feat(deploy): v0.7.0 一键上传脚本(Windows PS) + nginx 脱敏脚本

upload-frontend-v0.7.0.ps1:
- 自动打包 4 端 dist + scp + ssh 解压
- 用户只需在 PowerShell 跑一次

nginx-access-log-redact.sh:
- 自定义 log_format(去掉 Authorization/Cookie)
- 支持 --rollback 回滚
- nginx -t 验证语法 + nginx -s reload 热重载

Co-Authored-By: Claude <noreply@anthropic.com>

deploy-server/nginx-access-log-redact.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# =============================================================================
+# nginx access_log 脱敏脚本(生产服务器跑)
+# =============================================================================
+# 作用:把默认的 access_log 换成自定义 log_format,删除 Authorization/Cookie 等
+#      敏感 header,避免泄漏到日志
+# 用法:bash nginx-access-log-redact.sh
+# 回滚:bash nginx-access-log-redact.sh --rollback
+# =============================================================================
+
+set -e
+
+CONTAINER="wecom_it_nginx"   # 注意是下划线
+CONF_PATH="/etc/nginx/conf.d/log-format.conf"
+BACKUP_PATH="/etc/nginx/conf.d/log-format.conf.bak"
+
+if [[ "$1" == "--rollback" ]]; then
+    echo "[ROLLBACK] 恢复默认 access_log..."
+    docker exec "$CONTAINER" bash -c "
+        if [[ -f $BACKUP_PATH ]]; then
+            mv $BACKUP_PATH $CONF_PATH
+        else
+            echo 'access_log /var/log/nginx/access.log;' > $CONF_PATH
+        fi
+    "
+    docker exec "$CONTAINER" nginx -t
+    docker exec "$CONTAINER" nginx -s reload
+    echo "[OK] 已回滚到默认 access_log"
+    exit 0
+fi
+
+echo "[1/5] 备份现有 log-format.conf(如有)..."
+docker exec "$CONTAINER" bash -c "
+    if [[ -f $CONF_PATH ]]; then
+        cp $CONF_PATH $BACKUP_PATH
+    fi
+"
+
+echo "[2/5] 写入脱敏 log_format 配置..."
+docker exec "$CONTAINER" bash -c "cat > $CONF_PATH << 'EOF'
+# 自定义 access_log 格式 — 删除 Authorization/Cookie 等敏感 header
+# 仅保留请求方法 + URI + 状态码 + 字节数 + UA + Referer
+log_format secure \$remote_addr - \$remote_user [\$time_local] \"\$request_method \$uri \$server_protocol\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\";
+
+# 应用:覆盖默认 access_log
+access_log /var/log/nginx/access.log secure;
+EOF
+"
+
+echo "[3/5] 验证配置文件..."
+docker exec "$CONTAINER" cat $CONF_PATH
+echo ""
+
+echo "[4/5] nginx -t 验证语法..."
+docker exec "$CONTAINER" nginx -t
+echo ""
+
+echo "[5/5] reload nginx(不中断连接)..."
+docker exec "$CONTAINER" nginx -s reload
+echo ""
+
+echo "========================================"
+echo "[OK] nginx access_log 脱敏已生效"
+echo "========================================"
+echo ""
+echo "验证:tail 一下 access.log 看新格式"
+echo "  docker exec $CONTAINER tail -5 /var/log/nginx/access.log"
+echo ""
+echo "回滚:bash nginx-access-log-redact.sh --rollback"

deploy-server/upload-frontend-v0.7.0.ps1

@@ -0,0 +1,67 @@
+# =============================================================================
+# v0.7.0 前端 dist 一键上传到生产
+# =============================================================================
+# 用途:打包 4 端 dist + scp 到生产 + 在生产解压 + 重载 nginx
+# 用法:在 Windows PowerShell 7+ 跑 .\upload-frontend-v0.7.0.ps1
+# 前置:已 PuTTY 跳到堡垒机 → 再到生产(同一会话)
+# =============================================================================
+
+$ErrorActionPreference = "Stop"
+
+$ProjectRoot = "D:\资料\03-项目开发\wecom_it_smart_desk-claude"
+$TarPath = "$env:TEMP\frontend-v0.7.0.tar.gz"
+$Server = "root@10.90.5.110"
+
+Write-Host "========================================" -ForegroundColor Cyan
+Write-Host " v0.7.0 前端 dist 一键上传" -ForegroundColor Cyan
+Write-Host "========================================" -ForegroundColor Cyan
+Write-Host ""
+
+# 步骤 1:打包 4 端 dist
+Write-Host "[1/4] 打包 4 端 dist..." -ForegroundColor Yellow
+Set-Location $ProjectRoot
+& tar -czf $TarPath `
+  frontend-admin/dist `
+  frontend-agent/dist `
+  frontend-portal/dist `
+  frontend-h5/dist
+$Size = (Get-Item $TarPath).Length / 1MB
+Write-Host "    OK: $TarPath ($([math]::Round($Size, 2)) MB)" -ForegroundColor Green
+
+# 步骤 2:scp 到生产
+Write-Host ""
+Write-Host "[2/4] scp 到生产 $Server:/tmp/..." -ForegroundColor Yellow
+Write-Host "    (会提示输入密码,用 PuTTY 的密码)" -ForegroundColor Gray
+& scp -o StrictHostKeyChecking=no -o ConnectTimeout=30 $TarPath "${Server}:/tmp/frontend-v0.7.0.tar.gz"
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "    FAILED: scp 失败" -ForegroundColor Red
+    exit 1
+}
+Write-Host "    OK" -ForegroundColor Green
+
+# 步骤 3:在生产解压(走 ssh,需要输密码)
+Write-Host ""
+Write-Host "[3/4] ssh 到生产解压到 nginx 挂载点..." -ForegroundColor Yellow
+Write-Host "    (会再次提示输入密码)" -ForegroundColor Gray
+$RemoteCmd = @"
+cd /opt/wecom-it-desk &&
+echo '解压前端...' &&
+sudo tar -xzf /tmp/frontend-v0.7.0.tar.gz &&
+echo '清理 tar 包...' &&
+sudo rm /tmp/frontend-v0.7.0.tar.gz &&
+echo '清理本地 tar 包...' &&
+rm $TarPath &&
+echo '========================================' &&
+echo '前端 4 端 dist 已更新到生产!' &&
+echo '========================================'
+"@
+& ssh -o StrictHostKeyChecking=no -o ConnectTimeout=30 $Server $RemoteCmd
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "    FAILED: ssh 解压失败" -ForegroundColor Red
+    exit 1
+}
+
+Write-Host ""
+Write-Host "[4/4] 完成!" -ForegroundColor Green
+Write-Host "下一步:在生产跑 nginx 脱敏配置 + reload" -ForegroundColor Cyan
+Write-Host "详见 docs/DEPLOY-QUICK-v0.7.0.md Step 5-6" -ForegroundColor Cyan