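---
# Non-functional requirements (NFR) register for the project.
# The original file had its structure collapsed onto a single line, which is
# not parseable as YAML; it is restored here as 2-space block style.
#
# Shape conventions used throughout this document:
#   status    - one of the values seen in this file:
#               implemented | partial | not_compliant | not_implemented
#   evidence  - list of `path:line` pointers into the repository that back
#               the stated current_state / behavior
#   constraints / required_state - the gap between what the code does today
#               and what the requirement demands (values kept verbatim)
version: 1
id: nfr
title: Non-Functional Requirements

# Where the requirement text and the reviewed code live.
sources:
  project_md:
    path: openspec/project.md
    lines: "67-70"  # quoted: a range, not a number
  middleware:
    - api/middlewares/index.ts
  database:
    - api/database/index.ts

security:
  # Credential handling: current_state records plaintext at rest and in
  # transit; required_state records the hashing / non-echo target.
  password_handling:
    status: not_compliant
    current_state:
      storage: "明文存储在 users.password(SQLite)"
      transmission: "前后端请求体中直接传输 password 字段"
    evidence:
      - api/models/user.ts:18
      - api/controllers/userController.ts:81
      - openspec/project.md:69
    required_state:
      storage: "使用强哈希算法存储(例如 bcrypt/scrypt/argon2),不存明文"
      transmission: "避免回传密码;日志与导出不得包含敏感字段"
    constraints:
      - "当前实现未满足 required_state,属于待整改项"

  # Admin access control: a fixed token value and a pass-through guard are
  # recorded as the current state; real token validation is the target.
  admin_authentication:
    status: not_compliant
    current_state:
      admin_login_token: "固定值 admin-token"
      route_guard: "adminAuth 中间件放行"
    evidence:
      - api/controllers/adminController.ts:1
      - api/middlewares/index.ts:57
      - openspec/project.md:68
    required_state:
      token_validation: "生产环境需实现真实鉴权(例如 JWT 校验)并在前后端一致落地"
    constraints:
      - "当前管理接口在后端层面不具备访问控制"

  # Request logging currently captures only method/path/statusCode/duration;
  # the constraint is an ongoing check that no secrets enter the logs.
  logging_sensitivity:
    status: partial
    current_state:
      request_logging: "记录 method/path/statusCode/duration"
    evidence:
      - api/middlewares/index.ts:65
    constraints:
      - "应避免在日志中输出密码、token、导出数据等敏感信息(当前需持续自查)"

reliability:
  # Schema bootstrap runs init.sql only when the users table is absent;
  # partially-migrated databases are not repaired automatically.
  database_initialization:
    status: implemented
    behavior: "仅当 users 表不存在时执行 init.sql"
    evidence:
      - api/database/index.ts:109
    constraints:
      - "若数据库存在但缺少部分表/列(例如用户组、selection_config),当前不会自动迁移"

performance:
  limits:
    # 10485760 bytes = 10 MiB. Both limits are integers (bytes), unquoted
    # on purpose.
    request_body_max_bytes:
      status: implemented
      value: 10485760
      evidence:
        - api/server.ts:30
    upload_max_bytes:
      status: implemented
      value: 10485760
      evidence:
        - api/middlewares/index.ts:7
  database_characteristics:
    status: implemented
    notes: "SQLite 适合单机/轻量;并发与事务能力有限。"
    evidence:
      - openspec/project.md:70

compliance:
  # Personal data fields held today and the missing retention/deletion flow.
  data_minimization:
    status: partial
    stored_personal_data:
      - field: users.name
      - field: users.phone
    constraints:
      - "当前未见用户数据保留期限/删除流程的实现"
  # Subject-rights style requirements (export / delete); target only, not
  # implemented in the current code per the constraint below.
  gdpr_like_rights:
    status: not_implemented
    requirements:
      - "数据导出:提供用户个人数据导出能力(当前仅管理员数据导出,且范围为业务数据)"
      - "数据删除:支持按合规要求删除用户数据并处理关联记录"
    constraints:
      - "以上为合规目标要求;当前代码中未实现对应流程"

operability:
  configuration:
    status: implemented
    mechanism: "dotenv + system_configs 表"
    evidence:
      - openspec/project.md:25
      - api/models/systemConfig.ts:1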