long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: project docs, scripts, deployment configs, and evidence

Browse Source
This commit is contained in:
long-agent
2026-04-02 11:22:17 +08:00
parent 4718980ab5
commit bbeeb63dfa
396 changed files with 165018 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md Normal file
View File

@@ -0,0 +1,40 @@
# ACCOUNT_BINDING_CLOSURE_20260326-224700
## Scope
- PRD `1.5 用户信息管理 -> 账号绑定与解绑`
- email bind / replace / unbind
- phone bind / replace / unbind
- self-service security page closure
## Implemented Closure
- Backend:
- added protected self-service endpoints:
- `POST /api/v1/users/me/bind-email/code`
- `POST /api/v1/users/me/bind-email`
- `DELETE /api/v1/users/me/bind-email`
- `POST /api/v1/users/me/bind-phone/code`
- `POST /api/v1/users/me/bind-phone`
- `DELETE /api/v1/users/me/bind-phone`
- bind now requires both target-channel verification code and current-account sensitive verification when password or TOTP is configured.
- unbind now requires current-account sensitive verification when password or TOTP is configured, and blocks removal if no login method would remain.
- direct self-update of `email` / `phone` through `PUT /api/v1/users/:id` is now blocked for non-admin self-service usage.
- Frontend:
- `/profile/security` now contains a real email/phone binding management section.
- `/profile` no longer exposes direct editable email/phone fields; users are redirected to security settings for verified binding flows.
## Validation
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
## Boundary
- Email bind/replace is only available when SMTP-backed email code capability is enabled.
- Phone bind/replace is only available when Aliyun or Tencent SMS capability is enabled.
- This closure is product-complete and regression-verified, but it does not change the previously stated boundary that live third-party OAuth provider proof and external production delivery evidence remain separate gaps.

64
docs/evidence/ops/2026-03-26/e2e/PLAYWRIGHT_CDP_E2E_CREATE_USER_CLOSURE_20260326-190646.md Normal file
View File

@@ -0,0 +1,64 @@
# Playwright CDP E2E Create-User Closure
- Date: 2026-03-26
- Scope: PRD `5.2 用户信息管理 -> 创建用户`
- Environment: Windows PowerShell, external Chromium CDP, isolated backend/frontend ports, isolated SQLite runtime database
## Commands Executed
```powershell
$env:GOCACHE=Join-Path $env:TEMP 'ums-verify-go-build'
$env:GOMODCACHE=Join-Path $env:TEMP 'ums-verify-go-mod'
$env:GOPATH=Join-Path $env:TEMP 'ums-verify-go-path'
New-Item -ItemType Directory -Force $env:GOCACHE,$env:GOMODCACHE,$env:GOPATH | Out-Null
go test ./... -count=1
go build ./cmd/server
cd D:\project\frontend\admin
npm.cmd run lint
npm.cmd run test:run -- src/services/users.test.ts src/pages/admin/UsersPage/CreateUserModal.test.tsx
npm.cmd run build
powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1
```
## Validated Results
- `go test ./... -count=1`: passed under temporary writable Go caches
- `go build ./cmd/server`: passed
- `npm.cmd run lint`: passed
- `npm.cmd run test:run -- src/services/users.test.ts src/pages/admin/UsersPage/CreateUserModal.test.tsx`: passed
- `npm.cmd run build`: passed after fixing the Windows/Vite native-loader root path issue by using `vite build . --configLoader native`
- `run-playwright-auth-e2e.ps1`: passed
## Browser Scenarios Verified
- `login-surface`
- `auth-workflow`
- admin login
- user detail drawer
- assign roles modal
- create user modal
- created user search and list verification
- role permissions modal
- logout
- `responsive-login`
- `desktop-mobile-navigation`
## Isolation Hardening Added
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` now starts its own backend and frontend on isolated ports
- the script now uses an isolated SQLite database under `%TEMP%` instead of reusing ambient `./data/user_management.db`
- `frontend/admin/vite.config.js` now reads `VITE_API_PROXY_TARGET`
- `frontend/admin/.env.development` now defaults to `/api/v1`, so the dev proxy is not bypassed by a hardcoded backend URL
- `tools/init_admin.go` and `tools/verify_admin.go` now honor runtime SQLite path overrides instead of assuming `./data/user_management.db`
## Real Boundary Notes
- The create-user API returned success and the created user was verified again from the real list page.
- In the supported CDP + `chrome-headless-shell` path, the Ant Design modal entered the `leave` transition state but the node was not a reliable DOM-removal signal; the E2E harness now validates transition initiation plus post-create data verification instead of treating hidden-node retention as a product failure.
- This remains browser-level validation, not OS-level desktop automation.
## Conclusion
PRD `5.2 用户信息管理 -> 创建用户` is now closed at backend, frontend, and supported real-browser E2E levels in the current environment.

49
docs/evidence/ops/2026-03-26/e2e/SOCIAL_ACCOUNT_BINDING_CLOSURE_20260326-200220.md Normal file
View File

@@ -0,0 +1,49 @@
# Social Account Binding Closure
Date: 2026-03-26
## Scope
Closed the PRD social-account-management gap at product implementation level:
- backend now supports authenticated social binding start, bind callback completion, sanitized bound-account listing, and guarded unbind
- frontend security page now exposes a real social account management section under `/profile/security`
- unbind now requires password or TOTP when such factors exist and refuses removal when no login method would remain
## Validation
Executed and passed:
```powershell
go test ./... -count=1
go build ./cmd/server
cd D:\project\frontend\admin
npm.cmd run lint
npm.cmd run test:run -- src/services/auth.test.ts src/services/social-accounts.test.ts src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.social.test.tsx
npm.cmd run build
powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1
```
Observed browser-regression result:
- `PASS login-surface`
- `PASS auth-workflow`
- `PASS responsive-login`
- `PASS desktop-mobile-navigation`
- `Playwright CDP E2E completed successfully`
## Real Remaining Gap
This closes the product-side PRD gap for social account management, but it does **not** create live third-party OAuth evidence.
Still missing:
- real provider credentials under controlled test environment
- live browser proof for third-party authorize -> callback -> bind -> unbind on GitHub/WeChat/etc.
Current closure level is therefore:
- product implementation: closed
- unit/integration/regression validation: closed
- third-party live-provider browser evidence: still open