feat: add release hardening, auth, CI, and deployment

Author: PPPPanda

.env.example

@@ -0,0 +1,14 @@
+# ContentPipe service
+CONTENTPIPE_HOST=0.0.0.0
+CONTENTPIPE_PORT=8765
+CONTENTPIPE_PUBLIC_BASE_URL=http://localhost:8765
+CONTENTPIPE_AUTH_TOKEN=change-me
+CONTENTPIPE_NOTIFY_CHANNEL=
+CONTENTPIPE_LOG_LEVEL=INFO
+
+# OpenClaw Gateway
+OPENCLAW_GATEWAY_URL=http://host.docker.internal:18789
+
+# Optional publishing credentials
+WECHAT_APPID=
+WECHAT_SECRET=

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+          cache-dependency-path: |
+            requirements.txt
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt pytest
+      - name: Compile check
+        run: python -m compileall scripts
+      - name: Run tests
+        run: pytest -q

.gitignore

@@ -23,6 +23,7 @@ Thumbs.db
 # Secrets / local config
 .env
 .env.*
+!.env.example
 settings.local.yaml
 
 # Build artifacts

CONTRIBUTING.md

@@ -0,0 +1,38 @@
+# Contributing
+
+Thanks for contributing to ContentPipe.
+
+## Local Setup
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+pip install pytest
+./start.sh start
+```
+
+## Before Opening a PR
+
+Please run:
+
+```bash
+python3 -m compileall scripts
+pytest
+```
+
+## Commit Style
+
+Prefer Conventional Commits:
+
+- `feat:` new feature
+- `fix:` bug fix
+- `docs:` documentation only
+- `refactor:` internal restructuring
+- `test:` tests
+- `chore:` maintenance
+
+## Scope
+
+Small, focused PRs are preferred.
+If you touch prompts, config, templates, and code together, explain why in the PR body.

Dockerfile

@@ -0,0 +1,15 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 8765
+
+CMD ["python3", "-m", "uvicorn", "web.app:app", "--app-dir", "scripts", "--host", "0.0.0.0", "--port", "8765"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ssp
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -198,6 +198,8 @@ CONTENTPIPE_PORT=8765
 CONTENTPIPE_HOST=0.0.0.0
 CONTENTPIPE_NOTIFY_CHANNEL=<discord_channel_id>
 CONTENTPIPE_PUBLIC_BASE_URL=http://localhost:8765
+CONTENTPIPE_AUTH_TOKEN=change-me
+CONTENTPIPE_LOG_LEVEL=INFO
 
 WECHAT_APPID=...
 WECHAT_SECRET=...
@@ -209,6 +211,7 @@ ANTHROPIC_API_KEY=...
 说明：
 - `CONTENTPIPE_NOTIFY_CHANNEL` 为空时，不会发送 Discord 通知
 - `CONTENTPIPE_PUBLIC_BASE_URL` 用于 Discord 通知里的回链地址
+- `CONTENTPIPE_AUTH_TOKEN` 非空时，Web UI / API 会开启鉴权（浏览器登录或请求头 `X-ContentPipe-Token`）
 - 发布相关密钥建议只通过环境变量或本地未跟踪配置注入
 
 ---
@@ -225,14 +228,27 @@ ANTHROPIC_API_KEY=...
 ./start.sh restart
 ```
 
-### 6.2 直接启动 uvicorn
+### 6.2 Docker 一键部署（推荐给外部用户）
+
+```bash
+cp .env.example .env
+# 修改 .env 里的 CONTENTPIPE_AUTH_TOKEN / OPENCLAW_GATEWAY_URL
+
+docker compose up -d --build
+```
+
+启动后：
+- Web UI: `http://localhost:8765`
+- 首次访问会要求输入 `CONTENTPIPE_AUTH_TOKEN`
+
+### 6.3 直接启动 uvicorn
 
 ```bash
 cd scripts
 python3 -m uvicorn web.app:app --host 0.0.0.0 --port 8765
 ```
 
-### 6.3 健康检查
+### 6.4 健康检查
 
 ```bash
 curl http://localhost:8765/api/health
@@ -378,12 +394,16 @@ git push origin main
 
 ---
 
-## 12. License / 使用说明
+## 12. License / 开源配套文件
 
-仓库当前未附带正式许可证文件；在公开发布前，建议补充：
+仓库当前已经补齐以下公开发布基础文件：
 
-- `LICENSE`
+- `LICENSE`（MIT）
 - `CONTRIBUTING.md`
 - `SECURITY.md`
 
-如果你计划公开给其他人部署，这三项最好补齐。
+如果你准备正式 release，建议下一步继续补：
+
+- `CHANGELOG.md`
+- GitHub Release notes
+- 部署示例截图 / demo 数据

SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Current maintained line:
+
+- `0.7.x`
+
+## Reporting a Vulnerability
+
+Please do **not** open a public GitHub issue for security-sensitive findings.
+
+Instead, report privately to the maintainer with:
+
+- affected version / commit
+- reproduction steps
+- expected vs actual behavior
+- impact assessment
+- suggested fix (optional)
+
+## Deployment Guidance
+
+Before exposing ContentPipe beyond localhost, you should:
+
+- set `CONTENTPIPE_AUTH_TOKEN`
+- place the service behind HTTPS / reverse proxy
+- restrict network exposure where possible
+- keep API keys in environment variables, not committed files
+- review upload limits and publishing credentials

docker-compose.yml

@@ -0,0 +1,15 @@
+version: "3.9"
+
+services:
+  contentpipe:
+    build: .
+    container_name: contentpipe
+    restart: unless-stopped
+    ports:
+      - "8765:8765"
+    env_file:
+      - .env
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - ./output:/app/output

scripts/logutil.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+import logging
+import os
+
+_LEVEL = os.environ.get("CONTENTPIPE_LOG_LEVEL", "INFO").upper()
+
+logging.basicConfig(
+    level=getattr(logging, _LEVEL, logging.INFO),
+    format="%(asctime)s | %(levelname)s | %(name)s | %(message)s",
+)
+
+
+def get_logger(name: str) -> logging.Logger:
+    return logging.getLogger(name)