@code2rich/jpage 1.5.0

package/routes/categories.js

@@ -0,0 +1,90 @@
+// 分类 + 模板元数据路由。从 server.js 提取，行为保持不变。
+// 挂载点：/api（内部路径 /categories、/categories/:id、/templates）
+// 注：/api/files/:id/category 归 routes/files.js（同为 /api/files 前缀）。
+
+const express = require('express');
+const { dbAll, dbGet, dbRun } = require('../lib/db');
+const { requireAuth, requireAdmin } = require('../lib/middleware/auth');
+const { clientIp } = require('../lib/util');
+const { reloadCategoryNameCache } = require('../lib/categories');
+const logger = require('../logger');
+
+const router = express.Router();
+
+// --- 模板列表（渲染样式模板，区别于内容模板市场 content-templates）---
+router.get('/templates', requireAuth, async (req, res) => {
+  try {
+    const templates = await dbAll('SELECT * FROM templates ORDER BY is_builtin DESC, name ASC');
+    res.json({ templates });
+  } catch (e) {
+    res.status(500).json({ error: '获取模板列表失败' });
+  }
+});
+
+// --- 分类管理 ---
+
+router.get('/categories', requireAuth, async (req, res) => {
+  try {
+    const role = req.userRole;
+    const userId = req.userId;
+    let categories;
+    if (role === 'admin') {
+      categories = await dbAll(`
+        SELECT c.id, c.name, c.created_at, COUNT(f.id) AS file_count
+        FROM categories c LEFT JOIN files f ON f.category_id = c.id
+        GROUP BY c.id ORDER BY c.created_at ASC
+      `);
+    } else {
+      categories = await dbAll(`
+        SELECT c.id, c.name, c.created_at, COUNT(f.id) AS file_count
+        FROM categories c LEFT JOIN files f ON f.category_id = c.id AND f.uploaded_by = ?
+        GROUP BY c.id ORDER BY c.created_at ASC
+      `, [userId]);
+    }
+    res.json({ categories });
+  } catch (e) {
+    res.status(500).json({ error: '获取分类失败' });
+  }
+});
+
+router.post('/categories', requireAuth, async (req, res) => {
+  const { name } = req.body || {};
+  if (!name || !name.trim()) return res.status(400).json({ error: '分类名不能为空' });
+  try {
+    const existing = await dbGet('SELECT id, name, created_at FROM categories WHERE name = ?', [name.trim()]);
+    if (existing) return res.json(existing);
+    const result = await dbRun('INSERT INTO categories (name, user_id) VALUES (?, ?)', [name.trim(), req.userId]);
+    await reloadCategoryNameCache();
+    logger.audit('category.create', { categoryId: result.lastID, name: name.trim(), ip: clientIp(req) });
+    res.json({ id: result.lastID, name: name.trim() });
+  } catch (e) {
+    res.status(500).json({ error: '创建分类失败' });
+  }
+});
+
+router.put('/categories/:id', requireAuth, requireAdmin, async (req, res) => {
+  const { name } = req.body || {};
+  if (!name || !name.trim()) return res.status(400).json({ error: '分类名不能为空' });
+  try {
+    await dbRun('UPDATE categories SET name = ? WHERE id = ?', [name.trim(), req.params.id]);
+    await reloadCategoryNameCache();
+    logger.audit('category.rename', { categoryId: req.params.id, name: name.trim(), ip: clientIp(req) });
+    res.json({ success: true });
+  } catch (e) {
+    res.status(500).json({ error: '重命名分类失败' });
+  }
+});
+
+router.delete('/categories/:id', requireAuth, requireAdmin, async (req, res) => {
+  try {
+    await dbRun('UPDATE files SET category_id = NULL WHERE category_id = ?', [req.params.id]);
+    await dbRun('DELETE FROM categories WHERE id = ?', [req.params.id]);
+    await reloadCategoryNameCache();
+    logger.audit('category.delete', { categoryId: req.params.id, ip: clientIp(req) });
+    res.json({ success: true });
+  } catch (e) {
+    res.status(500).json({ error: '删除分类失败' });
+  }
+});
+
+module.exports = router;

package/routes/content-templates.js

@@ -0,0 +1,215 @@
+// 内容模板市场路由。从 server.js 提取，行为保持不变。
+// 挂载点：/api/content-templates
+
+const express = require('express');
+const { dbGet, dbRun, dbAll } = require('../lib/db');
+const { requireAuth } = require('../lib/middleware/auth');
+const { clientIp } = require('../lib/util');
+const logger = require('../logger');
+
+const router = express.Router();
+
+const CONTENT_TEMPLATE_MAX_SIZE = 512000; // 500KB
+const CONTENT_TEMPLATE_SCENES = ['dashboard', 'report', 'resume', 'landing', 'note', 'presentation', 'card', 'email', 'other'];
+
+// 公开模板列表（无需登录）
+router.get('/public', async (req, res) => {
+  try {
+    const page = Math.max(1, parseInt(req.query.page) || 1);
+    const limit = Math.min(20, Math.max(1, parseInt(req.query.limit) || 8));
+    const offset = (page - 1) * limit;
+    const { scene } = req.query;
+
+    const conditions = ['ct.is_public = 1'];
+    const params = [];
+    if (scene) { conditions.push('ct.scene = ?'); params.push(scene); }
+    const where = 'WHERE ' + conditions.join(' AND ');
+
+    const total = await dbGet(`SELECT COUNT(*) as count FROM content_templates ct ${where}`, params);
+    const templates = await dbAll(
+      `SELECT ct.id, ct.title, ct.description, ct.file_type, ct.scene, ct.style_tags, ct.use_count
+       FROM content_templates ct
+       ${where} ORDER BY ct.use_count DESC LIMIT ? OFFSET ?`,
+      [...params, limit, offset]
+    );
+    res.json({
+      templates,
+      pagination: { page, limit, total: total.count, totalPages: Math.ceil(total.count / limit) }
+    });
+  } catch (e) {
+    logger.error({ type: 'app', msg: '获取公开模板列表失败', error: e.message });
+    res.status(500).json({ error: '获取模板列表失败' });
+  }
+});
+
+// 公开模板预览（无需登录）
+router.get('/public/:id/preview', async (req, res) => {
+  try {
+    const t = await dbGet(
+      'SELECT id, title, file_type, content FROM content_templates WHERE id = ? AND is_public = 1',
+      [req.params.id]
+    );
+    if (!t) return res.status(404).json({ error: '模板不存在' });
+    res.json({ id: t.id, title: t.title, file_type: t.file_type, content: t.content });
+  } catch (e) {
+    res.status(500).json({ error: '获取模板预览失败' });
+  }
+});
+
+router.get('/', requireAuth, async (req, res) => {
+  try {
+    const page = Math.max(1, parseInt(req.query.page) || 1);
+    const limit = Math.min(20, Math.max(1, parseInt(req.query.limit) || 10));
+    const offset = (page - 1) * limit;
+    const { scene, keyword, fileType, sort } = req.query;
+
+    const conditions = [];
+    const params = [];
+    if (req.userRole !== 'admin') {
+      conditions.push('(ct.is_public = 1 OR ct.uploaded_by = ?)');
+      params.push(req.userId);
+    }
+    if (scene) { conditions.push('ct.scene = ?'); params.push(scene); }
+    if (fileType) { conditions.push('ct.file_type = ?'); params.push(fileType); }
+    if (keyword) {
+      conditions.push('(ct.title LIKE ? OR ct.description LIKE ?)');
+      params.push(`%${keyword}%`, `%${keyword}%`);
+    }
+    const where = conditions.length ? 'WHERE ' + conditions.join(' AND ') : '';
+    const orderBy = sort === 'created_at' ? 'ct.created_at DESC' : 'ct.use_count DESC';
+
+    const total = await dbGet(`SELECT COUNT(*) as count FROM content_templates ct ${where}`, params);
+    const templates = await dbAll(
+      `SELECT ct.id, ct.title, ct.description, ct.file_type, ct.scene, ct.style_tags,
+              ct.uploaded_by, ct.use_count, ct.is_public, ct.created_at, ct.updated_at,
+              u.username as uploader_name
+       FROM content_templates ct LEFT JOIN users u ON ct.uploaded_by = u.id
+       ${where} ORDER BY ${orderBy} LIMIT ? OFFSET ?`,
+      [...params, limit, offset]
+    );
+    res.json({
+      templates,
+      pagination: { page, limit, total: total.count, totalPages: Math.ceil(total.count / limit) }
+    });
+  } catch (e) {
+    logger.error({ type: 'app', msg: '获取内容模板列表失败', error: e.message });
+    res.status(500).json({ error: '获取内容模板列表失败' });
+  }
+});
+
+router.get('/scenes', requireAuth, async (req, res) => {
+  res.json({ scenes: CONTENT_TEMPLATE_SCENES });
+});
+
+router.get('/:id', requireAuth, async (req, res) => {
+  try {
+    const t = await dbGet(
+      `SELECT ct.id, ct.title, ct.description, ct.file_type, ct.scene, ct.style_tags,
+              ct.uploaded_by, ct.use_count, ct.is_public, ct.created_at, ct.updated_at,
+              u.username as uploader_name
+       FROM content_templates ct LEFT JOIN users u ON ct.uploaded_by = u.id
+       WHERE ct.id = ?`, [req.params.id]
+    );
+    if (!t) return res.status(404).json({ error: '模板不存在' });
+    if (!t.is_public && req.userRole !== 'admin' && t.uploaded_by !== req.userId) {
+      return res.status(403).json({ error: '无权访问' });
+    }
+    res.json(t);
+  } catch (e) {
+    res.status(500).json({ error: '获取模板详情失败' });
+  }
+});
+
+router.get('/:id/content', requireAuth, async (req, res) => {
+  try {
+    const t = await dbGet('SELECT id, title, file_type, content, is_public, uploaded_by FROM content_templates WHERE id = ?', [req.params.id]);
+    if (!t) return res.status(404).json({ error: '模板不存在' });
+    if (!t.is_public && req.userRole !== 'admin' && t.uploaded_by !== req.userId) {
+      return res.status(403).json({ error: '无权访问' });
+    }
+    res.json({ id: t.id, title: t.title, file_type: t.file_type, content: t.content });
+  } catch (e) {
+    res.status(500).json({ error: '获取模板内容失败' });
+  }
+});
+
+router.post('/', requireAuth, async (req, res) => {
+  const { title, description, fileType, scene, styleTags, content, isPublic } = req.body || {};
+  if (!title || !title.trim()) return res.status(400).json({ error: '模板标题不能为空' });
+  if (!content) return res.status(400).json({ error: '样例内容不能为空' });
+  if (Buffer.byteLength(content, 'utf-8') > CONTENT_TEMPLATE_MAX_SIZE) {
+    return res.status(400).json({ error: '样例内容不能超过 500KB' });
+  }
+  const ft = fileType || 'html';
+  if (ft !== 'html' && ft !== 'markdown') return res.status(400).json({ error: '文件类型仅支持 html 或 markdown' });
+  try {
+    const result = await dbRun(
+      `INSERT INTO content_templates (title, description, file_type, scene, style_tags, content, uploaded_by, is_public) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      [title.trim(), description || null, ft, scene || null, styleTags || null, content, req.userId, isPublic !== false ? 1 : 0]
+    );
+    logger.audit('content_template.create', { templateId: result.lastID, title: title.trim(), scene, ip: clientIp(req) });
+    res.json({ id: result.lastID, title: title.trim() });
+  } catch (e) {
+    logger.error({ type: 'app', msg: '创建内容模板失败', error: e.message });
+    res.status(500).json({ error: '创建内容模板失败' });
+  }
+});
+
+router.put('/:id', requireAuth, async (req, res) => {
+  try {
+    const t = await dbGet('SELECT id, uploaded_by FROM content_templates WHERE id = ?', [req.params.id]);
+    if (!t) return res.status(404).json({ error: '模板不存在' });
+    if (req.userRole !== 'admin' && t.uploaded_by !== req.userId) return res.status(403).json({ error: '无权操作' });
+
+    const { title, description, scene, styleTags, content, isPublic } = req.body || {};
+    const sets = [];
+    const params = [];
+    if (title !== undefined) { sets.push('title = ?'); params.push(title.trim()); }
+    if (description !== undefined) { sets.push('description = ?'); params.push(description); }
+    if (scene !== undefined) { sets.push('scene = ?'); params.push(scene); }
+    if (styleTags !== undefined) { sets.push('style_tags = ?'); params.push(styleTags); }
+    if (content !== undefined) {
+      if (Buffer.byteLength(content, 'utf-8') > CONTENT_TEMPLATE_MAX_SIZE) {
+        return res.status(400).json({ error: '样例内容不能超过 500KB' });
+      }
+      sets.push('content = ?'); params.push(content);
+    }
+    if (isPublic !== undefined) { sets.push('is_public = ?'); params.push(isPublic ? 1 : 0); }
+    if (sets.length === 0) return res.json({ success: true });
+
+    sets.push("updated_at = datetime('now')");
+    params.push(req.params.id);
+    await dbRun(`UPDATE content_templates SET ${sets.join(', ')} WHERE id = ?`, params);
+    logger.audit('content_template.update', { templateId: parseInt(req.params.id), ip: clientIp(req) });
+    res.json({ success: true });
+  } catch (e) {
+    logger.error({ type: 'app', msg: '更新内容模板失败', error: e.message });
+    res.status(500).json({ error: '更新内容模板失败' });
+  }
+});
+
+router.delete('/:id', requireAuth, async (req, res) => {
+  try {
+    const t = await dbGet('SELECT id, uploaded_by FROM content_templates WHERE id = ?', [req.params.id]);
+    if (!t) return res.status(404).json({ error: '模板不存在' });
+    if (req.userRole !== 'admin' && t.uploaded_by !== req.userId) return res.status(403).json({ error: '无权操作' });
+    await dbRun('DELETE FROM content_templates WHERE id = ?', [req.params.id]);
+    logger.audit('content_template.delete', { templateId: parseInt(req.params.id), ip: clientIp(req) });
+    res.json({ success: true });
+  } catch (e) {
+    logger.error({ type: 'app', msg: '删除内容模板失败', error: e.message });
+    res.status(500).json({ error: '删除内容模板失败' });
+  }
+});
+
+router.post('/:id/use', requireAuth, async (req, res) => {
+  try {
+    await dbRun('UPDATE content_templates SET use_count = use_count + 1 WHERE id = ?', [req.params.id]);
+    const t = await dbGet('SELECT use_count FROM content_templates WHERE id = ?', [req.params.id]);
+    res.json({ success: true, use_count: t ? t.use_count : 0 });
+  } catch (e) {
+    res.status(500).json({ error: '记录使用失败' });
+  }
+});
+
+module.exports = router;

package/routes/files/_shared.js

@@ -0,0 +1,112 @@
+// 文件路由的共享层：上传配置（multer/限流）+ 版本备份序列 + 下载头 + 路径守卫。
+// 由 routes/files/ 下各子模块按需 require，避免重复定义。
+//
+// 设计原则：只放「真正安全、零行为差异」的提取项。权限校验、行级 enrichment 等
+// 涉及行为语义的逻辑仍留在各路由文件内，不在本轮重构中改动。
+
+const express = require('express');
+const multer = require('multer');
+const rateLimit = require('express-rate-limit');
+const path = require('path');
+const { dbGet, dbRun } = require('../../lib/db');
+const { now } = require('../../lib/util');
+const { decodeFilename } = require('../../lib/util');
+const { UPLOAD_DIR } = require('../../lib/paths');
+
+// --- 常量 ---
+const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50MB
+const ALLOWED_UPLOAD_EXTS = ['.html', '.htm', '.md', '.markdown', '.zip']; // 上传（含 ZIP）
+const ALLOWED_TEXT_EXTS = ['.html', '.htm', '.md', '.markdown'];          // JSON 上传（无 ZIP）
+
+// --- 上传限流 ---
+const uploadLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 50,
+  message: { error: '上传请求过于频繁，请稍后再试' }
+});
+
+// --- multer 配置（multipart 上传用） ---
+const storage = multer.diskStorage({
+  destination: (req, file, cb) => {
+    cb(null, UPLOAD_DIR);
+  },
+  filename: (req, file, cb) => {
+    const decoded = decodeFilename(file.originalname);
+    const ext = path.extname(decoded);
+    cb(null, generateStoredName(ext));
+  }
+});
+
+const upload = multer({
+  storage,
+  limits: { fileSize: MAX_FILE_SIZE },
+  fileFilter: (req, file, cb) => {
+    const decoded = decodeFilename(file.originalname);
+    const ext = path.extname(decoded).toLowerCase();
+    if (ALLOWED_UPLOAD_EXTS.includes(ext)) return cb(null, true);
+    cb(new Error('仅支持 HTML、Markdown 和 ZIP 文件'));
+  }
+});
+
+// JSON body 解析器：上传类端点需要放宽到 50MB（全局默认 1MB）
+const largeJson = express.json({ limit: '50mb' });
+
+// --- 文件名生成：替换原先散落在 5 处的 Date.now()+'-'+Math.round(...)+ext ---
+function generateStoredName(ext) {
+  return Date.now() + '-' + Math.round(Math.random() * 1e9) + ext;
+}
+
+// --- 版本备份 + 主记录更新序列 ---
+// 原先在 upload/upload-json/overwrite/overwrite-json/restore 共 5 处重复。
+// 行为零差异：读 nextVer → INSERT 旧版本到 file_versions → UPDATE files 主记录。
+//
+// @param {object} file       - 旧 files 行（含 stored_name/size/id）
+// @param {object} next       - 新版本数据 { storedName, size }
+// @param {number} recordedBy - 写入 file_versions.uploaded_by 的用户 id
+//                              （upload/overwrite 各处用 file.uploaded_by；restore 用 currentUserId）
+// @returns {Promise<{ version: number }>} 返回新版本号（nextVer + 1，对齐审计日志语义）
+async function backupAndApplyVersion(file, next, recordedBy) {
+  const verRow = await dbGet(
+    'SELECT COALESCE(MAX(version), 0) + 1 AS nextVer FROM file_versions WHERE file_id = ?',
+    [file.id]
+  );
+  const nextVer = verRow.nextVer;
+  await dbRun(
+    'INSERT INTO file_versions (file_id, version, stored_name, size, uploaded_by) VALUES (?, ?, ?, ?, ?)',
+    [file.id, nextVer, file.stored_name, file.size, recordedBy]
+  );
+  await dbRun(
+    'UPDATE files SET stored_name = ?, size = ?, updated_at = ? WHERE id = ?',
+    [next.storedName, next.size, now(), file.id]
+  );
+  return { version: nextVer + 1 };
+}
+
+// --- 下载 Content-Disposition 头（UTF-8 文件名） ---
+// 替换 download 路由两处重复的 encoded + filename*=UTF-8'' 拼接。
+function setDownloadHeaders(res, name) {
+  const encoded = encodeURIComponent(name);
+  res.setHeader('Content-Disposition', "attachment; filename=\"" + encoded + "\"; filename*=UTF-8''" + encoded);
+}
+
+// --- bundle 路径穿越守卫 ---
+// 替换 content/asset 路由的 path.resolve + startsWith 重复校验。
+// 返回 true 表示安全（路径落在 bundleDir 内）。
+function isWithinBundle(absPath, bundleDir) {
+  const resolvedDir = path.resolve(bundleDir) + path.sep;
+  const resolved = path.resolve(absPath);
+  return resolved.startsWith(resolvedDir) || resolved === path.resolve(bundleDir);
+}
+
+module.exports = {
+  MAX_FILE_SIZE,
+  ALLOWED_UPLOAD_EXTS,
+  ALLOWED_TEXT_EXTS,
+  uploadLimiter,
+  upload,
+  largeJson,
+  generateStoredName,
+  backupAndApplyVersion,
+  setDownloadHeaders,
+  isWithinBundle,
+};

package/routes/files/associations.js

@@ -0,0 +1,94 @@
+// 标签关联 / 收藏 / 分类设置 / 访问统计 路由。
+// 从 routes/files.js 提取，行为保持不变。挂在共享 router 上。
+
+const { dbGet, dbRun, dbAll } = require('../../lib/db');
+const { requireAuth } = require('../../lib/middleware/auth');
+const { checkFileOwnership } = require('../../lib/middleware/files');
+const { clientIp } = require('../../lib/util');
+const { getPendingViewCount } = require('../../lib/view-counts');
+const logger = require('../../logger');
+
+function registerAssociations(router) {
+  // --- 标签关联（替换文件的全部标签） ---
+  router.put('/:id/tags', requireAuth, async (req, res) => {
+    try {
+      const file = await dbGet('SELECT id FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      if (!checkFileOwnership(req, file)) return res.status(403).json({ error: '无权操作此文件' });
+      const { tagIds } = req.body || {};
+      if (!Array.isArray(tagIds)) return res.status(400).json({ error: 'tagIds 必须是数组' });
+      await dbRun('DELETE FROM file_tags WHERE file_id = ?', [req.params.id]);
+      for (const tid of tagIds) {
+        await dbRun('INSERT OR IGNORE INTO file_tags (file_id, tag_id) VALUES (?, ?)', [req.params.id, tid]);
+      }
+      res.json({ success: true });
+      logger.audit('file.updateTags', { fileId: req.params.id, tagIds, ip: clientIp(req) });
+    } catch (e) {
+      res.status(500).json({ error: '更新标签失败' });
+    }
+  });
+
+  // --- 收藏 ---
+  router.post('/:id/star', requireAuth, async (req, res) => {
+    try {
+      const file = await dbGet('SELECT id FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      await dbRun('INSERT OR IGNORE INTO starred_files (user_id, file_id) VALUES (?, ?)', [req.userId, req.params.id]);
+      res.json({ success: true });
+    } catch (e) {
+      res.status(500).json({ error: '收藏失败' });
+    }
+  });
+
+  router.delete('/:id/star', requireAuth, async (req, res) => {
+    try {
+      await dbRun('DELETE FROM starred_files WHERE user_id = ? AND file_id = ?', [req.userId, req.params.id]);
+      res.json({ success: true });
+    } catch (e) {
+      res.status(500).json({ error: '取消收藏失败' });
+    }
+  });
+
+  // --- 分类设置 ---
+  router.put('/:id/category', requireAuth, async (req, res) => {
+    const { categoryId } = req.body || {};
+    try {
+      const file = await dbGet('SELECT id, uploaded_by FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      if (req.userRole !== 'admin' && file.uploaded_by !== req.userId) {
+        return res.status(403).json({ error: '无权操作' });
+      }
+      await dbRun('UPDATE files SET category_id = ? WHERE id = ?', [categoryId || null, req.params.id]);
+      logger.audit('file.setCategory', { fileId: parseInt(req.params.id), categoryId: categoryId || null, ip: clientIp(req) });
+      res.json({ success: true });
+    } catch (e) {
+      res.status(500).json({ error: '设置分类失败' });
+    }
+  });
+
+  // --- 访问统计 ---
+  router.get('/:id/stats', requireAuth, async (req, res) => {
+    try {
+      const file = await dbGet('SELECT id, uploaded_by, view_count FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      if (req.userRole !== 'admin' && file.uploaded_by !== req.userId) {
+        return res.status(403).json({ error: '无权访问' });
+      }
+      const [daily7, daily30] = await Promise.all([
+        dbAll(
+          "SELECT date(visited_at) as date, COUNT(*) as count FROM link_visits WHERE file_id = ? AND visited_at > datetime('now','-7 days') GROUP BY date(visited_at) ORDER BY date",
+          [file.id]
+        ),
+        dbAll(
+          "SELECT date(visited_at) as date, COUNT(*) as count FROM link_visits WHERE file_id = ? AND visited_at > datetime('now','-30 days') GROUP BY date(visited_at) ORDER BY date",
+          [file.id]
+        )
+      ]);
+      res.json({ viewCount: (file.view_count || 0) + getPendingViewCount(file.id), daily7, daily30 });
+    } catch (e) {
+      res.status(500).json({ error: '获取统计失败' });
+    }
+  });
+}
+
+module.exports = { registerAssociations };

package/routes/files/crud.js

@@ -0,0 +1,139 @@
+// 更新 / 删除 / 批量操作路由。
+// 从 routes/files.js 提取，行为保持不变。挂在共享 router 上。
+
+const fs = require('fs');
+const path = require('path');
+const { dbGet, dbRun, dbAll } = require('../../lib/db');
+const { requireAuth } = require('../../lib/middleware/auth');
+const { unlinkQuiet, clientIp } = require('../../lib/util');
+const { UPLOAD_DIR } = require('../../lib/paths');
+const { deleteFileIndex } = require('../../lib/fts');
+const { invalidateRenderCache } = require('../../lib/render-cache');
+const { checkFileOwnership } = require('../../lib/middleware/files');
+const logger = require('../../logger');
+
+function registerCrud(router) {
+  // --- 更新 ---
+  router.put('/:id', requireAuth, async (req, res) => {
+    const { name, isPublic, templateId } = req.body || {};
+    if (name === undefined && isPublic === undefined && templateId === undefined) {
+      return res.status(400).json({ error: '无更新字段' });
+    }
+    try {
+      const file = await dbGet('SELECT * FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      if (!checkFileOwnership(req, file)) return res.status(403).json({ error: '无权操作此文件' });
+      if (name !== undefined) {
+        if (typeof name !== 'string' || !name.trim()) return res.status(400).json({ error: '文件名不能为空' });
+        await dbRun('UPDATE files SET original_name = ? WHERE id = ?', [name.trim(), req.params.id]);
+      }
+      if (isPublic !== undefined) {
+        await dbRun('UPDATE files SET is_public = ? WHERE id = ?', [isPublic ? 1 : 0, req.params.id]);
+      }
+      if (templateId !== undefined) {
+        const tid = templateId ? parseInt(templateId) : null;
+        if (tid) {
+          const tpl = await dbGet('SELECT id FROM templates WHERE id = ?', [tid]);
+          if (!tpl) return res.status(400).json({ error: '模板不存在' });
+        }
+        await dbRun('UPDATE files SET template_id = ? WHERE id = ?', [tid, req.params.id]);
+      }
+      logger.audit('file.update', { fileId: req.params.id, changes: { name, isPublic, templateId }, ip: clientIp(req) });
+      res.json({ success: true });
+    } catch (e) {
+      res.status(500).json({ error: '更新失败' });
+    }
+  });
+
+  // --- 删除 ---
+  router.delete('/:id', requireAuth, async (req, res) => {
+    try {
+      const file = await dbGet('SELECT * FROM files WHERE id = ?', [req.params.id]);
+      if (!file) return res.status(404).json({ error: '文件不存在' });
+      if (!checkFileOwnership(req, file)) return res.status(403).json({ error: '无权操作此文件' });
+
+      // 清理关联数据
+      await dbRun('DELETE FROM file_tags WHERE file_id = ?', [req.params.id]);
+      await dbRun('DELETE FROM starred_files WHERE file_id = ?', [req.params.id]);
+      await deleteFileIndex(req.params.id);
+
+      // 清理版本记录及对应磁盘文件
+      const versions = await dbAll('SELECT stored_name FROM file_versions WHERE file_id = ?', [req.params.id]);
+      for (const v of versions) {
+        const p = path.join(UPLOAD_DIR, v.stored_name);
+        if (fs.existsSync(p)) await unlinkQuiet(p);
+      }
+      await dbRun('DELETE FROM file_versions WHERE file_id = ?', [req.params.id]);
+
+      // 删除主文件
+      const filePath = path.join(UPLOAD_DIR, file.stored_name);
+      if (fs.existsSync(filePath)) await unlinkQuiet(filePath);
+      await dbRun('DELETE FROM files WHERE id = ?', [req.params.id]);
+      invalidateRenderCache(req.params.id);
+      logger.audit('file.delete', { fileId: req.params.id, fileName: file.original_name, ip: clientIp(req) });
+      res.json({ success: true });
+    } catch (e) {
+      res.status(500).json({ error: '删除失败' });
+    }
+  });
+
+  // --- 批量操作 ---
+  router.post('/batch', requireAuth, async (req, res) => {
+    try {
+      const { action, ids, data } = req.body;
+      if (!action || !Array.isArray(ids) || !ids.length) {
+        return res.status(400).json({ error: '缺少 action 或 ids 参数' });
+      }
+      if (ids.length > 200) return res.status(400).json({ error: '单次最多操作 200 个文件' });
+      const validActions = ['delete', 'setPublic', 'setPrivate', 'setCategory'];
+      if (!validActions.includes(action)) return res.status(400).json({ error: '不支持的操作: ' + action });
+
+      const placeholders = ids.map(() => '?').join(',');
+      const files = await dbAll(`SELECT * FROM files WHERE id IN (${placeholders})`, ids);
+      if (!files.length) return res.json({ success: true, affected: 0 });
+      for (const f of files) {
+        if (!checkFileOwnership(req, f)) return res.status(403).json({ error: '无权操作部分文件' });
+      }
+
+      const fileIds = files.map(f => f.id);
+      const idPlaceholders = fileIds.map(() => '?').join(',');
+
+      if (action === 'delete') {
+        await dbRun('BEGIN');
+        try {
+          await dbRun(`DELETE FROM file_tags WHERE file_id IN (${idPlaceholders})`, fileIds);
+          await dbRun(`DELETE FROM starred_files WHERE file_id IN (${idPlaceholders})`, fileIds);
+          const versions = await dbAll(`SELECT stored_name FROM file_versions WHERE file_id IN (${idPlaceholders})`, fileIds);
+          for (const v of versions) {
+            await unlinkQuiet(path.join(UPLOAD_DIR, v.stored_name));
+          }
+          await dbRun(`DELETE FROM file_versions WHERE file_id IN (${idPlaceholders})`, fileIds);
+          for (const f of files) {
+            await unlinkQuiet(path.join(UPLOAD_DIR, f.stored_name));
+          }
+          await dbRun(`DELETE FROM files WHERE id IN (${idPlaceholders})`, fileIds);
+          await dbRun('COMMIT');
+        } catch (e) {
+          await dbRun('ROLLBACK');
+          throw e;
+        }
+        logger.audit('file.batchDelete', { count: fileIds.length, ip: clientIp(req) });
+      } else if (action === 'setPublic' || action === 'setPrivate') {
+        const isPublic = action === 'setPublic' ? 1 : 0;
+        await dbRun(`UPDATE files SET is_public = ? WHERE id IN (${idPlaceholders})`, [isPublic, ...fileIds]);
+        logger.audit('file.batchSetPrivacy', { action, count: fileIds.length, ip: clientIp(req) });
+      } else if (action === 'setCategory') {
+        const categoryId = data && data.categoryId ? data.categoryId : null;
+        await dbRun(`UPDATE files SET category_id = ? WHERE id IN (${idPlaceholders})`, [categoryId, ...fileIds]);
+        logger.audit('file.batchSetCategory', { categoryId, count: fileIds.length, ip: clientIp(req) });
+      }
+
+      res.json({ success: true, affected: fileIds.length });
+    } catch (e) {
+      logger.error({ type: 'app', action: 'file.batch', error: e.message });
+      res.status(500).json({ error: '批量操作失败' });
+    }
+  });
+}
+
+module.exports = { registerCrud };