refactor(server): crypto 流程改用验证后的 licenceId

feat(server): 配置接口接入 licence 验签
refactor(server): 规范化 licence 持久化结构
2026-03-19 16:16:53 +08:00 · 2026-03-19 16:16:42 +08:00 · 2026-03-19 16:16:29 +08:00 · 2026-03-19 16:16:18 +08:00 · 2026-03-19 16:16:07 +08:00 · 2026-03-16 15:09:01 +08:00
129 changed files with 4939 additions and 1608 deletions
@@ -1,13 +0,0 @@
 node_modules/
 .output/
 .tanstack/
 out/
 .git/
 .env
 .env.*
 *.md
 *.tsbuildinfo
 *.bun-build
 .vscode/
@@ -1,6 +0,0 @@
 DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
 # Optional logging knobs (defaults are usually fine):
 # LOG_LEVEL=info       # trace|debug|info|warning|error|fatal
 # LOG_FORMAT=pretty    # pretty|json — defaults to TTY ? pretty : json
 # LOG_DB=false         # true to log every Drizzle SQL query
@@ -1,23 +1,162 @@
-# Dependencies
+### Custom ###
 node_modules/
-# Build output
+# TanStack
 .output/
 .tanstack/
 .vite/
 out/
 *.bun-build
 *.tsbuildinfo
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
-# Env
+# Nitro
 .output/
 # Bun build
 *.bun-build
 # SQLite database files
 *.db
 *.db-wal
 *.db-shm
 # Turborepo
 .turbo/
 ### Node ###
 # Logs
 logs
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 # Runtime data
 pids
 *.pid
 *.seed
 *.pid.lock
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov
 # Coverage directory used by tools like istanbul
 coverage
 *.lcov
 # nyc test coverage
 .nyc_output
 # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
 .grunt
 # Bower dependency directory (https://bower.io/)
 bower_components
 # node-waf configuration
 .lock-wscript
 # Compiled binary addons (https://nodejs.org/api/addons.html)
 build/Release
 # Dependency directories
 node_modules/
 jspm_packages/
 # Snowpack dependency directory (https://snowpack.dev/)
 web_modules/
 # TypeScript cache
 *.tsbuildinfo
 # Optional npm cache directory
 .npm
 # Optional eslint cache
 .eslintcache
 # Optional stylelint cache
 .stylelintcache
 # Optional REPL history
 .node_repl_history
 # Output of 'npm pack'
 *.tgz
 # Yarn Integrity file
 .yarn-integrity
 # dotenv environment variable files
 .env
 .env.*
 !.env.example
-# Logs
+# parcel-bundler cache (https://parceljs.org/)
-*.log
+.cache
 .parcel-cache
-# OS
+# Next.js build output
-.DS_Store
+.next
 out
 # Nuxt.js build / generate output
 .nuxt
 dist
 .output
 # Gatsby files
 .cache/
 # Comment in the public line in if your project uses Gatsby and not Next.js
 # https://nextjs.org/blog/next-9-1#public-directory-support
 # public
 # vuepress build output
 .vuepress/dist
 # vuepress v2.x temp and cache directory
 .temp
 .cache
 # Sveltekit cache directory
 .svelte-kit/
 # vitepress build output
 **/.vitepress/dist
 # vitepress cache directory
 **/.vitepress/cache
 # Docusaurus cache and generated files
 .docusaurus
 # Serverless directories
 .serverless/
 # FuseBox cache
 .fusebox/
 # DynamoDB Local files
 .dynamodb/
 # Firebase cache directory
 .firebase/
 # TernJS port file
 .tern-port
 # Stores VSCode versions used for testing VSCode extensions
 .vscode-test
 # yarn v3
 .pnp.*
 .yarn/*
 !.yarn/patches
 !.yarn/plugins
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
 # Vite files
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
 .vite/
@@ -1,11 +1,9 @@
 {
  "recommendations": [
    "biomejs.biome",
    "codezombiech.gitignore",
    "hverlin.mise-vscode",
    "oven.bun-vscode",
    "redhat.vscode-yaml",
-    "tamasfe.even-better-toml",
+    "tamasfe.even-better-toml"
    "unional.vscode-sort-package-json"
  ]
 }
@@ -43,8 +43,6 @@
  "files.watcherExclude": {
    "**/routeTree.gen.ts": true
  },
  "js/ts.tsdk.path": "node_modules/typescript/lib",
  "js/ts.tsdk.promptToUseWorkspaceVersion": true,
  "search.exclude": {
    "**/routeTree.gen.ts": true
  }
@@ -1,232 +1,219 @@
-# AGENTS.md
+# AGENTS.md - AI Coding Agent Guidelines
-Compact, repo-specific notes for AI agents. Generic language/framework knowledge is omitted — only things that will bite you if you don't know. Pair this with `README.md` (user-facing quick-start + add-a-feature checklist + deploy flow).
+Guidelines for AI agents working in this Bun monorepo.
-## Stack & runtime
+## Project Overview
- **Bun-only** (`mise.toml` pins `bun = 1.3.13`). Never invoke `npm`/`npx`/`node`/`yarn`/`pnpm`. Use `bun run <script>` (bare `bun <script>` can collide with Bun built-in subcommands).
+> **This project uses [Bun](https://bun.sh) exclusively as both the JavaScript runtime and package manager. Do NOT use Node.js / npm / yarn / pnpm. All commands start with `bun` — use `bun install` for dependencies and `bun run <script>` for scripts. Always prefer `bun run <script>` over `bun <script>` to avoid conflicts with Bun built-in subcommands (e.g. `bun build` invokes Bun's bundler, NOT your package.json script). Never use `npm`, `npx`, or `node`.**
 - **Prefer Bun-native APIs over external packages and `node:*` polyfills.** UUIDv7 in app code → `Bun.randomUUIDv7()` (not the `uuid` package); DB primary keys are a separate matter — those go through PG18's `uuidv7()`, see "Drizzle" section. SHA-256 → `Bun.CryptoHasher.hash('sha256', s, 'hex')` (not `node:crypto.createHash`); short sleeps → `Bun.sleep(ms)` (not raw `setTimeout` with promise wrapping); file I/O in build scripts → `Bun.file` / `Bun.write` are fine. The runtime is Bun, the deployment target is Bun, the test runner is Bun — there is no "portability" concern that would justify dragging in npm packages or Node compat shims for things Bun ships natively.
 - TanStack Start (React 19 SSR, file-routed) + Vite 8 + Nitro (nightly, preset `bun`). Dev server defaults to Vite's port (3000); not pinned, override via `vite dev --port <n>` if you need to.
 - **PostgreSQL 18+ only** (`compose.yaml` pins `postgres:18-alpine`). The starter relies on PG18's built-in `uuidv7()` function for primary-key generation — see "Drizzle" section. Do not soften this to support older PG; if you need PG <18 compatibility, fork and reintroduce app-side UUIDv7 (e.g. `Bun.randomUUIDv7()` or the `uuid` package) yourself.
 - **Drizzle ORM `0.45.2` (0.x, NOT 1.0 beta)** — see "Drizzle" section, this matters a lot.
 - ORPC (contract-first), TanStack Query v5, Tailwind v4.
 - **Logging via [LogTape](https://logtape.org/)** (zero-dep, runtime-agnostic) — see "Logging" section. `console.*` is forbidden in business code.
-## Scripts
+- **Monorepo**: Bun workspaces + Turborepo orchestration
 - **Runtime**: Bun (see `mise.toml` for version) — **NOT Node.js**
 - **Package Manager**: Bun — **NOT npm / yarn / pnpm**
 - **Apps**:
  - `apps/server` - TanStack Start fullstack web app (see `apps/server/AGENTS.md`)
  - `apps/desktop` - Electron desktop shell, sidecar server pattern (see `apps/desktop/AGENTS.md`)
 - **Packages**: `packages/tsconfig` (shared TS configs)
 ## Build / Lint / Test Commands
 ### Root Commands (via Turbo)
 ```bash
-bun run dev          # bunx --bun vite dev  (localhost:3000)
+bun run dev              # Start all apps in dev mode
-bun run build        # bunx --bun vite build → .output/
+bun run build            # Build all apps
-bun run compile      # bun scripts/compile.ts → out/server-<target> (standalone CLI binary)
+bun run compile          # Compile server to standalone binary (current platform)
-bun run cli <cmd>    # bun src/bin.ts <cmd>  — run a CLI subcommand in source (dev)
+bun run compile:darwin   # Compile server for macOS (arm64 + x64)
-bun run typecheck    # tsc --noEmit
+bun run compile:linux    # Compile server for Linux (x64 + arm64)
-bun run test         # bun test  — runs all *.test.ts files (colocated with source)
+bun run compile:windows  # Compile server for Windows x64
-bun run fix          # biome check --write  (lint + format + organize imports)
+bun run dist             # Package desktop distributable (current platform)
-bun run db:push      # dev only — push schema to DB, no migration file
+bun run dist:linux       # Package desktop for Linux (x64 + arm64)
-bun run db:generate  # drizzle-kit generate && scripts/embed-migrations.ts (regenerates migrations.gen.ts)
+bun run dist:mac         # Package desktop for macOS (arm64 + x64)
-bun run db:embed     # scripts/embed-migrations.ts only — regenerate migrations.gen.ts from ./drizzle/
+bun run dist:win         # Package desktop for Windows x64
-bun run db:migrate   # apply migrations via drizzle-kit (local dev convenience; prod uses ./server migrate)
+bun run fix              # Lint + format (Biome auto-fix)
-bun run db:studio    # Drizzle Studio
+bun run typecheck        # TypeScript check across monorepo
 ```
-Cross-compile targets live under `compile:{linux,darwin,windows}[:arch]`. `scripts/compile.ts` accepts `--target bun-<os>-<arch>`; default derives from host.
+### Server App (`apps/server`)
 ```bash
 bun run dev                   # Vite dev server (localhost:3000)
 bun run build                 # Production build -> .output/
 bun run compile               # Compile to standalone binary (current platform)
 bun run compile:darwin        # Compile for macOS (arm64 + x64)
 bun run compile:darwin:arm64  # Compile for macOS arm64
 bun run compile:darwin:x64    # Compile for macOS x64
 bun run compile:linux         # Compile for Linux (x64 + arm64)
 bun run compile:linux:arm64   # Compile for Linux arm64
 bun run compile:linux:x64     # Compile for Linux x64
 bun run compile:windows       # Compile for Windows (default: x64)
 bun run compile:windows:x64   # Compile for Windows x64
 bun run fix                   # Biome auto-fix
 bun run typecheck             # TypeScript check
-Before committing: `bun run fix && bun run typecheck && bun run test`. No CI, no pre-commit hooks, no lint-staged — so these are on you.
+# Database (Drizzle)
-
+bun run db:generate           # Generate migrations from schema
-## Drizzle (v0.x — critical)
+bun run db:migrate            # Run migrations
-
+bun run db:push               # Push schema (dev only)
-**Why it matters:** the project was on 1.0 beta and was rolled back. Online docs default to 1.0 beta APIs that do NOT exist here. If typecheck complains, you are probably importing a 1.0 beta API.
+bun run db:studio             # Open Drizzle Studio
 - Driver: `drizzle-orm/postgres-js`. Do NOT use `drizzle-orm/bun-sql`.
 - `drizzle()` is called with `{ connection, schema }` where `schema = import * as schema from '@/server/db/schema'`. There is **no `relations.ts`** and **no `defineRelations`** in 0.x.
 - Zod generators live in the separate `drizzle-zod` package (`^0.8.3`). Import from `drizzle-zod`, **not** `drizzle-orm/zod` (that subpath only exists in 1.0 beta).
 - Relational queries use **RQB v1 callback syntax**:
  ```ts
  db.query.todoTable.findMany({
    orderBy: (t, { desc }) => desc(t.createdAt),
  })
  ```
  Do NOT use the v2 object form (`orderBy: { createdAt: 'desc' }`, `where: { id }`) — it won't type-check.
 - To add relations later: declare per-table with `relations()` from `drizzle-orm` and export them from the same file as the table; they get picked up automatically because `index.ts` does `drizzle({ schema })` via `import *`.
 - Every table must spread `...generatedFields` from `src/server/db/fields.ts` (`id uuid PRIMARY KEY DEFAULT uuidv7() NOT NULL` — **Postgres-side generation**, requires PG18+; `createdAt`, `updatedAt` with `$onUpdateFn`). The DB is the single source of UUIDv7 truth: monotonic per cluster, uses DB clock, no app-side round-trip. **Do not reintroduce `$defaultFn(() => Bun.randomUUIDv7())`** — the SQL default is what the migration emits and what `drizzle-zod` reads as "optional in insert schema". `generatedFieldKeys` is hand-written and uses `satisfies Record<keyof typeof generatedFields, true>` so any field-key drift fails typecheck; it feeds `createInsertSchema(...).omit(...)` / `createUpdateSchema(...).omit(...)`.
 - `src/server/db/index.ts` exports a module-level `const db = drizzle(...)` — not a lazy singleton. On Bun this is a long-lived process, so top-level side effects are fine and requested. Don't reintroduce `getDB/closeDB` ceremony; the Nitro shutdown plugin calls `db.$client.end()` directly. (Cloudflare Workers would need per-request init — we don't support that deployment target.)
 - `drizzle.config.ts` runs outside Vite — `@/*` path aliases do NOT resolve there. It currently does `import { env } from './src/env'` (relative). Preserve that.
 - **Migrations are embedded in the binary, not read from disk.** `bun run db:generate` chains `drizzle-kit generate && bun scripts/embed-migrations.ts`, which regenerates `src/server/db/migrations.gen.ts` (committed, AUTO-GENERATED header) by `import sql_<idx> from '#drizzle/<tag>.sql' with { type: 'text' }`. `src/cli/migrate.ts` reads `embeddedMigrations`, **validates SHA-256 hash of every already-applied migration against the embedded SQL** (rejects schema drift if anyone edited an applied migration), then applies pending entries via `db.execute(sql\`...\`)` + `db.transaction(...)` against the `drizzle.__drizzle_migrations` book-keeping table — public APIs only, no `db.dialect`/`db.session` (those are `@internal`). Each migration is split on `--> statement-breakpoint`; empty fragments are trimmed and skipped. Dev helpers `db:push` / `drizzle-kit migrate` still read `./drizzle/`.
 ## CLI & single-binary deploy
 `bun run compile` produces a single executable that dispatches subcommands via [citty](https://github.com/unjs/citty). Entry is `src/bin.ts`; subcommands live in `src/cli/`.
 ```
 ./server [serve]   # default — start the HTTP server
 ./server migrate   # apply embedded migrations
 ./server --help
 ```
-**Nitro side-effect pitfall (important).** Under the `bun` preset, `.output/server/index.mjs` has a top-level `serve(...)` call — merely importing it starts the HTTP server. `src/bin.ts` therefore must not eager-import any subcommand module, and `src/cli/serve.ts` reaches `.output/server/index.mjs` through the `src/cli/_serve-nitro.mjs` bridge (with `_serve-nitro.d.mts` for types, since `.output/` doesn't exist at typecheck time). Citty's `subCommands: { x: () => import('...') }` lazy-loader is what keeps `--help` and `migrate` from booting the server.
+### Desktop App (`apps/desktop`)
-
+```bash
-**Citty eager-loads subcommand modules for `--help`** to read each subcommand's `meta`. So every `src/cli/*.ts` module body must be side-effect-free: do NOT static-import `@/env`, `@/server/db/*`, or anything that reads env at module-load time. Use `await import('@/env')` inside `run()`. Otherwise `./server --help` (or any subcommand's help) will fail with env validation errors before printing.
+bun run dev                   # electron-vite dev mode (requires server dev running)
-
+bun run build                 # electron-vite build (main + preload)
-Add a subcommand: drop a file in `src/cli/` that default-exports `defineCommand({...})`, then register it in `src/bin.ts`'s `subCommands` with a `() => import(...)` thunk. Keep top-level imports limited to `citty` + Node built-ins; pull env / db / etc. via `await import(...)` inside `run()`.
+bun run dist                  # Build + package for current platform
-
+bun run dist:linux            # Build + package for Linux (x64 + arm64)
-**Deploy flow is always migrate-then-serve.** Migrations are embedded in the binary (see "Drizzle" section), so the binary is the only artifact — no `./drizzle/` directory at runtime. Dockerfile copies just `./server`. `compose.yaml` models the pattern with a one-shot `migrate` service that `app` `depends_on: service_completed_successfully`. On k8s, run `./server migrate` as an initContainer or a Helm `pre-upgrade` Job; run `./server` (= `./server serve`) as the main container.
+bun run dist:linux:x64        # Build + package for Linux x64
-
+bun run dist:linux:arm64      # Build + package for Linux arm64
-## Compile flags
+bun run dist:mac              # Build + package for macOS (arm64 + x64)
-
+bun run dist:mac:arm64        # Build + package for macOS arm64
-`scripts/compile.ts` builds with `--minify --bytecode --sourcemap=inline`:
+bun run dist:mac:x64          # Build + package for macOS x64
-
+bun run dist:win              # Build + package for Windows x64
- **`bytecode`** — pre-compiles JS to bytecode and embeds it in the binary; ~2x startup on app-sized binaries (Bun docs benchmark). Requires `--compile`; top-level `await` must live inside `async` functions (it already does in this repo).
+bun run fix                   # Biome auto-fix
- **`minify`** — shrinks the binary and the bytecode it derives from.
+bun run typecheck             # TypeScript check
 - **`sourcemap: 'inline'`** — embeds the source map in the binary so error stack traces stay decodable. Bun also writes a residual `out/bin.js.map` next to the output; `scripts/compile.ts` removes it so the binary is the only artifact.
 ## ORPC
 Contract → Router → Handler → Client, all type-safe from a single contract.
 - `os` is built in `src/server/api/server.ts` via `implement(contract).$context<BaseContext>()`. **Always import `os` from `@/server/api/server`**, never from `@orpc/server` directly. `ORPCError`, `onError`, `ValidationError` come from `@orpc/server`.
 - Contracts (`src/server/api/contracts/*.contract.ts`) generate Zod from Drizzle tables via `drizzle-zod`:
  ```ts
  const insertSchema = createInsertSchema(todoTable).omit(generatedFieldKeys)
  ```
  Barrel-aggregated in `contracts/index.ts` as `export const contract = { todo }`.
 - Routers (`src/server/api/routers/*.router.ts`) import `db` directly from `@/server/db` in their handlers. There is **no `middlewares/` directory** by default — `db` doesn't need one (module-level const). When you actually need per-request context (auth, tenant, rate-limit), create `src/server/api/middlewares/<name>.middleware.ts` with `os.middleware(...)` and extend `BaseContext` in `context.ts`.
 - **Interceptors are attached at the handler level, not in `server.ts` and not on `os`.** Both `src/routes/api/rpc.$.ts` (`RPCHandler`) and `src/routes/api/$.ts` (`OpenAPIHandler`) register `[onError(logError)]` (server) and `[onError(handleValidationError)]` (client). The validation interceptor rewrites `BAD_REQUEST + ValidationError` into `INPUT_VALIDATION_FAILED` (422) and output validation errors into `OUTPUT_VALIDATION_FAILED`. `logError` resolves a `getLogger(['api'])` LogTape category — never `console.*` directly. See "Logging" section.
 - OpenAPI/Scalar: docs at `/api/docs`, spec at `/api/spec.json` (handler prefix `/api`, plugin paths `/docs` and `/spec.json`).
 - **SSR isomorphism** (`src/client/orpc.ts`): `createIsomorphicFn().server(createRouterClient(...)).client(new RPCLink(...))`. Server branch reads `getRequestHeaders()` for context; client branch POSTs to `${origin}/api/rpc`.
 - **Mutation invalidation is colocated at the call site** via `mutationOptions({ onSuccess })`, not in `src/client/orpc.ts`. `orpc` in `src/client/orpc.ts` is a plain `createTanstackQueryUtils(client)` — no `experimental_defaults`. Per-feature query helpers live in `src/client/queries/<feature>.ts` (e.g. `useInvalidateTodos`); routes/components compose those hooks rather than holding query keys inline. See `src/client/queries/todo.ts` + `src/routes/index.tsx` for the canonical shape.
 - SSR prefetch in route loaders: `await context.queryClient.ensureQueryData(orpc.todo.list.queryOptions())`. Components use `useSuspenseQuery(orpc.feature.list.queryOptions())`.
 ## Code style (Biome)
 - 2-space, LF, single quotes, **semicolons as-needed** (omitted unless required), 120-col, arrow parens always, `useArrowFunction: "error"` (covers function *expressions* only). Also `noReactPropAssignments: "error"`.
 - Lint domains enabled (Biome 2.4): `types: "all"` (catches `noFloatingPromises`, `noMisusedPromises`, `useAwaitThenable`, `noUnnecessaryConditions` — TS-aware async/promise traps), `drizzle: "recommended"`, `react: "recommended"`. `noImportCycles` is on under `suspicious`.
 - **Route components use `function Foo()` declarations**, placed below the `Route` config so the file reads top-down (route on top, component below). This is the official TanStack Router/Start pattern and relies on hoisting — `const Foo = () => {}` would TDZ-error when referenced from `createFileRoute({ component: Foo })` above it. Inline arrows are fine for trivial leaf components (e.g. plain redirect routes). Non-route components (UI primitives in `src/components/`) use `const Foo = () => {}`.
 - Imports are auto-organized into two groups (external, then `@/*`), each alphabetical, with `import type` interleaved (NOT a separate group). `bun run fix` handles this; don't hand-sort.
 - Files: utils `kebab-case.ts`, components `PascalCase.tsx`.
 - `routeTree.gen.ts` is generated — ignored by Biome, never edit.
 ## Testing
 `bun test` runs all `*.test.ts` files. Tests are colocated next to the source they exercise (e.g. `src/server/api/contracts/todo.contract.test.ts`). Use `import { describe, expect, test } from 'bun:test'`. The `@/*` alias resolves in tests via tsconfig paths. No Vitest, no Jest, no separate test config — keep it that way unless you need a browser/JSDOM environment.
 ## Endpoints
 - `/` — Todos UI (file route).
 - `/health` — bare `GET` returning `ok` (200, `text/plain`). Liveness only — no DB check, so it stays green even when Postgres is down. Add a separate `/ready` if you ever need readiness.
 - `/api/rpc` — ORPC RPC handler (POST).
 - `/api/*` — ORPC OpenAPI handler. Docs at `/api/docs`, spec at `/api/spec.json`.
 ## TypeScript
 Strict mode, plus `noUncheckedIndexedAccess`, `verbatimModuleSyntax`, `erasableSyntaxOnly`, `noImplicitOverride`. No `as any` / `@ts-ignore` / `@ts-expect-error`.
 Path alias: `@/* → src/*`. For files outside `src/` use `@/../<file>` (example in the codebase: `src/routes/api/$.ts` imports `name, version` from `@/../package.json`).
 ## Env
 `src/env.ts` via `@t3-oss/env-core`. Server: `DATABASE_URL` (required, `z.url()`), `LOG_LEVEL` (`trace|debug|info|warning|error|fatal`, default `info`), `LOG_FORMAT` (`pretty|json`, default = TTY ? `pretty` : `json`), `LOG_DB` (`stringbool`, default `false` — flips on Drizzle SQL query logging). `client: {}` is empty by default — any client-side env must be `VITE_`-prefixed. Never commit `.env`.
 ## Logging
 All server-side logging goes through `src/server/logger.ts`, a thin wrapper over [LogTape](https://logtape.org/). The module configures LogTape on import (via `configureSync`, no top-level await — works under `--bytecode`) and re-exports `getLogger`.
 ```ts
 import { getLogger } from '@/server/logger'
 const logger = getLogger(['feature', 'subsystem'])
 logger.info('Created todo {id}', { id })
 logger.error('DB write failed', { error })
 ```
- Categories are hierarchical arrays — they show up as dot-paths in JSON output (`"logger":"feature.subsystem"`) and let you filter by prefix when shipping logs.
+### Testing
- The `{name}` placeholders are for **primitive** values you want rendered inline (numbers, short strings, IDs). For objects, errors, and anything multi-field, omit the placeholder and just pass the value in properties — `logger.error('Auth failed', { error, userId })` keeps the message clean while properties stay structured. Never string-concatenate or template-literal — that defeats structured logging.
+No test framework configured yet. When adding tests:
- Format is `pretty` (icons + ANSI) on TTY, `json` (one-line JSON) when piped — perfect for Loki/Datadog/CloudWatch ingestion. Override with `LOG_FORMAT`.
+```bash
- Drizzle SQL queries are logged at `info` under category `['db']` when `LOG_DB=true`, via `@logtape/drizzle-orm`'s `DrizzleLogger` adapter (constructed in `src/server/db/index.ts`). The `info` level is intentional: flipping `LOG_DB=true` alone is enough — no need to also lower `LOG_LEVEL`.
+bun test path/to/test.ts              # Run single test file
- `src/server/api/interceptors.ts` calls `getLogger(['api']).error(...)` from `logError`. CLI subcommands lazy-import the logger inside `run()` — they are still required to be side-effect-free at module top (citty eager-loads for `--help`).
+bun test -t "pattern"                 # Run tests matching pattern
 - Bun-specific: `process.env.NODE_ENV` is **inlined at build time** by `bun build --minify` — do NOT branch on it for logger config (use `process.stdout.isTTY` or `LOG_FORMAT` instead). pino is unusable here because its worker-thread transports crash inside the `/$bunfs/` virtual filesystem of compiled binaries; LogTape has zero workers and zero dynamic require, so it ships cleanly into the single binary.
 ## Docker / deploy
 - Multi-stage: `oven/bun:1.3.13` builds and runs `bun scripts/compile.ts`, then `gcr.io/distroless/cc-debian13:nonroot` runs the single `./server` binary. The `cc` (glibc) distroless variant is required because Bun's compiled binary links glibc.
 - `compose.yaml`: one-shot `migrate` service runs `./server migrate` with `restart: "no"`, then `app` starts (`depends_on: migrate: service_completed_successfully`). `DATABASE_URL=postgres://postgres:postgres@db:5432/postgres` for both.
 - Distroless has no shell, so any init-then-serve pattern must use exec-form `command: [...]`, not `sh -c`.
 ## Layout (non-obvious parts only)
 ```
 src/
 ├── bin.ts                      # citty entry — keep imports minimal (see "CLI" section)
 ├── client/
 │   ├── orpc.ts                 # isomorphic ORPC client + TanStack Query utils (no global invalidation defaults)
 │   └── queries/                # per-feature query hooks: keys, options, `useInvalidate<Feature>` helpers
 ├── cli/                        # CLI subcommands (loaded lazily by src/bin.ts via citty)
 │   ├── serve.ts                # `./server serve` — imports the Nitro bridge on demand
 │   ├── migrate.ts              # `./server migrate` — applies embedded migrations via public `db.execute(sql)` + `db.transaction()`
 │   ├── _serve-nitro.mjs        # bridge: `import('#server')` (subpath import → .output/server/index.mjs)
 │   └── _serve-nitro.d.mts      # types for the bridge (build output has no .d.ts)
 ├── routes/
 │   ├── __root.tsx              # root route + RootDocument shell
 │   ├── index.tsx               # Todos UI
 │   ├── health.ts               # GET /health → "ok" (no DB)
 │   └── api/
 │       ├── $.ts                # OpenAPI + Scalar; interceptors registered here
 │       └── rpc.$.ts            # RPC; interceptors registered here
 ├── server/
 │   ├── logger.ts               # LogTape `configureSync` + `getLogger` re-export — the only log entrypoint
 │   ├── api/
 │   │   ├── server.ts           # the ONLY place to build `os`
 │   │   ├── context.ts          # BaseContext (add per-request fields when you add middlewares)
 │   │   ├── interceptors.ts     # logError (→ logger), handleValidationError
 │   │   ├── types.ts            # Router{Client,Inputs,Outputs} derived from Contract
 │   │   ├── contracts/          # Zod schemas from Drizzle tables (barrel: contract); colocated *.test.ts
 │   │   └── routers/            # os.* handlers (barrel: router) — import db directly
 │   ├── db/
 │   │   ├── index.ts            # module-level `export const db = drizzle({...})`
 │   │   ├── fields.ts           # generatedFields (id/createdAt/updatedAt) + generatedFieldKeys
 │   │   ├── migrations.gen.ts   # AUTO-GENERATED by `bun run db:embed`; embeds ./drizzle/*.sql via `with { type: 'text' }`
 │   │   ├── sql.d.ts            # ambient `declare module '*.sql'` — load-bearing for `with { type: 'text' }` imports in migrations.gen.ts
 │   │   └── schema/             # pgTable definitions; also put `relations()` here when adding
 │   └── plugins/
 │       └── shutdown.ts         # SIGINT/SIGTERM → db.$client.end() with 500ms delay (prod only)
 ├── components/                 # non-route UI primitives (PascalCase, arrow const)
 ├── env.ts                      # t3-oss env validation
 ├── router.tsx                  # QueryClient + setupRouterSsrQueryIntegration
 ├── styles.css                  # Tailwind v4 entry
 └── routeTree.gen.ts            # auto-generated, do not edit
 scripts/
 ├── compile.ts                  # `bun build --compile` driver; resolves --target; sets minify/bytecode/sourcemap
 └── embed-migrations.ts         # codegen: scans ./drizzle/meta/_journal.json → src/server/db/migrations.gen.ts
 drizzle/                        # SQL migrations (source of truth for `db:generate`; not shipped in binary)
 ```
-Nitro plugins are wired in `vite.config.ts` (`nitro({ plugins: [...] })`), not via a Nitro config file.
+## Code Style (TypeScript)
-## Don'ts (specific, non-obvious)
+### Formatting (Biome)
 - **Indent**: 2 spaces | **Line endings**: LF
 - **Quotes**: Single `'` | **Semicolons**: Omit (ASI)
 - **Arrow parentheses**: Always `(x) => x`
- **Don't run `bun run db:generate` (or `drizzle-kit generate`) as an AI agent.** Migration generation is reserved for the human. Make schema changes in `src/server/db/schema/*` + `src/server/db/fields.ts`, push the code changes, and stop — the human will run `bun run db:generate` and commit the resulting `drizzle/*.sql` + `src/server/db/migrations.gen.ts` themselves. (`bun run db:embed` is also off-limits because it's the codegen tail of `db:generate`.)
+### Imports
- Don't edit `routeTree.gen.ts` or `src/server/db/migrations.gen.ts`.
+Biome auto-organizes. Order: 1) External packages → 2) Internal `@/*` aliases → 3) Type imports (`import type { ... }`)
 - Don't eager-import anything from `.output/` in `src/bin.ts` or any module it statically imports — it starts the HTTP server as a side effect. Subcommands must be lazy via citty's `() => import(...)` thunks.
 - Don't re-add an auto-migrate Nitro plugin. Migrations are an explicit deploy step via `./server migrate`.
 - Don't reach into `db.dialect`/`db.session` from `migrate.ts` — they're `@internal`. The current implementation uses public `db.execute(sql)` + `db.transaction(...)` against the documented `drizzle.__drizzle_migrations` schema.
 - Don't add `./drizzle/` back to the runtime image — migrations are embedded into the binary.
 - Don't reintroduce `getDB/closeDB` or any "lazy DB init" pattern — that's a Cloudflare Workers shape; we deploy on Bun processes.
 - Don't import `os` from `@orpc/server` in middleware/routers — always `@/server/api/server`.
 - Don't import from `drizzle-orm/zod` (1.0 beta only). Use `drizzle-zod`.
 - Don't use RQB v2 object syntax, `defineRelations`, or pass `relations` to `drizzle()`. All are 1.0 beta.
 - Don't use `drizzle-orm/bun-sql`.
 - Don't use `@/*` aliases in `drizzle.config.ts`.
 - Don't commit `.env`.
-## Room-to-grow rules (discipline for the first real feature)
+```typescript
 import { createFileRoute } from '@tanstack/react-router'
 import { z } from 'zod'
 import { db } from '@/server/db'
 import type { ReactNode } from 'react'
 ```
-These keep the starter from setting bad precedents as it grows. Append, don't restructure.
+### TypeScript Strictness
 - `strict: true`, `noUncheckedIndexedAccess: true`, `noImplicitOverride: true`, `verbatimModuleSyntax: true`
 - Use `@/*` path aliases (maps to `src/*`)
-1. Per-feature client query code — keys, options, `useInvalidate<Feature>` helpers — lives in `src/client/queries/<feature>.ts`. Routes/components compose these hooks; they don't hold query keys inline.
+### Naming Conventions
-2. Mutation invalidation stays explicit at the mutation call site (`mutationOptions({ onSuccess })`) or in a feature query helper. Do not reintroduce global `experimental_defaults` or any implicit cache policy.
+| Type | Convention | Example |
-3. Client state defaults to route/component local state. Create a store (zustand or equivalent) only when state is shared across routes or needs persistence.
+|------|------------|---------|
-4. Middlewares (`src/server/api/middlewares/<name>.middleware.ts`) derive request-scoped context or gate access. They do NOT orchestrate business flow, hold side effects, or replace handlers/services.
+| Files (utils) | kebab-case | `auth-utils.ts` |
-5. Interceptors (`src/server/api/interceptors.ts`) do cross-cutting error logging, transport normalization, and validation rewrites. They do NOT read business data.
+| Files (components) | PascalCase | `UserProfile.tsx` |
-6. One file per Drizzle table. Relations live in the same file and are exported as `<entity>Relations`. No global `relations.ts`.
+| Components | PascalCase arrow | `const Button = () => {}` |
-7. One router file per feature (`routers/<feature>.router.ts`). Only introduce `routers/<domain>/index.ts` when a domain grows past ~5 router files or needs shared domain helpers.
+| Functions | camelCase | `getUserById` |
-8. All server-side logging goes through `getLogger([...])` from `@/server/logger`. Use a hierarchical category (`['api']`, `['db']`, `['cli', 'migrate']`, etc.) — these become dot-paths in JSON output and let you filter by prefix. Use the `{name}` placeholder + properties form, not string interpolation. `console.*` is forbidden in business code.
+| Constants | UPPER_SNAKE | `MAX_RETRIES` |
-9. CLI subcommand modules keep top-level imports to `citty` + Node built-ins. Env, db, and server code are `await import(...)`-ed inside `run()` (see `src/bin.ts` comment for why).
+| Types/Interfaces | PascalCase | `UserProfile` |
-10. Every new business feature ships with at least one `bun test` covering a contract schema, a pure helper, or a router behavior.
+
 ### React Patterns
 - Components: arrow functions (enforced by Biome)
 - Routes: TanStack Router file conventions (`export const Route = createFileRoute(...)`)
 - Data fetching: `useSuspenseQuery(orpc.feature.list.queryOptions())`
 - Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
 ### Error Handling
 - Use `try-catch` for async operations; throw descriptive errors
 - ORPC: Use `ORPCError` with proper codes (`NOT_FOUND`, `INPUT_VALIDATION_FAILED`)
 - Never use empty catch blocks
 ## Database (Drizzle ORM v1 beta + postgres-js)
 - **ORM**: Drizzle ORM `1.0.0-beta` (RQBv2)
 - **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
 - **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
 - **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts` (contains schema info, so `drizzle()` only needs `{ relations }`)
 - **Query style**: RQBv2 object syntax (`orderBy: { createdAt: 'desc' }`, `where: { id: 1 }`)
 ```typescript
 export const myTable = pgTable('my_table', {
  id: uuid().primaryKey().default(sql`uuidv7()`),
  name: text().notNull(),
  createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
  updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
 })
 ```
 ## Environment Variables
 - Use `@t3-oss/env-core` with Zod validation in `src/env.ts`
 - Server vars: no prefix | Client vars: `VITE_` prefix required
 - Never commit `.env` files
 ## Dependency Management
 - All versions centralized in root `package.json` `catalog` field
 - Workspace packages use `"catalog:"` — never hardcode versions
 - Internal packages use `"workspace:*"` references
 ## Development Principles
 > **These principles apply to ALL code changes. Agents MUST follow them on every task.**
 1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks "just in case".
 2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart. This includes updating code snippets in docs when imports, APIs, or patterns change.
 3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns in the same codebase.
 ## Critical Rules
 **DO:**
 - Run `bun run fix` before committing
 - Use `@/*` path aliases (not relative imports)
 - Include `createdAt`/`updatedAt` on all tables
 - Use `catalog:` for dependency versions
 - Update `AGENTS.md` and other docs whenever code patterns change
 **DON'T:**
 - Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
 - Edit `src/routeTree.gen.ts` (auto-generated)
 - Use `as any`, `@ts-ignore`, `@ts-expect-error`
 - Commit `.env` files
 - Use empty catch blocks `catch(e) {}`
 - Hardcode dependency versions in workspace packages
 - Leave docs out of sync with code changes
 ## Git Workflow
 1. Make changes following style guide
 2. `bun run fix` - auto-format and lint
 3. `bun run typecheck` - verify types
 4. `bun run dev` - test locally
 5. Commit with descriptive message
 ## Directory Structure
 ```
 .
 ├── apps/
 │   ├── server/           # TanStack Start fullstack app
 │   │   ├── src/
 │   │   │   ├── client/   # ORPC client + TanStack Query utils
 │   │   │   ├── components/
 │   │   │   ├── routes/   # File-based routing
 │   │   │   └── server/   # API layer + database
 │   │   │       ├── api/  # ORPC contracts, routers, middlewares
 │   │   │       └── db/   # Drizzle schema
 │   │   └── AGENTS.md
 │   └── desktop/          # Electron desktop shell
 │       ├── src/
 │       │   ├── main/
 │       │   │   └── index.ts       # Main process entry
 │       │   └── preload/
 │       │       └── index.ts       # Preload script
 │       ├── electron.vite.config.ts
 │       ├── electron-builder.yml   # Packaging config
 │       └── AGENTS.md
 ├── packages/
 │   └── tsconfig/         # Shared TS configs
 ├── biome.json            # Linting/formatting config
 ├── turbo.json            # Turbo task orchestration
 └── package.json          # Workspace root + dependency catalog
 ```
 ## See Also
 - `apps/server/AGENTS.md` - Detailed TanStack Start / ORPC patterns
 - `apps/desktop/AGENTS.md` - Electron desktop development guide
@@ -1,21 +0,0 @@
 FROM oven/bun:1.3.13 AS build
 WORKDIR /app
 COPY package.json bun.lock ./
 RUN bun install --frozen-lockfile
 COPY . .
 RUN bun run build \
    && bun run compile \
    && mv out/server-* out/server
 FROM gcr.io/distroless/cc-debian13:nonroot
 WORKDIR /app
 COPY --from=build --chown=nonroot:nonroot /app/out/server ./server
 ENV HOST=0.0.0.0
 EXPOSE 3000
 CMD ["./server"]
@@ -1,112 +0,0 @@
 # fullstack-starter
 一个**单二进制**的全栈应用 starter——`bun run compile` 出来的 `./server` 文件就是你要部署的全部产物，自带 HTTP 服务、SSR、API、嵌入式 SQL 迁移，运行时不依赖 Node、不依赖源码、不依赖外部 migration 目录。
 技术栈：Bun · TanStack Start (React 19 SSR) · ORPC（契约优先 API）· Drizzle ORM · PostgreSQL 18+ · Tailwind v4 · Biome。
 ## 为什么用这个
 - **部署最简**：发布只拷一个二进制文件。先 `./server migrate` 再 `./server`，完事。
 - **契约优先**：在 `*.contract.ts` 用 Zod 定义一次，前端、后端、OpenAPI 文档自动同步。
 - **类型严格**：TypeScript strict，杜绝 `any` / `@ts-ignore` / `as any` 等类型逃逸。
 - **开箱可跑**：路径别名、文件路由、ORPC 接线、Tailwind、热重载、错误页全部预接好。
 ## 快速开始
 > **需要 PostgreSQL 18+**——schema 用 PG 原生的 `uuidv7()` 生成主键（`compose.yaml` 已锁 `postgres:18-alpine`）。要兼容更老的 PG，把 `src/server/db/fields.ts` 里的 `default(sql\`uuidv7()\`)` 换成 `$defaultFn(() => Bun.randomUUIDv7())`，再跑 `bun run db:generate`。
 ```bash
 cp .env.example .env        # 把里面的 DATABASE_URL 改成你的 Postgres
 bun install
 bun run db:push             # 开发期：把 schema 直接同步到 DB（不写 migration 文件）
 bun run dev                 # http://localhost:3000
 ```
 打开浏览器：
 - `http://localhost:3000/` — Todo 示例页
 - `http://localhost:3000/api/docs` — Scalar 渲染的 API 文档
 ## 目录结构（你需要关心的部分）
 ```
 src/
 ├── routes/                 # 文件路由：页面 + API 端点
 ├── server/
 │   ├── api/
 │   │   ├── contracts/      # Zod 契约（client / server 共享）
 │   │   └── routers/        # 业务实现
 │   └── db/                 # Drizzle schema + 嵌入式 migrations
 ├── client/                 # 前端 hooks、ORPC 客户端
 └── components/             # UI 组件
 ```
 ## 加一个功能（以 `post` 为例）
 每一步都很短，按顺序填即可：
 1. **建表**：`src/server/db/schema/post.ts` 定义 `postTable`，记得展开 `...generatedFields`（自动注入 `id` / `createdAt` / `updatedAt`）。
 2. **导出表**：在 `src/server/db/schema/index.ts` 加 `export * from './post'`。
 3. **写契约**：`src/server/api/contracts/post.contract.ts` 用 `drizzle-zod` 从表派生 Zod schema。
 4. **挂契约**：在 `src/server/api/contracts/index.ts` 把 `post` 加进 `contract` 对象。
 5. **写实现**：`src/server/api/routers/post.router.ts` 实现 `os.post.*.handler(...)`。
 6. **挂路由**：在 `src/server/api/routers/index.ts` 把 `post` 加进 `router` 对象。
 7. **写前端 hook**：`src/client/queries/post.ts` 导出 `useInvalidatePosts` 等失效辅助。
 8. **写页面**：`src/routes/<page>.tsx` 用 `useSuspenseQuery` 读、`mutate` 写；mutation 的 `onSuccess` 调用第 7 步的 helper。
 9. **生成 migration**：`bun run db:generate` 把 SQL 写到 `./drizzle/` 并嵌入二进制。
 完工。`bun run dev` 已自动热重载。
 ## 部署
 **永远先 migrate 再 serve**。Migration 已嵌入二进制；部署只发一个 `./server` 文件。
 ```bash
 ./server migrate            # 应用嵌入式 migration（用 $DATABASE_URL）
 ./server                    # 启动 HTTP 服务（默认子命令）
 ./server --help             # 列出所有子命令
 ```
 仓库自带 `compose.yaml`（一次性 `migrate` 服务先跑完，再启动 `app`）：
 ```bash
 docker compose up --build
 ```
 Kubernetes 上：把 `./server migrate` 放进 initContainer 或 Helm `pre-upgrade` Job，主容器跑 `./server`。
 ## 脚本一览
 | 命令 | 作用 |
 | --- | --- |
 | `bun run dev` | Vite 开发服务器（默认端口 3000） |
 | `bun run build` | 构建到 `.output/`（`bun run compile` 会用到） |
 | `bun run compile` | 生成单二进制 `out/server-<target>` |
 | `bun run typecheck` | TypeScript 类型检查 |
 | `bun run test` | 运行所有 `*.test.ts` |
 | `bun run fix` | Biome 格式化 + lint + 整理 imports |
 | `bun run db:push` | 开发期：直接同步 schema 到 DB（不写 migration 文件） |
 | `bun run db:generate` | 写 SQL migration 到 `./drizzle/` 并嵌入二进制 |
 | `bun run db:embed` | 仅重生 `migrations.gen.ts`（手改了 `./drizzle/*.sql` 后用） |
 | `bun run db:migrate` | 通过 drizzle-kit 在本地应用 migration（开发便利） |
 | `bun run db:studio` | Drizzle Studio（可视化 DB） |
 跨平台编译：`bun run compile:{linux,darwin,windows}[:arch]`。
 ## 端点
 | 路径 | 用途 |
 | --- | --- |
 | `/` | Todo 示例 UI |
 | `/health` | 存活探针（不查 DB，纯文本 `ok`） |
 | `/api/rpc` | ORPC RPC 端点（client 直连） |
 | `/api/docs` | Scalar 渲染的 API 文档 |
 | `/api/spec.json` | OpenAPI spec |
 ## 提交前
 ```bash
 bun run fix && bun run typecheck && bun run test
 ```
 没有 CI、没有 pre-commit hook——上面三条由你自觉跑。
@@ -0,0 +1,3 @@
 # electron-vite build output
 out/
 dist/
@@ -0,0 +1,95 @@
 # AGENTS.md - Desktop App Guidelines
 Thin Electron shell hosting the fullstack server app.
 ## Tech Stack
 > **⚠️ This project uses Bun as the package manager. Runtime is Electron (Node.js). Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, `yarn`, or `pnpm`.**
 - **Type**: Electron desktop shell
 - **Design**: Server-driven desktop (thin native window hosting web app)
 - **Runtime**: Electron (Main/Renderer) + Sidecar server binary (Bun-compiled)
 - **Build Tool**: electron-vite (Vite-based, handles main + preload builds)
 - **Packager**: electron-builder (installers, signing, auto-update)
 - **Orchestration**: Turborepo
 ## Architecture
 - **Server-driven design**: The desktop app is a "thin" native shell. It does not contain UI or business logic; it opens a BrowserWindow pointing to the `apps/server` TanStack Start application.
 - **Dev mode**: Opens a BrowserWindow pointing to `localhost:3000`. Requires `apps/server` to be running separately (Turbo handles this).
 - **Production mode**: Spawns a compiled server binary (from `resources/`) as a sidecar process, waits for readiness, then loads its URL.
 ## Commands
 ```bash
 bun run dev                    # electron-vite dev (requires server dev running)
 bun run build                  # electron-vite build (main + preload)
 bun run dist                   # Build + package for current platform
 bun run dist:linux             # Build + package for Linux (x64 + arm64)
 bun run dist:linux:x64         # Build + package for Linux x64
 bun run dist:linux:arm64       # Build + package for Linux arm64
 bun run dist:mac               # Build + package for macOS (arm64 + x64)
 bun run dist:mac:arm64         # Build + package for macOS arm64
 bun run dist:mac:x64           # Build + package for macOS x64
 bun run dist:win               # Build + package for Windows x64
 bun run fix                    # Biome auto-fix
 bun run typecheck              # TypeScript check
 ```
 ## Directory Structure
 ```
 .
 ├── src/
 │   ├── main/
 │   │   └── index.ts       # Main process (server lifecycle + BrowserWindow)
 │   └── preload/
 │       └── index.ts       # Preload script (security isolation)
 ├── resources/             # Sidecar binaries (gitignored, copied from server build)
 ├── out/                   # electron-vite build output (gitignored)
 ├── electron.vite.config.ts
 ├── electron-builder.yml   # Packaging configuration
 ├── package.json
 ├── turbo.json
 └── AGENTS.md
 ```
 ## Development Workflow
 1. **Start server**: `bun run dev` in `apps/server` (or use root `bun run dev` via Turbo).
 2. **Start desktop**: `bun run dev` in `apps/desktop`.
 3. **Connection**: Main process polls `localhost:3000` until responsive, then opens BrowserWindow.
 ## Production Build Workflow
 From monorepo root, run `bun run dist` to execute the full pipeline automatically (via Turbo task dependencies):
 1. **Build server**: `apps/server` → `vite build` → `.output/`
 2. **Compile server**: `apps/server` → `bun compile.ts --target ...` → `out/server-{os}-{arch}`
 3. **Package desktop**: `apps/desktop` → `electron-vite build` + `electron-builder` → distributable
 The `electron-builder.yml` `extraResources` config reads binaries directly from `../server/out/`, no manual copy needed.
 To build for a specific platform explicitly, use `bun run dist:linux` / `bun run dist:mac` / `bun run dist:win` in `apps/desktop`.
 For single-arch output, use `bun run dist:linux:x64`, `bun run dist:linux:arm64`, `bun run dist:mac:x64`, or `bun run dist:mac:arm64`.
 ## Development Principles
 > **These principles apply to ALL code changes. Agents MUST follow them on every task.**
 1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
 2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
 3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
 ## Critical Rules
 **DO:**
 - Use arrow functions for all utility functions.
 - Keep the desktop app as a thin shell — no UI or business logic.
 - Use `catalog:` for all dependency versions in `package.json`.
 **DON'T:**
 - Use `npm`, `npx`, `yarn`, or `pnpm`. Use `bun` for package management.
 - Include UI components or business logic in the desktop app.
 - Use `as any` or `@ts-ignore`.
 - Leave docs out of sync with code changes.
@@ -0,0 +1,9 @@
 {
  "$schema": "../../node_modules/@biomejs/biome/configuration_schema.json",
  "extends": "//",
  "css": {
    "parser": {
      "tailwindDirectives": true
    }
  }
 }
@@ -0,0 +1,48 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/electron-userland/electron-builder/refs/heads/master/packages/app-builder-lib/scheme.json
 appId: com.furtherverse.desktop
 productName: Furtherverse
 executableName: furtherverse
 npmRebuild: false
 asarUnpack:
  - resources/**
 files:
  - "!**/.vscode/*"
  - "!src/*"
  - "!electron.vite.config.{js,ts,mjs,cjs}"
  - "!{.env,.env.*,bun.lock}"
  - "!{tsconfig.json,tsconfig.node.json}"
  - "!{AGENTS.md,README.md,CHANGELOG.md}"
 # macOS
 mac:
  target:
    - dmg
  category: public.app-category.productivity
  extraResources:
    - from: ../server/out/server-darwin-${arch}
      to: server
 dmg:
  artifactName: ${productName}-${version}-${os}-${arch}.${ext}
 # Windows
 win:
  target:
    - portable
  extraResources:
    - from: ../server/out/server-windows-${arch}.exe
      to: server.exe
 portable:
  artifactName: ${productName}-${version}-${os}-${arch}-Portable.${ext}
 # Linux
 linux:
  target:
    - AppImage
  category: Utility
  extraResources:
    - from: ../server/out/server-linux-${arch}
      to: server
 appImage:
  artifactName: ${productName}-${version}-${os}-${arch}.${ext}
@@ -0,0 +1,11 @@
 import tailwindcss from '@tailwindcss/vite'
 import react from '@vitejs/plugin-react'
 import { defineConfig } from 'electron-vite'
 export default defineConfig({
  main: {},
  preload: {},
  renderer: {
    plugins: [react(), tailwindcss()],
  },
 })
@@ -0,0 +1,37 @@
 {
  "name": "@furtherverse/desktop",
  "version": "1.0.0",
  "private": true,
  "main": "out/main/index.js",
  "scripts": {
    "build": "electron-vite build",
    "dev": "electron-vite dev --watch",
    "dist": "electron-builder",
    "dist:linux": "bun run dist:linux:x64 && bun run dist:linux:arm64",
    "dist:linux:arm64": "electron-builder --linux --arm64",
    "dist:linux:x64": "electron-builder --linux --x64",
    "dist:mac": "bun run dist:mac:arm64 && bun run dist:mac:x64",
    "dist:mac:arm64": "electron-builder --mac --arm64",
    "dist:mac:x64": "electron-builder --mac --x64",
    "dist:win": "electron-builder --win --x64",
    "fix": "biome check --write",
    "typecheck": "tsc -b"
  },
  "dependencies": {
    "motion": "catalog:",
    "react": "catalog:",
    "react-dom": "catalog:",
    "tree-kill": "catalog:"
  },
  "devDependencies": {
    "@furtherverse/tsconfig": "workspace:*",
    "@tailwindcss/vite": "catalog:",
    "@types/node": "catalog:",
    "@vitejs/plugin-react": "catalog:",
    "electron": "catalog:",
    "electron-builder": "catalog:",
    "electron-vite": "catalog:",
    "tailwindcss": "catalog:",
    "vite": "catalog:"
  }
 }
@@ -0,0 +1,198 @@
 import { join } from 'node:path'
 import { app, BrowserWindow, dialog, session, shell } from 'electron'
 import { createSidecarRuntime } from './sidecar'
 const DEV_SERVER_URL = 'http://localhost:3000'
 const SAFE_EXTERNAL_PROTOCOLS = new Set(['https:', 'http:', 'mailto:'])
 let mainWindow: BrowserWindow | null = null
 let windowCreationPromise: Promise<void> | null = null
 let isQuitting = false
 const showErrorAndQuit = (title: string, detail: string) => {
  if (isQuitting) {
    return
  }
  dialog.showErrorBox(title, detail)
  app.quit()
 }
 const sidecar = createSidecarRuntime({
  devServerUrl: DEV_SERVER_URL,
  isPackaged: app.isPackaged,
  resourcesPath: process.resourcesPath,
  isQuitting: () => isQuitting,
  onUnexpectedStop: (detail) => {
    showErrorAndQuit('Service Stopped', detail)
  },
 })
 const toErrorMessage = (error: unknown): string => (error instanceof Error ? error.message : String(error))
 const canOpenExternally = (url: string): boolean => {
  try {
    const parsed = new URL(url)
    return SAFE_EXTERNAL_PROTOCOLS.has(parsed.protocol)
  } catch {
    return false
  }
 }
 const loadSplash = async (windowRef: BrowserWindow) => {
  if (process.env.ELECTRON_RENDERER_URL) {
    await windowRef.loadURL(process.env.ELECTRON_RENDERER_URL)
    return
  }
  await windowRef.loadFile(join(__dirname, '../renderer/index.html'))
 }
 const createWindow = async () => {
  if (mainWindow && !mainWindow.isDestroyed()) {
    mainWindow.focus()
    return
  }
  const windowRef = new BrowserWindow({
    width: 1200,
    height: 800,
    show: false,
    webPreferences: {
      preload: join(__dirname, '../preload/index.js'),
      sandbox: true,
      contextIsolation: true,
      nodeIntegration: false,
    },
  })
  mainWindow = windowRef
  windowRef.webContents.setWindowOpenHandler(({ url }) => {
    if (!canOpenExternally(url)) {
      if (!app.isPackaged) {
        console.warn(`Blocked external URL: ${url}`)
      }
      return { action: 'deny' }
    }
    void shell.openExternal(url)
    return { action: 'deny' }
  })
  windowRef.webContents.on('will-navigate', (event, url) => {
    const allowed = [DEV_SERVER_URL, sidecar.lastResolvedUrl].filter((v): v is string => v != null)
    const isAllowed = allowed.some((origin) => url.startsWith(origin))
    if (!isAllowed) {
      event.preventDefault()
      if (canOpenExternally(url)) {
        void shell.openExternal(url)
      } else if (!app.isPackaged) {
        console.warn(`Blocked navigation to: ${url}`)
      }
    }
  })
  windowRef.on('closed', () => {
    if (mainWindow === windowRef) {
      mainWindow = null
    }
  })
  try {
    await loadSplash(windowRef)
  } catch (error) {
    if (mainWindow === windowRef) {
      mainWindow = null
    }
    if (!windowRef.isDestroyed()) {
      windowRef.destroy()
    }
    throw error
  }
  if (!windowRef.isDestroyed()) {
    windowRef.show()
  }
  const targetUrl = await sidecar.resolveUrl()
  if (isQuitting || windowRef.isDestroyed()) {
    return
  }
  try {
    await windowRef.loadURL(targetUrl)
  } catch (error) {
    if (mainWindow === windowRef) {
      mainWindow = null
    }
    if (!windowRef.isDestroyed()) {
      windowRef.destroy()
    }
    throw error
  }
 }
 const ensureWindow = async () => {
  if (windowCreationPromise) {
    return windowCreationPromise
  }
  windowCreationPromise = createWindow().finally(() => {
    windowCreationPromise = null
  })
  return windowCreationPromise
 }
 const beginQuit = () => {
  isQuitting = true
  sidecar.stop()
 }
 const handleWindowCreationError = (error: unknown, context: string) => {
  console.error(`${context}:`, error)
  showErrorAndQuit(
    "App Couldn't Start",
    app.isPackaged
      ? 'A required component failed to start. Please reinstall the app.'
      : `${context}: ${toErrorMessage(error)}`,
  )
 }
 app
  .whenReady()
  .then(() => {
    session.defaultSession.setPermissionRequestHandler((_webContents, _permission, callback) => {
      callback(false)
    })
    return ensureWindow()
  })
  .catch((error) => {
    handleWindowCreationError(error, 'Failed to create window')
  })
 app.on('window-all-closed', () => {
  if (process.platform !== 'darwin') {
    app.quit()
  }
 })
 app.on('activate', () => {
  if (isQuitting || BrowserWindow.getAllWindows().length > 0) {
    return
  }
  ensureWindow().catch((error) => {
    handleWindowCreationError(error, 'Failed to re-create window')
  })
 })
 app.on('before-quit', beginQuit)
@@ -0,0 +1,256 @@
 import { type ChildProcess, spawn } from 'node:child_process'
 import { existsSync } from 'node:fs'
 import { createServer } from 'node:net'
 import { join } from 'node:path'
 import killProcessTree from 'tree-kill'
 const SERVER_HOST = '127.0.0.1'
 const SERVER_READY_TIMEOUT_MS = 10_000
 const SERVER_REQUEST_TIMEOUT_MS = 1_500
 const SERVER_POLL_INTERVAL_MS = 250
 const SERVER_PROBE_PATHS = ['/api/health', '/']
 type SidecarState = {
  process: ChildProcess | null
  startup: Promise<string> | null
  url: string | null
 }
 type SidecarRuntimeOptions = {
  devServerUrl: string
  isPackaged: boolean
  resourcesPath: string
  isQuitting: () => boolean
  onUnexpectedStop: (detail: string) => void
 }
 type SidecarRuntime = {
  resolveUrl: () => Promise<string>
  stop: () => void
  lastResolvedUrl: string | null
 }
 const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms))
 const isProcessAlive = (processToCheck: ChildProcess | null): processToCheck is ChildProcess => {
  if (!processToCheck || !processToCheck.pid) {
    return false
  }
  return processToCheck.exitCode === null && !processToCheck.killed
 }
 const getAvailablePort = (): Promise<number> =>
  new Promise((resolve, reject) => {
    const server = createServer()
    server.listen(0, () => {
      const addr = server.address()
      if (!addr || typeof addr === 'string') {
        server.close()
        reject(new Error('Failed to resolve port'))
        return
      }
      server.close(() => resolve(addr.port))
    })
    server.on('error', reject)
  })
 const isServerReady = async (url: string): Promise<boolean> => {
  for (const probePath of SERVER_PROBE_PATHS) {
    try {
      const probeUrl = new URL(probePath, `${url}/`)
      const response = await fetch(probeUrl, {
        method: 'GET',
        cache: 'no-store',
        signal: AbortSignal.timeout(SERVER_REQUEST_TIMEOUT_MS),
      })
      if (response.status < 500) {
        if (probePath === '/api/health' && response.status === 404) {
          continue
        }
        return true
      }
    } catch {
      // Expected: probe request fails while server is still starting up
    }
  }
  return false
 }
 const waitForServer = async (url: string, isQuitting: () => boolean, processRef?: ChildProcess): Promise<boolean> => {
  const start = Date.now()
  while (Date.now() - start < SERVER_READY_TIMEOUT_MS && !isQuitting()) {
    if (processRef && processRef.exitCode !== null) {
      return false
    }
    if (await isServerReady(url)) {
      return true
    }
    await sleep(SERVER_POLL_INTERVAL_MS)
  }
  return false
 }
 const resolveBinaryPath = (resourcesPath: string): string => {
  const binaryName = process.platform === 'win32' ? 'server.exe' : 'server'
  return join(resourcesPath, binaryName)
 }
 const formatUnexpectedStopMessage = (
  isPackaged: boolean,
  code: number | null,
  signal: NodeJS.Signals | null,
 ): string => {
  if (isPackaged) {
    return 'The background service stopped unexpectedly. Please restart the app.'
  }
  return `Server process exited unexpectedly (code ${code ?? 'unknown'}, signal ${signal ?? 'none'}).`
 }
 export const createSidecarRuntime = (options: SidecarRuntimeOptions): SidecarRuntime => {
  const state: SidecarState = {
    process: null,
    startup: null,
    url: null,
  }
  const resetState = (processRef?: ChildProcess) => {
    if (processRef && state.process !== processRef) {
      return
    }
    state.process = null
    state.url = null
  }
  const stop = () => {
    const runningServer = state.process
    resetState()
    if (!runningServer?.pid || runningServer.exitCode !== null) {
      return
    }
    killProcessTree(runningServer.pid, 'SIGTERM', (error?: Error) => {
      if (error) {
        console.error('Failed to stop server process:', error)
      }
    })
  }
  const attachLifecycleHandlers = (processRef: ChildProcess) => {
    processRef.on('error', (error) => {
      if (state.process !== processRef) {
        return
      }
      const hadReadyServer = state.url !== null
      resetState(processRef)
      if (!options.isQuitting() && hadReadyServer) {
        options.onUnexpectedStop('The background service crashed unexpectedly. Please restart the app.')
        return
      }
      console.error('Failed to start server process:', error)
    })
    processRef.on('exit', (code, signal) => {
      if (state.process !== processRef) {
        return
      }
      const hadReadyServer = state.url !== null
      resetState(processRef)
      if (!options.isQuitting() && hadReadyServer) {
        options.onUnexpectedStop(formatUnexpectedStopMessage(options.isPackaged, code, signal))
      }
    })
  }
  const startPackagedServer = async (): Promise<string> => {
    if (state.url && isProcessAlive(state.process)) {
      return state.url
    }
    if (state.startup) {
      return state.startup
    }
    state.startup = (async () => {
      const binaryPath = resolveBinaryPath(options.resourcesPath)
      if (!existsSync(binaryPath)) {
        throw new Error(`Sidecar server binary is missing: ${binaryPath}`)
      }
      if (options.isQuitting()) {
        throw new Error('Application is shutting down.')
      }
      const port = await getAvailablePort()
      const nextServerUrl = `http://${SERVER_HOST}:${port}`
      const processRef = spawn(binaryPath, [], {
        env: {
          ...process.env,
          HOST: SERVER_HOST,
          PORT: String(port),
        },
        stdio: 'ignore',
        windowsHide: true,
      })
      processRef.unref()
      state.process = processRef
      attachLifecycleHandlers(processRef)
      const ready = await waitForServer(nextServerUrl, options.isQuitting, processRef)
      if (ready && isProcessAlive(processRef)) {
        state.url = nextServerUrl
        return nextServerUrl
      }
      const failureReason =
        processRef.exitCode !== null
          ? `The service exited early (code ${processRef.exitCode}).`
          : `The service did not respond at ${nextServerUrl} within 10 seconds.`
      stop()
      throw new Error(failureReason)
    })().finally(() => {
      state.startup = null
    })
    return state.startup
  }
  const resolveUrl = async (): Promise<string> => {
    if (options.isPackaged) {
      return startPackagedServer()
    }
    const ready = await waitForServer(options.devServerUrl, options.isQuitting)
    if (!ready) {
      throw new Error('Dev server not responding. Run `bun dev` in apps/server first.')
    }
    state.url = options.devServerUrl
    return options.devServerUrl
  }
  return {
    resolveUrl,
    stop,
    get lastResolvedUrl() {
      return state.url
    },
  }
 }
@@ -0,0 +1 @@
 export {}
@@ -0,0 +1,33 @@
 import { motion } from 'motion/react'
 import logoImage from '../assets/logo.png'
 export const SplashApp = () => {
  return (
    <main className="m-0 flex h-screen w-screen cursor-default select-none items-center justify-center overflow-hidden bg-white font-sans antialiased">
      <motion.section
        animate={{ opacity: 1, y: 0 }}
        className="flex flex-col items-center gap-8"
        initial={{ opacity: 0, y: 4 }}
        transition={{
          duration: 1,
          ease: [0.16, 1, 0.3, 1],
        }}
      >
        <img alt="Logo" className="h-20 w-auto object-contain" draggable={false} src={logoImage} />
        <div className="relative h-[4px] w-36 overflow-hidden rounded-full bg-zinc-100">
          <motion.div
            animate={{ x: '100%' }}
            className="h-full w-full bg-zinc-800"
            initial={{ x: '-100%' }}
            transition={{
              duration: 2,
              ease: [0.4, 0, 0.2, 1],
              repeat: Infinity,
            }}
          />
        </div>
      </motion.section>
    </main>
  )
 }
@@ -0,0 +1,12 @@
 <!doctype html>
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Furtherverse</title>
  </head>
  <body>
    <div id="root"></div>
    <script type="module" src="./main.tsx"></script>
  </body>
 </html>
@@ -0,0 +1,11 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import { SplashApp } from './components/SplashApp'
 import './styles.css'
 // biome-ignore lint/style/noNonNullAssertion: 一定存在
 createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <SplashApp />
  </StrictMode>,
 )
@@ -0,0 +1,8 @@
 {
  "extends": "@furtherverse/tsconfig/react.json",
  "compilerOptions": {
    "composite": true,
    "types": ["vite/client"]
  },
  "include": ["src/renderer/**/*"]
 }
@@ -0,0 +1,11 @@
 {
  "files": [],
  "references": [
    {
      "path": "./tsconfig.app.json"
    },
    {
      "path": "./tsconfig.node.json"
    }
  ]
 }
@@ -0,0 +1,8 @@
 {
  "extends": "@furtherverse/tsconfig/base.json",
  "compilerOptions": {
    "composite": true,
    "types": ["node"]
  },
  "include": ["src/main/**/*", "src/preload/**/*", "electron.vite.config.ts"]
 }
@@ -0,0 +1,41 @@
 {
  "$schema": "../../node_modules/turbo/schema.json",
  "extends": ["//"],
  "tasks": {
    "build": {
      "outputs": ["out/**"]
    },
    "dist": {
      "dependsOn": ["build", "@furtherverse/server#compile"],
      "outputs": ["dist/**"]
    },
    "dist:linux": {
      "dependsOn": ["build", "@furtherverse/server#compile:linux:arm64", "@furtherverse/server#compile:linux:x64"],
      "outputs": ["dist/**"]
    },
    "dist:linux:arm64": {
      "dependsOn": ["build", "@furtherverse/server#compile:linux:arm64"],
      "outputs": ["dist/**"]
    },
    "dist:linux:x64": {
      "dependsOn": ["build", "@furtherverse/server#compile:linux:x64"],
      "outputs": ["dist/**"]
    },
    "dist:mac": {
      "dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64", "@furtherverse/server#compile:darwin:x64"],
      "outputs": ["dist/**"]
    },
    "dist:mac:arm64": {
      "dependsOn": ["build", "@furtherverse/server#compile:darwin:arm64"],
      "outputs": ["dist/**"]
    },
    "dist:mac:x64": {
      "dependsOn": ["build", "@furtherverse/server#compile:darwin:x64"],
      "outputs": ["dist/**"]
    },
    "dist:win": {
      "dependsOn": ["build", "@furtherverse/server#compile:windows:x64"],
      "outputs": ["dist/**"]
    }
  }
 }
@@ -0,0 +1 @@
 DATABASE_PATH=data.db
@@ -0,0 +1,279 @@
 # AGENTS.md - Server App Guidelines
 TanStack Start fullstack web app with ORPC (contract-first RPC).
 ## Tech Stack
 > **⚠️ This project uses Bun — NOT Node.js / npm. All commands use `bun`. Always use `bun run <script>` (not `bun <script>`) to avoid conflicts with Bun built-in subcommands. Never use `npm`, `npx`, or `node`.**
 - **Framework**: TanStack Start (React 19 SSR, file-based routing)
 - **Runtime**: Bun — **NOT Node.js**
 - **Package Manager**: Bun — **NOT npm / yarn / pnpm**
 - **Language**: TypeScript (strict mode)
 - **Styling**: Tailwind CSS v4
 - **Database**: PostgreSQL + Drizzle ORM v1 beta (`drizzle-orm/postgres-js`, RQBv2)
 - **State**: TanStack Query v5
 - **RPC**: ORPC (contract-first, type-safe)
 - **Build**: Vite + Nitro
 ## Commands
 ```bash
 # Development
 bun run dev                    # Vite dev server (localhost:3000)
 bun run db:studio              # Drizzle Studio GUI
 # Build
 bun run build                  # Production build → .output/
 bun run compile                # Compile to standalone binary (current platform, depends on build)
 bun run compile:darwin         # Compile for macOS (arm64 + x64)
 bun run compile:darwin:arm64   # Compile for macOS arm64
 bun run compile:darwin:x64     # Compile for macOS x64
 bun run compile:linux          # Compile for Linux (x64 + arm64)
 bun run compile:linux:arm64    # Compile for Linux arm64
 bun run compile:linux:x64      # Compile for Linux x64
 bun run compile:windows        # Compile for Windows (default: x64)
 bun run compile:windows:x64    # Compile for Windows x64
 # Code Quality
 bun run fix                    # Biome auto-fix
 bun run typecheck              # TypeScript check
 # Database
 bun run db:generate            # Generate migrations from schema
 bun run db:migrate             # Run migrations
 bun run db:push                # Push schema directly (dev only)
 # Testing (not yet configured)
 bun test path/to/test.ts       # Run single test
 bun test -t "pattern"          # Run tests matching pattern
 ```
 ## Directory Structure
 ```
 src/
 ├── client/                # Client-side code
 │   └── orpc.ts            # ORPC client + TanStack Query utils (single entry point)
 ├── components/            # React components
 ├── routes/                # TanStack Router file routes
 │   ├── __root.tsx         # Root layout
 │   ├── index.tsx          # Home page
 │   └── api/
 │       ├── $.ts           # OpenAPI handler + Scalar docs
 │       ├── health.ts      # Health check endpoint
 │       └── rpc.$.ts       # ORPC RPC handler
 ├── server/                # Server-side code
 │   ├── api/               # ORPC layer
 │   │   ├── contracts/     # Input/output schemas (Zod)
 │   │   ├── middlewares/   # Middleware (db provider, auth)
 │   │   ├── routers/       # Handler implementations
 │   │   ├── interceptors.ts # Shared error interceptors
 │   │   ├── context.ts     # Request context
 │   │   ├── server.ts      # ORPC server instance
 │   │   └── types.ts       # Type exports
 │   └── db/
 │       ├── schema/        # Drizzle table definitions
 │       ├── fields.ts      # Shared field builders (id, createdAt, updatedAt)
 │       ├── relations.ts   # Drizzle relations (defineRelations, RQBv2)
 │       └── index.ts       # Database instance (postgres-js driver)
 ├── env.ts                 # Environment variable validation
 ├── router.tsx             # Router configuration
 ├── routeTree.gen.ts       # Auto-generated (DO NOT EDIT)
 └── styles.css             # Tailwind entry
 ```
 ## ORPC Pattern
 ### 1. Define Contract (`src/server/api/contracts/feature.contract.ts`)
 ```typescript
 import { oc } from '@orpc/contract'
 import { createSelectSchema } from 'drizzle-orm/zod'
 import { z } from 'zod'
 import { featureTable } from '@/server/db/schema'
 const selectSchema = createSelectSchema(featureTable)
 export const list = oc.input(z.void()).output(z.array(selectSchema))
 export const create = oc.input(insertSchema).output(selectSchema)
 ```
 ### 2. Implement Router (`src/server/api/routers/feature.router.ts`)
 ```typescript
 import { ORPCError } from '@orpc/server'
 import { db } from '../middlewares'
 import { os } from '../server'
 export const list = os.feature.list.use(db).handler(async ({ context }) => {
  return await context.db.query.featureTable.findMany({
    orderBy: { createdAt: 'desc' },
  })
 })
 ```
 ### 3. Register in Index Files
 ```typescript
 // src/server/api/contracts/index.ts
 import * as feature from './feature.contract'
 export const contract = { feature }
 // src/server/api/routers/index.ts
 import * as feature from './feature.router'
 export const router = os.router({ feature })
 ```
 ### 4. Use in Components
 ```typescript
 import { useSuspenseQuery, useMutation } from '@tanstack/react-query'
 import { orpc } from '@/client/orpc'
 const { data } = useSuspenseQuery(orpc.feature.list.queryOptions())
 const mutation = useMutation(orpc.feature.create.mutationOptions())
 ```
 ## Database (Drizzle ORM v1 beta)
 - **Driver**: `drizzle-orm/postgres-js` (NOT `bun-sql`)
 - **Validation**: `drizzle-orm/zod` (built-in, NOT separate `drizzle-zod` package)
 - **Relations**: Defined via `defineRelations()` in `src/server/db/relations.ts`
 - **Query**: RQBv2 — use `db.query.tableName.findMany()` with object-style `orderBy` and `where`
 ### Schema Definition
 ```typescript
 import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core'
 import { sql } from 'drizzle-orm'
 export const myTable = pgTable('my_table', {
  id: uuid().primaryKey().default(sql`uuidv7()`),
  name: text().notNull(),
  createdAt: timestamp({ withTimezone: true }).notNull().defaultNow(),
  updatedAt: timestamp({ withTimezone: true }).notNull().defaultNow().$onUpdateFn(() => new Date()),
 })
 ```
 ### Relations (RQBv2)
 ```typescript
 // src/server/db/relations.ts
 import { defineRelations } from 'drizzle-orm'
 import * as schema from './schema'
 export const relations = defineRelations(schema, (r) => ({
  // Define relations here using r.one / r.many / r.through
 }))
 ```
 ### DB Instance
 ```typescript
 // src/server/db/index.ts
 import { drizzle } from 'drizzle-orm/postgres-js'
 import { relations } from '@/server/db/relations'
 // In RQBv2, relations already contain schema info — no separate schema import needed
 const db = drizzle({
  connection: env.DATABASE_URL,
  relations,
 })
 ```
 ### RQBv2 Query Examples
 ```typescript
 // Object-style orderBy (NOT callback style)
 const todos = await db.query.todoTable.findMany({
  orderBy: { createdAt: 'desc' },
 })
 // Object-style where
 const todo = await db.query.todoTable.findFirst({
  where: { id: someId },
 })
 ```
 ## Code Style
 ### Formatting (Biome)
 - **Indent**: 2 spaces
 - **Quotes**: Single `'`
 - **Semicolons**: Omit (ASI)
 - **Arrow parens**: Always `(x) => x`
 ### Imports
 Biome auto-organizes:
 1. External packages
 2. Internal `@/*` aliases
 3. Type imports (`import type { ... }`)
 ```typescript
 import { createFileRoute } from '@tanstack/react-router'
 import { z } from 'zod'
 import { db } from '@/server/db'
 import type { ReactNode } from 'react'
 ```
 ### TypeScript
 - `strict: true`
 - `noUncheckedIndexedAccess: true` - array access returns `T | undefined`
 - Use `@/*` path aliases (maps to `src/*`)
 ### Naming
 | Type | Convention | Example |
 |------|------------|---------|
 | Files (utils) | kebab-case | `auth-utils.ts` |
 | Files (components) | PascalCase | `UserProfile.tsx` |
 | Components | PascalCase arrow | `const Button = () => {}` |
 | Functions | camelCase | `getUserById` |
 | Types | PascalCase | `UserProfile` |
 ### React
 - Use arrow functions for components (Biome enforced)
 - Use `useSuspenseQuery` for guaranteed data
 - Let React Compiler handle memoization (no manual `useMemo`/`useCallback`)
 ## Environment Variables
 ```typescript
 // src/env.ts - using @t3-oss/env-core
 import { createEnv } from '@t3-oss/env-core'
 import { z } from 'zod'
 export const env = createEnv({
  server: {
    DATABASE_URL: z.string().url(),
  },
  clientPrefix: 'VITE_',
  client: {
    VITE_API_URL: z.string().optional(),
  },
 })
 ```
 ## Development Principles
 > **These principles apply to ALL code changes. Agents MUST follow them on every task.**
 1. **No backward compatibility** — This project is in rapid iteration. Always use the latest API and patterns. Never keep deprecated code paths or old API fallbacks.
 2. **Always sync documentation** — When code changes, immediately update all related documentation (`AGENTS.md`, `README.md`, inline code examples). Code and docs must never drift apart.
 3. **Forward-only migration** — When upgrading dependencies, fully adopt the new API. Don't mix old and new patterns.
 ## Critical Rules
 **DO:**
 - Run `bun run fix` before committing
 - Use `@/*` path aliases
 - Include `createdAt`/`updatedAt` on all tables
 - Use `ORPCError` with proper codes
 - Use `drizzle-orm/zod` (NOT `drizzle-zod`) for schema validation
 - Use RQBv2 object syntax for `orderBy` and `where`
 - Update `AGENTS.md` and other docs whenever code patterns change
 **DON'T:**
 - Use `npm`, `npx`, `node`, `yarn`, `pnpm` — always use `bun` / `bunx`
 - Edit `src/routeTree.gen.ts` (auto-generated)
 - Use `as any`, `@ts-ignore`, `@ts-expect-error`
 - Commit `.env` files
 - Use empty catch blocks
 - Import from `drizzle-zod` (use `drizzle-orm/zod` instead)
 - Use RQBv1 callback-style `orderBy` / old `relations()` API
 - Use `drizzle-orm/bun-sql` driver (use `drizzle-orm/postgres-js`)
 - Pass `schema` to `drizzle()` constructor (only `relations` is needed in RQBv2)
 - Import `os` from `@orpc/server` in middleware — use `@/server/api/server` (the local typed instance)
 - Leave docs out of sync with code changes
@@ -0,0 +1,12 @@
 {
  "$schema": "../../node_modules/@biomejs/biome/configuration_schema.json",
  "extends": "//",
  "files": {
    "includes": ["**", "!**/routeTree.gen.ts"]
  },
  "css": {
    "parser": {
      "tailwindDirectives": true
    }
  }
 }
@@ -1,8 +1,7 @@
 import { mkdir, rm } from 'node:fs/promises'
 import { basename } from 'node:path'
 import { parseArgs } from 'node:util'
-const ENTRYPOINT = 'src/bin.ts'
+const ENTRYPOINT = '.output/server/index.mjs'
 const OUTDIR = 'out'
 const SUPPORTED_TARGETS: readonly Bun.Build.CompileTarget[] = [
@@ -13,9 +12,8 @@ const SUPPORTED_TARGETS: readonly Bun.Build.CompileTarget[] = [
  'bun-linux-arm64',
 ]
-const SUPPORTED_TARGET_SET: ReadonlySet<string> = new Set(SUPPORTED_TARGETS)
+const isSupportedTarget = (value: string): value is Bun.Build.CompileTarget =>
-
+  (SUPPORTED_TARGETS as readonly string[]).includes(value)
 const isSupportedTarget = (value: string): value is Bun.Build.CompileTarget => SUPPORTED_TARGET_SET.has(value)
 const { values } = parseArgs({
  options: { target: { type: 'string' } },
@@ -50,20 +48,13 @@ const main = async () => {
  const result = await Bun.build({
    entrypoints: [ENTRYPOINT],
    outdir: OUTDIR,
-    // autoloadDotenv: false — produce a deterministic binary; it must not silently consume a .env from cwd.
+    compile: { outfile, target },
    compile: { outfile, target, autoloadDotenv: false },
    minify: true,
    bytecode: true,
    sourcemap: 'inline',
  })
  if (!result.success) {
    throw new Error(result.logs.map(String).join('\n'))
  }
  // Bun bundler still writes *.js.map next to the binary even with inline sourcemap.
  await rm(`${OUTDIR}/${basename(ENTRYPOINT, '.ts')}.js.map`, { force: true })
  console.log(`✓ ${target} → ${OUTDIR}/${outfile}`)
 }
@@ -1,11 +1,12 @@
 import { defineConfig } from 'drizzle-kit'
-import { env } from './src/env'
+
 const databasePath = process.env.DATABASE_PATH ?? 'data.db'
 export default defineConfig({
  out: './drizzle',
  schema: './src/server/db/schema/index.ts',
-  dialect: 'postgresql',
+  dialect: 'sqlite',
  dbCredentials: {
-    url: env.DATABASE_URL,
+    url: databasePath,
  },
 })
@@ -0,0 +1,63 @@
 {
  "name": "@furtherverse/server",
  "version": "1.0.0",
  "private": true,
  "type": "module",
  "scripts": {
    "build": "bunx --bun vite build",
    "compile": "bun compile.ts",
    "compile:darwin": "bun run compile:darwin:arm64 && bun run compile:darwin:x64",
    "compile:darwin:arm64": "bun compile.ts --target bun-darwin-arm64",
    "compile:darwin:x64": "bun compile.ts --target bun-darwin-x64",
    "compile:linux": "bun run compile:linux:x64 && bun run compile:linux:arm64",
    "compile:linux:arm64": "bun compile.ts --target bun-linux-arm64",
    "compile:linux:x64": "bun compile.ts --target bun-linux-x64",
    "compile:windows": "bun run compile:windows:x64",
    "compile:windows:x64": "bun compile.ts --target bun-windows-x64",
    "db:generate": "bun --bun drizzle-kit generate",
    "db:migrate": "bun --bun drizzle-kit migrate",
    "db:push": "bun --bun drizzle-kit push",
    "db:studio": "bun --bun drizzle-kit studio",
    "dev": "bunx --bun vite dev",
    "fix": "biome check --write",
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
    "@furtherverse/crypto": "workspace:*",
    "@orpc/client": "catalog:",
    "@orpc/contract": "catalog:",
    "@orpc/openapi": "catalog:",
    "@orpc/server": "catalog:",
    "@orpc/tanstack-query": "catalog:",
    "@orpc/zod": "catalog:",
    "@t3-oss/env-core": "catalog:",
    "@tanstack/react-query": "catalog:",
    "@tanstack/react-router": "catalog:",
    "@tanstack/react-router-ssr-query": "catalog:",
    "@tanstack/react-start": "catalog:",
    "drizzle-orm": "catalog:",
    "jszip": "catalog:",
    "lossless-json": "catalog:",
    "react": "catalog:",
    "react-dom": "catalog:",
    "systeminformation": "catalog:",
    "uuid": "catalog:",
    "zod": "catalog:"
  },
  "devDependencies": {
    "@furtherverse/tsconfig": "workspace:*",
    "@tailwindcss/vite": "catalog:",
    "@tanstack/devtools-vite": "catalog:",
    "@tanstack/react-devtools": "catalog:",
    "@tanstack/react-query-devtools": "catalog:",
    "@tanstack/react-router-devtools": "catalog:",
    "@types/bun": "catalog:",
    "@vitejs/plugin-react": "catalog:",
    "babel-plugin-react-compiler": "catalog:",
    "drizzle-kit": "catalog:",
    "nitro": "catalog:",
    "tailwindcss": "catalog:",
    "vite": "catalog:",
    "vite-tsconfig-paths": "catalog:"
  }
 }
@@ -0,0 +1,3 @@
 # https://www.robotstxt.org/robotstxt.html
 User-agent: *
 Disallow:
@@ -0,0 +1,3 @@
 export function ErrorComponent() {
  return <div>An unhandled error happened!</div>
 }
@@ -0,0 +1,3 @@
 export function NotFoundComponent() {
  return <div>404 - Not Found</div>
 }
@@ -0,0 +1,14 @@
 import { createEnv } from '@t3-oss/env-core'
 import { z } from 'zod'
 export const env = createEnv({
  server: {
    DATABASE_PATH: z.string().min(1).default('data.db'),
  },
  clientPrefix: 'VITE_',
  client: {
    VITE_APP_TITLE: z.string().min(1).optional(),
  },
  runtimeEnv: process.env,
  emptyStringAsUndefined: true,
 })
@@ -9,21 +9,21 @@
 // Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified.
 import { Route as rootRouteImport } from './routes/__root'
 import { Route as HealthRouteImport } from './routes/health'
 import { Route as IndexRouteImport } from './routes/index'
 import { Route as ApiHealthRouteImport } from './routes/api/health'
 import { Route as ApiSplatRouteImport } from './routes/api/$'
 import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc.$'
 const HealthRoute = HealthRouteImport.update({
  id: '/health',
  path: '/health',
  getParentRoute: () => rootRouteImport,
 } as any)
 const IndexRoute = IndexRouteImport.update({
  id: '/',
  path: '/',
  getParentRoute: () => rootRouteImport,
 } as any)
 const ApiHealthRoute = ApiHealthRouteImport.update({
  id: '/api/health',
  path: '/api/health',
  getParentRoute: () => rootRouteImport,
 } as any)
 const ApiSplatRoute = ApiSplatRouteImport.update({
  id: '/api/$',
  path: '/api/$',
@@ -37,47 +37,40 @@ const ApiRpcSplatRoute = ApiRpcSplatRouteImport.update({
 export interface FileRoutesByFullPath {
  '/': typeof IndexRoute
  '/health': typeof HealthRoute
  '/api/$': typeof ApiSplatRoute
  '/api/health': typeof ApiHealthRoute
  '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRoutesByTo {
  '/': typeof IndexRoute
  '/health': typeof HealthRoute
  '/api/$': typeof ApiSplatRoute
  '/api/health': typeof ApiHealthRoute
  '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRoutesById {
  __root__: typeof rootRouteImport
  '/': typeof IndexRoute
  '/health': typeof HealthRoute
  '/api/$': typeof ApiSplatRoute
  '/api/health': typeof ApiHealthRoute
  '/api/rpc/$': typeof ApiRpcSplatRoute
 }
 export interface FileRouteTypes {
  fileRoutesByFullPath: FileRoutesByFullPath
-  fullPaths: '/' | '/health' | '/api/$' | '/api/rpc/$'
+  fullPaths: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
  fileRoutesByTo: FileRoutesByTo
-  to: '/' | '/health' | '/api/$' | '/api/rpc/$'
+  to: '/' | '/api/$' | '/api/health' | '/api/rpc/$'
-  id: '__root__' | '/' | '/health' | '/api/$' | '/api/rpc/$'
+  id: '__root__' | '/' | '/api/$' | '/api/health' | '/api/rpc/$'
  fileRoutesById: FileRoutesById
 }
 export interface RootRouteChildren {
  IndexRoute: typeof IndexRoute
  HealthRoute: typeof HealthRoute
  ApiSplatRoute: typeof ApiSplatRoute
  ApiHealthRoute: typeof ApiHealthRoute
  ApiRpcSplatRoute: typeof ApiRpcSplatRoute
 }
 declare module '@tanstack/react-router' {
  interface FileRoutesByPath {
    '/health': {
      id: '/health'
      path: '/health'
      fullPath: '/health'
      preLoaderRoute: typeof HealthRouteImport
      parentRoute: typeof rootRouteImport
    }
    '/': {
      id: '/'
      path: '/'
@@ -85,6 +78,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof IndexRouteImport
      parentRoute: typeof rootRouteImport
    }
    '/api/health': {
      id: '/api/health'
      path: '/api/health'
      fullPath: '/api/health'
      preLoaderRoute: typeof ApiHealthRouteImport
      parentRoute: typeof rootRouteImport
    }
    '/api/$': {
      id: '/api/$'
      path: '/api/$'
@@ -104,8 +104,8 @@ declare module '@tanstack/react-router' {
 const rootRouteChildren: RootRouteChildren = {
  IndexRoute: IndexRoute,
  HealthRoute: HealthRoute,
  ApiSplatRoute: ApiSplatRoute,
  ApiHealthRoute: ApiHealthRoute,
  ApiRpcSplatRoute: ApiRpcSplatRoute,
 }
 export const routeTree = rootRouteImport
@@ -4,7 +4,6 @@ import { ReactQueryDevtoolsPanel } from '@tanstack/react-query-devtools'
 import { createRootRouteWithContext, HeadContent, Scripts } from '@tanstack/react-router'
 import { TanStackRouterDevtoolsPanel } from '@tanstack/react-router-devtools'
 import type { ReactNode } from 'react'
 import { name } from '#package'
 import { ErrorComponent } from '@/components/Error'
 import { NotFoundComponent } from '@/components/NotFound'
 import appCss from '@/styles.css?url'
@@ -24,7 +23,7 @@ export const Route = createRootRouteWithContext<RouterContext>()({
        content: 'width=device-width, initial-scale=1',
      },
      {
-        title: name,
+        title: 'Furtherverse',
      },
    ],
    links: [
@@ -35,8 +34,8 @@ export const Route = createRootRouteWithContext<RouterContext>()({
    ],
  }),
  shellComponent: RootDocument,
-  errorComponent: ErrorComponent,
+  errorComponent: () => <ErrorComponent />,
-  notFoundComponent: NotFoundComponent,
+  notFoundComponent: () => <NotFoundComponent />,
 })
 function RootDocument({ children }: Readonly<{ children: ReactNode }>) {
@@ -3,7 +3,7 @@ import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
 import { onError } from '@orpc/server'
 import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
 import { createFileRoute } from '@tanstack/react-router'
-import { name, version } from '#package'
+import { name, version } from '@/../package.json'
 import { handleValidationError, logError } from '@/server/api/interceptors'
 import { router } from '@/server/api/routers'
@@ -16,6 +16,8 @@ const handler = new OpenAPIHandler(router, {
        info: {
          title: name,
          version,
          description:
            'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用，覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序：\n1) 写入平台公钥；\n2) 写入已签名 licence JSON；\n3) 写入 OpenPGP 私钥；\n4) 读取本机身份状态进行前置校验；\n5) 执行加密/解密与签名接口。\n\n说明：除文件下载接口外，返回体均为 JSON；字段示例已提供，便于联调和 Mock。',
        },
      },
      docsPath: '/docs',
@@ -0,0 +1,27 @@
 import { createFileRoute } from '@tanstack/react-router'
 import { name, version } from '@/../package.json'
 const createHealthResponse = (): Response =>
  Response.json(
    {
      status: 'ok',
      service: name,
      version,
      timestamp: new Date().toISOString(),
    },
    {
      status: 200,
      headers: {
        'cache-control': 'no-store',
      },
    },
  )
 export const Route = createFileRoute('/api/health')({
  server: {
    handlers: {
      GET: async () => createHealthResponse(),
      HEAD: async () => new Response(null, { status: 200 }),
    },
  },
 })
@@ -0,0 +1,21 @@
 import { createFileRoute } from '@tanstack/react-router'
 export const Route = createFileRoute('/')({
  component: Home,
 })
 function Home() {
  return (
    <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
      <div className="text-center space-y-4">
        <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
        <p className="text-slate-500">
          API:&nbsp;
          <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
            /api
          </a>
        </p>
      </div>
    </div>
  )
 }
@@ -0,0 +1,25 @@
 import type { DB } from '@/server/db'
 /**
 * 基础 Context - 所有请求都包含的上下文
 */
 export interface BaseContext {
  headers: Headers
 }
 /**
 * 数据库 Context - 通过 db middleware 扩展
 */
 export interface DBContext extends BaseContext {
  db: DB
 }
 /**
 * 认证 Context - 通过 auth middleware 扩展（未来使用）
 *
 * @example
 * export interface AuthContext extends DBContext {
 *   userId: string
 *   user: User
 * }
 */
@@ -0,0 +1,127 @@
 import { oc } from '@orpc/contract'
 import { z } from 'zod'
 import { licenceEnvelopeSchema } from '@/server/licence'
 const licenceOutput = z
  .object({
    licenceId: z.string().describe('验签通过后的 licence 标识'),
    expireTime: z.string().describe('授权到期日，格式为 YYYY-MM-DD'),
    isExpired: z.boolean().describe('当前 licence 是否已过期（按 UTC 自然日计算）'),
  })
  .describe('当前已安装 licence 的验证后元数据')
 const configOutput = z
  .object({
    licence: licenceOutput.nullable().describe('当前本地已验证 licence 的元数据，未设置时为 null'),
    fingerprint: z.string().describe('UX 本机计算得到的设备特征码（SHA-256）'),
    hasPlatformPublicKey: z.boolean().describe('是否已配置平台公钥'),
    hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
  })
  .describe('本地身份配置快照，用于判断设备授权初始化是否完成')
  .meta({
    examples: [
      {
        licence: {
          licenceId: 'LIC-20260319-0025',
          expireTime: '2027-03-19',
          isExpired: false,
        },
        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
        hasPlatformPublicKey: true,
        hasPgpPrivateKey: true,
      },
      {
        licence: null,
        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
        hasPlatformPublicKey: false,
        hasPgpPrivateKey: false,
      },
    ],
  })
 export const get = oc
  .route({
    method: 'POST',
    path: '/config/get',
    operationId: 'configGet',
    summary: '读取本机身份配置',
    description:
      '查询 UX 当前本地身份配置状态。\n\n典型用途：页面初始化时检测授权状态、验签前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容：\n- licence：当前已验证 licence 的元数据，未设置时为 null；\n- fingerprint：设备特征码（本机自动计算）；\n- hasPlatformPublicKey：是否已写入平台公钥；\n- hasPgpPrivateKey：是否已写入 OpenPGP 私钥。',
    tags: ['Config'],
  })
  .input(z.object({}).describe('空请求体，仅触发读取当前配置'))
  .output(configOutput)
 export const setLicence = oc
  .route({
    method: 'POST',
    path: '/config/set-licence',
    operationId: 'configSetLicence',
    summary: '写入本地 licence',
    description:
      '写入或更新本机持久化 licence。\n\n调用时机：设备首次激活、授权码变更、授权修复。\n\n约束与行为：\n- 接收 `.lic` 文件内容对应的 JSON 信封，而不是文件上传；\n- 使用已配置的平台公钥对 payload 原始字符串做 SHA256withRSA 验签；\n- 仅在验签通过且 expire_time 未过期时持久化；\n- fingerprint 由本机自动计算，不允许外部覆盖；\n- 成功后返回最新配置快照，便于前端立即刷新授权状态。',
    tags: ['Config'],
  })
  .input(
    licenceEnvelopeSchema.meta({
      examples: [
        {
          payload: 'eyJsaWNlbmNlX2lkIjoiTElDLTIwMjYwMzE5LTAwMjUiLCJleHBpcmVfdGltZSI6IjIwMjctMDMtMTkifQ==',
          signature:
            'aLd+wwpz1W5AS0jgE/IstSNjCAQ5estQYIMqeLXRWMIsnKxjZpCvC8O5q/G5LEBBLJXnbTk8N6IMTUx295nf2HQYlXNtJkWiBeUXQ6/uzs0RbhCeRAWK2Hx4kSsmiEv4AHGLb4ozI2XekTc+40+ApJQYqaWbDu/NU99TmDm3/da1VkKpQxH60BhSQVwBtU67w9Vp3SpWm8y1faQ7ci5WDtJf1JZaS70kPXoGeA5018rPeMFlEzUp10yDlGW6RcrT7Dm+r7zFyrFznLK+evBEvTf9mMGWwZZP3q9vJtC/wFt1t5zNHdkb27cTwc9yyqGMWdelXQAQDnoisn2Jzi06KA==',
        },
      ],
    }),
  )
  .output(configOutput)
 export const setPgpPrivateKey = oc
  .route({
    method: 'POST',
    path: '/config/set-pgp-private-key',
    operationId: 'configSetPgpPrivateKey',
    summary: '写入本地 OpenPGP 私钥',
    description:
      '写入或更新本机持久化 OpenPGP 私钥（ASCII armored）。\n\n调用时机：首次导入签名私钥、私钥轮换。\n\n约束与行为：\n- 仅接收 ASCII armored 私钥文本；\n- 私钥保存在本地，后续报告签名接口会自动读取；\n- 成功后返回最新配置快照，可用于确认 hasPgpPrivateKey 状态。',
    tags: ['Config'],
  })
  .input(
    z
      .object({
        pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥（ASCII armored 格式）'),
      })
      .meta({
        examples: [
          {
            pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
          },
        ],
      }),
  )
  .output(configOutput)
 export const setPlatformPublicKey = oc
  .route({
    method: 'POST',
    path: '/config/set-platform-public-key',
    operationId: 'configSetPlatformPublicKey',
    summary: '写入本地平台公钥',
    description:
      '写入或更新本机持久化平台公钥（Base64 编码 SPKI DER）。\n\n调用时机：设备授权初始化、平台公钥轮换。\n\n约束与行为：\n- 仅接收可解析的平台 RSA 公钥文本；\n- 公钥保存在本地，设备授权密文接口和 licence 验签都会自动读取，无需每次传参；\n- 若平台公钥发生变化，已安装 licence 会被清空，需要重新安装已签名 licence；\n- 成功后返回最新配置快照，可用于确认 hasPlatformPublicKey 状态。',
    tags: ['Config'],
  })
  .input(
    z
      .object({
        platformPublicKey: z.string().min(1).describe('平台公钥（Base64 编码 SPKI DER）'),
      })
      .meta({
        examples: [
          {
            platformPublicKey:
              'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
          },
        ],
      }),
  )
  .output(configOutput)
@@ -0,0 +1,163 @@
 import { oc } from '@orpc/contract'
 import { z } from 'zod'
 export const encryptDeviceInfo = oc
  .route({
    method: 'POST',
    path: '/crypto/encrypt-device-info',
    operationId: 'encryptDeviceInfo',
    summary: '生成设备授权二维码密文',
    description:
      '生成设备授权流程所需的二维码密文。\n\n处理流程：\n- 读取本机已验证的 licenceId、fingerprint 与本地持久化的平台公钥；\n- 组装为授权载荷 JSON；\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密；\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景：设备授权申请、重新授权。\n\n前置条件：需先调用 config.setPlatformPublicKey 写入平台公钥，并通过 config.setLicence 安装已签名 licence。',
    tags: ['Crypto'],
  })
  .input(z.object({}).describe('空请求体。平台公钥由本地配置自动读取'))
  .output(
    z
      .object({
        encrypted: z.string().describe('Base64 密文（可直接用于设备授权二维码内容）'),
      })
      .describe('设备授权密文生成结果')
      .meta({
        examples: [
          {
            encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
          },
        ],
      }),
  )
 export const decryptTask = oc
  .route({
    method: 'POST',
    path: '/crypto/decrypt-task',
    operationId: 'decryptTask',
    summary: '解密任务二维码数据',
    description:
      '解密 App 下发的任务二维码密文。\n\n处理流程：\n- 基于本机已验证的 licenceId + fingerprint 派生 AES-256-GCM 密钥；\n- 对二维码中的 Base64 密文进行解密；\n- 返回任务明文 JSON 字符串。\n\n适用场景：扫码接收任务后解析任务详情。',
    tags: ['Crypto'],
  })
  .input(
    z
      .object({
        encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文（来自任务二维码扫描结果）'),
      })
      .describe('任务二维码解密请求')
      .meta({
        examples: [
          {
            encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
          },
        ],
      }),
  )
  .output(
    z
      .object({
        decrypted: z.string().describe('解密后的任务信息 JSON 字符串（可进一步反序列化）'),
      })
      .describe('任务二维码解密结果')
      .meta({
        examples: [
          {
            decrypted:
              '{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
          },
        ],
      }),
  )
 export const encryptSummary = oc
  .route({
    method: 'POST',
    path: '/crypto/encrypt-summary',
    operationId: 'encryptSummary',
    summary: '加密摘要信息',
    description:
      '加密检查摘要信息并产出二维码密文。\n\n处理流程：\n- 使用已验证的 licenceId + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥；\n- 使用 AES-256-GCM 加密摘要明文；\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景：任务执行后提交摘要信息。',
    tags: ['Crypto'],
  })
  .input(
    z
      .object({
        salt: z.string().min(1).describe('HKDF salt（通常为 taskId，需与任务上下文一致）'),
        plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文字符串'),
      })
      .describe('摘要信息加密请求')
      .meta({
        examples: [
          {
            salt: 'TASK-20260115-4875',
            plaintext:
              '{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":{"orgId":"1","orgName":"超艺科技有限公司","checkId":"1","vcheckId":"1","task":{"startTime":"2022-01-01 00:00:00","endTime":"2022-01-01 00:00:00"},"asset":{"count":183},"weakPwd":{"count":5},"vul":{"emergency":13,"high":34,"medium":45,"low":12,"info":3}},"timestamp":1734571234567}',
          },
        ],
      }),
  )
  .output(
    z
      .object({
        encrypted: z.string().describe('Base64 密文（用于摘要信息二维码内容）'),
      })
      .describe('摘要信息加密结果')
      .meta({
        examples: [
          {
            encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
          },
        ],
      }),
  )
 export const signAndPackReport = oc
  .route({
    method: 'POST',
    path: '/crypto/sign-and-pack-report',
    operationId: 'signAndPackReport',
    summary: '签名并打包检查报告',
    description:
      '对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程：\n- 解析上传 ZIP 并提取 summary.json；\n- 用已验证的 licenceId/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json；\n- 生成 META-INF/manifest.json；\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`)；\n- 返回签名后 ZIP。\n\n适用场景：检查结果归档、可追溯签名分发。',
    tags: ['Report'],
    spec: (current) => {
      const multipartContent =
        current.requestBody && !('$ref' in current.requestBody)
          ? (current.requestBody.content?.['multipart/form-data'] ?? current.requestBody.content?.['application/json'])
          : undefined
      return {
        ...current,
        requestBody:
          multipartContent && current.requestBody && !('$ref' in current.requestBody)
            ? {
                ...current.requestBody,
                content: {
                  'multipart/form-data': multipartContent,
                },
              }
            : current.requestBody,
      }
    },
  })
  .input(
    z
      .object({
        rawZip: z
          .file()
          .mime(['application/zip', 'application/x-zip-compressed'])
          .describe(
            '原始报告 ZIP 文件（必须包含 summary.json，以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件）',
          ),
        outputFileName: z
          .string()
          .min(1)
          .optional()
          .describe('返回 ZIP 文件名（可选，默认 signed-report.zip）')
          .meta({ examples: ['signed-report.zip'] }),
      })
      .describe('报告签名与打包请求'),
  )
  .output(
    z
      .file()
      .describe('签名后报告 ZIP 文件（二进制响应，包含 summary.json、META-INF/manifest.json、META-INF/signature.asc）'),
  )
@@ -0,0 +1,9 @@
 import * as config from './config.contract'
 import * as crypto from './crypto.contract'
 export const contract = {
  config,
  crypto,
 }
 export type Contract = typeof contract
@@ -1,19 +1,13 @@
 import { ORPCError, ValidationError } from '@orpc/server'
 import { z } from 'zod'
 import { getLogger } from '@/server/logger'
 const logger = getLogger(['api'])
 export const logError = (error: unknown) => {
-  logger.error('Unhandled error in ORPC handler', { error })
+  console.error(error)
 }
 export const handleValidationError = (error: unknown) => {
-  if (!(error instanceof ORPCError) || !(error.cause instanceof ValidationError)) return
+  if (error instanceof ORPCError && error.code === 'BAD_REQUEST' && error.cause instanceof ValidationError) {
-
+    // If you only use Zod you can safely cast to ZodIssue[] (per ORPC official docs)
  if (error.code === 'BAD_REQUEST') {
    // ORPC widens issues to the Standard Schema shape; every contract here is built from Zod/drizzle-zod,
    // so the runtime objects are Zod issues. Rehydrate to reuse z.prettifyError / z.flattenError.
    const zodError = new z.ZodError(error.cause.issues as z.core.$ZodIssue[])
    throw new ORPCError('INPUT_VALIDATION_FAILED', {
@@ -24,7 +18,7 @@ export const handleValidationError = (error: unknown) => {
    })
  }
-  if (error.code === 'INTERNAL_SERVER_ERROR') {
+  if (error instanceof ORPCError && error.code === 'INTERNAL_SERVER_ERROR' && error.cause instanceof ValidationError) {
    throw new ORPCError('OUTPUT_VALIDATION_FAILED', {
      cause: error.cause,
    })
@@ -0,0 +1,11 @@
 import { os } from '@/server/api/server'
 import { getDB } from '@/server/db'
 export const db = os.middleware(async ({ context, next }) => {
  return next({
    context: {
      ...context,
      db: getDB(),
    },
  })
 })
@@ -0,0 +1 @@
 export * from './db.middleware'
@@ -0,0 +1,81 @@
 import { validatePgpPrivateKey, validateRsaPublicKey } from '@furtherverse/crypto'
 import { ORPCError } from '@orpc/server'
 import { isLicenceExpired, verifyAndDecodeLicenceEnvelope } from '@/server/licence'
 import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey, setUxPlatformPublicKey } from '@/server/ux-config'
 import { db } from '../middlewares'
 import { os } from '../server'
 const toConfigOutput = (config: {
  licenceId: string | null
  licenceExpireTime: string | null
  fingerprint: string
  platformPublicKey: string | null
  pgpPrivateKey: string | null
 }) => ({
  licence:
    config.licenceId && config.licenceExpireTime
      ? {
          licenceId: config.licenceId,
          expireTime: config.licenceExpireTime,
          isExpired: isLicenceExpired(config.licenceExpireTime),
        }
      : null,
  fingerprint: config.fingerprint,
  hasPlatformPublicKey: config.platformPublicKey != null,
  hasPgpPrivateKey: config.pgpPrivateKey != null,
 })
 export const get = os.config.get.use(db).handler(async ({ context }) => {
  const config = await ensureUxConfig(context.db)
  return toConfigOutput(config)
 })
 export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
  const currentConfig = await ensureUxConfig(context.db)
  if (!currentConfig.platformPublicKey) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
    })
  }
  const payload = verifyAndDecodeLicenceEnvelope(input, currentConfig.platformPublicKey)
  if (isLicenceExpired(payload.expire_time)) {
    throw new ORPCError('BAD_REQUEST', {
      message: 'licence has expired',
    })
  }
  const config = await setUxLicence(context.db, {
    payload: input.payload,
    signature: input.signature,
    licenceId: payload.licence_id,
    expireTime: payload.expire_time,
  })
  return toConfigOutput(config)
 })
 export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
  await validatePgpPrivateKey(input.pgpPrivateKey).catch((error) => {
    throw new ORPCError('BAD_REQUEST', {
      message: `Invalid PGP private key: ${error instanceof Error ? error.message : 'unable to parse'}`,
    })
  })
  const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
  return toConfigOutput(config)
 })
 export const setPlatformPublicKey = os.config.setPlatformPublicKey.use(db).handler(async ({ context, input }) => {
  try {
    validateRsaPublicKey(input.platformPublicKey)
  } catch (error) {
    throw new ORPCError('BAD_REQUEST', {
      message: `Invalid platform public key: ${error instanceof Error ? error.message : 'unable to parse'}`,
    })
  }
  const config = await setUxPlatformPublicKey(context.db, input.platformPublicKey)
  return toConfigOutput(config)
 })
@@ -0,0 +1,219 @@
 import {
  aesGcmDecrypt,
  aesGcmEncrypt,
  hkdfSha256,
  hmacSha256Base64,
  pgpSignDetached,
  rsaOaepEncrypt,
  sha256,
  sha256Hex,
 } from '@furtherverse/crypto'
 import { ORPCError } from '@orpc/server'
 import JSZip from 'jszip'
 import {
  isInteger,
  isSafeNumber,
  LosslessNumber,
  parse as losslessParse,
  stringify as losslessStringify,
 } from 'lossless-json'
 import { z } from 'zod'
 import { isLicenceExpired } from '@/server/licence'
 import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
 import { getUxConfig } from '@/server/ux-config'
 import { db } from '../middlewares'
 import { os } from '../server'
 const safeNumberParser = (value: string): number | string => {
  if (isSafeNumber(value)) return Number(value)
  if (isInteger(value)) return value
  return Number(value)
 }
 const toLosslessNumber = (value: string): LosslessNumber | string =>
  value !== '' && /^-?\d+$/.test(value) ? new LosslessNumber(value) : value
 const summaryPayloadSchema = z
  .object({
    taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
    checkId: z.union([z.string(), z.number()]).optional(),
    inspectionId: z.union([z.string(), z.number()]).optional(),
    orgId: z.union([z.string(), z.number()]).optional(),
    enterpriseId: z.union([z.string(), z.number()]).optional(),
    summary: z.string().optional(),
  })
  .loose()
 const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
  const config = await getUxConfig(dbInstance)
  if (!config || !config.licenceId || !config.licenceExpireTime) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
    })
  }
  if (isLicenceExpired(config.licenceExpireTime)) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'Local licence has expired. Install a new signed licence before calling crypto APIs.',
    })
  }
  return config as typeof config & { licenceId: string; licenceExpireTime: string }
 }
 export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context }) => {
  const config = await requireIdentity(context.db)
  if (!config.platformPublicKey) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
    })
  }
  const deviceInfoJson = JSON.stringify({
    licence: config.licenceId,
    fingerprint: config.fingerprint,
  })
  const encrypted = rsaOaepEncrypt(deviceInfoJson, config.platformPublicKey)
  return { encrypted }
 })
 export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
  const config = await requireIdentity(context.db)
  const key = sha256(config.licenceId + config.fingerprint)
  const decrypted = aesGcmDecrypt(input.encryptedData, key)
  return { decrypted }
 })
 export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
  const config = await requireIdentity(context.db)
  const ikm = config.licenceId + config.fingerprint
  const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
  const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
  return { encrypted }
 })
 export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
  const config = await requireIdentity(context.db)
  if (!config.pgpPrivateKey) {
    throw new ORPCError('PRECONDITION_FAILED', {
      message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
    })
  }
  const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
  const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
    if (error instanceof ZipValidationError) {
      throw new ORPCError('BAD_REQUEST', { message: error.message })
    }
    throw error
  })
  // Extract and validate summary.json from the ZIP
  const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
  if (!summaryFile) {
    throw new ORPCError('BAD_REQUEST', {
      message: 'rawZip must contain a summary.json file',
    })
  }
  let rawJson: unknown
  try {
    rawJson = losslessParse(Buffer.from(summaryFile.bytes).toString('utf-8'), undefined, safeNumberParser)
  } catch {
    throw new ORPCError('BAD_REQUEST', {
      message: 'summary.json in the ZIP is not valid JSON',
    })
  }
  const parsed = summaryPayloadSchema.safeParse(rawJson)
  if (!parsed.success) {
    throw new ORPCError('BAD_REQUEST', {
      message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
    })
  }
  const summaryPayload = parsed.data
  const checkId = String(summaryPayload.checkId ?? summaryPayload.inspectionId ?? '')
  const orgId = summaryPayload.orgId ?? summaryPayload.enterpriseId ?? ''
  // Helper: find file in ZIP and compute its SHA256 hash
  const requireFileHash = (name: string): string => {
    const file = zipFiles.find((f) => f.name === name)
    if (!file) {
      throw new ORPCError('BAD_REQUEST', { message: `rawZip must contain ${name}` })
    }
    return sha256Hex(Buffer.from(file.bytes))
  }
  // Compute SHA256 of each content file (fixed order, matching Kotlin reference)
  const assetsSha256 = requireFileHash('assets.json')
  const vulnerabilitiesSha256 = requireFileHash('vulnerabilities.json')
  const weakPasswordsSha256 = requireFileHash('weakPasswords.json')
  const reportHtmlSha256 = requireFileHash('漏洞评估报告.html')
  // Compute device signature
  // signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
  // (plain concatenation, no separators, fixed order — matching Kotlin reference)
  const ikm = config.licenceId + config.fingerprint
  const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
  const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
  const deviceSignature = hmacSha256Base64(signingKey, signPayload)
  // Build final summary.json with flat structure (matching Kotlin reference)
  const finalSummary = {
    orgId: toLosslessNumber(String(orgId)),
    checkId: toLosslessNumber(checkId),
    taskId: summaryPayload.taskId,
    licence: config.licenceId,
    fingerprint: config.fingerprint,
    deviceSignature,
    summary: summaryPayload.summary ?? '',
  }
  const summaryJson = losslessStringify(finalSummary)
  if (!summaryJson) {
    throw new ORPCError('INTERNAL_SERVER_ERROR', {
      message: 'Failed to serialize summary.json',
    })
  }
  const summaryBytes = Buffer.from(summaryJson, 'utf-8')
  // Build manifest.json (fixed file list, matching Kotlin reference)
  const manifestFiles: Record<string, string> = {
    'summary.json': sha256Hex(summaryBytes),
    'assets.json': assetsSha256,
    'vulnerabilities.json': vulnerabilitiesSha256,
    'weakPasswords.json': weakPasswordsSha256,
    '漏洞评估报告.html': reportHtmlSha256,
  }
  const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
  const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
  // Pack signed ZIP
  const signedZip = new JSZip()
  signedZip.file('summary.json', summaryBytes)
  for (const item of zipFiles) {
    if (item.name !== 'summary.json') {
      signedZip.file(item.name, item.bytes)
    }
  }
  signedZip.file('META-INF/manifest.json', manifestBytes)
  signedZip.file('META-INF/signature.asc', signatureAsc)
  const signedZipBytes = await signedZip.generateAsync({
    type: 'uint8array',
    compression: 'DEFLATE',
    compressionOptions: { level: 9 },
  })
  return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
    type: 'application/zip',
  })
 })
@@ -0,0 +1,8 @@
 import { os } from '../server'
 import * as config from './config.router'
 import * as crypto from './crypto.router'
 export const router = os.router({
  config,
  crypto,
 })
@@ -0,0 +1,6 @@
 import type { ContractRouterClient, InferContractRouterInputs, InferContractRouterOutputs } from '@orpc/contract'
 import type { Contract } from './contracts'
 export type RouterClient = ContractRouterClient<Contract>
 export type RouterInputs = InferContractRouterInputs<Contract>
 export type RouterOutputs = InferContractRouterOutputs<Contract>
@@ -0,0 +1,36 @@
 import { integer, text } from 'drizzle-orm/sqlite-core'
 import { v7 as uuidv7 } from 'uuid'
 export const pk = (name = 'id') =>
  text(name)
    .primaryKey()
    .$defaultFn(() => uuidv7())
 export const createdAt = (name = 'created_at') =>
  integer(name, { mode: 'timestamp_ms' })
    .notNull()
    .$defaultFn(() => new Date())
 export const updatedAt = (name = 'updated_at') =>
  integer(name, { mode: 'timestamp_ms' })
    .notNull()
    .$defaultFn(() => new Date())
    .$onUpdateFn(() => new Date())
 export const generatedFields = {
  id: pk('id'),
  createdAt: createdAt('created_at'),
  updatedAt: updatedAt('updated_at'),
 }
 const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
  return Object.keys(fields).reduce(
    (acc, key) => {
      acc[key as keyof T] = true
      return acc
    },
    {} as Record<keyof T, true>,
  )
 }
 export const generatedFieldKeys = createGeneratedFieldKeys(generatedFields)
@@ -0,0 +1,26 @@
 import { Database } from 'bun:sqlite'
 import { drizzle } from 'drizzle-orm/bun-sqlite'
 import { env } from '@/env'
 import { relations } from '@/server/db/relations'
 export const createDB = () => {
  const sqlite = new Database(env.DATABASE_PATH)
  sqlite.exec('PRAGMA journal_mode = WAL')
  sqlite.exec('PRAGMA foreign_keys = ON')
  return drizzle({ client: sqlite, relations })
 }
 export type DB = ReturnType<typeof createDB>
 export const getDB = (() => {
  let db: DB | null = null
  return (singleton = true): DB => {
    if (!singleton) {
      return createDB()
    }
    db ??= createDB()
    return db
  }
 })()
@@ -0,0 +1,4 @@
 import { defineRelations } from 'drizzle-orm'
 import * as schema from './schema'
 export const relations = defineRelations(schema, () => ({}))
@@ -0,0 +1 @@
 export * from './ux-config'
@@ -0,0 +1,14 @@
 import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
 import { generatedFields } from '../fields'
 export const uxConfigTable = sqliteTable('ux_config', {
  ...generatedFields,
  singletonKey: text('singleton_key').notNull().unique().default('default'),
  licencePayload: text('licence_payload'),
  licenceSignature: text('licence_signature'),
  licenceId: text('licence_id'),
  licenceExpireTime: text('licence_expire_time'),
  fingerprint: text('fingerprint').notNull(),
  platformPublicKey: text('platform_public_key'),
  pgpPrivateKey: text('pgp_private_key'),
 })
@@ -0,0 +1,10 @@
 import { sha256Hex } from '@furtherverse/crypto'
 import { system } from 'systeminformation'
 export const computeDeviceFingerprint = async (): Promise<string> => {
  const { uuid, serial, model, manufacturer } = await system()
  const source = [uuid, serial, model, manufacturer].join('|')
  const hash = sha256Hex(source)
  return hash
 }
@@ -0,0 +1,32 @@
 import { describe, expect, it } from 'bun:test'
 import { constants, createSign, generateKeyPairSync } from 'node:crypto'
 import { decodeLicencePayload, isLicenceExpired, verifyAndDecodeLicenceEnvelope } from './licence'
 describe('licence helpers', () => {
  it('verifies payload signatures and decodes payload JSON', () => {
    const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
    const payloadJson = JSON.stringify({ licence_id: 'LIC-20260319-0025', expire_time: '2027-03-19' })
    const payload = Buffer.from(payloadJson, 'utf-8').toString('base64')
    const signer = createSign('RSA-SHA256')
    signer.update(Buffer.from(payload, 'utf-8'))
    signer.end()
    const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING }).toString('base64')
    const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
    expect(verifyAndDecodeLicenceEnvelope({ payload, signature }, publicKeyBase64)).toEqual({
      licence_id: 'LIC-20260319-0025',
      expire_time: '2027-03-19',
    })
  })
  it('treats expire_time as valid through the end of the UTC day', () => {
    expect(isLicenceExpired('2027-03-19', new Date('2027-03-19T23:59:59.999Z'))).toBe(false)
    expect(isLicenceExpired('2027-03-19', new Date('2027-03-20T00:00:00.000Z'))).toBe(true)
  })
  it('rejects malformed payloads', () => {
    expect(() => decodeLicencePayload('not-base64')).toThrow('payload must be valid Base64')
  })
 })
@@ -0,0 +1,94 @@
 import { rsaVerifySignature } from '@furtherverse/crypto'
 import { z } from 'zod'
 const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
 const DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/
 export const licenceEnvelopeSchema = z.object({
  payload: z.string().min(1).max(8192).describe('Base64 编码的 licence payload 原文'),
  signature: z.string().min(1).max(8192).describe('对 payload 字符串 UTF-8 字节做 SHA256withRSA 后得到的 Base64 签名'),
 })
 export const licencePayloadSchema = z
  .object({
    licence_id: z.string().min(1).describe('验签通过后的 licence 标识'),
    expire_time: z
      .string()
      .regex(DATE_PATTERN, 'expire_time must use YYYY-MM-DD')
      .describe('授权到期日，格式为 YYYY-MM-DD（按 UTC 自然日末尾失效）'),
  })
  .loose()
 export type LicenceEnvelope = z.infer<typeof licenceEnvelopeSchema>
 export type LicencePayload = z.infer<typeof licencePayloadSchema>
 const decodeBase64 = (value: string, fieldName: string): Buffer => {
  if (!BASE64_PATTERN.test(value)) {
    throw new Error(`${fieldName} must be valid Base64`)
  }
  return Buffer.from(value, 'base64')
 }
 const parseUtcDate = (value: string): Date => {
  const match = DATE_PATTERN.exec(value)
  if (!match) {
    throw new Error('expire_time must use YYYY-MM-DD')
  }
  const [, yearText, monthText, dayText] = match
  const year = Number(yearText)
  const month = Number(monthText)
  const day = Number(dayText)
  const parsed = new Date(Date.UTC(year, month - 1, day))
  if (
    Number.isNaN(parsed.getTime()) ||
    parsed.getUTCFullYear() !== year ||
    parsed.getUTCMonth() !== month - 1 ||
    parsed.getUTCDate() !== day
  ) {
    throw new Error('expire_time is not a valid calendar date')
  }
  return parsed
 }
 export const isLicenceExpired = (expireTime: string, now = new Date()): boolean => {
  const expireDate = parseUtcDate(expireTime)
  const expiresAt = Date.UTC(expireDate.getUTCFullYear(), expireDate.getUTCMonth(), expireDate.getUTCDate() + 1)
  return now.getTime() >= expiresAt
 }
 export const decodeLicencePayload = (payloadBase64: string): LicencePayload => {
  const decodedJson = decodeBase64(payloadBase64, 'payload').toString('utf-8')
  let rawPayload: unknown
  try {
    rawPayload = JSON.parse(decodedJson)
  } catch {
    throw new Error('payload must decode to valid JSON')
  }
  const parsedPayload = licencePayloadSchema.safeParse(rawPayload)
  if (!parsedPayload.success) {
    throw new Error(z.prettifyError(parsedPayload.error))
  }
  return parsedPayload.data
 }
 export const verifyLicenceEnvelopeSignature = (envelope: LicenceEnvelope, publicKeyBase64: string): void => {
  const signatureBytes = decodeBase64(envelope.signature, 'signature')
  const isValid = rsaVerifySignature(Buffer.from(envelope.payload, 'utf-8'), signatureBytes, publicKeyBase64)
  if (!isValid) {
    throw new Error('licence signature is invalid')
  }
 }
 export const verifyAndDecodeLicenceEnvelope = (envelope: LicenceEnvelope, publicKeyBase64: string): LicencePayload => {
  verifyLicenceEnvelopeSignature(envelope, publicKeyBase64)
  return decodeLicencePayload(envelope.payload)
 }
@@ -0,0 +1,96 @@
 import type { JSZipObject } from 'jszip'
 import JSZip from 'jszip'
 export class ZipValidationError extends Error {
  override name = 'ZipValidationError'
 }
 export interface ZipFileItem {
  name: string
  bytes: Uint8Array
 }
 export interface SafeZipOptions {
  maxRawBytes?: number
  maxEntries?: number
  maxSingleFileBytes?: number
  maxTotalUncompressedBytes?: number
 }
 const DEFAULTS = {
  maxRawBytes: 50 * 1024 * 1024,
  maxEntries: 64,
  maxSingleFileBytes: 20 * 1024 * 1024,
  maxTotalUncompressedBytes: 60 * 1024 * 1024,
 } satisfies Required<SafeZipOptions>
 const normalizePath = (name: string): string => name.replaceAll('\\', '/')
 const isUnsafePath = (name: string): boolean => {
  const normalized = normalizePath(name)
  const segments = normalized.split('/')
  return (
    normalized.startsWith('/') ||
    normalized.includes('\0') ||
    segments.some((segment) => segment === '..' || segment.trim().length === 0)
  )
 }
 export const extractSafeZipFiles = async (
  rawBytes: Uint8Array | Buffer,
  options?: SafeZipOptions,
 ): Promise<ZipFileItem[]> => {
  const opts = { ...DEFAULTS, ...options }
  if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
    throw new ZipValidationError('ZIP is empty or exceeds max size limit')
  }
  const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
    throw new ZipValidationError('Not a valid ZIP file')
  })
  const entries = Object.values(zip.files) as JSZipObject[]
  if (entries.length > opts.maxEntries) {
    throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
  }
  let totalUncompressedBytes = 0
  const files: ZipFileItem[] = []
  const seen = new Set<string>()
  for (const entry of entries) {
    if (entry.dir) {
      continue
    }
    if (isUnsafePath(entry.name)) {
      throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
    }
    const normalizedName = normalizePath(entry.name)
    if (seen.has(normalizedName)) {
      throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
    }
    seen.add(normalizedName)
    const content = await entry.async('uint8array')
    if (content.byteLength > opts.maxSingleFileBytes) {
      throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
    }
    totalUncompressedBytes += content.byteLength
    if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
      throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
    }
    files.push({ name: normalizedName, bytes: content })
  }
  if (files.length === 0) {
    throw new ZipValidationError('ZIP has no file entries')
  }
  return files
 }
@@ -0,0 +1,99 @@
 import { eq } from 'drizzle-orm'
 import type { DB } from '@/server/db'
 import { uxConfigTable } from '@/server/db/schema'
 import { computeDeviceFingerprint } from './device-fingerprint'
 const UX_CONFIG_KEY = 'default'
 export const getUxConfig = async (db: DB) => {
  return await db.query.uxConfigTable.findFirst({
    where: { singletonKey: UX_CONFIG_KEY },
  })
 }
 export const ensureUxConfig = async (db: DB) => {
  const fingerprint = await computeDeviceFingerprint()
  const existing = await getUxConfig(db)
  if (existing) {
    if (existing.fingerprint !== fingerprint) {
      const rows = await db
        .update(uxConfigTable)
        .set({ fingerprint })
        .where(eq(uxConfigTable.id, existing.id))
        .returning()
      return rows[0] as (typeof rows)[number]
    }
    return existing
  }
  const rows = await db
    .insert(uxConfigTable)
    .values({
      singletonKey: UX_CONFIG_KEY,
      fingerprint,
      licencePayload: null,
      licenceSignature: null,
      licenceId: null,
      licenceExpireTime: null,
    })
    .returning()
  return rows[0] as (typeof rows)[number]
 }
 export const setUxLicence = async (
  db: DB,
  licence: {
    payload: string
    signature: string
    licenceId: string
    expireTime: string
  },
 ) => {
  const config = await ensureUxConfig(db)
  const rows = await db
    .update(uxConfigTable)
    .set({
      licencePayload: licence.payload,
      licenceSignature: licence.signature,
      licenceId: licence.licenceId,
      licenceExpireTime: licence.expireTime,
    })
    .where(eq(uxConfigTable.id, config.id))
    .returning()
  return rows[0] as (typeof rows)[number]
 }
 export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
  const config = await ensureUxConfig(db)
  const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
  return rows[0] as (typeof rows)[number]
 }
 export const setUxPlatformPublicKey = async (db: DB, platformPublicKey: string) => {
  const config = await ensureUxConfig(db)
  const shouldClearLicence = config.platformPublicKey !== platformPublicKey
  const rows = await db
    .update(uxConfigTable)
    .set({
      platformPublicKey,
      ...(shouldClearLicence
        ? {
            licencePayload: null,
            licenceSignature: null,
            licenceId: null,
            licenceExpireTime: null,
          }
        : {}),
    })
    .where(eq(uxConfigTable.id, config.id))
    .returning()
  return rows[0] as (typeof rows)[number]
 }
@@ -0,0 +1 @@
@import "tailwindcss";
@@ -0,0 +1,9 @@
 {
  "extends": "@furtherverse/tsconfig/react.json",
  "compilerOptions": {
    "baseUrl": ".",
    "paths": {
      "@/*": ["./src/*"]
    }
  }
 }
@@ -0,0 +1,47 @@
 {
  "$schema": "../../node_modules/turbo/schema.json",
  "extends": ["//"],
  "tasks": {
    "build": {
      "env": ["NODE_ENV", "VITE_*"],
      "inputs": ["src/**", "public/**", "package.json", "tsconfig.json", "vite.config.ts"],
      "outputs": [".output/**"]
    },
    "compile": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:darwin": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:darwin:arm64": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:darwin:x64": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:linux": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:linux:arm64": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:linux:x64": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:windows": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    },
    "compile:windows:x64": {
      "dependsOn": ["build"],
      "outputs": ["out/**"]
    }
  }
 }
@@ -4,21 +4,27 @@ import { tanstackStart } from '@tanstack/react-start/plugin/vite'
 import react from '@vitejs/plugin-react'
 import { nitro } from 'nitro/vite'
 import { defineConfig } from 'vite'
 import tsconfigPaths from 'vite-tsconfig-paths'
 export default defineConfig({
  clearScreen: false,
  plugins: [
    tanstackDevtools(),
    tailwindcss(),
    tsconfigPaths(),
    tanstackStart(),
-    react(),
+    react({
      babel: {
        plugins: ['babel-plugin-react-compiler'],
      },
    }),
    nitro({
      preset: 'bun',
      serveStatic: 'inline',
      plugins: ['./src/server/plugins/shutdown.ts'],
    }),
  ],
-  resolve: {
+  server: {
-    tsconfigPaths: true,
+    port: 3000,
    strictPort: true,
  },
 })
@@ -6,8 +6,7 @@
    "useIgnoreFile": true
  },
  "files": {
-    "ignoreUnknown": false,
+    "ignoreUnknown": false
    "includes": ["**", "!**/routeTree.gen.ts", "!**/migrations.gen.ts"]
  },
  "formatter": {
    "enabled": true,
@@ -17,11 +16,6 @@
  },
  "linter": {
    "enabled": true,
    "domains": {
      "drizzle": "recommended",
      "react": "recommended",
      "types": "all"
    },
    "rules": {
      "recommended": true,
      "complexity": {
@@ -29,14 +23,6 @@
      },
      "correctness": {
        "noReactPropAssignments": "error"
      },
      "style": {
        "noNonNullAssertion": "error"
      },
      "suspicious": {
        "noExplicitAny": "error",
        "noImportCycles": "error",
        "noTsIgnore": "error"
      }
    }
  },
@@ -47,11 +33,6 @@
      "arrowParentheses": "always"
    }
  },
  "css": {
    "parser": {
      "tailwindDirectives": true
    }
  },
  "assist": {
    "enabled": true,
    "actions": {
@@ -0,0 +1,2 @@
 [install]
 publicHoistPattern = ["@types/*", "bun-types", "nitro*"]
@@ -1,39 +0,0 @@
 services:
  migrate:
    build: .
    depends_on:
      db:
        condition: service_healthy
    environment:
      - DATABASE_URL=postgres://postgres:postgres@db:5432/postgres
    command: ["./server", "migrate"]
    restart: "no"
  app:
    build: .
    depends_on:
      db:
        condition: service_healthy
      migrate:
        condition: service_completed_successfully
    ports:
      - "3000:3000"
    environment:
      - DATABASE_URL=postgres://postgres:postgres@db:5432/postgres
  db:
    image: postgres:18-alpine
    volumes:
      - postgres_data:/var/lib/postgresql
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: postgres
    healthcheck:
      test: [ "CMD", "pg_isready", "-U", "postgres" ]
      interval: 10s
      timeout: 5s
      retries: 5
 volumes:
  postgres_data:
@@ -0,0 +1,432 @@
 package top.tangyh.lamp.filing.controller.compress
 import com.fasterxml.jackson.databind.ObjectMapper
 import io.swagger.annotations.Api
 import io.swagger.annotations.ApiOperation
 import io.swagger.annotations.ApiParam
 import org.springframework.validation.annotation.Validated
 import org.springframework.web.bind.annotation.*
 import top.tangyh.basic.annotation.log.WebLog
 import top.tangyh.basic.base.R
 import top.tangyh.lamp.filing.dto.management.UploadInspectionFileV2Request
 import top.tangyh.lamp.filing.utils.AesGcmUtil
 import top.tangyh.lamp.filing.utils.HkdfUtil
 import top.tangyh.lamp.filing.utils.PgpSignatureUtil
 import java.util.*
 /**
 * 加密测试工具类
 * 
 * 用于生成加密后的 encrypted 数据，测试 uploadInspectionFileV2Encrypted 接口
 * 
 * 使用说明：
 * 1. 调用 /compression/test/generateEncrypted 接口
 * 2. 传入 licence、fingerprint、taskId 和明文数据
 * 3. 获取加密后的 Base64 字符串
 * 4. 使用返回的 encrypted 数据测试 uploadInspectionFileV2Encrypted 接口
 */
@Validated
@RestController
@RequestMapping("/compression/test")
@Api(value = "EncryptionTest", tags = ["加密测试工具"])
 class EncryptionTestController {
    private val objectMapper = ObjectMapper()
    companion object {
        private const val DEFAULT_PGP_PRIVATE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
 lFgEaSZqXBYJKwYBBAHaRw8BAQdARzZ5JXreuTeTgMFwYcw0Ju7aCWmXuUMmQyff
 5vmN8RQAAP4nli0R/MTNtgx9+g5ZPyAj8XSAnjHaW9u2UJQxYhMIYw8XtBZpdHRj
 PGl0dGNAaXR0Yy5zaC5jbj6IkwQTFgoAOxYhBG8IkI1kmkNpEu8iuqWu91t6SEzN
 BQJpJmpcAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKWu91t6SEzN
 dSQBAPM5llVG0X6SBa4YM90Iqyb2jWvlNjstoF8jjPVny1CiAP4hIOUvb686oSA0
 OrS3AuICi7X/r+JnSo1Z7pngUA3VC5xdBGkmalwSCisGAQQBl1UBBQEBB0BouQlG
 hIL0bq7EbaB55s+ygLVFOfhjFA8E4fwFBFJGVAMBCAcAAP98ZXRGgzld1XUa5ZGx
 cTE+1qGZY4E4BVIeqkVxdg5tqA64iHgEGBYKACAWIQRvCJCNZJpDaRLvIrqlrvdb
 ekhMzQUCaSZqXAIbDAAKCRClrvdbekhMzcaSAQDB/4pvDuc7SploQg1fBYobFm5P
 vxguByr8I+PrYWKKOQEAnaeXT4ipi1nICXFiigztsIl2xTth3D77XG6pZUU/Zw8=
 =/k1H
 -----END PGP PRIVATE KEY BLOCK-----"""
        private const val DEFAULT_PGP_PASSPHRASE = ""
    }
    /**
     * 生成加密数据请求 DTO
     */
    data class GenerateEncryptedRequest(
        @ApiParam(value = "授权码", required = true)
        val licence: String,
        @ApiParam(value = "硬件指纹", required = true)
        val fingerprint: String,
        @ApiParam(value = "任务ID", required = true)
        val taskId: String,
        @ApiParam(value = "企业ID", required = true)
        val enterpriseId: Long,
        @ApiParam(value = "检查ID", required = true)
        val inspectionId: Long,
        @ApiParam(value = "摘要信息", required = true)
        val summary: String
    )
    /**
     * 生成加密数据响应 DTO
     */
    data class GenerateEncryptedResponse(
        val encrypted: String,
        val requestBody: UploadInspectionFileV2Request,
        val plaintext: String,
        val keyDerivationInfo: KeyDerivationInfo
    )
    /**
     * 密钥派生信息
     */
    data class KeyDerivationInfo(
        val ikm: String,
        val salt: String,
        val info: String,
        val keyLength: Int,
        val keyHex: String
    )
    /**
     * 生成加密数据
     * 
     * 模拟工具箱端的加密逻辑：
     * 1. 使用 HKDF-SHA256 派生 AES 密钥
     *    - ikm = licence + fingerprint
     *    - salt = taskId
     *    - info = "inspection_report_encryption"
     *    - length = 32 bytes
     * 
     * 2. 使用 AES-256-GCM 加密数据
     *    - 格式：IV (12字节) + Ciphertext + Tag (16字节)
     *    - Base64 编码返回
     * 
     * @param request 生成加密数据请求
     * @return 加密后的数据和完整的请求体
     */
    @ApiOperation(value = "生成加密数据", notes = "生成加密后的 encrypted 数据，用于测试 uploadInspectionFileV2Encrypted 接口")
    @PostMapping("/generateEncrypted")
    @WebLog(value = "'生成加密数据:'", request = false)
    fun generateEncrypted(
        @RequestBody request: GenerateEncryptedRequest
    ): R<GenerateEncryptedResponse> {
        return try {
            // 1. 组装明文数据（JSON格式）
            val timestamp = System.currentTimeMillis()
            val plaintextMap = mapOf(
                "enterpriseId" to request.enterpriseId.toString(),
                "inspectionId" to request.inspectionId.toString(),
                "summary" to request.summary,
                "timestamp" to timestamp
            )
            val plaintext = objectMapper.writeValueAsString(plaintextMap)
            // 2. 使用 HKDF-SHA256 派生 AES 密钥
            // ikm = licence + fingerprint
            // salt = taskId（工具箱从二维码获取，平台从请求获取）
            // info = "inspection_report_encryption"（固定值）
            // length = 32 bytes
            val ikm = "${request.licence}${request.fingerprint}"
            val salt = request.taskId.toString()
            val info = "inspection_report_encryption"
            val keyLength = 32
            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, keyLength)
            // 3. 使用 AES-256-GCM 加密数据
            val encrypted = AesGcmUtil.encrypt(plaintext, aesKey)
            // 4. 组装完整的请求体（appid 需要前端自己赋值）
            val requestBody = UploadInspectionFileV2Request().apply {
                this.appid = "test-appid" // 测试用的 appid，实际使用时前端会赋值
                this.taskId = request.taskId
                this.encrypted = encrypted
            }
            // 5. 返回加密数据和密钥派生信息
            val response = GenerateEncryptedResponse(
                encrypted = encrypted,
                requestBody = requestBody,
                plaintext = plaintext,
                keyDerivationInfo = KeyDerivationInfo(
                    ikm = ikm,
                    salt = salt,
                    info = info,
                    keyLength = keyLength,
                    keyHex = aesKey.joinToString("") { "%02x".format(it) }
                )
            )
            R.success(response, "加密数据生成成功")
        } catch (e: Exception) {
            R.fail("生成加密数据失败: ${e.message}")
        }
    }
    /**
     * 快速生成测试数据（使用默认值）
     * 
     * @return 加密后的数据和完整的请求体
     */
    @ApiOperation(value = "快速生成测试数据", notes = "使用默认值快速生成加密数据，用于快速测试")
    @GetMapping("/generateTestData")
    @WebLog(value = "'快速生成测试数据:'", request = false)
    fun generateTestData(): R<GenerateEncryptedResponse> {
        return try {
            // 使用默认测试数据
            val request = GenerateEncryptedRequest(
                licence = "TEST-LICENCE-001",
                fingerprint = "TEST-FINGERPRINT-001",
                taskId = "TASK-20260115-4875",
                enterpriseId = 1173040813421105152L,
                inspectionId = 702286470691215417L,
                summary = "测试摘要信息"
            )
            generateEncrypted(request).data?.let {
                R.success(it, "测试数据生成成功")
            } ?: R.fail("生成测试数据失败")
        } catch (e: Exception) {
            R.fail("生成测试数据失败: ${e.message}")
        }
    }
    /**
     * 验证加密数据（解密测试）
     * 
     * 用于验证生成的加密数据是否能正确解密
     * 
     * @param encrypted 加密后的 Base64 字符串
     * @param licence 授权码
     * @param fingerprint 硬件指纹
     * @param taskId 任务ID
     * @return 解密后的明文数据
     */
    @ApiOperation(value = "验证加密数据", notes = "解密加密数据，验证加密是否正确")
    @PostMapping("/verifyEncrypted")
    @WebLog(value = "'验证加密数据:'", request = false)
    fun verifyEncrypted(
        @ApiParam(value = "加密后的 Base64 字符串", required = true)
        @RequestParam encrypted: String,
        @ApiParam(value = "授权码", required = true)
        @RequestParam licence: String,
        @ApiParam(value = "硬件指纹", required = true)
        @RequestParam fingerprint: String,
        @ApiParam(value = "任务ID", required = true)
        @RequestParam taskId: String
    ): R<Map<String, Any>> {
        return try {
            // 1. 使用相同的密钥派生规则派生密钥
            val ikm = "$licence$fingerprint"
            val salt = taskId.toString()
            val info = "inspection_report_encryption"
            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
            // 2. 解密数据
            val decrypted = AesGcmUtil.decrypt(encrypted, aesKey)
            // 3. 解析 JSON
            @Suppress("UNCHECKED_CAST")
            val dataMap = objectMapper.readValue(decrypted, Map::class.java) as Map<String, Any>
            R.success(dataMap, "解密成功")
        } catch (e: Exception) {
            R.fail("解密失败: ${e.message}")
        }
    }
    /**
     * 生成加密报告 ZIP 文件请求 DTO
     */
    data class GenerateEncryptedZipRequest(
        @ApiParam(value = "授权码", required = true)
        val licence: String,
        @ApiParam(value = "硬件指纹", required = true)
        val fingerprint: String,
        @ApiParam(value = "任务ID", required = true)
        val taskId: String,
        @ApiParam(value = "企业ID", required = true)
        val enterpriseId: Long,
        @ApiParam(value = "检查ID", required = true)
        val inspectionId: Long,
        @ApiParam(value = "摘要信息", required = true)
        val summary: String,
        @ApiParam(value = "资产信息 JSON", required = true)
        val assetsJson: String,
        @ApiParam(value = "漏洞信息 JSON", required = true)
        val vulnerabilitiesJson: String,
        @ApiParam(value = "弱密码信息 JSON", required = true)
        val weakPasswordsJson: String,
        @ApiParam(value = "漏洞评估报告 HTML", required = true)
        val reportHtml: String,
        @ApiParam(value = "PGP 私钥（可选，不提供则跳过 PGP 签名）", required = false)
        val pgpPrivateKey: String? = null,
        @ApiParam(value = "PGP 私钥密码（可选）", required = false)
        val pgpPassphrase: String? = null
    )
    /**
     * 生成加密报告 ZIP 文件
     * 
     * 按照文档《工具箱端-报告加密与签名生成指南.md》生成加密报告 ZIP 文件
     * 
     * @param request 生成请求
     * @return ZIP 文件（二进制流）
     */
    @ApiOperation(value = "生成加密报告 ZIP", notes = "生成带设备签名的加密报告 ZIP 文件，可被 uploadInspectionFileV2 接口解密")
    @PostMapping("/generateEncryptedZip")
    @WebLog(value = "'生成加密报告 ZIP:'", request = false)
    fun generateEncryptedZip(
        @RequestBody request: GenerateEncryptedZipRequest,
        response: javax.servlet.http.HttpServletResponse
    ) {
        try {
            // 1. 准备文件内容
            val assetsContent = request.assetsJson.toByteArray(Charsets.UTF_8)
            val vulnerabilitiesContent = request.vulnerabilitiesJson.toByteArray(Charsets.UTF_8)
            val weakPasswordsContent = request.weakPasswordsJson.toByteArray(Charsets.UTF_8)
            val reportHtmlContent = request.reportHtml.toByteArray(Charsets.UTF_8)
            // 2. 生成设备签名
            // 2.1 密钥派生
            val ikm = "${request.licence}${request.fingerprint}"
            val salt = "AUTH_V3_SALT"
            val info = "device_report_signature"
            val derivedKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
            // 2.2 计算文件 SHA256
            fun sha256Hex(content: ByteArray): String {
                val digest = java.security.MessageDigest.getInstance("SHA-256")
                return digest.digest(content).joinToString("") { "%02x".format(it) }
            }
            val assetsSha256 = sha256Hex(assetsContent)
            val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
            val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
            val reportHtmlSha256 = sha256Hex(reportHtmlContent)
            // 2.3 组装签名数据（严格顺序）
            val signPayload = buildString {
                append(request.taskId)
                append(request.inspectionId)
                append(assetsSha256)
                append(vulnerabilitiesSha256)
                append(weakPasswordsSha256)
                append(reportHtmlSha256)
            }
            // 2.4 计算 HMAC-SHA256
            val mac = javax.crypto.Mac.getInstance("HmacSHA256")
            val secretKey = javax.crypto.spec.SecretKeySpec(derivedKey, "HmacSHA256")
            mac.init(secretKey)
            val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
            val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
            // 2.5 生成 summary.json
            val summaryMap = mapOf(
                "orgId" to request.enterpriseId,
                "checkId" to request.inspectionId,
                "taskId" to request.taskId,
                "licence" to request.licence,
                "fingerprint" to request.fingerprint,
                "deviceSignature" to deviceSignature,
                "summary" to request.summary
            )
            val summaryContent = objectMapper.writeValueAsString(summaryMap).toByteArray(Charsets.UTF_8)
            // 3. 生成 manifest.json
            val filesHashes = mapOf(
                "summary.json" to sha256Hex(summaryContent),
                "assets.json" to assetsSha256,
                "vulnerabilities.json" to vulnerabilitiesSha256,
                "weakPasswords.json" to weakPasswordsSha256,
                "漏洞评估报告.html" to reportHtmlSha256
            )
            val manifest = mapOf("files" to filesHashes)
            val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
            // 4. 生成 signature.asc
            val privateKey = request.pgpPrivateKey?.takeIf { it.isNotBlank() } ?: DEFAULT_PGP_PRIVATE_KEY
            val passphrase = request.pgpPassphrase ?: DEFAULT_PGP_PASSPHRASE
            val signatureAsc = try {
                PgpSignatureUtil.generateDetachedSignature(
                    manifestContent,
                    privateKey,
                    passphrase
                )
            } catch (e: Exception) {
                throw RuntimeException("生成 PGP 签名失败: ${e.message}", e)
            }
            // 5. 打包 ZIP 文件到内存
            val baos = java.io.ByteArrayOutputStream()
            java.util.zip.ZipOutputStream(baos).use { zipOut ->
                zipOut.putNextEntry(java.util.zip.ZipEntry("summary.json"))
                zipOut.write(summaryContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("assets.json"))
                zipOut.write(assetsContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("vulnerabilities.json"))
                zipOut.write(vulnerabilitiesContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("weakPasswords.json"))
                zipOut.write(weakPasswordsContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("漏洞评估报告.html"))
                zipOut.write(reportHtmlContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/manifest.json"))
                zipOut.write(manifestContent)
                zipOut.closeEntry()
                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/signature.asc"))
                zipOut.write(signatureAsc)
                zipOut.closeEntry()
            }
            val zipBytes = baos.toByteArray()
            // 6. 设置响应头并输出
            response.contentType = "application/octet-stream"
            response.setHeader("Content-Disposition", "attachment; filename=\"report_${request.taskId}.zip\"")
            response.setHeader("Content-Length", zipBytes.size.toString())
            response.outputStream.write(zipBytes)
            response.outputStream.flush()
        } catch (e: Exception) {
            response.reset()
            response.contentType = "application/json; charset=UTF-8"
            response.writer.write("{\"code\": 500, \"msg\": \"生成 ZIP 文件失败: ${e.message}\"}")
        }
    }
 }
@@ -1,7 +0,0 @@
 CREATE TABLE "todo" (
 	"id" uuid PRIMARY KEY NOT NULL,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"title" text NOT NULL,
 	"completed" boolean DEFAULT false NOT NULL
 );
@@ -1,65 +0,0 @@
 {
  "id": "4ece5479-57bf-473d-b806-c1176c972e7f",
  "prevId": "00000000-0000-0000-0000-000000000000",
  "version": "7",
  "dialect": "postgresql",
  "tables": {
    "public.todo": {
      "name": "todo",
      "schema": "",
      "columns": {
        "id": {
          "name": "id",
          "type": "uuid",
          "primaryKey": true,
          "notNull": true
        },
        "created_at": {
          "name": "created_at",
          "type": "timestamp with time zone",
          "primaryKey": false,
          "notNull": true,
          "default": "now()"
        },
        "updated_at": {
          "name": "updated_at",
          "type": "timestamp with time zone",
          "primaryKey": false,
          "notNull": true,
          "default": "now()"
        },
        "title": {
          "name": "title",
          "type": "text",
          "primaryKey": false,
          "notNull": true
        },
        "completed": {
          "name": "completed",
          "type": "boolean",
          "primaryKey": false,
          "notNull": true,
          "default": false
        }
      },
      "indexes": {},
      "foreignKeys": {},
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "policies": {},
      "checkConstraints": {},
      "isRLSEnabled": false
    }
  },
  "enums": {},
  "schemas": {},
  "sequences": {},
  "roles": {},
  "policies": {},
  "views": {},
  "_meta": {
    "columns": {},
    "schemas": {},
    "tables": {}
  }
 }
@@ -1,13 +0,0 @@
 {
  "version": "7",
  "dialect": "postgresql",
  "entries": [
    {
      "idx": 0,
      "version": "7",
      "when": 1777096386609,
      "tag": "0000_loving_thunderbird",
      "breakpoints": true
    }
  ]
 }
@@ -1,2 +1,3 @@
 [tools]
-bun = "1.3.13"
+bun = "1"
 node = "24"
@@ -0,0 +1,13 @@
 {
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "shadcn": {
      "type": "local",
      "command": ["bunx", "--bun", "shadcn", "mcp"]
    },
    "tanstack": {
      "type": "remote",
      "url": "https://tanstack.com/api/mcp"
    }
  }
 }
@@ -1,71 +1,73 @@
 {
-  "name": "fullstack-starter",
+  "name": "@furtherverse/monorepo",
  "version": "1.0.0",
  "private": true,
  "type": "module",
-  "imports": {
+  "workspaces": [
-    "#drizzle/*.sql": "./drizzle/*.sql",
+    "apps/*",
-    "#package": "./package.json",
+    "packages/*"
-    "#server": "./.output/server/index.mjs"
+  ],
  },
  "scripts": {
-    "build": "bunx --bun vite build",
+    "build": "turbo run build",
-    "cli": "bun src/bin.ts",
+    "compile": "turbo run compile",
-    "compile": "bun scripts/compile.ts",
+    "compile:darwin": "turbo run compile:darwin",
-    "compile:darwin": "bun run compile:darwin:arm64 && bun run compile:darwin:x64",
+    "compile:linux": "turbo run compile:linux",
-    "compile:darwin:arm64": "bun scripts/compile.ts --target bun-darwin-arm64",
+    "compile:windows": "turbo run compile:windows",
-    "compile:darwin:x64": "bun scripts/compile.ts --target bun-darwin-x64",
+    "dev": "turbo run dev",
-    "compile:linux": "bun run compile:linux:x64 && bun run compile:linux:arm64",
+    "dist": "turbo run dist",
-    "compile:linux:arm64": "bun scripts/compile.ts --target bun-linux-arm64",
+    "dist:linux": "turbo run dist:linux",
-    "compile:linux:x64": "bun scripts/compile.ts --target bun-linux-x64",
+    "dist:mac": "turbo run dist:mac",
-    "compile:windows": "bun run compile:windows:x64",
+    "dist:win": "turbo run dist:win",
-    "compile:windows:x64": "bun scripts/compile.ts --target bun-windows-x64",
+    "fix": "turbo run fix",
-    "db:embed": "bun scripts/embed-migrations.ts",
+    "typecheck": "turbo run typecheck"
    "db:generate": "drizzle-kit generate && bun scripts/embed-migrations.ts",
    "db:migrate": "drizzle-kit migrate",
    "db:push": "drizzle-kit push",
    "db:studio": "drizzle-kit studio",
    "dev": "bunx --bun vite dev",
    "fix": "biome check --write",
    "test": "bun test",
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
    "@logtape/drizzle-orm": "^2.0.5",
    "@logtape/logtape": "^2.0.5",
    "@logtape/pretty": "^2.0.5",
    "@orpc/client": "^1.14.0",
    "@orpc/contract": "^1.14.0",
    "@orpc/openapi": "^1.14.0",
    "@orpc/server": "^1.14.0",
    "@orpc/tanstack-query": "^1.14.0",
    "@orpc/zod": "^1.14.0",
    "@t3-oss/env-core": "^0.13.11",
    "@tanstack/react-query": "^5.100.1",
    "@tanstack/react-router": "^1.168.24",
    "@tanstack/react-router-ssr-query": "^1.166.11",
    "@tanstack/react-start": "^1.167.48",
    "citty": "^0.2.2",
    "drizzle-orm": "0.45.2",
    "drizzle-zod": "^0.8.3",
    "postgres": "^3.4.9",
    "react": "^19.2.5",
    "react-dom": "^19.2.5",
    "zod": "^4.3.6"
  },
  "devDependencies": {
-    "@biomejs/biome": "^2.4.13",
+    "@biomejs/biome": "^2.4.7",
-    "@tailwindcss/vite": "^4.2.4",
+    "turbo": "^2.8.17",
-    "@tanstack/devtools-vite": "^0.6.0",
+    "typescript": "^5.9.3"
-    "@tanstack/react-devtools": "^0.10.2",
+  },
-    "@tanstack/react-query-devtools": "^5.100.1",
+  "catalog": {
-    "@tanstack/react-router-devtools": "^1.166.13",
+    "@orpc/client": "^1.13.7",
-    "@types/bun": "^1.3.13",
+    "@orpc/contract": "^1.13.7",
-    "@vitejs/plugin-react": "^6.0.1",
+    "@orpc/openapi": "^1.13.7",
-    "drizzle-kit": "0.31.10",
+    "@orpc/server": "^1.13.7",
-    "nitro": "npm:nitro-nightly@3.0.1-20260424-182106-f8cf6ccc",
+    "@orpc/tanstack-query": "^1.13.7",
-    "tailwindcss": "^4.2.4",
+    "@orpc/zod": "^1.13.7",
-    "typescript": "^6.0.3",
+    "@t3-oss/env-core": "^0.13.10",
-    "vite": "^8.0.10"
+    "@tailwindcss/vite": "^4.2.1",
    "@tanstack/devtools-vite": "^0.5.5",
    "@tanstack/react-devtools": "^0.9.13",
    "@tanstack/react-query": "^5.90.21",
    "@tanstack/react-query-devtools": "^5.91.3",
    "@tanstack/react-router": "^1.167.3",
    "@tanstack/react-router-devtools": "^1.166.9",
    "@tanstack/react-router-ssr-query": "^1.166.9",
    "@tanstack/react-start": "^1.166.14",
    "@types/bun": "^1.3.10",
    "@types/node": "^24.12.0",
    "@vitejs/plugin-react": "^5.2.0",
    "babel-plugin-react-compiler": "^1.0.0",
    "drizzle-kit": "1.0.0-beta.15-859cf75",
    "drizzle-orm": "1.0.0-beta.15-859cf75",
    "electron": "^34.0.0",
    "electron-builder": "^26.8.1",
    "electron-vite": "^5.0.0",
    "jszip": "^3.10.1",
    "lossless-json": "^4.3.0",
    "motion": "^12.36.0",
    "nitro": "npm:nitro-nightly@3.0.1-20260315-195328-c31268c6",
    "openpgp": "^6.0.1",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "tailwindcss": "^4.2.1",
    "tree-kill": "^1.2.2",
    "uuid": "^13.0.0",
    "vite": "^8.0.0",
    "vite-tsconfig-paths": "^6.1.1",
    "systeminformation": "^5.31.4",
    "zod": "^4.3.6"
  },
  "overrides": {
    "@types/node": "catalog:"
  }
 }
@@ -0,0 +1,18 @@
 {
  "name": "@furtherverse/crypto",
  "version": "1.0.0",
  "private": true,
  "type": "module",
  "exports": {
    ".": "./src/index.ts"
  },
  "dependencies": {
    "node-forge": "^1.3.3",
    "openpgp": "catalog:"
  },
  "devDependencies": {
    "@furtherverse/tsconfig": "workspace:*",
    "@types/bun": "catalog:",
    "@types/node-forge": "^1.3.14"
  }
 }
@@ -0,0 +1,53 @@
 import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
 const GCM_IV_LENGTH = 12 // 96 bits
 const GCM_TAG_LENGTH = 16 // 128 bits
 const ALGORITHM = 'aes-256-gcm'
 /**
 * AES-256-GCM encrypt.
 *
 * Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
 *
 * @param plaintext - UTF-8 string to encrypt
 * @param key - 32-byte AES key
 * @returns Base64-encoded encrypted data
 */
 export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
  const iv = randomBytes(GCM_IV_LENGTH)
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
  const tag = cipher.getAuthTag()
  // Layout: IV + ciphertext + tag
  const combined = Buffer.concat([iv, encrypted, tag])
  return combined.toString('base64')
 }
 /**
 * AES-256-GCM decrypt.
 *
 * Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
 *
 * @param encryptedBase64 - Base64-encoded encrypted data
 * @param key - 32-byte AES key
 * @returns Decrypted UTF-8 string
 */
 export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
  const data = Buffer.from(encryptedBase64, 'base64')
  if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
    throw new Error('Encrypted data too short: must contain IV + tag at minimum')
  }
  const iv = data.subarray(0, GCM_IV_LENGTH)
  const tag = data.subarray(data.length - GCM_TAG_LENGTH)
  const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
  decipher.setAuthTag(tag)
  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
  return decrypted.toString('utf-8')
 }
@@ -0,0 +1,15 @@
 import { createHash } from 'node:crypto'
 /**
 * Compute SHA-256 hash and return raw Buffer.
 */
 export const sha256 = (data: string | Buffer): Buffer => {
  return createHash('sha256').update(data).digest()
 }
 /**
 * Compute SHA-256 hash and return lowercase hex string.
 */
 export const sha256Hex = (data: string | Buffer): string => {
  return createHash('sha256').update(data).digest('hex')
 }
@@ -0,0 +1,15 @@
 import { hkdfSync } from 'node:crypto'
 /**
 * Derive a key using HKDF-SHA256.
 *
 * @param ikm - Input keying material (string, will be UTF-8 encoded)
 * @param salt - Salt value (string, will be UTF-8 encoded)
 * @param info - Info/context string (will be UTF-8 encoded)
 * @param length - Output key length in bytes (default: 32 for AES-256)
 * @returns Derived key as Buffer
 */
 export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
  const derived = hkdfSync('sha256', ikm, salt, info, length)
  return Buffer.from(derived)
 }
@@ -0,0 +1,23 @@
 import { createHmac } from 'node:crypto'
 /**
 * Compute HMAC-SHA256 and return Base64-encoded signature.
 *
 * @param key - HMAC key (Buffer)
 * @param data - Data to sign (UTF-8 string)
 * @returns Base64-encoded HMAC-SHA256 signature
 */
 export const hmacSha256Base64 = (key: Buffer, data: string): string => {
  return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
 }
 /**
 * Compute HMAC-SHA256 and return raw Buffer.
 *
 * @param key - HMAC key (Buffer)
 * @param data - Data to sign (UTF-8 string)
 * @returns HMAC-SHA256 digest as Buffer
 */
 export const hmacSha256 = (key: Buffer, data: string): Buffer => {
  return createHmac('sha256', key).update(data, 'utf-8').digest()
 }
@@ -0,0 +1,7 @@
 export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
 export { sha256, sha256Hex } from './hash'
 export { hkdfSha256 } from './hkdf'
 export { hmacSha256, hmacSha256Base64 } from './hmac'
 export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
 export { rsaOaepEncrypt } from './rsa-oaep'
 export { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
@@ -0,0 +1,79 @@
 import * as openpgp from 'openpgp'
 /**
 * Generate an OpenPGP RSA key pair.
 *
 * @param name - User name for the key
 * @param email - User email for the key
 * @returns ASCII-armored private and public keys
 */
 export const generatePgpKeyPair = async (
  name: string,
  email: string,
 ): Promise<{ privateKey: string; publicKey: string }> => {
  const { privateKey, publicKey } = await openpgp.generateKey({
    type: 'rsa',
    rsaBits: 2048,
    userIDs: [{ name, email }],
    format: 'armored',
  })
  return { privateKey, publicKey }
 }
 /**
 * Create a detached OpenPGP signature for the given data.
 *
 * @param data - Raw data to sign (Buffer or Uint8Array)
 * @param armoredPrivateKey - ASCII-armored private key
 * @returns ASCII-armored detached signature (signature.asc content)
 */
 export const validatePgpPrivateKey = async (armoredKey: string): Promise<void> => {
  await openpgp.readPrivateKey({ armoredKey })
 }
 export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
  const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
  const message = await openpgp.createMessage({ binary: data })
  const signature = await openpgp.sign({
    message,
    signingKeys: privateKey,
    detached: true,
    format: 'armored',
  })
  return signature as string
 }
 /**
 * Verify a detached OpenPGP signature.
 *
 * @param data - Original data (Buffer or Uint8Array)
 * @param armoredSignature - ASCII-armored detached signature
 * @param armoredPublicKey - ASCII-armored public key
 * @returns true if signature is valid
 */
 export const pgpVerifyDetached = async (
  data: Uint8Array,
  armoredSignature: string,
  armoredPublicKey: string,
 ): Promise<boolean> => {
  const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
  const signature = await openpgp.readSignature({ armoredSignature })
  const message = await openpgp.createMessage({ binary: data })
  const verificationResult = await openpgp.verify({
    message,
    signature,
    verificationKeys: publicKey,
  })
  const { verified } = verificationResult.signatures[0]!
  try {
    await verified
    return true
  } catch {
    return false
  }
 }
@@ -0,0 +1,32 @@
 import forge from 'node-forge'
 /**
 * RSA-OAEP encrypt with platform public key.
 *
 * Matches Java's {@code Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")}
 * with **default SunJCE parameters**:
 *
 * | Parameter | Value  |
 * |-----------|--------|
 * | OAEP hash | SHA-256|
 * | MGF1 hash | SHA-1  |
 *
 * Node.js `crypto.publicEncrypt({ oaepHash })` ties both hashes together,
 * so we use `node-forge` which allows independent configuration.
 *
 * @param plaintext - UTF-8 string to encrypt
 * @param publicKeyBase64 - Platform RSA public key (X.509 / SPKI DER, Base64)
 * @returns Base64-encoded ciphertext
 */
 export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
  const derBytes = forge.util.decode64(publicKeyBase64)
  const asn1 = forge.asn1.fromDer(derBytes)
  const publicKey = forge.pki.publicKeyFromAsn1(asn1) as forge.pki.rsa.PublicKey
  const encrypted = publicKey.encrypt(plaintext, 'RSA-OAEP', {
    md: forge.md.sha256.create(),
    mgf1: { md: forge.md.sha1.create() },
  })
  return forge.util.encode64(encrypted)
 }
@@ -0,0 +1,24 @@
 import { describe, expect, it } from 'bun:test'
 import { constants, createSign, generateKeyPairSync } from 'node:crypto'
 import { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
 describe('rsaVerifySignature', () => {
  it('verifies SHA256withRSA signatures over raw payload bytes', () => {
    const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
    const payload = Buffer.from('eyJsaWNlbmNlX2lkIjoiTElDLTAwMSIsImV4cGlyZV90aW1lIjoiMjAyNy0wMy0xOSJ9', 'utf-8')
    const signer = createSign('RSA-SHA256')
    signer.update(payload)
    signer.end()
    const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING })
    const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
    expect(rsaVerifySignature(payload, signature, publicKeyBase64)).toBe(true)
    expect(rsaVerifySignature(Buffer.from(`${payload}x`, 'utf-8'), signature, publicKeyBase64)).toBe(false)
  })
  it('rejects malformed SPKI public keys', () => {
    expect(() => validateRsaPublicKey('not-a-public-key')).toThrow()
  })
 })
@@ -0,0 +1,19 @@
 import { constants, createPublicKey, verify } from 'node:crypto'
 const createSpkiPublicKey = (publicKeyBase64: string) => {
  return createPublicKey({
    key: Buffer.from(publicKeyBase64, 'base64'),
    format: 'der',
    type: 'spki',
  })
 }
 export const validateRsaPublicKey = (publicKeyBase64: string): void => {
  createSpkiPublicKey(publicKeyBase64)
 }
 export const rsaVerifySignature = (data: Uint8Array, signature: Uint8Array, publicKeyBase64: string): boolean => {
  const publicKey = createSpkiPublicKey(publicKeyBase64)
  return verify('RSA-SHA256', data, { key: publicKey, padding: constants.RSA_PKCS1_PADDING }, signature)
 }
@@ -0,0 +1,7 @@
 {
  "extends": "@furtherverse/tsconfig/bun.json",
  "compilerOptions": {
    "rootDir": "src"
  },
  "include": ["src"]
 }
@@ -1,8 +1,9 @@
 {
  "$schema": "https://json.schemastore.org/tsconfig",
  "display": "Base",
  "compilerOptions": {
    "target": "esnext",
-    "lib": ["ESNext", "DOM", "DOM.Iterable"],
+    "lib": ["ESNext"],
    "module": "preserve",
    "skipLibCheck": true,
@@ -19,14 +20,7 @@
    "noFallthroughCasesInSwitch": true,
    "noUncheckedSideEffectImports": true,
    "noUncheckedIndexedAccess": true,
-    "noImplicitOverride": true,
+    "noImplicitOverride": true
    "jsx": "react-jsx",
    "types": ["bun"],
    "paths": {
      "@/*": ["./src/*"]
    }
  },
-  "exclude": ["node_modules", ".output", "out"]
+  "exclude": ["node_modules"]
 }
@@ -0,0 +1,8 @@
 {
  "$schema": "https://json.schemastore.org/tsconfig",
  "display": "Bun",
  "extends": "./base.json",
  "compilerOptions": {
    "types": ["bun-types"]
  }
 }
@@ -0,0 +1,11 @@
 {
  "name": "@furtherverse/tsconfig",
  "version": "1.0.0",
  "private": true,
  "type": "module",
  "exports": {
    "./base.json": "./base.json",
    "./bun.json": "./bun.json",
    "./react.json": "./react.json"
  }
 }
@@ -0,0 +1,9 @@
 {
  "$schema": "https://json.schemastore.org/tsconfig",
  "display": "React",
  "extends": "./base.json",
  "compilerOptions": {
    "lib": ["ESNext", "DOM", "DOM.Iterable"],
    "jsx": "react-jsx"
  }
 }
@@ -1,2 +0,0 @@
 User-agent: *
 Disallow:
@@ -1,51 +0,0 @@
 import { existsSync } from 'node:fs'
 import { readFile, writeFile } from 'node:fs/promises'
 import { z } from 'zod'
 const JOURNAL = './drizzle/meta/_journal.json'
 const OUTPUT = './src/server/db/migrations.gen.ts'
 const journalEntrySchema = z.object({
  idx: z.number().int().nonnegative(),
  tag: z.string().regex(/^\d{4}_[a-z0-9_]+$/),
  when: z.number().int().nonnegative(),
  breakpoints: z.boolean(),
 })
 const journalSchema = z.object({ entries: z.array(journalEntrySchema).default([]) })
 type JournalEntry = z.infer<typeof journalEntrySchema>
 const readJournalEntries = async (): Promise<JournalEntry[]> => {
  if (!existsSync(JOURNAL)) {
    return []
  }
  const raw: unknown = JSON.parse(await readFile(JOURNAL, 'utf-8'))
  return journalSchema.parse(raw).entries.sort((a, b) => a.idx - b.idx)
 }
 const main = async () => {
  const entries = await readJournalEntries()
  const imports = entries
    .map((e) => `import sql_${e.idx} from '#drizzle/${e.tag}.sql' with { type: 'text' }`)
    .join('\n')
  const arrayBody = entries.length
    ? `[\n${entries.map((e) => `  { tag: '${e.tag}', sql: sql_${e.idx}, when: ${e.when}, breakpoints: ${e.breakpoints} },`).join('\n')}\n]`
    : '[]'
  const out = `// AUTO-GENERATED by \`bun run db:embed\`. Do not edit.
 ${imports ? `${imports}\n` : ''}
 export type EmbeddedMigration = { tag: string; sql: string; when: number; breakpoints: boolean }
 export const embeddedMigrations: readonly EmbeddedMigration[] = ${arrayBody}
 `
  await writeFile(OUTPUT, out)
  console.log(`✓ ${OUTPUT} (${entries.length} migration${entries.length === 1 ? '' : 's'})`)
 }
 main().catch((err) => {
  console.error('❌', err instanceof Error ? err.message : err)
  process.exit(1)
 })
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
imbytecat	0f344b5847	refactor(server): crypto 流程改用验证后的 licenceId	2026-03-19 16:16:53 +08:00
imbytecat	403eec3e12	feat(server): 配置接口接入 licence 验签	2026-03-19 16:16:42 +08:00
imbytecat	84c935d4bd	refactor(server): 规范化 licence 持久化结构	2026-03-19 16:16:29 +08:00
imbytecat	e5fed81db5	feat(server): 新增 signed licence 校验工具	2026-03-19 16:16:18 +08:00
imbytecat	e3e3caed6a	feat(crypto): 新增 RSA 验签工具	2026-03-19 16:16:07 +08:00
imbytecat	b5490085bd	chore(deps): bump dependencies to latest versions	2026-03-16 15:09:01 +08:00
imbytecat	713ee5b79f	docs(server): update encryptSummary example summary structure	2026-03-10 16:58:28 +08:00
imbytecat	d7d6b06e35	fix(server): simplify report tag and hide platformPublicKey in config output	2026-03-10 16:35:00 +08:00
imbytecat	1997655875	feat(server): persist platform public key and enrich OpenAPI docs	2026-03-10 16:20:49 +08:00
imbytecat	9a2bd5c43a	fix(server): 使用 lossless-json 无损处理 summary.json Long 精度	2026-03-10 16:10:25 +08:00
imbytecat	42bc8605b4	docs: 添加摘要+ZIP 加密测试控制器参考	2026-03-10 15:09:11 +08:00
imbytecat	04ff718f47	docs: 移除旧版工具箱端授权对接指南文档	2026-03-10 15:08:36 +08:00
imbytecat	da82403f7f	refactor(server): signAndPackReport 对齐 Kotlin 参考实现的摘要与签名结构	2026-03-10 15:08:12 +08:00
imbytecat	4a5dd437fa	fix(server): setPgpPrivateKey 接口增加私钥格式校验	2026-03-10 15:07:31 +08:00
imbytecat	1945417f28	feat(crypto): 新增 validatePgpPrivateKey 校验函数	2026-03-10 15:07:07 +08:00
imbytecat	8be32bf15b	refactor(server): extract ZIP security checks into reusable safe-zip module	2026-03-06 16:51:33 +08:00
imbytecat	1110edc974	docs: remove outdated UX API docs (superseded by OpenAPI /api/docs)	2026-03-06 16:41:15 +08:00
imbytecat	a5fd9c1833	fix(crypto): replace deprecated .passthrough() with .loose() (Zod 4)	2026-03-06 16:40:46 +08:00
imbytecat	3d27f8ccfa	refactor(crypto): use Zod safeParse for summary.json validation instead of manual checks	2026-03-06 16:39:38 +08:00
imbytecat	4d64cfb93d	docs: 添加管理平台标准加密算法 Kotlin 参考实现	2026-03-06 15:34:04 +08:00
imbytecat	2651ec0835	fix(crypto): 修复 RSA-OAEP 加密与 Java SunJCE 的 MGF1 哈希不兼容问题 Node.js publicEncrypt({ oaepHash }) 会将 OAEP hash 和 MGF1 hash 绑定为同一算法，而 Java OAEPWithSHA-256AndMGF1Padding 默认使用 SHA-256(OAEP) + SHA-1(MGF1)。改用 node-forge 独立配置两个哈希，确保密文可被管理平台正确解密。	2026-03-06 15:33:07 +08:00
imbytecat	122dead202	refactor(server): 简化 signAndPackReport 接口，PGP 私钥本地存储、summary.json 从 ZIP 提取 - DB schema 新增 pgpPrivateKey 字段 - 新增 config.setPgpPrivateKey 接口，私钥与设备绑定 - signAndPackReport 只需传 rawZip，signingContext 自动从 summary.json 派生 - configOutput 新增 hasPgpPrivateKey 字段 - 抽取 requireIdentity 减少重复校验代码	2026-03-06 14:55:12 +08:00
imbytecat	ec41a4cfc7	docs(contract): 为所有 API 的 input/output 添加 OpenAPI examples，便于厂商测试	2026-03-06 14:37:50 +08:00
imbytecat	86754f73c1	docs(contract): 优化 API summary/description，对齐工具箱端对接指南文档	2026-03-06 14:30:09 +08:00
imbytecat	9296ab31e4	fix(server): 每次启动重新计算设备特征码，环境变化时自动更新	2026-03-06 11:28:14 +08:00
imbytecat	72d1727eb6	refactor(server): 设备特征码直接使用完整 SHA-256，移除 FP- 前缀和截断	2026-03-06 11:23:52 +08:00
imbytecat	aabd60e619	refactor(server): 使用 systeminformation 替代手动采集生成设备特征码硬件级 SMBIOS 标识（uuid/serial/model/manufacturer）跨平台稳定，不再依赖 Linux 独有的 machine-id 和易变的 OS release/内存/MAC 地址。	2026-03-06 11:16:17 +08:00
imbytecat	cdb3298f6d	refactor(db): 删除去业务化后残留的 device/task 表定义	2026-03-06 10:39:09 +08:00
imbytecat	060ddd8e12	docs: 更新 UX 本地身份配置流程与对接说明	2026-03-06 10:02:56 +08:00
imbytecat	b50d2eaf10	refactor(server): 重构为本地身份配置 + 底层 crypto 能力接口	2026-03-06 10:02:26 +08:00
imbytecat	46e2c94faf	fix(db): 修正 drizzle-kit 在 Bun SQLite 下的配置与脚本	2026-03-05 16:59:25 +08:00
imbytecat	b1062a5aed	refactor(api): signAndPackReport 直接返回签名 ZIP 文件	2026-03-05 16:58:59 +08:00
imbytecat	b193759e90	docs: 新增第三方 OpenAPI 对接指南	2026-03-05 16:44:01 +08:00
imbytecat	eb941c06c0	docs(api): 补全 OpenAPI 元数据与字段描述	2026-03-05 16:43:53 +08:00
imbytecat	eb2f6554b2	docs: 更新 signAndPackReport 为 multipart 文件上传说明	2026-03-05 16:32:49 +08:00
imbytecat	58d57fa148	refactor(server): 使用 multipart File 替代报告 ZIP 的 base64 上传	2026-03-05 16:32:41 +08:00
imbytecat	509860bba8	docs: 补充 UX 集成模式与授权对接说明	2026-03-05 16:24:21 +08:00
imbytecat	4e7c4e1aa5	feat(server): 实现设备授权与报告 ZIP 签名打包接口	2026-03-05 16:24:10 +08:00
imbytecat	8261409d7d	refactor(server): 切换 SQLite 并重建设备/任务表结构	2026-03-05 16:23:30 +08:00
imbytecat	d2eb98d612	feat: 新增共享加密包并引入 ZIP/PGP 依赖	2026-03-05 16:23:13 +08:00
		`@@ -0,0 +1,2 @@`
							`[install]`
							`publicHoistPattern = ["@types/", "bun-types", "nitro"]`