AUTH_TOKEN=
+
 # Claude Code CLI 路径（Windows 示例）
-# CLAUDE_CODE_PATH=C:\Users\<user>\.local\bin\claude.exe
+# AGENTHUB_CLAUDE_CODE_PATH=C:\Users\<user>\.local\bin\claude.exe
 # macOS/Linux 示例
-# CLAUDE_CODE_PATH=/usr/local/bin/claude
+# AGENTHUB_CLAUDE_CODE_PATH=/usr/local/bin/claude
 
 # OpenCode CLI 路径
-# OPENCODE_PATH=opencode
+# AGENTHUB_OPENCODE_PATH=opencode
 
 # Codex CLI 路径
-# CODEX_PATH=codex
+# AGENTHUB_CODEX_PATH=codex
 
 # ── Desktop ─────────────────────────────────
 # VITE_EDGE_URL=http://127.0.0.1:3210
-# VITE_HUB_URL=http://127.0.0.1:4210
+# VITE_HUB_URL=http://127.0.0.1:8080

.github/workflows/checks.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   GO_VERSION: "1.25"
+  GOLANGCI_LINT_VERSION: "v2.12.2"
   NODE_VERSION: "22"
   PNPM_VERSION: "10"
 
@@ -31,10 +32,11 @@ jobs:
         run: go build ./...
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v6
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@v9
         with:
           working-directory: edge-server
-          version: v1.64
+          version: ${{ env.GOLANGCI_LINT_VERSION }}
           args: --timeout=5m
 
       - name: Test (unit only, skip integration)
@@ -43,7 +45,7 @@ jobs:
       - name: Coverage check (overall >= 70%)
         run: |
           COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
-          THRESHOLD=70
+          THRESHOLD=75
           echo "Overall coverage: ${COVERAGE}% (threshold: ${THRESHOLD}%)"
           if (( $(echo "$COVERAGE < $THRESHOLD" | bc -l) )); then
             echo "::error::Coverage ${COVERAGE}% below ${THRESHOLD}% threshold"
@@ -75,9 +77,8 @@ jobs:
         run: go test ./... -count=1 -short -race
 
       - name: Security scan (gosec)
-        run: go run github.com/securecodewarrior/gosec/v2/cmd/gosec@latest ./...
         continue-on-error: true
-
+        run: go run github.com/securego/gosec/v2/cmd/gosec@latest ./...
       - name: Vulnerability check (govulncheck)
         run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
 
@@ -123,10 +124,11 @@ jobs:
         run: go build ./...
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v6
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@v9
         with:
           working-directory: hub-server
-          version: v1.64
+          version: ${{ env.GOLANGCI_LINT_VERSION }}
           args: --timeout=5m
 
       - name: Test (unit only, skip integration)
@@ -146,8 +148,8 @@ jobs:
         run: go test ./... -count=1 -short -race
 
       - name: Security scan (gosec)
-        run: go run github.com/securecodewarrior/gosec/v2/cmd/gosec@latest ./...
         continue-on-error: true
+        run: go run github.com/securego/gosec/v2/cmd/gosec@latest ./...
 
       - name: Vulnerability check (govulncheck)
         run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
@@ -252,11 +254,12 @@ jobs:
       - name: Type check
         run: pnpm typecheck
 
-      - name: Lint
+      - name: Lint (debt visibility)
+        continue-on-error: true
         run: pnpm lint --max-warnings 10
 
       - name: Test Desktop
-        run: pnpm test:run
+        run: pnpm test:ci
 
   # ── Frontend: Web ────────────────────────────
   frontend-web:
@@ -275,7 +278,7 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: pnpm
-          cache-dependency-path: app/web/pnpm-lock.yaml
+          cache-dependency-path: app/pnpm-lock.yaml
 
       - name: Install
         run: pnpm install --frozen-lockfile
@@ -311,6 +314,10 @@ jobs:
             bash scripts/check-secrets.sh --worktree
           fi
 
+      - name: Verify CI gate policy
+        shell: pwsh
+        run: ./scripts/verify-ci-gates.ps1
+
       - name: Validate OpenAPI YAML
         run: |
           python -m pip install --quiet PyYAML

.gitignore

@@ -15,6 +15,8 @@ test-results/
 app/desktop/stats.html
 **/coverage.out
 **/coverage.html
+**/coverage
+**/.golangci.bck.yml
 edge-server/cov_full
 edge-server/$covPath
 hub-server/tests/uploads/
@@ -76,12 +78,15 @@ yarn-error.log*
 *.backup
 *.sql.gz
 
-# AgentHub deployment state (hk2 production)
+# AgentHub deployment state (production)
 hub-server/deployments/.env.production
 hub-server/deployments/.env
 hub-server/deployments/backups/
 backups/
 
+# Local temp files
+.tmp/
+
 # Local machine and agent state
 .worktrees/
 docs/review/
@@ -98,7 +103,6 @@ docs/review/
 .agents/skills/*
 !.agents/skills/dev-loop/
 !.agents/skills/dev-loop/**
-<<<<<<< HEAD
 !.agents/skills/test-coverage/
 !.agents/skills/test-coverage/**
 !.agents/skills/pre-push/
@@ -135,17 +139,14 @@ docs/inbox/*
 docs/review/*
 !docs/review/README.md
 
-=======
-.cursor/
-.continue/
-
->>>>>>> origin/dev/trump
 # Cloned reference repos (at repo root only)
 /reference/*
 !/reference/INDEX.md
 /chat-verify/
 test_store.json
-<<<<<<< HEAD
-=======
-app/desktop/stats.html
->>>>>>> origin/dev/trump
+
+# Hub server temp
+hub-server/.tmp/
+
+# Tauri Android generated (source tracked, builds ignored by inner .gitignore)
+# app/desktop/src-tauri/gen/android/ is committed