11 changed files with 41 additions and 174 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@ -47,50 +47,47 @@ jobs:
            --tag ${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-web:latest \
            ./web 2>&1 | tee -a /tmp/build.log

-      - name: Setup SSH
+      - name: Setup Kubectl
        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.K3S_SSH_KEY }}" > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          ssh-keyscan -H ${{ secrets.K3S_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+          curl -LO "https://dl.k8s.io/release/v1.28.2/bin/linux/amd64/kubectl" || \
+          curl -LO "https://cdn.dl.k8s.io/release/v1.28.2/bin/linux/amd64/kubectl"
+          chmod +x kubectl
+          mv kubectl /usr/local/bin/

-      - name: Deploy to K3s via SSH
-        id: deploy
+      - name: Deploy to K3s
+        uses: Azure/k8s-set-context@v3
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBE_CONFIG }}
+
+      - name: Create or Update Secrets
        run: |
-          SWR_IMAGE="${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}"
-
-          # Replace image placeholders in yaml files
-          sed -i "s|\${CI_REGISTRY_IMAGE}/video-backend:latest|${SWR_IMAGE}/video-backend:latest|g" k8s/backend-deployment.yaml
-          sed -i "s|\${CI_REGISTRY_IMAGE}/video-web:latest|${SWR_IMAGE}/video-web:latest|g" k8s/web-deployment.yaml
-
-          # Copy k8s manifests to server
-          scp -o StrictHostKeyChecking=no k8s/backend-deployment.yaml k8s/web-deployment.yaml k8s/ingress.yaml root@${{ secrets.K3S_HOST }}:/tmp/
-
-          # Create/update secrets and apply manifests on server
-          set -o pipefail
-          ssh -o StrictHostKeyChecking=no root@${{ secrets.K3S_HOST }} << ENDSSH
-            export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
-
          kubectl create secret generic video-backend-secrets \
-              --from-literal=ARK_API_KEY='${{ secrets.ARK_API_KEY }}' \
-              --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
-              --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
-              --from-literal=DJANGO_SECRET_KEY='${{ secrets.DJANGO_SECRET_KEY }}' \
-              --from-literal=DB_HOST='${{ secrets.DB_HOST }}' \
-              --from-literal=DB_USER='${{ secrets.DB_USER }}' \
-              --from-literal=DB_PASSWORD='${{ secrets.DB_PASSWORD }}' \
-              --from-literal=ALIYUN_SMS_ACCESS_KEY='${{ secrets.ALIYUN_SMS_ACCESS_KEY }}' \
-              --from-literal=ALIYUN_SMS_ACCESS_SECRET='${{ secrets.ALIYUN_SMS_ACCESS_SECRET }}' \
+            --from-literal=ARK_API_KEY=${{ secrets.ARK_API_KEY }} \
+            --from-literal=TOS_ACCESS_KEY=${{ secrets.TOS_ACCESS_KEY }} \
+            --from-literal=TOS_SECRET_KEY=${{ secrets.TOS_SECRET_KEY }} \
+            --from-literal=DJANGO_SECRET_KEY=${{ secrets.DJANGO_SECRET_KEY }} \
+            --from-literal=DB_HOST=${{ secrets.DB_HOST }} \
+            --from-literal=DB_USER=${{ secrets.DB_USER }} \
+            --from-literal=DB_PASSWORD=${{ secrets.DB_PASSWORD }} \
            --dry-run=client -o yaml | kubectl apply -f -

-            kubectl apply -f /tmp/backend-deployment.yaml
-            kubectl apply -f /tmp/web-deployment.yaml
-            kubectl apply -f /tmp/ingress.yaml
+      - name: Apply K8s Manifests
+        id: deploy
+        run: |
+          # Replace image placeholders
+          sed -i "s|\${CI_REGISTRY_IMAGE}/video-backend:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-backend:latest|g" k8s/backend-deployment.yaml
+          sed -i "s|\${CI_REGISTRY_IMAGE}/video-web:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-web:latest|g" k8s/web-deployment.yaml
+
+          # Apply all manifests
+          set -o pipefail
+          {
+            kubectl apply -f k8s/backend-deployment.yaml
+            kubectl apply -f k8s/web-deployment.yaml
+            kubectl apply -f k8s/ingress.yaml
            kubectl rollout restart deployment/video-backend
            kubectl rollout restart deployment/video-web
-
-            rm -f /tmp/backend-deployment.yaml /tmp/web-deployment.yaml /tmp/ingress.yaml
-          ENDSSH
+          } 2>&1 | tee /tmp/deploy.log

      # ===== Log Center: failure reporting =====
      - name: Report failure to Log Center
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -444,7 +444,6 @@ npx tsx src/index.ts --resume /Users/maidong/Desktop/zyc/研究openclaw/视频
 | 2026-03-18 | v0.9.1: 系统设置页 — 异常检测总开关、R1-R5默认阈值、飞书接收人+测试、告警冷却 | Frontend |
 | 2026-03-18 | v0.9.1: 团队管理 — 预期登录城市(必填) + 自动学习 + disabled_by 来源标签 | Full stack |
 | 2026-03-18 | v0.9.1: 前端拦截器 — user_disabled/team_disabled 错误码处理，弹窗提示后跳登录 | Frontend |
-| 2026-03-19 | fix: LoginRecord 创建时显式传 geo 空字段，修复 MySQL 严格模式 IntegrityError | Backend |

 ### Phase 4 Details (2026-03-13)

--- a/backend/apps/accounts/views.py
+++ b/backend/apps/accounts/views.py
@ -103,7 +103,6 @@ def login_view(request):
    user_agent = request.META.get('HTTP_USER_AGENT', '')
    login_record = LoginRecord.objects.create(
        user=user, team=user.team, ip_address=ip, user_agent=user_agent,
-        geo_country='', geo_province='', geo_city='', geo_source='',
    )

    # IP 归属地解析 + 异常检测（不阻塞登录）
--- a/backend/config/settings.py
+++ b/backend/config/settings.py
@ -193,11 +193,3 @@ ARK_API_KEY = os.environ.get('ARK_API_KEY', '')
 ARK_BASE_URL = os.environ.get('ARK_BASE_URL', 'https://ark.cn-beijing.volces.com/api/v3')
 # Set to True when Seedance model is activated on ARK platform
 SEEDANCE_ENABLED = os.environ.get('SEEDANCE_ENABLED', 'false').lower() == 'true'
-
-# ──────────────────────────────────────────────
-# Aliyun SMS (短信告警)
-# ──────────────────────────────────────────────
-ALIYUN_SMS_ACCESS_KEY = os.environ.get('ALIYUN_SMS_ACCESS_KEY', '')
-ALIYUN_SMS_ACCESS_SECRET = os.environ.get('ALIYUN_SMS_ACCESS_SECRET', '')
-ALIYUN_SMS_SIGN_NAME = os.environ.get('ALIYUN_SMS_SIGN_NAME', '广州气元科技')
-ALIYUN_SMS_TEMPLATE_CODE = os.environ.get('ALIYUN_SMS_TEMPLATE_CODE', 'SMS_503445109')
--- a/backend/utils/alert_service.py
+++ b/backend/utils/alert_service.py
@ -222,95 +222,6 @@ def send_feishu_alert(anomaly):
            logger.error('Feishu alert error for %s: %s', mobile, e)


-def send_sms_alert(anomaly):
-    """发送短信告警到配置的接收人。"""
-    from apps.generation.models import QuotaConfig
-    from django.conf import settings as django_settings
-
-    try:
-        config = QuotaConfig.objects.get(pk=1)
-    except QuotaConfig.DoesNotExist:
-        logger.warning('QuotaConfig not found, skip SMS alert')
-        return
-
-    mobiles = [m.strip() for m in config.sms_alert_mobiles.split(',') if m.strip()]
-    if not mobiles:
-        return
-
-    access_key = django_settings.ALIYUN_SMS_ACCESS_KEY
-    access_secret = django_settings.ALIYUN_SMS_ACCESS_SECRET
-    sign_name = django_settings.ALIYUN_SMS_SIGN_NAME
-    template_code = django_settings.ALIYUN_SMS_TEMPLATE_CODE
-
-    if not all([access_key, access_secret, template_code]):
-        logger.warning('Aliyun SMS credentials not configured, skip SMS alert')
-        return
-
-    rule_name = _RULE_NAMES.get(anomaly.rule, anomaly.rule)
-    auto_action = '已自动封禁' if anomaly.auto_disabled else '仅告警'
-
-    template_param = json.dumps({
-        'team_name': anomaly.team.name[:20],
-        'rule_name': rule_name[:20],
-        'username': anomaly.user.username[:20],
-        'city': anomaly.login_record.geo_city or '未知',
-        'auto_action': auto_action,
-    }, ensure_ascii=False)
-
-    # 使用阿里云 SMS HTTP API
-    import hashlib
-    import hmac
-    import base64
-    import urllib.parse
-    import uuid
-    from datetime import datetime
-
-    def _percent_encode(s):
-        return urllib.parse.quote(s, safe='', encoding='utf-8')
-
-    for mobile in mobiles:
-        try:
-            params = {
-                'AccessKeyId': access_key,
-                'Action': 'SendSms',
-                'Format': 'JSON',
-                'PhoneNumbers': mobile,
-                'RegionId': 'cn-hangzhou',
-                'SignName': sign_name,
-                'SignatureMethod': 'HMAC-SHA1',
-                'SignatureNonce': str(uuid.uuid4()),
-                'SignatureVersion': '1.0',
-                'TemplateCode': template_code,
-                'TemplateParam': template_param,
-                'Timestamp': datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%SZ'),
-                'Version': '2017-05-25',
-            }
-
-            sorted_params = sorted(params.items())
-            query_string = '&'.join(f'{_percent_encode(k)}={_percent_encode(v)}' for k, v in sorted_params)
-            string_to_sign = f'GET&{_percent_encode("/")}&{_percent_encode(query_string)}'
-
-            sign_key = (access_secret + '&').encode('utf-8')
-            signature = base64.b64encode(
-                hmac.new(sign_key, string_to_sign.encode('utf-8'), hashlib.sha1).digest()
-            ).decode('utf-8')
-
-            params['Signature'] = signature
-
-            resp = requests.get(
-                'https://dysmsapi.aliyuncs.com/',
-                params=params,
-                timeout=10,
-            )
-            data = resp.json()
-            if data.get('Code') == 'OK':
-                logger.info('SMS alert sent to %s for rule %s', mobile, anomaly.rule)
-            else:
-                logger.error('SMS send failed to %s: %s', mobile, data)
-        except Exception as e:
-            logger.error('SMS alert error for %s: %s', mobile, e)
-
-
 def send_feishu_test(mobile):
    """发送测试消息到指定手机号。Returns (success, message)。"""
    try:
--- a/backend/utils/anomaly_detector.py
+++ b/backend/utils/anomaly_detector.py
@ -305,8 +305,7 @@ def _send_alert_safe(anomaly_pk):
        from apps.accounts.models import LoginAnomaly
        anomaly = LoginAnomaly.objects.select_related('team', 'user', 'login_record').get(pk=anomaly_pk)

-        from utils.alert_service import send_feishu_alert, send_sms_alert
+        from utils.alert_service import send_feishu_alert
        send_feishu_alert(anomaly)
-        send_sms_alert(anomaly)
    except Exception as e:
        logger.error('Failed to send alert for anomaly %s: %s', anomaly_pk, e)
--- a/k8s/backend-deployment.yaml
+++ b/k8s/backend-deployment.yaml
@ -14,8 +14,6 @@ spec:
      labels:
        app: video-backend
    spec:
-      imagePullSecrets:
-      - name: swr-secret
      containers:
      - name: video-backend
        image: ${CI_REGISTRY_IMAGE}/video-backend:latest
@ -91,21 +89,6 @@ spec:
              key: ARK_API_KEY
        - name: SEEDANCE_ENABLED
          value: "true"
-        # Aliyun SMS
-        - name: ALIYUN_SMS_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: video-backend-secrets
-              key: ALIYUN_SMS_ACCESS_KEY
-        - name: ALIYUN_SMS_ACCESS_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: video-backend-secrets
-              key: ALIYUN_SMS_ACCESS_SECRET
-        - name: ALIYUN_SMS_SIGN_NAME
-          value: "广州气元科技"
-        - name: ALIYUN_SMS_TEMPLATE_CODE
-          value: "SMS_503445109"
        livenessProbe:
          httpGet:
            path: /healthz/
--- a/k8s/cert-manager-issuer.yaml
+++ b/k8s/cert-manager-issuer.yaml
@ -1,15 +0,0 @@
-# ClusterIssuer for Let's Encrypt automatic certificate generation & renewal
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: airlabsv001@gmail.com
-    privateKeySecretRef:
-      name: letsencrypt-prod-key
-    solvers:
-    - http01:
-        ingress:
-          class: alb
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@ -9,8 +9,10 @@ spec:
  tls:
  - hosts:
    - video-huoshan-api.airlabs.art
+    secretName: video-huoshan-api-tls
+  - hosts:
    - video-huoshan-web.airlabs.art
-    secretName: video-huoshan-tls
+    secretName: video-huoshan-web-tls
  rules:
  - host: video-huoshan-api.airlabs.art
    http:
--- a/k8s/web-deployment.yaml
+++ b/k8s/web-deployment.yaml
@ -14,8 +14,6 @@ spec:
      labels:
        app: video-web
    spec:
-      imagePullSecrets:
-      - name: swr-secret
      containers:
      - name: video-web
        image: ${CI_REGISTRY_IMAGE}/video-web:latest
--- a/web/src/pages/SettingsPage.tsx
+++ b/web/src/pages/SettingsPage.tsx
@ -316,12 +316,14 @@ export function SettingsPage() {
            </div>

            <div className={styles.formGroup}>
-              <label>短信告警手机号</label>
+              <label>短信告警手机号（Coming soon）</label>
              <input
                type="text"
                value={settings.sms_alert_mobiles}
                onChange={(e) => setSettings({ ...settings, sms_alert_mobiles: e.target.value })}
-                placeholder="多个手机号用逗号分隔，如 13800138000,13900139000"
+                placeholder="暂未开放"
+                disabled
+                style={{ opacity: 0.5 }}
              />
            </div>