feat(feishu): carry Lighthouse bridge into v0.8.37

Add the Feishu/Lark long-connection bridge, Tencent Lighthouse runbooks, CNB mirror guidance, CNB tag release pipeline, and China-friendly update fallback documentation for the v0.8.37 line.
2026-05-14 03:56:03 -05:00
parent 019d55694a
commit 9483248a9f
32 changed files with 3795 additions and 35 deletions
@@ -0,0 +1,52 @@
+# CNB Deploy Templates
+
+The root `.cnb.yml` is intentionally source-controlled in GitHub because CNB is
+a one-way mirror from GitHub. Do not add or edit `.cnb.yml` only on the CNB
+side; the next GitHub sync will overwrite it.
+
+The active root `.cnb.yml` does two things:
+
+- runs Feishu bridge and version-drift checks when CNB receives `main`;
+- builds Linux x64 release assets from `v*` tags, creates the CNB release, and
+  uploads `deepseek-linux-x64`, `deepseek-tui-linux-x64`, and
+  `deepseek-artifacts-sha256.txt`.
+
+The files in this directory are retained as deploy-button templates for Tencent
+Lighthouse. Copy only the deploy environment file after the Lighthouse instance
+is already working manually:
+
+```bash
+mkdir -p .cnb
+cp deploy/tencent-lighthouse/cnb/tag_deploy.yml.example .cnb/tag_deploy.yml
+```
+
+If you also need to customize `.cnb.yml`, edit the root file in GitHub and let
+the one-way mirror carry it to CNB.
+
+## Required CNB Secrets
+
+Configure these as protected CNB environment variables or secrets:
+
+- `LIGHTHOUSE_HOST`: public IP or DNS name of the Lighthouse instance
+- `LIGHTHOUSE_SSH_TARGET`: SSH target, for example `ubuntu@203.0.113.10`
+- `LIGHTHOUSE_SSH_PRIVATE_KEY`: private deploy key allowed to update the server
+- `DEEPSEEK_REPO_BRANCH`: branch or tag to deploy, for example `main`
+
+Optional:
+
+- `DEEPSEEK_REPO_URL`: defaults to the CNB mirror URL
+- `LIGHTHOUSE_SSH_PORT`: defaults to `22`
+
+The server side should already have `/opt/whalebro/deepseek-tui`,
+`/etc/deepseek/runtime.env`, `/etc/deepseek/feishu-bridge.env`, and the
+systemd services from `docs/TENCENT_LIGHTHOUSE_HK.md`.
+
+## Safety Notes
+
+- Do not store Feishu App Secret or DeepSeek API keys in CNB. They belong in
+  `/etc/deepseek/*.env` on Lighthouse.
+- Do not expose `127.0.0.1:7878` through EdgeOne, a security group, or a public
+  reverse proxy.
+- Start with a manual deploy button. Automatic deploy on every `main` push is
+  convenient later, but it can consume CNB quota and restart the phone bridge
+  while a turn is active.
@@ -0,0 +1,87 @@
+# Historical CNB config template for the Tencent Lighthouse remote-first path.
+# The active pipeline now lives in the repository-root .cnb.yml so the GitHub
+# -> CNB one-way mirror cannot overwrite CNB-only pipeline edits.
+
+main:
+  push:
+    - docker:
+        image: node:22-bookworm
+      stages:
+        - name: feishu bridge tests
+          script: |
+            cd integrations/feishu-bridge
+            npm install
+            npm run check
+            npm test
+
+    - docker:
+        image: rust:1.88-bookworm
+      stages:
+        - name: release version check
+          script: |
+            ./scripts/release/check-versions.sh
+
+  web_trigger_lighthouse:
+    - docker:
+        image: cnbcool/default-build-env:latest
+      stages:
+        - name: deploy to lighthouse
+          script: |
+            set -euo pipefail
+
+            : "${LIGHTHOUSE_HOST:?Set LIGHTHOUSE_HOST in CNB secrets}"
+            : "${LIGHTHOUSE_SSH_TARGET:?Set LIGHTHOUSE_SSH_TARGET in CNB secrets}"
+            : "${LIGHTHOUSE_SSH_PRIVATE_KEY:?Set LIGHTHOUSE_SSH_PRIVATE_KEY in CNB secrets}"
+
+            if ! command -v ssh >/dev/null 2>&1 || ! command -v ssh-keyscan >/dev/null 2>&1; then
+              apt-get update
+              apt-get install -y openssh-client
+            fi
+
+            LIGHTHOUSE_SSH_PORT="${LIGHTHOUSE_SSH_PORT:-22}"
+            DEEPSEEK_REPO_BRANCH="${DEEPSEEK_REPO_BRANCH:-main}"
+            DEEPSEEK_REPO_URL="${DEEPSEEK_REPO_URL:-https://cnb.cool/deepseek-tui.com/DeepSeek-TUI.git}"
+
+            install -m 700 -d ~/.ssh
+            printf '%s\n' "$LIGHTHOUSE_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+            chmod 600 ~/.ssh/id_ed25519
+            ssh-keyscan -p "$LIGHTHOUSE_SSH_PORT" -H "$LIGHTHOUSE_HOST" >> ~/.ssh/known_hosts
+
+            ssh -p "$LIGHTHOUSE_SSH_PORT" "$LIGHTHOUSE_SSH_TARGET" \
+              "DEEPSEEK_REPO_BRANCH='$DEEPSEEK_REPO_BRANCH' DEEPSEEK_REPO_URL='$DEEPSEEK_REPO_URL' bash -s" <<'REMOTE'
+            set -euo pipefail
+
+            if [ ! -d /opt/whalebro/deepseek-tui/.git ]; then
+              sudo -u deepseek git clone --branch "$DEEPSEEK_REPO_BRANCH" "$DEEPSEEK_REPO_URL" /opt/whalebro/deepseek-tui
+            fi
+
+            cd /opt/whalebro/deepseek-tui
+            if [ -n "$(sudo -u deepseek git status --porcelain)" ]; then
+              echo "Refusing to deploy over a dirty /opt/whalebro/deepseek-tui checkout." >&2
+              sudo -u deepseek git status --short
+              exit 1
+            fi
+
+            sudo -u deepseek git fetch --all --tags
+            if sudo -u deepseek git rev-parse --verify --quiet "refs/remotes/origin/$DEEPSEEK_REPO_BRANCH" >/dev/null; then
+              sudo -u deepseek git checkout -B "$DEEPSEEK_REPO_BRANCH" "origin/$DEEPSEEK_REPO_BRANCH"
+            elif sudo -u deepseek git rev-parse --verify --quiet "refs/tags/$DEEPSEEK_REPO_BRANCH" >/dev/null; then
+              sudo -u deepseek git checkout --detach "$DEEPSEEK_REPO_BRANCH"
+            else
+              sudo -u deepseek git checkout "$DEEPSEEK_REPO_BRANCH"
+              sudo -u deepseek git pull --ff-only
+            fi
+
+            sudo -iu deepseek bash -lc '
+              set -euo pipefail
+              . "$HOME/.cargo/env"
+              cd /opt/whalebro/deepseek-tui
+              cargo install --path crates/cli --locked --force
+              cargo install --path crates/tui --locked --force
+            '
+
+            sudo bash scripts/tencent-lighthouse/install-services.sh
+            sudo systemctl restart deepseek-runtime
+            sudo systemctl restart deepseek-feishu-bridge
+            sudo bash scripts/tencent-lighthouse/doctor.sh
+            REMOTE
@@ -0,0 +1,16 @@
+# Example CNB deployment environment.
+# Copy to .cnb/tag_deploy.yml only after the Lighthouse deploy target is ready.
+
+environments:
+  - name: lighthouse-hk
+    description: Deploy DeepSeek TUI to Tencent Lighthouse Hong Kong.
+    env:
+      name: lighthouse-hk
+    button:
+      - name: Deploy Lighthouse
+        description: Update /opt/whalebro/deepseek-tui, restart services, and run the Lighthouse doctor.
+        event: web_trigger_lighthouse
+        isDefault: true
+        permissions:
+          roles:
+            - master
@@ -0,0 +1,21 @@
+FEISHU_APP_ID=cli_xxxxxxxxxxxxxxxx
+FEISHU_APP_SECRET=replace-with-app-secret
+FEISHU_DOMAIN=feishu
+
+DEEPSEEK_RUNTIME_URL=http://127.0.0.1:7878
+DEEPSEEK_RUNTIME_TOKEN=replace-with-same-token-as-runtime-env
+DEEPSEEK_WORKSPACE=/opt/whalebro
+DEEPSEEK_MODEL=auto
+DEEPSEEK_MODE=agent
+DEEPSEEK_ALLOW_SHELL=true
+DEEPSEEK_TRUST_MODE=false
+DEEPSEEK_AUTO_APPROVE=false
+DEEPSEEK_CHAT_ALLOWLIST=
+DEEPSEEK_ALLOW_UNLISTED=false
+
+FEISHU_THREAD_MAP_PATH=/var/lib/deepseek-feishu-bridge/thread-map.json
+FEISHU_ALLOW_GROUPS=false
+FEISHU_REQUIRE_PREFIX_IN_GROUP=true
+FEISHU_GROUP_PREFIX=/ds
+FEISHU_MAX_REPLY_CHARS=3500
+DEEPSEEK_TURN_TIMEOUT_MS=900000
@@ -0,0 +1,5 @@
+DEEPSEEK_RUNTIME_TOKEN=replace-with-long-random-token
+DEEPSEEK_RUNTIME_PORT=7878
+DEEPSEEK_RUNTIME_WORKERS=2
+DEEPSEEK_API_KEY=replace-with-deepseek-platform-key
+RUST_LOG=info
@@ -0,0 +1,21 @@
+# AGENTS.md
+
+This directory is a remote travel workspace, not a single project.
+
+Expected layout:
+
+- `deepseek-tui/` - canonical runtime/bridge checkout. The supported CLI is
+  `deepseek`; install both `crates/cli` and `crates/tui`.
+- `whalescale/` - product repo. Active surface is `whalescale-desktop/`.
+- `worktrees/` - remote worktrees created on this VPS.
+
+Operational rules:
+
+- Treat `/opt/whalebro` as the workspace root for phone-controlled work.
+- Keep `deepseek serve --http` bound to `127.0.0.1`.
+- Use SSH keys for Git remotes and never paste secrets into prompts, logs, or
+  committed files.
+- Mac-only release tasks such as iOS simulator runs, `.app` packaging, DMG
+  verification, notarization, and Apple signing still need the local Mac.
+- If a project has its own `AGENTS.md`, read it before editing inside that
+  project.
@@ -0,0 +1,21 @@
+[Unit]
+Description=DeepSeek Feishu/Lark Phone Bridge
+Wants=network-online.target deepseek-runtime.service
+After=network-online.target deepseek-runtime.service
+
+[Service]
+Type=simple
+User=deepseek
+Group=deepseek
+WorkingDirectory=/opt/deepseek/bridge
+EnvironmentFile=/etc/deepseek/feishu-bridge.env
+ExecStart=/usr/bin/node /opt/deepseek/bridge/src/index.mjs
+Restart=on-failure
+RestartSec=5
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=full
+ReadWritePaths=/var/lib/deepseek-feishu-bridge
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,21 @@
+[Unit]
+Description=DeepSeek TUI Runtime API
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=deepseek
+Group=deepseek
+WorkingDirectory=/opt/whalebro
+EnvironmentFile=/etc/deepseek/runtime.env
+ExecStart=/home/deepseek/.cargo/bin/deepseek serve --http --host 127.0.0.1 --port ${DEEPSEEK_RUNTIME_PORT} --workers ${DEEPSEEK_RUNTIME_WORKERS} --auth-token ${DEEPSEEK_RUNTIME_TOKEN}
+Restart=on-failure
+RestartSec=5
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=full
+ReadWritePaths=/home/deepseek/.deepseek /opt/whalebro
+
+[Install]
+WantedBy=multi-user.target