xinyu-pro 0.21.0

package/app/api/plugins/resources/route.ts

@@ -0,0 +1,109 @@
+// app/api/plugins/resources/route.ts - 插件资源文件 HTTP 访问
+
+import { NextRequest, NextResponse } from 'next/server';
+import { ensureDb } from '@/lib/db-init';
+import { getDbPool } from '@/lib/db';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+/** 常见 MIME 类型映射 */
+const MIME_TYPES: Record<string, string> = {
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.gif': 'image/gif',
+  '.svg': 'image/svg+xml',
+  '.webp': 'image/webp',
+  '.mp3': 'audio/mpeg',
+  '.wav': 'audio/wav',
+  '.ogg': 'audio/ogg',
+  '.mp4': 'video/mp4',
+  '.webm': 'video/webm',
+  '.json': 'application/json',
+  '.css': 'text/css',
+  '.html': 'text/html',
+  '.txt': 'text/plain',
+  '.md': 'text/markdown',
+  '.pdf': 'application/pdf',
+  '.woff': 'font/woff',
+  '.woff2': 'font/woff2',
+  '.ttf': 'font/ttf',
+  '.eot': 'application/vnd.ms-fontobject',
+};
+
+function getMimeType(filePath: string): string {
+  const ext = path.extname(filePath).toLowerCase();
+  return MIME_TYPES[ext] || 'application/octet-stream';
+}
+
+/** 校验插件 ID 合法性 */
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+/** 校验文件路径安全性 */
+function isSafePath(filePath: string): boolean {
+  const normalized = path.normalize(filePath);
+  return !normalized.includes('..') && !path.isAbsolute(normalized) && normalized !== '';
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const filePath = searchParams.get('path');
+
+    if (!pluginId || !filePath) {
+      return NextResponse.json({ error: '缺少 pluginId 或 path 参数' }, { status: 400 });
+    }
+
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+
+    if (!isSafePath(filePath)) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+    }
+
+    // 验证插件存在
+    await ensureDb();
+    const db = getDbPool();
+    const [rows] = await db.execute(
+      'SELECT id FROM extensions WHERE id = ?',
+      [pluginId]
+    ) as [Array<{ id: string }>, unknown];
+
+    if (rows.length === 0) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    // 构建文件绝对路径
+    const absolutePath = path.join(process.cwd(), 'data', 'plugins', pluginId, filePath);
+
+    // 安全检查：确保路径在插件目录内
+    const pluginDir = path.join(process.cwd(), 'data', 'plugins', pluginId);
+    const resolvedPath = path.resolve(absolutePath);
+    const resolvedDir = path.resolve(pluginDir);
+    if (!resolvedPath.startsWith(resolvedDir + path.sep) && resolvedPath !== resolvedDir) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 403 });
+    }
+
+    // 读取文件
+    try {
+      const fileBuffer = await fs.readFile(absolutePath);
+      const mimeType = getMimeType(filePath);
+      return new NextResponse(fileBuffer, {
+        headers: {
+          'Content-Type': mimeType,
+          'Cache-Control': 'public, max-age=3600',
+          'Content-Disposition': `inline; filename="${path.basename(filePath)}"`,
+        },
+      });
+    } catch {
+      return NextResponse.json({ error: '文件不存在' }, { status: 404 });
+    }
+  } catch (e) {
+    console.error('读取插件资源失败:', e);
+    return NextResponse.json({ error: '读取资源失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/route.ts

@@ -0,0 +1,308 @@
+// app/api/plugins/route.ts - 插件 CRUD API
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getDbPool } from '@/lib/db';
+import { ensureDb } from '@/lib/db-init';
+import { writePluginCode, deletePluginCode, getPluginDir } from '@/lib/plugin-files';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+/** 解析 JSON 字段 */
+function parseJsonField<T>(value: unknown): T {
+  if (typeof value === 'string') {
+    try { return JSON.parse(value) as T; } catch { return value as unknown as T; }
+  }
+  return value as T;
+}
+
+/** 解析权限字段（兼容旧格式 uiPermissions 数组和新格式对象） */
+function parsePermissions(value: unknown): {
+  commonPermissions?: string[];
+  exclusivePermissions?: string[];
+  requiredPermissions?: string[];
+} {
+  const raw = parseJsonField<unknown>(value);
+  if (Array.isArray(raw)) {
+    // 旧格式：uiPermissions 数组 → 映射为 commonPermissions
+    return { commonPermissions: raw };
+  }
+  if (raw && typeof raw === 'object') {
+    const perms = raw as Record<string, unknown>;
+    return {
+      commonPermissions: (perms.commonPermissions as string[]) || [],
+      exclusivePermissions: (perms.exclusivePermissions as string[]) || [],
+      requiredPermissions: (perms.requiredPermissions as string[]) || [],
+    };
+  }
+  return {};
+}
+
+/** 行数据转换为插件对象（不含 code，需异步填充） */
+function rowToPlugin(row: Record<string, unknown>) {
+  const perms = parsePermissions(row.ui_permissions);
+  return {
+    id: row.id,
+    name: row.name,
+    version: row.version,
+    description: row.description,
+    author: row.author,
+    type: row.type,
+    icon: row.icon,
+    minAppVersion: row.min_app_version,
+    code: '', // 将由 fillPluginCode 异步填充
+    codePath: (row.code_path as string) || '', // 入口代码文件路径（如 data/plugins/x.y/index.js）
+    configSchema: parseJsonField(row.config_schema),
+    uiSlots: parseJsonField(row.ui_slots),
+    ...perms,
+    publicExports: parseJsonField(row.public_exports),
+    dependencies: parseJsonField(row.dependencies),
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+/** 异步填充插件代码（从文件读取） */
+async function fillPluginCode(plugin: ReturnType<typeof rowToPlugin>): Promise<typeof plugin> {
+  try {
+    // 从 code_path 提取文件名（如 data/plugins/x.y/index.js → index.js）
+    const codeFileName = plugin.codePath ? (plugin.codePath.split('/').pop() || 'plugin.js') : 'plugin.js';
+    const pluginDir = getPluginDir(plugin.id as string);
+    const filePath = path.join(pluginDir, codeFileName);
+    plugin.code = await fs.readFile(filePath, 'utf-8');
+  } catch {
+    plugin.code = '';
+  }
+  return plugin;
+}
+
+// GET: 获取所有插件或单个插件
+export async function GET(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+    const { searchParams } = new URL(request.url);
+    const id = searchParams.get('id');
+    const type = searchParams.get('type');
+
+    if (id) {
+      const [rows] = await db.execute(
+        'SELECT * FROM extensions WHERE id = ?',
+        [id]
+      ) as [Record<string, unknown>[], unknown];
+      if (rows.length === 0) {
+        return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+      }
+      const plugin = await fillPluginCode(rowToPlugin(rows[0]));
+      return NextResponse.json(plugin);
+    }
+
+    let query = 'SELECT * FROM extensions';
+    const params: (string | number | null)[] = [];
+
+    if (type) {
+      query += ' WHERE type = ?';
+      params.push(type);
+    }
+
+    query += ' ORDER BY updated_at DESC';
+    const [rows] = await db.execute(query, params) as [Record<string, unknown>[], unknown];
+    const plugins = await Promise.all(rows.map(r => fillPluginCode(rowToPlugin(r))));
+    return NextResponse.json(plugins);
+  } catch (e) {
+    console.error('获取插件失败:', e);
+    return NextResponse.json({ error: '获取插件失败' }, { status: 500 });
+  }
+}
+
+// POST: 创建插件
+export async function POST(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+    const body = await request.json();
+    const { id, name, version, description, author, type, icon, minAppVersion, code, configSchema, uiSlots, commonPermissions, exclusivePermissions, requiredPermissions, publicExports, dependencies } = body;
+
+    if (!id || !name || !version || !type || !code) {
+      return NextResponse.json({ error: '缺少必填字段 (id, name, version, type, code)' }, { status: 400 });
+    }
+
+    // 将代码写入文件
+    const codePath = await writePluginCode(id, code);
+
+    const permissionsJson = JSON.stringify({
+      commonPermissions: commonPermissions || [],
+      exclusivePermissions: exclusivePermissions || [],
+      requiredPermissions: requiredPermissions || [],
+    });
+
+    await db.execute(
+      `INSERT INTO extensions (id, name, version, description, author, type, icon, min_app_version, code_path, config_schema, ui_slots, ui_permissions, public_exports, dependencies)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+       ON DUPLICATE KEY UPDATE
+       name = VALUES(name), version = VALUES(version), description = VALUES(description),
+       author = VALUES(author), type = VALUES(type), icon = VALUES(icon),
+       min_app_version = VALUES(min_app_version), code_path = VALUES(code_path),
+       config_schema = VALUES(config_schema), ui_slots = VALUES(ui_slots),
+       ui_permissions = VALUES(ui_permissions),
+       public_exports = VALUES(public_exports), dependencies = VALUES(dependencies)`,
+      [id, name, version, description || '', author || '', type, icon || '', minAppVersion || '', codePath,
+       JSON.stringify(configSchema || []), JSON.stringify(uiSlots || []),
+       permissionsJson,
+       JSON.stringify(publicExports || null), JSON.stringify(dependencies || null)]
+    );
+
+    return NextResponse.json({ success: true, id });
+  } catch (e) {
+    console.error('创建插件失败:', e);
+    return NextResponse.json({ error: '创建插件失败' }, { status: 500 });
+  }
+}
+
+// PUT: 更新插件
+export async function PUT(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+    const body = await request.json();
+    const { id, newId, ...fields } = body;
+
+    if (!id) {
+      return NextResponse.json({ error: '缺少插件 ID' }, { status: 400 });
+    }
+
+    // 处理 ID 变更
+    if (newId && newId !== id) {
+      // 检查新 ID 是否已存在
+      const [existing] = await db.execute('SELECT id FROM extensions WHERE id = ?', [newId]) as [Record<string, unknown>[], unknown];
+      if (existing.length > 0) {
+        return NextResponse.json({ error: `插件 ID「${newId}」已存在` }, { status: 409 });
+      }
+      // 临时禁用外键检查，同时更新父表和子表的 ID，再恢复
+      await db.execute('SET FOREIGN_KEY_CHECKS = 0');
+      try {
+        await db.execute('UPDATE extensions SET id = ? WHERE id = ?', [newId, id]);
+        await db.execute('UPDATE extension_bindings SET extension_id = ? WHERE extension_id = ?', [newId, id]);
+      } finally {
+        await db.execute('SET FOREIGN_KEY_CHECKS = 1');
+      }
+      // 后续字段更新使用新 ID
+      fields.id = newId;
+      // 重命名插件目录（data/plugins/{oldId}/ → data/plugins/{newId}/）
+      const oldDir = getPluginDir(id);
+      const newDir = getPluginDir(newId);
+      try {
+        await fs.rename(oldDir, newDir);
+      } catch (e) {
+        console.error(`重命名插件目录失败: ${oldDir} → ${newDir}`, e);
+        // 回滚数据库
+        await db.execute('UPDATE extensions SET id = ? WHERE id = ?', [id, newId]);
+        await db.execute('UPDATE extension_bindings SET extension_id = ? WHERE extension_id = ?', [id, newId]);
+        return NextResponse.json({ error: '重命名插件目录失败' }, { status: 500 });
+      }
+      // 更新 code_path 中的目录名
+      const [codePathRows] = await db.execute('SELECT code_path FROM extensions WHERE id = ?', [newId]) as [Record<string, string>[], unknown];
+      if (codePathRows.length > 0 && codePathRows[0].code_path) {
+        const oldCodePath = codePathRows[0].code_path;
+        const newCodePath = oldCodePath.replace(`data/plugins/${id}/`, `data/plugins/${newId}/`);
+        if (newCodePath !== oldCodePath) {
+          await db.execute('UPDATE extensions SET code_path = ? WHERE id = ?', [newCodePath, newId]);
+        }
+      }
+    }
+
+    const updates: string[] = [];
+    const params: (string | number | null)[] = [];
+
+    const allowedFields = ['name', 'version', 'description', 'author', 'type', 'icon', 'minAppVersion', 'code', 'configSchema', 'uiSlots', 'commonPermissions', 'exclusivePermissions', 'requiredPermissions', 'publicExports', 'dependencies', 'id'];
+    const columnMap: Record<string, string> = {
+      minAppVersion: 'min_app_version',
+      configSchema: 'config_schema',
+      uiSlots: 'ui_slots',
+      commonPermissions: 'ui_permissions',
+      exclusivePermissions: 'ui_permissions',
+      requiredPermissions: 'ui_permissions',
+      publicExports: 'public_exports',
+      dependencies: 'dependencies',
+    };
+
+    // code 字段特殊处理：写入文件，数据库存路径
+    const targetId = newId || id;
+    if (fields.code !== undefined) {
+      // 从当前 code_path 提取入口文件名（如 data/plugins/x.y/index.js → index.js）
+      const [existingRows] = await db.execute('SELECT code_path FROM extensions WHERE id = ?', [targetId]) as [Record<string, string>[], unknown];
+      const currentCodePath = existingRows.length > 0 ? existingRows[0].code_path : null;
+      const entryFile = currentCodePath ? currentCodePath.split('/').pop() : undefined;
+      const codePath = await writePluginCode(targetId, String(fields.code), entryFile);
+      updates.push('code_path = ?');
+      params.push(codePath);
+      delete fields.code; // 不再作为普通字段处理
+    }
+
+    // 权限字段需要合并更新
+    const permFields = ['commonPermissions', 'exclusivePermissions', 'requiredPermissions'];
+    const hasPermUpdate = permFields.some(f => fields[f] !== undefined);
+
+    if (hasPermUpdate) {
+      // 先读取当前权限
+      const [rows] = await db.execute('SELECT ui_permissions FROM extensions WHERE id = ?', [targetId]) as [Record<string, unknown>[], unknown];
+      const currentPerms = rows.length > 0 ? parsePermissions(rows[0].ui_permissions) : {};
+      const newPerms = {
+        commonPermissions: fields.commonPermissions !== undefined ? fields.commonPermissions : (currentPerms.commonPermissions || []),
+        exclusivePermissions: fields.exclusivePermissions !== undefined ? fields.exclusivePermissions : (currentPerms.exclusivePermissions || []),
+        requiredPermissions: fields.requiredPermissions !== undefined ? fields.requiredPermissions : (currentPerms.requiredPermissions || []),
+      };
+      updates.push('ui_permissions = ?');
+      params.push(JSON.stringify(newPerms));
+    }
+
+    for (const field of allowedFields) {
+      if (permFields.includes(field)) continue; // 权限字段已单独处理
+      if (field === 'id') continue; // ID 已单独处理
+      if (fields[field] !== undefined) {
+        const col = columnMap[field] || field;
+        updates.push(`${col} = ?`);
+        if (field === 'configSchema' || field === 'uiSlots' || field === 'publicExports' || field === 'dependencies') {
+          params.push(JSON.stringify(fields[field]));
+        } else {
+          params.push(fields[field]);
+        }
+      }
+    }
+
+    if (updates.length === 0) {
+      return NextResponse.json({ success: true, id: targetId });
+    }
+
+    params.push(targetId);
+    await db.execute(
+      `UPDATE extensions SET ${updates.join(', ')} WHERE id = ?`,
+      params
+    );
+
+    return NextResponse.json({ success: true, id: targetId });
+  } catch (e) {
+    console.error('更新插件失败:', e);
+    return NextResponse.json({ error: '更新插件失败' }, { status: 500 });
+  }
+}
+
+// DELETE: 删除插件
+export async function DELETE(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+    const { searchParams } = new URL(request.url);
+    const id = searchParams.get('id');
+
+    if (!id) {
+      return NextResponse.json({ error: '缺少插件 ID' }, { status: 400 });
+    }
+
+    await db.execute('DELETE FROM extensions WHERE id = ?', [id]);
+    await deletePluginCode(id);
+    return NextResponse.json({ success: true, id });
+  } catch (e) {
+    console.error('删除插件失败:', e);
+    return NextResponse.json({ error: '删除插件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/scan/route.ts

@@ -0,0 +1,280 @@
+// app/api/plugins/scan/route.ts - AI 安全检测 API
+
+import { NextRequest, NextResponse } from 'next/server';
+
+interface ScanRequest {
+  code: string;
+  manifest?: {
+    name?: string;
+    author?: string;
+    type?: string;
+  };
+}
+
+interface Finding {
+  level: 'info' | 'warning' | 'danger';
+  category: string;
+  description: string;
+  code?: string;
+  recommendation: string;
+}
+
+interface ScanResult {
+  riskLevel: 'low' | 'medium' | 'high' | 'critical';
+  score: number;
+  summary: string;
+  findings: Finding[];
+  recommendation: string;
+}
+
+/** 静态代码分析（不依赖 AI API 的基础检测） */
+function staticAnalysis(code: string, manifest?: ScanRequest['manifest']): ScanResult {
+  const findings: Finding[] = [];
+  let riskScore = 100;
+
+  // 1. 网络请求检测
+  const fetchPatterns = [
+    /fetch\s*\(/g,
+    /XMLHttpRequest/g,
+    /\.ajax\s*\(/g,
+    /new\s+WebSocket/g,
+  ];
+  for (const pattern of fetchPatterns) {
+    const matches = code.match(pattern);
+    if (matches) {
+      findings.push({
+        level: 'warning',
+        category: 'network',
+        description: `插件包含 ${matches.length} 处网络请求调用`,
+        recommendation: '确认请求目标地址是否可信，避免数据泄露',
+      });
+      riskScore -= matches.length * 5;
+    }
+  }
+
+  // 2. DOM 操作检测
+  const domPatterns = [
+    /document\.(querySelector|getElementById|getElementsBy|createElement|write)/g,
+    /window\.(document|location|navigator)/g,
+    /\.innerHTML\s*=/g,
+    /\.outerHTML\s*=/g,
+  ];
+  for (const pattern of domPatterns) {
+    const matches = code.match(pattern);
+    if (matches) {
+      findings.push({
+        level: 'info',
+        category: 'dom',
+        description: `插件包含 ${matches.length} 处 DOM 操作`,
+        recommendation: '确认 DOM 操作是否必要，避免破坏页面结构',
+      });
+      riskScore -= matches.length * 2;
+    }
+  }
+
+  // 3. 数据访问检测
+  const storagePatterns = [
+    /localStorage\.(getItem|setItem|removeItem)/g,
+    /sessionStorage\.(getItem|setItem|removeItem)/g,
+    /document\.cookie/g,
+  ];
+  for (const pattern of storagePatterns) {
+    const matches = code.match(pattern);
+    if (matches) {
+      findings.push({
+        level: 'warning',
+        category: 'storage',
+        description: `插件访问浏览器存储 ${matches.length} 次`,
+        recommendation: '确认数据访问的必要性，避免读取敏感信息',
+      });
+      riskScore -= matches.length * 5;
+    }
+  }
+
+  // 4. 代码执行检测
+  const evalPatterns = [
+    /eval\s*\(/g,
+    /new\s+Function\s*\(/g,
+    /setTimeout\s*\(\s*['"`]/g,
+    /setInterval\s*\(\s*['"`]/g,
+  ];
+  for (const pattern of evalPatterns) {
+    const matches = code.match(pattern);
+    if (matches) {
+      findings.push({
+        level: 'danger',
+        category: 'execution',
+        description: `插件使用动态代码执行 ${matches.length} 次 (eval/Function)`,
+        code: matches[0],
+        recommendation: '动态代码执行存在严重安全风险，建议避免使用',
+      });
+      riskScore -= matches.length * 15;
+    }
+  }
+
+  // 5. 恶意模式检测
+  const maliciousPatterns = [
+    { pattern: /key(?:down|up|press)/g, desc: '键盘事件监听', level: 'warning' as const, cat: 'keylogger' },
+    { pattern: /addEventListener\s*\(\s*['"`](?:mouse|pointer|touch)/g, desc: '鼠标/触摸事件监听', level: 'info' as const, cat: 'tracking' },
+    { pattern: /navigator\.(sendBeacon|geolocation|clipboard)/g, desc: '浏览器敏感 API 调用', level: 'warning' as const, cat: 'privacy' },
+    { pattern: /new\s+Image\s*\(\s*\)\s*\.src\s*=/g, desc: '图片追踪（可能的像素追踪）', level: 'warning' as const, cat: 'tracking' },
+  ];
+  for (const { pattern, desc, level, cat } of maliciousPatterns) {
+    const matches = code.match(pattern);
+    if (matches) {
+      findings.push({
+        level,
+        category: cat,
+        description: `检测到${desc} (${matches.length} 处)`,
+        recommendation: '确认这些操作是否为插件功能所必需',
+      });
+      riskScore -= matches.length * (level === 'warning' ? 8 : 3);
+    }
+  }
+
+  // 6. 代码混淆检测
+  const obfuscationPatterns = [
+    { pattern: /\\u[0-9a-fA-F]{4}/g, desc: 'Unicode 转义序列' },
+    { pattern: /\\x[0-9a-fA-F]{2}/g, desc: '十六进制转义序列' },
+    { pattern: /\[\s*['"][a-zA-Z]['"]\s*\+\s*['"][a-zA-Z]['"]\s*\]/g, desc: '字符串拼接混淆' },
+  ];
+  for (const { pattern, desc } of obfuscationPatterns) {
+    const matches = code.match(pattern);
+    if (matches && matches.length > 3) {
+      findings.push({
+        level: 'warning',
+        category: 'obfuscation',
+        description: `检测到可能的代码混淆 (${desc}, ${matches.length} 处)`,
+        recommendation: '混淆代码可能隐藏恶意行为，建议审查源码',
+      });
+      riskScore -= 10;
+    }
+  }
+
+  // 限制分数范围
+  riskScore = Math.max(0, Math.min(100, riskScore));
+
+  // 确定风险等级
+  let riskLevel: 'low' | 'medium' | 'high' | 'critical';
+  if (riskScore >= 80) riskLevel = 'low';
+  else if (riskScore >= 60) riskLevel = 'medium';
+  else if (riskScore >= 30) riskLevel = 'high';
+  else riskLevel = 'critical';
+
+  // 生成摘要
+  const pluginName = manifest?.name || '未知插件';
+  const dangerCount = findings.filter(f => f.level === 'danger').length;
+  const warningCount = findings.filter(f => f.level === 'warning').length;
+
+  let summary: string;
+  if (dangerCount > 0) {
+    summary = `插件"${pluginName}"存在 ${dangerCount} 个高危项和 ${warningCount} 个警告项，请谨慎安装。`;
+  } else if (warningCount > 0) {
+    summary = `插件"${pluginName}"存在 ${warningCount} 个警告项，建议安装前审查代码。`;
+  } else if (findings.length > 0) {
+    summary = `插件"${pluginName}"未发现明显安全风险，仅有少量信息提示。`;
+  } else {
+    summary = `插件"${pluginName}"未发现安全风险，可以安全安装。`;
+  }
+
+  let recommendation: string;
+  if (riskLevel === 'critical') recommendation = '不建议安装，存在严重安全风险';
+  else if (riskLevel === 'high') recommendation = '建议谨慎安装，请仔细审查代码';
+  else if (riskLevel === 'medium') recommendation = '可以安装，建议关注警告项';
+  else recommendation = '可以安全安装';
+
+  return { riskLevel, score: riskScore, summary, findings, recommendation };
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const body: ScanRequest = await request.json();
+    const { code, manifest } = body;
+
+    if (!code) {
+      return NextResponse.json({ error: '缺少插件代码' }, { status: 400 });
+    }
+
+    // 尝试使用 AI API 进行深度分析
+    const aiResult = await aiAnalysis(code, manifest);
+    if (aiResult) {
+      return NextResponse.json(aiResult);
+    }
+
+    // 回退到静态分析
+    const result = staticAnalysis(code, manifest);
+    return NextResponse.json(result);
+  } catch (e) {
+    console.error('安全检测失败:', e);
+    return NextResponse.json({ error: '安全检测失败' }, { status: 500 });
+  }
+}
+
+/** 尝试使用 AI API 进行深度分析 */
+async function aiAnalysis(code: string, manifest?: ScanRequest['manifest']): Promise<ScanResult | null> {
+  try {
+    // 从数据库获取 API 设置
+    const { getDbPool } = await import('@/lib/db');
+    const { ensureDb } = await import('@/lib/db-init');
+    await ensureDb();
+    const db = getDbPool();
+    const [rows] = await db.execute('SELECT `value` FROM app_settings WHERE `key` = ?', ['app_settings']) as [Record<string, unknown>[], unknown];
+
+    let apiKey = process.env.AI_API_KEY || '';
+    let apiBase = process.env.AI_API_BASE || 'https://api.openai.com/v1';
+    let model = process.env.AI_MODEL || 'gpt-4o';
+
+    if (rows.length > 0 && rows[0].value) {
+      const settings = typeof rows[0].value === 'string' ? JSON.parse(rows[0].value) : rows[0].value;
+      if (settings.aiApiKey) apiKey = settings.aiApiKey;
+      if (settings.aiApiBase) apiBase = settings.aiApiBase;
+      if (settings.aiModel) model = settings.aiModel;
+    }
+
+    if (!apiKey) return null;
+
+    const systemPrompt = `你是一个代码安全分析专家。分析以下插件代码的安全性，返回 JSON 格式的安全报告。
+JSON 格式：
+{
+  "riskLevel": "low|medium|high|critical",
+  "score": 0-100,
+  "summary": "一句话总结",
+  "findings": [{ "level": "info|warning|danger", "category": "类别", "description": "描述", "code": "相关代码片段（可选）", "recommendation": "建议" }],
+  "recommendation": "安装建议"
+}
+
+检测维度：网络请求、DOM 操作、数据访问、代码执行(eval/Function)、恶意模式、权限需求。`;
+
+    const response = await fetch(`${apiBase}/chat/completions`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify({
+        model,
+        messages: [
+          { role: 'system', content: systemPrompt },
+          { role: 'user', content: `插件信息：${JSON.stringify(manifest || {})}\n\n插件代码：\n${code}` },
+        ],
+        temperature: 0.3,
+        max_tokens: 2000,
+      }),
+    });
+
+    if (!response.ok) return null;
+
+    const data = await response.json();
+    const content = data.choices?.[0]?.message?.content;
+    if (!content) return null;
+
+    // 尝试从 AI 回复中提取 JSON
+    const jsonMatch = content.match(/\{[\s\S]*\}/);
+    if (jsonMatch) {
+      return JSON.parse(jsonMatch[0]) as ScanResult;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}