feat(web): render auth pages without app shell

feat(web): polish sidebar shell and authentication UI
feat(web-ui): use project icon as favicon
2026-04-05 17:09:17 +08:00 · 2026-04-05 16:57:52 +08:00 · 2026-04-05 15:47:32 +08:00 · 2026-04-05 15:44:13 +08:00 · 2026-04-05 15:05:51 +08:00 · 2026-04-05 14:57:27 +08:00
58 changed files with 12396 additions and 97 deletions
@@ -71,23 +71,23 @@

 > 状态说明：`[x]` 已完成，`[ ]` 进行中/未开始（请随开发进度更新）

-| 顺序 | 功能实现项（用户视角） | 你会看到的效果 | 状态 |
-|---|---|---|---|
-| 1 | 明确产品能力与交互流程 | 确认 TodoList 的核心使用方式与页面路径 | [x] |
-| 2 | 实现基础登录（邮箱验证码） | 可以注册/登录并进入主页面 | [ ] |
-| 3 | 实现任务基础能力（增删改查） | 可以创建、编辑、删除、完成任务 | [ ] |
-| 4 | 实现富文本与媒体内容 | 任务详情可插入图片、视频、链接等内容 | [ ] |
-| 5 | 实现本地离线存储（Dexie） | 无网时仍可打开并编辑任务 | [ ] |
-| 6 | 实现云端同步与冲突处理 | 恢复网络后自动同步，冲突按规则合并 | [ ] |
-| 7 | 实现提醒系统（邮件） | DDL 临近时收到邮件提醒 | [ ] |
-| 8 | 实现 AI 问答（用户自带 Key） | 可直接用自己的 AI API Key 获取建议 | [ ] |
-| 9 | 实现 Astrbot Provider 接入 | 可复用 Astrbot 内配置的 AI 提供商 | [ ] |
-| 10 | 实现公共 AI 通道（可开关） | 管理员开启后，用户可直接使用站点公共 AI | [ ] |
-| 11 | 实现 Astrbot Skill 对接 | 可通过 QQ 机器人添加/修改任务与获取建议 | [ ] |
-| 12 | 实现完整账号安全（2FA + OAuth） | 支持 2FA、QQ/微信/GitHub 登录 | [ ] |
-| 13 | 实现 PWA 安装与离线体验优化 | 支持“添加到桌面”，像本地 App 一样使用 | [ ] |
-| 14 | 实现管理后台（配额/日志/系统配置） | 管理员可管理用户配额、站点信息、日志 | [ ] |
-| 15 | 上线前安全与性能收尾 | 使用更稳定、更安全，核心链路可观测 | [ ] |
+| 顺序 | 功能实现项（用户视角）             | 你会看到的效果                          | 状态 |
+| ---- | ---------------------------------- | --------------------------------------- | ---- |
+| 1    | 明确产品能力与交互流程             | 确认 TodoList 的核心使用方式与页面路径  | [x]  |
+| 2    | 实现基础登录（邮箱验证码）         | 可以注册/登录并进入主页面               | [ ]  |
+| 3    | 实现任务基础能力（增删改查）       | 可以创建、编辑、删除、完成任务          | [ ]  |
+| 4    | 实现富文本与媒体内容               | 任务详情可插入图片、视频、链接等内容    | [ ]  |
+| 5    | 实现本地离线存储（Dexie）          | 无网时仍可打开并编辑任务                | [ ]  |
+| 6    | 实现云端同步与冲突处理             | 恢复网络后自动同步，冲突按规则合并      | [ ]  |
+| 7    | 实现提醒系统（邮件）               | DDL 临近时收到邮件提醒                  | [ ]  |
+| 8    | 实现 AI 问答（用户自带 Key）       | 可直接用自己的 AI API Key 获取建议      | [ ]  |
+| 9    | 实现 Astrbot Provider 接入         | 可复用 Astrbot 内配置的 AI 提供商       | [ ]  |
+| 10   | 实现公共 AI 通道（可开关）         | 管理员开启后，用户可直接使用站点公共 AI | [ ]  |
+| 11   | 实现 Astrbot Skill 对接            | 可通过 QQ 机器人添加/修改任务与获取建议 | [ ]  |
+| 12   | 实现完整账号安全（2FA + OAuth）    | 支持 2FA、QQ/微信/GitHub 登录           | [ ]  |
+| 13   | 实现 PWA 安装与离线体验优化        | 支持“添加到桌面”，像本地 App 一样使用   | [ ]  |
+| 14   | 实现管理后台（配额/日志/系统配置） | 管理员可管理用户配额、站点信息、日志    | [ ]  |
+| 15   | 上线前安全与性能收尾               | 使用更稳定、更安全，核心链路可观测      | [ ]  |

 ---

@@ -151,6 +151,97 @@ TodoList/

 ---

+## 部署与使用
+
+### 1. 环境要求
+
+- Node.js `20.x`
+- pnpm `9.15.2`
+- PostgreSQL `14+`（本地或远程都可）
+- 可选：MinIO / S3（附件上传功能使用）
+
+### 2. 安装依赖
+
+```bash
+pnpm install
+```
+
+### 3. 后端环境变量配置
+
+1. 复制环境变量示例文件：
+
+```bash
+cp apps/api/.env.example apps/api/.env
+# PowerShell:
+# Copy-Item apps/api/.env.example apps/api/.env
+```
+
+2. 至少修改以下配置：
+
+- `DATABASE_URL`：你的 PostgreSQL 连接串
+- `AUTH_ACCESS_SECRET`：生产环境请改为高强度随机值
+- `MAIL_SMTP_*`：邮件服务器配置（验证码/提醒邮件）
+- `OAUTH_*`：第三方登录配置（未接入可先保留示例值）
+- `S3_*`：对象存储配置（未启用附件可后续再配）
+
+### 4. 初始化数据库
+
+```bash
+pnpm --filter @todolist/api exec prisma db push
+```
+
+### 5. 本地开发启动
+
+1. 启动后端（默认端口 `3000`）：
+
+```bash
+pnpm --filter @todolist/api start:dev
+```
+
+2. 启动前端（默认端口 `5173`）：
+
+```bash
+pnpm --filter web dev
+```
+
+3. 若前端需连接非默认后端地址，可设置：
+
+```bash
+VITE_API_BASE_URL=http://localhost:3000
+```
+
+### 6. 生产构建与运行
+
+1. 构建：
+
+```bash
+pnpm run build
+```
+
+2. 运行 API（需先构建）：
+
+```bash
+pnpm --filter @todolist/api start
+```
+
+3. 发布 Web：
+
+- `apps/web/dist` 为静态资源产物，建议使用 Nginx/静态托管服务发布。
+
+### 7. CI/CD 说明（当前仓库）
+
+- PR 质量检查：`.github/workflows/pr-quality.yml`
+- Web 部署模板：`.github/workflows/deploy-web.yml`
+- Admin 部署模板：`.github/workflows/deploy-admin.yml`
+- API 镜像构建：`.github/workflows/api-docker-image.yml`
+
+说明：
+
+- Web/Admin 工作流通过 Webhook 触发真实部署，需在仓库 Secrets 配置：
+  - `WEB_DEPLOY_WEBHOOK_URL`
+  - `ADMIN_DEPLOY_WEBHOOK_URL`
+- API 镜像工作流仅在存在 `apps/api/Dockerfile` 时执行镜像构建与推送。
+
 ## License

 本项目遵循 [GNUv3](./LICENSE)。
@@ -1,19 +1,65 @@
+# -----------------------------------------------------------------------------
+# TodoList API 环境变量示例
+# 用法：
+# 1) 复制为 apps/api/.env
+# 2) 按实际环境替换值（尤其是密钥、密码、令牌）
+# -----------------------------------------------------------------------------
+
+# [数据库] PostgreSQL 连接串
+# 格式：postgresql://<user>:<password>@<host>:<port>/<db>?schema=public
 DATABASE_URL="postgresql://postgres:postgres@localhost:5432/todolist?schema=public"
+
+# [鉴权] Access Token 签名密钥（生产环境必须使用高强度随机值）
 AUTH_ACCESS_SECRET="dev-access-secret"
+# [鉴权] Access Token 有效期（秒），默认 15 分钟
 AUTH_ACCESS_EXPIRES_IN_SECONDS="900"
+# [鉴权] Refresh Token 有效期（秒），默认 30 天
 AUTH_REFRESH_EXPIRES_IN_SECONDS="2592000"
+# [鉴权] 邮箱验证码有效期（秒），默认 5 分钟
 AUTH_EMAIL_CODE_TTL_SECONDS="300"
+# [2FA] TOTP 签发方名称（会显示在验证器 App 中）
 AUTH_TOTP_ISSUER="TodoList"
+
+# [OAuth - GitHub] 第三方登录配置
 OAUTH_GITHUB_CLIENT_ID="github-client-id"
 OAUTH_GITHUB_CLIENT_SECRET="github-client-secret"
 OAUTH_GITHUB_CALLBACK_URL="http://localhost:3000/auth/oauth/github/callback"
+
+# [OAuth - QQ] 第三方登录配置
 OAUTH_QQ_CLIENT_ID="qq-client-id"
 OAUTH_QQ_CLIENT_SECRET="qq-client-secret"
 OAUTH_QQ_CALLBACK_URL="http://localhost:3000/auth/oauth/qq/callback"
 OAUTH_QQ_AUTH_URL="https://graph.qq.com/oauth2.0/authorize"
 OAUTH_QQ_TOKEN_URL="https://graph.qq.com/oauth2.0/token"
+
+# [OAuth - 微信] 第三方登录配置
 OAUTH_WECHAT_CLIENT_ID="wechat-client-id"
 OAUTH_WECHAT_CLIENT_SECRET="wechat-client-secret"
 OAUTH_WECHAT_CALLBACK_URL="http://localhost:3000/auth/oauth/wechat/callback"
 OAUTH_WECHAT_AUTH_URL="https://open.weixin.qq.com/connect/qrconnect"
 OAUTH_WECHAT_TOKEN_URL="https://api.weixin.qq.com/sns/oauth2/access_token"
+
+# [对象存储] S3/MinIO 配置（附件上传）
+# 本地开发可使用 MinIO，生产可切换到云厂商 S3 兼容服务
+S3_ENDPOINT="http://127.0.0.1:9000"
+S3_REGION="us-east-1"
+S3_BUCKET="todolist"
+S3_ACCESS_KEY_ID="minioadmin"
+S3_SECRET_ACCESS_KEY="minioadmin"
+# MinIO 常用 true；AWS S3 常用 false
+S3_FORCE_PATH_STYLE="true"
+# 预签名上传 URL 的有效期（秒）
+S3_PRESIGN_EXPIRES_SECONDS="900"
+# 对外访问附件的基础地址（用于拼接公开 URL）
+S3_PUBLIC_BASE_URL="http://127.0.0.1:9000"
+
+# [邮件] SMTP 配置（验证码/DDL 提醒邮件）
+MAIL_SMTP_HOST="smtp.example.com"
+MAIL_SMTP_PORT="465"
+# 465 通常为 true（SSL），587 通常为 false（STARTTLS）
+MAIL_SMTP_SECURE="true"
+MAIL_SMTP_USER="no-reply@example.com"
+MAIL_SMTP_PASS="replace-with-smtp-password"
+# 发件人显示名称与地址
+MAIL_FROM_NAME="TodoList"
+MAIL_FROM_ADDRESS="no-reply@example.com"
@@ -0,0 +1,11 @@
+/** @type {import('jest').Config} */
+module.exports = {
+  rootDir: ".",
+  testEnvironment: "node",
+  clearMocks: true,
+  testMatch: ["<rootDir>/test/**/*.spec.ts"],
+  moduleFileExtensions: ["ts", "js", "json"],
+  transform: {
+    "^.+\\.(t|j)s$": ["ts-jest", { tsconfig: "<rootDir>/tsconfig.spec.json" }]
+  }
+};
@@ -6,35 +6,54 @@
    "prisma:generate": "prisma generate",
    "prisma:format": "prisma format",
    "prisma:validate": "prisma validate",
+    "prebuild": "pnpm run prisma:generate",
+    "pretypecheck": "pnpm run prisma:generate",
+    "pretest": "pnpm run prisma:generate",
    "start": "node dist/main.js",
    "start:dev": "ts-node-dev --respawn --transpile-only src/main.ts",
    "build": "tsc -p tsconfig.build.json",
    "typecheck": "tsc --noEmit -p tsconfig.json",
-    "test": "echo api tests pending"
+    "test": "jest --config jest.config.cjs --runInBand"
  },
  "license": "GPL-3.0-or-later",
  "devDependencies": {
+    "@nestjs/testing": "^11.1.18",
+    "@types/jest": "^30.0.0",
    "@types/node": "^25.5.2",
+    "@types/nodemailer": "^8.0.0",
    "@types/passport-github2": "^1.2.9",
    "@types/passport-oauth2": "^1.8.0",
+    "@types/supertest": "^7.2.0",
    "dotenv": "^16.6.1",
+    "jest": "^30.3.0",
    "prisma": "^7.6.0",
+    "supertest": "^7.2.2",
+    "ts-jest": "^29.4.9",
    "ts-node": "^10.9.2",
    "ts-node-dev": "^2.0.0",
    "typescript": "^5.9.3"
  },
  "private": true,
  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1024.0",
+    "@aws-sdk/s3-request-presigner": "^3.1024.0",
    "@nestjs/common": "^11.1.18",
    "@nestjs/config": "^4.0.3",
    "@nestjs/core": "^11.1.18",
    "@nestjs/jwt": "^11.0.2",
+    "@nestjs/passport": "^11.0.5",
    "@nestjs/platform-express": "^11.1.18",
    "@otplib/preset-default": "^12.0.1",
+    "@prisma/adapter-pg": "^7.6.0",
    "@prisma/client": "^7.6.0",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.15.1",
+    "nodemailer": "^8.0.4",
    "otplib": "^13.4.0",
+    "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
+    "passport-oauth2": "^1.8.0",
+    "pg": "^8.20.0",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
  }
@@ -1,6 +1,9 @@
 import { Module } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
+import { AttachmentModule } from "./attachment/attachment.module";
 import { AuthModule } from "./auth/auth.module";
+import { PrismaModule } from "./prisma/prisma.module";
+import { TaskModule } from "./task/task.module";

@Module({
  imports: [
@@ -8,7 +11,10 @@ import { AuthModule } from "./auth/auth.module";
      isGlobal: true,
      envFilePath: ".env"
    }),
-    AuthModule
+    PrismaModule,
+    AuthModule,
+    TaskModule,
+    AttachmentModule
  ]
 })
 export class AppModule {}
@@ -0,0 +1,38 @@
+import { Body, Controller, Headers, Post, UnauthorizedException } from "@nestjs/common";
+import {
+  AttachmentResponse,
+  AttachmentService,
+  PresignAttachmentResponse
+} from "./attachment.service";
+import { CompleteAttachmentDto } from "./dto/complete-attachment.dto";
+import { PresignAttachmentDto } from "./dto/presign-attachment.dto";
+
+@Controller("attachments")
+export class AttachmentController {
+  constructor(private readonly attachmentService: AttachmentService) {}
+
+  @Post("presign")
+  async presignAttachment(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Body() body: PresignAttachmentDto
+  ): Promise<PresignAttachmentResponse> {
+    return this.attachmentService.presignAttachment(this.resolveUserId(userIdHeader), body);
+  }
+
+  @Post("complete")
+  async completeAttachment(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Body() body: CompleteAttachmentDto
+  ): Promise<AttachmentResponse> {
+    return this.attachmentService.completeAttachment(this.resolveUserId(userIdHeader), body);
+  }
+
+  private resolveUserId(userIdHeader: string | string[] | undefined): string {
+    const userId = Array.isArray(userIdHeader) ? userIdHeader[0] : userIdHeader;
+    if (!userId) {
+      throw new UnauthorizedException("缺少用户上下文");
+    }
+
+    return userId;
+  }
+}
@@ -0,0 +1,11 @@
+import { Module } from "@nestjs/common";
+import { PrismaModule } from "../prisma/prisma.module";
+import { AttachmentController } from "./attachment.controller";
+import { AttachmentService } from "./attachment.service";
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [AttachmentController],
+  providers: [AttachmentService]
+})
+export class AttachmentModule {}
@@ -0,0 +1,282 @@
+import { randomUUID } from "node:crypto";
+import { Injectable, NotFoundException, PayloadTooLargeException } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { AttachmentType } from "../../generated/prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+import { CompleteAttachmentDto } from "./dto/complete-attachment.dto";
+import { PresignAttachmentDto } from "./dto/presign-attachment.dto";
+
+type QuotaInfo = {
+  totalBytes: bigint;
+  usedBytes: bigint;
+};
+
+export type PresignAttachmentResponse = {
+  method: "PUT";
+  uploadUrl: string;
+  bucket: string;
+  objectKey: string;
+  objectUrl: string;
+  expiresInSeconds: number;
+  quota: {
+    totalBytes: string;
+    usedBytes: string;
+    remainingBytes: string;
+  };
+  headers: {
+    "Content-Type": string;
+  };
+};
+
+export type AttachmentResponse = {
+  id: string;
+  taskId: string | null;
+  type: AttachmentType;
+  url: string;
+  mimeType: string | null;
+  fileName: string | null;
+  fileSize: number;
+  width: number | null;
+  height: number | null;
+  durationMs: number | null;
+  checksum: string | null;
+  createdAt: string;
+  updatedAt: string;
+};
+
+@Injectable()
+export class AttachmentService {
+  private s3Client: S3Client | null = null;
+
+  constructor(
+    private readonly configService: ConfigService,
+    private readonly prismaService: PrismaService
+  ) {}
+
+  async presignAttachment(
+    userId: string,
+    body: PresignAttachmentDto
+  ): Promise<PresignAttachmentResponse> {
+    const quotaInfo = await this.getQuotaSnapshot(userId);
+    this.assertQuotaAvailable(quotaInfo.totalBytes, quotaInfo.usedBytes, body.fileSize);
+
+    if (body.taskId) {
+      await this.ensureTaskOwnership(userId, body.taskId);
+    }
+
+    const bucket = this.getDefaultBucket();
+    const objectKey = this.generateObjectKey(userId, body.fileName);
+    const objectUrl = this.resolveObjectUrl(bucket, objectKey);
+    const expiresInSeconds = this.getPresignExpiresInSeconds();
+
+    const command = new PutObjectCommand({
+      Bucket: bucket,
+      Key: objectKey,
+      ContentType: body.mimeType,
+      ContentLength: body.fileSize
+    });
+
+    const uploadUrl = await getSignedUrl(this.getS3Client(), command, {
+      expiresIn: expiresInSeconds
+    });
+
+    return {
+      method: "PUT",
+      uploadUrl,
+      bucket,
+      objectKey,
+      objectUrl,
+      expiresInSeconds,
+      quota: {
+        totalBytes: quotaInfo.totalBytes.toString(),
+        usedBytes: quotaInfo.usedBytes.toString(),
+        remainingBytes: (quotaInfo.totalBytes - quotaInfo.usedBytes).toString()
+      },
+      headers: {
+        "Content-Type": body.mimeType
+      }
+    };
+  }
+
+  async completeAttachment(
+    userId: string,
+    body: CompleteAttachmentDto
+  ): Promise<AttachmentResponse> {
+    if (body.taskId) {
+      await this.ensureTaskOwnership(userId, body.taskId);
+    }
+
+    const bucket = body.bucket ?? this.getDefaultBucket();
+    const objectUrl = this.resolveObjectUrl(bucket, body.objectKey);
+
+    const attachment = await this.prismaService.$transaction(async (tx) => {
+      const quotaInfo = await this.getQuotaSnapshot(userId, tx);
+      this.assertQuotaAvailable(quotaInfo.totalBytes, quotaInfo.usedBytes, body.fileSize);
+
+      const uploadBytes = BigInt(body.fileSize);
+      const maxUsedBeforeUpload = quotaInfo.totalBytes - uploadBytes;
+      const updatedUser = await tx.user.updateMany({
+        where: {
+          id: userId,
+          usedStorageBytes: {
+            lte: maxUsedBeforeUpload
+          }
+        },
+        data: {
+          usedStorageBytes: {
+            increment: uploadBytes
+          }
+        }
+      });
+      if (updatedUser.count === 0) {
+        throw new PayloadTooLargeException("存储配额不足");
+      }
+
+      return tx.attachment.create({
+        data: {
+          userId,
+          taskId: body.taskId ?? null,
+          type: body.type ?? this.resolveAttachmentType(body.mimeType),
+          url: objectUrl,
+          mimeType: body.mimeType,
+          fileName: body.fileName,
+          fileSize: body.fileSize,
+          width: body.width ?? null,
+          height: body.height ?? null,
+          durationMs: body.durationMs ?? null,
+          checksum: body.checksum ?? null
+        }
+      });
+    });
+
+    return {
+      id: attachment.id,
+      taskId: attachment.taskId,
+      type: attachment.type,
+      url: attachment.url,
+      mimeType: attachment.mimeType,
+      fileName: attachment.fileName,
+      fileSize: attachment.fileSize,
+      width: attachment.width,
+      height: attachment.height,
+      durationMs: attachment.durationMs,
+      checksum: attachment.checksum,
+      createdAt: attachment.createdAt.toISOString(),
+      updatedAt: attachment.updatedAt.toISOString()
+    };
+  }
+
+  private getS3Client(): S3Client {
+    if (this.s3Client) {
+      return this.s3Client;
+    }
+
+    const endpoint = this.configService.get<string>("S3_ENDPOINT") ?? "http://127.0.0.1:9000";
+    const region = this.configService.get<string>("S3_REGION") ?? "us-east-1";
+    const forcePathStyle =
+      this.configService.get<string>("S3_FORCE_PATH_STYLE")?.toLowerCase() !== "false";
+
+    this.s3Client = new S3Client({
+      endpoint,
+      region,
+      forcePathStyle,
+      credentials: {
+        accessKeyId: this.configService.get<string>("S3_ACCESS_KEY_ID") ?? "minioadmin",
+        secretAccessKey: this.configService.get<string>("S3_SECRET_ACCESS_KEY") ?? "minioadmin"
+      }
+    });
+
+    return this.s3Client;
+  }
+
+  private getDefaultBucket(): string {
+    return this.configService.get<string>("S3_BUCKET") ?? "todolist";
+  }
+
+  private getPresignExpiresInSeconds(): number {
+    const configValue = Number(this.configService.get<string>("S3_PRESIGN_EXPIRES_SECONDS") ?? 900);
+    if (!Number.isFinite(configValue) || configValue <= 0) {
+      return 900;
+    }
+
+    return Math.min(configValue, 604800);
+  }
+
+  private generateObjectKey(userId: string, fileName: string): string {
+    const safeFileName = fileName.replace(/[^\w.-]+/g, "_");
+    const datePrefix = new Date().toISOString().slice(0, 10);
+    return `${userId}/${datePrefix}/${randomUUID()}-${safeFileName}`;
+  }
+
+  private resolveObjectUrl(bucket: string, objectKey: string): string {
+    const publicBaseUrl = this.configService.get<string>("S3_PUBLIC_BASE_URL");
+    if (publicBaseUrl) {
+      return `${publicBaseUrl.replace(/\/+$/, "")}/${bucket}/${objectKey}`;
+    }
+
+    const endpoint = this.configService.get<string>("S3_ENDPOINT") ?? "http://127.0.0.1:9000";
+    return `${endpoint.replace(/\/+$/, "")}/${bucket}/${objectKey}`;
+  }
+
+  private resolveAttachmentType(mimeType: string): AttachmentType {
+    if (mimeType.startsWith("image/")) {
+      return AttachmentType.IMAGE;
+    }
+
+    if (mimeType.startsWith("video/")) {
+      return AttachmentType.VIDEO;
+    }
+
+    return AttachmentType.FILE;
+  }
+
+  private async ensureTaskOwnership(userId: string, taskId: string): Promise<void> {
+    const task = await this.prismaService.task.findFirst({
+      where: {
+        id: taskId,
+        userId
+      },
+      select: {
+        id: true
+      }
+    });
+
+    if (!task) {
+      throw new NotFoundException("任务不存在");
+    }
+  }
+
+  private async getQuotaSnapshot(
+    userId: string,
+    tx: Pick<PrismaService, "user"> = this.prismaService
+  ): Promise<QuotaInfo> {
+    const user = await tx.user.findUnique({
+      where: {
+        id: userId
+      },
+      select: {
+        id: true,
+        defaultStorageQuotaMb: true,
+        usedStorageBytes: true
+      }
+    });
+
+    if (!user) {
+      throw new NotFoundException("用户不存在");
+    }
+
+    return {
+      totalBytes: BigInt(user.defaultStorageQuotaMb) * 1024n * 1024n,
+      usedBytes: user.usedStorageBytes
+    };
+  }
+
+  private assertQuotaAvailable(totalBytes: bigint, usedBytes: bigint, fileSize: number): void {
+    const uploadBytes = BigInt(fileSize);
+    if (uploadBytes > totalBytes || usedBytes + uploadBytes > totalBytes) {
+      throw new PayloadTooLargeException("存储配额不足");
+    }
+  }
+}
@@ -0,0 +1,89 @@
+import { Transform, Type } from "class-transformer";
+import {
+  IsEnum,
+  IsInt,
+  IsOptional,
+  IsString,
+  Max,
+  MaxLength,
+  Min,
+  MinLength
+} from "class-validator";
+import { AttachmentType } from "../../../generated/prisma/client";
+
+function normalizeString(value: unknown): unknown {
+  if (typeof value !== "string") {
+    return value;
+  }
+
+  return value.trim();
+}
+
+export class CompleteAttachmentDto {
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  objectKey!: string;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(100)
+  bucket?: string;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  fileName!: string;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  mimeType!: string;
+
+  @Type(() => Number)
+  @IsInt()
+  @Min(1)
+  @Max(1073741824)
+  fileSize!: number;
+
+  @IsOptional()
+  @IsEnum(AttachmentType)
+  type?: AttachmentType;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  taskId?: string;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(128)
+  checksum?: string;
+
+  @Type(() => Number)
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(100000)
+  width?: number;
+
+  @Type(() => Number)
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(100000)
+  height?: number;
+
+  @Type(() => Number)
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(86400000)
+  durationMs?: number;
+}
@@ -0,0 +1,35 @@
+import { Transform } from "class-transformer";
+import { IsInt, IsOptional, IsString, Max, MaxLength, Min, MinLength } from "class-validator";
+
+function normalizeString(value: unknown): unknown {
+  if (typeof value !== "string") {
+    return value;
+  }
+
+  return value.trim();
+}
+
+export class PresignAttachmentDto {
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  fileName!: string;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(255)
+  mimeType!: string;
+
+  @IsInt()
+  @Min(1)
+  @Max(1073741824)
+  fileSize!: number;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(255)
+  taskId?: string;
+}
@@ -0,0 +1,131 @@
+import {
+  Injectable,
+  InternalServerErrorException,
+  Logger,
+  ServiceUnavailableException
+} from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { createTransport, type Transporter } from "nodemailer";
+
+type MailRuntimeConfig = {
+  host: string;
+  port: number;
+  secure: boolean;
+  user: string;
+  pass: string;
+  fromName: string;
+  fromAddress: string;
+};
+
+@Injectable()
+export class AuthMailService {
+  private readonly logger = new Logger(AuthMailService.name);
+  private cachedConfig: MailRuntimeConfig | null = null;
+  private transporter: Transporter | null = null;
+
+  constructor(private readonly configService: ConfigService) {}
+
+  async sendLoginCode(email: string, code: string, ttlSeconds: number): Promise<void> {
+    const config = this.getRuntimeConfig();
+    const transporter = this.getTransporter(config);
+
+    try {
+      await transporter.sendMail({
+        from: this.resolveFromField(config),
+        to: email,
+        subject: "TodoList 登录验证码",
+        text: `你的验证码是 ${code}，${ttlSeconds} 秒内有效。`,
+        html: `<p>你的验证码是 <strong>${code}</strong>，${ttlSeconds} 秒内有效。</p>`
+      });
+    } catch (error) {
+      this.logger.error(
+        `验证码邮件发送失败: ${email}`,
+        error instanceof Error ? error.stack : undefined
+      );
+      throw new ServiceUnavailableException("验证码邮件发送失败，请稍后重试");
+    }
+  }
+
+  private getTransporter(config: MailRuntimeConfig): Transporter {
+    if (this.transporter) {
+      return this.transporter;
+    }
+
+    this.transporter = createTransport({
+      host: config.host,
+      port: config.port,
+      secure: config.secure,
+      auth: {
+        user: config.user,
+        pass: config.pass
+      }
+    });
+
+    return this.transporter;
+  }
+
+  private getRuntimeConfig(): MailRuntimeConfig {
+    if (this.cachedConfig) {
+      return this.cachedConfig;
+    }
+
+    const host = this.getRequiredString("MAIL_SMTP_HOST");
+    const port = this.getRequiredNumber("MAIL_SMTP_PORT");
+    const secure = this.getBoolean("MAIL_SMTP_SECURE", port === 465);
+    const user = this.getRequiredString("MAIL_SMTP_USER");
+    const pass = this.getRequiredString("MAIL_SMTP_PASS");
+    const fromName = this.configService.get<string>("MAIL_FROM_NAME")?.trim() || "TodoList";
+    const fromAddress = this.configService.get<string>("MAIL_FROM_ADDRESS")?.trim() || user;
+
+    const config: MailRuntimeConfig = {
+      host,
+      port,
+      secure,
+      user,
+      pass,
+      fromName,
+      fromAddress
+    };
+
+    this.cachedConfig = config;
+    return config;
+  }
+
+  private getRequiredString(key: string): string {
+    const value = this.configService.get<string>(key)?.trim();
+    if (!value) {
+      throw new InternalServerErrorException(`邮件配置缺失: ${key}`);
+    }
+
+    return value;
+  }
+
+  private getRequiredNumber(key: string): number {
+    const rawValue = this.configService.get<string>(key)?.trim();
+    if (!rawValue) {
+      throw new InternalServerErrorException(`邮件配置缺失: ${key}`);
+    }
+
+    const parsedValue = Number(rawValue);
+    if (!Number.isFinite(parsedValue)) {
+      throw new InternalServerErrorException(`邮件配置格式错误: ${key}`);
+    }
+
+    return parsedValue;
+  }
+
+  private getBoolean(key: string, fallback: boolean): boolean {
+    const rawValue = this.configService.get<string>(key);
+    if (!rawValue) {
+      return fallback;
+    }
+
+    const normalizedValue = rawValue.trim().toLowerCase();
+    return normalizedValue === "true" || normalizedValue === "1";
+  }
+
+  private resolveFromField(config: MailRuntimeConfig): string {
+    const sanitizedName = config.fromName.replace(/"/g, "");
+    return `"${sanitizedName}" <${config.fromAddress}>`;
+  }
+}
@@ -14,7 +14,7 @@ export class AuthController {
  @Post("email/send-code")
  async sendEmailCode(
    @Body() body: SendEmailCodeDto
-  ): Promise<{ success: boolean; expiresInSeconds: number; debugCode: string }> {
+  ): Promise<{ success: boolean; expiresInSeconds: number }> {
    return this.authService.sendEmailCode(body.email);
  }

@@ -3,6 +3,7 @@ import { ConfigModule, ConfigService } from "@nestjs/config";
 import { JwtModule } from "@nestjs/jwt";
 import { PassportModule } from "@nestjs/passport";
 import { AuthController } from "./auth.controller";
+import { AuthMailService } from "./auth-mail.service";
 import { AuthService } from "./auth.service";
 import { GithubStrategy } from "./strategies/github.strategy";
 import { QqStrategy } from "./strategies/qq.strategy";
@@ -27,6 +28,6 @@ import { WechatStrategy } from "./strategies/wechat.strategy";
    })
  ],
  controllers: [AuthController],
-  providers: [AuthService, GithubStrategy, QqStrategy, WechatStrategy]
+  providers: [AuthService, AuthMailService, GithubStrategy, QqStrategy, WechatStrategy]
 })
 export class AuthModule {}
@@ -3,6 +3,8 @@ import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
 import { randomUUID } from "node:crypto";
 import { authenticator } from "@otplib/preset-default";
+import { AuthMailService } from "./auth-mail.service";
+import { PrismaService } from "../prisma/prisma.service";

 type EmailCodeEntry = {
  code: string;
@@ -14,17 +16,6 @@ type AuthUser = {
  email: string;
 };

-type RefreshTokenEntry = {
-  userId: string;
-  expiresAt: number;
-  revokedAt?: number;
-};
-
-type TwoFactorEntry = {
-  secret: string;
-  enabled: boolean;
-};
-
 type AuthTokenResult = {
  accessToken: string;
  tokenType: "Bearer";
@@ -37,29 +28,26 @@ type AuthTokenResult = {
@Injectable()
 export class AuthService {
  private readonly emailCodeStore = new Map<string, EmailCodeEntry>();
-  private readonly userStoreByEmail = new Map<string, AuthUser>();
-  private readonly userStoreById = new Map<string, AuthUser>();
-  private readonly refreshTokenStore = new Map<string, RefreshTokenEntry>();
-  private readonly twoFactorStore = new Map<string, TwoFactorEntry>();

  constructor(
    private readonly configService: ConfigService,
-    private readonly jwtService: JwtService
+    private readonly jwtService: JwtService,
+    private readonly authMailService: AuthMailService,
+    private readonly prismaService: PrismaService
  ) {}

-  async sendEmailCode(
-    email: string
-  ): Promise<{ success: boolean; expiresInSeconds: number; debugCode: string }> {
+  async sendEmailCode(email: string): Promise<{ success: boolean; expiresInSeconds: number }> {
    const ttlSeconds = Number(this.configService.get("AUTH_EMAIL_CODE_TTL_SECONDS") ?? 300);
    const code = this.generateCode();
    const expiresAt = Date.now() + ttlSeconds * 1000;
+    const normalizedEmail = email.toLowerCase();

-    this.emailCodeStore.set(email.toLowerCase(), { code, expiresAt });
+    await this.authMailService.sendLoginCode(normalizedEmail, code, ttlSeconds);
+    this.emailCodeStore.set(normalizedEmail, { code, expiresAt });

    return {
      success: true,
-      expiresInSeconds: ttlSeconds,
-      debugCode: code
+      expiresInSeconds: ttlSeconds
    };
  }

@@ -82,53 +70,92 @@ export class AuthService {

    this.emailCodeStore.delete(lowerEmail);

-    const user = this.getOrCreateUser(lowerEmail);
+    const user = await this.getOrCreateUser(lowerEmail);
    return this.issueTokens(user);
  }

  async refreshTokens(refreshToken: string): Promise<AuthTokenResult> {
-    const entry = this.refreshTokenStore.get(refreshToken);
+    const entry = await this.prismaService.refreshToken.findUnique({
+      where: {
+        tokenHash: refreshToken
+      },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true
+          }
+        }
+      }
+    });
+
    if (!entry) {
      throw new UnauthorizedException("刷新令牌不存在");
    }
+
    if (entry.revokedAt) {
      throw new UnauthorizedException("刷新令牌已注销");
    }
-    if (entry.expiresAt < Date.now()) {
-      this.refreshTokenStore.delete(refreshToken);
+
+    if (entry.expiresAt.getTime() < Date.now()) {
+      await this.prismaService.refreshToken.update({
+        where: {
+          id: entry.id
+        },
+        data: {
+          revokedAt: new Date()
+        }
+      });
      throw new UnauthorizedException("刷新令牌已过期");
    }

-    const user = this.userStoreById.get(entry.userId);
-    if (!user) {
-      throw new UnauthorizedException("用户不存在");
-    }
+    await this.prismaService.refreshToken.update({
+      where: {
+        id: entry.id
+      },
+      data: {
+        revokedAt: new Date()
+      }
+    });

-    entry.revokedAt = Date.now();
-    return this.issueTokens(user);
+    return this.issueTokens(entry.user);
  }

  async revokeRefreshToken(refreshToken: string): Promise<{ success: boolean }> {
-    const entry = this.refreshTokenStore.get(refreshToken);
-    if (!entry) {
-      return { success: true };
-    }
+    await this.prismaService.refreshToken.updateMany({
+      where: {
+        tokenHash: refreshToken,
+        revokedAt: null
+      },
+      data: {
+        revokedAt: new Date()
+      }
+    });

-    entry.revokedAt = Date.now();
    return { success: true };
  }

  async enrollTwoFactor(
    email: string
  ): Promise<{ userId: string; secret: string; otpauthUrl: string; enabled: boolean }> {
-    const user = this.getOrCreateUser(email.toLowerCase());
+    const user = await this.getOrCreateUser(email.toLowerCase());
    const secret = authenticator.generateSecret();
    const issuer = this.configService.get<string>("AUTH_TOTP_ISSUER") ?? "TodoList";
    const otpauthUrl = authenticator.keyuri(user.email, issuer, secret);

-    this.twoFactorStore.set(user.id, {
-      secret,
-      enabled: false
+    await this.prismaService.userSecurity.upsert({
+      where: {
+        userId: user.id
+      },
+      update: {
+        twoFactorSecret: secret,
+        twoFactorEnabled: false
+      },
+      create: {
+        userId: user.id,
+        twoFactorSecret: secret,
+        twoFactorEnabled: false
+      }
    });

    return {
@@ -143,38 +170,54 @@ export class AuthService {
    email: string,
    token: string
  ): Promise<{ success: boolean; enabled: boolean }> {
-    const user = this.getOrCreateUser(email.toLowerCase());
-    const entry = this.twoFactorStore.get(user.id);
-    if (!entry) {
+    const user = await this.getOrCreateUser(email.toLowerCase());
+    const security = await this.prismaService.userSecurity.findUnique({
+      where: {
+        userId: user.id
+      },
+      select: {
+        twoFactorSecret: true
+      }
+    });
+
+    if (!security?.twoFactorSecret) {
      throw new UnauthorizedException("尚未启用两步验证");
    }

-    const valid = authenticator.check(token, entry.secret);
+    const valid = authenticator.check(token, security.twoFactorSecret);
    if (!valid) {
      throw new UnauthorizedException("两步验证码错误");
    }

-    entry.enabled = true;
+    await this.prismaService.userSecurity.update({
+      where: {
+        userId: user.id
+      },
+      data: {
+        twoFactorEnabled: true
+      }
+    });
+
    return {
      success: true,
      enabled: true
    };
  }

-  private getOrCreateUser(email: string): AuthUser {
-    const existingUser = this.userStoreByEmail.get(email);
-    if (existingUser) {
-      return existingUser;
-    }
-
-    const newUser = {
-      id: randomUUID(),
-      email
-    };
-    this.userStoreByEmail.set(email, newUser);
-    this.userStoreById.set(newUser.id, newUser);
-
-    return newUser;
+  private async getOrCreateUser(email: string): Promise<AuthUser> {
+    return this.prismaService.user.upsert({
+      where: {
+        email
+      },
+      update: {},
+      create: {
+        email
+      },
+      select: {
+        id: true,
+        email: true
+      }
+    });
  }

  private generateCode(): string {
@@ -194,9 +237,12 @@ export class AuthService {
    });
    const refreshToken = `${randomUUID()}${randomUUID()}`;

-    this.refreshTokenStore.set(refreshToken, {
-      userId: user.id,
-      expiresAt: Date.now() + refreshExpiresInSeconds * 1000
+    await this.prismaService.refreshToken.create({
+      data: {
+        userId: user.id,
+        tokenHash: refreshToken,
+        expiresAt: new Date(Date.now() + refreshExpiresInSeconds * 1000)
+      }
    });

    return {
@@ -5,6 +5,10 @@ import { AppModule } from "./app.module";

 async function bootstrap(): Promise<void> {
  const app = await NestFactory.create(AppModule);
+  app.enableCors({
+    origin: true,
+    credentials: true
+  });
  app.useGlobalPipes(
    new ValidationPipe({
      transform: true,
@@ -0,0 +1,9 @@
+import { Global, Module } from "@nestjs/common";
+import { PrismaService } from "./prisma.service";
+
+@Global()
+@Module({
+  providers: [PrismaService],
+  exports: [PrismaService]
+})
+export class PrismaModule {}
@@ -0,0 +1,28 @@
+import { Injectable, OnModuleDestroy, OnModuleInit } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { PrismaPg } from "@prisma/adapter-pg";
+import { PrismaClient } from "../../generated/prisma/client";
+
+@Injectable()
+export class PrismaService extends PrismaClient implements OnModuleInit, OnModuleDestroy {
+  constructor(configService: ConfigService) {
+    const connectionString = configService.get<string>("DATABASE_URL");
+    if (!connectionString) {
+      throw new Error("缺少数据库连接配置 DATABASE_URL");
+    }
+
+    super({
+      adapter: new PrismaPg({
+        connectionString
+      })
+    });
+  }
+
+  async onModuleInit(): Promise<void> {
+    await this.$connect();
+  }
+
+  async onModuleDestroy(): Promise<void> {
+    await this.$disconnect();
+  }
+}
@@ -0,0 +1,64 @@
+import { Transform } from "class-transformer";
+import {
+  IsArray,
+  IsDateString,
+  IsEnum,
+  IsObject,
+  IsOptional,
+  IsString,
+  MaxLength,
+  MinLength
+} from "class-validator";
+import { TaskPriority, TaskStatus } from "../../../generated/prisma/client";
+
+function normalizeString(value: unknown): unknown {
+  if (typeof value !== "string") {
+    return value;
+  }
+
+  return value.trim();
+}
+
+export class CreateTaskDto {
+  @Transform(({ value }) => normalizeString(value))
+  @IsString()
+  @MinLength(1)
+  @MaxLength(120)
+  title!: string;
+
+  @IsOptional()
+  @IsObject()
+  contentJson?: Record<string, unknown>;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(20000)
+  contentText?: string;
+
+  @IsOptional()
+  @IsEnum(TaskPriority)
+  priority?: TaskPriority;
+
+  @IsOptional()
+  @IsEnum(TaskStatus)
+  status?: TaskStatus;
+
+  @IsOptional()
+  @IsDateString()
+  ddl?: string;
+
+  @Transform(({ value }) => {
+    if (!Array.isArray(value)) {
+      return value;
+    }
+
+    return value.map((item) => normalizeString(item));
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  @MinLength(1, { each: true })
+  @MaxLength(30, { each: true })
+  tagNames?: string[];
+}
@@ -0,0 +1,92 @@
+import { Transform, Type } from "class-transformer";
+import { IsArray, IsEnum, IsInt, IsOptional, IsString, Max, MaxLength, Min } from "class-validator";
+import { TaskPriority, TaskStatus } from "../../../generated/prisma/client";
+
+export enum TaskSortBy {
+  CREATED_AT = "createdAt",
+  UPDATED_AT = "updatedAt",
+  DDL = "ddl"
+}
+
+export enum TaskSortOrder {
+  ASC = "asc",
+  DESC = "desc"
+}
+
+function normalizeString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+
+  const normalized = value.trim();
+  if (!normalized) {
+    return undefined;
+  }
+
+  return normalized;
+}
+
+export class ListTasksQueryDto {
+  @IsOptional()
+  @IsEnum(TaskStatus)
+  status?: TaskStatus;
+
+  @IsOptional()
+  @IsEnum(TaskPriority)
+  priority?: TaskPriority;
+
+  @Transform(({ value }) => {
+    if (value === undefined || value === null || value === "") {
+      return undefined;
+    }
+
+    if (Array.isArray(value)) {
+      const normalized = value
+        .map((item) => normalizeString(item))
+        .filter((item): item is string => item !== undefined);
+      return normalized.length > 0 ? normalized : undefined;
+    }
+
+    if (typeof value === "string") {
+      const normalized = value
+        .split(",")
+        .map((item) => normalizeString(item))
+        .filter((item): item is string => item !== undefined);
+      return normalized.length > 0 ? normalized : undefined;
+    }
+
+    return undefined;
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  @MaxLength(30, { each: true })
+  tags?: string[];
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(120)
+  keyword?: string;
+
+  @Type(() => Number)
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  page?: number;
+
+  @Type(() => Number)
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(100)
+  pageSize?: number;
+
+  @IsOptional()
+  @IsEnum(TaskSortBy)
+  sortBy?: TaskSortBy;
+
+  @IsOptional()
+  @IsEnum(TaskSortOrder)
+  sortOrder?: TaskSortOrder;
+}
@@ -0,0 +1,65 @@
+import { Transform } from "class-transformer";
+import {
+  IsArray,
+  IsDateString,
+  IsEnum,
+  IsObject,
+  IsOptional,
+  IsString,
+  MaxLength,
+  MinLength
+} from "class-validator";
+import { TaskPriority, TaskStatus } from "../../../generated/prisma/client";
+
+function normalizeString(value: unknown): unknown {
+  if (typeof value !== "string") {
+    return value;
+  }
+
+  return value.trim();
+}
+
+export class UpdateTaskDto {
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MinLength(1)
+  @MaxLength(120)
+  title?: string;
+
+  @IsOptional()
+  @IsObject()
+  contentJson?: Record<string, unknown>;
+
+  @Transform(({ value }) => normalizeString(value))
+  @IsOptional()
+  @IsString()
+  @MaxLength(20000)
+  contentText?: string;
+
+  @IsOptional()
+  @IsEnum(TaskPriority)
+  priority?: TaskPriority;
+
+  @IsOptional()
+  @IsEnum(TaskStatus)
+  status?: TaskStatus;
+
+  @IsOptional()
+  @IsDateString()
+  ddl?: string;
+
+  @Transform(({ value }) => {
+    if (!Array.isArray(value)) {
+      return value;
+    }
+
+    return value.map((item) => normalizeString(item));
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  @MinLength(1, { each: true })
+  @MaxLength(30, { each: true })
+  tagNames?: string[];
+}
@@ -0,0 +1,71 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Headers,
+  Param,
+  Patch,
+  Post,
+  Query,
+  UnauthorizedException
+} from "@nestjs/common";
+import { CreateTaskDto } from "./dto/create-task.dto";
+import { ListTasksQueryDto } from "./dto/list-tasks-query.dto";
+import { UpdateTaskDto } from "./dto/update-task.dto";
+import { ListTasksResponse, TaskResponse, TaskService } from "./task.service";
+
+@Controller("tasks")
+export class TaskController {
+  constructor(private readonly taskService: TaskService) {}
+
+  @Get()
+  async listTasks(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Query() query: ListTasksQueryDto
+  ): Promise<ListTasksResponse> {
+    return this.taskService.listTasks(this.resolveUserId(userIdHeader), query);
+  }
+
+  @Get(":taskId")
+  async getTaskById(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Param("taskId") taskId: string
+  ): Promise<TaskResponse> {
+    return this.taskService.getTaskById(this.resolveUserId(userIdHeader), taskId);
+  }
+
+  @Post()
+  async createTask(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Body() body: CreateTaskDto
+  ): Promise<TaskResponse> {
+    return this.taskService.createTask(this.resolveUserId(userIdHeader), body);
+  }
+
+  @Patch(":taskId")
+  async updateTask(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Param("taskId") taskId: string,
+    @Body() body: UpdateTaskDto
+  ): Promise<TaskResponse> {
+    return this.taskService.updateTask(this.resolveUserId(userIdHeader), taskId, body);
+  }
+
+  @Delete(":taskId")
+  async deleteTask(
+    @Headers("x-user-id") userIdHeader: string | string[] | undefined,
+    @Param("taskId") taskId: string
+  ): Promise<{ success: boolean }> {
+    return this.taskService.deleteTask(this.resolveUserId(userIdHeader), taskId);
+  }
+
+  private resolveUserId(userIdHeader: string | string[] | undefined): string {
+    const userId = Array.isArray(userIdHeader) ? userIdHeader[0] : userIdHeader;
+    if (!userId) {
+      throw new UnauthorizedException("缺少用户上下文");
+    }
+
+    return userId;
+  }
+}
@@ -0,0 +1,11 @@
+import { Module } from "@nestjs/common";
+import { PrismaModule } from "../prisma/prisma.module";
+import { TaskController } from "./task.controller";
+import { TaskService } from "./task.service";
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [TaskController],
+  providers: [TaskService]
+})
+export class TaskModule {}
@@ -0,0 +1,390 @@
+import { Injectable, NotFoundException } from "@nestjs/common";
+import { Prisma, TaskPriority, TaskStatus } from "../../generated/prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+import { CreateTaskDto } from "./dto/create-task.dto";
+import { ListTasksQueryDto, TaskSortBy, TaskSortOrder } from "./dto/list-tasks-query.dto";
+import { UpdateTaskDto } from "./dto/update-task.dto";
+
+type TaskEntity = Prisma.TaskGetPayload<{
+  include: {
+    taskTags: {
+      include: {
+        tag: {
+          select: {
+            name: true;
+          };
+        };
+      };
+    };
+  };
+}>;
+
+export type TaskResponse = {
+  id: string;
+  title: string;
+  contentJson: unknown | null;
+  contentText: string | null;
+  priority: TaskPriority;
+  status: TaskStatus;
+  ddl: string | null;
+  completedAt: string | null;
+  version: number;
+  tags: string[];
+  createdAt: string;
+  updatedAt: string;
+};
+
+export type ListTasksResponse = {
+  items: TaskResponse[];
+  page: number;
+  pageSize: number;
+  total: number;
+};
+
+@Injectable()
+export class TaskService {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async listTasks(userId: string, query: ListTasksQueryDto): Promise<ListTasksResponse> {
+    const page = query.page ?? 1;
+    const pageSize = query.pageSize ?? 20;
+    const skip = (page - 1) * pageSize;
+
+    const where = this.buildWhereInput(userId, query);
+    const orderBy = this.buildOrderByInput(query);
+
+    const [items, total] = await Promise.all([
+      this.prismaService.task.findMany({
+        where,
+        orderBy,
+        skip,
+        take: pageSize,
+        include: {
+          taskTags: {
+            include: {
+              tag: {
+                select: {
+                  name: true
+                }
+              }
+            }
+          }
+        }
+      }),
+      this.prismaService.task.count({ where })
+    ]);
+
+    return {
+      items: items.map((item) => this.serializeTask(item)),
+      page,
+      pageSize,
+      total
+    };
+  }
+
+  async getTaskById(userId: string, taskId: string): Promise<TaskResponse> {
+    const task = await this.prismaService.task.findFirst({
+      where: {
+        id: taskId,
+        userId
+      },
+      include: {
+        taskTags: {
+          include: {
+            tag: {
+              select: {
+                name: true
+              }
+            }
+          }
+        }
+      }
+    });
+
+    if (!task) {
+      throw new NotFoundException("任务不存在");
+    }
+
+    return this.serializeTask(task);
+  }
+
+  async createTask(userId: string, body: CreateTaskDto): Promise<TaskResponse> {
+    const tagNames = this.normalizeTagNames(body.tagNames);
+    const nextStatus = body.status ?? TaskStatus.TODO;
+    const contentJson =
+      body.contentJson !== undefined ? (body.contentJson as Prisma.InputJsonValue) : undefined;
+
+    const task = await this.prismaService.$transaction(async (tx) => {
+      const createdTask = await tx.task.create({
+        data: {
+          userId,
+          title: body.title,
+          contentJson,
+          contentText: body.contentText ?? null,
+          priority: body.priority ?? TaskPriority.MEDIUM,
+          status: nextStatus,
+          ddl: body.ddl ? new Date(body.ddl) : null,
+          completedAt: nextStatus === TaskStatus.DONE ? new Date() : null
+        }
+      });
+
+      await this.replaceTaskTags(tx, userId, createdTask.id, tagNames);
+
+      return tx.task.findUniqueOrThrow({
+        where: { id: createdTask.id },
+        include: {
+          taskTags: {
+            include: {
+              tag: {
+                select: {
+                  name: true
+                }
+              }
+            }
+          }
+        }
+      });
+    });
+
+    return this.serializeTask(task);
+  }
+
+  async updateTask(userId: string, taskId: string, body: UpdateTaskDto): Promise<TaskResponse> {
+    const currentTask = await this.prismaService.task.findFirst({
+      where: {
+        id: taskId,
+        userId
+      },
+      select: {
+        id: true,
+        status: true
+      }
+    });
+
+    if (!currentTask) {
+      throw new NotFoundException("任务不存在");
+    }
+
+    const data: Prisma.TaskUpdateInput = {
+      version: {
+        increment: 1
+      }
+    };
+
+    if (body.title !== undefined) {
+      data.title = body.title;
+    }
+    if (body.contentJson !== undefined) {
+      data.contentJson = body.contentJson as Prisma.InputJsonValue;
+    }
+    if (body.contentText !== undefined) {
+      data.contentText = body.contentText;
+    }
+    if (body.priority !== undefined) {
+      data.priority = body.priority;
+    }
+    if (body.status !== undefined) {
+      data.status = body.status;
+      if (body.status === TaskStatus.DONE && currentTask.status !== TaskStatus.DONE) {
+        data.completedAt = new Date();
+      } else if (body.status !== TaskStatus.DONE) {
+        data.completedAt = null;
+      }
+    }
+    if (body.ddl !== undefined) {
+      data.ddl = body.ddl ? new Date(body.ddl) : null;
+    }
+
+    const shouldReplaceTags = body.tagNames !== undefined;
+    const nextTagNames = this.normalizeTagNames(body.tagNames);
+
+    const task = await this.prismaService.$transaction(async (tx) => {
+      await tx.task.update({
+        where: { id: taskId },
+        data
+      });
+
+      if (shouldReplaceTags) {
+        await this.replaceTaskTags(tx, userId, taskId, nextTagNames);
+      }
+
+      return tx.task.findUniqueOrThrow({
+        where: { id: taskId },
+        include: {
+          taskTags: {
+            include: {
+              tag: {
+                select: {
+                  name: true
+                }
+              }
+            }
+          }
+        }
+      });
+    });
+
+    return this.serializeTask(task);
+  }
+
+  async deleteTask(userId: string, taskId: string): Promise<{ success: boolean }> {
+    const deleted = await this.prismaService.task.deleteMany({
+      where: {
+        id: taskId,
+        userId
+      }
+    });
+
+    if (deleted.count === 0) {
+      throw new NotFoundException("任务不存在");
+    }
+
+    return { success: true };
+  }
+
+  private buildWhereInput(userId: string, query: ListTasksQueryDto): Prisma.TaskWhereInput {
+    const where: Prisma.TaskWhereInput = {
+      userId
+    };
+
+    if (query.status !== undefined) {
+      where.status = query.status;
+    }
+
+    if (query.priority !== undefined) {
+      where.priority = query.priority;
+    }
+
+    if (query.tags !== undefined && query.tags.length > 0) {
+      where.taskTags = {
+        some: {
+          tag: {
+            name: {
+              in: query.tags
+            }
+          }
+        }
+      };
+    }
+
+    if (query.keyword !== undefined && query.keyword.length > 0) {
+      where.OR = [
+        {
+          title: {
+            contains: query.keyword,
+            mode: "insensitive"
+          }
+        },
+        {
+          contentText: {
+            contains: query.keyword,
+            mode: "insensitive"
+          }
+        }
+      ];
+    }
+
+    return where;
+  }
+
+  private buildOrderByInput(query: ListTasksQueryDto): Prisma.TaskOrderByWithRelationInput {
+    const order: Prisma.SortOrder =
+      query.sortOrder === TaskSortOrder.ASC ? Prisma.SortOrder.asc : Prisma.SortOrder.desc;
+
+    if (query.sortBy === TaskSortBy.CREATED_AT) {
+      return { createdAt: order };
+    }
+
+    if (query.sortBy === TaskSortBy.DDL) {
+      return { ddl: order };
+    }
+
+    return { updatedAt: order };
+  }
+
+  private normalizeTagNames(tagNames: string[] | undefined): string[] {
+    if (!tagNames) {
+      return [];
+    }
+
+    const result: string[] = [];
+    const uniqueNames = new Set<string>();
+
+    for (const rawTagName of tagNames) {
+      const normalized = rawTagName.trim();
+      if (!normalized) {
+        continue;
+      }
+
+      const uniqueKey = normalized.toLocaleLowerCase();
+      if (uniqueNames.has(uniqueKey)) {
+        continue;
+      }
+
+      uniqueNames.add(uniqueKey);
+      result.push(normalized);
+    }
+
+    return result;
+  }
+
+  private async replaceTaskTags(
+    tx: Prisma.TransactionClient,
+    userId: string,
+    taskId: string,
+    tagNames: string[]
+  ): Promise<void> {
+    await tx.taskTag.deleteMany({
+      where: {
+        taskId
+      }
+    });
+
+    if (tagNames.length === 0) {
+      return;
+    }
+
+    const tags = await Promise.all(
+      tagNames.map((name) =>
+        tx.tag.upsert({
+          where: {
+            userId_name: {
+              userId,
+              name
+            }
+          },
+          update: {},
+          create: {
+            userId,
+            name
+          }
+        })
+      )
+    );
+
+    await tx.taskTag.createMany({
+      data: tags.map((tag) => ({
+        taskId,
+        tagId: tag.id
+      })),
+      skipDuplicates: true
+    });
+  }
+
+  private serializeTask(task: TaskEntity): TaskResponse {
+    return {
+      id: task.id,
+      title: task.title,
+      contentJson: task.contentJson,
+      contentText: task.contentText,
+      priority: task.priority,
+      status: task.status,
+      ddl: task.ddl?.toISOString() ?? null,
+      completedAt: task.completedAt?.toISOString() ?? null,
+      version: task.version,
+      tags: task.taskTags.map((taskTag) => taskTag.tag.name),
+      createdAt: task.createdAt.toISOString(),
+      updatedAt: task.updatedAt.toISOString()
+    };
+  }
+}
@@ -0,0 +1,464 @@
+import request from "supertest";
+import { INestApplication, ValidationPipe } from "@nestjs/common";
+import { Test, TestingModule } from "@nestjs/testing";
+import { PrismaService } from "../src/prisma/prisma.service";
+import { TaskController } from "../src/task/task.controller";
+import { TaskService } from "../src/task/task.service";
+import { TaskPriority, TaskStatus } from "../generated/prisma/client";
+
+type TaskRecord = {
+  id: string;
+  userId: string;
+  title: string;
+  contentJson: unknown | null;
+  contentText: string | null;
+  priority: TaskPriority;
+  status: TaskStatus;
+  ddl: Date | null;
+  completedAt: Date | null;
+  version: number;
+  createdAt: Date;
+  updatedAt: Date;
+};
+
+type TagRecord = {
+  id: string;
+  userId: string;
+  name: string;
+};
+
+type TaskTagRecord = {
+  taskId: string;
+  tagId: string;
+};
+
+type ListWhereInput = {
+  userId?: string;
+  status?: TaskStatus;
+  priority?: TaskPriority;
+  taskTags?: {
+    some: {
+      tag: {
+        name: {
+          in: string[];
+        };
+      };
+    };
+  };
+  OR?: Array<{
+    title?: {
+      contains: string;
+      mode?: "insensitive";
+    };
+    contentText?: {
+      contains: string;
+      mode?: "insensitive";
+    };
+  }>;
+};
+
+class InMemoryPrismaService {
+  private taskIdSequence = 1;
+  private tagIdSequence = 1;
+  private tasks: TaskRecord[] = [];
+  private tags: TagRecord[] = [];
+  private taskTags: TaskTagRecord[] = [];
+
+  readonly task = {
+    findMany: async (args: {
+      where?: ListWhereInput;
+      orderBy?: { createdAt?: "asc" | "desc"; updatedAt?: "asc" | "desc"; ddl?: "asc" | "desc" };
+      skip?: number;
+      take?: number;
+    }) => {
+      const where = args.where;
+      const skip = args.skip ?? 0;
+      const take = args.take ?? 20;
+      let filtered = [...this.tasks];
+
+      if (where?.userId) {
+        filtered = filtered.filter((task) => task.userId === where.userId);
+      }
+      if (where?.status) {
+        filtered = filtered.filter((task) => task.status === where.status);
+      }
+      if (where?.priority) {
+        filtered = filtered.filter((task) => task.priority === where.priority);
+      }
+      if (where?.taskTags?.some.tag.name.in) {
+        const expectedTags = new Set(where.taskTags.some.tag.name.in);
+        filtered = filtered.filter((task) => {
+          const taskTagNames = this.getTaskTagNames(task.id);
+          return taskTagNames.some((tagName) => expectedTags.has(tagName));
+        });
+      }
+      if (where?.OR && where.OR.length > 0) {
+        filtered = filtered.filter((task) =>
+          where.OR!.some((orCondition) => {
+            if (orCondition.title?.contains) {
+              return task.title.toLowerCase().includes(orCondition.title.contains.toLowerCase());
+            }
+            if (orCondition.contentText?.contains) {
+              return (
+                task.contentText
+                  ?.toLowerCase()
+                  .includes(orCondition.contentText.contains.toLowerCase()) ?? false
+              );
+            }
+            return false;
+          })
+        );
+      }
+
+      if (args.orderBy) {
+        const [orderField, orderDirection] = Object.entries(args.orderBy)[0] as [
+          "createdAt" | "updatedAt" | "ddl",
+          "asc" | "desc"
+        ];
+        filtered.sort((left, right) => {
+          const leftValue = left[orderField];
+          const rightValue = right[orderField];
+
+          if (leftValue === null && rightValue === null) {
+            return 0;
+          }
+          if (leftValue === null) {
+            return 1;
+          }
+          if (rightValue === null) {
+            return -1;
+          }
+
+          const diff = leftValue.getTime() - rightValue.getTime();
+          return orderDirection === "asc" ? diff : -diff;
+        });
+      }
+
+      return filtered.slice(skip, skip + take).map((task) => this.toTaskWithTags(task));
+    },
+
+    count: async (args: { where?: ListWhereInput }) => {
+      const results = await this.task.findMany({
+        where: args.where,
+        skip: 0,
+        take: Number.MAX_SAFE_INTEGER
+      });
+      return results.length;
+    },
+
+    findFirst: async (args: {
+      where: {
+        id?: string;
+        userId?: string;
+      };
+      select?: {
+        id?: boolean;
+        status?: boolean;
+      };
+    }) => {
+      const task = this.tasks.find(
+        (item) =>
+          (args.where.id === undefined || item.id === args.where.id) &&
+          (args.where.userId === undefined || item.userId === args.where.userId)
+      );
+      if (!task) {
+        return null;
+      }
+
+      if (args.select) {
+        return {
+          id: args.select.id ? task.id : undefined,
+          status: args.select.status ? task.status : undefined
+        };
+      }
+
+      return this.toTaskWithTags(task);
+    },
+
+    create: async (args: {
+      data: {
+        userId: string;
+        title: string;
+        contentJson?: unknown;
+        contentText: string | null;
+        priority: TaskPriority;
+        status: TaskStatus;
+        ddl: Date | null;
+        completedAt: Date | null;
+      };
+    }) => {
+      const now = new Date();
+      const task: TaskRecord = {
+        id: `task_${this.taskIdSequence++}`,
+        userId: args.data.userId,
+        title: args.data.title,
+        contentJson: args.data.contentJson ?? null,
+        contentText: args.data.contentText,
+        priority: args.data.priority,
+        status: args.data.status,
+        ddl: args.data.ddl,
+        completedAt: args.data.completedAt,
+        version: 1,
+        createdAt: now,
+        updatedAt: now
+      };
+      this.tasks.push(task);
+      return task;
+    },
+
+    update: async (args: {
+      where: {
+        id: string;
+      };
+      data: {
+        title?: string;
+        contentJson?: unknown;
+        contentText?: string | null;
+        priority?: TaskPriority;
+        status?: TaskStatus;
+        ddl?: Date | null;
+        completedAt?: Date | null;
+        version?: {
+          increment: number;
+        };
+      };
+    }) => {
+      const task = this.tasks.find((item) => item.id === args.where.id);
+      if (!task) {
+        throw new Error("task not found");
+      }
+
+      if (args.data.title !== undefined) {
+        task.title = args.data.title;
+      }
+      if (args.data.contentJson !== undefined) {
+        task.contentJson = args.data.contentJson;
+      }
+      if (args.data.contentText !== undefined) {
+        task.contentText = args.data.contentText;
+      }
+      if (args.data.priority !== undefined) {
+        task.priority = args.data.priority;
+      }
+      if (args.data.status !== undefined) {
+        task.status = args.data.status;
+      }
+      if (args.data.ddl !== undefined) {
+        task.ddl = args.data.ddl;
+      }
+      if (args.data.completedAt !== undefined) {
+        task.completedAt = args.data.completedAt;
+      }
+      if (args.data.version !== undefined) {
+        task.version += args.data.version.increment;
+      }
+      task.updatedAt = new Date();
+
+      return task;
+    },
+
+    deleteMany: async (args: {
+      where: {
+        id: string;
+        userId: string;
+      };
+    }) => {
+      const beforeCount = this.tasks.length;
+      this.tasks = this.tasks.filter(
+        (task) => !(task.id === args.where.id && task.userId === args.where.userId)
+      );
+      this.taskTags = this.taskTags.filter((taskTag) => taskTag.taskId !== args.where.id);
+      return {
+        count: beforeCount - this.tasks.length
+      };
+    },
+
+    findUniqueOrThrow: async (args: {
+      where: {
+        id: string;
+      };
+    }) => {
+      const task = this.tasks.find((item) => item.id === args.where.id);
+      if (!task) {
+        throw new Error("task not found");
+      }
+
+      return this.toTaskWithTags(task);
+    }
+  };
+
+  readonly tag = {
+    upsert: async (args: {
+      where: {
+        userId_name: {
+          userId: string;
+          name: string;
+        };
+      };
+      create: {
+        userId: string;
+        name: string;
+      };
+    }) => {
+      const existing = this.tags.find(
+        (tag) =>
+          tag.userId === args.where.userId_name.userId && tag.name === args.where.userId_name.name
+      );
+      if (existing) {
+        return existing;
+      }
+
+      const createdTag: TagRecord = {
+        id: `tag_${this.tagIdSequence++}`,
+        userId: args.create.userId,
+        name: args.create.name
+      };
+      this.tags.push(createdTag);
+      return createdTag;
+    }
+  };
+
+  readonly taskTag = {
+    deleteMany: async (args: {
+      where: {
+        taskId: string;
+      };
+    }) => {
+      const beforeCount = this.taskTags.length;
+      this.taskTags = this.taskTags.filter((taskTag) => taskTag.taskId !== args.where.taskId);
+      return {
+        count: beforeCount - this.taskTags.length
+      };
+    },
+
+    createMany: async (args: {
+      data: Array<{
+        taskId: string;
+        tagId: string;
+      }>;
+    }) => {
+      for (const row of args.data) {
+        const existing = this.taskTags.find(
+          (taskTag) => taskTag.taskId === row.taskId && taskTag.tagId === row.tagId
+        );
+        if (!existing) {
+          this.taskTags.push(row);
+        }
+      }
+      return {
+        count: args.data.length
+      };
+    }
+  };
+
+  async $transaction<T>(runner: (tx: InMemoryPrismaService) => Promise<T>): Promise<T> {
+    return runner(this);
+  }
+
+  private toTaskWithTags(
+    task: TaskRecord
+  ): TaskRecord & { taskTags: Array<{ tag: { name: string } }> } {
+    return {
+      ...task,
+      taskTags: this.taskTags
+        .filter((taskTag) => taskTag.taskId === task.id)
+        .map((taskTag) => this.tags.find((tag) => tag.id === taskTag.tagId))
+        .filter((tag): tag is TagRecord => tag !== undefined)
+        .map((tag) => ({
+          tag: {
+            name: tag.name
+          }
+        }))
+    };
+  }
+
+  private getTaskTagNames(taskId: string): string[] {
+    return this.taskTags
+      .filter((taskTag) => taskTag.taskId === taskId)
+      .map((taskTag) => this.tags.find((tag) => tag.id === taskTag.tagId))
+      .filter((tag): tag is TagRecord => tag !== undefined)
+      .map((tag) => tag.name);
+  }
+}
+
+describe("TaskController (integration)", () => {
+  let app: INestApplication;
+  const prismaService = new InMemoryPrismaService();
+
+  beforeAll(async () => {
+    const moduleRef: TestingModule = await Test.createTestingModule({
+      controllers: [TaskController],
+      providers: [
+        TaskService,
+        { provide: PrismaService, useValue: prismaService as unknown as PrismaService }
+      ]
+    }).compile();
+
+    app = moduleRef.createNestApplication();
+    app.useGlobalPipes(
+      new ValidationPipe({
+        transform: true,
+        whitelist: true,
+        forbidNonWhitelisted: true
+      })
+    );
+
+    await app.init();
+  });
+
+  afterAll(async () => {
+    await app.close();
+  });
+
+  it("should create, query, update and delete a task", async () => {
+    const createResponse = await request(app.getHttpServer())
+      .post("/tasks")
+      .set("x-user-id", "user_1")
+      .send({
+        title: "准备周会",
+        contentText: "整理本周进度",
+        priority: "HIGH",
+        tagNames: ["工作", "会议"]
+      })
+      .expect(201);
+
+    expect(createResponse.body.id).toBeDefined();
+    expect(createResponse.body.tags).toEqual(["工作", "会议"]);
+    const taskId = createResponse.body.id as string;
+
+    const listResponse = await request(app.getHttpServer())
+      .get("/tasks")
+      .set("x-user-id", "user_1")
+      .query({ tags: "会议" })
+      .expect(200);
+
+    expect(listResponse.body.total).toBe(1);
+    expect(listResponse.body.items[0].id).toBe(taskId);
+
+    const updateResponse = await request(app.getHttpServer())
+      .patch(`/tasks/${taskId}`)
+      .set("x-user-id", "user_1")
+      .send({
+        status: "DONE"
+      })
+      .expect(200);
+
+    expect(updateResponse.body.status).toBe("DONE");
+    expect(updateResponse.body.completedAt).toBeTruthy();
+    expect(updateResponse.body.version).toBe(2);
+
+    await request(app.getHttpServer())
+      .delete(`/tasks/${taskId}`)
+      .set("x-user-id", "user_1")
+      .expect(200)
+      .expect({
+        success: true
+      });
+
+    const listAfterDeleteResponse = await request(app.getHttpServer())
+      .get("/tasks")
+      .set("x-user-id", "user_1")
+      .expect(200);
+    expect(listAfterDeleteResponse.body.total).toBe(0);
+  });
+});
@@ -2,9 +2,9 @@
  "$schema": "https://json.schemastore.org/tsconfig",
  "extends": "../../packages/tsconfig/nest-app.json",
  "compilerOptions": {
-    "rootDir": "src",
+    "rootDir": ".",
    "outDir": "dist"
  },
-  "include": ["src/**/*.ts"],
+  "include": ["src/**/*.ts", "generated/prisma/**/*.ts"],
  "exclude": ["dist", "node_modules"]
 }
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "types": ["node", "jest"]
+  },
+  "include": ["src/**/*.ts", "generated/prisma/**/*.ts", "test/**/*.ts"],
+  "exclude": ["dist", "node_modules"]
+}
@@ -0,0 +1,24 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
@@ -0,0 +1,57 @@
+# TodoList Web 前端
+
+这是 TodoList 的用户端前端应用（SPA + PWA），基于 `React + TypeScript + Vite`。
+
+## 技术栈
+
+- React
+- TypeScript
+- Vite
+- Tailwind CSS
+- shadcn/ui
+
+## 本地开发
+
+在仓库根目录执行：
+
+```bash
+pnpm install
+pnpm --filter web dev
+```
+
+默认开发地址：
+
+- `http://localhost:5173`
+
+## 后端接口地址
+
+前端默认请求：
+
+- `http://localhost:3000`
+
+如需自定义，请在运行前设置环境变量：
+
+```bash
+VITE_API_BASE_URL=http://localhost:3000
+```
+
+## 构建与预览
+
+```bash
+pnpm --filter web build
+pnpm --filter web preview
+```
+
+## 当前功能进度（阶段性）
+
+- 邮箱验证码登录页面
+- OAuth 回调页面
+- 会话本地缓存与启动恢复
+- 基础工作台页面骨架
+
+## 目录说明
+
+- `src/pages`：页面组件
+- `src/components`：通用 UI 组件
+- `src/services`：接口请求与会话处理
+- `src/lib`：工具函数
@@ -0,0 +1,25 @@
+{
+  "$schema": "https://ui.shadcn.com/schema.json",
+  "style": "base-nova",
+  "rsc": false,
+  "tsx": true,
+  "tailwind": {
+    "config": "tailwind.config.js",
+    "css": "src/index.css",
+    "baseColor": "neutral",
+    "cssVariables": true,
+    "prefix": ""
+  },
+  "iconLibrary": "lucide",
+  "rtl": false,
+  "aliases": {
+    "components": "@/components",
+    "utils": "@/lib/utils",
+    "ui": "@/components/ui",
+    "lib": "@/lib",
+    "hooks": "@/hooks"
+  },
+  "menuColor": "default",
+  "menuAccent": "subtle",
+  "registries": {}
+}
@@ -0,0 +1,23 @@
+import js from "@eslint/js";
+import globals from "globals";
+import reactHooks from "eslint-plugin-react-hooks";
+import reactRefresh from "eslint-plugin-react-refresh";
+import tseslint from "typescript-eslint";
+import { defineConfig, globalIgnores } from "eslint/config";
+
+export default defineConfig([
+  globalIgnores(["dist"]),
+  {
+    files: ["**/*.{ts,tsx}"],
+    extends: [
+      js.configs.recommended,
+      tseslint.configs.recommended,
+      reactHooks.configs.flat.recommended,
+      reactRefresh.configs.vite
+    ],
+    languageOptions: {
+      ecmaVersion: 2020,
+      globals: globals.browser
+    }
+  }
+]);
@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="zh-CN">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/png" href="/favicon.png" />
+    <link rel="apple-touch-icon" href="/favicon.png" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>TodoList</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
@@ -0,0 +1,42 @@
+{
+  "name": "web",
+  "private": true,
+  "version": "0.0.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "tsc -b && vite build",
+    "lint": "eslint .",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@base-ui/react": "^1.3.0",
+    "@fontsource-variable/geist": "^5.2.8",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^1.7.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-router-dom": "^7.14.0",
+    "shadcn": "^4.1.2",
+    "tailwind-merge": "^3.5.0",
+    "tw-animate-css": "^1.4.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.4",
+    "@types/node": "^24.12.0",
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^6.0.1",
+    "autoprefixer": "^10.4.27",
+    "eslint": "^9.39.4",
+    "eslint-plugin-react-hooks": "^7.0.1",
+    "eslint-plugin-react-refresh": "^0.5.2",
+    "globals": "^17.4.0",
+    "postcss": "^8.5.8",
+    "tailwindcss": "^3.4.17",
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.57.0",
+    "vite": "^8.0.1"
+  }
+}
@@ -0,0 +1,6 @@
+export default {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {}
+  }
+};
@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <symbol id="bluesky-icon" viewBox="0 0 16 17">
+    <g clip-path="url(#bluesky-clip)"><path fill="#08060d" d="M7.75 7.735c-.693-1.348-2.58-3.86-4.334-5.097-1.68-1.187-2.32-.981-2.74-.79C.188 2.065.1 2.812.1 3.251s.241 3.602.398 4.13c.52 1.744 2.367 2.333 4.07 2.145-2.495.37-4.71 1.278-1.805 4.512 3.196 3.309 4.38-.71 4.987-2.746.608 2.036 1.307 5.91 4.93 2.746 2.72-2.746.747-4.143-1.747-4.512 1.702.189 3.55-.4 4.07-2.145.156-.528.397-3.691.397-4.13s-.088-1.186-.575-1.406c-.42-.19-1.06-.395-2.741.79-1.755 1.24-3.64 3.752-4.334 5.099"/></g>
+    <defs><clipPath id="bluesky-clip"><path fill="#fff" d="M.1.85h15.3v15.3H.1z"/></clipPath></defs>
+  </symbol>
+  <symbol id="discord-icon" viewBox="0 0 20 19">
+    <path fill="#08060d" d="M16.224 3.768a14.5 14.5 0 0 0-3.67-1.153c-.158.286-.343.67-.47.976a13.5 13.5 0 0 0-4.067 0c-.128-.306-.317-.69-.476-.976A14.4 14.4 0 0 0 3.868 3.77C1.546 7.28.916 10.703 1.231 14.077a14.7 14.7 0 0 0 4.5 2.306q.545-.748.965-1.587a9.5 9.5 0 0 1-1.518-.74q.191-.14.372-.293c2.927 1.369 6.107 1.369 8.999 0q.183.152.372.294-.723.437-1.52.74.418.838.963 1.588a14.6 14.6 0 0 0 4.504-2.308c.37-3.911-.63-7.302-2.644-10.309m-9.13 8.234c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.894 0 1.614.82 1.599 1.82.001 1-.705 1.82-1.6 1.82m5.91 0c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.893 0 1.614.82 1.599 1.82 0 1-.706 1.82-1.6 1.82"/>
+  </symbol>
+  <symbol id="documentation-icon" viewBox="0 0 21 20">
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="m15.5 13.333 1.533 1.322c.645.555.967.833.967 1.178s-.322.623-.967 1.179L15.5 18.333m-3.333-5-1.534 1.322c-.644.555-.966.833-.966 1.178s.322.623.966 1.179l1.534 1.321"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M17.167 10.836v-4.32c0-1.41 0-2.117-.224-2.68-.359-.906-1.118-1.621-2.08-1.96-.599-.21-1.349-.21-2.848-.21-2.623 0-3.935 0-4.983.369-1.684.591-3.013 1.842-3.641 3.428C3 6.449 3 7.684 3 10.154v2.122c0 2.558 0 3.838.706 4.726q.306.383.713.671c.76.536 1.79.64 3.581.66"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M3 10a2.78 2.78 0 0 1 2.778-2.778c.555 0 1.209.097 1.748-.047.48-.129.854-.503.982-.982.145-.54.048-1.194.048-1.749a2.78 2.78 0 0 1 2.777-2.777"/>
+  </symbol>
+  <symbol id="github-icon" viewBox="0 0 19 19">
+    <path fill="#08060d" fill-rule="evenodd" d="M9.356 1.85C5.05 1.85 1.57 5.356 1.57 9.694a7.84 7.84 0 0 0 5.324 7.44c.387.079.528-.168.528-.376 0-.182-.013-.805-.013-1.454-2.165.467-2.616-.935-2.616-.935-.349-.91-.864-1.143-.864-1.143-.71-.48.051-.48.051-.48.787.051 1.2.805 1.2.805.695 1.194 1.817.857 2.268.649.064-.507.27-.857.49-1.052-1.728-.182-3.545-.857-3.545-3.87 0-.857.31-1.558.8-2.104-.078-.195-.349-1 .077-2.078 0 0 .657-.208 2.14.805a7.5 7.5 0 0 1 1.946-.26c.657 0 1.328.092 1.946.26 1.483-1.013 2.14-.805 2.14-.805.426 1.078.155 1.883.078 2.078.502.546.799 1.247.799 2.104 0 3.013-1.818 3.675-3.558 3.87.284.247.528.714.528 1.454 0 1.052-.012 1.896-.012 2.156 0 .208.142.455.528.377a7.84 7.84 0 0 0 5.324-7.441c.013-4.338-3.48-7.844-7.773-7.844" clip-rule="evenodd"/>
+  </symbol>
+  <symbol id="social-icon" viewBox="0 0 20 20">
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M12.5 6.667a4.167 4.167 0 1 0-8.334 0 4.167 4.167 0 0 0 8.334 0"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M2.5 16.667a5.833 5.833 0 0 1 8.75-5.053m3.837.474.513 1.035c.07.144.257.282.414.309l.93.155c.596.1.736.536.307.965l-.723.73a.64.64 0 0 0-.152.531l.207.903c.164.715-.213.991-.84.618l-.872-.52a.63.63 0 0 0-.577 0l-.872.52c-.624.373-1.003.094-.84-.618l.207-.903a.64.64 0 0 0-.152-.532l-.723-.729c-.426-.43-.289-.864.306-.964l.93-.156a.64.64 0 0 0 .412-.31l.513-1.034c.28-.562.735-.562 1.012 0"/>
+  </symbol>
+  <symbol id="x-icon" viewBox="0 0 19 19">
+    <path fill="#08060d" fill-rule="evenodd" d="M1.893 1.98c.052.072 1.245 1.769 2.653 3.77l2.892 4.114c.183.261.333.48.333.486s-.068.089-.152.183l-.522.593-.765.867-3.597 4.087c-.375.426-.734.834-.798.905a1 1 0 0 0-.118.148c0 .01.236.017.664.017h.663l.729-.83c.4-.457.796-.906.879-.999a692 692 0 0 0 1.794-2.038c.034-.037.301-.34.594-.675l.551-.624.345-.392a7 7 0 0 1 .34-.374c.006 0 .93 1.306 2.052 2.903l2.084 2.965.045.063h2.275c1.87 0 2.273-.003 2.266-.021-.008-.02-1.098-1.572-3.894-5.547-2.013-2.862-2.28-3.246-2.273-3.266.008-.019.282-.332 2.085-2.38l2-2.274 1.567-1.782c.022-.028-.016-.03-.65-.03h-.674l-.3.342a871 871 0 0 1-1.782 2.025c-.067.075-.405.458-.75.852a100 100 0 0 1-.803.91c-.148.172-.299.344-.99 1.127-.304.343-.32.358-.345.327-.015-.019-.904-1.282-1.976-2.808L6.365 1.85H1.8zm1.782.91 8.078 11.294c.772 1.08 1.413 1.973 1.425 1.984.016.017.241.02 1.05.017l1.03-.004-2.694-3.766L7.796 5.75 5.722 2.852l-1.039-.004-1.039-.004z" clip-rule="evenodd"/>
+  </symbol>
+</svg>
@@ -0,0 +1,184 @@
+.counter {
+  font-size: 16px;
+  padding: 5px 10px;
+  border-radius: 5px;
+  color: var(--accent);
+  background: var(--accent-bg);
+  border: 2px solid transparent;
+  transition: border-color 0.3s;
+  margin-bottom: 24px;
+
+  &:hover {
+    border-color: var(--accent-border);
+  }
+  &:focus-visible {
+    outline: 2px solid var(--accent);
+    outline-offset: 2px;
+  }
+}
+
+.hero {
+  position: relative;
+
+  .base,
+  .framework,
+  .vite {
+    inset-inline: 0;
+    margin: 0 auto;
+  }
+
+  .base {
+    width: 170px;
+    position: relative;
+    z-index: 0;
+  }
+
+  .framework,
+  .vite {
+    position: absolute;
+  }
+
+  .framework {
+    z-index: 1;
+    top: 34px;
+    height: 28px;
+    transform: perspective(2000px) rotateZ(300deg) rotateX(44deg) rotateY(39deg)
+      scale(1.4);
+  }
+
+  .vite {
+    z-index: 0;
+    top: 107px;
+    height: 26px;
+    width: auto;
+    transform: perspective(2000px) rotateZ(300deg) rotateX(40deg) rotateY(39deg)
+      scale(0.8);
+  }
+}
+
+#center {
+  display: flex;
+  flex-direction: column;
+  gap: 25px;
+  place-content: center;
+  place-items: center;
+  flex-grow: 1;
+
+  @media (max-width: 1024px) {
+    padding: 32px 20px 24px;
+    gap: 18px;
+  }
+}
+
+#next-steps {
+  display: flex;
+  border-top: 1px solid var(--border);
+  text-align: left;
+
+  & > div {
+    flex: 1 1 0;
+    padding: 32px;
+    @media (max-width: 1024px) {
+      padding: 24px 20px;
+    }
+  }
+
+  .icon {
+    margin-bottom: 16px;
+    width: 22px;
+    height: 22px;
+  }
+
+  @media (max-width: 1024px) {
+    flex-direction: column;
+    text-align: center;
+  }
+}
+
+#docs {
+  border-right: 1px solid var(--border);
+
+  @media (max-width: 1024px) {
+    border-right: none;
+    border-bottom: 1px solid var(--border);
+  }
+}
+
+#next-steps ul {
+  list-style: none;
+  padding: 0;
+  display: flex;
+  gap: 8px;
+  margin: 32px 0 0;
+
+  .logo {
+    height: 18px;
+  }
+
+  a {
+    color: var(--text-h);
+    font-size: 16px;
+    border-radius: 6px;
+    background: var(--social-bg);
+    display: flex;
+    padding: 6px 12px;
+    align-items: center;
+    gap: 8px;
+    text-decoration: none;
+    transition: box-shadow 0.3s;
+
+    &:hover {
+      box-shadow: var(--shadow);
+    }
+    .button-icon {
+      height: 18px;
+      width: 18px;
+    }
+  }
+
+  @media (max-width: 1024px) {
+    margin-top: 20px;
+    flex-wrap: wrap;
+    justify-content: center;
+
+    li {
+      flex: 1 1 calc(50% - 8px);
+    }
+
+    a {
+      width: 100%;
+      justify-content: center;
+      box-sizing: border-box;
+    }
+  }
+}
+
+#spacer {
+  height: 88px;
+  border-top: 1px solid var(--border);
+  @media (max-width: 1024px) {
+    height: 48px;
+  }
+}
+
+.ticks {
+  position: relative;
+  width: 100%;
+
+  &::before,
+  &::after {
+    content: '';
+    position: absolute;
+    top: -4.5px;
+    border: 5px solid transparent;
+  }
+
+  &::before {
+    left: 0;
+    border-left-color: var(--border);
+  }
+  &::after {
+    right: 0;
+    border-right-color: var(--border);
+  }
+}
@@ -0,0 +1,318 @@
+import { useEffect, useState } from "react";
+import type { LucideIcon } from "lucide-react";
+import {
+  Bell,
+  ChevronLeft,
+  ChevronRight,
+  LayoutDashboard,
+  ListTodo,
+  LogOut,
+  Menu,
+  Moon,
+  Settings,
+  Sparkles,
+  Sun,
+  X
+} from "lucide-react";
+import { Navigate, Route, Routes, useLocation, useNavigate } from "react-router-dom";
+import { Button } from "@/components/ui/button";
+import { cn } from "@/lib/utils";
+import { EmailLoginPage } from "@/pages/email-login-page";
+import { OAuthCallbackPage } from "@/pages/oauth-callback-page";
+import { TodoShellPage } from "@/pages/todo-shell-page";
+import { revokeRefreshToken, type EmailLoginResult } from "@/services/auth-api";
+import {
+  clearSession,
+  loadSession,
+  saveSession,
+  type WebSession
+} from "@/services/session-storage";
+import {
+  applyThemeMode,
+  loadThemeMode,
+  saveThemeMode,
+  type ThemeMode
+} from "@/services/theme-storage";
+
+type SidebarItem = {
+  key: string;
+  label: string;
+  icon: LucideIcon;
+};
+
+const SIDEBAR_ITEMS: SidebarItem[] = [
+  { key: "dashboard", label: "概览面板", icon: LayoutDashboard },
+  { key: "todo", label: "待办事项", icon: ListTodo },
+  { key: "ai", label: "AI 建议", icon: Sparkles },
+  { key: "notice", label: "提醒中心", icon: Bell },
+  { key: "settings", label: "系统设置", icon: Settings }
+];
+
+function toWebSession(payload: EmailLoginResult): WebSession {
+  return {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    user: {
+      id: payload.user.id,
+      email: payload.user.email
+    }
+  };
+}
+
+function App() {
+  const [session, setSession] = useState<WebSession | null>(() => loadSession());
+  const [loggingOut, setLoggingOut] = useState(false);
+  const [themeMode, setThemeMode] = useState<ThemeMode>(() => loadThemeMode());
+  const [sidebarCollapsed, setSidebarCollapsed] = useState(false);
+  const [mobileSidebarOpen, setMobileSidebarOpen] = useState(false);
+  const navigate = useNavigate();
+  const location = useLocation();
+
+  const isAuthPage =
+    location.pathname === "/login/email" || location.pathname.startsWith("/auth/callback/");
+
+  useEffect(() => {
+    applyThemeMode(themeMode);
+    saveThemeMode(themeMode);
+  }, [themeMode]);
+
+  async function handleLogout(): Promise<void> {
+    if (!session || loggingOut) {
+      return;
+    }
+
+    try {
+      setLoggingOut(true);
+      await revokeRefreshToken(session.refreshToken);
+    } catch {
+      // 无论接口成功与否，都要清理本地会话，避免页面卡在登录态。
+    } finally {
+      clearSession();
+      setSession(null);
+      setLoggingOut(false);
+      setMobileSidebarOpen(false);
+      navigate("/login/email", { replace: true });
+    }
+  }
+
+  function handleToggleTheme(): void {
+    setThemeMode((currentTheme) => (currentTheme === "dark" ? "light" : "dark"));
+  }
+
+  function handleLoginSuccess(payload: EmailLoginResult): void {
+    const nextSession = toWebSession(payload);
+    saveSession(nextSession);
+    setSession(nextSession);
+    setMobileSidebarOpen(false);
+    navigate("/", { replace: true });
+  }
+
+  function handleBootstrapSession(nextSession: WebSession): void {
+    setSession(nextSession);
+    setMobileSidebarOpen(false);
+  }
+
+  function renderSidebarContent(options: { collapsed: boolean; mobile: boolean }) {
+    const { collapsed, mobile } = options;
+
+    return (
+      <div className="flex h-full min-h-0 flex-col">
+        {mobile ? (
+          <div className="flex h-14 shrink-0 items-center justify-end border-b border-border/70 px-3">
+            <Button
+              type="button"
+              size="icon-sm"
+              variant="ghost"
+              className="text-muted-foreground"
+              onClick={() => setMobileSidebarOpen(false)}
+              aria-label="关闭侧边栏"
+            >
+              <X className="size-4" />
+            </Button>
+          </div>
+        ) : null}
+
+        <div className="min-h-0 flex-1 overflow-y-auto p-2">
+          <nav className="space-y-1">
+            {SIDEBAR_ITEMS.map((item) => {
+              const ItemIcon = item.icon;
+              return (
+                <button
+                  key={item.key}
+                  type="button"
+                  className={cn(
+                    "group flex w-full items-center rounded-xl border border-transparent px-3 py-2.5 text-left transition-colors",
+                    "gap-3 hover:border-primary/25 hover:bg-primary/10"
+                  )}
+                >
+                  <ItemIcon className="size-5 shrink-0 text-primary" />
+                  {collapsed ? null : (
+                    <>
+                      <span className="text-sm whitespace-nowrap text-foreground">
+                        {item.label}
+                      </span>
+                      <span className="ml-auto whitespace-nowrap rounded-full border border-border bg-card px-2 py-0.5 text-[10px] text-muted-foreground">
+                        即将上线
+                      </span>
+                    </>
+                  )}
+                </button>
+              );
+            })}
+          </nav>
+        </div>
+
+        <div className="shrink-0 space-y-2 border-t border-border/70 p-2">
+          <Button
+            type="button"
+            variant="outline"
+            className="w-full justify-start gap-2 border-primary/25 px-3 text-primary hover:bg-primary/10"
+            onClick={handleToggleTheme}
+          >
+            {themeMode === "dark" ? <Sun className="size-4" /> : <Moon className="size-4" />}
+            {collapsed ? null : (
+              <span className="whitespace-nowrap">
+                {themeMode === "dark" ? "浅色模式" : "深色模式"}
+              </span>
+            )}
+          </Button>
+
+          <Button
+            type="button"
+            variant="outline"
+            className="w-full justify-start gap-2 border-primary/25 px-3 text-primary hover:bg-primary/10"
+            onClick={handleLogout}
+            disabled={!session || loggingOut}
+          >
+            <LogOut className="size-4" />
+            {collapsed ? null : (
+              <span className="whitespace-nowrap">{loggingOut ? "退出中..." : "退出登录"}</span>
+            )}
+          </Button>
+        </div>
+      </div>
+    );
+  }
+
+  if (isAuthPage) {
+    return (
+      <div className="min-h-dvh bg-background text-foreground md:min-h-screen">
+        <main className="flex min-h-dvh items-center justify-center px-4 py-8 md:min-h-screen md:px-6">
+          <div className="w-full max-w-md">
+            <Routes>
+              <Route
+                path="/login/email"
+                element={<EmailLoginPage onLoginSuccess={handleLoginSuccess} />}
+              />
+              <Route
+                path="/auth/callback/:provider"
+                element={<OAuthCallbackPage onBootstrapSession={handleBootstrapSession} />}
+              />
+              <Route path="*" element={<Navigate to={session ? "/" : "/login/email"} replace />} />
+            </Routes>
+          </div>
+        </main>
+      </div>
+    );
+  }
+
+  return (
+    <div className="h-dvh overflow-hidden bg-background text-foreground md:h-screen">
+      <header className="relative z-50 shrink-0 border-b border-border/70 bg-background/80 backdrop-blur-xl">
+        <div className="flex h-16 items-center justify-between px-4 md:px-6">
+          <div className="flex items-center gap-3">
+            <button
+              type="button"
+              className="text-primary md:hidden"
+              onClick={() => setMobileSidebarOpen(true)}
+              aria-label="打开侧边栏"
+            >
+              <Menu className="size-12" />
+            </button>
+            <img
+              src="/favicon.png"
+              alt="TodoList"
+              className="h-9 w-9 shrink-0 rounded-xl shadow-sm"
+            />
+            <span className="text-base font-semibold tracking-tight text-foreground">TodoList</span>
+          </div>
+          <span className="hidden max-w-[280px] truncate text-sm text-muted-foreground md:block">
+            {session ? session.user.email : "未登录"}
+          </span>
+        </div>
+      </header>
+
+      {mobileSidebarOpen ? (
+        <button
+          type="button"
+          className="fixed inset-x-0 bottom-0 top-16 z-30 bg-black/40 backdrop-blur-[2px] md:hidden"
+          aria-label="关闭侧边栏遮罩"
+          onClick={() => setMobileSidebarOpen(false)}
+        />
+      ) : null}
+
+      <aside
+        className={cn(
+          "fixed bottom-0 left-0 top-16 z-40 w-72 border-r border-border/80 bg-card/95 backdrop-blur-xl transition-transform duration-300 md:hidden",
+          mobileSidebarOpen ? "translate-x-0" : "-translate-x-full"
+        )}
+      >
+        {renderSidebarContent({ collapsed: false, mobile: true })}
+      </aside>
+
+      <div className="flex h-[calc(100dvh-4rem)] min-h-0 md:h-[calc(100vh-4rem)]">
+        <aside
+          className={cn(
+            "relative hidden h-full border-r border-border/80 bg-card/88 backdrop-blur-xl transition-[width] duration-300 md:flex md:flex-col",
+            sidebarCollapsed ? "md:w-14" : "md:w-72"
+          )}
+        >
+          {renderSidebarContent({ collapsed: sidebarCollapsed, mobile: false })}
+          <Button
+            type="button"
+            size="icon-sm"
+            variant="outline"
+            className={cn(
+              "absolute left-full top-1/2 z-20 -ml-px h-14 w-6 -translate-y-1/2 rounded-none border border-border/80",
+              "bg-card/88 text-muted-foreground backdrop-blur-xl transition-colors duration-200 hover:bg-muted/80 hover:text-foreground",
+              "focus-visible:ring-2 focus-visible:ring-ring/45 focus-visible:ring-offset-0"
+            )}
+            onClick={() => setSidebarCollapsed((current) => !current)}
+            aria-label={sidebarCollapsed ? "展开侧边栏" : "收起侧边栏"}
+          >
+            {sidebarCollapsed ? (
+              <ChevronRight className="size-4" />
+            ) : (
+              <ChevronLeft className="size-4" />
+            )}
+          </Button>
+        </aside>
+
+        <div className="flex min-h-0 min-w-0 flex-1 flex-col">
+          <main className="min-h-0 flex-1 overflow-y-auto px-4 py-6 md:px-6 md:py-8">
+            <div className="mx-auto w-full max-w-6xl">
+              <Routes>
+                <Route
+                  path="/"
+                  element={
+                    session ? (
+                      <TodoShellPage session={session} />
+                    ) : (
+                      <Navigate to="/login/email" replace />
+                    )
+                  }
+                />
+                <Route
+                  path="*"
+                  element={<Navigate to={session ? "/" : "/login/email"} replace />}
+                />
+              </Routes>
+            </div>
+          </main>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+export default App;
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>
@@ -0,0 +1,59 @@
+/* eslint-disable react-refresh/only-export-components */
+import { Button as ButtonPrimitive } from "@base-ui/react/button";
+import { cva, type VariantProps } from "class-variance-authority";
+
+import { cn } from "@/lib/utils";
+
+const buttonVariants = cva(
+  "group/button inline-flex shrink-0 items-center justify-center rounded-lg border border-transparent bg-clip-padding text-sm font-medium whitespace-nowrap transition-all outline-none select-none focus-visible:border-ring focus-visible:ring-3 focus-visible:ring-ring/50 active:not-aria-[haspopup]:translate-y-px disabled:pointer-events-none disabled:opacity-50 aria-invalid:border-destructive aria-invalid:ring-3 aria-invalid:ring-destructive/20 dark:aria-invalid:border-destructive/50 dark:aria-invalid:ring-destructive/40 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+  {
+    variants: {
+      variant: {
+        default: "bg-primary text-primary-foreground [a]:hover:bg-primary/80",
+        outline:
+          "border-border bg-background hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:border-input dark:bg-input/30 dark:hover:bg-input/50",
+        secondary:
+          "bg-secondary text-secondary-foreground hover:bg-secondary/80 aria-expanded:bg-secondary aria-expanded:text-secondary-foreground",
+        ghost:
+          "hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:hover:bg-muted/50",
+        destructive:
+          "bg-destructive/10 text-destructive hover:bg-destructive/20 focus-visible:border-destructive/40 focus-visible:ring-destructive/20 dark:bg-destructive/20 dark:hover:bg-destructive/30 dark:focus-visible:ring-destructive/40",
+        link: "text-primary underline-offset-4 hover:underline"
+      },
+      size: {
+        default:
+          "h-8 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+        xs: "h-6 gap-1 rounded-[min(var(--radius-md),10px)] px-2 text-xs in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3",
+        sm: "h-7 gap-1 rounded-[min(var(--radius-md),12px)] px-2.5 text-[0.8rem] in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3.5",
+        lg: "h-9 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+        icon: "size-8",
+        "icon-xs":
+          "size-6 rounded-[min(var(--radius-md),10px)] in-data-[slot=button-group]:rounded-lg [&_svg:not([class*='size-'])]:size-3",
+        "icon-sm":
+          "size-7 rounded-[min(var(--radius-md),12px)] in-data-[slot=button-group]:rounded-lg",
+        "icon-lg": "size-9"
+      }
+    },
+    defaultVariants: {
+      variant: "default",
+      size: "default"
+    }
+  }
+);
+
+function Button({
+  className,
+  variant = "default",
+  size = "default",
+  ...props
+}: ButtonPrimitive.Props & VariantProps<typeof buttonVariants>) {
+  return (
+    <ButtonPrimitive
+      data-slot="button"
+      className={cn(buttonVariants({ variant, size, className }))}
+      {...props}
+    />
+  );
+}
+
+export { Button, buttonVariants };
@@ -0,0 +1,77 @@
+@import "@fontsource-variable/geist";
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+html {
+  height: 100%;
+  font-size: 120%;
+}
+
+:root {
+  --radius: 0.9rem;
+  --background: 246 100% 98%;
+  --foreground: 248 40% 18%;
+  --card: 0 0% 100%;
+  --border: 248 53% 89%;
+  --input: 248 48% 84%;
+  --ring: 246 53% 53%;
+  --primary: 246 53% 53%;
+  --primary-foreground: 0 0% 100%;
+  --secondary: 250 70% 94%;
+  --secondary-foreground: 248 40% 25%;
+  --muted: 249 78% 95%;
+  --muted-foreground: 248 17% 45%;
+  --accent: 173 56% 66%;
+  --accent-foreground: 248 40% 25%;
+  --destructive: 343 40% 50%;
+  --destructive-foreground: 0 0% 100%;
+  color-scheme: light;
+  font-family: "Geist Variable", "Noto Sans SC", sans-serif;
+}
+
+.dark {
+  --background: 248 46% 10%;
+  --foreground: 240 44% 96%;
+  --card: 249 41% 15%;
+  --border: 249 24% 30%;
+  --input: 249 23% 28%;
+  --ring: 246 76% 68%;
+  --primary: 246 76% 68%;
+  --primary-foreground: 248 43% 12%;
+  --secondary: 249 30% 24%;
+  --secondary-foreground: 240 38% 92%;
+  --muted: 249 29% 20%;
+  --muted-foreground: 247 16% 74%;
+  --accent: 173 52% 58%;
+  --accent-foreground: 248 43% 12%;
+  --destructive: 343 64% 58%;
+  --destructive-foreground: 0 0% 100%;
+  color-scheme: dark;
+}
+
+body {
+  margin: 0;
+  height: 100%;
+  overflow: hidden;
+  background:
+    radial-gradient(
+      1100px 620px at -12% -25%,
+      hsl(var(--primary) / 0.2),
+      hsl(var(--primary) / 0) 60%
+    ),
+    radial-gradient(
+      900px 540px at 112% -14%,
+      hsl(var(--accent) / 0.35),
+      hsl(var(--accent) / 0) 58%
+    ),
+    hsl(var(--background));
+  color: hsl(var(--foreground));
+  transition:
+    background-color 220ms ease,
+    color 220ms ease;
+}
+
+#root {
+  height: 100%;
+}
@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from "clsx";
+import { twMerge } from "tailwind-merge";
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}
@@ -0,0 +1,16 @@
+import { StrictMode } from "react";
+import { createRoot } from "react-dom/client";
+import { BrowserRouter } from "react-router-dom";
+import "./index.css";
+import App from "./App.tsx";
+import { applyThemeMode, loadThemeMode } from "@/services/theme-storage";
+
+applyThemeMode(loadThemeMode());
+
+createRoot(document.getElementById("root")!).render(
+  <StrictMode>
+    <BrowserRouter>
+      <App />
+    </BrowserRouter>
+  </StrictMode>
+);
@@ -0,0 +1,175 @@
+import { useMemo, useState } from "react";
+import type { FormEvent } from "react";
+import { Button } from "@/components/ui/button";
+import { loginWithEmailCode, sendEmailCode, type EmailLoginResult } from "@/services/auth-api";
+
+type EmailLoginPageProps = {
+  onLoginSuccess: (payload: EmailLoginResult) => void;
+};
+
+const DEFAULT_API_BASE_URL = "http://localhost:3000";
+
+function resolveApiBaseUrl(): string {
+  const envBaseUrl = import.meta.env.VITE_API_BASE_URL as string | undefined;
+  if (!envBaseUrl) {
+    return DEFAULT_API_BASE_URL;
+  }
+
+  return envBaseUrl.replace(/\/+$/, "");
+}
+
+export function EmailLoginPage({ onLoginSuccess }: EmailLoginPageProps) {
+  const [email, setEmail] = useState("");
+  const [code, setCode] = useState("");
+  const [sendingCode, setSendingCode] = useState(false);
+  const [loggingIn, setLoggingIn] = useState(false);
+  const [codeCooldown, setCodeCooldown] = useState(0);
+  const [message, setMessage] = useState<string | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  const canSendCode = useMemo(() => {
+    return email.trim().length > 0 && !sendingCode && codeCooldown <= 0;
+  }, [codeCooldown, email, sendingCode]);
+
+  const canLogin = useMemo(() => {
+    return email.trim().length > 0 && code.trim().length === 6 && !loggingIn;
+  }, [code, email, loggingIn]);
+
+  async function handleSendCode(event: FormEvent<HTMLFormElement>): Promise<void> {
+    event.preventDefault();
+    if (!canSendCode) {
+      return;
+    }
+
+    try {
+      setSendingCode(true);
+      setError(null);
+      setMessage(null);
+      const result = await sendEmailCode(email.trim());
+      setMessage(`验证码已发送，有效期 ${result.expiresInSeconds} 秒。`);
+
+      let remain = 60;
+      setCodeCooldown(remain);
+      const timer = window.setInterval(() => {
+        remain -= 1;
+        setCodeCooldown(remain);
+        if (remain <= 0) {
+          window.clearInterval(timer);
+        }
+      }, 1000);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "发送验证码失败");
+    } finally {
+      setSendingCode(false);
+    }
+  }
+
+  async function handleLogin(event: FormEvent<HTMLFormElement>): Promise<void> {
+    event.preventDefault();
+    if (!canLogin) {
+      return;
+    }
+
+    try {
+      setLoggingIn(true);
+      setError(null);
+      setMessage(null);
+      const result = await loginWithEmailCode(email.trim(), code.trim());
+      onLoginSuccess(result);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "登录失败");
+    } finally {
+      setLoggingIn(false);
+    }
+  }
+
+  return (
+    <div className="mx-auto w-full max-w-md rounded-2xl border border-border bg-card/92 p-6 shadow-[0_24px_60px_-36px_hsl(var(--primary)/0.65)] backdrop-blur">
+      <div className="mb-4 flex items-center gap-3">
+        <img src="/favicon.png" alt="TodoList" className="h-10 w-10 rounded-xl shadow-sm" />
+        <div>
+          <h1 className="text-2xl font-semibold text-foreground">邮箱验证码登录</h1>
+        </div>
+      </div>
+
+      <form className="mt-6 space-y-3" onSubmit={handleSendCode}>
+        <label className="block text-sm font-medium text-secondary-foreground" htmlFor="email">
+          邮箱
+        </label>
+        <div className="flex items-stretch gap-2">
+          <input
+            id="email"
+            type="email"
+            className="min-w-0 flex-1 rounded-lg border border-input bg-background px-3 py-2 text-sm text-foreground outline-none focus:border-primary focus:ring-3 focus:ring-ring/25"
+            placeholder="you@example.com"
+            value={email}
+            onChange={(event) => setEmail(event.target.value)}
+          />
+          <Button
+            type="submit"
+            disabled={!canSendCode}
+            className="shrink-0 bg-primary px-4 text-primary-foreground hover:bg-primary/90"
+          >
+            {sendingCode ? "发送中..." : codeCooldown > 0 ? `${codeCooldown}s` : "发送验证码"}
+          </Button>
+        </div>
+      </form>
+
+      <form className="mt-4 space-y-3" onSubmit={handleLogin}>
+        <label className="block text-sm font-medium text-secondary-foreground" htmlFor="code">
+          验证码
+        </label>
+        <input
+          id="code"
+          type="text"
+          inputMode="numeric"
+          maxLength={6}
+          className="w-full rounded-lg border border-input bg-background px-3 py-2 text-sm text-foreground outline-none focus:border-primary focus:ring-3 focus:ring-ring/25"
+          placeholder="6位数字验证码"
+          value={code}
+          onChange={(event) => setCode(event.target.value)}
+        />
+        <Button
+          type="submit"
+          disabled={!canLogin}
+          className="w-full bg-gradient-to-r from-primary to-accent text-primary-foreground hover:opacity-95"
+        >
+          {loggingIn ? "登录中..." : "立即登录"}
+        </Button>
+      </form>
+
+      <div className="mt-6 grid grid-cols-1 gap-2">
+        <a href={`${resolveApiBaseUrl()}/auth/oauth/github`}>
+          <Button
+            type="button"
+            variant="outline"
+            className="w-full border-border bg-card text-foreground"
+          >
+            使用 GitHub 登录
+          </Button>
+        </a>
+        <a href={`${resolveApiBaseUrl()}/auth/oauth/qq`}>
+          <Button
+            type="button"
+            variant="outline"
+            className="w-full border-border bg-card text-foreground"
+          >
+            使用 QQ 登录
+          </Button>
+        </a>
+        <a href={`${resolveApiBaseUrl()}/auth/oauth/wechat`}>
+          <Button
+            type="button"
+            variant="outline"
+            className="w-full border-border bg-card text-foreground"
+          >
+            使用微信登录
+          </Button>
+        </a>
+      </div>
+
+      {message ? <p className="mt-4 text-sm text-primary">{message}</p> : null}
+      {error ? <p className="mt-2 text-sm text-destructive">{error}</p> : null}
+    </div>
+  );
+}
@@ -0,0 +1,68 @@
+import { useMemo } from "react";
+import { useNavigate, useSearchParams } from "react-router-dom";
+import { Button } from "@/components/ui/button";
+import { saveSession, type WebSession } from "@/services/session-storage";
+
+type OAuthCallbackPageProps = {
+  onBootstrapSession: (session: WebSession) => void;
+};
+
+export function OAuthCallbackPage({ onBootstrapSession }: OAuthCallbackPageProps) {
+  const [searchParams] = useSearchParams();
+  const navigate = useNavigate();
+
+  const parseResult = useMemo(() => {
+    const accessToken = searchParams.get("accessToken");
+    const refreshToken = searchParams.get("refreshToken");
+    const userId = searchParams.get("userId");
+    const email = searchParams.get("email");
+
+    if (!accessToken || !refreshToken || !userId || !email) {
+      return {
+        ok: false as const,
+        reason: "回调参数不完整，暂时无法建立会话。"
+      };
+    }
+
+    return {
+      ok: true as const,
+      session: {
+        accessToken,
+        refreshToken,
+        user: {
+          id: userId,
+          email
+        }
+      }
+    };
+  }, [searchParams]);
+
+  function handleContinue(): void {
+    if (!parseResult.ok) {
+      navigate("/login/email", { replace: true });
+      return;
+    }
+
+    saveSession(parseResult.session);
+    onBootstrapSession(parseResult.session);
+    navigate("/", { replace: true });
+  }
+
+  return (
+    <div className="mx-auto w-full max-w-md rounded-2xl border border-border bg-card/92 p-6 shadow-[0_24px_60px_-36px_hsl(var(--primary)/0.55)] backdrop-blur">
+      <div className="mb-4 flex items-center gap-3">
+        <img src="/favicon.png" alt="TodoList" className="h-10 w-10 rounded-xl shadow-sm" />
+        <h1 className="text-2xl font-semibold text-foreground">OAuth 回调处理中</h1>
+      </div>
+      <p className="mt-2 text-sm text-muted-foreground">
+        {parseResult.ok ? "已收到回调参数，点击继续进入工作台。" : parseResult.reason}
+      </p>
+      <Button
+        className="mt-6 w-full bg-gradient-to-r from-primary to-accent text-primary-foreground hover:opacity-95"
+        onClick={handleContinue}
+      >
+        {parseResult.ok ? "继续" : "返回邮箱登录"}
+      </Button>
+    </div>
+  );
+}
@@ -0,0 +1,33 @@
+import type { WebSession } from "@/services/session-storage";
+
+type TodoShellPageProps = {
+  session: WebSession | null;
+};
+
+export function TodoShellPage({ session }: TodoShellPageProps) {
+  return (
+    <div className="rounded-2xl border border-border bg-card/90 p-6 shadow-[0_24px_70px_-42px_hsl(var(--primary)/0.6)] backdrop-blur">
+      <h1 className="text-2xl font-semibold text-foreground">TodoList 工作台</h1>
+      <p className="mt-2 text-sm text-muted-foreground">
+        {session ? `当前登录邮箱：${session.user.email}` : "当前未建立登录会话，请先完成登录。"}
+      </p>
+      <div className="mt-6 grid gap-3 sm:grid-cols-3">
+        <div className="rounded-xl border border-border bg-muted/40 p-4">
+          <p className="text-xs text-muted-foreground">今日重点</p>
+          <p className="mt-2 text-lg font-semibold text-foreground">待接入</p>
+        </div>
+        <div className="rounded-xl border border-border bg-muted/40 p-4">
+          <p className="text-xs text-muted-foreground">临近截止</p>
+          <p className="mt-2 text-lg font-semibold text-foreground">待接入</p>
+        </div>
+        <div className="rounded-xl border border-border bg-muted/40 p-4">
+          <p className="text-xs text-muted-foreground">任务分析</p>
+          <p className="mt-2 text-lg font-semibold text-foreground">待接入</p>
+        </div>
+      </div>
+      <p className="mt-4 text-xs text-muted-foreground">
+        当前为界面阶段，统计卡片将在任务数据接入后显示真实结果。
+      </p>
+    </div>
+  );
+}
@@ -0,0 +1,98 @@
+export type SendEmailCodeResult = {
+  success: boolean;
+  expiresInSeconds: number;
+};
+
+export type EmailLoginResult = {
+  accessToken: string;
+  tokenType: "Bearer";
+  expiresInSeconds: number;
+  refreshToken: string;
+  refreshExpiresInSeconds: number;
+  user: {
+    id: string;
+    email: string;
+  };
+};
+
+type RevokeRefreshTokenResult = {
+  success: boolean;
+};
+
+const DEFAULT_API_BASE_URL = "http://localhost:3000";
+
+function resolveApiBaseUrl(): string {
+  const envBaseUrl = import.meta.env.VITE_API_BASE_URL as string | undefined;
+  if (!envBaseUrl) {
+    return DEFAULT_API_BASE_URL;
+  }
+
+  return envBaseUrl.replace(/\/+$/, "");
+}
+
+async function parseErrorMessage(response: Response): Promise<string> {
+  try {
+    const body = (await response.json()) as { message?: string | string[] };
+    if (Array.isArray(body.message)) {
+      return body.message.join("，");
+    }
+    if (typeof body.message === "string" && body.message.trim()) {
+      return body.message;
+    }
+  } catch {
+    return `请求失败（${response.status}）`;
+  }
+
+  return `请求失败（${response.status}）`;
+}
+
+export async function sendEmailCode(email: string): Promise<SendEmailCodeResult> {
+  const response = await fetch(`${resolveApiBaseUrl()}/auth/email/send-code`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ email })
+  });
+
+  if (!response.ok) {
+    throw new Error(await parseErrorMessage(response));
+  }
+
+  const body = (await response.json()) as SendEmailCodeResult;
+  return body;
+}
+
+export async function loginWithEmailCode(email: string, code: string): Promise<EmailLoginResult> {
+  const response = await fetch(`${resolveApiBaseUrl()}/auth/email/login`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ email, code })
+  });
+
+  if (!response.ok) {
+    throw new Error(await parseErrorMessage(response));
+  }
+
+  const body = (await response.json()) as EmailLoginResult;
+  return body;
+}
+
+export async function revokeRefreshToken(refreshToken: string): Promise<RevokeRefreshTokenResult> {
+  const response = await fetch(`${resolveApiBaseUrl()}/auth/token/revoke`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ refreshToken })
+  });
+
+  if (!response.ok) {
+    throw new Error(await parseErrorMessage(response));
+  }
+
+  const body = (await response.json()) as RevokeRefreshTokenResult;
+  return body;
+}
@@ -0,0 +1,67 @@
+import type { EmailLoginResult } from "@/services/auth-api";
+
+const SESSION_STORAGE_KEY = "todolist.web.session";
+
+export type WebSession = {
+  accessToken: string;
+  refreshToken: string;
+  user: {
+    id: string;
+    email: string;
+  };
+};
+
+function isValidSession(payload: unknown): payload is WebSession {
+  if (!payload || typeof payload !== "object") {
+    return false;
+  }
+
+  const data = payload as {
+    accessToken?: unknown;
+    refreshToken?: unknown;
+    user?: {
+      id?: unknown;
+      email?: unknown;
+    };
+  };
+
+  return (
+    typeof data.accessToken === "string" &&
+    typeof data.refreshToken === "string" &&
+    typeof data.user?.id === "string" &&
+    typeof data.user?.email === "string"
+  );
+}
+
+export function loadSession(): WebSession | null {
+  const raw = window.localStorage.getItem(SESSION_STORAGE_KEY);
+  if (!raw) {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(raw) as unknown;
+    if (!isValidSession(parsed)) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+export function saveSession(payload: EmailLoginResult | WebSession): void {
+  const session: WebSession = {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    user: {
+      id: payload.user.id,
+      email: payload.user.email
+    }
+  };
+  window.localStorage.setItem(SESSION_STORAGE_KEY, JSON.stringify(session));
+}
+
+export function clearSession(): void {
+  window.localStorage.removeItem(SESSION_STORAGE_KEY);
+}
@@ -0,0 +1,29 @@
+const THEME_STORAGE_KEY = "todolist.web.theme";
+
+export type ThemeMode = "light" | "dark";
+
+function isThemeMode(value: string | null): value is ThemeMode {
+  return value === "light" || value === "dark";
+}
+
+export function loadThemeMode(): ThemeMode {
+  const savedTheme = window.localStorage.getItem(THEME_STORAGE_KEY);
+  if (isThemeMode(savedTheme)) {
+    return savedTheme;
+  }
+
+  if (window.matchMedia("(prefers-color-scheme: dark)").matches) {
+    return "dark";
+  }
+
+  return "light";
+}
+
+export function saveThemeMode(mode: ThemeMode): void {
+  window.localStorage.setItem(THEME_STORAGE_KEY, mode);
+}
+
+export function applyThemeMode(mode: ThemeMode): void {
+  document.documentElement.classList.toggle("dark", mode === "dark");
+  document.documentElement.style.colorScheme = mode;
+}
@@ -0,0 +1,43 @@
+/** @type {import('tailwindcss').Config} */
+export default {
+  darkMode: "class",
+  content: ["./index.html", "./src/**/*.{ts,tsx}"],
+  theme: {
+    extend: {
+      colors: {
+        border: "hsl(var(--border) / <alpha-value>)",
+        input: "hsl(var(--input) / <alpha-value>)",
+        ring: "hsl(var(--ring) / <alpha-value>)",
+        background: "hsl(var(--background) / <alpha-value>)",
+        foreground: "hsl(var(--foreground) / <alpha-value>)",
+        primary: {
+          DEFAULT: "hsl(var(--primary) / <alpha-value>)",
+          foreground: "hsl(var(--primary-foreground) / <alpha-value>)"
+        },
+        secondary: {
+          DEFAULT: "hsl(var(--secondary) / <alpha-value>)",
+          foreground: "hsl(var(--secondary-foreground) / <alpha-value>)"
+        },
+        muted: {
+          DEFAULT: "hsl(var(--muted) / <alpha-value>)",
+          foreground: "hsl(var(--muted-foreground) / <alpha-value>)"
+        },
+        accent: {
+          DEFAULT: "hsl(var(--accent) / <alpha-value>)",
+          foreground: "hsl(var(--accent-foreground) / <alpha-value>)"
+        },
+        destructive: {
+          DEFAULT: "hsl(var(--destructive) / <alpha-value>)",
+          foreground: "hsl(var(--destructive-foreground) / <alpha-value>)"
+        },
+        card: "hsl(var(--card) / <alpha-value>)"
+      },
+      borderRadius: {
+        lg: "var(--radius)",
+        md: "calc(var(--radius) - 2px)",
+        sm: "calc(var(--radius) - 4px)"
+      }
+    }
+  },
+  plugins: []
+};
@@ -0,0 +1,32 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
+    "target": "ES2023",
+    "useDefineForClassFields": true,
+    "lib": ["ES2023", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "types": ["vite/client"],
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["./src/*"]
+    },
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+    "jsx": "react-jsx",
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["src"]
+}
@@ -0,0 +1,10 @@
+{
+  "compilerOptions": {
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "files": [],
+  "references": [{ "path": "./tsconfig.app.json" }, { "path": "./tsconfig.node.json" }]
+}
@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
+    "target": "ES2023",
+    "lib": ["ES2023"],
+    "module": "ESNext",
+    "types": ["node"],
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["vite.config.ts"]
+}
@@ -0,0 +1,13 @@
+import path from "node:path";
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
+
+// https://vite.dev/config/
+export default defineConfig({
+  plugins: [react()],
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "./src")
+    }
+  }
+});
Author	SHA1	Message	Date
yaosanqi137	aff645bc5d	feat(web): render auth pages without app shell	2026-04-05 17:09:17 +08:00
yaosanqi137	e8dd85ee65	feat(web): polish sidebar shell and authentication UI	2026-04-05 16:57:52 +08:00
yaosanqi137	eeee62c4e8	feat(web-ui): use project icon as favicon	2026-04-05 15:47:32 +08:00
yaosanqi137	e4c2095004	fix(ci): add nodemailer type declarations for api typecheck	2026-04-05 15:44:13 +08:00
yaosanqi137	95c10eca77	feat(web-auth): implement logout with token revoke and session clear	2026-04-05 15:05:51 +08:00
yaosanqi137	25857abf26	docs(web): localize web README to Chinese	2026-04-05 14:57:27 +08:00
yaosanqi137	352b3c1b3c	feat(api-auth): persist users and auth state in postgres	2026-04-05 14:48:57 +08:00
yaosanqi137	ec1a4f7478	feat(api-auth): send email login codes via SMTP	2026-04-05 14:40:52 +08:00
yaosanqi137	7192cda20f	fix(api): enable CORS for browser client requests	2026-04-05 14:30:13 +08:00
yaosanqi137	aae03b6b0d	docs(readme): add deployment and usage guide	2026-04-05 14:28:25 +08:00
yaosanqi137	48b69793ce	docs(api-env): improve .env.example comments and grouping	2026-04-05 14:28:13 +08:00
yaosanqi137	4b47d3bda7	feat(web-auth): add oauth callbacks and session bootstrap	2026-04-05 02:54:50 +08:00
yaosanqi137	fe4f7909e3	feat(web-auth): implement email code login pages	2026-04-05 02:35:55 +08:00
yaosanqi137	579d63d39d	feat(web): bootstrap react vite tailwind shadcn stack	2026-04-05 02:31:18 +08:00
Yaosanqi137	d7f27eaf1e	Merge pull request #6 from Yaosanqi137/feature/p2-api-task-attachment Feature/p2 api task attachment	2026-04-05 02:15:40 +08:00
yaosanqi137	99e5622234	fix(ci): ensure prisma client generation and auth deps for typecheck	2026-04-05 02:14:20 +08:00
yaosanqi137	e84bef07b4	fix(api-prisma): initialize prisma client with pg adapter	2026-04-05 01:07:05 +08:00
yaosanqi137	3a9b5fb000	test(api-task): add integration tests for task endpoints	2026-04-05 00:13:19 +08:00
yaosanqi137	32022c1437	feat(api-quota): enforce user storage quota checks	2026-04-05 00:08:27 +08:00
yaosanqi137	bd3241504f	feat(api-attachment): add minio presigned upload flow	2026-04-05 00:05:39 +08:00
yaosanqi137	8f6ff38a32	feat(api-task): implement task crud with tag filters	2026-04-05 00:01:28 +08:00
Yaosanqi137	be15494ecd	Merge pull request #2 from Yaosanqi137/feature/p1-repo-bootstrap Feature/p1 repo bootstrap	2026-04-04 12:17:58 +08:00
				`@@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>