docs(config): update .env.example files for production deployment

- Update all .env.example files with production topology documentation - Add network configuration for Server A (119.145.15.38/192.168.1.100) and Server B (192.168.1.111) - Document service ports and connection URLs for all microservices - Add architecture diagrams in comments for easy reference - Include security notes and key generation commands Files updated: - backend/services/.env.example (main config) - backend/services/identity-service/.env.example - backend/services/mpc-service/.env.example - backend/services/blockchain-service/.env.example - backend/mpc-system/.env.example - backend/api-gateway/.env.example - backend/infrastructure/.env.example 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 04:55:21 -08:00 · 2025-12-07 04:55:21 -08:00 · b25a893d37
parent ab8852907d
commit b25a893d37
7 changed files with 477 additions and 122 deletions
--- a/backend/api-gateway/.env.example
+++ b/backend/api-gateway/.env.example
@ -1,16 +1,51 @@
 # =============================================================================
-# API Gateway (Kong) - Environment Configuration
+# API Gateway (Kong) - Production Environment Configuration
 # =============================================================================
-# This file contains all environment variables needed for Kong API Gateway.
+#
+# Deployment: Server A (192.168.1.100)
+# Role: API gateway with rate limiting, authentication, and routing
+#
+# Architecture:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Internet (https://rwaapi.szaiai.com)                                    │
+# └─────────────────────────────────────────────────────────────────────────┘
+#                                    │
+#                                    ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Server A - 119.145.15.38 (Public) / 192.168.1.100 (Internal)            │
+# │   ├── nginx (port 80/443) - SSL termination, reverse proxy             │
+# │   ├── Kong (port 8000)    - API gateway, routing, rate limiting        │
+# │   └── Kong Admin (8001)   - Admin API (internal only)                  │
+# └─────────────────────────────────────────────────────────────────────────┘
+#                                    │
+#                                    ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Server B - 192.168.1.111 (Internal Only)                                │
+# │   └── Microservices (identity:3000, wallet:3001, mpc:3006, etc.)        │
+# └─────────────────────────────────────────────────────────────────────────┘
 #
 # Setup Instructions:
 #   1. Copy this file: cp .env.example .env
 #   2. Update values according to your deployment environment
-#   3. Start services: ./deploy.sh up
+#   3. Update kong.yml service URLs to point to 192.168.1.111
+#   4. Start services: ./deploy.sh up
 #
 # IMPORTANT: In production, change all default passwords and secrets!
 # =============================================================================

+# =============================================================================
+# Network Configuration
+# =============================================================================
+# Public domain for the API
+PUBLIC_DOMAIN=rwaapi.szaiai.com
+
+# Server A: Gateway server (this server)
+GATEWAY_SERVER_PUBLIC_IP=119.145.15.38
+GATEWAY_SERVER_INTERNAL_IP=192.168.1.100
+
+# Server B: Backend services server
+BACKEND_SERVER_IP=192.168.1.111
+
 # =============================================================================
 # Kong Database Configuration
 # =============================================================================
@ -25,10 +60,10 @@ KONG_PG_PASSWORD=kong_password
 # Kong Admin GUI Configuration
 # =============================================================================
 # Admin GUI URL - Update to match your deployment domain
-# Examples:
-#   Development: http://localhost:8002
-#   Production:  https://admin.yourdomain.com
-KONG_ADMIN_GUI_URL=http://localhost:8002
+# For production with nginx reverse proxy:
+#   https://admin.rwaapi.szaiai.com or internal only access
+# SECURITY: Consider not exposing admin GUI publicly!
+KONG_ADMIN_GUI_URL=http://192.168.1.100:8002

 # =============================================================================
 # Monitoring Stack Configuration (Optional)
@ -40,34 +75,35 @@ GRAFANA_ADMIN_PASSWORD=admin123

 # Grafana Root URL - CRITICAL: Must match the actual URL users access Grafana from
 # IMPORTANT: This affects CORS, redirects, and authentication!
-# Examples:
-#   Local development:           http://localhost:3030
-#   Production with Nginx+SSL:   https://monitor.szaiai.com
-#   Production without SSL:      http://monitor.szaiai.com
 #
-# If you use install-monitor.sh with domain "monitor.szaiai.com", set:
+# For your deployment with nginx SSL:
 #   GRAFANA_ROOT_URL=https://monitor.szaiai.com
 #
 # Common mistake: Setting localhost when accessing via domain causes "origin not allowed" error!
 # After changing this value, you MUST restart monitoring services:
 #   ./deploy.sh monitoring down && ./deploy.sh monitoring up
-GRAFANA_ROOT_URL=http://localhost:3030
+GRAFANA_ROOT_URL=https://monitor.szaiai.com

 # Docker network name for monitoring services
 # Note: This should match the network created by docker-compose.yml
 NETWORK_NAME=api-gateway_rwa-network

 # =============================================================================
-# Backend Services Configuration
+# Kong Upstream Service URLs (for kong.yml configuration)
 # =============================================================================
-# Backend server IP address for connectivity checks
-# IMPORTANT: Update this to the actual IP where your microservices are deployed!
-# You MUST also update service URLs in kong.yml to match this IP
-# Examples:
-#   Local development: 127.0.0.1
-#   Remote server:     192.168.1.111
-#   Same server:       127.0.0.1
+# These are reference values - actual configuration is in kong.yml
+# All services run on Server B (192.168.1.111):
 #
-# Default is example IP - CHANGE THIS to your actual backend server IP!
-# If backend is on same server as Kong, use 127.0.0.1
-BACKEND_SERVER_IP=192.168.1.111
+# identity-service:    http://192.168.1.111:3000
+# wallet-service:      http://192.168.1.111:3001
+# backup-service:      http://192.168.1.111:3002
+# planting-service:    http://192.168.1.111:3003
+# referral-service:    http://192.168.1.111:3004
+# reward-service:      http://192.168.1.111:3005
+# mpc-service:         http://192.168.1.111:3006
+# leaderboard-service: http://192.168.1.111:3007
+# reporting-service:   http://192.168.1.111:3008
+# authorization-service: http://192.168.1.111:3009
+# admin-service:       http://192.168.1.111:3010
+# presence-service:    http://192.168.1.111:3011
+# blockchain-service:  http://192.168.1.111:3012
--- a/backend/infrastructure/.env.example
+++ b/backend/infrastructure/.env.example
@ -1,47 +1,94 @@
 # =============================================================================
-# RWA Infrastructure - 环境变量配置
+# RWA Infrastructure - Production Environment Configuration
 # =============================================================================
-# 复制此文件为 .env 并修改配置
+#
+# Deployment: Server B (192.168.1.111) or separate monitoring server
+# Role: Observability stack - metrics, logs, tracing, service discovery
+#
+# Components:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Observability Stack                                                     │
+# ├─────────────────────────────────────────────────────────────────────────┤
+# │ Grafana     :3030  - Dashboards and visualization                       │
+# │ Prometheus  :9090  - Metrics collection and alerting                    │
+# │ Loki        :3100  - Log aggregation                                    │
+# │ Jaeger      :16686 - Distributed tracing                                │
+# │ Consul      :8500  - Service discovery (optional)                       │
+# └─────────────────────────────────────────────────────────────────────────┘
+#
+# Network Topology:
+#   Server A (192.168.1.100): Kong API Gateway
+#   Server B (192.168.1.111): Microservices + MPC System
+#   Prometheus scrapes metrics from both servers
+#
+# Setup:
+#   1. Copy to .env: cp .env.example .env
+#   2. Update passwords and URLs
+#   3. Start: docker-compose up -d
 # =============================================================================

-# -----------------------------------------------------------------------------
-# Consul 配置
-# -----------------------------------------------------------------------------
+# =============================================================================
+# Network Configuration
+# =============================================================================
+# Server A: Gateway (Kong)
+KONG_SERVER_IP=192.168.1.100
+
+# Server B: Backend services
+BACKEND_SERVER_IP=192.168.1.111
+
+# Public domain
+PUBLIC_DOMAIN=rwaapi.szaiai.com
+
+# =============================================================================
+# Consul Configuration (Service Discovery)
+# =============================================================================
 CONSUL_HTTP_PORT=8500
 CONSUL_DNS_PORT=8600

-# -----------------------------------------------------------------------------
-# Jaeger 配置
-# -----------------------------------------------------------------------------
+# =============================================================================
+# Jaeger Configuration (Distributed Tracing)
+# =============================================================================
 JAEGER_UI_PORT=16686

-# -----------------------------------------------------------------------------
-# Loki 配置
-# -----------------------------------------------------------------------------
+# =============================================================================
+# Loki Configuration (Log Aggregation)
+# =============================================================================
 LOKI_PORT=3100

-# -----------------------------------------------------------------------------
-# Grafana 配置
-# -----------------------------------------------------------------------------
+# =============================================================================
+# Grafana Configuration (Dashboards)
+# =============================================================================
 GRAFANA_PORT=3030
 GRAFANA_ADMIN_USER=admin
+# SECURITY: Change this in production!
+# Example command to generate: openssl rand -base64 24
 GRAFANA_ADMIN_PASSWORD=admin123
-GRAFANA_ROOT_URL=http://localhost:3030
+
+# Grafana Root URL - MUST match actual access URL for CORS/auth
+# For internal access: http://192.168.1.111:3030
+# For external access with nginx: https://monitor.szaiai.com
+GRAFANA_ROOT_URL=https://monitor.szaiai.com
 GRAFANA_LOG_LEVEL=info

-# -----------------------------------------------------------------------------
-# Prometheus 配置
-# -----------------------------------------------------------------------------
+# =============================================================================
+# Prometheus Configuration (Metrics)
+# =============================================================================
 PROMETHEUS_PORT=9090

-# -----------------------------------------------------------------------------
-# 后端服务器 IP (用于 Prometheus 抓取)
-# -----------------------------------------------------------------------------
-BACKEND_SERVER_IP=192.168.1.111
-KONG_SERVER_IP=192.168.1.100
+# Scrape targets (configured in prometheus.yml):
+# - Kong:                   192.168.1.100:8001/metrics
+# - identity-service:       192.168.1.111:3000/metrics
+# - wallet-service:         192.168.1.111:3001/metrics
+# - mpc-service:            192.168.1.111:3006/metrics
+# - blockchain-service:     192.168.1.111:3012/metrics
+# - mpc-system services:    192.168.1.111:4000/metrics, etc.

-# -----------------------------------------------------------------------------
-# PostgreSQL 配置 (用于 Grafana 数据源)
-# -----------------------------------------------------------------------------
+# =============================================================================
+# PostgreSQL Configuration (for Grafana data source)
+# =============================================================================
+# Connect to main RWA database for dashboards
+POSTGRES_HOST=192.168.1.111
+POSTGRES_PORT=5432
 POSTGRES_USER=rwa_user
+# SECURITY: Use the same password as backend/services/.env
 POSTGRES_PASSWORD=your_password_here
--- a/backend/mpc-system/.env.example
+++ b/backend/mpc-system/.env.example
@ -1,7 +1,31 @@
 # =============================================================================
-# MPC System - Environment Configuration
+# MPC System - Production Environment Configuration
 # =============================================================================
-# This file contains all environment variables needed for MPC System deployment.
+#
+# Deployment: Server B (192.168.1.111)
+# Role: Threshold Signature Scheme (TSS) backend for 2-of-3 MPC wallet operations
+#
+# Architecture:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ MPC System Components (Go services on Server B)                         │
+# ├─────────────────────────────────────────────────────────────────────────┤
+# │ account-service        :4000  - User account & session management       │
+# │ session-coordinator    :8081  - TSS protocol coordination               │
+# │ message-router         :8082  - WebSocket for P2P TSS messages          │
+# │ server-party-api       :8083  - Server-side party operations            │
+# │ server-party-1         :8091  - TSS party instance 1                    │
+# │ server-party-2         :8092  - TSS party instance 2                    │
+# ├─────────────────────────────────────────────────────────────────────────┤
+# │ Infrastructure                                                          │
+# │ postgres               :5432  - MPC database                            │
+# │ redis                  :6379  - Session cache                           │
+# │ rabbitmq               :5672  - Internal message queue                  │
+# └─────────────────────────────────────────────────────────────────────────┘
+#
+# Network Flow:
+#   mpc-service (NestJS) → account-service → session-coordinator → parties
+#         ↓
+#   Mobile App → message-router (WebSocket) → client party
 #
 # Setup Instructions:
 #   1. Copy this file: cp .env.example .env
@ -22,6 +46,15 @@
 # Options: development, staging, production
 ENVIRONMENT=production

+# =============================================================================
+# Network Configuration
+# =============================================================================
+# Server B internal IP (where MPC system runs)
+MPC_SERVER_IP=192.168.1.111
+
+# Server A internal IP (Kong gateway, for ALLOWED_IPS if needed)
+GATEWAY_SERVER_IP=192.168.1.100
+
 # =============================================================================
 # PostgreSQL Database Configuration
 # =============================================================================
@ -58,6 +91,7 @@ RABBITMQ_PASSWORD=change_this_to_secure_rabbitmq_password
 # JWT signing secret key (minimum 32 characters)
 # SECURITY: Generate a strong random key in production!
 # Example command: openssl rand -base64 48
+# IMPORTANT: This MUST match MPC_JWT_SECRET in mpc-service configuration!
 JWT_SECRET_KEY=change_this_jwt_secret_key_to_random_value_min_32_chars

 # =============================================================================
@ -82,12 +116,16 @@ MPC_API_KEY=change_this_api_key_to_match_your_mpc_service_config
 # Allowed IP addresses (comma-separated list)
 # Only these IPs can access the MPC system APIs
 # IMPORTANT: In production, restrict this to your actual backend server IP(s)!
+#
+# Recommended configuration for your environment:
+#   - 192.168.1.111: Server B (mpc-service running here)
+#   - 192.168.1.100: Server A (if Kong needs direct access)
+#   - 127.0.0.1:     Local Docker network
+#
 # Examples:
 #   Single IP:    ALLOWED_IPS=192.168.1.111
-#   Multiple IPs: ALLOWED_IPS=192.168.1.111,192.168.1.112
-#   Local only:   ALLOWED_IPS=127.0.0.1
-#   Allow all:    ALLOWED_IPS=  (empty, relies on API_KEY auth only - NOT RECOMMENDED for production)
+#   Multiple IPs: ALLOWED_IPS=192.168.1.111,192.168.1.100,127.0.0.1
+#   Allow all:    ALLOWED_IPS=  (empty, relies on API_KEY auth only - NOT RECOMMENDED)
 #
-# Default allows all IPs (protected by API_KEY authentication)
-# SECURITY WARNING: Change this in production to specific backend server IP(s)!
-ALLOWED_IPS=
+# For your deployment (mpc-service on same server as mpc-system):
+ALLOWED_IPS=192.168.1.111,127.0.0.1
--- a/backend/services/.env.example
+++ b/backend/services/.env.example
@ -1,32 +1,101 @@
 # =============================================================================
-# RWA Backend Services - Environment Configuration Template
+# RWA Backend Services - Production Environment Configuration
 # =============================================================================
-# Copy this file to .env and fill in the values
+#
+# Deployment Topology:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Internet (https://rwaapi.szaiai.com)                                    │
+# └─────────────────────────────────────────────────────────────────────────┘
+#                                    │
+#                                    ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Server A (Gateway) - 119.145.15.38 (Public) / 192.168.1.100 (Internal)  │
+# │   nginx (SSL termination) → Kong (API Gateway)                          │
+# └─────────────────────────────────────────────────────────────────────────┘
+#                                    │
+#                                    ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ Server B (Backend) - 192.168.1.111 (Internal Only)                      │
+# │   ├── Microservices (identity, wallet, mpc-service, blockchain, etc.)   │
+# │   ├── MPC System (account-service, session-coordinator, message-router) │
+# │   └── Infrastructure (PostgreSQL, Redis, Kafka)                         │
+# └─────────────────────────────────────────────────────────────────────────┘
+#
+# Setup Instructions:
+#   1. Copy this file: cp .env.example .env
+#   2. Update ALL password/secret values (generate with openssl commands below)
+#   3. Start services: ./deploy.sh up
+#
 # WARNING: Never commit .env to version control!
 # =============================================================================

+# =============================================================================
+# Network Configuration
+# =============================================================================
+# Public domain for the API
+PUBLIC_DOMAIN=rwaapi.szaiai.com
+
+# Server A: Gateway server (nginx + kong)
+GATEWAY_SERVER_PUBLIC_IP=119.145.15.38
+GATEWAY_SERVER_INTERNAL_IP=192.168.1.100
+
+# Server B: Backend services server
+BACKEND_SERVER_IP=192.168.1.111
+
+# =============================================================================
 # PostgreSQL Database
+# =============================================================================
 POSTGRES_USER=rwa_user
+# SECURITY: Generate with: openssl rand -base64 32
 POSTGRES_PASSWORD=your_secure_password_here

-# Redis (leave empty for no password)
+# =============================================================================
+# Redis Cache
+# =============================================================================
+# Leave empty if Redis is only accessible within Docker network
+# For additional security, generate with: openssl rand -base64 24
 REDIS_PASSWORD=

-# JWT Configuration (generate with: openssl rand -base64 32)
+# =============================================================================
+# JWT Configuration
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
 JWT_SECRET=your_jwt_secret_here

+# =============================================================================
 # Service-to-Service Authentication
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
 SERVICE_JWT_SECRET=your_service_jwt_secret_here

-# Wallet Encryption Salt
+# =============================================================================
+# Wallet Encryption
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
 WALLET_ENCRYPTION_SALT=your_wallet_salt_here

-# Backup Encryption Key (256-bit hex: openssl rand -hex 32)
+# =============================================================================
+# Backup Service Encryption
+# =============================================================================
+# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
 BACKUP_ENCRYPTION_KEY=your_64_char_hex_key_here

-# MPC Share Master Key (256-bit hex: openssl rand -hex 32)
+# =============================================================================
+# MPC Share Encryption
+# =============================================================================
+# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
+# WARNING: If you lose this key, encrypted shares cannot be recovered!
 SHARE_MASTER_KEY=your_64_char_hex_key_here

-# MPC System Address (running on 192.168.1.111)
+# =============================================================================
+# MPC System Configuration (Go TSS Backend on Server B)
+# =============================================================================
+# These URLs are used when services communicate directly with mpc-system
+# Note: In Docker Compose, services use internal Docker network names instead
 MPC_COORDINATOR_URL=http://192.168.1.111:8081
 MPC_MESSAGE_ROUTER_URL=ws://192.168.1.111:8082
+MPC_ACCOUNT_SERVICE_URL=http://192.168.1.111:4000
+
+# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY
+# SECURITY: Generate with: openssl rand -base64 48
+MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars
--- a/backend/services/blockchain-service/.env.example
+++ b/backend/services/blockchain-service/.env.example
@ -1,36 +1,94 @@
+# =============================================================================
+# Blockchain Service - Production Environment Configuration
+# =============================================================================
+#
+# Deployment: Server B (192.168.1.111)
+# Role: Blockchain address derivation, balance queries, transaction monitoring
+#
+# Responsibilities:
+#   - Derive multi-chain addresses from public keys (KAVA, DST, BSC)
+#   - Monitor blockchain transactions for deposit detection
+#   - Publish WalletAddressCreated events to Kafka
+#   - Query wallet balances across supported chains
+#
+# Flow: mpc-service → blockchain-service → Kafka → identity-service
+#       (publicKey)    (derive addresses)  (event)  (save addresses)
+#
+# Setup:
+#   1. Copy to .env: cp .env.example .env
+#   2. In Docker Compose mode, most values are overridden by docker-compose.yml
+# =============================================================================
+
+# =============================================================================
 # Application
-NODE_ENV=development
+# =============================================================================
+NODE_ENV=production
 PORT=3012
 SERVICE_NAME=blockchain-service
+API_PREFIX=api/v1

-# Database
-DATABASE_URL=postgresql://rwa:rwa_password@localhost:5432/rwa_blockchain?schema=public
+# =============================================================================
+# Database (PostgreSQL on Server B)
+# =============================================================================
+# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_blockchain
+# Direct access:  postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_blockchain
+DATABASE_URL=postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_blockchain?schema=public

-# Redis
-REDIS_HOST=localhost
+# =============================================================================
+# Redis (on Server B)
+# =============================================================================
+# Docker Compose: redis / Direct: 192.168.1.111
+REDIS_HOST=192.168.1.111
 REDIS_PORT=6379
 REDIS_DB=11
 REDIS_PASSWORD=

-# Kafka
-KAFKA_BROKERS=localhost:9092
+# =============================================================================
+# Kafka (on Server B)
+# =============================================================================
+# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
+KAFKA_BROKERS=192.168.1.111:9092
 KAFKA_CLIENT_ID=blockchain-service
 KAFKA_GROUP_ID=blockchain-service-group

-# Blockchain - KAVA (EVM)
+# =============================================================================
+# Blockchain - KAVA (EVM-compatible Cosmos chain)
+# =============================================================================
+# Official KAVA EVM RPC endpoint
 KAVA_RPC_URL=https://evm.kava.io
 KAVA_CHAIN_ID=2222
+# KAVA USDT contract address
 KAVA_USDT_CONTRACT=0x919C1c267BC06a7039e03fcc2eF738525769109c

-# Blockchain - BSC
+# =============================================================================
+# Blockchain - BSC (Binance Smart Chain)
+# =============================================================================
+# Public BSC RPC endpoint (consider using paid RPC for production)
 BSC_RPC_URL=https://bsc-dataseed.binance.org
 BSC_CHAIN_ID=56
+# BSC USDT (Binance-Peg) contract address
 BSC_USDT_CONTRACT=0x55d398326f99059fF775485246999027B3197955

-# Block Scanner
+# =============================================================================
+# Blockchain - DST (Cosmos chain, placeholder)
+# =============================================================================
+# DST_RPC_URL=https://rpc.dst.network
+# DST_CHAIN_ID=dst-1
+
+# =============================================================================
+# Block Scanner Configuration
+# =============================================================================
+# Interval between block scans (milliseconds)
 BLOCK_SCAN_INTERVAL_MS=5000
+
+# Number of confirmations required before considering transaction final
 BLOCK_CONFIRMATIONS_REQUIRED=12
+
+# Maximum blocks to process in one batch
 BLOCK_SCAN_BATCH_SIZE=100

+# =============================================================================
 # Logging
-LOG_LEVEL=debug
+# =============================================================================
+# Options: debug, info, warn, error
+LOG_LEVEL=info
--- a/backend/services/identity-service/.env.example
+++ b/backend/services/identity-service/.env.example
@ -1,62 +1,107 @@
 # =============================================================================
-# Identity Service - Environment Variables
+# Identity Service - Production Environment Configuration
+# =============================================================================
+#
+# Deployment: Server B (192.168.1.111)
+# Role: User account management, authentication, wallet address storage
+#
+# Flow: Kong → identity-service → mpc-service → blockchain-service
+#       ↑                                              ↓
+#       └────────────────── Kafka ←───────────────────┘
+#
+# Setup:
+#   1. Copy to .env: cp .env.example .env
+#   2. In Docker Compose mode, most values are overridden by docker-compose.yml
+#   3. For local development, update values below
 # =============================================================================

+# =============================================================================
 # Application
+# =============================================================================
 APP_PORT=3000
-APP_ENV="development"
+APP_ENV="production"

-# Database (PostgreSQL)
-DATABASE_URL="postgresql://postgres:password@localhost:5432/rwa_identity?schema=public"
+# =============================================================================
+# Database (PostgreSQL on Server B)
+# =============================================================================
+# Docker Compose: postgresql://rwa_user:xxx@postgres:5432/rwa_identity
+# Direct access:  postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_identity
+DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_identity?schema=public"

-# JWT
+# =============================================================================
+# JWT Configuration
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
+# MUST match JWT_SECRET in backend/services/.env
 JWT_SECRET="your-super-secret-jwt-key-change-in-production"
 JWT_ACCESS_EXPIRES_IN="2h"
 JWT_REFRESH_EXPIRES_IN="30d"

-# Redis
-REDIS_HOST="localhost"
+# =============================================================================
+# Redis (on Server B)
+# =============================================================================
+# Docker Compose: redis / Direct: 192.168.1.111
+REDIS_HOST="192.168.1.111"
 REDIS_PORT=6379
 REDIS_PASSWORD=""
 REDIS_DB=0

-# Kafka
-KAFKA_BROKERS="localhost:9092"
+# =============================================================================
+# Kafka (on Server B)
+# =============================================================================
+# Docker Compose: kafka:29092 / Direct: 192.168.1.111:9092
+KAFKA_BROKERS="192.168.1.111:9092"
 KAFKA_CLIENT_ID="identity-service"
 KAFKA_GROUP_ID="identity-service-group"

-# SMS Service
+# =============================================================================
+# SMS Service (External)
+# =============================================================================
 SMS_API_URL="https://sms-api.example.com"
 SMS_API_KEY="your-sms-api-key"

+# =============================================================================
 # Wallet Encryption
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
 WALLET_ENCRYPTION_SALT="rwa-wallet-salt-change-in-production"

 # =============================================================================
 # MPC Service Configuration
 # =============================================================================
-# 调用路径: identity-service -> mpc-service (NestJS) -> mpc-system (Go)
+# Flow: identity-service → mpc-service (NestJS) → mpc-system (Go/TSS)
+#
+# Docker Compose: http://mpc-service:3006
+# Direct access:  http://192.168.1.111:3006
+MPC_SERVICE_URL="http://192.168.1.111:3006"

-# MPC Service URL (NestJS gateway)
-MPC_SERVICE_URL="http://localhost:3001"
+# MPC Mode:
+#   - local:  Mock mode for testing (generates random addresses)
+#   - remote: Production mode (calls mpc-service for real MPC keygen)
+MPC_MODE="remote"

-# MPC Mode: local (模拟) / remote (调用 mpc-service)
-MPC_MODE="local"
-
-# Use event-driven communication for MPC operations
+# Use Kafka event-driven communication for MPC operations
+# Recommended: true for production (async, more reliable)
 MPC_USE_EVENT_DRIVEN="true"

 # =============================================================================
 # Backup Service Configuration
 # =============================================================================
-# 安全要求: 必须部署在与 identity-service 不同的物理服务器上!
+# SECURITY: For production, deploy backup-service on a DIFFERENT server!
+# This ensures no single point of failure for encrypted key shares.
+#
+# Docker Compose: http://backup-service:3002
+# Direct access:  http://192.168.1.111:3002 (or different server IP)
+BACKUP_SERVICE_URL="http://192.168.1.111:3002"
+BACKUP_SERVICE_ENABLED="true"

-BACKUP_SERVICE_URL="http://backup-server:3002"
-BACKUP_SERVICE_ENABLED="false"
+# Service-to-service authentication secret
+# MUST match SERVICE_JWT_SECRET in backup-service
+# SECURITY: Generate with: openssl rand -base64 32
 SERVICE_JWT_SECRET="your-service-jwt-secret-change-in-production"

 # =============================================================================
-# Blockchain RPC URLs (for address verification)
+# Blockchain RPC URLs (for address verification, external endpoints)
 # =============================================================================
 KAVA_RPC_URL="https://evm.kava.io"
 BSC_RPC_URL="https://bsc-dataseed.binance.org"
--- a/backend/services/mpc-service/.env.example
+++ b/backend/services/mpc-service/.env.example
@ -1,69 +1,131 @@
 # =============================================================================
-# MPC Service - Environment Variables
+# MPC Service - Production Environment Configuration
 # =============================================================================
 #
-# mpc-service 作为 MPC 服务网关:
-# 1. 缓存 username + publicKey 的映射关系
-# 2. 存储 delegate share
-# 3. 转发请求到 mpc-system (Go/TSS实现)
+# Deployment: Server B (192.168.1.111)
+# Role: MPC gateway service that bridges NestJS microservices with Go TSS backend
 #
+# Architecture:
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ mpc-service (NestJS on port 3006)                                       │
+# │   ├── Caches username ↔ publicKey mappings                              │
+# │   ├── Stores delegate key shares (encrypted)                            │
+# │   ├── Forwards keygen/signing requests to mpc-system                    │
+# │   └── Publishes events to Kafka for identity-service                    │
+# └─────────────────────────────────────────────────────────────────────────┘
+#                                    │
+#                                    ▼
+# ┌─────────────────────────────────────────────────────────────────────────┐
+# │ mpc-system (Go/TSS on Server B)                                         │
+# │   ├── account-service:       port 4000 (session management)             │
+# │   ├── session-coordinator:   port 8081 (TSS coordination)               │
+# │   ├── message-router:        port 8082 (WebSocket for TSS messages)     │
+# │   └── server-party-api:      port 8083 (server party operations)        │
+# └─────────────────────────────────────────────────────────────────────────┘
+#
+# Setup:
+#   1. Copy to .env: cp .env.example .env
+#   2. In Docker Compose mode, most values are overridden by docker-compose.yml
 # =============================================================================

+# =============================================================================
 # Application
-NODE_ENV="development"
-APP_PORT=3001
+# =============================================================================
+NODE_ENV="production"
+APP_PORT=3006
 API_PREFIX="api/v1"

-# Database (PostgreSQL)
-DATABASE_URL="postgresql://postgres:password@localhost:5432/rwa_mpc?schema=public"
+# =============================================================================
+# Database (PostgreSQL on Server B)
+# =============================================================================
+# Docker Compose: postgresql://rwa_user:xxx@rwa-postgres:5432/rwa_mpc
+# Direct access:  postgresql://rwa_user:xxx@192.168.1.111:5432/rwa_mpc
+DATABASE_URL="postgresql://rwa_user:your_password@192.168.1.111:5432/rwa_mpc?schema=public"

-# Redis
-REDIS_HOST="localhost"
+# =============================================================================
+# Redis (on Server B)
+# =============================================================================
+# Docker Compose: rwa-redis / Direct: 192.168.1.111
+REDIS_HOST="192.168.1.111"
 REDIS_PORT=6379
 REDIS_PASSWORD=""
 REDIS_DB=5

-# JWT
+# =============================================================================
+# JWT Configuration
+# =============================================================================
+# SECURITY: Generate with: openssl rand -base64 32
+# MUST match JWT_SECRET in backend/services/.env
 JWT_SECRET="your-jwt-secret-change-in-production"
 JWT_ACCESS_EXPIRES_IN="2h"
 JWT_REFRESH_EXPIRES_IN="30d"

-# Kafka
-KAFKA_BROKERS="localhost:9092"
+# =============================================================================
+# Kafka (on Server B)
+# =============================================================================
+# Docker Compose: rwa-kafka:29092 / Direct: 192.168.1.111:9092
+KAFKA_BROKERS="192.168.1.111:9092"
 KAFKA_CLIENT_ID="mpc-service"
 KAFKA_GROUP_ID="mpc-service-group"

 # =============================================================================
-# MPC System Configuration (Go/TSS Backend)
+# MPC System Configuration (Go/TSS Backend on Server B)
 # =============================================================================
+# All mpc-system services run in Docker on Server B (192.168.1.111)

-# MPC System Account Service URL (creates keygen/signing sessions)
-MPC_SYSTEM_URL="http://192.168.1.111:4000"
+# Account Service - Creates and manages keygen/signing sessions
+# Docker Compose: http://mpc-account-service:8080
+# Direct access:  http://192.168.1.111:4000
+MPC_ACCOUNT_SERVICE_URL="http://192.168.1.111:4000"

-# API Key for authenticating with MPC system
-MPC_API_KEY="your-mpc-api-key-change-in-production"
-
-# Session Coordinator URL (coordinates TSS sessions)
+# Session Coordinator - Coordinates TSS protocol execution
+# Docker Compose: http://mpc-session-coordinator:8080
+# Direct access:  http://192.168.1.111:8081
 MPC_COORDINATOR_URL="http://192.168.1.111:8081"
+MPC_SESSION_COORDINATOR_URL="http://192.168.1.111:8081"

-# Message Router WebSocket URL (TSS message routing)
+# Message Router - WebSocket for TSS peer-to-peer messages
+# Docker Compose: ws://mpc-message-router:8080
+# Direct access:  ws://192.168.1.111:8082
 MPC_MESSAGE_ROUTER_WS_URL="ws://192.168.1.111:8082"

+# Server Party API - Server-side party operations
+# Docker Compose: http://mpc-server-party-api:8080
+# Direct access:  http://192.168.1.111:8083
+MPC_SERVER_PARTY_API_URL="http://192.168.1.111:8083"
+
+# MPC JWT Secret - MUST match mpc-system's JWT_SECRET_KEY
+# SECURITY: Generate with: openssl rand -base64 48
+MPC_JWT_SECRET="change_this_jwt_secret_key_to_random_value_min_32_chars"
+
 # Coordinator timeout in milliseconds
 MPC_COORDINATOR_TIMEOUT=30000

+# =============================================================================
+# Blockchain Service Configuration
+# =============================================================================
+# Docker Compose: http://rwa-blockchain-service:3012
+# Direct access:  http://192.168.1.111:3012
+BLOCKCHAIN_SERVICE_URL="http://192.168.1.111:3012"
+
 # =============================================================================
 # Share Encryption
 # =============================================================================
-# IMPORTANT: Generate a secure 32-byte hex key for production
-# Example: openssl rand -hex 32
+# SECURITY: Generate 256-bit hex key with: openssl rand -hex 32
+# WARNING: If you lose this key, encrypted shares cannot be recovered!
+# MUST match SHARE_MASTER_KEY in backend/services/.env
 SHARE_MASTER_KEY="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

 # =============================================================================
 # MPC Protocol Timeouts (in milliseconds)
 # =============================================================================
+# Keygen: 2-of-3 threshold key generation (typically 30-60 seconds)
 MPC_KEYGEN_TIMEOUT=300000
+
+# Signing: Threshold signature generation (typically 5-15 seconds)
 MPC_SIGNING_TIMEOUT=180000
+
+# Key refresh: Update key shares without changing public key
 MPC_REFRESH_TIMEOUT=300000

 # =============================================================================