imbytecat/fullstack-starter
1
1
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: imbytecat:backup/ux
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux
..
compare: imbytecat:eb2f6554b2c9c4ef6702b9c6f42c116fd2a9249e
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux

102 Commits
backup/ux ... eb2f6554b2

Author SHA1 Message Date
imbytecat
eb2f6554b2 docs: 更新 signAndPackReport 为 multipart 文件上传说明 2026-03-05 16:32:49 +08:00
imbytecat
58d57fa148 refactor(server): 使用 multipart File 替代报告 ZIP 的 base64 上传 2026-03-05 16:32:41 +08:00
imbytecat
509860bba8 docs: 补充 UX 集成模式与授权对接说明 2026-03-05 16:24:21 +08:00
imbytecat
4e7c4e1aa5 feat(server): 实现设备授权与报告 ZIP 签名打包接口 2026-03-05 16:24:10 +08:00
imbytecat
8261409d7d refactor(server): 切换 SQLite 并重建设备/任务表结构 2026-03-05 16:23:30 +08:00
imbytecat
d2eb98d612 feat: 新增共享加密包并引入 ZIP/PGP 依赖 2026-03-05 16:23:13 +08:00
imbytecat
9d8a38a4c4 fix: 修正 ORPC handler 语义、加固 Electron 安全、优化构建与运行时配置 
- todo.router: create 错误码 NOT_FOUND → INTERNAL_SERVER_ERROR,remove 增加存在性检查
- __root: devtools 仅在 DEV 环境渲染
- Electron: 添加 will-navigate 导航拦截、显式安全 webPreferences、deny-all 权限请求
- sidecar: 空 catch 块补充意图注释,新增 lastResolvedUrl getter
- todo.contract: 硬编码 omit 改用 generatedFieldKeys
- router: QueryClient 添加 staleTime/retry 默认值
- turbo: build 任务精细化 inputs 提升缓存命中率
- fields: id() 改为模块私有
 2026-03-05 14:06:43 +08:00
imbytecat
cd7448c3b3 docs: 统一使用 bun run <script> 避免与 Bun 内置子命令冲突 
bun build 会调用 Bun 内置 bundler 而非 package.json script,
将所有文档中的 bun <script> 改为 bun run <script> 以避免歧义。
bun test 保留不变(直接使用 Bun 内置 test runner)。
 2026-03-05 12:57:26 +08:00
imbytecat
58d7a453b6 style: 将 biome lineWidth 从默认 80 调整为 120 2026-03-05 12:28:18 +08:00
imbytecat
afc3b66efa refactor: 移除根 package.json 中冗余的 --filter 参数 
Turbo 会自动只在定义了对应 script 的包上执行任务,无需手动指定 filter。
 2026-03-05 12:08:48 +08:00
imbytecat
3c97e9c3eb refactor: 移除根 turbo.json 中冗余的 compile/dist 任务定义 
子包 turbo.json(extends root)已各自定义了完整配置,
根级重复注册无实际作用。
 2026-03-05 12:06:11 +08:00
imbytecat
58620b4d4b feat: 补充 root compile/dist 脚本,通过 Turbo filter 委托到对应 app 2026-03-05 11:56:49 +08:00
imbytecat
04b8dedb3e fix: 修正 middleware 导入路径、清理 catalog 冗余项、同步文档 2026-03-05 11:22:49 +08:00
imbytecat
02bdfffe79 refactor(client): 合并 orpc.ts 和 query-client.ts 为单文件,遵循 ORPC 官方模式 2026-03-05 11:05:53 +08:00
imbytecat
0cd8b57d24 refactor: 优化项目结构 — 修复拼写、提取共享 interceptor、扁平化 db 目录、清理空包 2026-03-05 10:58:55 +08:00
imbytecat
0438b52c93 refactor(db): 移除 drizzle() 多余的 schema 参数,RQBv2 只需 relations 2026-03-05 10:37:47 +08:00
imbytecat
fd9478d64e docs: 同步 AGENTS.md 至 Drizzle v1 beta 并添加开发原则 
- 所有 AGENTS.md 新增「开发原则」:不向后兼容、改代码必须同步文档、前向迁移
- 根 AGENTS.md: 更新 Database 段落为 Drizzle v1 beta + postgres-js + RQBv2
- server AGENTS.md: 更新 tech stack、目录结构、ORPC 示例、数据库段落
  - drizzle-zod → drizzle-orm/zod
  - bun-sql → postgres-js
  - RQBv1 回调 → RQBv2 对象语法
  - 新增 relations.ts 和 DB instance 示例
- desktop AGENTS.md: 添加开发原则和文档同步规则
 2026-03-05 10:21:31 +08:00
imbytecat
73614204f7 chore(deps): 升级 Drizzle ORM 到 1.0 beta 并迁移至 RQBv2 
- drizzle-orm/drizzle-kit 从 0.45.1/0.31.9 升级到 1.0.0-beta.15
- 移除独立的 drizzle-zod 包,改用 drizzle-orm/zod 内置导入
- DB driver 从 bun-sql 切换到 postgres-js
- 新增 defineRelations 入口 (RQBv2)
- 查询语法迁移到 RQBv2 对象风格 orderBy
 2026-03-05 10:17:10 +08:00
imbytecat
61e7a1b621 chore(deps): 升级依赖并同步 VSCode 配置 2026-03-05 10:00:13 +08:00
imbytecat
5ccde0a121 fix(server): 避免 SSR 导入 *.client 模块导致构建失败 2026-02-26 12:09:45 +08:00
imbytecat
0553347bfe chore(deps): 升级 TanStack Start 与构建相关依赖 2026-02-26 12:09:37 +08:00
imbytecat
52af81b079 ci(gitea): 移除 Gitea Actions 工作流 2026-02-17 18:30:38 +08:00
imbytecat
527c1d1020 ci(gitea): 将 dist 工作流重命名为 release 并上传 AppImage 产物
All checks were successful
Release / release (push) Successful in 52s
Details
2026-02-17 18:21:54 +08:00
imbytecat
4ed961760a ci(gitea): 升级 mise action 并补充版本输出
All checks were successful
Build Dist / dist (push) Successful in 1m5s
Details
2026-02-17 18:00:32 +08:00
imbytecat
c54b7d27a6 ci(gitea): 新增 mise + turbo dist 构建工作流
Some checks failed
Build Dist / dist (push) Has been cancelled
Details
2026-02-17 17:52:28 +08:00
imbytecat
d478b94c13 chore(server): 切换 Bun 运行链路并同步升级核心依赖 2026-02-17 17:43:07 +08:00
imbytecat
908b369732 fix(server): 使用 SubmitEventHandler 消除 React 19 弃用告警 2026-02-16 05:30:44 +08:00
imbytecat
51724a7936 feat(desktop): 调整启动页 logo 与加载动画视觉 2026-02-16 05:18:27 +08:00
imbytecat
93a2519012 feat(desktop): 迁移启动页到 React 并接入 Motion 动画 2026-02-16 05:10:15 +08:00
imbytecat
5edab0ba1d feat(desktop): 恢复启动加载页并在服务就绪后切换 2026-02-16 04:28:37 +08:00
imbytecat
a451e08209 fix(server): 移除重复的 NODE_ENV 环境变量声明 2026-02-16 04:09:14 +08:00
imbytecat
e76a03d0f4 feat(desktop): 拆分 sidecar 管理并接入健康检查路由 2026-02-16 04:06:41 +08:00
imbytecat
aa1e2c81c6 chore: remove unused fingerprint utility and stale deps 2026-02-16 03:03:33 +08:00
imbytecat
7e2621ae37 chore(build): 调整脚本顺序并移除多余空行 2026-02-16 00:05:22 +08:00
imbytecat
94a9122f34 feat(build): 统一编译命令并默认启用双架构 2026-02-15 23:48:37 +08:00
imbytecat
275c8e4795 docs(agents): 同步多架构构建与打包命令说明 2026-02-15 23:32:32 +08:00
imbytecat
8245abe217 feat(build): 支持桌面端多架构打包矩阵 2026-02-15 23:26:00 +08:00
imbytecat
627e6f9dd3 chore: bump dependency catalog and lockfile versions 2026-02-15 22:01:03 +08:00
imbytecat
e59e085217 chore(vscode): remove unused extension recommendations 2026-02-15 21:51:36 +08:00
imbytecat
cd9826ded3 chore(desktop): tweak electron-vite dev watch and remove redundant --config flags 2026-02-09 04:19:53 +08:00
imbytecat
2efc57d9ee feat(desktop): show native error dialogs on startup failures 
Replace silent console.error + app.quit() with dialog.showErrorBox()
so users actually see why the app failed to start instead of it just
disappearing. Covers server spawn errors, timeout, port allocation
failure, mid-session server crashes, and window creation failures.
 2026-02-09 03:35:24 +08:00
imbytecat
1f5940438a fix(desktop): use array format for win target in electron-builder config 2026-02-09 03:16:48 +08:00
imbytecat
0bab6372ac chore(desktop): reorganize electron-builder config and refine packaging targets 2026-02-09 03:15:01 +08:00
imbytecat
5f0c9d33cb chore 2026-02-09 02:58:43 +08:00
imbytecat
73982939a8 chore(desktop): add app icon and track resources directory 2026-02-09 02:51:56 +08:00
imbytecat
10c2d61523 fix(desktop): use CJS for preload script to fix sandbox loading error 2026-02-09 02:17:57 +08:00
imbytecat
18ce05854a feat(server): add NODE_ENV to shared env schema 2026-02-09 01:59:45 +08:00
imbytecat
7eccef5d8f chore(desktop): remove redundant config fields for KISS 2026-02-09 01:41:34 +08:00
imbytecat
41667cb33b refactor(desktop): simplify main process logic and improve naming 
- Remove logLifecycle wrapper, inline the conditional logging
- Remove redundant shouldAbortWindowLoad check before final loadURL
- Rename getServerUrl to resolveServerUrl to reflect side effects
- Add .catch on createWindow to prevent silent async failures
 2026-02-09 01:27:29 +08:00
imbytecat
00c944e1b5 refactor(desktop): 精简主进程启动与退出逻辑并减少打包态日志噪音 2026-02-09 01:13:08 +08:00
imbytecat
f9edfd0058 fix(desktop): guard shutdown race and kill sidecar process tree 2026-02-09 00:57:30 +08:00
imbytecat
9aea89e16d fix(desktop): force app exit on windows window close 2026-02-09 00:40:01 +08:00
imbytecat
26b74b25f2 fix(desktop): use stdio ignore for sidecar to prevent process hang on quit 
Piped stdio handles kept the event loop alive on Windows after killing
the sidecar process, preventing the Electron app from exiting.
 2026-02-09 00:23:05 +08:00
imbytecat
ccf220fc29 fix(desktop): ensure sidecar process stops on app shutdown 2026-02-08 23:59:54 +08:00
imbytecat
a585069cdc refactor: rename compile:mac/win to compile:darwin/windows to match Bun target names 2026-02-08 23:39:30 +08:00
imbytecat
b149cc5dc0 refactor: decentralize turbo task config — move compile/dist to workspace turbo.json 
Sink package-specific tasks from root turbo.json into workspace configs:
- compile/compile:* → apps/server/turbo.json (only server compiles binaries)
- dist/dist:* → apps/desktop/turbo.json (only desktop distributes)
- Cross-package deps (desktop→server#compile) owned by desktop config
- Desktop dist scripts no longer bypass Turbo by calling bun run build

Root turbo.json reduced from 16 to 4 generic lifecycle tasks.
 2026-02-08 23:26:24 +08:00
imbytecat
9f38636d76 refactor(server): use Bun.Build.CompileTarget and derive host target instead of manual map 2026-02-08 22:47:39 +08:00
imbytecat
63906ec09b refactor(server): use util.parseArgs for declarative CLI arg parsing in compile.ts 2026-02-08 22:38:49 +08:00
imbytecat
8c4e4ad150 refactor(server): use type guard to eliminate as Target casts in compile.ts 2026-02-08 22:33:02 +08:00
imbytecat
e171db8196 refactor: simplify compile.ts to single-target and add per-platform compile scripts 
- Rewrite compile.ts from 112 to 66 lines: single target with auto-detect host, remove multi-target batch logic
- Add compile:linux/mac/win scripts to server, root, and turbo configs
- Wire desktop dist:* to depend on matching server compile:* (avoid unnecessary cross-platform compilation)
- Update AGENTS.md docs across root, server, and desktop
 2026-02-08 22:25:30 +08:00
imbytecat
dac6bb1643 refactor: 统一打包命令为 dist 体系,build 仅编译不打包 
- build:linux/mac/win → dist/dist:linux/dist:mac/dist:win
- Turbo 任务依赖:desktop#dist:* → server#compile → server#build
- 根目录 bun dist 一条命令完成完整打包流水线
- 更新 AGENTS.md 文档同步命令变更
 2026-02-08 20:48:58 +08:00
imbytecat
8c0ea632d7 style(desktop): 规范 package.json 字段排序 2026-02-08 20:31:17 +08:00
imbytecat
db23ee42fc chore: 更新 lockfile 依赖版本 2026-02-08 20:26:16 +08:00
imbytecat
0784546e50 fix(desktop): 修复 artifactName 路径错误并移除 deb 构建目标 
scoped package name 中的 / 导致 ${name} 作为路径出错,改用 ${productName};
移除 deb target(fpm 依赖不可用);补充 package.json 元信息字段
 2026-02-08 20:03:47 +08:00
imbytecat
2fe3e15659 refactor: 重命名 build.ts → compile.ts,统一脚本与文件命名 
- compile 脚本调用 compile.ts,消除与 build 的歧义
- desktop turbo.json 添加 build outputs 缓存配置
 2026-02-08 19:46:04 +08:00
imbytecat
ed02993350 style(desktop): loading 页面改为白色轻盈主题 2026-02-08 19:40:20 +08:00
imbytecat
e4e5ff2211 chore: 移除 useSortedClasses 规则,等待 nursery 毕业后再启用 2026-02-08 19:19:18 +08:00
imbytecat
d69a573a33 feat: 为 desktop/server 添加 Tailwind CSS 支持和 Biome 集成 
- desktop renderer 接入 @tailwindcss/vite,loading 页面改用 Tailwind 类
- 两个 app 添加 biome.json 继承配置:tailwindDirectives + useSortedClasses
 2026-02-08 19:17:53 +08:00
imbytecat
6cc1bc6834 refactor(desktop): 用类型收窄替代 as AddressInfo 断言 2026-02-08 19:03:13 +08:00
imbytecat
894fd17d1a fix(desktop): 动态分配 sidecar 端口替代硬编码,避免端口冲突 
使用 net.createServer().listen(0) 探测可用端口,通过 PORT 环境变量
传递给 sidecar binary(VS Code language server 同款模式)
 2026-02-08 18:38:45 +08:00
imbytecat
888f20fdab fix(desktop): 加载 loading 页面作为启动屏,配置平台级 extraResources 对接交叉编译 
- main process 启动时先加载 renderer/index.html 显示 spinner
- electron-builder 按平台引用 server/out/ 下对应架构的 sidecar binary
- 移除 mise.toml 中无关的 rust 工具配置
 2026-02-08 18:21:40 +08:00
imbytecat
7318600e20 refactor(desktop): 替换 WebUI 为 Electron + electron-vite 桌面壳方案 
- 使用 electron-vite 构建 main/preload,electron-builder 打包分发
- main process: dev 模式直连 localhost:3000,生产模式 spawn sidecar binary
- 添加 loading 页面,server 就绪前显示加载动画
- 更新 catalog 依赖: electron, electron-vite, electron-builder
- 移除 @webui-dev/bun-webui 依赖
 2026-02-08 18:16:13 +08:00
imbytecat
e8e473b357 refactor(desktop): 替换 Electrobun 为 WebUI 作为桌面窗口方案 
Electrobun 太不稳定,改用 webui-dev/webui(轻量 C 库,~300KB)通过
系统浏览器或 WebView 提供桌面窗口。已验证 bun:ffi 加载和
bun build --compile 均正常工作。

- 移除 electrobun 依赖和配置
- 添加 @webui-dev/bun-webui 依赖
- 重写桌面入口为 WebUI 窗口方案
- 移除 Conveyor 打包工具(mise.toml)
 2026-02-08 04:15:34 +08:00
imbytecat
41d97ca312 refactor(deps): 将 @hydraulic/conveyor 从 bun 依赖迁移到 mise 全局工具 2026-02-08 03:21:38 +08:00
imbytecat
cfe7de2a70 chore(deps): 添加 @hydraulic/conveyor 依赖到 desktop 应用 2026-02-08 03:11:43 +08:00
imbytecat
b87de26e17 chore(deps): 升级 TanStack devtools 和 vite-tsconfig-paths 依赖版本 2026-02-08 02:41:22 +08:00
imbytecat
b8d38872ad refactor(desktop): 优化 Electrobun 构建配置 
- 从 package.json 动态读取版本号替代硬编码
- 启用所有平台的 CEF 捆绑
- 将构建目标从配置文件移至 CLI 参数
- 启用 asar 打包并为 dev 脚本添加 --env=dev 标志
 2026-02-08 02:38:37 +08:00
imbytecat
7450c685d3 chore: 移除已完成的 electrobun 生产模式计划文档 2026-02-08 00:40:43 +08:00
imbytecat
2048f73155 refactor(server): 按照官方推荐顺序重排 Vite 插件并清理冗余配置 2026-02-07 22:13:16 +08:00
imbytecat
70b5d27493 chore(desktop): 添加 win-x64 构建目标 2026-02-07 21:04:39 +08:00
imbytecat
5d5d3a51f6 chore(desktop): 禁用 mac 和 win 平台的 CEF 捆绑 2026-02-07 20:57:58 +08:00
imbytecat
3306e18395 refactor(desktop): 使用预分配端口替代 stdout 解析获取服务器端口 2026-02-07 19:32:56 +08:00
imbytecat
14bcdb33af chore(deps): 升级 TanStack 路由和 Start 依赖版本 2026-02-07 19:11:28 +08:00
imbytecat
cc81d95178 chore(desktop): 升级 electrobun 至 1.12.0-beta.1 2026-02-07 19:10:33 +08:00
imbytecat
55d45e6a49 docs(desktop): 更新 AGENTS.md 文档与开发计划以反映最新实现 2026-02-07 18:49:50 +08:00
imbytecat
b7a6a793a3 feat(desktop): 实现生产模式下的内嵌服务器子进程支持 2026-02-07 18:49:41 +08:00
imbytecat
6b12745e50 chore(desktop): 更新应用名称、标识符和版本号 2026-02-07 17:46:00 +08:00
imbytecat
989d8973f5 chore(desktop): 简化构建和开发脚本 2026-02-07 17:16:32 +08:00
imbytecat
41e79449ce docs: 更新 AGENTS.md 适配 Electrobun 替代 Tauri 2026-02-07 17:00:52 +08:00
imbytecat
4bbb0c4a16 refactor(server): simplify build script, remove Effect dependency 2026-02-07 16:44:56 +08:00
imbytecat
2b3026cf69 chore(turbo): simplify and optimize monorepo configuration 2026-02-07 16:35:30 +08:00
imbytecat
adb14cff77 chore: 重构 Turbo 构建配置并强化 Bun 专用说明 
将应用特定的构建输出配置下沉至各自 turbo.json,根级 build 任务添加拓扑依赖;AGENTS.md 统一添加 Bun 专用运行时警告;桌面端启用 Linux CEF 渲染器。
 2026-02-07 16:14:55 +08:00
imbytecat
44ca7a0f5e chore: 扩展 Turbo build 任务的输出目录配置 2026-02-07 07:06:55 +08:00
imbytecat
59b4edc2d2 chore(desktop): 降级 electrobun 至 0.8.0 稳定版 2026-02-07 06:59:19 +08:00
imbytecat
9d0e9a6aac chore(desktop): 添加 .gitignore 和多平台构建脚本 2026-02-07 06:29:08 +08:00
imbytecat
f758fd5947 chore: 更新 bun.lock 锁文件 2026-02-07 06:15:52 +08:00
imbytecat
26f9421130 chore: 统一 Node/TypeScript 配置并修复桌面端类型环境 2026-02-07 05:53:38 +08:00
imbytecat
29969550ed refactor(desktop): 从 Tauri 迁移到 Electrobun 
- 移除 Tauri v2 代码 (src-tauri/, copy.ts)
- 添加 Electrobun 配置和入口 (electrobun.config.ts, src/bun/index.ts)
- 更新 package.json 使用 catalog 管理 electrobun 依赖
- 移除 server 中的 @tauri-apps/api 依赖
- 更新 AGENTS.md 文档
 2026-02-07 05:04:53 +08:00
imbytecat
9aa3b46ee5 chore(desktop): 更新 Cargo 依赖 2026-02-07 03:45:08 +08:00
imbytecat
f3ea0f0789 chore: 更新依赖版本 2026-02-07 03:32:42 +08:00
imbytecat
bde325d9ae chore: 更新 biome 和 turbo 依赖版本 2026-02-07 03:31:01 +08:00
imbytecat
e41c4e4515 docs: 更新 AGENTS.md 文档结构和内容 
- 新增根目录 AGENTS.md 作为 monorepo 总览
- 移动 desktop AGENTS.md 从 src-tauri/ 到 apps/desktop/
- 修正 server AGENTS.md 目录结构 (src/server/api/ 而非 src/orpc/)
- 明确 desktop 为纯 Tauri 壳子,无前端代码,通过 sidecar 加载 server
 2026-02-07 03:29:51 +08:00
104 changed files with 6184 additions and 3166 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -9,6 +9,11 @@
# Bun build # Bun build
*.bun-build *.bun-build
# SQLite database files
*.db
*.db-wal
*.db-shm
# Turborepo # Turborepo
.turbo/ .turbo/

8
.sisyphus/notepads/fingerprint-migration/decisions.md
View File

@@ -1,8 +0,0 @@
## Migration Decisions
- **Library**: `@isaacs/ttlcache` v2.1.4
- **Rationale**: Minimal, zero-dependency, specialized for TTL, well-maintained.
- **Cache Key**: Fixed string `'fingerprint'` since we only cache one result.
- **Max Items**: 1 (singleton fingerprint).
- **Default TTL**: 10 minutes (compatible with previous implementation).

8
.sisyphus/notepads/fingerprint-migration/learnings.md
View File

@@ -1,8 +0,0 @@
## @isaacs/ttlcache Migration Learnings
- Successfully replaced manual TTL cache with `@isaacs/ttlcache` in `fingerprint.ts`.
- Use `catalog:` for dependency management in the Bun monorepo.
- `TTLCache` does not handle in-flight request deduplication, so the `inFlight` Promise pattern was preserved.
- Alphabetical sorting in `package.json` catalog is important for consistency.
- Biome handles import organization and formatting; `bun fix` should be run after manual edits.

3
.sisyphus/notepads/license-activation/decisions.md
View File

@@ -1,3 +0,0 @@
## Decisions
- Renamed `db` middleware to `dbProvider` as requested, while keeping `db` as an alias to avoid breaking existing routers.

4
.sisyphus/notepads/license-activation/issues.md
View File

@@ -1,4 +0,0 @@
## Issues encountered
- `db:migrate` failed due to `device_info` table already existing in the local SQLite database. Resolved by using `db:push` which is suitable for dev environments.
- `lsp_diagnostics` was not available, used `bun typecheck` (`tsc --noEmit`) instead.

7
.sisyphus/notepads/license-activation/learnings.md
View File

@@ -1,7 +0,0 @@
## License Activation Implementation
- Created `license_activation` table for better semantic clarity.
- Implemented `ensureLicenseActivationInitialized` with UPSERT logic and singleton pattern.
- Added ORPC endpoints `license.getActivation` and `license.activate`.
- Used `db:push` to handle migration in dev environment when conflicts occur.
- Fixed type mismatch in `device.router.ts` where `Date` was returned instead of `number` for timestamp fields.

5
.vscode/extensions.json vendored
View File

@@ -2,11 +2,8 @@
"recommendations": [ "recommendations": [
"biomejs.biome", "biomejs.biome",
"hverlin.mise-vscode", "hverlin.mise-vscode",
"mikestead.dotenv",
"oven.bun-vscode", "oven.bun-vscode",
"redhat.vscode-yaml", "redhat.vscode-yaml",
"rust-lang.rust-analyzer", "tamasfe.even-better-toml"
"tamasfe.even-better-toml",
"tauri-apps.tauri-vscode"
] ]
} }

43
.vscode/settings.json vendored
View File

@@ -1,49 +1,42 @@
{ {
// Disable the default formatter & linter, use biome instead
"prettier.enable": false,
"eslint.enable": false,
// Auto fix
"editor.codeActionsOnSave": {
"source.fixAll.biome": "explicit",
"source.organizeImports.biome": "explicit"
},
"editor.defaultFormatter": "biomejs.biome",
"editor.formatOnSave": true,
"[javascript]": { "[javascript]": {
"editor.defaultFormatter": "biomejs.biome" "editor.defaultFormatter": "biomejs.biome"
}, },
"[javascriptreact]": { "[javascriptreact]": {
"editor.defaultFormatter": "biomejs.biome" "editor.defaultFormatter": "biomejs.biome"
}, },
"[typescript]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[typescriptreact]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[json]": { "[json]": {
"editor.defaultFormatter": "biomejs.biome" "editor.defaultFormatter": "biomejs.biome"
}, },
"[jsonc]": { "[jsonc]": {
"editor.defaultFormatter": "biomejs.biome" "editor.defaultFormatter": "biomejs.biome"
}, },
"[yaml]": {
"editor.defaultFormatter": "redhat.vscode-yaml"
},
"[toml]": { "[toml]": {
"editor.defaultFormatter": "tamasfe.even-better-toml" "editor.defaultFormatter": "tamasfe.even-better-toml"
}, },
"[typescript]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[typescriptreact]": {
"editor.defaultFormatter": "biomejs.biome"
},
"[yaml]": {
"editor.defaultFormatter": "redhat.vscode-yaml"
},
"editor.codeActionsOnSave": {
"source.fixAll.biome": "explicit",
"source.organizeImports.biome": "explicit"
},
"editor.defaultFormatter": "biomejs.biome",
"editor.formatOnSave": true,
"files.associations": { "files.associations": {
".env": "dotenv", ".env": "dotenv",
".env.*": "dotenv", ".env.*": "dotenv",
"**/tsconfig.json": "jsonc",
"**/tsconfig.*.json": "jsonc",
"**/biome.json": "jsonc", "**/biome.json": "jsonc",
"**/opencode.json": "jsonc" "**/opencode.json": "jsonc",
"**/tsconfig.*.json": "jsonc",
"**/tsconfig.json": "jsonc"
}, },
// TanStack Router
"files.readonlyInclude": { "files.readonlyInclude": {
"**/routeTree.gen.ts": true "**/routeTree.gen.ts": true
}, },

219
AGENTS.md Normal file
View File

@@ -0,0 +1,219 @@
# AGENTS.md - AI Coding Agent Guidelines
Guidelines for AI agents working in this Bun monorepo.
## Project Overview
> **This project uses [Bun](https://bun.sh) exclusively as both the JavaScript runtime and package manager. Do NOT use Node.js / npm / yarn / pnpm. All commands start with `bun` — use `bun install` for dependencies and `bun run <script>` for scripts. Always prefer `bun run <script>` over `bun <script>` to avoid conflicts with Bun built-in subcommands (e.g. `bun build` invokes Bun's bundler, NOT your package.json script). Never use `npm`, `npx`, or `node`.**
- **Monorepo**: Bun workspaces + Turborepo orchestration
- **Runtime**: Bun (see `mise.toml` for version) — **NOT Node.js**
- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
- **Apps**:
- `apps/server` - TanStack Start fullstack web app (see `apps/server/AGENTS.md`)
- `apps/desktop` - Electron desktop shell, sidecar server pattern (see `apps/desktop/AGENTS.md`)
- **Packages**: `packages/tsconfig` (shared TS configs)
## Build / Lint / Test Commands
### Root Commands (via Turbo)
```bash
bun run dev # Start all apps in dev mode
bun run build # Build all apps
bun run compile # Compile server to standalone binary (current platform)
bun run compile:darwin # Compile server for macOS (arm64 + x64)
bun run compile:linux # Compile server for Linux (x64 + arm64)
bun run compile:windows # Compile server for Windows x64
bun run dist # Package desktop distributable (current platform)
bun run dist:linux # Package desktop for Linux (x64 + arm64)
bun run dist:mac # Package desktop for macOS (arm64 + x64)
bun run dist:win # Package desktop for Windows x64
bun run fix # Lint + format (Biome auto-fix)
bun run typecheck # TypeScript check across monorepo
```
### Server App (`apps/server`)
```bash
bun run dev # Vite dev server (localhost:3000)
bun run build # Production build -> .output/
bun run compile # Compile to standalone binary (current platform)
bun run compile:darwin # Compile for macOS (arm64 + x64)
bun run compile:darwin:arm64 # Compile for macOS arm64
bun run compile:darwin:x64 # Compile for macOS x64
bun run compile:linux # Compile for Linux (x64 + arm64)
bun run compile:linux:arm64 # Compile for Linux arm64
bun run compile:linux:x64 # Compile for Linux x64
bun run compile:windows # Compile for Windows (default: x64)
bun run compile:windows:x64 # Compile for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
# Database (Drizzle)
bun run db:generate # Generate migrations from schema
bun run db:migrate # Run migrations
bun run db:push # Push schema (dev only)
bun run db:studio # Open Drizzle Studio
```
### Desktop App (`apps/desktop`)
```bash
bun run dev # electron-vite dev mode (requires server dev running)
bun run build # electron-vite build (main + preload)
bun run dist # Build + package for current platform
bun run dist:linux # Build + package for Linux (x64 + arm64)
bun run dist:linux:x64 # Build + package for Linux x64
bun run dist:linux:arm64 # Build + package for Linux arm64
bun run dist:mac # Build + package for macOS (arm64 + x64)
bun run dist:mac:arm64 # Build + package for macOS arm64
bun run dist:mac:x64 # Build + package for macOS x64
bun run dist:win # Build + package for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
```
### Testing
No test framework configured yet. When adding tests:
```bash
bun test path/to/test.ts # Run single test file
bun test -t "pattern" # Run tests matching pattern
```
## Code Style (TypeScript)
### Formatting (Biome)
- **Indent**: 2 spaces | **Line endings**: LF
- **Quotes**: Single `'` | **Semicolons**: Omit (ASI)
- **Arrow parentheses**: Always `(x) => x`
### Imports
Biome auto-organizes. Order: 1) External packages → 2) Internal `@/*` aliases → 3) Type imports (`import type { ... }`)
```typescript
import { createFileRoute } from '@tanstack/react-router'
import { z } from 'zod'
import { db } from '@/server/db'
import type { ReactNode } from 'react'
```
### TypeScript Strictness
- `strict: true`, `noUncheckedIndexedAccess: true`, `noImplicitOverride: true`, `verbatimModuleSyntax: true`
- Use `@/*` path aliases (maps to `src/*`)
### Naming Conventions
| Type | Convention | Example |
|------|------------|---------|
| Files (utils) | kebab-case | `auth-utils.ts` |
| Files (components) | PascalCase | `UserProfile.tsx` |
| Components | PascalCase arrow | `const Button = () => {}` |
| Functions | camelCase | `getUserById` |
| Constants | UPPER_SNAKE | `MAX_RETRIES` |
| Types/Interfaces | PascalCase | `UserProfile` |
### React Patterns
- Components: arrow functions (enforced by Biome)
- Routes: TanStack Router file conventions (`export const Route = createFileRoute(...)`)
- Data fetching: `useSuspenseQuery(orpc.feature.list.queryOptions())`
- Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
### Error Handling
- Use `try-catch` for async operations; throw descriptive errors
- ORPC: Use `ORPCError` with proper codes (`NOT_FOUND`, `INPUT_VALIDATION_FAILED`)
- Never use empty catch blocks
## Database (Drizzle ORM v1 beta + postgres-js)
- **ORM**: Drizzle ORM `1.0.0-beta` (RQBv2)
- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts` (contains schema info, so `drizzle()` only needs `{ relations }`)
- **Query style**: RQBv2 object syntax (`orderBy: { createdAt: 'desc' }`, `where: { id: 1 }`)
```typescript
export const myTable = pgTable('my_table', {
id: uuid().primaryKey().default(sql`uuidv7()`),
name: text().notNull(),
createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
})
```
## Environment Variables
- Use `@t3-oss/env-core` with Zod validation in `src/env.ts`
- Server vars: no prefix | Client vars: `VITE_` prefix required
- Never commit `.env` files
## Dependency Management
- All versions centralized in root `package.json` `catalog` field
- Workspace packages use `"catalog:"` — never hardcode versions
- Internal packages use `"workspace:*"` references
## Development Principles
> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks "just in case".
2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart. This includes updating code snippets in docs when imports, APIs, or patterns change.
3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns in the same codebase.
## Critical Rules
**DO:**
- Run `bun run fix` before committing
- Use `@/*` path aliases (not relative imports)
- Include `createdAt`/`updatedAt` on all tables
- Use `catalog:` for dependency versions
- Update `AGENTS.md` and other docs whenever code patterns change
**DON'T:**
- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
- Edit `src/routeTree.gen.ts` (auto-generated)
- Use `as any`, `@ts-ignore`, `@ts-expect-error`
- Commit `.env` files
- Use empty catch blocks `catch(e) {}`
- Hardcode dependency versions in workspace packages
- Leave docs out of sync with code changes
## Git Workflow
1. Make changes following style guide
2. `bun run fix` - auto-format and lint
3. `bun run typecheck` - verify types
4. `bun run dev` - test locally
5. Commit with descriptive message
## Directory Structure
```
.
├── apps/
│ ├── server/ # TanStack Start fullstack app
│ │ ├── src/
│ │ │ ├── client/ # ORPC client + TanStack Query utils
│ │ │ ├── components/
│ │ │ ├── routes/ # File-based routing
│ │ │ └── server/ # API layer + database
│ │ │ ├── api/ # ORPC contracts, routers, middlewares
│ │ │ └── db/ # Drizzle schema
│ │ └── AGENTS.md
│ └── desktop/ # Electron desktop shell
│ ├── src/
│ │ ├── main/
│ │ │ └── index.ts # Main process entry
│ │ └── preload/
│ │ └── index.ts # Preload script
│ ├── electron.vite.config.ts
│ ├── electron-builder.yml # Packaging config
│ └── AGENTS.md
├── packages/
│ └── tsconfig/ # Shared TS configs
├── biome.json # Linting/formatting config
├── turbo.json # Turbo task orchestration
└── package.json # Workspace root + dependency catalog
```
## See Also
- `apps/server/AGENTS.md` - Detailed TanStack Start / ORPC patterns
- `apps/desktop/AGENTS.md` - Electron desktop development guide

3
apps/desktop/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
# electron-vite build output
out/
dist/

95
apps/desktop/AGENTS.md Normal file
View File

@@ -0,0 +1,95 @@
# AGENTS.md - Desktop App Guidelines
Thin Electron shell hosting the fullstack server app.
## Tech Stack
> **⚠️ This project uses Bun as the package manager. Runtime is Electron (Node.js). Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, `yarn`, or `pnpm`.**
- **Type**: Electron desktop shell
- **Design**: Server-driven desktop (thin native window hosting web app)
- **Runtime**: Electron (Main/Renderer) + Sidecar server binary (Bun-compiled)
- **Build Tool**: electron-vite (Vite-based, handles main + preload builds)
- **Packager**: electron-builder (installers, signing, auto-update)
- **Orchestration**: Turborepo
## Architecture
- **Server-driven design**: The desktop app is a "thin" native shell. It does not contain UI or business logic; it opens a BrowserWindow pointing to the `apps/server` TanStack Start application.
- **Dev mode**: Opens a BrowserWindow pointing to `localhost:3000`. Requires `apps/server` to be running separately (Turbo handles this).
- **Production mode**: Spawns a compiled server binary (from `resources/`) as a sidecar process, waits for readiness, then loads its URL.
## Commands
```bash
bun run dev # electron-vite dev (requires server dev running)
bun run build # electron-vite build (main + preload)
bun run dist # Build + package for current platform
bun run dist:linux # Build + package for Linux (x64 + arm64)
bun run dist:linux:x64 # Build + package for Linux x64
bun run dist:linux:arm64 # Build + package for Linux arm64
bun run dist:mac # Build + package for macOS (arm64 + x64)
bun run dist:mac:arm64 # Build + package for macOS arm64
bun run dist:mac:x64 # Build + package for macOS x64
bun run dist:win # Build + package for Windows x64
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
```
## Directory Structure
```
.
├── src/
│ ├── main/
│ │ └── index.ts # Main process (server lifecycle + BrowserWindow)
│ └── preload/
│ └── index.ts # Preload script (security isolation)
├── resources/ # Sidecar binaries (gitignored, copied from server build)
├── out/ # electron-vite build output (gitignored)
├── electron.vite.config.ts
├── electron-builder.yml # Packaging configuration
├── package.json
├── turbo.json
└── AGENTS.md
```
## Development Workflow
1. **Start server**: `bun run dev` in `apps/server` (or use root `bun run dev` via Turbo).
2. **Start desktop**: `bun run dev` in `apps/desktop`.
3. **Connection**: Main process polls `localhost:3000` until responsive, then opens BrowserWindow.
## Production Build Workflow
From monorepo root, run `bun run dist` to execute the full pipeline automatically (via Turbo task dependencies):
1. **Build server**: `apps/server``vite build``.output/`
2. **Compile server**: `apps/server``bun compile.ts --target ...``out/server-{os}-{arch}`
3. **Package desktop**: `apps/desktop``electron-vite build` + `electron-builder` → distributable
The `electron-builder.yml` `extraResources` config reads binaries directly from `../server/out/`, no manual copy needed.
To build for a specific platform explicitly, use `bun run dist:linux` / `bun run dist:mac` / `bun run dist:win` in `apps/desktop`.
For single-arch output, use `bun run dist:linux:x64`, `bun run dist:linux:arm64`, `bun run dist:mac:x64`, or `bun run dist:mac:arm64`.
## Development Principles
> **These principles apply to ALL code changes. Agents MUST follow them on every task.**
1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
## Critical Rules
**DO:**
- Use arrow functions for all utility functions.
- Keep the desktop app as a thin shell — no UI or business logic.
- Use `catalog:` for all dependency versions in `package.json`.
**DON'T:**
- Use `npm`, `npx`, `yarn`, or `pnpm`. Use `bun` for package management.
- Include UI components or business logic in the desktop app.
- Use `as any` or `@ts-ignore`.
- Leave docs out of sync with code changes.

9
apps/desktop/biome.json Normal file
View File

@@ -0,0 +1,9 @@
{
"$schema": "../../node_modules/@biomejs/biome/configuration_schema.json",
"extends": "//",
"css": {
"parser": {
"tailwindDirectives": true
}
}
}

BIN
apps/desktop/build/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 83 KiB

48
apps/desktop/electron-builder.yml Normal file
View File

@@ -0,0 +1,48 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/electron-userland/electron-builder/refs/heads/master/packages/app-builder-lib/scheme.json
appId: com.furtherverse.desktop
productName: Furtherverse
executableName: furtherverse
npmRebuild: false
asarUnpack:
- resources/**
files:
- "!**/.vscode/*"
- "!src/*"
- "!electron.vite.config.{js,ts,mjs,cjs}"
- "!{.env,.env.*,bun.lock}"
- "!{tsconfig.json,tsconfig.node.json}"
- "!{AGENTS.md,README.md,CHANGELOG.md}"
# macOS
mac:
target:
- dmg
category: public.app-category.productivity
extraResources:
- from: ../server/out/server-darwin-${arch}
to: server
dmg:
artifactName: ${productName}-${version}-${os}-${arch}.${ext}
# Windows
win:
target:
- portable
extraResources:
- from: ../server/out/server-windows-${arch}.exe
to: server.exe
portable:
artifactName: ${productName}-${version}-${os}-${arch}-Portable.${ext}
# Linux
linux:
target:
- AppImage
category: Utility
extraResources:
- from: ../server/out/server-linux-${arch}
to: server
appImage:
artifactName: ${productName}-${version}-${os}-${arch}.${ext}

11
apps/desktop/electron.vite.config.ts Normal file
View File

@@ -0,0 +1,11 @@
import tailwindcss from '@tailwindcss/vite'
import react from '@vitejs/plugin-react'
import { defineConfig } from 'electron-vite'
export default defineConfig({
main: {},
preload: {},
renderer: {
plugins: [react(), tailwindcss()],
},
})

37
apps/desktop/package.json Normal file
View File

@@ -0,0 +1,37 @@
{
"name": "@furtherverse/desktop",
"version": "1.0.0",
"private": true,
"main": "out/main/index.js",
"scripts": {
"build": "electron-vite build",
"dev": "electron-vite dev --watch",
"dist": "electron-builder",
"dist:linux": "bun run dist:linux:x64 && bun run dist:linux:arm64",
"dist:linux:arm64": "electron-builder --linux --arm64",
"dist:linux:x64": "electron-builder --linux --x64",
"dist:mac": "bun run dist:mac:arm64 && bun run dist:mac:x64",
"dist:mac:arm64": "electron-builder --mac --arm64",
"dist:mac:x64": "electron-builder --mac --x64",
"dist:win": "electron-builder --win --x64",
"fix": "biome check --write",
"typecheck": "tsc -b"
},
"dependencies": {
"motion": "catalog:",
"react": "catalog:",
"react-dom": "catalog:",
"tree-kill": "catalog:"
},
"devDependencies": {
"@furtherverse/tsconfig": "workspace:*",
"@tailwindcss/vite": "catalog:",
"@types/node": "catalog:",
"@vitejs/plugin-react": "catalog:",
"electron": "catalog:",
"electron-builder": "catalog:",
"electron-vite": "catalog:",
"tailwindcss": "catalog:",
"vite": "catalog:"
}
}

0
apps/desktop/resources/.gitkeep Normal file
View File

198
apps/desktop/src/main/index.ts Normal file
View File

@@ -0,0 +1,198 @@
import { join } from 'node:path'
import { app, BrowserWindow, dialog, session, shell } from 'electron'
import { createSidecarRuntime } from './sidecar'
const DEV_SERVER_URL = 'http://localhost:3000'
const SAFE_EXTERNAL_PROTOCOLS = new Set(['https:', 'http:', 'mailto:'])
let mainWindow: BrowserWindow | null = null
let windowCreationPromise: Promise<void> | null = null
let isQuitting = false
const showErrorAndQuit = (title: string, detail: string) => {
if (isQuitting) {
return
}
dialog.showErrorBox(title, detail)
app.quit()
}
const sidecar = createSidecarRuntime({
devServerUrl: DEV_SERVER_URL,
isPackaged: app.isPackaged,
resourcesPath: process.resourcesPath,
isQuitting: () => isQuitting,
onUnexpectedStop: (detail) => {
showErrorAndQuit('Service Stopped', detail)
},
})
const toErrorMessage = (error: unknown): string => (error instanceof Error ? error.message : String(error))
const canOpenExternally = (url: string): boolean => {
try {
const parsed = new URL(url)
return SAFE_EXTERNAL_PROTOCOLS.has(parsed.protocol)
} catch {
return false
}
}
const loadSplash = async (windowRef: BrowserWindow) => {
if (process.env.ELECTRON_RENDERER_URL) {
await windowRef.loadURL(process.env.ELECTRON_RENDERER_URL)
return
}
await windowRef.loadFile(join(__dirname, '../renderer/index.html'))
}
const createWindow = async () => {
if (mainWindow && !mainWindow.isDestroyed()) {
mainWindow.focus()
return
}
const windowRef = new BrowserWindow({
width: 1200,
height: 800,
show: false,
webPreferences: {
preload: join(__dirname, '../preload/index.js'),
sandbox: true,
contextIsolation: true,
nodeIntegration: false,
},
})
mainWindow = windowRef
windowRef.webContents.setWindowOpenHandler(({ url }) => {
if (!canOpenExternally(url)) {
if (!app.isPackaged) {
console.warn(`Blocked external URL: ${url}`)
}
return { action: 'deny' }
}
void shell.openExternal(url)
return { action: 'deny' }
})
windowRef.webContents.on('will-navigate', (event, url) => {
const allowed = [DEV_SERVER_URL, sidecar.lastResolvedUrl].filter((v): v is string => v != null)
const isAllowed = allowed.some((origin) => url.startsWith(origin))
if (!isAllowed) {
event.preventDefault()
if (canOpenExternally(url)) {
void shell.openExternal(url)
} else if (!app.isPackaged) {
console.warn(`Blocked navigation to: ${url}`)
}
}
})
windowRef.on('closed', () => {
if (mainWindow === windowRef) {
mainWindow = null
}
})
try {
await loadSplash(windowRef)
} catch (error) {
if (mainWindow === windowRef) {
mainWindow = null
}
if (!windowRef.isDestroyed()) {
windowRef.destroy()
}
throw error
}
if (!windowRef.isDestroyed()) {
windowRef.show()
}
const targetUrl = await sidecar.resolveUrl()
if (isQuitting || windowRef.isDestroyed()) {
return
}
try {
await windowRef.loadURL(targetUrl)
} catch (error) {
if (mainWindow === windowRef) {
mainWindow = null
}
if (!windowRef.isDestroyed()) {
windowRef.destroy()
}
throw error
}
}
const ensureWindow = async () => {
if (windowCreationPromise) {
return windowCreationPromise
}
windowCreationPromise = createWindow().finally(() => {
windowCreationPromise = null
})
return windowCreationPromise
}
const beginQuit = () => {
isQuitting = true
sidecar.stop()
}
const handleWindowCreationError = (error: unknown, context: string) => {
console.error(`${context}:`, error)
showErrorAndQuit(
"App Couldn't Start",
app.isPackaged
? 'A required component failed to start. Please reinstall the app.'
: `${context}: ${toErrorMessage(error)}`,
)
}
app
.whenReady()
.then(() => {
session.defaultSession.setPermissionRequestHandler((_webContents, _permission, callback) => {
callback(false)
})
return ensureWindow()
})
.catch((error) => {
handleWindowCreationError(error, 'Failed to create window')
})
app.on('window-all-closed', () => {
if (process.platform !== 'darwin') {
app.quit()
}
})
app.on('activate', () => {
if (isQuitting || BrowserWindow.getAllWindows().length > 0) {
return
}
ensureWindow().catch((error) => {
handleWindowCreationError(error, 'Failed to re-create window')
})
})
app.on('before-quit', beginQuit)

256
apps/desktop/src/main/sidecar.ts Normal file
View File

@@ -0,0 +1,256 @@
import { type ChildProcess, spawn } from 'node:child_process'
import { existsSync } from 'node:fs'
import { createServer } from 'node:net'
import { join } from 'node:path'
import killProcessTree from 'tree-kill'
const SERVER_HOST = '127.0.0.1'
const SERVER_READY_TIMEOUT_MS = 10_000
const SERVER_REQUEST_TIMEOUT_MS = 1_500
const SERVER_POLL_INTERVAL_MS = 250
const SERVER_PROBE_PATHS = ['/api/health', '/']
type SidecarState = {
process: ChildProcess | null
startup: Promise<string> | null
url: string | null
}
type SidecarRuntimeOptions = {
devServerUrl: string
isPackaged: boolean
resourcesPath: string
isQuitting: () => boolean
onUnexpectedStop: (detail: string) => void
}
type SidecarRuntime = {
resolveUrl: () => Promise<string>
stop: () => void
lastResolvedUrl: string | null
}
const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms))
const isProcessAlive = (processToCheck: ChildProcess | null): processToCheck is ChildProcess => {
if (!processToCheck || !processToCheck.pid) {
return false
}
return processToCheck.exitCode === null && !processToCheck.killed
}
const getAvailablePort = (): Promise<number> =>
new Promise((resolve, reject) => {
const server = createServer()
server.listen(0, () => {
const addr = server.address()
if (!addr || typeof addr === 'string') {
server.close()
reject(new Error('Failed to resolve port'))
return
}
server.close(() => resolve(addr.port))
})
server.on('error', reject)
})
const isServerReady = async (url: string): Promise<boolean> => {
for (const probePath of SERVER_PROBE_PATHS) {
try {
const probeUrl = new URL(probePath, `${url}/`)
const response = await fetch(probeUrl, {
method: 'GET',
cache: 'no-store',
signal: AbortSignal.timeout(SERVER_REQUEST_TIMEOUT_MS),
})
if (response.status < 500) {
if (probePath === '/api/health' && response.status === 404) {
continue
}
return true
}
} catch {
// Expected: probe request fails while server is still starting up
}
}
return false
}
const waitForServer = async (url: string, isQuitting: () => boolean, processRef?: ChildProcess): Promise<boolean> => {
const start = Date.now()
while (Date.now() - start < SERVER_READY_TIMEOUT_MS && !isQuitting()) {
if (processRef && processRef.exitCode !== null) {
return false
}
if (await isServerReady(url)) {
return true
}
await sleep(SERVER_POLL_INTERVAL_MS)
}
return false
}
const resolveBinaryPath = (resourcesPath: string): string => {
const binaryName = process.platform === 'win32' ? 'server.exe' : 'server'
return join(resourcesPath, binaryName)
}
const formatUnexpectedStopMessage = (
isPackaged: boolean,
code: number | null,
signal: NodeJS.Signals | null,
): string => {
if (isPackaged) {
return 'The background service stopped unexpectedly. Please restart the app.'
}
return `Server process exited unexpectedly (code ${code ?? 'unknown'}, signal ${signal ?? 'none'}).`
}
export const createSidecarRuntime = (options: SidecarRuntimeOptions): SidecarRuntime => {
const state: SidecarState = {
process: null,
startup: null,
url: null,
}
const resetState = (processRef?: ChildProcess) => {
if (processRef && state.process !== processRef) {
return
}
state.process = null
state.url = null
}
const stop = () => {
const runningServer = state.process
resetState()
if (!runningServer?.pid || runningServer.exitCode !== null) {
return
}
killProcessTree(runningServer.pid, 'SIGTERM', (error?: Error) => {
if (error) {
console.error('Failed to stop server process:', error)
}
})
}
const attachLifecycleHandlers = (processRef: ChildProcess) => {
processRef.on('error', (error) => {
if (state.process !== processRef) {
return
}
const hadReadyServer = state.url !== null
resetState(processRef)
if (!options.isQuitting() && hadReadyServer) {
options.onUnexpectedStop('The background service crashed unexpectedly. Please restart the app.')
return
}
console.error('Failed to start server process:', error)
})
processRef.on('exit', (code, signal) => {
if (state.process !== processRef) {
return
}
const hadReadyServer = state.url !== null
resetState(processRef)
if (!options.isQuitting() && hadReadyServer) {
options.onUnexpectedStop(formatUnexpectedStopMessage(options.isPackaged, code, signal))
}
})
}
const startPackagedServer = async (): Promise<string> => {
if (state.url && isProcessAlive(state.process)) {
return state.url
}
if (state.startup) {
return state.startup
}
state.startup = (async () => {
const binaryPath = resolveBinaryPath(options.resourcesPath)
if (!existsSync(binaryPath)) {
throw new Error(`Sidecar server binary is missing: ${binaryPath}`)
}
if (options.isQuitting()) {
throw new Error('Application is shutting down.')
}
const port = await getAvailablePort()
const nextServerUrl = `http://${SERVER_HOST}:${port}`
const processRef = spawn(binaryPath, [], {
env: {
...process.env,
HOST: SERVER_HOST,
PORT: String(port),
},
stdio: 'ignore',
windowsHide: true,
})
processRef.unref()
state.process = processRef
attachLifecycleHandlers(processRef)
const ready = await waitForServer(nextServerUrl, options.isQuitting, processRef)
if (ready && isProcessAlive(processRef)) {
state.url = nextServerUrl
return nextServerUrl
}
const failureReason =
processRef.exitCode !== null
? `The service exited early (code ${processRef.exitCode}).`
: `The service did not respond at ${nextServerUrl} within 10 seconds.`
stop()
throw new Error(failureReason)
})().finally(() => {
state.startup = null
})
return state.startup
}
const resolveUrl = async (): Promise<string> => {
if (options.isPackaged) {
return startPackagedServer()
}
const ready = await waitForServer(options.devServerUrl, options.isQuitting)
if (!ready) {
throw new Error('Dev server not responding. Run `bun dev` in apps/server first.')
}
state.url = options.devServerUrl
return options.devServerUrl
}
return {
resolveUrl,
stop,
get lastResolvedUrl() {
return state.url
},
}
}

1
apps/desktop/src/preload/index.ts Normal file
View File

@@ -0,0 +1 @@
export {}

BIN
apps/desktop/src/renderer/assets/logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 83 KiB

33
apps/desktop/src/renderer/components/SplashApp.tsx Normal file
View File

@@ -0,0 +1,33 @@
import { motion } from 'motion/react'
import logoImage from '../assets/logo.png'
export const SplashApp = () => {
return (
<main className="m-0 flex h-screen w-screen cursor-default select-none items-center justify-center overflow-hidden bg-white font-sans antialiased">
<motion.section
animate={{ opacity: 1, y: 0 }}
className="flex flex-col items-center gap-8"
initial={{ opacity: 0, y: 4 }}
transition={{
duration: 1,
ease: [0.16, 1, 0.3, 1],
}}
>
<img alt="Logo" className="h-20 w-auto object-contain" draggable={false} src={logoImage} />
<div className="relative h-[4px] w-36 overflow-hidden rounded-full bg-zinc-100">
<motion.div
animate={{ x: '100%' }}
className="h-full w-full bg-zinc-800"
initial={{ x: '-100%' }}
transition={{
duration: 2,
ease: [0.4, 0, 0.2, 1],
repeat: Infinity,
}}
/>
</div>
</motion.section>
</main>
)
}

12
apps/desktop/src/renderer/index.html Normal file
View File

@@ -0,0 +1,12 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Furtherverse</title>
</head>
<body>
<div id="root"></div>
<script type="module" src="./main.tsx"></script>
</body>
</html>

11
apps/desktop/src/renderer/main.tsx Normal file
View File

@@ -0,0 +1,11 @@
import { StrictMode } from 'react'
import { createRoot } from 'react-dom/client'
import { SplashApp } from './components/SplashApp'
import './styles.css'
// biome-ignore lint/style/noNonNullAssertion: 一定存在
createRoot(document.getElementById('root')!).render(
<StrictMode>
<SplashApp />
</StrictMode>,
)

1
apps/desktop/src/renderer/styles.css Normal file
View File

@@ -0,0 +1 @@
@import "tailwindcss";

8
apps/desktop/tsconfig.app.json Normal file
View File

@@ -0,0 +1,8 @@
{
"extends": "@furtherverse/tsconfig/react.json",
"compilerOptions": {
"composite": true,
"types": ["vite/client"]
},
"include": ["src/renderer/**/*"]
}

11
apps/desktop/tsconfig.json Normal file
View File

@@ -0,0 +1,11 @@
{
"files": [],
"references": [
{
"path": "./tsconfig.app.json"
},
{
"path": "./tsconfig.node.json"
}
]
}

8
apps/desktop/tsconfig.node.json Normal file
View File

@@ -0,0 +1,8 @@
{
"extends": "@furtherverse/tsconfig/base.json",
"compilerOptions": {
"composite": true,
"types": ["node"]
},
"include": ["src/main/**/*", "src/preload/**/*", "electron.vite.config.ts"]
}

41
apps/desktop/turbo.json Normal file
View File

@@ -0,0 +1,41 @@
{
"$schema": "../../node_modules/turbo/schema.json",
"extends": ["//"],
"tasks": {
"build": {
"outputs": ["out/**"]
},
"dist": {
"dependsOn": ["build", "@furtherverse/server#compile"],
"outputs": ["dist/**"]
},
"dist:linux": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:arm64", "@furtherverse/server#compile:linux:x64"],
"outputs": ["dist/**"]
},
"dist:linux:arm64": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:arm64"],
"outputs": ["dist/**"]
},
"dist:linux:x64": {
"dependsOn": ["build", "@furtherverse/server#compile:linux:x64"],
"outputs": ["dist/**"]
},
"dist:mac": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64", "@furtherverse/server#compile:darwin:x64"],
"outputs": ["dist/**"]
},
"dist:mac:arm64": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64"],
"outputs": ["dist/**"]
},
"dist:mac:x64": {
"dependsOn": ["build", "@furtherverse/server#compile:darwin:x64"],
"outputs": ["dist/**"]
},
"dist:win": {
"dependsOn": ["build", "@furtherverse/server#compile:windows:x64"],
"outputs": ["dist/**"]
}
}
}

2
apps/server/.env.example
View File

@@ -1 +1 @@
DATABASE_URL=./data/app.db DATABASE_PATH=data.db

5
apps/server/.gitignore vendored
View File

@@ -1,5 +0,0 @@
# SQLite database files
data/
*.db
*.db-shm
*.db-wal

617
apps/server/AGENTS.md
View File

@@ -1,420 +1,279 @@
# AGENTS.md - AI Coding Agent Guidelines # AGENTS.md - Server App Guidelines
本文档为 AI 编程助手提供此 TanStack Start 全栈项目的开发规范和指南。 TanStack Start fullstack web app with ORPC (contract-first RPC).
## 项目概览 ## Tech Stack
- **框架**: TanStack Start (React SSR 框架,文件路由) > **⚠️ This project uses Bun — NOT Node.js / npm. All commands use `bun`. Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, or `node`.**
- **运行时**: Bun
- **语言**: TypeScript (strict mode, ESNext)
- **样式**: Tailwind CSS v4
- **数据库**: SQLite + Drizzle ORM
- **状态管理**: TanStack Query
- **路由**: TanStack Router (文件路由)
- **RPC**: ORPC (类型安全 RPC契约优先)
- **构建工具**: Vite + Turbo
- **代码质量**: Biome (格式化 + Lint)
## 依赖管理 - **Framework**: TanStack Start (React 19 SSR, file-based routing)
- **Runtime**: Bun — **NOT Node.js**
- **Package Manager**: Bun — **NOT npm / yarn / pnpm**
- **Language**: TypeScript (strict mode)
- **Styling**: Tailwind CSS v4
- **Database**: PostgreSQL + Drizzle ORM v1 beta (`drizzle-orm/postgres-js`, RQBv2)
- **State**: TanStack Query v5
- **RPC**: ORPC (contract-first, type-safe)
- **Build**: Vite + Nitro
项目使用 **Bun Catalog** 统一管理依赖版本。 ## Commands
> **详细流程**: 加载 skill `bun-catalog-package` 获取完整指南。
**快速参考**
```bash ```bash
bun info <pkg> version # 查询最新版本 # Development
bun add <pkg>@catalog: # 在子包中安装 bun run dev # Vite dev server (localhost:3000)
bun run db:studio # Drizzle Studio GUI
# Build
bun run build # Production build → .output/
bun run compile # Compile to standalone binary (current platform, depends on build)
bun run compile:darwin # Compile for macOS (arm64 + x64)
bun run compile:darwin:arm64 # Compile for macOS arm64
bun run compile:darwin:x64 # Compile for macOS x64
bun run compile:linux # Compile for Linux (x64 + arm64)
bun run compile:linux:arm64 # Compile for Linux arm64
bun run compile:linux:x64 # Compile for Linux x64
bun run compile:windows # Compile for Windows (default: x64)
bun run compile:windows:x64 # Compile for Windows x64
# Code Quality
bun run fix # Biome auto-fix
bun run typecheck # TypeScript check
# Database
bun run db:generate # Generate migrations from schema
bun run db:migrate # Run migrations
bun run db:push # Push schema directly (dev only)
# Testing (not yet configured)
bun test path/to/test.ts # Run single test
bun test -t "pattern" # Run tests matching pattern
``` ```
## 构建、Lint 和测试命令 ## Directory Structure
### 开发 ```
```bash src/
bun dev # 启动 Vite 开发服务器 ├── client/ # Client-side code
bun db:studio # 打开 Drizzle Studio 数据库管理界面 │ └── orpc.ts # ORPC client + TanStack Query utils (single entry point)
├── components/ # React components
├── routes/ # TanStack Router file routes
│ ├── __root.tsx # Root layout
│ ├── index.tsx # Home page
│ └── api/
│ ├── $.ts # OpenAPI handler + Scalar docs
│ ├── health.ts # Health check endpoint
│ └── rpc.$.ts # ORPC RPC handler
├── server/ # Server-side code
│ ├── api/ # ORPC layer
│ │ ├── contracts/ # Input/output schemas (Zod)
│ │ ├── middlewares/ # Middleware (db provider, auth)
│ │ ├── routers/ # Handler implementations
│ │ ├── interceptors.ts # Shared error interceptors
│ │ ├── context.ts # Request context
│ │ ├── server.ts # ORPC server instance
│ │ └── types.ts # Type exports
│ └── db/
│ ├── schema/ # Drizzle table definitions
│ ├── fields.ts # Shared field builders (id, createdAt, updatedAt)
│ ├── relations.ts # Drizzle relations (defineRelations, RQBv2)
│ └── index.ts # Database instance (postgres-js driver)
├── env.ts # Environment variable validation
├── router.tsx # Router configuration
├── routeTree.gen.ts # Auto-generated (DO NOT EDIT)
└── styles.css # Tailwind entry
``` ```
### 构建 ## ORPC Pattern
```bash
bun build # 构建 Vite 应用 (输出到 .output/)
bun compile # 编译为独立可执行文件 (使用 build.ts)
```
### 代码质量 ### 1. Define Contract (`src/server/api/contracts/feature.contract.ts`)
```bash
bun typecheck # 运行 TypeScript 类型检查
bun fix # 运行 Biome 自动修复格式和 Lint 问题
biome check . # 检查但不自动修复
biome format --write . # 仅格式化代码
```
### 数据库
```bash
bun db:generate # 从 schema 生成迁移文件
bun db:migrate # 执行数据库迁移
bun db:push # 直接推送 schema 变更 (仅开发环境)
```
### 测试
**注意**: 当前未配置测试框架。添加测试时:
- 使用 Vitest 或 Bun 内置测试运行器
- 运行单个测试文件: `bun test path/to/test.ts`
- 运行特定测试: `bun test -t "测试名称模式"`
## 代码风格指南
### 格式化 (Biome)
**缩进**: 2 空格 (不使用 tab)
**换行符**: LF (Unix 风格)
**引号**: 单引号 `'string'`
**分号**: 按需 (ASI - 自动分号插入)
**箭头函数括号**: 始终使用 `(x) => x`
示例:
```typescript ```typescript
const myFunc = (value: string) => { import { oc } from '@orpc/contract'
return value.toUpperCase() import { createSelectSchema } from 'drizzle-orm/zod'
} import { z } from 'zod'
import { featureTable } from '@/server/db/schema'
const selectSchema = createSelectSchema(featureTable)
export const list = oc.input(z.void()).output(z.array(selectSchema))
export const create = oc.input(insertSchema).output(selectSchema)
``` ```
### 导入组织 ### 2. Implement Router (`src/server/api/routers/feature.router.ts`)
```typescript
import { ORPCError } from '@orpc/server'
import { db } from '../middlewares'
import { os } from '../server'
Biome 自动组织导入。顺序: export const list = os.feature.list.use(db).handler(async ({ context }) => {
1. 外部依赖 return await context.db.query.featureTable.findMany({
2. 内部导入 (使用 `@/*` 别名) orderBy: { createdAt: 'desc' },
3. 类型导入 (仅导入类型时使用 `type` 关键字) })
})
```
### 3. Register in Index Files
```typescript
// src/server/api/contracts/index.ts
import * as feature from './feature.contract'
export const contract = { feature }
// src/server/api/routers/index.ts
import * as feature from './feature.router'
export const router = os.router({ feature })
```
### 4. Use in Components
```typescript
import { useSuspenseQuery, useMutation } from '@tanstack/react-query'
import { orpc } from '@/client/orpc'
const { data } = useSuspenseQuery(orpc.feature.list.queryOptions())
const mutation = useMutation(orpc.feature.create.mutationOptions())
```
## Database (Drizzle ORM v1 beta)
- **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
- **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
- **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts`
- **Query**: RQBv2 — use `db.query.tableName.findMany()` with object-style `orderBy` and `where`
### Schema Definition
```typescript
import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core'
import { sql } from 'drizzle-orm'
export const myTable = pgTable('my_table', {
id: uuid().primaryKey().default(sql`uuidv7()`),
name: text().notNull(),
createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
})
```
### Relations (RQBv2)
```typescript
// src/server/db/relations.ts
import { defineRelations } from 'drizzle-orm'
import * as schema from './schema'
export const relations = defineRelations(schema, (r) => ({
// Define relations here using r.one / r.many / r.through
}))
```
### DB Instance
```typescript
// src/server/db/index.ts
import { drizzle } from 'drizzle-orm/postgres-js'
import { relations } from '@/server/db/relations'
// In RQBv2, relations already contain schema info — no separate schema import needed
const db = drizzle({
connection: env.DATABASE_URL,
relations,
})
```
### RQBv2 Query Examples
```typescript
// Object-style orderBy (NOT callback style)
const todos = await db.query.todoTable.findMany({
orderBy: { createdAt: 'desc' },
})
// Object-style where
const todo = await db.query.todoTable.findFirst({
where: { id: someId },
})
```
## Code Style
### Formatting (Biome)
- **Indent**: 2 spaces
- **Quotes**: Single `'`
- **Semicolons**: Omit (ASI)
- **Arrow parens**: Always `(x) => x`
### Imports
Biome auto-organizes:
1. External packages
2. Internal `@/*` aliases
3. Type imports (`import type { ... }`)
示例:
```typescript ```typescript
import { createFileRoute } from '@tanstack/react-router' import { createFileRoute } from '@tanstack/react-router'
import { oc } from '@orpc/contract'
import { z } from 'zod' import { z } from 'zod'
import { db } from '@/db' import { db } from '@/server/db'
import { todoTable } from '@/db/schema'
import type { ReactNode } from 'react' import type { ReactNode } from 'react'
``` ```
### TypeScript ### TypeScript
**严格模式**: 启用了额外的严格检查
- `strict: true` - `strict: true`
- `noUncheckedIndexedAccess: true` - 数组/对象索引返回 `T | undefined` - `noUncheckedIndexedAccess: true` - array access returns `T | undefined`
- `noImplicitOverride: true` - Use `@/*` path aliases (maps to `src/*`)
- `noFallthroughCasesInSwitch: true`
**模块解析**: `bundler` 模式 + `verbatimModuleSyntax` ### Naming
- 导入时始终使用 `.ts`/`.tsx` 扩展名 | Type | Convention | Example |
- 使用 `@/*` 路径别名指向 `src/*` |------|------------|---------|
| Files (utils) | kebab-case | `auth-utils.ts` |
| Files (components) | PascalCase | `UserProfile.tsx` |
| Components | PascalCase arrow | `const Button = () => {}` |
| Functions | camelCase | `getUserById` |
| Types | PascalCase | `UserProfile` |
**类型注解**: ### React
- 公共 API 的函数参数和返回类型必须注解 - Use arrow functions for components (Biome enforced)
- 优先使用显式类型而非 `any` - Use `useSuspenseQuery` for guaranteed data
- 对象形状用 `type`,可扩展契约用 `interface` - Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
- 不可变 props 使用 `Readonly<T>`
### 命名规范 ## Environment Variables
- **文件**: 工具函数用 kebab-case组件用 PascalCase
- `utils.ts`, `todo.tsx`, `NotFound.tsx`
- **路由**: 遵循 TanStack Router 约定
- `routes/index.tsx``/`
- `routes/__root.tsx` → 根布局
- **组件**: PascalCase 箭头函数 (Biome 规则 `useArrowFunction` 强制)
- **函数**: camelCase
- **常量**: 真常量用 UPPER_SNAKE_CASE配置对象用 camelCase
- **类型/接口**: PascalCase
### React 模式
**组件**: 使用箭头函数
```typescript ```typescript
const MyComponent = ({ title }: { title: string }) => { // src/env.ts - using @t3-oss/env-core
return <div>{title}</div> import { createEnv } from '@t3-oss/env-core'
}
```
**路由**: 使用 `createFileRoute` 定义路由
```typescript
export const Route = createFileRoute('/')({
component: Home,
})
```
**数据获取**: 使用 TanStack Query hooks
- `useSuspenseQuery` - 保证有数据
- `useQuery` - 数据可能为空
**Props**: 禁止直接修改 props (Biome 规则 `noReactPropAssignments`)
### 数据库 Schema (Drizzle)
-`src/server/db/schema/*.ts` 定义 schema
-`src/server/db/schema/index.ts` 导出
- 使用 `drizzle-orm/sqlite-core` 的 SQLite 类型
- 主键使用 `uuidv7()` (TEXT 存储)
- 时间戳使用 `integer({ mode: 'timestamp_ms' })` (Unix 毫秒时间戳)
- 始终包含 `createdAt``updatedAt` 时间戳
示例:
```typescript
import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
import { v7 as uuidv7 } from 'uuid'
export const myTable = sqliteTable('my_table', {
id: text('id').primaryKey().$defaultFn(() => uuidv7()),
name: text('name').notNull(),
createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()),
updatedAt: integer('updated_at', { mode: 'timestamp_ms' }).notNull().$defaultFn(() => new Date()).$onUpdateFn(() => new Date()),
})
```
### 环境变量
- 使用 `@t3-oss/env-core` 进行类型安全的环境变量验证
-`src/env.ts` 定义 schema
- 服务端变量: 无前缀
- 客户端变量: 必须有 `VITE_` 前缀
- 使用 Zod schema 验证
### 错误处理
- 异步操作使用 try-catch
- 抛出带有描述性消息的错误
- 用户界面错误优先使用 Result 类型或错误边界
- 适当记录错误 (避免记录敏感数据)
### 样式 (Tailwind CSS)
- 使用 Tailwind v4 工具类
- 通过 `@/styles.css?url` 导入样式
- 优先使用组合而非自定义 CSS
- 响应式修饰符: `sm:`, `md:`, `lg:`
- UI 文本适当使用中文
## 目录结构
```
src/
├── components/ # 可复用 React 组件
├── db/
│ ├── schema/ # Drizzle schema 定义
│ └── index.ts # 数据库实例
├── integrations/ # 第三方集成 (TanStack Query/Router)
├── lib/ # 工具函数
├── orpc/ # ORPC (RPC 层)
│ ├── contracts/ # 契约定义 (input/output schemas)
│ ├── handlers/ # 服务端过程实现
│ ├── middlewares/ # 中间件 (如 DB provider)
│ ├── contract.ts # 契约聚合
│ ├── router.ts # 路由组合
│ ├── server.ts # 服务端实例
│ └── client.ts # 同构客户端
├── routes/ # TanStack Router 文件路由
│ ├── __root.tsx # 根布局
│ ├── index.tsx # 首页
│ └── api/rpc.$.ts # ORPC HTTP 端点
├── env.ts # 环境变量验证
└── router.tsx # 路由配置
```
## 重要提示
- **禁止** 编辑 `src/routeTree.gen.ts` - 自动生成
- **禁止** 提交 `.env` 文件 - 使用 `.env.example` 作为模板
- **必须** 在提交前运行 `bun fix`
- **必须** 使用 `@/*` 路径别名而非相对导入
- **必须** 利用 React Compiler (babel-plugin-react-compiler) - 避免手动 memoization
## Git 工作流
1. 按照上述风格指南进行修改
2. 运行 `bun fix` 自动格式化和 lint
3. 运行 `bun typecheck` 确保类型安全
4. 使用 `bun dev` 本地测试变更
5. 使用清晰的描述性消息提交
## 常见模式
### 创建 ORPC 过程
**步骤 1: 定义契约** (`src/orpc/contracts/my-feature.ts`)
```typescript
import { oc } from '@orpc/contract'
import { z } from 'zod' import { z } from 'zod'
export const myContract = { export const env = createEnv({
get: oc.input(z.object({ id: z.uuid() })).output(mySchema), server: {
create: oc.input(createSchema).output(mySchema), DATABASE_URL: z.string().url(),
} },
``` clientPrefix: 'VITE_',
client: {
**步骤 2: 实现处理器** (`src/orpc/handlers/my-feature.ts`) VITE_API_URL: z.string().optional(),
```typescript },
import { os } from '@/orpc/server'
import { dbProvider } from '@/orpc/middlewares'
export const get = os.myFeature.get
.use(dbProvider)
.handler(async ({ context, input }) => {
return await context.db.query.myTable.findFirst(...)
}) })
``` ```
**步骤 3: 注册到契约和路由** ## Development Principles
```typescript
// src/orpc/contract.ts
export const contract = { myFeature: myContract }
// src/orpc/router.ts > **These principles apply to ALL code changes. Agents MUST follow them on every task.**
import * as myFeature from './handlers/my-feature'
export const router = os.router({ myFeature })
```
**步骤 4: 在组件中使用** 1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
```typescript 2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
import { orpc } from '@/orpc' 3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
const query = useSuspenseQuery(orpc.myFeature.get.queryOptions({ id }))
const mutation = useMutation(orpc.myFeature.create.mutationOptions())
```
--- ## Critical Rules
## 已知问题与解决方案 **DO:**
- Run `bun run fix` before committing
- Use `@/*` path aliases
- Include `createdAt`/`updatedAt` on all tables
- Use `ORPCError` with proper codes
- Use `drizzle-orm/zod` (NOT `drizzle-zod`) for schema validation
- Use RQBv2 object syntax for `orderBy` and `where`
- Update `AGENTS.md` and other docs whenever code patterns change
### 构建问题 **DON'T:**
- Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
**已解决**: Vite 8.0.0-beta.10 已修复与 Nitro 插件的兼容性问题 - Edit `src/routeTree.gen.ts` (auto-generated)
- **当前版本**: Vite 8.0.0-beta.10 + nitro-nightly@3.0.1-20260125 - Use `as any`, `@ts-ignore`, `@ts-expect-error`
- **状态**: 构建稳定,开发和生产环境均正常工作 - Commit `.env` files
- Use empty catch blocks
### 依赖选择经验 - Import from `drizzle-zod` (use `drizzle-orm/zod` instead)
- Use RQBv1 callback-style `orderBy` / old `relations()` API
**ohash vs crypto.createHash** - Use `drizzle-orm/bun-sql` driver (use `drizzle-orm/postgres-js`)
- Pass `schema` to `drizzle()` constructor (only `relations` is needed in RQBv2)
在实现硬件指纹功能时,曾误判 `ohash` 不适合用于硬件指纹识别。经深入研究发现: - Import `os` from `@orpc/server` in middleware — use `@/server/api/server` (the local typed instance)
- Leave docs out of sync with code changes
**事实**
- `ohash` 内部使用**完整的 SHA-256** 算法256 位)
- 输出 43 字符 Base64URL 编码(等价于 64 字符 Hex
- 碰撞概率与 `crypto.createHash('sha256')` **完全相同**2^128
- 自动处理对象序列化,代码更简洁
**对比**
```typescript
// ohash - 推荐用于对象哈希
import { hash } from 'ohash'
const fingerprint = hash(systemInfo) // 一行搞定
// crypto - 需要手动序列化
import { createHash } from 'node:crypto'
const fingerprint = createHash('sha256')
.update(JSON.stringify(systemInfo))
.digest('base64url')
```
**结论**
-`ohash` 完全适合硬件指纹场景(数据来自系统 API非用户输入
- ✅ 两者安全性等价,选择取决于代码风格偏好
- ⚠️ ohash 文档警告的"序列化安全性"仅针对**用户输入**场景
**经验教训**
- 不要仅凭名称("短哈希")判断库的实现
- 深入研究文档和源码再做技术决策
- 区分"用户输入场景"和"系统数据场景"的安全要求
### 缓存库选择:@isaacs/ttlcache
**决策时间**: 2026-01-26
**背景**
硬件指纹功能最初使用手动实现的 TTL 缓存module-level 变量 + 手动过期检查)。为提高代码可维护性,迁移到专业缓存库。
**选型**
- **选择**: `@isaacs/ttlcache` v2.1.4
- **理由**:
- 专为 TTL 场景优化,无需 LRU 追踪开销
- 零依赖6M+ 周下载量
- 内置 TypeScript 类型
- 自动过期管理,无需手动定时器
- API 简洁: `new TTLCache({ ttl, max })`
**实现细节**
- 保留 `inFlight` Promise 模式用于并发请求去重TTLCache 不提供此功能)
- 使用单一缓存键 `'fingerprint'`单服务器场景opts 不影响输出)
- 默认 TTL: 10 分钟(可通过 `cacheTtlMs` 参数覆盖)
**对比手动实现**
- ✅ 更少自定义代码
- ✅ 更清晰的 TTL 语义
- ✅ 经过充分测试的库
- ⚠️ 仍需手动处理并发去重
**经验教训**
- 专业库不一定解决所有问题(如并发去重)
- 对于简单场景,手动实现 vs 库的选择主要取决于可维护性而非功能
### SQLite 数据库使用说明
**技术栈**:
- **驱动**: `better-sqlite3` v11.8.1 (原生模块,跨平台)
- **类型定义**: `@types/better-sqlite3` v7.6.12
- **数据库文件**: `./data/app.db`
**数据类型策略**:
- **主键**: TEXT 存储 UUIDv7 (36 字符字符串,全局唯一)
- **时间戳**: INTEGER 存储 Unix 毫秒时间戳 (`integer({ mode: 'timestamp_ms' })`)
- Drizzle 自动转换 `Date``number`
- **布尔值**: INTEGER 存储 0/1 (`integer({ mode: 'boolean' })`)
- Drizzle 自动转换 `boolean``0/1`
**数据库连接**:
```typescript
import { drizzle } from 'drizzle-orm/better-sqlite3'
import Database from 'better-sqlite3'
import { mkdirSync } from 'node:fs'
import { dirname } from 'node:path'
export const createDB = () => {
const dbPath = env.DATABASE_URL
if (dbPath !== ':memory:') {
mkdirSync(dirname(dbPath), { recursive: true })
}
const sqlite = new Database(dbPath)
return drizzle(sqlite, { schema })
}
```
**注意事项**:
- SQLite 是文件数据库,适合嵌入环境和单实例应用
- 不支持多进程并发写入
- 数据库文件和 WAL 文件 (`.db-shm`, `.db-wal`) 已添加到 `.gitignore`
- `better-sqlite3` 是原生模块,构建时需匹配生产环境 OS 和架构
### AGENTS.md 文档维护原则
**核心原则**AGENTS.md 只记录当前项目状态,不记录重构历史
1. **当前状态优先**:只描述项目当前使用的技术栈、架构和最佳实践
2. **无需向后兼容**:不保留旧技术栈的文档,重构后直接更新为新状态
3. **避免历史记录**:不记录"从 X 迁移到 Y"的过程,只记录"当前使用 Y"
4. **保持简洁**:删除过时信息,避免上下文过长影响 AI 理解
5. **及时同步**:架构变更后立即更新文档,确保文档与代码一致
**何时更新 AGENTS.md**
- 更换技术栈(如数据库、框架)
- 修改项目架构或目录结构
- 添加/移除重要依赖
- 发现重要的最佳实践或经验教训
**何时不更新 AGENTS.md**
- 日常功能开发
- Bug 修复
- 代码重构(不涉及架构变更)
- 临时实验或 POC
---
**最后更新**: 2026-01-26
**项目版本**: 基于 package.json 依赖版本

5
apps/server/biome.json
View File

@@ -3,5 +3,10 @@
"extends": "//", "extends": "//",
"files": { "files": {
"includes": ["**", "!**/routeTree.gen.ts"] "includes": ["**", "!**/routeTree.gen.ts"]
},
"css": {
"parser": {
"tailwindDirectives": true
}
} }
} }

289
apps/server/build.ts
View File

@@ -1,289 +0,0 @@
import { Schema } from '@effect/schema'
import { $ } from 'bun'
import { Console, Context, Data, Effect, Layer } from 'effect'
// ============================================================================
// Domain Models & Schema
// ============================================================================
const BunTargetSchema = Schema.Literal(
'bun-windows-x64',
'bun-darwin-arm64',
'bun-darwin-x64',
'bun-linux-x64',
'bun-linux-arm64',
)
/**
* 将 bun target 转换为文件后缀 (去掉 'bun-' 前缀)
*/
const getTargetSuffix = (target: BunTarget): string => {
return target.replace('bun-', '')
}
type BunTarget = Schema.Schema.Type<typeof BunTargetSchema>
const BuildConfigSchema = Schema.Struct({
entrypoint: Schema.String.pipe(Schema.nonEmptyString()),
outputDir: Schema.String.pipe(Schema.nonEmptyString()),
outfile: Schema.String.pipe(Schema.nonEmptyString()),
targets: Schema.Array(BunTargetSchema).pipe(Schema.minItems(1)),
})
type BuildConfig = Schema.Schema.Type<typeof BuildConfigSchema>
const BuildResultSchema = Schema.Struct({
target: BunTargetSchema,
outputs: Schema.Array(Schema.String),
})
type BuildResult = Schema.Schema.Type<typeof BuildResultSchema>
// ============================================================================
// Error Models (使用 Data.TaggedError)
// ============================================================================
class CleanError extends Data.TaggedError('CleanError')<{
readonly dir: string
readonly cause: unknown
}> {}
class BuildError extends Data.TaggedError('BuildError')<{
readonly target: BunTarget
readonly cause: unknown
}> {}
class ConfigError extends Data.TaggedError('ConfigError')<{
readonly message: string
readonly cause: unknown
}> {}
// ============================================================================
// Services
// ============================================================================
/**
* 配置服务
*/
class BuildConfigService extends Context.Tag('BuildConfigService')<
BuildConfigService,
BuildConfig
>() {
/**
* 从原始数据创建并验证配置
*/
static fromRaw = (raw: unknown) =>
Effect.gen(function* () {
const decoded = yield* Schema.decodeUnknown(BuildConfigSchema)(raw)
return decoded
}).pipe(
Effect.catchAll((error) =>
Effect.fail(
new ConfigError({
message: '配置验证失败',
cause: error,
}),
),
),
)
/**
* 默认配置 Layer
*/
static readonly Live = Layer.effect(
BuildConfigService,
BuildConfigService.fromRaw({
entrypoint: '.output/server/index.mjs',
outputDir: 'out',
outfile: 'server',
targets: ['bun-windows-x64', 'bun-darwin-arm64', 'bun-linux-x64'],
} satisfies BuildConfig),
)
}
/**
* 文件系统服务
*/
class FileSystemService extends Context.Tag('FileSystemService')<
FileSystemService,
{
readonly cleanDir: (dir: string) => Effect.Effect<void, CleanError>
}
>() {
static readonly Live = Layer.succeed(FileSystemService, {
cleanDir: (dir: string) =>
Effect.tryPromise({
try: async () => {
await $`rm -rf ${dir}`
},
catch: (cause: unknown) =>
new CleanError({
dir,
cause,
}),
}),
})
}
/**
* 构建服务
*/
class BuildService extends Context.Tag('BuildService')<
BuildService,
{
readonly buildForTarget: (
config: BuildConfig,
target: BunTarget,
) => Effect.Effect<BuildResult, BuildError>
readonly buildAll: (
config: BuildConfig,
) => Effect.Effect<ReadonlyArray<BuildResult>, BuildError>
}
>() {
static readonly Live = Layer.succeed(BuildService, {
buildForTarget: (config: BuildConfig, target: BunTarget) =>
Effect.gen(function* () {
yield* Console.log(`🔨 开始构建: ${target}`)
const output = yield* Effect.tryPromise({
try: () =>
Bun.build({
entrypoints: [config.entrypoint],
compile: {
outfile: `${config.outfile}-${getTargetSuffix(target)}`,
target: target,
},
outdir: config.outputDir,
}),
catch: (cause: unknown) =>
new BuildError({
target,
cause,
}),
})
const paths = output.outputs.map((item: { path: string }) => item.path)
return {
target,
outputs: paths,
} satisfies BuildResult
}),
buildAll: (config: BuildConfig) =>
Effect.gen(function* () {
const effects = config.targets.map((target) =>
Effect.gen(function* () {
yield* Console.log(`🔨 开始构建: ${target}`)
const output = yield* Effect.tryPromise({
try: () =>
Bun.build({
entrypoints: [config.entrypoint],
compile: {
outfile: `${config.outfile}-${getTargetSuffix(target)}`,
target: target,
},
outdir: config.outputDir,
}),
catch: (cause: unknown) =>
new BuildError({
target,
cause,
}),
})
const paths = output.outputs.map(
(item: { path: string }) => item.path,
)
return {
target,
outputs: paths,
} satisfies BuildResult
}),
)
return yield* Effect.all(effects, { concurrency: 'unbounded' })
}),
})
}
/**
* 报告服务
*/
class ReporterService extends Context.Tag('ReporterService')<
ReporterService,
{
readonly printSummary: (
results: ReadonlyArray<BuildResult>,
) => Effect.Effect<void>
}
>() {
static readonly Live = Layer.succeed(ReporterService, {
printSummary: (results: ReadonlyArray<BuildResult>) =>
Effect.gen(function* () {
yield* Console.log('\n📦 构建完成:')
for (const result of results) {
yield* Console.log(` ${result.target}:`)
for (const path of result.outputs) {
yield* Console.log(` - ${path}`)
}
}
}),
})
}
// ============================================================================
// Main Program
// ============================================================================
const program = Effect.gen(function* () {
const config = yield* BuildConfigService
const fs = yield* FileSystemService
const builder = yield* BuildService
const reporter = yield* ReporterService
// 1. 清理输出目录
yield* fs.cleanDir(config.outputDir)
yield* Console.log(`✓ 已清理输出目录: ${config.outputDir}`)
// 2. 并行构建所有目标
const results = yield* builder.buildAll(config)
// 3. 输出构建摘要
yield* reporter.printSummary(results)
return results
})
// ============================================================================
// Layer Composition
// ============================================================================
const MainLayer = Layer.mergeAll(
BuildConfigService.Live,
FileSystemService.Live,
BuildService.Live,
ReporterService.Live,
)
// ============================================================================
// Runner
// ============================================================================
const runnable = program.pipe(
Effect.provide(MainLayer),
Effect.catchTags({
CleanError: (error) =>
Console.error(`❌ 清理目录失败: ${error.dir}`, error.cause),
BuildError: (error) =>
Console.error(`❌ 构建失败 [${error.target}]:`, error.cause),
ConfigError: (error) =>
Console.error(`❌ 配置错误: ${error.message}`, error.cause),
}),
Effect.tapErrorCause((cause) => Console.error('❌ 未预期的错误:', cause)),
)
Effect.runPromise(runnable).catch(() => {
process.exit(1)
})

64
apps/server/compile.ts Normal file
View File

@@ -0,0 +1,64 @@
import { mkdir, rm } from 'node:fs/promises'
import { parseArgs } from 'node:util'
const ENTRYPOINT = '.output/server/index.mjs'
const OUTDIR = 'out'
const SUPPORTED_TARGETS: readonly Bun.Build.CompileTarget[] = [
'bun-windows-x64',
'bun-darwin-arm64',
'bun-darwin-x64',
'bun-linux-x64',
'bun-linux-arm64',
]
const isSupportedTarget = (value: string): value is Bun.Build.CompileTarget =>
(SUPPORTED_TARGETS as readonly string[]).includes(value)
const { values } = parseArgs({
options: { target: { type: 'string' } },
strict: true,
allowPositionals: false,
})
const resolveTarget = (): Bun.Build.CompileTarget => {
if (values.target !== undefined) {
if (!isSupportedTarget(values.target)) {
throw new Error(`Invalid target: ${values.target}\nAllowed: ${SUPPORTED_TARGETS.join(', ')}`)
}
return values.target
}
const os = process.platform === 'win32' ? 'windows' : process.platform
const candidate = `bun-${os}-${process.arch}`
if (!isSupportedTarget(candidate)) {
throw new Error(`Unsupported host: ${process.platform}-${process.arch}`)
}
return candidate
}
const main = async () => {
const target = resolveTarget()
const suffix = target.replace('bun-', '')
const outfile = `server-${suffix}`
await mkdir(OUTDIR, { recursive: true })
await Promise.all([rm(`${OUTDIR}/${outfile}`, { force: true }), rm(`${OUTDIR}/${outfile}.exe`, { force: true })])
const result = await Bun.build({
entrypoints: [ENTRYPOINT],
outdir: OUTDIR,
compile: { outfile, target },
})
if (!result.success) {
throw new Error(result.logs.map(String).join('\n'))
}
console.log(`${target}${OUTDIR}/${outfile}`)
}
main().catch((err) => {
console.error('❌', err instanceof Error ? err.message : err)
process.exit(1)
})

2
apps/server/drizzle.config.ts
View File

@@ -6,6 +6,6 @@ export default defineConfig({
schema: './src/server/db/schema/index.ts', schema: './src/server/db/schema/index.ts',
dialect: 'sqlite', dialect: 'sqlite',
dbCredentials: { dbCredentials: {
url: env.DATABASE_URL, url: env.DATABASE_PATH,
}, },
}) })

18
apps/server/drizzle/0000_messy_goliath.sql
View File

@@ -1,18 +0,0 @@
CREATE TABLE `device_info` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`fingerprint` text NOT NULL,
`fingerprint_quality` text NOT NULL,
`license` text,
`license_activated_at` integer
);
--> statement-breakpoint
CREATE UNIQUE INDEX `device_info_fingerprint_unique` ON `device_info` (`fingerprint`);--> statement-breakpoint
CREATE TABLE `todo` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`title` text NOT NULL,
`completed` integer DEFAULT false NOT NULL
);

10
apps/server/drizzle/0001_watery_mongu.sql
View File

@@ -1,10 +0,0 @@
CREATE TABLE `license_activation` (
`id` text PRIMARY KEY NOT NULL,
`created_at` integer NOT NULL,
`updated_at` integer NOT NULL,
`fingerprint` text NOT NULL,
`license` text,
`license_activated_at` integer
);
--> statement-breakpoint
CREATE UNIQUE INDEX `license_activation_fingerprint_unique` ON `license_activation` (`fingerprint`);

2
apps/server/drizzle/0002_dizzy_kingpin.sql
View File

@@ -1,2 +0,0 @@
DROP TABLE `device_info`;--> statement-breakpoint
DROP TABLE `todo`;

129
apps/server/drizzle/meta/0000_snapshot.json
View File

@@ -1,129 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "09c29147-479a-4490-8223-db64c71c910f",
"prevId": "00000000-0000-0000-0000-000000000000",
"tables": {
"device_info": {
"name": "device_info",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint_quality": {
"name": "fingerprint_quality",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"device_info_fingerprint_unique": {
"name": "device_info_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"todo": {
"name": "todo",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"title": {
"name": "title",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"completed": {
"name": "completed",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

187
apps/server/drizzle/meta/0001_snapshot.json
View File

@@ -1,187 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
"prevId": "09c29147-479a-4490-8223-db64c71c910f",
"tables": {
"device_info": {
"name": "device_info",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint_quality": {
"name": "fingerprint_quality",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"device_info_fingerprint_unique": {
"name": "device_info_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"license_activation": {
"name": "license_activation",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"license_activation_fingerprint_unique": {
"name": "license_activation_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"todo": {
"name": "todo",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"title": {
"name": "title",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"completed": {
"name": "completed",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

76
apps/server/drizzle/meta/0002_snapshot.json
View File

@@ -1,76 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "2bdd10cc-8e14-4843-931a-37b1d00f21a6",
"prevId": "14bad572-1fc5-489d-90f2-7560a7cad1f4",
"tables": {
"license_activation": {
"name": "license_activation",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"created_at": {
"name": "created_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"updated_at": {
"name": "updated_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"fingerprint": {
"name": "fingerprint",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"license": {
"name": "license",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"license_activated_at": {
"name": "license_activated_at",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"license_activation_fingerprint_unique": {
"name": "license_activation_fingerprint_unique",
"columns": ["fingerprint"],
"isUnique": true
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

27
apps/server/drizzle/meta/_journal.json
View File

@@ -1,27 +0,0 @@
{
"version": "7",
"dialect": "sqlite",
"entries": [
{
"idx": 0,
"version": "6",
"when": 1769409553227,
"tag": "0000_messy_goliath",
"breakpoints": true
},
{
"idx": 1,
"version": "6",
"when": 1769409970060,
"tag": "0001_watery_mongu",
"breakpoints": true
},
{
"idx": 2,
"version": "6",
"when": 1769412006512,
"tag": "0002_dizzy_kingpin",
"breakpoints": true
}
]
}

28
apps/server/package.json
View File

@@ -4,18 +4,26 @@
"private": true, "private": true,
"type": "module", "type": "module",
"scripts": { "scripts": {
"build": "vite build", "build": "bunx --bun vite build",
"compile": "bun build.ts", "compile": "bun compile.ts",
"compile:darwin": "bun run compile:darwin:arm64 && bun run compile:darwin:x64",
"compile:darwin:arm64": "bun compile.ts --target bun-darwin-arm64",
"compile:darwin:x64": "bun compile.ts --target bun-darwin-x64",
"compile:linux": "bun run compile:linux:x64 && bun run compile:linux:arm64",
"compile:linux:arm64": "bun compile.ts --target bun-linux-arm64",
"compile:linux:x64": "bun compile.ts --target bun-linux-x64",
"compile:windows": "bun run compile:windows:x64",
"compile:windows:x64": "bun compile.ts --target bun-windows-x64",
"db:generate": "drizzle-kit generate", "db:generate": "drizzle-kit generate",
"db:migrate": "drizzle-kit migrate", "db:migrate": "drizzle-kit migrate",
"db:push": "drizzle-kit push", "db:push": "drizzle-kit push",
"db:studio": "drizzle-kit studio", "db:studio": "drizzle-kit studio",
"dev": "vite dev", "dev": "bunx --bun vite dev",
"fix": "biome check --write .", "fix": "biome check --write",
"typecheck": "tsc --noEmit" "typecheck": "tsc --noEmit"
}, },
"dependencies": { "dependencies": {
"@isaacs/ttlcache": "catalog:", "@furtherverse/crypto": "workspace:*",
"@orpc/client": "catalog:", "@orpc/client": "catalog:",
"@orpc/contract": "catalog:", "@orpc/contract": "catalog:",
"@orpc/openapi": "catalog:", "@orpc/openapi": "catalog:",
@@ -28,33 +36,25 @@
"@tanstack/react-router-ssr-query": "catalog:", "@tanstack/react-router-ssr-query": "catalog:",
"@tanstack/react-start": "catalog:", "@tanstack/react-start": "catalog:",
"drizzle-orm": "catalog:", "drizzle-orm": "catalog:",
"drizzle-zod": "catalog:", "jszip": "catalog:",
"ohash": "catalog:",
"better-sqlite3": "catalog:",
"react": "catalog:", "react": "catalog:",
"react-dom": "catalog:", "react-dom": "catalog:",
"systeminformation": "catalog:",
"uuid": "catalog:", "uuid": "catalog:",
"zod": "catalog:" "zod": "catalog:"
}, },
"devDependencies": { "devDependencies": {
"@effect/platform": "catalog:",
"@effect/schema": "catalog:",
"@furtherverse/tsconfig": "workspace:*", "@furtherverse/tsconfig": "workspace:*",
"@tailwindcss/vite": "catalog:", "@tailwindcss/vite": "catalog:",
"@tanstack/devtools-vite": "catalog:", "@tanstack/devtools-vite": "catalog:",
"@tanstack/react-devtools": "catalog:", "@tanstack/react-devtools": "catalog:",
"@tanstack/react-query-devtools": "catalog:", "@tanstack/react-query-devtools": "catalog:",
"@tanstack/react-router-devtools": "catalog:", "@tanstack/react-router-devtools": "catalog:",
"@types/better-sqlite3": "catalog:",
"@types/bun": "catalog:", "@types/bun": "catalog:",
"@vitejs/plugin-react": "catalog:", "@vitejs/plugin-react": "catalog:",
"babel-plugin-react-compiler": "catalog:", "babel-plugin-react-compiler": "catalog:",
"drizzle-kit": "catalog:", "drizzle-kit": "catalog:",
"effect": "catalog:",
"nitro": "catalog:", "nitro": "catalog:",
"tailwindcss": "catalog:", "tailwindcss": "catalog:",
"typescript": "catalog:",
"vite": "catalog:", "vite": "catalog:",
"vite-tsconfig-paths": "catalog:" "vite-tsconfig-paths": "catalog:"
} }

5
apps/server/src/client/orpc.client.ts → apps/server/src/client/orpc.ts
View File

@@ -1,6 +1,7 @@
import { createORPCClient } from '@orpc/client' import { createORPCClient } from '@orpc/client'
import { RPCLink } from '@orpc/client/fetch' import { RPCLink } from '@orpc/client/fetch'
import { createRouterClient } from '@orpc/server' import { createRouterClient } from '@orpc/server'
import { createTanstackQueryUtils } from '@orpc/tanstack-query'
import { createIsomorphicFn } from '@tanstack/react-start' import { createIsomorphicFn } from '@tanstack/react-start'
import { getRequestHeaders } from '@tanstack/react-start/server' import { getRequestHeaders } from '@tanstack/react-start/server'
import { router } from '@/server/api/routers' import { router } from '@/server/api/routers'
@@ -21,4 +22,6 @@ const getORPCClient = createIsomorphicFn()
return createORPCClient<RouterClient>(link) return createORPCClient<RouterClient>(link)
}) })
export const orpc: RouterClient = getORPCClient() const client: RouterClient = getORPCClient()
export const orpc = createTanstackQueryUtils(client)

6
apps/server/src/client/query-client.ts
View File

@@ -1,6 +0,0 @@
import { createTanstackQueryUtils } from '@orpc/tanstack-query'
import { orpc as orpcClient } from './orpc.client'
export const orpc = createTanstackQueryUtils(orpcClient, {
experimental_defaults: {},
})

0
apps/server/src/components/NotFount.tsx → apps/server/src/components/NotFound.tsx
View File

2
apps/server/src/env.ts
View File

@@ -3,7 +3,7 @@ import { z } from 'zod'
export const env = createEnv({ export const env = createEnv({
server: { server: {
DATABASE_URL: z.string().min(1), DATABASE_PATH: z.string().min(1).default('data.db'),
}, },
clientPrefix: 'VITE_', clientPrefix: 'VITE_',
client: { client: {

109
apps/server/src/lib/crypto.ts
View File

@@ -1,109 +0,0 @@
import {
constants,
createPrivateKey,
createPublicKey,
privateDecrypt,
publicEncrypt,
} from 'node:crypto'
// 对应 Java: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
const OAEP_HASH = 'sha256'
/**
* 使用 Base64 编码的公钥加密明文
*
* 加密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
* 公钥格式: SPKI/DER (对应 Java X509EncodedKeySpec)
*
* @param plainText - 待加密的明文字符串
* @param publicKeyBase64 - Base64 编码的公钥 (DER/SPKI 格式)
* @returns Base64 编码的加密数据
* @throws {Error} 加密失败时抛出错误
*
* @example
* ```typescript
* const publicKey = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...'
* const encrypted = encrypt('sensitive data', publicKey)
* console.log(encrypted) // "a3f5e8c2d1b4..."
* ```
*/
export function encrypt(plainText: string, publicKeyBase64: string): string {
const buffer = Buffer.from(plainText, 'utf-8')
const keyBuffer = Buffer.from(publicKeyBase64, 'base64')
try {
// 1. 先创建 KeyObject在这里指定密钥的格式 (DER/SPKI)
const publicKey = createPublicKey({
key: keyBuffer,
format: 'der',
type: 'spki', // 对应 Java X509EncodedKeySpec
})
// 2. 使用 KeyObject 进行加密,在这里指定 Padding 模式
const encrypted = publicEncrypt(
{
key: publicKey,
padding: constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: OAEP_HASH,
},
buffer,
)
return encrypted.toString('base64')
} catch (error) {
throw new Error(
`Encryption failed: ${error instanceof Error ? error.message : String(error)}`,
)
}
}
/**
* 使用 Base64 编码的私钥解密数据
*
* 解密标准: RSA/ECB/OAEPWithSHA-256AndMGF1Padding (兼容 Java)
* 私钥格式: PKCS8/DER (对应 Java PKCS8EncodedKeySpec)
*
* @param encryptedData - Base64 编码的加密数据
* @param privateKeyBase64 - Base64 编码的私钥 (DER/PKCS8 格式)
* @returns 解密后的明文字符串
* @throws {Error} 解密失败时抛出错误
*
* @example
* ```typescript
* const privateKey = 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...'
* const decrypted = decrypt('a3f5e8c2d1b4...', privateKey)
* console.log(decrypted) // "sensitive data"
* ```
*/
export function decrypt(
encryptedData: string,
privateKeyBase64: string,
): string {
const buffer = Buffer.from(encryptedData, 'base64')
const keyBuffer = Buffer.from(privateKeyBase64, 'base64')
try {
// 1. 先创建 KeyObject在这里指定密钥的格式 (DER/PKCS8)
const privateKey = createPrivateKey({
key: keyBuffer,
format: 'der',
type: 'pkcs8', // 对应 Java PKCS8EncodedKeySpec
})
// 2. 使用 KeyObject 进行解密
const decrypted = privateDecrypt(
{
key: privateKey,
padding: constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: OAEP_HASH,
},
buffer,
)
return decrypted.toString('utf-8')
} catch (error) {
throw new Error(
`Decryption failed: ${error instanceof Error ? error.message : String(error)}`,
)
}
}

233
apps/server/src/lib/fingerprint.ts
View File

@@ -1,233 +0,0 @@
import { TTLCache } from '@isaacs/ttlcache'
import { hash } from 'ohash'
import si from 'systeminformation'
/**
* 硬件指纹质量等级
* - strong: 2+ 个强标识符可用(推荐用于生产授权)
* - medium: 1 个强标识符可用(可用但不理想)
* - weak: 无强标识符(仅适合开发/测试)
*/
export type FingerprintQuality = 'strong' | 'medium' | 'weak'
/**
* 标准化的系统信息(用于机器码生成)
*/
export type NormalizedSystemInfo = {
/** 系统 UUID(最稳定的硬件标识符) */
systemUuid: string | null
/** 系统序列号 */
systemSerial: string | null
/** 主板序列号 */
baseboardSerial: string | null
/** 主板制造商 */
baseboardManufacturer: string | null
/** BIOS 版本 */
biosVersion: string | null
/** BIOS 供应商 */
biosVendor: string | null
/** CPU 品牌标识(用于质量评估) */
cpuBrand: string | null
/** 主硬盘序列号(可选,高稳定性) */
primaryDiskSerial?: string | null
}
/**
* 硬件指纹配置选项
*/
export type HardwareFingerprintOptions = {
/**
* 缓存 TTL(毫秒),默认 10 分钟
* 硬件信息变化频率极低,缓存可大幅提升性能
*/
cacheTtlMs?: number
/**
* 是否包含主硬盘序列号(默认 true)
* 注意:在容器/虚拟机环境可能获取失败
*/
includePrimaryDisk?: boolean
}
/**
* 硬件指纹响应
*/
export type HardwareFingerprintResult = {
/** 机器码(HMAC-SHA256 哈希,64 字符十六进制) */
fingerprint: string
/** 指纹质量等级 */
quality: FingerprintQuality
/** 可用的强标识符数量 */
strongIdentifiersCount: number
/** 生成时间戳 */
timestamp: number
}
// 缓存实例
const cache = new TTLCache<'fingerprint', HardwareFingerprintResult>({
ttl: 10 * 60 * 1000, // 10 minutes default
max: 1, // Only one fingerprint cached
})
// 防止并发重复请求
let inFlight: Promise<HardwareFingerprintResult> | null = null
/**
* 计算指纹质量
*/
function computeQuality(info: NormalizedSystemInfo): {
quality: FingerprintQuality
count: number
} {
const strongKeys = [
info.systemUuid,
info.systemSerial,
info.baseboardSerial,
info.primaryDiskSerial,
].filter(Boolean).length
if (strongKeys >= 2) return { quality: 'strong', count: strongKeys }
if (strongKeys === 1) return { quality: 'medium', count: strongKeys }
return { quality: 'weak', count: 0 }
}
/**
* 安全地收集标准化系统信息(容错处理)
*/
async function collectNormalizedInfo(
opts: HardwareFingerprintOptions,
): Promise<NormalizedSystemInfo> {
// 使用 Promise.allSettled 避免单点失败
const tasks = await Promise.allSettled([
si.uuid(),
si.system(),
si.baseboard(),
si.bios(),
si.cpu(),
opts.includePrimaryDisk !== false ? si.diskLayout() : Promise.resolve([]),
])
const [uuidRes, systemRes, baseboardRes, biosRes, cpuRes, diskRes] = tasks
const uuid = uuidRes.status === 'fulfilled' ? uuidRes.value : null
const system = systemRes.status === 'fulfilled' ? systemRes.value : null
const baseboard =
baseboardRes.status === 'fulfilled' ? baseboardRes.value : null
const bios = biosRes.status === 'fulfilled' ? biosRes.value : null
const cpu = cpuRes.status === 'fulfilled' ? cpuRes.value : null
// 提取主硬盘序列号(通常是第一个物理磁盘)
let primaryDiskSerial: string | null = null
if (diskRes.status === 'fulfilled' && Array.isArray(diskRes.value)) {
const disks = diskRes.value as Array<{ serialNum?: string; type?: string }>
const physicalDisk = disks.find(
(d) => d.type !== 'USB' && d.serialNum && d.serialNum.trim(),
)
primaryDiskSerial = physicalDisk?.serialNum?.trim() || null
}
return {
// 系统级标识符(最稳定)
systemUuid: (system?.uuid ?? uuid?.hardware ?? null) || null,
systemSerial: (system?.serial ?? null) || null,
// 主板标识符(次稳定)
baseboardSerial: (baseboard?.serial ?? null) || null,
baseboardManufacturer: (baseboard?.manufacturer ?? null) || null,
// BIOS 信息(辅助识别)
biosVersion: (bios?.version ?? null) || null,
biosVendor: (bios?.vendor ?? null) || null,
// CPU 信息(辅助识别)
cpuBrand: (cpu?.brand ?? null) || null,
// 磁盘序列号(可选,高稳定性)
...(opts.includePrimaryDisk !== false ? { primaryDiskSerial } : {}),
}
}
/**
/**
* 获取硬件指纹(机器码)
*
* 适用场景:客户端部署的软件授权、机器绑定
*
* 安全说明:
* - 返回 SHA-256 哈希(Base64URL 编码,43 字符),不可逆推原始硬件信息
* - 使用 ohash 自动处理对象序列化和哈希
* - 客户端部署场景:客户可以看到代码,无法使用密钥加密
* - 安全性依赖硬件信息本身的不可伪造性(来自操作系统)
* - 自动缓存减少系统调用开销
*
* 稳定性:
* - 优先使用系统 UUID、序列号等不易变更的标识符
* - 避免网络接口等易变信息
* - 容错处理,部分信息缺失不影响生成
*
* @example
* ```typescript
* const result = await getHardwareFingerprint({
* cacheTtlMs: 600000, // 10 分钟
* includePrimaryDisk: true,
* })
*
* console.log(result.fingerprint) // "a3f5e8c2d1b4..."
* console.log(result.quality) // "strong"
* ```
*/
export async function getHardwareFingerprint(
opts: HardwareFingerprintOptions,
): Promise<HardwareFingerprintResult> {
const ttl = opts.cacheTtlMs ?? 10 * 60 * 1000
const now = Date.now()
// 返回缓存结果
const cached = cache.get('fingerprint')
if (cached) {
return cached
}
// 防止并发重复请求
if (inFlight) {
return inFlight
}
inFlight = (async () => {
// 收集标准化信息
const info = await collectNormalizedInfo(opts)
// 计算质量
const { quality, count } = computeQuality(info)
// 使用 ohash 生成指纹(自动序列化 + SHA-256 + Base64URL)
const fingerprint = hash({
v: 1, // 版本号,未来如需变更采集策略可递增
info,
})
const result: HardwareFingerprintResult = {
fingerprint,
quality,
strongIdentifiersCount: count,
timestamp: now,
}
// 更新缓存
cache.set('fingerprint', result, { ttl })
return result
})().finally(() => {
inFlight = null
})
return inFlight
}
/**
* 清除指纹缓存(用于测试或强制刷新)
*/
export function clearFingerprintCache(): void {
cache.clear()
inFlight = null
}

40
apps/server/src/lib/license-init.ts
View File

@@ -1,40 +0,0 @@
import { getDB } from '@/server/db'
import { licenseActivationTable } from '@/server/db/schema'
import { getHardwareFingerprint } from './fingerprint'
let initPromise: Promise<void> | null = null
export async function ensureLicenseActivationInitialized(): Promise<void> {
if (initPromise) return initPromise
initPromise = (async () => {
try {
const db = getDB()
const result = await getHardwareFingerprint({
cacheTtlMs: 10 * 60 * 1000,
includePrimaryDisk: true,
})
await db
.insert(licenseActivationTable)
.values({
fingerprint: result.fingerprint,
license: null,
licenseActivatedAt: null,
})
.onConflictDoUpdate({
target: licenseActivationTable.fingerprint,
set: {
updatedAt: new Date(),
},
})
} catch (error) {
console.error('Failed to initialize license activation:', error)
// 重置 promise 以便下次重试
initPromise = null
throw error
}
})()
return initPromise
}

60
apps/server/src/routeTree.gen.ts
View File

@@ -9,27 +9,21 @@
// Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified. // Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified.
import { Route as rootRouteImport } from './routes/__root' import { Route as rootRouteImport } from './routes/__root'
import { Route as LicenseRouteImport } from './routes/license'
import { Route as FingerprintRouteImport } from './routes/fingerprint'
import { Route as IndexRouteImport } from './routes/index' import { Route as IndexRouteImport } from './routes/index'
import { Route as ApiHealthRouteImport } from './routes/api/health'
import { Route as ApiSplatRouteImport } from './routes/api/$' import { Route as ApiSplatRouteImport } from './routes/api/$'
import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc.$' import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc.$'
const LicenseRoute = LicenseRouteImport.update({
id: '/license',
path: '/license',
getParentRoute: () => rootRouteImport,
} as any)
const FingerprintRoute = FingerprintRouteImport.update({
id: '/fingerprint',
path: '/fingerprint',
getParentRoute: () => rootRouteImport,
} as any)
const IndexRoute = IndexRouteImport.update({ const IndexRoute = IndexRouteImport.update({
id: '/', id: '/',
path: '/', path: '/',
getParentRoute: () => rootRouteImport, getParentRoute: () => rootRouteImport,
} as any) } as any)
const ApiHealthRoute = ApiHealthRouteImport.update({
id: '/api/health',
path: '/api/health',
getParentRoute: () => rootRouteImport,
} as any)
const ApiSplatRoute = ApiSplatRouteImport.update({ const ApiSplatRoute = ApiSplatRouteImport.update({
id: '/api/$', id: '/api/$',
path: '/api/$', path: '/api/$',
@@ -43,58 +37,40 @@ const ApiRpcSplatRoute = ApiRpcSplatRouteImport.update({
export interface FileRoutesByFullPath { export interface FileRoutesByFullPath {
'/': typeof IndexRoute '/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute '/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute '/api/rpc/$': typeof ApiRpcSplatRoute
} }
export interface FileRoutesByTo { export interface FileRoutesByTo {
'/': typeof IndexRoute '/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute '/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute '/api/rpc/$': typeof ApiRpcSplatRoute
} }
export interface FileRoutesById { export interface FileRoutesById {
__root__: typeof rootRouteImport __root__: typeof rootRouteImport
'/': typeof IndexRoute '/': typeof IndexRoute
'/fingerprint': typeof FingerprintRoute
'/license': typeof LicenseRoute
'/api/$': typeof ApiSplatRoute '/api/$': typeof ApiSplatRoute
'/api/health': typeof ApiHealthRoute
'/api/rpc/$': typeof ApiRpcSplatRoute '/api/rpc/$': typeof ApiRpcSplatRoute
} }
export interface FileRouteTypes { export interface FileRouteTypes {
fileRoutesByFullPath: FileRoutesByFullPath fileRoutesByFullPath: FileRoutesByFullPath
fullPaths: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$' fullPaths: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
fileRoutesByTo: FileRoutesByTo fileRoutesByTo: FileRoutesByTo
to: '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$' to: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
id: '__root__' | '/' | '/fingerprint' | '/license' | '/api/$' | '/api/rpc/$' id: '__root__' | '/' | '/api/$' | '/api/health' | '/api/rpc/$'
fileRoutesById: FileRoutesById fileRoutesById: FileRoutesById
} }
export interface RootRouteChildren { export interface RootRouteChildren {
IndexRoute: typeof IndexRoute IndexRoute: typeof IndexRoute
FingerprintRoute: typeof FingerprintRoute
LicenseRoute: typeof LicenseRoute
ApiSplatRoute: typeof ApiSplatRoute ApiSplatRoute: typeof ApiSplatRoute
ApiHealthRoute: typeof ApiHealthRoute
ApiRpcSplatRoute: typeof ApiRpcSplatRoute ApiRpcSplatRoute: typeof ApiRpcSplatRoute
} }
declare module '@tanstack/react-router' { declare module '@tanstack/react-router' {
interface FileRoutesByPath { interface FileRoutesByPath {
'/license': {
id: '/license'
path: '/license'
fullPath: '/license'
preLoaderRoute: typeof LicenseRouteImport
parentRoute: typeof rootRouteImport
}
'/fingerprint': {
id: '/fingerprint'
path: '/fingerprint'
fullPath: '/fingerprint'
preLoaderRoute: typeof FingerprintRouteImport
parentRoute: typeof rootRouteImport
}
'/': { '/': {
id: '/' id: '/'
path: '/' path: '/'
@@ -102,6 +78,13 @@ declare module '@tanstack/react-router' {
preLoaderRoute: typeof IndexRouteImport preLoaderRoute: typeof IndexRouteImport
parentRoute: typeof rootRouteImport parentRoute: typeof rootRouteImport
} }
'/api/health': {
id: '/api/health'
path: '/api/health'
fullPath: '/api/health'
preLoaderRoute: typeof ApiHealthRouteImport
parentRoute: typeof rootRouteImport
}
'/api/$': { '/api/$': {
id: '/api/$' id: '/api/$'
path: '/api/$' path: '/api/$'
@@ -121,9 +104,8 @@ declare module '@tanstack/react-router' {
const rootRouteChildren: RootRouteChildren = { const rootRouteChildren: RootRouteChildren = {
IndexRoute: IndexRoute, IndexRoute: IndexRoute,
FingerprintRoute: FingerprintRoute,
LicenseRoute: LicenseRoute,
ApiSplatRoute: ApiSplatRoute, ApiSplatRoute: ApiSplatRoute,
ApiHealthRoute: ApiHealthRoute,
ApiRpcSplatRoute: ApiRpcSplatRoute, ApiRpcSplatRoute: ApiRpcSplatRoute,
} }
export const routeTree = rootRouteImport export const routeTree = rootRouteImport

9
apps/server/src/router.tsx
View File

@@ -5,7 +5,14 @@ import type { RouterContext } from './routes/__root'
import { routeTree } from './routeTree.gen' import { routeTree } from './routeTree.gen'
export const getRouter = () => { export const getRouter = () => {
const queryClient = new QueryClient() const queryClient = new QueryClient({
defaultOptions: {
queries: {
staleTime: 30 * 1000,
retry: 1,
},
},
})
const router = createRouter({ const router = createRouter({
routeTree, routeTree,

10
apps/server/src/routes/__root.tsx
View File

@@ -1,15 +1,11 @@
import { TanStackDevtools } from '@tanstack/react-devtools' import { TanStackDevtools } from '@tanstack/react-devtools'
import type { QueryClient } from '@tanstack/react-query' import type { QueryClient } from '@tanstack/react-query'
import { ReactQueryDevtoolsPanel } from '@tanstack/react-query-devtools' import { ReactQueryDevtoolsPanel } from '@tanstack/react-query-devtools'
import { import { createRootRouteWithContext, HeadContent, Scripts } from '@tanstack/react-router'
createRootRouteWithContext,
HeadContent,
Scripts,
} from '@tanstack/react-router'
import { TanStackRouterDevtoolsPanel } from '@tanstack/react-router-devtools' import { TanStackRouterDevtoolsPanel } from '@tanstack/react-router-devtools'
import type { ReactNode } from 'react' import type { ReactNode } from 'react'
import { ErrorComponent } from '@/components/Error' import { ErrorComponent } from '@/components/Error'
import { NotFoundComponent } from '@/components/NotFount' import { NotFoundComponent } from '@/components/NotFound'
import appCss from '@/styles.css?url' import appCss from '@/styles.css?url'
export interface RouterContext { export interface RouterContext {
@@ -50,6 +46,7 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
</head> </head>
<body> <body>
{children} {children}
{import.meta.env.DEV && (
<TanStackDevtools <TanStackDevtools
config={{ config={{
position: 'bottom-right', position: 'bottom-right',
@@ -65,6 +62,7 @@ function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
}, },
]} ]}
/> />
)}
<Scripts /> <Scripts />
</body> </body>
</html> </html>

50
apps/server/src/routes/api/$.ts
View File

@@ -1,10 +1,10 @@
import { OpenAPIHandler } from '@orpc/openapi/fetch' import { OpenAPIHandler } from '@orpc/openapi/fetch'
import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins' import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
import { ORPCError, onError, ValidationError } from '@orpc/server' import { onError } from '@orpc/server'
import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4' import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
import { createFileRoute } from '@tanstack/react-router' import { createFileRoute } from '@tanstack/react-router'
import { z } from 'zod'
import { name, version } from '@/../package.json' import { name, version } from '@/../package.json'
import { handleValidationError, logError } from '@/server/api/interceptors'
import { router } from '@/server/api/routers' import { router } from '@/server/api/routers'
const handler = new OpenAPIHandler(router, { const handler = new OpenAPIHandler(router, {
@@ -17,55 +17,13 @@ const handler = new OpenAPIHandler(router, {
title: name, title: name,
version, version,
}, },
// components: {
// securitySchemes: {
// bearerAuth: {
// type: 'http',
// scheme: 'bearer',
// },
// },
// },
}, },
docsPath: '/docs', docsPath: '/docs',
specPath: '/spec.json', specPath: '/spec.json',
}), }),
], ],
interceptors: [ interceptors: [onError(logError)],
onError((error) => { clientInterceptors: [onError(handleValidationError)],
console.error(error)
}),
],
clientInterceptors: [
onError((error) => {
if (
error instanceof ORPCError &&
error.code === 'BAD_REQUEST' &&
error.cause instanceof ValidationError
) {
// If you only use Zod you can safely cast to ZodIssue[]
const zodError = new z.ZodError(
error.cause.issues as z.core.$ZodIssue[],
)
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (
error instanceof ORPCError &&
error.code === 'INTERNAL_SERVER_ERROR' &&
error.cause instanceof ValidationError
) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}),
],
}) })
export const Route = createFileRoute('/api/$')({ export const Route = createFileRoute('/api/$')({

27
apps/server/src/routes/api/health.ts Normal file
View File

@@ -0,0 +1,27 @@
import { createFileRoute } from '@tanstack/react-router'
import { name, version } from '@/../package.json'
const createHealthResponse = (): Response =>
Response.json(
{
status: 'ok',
service: name,
version,
timestamp: new Date().toISOString(),
},
{
status: 200,
headers: {
'cache-control': 'no-store',
},
},
)
export const Route = createFileRoute('/api/health')({
server: {
handlers: {
GET: async () => createHealthResponse(),
HEAD: async () => new Response(null, { status: 200 }),
},
},
})

42
apps/server/src/routes/api/rpc.$.ts
View File

@@ -1,46 +1,12 @@
import { ORPCError, onError, ValidationError } from '@orpc/server' import { onError } from '@orpc/server'
import { RPCHandler } from '@orpc/server/fetch' import { RPCHandler } from '@orpc/server/fetch'
import { createFileRoute } from '@tanstack/react-router' import { createFileRoute } from '@tanstack/react-router'
import { z } from 'zod' import { handleValidationError, logError } from '@/server/api/interceptors'
import { router } from '@/server/api/routers' import { router } from '@/server/api/routers'
const handler = new RPCHandler(router, { const handler = new RPCHandler(router, {
interceptors: [ interceptors: [onError(logError)],
onError((error) => { clientInterceptors: [onError(handleValidationError)],
console.error(error)
}),
],
clientInterceptors: [
onError((error) => {
if (
error instanceof ORPCError &&
error.code === 'BAD_REQUEST' &&
error.cause instanceof ValidationError
) {
// If you only use Zod you can safely cast to ZodIssue[]
const zodError = new z.ZodError(
error.cause.issues as z.core.$ZodIssue[],
)
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (
error instanceof ORPCError &&
error.code === 'INTERNAL_SERVER_ERROR' &&
error.cause instanceof ValidationError
) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}),
],
}) })
export const Route = createFileRoute('/api/rpc/$')({ export const Route = createFileRoute('/api/rpc/$')({

301
apps/server/src/routes/fingerprint.tsx
View File

@@ -1,301 +0,0 @@
import { useSuspenseQuery } from '@tanstack/react-query'
import { createFileRoute } from '@tanstack/react-router'
import { useEffect, useState } from 'react'
import { orpc } from '@/client/query-client'
export const Route = createFileRoute('/fingerprint')({
component: FingerprintPage,
loader: async ({ context }) => {
await context.queryClient.ensureQueryData(
orpc.fingerprint.get.queryOptions(),
)
},
})
function FingerprintPage() {
const query = useSuspenseQuery(orpc.fingerprint.get.queryOptions())
const [copied, setCopied] = useState(false)
const data = query.data
useEffect(() => {
if (copied) {
const timer = setTimeout(() => setCopied(false), 2000)
return () => clearTimeout(timer)
}
}, [copied])
const handleCopy = async () => {
await navigator.clipboard.writeText(data.fingerprint)
setCopied(true)
}
const qualityConfig = {
strong: {
label: '强',
color: 'text-green-600',
bg: 'bg-green-50',
border: 'border-green-200',
icon: '✓',
description: '推荐用于生产授权',
},
medium: {
label: '中',
color: 'text-yellow-600',
bg: 'bg-yellow-50',
border: 'border-yellow-200',
icon: '!',
description: '可用但不理想',
},
weak: {
label: '弱',
color: 'text-red-600',
bg: 'bg-red-50',
border: 'border-red-200',
icon: '×',
description: '仅适合开发/测试',
},
}
const config = qualityConfig[data.quality]
return (
<div className="min-h-screen bg-gradient-to-br from-slate-50 via-blue-50 to-slate-50 py-12 px-4 sm:px-6 font-sans">
<div className="max-w-4xl mx-auto space-y-8">
{/* Header */}
<div className="text-center space-y-3">
<h1 className="text-4xl font-bold text-slate-900 tracking-tight">
</h1>
<p className="text-slate-500 text-lg"></p>
</div>
{/* Main Card */}
<div className="bg-white rounded-3xl shadow-xl border border-slate-100 overflow-hidden">
{/* Quality Badge */}
<div className={`px-8 py-6 border-b ${config.bg} ${config.border}`}>
<div className="flex items-center justify-between">
<div className="flex items-center gap-3">
<div
className={`w-12 h-12 rounded-full ${config.bg} border-2 ${config.border} flex items-center justify-center text-2xl font-bold ${config.color}`}
>
{config.icon}
</div>
<div>
<div className="flex items-center gap-2">
<span className="text-sm font-medium text-slate-600">
</span>
<span
className={`px-3 py-1 rounded-full text-sm font-semibold ${config.bg} ${config.color} border ${config.border}`}
>
{config.label}
</span>
</div>
<p className="text-xs text-slate-500 mt-1">
{config.description}
</p>
</div>
</div>
<div className="text-right">
<div className="text-3xl font-bold text-slate-900">
{data.strongIdentifiersCount}
</div>
<div className="text-xs font-medium text-slate-400 uppercase tracking-wider">
</div>
</div>
</div>
</div>
{/* Fingerprint Display */}
<div className="px-8 py-8">
<div className="space-y-4">
<div className="flex items-center justify-between">
<div className="text-sm font-semibold text-slate-700 uppercase tracking-wider">
</div>
<button
type="button"
onClick={handleCopy}
className={`px-4 py-2 rounded-lg font-medium text-sm transition-all ${
copied
? 'bg-green-100 text-green-700 border-2 border-green-300'
: 'bg-slate-100 text-slate-700 hover:bg-slate-200 border-2 border-slate-200'
}`}
>
{copied ? '已复制 ✓' : '复制'}
</button>
</div>
<div className="relative group">
<div className="absolute inset-0 bg-gradient-to-r from-blue-500 to-purple-500 rounded-xl blur-sm opacity-0 group-hover:opacity-20 transition-opacity" />
<div className="relative bg-slate-900 rounded-xl p-6 font-mono text-sm break-all leading-relaxed text-slate-100 shadow-inner border-2 border-slate-800">
{data.fingerprint}
</div>
</div>
<div className="flex items-center gap-2 text-xs text-slate-500">
<svg
className="w-4 h-4"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
/>
</svg>
<span>SHA-256 43 Base64URL </span>
</div>
</div>
</div>
{/* Metadata */}
<div className="px-8 py-6 bg-slate-50 border-t border-slate-100">
<div className="grid grid-cols-1 md:grid-cols-2 gap-6">
<div className="space-y-2">
<div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
</div>
<div className="text-lg font-medium text-slate-900">
{new Date(data.timestamp).toLocaleString('zh-CN', {
year: 'numeric',
month: '2-digit',
day: '2-digit',
hour: '2-digit',
minute: '2-digit',
second: '2-digit',
})}
</div>
</div>
<div className="space-y-2">
<div className="text-xs font-semibold text-slate-500 uppercase tracking-wider">
</div>
<div className="flex items-center gap-2">
<div className="w-2 h-2 rounded-full bg-green-500 animate-pulse" />
<span className="text-lg font-medium text-slate-900">
10
</span>
</div>
</div>
</div>
</div>
</div>
{/* Info Cards */}
<div className="grid grid-cols-1 md:grid-cols-3 gap-6">
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-blue-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-blue-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
使 HMAC-SHA256
</p>
</div>
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-purple-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-purple-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
UUID
</p>
</div>
<div className="bg-white rounded-2xl shadow-md border border-slate-100 p-6 space-y-3">
<div className="w-10 h-10 rounded-lg bg-green-100 flex items-center justify-center">
<svg
className="w-6 h-6 text-green-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 10V3L4 14h7v7l9-11h-7z"
/>
</svg>
</div>
<h3 className="font-semibold text-slate-900"></h3>
<p className="text-sm text-slate-600 leading-relaxed">
</p>
</div>
</div>
{/* Usage Hint */}
<div className="bg-blue-50 border-2 border-blue-200 rounded-2xl p-6">
<div className="flex gap-4">
<div className="flex-shrink-0">
<svg
className="w-6 h-6 text-blue-600"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<title></title>
<path
strokeLinecap="round"
strokeLinejoin="round"
strokeWidth={2}
d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
/>
</svg>
</div>
<div className="space-y-2">
<h4 className="font-semibold text-blue-900">使</h4>
<ul className="text-sm text-blue-800 space-y-1 list-disc list-inside">
<li></li>
<li></li>
<li>便</li>
</ul>
</div>
</div>
</div>
</div>
</div>
)
}

43
apps/server/src/routes/index.tsx
View File

@@ -1,4 +1,4 @@
import { createFileRoute, Link } from '@tanstack/react-router' import { createFileRoute } from '@tanstack/react-router'
export const Route = createFileRoute('/')({ export const Route = createFileRoute('/')({
component: Home, component: Home,
@@ -6,40 +6,15 @@ export const Route = createFileRoute('/')({
function Home() { function Home() {
return ( return (
<div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans"> <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
<div className="max-w-2xl mx-auto space-y-8 text-center"> <div className="text-center space-y-4">
<h1 className="text-4xl font-bold text-slate-900 tracking-tight"> <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
License <p className="text-slate-500">
</h1> API:&nbsp;
<p className="text-slate-500 text-lg"> <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
使 TanStack Start + ORPC License /api
</a>
</p> </p>
<div className="grid grid-cols-1 sm:grid-cols-2 gap-4 mt-8">
<Link
to="/fingerprint"
className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
>
<h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
</h2>
<p className="text-slate-500 mt-2 text-sm">
License
</p>
</Link>
<Link
to="/license"
className="p-6 bg-white rounded-2xl shadow-sm border border-slate-100 hover:shadow-md hover:border-indigo-500/50 transition-all text-left group"
>
<h2 className="text-xl font-semibold text-slate-900 group-hover:text-indigo-600 transition-colors">
License
</h2>
<p className="text-slate-500 mt-2 text-sm">
License
</p>
</Link>
</div>
</div> </div>
</div> </div>
) )

463
apps/server/src/routes/license.tsx
View File

@@ -1,463 +0,0 @@
import {
useMutation,
useQueryClient,
useSuspenseQuery,
} from '@tanstack/react-query'
import { createFileRoute } from '@tanstack/react-router'
import { useState } from 'react'
import { orpc } from '@/client/query-client'
export const Route = createFileRoute('/license')({
component: License,
})
function License() {
const [licenseInput, setLicenseInput] = useState('')
const [copySuccess, setCopySuccess] = useState(false)
const [showDeactivateConfirm, setShowDeactivateConfirm] = useState(false)
const queryClient = useQueryClient()
// 获取激活状态
const { data } = useSuspenseQuery(orpc.license.getActivation.queryOptions())
// 激活 mutation
const activateMutation = useMutation({
...orpc.license.activate.mutationOptions(),
onSuccess: () => {
// 刷新数据
queryClient.invalidateQueries({
queryKey: orpc.license.getActivation.key(),
})
// 清空输入
setLicenseInput('')
},
})
// 反激活 mutation
const deactivateMutation = useMutation({
...orpc.license.deactivate.mutationOptions(),
onSuccess: () => {
queryClient.invalidateQueries({
queryKey: orpc.license.getActivation.key(),
})
setShowDeactivateConfirm(false)
},
})
const handleActivate = () => {
if (!licenseInput.trim()) return
activateMutation.mutate({ license: licenseInput.trim() })
}
const handleDeactivate = () => {
deactivateMutation.mutate()
}
const handleCopyFingerprint = async () => {
try {
await navigator.clipboard.writeText(data.fingerprint)
setCopySuccess(true)
setTimeout(() => setCopySuccess(false), 2000)
} catch (err) {
console.error('Failed to copy fingerprint:', err)
}
}
const isActivated = !!data.license
return (
<div className="min-h-screen bg-gray-50 flex items-center justify-center p-4 font-sans">
<div className="w-full max-w-2xl space-y-6">
{/* 页面标题 */}
<div className="text-center mb-8">
<h1 className="text-3xl font-bold text-gray-900 tracking-tight">
License
</h1>
<p className="text-gray-500 mt-2"></p>
</div>
{/* 设备信息卡片 */}
<div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-blue-500"
>
<rect x="4" y="4" width="16" height="16" rx="2" ry="2"></rect>
<rect x="9" y="9" width="6" height="6"></rect>
<line x1="9" y1="1" x2="9" y2="4"></line>
<line x1="15" y1="1" x2="15" y2="4"></line>
<line x1="9" y1="20" x2="9" y2="23"></line>
<line x1="15" y1="20" x2="15" y2="23"></line>
<line x1="20" y1="9" x2="23" y2="9"></line>
<line x1="20" y1="14" x2="23" y2="14"></line>
<line x1="1" y1="9" x2="4" y2="9"></line>
<line x1="1" y1="14" x2="4" y2="14"></line>
</svg>
</h2>
<div className="bg-gray-50 rounded-lg p-4 border border-gray-100">
<p className="text-sm text-gray-500 mb-1">
(Device Fingerprint)
</p>
<div className="flex items-center gap-3">
<code className="flex-1 font-mono text-sm text-gray-700 break-all select-all">
{data.fingerprint}
</code>
<button
type="button"
onClick={handleCopyFingerprint}
className={`px-3 py-1.5 rounded-md text-sm font-medium transition-colors flex items-center gap-1.5 ${
copySuccess
? 'bg-green-100 text-green-700 hover:bg-green-200'
: 'bg-white border border-gray-200 text-gray-700 hover:bg-gray-50 hover:text-gray-900'
}`}
>
{copySuccess ? (
<>
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="14"
height="14"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<polyline points="20 6 9 17 4 12"></polyline>
</svg>
</>
) : (
<>
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="14"
height="14"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<rect
x="9"
y="9"
width="13"
height="13"
rx="2"
ry="2"
></rect>
<path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"></path>
</svg>
</>
)}
</button>
</div>
</div>
</div>
</div>
{/* License 激活卡片 */}
<div className="bg-white rounded-xl shadow-sm border border-gray-100 overflow-hidden">
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-purple-500"
>
<rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
<path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
</svg>
License
</h2>
<div className="space-y-4">
<div>
<label
htmlFor="license-key"
className="block text-sm font-medium text-gray-700 mb-1"
>
License Key
</label>
<input
id="license-key"
type="text"
value={licenseInput}
onChange={(e) => setLicenseInput(e.target.value)}
disabled={isActivated || activateMutation.isPending}
placeholder={
isActivated ? '已激活,无需输入' : '请输入您的 License Key'
}
className="w-full px-4 py-2.5 bg-white border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500/20 focus:border-purple-500 outline-none transition-all disabled:bg-gray-100 disabled:text-gray-500 placeholder:text-gray-400"
/>
</div>
{activateMutation.isError && (
<div className="p-3 bg-red-50 border border-red-100 rounded-lg text-red-600 text-sm flex items-start gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="16"
height="16"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="mt-0.5 shrink-0"
>
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="8" x2="12" y2="12"></line>
<line x1="12" y1="16" x2="12.01" y2="16"></line>
</svg>
<span>激活失败: 请检查 License </span>
</div>
)}
<button
type="button"
onClick={handleActivate}
disabled={
isActivated ||
activateMutation.isPending ||
!licenseInput.trim()
}
className={`w-full px-6 py-2.5 rounded-lg font-medium text-white shadow-sm transition-all focus:outline-none focus:ring-2 focus:ring-offset-2 ${
isActivated
? 'bg-gray-300 cursor-not-allowed'
: activateMutation.isPending
? 'bg-purple-500 opacity-80 cursor-wait'
: 'bg-purple-600 hover:bg-purple-700 hover:shadow-md active:scale-[0.99] focus:ring-purple-500'
}`}
>
{activateMutation.isPending ? (
<span className="flex items-center justify-center gap-2">
<svg
aria-hidden="true"
className="animate-spin h-4 w-4 text-white"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
>
<circle
className="opacity-25"
cx="12"
cy="12"
r="10"
stroke="currentColor"
strokeWidth="4"
></circle>
<path
className="opacity-75"
fill="currentColor"
d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
></path>
</svg>
...
</span>
) : isActivated ? (
'已完成激活'
) : (
'立即激活'
)}
</button>
</div>
</div>
</div>
{/* 激活状态卡片 */}
<div
className={`rounded-xl shadow-sm border overflow-hidden transition-colors ${
isActivated
? 'bg-green-50/50 border-green-100'
: 'bg-white border-gray-100'
}`}
>
<div className="p-6">
<h2 className="text-lg font-semibold text-gray-900 mb-4 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="20"
height="20"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className={isActivated ? 'text-green-500' : 'text-gray-400'}
>
<path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"></path>
<polyline points="22 4 12 14.01 9 11.01"></polyline>
</svg>
</h2>
{isActivated ? (
<div className="space-y-3">
<div className="flex items-center gap-2 text-green-700 font-medium text-lg">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="24"
height="24"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-green-500"
>
<path d="M12 22c5.523 0 10-4.477 10-10S17.523 2 12 2 2 6.477 2 12s4.477 10 10 10z"></path>
<path d="M9 12l2 2 4-4"></path>
</svg>
<span>License </span>
</div>
<div className="pl-8 space-y-1">
<p className="text-gray-600 text-sm">
<span className="font-medium text-gray-700">
License:{' '}
</span>
<span className="font-mono">{data.license}</span>
</p>
{data.licenseActivatedAt && (
<p className="text-gray-500 text-sm">
<span className="font-medium text-gray-700">
:{' '}
</span>
{new Date(data.licenseActivatedAt).toLocaleString(
'zh-CN',
{
year: 'numeric',
month: '2-digit',
day: '2-digit',
hour: '2-digit',
minute: '2-digit',
second: '2-digit',
},
)}
</p>
)}
</div>
{!showDeactivateConfirm ? (
<button
type="button"
onClick={() => setShowDeactivateConfirm(true)}
className="mt-4 px-4 py-2 bg-red-500 text-white rounded-lg text-sm font-medium hover:bg-red-600 transition-colors shadow-sm"
>
</button>
) : (
<div className="mt-4 p-4 bg-red-50 rounded-lg border border-red-200">
<p className="text-red-700 text-sm mb-3 flex items-center gap-2">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="16"
height="16"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
>
<path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3Z" />
<path d="M12 9v4" />
<path d="M12 17h.01" />
</svg>
License
</p>
<div className="flex gap-2">
<button
type="button"
onClick={handleDeactivate}
disabled={deactivateMutation.isPending}
className="px-4 py-2 bg-red-600 text-white rounded-md text-sm font-medium hover:bg-red-700 disabled:bg-gray-300 transition-colors"
>
{deactivateMutation.isPending
? '反激活中...'
: '确认反激活'}
</button>
<button
type="button"
onClick={() => setShowDeactivateConfirm(false)}
className="px-4 py-2 bg-gray-200 text-gray-700 rounded-md text-sm font-medium hover:bg-gray-300 transition-colors"
>
</button>
</div>
{deactivateMutation.isError && (
<p className="text-red-500 mt-2 text-xs">
</p>
)}
</div>
)}
</div>
) : (
<div className="flex items-start gap-3">
<svg
aria-hidden="true"
xmlns="http://www.w3.org/2000/svg"
width="24"
height="24"
viewBox="0 0 24 24"
fill="none"
stroke="currentColor"
strokeWidth="2"
strokeLinecap="round"
strokeLinejoin="round"
className="text-orange-500 shrink-0 mt-0.5"
>
<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"></path>
<line x1="12" y1="9" x2="12" y2="13"></line>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<div>
<p className="text-orange-700 font-medium text-lg mb-1">
</p>
<p className="text-gray-500 text-sm">
License Key
</p>
</div>
</div>
)}
</div>
</div>
</div>
</div>
)
}

66
apps/server/src/server/api/contracts/crypto.contract.ts Normal file
View File

@@ -0,0 +1,66 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const encryptDeviceInfo = oc
.input(
z.object({
deviceId: z.string().min(1),
}),
)
.output(
z.object({
encrypted: z.string(),
}),
)
export const decryptTask = oc
.input(
z.object({
deviceId: z.string().min(1),
encryptedData: z.string().min(1),
}),
)
.output(
z.object({
taskId: z.string(),
enterpriseId: z.string(),
orgName: z.string(),
inspectionId: z.string(),
inspectionPerson: z.string(),
issuedAt: z.number(),
}),
)
export const encryptSummary = oc
.input(
z.object({
deviceId: z.string().min(1),
taskId: z.string().min(1),
enterpriseId: z.string().min(1),
inspectionId: z.string().min(1),
summary: z.string().min(1),
}),
)
.output(
z.object({
qrContent: z.string(),
}),
)
export const signAndPackReport = oc
.input(
z.object({
deviceId: z.string().min(1),
taskId: z.string().min(1),
enterpriseId: z.string().min(1),
inspectionId: z.string().min(1),
summary: z.string().min(1),
rawZip: z.file().mime(['application/zip', 'application/x-zip-compressed']),
}),
)
.output(
z.object({
deviceSignature: z.string(),
signedZipBase64: z.string(),
}),
)

30
apps/server/src/server/api/contracts/device.contract.ts Normal file
View File

@@ -0,0 +1,30 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
const deviceOutput = z.object({
id: z.string(),
licence: z.string(),
fingerprint: z.string(),
platformPublicKey: z.string(),
pgpPublicKey: z.string().nullable(),
createdAt: z.date(),
updatedAt: z.date(),
})
export const register = oc
.input(
z.object({
licence: z.string().min(1),
platformPublicKey: z.string().min(1),
}),
)
.output(deviceOutput)
export const get = oc
.input(
z.object({
id: z.string().optional(),
licence: z.string().optional(),
}),
)
.output(deviceOutput)

26
apps/server/src/server/api/contracts/fingerprint.contract.ts
View File

@@ -1,26 +0,0 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
/**
* 硬件指纹质量等级
*/
const fingerprintQualitySchema = z.enum(['strong', 'medium', 'weak'])
/**
* 硬件指纹响应 Schema
*/
const fingerprintResultSchema = z.object({
/** 机器码HMAC-SHA256 哈希) */
fingerprint: z.string(),
/** 指纹质量等级 */
quality: fingerprintQualitySchema,
/** 可用的强标识符数量 */
strongIdentifiersCount: z.number(),
/** 生成时间戳 */
timestamp: z.number(),
})
/**
* 获取硬件指纹契约
*/
export const get = oc.input(z.void()).output(fingerprintResultSchema)

10
apps/server/src/server/api/contracts/index.ts
View File

@@ -1,9 +1,11 @@
import * as fingerprint from './fingerprint.contract' import * as crypto from './crypto.contract'
import * as license from './license.contract' import * as device from './device.contract'
import * as task from './task.contract'
export const contract = { export const contract = {
fingerprint, device,
license, crypto,
task,
} }
export type Contract = typeof contract export type Contract = typeof contract

18
apps/server/src/server/api/contracts/license.contract.ts
View File

@@ -1,18 +0,0 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const getActivation = oc.input(z.void()).output(
z.object({
fingerprint: z.string(),
license: z.string().nullable(),
licenseActivatedAt: z.number().nullable(),
}),
)
export const activate = oc
.input(z.object({ license: z.string().min(1) }))
.output(z.object({ success: z.boolean() }))
export const deactivate = oc
.input(z.void())
.output(z.object({ success: z.boolean() }))

47
apps/server/src/server/api/contracts/task.contract.ts Normal file
View File

@@ -0,0 +1,47 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
const taskOutput = z.object({
id: z.string(),
deviceId: z.string(),
taskId: z.string(),
enterpriseId: z.string().nullable(),
orgName: z.string().nullable(),
inspectionId: z.string().nullable(),
inspectionPerson: z.string().nullable(),
issuedAt: z.date().nullable(),
status: z.enum(['pending', 'in_progress', 'done']),
createdAt: z.date(),
updatedAt: z.date(),
})
export const save = oc
.input(
z.object({
deviceId: z.string().min(1),
taskId: z.string().min(1),
enterpriseId: z.string().optional(),
orgName: z.string().optional(),
inspectionId: z.string().optional(),
inspectionPerson: z.string().optional(),
issuedAt: z.number().optional(),
}),
)
.output(taskOutput)
export const list = oc
.input(
z.object({
deviceId: z.string().min(1),
}),
)
.output(z.array(taskOutput))
export const updateStatus = oc
.input(
z.object({
id: z.string().min(1),
status: z.enum(['pending', 'in_progress', 'done']),
}),
)
.output(taskOutput)

26
apps/server/src/server/api/interceptors.ts Normal file
View File

@@ -0,0 +1,26 @@
import { ORPCError, ValidationError } from '@orpc/server'
import { z } from 'zod'
export const logError = (error: unknown) => {
console.error(error)
}
export const handleValidationError = (error: unknown) => {
if (error instanceof ORPCError && error.code === 'BAD_REQUEST' && error.cause instanceof ValidationError) {
// If you only use Zod you can safely cast to ZodIssue[] (per ORPC official docs)
const zodError = new z.ZodError(error.cause.issues as z.core.$ZodIssue[])
throw new ORPCError('INPUT_VALIDATION_FAILED', {
status: 422,
message: z.prettifyError(zodError),
data: z.flattenError(zodError),
cause: error.cause,
})
}
if (error instanceof ORPCError && error.code === 'INTERNAL_SERVER_ERROR' && error.cause instanceof ValidationError) {
throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
cause: error.cause,
})
}
}

8
apps/server/src/server/api/middlewares/db.middleware.ts
View File

@@ -1,9 +1,7 @@
import { os } from '@orpc/server' import { os } from '@/server/api/server'
import { ensureLicenseActivationInitialized } from '@/lib/license-init'
import { getDB } from '@/server/db' import { getDB } from '@/server/db'
export const dbProvider = os.middleware(async ({ context, next }) => { export const db = os.middleware(async ({ context, next }) => {
await ensureLicenseActivationInitialized()
return next({ return next({
context: { context: {
...context, ...context,
@@ -11,5 +9,3 @@ export const dbProvider = os.middleware(async ({ context, next }) => {
}, },
}) })
}) })
export const db = dbProvider

307
apps/server/src/server/api/routers/crypto.router.ts Normal file
View File

@@ -0,0 +1,307 @@
import {
aesGcmDecrypt,
aesGcmEncrypt,
hkdfSha256,
hmacSha256Base64,
pgpSignDetached,
rsaOaepEncrypt,
sha256,
sha256Hex,
} from '@furtherverse/crypto'
import { ORPCError } from '@orpc/server'
import type { JSZipObject } from 'jszip'
import JSZip from 'jszip'
import { z } from 'zod'
import { db } from '../middlewares'
import { os } from '../server'
interface DeviceRow {
id: string
licence: string
fingerprint: string
platformPublicKey: string
pgpPrivateKey: string | null
pgpPublicKey: string | null
}
interface ReportFiles {
assets: Uint8Array
vulnerabilities: Uint8Array
weakPasswords: Uint8Array
reportHtml: Uint8Array
reportHtmlName: string
}
const MAX_RAW_ZIP_BYTES = 50 * 1024 * 1024
const MAX_SINGLE_FILE_BYTES = 20 * 1024 * 1024
const MAX_TOTAL_UNCOMPRESSED_BYTES = 60 * 1024 * 1024
const MAX_ZIP_ENTRIES = 32
const taskPayloadSchema = z.object({
taskId: z.string().min(1),
enterpriseId: z.string().min(1),
orgName: z.string().min(1),
inspectionId: z.string().min(1),
inspectionPerson: z.string().min(1),
issuedAt: z.number(),
})
const normalizePath = (name: string): string => name.replaceAll('\\', '/')
const isUnsafePath = (name: string): boolean => {
const normalized = normalizePath(name)
const segments = normalized.split('/')
return (
normalized.startsWith('/') ||
normalized.includes('\u0000') ||
segments.some((segment) => segment === '..' || segment.trim().length === 0)
)
}
const getBaseName = (name: string): string => {
const normalized = normalizePath(name)
const parts = normalized.split('/')
return parts.at(-1) ?? normalized
}
const getRequiredReportFiles = async (rawZip: JSZip): Promise<ReportFiles> => {
let assets: Uint8Array | null = null
let vulnerabilities: Uint8Array | null = null
let weakPasswords: Uint8Array | null = null
let reportHtml: Uint8Array | null = null
let reportHtmlName: string | null = null
const entries = Object.values(rawZip.files) as JSZipObject[]
if (entries.length > MAX_ZIP_ENTRIES) {
throw new ORPCError('BAD_REQUEST', {
message: `Zip contains too many entries: ${entries.length}`,
})
}
let totalUncompressedBytes = 0
for (const entry of entries) {
if (entry.dir) {
continue
}
if (isUnsafePath(entry.name)) {
throw new ORPCError('BAD_REQUEST', {
message: `Zip contains unsafe entry path: ${entry.name}`,
})
}
const content = await entry.async('uint8array')
if (content.byteLength > MAX_SINGLE_FILE_BYTES) {
throw new ORPCError('BAD_REQUEST', {
message: `Zip entry too large: ${entry.name}`,
})
}
totalUncompressedBytes += content.byteLength
if (totalUncompressedBytes > MAX_TOTAL_UNCOMPRESSED_BYTES) {
throw new ORPCError('BAD_REQUEST', {
message: 'Zip total uncompressed content exceeds max size limit',
})
}
const fileName = getBaseName(entry.name)
const lowerFileName = fileName.toLowerCase()
if (lowerFileName === 'assets.json') {
if (assets) {
throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate assets.json' })
}
assets = content
continue
}
if (lowerFileName === 'vulnerabilities.json') {
if (vulnerabilities) {
throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate vulnerabilities.json' })
}
vulnerabilities = content
continue
}
if (lowerFileName === 'weakpasswords.json') {
if (weakPasswords) {
throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate weakPasswords.json' })
}
weakPasswords = content
continue
}
if (fileName.includes('漏洞评估报告') && lowerFileName.endsWith('.html')) {
if (reportHtml) {
throw new ORPCError('BAD_REQUEST', {
message: 'Zip contains multiple 漏洞评估报告*.html files',
})
}
reportHtml = content
reportHtmlName = fileName
}
}
if (!assets || !vulnerabilities || !weakPasswords || !reportHtml || !reportHtmlName) {
throw new ORPCError('BAD_REQUEST', {
message:
'Zip missing required files. Required: assets.json, vulnerabilities.json, weakPasswords.json, and 漏洞评估报告*.html',
})
}
return {
assets,
vulnerabilities,
weakPasswords,
reportHtml,
reportHtmlName,
}
}
const getDevice = async (
context: {
db: { query: { deviceTable: { findFirst: (args: { where: { id: string } }) => Promise<DeviceRow | undefined> } } }
},
deviceId: string,
): Promise<DeviceRow> => {
const device = await context.db.query.deviceTable.findFirst({
where: { id: deviceId },
})
if (!device) {
throw new ORPCError('NOT_FOUND', { message: 'Device not found' })
}
return device
}
export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context, input }) => {
const device = await getDevice(context, input.deviceId)
const deviceInfoJson = JSON.stringify({
licence: device.licence,
fingerprint: device.fingerprint,
})
const encrypted = rsaOaepEncrypt(deviceInfoJson, device.platformPublicKey)
return { encrypted }
})
export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
const device = await getDevice(context, input.deviceId)
const key = sha256(device.licence + device.fingerprint)
const decryptedJson = aesGcmDecrypt(input.encryptedData, key)
const taskData = taskPayloadSchema.parse(JSON.parse(decryptedJson))
return taskData
})
export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
const device = await getDevice(context, input.deviceId)
const ikm = device.licence + device.fingerprint
const aesKey = hkdfSha256(ikm, input.taskId, 'inspection_report_encryption')
const timestamp = Date.now()
const plaintextJson = JSON.stringify({
enterpriseId: input.enterpriseId,
inspectionId: input.inspectionId,
summary: input.summary,
timestamp,
})
const encrypted = aesGcmEncrypt(plaintextJson, aesKey)
const qrContent = JSON.stringify({
taskId: input.taskId,
encrypted,
})
return { qrContent }
})
export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
const device = await getDevice(context, input.deviceId)
const rawZipArrayBuffer = await input.rawZip.arrayBuffer()
const rawZipBytes = Buffer.from(rawZipArrayBuffer)
if (rawZipBytes.byteLength === 0 || rawZipBytes.byteLength > MAX_RAW_ZIP_BYTES) {
throw new ORPCError('BAD_REQUEST', {
message: 'rawZip is empty or exceeds max size limit',
})
}
const rawZip = await JSZip.loadAsync(rawZipBytes, {
checkCRC32: true,
}).catch(() => {
throw new ORPCError('BAD_REQUEST', {
message: 'rawZip is not a valid zip file',
})
})
const reportFiles = await getRequiredReportFiles(rawZip)
const ikm = device.licence + device.fingerprint
const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
const assetsHash = sha256Hex(Buffer.from(reportFiles.assets))
const vulnerabilitiesHash = sha256Hex(Buffer.from(reportFiles.vulnerabilities))
const weakPasswordsHash = sha256Hex(Buffer.from(reportFiles.weakPasswords))
const reportHtmlHash = sha256Hex(Buffer.from(reportFiles.reportHtml))
const signPayload =
input.taskId + input.inspectionId + assetsHash + vulnerabilitiesHash + weakPasswordsHash + reportHtmlHash
const deviceSignature = hmacSha256Base64(signingKey, signPayload)
if (!device.pgpPrivateKey) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Device does not have a PGP key pair. Re-register the device.',
})
}
const summaryObject = {
enterpriseId: input.enterpriseId,
inspectionId: input.inspectionId,
taskId: input.taskId,
licence: device.licence,
fingerprint: device.fingerprint,
deviceSignature,
summary: input.summary,
timestamp: Date.now(),
}
const summaryBytes = Buffer.from(JSON.stringify(summaryObject), 'utf-8')
const manifestObject = {
files: {
'summary.json': sha256Hex(summaryBytes),
'assets.json': assetsHash,
'vulnerabilities.json': vulnerabilitiesHash,
'weakPasswords.json': weakPasswordsHash,
[reportFiles.reportHtmlName]: reportHtmlHash,
},
}
const manifestBytes = Buffer.from(JSON.stringify(manifestObject, null, 2), 'utf-8')
const signatureAsc = await pgpSignDetached(manifestBytes, device.pgpPrivateKey)
const signedZip = new JSZip()
signedZip.file('summary.json', summaryBytes)
signedZip.file('assets.json', reportFiles.assets)
signedZip.file('vulnerabilities.json', reportFiles.vulnerabilities)
signedZip.file('weakPasswords.json', reportFiles.weakPasswords)
signedZip.file(reportFiles.reportHtmlName, reportFiles.reportHtml)
signedZip.file('META-INF/manifest.json', manifestBytes)
signedZip.file('META-INF/signature.asc', signatureAsc)
const signedZipBytes = await signedZip.generateAsync({
type: 'uint8array',
compression: 'DEFLATE',
compressionOptions: { level: 9 },
})
const signedZipBase64 = Buffer.from(signedZipBytes).toString('base64')
return { deviceSignature, signedZipBase64 }
})

54
apps/server/src/server/api/routers/device.router.ts Normal file
View File

@@ -0,0 +1,54 @@
import { generatePgpKeyPair } from '@furtherverse/crypto'
import { ORPCError } from '@orpc/server'
import { deviceTable } from '@/server/db/schema'
import { computeDeviceFingerprint } from '@/server/device-fingerprint'
import { db } from '../middlewares'
import { os } from '../server'
export const register = os.device.register.use(db).handler(async ({ context, input }) => {
const existing = await context.db.query.deviceTable.findFirst({
where: { licence: input.licence },
})
if (existing) {
throw new ORPCError('CONFLICT', {
message: `Device with licence "${input.licence}" already registered`,
})
}
const pgpKeys = await generatePgpKeyPair(input.licence, `${input.licence}@ux.local`)
const fingerprint = computeDeviceFingerprint()
const rows = await context.db
.insert(deviceTable)
.values({
licence: input.licence,
fingerprint,
platformPublicKey: input.platformPublicKey,
pgpPrivateKey: pgpKeys.privateKey,
pgpPublicKey: pgpKeys.publicKey,
})
.returning()
return rows[0] as (typeof rows)[number]
})
export const get = os.device.get.use(db).handler(async ({ context, input }) => {
if (!input.id && !input.licence) {
throw new ORPCError('BAD_REQUEST', {
message: 'Either id or licence must be provided',
})
}
const device = input.id
? await context.db.query.deviceTable.findFirst({ where: { id: input.id } })
: await context.db.query.deviceTable.findFirst({ where: { licence: input.licence } })
if (!device) {
throw new ORPCError('NOT_FOUND', {
message: 'Device not found',
})
}
return device
})

11
apps/server/src/server/api/routers/fingerprint.router.ts
View File

@@ -1,11 +0,0 @@
import { getHardwareFingerprint } from '@/lib/fingerprint'
import { os } from '../server'
export const get = os.fingerprint.get.handler(async () => {
const result = await getHardwareFingerprint({
cacheTtlMs: 10 * 60 * 1000, // 10 分钟缓存
includePrimaryDisk: true, // 包含主硬盘序列号以提高稳定性
})
return result
})

10
apps/server/src/server/api/routers/index.ts
View File

@@ -1,8 +1,10 @@
import { os } from '../server' import { os } from '../server'
import * as fingerprint from './fingerprint.router' import * as crypto from './crypto.router'
import * as license from './license.router' import * as device from './device.router'
import * as task from './task.router'
export const router = os.router({ export const router = os.router({
fingerprint, device,
license, crypto,
task,
}) })

67
apps/server/src/server/api/routers/license.router.ts
View File

@@ -1,67 +0,0 @@
import { eq } from 'drizzle-orm'
import { ensureLicenseActivationInitialized } from '@/lib/license-init'
import { licenseActivationTable } from '@/server/db/schema'
import { dbProvider } from '../middlewares'
import { os } from '../server'
export const getActivation = os.license.getActivation
.use(dbProvider)
.handler(async ({ context }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
return {
fingerprint: record.fingerprint,
license: record.license,
licenseActivatedAt: record.licenseActivatedAt?.getTime() ?? null,
}
})
export const activate = os.license.activate
.use(dbProvider)
.handler(async ({ context, input }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
await context.db
.update(licenseActivationTable)
.set({
license: input.license,
licenseActivatedAt: new Date(),
})
.where(eq(licenseActivationTable.id, record.id))
return { success: true }
})
export const deactivate = os.license.deactivate
.use(dbProvider)
.handler(async ({ context }) => {
await ensureLicenseActivationInitialized()
const record = await context.db.query.licenseActivationTable.findFirst()
if (!record) {
throw new Error('License activation record not found')
}
await context.db
.update(licenseActivationTable)
.set({
license: null,
licenseActivatedAt: null,
})
.where(eq(licenseActivationTable.id, record.id))
return { success: true }
})

44
apps/server/src/server/api/routers/task.router.ts Normal file
View File

@@ -0,0 +1,44 @@
import { ORPCError } from '@orpc/server'
import { eq } from 'drizzle-orm'
import { taskTable } from '@/server/db/schema'
import { db } from '../middlewares'
import { os } from '../server'
export const save = os.task.save.use(db).handler(async ({ context, input }) => {
const rows = await context.db
.insert(taskTable)
.values({
deviceId: input.deviceId,
taskId: input.taskId,
enterpriseId: input.enterpriseId,
orgName: input.orgName,
inspectionId: input.inspectionId,
inspectionPerson: input.inspectionPerson,
issuedAt: input.issuedAt ? new Date(input.issuedAt) : null,
})
.returning()
return rows[0] as (typeof rows)[number]
})
export const list = os.task.list.use(db).handler(async ({ context, input }) => {
return await context.db.query.taskTable.findMany({
where: { deviceId: input.deviceId },
orderBy: { createdAt: 'desc' },
})
})
export const updateStatus = os.task.updateStatus.use(db).handler(async ({ context, input }) => {
const rows = await context.db
.update(taskTable)
.set({ status: input.status })
.where(eq(taskTable.id, input.id))
.returning()
const updated = rows[0]
if (!updated) {
throw new ORPCError('NOT_FOUND', { message: 'Task not found' })
}
return updated
})

6
apps/server/src/server/api/types.ts
View File

@@ -1,8 +1,4 @@
import type { import type { ContractRouterClient, InferContractRouterInputs, InferContractRouterOutputs } from '@orpc/contract'
ContractRouterClient,
InferContractRouterInputs,
InferContractRouterOutputs,
} from '@orpc/contract'
import type { Contract } from './contracts' import type { Contract } from './contracts'
export type RouterClient = ContractRouterClient<Contract> export type RouterClient = ContractRouterClient<Contract>

16
apps/server/src/server/db/schema/utils/field.ts → apps/server/src/server/db/fields.ts
View File

@@ -1,16 +1,11 @@
import { integer, text } from 'drizzle-orm/sqlite-core' import { integer, text } from 'drizzle-orm/sqlite-core'
import { v7 as uuidv7 } from 'uuid' import { v7 as uuidv7 } from 'uuid'
// id export const pk = (name = 'id') =>
text(name)
export const id = (name: string) => text(name)
export const pk = (name: string) =>
id(name)
.primaryKey() .primaryKey()
.$defaultFn(() => uuidv7()) .$defaultFn(() => uuidv7())
// timestamp
export const createdAt = (name = 'created_at') => export const createdAt = (name = 'created_at') =>
integer(name, { mode: 'timestamp_ms' }) integer(name, { mode: 'timestamp_ms' })
.notNull() .notNull()
@@ -22,18 +17,13 @@ export const updatedAt = (name = 'updated_at') =>
.$defaultFn(() => new Date()) .$defaultFn(() => new Date())
.$onUpdateFn(() => new Date()) .$onUpdateFn(() => new Date())
// generated fields
export const generatedFields = { export const generatedFields = {
id: pk('id'), id: pk('id'),
createdAt: createdAt('created_at'), createdAt: createdAt('created_at'),
updatedAt: updatedAt('updated_at'), updatedAt: updatedAt('updated_at'),
} }
// Helper to create omit keys from generatedFields const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
const createGeneratedFieldKeys = <T extends Record<string, unknown>>(
fields: T,
): Record<keyof T, true> => {
return Object.keys(fields).reduce( return Object.keys(fields).reduce(
(acc, key) => { (acc, key) => {
acc[key as keyof T] = true acc[key as keyof T] = true

18
apps/server/src/server/db/index.ts
View File

@@ -1,17 +1,13 @@
import { mkdirSync } from 'node:fs' import { Database } from 'bun:sqlite'
import { dirname } from 'node:path' import { drizzle } from 'drizzle-orm/bun-sqlite'
import Database from 'better-sqlite3'
import { drizzle } from 'drizzle-orm/better-sqlite3'
import { env } from '@/env' import { env } from '@/env'
import * as schema from '@/server/db/schema' import { relations } from '@/server/db/relations'
export const createDB = () => { export const createDB = () => {
const dbPath = env.DATABASE_URL const sqlite = new Database(env.DATABASE_PATH)
if (dbPath !== ':memory:') { sqlite.exec('PRAGMA journal_mode = WAL')
mkdirSync(dirname(dbPath), { recursive: true }) sqlite.exec('PRAGMA foreign_keys = ON')
} return drizzle({ client: sqlite, relations })
const sqlite = new Database(dbPath)
return drizzle(sqlite, { schema })
} }
export type DB = ReturnType<typeof createDB> export type DB = ReturnType<typeof createDB>

14
apps/server/src/server/db/relations.ts Normal file
View File

@@ -0,0 +1,14 @@
import { defineRelations } from 'drizzle-orm'
import * as schema from './schema'
export const relations = defineRelations(schema, (r) => ({
deviceTable: {
tasks: r.many.taskTable(),
},
taskTable: {
device: r.one.deviceTable({
from: r.taskTable.deviceId,
to: r.deviceTable.id,
}),
},
}))

11
apps/server/src/server/db/schema/device.ts Normal file
View File

@@ -0,0 +1,11 @@
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from '../fields'
export const deviceTable = sqliteTable('device', {
...generatedFields,
licence: text('licence').notNull().unique(),
fingerprint: text('fingerprint').notNull(),
platformPublicKey: text('platform_public_key').notNull(),
pgpPrivateKey: text('pgp_private_key'),
pgpPublicKey: text('pgp_public_key'),
})

3
apps/server/src/server/db/schema/index.ts
View File

@@ -1 +1,2 @@
export * from './license-activation' export * from './device'
export * from './task'

9
apps/server/src/server/db/schema/license-activation.ts
View File

@@ -1,9 +0,0 @@
import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from './utils/field'
export const licenseActivationTable = sqliteTable('license_activation', {
...generatedFields,
fingerprint: text('fingerprint').notNull().unique(),
license: text('license'),
licenseActivatedAt: integer('license_activated_at', { mode: 'timestamp_ms' }),
})

16
apps/server/src/server/db/schema/task.ts Normal file
View File

@@ -0,0 +1,16 @@
import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from '../fields'
export const taskTable = sqliteTable('task', {
...generatedFields,
deviceId: text('device_id').notNull(),
taskId: text('task_id').notNull(),
enterpriseId: text('enterprise_id'),
orgName: text('org_name'),
inspectionId: text('inspection_id'),
inspectionPerson: text('inspection_person'),
issuedAt: integer('issued_at', { mode: 'timestamp_ms' }),
status: text('status', { enum: ['pending', 'in_progress', 'done'] })
.notNull()
.default('pending'),
})

39
apps/server/src/server/device-fingerprint.ts Normal file
View File

@@ -0,0 +1,39 @@
import { readFileSync } from 'node:fs'
import { arch, cpus, networkInterfaces, platform, release, totalmem } from 'node:os'
import { sha256Hex } from '@furtherverse/crypto'
const readMachineId = (): string => {
const candidates = ['/etc/machine-id', '/var/lib/dbus/machine-id']
for (const path of candidates) {
try {
const value = readFileSync(path, 'utf-8').trim()
if (value.length > 0) {
return value
}
} catch {}
}
return ''
}
const collectMacAddresses = (): string[] => {
const interfaces = networkInterfaces()
return Object.values(interfaces)
.flatMap((group) => group ?? [])
.filter((item) => item.mac && item.mac !== '00:00:00:00:00:00' && !item.internal)
.map((item) => item.mac)
.sort()
}
export const computeDeviceFingerprint = (): string => {
const machineId = readMachineId()
const firstCpuModel = cpus()[0]?.model ?? 'unknown'
const macs = collectMacAddresses().join(',')
const source = [machineId, platform(), release(), arch(), String(totalmem()), firstCpuModel, macs].join('|')
const hash = sha256Hex(source)
return `FP-${hash.slice(0, 16)}`
}

37
apps/server/turbo.json
View File

@@ -2,9 +2,46 @@
"$schema": "../../node_modules/turbo/schema.json", "$schema": "../../node_modules/turbo/schema.json",
"extends": ["//"], "extends": ["//"],
"tasks": { "tasks": {
"build": {
"env": ["NODE_ENV", "VITE_*"],
"inputs": ["src/**", "public/**", "package.json", "tsconfig.json", "vite.config.ts"],
"outputs": [".output/**"]
},
"compile": { "compile": {
"dependsOn": ["build"], "dependsOn": ["build"],
"outputs": ["out/**"] "outputs": ["out/**"]
},
"compile:darwin": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:darwin:arm64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:darwin:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux:arm64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:linux:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:windows": {
"dependsOn": ["build"],
"outputs": ["out/**"]
},
"compile:windows:x64": {
"dependsOn": ["build"],
"outputs": ["out/**"]
} }
} }
} }

13
apps/server/vite.config.ts
View File

@@ -10,24 +10,21 @@ export default defineConfig({
clearScreen: false, clearScreen: false,
plugins: [ plugins: [
tanstackDevtools(), tanstackDevtools(),
nitro({
preset: 'bun',
serveStatic: 'inline',
}),
tsconfigPaths(),
tailwindcss(), tailwindcss(),
tsconfigPaths(),
tanstackStart(), tanstackStart(),
react({ react({
babel: { babel: {
plugins: ['babel-plugin-react-compiler'], plugins: ['babel-plugin-react-compiler'],
}, },
}), }),
nitro({
preset: 'bun',
serveStatic: 'inline',
}),
], ],
server: { server: {
port: 3000, port: 3000,
strictPort: true, strictPort: true,
watch: {
ignored: ['**/src-tauri/**'],
},
}, },
}) })

3
biome.json
View File

@@ -11,7 +11,8 @@
"formatter": { "formatter": {
"enabled": true, "enabled": true,
"indentStyle": "space", "indentStyle": "space",
"lineEnding": "lf" "lineEnding": "lf",
"lineWidth": 120
}, },
"linter": { "linter": {
"enabled": true, "enabled": true,

1394
bun.lock
View File

File diff suppressed because it is too large Load Diff

71
docs/UX-授权端接口说明.md Normal file
View File

@@ -0,0 +1,71 @@
# UX 授权端接口说明
本文档描述当前 UX 服务端实现的授权对接接口与职责边界。
## 1. 职责边界
- UX **只与工具箱交互**HTTP RPC不直接与手机 App 交互。
- 手机 App 仅承担扫码和与管理平台联网通信。
- 报告签名流程由工具箱上传原始 ZIP 到 UXUX 返回已签名 ZIP。
## 2. 设备注册
`device.register`
- 输入:`licence``platformPublicKey`
- UX 在本机采集设备特征并计算 `fingerprint`
- UX 将 `licence + fingerprint + 公钥 + PGP 密钥对` 持久化到数据库
## 3. 核心加密接口
### 3.1 设备授权二维码密文
`crypto.encryptDeviceInfo`
- 使用平台公钥 RSA-OAEP 加密:`{ licence, fingerprint }`
- 返回 Base64 密文(工具箱用于生成二维码)
### 3.2 任务二维码解密
`crypto.decryptTask`
- 密钥:`SHA256(licence + fingerprint)`
- 算法AES-256-GCM
- 输入:任务二维码中的 Base64 密文
- 输出:任务 JSON
### 3.3 摘要二维码加密
`crypto.encryptSummary`
- 密钥派生HKDF-SHA256
- `ikm = licence + fingerprint`
- `salt = taskId`
- `info = "inspection_report_encryption"`
- 算法AES-256-GCM
- 输出:`{ taskId, encrypted }` JSON工具箱用于生成二维码
### 3.4 原始 ZIP 签名打包(最终报告)
`crypto.signAndPackReport`
- 输入:`rawZip``multipart/form-data` 文件字段) + `taskId` + `inspectionId` + `enterpriseId` + `summary`
- UX 在服务端完成:
1. 校验并解包原始 ZIP
2. 计算文件 SHA-256
3. HKDF + HMAC 生成 `deviceSignature`
4. 生成 `summary.json`
5. 生成 `META-INF/manifest.json`
6. OpenPGP 分离签名生成 `META-INF/signature.asc`
7. 重新打包为 signed ZIP
- 输出:`signedZipBase64``deviceSignature`
## 4. 安全约束(签名打包)
- 拒绝危险 ZIP 路径(防 Zip Slip
- 限制原始 ZIP 和单文件大小
- 强制存在以下文件:
- `assets.json`
- `vulnerabilities.json`
- `weakPasswords.json`
- `漏洞评估报告*.html`

644
docs/工具箱端-授权对接指南/工具箱端-任务二维码解密指南.md Normal file
View File

@@ -0,0 +1,644 @@
# 工具箱端 - 任务二维码解密指南
## 概述
本文档说明工具箱端如何解密任务二维码数据。App 创建任务后,平台会生成加密的任务数据并返回给 AppApp 将其生成二维码。工具箱扫描二维码后,需要使用自己的 `licence``fingerprint` 解密任务数据。
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱扫描二维码后将密文提交给 UX 的 `crypto.decryptTask`
> 由 UX 使用设备绑定的 `licence + fingerprint` 执行 AES-256-GCM 解密并返回任务明文。
## 一、业务流程
```
App创建任务 → 平台加密任务数据 → 返回加密数据 → App生成二维码
工具箱扫描二维码 → 提取加密数据 → AES-256-GCM解密 → 获取任务信息
```
## 二、任务数据结构
### 2.1 任务数据 JSON 格式
解密后的任务数据为 JSON 格式,包含以下字段:
```json
{
"taskId": "TASK-20260115-4875",
"enterpriseId": "1173040813421105152",
"orgName": "超艺科技有限公司",
"inspectionId": "702286470691215417",
"inspectionPerson": "警务通",
"issuedAt": 1734571234567
}
```
### 2.2 字段说明
| 字段名 | 类型 | 说明 | 示例 |
|--------|------|------|------|
| `taskId` | String | 任务唯一ID格式TASK-YYYYMMDD-XXXX | `"TASK-20260115-4875"` |
| `enterpriseId` | String | 企业ID | `"1173040813421105152"` |
| `orgName` | String | 单位名称 | `"超艺科技有限公司"` |
| `inspectionId` | String | 检查ID | `"702286470691215417"` |
| `inspectionPerson` | String | 检查人 | `"警务通"` |
| `issuedAt` | Number | 任务发布时间戳(毫秒) | `1734571234567` |
## 三、加密算法说明
### 3.1 加密方式
- **算法**AES-256-GCMGalois/Counter Mode
- **密钥长度**256 位32 字节)
- **IV 长度**12 字节96 位)
- **认证标签长度**16 字节128 位)
### 3.2 密钥生成
密钥由工具箱的 `licence``fingerprint` 生成:
```
密钥 = SHA-256(licence + fingerprint)
```
**重要说明**
- `licence``fingerprint` 直接字符串拼接(无分隔符)
- 使用 SHA-256 哈希算法的全部 32 字节作为 AES-256 密钥
- 工具箱必须使用与平台绑定时相同的 `licence``fingerprint`
### 3.3 加密数据格式
加密后的数据格式Base64 编码前):
```
[IV(12字节)] + [加密数据] + [认证标签(16字节)]
```
**数据布局**
```
+------------------+------------------+------------------+
| IV (12字节) | 加密数据 | 认证标签(16字节)|
+------------------+------------------+------------------+
```
## 四、解密步骤
### 4.1 解密流程
1. **扫描二维码**:获取 Base64 编码的加密数据
2. **Base64 解码**:将 Base64 字符串解码为字节数组
3. **分离数据**:从字节数组中分离 IV、加密数据和认证标签
4. **生成密钥**:使用 `licence + fingerprint` 生成 AES-256 密钥
5. **解密数据**:使用 AES-256-GCM 解密(自动验证认证标签)
6. **解析 JSON**:将解密后的字符串解析为 JSON 对象
### 4.2 Python 实现示例
```python
import base64
import json
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.backends import default_backend
def decrypt_task_data(
encrypted_data_base64: str,
licence: str,
fingerprint: str
) -> dict:
"""
解密任务二维码数据
Args:
encrypted_data_base64: Base64编码的加密数据
licence: 设备授权码
fingerprint: 设备硬件指纹
Returns:
解密后的任务数据(字典)
"""
# 1. Base64 解码
encrypted_bytes = base64.b64decode(encrypted_data_base64)
# 2. 分离 IV 和加密数据(包含认证标签)
if len(encrypted_bytes) < 12:
raise ValueError("加密数据格式错误:数据长度不足")
iv = encrypted_bytes[:12] # IV: 前12字节
ciphertext_with_tag = encrypted_bytes[12:] # 加密数据 + 认证标签
# 3. 生成密钥SHA-256(licence + fingerprint)
combined = licence + fingerprint
key = hashlib.sha256(combined.encode('utf-8')).digest()
# 4. 使用 AES-256-GCM 解密
aesgcm = AESGCM(key)
decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
# 5. 解析 JSON
decrypted_json = decrypted_bytes.decode('utf-8')
task_data = json.loads(decrypted_json)
return task_data
# 使用示例
if __name__ == "__main__":
# 从二维码扫描获取的加密数据
encrypted_data = "Base64编码的加密数据..."
# 工具箱的授权信息(必须与平台绑定时一致)
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 解密任务数据
task_data = decrypt_task_data(encrypted_data, licence, fingerprint)
print("任务ID:", task_data["taskId"])
print("企业ID:", task_data["enterpriseId"])
print("单位名称:", task_data["orgName"])
print("检查ID:", task_data["inspectionId"])
print("检查人:", task_data["inspectionPerson"])
print("发布时间:", task_data["issuedAt"])
```
### 4.3 Java/Kotlin 实现示例
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
object TaskDecryptionUtil {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_IV_LENGTH = 12 // GCM 推荐使用 12 字节 IV
private const val GCM_TAG_LENGTH = 16 // GCM 认证标签长度128位
private const val KEY_LENGTH = 32 // AES-256 密钥长度256位 = 32字节
private val objectMapper = ObjectMapper()
/**
* 解密任务二维码数据
*
* @param encryptedDataBase64 Base64编码的加密数据
* @param licence 设备授权码
* @param fingerprint 设备硬件指纹
* @return 解密后的任务数据Map
*/
fun decryptTaskData(
encryptedDataBase64: String,
licence: String,
fingerprint: String
): Map<String, Any> {
// 1. Base64 解码
val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.size < GCM_IV_LENGTH) {
throw IllegalArgumentException("加密数据格式错误:数据长度不足")
}
val iv = encryptedBytes.sliceArray(0 until GCM_IV_LENGTH)
val ciphertextWithTag = encryptedBytes.sliceArray(GCM_IV_LENGTH until encryptedBytes.size)
// 3. 生成密钥SHA-256(licence + fingerprint)
val combined = "$licence$fingerprint"
val digest = MessageDigest.getInstance("SHA-256")
val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
val key = SecretKeySpec(keyBytes, ALGORITHM)
// 4. 使用 AES-256-GCM 解密
val cipher = Cipher.getInstance(TRANSFORMATION)
val parameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, iv) // 标签长度以位为单位
cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
// 解密数据GCM 会自动验证认证标签)
val decryptedBytes = cipher.doFinal(ciphertextWithTag)
// 5. 解析 JSON
val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
@Suppress("UNCHECKED_CAST")
return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
}
}
// 使用示例
fun main() {
// 从二维码扫描获取的加密数据
val encryptedData = "Base64编码的加密数据..."
// 工具箱的授权信息(必须与平台绑定时一致)
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 解密任务数据
val taskData = TaskDecryptionUtil.decryptTaskData(encryptedData, licence, fingerprint)
println("任务ID: ${taskData["taskId"]}")
println("企业ID: ${taskData["enterpriseId"]}")
println("单位名称: ${taskData["orgName"]}")
println("检查ID: ${taskData["inspectionId"]}")
println("检查人: ${taskData["inspectionPerson"]}")
println("发布时间: ${taskData["issuedAt"]}")
}
```
### 4.4 C# 实现示例
```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
public class TaskDecryptionUtil
{
private const int GcmIvLength = 12; // GCM 推荐使用 12 字节 IV
private const int GcmTagLength = 16; // GCM 认证标签长度128位
/// <summary>
/// 解密任务二维码数据
/// </summary>
public static Dictionary<string, object> DecryptTaskData(
string encryptedDataBase64,
string licence,
string fingerprint
)
{
// 1. Base64 解码
byte[] encryptedBytes = Convert.FromBase64String(encryptedDataBase64);
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.Length < GcmIvLength)
{
throw new ArgumentException("加密数据格式错误:数据长度不足");
}
byte[] iv = new byte[GcmIvLength];
Array.Copy(encryptedBytes, 0, iv, 0, GcmIvLength);
byte[] ciphertextWithTag = new byte[encryptedBytes.Length - GcmIvLength];
Array.Copy(encryptedBytes, GcmIvLength, ciphertextWithTag, 0, ciphertextWithTag.Length);
// 3. 生成密钥SHA-256(licence + fingerprint)
string combined = licence + fingerprint;
byte[] keyBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(combined));
// 4. 使用 AES-256-GCM 解密
using (AesGcm aesGcm = new AesGcm(keyBytes))
{
byte[] decryptedBytes = new byte[ciphertextWithTag.Length - GcmTagLength];
byte[] tag = new byte[GcmTagLength];
Array.Copy(ciphertextWithTag, ciphertextWithTag.Length - GcmTagLength, tag, 0, GcmTagLength);
Array.Copy(ciphertextWithTag, 0, decryptedBytes, 0, decryptedBytes.Length);
aesGcm.Decrypt(iv, decryptedBytes, tag, null, decryptedBytes);
// 5. 解析 JSON
string decryptedJson = Encoding.UTF8.GetString(decryptedBytes);
return JsonSerializer.Deserialize<Dictionary<string, object>>(decryptedJson);
}
}
}
// 使用示例
class Program
{
static void Main()
{
// 从二维码扫描获取的加密数据
string encryptedData = "Base64编码的加密数据...";
// 工具箱的授权信息(必须与平台绑定时一致)
string licence = "LIC-8F2A-XXXX";
string fingerprint = "FP-2c91e9f3";
// 解密任务数据
var taskData = TaskDecryptionUtil.DecryptTaskData(encryptedData, licence, fingerprint);
Console.WriteLine($"任务ID: {taskData["taskId"]}");
Console.WriteLine($"企业ID: {taskData["enterpriseId"]}");
Console.WriteLine($"单位名称: {taskData["orgName"]}");
Console.WriteLine($"检查ID: {taskData["inspectionId"]}");
Console.WriteLine($"检查人: {taskData["inspectionPerson"]}");
Console.WriteLine($"发布时间: {taskData["issuedAt"]}");
}
}
```
## 五、完整流程示例
### 5.1 Python 完整示例(包含二维码扫描)
```python
import base64
import json
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from pyzbar import pyzbar
from PIL import Image
class TaskQRCodeDecoder:
"""任务二维码解码器"""
def __init__(self, licence: str, fingerprint: str):
"""
初始化解码器
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
"""
self.licence = licence
self.fingerprint = fingerprint
self._key = self._generate_key()
def _generate_key(self) -> bytes:
"""生成 AES-256 密钥"""
combined = self.licence + self.fingerprint
return hashlib.sha256(combined.encode('utf-8')).digest()
def scan_qr_code(self, qr_image_path: str) -> dict:
"""
扫描二维码并解密任务数据
Args:
qr_image_path: 二维码图片路径
Returns:
解密后的任务数据(字典)
"""
# 1. 扫描二维码
image = Image.open(qr_image_path)
qr_codes = pyzbar.decode(image)
if not qr_codes:
raise ValueError("未找到二维码")
# 获取二维码内容Base64编码的加密数据
encrypted_data_base64 = qr_codes[0].data.decode('utf-8')
print(f"扫描到二维码内容: {encrypted_data_base64[:50]}...")
# 2. 解密任务数据
return self.decrypt_task_data(encrypted_data_base64)
def decrypt_task_data(self, encrypted_data_base64: str) -> dict:
"""
解密任务数据
Args:
encrypted_data_base64: Base64编码的加密数据
Returns:
解密后的任务数据(字典)
"""
# 1. Base64 解码
encrypted_bytes = base64.b64decode(encrypted_data_base64)
# 2. 分离 IV 和加密数据(包含认证标签)
if len(encrypted_bytes) < 12:
raise ValueError("加密数据格式错误:数据长度不足")
iv = encrypted_bytes[:12] # IV: 前12字节
ciphertext_with_tag = encrypted_bytes[12:] # 加密数据 + 认证标签
# 3. 使用 AES-256-GCM 解密
aesgcm = AESGCM(self._key)
decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
# 4. 解析 JSON
decrypted_json = decrypted_bytes.decode('utf-8')
task_data = json.loads(decrypted_json)
return task_data
# 使用示例
if __name__ == "__main__":
# 工具箱的授权信息(必须与平台绑定时一致)
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 创建解码器
decoder = TaskQRCodeDecoder(licence, fingerprint)
# 扫描二维码并解密
try:
task_data = decoder.scan_qr_code("task_qr_code.png")
print("\n=== 任务信息 ===")
print(f"任务ID: {task_data['taskId']}")
print(f"企业ID: {task_data['enterpriseId']}")
print(f"单位名称: {task_data['orgName']}")
print(f"检查ID: {task_data['inspectionId']}")
print(f"检查人: {task_data['inspectionPerson']}")
print(f"发布时间: {task_data['issuedAt']}")
# 可以使用任务信息执行检查任务
# execute_inspection_task(task_data)
except Exception as e:
print(f"解密失败: {e}")
```
### 5.2 Java/Kotlin 完整示例(包含二维码扫描)
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import com.google.zxing.BinaryBitmap
import com.google.zxing.MultiFormatReader
import com.google.zxing.Result
import com.google.zxing.client.j2se.BufferedImageLuminanceSource
import com.google.zxing.common.HybridBinarizer
import java.awt.image.BufferedImage
import java.io.File
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import javax.imageio.ImageIO
class TaskQRCodeDecoder(
private val licence: String,
private val fingerprint: String
) {
private val key: SecretKeySpec by lazy {
val combined = "$licence$fingerprint"
val digest = MessageDigest.getInstance("SHA-256")
val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
SecretKeySpec(keyBytes, "AES")
}
private val objectMapper = ObjectMapper()
/**
* 扫描二维码并解密任务数据
*/
fun scanAndDecrypt(qrImagePath: String): Map<String, Any> {
// 1. 扫描二维码
val image: BufferedImage = ImageIO.read(File(qrImagePath))
val source = BufferedImageLuminanceSource(image)
val bitmap = BinaryBitmap(HybridBinarizer(source))
val reader = MultiFormatReader()
val result: Result = reader.decode(bitmap)
// 获取二维码内容Base64编码的加密数据
val encryptedDataBase64 = result.text
println("扫描到二维码内容: ${encryptedDataBase64.take(50)}...")
// 2. 解密任务数据
return decryptTaskData(encryptedDataBase64)
}
/**
* 解密任务数据
*/
fun decryptTaskData(encryptedDataBase64: String): Map<String, Any> {
// 1. Base64 解码
val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
// 2. 分离 IV 和加密数据(包含认证标签)
if (encryptedBytes.size < 12) {
throw IllegalArgumentException("加密数据格式错误:数据长度不足")
}
val iv = encryptedBytes.sliceArray(0 until 12)
val ciphertextWithTag = encryptedBytes.sliceArray(12 until encryptedBytes.size)
// 3. 使用 AES-256-GCM 解密
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
val parameterSpec = GCMParameterSpec(16 * 8, iv) // 标签长度以位为单位
cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
// 解密数据GCM 会自动验证认证标签)
val decryptedBytes = cipher.doFinal(ciphertextWithTag)
// 4. 解析 JSON
val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
@Suppress("UNCHECKED_CAST")
return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
}
}
// 使用示例
fun main() {
// 工具箱的授权信息(必须与平台绑定时一致)
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 创建解码器
val decoder = TaskQRCodeDecoder(licence, fingerprint)
// 扫描二维码并解密
try {
val taskData = decoder.scanAndDecrypt("task_qr_code.png")
println("\n=== 任务信息 ===")
println("任务ID: ${taskData["taskId"]}")
println("企业ID: ${taskData["enterpriseId"]}")
println("单位名称: ${taskData["orgName"]}")
println("检查ID: ${taskData["inspectionId"]}")
println("检查人: ${taskData["inspectionPerson"]}")
println("发布时间: ${taskData["issuedAt"]}")
// 可以使用任务信息执行检查任务
// executeInspectionTask(taskData)
} catch (e: Exception) {
println("解密失败: ${e.message}")
}
}
```
## 六、常见错误和注意事项
### 6.1 解密失败
**可能原因**
1. **密钥不匹配**`licence``fingerprint` 与平台绑定时不一致
- 确保使用与设备授权时相同的 `licence``fingerprint`
- 检查字符串拼接是否正确(无分隔符)
2. **数据格式错误**Base64 编码或数据布局错误
- 确保 Base64 解码正确
- 确保 IV 长度正确12 字节)
3. **认证标签验证失败**:数据被篡改或损坏
- GCM 模式会自动验证认证标签
- 如果验证失败,说明数据被篡改或密钥错误
4. **算法不匹配**:必须使用 `AES/GCM/NoPadding`
- 确保使用正确的加密算法
- 确保认证标签长度为 128 位16 字节)
### 6.2 二维码扫描失败
**可能原因**
1. **二维码图片质量差**:确保图片清晰,有足够的对比度
2. **二维码内容过长**:如果加密数据过长,可能需要更高版本的二维码
3. **扫描库不支持**:确保使用支持 Base64 字符串的二维码扫描库
### 6.3 JSON 解析失败
**可能原因**
1. **字符编码错误**:确保使用 UTF-8 编码
2. **JSON 格式错误**:确保解密后的字符串是有效的 JSON
3. **字段缺失**:确保所有必需字段都存在
## 七、安全设计说明
### 7.1 为什么使用 AES-256-GCM
1. **认证加密AEAD**GCM 模式提供加密和认证,防止数据被篡改
2. **强安全性**AES-256 提供 256 位密钥强度
3. **自动验证**GCM 模式会自动验证认证标签,任何篡改都会导致解密失败
### 7.2 为什么第三方无法解密
1. **密钥绑定**:只有拥有正确 `licence + fingerprint` 的工具箱才能生成正确的密钥
2. **认证标签**GCM 模式会验证认证标签,任何篡改都会导致解密失败
3. **密钥唯一性**:每个设备的 `licence + fingerprint` 组合是唯一的
### 7.3 密钥生成的安全性
1. **SHA-256 哈希**:使用强哈希算法生成密钥
2. **密钥长度**:使用全部 32 字节作为 AES-256 密钥
3. **密钥隔离**:每个设备的密钥是独立的,互不影响
## 八、测试建议
1. **单元测试**
- 测试密钥生成是否正确
- 测试解密功能是否正常
- 测试 JSON 解析是否正确
2. **集成测试**
- 使用真实平台生成的二维码进行测试
- 测试不同长度的任务数据
- 测试错误的密钥是否会导致解密失败
3. **边界测试**
- 测试超长的任务数据
- 测试特殊字符的处理
- 测试错误的 Base64 格式
## 九、参考实现
- **Python**`cryptography`AES-GCM 加密)、`pyzbar` 库(二维码扫描)
- **Java/Kotlin**JDK `javax.crypto`AES-GCM 加密、ZXing 库(二维码扫描)
- **C#**`System.Security.Cryptography`AES-GCM 加密、ZXing.Net 库(二维码扫描)
## 十、联系支持
如有问题,请联系平台技术支持团队获取:
- 测试环境地址
- 技术支持

646
docs/工具箱端-授权对接指南/工具箱端-报告加密与签名生成指南.md Normal file
View File

@@ -0,0 +1,646 @@
# 工具箱端 - 报告加密与签名生成指南
## 概述
本文档说明工具箱端如何生成加密和签名的检查报告 ZIP 文件,以确保:
1. **授权校验**:只有合法授权的工具箱才能生成有效的报告
2. **防篡改校验**:确保报告内容在传输过程中未被篡改
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱可将原始报告 ZIP 直接上传到 UX 的 `crypto.signAndPackReport`
>
> 1. UX 校验 ZIP 并提取必需文件;
> 2. UX 生成 `deviceSignature`、`summary.json`、`META-INF/manifest.json`、`META-INF/signature.asc`
> 3. UX 重新打包并返回签名后的 ZIPBase64工具箱再用于离线介质回传平台。
## 一、ZIP 文件结构要求
工具箱生成的 ZIP 文件必须包含以下文件:
```
report.zip
├── summary.json # 摘要信息(必须包含授权和签名字段)
├── assets.json # 资产信息(用于签名校验)
├── vulnerabilities.json # 漏洞信息(用于签名校验)
├── weakPasswords.json # 弱密码信息(用于签名校验)
├── 漏洞评估报告.html # 漏洞评估报告(用于签名校验)
└── META-INF/
├── manifest.json # 文件清单(用于 OpenPGP 签名)
└── signature.asc # OpenPGP 签名文件(防篡改)
```
## 二、授权校验 - 设备签名device_signature
### 2.1 目的
设备签名用于验证报告是由合法授权的工具箱生成的,防止第三方伪造扫描结果。
### 2.2 密钥派生
使用 **HKDF-SHA256** 从设备的 `licence``fingerprint` 派生签名密钥:
```
K = HKDF(
input = licence + fingerprint, # 输入密钥材料(字符串拼接)
salt = "AUTH_V3_SALT", # 固定盐值
info = "device_report_signature", # 固定信息参数
hash = SHA-256, # 哈希算法
length = 32 # 输出密钥长度32字节 = 256位
)
```
**伪代码示例**
```python
import hkdf
# 输入密钥材料
ikm = licence + fingerprint # 字符串直接拼接
# HKDF 参数
salt = "AUTH_V3_SALT"
info = "device_report_signature"
key_length = 32 # 32字节 = 256位
# 派生密钥
derived_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
```
### 2.3 签名数据组装(严格顺序)
签名数据必须按照以下**严格顺序**组装:
```
sign_payload =
taskId + # 任务ID字符串
inspectionId + # 检查ID数字转字符串
SHA256(assets.json) + # assets.json 的 SHA256hex字符串小写
SHA256(vulnerabilities.json) + # vulnerabilities.json 的 SHA256hex字符串小写
SHA256(weakPasswords.json) + # weakPasswords.json 的 SHA256hex字符串小写
SHA256(漏洞评估报告.html) # 漏洞评估报告.html 的 SHA256hex字符串小写
```
**重要说明**
- 所有字符串直接拼接,**不添加任何分隔符**
- SHA256 哈希值必须是 **hex 字符串(小写)**,例如:`a1b2c3d4...`
- 文件内容必须是**原始字节**,不能进行任何编码转换
- 顺序必须严格一致,任何顺序错误都会导致签名验证失败
**伪代码示例**
```python
import hashlib
# 1. 读取文件内容(原始字节)
assets_content = read_file("assets.json")
vulnerabilities_content = read_file("vulnerabilities.json")
weak_passwords_content = read_file("weakPasswords.json")
report_html_content = read_file("漏洞评估报告.html")
# 2. 计算 SHA256hex字符串小写
def sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
assets_sha256 = sha256_hex(assets_content)
vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
weak_passwords_sha256 = sha256_hex(weak_passwords_content)
report_html_sha256 = sha256_hex(report_html_content)
# 3. 组装签名数据(严格顺序,直接拼接)
sign_payload = (
str(task_id) +
str(inspection_id) +
assets_sha256 +
vulnerabilities_sha256 +
weak_passwords_sha256 +
report_html_sha256
)
```
### 2.4 生成设备签名
使用 **HMAC-SHA256** 计算签名:
```
device_signature = Base64(HMAC-SHA256(key=K, data=sign_payload))
```
**伪代码示例**
```python
import hmac
import base64
# 使用派生密钥计算 HMAC-SHA256
mac = hmac.new(
key=derived_key, # 派生密钥32字节
msg=sign_payload.encode('utf-8'), # 签名数据UTF-8编码
digestmod=hashlib.sha256
)
# 计算签名
signature_bytes = mac.digest()
# Base64 编码
device_signature = base64.b64encode(signature_bytes).decode('utf-8')
```
### 2.5 写入 summary.json
`device_signature` 写入 `summary.json`
```json
{
"orgId": 1173040813421105152,
"checkId": 702286470691215417,
"taskId": "TASK-20260115-4875",
"licence": "LIC-8F2A-XXXX",
"fingerprint": "FP-2c91e9f3",
"deviceSignature": "Base64编码的签名值",
"summary": "检查摘要信息",
......
}
```
**必需字段**
- `licence`:设备授权码(字符串)
- `fingerprint`:设备硬件指纹(字符串)
- `taskId`任务ID字符串
- `deviceSignature`设备签名Base64字符串
- `checkId``inspectionId`检查ID数字
## 三、防篡改校验 - OpenPGP 签名
### 3.1 目的
OpenPGP 签名用于验证 ZIP 文件在传输过程中未被篡改,确保文件完整性。
### 3.2 生成 manifest.json
创建 `META-INF/manifest.json` 文件,包含所有文件的 SHA-256 哈希值:
```json
{
"files": {
"summary.json": "a1b2c3d4e5f6...",
"assets.json": "b2c3d4e5f6a1...",
"vulnerabilities.json": "c3d4e5f6a1b2...",
"weakPasswords.json": "d4e5f6a1b2c3...",
"漏洞评估报告.html": "e5f6a1b2c3d4..."
}
}
```
**伪代码示例**
```python
import hashlib
import json
def calculate_sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
# 计算所有文件的 SHA256
files_hashes = {
"summary.json": calculate_sha256_hex(summary_content),
"assets.json": calculate_sha256_hex(assets_content),
"vulnerabilities.json": calculate_sha256_hex(vulnerabilities_content),
"weakPasswords.json": calculate_sha256_hex(weak_passwords_content),
"漏洞评估报告.html": calculate_sha256_hex(report_html_content)
}
# 生成 manifest.json
manifest = {
"files": files_hashes
}
manifest_json = json.dumps(manifest, ensure_ascii=False, indent=2)
```
### 3.3 生成 OpenPGP 签名
使用工具箱的**私钥**对 `manifest.json` 进行 OpenPGP 签名,生成 `META-INF/signature.asc`
**伪代码示例(使用 Python gnupg**
```python
import gnupg
# 初始化 GPG
gpg = gnupg.GPG()
# 导入私钥(或使用已配置的密钥)
# gpg.import_keys(private_key_data)
# 对 manifest.json 进行签名
with open('META-INF/manifest.json', 'rb') as f:
signed_data = gpg.sign_file(
f,
detach=True, # 分离式签名
clearsign=False, # 不使用明文签名
output='META-INF/signature.asc'
)
```
**伪代码示例(使用 BouncyCastle - Java/Kotlin**
```kotlin
import org.bouncycastle.openpgp.*
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPPrivateKey
import java.io.ByteArrayOutputStream
import java.io.FileOutputStream
fun generatePGPSignature(
manifestContent: ByteArray,
privateKey: PGPPrivateKey,
publicKey: PGPPublicKey
): ByteArray {
val signatureGenerator = PGPSignatureGenerator(
JcaPGPContentSignerBuilder(publicKey.algorithm, PGPUtil.SHA256)
)
signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey)
signatureGenerator.update(manifestContent)
val signature = signatureGenerator.generate()
val signatureList = PGPSignatureList(signature)
val out = ByteArrayOutputStream()
val pgpOut = PGPObjectFactory(PGPUtil.getEncoderStream(out))
signatureList.encode(out)
return out.toByteArray()
}
```
### 3.4 打包 ZIP 文件
将所有文件打包成 ZIP 文件,确保包含:
- 所有报告文件summary.json、assets.json 等)
- `META-INF/manifest.json`
- `META-INF/signature.asc`
**伪代码示例**
```python
import zipfile
def create_signed_zip(output_path: str):
with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
# 添加报告文件
zipf.write('summary.json', 'summary.json')
zipf.write('assets.json', 'assets.json')
zipf.write('vulnerabilities.json', 'vulnerabilities.json')
zipf.write('weakPasswords.json', 'weakPasswords.json')
zipf.write('漏洞评估报告.html', '漏洞评估报告.html')
# 添加签名文件
zipf.write('META-INF/manifest.json', 'META-INF/manifest.json')
zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
```
## 四、完整流程示例
### 4.1 Python 完整示例
```python
import hashlib
import hmac
import base64
import json
import zipfile
import hkdf
import gnupg
def generate_report_zip(
licence: str,
fingerprint: str,
task_id: str,
inspection_id: int,
output_path: str
):
"""
生成带签名和加密的检查报告 ZIP 文件
"""
# ========== 1. 读取报告文件 ==========
assets_content = read_file("assets.json")
vulnerabilities_content = read_file("vulnerabilities.json")
weak_passwords_content = read_file("weakPasswords.json")
report_html_content = read_file("漏洞评估报告.html")
# ========== 2. 生成设备签名 ==========
# 2.1 密钥派生
ikm = licence + fingerprint
salt = "AUTH_V3_SALT"
info = "device_report_signature"
key_length = 32
derived_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
# 2.2 计算文件 SHA256
def sha256_hex(content: bytes) -> str:
return hashlib.sha256(content).hexdigest()
assets_sha256 = sha256_hex(assets_content)
vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
weak_passwords_sha256 = sha256_hex(weak_passwords_content)
report_html_sha256 = sha256_hex(report_html_content)
# 2.3 组装签名数据(严格顺序)
sign_payload = (
str(task_id) +
str(inspection_id) +
assets_sha256 +
vulnerabilities_sha256 +
weak_passwords_sha256 +
report_html_sha256
)
# 2.4 计算 HMAC-SHA256
mac = hmac.new(
key=derived_key,
msg=sign_payload.encode('utf-8'),
digestmod=hashlib.sha256
)
device_signature = base64.b64encode(mac.digest()).decode('utf-8')
# 2.5 生成 summary.json
summary = {
"orgId": 1173040813421105152,
"checkId": inspection_id,
"taskId": task_id,
"licence": licence,
"fingerprint": fingerprint,
"deviceSignature": device_signature,
"summary": "检查摘要信息"
}
summary_content = json.dumps(summary, ensure_ascii=False).encode('utf-8')
# ========== 3. 生成 OpenPGP 签名 ==========
# 3.1 生成 manifest.json
files_hashes = {
"summary.json": sha256_hex(summary_content),
"assets.json": assets_sha256,
"vulnerabilities.json": vulnerabilities_sha256,
"weakPasswords.json": weak_passwords_sha256,
"漏洞评估报告.html": report_html_sha256
}
manifest = {"files": files_hashes}
manifest_content = json.dumps(manifest, ensure_ascii=False, indent=2).encode('utf-8')
# 3.2 生成 OpenPGP 签名
gpg = gnupg.GPG()
with open('META-INF/manifest.json', 'wb') as f:
f.write(manifest_content)
with open('META-INF/manifest.json', 'rb') as f:
signed_data = gpg.sign_file(
f,
detach=True,
output='META-INF/signature.asc'
)
# ========== 4. 打包 ZIP 文件 ==========
with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
zipf.writestr('summary.json', summary_content)
zipf.writestr('assets.json', assets_content)
zipf.writestr('vulnerabilities.json', vulnerabilities_content)
zipf.writestr('weakPasswords.json', weak_passwords_content)
zipf.writestr('漏洞评估报告.html', report_html_content)
zipf.writestr('META-INF/manifest.json', manifest_content)
zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
print(f"报告 ZIP 文件生成成功: {output_path}")
```
### 4.2 Java/Kotlin 完整示例
```kotlin
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.util.Base64
import java.util.zip.ZipOutputStream
import java.io.FileOutputStream
fun generateReportZip(
licence: String,
fingerprint: String,
taskId: String,
inspectionId: Long,
outputPath: String
) {
// ========== 1. 读取报告文件 ==========
val assetsContent = readFile("assets.json")
val vulnerabilitiesContent = readFile("vulnerabilities.json")
val weakPasswordsContent = readFile("weakPasswords.json")
val reportHtmlContent = readFile("漏洞评估报告.html")
// ========== 2. 生成设备签名 ==========
// 2.1 密钥派生
val ikm = (licence + fingerprint).toByteArray(Charsets.UTF_8)
val salt = "AUTH_V3_SALT".toByteArray(Charsets.UTF_8)
val info = "device_report_signature".toByteArray(Charsets.UTF_8)
val keyLength = 32
val hkdf = HKDFBytesGenerator(SHA256Digest())
hkdf.init(HKDFParameters(ikm, salt, info))
val derivedKey = ByteArray(keyLength)
hkdf.generateBytes(derivedKey, 0, keyLength)
// 2.2 计算文件 SHA256
fun sha256Hex(content: ByteArray): String {
val digest = MessageDigest.getInstance("SHA-256")
val hashBytes = digest.digest(content)
return hashBytes.joinToString("") { "%02x".format(it) }
}
val assetsSha256 = sha256Hex(assetsContent)
val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
val reportHtmlSha256 = sha256Hex(reportHtmlContent)
// 2.3 组装签名数据(严格顺序)
val signPayload = buildString {
append(taskId)
append(inspectionId)
append(assetsSha256)
append(vulnerabilitiesSha256)
append(weakPasswordsSha256)
append(reportHtmlSha256)
}
// 2.4 计算 HMAC-SHA256
val mac = Mac.getInstance("HmacSHA256")
val secretKey = SecretKeySpec(derivedKey, "HmacSHA256")
mac.init(secretKey)
val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
// 2.5 生成 summary.json
val summary = mapOf(
"orgId" to 1173040813421105152L,
"checkId" to inspectionId,
"taskId" to taskId,
"licence" to licence,
"fingerprint" to fingerprint,
"deviceSignature" to deviceSignature,
"summary" to "检查摘要信息"
)
val summaryContent = objectMapper.writeValueAsString(summary).toByteArray(Charsets.UTF_8)
// ========== 3. 生成 OpenPGP 签名 ==========
// 3.1 生成 manifest.json
val filesHashes = mapOf(
"summary.json" to sha256Hex(summaryContent),
"assets.json" to assetsSha256,
"vulnerabilities.json" to vulnerabilitiesSha256,
"weakPasswords.json" to weakPasswordsSha256,
"漏洞评估报告.html" to reportHtmlSha256
)
val manifest = mapOf("files" to filesHashes)
val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
// 3.2 生成 OpenPGP 签名(使用 BouncyCastle
val signatureAsc = generatePGPSignature(manifestContent, privateKey, publicKey)
// ========== 4. 打包 ZIP 文件 ==========
ZipOutputStream(FileOutputStream(outputPath)).use { zipOut ->
zipOut.putNextEntry(ZipEntry("summary.json"))
zipOut.write(summaryContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("assets.json"))
zipOut.write(assetsContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("vulnerabilities.json"))
zipOut.write(vulnerabilitiesContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("weakPasswords.json"))
zipOut.write(weakPasswordsContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("漏洞评估报告.html"))
zipOut.write(reportHtmlContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("META-INF/manifest.json"))
zipOut.write(manifestContent)
zipOut.closeEntry()
zipOut.putNextEntry(ZipEntry("META-INF/signature.asc"))
zipOut.write(signatureAsc)
zipOut.closeEntry()
}
println("报告 ZIP 文件生成成功: $outputPath")
}
```
## 五、平台端验证流程
平台端会按以下顺序验证:
1. **OpenPGP 签名验证**(防篡改)
- 读取 `META-INF/manifest.json``META-INF/signature.asc`
- 使用平台公钥验证签名
- 验证所有文件的 SHA256 是否与 manifest.json 中的哈希值匹配
2. **设备签名验证**(授权)
-`summary.json` 提取 `licence``fingerprint``taskId``deviceSignature`
- 验证 `licence + fingerprint` 是否已绑定
- 验证 `taskId` 是否存在且属于该设备
- 使用相同的 HKDF 派生密钥
- 重新计算签名并与 `deviceSignature` 比较
## 六、常见错误和注意事项
### 6.1 设备签名验证失败
**可能原因**
1. **密钥派生错误**:确保使用正确的 `salt``info` 参数
2. **签名数据顺序错误**:必须严格按照 `taskId + inspectionId + SHA256(...)` 的顺序
3. **SHA256 格式错误**:必须是 hex 字符串(小写),不能包含分隔符
4. **文件内容错误**:确保使用原始文件内容,不能进行编码转换
5. **licence 或 fingerprint 不匹配**:确保与平台绑定的值一致
### 6.2 OpenPGP 签名验证失败
**可能原因**
1. **私钥不匹配**:确保使用与平台公钥对应的私钥
2. **manifest.json 格式错误**:确保 JSON 格式正确
3. **文件哈希值错误**:确保 manifest.json 中的哈希值与实际文件匹配
### 6.3 文件缺失
**必需文件**
- `summary.json`(必须包含授权字段)
- `assets.json`
- `vulnerabilities.json`
- `weakPasswords.json`(文件名大小写不敏感)
- `漏洞评估报告.html`(文件名包含"漏洞评估报告"且以".html"结尾)
- `META-INF/manifest.json`
- `META-INF/signature.asc`
## 七、安全设计说明
### 7.1 为什么第三方无法伪造
1. **设备签名**
- 只有拥有正确 `licence + fingerprint` 的设备才能派生正确的签名密钥
- 即使第三方获取了某个设备的签名,也无法用于其他任务(`taskId` 绑定)
- 即使第三方修改了报告内容,签名也会失效(多个文件的 SHA256 绑定)
2. **OpenPGP 签名**
- 只有拥有私钥的工具箱才能生成有效签名
- 任何文件修改都会导致哈希值不匹配
### 7.2 密钥分离
使用 HKDF 的 `info` 参数区分不同用途的密钥:
- `device_report_signature`:用于设备签名
- 其他用途可以使用不同的 `info` 值,确保密钥隔离
## 八、测试建议
1. **单元测试**
- 测试密钥派生是否正确
- 测试签名生成和验证是否匹配
- 测试文件 SHA256 计算是否正确
2. **集成测试**
- 使用真实数据生成 ZIP 文件
- 上传到平台验证是否通过
- 测试篡改文件后验证是否失败
3. **边界测试**
- 测试文件缺失的情况
- 测试签名数据顺序错误的情况
- 测试错误的 `licence``fingerprint` 的情况
## 九、参考实现
- **HKDF 实现**BouncyCastleJava/Kotlin`hkdf`Python
- **HMAC-SHA256**Java `javax.crypto.Mac`、Python `hmac`
- **OpenPGP**BouncyCastleJava/Kotlin`gnupg`Python
## 十、联系支持
如有问题,请联系平台技术支持团队。

756
docs/工具箱端-授权对接指南/工具箱端-摘要信息二维码生成指南.md Normal file
View File

@@ -0,0 +1,756 @@
# 工具箱端 - 摘要信息二维码生成指南
## 概述
本文档说明工具箱端如何生成摘要信息二维码。工具箱完成检查任务后,需要将摘要信息加密并生成二维码,供 App 扫描后上传到平台。
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱将摘要明文传给 UX 的 `crypto.encryptSummary`
> 由 UX 执行 HKDF + AES-256-GCM 加密并返回二维码内容 JSON`taskId + encrypted`)。
## 一、业务流程
```
工具箱完成检查 → 准备摘要信息 → HKDF派生密钥 → AES-256-GCM加密 → 组装二维码内容 → 生成二维码
App扫描二维码 → 提取taskId和encrypted → 提交到平台 → 平台解密验证 → 保存摘要信息
```
## 二、二维码内容格式
二维码内容为 JSON 格式,包含以下字段:
```json
{
"taskId": "TASK-20260115-4875",
"encrypted": "uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nugESrB2jUSGASTf4+5E7cLlDOmtDw7QlqS+6Hb7sn3daMSOovcna07huchHeesrJCiHV8ntEDXdCCdQOEHfkZAvy5gS8jQY41x5Qcnmqbz3qqHTmceIihTj4uqRVyKOE8jxzY6ko76jx0gW239gyFysJUTrqSPiFAr+gToi2l9SWP8ISViBmYmCY2cQtKvPfTKXwxGMid0zE/nDmb9n38X1oR05nAP0v1KaVY7iPcjsWySDGqO2iIbPzV8tQzq5TNuYqn9gvxIX/oRTFECP+aosfmOD5I8H8rVFTebyTHw+ONV3KoN2IMRqnG+a2lucbhzwQk7/cX1hs9lYm+yapmp+0MbLCtf2KMWqJPdeZqTVZgi3R181BCxo3OIwcCFTnZ/b9pdw+q8ai6SJpso5mA0TpUCvqYlGlKMZde0nj07kmLpdAm3AOg3GtPezfJu8iHmsc4PTa8RDsPgTIxcdyxNSMqo1Ws3VLQXm6DHK/kma/vbvSA/N7upPzi7wLvboig=="
}
```
### 2.1 字段说明
| 字段名 | 类型 | 说明 | 示例 |
|--------|------|------|------|
| `taskId` | String | 任务ID从任务二维码中获取 | `"TASK-20260115-4875"` |
| `encrypted` | String | Base64编码的加密数据 | `"uWUcAmp6UQd0w3G3..."` |
## 三、摘要信息数据结构
### 3.1 明文数据 JSON 格式
加密前的摘要信息为 JSON 格式,包含以下字段:
```json
{
"enterpriseId": "1173040813421105152",
"inspectionId": "702286470691215417",
"summary": "检查摘要信息",
"timestamp": 1734571234567
}
```
### 3.2 字段说明
| 字段名 | 类型 | 说明 | 示例 |
|--------|------|------|------|
| `enterpriseId` | String | 企业ID从任务数据中获取 | `"1173040813421105152"` |
| `inspectionId` | String | 检查ID从任务数据中获取 | `"702286470691215417"` |
| `summary` | String | 检查摘要信息 | `"检查摘要信息"` |
| `timestamp` | Number | 时间戳(毫秒) | `1734571234567` |
## 四、密钥派生HKDF-SHA256
### 4.1 密钥派生参数
使用 **HKDF-SHA256**`licence + fingerprint` 派生 AES 密钥:
```
AES Key = HKDF(
input = licence + fingerprint, # 输入密钥材料(字符串拼接)
salt = taskId, # Salt值任务ID
info = "inspection_report_encryption", # Info值固定值
hash = SHA-256, # 哈希算法
length = 32 # 输出密钥长度32字节 = 256位
)
```
**重要说明**
- `ikm`(输入密钥材料)= `licence + fingerprint`(直接字符串拼接,无分隔符)
- `salt` = `taskId`从任务二维码中获取的任务ID
- `info` = `"inspection_report_encryption"`(固定值,区分不同用途的密钥)
- `length` = `32` 字节AES-256 密钥长度)
### 4.2 Python 实现示例
```python
import hashlib
import hkdf
def derive_aes_key(licence: str, fingerprint: str, task_id: str) -> bytes:
"""
使用 HKDF-SHA256 派生 AES-256 密钥
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
task_id: 任务ID
Returns:
派生出的密钥32字节
"""
# 输入密钥材料
ikm = licence + fingerprint # 直接字符串拼接
# HKDF 参数
salt = task_id
info = "inspection_report_encryption"
key_length = 32 # 32字节 = 256位
# 派生密钥
derived_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
return derived_key
```
### 4.3 Java/Kotlin 实现示例
```kotlin
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.nio.charset.StandardCharsets
fun deriveAesKey(licence: String, fingerprint: String, taskId: String): ByteArray {
// 输入密钥材料
val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
// HKDF 参数
val salt = taskId.toByteArray(StandardCharsets.UTF_8)
val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
val keyLength = 32 // 32字节 = 256位
// 派生密钥
val hkdf = HKDFBytesGenerator(SHA256Digest())
val params = HKDFParameters(ikm, salt, info)
hkdf.init(params)
val derivedKey = ByteArray(keyLength)
hkdf.generateBytes(derivedKey, 0, keyLength)
return derivedKey
}
```
## 五、AES-256-GCM 加密
### 5.1 加密算法
- **算法**AES-256-GCMGalois/Counter Mode
- **密钥长度**256 位32 字节)
- **IV 长度**12 字节96 位)
- **认证标签长度**16 字节128 位)
### 5.2 加密数据格式
加密后的数据格式Base64 编码前):
```
[IV(12字节)] + [加密数据] + [认证标签(16字节)]
```
**数据布局**
```
+------------------+------------------+------------------+
| IV (12字节) | 加密数据 | 认证标签(16字节)|
+------------------+------------------+------------------+
```
### 5.3 Python 实现示例
```python
import base64
import hashlib
import hkdf
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.backends import default_backend
import json
import time
def encrypt_summary_data(
enterprise_id: str,
inspection_id: str,
summary: str,
licence: str,
fingerprint: str,
task_id: str
) -> str:
"""
加密摘要信息数据
Args:
enterprise_id: 企业ID
inspection_id: 检查ID
summary: 摘要信息
licence: 设备授权码
fingerprint: 设备硬件指纹
task_id: 任务ID
Returns:
Base64编码的加密数据
"""
# 1. 组装明文数据JSON格式
timestamp = int(time.time() * 1000) # 毫秒时间戳
plaintext_map = {
"enterpriseId": str(enterprise_id),
"inspectionId": str(inspection_id),
"summary": summary,
"timestamp": timestamp
}
plaintext = json.dumps(plaintext_map, ensure_ascii=False)
# 2. 使用 HKDF-SHA256 派生 AES 密钥
ikm = licence + fingerprint
salt = task_id
info = "inspection_report_encryption"
key_length = 32
aes_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
# 3. 使用 AES-256-GCM 加密数据
aesgcm = AESGCM(aes_key)
iv = os.urandom(12) # 生成12字节随机IV
encrypted_bytes = aesgcm.encrypt(iv, plaintext.encode('utf-8'), None)
# 4. 组装IV + 加密数据(包含认证标签)
# AESGCM.encrypt 返回的格式已经是:加密数据 + 认证标签
combined = iv + encrypted_bytes
# 5. Base64 编码
encrypted_base64 = base64.b64encode(combined).decode('utf-8')
return encrypted_base64
```
### 5.4 Java/Kotlin 实现示例
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.nio.charset.StandardCharsets
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
object SummaryEncryptionUtil {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_IV_LENGTH = 12 // 12 bytes = 96 bits
private const val GCM_TAG_LENGTH = 16 // 16 bytes = 128 bits
private const val GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8 // 128 bits
private val objectMapper = ObjectMapper()
private val secureRandom = SecureRandom()
/**
* 加密摘要信息数据
*/
fun encryptSummaryData(
enterpriseId: String,
inspectionId: String,
summary: String,
licence: String,
fingerprint: String,
taskId: String
): String {
// 1. 组装明文数据JSON格式
val timestamp = System.currentTimeMillis()
val plaintextMap = mapOf(
"enterpriseId" to enterpriseId,
"inspectionId" to inspectionId,
"summary" to summary,
"timestamp" to timestamp
)
val plaintext = objectMapper.writeValueAsString(plaintextMap)
// 2. 使用 HKDF-SHA256 派生 AES 密钥
val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
val salt = taskId.toByteArray(StandardCharsets.UTF_8)
val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
val keyLength = 32
val hkdf = HKDFBytesGenerator(SHA256Digest())
val params = HKDFParameters(ikm, salt, info)
hkdf.init(params)
val aesKey = ByteArray(keyLength)
hkdf.generateBytes(aesKey, 0, keyLength)
// 3. 使用 AES-256-GCM 加密数据
val iv = ByteArray(GCM_IV_LENGTH)
secureRandom.nextBytes(iv)
val secretKey = SecretKeySpec(aesKey, ALGORITHM)
val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
val cipher = Cipher.getInstance(TRANSFORMATION)
cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
val plaintextBytes = plaintext.toByteArray(StandardCharsets.UTF_8)
val encryptedBytes = cipher.doFinal(plaintextBytes)
// 4. 组装IV + 加密数据(包含认证标签)
// GCM 模式会将认证标签附加到密文末尾
val ciphertext = encryptedBytes.sliceArray(0 until encryptedBytes.size - GCM_TAG_LENGTH)
val tag = encryptedBytes.sliceArray(encryptedBytes.size - GCM_TAG_LENGTH until encryptedBytes.size)
val combined = iv + ciphertext + tag
// 5. Base64 编码
return Base64.getEncoder().encodeToString(combined)
}
}
```
## 六、组装二维码内容
### 6.1 二维码内容 JSON
`taskId` 和加密后的 `encrypted` 组装成 JSON 格式:
```json
{
"taskId": "TASK-20260115-4875",
"encrypted": "Base64编码的加密数据"
}
```
### 6.2 Python 实现示例
```python
import json
def generate_qr_code_content(task_id: str, encrypted: str) -> str:
"""
生成二维码内容JSON格式
Args:
task_id: 任务ID
encrypted: Base64编码的加密数据
Returns:
JSON格式的字符串
"""
qr_content = {
"taskId": task_id,
"encrypted": encrypted
}
return json.dumps(qr_content, ensure_ascii=False)
```
## 七、完整流程示例
### 7.1 Python 完整示例
```python
import base64
import json
import time
import hashlib
import hkdf
import qrcode
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os
class SummaryQRCodeGenerator:
"""摘要信息二维码生成器"""
def __init__(self, licence: str, fingerprint: str):
"""
初始化生成器
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
"""
self.licence = licence
self.fingerprint = fingerprint
def generate_summary_qr_code(
self,
task_id: str,
enterprise_id: str,
inspection_id: str,
summary: str,
output_path: str = "summary_qr.png"
) -> str:
"""
生成摘要信息二维码
Args:
task_id: 任务ID从任务二维码中获取
enterprise_id: 企业ID从任务数据中获取
inspection_id: 检查ID从任务数据中获取
summary: 摘要信息
output_path: 二维码图片保存路径
Returns:
二维码内容JSON字符串
"""
# 1. 组装明文数据JSON格式
timestamp = int(time.time() * 1000) # 毫秒时间戳
plaintext_map = {
"enterpriseId": str(enterprise_id),
"inspectionId": str(inspection_id),
"summary": summary,
"timestamp": timestamp
}
plaintext = json.dumps(plaintext_map, ensure_ascii=False)
print(f"明文数据: {plaintext}")
# 2. 使用 HKDF-SHA256 派生 AES 密钥
ikm = self.licence + self.fingerprint
salt = task_id
info = "inspection_report_encryption"
key_length = 32
aes_key = hkdf.HKDF(
algorithm=hashlib.sha256,
length=key_length,
salt=salt.encode('utf-8'),
info=info.encode('utf-8'),
ikm=ikm.encode('utf-8')
).derive()
print(f"密钥派生成功: {len(aes_key)} 字节")
# 3. 使用 AES-256-GCM 加密数据
aesgcm = AESGCM(aes_key)
iv = os.urandom(12) # 生成12字节随机IV
encrypted_bytes = aesgcm.encrypt(iv, plaintext.encode('utf-8'), None)
# 组装IV + 加密数据(包含认证标签)
combined = iv + encrypted_bytes
# Base64 编码
encrypted_base64 = base64.b64encode(combined).decode('utf-8')
print(f"加密成功: {encrypted_base64[:50]}...")
# 4. 组装二维码内容JSON格式
qr_content = {
"taskId": task_id,
"encrypted": encrypted_base64
}
qr_content_json = json.dumps(qr_content, ensure_ascii=False)
print(f"二维码内容: {qr_content_json[:100]}...")
# 5. 生成二维码
qr = qrcode.QRCode(
version=1,
error_correction=qrcode.constants.ERROR_CORRECT_M,
box_size=10,
border=4,
)
qr.add_data(qr_content_json)
qr.make(fit=True)
img = qr.make_image(fill_color="black", back_color="white")
img.save(output_path)
print(f"二维码已生成: {output_path}")
return qr_content_json
# 使用示例
if __name__ == "__main__":
# 工具箱的授权信息(必须与平台绑定时一致)
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 创建生成器
generator = SummaryQRCodeGenerator(licence, fingerprint)
# 从任务二维码中获取的信息
task_id = "TASK-20260115-4875"
enterprise_id = "1173040813421105152"
inspection_id = "702286470691215417"
summary = "检查摘要信息发现3个高危漏洞5个中危漏洞"
# 生成二维码
qr_content = generator.generate_summary_qr_code(
task_id=task_id,
enterprise_id=enterprise_id,
inspection_id=inspection_id,
summary=summary,
output_path="summary_qr_code.png"
)
print(f"\n二维码内容:\n{qr_content}")
```
### 7.2 Java/Kotlin 完整示例
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import com.google.zxing.BarcodeFormat
import com.google.zxing.EncodeHintType
import com.google.zxing.qrcode.QRCodeWriter
import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
import org.bouncycastle.crypto.digests.SHA256Digest
import org.bouncycastle.crypto.generators.HKDFBytesGenerator
import org.bouncycastle.crypto.params.HKDFParameters
import java.awt.image.BufferedImage
import java.nio.charset.StandardCharsets
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import javax.imageio.ImageIO
import java.io.File
class SummaryQRCodeGenerator(
private val licence: String,
private val fingerprint: String
) {
private const val ALGORITHM = "AES"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_IV_LENGTH = 12
private const val GCM_TAG_LENGTH = 16
private const val GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8
private val objectMapper = ObjectMapper()
private val secureRandom = SecureRandom()
/**
* 生成摘要信息二维码
*/
fun generateSummaryQRCode(
taskId: String,
enterpriseId: String,
inspectionId: String,
summary: String,
outputPath: String = "summary_qr.png"
): String {
// 1. 组装明文数据JSON格式
val timestamp = System.currentTimeMillis()
val plaintextMap = mapOf(
"enterpriseId" to enterpriseId,
"inspectionId" to inspectionId,
"summary" to summary,
"timestamp" to timestamp
)
val plaintext = objectMapper.writeValueAsString(plaintextMap)
println("明文数据: $plaintext")
// 2. 使用 HKDF-SHA256 派生 AES 密钥
val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
val salt = taskId.toByteArray(StandardCharsets.UTF_8)
val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
val keyLength = 32
val hkdf = HKDFBytesGenerator(SHA256Digest())
val params = HKDFParameters(ikm, salt, info)
hkdf.init(params)
val aesKey = ByteArray(keyLength)
hkdf.generateBytes(aesKey, 0, keyLength)
println("密钥派生成功: ${aesKey.size} 字节")
// 3. 使用 AES-256-GCM 加密数据
val iv = ByteArray(GCM_IV_LENGTH)
secureRandom.nextBytes(iv)
val secretKey = SecretKeySpec(aesKey, ALGORITHM)
val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
val cipher = Cipher.getInstance(TRANSFORMATION)
cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
val plaintextBytes = plaintext.toByteArray(StandardCharsets.UTF_8)
val encryptedBytes = cipher.doFinal(plaintextBytes)
// 组装IV + 加密数据(包含认证标签)
val ciphertext = encryptedBytes.sliceArray(0 until encryptedBytes.size - GCM_TAG_LENGTH)
val tag = encryptedBytes.sliceArray(encryptedBytes.size - GCM_TAG_LENGTH until encryptedBytes.size)
val combined = iv + ciphertext + tag
// Base64 编码
val encryptedBase64 = Base64.getEncoder().encodeToString(combined)
println("加密成功: ${encryptedBase64.take(50)}...")
// 4. 组装二维码内容JSON格式
val qrContent = mapOf(
"taskId" to taskId,
"encrypted" to encryptedBase64
)
val qrContentJson = objectMapper.writeValueAsString(qrContent)
println("二维码内容: ${qrContentJson.take(100)}...")
// 5. 生成二维码
val hints = hashMapOf<EncodeHintType, Any>().apply {
put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
put(EncodeHintType.CHARACTER_SET, "UTF-8")
put(EncodeHintType.MARGIN, 1)
}
val writer = QRCodeWriter()
val bitMatrix = writer.encode(qrContentJson, BarcodeFormat.QR_CODE, 300, 300, hints)
val width = bitMatrix.width
val height = bitMatrix.height
val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
for (x in 0 until width) {
for (y in 0 until height) {
image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
}
}
ImageIO.write(image, "PNG", File(outputPath))
println("二维码已生成: $outputPath")
return qrContentJson
}
}
// 使用示例
fun main() {
// 工具箱的授权信息(必须与平台绑定时一致)
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 创建生成器
val generator = SummaryQRCodeGenerator(licence, fingerprint)
// 从任务二维码中获取的信息
val taskId = "TASK-20260115-4875"
val enterpriseId = "1173040813421105152"
val inspectionId = "702286470691215417"
val summary = "检查摘要信息发现3个高危漏洞5个中危漏洞"
// 生成二维码
val qrContent = generator.generateSummaryQRCode(
taskId = taskId,
enterpriseId = enterpriseId,
inspectionId = inspectionId,
summary = summary,
outputPath = "summary_qr_code.png"
)
println("\n二维码内容:\n$qrContent")
}
```
## 八、平台端验证流程
平台端会按以下流程验证:
1. **接收请求**App 扫描二维码后,将 `taskId``encrypted` 提交到平台
2. **查询任务**:根据 `taskId` 查询任务记录,获取 `deviceLicenceId`
3. **获取设备信息**:根据 `deviceLicenceId` 查询设备授权记录,获取 `licence``fingerprint`
4. **密钥派生**:使用相同的 HKDF 参数派生 AES 密钥
5. **解密数据**:使用 AES-256-GCM 解密(自动验证认证标签)
6. **时间戳校验**:验证 `timestamp` 是否在合理范围内(防止重放攻击)
7. **保存摘要**:将摘要信息保存到数据库
## 九、常见错误和注意事项
### 9.1 加密失败
**可能原因**
1. **密钥派生错误**:确保使用正确的 HKDF 参数
- `ikm` = `licence + fingerprint`(直接字符串拼接)
- `salt` = `taskId`(必须与任务二维码中的 taskId 一致)
- `info` = `"inspection_report_encryption"`(固定值)
- `length` = `32` 字节
2. **数据格式错误**:确保 JSON 格式正确
- 字段名和类型必须匹配
- 时间戳必须是数字类型(毫秒)
3. **IV 生成错误**:确保使用安全的随机数生成器生成 12 字节 IV
### 9.2 平台验证失败
**可能原因**
1. **taskId 不匹配**:确保二维码中的 `taskId` 与任务二维码中的 `taskId` 一致
2. **密钥不匹配**:确保 `licence``fingerprint` 与平台绑定时一致
3. **时间戳过期**:平台会验证时间戳,确保时间戳在合理范围内
4. **认证标签验证失败**:数据被篡改或密钥错误
### 9.3 二维码生成失败
**可能原因**
1. **内容过长**:如果加密数据过长,可能需要更高版本的二维码
2. **JSON 格式错误**:确保 JSON 格式正确
3. **字符编码错误**:确保使用 UTF-8 编码
## 十、安全设计说明
### 10.1 为什么使用 HKDF
1. **密钥分离**:使用 `info` 参数区分不同用途的密钥
2. **Salt 随机性**:使用 `taskId` 作为 salt确保每个任务的密钥不同
3. **密钥扩展**HKDF 提供更好的密钥扩展性
### 10.2 为什么第三方无法伪造
1. **密钥绑定**:只有拥有正确 `licence + fingerprint` 的工具箱才能生成正确的密钥
2. **任务绑定**:使用 `taskId` 作为 salt确保密钥与特定任务绑定
3. **认证加密**GCM 模式提供认证加密,任何篡改都会导致解密失败
4. **时间戳校验**:平台会验证时间戳,防止重放攻击
### 10.3 密钥派生参数的重要性
- **ikm**`licence + fingerprint` 是设备唯一标识
- **salt**`taskId` 确保每个任务使用不同的密钥
- **info**`"inspection_report_encryption"` 区分不同用途的密钥
- **length**`32` 字节提供 256 位密钥强度
## 十一、测试建议
1. **单元测试**
- 测试密钥派生是否正确
- 测试加密和解密是否匹配
- 测试 JSON 格式是否正确
2. **集成测试**
- 使用真实任务数据生成二维码
- App 扫描二维码并提交到平台
- 验证平台是否能正确解密和验证
3. **边界测试**
- 测试超长的摘要信息
- 测试特殊字符的处理
- 测试错误的 taskId 是否会导致解密失败
## 十二、参考实现
- **Python**`hkdf`HKDF`cryptography`AES-GCM`qrcode` 库(二维码生成)
- **Java/Kotlin**BouncyCastleHKDF、JDK `javax.crypto`AES-GCM、ZXing 库(二维码生成)
- **C#**BouncyCastle.NetHKDF`System.Security.Cryptography`AES-GCM、ZXing.Net 库(二维码生成)
## 十三、联系支持
如有问题,请联系平台技术支持团队获取:
- 测试环境地址
- 技术支持

601
docs/工具箱端-授权对接指南/工具箱端-设备授权二维码生成指南.md Normal file
View File

@@ -0,0 +1,601 @@
# 工具箱端 - 设备授权二维码生成指南
## 概述
本文档说明工具箱端如何生成设备授权二维码用于设备首次授权和绑定。App 扫描二维码后,会将加密的设备信息提交到平台完成授权校验和绑定。
> ### UX 集成模式补充(当前项目实现)
>
> 在当前集成模式中,工具箱不直接执行 RSA 加密,而是调用 UX 接口:
>
> 1. 工具箱先调用 `device.register` 传入 `licence` 与平台公钥,`fingerprint` 由 UX 本机计算并入库。
> 2. 工具箱再调用 `crypto.encryptDeviceInfo` 获取加密后的 Base64 密文。
> 3. 工具箱将该密文生成二维码供 App 扫码提交平台。
## 一、业务流程
```
工具箱 → 生成设备信息 → RSA-OAEP加密 → Base64编码 → 生成二维码
App扫描二维码 → 提取加密数据 → 调用平台接口 → 平台解密验证 → 授权成功
```
## 二、设备信息准备
### 2.1 设备信息字段
工具箱需要准备以下设备信息:
| 字段名 | 类型 | 说明 | 示例 |
|--------|------|------|------|
| `licence` | String | 设备授权码(工具箱唯一标识) | `"LIC-8F2A-XXXX"` |
| `fingerprint` | String | 设备硬件指纹(设备唯一标识) | `"FP-2c91e9f3"` |
### 2.2 生成设备信息 JSON
将设备信息组装成 JSON 格式:
```json
{
"licence": "LIC-8F2A-XXXX",
"fingerprint": "FP-2c91e9f3"
}
```
**重要说明**
- `licence``fingerprint` 必须是字符串类型
- JSON 格式必须正确,不能有多余的逗号或格式错误
- 建议使用标准的 JSON 库生成,避免手动拼接
**伪代码示例**
```python
import json
device_info = {
"licence": "LIC-8F2A-XXXX", # 工具箱授权码
"fingerprint": "FP-2c91e9f3" # 设备硬件指纹
}
# 转换为 JSON 字符串
device_info_json = json.dumps(device_info, ensure_ascii=False)
# 结果: {"licence":"LIC-8F2A-XXXX","fingerprint":"FP-2c91e9f3"}
```
## 三、RSA-OAEP 加密
### 3.1 加密算法
使用 **RSA-OAEP** 非对称加密算法:
- **算法名称**`RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
- **密钥长度**2048 位(推荐)
- **填充方式**OAEP with SHA-256 and MGF1
- **加密方向**:使用**平台公钥**加密,平台使用私钥解密
### 3.2 获取平台公钥
平台公钥需要从平台获取,通常以 **Base64 编码**的字符串形式提供。
**公钥格式**
- 格式X.509 标准格式DER 编码)
- 存储Base64 编码的字符串
- 示例:`MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB`
### 3.3 加密步骤
1. **加载平台公钥**:从 Base64 字符串加载公钥对象
2. **初始化加密器**:使用 `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` 算法
3. **加密数据**:使用公钥加密设备信息 JSON 字符串UTF-8 编码)
4. **Base64 编码**:将加密后的字节数组进行 Base64 编码
### 3.4 Python 实现示例
```python
import base64
import json
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
def encrypt_device_info(licence: str, fingerprint: str, platform_public_key_base64: str) -> str:
"""
使用平台公钥加密设备信息
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
platform_public_key_base64: 平台公钥Base64编码
Returns:
Base64编码的加密数据
"""
# 1. 组装设备信息 JSON
device_info = {
"licence": licence,
"fingerprint": fingerprint
}
device_info_json = json.dumps(device_info, ensure_ascii=False)
# 2. 加载平台公钥
public_key_bytes = base64.b64decode(platform_public_key_base64)
public_key = serialization.load_der_public_key(
public_key_bytes,
backend=default_backend()
)
# 3. 使用 RSA-OAEP 加密
# OAEP padding with SHA-256 and MGF1
encrypted_bytes = public_key.encrypt(
device_info_json.encode('utf-8'),
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
# 4. Base64 编码
encrypted_base64 = base64.b64encode(encrypted_bytes).decode('utf-8')
return encrypted_base64
```
### 3.5 Java/Kotlin 实现示例
```kotlin
import java.security.KeyFactory
import java.security.PublicKey
import java.security.spec.X509EncodedKeySpec
import java.util.Base64
import javax.crypto.Cipher
import java.nio.charset.StandardCharsets
object DeviceAuthorizationUtil {
private const val CIPHER_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
/**
* 使用平台公钥加密设备信息
*
* @param licence 设备授权码
* @param fingerprint 设备硬件指纹
* @param platformPublicKeyBase64 平台公钥Base64编码
* @return Base64编码的加密数据
*/
fun encryptDeviceInfo(
licence: String,
fingerprint: String,
platformPublicKeyBase64: String
): String {
// 1. 组装设备信息 JSON
val deviceInfo = mapOf(
"licence" to licence,
"fingerprint" to fingerprint
)
val deviceInfoJson = objectMapper.writeValueAsString(deviceInfo)
// 2. 加载平台公钥
val publicKeyBytes = Base64.getDecoder().decode(platformPublicKeyBase64)
val keySpec = X509EncodedKeySpec(publicKeyBytes)
val keyFactory = KeyFactory.getInstance("RSA")
val publicKey = keyFactory.generatePublic(keySpec)
// 3. 使用 RSA-OAEP 加密
val cipher = Cipher.getInstance(CIPHER_ALGORITHM)
cipher.init(Cipher.ENCRYPT_MODE, publicKey)
val encryptedBytes = cipher.doFinal(deviceInfoJson.toByteArray(StandardCharsets.UTF_8))
// 4. Base64 编码
return Base64.getEncoder().encodeToString(encryptedBytes)
}
}
```
### 3.6 C# 实现示例
```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
public class DeviceAuthorizationUtil
{
private const string CipherAlgorithm = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
/// <summary>
/// 使用平台公钥加密设备信息
/// </summary>
public static string EncryptDeviceInfo(
string licence,
string fingerprint,
string platformPublicKeyBase64)
{
// 1. 组装设备信息 JSON
var deviceInfo = new
{
licence = licence,
fingerprint = fingerprint
};
var deviceInfoJson = JsonSerializer.Serialize(deviceInfo);
// 2. 加载平台公钥
var publicKeyBytes = Convert.FromBase64String(platformPublicKeyBase64);
using var rsa = RSA.Create();
rsa.ImportSubjectPublicKeyInfo(publicKeyBytes, out _);
// 3. 使用 RSA-OAEP 加密
var encryptedBytes = rsa.Encrypt(
Encoding.UTF8.GetBytes(deviceInfoJson),
RSAEncryptionPadding.OaepSHA256
);
// 4. Base64 编码
return Convert.ToBase64String(encryptedBytes);
}
}
```
## 四、生成二维码
### 4.1 二维码内容
二维码内容就是加密后的 **Base64 编码字符串**(不是 JSON 格式)。
**示例**
```
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB...
```
### 4.2 二维码生成
使用标准的二维码生成库生成二维码图片。
**Python 示例(使用 qrcode 库)**
```python
import qrcode
from PIL import Image
def generate_qr_code(encrypted_data: str, output_path: str = "device_qr.png"):
"""
生成设备授权二维码
Args:
encrypted_data: Base64编码的加密数据
output_path: 二维码图片保存路径
"""
qr = qrcode.QRCode(
version=1, # 控制二维码大小1-40
error_correction=qrcode.constants.ERROR_CORRECT_M, # 错误纠正级别
box_size=10, # 每个小方块的像素数
border=4, # 边框的厚度
)
qr.add_data(encrypted_data)
qr.make(fit=True)
# 创建二维码图片
img = qr.make_image(fill_color="black", back_color="white")
img.save(output_path)
print(f"二维码已生成: {output_path}")
```
**Java/Kotlin 示例(使用 ZXing 库)**
```kotlin
import com.google.zxing.BarcodeFormat
import com.google.zxing.EncodeHintType
import com.google.zxing.qrcode.QRCodeWriter
import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
import java.awt.image.BufferedImage
import javax.imageio.ImageIO
import java.io.File
fun generateQRCode(encryptedData: String, outputPath: String = "device_qr.png") {
val hints = hashMapOf<EncodeHintType, Any>().apply {
put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
put(EncodeHintType.CHARACTER_SET, "UTF-8")
put(EncodeHintType.MARGIN, 1)
}
val writer = QRCodeWriter()
val bitMatrix = writer.encode(encryptedData, BarcodeFormat.QR_CODE, 300, 300, hints)
val width = bitMatrix.width
val height = bitMatrix.height
val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
for (x in 0 until width) {
for (y in 0 until height) {
image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
}
}
ImageIO.write(image, "PNG", File(outputPath))
println("二维码已生成: $outputPath")
}
```
## 五、完整流程示例
### 5.1 Python 完整示例
```python
import json
import base64
import qrcode
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
def generate_device_authorization_qr(
licence: str,
fingerprint: str,
platform_public_key_base64: str,
qr_output_path: str = "device_qr.png"
) -> str:
"""
生成设备授权二维码
Args:
licence: 设备授权码
fingerprint: 设备硬件指纹
platform_public_key_base64: 平台公钥Base64编码
qr_output_path: 二维码图片保存路径
Returns:
加密后的Base64字符串二维码内容
"""
# 1. 组装设备信息 JSON
device_info = {
"licence": licence,
"fingerprint": fingerprint
}
device_info_json = json.dumps(device_info, ensure_ascii=False)
print(f"设备信息 JSON: {device_info_json}")
# 2. 加载平台公钥
public_key_bytes = base64.b64decode(platform_public_key_base64)
public_key = serialization.load_der_public_key(
public_key_bytes,
backend=default_backend()
)
# 3. 使用 RSA-OAEP 加密
encrypted_bytes = public_key.encrypt(
device_info_json.encode('utf-8'),
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
# 4. Base64 编码
encrypted_base64 = base64.b64encode(encrypted_bytes).decode('utf-8')
print(f"加密后的 Base64: {encrypted_base64[:100]}...") # 只显示前100个字符
# 5. 生成二维码
qr = qrcode.QRCode(
version=1,
error_correction=qrcode.constants.ERROR_CORRECT_M,
box_size=10,
border=4,
)
qr.add_data(encrypted_base64)
qr.make(fit=True)
img = qr.make_image(fill_color="black", back_color="white")
img.save(qr_output_path)
print(f"二维码已生成: {qr_output_path}")
return encrypted_base64
# 使用示例
if __name__ == "__main__":
# 平台公钥(示例,实际使用时需要从平台获取)
platform_public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB"
# 设备信息
licence = "LIC-8F2A-XXXX"
fingerprint = "FP-2c91e9f3"
# 生成二维码
encrypted_data = generate_device_authorization_qr(
licence=licence,
fingerprint=fingerprint,
platform_public_key_base64=platform_public_key,
qr_output_path="device_authorization_qr.png"
)
print(f"\n二维码内容加密后的Base64:\n{encrypted_data}")
```
### 5.2 Java/Kotlin 完整示例
```kotlin
import com.fasterxml.jackson.databind.ObjectMapper
import com.google.zxing.BarcodeFormat
import com.google.zxing.EncodeHintType
import com.google.zxing.qrcode.QRCodeWriter
import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
import java.awt.image.BufferedImage
import java.security.KeyFactory
import java.security.PublicKey
import java.security.spec.X509EncodedKeySpec
import java.util.Base64
import javax.crypto.Cipher
import javax.imageio.ImageIO
import java.io.File
import java.nio.charset.StandardCharsets
object DeviceAuthorizationQRGenerator {
private const val CIPHER_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
private val objectMapper = ObjectMapper()
/**
* 生成设备授权二维码
*/
fun generateDeviceAuthorizationQR(
licence: String,
fingerprint: String,
platformPublicKeyBase64: String,
qrOutputPath: String = "device_qr.png"
): String {
// 1. 组装设备信息 JSON
val deviceInfo = mapOf(
"licence" to licence,
"fingerprint" to fingerprint
)
val deviceInfoJson = objectMapper.writeValueAsString(deviceInfo)
println("设备信息 JSON: $deviceInfoJson")
// 2. 加载平台公钥
val publicKeyBytes = Base64.getDecoder().decode(platformPublicKeyBase64)
val keySpec = X509EncodedKeySpec(publicKeyBytes)
val keyFactory = KeyFactory.getInstance("RSA")
val publicKey = keyFactory.generatePublic(keySpec)
// 3. 使用 RSA-OAEP 加密
val cipher = Cipher.getInstance(CIPHER_ALGORITHM)
cipher.init(Cipher.ENCRYPT_MODE, publicKey)
val encryptedBytes = cipher.doFinal(deviceInfoJson.toByteArray(StandardCharsets.UTF_8))
// 4. Base64 编码
val encryptedBase64 = Base64.getEncoder().encodeToString(encryptedBytes)
println("加密后的 Base64: ${encryptedBase64.take(100)}...")
// 5. 生成二维码
val hints = hashMapOf<EncodeHintType, Any>().apply {
put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
put(EncodeHintType.CHARACTER_SET, "UTF-8")
put(EncodeHintType.MARGIN, 1)
}
val writer = QRCodeWriter()
val bitMatrix = writer.encode(encryptedBase64, BarcodeFormat.QR_CODE, 300, 300, hints)
val width = bitMatrix.width
val height = bitMatrix.height
val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
for (x in 0 until width) {
for (y in 0 until height) {
image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
}
}
ImageIO.write(image, "PNG", File(qrOutputPath))
println("二维码已生成: $qrOutputPath")
return encryptedBase64
}
}
// 使用示例
fun main() {
// 平台公钥(示例,实际使用时需要从平台获取)
val platformPublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB"
// 设备信息
val licence = "LIC-8F2A-XXXX"
val fingerprint = "FP-2c91e9f3"
// 生成二维码
val encryptedData = DeviceAuthorizationQRGenerator.generateDeviceAuthorizationQR(
licence = licence,
fingerprint = fingerprint,
platformPublicKeyBase64 = platformPublicKey,
qrOutputPath = "device_authorization_qr.png"
)
println("\n二维码内容加密后的Base64:\n$encryptedData")
}
```
## 六、平台端验证流程
平台端会按以下流程验证:
1. **接收请求**App 扫描二维码后,将 `encryptedDeviceInfo``appid` 提交到平台
2. **RSA-OAEP 解密**:使用平台私钥解密 `encryptedDeviceInfo`
3. **提取设备信息**:从解密后的 JSON 中提取 `licence``fingerprint`
4. **设备验证**
- 检查 `filing_device_licence` 表中是否存在该 `licence`
- 如果存在,验证 `fingerprint` 是否匹配
- 如果 `fingerprint` 不匹配,记录非法授权日志并返回错误
5. **App 绑定**:检查 `filing_app_licence` 表中是否存在绑定关系
- 如果不存在,创建新的绑定记录
- 如果已存在,返回已绑定信息
6. **返回响应**:返回 `deviceLicenceId``licence`
## 七、常见错误和注意事项
### 7.1 加密失败
**可能原因**
1. **公钥格式错误**:确保使用正确的 Base64 编码的公钥
2. **算法不匹配**:必须使用 `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
3. **数据长度超限**RSA-2048 最多加密 245 字节(设备信息 JSON 通常不会超过)
4. **字符编码错误**:确保使用 UTF-8 编码
### 7.2 二维码扫描失败
**可能原因**
1. **二维码内容过长**如果加密后的数据过长可能需要使用更高版本的二维码version
2. **错误纠正级别过低**:建议使用 `ERROR_CORRECT_M` 或更高
3. **二维码图片质量差**:确保二维码图片清晰,有足够的对比度
### 7.3 平台验证失败
**可能原因**
1. **licence 已存在但 fingerprint 不匹配**:设备被替换或授权码被复用
2. **JSON 格式错误**:确保 JSON 格式正确,字段名和类型匹配
3. **加密数据损坏**:确保 Base64 编码和解码正确
## 八、安全设计说明
### 8.1 为什么使用 RSA-OAEP
1. **非对称加密**:只有平台拥有私钥,可以解密数据
2. **OAEP 填充**:提供更好的安全性,防止某些攻击
3. **SHA-256**:使用强哈希算法,提供更好的安全性
### 8.2 为什么第三方无法伪造
1. **只有平台能解密**:第三方无法获取平台私钥,无法解密数据
2. **fingerprint 验证**:平台会验证硬件指纹,防止授权码被复用
3. **非法授权日志**:平台会记录所有非法授权尝试
## 九、测试建议
1. **单元测试**
- 测试 JSON 生成是否正确
- 测试加密和解密是否匹配
- 测试 Base64 编码和解码是否正确
2. **集成测试**
- 使用真实平台公钥生成二维码
- App 扫描二维码并提交到平台
- 验证平台是否能正确解密和验证
3. **边界测试**
- 测试超长的 licence 或 fingerprint
- 测试特殊字符的处理
- 测试错误的公钥格式
## 十、参考实现
- **Python**`cryptography`RSA 加密)、`qrcode` 库(二维码生成)
- **Java/Kotlin**JDK `javax.crypto`RSA 加密、ZXing 库(二维码生成)
- **C#**`System.Security.Cryptography`RSA 加密、ZXing.Net 库(二维码生成)
## 十一、联系支持
如有问题,请联系平台技术支持团队获取:
- 平台公钥Base64 编码)
- 测试环境地址
- 技术支持

3
mise.toml
View File

@@ -1,4 +1,3 @@
[tools] [tools]
node = "latest"
bun = "1" bun = "1"
rust = 'latest' node = "24"

86
package.json
View File

@@ -10,56 +10,62 @@
"scripts": { "scripts": {
"build": "turbo run build", "build": "turbo run build",
"compile": "turbo run compile", "compile": "turbo run compile",
"deploy": "turbo run deploy", "compile:darwin": "turbo run compile:darwin",
"compile:linux": "turbo run compile:linux",
"compile:windows": "turbo run compile:windows",
"dev": "turbo run dev", "dev": "turbo run dev",
"dist": "turbo run dist",
"dist:linux": "turbo run dist:linux",
"dist:mac": "turbo run dist:mac",
"dist:win": "turbo run dist:win",
"fix": "turbo run fix", "fix": "turbo run fix",
"typecheck": "turbo run typecheck" "typecheck": "turbo run typecheck"
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "^2.3.12", "@biomejs/biome": "^2.4.5",
"turbo": "^2.7.6" "turbo": "^2.8.13",
"typescript": "^5.9.3"
}, },
"catalog": { "catalog": {
"@biomejs/biome": "^2.3.11", "@orpc/client": "^1.13.6",
"@effect/platform": "^0.94.2", "@orpc/contract": "^1.13.6",
"@effect/schema": "^0.75.5", "@orpc/openapi": "^1.13.6",
"@isaacs/ttlcache": "^2.1.4", "@orpc/server": "^1.13.6",
"@orpc/client": "^1.13.4", "@orpc/tanstack-query": "^1.13.6",
"@orpc/contract": "^1.13.4", "@orpc/zod": "^1.13.6",
"@orpc/openapi": "^1.13.4",
"@orpc/server": "^1.13.4",
"@orpc/tanstack-query": "^1.13.4",
"@orpc/zod": "^1.13.4",
"@t3-oss/env-core": "^0.13.10", "@t3-oss/env-core": "^0.13.10",
"@tailwindcss/vite": "^4.1.18", "@tailwindcss/vite": "^4.2.1",
"@tanstack/devtools-vite": "^0.4.1", "@tanstack/devtools-vite": "^0.5.3",
"@tanstack/react-devtools": "^0.9.2", "@tanstack/react-devtools": "^0.9.9",
"@tanstack/react-query": "^5.90.20", "@tanstack/react-query": "^5.90.21",
"@tanstack/react-query-devtools": "^5.91.2", "@tanstack/react-query-devtools": "^5.91.3",
"@tanstack/react-router": "^1.157.14", "@tanstack/react-router": "^1.166.2",
"@tanstack/react-router-devtools": "^1.157.14", "@tanstack/react-router-devtools": "^1.166.2",
"@tanstack/react-router-ssr-query": "^1.157.14", "@tanstack/react-router-ssr-query": "^1.166.2",
"@tanstack/react-start": "^1.157.14", "@tanstack/react-start": "^1.166.2",
"@types/better-sqlite3": "^7.6.12", "@types/bun": "^1.3.10",
"@types/bun": "^1.3.6", "@types/node": "^24.11.0",
"@vitejs/plugin-react": "^5.1.2", "@vitejs/plugin-react": "^5.1.4",
"babel-plugin-react-compiler": "^1.0.0", "babel-plugin-react-compiler": "^1.0.0",
"drizzle-kit": "^0.31.8", "drizzle-kit": "1.0.0-beta.15-859cf75",
"drizzle-orm": "^0.45.1", "drizzle-orm": "1.0.0-beta.15-859cf75",
"drizzle-zod": "^0.8.3", "electron": "^34.0.0",
"effect": "^3.19.15", "electron-builder": "^26.8.1",
"nitro": "npm:nitro-nightly@3.0.1-20260125-215009-8882bc9e", "electron-vite": "^5.0.0",
"ohash": "^2.0.11", "jszip": "^3.10.1",
"better-sqlite3": "^11.8.1", "motion": "^12.35.0",
"react": "^19.2.3", "nitro": "npm:nitro-nightly@3.0.1-20260227-181935-bfbb207c",
"react-dom": "^19.2.3", "openpgp": "^6.0.1",
"tailwindcss": "^4.1.18", "react": "^19.2.4",
"turbo": "^2.7.5", "react-dom": "^19.2.4",
"typescript": "^5.9.3", "tailwindcss": "^4.2.1",
"tree-kill": "^1.2.2",
"uuid": "^13.0.0", "uuid": "^13.0.0",
"systeminformation": "^5.30.6", "vite": "^8.0.0-beta.16",
"vite": "^8.0.0-beta.10", "vite-tsconfig-paths": "^6.1.1",
"vite-tsconfig-paths": "^6.0.5",
"zod": "^4.3.6" "zod": "^4.3.6"
},
"overrides": {
"@types/node": "catalog:"
} }
} }

16
packages/crypto/package.json Normal file
View File

@@ -0,0 +1,16 @@
{
"name": "@furtherverse/crypto",
"version": "1.0.0",
"private": true,
"type": "module",
"exports": {
".": "./src/index.ts"
},
"dependencies": {
"openpgp": "catalog:"
},
"devDependencies": {
"@furtherverse/tsconfig": "workspace:*",
"@types/bun": "catalog:"
}
}

53
packages/crypto/src/aes-gcm.ts Normal file
View File

@@ -0,0 +1,53 @@
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
const GCM_IV_LENGTH = 12 // 96 bits
const GCM_TAG_LENGTH = 16 // 128 bits
const ALGORITHM = 'aes-256-gcm'
/**
* AES-256-GCM encrypt.
*
* Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
*
* @param plaintext - UTF-8 string to encrypt
* @param key - 32-byte AES key
* @returns Base64-encoded encrypted data
*/
export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
const iv = randomBytes(GCM_IV_LENGTH)
const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
const tag = cipher.getAuthTag()
// Layout: IV + ciphertext + tag
const combined = Buffer.concat([iv, encrypted, tag])
return combined.toString('base64')
}
/**
* AES-256-GCM decrypt.
*
* Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
*
* @param encryptedBase64 - Base64-encoded encrypted data
* @param key - 32-byte AES key
* @returns Decrypted UTF-8 string
*/
export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
const data = Buffer.from(encryptedBase64, 'base64')
if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
throw new Error('Encrypted data too short: must contain IV + tag at minimum')
}
const iv = data.subarray(0, GCM_IV_LENGTH)
const tag = data.subarray(data.length - GCM_TAG_LENGTH)
const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
decipher.setAuthTag(tag)
const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
return decrypted.toString('utf-8')
}

15
packages/crypto/src/hash.ts Normal file
View File

@@ -0,0 +1,15 @@
import { createHash } from 'node:crypto'
/**
* Compute SHA-256 hash and return raw Buffer.
*/
export const sha256 = (data: string | Buffer): Buffer => {
return createHash('sha256').update(data).digest()
}
/**
* Compute SHA-256 hash and return lowercase hex string.
*/
export const sha256Hex = (data: string | Buffer): string => {
return createHash('sha256').update(data).digest('hex')
}

15
packages/crypto/src/hkdf.ts Normal file
View File

@@ -0,0 +1,15 @@
import { hkdfSync } from 'node:crypto'
/**
* Derive a key using HKDF-SHA256.
*
* @param ikm - Input keying material (string, will be UTF-8 encoded)
* @param salt - Salt value (string, will be UTF-8 encoded)
* @param info - Info/context string (will be UTF-8 encoded)
* @param length - Output key length in bytes (default: 32 for AES-256)
* @returns Derived key as Buffer
*/
export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
const derived = hkdfSync('sha256', ikm, salt, info, length)
return Buffer.from(derived)
}

23
packages/crypto/src/hmac.ts Normal file
View File

@@ -0,0 +1,23 @@
import { createHmac } from 'node:crypto'
/**
* Compute HMAC-SHA256 and return Base64-encoded signature.
*
* @param key - HMAC key (Buffer)
* @param data - Data to sign (UTF-8 string)
* @returns Base64-encoded HMAC-SHA256 signature
*/
export const hmacSha256Base64 = (key: Buffer, data: string): string => {
return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
}
/**
* Compute HMAC-SHA256 and return raw Buffer.
*
* @param key - HMAC key (Buffer)
* @param data - Data to sign (UTF-8 string)
* @returns HMAC-SHA256 digest as Buffer
*/
export const hmacSha256 = (key: Buffer, data: string): Buffer => {
return createHmac('sha256', key).update(data, 'utf-8').digest()
}

6
packages/crypto/src/index.ts Normal file
View File

@@ -0,0 +1,6 @@
export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
export { sha256, sha256Hex } from './hash'
export { hkdfSha256 } from './hkdf'
export { hmacSha256, hmacSha256Base64 } from './hmac'
export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached } from './pgp'
export { rsaOaepEncrypt } from './rsa-oaep'

Some files were not shown because too many files have changed in this diff Show More