refactor(server): crypto 流程改用验证后的 licenceId

Node.js publicEncrypt({ oaepHash }) 会将 OAEP hash 和 MGF1 hash
绑定为同一算法，而 Java OAEPWithSHA-256AndMGF1Padding 默认使用
SHA-256(OAEP) + SHA-1(MGF1)。改用 node-forge 独立配置两个哈希，
确保密文可被管理平台正确解密。

.gitignore

@@ -9,6 +9,11 @@
 # Bun build
 *.bun-build
 
+# SQLite database files
+*.db
+*.db-wal
+*.db-shm
+
 # Turborepo
 .turbo/
 

.sisyphus/notepads/fingerprint-migration/decisions.md

@@ -1,8 +0,0 @@
-## Migration Decisions
-
-- **Library**: `@isaacs/ttlcache` v2.1.4
-- **Rationale**: Minimal, zero-dependency, specialized for TTL, well-maintained.
-- **Cache Key**: Fixed string `'fingerprint'` since we only cache one result.
-- **Max Items**: 1 (singleton fingerprint).
-- **Default TTL**: 10 minutes (compatible with previous implementation).
-

.sisyphus/notepads/fingerprint-migration/learnings.md

@@ -1,8 +0,0 @@
-## @isaacs/ttlcache Migration Learnings
-
-- Successfully replaced manual TTL cache with `@isaacs/ttlcache` in `fingerprint.ts`.
-- Use `catalog:` for dependency management in the Bun monorepo.
-- `TTLCache` does not handle in-flight request deduplication, so the `inFlight` Promise pattern was preserved.
-- Alphabetical sorting in `package.json` catalog is important for consistency.
-- Biome handles import organization and formatting; `bun fix` should be run after manual edits.
-

.sisyphus/notepads/license-activation/decisions.md

@@ -1,3 +0,0 @@
-## Decisions
-
-- Renamed `db` middleware to `dbProvider` as requested, while keeping `db` as an alias to avoid breaking existing routers.

.sisyphus/notepads/license-activation/issues.md

@@ -1,4 +0,0 @@
-## Issues encountered
-
-- `db:migrate` failed due to `device_info` table already existing in the local SQLite database. Resolved by using `db:push` which is suitable for dev environments.
-- `lsp_diagnostics` was not available, used `bun typecheck` (`tsc --noEmit`) instead.

.sisyphus/notepads/license-activation/learnings.md

@@ -1,7 +0,0 @@
-## License Activation Implementation
-
-- Created `license_activation` table for better semantic clarity.
-- Implemented `ensureLicenseActivationInitialized` with UPSERT logic and singleton pattern.
-- Added ORPC endpoints `license.getActivation` and `license.activate`.
-- Used `db:push` to handle migration in dev environment when conflicts occur.
-- Fixed type mismatch in `device.router.ts` where `Date` was returned instead of `number` for timestamp fields.

.vscode/extensions.json

@@ -2,11 +2,8 @@
   "recommendations": [
     "biomejs.biome",
     "hverlin.mise-vscode",
-    "mikestead.dotenv",
     "oven.bun-vscode",
     "redhat.vscode-yaml",
-    "rust-lang.rust-analyzer",
+    "tamasfe.even-better-toml"
-    "tamasfe.even-better-toml",
-    "tauri-apps.tauri-vscode"
   ]
 }

.vscode/settings.json

@@ -1,49 +1,42 @@
 {
-  // Disable the default formatter & linter, use biome instead
-  "prettier.enable": false,
-  "eslint.enable": false,
-
-  // Auto fix
-  "editor.codeActionsOnSave": {
-    "source.fixAll.biome": "explicit",
-    "source.organizeImports.biome": "explicit"
-  },
-  "editor.defaultFormatter": "biomejs.biome",
-  "editor.formatOnSave": true,
   "[javascript]": {
     "editor.defaultFormatter": "biomejs.biome"
   },
   "[javascriptreact]": {
     "editor.defaultFormatter": "biomejs.biome"
   },
-  "[typescript]": {
-    "editor.defaultFormatter": "biomejs.biome"
-  },
-  "[typescriptreact]": {
-    "editor.defaultFormatter": "biomejs.biome"
-  },
   "[json]": {
     "editor.defaultFormatter": "biomejs.biome"
   },
   "[jsonc]": {
     "editor.defaultFormatter": "biomejs.biome"
   },
-  "[yaml]": {
-    "editor.defaultFormatter": "redhat.vscode-yaml"
-  },
   "[toml]": {
     "editor.defaultFormatter": "tamasfe.even-better-toml"
   },
+  "[typescript]": {
+    "editor.defaultFormatter": "biomejs.biome"
+  },
+  "[typescriptreact]": {
+    "editor.defaultFormatter": "biomejs.biome"
+  },
+  "[yaml]": {
+    "editor.defaultFormatter": "redhat.vscode-yaml"
+  },
+  "editor.codeActionsOnSave": {
+    "source.fixAll.biome": "explicit",
+    "source.organizeImports.biome": "explicit"
+  },
+  "editor.defaultFormatter": "biomejs.biome",
+  "editor.formatOnSave": true,
   "files.associations": {
     ".env": "dotenv",
     ".env.*": "dotenv",
-    "**/tsconfig.json": "jsonc",
-    "**/tsconfig.*.json": "jsonc",
     "**/biome.json": "jsonc",
-    "**/opencode.json": "jsonc"
+    "**/opencode.json": "jsonc",
+    "**/tsconfig.*.json": "jsonc",
+    "**/tsconfig.json": "jsonc"
   },
-
-  // TanStack Router
   "files.readonlyInclude": {
     "**/routeTree.gen.ts": true
   },

AGENTS.md

@@ -0,0 +1,219 @@
+# AGENTS.md - AI Coding Agent Guidelines
+
+Guidelines for AI agents working in this Bun monorepo.
+
+## Project Overview
+
+> **This project uses [Bun](https://bun.sh) exclusively as both the JavaScript runtime and package manager. Do NOT use Node.js / npm / yarn / pnpm. All commands start with `bun` — use `bun install` for dependencies and `bun run <script>` for scripts. Always prefer `bun run <script>` over `bun <script>` to avoid conflicts with Bun built-in subcommands (e.g. `bun build` invokes Bun's bundler, NOT your package.json script). Never use `npm`, `npx`, or `node`.**
+
+- **Monorepo**: Bun workspaces + Turborepo orchestration
+- **Runtime**: Bun (see `mise.toml` for version) — **NOT Node.js**
+- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
+- **Apps**:
+  - `apps/server` - TanStack Start fullstack web app (see `apps/server/AGENTS.md`)
+  - `apps/desktop` - Electron desktop shell, sidecar server pattern (see `apps/desktop/AGENTS.md`)
+- **Packages**: `packages/tsconfig` (shared TS configs)
+
+## Build / Lint / Test Commands
+
+### Root Commands (via Turbo)
+```bash
+bun run dev              # Start all apps in dev mode
+bun run build            # Build all apps
+bun run compile          # Compile server to standalone binary (current platform)
+bun run compile:darwin   # Compile server for macOS (arm64 + x64)
+bun run compile:linux    # Compile server for Linux (x64 + arm64)
+bun run compile:windows  # Compile server for Windows x64
+bun run dist             # Package desktop distributable (current platform)
+bun run dist:linux       # Package desktop for Linux (x64 + arm64)
+bun run dist:mac         # Package desktop for macOS (arm64 + x64)
+bun run dist:win         # Package desktop for Windows x64
+bun run fix              # Lint + format (Biome auto-fix)
+bun run typecheck        # TypeScript check across monorepo
+```
+
+### Server App (`apps/server`)
+```bash
+bun run dev                   # Vite dev server (localhost:3000)
+bun run build                 # Production build -> .output/
+bun run compile               # Compile to standalone binary (current platform)
+bun run compile:darwin        # Compile for macOS (arm64 + x64)
+bun run compile:darwin:arm64  # Compile for macOS arm64
+bun run compile:darwin:x64    # Compile for macOS x64
+bun run compile:linux         # Compile for Linux (x64 + arm64)
+bun run compile:linux:arm64   # Compile for Linux arm64
+bun run compile:linux:x64     # Compile for Linux x64
+bun run compile:windows       # Compile for Windows (default: x64)
+bun run compile:windows:x64   # Compile for Windows x64
+bun run fix                   # Biome auto-fix
+bun run typecheck             # TypeScript check
+
+# Database (Drizzle)
+bun run db:generate           # Generate migrations from schema
+bun run db:migrate            # Run migrations
+bun run db:push               # Push schema (dev only)
+bun run db:studio             # Open Drizzle Studio
+```
+
+### Desktop App (`apps/desktop`)
+```bash
+bun run dev                   # electron-vite dev mode (requires server dev running)
+bun run build                 # electron-vite build (main + preload)
+bun run dist                  # Build + package for current platform
+bun run dist:linux            # Build + package for Linux (x64 + arm64)
+bun run dist:linux:x64        # Build + package for Linux x64
+bun run dist:linux:arm64      # Build + package for Linux arm64
+bun run dist:mac              # Build + package for macOS (arm64 + x64)
+bun run dist:mac:arm64        # Build + package for macOS arm64
+bun run dist:mac:x64          # Build + package for macOS x64
+bun run dist:win              # Build + package for Windows x64
+bun run fix                   # Biome auto-fix
+bun run typecheck             # TypeScript check
+```
+
+### Testing
+No test framework configured yet. When adding tests:
+```bash
+bun test path/to/test.ts              # Run single test file
+bun test -t "pattern"                 # Run tests matching pattern
+```
+
+## Code Style (TypeScript)
+
+### Formatting (Biome)
+- **Indent**: 2 spaces | **Line endings**: LF
+- **Quotes**: Single `'` | **Semicolons**: Omit (ASI)
+- **Arrow parentheses**: Always `(x) => x`
+
+### Imports
+Biome auto-organizes. Order: 1) External packages → 2) Internal `@/*` aliases → 3) Type imports (`import type { ... }`)
+
+```typescript
+import { createFileRoute } from '@tanstack/react-router'
+import { z } from 'zod'
+import { db } from '@/server/db'
+import type { ReactNode } from 'react'
+```
+
+### TypeScript Strictness
+- `strict: true`, `noUncheckedIndexedAccess: true`, `noImplicitOverride: true`, `verbatimModuleSyntax: true`
+- Use `@/*` path aliases (maps to `src/*`)
+
+### Naming Conventions
+| Type | Convention | Example |
+|------|------------|---------|
+| Files (utils) | kebab-case | `auth-utils.ts` |
+| Files (components) | PascalCase | `UserProfile.tsx` |
+| Components | PascalCase arrow | `const Button = () => {}` |
+| Functions | camelCase | `getUserById` |
+| Constants | UPPER_SNAKE | `MAX_RETRIES` |
+| Types/Interfaces | PascalCase | `UserProfile` |
+
+### React Patterns
+- Components: arrow functions (enforced by Biome)
+- Routes: TanStack Router file conventions (`export const Route = createFileRoute(...)`)
+- Data fetching: `useSuspenseQuery(orpc.feature.list.queryOptions())`
+- Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
+
+### Error Handling
+- Use `try-catch` for async operations; throw descriptive errors
+- ORPC: Use `ORPCError` with proper codes (`NOT_FOUND`, `INPUT_VALIDATION_FAILED`)
+- Never use empty catch blocks
+
+## Database (Drizzle ORM v1 beta + postgres-js)
+
+- **ORM**: Drizzle ORM `1.0.0-beta` (RQBv2)
+- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
+- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
+- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts` (contains schema info, so `drizzle()` only needs `{ relations }`)
+- **Query style**: RQBv2 object syntax (`orderBy: { createdAt: 'desc' }`, `where: { id: 1 }`)
+
+```typescript
+export const myTable = pgTable('my_table', {
+  id: uuid().primaryKey().default(sql`uuidv7()`),
+  name: text().notNull(),
+  createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
+})
+```
+
+## Environment Variables
+
+- Use `@t3-oss/env-core` with Zod validation in `src/env.ts`
+- Server vars: no prefix | Client vars: `VITE_` prefix required
+- Never commit `.env` files
+
+## Dependency Management
+
+- All versions centralized in root `package.json` `catalog` field
+- Workspace packages use `"catalog:"` — never hardcode versions
+- Internal packages use `"workspace:*"` references
+
+## Development Principles
+
+> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
+
+1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks "just in case".
+2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart. This includes updating code snippets in docs when imports, APIs, or patterns change.
+3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns in the same codebase.
+
+## Critical Rules
+
+**DO:**
+- Run `bun run fix` before committing
+- Use `@/*` path aliases (not relative imports)
+- Include `createdAt`/`updatedAt` on all tables
+- Use `catalog:` for dependency versions
+- Update `AGENTS.md` and other docs whenever code patterns change
+
+**DON'T:**
+- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
+- Edit `src/routeTree.gen.ts` (auto-generated)
+- Use `as any`, `@ts-ignore`, `@ts-expect-error`
+- Commit `.env` files
+- Use empty catch blocks `catch(e) {}`
+- Hardcode dependency versions in workspace packages
+- Leave docs out of sync with code changes
+
+## Git Workflow
+
+1. Make changes following style guide
+2. `bun run fix` - auto-format and lint
+3. `bun run typecheck` - verify types
+4. `bun run dev` - test locally
+5. Commit with descriptive message
+
+## Directory Structure
+
+```
+.
+├── apps/
+│   ├── server/           # TanStack Start fullstack app
+│   │   ├── src/
+│   │   │   ├── client/   # ORPC client + TanStack Query utils
+│   │   │   ├── components/
+│   │   │   ├── routes/   # File-based routing
+│   │   │   └── server/   # API layer + database
+│   │   │       ├── api/  # ORPC contracts, routers, middlewares
+│   │   │       └── db/   # Drizzle schema
+│   │   └── AGENTS.md
+│   └── desktop/          # Electron desktop shell
+│       ├── src/
+│       │   ├── main/
+│       │   │   └── index.ts       # Main process entry
+│       │   └── preload/
+│       │       └── index.ts       # Preload script
+│       ├── electron.vite.config.ts
+│       ├── electron-builder.yml   # Packaging config
+│       └── AGENTS.md
+├── packages/
+│   └── tsconfig/         # Shared TS configs
+├── biome.json            # Linting/formatting config
+├── turbo.json            # Turbo task orchestration
+└── package.json          # Workspace root + dependency catalog
+```
+
+## See Also
+
+- `apps/server/AGENTS.md` - Detailed TanStack Start / ORPC patterns
+- `apps/desktop/AGENTS.md` - Electron desktop development guide

apps/desktop/.gitignore

@@ -0,0 +1,3 @@
+# electron-vite build output
+out/
+dist/

apps/desktop/AGENTS.md

@@ -0,0 +1,95 @@
+# AGENTS.md - Desktop App Guidelines
+
+Thin Electron shell hosting the fullstack server app.
+
+## Tech Stack
+
+> **⚠️ This project uses Bun as the package manager. Runtime is Electron (Node.js). Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, `yarn`, or `pnpm`.**
+
+- **Type**: Electron desktop shell
+- **Design**: Server-driven desktop (thin native window hosting web app)
+- **Runtime**: Electron (Main/Renderer) + Sidecar server binary (Bun-compiled)
+- **Build Tool**: electron-vite (Vite-based, handles main + preload builds)
+- **Packager**: electron-builder (installers, signing, auto-update)
+- **Orchestration**: Turborepo
+
+## Architecture
+
+- **Server-driven design**: The desktop app is a "thin" native shell. It does not contain UI or business logic; it opens a BrowserWindow pointing to the `apps/server` TanStack Start application.
+- **Dev mode**: Opens a BrowserWindow pointing to `localhost:3000`. Requires `apps/server` to be running separately (Turbo handles this).
+- **Production mode**: Spawns a compiled server binary (from `resources/`) as a sidecar process, waits for readiness, then loads its URL.
+
+## Commands
+
+```bash
+bun run dev                    # electron-vite dev (requires server dev running)
+bun run build                  # electron-vite build (main + preload)
+bun run dist                   # Build + package for current platform
+bun run dist:linux             # Build + package for Linux (x64 + arm64)
+bun run dist:linux:x64         # Build + package for Linux x64
+bun run dist:linux:arm64       # Build + package for Linux arm64
+bun run dist:mac               # Build + package for macOS (arm64 + x64)
+bun run dist:mac:arm64         # Build + package for macOS arm64
+bun run dist:mac:x64           # Build + package for macOS x64
+bun run dist:win               # Build + package for Windows x64
+bun run fix                    # Biome auto-fix
+bun run typecheck              # TypeScript check
+```
+
+## Directory Structure
+
+```
+.
+├── src/
+│   ├── main/
+│   │   └── index.ts       # Main process (server lifecycle + BrowserWindow)
+│   └── preload/
+│       └── index.ts       # Preload script (security isolation)
+├── resources/             # Sidecar binaries (gitignored, copied from server build)
+├── out/                   # electron-vite build output (gitignored)
+├── electron.vite.config.ts
+├── electron-builder.yml   # Packaging configuration
+├── package.json
+├── turbo.json
+└── AGENTS.md
+```
+
+## Development Workflow
+
+1. **Start server**: `bun run dev` in `apps/server` (or use root `bun run dev` via Turbo).
+2. **Start desktop**: `bun run dev` in `apps/desktop`.
+3. **Connection**: Main process polls `localhost:3000` until responsive, then opens BrowserWindow.
+
+## Production Build Workflow
+
+From monorepo root, run `bun run dist` to execute the full pipeline automatically (via Turbo task dependencies):
+
+1. **Build server**: `apps/server` → `vite build` → `.output/`
+2. **Compile server**: `apps/server` → `bun compile.ts --target ...` → `out/server-{os}-{arch}`
+3. **Package desktop**: `apps/desktop` → `electron-vite build` + `electron-builder` → distributable
+
+The `electron-builder.yml` `extraResources` config reads binaries directly from `../server/out/`, no manual copy needed.
+
+To build for a specific platform explicitly, use `bun run dist:linux` / `bun run dist:mac` / `bun run dist:win` in `apps/desktop`.
+For single-arch output, use `bun run dist:linux:x64`, `bun run dist:linux:arm64`, `bun run dist:mac:x64`, or `bun run dist:mac:arm64`.
+
+## Development Principles
+
+> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
+
+1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
+2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
+3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
+
+## Critical Rules
+
+**DO:**
+- Use arrow functions for all utility functions.
+- Keep the desktop app as a thin shell — no UI or business logic.
+- Use `catalog:` for all dependency versions in `package.json`.
+
+**DON'T:**
+- Use `npm`, `npx`, `yarn`, or `pnpm`. Use `bun` for package management.
+- Include UI components or business logic in the desktop app.
+- Use `as any` or `@ts-ignore`.
+- Leave docs out of sync with code changes.

apps/desktop/biome.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "../../node_modules/@biomejs/biome/configuration_schema.json",
+  "extends": "//",
+  "css": {
+    "parser": {
+      "tailwindDirectives": true
+    }
+  }
+}

apps/desktop/electron-builder.yml

@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/electron-userland/electron-builder/refs/heads/master/packages/app-builder-lib/scheme.json
+appId: com.furtherverse.desktop
+productName: Furtherverse
+executableName: furtherverse
+
+npmRebuild: false
+asarUnpack:
+  - resources/**
+
+files:
+  - "!**/.vscode/*"
+  - "!src/*"
+  - "!electron.vite.config.{js,ts,mjs,cjs}"
+  - "!{.env,.env.*,bun.lock}"
+  - "!{tsconfig.json,tsconfig.node.json}"
+  - "!{AGENTS.md,README.md,CHANGELOG.md}"
+
+# macOS
+mac:
+  target:
+    - dmg
+  category: public.app-category.productivity
+  extraResources:
+    - from: ../server/out/server-darwin-${arch}
+      to: server
+dmg:
+  artifactName: ${productName}-${version}-${os}-${arch}.${ext}
+
+# Windows
+win:
+  target:
+    - portable
+  extraResources:
+    - from: ../server/out/server-windows-${arch}.exe
+      to: server.exe
+portable:
+  artifactName: ${productName}-${version}-${os}-${arch}-Portable.${ext}
+
+# Linux
+linux:
+  target:
+    - AppImage
+  category: Utility
+  extraResources:
+    - from: ../server/out/server-linux-${arch}
+      to: server
+appImage:
+  artifactName: ${productName}-${version}-${os}-${arch}.${ext}

apps/desktop/electron.vite.config.ts

@@ -0,0 +1,11 @@
+import tailwindcss from '@tailwindcss/vite'
+import react from '@vitejs/plugin-react'
+import { defineConfig } from 'electron-vite'
+
+export default defineConfig({
+  main: {},
+  preload: {},
+  renderer: {
+    plugins: [react(), tailwindcss()],
+  },
+})

apps/desktop/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@furtherverse/desktop",
+  "version": "1.0.0",
+  "private": true,
+  "main": "out/main/index.js",
+  "scripts": {
+    "build": "electron-vite build",
+    "dev": "electron-vite dev --watch",
+    "dist": "electron-builder",
+    "dist:linux": "bun run dist:linux:x64 && bun run dist:linux:arm64",
+    "dist:linux:arm64": "electron-builder --linux --arm64",
+    "dist:linux:x64": "electron-builder --linux --x64",
+    "dist:mac": "bun run dist:mac:arm64 && bun run dist:mac:x64",
+    "dist:mac:arm64": "electron-builder --mac --arm64",
+    "dist:mac:x64": "electron-builder --mac --x64",
+    "dist:win": "electron-builder --win --x64",
+    "fix": "biome check --write",
+    "typecheck": "tsc -b"
+  },
+  "dependencies": {
+    "motion": "catalog:",
+    "react": "catalog:",
+    "react-dom": "catalog:",
+    "tree-kill": "catalog:"
+  },
+  "devDependencies": {
+    "@furtherverse/tsconfig": "workspace:*",
+    "@tailwindcss/vite": "catalog:",
+    "@types/node": "catalog:",
+    "@vitejs/plugin-react": "catalog:",
+    "electron": "catalog:",
+    "electron-builder": "catalog:",
+    "electron-vite": "catalog:",
+    "tailwindcss": "catalog:",
+    "vite": "catalog:"
+  }
+}

apps/desktop/src/main/index.ts

@@ -0,0 +1,198 @@
+import { join } from 'node:path'
+import { app, BrowserWindow, dialog, session, shell } from 'electron'
+import { createSidecarRuntime } from './sidecar'
+
+const DEV_SERVER_URL = 'http://localhost:3000'
+const SAFE_EXTERNAL_PROTOCOLS = new Set(['https:', 'http:', 'mailto:'])
+
+let mainWindow: BrowserWindow | null = null
+let windowCreationPromise: Promise<void> | null = null
+let isQuitting = false
+
+const showErrorAndQuit = (title: string, detail: string) => {
+  if (isQuitting) {
+    return
+  }
+
+  dialog.showErrorBox(title, detail)
+  app.quit()
+}
+
+const sidecar = createSidecarRuntime({
+  devServerUrl: DEV_SERVER_URL,
+  isPackaged: app.isPackaged,
+  resourcesPath: process.resourcesPath,
+  isQuitting: () => isQuitting,
+  onUnexpectedStop: (detail) => {
+    showErrorAndQuit('Service Stopped', detail)
+  },
+})
+
+const toErrorMessage = (error: unknown): string => (error instanceof Error ? error.message : String(error))
+
+const canOpenExternally = (url: string): boolean => {
+  try {
+    const parsed = new URL(url)
+    return SAFE_EXTERNAL_PROTOCOLS.has(parsed.protocol)
+  } catch {
+    return false
+  }
+}
+
+const loadSplash = async (windowRef: BrowserWindow) => {
+  if (process.env.ELECTRON_RENDERER_URL) {
+    await windowRef.loadURL(process.env.ELECTRON_RENDERER_URL)
+    return
+  }
+
+  await windowRef.loadFile(join(__dirname, '../renderer/index.html'))
+}
+
+const createWindow = async () => {
+  if (mainWindow && !mainWindow.isDestroyed()) {
+    mainWindow.focus()
+    return
+  }
+
+  const windowRef = new BrowserWindow({
+    width: 1200,
+    height: 800,
+    show: false,
+    webPreferences: {
+      preload: join(__dirname, '../preload/index.js'),
+      sandbox: true,
+      contextIsolation: true,
+      nodeIntegration: false,
+    },
+  })
+  mainWindow = windowRef
+
+  windowRef.webContents.setWindowOpenHandler(({ url }) => {
+    if (!canOpenExternally(url)) {
+      if (!app.isPackaged) {
+        console.warn(`Blocked external URL: ${url}`)
+      }
+
+      return { action: 'deny' }
+    }
+
+    void shell.openExternal(url)
+    return { action: 'deny' }
+  })
+
+  windowRef.webContents.on('will-navigate', (event, url) => {
+    const allowed = [DEV_SERVER_URL, sidecar.lastResolvedUrl].filter((v): v is string => v != null)
+    const isAllowed = allowed.some((origin) => url.startsWith(origin))
+
+    if (!isAllowed) {
+      event.preventDefault()
+
+      if (canOpenExternally(url)) {
+        void shell.openExternal(url)
+      } else if (!app.isPackaged) {
+        console.warn(`Blocked navigation to: ${url}`)
+      }
+    }
+  })
+
+  windowRef.on('closed', () => {
+    if (mainWindow === windowRef) {
+      mainWindow = null
+    }
+  })
+
+  try {
+    await loadSplash(windowRef)
+  } catch (error) {
+    if (mainWindow === windowRef) {
+      mainWindow = null
+    }
+
+    if (!windowRef.isDestroyed()) {
+      windowRef.destroy()
+    }
+
+    throw error
+  }
+
+  if (!windowRef.isDestroyed()) {
+    windowRef.show()
+  }
+
+  const targetUrl = await sidecar.resolveUrl()
+  if (isQuitting || windowRef.isDestroyed()) {
+    return
+  }
+
+  try {
+    await windowRef.loadURL(targetUrl)
+  } catch (error) {
+    if (mainWindow === windowRef) {
+      mainWindow = null
+    }
+
+    if (!windowRef.isDestroyed()) {
+      windowRef.destroy()
+    }
+
+    throw error
+  }
+}
+
+const ensureWindow = async () => {
+  if (windowCreationPromise) {
+    return windowCreationPromise
+  }
+
+  windowCreationPromise = createWindow().finally(() => {
+    windowCreationPromise = null
+  })
+
+  return windowCreationPromise
+}
+
+const beginQuit = () => {
+  isQuitting = true
+  sidecar.stop()
+}
+
+const handleWindowCreationError = (error: unknown, context: string) => {
+  console.error(`${context}:`, error)
+  showErrorAndQuit(
+    "App Couldn't Start",
+    app.isPackaged
+      ? 'A required component failed to start. Please reinstall the app.'
+      : `${context}: ${toErrorMessage(error)}`,
+  )
+}
+
+app
+  .whenReady()
+  .then(() => {
+    session.defaultSession.setPermissionRequestHandler((_webContents, _permission, callback) => {
+      callback(false)
+    })
+
+    return ensureWindow()
+  })
+  .catch((error) => {
+    handleWindowCreationError(error, 'Failed to create window')
+  })
+
+app.on('window-all-closed', () => {
+  if (process.platform !== 'darwin') {
+    app.quit()
+  }
+})
+
+app.on('activate', () => {
+  if (isQuitting || BrowserWindow.getAllWindows().length > 0) {
+    return
+  }
+
+  ensureWindow().catch((error) => {
+    handleWindowCreationError(error, 'Failed to re-create window')
+  })
+})
+
+app.on('before-quit', beginQuit)

apps/desktop/src/main/sidecar.ts

@@ -0,0 +1,256 @@
+import { type ChildProcess, spawn } from 'node:child_process'
+import { existsSync } from 'node:fs'
+import { createServer } from 'node:net'
+import { join } from 'node:path'
+import killProcessTree from 'tree-kill'
+
+const SERVER_HOST = '127.0.0.1'
+const SERVER_READY_TIMEOUT_MS = 10_000
+const SERVER_REQUEST_TIMEOUT_MS = 1_500
+const SERVER_POLL_INTERVAL_MS = 250
+const SERVER_PROBE_PATHS = ['/api/health', '/']
+
+type SidecarState = {
+  process: ChildProcess | null
+  startup: Promise<string> | null
+  url: string | null
+}
+
+type SidecarRuntimeOptions = {
+  devServerUrl: string
+  isPackaged: boolean
+  resourcesPath: string
+  isQuitting: () => boolean
+  onUnexpectedStop: (detail: string) => void
+}
+
+type SidecarRuntime = {
+  resolveUrl: () => Promise<string>
+  stop: () => void
+  lastResolvedUrl: string | null
+}
+
+const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms))
+
+const isProcessAlive = (processToCheck: ChildProcess | null): processToCheck is ChildProcess => {
+  if (!processToCheck || !processToCheck.pid) {
+    return false
+  }
+
+  return processToCheck.exitCode === null && !processToCheck.killed
+}
+
+const getAvailablePort = (): Promise<number> =>
+  new Promise((resolve, reject) => {
+    const server = createServer()
+    server.listen(0, () => {
+      const addr = server.address()
+      if (!addr || typeof addr === 'string') {
+        server.close()
+        reject(new Error('Failed to resolve port'))
+        return
+      }
+
+      server.close(() => resolve(addr.port))
+    })
+    server.on('error', reject)
+  })
+
+const isServerReady = async (url: string): Promise<boolean> => {
+  for (const probePath of SERVER_PROBE_PATHS) {
+    try {
+      const probeUrl = new URL(probePath, `${url}/`)
+      const response = await fetch(probeUrl, {
+        method: 'GET',
+        cache: 'no-store',
+        signal: AbortSignal.timeout(SERVER_REQUEST_TIMEOUT_MS),
+      })
+
+      if (response.status < 500) {
+        if (probePath === '/api/health' && response.status === 404) {
+          continue
+        }
+
+        return true
+      }
+    } catch {
+      // Expected: probe request fails while server is still starting up
+    }
+  }
+
+  return false
+}
+
+const waitForServer = async (url: string, isQuitting: () => boolean, processRef?: ChildProcess): Promise<boolean> => {
+  const start = Date.now()
+  while (Date.now() - start < SERVER_READY_TIMEOUT_MS && !isQuitting()) {
+    if (processRef && processRef.exitCode !== null) {
+      return false
+    }
+
+    if (await isServerReady(url)) {
+      return true
+    }
+
+    await sleep(SERVER_POLL_INTERVAL_MS)
+  }
+
+  return false
+}
+
+const resolveBinaryPath = (resourcesPath: string): string => {
+  const binaryName = process.platform === 'win32' ? 'server.exe' : 'server'
+  return join(resourcesPath, binaryName)
+}
+
+const formatUnexpectedStopMessage = (
+  isPackaged: boolean,
+  code: number | null,
+  signal: NodeJS.Signals | null,
+): string => {
+  if (isPackaged) {
+    return 'The background service stopped unexpectedly. Please restart the app.'
+  }
+
+  return `Server process exited unexpectedly (code ${code ?? 'unknown'}, signal ${signal ?? 'none'}).`
+}
+
+export const createSidecarRuntime = (options: SidecarRuntimeOptions): SidecarRuntime => {
+  const state: SidecarState = {
+    process: null,
+    startup: null,
+    url: null,
+  }
+
+  const resetState = (processRef?: ChildProcess) => {
+    if (processRef && state.process !== processRef) {
+      return
+    }
+
+    state.process = null
+    state.url = null
+  }
+
+  const stop = () => {
+    const runningServer = state.process
+    resetState()
+
+    if (!runningServer?.pid || runningServer.exitCode !== null) {
+      return
+    }
+
+    killProcessTree(runningServer.pid, 'SIGTERM', (error?: Error) => {
+      if (error) {
+        console.error('Failed to stop server process:', error)
+      }
+    })
+  }
+
+  const attachLifecycleHandlers = (processRef: ChildProcess) => {
+    processRef.on('error', (error) => {
+      if (state.process !== processRef) {
+        return
+      }
+
+      const hadReadyServer = state.url !== null
+      resetState(processRef)
+
+      if (!options.isQuitting() && hadReadyServer) {
+        options.onUnexpectedStop('The background service crashed unexpectedly. Please restart the app.')
+        return
+      }
+
+      console.error('Failed to start server process:', error)
+    })
+
+    processRef.on('exit', (code, signal) => {
+      if (state.process !== processRef) {
+        return
+      }
+
+      const hadReadyServer = state.url !== null
+      resetState(processRef)
+
+      if (!options.isQuitting() && hadReadyServer) {
+        options.onUnexpectedStop(formatUnexpectedStopMessage(options.isPackaged, code, signal))
+      }
+    })
+  }
+
+  const startPackagedServer = async (): Promise<string> => {
+    if (state.url && isProcessAlive(state.process)) {
+      return state.url
+    }
+
+    if (state.startup) {
+      return state.startup
+    }
+
+    state.startup = (async () => {
+      const binaryPath = resolveBinaryPath(options.resourcesPath)
+      if (!existsSync(binaryPath)) {
+        throw new Error(`Sidecar server binary is missing: ${binaryPath}`)
+      }
+
+      if (options.isQuitting()) {
+        throw new Error('Application is shutting down.')
+      }
+
+      const port = await getAvailablePort()
+      const nextServerUrl = `http://${SERVER_HOST}:${port}`
+      const processRef = spawn(binaryPath, [], {
+        env: {
+          ...process.env,
+          HOST: SERVER_HOST,
+          PORT: String(port),
+        },
+        stdio: 'ignore',
+        windowsHide: true,
+      })
+
+      processRef.unref()
+      state.process = processRef
+      attachLifecycleHandlers(processRef)
+
+      const ready = await waitForServer(nextServerUrl, options.isQuitting, processRef)
+      if (ready && isProcessAlive(processRef)) {
+        state.url = nextServerUrl
+        return nextServerUrl
+      }
+
+      const failureReason =
+        processRef.exitCode !== null
+          ? `The service exited early (code ${processRef.exitCode}).`
+          : `The service did not respond at ${nextServerUrl} within 10 seconds.`
+
+      stop()
+      throw new Error(failureReason)
+    })().finally(() => {
+      state.startup = null
+    })
+
+    return state.startup
+  }
+
+  const resolveUrl = async (): Promise<string> => {
+    if (options.isPackaged) {
+      return startPackagedServer()
+    }
+
+    const ready = await waitForServer(options.devServerUrl, options.isQuitting)
+    if (!ready) {
+      throw new Error('Dev server not responding. Run `bun dev` in apps/server first.')
+    }
+
+    state.url = options.devServerUrl
+    return options.devServerUrl
+  }
+
+  return {
+    resolveUrl,
+    stop,
+    get lastResolvedUrl() {
+      return state.url
+    },
+  }
+}

apps/desktop/src/preload/index.ts

@@ -0,0 +1 @@
+export {}

apps/desktop/src/renderer/components/SplashApp.tsx

@@ -0,0 +1,33 @@
+import { motion } from 'motion/react'
+import logoImage from '../assets/logo.png'
+
+export const SplashApp = () => {
+  return (
+    <main className="m-0 flex h-screen w-screen cursor-default select-none items-center justify-center overflow-hidden bg-white font-sans antialiased">
+      <motion.section
+        animate={{ opacity: 1, y: 0 }}
+        className="flex flex-col items-center gap-8"
+        initial={{ opacity: 0, y: 4 }}
+        transition={{
+          duration: 1,
+          ease: [0.16, 1, 0.3, 1],
+        }}
+      >
+        <img alt="Logo" className="h-20 w-auto object-contain" draggable={false} src={logoImage} />
+
+        <div className="relative h-[4px] w-36 overflow-hidden rounded-full bg-zinc-100">
+          <motion.div
+            animate={{ x: '100%' }}
+            className="h-full w-full bg-zinc-800"
+            initial={{ x: '-100%' }}
+            transition={{
+              duration: 2,
+              ease: [0.4, 0, 0.2, 1],
+              repeat: Infinity,
+            }}
+          />
+        </div>
+      </motion.section>
+    </main>
+  )
+}

apps/desktop/src/renderer/index.html

@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Furtherverse</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="./main.tsx"></script>
+  </body>
+</html>

apps/desktop/src/renderer/main.tsx

@@ -0,0 +1,11 @@
+import { StrictMode } from 'react'
+import { createRoot } from 'react-dom/client'
+import { SplashApp } from './components/SplashApp'
+import './styles.css'
+
+// biome-ignore lint/style/noNonNullAssertion: 一定存在
+createRoot(document.getElementById('root')!).render(
+  <StrictMode>
+    <SplashApp />
+  </StrictMode>,
+)

apps/desktop/src/renderer/styles.css

@@ -0,0 +1 @@
+@import "tailwindcss";

apps/desktop/tsconfig.app.json

@@ -0,0 +1,8 @@
+{
+  "extends": "@furtherverse/tsconfig/react.json",
+  "compilerOptions": {
+    "composite": true,
+    "types": ["vite/client"]
+  },
+  "include": ["src/renderer/**/*"]
+}

apps/desktop/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "files": [],
+  "references": [
+    {
+      "path": "./tsconfig.app.json"
+    },
+    {
+      "path": "./tsconfig.node.json"
+    }
+  ]
+}

apps/desktop/tsconfig.node.json

@@ -0,0 +1,8 @@
+{
+  "extends": "@furtherverse/tsconfig/base.json",
+  "compilerOptions": {
+    "composite": true,
+    "types": ["node"]
+  },
+  "include": ["src/main/**/*", "src/preload/**/*", "electron.vite.config.ts"]
+}

apps/desktop/turbo.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "../../node_modules/turbo/schema.json",
+  "extends": ["//"],
+  "tasks": {
+    "build": {
+      "outputs": ["out/**"]
+    },
+    "dist": {
+      "dependsOn": ["build", "@furtherverse/server#compile"],
+      "outputs": ["dist/**"]
+    },
+    "dist:linux": {
+      "dependsOn": ["build", "@furtherverse/server#compile:linux:arm64", "@furtherverse/server#compile:linux:x64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:linux:arm64": {
+      "dependsOn": ["build", "@furtherverse/server#compile:linux:arm64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:linux:x64": {
+      "dependsOn": ["build", "@furtherverse/server#compile:linux:x64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:mac": {
+      "dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64", "@furtherverse/server#compile:darwin:x64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:mac:arm64": {
+      "dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:mac:x64": {
+      "dependsOn": ["build", "@furtherverse/server#compile:darwin:x64"],
+      "outputs": ["dist/**"]
+    },
+    "dist:win": {
+      "dependsOn": ["build", "@furtherverse/server#compile:windows:x64"],
+      "outputs": ["dist/**"]
+    }
+  }
+}

apps/server/.env.example

@@ -1 +1 @@
-DATABASE_URL=./data/app.db
+DATABASE_PATH=data.db

apps/server/.gitignore

@@ -1,5 +0,0 @@
-# SQLite database files
-data/
-*.db
-*.db-shm
-*.db-wal

apps/server/AGENTS.md

@@ -1,420 +1,279 @@
-# AGENTS.md - AI Coding Agent Guidelines
+# AGENTS.md - Server App Guidelines
 
-本文档为 AI 编程助手提供此 TanStack Start 全栈项目的开发规范和指南。
+TanStack Start fullstack web app with ORPC (contract-first RPC).
 
-## 项目概览
+## Tech Stack
 
-- **框架**: TanStack Start (React SSR 框架，文件路由)
+> **⚠️ This project uses Bun — NOT Node.js / npm. All commands use `bun`. Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, or `node`.**
-- **运行时**: Bun
-- **语言**: TypeScript (strict mode, ESNext)
-- **样式**: Tailwind CSS v4
-- **数据库**: SQLite + Drizzle ORM
-- **状态管理**: TanStack Query
-- **路由**: TanStack Router (文件路由)
-- **RPC**: ORPC (类型安全 RPC，契约优先)
-- **构建工具**: Vite + Turbo
-- **代码质量**: Biome (格式化 + Lint)
 
-## 依赖管理
+- **Framework**: TanStack Start (React 19 SSR, file-based routing)
+- **Runtime**: Bun — **NOT Node.js**
+- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
+- **Language**: TypeScript (strict mode)
+- **Styling**: Tailwind CSS v4
+- **Database**: PostgreSQL + Drizzle ORM v1 beta (`drizzle-orm/postgres-js`, RQBv2)
+- **State**: TanStack Query v5
+- **RPC**: ORPC (contract-first, type-safe)
+- **Build**: Vite + Nitro
 
-项目使用 **Bun Catalog** 统一管理依赖版本。
+## Commands
 
-> **详细流程**: 加载 skill `bun-catalog-package` 获取完整指南。
-
-**快速参考**：
 ```bash
-bun info <pkg> version          # 查询最新版本
+# Development
-bun add <pkg>@catalog:          # 在子包中安装
+bun run dev                    # Vite dev server (localhost:3000)
+bun run db:studio              # Drizzle Studio GUI
+
+# Build
+bun run build                  # Production build → .output/
+bun run compile                # Compile to standalone binary (current platform, depends on build)
+bun run compile:darwin         # Compile for macOS (arm64 + x64)
+bun run compile:darwin:arm64   # Compile for macOS arm64
+bun run compile:darwin:x64     # Compile for macOS x64
+bun run compile:linux          # Compile for Linux (x64 + arm64)
+bun run compile:linux:arm64    # Compile for Linux arm64
+bun run compile:linux:x64      # Compile for Linux x64
+bun run compile:windows        # Compile for Windows (default: x64)
+bun run compile:windows:x64    # Compile for Windows x64
+
+# Code Quality
+bun run fix                    # Biome auto-fix
+bun run typecheck              # TypeScript check
+
+# Database
+bun run db:generate            # Generate migrations from schema
+bun run db:migrate             # Run migrations
+bun run db:push                # Push schema directly (dev only)
+
+# Testing (not yet configured)
+bun test path/to/test.ts       # Run single test
+bun test -t "pattern"          # Run tests matching pattern
 ```
 
-## 构建、Lint 和测试命令
+## Directory Structure
 
-### 开发
+```
-```bash
+src/
-bun dev                    # 启动 Vite 开发服务器
+├── client/                # Client-side code
-bun db:studio              # 打开 Drizzle Studio 数据库管理界面
+│   └── orpc.ts            # ORPC client + TanStack Query utils (single entry point)
+├── components/            # React components
+├── routes/                # TanStack Router file routes
+│   ├── __root.tsx         # Root layout
+│   ├── index.tsx          # Home page
+│   └── api/
+│       ├── $.ts           # OpenAPI handler + Scalar docs
+│       ├── health.ts      # Health check endpoint
+│       └── rpc.$.ts       # ORPC RPC handler
+├── server/                # Server-side code
+│   ├── api/               # ORPC layer
+│   │   ├── contracts/     # Input/output schemas (Zod)
+│   │   ├── middlewares/   # Middleware (db provider, auth)
+│   │   ├── routers/       # Handler implementations
+│   │   ├── interceptors.ts # Shared error interceptors
+│   │   ├── context.ts     # Request context
+│   │   ├── server.ts      # ORPC server instance
+│   │   └── types.ts       # Type exports
+│   └── db/
+│       ├── schema/        # Drizzle table definitions
+│       ├── fields.ts      # Shared field builders (id, createdAt, updatedAt)
+│       ├── relations.ts   # Drizzle relations (defineRelations, RQBv2)
+│       └── index.ts       # Database instance (postgres-js driver)
+├── env.ts                 # Environment variable validation
+├── router.tsx             # Router configuration
+├── routeTree.gen.ts       # Auto-generated (DO NOT EDIT)
+└── styles.css             # Tailwind entry
 ```
 
-### 构建
+## ORPC Pattern
-```bash
-bun build                  # 构建 Vite 应用 (输出到 .output/)
-bun compile                # 编译为独立可执行文件 (使用 build.ts)
-```
 
-### 代码质量
+### 1. Define Contract (`src/server/api/contracts/feature.contract.ts`)
-```bash
-bun typecheck              # 运行 TypeScript 类型检查
-bun fix                    # 运行 Biome 自动修复格式和 Lint 问题
-biome check .              # 检查但不自动修复
-biome format --write .     # 仅格式化代码
-```
-
-### 数据库
-```bash
-bun db:generate            # 从 schema 生成迁移文件
-bun db:migrate             # 执行数据库迁移
-bun db:push                # 直接推送 schema 变更 (仅开发环境)
-```
-
-### 测试
-**注意**: 当前未配置测试框架。添加测试时:
-- 使用 Vitest 或 Bun 内置测试运行器
-- 运行单个测试文件: `bun test path/to/test.ts`
-- 运行特定测试: `bun test -t "测试名称模式"`
-
-## 代码风格指南
-
-### 格式化 (Biome)
-
-**缩进**: 2 空格 (不使用 tab)
-**换行符**: LF (Unix 风格)
-**引号**: 单引号 `'string'`
-**分号**: 按需 (ASI - 自动分号插入)
-**箭头函数括号**: 始终使用 `(x) => x`
-
-示例:
 ```typescript
-const myFunc = (value: string) => {
+import { oc } from '@orpc/contract'
-  return value.toUpperCase()
+import { createSelectSchema } from 'drizzle-orm/zod'
-}
+import { z } from 'zod'
+import { featureTable } from '@/server/db/schema'
+
+const selectSchema = createSelectSchema(featureTable)
+
+export const list = oc.input(z.void()).output(z.array(selectSchema))
+export const create = oc.input(insertSchema).output(selectSchema)
 ```
 
-### 导入组织
+### 2. Implement Router (`src/server/api/routers/feature.router.ts`)
+```typescript
+import { ORPCError } from '@orpc/server'
+import { db } from '../middlewares'
+import { os } from '../server'
 
-Biome 自动组织导入。顺序:
+export const list = os.feature.list.use(db).handler(async ({ context }) => {
-1. 外部依赖
+  return await context.db.query.featureTable.findMany({
-2. 内部导入 (使用 `@/*` 别名)
+    orderBy: { createdAt: 'desc' },
-3. 类型导入 (仅导入类型时使用 `type` 关键字)
+  })
+})
+```
+
+### 3. Register in Index Files
+```typescript
+// src/server/api/contracts/index.ts
+import * as feature from './feature.contract'
+export const contract = { feature }
+
+// src/server/api/routers/index.ts
+import * as feature from './feature.router'
+export const router = os.router({ feature })
+```
+
+### 4. Use in Components
+```typescript
+import { useSuspenseQuery, useMutation } from '@tanstack/react-query'
+import { orpc } from '@/client/orpc'
+
+const { data } = useSuspenseQuery(orpc.feature.list.queryOptions())
+const mutation = useMutation(orpc.feature.create.mutationOptions())
+```
+
+## Database (Drizzle ORM v1 beta)
+
+- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
+- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
+- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts`
+- **Query**: RQBv2 — use `db.query.tableName.findMany()` with object-style `orderBy` and `where`
+
+### Schema Definition
+```typescript
+import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core'
+import { sql } from 'drizzle-orm'
+
+export const myTable = pgTable('my_table', {
+  id: uuid().primaryKey().default(sql`uuidv7()`),
+  name: text().notNull(),
+  createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
+})
+```
+
+### Relations (RQBv2)
+```typescript
+// src/server/db/relations.ts
+import { defineRelations } from 'drizzle-orm'
+import * as schema from './schema'
+
+export const relations = defineRelations(schema, (r) => ({
+  // Define relations here using r.one / r.many / r.through
+}))
+```
+
+### DB Instance
+```typescript
+// src/server/db/index.ts
+import { drizzle } from 'drizzle-orm/postgres-js'
+import { relations } from '@/server/db/relations'
+// In RQBv2, relations already contain schema info — no separate schema import needed
+
+const db = drizzle({
+  connection: env.DATABASE_URL,
+  relations,
+})
+```
+
+### RQBv2 Query Examples
+```typescript
+// Object-style orderBy (NOT callback style)
+const todos = await db.query.todoTable.findMany({
+  orderBy: { createdAt: 'desc' },
+})
+
+// Object-style where
+const todo = await db.query.todoTable.findFirst({
+  where: { id: someId },
+})
+```
+
+## Code Style
+
+### Formatting (Biome)
+- **Indent**: 2 spaces
+- **Quotes**: Single `'`
+- **Semicolons**: Omit (ASI)
+- **Arrow parens**: Always `(x) => x`
+
+### Imports
+Biome auto-organizes:
+1. External packages
+2. Internal `@/*` aliases
+3. Type imports (`import type { ... }`)
 
-示例:
 ```typescript
 import { createFileRoute } from '@tanstack/react-router'
-import { oc } from '@orpc/contract'
 import { z } from 'zod'
-import { db } from '@/db'
+import { db } from '@/server/db'
-import { todoTable } from '@/db/schema'
 import type { ReactNode } from 'react'
 ```
 
 ### TypeScript
-
-**严格模式**: 启用了额外的严格检查
 - `strict: true`
-- `noUncheckedIndexedAccess: true` - 数组/对象索引返回 `T | undefined`
+- `noUncheckedIndexedAccess: true` - array access returns `T | undefined`
-- `noImplicitOverride: true`
+- Use `@/*` path aliases (maps to `src/*`)
-- `noFallthroughCasesInSwitch: true`
 
-**模块解析**: `bundler` 模式 + `verbatimModuleSyntax`
+### Naming
-- 导入时始终使用 `.ts`/`.tsx` 扩展名
+| Type | Convention | Example |
-- 使用 `@/*` 路径别名指向 `src/*`
+|------|------------|---------|
+| Files (utils) | kebab-case | `auth-utils.ts` |
+| Files (components) | PascalCase | `UserProfile.tsx` |
+| Components | PascalCase arrow | `const Button = () => {}` |
+| Functions | camelCase | `getUserById` |
+| Types | PascalCase | `UserProfile` |
 
-**类型注解**:
+### React
-- 公共 API 的函数参数和返回类型必须注解
+- Use arrow functions for components (Biome enforced)
-- 优先使用显式类型而非 `any`
+- Use `useSuspenseQuery` for guaranteed data
-- 对象形状用 `type`，可扩展契约用 `interface`
+- Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
-- 不可变 props 使用 `Readonly<T>`
 
-### 命名规范
+## Environment Variables
 
-- **文件**: 工具函数用 kebab-case，组件用 PascalCase
-  - `utils.ts`, `todo.tsx`, `NotFound.tsx`
-- **路由**: 遵循 TanStack Router 约定
-  - `routes/index.tsx` → `/`
-  - `routes/__root.tsx` → 根布局
-- **组件**: PascalCase 箭头函数 (Biome 规则 `useArrowFunction` 强制)
-- **函数**: camelCase
-- **常量**: 真常量用 UPPER_SNAKE_CASE，配置对象用 camelCase
-- **类型/接口**: PascalCase
-
-### React 模式
-
-**组件**: 使用箭头函数
 ```typescript
-const MyComponent = ({ title }: { title: string }) => {
+// src/env.ts - using @t3-oss/env-core
-  return <div>{title}</div>
+import { createEnv } from '@t3-oss/env-core'
-}
-```
-
-**路由**: 使用 `createFileRoute` 定义路由
-```typescript
-export const Route = createFileRoute('/')({
-  component: Home,
-})
-```
-
-**数据获取**: 使用 TanStack Query hooks
-- `useSuspenseQuery` - 保证有数据
-- `useQuery` - 数据可能为空
-
-**Props**: 禁止直接修改 props (Biome 规则 `noReactPropAssignments`)
-
-### 数据库 Schema (Drizzle)
-
-- 在 `src/server/db/schema/*.ts` 定义 schema
-- 从 `src/server/db/schema/index.ts` 导出
-- 使用 `drizzle-orm/sqlite-core` 的 SQLite 类型
-- 主键使用 `uuidv7()` (TEXT 存储)
-- 时间戳使用 `integer({ mode: 'timestamp_ms' })` (Unix 毫秒时间戳)
-- 始终包含 `createdAt` 和 `updatedAt` 时间戳
-
-示例:
-```typescript
-import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
-import { v7 as uuidv7 } from 'uuid'
-
-export const myTable = sqliteTable('my_table', {
-  id: text('id').primaryKey().$defaultFn(() => uuidv7()),
-  name: text('name').notNull(),
-  createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()),
-  updatedAt: integer('updated_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()).$onUpdateFn(() => new Date()),
-})
-```
-
-### 环境变量
-
-- 使用 `@t3-oss/env-core` 进行类型安全的环境变量验证
-- 在 `src/env.ts` 定义 schema
-- 服务端变量: 无前缀
-- 客户端变量: 必须有 `VITE_` 前缀
-- 使用 Zod schema 验证
-
-### 错误处理
-
-- 异步操作使用 try-catch
-- 抛出带有描述性消息的错误
-- 用户界面错误优先使用 Result 类型或错误边界
-- 适当记录错误 (避免记录敏感数据)
-
-### 样式 (Tailwind CSS)
-
-- 使用 Tailwind v4 工具类
-- 通过 `@/styles.css?url` 导入样式
-- 优先使用组合而非自定义 CSS
-- 响应式修饰符: `sm:`, `md:`, `lg:`
-- UI 文本适当使用中文
-
-## 目录结构
-
-```
-src/
-├── components/            # 可复用 React 组件
-├── db/
-│   ├── schema/           # Drizzle schema 定义
-│   └── index.ts          # 数据库实例
-├── integrations/         # 第三方集成 (TanStack Query/Router)
-├── lib/                  # 工具函数
-├── orpc/                 # ORPC (RPC 层)
-│   ├── contracts/        # 契约定义 (input/output schemas)
-│   ├── handlers/         # 服务端过程实现
-│   ├── middlewares/      # 中间件 (如 DB provider)
-│   ├── contract.ts       # 契约聚合
-│   ├── router.ts         # 路由组合
-│   ├── server.ts         # 服务端实例
-│   └── client.ts         # 同构客户端
-├── routes/               # TanStack Router 文件路由
-│   ├── __root.tsx        # 根布局
-│   ├── index.tsx         # 首页
-│   └── api/rpc.$.ts      # ORPC HTTP 端点
-├── env.ts                # 环境变量验证
-└── router.tsx            # 路由配置
-```
-
-## 重要提示
-
-- **禁止** 编辑 `src/routeTree.gen.ts` - 自动生成
-- **禁止** 提交 `.env` 文件 - 使用 `.env.example` 作为模板
-- **必须** 在提交前运行 `bun fix`
-- **必须** 使用 `@/*` 路径别名而非相对导入
-- **必须** 利用 React Compiler (babel-plugin-react-compiler) - 避免手动 memoization
-
-## Git 工作流
-
-1. 按照上述风格指南进行修改
-2. 运行 `bun fix` 自动格式化和 lint
-3. 运行 `bun typecheck` 确保类型安全
-4. 使用 `bun dev` 本地测试变更
-5. 使用清晰的描述性消息提交
-
-## 常见模式
-
-### 创建 ORPC 过程
-
-**步骤 1: 定义契约** (`src/orpc/contracts/my-feature.ts`)
-```typescript
-import { oc } from '@orpc/contract'
 import { z } from 'zod'
 
-export const myContract = {
+export const env = createEnv({
-  get: oc.input(z.object({ id: z.uuid() })).output(mySchema),
+  server: {
-  create: oc.input(createSchema).output(mySchema),
+    DATABASE_URL: z.string().url(),
-}
+  },
-```
+  clientPrefix: 'VITE_',
-
+  client: {
-**步骤 2: 实现处理器** (`src/orpc/handlers/my-feature.ts`)
+    VITE_API_URL: z.string().optional(),
-```typescript
+  },
-import { os } from '@/orpc/server'
-import { dbProvider } from '@/orpc/middlewares'
-
-export const get = os.myFeature.get
-  .use(dbProvider)
-  .handler(async ({ context, input }) => {
-    return await context.db.query.myTable.findFirst(...)
 })
 ```
 
-**步骤 3: 注册到契约和路由**
+## Development Principles
-```typescript
-// src/orpc/contract.ts
-export const contract = { myFeature: myContract }
 
-// src/orpc/router.ts
+> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
-import * as myFeature from './handlers/my-feature'
-export const router = os.router({ myFeature })
-```
 
-**步骤 4: 在组件中使用**
+1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
-```typescript
+2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
-import { orpc } from '@/orpc'
+3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
-const query = useSuspenseQuery(orpc.myFeature.get.queryOptions({ id }))
-const mutation = useMutation(orpc.myFeature.create.mutationOptions())
-```
 
----
+## Critical Rules
 
-## 已知问题与解决方案
+**DO:**
+- Run `bun run fix` before committing
+- Use `@/*` path aliases
+- Include `createdAt`/`updatedAt` on all tables
+- Use `ORPCError` with proper codes
+- Use `drizzle-orm/zod` (NOT `drizzle-zod`) for schema validation
+- Use RQBv2 object syntax for `orderBy` and `where`
+- Update `AGENTS.md` and other docs whenever code patterns change
 
-### 构建问题
+**DON'T:**
-
+- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
-**已解决**: Vite 8.0.0-beta.10 已修复与 Nitro 插件的兼容性问题
+- Edit `src/routeTree.gen.ts` (auto-generated)
-- **当前版本**: Vite 8.0.0-beta.10 + nitro-nightly@3.0.1-20260125
+- Use `as any`, `@ts-ignore`, `@ts-expect-error`
-- **状态**: 构建稳定，开发和生产环境均正常工作
+- Commit `.env` files
-
+- Use empty catch blocks
-### 依赖选择经验
+- Import from `drizzle-zod` (use `drizzle-orm/zod` instead)
-
+- Use RQBv1 callback-style `orderBy` / old `relations()` API
-**ohash vs crypto.createHash**
+- Use `drizzle-orm/bun-sql` driver (use `drizzle-orm/postgres-js`)
-
+- Pass `schema` to `drizzle()` constructor (only `relations` is needed in RQBv2)
-在实现硬件指纹功能时，曾误判 `ohash` 不适合用于硬件指纹识别。经深入研究发现：
+- Import `os` from `@orpc/server` in middleware — use `@/server/api/server` (the local typed instance)
-
+- Leave docs out of sync with code changes
-**事实**：
-- `ohash` 内部使用**完整的 SHA-256** 算法（256 位）
-- 输出 43 字符 Base64URL 编码（等价于 64 字符 Hex）
-- 碰撞概率与 `crypto.createHash('sha256')` **完全相同**（2^128）
-- 自动处理对象序列化，代码更简洁
-
-**对比**：
-```typescript
-// ohash - 推荐用于对象哈希
-import { hash } from 'ohash'
-const fingerprint = hash(systemInfo) // 一行搞定
-
-// crypto - 需要手动序列化
-import { createHash } from 'node:crypto'
-const fingerprint = createHash('sha256')
-  .update(JSON.stringify(systemInfo))
-  .digest('base64url')
-```
-
-**结论**：
-- ✅ `ohash` 完全适合硬件指纹场景（数据来自系统 API，非用户输入）
-- ✅ 两者安全性等价，选择取决于代码风格偏好
-- ⚠️ ohash 文档警告的"序列化安全性"仅针对**用户输入**场景
-
-**经验教训**：
-- 不要仅凭名称（"短哈希"）判断库的实现
-- 深入研究文档和源码再做技术决策
-- 区分"用户输入场景"和"系统数据场景"的安全要求
-
-### 缓存库选择：@isaacs/ttlcache
-
-**决策时间**: 2026-01-26
-
-**背景**：
-硬件指纹功能最初使用手动实现的 TTL 缓存（module-level 变量 + 手动过期检查）。为提高代码可维护性，迁移到专业缓存库。
-
-**选型**：
-- **选择**: `@isaacs/ttlcache` v2.1.4
-- **理由**:
-  - 专为 TTL 场景优化，无需 LRU 追踪开销
-  - 零依赖，6M+ 周下载量
-  - 内置 TypeScript 类型
-  - 自动过期管理，无需手动定时器
-  - API 简洁: `new TTLCache({ ttl, max })`
-
-**实现细节**：
-- 保留 `inFlight` Promise 模式用于并发请求去重（TTLCache 不提供此功能）
-- 使用单一缓存键 `'fingerprint'`（单服务器场景，opts 不影响输出）
-- 默认 TTL: 10 分钟（可通过 `cacheTtlMs` 参数覆盖）
-
-**对比手动实现**：
-- ✅ 更少自定义代码
-- ✅ 更清晰的 TTL 语义
-- ✅ 经过充分测试的库
-- ⚠️ 仍需手动处理并发去重
-
-**经验教训**：
-- 专业库不一定解决所有问题（如并发去重）
-- 对于简单场景，手动实现 vs 库的选择主要取决于可维护性而非功能
-
-### SQLite 数据库使用说明
-
-**技术栈**:
-- **驱动**: `better-sqlite3` v11.8.1 (原生模块，跨平台)
-- **类型定义**: `@types/better-sqlite3` v7.6.12
-- **数据库文件**: `./data/app.db`
-
-**数据类型策略**:
-- **主键**: TEXT 存储 UUIDv7 (36 字符字符串，全局唯一)
-- **时间戳**: INTEGER 存储 Unix 毫秒时间戳 (`integer({ mode: 'timestamp_ms' })`)
-  - Drizzle 自动转换 `Date` ↔ `number`
-- **布尔值**: INTEGER 存储 0/1 (`integer({ mode: 'boolean' })`)
-  - Drizzle 自动转换 `boolean` ↔ `0/1`
-
-**数据库连接**:
-```typescript
-import { drizzle } from 'drizzle-orm/better-sqlite3'
-import Database from 'better-sqlite3'
-import { mkdirSync } from 'node:fs'
-import { dirname } from 'node:path'
-
-export const createDB = () => {
-  const dbPath = env.DATABASE_URL
-  if (dbPath !== ':memory:') {
-    mkdirSync(dirname(dbPath), { recursive: true })
-  }
-  const sqlite = new Database(dbPath)
-  return drizzle(sqlite, { schema })
-}
-```
-
-**注意事项**:
-- SQLite 是文件数据库，适合嵌入环境和单实例应用
-- 不支持多进程并发写入
-- 数据库文件和 WAL 文件 (`.db-shm`, `.db-wal`) 已添加到 `.gitignore`
-- `better-sqlite3` 是原生模块，构建时需匹配生产环境 OS 和架构
-
-### AGENTS.md 文档维护原则
-
-**核心原则**：AGENTS.md 只记录当前项目状态，不记录重构历史
-
-1. **当前状态优先**：只描述项目当前使用的技术栈、架构和最佳实践
-2. **无需向后兼容**：不保留旧技术栈的文档，重构后直接更新为新状态
-3. **避免历史记录**：不记录"从 X 迁移到 Y"的过程，只记录"当前使用 Y"
-4. **保持简洁**：删除过时信息，避免上下文过长影响 AI 理解
-5. **及时同步**：架构变更后立即更新文档，确保文档与代码一致
-
-**何时更新 AGENTS.md**：
-- 更换技术栈（如数据库、框架）
-- 修改项目架构或目录结构
-- 添加/移除重要依赖
-- 发现重要的最佳实践或经验教训
-
-**何时不更新 AGENTS.md**：
-- 日常功能开发
-- Bug 修复
-- 代码重构（不涉及架构变更）
-- 临时实验或 POC
-
----
-
-**最后更新**: 2026-01-26
-**项目版本**: 基于 package.json 依赖版本

apps/server/biome.json

@@ -3,5 +3,10 @@
   "extends": "//",
   "files": {
     "includes": ["**", "!**/routeTree.gen.ts"]
+  },
+  "css": {
+    "parser": {
+      "tailwindDirectives": true
+    }
   }
 }

apps/server/build.ts

@@ -1,289 +0,0 @@
-import { Schema } from '@effect/schema'
-import { $ } from 'bun'
-import { Console, Context, Data, Effect, Layer } from 'effect'
-
-// ============================================================================
-// Domain Models & Schema
-// ============================================================================
-
-const BunTargetSchema = Schema.Literal(
-  'bun-windows-x64',
-  'bun-darwin-arm64',
-  'bun-darwin-x64',
-  'bun-linux-x64',
-  'bun-linux-arm64',
-)
-
-/**
- * 将 bun target 转换为文件后缀 (去掉 'bun-' 前缀)
- */
-const getTargetSuffix = (target: BunTarget): string => {
-  return target.replace('bun-', '')
-}
-
-type BunTarget = Schema.Schema.Type<typeof BunTargetSchema>
-
-const BuildConfigSchema = Schema.Struct({
-  entrypoint: Schema.String.pipe(Schema.nonEmptyString()),
-  outputDir: Schema.String.pipe(Schema.nonEmptyString()),
-  outfile: Schema.String.pipe(Schema.nonEmptyString()),
-  targets: Schema.Array(BunTargetSchema).pipe(Schema.minItems(1)),
-})
-
-type BuildConfig = Schema.Schema.Type<typeof BuildConfigSchema>
-
-const BuildResultSchema = Schema.Struct({
-  target: BunTargetSchema,
-  outputs: Schema.Array(Schema.String),
-})
-
-type BuildResult = Schema.Schema.Type<typeof BuildResultSchema>
-
-// ============================================================================
-// Error Models (使用 Data.TaggedError)
-// ============================================================================
-
-class CleanError extends Data.TaggedError('CleanError')<{
-  readonly dir: string
-  readonly cause: unknown
-}> {}
-
-class BuildError extends Data.TaggedError('BuildError')<{
-  readonly target: BunTarget
-  readonly cause: unknown
-}> {}
-
-class ConfigError extends Data.TaggedError('ConfigError')<{
-  readonly message: string
-  readonly cause: unknown
-}> {}
-
-// ============================================================================
-// Services
-// ============================================================================
-
-/**
- * 配置服务
- */
-class BuildConfigService extends Context.Tag('BuildConfigService')<
-  BuildConfigService,
-  BuildConfig
->() {
-  /**
-   * 从原始数据创建并验证配置
-   */
-  static fromRaw = (raw: unknown) =>
-    Effect.gen(function* () {
-      const decoded = yield* Schema.decodeUnknown(BuildConfigSchema)(raw)
-      return decoded
-    }).pipe(
-      Effect.catchAll((error) =>
-        Effect.fail(
-          new ConfigError({
-            message: '配置验证失败',
-            cause: error,
-          }),
-        ),
-      ),
-    )
-
-  /**
-   * 默认配置 Layer
-   */
-  static readonly Live = Layer.effect(
-    BuildConfigService,
-    BuildConfigService.fromRaw({
-      entrypoint: '.output/server/index.mjs',
-      outputDir: 'out',
-      outfile: 'server',
-      targets: ['bun-windows-x64', 'bun-darwin-arm64', 'bun-linux-x64'],
-    } satisfies BuildConfig),
-  )
-}
-
-/**
- * 文件系统服务
- */
-class FileSystemService extends Context.Tag('FileSystemService')<
-  FileSystemService,
-  {
-    readonly cleanDir: (dir: string) => Effect.Effect<void, CleanError>
-  }
->() {
-  static readonly Live = Layer.succeed(FileSystemService, {
-    cleanDir: (dir: string) =>
-      Effect.tryPromise({
-        try: async () => {
-          await $`rm -rf ${dir}`
-        },
-        catch: (cause: unknown) =>
-          new CleanError({
-            dir,
-            cause,
-          }),
-      }),
-  })
-}
-
-/**
- * 构建服务
- */
-class BuildService extends Context.Tag('BuildService')<
-  BuildService,
-  {
-    readonly buildForTarget: (
-      config: BuildConfig,
-      target: BunTarget,
-    ) => Effect.Effect<BuildResult, BuildError>
-    readonly buildAll: (
-      config: BuildConfig,
-    ) => Effect.Effect<ReadonlyArray<BuildResult>, BuildError>
-  }
->() {
-  static readonly Live = Layer.succeed(BuildService, {
-    buildForTarget: (config: BuildConfig, target: BunTarget) =>
-      Effect.gen(function* () {
-        yield* Console.log(`🔨 开始构建: ${target}`)
-
-        const output = yield* Effect.tryPromise({
-          try: () =>
-            Bun.build({
-              entrypoints: [config.entrypoint],
-              compile: {
-                outfile: `${config.outfile}-${getTargetSuffix(target)}`,
-                target: target,
-              },
-              outdir: config.outputDir,
-            }),
-          catch: (cause: unknown) =>
-            new BuildError({
-              target,
-              cause,
-            }),
-        })
-
-        const paths = output.outputs.map((item: { path: string }) => item.path)
-
-        return {
-          target,
-          outputs: paths,
-        } satisfies BuildResult
-      }),
-
-    buildAll: (config: BuildConfig) =>
-      Effect.gen(function* () {
-        const effects = config.targets.map((target) =>
-          Effect.gen(function* () {
-            yield* Console.log(`🔨 开始构建: ${target}`)
-
-            const output = yield* Effect.tryPromise({
-              try: () =>
-                Bun.build({
-                  entrypoints: [config.entrypoint],
-                  compile: {
-                    outfile: `${config.outfile}-${getTargetSuffix(target)}`,
-                    target: target,
-                  },
-                  outdir: config.outputDir,
-                }),
-              catch: (cause: unknown) =>
-                new BuildError({
-                  target,
-                  cause,
-                }),
-            })
-
-            const paths = output.outputs.map(
-              (item: { path: string }) => item.path,
-            )
-
-            return {
-              target,
-              outputs: paths,
-            } satisfies BuildResult
-          }),
-        )
-        return yield* Effect.all(effects, { concurrency: 'unbounded' })
-      }),
-  })
-}
-
-/**
- * 报告服务
- */
-class ReporterService extends Context.Tag('ReporterService')<
-  ReporterService,
-  {
-    readonly printSummary: (
-      results: ReadonlyArray<BuildResult>,
-    ) => Effect.Effect<void>
-  }
->() {
-  static readonly Live = Layer.succeed(ReporterService, {
-    printSummary: (results: ReadonlyArray<BuildResult>) =>
-      Effect.gen(function* () {
-        yield* Console.log('\n📦 构建完成:')
-        for (const result of results) {
-          yield* Console.log(`  ${result.target}:`)
-          for (const path of result.outputs) {
-            yield* Console.log(`    - ${path}`)
-          }
-        }
-      }),
-  })
-}
-
-// ============================================================================
-// Main Program
-// ============================================================================
-
-const program = Effect.gen(function* () {
-  const config = yield* BuildConfigService
-  const fs = yield* FileSystemService
-  const builder = yield* BuildService
-  const reporter = yield* ReporterService
-
-  // 1. 清理输出目录
-  yield* fs.cleanDir(config.outputDir)
-  yield* Console.log(`✓ 已清理输出目录: ${config.outputDir}`)
-
-  // 2. 并行构建所有目标
-  const results = yield* builder.buildAll(config)
-
-  // 3. 输出构建摘要
-  yield* reporter.printSummary(results)
-
-  return results
-})
-
-// ============================================================================
-// Layer Composition
-// ============================================================================
-
-const MainLayer = Layer.mergeAll(
-  BuildConfigService.Live,
-  FileSystemService.Live,
-  BuildService.Live,
-  ReporterService.Live,
-)
-
-// ============================================================================
-// Runner
-// ============================================================================
-
-const runnable = program.pipe(
-  Effect.provide(MainLayer),
-  Effect.catchTags({
-    CleanError: (error) =>
-      Console.error(`❌ 清理目录失败: ${error.dir}`, error.cause),
-    BuildError: (error) =>
-      Console.error(`❌ 构建失败 [${error.target}]:`, error.cause),
-    ConfigError: (error) =>
-      Console.error(`❌ 配置错误: ${error.message}`, error.cause),
-  }),
-  Effect.tapErrorCause((cause) => Console.error('❌ 未预期的错误:', cause)),
-)
-
-Effect.runPromise(runnable).catch(() => {
-  process.exit(1)
-})

apps/server/compile.ts

@@ -0,0 +1,64 @@
+import { mkdir, rm } from 'node:fs/promises'
+import { parseArgs } from 'node:util'
+
+const ENTRYPOINT = '.output/server/index.mjs'
+const OUTDIR = 'out'
+
+const SUPPORTED_TARGETS: readonly Bun.Build.CompileTarget[] = [
+  'bun-windows-x64',
+  'bun-darwin-arm64',
+  'bun-darwin-x64',
+  'bun-linux-x64',
+  'bun-linux-arm64',
+]
+
+const isSupportedTarget = (value: string): value is Bun.Build.CompileTarget =>
+  (SUPPORTED_TARGETS as readonly string[]).includes(value)
+
+const { values } = parseArgs({
+  options: { target: { type: 'string' } },
+  strict: true,
+  allowPositionals: false,
+})
+
+const resolveTarget = (): Bun.Build.CompileTarget => {
+  if (values.target !== undefined) {
+    if (!isSupportedTarget(values.target)) {
+      throw new Error(`Invalid target: ${values.target}\nAllowed: ${SUPPORTED_TARGETS.join(', ')}`)
+    }
+    return values.target
+  }
+
+  const os = process.platform === 'win32' ? 'windows' : process.platform
+  const candidate = `bun-${os}-${process.arch}`
+  if (!isSupportedTarget(candidate)) {
+    throw new Error(`Unsupported host: ${process.platform}-${process.arch}`)
+  }
+  return candidate
+}
+
+const main = async () => {
+  const target = resolveTarget()
+  const suffix = target.replace('bun-', '')
+  const outfile = `server-${suffix}`
+
+  await mkdir(OUTDIR, { recursive: true })
+  await Promise.all([rm(`${OUTDIR}/${outfile}`, { force: true }), rm(`${OUTDIR}/${outfile}.exe`, { force: true })])
+
+  const result = await Bun.build({
+    entrypoints: [ENTRYPOINT],
+    outdir: OUTDIR,
+    compile: { outfile, target },
+  })
+
+  if (!result.success) {
+    throw new Error(result.logs.map(String).join('\n'))
+  }
+
+  console.log(`✓ ${target} → ${OUTDIR}/${outfile}`)
+}
+
+main().catch((err) => {
+  console.error('❌', err instanceof Error ? err.message : err)
+  process.exit(1)
+})

apps/server/drizzle.config.ts

@@ -1,11 +1,12 @@
 import { defineConfig } from 'drizzle-kit'
-import { env } from '@/env'
+
+const databasePath = process.env.DATABASE_PATH ?? 'data.db'
 
 export default defineConfig({
   out: './drizzle',
   schema: './src/server/db/schema/index.ts',
   dialect: 'sqlite',
   dbCredentials: {
-    url: env.DATABASE_URL,
+    url: databasePath,
   },
 })

apps/server/drizzle/0000_messy_goliath.sql

@@ -1,18 +0,0 @@
-CREATE TABLE `device_info` (
-	`id` text PRIMARY KEY NOT NULL,
-	`created_at` integer NOT NULL,
-	`updated_at` integer NOT NULL,
-	`fingerprint` text NOT NULL,
-	`fingerprint_quality` text NOT NULL,
-	`license` text,
-	`license_activated_at` integer
-);
---> statement-breakpoint
-CREATE UNIQUE INDEX `device_info_fingerprint_unique` ON `device_info` (`fingerprint`);--> statement-breakpoint
-CREATE TABLE `todo` (
-	`id` text PRIMARY KEY NOT NULL,
-	`created_at` integer NOT NULL,
-	`updated_at` integer NOT NULL,
-	`title` text NOT NULL,
-	`completed` integer DEFAULT false NOT NULL
-);

apps/server/drizzle/0001_watery_mongu.sql

@@ -1,10 +0,0 @@
-CREATE TABLE `license_activation` (
-	`id` text PRIMARY KEY NOT NULL,
-	`created_at` integer NOT NULL,
-	`updated_at` integer NOT NULL,
-	`fingerprint` text NOT NULL,
-	`license` text,
-	`license_activated_at` integer
-);
---> statement-breakpoint
-CREATE UNIQUE INDEX `license_activation_fingerprint_unique` ON `license_activation` (`fingerprint`);

apps/server/drizzle/0002_dizzy_kingpin.sql

@@ -1,2 +0,0 @@
-DROP TABLE `device_info`;--> statement-breakpoint
-DROP TABLE `todo`;

apps/server/drizzle/meta/0000_snapshot.json

@@ -1,129 +0,0 @@
-{
-  "version": "6",
-  "dialect": "sqlite",
-  "id": "09c29147-479a-4490-8223-db64c71c910f",
-  "prevId": "00000000-0000-0000-0000-000000000000",
-  "tables": {
-    "device_info": {
-      "name": "device_info",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint": {
-          "name": "fingerprint",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint_quality": {
-          "name": "fingerprint_quality",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "license": {
-          "name": "license",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        },
-        "license_activated_at": {
-          "name": "license_activated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        }
-      },
-      "indexes": {
-        "device_info_fingerprint_unique": {
-          "name": "device_info_fingerprint_unique",
-          "columns": ["fingerprint"],
-          "isUnique": true
-        }
-      },
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    },
-    "todo": {
-      "name": "todo",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "title": {
-          "name": "title",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "completed": {
-          "name": "completed",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false,
-          "default": false
-        }
-      },
-      "indexes": {},
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    }
-  },
-  "views": {},
-  "enums": {},
-  "_meta": {
-    "schemas": {},
-    "tables": {},
-    "columns": {}
-  },
-  "internal": {
-    "indexes": {}
-  }
-}

apps/server/drizzle/meta/0001_snapshot.json

@@ -1,187 +0,0 @@
-{
-  "version": "6",
-  "dialect": "sqlite",
-  "id": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
-  "prevId": "09c29147-479a-4490-8223-db64c71c910f",
-  "tables": {
-    "device_info": {
-      "name": "device_info",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint": {
-          "name": "fingerprint",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint_quality": {
-          "name": "fingerprint_quality",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "license": {
-          "name": "license",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        },
-        "license_activated_at": {
-          "name": "license_activated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        }
-      },
-      "indexes": {
-        "device_info_fingerprint_unique": {
-          "name": "device_info_fingerprint_unique",
-          "columns": ["fingerprint"],
-          "isUnique": true
-        }
-      },
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    },
-    "license_activation": {
-      "name": "license_activation",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint": {
-          "name": "fingerprint",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "license": {
-          "name": "license",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        },
-        "license_activated_at": {
-          "name": "license_activated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        }
-      },
-      "indexes": {
-        "license_activation_fingerprint_unique": {
-          "name": "license_activation_fingerprint_unique",
-          "columns": ["fingerprint"],
-          "isUnique": true
-        }
-      },
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    },
-    "todo": {
-      "name": "todo",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "title": {
-          "name": "title",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "completed": {
-          "name": "completed",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false,
-          "default": false
-        }
-      },
-      "indexes": {},
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    }
-  },
-  "views": {},
-  "enums": {},
-  "_meta": {
-    "schemas": {},
-    "tables": {},
-    "columns": {}
-  },
-  "internal": {
-    "indexes": {}
-  }
-}

apps/server/drizzle/meta/0002_snapshot.json

@@ -1,76 +0,0 @@
-{
-  "version": "6",
-  "dialect": "sqlite",
-  "id": "2bdd10cc-8e14-4843-931a-37b1d00f21a6",
-  "prevId": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
-  "tables": {
-    "license_activation": {
-      "name": "license_activation",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "fingerprint": {
-          "name": "fingerprint",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "autoincrement": false
-        },
-        "license": {
-          "name": "license",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        },
-        "license_activated_at": {
-          "name": "license_activated_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": false,
-          "autoincrement": false
-        }
-      },
-      "indexes": {
-        "license_activation_fingerprint_unique": {
-          "name": "license_activation_fingerprint_unique",
-          "columns": ["fingerprint"],
-          "isUnique": true
-        }
-      },
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "checkConstraints": {}
-    }
-  },
-  "views": {},
-  "enums": {},
-  "_meta": {
-    "schemas": {},
-    "tables": {},
-    "columns": {}
-  },
-  "internal": {
-    "indexes": {}
-  }
-}

apps/server/drizzle/meta/_journal.json

@@ -1,27 +0,0 @@
-{
-  "version": "7",
-  "dialect": "sqlite",
-  "entries": [
-    {
-      "idx": 0,
-      "version": "6",
-      "when": 1769409553227,
-      "tag": "0000_messy_goliath",
-      "breakpoints": true
-    },
-    {
-      "idx": 1,
-      "version": "6",
-      "when": 1769409970060,
-      "tag": "0001_watery_mongu",
-      "breakpoints": true
-    },
-    {
-      "idx": 2,
-      "version": "6",
-      "when": 1769412006512,
-      "tag": "0002_dizzy_kingpin",
-      "breakpoints": true
-    }
-  ]
-}

apps/server/package.json

@@ -4,18 +4,26 @@
   "private": true,
   "type": "module",
   "scripts": {
-    "build": "vite build",
+    "build": "bunx --bun vite build",
-    "compile": "bun build.ts",
+    "compile": "bun compile.ts",
-    "db:generate": "drizzle-kit generate",
+    "compile:darwin": "bun run compile:darwin:arm64 && bun run compile:darwin:x64",
-    "db:migrate": "drizzle-kit migrate",
+    "compile:darwin:arm64": "bun compile.ts --target bun-darwin-arm64",
-    "db:push": "drizzle-kit push",
+    "compile:darwin:x64": "bun compile.ts --target bun-darwin-x64",
-    "db:studio": "drizzle-kit studio",
+    "compile:linux": "bun run compile:linux:x64 && bun run compile:linux:arm64",
-    "dev": "vite dev",
+    "compile:linux:arm64": "bun compile.ts --target bun-linux-arm64",
-    "fix": "biome check --write .",
+    "compile:linux:x64": "bun compile.ts --target bun-linux-x64",
+    "compile:windows": "bun run compile:windows:x64",
+    "compile:windows:x64": "bun compile.ts --target bun-windows-x64",
+    "db:generate": "bun --bun drizzle-kit generate",
+    "db:migrate": "bun --bun drizzle-kit migrate",
+    "db:push": "bun --bun drizzle-kit push",
+    "db:studio": "bun --bun drizzle-kit studio",
+    "dev": "bunx --bun vite dev",
+    "fix": "biome check --write",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@isaacs/ttlcache": "catalog:",
+    "@furtherverse/crypto": "workspace:*",
     "@orpc/client": "catalog:",
     "@orpc/contract": "catalog:",
     "@orpc/openapi": "catalog:",
@@ -28,9 +36,8 @@
     "@tanstack/react-router-ssr-query": "catalog:",
     "@tanstack/react-start": "catalog:",
     "drizzle-orm": "catalog:",
-    "drizzle-zod": "catalog:",
+    "jszip": "catalog:",
-    "ohash": "catalog:",
+    "lossless-json": "catalog:",
-    "better-sqlite3": "catalog:",
     "react": "catalog:",
     "react-dom": "catalog:",
     "systeminformation": "catalog:",
@@ -38,23 +45,18 @@
     "zod": "catalog:"
   },
   "devDependencies": {
-    "@effect/platform": "catalog:",
-    "@effect/schema": "catalog:",
     "@furtherverse/tsconfig": "workspace:*",
     "@tailwindcss/vite": "catalog:",
     "@tanstack/devtools-vite": "catalog:",
     "@tanstack/react-devtools": "catalog:",
     "@tanstack/react-query-devtools": "catalog:",
     "@tanstack/react-router-devtools": "catalog:",
-    "@types/better-sqlite3": "catalog:",
     "@types/bun": "catalog:",
     "@vitejs/plugin-react": "catalog:",
     "babel-plugin-react-compiler": "catalog:",
     "drizzle-kit": "catalog:",
-    "effect": "catalog:",
     "nitro": "catalog:",
     "tailwindcss": "catalog:",
-    "typescript": "catalog:",
     "vite": "catalog:",
     "vite-tsconfig-paths": "catalog:"
   }

apps/server/src/client/orpc.ts

@@ -1,6 +1,7 @@
 import { createORPCClient } from '@orpc/client'
 import { RPCLink } from '@orpc/client/fetch'
 import { createRouterClient } from '@orpc/server'
+import { createTanstackQueryUtils } from '@orpc/tanstack-query'
 import { createIsomorphicFn } from '@tanstack/react-start'
 import { getRequestHeaders } from '@tanstack/react-start/server'
 import { router } from '@/server/api/routers'
@@ -21,4 +22,6 @@ const getORPCClient = createIsomorphicFn()
     return createORPCClient<RouterClient>(link)
   })
 
-export const orpc: RouterClient = getORPCClient()
+const client: RouterClient = getORPCClient()
+
+export const orpc = createTanstackQueryUtils(client)

apps/server/src/client/query-client.ts

@@ -1,6 +0,0 @@
-import { createTanstackQueryUtils } from '@orpc/tanstack-query'
-import { orpc as orpcClient } from './orpc.client'
-
-export const orpc = createTanstackQueryUtils(orpcClient, {
-  experimental_defaults: {},
-})

apps/server/src/env.ts

@@ -3,7 +3,7 @@ import { z } from 'zod'
 
 export const env = createEnv({
   server: {
-    DATABASE_URL: z.string().min(1),
+    DATABASE_PATH: z.string().min(1).default('data.db'),
   },
   clientPrefix: 'VITE_',
   client: {

apps/server/src/lib/crypto.ts

@@ -1,109 +0,0 @@
-import {
-  constants,
-  createPrivateKey,
-  createPublicKey,
-  privateDecrypt,
-  publicEncrypt,
-} from 'node:crypto'
-
-// 对应 Java: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
-const OAEP_HASH = 'sha256'
-
-/**
- * 使用 Base64 编码的公钥加密明文
- *
- * 加密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
- * 公钥格式: SPKI/DER (对应 Java X509EncodedKeySpec)
- *
- * @param plainText - 待加密的明文字符串
- * @param publicKeyBase64 - Base64 编码的公钥 (DER/SPKI 格式)
- * @returns Base64 编码的加密数据
- * @throws {Error} 加密失败时抛出错误
- *
- * @example
- * ```typescript
- * const publicKey = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...'
- * const encrypted = encrypt('sensitive data', publicKey)
- * console.log(encrypted) // "a3f5e8c2d1b4..."
- * ```
- */
-export function encrypt(plainText: string, publicKeyBase64: string): string {
-  const buffer = Buffer.from(plainText, 'utf-8')
-  const keyBuffer = Buffer.from(publicKeyBase64, 'base64')
-
-  try {
-    // 1. 先创建 KeyObject，在这里指定密钥的格式 (DER/SPKI)
-    const publicKey = createPublicKey({
-      key: keyBuffer,
-      format: 'der',
-      type: 'spki', // 对应 Java X509EncodedKeySpec
-    })
-
-    // 2. 使用 KeyObject 进行加密，在这里指定 Padding 模式
-    const encrypted = publicEncrypt(
-      {
-        key: publicKey,
-        padding: constants.RSA_PKCS1_OAEP_PADDING,
-        oaepHash: OAEP_HASH,
-      },
-      buffer,
-    )
-
-    return encrypted.toString('base64')
-  } catch (error) {
-    throw new Error(
-      `Encryption failed: ${error instanceof Error ? error.message : String(error)}`,
-    )
-  }
-}
-
-/**
- * 使用 Base64 编码的私钥解密数据
- *
- * 解密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
- * 私钥格式: PKCS8/DER (对应 Java PKCS8EncodedKeySpec)
- *
- * @param encryptedData - Base64 编码的加密数据
- * @param privateKeyBase64 - Base64 编码的私钥 (DER/PKCS8 格式)
- * @returns 解密后的明文字符串
- * @throws {Error} 解密失败时抛出错误
- *
- * @example
- * ```typescript
- * const privateKey = 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...'
- * const decrypted = decrypt('a3f5e8c2d1b4...', privateKey)
- * console.log(decrypted) // "sensitive data"
- * ```
- */
-export function decrypt(
-  encryptedData: string,
-  privateKeyBase64: string,
-): string {
-  const buffer = Buffer.from(encryptedData, 'base64')
-  const keyBuffer = Buffer.from(privateKeyBase64, 'base64')
-
-  try {
-    // 1. 先创建 KeyObject，在这里指定密钥的格式 (DER/PKCS8)
-    const privateKey = createPrivateKey({
-      key: keyBuffer,
-      format: 'der',
-      type: 'pkcs8', // 对应 Java PKCS8EncodedKeySpec
-    })
-
-    // 2. 使用 KeyObject 进行解密
-    const decrypted = privateDecrypt(
-      {
-        key: privateKey,
-        padding: constants.RSA_PKCS1_OAEP_PADDING,
-        oaepHash: OAEP_HASH,
-      },
-      buffer,
-    )
-
-    return decrypted.toString('utf-8')
-  } catch (error) {
-    throw new Error(
-      `Decryption failed: ${error instanceof Error ? error.message : String(error)}`,
-    )
-  }
-}

apps/server/src/lib/fingerprint.ts

@@ -1,233 +0,0 @@
-import { TTLCache } from '@isaacs/ttlcache'
-import { hash } from 'ohash'
-import si from 'systeminformation'
-
-/**
- * 硬件指纹质量等级
- * - strong: 2+ 个强标识符可用(推荐用于生产授权)
- * - medium: 1 个强标识符可用(可用但不理想)
- * - weak: 无强标识符(仅适合开发/测试)
- */
-export type FingerprintQuality = 'strong' | 'medium' | 'weak'
-
-/**
- * 标准化的系统信息(用于机器码生成)
- */
-export type NormalizedSystemInfo = {
-  /** 系统 UUID(最稳定的硬件标识符) */
-  systemUuid: string | null
-  /** 系统序列号 */
-  systemSerial: string | null
-  /** 主板序列号 */
-  baseboardSerial: string | null
-  /** 主板制造商 */
-  baseboardManufacturer: string | null
-  /** BIOS 版本 */
-  biosVersion: string | null
-  /** BIOS 供应商 */
-  biosVendor: string | null
-  /** CPU 品牌标识(用于质量评估) */
-  cpuBrand: string | null
-  /** 主硬盘序列号(可选,高稳定性) */
-  primaryDiskSerial?: string | null
-}
-
-/**
- * 硬件指纹配置选项
- */
-export type HardwareFingerprintOptions = {
-  /**
-   * 缓存 TTL(毫秒),默认 10 分钟
-   * 硬件信息变化频率极低,缓存可大幅提升性能
-   */
-  cacheTtlMs?: number
-
-  /**
-   * 是否包含主硬盘序列号(默认 true)
-   * 注意:在容器/虚拟机环境可能获取失败
-   */
-  includePrimaryDisk?: boolean
-}
-
-/**
- * 硬件指纹响应
- */
-export type HardwareFingerprintResult = {
-  /** 机器码(HMAC-SHA256 哈希,64 字符十六进制) */
-  fingerprint: string
-  /** 指纹质量等级 */
-  quality: FingerprintQuality
-  /** 可用的强标识符数量 */
-  strongIdentifiersCount: number
-  /** 生成时间戳 */
-  timestamp: number
-}
-
-// 缓存实例
-const cache = new TTLCache<'fingerprint', HardwareFingerprintResult>({
-  ttl: 10 * 60 * 1000, // 10 minutes default
-  max: 1, // Only one fingerprint cached
-})
-
-// 防止并发重复请求
-let inFlight: Promise<HardwareFingerprintResult> | null = null
-
-/**
- * 计算指纹质量
- */
-function computeQuality(info: NormalizedSystemInfo): {
-  quality: FingerprintQuality
-  count: number
-} {
-  const strongKeys = [
-    info.systemUuid,
-    info.systemSerial,
-    info.baseboardSerial,
-    info.primaryDiskSerial,
-  ].filter(Boolean).length
-
-  if (strongKeys >= 2) return { quality: 'strong', count: strongKeys }
-  if (strongKeys === 1) return { quality: 'medium', count: strongKeys }
-  return { quality: 'weak', count: 0 }
-}
-
-/**
- * 安全地收集标准化系统信息(容错处理)
- */
-async function collectNormalizedInfo(
-  opts: HardwareFingerprintOptions,
-): Promise<NormalizedSystemInfo> {
-  // 使用 Promise.allSettled 避免单点失败
-  const tasks = await Promise.allSettled([
-    si.uuid(),
-    si.system(),
-    si.baseboard(),
-    si.bios(),
-    si.cpu(),
-    opts.includePrimaryDisk !== false ? si.diskLayout() : Promise.resolve([]),
-  ])
-
-  const [uuidRes, systemRes, baseboardRes, biosRes, cpuRes, diskRes] = tasks
-
-  const uuid = uuidRes.status === 'fulfilled' ? uuidRes.value : null
-  const system = systemRes.status === 'fulfilled' ? systemRes.value : null
-  const baseboard =
-    baseboardRes.status === 'fulfilled' ? baseboardRes.value : null
-  const bios = biosRes.status === 'fulfilled' ? biosRes.value : null
-  const cpu = cpuRes.status === 'fulfilled' ? cpuRes.value : null
-
-  // 提取主硬盘序列号(通常是第一个物理磁盘)
-  let primaryDiskSerial: string | null = null
-  if (diskRes.status === 'fulfilled' && Array.isArray(diskRes.value)) {
-    const disks = diskRes.value as Array<{ serialNum?: string; type?: string }>
-    const physicalDisk = disks.find(
-      (d) => d.type !== 'USB' && d.serialNum && d.serialNum.trim(),
-    )
-    primaryDiskSerial = physicalDisk?.serialNum?.trim() || null
-  }
-
-  return {
-    // 系统级标识符(最稳定)
-    systemUuid: (system?.uuid ?? uuid?.hardware ?? null) || null,
-    systemSerial: (system?.serial ?? null) || null,
-
-    // 主板标识符(次稳定)
-    baseboardSerial: (baseboard?.serial ?? null) || null,
-    baseboardManufacturer: (baseboard?.manufacturer ?? null) || null,
-
-    // BIOS 信息(辅助识别)
-    biosVersion: (bios?.version ?? null) || null,
-    biosVendor: (bios?.vendor ?? null) || null,
-
-    // CPU 信息(辅助识别)
-    cpuBrand: (cpu?.brand ?? null) || null,
-
-    // 磁盘序列号(可选,高稳定性)
-    ...(opts.includePrimaryDisk !== false ? { primaryDiskSerial } : {}),
-  }
-}
-
-/**
-/**
- * 获取硬件指纹(机器码)
- *
- * 适用场景:客户端部署的软件授权、机器绑定
- *
- * 安全说明:
- * - 返回 SHA-256 哈希(Base64URL 编码,43 字符),不可逆推原始硬件信息
- * - 使用 ohash 自动处理对象序列化和哈希
- * - 客户端部署场景:客户可以看到代码,无法使用密钥加密
- * - 安全性依赖硬件信息本身的不可伪造性(来自操作系统)
- * - 自动缓存减少系统调用开销
- *
- * 稳定性:
- * - 优先使用系统 UUID、序列号等不易变更的标识符
- * - 避免网络接口等易变信息
- * - 容错处理,部分信息缺失不影响生成
- *
- * @example
- * ```typescript
- * const result = await getHardwareFingerprint({
- *   cacheTtlMs: 600000, // 10 分钟
- *   includePrimaryDisk: true,
- * })
- *
- * console.log(result.fingerprint) // "a3f5e8c2d1b4..."
- * console.log(result.quality)     // "strong"
- * ```
- */
-export async function getHardwareFingerprint(
-  opts: HardwareFingerprintOptions,
-): Promise<HardwareFingerprintResult> {
-  const ttl = opts.cacheTtlMs ?? 10 * 60 * 1000
-  const now = Date.now()
-
-  // 返回缓存结果
-  const cached = cache.get('fingerprint')
-  if (cached) {
-    return cached
-  }
-
-  // 防止并发重复请求
-  if (inFlight) {
-    return inFlight
-  }
-
-  inFlight = (async () => {
-    // 收集标准化信息
-    const info = await collectNormalizedInfo(opts)
-
-    // 计算质量
-    const { quality, count } = computeQuality(info)
-
-    // 使用 ohash 生成指纹(自动序列化 + SHA-256 + Base64URL)
-    const fingerprint = hash({
-      v: 1, // 版本号,未来如需变更采集策略可递增
-      info,
-    })
-
-    const result: HardwareFingerprintResult = {
-      fingerprint,
-      quality,
-      strongIdentifiersCount: count,
-      timestamp: now,
-    }
-
-    // 更新缓存
-    cache.set('fingerprint', result, { ttl })
-
-    return result
-  })().finally(() => {
-    inFlight = null
-  })
-
-  return inFlight
-}
-
-/**
- * 清除指纹缓存(用于测试或强制刷新)
- */
-export function clearFingerprintCache(): void {
-  cache.clear()
-  inFlight = null
-}

apps/server/src/lib/license-init.ts

@@ -1,40 +0,0 @@
-import { getDB } from '@/server/db'
-import { licenseActivationTable } from '@/server/db/schema'
-import { getHardwareFingerprint } from './fingerprint'
-
-let initPromise: Promise<void> | null = null
-
-export async function ensureLicenseActivationInitialized(): Promise<void> {
-  if (initPromise) return initPromise
-
-  initPromise = (async () => {
-    try {
-      const db = getDB()
-      const result = await getHardwareFingerprint({
-        cacheTtlMs: 10 * 60 * 1000,
-        includePrimaryDisk: true,
-      })
-
-      await db
-        .insert(licenseActivationTable)
-        .values({
-          fingerprint: result.fingerprint,
-          license: null,
-          licenseActivatedAt: null,
-        })
-        .onConflictDoUpdate({
-          target: licenseActivationTable.fingerprint,
-          set: {
-            updatedAt: new Date(),
-          },
-        })
-    } catch (error) {
-      console.error('Failed to initialize license activation:', error)
-      // 重置 promise 以便下次重试
-      initPromise = null
-      throw error
-    }
-  })()
-
-  return initPromise
-}

apps/server/src/routeTree.gen.ts

@@ -9,27 +9,21 @@
 // Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified.
 
 import { Route as rootRouteImport } from './routes/__root'
-import { Route as LicenseRouteImport } from './routes/license'
-import { Route as FingerprintRouteImport } from './routes/fingerprint'
 import { Route as IndexRouteImport } from './routes/index'
+import { Route as ApiHealthRouteImport } from './routes/api/health'
 import { Route as ApiSplatRouteImport } from './routes/api/$'
 import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc.$'
 
-const LicenseRoute = LicenseRouteImport.update({
-  id: '/license',
-  path: '/license',
-  getParentRoute: () => rootRouteImport,
-} as any)
-const FingerprintRoute = FingerprintRouteImport.update({
-  id: '/fingerprint',
-  path: '/fingerprint',
-  getParentRoute: () => rootRouteImport,
-} as any)
 const IndexRoute = IndexRouteImport.update({
   id: '/',
   path: '/',
   getParentRoute: () => rootRouteImport,
 } as any)
+const ApiHealthRoute = ApiHealthRouteImport.update({
+  id: '/api/health',
+  path: '/api/health',
+  getParentRoute: () => rootRouteImport,
+} as any)
 const ApiSplatRoute = ApiSplatRouteImport.update({
   id: '/api/$',
   path: '/api/$',
@@ -43,58 +37,40 @@ const ApiRpcSplatRoute = ApiRpcSplatRouteImport.update({
 
 export interface FileRoutesByFullPath {
   '/': typeof IndexRoute
-  '/fingerprint': typeof FingerprintRoute
-  '/license': typeof LicenseRoute
   '/api/$': typeof ApiSplatRoute
+  '/api/health': typeof ApiHealthRoute
   '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRoutesByTo {
   '/': typeof IndexRoute
-  '/fingerprint': typeof FingerprintRoute
-  '/license': typeof LicenseRoute
   '/api/$': typeof ApiSplatRoute
+  '/api/health': typeof ApiHealthRoute
   '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRoutesById {
   __root__: typeof rootRouteImport
   '/': typeof IndexRoute
-  '/fingerprint': typeof FingerprintRoute
-  '/license': typeof LicenseRoute
   '/api/$': typeof ApiSplatRoute
+  '/api/health': typeof ApiHealthRoute
   '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRouteTypes {
   fileRoutesByFullPath: FileRoutesByFullPath
-  fullPaths: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
+  fullPaths: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
   fileRoutesByTo: FileRoutesByTo
-  to: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
+  to: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
-  id: '__root__' | '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$'
+  id: '__root__' | '/' | '/api/$' | '/api/health' | '/api/rpc/$'
   fileRoutesById: FileRoutesById
 }
 export interface RootRouteChildren {
   IndexRoute: typeof IndexRoute
-  FingerprintRoute: typeof FingerprintRoute
-  LicenseRoute: typeof LicenseRoute
   ApiSplatRoute: typeof ApiSplatRoute
+  ApiHealthRoute: typeof ApiHealthRoute
   ApiRpcSplatRoute: typeof ApiRpcSplatRoute
 }
 
 declare module '@tanstack/react-router' {
   interface FileRoutesByPath {
-    '/license': {
-      id: '/license'
-      path: '/license'
-      fullPath: '/license'
-      preLoaderRoute: typeof LicenseRouteImport
-      parentRoute: typeof rootRouteImport
-    }
-    '/fingerprint': {
-      id: '/fingerprint'
-      path: '/fingerprint'
-      fullPath: '/fingerprint'
-      preLoaderRoute: typeof FingerprintRouteImport
-      parentRoute: typeof rootRouteImport
-    }
     '/': {
       id: '/'
       path: '/'
@@ -102,6 +78,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof IndexRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/api/health': {
+      id: '/api/health'
+      path: '/api/health'
+      fullPath: '/api/health'
+      preLoaderRoute: typeof ApiHealthRouteImport
+      parentRoute: typeof rootRouteImport
+    }
     '/api/$': {
       id: '/api/$'
       path: '/api/$'
@@ -121,9 +104,8 @@ declare module '@tanstack/react-router' {
 
 const rootRouteChildren: RootRouteChildren = {
   IndexRoute: IndexRoute,
-  FingerprintRoute: FingerprintRoute,
-  LicenseRoute: LicenseRoute,
   ApiSplatRoute: ApiSplatRoute,
+  ApiHealthRoute: ApiHealthRoute,
   ApiRpcSplatRoute: ApiRpcSplatRoute,
 }
 export const routeTree = rootRouteImport

apps/server/src/router.tsx

@@ -5,7 +5,14 @@ import type { RouterContext } from './routes/__root'
 import { routeTree } from './routeTree.gen'
 
 export const getRouter = () => {
-  const queryClient = new QueryClient()
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: {
+        staleTime: 30 * 1000,
+        retry: 1,
+      },
+    },
+  })
 
   const router = createRouter({
     routeTree,

apps/server/src/routes/__root.tsx

@@ -1,15 +1,11 @@
 import { TanStackDevtools } from '@tanstack/react-devtools'
 import type { QueryClient } from '@tanstack/react-query'
 import { ReactQueryDevtoolsPanel } from '@tanstack/react-query-devtools'
-import {
+import { createRootRouteWithContext, HeadContent, Scripts } from '@tanstack/react-router'
-  createRootRouteWithContext,
-  HeadContent,
-  Scripts,
-} from '@tanstack/react-router'
 import { TanStackRouterDevtoolsPanel } from '@tanstack/react-router-devtools'
 import type { ReactNode } from 'react'
 import { ErrorComponent } from '@/components/Error'
-import { NotFoundComponent } from '@/components/NotFount'
+import { NotFoundComponent } from '@/components/NotFound'
 import appCss from '@/styles.css?url'
 
 export interface RouterContext {
@@ -50,6 +46,7 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
       </head>
       <body>
         {children}
+        {import.meta.env.DEV && (
           <TanStackDevtools
             config={{
               position: 'bottom-right',
@@ -65,6 +62,7 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
               },
             ]}
           />
+        )}
         <Scripts />
       </body>
     </html>

apps/server/src/routes/api/$.ts

@@ -1,10 +1,10 @@
 import { OpenAPIHandler } from '@orpc/openapi/fetch'
 import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
-import { ORPCError, onError, ValidationError } from '@orpc/server'
+import { onError } from '@orpc/server'
 import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
 import { createFileRoute } from '@tanstack/react-router'
-import { z } from 'zod'
 import { name, version } from '@/../package.json'
+import { handleValidationError, logError } from '@/server/api/interceptors'
 import { router } from '@/server/api/routers'
 
 const handler = new OpenAPIHandler(router, {
@@ -16,56 +16,16 @@ const handler = new OpenAPIHandler(router, {
         info: {
           title: name,
           version,
+          description:
+            'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用，覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序：\n1) 写入平台公钥；\n2) 写入已签名 licence JSON；\n3) 写入 OpenPGP 私钥；\n4) 读取本机身份状态进行前置校验；\n5) 执行加密/解密与签名接口。\n\n说明：除文件下载接口外，返回体均为 JSON；字段示例已提供，便于联调和 Mock。',
         },
-        // components: {
-        //   securitySchemes: {
-        //     bearerAuth: {
-        //       type: 'http',
-        //       scheme: 'bearer',
-        //     },
-        //   },
-        // },
       },
       docsPath: '/docs',
       specPath: '/spec.json',
     }),
   ],
-  interceptors: [
+  interceptors: [onError(logError)],
-    onError((error) => {
+  clientInterceptors: [onError(handleValidationError)],
-      console.error(error)
-    }),
-  ],
-  clientInterceptors: [
-    onError((error) => {
-      if (
-        error instanceof ORPCError &&
-        error.code === 'BAD_REQUEST' &&
-        error.cause instanceof ValidationError
-      ) {
-        // If you only use Zod you can safely cast to ZodIssue[]
-        const zodError = new z.ZodError(
-          error.cause.issues as z.core.$ZodIssue[],
-        )
-
-        throw new ORPCError('INPUT_VALIDATION_FAILED', {
-          status: 422,
-          message: z.prettifyError(zodError),
-          data: z.flattenError(zodError),
-          cause: error.cause,
-        })
-      }
-
-      if (
-        error instanceof ORPCError &&
-        error.code === 'INTERNAL_SERVER_ERROR' &&
-        error.cause instanceof ValidationError
-      ) {
-        throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
-          cause: error.cause,
-        })
-      }
-    }),
-  ],
 })
 
 export const Route = createFileRoute('/api/$')({

apps/server/src/routes/api/health.ts

@@ -0,0 +1,27 @@
+import { createFileRoute } from '@tanstack/react-router'
+import { name, version } from '@/../package.json'
+
+const createHealthResponse = (): Response =>
+  Response.json(
+    {
+      status: 'ok',
+      service: name,
+      version,
+      timestamp: new Date().toISOString(),
+    },
+    {
+      status: 200,
+      headers: {
+        'cache-control': 'no-store',
+      },
+    },
+  )
+
+export const Route = createFileRoute('/api/health')({
+  server: {
+    handlers: {
+      GET: async () => createHealthResponse(),
+      HEAD: async () => new Response(null, { status: 200 }),
+    },
+  },
+})

apps/server/src/routes/api/rpc.$.ts

@@ -1,46 +1,12 @@
-import { ORPCError, onError, ValidationError } from '@orpc/server'
+import { onError } from '@orpc/server'
 import { RPCHandler } from '@orpc/server/fetch'
 import { createFileRoute } from '@tanstack/react-router'
-import { z } from 'zod'
+import { handleValidationError, logError } from '@/server/api/interceptors'
 import { router } from '@/server/api/routers'
 
 const handler = new RPCHandler(router, {
-  interceptors: [
+  interceptors: [onError(logError)],
-    onError((error) => {
+  clientInterceptors: [onError(handleValidationError)],
-      console.error(error)
-    }),
-  ],
-  clientInterceptors: [
-    onError((error) => {
-      if (
-        error instanceof ORPCError &&
-        error.code === 'BAD_REQUEST' &&
-        error.cause instanceof ValidationError
-      ) {
-        // If you only use Zod you can safely cast to ZodIssue[]
-        const zodError = new z.ZodError(
-          error.cause.issues as z.core.$ZodIssue[],
-        )
-
-        throw new ORPCError('INPUT_VALIDATION_FAILED', {
-          status: 422,
-          message: z.prettifyError(zodError),
-          data: z.flattenError(zodError),
-          cause: error.cause,
-        })
-      }
-
-      if (
-        error instanceof ORPCError &&
-        error.code === 'INTERNAL_SERVER_ERROR' &&
-        error.cause instanceof ValidationError
-      ) {
-        throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
-          cause: error.cause,
-        })
-      }
-    }),
-  ],
 })
 
 export const Route = createFileRoute('/api/rpc/$')({

apps/server/src/routes/fingerprint.tsx

@@ -1,301 +0,0 @@
-import { useSuspenseQuery } from '@tanstack/react-query'
-import { createFileRoute } from '@tanstack/react-router'
-import { useEffect, useState } from 'react'
-import { orpc } from '@/client/query-client'
-
-export const Route = createFileRoute('/fingerprint')({
-  component: FingerprintPage,
-  loader: async ({ context }) => {
-    await context.queryClient.ensureQueryData(
-      orpc.fingerprint.get.queryOptions(),
-    )
-  },
-})
-
-function FingerprintPage() {
-  const query = useSuspenseQuery(orpc.fingerprint.get.queryOptions())
-  const [copied, setCopied] = useState(false)
-
-  const data = query.data
-
-  useEffect(() => {
-    if (copied) {
-      const timer = setTimeout(() => setCopied(false), 2000)
-      return () => clearTimeout(timer)
-    }
-  }, [copied])
-
-  const handleCopy = async () => {
-    await navigator.clipboard.writeText(data.fingerprint)
-    setCopied(true)
-  }
-
-  const qualityConfig = {
-    strong: {
-      label: '强',
-      color: 'text-green-600',
-      bg: 'bg-green-50',
-      border: 'border-green-200',
-      icon: '✓',
-      description: '推荐用于生产授权',
-    },
-    medium: {
-      label: '中',
-      color: 'text-yellow-600',
-      bg: 'bg-yellow-50',
-      border: 'border-yellow-200',
-      icon: '!',
-      description: '可用但不理想',
-    },
-    weak: {
-      label: '弱',
-      color: 'text-red-600',
-      bg: 'bg-red-50',
-      border: 'border-red-200',
-      icon: '×',
-      description: '仅适合开发/测试',
-    },
-  }
-
-  const config = qualityConfig[data.quality]
-
-  return (
-    <div className="min-h-screen bg-gradient-to-br from-slate-50 via-blue-50 to-slate-50 py-12 px-4 sm:px-6 font-sans">
-      <div className="max-w-4xl mx-auto space-y-8">
-        {/* Header */}
-        <div className="text-center space-y-3">
-          <h1 className="text-4xl font-bold text-slate-900 tracking-tight">
-            硬件指纹
-          </h1>
-          <p className="text-slate-500 text-lg">用于软件授权和机器码识别</p>
-        </div>
-
-        {/* Main Card */}
-        <div className="bg-white rounded-3xl shadow-xl border border-slate-100 overflow-hidden">
-          {/* Quality Badge */}
-          <div className={`px-8 py-6 border-b ${config.bg} ${config.border}`}>
-            <div className="flex items-center justify-between">
-              <div className="flex items-center gap-3">
-                <div
-                  className={`w-12 h-12 rounded-full ${config.bg} border-2 ${config.border} flex items-center justify-center text-2xl font-bold ${config.color}`}
-                >
-                  {config.icon}
-                </div>
-                <div>
-                  <div className="flex items-center gap-2">
-                    <span className="text-sm font-medium text-slate-600">
-                      指纹质量
-                    </span>
-                    <span
-                      className={`px-3 py-1 rounded-full text-sm font-semibold ${config.bg} ${config.color} border ${config.border}`}
-                    >
-                      {config.label}
-                    </span>
-                  </div>
-                  <p className="text-xs text-slate-500 mt-1">
-                    {config.description}
-                  </p>
-                </div>
-              </div>
-              <div className="text-right">
-                <div className="text-3xl font-bold text-slate-900">
-                  {data.strongIdentifiersCount}
-                </div>
-                <div className="text-xs font-medium text-slate-400 uppercase tracking-wider">
-                  强标识符
-                </div>
-              </div>
-            </div>
-          </div>
-
-          {/* Fingerprint Display */}
-          <div className="px-8 py-8">
-            <div className="space-y-4">
-              <div className="flex items-center justify-between">
-                <div className="text-sm font-semibold text-slate-700 uppercase tracking-wider">
-                  机器码
-                </div>
-                <button
-                  type="button"
-                  onClick={handleCopy}
-                  className={`px-4 py-2 rounded-lg font-medium text-sm transition-all ${
-                    copied
-                      ? 'bg-green-100 text-green-700 border-2 border-green-300'
-                      : 'bg-slate-100 text-slate-700 hover:bg-slate-200 border-2 border-slate-200'
-                  }`}
-                >
-                  {copied ? '已复制 ✓' : '复制'}
-                </button>
-              </div>
-
-              <div className="relative group">
-                <div className="absolute inset-0 bg-gradient-to-r from-blue-500 to-purple-500 rounded-xl blur-sm opacity-0 group-hover:opacity-20 transition-opacity" />
-                <div className="relative bg-slate-900 rounded-xl p-6 font-mono text-sm break-all leading-relaxed text-slate-100 shadow-inner border-2 border-slate-800">
-                  {data.fingerprint}
-                </div>
-              </div>
-
-              <div className="flex items-center gap-2 text-xs text-slate-500">
-                <svg
-                  className="w-4 h-4"
-                  fill="none"
-                  viewBox="0 0 24 24"
-                  stroke="currentColor"
-                  aria-hidden="true"
-                >
-                  <title>信息</title>
-                  <path
-                    strokeLinecap="round"
-                    strokeLinejoin="round"
-                    strokeWidth={2}
-                    d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
-                  />
-                </svg>
-                <span>SHA-256 哈希，43 字符 Base64URL 编码</span>
-              </div>
-            </div>
-          </div>
-
-          {/* Metadata */}
-          <div className="px-8 py-6 bg-slate-50 border-t border-slate-100">
-            <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-              <div className="space-y-2">
-                <div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
-                  生成时间
-                </div>
-                <div className="text-lg font-medium text-slate-900">
-                  {new Date(data.timestamp).toLocaleString('zh-CN', {
-                    year: 'numeric',
-                    month: '2-digit',
-                    day: '2-digit',
-                    hour: '2-digit',
-                    minute: '2-digit',
-                    second: '2-digit',
-                  })}
-                </div>
-              </div>
-
-              <div className="space-y-2">
-                <div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
-                  缓存状态
-                </div>
-                <div className="flex items-center gap-2">
-                  <div className="w-2 h-2 rounded-full bg-green-500 animate-pulse" />
-                  <span className="text-lg font-medium text-slate-900">
-                    已缓存 10 分钟
-                  </span>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-
-        {/* Info Cards */}
-        <div className="grid grid-cols-1 md:grid-cols-3 gap-6">
-          <div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
-            <div className="w-10 h-10 rounded-lg bg-blue-100 flex items-center justify-center">
-              <svg
-                className="w-6 h-6 text-blue-600"
-                fill="none"
-                viewBox="0 0 24 24"
-                stroke="currentColor"
-                aria-hidden="true"
-              >
-                <title>安全</title>
-                <path
-                  strokeLinecap="round"
-                  strokeLinejoin="round"
-                  strokeWidth={2}
-                  d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"
-                />
-              </svg>
-            </div>
-            <h3 className="font-semibold text-slate-900">安全性</h3>
-            <p className="text-sm text-slate-600 leading-relaxed">
-              使用 HMAC-SHA256 加密，无法反推原始硬件信息
-            </p>
-          </div>
-
-          <div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
-            <div className="w-10 h-10 rounded-lg bg-purple-100 flex items-center justify-center">
-              <svg
-                className="w-6 h-6 text-purple-600"
-                fill="none"
-                viewBox="0 0 24 24"
-                stroke="currentColor"
-                aria-hidden="true"
-              >
-                <title>稳定性</title>
-                <path
-                  strokeLinecap="round"
-                  strokeLinejoin="round"
-                  strokeWidth={2}
-                  d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"
-                />
-              </svg>
-            </div>
-            <h3 className="font-semibold text-slate-900">稳定性</h3>
-            <p className="text-sm text-slate-600 leading-relaxed">
-              基于系统 UUID、序列号等不易变更的标识符
-            </p>
-          </div>
-
-          <div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
-            <div className="w-10 h-10 rounded-lg bg-green-100 flex items-center justify-center">
-              <svg
-                className="w-6 h-6 text-green-600"
-                fill="none"
-                viewBox="0 0 24 24"
-                stroke="currentColor"
-                aria-hidden="true"
-              >
-                <title>性能</title>
-                <path
-                  strokeLinecap="round"
-                  strokeLinejoin="round"
-                  strokeWidth={2}
-                  d="M13 10V3L4 14h7v7l9-11h-7z"
-                />
-              </svg>
-            </div>
-            <h3 className="font-semibold text-slate-900">高性能</h3>
-            <p className="text-sm text-slate-600 leading-relaxed">
-              自动缓存，减少系统调用开销
-            </p>
-          </div>
-        </div>
-
-        {/* Usage Hint */}
-        <div className="bg-blue-50 border-2 border-blue-200 rounded-2xl p-6">
-          <div className="flex gap-4">
-            <div className="flex-shrink-0">
-              <svg
-                className="w-6 h-6 text-blue-600"
-                fill="none"
-                viewBox="0 0 24 24"
-                stroke="currentColor"
-                aria-hidden="true"
-              >
-                <title>提示</title>
-                <path
-                  strokeLinecap="round"
-                  strokeLinejoin="round"
-                  strokeWidth={2}
-                  d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
-                />
-              </svg>
-            </div>
-            <div className="space-y-2">
-              <h4 className="font-semibold text-blue-900">使用建议</h4>
-              <ul className="text-sm text-blue-800 space-y-1 list-disc list-inside">
-                <li>将机器码存储在授权服务器进行验证</li>
-                <li>建议配合用户账号进行双因素认证</li>
-                <li>同一台机器的指纹保持稳定，便于授权管理</li>
-              </ul>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  )
-}

apps/server/src/routes/index.tsx

@@ -1,4 +1,4 @@
-import { createFileRoute, Link } from '@tanstack/react-router'
+import { createFileRoute } from '@tanstack/react-router'
 
 export const Route = createFileRoute('/')({
   component: Home,
@@ -6,40 +6,15 @@ export const Route = createFileRoute('/')({
 
 function Home() {
   return (
-    <div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans">
+    <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
-      <div className="max-w-2xl mx-auto space-y-8 text-center">
+      <div className="text-center space-y-4">
-        <h1 className="text-4xl font-bold text-slate-900 tracking-tight">
+        <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
-          License 管理系统
+        <p className="text-slate-500">
-        </h1>
+          API:&nbsp;
-        <p className="text-slate-500 text-lg">
+          <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
-          欢迎使用基于 TanStack Start + ORPC 的 License 管理系统
+            /api
+          </a>
         </p>
-
-        <div className="grid grid-cols-1 sm:grid-cols-2 gap-4 mt-8">
-          <Link
-            to="/fingerprint"
-            className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
-          >
-            <h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
-              设备指纹
-            </h2>
-            <p className="text-slate-500 mt-2 text-sm">
-              查询当前设备的硬件指纹信息，用于 License 绑定
-            </p>
-          </Link>
-
-          <Link
-            to="/license"
-            className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
-          >
-            <h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
-              License 激活
-            </h2>
-            <p className="text-slate-500 mt-2 text-sm">
-              管理和激活当前设备的 License 授权状态
-            </p>
-          </Link>
-        </div>
       </div>
     </div>
   )

apps/server/src/routes/license.tsx

@@ -1,463 +0,0 @@
-import {
-  useMutation,
-  useQueryClient,
-  useSuspenseQuery,
-} from '@tanstack/react-query'
-import { createFileRoute } from '@tanstack/react-router'
-import { useState } from 'react'
-import { orpc } from '@/client/query-client'
-
-export const Route = createFileRoute('/license')({
-  component: License,
-})
-
-function License() {
-  const [licenseInput, setLicenseInput] = useState('')
-  const [copySuccess, setCopySuccess] = useState(false)
-  const [showDeactivateConfirm, setShowDeactivateConfirm] = useState(false)
-  const queryClient = useQueryClient()
-
-  // 获取激活状态
-  const { data } = useSuspenseQuery(orpc.license.getActivation.queryOptions())
-
-  // 激活 mutation
-  const activateMutation = useMutation({
-    ...orpc.license.activate.mutationOptions(),
-    onSuccess: () => {
-      // 刷新数据
-      queryClient.invalidateQueries({
-        queryKey: orpc.license.getActivation.key(),
-      })
-      // 清空输入
-      setLicenseInput('')
-    },
-  })
-
-  // 反激活 mutation
-  const deactivateMutation = useMutation({
-    ...orpc.license.deactivate.mutationOptions(),
-    onSuccess: () => {
-      queryClient.invalidateQueries({
-        queryKey: orpc.license.getActivation.key(),
-      })
-      setShowDeactivateConfirm(false)
-    },
-  })
-
-  const handleActivate = () => {
-    if (!licenseInput.trim()) return
-    activateMutation.mutate({ license: licenseInput.trim() })
-  }
-
-  const handleDeactivate = () => {
-    deactivateMutation.mutate()
-  }
-
-  const handleCopyFingerprint = async () => {
-    try {
-      await navigator.clipboard.writeText(data.fingerprint)
-      setCopySuccess(true)
-      setTimeout(() => setCopySuccess(false), 2000)
-    } catch (err) {
-      console.error('Failed to copy fingerprint:', err)
-    }
-  }
-
-  const isActivated = !!data.license
-
-  return (
-    <div className="min-h-screen bg-gray-50 flex items-center justify-center p-4 font-sans">
-      <div className="w-full max-w-2xl space-y-6">
-        {/* 页面标题 */}
-        <div className="text-center mb-8">
-          <h1 className="text-3xl font-bold text-gray-900 tracking-tight">
-            License 激活管理
-          </h1>
-          <p className="text-gray-500 mt-2">管理您的设备授权与激活状态</p>
-        </div>
-
-        {/* 设备信息卡片 */}
-        <div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
-          <div className="p-6">
-            <h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
-              <svg
-                aria-hidden="true"
-                xmlns="http://www.w3.org/2000/svg"
-                width="20"
-                height="20"
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                className="text-blue-500"
-              >
-                <rect x="4" y="4" width="16" height="16" rx="2" ry="2"></rect>
-                <rect x="9" y="9" width="6" height="6"></rect>
-                <line x1="9" y1="1" x2="9" y2="4"></line>
-                <line x1="15" y1="1" x2="15" y2="4"></line>
-                <line x1="9" y1="20" x2="9" y2="23"></line>
-                <line x1="15" y1="20" x2="15" y2="23"></line>
-                <line x1="20" y1="9" x2="23" y2="9"></line>
-                <line x1="20" y1="14" x2="23" y2="14"></line>
-                <line x1="1" y1="9" x2="4" y2="9"></line>
-                <line x1="1" y1="14" x2="4" y2="14"></line>
-              </svg>
-              设备信息
-            </h2>
-            <div className="bg-gray-50 rounded-lg p-4 border border-gray-100">
-              <p className="text-sm text-gray-500 mb-1">
-                设备指纹 (Device Fingerprint)
-              </p>
-              <div className="flex items-center gap-3">
-                <code className="flex-1 font-mono text-sm text-gray-700 break-all select-all">
-                  {data.fingerprint}
-                </code>
-                <button
-                  type="button"
-                  onClick={handleCopyFingerprint}
-                  className={`px-3 py-1.5 rounded-md text-sm font-medium transition-colors flex items-center gap-1.5 ${
-                    copySuccess
-                      ? 'bg-green-100 text-green-700 hover:bg-green-200'
-                      : 'bg-white border border-gray-200 text-gray-700 hover:bg-gray-50 hover:text-gray-900'
-                  }`}
-                >
-                  {copySuccess ? (
-                    <>
-                      <svg
-                        aria-hidden="true"
-                        xmlns="http://www.w3.org/2000/svg"
-                        width="14"
-                        height="14"
-                        viewBox="0 0 24 24"
-                        fill="none"
-                        stroke="currentColor"
-                        strokeWidth="2"
-                        strokeLinecap="round"
-                        strokeLinejoin="round"
-                      >
-                        <polyline points="20 6 9 17 4 12"></polyline>
-                      </svg>
-                      已复制
-                    </>
-                  ) : (
-                    <>
-                      <svg
-                        aria-hidden="true"
-                        xmlns="http://www.w3.org/2000/svg"
-                        width="14"
-                        height="14"
-                        viewBox="0 0 24 24"
-                        fill="none"
-                        stroke="currentColor"
-                        strokeWidth="2"
-                        strokeLinecap="round"
-                        strokeLinejoin="round"
-                      >
-                        <rect
-                          x="9"
-                          y="9"
-                          width="13"
-                          height="13"
-                          rx="2"
-                          ry="2"
-                        ></rect>
-                        <path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"></path>
-                      </svg>
-                      复制
-                    </>
-                  )}
-                </button>
-              </div>
-            </div>
-          </div>
-        </div>
-
-        {/* License 激活卡片 */}
-        <div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
-          <div className="p-6">
-            <h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
-              <svg
-                aria-hidden="true"
-                xmlns="http://www.w3.org/2000/svg"
-                width="20"
-                height="20"
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                className="text-purple-500"
-              >
-                <rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
-                <path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
-              </svg>
-              License 激活
-            </h2>
-
-            <div className="space-y-4">
-              <div>
-                <label
-                  htmlFor="license-key"
-                  className="block text-sm font-medium text-gray-700 mb-1"
-                >
-                  License Key
-                </label>
-                <input
-                  id="license-key"
-                  type="text"
-                  value={licenseInput}
-                  onChange={(e) => setLicenseInput(e.target.value)}
-                  disabled={isActivated || activateMutation.isPending}
-                  placeholder={
-                    isActivated ? '已激活，无需输入' : '请输入您的 License Key'
-                  }
-                  className="w-full px-4 py-2.5 bg-white border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500/20 focus:border-purple-500 outline-none transition-all disabled:bg-gray-100 disabled:text-gray-500 placeholder:text-gray-400"
-                />
-              </div>
-
-              {activateMutation.isError && (
-                <div className="p-3 bg-red-50 border border-red-100 rounded-lg text-red-600 text-sm flex items-start gap-2">
-                  <svg
-                    aria-hidden="true"
-                    xmlns="http://www.w3.org/2000/svg"
-                    width="16"
-                    height="16"
-                    viewBox="0 0 24 24"
-                    fill="none"
-                    stroke="currentColor"
-                    strokeWidth="2"
-                    strokeLinecap="round"
-                    strokeLinejoin="round"
-                    className="mt-0.5 shrink-0"
-                  >
-                    <circle cx="12" cy="12" r="10"></circle>
-                    <line x1="12" y1="8" x2="12" y2="12"></line>
-                    <line x1="12" y1="16" x2="12.01" y2="16"></line>
-                  </svg>
-                  <span>激活失败: 请检查 License 是否正确或稍后重试</span>
-                </div>
-              )}
-
-              <button
-                type="button"
-                onClick={handleActivate}
-                disabled={
-                  isActivated ||
-                  activateMutation.isPending ||
-                  !licenseInput.trim()
-                }
-                className={`w-full px-6 py-2.5 rounded-lg font-medium text-white shadow-sm transition-all focus:outline-none focus:ring-2 focus:ring-offset-2 ${
-                  isActivated
-                    ? 'bg-gray-300 cursor-not-allowed'
-                    : activateMutation.isPending
-                      ? 'bg-purple-500 opacity-80 cursor-wait'
-                      : 'bg-purple-600 hover:bg-purple-700 hover:shadow-md active:scale-[0.99] focus:ring-purple-500'
-                }`}
-              >
-                {activateMutation.isPending ? (
-                  <span className="flex items-center justify-center gap-2">
-                    <svg
-                      aria-hidden="true"
-                      className="animate-spin h-4 w-4 text-white"
-                      xmlns="http://www.w3.org/2000/svg"
-                      fill="none"
-                      viewBox="0 0 24 24"
-                    >
-                      <circle
-                        className="opacity-25"
-                        cx="12"
-                        cy="12"
-                        r="10"
-                        stroke="currentColor"
-                        strokeWidth="4"
-                      ></circle>
-                      <path
-                        className="opacity-75"
-                        fill="currentColor"
-                        d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
-                      ></path>
-                    </svg>
-                    正在激活...
-                  </span>
-                ) : isActivated ? (
-                  '已完成激活'
-                ) : (
-                  '立即激活'
-                )}
-              </button>
-            </div>
-          </div>
-        </div>
-
-        {/* 激活状态卡片 */}
-        <div
-          className={`rounded-xl shadow-sm border overflow-hidden transition-colors ${
-            isActivated
-              ? 'bg-green-50/50 border-green-100'
-              : 'bg-white border-gray-100'
-          }`}
-        >
-          <div className="p-6">
-            <h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
-              <svg
-                aria-hidden="true"
-                xmlns="http://www.w3.org/2000/svg"
-                width="20"
-                height="20"
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                className={isActivated ? 'text-green-500' : 'text-gray-400'}
-              >
-                <path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"></path>
-                <polyline points="22 4 12 14.01 9 11.01"></polyline>
-              </svg>
-              激活状态
-            </h2>
-
-            {isActivated ? (
-              <div className="space-y-3">
-                <div className="flex items-center gap-2 text-green-700 font-medium text-lg">
-                  <svg
-                    aria-hidden="true"
-                    xmlns="http://www.w3.org/2000/svg"
-                    width="24"
-                    height="24"
-                    viewBox="0 0 24 24"
-                    fill="none"
-                    stroke="currentColor"
-                    strokeWidth="2"
-                    strokeLinecap="round"
-                    strokeLinejoin="round"
-                    className="text-green-500"
-                  >
-                    <path d="M12 22c5.523 0 10-4.477 10-10S17.523 2 12 2 2 6.477 2 12s4.477 10 10 10z"></path>
-                    <path d="M9 12l2 2 4-4"></path>
-                  </svg>
-                  <span>License 已激活</span>
-                </div>
-                <div className="pl-8 space-y-1">
-                  <p className="text-gray-600 text-sm">
-                    <span className="font-medium text-gray-700">
-                      当前 License:{' '}
-                    </span>
-                    <span className="font-mono">{data.license}</span>
-                  </p>
-                  {data.licenseActivatedAt && (
-                    <p className="text-gray-500 text-sm">
-                      <span className="font-medium text-gray-700">
-                        激活时间:{' '}
-                      </span>
-                      {new Date(data.licenseActivatedAt).toLocaleString(
-                        'zh-CN',
-                        {
-                          year: 'numeric',
-                          month: '2-digit',
-                          day: '2-digit',
-                          hour: '2-digit',
-                          minute: '2-digit',
-                          second: '2-digit',
-                        },
-                      )}
-                    </p>
-                  )}
-                </div>
-
-                {!showDeactivateConfirm ? (
-                  <button
-                    type="button"
-                    onClick={() => setShowDeactivateConfirm(true)}
-                    className="mt-4 px-4 py-2 bg-red-500 text-white rounded-lg text-sm font-medium hover:bg-red-600 transition-colors shadow-sm"
-                  >
-                    反激活
-                  </button>
-                ) : (
-                  <div className="mt-4 p-4 bg-red-50 rounded-lg border border-red-200">
-                    <p className="text-red-700 text-sm mb-3 flex items-center gap-2">
-                      <svg
-                        aria-hidden="true"
-                        xmlns="http://www.w3.org/2000/svg"
-                        width="16"
-                        height="16"
-                        viewBox="0 0 24 24"
-                        fill="none"
-                        stroke="currentColor"
-                        strokeWidth="2"
-                        strokeLinecap="round"
-                        strokeLinejoin="round"
-                      >
-                        <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3Z" />
-                        <path d="M12 9v4" />
-                        <path d="M12 17h.01" />
-                      </svg>
-                      确定要反激活吗？此操作会清除当前 License。
-                    </p>
-                    <div className="flex gap-2">
-                      <button
-                        type="button"
-                        onClick={handleDeactivate}
-                        disabled={deactivateMutation.isPending}
-                        className="px-4 py-2 bg-red-600 text-white rounded-md text-sm font-medium hover:bg-red-700 disabled:bg-gray-300 transition-colors"
-                      >
-                        {deactivateMutation.isPending
-                          ? '反激活中...'
-                          : '确认反激活'}
-                      </button>
-                      <button
-                        type="button"
-                        onClick={() => setShowDeactivateConfirm(false)}
-                        className="px-4 py-2 bg-gray-200 text-gray-700 rounded-md text-sm font-medium hover:bg-gray-300 transition-colors"
-                      >
-                        取消
-                      </button>
-                    </div>
-                    {deactivateMutation.isError && (
-                      <p className="text-red-500 mt-2 text-xs">
-                        反激活失败，请重试
-                      </p>
-                    )}
-                  </div>
-                )}
-              </div>
-            ) : (
-              <div className="flex items-start gap-3">
-                <svg
-                  aria-hidden="true"
-                  xmlns="http://www.w3.org/2000/svg"
-                  width="24"
-                  height="24"
-                  viewBox="0 0 24 24"
-                  fill="none"
-                  stroke="currentColor"
-                  strokeWidth="2"
-                  strokeLinecap="round"
-                  strokeLinejoin="round"
-                  className="text-orange-500 shrink-0 mt-0.5"
-                >
-                  <path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"></path>
-                  <line x1="12" y1="9" x2="12" y2="13"></line>
-                  <line x1="12" y1="17" x2="12.01" y2="17"></line>
-                </svg>
-                <div>
-                  <p className="text-orange-700 font-medium text-lg mb-1">
-                    未激活
-                  </p>
-                  <p className="text-gray-500 text-sm">
-                    您的设备尚未激活。请在上方输入 License Key
-                    进行激活以解锁全部功能。
-                  </p>
-                </div>
-              </div>
-            )}
-          </div>
-        </div>
-      </div>
-    </div>
-  )
-}

apps/server/src/server/api/contracts/config.contract.ts

@@ -0,0 +1,127 @@
+import { oc } from '@orpc/contract'
+import { z } from 'zod'
+import { licenceEnvelopeSchema } from '@/server/licence'
+
+const licenceOutput = z
+  .object({
+    licenceId: z.string().describe('验签通过后的 licence 标识'),
+    expireTime: z.string().describe('授权到期日，格式为 YYYY-MM-DD'),
+    isExpired: z.boolean().describe('当前 licence 是否已过期（按 UTC 自然日计算）'),
+  })
+  .describe('当前已安装 licence 的验证后元数据')
+
+const configOutput = z
+  .object({
+    licence: licenceOutput.nullable().describe('当前本地已验证 licence 的元数据，未设置时为 null'),
+    fingerprint: z.string().describe('UX 本机计算得到的设备特征码（SHA-256）'),
+    hasPlatformPublicKey: z.boolean().describe('是否已配置平台公钥'),
+    hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
+  })
+  .describe('本地身份配置快照，用于判断设备授权初始化是否完成')
+  .meta({
+    examples: [
+      {
+        licence: {
+          licenceId: 'LIC-20260319-0025',
+          expireTime: '2027-03-19',
+          isExpired: false,
+        },
+        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
+        hasPlatformPublicKey: true,
+        hasPgpPrivateKey: true,
+      },
+      {
+        licence: null,
+        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
+        hasPlatformPublicKey: false,
+        hasPgpPrivateKey: false,
+      },
+    ],
+  })
+
+export const get = oc
+  .route({
+    method: 'POST',
+    path: '/config/get',
+    operationId: 'configGet',
+    summary: '读取本机身份配置',
+    description:
+      '查询 UX 当前本地身份配置状态。\n\n典型用途：页面初始化时检测授权状态、验签前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容：\n- licence：当前已验证 licence 的元数据，未设置时为 null；\n- fingerprint：设备特征码（本机自动计算）；\n- hasPlatformPublicKey：是否已写入平台公钥；\n- hasPgpPrivateKey：是否已写入 OpenPGP 私钥。',
+    tags: ['Config'],
+  })
+  .input(z.object({}).describe('空请求体，仅触发读取当前配置'))
+  .output(configOutput)
+
+export const setLicence = oc
+  .route({
+    method: 'POST',
+    path: '/config/set-licence',
+    operationId: 'configSetLicence',
+    summary: '写入本地 licence',
+    description:
+      '写入或更新本机持久化 licence。\n\n调用时机：设备首次激活、授权码变更、授权修复。\n\n约束与行为：\n- 接收 `.lic` 文件内容对应的 JSON 信封，而不是文件上传；\n- 使用已配置的平台公钥对 payload 原始字符串做 SHA256withRSA 验签；\n- 仅在验签通过且 expire_time 未过期时持久化；\n- fingerprint 由本机自动计算，不允许外部覆盖；\n- 成功后返回最新配置快照，便于前端立即刷新授权状态。',
+    tags: ['Config'],
+  })
+  .input(
+    licenceEnvelopeSchema.meta({
+      examples: [
+        {
+          payload: 'eyJsaWNlbmNlX2lkIjoiTElDLTIwMjYwMzE5LTAwMjUiLCJleHBpcmVfdGltZSI6IjIwMjctMDMtMTkifQ==',
+          signature:
+            'aLd+wwpz1W5AS0jgE/IstSNjCAQ5estQYIMqeLXRWMIsnKxjZpCvC8O5q/G5LEBBLJXnbTk8N6IMTUx295nf2HQYlXNtJkWiBeUXQ6/uzs0RbhCeRAWK2Hx4kSsmiEv4AHGLb4ozI2XekTc+40+ApJQYqaWbDu/NU99TmDm3/da1VkKpQxH60BhSQVwBtU67w9Vp3SpWm8y1faQ7ci5WDtJf1JZaS70kPXoGeA5018rPeMFlEzUp10yDlGW6RcrT7Dm+r7zFyrFznLK+evBEvTf9mMGWwZZP3q9vJtC/wFt1t5zNHdkb27cTwc9yyqGMWdelXQAQDnoisn2Jzi06KA==',
+        },
+      ],
+    }),
+  )
+  .output(configOutput)
+
+export const setPgpPrivateKey = oc
+  .route({
+    method: 'POST',
+    path: '/config/set-pgp-private-key',
+    operationId: 'configSetPgpPrivateKey',
+    summary: '写入本地 OpenPGP 私钥',
+    description:
+      '写入或更新本机持久化 OpenPGP 私钥（ASCII armored）。\n\n调用时机：首次导入签名私钥、私钥轮换。\n\n约束与行为：\n- 仅接收 ASCII armored 私钥文本；\n- 私钥保存在本地，后续报告签名接口会自动读取；\n- 成功后返回最新配置快照，可用于确认 hasPgpPrivateKey 状态。',
+    tags: ['Config'],
+  })
+  .input(
+    z
+      .object({
+        pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥（ASCII armored 格式）'),
+      })
+      .meta({
+        examples: [
+          {
+            pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
+          },
+        ],
+      }),
+  )
+  .output(configOutput)
+
+export const setPlatformPublicKey = oc
+  .route({
+    method: 'POST',
+    path: '/config/set-platform-public-key',
+    operationId: 'configSetPlatformPublicKey',
+    summary: '写入本地平台公钥',
+    description:
+      '写入或更新本机持久化平台公钥（Base64 编码 SPKI DER）。\n\n调用时机：设备授权初始化、平台公钥轮换。\n\n约束与行为：\n- 仅接收可解析的平台 RSA 公钥文本；\n- 公钥保存在本地，设备授权密文接口和 licence 验签都会自动读取，无需每次传参；\n- 若平台公钥发生变化，已安装 licence 会被清空，需要重新安装已签名 licence；\n- 成功后返回最新配置快照，可用于确认 hasPlatformPublicKey 状态。',
+    tags: ['Config'],
+  })
+  .input(
+    z
+      .object({
+        platformPublicKey: z.string().min(1).describe('平台公钥（Base64 编码 SPKI DER）'),
+      })
+      .meta({
+        examples: [
+          {
+            platformPublicKey:
+              'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
+          },
+        ],
+      }),
+  )
+  .output(configOutput)

apps/server/src/server/api/contracts/crypto.contract.ts

@@ -0,0 +1,163 @@
+import { oc } from '@orpc/contract'
+import { z } from 'zod'
+
+export const encryptDeviceInfo = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/encrypt-device-info',
+    operationId: 'encryptDeviceInfo',
+    summary: '生成设备授权二维码密文',
+    description:
+      '生成设备授权流程所需的二维码密文。\n\n处理流程：\n- 读取本机已验证的 licenceId、fingerprint 与本地持久化的平台公钥；\n- 组装为授权载荷 JSON；\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密；\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景：设备授权申请、重新授权。\n\n前置条件：需先调用 config.setPlatformPublicKey 写入平台公钥，并通过 config.setLicence 安装已签名 licence。',
+    tags: ['Crypto'],
+  })
+  .input(z.object({}).describe('空请求体。平台公钥由本地配置自动读取'))
+  .output(
+    z
+      .object({
+        encrypted: z.string().describe('Base64 密文（可直接用于设备授权二维码内容）'),
+      })
+      .describe('设备授权密文生成结果')
+      .meta({
+        examples: [
+          {
+            encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
+          },
+        ],
+      }),
+  )
+
+export const decryptTask = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/decrypt-task',
+    operationId: 'decryptTask',
+    summary: '解密任务二维码数据',
+    description:
+      '解密 App 下发的任务二维码密文。\n\n处理流程：\n- 基于本机已验证的 licenceId + fingerprint 派生 AES-256-GCM 密钥；\n- 对二维码中的 Base64 密文进行解密；\n- 返回任务明文 JSON 字符串。\n\n适用场景：扫码接收任务后解析任务详情。',
+    tags: ['Crypto'],
+  })
+  .input(
+    z
+      .object({
+        encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文（来自任务二维码扫描结果）'),
+      })
+      .describe('任务二维码解密请求')
+      .meta({
+        examples: [
+          {
+            encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
+          },
+        ],
+      }),
+  )
+  .output(
+    z
+      .object({
+        decrypted: z.string().describe('解密后的任务信息 JSON 字符串（可进一步反序列化）'),
+      })
+      .describe('任务二维码解密结果')
+      .meta({
+        examples: [
+          {
+            decrypted:
+              '{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
+          },
+        ],
+      }),
+  )
+
+export const encryptSummary = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/encrypt-summary',
+    operationId: 'encryptSummary',
+    summary: '加密摘要信息',
+    description:
+      '加密检查摘要信息并产出二维码密文。\n\n处理流程：\n- 使用已验证的 licenceId + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥；\n- 使用 AES-256-GCM 加密摘要明文；\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景：任务执行后提交摘要信息。',
+    tags: ['Crypto'],
+  })
+  .input(
+    z
+      .object({
+        salt: z.string().min(1).describe('HKDF salt（通常为 taskId，需与任务上下文一致）'),
+        plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文字符串'),
+      })
+      .describe('摘要信息加密请求')
+      .meta({
+        examples: [
+          {
+            salt: 'TASK-20260115-4875',
+            plaintext:
+              '{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":{"orgId":"1","orgName":"超艺科技有限公司","checkId":"1","vcheckId":"1","task":{"startTime":"2022-01-01 00:00:00","endTime":"2022-01-01 00:00:00"},"asset":{"count":183},"weakPwd":{"count":5},"vul":{"emergency":13,"high":34,"medium":45,"low":12,"info":3}},"timestamp":1734571234567}',
+          },
+        ],
+      }),
+  )
+  .output(
+    z
+      .object({
+        encrypted: z.string().describe('Base64 密文（用于摘要信息二维码内容）'),
+      })
+      .describe('摘要信息加密结果')
+      .meta({
+        examples: [
+          {
+            encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
+          },
+        ],
+      }),
+  )
+
+export const signAndPackReport = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/sign-and-pack-report',
+    operationId: 'signAndPackReport',
+    summary: '签名并打包检查报告',
+    description:
+      '对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程：\n- 解析上传 ZIP 并提取 summary.json；\n- 用已验证的 licenceId/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json；\n- 生成 META-INF/manifest.json；\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`)；\n- 返回签名后 ZIP。\n\n适用场景：检查结果归档、可追溯签名分发。',
+    tags: ['Report'],
+    spec: (current) => {
+      const multipartContent =
+        current.requestBody && !('$ref' in current.requestBody)
+          ? (current.requestBody.content?.['multipart/form-data'] ?? current.requestBody.content?.['application/json'])
+          : undefined
+
+      return {
+        ...current,
+        requestBody:
+          multipartContent && current.requestBody && !('$ref' in current.requestBody)
+            ? {
+                ...current.requestBody,
+                content: {
+                  'multipart/form-data': multipartContent,
+                },
+              }
+            : current.requestBody,
+      }
+    },
+  })
+  .input(
+    z
+      .object({
+        rawZip: z
+          .file()
+          .mime(['application/zip', 'application/x-zip-compressed'])
+          .describe(
+            '原始报告 ZIP 文件（必须包含 summary.json，以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件）',
+          ),
+        outputFileName: z
+          .string()
+          .min(1)
+          .optional()
+          .describe('返回 ZIP 文件名（可选，默认 signed-report.zip）')
+          .meta({ examples: ['signed-report.zip'] }),
+      })
+      .describe('报告签名与打包请求'),
+  )
+  .output(
+    z
+      .file()
+      .describe('签名后报告 ZIP 文件（二进制响应，包含 summary.json、META-INF/manifest.json、META-INF/signature.asc）'),
+  )

apps/server/src/server/api/contracts/fingerprint.contract.ts

@@ -1,26 +0,0 @@
-import { oc } from '@orpc/contract'
-import { z } from 'zod'
-
-/**
- * 硬件指纹质量等级
- */
-const fingerprintQualitySchema = z.enum(['strong', 'medium', 'weak'])
-
-/**
- * 硬件指纹响应 Schema
- */
-const fingerprintResultSchema = z.object({
-  /** 机器码（HMAC-SHA256 哈希） */
-  fingerprint: z.string(),
-  /** 指纹质量等级 */
-  quality: fingerprintQualitySchema,
-  /** 可用的强标识符数量 */
-  strongIdentifiersCount: z.number(),
-  /** 生成时间戳 */
-  timestamp: z.number(),
-})
-
-/**
- * 获取硬件指纹契约
- */
-export const get = oc.input(z.void()).output(fingerprintResultSchema)

apps/server/src/server/api/contracts/index.ts

@@ -1,9 +1,9 @@
-import * as fingerprint from './fingerprint.contract'
+import * as config from './config.contract'
-import * as license from './license.contract'
+import * as crypto from './crypto.contract'
 
 export const contract = {
-  fingerprint,
+  config,
-  license,
+  crypto,
 }
 
 export type Contract = typeof contract

apps/server/src/server/api/contracts/license.contract.ts

@@ -1,18 +0,0 @@
-import { oc } from '@orpc/contract'
-import { z } from 'zod'
-
-export const getActivation = oc.input(z.void()).output(
-  z.object({
-    fingerprint: z.string(),
-    license: z.string().nullable(),
-    licenseActivatedAt: z.number().nullable(),
-  }),
-)
-
-export const activate = oc
-  .input(z.object({ license: z.string().min(1) }))
-  .output(z.object({ success: z.boolean() }))
-
-export const deactivate = oc
-  .input(z.void())
-  .output(z.object({ success: z.boolean() }))

apps/server/src/server/api/interceptors.ts

@@ -0,0 +1,26 @@
+import { ORPCError, ValidationError } from '@orpc/server'
+import { z } from 'zod'
+
+export const logError = (error: unknown) => {
+  console.error(error)
+}
+
+export const handleValidationError = (error: unknown) => {
+  if (error instanceof ORPCError && error.code === 'BAD_REQUEST' && error.cause instanceof ValidationError) {
+    // If you only use Zod you can safely cast to ZodIssue[] (per ORPC official docs)
+    const zodError = new z.ZodError(error.cause.issues as z.core.$ZodIssue[])
+
+    throw new ORPCError('INPUT_VALIDATION_FAILED', {
+      status: 422,
+      message: z.prettifyError(zodError),
+      data: z.flattenError(zodError),
+      cause: error.cause,
+    })
+  }
+
+  if (error instanceof ORPCError && error.code === 'INTERNAL_SERVER_ERROR' && error.cause instanceof ValidationError) {
+    throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
+      cause: error.cause,
+    })
+  }
+}

apps/server/src/server/api/middlewares/db.middleware.ts

@@ -1,9 +1,7 @@
-import { os } from '@orpc/server'
+import { os } from '@/server/api/server'
-import { ensureLicenseActivationInitialized } from '@/lib/license-init'
 import { getDB } from '@/server/db'
 
-export const dbProvider = os.middleware(async ({ context, next }) => {
+export const db = os.middleware(async ({ context, next }) => {
-  await ensureLicenseActivationInitialized()
   return next({
     context: {
       ...context,
@@ -11,5 +9,3 @@ export const dbProvider = os.middleware(async ({ context, next }) => {
     },
   })
 })
-
-export const db = dbProvider

apps/server/src/server/api/routers/config.router.ts

@@ -0,0 +1,81 @@
+import { validatePgpPrivateKey, validateRsaPublicKey } from '@furtherverse/crypto'
+import { ORPCError } from '@orpc/server'
+import { isLicenceExpired, verifyAndDecodeLicenceEnvelope } from '@/server/licence'
+import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey, setUxPlatformPublicKey } from '@/server/ux-config'
+import { db } from '../middlewares'
+import { os } from '../server'
+
+const toConfigOutput = (config: {
+  licenceId: string | null
+  licenceExpireTime: string | null
+  fingerprint: string
+  platformPublicKey: string | null
+  pgpPrivateKey: string | null
+}) => ({
+  licence:
+    config.licenceId && config.licenceExpireTime
+      ? {
+          licenceId: config.licenceId,
+          expireTime: config.licenceExpireTime,
+          isExpired: isLicenceExpired(config.licenceExpireTime),
+        }
+      : null,
+  fingerprint: config.fingerprint,
+  hasPlatformPublicKey: config.platformPublicKey != null,
+  hasPgpPrivateKey: config.pgpPrivateKey != null,
+})
+
+export const get = os.config.get.use(db).handler(async ({ context }) => {
+  const config = await ensureUxConfig(context.db)
+  return toConfigOutput(config)
+})
+
+export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
+  const currentConfig = await ensureUxConfig(context.db)
+
+  if (!currentConfig.platformPublicKey) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
+    })
+  }
+
+  const payload = verifyAndDecodeLicenceEnvelope(input, currentConfig.platformPublicKey)
+  if (isLicenceExpired(payload.expire_time)) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: 'licence has expired',
+    })
+  }
+
+  const config = await setUxLicence(context.db, {
+    payload: input.payload,
+    signature: input.signature,
+    licenceId: payload.licence_id,
+    expireTime: payload.expire_time,
+  })
+
+  return toConfigOutput(config)
+})
+
+export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
+  await validatePgpPrivateKey(input.pgpPrivateKey).catch((error) => {
+    throw new ORPCError('BAD_REQUEST', {
+      message: `Invalid PGP private key: ${error instanceof Error ? error.message : 'unable to parse'}`,
+    })
+  })
+
+  const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
+  return toConfigOutput(config)
+})
+
+export const setPlatformPublicKey = os.config.setPlatformPublicKey.use(db).handler(async ({ context, input }) => {
+  try {
+    validateRsaPublicKey(input.platformPublicKey)
+  } catch (error) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: `Invalid platform public key: ${error instanceof Error ? error.message : 'unable to parse'}`,
+    })
+  }
+
+  const config = await setUxPlatformPublicKey(context.db, input.platformPublicKey)
+  return toConfigOutput(config)
+})

apps/server/src/server/api/routers/crypto.router.ts

@@ -0,0 +1,219 @@
+import {
+  aesGcmDecrypt,
+  aesGcmEncrypt,
+  hkdfSha256,
+  hmacSha256Base64,
+  pgpSignDetached,
+  rsaOaepEncrypt,
+  sha256,
+  sha256Hex,
+} from '@furtherverse/crypto'
+import { ORPCError } from '@orpc/server'
+import JSZip from 'jszip'
+import {
+  isInteger,
+  isSafeNumber,
+  LosslessNumber,
+  parse as losslessParse,
+  stringify as losslessStringify,
+} from 'lossless-json'
+import { z } from 'zod'
+import { isLicenceExpired } from '@/server/licence'
+import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
+import { getUxConfig } from '@/server/ux-config'
+import { db } from '../middlewares'
+import { os } from '../server'
+
+const safeNumberParser = (value: string): number | string => {
+  if (isSafeNumber(value)) return Number(value)
+  if (isInteger(value)) return value
+  return Number(value)
+}
+
+const toLosslessNumber = (value: string): LosslessNumber | string =>
+  value !== '' && /^-?\d+$/.test(value) ? new LosslessNumber(value) : value
+
+const summaryPayloadSchema = z
+  .object({
+    taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
+    checkId: z.union([z.string(), z.number()]).optional(),
+    inspectionId: z.union([z.string(), z.number()]).optional(),
+    orgId: z.union([z.string(), z.number()]).optional(),
+    enterpriseId: z.union([z.string(), z.number()]).optional(),
+    summary: z.string().optional(),
+  })
+  .loose()
+
+const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
+  const config = await getUxConfig(dbInstance)
+  if (!config || !config.licenceId || !config.licenceExpireTime) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
+    })
+  }
+
+  if (isLicenceExpired(config.licenceExpireTime)) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'Local licence has expired. Install a new signed licence before calling crypto APIs.',
+    })
+  }
+
+  return config as typeof config & { licenceId: string; licenceExpireTime: string }
+}
+
+export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context }) => {
+  const config = await requireIdentity(context.db)
+
+  if (!config.platformPublicKey) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
+    })
+  }
+
+  const deviceInfoJson = JSON.stringify({
+    licence: config.licenceId,
+    fingerprint: config.fingerprint,
+  })
+
+  const encrypted = rsaOaepEncrypt(deviceInfoJson, config.platformPublicKey)
+  return { encrypted }
+})
+
+export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  const key = sha256(config.licenceId + config.fingerprint)
+  const decrypted = aesGcmDecrypt(input.encryptedData, key)
+  return { decrypted }
+})
+
+export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  const ikm = config.licenceId + config.fingerprint
+  const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
+  const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
+  return { encrypted }
+})
+
+export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  if (!config.pgpPrivateKey) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
+    })
+  }
+
+  const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
+
+  const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
+    if (error instanceof ZipValidationError) {
+      throw new ORPCError('BAD_REQUEST', { message: error.message })
+    }
+    throw error
+  })
+
+  // Extract and validate summary.json from the ZIP
+  const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
+  if (!summaryFile) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: 'rawZip must contain a summary.json file',
+    })
+  }
+
+  let rawJson: unknown
+  try {
+    rawJson = losslessParse(Buffer.from(summaryFile.bytes).toString('utf-8'), undefined, safeNumberParser)
+  } catch {
+    throw new ORPCError('BAD_REQUEST', {
+      message: 'summary.json in the ZIP is not valid JSON',
+    })
+  }
+
+  const parsed = summaryPayloadSchema.safeParse(rawJson)
+  if (!parsed.success) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
+    })
+  }
+
+  const summaryPayload = parsed.data
+  const checkId = String(summaryPayload.checkId ?? summaryPayload.inspectionId ?? '')
+  const orgId = summaryPayload.orgId ?? summaryPayload.enterpriseId ?? ''
+
+  // Helper: find file in ZIP and compute its SHA256 hash
+  const requireFileHash = (name: string): string => {
+    const file = zipFiles.find((f) => f.name === name)
+    if (!file) {
+      throw new ORPCError('BAD_REQUEST', { message: `rawZip must contain ${name}` })
+    }
+    return sha256Hex(Buffer.from(file.bytes))
+  }
+
+  // Compute SHA256 of each content file (fixed order, matching Kotlin reference)
+  const assetsSha256 = requireFileHash('assets.json')
+  const vulnerabilitiesSha256 = requireFileHash('vulnerabilities.json')
+  const weakPasswordsSha256 = requireFileHash('weakPasswords.json')
+  const reportHtmlSha256 = requireFileHash('漏洞评估报告.html')
+
+  // Compute device signature
+  // signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
+  // (plain concatenation, no separators, fixed order — matching Kotlin reference)
+  const ikm = config.licenceId + config.fingerprint
+  const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
+
+  const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
+  const deviceSignature = hmacSha256Base64(signingKey, signPayload)
+
+  // Build final summary.json with flat structure (matching Kotlin reference)
+  const finalSummary = {
+    orgId: toLosslessNumber(String(orgId)),
+    checkId: toLosslessNumber(checkId),
+    taskId: summaryPayload.taskId,
+    licence: config.licenceId,
+    fingerprint: config.fingerprint,
+    deviceSignature,
+    summary: summaryPayload.summary ?? '',
+  }
+  const summaryJson = losslessStringify(finalSummary)
+  if (!summaryJson) {
+    throw new ORPCError('INTERNAL_SERVER_ERROR', {
+      message: 'Failed to serialize summary.json',
+    })
+  }
+  const summaryBytes = Buffer.from(summaryJson, 'utf-8')
+
+  // Build manifest.json (fixed file list, matching Kotlin reference)
+  const manifestFiles: Record<string, string> = {
+    'summary.json': sha256Hex(summaryBytes),
+    'assets.json': assetsSha256,
+    'vulnerabilities.json': vulnerabilitiesSha256,
+    'weakPasswords.json': weakPasswordsSha256,
+    '漏洞评估报告.html': reportHtmlSha256,
+  }
+
+  const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
+  const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
+
+  // Pack signed ZIP
+  const signedZip = new JSZip()
+  signedZip.file('summary.json', summaryBytes)
+  for (const item of zipFiles) {
+    if (item.name !== 'summary.json') {
+      signedZip.file(item.name, item.bytes)
+    }
+  }
+  signedZip.file('META-INF/manifest.json', manifestBytes)
+  signedZip.file('META-INF/signature.asc', signatureAsc)
+
+  const signedZipBytes = await signedZip.generateAsync({
+    type: 'uint8array',
+    compression: 'DEFLATE',
+    compressionOptions: { level: 9 },
+  })
+
+  return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
+    type: 'application/zip',
+  })
+})

apps/server/src/server/api/routers/fingerprint.router.ts

@@ -1,11 +0,0 @@
-import { getHardwareFingerprint } from '@/lib/fingerprint'
-import { os } from '../server'
-
-export const get = os.fingerprint.get.handler(async () => {
-  const result = await getHardwareFingerprint({
-    cacheTtlMs: 10 * 60 * 1000, // 10 分钟缓存
-    includePrimaryDisk: true, // 包含主硬盘序列号以提高稳定性
-  })
-
-  return result
-})

apps/server/src/server/api/routers/index.ts

@@ -1,8 +1,8 @@
 import { os } from '../server'
-import * as fingerprint from './fingerprint.router'
+import * as config from './config.router'
-import * as license from './license.router'
+import * as crypto from './crypto.router'
 
 export const router = os.router({
-  fingerprint,
+  config,
-  license,
+  crypto,
 })

apps/server/src/server/api/routers/license.router.ts

@@ -1,67 +0,0 @@
-import { eq } from 'drizzle-orm'
-import { ensureLicenseActivationInitialized } from '@/lib/license-init'
-import { licenseActivationTable } from '@/server/db/schema'
-import { dbProvider } from '../middlewares'
-import { os } from '../server'
-
-export const getActivation = os.license.getActivation
-  .use(dbProvider)
-  .handler(async ({ context }) => {
-    await ensureLicenseActivationInitialized()
-
-    const record = await context.db.query.licenseActivationTable.findFirst()
-
-    if (!record) {
-      throw new Error('License activation record not found')
-    }
-
-    return {
-      fingerprint: record.fingerprint,
-      license: record.license,
-      licenseActivatedAt: record.licenseActivatedAt?.getTime() ?? null,
-    }
-  })
-
-export const activate = os.license.activate
-  .use(dbProvider)
-  .handler(async ({ context, input }) => {
-    await ensureLicenseActivationInitialized()
-
-    const record = await context.db.query.licenseActivationTable.findFirst()
-
-    if (!record) {
-      throw new Error('License activation record not found')
-    }
-
-    await context.db
-      .update(licenseActivationTable)
-      .set({
-        license: input.license,
-        licenseActivatedAt: new Date(),
-      })
-      .where(eq(licenseActivationTable.id, record.id))
-
-    return { success: true }
-  })
-
-export const deactivate = os.license.deactivate
-  .use(dbProvider)
-  .handler(async ({ context }) => {
-    await ensureLicenseActivationInitialized()
-
-    const record = await context.db.query.licenseActivationTable.findFirst()
-
-    if (!record) {
-      throw new Error('License activation record not found')
-    }
-
-    await context.db
-      .update(licenseActivationTable)
-      .set({
-        license: null,
-        licenseActivatedAt: null,
-      })
-      .where(eq(licenseActivationTable.id, record.id))
-
-    return { success: true }
-  })

apps/server/src/server/api/types.ts

@@ -1,8 +1,4 @@
-import type {
+import type { ContractRouterClient, InferContractRouterInputs, InferContractRouterOutputs } from '@orpc/contract'
-  ContractRouterClient,
-  InferContractRouterInputs,
-  InferContractRouterOutputs,
-} from '@orpc/contract'
 import type { Contract } from './contracts'
 
 export type RouterClient = ContractRouterClient<Contract>

apps/server/src/server/db/fields.ts

@@ -1,16 +1,11 @@
 import { integer, text } from 'drizzle-orm/sqlite-core'
 import { v7 as uuidv7 } from 'uuid'
 
-// id
+export const pk = (name = 'id') =>
-
+  text(name)
-export const id = (name: string) => text(name)
-export const pk = (name: string) =>
-  id(name)
     .primaryKey()
     .$defaultFn(() => uuidv7())
 
-// timestamp
-
 export const createdAt = (name = 'created_at') =>
   integer(name, { mode: 'timestamp_ms' })
     .notNull()
@@ -22,18 +17,13 @@ export const updatedAt = (name = 'updated_at') =>
     .$defaultFn(() => new Date())
     .$onUpdateFn(() => new Date())
 
-// generated fields
-
 export const generatedFields = {
   id: pk('id'),
   createdAt: createdAt('created_at'),
   updatedAt: updatedAt('updated_at'),
 }
 
-// Helper to create omit keys from generatedFields
+const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
-const createGeneratedFieldKeys = <T extends Record<string, unknown>>(
-  fields: T,
-): Record<keyof T, true> => {
   return Object.keys(fields).reduce(
     (acc, key) => {
       acc[key as keyof T] = true

apps/server/src/server/db/index.ts

@@ -1,17 +1,13 @@
-import { mkdirSync } from 'node:fs'
+import { Database } from 'bun:sqlite'
-import { dirname } from 'node:path'
+import { drizzle } from 'drizzle-orm/bun-sqlite'
-import Database from 'better-sqlite3'
-import { drizzle } from 'drizzle-orm/better-sqlite3'
 import { env } from '@/env'
-import * as schema from '@/server/db/schema'
+import { relations } from '@/server/db/relations'
 
 export const createDB = () => {
-  const dbPath = env.DATABASE_URL
+  const sqlite = new Database(env.DATABASE_PATH)
-  if (dbPath !== ':memory:') {
+  sqlite.exec('PRAGMA journal_mode = WAL')
-    mkdirSync(dirname(dbPath), { recursive: true })
+  sqlite.exec('PRAGMA foreign_keys = ON')
-  }
+  return drizzle({ client: sqlite, relations })
-  const sqlite = new Database(dbPath)
-  return drizzle(sqlite, { schema })
 }
 
 export type DB = ReturnType<typeof createDB>

apps/server/src/server/db/relations.ts

@@ -0,0 +1,4 @@
+import { defineRelations } from 'drizzle-orm'
+import * as schema from './schema'
+
+export const relations = defineRelations(schema, () => ({}))

apps/server/src/server/db/schema/index.ts

@@ -1 +1 @@
-export * from './license-activation'
+export * from './ux-config'

apps/server/src/server/db/schema/license-activation.ts

@@ -1,9 +0,0 @@
-import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'
-import { generatedFields } from './utils/field'
-
-export const licenseActivationTable = sqliteTable('license_activation', {
-  ...generatedFields,
-  fingerprint: text('fingerprint').notNull().unique(),
-  license: text('license'),
-  licenseActivatedAt: integer('license_activated_at', { mode: 'timestamp_ms' }),
-})

apps/server/src/server/db/schema/ux-config.ts

@@ -0,0 +1,14 @@
+import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
+import { generatedFields } from '../fields'
+
+export const uxConfigTable = sqliteTable('ux_config', {
+  ...generatedFields,
+  singletonKey: text('singleton_key').notNull().unique().default('default'),
+  licencePayload: text('licence_payload'),
+  licenceSignature: text('licence_signature'),
+  licenceId: text('licence_id'),
+  licenceExpireTime: text('licence_expire_time'),
+  fingerprint: text('fingerprint').notNull(),
+  platformPublicKey: text('platform_public_key'),
+  pgpPrivateKey: text('pgp_private_key'),
+})

apps/server/src/server/device-fingerprint.ts

@@ -0,0 +1,10 @@
+import { sha256Hex } from '@furtherverse/crypto'
+import { system } from 'systeminformation'
+
+export const computeDeviceFingerprint = async (): Promise<string> => {
+  const { uuid, serial, model, manufacturer } = await system()
+  const source = [uuid, serial, model, manufacturer].join('|')
+  const hash = sha256Hex(source)
+
+  return hash
+}

apps/server/src/server/licence.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, it } from 'bun:test'
+import { constants, createSign, generateKeyPairSync } from 'node:crypto'
+import { decodeLicencePayload, isLicenceExpired, verifyAndDecodeLicenceEnvelope } from './licence'
+
+describe('licence helpers', () => {
+  it('verifies payload signatures and decodes payload JSON', () => {
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+    const payloadJson = JSON.stringify({ licence_id: 'LIC-20260319-0025', expire_time: '2027-03-19' })
+    const payload = Buffer.from(payloadJson, 'utf-8').toString('base64')
+
+    const signer = createSign('RSA-SHA256')
+    signer.update(Buffer.from(payload, 'utf-8'))
+    signer.end()
+
+    const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING }).toString('base64')
+    const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
+
+    expect(verifyAndDecodeLicenceEnvelope({ payload, signature }, publicKeyBase64)).toEqual({
+      licence_id: 'LIC-20260319-0025',
+      expire_time: '2027-03-19',
+    })
+  })
+
+  it('treats expire_time as valid through the end of the UTC day', () => {
+    expect(isLicenceExpired('2027-03-19', new Date('2027-03-19T23:59:59.999Z'))).toBe(false)
+    expect(isLicenceExpired('2027-03-19', new Date('2027-03-20T00:00:00.000Z'))).toBe(true)
+  })
+
+  it('rejects malformed payloads', () => {
+    expect(() => decodeLicencePayload('not-base64')).toThrow('payload must be valid Base64')
+  })
+})

apps/server/src/server/licence.ts

@@ -0,0 +1,94 @@
+import { rsaVerifySignature } from '@furtherverse/crypto'
+import { z } from 'zod'
+
+const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
+const DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/
+
+export const licenceEnvelopeSchema = z.object({
+  payload: z.string().min(1).max(8192).describe('Base64 编码的 licence payload 原文'),
+  signature: z.string().min(1).max(8192).describe('对 payload 字符串 UTF-8 字节做 SHA256withRSA 后得到的 Base64 签名'),
+})
+
+export const licencePayloadSchema = z
+  .object({
+    licence_id: z.string().min(1).describe('验签通过后的 licence 标识'),
+    expire_time: z
+      .string()
+      .regex(DATE_PATTERN, 'expire_time must use YYYY-MM-DD')
+      .describe('授权到期日，格式为 YYYY-MM-DD（按 UTC 自然日末尾失效）'),
+  })
+  .loose()
+
+export type LicenceEnvelope = z.infer<typeof licenceEnvelopeSchema>
+export type LicencePayload = z.infer<typeof licencePayloadSchema>
+
+const decodeBase64 = (value: string, fieldName: string): Buffer => {
+  if (!BASE64_PATTERN.test(value)) {
+    throw new Error(`${fieldName} must be valid Base64`)
+  }
+
+  return Buffer.from(value, 'base64')
+}
+
+const parseUtcDate = (value: string): Date => {
+  const match = DATE_PATTERN.exec(value)
+  if (!match) {
+    throw new Error('expire_time must use YYYY-MM-DD')
+  }
+
+  const [, yearText, monthText, dayText] = match
+  const year = Number(yearText)
+  const month = Number(monthText)
+  const day = Number(dayText)
+  const parsed = new Date(Date.UTC(year, month - 1, day))
+
+  if (
+    Number.isNaN(parsed.getTime()) ||
+    parsed.getUTCFullYear() !== year ||
+    parsed.getUTCMonth() !== month - 1 ||
+    parsed.getUTCDate() !== day
+  ) {
+    throw new Error('expire_time is not a valid calendar date')
+  }
+
+  return parsed
+}
+
+export const isLicenceExpired = (expireTime: string, now = new Date()): boolean => {
+  const expireDate = parseUtcDate(expireTime)
+  const expiresAt = Date.UTC(expireDate.getUTCFullYear(), expireDate.getUTCMonth(), expireDate.getUTCDate() + 1)
+
+  return now.getTime() >= expiresAt
+}
+
+export const decodeLicencePayload = (payloadBase64: string): LicencePayload => {
+  const decodedJson = decodeBase64(payloadBase64, 'payload').toString('utf-8')
+
+  let rawPayload: unknown
+  try {
+    rawPayload = JSON.parse(decodedJson)
+  } catch {
+    throw new Error('payload must decode to valid JSON')
+  }
+
+  const parsedPayload = licencePayloadSchema.safeParse(rawPayload)
+  if (!parsedPayload.success) {
+    throw new Error(z.prettifyError(parsedPayload.error))
+  }
+
+  return parsedPayload.data
+}
+
+export const verifyLicenceEnvelopeSignature = (envelope: LicenceEnvelope, publicKeyBase64: string): void => {
+  const signatureBytes = decodeBase64(envelope.signature, 'signature')
+  const isValid = rsaVerifySignature(Buffer.from(envelope.payload, 'utf-8'), signatureBytes, publicKeyBase64)
+
+  if (!isValid) {
+    throw new Error('licence signature is invalid')
+  }
+}
+
+export const verifyAndDecodeLicenceEnvelope = (envelope: LicenceEnvelope, publicKeyBase64: string): LicencePayload => {
+  verifyLicenceEnvelopeSignature(envelope, publicKeyBase64)
+  return decodeLicencePayload(envelope.payload)
+}

apps/server/src/server/safe-zip.ts

@@ -0,0 +1,96 @@
+import type { JSZipObject } from 'jszip'
+import JSZip from 'jszip'
+
+export class ZipValidationError extends Error {
+  override name = 'ZipValidationError'
+}
+
+export interface ZipFileItem {
+  name: string
+  bytes: Uint8Array
+}
+
+export interface SafeZipOptions {
+  maxRawBytes?: number
+  maxEntries?: number
+  maxSingleFileBytes?: number
+  maxTotalUncompressedBytes?: number
+}
+
+const DEFAULTS = {
+  maxRawBytes: 50 * 1024 * 1024,
+  maxEntries: 64,
+  maxSingleFileBytes: 20 * 1024 * 1024,
+  maxTotalUncompressedBytes: 60 * 1024 * 1024,
+} satisfies Required<SafeZipOptions>
+
+const normalizePath = (name: string): string => name.replaceAll('\\', '/')
+
+const isUnsafePath = (name: string): boolean => {
+  const normalized = normalizePath(name)
+  const segments = normalized.split('/')
+
+  return (
+    normalized.startsWith('/') ||
+    normalized.includes('\0') ||
+    segments.some((segment) => segment === '..' || segment.trim().length === 0)
+  )
+}
+
+export const extractSafeZipFiles = async (
+  rawBytes: Uint8Array | Buffer,
+  options?: SafeZipOptions,
+): Promise<ZipFileItem[]> => {
+  const opts = { ...DEFAULTS, ...options }
+
+  if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
+    throw new ZipValidationError('ZIP is empty or exceeds max size limit')
+  }
+
+  const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
+    throw new ZipValidationError('Not a valid ZIP file')
+  })
+
+  const entries = Object.values(zip.files) as JSZipObject[]
+  if (entries.length > opts.maxEntries) {
+    throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
+  }
+
+  let totalUncompressedBytes = 0
+  const files: ZipFileItem[] = []
+  const seen = new Set<string>()
+
+  for (const entry of entries) {
+    if (entry.dir) {
+      continue
+    }
+
+    if (isUnsafePath(entry.name)) {
+      throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
+    }
+
+    const normalizedName = normalizePath(entry.name)
+    if (seen.has(normalizedName)) {
+      throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
+    }
+    seen.add(normalizedName)
+
+    const content = await entry.async('uint8array')
+    if (content.byteLength > opts.maxSingleFileBytes) {
+      throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
+    }
+
+    totalUncompressedBytes += content.byteLength
+    if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
+      throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
+    }
+
+    files.push({ name: normalizedName, bytes: content })
+  }
+
+  if (files.length === 0) {
+    throw new ZipValidationError('ZIP has no file entries')
+  }
+
+  return files
+}

apps/server/src/server/ux-config.ts

@@ -0,0 +1,99 @@
+import { eq } from 'drizzle-orm'
+import type { DB } from '@/server/db'
+import { uxConfigTable } from '@/server/db/schema'
+import { computeDeviceFingerprint } from './device-fingerprint'
+
+const UX_CONFIG_KEY = 'default'
+
+export const getUxConfig = async (db: DB) => {
+  return await db.query.uxConfigTable.findFirst({
+    where: { singletonKey: UX_CONFIG_KEY },
+  })
+}
+
+export const ensureUxConfig = async (db: DB) => {
+  const fingerprint = await computeDeviceFingerprint()
+  const existing = await getUxConfig(db)
+
+  if (existing) {
+    if (existing.fingerprint !== fingerprint) {
+      const rows = await db
+        .update(uxConfigTable)
+        .set({ fingerprint })
+        .where(eq(uxConfigTable.id, existing.id))
+        .returning()
+      return rows[0] as (typeof rows)[number]
+    }
+    return existing
+  }
+
+  const rows = await db
+    .insert(uxConfigTable)
+    .values({
+      singletonKey: UX_CONFIG_KEY,
+      fingerprint,
+      licencePayload: null,
+      licenceSignature: null,
+      licenceId: null,
+      licenceExpireTime: null,
+    })
+    .returning()
+
+  return rows[0] as (typeof rows)[number]
+}
+
+export const setUxLicence = async (
+  db: DB,
+  licence: {
+    payload: string
+    signature: string
+    licenceId: string
+    expireTime: string
+  },
+) => {
+  const config = await ensureUxConfig(db)
+
+  const rows = await db
+    .update(uxConfigTable)
+    .set({
+      licencePayload: licence.payload,
+      licenceSignature: licence.signature,
+      licenceId: licence.licenceId,
+      licenceExpireTime: licence.expireTime,
+    })
+    .where(eq(uxConfigTable.id, config.id))
+    .returning()
+
+  return rows[0] as (typeof rows)[number]
+}
+
+export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
+  const config = await ensureUxConfig(db)
+
+  const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
+
+  return rows[0] as (typeof rows)[number]
+}
+
+export const setUxPlatformPublicKey = async (db: DB, platformPublicKey: string) => {
+  const config = await ensureUxConfig(db)
+  const shouldClearLicence = config.platformPublicKey !== platformPublicKey
+
+  const rows = await db
+    .update(uxConfigTable)
+    .set({
+      platformPublicKey,
+      ...(shouldClearLicence
+        ? {
+            licencePayload: null,
+            licenceSignature: null,
+            licenceId: null,
+            licenceExpireTime: null,
+          }
+        : {}),
+    })
+    .where(eq(uxConfigTable.id, config.id))
+    .returning()
+
+  return rows[0] as (typeof rows)[number]
+}

apps/server/turbo.json

@@ -2,9 +2,46 @@
   "$schema": "../../node_modules/turbo/schema.json",
   "extends": ["//"],
   "tasks": {
+    "build": {
+      "env": ["NODE_ENV", "VITE_*"],
+      "inputs": ["src/**", "public/**", "package.json", "tsconfig.json", "vite.config.ts"],
+      "outputs": [".output/**"]
+    },
     "compile": {
       "dependsOn": ["build"],
       "outputs": ["out/**"]
+    },
+    "compile:darwin": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:darwin:arm64": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:darwin:x64": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:linux": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:linux:arm64": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:linux:x64": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:windows": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
+    },
+    "compile:windows:x64": {
+      "dependsOn": ["build"],
+      "outputs": ["out/**"]
     }
   }
 }

apps/server/vite.config.ts

@@ -10,24 +10,21 @@ export default defineConfig({
   clearScreen: false,
   plugins: [
     tanstackDevtools(),
-    nitro({
-      preset: 'bun',
-      serveStatic: 'inline',
-    }),
-    tsconfigPaths(),
     tailwindcss(),
+    tsconfigPaths(),
     tanstackStart(),
     react({
       babel: {
         plugins: ['babel-plugin-react-compiler'],
       },
     }),
+    nitro({
+      preset: 'bun',
+      serveStatic: 'inline',
+    }),
   ],
   server: {
     port: 3000,
     strictPort: true,
-    watch: {
-      ignored: ['**/src-tauri/**'],
-    },
   },
 })

biome.json

@@ -11,7 +11,8 @@
   "formatter": {
     "enabled": true,
     "indentStyle": "space",
-    "lineEnding": "lf"
+    "lineEnding": "lf",
+    "lineWidth": 120
   },
   "linter": {
     "enabled": true,

docs/摘要+zip/EncryptionTestController.kt

@@ -0,0 +1,432 @@
+package top.tangyh.lamp.filing.controller.compress
+
+import com.fasterxml.jackson.databind.ObjectMapper
+import io.swagger.annotations.Api
+import io.swagger.annotations.ApiOperation
+import io.swagger.annotations.ApiParam
+import org.springframework.validation.annotation.Validated
+import org.springframework.web.bind.annotation.*
+import top.tangyh.basic.annotation.log.WebLog
+import top.tangyh.basic.base.R
+import top.tangyh.lamp.filing.dto.management.UploadInspectionFileV2Request
+import top.tangyh.lamp.filing.utils.AesGcmUtil
+import top.tangyh.lamp.filing.utils.HkdfUtil
+import top.tangyh.lamp.filing.utils.PgpSignatureUtil
+import java.util.*
+
+/**
+ * 加密测试工具类
+ * 
+ * 用于生成加密后的 encrypted 数据，测试 uploadInspectionFileV2Encrypted 接口
+ * 
+ * 使用说明：
+ * 1. 调用 /compression/test/generateEncrypted 接口
+ * 2. 传入 licence、fingerprint、taskId 和明文数据
+ * 3. 获取加密后的 Base64 字符串
+ * 4. 使用返回的 encrypted 数据测试 uploadInspectionFileV2Encrypted 接口
+ */
+@Validated
+@RestController
+@RequestMapping("/compression/test")
+@Api(value = "EncryptionTest", tags = ["加密测试工具"])
+class EncryptionTestController {
+
+    private val objectMapper = ObjectMapper()
+    
+    companion object {
+        private const val DEFAULT_PGP_PRIVATE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEaSZqXBYJKwYBBAHaRw8BAQdARzZ5JXreuTeTgMFwYcw0Ju7aCWmXuUMmQyff
+5vmN8RQAAP4nli0R/MTNtgx9+g5ZPyAj8XSAnjHaW9u2UJQxYhMIYw8XtBZpdHRj
+PGl0dGNAaXR0Yy5zaC5jbj6IkwQTFgoAOxYhBG8IkI1kmkNpEu8iuqWu91t6SEzN
+BQJpJmpcAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKWu91t6SEzN
+dSQBAPM5llVG0X6SBa4YM90Iqyb2jWvlNjstoF8jjPVny1CiAP4hIOUvb686oSA0
+OrS3AuICi7X/r+JnSo1Z7pngUA3VC5xdBGkmalwSCisGAQQBl1UBBQEBB0BouQlG
+hIL0bq7EbaB55s+ygLVFOfhjFA8E4fwFBFJGVAMBCAcAAP98ZXRGgzld1XUa5ZGx
+cTE+1qGZY4E4BVIeqkVxdg5tqA64iHgEGBYKACAWIQRvCJCNZJpDaRLvIrqlrvdb
+ekhMzQUCaSZqXAIbDAAKCRClrvdbekhMzcaSAQDB/4pvDuc7SploQg1fBYobFm5P
+vxguByr8I+PrYWKKOQEAnaeXT4ipi1nICXFiigztsIl2xTth3D77XG6pZUU/Zw8=
+=/k1H
+-----END PGP PRIVATE KEY BLOCK-----"""
+        
+        private const val DEFAULT_PGP_PASSPHRASE = ""
+    }
+
+    /**
+     * 生成加密数据请求 DTO
+     */
+    data class GenerateEncryptedRequest(
+        @ApiParam(value = "授权码", required = true)
+        val licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        val fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        val taskId: String,
+        
+        @ApiParam(value = "企业ID", required = true)
+        val enterpriseId: Long,
+        
+        @ApiParam(value = "检查ID", required = true)
+        val inspectionId: Long,
+        
+        @ApiParam(value = "摘要信息", required = true)
+        val summary: String
+    )
+
+    /**
+     * 生成加密数据响应 DTO
+     */
+    data class GenerateEncryptedResponse(
+        val encrypted: String,
+        val requestBody: UploadInspectionFileV2Request,
+        val plaintext: String,
+        val keyDerivationInfo: KeyDerivationInfo
+    )
+
+    /**
+     * 密钥派生信息
+     */
+    data class KeyDerivationInfo(
+        val ikm: String,
+        val salt: String,
+        val info: String,
+        val keyLength: Int,
+        val keyHex: String
+    )
+
+    /**
+     * 生成加密数据
+     * 
+     * 模拟工具箱端的加密逻辑：
+     * 1. 使用 HKDF-SHA256 派生 AES 密钥
+     *    - ikm = licence + fingerprint
+     *    - salt = taskId
+     *    - info = "inspection_report_encryption"
+     *    - length = 32 bytes
+     * 
+     * 2. 使用 AES-256-GCM 加密数据
+     *    - 格式：IV (12字节) + Ciphertext + Tag (16字节)
+     *    - Base64 编码返回
+     * 
+     * @param request 生成加密数据请求
+     * @return 加密后的数据和完整的请求体
+     */
+    @ApiOperation(value = "生成加密数据", notes = "生成加密后的 encrypted 数据，用于测试 uploadInspectionFileV2Encrypted 接口")
+    @PostMapping("/generateEncrypted")
+    @WebLog(value = "'生成加密数据:'", request = false)
+    fun generateEncrypted(
+        @RequestBody request: GenerateEncryptedRequest
+    ): R<GenerateEncryptedResponse> {
+        return try {
+            // 1. 组装明文数据（JSON格式）
+            val timestamp = System.currentTimeMillis()
+            val plaintextMap = mapOf(
+                "enterpriseId" to request.enterpriseId.toString(),
+                "inspectionId" to request.inspectionId.toString(),
+                "summary" to request.summary,
+                "timestamp" to timestamp
+            )
+            val plaintext = objectMapper.writeValueAsString(plaintextMap)
+
+            // 2. 使用 HKDF-SHA256 派生 AES 密钥
+            // ikm = licence + fingerprint
+            // salt = taskId（工具箱从二维码获取，平台从请求获取）
+            // info = "inspection_report_encryption"（固定值）
+            // length = 32 bytes
+            val ikm = "${request.licence}${request.fingerprint}"
+            val salt = request.taskId.toString()
+            val info = "inspection_report_encryption"
+            val keyLength = 32
+
+            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, keyLength)
+
+            // 3. 使用 AES-256-GCM 加密数据
+            val encrypted = AesGcmUtil.encrypt(plaintext, aesKey)
+
+            // 4. 组装完整的请求体（appid 需要前端自己赋值）
+            val requestBody = UploadInspectionFileV2Request().apply {
+                this.appid = "test-appid" // 测试用的 appid，实际使用时前端会赋值
+                this.taskId = request.taskId
+                this.encrypted = encrypted
+            }
+
+            // 5. 返回加密数据和密钥派生信息
+            val response = GenerateEncryptedResponse(
+                encrypted = encrypted,
+                requestBody = requestBody,
+                plaintext = plaintext,
+                keyDerivationInfo = KeyDerivationInfo(
+                    ikm = ikm,
+                    salt = salt,
+                    info = info,
+                    keyLength = keyLength,
+                    keyHex = aesKey.joinToString("") { "%02x".format(it) }
+                )
+            )
+
+            R.success(response, "加密数据生成成功")
+        } catch (e: Exception) {
+            R.fail("生成加密数据失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 快速生成测试数据（使用默认值）
+     * 
+     * @return 加密后的数据和完整的请求体
+     */
+    @ApiOperation(value = "快速生成测试数据", notes = "使用默认值快速生成加密数据，用于快速测试")
+    @GetMapping("/generateTestData")
+    @WebLog(value = "'快速生成测试数据:'", request = false)
+    fun generateTestData(): R<GenerateEncryptedResponse> {
+        return try {
+            // 使用默认测试数据
+            val request = GenerateEncryptedRequest(
+                licence = "TEST-LICENCE-001",
+                fingerprint = "TEST-FINGERPRINT-001",
+                taskId = "TASK-20260115-4875",
+                enterpriseId = 1173040813421105152L,
+                inspectionId = 702286470691215417L,
+                summary = "测试摘要信息"
+            )
+
+            generateEncrypted(request).data?.let {
+                R.success(it, "测试数据生成成功")
+            } ?: R.fail("生成测试数据失败")
+        } catch (e: Exception) {
+            R.fail("生成测试数据失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 验证加密数据（解密测试）
+     * 
+     * 用于验证生成的加密数据是否能正确解密
+     * 
+     * @param encrypted 加密后的 Base64 字符串
+     * @param licence 授权码
+     * @param fingerprint 硬件指纹
+     * @param taskId 任务ID
+     * @return 解密后的明文数据
+     */
+    @ApiOperation(value = "验证加密数据", notes = "解密加密数据，验证加密是否正确")
+    @PostMapping("/verifyEncrypted")
+    @WebLog(value = "'验证加密数据:'", request = false)
+    fun verifyEncrypted(
+        @ApiParam(value = "加密后的 Base64 字符串", required = true)
+        @RequestParam encrypted: String,
+        
+        @ApiParam(value = "授权码", required = true)
+        @RequestParam licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        @RequestParam fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        @RequestParam taskId: String
+    ): R<Map<String, Any>> {
+        return try {
+            // 1. 使用相同的密钥派生规则派生密钥
+            val ikm = "$licence$fingerprint"
+            val salt = taskId.toString()
+            val info = "inspection_report_encryption"
+            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
+
+            // 2. 解密数据
+            val decrypted = AesGcmUtil.decrypt(encrypted, aesKey)
+
+            // 3. 解析 JSON
+            @Suppress("UNCHECKED_CAST")
+            val dataMap = objectMapper.readValue(decrypted, Map::class.java) as Map<String, Any>
+
+            R.success(dataMap, "解密成功")
+        } catch (e: Exception) {
+            R.fail("解密失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 生成加密报告 ZIP 文件请求 DTO
+     */
+    data class GenerateEncryptedZipRequest(
+        @ApiParam(value = "授权码", required = true)
+        val licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        val fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        val taskId: String,
+        
+        @ApiParam(value = "企业ID", required = true)
+        val enterpriseId: Long,
+        
+        @ApiParam(value = "检查ID", required = true)
+        val inspectionId: Long,
+        
+        @ApiParam(value = "摘要信息", required = true)
+        val summary: String,
+        
+        @ApiParam(value = "资产信息 JSON", required = true)
+        val assetsJson: String,
+        
+        @ApiParam(value = "漏洞信息 JSON", required = true)
+        val vulnerabilitiesJson: String,
+        
+        @ApiParam(value = "弱密码信息 JSON", required = true)
+        val weakPasswordsJson: String,
+        
+        @ApiParam(value = "漏洞评估报告 HTML", required = true)
+        val reportHtml: String,
+        
+        @ApiParam(value = "PGP 私钥（可选，不提供则跳过 PGP 签名）", required = false)
+        val pgpPrivateKey: String? = null,
+        
+        @ApiParam(value = "PGP 私钥密码（可选）", required = false)
+        val pgpPassphrase: String? = null
+    )
+
+    /**
+     * 生成加密报告 ZIP 文件
+     * 
+     * 按照文档《工具箱端-报告加密与签名生成指南.md》生成加密报告 ZIP 文件
+     * 
+     * @param request 生成请求
+     * @return ZIP 文件（二进制流）
+     */
+    @ApiOperation(value = "生成加密报告 ZIP", notes = "生成带设备签名的加密报告 ZIP 文件，可被 uploadInspectionFileV2 接口解密")
+    @PostMapping("/generateEncryptedZip")
+    @WebLog(value = "'生成加密报告 ZIP:'", request = false)
+    fun generateEncryptedZip(
+        @RequestBody request: GenerateEncryptedZipRequest,
+        response: javax.servlet.http.HttpServletResponse
+    ) {
+        try {
+            // 1. 准备文件内容
+            val assetsContent = request.assetsJson.toByteArray(Charsets.UTF_8)
+            val vulnerabilitiesContent = request.vulnerabilitiesJson.toByteArray(Charsets.UTF_8)
+            val weakPasswordsContent = request.weakPasswordsJson.toByteArray(Charsets.UTF_8)
+            val reportHtmlContent = request.reportHtml.toByteArray(Charsets.UTF_8)
+
+            // 2. 生成设备签名
+            // 2.1 密钥派生
+            val ikm = "${request.licence}${request.fingerprint}"
+            val salt = "AUTH_V3_SALT"
+            val info = "device_report_signature"
+            val derivedKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
+
+            // 2.2 计算文件 SHA256
+            fun sha256Hex(content: ByteArray): String {
+                val digest = java.security.MessageDigest.getInstance("SHA-256")
+                return digest.digest(content).joinToString("") { "%02x".format(it) }
+            }
+
+            val assetsSha256 = sha256Hex(assetsContent)
+            val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
+            val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
+            val reportHtmlSha256 = sha256Hex(reportHtmlContent)
+
+            // 2.3 组装签名数据（严格顺序）
+            val signPayload = buildString {
+                append(request.taskId)
+                append(request.inspectionId)
+                append(assetsSha256)
+                append(vulnerabilitiesSha256)
+                append(weakPasswordsSha256)
+                append(reportHtmlSha256)
+            }
+
+            // 2.4 计算 HMAC-SHA256
+            val mac = javax.crypto.Mac.getInstance("HmacSHA256")
+            val secretKey = javax.crypto.spec.SecretKeySpec(derivedKey, "HmacSHA256")
+            mac.init(secretKey)
+            val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
+            val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
+
+            // 2.5 生成 summary.json
+            val summaryMap = mapOf(
+                "orgId" to request.enterpriseId,
+                "checkId" to request.inspectionId,
+                "taskId" to request.taskId,
+                "licence" to request.licence,
+                "fingerprint" to request.fingerprint,
+                "deviceSignature" to deviceSignature,
+                "summary" to request.summary
+            )
+            val summaryContent = objectMapper.writeValueAsString(summaryMap).toByteArray(Charsets.UTF_8)
+
+            // 3. 生成 manifest.json
+            val filesHashes = mapOf(
+                "summary.json" to sha256Hex(summaryContent),
+                "assets.json" to assetsSha256,
+                "vulnerabilities.json" to vulnerabilitiesSha256,
+                "weakPasswords.json" to weakPasswordsSha256,
+                "漏洞评估报告.html" to reportHtmlSha256
+            )
+            val manifest = mapOf("files" to filesHashes)
+            val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
+
+            // 4. 生成 signature.asc
+            val privateKey = request.pgpPrivateKey?.takeIf { it.isNotBlank() } ?: DEFAULT_PGP_PRIVATE_KEY
+            val passphrase = request.pgpPassphrase ?: DEFAULT_PGP_PASSPHRASE
+            
+            val signatureAsc = try {
+                PgpSignatureUtil.generateDetachedSignature(
+                    manifestContent,
+                    privateKey,
+                    passphrase
+                )
+            } catch (e: Exception) {
+                throw RuntimeException("生成 PGP 签名失败: ${e.message}", e)
+            }
+
+            // 5. 打包 ZIP 文件到内存
+            val baos = java.io.ByteArrayOutputStream()
+            java.util.zip.ZipOutputStream(baos).use { zipOut ->
+                zipOut.putNextEntry(java.util.zip.ZipEntry("summary.json"))
+                zipOut.write(summaryContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("assets.json"))
+                zipOut.write(assetsContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("vulnerabilities.json"))
+                zipOut.write(vulnerabilitiesContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("weakPasswords.json"))
+                zipOut.write(weakPasswordsContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("漏洞评估报告.html"))
+                zipOut.write(reportHtmlContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/manifest.json"))
+                zipOut.write(manifestContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/signature.asc"))
+                zipOut.write(signatureAsc)
+                zipOut.closeEntry()
+            }
+
+            val zipBytes = baos.toByteArray()
+
+            // 6. 设置响应头并输出
+            response.contentType = "application/octet-stream"
+            response.setHeader("Content-Disposition", "attachment; filename=\"report_${request.taskId}.zip\"")
+            response.setHeader("Content-Length", zipBytes.size.toString())
+            response.outputStream.write(zipBytes)
+            response.outputStream.flush()
+        } catch (e: Exception) {
+            response.reset()
+            response.contentType = "application/json; charset=UTF-8"
+            response.writer.write("{\"code\": 500, \"msg\": \"生成 ZIP 文件失败: ${e.message}\"}")
+        }
+    }
+}
+

mise.toml

@@ -1,4 +1,3 @@
 [tools]
-node = "latest"
 bun = "1"
-rust = 'latest'
+node = "24"

package.json

@@ -10,56 +10,64 @@
   "scripts": {
     "build": "turbo run build",
     "compile": "turbo run compile",
-    "deploy": "turbo run deploy",
+    "compile:darwin": "turbo run compile:darwin",
+    "compile:linux": "turbo run compile:linux",
+    "compile:windows": "turbo run compile:windows",
     "dev": "turbo run dev",
+    "dist": "turbo run dist",
+    "dist:linux": "turbo run dist:linux",
+    "dist:mac": "turbo run dist:mac",
+    "dist:win": "turbo run dist:win",
     "fix": "turbo run fix",
     "typecheck": "turbo run typecheck"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.3.12",
+    "@biomejs/biome": "^2.4.7",
-    "turbo": "^2.7.6"
+    "turbo": "^2.8.17",
+    "typescript": "^5.9.3"
   },
   "catalog": {
-    "@biomejs/biome": "^2.3.11",
+    "@orpc/client": "^1.13.7",
-    "@effect/platform": "^0.94.2",
+    "@orpc/contract": "^1.13.7",
-    "@effect/schema": "^0.75.5",
+    "@orpc/openapi": "^1.13.7",
-    "@isaacs/ttlcache": "^2.1.4",
+    "@orpc/server": "^1.13.7",
-    "@orpc/client": "^1.13.4",
+    "@orpc/tanstack-query": "^1.13.7",
-    "@orpc/contract": "^1.13.4",
+    "@orpc/zod": "^1.13.7",
-    "@orpc/openapi": "^1.13.4",
-    "@orpc/server": "^1.13.4",
-    "@orpc/tanstack-query": "^1.13.4",
-    "@orpc/zod": "^1.13.4",
     "@t3-oss/env-core": "^0.13.10",
-    "@tailwindcss/vite": "^4.1.18",
+    "@tailwindcss/vite": "^4.2.1",
-    "@tanstack/devtools-vite": "^0.4.1",
+    "@tanstack/devtools-vite": "^0.5.5",
-    "@tanstack/react-devtools": "^0.9.2",
+    "@tanstack/react-devtools": "^0.9.13",
-    "@tanstack/react-query": "^5.90.20",
+    "@tanstack/react-query": "^5.90.21",
-    "@tanstack/react-query-devtools": "^5.91.2",
+    "@tanstack/react-query-devtools": "^5.91.3",
-    "@tanstack/react-router": "^1.157.14",
+    "@tanstack/react-router": "^1.167.3",
-    "@tanstack/react-router-devtools": "^1.157.14",
+    "@tanstack/react-router-devtools": "^1.166.9",
-    "@tanstack/react-router-ssr-query": "^1.157.14",
+    "@tanstack/react-router-ssr-query": "^1.166.9",
-    "@tanstack/react-start": "^1.157.14",
+    "@tanstack/react-start": "^1.166.14",
-    "@types/better-sqlite3": "^7.6.12",
+    "@types/bun": "^1.3.10",
-    "@types/bun": "^1.3.6",
+    "@types/node": "^24.12.0",
-    "@vitejs/plugin-react": "^5.1.2",
+    "@vitejs/plugin-react": "^5.2.0",
     "babel-plugin-react-compiler": "^1.0.0",
-    "drizzle-kit": "^0.31.8",
+    "drizzle-kit": "1.0.0-beta.15-859cf75",
-    "drizzle-orm": "^0.45.1",
+    "drizzle-orm": "1.0.0-beta.15-859cf75",
-    "drizzle-zod": "^0.8.3",
+    "electron": "^34.0.0",
-    "effect": "^3.19.15",
+    "electron-builder": "^26.8.1",
-    "nitro": "npm:nitro-nightly@3.0.1-20260125-215009-8882bc9e",
+    "electron-vite": "^5.0.0",
-    "ohash": "^2.0.11",
+    "jszip": "^3.10.1",
-    "better-sqlite3": "^11.8.1",
+    "lossless-json": "^4.3.0",
-    "react": "^19.2.3",
+    "motion": "^12.36.0",
-    "react-dom": "^19.2.3",
+    "nitro": "npm:nitro-nightly@3.0.1-20260315-195328-c31268c6",
-    "tailwindcss": "^4.1.18",
+    "openpgp": "^6.0.1",
-    "turbo": "^2.7.5",
+    "react": "^19.2.4",
-    "typescript": "^5.9.3",
+    "react-dom": "^19.2.4",
+    "tailwindcss": "^4.2.1",
+    "tree-kill": "^1.2.2",
     "uuid": "^13.0.0",
-    "systeminformation": "^5.30.6",
+    "vite": "^8.0.0",
-    "vite": "^8.0.0-beta.10",
+    "vite-tsconfig-paths": "^6.1.1",
-    "vite-tsconfig-paths": "^6.0.5",
+    "systeminformation": "^5.31.4",
     "zod": "^4.3.6"
+  },
+  "overrides": {
+    "@types/node": "catalog:"
   }
 }

packages/crypto/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@furtherverse/crypto",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "dependencies": {
+    "node-forge": "^1.3.3",
+    "openpgp": "catalog:"
+  },
+  "devDependencies": {
+    "@furtherverse/tsconfig": "workspace:*",
+    "@types/bun": "catalog:",
+    "@types/node-forge": "^1.3.14"
+  }
+}

packages/crypto/src/aes-gcm.ts

@@ -0,0 +1,53 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
+
+const GCM_IV_LENGTH = 12 // 96 bits
+const GCM_TAG_LENGTH = 16 // 128 bits
+const ALGORITHM = 'aes-256-gcm'
+
+/**
+ * AES-256-GCM encrypt.
+ *
+ * Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
+ *
+ * @param plaintext - UTF-8 string to encrypt
+ * @param key - 32-byte AES key
+ * @returns Base64-encoded encrypted data
+ */
+export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
+  const iv = randomBytes(GCM_IV_LENGTH)
+  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
+
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
+  const tag = cipher.getAuthTag()
+
+  // Layout: IV + ciphertext + tag
+  const combined = Buffer.concat([iv, encrypted, tag])
+  return combined.toString('base64')
+}
+
+/**
+ * AES-256-GCM decrypt.
+ *
+ * Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted data
+ * @param key - 32-byte AES key
+ * @returns Decrypted UTF-8 string
+ */
+export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
+  const data = Buffer.from(encryptedBase64, 'base64')
+
+  if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
+    throw new Error('Encrypted data too short: must contain IV + tag at minimum')
+  }
+
+  const iv = data.subarray(0, GCM_IV_LENGTH)
+  const tag = data.subarray(data.length - GCM_TAG_LENGTH)
+  const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
+  decipher.setAuthTag(tag)
+
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+  return decrypted.toString('utf-8')
+}

packages/crypto/src/hash.ts

@@ -0,0 +1,15 @@
+import { createHash } from 'node:crypto'
+
+/**
+ * Compute SHA-256 hash and return raw Buffer.
+ */
+export const sha256 = (data: string | Buffer): Buffer => {
+  return createHash('sha256').update(data).digest()
+}
+
+/**
+ * Compute SHA-256 hash and return lowercase hex string.
+ */
+export const sha256Hex = (data: string | Buffer): string => {
+  return createHash('sha256').update(data).digest('hex')
+}

packages/crypto/src/hkdf.ts

@@ -0,0 +1,15 @@
+import { hkdfSync } from 'node:crypto'
+
+/**
+ * Derive a key using HKDF-SHA256.
+ *
+ * @param ikm - Input keying material (string, will be UTF-8 encoded)
+ * @param salt - Salt value (string, will be UTF-8 encoded)
+ * @param info - Info/context string (will be UTF-8 encoded)
+ * @param length - Output key length in bytes (default: 32 for AES-256)
+ * @returns Derived key as Buffer
+ */
+export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
+  const derived = hkdfSync('sha256', ikm, salt, info, length)
+  return Buffer.from(derived)
+}

packages/crypto/src/hmac.ts

@@ -0,0 +1,23 @@
+import { createHmac } from 'node:crypto'
+
+/**
+ * Compute HMAC-SHA256 and return Base64-encoded signature.
+ *
+ * @param key - HMAC key (Buffer)
+ * @param data - Data to sign (UTF-8 string)
+ * @returns Base64-encoded HMAC-SHA256 signature
+ */
+export const hmacSha256Base64 = (key: Buffer, data: string): string => {
+  return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
+}
+
+/**
+ * Compute HMAC-SHA256 and return raw Buffer.
+ *
+ * @param key - HMAC key (Buffer)
+ * @param data - Data to sign (UTF-8 string)
+ * @returns HMAC-SHA256 digest as Buffer
+ */
+export const hmacSha256 = (key: Buffer, data: string): Buffer => {
+  return createHmac('sha256', key).update(data, 'utf-8').digest()
+}

packages/crypto/src/index.ts

@@ -0,0 +1,7 @@
+export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
+export { sha256, sha256Hex } from './hash'
+export { hkdfSha256 } from './hkdf'
+export { hmacSha256, hmacSha256Base64 } from './hmac'
+export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
+export { rsaOaepEncrypt } from './rsa-oaep'
+export { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'

packages/crypto/src/pgp.ts

@@ -0,0 +1,79 @@
+import * as openpgp from 'openpgp'
+
+/**
+ * Generate an OpenPGP RSA key pair.
+ *
+ * @param name - User name for the key
+ * @param email - User email for the key
+ * @returns ASCII-armored private and public keys
+ */
+export const generatePgpKeyPair = async (
+  name: string,
+  email: string,
+): Promise<{ privateKey: string; publicKey: string }> => {
+  const { privateKey, publicKey } = await openpgp.generateKey({
+    type: 'rsa',
+    rsaBits: 2048,
+    userIDs: [{ name, email }],
+    format: 'armored',
+  })
+
+  return { privateKey, publicKey }
+}
+
+/**
+ * Create a detached OpenPGP signature for the given data.
+ *
+ * @param data - Raw data to sign (Buffer or Uint8Array)
+ * @param armoredPrivateKey - ASCII-armored private key
+ * @returns ASCII-armored detached signature (signature.asc content)
+ */
+export const validatePgpPrivateKey = async (armoredKey: string): Promise<void> => {
+  await openpgp.readPrivateKey({ armoredKey })
+}
+
+export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
+  const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
+  const message = await openpgp.createMessage({ binary: data })
+
+  const signature = await openpgp.sign({
+    message,
+    signingKeys: privateKey,
+    detached: true,
+    format: 'armored',
+  })
+
+  return signature as string
+}
+
+/**
+ * Verify a detached OpenPGP signature.
+ *
+ * @param data - Original data (Buffer or Uint8Array)
+ * @param armoredSignature - ASCII-armored detached signature
+ * @param armoredPublicKey - ASCII-armored public key
+ * @returns true if signature is valid
+ */
+export const pgpVerifyDetached = async (
+  data: Uint8Array,
+  armoredSignature: string,
+  armoredPublicKey: string,
+): Promise<boolean> => {
+  const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
+  const signature = await openpgp.readSignature({ armoredSignature })
+  const message = await openpgp.createMessage({ binary: data })
+
+  const verificationResult = await openpgp.verify({
+    message,
+    signature,
+    verificationKeys: publicKey,
+  })
+
+  const { verified } = verificationResult.signatures[0]!
+  try {
+    await verified
+    return true
+  } catch {
+    return false
+  }
+}

packages/crypto/src/rsa-oaep.ts

@@ -0,0 +1,32 @@
+import forge from 'node-forge'
+
+/**
+ * RSA-OAEP encrypt with platform public key.
+ *
+ * Matches Java's {@code Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")}
+ * with **default SunJCE parameters**:
+ *
+ * | Parameter | Value  |
+ * |-----------|--------|
+ * | OAEP hash | SHA-256|
+ * | MGF1 hash | SHA-1  |
+ *
+ * Node.js `crypto.publicEncrypt({ oaepHash })` ties both hashes together,
+ * so we use `node-forge` which allows independent configuration.
+ *
+ * @param plaintext - UTF-8 string to encrypt
+ * @param publicKeyBase64 - Platform RSA public key (X.509 / SPKI DER, Base64)
+ * @returns Base64-encoded ciphertext
+ */
+export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
+  const derBytes = forge.util.decode64(publicKeyBase64)
+  const asn1 = forge.asn1.fromDer(derBytes)
+  const publicKey = forge.pki.publicKeyFromAsn1(asn1) as forge.pki.rsa.PublicKey
+
+  const encrypted = publicKey.encrypt(plaintext, 'RSA-OAEP', {
+    md: forge.md.sha256.create(),
+    mgf1: { md: forge.md.sha1.create() },
+  })
+
+  return forge.util.encode64(encrypted)
+}

packages/crypto/src/rsa-signature.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it } from 'bun:test'
+import { constants, createSign, generateKeyPairSync } from 'node:crypto'
+import { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
+
+describe('rsaVerifySignature', () => {
+  it('verifies SHA256withRSA signatures over raw payload bytes', () => {
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+    const payload = Buffer.from('eyJsaWNlbmNlX2lkIjoiTElDLTAwMSIsImV4cGlyZV90aW1lIjoiMjAyNy0wMy0xOSJ9', 'utf-8')
+
+    const signer = createSign('RSA-SHA256')
+    signer.update(payload)
+    signer.end()
+
+    const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING })
+    const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
+
+    expect(rsaVerifySignature(payload, signature, publicKeyBase64)).toBe(true)
+    expect(rsaVerifySignature(Buffer.from(`${payload}x`, 'utf-8'), signature, publicKeyBase64)).toBe(false)
+  })
+
+  it('rejects malformed SPKI public keys', () => {
+    expect(() => validateRsaPublicKey('not-a-public-key')).toThrow()
+  })
+})