@dtdyq/restbase 2.0.0 → 2.1.1

package/README.md

@@ -24,7 +24,7 @@ bun install -g @dtdyq/restbase
 安装后在任意目录使用 `restbase` 命令。所有配置通过 `.env` 文件读取：
 
 ```bash
-# 生成 .env 配置模板
+# 交互式配置 .env（已存在则用当前值作为默认）
 restbase env
 
 # 前台启动（读取当前目录 .env）
@@ -36,11 +36,11 @@ restbase start
 # 查看运行中的实例（含健康状态）
 restbase status
 
-# 查看某个实例的实时日志
-restbase log <pid>
+# 查看某个实例的实时日志（支持 PID 或 SVR_NAME）
+restbase log <pid|name>
 
-# 停止
-restbase stop <pid>        # 停止指定实例
+# 停止（支持 PID、SVR_NAME 或 all）
+restbase stop <pid|name>   # 停止指定实例
 restbase stop all          # 停止所有实例
 ```
 
@@ -60,9 +60,9 @@ bun run src/server.ts
 ### 验证
 
 ```bash
-# 健康检查（返回实例状态 + 资源占用）
+# 健康检查（返回实例状态 + 资源占用 + cwd + logFile）
 curl http://localhost:3333/api/health
-# → { "code": "OK", "data": { "status": "healthy", "port": 3333, "pid": 12345, "uptime": 60, "memory": {...}, "cpu": {...} } }
+# → { "code": "OK", "data": { "status": "healthy", "port": 3333, "pid": 12345, "cwd": "/path/to/dir", "uptime": 60, "memory": {...}, "cpu": {...} } }
 
 # Basic Auth 查询
 curl -u admin:admin http://localhost:3333/api/data/products
@@ -82,6 +82,10 @@ import RestBase, { gt } from "@dtdyq/restbase-client";
 const rb = new RestBase();  // 同源部署不传参
 await rb.auth.login("admin", "admin");
 const data = await rb.table("products").query().where(gt("price", 100)).data();
+
+// 多节点负载均衡（所有节点连同一 DB）
+const rb2 = new RestBase(["http://node1:3333", "http://node2:3333"]);
+await rb2.auth.login("admin", "admin"); // 一次登录，token 共享
 ```
 
 详见 [client/README.md](client/README.md)。
@@ -103,6 +107,7 @@ bun run build              # 编译为当前平台独立二进制
 | `SVR_PORT`                | 服务端口                       | `3333`              |
 | `SVR_STATIC`              | 静态文件目录（前端托管）               | 空                   |
 | `SVR_API_LIMIT`           | API 限流（每秒每接口请求数）           | `100`               |
+| `SVR_CORS_ORIGIN`        | CORS 允许的来源（逗号分隔，`*`=全部）  | `*`                 |
 | `DB_URL`                  | 数据库连接串                     | `sqlite://:memory:` |
 | `DB_AUTH_TABLE`           | 用户表名                       | `users`             |
 | `DB_AUTH_FIELD`           | owner 字段名                  | `owner`             |
@@ -139,28 +144,18 @@ restbase <command> [arguments]
 Commands:
   run              前台启动服务（读取当前目录 .env）
   start            后台启动（daemon 模式）
-  stop <pid|all>   停止后台实例
-  status           查看运行中的实例（含健康检查）
-  log <pid>        实时查看实例日志
-  env              在当前目录生成 .env 配置模板
+  stop <pid|name|all>  停止后台实例（支持 PID、SVR_NAME 或 all）
+  status               查看运行中的实例（含健康检查）
+  log <pid|name>       实时查看实例日志（支持 PID 或 SVR_NAME）
+  env              交互式 .env 配置（创建或重新配置）
   version          显示版本号
   help             显示帮助
 ```
 
 所有配置通过 `.env` 文件管理，可在 `.env` 中设置 `SVR_NAME` 为实例命名。
 
-实例元数据和默认日志存放在 `~/.restbase/`：
-
-```
-~/.restbase/
-├── instances/          # 实例元数据（name/port/pid/logPath）
-│   ├── 12345.json
-│   └── 23456.json
-└── logs/               # daemon 默认日志目录
-    ├── 3333.log
-    ├── 3333.out
-    └── 8080.log
-```
+实例管理完全无状态：通过 `ps` 自动发现运行中的实例，通过 `/api/health` 获取实例详情。
+daemon 模式默认日志存放在 `~/.restbase/logs/`。
 
 ## 文件结构
 

package/bin/restbase.ts

@@ -1,91 +1,74 @@
 #!/usr/bin/env bun
 /**
- * bin/restbase.ts — CLI entry point
+ * bin/restbase.ts — CLI entry point (stateless management)
  *
  * Commands:
  *   restbase run              Start server in foreground (reads .env)
  *   restbase start            Start server in background (daemon)
- *   restbase stop <pid|all>   Stop instance(s)
- *   restbase status           Show running instances (table + health check)
- *   restbase log <pid>        Tail log of a background instance
+ *   restbase stop <pid|name|all>  Stop instance(s) by PID, name or all
+ *   restbase status               Show running instances (table + health check)
+ *   restbase log <pid|name>       Tail log of a background instance
  *   restbase env              Generate .env template in current directory
  *   restbase version          Show version
  *   restbase help             Show help
  *
  * All configuration is read from .env in the current working directory.
- * Instance metadata is stored in ~/.restbase/ for global access.
+ *
+ * Instance discovery is stateless:
+ *   - `restbase start` spawns the child with a `--port=N` marker arg
+ *   - Management commands use `ps` to find processes matching `restbase.*--port=`
+ *   - Detailed info (name, logFile, cwd, uptime…) is fetched via /api/health
  */
 
-import {spawn} from "child_process";
+import {spawn, execSync} from "child_process";
 import {
+    closeSync,
     existsSync,
     mkdirSync,
-    readFileSync,
-    unlinkSync,
-    readdirSync,
     openSync,
     writeFileSync,
 } from "fs";
 import {resolve, join} from "path";
+import {readFileSync} from "fs";
 import {homedir} from "os";
+import * as p from "@clack/prompts";
 
 /* ═══════════ Global paths ═══════════ */
 
 const RESTBASE_HOME = resolve(homedir(), ".restbase");
-const INSTANCES_DIR = join(RESTBASE_HOME, "instances");
 const LOGS_DIR = join(RESTBASE_HOME, "logs");
 
-function ensureDirs() {
-    mkdirSync(INSTANCES_DIR, {recursive: true});
+function ensureLogDir() {
     mkdirSync(LOGS_DIR, {recursive: true});
 }
 
-/* ═══════════ Instance metadata ═══════════ */
+/* ═══════════ Process discovery via ps ═══════════ */
 
-interface InstanceMeta {
+interface PsInstance {
     pid: number;
-    name: string;
     port: number;
-    logPath: string;
-    cwd: string;
-    startedAt: string;
-}
-
-function instanceFile(pid: number) {
-    return join(INSTANCES_DIR, `${pid}.json`);
-}
-
-function saveInstance(meta: InstanceMeta) {
-    writeFileSync(instanceFile(meta.pid), JSON.stringify(meta, null, 2));
 }
 
-function loadInstance(pid: number): InstanceMeta | null {
-    const f = instanceFile(pid);
-    if (!existsSync(f)) return null;
+/**
+ * Scan running processes for `restbase.*--port=N` and extract PID + port.
+ * Works on macOS and Linux.
+ */
+function discoverInstances(): PsInstance[] {
     try {
-        return JSON.parse(readFileSync(f, "utf-8")) as InstanceMeta;
+        const out = execSync("ps -eo pid,args", {encoding: "utf-8"});
+        const results: PsInstance[] = [];
+        for (const line of out.split("\n")) {
+            const match = line.match(/^\s*(\d+)\s+.*restbase.*--port=(\d+)/);
+            if (match) {
+                results.push({pid: Number(match[1]), port: Number(match[2])});
+            }
+        }
+        return results;
     } catch {
-        return null;
+        return [];
     }
 }
 
-function loadAllInstances(): InstanceMeta[] {
-    ensureDirs();
-    const files = readdirSync(INSTANCES_DIR).filter((f) => f.endsWith(".json"));
-    const result: InstanceMeta[] = [];
-    for (const f of files) {
-        try {
-            result.push(JSON.parse(readFileSync(join(INSTANCES_DIR, f), "utf-8")));
-        } catch { /* corrupted, skip */ }
-    }
-    return result;
-}
-
-function removeInstance(pid: number) {
-    const f = instanceFile(pid);
-    if (existsSync(f)) unlinkSync(f);
-}
-
 /* ═══════════ Process helpers ═══════════ */
 
 function isAlive(pid: number): boolean {
@@ -102,6 +85,7 @@ interface HealthInfo {
     name?: string;
     port?: number;
     pid?: number;
+    cwd?: string;
     logFile?: string;
     startedAt?: string;
     uptime?: number;
@@ -141,31 +125,25 @@ async function cmdRun() {
 
 /** start — daemon mode */
 async function cmdStart() {
-    ensureDirs();
+    ensureLogDir();
 
     const port = Number(process.env.SVR_PORT) || 3333;
-    const name = process.env.SVR_NAME || "";
 
     // Reject if this port is already running
-    for (const inst of loadAllInstances()) {
-        if (inst.port === port && isAlive(inst.pid)) {
+    for (const inst of discoverInstances()) {
+        if (inst.port === port) {
             console.log(`RestBase already running on port ${port} (PID: ${inst.pid})`);
             return;
         }
     }
 
-    // Determine log path
-    const logPath = process.env.LOG_FILE
-        ? resolve(process.cwd(), process.env.LOG_FILE)
-        : join(LOGS_DIR, `${port}.log`);
-
-    // Build child env: silence console, ensure LOG_FILE
+    // Build child env: silence console, ensure LOG_FILE for daemon
     const env: Record<string, string> = {
         ...(process.env as Record<string, string>),
         LOG_CONSOLE: "false",
     };
     if (!process.env.LOG_FILE) {
-        env.LOG_FILE = logPath;
+        env.LOG_FILE = join(LOGS_DIR, `${port}.log`);
     }
 
     // stdout/stderr → separate crash log (safety net for non-pino output)
@@ -174,7 +152,7 @@ async function cmdStart() {
     const err = openSync(stdoutPath, "a");
 
     const self = getSelfCommand();
-    const child = spawn(self[0]!, [...self.slice(1), "run"], {
+    const child = spawn(self[0]!, [...self.slice(1), "run", `--port=${port}`], {
         detached: true,
         stdio: ["ignore", out, err],
         env,
@@ -182,52 +160,65 @@ async function cmdStart() {
     });
     child.unref();
 
-    // Save instance metadata
-    saveInstance({
-        pid: child.pid!,
-        name,
-        port,
-        logPath,
-        cwd: process.cwd(),
-        startedAt: new Date().toISOString(),
-    });
+    /* 父进程不再需要这些 fd，关闭防止泄漏 */
+    closeSync(out);
+    closeSync(err);
 
     console.log(`RestBase started (PID: ${child.pid}, port: ${port})`);
 }
 
-/** stop — by PID or "all" */
-function cmdStop(target: string) {
-    if (target === "all") {
-        const instances = loadAllInstances();
-        if (instances.length === 0) {
-            console.log("No RestBase instances found");
-            return;
-        }
-        for (const inst of instances) stopOne(inst.pid);
-        return;
+/**
+ * Resolve a target identifier to matching instances.
+ * Supports: "all", numeric PID, or SVR_NAME (fetched from health endpoint).
+ */
+async function resolveInstances(target: string): Promise<{ pid: number; port: number; name?: string }[]> {
+    const all = discoverInstances();
+    if (all.length === 0) return [];
+    if (target === "all") return all;
+
+    // Try numeric PID first
+    const num = parseInt(target, 10);
+    if (!isNaN(num)) {
+        const byPid = all.find((i) => i.pid === num);
+        if (byPid) return [byPid];
+        // Maybe it's a port number?
+        const byPort = all.find((i) => i.port === num);
+        if (byPort) return [byPort];
+        return [];
     }
 
-    const pid = parseInt(target, 10);
-    if (isNaN(pid)) {
-        console.error(`Invalid PID: ${target}`);
-        process.exit(1);
+    // Otherwise treat as SVR_NAME — need to fetch health for each to match
+    const matched: { pid: number; port: number; name?: string }[] = [];
+    for (const inst of all) {
+        const health = await fetchHealth(inst.port);
+        if (health?.name === target) {
+            matched.push({...inst, name: health.name});
+        }
     }
-    stopOne(pid);
+    return matched;
 }
 
-function stopOne(pid: number) {
-    const meta = loadInstance(pid);
-    if (!meta) {
-        console.log(`No instance found with PID ${pid}`);
+/** stop — by PID, name, or "all" */
+async function cmdStop(target: string) {
+    const instances = await resolveInstances(target);
+    if (instances.length === 0) {
+        console.log(target === "all" ? "No RestBase instances found" : `No instance found matching "${target}"`);
         return;
     }
+    for (const inst of instances) stopOne(inst.pid, inst.port, inst.name);
+}
+
+function stopOne(pid: number, port?: number, name?: string) {
+    const label = [name, port ? `port ${port}` : ""].filter(Boolean).join(", ");
     try {
-        if (isAlive(pid)) process.kill(pid, "SIGTERM");
-        removeInstance(pid);
-        console.log(`Stopped PID ${pid} (port ${meta.port})`);
+        if (isAlive(pid)) {
+            process.kill(pid, "SIGTERM");
+            console.log(`Stopped PID ${pid}${label ? ` (${label})` : ""}`);
+        } else {
+            console.log(`Process ${pid} is not running`);
+        }
     } catch {
-        removeInstance(pid);
-        console.log(`Process ${pid} already gone, cleaned up`);
+        console.log(`Failed to stop PID ${pid}`);
     }
 }
 
@@ -271,7 +262,7 @@ function fmtTime(iso: string): string {
 
 /** status — table with health check */
 async function cmdStatus() {
-    const instances = loadAllInstances();
+    const instances = discoverInstances();
     if (instances.length === 0) {
         console.log("No RestBase instances found");
         return;
@@ -294,24 +285,18 @@ async function cmdStatus() {
     console.log("─".repeat(nW + pW + sW + ptW + stW + uW + mW + cW + 30));
 
     for (const inst of instances) {
-        // Dead process → clean up silently
-        if (!isAlive(inst.pid)) {
-            removeInstance(inst.pid);
-            continue;
-        }
-
         // Fetch live info from health endpoint
         const health = await fetchHealth(inst.port);
 
-        const name = health?.name || inst.name || "-";
+        const name = health?.name || "-";
         const state = health?.status ?? "unreachable";
-        const started = health?.startedAt ? fmtTime(health.startedAt) : fmtTime(inst.startedAt);
+        const started = health?.startedAt ? fmtTime(health.startedAt) : "-";
         const uptime = health?.uptime !== undefined ? fmtUptime(health.uptime) : "-";
         const mem = health?.memory ? fmtBytes(health.memory.rss) : "-";
         const cpu = (health?.cpu && health?.uptime)
             ? fmtCpu(health.cpu.user, health.cpu.system, health.uptime)
             : "-";
-        const logPath = health?.logFile || inst.logPath;
+        const logPath = health?.logFile || "-";
 
         console.log(
             name.padEnd(nW) +
@@ -327,55 +312,36 @@ async function cmdStatus() {
     }
 }
 
-/**
- * Find the latest log file matching the base path.
- * pino-roll creates files like: app.2026-02-11.1.log (date + sequence inserted before extension)
- * So for base "log/app.log", we look for "app*.log" in "log/".
- */
-function findLatestLog(basePath: string): string | null {
-    // If exact file exists, use it
-    if (existsSync(basePath)) return basePath;
-
-    const dir = resolve(basePath, "..");
-    if (!existsSync(dir)) return null;
-
-    const base = basePath.split("/").pop()!;           // "app.log"
-    const dot = base.lastIndexOf(".");
-    const stem = dot > 0 ? base.slice(0, dot) : base;  // "app"
-    const ext = dot > 0 ? base.slice(dot) : "";         // ".log"
-
-    // Find all matching files, sort by mtime descending
-    const files = readdirSync(dir)
-        .filter((f) => f.startsWith(stem) && f.endsWith(ext) && f !== base)
-        .map((f) => ({name: f, mtime: Bun.file(join(dir, f)).lastModified}))
-        .sort((a, b) => b.mtime - a.mtime);
-
-    return files.length > 0 ? join(dir, files[0]!.name) : null;
-}
-
-/** log — tail -f the log file of an instance */
+/** log — tail -f the log file of an instance (by PID or name) */
 async function cmdLog(target: string) {
-    const pid = parseInt(target, 10);
-    if (isNaN(pid)) {
-        console.error(`Invalid PID: ${target}`);
+    const instances = await resolveInstances(target);
+    if (instances.length === 0) {
+        console.error(`No running RestBase instance found matching "${target}"`);
+        process.exit(1);
+    }
+    if (instances.length > 1) {
+        console.error(`Multiple instances match "${target}". Use PID to be specific:`);
+        for (const i of instances) console.error(`  PID ${i.pid} (port ${i.port})`);
         process.exit(1);
     }
 
-    const meta = loadInstance(pid);
-    if (!meta) {
-        console.error(`No instance found with PID ${pid}`);
+    const inst = instances[0]!;
+
+    // Fetch log file path from health endpoint (points to current.log symlink)
+    const health = await fetchHealth(inst.port);
+    if (!health?.logFile) {
+        console.error(`Cannot determine log file for PID ${inst.pid} (health endpoint unreachable or logFile not configured)`);
         process.exit(1);
     }
 
-    const logFile = findLatestLog(meta.logPath);
-    if (!logFile) {
-        console.error(`Log file not found for base path: ${meta.logPath}`);
+    if (!existsSync(health.logFile)) {
+        console.error(`Log file not found: ${health.logFile}`);
         process.exit(1);
     }
 
-    console.log(`Tailing ${logFile} (Ctrl+C to stop)\n`);
+    console.log(`Tailing ${health.logFile} (Ctrl+C to stop)\n`);
 
-    const tail = spawn("tail", ["-f", "-n", "100", logFile], {
+    const tail = spawn("tail", ["-f", "-n", "100", health.logFile], {
         stdio: "inherit",
     });
 
@@ -387,54 +353,202 @@ async function cmdLog(target: string) {
     await new Promise<void>((resolve) => tail.on("close", () => resolve()));
 }
 
-/** env — generate .env template */
-function cmdEnv() {
-    const envPath = resolve(process.cwd(), ".env");
-    if (existsSync(envPath)) {
-        console.log(`.env already exists at ${envPath}`);
-        console.log("Remove it first if you want to regenerate.");
-        return;
+/* ═══════════ Interactive env configuration ═══════════ */
+
+/** Parse an existing .env file into a key→value map */
+function parseEnvFile(path: string): Record<string, string> {
+    const map: Record<string, string> = {};
+    if (!existsSync(path)) return map;
+    for (const line of readFileSync(path, "utf-8").split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+        const eq = trimmed.indexOf("=");
+        if (eq < 0) continue;
+        const key = trimmed.slice(0, eq).trim();
+        let val = trimmed.slice(eq + 1).trim();
+        // strip surrounding quotes
+        if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.slice(1, -1);
+        }
+        map[key] = val;
     }
+    return map;
+}
 
-    const content = `# ═══════════════════════════════════════════════════════════
-# RestBase Configuration
-# ═══════════════════════════════════════════════════════════
-# Uncomment and modify the values you need.
-# All variables have sensible defaults — you can start with
-# an empty .env and only override what you need.
-# ═══════════════════════════════════════════════════════════
+/** Interactive env — prompt user for each config parameter */
+async function cmdEnv() {
+    const nodeEnv = process.env.NODE_ENV;
+    const envFile = nodeEnv ? `.env.${nodeEnv}` : ".env";
+    const envPath = resolve(process.cwd(), envFile);
+    const existing = parseEnvFile(envPath);
+    const isUpdate = Object.keys(existing).length > 0;
+
+    p.intro(isUpdate ? `Reconfigure ${envFile} (current values as defaults)` : `Initialize ${envFile} configuration`);
+
+    /* helper: get default — existing value > built-in default */
+    const d = (key: string, fallback: string) => existing[key] ?? fallback;
+
+    /* helper: wrap clack text — returns string (empty if user skipped) */
+    const ask = async (opts: { message: string; key: string; fallback: string; placeholder?: string }) => {
+        const result = await p.text({
+            message: opts.message,
+            initialValue: d(opts.key, opts.fallback),
+            placeholder: opts.placeholder,
+        });
+        if (p.isCancel(result)) { p.cancel("Cancelled"); process.exit(0); }
+        return (result as string).trim();
+    };
 
-# ── Server ────────────────────────────────────────────────
+    /* helper: select */
+    const choose = async (opts: { message: string; key: string; fallback: string; options: { value: string; label: string }[] }) => {
+        const result = await p.select({
+            message: opts.message,
+            initialValue: d(opts.key, opts.fallback),
+            options: opts.options,
+        });
+        if (p.isCancel(result)) { p.cancel("Cancelled"); process.exit(0); }
+        return result as string;
+    };
 
-# SVR_NAME=                         # Instance name (shown in 'restbase status')
-# SVR_PORT=3333                     # Server port
-# SVR_STATIC=                       # Static file directory for SPA hosting
-# SVR_API_LIMIT=100                 # Rate limit: max requests per second per API
+    // ── Server ──
+    p.log.step("Server");
 
-# ── Database ──────────────────────────────────────────────
+    const SVR_NAME = await ask({
+        message: "Instance name (shown in 'restbase status')",
+        key: "SVR_NAME", fallback: "", placeholder: "optional",
+    });
+    const SVR_PORT = await ask({
+        message: "Server port",
+        key: "SVR_PORT", fallback: "3333",
+    });
+    const SVR_STATIC = await ask({
+        message: "Static file directory for SPA hosting",
+        key: "SVR_STATIC", fallback: "", placeholder: "optional, e.g. dist",
+    });
+    const SVR_API_LIMIT = await ask({
+        message: "Rate limit (max requests per second per API, 0 = off)",
+        key: "SVR_API_LIMIT", fallback: "100",
+    });
+    const SVR_CORS_ORIGIN = await ask({
+        message: "CORS allowed origins (comma-separated, * = all)",
+        key: "SVR_CORS_ORIGIN", fallback: "*", placeholder: "e.g. https://example.com",
+    });
 
-# DB_URL=sqlite://:memory:          # sqlite://<path> or mysql://user:pass@host/db
-# DB_AUTH_TABLE=users                # Auth table name
-# DB_AUTH_FIELD=owner                # Owner field name for tenant isolation
-# DB_AUTH_FIELD_NULL_OPEN=false      # Treat owner=NULL rows as public data
-# DB_INIT_SQL=                       # SQL file to run on startup
+    // ── Database ──
+    p.log.step("Database");
 
-# ── Auth ──────────────────────────────────────────────────
+    const DB_URL = await ask({
+        message: "Database URL (sqlite://<path> or mysql://user:pass@host/db)",
+        key: "DB_URL", fallback: "sqlite://:memory:",
+    });
+    const DB_AUTH_TABLE = await ask({
+        message: "Auth table name",
+        key: "DB_AUTH_TABLE", fallback: "users",
+    });
+    const DB_AUTH_FIELD = await ask({
+        message: "Owner field name (tenant isolation)",
+        key: "DB_AUTH_FIELD", fallback: "owner",
+    });
+    const DB_AUTH_FIELD_NULL_OPEN = await choose({
+        message: "Treat owner=NULL rows as public data?",
+        key: "DB_AUTH_FIELD_NULL_OPEN", fallback: "false",
+        options: [
+            {value: "false", label: "false — NULL rows are hidden"},
+            {value: "true", label: "true — NULL rows are visible to everyone"},
+        ],
+    });
+    const DB_INIT_SQL = await ask({
+        message: "SQL file to run on startup",
+        key: "DB_INIT_SQL", fallback: "", placeholder: "optional, e.g. init.sql",
+    });
 
-# AUTH_JWT_SECRET=restbase           # JWT secret — CHANGE THIS IN PRODUCTION!
-# AUTH_JWT_EXP=43200                 # JWT expiry in seconds (default: 12 hours)
-# AUTH_BASIC_OPEN=true               # Enable Basic Auth
+    // ── Auth ──
+    p.log.step("Auth");
 
-# ── Logging ───────────────────────────────────────────────
+    const AUTH_JWT_SECRET = await ask({
+        message: "JWT secret (⚠ change in production!)",
+        key: "AUTH_JWT_SECRET", fallback: "restbase",
+    });
+    const AUTH_JWT_EXP = await ask({
+        message: "JWT expiry in seconds (default: 12 hours)",
+        key: "AUTH_JWT_EXP", fallback: "43200",
+    });
+    const AUTH_BASIC_OPEN = await choose({
+        message: "Enable Basic Auth?",
+        key: "AUTH_BASIC_OPEN", fallback: "true",
+        options: [
+            {value: "true", label: "true — Basic Auth enabled"},
+            {value: "false", label: "false — JWT only"},
+        ],
+    });
 
-# LOG_LEVEL=INFO                     # ERROR / INFO / DEBUG
-# LOG_CONSOLE=true                   # Console output (auto-disabled in daemon mode)
-# LOG_FILE=                          # Log file path (auto-configured in daemon mode)
-# LOG_RETAIN_DAYS=7                  # Log file retention days
-`;
+    // ── Logging ──
+    p.log.step("Logging");
+
+    const LOG_LEVEL = await choose({
+        message: "Log level",
+        key: "LOG_LEVEL", fallback: "INFO",
+        options: [
+            {value: "ERROR", label: "ERROR — errors only"},
+            {value: "INFO", label: "INFO — requests + errors"},
+            {value: "DEBUG", label: "DEBUG — verbose (headers, body, SQL)"},
+        ],
+    });
+    const LOG_CONSOLE = await choose({
+        message: "Console output? (auto-disabled in daemon mode)",
+        key: "LOG_CONSOLE", fallback: "true",
+        options: [
+            {value: "true", label: "true — print to console"},
+            {value: "false", label: "false — silent"},
+        ],
+    });
+    const LOG_FILE = await ask({
+        message: "Log file path (auto-configured in daemon mode)",
+        key: "LOG_FILE", fallback: "", placeholder: "optional, e.g. log/app.log",
+    });
+    const LOG_RETAIN_DAYS = await ask({
+        message: "Log file retention days",
+        key: "LOG_RETAIN_DAYS", fallback: "7",
+    });
 
-    writeFileSync(envPath, content);
-    console.log(`Created ${envPath}`);
+    // ── Build .env content ──
+    const line = (key: string, val: string, comment: string) =>
+        val ? `${key}=${val}${comment ? `  # ${comment}` : ""}` : `# ${key}=${comment ? `  # ${comment}` : ""}`;
+
+    const lines = [
+        "# ═══════════════════════════════════════════════════════════",
+        "# RestBase Configuration",
+        "# ═══════════════════════════════════════════════════════════",
+        "",
+        "# ── Server ────────────────────────────────────────────────",
+        line("SVR_NAME", SVR_NAME, "Instance name"),
+        line("SVR_PORT", SVR_PORT, "Server port"),
+        line("SVR_STATIC", SVR_STATIC, "Static file directory"),
+        line("SVR_API_LIMIT", SVR_API_LIMIT, "Rate limit per API"),
+        line("SVR_CORS_ORIGIN", SVR_CORS_ORIGIN, "CORS origins (* = all)"),
+        "",
+        "# ── Database ──────────────────────────────────────────────",
+        line("DB_URL", DB_URL, ""),
+        line("DB_AUTH_TABLE", DB_AUTH_TABLE, "Auth table name"),
+        line("DB_AUTH_FIELD", DB_AUTH_FIELD, "Owner field"),
+        line("DB_AUTH_FIELD_NULL_OPEN", DB_AUTH_FIELD_NULL_OPEN, ""),
+        line("DB_INIT_SQL", DB_INIT_SQL, "SQL file on startup"),
+        "",
+        "# ── Auth ──────────────────────────────────────────────────",
+        line("AUTH_JWT_SECRET", AUTH_JWT_SECRET, "⚠ change in production"),
+        line("AUTH_JWT_EXP", AUTH_JWT_EXP, "seconds"),
+        line("AUTH_BASIC_OPEN", AUTH_BASIC_OPEN, ""),
+        "",
+        "# ── Logging ───────────────────────────────────────────────",
+        line("LOG_LEVEL", LOG_LEVEL, "ERROR / INFO / DEBUG"),
+        line("LOG_CONSOLE", LOG_CONSOLE, ""),
+        line("LOG_FILE", LOG_FILE, "auto-configured in daemon mode"),
+        line("LOG_RETAIN_DAYS", LOG_RETAIN_DAYS, "days"),
+        "",
+    ];
+
+    writeFileSync(envPath, lines.join("\n"));
+    p.outro(`Saved to ${envPath}`);
 }
 
 /** version */
@@ -454,10 +568,10 @@ Usage:
 Commands:
   run              Start server in foreground (reads .env)
   start            Start server in background (daemon mode)
-  stop <pid|all>   Stop a background instance by PID, or stop all
-  status           Show all running background instances
-  log <pid>        Tail the log of a background instance
-  env              Generate a .env template in current directory
+  stop <pid|name|all>   Stop instance(s) by PID, SVR_NAME, or all
+  status                Show all running background instances
+  log <pid|name>        Tail the log of an instance by PID or SVR_NAME
+  env              Interactive .env configuration (create or reconfigure)
   version          Show version
   help             Show this help
 
@@ -465,16 +579,20 @@ Examples:
   restbase run                Start in foreground
   restbase start              Start in background (daemon)
   restbase status             List running instances with health status
-  restbase log 12345          Tail log for instance with PID 12345
-  restbase stop 12345         Stop instance with PID 12345
+  restbase log 12345          Tail log by PID
+  restbase log my-api         Tail log by SVR_NAME
+  restbase stop 12345         Stop instance by PID
+  restbase stop my-api        Stop instance by SVR_NAME
   restbase stop all           Stop all background instances
-  restbase env                Create a documented .env template
+  restbase env                Interactive .env setup (reconfigure if exists)
 
 Configuration:
   All settings are read from .env in the current working directory.
-  Run 'restbase env' to generate a documented template with all options.
+  Run 'restbase env' for interactive configuration (create or update .env).
 
-Instance data is stored in ~/.restbase/ (PID files, logs, metadata).
+Instance discovery:
+  Background instances are discovered via 'ps' — no PID files needed.
+  Instance details (name, log path, uptime…) are fetched from /api/health.
 `);
 }
 
@@ -495,10 +613,10 @@ switch (command) {
 
     case "stop":
         if (!arg1) {
-            console.error("Usage: restbase stop <pid|all>");
+            console.error("Usage: restbase stop <pid|name|all>");
             process.exit(1);
         }
-        cmdStop(arg1);
+        await cmdStop(arg1);
         process.exit(0);
         break;
 
@@ -509,14 +627,14 @@ switch (command) {
 
     case "log":
         if (!arg1) {
-            console.error("Usage: restbase log <pid>");
+            console.error("Usage: restbase log <pid|name>");
             process.exit(1);
         }
         await cmdLog(arg1);
         break;
 
     case "env":
-        cmdEnv();
+        await cmdEnv();
         process.exit(0);
         break;
 

package/client/README.md

@@ -51,7 +51,7 @@ import RestBase, {
 ```ts
 import RestBase, { eq, gt, or, agg, sel } from "@dtdyq/restbase-client";
 
-// 同源部署（Vite proxy / 静态托管）— 不需要传 endpoint
+// 同源部署 — 不需要传 endpoint
 const rb = new RestBase();
 
 // 或指定后端地址
@@ -67,6 +67,16 @@ const list = await products.query()
   .orderDesc("price")
   .page(1, 20)
   .data();
+
+// ── 多节点负载均衡 ──
+// 所有节点连同一个数据库，请求随机分发
+const rb2 = new RestBase([
+  "http://node1:3333",
+  "http://node2:3333",
+  "http://node3:3333",
+]);
+await rb2.auth.login("admin", "admin"); // 登录一次，token 共享
+const list2 = await rb2.table("products").query().data(); // 随机打到某个节点
 ```
 
 ---
@@ -74,20 +84,32 @@ const list = await products.query()
 ## RestBase — 主入口
 
 ```ts
-const rb = new RestBase();                           // 同源
-const rb = new RestBase("http://localhost:3333");     // 跨域
+// 同源部署（Vite proxy / 静态托管）
+const rb = new RestBase();
+
+// 单个 endpoint
+const rb = new RestBase("http://localhost:3333");
+
+// 多个 endpoint — 负载均衡（每次请求随机选一个节点）
+const rb = new RestBase([
+  "http://localhost:3333",
+  "http://localhost:8080",
+  "http://localhost:9090",
+]);
 ```
 
-| 方法                    | 返回类型                                      | 说明                        |
-|:----------------------|:------------------------------------------|:--------------------------|
-| `rb.auth`             | `AuthClient`                              | 鉴权客户端                     |
-| `rb.table<T>(name)`   | `TableClient<T>`                          | 获取表操作客户端（可指定泛型）           |
-| `rb.health()`         | `Promise<ApiResponse>`                    | 健康检查                      |
-| `rb.tables()`         | `Promise<ApiResponse<TableMeta[]>>`       | 获取所有表元数据（不含 users）        |
-| `rb.tableMeta(name)`  | `Promise<ApiResponse<TableMeta \| null>>` | 获取单表元数据（不存在返回 null）       |
-| `rb.syncMeta()`       | `Promise<ApiResponse<TableMeta[]>>`       | 运行时同步 DB 表结构              |
-| `rb.setHeader(k, v)`  | `this`                                    | 设置自定义请求头                  |
-| `rb.setRequestId(id)` | `this`                                    | 设置请求追踪 ID（`X-Request-Id`） |
+> 多 endpoint 模式要求所有服务端实例连接同一个数据库。客户端共享同一套 auth 状态（token / Basic Auth），每次请求随机分发到不同节点，分散单节点压力。
+
+| 方法                    | 返回类型                                      | 说明                                  |
+|:----------------------|:------------------------------------------|:------------------------------------|
+| `rb.auth`             | `AuthClient`                              | 鉴权客户端                               |
+| `rb.table<T>(name)`   | `TableClient<T>`                          | 获取表操作客户端                             |
+| `rb.health()`         | `Promise<ApiResponse>`                    | 健康检查（返回 name/port/pid/uptime/mem/cpu） |
+| `rb.tables()`         | `Promise<ApiResponse<TableMeta[]>>`       | 获取所有表元数据（不含 users）                   |
+| `rb.tableMeta(name)`  | `Promise<ApiResponse<TableMeta \| null>>` | 获取单表元数据                              |
+| `rb.syncMeta()`       | `Promise<ApiResponse<TableMeta[]>>`       | 运行时同步 DB 表结构                         |
+| `rb.setHeader(k, v)`  | `this`                                    | 设置自定义请求头                             |
+| `rb.setRequestId(id)` | `this`                                    | 设置请求追踪 ID（`X-Request-Id`）            |
 
 **TableMeta 结构：**
 

package/client/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@dtdyq/restbase-client",
-    "version": "1.0.1",
+    "version": "2.1.1",
     "description": "Type-safe, zero-dependency client for RestBase API — works in Browser / Node / Bun / Deno",
     "keywords": ["restbase", "rest", "api", "client", "typescript", "query-builder"],
     "license": "MIT",

package/client/restbase-client.ts

@@ -451,14 +451,20 @@ export class AuthClient {
    ══════════════════════════════════════════════════════════════ */
 
 class HttpClient {
-    private _baseUrl: string;
+    private _urls: string[];
     private _token: string | null = null;
     private _basicAuth: string | null = null;
     private _requestId?: string;
     private _headers: Record<string, string> = {};
 
-    constructor(baseUrl: string) {
-        this._baseUrl = baseUrl.replace(/\/+$/, "");
+    constructor(urls: string | string[]) {
+        const list = Array.isArray(urls) ? urls : [urls];
+        this._urls = list.map((u) => u.replace(/\/+$/, ""));
+    }
+
+    /** Pick a random base URL (load balancing) */
+    private _pickUrl(): string {
+        return this._urls[Math.floor(Math.random() * this._urls.length)]!;
     }
 
     setToken(token: string | null): void {
@@ -471,7 +477,11 @@ class HttpClient {
     }
 
     setBasicAuth(username: string, password: string): void {
-        this._basicAuth = btoa(`${username}:${password}`);
+        /* Unicode-safe base64: TextEncoder 处理非 ASCII 字符 */
+        const bytes = new TextEncoder().encode(`${username}:${password}`);
+        let binary = "";
+        for (const b of bytes) binary += String.fromCharCode(b);
+        this._basicAuth = btoa(binary);
         this._token = null;
     }
 
@@ -511,7 +521,7 @@ class HttpClient {
     }
 
     private async _fetch<T>(method: string, path: string, params?: Record<string, string>, body?: unknown): Promise<ApiResponse<T>> {
-        let url = `${this._baseUrl}${path}`;
+        let url = `${this._pickUrl()}${path}`;
         if (params && Object.keys(params).length > 0) {
             url += `?${new URLSearchParams(params).toString()}`;
         }
@@ -526,12 +536,35 @@ class HttpClient {
    RestBase — 主入口
    ══════════════════════════════════════════════════════════════ */
 
+/**
+ * RestBase — 前端客户端主入口
+ *
+ * 支持三种构造方式：
+ *
+ * ```ts
+ * // 1. 同源部署（无参数）
+ * const rb = new RestBase();
+ *
+ * // 2. 单个 endpoint
+ * const rb = new RestBase("http://localhost:3333");
+ *
+ * // 3. 多个 endpoint（负载均衡，每次请求随机选一个）
+ * const rb = new RestBase([
+ *   "http://localhost:3333",
+ *   "http://localhost:8080",
+ *   "http://localhost:9090",
+ * ]);
+ * ```
+ *
+ * 多 endpoint 模式下，所有服务端实例应连接同一个数据库。
+ * 客户端共享同一套 auth 状态，每次请求随机分发到不同节点。
+ */
 export class RestBase {
     readonly auth: AuthClient;
     private _http: HttpClient;
 
-    constructor(endpoint: string = "") {
-        this._http = new HttpClient(endpoint);
+    constructor(endpoint?: string | string[]) {
+        this._http = new HttpClient(endpoint ?? "");
         this.auth = new AuthClient(this._http);
     }
 
@@ -541,8 +574,8 @@ export class RestBase {
     }
 
     /** 健康检查 */
-    async health(): Promise<ApiResponse<{ status: string }>> {
-        return this._http.get<{ status: string }>("/api/health");
+    async health(): Promise<ApiResponse> {
+        return this._http.get("/api/health");
     }
 
     /** 获取所有表元数据（不含 users 表） */
@@ -560,13 +593,13 @@ export class RestBase {
         return this._http.get<TableMeta[]>("/api/meta/sync");
     }
 
-    /** 设置自定义请求头 */
+    /** 设置自定义请求头（当前 endpoint） */
     setHeader(key: string, value: string): this {
         this._http.setHeader(key, value);
         return this;
     }
 
-    /** 设置请求追踪 ID */
+    /** 设置请求追踪 ID（当前 endpoint） */
     setRequestId(id: string): this {
         this._http.setRequestId(id);
         return this;

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@dtdyq/restbase",
-    "version": "2.0.0",
+    "version": "2.1.1",
     "description": "Zero-code REST API server for SQLite / MySQL — CLI with daemon mode, health monitoring, built-in auth & tenant isolation",
     "keywords": ["rest", "api", "crud", "sqlite", "mysql", "hono", "bun", "zero-code", "cli", "daemon"],
     "license": "MIT",
@@ -18,10 +18,12 @@
     },
     "scripts": {
         "dev": "bun run --watch src/server.ts",
+        "start": "bun run src/server.ts",
         "test": "bun test src/rest.test.ts",
         "build": "bun build --compile --minify --sourcemap ./bin/restbase.ts --outfile restbase"
     },
     "dependencies": {
+        "@clack/prompts": "^1.0.0",
         "@hono/zod-validator": "^0.4.0",
         "hono": "^4.6.0",
         "pino": "^10.3.1",

package/src/auth.ts

@@ -51,7 +51,7 @@ export const authMiddleware = async (
                 const password = decoded.slice(sep + 1);
                 const user = await findUser(username);
                 if (user && user.password === password) {
-                    c.set("userId", user.id as number);
+                    c.set("userId", user.id);
                     c.set("username", username);
                     return next();
                 }
@@ -66,14 +66,20 @@ export const authMiddleware = async (
 
 /* ═══════════ 内部工具 ═══════════ */
 
-async function findUser(username: string) {
+interface AuthUser {
+    id: number;
+    username: string;
+    password: string;
+}
+
+async function findUser(username: string): Promise<AuthUser | null> {
     const rows = await run(
         `SELECT id, username, password
          FROM ${q(cfg.authTable)}
          WHERE username = $1`,
         [username],
     );
-    return rows.length > 0 ? (rows[0] as any) : null;
+    return rows.length > 0 ? (rows[0] as AuthUser) : null;
 }
 
 async function issueToken(uid: number, username: string): Promise<string> {
@@ -114,6 +120,7 @@ export function registerAuthRoutes(app: Hono<AppEnv>) {
                 [username, password],
             );
             const user = await findUser(username);
+            if (!user) throw new AppError("AUTH_ERROR", "Registration failed");
             return c.json(ok(await issueToken(user.id, username)));
         },
     );
@@ -128,9 +135,7 @@ export function registerAuthRoutes(app: Hono<AppEnv>) {
             [userId],
         );
         if (rows.length === 0) throw new AppError("AUTH_ERROR", "User not found");
-        const data = {...(rows[0] as any)};
-        delete data.id;
-        delete data.password;
+        const {id: _, password: _pw, ...data} = rows[0] as Record<string, unknown>;
         return c.json(ok(data));
     });
 

package/src/crud.ts

@@ -23,7 +23,7 @@ import {
     zodHook, bodyQuerySchema, bodyDeleteSchema, bodyDataSchema,
     type BodyQuery, type BodyWhereInput,
 } from "./types.ts";
-import {getTable, isAuthTable, run, type TblMeta} from "./db.ts";
+import {db, getTable, isAuthTable, run, type TblMeta} from "./db.ts";
 import {buildBodyDeleteSQL, buildBodyListSQL, buildDeleteSQL, buildListSQL} from "./query.ts";
 
 /* ═══════════ 注册路由 ═══════════ */
@@ -60,8 +60,7 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
         const body = c.req.valid("json")
 
         const {sql, values} = buildBodyDeleteSQL(tbl, body, userId);
-        const ids = await collectDeletedIds(tbl, sql, values);
-        await run(sql, values);
+        const ids = await transactionalDelete(tbl, sql, values);
         return c.json(ok({deleted: ids}));
     });
 
@@ -176,8 +175,7 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
         for (const [k, v] of url.searchParams.entries()) params[k] = v;
 
         const {sql, values} = buildDeleteSQL(tbl, params, userId);
-        const ids = await collectDeletedIds(tbl, sql, values);
-        await run(sql, values);
+        const ids = await transactionalDelete(tbl, sql, values);
         return c.json(ok({deleted: ids}));
     });
 
@@ -208,20 +206,31 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
 /* ═══════════ 内部工具 ═══════════ */
 
 /**
- * 在执行 DELETE 之前，先用相同 WHERE 条件 SELECT 出即将被删的主键列表。
+ * 在事务中先 SELECT 待删除的主键列表，再执行 DELETE，保证一致性。
  * 将 DELETE SQL 改写为 SELECT pk FROM ... WHERE ...
  */
-async function collectDeletedIds(
+async function transactionalDelete(
     tbl: TblMeta, deleteSql: string, values: unknown[],
 ): Promise<unknown[]> {
-    if (!tbl.pk) return [];
-    /* 把 "DELETE ... FROM ..." 替换为 "SELECT pk FROM ..."（SQL 模板可能含换行） */
+    if (!tbl.pk) {
+        await run(deleteSql, values);
+        return [];
+    }
     const selectSql = deleteSql.replace(
         /^DELETE\s+FROM/i,
         `SELECT ${q(tbl.pk)} FROM`,
     );
-    const rows = await run(selectSql, values);
-    return rows.map((r: any) => r[tbl.pk!]);
+    await db.unsafe("BEGIN");
+    try {
+        const rows = await run(selectSql, values);
+        const ids = rows.map((r: any) => r[tbl.pk!]);
+        await run(deleteSql, values);
+        await db.unsafe("COMMIT");
+        return ids;
+    } catch (err) {
+        await db.unsafe("ROLLBACK");
+        throw err;
+    }
 }
 
 /** 去掉 owner 字段 */

package/src/logger.ts

@@ -7,6 +7,8 @@
  *   - 日志保留天数（LOG_RETAIN_DAYS，默认 7）
  *   - 日志等级（LOG_LEVEL）
  *
+ * pino-roll 启用 symlink，当前日志始终通过 current.log 软链接访问。
+ *
  * 导出 log 实例，全局使用 log.info / log.debug / log.error / log.fatal
  */
 import pino from "pino";
@@ -57,7 +59,7 @@ if (cfg.logConsole) {
     });
 }
 
-/* 文件（pino-roll 滚动写入 NDJSON） */
+/* 文件（pino-roll 滚动写入 NDJSON，symlink 指向当前文件） */
 if (cfg.logFile) {
     const {default: buildRollStream} = await import("pino-roll");
     const rollStream = await buildRollStream({
@@ -67,6 +69,7 @@ if (cfg.logFile) {
         dateFormat: "yyyy-MM-dd",
         limit: {count: cfg.logRetainDays},
         mkdir: true,
+        symlink: true,
     });
 
     streams.push({

package/src/query.ts

@@ -238,10 +238,13 @@ function buildIn(
 
     /* BETWEEN: 12...20 */
     if (inner.includes("...")) {
-        const [lo, hi] = inner.split("...");
+        const parts = inner.split("...");
+        const lo = parts[0];
+        const hi = parts[parts.length - 1];
+        if (!lo || !hi) throw new AppError("QUERY_ERROR", "BETWEEN requires two values: lo...hi");
         return {
             sql: `${f} ${not}BETWEEN $${ctx.n++} AND $${ctx.n++}`,
-            values: [typed(lo!, col), typed(hi!, col)],
+            values: [typed(lo, col), typed(hi, col)],
         };
     }
 

package/src/server.ts

@@ -21,6 +21,7 @@ import {Hono} from "hono";
 import {requestId} from "hono/request-id";
 import {cors} from "hono/cors";
 import {serveStatic} from "hono/bun";
+import {resolve, dirname} from "path";
 import {type ApiRes, type AppEnv, AppError, cfg, ok, reqStore} from "./types.ts";
 import {log} from "./logger.ts";
 import {getTableMetaByName, getTablesMeta, initDb, syncTablesMeta} from "./db.ts";
@@ -50,7 +51,7 @@ const app = new Hono<AppEnv>();
 /* ═══════════ 3. CORS 中间件 ═══════════ */
 
 app.use("*", cors({
-    origin: "*",                     // 允许所有来源（生产环境可改为具体域名）
+    origin: cfg.corsOrigin === "*" ? "*" : cfg.corsOrigin.split(",").map((s) => s.trim()),
     allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allowHeaders: ["Content-Type", "Authorization", "X-Request-Id"],
     exposeHeaders: ["X-Request-Id"],
@@ -68,8 +69,26 @@ if (cfg.apiLimit > 0) {
     /** API 路径 → { tokens: 剩余令牌, lastRefill: 上次填充时间戳 } */
     const buckets = new Map<string, { tokens: number; lastRefill: number }>();
 
+    /**
+     * 归一化路径：只保留 /api/ 后前两段，截断更深的路径参数。
+     * 例如 /api/data/products/123 → /api/data/products
+     * 通用规则，新增接口无需修改。
+     */
+    function normalizePath(path: string): string {
+        const segs = path.split("/"); // ["", "api", "data", "products", "123"]
+        return segs.length > 4 ? segs.slice(0, 4).join("/") : path;
+    }
+
+    /** 定期清理超过 60 秒未使用的 bucket，防止内存泄漏 */
+    setInterval(() => {
+        const cutoff = Date.now() - 60_000;
+        for (const [key, bucket] of buckets) {
+            if (bucket.lastRefill < cutoff) buckets.delete(key);
+        }
+    }, 60_000).unref();
+
     app.use("/api/*", async (c, next) => {
-        const key = `${c.req.method} ${c.req.path}`;
+        const key = `${c.req.method} ${normalizePath(c.req.path)}`;
         const now = Date.now();
         let bucket = buckets.get(key);
 
@@ -173,7 +192,8 @@ app.get("/api/health", (c) => {
         name: cfg.name || undefined,
         port: cfg.port,
         pid: process.pid,
-        logFile: cfg.logFile || undefined,
+        cwd: process.cwd(),
+        logFile: cfg.logFile ? resolve(dirname(cfg.logFile), "current.log") : undefined,
         startedAt,
         uptime: uptimeSec,
         memory: {

package/src/types.ts

@@ -18,7 +18,9 @@ export const cfg = {
     /** 静态文件目录（相对路径，为空则不托管） */
     staticDir: Bun.env.SVR_STATIC ?? "",
     /** API 限流：每秒每个 API 接口允许的最大请求数（0 = 不限流） */
-    apiLimit: Number(Bun.env.SVR_API_LIMIT) || 100,
+    apiLimit: Bun.env.SVR_API_LIMIT !== undefined ? Number(Bun.env.SVR_API_LIMIT) : 100,
+    /** CORS 允许的来源（默认 *，生产环境建议改为具体域名，逗号分隔多个） */
+    corsOrigin: Bun.env.SVR_CORS_ORIGIN ?? "*",
     /** 数据库连接字符串 */
     db: _db,
     /** 是否 SQLite（非 mysql:// 则视为 SQLite） */