docs: 添加摘要+ZIP 加密测试控制器参考

Node.js publicEncrypt({ oaepHash }) 会将 OAEP hash 和 MGF1 hash
绑定为同一算法，而 Java OAEPWithSHA-256AndMGF1Padding 默认使用
SHA-256(OAEP) + SHA-1(MGF1)。改用 node-forge 独立配置两个哈希，
确保密文可被管理平台正确解密。

.gitignore

@@ -9,6 +9,11 @@
 # Bun build
 *.bun-build
 
+# SQLite database files
+*.db
+*.db-wal
+*.db-shm
+
 # Turborepo
 .turbo/
 

apps/server/.env.example

@@ -1 +1 @@
-DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
+DATABASE_PATH=data.db

apps/server/drizzle.config.ts

@@ -1,11 +1,12 @@
 import { defineConfig } from 'drizzle-kit'
-import { env } from '@/env'
+
+const databasePath = process.env.DATABASE_PATH ?? 'data.db'
 
 export default defineConfig({
   out: './drizzle',
   schema: './src/server/db/schema/index.ts',
-  dialect: 'postgresql',
+  dialect: 'sqlite',
   dbCredentials: {
-    url: env.DATABASE_URL,
+    url: databasePath,
   },
 })

apps/server/package.json

@@ -14,15 +14,16 @@
     "compile:linux:x64": "bun compile.ts --target bun-linux-x64",
     "compile:windows": "bun run compile:windows:x64",
     "compile:windows:x64": "bun compile.ts --target bun-windows-x64",
-    "db:generate": "drizzle-kit generate",
-    "db:migrate": "drizzle-kit migrate",
-    "db:push": "drizzle-kit push",
-    "db:studio": "drizzle-kit studio",
+    "db:generate": "bun --bun drizzle-kit generate",
+    "db:migrate": "bun --bun drizzle-kit migrate",
+    "db:push": "bun --bun drizzle-kit push",
+    "db:studio": "bun --bun drizzle-kit studio",
     "dev": "bunx --bun vite dev",
     "fix": "biome check --write",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
+    "@furtherverse/crypto": "workspace:*",
     "@orpc/client": "catalog:",
     "@orpc/contract": "catalog:",
     "@orpc/openapi": "catalog:",
@@ -35,9 +36,10 @@
     "@tanstack/react-router-ssr-query": "catalog:",
     "@tanstack/react-start": "catalog:",
     "drizzle-orm": "catalog:",
-    "postgres": "catalog:",
+    "jszip": "catalog:",
     "react": "catalog:",
     "react-dom": "catalog:",
+    "systeminformation": "catalog:",
     "uuid": "catalog:",
     "zod": "catalog:"
   },
@@ -54,6 +56,7 @@
     "drizzle-kit": "catalog:",
     "nitro": "catalog:",
     "tailwindcss": "catalog:",
-    "vite": "catalog:"
+    "vite": "catalog:",
+    "vite-tsconfig-paths": "catalog:"
   }
 }

apps/server/src/client/orpc.ts

@@ -24,30 +24,4 @@ const getORPCClient = createIsomorphicFn()
 
 const client: RouterClient = getORPCClient()
 
-export const orpc = createTanstackQueryUtils(client, {
-  experimental_defaults: {
-    todo: {
-      create: {
-        mutationOptions: {
-          onSuccess: (_, __, ___, ctx) => {
-            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
-          },
-        },
-      },
-      update: {
-        mutationOptions: {
-          onSuccess: (_, __, ___, ctx) => {
-            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
-          },
-        },
-      },
-      remove: {
-        mutationOptions: {
-          onSuccess: (_, __, ___, ctx) => {
-            ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
-          },
-        },
-      },
-    },
-  },
-})
+export const orpc = createTanstackQueryUtils(client)

apps/server/src/env.ts

@@ -3,7 +3,7 @@ import { z } from 'zod'
 
 export const env = createEnv({
   server: {
-    DATABASE_URL: z.url(),
+    DATABASE_PATH: z.string().min(1).default('data.db'),
   },
   clientPrefix: 'VITE_',
   client: {

apps/server/src/routes/api/$.ts

@@ -16,6 +16,7 @@ const handler = new OpenAPIHandler(router, {
         info: {
           title: name,
           version,
+          description: 'UX 授权服务 OpenAPI 文档：设备授权、任务解密、摘要加密与报告签名打包接口。',
         },
       },
       docsPath: '/docs',

apps/server/src/routes/index.tsx

@@ -1,192 +1,20 @@
-import { useMutation, useSuspenseQuery } from '@tanstack/react-query'
 import { createFileRoute } from '@tanstack/react-router'
-import type { ChangeEventHandler, SubmitEventHandler } from 'react'
-import { useState } from 'react'
-import { orpc } from '@/client/orpc'
 
 export const Route = createFileRoute('/')({
-  component: Todos,
-  loader: async ({ context }) => {
-    await context.queryClient.ensureQueryData(orpc.todo.list.queryOptions())
-  },
+  component: Home,
 })
 
-function Todos() {
-  const [newTodoTitle, setNewTodoTitle] = useState('')
-
-  const listQuery = useSuspenseQuery(orpc.todo.list.queryOptions())
-  const createMutation = useMutation(orpc.todo.create.mutationOptions())
-  const updateMutation = useMutation(orpc.todo.update.mutationOptions())
-  const deleteMutation = useMutation(orpc.todo.remove.mutationOptions())
-
-  const handleCreateTodo: SubmitEventHandler<HTMLFormElement> = (e) => {
-    e.preventDefault()
-    if (newTodoTitle.trim()) {
-      createMutation.mutate({ title: newTodoTitle.trim() })
-      setNewTodoTitle('')
-    }
-  }
-
-  const handleInputChange: ChangeEventHandler<HTMLInputElement> = (e) => {
-    setNewTodoTitle(e.target.value)
-  }
-
-  const handleToggleTodo = (id: string, currentCompleted: boolean) => {
-    updateMutation.mutate({
-      id,
-      data: { completed: !currentCompleted },
-    })
-  }
-
-  const handleDeleteTodo = (id: string) => {
-    deleteMutation.mutate({ id })
-  }
-
-  const todos = listQuery.data
-  const completedCount = todos.filter((todo) => todo.completed).length
-  const totalCount = todos.length
-  const progress = totalCount > 0 ? (completedCount / totalCount) * 100 : 0
-
+function Home() {
   return (
-    <div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans">
-      <div className="max-w-2xl mx-auto space-y-8">
-        {/* Header */}
-        <div className="flex items-end justify-between">
-          <div>
-            <h1 className="text-3xl font-bold text-slate-900 tracking-tight">我的待办</h1>
-            <p className="text-slate-500 mt-1">保持专注，逐个击破</p>
-          </div>
-          <div className="text-right">
-            <div className="text-2xl font-semibold text-slate-900">
-              {completedCount}
-              <span className="text-slate-400 text-lg">/{totalCount}</span>
-            </div>
-            <div className="text-xs font-medium text-slate-400 uppercase tracking-wider">已完成</div>
-          </div>
-        </div>
-
-        {/* Add Todo Form */}
-        <form onSubmit={handleCreateTodo} className="relative group z-10">
-          <div className="relative transform transition-all duration-200 focus-within:-translate-y-1">
-            <input
-              type="text"
-              value={newTodoTitle}
-              onChange={handleInputChange}
-              placeholder="添加新任务..."
-              className="w-full pl-6 pr-32 py-5 bg-white rounded-2xl shadow-[0_8px_30px_rgb(0,0,0,0.04)] border-0 ring-1 ring-slate-100 focus:ring-2 focus:ring-indigo-500/50 outline-none transition-all placeholder:text-slate-400 text-lg text-slate-700"
-              disabled={createMutation.isPending}
-            />
-            <button
-              type="submit"
-              disabled={createMutation.isPending || !newTodoTitle.trim()}
-              className="absolute right-3 top-3 bottom-3 px-6 bg-indigo-600 hover:bg-indigo-700 text-white rounded-xl font-medium transition-all shadow-md shadow-indigo-200 disabled:opacity-50 disabled:shadow-none hover:shadow-lg hover:shadow-indigo-300 active:scale-95"
-            >
-              {createMutation.isPending ? '添加中' : '添加'}
-            </button>
-          </div>
-        </form>
-
-        {/* Progress Bar (Only visible when there are tasks) */}
-        {totalCount > 0 && (
-          <div className="h-1.5 w-full bg-slate-200 rounded-full overflow-hidden">
-            <div
-              className="h-full bg-indigo-500 transition-all duration-500 ease-out rounded-full"
-              style={{ width: `${progress}%` }}
-            />
-          </div>
-        )}
-
-        {/* Todo List */}
-        <div className="space-y-3">
-          {todos.length === 0 ? (
-            <div className="py-20 text-center">
-              <div className="inline-flex items-center justify-center w-16 h-16 rounded-full bg-slate-100 mb-4">
-                <svg
-                  className="w-8 h-8 text-slate-400"
-                  fill="none"
-                  viewBox="0 0 24 24"
-                  stroke="currentColor"
-                  aria-hidden="true"
-                >
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
-                </svg>
-              </div>
-              <p className="text-slate-500 text-lg font-medium">没有待办事项</p>
-              <p className="text-slate-400 text-sm mt-1">输入上方内容添加您的第一个任务</p>
-            </div>
-          ) : (
-            todos.map((todo) => (
-              <div
-                key={todo.id}
-                className={`group relative flex items-center p-4 bg-white rounded-xl border border-slate-100 shadow-sm transition-all duration-200 hover:shadow-md hover:border-slate-200 ${
-                  todo.completed ? 'bg-slate-50/50' : ''
-                }`}
-              >
-                <button
-                  type="button"
-                  onClick={() => handleToggleTodo(todo.id, todo.completed)}
-                  className={`flex-shrink-0 w-6 h-6 rounded-full border-2 transition-all duration-200 flex items-center justify-center mr-4 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 ${
-                    todo.completed
-                      ? 'bg-indigo-500 border-indigo-500'
-                      : 'border-slate-300 hover:border-indigo-500 bg-white'
-                  }`}
-                >
-                  {todo.completed && (
-                    <svg
-                      className="w-3.5 h-3.5 text-white"
-                      fill="none"
-                      viewBox="0 0 24 24"
-                      stroke="currentColor"
-                      strokeWidth={3}
-                      aria-hidden="true"
-                    >
-                      <path strokeLinecap="round" strokeLinejoin="round" d="M5 13l4 4L19 7" />
-                    </svg>
-                  )}
-                </button>
-
-                <div className="flex-1 min-w-0">
-                  <p
-                    className={`text-lg transition-all duration-200 truncate ${
-                      todo.completed
-                        ? 'text-slate-400 line-through decoration-slate-300 decoration-2'
-                        : 'text-slate-700'
-                    }`}
-                  >
-                    {todo.title}
-                  </p>
-                </div>
-
-                <div className="flex items-center opacity-0 group-hover:opacity-100 transition-opacity duration-200 absolute right-4 pl-4 bg-gradient-to-l from-white via-white to-transparent sm:static sm:bg-none">
-                  <span className="text-xs text-slate-400 mr-3 hidden sm:inline-block">
-                    {new Date(todo.createdAt).toLocaleDateString('zh-CN')}
-                  </span>
-                  <button
-                    type="button"
-                    onClick={() => handleDeleteTodo(todo.id)}
-                    className="p-2 text-slate-400 hover:text-red-500 hover:bg-red-50 rounded-lg transition-colors focus:outline-none"
-                    title="删除"
-                  >
-                    <svg
-                      className="w-5 h-5"
-                      fill="none"
-                      viewBox="0 0 24 24"
-                      stroke="currentColor"
-                      strokeWidth={1.5}
-                      aria-hidden="true"
-                    >
-                      <path
-                        strokeLinecap="round"
-                        strokeLinejoin="round"
-                        d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"
-                      />
-                    </svg>
-                  </button>
-                </div>
-              </div>
-            ))
-          )}
-        </div>
+    <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
+      <div className="text-center space-y-4">
+        <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
+        <p className="text-slate-500">
+          API:&nbsp;
+          <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
+            /api
+          </a>
+        </p>
       </div>
     </div>
   )

apps/server/src/server/api/contracts/config.contract.ts

@@ -0,0 +1,82 @@
+import { oc } from '@orpc/contract'
+import { z } from 'zod'
+
+const configOutput = z
+  .object({
+    licence: z.string().nullable().describe('当前本地 licence，未设置时为 null'),
+    fingerprint: z.string().describe('UX 本机计算得到的设备特征码（SHA-256）'),
+    hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
+  })
+  .meta({
+    examples: [
+      {
+        licence: 'LIC-8F2A-XXXX',
+        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
+        hasPgpPrivateKey: true,
+      },
+      {
+        licence: null,
+        fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
+        hasPgpPrivateKey: false,
+      },
+    ],
+  })
+
+export const get = oc
+  .route({
+    method: 'POST',
+    path: '/config/get',
+    operationId: 'configGet',
+    summary: '读取本机身份配置',
+    description:
+      '返回 UX 本地持久化的 licence、本机设备特征码（fingerprint）以及 OpenPGP 私钥配置状态。工具箱端可据此判断是否已完成本地身份初始化。',
+    tags: ['Config'],
+  })
+  .input(z.object({}))
+  .output(configOutput)
+
+export const setLicence = oc
+  .route({
+    method: 'POST',
+    path: '/config/set-licence',
+    operationId: 'configSetLicence',
+    summary: '写入本地 licence',
+    description:
+      '写入或更新本机持久化的 licence。设备特征码（fingerprint）始终由 UX 本机自动计算，无需外部传入。此接口应在设备授权流程前调用。',
+    tags: ['Config'],
+  })
+  .input(
+    z
+      .object({
+        licence: z.string().min(1).describe('本地持久化的 licence'),
+      })
+      .meta({
+        examples: [{ licence: 'LIC-8F2A-XXXX' }],
+      }),
+  )
+  .output(configOutput)
+
+export const setPgpPrivateKey = oc
+  .route({
+    method: 'POST',
+    path: '/config/set-pgp-private-key',
+    operationId: 'configSetPgpPrivateKey',
+    summary: '写入本地 OpenPGP 私钥',
+    description:
+      '写入或更新本机持久化的 OpenPGP 私钥（ASCII armored 格式），用于报告签名。私钥与设备绑定，调用报告签名接口时 UX 自动读取，无需每次传入。',
+    tags: ['Config'],
+  })
+  .input(
+    z
+      .object({
+        pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥（ASCII armored 格式）'),
+      })
+      .meta({
+        examples: [
+          {
+            pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
+          },
+        ],
+      }),
+  )
+  .output(configOutput)

apps/server/src/server/api/contracts/crypto.contract.ts

@@ -0,0 +1,150 @@
+import { oc } from '@orpc/contract'
+import { z } from 'zod'
+
+export const encryptDeviceInfo = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/encrypt-device-info',
+    operationId: 'encryptDeviceInfo',
+    summary: '生成设备授权二维码密文',
+    description:
+      '将本机 licence 与 fingerprint 组装为 JSON，使用平台 RSA 公钥（RSA-OAEP + SHA-256）加密后返回 Base64 密文，供工具箱生成设备授权二维码。参见《工具箱端 - 设备授权二维码生成指南》。',
+    tags: ['Crypto'],
+  })
+  .input(
+    z
+      .object({
+        platformPublicKey: z.string().min(1).describe('平台公钥（Base64，SPKI DER）'),
+      })
+      .meta({
+        examples: [
+          {
+            platformPublicKey:
+              'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
+          },
+        ],
+      }),
+  )
+  .output(
+    z
+      .object({
+        encrypted: z.string().describe('Base64 密文（用于设备授权二维码）'),
+      })
+      .meta({
+        examples: [
+          {
+            encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
+          },
+        ],
+      }),
+  )
+
+export const decryptTask = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/decrypt-task',
+    operationId: 'decryptTask',
+    summary: '解密任务二维码数据',
+    description:
+      '使用本机 licence 与 fingerprint 派生 AES-256-GCM 密钥（SHA-256），解密 App 任务二维码中的 Base64 密文，返回任务信息明文。参见《工具箱端 - 任务二维码解密指南》。',
+    tags: ['Crypto'],
+  })
+  .input(
+    z
+      .object({
+        encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文（来自任务二维码扫描结果）'),
+      })
+      .meta({
+        examples: [
+          {
+            encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
+          },
+        ],
+      }),
+  )
+  .output(
+    z
+      .object({
+        decrypted: z.string().describe('解密后的任务信息 JSON 字符串'),
+      })
+      .meta({
+        examples: [
+          {
+            decrypted:
+              '{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
+          },
+        ],
+      }),
+  )
+
+export const encryptSummary = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/encrypt-summary',
+    operationId: 'encryptSummary',
+    summary: '加密摘要信息',
+    description:
+      '使用本机 licence 与 fingerprint 通过 HKDF-SHA256 派生密钥，以 AES-256-GCM 加密检查摘要明文并返回 Base64 密文，供工具箱生成摘要信息二维码。参见《工具箱端 - 摘要信息二维码生成指南》。',
+    tags: ['Crypto'],
+  })
+  .input(
+    z
+      .object({
+        salt: z.string().min(1).describe('HKDF salt（即 taskId，从任务二维码中获取）'),
+        plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文'),
+      })
+      .meta({
+        examples: [
+          {
+            salt: 'TASK-20260115-4875',
+            plaintext:
+              '{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":"检查摘要信息：发现3个高危漏洞，5个中危漏洞","timestamp":1734571234567}',
+          },
+        ],
+      }),
+  )
+  .output(
+    z
+      .object({
+        encrypted: z.string().describe('Base64 密文（用于摘要信息二维码）'),
+      })
+      .meta({
+        examples: [
+          {
+            encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
+          },
+        ],
+      }),
+  )
+
+export const signAndPackReport = oc
+  .route({
+    method: 'POST',
+    path: '/crypto/sign-and-pack-report',
+    operationId: 'signAndPackReport',
+    summary: '签名并打包检查报告',
+    description:
+      '上传包含 summary.json 的原始报告 ZIP，UX 自动从 ZIP 中提取 summary.json，使用本地存储的 licence/fingerprint 计算设备签名（HKDF + HMAC-SHA256），并使用本地 OpenPGP 私钥生成分离式签名。返回包含 summary.json（含 deviceSignature）、META-INF/manifest.json、META-INF/signature.asc 的签名报告 ZIP。参见《工具箱端 - 报告加密与签名生成指南》。',
+    tags: ['Crypto', 'Report'],
+  })
+  .input(
+    z.object({
+      rawZip: z
+        .file()
+        .mime(['application/zip', 'application/x-zip-compressed'])
+        .describe(
+          '原始报告 ZIP 文件（必须包含 summary.json，以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件）',
+        ),
+      outputFileName: z
+        .string()
+        .min(1)
+        .optional()
+        .describe('返回 ZIP 文件名（可选，默认 signed-report.zip）')
+        .meta({ examples: ['signed-report.zip'] }),
+    }),
+  )
+  .output(
+    z
+      .file()
+      .describe('签名后报告 ZIP 文件（二进制响应，包含 summary.json、META-INF/manifest.json、META-INF/signature.asc）'),
+  )

apps/server/src/server/api/contracts/index.ts

@@ -1,7 +1,9 @@
-import * as todo from './todo.contract'
+import * as config from './config.contract'
+import * as crypto from './crypto.contract'
 
 export const contract = {
-  todo,
+  config,
+  crypto,
 }
 
 export type Contract = typeof contract

apps/server/src/server/api/contracts/todo.contract.ts

@@ -1,32 +0,0 @@
-import { oc } from '@orpc/contract'
-import { createInsertSchema, createSelectSchema, createUpdateSchema } from 'drizzle-orm/zod'
-import { z } from 'zod'
-import { generatedFieldKeys } from '@/server/db/fields'
-import { todoTable } from '@/server/db/schema'
-
-const selectSchema = createSelectSchema(todoTable)
-
-const insertSchema = createInsertSchema(todoTable).omit(generatedFieldKeys)
-
-const updateSchema = createUpdateSchema(todoTable).omit(generatedFieldKeys)
-
-export const list = oc.input(z.void()).output(z.array(selectSchema))
-
-export const create = oc.input(insertSchema).output(selectSchema)
-
-export const update = oc
-  .input(
-    z.object({
-      id: z.uuid(),
-      data: updateSchema,
-    }),
-  )
-  .output(selectSchema)
-
-export const remove = oc
-  .input(
-    z.object({
-      id: z.uuid(),
-    }),
-  )
-  .output(z.void())

apps/server/src/server/api/routers/config.router.ts

@@ -0,0 +1,32 @@
+import { validatePgpPrivateKey } from '@furtherverse/crypto'
+import { ORPCError } from '@orpc/server'
+import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey } from '@/server/ux-config'
+import { db } from '../middlewares'
+import { os } from '../server'
+
+const toConfigOutput = (config: { licence: string | null; fingerprint: string; pgpPrivateKey: string | null }) => ({
+  licence: config.licence,
+  fingerprint: config.fingerprint,
+  hasPgpPrivateKey: config.pgpPrivateKey != null,
+})
+
+export const get = os.config.get.use(db).handler(async ({ context }) => {
+  const config = await ensureUxConfig(context.db)
+  return toConfigOutput(config)
+})
+
+export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
+  const config = await setUxLicence(context.db, input.licence)
+  return toConfigOutput(config)
+})
+
+export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
+  await validatePgpPrivateKey(input.pgpPrivateKey).catch((error) => {
+    throw new ORPCError('BAD_REQUEST', {
+      message: `Invalid PGP private key: ${error instanceof Error ? error.message : 'unable to parse'}`,
+    })
+  })
+
+  const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
+  return toConfigOutput(config)
+})

apps/server/src/server/api/routers/crypto.router.ts

@@ -0,0 +1,183 @@
+import {
+  aesGcmDecrypt,
+  aesGcmEncrypt,
+  hkdfSha256,
+  hmacSha256Base64,
+  pgpSignDetached,
+  rsaOaepEncrypt,
+  sha256,
+  sha256Hex,
+} from '@furtherverse/crypto'
+import { ORPCError } from '@orpc/server'
+import JSZip from 'jszip'
+import { z } from 'zod'
+import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
+import { getUxConfig } from '@/server/ux-config'
+import { db } from '../middlewares'
+import { os } from '../server'
+
+const summaryPayloadSchema = z
+  .object({
+    taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
+    checkId: z.union([z.string(), z.number()]).optional(),
+    inspectionId: z.union([z.string(), z.number()]).optional(),
+    orgId: z.union([z.string(), z.number()]).optional(),
+    enterpriseId: z.union([z.string(), z.number()]).optional(),
+    summary: z.string().optional(),
+  })
+  .loose()
+
+const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
+  const config = await getUxConfig(dbInstance)
+  if (!config || !config.licence) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
+    })
+  }
+  return config as typeof config & { licence: string }
+}
+
+export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  const deviceInfoJson = JSON.stringify({
+    licence: config.licence,
+    fingerprint: config.fingerprint,
+  })
+
+  const encrypted = rsaOaepEncrypt(deviceInfoJson, input.platformPublicKey)
+  return { encrypted }
+})
+
+export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  const key = sha256(config.licence + config.fingerprint)
+  const decrypted = aesGcmDecrypt(input.encryptedData, key)
+  return { decrypted }
+})
+
+export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  const ikm = config.licence + config.fingerprint
+  const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
+  const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
+  return { encrypted }
+})
+
+export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
+  const config = await requireIdentity(context.db)
+
+  if (!config.pgpPrivateKey) {
+    throw new ORPCError('PRECONDITION_FAILED', {
+      message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
+    })
+  }
+
+  const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
+
+  const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
+    if (error instanceof ZipValidationError) {
+      throw new ORPCError('BAD_REQUEST', { message: error.message })
+    }
+    throw error
+  })
+
+  // Extract and validate summary.json from the ZIP
+  const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
+  if (!summaryFile) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: 'rawZip must contain a summary.json file',
+    })
+  }
+
+  let rawJson: unknown
+  try {
+    rawJson = JSON.parse(Buffer.from(summaryFile.bytes).toString('utf-8'))
+  } catch {
+    throw new ORPCError('BAD_REQUEST', {
+      message: 'summary.json in the ZIP is not valid JSON',
+    })
+  }
+
+  const parsed = summaryPayloadSchema.safeParse(rawJson)
+  if (!parsed.success) {
+    throw new ORPCError('BAD_REQUEST', {
+      message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
+    })
+  }
+
+  const summaryPayload = parsed.data
+  const checkId = String(summaryPayload.checkId ?? summaryPayload.inspectionId ?? '')
+  const orgId = summaryPayload.orgId ?? summaryPayload.enterpriseId ?? ''
+
+  // Helper: find file in ZIP and compute its SHA256 hash
+  const requireFileHash = (name: string): string => {
+    const file = zipFiles.find((f) => f.name === name)
+    if (!file) {
+      throw new ORPCError('BAD_REQUEST', { message: `rawZip must contain ${name}` })
+    }
+    return sha256Hex(Buffer.from(file.bytes))
+  }
+
+  // Compute SHA256 of each content file (fixed order, matching Kotlin reference)
+  const assetsSha256 = requireFileHash('assets.json')
+  const vulnerabilitiesSha256 = requireFileHash('vulnerabilities.json')
+  const weakPasswordsSha256 = requireFileHash('weakPasswords.json')
+  const reportHtmlSha256 = requireFileHash('漏洞评估报告.html')
+
+  // Compute device signature
+  // signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
+  // (plain concatenation, no separators, fixed order — matching Kotlin reference)
+  const ikm = config.licence + config.fingerprint
+  const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
+
+  const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
+  const deviceSignature = hmacSha256Base64(signingKey, signPayload)
+
+  // Build final summary.json with flat structure (matching Kotlin reference)
+  const finalSummary = {
+    orgId,
+    checkId,
+    taskId: summaryPayload.taskId,
+    licence: config.licence,
+    fingerprint: config.fingerprint,
+    deviceSignature,
+    summary: summaryPayload.summary ?? '',
+  }
+  const summaryBytes = Buffer.from(JSON.stringify(finalSummary), 'utf-8')
+
+  // Build manifest.json (fixed file list, matching Kotlin reference)
+  const manifestFiles: Record<string, string> = {
+    'summary.json': sha256Hex(summaryBytes),
+    'assets.json': assetsSha256,
+    'vulnerabilities.json': vulnerabilitiesSha256,
+    'weakPasswords.json': weakPasswordsSha256,
+    '漏洞评估报告.html': reportHtmlSha256,
+  }
+
+  const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
+  const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
+
+  // Pack signed ZIP
+  const signedZip = new JSZip()
+  signedZip.file('summary.json', summaryBytes)
+  for (const item of zipFiles) {
+    if (item.name !== 'summary.json') {
+      signedZip.file(item.name, item.bytes)
+    }
+  }
+  signedZip.file('META-INF/manifest.json', manifestBytes)
+  signedZip.file('META-INF/signature.asc', signatureAsc)
+
+  const signedZipBytes = await signedZip.generateAsync({
+    type: 'uint8array',
+    compression: 'DEFLATE',
+    compressionOptions: { level: 9 },
+  })
+
+  return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
+    type: 'application/zip',
+  })
+})

apps/server/src/server/api/routers/index.ts

@@ -1,6 +1,8 @@
 import { os } from '../server'
-import * as todo from './todo.router'
+import * as config from './config.router'
+import * as crypto from './crypto.router'
 
 export const router = os.router({
-  todo,
+  config,
+  crypto,
 })

apps/server/src/server/api/routers/todo.router.ts

@@ -1,40 +0,0 @@
-import { ORPCError } from '@orpc/server'
-import { eq } from 'drizzle-orm'
-import { todoTable } from '@/server/db/schema'
-import { db } from '../middlewares'
-import { os } from '../server'
-
-export const list = os.todo.list.use(db).handler(async ({ context }) => {
-  const todos = await context.db.query.todoTable.findMany({
-    orderBy: { createdAt: 'desc' },
-  })
-  return todos
-})
-
-export const create = os.todo.create.use(db).handler(async ({ context, input }) => {
-  const [newTodo] = await context.db.insert(todoTable).values(input).returning()
-
-  if (!newTodo) {
-    throw new ORPCError('INTERNAL_SERVER_ERROR', { message: 'Failed to create todo' })
-  }
-
-  return newTodo
-})
-
-export const update = os.todo.update.use(db).handler(async ({ context, input }) => {
-  const [updatedTodo] = await context.db.update(todoTable).set(input.data).where(eq(todoTable.id, input.id)).returning()
-
-  if (!updatedTodo) {
-    throw new ORPCError('NOT_FOUND')
-  }
-
-  return updatedTodo
-})
-
-export const remove = os.todo.remove.use(db).handler(async ({ context, input }) => {
-  const [deleted] = await context.db.delete(todoTable).where(eq(todoTable.id, input.id)).returning({ id: todoTable.id })
-
-  if (!deleted) {
-    throw new ORPCError('NOT_FOUND')
-  }
-})

apps/server/src/server/db/fields.ts

@@ -1,47 +1,28 @@
-import { sql } from 'drizzle-orm'
-import { timestamp, uuid } from 'drizzle-orm/pg-core'
+import { integer, text } from 'drizzle-orm/sqlite-core'
 import { v7 as uuidv7 } from 'uuid'
 
-// id
+export const pk = (name = 'id') =>
+  text(name)
+    .primaryKey()
+    .$defaultFn(() => uuidv7())
 
-const id = (name: string) => uuid(name)
-export const pk = (name: string, strategy?: 'native' | 'extension') => {
-  switch (strategy) {
-    // PG 18+
-    case 'native':
-      return id(name).primaryKey().default(sql`uuidv7()`)
-
-    // PG 13+ with extension
-    case 'extension':
-      return id(name).primaryKey().default(sql`uuid_generate_v7()`)
-
-    // Any PG version
-    default:
-      return id(name)
-        .primaryKey()
-        .$defaultFn(() => uuidv7())
-  }
-}
-
-// timestamp
-
-export const createdAt = (name = 'created_at') => timestamp(name, { withTimezone: true }).notNull().defaultNow()
+export const createdAt = (name = 'created_at') =>
+  integer(name, { mode: 'timestamp_ms' })
+    .notNull()
+    .$defaultFn(() => new Date())
 
 export const updatedAt = (name = 'updated_at') =>
-  timestamp(name, { withTimezone: true })
+  integer(name, { mode: 'timestamp_ms' })
     .notNull()
-    .defaultNow()
+    .$defaultFn(() => new Date())
     .$onUpdateFn(() => new Date())
 
-// generated fields
-
 export const generatedFields = {
   id: pk('id'),
   createdAt: createdAt('created_at'),
   updatedAt: updatedAt('updated_at'),
 }
 
-// Helper to create omit keys from generatedFields
 const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
   return Object.keys(fields).reduce(
     (acc, key) => {

apps/server/src/server/db/index.ts

@@ -1,12 +1,14 @@
-import { drizzle } from 'drizzle-orm/postgres-js'
+import { Database } from 'bun:sqlite'
+import { drizzle } from 'drizzle-orm/bun-sqlite'
 import { env } from '@/env'
 import { relations } from '@/server/db/relations'
 
-export const createDB = () =>
-  drizzle({
-    connection: env.DATABASE_URL,
-    relations,
-  })
+export const createDB = () => {
+  const sqlite = new Database(env.DATABASE_PATH)
+  sqlite.exec('PRAGMA journal_mode = WAL')
+  sqlite.exec('PRAGMA foreign_keys = ON')
+  return drizzle({ client: sqlite, relations })
+}
 
 export type DB = ReturnType<typeof createDB>
 

apps/server/src/server/db/relations.ts

@@ -1,4 +1,4 @@
 import { defineRelations } from 'drizzle-orm'
 import * as schema from './schema'
 
-export const relations = defineRelations(schema, (_r) => ({}))
+export const relations = defineRelations(schema, () => ({}))

apps/server/src/server/db/schema/index.ts

@@ -1 +1 @@
-export * from './todo'
+export * from './ux-config'

apps/server/src/server/db/schema/todo.ts

@@ -1,8 +0,0 @@
-import { boolean, pgTable, text } from 'drizzle-orm/pg-core'
-import { generatedFields } from '../fields'
-
-export const todoTable = pgTable('todo', {
-  ...generatedFields,
-  title: text('title').notNull(),
-  completed: boolean('completed').notNull().default(false),
-})

apps/server/src/server/db/schema/ux-config.ts

@@ -0,0 +1,10 @@
+import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
+import { generatedFields } from '../fields'
+
+export const uxConfigTable = sqliteTable('ux_config', {
+  ...generatedFields,
+  singletonKey: text('singleton_key').notNull().unique().default('default'),
+  licence: text('licence'),
+  fingerprint: text('fingerprint').notNull(),
+  pgpPrivateKey: text('pgp_private_key'),
+})

apps/server/src/server/device-fingerprint.ts

@@ -0,0 +1,10 @@
+import { sha256Hex } from '@furtherverse/crypto'
+import { system } from 'systeminformation'
+
+export const computeDeviceFingerprint = async (): Promise<string> => {
+  const { uuid, serial, model, manufacturer } = await system()
+  const source = [uuid, serial, model, manufacturer].join('|')
+  const hash = sha256Hex(source)
+
+  return hash
+}

apps/server/src/server/safe-zip.ts

@@ -0,0 +1,96 @@
+import type { JSZipObject } from 'jszip'
+import JSZip from 'jszip'
+
+export class ZipValidationError extends Error {
+  override name = 'ZipValidationError'
+}
+
+export interface ZipFileItem {
+  name: string
+  bytes: Uint8Array
+}
+
+export interface SafeZipOptions {
+  maxRawBytes?: number
+  maxEntries?: number
+  maxSingleFileBytes?: number
+  maxTotalUncompressedBytes?: number
+}
+
+const DEFAULTS = {
+  maxRawBytes: 50 * 1024 * 1024,
+  maxEntries: 64,
+  maxSingleFileBytes: 20 * 1024 * 1024,
+  maxTotalUncompressedBytes: 60 * 1024 * 1024,
+} satisfies Required<SafeZipOptions>
+
+const normalizePath = (name: string): string => name.replaceAll('\\', '/')
+
+const isUnsafePath = (name: string): boolean => {
+  const normalized = normalizePath(name)
+  const segments = normalized.split('/')
+
+  return (
+    normalized.startsWith('/') ||
+    normalized.includes('\0') ||
+    segments.some((segment) => segment === '..' || segment.trim().length === 0)
+  )
+}
+
+export const extractSafeZipFiles = async (
+  rawBytes: Uint8Array | Buffer,
+  options?: SafeZipOptions,
+): Promise<ZipFileItem[]> => {
+  const opts = { ...DEFAULTS, ...options }
+
+  if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
+    throw new ZipValidationError('ZIP is empty or exceeds max size limit')
+  }
+
+  const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
+    throw new ZipValidationError('Not a valid ZIP file')
+  })
+
+  const entries = Object.values(zip.files) as JSZipObject[]
+  if (entries.length > opts.maxEntries) {
+    throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
+  }
+
+  let totalUncompressedBytes = 0
+  const files: ZipFileItem[] = []
+  const seen = new Set<string>()
+
+  for (const entry of entries) {
+    if (entry.dir) {
+      continue
+    }
+
+    if (isUnsafePath(entry.name)) {
+      throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
+    }
+
+    const normalizedName = normalizePath(entry.name)
+    if (seen.has(normalizedName)) {
+      throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
+    }
+    seen.add(normalizedName)
+
+    const content = await entry.async('uint8array')
+    if (content.byteLength > opts.maxSingleFileBytes) {
+      throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
+    }
+
+    totalUncompressedBytes += content.byteLength
+    if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
+      throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
+    }
+
+    files.push({ name: normalizedName, bytes: content })
+  }
+
+  if (files.length === 0) {
+    throw new ZipValidationError('ZIP has no file entries')
+  }
+
+  return files
+}

apps/server/src/server/ux-config.ts

@@ -0,0 +1,56 @@
+import { eq } from 'drizzle-orm'
+import type { DB } from '@/server/db'
+import { uxConfigTable } from '@/server/db/schema'
+import { computeDeviceFingerprint } from './device-fingerprint'
+
+const UX_CONFIG_KEY = 'default'
+
+export const getUxConfig = async (db: DB) => {
+  return await db.query.uxConfigTable.findFirst({
+    where: { singletonKey: UX_CONFIG_KEY },
+  })
+}
+
+export const ensureUxConfig = async (db: DB) => {
+  const fingerprint = await computeDeviceFingerprint()
+  const existing = await getUxConfig(db)
+
+  if (existing) {
+    if (existing.fingerprint !== fingerprint) {
+      const rows = await db
+        .update(uxConfigTable)
+        .set({ fingerprint })
+        .where(eq(uxConfigTable.id, existing.id))
+        .returning()
+      return rows[0] as (typeof rows)[number]
+    }
+    return existing
+  }
+
+  const rows = await db
+    .insert(uxConfigTable)
+    .values({
+      singletonKey: UX_CONFIG_KEY,
+      fingerprint,
+      licence: null,
+    })
+    .returning()
+
+  return rows[0] as (typeof rows)[number]
+}
+
+export const setUxLicence = async (db: DB, licence: string) => {
+  const config = await ensureUxConfig(db)
+
+  const rows = await db.update(uxConfigTable).set({ licence }).where(eq(uxConfigTable.id, config.id)).returning()
+
+  return rows[0] as (typeof rows)[number]
+}
+
+export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
+  const config = await ensureUxConfig(db)
+
+  const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
+
+  return rows[0] as (typeof rows)[number]
+}

apps/server/vite.config.ts

@@ -4,12 +4,14 @@ import { tanstackStart } from '@tanstack/react-start/plugin/vite'
 import react from '@vitejs/plugin-react'
 import { nitro } from 'nitro/vite'
 import { defineConfig } from 'vite'
+import tsconfigPaths from 'vite-tsconfig-paths'
 
 export default defineConfig({
   clearScreen: false,
   plugins: [
     tanstackDevtools(),
     tailwindcss(),
+    tsconfigPaths(),
     tanstackStart(),
     react({
       babel: {
@@ -21,9 +23,6 @@ export default defineConfig({
       serveStatic: 'inline',
     }),
   ],
-  resolve: {
-    tsconfigPaths: true,
-  },
   server: {
     port: 3000,
     strictPort: true,

docs/摘要+zip/EncryptionTestController.kt

@@ -0,0 +1,432 @@
+package top.tangyh.lamp.filing.controller.compress
+
+import com.fasterxml.jackson.databind.ObjectMapper
+import io.swagger.annotations.Api
+import io.swagger.annotations.ApiOperation
+import io.swagger.annotations.ApiParam
+import org.springframework.validation.annotation.Validated
+import org.springframework.web.bind.annotation.*
+import top.tangyh.basic.annotation.log.WebLog
+import top.tangyh.basic.base.R
+import top.tangyh.lamp.filing.dto.management.UploadInspectionFileV2Request
+import top.tangyh.lamp.filing.utils.AesGcmUtil
+import top.tangyh.lamp.filing.utils.HkdfUtil
+import top.tangyh.lamp.filing.utils.PgpSignatureUtil
+import java.util.*
+
+/**
+ * 加密测试工具类
+ * 
+ * 用于生成加密后的 encrypted 数据，测试 uploadInspectionFileV2Encrypted 接口
+ * 
+ * 使用说明：
+ * 1. 调用 /compression/test/generateEncrypted 接口
+ * 2. 传入 licence、fingerprint、taskId 和明文数据
+ * 3. 获取加密后的 Base64 字符串
+ * 4. 使用返回的 encrypted 数据测试 uploadInspectionFileV2Encrypted 接口
+ */
+@Validated
+@RestController
+@RequestMapping("/compression/test")
+@Api(value = "EncryptionTest", tags = ["加密测试工具"])
+class EncryptionTestController {
+
+    private val objectMapper = ObjectMapper()
+    
+    companion object {
+        private const val DEFAULT_PGP_PRIVATE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEaSZqXBYJKwYBBAHaRw8BAQdARzZ5JXreuTeTgMFwYcw0Ju7aCWmXuUMmQyff
+5vmN8RQAAP4nli0R/MTNtgx9+g5ZPyAj8XSAnjHaW9u2UJQxYhMIYw8XtBZpdHRj
+PGl0dGNAaXR0Yy5zaC5jbj6IkwQTFgoAOxYhBG8IkI1kmkNpEu8iuqWu91t6SEzN
+BQJpJmpcAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKWu91t6SEzN
+dSQBAPM5llVG0X6SBa4YM90Iqyb2jWvlNjstoF8jjPVny1CiAP4hIOUvb686oSA0
+OrS3AuICi7X/r+JnSo1Z7pngUA3VC5xdBGkmalwSCisGAQQBl1UBBQEBB0BouQlG
+hIL0bq7EbaB55s+ygLVFOfhjFA8E4fwFBFJGVAMBCAcAAP98ZXRGgzld1XUa5ZGx
+cTE+1qGZY4E4BVIeqkVxdg5tqA64iHgEGBYKACAWIQRvCJCNZJpDaRLvIrqlrvdb
+ekhMzQUCaSZqXAIbDAAKCRClrvdbekhMzcaSAQDB/4pvDuc7SploQg1fBYobFm5P
+vxguByr8I+PrYWKKOQEAnaeXT4ipi1nICXFiigztsIl2xTth3D77XG6pZUU/Zw8=
+=/k1H
+-----END PGP PRIVATE KEY BLOCK-----"""
+        
+        private const val DEFAULT_PGP_PASSPHRASE = ""
+    }
+
+    /**
+     * 生成加密数据请求 DTO
+     */
+    data class GenerateEncryptedRequest(
+        @ApiParam(value = "授权码", required = true)
+        val licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        val fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        val taskId: String,
+        
+        @ApiParam(value = "企业ID", required = true)
+        val enterpriseId: Long,
+        
+        @ApiParam(value = "检查ID", required = true)
+        val inspectionId: Long,
+        
+        @ApiParam(value = "摘要信息", required = true)
+        val summary: String
+    )
+
+    /**
+     * 生成加密数据响应 DTO
+     */
+    data class GenerateEncryptedResponse(
+        val encrypted: String,
+        val requestBody: UploadInspectionFileV2Request,
+        val plaintext: String,
+        val keyDerivationInfo: KeyDerivationInfo
+    )
+
+    /**
+     * 密钥派生信息
+     */
+    data class KeyDerivationInfo(
+        val ikm: String,
+        val salt: String,
+        val info: String,
+        val keyLength: Int,
+        val keyHex: String
+    )
+
+    /**
+     * 生成加密数据
+     * 
+     * 模拟工具箱端的加密逻辑：
+     * 1. 使用 HKDF-SHA256 派生 AES 密钥
+     *    - ikm = licence + fingerprint
+     *    - salt = taskId
+     *    - info = "inspection_report_encryption"
+     *    - length = 32 bytes
+     * 
+     * 2. 使用 AES-256-GCM 加密数据
+     *    - 格式：IV (12字节) + Ciphertext + Tag (16字节)
+     *    - Base64 编码返回
+     * 
+     * @param request 生成加密数据请求
+     * @return 加密后的数据和完整的请求体
+     */
+    @ApiOperation(value = "生成加密数据", notes = "生成加密后的 encrypted 数据，用于测试 uploadInspectionFileV2Encrypted 接口")
+    @PostMapping("/generateEncrypted")
+    @WebLog(value = "'生成加密数据:'", request = false)
+    fun generateEncrypted(
+        @RequestBody request: GenerateEncryptedRequest
+    ): R<GenerateEncryptedResponse> {
+        return try {
+            // 1. 组装明文数据（JSON格式）
+            val timestamp = System.currentTimeMillis()
+            val plaintextMap = mapOf(
+                "enterpriseId" to request.enterpriseId.toString(),
+                "inspectionId" to request.inspectionId.toString(),
+                "summary" to request.summary,
+                "timestamp" to timestamp
+            )
+            val plaintext = objectMapper.writeValueAsString(plaintextMap)
+
+            // 2. 使用 HKDF-SHA256 派生 AES 密钥
+            // ikm = licence + fingerprint
+            // salt = taskId（工具箱从二维码获取，平台从请求获取）
+            // info = "inspection_report_encryption"（固定值）
+            // length = 32 bytes
+            val ikm = "${request.licence}${request.fingerprint}"
+            val salt = request.taskId.toString()
+            val info = "inspection_report_encryption"
+            val keyLength = 32
+
+            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, keyLength)
+
+            // 3. 使用 AES-256-GCM 加密数据
+            val encrypted = AesGcmUtil.encrypt(plaintext, aesKey)
+
+            // 4. 组装完整的请求体（appid 需要前端自己赋值）
+            val requestBody = UploadInspectionFileV2Request().apply {
+                this.appid = "test-appid" // 测试用的 appid，实际使用时前端会赋值
+                this.taskId = request.taskId
+                this.encrypted = encrypted
+            }
+
+            // 5. 返回加密数据和密钥派生信息
+            val response = GenerateEncryptedResponse(
+                encrypted = encrypted,
+                requestBody = requestBody,
+                plaintext = plaintext,
+                keyDerivationInfo = KeyDerivationInfo(
+                    ikm = ikm,
+                    salt = salt,
+                    info = info,
+                    keyLength = keyLength,
+                    keyHex = aesKey.joinToString("") { "%02x".format(it) }
+                )
+            )
+
+            R.success(response, "加密数据生成成功")
+        } catch (e: Exception) {
+            R.fail("生成加密数据失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 快速生成测试数据（使用默认值）
+     * 
+     * @return 加密后的数据和完整的请求体
+     */
+    @ApiOperation(value = "快速生成测试数据", notes = "使用默认值快速生成加密数据，用于快速测试")
+    @GetMapping("/generateTestData")
+    @WebLog(value = "'快速生成测试数据:'", request = false)
+    fun generateTestData(): R<GenerateEncryptedResponse> {
+        return try {
+            // 使用默认测试数据
+            val request = GenerateEncryptedRequest(
+                licence = "TEST-LICENCE-001",
+                fingerprint = "TEST-FINGERPRINT-001",
+                taskId = "TASK-20260115-4875",
+                enterpriseId = 1173040813421105152L,
+                inspectionId = 702286470691215417L,
+                summary = "测试摘要信息"
+            )
+
+            generateEncrypted(request).data?.let {
+                R.success(it, "测试数据生成成功")
+            } ?: R.fail("生成测试数据失败")
+        } catch (e: Exception) {
+            R.fail("生成测试数据失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 验证加密数据（解密测试）
+     * 
+     * 用于验证生成的加密数据是否能正确解密
+     * 
+     * @param encrypted 加密后的 Base64 字符串
+     * @param licence 授权码
+     * @param fingerprint 硬件指纹
+     * @param taskId 任务ID
+     * @return 解密后的明文数据
+     */
+    @ApiOperation(value = "验证加密数据", notes = "解密加密数据，验证加密是否正确")
+    @PostMapping("/verifyEncrypted")
+    @WebLog(value = "'验证加密数据:'", request = false)
+    fun verifyEncrypted(
+        @ApiParam(value = "加密后的 Base64 字符串", required = true)
+        @RequestParam encrypted: String,
+        
+        @ApiParam(value = "授权码", required = true)
+        @RequestParam licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        @RequestParam fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        @RequestParam taskId: String
+    ): R<Map<String, Any>> {
+        return try {
+            // 1. 使用相同的密钥派生规则派生密钥
+            val ikm = "$licence$fingerprint"
+            val salt = taskId.toString()
+            val info = "inspection_report_encryption"
+            val aesKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
+
+            // 2. 解密数据
+            val decrypted = AesGcmUtil.decrypt(encrypted, aesKey)
+
+            // 3. 解析 JSON
+            @Suppress("UNCHECKED_CAST")
+            val dataMap = objectMapper.readValue(decrypted, Map::class.java) as Map<String, Any>
+
+            R.success(dataMap, "解密成功")
+        } catch (e: Exception) {
+            R.fail("解密失败: ${e.message}")
+        }
+    }
+
+    /**
+     * 生成加密报告 ZIP 文件请求 DTO
+     */
+    data class GenerateEncryptedZipRequest(
+        @ApiParam(value = "授权码", required = true)
+        val licence: String,
+        
+        @ApiParam(value = "硬件指纹", required = true)
+        val fingerprint: String,
+        
+        @ApiParam(value = "任务ID", required = true)
+        val taskId: String,
+        
+        @ApiParam(value = "企业ID", required = true)
+        val enterpriseId: Long,
+        
+        @ApiParam(value = "检查ID", required = true)
+        val inspectionId: Long,
+        
+        @ApiParam(value = "摘要信息", required = true)
+        val summary: String,
+        
+        @ApiParam(value = "资产信息 JSON", required = true)
+        val assetsJson: String,
+        
+        @ApiParam(value = "漏洞信息 JSON", required = true)
+        val vulnerabilitiesJson: String,
+        
+        @ApiParam(value = "弱密码信息 JSON", required = true)
+        val weakPasswordsJson: String,
+        
+        @ApiParam(value = "漏洞评估报告 HTML", required = true)
+        val reportHtml: String,
+        
+        @ApiParam(value = "PGP 私钥（可选，不提供则跳过 PGP 签名）", required = false)
+        val pgpPrivateKey: String? = null,
+        
+        @ApiParam(value = "PGP 私钥密码（可选）", required = false)
+        val pgpPassphrase: String? = null
+    )
+
+    /**
+     * 生成加密报告 ZIP 文件
+     * 
+     * 按照文档《工具箱端-报告加密与签名生成指南.md》生成加密报告 ZIP 文件
+     * 
+     * @param request 生成请求
+     * @return ZIP 文件（二进制流）
+     */
+    @ApiOperation(value = "生成加密报告 ZIP", notes = "生成带设备签名的加密报告 ZIP 文件，可被 uploadInspectionFileV2 接口解密")
+    @PostMapping("/generateEncryptedZip")
+    @WebLog(value = "'生成加密报告 ZIP:'", request = false)
+    fun generateEncryptedZip(
+        @RequestBody request: GenerateEncryptedZipRequest,
+        response: javax.servlet.http.HttpServletResponse
+    ) {
+        try {
+            // 1. 准备文件内容
+            val assetsContent = request.assetsJson.toByteArray(Charsets.UTF_8)
+            val vulnerabilitiesContent = request.vulnerabilitiesJson.toByteArray(Charsets.UTF_8)
+            val weakPasswordsContent = request.weakPasswordsJson.toByteArray(Charsets.UTF_8)
+            val reportHtmlContent = request.reportHtml.toByteArray(Charsets.UTF_8)
+
+            // 2. 生成设备签名
+            // 2.1 密钥派生
+            val ikm = "${request.licence}${request.fingerprint}"
+            val salt = "AUTH_V3_SALT"
+            val info = "device_report_signature"
+            val derivedKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
+
+            // 2.2 计算文件 SHA256
+            fun sha256Hex(content: ByteArray): String {
+                val digest = java.security.MessageDigest.getInstance("SHA-256")
+                return digest.digest(content).joinToString("") { "%02x".format(it) }
+            }
+
+            val assetsSha256 = sha256Hex(assetsContent)
+            val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
+            val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
+            val reportHtmlSha256 = sha256Hex(reportHtmlContent)
+
+            // 2.3 组装签名数据（严格顺序）
+            val signPayload = buildString {
+                append(request.taskId)
+                append(request.inspectionId)
+                append(assetsSha256)
+                append(vulnerabilitiesSha256)
+                append(weakPasswordsSha256)
+                append(reportHtmlSha256)
+            }
+
+            // 2.4 计算 HMAC-SHA256
+            val mac = javax.crypto.Mac.getInstance("HmacSHA256")
+            val secretKey = javax.crypto.spec.SecretKeySpec(derivedKey, "HmacSHA256")
+            mac.init(secretKey)
+            val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
+            val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
+
+            // 2.5 生成 summary.json
+            val summaryMap = mapOf(
+                "orgId" to request.enterpriseId,
+                "checkId" to request.inspectionId,
+                "taskId" to request.taskId,
+                "licence" to request.licence,
+                "fingerprint" to request.fingerprint,
+                "deviceSignature" to deviceSignature,
+                "summary" to request.summary
+            )
+            val summaryContent = objectMapper.writeValueAsString(summaryMap).toByteArray(Charsets.UTF_8)
+
+            // 3. 生成 manifest.json
+            val filesHashes = mapOf(
+                "summary.json" to sha256Hex(summaryContent),
+                "assets.json" to assetsSha256,
+                "vulnerabilities.json" to vulnerabilitiesSha256,
+                "weakPasswords.json" to weakPasswordsSha256,
+                "漏洞评估报告.html" to reportHtmlSha256
+            )
+            val manifest = mapOf("files" to filesHashes)
+            val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
+
+            // 4. 生成 signature.asc
+            val privateKey = request.pgpPrivateKey?.takeIf { it.isNotBlank() } ?: DEFAULT_PGP_PRIVATE_KEY
+            val passphrase = request.pgpPassphrase ?: DEFAULT_PGP_PASSPHRASE
+            
+            val signatureAsc = try {
+                PgpSignatureUtil.generateDetachedSignature(
+                    manifestContent,
+                    privateKey,
+                    passphrase
+                )
+            } catch (e: Exception) {
+                throw RuntimeException("生成 PGP 签名失败: ${e.message}", e)
+            }
+
+            // 5. 打包 ZIP 文件到内存
+            val baos = java.io.ByteArrayOutputStream()
+            java.util.zip.ZipOutputStream(baos).use { zipOut ->
+                zipOut.putNextEntry(java.util.zip.ZipEntry("summary.json"))
+                zipOut.write(summaryContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("assets.json"))
+                zipOut.write(assetsContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("vulnerabilities.json"))
+                zipOut.write(vulnerabilitiesContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("weakPasswords.json"))
+                zipOut.write(weakPasswordsContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("漏洞评估报告.html"))
+                zipOut.write(reportHtmlContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/manifest.json"))
+                zipOut.write(manifestContent)
+                zipOut.closeEntry()
+
+                zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/signature.asc"))
+                zipOut.write(signatureAsc)
+                zipOut.closeEntry()
+            }
+
+            val zipBytes = baos.toByteArray()
+
+            // 6. 设置响应头并输出
+            response.contentType = "application/octet-stream"
+            response.setHeader("Content-Disposition", "attachment; filename=\"report_${request.taskId}.zip\"")
+            response.setHeader("Content-Length", zipBytes.size.toString())
+            response.outputStream.write(zipBytes)
+            response.outputStream.flush()
+        } catch (e: Exception) {
+            response.reset()
+            response.contentType = "application/json; charset=UTF-8"
+            response.writer.write("{\"code\": 500, \"msg\": \"生成 ZIP 文件失败: ${e.message}\"}")
+        }
+    }
+}
+

package.json

@@ -22,45 +22,48 @@
     "typecheck": "turbo run typecheck"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.8",
-    "turbo": "^2.8.20",
+    "@biomejs/biome": "^2.4.5",
+    "turbo": "^2.8.13",
     "typescript": "^5.9.3"
   },
   "catalog": {
-    "@orpc/client": "^1.13.9",
-    "@orpc/contract": "^1.13.9",
-    "@orpc/openapi": "^1.13.9",
-    "@orpc/server": "^1.13.9",
-    "@orpc/tanstack-query": "^1.13.9",
-    "@orpc/zod": "^1.13.9",
+    "@orpc/client": "^1.13.6",
+    "@orpc/contract": "^1.13.6",
+    "@orpc/openapi": "^1.13.6",
+    "@orpc/server": "^1.13.6",
+    "@orpc/tanstack-query": "^1.13.6",
+    "@orpc/zod": "^1.13.6",
     "@t3-oss/env-core": "^0.13.10",
-    "@tailwindcss/vite": "^4.2.2",
-    "@tanstack/devtools-vite": "^0.5.5",
-    "@tanstack/react-devtools": "^0.9.13",
-    "@tanstack/react-query": "^5.94.4",
-    "@tanstack/react-query-devtools": "^5.94.4",
-    "@tanstack/react-router": "^1.168.1",
-    "@tanstack/react-router-devtools": "^1.166.10",
-    "@tanstack/react-router-ssr-query": "^1.166.10",
-    "@tanstack/react-start": "^1.167.2",
-    "@types/bun": "^1.3.11",
-    "@types/node": "^24.12.0",
-    "@vitejs/plugin-react": "^5.2.0",
+    "@tailwindcss/vite": "^4.2.1",
+    "@tanstack/devtools-vite": "^0.5.3",
+    "@tanstack/react-devtools": "^0.9.9",
+    "@tanstack/react-query": "^5.90.21",
+    "@tanstack/react-query-devtools": "^5.91.3",
+    "@tanstack/react-router": "^1.166.2",
+    "@tanstack/react-router-devtools": "^1.166.2",
+    "@tanstack/react-router-ssr-query": "^1.166.2",
+    "@tanstack/react-start": "^1.166.2",
+    "@types/bun": "^1.3.10",
+    "@types/node": "^24.11.0",
+    "@vitejs/plugin-react": "^5.1.4",
     "babel-plugin-react-compiler": "^1.0.0",
     "drizzle-kit": "1.0.0-beta.15-859cf75",
     "drizzle-orm": "1.0.0-beta.15-859cf75",
     "electron": "^34.0.0",
     "electron-builder": "^26.8.1",
     "electron-vite": "^5.0.0",
-    "motion": "^12.38.0",
-    "nitro": "npm:nitro-nightly@3.0.1-20260320-182900-2218d454",
-    "postgres": "^3.4.8",
+    "jszip": "^3.10.1",
+    "motion": "^12.35.0",
+    "nitro": "npm:nitro-nightly@3.0.1-20260227-181935-bfbb207c",
+    "openpgp": "^6.0.1",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
-    "tailwindcss": "^4.2.2",
+    "tailwindcss": "^4.2.1",
     "tree-kill": "^1.2.2",
     "uuid": "^13.0.0",
-    "vite": "^8.0.1",
+    "vite": "^8.0.0-beta.16",
+    "vite-tsconfig-paths": "^6.1.1",
+    "systeminformation": "^5.31.3",
     "zod": "^4.3.6"
   },
   "overrides": {

packages/crypto/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@furtherverse/crypto",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "dependencies": {
+    "node-forge": "^1.3.3",
+    "openpgp": "catalog:"
+  },
+  "devDependencies": {
+    "@furtherverse/tsconfig": "workspace:*",
+    "@types/bun": "catalog:",
+    "@types/node-forge": "^1.3.14"
+  }
+}

packages/crypto/src/aes-gcm.ts

@@ -0,0 +1,53 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
+
+const GCM_IV_LENGTH = 12 // 96 bits
+const GCM_TAG_LENGTH = 16 // 128 bits
+const ALGORITHM = 'aes-256-gcm'
+
+/**
+ * AES-256-GCM encrypt.
+ *
+ * Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
+ *
+ * @param plaintext - UTF-8 string to encrypt
+ * @param key - 32-byte AES key
+ * @returns Base64-encoded encrypted data
+ */
+export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
+  const iv = randomBytes(GCM_IV_LENGTH)
+  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
+
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
+  const tag = cipher.getAuthTag()
+
+  // Layout: IV + ciphertext + tag
+  const combined = Buffer.concat([iv, encrypted, tag])
+  return combined.toString('base64')
+}
+
+/**
+ * AES-256-GCM decrypt.
+ *
+ * Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
+ *
+ * @param encryptedBase64 - Base64-encoded encrypted data
+ * @param key - 32-byte AES key
+ * @returns Decrypted UTF-8 string
+ */
+export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
+  const data = Buffer.from(encryptedBase64, 'base64')
+
+  if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
+    throw new Error('Encrypted data too short: must contain IV + tag at minimum')
+  }
+
+  const iv = data.subarray(0, GCM_IV_LENGTH)
+  const tag = data.subarray(data.length - GCM_TAG_LENGTH)
+  const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
+  decipher.setAuthTag(tag)
+
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+  return decrypted.toString('utf-8')
+}

packages/crypto/src/hash.ts

@@ -0,0 +1,15 @@
+import { createHash } from 'node:crypto'
+
+/**
+ * Compute SHA-256 hash and return raw Buffer.
+ */
+export const sha256 = (data: string | Buffer): Buffer => {
+  return createHash('sha256').update(data).digest()
+}
+
+/**
+ * Compute SHA-256 hash and return lowercase hex string.
+ */
+export const sha256Hex = (data: string | Buffer): string => {
+  return createHash('sha256').update(data).digest('hex')
+}

packages/crypto/src/hkdf.ts

@@ -0,0 +1,15 @@
+import { hkdfSync } from 'node:crypto'
+
+/**
+ * Derive a key using HKDF-SHA256.
+ *
+ * @param ikm - Input keying material (string, will be UTF-8 encoded)
+ * @param salt - Salt value (string, will be UTF-8 encoded)
+ * @param info - Info/context string (will be UTF-8 encoded)
+ * @param length - Output key length in bytes (default: 32 for AES-256)
+ * @returns Derived key as Buffer
+ */
+export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
+  const derived = hkdfSync('sha256', ikm, salt, info, length)
+  return Buffer.from(derived)
+}

packages/crypto/src/hmac.ts

@@ -0,0 +1,23 @@
+import { createHmac } from 'node:crypto'
+
+/**
+ * Compute HMAC-SHA256 and return Base64-encoded signature.
+ *
+ * @param key - HMAC key (Buffer)
+ * @param data - Data to sign (UTF-8 string)
+ * @returns Base64-encoded HMAC-SHA256 signature
+ */
+export const hmacSha256Base64 = (key: Buffer, data: string): string => {
+  return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
+}
+
+/**
+ * Compute HMAC-SHA256 and return raw Buffer.
+ *
+ * @param key - HMAC key (Buffer)
+ * @param data - Data to sign (UTF-8 string)
+ * @returns HMAC-SHA256 digest as Buffer
+ */
+export const hmacSha256 = (key: Buffer, data: string): Buffer => {
+  return createHmac('sha256', key).update(data, 'utf-8').digest()
+}

packages/crypto/src/index.ts

@@ -0,0 +1,6 @@
+export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
+export { sha256, sha256Hex } from './hash'
+export { hkdfSha256 } from './hkdf'
+export { hmacSha256, hmacSha256Base64 } from './hmac'
+export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
+export { rsaOaepEncrypt } from './rsa-oaep'

packages/crypto/src/pgp.ts

@@ -0,0 +1,79 @@
+import * as openpgp from 'openpgp'
+
+/**
+ * Generate an OpenPGP RSA key pair.
+ *
+ * @param name - User name for the key
+ * @param email - User email for the key
+ * @returns ASCII-armored private and public keys
+ */
+export const generatePgpKeyPair = async (
+  name: string,
+  email: string,
+): Promise<{ privateKey: string; publicKey: string }> => {
+  const { privateKey, publicKey } = await openpgp.generateKey({
+    type: 'rsa',
+    rsaBits: 2048,
+    userIDs: [{ name, email }],
+    format: 'armored',
+  })
+
+  return { privateKey, publicKey }
+}
+
+/**
+ * Create a detached OpenPGP signature for the given data.
+ *
+ * @param data - Raw data to sign (Buffer or Uint8Array)
+ * @param armoredPrivateKey - ASCII-armored private key
+ * @returns ASCII-armored detached signature (signature.asc content)
+ */
+export const validatePgpPrivateKey = async (armoredKey: string): Promise<void> => {
+  await openpgp.readPrivateKey({ armoredKey })
+}
+
+export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
+  const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
+  const message = await openpgp.createMessage({ binary: data })
+
+  const signature = await openpgp.sign({
+    message,
+    signingKeys: privateKey,
+    detached: true,
+    format: 'armored',
+  })
+
+  return signature as string
+}
+
+/**
+ * Verify a detached OpenPGP signature.
+ *
+ * @param data - Original data (Buffer or Uint8Array)
+ * @param armoredSignature - ASCII-armored detached signature
+ * @param armoredPublicKey - ASCII-armored public key
+ * @returns true if signature is valid
+ */
+export const pgpVerifyDetached = async (
+  data: Uint8Array,
+  armoredSignature: string,
+  armoredPublicKey: string,
+): Promise<boolean> => {
+  const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
+  const signature = await openpgp.readSignature({ armoredSignature })
+  const message = await openpgp.createMessage({ binary: data })
+
+  const verificationResult = await openpgp.verify({
+    message,
+    signature,
+    verificationKeys: publicKey,
+  })
+
+  const { verified } = verificationResult.signatures[0]!
+  try {
+    await verified
+    return true
+  } catch {
+    return false
+  }
+}

packages/crypto/src/rsa-oaep.ts

@@ -0,0 +1,32 @@
+import forge from 'node-forge'
+
+/**
+ * RSA-OAEP encrypt with platform public key.
+ *
+ * Matches Java's {@code Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")}
+ * with **default SunJCE parameters**:
+ *
+ * | Parameter | Value  |
+ * |-----------|--------|
+ * | OAEP hash | SHA-256|
+ * | MGF1 hash | SHA-1  |
+ *
+ * Node.js `crypto.publicEncrypt({ oaepHash })` ties both hashes together,
+ * so we use `node-forge` which allows independent configuration.
+ *
+ * @param plaintext - UTF-8 string to encrypt
+ * @param publicKeyBase64 - Platform RSA public key (X.509 / SPKI DER, Base64)
+ * @returns Base64-encoded ciphertext
+ */
+export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
+  const derBytes = forge.util.decode64(publicKeyBase64)
+  const asn1 = forge.asn1.fromDer(derBytes)
+  const publicKey = forge.pki.publicKeyFromAsn1(asn1) as forge.pki.rsa.PublicKey
+
+  const encrypted = publicKey.encrypt(plaintext, 'RSA-OAEP', {
+    md: forge.md.sha256.create(),
+    mgf1: { md: forge.md.sha1.create() },
+  })
+
+  return forge.util.encode64(encrypted)
+}

packages/crypto/tsconfig.json

@@ -0,0 +1,7 @@
+{
+  "extends": "@furtherverse/tsconfig/bun.json",
+  "compilerOptions": {
+    "rootDir": "src"
+  },
+  "include": ["src"]
+}