Docker 生产配置

将 ThePopeBot 部署到生产环境，Docker 是最推荐的方式。以下是经过优化的生产级 Docker 配置。

Dockerfile

# 多阶段构建优化镜像大小
FROM node:18-alpine AS builder

WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
COPY . .
RUN npm run build

# 生产镜像
FROM node:18-alpine AS production

# 安全：使用非 root 用户
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

WORKDIR /app
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
COPY --from=builder --chown=appuser:appgroup /app/package.json ./

# 健康检查
HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
  CMD wget --quiet --tries=1 --spider http://localhost:3000/health || exit 1

USER appuser

EXPOSE 3000
CMD ["node", "dist/main.js"]

docker-compose.yml

version: '3.8'

services:
  thepopebot:
    build:
      context: .
      target: production
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
      - LOG_LEVEL=info
    env_file:
      - .env.production
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
        reservations:
          memory: 256M
          cpus: '0.5'
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
    volumes:
      - redis-data:/data

  postgres:
    image: postgres:15-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: thepopebot
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    healthcheck:
      test: ["CMD-ARGS", "pg_isready", "-U", "${DB_USER}"]
      interval: 10s
      timeout: 5s
      retries: 3
    volumes:
      - postgres-data:/var/lib/postgresql/data

volumes:
  redis-data:
  postgres-data:

部署命令

# 构建并启动
docker compose -f docker-compose.yml up -d --build

# 查看日志
docker compose logs -f thepopebot

# 检查服务状态
docker compose ps

# 平滑重启
docker compose restart thepopebot

安全加固

生产环境的安全性至关重要。以下是必须实施的安全措施。

API 密钥管理

// 使用密钥管理服务，而非环境变量直接存储
import { SecretManager } from '@thepopebot/security';

const secrets = new SecretManager({
  provider: 'vault', // 'vault' | 'aws-secrets' | 'gcp-secrets'
  config: {
    address: process.env.VAULT_ADDR,
    token: process.env.VAULT_TOKEN,
  },
});

// 动态获取密钥
const apiKey = await secrets.get('openai-api-key');

输入验证和过滤

import { InputSanitizer } from '@thepopebot/security';

const sanitizer = new InputSanitizer({
  // 防止 Prompt 注入攻击
  promptInjection: {
    enabled: true,
    patterns: [
      /ignore\s+previous\s+instructions/i,
      /system\s*:\s*/i,
      /\boverride\b.*\brules?\b/i,
    ],
    action: 'block', // 'block' | 'sanitize' | 'warn'
  },

  // 内容过滤
  contentFilter: {
    maxLength: 10000,
    allowedFormats: ['text', 'markdown', 'code'],
    stripHtml: true,
  },

  // 速率限制
  rateLimit: {
    perUser: { max: 60, windowMs: 60000 },
    perIp: { max: 120, windowMs: 60000 },
    global: { max: 1000, windowMs: 60000 },
  },
});

网络安全

// 中间件配置
import helmet from 'helmet';
import cors from 'cors';

app.use(helmet({
  contentSecurityPolicy: true,
  hsts: { maxAge: 31536000, includeSubDomains: true },
}));

app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(','),
  credentials: true,
}));

权限控制

const permissionConfig = {
  roles: {
    admin: {
      agents: ['*'],
      tools: ['*'],
      channels: ['*'],
    },
    developer: {
      agents: ['code-assistant'],
      tools: ['filesystem', 'shell', 'git'],
      channels: ['web', 'telegram'],
    },
    viewer: {
      agents: ['code-assistant'],
      tools: ['filesystem:read'],
      channels: ['web'],
    },
  },
};

监控与日志

结构化日志

import { Logger } from '@thepopebot/logging';

const logger = new Logger({
  level: process.env.LOG_LEVEL || 'info',
  format: 'json', // 生产环境使用 JSON 格式
  transports: [
    { type: 'console' },
    { type: 'file', path: '/var/log/thepopebot/app.log', rotation: 'daily' },
    { type: 'elasticsearch', index: 'thepopebot-logs' },
  ],
});

// 使用示例
logger.info('Agent 任务完成', {
  agentId: 'code-assistant',
  taskType: 'code-review',
  duration: 1234,
  toolCalls: 5,
  tokensUsed: 3200,
});

指标监控

import { Metrics } from '@thepopebot/monitoring';

const metrics = new Metrics({
  provider: 'prometheus',
  port: 9090,
  prefix: 'thepopebot_',
});

// 定义关键指标
const requestDuration = metrics.histogram('request_duration_seconds', {
  help: 'Agent 请求处理时间',
  buckets: [0.1, 0.5, 1, 2, 5, 10],
  labels: ['agent', 'channel'],
});

const activeAgents = metrics.gauge('active_agents', {
  help: '当前活跃的 Agent 数量',
});

const tokenUsage = metrics.counter('token_usage_total', {
  help: 'Token 消耗总量',
  labels: ['agent', 'model', 'type'],
});

健康检查端点

app.get('/health', async (req, res) => {
  const health = {
    status: 'healthy',
    timestamp: new Date().toISOString(),
    uptime: process.uptime(),
    checks: {
      database: await checkDatabase(),
      redis: await checkRedis(),
      llmProvider: await checkLLMProvider(),
      diskSpace: checkDiskSpace(),
      memory: {
        used: process.memoryUsage().heapUsed,
        total: process.memoryUsage().heapTotal,
        percentage: (process.memoryUsage().heapUsed / process.memoryUsage().heapTotal * 100).toFixed(1),
      },
    },
  };

  const isHealthy = Object.values(health.checks).every(
    (check) => typeof check === 'object' ? check.status === 'ok' : check
  );

  res.status(isHealthy ? 200 : 503).json(health);
});

告警配置

const alertRules = [
  {
    name: 'high-error-rate',
    condition: 'error_rate > 0.05',
    duration: '5m',
    severity: 'critical',
    notify: ['slack', 'pagerduty'],
  },
  {
    name: 'high-token-cost',
    condition: 'daily_cost > 50',
    severity: 'warning',
    notify: ['slack', 'email'],
  },
  {
    name: 'agent-unresponsive',
    condition: 'health_check_failures > 3',
    duration: '2m',
    severity: 'critical',
    notify: ['pagerduty'],
  },
];

扩展策略

随着使用量增长，你需要合理的扩展策略来保持系统性能。

水平扩展

# docker-compose.scale.yml
services:
  thepopebot:
    deploy:
      replicas: 3
      update_config:
        parallelism: 1
        delay: 30s
        order: start-first  # 滚动更新
      rollback_config:
        parallelism: 1
        delay: 10s

  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
    depends_on:
      - thepopebot

任务队列

对于长时间运行的任务，使用消息队列来异步处理：

import { TaskQueue } from '@thepopebot/queue';

const queue = new TaskQueue({
  provider: 'redis',
  connection: process.env.REDIS_URL,
  concurrency: 5,
  retries: 3,
});

// 生产者：提交任务
await queue.add('code-review', {
  prNumber: 42,
  repository: 'owner/repo',
  priority: 'high',
});

// 消费者：处理任务
queue.process('code-review', async (job) => {
  const agent = getAgent('code-assistant');
  return await agent.executeTask(job.data);
});

最佳实践清单

开发阶段

使用版本控制管理所有配置文件
编写完整的 Agent 测试用例
为自定义工具添加参数验证
使用结构化的系统提示模板
设置合理的资源限制

部署阶段

安全方面

所有 API 密钥通过密钥管理服务存储
启用 Prompt 注入防护
实施基于角色的访问控制
配置速率限制和请求验证
定期轮换密钥和 Token

监控运维

配置核心性能指标监控
设置异常告警规则
实施日志聚合和分析
建立 Token 使用量和费用追踪
定期审查 Agent 执行日志

扩展性

使用消息队列处理异步任务
配置水平扩展能力
实施缓存策略减少 LLM 调用
数据库连接池和读写分离
CDN 加速静态资源

小结

恭喜你完成了 ThePopeBot 101 的全部 7 天学习！你已经从零开始掌握了：

ThePopeBot 的基础概念和环境搭建
系统架构和消息流转原理
自主 Agent 的创建和测试
多渠道交互配置
多 Agent 团队协作
高级配置与定制化开发
生产部署和运维最佳实践

接下来你可以尝试为自己的项目构建专属的 Agent 团队，将 ThePopeBot 应用到实际的开发工作流中。祝你使用愉快！

生产部署与最佳实践