@code2rich/jpage 1.5.0

package/test/integration/tokens.test.js

@@ -0,0 +1,89 @@
+// 令牌集成测试：创建 / 列表(viewable) / 查看明文 / 删除 / 鉴权边界
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let agent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  agent = request.agent(env.app);
+  await agent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+test('创建令牌 → 返回明文且带 jp_ 前缀', async () => {
+  const res = await agent.post('/api/tokens').send({ name: 'CI Token' });
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.token.startsWith('jp_'));
+  assert.strictEqual(res.body.name, 'CI Token');
+  assert.ok(res.body.token_prefix);
+});
+
+test('列表包含 viewable=true（新建令牌有加密明文）', async () => {
+  const res = await agent.get('/api/tokens');
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.tokens.length > 0);
+  const t = res.body.tokens[0];
+  assert.strictEqual(t.viewable, 1, '新建令牌应有可查看的加密明文');
+  // 列表不应返回明文或密文
+  assert.strictEqual(t.token, undefined);
+  assert.strictEqual(t.token_enc, undefined);
+});
+
+test('查看令牌明文 → 与创建时一致', async () => {
+  const create = await agent.post('/api/tokens').send({ name: 'Reveal Test' });
+  const createdToken = create.body.token;
+  const list = await agent.get('/api/tokens');
+  const item = list.body.tokens.find(t => t.name === 'Reveal Test');
+  assert.ok(item);
+
+  const reveal = await agent.post('/api/tokens/' + item.id + '/reveal');
+  assert.strictEqual(reveal.status, 200);
+  assert.strictEqual(reveal.body.token, createdToken, 'reveal 返回的明文应与创建时一致');
+});
+
+test('reveal 无效 ID → 400', async () => {
+  const res = await agent.post('/api/tokens/abc/reveal');
+  assert.strictEqual(res.status, 400);
+});
+
+test('reveal 不存在的令牌 → 404', async () => {
+  const res = await agent.post('/api/tokens/999999/reveal');
+  assert.strictEqual(res.status, 404);
+});
+
+test('未登录 reveal → 401', async () => {
+  const list = await agent.get('/api/tokens');
+  const item = list.body.tokens[0];
+  const res = await request(env.app).post('/api/tokens/' + item.id + '/reveal');
+  assert.strictEqual(res.status, 401);
+});
+
+test('删除令牌 → 200，之后 reveal 该令牌 → 404', async () => {
+  await agent.post('/api/tokens').send({ name: 'ToDelete' });
+  const list = await agent.get('/api/tokens');
+  const item = list.body.tokens.find(t => t.name === 'ToDelete');
+
+  const del = await agent.delete('/api/tokens/' + item.id);
+  assert.strictEqual(del.status, 200);
+
+  const reveal = await agent.post('/api/tokens/' + item.id + '/reveal');
+  assert.strictEqual(reveal.status, 404);
+});
+
+test('Bearer 鉴权用返回的明文可访问受保护端点', async () => {
+  const create = await agent.post('/api/tokens').send({ name: 'Bearer Test' });
+  const token = create.body.token;
+  // /api/files 由 requireAuth 保护，支持 session 与 Bearer
+  const res = await request(env.app)
+    .get('/api/files')
+    .set('Authorization', 'Bearer ' + token);
+  assert.strictEqual(res.status, 200);
+});

package/test/integration/users.test.js

@@ -0,0 +1,138 @@
+// 用户管理集成测试（仅 admin）：列表 / 创建 / 更新 / 删除 / 校验 / 权限边界。
+// 挂载点 /api/users，全部 requireAuth + requireAdmin。
+const test = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { createTestEnv } = require('../helpers/setup');
+
+let env;
+let adminAgent;
+
+test.before(async () => {
+  env = createTestEnv();
+  await env.ready();
+  adminAgent = request.agent(env.app);
+  await adminAgent.post('/api/auth/login').send({ username: 'admin', password: 'testpassword123' });
+});
+
+test.after(() => {
+  env.cleanup();
+});
+
+// --- 权限边界 ---
+test('未登录 GET /api/users → 401', async () => {
+  const res = await request(env.app).get('/api/users');
+  assert.strictEqual(res.status, 401);
+});
+
+test('普通用户 GET /api/users → 403', async () => {
+  await adminAgent.post('/api/users').send({ username: 'regular', password: 'regularpass123', role: 'user' });
+  const userAgent = request.agent(env.app);
+  await userAgent.post('/api/auth/login').send({ username: 'regular', password: 'regularpass123' });
+  const res = await userAgent.get('/api/users');
+  assert.strictEqual(res.status, 403);
+});
+
+// --- 列表 ---
+test('admin GET /api/users → 200，含 emailVerified 布尔', async () => {
+  const res = await adminAgent.get('/api/users');
+  assert.strictEqual(res.status, 200);
+  assert.ok(Array.isArray(res.body.users));
+  assert.ok(res.body.users.length > 0);
+  // admin 用户存在
+  assert.ok(res.body.users.some(u => u.username === 'admin'));
+  // emailVerified 字段存在且为布尔
+  assert.strictEqual(typeof res.body.users[0].emailVerified, 'boolean');
+});
+
+// --- 创建 + 校验 ---
+test('创建用户：用户名太短 → 400', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'a', password: 'validpass123', role: 'user' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建用户：密码 < 8 位 → 400', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'newuser2', password: 'short', role: 'user' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建用户：无效角色 → 400', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'newuser3', password: 'validpass123', role: 'superadmin' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建用户：缺用户名或密码 → 400', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'noname' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建用户：邮箱格式错误 → 400', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'newuser4', password: 'validpass123', role: 'user', email: 'not-an-email' });
+  assert.strictEqual(res.status, 400);
+});
+
+test('创建用户：happy path → 200，返回 id', async () => {
+  const res = await adminAgent.post('/api/users').send({ username: 'happyuser', password: 'validpass123', role: 'user' });
+  assert.strictEqual(res.status, 200);
+  assert.ok(res.body.id);
+  assert.strictEqual(res.body.username, 'happyuser');
+  assert.strictEqual(res.body.role, 'user');
+});
+
+test('创建用户：用户名冲突 → 409', async () => {
+  // happyuser 已创建
+  const res = await adminAgent.post('/api/users').send({ username: 'happyuser', password: 'validpass123', role: 'user' });
+  assert.strictEqual(res.status, 409);
+});
+
+// --- 更新 ---
+test('更新用户：无更新字段 → 400', async () => {
+  const create = await adminAgent.post('/api/users').send({ username: 'updateable', password: 'validpass123', role: 'user' });
+  const res = await adminAgent.put(`/api/users/${create.body.id}`).send({});
+  assert.strictEqual(res.status, 400);
+});
+
+test('更新用户：重置密码 → 200', async () => {
+  const create = await adminAgent.post('/api/users').send({ username: 'pwdreset', password: 'validpass123', role: 'user' });
+  const res = await adminAgent.put(`/api/users/${create.body.id}`).send({ password: 'newpassword123' });
+  assert.strictEqual(res.status, 200);
+  assert.strictEqual(res.body.success, true);
+  // 用新密码能登录
+  const userAgent = request.agent(env.app);
+  const login = await userAgent.post('/api/auth/login').send({ username: 'pwdreset', password: 'newpassword123' });
+  assert.strictEqual(login.status, 200);
+});
+
+test('更新用户：角色切换 → 200', async () => {
+  const create = await adminAgent.post('/api/users').send({ username: 'roleswap', password: 'validpass123', role: 'user' });
+  const res = await adminAgent.put(`/api/users/${create.body.id}`).send({ role: 'admin' });
+  assert.strictEqual(res.status, 200);
+});
+
+test('更新用户：不存在 → 404', async () => {
+  const res = await adminAgent.put('/api/users/999999').send({ role: 'user' });
+  assert.strictEqual(res.status, 404);
+});
+
+// --- 删除 ---
+test('删除用户：删自己 → 400', async () => {
+  // admin 的 id 一般是 1
+  const list = await adminAgent.get('/api/users');
+  const admin = list.body.users.find(u => u.username === 'admin');
+  const res = await adminAgent.delete(`/api/users/${admin.id}`);
+  assert.strictEqual(res.status, 400);
+});
+
+test('删除用户：不存在 → 404', async () => {
+  const res = await adminAgent.delete('/api/users/999999');
+  assert.strictEqual(res.status, 404);
+});
+
+test('删除用户：happy path → 200', async () => {
+  const create = await adminAgent.post('/api/users').send({ username: 'deleteme', password: 'validpass123', role: 'user' });
+  const res = await adminAgent.delete(`/api/users/${create.body.id}`);
+  assert.strictEqual(res.status, 200);
+  // 再列不应有 deleteme
+  const list = await adminAgent.get('/api/users');
+  assert.ok(!list.body.users.some(u => u.username === 'deleteme'));
+});

package/test/mcp-harness.js

@@ -0,0 +1,152 @@
+// MCP 端到端验证：通过 /mcp 端点验证 tool 调用（走进程内 dispatcher，非 fetch 自调用）
+// 覆盖 list_files / upload_file / get_file_content / rename_file / get_file_url / delete_file
+// 以及资源 jpage://files
+const http = require('http');
+
+const PORT = parseInt(process.argv[2] || process.env.PORT || '8890', 10);
+const HOST = '127.0.0.1';
+const TOKEN = 'test-mcp-token-abc';
+
+let pass = 0, fail = 0;
+const failures = [];
+function check(name, cond, detail) {
+  if (cond) { pass++; console.log(`  ✓ ${name}`); }
+  else { fail++; failures.push(`${name}${detail ? ' :: ' + detail : ''}`); console.log(`  ✗ ${name}${detail ? ' :: ' + detail : ''}`); }
+}
+
+function rawReq(method, path, { headers = {}, body } = {}) {
+  return new Promise((resolve, reject) => {
+    const opts = { host: HOST, port: PORT, method, path, headers: { ...headers } };
+    const payload = body !== undefined ? JSON.stringify(body) : null;
+    if (payload) { opts.headers['Content-Type'] = 'application/json'; opts.headers['Content-Length'] = Buffer.byteLength(payload); }
+    const r = http.request(opts, res => {
+      const chunks = [];
+      res.on('data', c => chunks.push(c));
+      res.on('end', () => resolve({ status: res.statusCode, headers: res.headers, buf: Buffer.concat(chunks), text: Buffer.concat(chunks).toString('utf8') }));
+    });
+    r.on('error', reject);
+    if (payload) r.write(payload);
+    r.end();
+  });
+}
+
+// 从 SSE event-stream 文本里提取 data: {...} 的 JSON（按事件分组，拼接多行 data）
+function parseSseResult(text, id) {
+  const events = text.split(/\n\n/);
+  for (const ev of events) {
+    const dataLines = ev.split('\n').filter(l => l.startsWith('data: ')).map(l => l.slice(6));
+    if (!dataLines.length) continue;
+    try {
+      const obj = JSON.parse(dataLines.join('\n'));
+      if (obj.id === id) return obj;
+    } catch {}
+  }
+  return null;
+}
+
+let _callId = 100;
+async function callTool(headers, sessionId, name, args) {
+  const id = ++_callId;
+  const r = await rawReq('POST', '/mcp', {
+    headers: { ...headers, 'mcp-session-id': sessionId, 'Accept': 'application/json, text/event-stream' },
+    body: { jsonrpc: '2.0', id, method: 'tools/call', params: { name, arguments: args } },
+  });
+  const obj = parseSseResult(r.text, id);
+  return { status: r.status, obj, text: r.text };
+}
+
+async function run() {
+  console.log(`\n=== MCP 端到端验证 (port ${PORT}) ===\n`);
+  const headers = { Authorization: 'Bearer ' + TOKEN };
+
+  // 1. initialize 握手
+  let r = await rawReq('POST', '/mcp', {
+    headers: { ...headers, Accept: 'application/json, text/event-stream' },
+    body: { jsonrpc: '2.0', id: 1, method: 'initialize', params: { protocolVersion: '2024-11-05', capabilities: {}, clientInfo: { name: 'test', version: '1.0' } } },
+  });
+  check('initialize → 200', r.status === 200, `status=${r.status}`);
+  const initObj = parseSseResult(r.text, 1);
+  check('initialize 返回 serverInfo', !!(initObj && initObj.result && initObj.result.serverInfo), r.text.slice(0, 200));
+  const sessionId = r.headers['mcp-session-id'];
+  check('返回 mcp-session-id', !!sessionId, JSON.stringify(r.headers).slice(0, 200));
+  if (!sessionId) { console.log('无法继续：无 session'); process.exit(1); }
+
+  // notifications/initialized（规范要求）
+  await rawReq('POST', '/mcp', {
+    headers: { ...headers, 'mcp-session-id': sessionId, Accept: 'application/json, text/event-stream' },
+    body: { jsonrpc: '2.0', method: 'notifications/initialized' },
+  });
+
+  // 2. tools/list
+  r = await rawReq('POST', '/mcp', {
+    headers: { ...headers, 'mcp-session-id': sessionId, Accept: 'application/json, text/event-stream' },
+    body: { jsonrpc: '2.0', id: 2, method: 'tools/list', params: {} },
+  });
+  const toolsObj = parseSseResult(r.text, 2);
+  const toolNames = (toolsObj && toolsObj.result && toolsObj.result.tools || []).map(t => t.name);
+  check('tools/list 返回工具', toolNames.length >= 10, `got ${toolNames.length}: ${toolNames.join(',')}`);
+  check('含 list_files/upload_file/get_file_content', ['list_files', 'upload_file', 'get_file_content'].every(n => toolNames.includes(n)), toolNames.join(','));
+
+  // 3. upload_file（dispatcher 直调 upload-json）
+  const content = '# MCP 测试\n\n```js\nconsole.log("dispatcher");\n```\n\nmcp_unique_token_xyz';
+  r = await callTool(headers, sessionId, 'upload_file', { name: 'mcp-test.md', content, isPublic: true });
+  let uploadPayload = null;
+  try { uploadPayload = JSON.parse(r.obj.result.content[0].text); } catch {}
+  check('upload_file 成功', !!(uploadPayload && uploadPayload.id), r.text.slice(0, 300));
+  const fileId = uploadPayload && uploadPayload.id;
+  check('upload_file 返回 url', !!(uploadPayload && uploadPayload.url && uploadPayload.url.includes('/s/')), JSON.stringify(uploadPayload).slice(0, 200));
+
+  // 4. list_files（dispatcher 直调 /api/files）
+  r = await callTool(headers, sessionId, 'list_files', { limit: 100 });
+  let listPayload = null;
+  try { listPayload = JSON.parse(r.obj.result.content[0].text); } catch {}
+  check('list_files 成功', !!(listPayload && Array.isArray(listPayload.files)), r.text.slice(0, 200));
+  check('list_files 含刚上传文件', !!(listPayload && listPayload.files.some(f => f.id === fileId)), JSON.stringify(listPayload).slice(0, 200));
+
+  // 5. get_file_content（dispatcher 直调 /api/files/:id/content）
+  r = await callTool(headers, sessionId, 'get_file_content', { id: fileId });
+  let contentPayload = null;
+  try { contentPayload = JSON.parse(r.obj.result.content[0].text); } catch {}
+  check('get_file_content 返回内容', !!(contentPayload && contentPayload.content && contentPayload.content.includes('mcp_unique_token_xyz')), r.text.slice(0, 200));
+
+  // 6. rename_file（dispatcher 直调 PUT /api/files/:id）
+  r = await callTool(headers, sessionId, 'rename_file', { id: fileId, name: 'mcp-renamed.md' });
+  check('rename_file 成功', !!(r.obj && r.obj.result), r.text.slice(0, 200));
+
+  // 7. get_file_url（dispatcher 直调 GET /api/files/:id）
+  r = await callTool(headers, sessionId, 'get_file_url', { id: fileId });
+  let urlPayload = null;
+  try { urlPayload = JSON.parse(r.obj.result.content[0].text); } catch {}
+  check('get_file_url 返回短链', !!(urlPayload && urlPayload.url && urlPayload.url.includes('/s/')), JSON.stringify(urlPayload).slice(0, 200));
+
+  // 8. create_category + set_file_category（dispatcher）
+  r = await callTool(headers, sessionId, 'create_category', { name: 'mcp-cat' });
+  let catPayload = null;
+  try { catPayload = JSON.parse(r.obj.result.content[0].text); } catch {}
+  check('create_category 成功', !!(catPayload && catPayload.id), r.text.slice(0, 200));
+  if (catPayload && catPayload.id) {
+    r = await callTool(headers, sessionId, 'set_file_category', { fileId, categoryId: catPayload.id });
+    check('set_file_category 成功', !!(r.obj && r.obj.result), r.text.slice(0, 200));
+  }
+
+  // 9. delete_file（dispatcher 直调 DELETE）
+  r = await callTool(headers, sessionId, 'delete_file', { id: fileId });
+  check('delete_file 成功', !!(r.obj && r.obj.result), r.text.slice(0, 200));
+  // 确认真的删了
+  r = await callTool(headers, sessionId, 'get_file_content', { id: fileId });
+  check('删除后 get_file_content 失败（isError 或无内容）', !!(r.obj && (r.obj.result.isError || (r.obj.error))), r.text.slice(0, 200));
+
+  // 10. 资源 jpage://files
+  r = await rawReq('POST', '/mcp', {
+    headers: { ...headers, 'mcp-session-id': sessionId, Accept: 'application/json, text/event-stream' },
+    body: { jsonrpc: '2.0', id: 99, method: 'resources/read', params: { uri: 'jpage://files' } },
+  });
+  const resObj = parseSseResult(r.text, 99);
+  check('resources/read jpage://files 成功', !!(resObj && resObj.result && resObj.result.contents), r.text.slice(0, 200));
+
+  console.log(`\n=== MCP 结果: ${pass} 通过, ${fail} 失败 ===`);
+  if (fail > 0) { console.log('失败项:'); failures.forEach(f => console.log('  - ' + f)); process.exit(1); }
+  process.exit(0);
+}
+
+run().catch(e => { console.error('MCP 套件异常:', e); process.exit(2); });

package/test/perf-bench.js

@@ -0,0 +1,108 @@
+// 性能基准：量化优化的实际收益
+// 用法: node test/perf-bench.js [PORT]
+// 测量项：
+//   1) Markdown 渲染冷/热延迟（P0-3 渲染缓存）
+//   2) 文件列表延迟（P1-6 分类缓存）
+//   3) 静态资源缓存头（P0-2）
+//   4) 短链渲染并发吞吐（P0-1 WAL）
+const http = require('http');
+
+const PORT = parseInt(process.argv[2] || process.env.PORT || '8890', 10);
+const HOST = '127.0.0.1';
+
+function req(method, path, { body, headers = {} } = {}) {
+  return new Promise((resolve, reject) => {
+    const opts = { host: HOST, port: PORT, method, path, headers: { ...headers } };
+    const payload = body !== undefined ? JSON.stringify(body) : null;
+    if (payload) opts.headers['Content-Type'] = 'application/json', opts.headers['Content-Length'] = Buffer.byteLength(payload);
+    const start = process.hrtime.bigint();
+    const r = http.request(opts, res => {
+      const chunks = [];
+      res.on('data', c => chunks.push(c));
+      res.on('end', () => {
+        const ms = Number(process.hrtime.bigint() - start) / 1e6;
+        resolve({ status: res.statusCode, headers: res.headers, buf: Buffer.concat(chunks), text: Buffer.concat(chunks).toString('utf8'), ms });
+      });
+    });
+    r.on('error', reject);
+    if (payload) r.write(payload);
+    r.end();
+  });
+}
+
+async function login() {
+  const r = await req('POST', '/api/auth/login', { body: { username: 'admin', password: 'testpassword123' } });
+  const cookie = (r.headers['set-cookie'] || []).map(c => c.split(';')[0]).join('; ');
+  return { Cookie: cookie };
+}
+
+function pct(arr, p) {
+  const s = [...arr].sort((a, b) => a - b);
+  return s[Math.floor(s.length * p)] || s[s.length - 1];
+}
+function stats(arr) {
+  const sum = arr.reduce((a, b) => a + b, 0);
+  return { n: arr.length, mean: (sum / arr.length).toFixed(2), p50: pct(arr, 0.5).toFixed(2), p95: pct(arr, 0.95).toFixed(2), min: Math.min(...arr).toFixed(2), max: Math.max(...arr).toFixed(2) };
+}
+
+async function run() {
+  console.log(`\n=== jpage 性能基准 (port ${PORT}) ===\n`);
+  const auth = await login();
+
+  // 上传一篇含代码块+公式的 Markdown（渲染开销大）
+  const md = Array.from({ length: 60 }, (_, i) =>
+    `## 章节 ${i}\n\n\`\`\`js\nfunction f${i}(x){ return x*${i}; }\n\`\`\`\n\n公式 $E=mc^2$，块级 $$\\int_0^1 x^2 dx = \\frac{1}{3}$$\n`
+  ).join('\n');
+  let r = await req('POST', '/api/files/upload-json', { headers: auth, body: { name: 'bench.md', content: md, isPublic: true } });
+  const fileId = JSON.parse(r.text).id;
+
+  // --- 1) 渲染冷/热延迟 ---
+  // 先覆盖一次让缓存失效（cold），再连续测 warm
+  await req('POST', `/api/files/${fileId}/overwrite-json`, { headers: auth, body: { content: md + '\n<!-- cold -->' } });
+  const coldSamples = [];
+  for (let i = 0; i < 5; i++) {
+    // 每次覆盖以清缓存，测冷启动
+    await req('POST', `/api/files/${fileId}/overwrite-json`, { headers: auth, body: { content: md + `\n<!-- ${i} -->` } });
+    coldSamples.push((await req('GET', `/api/files/${fileId}/render`, { headers: auth })).ms);
+  }
+  // 热路径：不再覆盖，连续命中缓存
+  const warmSamples = [];
+  for (let i = 0; i < 50; i++) warmSamples.push((await req('GET', `/api/files/${fileId}/render`, { headers: auth })).ms);
+
+  console.log('1) Markdown 渲染延迟 (ms):');
+  console.log('   冷渲染 (每次新内容, 无缓存):', stats(coldSamples));
+  console.log('   热渲染 (命中缓存):          ', stats(warmSamples));
+  const coldMean = +stats(coldSamples).mean, warmMean = +stats(warmSamples).mean;
+  if (coldMean > 0) console.log(`   → 缓存带来 ${(100 * (1 - warmMean / coldMean)).toFixed(1)}% 延迟下降\n`);
+
+  // --- 2) 文件列表延迟 ---
+  // 预置一些文件让列表有数据
+  for (let i = 0; i < 10; i++) {
+    await req('POST', '/api/files/upload-json', { headers: auth, body: { name: `list-fill-${i}.md`, content: '# x' } });
+  }
+  const listSamples = [];
+  for (let i = 0; i < 50; i++) listSamples.push((await req('GET', '/api/files?limit=20', { headers: auth })).ms);
+  console.log('2) 文件列表延迟 (ms):', stats(listSamples), '\n');
+
+  // --- 3) 静态资源缓存头 ---
+  r = await req('GET', '/css/style.css?v=1.5.0');
+  console.log('3) 静态资源 Cache-Control:', JSON.stringify(r.headers['cache-control']));
+  console.log('   包含 immutable:', (r.headers['cache-control'] || '').includes('immutable'), '\n');
+
+  // --- 4) 短链渲染并发吞吐（WAL 下读写不互斥）---
+  const shareKey = (JSON.parse((await req('GET', `/api/files/${fileId}`, { headers: auth })).text)).share_key;
+  const N = 60;
+  const t0 = process.hrtime.bigint();
+  await Promise.all(Array.from({ length: N }, () => req('GET', `/s/${shareKey}`)));
+  const elapsedMs = Number(process.hrtime.bigint() - t0) / 1e6;
+  console.log(`4) 短链 /s/:key 并发 ${N} 次总耗时 ${elapsedMs.toFixed(1)}ms (并发吞吐 ~${(N / elapsedMs * 1000).toFixed(0)} req/s)\n`);
+
+  // 清理
+  for (let i = 0; i < 10; i++) await req('DELETE', `/api/files/${fileId + 1 + i}`, { headers: auth }).catch(() => {});
+  await req('DELETE', `/api/files/${fileId}`, { headers: auth }).catch(() => {});
+
+  console.log('=== 基准完成 ===');
+  process.exit(0);
+}
+
+run().catch(e => { console.error('bench 异常:', e); process.exit(2); });