chore: migrate CI from GitHub Actions to Gitea Actions

Replace GitHub Actions workflow with Gitea Actions, and switch container registry from GHCR to Docker Hub.
feat: inject build-time variables via Gradle processResources
2026-06-04 17:36:43 +08:00 · 2026-06-04 17:12:48 +08:00 · 2026-06-04 14:47:45 +08:00 · 2026-06-04 14:42:14 +08:00 · 2026-06-02 01:46:49 +08:00 · 2026-06-01 17:18:42 +08:00
106 changed files with 4538 additions and 79 deletions
@@ -1,4 +1,6 @@
 delta-force-guide-server.iml
 build/
+!.gitlab-ci.yml
+!build/libs/*.jar
 .idea/
 .gradle
@@ -0,0 +1,72 @@
+name: Build and Deploy
+
+on:
+  release:
+    types: [published]
+
+env:
+  APP_NAME: delta-force-guide-server
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21 (Corretto)
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: corretto
+          cache: gradle
+
+      - name: Build with Gradle
+        run: >
+          ./gradlew bootJar -x test
+          -PartefactVersion="${{ gitea.event.release.tag_name }}"
+          -PbuildChannel=stable
+
+      - name: Resolve JAR file path
+        id: jar
+        run: |
+          JAR_PATH=$(find build/libs -name '*.jar' | head -1)
+          echo "file=$JAR_PATH" >> "$GITHUB_OUTPUT"
+
+      - name: Upload JAR to Gitea Release
+        run: |
+          TAG="${{ gitea.event.release.tag_name }}"
+          FILE="${{ steps.jar.outputs.file }}"
+          ASSET_NAME="${APP_NAME}-${TAG}.jar"
+          curl -X POST \
+            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+            -H "Content-Type: multipart/form-data" \
+            -F "attachment=@${FILE};filename=${ASSET_NAME}" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases/${{ gitea.event.release.id }}/assets?name=${ASSET_NAME}"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Generate image tags
+        id: meta
+        run: |
+          DOCKERHUB_USER="${{ secrets.DOCKER_HUB_USERNAME }}"
+          REPO_NAME=$(echo "${{ gitea.repository.name }}" | tr '[:upper:]' '[:lower:]')
+          echo "tag_version=${DOCKERHUB_USER}/${REPO_NAME}:${{ gitea.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          echo "tag_latest=${DOCKERHUB_USER}/${REPO_NAME}:latest" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.ci
+          build-args: JAR_FILE=${{ steps.jar.outputs.file }}
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.tag_version }}
+            ${{ steps.meta.outputs.tag_latest }}
@@ -143,8 +143,20 @@ test/
 gradle-app.setting
 .gradletasknamecache

+### Claude Code
+.claude/settings.local.json
+.claude/memory/
+.claude/plans/
+.claude/worktrees/
+.claude/scheduled_tasks.json
+
 # Eclipse Gradle plugin generated files
 # Eclipse Core
 .project
 # JDT-specific (Eclipse Java Development Tools)
 .classpath
+
+gradle.properties
+
+# frp config
+frpc.toml
@@ -0,0 +1,34 @@
+variables:
+  GRADLE_OPTS: -Dorg.gradle.daemon=false
+  DOCKER_HOST: unix:///var/run/docker.sock
+
+stages:
+  - release
+
+release:
+  stage: release
+  image: amazoncorretto:21-alpine
+  cache:
+    key: gradle
+    paths:
+      - .gradle/wrapper
+      - .gradle/caches
+  before_script:
+    - chmod +x gradlew
+    - apk add --no-cache docker-cli
+  script:
+    - ./gradlew bootJar -x test -PartefactVersion="$CI_COMMIT_TAG"
+    - JAR_FILE=$(find build/libs -name '*.jar' | head -1)
+    - echo "Building Docker image for tag $CI_COMMIT_TAG with JAR $JAR_FILE"
+    - docker build
+        -f Dockerfile.ci
+        --build-arg JAR_FILE="$JAR_FILE"
+        -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+        .
+    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" "$CI_REGISTRY_IMAGE:latest"
+    - echo "Pushing image $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+    - docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
+    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+    - docker push "$CI_REGISTRY_IMAGE:latest"
+  rules:
+    - if: $CI_COMMIT_TAG
@@ -0,0 +1,109 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Coding Standards
+
+- **Style**: Follow the Google Java Coding Style as the foundation.
+- **Indentation**: Use 4 spaces — no tabs.
+- **Line length**: Maximum 100 characters per line.
+- **Comments**: All code comments must use British English spelling (e.g. "colour" not "color", "behaviour" not "behavior", "serialise" not "serialize", "analyse" not "analyze", "traveller" not "traveler").
+
+## Build & Test Commands
+
+```bash
+# Build the project (skip tests)
+./gradlew build -x test
+
+# Run all tests
+./gradlew test
+
+# Run a single test class
+./gradlew test --tests "com.onixbyte.deltaforceguide.service.PasswordEncoderTest"
+
+# Run a specific test method
+./gradlew test --tests "com.onixbyte.deltaforceguide.service.PasswordEncoderTest.generatePassword"
+
+# Build the full JAR
+./gradlew bootJar
+```
+
+The project uses Gradle with Java 21 (Amazon Corretto). Tests use JUnit 5 with the Spring Boot test framework, H2 in-memory database for test runtime, and Spring Security test support. Tests require an active `dev` profile.
+
+## Code Architecture
+
+**Delta Force Guide Server** — A REST API backend for managing Delta Force game firearm builds/modifications.
+
+### Package structure
+
+```
+com.onixbyte.deltaforceguide
+├── client/           # External service clients (TokenClient for JWT)
+├── config/           # Spring beans: Security, CORS, Cache/Redis, Jackson, MyBatis, Spring Data
+├── controller/       # REST controllers (Firearm, Modification, Tag, Auth)
+├── domain/
+│   ├── converter/    # JPA attribute converters (FirearmTypeConverter)
+│   ├── dto/          # Request/response records (FirearmRequest, ModificationResponse, etc.)
+│   └── entity/       # JPA entities (Firearm, Modification, User, Accessory, Tuning)
+├── enumeration/      # Enums (FirearmType)
+├── exeption/         # BizException (custom runtime exception with HTTP status)
+├── filter/           # TokenAuthenticationFilter (JWT auth via OncePerRequestFilter)
+├── manager/          # Thin @Transactional wrappers around repositories
+├── mapper/           # MyBatis mappers (configured but currently unused)
+├── properties/       # @ConfigurationProperties records (Cors, Token, Cookie)
+├── repository/       # Spring Data JPA repositories
+├── security/
+│   ├── authentication/  # Custom UsernamePasswordAuthentication impl
+│   └── provider/        # UsernamePasswordAuthenticationProvider
+├── service/          # Business logic layer (FirearmService, ModificationService, AuthService, etc.)
+├── shared/           # Constants and utility classes (CookieName, CredentialProvider, JacksonModules)
+└── utils/            # Helpers (DateTimeUtil)
+```
+
+### Key design decisions
+
+- **JPA + native queries**: Most CRUD uses Spring Data JPA. Native queries (in `ModificationRepository`) handle JSONB tag filtering with Postgres `@>` operator.
+- **Custom auth flow**: JWT tokens in httpOnly cookies (`AccessToken`). Spring Security with a custom `UsernamePasswordAuthenticationProvider` and `TokenAuthenticationFilter`. Tokens are auto-renewed within 5 min of expiry.
+- **JSONB storage**: `Modification.tags` and `Modification.accessories` (including nested `Tuning` objects) are stored as JSONB columns using Hypersistence Utils `JsonType`.
+- **Strict layering**: The call chain must follow `Controller → Service → Manager → Repository/Mapper`. Skipping layers (e.g. Controller calling Manager directly, Service calling Repository directly) is not permitted. Each layer has a distinct responsibility: Controller handles HTTP concerns, Service contains business logic, Manager manages `@Transactional` boundaries and data access coordination, Repository/Mapper handles raw data access.
+- **DTOs as Java records**: All request/response objects are immutable records with static `from()` factory methods for entity→DTO conversion.
+- **Flyway migrations**: SQL migrations in `src/main/resources/db/migration/` — V2 (init), V3 (bullet/damage fields), V4 (user), V5 (accessories JSONB column).
+
+### Data model
+
+- `firearm` table: id, name, type (int→FirearmType enum), level, calibre, fire_rate, armour_damage, body_damage, review
+- `modification` table: id, firearm_id (FK→firearm), name, code, tags (jsonb), accessories (jsonb), note, author, video_url
+- `app_user` table: id, username, email
+- `user_credential` table: user_id, provider, credential (hashed)
+
+### API endpoints
+
+| Path                          | Methods          | Auth                                 |
+|-------------------------------|------------------|--------------------------------------|
+| `/firearms`                   | GET, POST        | GET public, POST requires auth       |
+| `/firearms/{id}`              | GET, PUT, DELETE | GET public, PUT/DELETE requires auth |
+| `/modifications`              | GET, POST        | GET public, POST requires auth       |
+| `/modifications/{id}`         | GET, PUT, DELETE | GET public, PUT/DELETE requires auth |
+| `/modifications/batch`        | POST             | Requires auth                        |
+| `/modifications/batch-delete` | DELETE           | Requires auth                        |
+| `/tags`                       | GET              | Public                               |
+| `/auth/login`                 | POST             | Public                               |
+| `/auth/logout`                | POST             | Authenticated                        |
+
+### Commit convention
+
+Conventional commits: `feat:`, `chore:`, `fix:`. Messages are in English, present tense imperative style.
+
+### External dependencies
+
+- **DB**: PostgreSQL (via Flyway migrations), H2 in test
+- **Cache**: Redis (via Spring Cache + RedisTemplate with GenericJackson2JsonRedisSerializer)
+- **Auth**: java-jwt (auth0), BCrypt
+- **Docs**: springdoc-openapi (Swagger UI) on dev profile
+- **Onixbyte internal libs**: version-catalogue, tuple, common-toolbox, math-toolbox, identity-generator, captcha, regions
+- **AWS**: S3 SDK
+
+### Profiles
+
+- `dev`: Enables Swagger UI, connects to dev DB/Redis at `dfguide.onixbyte.cn`. Config in `config/application-dev.yaml`.
+- Default profile: Used for production, no Swagger, connects to production datasource.
@@ -0,0 +1,7 @@
+FROM amazoncorretto:21-alpine
+WORKDIR /app
+
+ARG JAR_FILE
+COPY ${JAR_FILE} app.jar
+
+ENTRYPOINT ["java", "-jar", "app.jar"]
@@ -0,0 +1,21 @@
+MIT Licence
+
+Copyright (c) 2026 OnixByte
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,150 @@
+# Delta Force Guide Server
+
+REST API backend for managing **Delta Force** game firearm builds and modifications. Provides endpoints to browse, create, and share weapon configurations including attachments, tuning setups, tags, and build reviews.
+
+
+## Tech Stack
+
+| Layer     | Technology                                                 |
+|-----------|------------------------------------------------------------|
+| Language  | Java 21 (Amazon Corretto)                                  |
+| Framework | Spring Boot 3.x (Web, Security, Data JPA, Cache, Actuator) |
+| Build     | Gradle (Kotlin DSL)                                        |
+| Database  | PostgreSQL (Flyway migrations, JSONB columns)              |
+| Cache     | Redis (2-hour TTL)                                         |
+| Auth      | Custom JWT via httpOnly cookies + BCrypt                   |
+| API Docs  | springdoc-openapi (Swagger UI, dev profile only)           |
+| Container | Multi-stage Docker image (Amazon Corretto 21 → Alpine)     |
+| CI/CD     | GitHub Actions — builds on release publish                 |
+
+
+## Quick Start
+
+### Prerequisites
+
+- JDK 21 (Amazon Corretto recommended)
+- PostgreSQL
+- Redis
+
+### Configure
+
+Copy and customise the development config:
+
+```bash
+cp config/application-prod.yaml.example \
+   config/application-dev.yaml
+```
+
+Fill in your datasource and Redis connection details, then place the production config at `config/`, then enable it by environment variable `SPRING_PROFILES_ACTIVE`.
+
+### Build
+
+```bash
+# Compile (skip tests)
+./gradlew build -x test
+
+# Run all tests
+./gradlew test
+
+# Build executable JAR
+./gradlew bootJar
+```
+
+### Run
+
+```bash
+SPRING_PROFILES_ACTIVE=prod java -jar build/libs/delta-force-guide-server-$version.jar
+```
+
+Swagger UI is available at `http://localhost:8080/swagger-ui.html` when the `dev` profile is active.
+
+## Data Model
+
+- **Firearm** — weapon base stats (name, type, level, calibre, fire rate, armour/body damage, review)
+- **Modification** — a build attached to a firearm, with name, code, tags (JSONB), accessories including nested tuning objects (JSONB), author notes, and video links
+- **App User** — registered user (username, email) with hashed credentials via BCrypt
+
+Tags and accessories are stored as PostgreSQL JSONB columns using [Hypersistence Utils](https://github.com/vladmihalcea/hypersistence-utils), enabling flexible per-build metadata and filtering with the `@>` operator.
+
+
+## Architecture
+
+```
+Controller  →  Service  →  Manager  →  Repository / Mapper
+   (HTTP)      (logic)     (@Transactional)  (data access)
+```
+
+The call chain is strictly enforced — skipping layers is not permitted. All request/response objects are Java records with static `from()` factory methods for entity-to-DTO conversion.
+
+
+## Docker
+
+```bash
+# Build image
+docker pull registry.onixbyte.cn/onixbyte/delta-force-guide-server:latest
+
+# Run container
+docker run -p 8080:8080 \
+  -v /path/to/config:/app/config \
+  -e SPRING_PROFILES_ACTIVE=$your_active_profiles
+  delta-force-guide-server
+```
+
+Pre-built images are published to **Self-hosted GitLab Container Registry** (`registry.onixbyte.cn/onixbyte/delta-force-guide-server`) on every release.
+
+
+## CI/CD
+
+GitLab CI triggers on **tags**. The pipeline:
+
+1. Builds the boot JAR with the release tag as the version
+2. Uploads the JAR as a release asset
+3. Builds and pushes a multi-arch Docker image to GHCR tagged with both `:latest` and `:<version>`
+
+No tests are run in CI by design — tests are expected to pass locally before a release is cut.
+
+
+## Profiles
+
+| Profile | Purpose                                                               |
+|---------|-----------------------------------------------------------------------|
+| `dev`   | Enables Swagger UI, connects to dev DB/Redis at `dfguide.onixbyte.cn` |
+| default | Production mode, no Swagger, uses production datasource               |
+
+
+## Project Structure
+
+```
+src/main/java/com/onixbyte/deltaforceguide/
+├── client/          External service HTTP clients
+├── config/          Spring bean definitions (Security, CORS, Cache, Jackson, MyBatis)
+├── controller/      REST controllers
+├── domain/
+│   ├── converter/   JPA attribute converters
+│   ├── dto/         Request/response records
+│   └── entity/      JPA entities
+├── enumeration/     Enums (FirearmType)
+├── exception/       Custom BizException with HTTP status mapping
+├── filter/          TokenAuthenticationFilter (JWT through OncePerRequestFilter)
+├── manager/         @Transactional wrappers around repositories
+├── mapper/          MyBatis mapper interfaces (reserved for future use)
+├── properties/      @ConfigurationProperties records
+├── repository/      Spring Data JPA repositories
+├── security/
+│   ├── authentication/  Custom UsernamePasswordAuthentication
+│   └── provider/        UsernamePasswordAuthenticationProvider
+├── service/         Business logic
+├── shared/          Constants and utility classes
+└── utils/           General-purpose helpers
+```
+
+
+## Versioning
+
+The application exposes its version at `/versions` (GET).
+
+
+## Licence
+
+This project is licensed under the [MIT Licence](LICENCE). Copyright &copy; 2026 OnixByte.
+
@@ -5,6 +5,8 @@ plugins {
 }

 val artefactVersion: String by project
+val buildChannel: String by project
+val vendor: String by project

 group = "com.onixbyte.helix"
 version = artefactVersion
@@ -36,6 +38,7 @@ dependencies {
    implementation(libs.onixbyte.identityGenerator)
    implementation(libs.onixbyte.captcha)
    implementation(libs.onixbyte.regions)
+    implementation(libs.onixbyte.cryptoToolbox)
    implementation(libs.jwt.core)
    implementation(libs.spring.boot.configurationProcessor)
    implementation(libs.spring.boot.actuator)
@@ -49,15 +52,27 @@ dependencies {
    implementation(libs.flyway.core)
    implementation(libs.flyway.postgresql)
    implementation(libs.jackson.jsr310)
-    implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.16")
+    implementation(libs.spring.boot.starter.doc)
+    implementation(libs.spring.boot.starter.security)
    testImplementation(libs.spring.boot.starter.test)
    testImplementation(libs.reactor.test)
    testImplementation(libs.mybatis.starter.test)
+    testImplementation(libs.spring.security.test)
    runtimeOnly(libs.postgres.driver)
    testRuntimeOnly(libs.h2.database)
    testRuntimeOnly(libs.junit.launcher)
 }

+tasks.processResources {
+    filesMatching("application.yaml") {
+        expand(
+            "appVersion" to artefactVersion,
+            "channel" to buildChannel,
+            "vendor" to vendor
+        )
+    }
+}
+
 tasks.test {
    useJUnitPlatform()
 }
@@ -0,0 +1,55 @@
+spring:
+  datasource:
+    url: jdbc:postgresql://localhost:5432/dfguide_dev
+    username: postgres
+    password: 123456
+    driver-class-name: org.postgresql.Driver
+  data:
+    redis:
+      host: localhost
+      port: 6379
+      database: 0
+      # password: 6hLFVqfGPviTYukn # Uncomment if password is necessary
+
+logging:
+  pattern:
+    # dateformat: dd MMM yyyy HH:mm:ss.SSS # Modify this for custom date format.
+
+app:
+  common:
+    version: 1.3.0.8-dev # Application version, you can change to any version you like, used for communication with frontend.
+  cors:
+    allowed-origins: # Cross-origin allowed origins
+      - "http://localhost:5173" # Dev server for vite.
+      - "http://localhost:4173" # Preview server for vite.
+    allow-credentials: true # Must be set to `true` since we are using cookie. You can change it only when you have modified how this application executing authentication.
+    allow-private-network: false
+    allowed-headers:
+      - "Content-Type"
+      - "Authorization"
+    allowed-methods:
+      - GET
+      - POST
+      - PUT
+      - PATCH
+      - DELETE
+    exposed-headers:
+      - "Content-Type"
+      - "Authorization"
+    max-age: PT2H
+  jwt:
+    issuer: dfguide.local # Issuer host
+    secret: qwertyuiopasdfghjklzxcvbnm123456 # JWT singing secret, a 32-byte long or longer string is recommended
+    valid-time: PT2H # JWT valid duration
+  cookie: # Cookie settings.
+    http-only: true
+    secure: false
+    same-site: lax
+    path: '/'
+    max-age: PT2H
+
+springdoc:
+  api-docs:
+    enabled: true # Set to `false` if you do not need api docs (recommended in production mode).
+  swagger-ui:
+    enabled: true # Set to `false` if you do not need swagger ui (recommended in production mode).
@@ -1 +0,0 @@
-artefactVersion = 1.0.0
@@ -4,10 +4,9 @@ javaJwtVersion = "4.5.1"
 postgresDriverVersion = "42.7.9"
 h2Version = "2.2.224"
 springBootVersion = "3.5.13"
-springSecurityVersion = "6.5.2"
 reactorVersion = "3.7.8"
 junitPlatformVersion = "1.12.2"
-onixbyteVersion = "3.3.0"
+onixbyteVersion = "3.4.0"
 onixbyteCaptcha = "1.1.0"
 onixbyteRegions = "2025.12.0"
 awsSdkVersion = "2.25.48"
@@ -18,6 +17,7 @@ mybatisVersion = "3.0.5"
 jacksonVersion = "2.19.2"
 hypersistenceVersion = "3.14.0"
 springDependencyManagementVersion = "1.1.7"
+springDocVersion = "2.8.16"

 [libraries]
 # General Utilities
@@ -31,6 +31,7 @@ jackson-jsr310 = { group = "com.fasterxml.jackson.datatype", name = "jackson-dat
 onixbyte-versionCatalogue = { group = "com.onixbyte", name = "version-catalogue", version.ref = "onixbyteVersion" }
 onixbyte-tuple = { group = "com.onixbyte", name = "tuple" }
 onixbyte-commonToolbox = { group = "com.onixbyte", name = "common-toolbox" }
+onixbyte-cryptoToolbox = { group = "com.onixbyte", name = "crypto-toolbox", version.ref = "onixbyteVersion" }
 onixbyte-mathToolbox = { group = "com.onixbyte", name = "math-toolbox" }
 onixbyte-identityGenerator = { group = "com.onixbyte", name = "identity-generator" }
 onixbyte-captcha = { group = "com.onixbyte", name = "captcha", version.ref = "onixbyteCaptcha" }
@@ -41,12 +42,10 @@ mybatis-starter-core = { group = "org.mybatis.spring.boot", name = "mybatis-spri
 spring-boot-starter-jpa = { group = "org.springframework.boot", name = "spring-boot-starter-data-jpa" }
 hypersistence-core = { group = "io.hypersistence", name = "hypersistence-utils-hibernate-63", version.ref = "hypersistenceVersion" }
 postgres-driver = { group = "org.postgresql", name = "postgresql", version.ref = "postgresDriverVersion" }
-mysql-driver = { group = "com.mysql", name = "mysql-connector-j" }
 h2-database = { group = "com.h2database", name = "h2", version.ref = "h2Version" }
 spring-boot-starter-redis = { group = "org.springframework.boot", name = "spring-boot-starter-data-redis", version.ref = "springBootVersion" }
 flyway-core = { group = "org.flywaydb", name = "flyway-core" }
 flyway-postgresql = { group = "org.flywaydb", name = "flyway-database-postgresql" }
-flyway-mysql = { group = "org.flywaydb", name = "flyway-mysql" }

 # Spring Boot Core & Web
 spring-boot-starter-web = { group = "org.springframework.boot", name = "spring-boot-starter-web" }
@@ -57,16 +56,19 @@ spring-boot-configurationProcessor = { group = "org.springframework.boot", name
 spring-boot-actuator = { group = "org.springframework.boot", name = "spring-boot-starter-actuator" }

 # Security & Auth
-spring-boot-starter-security = { group = "org.springframework.boot", name = "spring-boot-starter-security", version.ref = "springBootVersion" }
+spring-boot-starter-security = { group = "org.springframework.boot", name = "spring-boot-starter-security" }
 jwt-core = { group = "com.auth0", name = "java-jwt", version.ref = "javaJwtVersion" }

+# Spring Doc
+spring-boot-starter-doc = { group = "org.springdoc", name = "springdoc-openapi-starter-webmvc-ui", version.ref = "springDocVersion" }
+
 # Cloud Services
 aws-sdk-bom = { group = "software.amazon.awssdk", name = "bom", version.ref = "awsSdkVersion" }
 aws-sdk-s3 = { group = "software.amazon.awssdk", name = "s3" }

 # Testing
 spring-boot-starter-test = { group = "org.springframework.boot", name = "spring-boot-starter-test", version.ref = "springBootVersion" }
-spring-security-test = { group = "org.springframework.security", name = "spring-security-test", version.ref = "springSecurityVersion" }
+spring-security-test = { group = "org.springframework.security", name = "spring-security-test" }
 reactor-test = { group = "io.projectreactor", name = "reactor-test", version.ref = "reactorVersion" }
 junit-launcher = { group = "org.junit.platform", name = "junit-platform-launcher", version.ref = "junitPlatformVersion" }
 mybatis-starter-test = { group = "org.mybatis.spring.boot", name = "mybatis-spring-boot-starter-test", version.ref = "mybatisVersion" }
@@ -3,6 +3,11 @@ package com.onixbyte.deltaforceguide;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;

+/**
+ * Entry point for the Delta Force Guide Server application.
+ *
+ * @author zihluwang
+ */
@SpringBootApplication
 public class DeltaForceGuideApplication {

@@ -0,0 +1,75 @@
+package com.onixbyte.deltaforceguide.client;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.properties.TokenProperties;
+import com.onixbyte.deltaforceguide.utils.DateTimeUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.time.LocalDateTime;
+
+/**
+ * Client for generating and verifying JSON Web Tokens using the Auth0 java-jwt library.
+ *
+ * @author zihluwang
+ */
+@Component
+public class TokenClient {
+
+    private final Algorithm algorithm;
+    private final TokenProperties tokenProperties;
+    private final JWTVerifier verifier;
+
+    /**
+     * Constructs a new TokenClient with the necessary algorithm and token properties.
+     *
+     * @param algorithm       the signing algorithm used to secure the JWT
+     * @param tokenProperties the configuration properties for the token, such as issuer and
+     *                        validity period
+     */
+    @Autowired
+    public TokenClient(
+            Algorithm algorithm,
+            TokenProperties tokenProperties,
+            JWTVerifier verifier
+    ) {
+        this.algorithm = algorithm;
+        this.tokenProperties = tokenProperties;
+        this.verifier = verifier;
+    }
+
+    /**
+     * Generate a JSON Web Token to the current user.
+     *
+     * @param user the current user for whom the token is being generated
+     * @return a JWT string
+     */
+    public String generateToken(User user) {
+        var issuedAt = LocalDateTime.now();
+        var expiresAt = issuedAt.plus(tokenProperties.validTime());
+
+        return JWT.create()
+                .withSubject(user.getUsername())
+                .withIssuer(tokenProperties.issuer())
+                .withIssuedAt(DateTimeUtil.asInstant(issuedAt))
+                .withExpiresAt(DateTimeUtil.asInstant(expiresAt))
+                .sign(algorithm);
+    }
+
+    /**
+     * Verify and decode token.
+     *
+     * @param token a JWT token
+     * @return information included in the given token
+     * @throws com.auth0.jwt.exceptions.JWTVerificationException if the token is invalid, such as
+     *                                                           expired, or not signed by
+     *                                                           specific server
+     */
+    public DecodedJWT verifyToken(String token) {
+        return verifier.verify(token);
+    }
+}
@@ -0,0 +1,35 @@
+package com.onixbyte.deltaforceguide.config;
+
+import com.onixbyte.deltaforceguide.interceptor.GitHubWebhookInterceptor;
+import com.onixbyte.deltaforceguide.interceptor.TrafficInterceptor;
+import com.onixbyte.deltaforceguide.properties.AppProperties;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+@EnableConfigurationProperties(AppProperties.class)
+public class AppConfig implements WebMvcConfigurer {
+
+    private final TrafficInterceptor trafficInterceptor;
+
+    private final GitHubWebhookInterceptor gitHubWebhookInterceptor;
+
+    @Autowired
+    public AppConfig(
+            TrafficInterceptor trafficInterceptor,
+            GitHubWebhookInterceptor gitHubWebhookInterceptor
+    ) {
+        this.trafficInterceptor = trafficInterceptor;
+        this.gitHubWebhookInterceptor = gitHubWebhookInterceptor;
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(trafficInterceptor);
+        registry.addInterceptor(gitHubWebhookInterceptor)
+                .addPathPatterns("/webhooks/github");
+    }
+}
@@ -2,46 +2,48 @@ package com.onixbyte.deltaforceguide.config;

 import com.onixbyte.deltaforceguide.properties.CorsProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

-import java.util.Optional;
+import java.util.List;
 import java.util.stream.Stream;

+/**
+ * Configuration for CORS (Cross-Origin Resource Sharing) policies.
+ *
+ * @author zihluwang
+ */
@Configuration
@EnableConfigurationProperties({CorsProperties.class})
-public class CorsConfig implements WebMvcConfigurer {
+public class CorsConfig {

-    private final CorsProperties properties;
-
-    public CorsConfig(CorsProperties properties) {
-        this.properties = properties;
-    }
-
-    @Override
-    public void addCorsMappings(CorsRegistry registry) {
-        registry.addMapping("/**")
-                .allowedOrigins(toSafeArray(properties.allowedOrigins()))
-                .allowedHeaders(toSafeArray(properties.allowedHeaders()))
-                .allowedMethods(toHttpMethodNames(properties.allowedMethods()))
-                .allowCredentials(properties.allowCredentials())
-                .maxAge(properties.maxAge().toSeconds())
-                .exposedHeaders(toSafeArray(properties.exposedHeaders()));
-    }
-
-    private static String[] toSafeArray(String[] values) {
-        return values == null ? new String[0] : values;
-    }
-
-    private static String[] toHttpMethodNames(HttpMethod[] methods) {
-        return Optional.ofNullable(methods)
-                .stream()
-                .flatMap(Stream::of)
+    /**
+     * Creates the CORS configuration source with properties from configuration.
+     *
+     * @param properties the CORS configuration properties
+     * @return the CORS configuration source
+     */
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource(
+            CorsProperties properties
+    ) {
+        var corsConfiguration = new CorsConfiguration();
+        corsConfiguration.setAllowCredentials(properties.allowCredentials());
+        corsConfiguration.setAllowedOrigins(List.of(properties.allowedOrigins()));
+        corsConfiguration.setAllowedHeaders(List.of(properties.allowedHeaders()));
+        corsConfiguration.setAllowedMethods(Stream.of(properties.allowedMethods())
                .map(HttpMethod::name)
-                .toList()
-                .toArray(String[]::new);
-    }
+                .toList());
+        corsConfiguration.setMaxAge(properties.maxAge());
+        corsConfiguration.setAllowPrivateNetwork(properties.allowPrivateNetwork());
+        corsConfiguration.setExposedHeaders(List.of(properties.exposedHeaders()));

+        var corsConfigurationSource = new UrlBasedCorsConfigurationSource();
+        corsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
+        return corsConfigurationSource;
+    }
 }
@@ -0,0 +1,21 @@
+package com.onixbyte.deltaforceguide.config;
+
+import com.onixbyte.deltaforceguide.filter.WebhookFilter;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class FilterConfig {
+
+    @Bean
+    public FilterRegistrationBean<WebhookFilter> webhookFilterBean(WebhookFilter webhookFilter) {
+        var registrationBean = new FilterRegistrationBean<WebhookFilter>();
+
+        registrationBean.setFilter(webhookFilter);
+        registrationBean.addUrlPatterns("/webhooks/*");
+        registrationBean.setOrder(1);
+
+        return registrationBean;
+    }
+}
@@ -6,6 +6,11 @@ import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilde
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

+/**
+ * Configuration for Jackson JSON serialisation and deserialisation settings.
+ *
+ * @author zihluwang
+ */
@Configuration
 public class JacksonConfig {

@@ -3,6 +3,11 @@ package com.onixbyte.deltaforceguide.config;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.context.annotation.Configuration;

+/**
+ * Configuration for MyBatis SQL mapping framework integration.
+ *
+ * @author zihluwang
+ */
@Configuration
@MapperScan(basePackages = {"com.onixbyte.deltaforceguide.mapper"})
 public class MyBatisConfig {
@@ -0,0 +1,26 @@
+package com.onixbyte.deltaforceguide.config;
+
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.info.Contact;
+import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.info.License;
+import org.springframework.context.annotation.Configuration;
+
+@OpenAPIDefinition(
+        info = @Info(
+                title = "Delta Force Guide Server",
+                description = "API for managing Delta Force game firearm builds",
+                version = "1.3.4",
+                contact = @Contact(
+                        name = "Zihlu Wang",
+                        email = "zihlu.wang@onixbyte.com"
+                ),
+                license = @License(
+                        name = "MIT",
+                        url = "https://git.onixbyte.cn/onixbyte/delta-force-guide-server/-/raw/main/LICENCE"
+                )
+        )
+)
+@Configuration
+public class OpenApiConfiguration {
+}
@@ -0,0 +1,96 @@
+package com.onixbyte.deltaforceguide.config;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.onixbyte.deltaforceguide.filter.TokenAuthenticationFilter;
+import com.onixbyte.deltaforceguide.properties.CookieProperties;
+import com.onixbyte.deltaforceguide.properties.TokenProperties;
+import com.onixbyte.deltaforceguide.security.provider.UsernamePasswordAuthenticationProvider;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.web.cors.CorsConfigurationSource;
+
+/**
+ * Spring Security configuration defining authentication, authorisation, and filter chains.
+ *
+ * @author zihluwang
+ */
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity
+@EnableConfigurationProperties({TokenProperties.class, CookieProperties.class})
+public class SecurityConfig {
+
+    /**
+     * Configures the HTTP security filter chain including endpoint authorisation and JWT filter.
+     *
+     * @param http the HTTP security builder
+     * @return the configured security filter chain
+     */
+    @Bean
+    public SecurityFilterChain securityFilterChain(
+            HttpSecurity httpSecurity,
+            CorsConfigurationSource corsConfigurationSource,
+            TokenAuthenticationFilter tokenAuthenticationFilter
+    ) throws Exception {
+        return httpSecurity
+                .cors((cors) -> cors
+                        .configurationSource(corsConfigurationSource))
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement((customiser) -> customiser
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests((customiser) -> customiser
+                        .anyRequest().permitAll()
+                )
+                .addFilterAfter(tokenAuthenticationFilter, ExceptionTranslationFilter.class)
+                .build();
+    }
+
+    /**
+     * Provides the BCrypt password encoder for credential hashing.
+     * @return the BCrypt password encoder
+     */
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    /**
+     * Provides the authentication manager for the security configuration.
+     *
+     * @return the authentication manager
+     */
+    @Bean
+    public AuthenticationManager authenticationManager(
+            UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider
+    ) {
+        return new ProviderManager(
+                usernamePasswordAuthenticationProvider
+        );
+    }
+
+    @Bean
+    public Algorithm algorithm(TokenProperties properties) {
+        return Algorithm.HMAC256(properties.secret());
+    }
+
+    @Bean
+    public JWTVerifier verifier(Algorithm algorithm, TokenProperties tokenProperties) {
+        return JWT.require(algorithm)
+                .withIssuer(tokenProperties.issuer())
+                .build();
+    }
+}
@@ -3,6 +3,11 @@ package com.onixbyte.deltaforceguide.config;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;

+/**
+ * Configuration for Spring Data JPA auditing and repository settings.
+ *
+ * @author zihluwang
+ */
@Configuration
@EnableJpaRepositories(basePackages = {"com.onixbyte.deltaforceguide.repository"})
 public class SpringDataConfig {
@@ -0,0 +1,10 @@
+package com.onixbyte.deltaforceguide.config;
+
+import com.onixbyte.deltaforceguide.properties.GitHubWebhookProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@EnableConfigurationProperties({GitHubWebhookProperties.class})
+public class WebhookConfig {
+}
@@ -0,0 +1,66 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.LoginRequest;
+import com.onixbyte.deltaforceguide.domain.dto.UserResponse;
+import com.onixbyte.deltaforceguide.client.TokenClient;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
+import com.onixbyte.deltaforceguide.service.AuthService;
+import com.onixbyte.deltaforceguide.service.CookieService;
+import com.onixbyte.deltaforceguide.shared.CookieName;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.time.Duration;
+import java.time.LocalDateTime;
+
+/**
+ * REST controller for user authentication endpoints (login, logout).
+ *
+ * @author zihluwang
+ */
+@Tag(name = "用户鉴权", description = "处理用户登录与退出功能")
+@RestController
+@RequestMapping("/auth")
+public class AuthController {
+
+    private final AuthService authService;
+    private final TokenClient tokenClient;
+    private final CookieService cookieService;
+
+    public AuthController(AuthService authService, TokenClient tokenClient, CookieService cookieService) {
+        this.authService = authService;
+        this.tokenClient = tokenClient;
+        this.cookieService = cookieService;
+    }
+
+    @Operation(description = "用户登录")
+    @PostMapping("/login")
+    public ResponseEntity<UserResponse> login(@Validated @RequestBody LoginRequest request) {
+        var user = authService.login(request);
+        var currentTime = LocalDateTime.now();
+        var accessToken = tokenClient.generateToken(user);
+        var accessTokenCookie = cookieService.buildCookie(CookieName.ACCESS_TOKEN, accessToken);
+        var cookieMaxAge = accessTokenCookie.getMaxAge();
+
+        return ResponseEntity.ok()
+                .header(HttpHeaders.SET_COOKIE, accessTokenCookie.toString())
+                .body(UserResponse.from(user, currentTime.plus(cookieMaxAge)));
+    }
+
+    @RequiresAuth
+    @Operation(description = "退出登录")
+    @PostMapping("/logout")
+    public ResponseEntity<Void> logout() {
+        var expiredCookie = cookieService.buildCookie(CookieName.ACCESS_TOKEN, "", Duration.ZERO);
+        return ResponseEntity.noContent()
+                .header(HttpHeaders.SET_COOKIE, expiredCookie.toString())
+                .build();
+    }
+}
@@ -0,0 +1,32 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.service.DailyPasswordService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * REST controller for retrieving daily-generated passwords.
+ *
+ * @author zihluwang
+ */
+@Tag(name = "每日密码", description = "获取每日密码信息")
+@RestController
+@RequestMapping("/daily-passwords")
+public class DailyPasswordController {
+
+    private final DailyPasswordService dailyPasswordService;
+
+    public DailyPasswordController(DailyPasswordService dailyPasswordService) {
+        this.dailyPasswordService = dailyPasswordService;
+    }
+
+    @Operation(description = "获取当日的每日密码数据，该数据将被缓存一天")
+    @GetMapping
+    public DailyPasswordResponse getDailyPassword() {
+        return dailyPasswordService.getDailyPassword();
+    }
+}
@@ -1,21 +1,26 @@
 package com.onixbyte.deltaforceguide.controller;

+import com.onixbyte.deltaforceguide.domain.dto.FirearmRequest;
 import com.onixbyte.deltaforceguide.domain.dto.FirearmResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
 import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
 import com.onixbyte.deltaforceguide.service.FirearmService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Sort;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;

-@Validated
+/**
+ * REST controller for firearm CRUD operations.
+ *
+ * @author zihluwang
+ */
+@Tag(name = "武器管理", description = "与武器有关的操作")
@RestController
@RequestMapping("/firearms")
 public class FirearmController {
@@ -26,6 +31,8 @@ public class FirearmController {
        this.firearmService = firearmService;
    }

+    @Operation(description = "获取分页武器数据")
+    @Validated
    @GetMapping
    public PageResponse<FirearmResponse> pageQuery(
            @RequestParam(defaultValue = "0") @Min(0) int page,
@@ -37,9 +44,29 @@ public class FirearmController {
        return firearmService.pageQuery(type, PageRequest.of(page, size, Sort.by(direction, sortBy)));
    }

+    @Operation(description = "获取指定武器的数据")
    @GetMapping("/{id}")
    public FirearmResponse queryById(@PathVariable Long id) {
        return firearmService.queryById(id);
    }
+
+    @RequiresAuth
+    @PostMapping
+    public FirearmResponse addFirearm(@Validated @RequestBody FirearmRequest request) {
+        return firearmService.addFirearm(request);
    }

+    @RequiresAuth
+    @Operation(description = "更新指定武器的数据")
+    @PutMapping("/{id}")
+    public FirearmResponse updateFirearm(@PathVariable Long id, @Validated @RequestBody FirearmRequest request) {
+        return firearmService.updateFirearm(id, request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "删除指定武器的数据")
+    @DeleteMapping("/{id}")
+    public void deleteFirearm(@PathVariable Long id) {
+        firearmService.deleteFirearm(id);
+    }
+}
@@ -0,0 +1,43 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.GitHubIssueRequest;
+import com.onixbyte.deltaforceguide.service.WebhookService;
+import com.onixbyte.deltaforceguide.shared.GitHubWebhookHeader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/webhooks/github")
+public class GitHubWebhookController {
+
+    private static final Logger log = LoggerFactory.getLogger(GitHubWebhookController.class);
+
+    private final WebhookService webhookService;
+
+    public GitHubWebhookController(WebhookService webhookService) {
+        this.webhookService = webhookService;
+    }
+
+    @PostMapping
+    public ResponseEntity<Void> handleWebhook(
+            @RequestHeader(GitHubWebhookHeader.EVENT) String event,
+            @RequestBody GitHubIssueRequest request
+    ) {
+        if (!"issues".equals(event)) {
+            log.debug("Ignoring non-issue event: {}", event);
+            return ResponseEntity.ok().build();
+        }
+        if (!"opened".equals(request.action())) {
+            log.debug("Ignoring issue action: {}", request.action());
+            return ResponseEntity.ok().build();
+        }
+        webhookService.processIssueEvent(request);
+        return ResponseEntity.ok().build();
+    }
+}
@@ -0,0 +1,24 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.ErrorResponse;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+/**
+ * Global exception handler that translates exceptions into standard error responses.
+ *
+ * @author zihluwang
+ */
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+
+    @ExceptionHandler(BizException.class)
+    public ResponseEntity<ErrorResponse> handleBizException(BizException exception) {
+        var status = exception.getStatus();
+        return ResponseEntity.status(status)
+                .body(new ErrorResponse(exception.getMessage()));
+    }
+}
+
@@ -1,21 +1,38 @@
 package com.onixbyte.deltaforceguide.controller;

+import com.onixbyte.deltaforceguide.domain.dto.ModificationBatchCreateRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest;
 import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
 import com.onixbyte.deltaforceguide.service.ModificationService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
 import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.Positive;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Sort;
 import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;

-@Validated
+import java.util.List;
+
+/**
+ * REST controller for modification CRUD operations, including batch creation and deletion.
+ *
+ * @author zihluwang
+ */
+@Tag(name = "改装管理", description = "对枪械改装的管理")
@RestController
@RequestMapping("/modifications")
 public class ModificationController {
@@ -26,20 +43,59 @@ public class ModificationController {
        this.modificationService = modificationService;
    }

+    @Operation(description = "分页查询改装信息")
+    @Validated
    @GetMapping
    public PageResponse<ModificationResponse> pageQuery(
            @RequestParam(defaultValue = "0") @Min(0) int page,
            @RequestParam(defaultValue = "20") @Min(1) @Max(100) int size,
            @RequestParam(required = false) @Positive Long firearmId,
            @RequestParam(defaultValue = "id") String sortBy,
-            @RequestParam(defaultValue = "DESC") Sort.Direction direction
+            @RequestParam(defaultValue = "DESC") Sort.Direction direction,
+            @RequestParam(required = false) List<String> tags
    ) {
-        return modificationService.pageQuery(firearmId, PageRequest.of(page, size, Sort.by(direction, sortBy)));
+        return modificationService.pageQuery(firearmId, tags, PageRequest.of(page, size, Sort.by(direction, sortBy)));
    }

+    @Operation(description = "查询指定改装的信息")
    @GetMapping("/{id}")
    public ModificationResponse queryById(@PathVariable Long id) {
        return modificationService.queryById(id);
    }
+
+    @RequiresAuth
+    @Operation(description = "创建改装")
+    @PostMapping
+    public ModificationResponse create(@Valid @RequestBody ModificationRequest request) {
+        return modificationService.create(request);
    }

+    @RequiresAuth
+    @Operation(description = "批量创建改装")
+    @PostMapping("/batch")
+    public List<ModificationResponse> batchCreate(@Valid @RequestBody ModificationBatchCreateRequest request) {
+        return modificationService.batchCreate(request.modifications());
+    }
+
+    @RequiresAuth
+    @Operation(description = "修改指定改装")
+    @PutMapping("/{id}")
+    public ModificationResponse update(@PathVariable Long id, @Valid @RequestBody ModificationRequest request) {
+        return modificationService.update(id, request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "删除指定改装")
+    @DeleteMapping("/{id}")
+    public void delete(@PathVariable Long id) {
+        modificationService.delete(id);
+    }
+
+    @RequiresAuth
+    @Operation(description = "批量删除改装")
+    @DeleteMapping("/batch-delete")
+    @Validated
+    public void batchDelete(@RequestParam List<@Positive Long> ids) {
+        modificationService.batchDelete(ids);
+    }
+}
@@ -0,0 +1,34 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+import com.onixbyte.deltaforceguide.service.ModificationService;
+
+import java.util.List;
+
+/**
+ * REST controller for retrieving available modification tags.
+ *
+ * @author zihluwang
+ */
+@Tag(name = "标签管理", description = "管理标签信息")
+@RestController
+@RequestMapping("/tags")
+public class TagController {
+
+    private final ModificationService modificationService;
+
+    public TagController(ModificationService modificationService) {
+        this.modificationService = modificationService;
+    }
+
+    @Operation(description = "查询指定武器或所有武器的标签")
+    @GetMapping
+    public List<String> getTags(@RequestParam(required = false) Long firearmId) {
+        return modificationService.findAllTags(firearmId);
+    }
+}
@@ -0,0 +1,26 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.service.AppService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Tag(name = "版本信息")
+@RestController
+@RequestMapping("/versions")
+public class VersionController {
+
+    private final AppService appService;
+
+    public VersionController(AppService appService) {
+        this.appService = appService;
+    }
+
+    @Operation(description = "获取当前应用版本号")
+    @GetMapping
+    public String getVersion() {
+        return appService.getVersion();
+    }
+}
@@ -4,6 +4,11 @@ import com.onixbyte.deltaforceguide.enumeration.FirearmType;
 import jakarta.persistence.AttributeConverter;
 import jakarta.persistence.Converter;

+/**
+ * JPA attribute converter that maps {@link FirearmType} enum to/from its integer database representation.
+ *
+ * @author zihluwang
+ */
@Converter
 public class FirearmTypeConverter implements AttributeConverter<FirearmType, Integer> {

@@ -0,0 +1,25 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Request DTO for creating or updating an accessory attached to a modification.
+ *
+ * @author zihluwang
+ */
+public record AccessoryRequest(
+        @NotBlank(message = "插槽名称不能为空")
+        String slotName,
+        @NotBlank(message = "配件名称不能为空")
+        String accessoryName,
+        List<@Valid TuningRequest> tunings
+) {
+    public List<TuningRequest> tunings() {
+        return tunings == null ? new ArrayList<>() : tunings;
+    }
+}
+
@@ -0,0 +1,27 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.Accessory;
+
+import java.util.List;
+
+/**
+ * Response DTO for an accessory attached to a modification.
+ *
+ * @author zihluwang
+ */
+public record AccessoryResponse(
+        String slotName,
+        String accessoryName,
+        List<TuningResponse> tunings
+) {
+    public static AccessoryResponse from(Accessory accessory) {
+        return new AccessoryResponse(
+                accessory.getSlotName(),
+                accessory.getAccessoryName(),
+                accessory.getTunings() == null
+                        ? List.of()
+                        : accessory.getTunings().stream().map(TuningResponse::from).toList()
+        );
+    }
+}
+
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+/**
+ * DTO representing a single daily-generated password for a map.
+ *
+ * @author zihluwang
+ */
+public record DailyPassword(
+        String mapName,
+        String password
+) {
+}
@@ -0,0 +1,19 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+/**
+ * DTO containing daily password data including update information and password list.
+ *
+ * @author zihluwang
+ */
+public record DailyPasswordData(
+        String updateDate,
+        Integer totalCount,
+        List<DailyPassword> passwords,
+        String source,
+        LocalDateTime lastUpdated,
+        Long timestamp
+) {
+}
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+/**
+ * DTO holding metadata about the daily password source and update tracking.
+ *
+ * @author zihluwang
+ */
+public record DailyPasswordMetadata(
+        String version,
+        String author
+) {
+}
@@ -0,0 +1,14 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+/**
+ * Response DTO wrapping daily password data with metadata.
+ *
+ * @author zihluwang
+ */
+public record DailyPasswordResponse(
+        String status,
+        String message,
+        DailyPasswordData data,
+        DailyPasswordMetadata metadata
+) {
+}
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+/**
+ * Standard error response body returned on API failures.
+ *
+ * @author zihluwang
+ */
+public record ErrorResponse(
+        String message
+) {
+}
+
@@ -0,0 +1,20 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+
+/**
+ * Request DTO for creating or updating a firearm.
+ *
+ * @author zihluwang
+ */
+public record FirearmRequest(
+        String name,
+        FirearmType type,
+        String level,
+        String calibre,
+        Integer fireRate,
+        Integer armourDamage,
+        Integer bodyDamage,
+        String review
+) {
+}
@@ -3,11 +3,20 @@ package com.onixbyte.deltaforceguide.domain.dto;
 import com.onixbyte.deltaforceguide.domain.entity.Firearm;
 import com.onixbyte.deltaforceguide.enumeration.FirearmType;

+/**
+ * Response DTO for a firearm record, including associated modifications.
+ *
+ * @author zihluwang
+ */
 public record FirearmResponse(
        Long id,
        String name,
        FirearmType type,
        String level,
+        String calibre,
+        Integer fireRate,
+        Integer armourDamage,
+        Integer bodyDamage,
        String review
 ) {
    public static FirearmResponse from(Firearm firearm) {
@@ -16,6 +25,10 @@ public record FirearmResponse(
                firearm.getName(),
                firearm.getType(),
                firearm.getLevel(),
+                firearm.getCalibre(),
+                firearm.getFireRate(),
+                firearm.getArmourDamage(),
+                firearm.getBodyDamage(),
                firearm.getReview()
        );
    }
@@ -0,0 +1,15 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubIssueRequest(
+        String action,
+        GitHubWebhookIssue issue,
+        GitHubWebhookRepository repository,
+        GitHubWebhookSender sender
+) {
+}
@@ -0,0 +1,20 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+import java.util.List;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubWebhookIssue(
+        String url,
+        Long id,
+        Long number,
+        String title,
+        String body,
+        List<GitHubWebhookLabel> labels
+) {
+
+}
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubWebhookLabel(
+        String name
+) {
+}
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubWebhookRepository(
+        String fullName
+) {
+}
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubWebhookSender(
+        String login
+) {
+}
@@ -0,0 +1,20 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotBlank;
+
+/**
+ * Login request containing principle (username/email) and credential (password).
+ *
+ * @author zihluwang
+ */
+@Schema(description = "登录请求")
+public record LoginRequest(
+        @NotBlank(message = "登录名称不能为空")
+        @Schema(description = "用户名或电子邮箱", requiredMode = Schema.RequiredMode.REQUIRED)
+        String principle,
+        @NotBlank(message = "登录口令不能为空")
+        @Schema(description = "密码", requiredMode = Schema.RequiredMode.REQUIRED)
+        String credential
+) {
+}
@@ -0,0 +1,18 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotEmpty;
+
+import java.util.List;
+
+/**
+ * Request DTO for batch creation of modifications.
+ *
+ * @author zihluwang
+ */
+public record ModificationBatchCreateRequest(
+        @NotEmpty(message = "批量创建列表不能为空")
+        List<@Valid ModificationRequest> modifications
+) {
+}
+
@@ -0,0 +1,18 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.Positive;
+
+import java.util.List;
+
+/**
+ * Request DTO for batch deletion of modifications by ID.
+ *
+ * @author zihluwang
+ */
+public record ModificationBatchDeleteRequest(
+        @NotEmpty(message = "批量删除ID列表不能为空")
+        List<@Positive(message = "ID必须为正数") Long> ids
+) {
+}
+
@@ -0,0 +1,38 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Positive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Request DTO for creating or updating a modification.
+ *
+ * @author zihluwang
+ */
+public record ModificationRequest(
+        @NotNull(message = "武器ID不能为空")
+        @Positive(message = "武器ID必须为正数")
+        Long firearmId,
+        @NotBlank(message = "改装名称不能为空")
+        String name,
+        @NotBlank(message = "改装代码不能为空")
+        String code,
+        List<@NotBlank(message = "标签不能为空") String> tags,
+        List<@Valid AccessoryRequest> accessories,
+        String note,
+        String author,
+        String videoUrl
+) {
+    public List<String> tags() {
+        return tags == null ? new ArrayList<>() : tags;
+    }
+
+    public List<AccessoryRequest> accessories() {
+        return accessories == null ? new ArrayList<>() : accessories;
+    }
+}
+
@@ -4,12 +4,18 @@ import com.onixbyte.deltaforceguide.domain.entity.Modification;

 import java.util.List;

+/**
+ * Response DTO for a modification record including accessories and tags.
+ *
+ * @author zihluwang
+ */
 public record ModificationResponse(
        Long id,
        Long firearmId,
        String name,
        String code,
        List<String> tags,
+        List<AccessoryResponse> accessories,
        String note,
        String author,
        String videoUrl
@@ -21,6 +27,9 @@ public record ModificationResponse(
                modification.getName(),
                modification.getCode(),
                modification.getTags(),
+                modification.getAccessories() == null
+                        ? List.of()
+                        : modification.getAccessories().stream().map(AccessoryResponse::from).toList(),
                modification.getNote(),
                modification.getAuthor(),
                modification.getVideoUrl()
@@ -4,6 +4,11 @@ import org.springframework.data.domain.Page;

 import java.util.List;

+/**
+ * Generic paginated response wrapper for list endpoints.
+ *
+ * @author zihluwang
+ */
 public record PageResponse<T>(
        List<T> items,
        int page,
@@ -0,0 +1,18 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+
+/**
+ * Request DTO for a tuning adjustment on an accessory.
+ *
+ * @author zihluwang
+ */
+public record TuningRequest(
+        @NotBlank(message = "调校项名称不能为空")
+        String tuningName,
+        @NotNull(message = "调校值不能为空")
+        Double tuningValue
+) {
+}
+
@@ -0,0 +1,21 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.Tuning;
+
+/**
+ * Response DTO for a tuning adjustment on an accessory.
+ *
+ * @author zihluwang
+ */
+public record TuningResponse(
+        String tuningName,
+        Double tuningValue
+) {
+    public static TuningResponse from(Tuning tuning) {
+        return new TuningResponse(
+                tuning.getTuningName(),
+                tuning.getTuningValue()
+        );
+    }
+}
+
@@ -0,0 +1,26 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+
+import java.time.LocalDateTime;
+
+/**
+ * Response DTO for a user account, including associated credentials.
+ *
+ * @author zihluwang
+ */
+public record UserResponse(
+        Long id,
+        String username,
+        String email,
+        LocalDateTime expiration
+) {
+    public static UserResponse from(User user, LocalDateTime expiration) {
+        return new UserResponse(
+                user.getId(),
+                user.getUsername(),
+                user.getEmail(),
+                expiration
+        );
+    }
+}
@@ -0,0 +1,72 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Entity representing an accessory attached to a modification, stored as JSONB.
+ *
+ * @author zihluwang
+ */
+public class Accessory {
+
+    private String slotName;
+
+    private String accessoryName;
+
+    private List<Tuning> tunings = new ArrayList<>();
+
+    public Accessory() {
+    }
+
+    public String getSlotName() {
+        return slotName;
+    }
+
+    public void setSlotName(String slotName) {
+        this.slotName = slotName;
+    }
+
+    public String getAccessoryName() {
+        return accessoryName;
+    }
+
+    public void setAccessoryName(String accessoryName) {
+        this.accessoryName = accessoryName;
+    }
+
+    public List<Tuning> getTunings() {
+        return tunings;
+    }
+
+    public void setTunings(List<Tuning> tunings) {
+        this.tunings = tunings;
+    }
+
+    public void addTuning(Tuning tuning) {
+        this.tunings.add(tuning);
+    }
+
+    public void removeTuning(Tuning tuning) {
+        this.tunings.remove(tuning);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof Accessory accessory)) {
+            return false;
+        }
+        return Objects.equals(slotName, accessory.slotName)
+                && Objects.equals(accessoryName, accessory.accessoryName)
+                && Objects.equals(tunings, accessory.tunings);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(slotName, accessoryName, tunings);
+    }
+}
@@ -15,6 +15,11 @@ import jakarta.persistence.Table;
 import java.util.ArrayList;
 import java.util.List;

+/**
+ * Entity representing a firearm in the Delta Force game.
+ *
+ * @author zihluwang
+ */
@Entity
@Table(name = "firearm")
 public class Firearm {
@@ -36,6 +41,18 @@ public class Firearm {
    @Column(name = "review", columnDefinition = "TEXT")
    private String review;

+    @Column(name = "calibre")
+    private String calibre;
+
+    @Column(name = "fire_rate")
+    private Integer fireRate;
+
+    @Column(name = "armour_damage")
+    private Integer armourDamage;
+
+    @Column(name = "body_damage")
+    private Integer bodyDamage;
+
    @OneToMany(mappedBy = "firearm", cascade = CascadeType.ALL, orphanRemoval = true)
    private List<Modification> modifications = new ArrayList<>();

@@ -79,6 +96,38 @@ public class Firearm {
        this.review = review;
    }

+    public String getCalibre() {
+        return calibre;
+    }
+
+    public void setCalibre(String calibre) {
+        this.calibre = calibre;
+    }
+
+    public Integer getFireRate() {
+        return fireRate;
+    }
+
+    public void setFireRate(Integer fireRate) {
+        this.fireRate = fireRate;
+    }
+
+    public Integer getArmourDamage() {
+        return armourDamage;
+    }
+
+    public void setArmourDamage(Integer armourDamage) {
+        this.armourDamage = armourDamage;
+    }
+
+    public Integer getBodyDamage() {
+        return bodyDamage;
+    }
+
+    public void setBodyDamage(Integer bodyDamage) {
+        this.bodyDamage = bodyDamage;
+    }
+
    public List<Modification> getModifications() {
        return modifications;
    }
@@ -96,5 +145,88 @@ public class Firearm {
        this.modifications.remove(modification);
        modification.setFirearm(null);
    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private String name;
+        private FirearmType type;
+        private String level;
+        private String review;
+        private String calibre;
+        private Integer fireRate;
+        private Integer armourDamage;
+        private Integer bodyDamage;
+        private List<Modification> modifications;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder name(String name) {
+            this.name = name;
+            return this;
+        }
+
+        public Builder type(FirearmType type) {
+            this.type = type;
+            return this;
+        }
+
+        public Builder level(String level) {
+            this.level = level;
+            return this;
+        }
+
+        public Builder review(String review) {
+            this.review = review;
+            return this;
+        }
+
+        public Builder calibre(String calibre) {
+            this.calibre = calibre;
+            return this;
+        }
+
+        public Builder fireRate(Integer fireRate) {
+            this.fireRate = fireRate;
+            return this;
+        }
+
+        public Builder armourDamage(Integer armourDamage) {
+            this.armourDamage = armourDamage;
+            return this;
+        }
+
+        public Builder bodyDamage(Integer bodyDamage) {
+            this.bodyDamage = bodyDamage;
+            return this;
+        }
+
+        public Builder modifications(List<Modification> modifications) {
+            this.modifications = modifications;
+            return this;
+        }
+
+        public Firearm build() {
+            Firearm firearm = new Firearm();
+            firearm.id = this.id;
+            firearm.name = this.name;
+            firearm.type = this.type;
+            firearm.level = this.level;
+            firearm.review = this.review;
+            firearm.calibre = this.calibre;
+            firearm.fireRate = this.fireRate;
+            firearm.armourDamage = this.armourDamage;
+            firearm.bodyDamage = this.bodyDamage;
+            firearm.modifications = this.modifications == null ? new ArrayList<>() : this.modifications;
+            return firearm;
+        }
+    }
 }

@@ -1,22 +1,17 @@
 package com.onixbyte.deltaforceguide.domain.entity;

 import io.hypersistence.utils.hibernate.type.json.JsonType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.ForeignKey;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.Index;
-import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.Table;
+import jakarta.persistence.*;
 import org.hibernate.annotations.Type;

 import java.util.ArrayList;
 import java.util.List;

+/**
+ * Entity representing a firearm modification or build configuration.
+ *
+ * @author zihluwang
+ */
@Entity
@Table(
    name = "modification",
@@ -41,9 +36,13 @@ public class Modification {
    private String code;

    @Type(JsonType.class)
-    @Column(name = "tags", columnDefinition = "json")
+    @Column(name = "tags", columnDefinition = "jsonb")
    private List<String> tags = new ArrayList<>();

+    @Type(JsonType.class)
+    @Column(name = "accessories", columnDefinition = "jsonb")
+    private List<Accessory> accessories = new ArrayList<>();
+
    @Column(name = "note", columnDefinition = "TEXT")
    private String note;

@@ -93,6 +92,22 @@ public class Modification {
        this.tags = tags;
    }

+    public List<Accessory> getAccessories() {
+        return accessories;
+    }
+
+    public void setAccessories(List<Accessory> accessories) {
+        this.accessories = accessories;
+    }
+
+    public void addAccessory(Accessory modificationAccessory) {
+        this.accessories.add(modificationAccessory);
+    }
+
+    public void removeAccessory(Accessory modificationAccessory) {
+        this.accessories.remove(modificationAccessory);
+    }
+
    public String getNote() {
        return note;
    }
@@ -116,5 +131,81 @@ public class Modification {
    public void setVideoUrl(String videoUrl) {
        this.videoUrl = videoUrl;
    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private Firearm firearm;
+        private String name;
+        private String code;
+        private List<String> tags;
+        private List<Accessory> accessories;
+        private String note;
+        private String author;
+        private String videoUrl;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder firearm(Firearm firearm) {
+            this.firearm = firearm;
+            return this;
+        }
+
+        public Builder name(String name) {
+            this.name = name;
+            return this;
+        }
+
+        public Builder code(String code) {
+            this.code = code;
+            return this;
+        }
+
+        public Builder tags(List<String> tags) {
+            this.tags = tags;
+            return this;
+        }
+
+        public Builder accessories(List<Accessory> accessories) {
+            this.accessories = accessories;
+            return this;
+        }
+
+        public Builder note(String note) {
+            this.note = note;
+            return this;
+        }
+
+        public Builder author(String author) {
+            this.author = author;
+            return this;
+        }
+
+        public Builder videoUrl(String videoUrl) {
+            this.videoUrl = videoUrl;
+            return this;
+        }
+
+        public Modification build() {
+            Modification modification = new Modification();
+            modification.id = this.id;
+            modification.firearm = this.firearm;
+            modification.name = this.name;
+            modification.code = this.code;
+            modification.tags = this.tags == null ? new ArrayList<>() : this.tags;
+            modification.accessories = this.accessories == null ? new ArrayList<>() : this.accessories;
+            modification.note = this.note;
+            modification.author = this.author;
+            modification.videoUrl = this.videoUrl;
+            return modification;
+        }
+    }
 }

@@ -0,0 +1,50 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import java.util.Objects;
+
+/**
+ * Entity representing a tuning adjustment for an accessory, stored as JSONB within Accessory.
+ *
+ * @author zihluwang
+ */
+public class Tuning {
+
+    private String tuningName;
+    private Double tuningValue;
+
+    public Tuning() {
+    }
+
+    public String getTuningName() {
+        return tuningName;
+    }
+
+    public void setTuningName(String tuningName) {
+        this.tuningName = tuningName;
+    }
+
+    public Double getTuningValue() {
+        return tuningValue;
+    }
+
+    public void setTuningValue(Double tuningValue) {
+        this.tuningValue = tuningValue;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof Tuning tuning)) {
+            return false;
+        }
+        return Objects.equals(tuningName, tuning.tuningName)
+                && Objects.equals(tuningValue, tuning.tuningValue);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(tuningName, tuningValue);
+    }
+}
@@ -0,0 +1,119 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Table;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Entity representing an application user with authentication credentials.
+ *
+ * @author zihluwang
+ */
+@Entity
+@Table(name = "app_user")
+public class User {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "username", nullable = false)
+    private String username;
+
+    @Column(name = "email", nullable = false)
+    private String email;
+
+    @OneToMany(mappedBy = "user", cascade = CascadeType.ALL, orphanRemoval = true)
+    private List<UserCredential> credentials = new ArrayList<>();
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public List<UserCredential> getCredentials() {
+        return credentials;
+    }
+
+    public void setCredentials(List<UserCredential> credentials) {
+        this.credentials = credentials;
+    }
+
+    public void addCredential(UserCredential credential) {
+        this.credentials.add(credential);
+        credential.setUser(this);
+    }
+
+    public void removeCredential(UserCredential credential) {
+        this.credentials.remove(credential);
+        credential.setUser(null);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private String username;
+        private String email;
+        private List<UserCredential> credentials;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder username(String username) {
+            this.username = username;
+            return this;
+        }
+
+        public Builder email(String email) {
+            this.email = email;
+            return this;
+        }
+
+        public Builder credentials(List<UserCredential> credentials) {
+            this.credentials = credentials;
+            return this;
+        }
+
+        public User build() {
+            User user = new User();
+            user.id = this.id;
+            user.username = this.username;
+            user.email = this.email;
+            user.credentials = this.credentials == null ? new ArrayList<>() : this.credentials;
+            return user;
+        }
+    }
+}
@@ -0,0 +1,143 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.AttributeOverride;
+import jakarta.persistence.AttributeOverrides;
+import jakarta.persistence.EmbeddedId;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.ForeignKey;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.MapsId;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+
+/**
+ * Entity representing a user credential linked to an authentication provider.
+ *
+ * @author zihluwang
+ */
+@Entity
+@Table(name = "app_user_credential")
+public class UserCredential {
+
+	@EmbeddedId
+	@AttributeOverrides({
+		@AttributeOverride(name = "userId", column = @Column(name = "user_id")),
+		@AttributeOverride(name = "provider", column = @Column(name = "provider"))
+	})
+	private UserCredentialId id = new UserCredentialId();
+
+	@MapsId("userId")
+	@ManyToOne(fetch = FetchType.LAZY, optional = false)
+	@JoinColumn(name = "user_id", nullable = false, foreignKey = @ForeignKey(name = "fk_user_credential_user"))
+	private User user;
+
+	@Column(name = "credential", nullable = false)
+	private String credential;
+
+	public UserCredentialId getId() {
+		return id;
+	}
+
+	public void setId(UserCredentialId id) {
+		this.id = id;
+	}
+
+	public User getUser() {
+		return user;
+	}
+
+	public void setUser(User user) {
+		this.user = user;
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setUserId(user == null ? null : user.getId());
+	}
+
+	public Long getUserId() {
+		return id == null ? null : id.getUserId();
+	}
+
+	public void setUserId(Long userId) {
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setUserId(userId);
+	}
+
+	public String getProvider() {
+		return id == null ? null : id.getProvider();
+	}
+
+	public void setProvider(String provider) {
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setProvider(provider);
+	}
+
+	public String getCredential() {
+		return credential;
+	}
+
+	public void setCredential(String credential) {
+		this.credential = credential;
+	}
+
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	public static class Builder {
+
+		private UserCredentialId id;
+		private User user;
+		private Long userId;
+		private String provider;
+		private String credential;
+
+		public Builder id(UserCredentialId id) {
+			this.id = id;
+			return this;
+		}
+
+		public Builder user(User user) {
+			this.user = user;
+			return this;
+		}
+
+		public Builder userId(Long userId) {
+			this.userId = userId;
+			return this;
+		}
+
+		public Builder provider(String provider) {
+			this.provider = provider;
+			return this;
+		}
+
+		public Builder credential(String credential) {
+			this.credential = credential;
+			return this;
+		}
+
+		public UserCredential build() {
+			UserCredential userCredential = new UserCredential();
+			userCredential.id = this.id == null ? new UserCredentialId() : this.id;
+			userCredential.user = this.user;
+			if (this.user != null) {
+				userCredential.id.setUserId(this.user.getId());
+			}
+			if (this.userId != null) {
+				userCredential.id.setUserId(this.userId);
+			}
+			if (this.provider != null) {
+				userCredential.id.setProvider(this.provider);
+			}
+			userCredential.credential = this.credential;
+			return userCredential;
+		}
+	}
+}
@@ -0,0 +1,81 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.Embeddable;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * Composite key for the UserCredential entity, combining user ID and provider.
+ *
+ * @author zihluwang
+ */
+@Embeddable
+public class UserCredentialId implements Serializable {
+
+    private Long userId;
+
+    private String provider;
+
+    public Long getUserId() {
+        return userId;
+    }
+
+    public void setUserId(Long userId) {
+        this.userId = userId;
+    }
+
+    public String getProvider() {
+        return provider;
+    }
+
+    public void setProvider(String provider) {
+        this.provider = provider;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        UserCredentialId that = (UserCredentialId) o;
+        return Objects.equals(userId, that.userId) && Objects.equals(provider, that.provider);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(userId, provider);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long userId;
+        private String provider;
+
+        public Builder userId(Long userId) {
+            this.userId = userId;
+            return this;
+        }
+
+        public Builder provider(String provider) {
+            this.provider = provider;
+            return this;
+        }
+
+        public UserCredentialId build() {
+            UserCredentialId id = new UserCredentialId();
+            id.userId = this.userId;
+            id.provider = this.provider;
+            return id;
+        }
+    }
+}
+
+
@@ -1,5 +1,11 @@
 package com.onixbyte.deltaforceguide.enumeration;

+/**
+ * Enumeration of firearm types in the Delta Force game.
+ * Each type is associated with an integer code used for database persistence.
+ *
+ * @author zihluwang
+ */
 public enum FirearmType {

    RIFLE(0),
@@ -21,6 +27,13 @@ public enum FirearmType {
        return code;
    }

+    /**
+     * Resolve a FirearmType from its integer code.
+     *
+      * @param code the integer code, may be null
+     * @return the corresponding FirearmType, or null if the code is null
+     * @throws IllegalArgumentException if the code does not match any known type
+     */
    public static FirearmType fromCode(Integer code) {
        if (code == null) {
            return null;
@@ -0,0 +1,40 @@
+package com.onixbyte.deltaforceguide.exeption;
+
+import org.springframework.http.HttpStatus;
+
+/**
+ * Custom runtime exception that carries an HTTP status code for API error responses.
+ *
+ * @author zihluwang
+ */
+public class BizException extends RuntimeException {
+
+    /**
+     * The HTTP status code associated with this business exception.
+     * <p>
+     * This status code indicates the appropriate HTTP response status that should be returned to
+     * clients when this exception occurs. It enables consistent error handling across
+     * REST API endpoints.
+     */
+    private final HttpStatus status;
+
+    public BizException(String message) {
+        super(message);
+        this.status = HttpStatus.INTERNAL_SERVER_ERROR;
+    }
+
+    public BizException(HttpStatus status, String message) {
+        super(message);
+        this.status = status;
+    }
+
+    /**
+     * Returns the HTTP status code associated with this business exception.
+     *
+     * @return the HTTP status code that should be used in the error response
+     */
+    public HttpStatus getStatus() {
+        return status;
+    }
+}
+
@@ -0,0 +1,113 @@
+package com.onixbyte.deltaforceguide.filter;
+
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.onixbyte.deltaforceguide.client.TokenClient;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import com.onixbyte.deltaforceguide.service.CookieService;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.NonNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+import org.springframework.web.util.WebUtils;
+
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * Servlet filter that extracts and validates JWT tokens from httpOnly cookies for each request.
+ *
+ * @author zihluwang
+ */
+@Component
+public class TokenAuthenticationFilter extends OncePerRequestFilter {
+
+    private final static Logger log = LoggerFactory.getLogger(TokenAuthenticationFilter.class);
+    private static final Duration ACCESS_TOKEN_RENEW_THRESHOLD = Duration.ofMinutes(5);
+
+    private final UserManager userManager;
+    private final TokenClient tokenClient;
+    private final CookieService cookieService;
+    private final HandlerExceptionResolver handlerExceptionResolver;
+
+    public TokenAuthenticationFilter(
+            UserManager userManager,
+            TokenClient tokenClient,
+            CookieService cookieService,
+            HandlerExceptionResolver handlerExceptionResolver
+    ) {
+        this.userManager = userManager;
+        this.tokenClient = tokenClient;
+        this.cookieService = cookieService;
+        this.handlerExceptionResolver = handlerExceptionResolver;
+    }
+
+    /**
+     * Extracts JWT from httpOnly cookie, validates it, and sets the security context.
+     *
+     * @param request the HTTP request
+     * @param response the HTTP response
+     * @param filterChain the filter chain
+     */
+    @Override
+    protected void doFilterInternal(
+            @NonNull HttpServletRequest request,
+            @NonNull HttpServletResponse response,
+            @NonNull FilterChain filterChain
+    ) throws ServletException, IOException {
+        var token = Optional.ofNullable(WebUtils.getCookie(request, "AccessToken"))
+                .map(Cookie::getValue)
+                .orElse(null);
+        if (Objects.isNull(token) || token.isBlank()) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        try {
+            var decodedToken = tokenClient.verifyToken(token);
+            var username = decodedToken.getSubject();
+
+            var userWrapper = userManager.findByUsername(username);
+            if (userWrapper.isEmpty()) {
+                throw new BizException(HttpStatus.UNAUTHORIZED, "登录已过期，请重新登录");
+            }
+
+            var user = userWrapper.get();
+            var authentication = UsernamePasswordAuthentication.authenticated(user);
+            SecurityContextHolder.getContext().setAuthentication(authentication);
+
+            if (shouldRenew(decodedToken.getExpiresAt().toInstant())) {
+                var renewedToken = tokenClient.generateToken(user);
+                var renewedTokenCookie = cookieService.buildCookie("AccessToken", renewedToken);
+                response.addHeader(HttpHeaders.SET_COOKIE, renewedTokenCookie.toString());
+            }
+
+            filterChain.doFilter(request, response);
+        } catch (JWTVerificationException e) {
+            log.error("JWT verification failed.", e);
+            handlerExceptionResolver.resolveException(request, response, null,
+                    new BizException(HttpStatus.UNAUTHORIZED, "登录已过期，请重新登录"));
+        } catch (BizException e) {
+            handlerExceptionResolver.resolveException(request, response, null, e);
+        }
+    }
+
+    private boolean shouldRenew(Instant expiresAt) {
+        return Duration.between(Instant.now(), expiresAt).compareTo(ACCESS_TOKEN_RENEW_THRESHOLD) < 0;
+    }
+}
+
@@ -0,0 +1,22 @@
+package com.onixbyte.deltaforceguide.filter;
+
+import com.onixbyte.deltaforceguide.wrapper.RepeatedlyReadRequestWrapper;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+public class WebhookFilter implements Filter {
+    @Override
+    public void doFilter(
+            ServletRequest request,
+            ServletResponse response,
+            FilterChain chain
+    ) throws IOException, ServletException {
+        var httpRequest = (HttpServletRequest) request;
+        var wrappedRequest = new RepeatedlyReadRequestWrapper(httpRequest);
+        chain.doFilter(wrappedRequest, response);
+    }
+}
@@ -0,0 +1,83 @@
+package com.onixbyte.deltaforceguide.interceptor;
+
+import com.onixbyte.crypto.util.CryptoUtil;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.manager.WebhookManager;
+import com.onixbyte.deltaforceguide.shared.GitHubWebhookHeader;
+import com.onixbyte.deltaforceguide.wrapper.RepeatedlyReadRequestWrapper;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.NonNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+/**
+ * Verifies GitHub webhook requests by validating the {@code X-Hub-Signature-256}
+ * header against the configured secret using HMAC-SHA256.
+ *
+ * <p>Verification is skipped when no secret is configured. The signature format is
+ * {@code sha256=<hex-digest>} as documented by GitHub.
+ */
+@Component
+public class GitHubWebhookInterceptor implements HandlerInterceptor {
+
+    private static final Logger log = LoggerFactory.getLogger(GitHubWebhookInterceptor.class);
+
+    private final WebhookManager webhookManager;
+
+    public GitHubWebhookInterceptor(WebhookManager webhookManager) {
+        this.webhookManager = webhookManager;
+    }
+
+    @Override
+    public boolean preHandle(
+            @NonNull HttpServletRequest request,
+            @NonNull HttpServletResponse response,
+            @NonNull Object handler
+    ) {
+        if (!(request instanceof RepeatedlyReadRequestWrapper req)) {
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR,
+                    "Request body is not readable");
+        }
+
+        var secret = webhookManager.secret();
+        if (secret == null || secret.isBlank()) {
+            log.debug("No GitHub webhook secret configured, skipping signature verification");
+            return true;
+        }
+
+        var signatureHeader = req.getHeader(GitHubWebhookHeader.SIGNATURE_256);
+        if (signatureHeader == null || signatureHeader.isBlank()) {
+            log.warn("Missing {} header from ip={}",
+                    GitHubWebhookHeader.SIGNATURE_256, request.getRemoteAddr());
+            throw new BizException(HttpStatus.UNAUTHORIZED,
+                    "Missing webhook signature header");
+        }
+
+        var body = req.getBodyString();
+        try {
+            var computed = "sha256=" + CryptoUtil.hmacSha256(body, secret);
+
+            if (!MessageDigest.isEqual(
+                    computed.getBytes(StandardCharsets.UTF_8),
+                    signatureHeader.getBytes(StandardCharsets.UTF_8))) {
+                log.warn("Invalid webhook signature from ip={}", request.getRemoteAddr());
+                throw new BizException(HttpStatus.UNAUTHORIZED, "Invalid webhook signature");
+            }
+
+            return true;
+        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+            log.error("Failed to compute HMAC-SHA256", e);
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR,
+                    "Failed to verify webhook signature");
+        }
+    }
+}
@@ -0,0 +1,46 @@
+package com.onixbyte.deltaforceguide.interceptor;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.NonNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+@Component
+public class TrafficInterceptor implements HandlerInterceptor {
+
+    private static final Logger log = LoggerFactory.getLogger(TrafficInterceptor.class);
+
+    @Override
+    public boolean preHandle(
+            @NonNull HttpServletRequest request,
+            @NonNull HttpServletResponse response,
+            @NonNull Object handler
+    ) {
+        var ip = resolveClientIp(request);
+        var method = request.getMethod();
+        var uri = request.getRequestURI();
+        var query = request.getQueryString();
+        var contentType = request.getContentType();
+        var contentLength = request.getContentLength();
+        var userAgent = request.getHeader("User-Agent");
+
+        log.debug("Request method={}, uri={}, query={}, ip={}, content-type={}, content-length={}, user-agent={}",
+                method, uri, query, ip, contentType, contentLength, userAgent);
+        return true;
+    }
+
+    private String resolveClientIp(HttpServletRequest request) {
+        var xForwardedFor = request.getHeader("X-Forwarded-For");
+        if (xForwardedFor != null && !xForwardedFor.isBlank()) {
+            return xForwardedFor.split(",")[0].trim();
+        }
+        var xRealIp = request.getHeader("X-Real-IP");
+        if (xRealIp != null && !xRealIp.isBlank()) {
+            return xRealIp.trim();
+        }
+        return request.getRemoteAddr();
+    }
+}
@@ -0,0 +1,27 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.properties.AppProperties;
+import org.springframework.stereotype.Component;
+
+@Component
+public class AppManager {
+
+    private final AppProperties appProperties;
+
+    public AppManager(AppProperties appProperties) {
+        this.appProperties = appProperties;
+    }
+
+    /**
+     * Retrieves the application version.
+     *
+     * @return the version string of this application
+     */
+    public String getVersion() {
+        return "v%s-%s by @%s".formatted(
+                appProperties.version(),
+                appProperties.channel(),
+                appProperties.vendor()
+        );
+    }
+}
@@ -0,0 +1,42 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.properties.CookieProperties;
+import org.springframework.boot.web.server.Cookie;
+import org.springframework.stereotype.Component;
+
+import java.time.Duration;
+
+/**
+ * Manager providing cookie construction operations with configurable properties.
+ *
+ * @author zihluwang
+ */
+@Component
+public class CookieManager {
+
+    private final CookieProperties cookieProperties;
+
+    public CookieManager(CookieProperties cookieProperties) {
+        this.cookieProperties = cookieProperties;
+    }
+
+    public Boolean getHttpOnly() {
+        return cookieProperties.httpOnly();
+    }
+
+    public Boolean getSecure() {
+        return cookieProperties.secure();
+    }
+
+    public Cookie.SameSite getSameSite() {
+        return cookieProperties.sameSite();
+    }
+
+    public String getPath() {
+        return cookieProperties.path();
+    }
+
+    public Duration getMaxAge() {
+        return cookieProperties.maxAge();
+    }
+}
@@ -0,0 +1,85 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.shared.JacksonModules;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.stereotype.Component;
+import org.springframework.web.client.RestClient;
+
+import java.time.Duration;
+import java.time.LocalDate;
+import java.util.Objects;
+
+/**
+ * Manager for daily password data access and caching coordination.
+ *
+ * @author zihluwang
+ */
+@Component
+public class DailyPasswordManager {
+
+    private static final String CACHE_KEY_PREFIX = "daily-password:";
+
+    private final RestClient restClient;
+    private final RedisTemplate<String, Object> redisTemplate;
+
+    @Autowired
+    public DailyPasswordManager(
+            RestClient.Builder restClientBuilder,
+            RedisTemplate<String, Object> redisTemplate
+    ) {
+        var snakeCaseMapper = new ObjectMapper();
+        snakeCaseMapper.setPropertyNamingStrategy(
+                PropertyNamingStrategies.SnakeCaseStrategy.INSTANCE);
+        snakeCaseMapper.configure(
+                DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+        snakeCaseMapper.registerModule(JacksonModules.DATE_TIME_MODULE);
+
+        this.restClient = restClientBuilder
+                .baseUrl("https://tmini.net/api")
+                .messageConverters(converters -> {
+                    converters.removeIf(
+                            MappingJackson2HttpMessageConverter.class::isInstance);
+                    converters.add(
+                            new MappingJackson2HttpMessageConverter(snakeCaseMapper));
+                })
+                .build();
+        this.redisTemplate = redisTemplate;
+    }
+
+    /**
+     * Retrieves the daily password from cache or generates a new one.
+     * @return the daily password response
+     */
+    public DailyPasswordResponse getDailyPassword() {
+        var key = CACHE_KEY_PREFIX + LocalDate.now();
+
+        var cached = redisTemplate.opsForValue().get(key);
+        if (cached != null) {
+            return (DailyPasswordResponse) cached;
+        }
+
+        var response = restClient.get()
+                .uri((uriBuilder) -> uriBuilder
+                        .path("/sjzmm")
+                        .queryParam("ckey", "")
+                        .queryParam("type", "json")
+                        .build())
+                .retrieve()
+                .body(DailyPasswordResponse.class);
+
+        if (Objects.isNull(response)) {
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "暂无每日密码数据。");
+        }
+
+        redisTemplate.opsForValue().set(key, response, Duration.ofDays(1L));
+        return response;
+    }
+}
@@ -0,0 +1,130 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.domain.entity.Accessory;
+import com.onixbyte.deltaforceguide.domain.entity.Firearm;
+import com.onixbyte.deltaforceguide.domain.entity.Modification;
+import com.onixbyte.deltaforceguide.domain.entity.Tuning;
+import com.onixbyte.deltaforceguide.domain.dto.AccessoryRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse;
+import com.onixbyte.deltaforceguide.domain.dto.TuningRequest;
+import com.onixbyte.deltaforceguide.repository.FirearmRepository;
+import com.onixbyte.deltaforceguide.repository.ModificationRepository;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class ModificationManager {
+
+    private final ModificationRepository modificationRepository;
+    private final FirearmRepository firearmRepository;
+
+    public ModificationManager(
+            ModificationRepository modificationRepository,
+            FirearmRepository firearmRepository
+    ) {
+        this.modificationRepository = modificationRepository;
+        this.firearmRepository = firearmRepository;
+    }
+
+    @Transactional
+    public ModificationResponse create(ModificationRequest request) {
+        var firearm = firearmRepository.findById(request.firearmId())
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND,
+                        "Firearm not found: " + request.firearmId()));
+        var modification = toEntity(request, firearm);
+        return ModificationResponse.from(modificationRepository.save(modification));
+    }
+
+    @Transactional
+    public List<ModificationResponse> batchCreate(List<ModificationRequest> requests) {
+        var firearmIds = requests.stream()
+                .map(ModificationRequest::firearmId)
+                .collect(java.util.stream.Collectors.toCollection(LinkedHashSet::new));
+
+        Map<Long, Firearm> firearmMap = new HashMap<>();
+        firearmRepository.findAllById(firearmIds)
+                .forEach(firearm -> firearmMap.put(firearm.getId(), firearm));
+
+        if (firearmMap.size() != firearmIds.size()) {
+            var missing = firearmIds.stream()
+                    .filter((id) -> !firearmMap.containsKey(id))
+                    .toList();
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND,
+                    "Firearm not found: " + missing);
+        }
+
+        var modifications = requests.stream()
+                .map(req -> toEntity(req, firearmMap.get(req.firearmId())))
+                .toList();
+        return modificationRepository.saveAll(modifications)
+                .stream()
+                .map(ModificationResponse::from)
+                .toList();
+    }
+
+    public Long resolveFirearmId(Long firearmId, String firearmName) {
+        if (firearmId != null) {
+            return firearmId;
+        }
+        if (firearmName == null || firearmName.isBlank()) {
+            return null;
+        }
+        var matches = firearmRepository.findByName(firearmName);
+        if (matches.isEmpty()) {
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND,
+                    "Firearm not found by name: " + firearmName);
+        }
+        return matches.getFirst().getId();
+    }
+
+    private Modification toEntity(ModificationRequest request, Firearm firearm) {
+        return Modification.builder()
+                .firearm(firearm)
+                .name(request.name())
+                .code(request.code())
+                .tags(request.tags())
+                .accessories(toAccessories(request.accessories()))
+                .note(request.note())
+                .author(request.author())
+                .videoUrl(request.videoUrl())
+                .build();
+    }
+
+    private List<Accessory> toAccessories(List<AccessoryRequest> requests) {
+        if (requests == null) {
+            return new ArrayList<>();
+        }
+        return requests.stream().map(this::toAccessory).toList();
+    }
+
+    private Accessory toAccessory(AccessoryRequest request) {
+        var accessory = new Accessory();
+        accessory.setSlotName(request.slotName());
+        accessory.setAccessoryName(request.accessoryName());
+        accessory.setTunings(toTunings(request.tunings()));
+        return accessory;
+    }
+
+    private List<Tuning> toTunings(List<TuningRequest> requests) {
+        if (requests == null) {
+            return new ArrayList<>();
+        }
+        return requests.stream().map(this::toTuning).toList();
+    }
+
+    private Tuning toTuning(TuningRequest request) {
+        var tuning = new Tuning();
+        tuning.setTuningName(request.tuningName());
+        tuning.setTuningValue(request.tuningValue());
+        return tuning;
+    }
+}
@@ -0,0 +1,76 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.repository.UserCredentialRepository;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * Manager for user credential persistence and authentication data access.
+ *
+ * @author zihluwang
+ */
+@Component
+public class UserCredentialManager {
+
+    private final UserCredentialRepository userCredentialRepository;
+
+    public UserCredentialManager(UserCredentialRepository userCredentialRepository) {
+        this.userCredentialRepository = userCredentialRepository;
+    }
+
+    /**
+     * Finds all credentials belonging to a specific user.
+     *
+     * @param userId the user ID
+     * @return list of matching credentials
+     */
+    public List<UserCredential> findAllByUserId(Long userId) {
+        return userCredentialRepository.findAllByUserId(userId);
+    }
+
+    /**
+     * Finds a credential for a specific user and provider combination.
+     *
+     * @param userId the user ID
+     * @param provider the authentication provider
+     * @return the matching credential, if found
+     */
+    public Optional<UserCredential> findByUserIdAndProvider(Long userId, String provider) {
+        return userCredentialRepository.findByUserIdAndProvider(userId, provider);
+    }
+
+    /**
+     * Persists a new or updated credential.
+     *
+     * @param userCredential the credential to save
+     * @return the saved credential
+     */
+    public UserCredential save(UserCredential userCredential) {
+        return userCredentialRepository.save(userCredential);
+    }
+
+    /**
+     * Deletes a credential for a specific user and provider.
+     *
+     * @param userId the user ID
+     * @param provider the authentication provider
+     */
+    public void deleteByUserIdAndProvider(Long userId, String provider) {
+        userCredentialRepository.deleteByUserIdAndProvider(userId, provider);
+    }
+
+    /**
+     * Deletes all credentials belonging to a user.
+     *
+     * @param userId the user ID
+     */
+    public void deleteAllByUserId(Long userId) {
+        userCredentialRepository.deleteAllByUserId(userId);
+    }
+}
+
+
+
@@ -0,0 +1,87 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.repository.UserRepository;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * Manager for user entity persistence and query operations.
+ *
+ * @author zihluwang
+ */
+@Component
+public class UserManager {
+
+    private final UserRepository userRepository;
+
+    public UserManager(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    /**
+     * Finds a user by their ID.
+     *
+     * @param id the user ID
+     * @return the matching user, if found
+     */
+    public Optional<User> findById(Long id) {
+        return userRepository.findById(id);
+    }
+
+    /**
+     * Retrieves all registered users.
+     * @return list of all users
+     */
+    public List<User> findAll() {
+        return userRepository.findAll();
+    }
+
+    /**
+     * Finds a user by their username.
+     *
+     * @param username the username to search for
+     * @return the matching user, if found
+     */
+    public Optional<User> findByUsername(String username) {
+        return userRepository.findByUsername(username);
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<User> findByEmail(String email) {
+        return userRepository.findByEmail(email);
+    }
+
+    /**
+     * Persists a new or updated user.
+     *
+     * @param user the user to save
+     * @return the saved user
+     */
+    public User save(User user) {
+        return userRepository.save(user);
+    }
+
+    /**
+     * Deletes a user by their ID.
+     *
+     * @param id the user ID to delete
+     */
+    public void deleteById(Long id) {
+        userRepository.deleteById(id);
+    }
+
+    /**
+     * Finds a user by their username or email address.
+     *
+     * @param principal the username or email to search for
+     * @return the matching user, if found
+     */
+    public Optional<User> findByUsernameOrEmail(String principal) {
+        return userRepository.findByUsernameOrEmail(principal);
+    }
+}
+
@@ -0,0 +1,24 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.properties.GitHubWebhookProperties;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+
+@Component
+public class WebhookManager {
+
+    private final GitHubWebhookProperties gitHubWebhookProperties;
+
+    public WebhookManager(GitHubWebhookProperties gitHubWebhookProperties) {
+        this.gitHubWebhookProperties = gitHubWebhookProperties;
+    }
+
+    public String secret() {
+        return gitHubWebhookProperties.secret();
+    }
+
+    public List<String> allowedUsers() {
+        return gitHubWebhookProperties.allowedUsers();
+    }
+}
@@ -0,0 +1,11 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "app.common")
+public record AppProperties(
+        String version,
+        String channel,
+        String vendor
+) {
+}
@@ -0,0 +1,27 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.bind.DefaultValue;
+import org.springframework.boot.web.server.Cookie;
+
+import java.time.Duration;
+
+/**
+ * Configuration properties for HTTP cookies used in authentication, prefixed with "app.cookie".
+ *
+ * @param httpOnly  whether the cookie is httpOnly
+ * @param secure    whether the cookie is secure
+ * @param path      the cookie path
+ * @param maxAge    the maximum age of the cookie
+ * @param sameSite  the SameSite policy for the cookie
+ * @author zihluwang
+ */
+@ConfigurationProperties(prefix = "app.cookie")
+public record CookieProperties(
+        @DefaultValue("true") Boolean httpOnly,
+        @DefaultValue("true") Boolean secure,
+        @DefaultValue("/") String path,
+        @DefaultValue("PT2H") Duration maxAge,
+        @DefaultValue("LAX") Cookie.SameSite sameSite
+) {
+}
@@ -6,6 +6,18 @@ import org.springframework.http.HttpMethod;

 import java.time.Duration;

+/**
+ * Configuration properties for CORS settings, prefixed with "app.cors".
+ *
+ * @param allowedHeaders      headers allowed in CORS requests
+ * @param allowedMethods      HTTP methods allowed in CORS requests
+ * @param allowedOrigins      origins permitted to make cross-origin requests
+ * @param allowCredentials    whether credentials are allowed in CORS requests
+ * @param allowPrivateNetwork whether private network access is permitted
+ * @param maxAge              how long the CORS preflight response may be cached
+ * @param exposedHeaders      headers exposed to the client in CORS responses
+ * @author zihluwang
+ */
@ConfigurationProperties(prefix = "app.cors")
 public record CorsProperties(
        @DefaultValue({"Content-Type", "Authorization"})
@@ -0,0 +1,12 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+import java.util.List;
+
+@ConfigurationProperties(prefix = "app.webhook.github")
+public record GitHubWebhookProperties(
+        String secret,
+        List<String> allowedUsers
+) {
+}
@@ -0,0 +1,21 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+import java.time.Duration;
+
+/**
+ * Configuration properties for JWT token generation and validation, prefixed with "app.jwt".
+ *
+ * @param issuer    the JWT issuer claim
+ * @param secret    the signing secret for JWT tokens
+ * @param validTime the duration for which a token remains valid
+ * @author zihluwang
+ */
+@ConfigurationProperties(prefix = "app.jwt")
+public record TokenProperties(
+        String issuer,
+        String secret,
+        Duration validTime
+) {
+}
@@ -7,9 +7,18 @@ import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;

+import java.util.List;
+
+/**
+ * Spring Data JPA repository for {@link Firearm} entity operations.
+ *
+ * @author zihluwang
+ */
@Repository
 public interface FirearmRepository extends JpaRepository<Firearm, Long> {

 	Page<Firearm> findAllByType(FirearmType type, Pageable pageable);
+
+	List<Firearm> findByName(String name);
 }

@@ -1,14 +1,24 @@
 package com.onixbyte.deltaforceguide.repository;

 import com.onixbyte.deltaforceguide.domain.entity.Modification;
+import org.jspecify.annotations.NonNull;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.repository.EntityGraph;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;

+import java.util.List;
 import java.util.Optional;

+/**
+ * Spring Data JPA repository for {@link Modification} entity operations,
+ * including native JSONB tag filtering for Postgres.
+ *
+ * @author zihluwang
+ */
@Repository
 public interface ModificationRepository extends JpaRepository<Modification, Long> {

@@ -20,7 +30,36 @@ public interface ModificationRepository extends JpaRepository<Modification, Long

    @Override
    @EntityGraph(attributePaths = {"firearm"})
-    Optional<Modification> findById(Long id);
+    @NonNull
+    Optional<Modification> findById(@NonNull Long id);
+
+    /**
+     * Page query modifications with optional firearm and JSONB tag filtering.
+     *
+     * @param firearmId optional firearm ID filter (nullable)
+     * @param tagsJson  optional JSON array of tags to match via Postgres {@code @>} operator (nullable)
+     * @param pageable  pagination information
+     * @return a page of matching modifications
+     */
+    @Query(value = """
+            SELECT * FROM modification m
+            WHERE (:firearmId IS NULL OR m.firearm_id = :firearmId)
+              AND (CAST(:tagsJson AS text) IS NULL OR cast(m.tags as jsonb) @> cast(CAST(:tagsJson AS text) as jsonb))
+            """,
+            countQuery = """
+            SELECT count(*) FROM modification m
+            WHERE (:firearmId IS NULL OR m.firearm_id = :firearmId)
+              AND (CAST(:tagsJson AS text) IS NULL OR cast(m.tags as jsonb) @> cast(CAST(:tagsJson AS text) as jsonb))
+            """,
+            nativeQuery = true)
+    Page<Modification> pageQueryByFirearmAndTags(@Param("firearmId") Long firearmId, @Param("tagsJson") String tagsJson, Pageable pageable);
+
+    /**
+     * Retrieve all distinct tag values from modifications, optionally filtered by firearm.
+     *
+     * @param firearmId optional firearm ID filter (nullable)
+     * @return list of distinct tag strings
+     */
+    @Query(value = "SELECT DISTINCT jsonb_array_elements_text(cast(tags as jsonb)) FROM modification WHERE (:firearmId IS NULL OR firearm_id = :firearmId)", nativeQuery = true)
+    List<String> findAllTags(@Param("firearmId") Long firearmId);
 }
-
-
@@ -0,0 +1,81 @@
+package com.onixbyte.deltaforceguide.repository;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.domain.entity.UserCredentialId;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.EntityGraph;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * Spring Data JPA repository for {@link UserCredential} entity operations.
+ *
+ * @author zihluwang
+ */
+@Repository
+public interface UserCredentialRepository extends JpaRepository<UserCredential, UserCredentialId> {
+
+    /**
+     * Find all credentials belonging to a given user.
+     *
+     * @param userId the user ID
+     * @return list of matching credentials
+     */
+    @EntityGraph(attributePaths = {"user"})
+    @Query("""
+            select uc
+            from UserCredential uc
+            where uc.user.id = :userId
+            """)
+    List<UserCredential> findAllByUserId(@Param("userId") Long userId);
+
+    /**
+     * Find a specific credential for a user by provider.
+     *
+     * @param userId   the user ID
+     * @param provider the authentication provider identifier
+     * @return an optional containing the matching credential, or empty if not found
+     */
+    @EntityGraph(attributePaths = {"user"})
+    @Query("""
+            select uc
+            from UserCredential uc
+            where uc.user.id = :userId
+              and uc.id.provider = :provider
+            """)
+    Optional<UserCredential> findByUserIdAndProvider(@Param("userId") Long userId, @Param("provider") String provider);
+
+    /**
+     * Delete a specific credential for a user by provider.
+     *
+     * @param userId   the user ID
+     * @param provider the authentication provider identifier
+     */
+    @Modifying
+    @Query("""
+            delete from UserCredential uc
+            where uc.user.id = :userId
+              and uc.id.provider = :provider
+            """)
+    void deleteByUserIdAndProvider(@Param("userId") Long userId, @Param("provider") String provider);
+
+    /**
+     * Delete all credentials for a given user.
+     *
+     * @param userId the user ID
+     */
+    @Modifying
+    @Query("""
+            delete from UserCredential uc
+            where uc.user.id = :userId
+            """)
+    void deleteAllByUserId(@Param("userId") Long userId);
+}
+
+
+
@@ -0,0 +1,51 @@
+package com.onixbyte.deltaforceguide.repository;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import org.jspecify.annotations.NonNull;
+import org.springframework.data.jpa.repository.EntityGraph;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+/**
+ * Spring Data JPA repository for {@link User} entity operations.
+ *
+ * @author zihluwang
+ */
+@Repository
+public interface UserRepository extends JpaRepository<User, Long> {
+
+    @Override
+    @EntityGraph(attributePaths = {"credentials"})
+    @NonNull
+    Optional<User> findById(@NonNull Long id);
+
+    @EntityGraph(attributePaths = {"credentials"})
+    Optional<User> findByUsername(String username);
+
+    @EntityGraph(attributePaths = {"credentials"})
+    Optional<User> findByEmail(String email);
+
+    boolean existsByUsername(String username);
+
+    boolean existsByEmail(String email);
+
+    /**
+     * Find a user by either username or email.
+     *
+     * @param principal the username or email to search for
+     * @return an optional containing the matching user, or empty if not found
+     */
+    @EntityGraph(attributePaths = {"credentials"})
+    @Query("""
+            select u
+            from User u
+            where u.username = :principal
+               or u.email = :principal
+            """)
+    Optional<User> findByUsernameOrEmail(@Param("principal") String principal);
+}
+
@@ -0,0 +1,19 @@
+package com.onixbyte.deltaforceguide.security.annotation;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation to mark controller endpoints that require authentication.
+ *
+ * @author zihluwang
+ */
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@PreAuthorize("isAuthenticated()")
+public @interface RequiresAuth {
+}
@@ -0,0 +1,81 @@
+package com.onixbyte.deltaforceguide.security.authentication;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.CredentialsContainer;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Custom authentication token for username/password-based login flows.
+ *
+ * @author zihluwang
+ */
+public class UsernamePasswordAuthentication implements Authentication, CredentialsContainer {
+    private final String username;
+    private String password;
+    private boolean authenticated;
+    private User user;
+
+    private UsernamePasswordAuthentication(String username, String password, boolean authenticated, User user) {
+        this.username = username;
+        this.password = password;
+        this.authenticated = authenticated;
+        this.user = user;
+    }
+
+    public static UsernamePasswordAuthentication unauthenticated(String username, String password) {
+        return new UsernamePasswordAuthentication(username, password, false, null);
+    }
+
+    public static UsernamePasswordAuthentication authenticated(User user) {
+        return new UsernamePasswordAuthentication(user.getUsername(), null, true, user);
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return List.of();
+    }
+
+    @Override
+    public String getCredentials() {
+        return password;
+    }
+
+    @Override
+    public User getDetails() {
+        return user;
+    }
+
+    @Override
+    public String getPrincipal() {
+        return username;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return authenticated;
+    }
+
+    @Override
+    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
+        this.authenticated = authenticated;
+    }
+
+    @Override
+    public String getName() {
+        return username;
+    }
+
+    @Override
+    public void eraseCredentials() {
+        this.password = null;
+    }
+
+    public void setDetails(User user) {
+        this.user = user;
+    }
+}
+
@@ -0,0 +1,100 @@
+package com.onixbyte.deltaforceguide.security.provider;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import com.onixbyte.deltaforceguide.repository.UserCredentialRepository;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import com.onixbyte.deltaforceguide.shared.CredentialProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Example;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+/**
+ * Authentication provider that validates username/password credentials against stored BCrypt hashes.
+ *
+ * @author zihluwang
+ */
+@Component
+public class UsernamePasswordAuthenticationProvider implements AuthenticationProvider {
+
+    private static final Logger log = LoggerFactory.getLogger(UsernamePasswordAuthenticationProvider.class);
+    private final UserManager userManager;
+    private final PasswordEncoder passwordEncoder;
+    private final UserCredentialRepository userCredentialRepository;
+
+    @Autowired
+    public UsernamePasswordAuthenticationProvider(
+            UserManager userManager,
+            PasswordEncoder passwordEncoder,
+            UserCredentialRepository userCredentialRepository
+    ) {
+        this.userManager = userManager;
+        this.passwordEncoder = passwordEncoder;
+        this.userCredentialRepository = userCredentialRepository;
+    }
+
+    /**
+     * Validates the username/password credentials against stored BCrypt hashes.
+     *
+     * @param authentication the authentication request object
+     * @return a fully authenticated object including user details
+     */
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        if (!(authentication instanceof UsernamePasswordAuthentication usernamePasswordAuthentication)) {
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "用户认证失败，请稍后再试。");
+        }
+
+        // get userContainer from database
+        var userContainer = userManager.findByUsernameOrEmail(usernamePasswordAuthentication.getPrincipal());
+        if (userContainer.isEmpty()) {
+            log.error("User {} is trying to authenticate but no userContainer found.", usernamePasswordAuthentication.getPrincipal());
+            throw new BizException(HttpStatus.UNAUTHORIZED, "用户名或密码错误。");
+        }
+
+        var user = userContainer.get();
+
+        var userCredentialExample = new UserCredential();
+        userCredentialExample.setUserId(user.getId());
+        userCredentialExample.setProvider(CredentialProvider.LOCAL);
+
+        // get userContainer credentials from database
+        var userCredentials = userCredentialRepository.findOne(Example.of(userCredentialExample))
+                .orElseThrow(() -> new BizException(HttpStatus.UNAUTHORIZED, "您还没有配置密码，请联系管理员处理。"));
+
+        // validate password
+        if (!passwordEncoder.matches(usernamePasswordAuthentication.getCredentials(), userCredentials.getCredential())) {
+            log.error("User {} is trying to authenticate but password is incorrect.", usernamePasswordAuthentication.getPrincipal());
+            throw new BizException(HttpStatus.UNAUTHORIZED, "用户名或密码错误。");
+        }
+
+        // erase credentials
+        usernamePasswordAuthentication.eraseCredentials();
+
+        // set values
+        usernamePasswordAuthentication.setAuthenticated(true);
+        usernamePasswordAuthentication.setDetails(user);
+
+        return usernamePasswordAuthentication;
+    }
+
+    /**
+     * Checks if this provider supports the given authentication type.
+     *
+     * @param authentication the authentication class to check
+     * @return true if this provider supports the given type
+     */
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return UsernamePasswordAuthentication.class.isAssignableFrom(authentication);
+    }
+}
+
@@ -0,0 +1,18 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.manager.AppManager;
+import org.springframework.stereotype.Service;
+
+@Service
+public class AppService {
+
+    private final AppManager appManager;
+
+    public AppService(AppManager appManager) {
+        this.appManager = appManager;
+    }
+
+    public String getVersion() {
+        return appManager.getVersion();
+    }
+}
@@ -0,0 +1,52 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.dto.LoginRequest;
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.stereotype.Service;
+
+/**
+ * Service handling user authentication, login, and session management.
+ *
+ * @author zihluwang
+ */
+@Service
+public class AuthService {
+
+    private static final Logger log = LoggerFactory.getLogger(AuthService.class);
+    private final AuthenticationManager authenticationManager;
+
+    public AuthService(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    /**
+     * Authenticates a user with the given login credentials.
+     * <p>
+     * Delegates authentication to Spring Security's {@link AuthenticationManager} and verifies
+     * that the result is of the expected {@link UsernamePasswordAuthentication} type.
+     *
+     * @param request the login credentials containing principle and password
+     * @return the authenticated {@link User}
+     * @throws BizException if authentication fails or the result type is unexpected
+     */
+    public User login(LoginRequest request) {
+        var _authentication = authenticationManager.authenticate(UsernamePasswordAuthentication
+                .unauthenticated(request.principle(), request.credential()));
+        if (!(_authentication instanceof UsernamePasswordAuthentication authentication)) {
+            log.error(
+                    "Type mismatched, required type is UsernamePasswordAuthentication but got {}.",
+                    _authentication.getClass()
+            );
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "登录服务异常，请稍后再试。");
+        }
+
+        return authentication.getDetails();
+    }
+
+}
@@ -0,0 +1,67 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.manager.CookieManager;
+import org.springframework.http.ResponseCookie;
+import org.springframework.stereotype.Service;
+
+import java.time.Duration;
+
+/**
+ * Service for building HTTP cookies with configurable properties.
+ *
+ * @author zihluwang
+ */
+@Service
+public class CookieService {
+
+    private final CookieManager cookieManager;
+
+    public CookieService(CookieManager cookieManager) {
+        this.cookieManager = cookieManager;
+    }
+
+    /**
+     * Builds a response cookie with the default max age from configuration.
+     *
+     * @param cookieName the cookie name
+     * @param value      the cookie value
+     * @return a configured ResponseCookie
+     */
+    public ResponseCookie buildCookie(String cookieName, String value) {
+        return buildCookieInternal(cookieName, value, cookieManager.getMaxAge());
+    }
+
+    /**
+     * Builds a response cookie with a custom valid duration.
+     *
+     * @param cookieName    the cookie name
+     * @param value         the cookie value
+     * @param validDuration the cookie's max age
+     * @return a configured ResponseCookie
+     */
+    public ResponseCookie buildCookie(String cookieName, String value, Duration validDuration) {
+        return buildCookieInternal(cookieName, value, validDuration);
+    }
+
+    /**
+     * Creates a response cookie builder with specified name, value and valid duration.
+     *
+     * @param name   name of the cookie
+     * @param value  value of the cookie
+     * @param maxAge valid duration of the cookie
+     * @return cookie builder
+     */
+    protected ResponseCookie buildCookieInternal(
+            String name,
+            String value,
+            Duration maxAge
+    ) {
+        return ResponseCookie.from(name, value)
+                .secure(cookieManager.getSecure())
+                .maxAge(maxAge)
+                .httpOnly(cookieManager.getHttpOnly())
+                .path(cookieManager.getPath())
+                .sameSite(cookieManager.getSameSite().attributeValue())
+                .build();
+    }
+}
@@ -0,0 +1,28 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.manager.DailyPasswordManager;
+import org.springframework.stereotype.Service;
+
+/**
+ * Service for generating and caching daily rotation passwords.
+ *
+ * @author zihluwang
+ */
+@Service
+public class DailyPasswordService {
+
+    private final DailyPasswordManager dailyPasswordManager;
+
+    public DailyPasswordService(DailyPasswordManager dailyPasswordManager) {
+        this.dailyPasswordManager = dailyPasswordManager;
+    }
+
+    /**
+     * Retrieves the daily password for the current day.
+     * @return the daily password response
+     */
+    public DailyPasswordResponse getDailyPassword() {
+        return dailyPasswordManager.getDailyPassword();
+    }
+}
@@ -1,17 +1,23 @@
 package com.onixbyte.deltaforceguide.service;

+import com.onixbyte.deltaforceguide.domain.dto.FirearmRequest;
 import com.onixbyte.deltaforceguide.domain.dto.FirearmResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
 import com.onixbyte.deltaforceguide.domain.entity.Firearm;
 import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+import com.onixbyte.deltaforceguide.exeption.BizException;
 import com.onixbyte.deltaforceguide.repository.FirearmRepository;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.server.ResponseStatusException;

+/**
+ * Service handling firearm business logic including CRUD operations and queries.
+ *
+ * @author zihluwang
+ */
@Service
 public class FirearmService {

@@ -21,7 +27,13 @@ public class FirearmService {
        this.firearmRepository = firearmRepository;
    }

-    @Transactional(readOnly = true)
+    /**
+     * Queries firearms with optional type filter and pagination.
+     *
+     * @param type optional firearm type filter
+     * @param pageable pagination parameters
+     * @return a paginated response of firearm records
+     */
    public PageResponse<FirearmResponse> pageQuery(FirearmType type, Pageable pageable) {
        Page<Firearm> page = type == null
                ? firearmRepository.findAll(pageable)
@@ -30,11 +42,70 @@ public class FirearmService {
        return PageResponse.from(page.map(FirearmResponse::from));
    }

-    @Transactional(readOnly = true)
+    /**
+     * Finds a firearm by its ID.
+     *
+     * @param id the firearm ID
+     * @return the firearm response
+     */
    public FirearmResponse queryById(Long id) {
        return firearmRepository.findById(id)
                .map(FirearmResponse::from)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
    }
+
+    /**
+     * Creates a new firearm from the provided request data.
+     *
+     * @param request the firearm creation request
+     * @return the created firearm response
+     */
+    public FirearmResponse addFirearm(FirearmRequest request) {
+        var firearm = firearmRepository.save(Firearm.builder()
+                .name(request.name())
+                .type(request.type())
+                .level(request.level())
+                .calibre(request.calibre())
+                .fireRate(request.fireRate())
+                .armourDamage(request.armourDamage())
+                .bodyDamage(request.bodyDamage())
+                .review(request.review())
+                .build());
+        
+        return FirearmResponse.from(firearm);
    }

+    /**
+     * Updates an existing firearm identified by ID.
+     *
+     * @param id the firearm ID
+     * @param request the updated firearm data
+     * @return the updated firearm response
+     */
+    public FirearmResponse updateFirearm(Long id, FirearmRequest request) {
+        var firearm = firearmRepository.findById(id)
+                .orElseThrow(() -> new BizException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
+
+        firearm.setName(request.name());
+        firearm.setType(request.type());
+        firearm.setLevel(request.level());
+        firearm.setCalibre(request.calibre());
+        firearm.setFireRate(request.fireRate());
+        firearm.setArmourDamage(request.armourDamage());
+        firearm.setBodyDamage(request.bodyDamage());
+        firearm.setReview(request.review());
+
+        return FirearmResponse.from(firearmRepository.save(firearm));
+    }
+
+    /**
+     * Deletes a firearm by its ID.
+     *
+     * @param id the firearm ID to delete
+     */
+    public void deleteFirearm(Long id) {
+        Firearm firearm = firearmRepository.findById(id)
+                .orElseThrow(() -> new BizException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
+        firearmRepository.delete(firearm);
+    }
+}
@@ -1,39 +1,219 @@
 package com.onixbyte.deltaforceguide.service;

+import com.onixbyte.deltaforceguide.domain.dto.AccessoryRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest;
 import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
+import com.onixbyte.deltaforceguide.domain.dto.TuningRequest;
+import com.onixbyte.deltaforceguide.domain.entity.Accessory;
+import com.onixbyte.deltaforceguide.domain.entity.Firearm;
 import com.onixbyte.deltaforceguide.domain.entity.Modification;
+import com.onixbyte.deltaforceguide.domain.entity.Tuning;
+import com.onixbyte.deltaforceguide.manager.ModificationManager;
+import com.onixbyte.deltaforceguide.repository.FirearmRepository;
 import com.onixbyte.deltaforceguide.repository.ModificationRepository;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.server.ResponseStatusException;

+import java.util.ArrayList;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Service handling modification business logic including CRUD, batch operations, and tag filtering.
+ *
+ * @author zihluwang
+ */
@Service
 public class ModificationService {

    private final ModificationRepository modificationRepository;
+    private final FirearmRepository firearmRepository;
+    private final ModificationManager modificationManager;
+    private final ObjectMapper objectMapper;

-    public ModificationService(ModificationRepository modificationRepository) {
+    public ModificationService(
+            ModificationRepository modificationRepository,
+            FirearmRepository firearmRepository,
+            ModificationManager modificationManager,
+            ObjectMapper objectMapper
+    ) {
        this.modificationRepository = modificationRepository;
+        this.firearmRepository = firearmRepository;
+        this.modificationManager = modificationManager;
+        this.objectMapper = objectMapper;
    }

-    @Transactional(readOnly = true)
-    public PageResponse<ModificationResponse> pageQuery(Long firearmId, Pageable pageable) {
-        Page<Modification> page = firearmId == null
-                ? modificationRepository.findAllBy(pageable)
-                : modificationRepository.findAllByFirearm_Id(firearmId, pageable);
+    /**
+     * Queries modifications with optional firearm and tag filters.
+     *
+     * @param firearmId optional firearm ID filter
+     * @param tags optional tag list filter
+     * @param pageable pagination parameters
+     * @return a paginated response of modification records
+     */
+    public PageResponse<ModificationResponse> pageQuery(Long firearmId, List<String> tags, Pageable pageable) {
+        String tagsJson = null;
+        if (tags != null && !tags.isEmpty()) {
+            try {
+                tagsJson = objectMapper.writeValueAsString(tags);
+            } catch (JsonProcessingException e) {
+                throw new RuntimeException("Failed to serialize tags", e);
+            }
+        }
+        
+        Page<Modification> page;
+        if (tagsJson != null || firearmId != null) {
+            page = modificationRepository.pageQueryByFirearmAndTags(firearmId, tagsJson, pageable);
+        } else {
+            page = modificationRepository.findAllBy(pageable);
+        }

        return PageResponse.from(page.map(ModificationResponse::from));
    }

-    @Transactional(readOnly = true)
+    /**
+     * Finds a modification by its ID.
+     *
+     * @param id the modification ID
+     * @return the modification response
+     */
    public ModificationResponse queryById(Long id) {
        return modificationRepository.findById(id)
                .map(ModificationResponse::from)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + id));
    }
+
+    /**
+     * Finds all unique tags across modifications, optionally scoped to a firearm.
+     *
+     * @param firearmId optional firearm ID to scope the tag search
+     * @return list of unique tag strings
+     */
+    public List<String> findAllTags(Long firearmId) {
+        return modificationRepository.findAllTags(firearmId);
    }

+    /**
+     * Creates a new modification for a given firearm.
+     *
+     * @param request the modification creation request
+     * @return the created modification response
+     */
+    public ModificationResponse create(ModificationRequest request) {
+        return modificationManager.create(request);
+    }
+
+    /**
+     * Creates multiple modifications in a single batch operation.
+     *
+     * @param requests list of modification creation requests
+     * @return list of created modification responses
+     */
+    public List<ModificationResponse> batchCreate(List<ModificationRequest> requests) {
+        return modificationManager.batchCreate(requests);
+    }
+
+    /**
+     * Updates an existing modification identified by ID.
+     *
+     * @param id the modification ID
+     * @param request the updated modification data
+     * @return the updated modification response
+     */
+    public ModificationResponse update(Long id, ModificationRequest request) {
+        Modification modification = modificationRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + id));
+        Firearm firearm = firearmRepository.findById(request.firearmId())
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + request.firearmId()));
+
+        modification.setFirearm(firearm);
+        modification.setName(request.name());
+        modification.setCode(request.code());
+        modification.setTags(safeTags(request.tags()));
+        modification.setAccessories(toAccessories(request.accessories()));
+        modification.setNote(request.note());
+        modification.setAuthor(request.author());
+        modification.setVideoUrl(request.videoUrl());
+
+        return ModificationResponse.from(modificationRepository.save(modification));
+    }
+
+    /**
+     * Deletes a modification by its ID.
+     *
+     * @param id the modification ID to delete
+     */
+    public void delete(Long id) {
+        Modification modification = modificationRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + id));
+        modificationRepository.delete(modification);
+    }
+
+    /**
+     * Deletes multiple modifications in a single batch operation.
+     *
+     * @param ids list of modification IDs to delete
+     */
+    public void batchDelete(List<Long> ids) {
+        Set<Long> uniqueIds = new LinkedHashSet<>(ids);
+        List<Modification> modifications = modificationRepository.findAllById(uniqueIds);
+
+        if (modifications.size() != uniqueIds.size()) {
+            Set<Long> foundIds = modifications.stream()
+                    .map(Modification::getId)
+                    .collect(java.util.stream.Collectors.toSet());
+            List<Long> missingIds = uniqueIds.stream()
+                    .filter(id -> !foundIds.contains(id))
+                    .toList();
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + missingIds);
+        }
+
+        modificationRepository.deleteAllInBatch(modifications);
+    }
+
+    private List<String> safeTags(List<String> tags) {
+        return tags == null ? new ArrayList<>() : tags;
+    }
+
+    private List<Accessory> toAccessories(List<AccessoryRequest> accessoryRequests) {
+        if (accessoryRequests == null) {
+            return new ArrayList<>();
+        }
+
+        return accessoryRequests.stream()
+                .map(this::toAccessory)
+                .toList();
+    }
+
+    private Accessory toAccessory(AccessoryRequest request) {
+        Accessory accessory = new Accessory();
+        accessory.setSlotName(request.slotName());
+        accessory.setAccessoryName(request.accessoryName());
+        accessory.setTunings(toTunings(request.tunings()));
+        return accessory;
+    }
+
+    private List<Tuning> toTunings(List<TuningRequest> tuningRequests) {
+        if (tuningRequests == null) {
+            return new ArrayList<>();
+        }
+
+        return tuningRequests.stream()
+                .map(this::toTuning)
+                .toList();
+    }
+
+    private Tuning toTuning(TuningRequest request) {
+        Tuning tuning = new Tuning();
+        tuning.setTuningName(request.tuningName());
+        tuning.setTuningValue(request.tuningValue());
+        return tuning;
+    }
+}
@@ -0,0 +1,155 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.manager.UserCredentialManager;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Service;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.List;
+
+/**
+ * Service for user account management and profile operations.
+ *
+ * @author zihluwang
+ */
+@Service
+public class UserService {
+
+    private final UserManager userManager;
+    private final UserCredentialManager userCredentialManager;
+
+    public UserService(UserManager userManager, UserCredentialManager userCredentialManager) {
+        this.userManager = userManager;
+        this.userCredentialManager = userCredentialManager;
+    }
+
+    /**
+     * Retrieves all registered users.
+     *
+     * @return list of all users
+     */
+    public List<User> findAll() {
+        return userManager.findAll();
+    }
+
+    /**
+     * Finds a user by their ID.
+     *
+     * @param id the user ID
+     * @return the user
+     */
+    public User queryById(Long id) {
+        return userManager.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + id));
+    }
+
+    /**
+     * Finds a user by their username.
+     *
+     * @param username the username to search for
+     * @return the user
+     */
+    public User queryByUsername(String username) {
+        return userManager.findByUsername(username)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + username));
+    }
+
+    /**
+     * Creates a new user account.
+     *
+     * @param user the user entity to persist
+     * @return the saved user entity
+     */
+    public User create(User user) {
+        return userManager.save(user);
+    }
+
+    /**
+     * Updates an existing user account.
+     *
+     * @param user the user entity with updated fields
+     * @return the saved user entity
+     */
+    public User update(User user) {
+        if (user.getId() == null || userManager.findById(user.getId()).isEmpty()) {
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + user.getId());
+        }
+        return userManager.save(user);
+    }
+
+    /**
+     * Finds all credentials associated with a user.
+     *
+     * @param userId the user ID
+     * @return list of user credentials
+     */
+    public List<UserCredential> findCredentials(Long userId) {
+        ensureUserExists(userId);
+        return userCredentialManager.findAllByUserId(userId);
+    }
+
+    /**
+     * Queries a specific credential for a user by provider.
+     *
+     * @param userId   the user ID
+     * @param provider the authentication provider
+     * @return the matching credential
+     */
+    public UserCredential queryCredential(Long userId, String provider) {
+        ensureUserExists(userId);
+        return userCredentialManager.findByUserIdAndProvider(userId, provider)
+                .orElseThrow(() -> new ResponseStatusException(
+                        HttpStatus.NOT_FOUND,
+                        "User credential not found: userId=" + userId + ", provider=" + provider));
+    }
+
+    /**
+     * Creates or updates a credential for a user and provider.
+     *
+     * @param userId     the user ID
+     * @param provider   the authentication provider
+     * @param credential the credential value
+     * @return the saved credential
+     */
+    public UserCredential upsertCredential(Long userId, String provider, String credential) {
+        User user = ensureUserExists(userId);
+        UserCredential userCredential = userCredentialManager.findByUserIdAndProvider(userId, provider)
+                .orElseGet(UserCredential::new);
+        userCredential.setUser(user);
+        userCredential.setProvider(provider);
+        userCredential.setCredential(credential);
+        return userCredentialManager.save(userCredential);
+    }
+
+    /**
+     * Deletes a specific credential for a user by provider.
+     *
+     * @param userId   the user ID
+     * @param provider the authentication provider
+     */
+    public void deleteCredential(Long userId, String provider) {
+        ensureUserExists(userId);
+        userCredentialManager.deleteByUserIdAndProvider(userId, provider);
+    }
+
+    /**
+     * Deletes a user and all associated credentials.
+     *
+     * @param id the user ID to delete
+     */
+    public void deleteById(Long id) {
+        ensureUserExists(id);
+        userCredentialManager.deleteAllByUserId(id);
+        userManager.deleteById(id);
+    }
+
+    private User ensureUserExists(Long userId) {
+        return userManager.findById(userId)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + userId));
+    }
+}
+
+
@@ -0,0 +1,219 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.dto.*;
+import com.onixbyte.deltaforceguide.manager.ModificationManager;
+import com.onixbyte.deltaforceguide.manager.WebhookManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Service;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import org.yaml.snakeyaml.Yaml;
+
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+@Service
+public class WebhookService {
+
+    private static final Logger log = LoggerFactory.getLogger(WebhookService.class);
+    private static final String TRIGGER_LABEL = "weapon-mod";
+    private static final Duration DEDUP_TTL = Duration.ofHours(12);
+    private static final Pattern YAML_FENCE =
+            Pattern.compile("```ya?ml\\s*\\R(.*?)```", Pattern.DOTALL);
+
+    private final ModificationManager modificationManager;
+    private final RedisTemplate<String, Object> redisTemplate;
+    private final WebhookManager webhookManager;
+    private final Yaml yaml;
+
+    public WebhookService(
+            ModificationManager modificationManager,
+            RedisTemplate<String, Object> redisTemplate,
+            WebhookManager webhookManager
+    ) {
+        this.modificationManager = modificationManager;
+        this.redisTemplate = redisTemplate;
+        this.webhookManager = webhookManager;
+        this.yaml = new Yaml();
+    }
+
+    public void processIssueEvent(GitHubIssueRequest request) {
+        var issue = request.issue();
+        var repository = request.repository();
+        var sender = request.sender();
+
+        if (!isAllowedSender(sender)) {
+            log.info("Issue #{} sender={} not in allowed-users, skipping",
+                    issue.number(), sender != null ? sender.login() : "null");
+            return;
+        }
+
+        if (!hasTriggerLabel(issue.labels())) {
+            log.debug("Issue #{} lacks trigger label, skipping", issue.number());
+            return;
+        }
+
+        var dedupKey = "github:webhook:processed:%s:%d"
+                .formatted(repository.fullName(), issue.number());
+        var acquired = redisTemplate.opsForValue()
+                .setIfAbsent(dedupKey, "1", DEDUP_TTL);
+        if (acquired == null || !acquired) {
+            log.info("Issue #{} already processed, skipping", issue.number());
+            return;
+        }
+
+        var parsedYaml = extractYaml(issue.body());
+        if (parsedYaml == null) {
+            log.warn("No YAML block found in issue #{} body", issue.number());
+            return;
+        }
+
+        var data = yaml.<Map<String, Object>>load(parsedYaml);
+        if (data == null) {
+            log.warn("Empty YAML block in issue #{}", issue.number());
+            return;
+        }
+
+        if (data.containsKey("modifications")) {
+            processBatch(issue.number(), data);
+        } else {
+            processSingle(issue.number(), data);
+        }
+    }
+
+    private void processSingle(Long issueNumber, Map<String, Object> data) {
+        var request = mapToRequest(data);
+        log.info("Creating modification from issue #{}: name={}", issueNumber, request.name());
+        modificationManager.create(request);
+    }
+
+    @SuppressWarnings("unchecked")
+    private void processBatch(Long issueNumber, Map<String, Object> data) {
+        var list = (List<Map<String, Object>>) data.get("modifications");
+        if (list == null || list.isEmpty()) {
+            log.warn("Empty modifications list in issue #{}", issueNumber);
+            return;
+        }
+        var requests = list.stream()
+                .map(this::mapToRequest)
+                .toList();
+        log.info("Batch creating {} modifications from issue #{}", requests.size(), issueNumber);
+        modificationManager.batchCreate(requests);
+    }
+
+    private ModificationRequest mapToRequest(Map<String, Object> data) {
+        Long firearmId = modificationManager.resolveFirearmId(
+                toLong(data.get("firearmId")),
+                (String) data.get("firearmName"));
+        if (firearmId == null) {
+            throw new BizException(HttpStatus.BAD_REQUEST,
+                    "YAML must contain firearmId or firearmName");
+        }
+        String name = (String) data.get("name");
+        String code = (String) data.get("code");
+        List<String> tags = toStringList(data.get("tags"));
+        List<AccessoryRequest> accessories = mapAccessories(data.get("accessories"));
+        String note = (String) data.get("note");
+        String author = (String) data.get("author");
+        String videoUrl = (String) data.get("videoUrl");
+
+        return new ModificationRequest(firearmId, name, code, tags, accessories,
+                note, author, videoUrl);
+    }
+
+    private List<AccessoryRequest> mapAccessories(Object raw) {
+        if (!(raw instanceof List<?> list)) {
+            return new ArrayList<>();
+        }
+        var result = new ArrayList<AccessoryRequest>();
+        for (var item : list) {
+            if (item instanceof Map<?, ?> map) {
+                result.add(new AccessoryRequest(
+                        (String) map.get("slotName"),
+                        (String) map.get("accessoryName"),
+                        mapTunings(map.get("tunings"))
+                ));
+            }
+        }
+        return result;
+    }
+
+    private List<TuningRequest> mapTunings(Object raw) {
+        if (!(raw instanceof List<?> list)) {
+            return new ArrayList<>();
+        }
+        var result = new ArrayList<TuningRequest>();
+        for (var item : list) {
+            if (item instanceof Map<?, ?> map) {
+                result.add(new TuningRequest(
+                        (String) map.get("tuningName"),
+                        toDouble(map.get("tuningValue"))
+                ));
+            }
+        }
+        return result;
+    }
+
+    private List<String> toStringList(Object raw) {
+        if (raw instanceof List<?> list) {
+            return list.stream()
+                    .filter(String.class::isInstance)
+                    .map(String.class::cast)
+                    .toList();
+        }
+        return new ArrayList<>();
+    }
+
+    private boolean isAllowedSender(
+            GitHubWebhookSender sender
+    ) {
+        var allowedUsers = webhookManager.allowedUsers();
+        if (allowedUsers == null || allowedUsers.isEmpty()) {
+            return true;
+        }
+        if (sender == null || sender.login() == null) {
+            return false;
+        }
+        return allowedUsers.contains(sender.login());
+    }
+
+    private boolean hasTriggerLabel(List<GitHubWebhookLabel> labels) {
+        if (labels == null) {
+            return false;
+        }
+        return labels.stream().anyMatch(label -> TRIGGER_LABEL.equals(label.name()));
+    }
+
+    private String extractYaml(String body) {
+        if (body == null) {
+            return null;
+        }
+        var matcher = YAML_FENCE.matcher(body);
+        return matcher.find() ? matcher.group(1) : null;
+    }
+
+    private Long toLong(Object value) {
+        if (value instanceof Number num) {
+            return num.longValue();
+        }
+        if (value instanceof String s) {
+            return Long.parseLong(s);
+        }
+        return null;
+    }
+
+    private Double toDouble(Object value) {
+        if (value instanceof Number num) {
+            return num.doubleValue();
+        }
+        if (value instanceof String s) {
+            return Double.parseDouble(s);
+        }
+        return null;
+    }
+}
@@ -0,0 +1,11 @@
+package com.onixbyte.deltaforceguide.shared;
+
+/**
+ * Constants for HTTP cookie names used for authentication tokens.
+ *
+ * @author zihluwang
+ */
+public class CookieName {
+
+    public static final String ACCESS_TOKEN = "AccessToken";
+}
@@ -0,0 +1,11 @@
+package com.onixbyte.deltaforceguide.shared;
+
+/**
+ * Constants for supported authentication provider identifiers.
+ *
+ * @author zihluwang
+ */
+public class CredentialProvider {
+
+    public static final String LOCAL = "LOCAL";
+}
@@ -0,0 +1,56 @@
+package com.onixbyte.deltaforceguide.shared;
+
+/**
+ * This class lists the header names that GitHub sends in webhook requests.
+ *
+ * @author siujamo
+ */
+public class GitHubWebhookHeader {
+
+    /**
+     * The unique identifier of the webhook.
+     */
+    public static final String HOOK_ID = "X-GitHub-Hook-ID";
+
+    /**
+     * The name of the event that triggered the delivery.
+     */
+    public static final String EVENT = "X-GitHub-Event";
+
+    /**
+     * A globally unique identifier (GUID) to identify the event.
+     */
+    public static final String DELIVERY = "X-GitHub-Delivery";
+
+    /**
+     * This header is sent if the webhook is configured with a {@code secret}. This is the HMAC hex
+     * digest of the request body, and is generated using the SHA-1 hash function and the secret as
+     * the HMAC {@code key}. {@code X-Hub-Signature} is provided for compatibility with
+     * existing integrations. We recommend that you use the more secure
+     * {@code X-Hub-Signature-256} instead.
+     */
+    public static final String SIGNATURE = "X-Hub-Signature";
+
+    /**
+     * This header is sent if the webhook is configured with a {@code secret}. This is the HMAC hex
+     * digest of the request body, and is generated using the SHA-256 hash function and the
+     * {@code secret} as the HMAC key. For more information, see <a href="https://docs.github.com/en/webhooks/using-webhooks/securing-your-webhooks"
+     * >Validating webhook deliveries</a>.
+     */
+    public static final String SIGNATURE_256 = "X-Hub-Signature-256";
+
+    /**
+     * This header will always have the prefix {@code GitHub-Hookshot/}.
+     */
+    public static final String USER_AGENT = "User-Agent";
+
+    /**
+     * The type of resource where the webhook was created.
+     */
+    public static final String INSTALLATION_TARGET_TYPE = "X-GitHub-Hook-Installation-Target-Type";
+
+    /**
+     * The unique identifier of the resource where the webhook was created.
+     */
+    public static final String INSTALLATION_TARGET_ID = "X-GitHub-Hook-Installation-Target-ID";
+}
@@ -13,6 +13,12 @@ import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.time.LocalTime;

+/**
+ * Shared Jackson {@link com.fasterxml.jackson.databind.Module} instances for custom date/time
+ * serialisation and deserialisation across the application.
+ *
+ * @author zihluwang
+ */
 public class JacksonModules {

    public static final SimpleModule DATE_TIME_MODULE = initialiseDateTimeModule();
@@ -4,6 +4,12 @@ import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;

+/**
+ * Singleton serialiser for Redis cache operations using
+ * {@link GenericJackson2JsonRedisSerializer} with JavaTime module support.
+ *
+ * @author zihluwang
+ */
 public class JacksonRedisSerialiser {

    public static final GenericJackson2JsonRedisSerializer INSTANCE = initialiseSerializer();
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
siujamo	a065b60cae	chore: migrate CI from GitHub Actions to Gitea Actions Replace GitHub Actions workflow with Gitea Actions, and switch container registry from GHCR to Docker Hub.	2026-06-04 17:36:43 +08:00
siujamo	17cd87c702	feat: inject build-time variables via Gradle processResources Replace hardcoded AppProperties values with Gradle ${} placeholders, allowing version/channel/vendor to be configured via gradle.properties or -P flags at build time. Also refactor webhook configuration to flatten the properties hierarchy by removing the intermediate WebhookProperties wrapper.	2026-06-04 17:12:48 +08:00
siujamo	4e2da0debc	feat: add expire time into login response	2026-06-04 14:47:45 +08:00
siujamo	0815d1d618	chore: optimise code style	2026-06-04 14:42:14 +08:00
zihluwang	d323e4f8f7	chore: change traffic interceptor log level from info to debug	2026-06-02 01:46:49 +08:00
siujamo	eb2d9b3369	fix: rename webhook filter bean to avoid name collision with WebhookFilter class	2026-06-01 17:18:42 +08:00
siujamo	a0d54cc12d	Merge pull request #2 from onixbyte/feature/github-webhook feat: GitHub webhook — create modifications from labelled issues	2026-06-01 17:04:21 +08:00
siujamo	4eafb3ade7	Merge branch 'develop' into feature/github-webhook	2026-06-01 17:03:48 +08:00
siujamo	9594efe716	fix: use BizException instead of ResponseStatusException for firearmId validation	2026-06-01 17:01:50 +08:00
siujamo	5b5062aae9	fix: validate firearmId is present before constructing ModificationRequest	2026-06-01 17:00:03 +08:00
siujamo	b0c41e08ea	fix: use \R instead of \n in YAML fence regex for cross-platform linebreaks	2026-06-01 16:59:47 +08:00
siujamo	ed2a0f4ae0	style: replace fully qualified type names and clean up imports	2026-06-01 16:59:40 +08:00
siujamo	de61e1feb7	refactor: remove redundant @Transactional from delegated service methods	2026-06-01 16:59:12 +08:00
siujamo	3616ad9eab	chore: remove unused imports in GitHubWebhookInterceptor	2026-06-01 16:59:08 +08:00
siujamo	20bc18d416	fix: rename misnamed loggingFilter bean to webhookFilter	2026-06-01 16:59:05 +08:00
siujamo	4ee741d307	feat: add firearm name lookup for webhook YAML parsing When firearmId is absent from the YAML block, resolveFirearmId falls back to firearmName lookup via FirearmRepository.findByName(). If both are present, firearmId takes precedence.	2026-06-01 16:34:37 +08:00
siujamo	0530c1f633	feat: add allowed-users sender filtering for GitHub webhook Only issues submitted by users in the allowed-users list are processed. An empty or null list allows all senders (no filtering). Checks sender.login from the webhook payload against the configured list.	2026-06-01 16:30:46 +08:00
siujamo	8a9cf110af	chore: remove deprecated GitLab webhook code GitLab webhook has been superseded by the GitHub webhook implementation. Remove WebhookController (formerly GitLabWebhookController), GitLabWebhookRequest DTO, and GitLabWebhookInterceptor.	2026-06-01 15:37:06 +08:00
siujamo	c30b5701e4	feat: implement GitHub webhook controller and processing service WebhookService parses YAML-fenced issue body, filters by "weapon-mod" label, deduplicates via Redis SETNX with 12h TTL, and delegates to ModificationManager for single/batch creation. GitHubWebhookController verifies X-GitHub-Event=issues and action=opened before delegating to the service. Register GitHubWebhookInterceptor for /webhooks/github in AppConfig.	2026-06-01 15:30:30 +08:00
siujamo	7fafa0d903	refactor: extract ModificationManager for modification creation Move create/batchCreate transactional logic from ModificationService into a dedicated ModificationManager. Both ModificationService and WebhookService delegate to the manager, respecting the Controller -> Service -> Manager layering rule.	2026-06-01 15:30:14 +08:00
siujamo	8c8ca58b74	feat: implement GitHub webhook HMAC-SHA256 signature verification Verify X-Hub-Signature-256 header using CryptoUtil.hmacSha256 from onixbyte crypto-toolbox. Signature check is skipped when no secret is configured. Uses MessageDigest.isEqual for constant-time comparison.	2026-06-01 15:29:32 +08:00
siujamo	12469f1b27	feat: replace GitLab webhook properties with GitHub webhook config Replace GitLabWebhookProperties with GitHubWebhookProperties (secret, allowed-users). Update WebhookProperties and WebhookManager to use GitHub-only configuration. Add app.webhook.github defaults to application.yaml.	2026-06-01 15:29:19 +08:00
siujamo	44271eeec4	feat: add GitHub webhook DTOs with snake_case mapping and header constants Replace GitHubIssueLabeledWebhookRequest with GitHubIssueRequest. Add number and repository fields for dedup key construction. Add Jackson @JsonNaming/@JsonIgnoreProperties for GitHub payload deserialisation. Add GitHubWebhookHeader constants for webhook header names.	2026-06-01 15:27:35 +08:00
siujamo	f9c210c8b3	chore: bump onixbyte toolbox to v3.4.0	2026-06-01 13:58:03 +08:00
siujamo	ce330bca87	feat: create GitHub Webhook request object	2026-05-29 15:10:48 +08:00
zihluwang	bd4fe65b03	Merge remote-tracking branch 'origin/develop' into develop	2026-05-29 00:42:34 +08:00
zihluwang	eb22b3c4bb	docs: add Javadocs	2026-05-29 00:42:27 +08:00
siujamo	7032343487	feat: update URI to match standard in GitLab issues	2026-05-28 15:35:22 +08:00
siujamo	243283b788	docs: reformatted javadocs	2026-05-28 15:28:53 +08:00
siujamo	4810ef2b1f	refactor: migrate properties accessing to access via manager	2026-05-28 15:24:42 +08:00
siujamo	72ec875802	docs: add Javadoc for GitLabWebhookInterceptor	2026-05-28 15:22:36 +08:00
siujamo	6240ec1016	Merge branch 'develop' into feature/gitlab-webhook # Conflicts: # src/main/java/com/onixbyte/deltaforceguide/config/AppConfig.java	2026-05-28 15:20:05 +08:00
siujamo	8d24b6082d	feat: add gitlab webhook http entrypoint	2026-05-28 15:18:25 +08:00
siujamo	9bc70d5370	feat: add web traffic logger	2026-05-28 15:17:36 +08:00
siujamo	d44f5f74fe	chore: ignore frp client config	2026-05-28 13:55:22 +08:00
siujamo	f866d93fb4	feat: add gitlab webhook verification	2026-05-28 13:54:30 +08:00
siujamo	66b37ec20d	fix: add equals and hashCode to Accessory and Tuning entities	2026-05-28 13:51:24 +08:00
siujamo	0d70b27653	feat: add OpenAPI definition with title, contact, and licence	2026-05-26 14:24:56 +08:00
siujamo	673ba03f2b	Merge remote-tracking branch 'origin/develop' into develop	2026-05-26 11:20:29 +08:00
siujamo	f6255d396c	Merge branch 'develop' into 'main' fix: revert CI branch guard, keep --provenance removal See merge request onixbyte/delta-force-guide-server!5	2026-05-26 11:00:16 +08:00
siujamo	26cea1db82	chore: add gradle.properties to .gitignore	2026-05-26 10:58:24 +08:00
siujamo	49f9b59b99	chore: add gradle.properties to .gitignore	2026-05-26 10:58:22 +08:00
siujamo	1f42921689	fix: revert CI branch guard, keep --provenance removal Revert the main-branch-only rule since $CI_COMMIT_BRANCH is unset for tag pipelines. The --provenance=false removal remains as the fix for legacy builder.	2026-05-26 10:56:51 +08:00
siujamo	8f102f54c7	Merge branch 'develop' into 'main' fix: restrict GitLab CI to main branch and drop --provenance flag See merge request onixbyte/delta-force-guide-server!4	2026-05-26 10:48:38 +08:00
siujamo	9fe292963c	fix: restrict GitLab CI to main branch and drop --provenance flag - Add main branch guard to pipeline rules - Remove unsupported --provenance=false flag incompatible with legacy builder	2026-05-26 10:47:28 +08:00
siujamo	d3681916b2	Merge branch 'develop' into 'main' v1.3.1: Versioning and Daily Password See merge request onixbyte/delta-force-guide-server!3	2026-05-26 10:43:12 +08:00
siujamo	d27f6455d8	docs: add README, LICENCE, and production config template - Add MIT LICENCE file - Add comprehensive README with tech stack, API overview, and architecture docs - Add example production configuration template - Remove gradle.properties in favour of build-time version injection @	2026-05-26 10:42:01 +08:00
siujamo	0671937ecd	feat: add versioning entrypoint	2026-05-26 10:18:27 +08:00
siujamo	e2a40795c5	chore: opt-in to Node.js 24 for GitHub Actions to clear deprecation warning Set the environment variable FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 to true to force the workflow and runner to execute all JavaScript actions using Node.js 24. This resolves the future deprecation warning for Node.js 20.	2026-05-25 16:01:19 +08:00
siujamo	a8ff1cabad	chore: rewrite GitHub Actions to build, publish release JAR, and push image to GHCR Update build-and-deploy.yml workflow to: 1. Run single job 'build-and-release' to bypass artifact transfers. 2. Build JAR with -PartefactVersion parameter. 3. Upload the compiled JAR asset directly into GitHub Releases. 4. Build and push the Docker image directly to GitHub Container Registry (ghcr.io).	2026-05-25 15:52:54 +08:00
siujamo	e4dca61f98	chore: merge CI stages into a single release job to optimize speed Merge build, package, and deploy stages into a single 'release' job. By building the jar and running docker commands in the same container using local docker socket, we completely bypass the need for GitLab artifact uploading/downloading. This significantly reduces network overhead and speeds up release deployment.	2026-05-25 15:43:23 +08:00
siujamo	e7da3a76b7	ci: recover artefact uploading	2026-05-25 14:45:26 +08:00
siujamo	5cea825bc0	chore: remove gitlab artifacts to avoid slow uploads Remove artifacts uploading from the build stage. Since we use a shared docker socket on the same runner host, the package stage can access the locally built jar file directly without needing gitlab coordinator upload/download.	2026-05-25 14:39:33 +08:00
siujamo	bd2748e25c	fix: disable provenance in docker build to fix GitLab Registry 0B display Add `--provenance=false` flag to `docker build` command. This stops Docker BuildKit from generating OCI Referrers/attestations, which are not correctly parsed by GitLab Container Registry and cause the UI to display 0B size and "missing manifest digest" errors.	2026-05-25 13:58:14 +08:00
siujamo	0f1093774f	fix: use GitLab predefined environment variables for container registry Replace custom registry variables with GitLab's predefined CI_REGISTRY, CI_REGISTRY_IMAGE, and CI_REGISTRY_USER to ensure the built-in CI_JOB_TOKEN has correct push permissions.	2026-05-25 11:47:22 +08:00
siujamo	d19b7f5563	fix: allow jar files to be copied in Docker build context Add '!build/libs/*.jar' to .dockerignore so that Docker build can access the build artifacts in the package stage.	2026-05-25 11:05:25 +08:00
siujamo	ea1456c5a5	Merge branch 'develop' into 'main' chore: switch CI to Docker socket binding and add artefact version parameter See merge request onixbyte/delta-force-guide-server!2	2026-05-25 10:20:50 +08:00
siujamo	b60cd36535	chore: switch CI to Docker socket binding and add artefact version parameter Replace DinD services with unix:///var/run/docker.sock socket binding to fix "Cannot connect to Docker daemon" errors. Add -PartefactVersion parameter to Gradle build for release version tracking.	2026-05-25 10:17:33 +08:00
siujamo	1115cd4527	Merge branch 'develop' into 'main' v1.3.0: Introduced Daily Password See merge request onixbyte/delta-force-guide-server!1	2026-05-25 09:11:13 +08:00
siujamo	491be4f4dd	chore: simplify GitLab CI to release-only workflow with tag-triggered pipeline Replace the full CI pipeline (build → image → push → SSH deploy on every branch) with a focused release workflow: build JAR on tag push, package Docker image tagged with the release tag, and push to registry.onixbyte.cn.	2026-05-25 09:05:13 +08:00
siujamo	b94a09691d	chore: add GitHub Actions workflow for release-based build and deploy	2026-05-19 10:38:11 +08:00
siujamo	24b7913908	chore: add GitLab CI pipeline with build, container registry push, and deploy stages	2026-05-18 17:07:34 +08:00
siujamo	20d2edc9b1	feat: use @RequiresAuth annotation instead of manual path listing in security config	2026-05-15 11:41:14 +08:00
siujamo	6d869d5145	docs: improve API endpoints table formatting in CLAUDE.md	2026-05-15 11:35:26 +08:00
siujamo	130d360556	feat: add daily password endpoint with Redis caching	2026-05-15 11:32:31 +08:00
siujamo	0ae23fa0cb	chore: add Claude Code local files to .gitignore	2026-05-15 10:41:46 +08:00
zihluwang	559ae34966	chore: remove legacy Groovy Gradle files and relocated converter build.gradle and settings.gradle superseded by build.gradle.kts and settings.gradle.kts. FirearmTypeConverter moved to domain/converter/ package. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 23:58:25 +08:00
zihluwang	70ae945cd2	chore: add CLAUDE.md with coding standards and build commands Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 23:56:48 +08:00
zihluwang	7fda77370e	chore: update artefactVersion to 1.2.0	2026-04-23 16:24:41 +08:00
zihluwang	384e17e79c	feat: add AccessoryResponse and TuningResponse DTOs for accessory and tuning data representation	2026-04-23 16:10:05 +08:00
zihluwang	353c05339e	feat: refactor batch delete endpoint to use request parameters and update SQL schema for firearm table	2026-04-22 16:35:39 +08:00
zihluwang	5ce8a994a4	feat: add modification creation and deletion endpoints, including batch operations and request DTOs	2026-04-21 23:39:05 +08:00
zihluwang	93dbd857e0	feat: add update and delete operations for Firearm, including error handling	2026-04-21 14:20:45 +08:00
zihluwang	dec7f3c7d2	feat: add Accessory and Tuning classes, update Modification to include accessories	2026-04-21 14:07:17 +08:00
zihluwang	17048104d9	feat: add logout operation description and update schema annotations in LoginRequest	2026-04-17 10:57:41 +08:00
zihluwang	f0a8006097	feat: add Swagger annotations for user authentication endpoints and update validation in LoginRequest	2026-04-17 10:55:39 +08:00
zihluwang	a58fefbd2d	feat: add addFirearm endpoint and FirearmRequest DTO for firearm creation	2026-04-16 09:52:55 +08:00
zihluwang	cb50892ffe	feat: add builder pattern for Firearm, Modification, User, UserCredential, and UserCredentialId classes	2026-04-15 11:14:19 +08:00
zihluwang	1fc7b932bc	feat: add logout endpoint and refactor cookie management in AuthController	2026-04-14 12:13:02 +08:00
zihluwang	8fbb73740c	feat: implement user authentication with login endpoint and cookie management	2026-04-13 17:25:34 +08:00
zihluwang	75abbb0a2a	feat: add Swagger annotations for Firearm, Modification, and Tag controllers	2026-04-13 14:38:50 +08:00
zihluwang	5e9b29c186	feat: implement JWT authentication with TokenClient, TokenAuthenticationFilter, and SecurityConfig	2026-04-13 14:32:34 +08:00
zihluwang	0a6813ceea	chore: add Spring Security to library	2026-04-12 05:37:24 +08:00
zihluwang	e65df08d1b	feat: implement User and UserCredential models with repository and service layers	2026-04-12 05:32:31 +08:00
zihluwang	6e6843c412	Merge pull request #1 from zihluwang/develop Enhance Firearm model and add tag filtering to queries	2026-04-09 17:53:28 +08:00
zihluwang	bd1f2441f3	feat: add calibre, fire rate, armour damage, and body damage fields to Firearm model and update related response and migration scripts	2026-04-09 13:28:28 +08:00
zihluwang	0992635391	feat: add nullability annotations to findById method in ModificationRepository	2026-04-09 11:37:02 +08:00
zihluwang	a28033ff4c	feat: add tag filtering to modification queries and implement tag retrieval endpoint	2026-04-07 11:58:46 +08:00
zihluwang	1a88cf37bc	chore: update artefact version to 1.1.0	2026-04-06 21:03:50 +08:00