api-server/src/modules/auth/auth.service.ts

import * as crypto from 'crypto';
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import { PrismaService } from '../../infrastructure/database/prisma.service';
import jwksClient from 'jwks-rsa';
import jwt from 'jsonwebtoken';

interface AppleIdTokenPayload {
  sub: string;
  email?: string;
  email_verified?: string | boolean;
  is_private_email?: string | boolean;
  aud: string;
  iss: string;
  exp: number;
  iat: number;
}

@Injectable()
export class AuthService {
  private jwks: jwksClient.JwksClient;

  constructor(
    private readonly nativeJwtService: JwtService,
    private readonly prisma: PrismaService,
    private readonly configService: ConfigService,
  ) {}

  async appleLogin(params: {
    identityToken: string;
    authorizationCode: string;
    user?: { name?: { firstName?: string; lastName?: string }; email?: string };
  }) {
    const appleUserId = await this.verifyAppleIdentity(
      params.identityToken,
      params.authorizationCode,
    );

    let account = await this.prisma.authAccount.findUnique({
      where: { provider_providerUserId: { provider: 'apple', providerUserId: appleUserId } },
      include: { user: true },
    });

    if (!account) {
      const displayName =
        params.user?.name
          ? `${params.user.name.lastName || ''}${params.user.name.firstName || ''}`
          : undefined;
      account = await this.prisma.authAccount.create({
        data: {
          provider: 'apple',
          providerUserId: appleUserId,
          email: params.user?.email,
          user: {
            create: {
              email: params.user?.email,
              nickname: displayName || undefined,
              status: 'active',
            },
          },
        },
        include: { user: true },
      });
    }

    const accessToken = await this.nativeJwtService.signAsync({
      sub: String(account.user.id),
      email: account.user.email,
    });

    const refreshToken = crypto.randomBytes(48).toString('hex');
    const refreshTokenHash = crypto
      .createHash('sha256')
      .update(refreshToken)
      .digest('hex');

    await this.prisma.refreshToken.create({
      data: {
        userId: account.user.id,
        tokenHash: refreshTokenHash,
        expiresAt: new Date(Date.now() + 7 * 86400000),
      },
    });

    return { accessToken, refreshToken, expiresIn: 3600 };
  }

  async refresh(refreshToken: string) {
    const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');
    const stored = await this.prisma.refreshToken.findFirst({
      where: { tokenHash: hash, revokedAt: null },
      include: { user: true },
    });

    if (!stored || stored.expiresAt < new Date()) {
      throw new UnauthorizedException('刷新令牌无效或已过期');
    }

    await this.prisma.refreshToken.update({
      where: { id: stored.id },
      data: { revokedAt: new Date() },
    });

    const newRefreshToken = crypto.randomBytes(48).toString('hex');
    const newHash = crypto
      .createHash('sha256')
      .update(newRefreshToken)
      .digest('hex');

    await this.prisma.refreshToken.create({
      data: {
        userId: stored.userId,
        tokenHash: newHash,
        expiresAt: new Date(Date.now() + 7 * 86400000),
      },
    });

    const accessToken = await this.nativeJwtService.signAsync({
      sub: String(stored.user.id),
      email: stored.user.email,
    });

    return { accessToken, refreshToken: newRefreshToken, expiresIn: 3600 };
  }

  async logout(userId: number) {
    await this.prisma.refreshToken.updateMany({
      where: { userId, revokedAt: null },
      data: { revokedAt: new Date() },
    });
  }

  private async verifyAppleIdentity(
    identityToken: string,
    authorizationCode: string,
  ): Promise<string> {
    if (this.isMockMode()) {
      return this.verifyMockApple(identityToken);
    }
    return this.verifyRealApple(identityToken);
  }

  private isMockMode(): boolean {
    const bundleId = this.configService.get<string>('apple.bundleId');
    return !bundleId;
  }

  private verifyMockApple(identityToken: string): string {
    if (!identityToken || identityToken.trim().length < 4) {
      throw new UnauthorizedException('identityToken 无效');
    }
    return crypto
      .createHash('sha256')
      .update(`apple-mock:${identityToken}`)
      .digest('hex')
      .slice(0, 64);
  }

  private getJwksClient(): jwksClient.JwksClient {
    if (!this.jwks) {
      const jwksUrl = this.configService.get<string>(
        'apple.jwksUrl',
        'https://appleid.apple.com/auth/keys',
      );
      this.jwks = jwksClient({ jwksUri: jwksUrl, cache: true, rateLimit: true });
    }
    return this.jwks!;
  }

  private async verifyRealApple(identityToken: string): Promise<string> {
    const bundleId = this.configService.get<string>('apple.bundleId');
    const issuer = this.configService.get<string>('apple.issuer', 'https://appleid.apple.com');

    const decodedHeader = jwt.decode(identityToken, { complete: true });
    if (!decodedHeader || typeof decodedHeader === 'string') {
      throw new UnauthorizedException('无法解析 identityToken');
    }

    const kid = decodedHeader.header.kid;
    if (!kid) {
      throw new UnauthorizedException('identityToken 缺少 kid');
    }

    let publicKey: string;
    try {
      const client = this.getJwksClient();
      const key = await client.getSigningKey(kid);
      publicKey = key.getPublicKey();
    } catch {
      throw new UnauthorizedException('无法获取 Apple 公钥，请稍后重试');
    }

    let payload: AppleIdTokenPayload;
    try {
      payload = jwt.verify(identityToken, publicKey, {
        algorithms: ['RS256'],
        issuer,
        audience: bundleId,
      }) as AppleIdTokenPayload;
    } catch (err: any) {
      const msg = err.message || '';
      if (msg.includes('audience')) {
        throw new UnauthorizedException(
          `identityToken audience 不匹配，期望 ${bundleId}`,
        );
      }
      if (msg.includes('issuer')) {
        throw new UnauthorizedException('identityToken issuer 无效');
      }
      throw new UnauthorizedException('identityToken 验证失败');
    }

    return payload.sub;
  }
}
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`import * as crypto from 'crypto';`
			`import { Injectable, UnauthorizedException } from '@nestjs/common';`
			`import { JwtService } from '@nestjs/jwt';`
			`import { ConfigService } from '@nestjs/config';`
			`import { PrismaService } from '../../infrastructure/database/prisma.service';`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`import jwksClient from 'jwks-rsa';`
			`import jwt from 'jsonwebtoken';`

			`interface AppleIdTokenPayload {`
			`sub: string;`
			`email?: string;`
			`email_verified?: string \| boolean;`
			`is_private_email?: string \| boolean;`
			`aud: string;`
			`iss: string;`
			`exp: number;`
			`iat: number;`
			`}`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00
			`@Injectable()`
			`export class AuthService {`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`private jwks: jwksClient.JwksClient;`

feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`constructor(`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`private readonly nativeJwtService: JwtService,`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`private readonly prisma: PrismaService,`
			`private readonly configService: ConfigService,`
			`) {}`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00
			`async appleLogin(params: {`
			`identityToken: string;`
			`authorizationCode: string;`
			`user?: { name?: { firstName?: string; lastName?: string }; email?: string };`
			`}) {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`const appleUserId = await this.verifyAppleIdentity(`
			`params.identityToken,`
			`params.authorizationCode,`
			`);`

			`let account = await this.prisma.authAccount.findUnique({`
			`where: { provider_providerUserId: { provider: 'apple', providerUserId: appleUserId } },`
			`include: { user: true },`
			`});`

			`if (!account) {`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`const displayName =`
			`params.user?.name`
			? `${params.user.name.lastName \|\| ''}${params.user.name.firstName \|\| ''}`
			`: undefined;`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`account = await this.prisma.authAccount.create({`
			`data: {`
			`provider: 'apple',`
			`providerUserId: appleUserId,`
			`email: params.user?.email,`
			`user: {`
			`create: {`
			`email: params.user?.email,`
			`nickname: displayName \|\| undefined,`
			`status: 'active',`
			`},`
			`},`
			`},`
			`include: { user: true },`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`});`
			`}`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`const accessToken = await this.nativeJwtService.signAsync({`
			`sub: String(account.user.id),`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`email: account.user.email,`
			`});`

			`const refreshToken = crypto.randomBytes(48).toString('hex');`
			`const refreshTokenHash = crypto`
			`.createHash('sha256')`
			`.update(refreshToken)`
			`.digest('hex');`

			`await this.prisma.refreshToken.create({`
			`data: {`
			`userId: account.user.id,`
			`tokenHash: refreshTokenHash,`
			`expiresAt: new Date(Date.now() + 7 * 86400000),`
			`},`
			`});`

feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`return { accessToken, refreshToken, expiresIn: 3600 };`
			`}`

			`async refresh(refreshToken: string) {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');`
			`const stored = await this.prisma.refreshToken.findFirst({`
			`where: { tokenHash: hash, revokedAt: null },`
			`include: { user: true },`
			`});`

			`if (!stored \|\| stored.expiresAt < new Date()) {`
			`throw new UnauthorizedException('刷新令牌无效或已过期');`
			`}`

			`await this.prisma.refreshToken.update({`
			`where: { id: stored.id },`
			`data: { revokedAt: new Date() },`
			`});`

			`const newRefreshToken = crypto.randomBytes(48).toString('hex');`
			`const newHash = crypto`
			`.createHash('sha256')`
			`.update(newRefreshToken)`
			`.digest('hex');`

			`await this.prisma.refreshToken.create({`
			`data: {`
			`userId: stored.userId,`
			`tokenHash: newHash,`
			`expiresAt: new Date(Date.now() + 7 * 86400000),`
			`},`
			`});`

feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`const accessToken = await this.nativeJwtService.signAsync({`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`sub: String(stored.user.id),`
			`email: stored.user.email,`
			`});`

feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`return { accessToken, refreshToken: newRefreshToken, expiresIn: 3600 };`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`}`

			`async logout(userId: number) {`
			`await this.prisma.refreshToken.updateMany({`
			`where: { userId, revokedAt: null },`
			`data: { revokedAt: new Date() },`
			`});`
			`}`

			`private async verifyAppleIdentity(`
			`identityToken: string,`
			`authorizationCode: string,`
			`): Promise<string> {`
			`if (this.isMockMode()) {`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`return this.verifyMockApple(identityToken);`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`}`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`return this.verifyRealApple(identityToken);`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`}`

			`private isMockMode(): boolean {`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`const bundleId = this.configService.get<string>('apple.bundleId');`
			`return !bundleId;`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`}`

feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`private verifyMockApple(identityToken: string): string {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`if (!identityToken \|\| identityToken.trim().length < 4) {`
			`throw new UnauthorizedException('identityToken 无效');`
			`}`
			`return crypto`
			`.createHash('sha256')`
feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			.update(`apple-mock:${identityToken}`)
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`.digest('hex')`
			`.slice(0, 64);`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`}`

feat: Apple 登录真实验签 - jwks-rsa + jsonwebtoken 验签 Apple identityToken 2026-05-13 15:35:41 +08:00			`private getJwksClient(): jwksClient.JwksClient {`
			`if (!this.jwks) {`
			`const jwksUrl = this.configService.get<string>(`
			`'apple.jwksUrl',`
			`'https://appleid.apple.com/auth/keys',`
			`);`
			`this.jwks = jwksClient({ jwksUri: jwksUrl, cache: true, rateLimit: true });`
			`}`
			`return this.jwks!;`
			`}`

			`private async verifyRealApple(identityToken: string): Promise<string> {`
			`const bundleId = this.configService.get<string>('apple.bundleId');`
			`const issuer = this.configService.get<string>('apple.issuer', 'https://appleid.apple.com');`

			`const decodedHeader = jwt.decode(identityToken, { complete: true });`
			`if (!decodedHeader \|\| typeof decodedHeader === 'string') {`
			`throw new UnauthorizedException('无法解析 identityToken');`
			`}`

			`const kid = decodedHeader.header.kid;`
			`if (!kid) {`
			`throw new UnauthorizedException('identityToken 缺少 kid');`
			`}`

			`let publicKey: string;`
			`try {`
			`const client = this.getJwksClient();`
			`const key = await client.getSigningKey(kid);`
			`publicKey = key.getPublicKey();`
			`} catch {`
			`throw new UnauthorizedException('无法获取 Apple 公钥，请稍后重试');`
			`}`

			`let payload: AppleIdTokenPayload;`
			`try {`
			`payload = jwt.verify(identityToken, publicKey, {`
			`algorithms: ['RS256'],`
			`issuer,`
			`audience: bundleId,`
			`}) as AppleIdTokenPayload;`
			`} catch (err: any) {`
			`const msg = err.message \|\| '';`
			`if (msg.includes('audience')) {`
			`throw new UnauthorizedException(`
			`identityToken audience 不匹配，期望 ${bundleId}`,
			`);`
			`}`
			`if (msg.includes('issuer')) {`
			`throw new UnauthorizedException('identityToken issuer 无效');`
			`}`
			`throw new UnauthorizedException('identityToken 验证失败');`
			`}`

			`return payload.sub;`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`}`
			`}`