docs: align documentation and Dockerfile with actual CLI flags and env vars

The README, Dockerfile, and bug report template referenced non-existent
api_key/config-file based configuration. Updated to match the actual code
which uses --token/FLASHDUTY_RUNNER_TOKEN flags and environment variables.
Also added systemd EnvironmentFile directive and custom endpoint examples.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ysyneu

.github/ISSUE_TEMPLATE/bug_report.md

@@ -37,16 +37,16 @@ A clear and concise description of what you expected to happen and what actually
 
 ### Logs
 
-Paste any available logs. Redact sensitive information like API keys.
+Paste any available logs. Redact sensitive information like tokens.
 
 ```
 (paste logs here)
 ```
 
 ### Configuration (if relevant)
 
-```yaml
-# Paste relevant config (redact api_key!)
+```
+# Paste relevant flags/env vars (redact token!)
 ```
 
 ### Additional context

Dockerfile

@@ -2,42 +2,30 @@ FROM golang:1.25-alpine AS build
 ARG VERSION="dev"
 ARG TARGETARCH
 
-# Set the working directory
 WORKDIR /build
 
-# Install git for version info
 RUN --mount=type=cache,target=/var/cache/apk \
     apk add git
 
-# Build the runner
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=bind,target=. \
     CGO_ENABLED=0 GOARCH=${TARGETARCH} go build \
     -ldflags="-s -w -X main.Version=${VERSION} -X main.GitCommit=$(git rev-parse --short HEAD 2>/dev/null || echo unknown) -X main.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
     -o /bin/flashduty-runner ./cmd
 
-# Make a stage to run the app
 FROM gcr.io/distroless/base-debian12
 
-# Set the working directory
 WORKDIR /app
 
-# Copy the binary from the build stage
 COPY --from=build /bin/flashduty-runner .
 
-# Set environment variables
-ENV FLASHDUTY_RUNNER_API_KEY=""
-ENV FLASHDUTY_RUNNER_API_URL="wss://api.flashcat.cloud/runner/ws"
-ENV FLASHDUTY_RUNNER_NAME=""
-ENV FLASHDUTY_RUNNER_WORKSPACE_ROOT="/workspace"
-ENV FLASHDUTY_RUNNER_AUTO_UPDATE="false"
+ENV FLASHDUTY_RUNNER_TOKEN=""
+ENV FLASHDUTY_RUNNER_URL="wss://api.flashcat.cloud/safari/worknode/ws"
+ENV FLASHDUTY_RUNNER_WORKSPACE="/workspace"
+ENV FLASHDUTY_RUNNER_LOG_LEVEL="info"
 
-# Create workspace directory
 VOLUME ["/workspace"]
 
-# Set the entrypoint
 ENTRYPOINT ["/app/flashduty-runner"]
-
-# Default command
 CMD ["run"]

README.md

@@ -40,7 +40,7 @@ The runner establishes a persistent WebSocket connection to Flashduty cloud, rec
 
 | Layer | Protection |
 |-------|------------|
-| **Transport** | TLS-encrypted WebSocket, API Key authentication |
+| **Transport** | TLS-encrypted WebSocket, token authentication |
 | **Command Execution** | Shell parsing to prevent injection attacks (e.g., `cmd1; cmd2`) |
 | **Permission Control** | Configurable glob-based command whitelist/blacklist |
 | **File System** | Operations sandboxed to workspace root, symlink escape protection |
@@ -127,48 +127,30 @@ sudo mv flashduty-runner /usr/local/bin/
 ```bash
 docker run -d \
   --name flashduty-runner \
-  -e FLASHDUTY_RUNNER_API_KEY=your_api_key \
-  -e FLASHDUTY_RUNNER_NAME=my-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=wnt_xxx \
   -v /var/flashduty/workspace:/workspace \
   registry.flashcat.cloud/public/flashduty-runner:latest
-```
-
-### Configuration
-
-Create `~/.flashduty-runner/config.yaml`:
-
-```yaml
-# API Key from Flashduty Console (required)
-api_key: "fk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 
-# Runner display name (optional, defaults to hostname)
-name: "prod-k8s-runner"
-
-# Labels for task routing (optional)
-labels:
-  - k8s
-  - production
-
-# Workspace root directory (optional)
-workspace_root: "/var/flashduty/workspace"
-
-# Command permissions (see Security section for options)
-permission:
-  bash:
-    "*": "deny"
-    "kubectl get *": "allow"
-    "kubectl describe *": "allow"
-    "kubectl logs *": "allow"
+# With custom endpoint
+docker run -d \
+  --name flashduty-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=wnt_xxx \
+  -e FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/worknode/ws \
+  -v /var/flashduty/workspace:/workspace \
+  registry.flashcat.cloud/public/flashduty-runner:latest
 ```
 
 ### Running
 
 ```bash
-# Start the runner
-flashduty-runner run
+# Basic usage (token required)
+flashduty-runner run --token wnt_xxx
+
+# Specify workspace directory
+flashduty-runner run --token wnt_xxx --workspace ~/projects
 
-# Start with custom config
-flashduty-runner run --config /path/to/config.yaml
+# Specify custom WebSocket endpoint
+flashduty-runner run --token wnt_xxx --url wss://custom.example.com/safari/worknode/ws
 
 # Check version
 flashduty-runner version
@@ -186,6 +168,7 @@ After=network.target
 [Service]
 Type=simple
 User=flashduty
+EnvironmentFile=/etc/flashduty-runner/env
 ExecStart=/usr/local/bin/flashduty-runner run
 Restart=always
 RestartSec=5
@@ -194,40 +177,31 @@ RestartSec=5
 WantedBy=multi-user.target
 ```
 
+Create `/etc/flashduty-runner/env`:
+
 ```bash
-sudo systemctl daemon-reload
-sudo systemctl enable --now flashduty-runner
+FLASHDUTY_RUNNER_TOKEN=wnt_xxx
+# FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/worknode/ws
+# FLASHDUTY_RUNNER_WORKSPACE=/var/flashduty/workspace
 ```
 
-## Configuration Reference
-
-| Field | Required | Default | Description |
-|-------|----------|---------|-------------|
-| `api_key` | Yes | - | Flashduty API Key |
-| `api_url` | No | `wss://api.flashcat.cloud/runner/ws` | WebSocket endpoint |
-| `name` | No | hostname | Runner display name |
-| `labels` | No | [] | Labels for task routing |
-| `workspace_root` | No | `~/.flashduty-runner/workspace` | Workspace directory |
-| `permission.bash` | No | deny all | Command permission rules |
-| `log.level` | No | `info` | Log level: debug, info, warn, error |
-
-### Environment Variables
-
-All options can be set via environment variables with `FLASHDUTY_RUNNER_` prefix:
-
 ```bash
-FLASHDUTY_RUNNER_API_KEY=fk_xxx
-FLASHDUTY_RUNNER_NAME=my-runner
-FLASHDUTY_RUNNER_WORKSPACE_ROOT=/workspace
+sudo mkdir -p /etc/flashduty-runner
+sudo vim /etc/flashduty-runner/env   # add your token
+sudo systemctl daemon-reload
+sudo systemctl enable --now flashduty-runner
 ```
 
-### Built-in Labels
+## Configuration Reference
 
-The runner automatically adds these labels for routing:
+Configuration is via command-line flags or environment variables (flags take precedence).
 
-- `os:linux` / `os:darwin` / `os:windows`
-- `arch:amd64` / `arch:arm64`
-- `hostname:<machine-hostname>`
+| Flag | Env Variable | Required | Default | Description |
+|------|-------------|----------|---------|-------------|
+| `--token` | `FLASHDUTY_RUNNER_TOKEN` | Yes | - | Authentication token |
+| `--url` | `FLASHDUTY_RUNNER_URL` | No | `wss://api.flashcat.cloud/safari/worknode/ws` | WebSocket endpoint |
+| `--workspace` | `FLASHDUTY_RUNNER_WORKSPACE` | No | `~/.flashduty-runner/workspace` | Workspace root directory |
+| `--log-level` | `FLASHDUTY_RUNNER_LOG_LEVEL` | No | `info` | Log level: debug, info, warn, error |
 
 ## Troubleshooting
 
@@ -236,8 +210,8 @@ The runner automatically adds these labels for routing:
 | Symptom | Cause | Solution |
 |---------|-------|----------|
 | `failed to connect` | Network issue | Check firewall allows outbound port 443 |
-| `authentication failed` | Invalid API Key | Verify API Key in Flashduty console |
-| Runner not showing online | Connection dropped | Check logs, verify API Key matches account |
+| `authentication failed` | Invalid token | Verify token in Flashduty console |
+| Runner not showing online | Connection dropped | Check logs, verify token matches account |
 
 ```bash
 # Test connectivity
@@ -263,9 +237,11 @@ journalctl -u flashduty-runner -f
 
 Enable debug logging to see detailed permission decisions:
 
-```yaml
-log:
-  level: "debug"
+```bash
+flashduty-runner run --token wnt_xxx --log-level debug
+
+# Or via environment variable
+export FLASHDUTY_RUNNER_LOG_LEVEL=debug
 ```
 
 ## Contributing

README_zh.md

@@ -40,7 +40,7 @@ Runner 与 Flashduty 云端建立持久的 WebSocket 连接，接收任务请求
 
 | 层级 | 保护措施 |
 |------|----------|
-| **传输层** | TLS 加密的 WebSocket，API Key 认证 |
+| **传输层** | TLS 加密的 WebSocket，Token 认证 |
 | **命令执行** | Shell 解析防止注入攻击（如 `cmd1; cmd2`） |
 | **权限控制** | 可配置的 glob 模式命令白名单/黑名单 |
 | **文件系统** | 操作限制在工作区目录内，防止符号链接逃逸 |
@@ -127,48 +127,30 @@ sudo mv flashduty-runner /usr/local/bin/
 ```bash
 docker run -d \
   --name flashduty-runner \
-  -e FLASHDUTY_RUNNER_API_KEY=your_api_key \
-  -e FLASHDUTY_RUNNER_NAME=my-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=wnt_xxx \
   -v /var/flashduty/workspace:/workspace \
   registry.flashcat.cloud/public/flashduty-runner:latest
-```
-
-### 配置
-
-创建 `~/.flashduty-runner/config.yaml`：
-
-```yaml
-# Flashduty 控制台获取的 API Key（必填）
-api_key: "fk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 
-# Runner 显示名称（可选，默认为主机名）
-name: "prod-k8s-runner"
-
-# 任务路由标签（可选）
-labels:
-  - k8s
-  - production
-
-# 工作区根目录（可选）
-workspace_root: "/var/flashduty/workspace"
-
-# 命令权限（参见安全性章节的选项）
-permission:
-  bash:
-    "*": "deny"
-    "kubectl get *": "allow"
-    "kubectl describe *": "allow"
-    "kubectl logs *": "allow"
+# 使用自定义端点
+docker run -d \
+  --name flashduty-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=wnt_xxx \
+  -e FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/worknode/ws \
+  -v /var/flashduty/workspace:/workspace \
+  registry.flashcat.cloud/public/flashduty-runner:latest
 ```
 
 ### 运行
 
 ```bash
-# 启动 runner
-flashduty-runner run
+# 基本用法（token 必填）
+flashduty-runner run --token wnt_xxx
+
+# 指定工作区目录
+flashduty-runner run --token wnt_xxx --workspace ~/projects
 
-# 使用自定义配置启动
-flashduty-runner run --config /path/to/config.yaml
+# 指定自定义 WebSocket 端点
+flashduty-runner run --token wnt_xxx --url wss://custom.example.com/safari/worknode/ws
 
 # 查看版本
 flashduty-runner version
@@ -186,6 +168,7 @@ After=network.target
 [Service]
 Type=simple
 User=flashduty
+EnvironmentFile=/etc/flashduty-runner/env
 ExecStart=/usr/local/bin/flashduty-runner run
 Restart=always
 RestartSec=5
@@ -194,40 +177,31 @@ RestartSec=5
 WantedBy=multi-user.target
 ```
 
+创建 `/etc/flashduty-runner/env`：
+
 ```bash
-sudo systemctl daemon-reload
-sudo systemctl enable --now flashduty-runner
+FLASHDUTY_RUNNER_TOKEN=wnt_xxx
+# FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/worknode/ws
+# FLASHDUTY_RUNNER_WORKSPACE=/var/flashduty/workspace
 ```
 
-## 配置参考
-
-| 字段 | 必填 | 默认值 | 说明 |
-|------|------|--------|------|
-| `api_key` | 是 | - | Flashduty API Key |
-| `api_url` | 否 | `wss://api.flashcat.cloud/runner/ws` | WebSocket 端点 |
-| `name` | 否 | 主机名 | Runner 显示名称 |
-| `labels` | 否 | [] | 任务路由标签 |
-| `workspace_root` | 否 | `~/.flashduty-runner/workspace` | 工作区目录 |
-| `permission.bash` | 否 | 全部拒绝 | 命令权限规则 |
-| `log.level` | 否 | `info` | 日志级别：debug, info, warn, error |
-
-### 环境变量
-
-所有选项都可以通过 `FLASHDUTY_RUNNER_` 前缀的环境变量设置：
-
 ```bash
-FLASHDUTY_RUNNER_API_KEY=fk_xxx
-FLASHDUTY_RUNNER_NAME=my-runner
-FLASHDUTY_RUNNER_WORKSPACE_ROOT=/workspace
+sudo mkdir -p /etc/flashduty-runner
+sudo vim /etc/flashduty-runner/env   # 填入您的 token
+sudo systemctl daemon-reload
+sudo systemctl enable --now flashduty-runner
 ```
 
-### 内置标签
+## 配置参考
 
-Runner 会自动添加以下标签用于路由：
+通过命令行参数或环境变量配置（命令行参数优先）。
 
-- `os:linux` / `os:darwin` / `os:windows`
-- `arch:amd64` / `arch:arm64`
-- `hostname:<主机名>`
+| 参数 | 环境变量 | 必填 | 默认值 | 说明 |
+|------|----------|------|--------|------|
+| `--token` | `FLASHDUTY_RUNNER_TOKEN` | 是 | - | 认证令牌 |
+| `--url` | `FLASHDUTY_RUNNER_URL` | 否 | `wss://api.flashcat.cloud/safari/worknode/ws` | WebSocket 端点 |
+| `--workspace` | `FLASHDUTY_RUNNER_WORKSPACE` | 否 | `~/.flashduty-runner/workspace` | 工作区根目录 |
+| `--log-level` | `FLASHDUTY_RUNNER_LOG_LEVEL` | 否 | `info` | 日志级别：debug, info, warn, error |
 
 ## 故障排除
 
@@ -236,8 +210,8 @@ Runner 会自动添加以下标签用于路由：
 | 症状 | 原因 | 解决方案 |
 |------|------|----------|
 | `failed to connect` | 网络问题 | 检查防火墙是否允许出站端口 443 |
-| `authentication failed` | API Key 无效 | 在 Flashduty 控制台验证 API Key |
-| Runner 未显示在线 | 连接断开 | 检查日志，验证 API Key 是否匹配账户 |
+| `authentication failed` | Token 无效 | 在 Flashduty 控制台验证 Token |
+| Runner 未显示在线 | 连接断开 | 检查日志，验证 Token 是否匹配账户 |
 
 ```bash
 # 测试连通性
@@ -263,9 +237,11 @@ journalctl -u flashduty-runner -f
 
 启用调试日志以查看详细的权限决策：
 
-```yaml
-log:
-  level: "debug"
+```bash
+flashduty-runner run --token wnt_xxx --log-level debug
+
+# 或通过环境变量
+export FLASHDUTY_RUNNER_LOG_LEVEL=debug
 ```
 
 ## 贡献