feat(api-gateway): 添加 standalone 模式 (up2) 支持 2.0 服务与 Kong 同机部署

- 新增 kong-standalone.yml: 2.0 服务通过 host.docker.internal 访问本机端口
  1.0 服务仍走 192.168.1.111, CORS 已添加 mapi.szaiai.com
- 新增 docker-compose.standalone.yml: compose override 添加 extra_hosts
- deploy.sh 新增 up2/sync2 命令

用法:
  ./deploy.sh up2    # 启动 Kong (standalone)
  ./deploy.sh sync2  # 重新同步 standalone 配置

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/api-gateway/deploy.sh

@@ -120,6 +120,45 @@ cmd_up() {
     fi
 }
 
+# 启动服务 (2.0 standalone 模式)
+# 使用 docker-compose.standalone.yml override:
+#   - Kong 加 extra_hosts: host.docker.internal (访问同机 2.0 服务)
+#   - kong-config 加载 kong-standalone.yml (2.0 → localhost, 1.0 → 192.168.1.111)
+cmd_up2() {
+    log_info "启动 Kong API Gateway (standalone 模式)..."
+    check_backend
+
+    local STANDALONE="$COMPOSE_CMD -f docker-compose.yml -f docker-compose.standalone.yml"
+    $STANDALONE up -d
+
+    log_info "等待 Kong 启动..."
+    sleep 10
+
+    if docker ps | grep -q rwa-kong; then
+        log_success "Kong API Gateway (standalone) 启动成功!"
+        echo ""
+        echo "模式: standalone (2.0 → host.docker.internal, 1.0 → 192.168.1.111)"
+        echo "服务地址:"
+        echo "  Proxy:     http://localhost:8000"
+        echo "  Admin API: http://localhost:8001"
+        echo "  Admin GUI: http://localhost:8002"
+        echo ""
+    else
+        log_error "Kong 启动失败，查看日志: $STANDALONE logs"
+        exit 1
+    fi
+}
+
+# 重新同步 standalone 配置
+cmd_sync2() {
+    log_info "同步 kong-standalone.yml 到 Kong..."
+    local STANDALONE="$COMPOSE_CMD -f docker-compose.yml -f docker-compose.standalone.yml"
+    $STANDALONE run --rm kong-config
+    log_success "standalone 配置同步完成"
+    echo ""
+    echo "查看路由: ./deploy.sh routes"
+}
+
 # 停止服务
 cmd_down() {
     log_info "停止 Kong API Gateway..."
@@ -410,6 +449,10 @@ show_help() {
     echo "  test      测试 API 路由"
     echo "  clean     清理容器和数据"
     echo ""
+    echo "Standalone 模式 (2.0 服务与 Kong 同机):"
+    echo "  up2       启动 Kong (standalone, 2.0 → host.docker.internal)"
+    echo "  sync2     重新同步 kong-standalone.yml 配置"
+    echo ""
     echo "Nginx 命令:"
     echo "  nginx install [domain]  安装 Nginx + SSL 证书 (默认: mapi.szaiai.com)"
     echo "  nginx ssl [domain]      申请/续期 SSL 证书"
@@ -468,6 +511,12 @@ main() {
         clean)
             cmd_clean
             ;;
+        up2)
+            cmd_up2
+            ;;
+        sync2)
+            cmd_sync2
+            ;;
         nginx)
             case "${2:-install}" in
                 install)

backend/api-gateway/docker-compose.standalone.yml

@@ -0,0 +1,15 @@
+# =============================================================================
+# Kong Standalone Override - 2.0 服务与 Kong 同机部署
+# =============================================================================
+# 用法: ./deploy.sh up2
+# 等价于: docker compose -f docker-compose.yml -f docker-compose.standalone.yml up -d
+# =============================================================================
+
+services:
+  kong:
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+
+  kong-config:
+    volumes:
+      - ./kong-standalone.yml:/etc/kong/kong.yml:ro

backend/api-gateway/kong-standalone.yml

@@ -0,0 +1,390 @@
+# =============================================================================
+# Kong API Gateway - 2.0 Standalone 声明式配置
+# =============================================================================
+# 部署说明:
+#   - Kong + 2.0 服务: 同一台物理机 (192.168.1.10)
+#   - 1.0 后端服务器: 192.168.1.111
+#   - 2.0 服务通过 host.docker.internal 访问宿主机端口 (无需走局域网)
+#
+# 使用方法:
+#   ./deploy.sh up2    # 启动 Kong 并加载此配置
+#   ./deploy.sh sync2  # 仅重新同步此配置
+# =============================================================================
+
+_format_version: "3.0"
+_transform: true
+
+# =============================================================================
+# Services
+# =============================================================================
+services:
+  # ===========================================================================
+  # 1.0 Services → 192.168.1.111 (通过局域网)
+  # ===========================================================================
+
+  - name: identity-service
+    url: http://192.168.1.111:3000
+    routes:
+      - name: identity-auth
+        paths:
+          - /api/v1/auth
+        strip_path: false
+      - name: identity-me
+        paths:
+          - /api/v1/me
+        strip_path: false
+      - name: identity-user
+        paths:
+          - /api/v1/user
+        strip_path: false
+      - name: identity-users
+        paths:
+          - /api/v1/users
+        strip_path: false
+      - name: identity-health
+        paths:
+          - /api/v1/identity/health
+        strip_path: true
+      - name: identity-admin-pending-actions
+        paths:
+          - /api/v1/admin/pending-actions
+        strip_path: false
+
+  - name: wallet-service
+    url: http://192.168.1.111:3001
+    routes:
+      - name: wallet-api
+        paths:
+          - /api/v1/wallets
+        strip_path: false
+      - name: wallet-main
+        paths:
+          - /api/v1/wallet
+        strip_path: false
+      - name: wallet-health
+        paths:
+          - /api/v1/wallet-service/health
+        strip_path: true
+
+  - name: backup-service
+    url: http://192.168.1.111:3002
+    routes:
+      - name: backup-api
+        paths:
+          - /api/v1/backups
+        strip_path: false
+      - name: backup-share-api
+        paths:
+          - /api/v1/backup-share
+        strip_path: false
+
+  - name: planting-service
+    url: http://192.168.1.111:3003
+    routes:
+      - name: planting-api
+        paths:
+          - /api/v1/planting
+        strip_path: false
+
+  - name: referral-service
+    url: http://192.168.1.111:3004
+    routes:
+      - name: referral-api
+        paths:
+          - /api/v1/referral
+        strip_path: false
+      - name: referral-referrals
+        paths:
+          - /api/v1/referrals
+        strip_path: false
+      - name: referral-team-statistics
+        paths:
+          - /api/v1/team-statistics
+        strip_path: false
+
+  - name: reward-service
+    url: http://192.168.1.111:3005
+    routes:
+      - name: reward-api
+        paths:
+          - /api/v1/rewards
+        strip_path: false
+
+  - name: mpc-service
+    url: http://192.168.1.111:3006
+    routes:
+      - name: mpc-api
+        paths:
+          - /api/v1/mpc
+        strip_path: false
+      - name: mpc-party-api
+        paths:
+          - /api/v1/mpc-party
+        strip_path: false
+
+  - name: leaderboard-service
+    url: http://192.168.1.111:3007
+    routes:
+      - name: leaderboard-api
+        paths:
+          - /api/v1/leaderboard
+        strip_path: false
+      - name: leaderboard-virtual-accounts
+        paths:
+          - /api/v1/virtual-accounts
+        strip_path: false
+
+  - name: reporting-service
+    url: http://192.168.1.111:3008
+    routes:
+      - name: reporting-dashboard
+        paths:
+          - /api/v1/dashboard
+        strip_path: false
+      - name: reporting-api
+        paths:
+          - /api/v1/reports
+        strip_path: false
+      - name: reporting-export
+        paths:
+          - /api/v1/export
+        strip_path: false
+      - name: reporting-system-accounts
+        paths:
+          - /api/v1/system-account-reports
+        strip_path: false
+
+  - name: authorization-service
+    url: http://192.168.1.111:3009
+    routes:
+      - name: authorization-api
+        paths:
+          - /api/v1/authorizations
+        strip_path: false
+      - name: authorization-admin
+        paths:
+          - /api/v1/admin/authorizations
+        strip_path: false
+
+  - name: admin-service
+    url: http://192.168.1.111:3010
+    routes:
+      - name: admin-versions
+        paths:
+          - /api/v1/versions
+        strip_path: false
+      - name: admin-api
+        paths:
+          - /api/v1/admin
+        strip_path: false
+      - name: admin-mobile-version
+        paths:
+          - /api/app/version
+        strip_path: false
+      - name: admin-downloads
+        paths:
+          - /downloads
+        strip_path: false
+      - name: admin-mobile-notifications
+        paths:
+          - /api/v1/mobile/notifications
+        strip_path: false
+      - name: admin-mobile-system
+        paths:
+          - /api/v1/mobile/system
+        strip_path: false
+
+  - name: presence-service
+    url: http://192.168.1.111:3011
+    routes:
+      - name: presence-api
+        paths:
+          - /api/v1/presence
+        strip_path: false
+      - name: presence-analytics
+        paths:
+          - /api/v1/analytics
+        strip_path: false
+
+  - name: blockchain-service
+    url: http://192.168.1.111:3012
+    routes:
+      - name: blockchain-deposit
+        paths:
+          - /api/v1/deposit
+        strip_path: false
+      - name: blockchain-balance
+        paths:
+          - /api/v1/balance
+        strip_path: false
+
+  - name: mpc-account-service
+    url: http://192.168.1.111:4000
+    routes:
+      - name: mpc-co-managed
+        paths:
+          - /api/v1/co-managed
+        strip_path: false
+
+  # ===========================================================================
+  # 2.0 Services → host.docker.internal (同一台物理机，通过宿主机端口)
+  # ===========================================================================
+
+  - name: contribution-service-v2
+    url: http://host.docker.internal:3020
+    routes:
+      - name: contribution-v2-api
+        paths:
+          - /api/v2/contribution
+        strip_path: false
+      - name: contribution-v2-health
+        paths:
+          - /api/v2/contribution/health
+        strip_path: false
+
+  - name: mining-service-v2
+    url: http://host.docker.internal:3021
+    routes:
+      - name: mining-v2-api
+        paths:
+          - /api/v2/mining
+        strip_path: false
+      - name: mining-v2-health
+        paths:
+          - /api/v2/mining/health
+        strip_path: false
+
+  - name: trading-service-v2
+    url: http://host.docker.internal:3022/api/v2
+    routes:
+      - name: trading-v2-api
+        paths:
+          - /api/v2/trading
+        strip_path: true
+      - name: trading-v2-health
+        paths:
+          - /api/v2/trading/health
+        strip_path: true
+
+  - name: trading-ws-service
+    url: http://host.docker.internal:3022
+    routes:
+      - name: trading-ws-price
+        paths:
+          - /ws/price
+        strip_path: true
+        protocols:
+          - http
+          - https
+
+  - name: mining-admin-service
+    url: http://host.docker.internal:3023/api/v2
+    routes:
+      - name: mining-admin-api
+        paths:
+          - /api/v2/mining-admin
+        strip_path: true
+      - name: mining-admin-health
+        paths:
+          - /api/v2/mining-admin/health
+        strip_path: true
+
+  - name: mining-admin-upgrade-service
+    url: http://host.docker.internal:3023
+    routes:
+      - name: mining-admin-upgrade
+        paths:
+          - /mining-admin
+        strip_path: true
+
+  - name: auth-service-v2
+    url: http://host.docker.internal:3024
+    routes:
+      - name: auth-v2-api
+        paths:
+          - /api/v2/auth
+        strip_path: false
+      - name: auth-v2-health
+        paths:
+          - /api/v2/auth/health
+        strip_path: false
+
+  - name: mining-wallet-service
+    url: http://host.docker.internal:3025/api/v2
+    routes:
+      - name: mining-wallet-api
+        paths:
+          - /api/v2/mining-wallet
+        strip_path: true
+      - name: mining-wallet-health
+        paths:
+          - /api/v2/mining-wallet/health
+        strip_path: true
+
+  - name: mining-blockchain-service
+    url: http://host.docker.internal:3026
+    routes:
+      - name: mining-blockchain-api
+        paths:
+          - /api/v1/mining-blockchain
+        strip_path: false
+
+# =============================================================================
+# Plugins
+# =============================================================================
+plugins:
+  - name: cors
+    config:
+      origins:
+        - "https://rwaadmin.szaiai.com"
+        - "https://madmin.szaiai.com"
+        - "https://mapi.szaiai.com"
+        - "https://update.szaiai.com"
+        - "https://app.rwadurian.com"
+        - "http://localhost:3000"
+        - "http://localhost:3020"
+        - "http://localhost:3100"
+      methods:
+        - GET
+        - POST
+        - PUT
+        - PATCH
+        - DELETE
+        - OPTIONS
+      headers:
+        - Accept
+        - Accept-Version
+        - Content-Length
+        - Content-MD5
+        - Content-Type
+        - Date
+        - Authorization
+        - X-Auth-Token
+      exposed_headers:
+        - X-Auth-Token
+      credentials: true
+      max_age: 3600
+
+  - name: rate-limiting
+    config:
+      minute: 10000
+      hour: 500000
+      policy: local
+
+  - name: file-log
+    config:
+      path: /tmp/kong-access.log
+      reopen: true
+
+  - name: request-size-limiting
+    config:
+      allowed_payload_size: 500
+      size_unit: megabytes
+
+  - name: prometheus
+    config:
+      per_consumer: true
+      status_code_metrics: true
+      latency_metrics: true
+      bandwidth_metrics: true
+      upstream_health_metrics: true