fix(db): 修正 drizzle-kit 在 Bun SQLite 下的配置与脚本

refactor(api): signAndPackReport 直接返回签名 ZIP 文件
docs: 新增第三方 OpenAPI 对接指南
2026-03-05 16:59:25 +08:00 · 2026-03-05 16:58:59 +08:00 · 2026-03-05 16:44:01 +08:00 · 2026-03-05 16:43:53 +08:00 · 2026-03-05 16:32:49 +08:00 · 2026-03-05 16:32:41 +08:00
43 changed files with 3875 additions and 353 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,11 @@
 # Bun build
 *.bun-build
 # SQLite database files
 *.db
 *.db-wal
 *.db-shm
 # Turborepo
 .turbo/
--- a/apps/server/.env.example
+++ b/apps/server/.env.example
@@ -1 +1 @@
-DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
+DATABASE_PATH=data.db
--- a/apps/server/drizzle.config.ts
+++ b/apps/server/drizzle.config.ts
@@ -1,11 +1,12 @@
 import { defineConfig } from 'drizzle-kit'
-import { env } from '@/env'
+
 const databasePath = process.env.DATABASE_PATH ?? 'data.db'
 export default defineConfig({
  out: './drizzle',
  schema: './src/server/db/schema/index.ts',
-  dialect: 'postgresql',
+  dialect: 'sqlite',
  dbCredentials: {
-    url: env.DATABASE_URL,
+    url: databasePath,
  },
 })
--- a/apps/server/package.json
+++ b/apps/server/package.json
@@ -14,15 +14,16 @@
    "compile:linux:x64": "bun compile.ts --target bun-linux-x64",
    "compile:windows": "bun run compile:windows:x64",
    "compile:windows:x64": "bun compile.ts --target bun-windows-x64",
-    "db:generate": "drizzle-kit generate",
+    "db:generate": "bun --bun drizzle-kit generate",
-    "db:migrate": "drizzle-kit migrate",
+    "db:migrate": "bun --bun drizzle-kit migrate",
-    "db:push": "drizzle-kit push",
+    "db:push": "bun --bun drizzle-kit push",
-    "db:studio": "drizzle-kit studio",
+    "db:studio": "bun --bun drizzle-kit studio",
    "dev": "bunx --bun vite dev",
    "fix": "biome check --write",
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
    "@furtherverse/crypto": "workspace:*",
    "@orpc/client": "catalog:",
    "@orpc/contract": "catalog:",
    "@orpc/openapi": "catalog:",
@@ -35,7 +36,7 @@
    "@tanstack/react-router-ssr-query": "catalog:",
    "@tanstack/react-start": "catalog:",
    "drizzle-orm": "catalog:",
-    "postgres": "catalog:",
+    "jszip": "catalog:",
    "react": "catalog:",
    "react-dom": "catalog:",
    "uuid": "catalog:",
--- a/apps/server/src/client/orpc.ts
+++ b/apps/server/src/client/orpc.ts
@@ -24,30 +24,4 @@ const getORPCClient = createIsomorphicFn()
 const client: RouterClient = getORPCClient()
-export const orpc = createTanstackQueryUtils(client, {
+export const orpc = createTanstackQueryUtils(client)
  experimental_defaults: {
    todo: {
      create: {
        mutationOptions: {
          onSuccess: (_, __, ___, ctx) => {
            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
          },
        },
      },
      update: {
        mutationOptions: {
          onSuccess: (_, __, ___, ctx) => {
            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
          },
        },
      },
      remove: {
        mutationOptions: {
          onSuccess: (_, __, ___, ctx) => {
            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
          },
        },
      },
    },
  },
 })
--- a/apps/server/src/env.ts
+++ b/apps/server/src/env.ts
@@ -3,7 +3,7 @@ import { z } from 'zod'
 export const env = createEnv({
  server: {
-    DATABASE_URL: z.url(),
+    DATABASE_PATH: z.string().min(1).default('data.db'),
  },
  clientPrefix: 'VITE_',
  client: {
--- a/apps/server/src/routes/api/$.ts
+++ b/apps/server/src/routes/api/$.ts
@@ -16,6 +16,7 @@ const handler = new OpenAPIHandler(router, {
        info: {
          title: name,
          version,
          description: 'UX 授权服务 OpenAPI 文档：设备授权、任务解密、摘要加密与报告签名打包接口。',
        },
      },
      docsPath: '/docs',
--- a/apps/server/src/routes/index.tsx
+++ b/apps/server/src/routes/index.tsx
@@ -1,192 +1,20 @@
 import { useMutation, useSuspenseQuery } from '@tanstack/react-query'
 import { createFileRoute } from '@tanstack/react-router'
 import type { ChangeEventHandler, SubmitEventHandler } from 'react'
 import { useState } from 'react'
 import { orpc } from '@/client/orpc'
 export const Route = createFileRoute('/')({
-  component: Todos,
+  component: Home,
  loader: async ({ context }) => {
    await context.queryClient.ensureQueryData(orpc.todo.list.queryOptions())
  },
 })
-function Todos() {
+function Home() {
  const [newTodoTitle, setNewTodoTitle] = useState('')
  const listQuery = useSuspenseQuery(orpc.todo.list.queryOptions())
  const createMutation = useMutation(orpc.todo.create.mutationOptions())
  const updateMutation = useMutation(orpc.todo.update.mutationOptions())
  const deleteMutation = useMutation(orpc.todo.remove.mutationOptions())
  const handleCreateTodo: SubmitEventHandler<HTMLFormElement> = (e) => {
    e.preventDefault()
    if (newTodoTitle.trim()) {
      createMutation.mutate({ title: newTodoTitle.trim() })
      setNewTodoTitle('')
    }
  }
  const handleInputChange: ChangeEventHandler<HTMLInputElement> = (e) => {
    setNewTodoTitle(e.target.value)
  }
  const handleToggleTodo = (id: string, currentCompleted: boolean) => {
    updateMutation.mutate({
      id,
      data: { completed: !currentCompleted },
    })
  }
  const handleDeleteTodo = (id: string) => {
    deleteMutation.mutate({ id })
  }
  const todos = listQuery.data
  const completedCount = todos.filter((todo) => todo.completed).length
  const totalCount = todos.length
  const progress = totalCount > 0 ? (completedCount / totalCount) * 100 : 0
  return (
-    <div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans">
+    <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
-      <div className="max-w-2xl mx-auto space-y-8">
+      <div className="text-center space-y-4">
-        {/* Header */}
+        <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
-        <div className="flex items-end justify-between">
+        <p className="text-slate-500">
-          <div>
+          API:&nbsp;
-            <h1 className="text-3xl font-bold text-slate-900 tracking-tight">我的待办</h1>
+          <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
-            <p className="text-slate-500 mt-1">保持专注，逐个击破</p>
+            /api
-          </div>
+          </a>
-          <div className="text-right">
+        </p>
            <div className="text-2xl font-semibold text-slate-900">
              {completedCount}
              <span className="text-slate-400 text-lg">/{totalCount}</span>
            </div>
            <div className="text-xs font-medium text-slate-400 uppercase tracking-wider">已完成</div>
          </div>
        </div>
        {/* Add Todo Form */}
        <form onSubmit={handleCreateTodo} className="relative group z-10">
          <div className="relative transform transition-all duration-200 focus-within:-translate-y-1">
            <input
              type="text"
              value={newTodoTitle}
              onChange={handleInputChange}
              placeholder="添加新任务..."
              className="w-full pl-6 pr-32 py-5 bg-white rounded-2xl shadow-[0_8px_30px_rgb(0,0,0,0.04)] border-0 ring-1 ring-slate-100 focus:ring-2 focus:ring-indigo-500/50 outline-none transition-all placeholder:text-slate-400 text-lg text-slate-700"
              disabled={createMutation.isPending}
            />
            <button
              type="submit"
              disabled={createMutation.isPending || !newTodoTitle.trim()}
              className="absolute right-3 top-3 bottom-3 px-6 bg-indigo-600 hover:bg-indigo-700 text-white rounded-xl font-medium transition-all shadow-md shadow-indigo-200 disabled:opacity-50 disabled:shadow-none hover:shadow-lg hover:shadow-indigo-300 active:scale-95"
            >
              {createMutation.isPending ? '添加中' : '添加'}
            </button>
          </div>
        </form>
        {/* Progress Bar (Only visible when there are tasks) */}
        {totalCount > 0 && (
          <div className="h-1.5 w-full bg-slate-200 rounded-full overflow-hidden">
            <div
              className="h-full bg-indigo-500 transition-all duration-500 ease-out rounded-full"
              style={{ width: `${progress}%` }}
            />
          </div>
        )}
        {/* Todo List */}
        <div className="space-y-3">
          {todos.length === 0 ? (
            <div className="py-20 text-center">
              <div className="inline-flex items-center justify-center w-16 h-16 rounded-full bg-slate-100 mb-4">
                <svg
                  className="w-8 h-8 text-slate-400"
                  fill="none"
                  viewBox="0 0 24 24"
                  stroke="currentColor"
                  aria-hidden="true"
                >
                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
                </svg>
              </div>
              <p className="text-slate-500 text-lg font-medium">没有待办事项</p>
              <p className="text-slate-400 text-sm mt-1">输入上方内容添加您的第一个任务</p>
            </div>
          ) : (
            todos.map((todo) => (
              <div
                key={todo.id}
                className={`group relative flex items-center p-4 bg-white rounded-xl border border-slate-100 shadow-sm transition-all duration-200 hover:shadow-md hover:border-slate-200 ${
                  todo.completed ? 'bg-slate-50/50' : ''
                }`}
              >
                <button
                  type="button"
                  onClick={() => handleToggleTodo(todo.id, todo.completed)}
                  className={`flex-shrink-0 w-6 h-6 rounded-full border-2 transition-all duration-200 flex items-center justify-center mr-4 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 ${
                    todo.completed
                      ? 'bg-indigo-500 border-indigo-500'
                      : 'border-slate-300 hover:border-indigo-500 bg-white'
                  }`}
                >
                  {todo.completed && (
                    <svg
                      className="w-3.5 h-3.5 text-white"
                      fill="none"
                      viewBox="0 0 24 24"
                      stroke="currentColor"
                      strokeWidth={3}
                      aria-hidden="true"
                    >
                      <path strokeLinecap="round" strokeLinejoin="round" d="M5 13l4 4L19 7" />
                    </svg>
                  )}
                </button>
                <div className="flex-1 min-w-0">
                  <p
                    className={`text-lg transition-all duration-200 truncate ${
                      todo.completed
                        ? 'text-slate-400 line-through decoration-slate-300 decoration-2'
                        : 'text-slate-700'
                    }`}
                  >
                    {todo.title}
                  </p>
                </div>
                <div className="flex items-center opacity-0 group-hover:opacity-100 transition-opacity duration-200 absolute right-4 pl-4 bg-gradient-to-l from-white via-white to-transparent sm:static sm:bg-none">
                  <span className="text-xs text-slate-400 mr-3 hidden sm:inline-block">
                    {new Date(todo.createdAt).toLocaleDateString('zh-CN')}
                  </span>
                  <button
                    type="button"
                    onClick={() => handleDeleteTodo(todo.id)}
                    className="p-2 text-slate-400 hover:text-red-500 hover:bg-red-50 rounded-lg transition-colors focus:outline-none"
                    title="删除"
                  >
                    <svg
                      className="w-5 h-5"
                      fill="none"
                      viewBox="0 0 24 24"
                      stroke="currentColor"
                      strokeWidth={1.5}
                      aria-hidden="true"
                    >
                      <path
                        strokeLinecap="round"
                        strokeLinejoin="round"
                        d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"
                      />
                    </svg>
                  </button>
                </div>
              </div>
            ))
          )}
        </div>
      </div>
    </div>
  )
--- a/apps/server/src/server/api/contracts/crypto.contract.ts
+++ b/apps/server/src/server/api/contracts/crypto.contract.ts
@@ -0,0 +1,99 @@
 import { oc } from '@orpc/contract'
 import { z } from 'zod'
 export const encryptDeviceInfo = oc
  .route({
    method: 'POST',
    path: '/crypto/encrypt-device-info',
    operationId: 'encryptDeviceInfo',
    summary: '生成设备授权密文',
    description:
      '按 deviceId 查询已注册设备，使用设备记录中的 platformPublicKey 对 {licence, fingerprint} 做 RSA-OAEP 加密，返回 Base64 密文。',
    tags: ['Crypto'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
    }),
  )
  .output(
    z.object({
      encrypted: z.string().describe('Base64 密文（用于设备授权二维码）'),
    }),
  )
 export const decryptTask = oc
  .route({
    method: 'POST',
    path: '/crypto/decrypt-task',
    operationId: 'decryptTask',
    summary: '解密任务二维码',
    description:
      '按 deviceId 查询已注册设备，使用 UTF-8 编码下的 licence 与 fingerprint 直接拼接（无分隔符）后取 SHA256 作为 AES-256-GCM 密钥解密任务密文。',
    tags: ['Crypto'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
      encryptedData: z.string().min(1).describe('任务二维码中的 Base64 密文'),
    }),
  )
  .output(
    z.object({
      taskId: z.string().describe('任务 ID'),
      enterpriseId: z.string().describe('企业 ID'),
      orgName: z.string().describe('单位名称'),
      inspectionId: z.string().describe('检查 ID'),
      inspectionPerson: z.string().describe('检查人'),
      issuedAt: z.number().describe('任务发布时间戳（毫秒）'),
    }),
  )
 export const encryptSummary = oc
  .route({
    method: 'POST',
    path: '/crypto/encrypt-summary',
    operationId: 'encryptSummary',
    summary: '加密摘要二维码内容',
    description: '按 deviceId 查询已注册设备，使用 HKDF-SHA256 + AES-256-GCM 加密摘要信息，返回二维码 JSON 字符串。',
    tags: ['Crypto'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
      taskId: z.string().min(1).describe('任务 ID'),
      enterpriseId: z.string().min(1).describe('企业 ID'),
      inspectionId: z.string().min(1).describe('检查 ID'),
      summary: z.string().min(1).describe('摘要明文'),
    }),
  )
  .output(
    z.object({
      qrContent: z.string().describe('二维码内容 JSON：{"taskId":"...","encrypted":"..."}'),
    }),
  )
 export const signAndPackReport = oc
  .route({
    method: 'POST',
    path: '/crypto/sign-and-pack-report',
    operationId: 'signAndPackReport',
    summary: '签名并打包报告 ZIP',
    description:
      '接收原始 ZIP（multipart/form-data 文件字段 rawZip），由 UX 生成 summary.json、manifest.json、signature.asc，并直接返回签名后 ZIP 二进制文件。',
    tags: ['Crypto', 'Report'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
      taskId: z.string().min(1).describe('任务 ID'),
      enterpriseId: z.string().min(1).describe('企业 ID'),
      inspectionId: z.string().min(1).describe('检查 ID'),
      summary: z.string().min(1).describe('检查摘要明文'),
      rawZip: z
        .file()
        .mime(['application/zip', 'application/x-zip-compressed'])
        .describe('原始报告 ZIP 文件（multipart/form-data 字段）'),
    }),
  )
  .output(z.file().describe('签名后报告 ZIP 文件（二进制响应）'))
--- a/apps/server/src/server/api/contracts/device.contract.ts
+++ b/apps/server/src/server/api/contracts/device.contract.ts
@@ -0,0 +1,46 @@
 import { oc } from '@orpc/contract'
 import { z } from 'zod'
 const deviceOutput = z.object({
  id: z.string().describe('设备主键 ID'),
  licence: z.string().describe('设备授权码 licence'),
  fingerprint: z.string().describe('UX 计算并持久化的设备指纹'),
  platformPublicKey: z.string().describe('平台公钥（Base64，SPKI DER）'),
  pgpPublicKey: z.string().nullable().describe('设备 OpenPGP 公钥（ASCII armored）'),
  createdAt: z.date().describe('记录创建时间'),
  updatedAt: z.date().describe('记录更新时间'),
 })
 export const register = oc
  .route({
    method: 'POST',
    path: '/device/register',
    operationId: 'deviceRegister',
    summary: '注册设备',
    description: '注册 licence 与平台公钥，指纹由 UX 本机计算，返回设备信息。',
    tags: ['Device'],
  })
  .input(
    z.object({
      licence: z.string().min(1).describe('设备授权码 licence'),
      platformPublicKey: z.string().min(1).describe('平台公钥（Base64，SPKI DER）'),
    }),
  )
  .output(deviceOutput)
 export const get = oc
  .route({
    method: 'POST',
    path: '/device/get',
    operationId: 'deviceGet',
    summary: '查询设备',
    description: '按 id 或 licence 查询设备信息。',
    tags: ['Device'],
  })
  .input(
    z.object({
      id: z.string().optional().describe('设备 ID，与 licence 二选一'),
      licence: z.string().optional().describe('设备授权码，与 id 二选一'),
    }),
  )
  .output(deviceOutput)
--- a/apps/server/src/server/api/contracts/index.ts
+++ b/apps/server/src/server/api/contracts/index.ts
@@ -1,7 +1,11 @@
-import * as todo from './todo.contract'
+import * as crypto from './crypto.contract'
 import * as device from './device.contract'
 import * as task from './task.contract'
 export const contract = {
-  todo,
+  device,
  crypto,
  task,
 }
 export type Contract = typeof contract
--- a/apps/server/src/server/api/contracts/task.contract.ts
+++ b/apps/server/src/server/api/contracts/task.contract.ts
@@ -0,0 +1,71 @@
 import { oc } from '@orpc/contract'
 import { z } from 'zod'
 const taskOutput = z.object({
  id: z.string().describe('任务记录 ID'),
  deviceId: z.string().describe('设备 ID'),
  taskId: z.string().describe('任务业务 ID'),
  enterpriseId: z.string().nullable().describe('企业 ID'),
  orgName: z.string().nullable().describe('单位名称'),
  inspectionId: z.string().nullable().describe('检查 ID'),
  inspectionPerson: z.string().nullable().describe('检查人'),
  issuedAt: z.date().nullable().describe('任务发布时间（ISO date-time；由毫秒时间戳转换后存储）'),
  status: z.enum(['pending', 'in_progress', 'done']).describe('任务状态'),
  createdAt: z.date().describe('记录创建时间'),
  updatedAt: z.date().describe('记录更新时间'),
 })
 export const save = oc
  .route({
    method: 'POST',
    path: '/task/save',
    operationId: 'taskSave',
    summary: '保存任务',
    description: '保存解密后的任务信息到 UX 数据库。',
    tags: ['Task'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
      taskId: z.string().min(1).describe('任务 ID'),
      enterpriseId: z.string().optional().describe('企业 ID'),
      orgName: z.string().optional().describe('单位名称'),
      inspectionId: z.string().optional().describe('检查 ID'),
      inspectionPerson: z.string().optional().describe('检查人'),
      issuedAt: z.number().optional().describe('任务发布时间戳（毫秒）'),
    }),
  )
  .output(taskOutput)
 export const list = oc
  .route({
    method: 'POST',
    path: '/task/list',
    operationId: 'taskList',
    summary: '查询任务列表',
    description: '按设备 ID 查询任务列表。',
    tags: ['Task'],
  })
  .input(
    z.object({
      deviceId: z.string().min(1).describe('设备 ID'),
    }),
  )
  .output(z.array(taskOutput))
 export const updateStatus = oc
  .route({
    method: 'POST',
    path: '/task/update-status',
    operationId: 'taskUpdateStatus',
    summary: '更新任务状态',
    description: '按记录 ID 更新任务状态。',
    tags: ['Task'],
  })
  .input(
    z.object({
      id: z.string().min(1).describe('任务记录 ID'),
      status: z.enum(['pending', 'in_progress', 'done']).describe('目标状态'),
    }),
  )
  .output(taskOutput)
--- a/apps/server/src/server/api/contracts/todo.contract.ts
+++ b/apps/server/src/server/api/contracts/todo.contract.ts
@@ -1,32 +0,0 @@
 import { oc } from '@orpc/contract'
 import { createInsertSchema, createSelectSchema, createUpdateSchema } from 'drizzle-orm/zod'
 import { z } from 'zod'
 import { generatedFieldKeys } from '@/server/db/fields'
 import { todoTable } from '@/server/db/schema'
 const selectSchema = createSelectSchema(todoTable)
 const insertSchema = createInsertSchema(todoTable).omit(generatedFieldKeys)
 const updateSchema = createUpdateSchema(todoTable).omit(generatedFieldKeys)
 export const list = oc.input(z.void()).output(z.array(selectSchema))
 export const create = oc.input(insertSchema).output(selectSchema)
 export const update = oc
  .input(
    z.object({
      id: z.uuid(),
      data: updateSchema,
    }),
  )
  .output(selectSchema)
 export const remove = oc
  .input(
    z.object({
      id: z.uuid(),
    }),
  )
  .output(z.void())
--- a/apps/server/src/server/api/routers/crypto.router.ts
+++ b/apps/server/src/server/api/routers/crypto.router.ts
@@ -0,0 +1,307 @@
 import {
  aesGcmDecrypt,
  aesGcmEncrypt,
  hkdfSha256,
  hmacSha256Base64,
  pgpSignDetached,
  rsaOaepEncrypt,
  sha256,
  sha256Hex,
 } from '@furtherverse/crypto'
 import { ORPCError } from '@orpc/server'
 import type { JSZipObject } from 'jszip'
 import JSZip from 'jszip'
 import { z } from 'zod'
 import { db } from '../middlewares'
 import { os } from '../server'
 interface DeviceRow {
  id: string
  licence: string
  fingerprint: string
  platformPublicKey: string
  pgpPrivateKey: string | null
  pgpPublicKey: string | null
 }
 interface ReportFiles {
  assets: Uint8Array
  vulnerabilities: Uint8Array
  weakPasswords: Uint8Array
  reportHtml: Uint8Array
  reportHtmlName: string
 }
 const MAX_RAW_ZIP_BYTES = 50 * 1024 * 1024
 const MAX_SINGLE_FILE_BYTES = 20 * 1024 * 1024
 const MAX_TOTAL_UNCOMPRESSED_BYTES = 60 * 1024 * 1024
 const MAX_ZIP_ENTRIES = 32
 const taskPayloadSchema = z.object({
  taskId: z.string().min(1),
  enterpriseId: z.string().min(1),
  orgName: z.string().min(1),
  inspectionId: z.string().min(1),
  inspectionPerson: z.string().min(1),
  issuedAt: z.number(),
 })
 const normalizePath = (name: string): string => name.replaceAll('\\', '/')
 const isUnsafePath = (name: string): boolean => {
  const normalized = normalizePath(name)
  const segments = normalized.split('/')
  return (
    normalized.startsWith('/') ||
    normalized.includes('\u0000') ||
    segments.some((segment) => segment === '..' || segment.trim().length === 0)
  )
 }
 const getBaseName = (name: string): string => {
  const normalized = normalizePath(name)
  const parts = normalized.split('/')
  return parts.at(-1) ?? normalized
 }
 const getRequiredReportFiles = async (rawZip: JSZip): Promise<ReportFiles> => {
  let assets: Uint8Array | null = null
  let vulnerabilities: Uint8Array | null = null
  let weakPasswords: Uint8Array | null = null
  let reportHtml: Uint8Array | null = null
  let reportHtmlName: string | null = null
  const entries = Object.values(rawZip.files) as JSZipObject[]
  if (entries.length > MAX_ZIP_ENTRIES) {
    throw new ORPCError('BAD_REQUEST', {
      message: `Zip contains too many entries: ${entries.length}`,
    })
  }
  let totalUncompressedBytes = 0
  for (const entry of entries) {
    if (entry.dir) {
      continue
    }
    if (isUnsafePath(entry.name)) {
      throw new ORPCError('BAD_REQUEST', {
        message: `Zip contains unsafe entry path: ${entry.name}`,
      })
    }
    const content = await entry.async('uint8array')
    if (content.byteLength > MAX_SINGLE_FILE_BYTES) {
      throw new ORPCError('BAD_REQUEST', {
        message: `Zip entry too large: ${entry.name}`,
      })
    }
    totalUncompressedBytes += content.byteLength
    if (totalUncompressedBytes > MAX_TOTAL_UNCOMPRESSED_BYTES) {
      throw new ORPCError('BAD_REQUEST', {
        message: 'Zip total uncompressed content exceeds max size limit',
      })
    }
    const fileName = getBaseName(entry.name)
    const lowerFileName = fileName.toLowerCase()
    if (lowerFileName === 'assets.json') {
      if (assets) {
        throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate assets.json' })
      }
      assets = content
      continue
    }
    if (lowerFileName === 'vulnerabilities.json') {
      if (vulnerabilities) {
        throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate vulnerabilities.json' })
      }
      vulnerabilities = content
      continue
    }
    if (lowerFileName === 'weakpasswords.json') {
      if (weakPasswords) {
        throw new ORPCError('BAD_REQUEST', { message: 'Zip contains duplicate weakPasswords.json' })
      }
      weakPasswords = content
      continue
    }
    if (fileName.includes('漏洞评估报告') && lowerFileName.endsWith('.html')) {
      if (reportHtml) {
        throw new ORPCError('BAD_REQUEST', {
          message: 'Zip contains multiple 漏洞评估报告*.html files',
        })
      }
      reportHtml = content
      reportHtmlName = fileName
    }
  }
  if (!assets || !vulnerabilities || !weakPasswords || !reportHtml || !reportHtmlName) {
    throw new ORPCError('BAD_REQUEST', {
      message:
        'Zip missing required files. Required: assets.json, vulnerabilities.json, weakPasswords.json, and 漏洞评估报告*.html',
    })
  }
  return {
    assets,
    vulnerabilities,
    weakPasswords,
    reportHtml,
    reportHtmlName,
  }
 }
 const getDevice = async (
  context: {
    db: { query: { deviceTable: { findFirst: (args: { where: { id: string } }) => Promise<DeviceRow | undefined> } } }
  },
  deviceId: string,
 ): Promise<DeviceRow> => {
  const device = await context.db.query.deviceTable.findFirst({
    where: { id: deviceId },
  })
  if (!device) {
    throw new ORPCError('NOT_FOUND', { message: 'Device not found' })
  }
  return device
 }
 export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context, input }) => {
  const device = await getDevice(context, input.deviceId)
  const deviceInfoJson = JSON.stringify({
    licence: device.licence,
    fingerprint: device.fingerprint,
  })
  const encrypted = rsaOaepEncrypt(deviceInfoJson, device.platformPublicKey)
  return { encrypted }
 })
 export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
  const device = await getDevice(context, input.deviceId)
  const key = sha256(device.licence + device.fingerprint)
  const decryptedJson = aesGcmDecrypt(input.encryptedData, key)
  const taskData = taskPayloadSchema.parse(JSON.parse(decryptedJson))
  return taskData
 })
 export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
  const device = await getDevice(context, input.deviceId)
  const ikm = device.licence + device.fingerprint
  const aesKey = hkdfSha256(ikm, input.taskId, 'inspection_report_encryption')
  const timestamp = Date.now()
  const plaintextJson = JSON.stringify({
    enterpriseId: input.enterpriseId,
    inspectionId: input.inspectionId,
    summary: input.summary,
    timestamp,
  })
  const encrypted = aesGcmEncrypt(plaintextJson, aesKey)
  const qrContent = JSON.stringify({
    taskId: input.taskId,
    encrypted,
  })
  return { qrContent }
 })
 export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
  const device = await getDevice(context, input.deviceId)
  const rawZipArrayBuffer = await input.rawZip.arrayBuffer()
  const rawZipBytes = Buffer.from(rawZipArrayBuffer)
  if (rawZipBytes.byteLength === 0 || rawZipBytes.byteLength > MAX_RAW_ZIP_BYTES) {
    throw new ORPCError('BAD_REQUEST', {
      message: 'rawZip is empty or exceeds max size limit',
    })
  }
  const rawZip = await JSZip.loadAsync(rawZipBytes, {
    checkCRC32: true,
  }).catch(() => {
    throw new ORPCError('BAD_REQUEST', {
      message: 'rawZip is not a valid zip file',
    })
  })
  const reportFiles = await getRequiredReportFiles(rawZip)
  const ikm = device.licence + device.fingerprint
  const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
  const assetsHash = sha256Hex(Buffer.from(reportFiles.assets))
  const vulnerabilitiesHash = sha256Hex(Buffer.from(reportFiles.vulnerabilities))
  const weakPasswordsHash = sha256Hex(Buffer.from(reportFiles.weakPasswords))
  const reportHtmlHash = sha256Hex(Buffer.from(reportFiles.reportHtml))
  const signPayload =
    input.taskId + input.inspectionId + assetsHash + vulnerabilitiesHash + weakPasswordsHash + reportHtmlHash
  const deviceSignature = hmacSha256Base64(signingKey, signPayload)
  if (!device.pgpPrivateKey) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'Device does not have a PGP key pair. Re-register the device.',
    })
  }
  const summaryObject = {
    enterpriseId: input.enterpriseId,
    inspectionId: input.inspectionId,
    taskId: input.taskId,
    licence: device.licence,
    fingerprint: device.fingerprint,
    deviceSignature,
    summary: input.summary,
    timestamp: Date.now(),
  }
  const summaryBytes = Buffer.from(JSON.stringify(summaryObject), 'utf-8')
  const manifestObject = {
    files: {
      'summary.json': sha256Hex(summaryBytes),
      'assets.json': assetsHash,
      'vulnerabilities.json': vulnerabilitiesHash,
      'weakPasswords.json': weakPasswordsHash,
      [reportFiles.reportHtmlName]: reportHtmlHash,
    },
  }
  const manifestBytes = Buffer.from(JSON.stringify(manifestObject, null, 2), 'utf-8')
  const signatureAsc = await pgpSignDetached(manifestBytes, device.pgpPrivateKey)
  const signedZip = new JSZip()
  signedZip.file('summary.json', summaryBytes)
  signedZip.file('assets.json', reportFiles.assets)
  signedZip.file('vulnerabilities.json', reportFiles.vulnerabilities)
  signedZip.file('weakPasswords.json', reportFiles.weakPasswords)
  signedZip.file(reportFiles.reportHtmlName, reportFiles.reportHtml)
  signedZip.file('META-INF/manifest.json', manifestBytes)
  signedZip.file('META-INF/signature.asc', signatureAsc)
  const signedZipBytes = await signedZip.generateAsync({
    type: 'uint8array',
    compression: 'DEFLATE',
    compressionOptions: { level: 9 },
  })
  return new File([Buffer.from(signedZipBytes)], `${input.taskId}-signed-report.zip`, {
    type: 'application/zip',
  })
 })
--- a/apps/server/src/server/api/routers/device.router.ts
+++ b/apps/server/src/server/api/routers/device.router.ts
@@ -0,0 +1,54 @@
 import { generatePgpKeyPair } from '@furtherverse/crypto'
 import { ORPCError } from '@orpc/server'
 import { deviceTable } from '@/server/db/schema'
 import { computeDeviceFingerprint } from '@/server/device-fingerprint'
 import { db } from '../middlewares'
 import { os } from '../server'
 export const register = os.device.register.use(db).handler(async ({ context, input }) => {
  const existing = await context.db.query.deviceTable.findFirst({
    where: { licence: input.licence },
  })
  if (existing) {
    throw new ORPCError('CONFLICT', {
      message: `Device with licence "${input.licence}" already registered`,
    })
  }
  const pgpKeys = await generatePgpKeyPair(input.licence, `${input.licence}@ux.local`)
  const fingerprint = computeDeviceFingerprint()
  const rows = await context.db
    .insert(deviceTable)
    .values({
      licence: input.licence,
      fingerprint,
      platformPublicKey: input.platformPublicKey,
      pgpPrivateKey: pgpKeys.privateKey,
      pgpPublicKey: pgpKeys.publicKey,
    })
    .returning()
  return rows[0] as (typeof rows)[number]
 })
 export const get = os.device.get.use(db).handler(async ({ context, input }) => {
  if (!input.id && !input.licence) {
    throw new ORPCError('BAD_REQUEST', {
      message: 'Either id or licence must be provided',
    })
  }
  const device = input.id
    ? await context.db.query.deviceTable.findFirst({ where: { id: input.id } })
    : await context.db.query.deviceTable.findFirst({ where: { licence: input.licence } })
  if (!device) {
    throw new ORPCError('NOT_FOUND', {
      message: 'Device not found',
    })
  }
  return device
 })
--- a/apps/server/src/server/api/routers/index.ts
+++ b/apps/server/src/server/api/routers/index.ts
@@ -1,6 +1,10 @@
 import { os } from '../server'
-import * as todo from './todo.router'
+import * as crypto from './crypto.router'
 import * as device from './device.router'
 import * as task from './task.router'
 export const router = os.router({
-  todo,
+  device,
  crypto,
  task,
 })
--- a/apps/server/src/server/api/routers/task.router.ts
+++ b/apps/server/src/server/api/routers/task.router.ts
@@ -0,0 +1,44 @@
 import { ORPCError } from '@orpc/server'
 import { eq } from 'drizzle-orm'
 import { taskTable } from '@/server/db/schema'
 import { db } from '../middlewares'
 import { os } from '../server'
 export const save = os.task.save.use(db).handler(async ({ context, input }) => {
  const rows = await context.db
    .insert(taskTable)
    .values({
      deviceId: input.deviceId,
      taskId: input.taskId,
      enterpriseId: input.enterpriseId,
      orgName: input.orgName,
      inspectionId: input.inspectionId,
      inspectionPerson: input.inspectionPerson,
      issuedAt: input.issuedAt ? new Date(input.issuedAt) : null,
    })
    .returning()
  return rows[0] as (typeof rows)[number]
 })
 export const list = os.task.list.use(db).handler(async ({ context, input }) => {
  return await context.db.query.taskTable.findMany({
    where: { deviceId: input.deviceId },
    orderBy: { createdAt: 'desc' },
  })
 })
 export const updateStatus = os.task.updateStatus.use(db).handler(async ({ context, input }) => {
  const rows = await context.db
    .update(taskTable)
    .set({ status: input.status })
    .where(eq(taskTable.id, input.id))
    .returning()
  const updated = rows[0]
  if (!updated) {
    throw new ORPCError('NOT_FOUND', { message: 'Task not found' })
  }
  return updated
 })
--- a/apps/server/src/server/api/routers/todo.router.ts
+++ b/apps/server/src/server/api/routers/todo.router.ts
@@ -1,40 +0,0 @@
 import { ORPCError } from '@orpc/server'
 import { eq } from 'drizzle-orm'
 import { todoTable } from '@/server/db/schema'
 import { db } from '../middlewares'
 import { os } from '../server'
 export const list = os.todo.list.use(db).handler(async ({ context }) => {
  const todos = await context.db.query.todoTable.findMany({
    orderBy: { createdAt: 'desc' },
  })
  return todos
 })
 export const create = os.todo.create.use(db).handler(async ({ context, input }) => {
  const [newTodo] = await context.db.insert(todoTable).values(input).returning()
  if (!newTodo) {
    throw new ORPCError('INTERNAL_SERVER_ERROR', { message: 'Failed to create todo' })
  }
  return newTodo
 })
 export const update = os.todo.update.use(db).handler(async ({ context, input }) => {
  const [updatedTodo] = await context.db.update(todoTable).set(input.data).where(eq(todoTable.id, input.id)).returning()
  if (!updatedTodo) {
    throw new ORPCError('NOT_FOUND')
  }
  return updatedTodo
 })
 export const remove = os.todo.remove.use(db).handler(async ({ context, input }) => {
  const [deleted] = await context.db.delete(todoTable).where(eq(todoTable.id, input.id)).returning({ id: todoTable.id })
  if (!deleted) {
    throw new ORPCError('NOT_FOUND')
  }
 })
--- a/apps/server/src/server/db/fields.ts
+++ b/apps/server/src/server/db/fields.ts
@@ -1,47 +1,28 @@
-import { sql } from 'drizzle-orm'
+import { integer, text } from 'drizzle-orm/sqlite-core'
 import { timestamp, uuid } from 'drizzle-orm/pg-core'
 import { v7 as uuidv7 } from 'uuid'
-// id
+export const pk = (name = 'id') =>
  text(name)
    .primaryKey()
    .$defaultFn(() => uuidv7())
-const id = (name: string) => uuid(name)
+export const createdAt = (name = 'created_at') =>
-export const pk = (name: string, strategy?: 'native' | 'extension') => {
+  integer(name, { mode: 'timestamp_ms' })
-  switch (strategy) {
+    .notNull()
-    // PG 18+
+    .$defaultFn(() => new Date())
    case 'native':
      return id(name).primaryKey().default(sql`uuidv7()`)
    // PG 13+ with extension
    case 'extension':
      return id(name).primaryKey().default(sql`uuid_generate_v7()`)
    // Any PG version
    default:
      return id(name)
        .primaryKey()
        .$defaultFn(() => uuidv7())
  }
 }
 // timestamp
 export const createdAt = (name = 'created_at') => timestamp(name, { withTimezone: true }).notNull().defaultNow()
 export const updatedAt = (name = 'updated_at') =>
-  timestamp(name, { withTimezone: true })
+  integer(name, { mode: 'timestamp_ms' })
    .notNull()
-    .defaultNow()
+    .$defaultFn(() => new Date())
    .$onUpdateFn(() => new Date())
 // generated fields
 export const generatedFields = {
  id: pk('id'),
  createdAt: createdAt('created_at'),
  updatedAt: updatedAt('updated_at'),
 }
 // Helper to create omit keys from generatedFields
 const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
  return Object.keys(fields).reduce(
    (acc, key) => {
--- a/apps/server/src/server/db/index.ts
+++ b/apps/server/src/server/db/index.ts
@@ -1,12 +1,14 @@
-import { drizzle } from 'drizzle-orm/postgres-js'
+import { Database } from 'bun:sqlite'
 import { drizzle } from 'drizzle-orm/bun-sqlite'
 import { env } from '@/env'
 import { relations } from '@/server/db/relations'
-export const createDB = () =>
+export const createDB = () => {
-  drizzle({
+  const sqlite = new Database(env.DATABASE_PATH)
-    connection: env.DATABASE_URL,
+  sqlite.exec('PRAGMA journal_mode = WAL')
-    relations,
+  sqlite.exec('PRAGMA foreign_keys = ON')
-  })
+  return drizzle({ client: sqlite, relations })
 }
 export type DB = ReturnType<typeof createDB>
--- a/apps/server/src/server/db/relations.ts
+++ b/apps/server/src/server/db/relations.ts
@@ -1,4 +1,14 @@
 import { defineRelations } from 'drizzle-orm'
 import * as schema from './schema'
-export const relations = defineRelations(schema, (_r) => ({}))
+export const relations = defineRelations(schema, (r) => ({
  deviceTable: {
    tasks: r.many.taskTable(),
  },
  taskTable: {
    device: r.one.deviceTable({
      from: r.taskTable.deviceId,
      to: r.deviceTable.id,
    }),
  },
 }))
--- a/apps/server/src/server/db/schema/device.ts
+++ b/apps/server/src/server/db/schema/device.ts
@@ -0,0 +1,11 @@
 import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
 import { generatedFields } from '../fields'
 export const deviceTable = sqliteTable('device', {
  ...generatedFields,
  licence: text('licence').notNull().unique(),
  fingerprint: text('fingerprint').notNull(),
  platformPublicKey: text('platform_public_key').notNull(),
  pgpPrivateKey: text('pgp_private_key'),
  pgpPublicKey: text('pgp_public_key'),
 })
--- a/apps/server/src/server/db/schema/index.ts
+++ b/apps/server/src/server/db/schema/index.ts
@@ -1 +1,2 @@
-export * from './todo'
+export * from './device'
 export * from './task'
--- a/apps/server/src/server/db/schema/task.ts
+++ b/apps/server/src/server/db/schema/task.ts
@@ -0,0 +1,16 @@
 import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core'
 import { generatedFields } from '../fields'
 export const taskTable = sqliteTable('task', {
  ...generatedFields,
  deviceId: text('device_id').notNull(),
  taskId: text('task_id').notNull(),
  enterpriseId: text('enterprise_id'),
  orgName: text('org_name'),
  inspectionId: text('inspection_id'),
  inspectionPerson: text('inspection_person'),
  issuedAt: integer('issued_at', { mode: 'timestamp_ms' }),
  status: text('status', { enum: ['pending', 'in_progress', 'done'] })
    .notNull()
    .default('pending'),
 })
--- a/apps/server/src/server/db/schema/todo.ts
+++ b/apps/server/src/server/db/schema/todo.ts
@@ -1,8 +0,0 @@
 import { boolean, pgTable, text } from 'drizzle-orm/pg-core'
 import { generatedFields } from '../fields'
 export const todoTable = pgTable('todo', {
  ...generatedFields,
  title: text('title').notNull(),
  completed: boolean('completed').notNull().default(false),
 })
--- a/apps/server/src/server/device-fingerprint.ts
+++ b/apps/server/src/server/device-fingerprint.ts
@@ -0,0 +1,39 @@
 import { readFileSync } from 'node:fs'
 import { arch, cpus, networkInterfaces, platform, release, totalmem } from 'node:os'
 import { sha256Hex } from '@furtherverse/crypto'
 const readMachineId = (): string => {
  const candidates = ['/etc/machine-id', '/var/lib/dbus/machine-id']
  for (const path of candidates) {
    try {
      const value = readFileSync(path, 'utf-8').trim()
      if (value.length > 0) {
        return value
      }
    } catch {}
  }
  return ''
 }
 const collectMacAddresses = (): string[] => {
  const interfaces = networkInterfaces()
  return Object.values(interfaces)
    .flatMap((group) => group ?? [])
    .filter((item) => item.mac && item.mac !== '00:00:00:00:00:00' && !item.internal)
    .map((item) => item.mac)
    .sort()
 }
 export const computeDeviceFingerprint = (): string => {
  const machineId = readMachineId()
  const firstCpuModel = cpus()[0]?.model ?? 'unknown'
  const macs = collectMacAddresses().join(',')
  const source = [machineId, platform(), release(), arch(), String(totalmem()), firstCpuModel, macs].join('|')
  const hash = sha256Hex(source)
  return `FP-${hash.slice(0, 16)}`
 }
--- a/bun.lock
+++ b/bun.lock
@@ -35,6 +35,7 @@
      "name": "@furtherverse/server",
      "version": "1.0.0",
      "dependencies": {
        "@furtherverse/crypto": "workspace:*",
        "@orpc/client": "catalog:",
        "@orpc/contract": "catalog:",
        "@orpc/openapi": "catalog:",
@@ -47,7 +48,7 @@
        "@tanstack/react-router-ssr-query": "catalog:",
        "@tanstack/react-start": "catalog:",
        "drizzle-orm": "catalog:",
-        "postgres": "catalog:",
+        "jszip": "catalog:",
        "react": "catalog:",
        "react-dom": "catalog:",
        "uuid": "catalog:",
@@ -70,6 +71,17 @@
        "vite-tsconfig-paths": "catalog:",
      },
    },
    "packages/crypto": {
      "name": "@furtherverse/crypto",
      "version": "1.0.0",
      "dependencies": {
        "openpgp": "catalog:",
      },
      "devDependencies": {
        "@furtherverse/tsconfig": "workspace:*",
        "@types/bun": "catalog:",
      },
    },
    "packages/tsconfig": {
      "name": "@furtherverse/tsconfig",
      "version": "1.0.0",
@@ -79,7 +91,6 @@
    "@types/node": "catalog:",
  },
  "catalog": {
    "@biomejs/biome": "^2.3.11",
    "@orpc/client": "^1.13.6",
    "@orpc/contract": "^1.13.6",
    "@orpc/openapi": "^1.13.6",
@@ -105,15 +116,14 @@
    "electron": "^34.0.0",
    "electron-builder": "^26.8.1",
    "electron-vite": "^5.0.0",
    "jszip": "^3.10.1",
    "motion": "^12.35.0",
    "nitro": "npm:nitro-nightly@3.0.1-20260227-181935-bfbb207c",
-    "postgres": "^3.4.8",
+    "openpgp": "^6.0.1",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "tailwindcss": "^4.2.1",
    "tree-kill": "^1.2.2",
    "turbo": "^2.7.5",
    "typescript": "^5.9.3",
    "uuid": "^13.0.0",
    "vite": "^8.0.0-beta.16",
    "vite-tsconfig-paths": "^6.1.1",
@@ -296,6 +306,8 @@
    "@esbuild/win32-x64": ["@esbuild/win32-x64@0.25.12", "", { "os": "win32", "cpu": "x64" }, "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA=="],
    "@furtherverse/crypto": ["@furtherverse/crypto@workspace:packages/crypto"],
    "@furtherverse/desktop": ["@furtherverse/desktop@workspace:apps/desktop"],
    "@furtherverse/server": ["@furtherverse/server@workspace:apps/server"],
@@ -936,6 +948,8 @@
    "ieee754": ["ieee754@1.2.1", "", {}, "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="],
    "immediate": ["immediate@3.0.6", "", {}, "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ=="],
    "imurmurhash": ["imurmurhash@0.1.4", "", {}, "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA=="],
    "inflight": ["inflight@1.0.6", "", { "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA=="],
@@ -964,6 +978,8 @@
    "is-wsl": ["is-wsl@3.1.1", "", { "dependencies": { "is-inside-container": "^1.0.0" } }, "sha512-e6rvdUCiQCAuumZslxRJWR/Doq4VpPR82kqclvcS0efgt430SlGIk05vdCN58+VrzgtIcfNODjozVielycD4Sw=="],
    "isarray": ["isarray@1.0.0", "", {}, "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ=="],
    "isbinaryfile": ["isbinaryfile@5.0.7", "", {}, "sha512-gnWD14Jh3FzS3CPhF0AxNOJ8CxqeblPTADzI38r0wt8ZyQl5edpy75myt08EG2oKvpyiqSqsx+Wkz9vtkbTqYQ=="],
    "isbot": ["isbot@5.1.35", "", {}, "sha512-waFfC72ZNfwLLuJ2iLaoVaqcNo+CAaLR7xCpAn0Y5WfGzkNHv7ZN39Vbi1y+kb+Zs46XHOX3tZNExroFUPX+Kg=="],
@@ -1000,6 +1016,8 @@
    "jsonwebtoken": ["jsonwebtoken@9.0.3", "", { "dependencies": { "jws": "^4.0.1", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } }, "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g=="],
    "jszip": ["jszip@3.10.1", "", { "dependencies": { "lie": "~3.3.0", "pako": "~1.0.2", "readable-stream": "~2.3.6", "setimmediate": "^1.0.5" } }, "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g=="],
    "jwa": ["jwa@2.0.1", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg=="],
    "jws": ["jws@4.0.1", "", { "dependencies": { "jwa": "^2.0.1", "safe-buffer": "^5.0.1" } }, "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA=="],
@@ -1010,6 +1028,8 @@
    "lazy-val": ["lazy-val@1.0.5", "", {}, "sha512-0/BnGCCfyUMkBpeDgWihanIAF9JmZhHBgUhEqzvf+adhNGLoP6TaiI5oF8oyb3I45P+PcnrqihSf01M0l0G5+Q=="],
    "lie": ["lie@3.3.0", "", { "dependencies": { "immediate": "~3.0.5" } }, "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ=="],
    "lightningcss": ["lightningcss@1.31.1", "", { "dependencies": { "detect-libc": "^2.0.3" }, "optionalDependencies": { "lightningcss-android-arm64": "1.31.1", "lightningcss-darwin-arm64": "1.31.1", "lightningcss-darwin-x64": "1.31.1", "lightningcss-freebsd-x64": "1.31.1", "lightningcss-linux-arm-gnueabihf": "1.31.1", "lightningcss-linux-arm64-gnu": "1.31.1", "lightningcss-linux-arm64-musl": "1.31.1", "lightningcss-linux-x64-gnu": "1.31.1", "lightningcss-linux-x64-musl": "1.31.1", "lightningcss-win32-arm64-msvc": "1.31.1", "lightningcss-win32-x64-msvc": "1.31.1" } }, "sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ=="],
    "lightningcss-android-arm64": ["lightningcss-android-arm64@1.31.1", "", { "os": "android", "cpu": "arm64" }, "sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg=="],
@@ -1146,6 +1166,8 @@
    "openapi-types": ["openapi-types@12.1.3", "", {}, "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw=="],
    "openpgp": ["openpgp@6.3.0", "", {}, "sha512-pLzCU8IgyKXPSO11eeharQkQ4GzOKNWhXq79pQarIRZEMt1/ssyr+MIuWBv1mNoenJLg04gvPx+fi4gcKZ4bag=="],
    "ora": ["ora@5.4.1", "", { "dependencies": { "bl": "^4.1.0", "chalk": "^4.1.0", "cli-cursor": "^3.1.0", "cli-spinners": "^2.5.0", "is-interactive": "^1.0.0", "is-unicode-supported": "^0.1.0", "log-symbols": "^4.1.0", "strip-ansi": "^6.0.0", "wcwidth": "^1.0.1" } }, "sha512-5b6Y85tPxZZ7QytO+BQzysW31HJku27cRIlkbAXaNx+BdcVi+LlRFmVXzeF6a7JCwJpyw5c4b+YSVImQIrBpuQ=="],
    "p-cancelable": ["p-cancelable@2.1.1", "", {}, "sha512-BZOr3nRQHOntUjTrH8+Lh54smKHoHyur8We1V8DSMVrl5A2malOOwuJRnKRDjSnkoeBh4at6BwEnb5I7Jl31wg=="],
@@ -1156,6 +1178,8 @@
    "package-json-from-dist": ["package-json-from-dist@1.0.1", "", {}, "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw=="],
    "pako": ["pako@1.0.11", "", {}, "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw=="],
    "parse5": ["parse5@7.3.0", "", { "dependencies": { "entities": "^6.0.0" } }, "sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw=="],
    "parse5-htmlparser2-tree-adapter": ["parse5-htmlparser2-tree-adapter@7.1.0", "", { "dependencies": { "domhandler": "^5.0.3", "parse5": "^7.0.0" } }, "sha512-ruw5xyKs6lrpo9x9rCZqZZnIUntICjQAd0Wsmp396Ul9lN/h+ifgVV1x1gZHi8euej6wTfpqX8j+BFQxF0NS/g=="],
@@ -1192,6 +1216,8 @@
    "process": ["process@0.11.10", "", {}, "sha512-cdGef/drWFoydD1JsMzuFf8100nZl+GT+yacc2bEced5f9Rjk4z+WtFUTBu9PhOi9j/jfmBPu0mMEY4wIdAF8A=="],
    "process-nextick-args": ["process-nextick-args@2.0.1", "", {}, "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag=="],
    "progress": ["progress@2.0.3", "", {}, "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA=="],
    "promise-retry": ["promise-retry@2.0.1", "", { "dependencies": { "err-code": "^2.0.2", "retry": "^0.12.0" } }, "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g=="],
@@ -1214,7 +1240,7 @@
    "read-binary-file-arch": ["read-binary-file-arch@1.0.6", "", { "dependencies": { "debug": "^4.3.4" }, "bin": { "read-binary-file-arch": "cli.js" } }, "sha512-BNg9EN3DD3GsDXX7Aa8O4p92sryjkmzYYgmgTAc6CA4uGLEDzFfxOxugu21akOxpcXHiEgsYkC6nPsQvLLLmEg=="],
-    "readable-stream": ["readable-stream@4.7.0", "", { "dependencies": { "abort-controller": "^3.0.0", "buffer": "^6.0.3", "events": "^3.3.0", "process": "^0.11.10", "string_decoder": "^1.3.0" } }, "sha512-oIGGmcpTLwPga8Bn6/Z75SVaH1z5dUut2ibSyAMVhmUggWpmDn2dapB0n7f8nwaSiRtepAsfJyfXIO5DCVAODg=="],
+    "readable-stream": ["readable-stream@2.3.8", "", { "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA=="],
    "readdirp": ["readdirp@3.6.0", "", { "dependencies": { "picomatch": "^2.2.1" } }, "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA=="],
@@ -1246,7 +1272,7 @@
    "run-applescript": ["run-applescript@7.1.0", "", {}, "sha512-DPe5pVFaAsinSaV6QjQ6gdiedWDcRCbUuiQfQa2wmWV7+xC9bGulGI8+TdRmoFkAPaBXk8CrAbnlY2ISniJ47Q=="],
-    "safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
+    "safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="],
    "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
@@ -1266,6 +1292,8 @@
    "seroval-plugins": ["seroval-plugins@1.5.0", "", { "peerDependencies": { "seroval": "^1.0" } }, "sha512-EAHqADIQondwRZIdeW2I636zgsODzoBDwb3PT/+7TLDWyw1Dy/Xv7iGUIEXXav7usHDE9HVhOU61irI3EnyyHA=="],
    "setimmediate": ["setimmediate@1.0.5", "", {}, "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA=="],
    "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="],
    "shebang-regex": ["shebang-regex@3.0.0", "", {}, "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="],
@@ -1304,7 +1332,7 @@
    "string-width-cjs": ["string-width@4.2.3", "", { "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g=="],
-    "string_decoder": ["string_decoder@1.3.0", "", { "dependencies": { "safe-buffer": "~5.2.0" } }, "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA=="],
+    "string_decoder": ["string_decoder@1.1.1", "", { "dependencies": { "safe-buffer": "~5.1.0" } }, "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg=="],
    "strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
@@ -1518,6 +1546,8 @@
    "bl/buffer": ["buffer@6.0.3", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.2.1" } }, "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA=="],
    "bl/readable-stream": ["readable-stream@4.7.0", "", { "dependencies": { "abort-controller": "^3.0.0", "buffer": "^6.0.3", "events": "^3.3.0", "process": "^0.11.10", "string_decoder": "^1.3.0" } }, "sha512-oIGGmcpTLwPga8Bn6/Z75SVaH1z5dUut2ibSyAMVhmUggWpmDn2dapB0n7f8nwaSiRtepAsfJyfXIO5DCVAODg=="],
    "cacache/glob": ["glob@10.5.0", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg=="],
    "cacache/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="],
@@ -1528,6 +1558,8 @@
    "dir-compare/minimatch": ["minimatch@3.1.5", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w=="],
    "ecdsa-sig-formatter/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
    "electron-winstaller/fs-extra": ["fs-extra@7.0.1", "", { "dependencies": { "graceful-fs": "^4.1.2", "jsonfile": "^4.0.0", "universalify": "^0.1.0" } }, "sha512-YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw=="],
    "filelist/minimatch": ["minimatch@5.1.9", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw=="],
@@ -1544,6 +1576,10 @@
    "jsonwebtoken/semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
    "jwa/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
    "jws/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
    "lru-cache/yallist": ["yallist@3.1.1", "", {}, "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="],
    "matcher/escape-string-regexp": ["escape-string-regexp@4.0.0", "", {}, "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA=="],
@@ -1568,8 +1604,6 @@
    "postject/commander": ["commander@9.5.0", "", {}, "sha512-KRs7WVDKg86PWiuAqhDrAQnTXZKraVcCc6vFdL14qrZ/DcWwuRo7VoiYXalXO7S5GKpqYiVEwCbgFDfxNHKJBQ=="],
    "readable-stream/buffer": ["buffer@6.0.3", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.2.1" } }, "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA=="],
    "readdirp/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
    "recast/source-map": ["source-map@0.6.1", "", {}, "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="],
@@ -1604,6 +1638,8 @@
    "app-builder-lib/@electron/get/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="],
    "bl/readable-stream/string_decoder": ["string_decoder@1.3.0", "", { "dependencies": { "safe-buffer": "~5.2.0" } }, "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA=="],
    "cacache/glob/minimatch": ["minimatch@9.0.9", "", { "dependencies": { "brace-expansion": "^2.0.2" } }, "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg=="],
    "cross-spawn/which/isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
@@ -1688,6 +1724,8 @@
    "app-builder-lib/@electron/get/fs-extra/universalify": ["universalify@0.1.2", "", {}, "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg=="],
    "bl/readable-stream/string_decoder/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
    "cacache/glob/minimatch/brace-expansion": ["brace-expansion@2.0.2", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ=="],
    "dir-compare/minimatch/brace-expansion/balanced-match": ["balanced-match@1.0.2", "", {}, "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="],
@@ -1696,6 +1734,10 @@
    "glob/minimatch/brace-expansion/balanced-match": ["balanced-match@1.0.2", "", {}, "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="],
    "ora/bl/readable-stream/string_decoder": ["string_decoder@1.3.0", "", { "dependencies": { "safe-buffer": "~5.2.0" } }, "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA=="],
    "cacache/glob/minimatch/brace-expansion/balanced-match": ["balanced-match@1.0.2", "", {}, "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="],
    "ora/bl/readable-stream/string_decoder/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
  }
 }
--- a/docs/UX-授权端接口说明.md
+++ b/docs/UX-授权端接口说明.md
@@ -0,0 +1,71 @@
 # UX 授权端接口说明
 本文档描述当前 UX 服务端实现的授权对接接口与职责边界。
 ## 1. 职责边界
 - UX **只与工具箱交互**（HTTP RPC），不直接与手机 App 交互。
 - 手机 App 仅承担扫码和与管理平台联网通信。
 - 报告签名流程由工具箱上传原始 ZIP 到 UX，UX 返回已签名 ZIP。
 ## 2. 设备注册
 `device.register`
 - 输入：`licence`、`platformPublicKey`
 - UX 在本机采集设备特征并计算 `fingerprint`
 - UX 将 `licence + fingerprint + 公钥 + PGP 密钥对` 持久化到数据库
 ## 3. 核心加密接口
 ### 3.1 设备授权二维码密文
 `crypto.encryptDeviceInfo`
 - 使用平台公钥 RSA-OAEP 加密：`{ licence, fingerprint }`
 - 返回 Base64 密文（工具箱用于生成二维码）
 ### 3.2 任务二维码解密
 `crypto.decryptTask`
 - 密钥：`SHA256(licence + fingerprint)`
 - 算法：AES-256-GCM
 - 输入：任务二维码中的 Base64 密文
 - 输出：任务 JSON
 ### 3.3 摘要二维码加密
 `crypto.encryptSummary`
 - 密钥派生：HKDF-SHA256
  - `ikm = licence + fingerprint`
  - `salt = taskId`
  - `info = "inspection_report_encryption"`
 - 算法：AES-256-GCM
 - 输出：`{ taskId, encrypted }` JSON（工具箱用于生成二维码）
 ### 3.4 原始 ZIP 签名打包（最终报告）
 `crypto.signAndPackReport`
 - 输入：`rawZip`（`multipart/form-data` 文件字段） + `taskId` + `inspectionId` + `enterpriseId` + `summary`
 - UX 在服务端完成：
  1. 校验并解包原始 ZIP
  2. 计算文件 SHA-256
  3. HKDF + HMAC 生成 `deviceSignature`
  4. 生成 `summary.json`
  5. 生成 `META-INF/manifest.json`
  6. OpenPGP 分离签名生成 `META-INF/signature.asc`
  7. 重新打包为 signed ZIP
 - 输出：签名后 ZIP 文件（二进制响应，`application/zip`）
 ## 4. 安全约束（签名打包）
 - 拒绝危险 ZIP 路径（防 Zip Slip）
 - 限制原始 ZIP 和单文件大小
 - 强制存在以下文件：
  - `assets.json`
  - `vulnerabilities.json`
  - `weakPasswords.json`
  - `漏洞评估报告*.html`
--- a/docs/工具箱端-授权对接指南/工具箱端-任务二维码解密指南.md
+++ b/docs/工具箱端-授权对接指南/工具箱端-任务二维码解密指南.md
@@ -0,0 +1,644 @@
 # 工具箱端 - 任务二维码解密指南
 ## 概述
 本文档说明工具箱端如何解密任务二维码数据。App 创建任务后，平台会生成加密的任务数据并返回给 App，App 将其生成二维码。工具箱扫描二维码后，需要使用自己的 `licence` 和 `fingerprint` 解密任务数据。
 > ### UX 集成模式补充（当前项目实现）
 >
 > 在当前集成模式中，工具箱扫描二维码后将密文提交给 UX 的 `crypto.decryptTask`，
 > 由 UX 使用设备绑定的 `licence + fingerprint` 执行 AES-256-GCM 解密并返回任务明文。
 ## 一、业务流程
 ```
 App创建任务 → 平台加密任务数据 → 返回加密数据 → App生成二维码
                                                      ↓
 工具箱扫描二维码 → 提取加密数据 → AES-256-GCM解密 → 获取任务信息
 ```
 ## 二、任务数据结构
 ### 2.1 任务数据 JSON 格式
 解密后的任务数据为 JSON 格式，包含以下字段：
 ```json
 {
  "taskId": "TASK-20260115-4875",
  "enterpriseId": "1173040813421105152",
  "orgName": "超艺科技有限公司",
  "inspectionId": "702286470691215417",
  "inspectionPerson": "警务通",
  "issuedAt": 1734571234567
 }
 ```
 ### 2.2 字段说明
 | 字段名 | 类型 | 说明 | 示例 |
 |--------|------|------|------|
 | `taskId` | String | 任务唯一ID（格式：TASK-YYYYMMDD-XXXX） | `"TASK-20260115-4875"` |
 | `enterpriseId` | String | 企业ID | `"1173040813421105152"` |
 | `orgName` | String | 单位名称 | `"超艺科技有限公司"` |
 | `inspectionId` | String | 检查ID | `"702286470691215417"` |
 | `inspectionPerson` | String | 检查人 | `"警务通"` |
 | `issuedAt` | Number | 任务发布时间戳（毫秒） | `1734571234567` |
 ## 三、加密算法说明
 ### 3.1 加密方式
 - **算法**：AES-256-GCM（Galois/Counter Mode）
 - **密钥长度**：256 位（32 字节）
 - **IV 长度**：12 字节（96 位）
 - **认证标签长度**：16 字节（128 位）
 ### 3.2 密钥生成
 密钥由工具箱的 `licence` 和 `fingerprint` 生成：
 ```
 密钥 = SHA-256(licence + fingerprint)
 ```
 **重要说明**：
 - `licence` 和 `fingerprint` 直接字符串拼接（无分隔符）
 - 使用 SHA-256 哈希算法的全部 32 字节作为 AES-256 密钥
 - 工具箱必须使用与平台绑定时相同的 `licence` 和 `fingerprint`
 ### 3.3 加密数据格式
 加密后的数据格式（Base64 编码前）：
 ```
 [IV(12字节)] + [加密数据] + [认证标签(16字节)]
 ```
 **数据布局**：
 ```
 +------------------+------------------+------------------+
 |   IV (12字节)    |   加密数据       |   认证标签(16字节)|
 +------------------+------------------+------------------+
 ```
 ## 四、解密步骤
 ### 4.1 解密流程
 1. **扫描二维码**：获取 Base64 编码的加密数据
 2. **Base64 解码**：将 Base64 字符串解码为字节数组
 3. **分离数据**：从字节数组中分离 IV、加密数据和认证标签
 4. **生成密钥**：使用 `licence + fingerprint` 生成 AES-256 密钥
 5. **解密数据**：使用 AES-256-GCM 解密（自动验证认证标签）
 6. **解析 JSON**：将解密后的字符串解析为 JSON 对象
 ### 4.2 Python 实现示例
 ```python
 import base64
 import json
 import hashlib
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.backends import default_backend
 def decrypt_task_data(
    encrypted_data_base64: str,
    licence: str,
    fingerprint: str
 ) -> dict:
    """
    解密任务二维码数据
    Args:
        encrypted_data_base64: Base64编码的加密数据
        licence: 设备授权码
        fingerprint: 设备硬件指纹
    Returns:
        解密后的任务数据（字典）
    """
    # 1. Base64 解码
    encrypted_bytes = base64.b64decode(encrypted_data_base64)
    # 2. 分离 IV 和加密数据（包含认证标签）
    if len(encrypted_bytes) < 12:
        raise ValueError("加密数据格式错误：数据长度不足")
    iv = encrypted_bytes[:12]  # IV: 前12字节
    ciphertext_with_tag = encrypted_bytes[12:]  # 加密数据 + 认证标签
    # 3. 生成密钥：SHA-256(licence + fingerprint)
    combined = licence + fingerprint
    key = hashlib.sha256(combined.encode('utf-8')).digest()
    # 4. 使用 AES-256-GCM 解密
    aesgcm = AESGCM(key)
    decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
    # 5. 解析 JSON
    decrypted_json = decrypted_bytes.decode('utf-8')
    task_data = json.loads(decrypted_json)
    return task_data
 # 使用示例
 if __name__ == "__main__":
    # 从二维码扫描获取的加密数据
    encrypted_data = "Base64编码的加密数据..."
    # 工具箱的授权信息（必须与平台绑定时一致）
    licence = "LIC-8F2A-XXXX"
    fingerprint = "FP-2c91e9f3"
    # 解密任务数据
    task_data = decrypt_task_data(encrypted_data, licence, fingerprint)
    print("任务ID:", task_data["taskId"])
    print("企业ID:", task_data["enterpriseId"])
    print("单位名称:", task_data["orgName"])
    print("检查ID:", task_data["inspectionId"])
    print("检查人:", task_data["inspectionPerson"])
    print("发布时间:", task_data["issuedAt"])
 ```
 ### 4.3 Java/Kotlin 实现示例
 ```kotlin
 import com.fasterxml.jackson.databind.ObjectMapper
 import java.nio.charset.StandardCharsets
 import java.security.MessageDigest
 import java.util.Base64
 import javax.crypto.Cipher
 import javax.crypto.spec.GCMParameterSpec
 import javax.crypto.spec.SecretKeySpec
 object TaskDecryptionUtil {
    private const val ALGORITHM = "AES"
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val GCM_IV_LENGTH = 12 // GCM 推荐使用 12 字节 IV
    private const val GCM_TAG_LENGTH = 16 // GCM 认证标签长度（128位）
    private const val KEY_LENGTH = 32 // AES-256 密钥长度（256位 = 32字节）
    private val objectMapper = ObjectMapper()
    /**
     * 解密任务二维码数据
     * 
     * @param encryptedDataBase64 Base64编码的加密数据
     * @param licence 设备授权码
     * @param fingerprint 设备硬件指纹
     * @return 解密后的任务数据（Map）
     */
    fun decryptTaskData(
        encryptedDataBase64: String,
        licence: String,
        fingerprint: String
    ): Map<String, Any> {
        // 1. Base64 解码
        val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
        // 2. 分离 IV 和加密数据（包含认证标签）
        if (encryptedBytes.size < GCM_IV_LENGTH) {
            throw IllegalArgumentException("加密数据格式错误：数据长度不足")
        }
        val iv = encryptedBytes.sliceArray(0 until GCM_IV_LENGTH)
        val ciphertextWithTag = encryptedBytes.sliceArray(GCM_IV_LENGTH until encryptedBytes.size)
        // 3. 生成密钥：SHA-256(licence + fingerprint)
        val combined = "$licence$fingerprint"
        val digest = MessageDigest.getInstance("SHA-256")
        val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
        val key = SecretKeySpec(keyBytes, ALGORITHM)
        // 4. 使用 AES-256-GCM 解密
        val cipher = Cipher.getInstance(TRANSFORMATION)
        val parameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, iv) // 标签长度以位为单位
        cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
        // 解密数据（GCM 会自动验证认证标签）
        val decryptedBytes = cipher.doFinal(ciphertextWithTag)
        // 5. 解析 JSON
        val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
        @Suppress("UNCHECKED_CAST")
        return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
    }
 }
 // 使用示例
 fun main() {
    // 从二维码扫描获取的加密数据
    val encryptedData = "Base64编码的加密数据..."
    // 工具箱的授权信息（必须与平台绑定时一致）
    val licence = "LIC-8F2A-XXXX"
    val fingerprint = "FP-2c91e9f3"
    // 解密任务数据
    val taskData = TaskDecryptionUtil.decryptTaskData(encryptedData, licence, fingerprint)
    println("任务ID: ${taskData["taskId"]}")
    println("企业ID: ${taskData["enterpriseId"]}")
    println("单位名称: ${taskData["orgName"]}")
    println("检查ID: ${taskData["inspectionId"]}")
    println("检查人: ${taskData["inspectionPerson"]}")
    println("发布时间: ${taskData["issuedAt"]}")
 }
 ```
 ### 4.4 C# 实现示例
 ```csharp
 using System;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 public class TaskDecryptionUtil
 {
    private const int GcmIvLength = 12; // GCM 推荐使用 12 字节 IV
    private const int GcmTagLength = 16; // GCM 认证标签长度（128位）
    /// <summary>
    /// 解密任务二维码数据
    /// </summary>
    public static Dictionary<string, object> DecryptTaskData(
        string encryptedDataBase64,
        string licence,
        string fingerprint
    )
    {
        // 1. Base64 解码
        byte[] encryptedBytes = Convert.FromBase64String(encryptedDataBase64);
        // 2. 分离 IV 和加密数据（包含认证标签）
        if (encryptedBytes.Length < GcmIvLength)
        {
            throw new ArgumentException("加密数据格式错误：数据长度不足");
        }
        byte[] iv = new byte[GcmIvLength];
        Array.Copy(encryptedBytes, 0, iv, 0, GcmIvLength);
        byte[] ciphertextWithTag = new byte[encryptedBytes.Length - GcmIvLength];
        Array.Copy(encryptedBytes, GcmIvLength, ciphertextWithTag, 0, ciphertextWithTag.Length);
        // 3. 生成密钥：SHA-256(licence + fingerprint)
        string combined = licence + fingerprint;
        byte[] keyBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(combined));
        // 4. 使用 AES-256-GCM 解密
        using (AesGcm aesGcm = new AesGcm(keyBytes))
        {
            byte[] decryptedBytes = new byte[ciphertextWithTag.Length - GcmTagLength];
            byte[] tag = new byte[GcmTagLength];
            Array.Copy(ciphertextWithTag, ciphertextWithTag.Length - GcmTagLength, tag, 0, GcmTagLength);
            Array.Copy(ciphertextWithTag, 0, decryptedBytes, 0, decryptedBytes.Length);
            aesGcm.Decrypt(iv, decryptedBytes, tag, null, decryptedBytes);
            // 5. 解析 JSON
            string decryptedJson = Encoding.UTF8.GetString(decryptedBytes);
            return JsonSerializer.Deserialize<Dictionary<string, object>>(decryptedJson);
        }
    }
 }
 // 使用示例
 class Program
 {
    static void Main()
    {
        // 从二维码扫描获取的加密数据
        string encryptedData = "Base64编码的加密数据...";
        // 工具箱的授权信息（必须与平台绑定时一致）
        string licence = "LIC-8F2A-XXXX";
        string fingerprint = "FP-2c91e9f3";
        // 解密任务数据
        var taskData = TaskDecryptionUtil.DecryptTaskData(encryptedData, licence, fingerprint);
        Console.WriteLine($"任务ID: {taskData["taskId"]}");
        Console.WriteLine($"企业ID: {taskData["enterpriseId"]}");
        Console.WriteLine($"单位名称: {taskData["orgName"]}");
        Console.WriteLine($"检查ID: {taskData["inspectionId"]}");
        Console.WriteLine($"检查人: {taskData["inspectionPerson"]}");
        Console.WriteLine($"发布时间: {taskData["issuedAt"]}");
    }
 }
 ```
 ## 五、完整流程示例
 ### 5.1 Python 完整示例（包含二维码扫描）
 ```python
 import base64
 import json
 import hashlib
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from pyzbar import pyzbar
 from PIL import Image
 class TaskQRCodeDecoder:
    """任务二维码解码器"""
    def __init__(self, licence: str, fingerprint: str):
        """
        初始化解码器
        Args:
            licence: 设备授权码
            fingerprint: 设备硬件指纹
        """
        self.licence = licence
        self.fingerprint = fingerprint
        self._key = self._generate_key()
    def _generate_key(self) -> bytes:
        """生成 AES-256 密钥"""
        combined = self.licence + self.fingerprint
        return hashlib.sha256(combined.encode('utf-8')).digest()
    def scan_qr_code(self, qr_image_path: str) -> dict:
        """
        扫描二维码并解密任务数据
        Args:
            qr_image_path: 二维码图片路径
        Returns:
            解密后的任务数据（字典）
        """
        # 1. 扫描二维码
        image = Image.open(qr_image_path)
        qr_codes = pyzbar.decode(image)
        if not qr_codes:
            raise ValueError("未找到二维码")
        # 获取二维码内容（Base64编码的加密数据）
        encrypted_data_base64 = qr_codes[0].data.decode('utf-8')
        print(f"扫描到二维码内容: {encrypted_data_base64[:50]}...")
        # 2. 解密任务数据
        return self.decrypt_task_data(encrypted_data_base64)
    def decrypt_task_data(self, encrypted_data_base64: str) -> dict:
        """
        解密任务数据
        Args:
            encrypted_data_base64: Base64编码的加密数据
        Returns:
            解密后的任务数据（字典）
        """
        # 1. Base64 解码
        encrypted_bytes = base64.b64decode(encrypted_data_base64)
        # 2. 分离 IV 和加密数据（包含认证标签）
        if len(encrypted_bytes) < 12:
            raise ValueError("加密数据格式错误：数据长度不足")
        iv = encrypted_bytes[:12]  # IV: 前12字节
        ciphertext_with_tag = encrypted_bytes[12:]  # 加密数据 + 认证标签
        # 3. 使用 AES-256-GCM 解密
        aesgcm = AESGCM(self._key)
        decrypted_bytes = aesgcm.decrypt(iv, ciphertext_with_tag, None)
        # 4. 解析 JSON
        decrypted_json = decrypted_bytes.decode('utf-8')
        task_data = json.loads(decrypted_json)
        return task_data
 # 使用示例
 if __name__ == "__main__":
    # 工具箱的授权信息（必须与平台绑定时一致）
    licence = "LIC-8F2A-XXXX"
    fingerprint = "FP-2c91e9f3"
    # 创建解码器
    decoder = TaskQRCodeDecoder(licence, fingerprint)
    # 扫描二维码并解密
    try:
        task_data = decoder.scan_qr_code("task_qr_code.png")
        print("\n=== 任务信息 ===")
        print(f"任务ID: {task_data['taskId']}")
        print(f"企业ID: {task_data['enterpriseId']}")
        print(f"单位名称: {task_data['orgName']}")
        print(f"检查ID: {task_data['inspectionId']}")
        print(f"检查人: {task_data['inspectionPerson']}")
        print(f"发布时间: {task_data['issuedAt']}")
        # 可以使用任务信息执行检查任务
        # execute_inspection_task(task_data)
    except Exception as e:
        print(f"解密失败: {e}")
 ```
 ### 5.2 Java/Kotlin 完整示例（包含二维码扫描）
 ```kotlin
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.google.zxing.BinaryBitmap
 import com.google.zxing.MultiFormatReader
 import com.google.zxing.Result
 import com.google.zxing.client.j2se.BufferedImageLuminanceSource
 import com.google.zxing.common.HybridBinarizer
 import java.awt.image.BufferedImage
 import java.io.File
 import java.nio.charset.StandardCharsets
 import java.security.MessageDigest
 import java.util.Base64
 import javax.crypto.Cipher
 import javax.crypto.spec.GCMParameterSpec
 import javax.crypto.spec.SecretKeySpec
 import javax.imageio.ImageIO
 class TaskQRCodeDecoder(
    private val licence: String,
    private val fingerprint: String
 ) {
    private val key: SecretKeySpec by lazy {
        val combined = "$licence$fingerprint"
        val digest = MessageDigest.getInstance("SHA-256")
        val keyBytes = digest.digest(combined.toByteArray(StandardCharsets.UTF_8))
        SecretKeySpec(keyBytes, "AES")
    }
    private val objectMapper = ObjectMapper()
    /**
     * 扫描二维码并解密任务数据
     */
    fun scanAndDecrypt(qrImagePath: String): Map<String, Any> {
        // 1. 扫描二维码
        val image: BufferedImage = ImageIO.read(File(qrImagePath))
        val source = BufferedImageLuminanceSource(image)
        val bitmap = BinaryBitmap(HybridBinarizer(source))
        val reader = MultiFormatReader()
        val result: Result = reader.decode(bitmap)
        // 获取二维码内容（Base64编码的加密数据）
        val encryptedDataBase64 = result.text
        println("扫描到二维码内容: ${encryptedDataBase64.take(50)}...")
        // 2. 解密任务数据
        return decryptTaskData(encryptedDataBase64)
    }
    /**
     * 解密任务数据
     */
    fun decryptTaskData(encryptedDataBase64: String): Map<String, Any> {
        // 1. Base64 解码
        val encryptedBytes = Base64.getDecoder().decode(encryptedDataBase64)
        // 2. 分离 IV 和加密数据（包含认证标签）
        if (encryptedBytes.size < 12) {
            throw IllegalArgumentException("加密数据格式错误：数据长度不足")
        }
        val iv = encryptedBytes.sliceArray(0 until 12)
        val ciphertextWithTag = encryptedBytes.sliceArray(12 until encryptedBytes.size)
        // 3. 使用 AES-256-GCM 解密
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        val parameterSpec = GCMParameterSpec(16 * 8, iv) // 标签长度以位为单位
        cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec)
        // 解密数据（GCM 会自动验证认证标签）
        val decryptedBytes = cipher.doFinal(ciphertextWithTag)
        // 4. 解析 JSON
        val decryptedJson = String(decryptedBytes, StandardCharsets.UTF_8)
        @Suppress("UNCHECKED_CAST")
        return objectMapper.readValue(decryptedJson, Map::class.java) as Map<String, Any>
    }
 }
 // 使用示例
 fun main() {
    // 工具箱的授权信息（必须与平台绑定时一致）
    val licence = "LIC-8F2A-XXXX"
    val fingerprint = "FP-2c91e9f3"
    // 创建解码器
    val decoder = TaskQRCodeDecoder(licence, fingerprint)
    // 扫描二维码并解密
    try {
        val taskData = decoder.scanAndDecrypt("task_qr_code.png")
        println("\n=== 任务信息 ===")
        println("任务ID: ${taskData["taskId"]}")
        println("企业ID: ${taskData["enterpriseId"]}")
        println("单位名称: ${taskData["orgName"]}")
        println("检查ID: ${taskData["inspectionId"]}")
        println("检查人: ${taskData["inspectionPerson"]}")
        println("发布时间: ${taskData["issuedAt"]}")
        // 可以使用任务信息执行检查任务
        // executeInspectionTask(taskData)
    } catch (e: Exception) {
        println("解密失败: ${e.message}")
    }
 }
 ```
 ## 六、常见错误和注意事项
 ### 6.1 解密失败
 **可能原因**：
 1. **密钥不匹配**：`licence` 或 `fingerprint` 与平台绑定时不一致
   - 确保使用与设备授权时相同的 `licence` 和 `fingerprint`
   - 检查字符串拼接是否正确（无分隔符）
 2. **数据格式错误**：Base64 编码或数据布局错误
   - 确保 Base64 解码正确
   - 确保 IV 长度正确（12 字节）
 3. **认证标签验证失败**：数据被篡改或损坏
   - GCM 模式会自动验证认证标签
   - 如果验证失败，说明数据被篡改或密钥错误
 4. **算法不匹配**：必须使用 `AES/GCM/NoPadding`
   - 确保使用正确的加密算法
   - 确保认证标签长度为 128 位（16 字节）
 ### 6.2 二维码扫描失败
 **可能原因**：
 1. **二维码图片质量差**：确保图片清晰，有足够的对比度
 2. **二维码内容过长**：如果加密数据过长，可能需要更高版本的二维码
 3. **扫描库不支持**：确保使用支持 Base64 字符串的二维码扫描库
 ### 6.3 JSON 解析失败
 **可能原因**：
 1. **字符编码错误**：确保使用 UTF-8 编码
 2. **JSON 格式错误**：确保解密后的字符串是有效的 JSON
 3. **字段缺失**：确保所有必需字段都存在
 ## 七、安全设计说明
 ### 7.1 为什么使用 AES-256-GCM
 1. **认证加密（AEAD）**：GCM 模式提供加密和认证，防止数据被篡改
 2. **强安全性**：AES-256 提供 256 位密钥强度
 3. **自动验证**：GCM 模式会自动验证认证标签，任何篡改都会导致解密失败
 ### 7.2 为什么第三方无法解密
 1. **密钥绑定**：只有拥有正确 `licence + fingerprint` 的工具箱才能生成正确的密钥
 2. **认证标签**：GCM 模式会验证认证标签，任何篡改都会导致解密失败
 3. **密钥唯一性**：每个设备的 `licence + fingerprint` 组合是唯一的
 ### 7.3 密钥生成的安全性
 1. **SHA-256 哈希**：使用强哈希算法生成密钥
 2. **密钥长度**：使用全部 32 字节作为 AES-256 密钥
 3. **密钥隔离**：每个设备的密钥是独立的，互不影响
 ## 八、测试建议
 1. **单元测试**：
   - 测试密钥生成是否正确
   - 测试解密功能是否正常
   - 测试 JSON 解析是否正确
 2. **集成测试**：
   - 使用真实平台生成的二维码进行测试
   - 测试不同长度的任务数据
   - 测试错误的密钥是否会导致解密失败
 3. **边界测试**：
   - 测试超长的任务数据
   - 测试特殊字符的处理
   - 测试错误的 Base64 格式
 ## 九、参考实现
 - **Python**：`cryptography` 库（AES-GCM 加密）、`pyzbar` 库（二维码扫描）
 - **Java/Kotlin**：JDK `javax.crypto`（AES-GCM 加密）、ZXing 库（二维码扫描）
 - **C#**：`System.Security.Cryptography`（AES-GCM 加密）、ZXing.Net 库（二维码扫描）
 ## 十、联系支持
 如有问题，请联系平台技术支持团队获取：
 - 测试环境地址
 - 技术支持
--- a/docs/工具箱端-授权对接指南/工具箱端-报告加密与签名生成指南.md
+++ b/docs/工具箱端-授权对接指南/工具箱端-报告加密与签名生成指南.md
@@ -0,0 +1,646 @@
 # 工具箱端 - 报告加密与签名生成指南
 ## 概述
 本文档说明工具箱端如何生成加密和签名的检查报告 ZIP 文件，以确保：
 1. **授权校验**：只有合法授权的工具箱才能生成有效的报告
 2. **防篡改校验**：确保报告内容在传输过程中未被篡改
 > ### UX 集成模式补充（当前项目实现）
 >
 > 在当前集成模式中，工具箱可将原始报告 ZIP 直接上传到 UX 的 `crypto.signAndPackReport`：
 >
 > 1. UX 校验 ZIP 并提取必需文件；
 > 2. UX 生成 `deviceSignature`、`summary.json`、`META-INF/manifest.json`、`META-INF/signature.asc`；
 > 3. UX 重新打包并返回签名后的 ZIP（二进制文件响应），工具箱再用于离线介质回传平台。
 ## 一、ZIP 文件结构要求
 工具箱生成的 ZIP 文件必须包含以下文件：
 ```
 report.zip
 ├── summary.json              # 摘要信息（必须包含授权和签名字段）
 ├── assets.json               # 资产信息（用于签名校验）
 ├── vulnerabilities.json      # 漏洞信息（用于签名校验）
 ├── weakPasswords.json        # 弱密码信息（用于签名校验）
 ├── 漏洞评估报告.html         # 漏洞评估报告（用于签名校验）
 └── META-INF/
    ├── manifest.json         # 文件清单（用于 OpenPGP 签名）
    └── signature.asc         # OpenPGP 签名文件（防篡改）
 ```
 ## 二、授权校验 - 设备签名（device_signature）
 ### 2.1 目的
 设备签名用于验证报告是由合法授权的工具箱生成的，防止第三方伪造扫描结果。
 ### 2.2 密钥派生
 使用 **HKDF-SHA256** 从设备的 `licence` 和 `fingerprint` 派生签名密钥：
 ```
 K = HKDF(
    input = licence + fingerprint,        # 输入密钥材料（字符串拼接）
    salt = "AUTH_V3_SALT",                # 固定盐值
    info = "device_report_signature",     # 固定信息参数
    hash = SHA-256,                       # 哈希算法
    length = 32                           # 输出密钥长度（32字节 = 256位）
 )
 ```
 **伪代码示例**：
 ```python
 import hkdf
 # 输入密钥材料
 ikm = licence + fingerprint  # 字符串直接拼接
 # HKDF 参数
 salt = "AUTH_V3_SALT"
 info = "device_report_signature"
 key_length = 32  # 32字节 = 256位
 # 派生密钥
 derived_key = hkdf.HKDF(
    algorithm=hashlib.sha256,
    length=key_length,
    salt=salt.encode('utf-8'),
    info=info.encode('utf-8'),
    ikm=ikm.encode('utf-8')
 ).derive()
 ```
 ### 2.3 签名数据组装（严格顺序）
 签名数据必须按照以下**严格顺序**组装：
 ```
 sign_payload = 
    taskId +                                    # 任务ID（字符串）
    inspectionId +                              # 检查ID（数字转字符串）
    SHA256(assets.json) +                      # assets.json 的 SHA256（hex字符串，小写）
    SHA256(vulnerabilities.json) +             # vulnerabilities.json 的 SHA256（hex字符串，小写）
    SHA256(weakPasswords.json) +               # weakPasswords.json 的 SHA256（hex字符串，小写）
    SHA256(漏洞评估报告.html)                   # 漏洞评估报告.html 的 SHA256（hex字符串，小写）
 ```
 **重要说明**：
 - 所有字符串直接拼接，**不添加任何分隔符**
 - SHA256 哈希值必须是 **hex 字符串（小写）**，例如：`a1b2c3d4...`
 - 文件内容必须是**原始字节**，不能进行任何编码转换
 - 顺序必须严格一致，任何顺序错误都会导致签名验证失败
 **伪代码示例**：
 ```python
 import hashlib
 # 1. 读取文件内容（原始字节）
 assets_content = read_file("assets.json")
 vulnerabilities_content = read_file("vulnerabilities.json")
 weak_passwords_content = read_file("weakPasswords.json")
 report_html_content = read_file("漏洞评估报告.html")
 # 2. 计算 SHA256（hex字符串，小写）
 def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()
 assets_sha256 = sha256_hex(assets_content)
 vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
 weak_passwords_sha256 = sha256_hex(weak_passwords_content)
 report_html_sha256 = sha256_hex(report_html_content)
 # 3. 组装签名数据（严格顺序，直接拼接）
 sign_payload = (
    str(task_id) +
    str(inspection_id) +
    assets_sha256 +
    vulnerabilities_sha256 +
    weak_passwords_sha256 +
    report_html_sha256
 )
 ```
 ### 2.4 生成设备签名
 使用 **HMAC-SHA256** 计算签名：
 ```
 device_signature = Base64(HMAC-SHA256(key=K, data=sign_payload))
 ```
 **伪代码示例**：
 ```python
 import hmac
 import base64
 # 使用派生密钥计算 HMAC-SHA256
 mac = hmac.new(
    key=derived_key,                    # 派生密钥（32字节）
    msg=sign_payload.encode('utf-8'),  # 签名数据（UTF-8编码）
    digestmod=hashlib.sha256
 )
 # 计算签名
 signature_bytes = mac.digest()
 # Base64 编码
 device_signature = base64.b64encode(signature_bytes).decode('utf-8')
 ```
 ### 2.5 写入 summary.json
 将 `device_signature` 写入 `summary.json`：
 ```json
 {
  "orgId": 1173040813421105152,
  "checkId": 702286470691215417,
  "taskId": "TASK-20260115-4875",
  "licence": "LIC-8F2A-XXXX",
  "fingerprint": "FP-2c91e9f3",
  "deviceSignature": "Base64编码的签名值",
  "summary": "检查摘要信息",
  ...其他字段...
 }
 ```
 **必需字段**：
 - `licence`：设备授权码（字符串）
 - `fingerprint`：设备硬件指纹（字符串）
 - `taskId`：任务ID（字符串）
 - `deviceSignature`：设备签名（Base64字符串）
 - `checkId` 或 `inspectionId`：检查ID（数字）
 ## 三、防篡改校验 - OpenPGP 签名
 ### 3.1 目的
 OpenPGP 签名用于验证 ZIP 文件在传输过程中未被篡改，确保文件完整性。
 ### 3.2 生成 manifest.json
 创建 `META-INF/manifest.json` 文件，包含所有文件的 SHA-256 哈希值：
 ```json
 {
  "files": {
    "summary.json": "a1b2c3d4e5f6...",
    "assets.json": "b2c3d4e5f6a1...",
    "vulnerabilities.json": "c3d4e5f6a1b2...",
    "weakPasswords.json": "d4e5f6a1b2c3...",
    "漏洞评估报告.html": "e5f6a1b2c3d4..."
  }
 }
 ```
 **伪代码示例**：
 ```python
 import hashlib
 import json
 def calculate_sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()
 # 计算所有文件的 SHA256
 files_hashes = {
    "summary.json": calculate_sha256_hex(summary_content),
    "assets.json": calculate_sha256_hex(assets_content),
    "vulnerabilities.json": calculate_sha256_hex(vulnerabilities_content),
    "weakPasswords.json": calculate_sha256_hex(weak_passwords_content),
    "漏洞评估报告.html": calculate_sha256_hex(report_html_content)
 }
 # 生成 manifest.json
 manifest = {
    "files": files_hashes
 }
 manifest_json = json.dumps(manifest, ensure_ascii=False, indent=2)
 ```
 ### 3.3 生成 OpenPGP 签名
 使用工具箱的**私钥**对 `manifest.json` 进行 OpenPGP 签名，生成 `META-INF/signature.asc`：
 **伪代码示例（使用 Python gnupg）**：
 ```python
 import gnupg
 # 初始化 GPG
 gpg = gnupg.GPG()
 # 导入私钥（或使用已配置的密钥）
 # gpg.import_keys(private_key_data)
 # 对 manifest.json 进行签名
 with open('META-INF/manifest.json', 'rb') as f:
    signed_data = gpg.sign_file(
        f,
        detach=True,           # 分离式签名
        clearsign=False,      # 不使用明文签名
        output='META-INF/signature.asc'
    )
 ```
 **伪代码示例（使用 BouncyCastle - Java/Kotlin）**：
 ```kotlin
 import org.bouncycastle.openpgp.*
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPPrivateKey
 import java.io.ByteArrayOutputStream
 import java.io.FileOutputStream
 fun generatePGPSignature(
    manifestContent: ByteArray,
    privateKey: PGPPrivateKey,
    publicKey: PGPPublicKey
 ): ByteArray {
    val signatureGenerator = PGPSignatureGenerator(
        JcaPGPContentSignerBuilder(publicKey.algorithm, PGPUtil.SHA256)
    )
    signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey)
    signatureGenerator.update(manifestContent)
    val signature = signatureGenerator.generate()
    val signatureList = PGPSignatureList(signature)
    val out = ByteArrayOutputStream()
    val pgpOut = PGPObjectFactory(PGPUtil.getEncoderStream(out))
    signatureList.encode(out)
    return out.toByteArray()
 }
 ```
 ### 3.4 打包 ZIP 文件
 将所有文件打包成 ZIP 文件，确保包含：
 - 所有报告文件（summary.json、assets.json 等）
 - `META-INF/manifest.json`
 - `META-INF/signature.asc`
 **伪代码示例**：
 ```python
 import zipfile
 def create_signed_zip(output_path: str):
    with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
        # 添加报告文件
        zipf.write('summary.json', 'summary.json')
        zipf.write('assets.json', 'assets.json')
        zipf.write('vulnerabilities.json', 'vulnerabilities.json')
        zipf.write('weakPasswords.json', 'weakPasswords.json')
        zipf.write('漏洞评估报告.html', '漏洞评估报告.html')
        # 添加签名文件
        zipf.write('META-INF/manifest.json', 'META-INF/manifest.json')
        zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
 ```
 ## 四、完整流程示例
 ### 4.1 Python 完整示例
 ```python
 import hashlib
 import hmac
 import base64
 import json
 import zipfile
 import hkdf
 import gnupg
 def generate_report_zip(
    licence: str,
    fingerprint: str,
    task_id: str,
    inspection_id: int,
    output_path: str
 ):
    """
    生成带签名和加密的检查报告 ZIP 文件
    """
    # ========== 1. 读取报告文件 ==========
    assets_content = read_file("assets.json")
    vulnerabilities_content = read_file("vulnerabilities.json")
    weak_passwords_content = read_file("weakPasswords.json")
    report_html_content = read_file("漏洞评估报告.html")
    # ========== 2. 生成设备签名 ==========
    # 2.1 密钥派生
    ikm = licence + fingerprint
    salt = "AUTH_V3_SALT"
    info = "device_report_signature"
    key_length = 32
    derived_key = hkdf.HKDF(
        algorithm=hashlib.sha256,
        length=key_length,
        salt=salt.encode('utf-8'),
        info=info.encode('utf-8'),
        ikm=ikm.encode('utf-8')
    ).derive()
    # 2.2 计算文件 SHA256
    def sha256_hex(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()
    assets_sha256 = sha256_hex(assets_content)
    vulnerabilities_sha256 = sha256_hex(vulnerabilities_content)
    weak_passwords_sha256 = sha256_hex(weak_passwords_content)
    report_html_sha256 = sha256_hex(report_html_content)
    # 2.3 组装签名数据（严格顺序）
    sign_payload = (
        str(task_id) +
        str(inspection_id) +
        assets_sha256 +
        vulnerabilities_sha256 +
        weak_passwords_sha256 +
        report_html_sha256
    )
    # 2.4 计算 HMAC-SHA256
    mac = hmac.new(
        key=derived_key,
        msg=sign_payload.encode('utf-8'),
        digestmod=hashlib.sha256
    )
    device_signature = base64.b64encode(mac.digest()).decode('utf-8')
    # 2.5 生成 summary.json
    summary = {
        "orgId": 1173040813421105152,
        "checkId": inspection_id,
        "taskId": task_id,
        "licence": licence,
        "fingerprint": fingerprint,
        "deviceSignature": device_signature,
        "summary": "检查摘要信息"
    }
    summary_content = json.dumps(summary, ensure_ascii=False).encode('utf-8')
    # ========== 3. 生成 OpenPGP 签名 ==========
    # 3.1 生成 manifest.json
    files_hashes = {
        "summary.json": sha256_hex(summary_content),
        "assets.json": assets_sha256,
        "vulnerabilities.json": vulnerabilities_sha256,
        "weakPasswords.json": weak_passwords_sha256,
        "漏洞评估报告.html": report_html_sha256
    }
    manifest = {"files": files_hashes}
    manifest_content = json.dumps(manifest, ensure_ascii=False, indent=2).encode('utf-8')
    # 3.2 生成 OpenPGP 签名
    gpg = gnupg.GPG()
    with open('META-INF/manifest.json', 'wb') as f:
        f.write(manifest_content)
    with open('META-INF/manifest.json', 'rb') as f:
        signed_data = gpg.sign_file(
            f,
            detach=True,
            output='META-INF/signature.asc'
        )
    # ========== 4. 打包 ZIP 文件 ==========
    with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
        zipf.writestr('summary.json', summary_content)
        zipf.writestr('assets.json', assets_content)
        zipf.writestr('vulnerabilities.json', vulnerabilities_content)
        zipf.writestr('weakPasswords.json', weak_passwords_content)
        zipf.writestr('漏洞评估报告.html', report_html_content)
        zipf.writestr('META-INF/manifest.json', manifest_content)
        zipf.write('META-INF/signature.asc', 'META-INF/signature.asc')
    print(f"报告 ZIP 文件生成成功: {output_path}")
 ```
 ### 4.2 Java/Kotlin 完整示例
 ```kotlin
 import org.bouncycastle.crypto.digests.SHA256Digest
 import org.bouncycastle.crypto.generators.HKDFBytesGenerator
 import org.bouncycastle.crypto.params.HKDFParameters
 import java.security.MessageDigest
 import javax.crypto.Mac
 import javax.crypto.spec.SecretKeySpec
 import java.util.Base64
 import java.util.zip.ZipOutputStream
 import java.io.FileOutputStream
 fun generateReportZip(
    licence: String,
    fingerprint: String,
    taskId: String,
    inspectionId: Long,
    outputPath: String
 ) {
    // ========== 1. 读取报告文件 ==========
    val assetsContent = readFile("assets.json")
    val vulnerabilitiesContent = readFile("vulnerabilities.json")
    val weakPasswordsContent = readFile("weakPasswords.json")
    val reportHtmlContent = readFile("漏洞评估报告.html")
    // ========== 2. 生成设备签名 ==========
    // 2.1 密钥派生
    val ikm = (licence + fingerprint).toByteArray(Charsets.UTF_8)
    val salt = "AUTH_V3_SALT".toByteArray(Charsets.UTF_8)
    val info = "device_report_signature".toByteArray(Charsets.UTF_8)
    val keyLength = 32
    val hkdf = HKDFBytesGenerator(SHA256Digest())
    hkdf.init(HKDFParameters(ikm, salt, info))
    val derivedKey = ByteArray(keyLength)
    hkdf.generateBytes(derivedKey, 0, keyLength)
    // 2.2 计算文件 SHA256
    fun sha256Hex(content: ByteArray): String {
        val digest = MessageDigest.getInstance("SHA-256")
        val hashBytes = digest.digest(content)
        return hashBytes.joinToString("") { "%02x".format(it) }
    }
    val assetsSha256 = sha256Hex(assetsContent)
    val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
    val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
    val reportHtmlSha256 = sha256Hex(reportHtmlContent)
    // 2.3 组装签名数据（严格顺序）
    val signPayload = buildString {
        append(taskId)
        append(inspectionId)
        append(assetsSha256)
        append(vulnerabilitiesSha256)
        append(weakPasswordsSha256)
        append(reportHtmlSha256)
    }
    // 2.4 计算 HMAC-SHA256
    val mac = Mac.getInstance("HmacSHA256")
    val secretKey = SecretKeySpec(derivedKey, "HmacSHA256")
    mac.init(secretKey)
    val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
    val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
    // 2.5 生成 summary.json
    val summary = mapOf(
        "orgId" to 1173040813421105152L,
        "checkId" to inspectionId,
        "taskId" to taskId,
        "licence" to licence,
        "fingerprint" to fingerprint,
        "deviceSignature" to deviceSignature,
        "summary" to "检查摘要信息"
    )
    val summaryContent = objectMapper.writeValueAsString(summary).toByteArray(Charsets.UTF_8)
    // ========== 3. 生成 OpenPGP 签名 ==========
    // 3.1 生成 manifest.json
    val filesHashes = mapOf(
        "summary.json" to sha256Hex(summaryContent),
        "assets.json" to assetsSha256,
        "vulnerabilities.json" to vulnerabilitiesSha256,
        "weakPasswords.json" to weakPasswordsSha256,
        "漏洞评估报告.html" to reportHtmlSha256
    )
    val manifest = mapOf("files" to filesHashes)
    val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
    // 3.2 生成 OpenPGP 签名（使用 BouncyCastle）
    val signatureAsc = generatePGPSignature(manifestContent, privateKey, publicKey)
    // ========== 4. 打包 ZIP 文件 ==========
    ZipOutputStream(FileOutputStream(outputPath)).use { zipOut ->
        zipOut.putNextEntry(ZipEntry("summary.json"))
        zipOut.write(summaryContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("assets.json"))
        zipOut.write(assetsContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("vulnerabilities.json"))
        zipOut.write(vulnerabilitiesContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("weakPasswords.json"))
        zipOut.write(weakPasswordsContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("漏洞评估报告.html"))
        zipOut.write(reportHtmlContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("META-INF/manifest.json"))
        zipOut.write(manifestContent)
        zipOut.closeEntry()
        zipOut.putNextEntry(ZipEntry("META-INF/signature.asc"))
        zipOut.write(signatureAsc)
        zipOut.closeEntry()
    }
    println("报告 ZIP 文件生成成功: $outputPath")
 }
 ```
 ## 五、平台端验证流程
 平台端会按以下顺序验证：
 1. **OpenPGP 签名验证**（防篡改）
   - 读取 `META-INF/manifest.json` 和 `META-INF/signature.asc`
   - 使用平台公钥验证签名
   - 验证所有文件的 SHA256 是否与 manifest.json 中的哈希值匹配
 2. **设备签名验证**（授权）
   - 从 `summary.json` 提取 `licence`、`fingerprint`、`taskId`、`deviceSignature`
   - 验证 `licence + fingerprint` 是否已绑定
   - 验证 `taskId` 是否存在且属于该设备
   - 使用相同的 HKDF 派生密钥
   - 重新计算签名并与 `deviceSignature` 比较
 ## 六、常见错误和注意事项
 ### 6.1 设备签名验证失败
 **可能原因**：
 1. **密钥派生错误**：确保使用正确的 `salt` 和 `info` 参数
 2. **签名数据顺序错误**：必须严格按照 `taskId + inspectionId + SHA256(...)` 的顺序
 3. **SHA256 格式错误**：必须是 hex 字符串（小写），不能包含分隔符
 4. **文件内容错误**：确保使用原始文件内容，不能进行编码转换
 5. **licence 或 fingerprint 不匹配**：确保与平台绑定的值一致
 ### 6.2 OpenPGP 签名验证失败
 **可能原因**：
 1. **私钥不匹配**：确保使用与平台公钥对应的私钥
 2. **manifest.json 格式错误**：确保 JSON 格式正确
 3. **文件哈希值错误**：确保 manifest.json 中的哈希值与实际文件匹配
 ### 6.3 文件缺失
 **必需文件**：
 - `summary.json`（必须包含授权字段）
 - `assets.json`
 - `vulnerabilities.json`
 - `weakPasswords.json`（文件名大小写不敏感）
 - `漏洞评估报告.html`（文件名包含"漏洞评估报告"且以".html"结尾）
 - `META-INF/manifest.json`
 - `META-INF/signature.asc`
 ## 七、安全设计说明
 ### 7.1 为什么第三方无法伪造
 1. **设备签名**：
   - 只有拥有正确 `licence + fingerprint` 的设备才能派生正确的签名密钥
   - 即使第三方获取了某个设备的签名，也无法用于其他任务（`taskId` 绑定）
   - 即使第三方修改了报告内容，签名也会失效（多个文件的 SHA256 绑定）
 2. **OpenPGP 签名**：
   - 只有拥有私钥的工具箱才能生成有效签名
   - 任何文件修改都会导致哈希值不匹配
 ### 7.2 密钥分离
 使用 HKDF 的 `info` 参数区分不同用途的密钥：
 - `device_report_signature`：用于设备签名
 - 其他用途可以使用不同的 `info` 值，确保密钥隔离
 ## 八、测试建议
 1. **单元测试**：
   - 测试密钥派生是否正确
   - 测试签名生成和验证是否匹配
   - 测试文件 SHA256 计算是否正确
 2. **集成测试**：
   - 使用真实数据生成 ZIP 文件
   - 上传到平台验证是否通过
   - 测试篡改文件后验证是否失败
 3. **边界测试**：
   - 测试文件缺失的情况
   - 测试签名数据顺序错误的情况
   - 测试错误的 `licence` 或 `fingerprint` 的情况
 ## 九、参考实现
 - **HKDF 实现**：BouncyCastle（Java/Kotlin）、`hkdf` 库（Python）
 - **HMAC-SHA256**：Java `javax.crypto.Mac`、Python `hmac`
 - **OpenPGP**：BouncyCastle（Java/Kotlin）、`gnupg` 库（Python）
 ## 十、联系支持
 如有问题，请联系平台技术支持团队。
--- a/docs/工具箱端-授权对接指南/工具箱端-摘要信息二维码生成指南.md
+++ b/docs/工具箱端-授权对接指南/工具箱端-摘要信息二维码生成指南.md
@@ -0,0 +1,756 @@
 # 工具箱端 - 摘要信息二维码生成指南
 ## 概述
 本文档说明工具箱端如何生成摘要信息二维码。工具箱完成检查任务后，需要将摘要信息加密并生成二维码，供 App 扫描后上传到平台。
 > ### UX 集成模式补充（当前项目实现）
 >
 > 在当前集成模式中，工具箱将摘要明文传给 UX 的 `crypto.encryptSummary`，
 > 由 UX 执行 HKDF + AES-256-GCM 加密并返回二维码内容 JSON（`taskId + encrypted`）。
 ## 一、业务流程
 ```
 工具箱完成检查 → 准备摘要信息 → HKDF派生密钥 → AES-256-GCM加密 → 组装二维码内容 → 生成二维码
                                                                                    ↓
 App扫描二维码 → 提取taskId和encrypted → 提交到平台 → 平台解密验证 → 保存摘要信息
 ```
 ## 二、二维码内容格式
 二维码内容为 JSON 格式，包含以下字段：
 ```json
 {
  "taskId": "TASK-20260115-4875",
  "encrypted": "uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nugESrB2jUSGASTf4+5E7cLlDOmtDw7QlqS+6Hb7sn3daMSOovcna07huchHeesrJCiHV8ntEDXdCCdQOEHfkZAvy5gS8jQY41x5Qcnmqbz3qqHTmceIihTj4uqRVyKOE8jxzY6ko76jx0gW239gyFysJUTrqSPiFAr+gToi2l9SWP8ISViBmYmCY2cQtKvPfTKXwxGMid0zE/nDmb9n38X1oR05nAP0v1KaVY7iPcjsWySDGqO2iIbPzV8tQzq5TNuYqn9gvxIX/oRTFECP+aosfmOD5I8H8rVFTebyTHw+ONV3KoN2IMRqnG+a2lucbhzwQk7/cX1hs9lYm+yapmp+0MbLCtf2KMWqJPdeZqTVZgi3R181BCxo3OIwcCFTnZ/b9pdw+q8ai6SJpso5mA0TpUCvqYlGlKMZde0nj07kmLpdAm3AOg3GtPezfJu8iHmsc4PTa8RDsPgTIxcdyxNSMqo1Ws3VLQXm6DHK/kma/vbvSA/N7upPzi7wLvboig=="
 }
 ```
 ### 2.1 字段说明
 | 字段名 | 类型 | 说明 | 示例 |
 |--------|------|------|------|
 | `taskId` | String | 任务ID（从任务二维码中获取） | `"TASK-20260115-4875"` |
 | `encrypted` | String | Base64编码的加密数据 | `"uWUcAmp6UQd0w3G3..."` |
 ## 三、摘要信息数据结构
 ### 3.1 明文数据 JSON 格式
 加密前的摘要信息为 JSON 格式，包含以下字段：
 ```json
 {
  "enterpriseId": "1173040813421105152",
  "inspectionId": "702286470691215417",
  "summary": "检查摘要信息",
  "timestamp": 1734571234567
 }
 ```
 ### 3.2 字段说明
 | 字段名 | 类型 | 说明 | 示例 |
 |--------|------|------|------|
 | `enterpriseId` | String | 企业ID（从任务数据中获取） | `"1173040813421105152"` |
 | `inspectionId` | String | 检查ID（从任务数据中获取） | `"702286470691215417"` |
 | `summary` | String | 检查摘要信息 | `"检查摘要信息"` |
 | `timestamp` | Number | 时间戳（毫秒） | `1734571234567` |
 ## 四、密钥派生（HKDF-SHA256）
 ### 4.1 密钥派生参数
 使用 **HKDF-SHA256** 从 `licence + fingerprint` 派生 AES 密钥：
 ```
 AES Key = HKDF(
    input = licence + fingerprint,              # 输入密钥材料（字符串拼接）
    salt = taskId,                              # Salt值（任务ID）
    info = "inspection_report_encryption",     # Info值（固定值）
    hash = SHA-256,                             # 哈希算法
    length = 32                                 # 输出密钥长度（32字节 = 256位）
 )
 ```
 **重要说明**：
 - `ikm`（输入密钥材料）= `licence + fingerprint`（直接字符串拼接，无分隔符）
 - `salt` = `taskId`（从任务二维码中获取的任务ID）
 - `info` = `"inspection_report_encryption"`（固定值，区分不同用途的密钥）
 - `length` = `32` 字节（AES-256 密钥长度）
 ### 4.2 Python 实现示例
 ```python
 import hashlib
 import hkdf
 def derive_aes_key(licence: str, fingerprint: str, task_id: str) -> bytes:
    """
    使用 HKDF-SHA256 派生 AES-256 密钥
    Args:
        licence: 设备授权码
        fingerprint: 设备硬件指纹
        task_id: 任务ID
    Returns:
        派生出的密钥（32字节）
    """
    # 输入密钥材料
    ikm = licence + fingerprint  # 直接字符串拼接
    # HKDF 参数
    salt = task_id
    info = "inspection_report_encryption"
    key_length = 32  # 32字节 = 256位
    # 派生密钥
    derived_key = hkdf.HKDF(
        algorithm=hashlib.sha256,
        length=key_length,
        salt=salt.encode('utf-8'),
        info=info.encode('utf-8'),
        ikm=ikm.encode('utf-8')
    ).derive()
    return derived_key
 ```
 ### 4.3 Java/Kotlin 实现示例
 ```kotlin
 import org.bouncycastle.crypto.digests.SHA256Digest
 import org.bouncycastle.crypto.generators.HKDFBytesGenerator
 import org.bouncycastle.crypto.params.HKDFParameters
 import java.nio.charset.StandardCharsets
 fun deriveAesKey(licence: String, fingerprint: String, taskId: String): ByteArray {
    // 输入密钥材料
    val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
    // HKDF 参数
    val salt = taskId.toByteArray(StandardCharsets.UTF_8)
    val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
    val keyLength = 32  // 32字节 = 256位
    // 派生密钥
    val hkdf = HKDFBytesGenerator(SHA256Digest())
    val params = HKDFParameters(ikm, salt, info)
    hkdf.init(params)
    val derivedKey = ByteArray(keyLength)
    hkdf.generateBytes(derivedKey, 0, keyLength)
    return derivedKey
 }
 ```
 ## 五、AES-256-GCM 加密
 ### 5.1 加密算法
 - **算法**：AES-256-GCM（Galois/Counter Mode）
 - **密钥长度**：256 位（32 字节）
 - **IV 长度**：12 字节（96 位）
 - **认证标签长度**：16 字节（128 位）
 ### 5.2 加密数据格式
 加密后的数据格式（Base64 编码前）：
 ```
 [IV(12字节)] + [加密数据] + [认证标签(16字节)]
 ```
 **数据布局**：
 ```
 +------------------+------------------+------------------+
 |   IV (12字节)    |   加密数据       |   认证标签(16字节)|
 +------------------+------------------+------------------+
 ```
 ### 5.3 Python 实现示例
 ```python
 import base64
 import hashlib
 import hkdf
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.backends import default_backend
 import json
 import time
 def encrypt_summary_data(
    enterprise_id: str,
    inspection_id: str,
    summary: str,
    licence: str,
    fingerprint: str,
    task_id: str
 ) -> str:
    """
    加密摘要信息数据
    Args:
        enterprise_id: 企业ID
        inspection_id: 检查ID
        summary: 摘要信息
        licence: 设备授权码
        fingerprint: 设备硬件指纹
        task_id: 任务ID
    Returns:
        Base64编码的加密数据
    """
    # 1. 组装明文数据（JSON格式）
    timestamp = int(time.time() * 1000)  # 毫秒时间戳
    plaintext_map = {
        "enterpriseId": str(enterprise_id),
        "inspectionId": str(inspection_id),
        "summary": summary,
        "timestamp": timestamp
    }
    plaintext = json.dumps(plaintext_map, ensure_ascii=False)
    # 2. 使用 HKDF-SHA256 派生 AES 密钥
    ikm = licence + fingerprint
    salt = task_id
    info = "inspection_report_encryption"
    key_length = 32
    aes_key = hkdf.HKDF(
        algorithm=hashlib.sha256,
        length=key_length,
        salt=salt.encode('utf-8'),
        info=info.encode('utf-8'),
        ikm=ikm.encode('utf-8')
    ).derive()
    # 3. 使用 AES-256-GCM 加密数据
    aesgcm = AESGCM(aes_key)
    iv = os.urandom(12)  # 生成12字节随机IV
    encrypted_bytes = aesgcm.encrypt(iv, plaintext.encode('utf-8'), None)
    # 4. 组装：IV + 加密数据（包含认证标签）
    # AESGCM.encrypt 返回的格式已经是：加密数据 + 认证标签
    combined = iv + encrypted_bytes
    # 5. Base64 编码
    encrypted_base64 = base64.b64encode(combined).decode('utf-8')
    return encrypted_base64
 ```
 ### 5.4 Java/Kotlin 实现示例
 ```kotlin
 import com.fasterxml.jackson.databind.ObjectMapper
 import org.bouncycastle.crypto.digests.SHA256Digest
 import org.bouncycastle.crypto.generators.HKDFBytesGenerator
 import org.bouncycastle.crypto.params.HKDFParameters
 import java.nio.charset.StandardCharsets
 import java.security.SecureRandom
 import java.util.Base64
 import javax.crypto.Cipher
 import javax.crypto.spec.GCMParameterSpec
 import javax.crypto.spec.SecretKeySpec
 object SummaryEncryptionUtil {
    private const val ALGORITHM = "AES"
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val GCM_IV_LENGTH = 12 // 12 bytes = 96 bits
    private const val GCM_TAG_LENGTH = 16 // 16 bytes = 128 bits
    private const val GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8 // 128 bits
    private val objectMapper = ObjectMapper()
    private val secureRandom = SecureRandom()
    /**
     * 加密摘要信息数据
     */
    fun encryptSummaryData(
        enterpriseId: String,
        inspectionId: String,
        summary: String,
        licence: String,
        fingerprint: String,
        taskId: String
    ): String {
        // 1. 组装明文数据（JSON格式）
        val timestamp = System.currentTimeMillis()
        val plaintextMap = mapOf(
            "enterpriseId" to enterpriseId,
            "inspectionId" to inspectionId,
            "summary" to summary,
            "timestamp" to timestamp
        )
        val plaintext = objectMapper.writeValueAsString(plaintextMap)
        // 2. 使用 HKDF-SHA256 派生 AES 密钥
        val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
        val salt = taskId.toByteArray(StandardCharsets.UTF_8)
        val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
        val keyLength = 32
        val hkdf = HKDFBytesGenerator(SHA256Digest())
        val params = HKDFParameters(ikm, salt, info)
        hkdf.init(params)
        val aesKey = ByteArray(keyLength)
        hkdf.generateBytes(aesKey, 0, keyLength)
        // 3. 使用 AES-256-GCM 加密数据
        val iv = ByteArray(GCM_IV_LENGTH)
        secureRandom.nextBytes(iv)
        val secretKey = SecretKeySpec(aesKey, ALGORITHM)
        val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
        val plaintextBytes = plaintext.toByteArray(StandardCharsets.UTF_8)
        val encryptedBytes = cipher.doFinal(plaintextBytes)
        // 4. 组装：IV + 加密数据（包含认证标签）
        // GCM 模式会将认证标签附加到密文末尾
        val ciphertext = encryptedBytes.sliceArray(0 until encryptedBytes.size - GCM_TAG_LENGTH)
        val tag = encryptedBytes.sliceArray(encryptedBytes.size - GCM_TAG_LENGTH until encryptedBytes.size)
        val combined = iv + ciphertext + tag
        // 5. Base64 编码
        return Base64.getEncoder().encodeToString(combined)
    }
 }
 ```
 ## 六、组装二维码内容
 ### 6.1 二维码内容 JSON
 将 `taskId` 和加密后的 `encrypted` 组装成 JSON 格式：
 ```json
 {
  "taskId": "TASK-20260115-4875",
  "encrypted": "Base64编码的加密数据"
 }
 ```
 ### 6.2 Python 实现示例
 ```python
 import json
 def generate_qr_code_content(task_id: str, encrypted: str) -> str:
    """
    生成二维码内容（JSON格式）
    Args:
        task_id: 任务ID
        encrypted: Base64编码的加密数据
    Returns:
        JSON格式的字符串
    """
    qr_content = {
        "taskId": task_id,
        "encrypted": encrypted
    }
    return json.dumps(qr_content, ensure_ascii=False)
 ```
 ## 七、完整流程示例
 ### 7.1 Python 完整示例
 ```python
 import base64
 import json
 import time
 import hashlib
 import hkdf
 import qrcode
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 import os
 class SummaryQRCodeGenerator:
    """摘要信息二维码生成器"""
    def __init__(self, licence: str, fingerprint: str):
        """
        初始化生成器
        Args:
            licence: 设备授权码
            fingerprint: 设备硬件指纹
        """
        self.licence = licence
        self.fingerprint = fingerprint
    def generate_summary_qr_code(
        self,
        task_id: str,
        enterprise_id: str,
        inspection_id: str,
        summary: str,
        output_path: str = "summary_qr.png"
    ) -> str:
        """
        生成摘要信息二维码
        Args:
            task_id: 任务ID（从任务二维码中获取）
            enterprise_id: 企业ID（从任务数据中获取）
            inspection_id: 检查ID（从任务数据中获取）
            summary: 摘要信息
            output_path: 二维码图片保存路径
        Returns:
            二维码内容（JSON字符串）
        """
        # 1. 组装明文数据（JSON格式）
        timestamp = int(time.time() * 1000)  # 毫秒时间戳
        plaintext_map = {
            "enterpriseId": str(enterprise_id),
            "inspectionId": str(inspection_id),
            "summary": summary,
            "timestamp": timestamp
        }
        plaintext = json.dumps(plaintext_map, ensure_ascii=False)
        print(f"明文数据: {plaintext}")
        # 2. 使用 HKDF-SHA256 派生 AES 密钥
        ikm = self.licence + self.fingerprint
        salt = task_id
        info = "inspection_report_encryption"
        key_length = 32
        aes_key = hkdf.HKDF(
            algorithm=hashlib.sha256,
            length=key_length,
            salt=salt.encode('utf-8'),
            info=info.encode('utf-8'),
            ikm=ikm.encode('utf-8')
        ).derive()
        print(f"密钥派生成功: {len(aes_key)} 字节")
        # 3. 使用 AES-256-GCM 加密数据
        aesgcm = AESGCM(aes_key)
        iv = os.urandom(12)  # 生成12字节随机IV
        encrypted_bytes = aesgcm.encrypt(iv, plaintext.encode('utf-8'), None)
        # 组装：IV + 加密数据（包含认证标签）
        combined = iv + encrypted_bytes
        # Base64 编码
        encrypted_base64 = base64.b64encode(combined).decode('utf-8')
        print(f"加密成功: {encrypted_base64[:50]}...")
        # 4. 组装二维码内容（JSON格式）
        qr_content = {
            "taskId": task_id,
            "encrypted": encrypted_base64
        }
        qr_content_json = json.dumps(qr_content, ensure_ascii=False)
        print(f"二维码内容: {qr_content_json[:100]}...")
        # 5. 生成二维码
        qr = qrcode.QRCode(
            version=1,
            error_correction=qrcode.constants.ERROR_CORRECT_M,
            box_size=10,
            border=4,
        )
        qr.add_data(qr_content_json)
        qr.make(fit=True)
        img = qr.make_image(fill_color="black", back_color="white")
        img.save(output_path)
        print(f"二维码已生成: {output_path}")
        return qr_content_json
 # 使用示例
 if __name__ == "__main__":
    # 工具箱的授权信息（必须与平台绑定时一致）
    licence = "LIC-8F2A-XXXX"
    fingerprint = "FP-2c91e9f3"
    # 创建生成器
    generator = SummaryQRCodeGenerator(licence, fingerprint)
    # 从任务二维码中获取的信息
    task_id = "TASK-20260115-4875"
    enterprise_id = "1173040813421105152"
    inspection_id = "702286470691215417"
    summary = "检查摘要信息：发现3个高危漏洞，5个中危漏洞"
    # 生成二维码
    qr_content = generator.generate_summary_qr_code(
        task_id=task_id,
        enterprise_id=enterprise_id,
        inspection_id=inspection_id,
        summary=summary,
        output_path="summary_qr_code.png"
    )
    print(f"\n二维码内容:\n{qr_content}")
 ```
 ### 7.2 Java/Kotlin 完整示例
 ```kotlin
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.google.zxing.BarcodeFormat
 import com.google.zxing.EncodeHintType
 import com.google.zxing.qrcode.QRCodeWriter
 import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
 import org.bouncycastle.crypto.digests.SHA256Digest
 import org.bouncycastle.crypto.generators.HKDFBytesGenerator
 import org.bouncycastle.crypto.params.HKDFParameters
 import java.awt.image.BufferedImage
 import java.nio.charset.StandardCharsets
 import java.security.SecureRandom
 import java.util.Base64
 import javax.crypto.Cipher
 import javax.crypto.spec.GCMParameterSpec
 import javax.crypto.spec.SecretKeySpec
 import javax.imageio.ImageIO
 import java.io.File
 class SummaryQRCodeGenerator(
    private val licence: String,
    private val fingerprint: String
 ) {
    private const val ALGORITHM = "AES"
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val GCM_IV_LENGTH = 12
    private const val GCM_TAG_LENGTH = 16
    private const val GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8
    private val objectMapper = ObjectMapper()
    private val secureRandom = SecureRandom()
    /**
     * 生成摘要信息二维码
     */
    fun generateSummaryQRCode(
        taskId: String,
        enterpriseId: String,
        inspectionId: String,
        summary: String,
        outputPath: String = "summary_qr.png"
    ): String {
        // 1. 组装明文数据（JSON格式）
        val timestamp = System.currentTimeMillis()
        val plaintextMap = mapOf(
            "enterpriseId" to enterpriseId,
            "inspectionId" to inspectionId,
            "summary" to summary,
            "timestamp" to timestamp
        )
        val plaintext = objectMapper.writeValueAsString(plaintextMap)
        println("明文数据: $plaintext")
        // 2. 使用 HKDF-SHA256 派生 AES 密钥
        val ikm = (licence + fingerprint).toByteArray(StandardCharsets.UTF_8)
        val salt = taskId.toByteArray(StandardCharsets.UTF_8)
        val info = "inspection_report_encryption".toByteArray(StandardCharsets.UTF_8)
        val keyLength = 32
        val hkdf = HKDFBytesGenerator(SHA256Digest())
        val params = HKDFParameters(ikm, salt, info)
        hkdf.init(params)
        val aesKey = ByteArray(keyLength)
        hkdf.generateBytes(aesKey, 0, keyLength)
        println("密钥派生成功: ${aesKey.size} 字节")
        // 3. 使用 AES-256-GCM 加密数据
        val iv = ByteArray(GCM_IV_LENGTH)
        secureRandom.nextBytes(iv)
        val secretKey = SecretKeySpec(aesKey, ALGORITHM)
        val gcmSpec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
        val plaintextBytes = plaintext.toByteArray(StandardCharsets.UTF_8)
        val encryptedBytes = cipher.doFinal(plaintextBytes)
        // 组装：IV + 加密数据（包含认证标签）
        val ciphertext = encryptedBytes.sliceArray(0 until encryptedBytes.size - GCM_TAG_LENGTH)
        val tag = encryptedBytes.sliceArray(encryptedBytes.size - GCM_TAG_LENGTH until encryptedBytes.size)
        val combined = iv + ciphertext + tag
        // Base64 编码
        val encryptedBase64 = Base64.getEncoder().encodeToString(combined)
        println("加密成功: ${encryptedBase64.take(50)}...")
        // 4. 组装二维码内容（JSON格式）
        val qrContent = mapOf(
            "taskId" to taskId,
            "encrypted" to encryptedBase64
        )
        val qrContentJson = objectMapper.writeValueAsString(qrContent)
        println("二维码内容: ${qrContentJson.take(100)}...")
        // 5. 生成二维码
        val hints = hashMapOf<EncodeHintType, Any>().apply {
            put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
            put(EncodeHintType.CHARACTER_SET, "UTF-8")
            put(EncodeHintType.MARGIN, 1)
        }
        val writer = QRCodeWriter()
        val bitMatrix = writer.encode(qrContentJson, BarcodeFormat.QR_CODE, 300, 300, hints)
        val width = bitMatrix.width
        val height = bitMatrix.height
        val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
        for (x in 0 until width) {
            for (y in 0 until height) {
                image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
            }
        }
        ImageIO.write(image, "PNG", File(outputPath))
        println("二维码已生成: $outputPath")
        return qrContentJson
    }
 }
 // 使用示例
 fun main() {
    // 工具箱的授权信息（必须与平台绑定时一致）
    val licence = "LIC-8F2A-XXXX"
    val fingerprint = "FP-2c91e9f3"
    // 创建生成器
    val generator = SummaryQRCodeGenerator(licence, fingerprint)
    // 从任务二维码中获取的信息
    val taskId = "TASK-20260115-4875"
    val enterpriseId = "1173040813421105152"
    val inspectionId = "702286470691215417"
    val summary = "检查摘要信息：发现3个高危漏洞，5个中危漏洞"
    // 生成二维码
    val qrContent = generator.generateSummaryQRCode(
        taskId = taskId,
        enterpriseId = enterpriseId,
        inspectionId = inspectionId,
        summary = summary,
        outputPath = "summary_qr_code.png"
    )
    println("\n二维码内容:\n$qrContent")
 }
 ```
 ## 八、平台端验证流程
 平台端会按以下流程验证：
 1. **接收请求**：App 扫描二维码后，将 `taskId` 和 `encrypted` 提交到平台
 2. **查询任务**：根据 `taskId` 查询任务记录，获取 `deviceLicenceId`
 3. **获取设备信息**：根据 `deviceLicenceId` 查询设备授权记录，获取 `licence` 和 `fingerprint`
 4. **密钥派生**：使用相同的 HKDF 参数派生 AES 密钥
 5. **解密数据**：使用 AES-256-GCM 解密（自动验证认证标签）
 6. **时间戳校验**：验证 `timestamp` 是否在合理范围内（防止重放攻击）
 7. **保存摘要**：将摘要信息保存到数据库
 ## 九、常见错误和注意事项
 ### 9.1 加密失败
 **可能原因**：
 1. **密钥派生错误**：确保使用正确的 HKDF 参数
   - `ikm` = `licence + fingerprint`（直接字符串拼接）
   - `salt` = `taskId`（必须与任务二维码中的 taskId 一致）
   - `info` = `"inspection_report_encryption"`（固定值）
   - `length` = `32` 字节
 2. **数据格式错误**：确保 JSON 格式正确
   - 字段名和类型必须匹配
   - 时间戳必须是数字类型（毫秒）
 3. **IV 生成错误**：确保使用安全的随机数生成器生成 12 字节 IV
 ### 9.2 平台验证失败
 **可能原因**：
 1. **taskId 不匹配**：确保二维码中的 `taskId` 与任务二维码中的 `taskId` 一致
 2. **密钥不匹配**：确保 `licence` 和 `fingerprint` 与平台绑定时一致
 3. **时间戳过期**：平台会验证时间戳，确保时间戳在合理范围内
 4. **认证标签验证失败**：数据被篡改或密钥错误
 ### 9.3 二维码生成失败
 **可能原因**：
 1. **内容过长**：如果加密数据过长，可能需要更高版本的二维码
 2. **JSON 格式错误**：确保 JSON 格式正确
 3. **字符编码错误**：确保使用 UTF-8 编码
 ## 十、安全设计说明
 ### 10.1 为什么使用 HKDF
 1. **密钥分离**：使用 `info` 参数区分不同用途的密钥
 2. **Salt 随机性**：使用 `taskId` 作为 salt，确保每个任务的密钥不同
 3. **密钥扩展**：HKDF 提供更好的密钥扩展性
 ### 10.2 为什么第三方无法伪造
 1. **密钥绑定**：只有拥有正确 `licence + fingerprint` 的工具箱才能生成正确的密钥
 2. **任务绑定**：使用 `taskId` 作为 salt，确保密钥与特定任务绑定
 3. **认证加密**：GCM 模式提供认证加密，任何篡改都会导致解密失败
 4. **时间戳校验**：平台会验证时间戳，防止重放攻击
 ### 10.3 密钥派生参数的重要性
 - **ikm**：`licence + fingerprint` 是设备唯一标识
 - **salt**：`taskId` 确保每个任务使用不同的密钥
 - **info**：`"inspection_report_encryption"` 区分不同用途的密钥
 - **length**：`32` 字节提供 256 位密钥强度
 ## 十一、测试建议
 1. **单元测试**：
   - 测试密钥派生是否正确
   - 测试加密和解密是否匹配
   - 测试 JSON 格式是否正确
 2. **集成测试**：
   - 使用真实任务数据生成二维码
   - App 扫描二维码并提交到平台
   - 验证平台是否能正确解密和验证
 3. **边界测试**：
   - 测试超长的摘要信息
   - 测试特殊字符的处理
   - 测试错误的 taskId 是否会导致解密失败
 ## 十二、参考实现
 - **Python**：`hkdf` 库（HKDF）、`cryptography` 库（AES-GCM）、`qrcode` 库（二维码生成）
 - **Java/Kotlin**：BouncyCastle（HKDF）、JDK `javax.crypto`（AES-GCM）、ZXing 库（二维码生成）
 - **C#**：BouncyCastle.Net（HKDF）、`System.Security.Cryptography`（AES-GCM）、ZXing.Net 库（二维码生成）
 ## 十三、联系支持
 如有问题，请联系平台技术支持团队获取：
 - 测试环境地址
 - 技术支持
--- a/docs/工具箱端-授权对接指南/工具箱端-设备授权二维码生成指南.md
+++ b/docs/工具箱端-授权对接指南/工具箱端-设备授权二维码生成指南.md
@@ -0,0 +1,601 @@
 # 工具箱端 - 设备授权二维码生成指南
 ## 概述
 本文档说明工具箱端如何生成设备授权二维码，用于设备首次授权和绑定。App 扫描二维码后，会将加密的设备信息提交到平台完成授权校验和绑定。
 > ### UX 集成模式补充（当前项目实现）
 >
 > 在当前集成模式中，工具箱不直接执行 RSA 加密，而是调用 UX 接口：
 >
 > 1. 工具箱先调用 `device.register` 传入 `licence` 与平台公钥，`fingerprint` 由 UX 本机计算并入库。
 > 2. 工具箱再调用 `crypto.encryptDeviceInfo` 获取加密后的 Base64 密文。
 > 3. 工具箱将该密文生成二维码供 App 扫码提交平台。
 ## 一、业务流程
 ```
 工具箱 → 生成设备信息 → RSA-OAEP加密 → Base64编码 → 生成二维码
                                                          ↓
 App扫描二维码 → 提取加密数据 → 调用平台接口 → 平台解密验证 → 授权成功
 ```
 ## 二、设备信息准备
 ### 2.1 设备信息字段
 工具箱需要准备以下设备信息：
 | 字段名 | 类型 | 说明 | 示例 |
 |--------|------|------|------|
 | `licence` | String | 设备授权码（工具箱唯一标识） | `"LIC-8F2A-XXXX"` |
 | `fingerprint` | String | 设备硬件指纹（设备唯一标识） | `"FP-2c91e9f3"` |
 ### 2.2 生成设备信息 JSON
 将设备信息组装成 JSON 格式：
 ```json
 {
  "licence": "LIC-8F2A-XXXX",
  "fingerprint": "FP-2c91e9f3"
 }
 ```
 **重要说明**：
 - `licence` 和 `fingerprint` 必须是字符串类型
 - JSON 格式必须正确，不能有多余的逗号或格式错误
 - 建议使用标准的 JSON 库生成，避免手动拼接
 **伪代码示例**：
 ```python
 import json
 device_info = {
    "licence": "LIC-8F2A-XXXX",      # 工具箱授权码
    "fingerprint": "FP-2c91e9f3"     # 设备硬件指纹
 }
 # 转换为 JSON 字符串
 device_info_json = json.dumps(device_info, ensure_ascii=False)
 # 结果: {"licence":"LIC-8F2A-XXXX","fingerprint":"FP-2c91e9f3"}
 ```
 ## 三、RSA-OAEP 加密
 ### 3.1 加密算法
 使用 **RSA-OAEP** 非对称加密算法：
 - **算法名称**：`RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
 - **密钥长度**：2048 位（推荐）
 - **填充方式**：OAEP with SHA-256 and MGF1
 - **加密方向**：使用**平台公钥**加密，平台使用私钥解密
 ### 3.2 获取平台公钥
 平台公钥需要从平台获取，通常以 **Base64 编码**的字符串形式提供。
 **公钥格式**：
 - 格式：X.509 标准格式（DER 编码）
 - 存储：Base64 编码的字符串
 - 示例：`MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB`
 ### 3.3 加密步骤
 1. **加载平台公钥**：从 Base64 字符串加载公钥对象
 2. **初始化加密器**：使用 `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` 算法
 3. **加密数据**：使用公钥加密设备信息 JSON 字符串（UTF-8 编码）
 4. **Base64 编码**：将加密后的字节数组进行 Base64 编码
 ### 3.4 Python 实现示例
 ```python
 import base64
 import json
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.backends import default_backend
 def encrypt_device_info(licence: str, fingerprint: str, platform_public_key_base64: str) -> str:
    """
    使用平台公钥加密设备信息
    Args:
        licence: 设备授权码
        fingerprint: 设备硬件指纹
        platform_public_key_base64: 平台公钥（Base64编码）
    Returns:
        Base64编码的加密数据
    """
    # 1. 组装设备信息 JSON
    device_info = {
        "licence": licence,
        "fingerprint": fingerprint
    }
    device_info_json = json.dumps(device_info, ensure_ascii=False)
    # 2. 加载平台公钥
    public_key_bytes = base64.b64decode(platform_public_key_base64)
    public_key = serialization.load_der_public_key(
        public_key_bytes,
        backend=default_backend()
    )
    # 3. 使用 RSA-OAEP 加密
    # OAEP padding with SHA-256 and MGF1
    encrypted_bytes = public_key.encrypt(
        device_info_json.encode('utf-8'),
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    # 4. Base64 编码
    encrypted_base64 = base64.b64encode(encrypted_bytes).decode('utf-8')
    return encrypted_base64
 ```
 ### 3.5 Java/Kotlin 实现示例
 ```kotlin
 import java.security.KeyFactory
 import java.security.PublicKey
 import java.security.spec.X509EncodedKeySpec
 import java.util.Base64
 import javax.crypto.Cipher
 import java.nio.charset.StandardCharsets
 object DeviceAuthorizationUtil {
    private const val CIPHER_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
    /**
     * 使用平台公钥加密设备信息
     * 
     * @param licence 设备授权码
     * @param fingerprint 设备硬件指纹
     * @param platformPublicKeyBase64 平台公钥（Base64编码）
     * @return Base64编码的加密数据
     */
    fun encryptDeviceInfo(
        licence: String,
        fingerprint: String,
        platformPublicKeyBase64: String
    ): String {
        // 1. 组装设备信息 JSON
        val deviceInfo = mapOf(
            "licence" to licence,
            "fingerprint" to fingerprint
        )
        val deviceInfoJson = objectMapper.writeValueAsString(deviceInfo)
        // 2. 加载平台公钥
        val publicKeyBytes = Base64.getDecoder().decode(platformPublicKeyBase64)
        val keySpec = X509EncodedKeySpec(publicKeyBytes)
        val keyFactory = KeyFactory.getInstance("RSA")
        val publicKey = keyFactory.generatePublic(keySpec)
        // 3. 使用 RSA-OAEP 加密
        val cipher = Cipher.getInstance(CIPHER_ALGORITHM)
        cipher.init(Cipher.ENCRYPT_MODE, publicKey)
        val encryptedBytes = cipher.doFinal(deviceInfoJson.toByteArray(StandardCharsets.UTF_8))
        // 4. Base64 编码
        return Base64.getEncoder().encodeToString(encryptedBytes)
    }
 }
 ```
 ### 3.6 C# 实现示例
 ```csharp
 using System;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 public class DeviceAuthorizationUtil
 {
    private const string CipherAlgorithm = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    /// <summary>
    /// 使用平台公钥加密设备信息
    /// </summary>
    public static string EncryptDeviceInfo(
        string licence, 
        string fingerprint, 
        string platformPublicKeyBase64)
    {
        // 1. 组装设备信息 JSON
        var deviceInfo = new
        {
            licence = licence,
            fingerprint = fingerprint
        };
        var deviceInfoJson = JsonSerializer.Serialize(deviceInfo);
        // 2. 加载平台公钥
        var publicKeyBytes = Convert.FromBase64String(platformPublicKeyBase64);
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(publicKeyBytes, out _);
        // 3. 使用 RSA-OAEP 加密
        var encryptedBytes = rsa.Encrypt(
            Encoding.UTF8.GetBytes(deviceInfoJson),
            RSAEncryptionPadding.OaepSHA256
        );
        // 4. Base64 编码
        return Convert.ToBase64String(encryptedBytes);
    }
 }
 ```
 ## 四、生成二维码
 ### 4.1 二维码内容
 二维码内容就是加密后的 **Base64 编码字符串**（不是 JSON 格式）。
 **示例**：
 ```
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB...
 ```
 ### 4.2 二维码生成
 使用标准的二维码生成库生成二维码图片。
 **Python 示例（使用 qrcode 库）**：
 ```python
 import qrcode
 from PIL import Image
 def generate_qr_code(encrypted_data: str, output_path: str = "device_qr.png"):
    """
    生成设备授权二维码
    Args:
        encrypted_data: Base64编码的加密数据
        output_path: 二维码图片保存路径
    """
    qr = qrcode.QRCode(
        version=1,                      # 控制二维码大小（1-40）
        error_correction=qrcode.constants.ERROR_CORRECT_M,  # 错误纠正级别
        box_size=10,                    # 每个小方块的像素数
        border=4,                       # 边框的厚度
    )
    qr.add_data(encrypted_data)
    qr.make(fit=True)
    # 创建二维码图片
    img = qr.make_image(fill_color="black", back_color="white")
    img.save(output_path)
    print(f"二维码已生成: {output_path}")
 ```
 **Java/Kotlin 示例（使用 ZXing 库）**：
 ```kotlin
 import com.google.zxing.BarcodeFormat
 import com.google.zxing.EncodeHintType
 import com.google.zxing.qrcode.QRCodeWriter
 import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
 import java.awt.image.BufferedImage
 import javax.imageio.ImageIO
 import java.io.File
 fun generateQRCode(encryptedData: String, outputPath: String = "device_qr.png") {
    val hints = hashMapOf<EncodeHintType, Any>().apply {
        put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
        put(EncodeHintType.CHARACTER_SET, "UTF-8")
        put(EncodeHintType.MARGIN, 1)
    }
    val writer = QRCodeWriter()
    val bitMatrix = writer.encode(encryptedData, BarcodeFormat.QR_CODE, 300, 300, hints)
    val width = bitMatrix.width
    val height = bitMatrix.height
    val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
    for (x in 0 until width) {
        for (y in 0 until height) {
            image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
        }
    }
    ImageIO.write(image, "PNG", File(outputPath))
    println("二维码已生成: $outputPath")
 }
 ```
 ## 五、完整流程示例
 ### 5.1 Python 完整示例
 ```python
 import json
 import base64
 import qrcode
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.backends import default_backend
 def generate_device_authorization_qr(
    licence: str,
    fingerprint: str,
    platform_public_key_base64: str,
    qr_output_path: str = "device_qr.png"
 ) -> str:
    """
    生成设备授权二维码
    Args:
        licence: 设备授权码
        fingerprint: 设备硬件指纹
        platform_public_key_base64: 平台公钥（Base64编码）
        qr_output_path: 二维码图片保存路径
    Returns:
        加密后的Base64字符串（二维码内容）
    """
    # 1. 组装设备信息 JSON
    device_info = {
        "licence": licence,
        "fingerprint": fingerprint
    }
    device_info_json = json.dumps(device_info, ensure_ascii=False)
    print(f"设备信息 JSON: {device_info_json}")
    # 2. 加载平台公钥
    public_key_bytes = base64.b64decode(platform_public_key_base64)
    public_key = serialization.load_der_public_key(
        public_key_bytes,
        backend=default_backend()
    )
    # 3. 使用 RSA-OAEP 加密
    encrypted_bytes = public_key.encrypt(
        device_info_json.encode('utf-8'),
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    # 4. Base64 编码
    encrypted_base64 = base64.b64encode(encrypted_bytes).decode('utf-8')
    print(f"加密后的 Base64: {encrypted_base64[:100]}...")  # 只显示前100个字符
    # 5. 生成二维码
    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_M,
        box_size=10,
        border=4,
    )
    qr.add_data(encrypted_base64)
    qr.make(fit=True)
    img = qr.make_image(fill_color="black", back_color="white")
    img.save(qr_output_path)
    print(f"二维码已生成: {qr_output_path}")
    return encrypted_base64
 # 使用示例
 if __name__ == "__main__":
    # 平台公钥（示例，实际使用时需要从平台获取）
    platform_public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB"
    # 设备信息
    licence = "LIC-8F2A-XXXX"
    fingerprint = "FP-2c91e9f3"
    # 生成二维码
    encrypted_data = generate_device_authorization_qr(
        licence=licence,
        fingerprint=fingerprint,
        platform_public_key_base64=platform_public_key,
        qr_output_path="device_authorization_qr.png"
    )
    print(f"\n二维码内容（加密后的Base64）:\n{encrypted_data}")
 ```
 ### 5.2 Java/Kotlin 完整示例
 ```kotlin
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.google.zxing.BarcodeFormat
 import com.google.zxing.EncodeHintType
 import com.google.zxing.qrcode.QRCodeWriter
 import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel
 import java.awt.image.BufferedImage
 import java.security.KeyFactory
 import java.security.PublicKey
 import java.security.spec.X509EncodedKeySpec
 import java.util.Base64
 import javax.crypto.Cipher
 import javax.imageio.ImageIO
 import java.io.File
 import java.nio.charset.StandardCharsets
 object DeviceAuthorizationQRGenerator {
    private const val CIPHER_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
    private val objectMapper = ObjectMapper()
    /**
     * 生成设备授权二维码
     */
    fun generateDeviceAuthorizationQR(
        licence: String,
        fingerprint: String,
        platformPublicKeyBase64: String,
        qrOutputPath: String = "device_qr.png"
    ): String {
        // 1. 组装设备信息 JSON
        val deviceInfo = mapOf(
            "licence" to licence,
            "fingerprint" to fingerprint
        )
        val deviceInfoJson = objectMapper.writeValueAsString(deviceInfo)
        println("设备信息 JSON: $deviceInfoJson")
        // 2. 加载平台公钥
        val publicKeyBytes = Base64.getDecoder().decode(platformPublicKeyBase64)
        val keySpec = X509EncodedKeySpec(publicKeyBytes)
        val keyFactory = KeyFactory.getInstance("RSA")
        val publicKey = keyFactory.generatePublic(keySpec)
        // 3. 使用 RSA-OAEP 加密
        val cipher = Cipher.getInstance(CIPHER_ALGORITHM)
        cipher.init(Cipher.ENCRYPT_MODE, publicKey)
        val encryptedBytes = cipher.doFinal(deviceInfoJson.toByteArray(StandardCharsets.UTF_8))
        // 4. Base64 编码
        val encryptedBase64 = Base64.getEncoder().encodeToString(encryptedBytes)
        println("加密后的 Base64: ${encryptedBase64.take(100)}...")
        // 5. 生成二维码
        val hints = hashMapOf<EncodeHintType, Any>().apply {
            put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M)
            put(EncodeHintType.CHARACTER_SET, "UTF-8")
            put(EncodeHintType.MARGIN, 1)
        }
        val writer = QRCodeWriter()
        val bitMatrix = writer.encode(encryptedBase64, BarcodeFormat.QR_CODE, 300, 300, hints)
        val width = bitMatrix.width
        val height = bitMatrix.height
        val image = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
        for (x in 0 until width) {
            for (y in 0 until height) {
                image.setRGB(x, y, if (bitMatrix[x, y]) 0x000000 else 0xFFFFFF)
            }
        }
        ImageIO.write(image, "PNG", File(qrOutputPath))
        println("二维码已生成: $qrOutputPath")
        return encryptedBase64
    }
 }
 // 使用示例
 fun main() {
    // 平台公钥（示例，实际使用时需要从平台获取）
    val platformPublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB"
    // 设备信息
    val licence = "LIC-8F2A-XXXX"
    val fingerprint = "FP-2c91e9f3"
    // 生成二维码
    val encryptedData = DeviceAuthorizationQRGenerator.generateDeviceAuthorizationQR(
        licence = licence,
        fingerprint = fingerprint,
        platformPublicKeyBase64 = platformPublicKey,
        qrOutputPath = "device_authorization_qr.png"
    )
    println("\n二维码内容（加密后的Base64）:\n$encryptedData")
 }
 ```
 ## 六、平台端验证流程
 平台端会按以下流程验证：
 1. **接收请求**：App 扫描二维码后，将 `encryptedDeviceInfo` 和 `appid` 提交到平台
 2. **RSA-OAEP 解密**：使用平台私钥解密 `encryptedDeviceInfo`
 3. **提取设备信息**：从解密后的 JSON 中提取 `licence` 和 `fingerprint`
 4. **设备验证**：
   - 检查 `filing_device_licence` 表中是否存在该 `licence`
   - 如果存在，验证 `fingerprint` 是否匹配
   - 如果 `fingerprint` 不匹配，记录非法授权日志并返回错误
 5. **App 绑定**：检查 `filing_app_licence` 表中是否存在绑定关系
   - 如果不存在，创建新的绑定记录
   - 如果已存在，返回已绑定信息
 6. **返回响应**：返回 `deviceLicenceId` 和 `licence`
 ## 七、常见错误和注意事项
 ### 7.1 加密失败
 **可能原因**：
 1. **公钥格式错误**：确保使用正确的 Base64 编码的公钥
 2. **算法不匹配**：必须使用 `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
 3. **数据长度超限**：RSA-2048 最多加密 245 字节（设备信息 JSON 通常不会超过）
 4. **字符编码错误**：确保使用 UTF-8 编码
 ### 7.2 二维码扫描失败
 **可能原因**：
 1. **二维码内容过长**：如果加密后的数据过长，可能需要使用更高版本的二维码（version）
 2. **错误纠正级别过低**：建议使用 `ERROR_CORRECT_M` 或更高
 3. **二维码图片质量差**：确保二维码图片清晰，有足够的对比度
 ### 7.3 平台验证失败
 **可能原因**：
 1. **licence 已存在但 fingerprint 不匹配**：设备被替换或授权码被复用
 2. **JSON 格式错误**：确保 JSON 格式正确，字段名和类型匹配
 3. **加密数据损坏**：确保 Base64 编码和解码正确
 ## 八、安全设计说明
 ### 8.1 为什么使用 RSA-OAEP
 1. **非对称加密**：只有平台拥有私钥，可以解密数据
 2. **OAEP 填充**：提供更好的安全性，防止某些攻击
 3. **SHA-256**：使用强哈希算法，提供更好的安全性
 ### 8.2 为什么第三方无法伪造
 1. **只有平台能解密**：第三方无法获取平台私钥，无法解密数据
 2. **fingerprint 验证**：平台会验证硬件指纹，防止授权码被复用
 3. **非法授权日志**：平台会记录所有非法授权尝试
 ## 九、测试建议
 1. **单元测试**：
   - 测试 JSON 生成是否正确
   - 测试加密和解密是否匹配
   - 测试 Base64 编码和解码是否正确
 2. **集成测试**：
   - 使用真实平台公钥生成二维码
   - App 扫描二维码并提交到平台
   - 验证平台是否能正确解密和验证
 3. **边界测试**：
   - 测试超长的 licence 或 fingerprint
   - 测试特殊字符的处理
   - 测试错误的公钥格式
 ## 十、参考实现
 - **Python**：`cryptography` 库（RSA 加密）、`qrcode` 库（二维码生成）
 - **Java/Kotlin**：JDK `javax.crypto`（RSA 加密）、ZXing 库（二维码生成）
 - **C#**：`System.Security.Cryptography`（RSA 加密）、ZXing.Net 库（二维码生成）
 ## 十一、联系支持
 如有问题，请联系平台技术支持团队获取：
 - 平台公钥（Base64 编码）
 - 测试环境地址
 - 技术支持
--- a/docs/第三方-OpenAPI-对接指南.md
+++ b/docs/第三方-OpenAPI-对接指南.md
@@ -0,0 +1,98 @@
 # 第三方 OpenAPI 对接指南
 本文档用于第三方系统快速接入 UX 授权服务。
 ## 1. 文档入口
 - OpenAPI 文档（Scalar）：`/api/docs`
 - OpenAPI 规范（JSON）：`/api/spec.json`
 例如本地开发环境：
 - `http://localhost:3000/api/docs`
 - `http://localhost:3000/api/spec.json`
 ## 2. 接口分组
 OpenAPI 中已按 `tags` 分组：
 - `Device`：设备注册与查询
 - `Crypto`：授权加解密与二维码数据处理
 - `Report`：报告签名打包
 - `Task`：任务保存与状态管理
 ## 3. 核心接口一览
 ### Device
 - `POST /api/device/register`
  - 操作名：`deviceRegister`
  - 说明：注册设备，UX 计算并存储 fingerprint
 - `POST /api/device/get`
  - 操作名：`deviceGet`
  - 说明：按 `id` 或 `licence` 查询设备
 ### Crypto
 - `POST /api/crypto/encrypt-device-info`
  - 操作名：`encryptDeviceInfo`
  - 说明：生成设备授权二维码密文
 - `POST /api/crypto/decrypt-task`
  - 操作名：`decryptTask`
  - 说明：解密任务二维码数据
 - `POST /api/crypto/encrypt-summary`
  - 操作名：`encryptSummary`
  - 说明：加密摘要并返回二维码内容
 - `POST /api/crypto/sign-and-pack-report`
  - 操作名：`signAndPackReport`
  - 说明：上传原始 ZIP，返回签名后 ZIP
 ### Task
 - `POST /api/task/save`
  - 操作名：`taskSave`
 - `POST /api/task/list`
  - 操作名：`taskList`
 - `POST /api/task/update-status`
  - 操作名：`taskUpdateStatus`
 ## 4. 字段说明来源
 每个接口的字段定义、必填/可选、类型、以及业务描述，均在 OpenAPI 中由 oRPC 合约的 Zod schema 自动生成。
 你可以在 `/api/docs` 页面直接查看：
 1. 接口名称（operationId）
 2. 接口摘要（summary）
 3. 详细说明（description）
 4. 请求字段（含描述）
 5. 响应字段（含描述）
 ## 5. 文件上传接口注意事项
 `signAndPackReport` 使用 `multipart/form-data`，文件字段名为 `rawZip`。
 - 文件类型：`application/zip` 或 `application/x-zip-compressed`
 - 其他业务字段（如 `deviceId`、`taskId`）与文件一起提交
 - 接口响应为签名后 ZIP 文件（`application/zip`）
 示例（curl）：
 ```bash
 curl -X POST "http://localhost:3000/api/crypto/sign-and-pack-report" \
  -F "deviceId=dev_xxx" \
  -F "taskId=TASK-20260115-4875" \
  -F "enterpriseId=1173040813421105152" \
  -F "inspectionId=702286470691215417" \
  -F "summary=检查摘要信息" \
  -F "rawZip=@./report-raw.zip;type=application/zip" \
  --output signed-report.zip
 ```
 ## 6. 推荐接入方式
 第三方如需代码生成，建议直接消费 `/api/spec.json`：
 - Java：OpenAPI Generator
 - C#：NSwag / OpenAPI Generator
 - TypeScript：openapi-typescript / Orval
--- a/package.json
+++ b/package.json
@@ -52,9 +52,10 @@
    "electron": "^34.0.0",
    "electron-builder": "^26.8.1",
    "electron-vite": "^5.0.0",
    "jszip": "^3.10.1",
    "motion": "^12.35.0",
    "nitro": "npm:nitro-nightly@3.0.1-20260227-181935-bfbb207c",
-    "postgres": "^3.4.8",
+    "openpgp": "^6.0.1",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "tailwindcss": "^4.2.1",
--- a/packages/crypto/package.json
+++ b/packages/crypto/package.json
@@ -0,0 +1,16 @@
 {
  "name": "@furtherverse/crypto",
  "version": "1.0.0",
  "private": true,
  "type": "module",
  "exports": {
    ".": "./src/index.ts"
  },
  "dependencies": {
    "openpgp": "catalog:"
  },
  "devDependencies": {
    "@furtherverse/tsconfig": "workspace:*",
    "@types/bun": "catalog:"
  }
 }
--- a/packages/crypto/src/aes-gcm.ts
+++ b/packages/crypto/src/aes-gcm.ts
@@ -0,0 +1,53 @@
 import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
 const GCM_IV_LENGTH = 12 // 96 bits
 const GCM_TAG_LENGTH = 16 // 128 bits
 const ALGORITHM = 'aes-256-gcm'
 /**
 * AES-256-GCM encrypt.
 *
 * Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
 *
 * @param plaintext - UTF-8 string to encrypt
 * @param key - 32-byte AES key
 * @returns Base64-encoded encrypted data
 */
 export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
  const iv = randomBytes(GCM_IV_LENGTH)
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
  const tag = cipher.getAuthTag()
  // Layout: IV + ciphertext + tag
  const combined = Buffer.concat([iv, encrypted, tag])
  return combined.toString('base64')
 }
 /**
 * AES-256-GCM decrypt.
 *
 * Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
 *
 * @param encryptedBase64 - Base64-encoded encrypted data
 * @param key - 32-byte AES key
 * @returns Decrypted UTF-8 string
 */
 export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
  const data = Buffer.from(encryptedBase64, 'base64')
  if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
    throw new Error('Encrypted data too short: must contain IV + tag at minimum')
  }
  const iv = data.subarray(0, GCM_IV_LENGTH)
  const tag = data.subarray(data.length - GCM_TAG_LENGTH)
  const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
  decipher.setAuthTag(tag)
  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
  return decrypted.toString('utf-8')
 }
--- a/packages/crypto/src/hash.ts
+++ b/packages/crypto/src/hash.ts
@@ -0,0 +1,15 @@
 import { createHash } from 'node:crypto'
 /**
 * Compute SHA-256 hash and return raw Buffer.
 */
 export const sha256 = (data: string | Buffer): Buffer => {
  return createHash('sha256').update(data).digest()
 }
 /**
 * Compute SHA-256 hash and return lowercase hex string.
 */
 export const sha256Hex = (data: string | Buffer): string => {
  return createHash('sha256').update(data).digest('hex')
 }
--- a/packages/crypto/src/hkdf.ts
+++ b/packages/crypto/src/hkdf.ts
@@ -0,0 +1,15 @@
 import { hkdfSync } from 'node:crypto'
 /**
 * Derive a key using HKDF-SHA256.
 *
 * @param ikm - Input keying material (string, will be UTF-8 encoded)
 * @param salt - Salt value (string, will be UTF-8 encoded)
 * @param info - Info/context string (will be UTF-8 encoded)
 * @param length - Output key length in bytes (default: 32 for AES-256)
 * @returns Derived key as Buffer
 */
 export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
  const derived = hkdfSync('sha256', ikm, salt, info, length)
  return Buffer.from(derived)
 }
--- a/packages/crypto/src/hmac.ts
+++ b/packages/crypto/src/hmac.ts
@@ -0,0 +1,23 @@
 import { createHmac } from 'node:crypto'
 /**
 * Compute HMAC-SHA256 and return Base64-encoded signature.
 *
 * @param key - HMAC key (Buffer)
 * @param data - Data to sign (UTF-8 string)
 * @returns Base64-encoded HMAC-SHA256 signature
 */
 export const hmacSha256Base64 = (key: Buffer, data: string): string => {
  return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
 }
 /**
 * Compute HMAC-SHA256 and return raw Buffer.
 *
 * @param key - HMAC key (Buffer)
 * @param data - Data to sign (UTF-8 string)
 * @returns HMAC-SHA256 digest as Buffer
 */
 export const hmacSha256 = (key: Buffer, data: string): Buffer => {
  return createHmac('sha256', key).update(data, 'utf-8').digest()
 }
--- a/packages/crypto/src/index.ts
+++ b/packages/crypto/src/index.ts
@@ -0,0 +1,6 @@
 export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
 export { sha256, sha256Hex } from './hash'
 export { hkdfSha256 } from './hkdf'
 export { hmacSha256, hmacSha256Base64 } from './hmac'
 export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached } from './pgp'
 export { rsaOaepEncrypt } from './rsa-oaep'
--- a/packages/crypto/src/pgp.ts
+++ b/packages/crypto/src/pgp.ts
@@ -0,0 +1,75 @@
 import * as openpgp from 'openpgp'
 /**
 * Generate an OpenPGP RSA key pair.
 *
 * @param name - User name for the key
 * @param email - User email for the key
 * @returns ASCII-armored private and public keys
 */
 export const generatePgpKeyPair = async (
  name: string,
  email: string,
 ): Promise<{ privateKey: string; publicKey: string }> => {
  const { privateKey, publicKey } = await openpgp.generateKey({
    type: 'rsa',
    rsaBits: 2048,
    userIDs: [{ name, email }],
    format: 'armored',
  })
  return { privateKey, publicKey }
 }
 /**
 * Create a detached OpenPGP signature for the given data.
 *
 * @param data - Raw data to sign (Buffer or Uint8Array)
 * @param armoredPrivateKey - ASCII-armored private key
 * @returns ASCII-armored detached signature (signature.asc content)
 */
 export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
  const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
  const message = await openpgp.createMessage({ binary: data })
  const signature = await openpgp.sign({
    message,
    signingKeys: privateKey,
    detached: true,
    format: 'armored',
  })
  return signature as string
 }
 /**
 * Verify a detached OpenPGP signature.
 *
 * @param data - Original data (Buffer or Uint8Array)
 * @param armoredSignature - ASCII-armored detached signature
 * @param armoredPublicKey - ASCII-armored public key
 * @returns true if signature is valid
 */
 export const pgpVerifyDetached = async (
  data: Uint8Array,
  armoredSignature: string,
  armoredPublicKey: string,
 ): Promise<boolean> => {
  const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
  const signature = await openpgp.readSignature({ armoredSignature })
  const message = await openpgp.createMessage({ binary: data })
  const verificationResult = await openpgp.verify({
    message,
    signature,
    verificationKeys: publicKey,
  })
  const { verified } = verificationResult.signatures[0]!
  try {
    await verified
    return true
  } catch {
    return false
  }
 }
--- a/packages/crypto/src/rsa-oaep.ts
+++ b/packages/crypto/src/rsa-oaep.ts
@@ -0,0 +1,34 @@
 import { constants, createPublicKey, publicEncrypt } from 'node:crypto'
 /**
 * RSA-OAEP encrypt with platform public key.
 *
 * Algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
 * - OAEP hash: SHA-256
 * - MGF1 hash: SHA-256
 *
 * @param plaintext - UTF-8 string to encrypt
 * @param publicKeyBase64 - Platform public key (X.509 DER, Base64 encoded)
 * @returns Base64-encoded ciphertext
 */
 export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
  // Load public key from Base64-encoded DER (X.509 / SubjectPublicKeyInfo)
  const publicKeyDer = Buffer.from(publicKeyBase64, 'base64')
  const publicKey = createPublicKey({
    key: publicKeyDer,
    format: 'der',
    type: 'spki',
  })
  // Encrypt with RSA-OAEP (SHA-256 for both OAEP hash and MGF1)
  const encrypted = publicEncrypt(
    {
      key: publicKey,
      padding: constants.RSA_PKCS1_OAEP_PADDING,
      oaepHash: 'sha256',
    },
    Buffer.from(plaintext, 'utf-8'),
  )
  return encrypted.toString('base64')
 }
--- a/packages/crypto/tsconfig.json
+++ b/packages/crypto/tsconfig.json
@@ -0,0 +1,7 @@
 {
  "extends": "@furtherverse/tsconfig/bun.json",
  "compilerOptions": {
    "rootDir": "src"
  },
  "include": ["src"]
 }
Author	SHA1	Message	Date
imbytecat	46e2c94faf	fix(db): 修正 drizzle-kit 在 Bun SQLite 下的配置与脚本	2026-03-05 16:59:25 +08:00
imbytecat	b1062a5aed	refactor(api): signAndPackReport 直接返回签名 ZIP 文件	2026-03-05 16:58:59 +08:00
imbytecat	b193759e90	docs: 新增第三方 OpenAPI 对接指南	2026-03-05 16:44:01 +08:00
imbytecat	eb941c06c0	docs(api): 补全 OpenAPI 元数据与字段描述	2026-03-05 16:43:53 +08:00
imbytecat	eb2f6554b2	docs: 更新 signAndPackReport 为 multipart 文件上传说明	2026-03-05 16:32:49 +08:00
imbytecat	58d57fa148	refactor(server): 使用 multipart File 替代报告 ZIP 的 base64 上传	2026-03-05 16:32:41 +08:00
imbytecat	509860bba8	docs: 补充 UX 集成模式与授权对接说明	2026-03-05 16:24:21 +08:00
imbytecat	4e7c4e1aa5	feat(server): 实现设备授权与报告 ZIP 签名打包接口	2026-03-05 16:24:10 +08:00
imbytecat	8261409d7d	refactor(server): 切换 SQLite 并重建设备/任务表结构	2026-03-05 16:23:30 +08:00
imbytecat	d2eb98d612	feat: 新增共享加密包并引入 ZIP/PGP 依赖	2026-03-05 16:23:13 +08:00
`@@ -1 +1 @@`
	`DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres`	`DATABASE_PATH=data.db`
`@@ -1 +1,2 @@`
	`export * from './todo'`	`export * from './device'`
		`export * from './task'`