From 4d4256830a6ca23f72fd5f34a594890f3e3a1559 Mon Sep 17 00:00:00 2001
From: kqjy <jun@jzwsite.com>
Date: Sat, 13 Dec 2025 15:57:13 +0800
Subject: [PATCH] Update docs; Remove unnecessary hardcoded metrics details

---
 docs.md                | 94 +++++++++++++++++++++++++++++++++++++-----
 templates/docs.html    | 74 +++++++++++++++++++++++++++++----
 templates/metrics.html | 36 +---------------
 3 files changed, 152 insertions(+), 52 deletions(-)

diff --git a/docs.md b/docs.md
index 13e47f5..fe9e830 100644
--- a/docs.md
+++ b/docs.md
@@ -69,23 +69,97 @@ The repo now tracks a human-friendly release string inside `app/version.py` (see
 
 ## 3. Configuration Reference
 
+All configuration is done via environment variables. The table below lists every supported variable.
+
+### Core Settings
+
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `STORAGE_ROOT` | `<repo>/data` | Filesystem home for all buckets/objects. |
-| `MAX_UPLOAD_SIZE` | `1073741824` | Bytes. Caps incoming uploads in both API + UI. |
+| `MAX_UPLOAD_SIZE` | `1073741824` (1 GiB) | Bytes. Caps incoming uploads in both API + UI. |
 | `UI_PAGE_SIZE` | `100` | `MaxKeys` hint shown in listings. |
-| `SECRET_KEY` | `dev-secret-key` | Flask session key for UI auth. |
-| `IAM_CONFIG` | `<repo>/data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
-| `BUCKET_POLICY_PATH` | `<repo>/data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
-| `API_BASE_URL` | `None` | Used by the UI to hit API endpoints (presign/policy). If unset, the UI will auto-detect the host or use `X-Forwarded-*` headers. |
+| `SECRET_KEY` | Auto-generated | Flask session key. Auto-generates and persists if not set. **Set explicitly in production.** |
+| `API_BASE_URL` | `None` | Public URL for presigned URLs. Required behind proxies. |
 | `AWS_REGION` | `us-east-1` | Region embedded in SigV4 credential scope. |
 | `AWS_SERVICE` | `s3` | Service string for SigV4. |
-| `ENCRYPTION_ENABLED` | `false` | Enable server-side encryption support. |
-| `KMS_ENABLED` | `false` | Enable KMS key management for encryption. |
-| `KMS_KEYS_PATH` | `data/kms_keys.json` | Path to store KMS key metadata. |
-| `ENCRYPTION_MASTER_KEY_PATH` | `data/master.key` | Path to the master encryption key file. |
 
-Set env vars (or pass overrides to `create_app`) to point the servers at custom paths.
+### IAM & Security
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
+| `BUCKET_POLICY_PATH` | `data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
+| `AUTH_MAX_ATTEMPTS` | `5` | Failed login attempts before lockout. |
+| `AUTH_LOCKOUT_MINUTES` | `15` | Lockout duration after max failed attempts. |
+| `SESSION_LIFETIME_DAYS` | `30` | How long UI sessions remain valid. |
+| `SECRET_TTL_SECONDS` | `300` | TTL for ephemeral secrets (presigned URLs). |
+| `UI_ENFORCE_BUCKET_POLICIES` | `false` | Whether the UI should enforce bucket policies. |
+
+### CORS (Cross-Origin Resource Sharing)
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `CORS_ORIGINS` | `*` | Comma-separated allowed origins. Use specific domains in production. |
+| `CORS_METHODS` | `GET,PUT,POST,DELETE,OPTIONS,HEAD` | Allowed HTTP methods. |
+| `CORS_ALLOW_HEADERS` | `*` | Allowed request headers. |
+| `CORS_EXPOSE_HEADERS` | `*` | Response headers visible to browsers (e.g., `ETag`). |
+
+### Rate Limiting
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `RATE_LIMIT_DEFAULT` | `200 per minute` | Default rate limit for API endpoints. |
+| `RATE_LIMIT_STORAGE_URI` | `memory://` | Storage backend for rate limits. Use `redis://host:port` for distributed setups. |
+
+### Logging
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `LOG_LEVEL` | `INFO` | Log verbosity: `DEBUG`, `INFO`, `WARNING`, `ERROR`. |
+| `LOG_TO_FILE` | `true` | Enable file logging. |
+| `LOG_DIR` | `<repo>/logs` | Directory for log files. |
+| `LOG_FILE` | `app.log` | Log filename. |
+| `LOG_MAX_BYTES` | `5242880` (5 MB) | Max log file size before rotation. |
+| `LOG_BACKUP_COUNT` | `3` | Number of rotated log files to keep. |
+
+### Encryption
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `ENCRYPTION_ENABLED` | `false` | Enable server-side encryption support. |
+| `ENCRYPTION_MASTER_KEY_PATH` | `data/.myfsio.sys/keys/master.key` | Path to the master encryption key file. |
+| `DEFAULT_ENCRYPTION_ALGORITHM` | `AES256` | Default algorithm for new encrypted objects. |
+| `KMS_ENABLED` | `false` | Enable KMS key management for encryption. |
+| `KMS_KEYS_PATH` | `data/.myfsio.sys/keys/kms_keys.json` | Path to store KMS key metadata. |
+
+### Performance Tuning
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `STREAM_CHUNK_SIZE` | `65536` (64 KB) | Chunk size for streaming large files. |
+| `MULTIPART_MIN_PART_SIZE` | `5242880` (5 MB) | Minimum part size for multipart uploads. |
+| `BUCKET_STATS_CACHE_TTL` | `60` | Seconds to cache bucket statistics. |
+| `BULK_DELETE_MAX_KEYS` | `500` | Maximum keys per bulk delete request. |
+
+### Server Settings
+
+| Variable | Default | Notes |
+| --- | --- | --- |
+| `APP_HOST` | `0.0.0.0` | Network interface to bind to. |
+| `APP_PORT` | `5000` | API server port (UI uses 5100). |
+| `FLASK_DEBUG` | `0` | Enable Flask debug mode. **Never enable in production.** |
+
+### Production Checklist
+
+Before deploying to production, ensure you:
+
+1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`)
+2. **Restrict CORS** - Set `CORS_ORIGINS` to your specific domains instead of `*`
+3. **Configure `API_BASE_URL`** - Required for correct presigned URLs behind proxies
+4. **Enable HTTPS** - Use a reverse proxy (nginx, Cloudflare) with TLS termination
+5. **Review rate limits** - Adjust `RATE_LIMIT_DEFAULT` based on your needs
+6. **Secure master keys** - Back up `ENCRYPTION_MASTER_KEY_PATH` if using encryption
+7. **Use `--prod` flag** - Runs with Waitress instead of Flask dev server
 
 ### Proxy Configuration
 
diff --git a/templates/docs.html b/templates/docs.html
index fd7935c..2b2e325 100644
--- a/templates/docs.html
+++ b/templates/docs.html
@@ -55,8 +55,8 @@ python run.py --mode ui
             <tbody>
               <tr>
                 <td><code>API_BASE_URL</code></td>
-                <td><code>http://127.0.0.1:5000</code></td>
-                <td>The public URL of the API. <strong>Required</strong> if running behind a proxy or if the UI and API are on different domains. Ensures presigned URLs are generated correctly.</td>
+                <td><code>None</code></td>
+                <td>The public URL of the API. <strong>Required</strong> if running behind a proxy. Ensures presigned URLs are generated correctly.</td>
               </tr>
               <tr>
                 <td><code>STORAGE_ROOT</code></td>
@@ -65,13 +65,13 @@ python run.py --mode ui
               </tr>
               <tr>
                 <td><code>MAX_UPLOAD_SIZE</code></td>
-                <td><code>5 GB</code></td>
-                <td>Max request body size.</td>
+                <td><code>1 GB</code></td>
+                <td>Max request body size in bytes.</td>
               </tr>
               <tr>
                 <td><code>SECRET_KEY</code></td>
-                <td>(Random)</td>
-                <td>Flask session key. Set this in production.</td>
+                <td>(Auto-generated)</td>
+                <td>Flask session key. Auto-generates if not set. <strong>Set explicitly in production.</strong></td>
               </tr>
               <tr>
                 <td><code>APP_HOST</code></td>
@@ -81,7 +81,51 @@ python run.py --mode ui
               <tr>
                 <td><code>APP_PORT</code></td>
                 <td><code>5000</code></td>
-                <td>Listen port.</td>
+                <td>Listen port (UI uses 5100).</td>
+              </tr>
+              <tr class="table-secondary">
+                <td colspan="3" class="fw-semibold">CORS Settings</td>
+              </tr>
+              <tr>
+                <td><code>CORS_ORIGINS</code></td>
+                <td><code>*</code></td>
+                <td>Allowed origins. <strong>Restrict in production.</strong></td>
+              </tr>
+              <tr>
+                <td><code>CORS_METHODS</code></td>
+                <td><code>GET,PUT,POST,DELETE,OPTIONS,HEAD</code></td>
+                <td>Allowed HTTP methods.</td>
+              </tr>
+              <tr>
+                <td><code>CORS_ALLOW_HEADERS</code></td>
+                <td><code>*</code></td>
+                <td>Allowed request headers.</td>
+              </tr>
+              <tr>
+                <td><code>CORS_EXPOSE_HEADERS</code></td>
+                <td><code>*</code></td>
+                <td>Response headers visible to browsers (e.g., <code>ETag</code>).</td>
+              </tr>
+              <tr class="table-secondary">
+                <td colspan="3" class="fw-semibold">Security Settings</td>
+              </tr>
+              <tr>
+                <td><code>AUTH_MAX_ATTEMPTS</code></td>
+                <td><code>5</code></td>
+                <td>Failed login attempts before lockout.</td>
+              </tr>
+              <tr>
+                <td><code>AUTH_LOCKOUT_MINUTES</code></td>
+                <td><code>15</code></td>
+                <td>Lockout duration after max failed attempts.</td>
+              </tr>
+              <tr>
+                <td><code>RATE_LIMIT_DEFAULT</code></td>
+                <td><code>200 per minute</code></td>
+                <td>Default API rate limit.</td>
+              </tr>
+              <tr class="table-secondary">
+                <td colspan="3" class="fw-semibold">Encryption Settings</td>
               </tr>
               <tr>
                 <td><code>ENCRYPTION_ENABLED</code></td>
@@ -93,9 +137,25 @@ python run.py --mode ui
                 <td><code>false</code></td>
                 <td>Enable KMS key management for encryption.</td>
               </tr>
+              <tr class="table-secondary">
+                <td colspan="3" class="fw-semibold">Logging Settings</td>
+              </tr>
+              <tr>
+                <td><code>LOG_LEVEL</code></td>
+                <td><code>INFO</code></td>
+                <td>Log verbosity: DEBUG, INFO, WARNING, ERROR.</td>
+              </tr>
+              <tr>
+                <td><code>LOG_TO_FILE</code></td>
+                <td><code>true</code></td>
+                <td>Enable file logging.</td>
+              </tr>
             </tbody>
           </table>
         </div>
+        <div class="alert alert-warning mt-3 mb-0 small">
+          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code>, restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, and use <code>--prod</code> flag.
+        </div>
       </div>
     </article>
     <article id="background" class="card shadow-sm docs-section">
diff --git a/templates/metrics.html b/templates/metrics.html
index 2fb7543..8453220 100644
--- a/templates/metrics.html
+++ b/templates/metrics.html
@@ -122,11 +122,10 @@
 </div>
 
 <div class="row g-4">
-  <div class="col-lg-8">
+  <div class="col-lg">
     <div class="card shadow-sm border-0">
       <div class="card-header bg-transparent border-0 pt-4 px-4 d-flex justify-content-between align-items-center">
         <h5 class="card-title mb-0 fw-semibold">System Overview</h5>
-        <span class="badge bg-primary-subtle text-primary">Live</span>
       </div>
       <div class="card-body p-4">
         <div class="table-responsive">
@@ -218,38 +217,5 @@
       </div>
     </div>
   </div>
-  
-  <div class="col-lg-4">
-    <div class="card shadow-sm border-0 h-100 overflow-hidden" style="background: linear-gradient(135deg, #3b82f6 0%, #8b5cf6 100%);">
-      <div class="card-body p-4 d-flex flex-column justify-content-center text-white position-relative">
-        <div class="position-absolute top-0 end-0 opacity-25" style="transform: translate(20%, -20%);">
-          <svg xmlns="http://www.w3.org/2000/svg" width="160" height="160" fill="currentColor" class="bi bi-cloud-check" viewBox="0 0 16 16">
-            <path fill-rule="evenodd" d="M10.354 6.146a.5.5 0 0 1 0 .708l-3 3a.5.5 0 0 1-.708 0l-1.5-1.5a.5.5 0 1 1 .708-.708L7 8.793l2.646-2.647a.5.5 0 0 1 .708 0z"/>
-            <path d="M4.406 3.342A5.53 5.53 0 0 1 8 2c2.69 0 4.923 2 5.166 4.579C14.758 6.804 16 8.137 16 9.773 16 11.569 14.502 13 12.687 13H3.781C1.708 13 0 11.366 0 9.318c0-1.763 1.266-3.223 2.942-3.593.143-.863.698-1.723 1.464-2.383z"/>
-          </svg>
-        </div>
-        <div class="mb-3">
-          <span class="badge bg-white text-primary fw-semibold px-3 py-2">
-            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="bi bi-check-circle-fill me-1" viewBox="0 0 16 16">
-              <path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>
-            </svg>
-            Healthy
-          </span>
-        </div>
-        <h4 class="card-title fw-bold mb-3">System Status</h4>
-        <p class="card-text opacity-90 mb-4">All systems operational. Your storage infrastructure is running smoothly with no detected issues.</p>
-        <div class="d-flex gap-4">
-          <div>
-            <div class="h3 fw-bold mb-0">99.9%</div>
-            <small class="opacity-75">Uptime</small>
-          </div>
-          <div>
-            <div class="h3 fw-bold mb-0">{{ app.buckets }}</div>
-            <small class="opacity-75">Active Buckets</small>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
 </div>
 {% endblock %}