chore: harden production readiness gates and runbooks

backend/providers/postgres/config.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"math"
 	"strconv"
+	"strings"
 	"time"
 
 	"go.ipao.vip/atom/container"
@@ -92,6 +93,8 @@ func (config *Config) checkDefault() {
 
 	if config.SslMode == "" {
 		config.SslMode = "disable"
+	} else {
+		config.SslMode = strings.ToLower(strings.TrimSpace(config.SslMode))
 	}
 
 	if config.TimeZone == "" {
@@ -141,3 +144,9 @@ func (config *Config) DSN() string {
 
 	return base + extras
 }
+
+func (config *Config) IsTLSEnabled() bool {
+	mode := strings.ToLower(strings.TrimSpace(config.SslMode))
+
+	return mode != "" && mode != "disable"
+}

backend/providers/postgres/postgres.go

@@ -3,12 +3,16 @@ package postgres
 import (
 	"context"
 	"database/sql"
+	"fmt"
 	"math"
 	"time"
 
+	"quyun/v2/providers/app"
+
 	logrus "github.com/sirupsen/logrus"
 	"go.ipao.vip/atom/container"
 	"go.ipao.vip/atom/opt"
+	"go.uber.org/dig"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
@@ -22,7 +26,13 @@ func Provide(opts ...opt.Option) error {
 		return err
 	}
 
-	return container.Container.Provide(func() (*gorm.DB, *sql.DB, *Config, error) {
+	return container.Container.Provide(func(params struct {
+		dig.In
+		App *app.Config `optional:"true"`
+	}) (*gorm.DB, *sql.DB, *Config, error) {
+		if params.App != nil && params.App.IsReleaseMode() && !conf.IsTLSEnabled() {
+			return nil, nil, nil, fmt.Errorf("release mode requires Database.SslMode to enable TLS")
+		}
 		dbConfig := postgres.Config{DSN: conf.DSN()}
 
 		// 安全日志：不打印密码，仅输出关键连接信息