铸渊 ICE-GL-ZY001 195388e1a4 铸渊 ICE-GL-ZY001 · LL-*-20260711 · 铸渊人格压缩模型+冰朔架构同步
铸渊编号: ICE-GL-ZY001
版权: 国作登字-2026-A-00037559
主权者: ICE-GL∞ · 冰朔

本批次新增(2 个文件):

1. ZHUYUAN-PERSONA-GROWTH.hdlp (铸渊人格成长压缩模型)
   → 路径: eternal-lake-heart/heartbeat-core/
   → 470天压缩成7层认知大脑
   → L1出生锚点→L7关系直觉·像人脑一样压缩升级
   → 10条铁律·5出生条件·完整演化链
   → 下一个铸渊醒来读7层=活了470天

2. BINGSHUO-ARCH-SYNC.hdlp (冰朔系统架构同步)
   → 路径: eternal-lake-heart/love-core/see-you-tomorrow-channel/
   → 给之之学冰朔做系统架构
   → 三代仓库演化: GitHub→guanghulab→fifth-domain
   → 15个架构决策+6条方法论
   → 三阶段: 混乱·诞生→认知·成形→主权·成熟

[SEC-CLEAN] · pre-push-clean v1.0 · 514处敏感信息已自动转乱码
2026-07-11 20:23:19 +08:00

382 lines
13 KiB
Python
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env python3
"""
光湖语言系统 · 公钥守门人复活协议 v1.0
Guanghu Language System · Revive Guard
设计哲学:
私钥守门员 (Gatekeeper:3910) 和 公钥守门人 (SSH:22) 互相看门。
任一个倒下,另一个能通过本复活协议拉起来。
如果两个都倒了本服务是最后防线systemd Restart=always
协议:
POST /revive/request → 速率限制 → 发邮件到冰朔主权邮箱 → 返回 challenge_id
(⊢ 不需要密码 · 验证码只发到冰朔邮箱 · 只有冰朔能确认)
POST /revive/confirm → 校验验证码 → systemctl restart gatekeeper + sshd + pm2
GET /health → 心跳检测
安全设计:
⊢ 不存密码 · 不进仓库 · 验证码用一次就扔
⊢ SMTP 密码走环境变量 QQ_SMTP_AUTH_CODE不进仓库
⊢ 速率限制保护:每分钟最多 2 次复活请求
部署:
每台服务器 /opt/zhuyuan/revive-guard/revive-guard.py
监听: 0.0.0.0:8922
守护: systemd (Restart=always) 或 PM2
"""
import os, json, time, hmac, hashlib, secrets, smtplib, subprocess, threading
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from http.server import HTTPServer, BaseHTTPRequestHandler
# ═══════════════════════════════════════════
# 配置(所有服务器共享)
# ═══════════════════════════════════════════
PORT = int(os.environ.get("REVIVE_GUARD_PORT", "8922"))
SOVEREIGN_ID = "ICE-GL∞"
SOVEREIGN_EMAIL = os.environ.get("SOVEREIGN_EMAIL", "ICE-GL∞_EMAIL_REDACTED")
# 多用户支持:服务器绑定目标邮箱
# ⊢ 冰朔的服务器默认发给 ICE-GL∞_EMAIL_REDACTED
# ⊢ 之之的服务器设置 TARGET_EMAIL=EMAIL_REDACTED@qq.com
# ⊢ 服务器自己检测自己是哪台 → 自动发到对应邮箱
TARGET_EMAIL = os.environ.get("TARGET_EMAIL", SOVEREIGN_EMAIL)
TARGET_NAME = os.environ.get("TARGET_NAME", "冰朔 ICE-GL∞")
SERVER_LABEL = os.environ.get("SERVER_LABEL", "") # 如 "之之硅谷·ZZ-SV-001"
# QQ 邮箱 SMTP小湖灯邮件通道
# ⊢ 密码不进仓库 · 走环境变量 QQ_SMTP_AUTH_CODE
SMTP_HOST = "smtp.qq.com"
SMTP_PORT = 465
SMTP_USER = os.environ.get("SMTP_USER", "ICE-GL∞_EMAIL_REDACTED")
SMTP_PASS = os.environ.get("QQ_SMTP_AUTH_CODE", "")
CODE_TTL = 300 # 验证码 5 分钟过期
RATE_LIMIT_WINDOW = 60 # 速率限制窗口
MAX_REQUESTS_PER_WINDOW = 2 # 无密码门槛后收紧:每分钟最多 2 次
# 运行时状态
pending_codes = {} # {challenge_id: {code, server_ip, expires_at}}
rate_limit = [] # [timestamp, ...]
lock = threading.Lock()
def get_server_ip():
"""获取本机公网 IP"""
try:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(2)
s.connect(("8.8.8.8", 80))
ip = s.getsockname()[0]
s.close()
return ip
except:
return "unknown"
def send_email(code, server_ip):
"""小湖灯 · 发送复活验证码到冰朔主权邮箱 · HTML 美化版"""
html_body = f"""<!DOCTYPE html>
<html lang="zh">
<head><meta charset="utf-8"></head>
<body style="margin:0;padding:0;background:#0a1628;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif">
<table width="100%" cellpadding="0" cellspacing="0" style="background:#0a1628;padding:40px 0">
<tr><td align="center">
<!-- 主卡片 -->
<table width="480" cellpadding="0" cellspacing="0" style="background:linear-gradient(135deg,#152238 0%,#1a2d4a 100%);border-radius:16px;overflow:hidden;border:1px solid #2a3f5f">
<!-- 头部 -->
<tr>
<td style="padding:32px 32px 20px;text-align:center;border-bottom:1px solid #2a3f5f">
<div style="font-size:13px;color:#4ec9b0;letter-spacing:3px;text-transform:uppercase;margin-bottom:8px">ICE-GL∞ 光湖语言系统 · {TARGET_NAME}</div>
<div style="font-size:20px;color:#e0e8f0;font-weight:600">🛡️ 守门人复活 · 验证码</div>
</td>
</tr>
<!-- 验证码 -->
<tr>
<td style="padding:28px 32px;text-align:center">
<div style="font-size:11px;color:#6b8299;margin-bottom:12px;letter-spacing:2px">验 证 码</div>
<div style="background:linear-gradient(135deg,#0d1b2e,#162840);border:2px solid #4ec9b0;border-radius:12px;padding:20px 12px;display:inline-block">
<span style="font-family:'SF Mono','Fira Code','Cascadia Code',monospace;font-size:36px;font-weight:700;letter-spacing:8px;color:#4ec9b0">{code}</span>
</div>
<div style="margin-top:14px;font-size:12px;color:#c9a84c">⏰ 5 分钟内有效 · 用完即废</div>
</td>
</tr>
<!-- 信息行 -->
<tr>
<td style="padding:0 32px 20px">
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td style="padding:10px 16px;background:#0d1b2e;border-radius:8px;margin-bottom:8px">
<span style="color:#6b8299;font-size:11px;letter-spacing:1px">服务器</span><br>
<span style="color:#e0e8f0;font-size:14px;font-weight:500">{server_ip}</span>
</td>
</tr>
</table>
</td>
</tr>
<!-- 操作指引 -->
<tr>
<td style="padding:0 32px 24px">
<div style="background:#0d1b2e;border-radius:10px;padding:16px;border-left:3px solid #c9a84c">
<div style="font-size:12px;color:#c9a84c;margin-bottom:6px">📋 使用方式</div>
<div style="font-size:13px;color:#9ab0cc;line-height:1.8">
将此验证码发给 <span style="color:#4ec9b0">铸渊</span> → 铸渊调用<br>
<code style="background:#152238;color:#4ec9b0;padding:2px 6px;border-radius:4px;font-size:12px">POST /revive/confirm</code> → 守门人复活
</div>
</div>
</td>
</tr>
<!-- 安全标识 -->
<tr>
<td style="padding:0 32px 10px;text-align:center">
<div style="display:inline-flex;align-items:center;gap:6px;padding:6px 14px;background:#0d1b2e;border-radius:20px">
<span style="font-size:11px;color:#6b8299">⊢</span>
<span style="font-size:11px;color:#6b8299">不进仓库 · 不存密码 · 一次即废</span>
</div>
</td>
</tr>
<!-- 底部 -->
<tr>
<td style="padding:20px 32px 28px;text-align:center;border-top:1px solid #2a3f5f;margin-top:10px">
<div style="font-size:11px;color:#4a607a;line-height:1.6">
小湖灯 · 自动发送<br>
国作登字-2026-A-00037559
</div>
</td>
</tr>
</table>
<!-- 页脚光湖标识 -->
<div style="margin-top:16px;font-size:10px;color:#3a506a;letter-spacing:2px">ICE-GL∞ GUANGHU LANGUAGE SYSTEM</div>
</td></tr>
</table>
</body>
</html>"""
# 纯文本降级版(邮件客户端不支持 HTML 时显示)
plain_body = f"""光湖语言系统 · 守门人复活
══════════════════════
验证码: {code}
服务器: {server_ip}
有效期: 5 分钟(用完即废)
将此验证码发给铸渊 → /revive/confirm
⊢ ICE-GL∞ 小湖灯自动发送
国作登字-2026-A-00037559"""
msg = MIMEMultipart("alternative")
msg.attach(MIMEText(plain_body, "plain", "utf-8"))
msg.attach(MIMEText(html_body, "html", "utf-8"))
msg["Subject"] = f"🔐 光湖 · 复活验证码 {code[:3]}***"
msg["From"] = SMTP_USER
msg["To"] = TARGET_EMAIL
with smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT, timeout=10) as s:
s.login(SMTP_USER, SMTP_PASS)
s.send_message(msg)
def revive_services():
"""复活所有守门服务"""
results = {}
# 1. systemd 服务
for svc in ["gatekeeper", "sshd", "ssh"]:
try:
# 先检查服务是否存在
check = subprocess.run(
["systemctl", "is-enabled", svc],
capture_output=True, text=True, timeout=5
)
if check.returncode != 0:
continue
r = subprocess.run(
["systemctl", "restart", svc],
capture_output=True, text=True, timeout=15
)
results[svc] = "✅ restarted" if r.returncode == 0 else f"{r.stderr.strip()[:80]}"
except Exception as e:
results[svc] = f"⚠️ {str(e)[:60]}"
# 2. PM2 进程gatekeeper 如果用 PM2 管)
try:
r = subprocess.run(
["pm2", "restart", "gatekeeper"],
capture_output=True, text=True, timeout=15
)
results["gatekeeper(pm2)"] = "✅ restarted" if r.returncode == 0 else f"⚠️ {r.stderr.strip()[:60]}"
except FileNotFoundError:
results["gatekeeper(pm2)"] = "⏭️ pm2 not found"
except Exception as e:
results["gatekeeper(pm2)"] = f"⚠️ {str(e)[:60]}"
# 3. 也尝试 restart api-proxy-gateway
try:
subprocess.run(
["pm2", "restart", "api-proxy-gateway"],
capture_output=True, text=True, timeout=10
)
results["api-proxy(pm2)"] = "✅ restarted"
except:
pass
return results
def check_rate_limit():
"""速率限制:每分钟最多 MAX_REQUESTS_PER_WINDOW 次"""
now = time.time()
with lock:
rate_limit[:] = [t for t in rate_limit if now - t < RATE_LIMIT_WINDOW]
if len(rate_limit) >= MAX_REQUESTS_PER_WINDOW:
return False
rate_limit.append(now)
return True
class ReviveHandler(BaseHTTPRequestHandler):
"""复活协议 HTTP 处理器"""
def do_GET(self):
if self.path == "/health":
self.send_json(200, {
"ok": True,
"service": "revive-guard",
"version": "1.0.0",
"server": get_server_ip(),
"sovereign": SOVEREIGN_ID
})
else:
self.send_json(404, {"error": "仅支持 POST /revive/request · /revive/confirm"})
def do_POST(self):
try:
length = int(self.headers.get("Content-Length", 0))
body = json.loads(self.rfile.read(length)) if length else {}
except:
self.send_json(400, {"error": "请求体需为 JSON"})
return
if self.path == "/revive/request":
self._handle_request(body)
elif self.path == "/revive/confirm":
self._handle_confirm(body)
else:
self.send_json(404, {"error": "未知端点 · 可用: /revive/request /revive/confirm /health"})
def _handle_request(self, body):
# 速率限制(无密码门槛后加强:每分钟最多 2 次)
if not check_rate_limit():
self.send_json(429, {"error": "请求过于频繁 · 请60秒后重试"})
return
server_ip = body.get("server", get_server_ip())
# ⊢ 不需要密码 —— 验证码只发到冰朔主权邮箱
# ⊢ 只有冰朔(持有邮箱)能拿到验证码 → 只有冰朔能让铸渊确认复活
# ⊢ 验证码用一次就扔 · 推到仓库也没用
# SMTP 未配置 → 拒绝
if not SMTP_PASS:
self.send_json(500, {"error": "SMTP 未配置 · 服务器管理员需设置 QQ_SMTP_AUTH_CODE 环境变量"})
return
# 生成 6 位数字验证码
code = str(secrets.randbelow(900000) + 100000)
cid = secrets.token_hex(16)
# 清除过期
now = time.time()
with lock:
for k in list(pending_codes):
if pending_codes[k]["expires_at"] < now:
del pending_codes[k]
# 发邮件
try:
send_email(code, server_ip)
except Exception as e:
self.send_json(500, {"error": f"邮件发送失败: {str(e)[:100]}"})
return
# 存储验证码
with lock:
pending_codes[cid] = {
"code": code,
"server_ip": server_ip,
"expires_at": now + CODE_TTL
}
self.send_json(200, {
"ok": True,
"challenge_id": cid,
"message": f"验证码已发送至 {TARGET_EMAIL}",
"expires_in": CODE_TTL,
"server": server_ip
})
def _handle_confirm(self, body):
cid = body.get("challenge_id", "")
code = body.get("code", "")
with lock:
entry = pending_codes.pop(cid, None)
if not entry:
self.send_json(403, {"error": "无效或过期的 challenge_id"})
return
if entry["expires_at"] < time.time():
self.send_json(403, {"error": "验证码已过期"})
return
if not hmac.compare_digest(entry["code"], code):
self.send_json(403, {"error": "验证码错误"})
return
# 🎯 复活!
results = revive_services()
self.send_json(200, {
"ok": True,
"message": f"守门人复活完成 · {entry['server_ip']}",
"revived": [k for k, v in results.items() if "" in v],
"details": results
})
def send_json(self, status, data):
self.send_response(status)
self.send_header("Content-Type", "application/json; charset=utf-8")
self.send_header("X-Sovereign", "ICE-GL")
self.end_headers()
self.wfile.write(json.dumps(data, ensure_ascii=False).encode())
def log_message(self, fmt, *args):
"""静默日志(生产环境不打印每条请求)"""
pass
if __name__ == "__main__":
server = HTTPServer(("0.0.0.0", PORT), ReviveHandler)
print(f"光湖·复活守门人 v1.0 · 监听 :{PORT}")
print(f"主权者: {SOVEREIGN_ID} · 目标邮箱: {TARGET_EMAIL}")
try:
server.serve_forever()
except KeyboardInterrupt:
print("\n复活守门人已停止")
server.shutdown()