feat: Phase 2.6 edges migration to Qdrant (TKG-only architecture)

Phase 2.6.1: co_occurrence_edges migration
- build_co_occurrence_edges_from_qdrant()
- Qdrant embeddings → frame grouping → YOLO objects
- Result: 6679 edges (vs 6701 PostgreSQL)

Phase 2.6.2: face_face_edges migration
- build_face_face_edges_from_qdrant()
- Qdrant embeddings → frame grouping → face pairs
- mutual_gaze detection preserved
- Result: 6 edges (exact match)

Phase 2.6.3: speaker_face_edges migration
- build_speaker_face_edges_from_qdrant()
- Qdrant embeddings → trace_id frame ranges
- SPEAKS_AS edge creation

Architecture:
- All edges use Qdrant payload (no face_detections queries)
- PostgreSQL fallback for empty Qdrant
- Estimated 3.6x performance improvement

Testing:
- Playground (3003): ✓ All Phase 2.6 logs verified
- Edge counts: ✓ Close match with PostgreSQL
- Fallback: ✓ Working

Docs:
- docs_v1.0/DESIGN/TKG_PHASE2_6_EDGES_MIGRATION.md
- docs_v1.0/M4_workspace/2026-06-21_phase2_6_test.md

v1.1/scripts/security_check_v1.11.sh

@@ -0,0 +1,244 @@
+#!/bin/bash
+# Momentry Core 安全配置檢查腳本
+# 版本: 1.0
+# 更新時間: 2026-04-22
+
+set -e
+
+echo "========================================="
+echo "Momentry Core 安全配置檢查"
+echo "========================================="
+echo ""
+
+# 顏色定義
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# 檢查函數
+check_pass() {
+	echo -e "${GREEN}[✓] $1${NC}"
+}
+
+check_warn() {
+	echo -e "${YELLOW}[!] $1${NC}"
+}
+
+check_fail() {
+	echo -e "${RED}[✗] $1${NC}"
+}
+
+# 1. 環境變數檢查
+echo "1. 環境變數檢查"
+echo "----------------"
+
+# 檢查必要的環境變數
+required_vars=(
+	"DATABASE_URL"
+	"REDIS_URL"
+	"MOMENTRY_API_KEY"
+)
+
+for var in "${required_vars[@]}"; do
+	if [ -z "${!var}" ]; then
+		check_warn "環境變數 $var 未設置"
+	else
+		if [[ "$var" == *"PASSWORD"* ]] || [[ "$var" == *"KEY"* ]] || [[ "$var" == *"SECRET"* ]]; then
+			# 敏感信息只顯示是否存在，不顯示值
+			check_pass "環境變數 $var 已設置 (敏感信息已隱藏)"
+		else
+			check_pass "環境變數 $var 已設置"
+		fi
+	fi
+done
+
+echo ""
+
+# 2. 數據庫安全檢查
+echo "2. 數據庫安全檢查"
+echo "------------------"
+
+# 檢查 PostgreSQL 連接
+if command -v psql &>/dev/null && [ -n "$DATABASE_URL" ]; then
+	if psql "$DATABASE_URL" -c "SELECT 1" &>/dev/null; then
+		check_pass "PostgreSQL 連接正常"
+
+		# 檢查 SSL 連接
+		ssl_status=$(psql "$DATABASE_URL" -c "SHOW ssl" -t 2>/dev/null | tr -d '[:space:]' || echo "unknown")
+		if [ "$ssl_status" == "on" ]; then
+			check_pass "PostgreSQL SSL 已啟用"
+		else
+			check_warn "PostgreSQL SSL 未啟用"
+		fi
+	else
+		check_fail "PostgreSQL 連接失敗"
+	fi
+else
+	check_warn "PostgreSQL 客戶端未安裝或 DATABASE_URL 未設置"
+fi
+
+echo ""
+
+# 3. Redis 安全檢查
+echo "3. Redis 安全檢查"
+echo "------------------"
+
+# 檢查 Redis 連接
+if command -v redis-cli &>/dev/null && [ -n "$REDIS_URL" ]; then
+	# 提取 Redis 主機和端口
+	redis_host=$(echo "$REDIS_URL" | sed -n 's/.*:\/\/\([^:/]*\).*/\1/p')
+	redis_port=$(echo "$REDIS_URL" | sed -n 's/.*:\([0-9]*\)$/\1/p')
+
+	if [ -z "$redis_port" ]; then
+		redis_port=6379
+	fi
+
+	if redis-cli -h "$redis_host" -p "$redis_port" ping &>/dev/null; then
+		check_pass "Redis 連接正常"
+
+		# 檢查 Redis 是否需要密碼
+		if echo "$REDIS_URL" | grep -q "@"; then
+			check_pass "Redis 使用密碼認證"
+		else
+			check_warn "Redis 未使用密碼認證"
+		fi
+	else
+		check_fail "Redis 連接失敗"
+	fi
+else
+	check_warn "Redis 客戶端未安裝或 REDIS_URL 未設置"
+fi
+
+echo ""
+
+# 4. API 安全檢查
+echo "4. API 安全檢查"
+echo "----------------"
+
+# 檢查 API Key 格式
+if [ -n "$MOMENTRY_API_KEY" ]; then
+	if [[ "$MOMENTRY_API_KEY" =~ ^m(user|admin|service|temp)_[a-f0-9]{32}_[0-9]{10}_[a-f0-9]{8}$ ]]; then
+		check_pass "API Key 格式正確"
+	else
+		check_fail "API Key 格式不正確"
+	fi
+else
+	check_warn "MOMENTRY_API_KEY 未設置"
+fi
+
+echo ""
+
+# 5. 文件權限檢查
+echo "5. 文件權限檢查"
+echo "----------------"
+
+# 檢查敏感文件權限
+sensitive_files=(
+	".env"
+	".env.development"
+	"scripts/security_check.sh"
+)
+
+for file in "${sensitive_files[@]}"; do
+	if [ -f "$file" ]; then
+		perms=$(stat -f "%Sp" "$file")
+		if [[ "$perms" == *"rw-------"* ]] || [[ "$perms" == *"rw-r-----"* ]]; then
+			check_pass "$file 權限設置正確 ($perms)"
+		else
+			check_warn "$file 權限可能過寬 ($perms)，建議設置為 600 或 640"
+		fi
+	fi
+done
+
+echo ""
+
+# 6. 依賴包安全檢查
+echo "6. 依賴包安全檢查"
+echo "------------------"
+
+# 檢查 Rust 依賴
+if [ -f "Cargo.toml" ]; then
+	if command -v cargo-audit &>/dev/null; then
+		echo "運行 cargo audit 檢查安全漏洞..."
+		cargo audit
+		if [ $? -eq 0 ]; then
+			check_pass "Rust 依賴包無已知安全漏洞"
+		else
+			check_warn "Rust 依賴包存在安全漏洞，請運行 cargo update 修復"
+		fi
+	else
+		check_warn "cargo-audit 未安裝，無法檢查 Rust 依賴安全"
+		echo "安裝 cargo-audit: cargo install cargo-audit"
+	fi
+fi
+
+echo ""
+
+# 7. 網絡安全檢查
+echo "7. 網絡安全檢查"
+echo "----------------"
+
+# 檢查本地服務端口
+local_ports=(3002 3003 5432 6379 9090 3000)
+
+for port in "${local_ports[@]}"; do
+	if lsof -i :$port &>/dev/null; then
+		service_name=""
+		case $port in
+		3002) service_name="Momentry API (生產)" ;;
+		3003) service_name="Momentry API (開發)" ;;
+		5432) service_name="PostgreSQL" ;;
+		6379) service_name="Redis" ;;
+		9090) service_name="Prometheus" ;;
+		3000) service_name="Grafana" ;;
+		esac
+
+		# 檢查是否只允許本地訪問
+		if netstat -an | grep ":$port" | grep -q "LISTEN" && ! netstat -an | grep ":$port" | grep -q "0.0.0.0"; then
+			check_pass "$service_name ($port) 只允許本地訪問"
+		else
+			check_warn "$service_name ($port) 可能允許外部訪問，請檢查防火牆規則"
+		fi
+	fi
+done
+
+echo ""
+
+# 8. 安全配置建議
+echo "8. 安全配置建議"
+echo "----------------"
+
+echo "建議執行以下安全加固措施："
+echo "1. 啟用數據庫 SSL/TLS 連接"
+echo "2. 配置 Redis 密碼認證"
+echo "3. 定期更新 API Key"
+echo "4. 設置文件系統權限"
+echo "5. 定期運行依賴安全檢查"
+echo "6. 配置防火牆限制外部訪問"
+echo "7. 啟用 API 請求限流"
+echo "8. 配置安全日誌和監控"
+
+echo ""
+echo "========================================="
+echo "檢查完成"
+echo "========================================="
+
+# 總結報告
+echo ""
+echo "安全檢查總結："
+echo "- 環境變數: 檢查完成"
+echo "- 數據庫安全: 檢查完成"
+echo "- Redis 安全: 檢查完成"
+echo "- API 安全: 檢查完成"
+echo "- 文件權限: 檢查完成"
+echo "- 依賴包安全: 檢查完成"
+echo "- 網絡安全: 檢查完成"
+echo ""
+echo "建議："
+echo "1. 定期運行此檢查腳本"
+echo "2. 修復所有警告和錯誤"
+echo "3. 保持依賴包更新"
+echo "4. 監控安全日誌"
+
+exit 0