feat: sync current progress (P0 hardening + P1 observability + deploy docs/systemd)

deploy/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.23-alpine AS builder
+WORKDIR /app
+COPY go.mod go.sum* ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=1 GOOS=linux go build -o asset-tracker ./cmd/server
+
+FROM alpine:3.20
+WORKDIR /app
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /app/asset-tracker /app/asset-tracker
+COPY --from=builder /app/openapi.yaml /app/openapi.yaml
+COPY --from=builder /app/web/dist /app/web/dist
+COPY --from=builder /app/web/legacy /app/web/legacy
+RUN mkdir -p /app/data
+EXPOSE 9530
+CMD ["/app/asset-tracker"]

deploy/docker-compose.yml

@@ -0,0 +1,24 @@
+version: '3.9'
+services:
+  asset-tracker:
+    build:
+      context: ..
+      dockerfile: deploy/Dockerfile
+    container_name: asset-tracker
+    ports:
+      - "9530:9530"
+    environment:
+      - HTTP_ADDR=:9530
+      - DB_PATH=/app/data/asset-tracker.db
+      - APP_ENV=production
+      - JWT_SECRET=${JWT_SECRET:?JWT_SECRET is required}
+      - ACCESS_TTL_MINUTES=30
+      - REFRESH_TTL_HOURS=168
+    volumes:
+      - ../data:/app/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:9530/healthz"]
+      interval: 30s
+      timeout: 3s
+      retries: 5

deploy/systemd/asset-tracker.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Asset Tracker Service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/root/.openclaw/workspace/asset-tracker
+EnvironmentFile=-/root/.openclaw/workspace/asset-tracker/.env.production
+Environment=APP_ENV=production
+Environment=HTTP_ADDR=:9530
+Environment=DB_PATH=/root/.openclaw/workspace/asset-tracker/data/asset-tracker.db
+Environment=DEFAULT_TIMEZONE=Asia/Shanghai
+ExecStart=/root/.openclaw/workspace/asset-tracker/bin/asset-tracker
+Restart=always
+RestartSec=3
+LimitNOFILE=65535
+StandardOutput=append:/root/.openclaw/workspace/asset-tracker/logs/server.log
+StandardError=append:/root/.openclaw/workspace/asset-tracker/logs/server.log
+
+[Install]
+WantedBy=multi-user.target

deploy/systemd/install_systemd.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SERVICE_NAME=asset-tracker.service
+SRC_DIR="$(cd "$(dirname "$0")" && pwd)"
+SRC_FILE="$SRC_DIR/$SERVICE_NAME"
+DST_FILE="/etc/systemd/system/$SERVICE_NAME"
+ENV_FILE="/root/.openclaw/workspace/asset-tracker/.env.production"
+
+if [[ ! -f "$SRC_FILE" ]]; then
+  echo "missing $SRC_FILE"
+  exit 1
+fi
+
+install -m 0644 "$SRC_FILE" "$DST_FILE"
+systemctl daemon-reload
+
+if [[ ! -f "$ENV_FILE" ]]; then
+  cp /root/.openclaw/workspace/asset-tracker/.env.production.example "$ENV_FILE"
+  echo "Created $ENV_FILE from example. Please set JWT_SECRET before start."
+fi
+
+echo "Installed $DST_FILE"
+echo "Next: edit $ENV_FILE and set strong JWT_SECRET"
+echo "Then run: systemctl enable --now asset-tracker"