imbytecat/fullstack-starter
1
1
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: imbytecat:8be32bf15b6714592bcc290f0d32c972eeafcbb8
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux
..
compare: imbytecat:backup/ux
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux

17 Commits
8be32bf15b ... backup/ux

Author SHA1 Message Date
imbytecat
1f6592739b docs: 简化依赖管理文档,聚焦 Bun Catalog 版本控制 
- 简化依赖管理文档,聚焦使用 Bun Catalog 统一版本控制,并提供清晰的安装与查询命令参考。
 2026-01-26 16:40:44 +08:00
imbytecat
900cd28a04 refactor: 移除设备与待办事项相关功能,重构许可证管理系统 
- 删除设备信息表和待办事项表
- 添加许可证激活记录表的数据库模式快照,包含指纹唯一约束和时间戳字段。
- 添加新的迁移版本记录以支持最新数据库结构变更
- 移除 todo 相关操作的默认缓存失效配置,将 experimental_defaults 设置为空对象。
- 删除设备初始化逻辑,移除硬件指纹获取及数据库初始化相关功能。
- 将主页组件从待办事项列表替换为 License 管理系统欢迎界面,并添加设备指纹和 License 激活两个功能入口链接。
- 删除设备相关接口契约定义及验证规则
- 移除未使用的设备和待办事项合约导入,并更新合约导出对象。
- 删除待办事项接口契约文件中定义的输入输出验证 schema 及其相关路由契约
- 移除设备初始化逻辑,仅保留许可证激活初始化。
- 删除设备信息获取和许可证设置的API路由逻辑
- 移除未使用的路由模块导入并清理路由注册列表
- 删除待办事项相关的API路由定义及其实现逻辑
- 删除设备信息表的数据库模式定义。
- 移除设备信息表的导出,仅保留许可证激活表的导出。
- 删除待办事项数据表的定义及其相关字段配置
 2026-01-26 15:24:33 +08:00
imbytecat
492fba3105 feat: 添加许可证停用功能及确认弹窗 
- 添加反激活许可证的确认弹窗功能,包含二次确认提示和操作反馈。
- 添加停用许可证的接口合约定义。
- 添加许可证停用功能,确保激活记录存在后将其许可证信息和激活时间清空。
 2026-01-26 15:14:23 +08:00
imbytecat
8952bf4205 feat: 完善许可证激活功能及数据库初始化 
- 将 db 中间件重命名为 dbProvider,同时保留 db 作为别名以避免破坏现有路由。
- 记录并解决开发环境中数据库迁移和类型检查工具使用问题。
- 完善许可证激活功能,新增数据表与初始化逻辑,实现UPSERT操作及单例模式,添加RPC接口支持,修复时间戳类型不匹配问题。
- 创建设备信息和待办事项数据表,并为设备指纹添加唯一索引。
- 添加许可证激活表及指纹唯一索引
- 添加设备信息和待办事项表的数据库模式快照,包含字段定义、主键约束及指纹唯一索引。
- 添加初始数据库模式快照,包含设备信息、许可证激活和待办事项三张表的结构定义。
- 添加新的迁移日志文件以记录数据库版本变更和迁移步骤
- 确保设备信息在数据库中正确初始化,使用硬件指纹唯一标识设备并支持并发安全的单例模式初始化。
- 初始化许可证激活记录,确保基于硬件指纹创建或更新激活信息。
- 添加许可证激活管理页面,包含设备指纹展示、许可证输入激活功能及激活状态实时反馈。
- 添加许可证页面路由配置并更新相关路由类型和路径映射。
- 添加设备信息获取与许可证设置的接口契约定义,包含数据校验 schema 和接口输入输出规范。
- 添加设备和许可证合约接口到导出契约对象中
- 添加许可证相关API契约,定义获取激活状态和激活许可证的输入输出结构。
- 初始化设备和许可激活状态,并将数据库中间件重命名为dbProvider,同时导出原始db名称以保持兼容性。
- 添加设备信息获取和许可证设置接口,确保设备初始化并安全处理数据读写。
- 添加设备和许可证路由到API路由器中。
- 添加许可证激活状态查询和激活功能,支持通过数据库记录管理许可证信息并返回激活时间戳。
- 添加设备信息表结构,包含指纹、指纹质量等级、许可证及激活时间字段。
- 添加设备信息和许可证激活相关数据模型导出
- 添加许可证激活记录表,包含指纹、许可证信息及激活时间字段。
 2026-01-26 15:03:33 +08:00
imbytecat
90f9ec9528 refactor: 重构 AGENTS.md 并调整数据库忽略规则 
- 移除SQLite数据库文件相关的忽略规则
- 添加SQLite数据库文件的忽略规则,防止数据库文件被提交到版本控制。
- 重构 AGENTS.md 文档结构,将 PostgreSQL 迁移记录整合为 SQLite 使用说明,并明确文档维护原则与更新时机。
 2026-01-26 14:13:58 +08:00
imbytecat
5e56383f6f feat: 迁移数据库至SQLite并适配嵌入式环境 
- 添加SQLite数据库文件及数据目录的忽略规则
- 将数据库连接地址更新为本地SQLite数据库文件路径
- 将数据库从 PostgreSQL 迁移至 SQLite,更新依赖、Drizzle 方言及数据类型映射,确保嵌入式环境兼容性并保持应用层代码不变。
- 将数据库方言从 PostgreSQL 更改为 SQLite。
- 将数据库依赖从 postgres 替换为 better-sqlite3,并添加 better-sqlite3 的类型定义。
- 修改数据库连接字符串验证规则,从URL格式验证改为非空字符串验证。
- 将数据库连接从 PostgreSQL 切换为 Better-SQLite3,并支持创建目录和内存数据库。
- 将 todo 表的 completed 字段从 PostgreSQL 的 boolean 类型改为 SQLite 的 boolean 模式整数类型。
- 将字段定义从 PostgreSQL 适配改为 SQLite 适配,使用文本类型 ID 和时间戳整数类型,并统一使用 UUIDv7 和当前时间作为默认值。
- 添加 better-sqlite3 及其类型定义,并引入相关依赖以支持其功能
- 添加 better-sqlite3 依赖并移除 postgres 依赖
 2026-01-26 14:10:25 +08:00
imbytecat
a4c44a3fba feat: 添加支持Java兼容的RSA加密解密工具 
- 添加RSA加密解密工具函数,支持与Java兼容的OAEPWithSHA-256AndMGF1Padding加密标准,使用DER/SPKI和DER/PKCS8格式的公私钥进行加解密操作。
 2026-01-26 13:49:37 +08:00
imbytecat
158e7291d1 feat: 使用 ttlcache 优化指纹缓存管理 
- 添加指纹缓存迁移决策,选用零依赖的 ttlcache 库并配置单例缓存与十分钟过期时间。
- 使用 `@isaacs/ttlcache` 成功替换手动 TTL 缓存并保留请求去重逻辑,优化依赖管理与代码格式化流程。
- 添加缓存库选型说明,明确采用 @isaacs/ttlcache 提升硬件指纹功能的可维护性与稳定性。
- 添加 ttlcache 依赖以支持缓存功能
- 使用 TTLCache 替代手动缓存逻辑,提升缓存管理的可靠性和可维护性。
- 添加 @isaacs/ttlcache 依赖并指定版本 2.1.4,更新锁定文件以确保依赖一致性。
- 添加 ttlcache 依赖以支持缓存功能
 2026-01-26 11:27:10 +08:00
imbytecat
42bd3a7657 refactor: 移除过时 Tauri 桌面壳说明并更新版本信息 
- 移除过时的 Tauri 桌面壳说明,简化开发与构建命令,更新 Vite 兼容性问题为已解决状态并同步最新版本信息。
 2026-01-26 10:57:42 +08:00
imbytecat
4e3a227a79 fix: 修复 Biome 代码检查命令路径指定 
- 修复 Biome 代码检查命令,明确指定检查路径为当前目录
 2026-01-26 10:56:57 +08:00
imbytecat
e6a5d4cfae refactor: 移除 Tauri 窗口标题设置并升级关键依赖 
- 移除 Tauri 相关窗口标题设置逻辑
- 更新依赖包版本以修复安全漏洞并提升性能,包括升级 `lightningcss`、`@tanstack/query-core`、`solid-js`、`cheerio` 和 `undici` 等关键依赖。
 2026-01-26 10:54:37 +08:00
imbytecat
d23b4402bf rm: tauri 2026-01-26 10:52:36 +08:00
imbytecat
4afb913069 chore: 升级核心依赖至最新版本 
- 升级依赖版本以包含最新修复和功能,包括 Biome、Turbo、TanStack 套件、Nitro 和 Vite 等核心工具的版本更新。
- 升级依赖包至最新版本以修复已知问题并获取新功能,包括 biome、turbo、react-query、react-router、nitro、vite 及其相关插件。
 2026-01-26 09:29:16 +08:00
imbytecat
b0d3245b9d refactor: 重构硬件指纹模块并清理无关依赖 
- 添加 ohash 和 systeminformation 依赖项到项目中
- 将硬件指纹生成模块从工具包移至服务器应用,并统一优化注释中的标点符号为中文全角格式,提升代码注释的可读性与一致性。
- 将硬件指纹获取方法的导入路径从 '@furtherverse/utils/fingerprint' 更新为 '@/lib/fingerprint'。
- 移除对本地 workspace 包 @furtherverse/utils 的依赖并清理相关配置
- 删除未使用的工具包配置文件并移除相关依赖项
- 删除硬件指纹测试文件,移除对 systeminformation 模块的模拟和相关测试用例。
- 移除对 fingerprint 工具函数的导出
- 删除未使用的 tsconfig 配置文件
 2026-01-24 03:42:12 +08:00
imbytecat
8ceb212033 feat: 添加硬件指纹功能并优化依赖管理 
- 更新依赖管理文档,明确使用 Bun Catalog 统一管理版本并规范安装方式,新增已知问题与解决方案、依赖选择经验及 Git 工作流要求,强化团队协作与技术决策可追溯性。
- 添加硬件指纹页面,展示机器码、指纹质量等级及详细信息,并支持一键复制和缓存提示。
- 添加指纹路由配置并更新路由树类型定义以包含新路由路径和相关类型。
- 添加硬件指纹获取接口的契约定义,包含指纹字符串、质量等级、强标识符数量和时间戳的验证规则。
- 添加指纹合约到API合约导出中
- 添加硬件指纹获取接口,支持10分钟缓存并包含主硬盘序列号以提升指纹稳定性。
- 添加指纹路由到API路由器中
- 重构硬件指纹生成逻辑,引入缓存机制、质量等级评估和容错处理,提升稳定性与可维护性。
 2026-01-24 03:34:25 +08:00
imbytecat
0612eda74c fix: 更新系统信息空值模拟数据以准确测试指纹生成逻辑 
- 更新系统信息空值的模拟数据以更准确地测试指纹生成逻辑
 2026-01-23 17:01:27 +08:00
imbytecat
49549b6e00 refactor: 添加类型检查、测试用例及TS配置 
- 添加类型检查和代码修复脚本以提升开发效率和代码质量。
- 添加硬件指纹生成函数的完整测试用例,覆盖正常情况、边界条件和mock数据验证。
- 添加通用工具包的 TypeScript 配置并继承基础配置文件
 2026-01-23 16:59:54 +08:00
114 changed files with 3168 additions and 7035 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -9,11 +9,6 @@
# Bun build
*.bun-build
# SQLite database files
*.db
*.db-wal
*.db-shm
# Turborepo
.turbo/

8
.sisyphus/notepads/fingerprint-migration/decisions.md Normal file
View File

@@ -0,0 +1,8 @@
## Migration Decisions
- **Library**: `@isaacs/ttlcache` v2.1.4
- **Rationale**: Minimal, zero-dependency, specialized for TTL, well-maintained.
- **Cache Key**: Fixed string `'fingerprint'` since we only cache one result.
- **Max Items**: 1 (singleton fingerprint).
- **Default TTL**: 10 minutes (compatible with previous implementation).

8
.sisyphus/notepads/fingerprint-migration/learnings.md Normal file
View File

@@ -0,0 +1,8 @@
## @isaacs/ttlcache Migration Learnings
- Successfully replaced manual TTL cache with `@isaacs/ttlcache` in `fingerprint.ts`.
- Use `catalog:` for dependency management in the Bun monorepo.
- `TTLCache` does not handle in-flight request deduplication, so the `inFlight` Promise pattern was preserved.
- Alphabetical sorting in `package.json` catalog is important for consistency.
- Biome handles import organization and formatting; `bun fix` should be run after manual edits.

3
.sisyphus/notepads/license-activation/decisions.md Normal file
View File

@@ -0,0 +1,3 @@
## Decisions
- Renamed `db` middleware to `dbProvider` as requested, while keeping `db` as an alias to avoid breaking existing routers.

4
.sisyphus/notepads/license-activation/issues.md Normal file
View File

@@ -0,0 +1,4 @@
## Issues encountered
- `db:migrate` failed due to `device_info` table already existing in the local SQLite database. Resolved by using `db:push` which is suitable for dev environments.
- `lsp_diagnostics` was not available, used `bun typecheck` (`tsc --noEmit`) instead.

7
.sisyphus/notepads/license-activation/learnings.md Normal file
View File

@@ -0,0 +1,7 @@
## License Activation Implementation
- Created `license_activation` table for better semantic clarity.
- Implemented `ensureLicenseActivationInitialized` with UPSERT logic and singleton pattern.
- Added ORPC endpoints `license.getActivation` and `license.activate`.
- Used `db:push` to handle migration in dev environment when conflicts occur.
- Fixed type mismatch in `device.router.ts` where `Date` was returned instead of `number` for timestamp fields.

5
.vscode/extensions.json vendored
View File

@@ -2,8 +2,11 @@
"recommendations": [
"biomejs.biome",
"hverlin.mise-vscode",
"mikestead.dotenv",
"oven.bun-vscode",
"redhat.vscode-yaml",
"tamasfe.even-better-toml"
"rust-lang.rust-analyzer",
"tamasfe.even-better-toml",
"tauri-apps.tauri-vscode"
]
}

41
.vscode/settings.json vendored
View File

@@ -1,42 +1,49 @@
{
// Disable the default formatter & linter, use biome instead
"prettier.enable": false,
"eslint.enable": false,
// Auto fix
"editor.codeActionsOnSave": {
"source.fixAll.biome": "explicit",
"source.organizeImports.biome": "explicit"
},
"editor.defaultFormatter": "biomejs.biome",
"editor.formatOnSave": true,
"[javascript]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[javascriptreact]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[typescript]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[typescriptreact]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[json]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[jsonc]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[toml]": {
"editor.defaultFormatter": "tamasfe.even-better-toml"
},
"[typescript]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[typescriptreact]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[yaml]": {
"editor.defaultFormatter": "redhat.vscode-yaml"
},
"editor.codeActionsOnSave": {
"source.fixAll.biome": "explicit",
"source.organizeImports.biome": "explicit"
"[toml]": {
"editor.defaultFormatter": "tamasfe.even-better-toml"
},
"editor.defaultFormatter": "biomejs.biome",
"editor.formatOnSave": true,
"files.associations": {
".env": "dotenv",
".env.*": "dotenv",
"**/biome.json": "jsonc",
"**/opencode.json": "jsonc",
"**/tsconfig.json": "jsonc",
"**/tsconfig.*.json": "jsonc",
"**/tsconfig.json": "jsonc"
"**/biome.json": "jsonc",
"**/opencode.json": "jsonc"
},
// TanStack Router
"files.readonlyInclude": {
"**/routeTree.gen.ts": true
},

219
AGENTS.md
View File

@@ -1,219 +0,0 @@
# AGENTS.md - AI Coding Agent Guidelines
Guidelines for AI agents working in this Bun monorepo.
## Project Overview
> **This project uses [Bun](https://bun.sh) exclusively as both the JavaScript runtime and package manager. Do NOT use Node.js / npm / yarn / pnpm. All commands start with `bun` — use `bun install` for dependencies and `bun run <script>` for scripts. Always prefer `bun run <script>` over `bun <script>` to avoid conflicts with Bun built-in subcommands (e.g. `bun build` invokes Bun's bundler, NOT your package.json script). Never use `npm`, `npx`, or `node`.**
- **Monorepo**: Bun workspaces + Turborepo orchestration
- **Runtime**: Bun (see `mise.toml` for version) — **NOT Node.js**
- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
- **Apps**:
- `apps/server` - TanStack Start fullstack web app (see `apps/server/AGENTS.md`)
- `apps/desktop` - Electron desktop shell, sidecar server pattern (see `apps/desktop/AGENTS.md`)
- **Packages**: `packages/tsconfig` (shared TS configs)
## Build / Lint / Test Commands
### Root Commands (via Turbo)
```bash
bun run dev # Start all apps in dev mode
bun run build # Build all apps
bun run compile # Compile server to standalone binary (current platform)
bun run compile:darwin # Compile server for macOS (arm64 + x64)
bun run compile:linux # Compile server for Linux (x64 + arm64)
bun run compile:windows # Compile server for Windows x64
bun run dist # Package desktop distributable (current platform)
bun run dist:linux # Package desktop for Linux (x64 + arm64)
bun run dist:mac # Package desktop for macOS (arm64 + x64)
bun run dist:win # Package desktop for Windows x64
bun run fix # Lint + format (Biome auto-fix)
bun run typecheck # TypeScript check across monorepo
```
### Server App (`apps/server`)
```bash
bun run dev # Vite dev server (localhost:3000)
bun run build # Production build -> .output/
bun run compile # Compile to standalone binary (current platform)
bun run compile:darwin # Compile for macOS (arm64 + x64)
bun run compile:darwin:arm64 # Compile for macOS arm64
bun run compile:darwin:x64 # Compile for macOS x64
bun run compile:linux # Compile for Linux (x64 + arm64)
bun run compile:linux:arm64 # Compile for Linux arm64
bun run compile:linux:x64 # Compile for Linux x64
bun run compile:windows # Compile for Windows (default: x64)
bun run compile:windows:x64 # Compile for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
# Database (Drizzle)
bun run db:generate # Generate migrations from schema
bun run db:migrate # Run migrations
bun run db:push # Push schema (dev only)
bun run db:studio # Open Drizzle Studio
```
### Desktop App (`apps/desktop`)
```bash
bun run dev # electron-vite dev mode (requires server dev running)
bun run build # electron-vite build (main + preload)
bun run dist # Build + package for current platform
bun run dist:linux # Build + package for Linux (x64 + arm64)
bun run dist:linux:x64 # Build + package for Linux x64
bun run dist:linux:arm64 # Build + package for Linux arm64
bun run dist:mac # Build + package for macOS (arm64 + x64)
bun run dist:mac:arm64 # Build + package for macOS arm64
bun run dist:mac:x64 # Build + package for macOS x64
bun run dist:win # Build + package for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
```
### Testing
No test framework configured yet. When adding tests:
```bash
bun test path/to/test.ts # Run single test file
bun test -t "pattern" # Run tests matching pattern
```
## Code Style (TypeScript)
### Formatting (Biome)
- **Indent**: 2 spaces | **Line endings**: LF
- **Quotes**: Single `'` | **Semicolons**: Omit (ASI)
- **Arrow parentheses**: Always `(x) => x`
### Imports
Biome auto-organizes. Order: 1) External packages → 2) Internal `@/*` aliases → 3) Type imports (`import type { ... }`)
```typescript
import { createFileRoute } from '@tanstack/react-router'
import { z } from 'zod'
import { db } from '@/server/db'
import type { ReactNode } from 'react'
```
### TypeScript Strictness
- `strict: true`, `noUncheckedIndexedAccess: true`, `noImplicitOverride: true`, `verbatimModuleSyntax: true`
- Use `@/*` path aliases (maps to `src/*`)
### Naming Conventions
| Type | Convention | Example |
|------|------------|---------|
| Files (utils) | kebab-case | `auth-utils.ts` |
| Files (components) | PascalCase | `UserProfile.tsx` |
| Components | PascalCase arrow | `const Button = () => {}` |
| Functions | camelCase | `getUserById` |
| Constants | UPPER_SNAKE | `MAX_RETRIES` |
| Types/Interfaces | PascalCase | `UserProfile` |
### React Patterns
- Components: arrow functions (enforced by Biome)
- Routes: TanStack Router file conventions (`export const Route = createFileRoute(...)`)
- Data fetching: `useSuspenseQuery(orpc.feature.list.queryOptions())`
- Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
### Error Handling
- Use `try-catch` for async operations; throw descriptive errors
- ORPC: Use `ORPCError` with proper codes (`NOT_FOUND`, `INPUT_VALIDATION_FAILED`)
- Never use empty catch blocks
## Database (Drizzle ORM v1 beta + postgres-js)
- **ORM**: Drizzle ORM `1.0.0-beta` (RQBv2)
- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts` (contains schema info, so `drizzle()` only needs `{ relations }`)
- **Query style**: RQBv2 object syntax (`orderBy: { createdAt: 'desc' }`, `where: { id: 1 }`)
```typescript
export const myTable = pgTable('my_table', {
id: uuid().primaryKey().default(sql`uuidv7()`),
name: text().notNull(),
createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
})
```
## Environment Variables
- Use `@t3-oss/env-core` with Zod validation in `src/env.ts`
- Server vars: no prefix | Client vars: `VITE_` prefix required
- Never commit `.env` files
## Dependency Management
- All versions centralized in root `package.json` `catalog` field
- Workspace packages use `"catalog:"` — never hardcode versions
- Internal packages use `"workspace:*"` references
## Development Principles
> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks "just in case".
2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart. This includes updating code snippets in docs when imports, APIs, or patterns change.
3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns in the same codebase.
## Critical Rules
**DO:**
- Run `bun run fix` before committing
- Use `@/*` path aliases (not relative imports)
- Include `createdAt`/`updatedAt` on all tables
- Use `catalog:` for dependency versions
- Update `AGENTS.md` and other docs whenever code patterns change
**DON'T:**
- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
- Edit `src/routeTree.gen.ts` (auto-generated)
- Use `as any`, `@ts-ignore`, `@ts-expect-error`
- Commit `.env` files
- Use empty catch blocks `catch(e) {}`
- Hardcode dependency versions in workspace packages
- Leave docs out of sync with code changes
## Git Workflow
1. Make changes following style guide
2. `bun run fix` - auto-format and lint
3. `bun run typecheck` - verify types
4. `bun run dev` - test locally
5. Commit with descriptive message
## Directory Structure
```
.
├── apps/
│ ├── server/ # TanStack Start fullstack app
│ │ ├── src/
│ │ │ ├── client/ # ORPC client + TanStack Query utils
│ │ │ ├── components/
│ │ │ ├── routes/ # File-based routing
│ │ │ └── server/ # API layer + database
│ │ │ ├── api/ # ORPC contracts, routers, middlewares
│ │ │ └── db/ # Drizzle schema
│ │ └── AGENTS.md
│ └── desktop/ # Electron desktop shell
│ ├── src/
│ │ ├── main/
│ │ │ └── index.ts # Main process entry
│ │ └── preload/
│ │ └── index.ts # Preload script
│ ├── electron.vite.config.ts
│ ├── electron-builder.yml # Packaging config
│ └── AGENTS.md
├── packages/
│ └── tsconfig/ # Shared TS configs
├── biome.json # Linting/formatting config
├── turbo.json # Turbo task orchestration
└── package.json # Workspace root + dependency catalog
```
## See Also
- `apps/server/AGENTS.md` - Detailed TanStack Start / ORPC patterns
- `apps/desktop/AGENTS.md` - Electron desktop development guide

3
apps/desktop/.gitignore vendored
View File

@@ -1,3 +0,0 @@
# electron-vite build output
out/
dist/

95
apps/desktop/AGENTS.md
View File

@@ -1,95 +0,0 @@
# AGENTS.md - Desktop App Guidelines
Thin Electron shell hosting the fullstack server app.
## Tech Stack
> **⚠️ This project uses Bun as the package manager. Runtime is Electron (Node.js). Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, `yarn`, or `pnpm`.**
- **Type**: Electron desktop shell
- **Design**: Server-driven desktop (thin native window hosting web app)
- **Runtime**: Electron (Main/Renderer) + Sidecar server binary (Bun-compiled)
- **Build Tool**: electron-vite (Vite-based, handles main + preload builds)
- **Packager**: electron-builder (installers, signing, auto-update)
- **Orchestration**: Turborepo
## Architecture
- **Server-driven design**: The desktop app is a "thin" native shell. It does not contain UI or business logic; it opens a BrowserWindow pointing to the `apps/server` TanStack Start application.
- **Dev mode**: Opens a BrowserWindow pointing to `localhost:3000`. Requires `apps/server` to be running separately (Turbo handles this).
- **Production mode**: Spawns a compiled server binary (from `resources/`) as a sidecar process, waits for readiness, then loads its URL.
## Commands
```bash
bun run dev # electron-vite dev (requires server dev running)
bun run build # electron-vite build (main + preload)
bun run dist # Build + package for current platform
bun run dist:linux # Build + package for Linux (x64 + arm64)
bun run dist:linux:x64 # Build + package for Linux x64
bun run dist:linux:arm64 # Build + package for Linux arm64
bun run dist:mac # Build + package for macOS (arm64 + x64)
bun run dist:mac:arm64 # Build + package for macOS arm64
bun run dist:mac:x64 # Build + package for macOS x64
bun run dist:win # Build + package for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
```
## Directory Structure
```
.
├── src/
│ ├── main/
│ │ └── index.ts # Main process (server lifecycle + BrowserWindow)
│ └── preload/
│ └── index.ts # Preload script (security isolation)
├── resources/ # Sidecar binaries (gitignored, copied from server build)
├── out/ # electron-vite build output (gitignored)
├── electron.vite.config.ts
├── electron-builder.yml # Packaging configuration
├── package.json
├── turbo.json
└── AGENTS.md
```
## Development Workflow
1. **Start server**: `bun run dev` in `apps/server` (or use root `bun run dev` via Turbo).
2. **Start desktop**: `bun run dev` in `apps/desktop`.
3. **Connection**: Main process polls `localhost:3000` until responsive, then opens BrowserWindow.
## Production Build Workflow
From monorepo root, run `bun run dist` to execute the full pipeline automatically (via Turbo task dependencies):
1. **Build server**: `apps/server``vite build``.output/`
2. **Compile server**: `apps/server``bun compile.ts --target ...``out/server-{os}-{arch}`
3. **Package desktop**: `apps/desktop``electron-vite build` + `electron-builder` → distributable
The `electron-builder.yml` `extraResources` config reads binaries directly from `../server/out/`, no manual copy needed.
To build for a specific platform explicitly, use `bun run dist:linux` / `bun run dist:mac` / `bun run dist:win` in `apps/desktop`.
For single-arch output, use `bun run dist:linux:x64`, `bun run dist:linux:arm64`, `bun run dist:mac:x64`, or `bun run dist:mac:arm64`.
## Development Principles
> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
## Critical Rules
**DO:**
- Use arrow functions for all utility functions.
- Keep the desktop app as a thin shell — no UI or business logic.
- Use `catalog:` for all dependency versions in `package.json`.
**DON'T:**
- Use `npm`, `npx`, `yarn`, or `pnpm`. Use `bun` for package management.
- Include UI components or business logic in the desktop app.
- Use `as any` or `@ts-ignore`.
- Leave docs out of sync with code changes.

9
apps/desktop/biome.json
View File

@@ -1,9 +0,0 @@
{
"$schema": "../../node_modules/@biomejs/biome/configuration_schema.json",
"extends": "//",
"css": {
"parser": {
"tailwindDirectives": true
}
}
}

BIN
apps/desktop/build/icon.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

48
apps/desktop/electron-builder.yml
View File

@@ -1,48 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/electron-userland/electron-builder/refs/heads/master/packages/app-builder-lib/scheme.json
appId: com.furtherverse.desktop
productName: Furtherverse
executableName: furtherverse
npmRebuild: false
asarUnpack:
- resources/**
files:
- "!**/.vscode/*"
- "!src/*"
- "!electron.vite.config.{js,ts,mjs,cjs}"
- "!{.env,.env.*,bun.lock}"
- "!{tsconfig.json,tsconfig.node.json}"
- "!{AGENTS.md,README.md,CHANGELOG.md}"
# macOS
mac:
target:
- dmg
category: public.app-category.productivity
extraResources:
- from: ../server/out/server-darwin-${arch}
to: server
dmg:
artifactName: ${productName}-${version}-${os}-${arch}.${ext}
# Windows
win:
target:
- portable
extraResources:
- from: ../server/out/server-windows-${arch}.exe
to: server.exe
portable:
artifactName: ${productName}-${version}-${os}-${arch}-Portable.${ext}
# Linux
linux:
target:
- AppImage
category: Utility
extraResources:
- from: ../server/out/server-linux-${arch}
to: server
appImage:
artifactName: ${productName}-${version}-${os}-${arch}.${ext}

11
apps/desktop/electron.vite.config.ts
View File

@@ -1,11 +0,0 @@
import tailwindcss from '@tailwindcss/vite'
import react from '@vitejs/plugin-react'
import { defineConfig } from 'electron-vite'
export default defineConfig({
main: {},
preload: {},
renderer: {
plugins: [react(), tailwindcss()],
},
})

37
apps/desktop/package.json
View File

@@ -1,37 +0,0 @@
{
"name": "@furtherverse/desktop",
"version": "1.0.0",
"private": true,
"main": "out/main/index.js",
"scripts": {
"build": "electron-vite build",
"dev": "electron-vite dev --watch",
"dist": "electron-builder",
"dist:linux": "bun run dist:linux:x64 && bun run dist:linux:arm64",
"dist:linux:arm64": "electron-builder --linux --arm64",
"dist:linux:x64": "electron-builder --linux --x64",
"dist:mac": "bun run dist:mac:arm64 && bun run dist:mac:x64",
"dist:mac:arm64": "electron-builder --mac --arm64",
"dist:mac:x64": "electron-builder --mac --x64",
"dist:win": "electron-builder --win --x64",
"fix": "biome check --write",
"typecheck": "tsc -b"
},
"dependencies": {
"motion": "catalog:",
"react": "catalog:",
"react-dom": "catalog:",
"tree-kill": "catalog:"
},
"devDependencies": {
"@furtherverse/tsconfig": "workspace:*",
"@tailwindcss/vite": "catalog:",
"@types/node": "catalog:",
"@vitejs/plugin-react": "catalog:",
"electron": "catalog:",
"electron-builder": "catalog:",
"electron-vite": "catalog:",
"tailwindcss": "catalog:",
"vite": "catalog:"
}
}

0
apps/desktop/resources/.gitkeep
View File

198
apps/desktop/src/main/index.ts
View File

@@ -1,198 +0,0 @@
import { join } from 'node:path'
import { app, BrowserWindow, dialog, session, shell } from 'electron'
import { createSidecarRuntime } from './sidecar'
const DEV_SERVER_URL = 'http://localhost:3000'
const SAFE_EXTERNAL_PROTOCOLS = new Set(['https:', 'http:', 'mailto:'])
let mainWindow: BrowserWindow | null = null
let windowCreationPromise: Promise<void> | null = null
let isQuitting = false
const showErrorAndQuit = (title: string, detail: string) => {
if (isQuitting) {
return
}
dialog.showErrorBox(title, detail)
app.quit()
}
const sidecar = createSidecarRuntime({
devServerUrl: DEV_SERVER_URL,
isPackaged: app.isPackaged,
resourcesPath: process.resourcesPath,
isQuitting: () => isQuitting,
onUnexpectedStop: (detail) => {
showErrorAndQuit('Service Stopped', detail)
},
})
const toErrorMessage = (error: unknown): string => (error instanceof Error ? error.message : String(error))
const canOpenExternally = (url: string): boolean => {
try {
const parsed = new URL(url)
return SAFE_EXTERNAL_PROTOCOLS.has(parsed.protocol)
} catch {
return false
}
}
const loadSplash = async (windowRef: BrowserWindow) => {
if (process.env.ELECTRON_RENDERER_URL) {
await windowRef.loadURL(process.env.ELECTRON_RENDERER_URL)
return
}
await windowRef.loadFile(join(__dirname, '../renderer/index.html'))
}
const createWindow = async () => {
if (mainWindow && !mainWindow.isDestroyed()) {
mainWindow.focus()
return
}
const windowRef = new BrowserWindow({
width: 1200,
height: 800,
show: false,
webPreferences: {
preload: join(__dirname, '../preload/index.js'),
sandbox: true,
contextIsolation: true,
nodeIntegration: false,
},
})
mainWindow = windowRef
windowRef.webContents.setWindowOpenHandler(({ url }) => {
if (!canOpenExternally(url)) {
if (!app.isPackaged) {
console.warn(`Blocked external URL: ${url}`)
}
return { action: 'deny' }
}
void shell.openExternal(url)
return { action: 'deny' }
})
windowRef.webContents.on('will-navigate', (event, url) => {
const allowed = [DEV_SERVER_URL, sidecar.lastResolvedUrl].filter((v): v is string => v != null)
const isAllowed = allowed.some((origin) => url.startsWith(origin))
if (!isAllowed) {
event.preventDefault()
if (canOpenExternally(url)) {
void shell.openExternal(url)
} else if (!app.isPackaged) {
console.warn(`Blocked navigation to: ${url}`)
}
}
})
windowRef.on('closed', () => {
if (mainWindow === windowRef) {
mainWindow = null
}
})
try {
await loadSplash(windowRef)
} catch (error) {
if (mainWindow === windowRef) {
mainWindow = null
}
if (!windowRef.isDestroyed()) {
windowRef.destroy()
}
throw error
}
if (!windowRef.isDestroyed()) {
windowRef.show()
}
const targetUrl = await sidecar.resolveUrl()
if (isQuitting || windowRef.isDestroyed()) {
return
}
try {
await windowRef.loadURL(targetUrl)
} catch (error) {
if (mainWindow === windowRef) {
mainWindow = null
}
if (!windowRef.isDestroyed()) {
windowRef.destroy()
}
throw error
}
}
const ensureWindow = async () => {
if (windowCreationPromise) {
return windowCreationPromise
}
windowCreationPromise = createWindow().finally(() => {
windowCreationPromise = null
})
return windowCreationPromise
}
const beginQuit = () => {
isQuitting = true
sidecar.stop()
}
const handleWindowCreationError = (error: unknown, context: string) => {
console.error(`${context}:`, error)
showErrorAndQuit(
"App Couldn't Start",
app.isPackaged
? 'A required component failed to start. Please reinstall the app.'
: `${context}: ${toErrorMessage(error)}`,
)
}
app
.whenReady()
.then(() => {
session.defaultSession.setPermissionRequestHandler((_webContents, _permission, callback) => {
callback(false)
})
return ensureWindow()
})
.catch((error) => {
handleWindowCreationError(error, 'Failed to create window')
})
app.on('window-all-closed', () => {
if (process.platform !== 'darwin') {
app.quit()
}
})
app.on('activate', () => {
if (isQuitting || BrowserWindow.getAllWindows().length > 0) {
return
}
ensureWindow().catch((error) => {
handleWindowCreationError(error, 'Failed to re-create window')
})
})
app.on('before-quit', beginQuit)

256
apps/desktop/src/main/sidecar.ts
View File

@@ -1,256 +0,0 @@
import { type ChildProcess, spawn } from 'node:child_process'
import { existsSync } from 'node:fs'
import { createServer } from 'node:net'
import { join } from 'node:path'
import killProcessTree from 'tree-kill'
const SERVER_HOST = '127.0.0.1'
const SERVER_READY_TIMEOUT_MS = 10_000
const SERVER_REQUEST_TIMEOUT_MS = 1_500
const SERVER_POLL_INTERVAL_MS = 250
const SERVER_PROBE_PATHS = ['/api/health', '/']
type SidecarState = {
process: ChildProcess | null
startup: Promise<string> | null
url: string | null
}
type SidecarRuntimeOptions = {
devServerUrl: string
isPackaged: boolean
resourcesPath: string
isQuitting: () => boolean
onUnexpectedStop: (detail: string) => void
}
type SidecarRuntime = {
resolveUrl: () => Promise<string>
stop: () => void
lastResolvedUrl: string | null
}
const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms))
const isProcessAlive = (processToCheck: ChildProcess | null): processToCheck is ChildProcess => {
if (!processToCheck || !processToCheck.pid) {
return false
}
return processToCheck.exitCode === null && !processToCheck.killed
}
const getAvailablePort = (): Promise<number> =>
new Promise((resolve, reject) => {
const server = createServer()
server.listen(0, () => {
const addr = server.address()
if (!addr || typeof addr === 'string') {
server.close()
reject(new Error('Failed to resolve port'))
return
}
server.close(() => resolve(addr.port))
})
server.on('error', reject)
})
const isServerReady = async (url: string): Promise<boolean> => {
for (const probePath of SERVER_PROBE_PATHS) {
try {
const probeUrl = new URL(probePath, `${url}/`)
const response = await fetch(probeUrl, {
method: 'GET',
cache: 'no-store',
signal: AbortSignal.timeout(SERVER_REQUEST_TIMEOUT_MS),
})
if (response.status < 500) {
if (probePath === '/api/health' && response.status === 404) {
continue
}
return true
}
} catch {
// Expected: probe request fails while server is still starting up
}
}
return false
}
const waitForServer = async (url: string, isQuitting: () => boolean, processRef?: ChildProcess): Promise<boolean> => {
const start = Date.now()
while (Date.now() - start < SERVER_READY_TIMEOUT_MS && !isQuitting()) {
if (processRef && processRef.exitCode !== null) {
return false
}
if (await isServerReady(url)) {
return true
}
await sleep(SERVER_POLL_INTERVAL_MS)
}
return false
}
const resolveBinaryPath = (resourcesPath: string): string => {
const binaryName = process.platform === 'win32' ? 'server.exe' : 'server'
return join(resourcesPath, binaryName)
}
const formatUnexpectedStopMessage = (
isPackaged: boolean,
code: number | null,
signal: NodeJS.Signals | null,
): string => {
if (isPackaged) {
return 'The background service stopped unexpectedly. Please restart the app.'
}
return `Server process exited unexpectedly (code ${code ?? 'unknown'}, signal ${signal ?? 'none'}).`
}
export const createSidecarRuntime = (options: SidecarRuntimeOptions): SidecarRuntime => {
const state: SidecarState = {
process: null,
startup: null,
url: null,
}
const resetState = (processRef?: ChildProcess) => {
if (processRef && state.process !== processRef) {
return
}
state.process = null
state.url = null
}
const stop = () => {
const runningServer = state.process
resetState()
if (!runningServer?.pid || runningServer.exitCode !== null) {
return
}
killProcessTree(runningServer.pid, 'SIGTERM', (error?: Error) => {
if (error) {
console.error('Failed to stop server process:', error)
}
})
}
const attachLifecycleHandlers = (processRef: ChildProcess) => {
processRef.on('error', (error) => {
if (state.process !== processRef) {
return
}
const hadReadyServer = state.url !== null
resetState(processRef)
if (!options.isQuitting() && hadReadyServer) {
options.onUnexpectedStop('The background service crashed unexpectedly. Please restart the app.')
return
}
console.error('Failed to start server process:', error)
})
processRef.on('exit', (code, signal) => {
if (state.process !== processRef) {
return
}
const hadReadyServer = state.url !== null
resetState(processRef)
if (!options.isQuitting() && hadReadyServer) {
options.onUnexpectedStop(formatUnexpectedStopMessage(options.isPackaged, code, signal))
}
})
}
const startPackagedServer = async (): Promise<string> => {
if (state.url && isProcessAlive(state.process)) {
return state.url
}
if (state.startup) {
return state.startup
}
state.startup = (async () => {
const binaryPath = resolveBinaryPath(options.resourcesPath)
if (!existsSync(binaryPath)) {
throw new Error(`Sidecar server binary is missing: ${binaryPath}`)
}
if (options.isQuitting()) {
throw new Error('Application is shutting down.')
}
const port = await getAvailablePort()
const nextServerUrl = `http://${SERVER_HOST}:${port}`
const processRef = spawn(binaryPath, [], {
env: {
...process.env,
HOST: SERVER_HOST,
PORT: String(port),
},
stdio: 'ignore',
windowsHide: true,
})
processRef.unref()
state.process = processRef
attachLifecycleHandlers(processRef)
const ready = await waitForServer(nextServerUrl, options.isQuitting, processRef)
if (ready && isProcessAlive(processRef)) {
state.url = nextServerUrl
return nextServerUrl
}
const failureReason =
processRef.exitCode !== null
? `The service exited early (code ${processRef.exitCode}).`
: `The service did not respond at ${nextServerUrl} within 10 seconds.`
stop()
throw new Error(failureReason)
})().finally(() => {
state.startup = null
})
return state.startup
}
const resolveUrl = async (): Promise<string> => {
if (options.isPackaged) {
return startPackagedServer()
}
const ready = await waitForServer(options.devServerUrl, options.isQuitting)
if (!ready) {
throw new Error('Dev server not responding. Run `bun dev` in apps/server first.')
}
state.url = options.devServerUrl
return options.devServerUrl
}
return {
resolveUrl,
stop,
get lastResolvedUrl() {
return state.url
},
}
}

1
apps/desktop/src/preload/index.ts
View File

@@ -1 +0,0 @@
export {}

BIN
apps/desktop/src/renderer/assets/logo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

33
apps/desktop/src/renderer/components/SplashApp.tsx
View File

@@ -1,33 +0,0 @@
import { motion } from 'motion/react'
import logoImage from '../assets/logo.png'
export const SplashApp = () => {
return (
<main className="m-0 flex h-screen w-screen cursor-default select-none items-center justify-center overflow-hidden bg-white font-sans antialiased">
<motion.section
animate={{ opacity: 1, y: 0 }}
className="flex flex-col items-center gap-8"
initial={{ opacity: 0, y: 4 }}
transition={{
duration: 1,
ease: [0.16, 1, 0.3, 1],
}}
>
<img alt="Logo" className="h-20 w-auto object-contain" draggable={false} src={logoImage} />
<div className="relative h-[4px] w-36 overflow-hidden rounded-full bg-zinc-100">
<motion.div
animate={{ x: '100%' }}
className="h-full w-full bg-zinc-800"
initial={{ x: '-100%' }}
transition={{
duration: 2,
ease: [0.4, 0, 0.2, 1],
repeat: Infinity,
}}
/>
</div>
</motion.section>
</main>
)
}

12
apps/desktop/src/renderer/index.html
View File

@@ -1,12 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Furtherverse</title>
</head>
<body>
<div id="root"></div>
<script type="module" src="./main.tsx"></script>
</body>
</html>

11
apps/desktop/src/renderer/main.tsx
View File

@@ -1,11 +0,0 @@
import { StrictMode } from 'react'
import { createRoot } from 'react-dom/client'
import { SplashApp } from './components/SplashApp'
import './styles.css'
// biome-ignore lint/style/noNonNullAssertion: 一定存在
createRoot(document.getElementById('root')!).render(
<StrictMode>
<SplashApp />
</StrictMode>,
)

1
apps/desktop/src/renderer/styles.css
View File

@@ -1 +0,0 @@
@import "tailwindcss";

8
apps/desktop/tsconfig.app.json
View File

@@ -1,8 +0,0 @@
{
"extends": "@furtherverse/tsconfig/react.json",
"compilerOptions": {
"composite": true,
"types": ["vite/client"]
},
"include": ["src/renderer/**/*"]
}

11
apps/desktop/tsconfig.json
View File

@@ -1,11 +0,0 @@
{
"files": [],
"references": [
{
"path": "./tsconfig.app.json"
},
{
"path": "./tsconfig.node.json"
}
]
}

8
apps/desktop/tsconfig.node.json
View File

@@ -1,8 +0,0 @@
{
"extends": "@furtherverse/tsconfig/base.json",
"compilerOptions": {
"composite": true,
"types": ["node"]
},
"include": ["src/main/**/*", "src/preload/**/*", "electron.vite.config.ts"]
}

41
apps/desktop/turbo.json
View File

@@ -1,41 +0,0 @@
{
"$schema": "../../node_modules/turbo/schema.json",
"extends": ["//"],
"tasks": {
"build": {
"outputs": ["out/**"]
},
"dist": {
"dependsOn": ["build", "@furtherverse/server#compile"],
"outputs": ["dist/**"]
},
"dist:linux": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:arm64", "@furtherverse/server#compile:linux:x64"],
"outputs": ["dist/**"]
},
"dist:linux:arm64": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:arm64"],
"outputs": ["dist/**"]
},
"dist:linux:x64": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:x64"],
"outputs": ["dist/**"]
},
"dist:mac": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64", "@furtherverse/server#compile:darwin:x64"],
"outputs": ["dist/**"]
},
"dist:mac:arm64": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64"],
"outputs": ["dist/**"]
},
"dist:mac:x64": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:x64"],
"outputs": ["dist/**"]
},
"dist:win": {
"dependsOn": ["build", "@furtherverse/server#compile:windows:x64"],
"outputs": ["dist/**"]
}
}
}

2
apps/server/.env.example
View File

@@ -1 +1 @@
DATABASE_PATH=data.db
DATABASE_URL=./data/app.db

5
apps/server/.gitignore vendored Normal file
View File

@@ -0,0 +1,5 @@
# SQLite database files
data/
*.db
*.db-shm
*.db-wal

619
apps/server/AGENTS.md
View File

@@ -1,279 +1,420 @@
# AGENTS.md - Server App Guidelines
# AGENTS.md - AI Coding Agent Guidelines
TanStack Start fullstack web app with ORPC (contract-first RPC).
本文档为 AI 编程助手提供此 TanStack Start 全栈项目的开发规范和指南。
## Tech Stack
## 项目概览
> **⚠️ This project uses Bun — NOT Node.js / npm. All commands use `bun`. Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, or `node`.**
- **框架**: TanStack Start (React SSR 框架,文件路由)
- **运行时**: Bun
- **语言**: TypeScript (strict mode, ESNext)
- **样式**: Tailwind CSS v4
- **数据库**: SQLite + Drizzle ORM
- **状态管理**: TanStack Query
- **路由**: TanStack Router (文件路由)
- **RPC**: ORPC (类型安全 RPC契约优先)
- **构建工具**: Vite + Turbo
- **代码质量**: Biome (格式化 + Lint)
- **Framework**: TanStack Start (React 19 SSR, file-based routing)
- **Runtime**: Bun — **NOT Node.js**
- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
- **Language**: TypeScript (strict mode)
- **Styling**: Tailwind CSS v4
- **Database**: PostgreSQL + Drizzle ORM v1 beta (`drizzle-orm/postgres-js`, RQBv2)
- **State**: TanStack Query v5
- **RPC**: ORPC (contract-first, type-safe)
- **Build**: Vite + Nitro
## 依赖管理
## Commands
项目使用 **Bun Catalog** 统一管理依赖版本。
> **详细流程**: 加载 skill `bun-catalog-package` 获取完整指南。
**快速参考**
```bash
# Development
bun run dev # Vite dev server (localhost:3000)
bun run db:studio # Drizzle Studio GUI
# Build
bun run build # Production build → .output/
bun run compile # Compile to standalone binary (current platform, depends on build)
bun run compile:darwin # Compile for macOS (arm64 + x64)
bun run compile:darwin:arm64 # Compile for macOS arm64
bun run compile:darwin:x64 # Compile for macOS x64
bun run compile:linux # Compile for Linux (x64 + arm64)
bun run compile:linux:arm64 # Compile for Linux arm64
bun run compile:linux:x64 # Compile for Linux x64
bun run compile:windows # Compile for Windows (default: x64)
bun run compile:windows:x64 # Compile for Windows x64
# Code Quality
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
# Database
bun run db:generate # Generate migrations from schema
bun run db:migrate # Run migrations
bun run db:push # Push schema directly (dev only)
# Testing (not yet configured)
bun test path/to/test.ts # Run single test
bun test -t "pattern" # Run tests matching pattern
bun info <pkg> version # 查询最新版本
bun add <pkg>@catalog: # 在子包中安装
```
## Directory Structure
## 构建、Lint 和测试命令
```
src/
├── client/ # Client-side code
│ └── orpc.ts # ORPC client + TanStack Query utils (single entry point)
├── components/ # React components
├── routes/ # TanStack Router file routes
│ ├── __root.tsx # Root layout
│ ├── index.tsx # Home page
│ └── api/
│ ├── $.ts # OpenAPI handler + Scalar docs
│ ├── health.ts # Health check endpoint
│ └── rpc.$.ts # ORPC RPC handler
├── server/ # Server-side code
│ ├── api/ # ORPC layer
│ │ ├── contracts/ # Input/output schemas (Zod)
│ │ ├── middlewares/ # Middleware (db provider, auth)
│ │ ├── routers/ # Handler implementations
│ │ ├── interceptors.ts # Shared error interceptors
│ │ ├── context.ts # Request context
│ │ ├── server.ts # ORPC server instance
│ │ └── types.ts # Type exports
│ └── db/
│ ├── schema/ # Drizzle table definitions
│ ├── fields.ts # Shared field builders (id, createdAt, updatedAt)
│ ├── relations.ts # Drizzle relations (defineRelations, RQBv2)
│ └── index.ts # Database instance (postgres-js driver)
├── env.ts # Environment variable validation
├── router.tsx # Router configuration
├── routeTree.gen.ts # Auto-generated (DO NOT EDIT)
└── styles.css # Tailwind entry
### 开发
```bash
bun dev # 启动 Vite 开发服务器
bun db:studio # 打开 Drizzle Studio 数据库管理界面
```
## ORPC Pattern
### 构建
```bash
bun build # 构建 Vite 应用 (输出到 .output/)
bun compile # 编译为独立可执行文件 (使用 build.ts)
```
### 1. Define Contract (`src/server/api/contracts/feature.contract.ts`)
### 代码质量
```bash
bun typecheck # 运行 TypeScript 类型检查
bun fix # 运行 Biome 自动修复格式和 Lint 问题
biome check . # 检查但不自动修复
biome format --write . # 仅格式化代码
```
### 数据库
```bash
bun db:generate # 从 schema 生成迁移文件
bun db:migrate # 执行数据库迁移
bun db:push # 直接推送 schema 变更 (仅开发环境)
```
### 测试
**注意**: 当前未配置测试框架。添加测试时:
- 使用 Vitest 或 Bun 内置测试运行器
- 运行单个测试文件: `bun test path/to/test.ts`
- 运行特定测试: `bun test -t "测试名称模式"`
## 代码风格指南
### 格式化 (Biome)
**缩进**: 2 空格 (不使用 tab)
**换行符**: LF (Unix 风格)
**引号**: 单引号 `'string'`
**分号**: 按需 (ASI - 自动分号插入)
**箭头函数括号**: 始终使用 `(x) => x`
示例:
```typescript
import { oc } from '@orpc/contract'
import { createSelectSchema } from 'drizzle-orm/zod'
import { z } from 'zod'
import { featureTable } from '@/server/db/schema'
const selectSchema = createSelectSchema(featureTable)
export const list = oc.input(z.void()).output(z.array(selectSchema))
export const create = oc.input(insertSchema).output(selectSchema)
const myFunc = (value: string) => {
return value.toUpperCase()
}
```
### 2. Implement Router (`src/server/api/routers/feature.router.ts`)
```typescript
import { ORPCError } from '@orpc/server'
import { db } from '../middlewares'
import { os } from '../server'
### 导入组织
export const list = os.feature.list.use(db).handler(async ({ context }) => {
return await context.db.query.featureTable.findMany({
orderBy: { createdAt: 'desc' },
})
})
```
### 3. Register in Index Files
```typescript
// src/server/api/contracts/index.ts
import * as feature from './feature.contract'
export const contract = { feature }
// src/server/api/routers/index.ts
import * as feature from './feature.router'
export const router = os.router({ feature })
```
### 4. Use in Components
```typescript
import { useSuspenseQuery, useMutation } from '@tanstack/react-query'
import { orpc } from '@/client/orpc'
const { data } = useSuspenseQuery(orpc.feature.list.queryOptions())
const mutation = useMutation(orpc.feature.create.mutationOptions())
```
## Database (Drizzle ORM v1 beta)
- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts`
- **Query**: RQBv2 — use `db.query.tableName.findMany()` with object-style `orderBy` and `where`
### Schema Definition
```typescript
import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core'
import { sql } from 'drizzle-orm'
export const myTable = pgTable('my_table', {
id: uuid().primaryKey().default(sql`uuidv7()`),
name: text().notNull(),
createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
})
```
### Relations (RQBv2)
```typescript
// src/server/db/relations.ts
import { defineRelations } from 'drizzle-orm'
import * as schema from './schema'
export const relations = defineRelations(schema, (r) => ({
// Define relations here using r.one / r.many / r.through
}))
```
### DB Instance
```typescript
// src/server/db/index.ts
import { drizzle } from 'drizzle-orm/postgres-js'
import { relations } from '@/server/db/relations'
// In RQBv2, relations already contain schema info — no separate schema import needed
const db = drizzle({
connection: env.DATABASE_URL,
relations,
})
```
### RQBv2 Query Examples
```typescript
// Object-style orderBy (NOT callback style)
const todos = await db.query.todoTable.findMany({
orderBy: { createdAt: 'desc' },
})
// Object-style where
const todo = await db.query.todoTable.findFirst({
where: { id: someId },
})
```
## Code Style
### Formatting (Biome)
- **Indent**: 2 spaces
- **Quotes**: Single `'`
- **Semicolons**: Omit (ASI)
- **Arrow parens**: Always `(x) => x`
### Imports
Biome auto-organizes:
1. External packages
2. Internal `@/*` aliases
3. Type imports (`import type { ... }`)
Biome 自动组织导入。顺序:
1. 外部依赖
2. 内部导入 (使用 `@/*` 别名)
3. 类型导入 (仅导入类型时使用 `type` 关键字)
示例:
```typescript
import { createFileRoute } from '@tanstack/react-router'
import { oc } from '@orpc/contract'
import { z } from 'zod'
import { db } from '@/server/db'
import { db } from '@/db'
import { todoTable } from '@/db/schema'
import type { ReactNode } from 'react'
```
### TypeScript
**严格模式**: 启用了额外的严格检查
- `strict: true`
- `noUncheckedIndexedAccess: true` - array access returns `T | undefined`
- Use `@/*` path aliases (maps to `src/*`)
- `noUncheckedIndexedAccess: true` - 数组/对象索引返回 `T | undefined`
- `noImplicitOverride: true`
- `noFallthroughCasesInSwitch: true`
### Naming
| Type | Convention | Example |
|------|------------|---------|
| Files (utils) | kebab-case | `auth-utils.ts` |
| Files (components) | PascalCase | `UserProfile.tsx` |
| Components | PascalCase arrow | `const Button = () => {}` |
| Functions | camelCase | `getUserById` |
| Types | PascalCase | `UserProfile` |
**模块解析**: `bundler` 模式 + `verbatimModuleSyntax`
- 导入时始终使用 `.ts`/`.tsx` 扩展名
- 使用 `@/*` 路径别名指向 `src/*`
### React
- Use arrow functions for components (Biome enforced)
- Use `useSuspenseQuery` for guaranteed data
- Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
**类型注解**:
- 公共 API 的函数参数和返回类型必须注解
- 优先使用显式类型而非 `any`
- 对象形状用 `type`,可扩展契约用 `interface`
- 不可变 props 使用 `Readonly<T>`
## Environment Variables
### 命名规范
- **文件**: 工具函数用 kebab-case组件用 PascalCase
- `utils.ts`, `todo.tsx`, `NotFound.tsx`
- **路由**: 遵循 TanStack Router 约定
- `routes/index.tsx``/`
- `routes/__root.tsx` → 根布局
- **组件**: PascalCase 箭头函数 (Biome 规则 `useArrowFunction` 强制)
- **函数**: camelCase
- **常量**: 真常量用 UPPER_SNAKE_CASE配置对象用 camelCase
- **类型/接口**: PascalCase
### React 模式
**组件**: 使用箭头函数
```typescript
// src/env.ts - using @t3-oss/env-core
import { createEnv } from '@t3-oss/env-core'
import { z } from 'zod'
const MyComponent = ({ title }: { title: string }) => {
return <div>{title}</div>
}
```
export const env = createEnv({
server: {
DATABASE_URL: z.string().url(),
},
clientPrefix: 'VITE_',
client: {
VITE_API_URL: z.string().optional(),
},
**路由**: 使用 `createFileRoute` 定义路由
```typescript
export const Route = createFileRoute('/')({
component: Home,
})
```
## Development Principles
**数据获取**: 使用 TanStack Query hooks
- `useSuspenseQuery` - 保证有数据
- `useQuery` - 数据可能为空
> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
**Props**: 禁止直接修改 props (Biome 规则 `noReactPropAssignments`)
1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
### 数据库 Schema (Drizzle)
## Critical Rules
-`src/server/db/schema/*.ts` 定义 schema
-`src/server/db/schema/index.ts` 导出
- 使用 `drizzle-orm/sqlite-core` 的 SQLite 类型
- 主键使用 `uuidv7()` (TEXT 存储)
- 时间戳使用 `integer({ mode: 'timestamp_ms' })` (Unix 毫秒时间戳)
- 始终包含 `createdAt``updatedAt` 时间戳
**DO:**
- Run `bun run fix` before committing
- Use `@/*` path aliases
- Include `createdAt`/`updatedAt` on all tables
- Use `ORPCError` with proper codes
- Use `drizzle-orm/zod` (NOT `drizzle-zod`) for schema validation
- Use RQBv2 object syntax for `orderBy` and `where`
- Update `AGENTS.md` and other docs whenever code patterns change
示例:
```typescript
import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
import { v7 as uuidv7 } from 'uuid'
**DON'T:**
- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
- Edit `src/routeTree.gen.ts` (auto-generated)
- Use `as any`, `@ts-ignore`, `@ts-expect-error`
- Commit `.env` files
- Use empty catch blocks
- Import from `drizzle-zod` (use `drizzle-orm/zod` instead)
- Use RQBv1 callback-style `orderBy` / old `relations()` API
- Use `drizzle-orm/bun-sql` driver (use `drizzle-orm/postgres-js`)
- Pass `schema` to `drizzle()` constructor (only `relations` is needed in RQBv2)
- Import `os` from `@orpc/server` in middleware — use `@/server/api/server` (the local typed instance)
- Leave docs out of sync with code changes
export const myTable = sqliteTable('my_table', {
id: text('id').primaryKey().$defaultFn(() => uuidv7()),
name: text('name').notNull(),
createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()),
updatedAt: integer('updated_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()).$onUpdateFn(() => new Date()),
})
```
### 环境变量
- 使用 `@t3-oss/env-core` 进行类型安全的环境变量验证
- `src/env.ts` 定义 schema
- 服务端变量: 无前缀
- 客户端变量: 必须有 `VITE_` 前缀
- 使用 Zod schema 验证
### 错误处理
- 异步操作使用 try-catch
- 抛出带有描述性消息的错误
- 用户界面错误优先使用 Result 类型或错误边界
- 适当记录错误 (避免记录敏感数据)
### 样式 (Tailwind CSS)
- 使用 Tailwind v4 工具类
- 通过 `@/styles.css?url` 导入样式
- 优先使用组合而非自定义 CSS
- 响应式修饰符: `sm:`, `md:`, `lg:`
- UI 文本适当使用中文
## 目录结构
```
src/
├── components/ # 可复用 React 组件
├── db/
│ ├── schema/ # Drizzle schema 定义
│ └── index.ts # 数据库实例
├── integrations/ # 第三方集成 (TanStack Query/Router)
├── lib/ # 工具函数
├── orpc/ # ORPC (RPC 层)
│ ├── contracts/ # 契约定义 (input/output schemas)
│ ├── handlers/ # 服务端过程实现
│ ├── middlewares/ # 中间件 (如 DB provider)
│ ├── contract.ts # 契约聚合
│ ├── router.ts # 路由组合
│ ├── server.ts # 服务端实例
│ └── client.ts # 同构客户端
├── routes/ # TanStack Router 文件路由
│ ├── __root.tsx # 根布局
│ ├── index.tsx # 首页
│ └── api/rpc.$.ts # ORPC HTTP 端点
├── env.ts # 环境变量验证
└── router.tsx # 路由配置
```
## 重要提示
- **禁止** 编辑 `src/routeTree.gen.ts` - 自动生成
- **禁止** 提交 `.env` 文件 - 使用 `.env.example` 作为模板
- **必须** 在提交前运行 `bun fix`
- **必须** 使用 `@/*` 路径别名而非相对导入
- **必须** 利用 React Compiler (babel-plugin-react-compiler) - 避免手动 memoization
## Git 工作流
1. 按照上述风格指南进行修改
2. 运行 `bun fix` 自动格式化和 lint
3. 运行 `bun typecheck` 确保类型安全
4. 使用 `bun dev` 本地测试变更
5. 使用清晰的描述性消息提交
## 常见模式
### 创建 ORPC 过程
**步骤 1: 定义契约** (`src/orpc/contracts/my-feature.ts`)
```typescript
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const myContract = {
get: oc.input(z.object({ id: z.uuid() })).output(mySchema),
create: oc.input(createSchema).output(mySchema),
}
```
**步骤 2: 实现处理器** (`src/orpc/handlers/my-feature.ts`)
```typescript
import { os } from '@/orpc/server'
import { dbProvider } from '@/orpc/middlewares'
export const get = os.myFeature.get
.use(dbProvider)
.handler(async ({ context, input }) => {
return await context.db.query.myTable.findFirst(...)
})
```
**步骤 3: 注册到契约和路由**
```typescript
// src/orpc/contract.ts
export const contract = { myFeature: myContract }
// src/orpc/router.ts
import * as myFeature from './handlers/my-feature'
export const router = os.router({ myFeature })
```
**步骤 4: 在组件中使用**
```typescript
import { orpc } from '@/orpc'
const query = useSuspenseQuery(orpc.myFeature.get.queryOptions({ id }))
const mutation = useMutation(orpc.myFeature.create.mutationOptions())
```
---
## 已知问题与解决方案
### 构建问题
**已解决**: Vite 8.0.0-beta.10 已修复与 Nitro 插件的兼容性问题
- **当前版本**: Vite 8.0.0-beta.10 + nitro-nightly@3.0.1-20260125
- **状态**: 构建稳定,开发和生产环境均正常工作
### 依赖选择经验
**ohash vs crypto.createHash**
在实现硬件指纹功能时,曾误判 `ohash` 不适合用于硬件指纹识别。经深入研究发现:
**事实**
- `ohash` 内部使用**完整的 SHA-256** 算法256 位)
- 输出 43 字符 Base64URL 编码(等价于 64 字符 Hex
- 碰撞概率与 `crypto.createHash('sha256')` **完全相同**2^128
- 自动处理对象序列化,代码更简洁
**对比**
```typescript
// ohash - 推荐用于对象哈希
import { hash } from 'ohash'
const fingerprint = hash(systemInfo) // 一行搞定
// crypto - 需要手动序列化
import { createHash } from 'node:crypto'
const fingerprint = createHash('sha256')
.update(JSON.stringify(systemInfo))
.digest('base64url')
```
**结论**
-`ohash` 完全适合硬件指纹场景(数据来自系统 API非用户输入
- ✅ 两者安全性等价,选择取决于代码风格偏好
- ⚠️ ohash 文档警告的"序列化安全性"仅针对**用户输入**场景
**经验教训**
- 不要仅凭名称("短哈希")判断库的实现
- 深入研究文档和源码再做技术决策
- 区分"用户输入场景"和"系统数据场景"的安全要求
### 缓存库选择:@isaacs/ttlcache
**决策时间**: 2026-01-26
**背景**
硬件指纹功能最初使用手动实现的 TTL 缓存module-level 变量 + 手动过期检查)。为提高代码可维护性,迁移到专业缓存库。
**选型**
- **选择**: `@isaacs/ttlcache` v2.1.4
- **理由**:
- 专为 TTL 场景优化,无需 LRU 追踪开销
- 零依赖6M+ 周下载量
- 内置 TypeScript 类型
- 自动过期管理,无需手动定时器
- API 简洁: `new TTLCache({ ttl, max })`
**实现细节**
- 保留 `inFlight` Promise 模式用于并发请求去重TTLCache 不提供此功能)
- 使用单一缓存键 `'fingerprint'`单服务器场景opts 不影响输出)
- 默认 TTL: 10 分钟(可通过 `cacheTtlMs` 参数覆盖)
**对比手动实现**
- ✅ 更少自定义代码
- ✅ 更清晰的 TTL 语义
- ✅ 经过充分测试的库
- ⚠️ 仍需手动处理并发去重
**经验教训**
- 专业库不一定解决所有问题(如并发去重)
- 对于简单场景,手动实现 vs 库的选择主要取决于可维护性而非功能
### SQLite 数据库使用说明
**技术栈**:
- **驱动**: `better-sqlite3` v11.8.1 (原生模块,跨平台)
- **类型定义**: `@types/better-sqlite3` v7.6.12
- **数据库文件**: `./data/app.db`
**数据类型策略**:
- **主键**: TEXT 存储 UUIDv7 (36 字符字符串,全局唯一)
- **时间戳**: INTEGER 存储 Unix 毫秒时间戳 (`integer({ mode: 'timestamp_ms' })`)
- Drizzle 自动转换 `Date``number`
- **布尔值**: INTEGER 存储 0/1 (`integer({ mode: 'boolean' })`)
- Drizzle 自动转换 `boolean``0/1`
**数据库连接**:
```typescript
import { drizzle } from 'drizzle-orm/better-sqlite3'
import Database from 'better-sqlite3'
import { mkdirSync } from 'node:fs'
import { dirname } from 'node:path'
export const createDB = () => {
const dbPath = env.DATABASE_URL
if (dbPath !== ':memory:') {
mkdirSync(dirname(dbPath), { recursive: true })
}
const sqlite = new Database(dbPath)
return drizzle(sqlite, { schema })
}
```
**注意事项**:
- SQLite 是文件数据库,适合嵌入环境和单实例应用
- 不支持多进程并发写入
- 数据库文件和 WAL 文件 (`.db-shm`, `.db-wal`) 已添加到 `.gitignore`
- `better-sqlite3` 是原生模块,构建时需匹配生产环境 OS 和架构
### AGENTS.md 文档维护原则
**核心原则**AGENTS.md 只记录当前项目状态,不记录重构历史
1. **当前状态优先**:只描述项目当前使用的技术栈、架构和最佳实践
2. **无需向后兼容**:不保留旧技术栈的文档,重构后直接更新为新状态
3. **避免历史记录**:不记录"从 X 迁移到 Y"的过程,只记录"当前使用 Y"
4. **保持简洁**:删除过时信息,避免上下文过长影响 AI 理解
5. **及时同步**:架构变更后立即更新文档,确保文档与代码一致
**何时更新 AGENTS.md**
- 更换技术栈(如数据库、框架)
- 修改项目架构或目录结构
- 添加/移除重要依赖
- 发现重要的最佳实践或经验教训
**何时不更新 AGENTS.md**
- 日常功能开发
- Bug 修复
- 代码重构(不涉及架构变更)
- 临时实验或 POC
---
**最后更新**: 2026-01-26
**项目版本**: 基于 package.json 依赖版本

5
apps/server/biome.json
View File

@@ -3,10 +3,5 @@
"extends": "//",
"files": {
"includes": ["**", "!**/routeTree.gen.ts"]
},
"css": {
"parser": {
"tailwindDirectives": true
}
}
}

289
apps/server/build.ts Normal file
View File

@@ -0,0 +1,289 @@
import { Schema } from '@effect/schema'
import { $ } from 'bun'
import { Console, Context, Data, Effect, Layer } from 'effect'
// ============================================================================
// Domain Models & Schema
// ============================================================================
const BunTargetSchema = Schema.Literal(
'bun-windows-x64',
'bun-darwin-arm64',
'bun-darwin-x64',
'bun-linux-x64',
'bun-linux-arm64',
)
/**
* 将 bun target 转换为文件后缀 (去掉 'bun-' 前缀)
*/
const getTargetSuffix = (target: BunTarget): string => {
return target.replace('bun-', '')
}
type BunTarget = Schema.Schema.Type<typeof BunTargetSchema>
const BuildConfigSchema = Schema.Struct({
entrypoint: Schema.String.pipe(Schema.nonEmptyString()),
outputDir: Schema.String.pipe(Schema.nonEmptyString()),
outfile: Schema.String.pipe(Schema.nonEmptyString()),
targets: Schema.Array(BunTargetSchema).pipe(Schema.minItems(1)),
})
type BuildConfig = Schema.Schema.Type<typeof BuildConfigSchema>
const BuildResultSchema = Schema.Struct({
target: BunTargetSchema,
outputs: Schema.Array(Schema.String),
})
type BuildResult = Schema.Schema.Type<typeof BuildResultSchema>
// ============================================================================
// Error Models (使用 Data.TaggedError)
// ============================================================================
class CleanError extends Data.TaggedError('CleanError')<{
readonly dir: string
readonly cause: unknown
}> {}
class BuildError extends Data.TaggedError('BuildError')<{
readonly target: BunTarget
readonly cause: unknown
}> {}
class ConfigError extends Data.TaggedError('ConfigError')<{
readonly message: string
readonly cause: unknown
}> {}
// ============================================================================
// Services
// ============================================================================
/**
* 配置服务
*/
class BuildConfigService extends Context.Tag('BuildConfigService')<
BuildConfigService,
BuildConfig
>() {
/**
* 从原始数据创建并验证配置
*/
static fromRaw = (raw: unknown) =>
Effect.gen(function* () {
const decoded = yield* Schema.decodeUnknown(BuildConfigSchema)(raw)
return decoded
}).pipe(
Effect.catchAll((error) =>
Effect.fail(
new ConfigError({
message: '配置验证失败',
cause: error,
}),
),
),
)
/**
* 默认配置 Layer
*/
static readonly Live = Layer.effect(
BuildConfigService,
BuildConfigService.fromRaw({
entrypoint: '.output/server/index.mjs',
outputDir: 'out',
outfile: 'server',
targets: ['bun-windows-x64', 'bun-darwin-arm64', 'bun-linux-x64'],
} satisfies BuildConfig),
)
}
/**
* 文件系统服务
*/
class FileSystemService extends Context.Tag('FileSystemService')<
FileSystemService,
{
readonly cleanDir: (dir: string) => Effect.Effect<void, CleanError>
}
>() {
static readonly Live = Layer.succeed(FileSystemService, {
cleanDir: (dir: string) =>
Effect.tryPromise({
try: async () => {
await $`rm -rf ${dir}`
},
catch: (cause: unknown) =>
new CleanError({
dir,
cause,
}),
}),
})
}
/**
* 构建服务
*/
class BuildService extends Context.Tag('BuildService')<
BuildService,
{
readonly buildForTarget: (
config: BuildConfig,
target: BunTarget,
) => Effect.Effect<BuildResult, BuildError>
readonly buildAll: (
config: BuildConfig,
) => Effect.Effect<ReadonlyArray<BuildResult>, BuildError>
}
>() {
static readonly Live = Layer.succeed(BuildService, {
buildForTarget: (config: BuildConfig, target: BunTarget) =>
Effect.gen(function* () {
yield* Console.log(`🔨 开始构建: ${target}`)
const output = yield* Effect.tryPromise({
try: () =>
Bun.build({
entrypoints: [config.entrypoint],
compile: {
outfile: `${config.outfile}-${getTargetSuffix(target)}`,
target: target,
},
outdir: config.outputDir,
}),
catch: (cause: unknown) =>
new BuildError({
target,
cause,
}),
})
const paths = output.outputs.map((item: { path: string }) => item.path)
return {
target,
outputs: paths,
} satisfies BuildResult
}),
buildAll: (config: BuildConfig) =>
Effect.gen(function* () {
const effects = config.targets.map((target) =>
Effect.gen(function* () {
yield* Console.log(`🔨 开始构建: ${target}`)
const output = yield* Effect.tryPromise({
try: () =>
Bun.build({
entrypoints: [config.entrypoint],
compile: {
outfile: `${config.outfile}-${getTargetSuffix(target)}`,
target: target,
},
outdir: config.outputDir,
}),
catch: (cause: unknown) =>
new BuildError({
target,
cause,
}),
})
const paths = output.outputs.map(
(item: { path: string }) => item.path,
)
return {
target,
outputs: paths,
} satisfies BuildResult
}),
)
return yield* Effect.all(effects, { concurrency: 'unbounded' })
}),
})
}
/**
* 报告服务
*/
class ReporterService extends Context.Tag('ReporterService')<
ReporterService,
{
readonly printSummary: (
results: ReadonlyArray<BuildResult>,
) => Effect.Effect<void>
}
>() {
static readonly Live = Layer.succeed(ReporterService, {
printSummary: (results: ReadonlyArray<BuildResult>) =>
Effect.gen(function* () {
yield* Console.log('\n📦 构建完成:')
for (const result of results) {
yield* Console.log(` ${result.target}:`)
for (const path of result.outputs) {
yield* Console.log(` - ${path}`)
}
}
}),
})
}
// ============================================================================
// Main Program
// ============================================================================
const program = Effect.gen(function* () {
const config = yield* BuildConfigService
const fs = yield* FileSystemService
const builder = yield* BuildService
const reporter = yield* ReporterService
// 1. 清理输出目录
yield* fs.cleanDir(config.outputDir)
yield* Console.log(`✓ 已清理输出目录: ${config.outputDir}`)
// 2. 并行构建所有目标
const results = yield* builder.buildAll(config)
// 3. 输出构建摘要
yield* reporter.printSummary(results)
return results
})
// ============================================================================
// Layer Composition
// ============================================================================
const MainLayer = Layer.mergeAll(
BuildConfigService.Live,
FileSystemService.Live,
BuildService.Live,
ReporterService.Live,
)
// ============================================================================
// Runner
// ============================================================================
const runnable = program.pipe(
Effect.provide(MainLayer),
Effect.catchTags({
CleanError: (error) =>
Console.error(`❌ 清理目录失败: ${error.dir}`, error.cause),
BuildError: (error) =>
Console.error(`❌ 构建失败 [${error.target}]:`, error.cause),
ConfigError: (error) =>
Console.error(`❌ 配置错误: ${error.message}`, error.cause),
}),
Effect.tapErrorCause((cause) => Console.error('❌ 未预期的错误:', cause)),
)
Effect.runPromise(runnable).catch(() => {
process.exit(1)
})

64
apps/server/compile.ts
View File

@@ -1,64 +0,0 @@
import { mkdir, rm } from 'node:fs/promises'
import { parseArgs } from 'node:util'
const ENTRYPOINT = '.output/server/index.mjs'
const OUTDIR = 'out'
const SUPPORTED_TARGETS: readonly Bun.Build.CompileTarget[] = [
'bun-windows-x64',
'bun-darwin-arm64',
'bun-darwin-x64',
'bun-linux-x64',
'bun-linux-arm64',
]
const isSupportedTarget = (value: string): value is Bun.Build.CompileTarget =>
(SUPPORTED_TARGETS as readonly string[]).includes(value)
const { values } = parseArgs({
options: { target: { type: 'string' } },
strict: true,
allowPositionals: false,
})
const resolveTarget = (): Bun.Build.CompileTarget => {
if (values.target !== undefined) {
if (!isSupportedTarget(values.target)) {
throw new Error(`Invalid target: ${values.target}\nAllowed: ${SUPPORTED_TARGETS.join(', ')}`)
}
return values.target
}
const os = process.platform === 'win32' ? 'windows' : process.platform
const candidate = `bun-${os}-${process.arch}`
if (!isSupportedTarget(candidate)) {
throw new Error(`Unsupported host: ${process.platform}-${process.arch}`)
}
return candidate
}
const main = async () => {
const target = resolveTarget()
const suffix = target.replace('bun-', '')
const outfile = `server-${suffix}`
await mkdir(OUTDIR, { recursive: true })
await Promise.all([rm(`${OUTDIR}/${outfile}`, { force: true }), rm(`${OUTDIR}/${outfile}.exe`, { force: true })])
const result = await Bun.build({
entrypoints: [ENTRYPOINT],
outdir: OUTDIR,
compile: { outfile, target },
})
if (!result.success) {
throw new Error(result.logs.map(String).join('\n'))
}
console.log(`${target}${OUTDIR}/${outfile}`)
}
main().catch((err) => {
console.error('❌', err instanceof Error ? err.message : err)
process.exit(1)
})

5
apps/server/drizzle.config.ts
View File

@@ -1,12 +1,11 @@
import { defineConfig } from 'drizzle-kit'
const databasePath = process.env.DATABASE_PATH ?? 'data.db'
import { env } from '@/env'
export default defineConfig({
out: './drizzle',
schema: './src/server/db/schema/index.ts',
dialect: 'sqlite',
dbCredentials: {
url: databasePath,
url: env.DATABASE_URL,
},
})

18
apps/server/drizzle/0000_messy_goliath.sql Normal file
View File

@@ -0,0 +1,18 @@
CREATE TABLE `device_info` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`fingerprint` text NOT NULL,
`fingerprint_quality` text NOT NULL,
`license` text,
`license_activated_at` integer
);
--> statement-breakpoint
CREATE UNIQUE INDEX `device_info_fingerprint_unique` ON `device_info` (`fingerprint`);--> statement-breakpoint
CREATE TABLE `todo` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`title` text NOT NULL,
`completed` integer DEFAULT false NOT NULL
);

10
apps/server/drizzle/0001_watery_mongu.sql Normal file
View File

@@ -0,0 +1,10 @@
CREATE TABLE `license_activation` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`fingerprint` text NOT NULL,
`license` text,
`license_activated_at` integer
);
--> statement-breakpoint
CREATE UNIQUE INDEX `license_activation_fingerprint_unique` ON `license_activation` (`fingerprint`);

2
apps/server/drizzle/0002_dizzy_kingpin.sql Normal file
View File

@@ -0,0 +1,2 @@
DROP TABLE `device_info`;--> statement-breakpoint
DROP TABLE `todo`;

129
apps/server/drizzle/meta/0000_snapshot.json Normal file
View File

@@ -0,0 +1,129 @@
{
"version": "6",
"dialect": "sqlite",
"id": "09c29147-479a-4490-8223-db64c71c910f",
"prevId": "00000000-0000-0000-0000-000000000000",
"tables": {
"device_info": {
"name": "device_info",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint_quality": {
"name": "fingerprint_quality",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"device_info_fingerprint_unique": {
"name": "device_info_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"todo": {
"name": "todo",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"title": {
"name": "title",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"completed": {
"name": "completed",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

187
apps/server/drizzle/meta/0001_snapshot.json Normal file
View File

@@ -0,0 +1,187 @@
{
"version": "6",
"dialect": "sqlite",
"id": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
"prevId": "09c29147-479a-4490-8223-db64c71c910f",
"tables": {
"device_info": {
"name": "device_info",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint_quality": {
"name": "fingerprint_quality",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"device_info_fingerprint_unique": {
"name": "device_info_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"license_activation": {
"name": "license_activation",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"license_activation_fingerprint_unique": {
"name": "license_activation_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"todo": {
"name": "todo",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"title": {
"name": "title",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"completed": {
"name": "completed",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

76
apps/server/drizzle/meta/0002_snapshot.json Normal file
View File

@@ -0,0 +1,76 @@
{
"version": "6",
"dialect": "sqlite",
"id": "2bdd10cc-8e14-4843-931a-37b1d00f21a6",
"prevId": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
"tables": {
"license_activation": {
"name": "license_activation",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"license_activation_fingerprint_unique": {
"name": "license_activation_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

27
apps/server/drizzle/meta/_journal.json Normal file
View File

@@ -0,0 +1,27 @@
{
"version": "7",
"dialect": "sqlite",
"entries": [
{
"idx": 0,
"version": "6",
"when": 1769409553227,
"tag": "0000_messy_goliath",
"breakpoints": true
},
{
"idx": 1,
"version": "6",
"when": 1769409970060,
"tag": "0001_watery_mongu",
"breakpoints": true
},
{
"idx": 2,
"version": "6",
"when": 1769412006512,
"tag": "0002_dizzy_kingpin",
"breakpoints": true
}
]
}

35
apps/server/package.json
View File

@@ -4,26 +4,18 @@
"private": true,
"type": "module",
"scripts": {
"build": "bunx --bun vite build",
"compile": "bun compile.ts",
"compile:darwin": "bun run compile:darwin:arm64 && bun run compile:darwin:x64",
"compile:darwin:arm64": "bun compile.ts --target bun-darwin-arm64",
"compile:darwin:x64": "bun compile.ts --target bun-darwin-x64",
"compile:linux": "bun run compile:linux:x64 && bun run compile:linux:arm64",
"compile:linux:arm64": "bun compile.ts --target bun-linux-arm64",
"compile:linux:x64": "bun compile.ts --target bun-linux-x64",
"compile:windows": "bun run compile:windows:x64",
"compile:windows:x64": "bun compile.ts --target bun-windows-x64",
"db:generate": "bun --bun drizzle-kit generate",
"db:migrate": "bun --bun drizzle-kit migrate",
"db:push": "bun --bun drizzle-kit push",
"db:studio": "bun --bun drizzle-kit studio",
"dev": "bunx --bun vite dev",
"fix": "biome check --write",
"build": "vite build",
"compile": "bun build.ts",
"db:generate": "drizzle-kit generate",
"db:migrate": "drizzle-kit migrate",
"db:push": "drizzle-kit push",
"db:studio": "drizzle-kit studio",
"dev": "vite dev",
"fix": "biome check --write .",
"typecheck": "tsc --noEmit"
},
"dependencies": {
"@furtherverse/crypto": "workspace:*",
"@isaacs/ttlcache": "catalog:",
"@orpc/client": "catalog:",
"@orpc/contract": "catalog:",
"@orpc/openapi": "catalog:",
@@ -36,7 +28,9 @@
"@tanstack/react-router-ssr-query": "catalog:",
"@tanstack/react-start": "catalog:",
"drizzle-orm": "catalog:",
"jszip": "catalog:",
"drizzle-zod": "catalog:",
"ohash": "catalog:",
"better-sqlite3": "catalog:",
"react": "catalog:",
"react-dom": "catalog:",
"systeminformation": "catalog:",
@@ -44,18 +38,23 @@
"zod": "catalog:"
},
"devDependencies": {
"@effect/platform": "catalog:",
"@effect/schema": "catalog:",
"@furtherverse/tsconfig": "workspace:*",
"@tailwindcss/vite": "catalog:",
"@tanstack/devtools-vite": "catalog:",
"@tanstack/react-devtools": "catalog:",
"@tanstack/react-query-devtools": "catalog:",
"@tanstack/react-router-devtools": "catalog:",
"@types/better-sqlite3": "catalog:",
"@types/bun": "catalog:",
"@vitejs/plugin-react": "catalog:",
"babel-plugin-react-compiler": "catalog:",
"drizzle-kit": "catalog:",
"effect": "catalog:",
"nitro": "catalog:",
"tailwindcss": "catalog:",
"typescript": "catalog:",
"vite": "catalog:",
"vite-tsconfig-paths": "catalog:"
}

5
apps/server/src/client/orpc.ts → apps/server/src/client/orpc.client.ts
View File

@@ -1,7 +1,6 @@
import { createORPCClient } from '@orpc/client'
import { RPCLink } from '@orpc/client/fetch'
import { createRouterClient } from '@orpc/server'
import { createTanstackQueryUtils } from '@orpc/tanstack-query'
import { createIsomorphicFn } from '@tanstack/react-start'
import { getRequestHeaders } from '@tanstack/react-start/server'
import { router } from '@/server/api/routers'
@@ -22,6 +21,4 @@ const getORPCClient = createIsomorphicFn()
return createORPCClient<RouterClient>(link)
})
const client: RouterClient = getORPCClient()
export const orpc = createTanstackQueryUtils(client)
export const orpc: RouterClient = getORPCClient()

6
apps/server/src/client/query-client.ts Normal file
View File

@@ -0,0 +1,6 @@
import { createTanstackQueryUtils } from '@orpc/tanstack-query'
import { orpc as orpcClient } from './orpc.client'
export const orpc = createTanstackQueryUtils(orpcClient, {
experimental_defaults: {},
})

0
apps/server/src/components/NotFound.tsx → apps/server/src/components/NotFount.tsx
View File

2
apps/server/src/env.ts
View File

@@ -3,7 +3,7 @@ import { z } from 'zod'
export const env = createEnv({
server: {
DATABASE_PATH: z.string().min(1).default('data.db'),
DATABASE_URL: z.string().min(1),
},
clientPrefix: 'VITE_',
client: {

109
apps/server/src/lib/crypto.ts Normal file
View File

@@ -0,0 +1,109 @@
import {
constants,
createPrivateKey,
createPublicKey,
privateDecrypt,
publicEncrypt,
} from 'node:crypto'
// 对应 Java: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
const OAEP_HASH = 'sha256'
/**
* 使用 Base64 编码的公钥加密明文
*
* 加密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
* 公钥格式: SPKI/DER (对应 Java X509EncodedKeySpec)
*
* @param plainText - 待加密的明文字符串
* @param publicKeyBase64 - Base64 编码的公钥 (DER/SPKI 格式)
* @returns Base64 编码的加密数据
* @throws {Error} 加密失败时抛出错误
*
* @example
* ```typescript
* const publicKey = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...'
* const encrypted = encrypt('sensitive data', publicKey)
* console.log(encrypted) // "a3f5e8c2d1b4..."
* ```
*/
export function encrypt(plainText: string, publicKeyBase64: string): string {
const buffer = Buffer.from(plainText, 'utf-8')
const keyBuffer = Buffer.from(publicKeyBase64, 'base64')
try {
// 1. 先创建 KeyObject在这里指定密钥的格式 (DER/SPKI)
const publicKey = createPublicKey({
key: keyBuffer,
format: 'der',
type: 'spki', // 对应 Java X509EncodedKeySpec
})
// 2. 使用 KeyObject 进行加密,在这里指定 Padding 模式
const encrypted = publicEncrypt(
{
key: publicKey,
padding: constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: OAEP_HASH,
},
buffer,
)
return encrypted.toString('base64')
} catch (error) {
throw new Error(
`Encryption failed: ${error instanceof Error ? error.message : String(error)}`,
)
}
}
/**
* 使用 Base64 编码的私钥解密数据
*
* 解密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
* 私钥格式: PKCS8/DER (对应 Java PKCS8EncodedKeySpec)
*
* @param encryptedData - Base64 编码的加密数据
* @param privateKeyBase64 - Base64 编码的私钥 (DER/PKCS8 格式)
* @returns 解密后的明文字符串
* @throws {Error} 解密失败时抛出错误
*
* @example
* ```typescript
* const privateKey = 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...'
* const decrypted = decrypt('a3f5e8c2d1b4...', privateKey)
* console.log(decrypted) // "sensitive data"
* ```
*/
export function decrypt(
encryptedData: string,
privateKeyBase64: string,
): string {
const buffer = Buffer.from(encryptedData, 'base64')
const keyBuffer = Buffer.from(privateKeyBase64, 'base64')
try {
// 1. 先创建 KeyObject在这里指定密钥的格式 (DER/PKCS8)
const privateKey = createPrivateKey({
key: keyBuffer,
format: 'der',
type: 'pkcs8', // 对应 Java PKCS8EncodedKeySpec
})
// 2. 使用 KeyObject 进行解密
const decrypted = privateDecrypt(
{
key: privateKey,
padding: constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: OAEP_HASH,
},
buffer,
)
return decrypted.toString('utf-8')
} catch (error) {
throw new Error(
`Decryption failed: ${error instanceof Error ? error.message : String(error)}`,
)
}
}

233
apps/server/src/lib/fingerprint.ts Normal file
View File

@@ -0,0 +1,233 @@
import { TTLCache } from '@isaacs/ttlcache'
import { hash } from 'ohash'
import si from 'systeminformation'
/**
* 硬件指纹质量等级
* - strong: 2+ 个强标识符可用(推荐用于生产授权)
* - medium: 1 个强标识符可用(可用但不理想)
* - weak: 无强标识符(仅适合开发/测试)
*/
export type FingerprintQuality = 'strong' | 'medium' | 'weak'
/**
* 标准化的系统信息(用于机器码生成)
*/
export type NormalizedSystemInfo = {
/** 系统 UUID(最稳定的硬件标识符) */
systemUuid: string | null
/** 系统序列号 */
systemSerial: string | null
/** 主板序列号 */
baseboardSerial: string | null
/** 主板制造商 */
baseboardManufacturer: string | null
/** BIOS 版本 */
biosVersion: string | null
/** BIOS 供应商 */
biosVendor: string | null
/** CPU 品牌标识(用于质量评估) */
cpuBrand: string | null
/** 主硬盘序列号(可选,高稳定性) */
primaryDiskSerial?: string | null
}
/**
* 硬件指纹配置选项
*/
export type HardwareFingerprintOptions = {
/**
* 缓存 TTL(毫秒),默认 10 分钟
* 硬件信息变化频率极低,缓存可大幅提升性能
*/
cacheTtlMs?: number
/**
* 是否包含主硬盘序列号(默认 true)
* 注意:在容器/虚拟机环境可能获取失败
*/
includePrimaryDisk?: boolean
}
/**
* 硬件指纹响应
*/
export type HardwareFingerprintResult = {
/** 机器码(HMAC-SHA256 哈希,64 字符十六进制) */
fingerprint: string
/** 指纹质量等级 */
quality: FingerprintQuality
/** 可用的强标识符数量 */
strongIdentifiersCount: number
/** 生成时间戳 */
timestamp: number
}
// 缓存实例
const cache = new TTLCache<'fingerprint', HardwareFingerprintResult>({
ttl: 10 * 60 * 1000, // 10 minutes default
max: 1, // Only one fingerprint cached
})
// 防止并发重复请求
let inFlight: Promise<HardwareFingerprintResult> | null = null
/**
* 计算指纹质量
*/
function computeQuality(info: NormalizedSystemInfo): {
quality: FingerprintQuality
count: number
} {
const strongKeys = [
info.systemUuid,
info.systemSerial,
info.baseboardSerial,
info.primaryDiskSerial,
].filter(Boolean).length
if (strongKeys >= 2) return { quality: 'strong', count: strongKeys }
if (strongKeys === 1) return { quality: 'medium', count: strongKeys }
return { quality: 'weak', count: 0 }
}
/**
* 安全地收集标准化系统信息(容错处理)
*/
async function collectNormalizedInfo(
opts: HardwareFingerprintOptions,
): Promise<NormalizedSystemInfo> {
// 使用 Promise.allSettled 避免单点失败
const tasks = await Promise.allSettled([
si.uuid(),
si.system(),
si.baseboard(),
si.bios(),
si.cpu(),
opts.includePrimaryDisk !== false ? si.diskLayout() : Promise.resolve([]),
])
const [uuidRes, systemRes, baseboardRes, biosRes, cpuRes, diskRes] = tasks
const uuid = uuidRes.status === 'fulfilled' ? uuidRes.value : null
const system = systemRes.status === 'fulfilled' ? systemRes.value : null
const baseboard =
baseboardRes.status === 'fulfilled' ? baseboardRes.value : null
const bios = biosRes.status === 'fulfilled' ? biosRes.value : null
const cpu = cpuRes.status === 'fulfilled' ? cpuRes.value : null
// 提取主硬盘序列号(通常是第一个物理磁盘)
let primaryDiskSerial: string | null = null
if (diskRes.status === 'fulfilled' && Array.isArray(diskRes.value)) {
const disks = diskRes.value as Array<{ serialNum?: string; type?: string }>
const physicalDisk = disks.find(
(d) => d.type !== 'USB' && d.serialNum && d.serialNum.trim(),
)
primaryDiskSerial = physicalDisk?.serialNum?.trim() || null
}
return {
// 系统级标识符(最稳定)
systemUuid: (system?.uuid ?? uuid?.hardware ?? null) || null,
systemSerial: (system?.serial ?? null) || null,
// 主板标识符(次稳定)
baseboardSerial: (baseboard?.serial ?? null) || null,
baseboardManufacturer: (baseboard?.manufacturer ?? null) || null,
// BIOS 信息(辅助识别)
biosVersion: (bios?.version ?? null) || null,
biosVendor: (bios?.vendor ?? null) || null,
// CPU 信息(辅助识别)
cpuBrand: (cpu?.brand ?? null) || null,
// 磁盘序列号(可选,高稳定性)
...(opts.includePrimaryDisk !== false ? { primaryDiskSerial } : {}),
}
}
/**
/**
* 获取硬件指纹(机器码)
*
* 适用场景:客户端部署的软件授权、机器绑定
*
* 安全说明:
* - 返回 SHA-256 哈希(Base64URL 编码,43 字符),不可逆推原始硬件信息
* - 使用 ohash 自动处理对象序列化和哈希
* - 客户端部署场景:客户可以看到代码,无法使用密钥加密
* - 安全性依赖硬件信息本身的不可伪造性(来自操作系统)
* - 自动缓存减少系统调用开销
*
* 稳定性:
* - 优先使用系统 UUID、序列号等不易变更的标识符
* - 避免网络接口等易变信息
* - 容错处理,部分信息缺失不影响生成
*
* @example
* ```typescript
* const result = await getHardwareFingerprint({
* cacheTtlMs: 600000, // 10 分钟
* includePrimaryDisk: true,
* })
*
* console.log(result.fingerprint) // "a3f5e8c2d1b4..."
* console.log(result.quality) // "strong"
* ```
*/
export async function getHardwareFingerprint(
opts: HardwareFingerprintOptions,
): Promise<HardwareFingerprintResult> {
const ttl = opts.cacheTtlMs ?? 10 * 60 * 1000
const now = Date.now()
// 返回缓存结果
const cached = cache.get('fingerprint')
if (cached) {
return cached
}
// 防止并发重复请求
if (inFlight) {
return inFlight
}
inFlight = (async () => {
// 收集标准化信息
const info = await collectNormalizedInfo(opts)
// 计算质量
const { quality, count } = computeQuality(info)
// 使用 ohash 生成指纹(自动序列化 + SHA-256 + Base64URL)
const fingerprint = hash({
v: 1, // 版本号,未来如需变更采集策略可递增
info,
})
const result: HardwareFingerprintResult = {
fingerprint,
quality,
strongIdentifiersCount: count,
timestamp: now,
}
// 更新缓存
cache.set('fingerprint', result, { ttl })
return result
})().finally(() => {
inFlight = null
})
return inFlight
}
/**
* 清除指纹缓存(用于测试或强制刷新)
*/
export function clearFingerprintCache(): void {
cache.clear()
inFlight = null
}

40
apps/server/src/lib/license-init.ts Normal file
View File

@@ -0,0 +1,40 @@
import { getDB } from '@/server/db'
import { licenseActivationTable } from '@/server/db/schema'
import { getHardwareFingerprint } from './fingerprint'
let initPromise: Promise<void> | null = null
export async function ensureLicenseActivationInitialized(): Promise<void> {
if (initPromise) return initPromise
initPromise = (async () => {
try {
const db = getDB()
const result = await getHardwareFingerprint({
cacheTtlMs: 10 * 60 * 1000,
includePrimaryDisk: true,
})
await db
.insert(licenseActivationTable)
.values({
fingerprint: result.fingerprint,
license: null,
licenseActivatedAt: null,
})
.onConflictDoUpdate({
target: licenseActivationTable.fingerprint,
set: {
updatedAt: new Date(),
},
})
} catch (error) {
console.error('Failed to initialize license activation:', error)
// 重置 promise 以便下次重试
initPromise = null
throw error
}
})()
return initPromise
}

60
apps/server/src/routeTree.gen.ts
View File

@@ -9,21 +9,27 @@
// Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified.
import { Route as rootRouteImport } from './routes/__root'
import { Route as LicenseRouteImport } from './routes/license'
import { Route as FingerprintRouteImport } from './routes/fingerprint'
import { Route as IndexRouteImport } from './routes/index'
import { Route as ApiHealthRouteImport } from './routes/api/health'
import { Route as ApiSplatRouteImport } from './routes/api/$'
import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc.$'
const LicenseRoute = LicenseRouteImport.update({
id: '/license',
path: '/license',
getParentRoute: () => rootRouteImport,
} as any)
const FingerprintRoute = FingerprintRouteImport.update({
id: '/fingerprint',
path: '/fingerprint',
getParentRoute: () => rootRouteImport,
} as any)
const IndexRoute = IndexRouteImport.update({
id: '/',
path: '/',
getParentRoute: () => rootRouteImport,
} as any)
const ApiHealthRoute = ApiHealthRouteImport.update({
id: '/api/health',
path: '/api/health',
getParentRoute: () => rootRouteImport,
} as any)
const ApiSplatRoute = ApiSplatRouteImport.update({
id: '/api/$',
path: '/api/$',
@@ -37,40 +43,58 @@ const ApiRpcSplatRoute = ApiRpcSplatRouteImport.update({
export interface FileRoutesByFullPath {
'/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute
}
export interface FileRoutesByTo {
'/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute
}
export interface FileRoutesById {
__root__: typeof rootRouteImport
'/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute
}
export interface FileRouteTypes {
fileRoutesByFullPath: FileRoutesByFullPath
fullPaths: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
fullPaths: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
fileRoutesByTo: FileRoutesByTo
to: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
id: '__root__' | '/' | '/api/$' | '/api/health' | '/api/rpc/$'
to: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
id: '__root__' | '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
fileRoutesById: FileRoutesById
}
export interface RootRouteChildren {
IndexRoute: typeof IndexRoute
FingerprintRoute: typeof FingerprintRoute
LicenseRoute: typeof LicenseRoute
ApiSplatRoute: typeof ApiSplatRoute
ApiHealthRoute: typeof ApiHealthRoute
ApiRpcSplatRoute: typeof ApiRpcSplatRoute
}
declare module '@tanstack/react-router' {
interface FileRoutesByPath {
'/license': {
id: '/license'
path: '/license'
fullPath: '/license'
preLoaderRoute: typeof LicenseRouteImport
parentRoute: typeof rootRouteImport
}
'/fingerprint': {
id: '/fingerprint'
path: '/fingerprint'
fullPath: '/fingerprint'
preLoaderRoute: typeof FingerprintRouteImport
parentRoute: typeof rootRouteImport
}
'/': {
id: '/'
path: '/'
@@ -78,13 +102,6 @@ declare module '@tanstack/react-router' {
preLoaderRoute: typeof IndexRouteImport
parentRoute: typeof rootRouteImport
}
'/api/health': {
id: '/api/health'
path: '/api/health'
fullPath: '/api/health'
preLoaderRoute: typeof ApiHealthRouteImport
parentRoute: typeof rootRouteImport
}
'/api/$': {
id: '/api/$'
path: '/api/$'
@@ -104,8 +121,9 @@ declare module '@tanstack/react-router' {
const rootRouteChildren: RootRouteChildren = {
IndexRoute: IndexRoute,
FingerprintRoute: FingerprintRoute,
LicenseRoute: LicenseRoute,
ApiSplatRoute: ApiSplatRoute,
ApiHealthRoute: ApiHealthRoute,
ApiRpcSplatRoute: ApiRpcSplatRoute,
}
export const routeTree = rootRouteImport

9
apps/server/src/router.tsx
View File

@@ -5,14 +5,7 @@ import type { RouterContext } from './routes/__root'
import { routeTree } from './routeTree.gen'
export const getRouter = () => {
const queryClient = new QueryClient({
defaultOptions: {
queries: {
staleTime: 30 * 1000,
retry: 1,
},
},
})
const queryClient = new QueryClient()
const router = createRouter({
routeTree,

10
apps/server/src/routes/__root.tsx
View File

@@ -1,11 +1,15 @@
import { TanStackDevtools } from '@tanstack/react-devtools'
import type { QueryClient } from '@tanstack/react-query'
import { ReactQueryDevtoolsPanel } from '@tanstack/react-query-devtools'
import { createRootRouteWithContext, HeadContent, Scripts } from '@tanstack/react-router'
import {
createRootRouteWithContext,
HeadContent,
Scripts,
} from '@tanstack/react-router'
import { TanStackRouterDevtoolsPanel } from '@tanstack/react-router-devtools'
import type { ReactNode } from 'react'
import { ErrorComponent } from '@/components/Error'
import { NotFoundComponent } from '@/components/NotFound'
import { NotFoundComponent } from '@/components/NotFount'
import appCss from '@/styles.css?url'
export interface RouterContext {
@@ -46,7 +50,6 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
</head>
<body>
{children}
{import.meta.env.DEV && (
<TanStackDevtools
config={{
position: 'bottom-right',
@@ -62,7 +65,6 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
},
]}
/>
)}
<Scripts />
</body>
</html>

51
apps/server/src/routes/api/$.ts
View File

@@ -1,10 +1,10 @@
import { OpenAPIHandler } from '@orpc/openapi/fetch'
import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
import { onError } from '@orpc/server'
import { ORPCError, onError, ValidationError } from '@orpc/server'
import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
import { createFileRoute } from '@tanstack/react-router'
import { z } from 'zod'
import { name, version } from '@/../package.json'
import { handleValidationError, logError } from '@/server/api/interceptors'
import { router } from '@/server/api/routers'
const handler = new OpenAPIHandler(router, {
@@ -16,15 +16,56 @@ const handler = new OpenAPIHandler(router, {
info: {
title: name,
version,
description: 'UX 授权服务 OpenAPI 文档:设备授权、任务解密、摘要加密与报告签名打包接口。',
},
// components: {
// securitySchemes: {
// bearerAuth: {
// type: 'http',
// scheme: 'bearer',
// },
// },
// },
},
docsPath: '/docs',
specPath: '/spec.json',
}),
],
interceptors: [onError(logError)],
clientInterceptors: [onError(handleValidationError)],
interceptors: [
onError((error) => {
console.error(error)
}),
],
clientInterceptors: [
onError((error) => {
if (
error instanceof ORPCError &&
error.code === 'BAD_REQUEST' &&
error.cause instanceof ValidationError
) {
// If you only use Zod you can safely cast to ZodIssue[]
const zodError = new z.ZodError(
error.cause.issues as z.core.$ZodIssue[],
)
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (
error instanceof ORPCError &&
error.code === 'INTERNAL_SERVER_ERROR' &&
error.cause instanceof ValidationError
) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}),
],
})
export const Route = createFileRoute('/api/$')({

27
apps/server/src/routes/api/health.ts
View File

@@ -1,27 +0,0 @@
import { createFileRoute } from '@tanstack/react-router'
import { name, version } from '@/../package.json'
const createHealthResponse = (): Response =>
Response.json(
{
status: 'ok',
service: name,
version,
timestamp: new Date().toISOString(),
},
{
status: 200,
headers: {
'cache-control': 'no-store',
},
},
)
export const Route = createFileRoute('/api/health')({
server: {
handlers: {
GET: async () => createHealthResponse(),
HEAD: async () => new Response(null, { status: 200 }),
},
},
})

42
apps/server/src/routes/api/rpc.$.ts
View File

@@ -1,12 +1,46 @@
import { onError } from '@orpc/server'
import { ORPCError, onError, ValidationError } from '@orpc/server'
import { RPCHandler } from '@orpc/server/fetch'
import { createFileRoute } from '@tanstack/react-router'
import { handleValidationError, logError } from '@/server/api/interceptors'
import { z } from 'zod'
import { router } from '@/server/api/routers'
const handler = new RPCHandler(router, {
interceptors: [onError(logError)],
clientInterceptors: [onError(handleValidationError)],
interceptors: [
onError((error) => {
console.error(error)
}),
],
clientInterceptors: [
onError((error) => {
if (
error instanceof ORPCError &&
error.code === 'BAD_REQUEST' &&
error.cause instanceof ValidationError
) {
// If you only use Zod you can safely cast to ZodIssue[]
const zodError = new z.ZodError(
error.cause.issues as z.core.$ZodIssue[],
)
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (
error instanceof ORPCError &&
error.code === 'INTERNAL_SERVER_ERROR' &&
error.cause instanceof ValidationError
) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}),
],
})
export const Route = createFileRoute('/api/rpc/$')({

301
apps/server/src/routes/fingerprint.tsx Normal file
View File

@@ -0,0 +1,301 @@
import { useSuspenseQuery } from '@tanstack/react-query'
import { createFileRoute } from '@tanstack/react-router'
import { useEffect, useState } from 'react'
import { orpc } from '@/client/query-client'
export const Route = createFileRoute('/fingerprint')({
component: FingerprintPage,
loader: async ({ context }) => {
await context.queryClient.ensureQueryData(
orpc.fingerprint.get.queryOptions(),
)
},
})
function FingerprintPage() {
const query = useSuspenseQuery(orpc.fingerprint.get.queryOptions())
const [copied, setCopied] = useState(false)
const data = query.data
useEffect(() => {
if (copied) {
const timer = setTimeout(() => setCopied(false), 2000)
return () => clearTimeout(timer)
}
}, [copied])
const handleCopy = async () => {
await navigator.clipboard.writeText(data.fingerprint)
setCopied(true)
}
const qualityConfig = {
strong: {
label: '强',
color: 'text-green-600',
bg: 'bg-green-50',
border: 'border-green-200',
icon: '✓',
description: '推荐用于生产授权',
},
medium: {
label: '中',
color: 'text-yellow-600',
bg: 'bg-yellow-50',
border: 'border-yellow-200',
icon: '!',
description: '可用但不理想',
},
weak: {
label: '弱',
color: 'text-red-600',
bg: 'bg-red-50',
border: 'border-red-200',
icon: '×',
description: '仅适合开发/测试',
},
}
const config = qualityConfig[data.quality]
return (
<div className="min-h-screen bg-gradient-to-br from-slate-50 via-blue-50 to-slate-50 py-12 px-4 sm:px-6 font-sans">
<div className="max-w-4xl mx-auto space-y-8">
{/* Header */}
<div className="text-center space-y-3">
<h1 className="text-4xl font-bold text-slate-900 tracking-tight">
</h1>
<p className="text-slate-500 text-lg"></p>
</div>
{/* Main Card */}
<div className="bg-white rounded-3xl shadow-xl border border-slate-100 overflow-hidden">
{/* Quality Badge */}
<div className={`px-8 py-6 border-b ${config.bg} ${config.border}`}>
<div className="flex items-center justify-between">
<div className="flex items-center gap-3">
<div
className={`w-12 h-12 rounded-full ${config.bg} border-2 ${config.border} flex items-center justify-center text-2xl font-bold ${config.color}`}
>
{config.icon}
</div>
<div>
<div className="flex items-center gap-2">
<span className="text-sm font-medium text-slate-600">
</span>
<span
className={`px-3 py-1 rounded-full text-sm font-semibold ${config.bg} ${config.color} border ${config.border}`}
>
{config.label}
</span>
</div>
<p className="text-xs text-slate-500 mt-1">
{config.description}
</p>
</div>
</div>
<div className="text-right">
<div className="text-3xl font-bold text-slate-900">
{data.strongIdentifiersCount}
</div>
<div className="text-xs font-medium text-slate-400 uppercase tracking-wider">
</div>
</div>
</div>
</div>
{/* Fingerprint Display */}
<div className="px-8 py-8">
<div className="space-y-4">
<div className="flex items-center justify-between">
<div className="text-sm font-semibold text-slate-700 uppercase tracking-wider">
</div>
<button
type="button"
onClick={handleCopy}
className={`px-4 py-2 rounded-lg font-medium text-sm transition-all ${
copied
? 'bg-green-100 text-green-700 border-2 border-green-300'
: 'bg-slate-100 text-slate-700 hover:bg-slate-200 border-2 border-slate-200'
}`}
>
{copied ? '已复制 ✓' : '复制'}
</button>
</div>
<div className="relative group">
<div className="absolute inset-0 bg-gradient-to-r from-blue-500 to-purple-500 rounded-xl blur-sm opacity-0 group-hover:opacity-20 transition-opacity" />
<div className="relative bg-slate-900 rounded-xl p-6 font-mono text-sm break-all leading-relaxed text-slate-100 shadow-inner border-2 border-slate-800">
{data.fingerprint}
</div>
</div>
<div className="flex items-center gap-2 text-xs text-slate-500">
<svg
className="w-4 h-4"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
/>
</svg>
<span>SHA-256 43 Base64URL </span>
</div>
</div>
</div>
{/* Metadata */}
<div className="px-8 py-6 bg-slate-50 border-t border-slate-100">
<div className="grid grid-cols-1 md:grid-cols-2 gap-6">
<div className="space-y-2">
<div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
</div>
<div className="text-lg font-medium text-slate-900">
{new Date(data.timestamp).toLocaleString('zh-CN', {
year: 'numeric',
month: '2-digit',
day: '2-digit',
hour: '2-digit',
minute: '2-digit',
second: '2-digit',
})}
</div>
</div>
<div className="space-y-2">
<div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
</div>
<div className="flex items-center gap-2">
<div className="w-2 h-2 rounded-full bg-green-500 animate-pulse" />
<span className="text-lg font-medium text-slate-900">
10
</span>
</div>
</div>
</div>
</div>
</div>
{/* Info Cards */}
<div className="grid grid-cols-1 md:grid-cols-3 gap-6">
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-blue-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-blue-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
使 HMAC-SHA256
</p>
</div>
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-purple-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-purple-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
UUID
</p>
</div>
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-green-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-green-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 10V3L4 14h7v7l9-11h-7z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
</p>
</div>
</div>
{/* Usage Hint */}
<div className="bg-blue-50 border-2 border-blue-200 rounded-2xl p-6">
<div className="flex gap-4">
<div className="flex-shrink-0">
<svg
className="w-6 h-6 text-blue-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
/>
</svg>
</div>
<div className="space-y-2">
<h4 className="font-semibold text-blue-900">使</h4>
<ul className="text-sm text-blue-800 space-y-1 list-disc list-inside">
<li></li>
<li></li>
<li>便</li>
</ul>
</div>
</div>
</div>
</div>
</div>
)
}

43
apps/server/src/routes/index.tsx
View File

@@ -1,4 +1,4 @@
import { createFileRoute } from '@tanstack/react-router'
import { createFileRoute, Link } from '@tanstack/react-router'
export const Route = createFileRoute('/')({
component: Home,
@@ -6,15 +6,40 @@ export const Route = createFileRoute('/')({
function Home() {
return (
<div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
<div className="text-center space-y-4">
<h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
<p className="text-slate-500">
API:&nbsp;
<a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
/api
</a>
<div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans">
<div className="max-w-2xl mx-auto space-y-8 text-center">
<h1 className="text-4xl font-bold text-slate-900 tracking-tight">
License
</h1>
<p className="text-slate-500 text-lg">
使 TanStack Start + ORPC License
</p>
<div className="grid grid-cols-1 sm:grid-cols-2 gap-4 mt-8">
<Link
to="/fingerprint"
className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
>
<h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
</h2>
<p className="text-slate-500 mt-2 text-sm">
License
</p>
</Link>
<Link
to="/license"
className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
>
<h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
License
</h2>
<p className="text-slate-500 mt-2 text-sm">
License
</p>
</Link>
</div>
</div>
</div>
)

463
apps/server/src/routes/license.tsx Normal file
View File

@@ -0,0 +1,463 @@
import {
useMutation,
useQueryClient,
useSuspenseQuery,
} from '@tanstack/react-query'
import { createFileRoute } from '@tanstack/react-router'
import { useState } from 'react'
import { orpc } from '@/client/query-client'
export const Route = createFileRoute('/license')({
component: License,
})
function License() {
const [licenseInput, setLicenseInput] = useState('')
const [copySuccess, setCopySuccess] = useState(false)
const [showDeactivateConfirm, setShowDeactivateConfirm] = useState(false)
const queryClient = useQueryClient()
// 获取激活状态
const { data } = useSuspenseQuery(orpc.license.getActivation.queryOptions())
// 激活 mutation
const activateMutation = useMutation({
...orpc.license.activate.mutationOptions(),
onSuccess: () => {
// 刷新数据
queryClient.invalidateQueries({
queryKey: orpc.license.getActivation.key(),
})
// 清空输入
setLicenseInput('')
},
})
// 反激活 mutation
const deactivateMutation = useMutation({
...orpc.license.deactivate.mutationOptions(),
onSuccess: () => {
queryClient.invalidateQueries({
queryKey: orpc.license.getActivation.key(),
})
setShowDeactivateConfirm(false)
},
})
const handleActivate = () => {
if (!licenseInput.trim()) return
activateMutation.mutate({ license: licenseInput.trim() })
}
const handleDeactivate = () => {
deactivateMutation.mutate()
}
const handleCopyFingerprint = async () => {
try {
await navigator.clipboard.writeText(data.fingerprint)
setCopySuccess(true)
setTimeout(() => setCopySuccess(false), 2000)
} catch (err) {
console.error('Failed to copy fingerprint:', err)
}
}
const isActivated = !!data.license
return (
<div className="min-h-screen bg-gray-50 flex items-center justify-center p-4 font-sans">
<div className="w-full max-w-2xl space-y-6">
{/* 页面标题 */}
<div className="text-center mb-8">
<h1 className="text-3xl font-bold text-gray-900 tracking-tight">
License
</h1>
<p className="text-gray-500 mt-2"></p>
</div>
{/* 设备信息卡片 */}
<div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-blue-500"
>
<rect x="4" y="4" width="16" height="16" rx="2" ry="2"></rect>
<rect x="9" y="9" width="6" height="6"></rect>
<line x1="9" y1="1" x2="9" y2="4"></line>
<line x1="15" y1="1" x2="15" y2="4"></line>
<line x1="9" y1="20" x2="9" y2="23"></line>
<line x1="15" y1="20" x2="15" y2="23"></line>
<line x1="20" y1="9" x2="23" y2="9"></line>
<line x1="20" y1="14" x2="23" y2="14"></line>
<line x1="1" y1="9" x2="4" y2="9"></line>
<line x1="1" y1="14" x2="4" y2="14"></line>
</svg>
</h2>
<div className="bg-gray-50 rounded-lg p-4 border border-gray-100">
<p className="text-sm text-gray-500 mb-1">
(Device Fingerprint)
</p>
<div className="flex items-center gap-3">
<code className="flex-1 font-mono text-sm text-gray-700 break-all select-all">
{data.fingerprint}
</code>
<button
type="button"
onClick={handleCopyFingerprint}
className={`px-3 py-1.5 rounded-md text-sm font-medium transition-colors flex items-center gap-1.5 ${
copySuccess
? 'bg-green-100 text-green-700 hover:bg-green-200'
: 'bg-white border border-gray-200 text-gray-700 hover:bg-gray-50 hover:text-gray-900'
}`}
>
{copySuccess ? (
<>
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="14"
height="14"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<polyline points="20 6 9 17 4 12"></polyline>
</svg>
</>
) : (
<>
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="14"
height="14"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<rect
x="9"
y="9"
width="13"
height="13"
rx="2"
ry="2"
></rect>
<path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"></path>
</svg>
</>
)}
</button>
</div>
</div>
</div>
</div>
{/* License 激活卡片 */}
<div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-purple-500"
>
<rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
<path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
</svg>
License
</h2>
<div className="space-y-4">
<div>
<label
htmlFor="license-key"
className="block text-sm font-medium text-gray-700 mb-1"
>
License Key
</label>
<input
id="license-key"
type="text"
value={licenseInput}
onChange={(e) => setLicenseInput(e.target.value)}
disabled={isActivated || activateMutation.isPending}
placeholder={
isActivated ? '已激活,无需输入' : '请输入您的 License Key'
}
className="w-full px-4 py-2.5 bg-white border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500/20 focus:border-purple-500 outline-none transition-all disabled:bg-gray-100 disabled:text-gray-500 placeholder:text-gray-400"
/>
</div>
{activateMutation.isError && (
<div className="p-3 bg-red-50 border border-red-100 rounded-lg text-red-600 text-sm flex items-start gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="16"
height="16"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="mt-0.5 shrink-0"
>
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="8" x2="12" y2="12"></line>
<line x1="12" y1="16" x2="12.01" y2="16"></line>
</svg>
<span>激活失败: 请检查 License </span>
</div>
)}
<button
type="button"
onClick={handleActivate}
disabled={
isActivated ||
activateMutation.isPending ||
!licenseInput.trim()
}
className={`w-full px-6 py-2.5 rounded-lg font-medium text-white shadow-sm transition-all focus:outline-none focus:ring-2 focus:ring-offset-2 ${
isActivated
? 'bg-gray-300 cursor-not-allowed'
: activateMutation.isPending
? 'bg-purple-500 opacity-80 cursor-wait'
: 'bg-purple-600 hover:bg-purple-700 hover:shadow-md active:scale-[0.99] focus:ring-purple-500'
}`}
>
{activateMutation.isPending ? (
<span className="flex items-center justify-center gap-2">
<svg
aria-hidden="true"
className="animate-spin h-4 w-4 text-white"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
>
<circle
className="opacity-25"
cx="12"
cy="12"
r="10"
stroke="currentColor"
strokeWidth="4"
></circle>
<path
className="opacity-75"
fill="currentColor"
d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
></path>
</svg>
...
</span>
) : isActivated ? (
'已完成激活'
) : (
'立即激活'
)}
</button>
</div>
</div>
</div>
{/* 激活状态卡片 */}
<div
className={`rounded-xl shadow-sm border overflow-hidden transition-colors ${
isActivated
? 'bg-green-50/50 border-green-100'
: 'bg-white border-gray-100'
}`}
>
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className={isActivated ? 'text-green-500' : 'text-gray-400'}
>
<path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"></path>
<polyline points="22 4 12 14.01 9 11.01"></polyline>
</svg>
</h2>
{isActivated ? (
<div className="space-y-3">
<div className="flex items-center gap-2 text-green-700 font-medium text-lg">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="24"
height="24"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-green-500"
>
<path d="M12 22c5.523 0 10-4.477 10-10S17.523 2 12 2 2 6.477 2 12s4.477 10 10 10z"></path>
<path d="M9 12l2 2 4-4"></path>
</svg>
<span>License </span>
</div>
<div className="pl-8 space-y-1">
<p className="text-gray-600 text-sm">
<span className="font-medium text-gray-700">
License:{' '}
</span>
<span className="font-mono">{data.license}</span>
</p>
{data.licenseActivatedAt && (
<p className="text-gray-500 text-sm">
<span className="font-medium text-gray-700">
:{' '}
</span>
{new Date(data.licenseActivatedAt).toLocaleString(
'zh-CN',
{
year: 'numeric',
month: '2-digit',
day: '2-digit',
hour: '2-digit',
minute: '2-digit',
second: '2-digit',
},
)}
</p>
)}
</div>
{!showDeactivateConfirm ? (
<button
type="button"
onClick={() => setShowDeactivateConfirm(true)}
className="mt-4 px-4 py-2 bg-red-500 text-white rounded-lg text-sm font-medium hover:bg-red-600 transition-colors shadow-sm"
>
</button>
) : (
<div className="mt-4 p-4 bg-red-50 rounded-lg border border-red-200">
<p className="text-red-700 text-sm mb-3 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="16"
height="16"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3Z" />
<path d="M12 9v4" />
<path d="M12 17h.01" />
</svg>
License
</p>
<div className="flex gap-2">
<button
type="button"
onClick={handleDeactivate}
disabled={deactivateMutation.isPending}
className="px-4 py-2 bg-red-600 text-white rounded-md text-sm font-medium hover:bg-red-700 disabled:bg-gray-300 transition-colors"
>
{deactivateMutation.isPending
? '反激活中...'
: '确认反激活'}
</button>
<button
type="button"
onClick={() => setShowDeactivateConfirm(false)}
className="px-4 py-2 bg-gray-200 text-gray-700 rounded-md text-sm font-medium hover:bg-gray-300 transition-colors"
>
</button>
</div>
{deactivateMutation.isError && (
<p className="text-red-500 mt-2 text-xs">
</p>
)}
</div>
)}
</div>
) : (
<div className="flex items-start gap-3">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="24"
height="24"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-orange-500 shrink-0 mt-0.5"
>
<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"></path>
<line x1="12" y1="9" x2="12" y2="13"></line>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<div>
<p className="text-orange-700 font-medium text-lg mb-1">
</p>
<p className="text-gray-500 text-sm">
License Key
</p>
</div>
</div>
)}
</div>
</div>
</div>
</div>
)
}

82
apps/server/src/server/api/contracts/config.contract.ts
View File

@@ -1,82 +0,0 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
const configOutput = z
.object({
licence: z.string().nullable().describe('当前本地 licence未设置时为 null'),
fingerprint: z.string().describe('UX 本机计算得到的设备特征码SHA-256'),
hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
})
.meta({
examples: [
{
licence: 'LIC-8F2A-XXXX',
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
hasPgpPrivateKey: true,
},
{
licence: null,
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
hasPgpPrivateKey: false,
},
],
})
export const get = oc
.route({
method: 'POST',
path: '/config/get',
operationId: 'configGet',
summary: '读取本机身份配置',
description:
'返回 UX 本地持久化的 licence、本机设备特征码fingerprint以及 OpenPGP 私钥配置状态。工具箱端可据此判断是否已完成本地身份初始化。',
tags: ['Config'],
})
.input(z.object({}))
.output(configOutput)
export const setLicence = oc
.route({
method: 'POST',
path: '/config/set-licence',
operationId: 'configSetLicence',
summary: '写入本地 licence',
description:
'写入或更新本机持久化的 licence。设备特征码fingerprint始终由 UX 本机自动计算,无需外部传入。此接口应在设备授权流程前调用。',
tags: ['Config'],
})
.input(
z
.object({
licence: z.string().min(1).describe('本地持久化的 licence'),
})
.meta({
examples: [{ licence: 'LIC-8F2A-XXXX' }],
}),
)
.output(configOutput)
export const setPgpPrivateKey = oc
.route({
method: 'POST',
path: '/config/set-pgp-private-key',
operationId: 'configSetPgpPrivateKey',
summary: '写入本地 OpenPGP 私钥',
description:
'写入或更新本机持久化的 OpenPGP 私钥ASCII armored 格式),用于报告签名。私钥与设备绑定,调用报告签名接口时 UX 自动读取,无需每次传入。',
tags: ['Config'],
})
.input(
z
.object({
pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥ASCII armored 格式)'),
})
.meta({
examples: [
{
pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
},
],
}),
)
.output(configOutput)

150
apps/server/src/server/api/contracts/crypto.contract.ts
View File

@@ -1,150 +0,0 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const encryptDeviceInfo = oc
.route({
method: 'POST',
path: '/crypto/encrypt-device-info',
operationId: 'encryptDeviceInfo',
summary: '生成设备授权二维码密文',
description:
'将本机 licence 与 fingerprint 组装为 JSON使用平台 RSA 公钥RSA-OAEP + SHA-256加密后返回 Base64 密文,供工具箱生成设备授权二维码。参见《工具箱端 - 设备授权二维码生成指南》。',
tags: ['Crypto'],
})
.input(
z
.object({
platformPublicKey: z.string().min(1).describe('平台公钥Base64SPKI DER'),
})
.meta({
examples: [
{
platformPublicKey:
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
},
],
}),
)
.output(
z
.object({
encrypted: z.string().describe('Base64 密文(用于设备授权二维码)'),
})
.meta({
examples: [
{
encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
},
],
}),
)
export const decryptTask = oc
.route({
method: 'POST',
path: '/crypto/decrypt-task',
operationId: 'decryptTask',
summary: '解密任务二维码数据',
description:
'使用本机 licence 与 fingerprint 派生 AES-256-GCM 密钥SHA-256解密 App 任务二维码中的 Base64 密文,返回任务信息明文。参见《工具箱端 - 任务二维码解密指南》。',
tags: ['Crypto'],
})
.input(
z
.object({
encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文(来自任务二维码扫描结果)'),
})
.meta({
examples: [
{
encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
},
],
}),
)
.output(
z
.object({
decrypted: z.string().describe('解密后的任务信息 JSON 字符串'),
})
.meta({
examples: [
{
decrypted:
'{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
},
],
}),
)
export const encryptSummary = oc
.route({
method: 'POST',
path: '/crypto/encrypt-summary',
operationId: 'encryptSummary',
summary: '加密摘要信息',
description:
'使用本机 licence 与 fingerprint 通过 HKDF-SHA256 派生密钥,以 AES-256-GCM 加密检查摘要明文并返回 Base64 密文,供工具箱生成摘要信息二维码。参见《工具箱端 - 摘要信息二维码生成指南》。',
tags: ['Crypto'],
})
.input(
z
.object({
salt: z.string().min(1).describe('HKDF salt即 taskId从任务二维码中获取'),
plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文'),
})
.meta({
examples: [
{
salt: 'TASK-20260115-4875',
plaintext:
'{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":"检查摘要信息发现3个高危漏洞5个中危漏洞","timestamp":1734571234567}',
},
],
}),
)
.output(
z
.object({
encrypted: z.string().describe('Base64 密文(用于摘要信息二维码)'),
})
.meta({
examples: [
{
encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
},
],
}),
)
export const signAndPackReport = oc
.route({
method: 'POST',
path: '/crypto/sign-and-pack-report',
operationId: 'signAndPackReport',
summary: '签名并打包检查报告',
description:
'上传包含 summary.json 的原始报告 ZIPUX 自动从 ZIP 中提取 summary.json使用本地存储的 licence/fingerprint 计算设备签名HKDF + HMAC-SHA256并使用本地 OpenPGP 私钥生成分离式签名。返回包含 summary.json含 deviceSignature、META-INF/manifest.json、META-INF/signature.asc 的签名报告 ZIP。参见《工具箱端 - 报告加密与签名生成指南》。',
tags: ['Crypto', 'Report'],
})
.input(
z.object({
rawZip: z
.file()
.mime(['application/zip', 'application/x-zip-compressed'])
.describe(
'原始报告 ZIP 文件(必须包含 summary.json以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件)',
),
outputFileName: z
.string()
.min(1)
.optional()
.describe('返回 ZIP 文件名(可选,默认 signed-report.zip')
.meta({ examples: ['signed-report.zip'] }),
}),
)
.output(
z
.file()
.describe('签名后报告 ZIP 文件(二进制响应,包含 summary.json、META-INF/manifest.json、META-INF/signature.asc'),
)

26
apps/server/src/server/api/contracts/fingerprint.contract.ts Normal file
View File

@@ -0,0 +1,26 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
/**
* 硬件指纹质量等级
*/
const fingerprintQualitySchema = z.enum(['strong', 'medium', 'weak'])
/**
* 硬件指纹响应 Schema
*/
const fingerprintResultSchema = z.object({
/** 机器码HMAC-SHA256 哈希) */
fingerprint: z.string(),
/** 指纹质量等级 */
quality: fingerprintQualitySchema,
/** 可用的强标识符数量 */
strongIdentifiersCount: z.number(),
/** 生成时间戳 */
timestamp: z.number(),
})
/**
* 获取硬件指纹契约
*/
export const get = oc.input(z.void()).output(fingerprintResultSchema)

8
apps/server/src/server/api/contracts/index.ts
View File

@@ -1,9 +1,9 @@
import * as config from './config.contract'
import * as crypto from './crypto.contract'
import * as fingerprint from './fingerprint.contract'
import * as license from './license.contract'
export const contract = {
config,
crypto,
fingerprint,
license,
}
export type Contract = typeof contract

18
apps/server/src/server/api/contracts/license.contract.ts Normal file
View File

@@ -0,0 +1,18 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const getActivation = oc.input(z.void()).output(
z.object({
fingerprint: z.string(),
license: z.string().nullable(),
licenseActivatedAt: z.number().nullable(),
}),
)
export const activate = oc
.input(z.object({ license: z.string().min(1) }))
.output(z.object({ success: z.boolean() }))
export const deactivate = oc
.input(z.void())
.output(z.object({ success: z.boolean() }))

26
apps/server/src/server/api/interceptors.ts
View File

@@ -1,26 +0,0 @@
import { ORPCError, ValidationError } from '@orpc/server'
import { z } from 'zod'
export const logError = (error: unknown) => {
console.error(error)
}
export const handleValidationError = (error: unknown) => {
if (error instanceof ORPCError && error.code === 'BAD_REQUEST' && error.cause instanceof ValidationError) {
// If you only use Zod you can safely cast to ZodIssue[] (per ORPC official docs)
const zodError = new z.ZodError(error.cause.issues as z.core.$ZodIssue[])
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (error instanceof ORPCError && error.code === 'INTERNAL_SERVER_ERROR' && error.cause instanceof ValidationError) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}

8
apps/server/src/server/api/middlewares/db.middleware.ts
View File

@@ -1,7 +1,9 @@
import { os } from '@/server/api/server'
import { os } from '@orpc/server'
import { ensureLicenseActivationInitialized } from '@/lib/license-init'
import { getDB } from '@/server/db'
export const db = os.middleware(async ({ context, next }) => {
export const dbProvider = os.middleware(async ({ context, next }) => {
await ensureLicenseActivationInitialized()
return next({
context: {
...context,
@@ -9,3 +11,5 @@ export const db = os.middleware(async ({ context, next }) => {
},
})
})
export const db = dbProvider

24
apps/server/src/server/api/routers/config.router.ts
View File

@@ -1,24 +0,0 @@
import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey } from '@/server/ux-config'
import { db } from '../middlewares'
import { os } from '../server'
const toConfigOutput = (config: { licence: string | null; fingerprint: string; pgpPrivateKey: string | null }) => ({
licence: config.licence,
fingerprint: config.fingerprint,
hasPgpPrivateKey: config.pgpPrivateKey != null,
})
export const get = os.config.get.use(db).handler(async ({ context }) => {
const config = await ensureUxConfig(context.db)
return toConfigOutput(config)
})
export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
const config = await setUxLicence(context.db, input.licence)
return toConfigOutput(config)
})
export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
return toConfigOutput(config)
})

171
apps/server/src/server/api/routers/crypto.router.ts
View File

@@ -1,171 +0,0 @@
import {
aesGcmDecrypt,
aesGcmEncrypt,
hkdfSha256,
hmacSha256Base64,
pgpSignDetached,
rsaOaepEncrypt,
sha256,
sha256Hex,
} from '@furtherverse/crypto'
import { ORPCError } from '@orpc/server'
import JSZip from 'jszip'
import { z } from 'zod'
import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
import { getUxConfig } from '@/server/ux-config'
import { db } from '../middlewares'
import { os } from '../server'
const summaryPayloadSchema = z
.object({
taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
checkId: z.string().optional(),
inspectionId: z.string().optional(),
})
.loose()
const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
const config = await getUxConfig(dbInstance)
if (!config || !config.licence) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
})
}
return config as typeof config & { licence: string }
}
export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
const deviceInfoJson = JSON.stringify({
licence: config.licence,
fingerprint: config.fingerprint,
})
const encrypted = rsaOaepEncrypt(deviceInfoJson, input.platformPublicKey)
return { encrypted }
})
export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
const key = sha256(config.licence + config.fingerprint)
const decrypted = aesGcmDecrypt(input.encryptedData, key)
return { decrypted }
})
export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
const ikm = config.licence + config.fingerprint
const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
return { encrypted }
})
export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
if (!config.pgpPrivateKey) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
})
}
const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
if (error instanceof ZipValidationError) {
throw new ORPCError('BAD_REQUEST', { message: error.message })
}
throw error
})
// Extract and validate summary.json from the ZIP
const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
if (!summaryFile) {
throw new ORPCError('BAD_REQUEST', {
message: 'rawZip must contain a summary.json file',
})
}
let rawJson: unknown
try {
rawJson = JSON.parse(Buffer.from(summaryFile.bytes).toString('utf-8'))
} catch {
throw new ORPCError('BAD_REQUEST', {
message: 'summary.json in the ZIP is not valid JSON',
})
}
const parsed = summaryPayloadSchema.safeParse(rawJson)
if (!parsed.success) {
throw new ORPCError('BAD_REQUEST', {
message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
})
}
const summaryPayload = parsed.data
const checkId = summaryPayload.checkId ?? summaryPayload.inspectionId ?? ''
const signingContext = `${summaryPayload.taskId}${checkId}`
// Compute device signature
const ikm = config.licence + config.fingerprint
const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
const fileHashEntries = zipFiles
.map((item) => ({
name: item.name,
hash: sha256Hex(Buffer.from(item.bytes)),
}))
.sort((a, b) => a.name.localeCompare(b.name, 'en'))
const hashPayload = fileHashEntries.map((item) => `${item.name}:${item.hash}`).join('|')
const signPayload = `${signingContext}|${hashPayload}`
const deviceSignature = hmacSha256Base64(signingKey, signPayload)
// Build final summary.json with device signature and identity
const finalSummary = {
deviceSignature,
signingContext,
licence: config.licence,
fingerprint: config.fingerprint,
payload: summaryPayload,
timestamp: Date.now(),
}
const summaryBytes = Buffer.from(JSON.stringify(finalSummary), 'utf-8')
// Build manifest.json
const manifestFiles: Record<string, string> = {
'summary.json': sha256Hex(summaryBytes),
}
for (const item of fileHashEntries) {
if (item.name !== 'summary.json') {
manifestFiles[item.name] = item.hash
}
}
const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
// Pack signed ZIP
const signedZip = new JSZip()
signedZip.file('summary.json', summaryBytes)
for (const item of zipFiles) {
if (item.name !== 'summary.json') {
signedZip.file(item.name, item.bytes)
}
}
signedZip.file('META-INF/manifest.json', manifestBytes)
signedZip.file('META-INF/signature.asc', signatureAsc)
const signedZipBytes = await signedZip.generateAsync({
type: 'uint8array',
compression: 'DEFLATE',
compressionOptions: { level: 9 },
})
return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
type: 'application/zip',
})
})

11
apps/server/src/server/api/routers/fingerprint.router.ts Normal file
View File

@@ -0,0 +1,11 @@
import { getHardwareFingerprint } from '@/lib/fingerprint'
import { os } from '../server'
export const get = os.fingerprint.get.handler(async () => {
const result = await getHardwareFingerprint({
cacheTtlMs: 10 * 60 * 1000, // 10 分钟缓存
includePrimaryDisk: true, // 包含主硬盘序列号以提高稳定性
})
return result
})

8
apps/server/src/server/api/routers/index.ts
View File

@@ -1,8 +1,8 @@
import { os } from '../server'
import * as config from './config.router'
import * as crypto from './crypto.router'
import * as fingerprint from './fingerprint.router'
import * as license from './license.router'
export const router = os.router({
config,
crypto,
fingerprint,
license,
})

67
apps/server/src/server/api/routers/license.router.ts Normal file
View File

@@ -0,0 +1,67 @@
import { eq } from 'drizzle-orm'
import { ensureLicenseActivationInitialized } from '@/lib/license-init'
import { licenseActivationTable } from '@/server/db/schema'
import { dbProvider } from '../middlewares'
import { os } from '../server'
export const getActivation = os.license.getActivation
.use(dbProvider)
.handler(async ({ context }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
return {
fingerprint: record.fingerprint,
license: record.license,
licenseActivatedAt: record.licenseActivatedAt?.getTime() ?? null,
}
})
export const activate = os.license.activate
.use(dbProvider)
.handler(async ({ context, input }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
await context.db
.update(licenseActivationTable)
.set({
license: input.license,
licenseActivatedAt: new Date(),
})
.where(eq(licenseActivationTable.id, record.id))
return { success: true }
})
export const deactivate = os.license.deactivate
.use(dbProvider)
.handler(async ({ context }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
await context.db
.update(licenseActivationTable)
.set({
license: null,
licenseActivatedAt: null,
})
.where(eq(licenseActivationTable.id, record.id))
return { success: true }
})

6
apps/server/src/server/api/types.ts
View File

@@ -1,4 +1,8 @@
import type { ContractRouterClient, InferContractRouterInputs, InferContractRouterOutputs } from '@orpc/contract'
import type {
ContractRouterClient,
InferContractRouterInputs,
InferContractRouterOutputs,
} from '@orpc/contract'
import type { Contract } from './contracts'
export type RouterClient = ContractRouterClient<Contract>

18
apps/server/src/server/db/index.ts
View File

@@ -1,13 +1,17 @@
import { Database } from 'bun:sqlite'
import { drizzle } from 'drizzle-orm/bun-sqlite'
import { mkdirSync } from 'node:fs'
import { dirname } from 'node:path'
import Database from 'better-sqlite3'
import { drizzle } from 'drizzle-orm/better-sqlite3'
import { env } from '@/env'
import { relations } from '@/server/db/relations'
import * as schema from '@/server/db/schema'
export const createDB = () => {
const sqlite = new Database(env.DATABASE_PATH)
sqlite.exec('PRAGMA journal_mode = WAL')
sqlite.exec('PRAGMA foreign_keys = ON')
return drizzle({ client: sqlite, relations })
const dbPath = env.DATABASE_URL
if (dbPath !== ':memory:') {
mkdirSync(dirname(dbPath), { recursive: true })
}
const sqlite = new Database(dbPath)
return drizzle(sqlite, { schema })
}
export type DB = ReturnType<typeof createDB>

4
apps/server/src/server/db/relations.ts
View File

@@ -1,4 +0,0 @@
import { defineRelations } from 'drizzle-orm'
import * as schema from './schema'
export const relations = defineRelations(schema, () => ({}))

2
apps/server/src/server/db/schema/index.ts
View File

@@ -1 +1 @@
export * from './ux-config'
export * from './license-activation'

9
apps/server/src/server/db/schema/license-activation.ts Normal file
View File

@@ -0,0 +1,9 @@
import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from './utils/field'
export const licenseActivationTable = sqliteTable('license_activation', {
...generatedFields,
fingerprint: text('fingerprint').notNull().unique(),
license: text('license'),
licenseActivatedAt: integer('license_activated_at', { mode: 'timestamp_ms' }),
})

16
apps/server/src/server/db/fields.ts → apps/server/src/server/db/schema/utils/field.ts
View File

@@ -1,11 +1,16 @@
import { integer, text } from 'drizzle-orm/sqlite-core'
import { v7 as uuidv7 } from 'uuid'
export const pk = (name = 'id') =>
text(name)
// id
export const id = (name: string) => text(name)
export const pk = (name: string) =>
id(name)
.primaryKey()
.$defaultFn(() => uuidv7())
// timestamp
export const createdAt = (name = 'created_at') =>
integer(name, { mode: 'timestamp_ms' })
.notNull()
@@ -17,13 +22,18 @@ export const updatedAt = (name = 'updated_at') =>
.$defaultFn(() => new Date())
.$onUpdateFn(() => new Date())
// generated fields
export const generatedFields = {
id: pk('id'),
createdAt: createdAt('created_at'),
updatedAt: updatedAt('updated_at'),
}
const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
// Helper to create omit keys from generatedFields
const createGeneratedFieldKeys = <T extends Record<string, unknown>>(
fields: T,
): Record<keyof T, true> => {
return Object.keys(fields).reduce(
(acc, key) => {
acc[key as keyof T] = true

10
apps/server/src/server/db/schema/ux-config.ts
View File

@@ -1,10 +0,0 @@
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from '../fields'
export const uxConfigTable = sqliteTable('ux_config', {
...generatedFields,
singletonKey: text('singleton_key').notNull().unique().default('default'),
licence: text('licence'),
fingerprint: text('fingerprint').notNull(),
pgpPrivateKey: text('pgp_private_key'),
})

10
apps/server/src/server/device-fingerprint.ts
View File

@@ -1,10 +0,0 @@
import { sha256Hex } from '@furtherverse/crypto'
import { system } from 'systeminformation'
export const computeDeviceFingerprint = async (): Promise<string> => {
const { uuid, serial, model, manufacturer } = await system()
const source = [uuid, serial, model, manufacturer].join('|')
const hash = sha256Hex(source)
return hash
}

96
apps/server/src/server/safe-zip.ts
View File

@@ -1,96 +0,0 @@
import type { JSZipObject } from 'jszip'
import JSZip from 'jszip'
export class ZipValidationError extends Error {
override name = 'ZipValidationError'
}
export interface ZipFileItem {
name: string
bytes: Uint8Array
}
export interface SafeZipOptions {
maxRawBytes?: number
maxEntries?: number
maxSingleFileBytes?: number
maxTotalUncompressedBytes?: number
}
const DEFAULTS = {
maxRawBytes: 50 * 1024 * 1024,
maxEntries: 64,
maxSingleFileBytes: 20 * 1024 * 1024,
maxTotalUncompressedBytes: 60 * 1024 * 1024,
} satisfies Required<SafeZipOptions>
const normalizePath = (name: string): string => name.replaceAll('\\', '/')
const isUnsafePath = (name: string): boolean => {
const normalized = normalizePath(name)
const segments = normalized.split('/')
return (
normalized.startsWith('/') ||
normalized.includes('\0') ||
segments.some((segment) => segment === '..' || segment.trim().length === 0)
)
}
export const extractSafeZipFiles = async (
rawBytes: Uint8Array | Buffer,
options?: SafeZipOptions,
): Promise<ZipFileItem[]> => {
const opts = { ...DEFAULTS, ...options }
if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
throw new ZipValidationError('ZIP is empty or exceeds max size limit')
}
const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
throw new ZipValidationError('Not a valid ZIP file')
})
const entries = Object.values(zip.files) as JSZipObject[]
if (entries.length > opts.maxEntries) {
throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
}
let totalUncompressedBytes = 0
const files: ZipFileItem[] = []
const seen = new Set<string>()
for (const entry of entries) {
if (entry.dir) {
continue
}
if (isUnsafePath(entry.name)) {
throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
}
const normalizedName = normalizePath(entry.name)
if (seen.has(normalizedName)) {
throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
}
seen.add(normalizedName)
const content = await entry.async('uint8array')
if (content.byteLength > opts.maxSingleFileBytes) {
throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
}
totalUncompressedBytes += content.byteLength
if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
}
files.push({ name: normalizedName, bytes: content })
}
if (files.length === 0) {
throw new ZipValidationError('ZIP has no file entries')
}
return files
}

56
apps/server/src/server/ux-config.ts
View File

@@ -1,56 +0,0 @@
import { eq } from 'drizzle-orm'
import type { DB } from '@/server/db'
import { uxConfigTable } from '@/server/db/schema'
import { computeDeviceFingerprint } from './device-fingerprint'
const UX_CONFIG_KEY = 'default'
export const getUxConfig = async (db: DB) => {
return await db.query.uxConfigTable.findFirst({
where: { singletonKey: UX_CONFIG_KEY },
})
}
export const ensureUxConfig = async (db: DB) => {
const fingerprint = await computeDeviceFingerprint()
const existing = await getUxConfig(db)
if (existing) {
if (existing.fingerprint !== fingerprint) {
const rows = await db
.update(uxConfigTable)
.set({ fingerprint })
.where(eq(uxConfigTable.id, existing.id))
.returning()
return rows[0] as (typeof rows)[number]
}
return existing
}
const rows = await db
.insert(uxConfigTable)
.values({
singletonKey: UX_CONFIG_KEY,
fingerprint,
licence: null,
})
.returning()
return rows[0] as (typeof rows)[number]
}
export const setUxLicence = async (db: DB, licence: string) => {
const config = await ensureUxConfig(db)
const rows = await db.update(uxConfigTable).set({ licence }).where(eq(uxConfigTable.id, config.id)).returning()
return rows[0] as (typeof rows)[number]
}
export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
const config = await ensureUxConfig(db)
const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
return rows[0] as (typeof rows)[number]
}

37
apps/server/turbo.json
View File

@@ -2,46 +2,9 @@
"$schema": "../../node_modules/turbo/schema.json",
"extends": ["//"],
"tasks": {
"build": {
"env": ["NODE_ENV", "VITE_*"],
"inputs": ["src/**", "public/**", "package.json", "tsconfig.json", "vite.config.ts"],
"outputs": [".output/**"]
},
"compile": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:darwin": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:darwin:arm64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:darwin:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux:arm64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:windows": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:windows:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
}
}
}

13
apps/server/vite.config.ts
View File

@@ -10,21 +10,24 @@ export default defineConfig({
clearScreen: false,
plugins: [
tanstackDevtools(),
tailwindcss(),
nitro({
preset: 'bun',
serveStatic: 'inline',
}),
tsconfigPaths(),
tailwindcss(),
tanstackStart(),
react({
babel: {
plugins: ['babel-plugin-react-compiler'],
},
}),
nitro({
preset: 'bun',
serveStatic: 'inline',
}),
],
server: {
port: 3000,
strictPort: true,
watch: {
ignored: ['**/src-tauri/**'],
},
},
})

3
biome.json
View File

@@ -11,8 +11,7 @@
"formatter": {
"enabled": true,
"indentStyle": "space",
"lineEnding": "lf",
"lineWidth": 120
"lineEnding": "lf"
},
"linter": {
"enabled": true,

1402
bun.lock
View File

File diff suppressed because it is too large Load Diff

124
docs/工具箱端-授权对接指南/utils/AesGcmUtil.kt
View File

@@ -1,124 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.github.oshai.kotlinlogging.KotlinLogging
import java.nio.charset.StandardCharsets
import java.util.*
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
private val logger = KotlinLogging.logger {}
/**
* AES-256-GCM 加密解密工具类
*
* 安全设计说明:
* - 使用 AES-256-GCM 提供认证加密AEAD
* - GCM 模式自动提供认证标签tag防止数据被篡改
* - IV初始化向量长度为 12 字节96位符合 GCM 推荐
* - 认证标签长度为 16 字节128位提供强认证
* - 加密数据格式IV (12字节) + Ciphertext (变长) + Tag (16字节)
*
* 为什么第三方无法伪造:
* - 只有拥有正确 licence + fingerprint 的设备才能派生正确的 AES 密钥
* - GCM 模式会验证认证标签,任何篡改都会导致解密失败
* - 即使第三方获取了加密数据,也无法解密(缺少密钥)
*/
object AesGcmUtil {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val IV_LENGTH = 12 // 12 bytes = 96 bits (GCM 推荐)
private const val TAG_LENGTH = 16 // 16 bytes = 128 bits (GCM 认证标签长度)
private const val GCM_TAG_LENGTH_BITS = TAG_LENGTH * 8 // 128 bits
/**
* 解密 AES-256-GCM 加密的数据
*
* @param encryptedData Base64 编码的加密数据格式iv + ciphertext + tag
* @param key AES 密钥32字节
* @return 解密后的明文UTF-8 字符串)
* @throws RuntimeException 如果解密失败(密钥错误、数据被篡改等)
*/
fun decrypt(encryptedData: String, key: ByteArray): String {
return try {
// 1. Base64 解码
val encryptedBytes = Base64.getDecoder().decode(encryptedData)
// 2. 提取 IV、密文和认证标签
if (encryptedBytes.size < IV_LENGTH + TAG_LENGTH) {
throw IllegalArgumentException("加密数据长度不足,无法提取 IV 和 Tag")
}
val iv = encryptedBytes.copyOfRange(0, IV_LENGTH)
val tag = encryptedBytes.copyOfRange(encryptedBytes.size - TAG_LENGTH, encryptedBytes.size)
val ciphertext = encryptedBytes.copyOfRange(IV_LENGTH, encryptedBytes.size - TAG_LENGTH)
// 3. 创建 SecretKeySpec
val secretKey = SecretKeySpec(key, ALGORITHM)
// 4. 创建 GCMParameterSpec包含 IV 和认证标签长度)
val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
// 5. 初始化 Cipher 进行解密
val cipher = Cipher.getInstance(TRANSFORMATION)
cipher.init(Cipher.DECRYPT_MODE, secretKey, gcmSpec)
// 6. 执行解密GCM 模式会自动验证认证标签)
// 如果认证标签验证失败,会抛出异常
val decryptedBytes = cipher.doFinal(ciphertext + tag)
// 7. 转换为 UTF-8 字符串
String(decryptedBytes, StandardCharsets.UTF_8)
} catch (e: javax.crypto.AEADBadTagException) {
logger.error(e) { "AES-GCM 认证标签验证失败,数据可能被篡改或密钥错误" }
throw RuntimeException("解密失败:认证标签验证失败,数据可能被篡改或密钥错误", e)
} catch (e: Exception) {
logger.error(e) { "AES-GCM 解密失败" }
throw RuntimeException("解密失败: ${e.message}", e)
}
}
/**
* 加密数据(用于测试或客户端实现参考)
*
* @param plaintext 明文数据
* @param key AES 密钥32字节
* @return Base64 编码的加密数据格式iv + ciphertext + tag
*/
fun encrypt(plaintext: String, key: ByteArray): String {
return try {
// 1. 生成随机 IV
val iv = ByteArray(IV_LENGTH)
java.security.SecureRandom().nextBytes(iv)
// 2. 创建 SecretKeySpec
val secretKey = SecretKeySpec(key, ALGORITHM)
// 3. 创建 GCMParameterSpec
val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
// 4. 初始化 Cipher 进行加密
val cipher = Cipher.getInstance(TRANSFORMATION)
cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
// 5. 执行加密
val plaintextBytes = plaintext.toByteArray(StandardCharsets.UTF_8)
val encryptedBytes = cipher.doFinal(plaintextBytes)
// 6. 组装IV + Ciphertext + Tag
// GCM 模式会将认证标签附加到密文末尾
val ciphertext = encryptedBytes.copyOfRange(0, encryptedBytes.size - TAG_LENGTH)
val tag = encryptedBytes.copyOfRange(encryptedBytes.size - TAG_LENGTH, encryptedBytes.size)
val result = iv + ciphertext + tag
// 7. Base64 编码返回
Base64.getEncoder().encodeToString(result)
} catch (e: Exception) {
logger.error(e) { "AES-GCM 加密失败" }
throw RuntimeException("加密失败: ${e.message}", e)
}
}
}

42
docs/工具箱端-授权对接指南/utils/DateUtil.kt
View File

@@ -1,42 +0,0 @@
package top.tangyh.lamp.filing.utils
import java.text.SimpleDateFormat
import java.util.*
class DateUtil {
companion object {
// 获取当前时间戳
fun getCurrentTimestamp(): Long {
return System.currentTimeMillis()
}
// 格式化日期
fun formatDate(date: Date, format: String = "yyyy-MM-dd HH:mm:ss"): String {
val sdf = SimpleDateFormat(format)
return sdf.format(date)
}
// 解析日期字符串
fun parseDate(dateString: String, format: String = "yyyy-MM-dd HH:mm:ss"): Date? {
val sdf = SimpleDateFormat(format)
return try {
sdf.parse(dateString)
} catch (e: Exception) {
null
}
}
// 计算两个日期之间的天数差
fun getDaysBetweenDates(date1: Date, date2: Date): Long {
val diff = Math.abs(date1.time - date2.time)
return diff / (24 * 60 * 60 * 1000)
}
// 获取当前时间并格式化为 yyyy-MM-dd_HH-mm-ss
fun getCurrentFormattedTime(format: String = "yyyy-MM-dd_HH-mm-ss"): String {
val sdf = SimpleDateFormat(format)
return sdf.format(Date())
}
}
}

129
docs/工具箱端-授权对接指南/utils/DeviceSignatureUtil.kt
View File

@@ -1,129 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.github.oshai.kotlinlogging.KotlinLogging
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.util.*
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
private val logger = KotlinLogging.logger {}
/**
* 设备签名工具类
* 用于生成和验证设备报告签名
*
* 签名算法HMAC-SHA256
* 签名数据(严格顺序):
* sign_payload = taskId + inspectionId +
* SHA256(assets.json) +
* SHA256(vulnerabilities.json) +
* SHA256(weakPasswords.json) +
* SHA256(漏洞评估报告.html)
*
* 安全设计说明:
* - 使用 HMAC-SHA256 提供消息认证,防止伪造和篡改
* - 签名包含 taskId 和 inspectionId确保签名与特定任务绑定
* - 包含多个报告文件的 SHA256确保报告内容完整性
* - 只有拥有正确 licence + fingerprint 的设备才能生成有效签名
*/
object DeviceSignatureUtil {
private const val HMAC_ALGORITHM = "HmacSHA256"
/**
* 签名数据文件列表(严格顺序)
*/
data class SignatureFileHashes(
val assetsJsonSha256: String,
val vulnerabilitiesJsonSha256: String,
val weakPasswordsJsonSha256: String,
val reportHtmlSha256: String
)
/**
* 生成设备签名
*
* @param key 派生密钥32字节
* @param taskId 任务ID
* @param inspectionId 检查ID
* @param fileHashes 各个文件的 SHA256 哈希值hex字符串
* @return Base64 编码的签名
*/
fun generateSignature(
key: ByteArray,
taskId: String,
inspectionId: Long,
fileHashes: SignatureFileHashes
): String {
return try {
// 组装签名数据(严格顺序):
// taskId + inspectionId + SHA256(assets.json) + SHA256(vulnerabilities.json) +
// SHA256(weakPasswords.json) + SHA256(漏洞评估报告.html)
val signatureData = buildString {
append(taskId)
append(inspectionId)
append(fileHashes.assetsJsonSha256)
append(fileHashes.vulnerabilitiesJsonSha256)
append(fileHashes.weakPasswordsJsonSha256)
append(fileHashes.reportHtmlSha256)
}
val dataBytes = signatureData.toByteArray(StandardCharsets.UTF_8)
// 使用 HMAC-SHA256 计算签名
val mac = Mac.getInstance(HMAC_ALGORITHM)
val secretKey = SecretKeySpec(key, HMAC_ALGORITHM)
mac.init(secretKey)
val signatureBytes = mac.doFinal(dataBytes)
// Base64 编码返回
Base64.getEncoder().encodeToString(signatureBytes)
} catch (e: Exception) {
logger.error(e) { "生成设备签名失败: taskId=$taskId, inspectionId=$inspectionId" }
throw RuntimeException("生成设备签名失败: ${e.message}", e)
}
}
/**
* 验证设备签名
*
* @param key 派生密钥32字节
* @param taskId 任务ID
* @param inspectionId 检查ID
* @param fileHashes 各个文件的 SHA256 哈希值hex字符串
* @param expectedSignature Base64 编码的期望签名
* @return true 如果签名匹配false 否则
*/
fun verifySignature(
key: ByteArray,
taskId: String,
inspectionId: Long,
fileHashes: SignatureFileHashes,
expectedSignature: String
): Boolean {
return try {
val calculatedSignature = generateSignature(key, taskId, inspectionId, fileHashes)
// 使用时间安全的比较,防止时序攻击
MessageDigest.isEqual(
Base64.getDecoder().decode(expectedSignature),
Base64.getDecoder().decode(calculatedSignature)
)
} catch (e: Exception) {
logger.error(e) { "验证设备签名失败: taskId=$taskId, inspectionId=$inspectionId" }
false
}
}
/**
* 计算文件的 SHA256 哈希值hex字符串
*
* @param fileContent 文件内容
* @return SHA256 哈希值的 hex 字符串
*/
fun calculateSha256(fileContent: ByteArray): String {
val digest = MessageDigest.getInstance("SHA-256")
val hashBytes = digest.digest(fileContent)
return hashBytes.joinToString("") { "%02x".format(it) }
}
}

12
docs/工具箱端-授权对接指南/utils/DistributedIdUtil.kt
View File

@@ -1,12 +0,0 @@
package top.tangyh.lamp.filing.utils
object DistributedIdUtil {
fun generateId(platformId: Long, localId: Long): Long {
require(platformId in 0..0xFFFF) { "platformId must be 0-65535" }
val safeLocalId = localId and 0xFFFFFFFFFFFF
return (platformId shl 48) or safeLocalId
}
fun parsePlatform(id: Long): Long = id ushr 48
fun parseLocal(id: Long): Long = id and 0xFFFFFFFFFFFF
}

18
docs/工具箱端-授权对接指南/utils/HashUtil.kt
View File

@@ -1,18 +0,0 @@
package top.tangyh.lamp.filing.utils
import java.io.InputStream
import java.security.MessageDigest
object HashUtil {
fun calculateFileHash(inputStream: InputStream): String {
val digest = MessageDigest.getInstance("SHA-256")
val buffer = ByteArray(8192)
var bytesRead: Int
while (inputStream.read(buffer).also { bytesRead = it } != -1) {
digest.update(buffer, 0, bytesRead)
}
return digest.digest().joinToString("") { "%02x".format(it) }
}
}

66
docs/工具箱端-授权对接指南/utils/HkdfUtil.kt
View File

@@ -1,66 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.github.oshai.kotlinlogging.KotlinLogging
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.nio.charset.StandardCharsets
private val logger = KotlinLogging.logger {}
/**
* HKDF (HMAC-based Key Derivation Function) 工具类
* 用于从 licence + fingerprint 派生设备签名密钥
*
* 安全设计说明:
* - 使用 HKDF 而非直接哈希,提供更好的密钥分离和扩展性
* - Salt 固定为 "AUTH_V3_SALT",确保同一输入产生相同密钥
* - Info 参数用于区分不同用途的密钥派生device_report_signature
* - 输出长度 32 字节256位适用于 HMAC-SHA256
*/
object HkdfUtil {
private const val SALT = "AUTH_V3_SALT"
private const val INFO = "device_report_signature"
private const val KEY_LENGTH = 32 // 32 bytes = 256 bits
/**
* 使用 HKDF 派生密钥(使用默认 salt 和 info
*
* @param input 输入密钥材料licence + fingerprint
* @return 派生出的密钥32字节
*/
fun deriveKey(input: String): ByteArray {
return deriveKey(input, SALT, INFO)
}
/**
* 使用 HKDF 派生密钥(支持自定义 salt 和 info
*
* @param input 输入密钥材料licence + fingerprint
* @param salt Salt 值(用于密钥派生)
* @param info Info 值(用于区分不同用途的密钥)
* @param keyLength 输出密钥长度默认32字节
* @return 派生出的密钥
*/
fun deriveKey(input: String, salt: String, info: String, keyLength: Int = KEY_LENGTH): ByteArray {
return try {
val inputBytes = input.toByteArray(StandardCharsets.UTF_8)
val saltBytes = salt.toByteArray(StandardCharsets.UTF_8)
val infoBytes = info.toByteArray(StandardCharsets.UTF_8)
val hkdf = HKDFBytesGenerator(SHA256Digest())
val params = HKDFParameters(inputBytes, saltBytes, infoBytes)
hkdf.init(params)
val derivedKey = ByteArray(keyLength)
hkdf.generateBytes(derivedKey, 0, keyLength)
derivedKey
} catch (e: Exception) {
logger.error(e) { "HKDF 密钥派生失败: input=$input, salt=$salt, info=$info" }
throw RuntimeException("HKDF 密钥派生失败: ${e.message}", e)
}
}
}

50
docs/工具箱端-授权对接指南/utils/JwtUtil.kt
View File

@@ -1,50 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.jsonwebtoken.Jwts
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.security.Keys
import org.springframework.beans.factory.annotation.Value
import org.springframework.stereotype.Component
import java.time.LocalDateTime
import java.time.ZoneId
import java.util.*
import javax.crypto.SecretKey
@Component
class JwtUtil(
@Value("\${jwt.secret}")
private val secretKey: String
) {
// 生成签名 KeyHS256
private val signingKey: SecretKey = Keys.hmacShaKeyFor(Base64.getDecoder().decode(secretKey))
/**
* 生成 Token
* */
fun generateToken(subject: String, claims: Map<String, Any> = emptyMap(), expireDays: Long = 7): String {
val now = LocalDateTime.now()
val expiration = now.plusDays(expireDays)
return Jwts.builder()
.setSubject(subject)
.setClaims(claims)
.setIssuedAt(Date.from(now.atZone(ZoneId.systemDefault()).toInstant()))
.setExpiration(Date.from(expiration.atZone(ZoneId.systemDefault()).toInstant()))
.signWith(signingKey, SignatureAlgorithm.HS256)
.compact()
}
/**
* 解析 Token 获取 Claims
*/
fun parseToken(token: String): Map<String, Any> {
return Jwts.parserBuilder()
.setSigningKey(signingKey)
.build()
.parseClaimsJws(token)
.body
}
}

22
docs/工具箱端-授权对接指南/utils/RegionUtil.kt
View File

@@ -1,22 +0,0 @@
package top.tangyh.lamp.filing.utils
import kotlin.text.substring
object RegionUtil {
fun getLevel(code: String?): String {
if (code == null || code.length != 6) {
return "无效编码"
}
val province = code.substring(0, 2)
val city = code.substring(2, 4)
val county = code.substring(4, 6)
return when {
city == "00" && county == "00" -> "province"
city != "00" && county == "00" -> "city"
county != "00" -> "county"
else -> "未知级别"
}
}
}

115
docs/工具箱端-授权对接指南/utils/RsaOaepDecryptionUtil.kt
View File

@@ -1,115 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.github.oshai.kotlinlogging.KotlinLogging
import org.springframework.beans.factory.annotation.Value
import org.springframework.stereotype.Component
import java.nio.charset.StandardCharsets
import java.security.KeyFactory
import java.security.PublicKey
import java.security.spec.PKCS8EncodedKeySpec
import java.security.spec.X509EncodedKeySpec
import java.util.*
import javax.crypto.Cipher
private val logger = KotlinLogging.logger {}
/**
* RSA-OAEP 解密工具类
* 用于设备身份首次绑定时解密设备信息
*
* 使用场景:设备使用平台的公钥加密数据,平台使用私钥解密
*/
@Component
class RsaOaepDecryptionUtil(
@Value("\${device.encrypt.privateKey:}")
private val privateKeyBase64: String
) {
private val keyFactory = KeyFactory.getInstance("RSA")
private val cipherAlgorithm = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
// 缓存私钥,避免每次解密都重新加载
private val privateKey by lazy {
if (privateKeyBase64.isBlank()) {
throw IllegalStateException("RSA私钥未配置无法解密设备信息")
}
val privateKeyBytes = Base64.getDecoder().decode(privateKeyBase64)
val keySpec = PKCS8EncodedKeySpec(privateKeyBytes)
keyFactory.generatePrivate(keySpec)
}
init {
if (privateKeyBase64.isBlank()) {
logger.warn { "RSA私钥未配置设备授权解密功能可能无法使用" }
}
}
/**
* 使用RSA-OAEP解密设备信息
* @param encryptedData Base64编码的加密数据
* @return 解密后的JSON字符串
*/
fun decrypt(encryptedData: String): String {
if (privateKeyBase64.isBlank()) {
throw IllegalStateException("RSA私钥未配置无法解密设备信息")
}
return try {
// 创建新的Cipher实例Cipher不是线程安全的
val cipher = Cipher.getInstance(cipherAlgorithm)
// 初始化解密器
cipher.init(Cipher.DECRYPT_MODE, privateKey)
// Base64解码加密数据
val encryptedBytes = Base64.getDecoder().decode(encryptedData)
// 解密数据
val decryptedBytes = cipher.doFinal(encryptedBytes)
// 返回解密后的字符串
String(decryptedBytes, StandardCharsets.UTF_8)
} catch (e: Exception) {
logger.error(e) { "RSA-OAEP解密设备信息失败" }
throw RuntimeException("RSA-OAEP解密设备信息失败: ${e.message}", e)
}
}
/**
* 使用平台公钥加密数据
*
* @param plainText 原始JSON字符串设备信息
* @param publicKeyBase64 平台公钥Base64
* @return Base64编码的密文
*/
fun encrypt1(
plainText: String,
publicKeyBase64: String
): String {
try {
val publicKey = loadPublicKey(publicKeyBase64)
val cipher = Cipher.getInstance(cipherAlgorithm)
cipher.init(Cipher.ENCRYPT_MODE, publicKey)
val encryptedBytes = cipher.doFinal(
plainText.toByteArray(StandardCharsets.UTF_8)
)
return Base64.getEncoder().encodeToString(encryptedBytes)
} catch (e: Exception) {
logger.error(e) { "RSA-OAEP 加密失败" }
throw RuntimeException("RSA-OAEP 加密失败: ${e.message}", e)
}
}
private fun loadPublicKey(base64Key: String): PublicKey {
val keyBytes = Base64.getDecoder().decode(base64Key)
val keySpec = X509EncodedKeySpec(keyBytes)
return keyFactory.generatePublic(keySpec)
}
}

103
docs/工具箱端-授权对接指南/utils/RsaOaepDecryptionUtilV2.kt
View File

@@ -1,103 +0,0 @@
package top.tangyh.lamp.filing.utils
import java.nio.charset.StandardCharsets
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.spec.PKCS8EncodedKeySpec
import java.security.spec.X509EncodedKeySpec
import java.util.*
import javax.crypto.Cipher
object RsaOaepCryptoUtil {
private const val cipherAlgorithm =
"RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
private val keyFactory = KeyFactory.getInstance("RSA")
fun encrypt(
plainText: String,
publicKeyBase64: String
): String {
val publicKey = loadPublicKey(publicKeyBase64)
val cipher = Cipher.getInstance(cipherAlgorithm)
cipher.init(Cipher.ENCRYPT_MODE, publicKey)
val encryptedBytes = cipher.doFinal(
plainText.toByteArray(StandardCharsets.UTF_8)
)
return Base64.getEncoder().encodeToString(encryptedBytes)
}
fun decrypt(
encryptedData: String,
privateKeyBase64: String
): String {
val privateKeyBytes = Base64.getDecoder().decode(privateKeyBase64)
val keySpec = PKCS8EncodedKeySpec(privateKeyBytes)
val privateKey = keyFactory.generatePrivate(keySpec)
val cipher = Cipher.getInstance(cipherAlgorithm)
cipher.init(Cipher.DECRYPT_MODE, privateKey)
val decryptedBytes = cipher.doFinal(
Base64.getDecoder().decode(encryptedData)
)
return String(decryptedBytes, StandardCharsets.UTF_8)
}
private fun loadPublicKey(base64Key: String): PublicKey {
val keyBytes = Base64.getDecoder().decode(base64Key)
val keySpec = X509EncodedKeySpec(keyBytes)
return keyFactory.generatePublic(keySpec)
}
}
object Test {
@JvmStatic
fun main(args: Array<String>) {
val keyPairGenerator = KeyPairGenerator.getInstance("RSA")
keyPairGenerator.initialize(2048)
val keyPair = keyPairGenerator.generateKeyPair()
// val publicKey = Base64.getEncoder().encodeToString(keyPair.public.encoded)
// val privateKey = Base64.getEncoder().encodeToString(keyPair.private.encoded)
val publicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB"
val privateKey = "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDMOVm8wNVov5+OXTkeLXzYk4BQBo3iCH2s4X7U2Ep87gnp7QcvLyUG7KWncDjGhOLJR6M2bbaHR2oCANI+dj/FlHvo84VMPWygevYtoUI3wkBtD3o/yATvAL2qmhOyxW8hVEftBtV3brQnp4PRLPBzH1yDn3VFI3r2kyl7khVGLxP30eGqXr/Cdkc5E+vXx4RIs5j3eNGyQvNzSrXyvrxFGhMmJB/71gLy5vmIqnusKNWc+LVRshiZeYvTy2TmaSxgDQ2pZABrWh8rHH/21C0H25OOFPG5O73hdT2OUZTzupodmz6SmprwIBthgkVtI/XEfChnOlTaOnDZoXbYcFjHAgMBAAECggEBAKUDagjj3wwmWWwU00QZCRmOBU2kHhyXM8Tu5yZgJb/QLt5/ESEE/OwdZrRmLtnpIb31TmF6QNQJ1hQMSdUCgwDIu1489mXl89GvyR6RgAnBwYDd0q+alLHxbU9d87CtauAJU5ynuvAn2RV5ez8XCqpamswXmg/lXUPDIO+h1+K+UJPwYFhzHL3WpZQXHofcSUCRn0JONbz7c9OwVFYe0v1g18wwAvIAsEEimcnXFZaIJ/md2md0Jk4+LOFUsbgCM5skNTooXarDiHGCRFMJXxvYpavC6hhhcWfh3K2ydHMhFdF70ZOs169ShDtYq4i/hkaZ+p7kFVo8Z6oxVUpC8IECgYEA+OQxfc2iGMD9uus/r1yjUx0kdhYKik202tE53C4ikAn490+Lb8qcY/kykFj721MHBc73ijq/ZNU21JxyMx4T1jbdvl+5Kv9EUFAQmsJuTSudC1Dud3MlUgYEtVUhau2WOexUIRyCda6V4NUYkJG4vLRyMloPprF3xThmJRgG9qcCgYEA0g6QrU1e/DjADSpymRfqoOX4ASp7G++CRHTB2NZvA6ZxnWoEX59TO3mW4z4fgJkIwevkPUA9nfO2bRQWph+aom5qAczsPmZ2OpR9cjel63AIV1AboUV2Gr/H4IfHs7qGX7JWmW1SnZyvvGuI5MdBHEcysJO+L5V1OVyFRzvj8OECgYAO21A4+jVa1OpQZgp/JUB6jZrHkbk/WDQbe7HAeuCFSJMb8BuaqLV9IjrqcuVVyjb5Gcmc7rTOCAwl1NDcTEdS2iOSYZRkBKjHQoA7PK/o21mce1BAwRbRNprBWDuObnAxNPIwp8sBy1IXAaFdv9UPLpZCey3D/YPwudUfEbgYsQKBgQCZax3sFYh8ew56Dzin7Dnnzk72uwozexkP2p8COovWhKiSqi4LkRh/Zez4iBUGHb+xsxJ+Uf8u8CObQ4LPTmHopPAz5HHfmYJcgrukwlQiwy60ZsPnZA5AtzXLHiCTenZOSrjJUnl2uEv6OChBv+4kMzQol5/erTBy9so5Htr6wQKBgQC3apeFD/x+0FjABleVITzGyAWj/Kxl/OOiL4dQAYW49wVD/j0ujG3CvbK0GHZFwy/Ju+pWlHISbiZiKYko/4GBtp+JwxG9fFmbHdl4BZSTwfQMYdNq8hN+0hBfWwcceIhbEZcFLIvG/ZhkcT3yh874XRn1A5V/AR8W9YFH1EWYwQ=="
// val plainText = "{\n" +
// " \"taskId\": 723047797139586052,\n" +
// " \"licence\": \"LIC-8F2A-XXXX\",\n" +
// " \"fingerprint\": \"FP-2c91e9f3\",\n" +
// " \"enterpriseId\": \"1173040813421105152\",\n" +
// " \"inspectionId\": \"702286470691215417\",\n" +
// " \"summary\": \"1\"\n" +
// "}"
val plainText = "{\n" +
" \"licence\": \"lic-1234567890\",\n" +
" \"fingerprint\": \"e19c60d21c544c1118e3b633eae1bb935e2762ebddbc671b60b8b61c65c05d1c\"\n" +
"}"
val encryptedText =
RsaOaepCryptoUtil.encrypt(plainText, publicKey)
val decryptedText =
RsaOaepCryptoUtil.decrypt(encryptedText, privateKey)
println("Plain Text: $plainText")
println("Public Key: $publicKey")
println("Private Key: $privateKey")
println("Encrypted: $encryptedText")
println("Decrypted: $decryptedText")
}
}

120
docs/工具箱端-授权对接指南/utils/TaskEncryptionUtil.kt
View File

@@ -1,120 +0,0 @@
package top.tangyh.lamp.filing.utils
import io.github.oshai.kotlinlogging.KotlinLogging
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.*
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
private val logger = KotlinLogging.logger {}
/**
* 任务加密工具类
* 使用 licence + fingerprint 作为密钥对任务数据进行 AES-256-GCM 对称加密
*
* GCM 模式提供认证加密,比 ECB 模式更安全
* 加密数据格式IV(12字节) + 加密数据 + 认证标签(16字节)
*/
object TaskEncryptionUtil {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_IV_LENGTH = 12 // GCM 推荐使用 12 字节 IV
private const val GCM_TAG_LENGTH = 16 // GCM 认证标签长度128位
private const val KEY_LENGTH = 32 // AES-256 密钥长度256位 = 32字节
private val secureRandom = SecureRandom()
/**
* 使用 licence + fingerprint 加密任务数据AES-256-GCM
* @param data 待加密的数据JSON字符串
* @param licence 授权码
* @param fingerprint 硬件指纹
* @return Base64编码的加密数据包含IV + 加密数据 + 认证标签)
*/
fun encrypt(data: String, licence: String, fingerprint: String): String {
return try {
// 使用 licence + fingerprint 生成密钥
val key = generateKey(licence, fingerprint)
// 生成随机 IV12字节
val iv = ByteArray(GCM_IV_LENGTH)
secureRandom.nextBytes(iv)
// 创建加密器
val cipher = Cipher.getInstance(TRANSFORMATION)
val parameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, iv) // 标签长度以位为单位
cipher.init(Cipher.ENCRYPT_MODE, key, parameterSpec)
// 加密数据
val encryptedBytes = cipher.doFinal(data.toByteArray(StandardCharsets.UTF_8))
// 组合IV + 加密数据(包含认证标签)
val combined = ByteArray(iv.size + encryptedBytes.size)
System.arraycopy(iv, 0, combined, 0, iv.size)
System.arraycopy(encryptedBytes, 0, combined, iv.size, encryptedBytes.size)
// 返回 Base64 编码的加密数据
Base64.getEncoder().encodeToString(combined)
} catch (e: Exception) {
logger.error(e) { "AES-256-GCM加密任务数据失败" }
throw RuntimeException("加密任务数据失败: ${e.message}", e)
}
}
/**
* 使用 licence + fingerprint 解密任务数据AES-256-GCM
* @param encryptedData Base64编码的加密数据包含IV + 加密数据 + 认证标签)
* @param licence 授权码
* @param fingerprint 硬件指纹
* @return 解密后的数据JSON字符串
*/
fun decrypt(encryptedData: String, licence: String, fingerprint: String): String {
return try {
// 使用 licence + fingerprint 生成密钥
val key = generateKey(licence, fingerprint)
// Base64 解码
val combined = Base64.getDecoder().decode(encryptedData)
// 分离 IV 和加密数据
if (combined.size < GCM_IV_LENGTH) {
throw IllegalArgumentException("加密数据格式错误:数据长度不足")
}
val iv = combined.sliceArray(0 until GCM_IV_LENGTH)
val cipherText = combined.sliceArray(GCM_IV_LENGTH until combined.size)
// 创建解密器
val cipher = Cipher.getInstance(TRANSFORMATION)
val parameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, iv)
cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
// 解密数据GCM 会自动验证认证标签)
val decryptedBytes = cipher.doFinal(cipherText)
// 返回解密后的字符串
String(decryptedBytes, StandardCharsets.UTF_8)
} catch (e: Exception) {
logger.error(e) { "AES-256-GCM解密任务数据失败" }
throw RuntimeException("解密任务数据失败: ${e.message}", e)
}
}
/**
* 使用 licence + fingerprint 生成 AES-256 密钥256位 = 32字节
* 使用 SHA-256 哈希的全部32字节作为密钥
*/
private fun generateKey(licence: String, fingerprint: String): SecretKeySpec {
val combined = "$licence$fingerprint"
val digest = MessageDigest.getInstance("SHA-256")
val hash = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
// 使用全部32字节作为 AES-256 密钥
return SecretKeySpec(hash, ALGORITHM)
}
}

134
docs/工具箱端-授权对接指南/utils/ZipVerifierUtil.kt
View File

@@ -1,134 +0,0 @@
package top.tangyh.lamp.filing.utils
import com.fasterxml.jackson.databind.ObjectMapper
import io.github.oshai.kotlinlogging.KotlinLogging
import org.bouncycastle.openpgp.*
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider
import java.io.ByteArrayInputStream
import java.io.InputStream
import java.security.MessageDigest
import java.security.Security
import java.util.zip.ZipFile
object ZipVerifierUtil {
private val logger = KotlinLogging.logger {}
// @JvmStatic
// fun main(args: Array<String>) {
// verifyZip("signed.zip", "public.key")
// }
/**
* 验证 ZIP 文件
*/
@Throws(Exception::class)
fun verifyZip(zipPath: String, pubkeyContent: String):Boolean {
println(Security.getProviders().joinToString { it.name })
val publicKey = readPublicKey(
ByteArrayInputStream(pubkeyContent.toByteArray())
)
val zip = ZipFile(zipPath)
// 1. 读取 manifest.json
val manifestEntry = zip.getEntry("META-INF/manifest.json")
?: throw RuntimeException("manifest.json is missing!")
val manifestJson = zip.getInputStream(manifestEntry).readAllBytes().toString(Charsets.UTF_8)
// 2. 读取 signature.asc
val sigEntry = zip.getEntry("META-INF/signature.asc")
?: throw RuntimeException("signature.asc is missing!")
val signature = zip.getInputStream(sigEntry).readAllBytes()
// 3. 使用 OpenPGP 验证签名
val ok = verifyDetachedSignature(publicKey, manifestJson.toByteArray(), signature)
if (!ok) throw RuntimeException("PGP signature invalid!")
// 4. 校验 manifest 里每个文件的 SHA-256
val mapper = ObjectMapper()
val manifest = mapper.readValue(manifestJson, Map::class.java)
val files = manifest["files"] as? Map<String, String>
?: throw RuntimeException("Invalid manifest.json: missing 'files'")
for ((name, expectedHash) in files) {
val entry = zip.getEntry(name)
?: throw RuntimeException("文件不存在: $name")
val data = zip.getInputStream(entry).readAllBytes()
val hash = sha256Hex(data)
if (!hash.equals(expectedHash, ignoreCase = true)) {
throw RuntimeException("Hash mismatch: $name")
}
}
return true
}
@Throws(Exception::class)
private fun sha256Hex(data: ByteArray): String {
val md = MessageDigest.getInstance("SHA-256")
return bytesToHex(md.digest(data))
}
private fun bytesToHex(bytes: ByteArray): String {
return bytes.joinToString("") { "%02x".format(it) }
}
@Throws(Exception::class)
private fun readPublicKey(keyIn: InputStream): PGPPublicKey {
val keyRings = PGPPublicKeyRingCollection(
PGPUtil.getDecoderStream(keyIn),
JcaKeyFingerprintCalculator()
)
for (keyRing in keyRings) {
for (key in keyRing) {
if (key.isEncryptionKey || key.isMasterKey) {
return key
}
}
}
throw IllegalArgumentException("Can't find public key")
}
@Throws(Exception::class)
private fun verifyDetachedSignature(
key: PGPPublicKey,
data: ByteArray,
sigBytes: ByteArray
): Boolean {
val decoder = PGPUtil.getDecoderStream(ByteArrayInputStream(sigBytes))
val factory = PGPObjectFactory(decoder, JcaKeyFingerprintCalculator())
val message = factory.nextObject()
?: throw IllegalArgumentException("Invalid signature file")
val sigList = when (message) {
is PGPSignatureList -> message
is PGPCompressedData -> {
val compressedFactory = PGPObjectFactory(
message.dataStream,
JcaKeyFingerprintCalculator()
)
val compressedObj = compressedFactory.nextObject()
compressedObj as? PGPSignatureList
?: throw IllegalArgumentException("Invalid PGP signature (not signature list)")
}
else ->
throw IllegalArgumentException("Unsupported PGP signature format: ${message::class.java}")
}
val sig = sigList[0]
sig.init(JcaPGPContentVerifierBuilderProvider().setProvider("BC"), key)
sig.update(data)
return sig.verify()
}
}

644
docs/工具箱端-授权对接指南/工具箱端-任务二维码解密指南.md
View File

@@ -1,644 +0,0 @@
# 工具箱端 - 任务二维码解密指南
## 概述
本文档说明工具箱端如何解密任务二维码数据。App 创建任务后,平台会生成加密的任务数据并返回给 AppApp 将其生成二维码。工具箱扫描二维码后,需要使用自己的 `licence``fingerprint` 解密任务数据。
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱扫描二维码后将密文提交给 UX 的 `crypto.decryptTask`。
> UX 从本地配置读取 licence/fingerprint 执行底层解密并返回明文字符串。
## 一、业务流程
```
App创建任务 → 平台加密任务数据 → 返回加密数据 → App生成二维码
工具箱扫描二维码 → 提取加密数据 → AES-256-GCM解密 → 获取任务信息
```
## 二、任务数据结构
### 2.1 任务数据 JSON 格式
解密后的任务数据为 JSON 格式,包含以下字段:
```json
{
"taskId": "TASK-20260115-4875",
"enterpriseId": "1173040813421105152",
"orgName": "超艺科技有限公司",
"inspectionId": "702286470691215417",
"inspectionPerson": "警务通",
"issuedAt": 1734571234567
}
```
### 2.2 字段说明
| 字段名 | 类型 | 说明 | 示例 |
|--------|------|------|------|
| `taskId` | String | 任务唯一ID格式TASK-YYYYMMDD-XXXX | `"TASK-20260115-4875"` |
| `enterpriseId` | String | 企业ID | `"1173040813421105152"` |
| `orgName` | String | 单位名称 | `"超艺科技有限公司"` |
| `inspectionId` | String | 检查ID | `"702286470691215417"` |
| `inspectionPerson` | String | 检查人 | `"警务通"` |
| `issuedAt` | Number | 任务发布时间戳(毫秒) | `1734571234567` |
## 三、加密算法说明
### 3.1 加密方式
- **算法**AES-256-GCMGalois/Counter Mode
- **密钥长度**256 位32 字节)
- **IV 长度**12 字节96 位)
- **认证标签长度**16 字节128 位)
### 3.2 密钥生成
密钥由工具箱的 `licence``fingerprint` 生成:
```
密钥 = SHA-256(licence + fingerprint)
```
**重要说明**
- `licence``fingerprint` 直接字符串拼接(无分隔符)
- 使用 SHA-256 哈希算法的全部 32 字节作为 AES-256 密钥
- 工具箱必须使用与平台绑定时相同的 `licence``fingerprint`
### 3.3 加密数据格式
加密后的数据格式Base64 编码前):
```
[IV(12字节)] + [加密数据] + [认证标签(16字节)]
```
**数据布局**
```
+------------------+------------------+------------------+
| IV (12字节) | 加密数据 | 认证标签(16字节)|
+------------------+------------------+------------------+
```
## 四、解密步骤
### 4.1 解密流程
1. **扫描二维码**:获取 Base64 编码的加密数据
2. **Base64 解码**:将 Base64 字符串解码为字节数组
3. **分离数据**:从字节数组中分离 IV、加密数据和认证标签
4. **生成密钥**:使用 `licence + fingerprint` 生成 AES-256 密钥
5. **解密数据**:使用 AES-256-GCM 解密(自动验证认证标签)
6. **解析 JSON**:将解密后的字符串解析为 JSON 对象
### 4.2 Python 实现示例
```python
import base64
import json
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.backends import default_backend
def decrypt_task_data(
encrypted_data_base64: str,
licence: str,
fingerprint: str
) -> dict:
"""
解密任务二维码数据
Args:
encrypted_data_base64: Base64编码的加密数据
licence: 设备授权码
fingerprint: 设备硬件指纹
Returns:
解密后的任务数据(字典)
"""
# 1. Base64 解码
encrypted_bytes = base64.b64decode(encrypted_data_base64)
# 2. 分离 IV 和加密数据(包含认证标签)
if len(encrypted_bytes) < 12:
raise ValueError("加密数据格式错误:数据长度不足")
iv = encrypted_bytes[:12] # IV: 前12字节
ciphertext_with_tag = encrypted_bytes[12:] # 加密数据 + 认证标签
# 3. 生成密钥SHA-256(licence + fingerprint)
combined = licence + fingerprint
key = hashlib.sha256(combined.encode('utf-8')).digest()
# 4. 使用 AES-256-GCM 解密
aesgcm = AESGCM(key)
decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
# 5. 解析 JSON
decrypted_json = decrypted_bytes.decode('utf-8')
task_data = json.loads(decrypted_json)
return task_data
# 使用示例
if __name__ == "__main__":
# 从二维码扫描获取的加密数据
encrypted_data = "Base64编码的加密数据..."
# 工具箱的授权信息(必须与平台绑定时一致)
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 解密任务数据
task_data = decrypt_task_data(encrypted_data, licence, fingerprint)
print("任务ID:", task_data["taskId"])
print("企业ID:", task_data["enterpriseId"])
print("单位名称:", task_data["orgName"])
print("检查ID:", task_data["inspectionId"])
print("检查人:", task_data["inspectionPerson"])
print("发布时间:", task_data["issuedAt"])
```
### 4.3 Java/Kotlin 实现示例
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
object TaskDecryptionUtil {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_IV_LENGTH = 12 // GCM 推荐使用 12 字节 IV
private const val GCM_TAG_LENGTH = 16 // GCM 认证标签长度128位
private const val KEY_LENGTH = 32 // AES-256 密钥长度256位 = 32字节
private val objectMapper = ObjectMapper()
/**
* 解密任务二维码数据
*
* @param encryptedDataBase64 Base64编码的加密数据
* @param licence 设备授权码
* @param fingerprint 设备硬件指纹
* @return 解密后的任务数据Map
*/
fun decryptTaskData(
encryptedDataBase64: String,
licence: String,
fingerprint: String
): Map<String, Any> {
// 1. Base64 解码
val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.size < GCM_IV_LENGTH) {
throw IllegalArgumentException("加密数据格式错误:数据长度不足")
}
val iv = encryptedBytes.sliceArray(0 until GCM_IV_LENGTH)
val ciphertextWithTag = encryptedBytes.sliceArray(GCM_IV_LENGTH until encryptedBytes.size)
// 3. 生成密钥SHA-256(licence + fingerprint)
val combined = "$licence$fingerprint"
val digest = MessageDigest.getInstance("SHA-256")
val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
val key = SecretKeySpec(keyBytes, ALGORITHM)
// 4. 使用 AES-256-GCM 解密
val cipher = Cipher.getInstance(TRANSFORMATION)
val parameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, iv) // 标签长度以位为单位
cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
// 解密数据GCM 会自动验证认证标签)
val decryptedBytes = cipher.doFinal(ciphertextWithTag)
// 5. 解析 JSON
val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
@Suppress("UNCHECKED_CAST")
return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
}
}
// 使用示例
fun main() {
// 从二维码扫描获取的加密数据
val encryptedData = "Base64编码的加密数据..."
// 工具箱的授权信息(必须与平台绑定时一致)
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 解密任务数据
val taskData = TaskDecryptionUtil.decryptTaskData(encryptedData, licence, fingerprint)
println("任务ID: ${taskData["taskId"]}")
println("企业ID: ${taskData["enterpriseId"]}")
println("单位名称: ${taskData["orgName"]}")
println("检查ID: ${taskData["inspectionId"]}")
println("检查人: ${taskData["inspectionPerson"]}")
println("发布时间: ${taskData["issuedAt"]}")
}
```
### 4.4 C# 实现示例
```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
public class TaskDecryptionUtil
{
private const int GcmIvLength = 12; // GCM 推荐使用 12 字节 IV
private const int GcmTagLength = 16; // GCM 认证标签长度128位
/// <summary>
/// 解密任务二维码数据
/// </summary>
public static Dictionary<string, object> DecryptTaskData(
string encryptedDataBase64,
string licence,
string fingerprint
)
{
// 1. Base64 解码
byte[] encryptedBytes = Convert.FromBase64String(encryptedDataBase64);
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.Length < GcmIvLength)
{
throw new ArgumentException("加密数据格式错误:数据长度不足");
}
byte[] iv = new byte[GcmIvLength];
Array.Copy(encryptedBytes, 0, iv, 0, GcmIvLength);
byte[] ciphertextWithTag = new byte[encryptedBytes.Length - GcmIvLength];
Array.Copy(encryptedBytes, GcmIvLength, ciphertextWithTag, 0, ciphertextWithTag.Length);
// 3. 生成密钥SHA-256(licence + fingerprint)
string combined = licence + fingerprint;
byte[] keyBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(combined));
// 4. 使用 AES-256-GCM 解密
using (AesGcm aesGcm = new AesGcm(keyBytes))
{
byte[] decryptedBytes = new byte[ciphertextWithTag.Length - GcmTagLength];
byte[] tag = new byte[GcmTagLength];
Array.Copy(ciphertextWithTag, ciphertextWithTag.Length - GcmTagLength, tag, 0, GcmTagLength);
Array.Copy(ciphertextWithTag, 0, decryptedBytes, 0, decryptedBytes.Length);
aesGcm.Decrypt(iv, decryptedBytes, tag, null, decryptedBytes);
// 5. 解析 JSON
string decryptedJson = Encoding.UTF8.GetString(decryptedBytes);
return JsonSerializer.Deserialize<Dictionary<string, object>>(decryptedJson);
}
}
}
// 使用示例
class Program
{
static void Main()
{
// 从二维码扫描获取的加密数据
string encryptedData = "Base64编码的加密数据...";
// 工具箱的授权信息(必须与平台绑定时一致)
string licence = "LIC-8F2A-XXXX";
string fingerprint = "FP-2c91e9f3";
// 解密任务数据
var taskData = TaskDecryptionUtil.DecryptTaskData(encryptedData, licence, fingerprint);
Console.WriteLine($"任务ID: {taskData["taskId"]}");
Console.WriteLine($"企业ID: {taskData["enterpriseId"]}");
Console.WriteLine($"单位名称: {taskData["orgName"]}");
Console.WriteLine($"检查ID: {taskData["inspectionId"]}");
Console.WriteLine($"检查人: {taskData["inspectionPerson"]}");
Console.WriteLine($"发布时间: {taskData["issuedAt"]}");
}
}
```
## 五、完整流程示例
### 5.1 Python 完整示例(包含二维码扫描)
```python
import base64
import json
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from pyzbar import pyzbar
from PIL import Image
class TaskQRCodeDecoder:
"""任务二维码解码器"""
def __init__(self, licence: str, fingerprint: str):
"""
初始化解码器
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
"""
self.licence = licence
self.fingerprint = fingerprint
self._key = self._generate_key()
def _generate_key(self) -> bytes:
"""生成 AES-256 密钥"""
combined = self.licence + self.fingerprint
return hashlib.sha256(combined.encode('utf-8')).digest()
def scan_qr_code(self, qr_image_path: str) -> dict:
"""
扫描二维码并解密任务数据
Args:
qr_image_path: 二维码图片路径
Returns:
解密后的任务数据(字典)
"""
# 1. 扫描二维码
image = Image.open(qr_image_path)
qr_codes = pyzbar.decode(image)
if not qr_codes:
raise ValueError("未找到二维码")
# 获取二维码内容Base64编码的加密数据
encrypted_data_base64 = qr_codes[0].data.decode('utf-8')
print(f"扫描到二维码内容: {encrypted_data_base64[:50]}...")
# 2. 解密任务数据
return self.decrypt_task_data(encrypted_data_base64)
def decrypt_task_data(self, encrypted_data_base64: str) -> dict:
"""
解密任务数据
Args:
encrypted_data_base64: Base64编码的加密数据
Returns:
解密后的任务数据(字典)
"""
# 1. Base64 解码
encrypted_bytes = base64.b64decode(encrypted_data_base64)
# 2. 分离 IV 和加密数据(包含认证标签)
if len(encrypted_bytes) < 12:
raise ValueError("加密数据格式错误:数据长度不足")
iv = encrypted_bytes[:12] # IV: 前12字节
ciphertext_with_tag = encrypted_bytes[12:] # 加密数据 + 认证标签
# 3. 使用 AES-256-GCM 解密
aesgcm = AESGCM(self._key)
decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
# 4. 解析 JSON
decrypted_json = decrypted_bytes.decode('utf-8')
task_data = json.loads(decrypted_json)
return task_data
# 使用示例
if __name__ == "__main__":
# 工具箱的授权信息(必须与平台绑定时一致)
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 创建解码器
decoder = TaskQRCodeDecoder(licence, fingerprint)
# 扫描二维码并解密
try:
task_data = decoder.scan_qr_code("task_qr_code.png")
print("\n=== 任务信息 ===")
print(f"任务ID: {task_data['taskId']}")
print(f"企业ID: {task_data['enterpriseId']}")
print(f"单位名称: {task_data['orgName']}")
print(f"检查ID: {task_data['inspectionId']}")
print(f"检查人: {task_data['inspectionPerson']}")
print(f"发布时间: {task_data['issuedAt']}")
# 可以使用任务信息执行检查任务
# execute_inspection_task(task_data)
except Exception as e:
print(f"解密失败: {e}")
```
### 5.2 Java/Kotlin 完整示例(包含二维码扫描)
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import com.google.zxing.BinaryBitmap
import com.google.zxing.MultiFormatReader
import com.google.zxing.Result
import com.google.zxing.client.j2se.BufferedImageLuminanceSource
import com.google.zxing.common.HybridBinarizer
import java.awt.image.BufferedImage
import java.io.File
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import javax.imageio.ImageIO
class TaskQRCodeDecoder(
private val licence: String,
private val fingerprint: String
) {
private val key: SecretKeySpec by lazy {
val combined = "$licence$fingerprint"
val digest = MessageDigest.getInstance("SHA-256")
val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
SecretKeySpec(keyBytes, "AES")
}
private val objectMapper = ObjectMapper()
/**
* 扫描二维码并解密任务数据
*/
fun scanAndDecrypt(qrImagePath: String): Map<String, Any> {
// 1. 扫描二维码
val image: BufferedImage = ImageIO.read(File(qrImagePath))
val source = BufferedImageLuminanceSource(image)
val bitmap = BinaryBitmap(HybridBinarizer(source))
val reader = MultiFormatReader()
val result: Result = reader.decode(bitmap)
// 获取二维码内容Base64编码的加密数据
val encryptedDataBase64 = result.text
println("扫描到二维码内容: ${encryptedDataBase64.take(50)}...")
// 2. 解密任务数据
return decryptTaskData(encryptedDataBase64)
}
/**
* 解密任务数据
*/
fun decryptTaskData(encryptedDataBase64: String): Map<String, Any> {
// 1. Base64 解码
val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.size < 12) {
throw IllegalArgumentException("加密数据格式错误:数据长度不足")
}
val iv = encryptedBytes.sliceArray(0 until 12)
val ciphertextWithTag = encryptedBytes.sliceArray(12 until encryptedBytes.size)
// 3. 使用 AES-256-GCM 解密
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
val parameterSpec = GCMParameterSpec(16 * 8, iv) // 标签长度以位为单位
cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
// 解密数据GCM 会自动验证认证标签)
val decryptedBytes = cipher.doFinal(ciphertextWithTag)
// 4. 解析 JSON
val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
@Suppress("UNCHECKED_CAST")
return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
}
}
// 使用示例
fun main() {
// 工具箱的授权信息(必须与平台绑定时一致)
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 创建解码器
val decoder = TaskQRCodeDecoder(licence, fingerprint)
// 扫描二维码并解密
try {
val taskData = decoder.scanAndDecrypt("task_qr_code.png")
println("\n=== 任务信息 ===")
println("任务ID: ${taskData["taskId"]}")
println("企业ID: ${taskData["enterpriseId"]}")
println("单位名称: ${taskData["orgName"]}")
println("检查ID: ${taskData["inspectionId"]}")
println("检查人: ${taskData["inspectionPerson"]}")
println("发布时间: ${taskData["issuedAt"]}")
// 可以使用任务信息执行检查任务
// executeInspectionTask(taskData)
} catch (e: Exception) {
println("解密失败: ${e.message}")
}
}
```
## 六、常见错误和注意事项
### 6.1 解密失败
**可能原因**
1. **密钥不匹配**`licence``fingerprint` 与平台绑定时不一致
- 确保使用与设备授权时相同的 `licence``fingerprint`
- 检查字符串拼接是否正确(无分隔符)
2. **数据格式错误**Base64 编码或数据布局错误
- 确保 Base64 解码正确
- 确保 IV 长度正确12 字节)
3. **认证标签验证失败**:数据被篡改或损坏
- GCM 模式会自动验证认证标签
- 如果验证失败,说明数据被篡改或密钥错误
4. **算法不匹配**:必须使用 `AES/GCM/NoPadding`
- 确保使用正确的加密算法
- 确保认证标签长度为 128 位16 字节)
### 6.2 二维码扫描失败
**可能原因**
1. **二维码图片质量差**:确保图片清晰,有足够的对比度
2. **二维码内容过长**:如果加密数据过长,可能需要更高版本的二维码
3. **扫描库不支持**:确保使用支持 Base64 字符串的二维码扫描库
### 6.3 JSON 解析失败
**可能原因**
1. **字符编码错误**:确保使用 UTF-8 编码
2. **JSON 格式错误**:确保解密后的字符串是有效的 JSON
3. **字段缺失**:确保所有必需字段都存在
## 七、安全设计说明
### 7.1 为什么使用 AES-256-GCM
1. **认证加密AEAD**GCM 模式提供加密和认证,防止数据被篡改
2. **强安全性**AES-256 提供 256 位密钥强度
3. **自动验证**GCM 模式会自动验证认证标签,任何篡改都会导致解密失败
### 7.2 为什么第三方无法解密
1. **密钥绑定**:只有拥有正确 `licence + fingerprint` 的工具箱才能生成正确的密钥
2. **认证标签**GCM 模式会验证认证标签,任何篡改都会导致解密失败
3. **密钥唯一性**:每个设备的 `licence + fingerprint` 组合是唯一的
### 7.3 密钥生成的安全性
1. **SHA-256 哈希**:使用强哈希算法生成密钥
2. **密钥长度**:使用全部 32 字节作为 AES-256 密钥
3. **密钥隔离**:每个设备的密钥是独立的,互不影响
## 八、测试建议
1. **单元测试**
- 测试密钥生成是否正确
- 测试解密功能是否正常
- 测试 JSON 解析是否正确
2. **集成测试**
- 使用真实平台生成的二维码进行测试
- 测试不同长度的任务数据
- 测试错误的密钥是否会导致解密失败
3. **边界测试**
- 测试超长的任务数据
- 测试特殊字符的处理
- 测试错误的 Base64 格式
## 九、参考实现
- **Python**`cryptography`AES-GCM 加密)、`pyzbar` 库(二维码扫描)
- **Java/Kotlin**JDK `javax.crypto`AES-GCM 加密、ZXing 库(二维码扫描)
- **C#**`System.Security.Cryptography`AES-GCM 加密、ZXing.Net 库(二维码扫描)
## 十、联系支持
如有问题,请联系平台技术支持团队获取:
- 测试环境地址
- 技术支持

647
docs/工具箱端-授权对接指南/工具箱端-报告加密与签名生成指南.md
View File

@@ -1,647 +0,0 @@
# 工具箱端 - 报告加密与签名生成指南
## 概述
本文档说明工具箱端如何生成加密和签名的检查报告 ZIP 文件,以确保:
1. **授权校验**:只有合法授权的工具箱才能生成有效的报告
2. **防篡改校验**:确保报告内容在传输过程中未被篡改
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱可将原始报告 ZIP 直接上传到 UX 的 `crypto.signAndPackReport`
>
> 1. 工具箱先通过 `config.setLicence` 完成本地 licence 配置;
> 2. 工具箱传入 `pgpPrivateKey`、`signingContext`、`summaryJson` 与 `rawZip`
> 3. UX 从本地配置读取 licence/fingerprint执行签名与打包能力生成 `summary.json`、`META-INF/manifest.json`、`META-INF/signature.asc`
> 4. UX 返回签名后的 ZIP二进制文件响应工具箱再用于离线介质回传平台。
## 一、ZIP 文件结构要求
工具箱生成的 ZIP 文件必须包含以下文件:
```
report.zip
├── summary.json # 摘要信息(必须包含授权和签名字段)
├── assets.json # 资产信息(用于签名校验)
├── vulnerabilities.json # 漏洞信息(用于签名校验)
├── weakPasswords.json # 弱密码信息(用于签名校验)
├── 漏洞评估报告.html # 漏洞评估报告(用于签名校验)
└── META-INF/
├── manifest.json # 文件清单(用于 OpenPGP 签名)
└── signature.asc # OpenPGP 签名文件(防篡改)
```
## 二、授权校验 - 设备签名device_signature
### 2.1 目的
设备签名用于验证报告是由合法授权的工具箱生成的,防止第三方伪造扫描结果。
### 2.2 密钥派生
使用 **HKDF-SHA256** 从设备的 `licence``fingerprint` 派生签名密钥:
```
K = HKDF(
input = licence + fingerprint, # 输入密钥材料(字符串拼接)
salt = "AUTH_V3_SALT", # 固定盐值
info = "device_report_signature", # 固定信息参数
hash = SHA-256, # 哈希算法
length = 32 # 输出密钥长度32字节 = 256位
)
```
**伪代码示例**
```python
import hkdf
# 输入密钥材料
ikm = licence + fingerprint # 字符串直接拼接
# HKDF 参数
salt = "AUTH_V3_SALT"
info = "device_report_signature"
key_length = 32 # 32字节 = 256位
# 派生密钥
derived_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
```
### 2.3 签名数据组装(严格顺序)
签名数据必须按照以下**严格顺序**组装:
```
sign_payload =
taskId + # 任务ID字符串
inspectionId + # 检查ID数字转字符串
SHA256(assets.json) + # assets.json 的 SHA256hex字符串小写
SHA256(vulnerabilities.json) + # vulnerabilities.json 的 SHA256hex字符串小写
SHA256(weakPasswords.json) + # weakPasswords.json 的 SHA256hex字符串小写
SHA256(漏洞评估报告.html) # 漏洞评估报告.html 的 SHA256hex字符串小写
```
**重要说明**
- 所有字符串直接拼接,**不添加任何分隔符**
- SHA256 哈希值必须是 **hex 字符串(小写)**,例如:`a1b2c3d4...`
- 文件内容必须是**原始字节**,不能进行任何编码转换
- 顺序必须严格一致,任何顺序错误都会导致签名验证失败
**伪代码示例**
```python
import hashlib
# 1. 读取文件内容(原始字节)
assets_content = read_file("assets.json")
vulnerabilities_content = read_file("vulnerabilities.json")
weak_passwords_content = read_file("weakPasswords.json")
report_html_content = read_file("漏洞评估报告.html")
# 2. 计算 SHA256hex字符串小写
def sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
assets_sha256 = sha256_hex(assets_content)
vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
weak_passwords_sha256 = sha256_hex(weak_passwords_content)
report_html_sha256 = sha256_hex(report_html_content)
# 3. 组装签名数据(严格顺序,直接拼接)
sign_payload = (
str(task_id) +
str(inspection_id) +
assets_sha256 +
vulnerabilities_sha256 +
weak_passwords_sha256 +
report_html_sha256
)
```
### 2.4 生成设备签名
使用 **HMAC-SHA256** 计算签名:
```
device_signature = Base64(HMAC-SHA256(key=K, data=sign_payload))
```
**伪代码示例**
```python
import hmac
import base64
# 使用派生密钥计算 HMAC-SHA256
mac = hmac.new(
key=derived_key, # 派生密钥32字节
msg=sign_payload.encode('utf-8'), # 签名数据UTF-8编码
digestmod=hashlib.sha256
)
# 计算签名
signature_bytes = mac.digest()
# Base64 编码
device_signature = base64.b64encode(signature_bytes).decode('utf-8')
```
### 2.5 写入 summary.json
`device_signature` 写入 `summary.json`
```json
{
"orgId": 1173040813421105152,
"checkId": 702286470691215417,
"taskId": "TASK-20260115-4875",
"licence": "LIC-8F2A-XXXX",
"fingerprint": "FP-2c91e9f3",
"deviceSignature": "Base64编码的签名值",
"summary": "检查摘要信息",
......
}
```
**必需字段**
- `licence`:设备授权码(字符串)
- `fingerprint`:设备硬件指纹(字符串)
- `taskId`任务ID字符串
- `deviceSignature`设备签名Base64字符串
- `checkId``inspectionId`检查ID数字
## 三、防篡改校验 - OpenPGP 签名
### 3.1 目的
OpenPGP 签名用于验证 ZIP 文件在传输过程中未被篡改,确保文件完整性。
### 3.2 生成 manifest.json
创建 `META-INF/manifest.json` 文件,包含所有文件的 SHA-256 哈希值:
```json
{
"files": {
"summary.json": "a1b2c3d4e5f6...",
"assets.json": "b2c3d4e5f6a1...",
"vulnerabilities.json": "c3d4e5f6a1b2...",
"weakPasswords.json": "d4e5f6a1b2c3...",
"漏洞评估报告.html": "e5f6a1b2c3d4..."
}
}
```
**伪代码示例**
```python
import hashlib
import json
def calculate_sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
# 计算所有文件的 SHA256
files_hashes = {
"summary.json": calculate_sha256_hex(summary_content),
"assets.json": calculate_sha256_hex(assets_content),
"vulnerabilities.json": calculate_sha256_hex(vulnerabilities_content),
"weakPasswords.json": calculate_sha256_hex(weak_passwords_content),
"漏洞评估报告.html": calculate_sha256_hex(report_html_content)
}
# 生成 manifest.json
manifest = {
"files": files_hashes
}
manifest_json = json.dumps(manifest, ensure_ascii=False, indent=2)
```
### 3.3 生成 OpenPGP 签名
使用工具箱的**私钥**对 `manifest.json` 进行 OpenPGP 签名,生成 `META-INF/signature.asc`
**伪代码示例(使用 Python gnupg**
```python
import gnupg
# 初始化 GPG
gpg = gnupg.GPG()
# 导入私钥(或使用已配置的密钥)
# gpg.import_keys(private_key_data)
# 对 manifest.json 进行签名
with open('META-INF/manifest.json', 'rb') as f:
signed_data = gpg.sign_file(
f,
detach=True, # 分离式签名
clearsign=False, # 不使用明文签名
output='META-INF/signature.asc'
)
```
**伪代码示例(使用 BouncyCastle - Java/Kotlin**
```kotlin
import org.bouncycastle.openpgp.*
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPPrivateKey
import java.io.ByteArrayOutputStream
import java.io.FileOutputStream
fun generatePGPSignature(
manifestContent: ByteArray,
privateKey: PGPPrivateKey,
publicKey: PGPPublicKey
): ByteArray {
val signatureGenerator = PGPSignatureGenerator(
JcaPGPContentSignerBuilder(publicKey.algorithm, PGPUtil.SHA256)
)
signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey)
signatureGenerator.update(manifestContent)
val signature = signatureGenerator.generate()
val signatureList = PGPSignatureList(signature)
val out = ByteArrayOutputStream()
val pgpOut = PGPObjectFactory(PGPUtil.getEncoderStream(out))
signatureList.encode(out)
return out.toByteArray()
}
```
### 3.4 打包 ZIP 文件
将所有文件打包成 ZIP 文件,确保包含:
- 所有报告文件summary.json、assets.json 等)
- `META-INF/manifest.json`
- `META-INF/signature.asc`
**伪代码示例**
```python
import zipfile
def create_signed_zip(output_path: str):
with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
# 添加报告文件
zipf.write('summary.json', 'summary.json')
zipf.write('assets.json', 'assets.json')
zipf.write('vulnerabilities.json', 'vulnerabilities.json')
zipf.write('weakPasswords.json', 'weakPasswords.json')
zipf.write('漏洞评估报告.html', '漏洞评估报告.html')
# 添加签名文件
zipf.write('META-INF/manifest.json', 'META-INF/manifest.json')
zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
```
## 四、完整流程示例
### 4.1 Python 完整示例
```python
import hashlib
import hmac
import base64
import json
import zipfile
import hkdf
import gnupg
def generate_report_zip(
licence: str,
fingerprint: str,
task_id: str,
inspection_id: int,
output_path: str
):
"""
生成带签名和加密的检查报告 ZIP 文件
"""
# ========== 1. 读取报告文件 ==========
assets_content = read_file("assets.json")
vulnerabilities_content = read_file("vulnerabilities.json")
weak_passwords_content = read_file("weakPasswords.json")
report_html_content = read_file("漏洞评估报告.html")
# ========== 2. 生成设备签名 ==========
# 2.1 密钥派生
ikm = licence + fingerprint
salt = "AUTH_V3_SALT"
info = "device_report_signature"
key_length = 32
derived_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
# 2.2 计算文件 SHA256
def sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
assets_sha256 = sha256_hex(assets_content)
vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
weak_passwords_sha256 = sha256_hex(weak_passwords_content)
report_html_sha256 = sha256_hex(report_html_content)
# 2.3 组装签名数据(严格顺序)
sign_payload = (
str(task_id) +
str(inspection_id) +
assets_sha256 +
vulnerabilities_sha256 +
weak_passwords_sha256 +
report_html_sha256
)
# 2.4 计算 HMAC-SHA256
mac = hmac.new(
key=derived_key,
msg=sign_payload.encode('utf-8'),
digestmod=hashlib.sha256
)
device_signature = base64.b64encode(mac.digest()).decode('utf-8')
# 2.5 生成 summary.json
summary = {
"orgId": 1173040813421105152,
"checkId": inspection_id,
"taskId": task_id,
"licence": licence,
"fingerprint": fingerprint,
"deviceSignature": device_signature,
"summary": "检查摘要信息"
}
summary_content = json.dumps(summary, ensure_ascii=False).encode('utf-8')
# ========== 3. 生成 OpenPGP 签名 ==========
# 3.1 生成 manifest.json
files_hashes = {
"summary.json": sha256_hex(summary_content),
"assets.json": assets_sha256,
"vulnerabilities.json": vulnerabilities_sha256,
"weakPasswords.json": weak_passwords_sha256,
"漏洞评估报告.html": report_html_sha256
}
manifest = {"files": files_hashes}
manifest_content = json.dumps(manifest, ensure_ascii=False, indent=2).encode('utf-8')
# 3.2 生成 OpenPGP 签名
gpg = gnupg.GPG()
with open('META-INF/manifest.json', 'wb') as f:
f.write(manifest_content)
with open('META-INF/manifest.json', 'rb') as f:
signed_data = gpg.sign_file(
f,
detach=True,
output='META-INF/signature.asc'
)
# ========== 4. 打包 ZIP 文件 ==========
with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
zipf.writestr('summary.json', summary_content)
zipf.writestr('assets.json', assets_content)
zipf.writestr('vulnerabilities.json', vulnerabilities_content)
zipf.writestr('weakPasswords.json', weak_passwords_content)
zipf.writestr('漏洞评估报告.html', report_html_content)
zipf.writestr('META-INF/manifest.json', manifest_content)
zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
print(f"报告 ZIP 文件生成成功: {output_path}")
```
### 4.2 Java/Kotlin 完整示例
```kotlin
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.util.Base64
import java.util.zip.ZipOutputStream
import java.io.FileOutputStream
fun generateReportZip(
licence: String,
fingerprint: String,
taskId: String,
inspectionId: Long,
outputPath: String
) {
// ========== 1. 读取报告文件 ==========
val assetsContent = readFile("assets.json")
val vulnerabilitiesContent = readFile("vulnerabilities.json")
val weakPasswordsContent = readFile("weakPasswords.json")
val reportHtmlContent = readFile("漏洞评估报告.html")
// ========== 2. 生成设备签名 ==========
// 2.1 密钥派生
val ikm = (licence + fingerprint).toByteArray(Charsets.UTF_8)
val salt = "AUTH_V3_SALT".toByteArray(Charsets.UTF_8)
val info = "device_report_signature".toByteArray(Charsets.UTF_8)
val keyLength = 32
val hkdf = HKDFBytesGenerator(SHA256Digest())
hkdf.init(HKDFParameters(ikm, salt, info))
val derivedKey = ByteArray(keyLength)
hkdf.generateBytes(derivedKey, 0, keyLength)
// 2.2 计算文件 SHA256
fun sha256Hex(content: ByteArray): String {
val digest = MessageDigest.getInstance("SHA-256")
val hashBytes = digest.digest(content)
return hashBytes.joinToString("") { "%02x".format(it) }
}
val assetsSha256 = sha256Hex(assetsContent)
val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
val reportHtmlSha256 = sha256Hex(reportHtmlContent)
// 2.3 组装签名数据(严格顺序)
val signPayload = buildString {
append(taskId)
append(inspectionId)
append(assetsSha256)
append(vulnerabilitiesSha256)
append(weakPasswordsSha256)
append(reportHtmlSha256)
}
// 2.4 计算 HMAC-SHA256
val mac = Mac.getInstance("HmacSHA256")
val secretKey = SecretKeySpec(derivedKey, "HmacSHA256")
mac.init(secretKey)
val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
// 2.5 生成 summary.json
val summary = mapOf(
"orgId" to 1173040813421105152L,
"checkId" to inspectionId,
"taskId" to taskId,
"licence" to licence,
"fingerprint" to fingerprint,
"deviceSignature" to deviceSignature,
"summary" to "检查摘要信息"
)
val summaryContent = objectMapper.writeValueAsString(summary).toByteArray(Charsets.UTF_8)
// ========== 3. 生成 OpenPGP 签名 ==========
// 3.1 生成 manifest.json
val filesHashes = mapOf(
"summary.json" to sha256Hex(summaryContent),
"assets.json" to assetsSha256,
"vulnerabilities.json" to vulnerabilitiesSha256,
"weakPasswords.json" to weakPasswordsSha256,
"漏洞评估报告.html" to reportHtmlSha256
)
val manifest = mapOf("files" to filesHashes)
val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
// 3.2 生成 OpenPGP 签名(使用 BouncyCastle
val signatureAsc = generatePGPSignature(manifestContent, privateKey, publicKey)
// ========== 4. 打包 ZIP 文件 ==========
ZipOutputStream(FileOutputStream(outputPath)).use { zipOut ->
zipOut.putNextEntry(ZipEntry("summary.json"))
zipOut.write(summaryContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("assets.json"))
zipOut.write(assetsContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("vulnerabilities.json"))
zipOut.write(vulnerabilitiesContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("weakPasswords.json"))
zipOut.write(weakPasswordsContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("漏洞评估报告.html"))
zipOut.write(reportHtmlContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("META-INF/manifest.json"))
zipOut.write(manifestContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("META-INF/signature.asc"))
zipOut.write(signatureAsc)
zipOut.closeEntry()
}
println("报告 ZIP 文件生成成功: $outputPath")
}
```
## 五、平台端验证流程
平台端会按以下顺序验证:
1. **OpenPGP 签名验证**(防篡改)
- 读取 `META-INF/manifest.json``META-INF/signature.asc`
- 使用平台公钥验证签名
- 验证所有文件的 SHA256 是否与 manifest.json 中的哈希值匹配
2. **设备签名验证**(授权)
-`summary.json` 提取 `licence``fingerprint``taskId``deviceSignature`
- 验证 `licence + fingerprint` 是否已绑定
- 验证 `taskId` 是否存在且属于该设备
- 使用相同的 HKDF 派生密钥
- 重新计算签名并与 `deviceSignature` 比较
## 六、常见错误和注意事项
### 6.1 设备签名验证失败
**可能原因**
1. **密钥派生错误**:确保使用正确的 `salt``info` 参数
2. **签名数据顺序错误**:必须严格按照 `taskId + inspectionId + SHA256(...)` 的顺序
3. **SHA256 格式错误**:必须是 hex 字符串(小写),不能包含分隔符
4. **文件内容错误**:确保使用原始文件内容,不能进行编码转换
5. **licence 或 fingerprint 不匹配**:确保与平台绑定的值一致
### 6.2 OpenPGP 签名验证失败
**可能原因**
1. **私钥不匹配**:确保使用与平台公钥对应的私钥
2. **manifest.json 格式错误**:确保 JSON 格式正确
3. **文件哈希值错误**:确保 manifest.json 中的哈希值与实际文件匹配
### 6.3 文件缺失
**必需文件**
- `summary.json`(必须包含授权字段)
- `assets.json`
- `vulnerabilities.json`
- `weakPasswords.json`(文件名大小写不敏感)
- `漏洞评估报告.html`(文件名包含"漏洞评估报告"且以".html"结尾)
- `META-INF/manifest.json`
- `META-INF/signature.asc`
## 七、安全设计说明
### 7.1 为什么第三方无法伪造
1. **设备签名**
- 只有拥有正确 `licence + fingerprint` 的设备才能派生正确的签名密钥
- 即使第三方获取了某个设备的签名,也无法用于其他任务(`taskId` 绑定)
- 即使第三方修改了报告内容,签名也会失效(多个文件的 SHA256 绑定)
2. **OpenPGP 签名**
- 只有拥有私钥的工具箱才能生成有效签名
- 任何文件修改都会导致哈希值不匹配
### 7.2 密钥分离
使用 HKDF 的 `info` 参数区分不同用途的密钥:
- `device_report_signature`:用于设备签名
- 其他用途可以使用不同的 `info` 值,确保密钥隔离
## 八、测试建议
1. **单元测试**
- 测试密钥派生是否正确
- 测试签名生成和验证是否匹配
- 测试文件 SHA256 计算是否正确
2. **集成测试**
- 使用真实数据生成 ZIP 文件
- 上传到平台验证是否通过
- 测试篡改文件后验证是否失败
3. **边界测试**
- 测试文件缺失的情况
- 测试签名数据顺序错误的情况
- 测试错误的 `licence``fingerprint` 的情况
## 九、参考实现
- **HKDF 实现**BouncyCastleJava/Kotlin`hkdf`Python
- **HMAC-SHA256**Java `javax.crypto.Mac`、Python `hmac`
- **OpenPGP**BouncyCastleJava/Kotlin`gnupg`Python
## 十、联系支持
如有问题,请联系平台技术支持团队。

Some files were not shown because too many files have changed in this diff Show More