Files
ss-tools/.env.enterprise-clean.example
busya 8fd23f7ea1 refactor(ssl): centralize SSL trust management, remove LLM_SSL_VERIFY
Centralized SSL via one contract: CERTS_PATH=/opt/certs mounted into all containers.

Backend:
  - NEW: backend/src/core/ssl.py — system_ssl_context(), httpx_verify(),
    cert_dir_inventory()
  - LLMClient._get_ssl_verify() → delegates to core.ssl
  - _llm_async_http._get_verify() → delegates to core.ssl
  - Removed LLM_SSL_VERIFY env reading from all runtime code

Docker:
  - NEW: docker/certs.sh — shared cert installer (PEM/DER/cer to .crt conversion,
    update-ca-certificates, hash symlinks, NSS import)
  - NEW: docker/agent.entrypoint.sh — agent entrypoint with cert installation
  - backend.entrypoint.sh → uses certs.sh instead of install_llm_ca_certs
  - Dockerfile.agent → adds ca-certificates, openssl, entrypoint

Compose:
  - Removed LLM_CA_CERT_URLS and LLM_SSL_VERIFY from all compose files
  - Added CERTS_PATH volume mount to agent (dev + enterprise)
  - Added certs volume mount to backend/agent in dev compose

Env examples:
  - Removed LLM_SSL_VERIFY, LLM_CA_CERT_URLS from .env.example,
    .env.enterprise-clean.example, .env.current.example, .env.master.example,
    backend/.env.example
  - Enhanced CERTS_PATH comments with accepted formats

Diagnostics:
  - diag_container.py: removed LLM_* checks, added CERTS_PATH inventory,
    uses core.ssl for context creation

Tests:
  - Updated test_llm_analysis_service, test_llm_async_http,
    test_client_headers to verify centralized ssl context (no env disable)
  - 4/4 SSL tests pass
2026-07-06 21:00:28 +03:00

100 lines
4.3 KiB
Plaintext

# #region env.enterprise-clean [C:2] [TYPE Module] [SEMANTICS env,docker,enterprise]
# @BRIEF Переменные окружения для docker-compose.enterprise-clean.yml.
# Сервисы собираются из исходников — не требуют pre-built images.
# Используется внешний PostgreSQL (корпоративный).
# @LAYER Infrastructure
# @RELATION DEPENDS_ON -> [docker-compose.enterprise-clean.yml]
# #endregion env.enterprise-clean
# ======================================================================
# PostgreSQL (внешний, корпоративный) — ОБЯЗАТЕЛЬНО
# ======================================================================
POSTGRES_HOST=postgres.company.local
POSTGRES_PORT=5432
POSTGRES_DB=ss_tools
POSTGRES_USER=postgres
POSTGRES_PASSWORD=change-me
# ======================================================================
# Порты хоста
# ======================================================================
BACKEND_HOST_PORT=8001
FRONTEND_HOST_PORT=8000
FRONTEND_SSL_PORT=443
AGENT_HOST_PORT=7860
# ======================================================================
# Безопасность (ОБЯЗАТЕЛЬНО)
# ======================================================================
# JWT-ключ подписи токенов — единый для backend и agent.
# Сгенерировать: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
AUTH_SECRET_KEY=change-me-to-a-random-secret-32-chars-min
# Fernet-ключ шифрования паролей подключений и API-ключей.
# Сгенерировать: python3 -c "import base64,os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())"
ENCRYPTION_KEY=3YIxOr3_GFht9ZyjRQMqOdtuO1CKOj8Y9mpY89iMbZY=
# Сервисный токен для agent→backend вызовов.
# Сгенерировать: python3 -c "import secrets; print('svc-' + secrets.token_urlsafe(24))"
SERVICE_JWT=agent-service-secret
# ======================================================================
# Сертификаты (корпоративные)
# ======================================================================
CERTS_PATH=./certs
SSL_KEY_PASSPHRASE=
# ======================================================================
# LLM / AI провайдеры
# ======================================================================
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
# Агент: LLM настройки (если не подтягиваются из FastAPI /api/agent/llm-config)
LLM_API_KEY=
LLM_BASE_URL=https://api.openai.com/v1
LLM_MODEL=gpt-4o
# ======================================================================
# Логирование
# ======================================================================
ENABLE_BELIEF_STATE_LOGGING=true
TASK_LOG_LEVEL=INFO
# ======================================================================
# Admin bootstrap (первый запуск)
# ======================================================================
INITIAL_ADMIN_CREATE=false
INITIAL_ADMIN_USERNAME=admin
INITIAL_ADMIN_PASSWORD=change-me
INITIAL_ADMIN_EMAIL=
# ======================================================================
# CORS / Безопасность деплоя
# ======================================================================
ALLOWED_ORIGINS=http://localhost:8000
FORCE_HTTPS=false
APP_TIMEZONE=Europe/Moscow
# ======================================================================
# Features
# ======================================================================
FEATURES__DATASET_REVIEW=true
FEATURES__HEALTH_MONITOR=true
# ======================================================================
# Агент (опциональные тонкие настройки)
# ======================================================================
# GRADIO_ALLOW_PORT_FALLBACK=true
# AGENT_ENABLE_LLM_TITLES=true
# AGENT_TITLE_GENERATION_TIMEOUT_S=0.25
# AGENT_PREFETCH_DASHBOARD_LIMIT=25
# AGENT_CONFIRM_TOOLS=false
# AGENT_INTERRUPT_BEFORE=
# ======================================================================
# ADFS SSO (опционально)
# ======================================================================
# ADFS_CLIENT_ID=
# ADFS_CLIENT_SECRET=
# ADFS_METADATA_URL=