fix(registrar): 标签按行拼接避免逗号拆分；默认启用 TCP TLS；新增 TLS_MODE

- 修复 ConsulCatalog 标签因逗号分割导致的解析错误：
  「error parsing server URL ... : invalid port ':9009,'」
  现在改为按“行”累加标签，再转换为 JSON 数组，避免值中逗号（如 middlewares）被错误拆分
- TCP 路由默认启用 TLS（terminating），补齐 tls=true / tls.certresolver
  修复「HostSNI(...) but no TLS on router」
- 新增 TLS_MODE=terminating|passthrough|plaintext 三种模式
- 统一使用 loadbalancer.server.port（替代 server.url），规避尾逗号风险
- 提供严格的 to_json_array 实现，避免尾逗号 JSON 问题
- HTTP 路由补充 priority=10000；保留可选中间件（需与动态配置名称一致）

Test plan:
- 清理旧服务并重注册：
  curl -s http://100.64.0.1:8500/v1/agent/services \
    | jq 'to_entries[] | select(.value.Service=="mcp") | .key' \
    | xargs -I{} curl -s -X PUT http://100.64.0.1:8500/v1/agent/service/deregister/{}
  然后重启注册器容器
- 验证 Traefik 路由：
  curl -s http://localhost:8083/api/tcp/routers \
    | jq '.[] | select(.rule|test("ci-agent\\.jmsu\\.top")) | {name,entryPoints,tls}'
- 验证证书握手：
  openssl s_client -connect ci-agent.jmsu.top:4443 -servername ci-agent.jmsu.top -brief </dev/null

Refs:
- invalid port ":9009,"
- HostSNI(...) but no TLS on router

.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(curl:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

.gitea/workflows/build-and-push.yml

@@ -5,43 +5,78 @@ on:
     branches: [ main ]
   release:
     types: [ published ]
-  workflow_dispatch:          # 手动触发
+  workflow_dispatch:
     inputs:
-      image_tag:              # 手动运行时可指定 TAG（留空则自动判断）
-        description: "Tag to push (default: branch/release name, else latest)"
+      image_tag:
+        description: "Tag to push (leave empty to use 'latest')"
         required: false
         default: ""
 
 jobs:
   docker:
-    runs-on: [buildx]
+    runs-on: [buildx]   # 你的 runner 标签；如不需要可改成 ubuntu-latest 等
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Login to ACR
+      # 只两级：手动输入 > latest
+      - name: Resolve TAG
+        id: meta
+        env:
+          INPUT_TAG: ${{ github.event.inputs.image_tag || '' }}
         run: |
-          echo "${{ secrets.ACR_PASSWORD }}" | docker login \
-            ${{ secrets.ACR_REGISTRY }} \
-            -u "${{ secrets.ACR_USERNAME }}" \
-            --password-stdin
+          set -euo pipefail
+          TAG="${INPUT_TAG:-latest}"
+          # 规范化，避免无效字符
+          TAG="$(printf '%s' "$TAG" | tr '[:upper:]' '[:lower:]' | sed -E 's#[^a-z0-9._-]#-#g; s#/+#-#g; s#^[.-]+##; s#[.-]+$##')"
+          TAG="${TAG:0:128}"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "Resolved TAG: $TAG"
 
-      - name: Build Docker Image
+      - name: Login to Aliyun ACR
+        env:
+          ACR_REGISTRY:  ${{ secrets.ACR_REGISTRY }}
+          ACR_USERNAME:  ${{ secrets.ACR_USERNAME }}
+          ACR_PASSWORD:  ${{ secrets.ACR_PASSWORD }}
         run: |
-          IMAGE=${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/myapp
+          set -euo pipefail
+          docker logout "$ACR_REGISTRY" || true
+          echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" --username "$ACR_USERNAME" --password-stdin
 
-          # 优先用手动输入的 image_tag；否则用分支/发布名；再否则用 latest
-          TAG="${{ github.event.inputs.image_tag }}"
-          if [ -z "$TAG" ]; then TAG="${GITHUB_REF_NAME:-latest}"; fi
+      - name: Build Docker Image (host network; no Dockerfile change)
+        env:
+          IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }}
+          TAG:   ${{ steps.meta.outputs.tag }}
+        run: |
+          set -euo pipefail
 
-          echo "Building $IMAGE:$TAG"
-          docker build -t "$IMAGE:$TAG" -f docker/Dockerfile .
+          docker buildx rm ci-builder >/dev/null 2>&1 || true
+          docker buildx create \
+            --name ci-builder --use \
+            --driver docker-container \
+            --driver-opt network=host \
+            --driver-opt env.http_proxy=http://127.0.0.1:18080,env.https_proxy=http://127.0.0.1:18080 \
+            --buildkitd-flags '--allow-insecure-entitlement network.host' \
+            >/dev/null
+
+          echo "Building ${IMAGE}:${TAG}"
+          docker buildx build \
+            --builder ci-builder \
+            --network=host \
+            --progress=plain \
+            --load \
+            -t "${IMAGE}:${TAG}" -f docker/Dockerfile .
 
       - name: Push Docker Image
+        env:
+          IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }}
+          TAG:   ${{ steps.meta.outputs.tag }}
         run: |
-          IMAGE=${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/myapp
-          TAG="${{ github.event.inputs.image_tag }}"
-          if [ -z "$TAG" ]; then TAG="${GITHUB_REF_NAME:-latest}"; fi
+          set -euo pipefail
+          echo "Pushing ${IMAGE}:${TAG}"
+          docker push "${IMAGE}:${TAG}"
 
-          echo "Pushing $IMAGE:$TAG"
-          docker push "$IMAGE:$TAG"
+          if docker image inspect "${IMAGE}:latest" > /dev/null 2>&1; then
+            echo "Pushing ${IMAGE}:latest"
+            docker push "${IMAGE}:latest"
+          fi

.gitea/workflows/manual-test.yml

@@ -13,3 +13,4 @@ jobs:
     runs-on: docker
     steps:
       - run: echo "Hello ${{ inputs.who }}"
+      

.gitignore

@@ -5,4 +5,5 @@ __pycache__/
 dist/
 .pytest_cache/
 .coverage
-data/
+data/
+docker/config/

docker/.env

@@ -1,21 +1,14 @@
+# 本机（边缘节点）的 Tailscale IP
+LOCAL_TS_IP=100.64.0.27
 
-# 这台业务节点在 Tailscale 上的 IP
-SERVICE_IP=100.64.0.27
-
-# 端口
-PORT_RUSTFS=9000
-PORT_MCP=9009
-
-# Consul（主集群）信息
+# 云端 Consul Server 的 Tailscale IP 与 DC
 CONSUL_SERVER_IP=100.64.0.1
 CONSUL_DC=dc1
 
-# 服务名（建议分开，避免混入）
-SVC_RUSTFS=rustfs
-SVC_MCP=rustfs-toolkit
+# 可选：云端 Traefik entrypoint 名称（默认 websecure/tcp）
+TRAEFIK_HTTP_ENTRYPOINT=websecure
+TRAEFIK_TCP_ENTRYPOINT=tcp
 
-# 域名（Caddy 用）
-DOMAIN_RUSTFS=rfs.jmsu.top
-DOMAIN_MCP=mcp.jmsu.top
-
-NODE_NAME=rustfs-100-64-0-27
+# RustFS 凭据（不要硬编码在 compose）
+RUSTFS_ACCESS_KEY=lingyuzeng
+RUSTFS_SECRET_KEY=rust@Hotwa2020

docker/Dockerfile

@@ -1,5 +1,16 @@
 # syntax=docker/dockerfile:1
 FROM debian:12-slim
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+
+ENV HTTP_PROXY=$HTTP_PROXY \
+    HTTPS_PROXY=$HTTPS_PROXY \
+    NO_PROXY=$NO_PROXY \
+    http_proxy=$HTTP_PROXY \
+    https_proxy=$HTTPS_PROXY \
+    no_proxy=$NO_PROXY \
+    PATH="/root/.local/bin:$PATH"
 
 WORKDIR /app
 

docker/compose.proxy.yml

@@ -0,0 +1,36 @@
+version: "3.9"
+
+networks:
+  buildnet:
+    name: buildnet
+
+services:
+  proxy:
+    image: metacubex/mihomo
+    container_name: build_proxy
+    restart: unless-stopped
+    networks: [buildnet]
+    # 若只在构建中用，不需要暴露 7890；要本机调试可保留
+    # ports:
+    #   - "7890:7890"      # mixed-port for HTTP/SOCKS
+    #   - "9090:9090"    # API for local debug
+    volumes:
+      - ./config:/root/.config/mihomo:rw
+    environment:
+      # 规则源可选，镜像支持这些变量覆盖下载源
+      - GEOIP_URL=https://ghproxy.dockless.eu.org//https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb
+      - GEOSITE_URL=https://ghproxy.dockless.eu.org/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat
+      - SUBSCRIPTION_URL=https://app.mitce.net/?sid=303534&token=srveqevu
+    healthcheck:  
+      test:  
+        [  
+          "CMD-SHELL",  
+          "netstat -tln | grep -q ':7890'"  
+        ]  
+      interval: 10s  
+      timeout: 5s  
+      retries: 3  
+      start_period: 10s
+    profiles: ["build"]   # 可选：默认不启动，专供构建流程
+
+# use: docker compose -f docker/compose.proxy.yml --profile build up -d --wait proxy

docker/docker-compose.yml

@@ -1,109 +1,87 @@
 version: "3.9"
 
 services:
+  # -------- RustFS 主服务 --------
   rustfs:
     image: rustfs/rustfs:1.0.0-alpha.60
-    container_name: rustfs_container
-    restart: always
-    ports:
-      - "${SERVICE_IP}:${PORT_RUSTFS}:${PORT_RUSTFS}"
+    container_name: rustfs
+    restart: unless-stopped
     volumes:
       - /vol2/1000/rustfs_vol2:/data
       - ./data:/app/data:rw
     environment:
       RUSTFS_VOLUMES: /data/rustfs0
-      RUSTFS_ADDRESS: ":${PORT_RUSTFS}"
-      RUSTFS_SERVER_DOMAINS: ${DOMAIN_RUSTFS}
-      RUSTFS_ACCESS_KEY: lingyuzeng
-      RUSTFS_SECRET_KEY: rust@Hotwa2020
+      RUSTFS_ADDRESS: ":9000"
+      RUSTFS_SERVER_DOMAINS: rfs.jmsu.top
+      RUSTFS_ACCESS_KEY: ${RUSTFS_ACCESS_KEY}
+      RUSTFS_SECRET_KEY: ${RUSTFS_SECRET_KEY}
       RUSTFS_CONSOLE_ENABLE: "true"
+    # **仅绑定到本机 Tailscale IP**，供云端 Traefik 反代
+    ports:
+      - "${LOCAL_TS_IP}:9000:9000"
 
+  # -------- RustFS MCP 接口（假设走 HTTP on :9009）--------
   rustfs-s3-toolkit:
     image: hotwa/rustfs-s3-toolkit:latest
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-    container_name: rustfs-s3-toolkit
-    restart: always
+    container_name: rustfs-mcp
+    restart: unless-stopped
+    environment:
+      MCP_PORT: "9009"
     volumes:
       - ./data:/app/data:rw
     ports:
-      - "${SERVICE_IP}:${PORT_MCP}:${PORT_MCP}"
+      - "${LOCAL_TS_IP}:9009:9009"
 
-  consul-agent:
+  # -------- Registrar：把 :9000 注册到 rfs.jmsu.top --------
+  registrar-rustfs:
     image: hashicorp/consul:1.21
-    stop_signal: SIGTERM
-    stop_grace_period: 60s
-    command:
-      - agent
-      - -server=false
-      - -node=${NODE_NAME}
-      - -client=0.0.0.0
-      - -bind=0.0.0.0
-      - -advertise=${SERVICE_IP}
-      - -retry-join=${CONSUL_SERVER_IP}
-      - -datacenter=${CONSUL_DC}
-      - -data-dir=/consul/data
-    environment:
-      CONSUL_LOCAL_CONFIG: '{"leave_on_terminate": true}'
-    ports:
-      - "${SERVICE_IP}:8500:8500/tcp"
-      - "${SERVICE_IP}:8600:8600/tcp"
-      - "${SERVICE_IP}:8600:8600/udp"
-      - "${SERVICE_IP}:8301:8301/tcp"
-      - "${SERVICE_IP}:8301:8301/udp"
-    healthcheck:
-      test: ["CMD", "consul", "info"]
-      interval: 5s
-      timeout: 3s
-      retries: 30
-      start_period: 10s
+    container_name: registrar-rustfs
     restart: unless-stopped
-
-  # 注册 rustfs（9000）
-  registrar_rustfs:
-    image: hashicorp/consul:1.21
     depends_on:
-      consul-agent:
-        condition: service_healthy
-      rustfs:
-        condition: service_started
+      - rustfs
+    volumes:
+      - ./registrar.sh:/registrar.sh:ro
     environment:
-      CONSUL_HTTP_ADDR: "http://consul-agent:8500"
-      SERVICE_NAME: "${SVC_RUSTFS}"
-      SERVICE_ADDR: "${SERVICE_IP}"
-      SERVICE_PORT: "${PORT_RUSTFS}"
-      SERVICE_TAGS: "console"
-      CHECK_TYPE: "tcp"
+      # 指向“云端” Consul Server（通过 Tailscale）
+      CONSUL_HTTP_ADDR: "http://${CONSUL_SERVER_IP}:8500"
+      # 下面这 4 个由 registrar.sh 必填
+      SERVICE_NAME: "rustfs"
+      SERVICE_ADDR: "${LOCAL_TS_IP}"
+      SERVICE_PORT: "9000"
+      ROUTE_HOST: "rfs.jmsu.top"
+      # 可选项（HTTP/TCP、健康检查、入口等）
+      SERVICE_PROTOCOL: "http"
+      CHECK_TYPE: "http"
+      CHECK_PATH: "/"
       CHECK_INTERVAL: "10s"
       CHECK_TIMEOUT: "2s"
       DEREG_AFTER: "1m"
+      TRAEFIK_HTTP_ENTRYPOINT: "websecure"
+      TRAEFIK_TCP_ENTRYPOINT: "tcp"
+      # TRAEFIK_CERT_RESOLVER 可在云端用 file/dynamic 统一配置，这里不强制
+    command: ["/bin/sh","/registrar.sh"]
+
+  # -------- Registrar：把 :9009 注册到 mcprfs.jmsu.top --------
+  registrar-mcprfs:
+    image: hashicorp/consul:1.21
+    container_name: registrar-mcprfs
+    restart: unless-stopped
+    depends_on:
+      - rustfs-s3-toolkit
     volumes:
       - ./registrar.sh:/registrar.sh:ro
-    entrypoint: ["/bin/sh","-lc","/registrar.sh"]
-    restart: unless-stopped
-
-  # 注册 MCP（9009）
-  registrar_mcp:
-    image: hashicorp/consul:1.21
-    depends_on:
-      consul-agent:
-        condition: service_healthy
-      rustfs-s3-toolkit:
-        condition: service_started
     environment:
-      CONSUL_HTTP_ADDR: "http://consul-agent:8500"
-      SERVICE_NAME: "${SVC_MCP}"
-      SERVICE_ADDR: "${SERVICE_IP}"
-      SERVICE_PORT: "${PORT_MCP}"
-      SERVICE_TAGS: "toolkit"
-      CHECK_TYPE: "tcp"
+      CONSUL_HTTP_ADDR: "http://${CONSUL_SERVER_IP}:8500"
+      SERVICE_NAME: "mcprfs"
+      SERVICE_ADDR: "${LOCAL_TS_IP}"
+      SERVICE_PORT: "9009"
+      ROUTE_HOST: "mcprfs.jmsu.top"
+      SERVICE_PROTOCOL: "http"   # 如果 MCP 走 TCP，请改成 "tcp" 并把 CHECK_TYPE 改为 tcp
+      CHECK_TYPE: "http"
+      CHECK_PATH: "/"
       CHECK_INTERVAL: "10s"
       CHECK_TIMEOUT: "2s"
       DEREG_AFTER: "1m"
-    volumes:
-      - ./registrar.sh:/registrar.sh:ro
-    entrypoint: ["/bin/sh","-lc","/registrar.sh"]
-    restart: unless-stopped
-
-networks: {}
+      TRAEFIK_HTTP_ENTRYPOINT: "websecure"
+      TRAEFIK_TCP_ENTRYPOINT: "tcp"
+    command: ["/bin/sh","/registrar.sh"]

docker/registrar.sh

@@ -1,71 +1,121 @@
 #!/bin/sh
 set -eu
 
-: "${CONSUL_HTTP_ADDR:?need CONSUL_HTTP_ADDR}"
 : "${SERVICE_NAME:?need SERVICE_NAME}"
 : "${SERVICE_ADDR:?need SERVICE_ADDR}"
 : "${SERVICE_PORT:?need SERVICE_PORT}"
+: "${ROUTE_HOST:?need ROUTE_HOST}"
 
-SERVICE_ID="${SERVICE_ID:-${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}}"
-SERVICE_TAGS="${SERVICE_TAGS:-}"
-CHECK_TYPE="${CHECK_TYPE:-tcp}"          # tcp|http
-CHECK_PATH="${CHECK_PATH:-/healthz}"     # http 模式才用
+CONSUL="${CONSUL_HTTP_ADDR:?need CONSUL_HTTP_ADDR}"
+SERVICE_PROTOCOL="${SERVICE_PROTOCOL:-http}"          # http | tcp
+CHECK_TYPE="${CHECK_TYPE:-tcp}"                       # http | tcp
+CHECK_PATH="${CHECK_PATH:-/}"
 CHECK_INTERVAL="${CHECK_INTERVAL:-10s}"
 CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}"
 DEREG_AFTER="${DEREG_AFTER:-1m}"
+TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}"
+TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}"
+TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-alidns}"
+TLS_MODE="${TLS_MODE:-terminating}"   # terminating | passthrough | plaintext
+# TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}"
 
-# 组装 Tags 的 JSON 数组
-if [ -n "$SERVICE_TAGS" ]; then
-  # 逗号分隔转 JSON 数组
-  TAGS_JSON=$(printf '%s' "$SERVICE_TAGS" | awk -F, '
-    BEGIN{printf "["}
-    {for(i=1;i<=NF;i++){gsub(/^ *| *$/, "", $i); printf "%s\"%s\"", (i>1?",":""), $i}}
-    END{printf "]"}
-  ')
+echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT"
+
+# 等云端 Consul Server 可用
+for i in $(seq 1 90); do
+  if wget -qO- "$CONSUL/v1/status/leader" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+
+ID="${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}"
+
+# 组装 Traefik tags（按“行”累加，避免值中逗号被拆）
+NL='
+'
+TAGS="traefik.enable=true"
+
+if [ "$SERVICE_PROTOCOL" = "http" ]; then
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)"
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}"
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls=true"
+  TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http"
+  TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+  # 抢占路由：给当前 Host 的 router 设置更高优先级
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.priority=10000"
+  # 可选中间件（注意：值里有逗号也安全）
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,sec-headers@file"
+  # 如需 ACME 证书解析器可再加一行（取消注释）
+  # TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then
+  case "$TLS_MODE" in
+    # A：Traefik 终止 TLS（推荐公网）
+    terminating)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls=true"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # A-备用：后端自己终止 TLS（需要给 woodpecker-server 配 cert/key）
+    passthrough)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.passthrough=true"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # B：明文 TCP（仅内网/Tailscale，用 * 兜底）
+    plaintext)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`*\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.priority=1"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    *)
+      echo "unsupported TLS_MODE=$TLS_MODE" >&2; exit 2;;
+  esac
 else
-  TAGS_JSON="[]"
+  echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2
 fi
 
-# 组装 Check JSON
+# 转 JSON 数组（按“行”解析）
+to_json_array() {
+  # 逐行 -> trim -> "..." -> [ ... ]
+  awk 'BEGIN{RS="\n"} NF {gsub(/^[ \t]+|[ \t]+$/,""); printf "\"%s\",\n",$0}' |
+  sed '1s/^/[/' | sed '$s/,\s*$/]/'
+}
+TAGS_JSON="$(printf "%s" "$TAGS" | to_json_array)"
+
+# 健康检查 JSON
 if [ "$CHECK_TYPE" = "http" ]; then
   CHECK_JSON=$(cat <<EOF
-{
-  "Name": "http-${SERVICE_PORT}",
-  "HTTP": "http://${SERVICE_ADDR}:${SERVICE_PORT}${CHECK_PATH}",
-  "Method": "GET",
-  "Interval": "${CHECK_INTERVAL}",
-  "Timeout": "${CHECK_TIMEOUT}",
-  "DeregisterCriticalServiceAfter": "${DEREG_AFTER}"
-}
+{"Name":"http","HTTP":"http://${SERVICE_ADDR}:${SERVICE_PORT}${CHECK_PATH}","Interval":"${CHECK_INTERVAL}","Timeout":"${CHECK_TIMEOUT}","DeregisterCriticalServiceAfter":"${DEREG_AFTER}"}
 EOF
 )
 else
   CHECK_JSON=$(cat <<EOF
-{
-  "Name": "tcp-${SERVICE_PORT}",
-  "TCP": "${SERVICE_ADDR}:${SERVICE_PORT}",
-  "Interval": "${CHECK_INTERVAL}",
-  "Timeout": "${CHECK_TIMEOUT}",
-  "DeregisterCriticalServiceAfter": "${DEREG_AFTER}"
-}
+{"Name":"tcp","TCP":"${SERVICE_ADDR}:${SERVICE_PORT}","Interval":"${CHECK_INTERVAL}","Timeout":"${CHECK_TIMEOUT}","DeregisterCriticalServiceAfter":"${DEREG_AFTER}"}
 EOF
 )
 fi
 
-# 注册 payload
-cat > /tmp/service.json <<JSON
-{
-  "Name": "${SERVICE_NAME}",
-  "ID": "${SERVICE_ID}",
-  "Address": "${SERVICE_ADDR}",
-  "Port": ${SERVICE_PORT},
-  "Tags": ${TAGS_JSON},
-  "Checks": [ ${CHECK_JSON} ]
-}
-JSON
+# 写 service 定义并注册到云端 Consul
+cat > /tmp/svc.json <<EOF
+{"service":{"id":"${ID}","name":"${SERVICE_NAME}","address":"${SERVICE_ADDR}","port":${SERVICE_PORT},"tags":${TAGS_JSON},"checks":[${CHECK_JSON}]}}
+EOF
+
+echo "[registrar] register ${ID} -> ${CONSUL}"
+consul services register -http-addr="$CONSUL" /tmp/svc.json
+
+term() {
+  echo "[registrar] deregister ${ID}"
+  consul services deregister -http-addr="$CONSUL" /tmp/svc.json || true
+  exit 0
+}
+trap term TERM INT
 
-echo "[registrar] registering ${SERVICE_ID} -> ${SERVICE_ADDR}:${SERVICE_PORT} ..."
-curl -fsS -X PUT -d @/tmp/service.json "${CONSUL_HTTP_ADDR}/v1/agent/service/register"
-echo "[registrar] done."
-# 阻塞防退出（可选）
 tail -f /dev/null