@code2rich/jpage 1.5.0

package/test/integration/files-security.test.js

@@ -0,0 +1,248 @@
+// 文件路由安全关键路径集成测试：ZIP 上传（安全校验）/ CSP 分级下发 / 权限隔离。
+// 与 files.test.js 共用同一套 helper（隔离 SQLite 数据目录 + admin agent）。
+
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const JSZip = require('jszip');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let admin;        // admin agent
+let user;         // 普通用户 agent
+let otherUser;    // 另一个普通用户 agent
+
+// 用 JSZip 构造 ZIP buffer（同步拼装，上传时转 base64）
+async function makeZip(files) {
+  const zip = new JSZip();
+  for (const [name, content] of Object.entries(files)) {
+    zip.file(name, content);
+  }
+  return zip.generateAsync({ type: 'nodebuffer' });
+}
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+
+  admin = request.agent(env.app);
+  await admin.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+
+  // admin 创建两个普通用户
+  await admin.post('/api/users').send({ username: 'alice', password: 'alicepass123', role: 'user' });
+  await admin.post('/api/users').send({ username: 'bob', password: 'bobpass123', role: 'user' });
+
+  user = request.agent(env.app);
+  await user.post('/api/auth/login').send({ username: 'alice', password: 'alicepass123' });
+  otherUser = request.agent(env.app);
+  await otherUser.post('/api/auth/login').send({ username: 'bob', password: 'bobpass123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+// ====================== ZIP 上传安全 ======================
+
+test('ZIP bundle 上传：index.html + 子目录资源 → is_bundle=1', async () => {
+  const buf = await makeZip({
+    'index.html': '<!DOCTYPE html><html><body><h1>bundle</h1></body></html>',
+    'css/style.css': 'body{color:red}',
+    'img/logo.svg': '<svg></svg>',
+  });
+  const res = await user.post('/api/files/upload-zip-base64').send({
+    name: 'site.zip',
+    content: buf.toString('base64'),
+    isPublic: false,
+  });
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.is_bundle, 1);
+  assert.ok(res.body.entry_path);
+  assert.strictEqual(res.body.file_type, 'html');
+});
+
+test('ZIP batch 上传：多个根目录 HTML → type=batch', async () => {
+  const buf = await makeZip({
+    'a.html': '<p>a</p>',
+    'b.html': '<p>b</p>',
+  });
+  const res = await user.post('/api/files/upload-zip-base64').send({
+    name: 'batch.zip',
+    content: buf.toString('base64'),
+    isPublic: false,
+  });
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.type, 'batch');
+  assert.ok(res.body.count >= 2);
+});
+
+test('ZIP 穿越防护：上传带 ../ 的 ZIP 不会写出越界文件', async () => {
+  // JSZip 在生成阶段会把真实 ../ 规范化掉，所以这里无法通过 HTTP 端点
+  // 触发 validateZipEntries 的目录穿越分支（该分支由 test/unit/zip.test.js
+  // 直接注入恶意 normalizedPath 覆盖）。本用例验证端到端的最终保证：
+  // 即便 zip 里有 ../ 前缀条目，服务端也不会在 UPLOAD_DIR 之外创建文件。
+  const zip = new JSZip();
+  zip.file('../escape-attempt.txt', 'evil'); // 生成后会被规范化为 escape-attempt.txt
+  zip.file('index.html', '<p>ok</p>');
+  const buf = await zip.generateAsync({ type: 'nodebuffer' });
+  const res = await user.post('/api/files/upload-zip-base64').send({
+    name: 'traversal.zip',
+    content: buf.toString('base64'),
+  });
+  // 上传成功（被规范化为合法 bundle），但越界文件绝不能存在
+  assert.strictEqual(res.status, 200);
+  const dataDir = env.dataDir;
+  const uploadsDir = require('path').join(dataDir, 'uploads');
+  const walk = (dir) => {
+    const found = [];
+    for (const e of require('fs').readdirSync(dir, { withFileTypes: true })) {
+      const full = require('path').join(dir, e.name);
+      if (e.isDirectory()) found.push(...walk(full));
+      else found.push(full);
+    }
+    return found;
+  };
+  const allFiles = walk(uploadsDir);
+  // UPLOAD_DIR 之外不应出现 escape-attempt.txt
+  const escaped = allFiles.filter(f => !f.startsWith(uploadsDir));
+  assert.strictEqual(escaped.length, 0, '不应有文件写到 UPLOAD_DIR 之外');
+  // 也不应有真正叫 escape-attempt.txt 的越界文件（规范化后落在 bundle 目录内才算正常）
+  assert.ok(!allFiles.some(f => f.endsWith('../escape-attempt.txt')));
+});
+
+test('ZIP 无任何 HTML/Markdown → 400', async () => {
+  const buf = await makeZip({
+    'a.css': 'body{}',
+    'b.js': 'console.log(1)',
+  });
+  const res = await user.post('/api/files/upload-zip-base64').send({
+    name: 'nohtml.zip',
+    content: buf.toString('base64'),
+  });
+  assert.strictEqual(res.status, 400);
+});
+
+test('upload-zip-base64 非 zip 扩展名 → 400', async () => {
+  const res = await user.post('/api/files/upload-zip-base64').send({
+    name: 'notzip.txt',
+    content: 'aGVsbG8=',
+  });
+  assert.strictEqual(res.status, 400);
+});
+
+// ====================== CSP 分级下发 ======================
+
+test('Markdown 渲染页下发严格 CSP（含 nonce，无 unsafe-inline script）', async () => {
+  const up = await admin.post('/api/files/upload-json').send({
+    name: 'csp-md.md',
+    content: '# 标题\n\n```mermaid\ngraph LR;A-->B\n```',
+    isPublic: true,
+  });
+  const res = await admin.get(`/api/files/${up.body.id}/render`);
+  assert.strictEqual(res.status, 200);
+  const csp = res.headers['content-security-policy'] || '';
+  // 必须有 script-src 且含 nonce（不能是 unsafe-inline）
+  assert.match(csp, /script-src[^;]*'nonce-/);
+  assert.ok(!/script-src[^;]*'unsafe-inline'/.test(csp), 'Markdown 页不应放开 script unsafe-inline');
+});
+
+test('HTML 渲染页下发宽松 CSP（允许 inline script + https）', async () => {
+  const up = await admin.post('/api/files/upload-json').send({
+    name: 'csp-html.html',
+    content: '<!DOCTYPE html><html><body><script>console.log(1)</script></body></html>',
+    isPublic: true,
+  });
+  const res = await admin.get(`/api/files/${up.body.id}/render`);
+  assert.strictEqual(res.status, 200);
+  const csp = res.headers['content-security-policy'] || '';
+  assert.match(csp, /script-src[^;]*'unsafe-inline'/);
+  assert.match(csp, /script-src[^;]*https:/);
+});
+
+test('管理界面 API 下发严格 CSP（无 unsafe-inline script）', async () => {
+  // files 列表走 APP_CSP（非渲染端点）
+  const res = await admin.get('/api/files');
+  assert.strictEqual(res.status, 200);
+  const csp = res.headers['content-security-policy'] || '';
+  assert.match(csp, /script-src[^;]*'self'/);
+  assert.ok(!/script-src[^;]*'unsafe-inline'/.test(csp), '管理界面不应放开 script unsafe-inline');
+  // 管理界面 frame-ancestors none
+  assert.match(csp, /frame-ancestors 'none'/);
+});
+
+// ====================== 权限隔离 ======================
+
+test('普通用户上传的私有文件，其他普通用户访问 → 403', async () => {
+  // alice 上传私有文件
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'alice-private.md',
+    content: '# secret',
+    isPublic: false,
+  });
+  assert.strictEqual(up.body.is_public, 0);
+  // bob 尝试读取详情 → 403
+  const detail = await otherUser.get(`/api/files/${up.body.id}`);
+  assert.strictEqual(detail.status, 403);
+  // bob 尝试读取原文 → 403
+  const content = await otherUser.get(`/api/files/${up.body.id}/content`);
+  assert.strictEqual(content.status, 403);
+  // bob 尝试渲染 → 403
+  const render = await otherUser.get(`/api/files/${up.body.id}/render`);
+  assert.strictEqual(render.status, 403);
+});
+
+test('普通用户不能修改/删除他人私有文件 → 403', async () => {
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'alice-no-edit.md',
+    content: 'x',
+    isPublic: false,
+  });
+  // bob 尝试改名
+  const rename = await otherUser.put(`/api/files/${up.body.id}`).send({ name: 'hacked.md' });
+  assert.strictEqual(rename.status, 403);
+  // bob 尝试删除
+  const del = await otherUser.delete(`/api/files/${up.body.id}`);
+  assert.strictEqual(del.status, 403);
+});
+
+test('普通用户不能批量删除他人文件 → 403', async () => {
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'alice-batch.md',
+    content: 'x',
+    isPublic: false,
+  });
+  const res = await otherUser.post('/api/files/batch').send({ action: 'delete', ids: [up.body.id] });
+  assert.strictEqual(res.status, 403);
+});
+
+test('公开文件任何登录用户都能访问', async () => {
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'alice-public.md',
+    content: '# public',
+    isPublic: true,
+  });
+  const detail = await otherUser.get(`/api/files/${up.body.id}`);
+  assert.strictEqual(detail.status, 200);
+});
+
+test('admin 可访问任意用户的私有文件', async () => {
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'alice-admin-can-see.md',
+    content: 'private',
+    isPublic: false,
+  });
+  const detail = await admin.get(`/api/files/${up.body.id}`);
+  assert.strictEqual(detail.status, 200);
+});
+
+test('短链 /s/:key 私有文件未登录 → 重定向', async () => {
+  const up = await user.post('/api/files/upload-json').send({
+    name: 'short-private.md',
+    content: '# private shortlink',
+    isPublic: false,
+  });
+  const key = up.body.share_key;
+  const res = await request(env.app).get(`/s/${key}`);
+  // 私有文件未登录访问：302 重定向到 /
+  assert.strictEqual(res.status, 302);
+});

package/test/integration/files.test.js

@@ -0,0 +1,139 @@
+// 文件管理集成测试：上传(json) / 列表 / 渲染 / 详情 / 删除 / 版本
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let agent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  agent = request.agent(env.app);
+  await agent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+test('upload-json 上传 Markdown → 200，返回 id + share_key', async () => {
+  const res = await agent.post('/api/files/upload-json').send({
+    name: 'test-doc.md',
+    content: '# 标题\n\n这是一段 **Markdown** 内容。\n\n```js\nconsole.log("hi");\n```',
+    isPublic: true,
+  });
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.id);
+  assert.ok(res.body.share_key);
+  assert.strictEqual(res.body.file_type, 'markdown');
+  assert.strictEqual(res.body.is_public, 1);
+});
+
+test('upload-json 缺少 name → 400', async () => {
+  const res = await agent.post('/api/files/upload-json').send({ content: 'x' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('upload-json 不支持的扩展名 → 400', async () => {
+  const res = await agent.post('/api/files/upload-json').send({ name: 'a.txt', content: 'x' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('列表包含已上传文件', async () => {
+  const res = await agent.get('/api/files');
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.files));
+  assert.ok(res.body.files.length > 0);
+  assert.ok(res.body.pagination);
+  // 每个文件含 tags 数组
+  assert.ok(Array.isArray(res.body.files[0].tags));
+});
+
+test('详情 GET /api/files/:id', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'detail.md', content: '# 详情' });
+  const res = await agent.get(`/api/files/${up.body.id}`);
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.original_name, 'detail.md');
+  assert.ok(Array.isArray(res.body.tags));
+  assert.strictEqual(typeof res.body.starred, 'boolean');
+});
+
+test('详情不存在 → 404', async () => {
+  const res = await agent.get('/api/files/999999');
+  assert.strictEqual(res.status, 404);
+});
+
+test('原文 GET /api/files/:id/content', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'content.md', content: '# 原文测试' });
+  const res = await agent.get(`/api/files/${up.body.id}/content`);
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.content, '# 原文测试');
+});
+
+test('渲染 GET /api/files/:id/render → HTML', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'render.md', content: '# 渲染\n\n$E=mc^2$' });
+  const res = await agent.get(`/api/files/${up.body.id}/render`);
+  assert.strictEqual(res.status, 200);
+  assert.match(res.headers['content-type'] || '', /text\/html/);
+  assert.ok(res.text.includes('<h1>'));
+});
+
+test('同名覆盖上传 → overwritten: true + 版本号递增', async () => {
+  await agent.post('/api/files/upload-json').send({ name: 'versioned.md', content: 'v1' });
+  const res = await agent.post('/api/files/upload-json').send({ name: 'versioned.md', content: 'v2' });
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.overwritten, true);
+  assert.ok(res.body.version >= 2);
+});
+
+test('版本列表 GET /api/files/:id/versions', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'ver-list.md', content: 'a' });
+  await agent.post('/api/files/upload-json').send({ name: 'ver-list.md', content: 'b' });
+  const res = await agent.get(`/api/files/${up.body.id}/versions`);
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.versions));
+  assert.ok(res.body.versions.length >= 1);
+});
+
+test('更新文件名 PUT /api/files/:id', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'rename.md', content: 'x' });
+  const res = await agent.put(`/api/files/${up.body.id}`).send({ name: 'renamed.md' });
+  assert.strictEqual(res.status, 200);
+});
+
+test('删除文件 DELETE /api/files/:id', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'delete-me.md', content: 'x' });
+  const res = await agent.delete(`/api/files/${up.body.id}`);
+  assert.strictEqual(res.status, 200);
+  // 再查应 404
+  const gone = await agent.get(`/api/files/${up.body.id}`);
+  assert.strictEqual(gone.status, 404);
+});
+
+test('FTS 搜索命中内容', async () => {
+  await agent.post('/api/files/upload-json').send({ name: 'searchable.md', content: '这是一个 uniquekeyword 标记的文档' });
+  const res = await agent.get('/api/files/search').query({ q: 'uniquekeyword' });
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.files.length > 0);
+});
+
+test('标签：创建 + 关联到文件', async () => {
+  const tagRes = await agent.post('/api/tags').send({ name: '测试标签' });
+  assert.ok(tagRes.status === 200 || tagRes.status === 201);
+  const tagId = tagRes.body.id;
+
+  const up = await agent.post('/api/files/upload-json').send({ name: 'tagged.md', content: 'x' });
+  const linkRes = await agent.put(`/api/files/${up.body.id}/tags`).send({ tagIds: [tagId] });
+  assert.strictEqual(linkRes.status, 200);
+
+  const detail = await agent.get(`/api/files/${up.body.id}`);
+  assert.ok(detail.body.tags.some(t => t.id === tagId));
+});
+
+test('收藏文件', async () => {
+  const up = await agent.post('/api/files/upload-json').send({ name: 'star.md', content: 'x' });
+  const starRes = await agent.post(`/api/files/${up.body.id}/star`);
+  assert.strictEqual(starRes.status, 200);
+});

package/test/integration/share.test.js

@@ -0,0 +1,79 @@
+// 短链分享集成测试：/s/:key 公开/私有访问控制
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let agent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  agent = request.agent(env.app);
+  await agent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+test('公开文件：匿名访问短链 /s/:key → 200', async () => {
+  const up = await agent.post('/api/files/upload-json').send({
+    name: 'public.md',
+    content: '# 公开文档',
+    isPublic: true,
+  });
+  const res = await request(env.app).get(`/s/${up.body.share_key}`);
+  assert.strictEqual(res.status, 200);
+  assert.match(res.headers['content-type'] || '', /text\/html/);
+});
+
+test('私有文件：匿名访问短链 /s/:key → 重定向到首页', async () => {
+  const up = await agent.post('/api/files/upload-json').send({
+    name: 'private.md',
+    content: '# 私有文档',
+    isPublic: false,
+  });
+  const res = await request(env.app).get(`/s/${up.body.share_key}`);
+  assert.strictEqual(res.status, 302);
+  assert.strictEqual(res.headers.location, '/');
+});
+
+test('不存在的短链 → 404', async () => {
+  const res = await request(env.app).get('/s/NOTEXIST');
+  assert.strictEqual(res.status, 404);
+});
+
+test('公开文件渲染端点 /api/files/:id/render 匿名可访问', async () => {
+  const up = await agent.post('/api/files/upload-json').send({
+    name: 'pub-render.md',
+    content: '# 渲染',
+    isPublic: true,
+  });
+  const res = await request(env.app).get(`/api/files/${up.body.id}/render`);
+  assert.strictEqual(res.status, 200);
+});
+
+test('私有文件：匿名访问 /api/files/:id → 401', async () => {
+  const up = await agent.post('/api/files/upload-json').send({
+    name: 'priv2.md',
+    content: '# 私有',
+    isPublic: false,
+  });
+  const res = await request(env.app).get(`/api/files/${up.body.id}`);
+  assert.strictEqual(res.status, 401);
+});
+
+test('健康检查 /health → 200', async () => {
+  const res = await request(env.app).get('/health');
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.status, 'ok');
+  assert.ok(res.body.db === true);
+});
+
+test('SPA 兜底 / → 返回 HTML', async () => {
+  const res = await request(env.app).get('/');
+  assert.strictEqual(res.status, 200);
+  assert.match(res.headers['content-type'] || '', /text\/html/);
+});

package/test/integration/skills.test.js

@@ -0,0 +1,104 @@
+// Skills 集成测试：列表 / 详情 / 下载 zip / mcp/config 结构。全部 requireAuth。
+// 挂载点 /api（/skills、/skills/:name、/skills/:name/download、/mcp/config）。
+// 依赖仓库内 skills/jpage-upload/SKILL.md（内置 skill）。
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+// supertest 二进制响应解析器：skills download 是流式 zip，需 buffer(true).parse 才能拿到字节。
+function binaryParser(res, cb) {
+  const data = [];
+  res.on('data', chunk => data.push(chunk));
+  res.on('end', () => cb(null, Buffer.concat(data)));
+}
+
+let env;
+let agent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  agent = request.agent(env.app);
+  await agent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+// --- 权限 ---
+test('未登录 GET /api/skills → 401', async () => {
+  const res = await request(env.app).get('/api/skills');
+  assert.strictEqual(res.status, 401);
+});
+
+// --- 列表 ---
+test('GET /api/skills → 200，含内置 jpage-upload skill', async () => {
+  const res = await agent.get('/api/skills');
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.skills));
+  // 仓库内置 jpage-upload skill 应被发现
+  assert.ok(res.body.skills.some(s => s.name === 'jpage-upload'), '应含 jpage-upload skill');
+});
+
+// --- 详情 ---
+test('GET /api/skills/jpage-upload → 200', async () => {
+  const res = await agent.get('/api/skills/jpage-upload');
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.name, 'jpage-upload');
+});
+
+test('GET /api/skills/不存在 → 404', async () => {
+  const res = await agent.get('/api/skills/no-such-skill-xyz');
+  assert.strictEqual(res.status, 404);
+});
+
+// --- 下载 ---
+test('GET /api/skills/jpage-upload/download → 200，application/zip', async () => {
+  const res = await agent.get('/api/skills/jpage-upload/download').buffer(true).parse(binaryParser);
+  assert.strictEqual(res.status, 200);
+  assert.match(res.headers['content-type'] || '', /application\/zip/);
+  // Content-Disposition 是附件
+  assert.match(res.headers['content-disposition'] || '', /attachment/);
+  // zip 魔数 PK
+  assert.ok(Buffer.isBuffer(res.body));
+  assert.ok(res.body.length > 4);
+  assert.strictEqual(res.body[0], 0x50); // 'P'
+});
+
+test('GET /api/skills/不存在/download → 404', async () => {
+  const res = await agent.get('/api/skills/no-such-skill-xyz/download');
+  assert.strictEqual(res.status, 404);
+});
+
+// --- mcp/config ---
+test('GET /api/mcp/config → 200，含 config.mcpServers.jpage', async () => {
+  const res = await agent.get('/api/mcp/config');
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.config);
+  assert.ok(res.body.config.mcpServers);
+  assert.ok(res.body.config.mcpServers.jpage);
+  assert.ok(res.body.config.mcpServers.jpage.url);
+  assert.strictEqual(res.body.config.mcpServers.jpage.type, 'http');
+  // tokens 是当前用户的 token 列表
+  assert.ok(Array.isArray(res.body.tokens));
+});
+
+test('GET /api/mcp/config → 200，含多客户端 configs 数组', async () => {
+  const res = await agent.get('/api/mcp/config');
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.configs));
+  // 5 个客户端：claude-code / claude-desktop / cursor / zcode / generic
+  assert.strictEqual(res.body.configs.length, 5);
+  const ids = res.body.configs.map(c => c.id);
+  for (const id of ['claude-code', 'claude-desktop', 'cursor', 'zcode', 'generic']) {
+    assert.ok(ids.includes(id), `configs 应包含 ${id}`);
+  }
+  // 每项含 label / path / config.mcpServers.jpage
+  res.body.configs.forEach(c => {
+    assert.ok(c.label, `${c.id} 应有 label`);
+    assert.ok('path' in c, `${c.id} 应有 path`);
+    assert.ok(c.config && c.config.mcpServers && c.config.mcpServers.jpage, `${c.id} config 应含 mcpServers.jpage`);
+  });
+});

package/test/integration/tags.test.js

@@ -0,0 +1,84 @@
+// 标签集成测试：创建（重复返回现有）/ 列表（role 区分 file_count）/ 删除（级联 file_tags）/ 边界。
+// 挂载点 /api/tags，全部 requireAuth。
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let agent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  agent = request.agent(env.app);
+  await agent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+// --- 权限边界 ---
+test('未登录 GET /api/tags → 401', async () => {
+  const res = await request(env.app).get('/api/tags');
+  assert.strictEqual(res.status, 401);
+});
+
+// --- 创建 ---
+test('创建标签：空名 → 400', async () => {
+  const res = await agent.post('/api/tags').send({ name: '  ' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建标签：happy path → 200，返回 id', async () => {
+  const res = await agent.post('/api/tags').send({ name: '前端' });
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.id);
+  assert.strictEqual(res.body.name, '前端');
+});
+
+test('创建标签：重名返回现有（不报错）→ 200，id 相同', async () => {
+  const first = await agent.post('/api/tags').send({ name: '重复标签' });
+  const second = await agent.post('/api/tags').send({ name: '重复标签' });
+  assert.strictEqual(second.status, 200);
+  assert.strictEqual(first.body.id, second.body.id);
+});
+
+// --- 列表 ---
+test('列表 GET /api/tags → 200，含 file_count', async () => {
+  const res = await agent.get('/api/tags');
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.tags));
+  assert.ok(res.body.tags.length > 0);
+  // 每项含 file_count
+  assert.strictEqual(typeof res.body.tags[0].file_count, 'number');
+});
+
+// --- 删除 + 级联 ---
+test('删除标签：happy path → 200，列表中消失', async () => {
+  const create = await agent.post('/api/tags').send({ name: '待删除' });
+  const del = await agent.delete(`/api/tags/${create.body.id}`);
+  assert.strictEqual(del.status, 200);
+  assert.strictEqual(del.body.success, true);
+  const list = await agent.get('/api/tags');
+  assert.ok(!list.body.tags.some(t => t.id === create.body.id));
+});
+
+test('删除标签：不存在 → 404', async () => {
+  const res = await agent.delete('/api/tags/999999');
+  assert.strictEqual(res.status, 404);
+});
+
+test('删除标签后，文件-标签关联被级联清理', async () => {
+  // 建标签 + 建文件 + 关联
+  const tagRes = await agent.post('/api/tags').send({ name: '级联测试标签' });
+  const tagId = tagRes.body.id;
+  const up = await agent.post('/api/files/upload-json').send({ name: 'cascade.md', content: 'x' });
+  await agent.put(`/api/files/${up.body.id}/tags`).send({ tagIds: [tagId] });
+  // 删标签
+  await agent.delete(`/api/tags/${tagId}`);
+  // 文件详情里 tags 不应再含该标签
+  const detail = await agent.get(`/api/files/${up.body.id}`);
+  assert.ok(!detail.body.tags.some(t => t.id === tagId));
+});