引入openspec管理

openspec/specs/nfr.yaml

@@ -0,0 +1,102 @@
+version: 1
+id: nfr
+title: Non-Functional Requirements
+sources:
+  project_md:
+    path: openspec/project.md
+    lines: "67-70"
+  middleware:
+    - api/middlewares/index.ts
+  database:
+    - api/database/index.ts
+
+security:
+  password_handling:
+    status: not_compliant
+    current_state:
+      storage: "明文存储在 users.password（SQLite）"
+      transmission: "前后端请求体中直接传输 password 字段"
+      evidence:
+        - api/models/user.ts:18
+        - api/controllers/userController.ts:81
+        - openspec/project.md:69
+    required_state:
+      storage: "使用强哈希算法存储（例如 bcrypt/scrypt/argon2），不存明文"
+      transmission: "避免回传密码；日志与导出不得包含敏感字段"
+    constraints:
+      - "当前实现未满足 required_state，属于待整改项"
+
+  admin_authentication:
+    status: not_compliant
+    current_state:
+      admin_login_token: "固定值 admin-token"
+      route_guard: "adminAuth 中间件放行"
+      evidence:
+        - api/controllers/adminController.ts:1
+        - api/middlewares/index.ts:57
+        - openspec/project.md:68
+    required_state:
+      token_validation: "生产环境需实现真实鉴权（例如 JWT 校验）并在前后端一致落地"
+    constraints:
+      - "当前管理接口在后端层面不具备访问控制"
+
+  logging_sensitivity:
+    status: partial
+    current_state:
+      request_logging: "记录 method/path/statusCode/duration"
+      evidence:
+        - api/middlewares/index.ts:65
+    constraints:
+      - "应避免在日志中输出密码、token、导出数据等敏感信息（当前需持续自查）"
+
+reliability:
+  database_initialization:
+    status: implemented
+    behavior: "仅当 users 表不存在时执行 init.sql"
+    evidence:
+      - api/database/index.ts:109
+    constraints:
+      - "若数据库存在但缺少部分表/列（例如用户组、selection_config），当前不会自动迁移"
+
+performance:
+  limits:
+    request_body_max_bytes:
+      status: implemented
+      value: 10485760
+      evidence:
+        - api/server.ts:30
+    upload_max_bytes:
+      status: implemented
+      value: 10485760
+      evidence:
+        - api/middlewares/index.ts:7
+  database_characteristics:
+    status: implemented
+    notes: "SQLite 适合单机/轻量；并发与事务能力有限。"
+    evidence:
+      - openspec/project.md:70
+
+compliance:
+  data_minimization:
+    status: partial
+    stored_personal_data:
+      - field: users.name
+      - field: users.phone
+    constraints:
+      - "当前未见用户数据保留期限/删除流程的实现"
+  gdpr_like_rights:
+    status: not_implemented
+    requirements:
+      - "数据导出：提供用户个人数据导出能力（当前仅管理员数据导出，且范围为业务数据）"
+      - "数据删除：支持按合规要求删除用户数据并处理关联记录"
+    constraints:
+      - "以上为合规目标要求；当前代码中未实现对应流程"
+
+operability:
+  configuration:
+    status: implemented
+    mechanism: "dotenv + system_configs 表"
+    evidence:
+      - openspec/project.md:25
+      - api/models/systemConfig.ts:1
+