54 lines
3.4 KiB
Markdown
54 lines
3.4 KiB
Markdown
# Known Limitations & Production Gaps (V0.1)
|
|
|
|
This document covers known limitations that operators should be aware of before deploying `sub2api-cn-relay-manager` v0.1 to production.
|
|
|
|
## Core Limitations
|
|
|
|
### 1. Automated Reconcile Is Available, but Disabled by Default (P2)
|
|
- A built-in background reconcile worker is now available in the control plane server.
|
|
- It is gated by `SUB2API_CRM_RECONCILE_WORKER_ENABLED=true` and uses `SUB2API_CRM_RECONCILE_POLL_INTERVAL` for cadence.
|
|
- The current scheduler model is still a simple polling runner rather than a full generic jobs platform.
|
|
- Manual `POST /api/providers/{providerID}/reconcile` and CLI reconcile remain supported.
|
|
|
|
### 2. Real sub2api Compatibility Is Verified on a Fresh Host, but Requires Explicit Operator Preparation
|
|
- Real-host validation has now been executed against a fresh redeployed sub2api host.
|
|
- Evidence: `artifacts/real-host-acceptance/20260518_redeploy_matrix`.
|
|
- Both `self_service` and `subscription` ordinary-user access paths reached `/v1/models -> 200`.
|
|
- However, host initialization alone is not enough: operators must explicitly create ordinary users, keep reusable credentials, bind keys to the correct group, and satisfy the billing/subscription prerequisites documented in `docs/REAL_HOST_ACCEPTANCE_RUNBOOK.md`.
|
|
- This is therefore no longer a code-compatibility blocker; it is an explicit operational prerequisite.
|
|
|
|
### 3. Standard Multi-stage Docker Build Still Depends on Outbound Module Download
|
|
- `Dockerfile.local` has been validated as the recommended proxy-safe build path.
|
|
- `scripts/deploy/build_local_image.sh` now prebuilds the Linux binary on the host and produces `sub2api-cn-relay-manager:local` reliably in this environment.
|
|
- The standard multi-stage `Dockerfile` still requires outbound Go module download from inside the container build context; in restricted networks, prefer the local-image path.
|
|
|
|
## Accepted Design Trade-offs
|
|
|
|
### 4. CLI Run Functions Not Unit-Tested
|
|
- `runInstallPack`, `runImportProvider`, `runPreviewProvider`, `runRollbackProvider`, `runReconcileProvider`, `findProvider` connect to real SQLite/sub2api — these are 0% covered in unit tests.
|
|
- The `execute()` dispatch and all `parse*` functions are fully tested.
|
|
- In an integration/E2E context these functions are exercised through the host stub.
|
|
|
|
### 5. No Web UI
|
|
- Administration is through CLI and HTTP API only.
|
|
- Consistent with MVP scope defined in PRD.
|
|
|
|
## Operational Notes
|
|
|
|
### Token Security
|
|
- `SUB2API_CRM_ADMIN_TOKEN` must be at least 20 characters, rotated outside source control.
|
|
- To support continuous background reconcile, the latest access closure now persists probe metadata in control-plane state:
|
|
`self_service` stores the probe API key, and `subscription` stores the subscription user selector metadata.
|
|
- Operators should therefore treat the SQLite database as secret-bearing state and protect it accordingly.
|
|
|
|
### Database
|
|
- SQLite is the only supported database backend for v0.1.
|
|
- SQLite WAL mode is handled automatically by the driver.
|
|
- For high availability, mount the SQLite file on persistent storage (host volume or NFS).
|
|
- No external DB migration tool is needed — Flyway-style migrations are embedded in the binary.
|
|
|
|
### Monitoring
|
|
- Only `/healthz` endpoint is available for container orchestration liveness checks.
|
|
- No metrics, structured logging, or APM integration in v0.1.
|
|
- Use standard log collection (stdout/json) for observability.
|