From 637c3c150b05a061ad5f6a541063fded3e0e61a8 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 13:15:02 +0800
Subject: [PATCH 01/17] fix: harden authentication and authorization security

- Remove password reset token from API response to prevent token leak
- Replace wildcard CORS with explicit origin allowlist from config
- Strengthen AdminRequired middleware with DB-backed role verification
- Add token revocation via in-memory blacklist and /logout endpoint
- Remove cookie-based auth to prevent CSRF attacks (Bearer-only)
- Increase minimum password length from 6 to 8 characters
- Add CORS_ORIGINS and DB_LOG_LEVEL config fields
---
 backend/cmd/server/main.go                    |  3 +-
 backend/internal/config/config.go             |  8 +++
 backend/internal/dto/auth.go                  |  6 +--
 backend/internal/handler/admin.go             |  9 ++++
 backend/internal/handler/auth.go              | 27 +++++++++-
 backend/internal/middleware/auth.go           | 28 +++++++----
 backend/internal/middleware/cors.go           | 11 +++-
 backend/internal/middleware/tokenblacklist.go | 50 +++++++++++++++++++
 backend/internal/router/router.go             | 33 +++++++-----
 backend/internal/service/auth.go              |  4 ++
 10 files changed, 149 insertions(+), 30 deletions(-)
 create mode 100644 backend/internal/middleware/tokenblacklist.go

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index fcfa4151..e051f4af 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -117,12 +117,13 @@ func main() {
 	// Setup Gin
 	r := gin.New()
 	r.Use(middleware.Recovery())
-	r.Use(middleware.CORS())
+	r.Use(middleware.CORS(cfg))
 	r.Use(gin.Logger())
 
 	// Register routes
 	router.Setup(
 		r, cfg,
+		adminHandler.IsAdmin,
 		authHandler, questionHandler, answerHandler,
 		commentHandler, interactionHandler, tagHandler,
 		chatHandler, echoHandler, userHandler, adminHandler,
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 761fbe40..d3390962 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -30,6 +30,12 @@ type Config struct {
 	// Server
 	Port string
 
+	// CORS
+	CORSOrigins string
+
+	// Logging
+	DBLogLevel string
+
 	// Admin
 	AdminUsername string
 	AdminEmail    string
@@ -53,6 +59,8 @@ func Load() *Config {
 		FirecrawlAPIKey:           getEnv("FIRECRAWL_API_KEY", ""),
 		ImageModel:                getEnv("IMAGE_MODEL", ""),
 		Port:                      getEnv("PORT", "8000"),
+		CORSOrigins:               getEnv("CORS_ORIGINS", "http://localhost:5173,http://localhost:8000,http://localhost:3000"),
+		DBLogLevel:                getEnv("DB_LOG_LEVEL", "warn"),
 		AdminUsername:             getEnv("ADMIN_USERNAME", ""),
 		AdminEmail:                getEnv("ADMIN_EMAIL", ""),
 		AdminPassword:             getEnv("ADMIN_PASSWORD", ""),
diff --git a/backend/internal/dto/auth.go b/backend/internal/dto/auth.go
index 2b2e3504..f9133357 100644
--- a/backend/internal/dto/auth.go
+++ b/backend/internal/dto/auth.go
@@ -6,7 +6,7 @@ import "time"
 type RegisterRequest struct {
 	Username string `json:"username" binding:"required,min=3,max=50"`
 	Email    string `json:"email" binding:"required,email"`
-	Password string `json:"password" binding:"required,min=6"`
+	Password string `json:"password" binding:"required,min=8"`
 	Nickname string `json:"nickname" binding:"required,min=1,max=50"`
 	Role     string `json:"role" binding:"omitempty,oneof=mom dad family"`
 }
@@ -48,7 +48,7 @@ type UserResponse struct {
 // ChangePasswordRequest is the request body for changing password
 type ChangePasswordRequest struct {
 	OldPassword string `json:"old_password" binding:"required"`
-	NewPassword string `json:"new_password" binding:"required,min=6"`
+	NewPassword string `json:"new_password" binding:"required,min=8"`
 }
 
 // ForgotPasswordRequest is the request body for forgot password
@@ -59,7 +59,7 @@ type ForgotPasswordRequest struct {
 // ResetPasswordRequest is the request body for resetting password
 type ResetPasswordRequest struct {
 	Token       string `json:"token" binding:"required"`
-	NewPassword string `json:"new_password" binding:"required,min=6"`
+	NewPassword string `json:"new_password" binding:"required,min=8"`
 }
 
 // UpdateRoleRequest is the request body for updating user role
diff --git a/backend/internal/handler/admin.go b/backend/internal/handler/admin.go
index 33bc6222..5d10e8e7 100644
--- a/backend/internal/handler/admin.go
+++ b/backend/internal/handler/admin.go
@@ -22,6 +22,15 @@ func NewAdminHandler(adminService *service.AdminService, authService *service.Au
 	}
 }
 
+// IsAdmin checks if the given user is an admin. Used as middleware.AdminChecker.
+func (h *AdminHandler) IsAdmin(userID string) bool {
+	user, err := h.authService.GetUserByID(userID)
+	if err != nil {
+		return false
+	}
+	return user.IsAdmin
+}
+
 // requireAdmin checks if the current user is an admin
 func (h *AdminHandler) requireAdmin(c *gin.Context) (string, bool) {
 	userID := middleware.GetUserID(c)
diff --git a/backend/internal/handler/auth.go b/backend/internal/handler/auth.go
index 25c4538c..e5b7d46d 100644
--- a/backend/internal/handler/auth.go
+++ b/backend/internal/handler/auth.go
@@ -2,11 +2,13 @@ package handler
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/momshell/backend/internal/dto"
 	"github.com/momshell/backend/internal/middleware"
 	"github.com/momshell/backend/internal/service"
+	pkgjwt "github.com/momshell/backend/pkg/jwt"
 )
 
 type AuthHandler struct {
@@ -102,6 +104,27 @@ func (h *AuthHandler) ChangePassword(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"message": "密码修改成功"})
 }
 
+// POST /api/v1/auth/logout
+func (h *AuthHandler) Logout(c *gin.Context) {
+	tokenStr := ""
+	auth := c.GetHeader("Authorization")
+	if strings.HasPrefix(auth, "Bearer ") {
+		tokenStr = strings.TrimPrefix(auth, "Bearer ")
+	}
+	if tokenStr == "" {
+		tokenStr = c.GetHeader("X-Access-Token")
+	}
+
+	if tokenStr != "" {
+		claims, err := pkgjwt.ParseToken(tokenStr, h.authService.GetJWTSecret())
+		if err == nil && claims.ExpiresAt != nil {
+			middleware.TokenBlacklist.Add(tokenStr, claims.ExpiresAt.Time)
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "已退出登录"})
+}
+
 // POST /api/v1/auth/forgot-password
 func (h *AuthHandler) ForgotPassword(c *gin.Context) {
 	var req dto.ForgotPasswordRequest
@@ -117,10 +140,10 @@ func (h *AuthHandler) ForgotPassword(c *gin.Context) {
 		return
 	}
 
-	// In production, send email instead of returning token
+	// TODO: In production, send email with reset link instead of logging
+	_ = token // token would be sent via email
 	c.JSON(http.StatusOK, gin.H{
 		"message": "如果该邮箱已注册，将收到重置密码邮件",
-		"token":   token, // For development only
 	})
 }
 
diff --git a/backend/internal/middleware/auth.go b/backend/internal/middleware/auth.go
index df9364e1..ffda4b5d 100644
--- a/backend/internal/middleware/auth.go
+++ b/backend/internal/middleware/auth.go
@@ -13,6 +13,9 @@ const (
 	ContextUserID = "user_id"
 )
 
+// AdminChecker is a function that checks if a user is an admin.
+type AdminChecker func(userID string) bool
+
 // AuthRequired requires a valid JWT token
 func AuthRequired(cfg *config.Config) gin.HandlerFunc {
 	return func(c *gin.Context) {
@@ -37,17 +40,21 @@ func AuthOptional(cfg *config.Config) gin.HandlerFunc {
 	}
 }
 
-// AdminRequired requires a valid JWT token and admin role
-// Note: actual role check is done in handler with user lookup
-func AdminRequired(cfg *config.Config) gin.HandlerFunc {
+// AdminRequired requires a valid JWT token and verifies admin role via the checker function.
+func AdminRequired(cfg *config.Config, isAdmin AdminChecker) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		userID, err := extractUserID(c, cfg)
 		if err != nil || userID == "" {
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "未授权，请先登录"})
 			return
 		}
+
+		if !isAdmin(userID) {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "需要管理员权限"})
+			return
+		}
+
 		c.Set(ContextUserID, userID)
-		// Admin role check will be done in the handler after fetching the user
 		c.Next()
 	}
 }
@@ -66,17 +73,18 @@ func extractUserID(c *gin.Context, cfg *config.Config) (string, error) {
 		tokenStr = c.GetHeader("X-Access-Token")
 	}
 
-	// 3. Cookie
-	if tokenStr == "" {
-		if cookie, err := c.Cookie("access_token"); err == nil {
-			tokenStr = cookie
-		}
-	}
+	// Note: Cookie-based auth removed to prevent CSRF attacks.
+	// All auth must be via explicit headers.
 
 	if tokenStr == "" {
 		return "", nil
 	}
 
+	// Check token blacklist (revoked tokens)
+	if TokenBlacklist.IsBlacklisted(tokenStr) {
+		return "", pkgjwt.ErrInvalidToken
+	}
+
 	claims, err := pkgjwt.ParseToken(tokenStr, cfg.JWTSecretKey)
 	if err != nil {
 		return "", err
diff --git a/backend/internal/middleware/cors.go b/backend/internal/middleware/cors.go
index 58a0a704..2d567623 100644
--- a/backend/internal/middleware/cors.go
+++ b/backend/internal/middleware/cors.go
@@ -1,15 +1,22 @@
 package middleware
 
 import (
+	"strings"
 	"time"
 
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
+	"github.com/momshell/backend/internal/config"
 )
 
-func CORS() gin.HandlerFunc {
+func CORS(cfg *config.Config) gin.HandlerFunc {
+	origins := strings.Split(cfg.CORSOrigins, ",")
+	for i := range origins {
+		origins[i] = strings.TrimSpace(origins[i])
+	}
+
 	return cors.New(cors.Config{
-		AllowAllOrigins:  true,
+		AllowOrigins:     origins,
 		AllowMethods:     []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Access-Token"},
 		ExposeHeaders:    []string{"Content-Length"},
diff --git a/backend/internal/middleware/tokenblacklist.go b/backend/internal/middleware/tokenblacklist.go
new file mode 100644
index 00000000..61d9db63
--- /dev/null
+++ b/backend/internal/middleware/tokenblacklist.go
@@ -0,0 +1,50 @@
+package middleware
+
+import (
+	"sync"
+	"time"
+)
+
+// TokenBlacklist is an in-memory blacklist for revoked JWT tokens.
+var TokenBlacklist = &tokenBlacklistStore{
+	tokens: make(map[string]time.Time),
+}
+
+type tokenBlacklistStore struct {
+	mu     sync.RWMutex
+	tokens map[string]time.Time
+}
+
+// Add blacklists a token until its expiry time.
+func (b *tokenBlacklistStore) Add(token string, expiry time.Time) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.tokens[token] = expiry
+}
+
+// IsBlacklisted checks if a token has been revoked.
+func (b *tokenBlacklistStore) IsBlacklisted(token string) bool {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+	_, exists := b.tokens[token]
+	return exists
+}
+
+func init() {
+	go TokenBlacklist.cleanup()
+}
+
+func (b *tokenBlacklistStore) cleanup() {
+	ticker := time.NewTicker(5 * time.Minute)
+	defer ticker.Stop()
+	for range ticker.C {
+		b.mu.Lock()
+		now := time.Now()
+		for token, expiry := range b.tokens {
+			if now.After(expiry) {
+				delete(b.tokens, token)
+			}
+		}
+		b.mu.Unlock()
+	}
+}
diff --git a/backend/internal/router/router.go b/backend/internal/router/router.go
index 58de2fb5..568ef1e6 100644
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -1,6 +1,8 @@
 package router
 
 import (
+	"time"
+
 	"github.com/gin-gonic/gin"
 	"github.com/momshell/backend/internal/config"
 	"github.com/momshell/backend/internal/handler"
@@ -10,6 +12,7 @@ import (
 func Setup(
 	r *gin.Engine,
 	cfg *config.Config,
+	isAdmin middleware.AdminChecker,
 	authHandler *handler.AuthHandler,
 	questionHandler *handler.QuestionHandler,
 	answerHandler *handler.AnswerHandler,
@@ -24,6 +27,11 @@ func Setup(
 	whisperHandler *handler.WhisperHandler,
 	taskHandler *handler.TaskHandler,
 ) {
+	// Rate limiters
+	authLimiter := middleware.RateLimit(10, 1*time.Minute)     // 10 req/min for auth
+	aiLimiter := middleware.RateLimit(20, 1*time.Minute)       // 20 req/min for AI endpoints
+	generalLimiter := middleware.RateLimit(120, 1*time.Minute) // 120 req/min general
+
 	// Health check
 	r.GET("/health", func(c *gin.Context) {
 		c.JSON(200, gin.H{"status": "ok"})
@@ -35,22 +43,23 @@ func Setup(
 	// Admin panel (HTML page, no auth required for serving the page)
 	r.GET("/admin", adminHandler.ServeAdminPage)
 
-	api := r.Group("/api/v1")
+	api := r.Group("/api/v1", generalLimiter)
 
 	// ==================== Auth ====================
 	auth := api.Group("/auth")
 	{
-		auth.POST("/register", authHandler.Register)
-		auth.POST("/login", authHandler.Login)
-		auth.POST("/refresh", authHandler.Refresh)
-		auth.POST("/forgot-password", authHandler.ForgotPassword)
-		auth.POST("/reset-password", authHandler.ResetPassword)
+		auth.POST("/register", authLimiter, authHandler.Register)
+		auth.POST("/login", authLimiter, authHandler.Login)
+		auth.POST("/refresh", authLimiter, authHandler.Refresh)
+		auth.POST("/forgot-password", authLimiter, authHandler.ForgotPassword)
+		auth.POST("/reset-password", authLimiter, authHandler.ResetPassword)
 
 		authRequired := auth.Group("", middleware.AuthRequired(cfg))
 		{
 			authRequired.POST("/change-password", authHandler.ChangePassword)
 			authRequired.GET("/me", authHandler.GetMe)
 			authRequired.PATCH("/me/role", authHandler.UpdateRole)
+			authRequired.POST("/logout", authHandler.Logout)
 		}
 	}
 
@@ -114,7 +123,7 @@ func Setup(
 		{
 			tags.GET("", tagHandler.List)
 			tags.GET("/hot", tagHandler.ListHot)
-			tags.POST("", middleware.AdminRequired(cfg), tagHandler.Create)
+			tags.POST("", middleware.AdminRequired(cfg, isAdmin), tagHandler.Create)
 		}
 
 		// User profile (community context)
@@ -134,7 +143,7 @@ func Setup(
 	// ==================== Companion (AI Chat) ====================
 	companion := api.Group("/companion")
 	{
-		companion.POST("/chat", middleware.AuthOptional(cfg), chatHandler.Chat)
+		companion.POST("/chat", aiLimiter, middleware.AuthOptional(cfg), chatHandler.Chat)
 		companion.GET("/profile", middleware.AuthOptional(cfg), chatHandler.GetProfile)
 	}
 
@@ -145,7 +154,7 @@ func Setup(
 		echo.DELETE("/identity-tags/:id", echoHandler.DeleteIdentityTag)
 
 		echo.GET("/memoirs", echoHandler.GetMemoirs)
-		echo.POST("/memoirs/generate", echoHandler.GenerateMemoir)
+		echo.POST("/memoirs/generate", aiLimiter, echoHandler.GenerateMemoir)
 		echo.POST("/memoirs/:id/rate", echoHandler.RateMemoir)
 	}
 
@@ -154,7 +163,7 @@ func Setup(
 	{
 		photos.GET("", photoHandler.List)
 		photos.POST("/upload", photoHandler.Upload)
-		photos.POST("/generate", photoHandler.Generate)
+		photos.POST("/generate", aiLimiter, photoHandler.Generate)
 		photos.PUT("/wall", photoHandler.BatchUpdateWall)
 		photos.PUT("/:id", photoHandler.Update)
 		photos.DELETE("/:id", photoHandler.Delete)
@@ -166,7 +175,7 @@ func Setup(
 	{
 		whisper.POST("", whisperHandler.Create)
 		whisper.GET("", whisperHandler.List)
-		whisper.GET("/tips", whisperHandler.Tips)
+		whisper.GET("/tips", aiLimiter, whisperHandler.Tips)
 	}
 
 	// ==================== Tasks ====================
@@ -181,7 +190,7 @@ func Setup(
 	}
 
 	// ==================== Admin ====================
-	adminAPI := api.Group("/admin", middleware.AdminRequired(cfg))
+	adminAPI := api.Group("/admin", middleware.AdminRequired(cfg, isAdmin))
 	{
 		adminAPI.GET("/stats", adminHandler.GetStats)
 		adminAPI.GET("/users", adminHandler.ListUsers)
diff --git a/backend/internal/service/auth.go b/backend/internal/service/auth.go
index 1c215b4b..8aa0453d 100644
--- a/backend/internal/service/auth.go
+++ b/backend/internal/service/auth.go
@@ -184,6 +184,10 @@ func (s *AuthService) GetUserByID(userID string) (*model.User, error) {
 	return s.userRepo.FindByID(userID)
 }
 
+func (s *AuthService) GetJWTSecret() string {
+	return s.cfg.JWTSecretKey
+}
+
 func (s *AuthService) generateTokens(userID string) (*dto.TokenResponse, error) {
 	accessToken, err := pkgjwt.CreateAccessToken(userID, s.cfg.JWTSecretKey, s.cfg.JWTAccessTokenExpireMin)
 	if err != nil {

From f44eb53bc87fcc7fdac47bbde4def0856c6efb71 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 13:15:17 +0800
Subject: [PATCH 02/17] feat: add sliding window rate limiting to API endpoints

- Add per-IP sliding window rate limiter middleware
- Auth endpoints: 10 req/min, AI endpoints: 20 req/min, general: 120 req/min
- Auto-cleanup of expired entries every 5 minutes
---
 backend/internal/middleware/ratelimit.go | 80 ++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 backend/internal/middleware/ratelimit.go

diff --git a/backend/internal/middleware/ratelimit.go b/backend/internal/middleware/ratelimit.go
new file mode 100644
index 00000000..829b6ae4
--- /dev/null
+++ b/backend/internal/middleware/ratelimit.go
@@ -0,0 +1,80 @@
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type visitor struct {
+	count   int
+	resetAt time.Time
+}
+
+type rateLimiter struct {
+	mu       sync.Mutex
+	visitors map[string]*visitor
+	rate     int
+	window   time.Duration
+}
+
+func newRateLimiter(rate int, window time.Duration) *rateLimiter {
+	rl := &rateLimiter{
+		visitors: make(map[string]*visitor),
+		rate:     rate,
+		window:   window,
+	}
+	go rl.cleanup()
+	return rl
+}
+
+func (rl *rateLimiter) cleanup() {
+	ticker := time.NewTicker(rl.window)
+	defer ticker.Stop()
+	for range ticker.C {
+		rl.mu.Lock()
+		now := time.Now()
+		for ip, v := range rl.visitors {
+			if now.After(v.resetAt) {
+				delete(rl.visitors, ip)
+			}
+		}
+		rl.mu.Unlock()
+	}
+}
+
+func (rl *rateLimiter) allow(ip string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	v, exists := rl.visitors[ip]
+	if !exists || time.Now().After(v.resetAt) {
+		rl.visitors[ip] = &visitor{
+			count:   1,
+			resetAt: time.Now().Add(rl.window),
+		}
+		return true
+	}
+
+	v.count++
+	return v.count <= rl.rate
+}
+
+// RateLimit returns a middleware that limits requests per IP.
+// rate: max requests allowed within the window.
+// window: time window for the rate limit.
+func RateLimit(rate int, window time.Duration) gin.HandlerFunc {
+	limiter := newRateLimiter(rate, window)
+	return func(c *gin.Context) {
+		ip := c.ClientIP()
+		if !limiter.allow(ip) {
+			c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{
+				"error": "请求过于频繁，请稍后再试",
+			})
+			return
+		}
+		c.Next()
+	}
+}

From d363a2c4e959732452807d8b264c81455f538e44 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 13:15:34 +0800
Subject: [PATCH 03/17] fix: harden input validation and data protection

- Add io.LimitReader on OpenAI (1MB/10MB) and Firecrawl (1MB) responses
- Remove raw response body from log output to prevent data exposure
- Add magic byte content-type validation on photo and avatar uploads
- Add SSRF prevention with URL validation and private IP blocking
- Fix path traversal in photo deletion with filepath.Clean
- Add guest chat session eviction to prevent memory leak (max 1000)
- Use configurable DB log level (default: warn instead of info)
- Pin admin panel CDN versions (Tailwind 3.4.17, Alpine.js 3.14.8)
---
 backend/internal/admin/admin.html     |  4 +--
 backend/internal/database/database.go | 15 +++++++-
 backend/internal/handler/photo.go     | 16 ++++++++-
 backend/internal/handler/user.go      | 13 +++++++
 backend/internal/service/chat.go      | 21 +++++++++++
 backend/internal/service/photo.go     | 51 +++++++++++++++++++++++++--
 backend/pkg/firecrawl/client.go       |  2 +-
 backend/pkg/openai/client.go          | 27 +++++++-------
 8 files changed, 129 insertions(+), 20 deletions(-)

diff --git a/backend/internal/admin/admin.html b/backend/internal/admin/admin.html
index 2db5bdf6..c0402b1b 100644
--- a/backend/internal/admin/admin.html
+++ b/backend/internal/admin/admin.html
@@ -4,8 +4,8 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>MomShell 管理面板</title>
-    <script src="https://cdn.tailwindcss.com"></script>
-    <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
+    <script src="https://cdn.tailwindcss.com/3.4.17"></script>
+    <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.14.8/dist/cdn.min.js"></script>
     <style>
         [x-cloak] { display: none !important; }
         .fade-in { animation: fadeIn 0.2s ease-in; }
diff --git a/backend/internal/database/database.go b/backend/internal/database/database.go
index 6bfee090..81fa972e 100644
--- a/backend/internal/database/database.go
+++ b/backend/internal/database/database.go
@@ -2,6 +2,7 @@ package database
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/momshell/backend/internal/config"
 	"gorm.io/driver/postgres"
@@ -10,8 +11,20 @@ import (
 )
 
 func Connect(cfg *config.Config) (*gorm.DB, error) {
+	logLevel := logger.Warn
+	switch strings.ToLower(cfg.DBLogLevel) {
+	case "silent":
+		logLevel = logger.Silent
+	case "error":
+		logLevel = logger.Error
+	case "warn":
+		logLevel = logger.Warn
+	case "info":
+		logLevel = logger.Info
+	}
+
 	db, err := gorm.Open(postgres.Open(cfg.DatabaseURL), &gorm.Config{
-		Logger: logger.Default.LogMode(logger.Info),
+		Logger: logger.Default.LogMode(logLevel),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to database: %w", err)
diff --git a/backend/internal/handler/photo.go b/backend/internal/handler/photo.go
index fd7b3e7f..c1c8de0d 100644
--- a/backend/internal/handler/photo.go
+++ b/backend/internal/handler/photo.go
@@ -71,6 +71,20 @@ func (h *PhotoHandler) Upload(c *gin.Context) {
 		return
 	}
 
+	// Validate actual file content via magic bytes
+	buf := make([]byte, 512)
+	n, _ := file.Read(buf)
+	detectedType := http.DetectContentType(buf[:n])
+	if !allowedPhotoTypes[detectedType] {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "文件内容与格式不匹配"})
+		return
+	}
+	// Reset reader position for SaveUploadedFile
+	if _, err := file.Seek(0, 0); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "上传失败"})
+		return
+	}
+
 	ext := ".jpg"
 	switch contentType {
 	case "image/png":
@@ -161,7 +175,7 @@ func (h *PhotoHandler) Delete(c *gin.Context) {
 		return
 	}
 
-	c.JSON(http.StatusNoContent, nil)
+	c.Status(http.StatusNoContent)
 }
 
 // PUT /api/v1/photos/:id/wall
diff --git a/backend/internal/handler/user.go b/backend/internal/handler/user.go
index cc155791..8cbd8dfe 100644
--- a/backend/internal/handler/user.go
+++ b/backend/internal/handler/user.go
@@ -82,6 +82,19 @@ func (h *UserHandler) UploadAvatar(c *gin.Context) {
 		return
 	}
 
+	// Validate actual file content via magic bytes
+	buf := make([]byte, 512)
+	n, _ := file.Read(buf)
+	detectedType := http.DetectContentType(buf[:n])
+	if !allowedImageTypes[detectedType] {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "文件内容与格式不匹配"})
+		return
+	}
+	if _, err := file.Seek(0, 0); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "上传失败"})
+		return
+	}
+
 	ext := ".jpg"
 	switch contentType {
 	case "image/png":
diff --git a/backend/internal/service/chat.go b/backend/internal/service/chat.go
index 94f99746..cfacdf3f 100644
--- a/backend/internal/service/chat.go
+++ b/backend/internal/service/chat.go
@@ -55,6 +55,10 @@ const companionSystemPrompt = `你是「小石光」，一位「曾走过这段
 
 记住：你的存在不是为了「解决她的问题」，而是让她感到——在这一刻，她并不孤单。`
 
+const (
+	maxGuestSessions = 1000 // Maximum number of guest sessions in memory
+)
+
 type ChatService struct {
 	client    *openai.Client
 	chatRepo  *repository.ChatRepo
@@ -137,6 +141,23 @@ func (s *ChatService) chatGuest(ctx context.Context, msg dto.UserMessage) (*dto.
 
 	s.mu.Lock()
 	if _, ok := s.guestMemory[sessionID]; !ok {
+		// Evict oldest sessions if at capacity
+		if len(s.guestMemory) >= maxGuestSessions {
+			// Delete ~10% of sessions to avoid evicting on every new request
+			toDelete := maxGuestSessions / 10
+			if toDelete < 1 {
+				toDelete = 1
+			}
+			deleted := 0
+			for k := range s.guestMemory {
+				delete(s.guestMemory, k)
+				delete(s.guestProfiles, k)
+				deleted++
+				if deleted >= toDelete {
+					break
+				}
+			}
+		}
 		s.guestMemory[sessionID] = nil
 		s.guestProfiles[sessionID] = make(map[string]interface{})
 	}
diff --git a/backend/internal/service/photo.go b/backend/internal/service/photo.go
index f3b995e1..4f72a33e 100644
--- a/backend/internal/service/photo.go
+++ b/backend/internal/service/photo.go
@@ -7,9 +7,12 @@ import (
 	"fmt"
 	"io"
 	"math"
+	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -176,8 +179,11 @@ func (s *PhotoService) DeletePhoto(id, userID string) error {
 
 	// Remove file from disk if it's a local upload
 	if photo.ImageURL != "" {
-		localPath := "." + photo.ImageURL
-		_ = os.Remove(localPath)
+		localPath := filepath.Clean("." + photo.ImageURL)
+		// Ensure the path is under the uploads directory to prevent path traversal
+		if strings.HasPrefix(localPath, "uploads"+string(filepath.Separator)) {
+			_ = os.Remove(localPath)
+		}
 	}
 
 	return s.photoRepo.Delete(id, userID)
@@ -272,6 +278,11 @@ func (s *PhotoService) downloadGeneratedImage(imgResp *openai.ImageResponse) (st
 }
 
 func (s *PhotoService) downloadFromURL(imageURL, savePath string) (string, error) {
+	// Validate URL to prevent SSRF
+	if err := validateExternalURL(imageURL); err != nil {
+		return "", fmt.Errorf("invalid image URL: %w", err)
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
@@ -296,7 +307,7 @@ func (s *PhotoService) downloadFromURL(imageURL, savePath string) (string, error
 	}
 	defer func() { _ = out.Close() }()
 
-	if _, err := io.Copy(out, resp.Body); err != nil {
+	if _, err := io.Copy(out, io.LimitReader(resp.Body, 20<<20)); err != nil { // 20 MB max
 		return "", fmt.Errorf("failed to write file: %w", err)
 	}
 
@@ -333,3 +344,37 @@ func truncate(s string, maxLen int) string {
 	}
 	return s
 }
+
+// validateExternalURL checks that a URL is safe to fetch (prevents SSRF).
+func validateExternalURL(rawURL string) error {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return fmt.Errorf("invalid URL")
+	}
+
+	if u.Scheme != "https" && u.Scheme != "http" {
+		return fmt.Errorf("unsupported scheme: %s", u.Scheme)
+	}
+
+	host := u.Hostname()
+
+	// Block obvious internal hostnames
+	if host == "localhost" || host == "127.0.0.1" || host == "::1" ||
+		host == "0.0.0.0" || strings.HasSuffix(host, ".local") ||
+		strings.HasSuffix(host, ".internal") {
+		return fmt.Errorf("internal host not allowed")
+	}
+
+	// Resolve and check IP ranges
+	ips, err := net.LookupIP(host)
+	if err != nil {
+		return fmt.Errorf("DNS resolution failed: %w", err)
+	}
+	for _, ip := range ips {
+		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+			return fmt.Errorf("internal IP not allowed")
+		}
+	}
+
+	return nil
+}
diff --git a/backend/pkg/firecrawl/client.go b/backend/pkg/firecrawl/client.go
index defe97ae..56eaec8c 100644
--- a/backend/pkg/firecrawl/client.go
+++ b/backend/pkg/firecrawl/client.go
@@ -61,7 +61,7 @@ func (c *Client) Search(ctx context.Context, query string, limit int) ([]SearchR
 	}
 	defer func() { _ = resp.Body.Close() }()
 
-	respBody, err := io.ReadAll(resp.Body)
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1 MB max
 	if err != nil {
 		return nil, fmt.Errorf("failed to read response: %w", err)
 	}
diff --git a/backend/pkg/openai/client.go b/backend/pkg/openai/client.go
index da1da289..068c73a8 100644
--- a/backend/pkg/openai/client.go
+++ b/backend/pkg/openai/client.go
@@ -11,6 +11,11 @@ import (
 	"time"
 )
 
+const (
+	maxChatResponseSize  = 1 << 20  // 1 MB
+	maxImageResponseSize = 10 << 20 // 10 MB
+)
+
 type Client struct {
 	apiKey  string
 	baseURL string
@@ -81,14 +86,14 @@ func (c *Client) Chat(ctx context.Context, messages []Message) (string, error) {
 	}
 	defer func() { _ = resp.Body.Close() }()
 
-	respBody, err := io.ReadAll(resp.Body)
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxChatResponseSize))
 	if err != nil {
 		return "", fmt.Errorf("failed to read response: %w", err)
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("openai chat completion failed: error, status code: %d, status: %s, message: %s",
-			resp.StatusCode, resp.Status, string(respBody))
+		return "", fmt.Errorf("openai chat completion failed: status %d, body: %.500s",
+			resp.StatusCode, string(respBody))
 	}
 
 	var chatResp chatResponse
@@ -104,9 +109,7 @@ func (c *Client) Chat(ctx context.Context, messages []Message) (string, error) {
 		return "", fmt.Errorf("openai returned no choices")
 	}
 
-	content := chatResp.Choices[0].Message.Content
-	log.Printf("[Chat] raw response (first 500 chars): %.500s", content)
-	return content, nil
+	return chatResp.Choices[0].Message.Content, nil
 }
 
 type imageRequest struct {
@@ -159,16 +162,16 @@ func (c *Client) GenerateImage(ctx context.Context, model, prompt string) (*Imag
 	}
 	defer func() { _ = resp.Body.Close() }()
 
-	respBody, err := io.ReadAll(resp.Body)
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxImageResponseSize))
 	if err != nil {
 		return nil, fmt.Errorf("failed to read image response: %w", err)
 	}
 
-	log.Printf("[ImageGen] model=%s POST status=%d body_len=%d body_preview=%.500s", model, resp.StatusCode, len(respBody), string(respBody))
+	log.Printf("[ImageGen] model=%s POST status=%d body_len=%d", model, resp.StatusCode, len(respBody))
 
 	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusAccepted {
-		return nil, fmt.Errorf("image generation failed: status code: %d, message: %s",
-			resp.StatusCode, string(respBody))
+		return nil, fmt.Errorf("image generation failed: status code: %d, body_len: %d",
+			resp.StatusCode, len(respBody))
 	}
 
 	// Try parsing as an async task response (ModelScope returns task_id for polling)
@@ -281,13 +284,13 @@ func (c *Client) pollImageTask(ctx context.Context, taskID string) (*ImageRespon
 			continue
 		}
 
-		respBody, err := io.ReadAll(resp.Body)
+		respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxImageResponseSize))
 		_ = resp.Body.Close()
 		if err != nil {
 			continue
 		}
 
-		log.Printf("[ImageGen] poll #%d status=%d body_len=%d body_preview=%.500s", i+1, resp.StatusCode, len(respBody), string(respBody))
+		log.Printf("[ImageGen] poll #%d status=%d body_len=%d", i+1, resp.StatusCode, len(respBody))
 
 		var status taskStatusResponse
 		if err := json.Unmarshal(respBody, &status); err != nil {

From 887fcdd99c44848e16fc9c8afc60381ac44dc7ee Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 13:15:51 +0800
Subject: [PATCH 04/17] fix: resolve Copilot review issues from PR #129
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Gate AI auto-reply behind @小石光 mention check to prevent spam
- Clean up orphaned comment likes on question and answer deletion
- Fix wall position collision by using lowest free slot (0-8)
- Replace blocking alert() with inline toast in CommunityPanel
- Fix HTTP 204 response sending unnecessary JSON body
- Fix unreliable postgresql@* wildcard in dev-setup.sh
---
 backend/internal/handler/question.go          |  4 +-
 backend/internal/service/community.go         | 12 +++++
 backend/internal/service/community_ai.go      |  5 ++
 frontend/src/components/overlay/CarPage.vue   | 13 ++++-
 .../src/components/overlay/CommunityPanel.vue | 48 ++++++++++++++++---
 scripts/dev-setup.sh                          |  2 +-
 6 files changed, 73 insertions(+), 11 deletions(-)

diff --git a/backend/internal/handler/question.go b/backend/internal/handler/question.go
index bb9a8e59..e5cb7619 100644
--- a/backend/internal/handler/question.go
+++ b/backend/internal/handler/question.go
@@ -124,8 +124,8 @@ func (h *QuestionHandler) Create(c *gin.Context) {
 		return
 	}
 
-	// Trigger AI reply for every new published question
-	if h.communityAI != nil && question.Status == model.StatusPublished {
+	// Trigger AI reply only when question mentions @小石光
+	if h.communityAI != nil && question.Status == model.StatusPublished && h.communityAI.IsMentioned(req.Content) {
 		go h.communityAI.HandleNewQuestion(question.ID)
 	}
 
diff --git a/backend/internal/service/community.go b/backend/internal/service/community.go
index b2a6b764..82f66e3f 100644
--- a/backend/internal/service/community.go
+++ b/backend/internal/service/community.go
@@ -374,6 +374,12 @@ func (s *CommunityService) DeleteQuestion(questionID string, user *model.User) e
 	// Clean up related data
 	answerIDs, _ := s.answerRepo.FindIDsByQuestionID(questionID)
 	for _, aid := range answerIDs {
+		// Delete likes on comments before deleting the comments themselves
+		if comments, cErr := s.commentRepo.FindByAnswerID(aid); cErr == nil {
+			for _, c := range comments {
+				_ = s.interactionRepo.DeleteLikesByTarget("comment", c.ID)
+			}
+		}
 		_ = s.commentRepo.DeleteByAnswerID(aid)
 		_ = s.interactionRepo.DeleteLikesByTarget("answer", aid)
 	}
@@ -534,6 +540,12 @@ func (s *CommunityService) DeleteAnswer(answerID string, user *model.User) error
 		return errors.New("无权删除此回答")
 	}
 
+	// Delete likes on comments before deleting the comments themselves
+	if comments, cErr := s.commentRepo.FindByAnswerID(answerID); cErr == nil {
+		for _, c := range comments {
+			_ = s.interactionRepo.DeleteLikesByTarget("comment", c.ID)
+		}
+	}
 	_ = s.commentRepo.DeleteByAnswerID(answerID)
 	_ = s.interactionRepo.DeleteLikesByTarget("answer", answerID)
 	_ = s.questionRepo.DecrementAnswerCount(a.QuestionID)
diff --git a/backend/internal/service/community_ai.go b/backend/internal/service/community_ai.go
index 815f7f15..af8b22e3 100644
--- a/backend/internal/service/community_ai.go
+++ b/backend/internal/service/community_ai.go
@@ -48,6 +48,11 @@ func ContainsMention(content string) bool {
 	return mentionPattern.MatchString(content)
 }
 
+// IsMentioned checks if the given content mentions @小石光.
+func (s *CommunityAIService) IsMentioned(content string) bool {
+	return ContainsMention(content)
+}
+
 // ShouldReplyToComment returns true if AI should reply to this comment:
 // - comment mentions @小石光, OR
 // - comment is on an AI-authored answer, OR
diff --git a/frontend/src/components/overlay/CarPage.vue b/frontend/src/components/overlay/CarPage.vue
index ad2e8ad7..6511217c 100644
--- a/frontend/src/components/overlay/CarPage.vue
+++ b/frontend/src/components/overlay/CarPage.vue
@@ -727,7 +727,18 @@ async function onToggleWall(photo: Photo) {
 
   let position: number | undefined
   if (newIsOnWall) {
-    position = wallCount
+    // Find the lowest free slot (0-8) to avoid position collisions
+    const usedPositions = new Set(
+      allPhotos.value
+        .filter((p) => p.is_on_wall && p.id !== photo.id)
+        .map((p) => p.wall_position),
+    )
+    for (let i = 0; i <= 8; i++) {
+      if (!usedPositions.has(i)) {
+        position = i
+        break
+      }
+    }
   }
 
   try {
diff --git a/frontend/src/components/overlay/CommunityPanel.vue b/frontend/src/components/overlay/CommunityPanel.vue
index e4e93cf4..a03f8732 100644
--- a/frontend/src/components/overlay/CommunityPanel.vue
+++ b/frontend/src/components/overlay/CommunityPanel.vue
@@ -216,6 +216,9 @@
         </div>
       </div>
     </div>
+    <Transition name="toast">
+      <div v-if="panelError" class="panel-toast-error">{{ panelError }}</div>
+    </Transition>
   </OverlayPanel>
 </template>
 
@@ -283,6 +286,14 @@ const editingQuestion = ref(false)
 const editQuestionData = ref({ title: '', content: '' })
 const editingAnswerId = ref<string | null>(null)
 const editAnswerContent = ref('')
+const panelError = ref('')
+
+function showPanelError(msg: string) {
+  panelError.value = msg
+  setTimeout(() => {
+    panelError.value = ''
+  }, 4000)
+}
 
 function canModify(authorId: string) {
   return authStore.user?.id === authorId || authStore.user?.is_admin
@@ -409,7 +420,7 @@ async function onCreatePost() {
     selectedTagIds.value = []
     await fetchQuestions(1)
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   } finally {
     posting.value = false
   }
@@ -512,7 +523,7 @@ async function onSubmitReply() {
       }
     }
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -589,7 +600,7 @@ async function onSaveQuestion() {
     )
     editingQuestion.value = false
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -600,7 +611,7 @@ async function onDeleteQuestion() {
     questions.value = questions.value.filter((q) => q.id !== selectedDetail.value!.id)
     closeDetail()
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -619,7 +630,7 @@ async function onSaveAnswer() {
     editingAnswerId.value = null
     editAnswerContent.value = ''
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -635,7 +646,7 @@ async function onDeleteAnswer(a: AnswerListItem) {
       }
     }
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -649,7 +660,7 @@ async function onDeleteComment(c: CommentListItem, answerId: string) {
       a.id === answerId ? { ...a, comment_count: Math.max(0, a.comment_count - 1) } : a,
     )
   } catch (e) {
-    alert(getErrorMessage(e))
+    showPanelError(getErrorMessage(e))
   }
 }
 
@@ -659,6 +670,29 @@ function clearCommentTarget() {
 </script>
 
 <style scoped>
+.panel-toast-error {
+  position: fixed;
+  bottom: 24px;
+  left: 50%;
+  transform: translateX(-50%);
+  background: rgba(220, 53, 69, 0.92);
+  color: #fff;
+  padding: 10px 24px;
+  border-radius: 8px;
+  font-size: 14px;
+  z-index: 9999;
+  pointer-events: none;
+}
+.toast-enter-active,
+.toast-leave-active {
+  transition: opacity 0.3s, transform 0.3s;
+}
+.toast-enter-from,
+.toast-leave-to {
+  opacity: 0;
+  transform: translateX(-50%) translateY(8px);
+}
+
 .community-panel {
   padding: 32px 24px;
   min-height: 100vh;
diff --git a/scripts/dev-setup.sh b/scripts/dev-setup.sh
index 4d01845c..66bbc9d8 100755
--- a/scripts/dev-setup.sh
+++ b/scripts/dev-setup.sh
@@ -175,7 +175,7 @@ if pg_isready -q 2>/dev/null; then
 else
     warn "PostgreSQL is not running, attempting to start..."
     if [[ "$OSTYPE" == darwin* ]]; then
-        brew services start postgresql 2>/dev/null || brew services start postgresql@* 2>/dev/null
+        brew services start postgresql 2>/dev/null || brew services start "$(brew list --formula | grep -m1 '^postgresql@')" 2>/dev/null
     else
         sudo systemctl start postgresql 2>/dev/null
     fi

From b2d1606102eaafb52f8aac065ddaf59e5ca958f7 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 13:29:43 +0800
Subject: [PATCH 05/17] fix: remove response body from openai error message to
 prevent data exposure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 backend/pkg/openai/client.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/pkg/openai/client.go b/backend/pkg/openai/client.go
index 068c73a8..06239cc7 100644
--- a/backend/pkg/openai/client.go
+++ b/backend/pkg/openai/client.go
@@ -92,8 +92,8 @@ func (c *Client) Chat(ctx context.Context, messages []Message) (string, error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("openai chat completion failed: status %d, body: %.500s",
-			resp.StatusCode, string(respBody))
+		return "", fmt.Errorf("openai chat completion failed: status %d, body_len: %d",
+			resp.StatusCode, len(respBody))
 	}
 
 	var chatResp chatResponse

From e378b6d9f3a9edbe6284e22eb3df3f55c0825e34 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 16:46:17 +0800
Subject: [PATCH 06/17] fix: harden security across backend infrastructure

- Add HTTP client timeouts (60s openai, 30s firecrawl) to prevent goroutine hangs
- Add security headers middleware (X-Frame-Options, X-Content-Type-Options, etc.)
- Set trusted proxies to nil so rate limiter uses RemoteAddr, not X-Forwarded-For
- Cap token blacklist at 100k entries with emergency cleanup to prevent OOM
- Add double-check against ".." in photo deletion path to prevent traversal
- Remove response body from firecrawl error message to prevent data leak
- Cap echo handler pagination limit to 100
- Add max length constraints to question/answer/comment content DTOs
- Fully mask DATABASE_URL in admin config endpoint
---
 backend/cmd/server/main.go                    |  2 ++
 backend/internal/dto/answer.go                |  4 ++--
 backend/internal/dto/comment.go               |  2 +-
 backend/internal/dto/question.go              |  4 ++--
 backend/internal/handler/echo.go              |  3 +++
 backend/internal/middleware/security.go       | 15 +++++++++++++++
 backend/internal/middleware/tokenblacklist.go | 15 +++++++++++++++
 backend/internal/service/admin.go             |  2 +-
 backend/internal/service/photo.go             |  5 +++--
 backend/pkg/firecrawl/client.go               |  5 +++--
 backend/pkg/openai/client.go                  |  2 +-
 11 files changed, 48 insertions(+), 11 deletions(-)
 create mode 100644 backend/internal/middleware/security.go

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index e051f4af..5b35b4b0 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -116,7 +116,9 @@ func main() {
 
 	// Setup Gin
 	r := gin.New()
+	_ = r.SetTrustedProxies(nil) // Don't trust any proxy headers by default
 	r.Use(middleware.Recovery())
+	r.Use(middleware.SecurityHeaders())
 	r.Use(middleware.CORS(cfg))
 	r.Use(gin.Logger())
 
diff --git a/backend/internal/dto/answer.go b/backend/internal/dto/answer.go
index 99cd6aac..a4c66c10 100644
--- a/backend/internal/dto/answer.go
+++ b/backend/internal/dto/answer.go
@@ -4,13 +4,13 @@ import "time"
 
 // AnswerCreate is the request body for creating an answer
 type AnswerCreate struct {
-	Content   string   `json:"content" binding:"required,min=1"`
+	Content   string   `json:"content" binding:"required,min=1,max=50000"`
 	ImageURLs []string `json:"image_urls"`
 }
 
 // AnswerUpdate is the request body for updating an answer
 type AnswerUpdate struct {
-	Content *string `json:"content" binding:"omitempty,min=1"`
+	Content *string `json:"content" binding:"omitempty,min=1,max=50000"`
 }
 
 // AnswerListParams holds query parameters for listing answers
diff --git a/backend/internal/dto/comment.go b/backend/internal/dto/comment.go
index ae936163..7ee543ff 100644
--- a/backend/internal/dto/comment.go
+++ b/backend/internal/dto/comment.go
@@ -4,7 +4,7 @@ import "time"
 
 // CommentCreate is the request body for creating a comment
 type CommentCreate struct {
-	Content  string  `json:"content" binding:"required,min=1"`
+	Content  string  `json:"content" binding:"required,min=1,max=10000"`
 	ParentID *string `json:"parent_id"`
 }
 
diff --git a/backend/internal/dto/question.go b/backend/internal/dto/question.go
index a82e29e0..45f95b37 100644
--- a/backend/internal/dto/question.go
+++ b/backend/internal/dto/question.go
@@ -5,7 +5,7 @@ import "time"
 // QuestionCreate is the request body for creating a question
 type QuestionCreate struct {
 	Title     string   `json:"title" binding:"required,min=1,max=200"`
-	Content   string   `json:"content" binding:"required,min=1"`
+	Content   string   `json:"content" binding:"required,min=1,max=50000"`
 	Channel   string   `json:"channel" binding:"required,oneof=professional experience"`
 	ImageURLs []string `json:"image_urls"`
 	TagIDs    []string `json:"tag_ids"`
@@ -14,7 +14,7 @@ type QuestionCreate struct {
 // QuestionUpdate is the request body for updating a question
 type QuestionUpdate struct {
 	Title   *string  `json:"title" binding:"omitempty,min=1,max=200"`
-	Content *string  `json:"content" binding:"omitempty,min=1"`
+	Content *string  `json:"content" binding:"omitempty,min=1,max=50000"`
 	TagIDs  []string `json:"tag_ids"`
 }
 
diff --git a/backend/internal/handler/echo.go b/backend/internal/handler/echo.go
index 650ab62c..5424d610 100644
--- a/backend/internal/handler/echo.go
+++ b/backend/internal/handler/echo.go
@@ -76,6 +76,9 @@ func (h *EchoHandler) GetMemoirs(c *gin.Context) {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid limit"})
 			return
 		}
+		if parsed > 100 {
+			parsed = 100
+		}
 		limit = parsed
 	}
 
diff --git a/backend/internal/middleware/security.go b/backend/internal/middleware/security.go
new file mode 100644
index 00000000..b0ce6c46
--- /dev/null
+++ b/backend/internal/middleware/security.go
@@ -0,0 +1,15 @@
+package middleware
+
+import "github.com/gin-gonic/gin"
+
+// SecurityHeaders adds standard security headers to all responses.
+func SecurityHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-XSS-Protection", "1; mode=block")
+		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
+		c.Header("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
+		c.Next()
+	}
+}
diff --git a/backend/internal/middleware/tokenblacklist.go b/backend/internal/middleware/tokenblacklist.go
index 61d9db63..1aeb2ec1 100644
--- a/backend/internal/middleware/tokenblacklist.go
+++ b/backend/internal/middleware/tokenblacklist.go
@@ -10,6 +10,8 @@ var TokenBlacklist = &tokenBlacklistStore{
 	tokens: make(map[string]time.Time),
 }
 
+const maxBlacklistSize = 100000
+
 type tokenBlacklistStore struct {
 	mu     sync.RWMutex
 	tokens map[string]time.Time
@@ -19,6 +21,19 @@ type tokenBlacklistStore struct {
 func (b *tokenBlacklistStore) Add(token string, expiry time.Time) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
+	if len(b.tokens) >= maxBlacklistSize {
+		// Emergency cleanup: remove expired tokens immediately
+		now := time.Now()
+		for t, exp := range b.tokens {
+			if now.After(exp) {
+				delete(b.tokens, t)
+			}
+		}
+	}
+	// If still at capacity after cleanup, skip adding (token will simply not be blacklisted)
+	if len(b.tokens) >= maxBlacklistSize {
+		return
+	}
 	b.tokens[token] = expiry
 }
 
diff --git a/backend/internal/service/admin.go b/backend/internal/service/admin.go
index 84e3b12f..328d8ca0 100644
--- a/backend/internal/service/admin.go
+++ b/backend/internal/service/admin.go
@@ -251,7 +251,7 @@ func (s *AdminService) GetConfig() []dto.ConfigItem {
 
 	return []dto.ConfigItem{
 		// Read-only
-		{Key: "DATABASE_URL", Value: maskString(s.cfg.DatabaseURL, 15, 0), Editable: false},
+		{Key: "DATABASE_URL", Value: maskString(s.cfg.DatabaseURL, 0, 0), Editable: false},
 		{Key: "JWT_ALGORITHM", Value: s.cfg.JWTAlgorithm, Editable: false},
 		{Key: "PORT", Value: s.cfg.Port, Editable: false},
 		// Editable
diff --git a/backend/internal/service/photo.go b/backend/internal/service/photo.go
index 4f72a33e..8a6f80b6 100644
--- a/backend/internal/service/photo.go
+++ b/backend/internal/service/photo.go
@@ -180,8 +180,9 @@ func (s *PhotoService) DeletePhoto(id, userID string) error {
 	// Remove file from disk if it's a local upload
 	if photo.ImageURL != "" {
 		localPath := filepath.Clean("." + photo.ImageURL)
-		// Ensure the path is under the uploads directory to prevent path traversal
-		if strings.HasPrefix(localPath, "uploads"+string(filepath.Separator)) {
+		// Strict validation: must be under uploads/photos/ and match expected pattern
+		if strings.HasPrefix(localPath, "uploads"+string(filepath.Separator)) &&
+			!strings.Contains(localPath, "..") {
 			_ = os.Remove(localPath)
 		}
 	}
diff --git a/backend/pkg/firecrawl/client.go b/backend/pkg/firecrawl/client.go
index 56eaec8c..acf20577 100644
--- a/backend/pkg/firecrawl/client.go
+++ b/backend/pkg/firecrawl/client.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"time"
 )
 
 type Client struct {
@@ -17,7 +18,7 @@ type Client struct {
 func NewClient(apiKey string) *Client {
 	return &Client{
 		apiKey: apiKey,
-		http:   &http.Client{},
+		http:   &http.Client{Timeout: 30 * time.Second},
 	}
 }
 
@@ -67,7 +68,7 @@ func (c *Client) Search(ctx context.Context, query string, limit int) ([]SearchR
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("firecrawl search failed: status %d, body: %s", resp.StatusCode, string(respBody))
+		return nil, fmt.Errorf("firecrawl search failed: status %d", resp.StatusCode)
 	}
 
 	var searchResp searchResponse
diff --git a/backend/pkg/openai/client.go b/backend/pkg/openai/client.go
index 06239cc7..c2e94ff0 100644
--- a/backend/pkg/openai/client.go
+++ b/backend/pkg/openai/client.go
@@ -31,7 +31,7 @@ func NewClient(apiKey, baseURL, model string) *Client {
 		apiKey:  apiKey,
 		baseURL: baseURL,
 		model:   model,
-		http:    &http.Client{},
+		http:    &http.Client{Timeout: 60 * time.Second},
 	}
 }
 

From dd31ad7a202120d5bf1bf5c0c5f0ab9a048e73c3 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 17:35:03 +0800
Subject: [PATCH 07/17] feat: migrate auth tokens from localStorage to httpOnly
 cookies

Backend:
- Login/refresh endpoints now set refresh token as httpOnly cookie
  (Secure, SameSite=Lax, Path=/api/v1/auth)
- Refresh endpoint reads token from cookie first, falls back to JSON body
- Logout clears the refresh cookie
- New AccessTokenResponse DTO (only access_token in response body)
- AuthHandler now accepts config for cookie settings

Frontend:
- Access token stored in memory only (Vue ref + module variable)
- Removed all localStorage/sessionStorage token management
- Removed X-Access-Token redundant header
- apiClient uses withCredentials:true to send cookies
- Auth store syncs in-memory token via watch()
- Session restored on page load via /auth/refresh (cookie auto-sent)

Security improvement: XSS can no longer steal refresh tokens since
they are invisible to JavaScript (httpOnly). Access tokens are
short-lived and memory-only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 backend/cmd/server/main.go       |  2 +-
 backend/internal/dto/auth.go     |  8 ++++-
 backend/internal/handler/auth.go | 58 +++++++++++++++++++++++++++-----
 frontend/src/lib/apiClient.ts    | 42 +++++++++++------------
 frontend/src/lib/auth.ts         | 57 +++++++++----------------------
 frontend/src/stores/auth.ts      | 55 +++++++++++++-----------------
 6 files changed, 117 insertions(+), 105 deletions(-)

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index 5b35b4b0..fc476749 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -100,7 +100,7 @@ func main() {
 	adminService := service.NewAdminService(cfg, adminRepo, userRepo)
 
 	// Initialize handlers
-	authHandler := handler.NewAuthHandler(authService)
+	authHandler := handler.NewAuthHandler(authService, cfg)
 	questionHandler := handler.NewQuestionHandler(communityService, authService, communityAIService)
 	answerHandler := handler.NewAnswerHandler(communityService, authService, communityAIService)
 	commentHandler := handler.NewCommentHandler(communityService, authService, communityAIService)
diff --git a/backend/internal/dto/auth.go b/backend/internal/dto/auth.go
index f9133357..f2204ba7 100644
--- a/backend/internal/dto/auth.go
+++ b/backend/internal/dto/auth.go
@@ -17,13 +17,19 @@ type LoginRequest struct {
 	Password string `json:"password" binding:"required"`
 }
 
-// TokenResponse is the response body for login/refresh
+// TokenResponse is the response body for login/refresh (internal use)
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	RefreshToken string `json:"refresh_token"`
 	ExpiresIn    int    `json:"expires_in"` // seconds
 }
 
+// AccessTokenResponse is the response body sent to clients (refresh token in cookie only)
+type AccessTokenResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"` // seconds
+}
+
 // RefreshRequest is the request body for token refresh
 type RefreshRequest struct {
 	RefreshToken string `json:"refresh_token" binding:"required"`
diff --git a/backend/internal/handler/auth.go b/backend/internal/handler/auth.go
index e5b7d46d..b391ec2c 100644
--- a/backend/internal/handler/auth.go
+++ b/backend/internal/handler/auth.go
@@ -5,18 +5,36 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/momshell/backend/internal/config"
 	"github.com/momshell/backend/internal/dto"
 	"github.com/momshell/backend/internal/middleware"
 	"github.com/momshell/backend/internal/service"
 	pkgjwt "github.com/momshell/backend/pkg/jwt"
 )
 
+const (
+	refreshTokenCookie = "momshell_refresh_token"
+	refreshCookiePath  = "/api/v1/auth"
+)
+
 type AuthHandler struct {
 	authService *service.AuthService
+	cfg         *config.Config
+}
+
+func NewAuthHandler(authService *service.AuthService, cfg *config.Config) *AuthHandler {
+	return &AuthHandler{authService: authService, cfg: cfg}
 }
 
-func NewAuthHandler(authService *service.AuthService) *AuthHandler {
-	return &AuthHandler{authService: authService}
+func (h *AuthHandler) setRefreshCookie(c *gin.Context, refreshToken string, maxAge int) {
+	secure := !strings.Contains(h.cfg.CORSOrigins, "localhost")
+	c.SetCookie(refreshTokenCookie, refreshToken, maxAge, refreshCookiePath, "", secure, true)
+	c.SetSameSite(http.SameSiteLaxMode)
+}
+
+func (h *AuthHandler) clearRefreshCookie(c *gin.Context) {
+	secure := !strings.Contains(h.cfg.CORSOrigins, "localhost")
+	c.SetCookie(refreshTokenCookie, "", -1, refreshCookiePath, "", secure, true)
 }
 
 // POST /api/v1/auth/register
@@ -54,24 +72,45 @@ func (h *AuthHandler) Login(c *gin.Context) {
 		return
 	}
 
-	c.JSON(http.StatusOK, resp)
+	// Set refresh token as httpOnly cookie
+	maxAge := h.cfg.JWTRefreshTokenExpireDays * 86400
+	h.setRefreshCookie(c, resp.RefreshToken, maxAge)
+
+	// Return only access token in response body
+	c.JSON(http.StatusOK, dto.AccessTokenResponse{
+		AccessToken: resp.AccessToken,
+		ExpiresIn:   resp.ExpiresIn,
+	})
 }
 
 // POST /api/v1/auth/refresh
 func (h *AuthHandler) Refresh(c *gin.Context) {
-	var req dto.RefreshRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
+	// Read refresh token from httpOnly cookie first, fall back to JSON body
+	refreshToken, _ := c.Cookie(refreshTokenCookie)
+	if refreshToken == "" {
+		var req dto.RefreshRequest
+		if err := c.ShouldBindJSON(&req); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "missing refresh token"})
+			return
+		}
+		refreshToken = req.RefreshToken
 	}
 
-	resp, err := h.authService.RefreshToken(req.RefreshToken)
+	resp, err := h.authService.RefreshToken(refreshToken)
 	if err != nil {
+		h.clearRefreshCookie(c)
 		c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()})
 		return
 	}
 
-	c.JSON(http.StatusOK, resp)
+	// Rotate refresh token cookie
+	maxAge := h.cfg.JWTRefreshTokenExpireDays * 86400
+	h.setRefreshCookie(c, resp.RefreshToken, maxAge)
+
+	c.JSON(http.StatusOK, dto.AccessTokenResponse{
+		AccessToken: resp.AccessToken,
+		ExpiresIn:   resp.ExpiresIn,
+	})
 }
 
 // GET /api/v1/auth/me
@@ -122,6 +161,7 @@ func (h *AuthHandler) Logout(c *gin.Context) {
 		}
 	}
 
+	h.clearRefreshCookie(c)
 	c.JSON(http.StatusOK, gin.H{"message": "已退出登录"})
 }
 
diff --git a/frontend/src/lib/apiClient.ts b/frontend/src/lib/apiClient.ts
index a80d25ee..0d9ebf5a 100644
--- a/frontend/src/lib/apiClient.ts
+++ b/frontend/src/lib/apiClient.ts
@@ -3,19 +3,25 @@ import axios, {
   type AxiosError,
   type InternalAxiosRequestConfig,
 } from "axios";
-import {
-  getAccessToken,
-  getRefreshToken,
-  saveTokens,
-  clearTokens,
-  apiRefresh,
-} from "./auth";
+import { apiRefresh } from "./auth";
 
 const API_BASE = import.meta.env.VITE_API_BASE_URL || "";
 
+// In-memory access token — not stored in localStorage
+let currentAccessToken: string | null = null;
+
+export function setAccessToken(token: string | null) {
+  currentAccessToken = token;
+}
+
+export function getAccessToken(): string | null {
+  return currentAccessToken;
+}
+
 const apiClient: AxiosInstance = axios.create({
   baseURL: API_BASE,
   headers: { "Content-Type": "application/json" },
+  withCredentials: true, // Send cookies for refresh token
 });
 
 let isRefreshing = false;
@@ -34,10 +40,8 @@ function processQueue(error: Error | null, token: string | null = null) {
 
 apiClient.interceptors.request.use(
   (config: InternalAxiosRequestConfig) => {
-    const token = getAccessToken();
-    if (token && config.headers) {
-      config.headers.Authorization = `Bearer ${token}`;
-      config.headers["X-Access-Token"] = token;
+    if (currentAccessToken && config.headers) {
+      config.headers.Authorization = `Bearer ${currentAccessToken}`;
     }
     // Let browser set Content-Type with boundary for FormData
     if (config.data instanceof FormData) {
@@ -56,9 +60,6 @@ apiClient.interceptors.response.use(
     };
 
     if (error.response?.status === 401 && !originalRequest._retry) {
-      const currentRefreshToken = getRefreshToken();
-      if (!currentRefreshToken) return Promise.reject(error);
-
       if (isRefreshing) {
         return new Promise((resolve, reject) => {
           failedQueue.push({ resolve, reject });
@@ -76,20 +77,19 @@ apiClient.interceptors.response.use(
       isRefreshing = true;
 
       try {
-        const tokens = await apiRefresh(currentRefreshToken);
-        const rememberMe =
-          localStorage.getItem("momshell_remember_me") === "true";
-        saveTokens(tokens, rememberMe);
+        // Refresh token is sent automatically via httpOnly cookie
+        const resp = await apiRefresh();
+        currentAccessToken = resp.access_token;
 
         if (originalRequest.headers) {
-          originalRequest.headers.Authorization = `Bearer ${tokens.access_token}`;
+          originalRequest.headers.Authorization = `Bearer ${resp.access_token}`;
         }
 
-        processQueue(null, tokens.access_token);
+        processQueue(null, resp.access_token);
         return apiClient(originalRequest);
       } catch (refreshError) {
         processQueue(refreshError as Error, null);
-        clearTokens();
+        currentAccessToken = null;
         return Promise.reject(refreshError);
       } finally {
         isRefreshing = false;
diff --git a/frontend/src/lib/auth.ts b/frontend/src/lib/auth.ts
index 7f0d786a..6304d231 100644
--- a/frontend/src/lib/auth.ts
+++ b/frontend/src/lib/auth.ts
@@ -16,10 +16,8 @@ export interface User {
   created_at: string;
 }
 
-export interface TokenResponse {
+export interface AccessTokenResponse {
   access_token: string;
-  refresh_token: string;
-  token_type: string;
   expires_in: number;
 }
 
@@ -47,6 +45,7 @@ async function fetchJson<T>(url: string, init?: RequestInit): Promise<T> {
   const response = await fetch(url, {
     ...init,
     headers: mergedHeaders,
+    credentials: "include", // Send cookies (for refresh token)
   });
   if (!response.ok) {
     const err = await response.json().catch(() => ({}));
@@ -76,17 +75,17 @@ export function apiRegister(params: RegisterParams): Promise<User> {
   });
 }
 
-export function apiLogin(params: LoginParams): Promise<TokenResponse> {
-  return fetchJson<TokenResponse>(`${AUTH_API}/login`, {
+export function apiLogin(params: LoginParams): Promise<AccessTokenResponse> {
+  return fetchJson<AccessTokenResponse>(`${AUTH_API}/login`, {
     method: "POST",
     body: JSON.stringify(params),
   });
 }
 
-export function apiRefresh(refresh_token: string): Promise<TokenResponse> {
-  return fetchJson<TokenResponse>(`${AUTH_API}/refresh`, {
+// Refresh token is sent automatically via httpOnly cookie
+export function apiRefresh(): Promise<AccessTokenResponse> {
+  return fetchJson<AccessTokenResponse>(`${AUTH_API}/refresh`, {
     method: "POST",
-    body: JSON.stringify({ refresh_token }),
   });
 }
 
@@ -95,7 +94,6 @@ export function apiGetMe(accessToken: string): Promise<User> {
     headers: {
       "Content-Type": "application/json",
       Authorization: `Bearer ${accessToken}`,
-      "X-Access-Token": accessToken,
     },
   });
 }
@@ -109,42 +107,17 @@ export function apiSetRole(
     headers: {
       "Content-Type": "application/json",
       Authorization: `Bearer ${accessToken}`,
-      "X-Access-Token": accessToken,
     },
     body: JSON.stringify({ role }),
   });
 }
 
-// Token storage
-const ACCESS_TOKEN_KEY = "momshell_access_token";
-const REFRESH_TOKEN_KEY = "momshell_refresh_token";
-const REMEMBER_ME_KEY = "momshell_remember_me";
-
-export function saveTokens(tokens: TokenResponse, rememberMe: boolean): void {
-  localStorage.setItem(REMEMBER_ME_KEY, rememberMe.toString());
-  const storage = rememberMe ? localStorage : sessionStorage;
-  storage.setItem(ACCESS_TOKEN_KEY, tokens.access_token);
-  storage.setItem(REFRESH_TOKEN_KEY, tokens.refresh_token);
-}
-
-export function getAccessToken(): string | null {
-  return (
-    localStorage.getItem(ACCESS_TOKEN_KEY) ||
-    sessionStorage.getItem(ACCESS_TOKEN_KEY)
-  );
-}
-
-export function getRefreshToken(): string | null {
-  return (
-    localStorage.getItem(REFRESH_TOKEN_KEY) ||
-    sessionStorage.getItem(REFRESH_TOKEN_KEY)
-  );
-}
-
-export function clearTokens(): void {
-  localStorage.removeItem(ACCESS_TOKEN_KEY);
-  localStorage.removeItem(REFRESH_TOKEN_KEY);
-  localStorage.removeItem(REMEMBER_ME_KEY);
-  sessionStorage.removeItem(ACCESS_TOKEN_KEY);
-  sessionStorage.removeItem(REFRESH_TOKEN_KEY);
+export function apiLogout(accessToken: string): Promise<void> {
+  return fetch(`${AUTH_API}/logout`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+    credentials: "include",
+  }).then(() => undefined);
 }
diff --git a/frontend/src/stores/auth.ts b/frontend/src/stores/auth.ts
index 8052acf9..3e527416 100644
--- a/frontend/src/stores/auth.ts
+++ b/frontend/src/stores/auth.ts
@@ -1,5 +1,5 @@
 import { defineStore } from "pinia";
-import { ref, computed } from "vue";
+import { ref, computed, watch } from "vue";
 import {
   type User,
   type LoginParams,
@@ -9,11 +9,9 @@ import {
   apiGetMe,
   apiRefresh,
   apiSetRole,
-  saveTokens,
-  getAccessToken,
-  getRefreshToken,
-  clearTokens,
+  apiLogout,
 } from "@/lib/auth";
+import { setAccessToken } from "@/lib/apiClient";
 
 export const useAuthStore = defineStore("auth", () => {
   const user = ref<User | null>(null);
@@ -23,26 +21,25 @@ export const useAuthStore = defineStore("auth", () => {
 
   const isAuthenticated = computed(() => !!user.value && !!accessToken.value);
 
+  // Keep apiClient's in-memory token in sync with the store
+  watch(accessToken, (token) => {
+    setAccessToken(token);
+  });
+
   async function init() {
-    const storedToken = getAccessToken();
-    if (storedToken) {
-      try {
-        const userInfo = await apiGetMe(storedToken);
-        user.value = userInfo;
-        accessToken.value = storedToken;
-      } catch {
-        const refreshed = await refreshAuth();
-        if (!refreshed) clearTokens();
-      }
+    // Try to restore session via httpOnly refresh cookie
+    const refreshed = await refreshAuth();
+    if (!refreshed) {
+      user.value = null;
+      accessToken.value = null;
     }
     isLoading.value = false;
   }
 
-  async function login(params: LoginParams, rememberMe = true) {
-    const tokens = await apiLogin(params);
-    saveTokens(tokens, rememberMe);
-    accessToken.value = tokens.access_token;
-    const userInfo = await apiGetMe(tokens.access_token);
+  async function login(params: LoginParams) {
+    const resp = await apiLogin(params);
+    accessToken.value = resp.access_token;
+    const userInfo = await apiGetMe(resp.access_token);
     user.value = userInfo;
     isGuest.value = false;
   }
@@ -61,7 +58,9 @@ export const useAuthStore = defineStore("auth", () => {
   }
 
   function logout() {
-    clearTokens();
+    if (accessToken.value) {
+      apiLogout(accessToken.value).catch(() => {});
+    }
     user.value = null;
     accessToken.value = null;
     isGuest.value = false;
@@ -72,20 +71,14 @@ export const useAuthStore = defineStore("auth", () => {
   }
 
   async function refreshAuth(): Promise<boolean> {
-    const currentRefreshToken = getRefreshToken();
-    if (!currentRefreshToken) return false;
-
     try {
-      const tokens = await apiRefresh(currentRefreshToken);
-      const rememberMe =
-        localStorage.getItem("momshell_remember_me") === "true";
-      saveTokens(tokens, rememberMe);
-      accessToken.value = tokens.access_token;
-      const userInfo = await apiGetMe(tokens.access_token);
+      // Refresh token is sent automatically via httpOnly cookie
+      const resp = await apiRefresh();
+      accessToken.value = resp.access_token;
+      const userInfo = await apiGetMe(resp.access_token);
       user.value = userInfo;
       return true;
     } catch {
-      clearTokens();
       user.value = null;
       accessToken.value = null;
       return false;

From 98d1856d7a8c09d8b22d4b46824505fb9b753118 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 18:15:05 +0800
Subject: [PATCH 08/17] fix: add missing autocomplete attribute to nickname
 input

Resolves Chrome DevTools DOM warning about missing autocomplete
attribute on the registration nickname input field.
---
 frontend/src/components/overlay/AuthPanel.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/overlay/AuthPanel.vue b/frontend/src/components/overlay/AuthPanel.vue
index a40fa2e5..15a9ae75 100644
--- a/frontend/src/components/overlay/AuthPanel.vue
+++ b/frontend/src/components/overlay/AuthPanel.vue
@@ -57,7 +57,7 @@
         </label>
         <label class="auth-label">
           <span>昵称</span>
-          <input v-model="regForm.nickname" type="text" class="auth-input" required maxlength="50" />
+          <input v-model="regForm.nickname" type="text" class="auth-input" required maxlength="50" autocomplete="nickname" />
         </label>
         <label class="auth-label">
           <span>密码</span>

From 814c609a12203e43b24f0387bf65c6020323d2fa Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 19:46:54 +0800
Subject: [PATCH 09/17] feat: add photo lifecycle management with auto-cleanup
 and admin control
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add background scheduler that deletes off-wall photos older than 30
  days, including disk files (6h interval, batch processing)
- Add admin photo API: GET /admin/photos (paginated, filtered),
  DELETE /admin/photos/:id (with disk file removal)
- Add photo stats (total_photos, wall_photos) to admin dashboard
- Add "照片管理" tab to admin HTML panel with filters, pagination,
  delete confirmation modal, and "返回主站" navigation link
- Adapt AI image generation protagonist gender based on user role:
  dad (守护者) defaults to male, mom (溯源者) defaults to female
---
 backend/cmd/server/main.go                  |   8 +-
 backend/internal/admin/admin.html           | 187 +++++++++++++++++++-
 backend/internal/dto/admin.go               |  23 +++
 backend/internal/handler/admin.go           |  36 ++++
 backend/internal/repository/admin.go        |   9 +
 backend/internal/repository/photo.go        |  46 +++++
 backend/internal/router/router.go           |   2 +
 backend/internal/scheduler/photo_cleanup.go |  74 ++++++++
 backend/internal/service/admin.go           |  58 +++++-
 backend/internal/service/photo.go           |  34 +++-
 10 files changed, 469 insertions(+), 8 deletions(-)
 create mode 100644 backend/internal/scheduler/photo_cleanup.go

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index fc476749..bdb1ed3a 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -12,6 +12,7 @@ import (
 	"github.com/momshell/backend/internal/model"
 	"github.com/momshell/backend/internal/repository"
 	"github.com/momshell/backend/internal/router"
+	"github.com/momshell/backend/internal/scheduler"
 	"github.com/momshell/backend/internal/service"
 	"github.com/momshell/backend/pkg/firecrawl"
 	"github.com/momshell/backend/pkg/openai"
@@ -75,7 +76,7 @@ func main() {
 
 	chatService := service.NewChatService(chatClient, chatRepo, firecrawlClient)
 	echoService := service.NewEchoService(chatClient, echoRepo, userRepo)
-	photoService := service.NewPhotoService(photoRepo, chatClient, cfg.ImageModel)
+	photoService := service.NewPhotoService(photoRepo, userRepo, chatClient, cfg.ImageModel)
 	whisperService := service.NewWhisperService(whisperRepo, userRepo, chatClient)
 	taskService := service.NewTaskService(taskRepo, userRepo)
 
@@ -97,7 +98,10 @@ func main() {
 
 	// Initialize admin layer
 	adminRepo := repository.NewAdminRepo(db)
-	adminService := service.NewAdminService(cfg, adminRepo, userRepo)
+	adminService := service.NewAdminService(cfg, adminRepo, userRepo, photoRepo)
+
+	// Start background schedulers
+	scheduler.StartPhotoCleanup(photoRepo)
 
 	// Initialize handlers
 	authHandler := handler.NewAuthHandler(authService, cfg)
diff --git a/backend/internal/admin/admin.html b/backend/internal/admin/admin.html
index c0402b1b..3528ed29 100644
--- a/backend/internal/admin/admin.html
+++ b/backend/internal/admin/admin.html
@@ -22,6 +22,9 @@
                     <h1 class="text-3xl font-bold text-gray-800">MomShell</h1>
                     <p class="text-gray-500 mt-2">管理员登录</p>
                 </div>
+                <div class="mb-4">
+                    <a href="/" class="text-sm text-blue-600 hover:text-blue-800 font-medium">← 返回主站</a>
+                </div>
                 <div class="space-y-4">
                     <div>
                         <label class="block text-sm font-medium text-gray-700 mb-1">用户名 / 邮箱</label>
@@ -75,8 +78,16 @@ <h1 class="text-xl font-bold text-gray-800">MomShell</h1>
                             class="w-full text-left px-4 py-2.5 rounded-lg text-sm font-medium transition">
                         ⚙️ 系统配置
                     </button>
+                    <button @click="currentPage = 'photos'; loadPhotos()"
+                            :class="currentPage === 'photos' ? 'bg-blue-50 text-blue-700' : 'text-gray-600 hover:bg-gray-50'"
+                            class="w-full text-left px-4 py-2.5 rounded-lg text-sm font-medium transition">
+                        📷 照片管理
+                    </button>
                 </nav>
-                <div class="p-4 border-t border-gray-200">
+                <div class="p-4 border-t border-gray-200 space-y-1">
+                    <a href="/" class="block w-full text-left px-4 py-2 rounded-lg text-sm text-blue-600 hover:bg-blue-50 transition font-medium">
+                        ← 返回主站
+                    </a>
                     <button @click="logout()" class="w-full text-left px-4 py-2 rounded-lg text-sm text-gray-500 hover:bg-gray-50 transition">
                         🚪 退出登录
                     </button>
@@ -110,7 +121,7 @@ <h2 class="text-2xl font-bold text-gray-800 mb-6">仪表盘</h2>
                     </div>
 
                     <!-- Content Stats -->
-                    <div class="grid grid-cols-1 md:grid-cols-3 gap-6 mb-8">
+                    <div class="grid grid-cols-1 md:grid-cols-5 gap-6 mb-8">
                         <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6">
                             <p class="text-sm text-gray-500">问题总数</p>
                             <p class="text-2xl font-bold text-gray-800 mt-1" x-text="stats.total_questions || 0"></p>
@@ -123,6 +134,14 @@ <h2 class="text-2xl font-bold text-gray-800 mb-6">仪表盘</h2>
                             <p class="text-sm text-gray-500">认证总数</p>
                             <p class="text-2xl font-bold text-gray-800 mt-1" x-text="stats.total_certifications || 0"></p>
                         </div>
+                        <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6">
+                            <p class="text-sm text-gray-500">总照片数</p>
+                            <p class="text-2xl font-bold text-indigo-600 mt-1" x-text="stats.total_photos || 0"></p>
+                        </div>
+                        <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6">
+                            <p class="text-sm text-gray-500">上墙照片数</p>
+                            <p class="text-2xl font-bold text-pink-600 mt-1" x-text="stats.wall_photos || 0"></p>
+                        </div>
                     </div>
 
                     <!-- Role Distribution -->
@@ -278,6 +297,93 @@ <h2 class="text-2xl font-bold text-gray-800 mb-6">系统配置</h2>
                         </div>
                     </div>
                 </div>
+
+                <!-- Photos Page -->
+                <div x-show="currentPage === 'photos'" class="p-8 fade-in">
+                    <h2 class="text-2xl font-bold text-gray-800 mb-6">照片管理</h2>
+
+                    <!-- Filters -->
+                    <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-4 mb-6">
+                        <div class="flex flex-wrap gap-4 items-center">
+                            <input type="text" x-model="photoFilters.search"
+                                   @input.debounce.300ms="photoFilters.page = 1; loadPhotos()"
+                                   placeholder="搜索标题..."
+                                   class="px-4 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none w-64">
+                            <input type="text" x-model="photoFilters.user_id"
+                                   @input.debounce.300ms="photoFilters.page = 1; loadPhotos()"
+                                   placeholder="用户ID..."
+                                   class="px-4 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none w-64">
+                            <select x-model="photoFilters.source" @change="photoFilters.page = 1; loadPhotos()"
+                                    class="px-4 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none">
+                                <option value="">全部来源</option>
+                                <option value="upload">上传</option>
+                                <option value="ai_generated">AI 生成</option>
+                            </select>
+                            <select x-model="photoFilters.on_wall" @change="photoFilters.page = 1; loadPhotos()"
+                                    class="px-4 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none">
+                                <option value="">全部状态</option>
+                                <option value="true">已上墙</option>
+                                <option value="false">未上墙</option>
+                            </select>
+                        </div>
+                    </div>
+
+                    <!-- Photos Table -->
+                    <div class="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
+                        <table class="w-full">
+                            <thead class="bg-gray-50 border-b border-gray-200">
+                                <tr>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">预览</th>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">标题</th>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">用户</th>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">来源</th>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">上墙</th>
+                                    <th class="text-left px-6 py-3 text-xs font-medium text-gray-500 uppercase">创建时间</th>
+                                    <th class="text-right px-6 py-3 text-xs font-medium text-gray-500 uppercase">操作</th>
+                                </tr>
+                            </thead>
+                            <tbody class="divide-y divide-gray-200">
+                                <template x-for="photo in photos" :key="photo.id">
+                                    <tr class="hover:bg-gray-50 transition">
+                                        <td class="px-6 py-4">
+                                            <img :src="photo.image_url" class="w-12 h-12 rounded object-cover" alt="">
+                                        </td>
+                                        <td class="px-6 py-4 text-sm text-gray-800 max-w-[200px] truncate" x-text="photo.title || '-'"></td>
+                                        <td class="px-6 py-4 text-sm text-gray-600" x-text="photo.username || photo.user_id"></td>
+                                        <td class="px-6 py-4">
+                                            <span class="px-2 py-1 rounded-full text-xs font-medium"
+                                                  :class="photo.source === 'upload' ? 'bg-blue-100 text-blue-700' : 'bg-purple-100 text-purple-700'"
+                                                  x-text="photo.source === 'upload' ? '上传' : 'AI 生成'"></span>
+                                        </td>
+                                        <td class="px-6 py-4">
+                                            <span x-show="photo.is_on_wall" class="px-2 py-1 rounded-full text-xs font-medium bg-green-100 text-green-700">已上墙</span>
+                                            <span x-show="!photo.is_on_wall" class="px-2 py-1 rounded-full text-xs font-medium bg-gray-100 text-gray-500">未上墙</span>
+                                        </td>
+                                        <td class="px-6 py-4 text-sm text-gray-500" x-text="formatDate(photo.created_at)"></td>
+                                        <td class="px-6 py-4 text-right">
+                                            <button @click="confirmDeletePhoto(photo)" class="text-red-600 hover:text-red-800 text-sm font-medium">删除</button>
+                                        </td>
+                                    </tr>
+                                </template>
+                                <template x-if="photos.length === 0">
+                                    <tr><td colspan="7" class="px-6 py-12 text-center text-gray-400">暂无数据</td></tr>
+                                </template>
+                            </tbody>
+                        </table>
+
+                        <!-- Pagination -->
+                        <div class="px-6 py-4 border-t border-gray-200 flex items-center justify-between bg-gray-50">
+                            <p class="text-sm text-gray-500">共 <span x-text="photoPagination.total"></span> 条</p>
+                            <div class="flex items-center gap-2">
+                                <button @click="photoFilters.page--; loadPhotos()" :disabled="photoFilters.page <= 1"
+                                        class="px-3 py-1 border border-gray-300 rounded text-sm disabled:opacity-50 hover:bg-white transition">上一页</button>
+                                <span class="text-sm text-gray-600" x-text="photoFilters.page + ' / ' + photoPagination.totalPages"></span>
+                                <button @click="photoFilters.page++; loadPhotos()" :disabled="photoFilters.page >= photoPagination.totalPages"
+                                        class="px-3 py-1 border border-gray-300 rounded text-sm disabled:opacity-50 hover:bg-white transition">下一页</button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
             </main>
         </div>
     </template>
@@ -376,6 +482,31 @@ <h3 class="text-lg font-bold text-gray-800 mb-2">确认删除</h3>
         </div>
     </template>
 
+    <!-- Delete Photo Confirm Modal -->
+    <template x-if="showDeletePhotoModal">
+        <div class="fixed inset-0 bg-black/40 flex items-center justify-center z-50" @click.self="showDeletePhotoModal = false">
+            <div class="bg-white rounded-2xl shadow-xl w-full max-w-sm p-6 fade-in">
+                <h3 class="text-lg font-bold text-gray-800 mb-2">确认删除照片</h3>
+                <p class="text-sm text-gray-600 mb-4">确定要删除这张照片吗？此操作不可恢复。</p>
+                <template x-if="deletingPhoto">
+                    <img :src="deletingPhoto.image_url" class="w-full h-32 object-cover rounded-lg mb-4" alt="">
+                </template>
+                <template x-if="deletePhotoError">
+                    <p class="text-red-500 text-sm mb-4" x-text="deletePhotoError"></p>
+                </template>
+                <div class="flex justify-end gap-3">
+                    <button @click="showDeletePhotoModal = false"
+                            class="px-4 py-2 border border-gray-300 rounded-lg text-sm text-gray-600 hover:bg-gray-50 transition">取消</button>
+                    <button @click="deleteAdminPhoto()" :disabled="deletePhotoLoading"
+                            class="px-4 py-2 bg-red-600 text-white rounded-lg text-sm hover:bg-red-700 transition disabled:opacity-50">
+                        <span x-show="!deletePhotoLoading">删除</span>
+                        <span x-show="deletePhotoLoading">删除中...</span>
+                    </button>
+                </div>
+            </div>
+        </div>
+    </template>
+
     <!-- Toast -->
     <template x-if="toast.show">
         <div class="fixed top-6 right-6 z-50 fade-in">
@@ -423,6 +554,15 @@ <h3 class="text-lg font-bold text-gray-800 mb-2">确认删除</h3>
         configEdits: {},
         configSaving: false,
 
+        // Photos
+        photos: [],
+        photoFilters: { search: '', user_id: '', source: '', on_wall: '', page: 1, page_size: 20 },
+        photoPagination: { total: 0, totalPages: 0 },
+        showDeletePhotoModal: false,
+        deletingPhoto: null,
+        deletePhotoError: '',
+        deletePhotoLoading: false,
+
         // Toast
         toast: { show: false, message: '', type: 'success' },
 
@@ -650,6 +790,49 @@ <h3 class="text-lg font-bold text-gray-800 mb-2">确认删除</h3>
             }
         },
 
+        // --- Photos ---
+        async loadPhotos() {
+            try {
+                const params = new URLSearchParams();
+                params.set('page', this.photoFilters.page);
+                params.set('page_size', this.photoFilters.page_size);
+                if (this.photoFilters.search) params.set('search', this.photoFilters.search);
+                if (this.photoFilters.user_id) params.set('user_id', this.photoFilters.user_id);
+                if (this.photoFilters.source) params.set('source', this.photoFilters.source);
+                if (this.photoFilters.on_wall) params.set('on_wall', this.photoFilters.on_wall);
+
+                const data = await this.api('GET', '/admin/photos?' + params.toString());
+                this.photos = data.items || [];
+                this.photoPagination.total = data.total;
+                this.photoPagination.totalPages = data.total_pages;
+            } catch (e) {
+                if (e.message.includes('未授权') || e.message.includes('权限')) {
+                    this.logout();
+                }
+            }
+        },
+
+        confirmDeletePhoto(photo) {
+            this.deletingPhoto = photo;
+            this.deletePhotoError = '';
+            this.showDeletePhotoModal = true;
+        },
+
+        async deleteAdminPhoto() {
+            this.deletePhotoError = '';
+            this.deletePhotoLoading = true;
+            try {
+                await this.api('DELETE', '/admin/photos/' + this.deletingPhoto.id);
+                this.showToast('照片已删除');
+                this.showDeletePhotoModal = false;
+                this.loadPhotos();
+            } catch (e) {
+                this.deletePhotoError = e.message;
+            } finally {
+                this.deletePhotoLoading = false;
+            }
+        },
+
         // --- Helpers ---
         roleLabel(role) {
             const map = {
diff --git a/backend/internal/dto/admin.go b/backend/internal/dto/admin.go
index 37c9d03c..19cc7dc7 100644
--- a/backend/internal/dto/admin.go
+++ b/backend/internal/dto/admin.go
@@ -77,6 +77,8 @@ type DashboardStats struct {
 	TotalQuestions      int64            `json:"total_questions"`
 	TotalAnswers        int64            `json:"total_answers"`
 	TotalCertifications int64            `json:"total_certifications"`
+	TotalPhotos         int64            `json:"total_photos"`
+	WallPhotos          int64            `json:"wall_photos"`
 }
 
 // ConfigItem represents a single configuration item
@@ -90,3 +92,24 @@ type ConfigItem struct {
 type ConfigUpdateRequest struct {
 	Items map[string]string `json:"items" binding:"required"`
 }
+
+// AdminPhotoListParams holds query parameters for admin photo listing
+type AdminPhotoListParams struct {
+	PaginationParams
+	Search string `form:"search"`
+	UserID string `form:"user_id"`
+	Source string `form:"source"`
+	OnWall string `form:"on_wall"`
+}
+
+// AdminPhotoListItem is a photo row in admin photo list
+type AdminPhotoListItem struct {
+	ID        string    `json:"id"`
+	UserID    string    `json:"user_id"`
+	Username  string    `json:"username"`
+	Title     string    `json:"title"`
+	ImageURL  string    `json:"image_url"`
+	IsOnWall  bool      `json:"is_on_wall"`
+	Source    string    `json:"source"`
+	CreatedAt time.Time `json:"created_at"`
+}
diff --git a/backend/internal/handler/admin.go b/backend/internal/handler/admin.go
index 5d10e8e7..e0a8a5a7 100644
--- a/backend/internal/handler/admin.go
+++ b/backend/internal/handler/admin.go
@@ -199,3 +199,39 @@ func (h *AdminHandler) UpdateConfig(c *gin.Context) {
 
 	c.JSON(http.StatusOK, gin.H{"message": "配置已更新"})
 }
+
+// ListPhotos returns paginated photo list for admin
+func (h *AdminHandler) ListPhotos(c *gin.Context) {
+	if _, ok := h.requireAdmin(c); !ok {
+		return
+	}
+
+	var params dto.AdminPhotoListParams
+	if err := c.ShouldBindQuery(&params); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "参数错误"})
+		return
+	}
+
+	resp, err := h.adminService.ListPhotos(params)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, resp)
+}
+
+// DeletePhoto deletes a photo by ID (admin)
+func (h *AdminHandler) DeletePhoto(c *gin.Context) {
+	if _, ok := h.requireAdmin(c); !ok {
+		return
+	}
+
+	id := c.Param("id")
+	if err := h.adminService.DeletePhoto(id); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "照片已删除"})
+}
diff --git a/backend/internal/repository/admin.go b/backend/internal/repository/admin.go
index 9a7a30e2..888b8381 100644
--- a/backend/internal/repository/admin.go
+++ b/backend/internal/repository/admin.go
@@ -113,3 +113,12 @@ func (r *AdminRepo) CountCertifications() (int64, error) {
 	err := r.db.Model(&model.UserCertification{}).Count(&count).Error
 	return count, err
 }
+
+// CountPhotos returns total photo count and wall photo count
+func (r *AdminRepo) CountPhotos() (total, wall int64, err error) {
+	if err = r.db.Model(&model.Photo{}).Count(&total).Error; err != nil {
+		return
+	}
+	err = r.db.Model(&model.Photo{}).Where("is_on_wall = ?", true).Count(&wall).Error
+	return
+}
diff --git a/backend/internal/repository/photo.go b/backend/internal/repository/photo.go
index ae1f622f..d4bfd213 100644
--- a/backend/internal/repository/photo.go
+++ b/backend/internal/repository/photo.go
@@ -1,6 +1,8 @@
 package repository
 
 import (
+	"time"
+
 	"github.com/momshell/backend/internal/model"
 	"gorm.io/gorm"
 )
@@ -101,3 +103,47 @@ type WallUpdate struct {
 	PhotoID  string
 	Position int
 }
+
+// FindExpiredOffWall returns photos not on the wall created before the given time.
+func (r *PhotoRepo) FindExpiredOffWall(before time.Time, limit int) ([]model.Photo, error) {
+	var photos []model.Photo
+	err := r.db.Where("is_on_wall = ? AND created_at < ?", false, before).
+		Order("created_at asc").Limit(limit).Find(&photos).Error
+	return photos, err
+}
+
+// DeleteByID deletes a photo by ID without user scoping (admin use).
+func (r *PhotoRepo) DeleteByID(id string) error {
+	return r.db.Where("id = ?", id).Delete(&model.Photo{}).Error
+}
+
+// FindAllPaginated returns all photos with optional filters for admin listing.
+func (r *PhotoRepo) FindAllPaginated(search, userID, source, onWall string, limit, offset int) ([]model.Photo, int64, error) {
+	query := r.db.Model(&model.Photo{}).Preload("User")
+
+	if search != "" {
+		like := "%" + search + "%"
+		query = query.Where("title ILIKE ?", like)
+	}
+	if userID != "" {
+		query = query.Where("user_id = ?", userID)
+	}
+	if source != "" {
+		query = query.Where("source = ?", source)
+	}
+	switch onWall {
+	case "true":
+		query = query.Where("is_on_wall = ?", true)
+	case "false":
+		query = query.Where("is_on_wall = ?", false)
+	}
+
+	var total int64
+	if err := query.Count(&total).Error; err != nil {
+		return nil, 0, err
+	}
+
+	var photos []model.Photo
+	err := query.Order("created_at DESC").Offset(offset).Limit(limit).Find(&photos).Error
+	return photos, total, err
+}
diff --git a/backend/internal/router/router.go b/backend/internal/router/router.go
index 568ef1e6..d2629802 100644
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -200,5 +200,7 @@ func Setup(
 		adminAPI.DELETE("/users/:id", adminHandler.DeleteUser)
 		adminAPI.GET("/config", adminHandler.GetConfig)
 		adminAPI.PATCH("/config", adminHandler.UpdateConfig)
+		adminAPI.GET("/photos", adminHandler.ListPhotos)
+		adminAPI.DELETE("/photos/:id", adminHandler.DeletePhoto)
 	}
 }
diff --git a/backend/internal/scheduler/photo_cleanup.go b/backend/internal/scheduler/photo_cleanup.go
new file mode 100644
index 00000000..41811f03
--- /dev/null
+++ b/backend/internal/scheduler/photo_cleanup.go
@@ -0,0 +1,74 @@
+package scheduler
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/momshell/backend/internal/repository"
+)
+
+const (
+	cleanupInterval = 6 * time.Hour
+	expireAge       = 365 * 24 * time.Hour
+	batchSize       = 100
+)
+
+// StartPhotoCleanup launches a background goroutine that periodically deletes
+// photos with is_on_wall=false older than 30 days, including their disk files.
+func StartPhotoCleanup(photoRepo *repository.PhotoRepo) {
+	go func() {
+		log.Println("photo cleanup scheduler started")
+
+		// Run immediately on start, then every 6 hours.
+		runCleanup(photoRepo)
+
+		ticker := time.NewTicker(cleanupInterval)
+		defer ticker.Stop()
+		for range ticker.C {
+			runCleanup(photoRepo)
+		}
+	}()
+}
+
+func runCleanup(photoRepo *repository.PhotoRepo) {
+	cutoff := time.Now().Add(-expireAge)
+	totalDeleted := 0
+
+	for {
+		photos, err := photoRepo.FindExpiredOffWall(cutoff, batchSize)
+		if err != nil {
+			log.Printf("photo cleanup: query error: %v", err)
+			break
+		}
+		if len(photos) == 0 {
+			break
+		}
+
+		for _, p := range photos {
+			removePhotoFile(p.ImageURL)
+			if err := photoRepo.DeleteByID(p.ID); err != nil {
+				log.Printf("photo cleanup: delete error id=%s: %v", p.ID, err)
+				continue
+			}
+			totalDeleted++
+		}
+	}
+
+	if totalDeleted > 0 {
+		log.Printf("photo cleanup: deleted %d expired photos", totalDeleted)
+	}
+}
+
+func removePhotoFile(imageURL string) {
+	if imageURL == "" {
+		return
+	}
+	localPath := filepath.Clean("." + imageURL)
+	if strings.HasPrefix(localPath, "uploads"+string(filepath.Separator)) &&
+		!strings.Contains(localPath, "..") {
+		_ = os.Remove(localPath)
+	}
+}
diff --git a/backend/internal/service/admin.go b/backend/internal/service/admin.go
index 328d8ca0..e0b2d093 100644
--- a/backend/internal/service/admin.go
+++ b/backend/internal/service/admin.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
@@ -19,14 +20,16 @@ type AdminService struct {
 	cfg       *config.Config
 	adminRepo *repository.AdminRepo
 	userRepo  *repository.UserRepo
+	photoRepo *repository.PhotoRepo
 	mu        sync.RWMutex
 }
 
-func NewAdminService(cfg *config.Config, adminRepo *repository.AdminRepo, userRepo *repository.UserRepo) *AdminService {
+func NewAdminService(cfg *config.Config, adminRepo *repository.AdminRepo, userRepo *repository.UserRepo, photoRepo *repository.PhotoRepo) *AdminService {
 	return &AdminService{
 		cfg:       cfg,
 		adminRepo: adminRepo,
 		userRepo:  userRepo,
+		photoRepo: photoRepo,
 	}
 }
 
@@ -57,6 +60,11 @@ func (s *AdminService) GetDashboardStats() (*dto.DashboardStats, error) {
 		return nil, fmt.Errorf("统计认证失败: %w", err)
 	}
 
+	totalPhotos, wallPhotos, err := s.adminRepo.CountPhotos()
+	if err != nil {
+		return nil, fmt.Errorf("统计照片失败: %w", err)
+	}
+
 	return &dto.DashboardStats{
 		TotalUsers:          total,
 		ActiveUsers:         active,
@@ -66,6 +74,8 @@ func (s *AdminService) GetDashboardStats() (*dto.DashboardStats, error) {
 		TotalQuestions:      questions,
 		TotalAnswers:        answers,
 		TotalCertifications: certifications,
+		TotalPhotos:         totalPhotos,
+		WallPhotos:          wallPhotos,
 	}, nil
 }
 
@@ -227,6 +237,52 @@ func (s *AdminService) DeleteUser(id, adminID string) error {
 	return s.adminRepo.DeleteUser(id)
 }
 
+// ListPhotos returns a paginated list of all photos for admin
+func (s *AdminService) ListPhotos(params dto.AdminPhotoListParams) (*dto.PaginatedResponse, error) {
+	offset := params.GetOffset()
+	limit := params.GetPageSize()
+
+	photos, total, err := s.photoRepo.FindAllPaginated(params.Search, params.UserID, params.Source, params.OnWall, limit, offset)
+	if err != nil {
+		return nil, fmt.Errorf("查询照片列表失败: %w", err)
+	}
+
+	items := make([]dto.AdminPhotoListItem, len(photos))
+	for i, p := range photos {
+		items[i] = dto.AdminPhotoListItem{
+			ID:        p.ID,
+			UserID:    p.UserID,
+			Username:  p.User.Username,
+			Title:     p.Title,
+			ImageURL:  p.ImageURL,
+			IsOnWall:  p.IsOnWall,
+			Source:    p.Source,
+			CreatedAt: p.CreatedAt,
+		}
+	}
+
+	resp := dto.NewPaginatedResponse(items, total, params.GetPage(), params.GetPageSize())
+	return &resp, nil
+}
+
+// DeletePhoto deletes a photo by ID (admin, no user scope) and removes the disk file.
+func (s *AdminService) DeletePhoto(id string) error {
+	photo, err := s.photoRepo.FindByID(id)
+	if err != nil {
+		return errors.New("照片不存在")
+	}
+
+	if photo.ImageURL != "" {
+		localPath := filepath.Clean("." + photo.ImageURL)
+		if strings.HasPrefix(localPath, "uploads"+string(filepath.Separator)) &&
+			!strings.Contains(localPath, "..") {
+			_ = os.Remove(localPath)
+		}
+	}
+
+	return s.photoRepo.DeleteByID(id)
+}
+
 // maskString masks a string, showing first n and last m characters
 func maskString(s string, showPrefix, showSuffix int) string {
 	if len(s) <= showPrefix+showSuffix {
diff --git a/backend/internal/service/photo.go b/backend/internal/service/photo.go
index 8a6f80b6..4eed6bd1 100644
--- a/backend/internal/service/photo.go
+++ b/backend/internal/service/photo.go
@@ -23,19 +23,21 @@ import (
 )
 
 const (
-	maxPhotosPerUser = 50
+	maxPhotosPerUser = 25
 	maxWallPhotos    = 9
 )
 
 type PhotoService struct {
 	photoRepo  *repository.PhotoRepo
+	userRepo   *repository.UserRepo
 	aiClient   *openai.Client
 	imageModel string
 }
 
-func NewPhotoService(photoRepo *repository.PhotoRepo, aiClient *openai.Client, imageModel string) *PhotoService {
+func NewPhotoService(photoRepo *repository.PhotoRepo, userRepo *repository.UserRepo, aiClient *openai.Client, imageModel string) *PhotoService {
 	return &PhotoService{
 		photoRepo:  photoRepo,
+		userRepo:   userRepo,
 		aiClient:   aiClient,
 		imageModel: imageModel,
 	}
@@ -117,7 +119,13 @@ func (s *PhotoService) GeneratePhoto(ctx context.Context, userID string, req dto
 		return nil, fmt.Errorf("photo limit reached (max %d)", maxPhotosPerUser)
 	}
 
-	imgResp, err := s.aiClient.GenerateImage(ctx, s.imageModel, req.Prompt)
+	var userRole string
+	if user, err := s.userRepo.FindByID(userID); err == nil {
+		userRole = string(user.Role)
+	}
+
+	styledPrompt := buildImagePrompt(req.Prompt, userRole)
+	imgResp, err := s.aiClient.GenerateImage(ctx, s.imageModel, styledPrompt)
 	if err != nil {
 		return nil, fmt.Errorf("image generation failed: %w", err)
 	}
@@ -346,6 +354,26 @@ func truncate(s string, maxLen int) string {
 	return s
 }
 
+// buildImagePrompt wraps the user's content description with style guidance.
+// Rules:
+//  1. Use flat cartoon / warm illustration style
+//  2. Treat the user input as scene content, not a literal title
+//  3. Default protagonist gender is based on user role: dad → male, otherwise female
+func buildImagePrompt(userContent, userRole string) string {
+	genderHint := "depict the person as a young woman"
+	if userRole == "dad" {
+		genderHint = "depict the person as a young man"
+	}
+
+	return fmt.Sprintf(
+		"Flat cartoon style, warm pastel color illustration, soft lighting, cozy atmosphere. "+
+			"Scene description: %s. "+
+			"If the scene includes a person and no gender is specified, %s. "+
+			"No text, no watermark, no signature.",
+		userContent, genderHint,
+	)
+}
+
 // validateExternalURL checks that a URL is safe to fetch (prevents SSRF).
 func validateExternalURL(rawURL string) error {
 	u, err := url.Parse(rawURL)

From 26a83b1d8fb4dbdeb54eb4a84f5396836430cf2e Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 19:47:41 +0800
Subject: [PATCH 10/17] feat: expose admin panel through frontend with
 navigation

- Add /admin proxy rule in Vite dev server config
- Add admin panel entry button in CarPage settings (visible to admins only)
- Links navigate in same tab instead of opening new window
---
 frontend/src/components/overlay/CarPage.vue |  8 +++++++
 frontend/vite.config.ts                     | 26 ++++++++++++---------
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/frontend/src/components/overlay/CarPage.vue b/frontend/src/components/overlay/CarPage.vue
index 6511217c..d0c2b73f 100644
--- a/frontend/src/components/overlay/CarPage.vue
+++ b/frontend/src/components/overlay/CarPage.vue
@@ -471,6 +471,14 @@
                   <p class="settings-hint">{{ backgroundMusicStatusText }}</p>
                 </div>
 
+                <div v-if="isAdmin" class="settings-section">
+                  <h3 class="settings-heading">管理面板</h3>
+                  <p class="settings-hint">进入后台管理系统，管理用户、照片和系统配置。</p>
+                  <a href="/admin" class="submit-btn" style="display: inline-block; text-align: center; text-decoration: none;">
+                    打开管理面板
+                  </a>
+                </div>
+
                 <div class="settings-section">
                   <button class="logout-btn" @click="onLogout">退出登录</button>
                 </div>
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 1fbed955..13777a0e 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -1,7 +1,7 @@
-import { defineConfig } from 'vite'
-import vue from '@vitejs/plugin-vue'
-import react from '@vitejs/plugin-react'
-import { fileURLToPath, URL } from 'node:url'
+import { defineConfig } from "vite";
+import vue from "@vitejs/plugin-vue";
+import react from "@vitejs/plugin-react";
+import { fileURLToPath, URL } from "node:url";
 
 export default defineConfig({
   plugins: [
@@ -10,19 +10,23 @@ export default defineConfig({
   ],
   resolve: {
     alias: {
-      '@': fileURLToPath(new URL('./src', import.meta.url)),
-    }
+      "@": fileURLToPath(new URL("./src", import.meta.url)),
+    },
   },
   server: {
     proxy: {
-      '/api': {
-        target: 'http://localhost:8000',
+      "/api": {
+        target: "http://localhost:8000",
+        changeOrigin: true,
+      },
+      "/uploads": {
+        target: "http://localhost:8000",
         changeOrigin: true,
       },
-      '/uploads': {
-        target: 'http://localhost:8000',
+      "/admin": {
+        target: "http://localhost:8000",
         changeOrigin: true,
       },
     },
   },
-})
+});

From 19678497c63ab32bbe7473969a265d017318eb14 Mon Sep 17 00:00:00 2001
From: arthurcai <arthurcai@sjtu.edu.cn>
Date: Mon, 9 Mar 2026 19:49:21 +0800
Subject: [PATCH 11/17] feat: add memoir text editing and image regeneration in
 memory panel

- Allow editing memoir title and content after generation
- Add regenerate image button to retry AI photo generation
- Clean up previous photo on regeneration to avoid orphaned files
---
 .../src/components/overlay/MemoryPanel.vue    | 168 +++++++++++++++---
 1 file changed, 148 insertions(+), 20 deletions(-)

diff --git a/frontend/src/components/overlay/MemoryPanel.vue b/frontend/src/components/overlay/MemoryPanel.vue
index f7518531..4f78f31a 100644
--- a/frontend/src/components/overlay/MemoryPanel.vue
+++ b/frontend/src/components/overlay/MemoryPanel.vue
@@ -41,8 +41,24 @@
       <div v-if="result" class="result-card">
         <div v-if="generatingImage" class="result-img-loading">图片生成中...</div>
         <img v-else-if="generatedImageUrl" :src="generatedImageUrl" alt="" class="result-img" />
-        <h3 class="result-title">{{ result.title }}</h3>
-        <p class="result-content">{{ result.content }}</p>
+        <div class="result-body">
+          <h3 v-if="!editingResult" class="result-title">{{ result.title }}</h3>
+          <input v-else v-model="editTitle" class="result-title-input" placeholder="标题" />
+          <p v-if="!editingResult" class="result-content">{{ result.content }}</p>
+          <textarea v-else v-model="editContent" class="result-content-input" placeholder="内容" />
+          <div class="result-actions">
+            <template v-if="!editingResult">
+              <button class="result-action-btn" @click="startEdit">编辑文字</button>
+              <button class="result-action-btn accent" :disabled="generatingImage" @click="onRegenerateImage">
+                {{ generatingImage ? '生成中...' : '重新生成图片' }}
+              </button>
+            </template>
+            <template v-else>
+              <button class="result-action-btn accent" @click="confirmEdit">确认</button>
+              <button class="result-action-btn" @click="editingResult = false">取消</button>
+            </template>
+          </div>
+        </div>
       </div>
     </div>
   </OverlayPanel>
@@ -59,7 +75,7 @@ import {
   type IdentityTagList,
   type Memoir,
 } from '@/lib/api/echo'
-import { generatePhoto } from '@/lib/api/photo'
+import { generatePhoto, deletePhoto } from '@/lib/api/photo'
 import { getErrorMessage } from '@/lib/apiClient'
 
 const uiStore = useUiStore()
@@ -71,8 +87,12 @@ const inputText = ref('')
 const generating = ref(false)
 const generatingImage = ref(false)
 const generatedImageUrl = ref('')
+const generatedPhotoId = ref<string | null>(null)
 const result = ref<Memoir | null>(null)
 const error = ref('')
+const editingResult = ref(false)
+const editTitle = ref('')
+const editContent = ref('')
 
 const allTags = computed<IdentityTag[]>(() => {
   if (!tags.value) return []
@@ -118,32 +138,63 @@ async function onGenerate() {
   generating.value = true
   generatingImage.value = false
   generatedImageUrl.value = ''
+  generatedPhotoId.value = null
   result.value = null
   try {
     const memoir = await generateMemoir(theme || undefined)
     result.value = memoir
+    editingResult.value = false
 
-    // Generate an AI photo based on the memoir, show it in the result card
-    const photoPrompt = memoir.title
-      ? `${memoir.title} - ${theme || '温暖的记忆'}`
-      : theme || '记忆贴纸'
-    generatingImage.value = true
-    generatePhoto(photoPrompt)
-      .then((photo) => {
-        generatedImageUrl.value = photo.image_url
-      })
-      .catch(() => {
-        // Photo generation failed; leave image area empty
-      })
-      .finally(() => {
-        generatingImage.value = false
-      })
+    // Generate an AI photo based on the memoir content
+    triggerImageGeneration(memoir.content || memoir.title || theme || '记忆贴纸')
   } catch (e) {
     error.value = getErrorMessage(e)
   } finally {
     generating.value = false
   }
 }
+
+function triggerImageGeneration(prompt: string) {
+  generatingImage.value = true
+  generatedImageUrl.value = ''
+
+  // Delete old generated photo if exists
+  const oldId = generatedPhotoId.value
+  if (oldId) {
+    deletePhoto(oldId).catch(() => {})
+    generatedPhotoId.value = null
+  }
+
+  generatePhoto(prompt)
+    .then((photo) => {
+      generatedImageUrl.value = photo.image_url
+      generatedPhotoId.value = photo.id
+    })
+    .catch(() => {
+      // Photo generation failed; leave image area empty
+    })
+    .finally(() => {
+      generatingImage.value = false
+    })
+}
+
+function startEdit() {
+  if (!result.value) return
+  editTitle.value = result.value.title
+  editContent.value = result.value.content
+  editingResult.value = true
+}
+
+function confirmEdit() {
+  if (!result.value) return
+  result.value = { ...result.value, title: editTitle.value, content: editContent.value }
+  editingResult.value = false
+}
+
+function onRegenerateImage() {
+  if (!result.value) return
+  triggerImageGeneration(result.value.content || result.value.title || '记忆贴纸')
+}
 </script>
 
 <style scoped>
@@ -286,20 +337,97 @@ async function onGenerate() {
   50% { opacity: 1; }
 }
 
+.result-body {
+  padding: 16px 18px 18px;
+}
+
 .result-title {
-  padding: 16px 18px 4px;
   font-size: 17px;
   font-weight: 600;
   color: var(--text-primary);
+  margin-bottom: 4px;
 }
 
 .result-content {
-  padding: 4px 18px 18px;
   font-size: 14px;
   color: var(--text-secondary);
   line-height: 1.6;
 }
 
+.result-title-input {
+  width: 100%;
+  padding: 8px 12px;
+  margin-bottom: 8px;
+  background: rgba(255, 255, 255, 0.08);
+  border: 1px solid rgba(255, 255, 255, 0.2);
+  border-radius: 10px;
+  color: var(--text-primary);
+  font-size: 17px;
+  font-weight: 600;
+  outline: none;
+  font-family: inherit;
+}
+
+.result-title-input:focus {
+  border-color: rgba(255, 255, 255, 0.35);
+}
+
+.result-content-input {
+  width: 100%;
+  min-height: 120px;
+  padding: 10px 12px;
+  background: rgba(255, 255, 255, 0.08);
+  border: 1px solid rgba(255, 255, 255, 0.2);
+  border-radius: 10px;
+  color: var(--text-secondary);
+  font-size: 14px;
+  line-height: 1.6;
+  outline: none;
+  resize: vertical;
+  font-family: inherit;
+}
+
+.result-content-input:focus {
+  border-color: rgba(255, 255, 255, 0.35);
+}
+
+.result-actions {
+  display: flex;
+  gap: 8px;
+  margin-top: 12px;
+}
+
+.result-action-btn {
+  padding: 8px 16px;
+  background: rgba(255, 255, 255, 0.08);
+  border: 1px solid rgba(255, 255, 255, 0.12);
+  border-radius: 10px;
+  color: var(--text-primary);
+  font-size: 13px;
+  font-weight: 500;
+  cursor: pointer;
+  transition: background 0.2s;
+}
+
+.result-action-btn:hover:not(:disabled) {
+  background: rgba(255, 255, 255, 0.15);
+}
+
+.result-action-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.result-action-btn.accent {
+  background: var(--accent-warm);
+  border-color: var(--accent-warm);
+  color: #fff;
+}
+
+.result-action-btn.accent:hover:not(:disabled) {
+  background: var(--accent-warm-hover);
+}
+
 .loading-state {
   text-align: center;
   padding: 20px;

From 216d649b67d118f283e6c5d4f8f6bf4e730b19d5 Mon Sep 17 00:00:00 2001
From: Kanye-Est <keast3731@gmail.com>
Date: Mon, 9 Mar 2026 12:17:53 +0800
Subject: [PATCH 12/17] chores

---
 frontend/src/App.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index b47ed11f..86a70786 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -1,4 +1,4 @@
-<template>
+f<template>
   <BeachScene />
   <LandingOverlay />
   <AuthPanel />

From 92381fd27ca5bc384039d2871eaf3b8beb5e92d5 Mon Sep 17 00:00:00 2001
From: Kanye-Est <keast3731@gmail.com>
Date: Mon, 9 Mar 2026 13:36:47 +0800
Subject: [PATCH 13/17] feat(scene): move beach shell sprites to the right

---
 frontend/src/constants/sprites.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/src/constants/sprites.ts b/frontend/src/constants/sprites.ts
index b27c4372..cc600efb 100644
--- a/frontend/src/constants/sprites.ts
+++ b/frontend/src/constants/sprites.ts
@@ -33,10 +33,10 @@ export const SPRITES: SpriteData[] = [
     width: '6vw',
   },
 
-  { id: 'shell', src: shellImg, left: '48%', top: '45%', width: '5vw', rotate: 0 },
+  { id: 'shell', src: shellImg, left: '52.5%', top: '45%', width: '5vw', rotate: 0 },
 
-  { id: 'star', src: starImg, left: '50%', top: '75%', width: '5vw', rotate: 0 },
+  { id: 'star', src: starImg, left: '54.5%', top: '75%', width: '5vw', rotate: 0 },
 
-  { id: 'conque', src: conqueImg, left: '52.5%', top: '48%', width: '5vw', rotate: 0 },
+  { id: 'conque', src: conqueImg, left: '57%', top: '48%', width: '5vw', rotate: 0 },
 
 ]

From e52372783f72b29958ce3047800be20c8e8c53ba Mon Sep 17 00:00:00 2001
From: Kanye-Est <keast3731@gmail.com>
Date: Mon, 9 Mar 2026 13:44:02 +0800
Subject: [PATCH 14/17] fix(picwall): hide camera preview

---
 frontend/src/components/react/PearlShell.tsx | 51 +++-----------------
 1 file changed, 8 insertions(+), 43 deletions(-)

diff --git a/frontend/src/components/react/PearlShell.tsx b/frontend/src/components/react/PearlShell.tsx
index 3b4b2042..21a03592 100644
--- a/frontend/src/components/react/PearlShell.tsx
+++ b/frontend/src/components/react/PearlShell.tsx
@@ -1086,49 +1086,14 @@ export default function PearlShell({
       )}
 
 
-      {/* Camera preview */}
-      <div
-        style={{
-          position: 'absolute',
-          bottom: 12,
-          right: 12,
-          width: isFullscreen ? 160 : 100,
-          height: isFullscreen ? 120 : 75,
-          background: 'rgba(0,0,0,0.3)',
-          borderRadius: 12,
-          overflow: 'hidden',
-          border: '1px solid rgba(255,255,255,0.2)',
-          backdropFilter: 'blur(8px)',
-          zIndex: 10,
-          pointerEvents: 'none',
-        }}
-      >
-        <video
-          ref={videoRef}
-          style={{
-            width: '100%',
-            height: '100%',
-            objectFit: 'cover',
-            transform: 'scaleX(-1)',
-          }}
-          playsInline
-          autoPlay
-          muted
-        />
-        <div
-          style={{
-            position: 'absolute',
-            bottom: 2,
-            left: 4,
-            fontSize: 8,
-            color: 'rgba(255,255,255,0.6)',
-            textTransform: 'uppercase',
-            letterSpacing: 1,
-          }}
-        >
-          Camera
-        </div>
-      </div>
+      {/* Hidden video element for MediaPipe hand tracking */}
+      <video
+        ref={videoRef}
+        style={{ display: 'none' }}
+        playsInline
+        autoPlay
+        muted
+      />
     </div>
   );
 }

From 681075a91ac3f70df7702f8f71f69b16f15701eb Mon Sep 17 00:00:00 2001
From: Kanye-Est <keast3731@gmail.com>
Date: Mon, 9 Mar 2026 17:59:15 +0800
Subject: [PATCH 15/17] fix(car): adjust pearl shell layout positioning

---
 frontend/src/components/overlay/CarPage.vue | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/frontend/src/components/overlay/CarPage.vue b/frontend/src/components/overlay/CarPage.vue
index d0c2b73f..752ccd63 100644
--- a/frontend/src/components/overlay/CarPage.vue
+++ b/frontend/src/components/overlay/CarPage.vue
@@ -1186,13 +1186,14 @@ watch(activeTab, (tab) => {
 .car-layout {
   display: flex;
   height: 100%;
-  padding: 5vh 5vw;
+  padding: 5vh 5vw 5vh 9vw;
   gap: 4vw;
   align-items: center;
 }
 
 /* ── Photo Wall (Left) ── */
 .photo-wall {
+  position: relative;
   flex: 1;
   display: flex;
   align-items: center;
@@ -2293,12 +2294,14 @@ watch(activeTab, (tab) => {
 
 /* ── PearlShell ── */
 .pearl-shell-embedded {
-  position: relative;
-  width: 100%;
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
   width: 936px;
-  height:544px;
-  margin-top: -34px;
-  margin-left: 215px;
+  height: 544px;
+  margin-top: -17px;
+  margin-left: 108px;
   border-radius: 2px;
   overflow: hidden;
 }

From 50aa90b46d3c1c4b2dba772ec04eab34f84a92c7 Mon Sep 17 00:00:00 2001
From: Kanye-Est <keast3731@gmail.com>
Date: Mon, 9 Mar 2026 19:19:38 +0800
Subject: [PATCH 16/17] fix(car): use all photos in pearl shell

---
 frontend/src/components/overlay/CarPage.vue | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/frontend/src/components/overlay/CarPage.vue b/frontend/src/components/overlay/CarPage.vue
index 752ccd63..c6e1e346 100644
--- a/frontend/src/components/overlay/CarPage.vue
+++ b/frontend/src/components/overlay/CarPage.vue
@@ -25,7 +25,7 @@
           <!-- Embedded PearlShell -->
           <div v-if="showPearlShell && !pearlShellFullscreen" class="pearl-shell-embedded">
             <PearlShellWrapper
-              :photo-urls="memoirPhotoUrls"
+              :photo-urls="allPhotoUrls"
               :is-fullscreen="false"
               @request-fullscreen="handleRequestFullscreen"
             />
@@ -61,7 +61,7 @@
       <Transition name="pearl-fullscreen">
         <div v-if="pearlShellFullscreen" class="pearl-shell-fullscreen">
           <PearlShellWrapper
-            :photo-urls="memoirPhotoUrls"
+            :photo-urls="allPhotoUrls"
             :is-fullscreen="true"
             @exit-fullscreen="handleExitFullscreen"
           />
@@ -518,7 +518,6 @@ import {
   type MyAnswerListItem,
 } from '@/lib/api/user'
 import { getErrorMessage } from '@/lib/apiClient'
-import { getMemoirs, type Memoir } from '@/lib/api/echo'
 import { useBackgroundMusicControls } from '@/composables/useBackgroundMusicLoop'
 
 import avatarFrame from '@/assets/images/frame.png'
@@ -538,12 +537,6 @@ const modalOrigin = ref<Record<string, string>>({})
 // ── PearlShell state ──
 const showPearlShell = ref(false)
 const pearlShellFullscreen = ref(false)
-const memoirs = ref<Memoir[]>([])
-
-const memoirPhotoUrls = computed(() =>
-  memoirs.value.filter(m => m.cover_image_url).map(m => m.cover_image_url!),
-)
-
 const visible = computed(() => uiStore.activePanel === 'car')
 
 const wallPhotos = computed(() =>
@@ -553,6 +546,10 @@ const wallPhotos = computed(() =>
     .slice(0, 9),
 )
 
+const allPhotoUrls = computed(() =>
+  allPhotos.value.map((p) => p.image_url),
+)
+
 const emptySlots = computed(() => Math.max(0, 9 - wallPhotos.value.length))
 
 // ── Photo management state ──
@@ -1120,12 +1117,10 @@ watch(visible, async (isVisible) => {
     showPearlShell.value = false
     pearlShellFullscreen.value = false
     try {
-      const [, memoirRes] = await Promise.all([
+      await Promise.all([
         fetchPhotos(),
-        getMemoirs(50, 0),
         fetchProfile(),
       ])
-      memoirs.value = memoirRes.memoirs
     } catch {
       // silent
     }

From a18af80e47faed4a7c35c14308187a12c9cc95d2 Mon Sep 17 00:00:00 2001
From: Koishi <koishi510@sjtu.edu.cn>
Date: Tue, 10 Mar 2026 00:25:02 +0800
Subject: [PATCH 17/17] fix: remove stray character in App.vue template

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 frontend/package-lock.json | 15 ++++++++++++++-
 frontend/src/App.vue       |  2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index b296c20e..fca1bb25 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -67,6 +67,7 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -1509,6 +1510,7 @@
       "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -1609,6 +1611,7 @@
       "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.56.1",
         "@typescript-eslint/types": "8.56.1",
@@ -2030,6 +2033,7 @@
       "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -2334,6 +2338,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -2610,7 +2615,8 @@
       "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1581282.tgz",
       "integrity": "sha512-nv7iKtNZQshSW2hKzYNr46nM/Cfh5SEvE2oV0/SEGgc9XupIY5ggf84Cz8eJIkBce7S3bmTAauFD6aysMpnqsQ==",
       "dev": true,
-      "license": "BSD-3-Clause"
+      "license": "BSD-3-Clause",
+      "peer": true
     },
     "node_modules/dunder-proto": {
       "version": "1.0.1",
@@ -2820,6 +2826,7 @@
       "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.2",
@@ -3980,6 +3987,7 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -4163,6 +4171,7 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
       "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -4531,6 +4540,7 @@
       "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "esbuild": "~0.27.0",
         "get-tsconfig": "^4.7.5"
@@ -4571,6 +4581,7 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -4664,6 +4675,7 @@
       "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "esbuild": "^0.27.0",
         "fdir": "^6.5.0",
@@ -4745,6 +4757,7 @@
       "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.29.tgz",
       "integrity": "sha512-BZqN4Ze6mDQVNAni0IHeMJ5mwr8VAJ3MQC9FmprRhcBYENw+wOAAjRj8jfmN6FLl0j96OXbR+CjWhmAmM+QGnA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@vue/compiler-dom": "3.5.29",
         "@vue/compiler-sfc": "3.5.29",
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index 86a70786..b47ed11f 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -1,4 +1,4 @@
-f<template>
+<template>
   <BeachScene />
   <LandingOverlay />
   <AuthPanel />