Update coffee bot prize image instructions

Add coffee bot lottery poster and schedule

.env.example

@@ -0,0 +1,119 @@
+# === Core Service Ports ===
+SERVER_PORT=8080
+FRONTEND_PORT=3000
+WEBSOCKET_PORT=8082
+OPENISLE_MCP_PORT=8085
+MYSQL_PORT=3306
+REDIS_PORT=6379
+RABBITMQ_PORT=5672
+RABBITMQ_MANAGEMENT_PORT=15672
+
+# === OpenSearch Configuration ===
+OPENSEARCH_PORT=9200
+OPENSEARCH_METRICS_PORT=9600
+OPENSEARCH_DASHBOARDS_PORT=5601
+OPENSEARCH_ENABLED=true
+OPENSEARCH_SCHEME=http
+OPENSEARCH_USERNAME=
+OPENSEARCH_PASSWORD=
+OPENSEARCH_HOST=opensearch
+
+# === Database Configuration ===
+MYSQL_DATABASE=openisle
+MYSQL_ROOT_PASSWORD=openisle
+MYSQL_USER=openisle
+MYSQL_PASSWORD=openisle
+MYSQL_HOST=mysql
+
+# === Redis Configuration ===
+REDIS_HOST=redis
+REDIS_DATABASE=0
+
+# === RabbitMQ Configuration ===
+RABBITMQ_HOST=rabbitmq
+RABBITMQ_USERNAME=nagisa
+RABBITMQ_PASSWORD=nagisa
+
+# === Backend Application Secrets ===
+JWT_SECRET=change-me-jwt-secret
+JWT_REASON_SECRET=change-me-jwt-reason-secret
+JWT_RESET_SECRET=change-me-jwt-reset-secret
+JWT_INVITE_SECRET=change-me-jwt-invite-secret
+JWT_EXPIRATION=2592000000
+PASSWORD_STRENGTH=LOW
+POST_PUBLISH_MODE=DIRECT
+REGISTER_MODE=WHITELIST
+UPLOAD_CHECK_TYPE=true
+UPLOAD_MAX_SIZE=5242880
+AVATAR_STYLE=pixel-art-neutral
+AVATAR_SIZE=128
+AVATAR_BASE_URL=https://api.dicebear.com/6.x
+USER_POSTS_LIMIT=10
+USER_REPLIES_LIMIT=50
+SNIPPET_LENGTH=200
+SEARCH_INDEX_PREFIX=openisle
+SEARCH_HIGHLIGHT_FRAGMENT_SIZE=200
+SEARCH_REINDEX_ON_STARTUP=true
+SEARCH_REINDEX_BATCH_SIZE=500
+CAPTCHA_ENABLED=false
+RECAPTCHA_SECRET_KEY=
+CAPTCHA_REGISTER_ENABLED=false
+CAPTCHA_LOGIN_ENABLED=false
+CAPTCHA_POST_ENABLED=false
+CAPTCHA_COMMENT_ENABLED=false
+RESEND_API_KEY=
+RESEND_FROM_EMAIL=
+COS_BASE_URL=https://<你的cos>.cos.accelerate.myqcloud.com
+COS_SECRET_ID=
+COS_SECRET_KEY=
+COS_REGION=ap-guangzhou
+COS_BUCKET_NAME=
+GITHUB_CLIENT_SECRET=
+DISCORD_CLIENT_SECRET=
+TWITTER_CLIENT_SECRET=
+TELEGRAM_BOT_TOKEN=
+OPENAI_API_KEY=
+OPENAI_MODEL=gpt-4o
+AI_FORMAT_LIMIT=3
+WEBSITE_URL=http://localhost:3000
+WEBPUSH_PUBLIC_KEY=
+WEBPUSH_PRIVATE_KEY=
+LOG_LEVEL=INFO
+
+# === Frontend (Nuxt) ===
+# 本地开发
+NUXT_PUBLIC_API_BASE_URL=http://localhost:8080
+# 线上环境
+# NUXT_PUBLIC_API_BASE_URL=https://www.open-isle.com
+# 测试环境
+# NUXT_PUBLIC_API_BASE_URL=https://www.staging.open-isle.com
+
+# 本地开发
+NUXT_PUBLIC_WEBSOCKET_URL=http://localhost:8082
+# 线上环境
+# NUXT_PUBLIC_WEBSOCKET_URL=https://www.open-isle.com/websocket
+# 测试环境 
+# NUXT_PUBLIC_WEBSOCKET_URL=https://www.staging.open-isle.com/websocket
+
+# 本地开发
+NUXT_PUBLIC_WEBSITE_BASE_URL=http://localhost:3000
+# 线上 & 测试 (www.staging.open-isle.com) & 本地均可使用
+NUXT_PUBLIC_GOOGLE_CLIENT_ID=777830451304-nt8afkkap18gui4f9entcha99unal744.apps.googleusercontent.com
+# 线上
+NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liVkO1NPAX5JyWxJ
+# 测试环境 (www.staging.open-isle.com)
+# NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23li6GHPxx4MwipWnM
+# 本地
+# NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liOlrZnPKRF7s7NN
+
+# 线上 & 本地均可使用
+NUXT_PUBLIC_DISCORD_CLIENT_ID=1394985417044000779
+
+# 线上 & 本地均可使用
+NUXT_PUBLIC_TWITTER_CLIENT_ID=ZTRTU05KSk9KTTJrTTdrVC1tc1E6MTpjaQ
+
+# 线上
+NUXT_PUBLIC_TELEGRAM_BOT_ID=8450237135
+# 测试环境 (www.staging.open-isle.com)
+# NUXT_PUBLIC_TELEGRAM_BOT_ID=7832207011
+

.github/ISSUE_TEMPLATE/新功能建议.md

@@ -0,0 +1,19 @@
+---
+name: 新功能建议
+about: 请为该项目提出一个想法
+title: ""
+labels: ""
+assignees: ""
+---
+
+**你的功能请求是否与某个问题相关？请描述。**
+请清晰、简洁地说明问题。例如：“我经常因为……而感到困扰。”
+
+**你期望的解决方案**
+请清晰、简洁地描述你希望发生的事情/功能如何工作。
+
+**你考虑过的替代方案**
+请清晰、简洁地说明你已考虑过的其他解决方案或功能。
+
+**其他上下文**
+在此添加与功能请求相关的其他信息或截图。

.github/ISSUE_TEMPLATE/错误-bug报告.md

@@ -0,0 +1,40 @@
+---
+name: 错误/Bug报告
+about: 创建报告以帮助我们改进
+title: ""
+labels: ""
+assignees: ""
+---
+
+**描述 Bug**
+对该 Bug 进行清晰简明的描述。
+
+**复现步骤**
+复现该问题的步骤：
+
+1. 进入 '...'
+2. 点击 '...'
+3. 下拉到 '...'
+4. 看到错误
+
+**预期行为**
+清晰简明地描述你期望发生的情况。
+
+**截图**
+如果适用，请添加截图以帮助解释问题。
+
+**桌面端（请完成以下信息）：**
+
+- 操作系统：\[例如 iOS]
+- 浏览器：\[例如 Chrome、Safari]
+- 版本：\[例如 22]
+
+**移动端（请完成以下信息）：**
+
+- 设备：\[例如 iPhone6]
+- 操作系统：\[例如 iOS8.1]
+- 浏览器：\[例如 系统自带浏览器、Safari]
+- 版本：\[例如 22]
+
+**附加上下文**
+在此添加与问题相关的其他上下文信息。

.github/workflows/coffee-bot.yml

@@ -0,0 +1,29 @@
+name: Coffee Bot
+
+on:
+  schedule:
+    - cron: "0 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  run-coffee-bot:
+    environment: Bots
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm install --no-save @openai/agents tsx typescript
+
+      - name: Run coffee bot
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENISLE_TOKEN: ${{ secrets.OPENISLE_TOKEN }}
+        run: npx tsx bots/instance/coffee_bot.ts

.github/workflows/deploy-docs.yml

@@ -0,0 +1,52 @@
+name: Deploy Documentation
+
+on:
+  workflow_call:
+    inputs:
+      build-id:
+        required: false
+        type: string
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+# 文档发布自己的排队锁，不影响服务器部署
+concurrency:
+  group: openisle-docs
+  cancel-in-progress: false
+
+jobs:
+  build-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Log build
+        run: echo "Running documentation deployment from build ${{ inputs.build-id }}"
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      - name: Install Bun dependencies
+        run: bun install
+        working-directory: ./docs
+
+      - name: Generate API MDX
+        run: bun run generate
+        working-directory: ./docs
+
+      - name: Build documentation
+        run: bun run build
+        working-directory: ./docs
+
+      - name: Deploy to GitHub Pages
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          branch: gh-pages
+          folder: ./docs/out

.github/workflows/deploy-staging.yml

@@ -0,0 +1,39 @@
+name: Staging CI & CD
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+# 与生产部署共用同一把锁，确保服务器上始终串行（跨工作流也互斥）
+concurrency:
+  group: openisle-server
+  cancel-in-progress: false
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    environment: Deploy
+    if: ${{ !github.event.repository.fork }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy to Server (staging)
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: bash /opt/openisle/OpenIsle/deploy/deploy_staging.sh
+
+  deploy-docs:
+    needs: build-and-deploy
+    if: ${{ success() }}
+    uses: ./.github/workflows/deploy-docs.yml
+    secrets: inherit
+    with:
+      build-id: ${{ github.run_id }}

.github/workflows/deploy.yml

@@ -1,9 +1,14 @@
 name: CI & CD
 
 on:
-  push:
-    branches: [main]
   workflow_dispatch:
+  schedule:
+    - cron: "0 19 * * *" # 每天 UTC 19:00（北京 03:00）
+
+# 与 Staging 共用同一把锁，避免两边同时在 8G 服务器上跑
+concurrency:
+  group: openisle-server
+  cancel-in-progress: false
 
 jobs:
   build-and-deploy:
@@ -11,29 +16,12 @@ jobs:
     environment: Deploy
 
     steps:
-    - uses: actions/checkout@v4
-
-    # - uses: actions/setup-java@v4
-    #   with:
-    #     java-version: '17'
-    #     distribution: 'temurin'
-
-    # - run: mvn -B clean package -DskipTests
-
-    # - uses: actions/setup-node@v4
-    #   with:
-    #     node-version: '20'
-
-    # - run: |
-    #     cd open-isle-cli
-    #     npm ci
-    #     npm run build
-
-    - name: Deploy to Server
-      uses: appleboy/ssh-action@v1.0.3
-      with:
-        host:   ${{ secrets.SSH_HOST }}
-        username: root
-        key:     ${{ secrets.SSH_KEY }}
-        script:  bash /opt/openisle/deploy.sh
+      - uses: actions/checkout@v4
 
+      - name: Deploy to Server (prod)
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: bash /opt/openisle/OpenIsle/deploy/deploy.sh

.github/workflows/reply-bots.yml

@@ -0,0 +1,29 @@
+name: Reply Bots
+
+on:
+  schedule:
+    - cron: "*/30 * * * *"
+  workflow_dispatch:
+
+jobs:
+  run-reply-bot:
+    environment: Bots
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm install --no-save @openai/agents tsx typescript
+
+      - name: Run reply bot
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENISLE_TOKEN: ${{ secrets.OPENISLE_TOKEN }}
+        run: npx tsx bots/instance/reply_bot.ts

.gitignore

@@ -1,5 +1,32 @@
+# IDE
 .idea
 target
-openisle.iml
+
+# log
+logs
+
+# deps
 node_modules
-dist
+
+# test & build
+coverage
+out/
+build
+dist
+*.tsbuildinfo
+
+# misc
+.DS_Store
+*.pem
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-lock.yaml
+pnpm-workspace.yaml
+
+# env
+*.env
+.env*.local
+
+# others
+openisle.iml

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

CODE_OF_CONDUCT.md

@@ -0,0 +1,32 @@
+# OpenIsle Code of Conduct
+
+Like the technical community as a whole, the OpenIsle team and community is made up of a mixture of professionals and volunteers from all over the world, working on every aspect of the mission - including mentorship, teaching, and connecting people.
+
+Diversity is one of our huge strengths, but it can also lead to communication issues and unhappiness. To that end, we have a few ground rules that we ask people to adhere to. This code applies equally to founders, mentors and those seeking help and guidance.
+
+This isn’t an exhaustive list of things that you can’t do. Rather, take it in the spirit in which it’s intended - a guide to make it easier to enrich all of us and the technical communities in which we participate.
+
+This code of conduct applies to all spaces managed by the OpenIsle project or . This includes IRC, the mailing lists, the issue tracker, DSF events, and any other forums created by the project team which the community uses for communication. In addition, violations of this code outside these spaces may affect a person's ability to participate within them.
+
+If you believe someone is violating the code of conduct, we ask that you report it by emailing [](mailto:). For more details please see our
+
+- **Be friendly and patient.**
+- **Be welcoming.** We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
+- **Be considerate.** Your work will be used by other people, and you in turn will depend on the work of others. Any decision you take will affect users and colleagues, and you should take those consequences into account when making decisions. Remember that we're a world-wide community, so you might not be communicating in someone else's primary language.
+- **Be respectful.** Not all of us will agree all the time, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It’s important to remember that a community where people feel uncomfortable or threatened is not a productive one. Members of the OpenIsle community should be respectful when dealing with other members as well as with people outside the OpenIsle community.
+- **Be careful in the words that you choose.** We are a community of professionals, and we conduct ourselves professionally. Be kind to others. Do not insult or put down other participants. Harassment and other exclusionary behavior aren't acceptable. This includes, but is not limited to:
+- Violent threats or language directed against another person.
+- Discriminatory jokes and language.
+- Posting sexually explicit or violent material.
+- Posting (or threatening to post) other people's personally identifying information ("doxing").
+- Personal insults, especially those using racist or sexist terms.
+- Unwelcome sexual attention.
+- Advocating for, or encouraging, any of the above behavior.
+- Repeated harassment of others. In general, if someone asks you to stop, then stop.
+- **When we disagree, try to understand why.** Disagreements, both social and technical, happen all the time and OpenIsle is no exception. It is important that we resolve disagreements and differing views constructively. Remember that we’re different. The strength of OpenIsle comes from its varied community, people from a wide range of backgrounds. Different people have different perspectives on issues. Being unable to understand why someone holds a viewpoint doesn’t mean that they’re wrong. Don’t forget that it is human to err and blaming each other doesn’t get us anywhere. Instead, focus on helping to resolve issues and learning from mistakes.
+
+Original text courtesy of the [Speak Up! project](http://web.archive.org/web/20141109123859/http://speakup.io/coc.html).
+
+## Questions?
+
+If you have questions, please see . If that doesn't answer your questions, feel free to [contact us](mailto:).

CONTRIBUTING.md

@@ -0,0 +1,263 @@
+- [前置工作](#前置工作)
+- [前端极速调试（Docker 全量环境）](#前端极速调试docker-全量环境)
+  - [dev 与 dev_local_backend 巡航指南](#dev-dev_local_backend-guide)
+- [启动后端服务](#启动后端服务)
+  - [本地 IDEA](#本地-idea)
+    - [配置环境变量](#配置环境变量)
+    - [配置 IDEA 参数](#配置-idea-参数)
+- [启动前端服务](#启动前端服务)
+  - [连接预发或正式环境](#连接预发或正式环境)
+- [其他配置](#其他配置)
+  - [配置第三方登录以GitHub为例](#配置第三方登录以github为例)
+  - [配置Resend邮箱服务](#配置resend邮箱服务)
+- [API文档](#api文档)
+  - [OpenAPI文档](#openapi文档)
+  - [部署时间线以及文档时效性](#部署时间线以及文档时效性)
+  - [OpenAPI文档使用](#openapi文档使用)
+  - [OpenAPI文档应用场景](#openapi文档应用场景)
+
+## 前置工作
+
+先克隆仓库：
+
+```shell
+git clone https://github.com/nagisa77/OpenIsle.git
+cd OpenIsle
+```
+
+- 后端开发环境
+  - JDK 17+
+- 前端开发环境
+  - Node.JS 20+
+
+## 前端极速调试（Docker 全量环境）
+
+想要最快速地同时体验前端和后端，可直接使用仓库提供的 Docker Compose。该方案会一次性拉起数据库、消息队列、搜索、后端、WebSocket 以及前端 Dev Server，适合需要全链路联调的场景。
+
+1. 准备环境变量文件：
+   ```shell
+   cp .env.example .env
+   ```
+   `.env.example` 是模板，可在 `.env` 中按需覆盖如端口、密钥等配置。确保 `NUXT_PUBLIC_API_BASE_URL`、`NUXT_PUBLIC_WEBSOCKET_URL` 等仍指向 `localhost`，方便前端直接访问容器映射端口。
+2. 启动 Dev Profile：
+   ```shell
+   docker compose \
+     -f docker/docker-compose.yaml \
+     --env-file .env \
+     --profile dev up -d
+   ```
+   该命令会创建名为 `frontend_dev` 的容器并运行 `npm run dev`，浏览器访问 http://127.0.0.1:3000 即可查看页面。
+   修改前端代码，页面会热更新。
+   如果修改后端代码，可以重启后端容器, 或是环境变量中指向IDEA，采用IDEA编译运行也可以哦。
+
+   ```shell
+   docker compose \
+     -f docker/docker-compose.yaml \
+     --env-file .env \
+     --profile dev up -d --force-recreate
+   ```
+
+3. 查看服务状态：
+   ```shell
+   docker compose -f docker/docker-compose.yaml --env-file .env ps
+   docker compose -f docker/docker-compose.yaml --env-file .env logs -f frontend_dev
+   ```
+4. 停止所有容器：
+   ```shell
+   docker compose -f docker/docker-compose.yaml --env-file .env --profile dev down
+   ```
+
+5. 开发时若需要**重置所有容器及其挂载的数据卷**，可以执行：
+   ```shell
+   docker compose -f docker/docker-compose.yaml --env-file .env --profile dev down -v
+   ```
+   `-v` 参数会在关闭容器的同时移除通过 `volumes` 声明的挂载卷，适用于希望清理数据库、缓存等持久化数据，确保下一次启动时获得全新环境的场景。
+
+如需自定义 Node 依赖缓存、数据库持久化等，可参考 `docker/docker-compose.yaml` 中各卷的定义进行调整。
+
+<a id="dev-dev_local_backend-guide"></a>
+
+### 🧭 dev 与 dev_local_backend 巡航指南
+
+在需要本地 IDE 启动后端、而容器只提供 MySQL、Redis、RabbitMQ、OpenSearch 等依赖时，可切换到 `dev_local_backend` Profile：
+
+```bash
+docker compose \
+  -f docker/docker-compose.yaml \
+  --env-file .env \
+  --profile dev_local_backend up -d
+```
+
+> [!TIP]
+> 该 Profile 不会启动 Docker 内的 Spring Boot 服务，`frontend_dev_local_backend` 会通过 `host.docker.internal` 访问你本机正在运行的后端。非常适合用 IDEA/VS Code 调试 Java 服务的场景！
+
+| 想要的体验 | 推荐 Profile | 会启动的关键容器 | 备注 |
+| --- | --- | --- | --- |
+| 🚀 一键启动前后端 | `dev` | `springboot`、`frontend_dev`、`mysql`… | 纯容器内跑全链路，省心省力 |
+| 🛠️ IDE 启动后端 + 容器托管依赖 | `dev_local_backend` | `frontend_dev_local_backend`、`mysql`、`redis`… | 记得本地后端监听 `8080`/`8082` 等端口 |
+
+切换 Profile 时，请先停掉当前组合再启动另一组，避免端口占用或容器命名冲突：
+
+```bash
+docker compose -f docker/docker-compose.yaml --env-file .env --profile dev down
+# 或者
+docker compose -f docker/docker-compose.yaml --env-file .env --profile dev_local_backend down
+```
+
+常见小贴士：
+
+- 🧹 需要彻底清理依赖时，别忘了追加 `-v` 清除持久化数据卷。
+- 🪄 仅切换 Profile 时通常无需重新 `build`，除非你更新了镜像依赖。
+- 🧪 如需确认前端容器访问的是本机后端，可在 IDE 控制台查看请求日志或执行 `curl http://localhost:8080/actuator/health` 进行自检。
+
+## 启动后端服务
+
+启动后端服务有多种方式，选择一种即可。
+
+> [!IMPORTANT]
+> 仅想修改前端的朋友可不用部署后端服务。转到 [启动前端服务](#启动前端服务) 章节。
+
+### 本地 IDEA
+
+```shell
+cd backend/
+```
+
+IDEA 打开 `backend/` 文件夹。
+
+#### 配置环境变量
+
+1. 生成环境变量文件：
+   ```shell
+   cp open-isle.env.example open-isle.env
+   ```
+   `open-isle.env` 才是实际被读取的文件。可在其中补充数据库、第三方服务等配置，`open-isle.env` 已被 Git 忽略，放心修改。
+2. 在 IDEA 中配置「Environment file」：将 `Run/Debug Configuration` 的 `Environment variables` 指向刚刚复制的 `open-isle.env`，即可让 IDE 读取该文件。
+3. 需要调整端口或功能开关时，优先修改 `open-isle.env`，例如：
+   ```ini
+   SERVER_PORT=8081
+   LOG_LEVEL=DEBUG
+   ```
+
+> [!WARNING]
+> 如果你通过 `dev_local_backend` Profile 启动了数据库/缓存等依赖，却让后端由 IDEA 在宿主机运行，请务必将 `open-isle.env`（或 IDEA 的环境变量面板）中的主机名改成 `localhost`：
+>
+> ```ini
+> MYSQL_HOST=localhost
+> REDIS_HOST=localhost
+> RABBITMQ_HOST=localhost
+> ```
+>
+> 对应的容器端口均已映射到宿主机，无需额外配置。若仍保留默认的 `mysql`、`redis`、`rabbitmq`，IDEA 将尝试解析容器网络内的别名而导致连接失败。
+
+也可以修改 `src/main/resources/application.properties`，但该文件会被 Git 追踪，通常不推荐。
+
+![配置数据库](assets/contributing/backend_img_5.png)
+
+#### 配置 IDEA 参数
+
+- 设置 JDK 版本为 Java 17。
+- 设置 VM Option，最好运行在其他端口（例如 `8081`）。若已经在 `open-isle.env` 中调整端口，可省略此步骤。
+  ```shell
+  -Dserver.port=8081
+  ```
+
+![配置1](assets/contributing/backend_img_3.png)
+
+![配置2](assets/contributing/backend_img_2.png)
+
+完成环境变量和运行参数设置后，即可启动 Spring Boot 应用。
+
+![运行画面](assets/contributing/backend_img_4.png)
+
+## 前端连接预发或正式环境
+
+前端默认读取 `.env` 中的接口地址，可通过修改以下变量快速切换到预发或正式环境：
+
+1. 按需覆盖关键变量：
+
+   ```ini
+   NUXT_PUBLIC_API_BASE_URL=https://www.staging.open-isle.com
+   NUXT_PUBLIC_WEBSOCKET_URL=https://www.staging.open-isle.com
+   ```
+   将 `staging` 替换为 `www` 即可连接正式环境。其他变量（如 OAuth Client ID、站点地址等）可根据需求调整。
+
+
+## 其他配置
+
+### 配置第三方登录以GitHub为例
+
+- 修改 `application.properties` 配置
+
+  ![后端配置](assets/contributing/backend_img.png)
+
+- 修改 `.env` 配置
+
+  ![前端](assets/contributing/fontend_img.png)
+
+- 配置第三方登录回调地址
+
+  ![github配置](assets/contributing/github_img.png)
+
+  ![github配置2](assets/contributing/github_img_2.png)
+
+### 配置Resend邮箱服务
+
+https://resend.com/emails 创建账号并登录
+
+- `Domains` -> `Add Domain`
+  ![image-20250906150459400](assets/contributing/image-20250906150459400.png)
+
+- 填写域名
+  ![image-20250906150541817](assets/contributing/image-20250906150541817.png)
+
+- 等待一段时间后解析成功，创建 key
+  `API Keys` -> `Create API Key`，输入名称，设置 `Permission` 为 `Sending access`
+  **Key 只能查看一次，务必保存下来**
+  ![image-20250906150811572](assets/contributing/image-20250906150811572.png)
+  ![image-20250906150924975](assets/contributing/image-20250906150924975.png)
+  ![image-20250906150944130](assets/contributing/image-20250906150944130.png)
+- 修改 `.env` 配置中的 `RESEND_API_KEY` 和 `RESEND_FROM_EMAIL`
+  `RESEND_FROM_EMAIL`： **noreply@域名**
+  `RESEND_API_KEY`：**刚刚复制的 Key**
+  ![image-20250906151218330](assets/contributing/image-20250906151218330.png)
+
+## API文档
+
+### OpenAPI文档
+https://docs.open-isle.com
+
+### 部署时间线以及文档时效性
+
+我已经将API Docs的部署融合进本站CI & CD中，目前如下
+
+- 每次合入main之后，都会构建预发环境 http://staging.open-isle.com/ ,现在文档是紧随其后进行部署，也就是说代码合入main之后，如果是新增后台接口，就可以立即通过OpenAPI文档页面进行查看和调试，但是如果想通过OpenAPI调试需要选择预发环境的
+- 每日凌晨三点会构建并重新部署正式环境，届时当日合入main的新后台API也可以通过OpenAPI文档页面调试
+
+![CleanShot 2025-09-10 at 12 .04.48@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/168303009f4047ca828344957e911ff1.png)
+
+👆如图是合入main之后构建预发+docs的情形，总大约耗时4分钟左右
+
+### OpenAPI文档使用
+
+- 预发环境/正式环境切换，以通过如下位置切换API环境
+
+![CleanShot 2025-09-10 at 12 .08.00@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/f9fb7a0f020d4a0e94159d7820783224.png)
+
+- API分两种，一种是需要鉴权（需登录后的token），另一种是直接访问，可以直接访问的GET请求，直接点击Send即可调试，如下👇，比如本站的推荐流rss: /api/rss: https://docs.open-isle.com/openapi/feed
+
+![CleanShot 2025-09-10 at 12 .09.48@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/2afb42e0c96340559dd42854905ca5fc.png)
+
+- 需要登陆的API，比如关注，取消关注，发帖等，则需要提供token，目前在“API与调试”可获取自身token，可点击link看看👉 https://www.open-isle.com/about?tab=api
+
+![CleanShot 2025-09-10 at 12 .11.07@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/74033f1b9cc14f2fab3cbe3b7fe306d8.png)
+
+copy完token之后，粘贴到Bear之后, 即可发送调试， 如下👇，大家亦可自行尝试：https://docs.open-isle.com/openapi/me
+
+![CleanShot 2025-09-10 at 12 .13.00@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/63913fe2e70541a486651e35c723765e.png)
+
+#### OpenAPI文档应用场景
+
+- 方便大部分前端调试的需求，如果有只想做前端/客户端的同学参与本项目，该平台会大大提高效率
+- 自动化：有自动化发帖/自动化操作的需求，亦可通过该平台实现或调试
+- API文档: https://docs.open-isle.com/openapi

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Tim
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,28 +1,23 @@
 <p align="center">
   <img alt="OpenIsle" src="https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png" width="200">
-  <br><br>
-  高效的开源社区前后端端平台
-  <br><br>
-  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square"></a>
+  <br>
+  高效的开源社区前后端平台
+  <br><br><br>
+  <img alt="Image" src="https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/22752cfac5a04a9c90c41995b9f55fed.png" width="1200">
+    <br><br><br>
+  <a href="https://hellogithub.com/repository/nagisa77/OpenIsle" target="_blank"><img src="https://abroad.hellogithub.com/v1/widgets/recommend.svg?rid=8605546658d94cbab45182af2a02e4c8&claim_uid=p5GNFTtZl6HBAYQ" alt="Featured｜HelloGitHub" style="width: 250px; height: 54px;" width="250" height="54" /></a>
 </p>
 
 ## 💡 简介
 
 OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台，提供用户注册、登录、贴文发布、评论交互等完整功能，可用于项目社区或直接打造自主社区站点。
 
-## 🚀 部署
+## 🚧 开发 & 部署
 
-### 后端
-1. 确保安装 JDK 17 及 Maven
-2. 信息配置修改 `src/main/resources/application.properties`，或通过环境变量设置数据库等参数
-3. 执行 `mvn clean package` 生成包，之后使用 `java -jar target/openisle-0.0.1-SNAPSHOT.jar`启动，或在开发时直接使用 `mvn spring-boot:run`
-
-### 前端
-1. `cd open-isle-cli`
-2. 执行 `npm install`
-3. `npm run serve`可在本地启动开发服务，产品环境使用 `npm run build`生成 `dist/` 文件，配合线上网站方式部署
+详细见 [Contributing](https://github.com/nagisa77/OpenIsle?tab=contributing-ov-file)
 
 ## ✨ 项目特点
+
 - JWT 认证以及 Google、GitHub、Discord、Twitter 等多种 OAuth 登录
 - 支持分类、标签的贴文管理以及草稿保存功能
 - 嵌套评论、指定贴文或评论的点赞/抖弹系统
@@ -31,14 +26,18 @@ OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台
 - 集成 OpenAI 提供的 Markdown 格式化功能
 - 通过环境变量可调整密码强度、登录方式、保护码等多种配置
 - 支持图片上传，默认使用腾讯云 COS 扩展
+- 默认头像使用 DiceBear Avatars，可通过 `AVATAR_STYLE` 和 `AVATAR_SIZE` 环境变量自定义主题和大小
+- 浏览器推送通知，离开网站也能及时收到提醒
 
 ## 🌟 项目优势
+
 - 全面开源，便于二次开发和自定义扩展
 - Spring Boot + Vue 3 成熟技术栈，学习起点低，社区资源丰富
 - 支持多种登录方式和角色权限，容易展展到不同场景
 - 模块化设计，代码结构清晰，维护成本低
 - REST API 可接入任意前端框架，兼容多端平台
 - 配置简单，通过环境变量快速调整和部署
+- 如需推送通知，请设置 `WEBPUSH_PUBLIC_KEY` 和 `WEBPUSH_PRIVATE_KEY` 环境变量
 
 ## 🏘️ 社区
 
@@ -49,6 +48,7 @@ OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台
 本项目以 MIT License 发布，欢迎自由使用与修改。
 
 ## 🙏 鼓赞
+
 - [Spring Boot](https://spring.io/projects/spring-boot)
 - [JJWT](https://github.com/jwtk/jjwt)
 - [Lombok](https://github.com/projectlombok/lombok)

SECURITY.md

@@ -0,0 +1,176 @@
+# Security Policy
+
+## Supported Versions
+
+We take the security of OpenIsle seriously. The following versions are currently being supported with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.0.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
+
+### How to Report a Security Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via one of the following methods:
+
+1. **Email**: Send a detailed report to the project maintainer (check the repository for contact information)
+2. **GitHub Security Advisory**: Use GitHub's private vulnerability reporting feature at https://github.com/nagisa77/OpenIsle/security/advisories/new
+
+### What to Include in Your Report
+
+To help us better understand the nature and scope of the issue, please include as much of the following information as possible:
+
+- Type of issue (e.g., SQL injection, XSS, authentication bypass, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit it
+
+### Response Timeline
+
+- **Initial Response**: We will acknowledge your report within 48 hours
+- **Status Updates**: We will provide status updates at least every 5 business days
+- **Resolution**: We aim to resolve critical vulnerabilities within 30 days of disclosure
+
+### What to Expect
+
+After you submit a report:
+
+1. We will confirm receipt of your vulnerability report and may ask for additional information
+2. We will investigate the issue and determine its impact and severity
+3. We will work on a fix and coordinate disclosure timing with you
+4. Once the fix is ready, we will release it and publicly acknowledge your contribution (unless you prefer to remain anonymous)
+
+## Security Considerations for Deployment
+
+### Authentication & Authorization
+
+- **JWT Tokens**: Ensure `JWT_SECRET` environment variable is set to a strong, random value (minimum 256 bits)
+- **OAuth Credentials**: Keep OAuth client secrets secure and never commit them to version control
+- **Session Management**: Configure appropriate session timeout values
+
+### Database Security
+
+- Use strong database passwords
+- Never expose database ports publicly
+- Use database connection encryption when available
+- Regularly backup your database
+
+### API Security
+
+- Enable rate limiting to prevent abuse
+- Validate all user inputs on both client and server side
+- Use HTTPS in production environments
+- Configure CORS properly to restrict origins
+
+### Environment Variables
+
+The following sensitive environment variables should be kept secure:
+
+- `JWT_SECRET` - JWT signing key
+- `GOOGLE_CLIENT_SECRET` - Google OAuth credentials
+- `GITHUB_CLIENT_SECRET` - GitHub OAuth credentials
+- `DISCORD_CLIENT_SECRET` - Discord OAuth credentials
+- `TWITTER_CLIENT_SECRET` - Twitter OAuth credentials
+- `WEBPUSH_PRIVATE_KEY` - Web push notification private key
+- Database connection strings and credentials
+- Cloud storage credentials (Tencent COS)
+
+**Never commit these values to version control or expose them in logs.**
+
+### File Upload Security
+
+- Validate file types and sizes
+- Scan uploaded files for malware
+- Store uploaded files outside the web root
+- Use cloud storage with proper access controls
+
+### Password Security
+
+- Configure password strength requirements via environment variables
+- Use bcrypt or similar strong hashing algorithms (already implemented in Spring Security)
+- Implement account lockout after failed login attempts
+
+### Web Push Notifications
+
+- Keep `WEBPUSH_PRIVATE_KEY` secret and secure
+- Only send notifications to users who have explicitly opted in
+- Validate notification payloads
+
+### Dependency Management
+
+- Regularly update dependencies to patch known vulnerabilities
+- Run `mvn dependency-check:check` to scan for vulnerable dependencies
+- Monitor GitHub security advisories for this project
+
+### Production Deployment Checklist
+
+- [ ] Use HTTPS/TLS for all connections
+- [ ] Set strong, unique secrets for all environment variables
+- [ ] Enable CSRF protection
+- [ ] Configure secure headers (CSP, X-Frame-Options, etc.)
+- [ ] Disable debug mode and verbose error messages
+- [ ] Set up proper logging and monitoring
+- [ ] Implement rate limiting and DDoS protection
+- [ ] Regular security updates and patches
+- [ ] Database backups and disaster recovery plan
+- [ ] Restrict admin access to trusted IPs when possible
+
+## Known Security Features
+
+OpenIsle includes the following security features:
+
+- JWT-based authentication with configurable expiration
+- OAuth 2.0 integration with major providers
+- Password strength validation
+- Protection codes for sensitive operations
+- Input validation and sanitization
+- SQL injection prevention through ORM (JPA/Hibernate)
+- XSS protection in Vue.js templates
+- CSRF protection (Spring Security)
+
+## Security Best Practices for Contributors
+
+- Never commit credentials, API keys, or secrets
+- Follow secure coding practices (OWASP Top 10)
+- Validate and sanitize all user inputs
+- Use parameterized queries for database operations
+- Implement proper error handling without exposing sensitive information
+- Write security tests for new features
+- Review code for security issues before submitting PRs
+
+## Disclosure Policy
+
+When we receive a security bug report, we will:
+
+1. Confirm the problem and determine affected versions
+2. Audit code to find any similar problems
+3. Prepare fixes for all supported versions
+4. Release patches as soon as possible
+
+We appreciate your help in keeping OpenIsle and its users safe!
+
+## Attribution
+
+We believe in recognizing security researchers who help improve OpenIsle's security. With your permission, we will acknowledge your contribution in:
+
+- Security advisory
+- Release notes
+- A security hall of fame (if established)
+
+If you prefer to remain anonymous, we will respect your wishes.
+
+## Contact
+
+For any security-related questions or concerns, please reach out through the channels mentioned above.
+
+---
+
+Thank you for helping keep OpenIsle secure!

backend/.prettierrc

@@ -0,0 +1,23 @@
+{
+  "printWidth": 100,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "all",
+  "endOfLine": "lf",
+  "proseWrap": "preserve",
+  "plugins": ["prettier-plugin-java"],
+  "overrides": [
+    {
+      "files": "*.java",
+      "options": {
+        "printWidth": 100,
+        "tabWidth": 2,
+        "semi": true,
+        "singleQuote": false,
+        "trailingComma": "es5"
+      }
+    }
+  ]
+}

backend/open-isle.env.example

@@ -0,0 +1,58 @@
+# 所有环境变量已集中在仓库根目录的 .env.*.example 文件。
+# 此文件保留作参考用途，如需在 Docker 之外手动配置，可按需复制。
+
+# === Spring Boot ===
+SERVER_PORT=8080
+
+# === Database ===
+MYSQL_URL=jdbc:mysql://<数据库地址>:<数据库端口>/<数据库名>?useUnicode=yes&characterEncoding=UTF-8&useInformationSchema=true&useSSL=false&serverTimezone=UTC
+MYSQL_USER=<数据库用户名>
+MYSQL_PASSWORD=<数据库密码>
+
+# === JWT ===
+JWT_SECRET=<jwt secret>
+JWT_REASON_SECRET=<jwt reason secret>
+JWT_RESET_SECRET=<jwt reset secret>
+JWT_INVITE_SECRET=<jwt invite secret>
+JWT_EXPIRATION=2592000000
+
+# === Redis ===
+REDIS_HOST=<Redis 地址>
+REDIS_PORT=<Redis 端口>
+REDIS_PASS=<Redis 密码>
+
+# === Resend ===
+RESEND_API_KEY=<你的resend-api-key>
+RESEND_FROM_EMAIL=<你的 resend 发送邮箱>
+
+# === COS ===
+# COS_BASE_URL=https://<你的cos>.cos.ap-guangzhou.myqcloud.com
+COS_BASE_URL=https://<你的cos>.cos.accelerate.myqcloud.com
+COS_SECRET_ID=<你的cos-secret-id>
+COS_SECRET_KEY=<你的cos-secret-key>
+COS_BUCKET_NAME=<你的cos-bucket-name>
+
+# === OAuth ===
+GOOGLE_CLIENT_ID=<你的google-client-id>
+GITHUB_CLIENT_ID=<你的github-client-id>
+GITHUB_CLIENT_SECRET=<你的github-client-secret>
+TWITTER_CLIENT_ID=<你的twitter-client-id>
+TWITTER_CLIENT_SECRET=<你的-twitter-client-secret>
+DISCORD_CLIENT_ID=<你的discord-client-id>
+DISCORD_CLIENT_SECRET=<你的discord-client-secret>
+TELEGRAM_BOT_TOKEN=<你的telegram-bot-token>
+
+# === OPENAI ===
+OPENAI_API_KEY=<你的openai-api-key>
+
+# === Webpush ===
+WEBPUSH_PUBLIC_KEY=<你的webpush-public-key>
+WEBPUSH_PRIVATE_KEY=<你的webpush-private-key>
+
+# === RabbitMQ ===
+RABBITMQ_HOST=<你的rabbitmq_host>
+RABBITMQ_PORT=<你的rabbitmq_port>
+RABBITMQ_USERNAME=<你的rabbitmq_username>
+RABBITMQ_PASSWORD=<你的rabbitmq_password>
+
+# LOG_LEVEL=DEBUG

backend/pom.xml

@@ -26,6 +26,23 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-web</artifactId>
     </dependency>
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-amqp</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-data-redis</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-jsr310</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-hibernate6</artifactId>
+      <version>2.20.0</version>
+    </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
@@ -38,6 +55,16 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-security</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.vladsch.flexmark</groupId>
+      <artifactId>flexmark-all</artifactId>
+      <version>0.64.8</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <version>1.17.2</version>
+    </dependency>
     <dependency>
       <groupId>com.mysql</groupId>
       <artifactId>mysql-connector-j</artifactId>
@@ -90,6 +117,38 @@
       <artifactId>spring-boot-starter-test</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>nl.martijndwars</groupId>
+      <artifactId>web-push</artifactId>
+      <version>5.1.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.70</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springdoc</groupId>
+      <artifactId>springdoc-openapi-starter-webmvc-api</artifactId>
+      <version>2.2.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+    </dependency>
+    <!-- 高阶 Java 客户端 -->
+    <dependency>
+      <groupId>org.opensearch.client</groupId>
+      <artifactId>opensearch-java</artifactId>
+      <version>3.2.0</version>
+    </dependency>
+
+    <!-- 低阶 RestClient，提供 org.opensearch.client.RestClient 给你的 RestClientTransport 用 -->
+    <dependency>
+      <groupId>org.opensearch.client</groupId>
+      <artifactId>opensearch-rest-client</artifactId>
+      <version>3.2.0</version>
+    </dependency>
   </dependencies>
 
   <build>
@@ -117,6 +176,26 @@
           </annotationProcessorPaths>
         </configuration>
       </plugin>
+
+      <plugin>
+        <!-- https://github.com/OpenAPITools/openapi-generator/blob/master/modules/openapi-generator-maven-plugin/README.md -->
+        <groupId>org.springdoc</groupId>
+        <artifactId>springdoc-openapi-maven-plugin</artifactId>
+        <version>1.4</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>generate</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <!-- 此处为硬编码，应优化为 env 的配置 -->
+          <apiDocsUrl>http://localhost:8080/api/v3/api-docs</apiDocsUrl>
+          <outputFileName>openapi.json</outputFileName>
+          <outputDir>${project.build.directory}</outputDir>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 </project>

backend/src/main/java/com/openisle/OpenIsleApplication.java

@@ -0,0 +1,14 @@
+package com.openisle;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.scheduling.annotation.EnableScheduling;
+
+@SpringBootApplication
+@EnableScheduling
+public class OpenIsleApplication {
+
+  public static void main(String[] args) {
+    SpringApplication.run(OpenIsleApplication.class, args);
+  }
+}

backend/src/main/java/com/openisle/config/ActivityInitializer.java

@@ -0,0 +1,42 @@
+package com.openisle.config;
+
+import com.openisle.model.Activity;
+import com.openisle.model.ActivityType;
+import com.openisle.repository.ActivityRepository;
+import java.time.LocalDate;
+import java.time.LocalDateTime;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class ActivityInitializer implements CommandLineRunner {
+
+  private final ActivityRepository activityRepository;
+
+  @Override
+  public void run(String... args) {
+    if (activityRepository.findByType(ActivityType.MILK_TEA) == null) {
+      Activity a = new Activity();
+      a.setTitle("🎡建站送奶茶活动");
+      a.setType(ActivityType.MILK_TEA);
+      a.setIcon("https://icons.veryicon.com/png/o/food--drinks/delicious-food-1/coffee-36.png");
+      a.setContent(
+        "为了有利于建站推广以及激励发布内容，我们推出了建站送奶茶的活动，前50名达到level 1的用户，可以联系站长获取奶茶/咖啡一杯"
+      );
+      activityRepository.save(a);
+    }
+
+    if (activityRepository.findByType(ActivityType.INVITE_POINTS) == null) {
+      Activity a = new Activity();
+      a.setTitle("🎁邀请码送积分活动");
+      a.setType(ActivityType.INVITE_POINTS);
+      a.setIcon("https://img.icons8.com/color/96/gift.png");
+      a.setContent("使用邀请码注册或邀请好友即可获得积分奖励，快来参与吧！");
+      a.setStartTime(LocalDateTime.now());
+      a.setEndTime(LocalDate.of(LocalDate.now().getYear(), 10, 1).atStartOfDay());
+      activityRepository.save(a);
+    }
+  }
+}

backend/src/main/java/com/openisle/config/AsyncConfig.java

@@ -0,0 +1,23 @@
+package com.openisle.config;
+
+import java.util.concurrent.Executor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
+
+@Configuration
+@EnableAsync
+public class AsyncConfig {
+
+  @Bean(name = "notificationExecutor")
+  public Executor notificationExecutor() {
+    ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+    executor.setCorePoolSize(2);
+    executor.setMaxPoolSize(10);
+    executor.setQueueCapacity(100);
+    executor.setThreadNamePrefix("notification-");
+    executor.initialize();
+    return executor;
+  }
+}

backend/src/main/java/com/openisle/config/CachingConfig.java

@@ -0,0 +1,139 @@
+package com.openisle.config;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
+import com.fasterxml.jackson.datatype.hibernate6.Hibernate6Module;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.Map;
+import org.springframework.cache.CacheManager;
+import org.springframework.cache.annotation.EnableCaching;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+import org.springframework.data.redis.cache.RedisCacheConfiguration;
+import org.springframework.data.redis.cache.RedisCacheManager;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
+import org.springframework.data.redis.serializer.RedisSerializationContext;
+import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.data.redis.serializer.StringRedisSerializer;
+
+/**
+ * Redis 缓存配置类
+ * @author smallclover
+ * @since 2025-09-04
+ */
+@Configuration
+@EnableCaching
+public class CachingConfig {
+
+  // 标签缓存名
+  public static final String TAG_CACHE_NAME = "openisle_tags";
+  // 分类缓存名
+  public static final String CATEGORY_CACHE_NAME = "openisle_categories";
+  // 在线人数缓存名
+  public static final String ONLINE_CACHE_NAME = "openisle_online";
+  // 注册验证码
+  public static final String VERIFY_CACHE_NAME = "openisle_verify";
+  // 发帖频率限制
+  public static final String LIMIT_CACHE_NAME = "openisle_limit";
+  // 用户访问统计
+  public static final String VISIT_CACHE_NAME = "openisle_visit";
+  // 文章缓存
+  public static final String POST_CACHE_NAME = "openisle_posts";
+
+  /**
+   * 自定义Redis的序列化器
+   * @return
+   */
+  @Bean
+  @Primary
+  public RedisSerializer<Object> redisSerializer() {
+    // 注册 JavaTimeModule 來支持 Java 8 的日期和时间 API,否则回报一下错误，同时还要引入jsr310
+
+    // org.springframework.data.redis.serializer.SerializationException: Could not write JSON: Java 8 date/time type `java.time.LocalDateTime` not supported by default:
+    // add Module "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" to enable handling
+    // (through reference chain: java.util.ArrayList[0]->com.openisle.dto.TagDto["createdAt"])
+    // 设置可见性，允许序列化所有元素
+    ObjectMapper objectMapper = new ObjectMapper();
+    objectMapper.registerModule(new JavaTimeModule());
+    // Hibernate6Module 可以自动处理懒加载代理对象。
+    // Tag对象的creator是FetchType.LAZY
+    objectMapper.registerModule(
+      new Hibernate6Module()
+        .disable(Hibernate6Module.Feature.USE_TRANSIENT_ANNOTATION)
+        // 将 Hibernate 特有的集合类型转换为标准 Java 集合类型
+        // 避免序列化时出现 org.hibernate.collection.spi.PersistentSet 这样的类型信息
+        .configure(Hibernate6Module.Feature.REPLACE_PERSISTENT_COLLECTIONS, true)
+    );
+    // service的时候带上类型信息
+    // 启用类型信息，避免 LinkedHashMap 问题
+    objectMapper.activateDefaultTyping(
+      LaissezFaireSubTypeValidator.instance,
+      ObjectMapper.DefaultTyping.NON_FINAL,
+      JsonTypeInfo.As.PROPERTY
+    );
+    objectMapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
+    return new GenericJackson2JsonRedisSerializer(objectMapper);
+  }
+
+  /**
+   * 配置 Spring Cache 使用 RedisCacheManager
+   */
+  @Bean
+  public CacheManager cacheManager(
+    RedisConnectionFactory connectionFactory,
+    RedisSerializer<Object> redisSerializer
+  ) {
+    RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig()
+      .entryTtl(Duration.ZERO) // 默认缓存不过期
+      .serializeKeysWith(
+        RedisSerializationContext.SerializationPair.fromSerializer(new StringRedisSerializer())
+      )
+      .serializeValuesWith(
+        RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer)
+      )
+      .disableCachingNullValues(); // 禁止缓存 null 值
+
+    // 个别缓存单独设置 TTL 时间
+    Map<String, RedisCacheConfiguration> cacheConfigs = new HashMap<>();
+    RedisCacheConfiguration oneHourConfig = config.entryTtl(Duration.ofHours(1));
+    RedisCacheConfiguration tenMinutesConfig = config.entryTtl(Duration.ofMinutes(10));
+    cacheConfigs.put(TAG_CACHE_NAME, oneHourConfig);
+    cacheConfigs.put(CATEGORY_CACHE_NAME, oneHourConfig);
+    cacheConfigs.put(POST_CACHE_NAME, tenMinutesConfig);
+
+    return RedisCacheManager.builder(connectionFactory)
+      .cacheDefaults(config)
+      .withInitialCacheConfigurations(cacheConfigs)
+      .build();
+  }
+
+  /**
+   * 配置 RedisTemplate，支持直接操作 Redis
+   */
+  @Bean
+  public RedisTemplate<String, Object> redisTemplate(
+    RedisConnectionFactory connectionFactory,
+    RedisSerializer<Object> redisSerializer
+  ) {
+    RedisTemplate<String, Object> template = new RedisTemplate<>();
+    template.setConnectionFactory(connectionFactory);
+
+    // key 和 hashKey 使用 String 序列化
+    template.setKeySerializer(new StringRedisSerializer());
+    template.setHashKeySerializer(new StringRedisSerializer());
+
+    // value 和 hashValue 使用 JSON 序列化
+    template.setValueSerializer(redisSerializer);
+    template.setHashValueSerializer(redisSerializer);
+
+    return template;
+  }
+}

backend/src/main/java/com/openisle/config/ChannelInitializer.java

@@ -0,0 +1,37 @@
+package com.openisle.config;
+
+import com.openisle.model.MessageConversation;
+import com.openisle.repository.MessageConversationRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class ChannelInitializer implements CommandLineRunner {
+
+  private final MessageConversationRepository conversationRepository;
+
+  @Override
+  public void run(String... args) {
+    if (conversationRepository.countByChannelTrue() == 0) {
+      MessageConversation chat = new MessageConversation();
+      chat.setChannel(true);
+      chat.setName("吹水群");
+      chat.setDescription("吹水聊天");
+      chat.setAvatar(
+        "https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/32647273e2334d14adfd4a6ce9db0643.jpeg"
+      );
+      conversationRepository.save(chat);
+
+      MessageConversation tech = new MessageConversation();
+      tech.setChannel(true);
+      tech.setName("技术讨论群");
+      tech.setDescription("讨论技术相关话题");
+      tech.setAvatar(
+        "https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/5edde9a5864e471caa32491dbcdaa8b2.png"
+      );
+      conversationRepository.save(tech);
+    }
+  }
+}

backend/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java

@@ -3,23 +3,25 @@ package com.openisle.config;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.stereotype.Component;
 
-import java.io.IOException;
-
 /**
  * Returns 401 Unauthorized when an authenticated user lacks required privileges.
  */
 @Component
 public class CustomAccessDeniedHandler implements AccessDeniedHandler {
-    @Override
-    public void handle(HttpServletRequest request,
-                       HttpServletResponse response,
-                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
-        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-        response.setContentType("application/json");
-        response.getWriter().write("{\"error\": \"Unauthorized\"}");
-    }
+
+  @Override
+  public void handle(
+    HttpServletRequest request,
+    HttpServletResponse response,
+    AccessDeniedException accessDeniedException
+  ) throws IOException, ServletException {
+    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    response.setContentType("application/json");
+    response.getWriter().write("{\"error\": \"Unauthorized\"}");
+  }
 }

backend/src/main/java/com/openisle/config/OpenApiConfig.java

@@ -0,0 +1,58 @@
+package com.openisle.config;
+
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import io.swagger.v3.oas.models.servers.Server;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@RequiredArgsConstructor
+public class OpenApiConfig {
+
+  private final SpringDocProperties springDocProperties;
+
+  @Value("${springdoc.info.title}")
+  private String title;
+
+  @Value("${springdoc.info.description}")
+  private String description;
+
+  @Value("${springdoc.info.version}")
+  private String version;
+
+  @Value("${springdoc.info.scheme}")
+  private String scheme;
+
+  @Value("${springdoc.info.header}")
+  private String header;
+
+  @Bean
+  public OpenAPI openAPI() {
+    SecurityScheme securityScheme = new SecurityScheme()
+      .type(SecurityScheme.Type.HTTP)
+      .scheme(scheme.toLowerCase())
+      .bearerFormat("JWT")
+      .in(SecurityScheme.In.HEADER)
+      .name(header);
+
+    List<Server> servers = springDocProperties
+      .getServers()
+      .stream()
+      .map(s -> new Server().url(s.getUrl()).description(s.getDescription()))
+      .collect(Collectors.toList());
+
+    return new OpenAPI()
+      .servers(servers)
+      .info(new Info().title(title).description(description).version(version))
+      .components(new Components().addSecuritySchemes("JWT", securityScheme))
+      .addSecurityItem(new SecurityRequirement().addList("JWT"));
+  }
+}

backend/src/main/java/com/openisle/config/PointGoodInitializer.java

@@ -0,0 +1,36 @@
+package com.openisle.config;
+
+import com.openisle.model.PointGood;
+import com.openisle.repository.PointGoodRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+
+/** Initialize default point mall goods. */
+@Component
+@RequiredArgsConstructor
+public class PointGoodInitializer implements CommandLineRunner {
+
+  private final PointGoodRepository pointGoodRepository;
+
+  @Override
+  public void run(String... args) {
+    if (pointGoodRepository.count() == 0) {
+      PointGood g1 = new PointGood();
+      g1.setName("GPT Plus 1 个月");
+      g1.setCost(20000);
+      g1.setImage(
+        "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/chatgpt.png"
+      );
+      pointGoodRepository.save(g1);
+
+      PointGood g2 = new PointGood();
+      g2.setName("奶茶");
+      g2.setCost(5000);
+      g2.setImage(
+        "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/coffee.png"
+      );
+      pointGoodRepository.save(g2);
+    }
+  }
+}

backend/src/main/java/com/openisle/config/RabbitMQConfig.java

@@ -0,0 +1,219 @@
+package com.openisle.config;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.annotation.PostConstruct;
+import java.util.ArrayList;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.amqp.core.Binding;
+import org.springframework.amqp.core.BindingBuilder;
+import org.springframework.amqp.core.Queue;
+import org.springframework.amqp.core.TopicExchange;
+import org.springframework.amqp.rabbit.connection.ConnectionFactory;
+import org.springframework.amqp.rabbit.core.RabbitAdmin;
+import org.springframework.amqp.rabbit.core.RabbitTemplate;
+import org.springframework.amqp.support.converter.Jackson2JsonMessageConverter;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
+
+@Configuration
+@RequiredArgsConstructor
+@Slf4j
+public class RabbitMQConfig {
+
+  public static final String EXCHANGE_NAME = "openisle-exchange";
+  // 保持向后兼容的常量
+  public static final String QUEUE_NAME = "notifications-queue";
+  public static final String ROUTING_KEY = "notifications.routingkey";
+
+  // 硬编码为16以匹配ShardingStrategy中的十六进制分片逻辑
+  private final int queueCount = 16;
+
+  @Value("${rabbitmq.queue.durable}")
+  private boolean queueDurable;
+
+  @PostConstruct
+  public void init() {
+    log.info("RabbitMQ配置初始化: 队列数量={}, 持久化={}", queueCount, queueDurable);
+  }
+
+  @Bean
+  public TopicExchange exchange() {
+    return new TopicExchange(EXCHANGE_NAME);
+  }
+
+  /**
+   * 创建所有分片队列, 使用十六进制后缀 (0-f)
+   */
+  @Bean
+  public List<Queue> shardedQueues() {
+    log.info("开始创建分片队列 Bean...");
+
+    List<Queue> queues = new ArrayList<>();
+    for (int i = 0; i < queueCount; i++) {
+      String shardKey = Integer.toHexString(i);
+      String queueName = "notifications-queue-" + shardKey;
+      Queue queue = new Queue(queueName, queueDurable);
+      queues.add(queue);
+    }
+
+    log.info("分片队列 Bean 创建完成，总数: {}", queues.size());
+    return queues;
+  }
+
+  /**
+   * 创建所有分片绑定, 使用十六进制路由键 (notifications.shard.0 - notifications.shard.f)
+   */
+  @Bean
+  public List<Binding> shardedBindings(
+    TopicExchange exchange,
+    @Qualifier("shardedQueues") List<Queue> shardedQueues
+  ) {
+    log.info("开始创建分片绑定 Bean...");
+    List<Binding> bindings = new ArrayList<>();
+    if (shardedQueues != null) {
+      for (Queue queue : shardedQueues) {
+        String queueName = queue.getName();
+        String shardKey = queueName.substring("notifications-queue-".length());
+        String routingKey = "notifications.shard." + shardKey;
+        Binding binding = BindingBuilder.bind(queue).to(exchange).with(routingKey);
+        bindings.add(binding);
+      }
+    }
+
+    log.info("分片绑定 Bean 创建完成，总数: {}", bindings.size());
+    return bindings;
+  }
+
+  /**
+   * 保持向后兼容的单队列配置（可选）
+   */
+  @Bean
+  public Queue legacyQueue() {
+    return new Queue(QUEUE_NAME, queueDurable);
+  }
+
+  /**
+   * 保持向后兼容的单队列绑定（可选）
+   */
+  @Bean
+  public Binding legacyBinding(Queue legacyQueue, TopicExchange exchange) {
+    return BindingBuilder.bind(legacyQueue).to(exchange).with(ROUTING_KEY);
+  }
+
+  @Bean
+  public Jackson2JsonMessageConverter messageConverter() {
+    ObjectMapper objectMapper = new ObjectMapper();
+    objectMapper.registerModule(new com.fasterxml.jackson.datatype.jsr310.JavaTimeModule());
+    objectMapper.disable(
+      com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATES_AS_TIMESTAMPS
+    );
+    return new Jackson2JsonMessageConverter(objectMapper);
+  }
+
+  @Bean
+  public RabbitAdmin rabbitAdmin(ConnectionFactory connectionFactory) {
+    return new RabbitAdmin(connectionFactory);
+  }
+
+  @Bean
+  public RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory) {
+    RabbitTemplate template = new RabbitTemplate(connectionFactory);
+    template.setMessageConverter(messageConverter());
+    return template;
+  }
+
+  /**
+   * 使用 CommandLineRunner 确保在应用完全启动后声明队列到 RabbitMQ
+   * 这样可以确保 RabbitAdmin 和所有 Bean 都已正确初始化
+   */
+  @Bean
+  @DependsOn({ "rabbitAdmin", "shardedQueues", "exchange" })
+  public CommandLineRunner queueDeclarationRunner(
+    RabbitAdmin rabbitAdmin,
+    @Qualifier("shardedQueues") List<Queue> shardedQueues,
+    TopicExchange exchange,
+    Queue legacyQueue,
+    @Qualifier("shardedBindings") List<Binding> shardedBindings,
+    Binding legacyBinding
+  ) {
+    return args -> {
+      log.info("=== 开始主动声明 RabbitMQ 组件 ===");
+
+      try {
+        // 声明交换
+        rabbitAdmin.declareExchange(exchange);
+
+        // 声明分片队列 - 检查存在性
+        log.info("开始检查并声明 {} 个分片队列...", shardedQueues.size());
+        int successCount = 0;
+        int skippedCount = 0;
+
+        for (Queue queue : shardedQueues) {
+          String queueName = queue.getName();
+          try {
+            // 使用 declareQueue 的返回值判断队列是否已存在
+            // 如果队列已存在且配置匹配，declareQueue 会返回现有队列信息
+            // 如果不匹配或不存在，会创建新队列
+            rabbitAdmin.declareQueue(queue);
+            successCount++;
+          } catch (org.springframework.amqp.AmqpIOException e) {
+            if (
+              e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")
+            ) {
+              skippedCount++;
+            }
+          } catch (Exception e) {
+            log.error("队列声明失败: {}, 错误: {}", queueName, e.getMessage());
+          }
+        }
+        log.info(
+          "分片队列处理完成: 成功 {}, 跳过 {}, 总数 {}",
+          successCount,
+          skippedCount,
+          shardedQueues.size()
+        );
+
+        // 声明分片绑定
+        log.info("开始声明 {} 个分片绑定...", shardedBindings.size());
+        int bindingSuccessCount = 0;
+        for (Binding binding : shardedBindings) {
+          try {
+            rabbitAdmin.declareBinding(binding);
+            bindingSuccessCount++;
+          } catch (Exception e) {
+            log.error("绑定声明失败: {}", e.getMessage());
+          }
+        }
+        log.info("分片绑定声明完成: 成功 {}/{}", bindingSuccessCount, shardedBindings.size());
+
+        // 声明遗留队列和绑定 - 检查存在性
+        try {
+          rabbitAdmin.declareQueue(legacyQueue);
+          rabbitAdmin.declareBinding(legacyBinding);
+          log.info("遗留队列和绑定就绪: {} (已存在或新创建)", QUEUE_NAME);
+        } catch (org.springframework.amqp.AmqpIOException e) {
+          if (
+            e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")
+          ) {
+            log.warn("遗留队列已存在但 durable 设置不匹配: {}, 保持现有队列", QUEUE_NAME);
+          } else {
+            log.error("遗留队列声明失败: {}, 错误: {}", QUEUE_NAME, e.getMessage());
+          }
+        } catch (Exception e) {
+          log.error("遗留队列声明失败: {}, 错误: {}", QUEUE_NAME, e.getMessage());
+        }
+
+        log.info("=== RabbitMQ 组件声明完成 ===");
+        log.info("请检查 RabbitMQ 管理界面确认队列已正确创建");
+      } catch (Exception e) {
+        log.error("RabbitMQ 组件声明过程中发生严重错误", e);
+      }
+    };
+  }
+}

backend/src/main/java/com/openisle/config/RedisConnectionLogger.java

@@ -0,0 +1,35 @@
+package com.openisle.config;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.stereotype.Component;
+
+/**
+ * Logs a message when a Redis connection is successfully established.
+ */
+@Component
+@Slf4j
+public class RedisConnectionLogger implements InitializingBean {
+
+  private final RedisConnectionFactory connectionFactory;
+
+  public RedisConnectionLogger(RedisConnectionFactory connectionFactory) {
+    this.connectionFactory = connectionFactory;
+  }
+
+  @Override
+  public void afterPropertiesSet() {
+    try (var connection = connectionFactory.getConnection()) {
+      connection.ping();
+      if (connectionFactory instanceof LettuceConnectionFactory lettuce) {
+        log.info("Redis connection established at {}:{}", lettuce.getHostName(), lettuce.getPort());
+      } else {
+        log.info("Redis connection established");
+      }
+    } catch (Exception e) {
+      log.error("Failed to connect to Redis", e);
+    }
+  }
+}

backend/src/main/java/com/openisle/config/SchedulerConfig.java

@@ -0,0 +1,21 @@
+package com.openisle.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.TaskScheduler;
+import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
+
+@Configuration
+@EnableScheduling
+public class SchedulerConfig {
+
+  @Bean
+  public TaskScheduler taskScheduler() {
+    ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
+    scheduler.setPoolSize(2);
+    scheduler.setThreadNamePrefix("lottery-");
+    scheduler.initialize();
+    return scheduler;
+  }
+}

backend/src/main/java/com/openisle/config/SecurityConfig.java

@@ -0,0 +1,302 @@
+package com.openisle.config;
+
+import com.openisle.repository.UserRepository;
+import com.openisle.service.JwtService;
+import com.openisle.service.UserVisitService;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.time.LocalDate;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+@Configuration
+@RequiredArgsConstructor
+public class SecurityConfig {
+
+  private final JwtService jwtService;
+  private final UserRepository userRepository;
+  private final AccessDeniedHandler customAccessDeniedHandler;
+  private final UserVisitService userVisitService;
+
+  @Value("${app.website-url}")
+  private String websiteUrl;
+
+  private final RedisTemplate redisTemplate;
+
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder();
+  }
+
+  @Bean
+  public UserDetailsService userDetailsService() {
+    return username ->
+      userRepository
+        .findByUsername(username)
+        .<UserDetails>map(user ->
+          org.springframework.security.core.userdetails.User.withUsername(user.getUsername())
+            .password(user.getPassword())
+            .authorities(user.getRole().name())
+            .build()
+        )
+        .orElseThrow(() -> new UsernameNotFoundException("User not found"));
+  }
+
+  @Bean
+  public AuthenticationManager authenticationManager(
+    HttpSecurity http,
+    PasswordEncoder passwordEncoder,
+    UserDetailsService userDetailsService
+  ) throws Exception {
+    return http
+      .getSharedObject(AuthenticationManagerBuilder.class)
+      .userDetailsService(userDetailsService)
+      .passwordEncoder(passwordEncoder)
+      .and()
+      .build();
+  }
+
+  @Bean
+  public CorsConfigurationSource corsConfigurationSource() {
+    CorsConfiguration cfg = new CorsConfiguration();
+    cfg.setAllowedOrigins(
+      List.of(
+        "http://127.0.0.1:8080",
+        "http://127.0.0.1:8081",
+        "http://127.0.0.1:8082",
+        "http://127.0.0.1:3000",
+        "http://127.0.0.1:3001",
+        "http://127.0.0.1",
+        "http://localhost:8080",
+        "http://localhost:8081",
+        "http://localhost:8082",
+        "http://localhost:3000",
+        "http://frontend_dev:3000",
+        "http://frontend_service:3000",
+        "http://localhost:3001",
+        "http://localhost",
+        "http://30.211.97.238:3000",
+        "http://30.211.97.238",
+        "http://192.168.7.90",
+        "http://192.168.7.90:3000",
+        "https://petstore.swagger.io",
+        // 允许自建OpenAPI地址
+        "https://docs.open-isle.com",
+        "https://www.docs.open-isle.com",
+        websiteUrl,
+        websiteUrl.replace("://www.", "://")
+      )
+    );
+    cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+    cfg.setAllowedHeaders(List.of("*"));
+    cfg.setAllowCredentials(true);
+    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+    source.registerCorsConfiguration("/api/**", cfg);
+    return source;
+  }
+
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http
+      .csrf(csrf -> csrf.disable())
+      .cors(Customizer.withDefaults())
+      .headers(h -> h.frameOptions(f -> f.sameOrigin()))
+      .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+      .exceptionHandling(eh -> eh.accessDeniedHandler(customAccessDeniedHandler))
+      .authorizeHttpRequests(auth ->
+        auth
+          .requestMatchers(HttpMethod.OPTIONS, "/**")
+          .permitAll()
+          .requestMatchers("/api/ws/**", "/api/sockjs/**")
+          .permitAll()
+          .requestMatchers("/api/v3/api-docs/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/auth/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/posts/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/comments/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/categories/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/tags/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/config/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/auth/google")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/auth/reason")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/search/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/users/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/medals/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/push/public-key")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/reaction-types")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/activities/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/sitemap.xml")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/channels")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/rss")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/online/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/online/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.GET, "/api/point-goods")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/point-goods")
+          .permitAll()
+          .requestMatchers("/actuator/**")
+          .permitAll()
+          .requestMatchers(HttpMethod.POST, "/api/categories/**")
+          .hasAuthority("ADMIN")
+          .requestMatchers(HttpMethod.POST, "/api/tags/**")
+          .authenticated()
+          .requestMatchers(HttpMethod.DELETE, "/api/categories/**")
+          .hasAuthority("ADMIN")
+          .requestMatchers(HttpMethod.DELETE, "/api/tags/**")
+          .hasAuthority("ADMIN")
+          .requestMatchers(HttpMethod.GET, "/api/stats/**")
+          .hasAuthority("ADMIN")
+          .requestMatchers("/api/admin/**")
+          .hasAuthority("ADMIN")
+          .anyRequest()
+          .authenticated()
+      )
+      .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
+      .addFilterAfter(userVisitFilter(), UsernamePasswordAuthenticationFilter.class);
+    return http.build();
+  }
+
+  @Bean
+  public OncePerRequestFilter jwtAuthenticationFilter() {
+    return new OncePerRequestFilter() {
+      @Override
+      protected void doFilterInternal(
+        HttpServletRequest request,
+        HttpServletResponse response,
+        FilterChain filterChain
+      ) throws ServletException, IOException {
+        // 让预检请求直接通过
+        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
+          filterChain.doFilter(request, response);
+          return;
+        }
+        String authHeader = request.getHeader("Authorization");
+        String uri = request.getRequestURI();
+
+        boolean publicGet =
+          "GET".equalsIgnoreCase(request.getMethod()) &&
+          (uri.startsWith("/api/posts") ||
+            uri.startsWith("/api/comments") ||
+            uri.startsWith("/api/categories") ||
+            uri.startsWith("/api/tags") ||
+            uri.startsWith("/api/search") ||
+            uri.startsWith("/api/users") ||
+            uri.startsWith("/api/reaction-types") ||
+            uri.startsWith("/api/config") ||
+            uri.startsWith("/api/activities") ||
+            uri.startsWith("/api/push/public-key") ||
+            uri.startsWith("/api/point-goods") ||
+            uri.startsWith("/api/channels") ||
+            uri.startsWith("/api/sitemap.xml") ||
+            uri.startsWith("/api/medals") ||
+            uri.startsWith("/actuator") ||
+            uri.startsWith("/api/rss"));
+
+        if (authHeader != null && authHeader.startsWith("Bearer ")) {
+          String token = authHeader.substring(7);
+          try {
+            String username = jwtService.validateAndGetSubject(token);
+            UserDetails userDetails = userDetailsService().loadUserByUsername(username);
+            UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
+              userDetails,
+              null,
+              userDetails.getAuthorities()
+            );
+            org.springframework.security.core.context.SecurityContextHolder.getContext().setAuthentication(
+              authToken
+            );
+          } catch (Exception e) {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            response.setContentType("application/json");
+            response.getWriter().write("{\"error\": \"Invalid or expired token\"}");
+            return;
+          }
+        } else if (
+          !uri.startsWith("/api/auth") &&
+          !publicGet &&
+          !uri.startsWith("/api/ws") &&
+          !uri.startsWith("/api/sockjs") &&
+          !uri.startsWith("/api/v3/api-docs") &&
+          !uri.startsWith("/api/online")
+        ) {
+          response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+          response.setContentType("application/json");
+          response.getWriter().write("{\"error\": \"Missing token\"}");
+          return;
+        }
+
+        filterChain.doFilter(request, response);
+      }
+    };
+  }
+
+  @Bean
+  public OncePerRequestFilter userVisitFilter() {
+    return new OncePerRequestFilter() {
+      @Override
+      protected void doFilterInternal(
+        HttpServletRequest request,
+        HttpServletResponse response,
+        FilterChain filterChain
+      ) throws ServletException, IOException {
+        var auth =
+          org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication();
+        if (
+          auth != null &&
+          auth.isAuthenticated() &&
+          !(auth instanceof
+              org.springframework.security.authentication.AnonymousAuthenticationToken)
+        ) {
+          String key = CachingConfig.VISIT_CACHE_NAME + ":" + LocalDate.now();
+          redisTemplate.opsForSet().add(key, auth.getName());
+        }
+        filterChain.doFilter(request, response);
+      }
+    };
+  }
+}

backend/src/main/java/com/openisle/config/ShardInfo.java

@@ -0,0 +1,15 @@
+package com.openisle.config;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+public class ShardInfo {
+
+  private int shardIndex;
+  private String queueName;
+  private String routingKey;
+}

backend/src/main/java/com/openisle/config/ShardingStrategy.java

@@ -0,0 +1,87 @@
+package com.openisle.config;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.stream.Collectors;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+@Component
+@Slf4j
+public class ShardingStrategy {
+
+  // 固定为16以匹配RabbitMQConfig中的十六进制分片逻辑
+  private static final int QUEUE_COUNT = 16;
+
+  // 分片分布统计
+  private final Map<Integer, AtomicLong> shardCounts = new ConcurrentHashMap<>();
+
+  /**
+   * 根据用户名获取分片信息（基于哈希值首字符）
+   */
+  public ShardInfo getShardInfo(String username) {
+    if (username == null || username.isEmpty()) {
+      // 空用户名默认分到第0个分片
+      return getShardInfoByIndex(0);
+    }
+
+    // 计算用户名的哈希值并转为十六进制字符串
+    String hash = Integer.toHexString(Math.abs(username.hashCode()));
+
+    // 取哈希值的第一个字符 (0-9, a-f)
+    char firstChar = hash.charAt(0);
+
+    // 十六进制字符映射到队列
+    int shard = getShardFromHexChar(firstChar);
+    recordShardUsage(shard);
+
+    log.debug(
+      "Username '{}' -> hash '{}' -> firstChar '{}' -> shard {}",
+      username,
+      hash,
+      firstChar,
+      shard
+    );
+
+    return getShardInfoByIndex(shard);
+  }
+
+  /**
+   * 将十六进制字符映射到分片索引
+   */
+  private int getShardFromHexChar(char hexChar) {
+    int charValue;
+    if (hexChar >= '0' && hexChar <= '9') {
+      charValue = hexChar - '0'; // 0-9
+    } else if (hexChar >= 'a' && hexChar <= 'f') {
+      charValue = hexChar - 'a' + 10; // 10-15
+    } else {
+      // 异常情况，默认为0
+      charValue = 0;
+    }
+
+    // 映射到队列数量范围内
+    return charValue % QUEUE_COUNT;
+  }
+
+  /**
+   * 根据分片索引获取分片信息
+   */
+  private ShardInfo getShardInfoByIndex(int shard) {
+    String shardKey = Integer.toHexString(shard);
+    return new ShardInfo(
+      shard,
+      "notifications-queue-" + shardKey,
+      "notifications.shard." + shardKey
+    );
+  }
+
+  /**
+   * 记录分片使用统计
+   */
+  private void recordShardUsage(int shard) {
+    shardCounts.computeIfAbsent(shard, k -> new AtomicLong(0)).incrementAndGet();
+  }
+}

backend/src/main/java/com/openisle/config/SpringDocProperties.java

@@ -0,0 +1,22 @@
+package com.openisle.config;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Data
+@Component
+@ConfigurationProperties(prefix = "springdoc.api-docs")
+public class SpringDocProperties {
+
+  private List<ServerConfig> servers = new ArrayList<>();
+
+  @Data
+  public static class ServerConfig {
+
+    private String url;
+    private String description;
+  }
+}

backend/src/main/java/com/openisle/config/SystemUserInitializer.java

@@ -0,0 +1,40 @@
+package com.openisle.config;
+
+import com.openisle.model.Role;
+import com.openisle.model.User;
+import com.openisle.repository.UserRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+/**
+ * Ensure a dedicated "system" user exists for internal operations.
+ */
+@Component
+@RequiredArgsConstructor
+public class SystemUserInitializer implements CommandLineRunner {
+
+  private final UserRepository userRepository;
+  private final PasswordEncoder passwordEncoder;
+
+  @Override
+  public void run(String... args) {
+    userRepository
+      .findByUsername("system")
+      .orElseGet(() -> {
+        User system = new User();
+        system.setUsername("system");
+        system.setEmail("system@openisle.local");
+        // todo(tim): raw password 采用环境变量
+        system.setPassword(passwordEncoder.encode("system"));
+        system.setRole(Role.USER);
+        system.setVerified(true);
+        system.setApproved(true);
+        system.setAvatar(
+          "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png"
+        );
+        return userRepository.save(system);
+      });
+  }
+}

backend/src/main/java/com/openisle/controller/ActivityController.java

@@ -0,0 +1,83 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ActivityDto;
+import com.openisle.dto.MilkTeaInfoDto;
+import com.openisle.dto.MilkTeaRedeemRequest;
+import com.openisle.mapper.ActivityMapper;
+import com.openisle.model.Activity;
+import com.openisle.model.ActivityType;
+import com.openisle.model.User;
+import com.openisle.service.ActivityService;
+import com.openisle.service.UserService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/activities")
+@RequiredArgsConstructor
+public class ActivityController {
+
+  private final ActivityService activityService;
+  private final UserService userService;
+  private final ActivityMapper activityMapper;
+
+  @GetMapping
+  @Operation(summary = "List activities", description = "Retrieve all activities")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of activities",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = ActivityDto.class)))
+  )
+  public List<ActivityDto> list() {
+    return activityService.list().stream().map(activityMapper::toDto).collect(Collectors.toList());
+  }
+
+  @GetMapping("/milk-tea")
+  @Operation(summary = "Milk tea info", description = "Get milk tea activity information")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Milk tea info",
+    content = @Content(schema = @Schema(implementation = MilkTeaInfoDto.class))
+  )
+  public MilkTeaInfoDto milkTea() {
+    Activity a = activityService.getByType(ActivityType.MILK_TEA);
+    long count = activityService.countParticipants(a);
+    if (!a.isEnded() && count >= 50) {
+      activityService.end(a);
+    }
+    MilkTeaInfoDto info = new MilkTeaInfoDto();
+    info.setRedeemCount(count);
+    info.setEnded(a.isEnded());
+    return info;
+  }
+
+  @PostMapping("/milk-tea/redeem")
+  @Operation(summary = "Redeem milk tea", description = "Redeem milk tea activity reward")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Redeem result",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public java.util.Map<String, String> redeemMilkTea(
+    @RequestBody MilkTeaRedeemRequest req,
+    Authentication auth
+  ) {
+    User user = userService.findByIdentifier(auth.getName()).orElseThrow();
+    Activity a = activityService.getByType(ActivityType.MILK_TEA);
+    boolean first = activityService.redeem(a, user, req.getContact());
+    if (first) {
+      return java.util.Map.of("message", "redeemed");
+    }
+    return java.util.Map.of("message", "updated");
+  }
+}

backend/src/main/java/com/openisle/controller/AdminCommentController.java

@@ -0,0 +1,49 @@
+package com.openisle.controller;
+
+import com.openisle.dto.CommentDto;
+import com.openisle.mapper.CommentMapper;
+import com.openisle.service.CommentService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * Endpoints for administrators to manage comments.
+ */
+@RestController
+@RequestMapping("/api/admin/comments")
+@RequiredArgsConstructor
+public class AdminCommentController {
+
+  private final CommentService commentService;
+  private final CommentMapper commentMapper;
+
+  @PostMapping("/{id}/pin")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Pin comment", description = "Pin a comment by its id")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Pinned comment",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  public CommentDto pin(@PathVariable Long id, Authentication auth) {
+    return commentMapper.toDto(commentService.pinComment(auth.getName(), id));
+  }
+
+  @PostMapping("/{id}/unpin")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Unpin comment", description = "Remove pin from a comment")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unpinned comment",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  public CommentDto unpin(@PathVariable Long id, Authentication auth) {
+    return commentMapper.toDto(commentService.unpinComment(auth.getName(), id));
+  }
+}

backend/src/main/java/com/openisle/controller/AdminConfigController.java

@@ -0,0 +1,72 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ConfigDto;
+import com.openisle.service.AiUsageService;
+import com.openisle.service.PasswordValidator;
+import com.openisle.service.PostService;
+import com.openisle.service.RegisterModeService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/admin/config")
+@RequiredArgsConstructor
+public class AdminConfigController {
+
+  private final PostService postService;
+  private final PasswordValidator passwordValidator;
+  private final AiUsageService aiUsageService;
+  private final RegisterModeService registerModeService;
+
+  @GetMapping
+  @SecurityRequirement(name = "JWT")
+  @Operation(
+    summary = "Get configuration",
+    description = "Retrieve application configuration settings"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Current configuration",
+    content = @Content(schema = @Schema(implementation = ConfigDto.class))
+  )
+  public ConfigDto getConfig() {
+    ConfigDto dto = new ConfigDto();
+    dto.setPublishMode(postService.getPublishMode());
+    dto.setPasswordStrength(passwordValidator.getStrength());
+    dto.setAiFormatLimit(aiUsageService.getFormatLimit());
+    dto.setRegisterMode(registerModeService.getRegisterMode());
+    return dto;
+  }
+
+  @PostMapping
+  @SecurityRequirement(name = "JWT")
+  @Operation(
+    summary = "Update configuration",
+    description = "Update application configuration settings"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated configuration",
+    content = @Content(schema = @Schema(implementation = ConfigDto.class))
+  )
+  public ConfigDto updateConfig(@RequestBody ConfigDto dto) {
+    if (dto.getPublishMode() != null) {
+      postService.setPublishMode(dto.getPublishMode());
+    }
+    if (dto.getPasswordStrength() != null) {
+      passwordValidator.setStrength(dto.getPasswordStrength());
+    }
+    if (dto.getAiFormatLimit() != null) {
+      aiUsageService.setFormatLimit(dto.getAiFormatLimit());
+    }
+    if (dto.getRegisterMode() != null) {
+      registerModeService.setRegisterMode(dto.getRegisterMode());
+    }
+    return getConfig();
+  }
+}

backend/src/main/java/com/openisle/controller/AdminController.java

@@ -0,0 +1,29 @@
+package com.openisle.controller;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.Map;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * Simple admin demo endpoint.
+ */
+@RestController
+public class AdminController {
+
+  @GetMapping("/api/admin/hello")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Admin greeting", description = "Returns a greeting for admin users")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Greeting payload",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public Map<String, String> adminHello() {
+    return Map.of("message", "Hello, Admin User");
+  }
+}

backend/src/main/java/com/openisle/controller/AdminPostController.java

@@ -0,0 +1,129 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.service.PostService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * Endpoints for administrators to manage posts.
+ */
+@RestController
+@RequestMapping("/api/admin/posts")
+@RequiredArgsConstructor
+public class AdminPostController {
+
+  private final PostService postService;
+  private final PostMapper postMapper;
+
+  @GetMapping("/pending")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "List pending posts", description = "Retrieve posts awaiting approval")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Pending posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> pendingPosts() {
+    return postService
+      .listPendingPosts()
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @PostMapping("/{id}/approve")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Approve post", description = "Approve a pending post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Approved post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto approve(@PathVariable Long id) {
+    return postMapper.toSummaryDto(postService.approvePost(id));
+  }
+
+  @PostMapping("/{id}/reject")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Reject post", description = "Reject a pending post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Rejected post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto reject(@PathVariable Long id) {
+    return postMapper.toSummaryDto(postService.rejectPost(id));
+  }
+
+  @PostMapping("/{id}/pin")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Pin post", description = "Pin a post to the top")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Pinned post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto pin(
+    @PathVariable Long id,
+    org.springframework.security.core.Authentication auth
+  ) {
+    return postMapper.toSummaryDto(postService.pinPost(id, auth.getName()));
+  }
+
+  @PostMapping("/{id}/unpin")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Unpin post", description = "Remove a post from the top")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unpinned post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto unpin(
+    @PathVariable Long id,
+    org.springframework.security.core.Authentication auth
+  ) {
+    return postMapper.toSummaryDto(postService.unpinPost(id, auth.getName()));
+  }
+
+  @PostMapping("/{id}/rss-exclude")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Exclude from RSS", description = "Exclude a post from RSS feed")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto excludeFromRss(
+    @PathVariable Long id,
+    org.springframework.security.core.Authentication auth
+  ) {
+    return postMapper.toSummaryDto(postService.excludeFromRss(id, auth.getName()));
+  }
+
+  @PostMapping("/{id}/rss-include")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Include in RSS", description = "Include a post in the RSS feed")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto includeInRss(
+    @PathVariable Long id,
+    org.springframework.security.core.Authentication auth
+  ) {
+    return postMapper.toSummaryDto(postService.includeInRss(id, auth.getName()));
+  }
+}

backend/src/main/java/com/openisle/controller/AdminTagController.java

@@ -0,0 +1,57 @@
+package com.openisle.controller;
+
+import com.openisle.dto.TagDto;
+import com.openisle.mapper.TagMapper;
+import com.openisle.model.Tag;
+import com.openisle.service.PostService;
+import com.openisle.service.TagService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/admin/tags")
+@RequiredArgsConstructor
+public class AdminTagController {
+
+  private final TagService tagService;
+  private final PostService postService;
+  private final TagMapper tagMapper;
+
+  @GetMapping("/pending")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "List pending tags", description = "Retrieve tags awaiting approval")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Pending tags",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+  )
+  public List<TagDto> pendingTags() {
+    return tagService
+      .listPendingTags()
+      .stream()
+      .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
+      .collect(Collectors.toList());
+  }
+
+  @PostMapping("/{id}/approve")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Approve tag", description = "Approve a pending tag")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Approved tag",
+    content = @Content(schema = @Schema(implementation = TagDto.class))
+  )
+  public TagDto approve(@PathVariable Long id) {
+    Tag tag = tagService.approveTag(id);
+    long count = postService.countPostsByTag(tag.getId());
+    return tagMapper.toDto(tag, count);
+  }
+}

backend/src/main/java/com/openisle/controller/AdminUserController.java

@@ -0,0 +1,73 @@
+package com.openisle.controller;
+
+import com.openisle.model.Notification;
+import com.openisle.model.NotificationType;
+import com.openisle.model.User;
+import com.openisle.repository.NotificationRepository;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.EmailSender;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/admin/users")
+@RequiredArgsConstructor
+public class AdminUserController {
+
+  private final UserRepository userRepository;
+  private final NotificationRepository notificationRepository;
+  private final EmailSender emailSender;
+
+  @Value("${app.website-url}")
+  private String websiteUrl;
+
+  @PostMapping("/{id}/approve")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Approve user", description = "Approve a pending user registration")
+  @ApiResponse(responseCode = "200", description = "User approved")
+  public ResponseEntity<?> approve(@PathVariable Long id) {
+    User user = userRepository.findById(id).orElseThrow();
+    user.setApproved(true);
+    userRepository.save(user);
+    markRegisterRequestNotificationsRead(user);
+    emailSender.sendEmail(
+      user.getEmail(),
+      "您的注册已审核通过",
+      "🎉您的注册已经审核通过, 点击以访问网站: " + websiteUrl
+    );
+    return ResponseEntity.ok().build();
+  }
+
+  @PostMapping("/{id}/reject")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Reject user", description = "Reject a pending user registration")
+  @ApiResponse(responseCode = "200", description = "User rejected")
+  public ResponseEntity<?> reject(@PathVariable Long id) {
+    User user = userRepository.findById(id).orElseThrow();
+    user.setApproved(false);
+    userRepository.save(user);
+    markRegisterRequestNotificationsRead(user);
+    emailSender.sendEmail(
+      user.getEmail(),
+      "您的注册已被管理员拒绝",
+      "您的注册被管理员拒绝, 点击链接可以重新填写理由申请: " + websiteUrl
+    );
+    return ResponseEntity.ok().build();
+  }
+
+  private void markRegisterRequestNotificationsRead(User applicant) {
+    java.util.List<Notification> notifs = notificationRepository.findByTypeAndFromUser(
+      NotificationType.REGISTER_REQUEST,
+      applicant
+    );
+    for (Notification n : notifs) {
+      n.setRead(true);
+    }
+    notificationRepository.saveAll(notifs);
+  }
+}

backend/src/main/java/com/openisle/controller/AiController.java

@@ -0,0 +1,54 @@
+package com.openisle.controller;
+
+import com.openisle.service.AiUsageService;
+import com.openisle.service.OpenAiService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.Map;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/ai")
+@RequiredArgsConstructor
+public class AiController {
+
+  private final OpenAiService openAiService;
+  private final AiUsageService aiUsageService;
+
+  @PostMapping("/format")
+  @Operation(summary = "Format markdown", description = "Format text via AI")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Formatted content",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<Map<String, String>> format(
+    @RequestBody Map<String, String> req,
+    Authentication auth
+  ) {
+    String text = req.get("text");
+    if (text == null) {
+      return ResponseEntity.badRequest().build();
+    }
+    int limit = aiUsageService.getFormatLimit();
+    int used = aiUsageService.getCount(auth.getName());
+    if (limit > 0 && used >= limit) {
+      return ResponseEntity.status(429).build();
+    }
+    aiUsageService.incrementAndGetCount(auth.getName());
+    return openAiService
+      .formatMarkdown(text)
+      .map(t -> ResponseEntity.ok(Map.of("content", t)))
+      .orElse(ResponseEntity.status(500).build());
+  }
+}

backend/src/main/java/com/openisle/controller/AuthController.java

@@ -0,0 +1,710 @@
+package com.openisle.controller;
+
+import com.openisle.config.CachingConfig;
+import com.openisle.dto.*;
+import com.openisle.exception.FieldException;
+import com.openisle.model.RegisterMode;
+import com.openisle.model.User;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.*;
+import com.openisle.util.VerifyType;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.TimeUnit;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/auth")
+@RequiredArgsConstructor
+public class AuthController {
+
+  private final UserService userService;
+  private final JwtService jwtService;
+  private final EmailSender emailService;
+  private final CaptchaService captchaService;
+  private final GoogleAuthService googleAuthService;
+  private final GithubAuthService githubAuthService;
+  private final DiscordAuthService discordAuthService;
+  private final TwitterAuthService twitterAuthService;
+  private final TelegramAuthService telegramAuthService;
+  private final RegisterModeService registerModeService;
+  private final NotificationService notificationService;
+  private final UserRepository userRepository;
+  private final InviteService inviteService;
+
+  @Value("${app.captcha.enabled:false}")
+  private boolean captchaEnabled;
+
+  @Value("${app.captcha.register-enabled:false}")
+  private boolean registerCaptchaEnabled;
+
+  @Value("${app.captcha.login-enabled:false}")
+  private boolean loginCaptchaEnabled;
+
+  @PostMapping("/register")
+  @Operation(summary = "Register user", description = "Register a new user account")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Registration result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> register(@RequestBody RegisterRequest req) {
+    if (captchaEnabled && registerCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
+    }
+    if (req.getInviteToken() != null && !req.getInviteToken().isEmpty()) {
+      InviteService.InviteValidateResult result = inviteService.validate(req.getInviteToken());
+      if (!result.isValidate()) {
+        return ResponseEntity.badRequest().body(Map.of("error", "邀请码使用次数过多"));
+      }
+      try {
+        User user = userService.registerWithInvite(
+          req.getUsername(),
+          req.getEmail(),
+          req.getPassword()
+        );
+        inviteService.consume(req.getInviteToken(), user.getUsername());
+        // 发送确认邮件
+        userService.sendVerifyMail(user, VerifyType.REGISTER);
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(user.getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      } catch (FieldException e) {
+        return ResponseEntity.badRequest().body(
+          Map.of("field", e.getField(), "error", e.getMessage())
+        );
+      }
+    }
+    User user = userService.register(
+      req.getUsername(),
+      req.getEmail(),
+      req.getPassword(),
+      "",
+      registerModeService.getRegisterMode()
+    );
+    // 发送确认邮件
+    userService.sendVerifyMail(user, VerifyType.REGISTER);
+    if (!user.isApproved()) {
+      notificationService.createRegisterRequestNotifications(user, user.getRegisterReason());
+    }
+    return ResponseEntity.ok(Map.of("message", "Verification code sent"));
+  }
+
+  @PostMapping("/verify")
+  @Operation(summary = "Verify account", description = "Verify registration code")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Verification result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> verify(@RequestBody VerifyRequest req) {
+    Optional<User> userOpt = userService.findByUsername(req.getUsername());
+    if (userOpt.isEmpty()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid credentials"));
+    }
+    boolean ok = userService.verifyCode(userOpt.get(), req.getCode(), VerifyType.REGISTER);
+    if (ok) {
+      User user = userOpt.get();
+
+      if (user.isApproved()) {
+        return ResponseEntity.ok(
+          Map.of(
+            "message",
+            "Verified and isApproved",
+            "reason_code",
+            "VERIFIED_AND_APPROVED",
+            "token",
+            jwtService.generateToken(req.getUsername())
+          )
+        );
+      } else {
+        return ResponseEntity.ok(
+          Map.of(
+            "message",
+            "Verified",
+            "reason_code",
+            "VERIFIED",
+            "token",
+            jwtService.generateReasonToken(req.getUsername())
+          )
+        );
+      }
+    }
+    return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
+  }
+
+  @PostMapping("/login")
+  @Operation(summary = "Login", description = "Authenticate with username/email and password")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> login(@RequestBody LoginRequest req) {
+    if (captchaEnabled && loginCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
+    }
+    Optional<User> userOpt = userService.findByUsername(req.getUsername());
+    if (userOpt.isEmpty()) {
+      userOpt = userService.findByEmail(req.getUsername());
+    }
+    if (userOpt.isEmpty() || !userService.matchesPassword(userOpt.get(), req.getPassword())) {
+      return ResponseEntity.badRequest().body(
+        Map.of("error", "Invalid credentials", "reason_code", "INVALID_CREDENTIALS")
+      );
+    }
+    User user = userOpt.get();
+    if (!user.isVerified()) {
+      user = userService.register(
+        user.getUsername(),
+        user.getEmail(),
+        user.getPassword(),
+        user.getRegisterReason(),
+        registerModeService.getRegisterMode()
+      );
+      userService.sendVerifyMail(user, VerifyType.REGISTER);
+      return ResponseEntity.badRequest().body(
+        Map.of(
+          "error",
+          "User not verified",
+          "reason_code",
+          "NOT_VERIFIED",
+          "user_name",
+          user.getUsername()
+        )
+      );
+    }
+    if (
+      RegisterMode.WHITELIST.equals(registerModeService.getRegisterMode()) && !user.isApproved()
+    ) {
+      if (user.getRegisterReason() != null && !user.getRegisterReason().isEmpty()) {
+        return ResponseEntity.badRequest().body(
+          Map.of("error", "Account awaiting approval", "reason_code", "IS_APPROVING")
+        );
+      }
+      return ResponseEntity.badRequest().body(
+        Map.of(
+          "error",
+          "Register reason not approved",
+          "reason_code",
+          "NOT_APPROVED",
+          "token",
+          jwtService.generateReasonToken(user.getUsername())
+        )
+      );
+    }
+    return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.getUsername())));
+  }
+
+  @PostMapping("/google")
+  @Operation(summary = "Login with Google", description = "Authenticate using Google account")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> loginWithGoogle(@RequestBody GoogleLoginRequest req) {
+    boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+      req.getInviteToken()
+    );
+    if (viaInvite && !inviteValidateResult.isValidate()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+    }
+    Optional<AuthResult> resultOpt = googleAuthService.authenticate(
+      req.getIdToken(),
+      registerModeService.getRegisterMode(),
+      viaInvite
+    );
+    if (resultOpt.isPresent()) {
+      AuthResult result = resultOpt.get();
+      if (viaInvite && result.isNewUser()) {
+        inviteService.consume(
+          req.getInviteToken(),
+          inviteValidateResult.getInviteToken().getInviter().getUsername()
+        );
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(result.getUser().getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      }
+      if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+        return ResponseEntity.ok(
+          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+        );
+      }
+      if (!result.getUser().isApproved()) {
+        if (
+          result.getUser().getRegisterReason() != null &&
+          !result.getUser().getRegisterReason().isEmpty()
+        ) {
+          return ResponseEntity.badRequest().body(
+            Map.of(
+              "error",
+              "Account awaiting approval",
+              "reason_code",
+              "IS_APPROVING",
+              "token",
+              jwtService.generateReasonToken(result.getUser().getUsername())
+            )
+          );
+        }
+        return ResponseEntity.badRequest().body(
+          Map.of(
+            "error",
+            "Account awaiting approval",
+            "reason_code",
+            "NOT_APPROVED",
+            "token",
+            jwtService.generateReasonToken(result.getUser().getUsername())
+          )
+        );
+      }
+
+      return ResponseEntity.ok(
+        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+      );
+    }
+    return ResponseEntity.badRequest().body(
+      Map.of("error", "Invalid google token", "reason_code", "INVALID_CREDENTIALS")
+    );
+  }
+
+  @PostMapping("/reason")
+  @Operation(
+    summary = "Submit register reason",
+    description = "Submit registration reason for approval"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Submission result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> reason(@RequestBody MakeReasonRequest req) {
+    String username = jwtService.validateAndGetSubjectForReason(req.getToken());
+    Optional<User> userOpt = userService.findByUsername(username);
+    if (userOpt.isEmpty()) {
+      return ResponseEntity.badRequest().body(
+        Map.of("error", "Invalid token, Please re-login", "reason_code", "INVALID_CREDENTIALS")
+      );
+    }
+
+    if (req.getReason() == null || req.getReason().trim().length() <= 20) {
+      return ResponseEntity.badRequest().body(
+        Map.of("error", "Reason's length must longer than 20", "reason_code", "INVALID_CREDENTIALS")
+      );
+    }
+
+    User user = userOpt.get();
+    if (user.isApproved() || registerModeService.getRegisterMode() == RegisterMode.DIRECT) {
+      return ResponseEntity.ok().body(Map.of("valid", true));
+    }
+
+    user = userService.updateReason(user.getUsername(), req.getReason());
+    notificationService.createRegisterRequestNotifications(user, req.getReason());
+    return ResponseEntity.ok().body(Map.of("valid", true));
+  }
+
+  @PostMapping("/github")
+  @Operation(summary = "Login with GitHub", description = "Authenticate using GitHub account")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> loginWithGithub(@RequestBody GithubLoginRequest req) {
+    boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+      req.getInviteToken()
+    );
+    if (viaInvite && !inviteValidateResult.isValidate()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+    }
+    Optional<AuthResult> resultOpt = githubAuthService.authenticate(
+      req.getCode(),
+      registerModeService.getRegisterMode(),
+      req.getRedirectUri(),
+      viaInvite
+    );
+    if (resultOpt.isPresent()) {
+      AuthResult result = resultOpt.get();
+      if (viaInvite && result.isNewUser()) {
+        inviteService.consume(
+          req.getInviteToken(),
+          inviteValidateResult.getInviteToken().getInviter().getUsername()
+        );
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(result.getUser().getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      }
+      if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+        return ResponseEntity.ok(
+          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+        );
+      }
+      if (!result.getUser().isApproved()) {
+        if (
+          result.getUser().getRegisterReason() != null &&
+          !result.getUser().getRegisterReason().isEmpty()
+        ) {
+          // 已填写注册理由
+          return ResponseEntity.badRequest().body(
+            Map.of(
+              "error",
+              "Account awaiting approval",
+              "reason_code",
+              "IS_APPROVING",
+              "token",
+              jwtService.generateReasonToken(result.getUser().getUsername())
+            )
+          );
+        }
+        return ResponseEntity.badRequest().body(
+          Map.of(
+            "error",
+            "Account awaiting approval",
+            "reason_code",
+            "NOT_APPROVED",
+            "token",
+            jwtService.generateReasonToken(result.getUser().getUsername())
+          )
+        );
+      }
+
+      return ResponseEntity.ok(
+        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+      );
+    }
+    return ResponseEntity.badRequest().body(
+      Map.of("error", "Invalid github code", "reason_code", "INVALID_CREDENTIALS")
+    );
+  }
+
+  @PostMapping("/discord")
+  @Operation(summary = "Login with Discord", description = "Authenticate using Discord account")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> loginWithDiscord(@RequestBody DiscordLoginRequest req) {
+    boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+      req.getInviteToken()
+    );
+    if (viaInvite && !inviteValidateResult.isValidate()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+    }
+    Optional<AuthResult> resultOpt = discordAuthService.authenticate(
+      req.getCode(),
+      registerModeService.getRegisterMode(),
+      req.getRedirectUri(),
+      viaInvite
+    );
+    if (resultOpt.isPresent()) {
+      AuthResult result = resultOpt.get();
+      if (viaInvite && result.isNewUser()) {
+        inviteService.consume(
+          req.getInviteToken(),
+          inviteValidateResult.getInviteToken().getInviter().getUsername()
+        );
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(result.getUser().getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      }
+      if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+        return ResponseEntity.ok(
+          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+        );
+      }
+      if (!result.getUser().isApproved()) {
+        if (
+          result.getUser().getRegisterReason() != null &&
+          !result.getUser().getRegisterReason().isEmpty()
+        ) {
+          return ResponseEntity.badRequest().body(
+            Map.of(
+              "error",
+              "Account awaiting approval",
+              "reason_code",
+              "IS_APPROVING",
+              "token",
+              jwtService.generateReasonToken(result.getUser().getUsername())
+            )
+          );
+        }
+        return ResponseEntity.badRequest().body(
+          Map.of(
+            "error",
+            "Account awaiting approval",
+            "reason_code",
+            "NOT_APPROVED",
+            "token",
+            jwtService.generateReasonToken(result.getUser().getUsername())
+          )
+        );
+      }
+
+      return ResponseEntity.ok(
+        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+      );
+    }
+    return ResponseEntity.badRequest().body(
+      Map.of("error", "Invalid discord code", "reason_code", "INVALID_CREDENTIALS")
+    );
+  }
+
+  @PostMapping("/twitter")
+  @Operation(summary = "Login with Twitter", description = "Authenticate using Twitter account")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> loginWithTwitter(@RequestBody TwitterLoginRequest req) {
+    boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+      req.getInviteToken()
+    );
+    if (viaInvite && !inviteValidateResult.isValidate()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+    }
+    Optional<AuthResult> resultOpt = twitterAuthService.authenticate(
+      req.getCode(),
+      req.getCodeVerifier(),
+      registerModeService.getRegisterMode(),
+      req.getRedirectUri(),
+      viaInvite
+    );
+    if (resultOpt.isPresent()) {
+      AuthResult result = resultOpt.get();
+      if (viaInvite && result.isNewUser()) {
+        inviteService.consume(
+          req.getInviteToken(),
+          inviteValidateResult.getInviteToken().getInviter().getUsername()
+        );
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(result.getUser().getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      }
+      if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+        return ResponseEntity.ok(
+          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+        );
+      }
+      if (!result.getUser().isApproved()) {
+        if (
+          result.getUser().getRegisterReason() != null &&
+          !result.getUser().getRegisterReason().isEmpty()
+        ) {
+          return ResponseEntity.badRequest().body(
+            Map.of(
+              "error",
+              "Account awaiting approval",
+              "reason_code",
+              "IS_APPROVING",
+              "token",
+              jwtService.generateReasonToken(result.getUser().getUsername())
+            )
+          );
+        }
+        return ResponseEntity.badRequest().body(
+          Map.of(
+            "error",
+            "Account awaiting approval",
+            "reason_code",
+            "NOT_APPROVED",
+            "token",
+            jwtService.generateReasonToken(result.getUser().getUsername())
+          )
+        );
+      }
+
+      return ResponseEntity.ok(
+        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+      );
+    }
+    return ResponseEntity.badRequest().body(
+      Map.of("error", "Invalid twitter code", "reason_code", "INVALID_CREDENTIALS")
+    );
+  }
+
+  @PostMapping("/telegram")
+  @Operation(summary = "Login with Telegram", description = "Authenticate using Telegram data")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Authentication result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> loginWithTelegram(@RequestBody TelegramLoginRequest req) {
+    boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+      req.getInviteToken()
+    );
+    if (viaInvite && !inviteValidateResult.isValidate()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+    }
+    Optional<AuthResult> resultOpt = telegramAuthService.authenticate(
+      req,
+      registerModeService.getRegisterMode(),
+      viaInvite
+    );
+    if (resultOpt.isPresent()) {
+      AuthResult result = resultOpt.get();
+      if (viaInvite && result.isNewUser()) {
+        inviteService.consume(
+          req.getInviteToken(),
+          inviteValidateResult.getInviteToken().getInviter().getUsername()
+        );
+        return ResponseEntity.ok(
+          Map.of(
+            "token",
+            jwtService.generateToken(result.getUser().getUsername()),
+            "reason_code",
+            "INVITE_APPROVED"
+          )
+        );
+      }
+      if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+        return ResponseEntity.ok(
+          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+        );
+      }
+      if (!result.getUser().isApproved()) {
+        if (
+          result.getUser().getRegisterReason() != null &&
+          !result.getUser().getRegisterReason().isEmpty()
+        ) {
+          return ResponseEntity.badRequest().body(
+            Map.of(
+              "error",
+              "Account awaiting approval",
+              "reason_code",
+              "IS_APPROVING",
+              "token",
+              jwtService.generateReasonToken(result.getUser().getUsername())
+            )
+          );
+        }
+        return ResponseEntity.badRequest().body(
+          Map.of(
+            "error",
+            "Account awaiting approval",
+            "reason_code",
+            "NOT_APPROVED",
+            "token",
+            jwtService.generateReasonToken(result.getUser().getUsername())
+          )
+        );
+      }
+      return ResponseEntity.ok(
+        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
+      );
+    }
+    return ResponseEntity.badRequest().body(
+      Map.of("error", "Invalid telegram data", "reason_code", "INVALID_CREDENTIALS")
+    );
+  }
+
+  @GetMapping("/check")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Check token", description = "Validate JWT token")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Token valid",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> checkToken() {
+    return ResponseEntity.ok(Map.of("valid", true));
+  }
+
+  @PostMapping("/forgot/send")
+  @Operation(summary = "Send reset code", description = "Send verification code for password reset")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Sending result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> sendReset(@RequestBody ForgotPasswordRequest req) {
+    Optional<User> userOpt = userService.findByEmail(req.getEmail());
+    if (userOpt.isEmpty()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "User not found"));
+    }
+    userService.sendVerifyMail(userOpt.get(), VerifyType.RESET_PASSWORD);
+    return ResponseEntity.ok(Map.of("message", "Verification code sent"));
+  }
+
+  @PostMapping("/forgot/verify")
+  @Operation(summary = "Verify reset code", description = "Verify password reset code")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Verification result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> verifyReset(@RequestBody VerifyForgotRequest req) {
+    Optional<User> userOpt = userService.findByEmail(req.getEmail());
+    if (userOpt.isEmpty()) {
+      return ResponseEntity.badRequest().body(Map.of("error", "User not found"));
+    }
+    boolean ok = userService.verifyCode(userOpt.get(), req.getCode(), VerifyType.RESET_PASSWORD);
+    if (ok) {
+      String username = userService.findByEmail(req.getEmail()).get().getUsername();
+      return ResponseEntity.ok(Map.of("token", jwtService.generateResetToken(username)));
+    }
+    return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
+  }
+
+  @PostMapping("/forgot/reset")
+  @Operation(summary = "Reset password", description = "Reset user password after verification")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reset result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> resetPassword(@RequestBody ResetPasswordRequest req) {
+    String username = jwtService.validateAndGetSubjectForReset(req.getToken());
+    try {
+      userService.updatePassword(username, req.getPassword());
+      return ResponseEntity.ok(Map.of("message", "Password updated"));
+    } catch (FieldException e) {
+      return ResponseEntity.badRequest().body(
+        Map.of("field", e.getField(), "error", e.getMessage())
+      );
+    }
+  }
+
+  // DTO classes moved to com.openisle.dto package
+}

backend/src/main/java/com/openisle/controller/CategoryController.java

@@ -0,0 +1,127 @@
+package com.openisle.controller;
+
+import com.openisle.dto.CategoryDto;
+import com.openisle.dto.CategoryRequest;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.CategoryMapper;
+import com.openisle.mapper.PostMapper;
+import com.openisle.model.Category;
+import com.openisle.service.CategoryService;
+import com.openisle.service.PostService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/categories")
+@RequiredArgsConstructor
+public class CategoryController {
+
+  private final CategoryService categoryService;
+  private final PostService postService;
+  private final PostMapper postMapper;
+  private final CategoryMapper categoryMapper;
+
+  @PostMapping
+  @Operation(summary = "Create category", description = "Create a new category")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Created category",
+    content = @Content(schema = @Schema(implementation = CategoryDto.class))
+  )
+  public CategoryDto create(@RequestBody CategoryRequest req) {
+    Category c = categoryService.createCategory(
+      req.getName(),
+      req.getDescription(),
+      req.getIcon(),
+      req.getSmallIcon()
+    );
+    long count = postService.countPostsByCategory(c.getId());
+    return categoryMapper.toDto(c, count);
+  }
+
+  @PutMapping("/{id}")
+  @Operation(summary = "Update category", description = "Update an existing category")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated category",
+    content = @Content(schema = @Schema(implementation = CategoryDto.class))
+  )
+  public CategoryDto update(@PathVariable Long id, @RequestBody CategoryRequest req) {
+    Category c = categoryService.updateCategory(
+      id,
+      req.getName(),
+      req.getDescription(),
+      req.getIcon(),
+      req.getSmallIcon()
+    );
+    long count = postService.countPostsByCategory(c.getId());
+    return categoryMapper.toDto(c, count);
+  }
+
+  @DeleteMapping("/{id}")
+  @Operation(summary = "Delete category", description = "Remove a category by id")
+  @ApiResponse(responseCode = "200", description = "Category deleted")
+  public void delete(@PathVariable Long id) {
+    categoryService.deleteCategory(id);
+  }
+
+  @GetMapping
+  @Operation(summary = "List categories", description = "Get all categories")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of categories",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = CategoryDto.class)))
+  )
+  public List<CategoryDto> list() {
+    List<Category> all = categoryService.listCategories();
+    List<Long> ids = all.stream().map(Category::getId).toList();
+    Map<Long, Long> postsCntByCategoryIds = postService.countPostsByCategoryIds(ids);
+    return all
+      .stream()
+      .map(c -> categoryMapper.toDto(c, postsCntByCategoryIds.getOrDefault(c.getId(), 0L)))
+      .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/{id}")
+  @Operation(summary = "Get category", description = "Get category by id")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Category detail",
+    content = @Content(schema = @Schema(implementation = CategoryDto.class))
+  )
+  public CategoryDto get(@PathVariable Long id) {
+    Category c = categoryService.getCategory(id);
+    long count = postService.countPostsByCategory(c.getId());
+    return categoryMapper.toDto(c, count);
+  }
+
+  @GetMapping("/{id}/posts")
+  @Operation(summary = "List posts by category", description = "Get posts under a category")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> listPostsByCategory(
+    @PathVariable Long id,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize
+  ) {
+    return postService
+      .listPostsByCategories(java.util.List.of(id), page, pageSize)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+}

backend/src/main/java/com/openisle/controller/ChannelController.java

@@ -0,0 +1,70 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ChannelDto;
+import com.openisle.model.User;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.ChannelService;
+import com.openisle.service.MessageService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/channels")
+@RequiredArgsConstructor
+public class ChannelController {
+
+  private final ChannelService channelService;
+  private final MessageService messageService;
+  private final UserRepository userRepository;
+
+  private Long getCurrentUserId(Authentication auth) {
+    User user = userRepository
+      .findByUsername(auth.getName())
+      .orElseThrow(() -> new IllegalArgumentException("User not found"));
+    return user.getId();
+  }
+
+  @GetMapping
+  @Operation(summary = "List channels", description = "List channels for the current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Channels",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = ChannelDto.class)))
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<ChannelDto> listChannels(Authentication auth) {
+    return channelService.listChannels(getCurrentUserId(auth));
+  }
+
+  @PostMapping("/{channelId}/join")
+  @Operation(summary = "Join channel", description = "Join a channel")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Joined channel",
+    content = @Content(schema = @Schema(implementation = ChannelDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ChannelDto joinChannel(@PathVariable Long channelId, Authentication auth) {
+    return channelService.joinChannel(channelId, getCurrentUserId(auth));
+  }
+
+  @GetMapping("/unread-count")
+  @Operation(summary = "Unread count", description = "Get unread channel count")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unread count",
+    content = @Content(schema = @Schema(implementation = Long.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public long unreadCount(Authentication auth) {
+    return messageService.getUnreadChannelCount(getCurrentUserId(auth));
+  }
+}

backend/src/main/java/com/openisle/controller/CommentController.java

@@ -0,0 +1,256 @@
+package com.openisle.controller;
+
+import com.openisle.dto.CommentContextDto;
+import com.openisle.dto.CommentDto;
+import com.openisle.dto.CommentRequest;
+import com.openisle.dto.PostChangeLogDto;
+import com.openisle.dto.TimelineItemDto;
+import com.openisle.mapper.CommentMapper;
+import com.openisle.mapper.PostChangeLogMapper;
+import com.openisle.mapper.PostMapper;
+import com.openisle.model.Comment;
+import com.openisle.model.CommentSort;
+import com.openisle.service.*;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.time.LocalDateTime;
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api")
+@RequiredArgsConstructor
+@Slf4j
+public class CommentController {
+
+  private final CommentService commentService;
+  private final LevelService levelService;
+  private final CaptchaService captchaService;
+  private final CommentMapper commentMapper;
+  private final PointService pointService;
+  private final PostChangeLogService changeLogService;
+  private final PostChangeLogMapper postChangeLogMapper;
+  private final PostMapper postMapper;
+
+  @Value("${app.captcha.enabled:false}")
+  private boolean captchaEnabled;
+
+  @Value("${app.captcha.comment-enabled:false}")
+  private boolean commentCaptchaEnabled;
+
+  @PostMapping("/posts/{postId}/comments")
+  @Operation(summary = "Create comment", description = "Add a comment to a post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Created comment",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<CommentDto> createComment(
+    @PathVariable Long postId,
+    @RequestBody CommentRequest req,
+    Authentication auth
+  ) {
+    log.debug("createComment called by user {} for post {}", auth.getName(), postId);
+    if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+      log.debug("Captcha verification failed for user {} on post {}", auth.getName(), postId);
+      return ResponseEntity.badRequest().build();
+    }
+    Comment comment = commentService.addComment(auth.getName(), postId, req.getContent());
+    CommentDto dto = commentMapper.toDto(comment);
+    dto.setReward(levelService.awardForComment(auth.getName()));
+    dto.setPointReward(pointService.awardForComment(auth.getName(), postId, comment.getId()));
+    log.debug("createComment succeeded for comment {}", comment.getId());
+    return ResponseEntity.ok(dto);
+  }
+
+  @PostMapping("/comments/{commentId}/replies")
+  @Operation(summary = "Reply to comment", description = "Reply to an existing comment")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reply created",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<CommentDto> replyComment(
+    @PathVariable Long commentId,
+    @RequestBody CommentRequest req,
+    Authentication auth
+  ) {
+    log.debug("replyComment called by user {} for comment {}", auth.getName(), commentId);
+    if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+      log.debug("Captcha verification failed for user {} on comment {}", auth.getName(), commentId);
+      return ResponseEntity.badRequest().build();
+    }
+    Comment comment = commentService.addReply(auth.getName(), commentId, req.getContent());
+    CommentDto dto = commentMapper.toDto(comment);
+    dto.setReward(levelService.awardForComment(auth.getName()));
+    log.debug("replyComment succeeded for comment {}", comment.getId());
+    return ResponseEntity.ok(dto);
+  }
+
+  @GetMapping("/posts/{postId}/comments")
+  @Operation(summary = "List comments", description = "List comments for a post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Comments",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = TimelineItemDto.class))
+    )
+  )
+  public List<TimelineItemDto<?>> listComments(
+    @PathVariable Long postId,
+    @RequestParam(value = "sort", required = false, defaultValue = "OLDEST") CommentSort sort
+  ) {
+    log.debug("listComments called for post {} with sort {}", postId, sort);
+    List<CommentDto> commentDtoList = commentService
+      .getCommentsForPost(postId, sort)
+      .stream()
+      .map(commentMapper::toDtoWithReplies)
+      .collect(Collectors.toList());
+    List<PostChangeLogDto> postChangeLogDtoList = changeLogService
+      .listLogs(postId)
+      .stream()
+      .map(postChangeLogMapper::toDto)
+      .collect(Collectors.toList());
+    List<TimelineItemDto<?>> itemDtoList = new ArrayList<>();
+
+    itemDtoList.addAll(
+      commentDtoList
+        .stream()
+        .map(c ->
+          new TimelineItemDto<>(
+            c.getId(),
+            "comment",
+            c.getCreatedAt(),
+            c.getPinnedAt(),
+            c // payload 是 CommentDto
+          )
+        )
+        .toList()
+    );
+
+    itemDtoList.addAll(
+      postChangeLogDtoList
+        .stream()
+        .map(l ->
+          new TimelineItemDto<>(
+            l.getId(),
+            "log",
+            l.getTime(), // 注意字段名不一样
+            null,
+            l // payload 是 PostChangeLogDto
+          )
+        )
+        .toList()
+    );
+    // 排序
+    Comparator<TimelineItemDto<?>> pinnedOrderComparator = (a, b) -> {
+      LocalDateTime aPinned = a.getPinnedAt();
+      LocalDateTime bPinned = b.getPinnedAt();
+      if (aPinned == null && bPinned == null) {
+        return 0;
+      }
+      if (aPinned == null) {
+        return 1;
+      }
+      if (bPinned == null) {
+        return -1;
+      }
+      return bPinned.compareTo(aPinned);
+    };
+
+    Comparator<TimelineItemDto<?>> comparator = Comparator.<TimelineItemDto<?>, Boolean>comparing(
+      item -> item.getPinnedAt() == null
+    ).thenComparing(pinnedOrderComparator);
+
+    Comparator<TimelineItemDto<?>> createdAtComparator = Comparator.comparing(
+      TimelineItemDto::getCreatedAt
+    );
+    if (CommentSort.NEWEST.equals(sort)) {
+      createdAtComparator = createdAtComparator.reversed();
+    }
+    itemDtoList.sort(comparator.thenComparing(createdAtComparator));
+    log.debug("listComments returning {} comments", itemDtoList.size());
+    return itemDtoList;
+  }
+
+  @GetMapping("/comments/{commentId}/context")
+  @Operation(
+    summary = "Comment context",
+    description = "Get a comment along with its previous comments and related post"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Comment context",
+    content = @Content(schema = @Schema(implementation = CommentContextDto.class))
+  )
+  public ResponseEntity<CommentContextDto> getCommentContext(@PathVariable Long commentId) {
+    log.debug("getCommentContext called for comment {}", commentId);
+    Comment comment = commentService.getComment(commentId);
+    CommentContextDto dto = new CommentContextDto();
+    dto.setPost(postMapper.toSummaryDto(comment.getPost()));
+    dto.setTargetComment(commentMapper.toDtoWithReplies(comment));
+    dto.setPreviousComments(
+      commentService
+        .getCommentsBefore(comment)
+        .stream()
+        .map(commentMapper::toDtoWithReplies)
+        .collect(Collectors.toList())
+    );
+    log.debug(
+      "getCommentContext returning {} previous comments for comment {}",
+      dto.getPreviousComments().size(),
+      commentId
+    );
+    return ResponseEntity.ok(dto);
+  }
+
+  @DeleteMapping("/comments/{id}")
+  @Operation(summary = "Delete comment", description = "Delete a comment")
+  @ApiResponse(responseCode = "200", description = "Deleted")
+  @SecurityRequirement(name = "JWT")
+  public void deleteComment(@PathVariable Long id, Authentication auth) {
+    log.debug("deleteComment called by user {} for comment {}", auth.getName(), id);
+    commentService.deleteComment(auth.getName(), id);
+    log.debug("deleteComment completed for comment {}", id);
+  }
+
+  @PostMapping("/comments/{id}/pin")
+  @Operation(summary = "Pin comment", description = "Pin a comment")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Pinned comment",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public CommentDto pinComment(@PathVariable Long id, Authentication auth) {
+    log.debug("pinComment called by user {} for comment {}", auth.getName(), id);
+    return commentMapper.toDto(commentService.pinComment(auth.getName(), id));
+  }
+
+  @PostMapping("/comments/{id}/unpin")
+  @Operation(summary = "Unpin comment", description = "Unpin a comment")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unpinned comment",
+    content = @Content(schema = @Schema(implementation = CommentDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public CommentDto unpinComment(@PathVariable Long id, Authentication auth) {
+    log.debug("unpinComment called by user {} for comment {}", auth.getName(), id);
+    return commentMapper.toDto(commentService.unpinComment(auth.getName(), id));
+  }
+}

backend/src/main/java/com/openisle/controller/ConfigController.java

@@ -0,0 +1,57 @@
+package com.openisle.controller;
+
+import com.openisle.dto.SiteConfigDto;
+import com.openisle.service.RegisterModeService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api")
+@lombok.RequiredArgsConstructor
+public class ConfigController {
+
+  @Value("${app.captcha.enabled:false}")
+  private boolean captchaEnabled;
+
+  @Value("${app.captcha.register-enabled:false}")
+  private boolean registerCaptchaEnabled;
+
+  @Value("${app.captcha.login-enabled:false}")
+  private boolean loginCaptchaEnabled;
+
+  @Value("${app.captcha.post-enabled:false}")
+  private boolean postCaptchaEnabled;
+
+  @Value("${app.captcha.comment-enabled:false}")
+  private boolean commentCaptchaEnabled;
+
+  @Value("${app.ai.format-limit:3}")
+  private int aiFormatLimit;
+
+  private final RegisterModeService registerModeService;
+
+  @GetMapping("/config")
+  @Operation(summary = "Site config", description = "Get site configuration")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Site configuration",
+    content = @Content(schema = @Schema(implementation = SiteConfigDto.class))
+  )
+  public SiteConfigDto getConfig() {
+    SiteConfigDto resp = new SiteConfigDto();
+    resp.setCaptchaEnabled(captchaEnabled);
+    resp.setRegisterCaptchaEnabled(registerCaptchaEnabled);
+    resp.setLoginCaptchaEnabled(loginCaptchaEnabled);
+    resp.setPostCaptchaEnabled(postCaptchaEnabled);
+    resp.setCommentCaptchaEnabled(commentCaptchaEnabled);
+    resp.setAiFormatLimit(aiFormatLimit);
+    resp.setRegisterMode(registerModeService.getRegisterMode());
+    return resp;
+  }
+}

backend/src/main/java/com/openisle/controller/DraftController.java

@@ -0,0 +1,68 @@
+package com.openisle.controller;
+
+import com.openisle.dto.DraftDto;
+import com.openisle.dto.DraftRequest;
+import com.openisle.mapper.DraftMapper;
+import com.openisle.model.Draft;
+import com.openisle.service.DraftService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/drafts")
+@RequiredArgsConstructor
+public class DraftController {
+
+  private final DraftService draftService;
+  private final DraftMapper draftMapper;
+
+  @PostMapping
+  @Operation(summary = "Save draft", description = "Save a draft for current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Draft saved",
+    content = @Content(schema = @Schema(implementation = DraftDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<DraftDto> saveDraft(@RequestBody DraftRequest req, Authentication auth) {
+    Draft draft = draftService.saveDraft(
+      auth.getName(),
+      req.getCategoryId(),
+      req.getTitle(),
+      req.getContent(),
+      req.getTagIds()
+    );
+    return ResponseEntity.ok(draftMapper.toDto(draft));
+  }
+
+  @GetMapping("/me")
+  @Operation(summary = "Get my draft", description = "Get current user's draft")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Draft details",
+    content = @Content(schema = @Schema(implementation = DraftDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<DraftDto> getMyDraft(Authentication auth) {
+    return draftService
+      .getDraft(auth.getName())
+      .map(d -> ResponseEntity.ok(draftMapper.toDto(d)))
+      .orElseGet(() -> ResponseEntity.noContent().build());
+  }
+
+  @DeleteMapping("/me")
+  @Operation(summary = "Delete my draft", description = "Delete current user's draft")
+  @ApiResponse(responseCode = "200", description = "Draft deleted")
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<?> deleteMyDraft(Authentication auth) {
+    draftService.deleteDraft(auth.getName());
+    return ResponseEntity.ok().build();
+  }
+}

backend/src/main/java/com/openisle/controller/GlobalExceptionHandler.java

@@ -0,0 +1,39 @@
+package com.openisle.controller;
+
+import com.openisle.exception.FieldException;
+import com.openisle.exception.NotFoundException;
+import com.openisle.exception.RateLimitException;
+import java.util.Map;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+
+  @ExceptionHandler(FieldException.class)
+  public ResponseEntity<?> handleFieldException(FieldException ex) {
+    return ResponseEntity.badRequest().body(
+      Map.of("error", ex.getMessage(), "field", ex.getField())
+    );
+  }
+
+  @ExceptionHandler(NotFoundException.class)
+  public ResponseEntity<?> handleNotFoundException(NotFoundException ex) {
+    return ResponseEntity.status(404).body(Map.of("error", ex.getMessage()));
+  }
+
+  @ExceptionHandler(RateLimitException.class)
+  public ResponseEntity<?> handleRateLimitException(RateLimitException ex) {
+    return ResponseEntity.status(429).body(Map.of("error", ex.getMessage()));
+  }
+
+  @ExceptionHandler(Exception.class)
+  public ResponseEntity<?> handleException(Exception ex) {
+    String message = ex.getMessage();
+    if (message == null) {
+      message = ex.getClass().getSimpleName();
+    }
+    return ResponseEntity.badRequest().body(Map.of("error", message));
+  }
+}

backend/src/main/java/com/openisle/controller/HelloController.java

@@ -0,0 +1,26 @@
+package com.openisle.controller;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.Map;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class HelloController {
+
+  @GetMapping("/api/hello")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Hello endpoint", description = "Returns a greeting for authenticated users")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Greeting payload",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public Map<String, String> hello() {
+    return Map.of("message", "Hello, Authenticated User");
+  }
+}

backend/src/main/java/com/openisle/controller/InviteController.java

@@ -0,0 +1,35 @@
+package com.openisle.controller;
+
+import com.openisle.service.InviteService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.Map;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/invite")
+@RequiredArgsConstructor
+public class InviteController {
+
+  private final InviteService inviteService;
+
+  @PostMapping("/generate")
+  @Operation(summary = "Generate invite", description = "Generate an invite token")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Invite token",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public Map<String, String> generate(Authentication auth) {
+    String token = inviteService.generate(auth.getName());
+    return Map.of("token", token);
+  }
+}

backend/src/main/java/com/openisle/controller/MedalController.java

@@ -0,0 +1,51 @@
+package com.openisle.controller;
+
+import com.openisle.dto.MedalDto;
+import com.openisle.dto.MedalSelectRequest;
+import com.openisle.service.MedalService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/medals")
+@RequiredArgsConstructor
+public class MedalController {
+
+  private final MedalService medalService;
+
+  @GetMapping
+  @Operation(summary = "List medals", description = "List medals for user or globally")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of medals",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = MedalDto.class)))
+  )
+  public List<MedalDto> getMedals(@RequestParam(value = "userId", required = false) Long userId) {
+    return medalService.getMedals(userId);
+  }
+
+  @PostMapping("/select")
+  @Operation(summary = "Select medal", description = "Select a medal for current user")
+  @ApiResponse(responseCode = "200", description = "Medal selected")
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<Void> selectMedal(
+    @RequestBody MedalSelectRequest req,
+    Authentication auth
+  ) {
+    try {
+      medalService.selectMedal(auth.getName(), req.getType());
+      return ResponseEntity.ok().build();
+    } catch (IllegalArgumentException e) {
+      return ResponseEntity.badRequest().build();
+    }
+  }
+}

backend/src/main/java/com/openisle/controller/MessageController.java

@@ -0,0 +1,229 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ConversationDetailDto;
+import com.openisle.dto.ConversationDto;
+import com.openisle.dto.CreateConversationRequest;
+import com.openisle.dto.CreateConversationResponse;
+import com.openisle.dto.MessageDto;
+import com.openisle.model.Message;
+import com.openisle.model.MessageConversation;
+import com.openisle.model.User;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.MessageService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.domain.Sort;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/messages")
+@RequiredArgsConstructor
+public class MessageController {
+
+  private final MessageService messageService;
+  private final UserRepository userRepository;
+
+  // This is a placeholder for getting the current user's ID
+  private Long getCurrentUserId(Authentication auth) {
+    User user = userRepository
+      .findByUsername(auth.getName())
+      .orElseThrow(() -> new IllegalArgumentException("Sender not found"));
+    // In a real application, you would get this from the Authentication object
+    return user.getId();
+  }
+
+  @GetMapping("/conversations")
+  @Operation(summary = "List conversations", description = "Get all conversations of current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of conversations",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = ConversationDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<List<ConversationDto>> getConversations(Authentication auth) {
+    List<ConversationDto> conversations = messageService.getConversations(getCurrentUserId(auth));
+    return ResponseEntity.ok(conversations);
+  }
+
+  @GetMapping("/conversations/{conversationId}")
+  @Operation(summary = "Get conversation", description = "Get messages of a conversation")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Conversation detail",
+    content = @Content(schema = @Schema(implementation = ConversationDetailDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<ConversationDetailDto> getMessages(
+    @PathVariable Long conversationId,
+    @RequestParam(defaultValue = "0") int page,
+    @RequestParam(defaultValue = "20") int size,
+    Authentication auth
+  ) {
+    Pageable pageable = PageRequest.of(page, size, Sort.by("createdAt").descending());
+    ConversationDetailDto conversationDetails = messageService.getConversationDetails(
+      conversationId,
+      getCurrentUserId(auth),
+      pageable
+    );
+    return ResponseEntity.ok(conversationDetails);
+  }
+
+  @PostMapping
+  @Operation(summary = "Send message", description = "Send a direct message to a user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Message sent",
+    content = @Content(schema = @Schema(implementation = MessageDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<MessageDto> sendMessage(
+    @RequestBody MessageRequest req,
+    Authentication auth
+  ) {
+    Message message = messageService.sendMessage(
+      getCurrentUserId(auth),
+      req.getRecipientId(),
+      req.getContent(),
+      req.getReplyToId()
+    );
+    return ResponseEntity.ok(messageService.toDto(message));
+  }
+
+  @PostMapping("/conversations/{conversationId}/messages")
+  @Operation(summary = "Send message to conversation", description = "Reply within a conversation")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Message sent",
+    content = @Content(schema = @Schema(implementation = MessageDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<MessageDto> sendMessageToConversation(
+    @PathVariable Long conversationId,
+    @RequestBody ChannelMessageRequest req,
+    Authentication auth
+  ) {
+    Message message = messageService.sendMessageToConversation(
+      getCurrentUserId(auth),
+      conversationId,
+      req.getContent(),
+      req.getReplyToId()
+    );
+    return ResponseEntity.ok(messageService.toDto(message));
+  }
+
+  @PostMapping("/conversations/{conversationId}/read")
+  @Operation(
+    summary = "Mark conversation read",
+    description = "Mark messages in conversation as read"
+  )
+  @ApiResponse(responseCode = "200", description = "Marked as read")
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<Void> markAsRead(@PathVariable Long conversationId, Authentication auth) {
+    messageService.markConversationAsRead(conversationId, getCurrentUserId(auth));
+    return ResponseEntity.ok().build();
+  }
+
+  @PostMapping("/conversations")
+  @Operation(
+    summary = "Find or create conversation",
+    description = "Find existing or create new conversation with recipient"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Conversation id",
+    content = @Content(schema = @Schema(implementation = CreateConversationResponse.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<CreateConversationResponse> findOrCreateConversation(
+    @RequestBody CreateConversationRequest req,
+    Authentication auth
+  ) {
+    MessageConversation conversation = messageService.findOrCreateConversation(
+      getCurrentUserId(auth),
+      req.getRecipientId()
+    );
+    return ResponseEntity.ok(new CreateConversationResponse(conversation.getId()));
+  }
+
+  @GetMapping("/unread-count")
+  @Operation(
+    summary = "Unread message count",
+    description = "Get unread message count for current user"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unread count",
+    content = @Content(schema = @Schema(implementation = Long.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<Long> getUnreadCount(Authentication auth) {
+    return ResponseEntity.ok(messageService.getUnreadMessageCount(getCurrentUserId(auth)));
+  }
+
+  // A simple request DTO
+  static class MessageRequest {
+
+    private Long recipientId;
+    private String content;
+    private Long replyToId;
+
+    public Long getRecipientId() {
+      return recipientId;
+    }
+
+    public void setRecipientId(Long recipientId) {
+      this.recipientId = recipientId;
+    }
+
+    public String getContent() {
+      return content;
+    }
+
+    public void setContent(String content) {
+      this.content = content;
+    }
+
+    public Long getReplyToId() {
+      return replyToId;
+    }
+
+    public void setReplyToId(Long replyToId) {
+      this.replyToId = replyToId;
+    }
+  }
+
+  static class ChannelMessageRequest {
+
+    private String content;
+    private Long replyToId;
+
+    public String getContent() {
+      return content;
+    }
+
+    public void setContent(String content) {
+      this.content = content;
+    }
+
+    public Long getReplyToId() {
+      return replyToId;
+    }
+
+    public void setReplyToId(Long replyToId) {
+      this.replyToId = replyToId;
+    }
+  }
+}

backend/src/main/java/com/openisle/controller/NotificationController.java

@@ -0,0 +1,159 @@
+package com.openisle.controller;
+
+import com.openisle.dto.NotificationDto;
+import com.openisle.dto.NotificationMarkReadRequest;
+import com.openisle.dto.NotificationPreferenceDto;
+import com.openisle.dto.NotificationPreferenceUpdateRequest;
+import com.openisle.dto.NotificationUnreadCountDto;
+import com.openisle.mapper.NotificationMapper;
+import com.openisle.service.NotificationService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+/** Endpoints for user notifications. */
+@RestController
+@RequestMapping("/api/notifications")
+@RequiredArgsConstructor
+public class NotificationController {
+
+  private final NotificationService notificationService;
+  private final NotificationMapper notificationMapper;
+
+  @GetMapping
+  @Operation(
+    summary = "List notifications",
+    description = "Retrieve notifications for the current user"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Notifications",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<NotificationDto> list(
+    @RequestParam(value = "page", defaultValue = "0") int page,
+    @RequestParam(value = "size", defaultValue = "30") int size,
+    Authentication auth
+  ) {
+    return notificationService
+      .listNotifications(auth.getName(), null, page, size)
+      .stream()
+      .map(notificationMapper::toDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/unread")
+  @Operation(
+    summary = "List unread notifications",
+    description = "Retrieve unread notifications for the current user"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unread notifications",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<NotificationDto> listUnread(
+    @RequestParam(value = "page", defaultValue = "0") int page,
+    @RequestParam(value = "size", defaultValue = "30") int size,
+    Authentication auth
+  ) {
+    return notificationService
+      .listNotifications(auth.getName(), false, page, size)
+      .stream()
+      .map(notificationMapper::toDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/unread-count")
+  @Operation(summary = "Unread count", description = "Get count of unread notifications")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Unread count",
+    content = @Content(schema = @Schema(implementation = NotificationUnreadCountDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public NotificationUnreadCountDto unreadCount(Authentication auth) {
+    long count = notificationService.countUnread(auth.getName());
+    NotificationUnreadCountDto uc = new NotificationUnreadCountDto();
+    uc.setCount(count);
+    return uc;
+  }
+
+  @PostMapping("/read")
+  @Operation(summary = "Mark notifications read", description = "Mark notifications as read")
+  @ApiResponse(responseCode = "200", description = "Marked read")
+  @SecurityRequirement(name = "JWT")
+  public void markRead(@RequestBody NotificationMarkReadRequest req, Authentication auth) {
+    notificationService.markRead(auth.getName(), req.getIds());
+  }
+
+  @GetMapping("/prefs")
+  @Operation(summary = "List preferences", description = "List notification preferences")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Preferences",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<NotificationPreferenceDto> prefs(Authentication auth) {
+    return notificationService.listPreferences(auth.getName());
+  }
+
+  @PostMapping("/prefs")
+  @Operation(summary = "Update preference", description = "Update notification preference")
+  @ApiResponse(responseCode = "200", description = "Preference updated")
+  @SecurityRequirement(name = "JWT")
+  public void updatePref(
+    @RequestBody NotificationPreferenceUpdateRequest req,
+    Authentication auth
+  ) {
+    notificationService.updatePreference(auth.getName(), req.getType(), req.isEnabled());
+  }
+
+  @GetMapping("/email-prefs")
+  @Operation(
+    summary = "List email preferences",
+    description = "List email notification preferences"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Email preferences",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<NotificationPreferenceDto> emailPrefs(Authentication auth) {
+    return notificationService.listEmailPreferences(auth.getName());
+  }
+
+  @PostMapping("/email-prefs")
+  @Operation(
+    summary = "Update email preference",
+    description = "Update email notification preference"
+  )
+  @ApiResponse(responseCode = "200", description = "Email preference updated")
+  @SecurityRequirement(name = "JWT")
+  public void updateEmailPref(
+    @RequestBody NotificationPreferenceUpdateRequest req,
+    Authentication auth
+  ) {
+    notificationService.updateEmailPreference(auth.getName(), req.getType(), req.isEnabled());
+  }
+}

backend/src/main/java/com/openisle/controller/OnlineController.java

@@ -0,0 +1,44 @@
+package com.openisle.controller;
+
+import com.openisle.config.CachingConfig;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.time.Duration;
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * @author smallclover
+ * @since 2025-09-05
+ * 统计在线人数
+ */
+@RestController
+@RequestMapping("/api/online")
+@RequiredArgsConstructor
+public class OnlineController {
+
+  private final RedisTemplate redisTemplate;
+  private static final String ONLINE_KEY = CachingConfig.ONLINE_CACHE_NAME + ":";
+
+  @PostMapping("/heartbeat")
+  @Operation(summary = "Heartbeat", description = "Record user heartbeat")
+  @ApiResponse(responseCode = "200", description = "Heartbeat recorded")
+  public void ping(@RequestParam String userId) {
+    redisTemplate.opsForValue().set(ONLINE_KEY + userId, "1", Duration.ofSeconds(150));
+  }
+
+  @GetMapping("/count")
+  @Operation(summary = "Online count", description = "Get current online user count")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Online count",
+    content = @Content(schema = @Schema(implementation = Long.class))
+  )
+  public long count() {
+    return redisTemplate.keys(ONLINE_KEY + "*").size();
+  }
+}

backend/src/main/java/com/openisle/controller/PointHistoryController.java

@@ -0,0 +1,62 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PointHistoryDto;
+import com.openisle.mapper.PointHistoryMapper;
+import com.openisle.service.PointService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/point-histories")
+@RequiredArgsConstructor
+public class PointHistoryController {
+
+  private final PointService pointService;
+  private final PointHistoryMapper pointHistoryMapper;
+
+  @GetMapping
+  @Operation(summary = "Point history", description = "List point history for current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of point histories",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PointHistoryDto.class))
+    )
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<PointHistoryDto> list(Authentication auth) {
+    return pointService
+      .listHistory(auth.getName())
+      .stream()
+      .map(pointHistoryMapper::toDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/trend")
+  @Operation(summary = "Point trend", description = "Get point trend data for current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Trend data",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
+  )
+  @SecurityRequirement(name = "JWT")
+  public List<Map<String, Object>> trend(
+    Authentication auth,
+    @RequestParam(value = "days", defaultValue = "30") int days
+  ) {
+    return pointService.trend(auth.getName(), days);
+  }
+}

backend/src/main/java/com/openisle/controller/PointMallController.java

@@ -0,0 +1,60 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PointGoodDto;
+import com.openisle.dto.PointRedeemRequest;
+import com.openisle.mapper.PointGoodMapper;
+import com.openisle.model.User;
+import com.openisle.service.PointMallService;
+import com.openisle.service.UserService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+/** REST controller for point mall. */
+@RestController
+@RequestMapping("/api/point-goods")
+@RequiredArgsConstructor
+public class PointMallController {
+
+  private final PointMallService pointMallService;
+  private final UserService userService;
+  private final PointGoodMapper pointGoodMapper;
+
+  @GetMapping
+  @Operation(summary = "List goods", description = "List all point goods")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of goods",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PointGoodDto.class)))
+  )
+  public List<PointGoodDto> list() {
+    return pointMallService
+      .listGoods()
+      .stream()
+      .map(pointGoodMapper::toDto)
+      .collect(Collectors.toList());
+  }
+
+  @PostMapping("/redeem")
+  @Operation(summary = "Redeem good", description = "Redeem a point good")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Remaining points",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public Map<String, Integer> redeem(@RequestBody PointRedeemRequest req, Authentication auth) {
+    User user = userService.findByIdentifier(auth.getName()).orElseThrow();
+    int point = pointMallService.redeem(user, req.getGoodId(), req.getContact());
+    return Map.of("point", point);
+  }
+}

backend/src/main/java/com/openisle/controller/PostChangeLogController.java

@@ -0,0 +1,36 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostChangeLogDto;
+import com.openisle.mapper.PostChangeLogMapper;
+import com.openisle.service.PostChangeLogService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/posts")
+@RequiredArgsConstructor
+public class PostChangeLogController {
+
+  private final PostChangeLogService changeLogService;
+  private final PostChangeLogMapper mapper;
+
+  @GetMapping("/{id}/change-logs")
+  @Operation(summary = "Post change logs", description = "List change logs for a post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Change logs",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostChangeLogDto.class))
+    )
+  )
+  public List<PostChangeLogDto> listLogs(@PathVariable Long id) {
+    return changeLogService.listLogs(id).stream().map(mapper::toDto).collect(Collectors.toList());
+  }
+}

backend/src/main/java/com/openisle/controller/PostController.java

@@ -0,0 +1,342 @@
+package com.openisle.controller;
+
+import com.openisle.config.CachingConfig;
+import com.openisle.dto.PollDto;
+import com.openisle.dto.PostDetailDto;
+import com.openisle.dto.PostRequest;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.model.Post;
+import com.openisle.service.*;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.cache.annotation.Cacheable;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/posts")
+@RequiredArgsConstructor
+public class PostController {
+
+  private final PostService postService;
+  private final CategoryService categoryService;
+  private final TagService tagService;
+  private final LevelService levelService;
+  private final CaptchaService captchaService;
+  private final DraftService draftService;
+  private final UserVisitService userVisitService;
+  private final PostMapper postMapper;
+  private final PointService pointService;
+
+  @Value("${app.captcha.enabled:false}")
+  private boolean captchaEnabled;
+
+  @Value("${app.captcha.post-enabled:false}")
+  private boolean postCaptchaEnabled;
+
+  @PostMapping
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Create post", description = "Create a new post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Created post",
+    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
+  )
+  public ResponseEntity<PostDetailDto> createPost(
+    @RequestBody PostRequest req,
+    Authentication auth
+  ) {
+    if (captchaEnabled && postCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+      return ResponseEntity.badRequest().build();
+    }
+    Post post = postService.createPost(
+      auth.getName(),
+      req.getCategoryId(),
+      req.getTitle(),
+      req.getContent(),
+      req.getTagIds(),
+      req.getType(),
+      req.getPostVisibleScopeType(),
+      req.getPrizeDescription(),
+      req.getPrizeIcon(),
+      req.getPrizeCount(),
+      req.getPointCost(),
+      req.getStartTime(),
+      req.getEndTime(),
+      req.getOptions(),
+      req.getMultiple(),
+      req.getProposedName(),
+      req.getProposalDescription()
+    );
+    draftService.deleteDraft(auth.getName());
+    PostDetailDto dto = postMapper.toDetailDto(post, auth.getName());
+    dto.setReward(levelService.awardForPost(auth.getName()));
+    dto.setPointReward(pointService.awardForPost(auth.getName(), post.getId()));
+    return ResponseEntity.ok(dto);
+  }
+
+  @PutMapping("/{id}")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Update post", description = "Update an existing post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated post",
+    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
+  )
+  public ResponseEntity<PostDetailDto> updatePost(
+    @PathVariable Long id,
+    @RequestBody PostRequest req,
+    Authentication auth
+  ) {
+    Post post = postService.updatePost(
+      id,
+      auth.getName(),
+      req.getCategoryId(),
+      req.getTitle(),
+      req.getContent(),
+      req.getTagIds(),
+      req.getPostVisibleScopeType()
+    );
+    return ResponseEntity.ok(postMapper.toDetailDto(post, auth.getName()));
+  }
+
+  @DeleteMapping("/{id}")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Delete post", description = "Delete a post")
+  @ApiResponse(responseCode = "200", description = "Post deleted")
+  public void deletePost(@PathVariable Long id, Authentication auth) {
+    postService.deletePost(id, auth.getName());
+  }
+
+  @PostMapping("/{id}/close")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Close post", description = "Close a post to prevent further replies")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Closed post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto close(@PathVariable Long id, Authentication auth) {
+    return postMapper.toSummaryDto(postService.closePost(id, auth.getName()));
+  }
+
+  @PostMapping("/{id}/reopen")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Reopen post", description = "Reopen a closed post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reopened post",
+    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
+  )
+  public PostSummaryDto reopen(@PathVariable Long id, Authentication auth) {
+    return postMapper.toSummaryDto(postService.reopenPost(id, auth.getName()));
+  }
+
+  @GetMapping("/{id}")
+  @Operation(summary = "Get post", description = "Get post details by id")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Post detail",
+    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
+  )
+  public ResponseEntity<PostDetailDto> getPost(@PathVariable Long id, Authentication auth) {
+    String viewer = auth != null ? auth.getName() : null;
+    Post post = postService.viewPost(id, viewer);
+    return ResponseEntity.ok(postMapper.toDetailDto(post, viewer));
+  }
+
+  @PostMapping("/{id}/lottery/join")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Join lottery", description = "Join a lottery for the post")
+  @ApiResponse(responseCode = "200", description = "Joined lottery")
+  public ResponseEntity<Void> joinLottery(@PathVariable Long id, Authentication auth) {
+    postService.joinLottery(id, auth.getName());
+    return ResponseEntity.ok().build();
+  }
+
+  @GetMapping("/{id}/poll/progress")
+  @Operation(summary = "Poll progress", description = "Get poll progress for a post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Poll progress",
+    content = @Content(schema = @Schema(implementation = PollDto.class))
+  )
+  public ResponseEntity<PollDto> pollProgress(@PathVariable Long id) {
+    return ResponseEntity.ok(postMapper.toSummaryDto(postService.getPoll(id)).getPoll());
+  }
+
+  @PostMapping("/{id}/poll/vote")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Vote poll", description = "Vote on a poll option")
+  @ApiResponse(responseCode = "200", description = "Vote recorded")
+  public ResponseEntity<Void> vote(
+    @PathVariable Long id,
+    @RequestParam("option") List<Integer> option,
+    Authentication auth
+  ) {
+    postService.votePoll(id, auth.getName(), option);
+    return ResponseEntity.ok().build();
+  }
+
+  @GetMapping
+  @Operation(summary = "List posts", description = "List posts by various filters")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  @Cacheable(
+    value = CachingConfig.POST_CACHE_NAME,
+    key = "new org.springframework.cache.interceptor.SimpleKey('default', #categoryId, #categoryIds, #tagId, #tagIds, #page, #pageSize)"
+  )
+  public List<PostSummaryDto> listPosts(
+    @RequestParam(value = "categoryId", required = false) Long categoryId,
+    @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+    @RequestParam(value = "tagId", required = false) Long tagId,
+    @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize,
+    Authentication auth
+  ) {
+    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+    // 只需要在请求的一开始统计一次
+    //        if (auth != null) {
+    //            userVisitService.recordVisit(auth.getName());
+    //        }
+
+    return postService
+      .defaultListPosts(ids, tids, page, pageSize)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/recent")
+  @Operation(
+    summary = "Recent posts",
+    description = "List posts created within the specified number of minutes"
+  )
+  @ApiResponse(
+    responseCode = "200",
+    description = "Recent posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> recentPosts(@RequestParam("minutes") int minutes) {
+    return postService
+      .listRecentPosts(minutes)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/ranking")
+  @Operation(summary = "Ranking posts", description = "List posts by view rankings")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Ranked posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> rankingPosts(
+    @RequestParam(value = "categoryId", required = false) Long categoryId,
+    @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+    @RequestParam(value = "tagId", required = false) Long tagId,
+    @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize,
+    Authentication auth
+  ) {
+    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+    // 只需要在请求的一开始统计一次
+    //        if (auth != null) {
+    //            userVisitService.recordVisit(auth.getName());
+    //        }
+
+    return postService
+      .listPostsByViews(ids, tids, page, pageSize)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/latest-reply")
+  @Operation(summary = "Latest reply posts", description = "List posts by latest replies")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Posts sorted by latest reply",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  @Cacheable(
+    value = CachingConfig.POST_CACHE_NAME,
+    key = "new org.springframework.cache.interceptor.SimpleKey('latest_reply', #categoryId, #categoryIds, #tagIds, #page, #pageSize)"
+  )
+  public List<PostSummaryDto> latestReplyPosts(
+    @RequestParam(value = "categoryId", required = false) Long categoryId,
+    @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+    @RequestParam(value = "tagId", required = false) Long tagId,
+    @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize,
+    Authentication auth
+  ) {
+    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+    // 只需要在请求的一开始统计一次
+    //        if (auth != null) {
+    //            userVisitService.recordVisit(auth.getName());
+    //        }
+
+    List<Post> posts = postService.listPostsByLatestReply(ids, tids, page, pageSize);
+    return posts.stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+  }
+
+  @GetMapping("/featured")
+  @Operation(summary = "Featured posts", description = "List featured posts")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Featured posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> featuredPosts(
+    @RequestParam(value = "categoryId", required = false) Long categoryId,
+    @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+    @RequestParam(value = "tagId", required = false) Long tagId,
+    @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize,
+    Authentication auth
+  ) {
+    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+    // 只需要在请求的一开始统计一次
+    //        if (auth != null) {
+    //            userVisitService.recordVisit(auth.getName());
+    //        }
+    return postService
+      .listFeaturedPosts(ids, tids, page, pageSize)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+}

backend/src/main/java/com/openisle/controller/PostDonationController.java

@@ -0,0 +1,43 @@
+package com.openisle.controller;
+
+import com.openisle.dto.DonationRequest;
+import com.openisle.dto.DonationResponse;
+import com.openisle.service.PointService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/posts/{postId}/donations")
+@RequiredArgsConstructor
+public class PostDonationController {
+
+  private final PointService pointService;
+
+  @GetMapping
+  @Operation(summary = "List donations", description = "Get recent donations for a post")
+  @ApiResponse(responseCode = "200", description = "Donation summary")
+  public DonationResponse list(@PathVariable Long postId) {
+    return pointService.getPostDonations(postId);
+  }
+
+  @PostMapping
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Donate", description = "Donate points to the post author")
+  @ApiResponse(responseCode = "200", description = "Donation result")
+  public DonationResponse donate(
+    @PathVariable Long postId,
+    @RequestBody DonationRequest req,
+    Authentication auth
+  ) {
+    return pointService.donateToPost(auth.getName(), postId, req.getAmount());
+  }
+}

backend/src/main/java/com/openisle/controller/PushSubscriptionController.java

@@ -0,0 +1,51 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PushPublicKeyDto;
+import com.openisle.dto.PushSubscriptionRequest;
+import com.openisle.service.PushSubscriptionService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/push")
+@RequiredArgsConstructor
+public class PushSubscriptionController {
+
+  private final PushSubscriptionService pushSubscriptionService;
+
+  @Value("${app.webpush.public-key}")
+  private String publicKey;
+
+  @GetMapping("/public-key")
+  @Operation(summary = "Get public key", description = "Retrieve web push public key")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Public key",
+    content = @Content(schema = @Schema(implementation = PushPublicKeyDto.class))
+  )
+  public PushPublicKeyDto getPublicKey() {
+    PushPublicKeyDto r = new PushPublicKeyDto();
+    r.setKey(publicKey);
+    return r;
+  }
+
+  @PostMapping("/subscribe")
+  @Operation(summary = "Subscribe", description = "Subscribe to push notifications")
+  @ApiResponse(responseCode = "200", description = "Subscribed")
+  @SecurityRequirement(name = "JWT")
+  public void subscribe(@RequestBody PushSubscriptionRequest req, Authentication auth) {
+    pushSubscriptionService.saveSubscription(
+      auth.getName(),
+      req.getEndpoint(),
+      req.getP256dh(),
+      req.getAuth()
+    );
+  }
+}

backend/src/main/java/com/openisle/controller/ReactionController.java

@@ -0,0 +1,114 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ReactionDto;
+import com.openisle.dto.ReactionRequest;
+import com.openisle.mapper.ReactionMapper;
+import com.openisle.model.Reaction;
+import com.openisle.model.ReactionType;
+import com.openisle.service.LevelService;
+import com.openisle.service.PointService;
+import com.openisle.service.ReactionService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api")
+@RequiredArgsConstructor
+public class ReactionController {
+
+  private final ReactionService reactionService;
+  private final LevelService levelService;
+  private final ReactionMapper reactionMapper;
+  private final PointService pointService;
+
+  /**
+   * Get all available reaction types.
+   */
+  @GetMapping("/reaction-types")
+  @Operation(summary = "List reaction types", description = "Get all available reaction types")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reaction types",
+    content = @Content(schema = @Schema(implementation = ReactionType[].class))
+  )
+  public ReactionType[] listReactionTypes() {
+    return ReactionType.values();
+  }
+
+  @PostMapping("/posts/{postId}/reactions")
+  @Operation(summary = "React to post", description = "React to a post")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reaction result",
+    content = @Content(schema = @Schema(implementation = ReactionDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<ReactionDto> reactToPost(
+    @PathVariable Long postId,
+    @RequestBody ReactionRequest req,
+    Authentication auth
+  ) {
+    Reaction reaction = reactionService.reactToPost(auth.getName(), postId, req.getType());
+    if (reaction == null) {
+      pointService.deductForReactionOfPost(auth.getName(), postId);
+      return ResponseEntity.noContent().build();
+    }
+    ReactionDto dto = reactionMapper.toDto(reaction);
+    dto.setReward(levelService.awardForReaction(auth.getName()));
+    pointService.awardForReactionOfPost(auth.getName(), postId);
+    return ResponseEntity.ok(dto);
+  }
+
+  @PostMapping("/comments/{commentId}/reactions")
+  @Operation(summary = "React to comment", description = "React to a comment")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reaction result",
+    content = @Content(schema = @Schema(implementation = ReactionDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<ReactionDto> reactToComment(
+    @PathVariable Long commentId,
+    @RequestBody ReactionRequest req,
+    Authentication auth
+  ) {
+    Reaction reaction = reactionService.reactToComment(auth.getName(), commentId, req.getType());
+    if (reaction == null) {
+      pointService.deductForReactionOfComment(auth.getName(), commentId);
+      return ResponseEntity.noContent().build();
+    }
+    ReactionDto dto = reactionMapper.toDto(reaction);
+    dto.setReward(levelService.awardForReaction(auth.getName()));
+    pointService.awardForReactionOfComment(auth.getName(), commentId);
+    return ResponseEntity.ok(dto);
+  }
+
+  @PostMapping("/messages/{messageId}/reactions")
+  @Operation(summary = "React to message", description = "React to a message")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Reaction result",
+    content = @Content(schema = @Schema(implementation = ReactionDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public ResponseEntity<ReactionDto> reactToMessage(
+    @PathVariable Long messageId,
+    @RequestBody ReactionRequest req,
+    Authentication auth
+  ) {
+    Reaction reaction = reactionService.reactToMessage(auth.getName(), messageId, req.getType());
+    if (reaction == null) {
+      return ResponseEntity.noContent().build();
+    }
+    ReactionDto dto = reactionMapper.toDto(reaction);
+    dto.setReward(levelService.awardForReaction(auth.getName()));
+    return ResponseEntity.ok(dto);
+  }
+}

backend/src/main/java/com/openisle/controller/RssController.java

@@ -0,0 +1,406 @@
+package com.openisle.controller;
+
+import com.openisle.model.Comment;
+import com.openisle.model.CommentSort;
+import com.openisle.model.Post;
+import com.openisle.service.CommentService;
+import com.openisle.service.PostService;
+import com.vladsch.flexmark.ext.autolink.AutolinkExtension;
+import com.vladsch.flexmark.ext.gfm.strikethrough.StrikethroughExtension;
+import com.vladsch.flexmark.ext.gfm.tasklist.TaskListExtension;
+import com.vladsch.flexmark.ext.tables.TablesExtension;
+import com.vladsch.flexmark.html.HtmlRenderer;
+import com.vladsch.flexmark.parser.Parser;
+import com.vladsch.flexmark.util.data.MutableDataSet;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.net.URI;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.*;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import lombok.RequiredArgsConstructor;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.nodes.Element;
+import org.jsoup.safety.Safelist;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequiredArgsConstructor
+public class RssController {
+
+  private final PostService postService;
+  private final CommentService commentService;
+
+  @Value("${app.website-url:https://www.open-isle.com}")
+  private String websiteUrl;
+
+  // 兼容 Markdown/HTML 两类图片写法（用于 enclosure）
+  private static final Pattern MD_IMAGE = Pattern.compile("!\\[[^\\]]*\\]\\(([^)]+)\\)");
+  private static final Pattern HTML_IMAGE = Pattern.compile(
+    "<BaseImage[^>]+src=[\"']?([^\"'>]+)[\"']?[^>]*>"
+  );
+
+  private static final DateTimeFormatter RFC1123 = DateTimeFormatter.RFC_1123_DATE_TIME;
+
+  // flexmark：Markdown -> HTML
+  private static final Parser MD_PARSER;
+  private static final HtmlRenderer MD_RENDERER;
+
+  static {
+    MutableDataSet opts = new MutableDataSet();
+    opts.set(
+      Parser.EXTENSIONS,
+      Arrays.asList(
+        TablesExtension.create(),
+        AutolinkExtension.create(),
+        StrikethroughExtension.create(),
+        TaskListExtension.create()
+      )
+    );
+    // 允许内联 HTML（下游再做 sanitize）
+    opts.set(Parser.HTML_BLOCK_PARSER, true);
+    MD_PARSER = Parser.builder(opts).build();
+    MD_RENDERER = HtmlRenderer.builder(opts).escapeHtml(false).build();
+  }
+
+  @GetMapping(value = "/api/rss", produces = "application/rss+xml;charset=UTF-8")
+  @Operation(summary = "RSS feed", description = "Generate RSS feed for latest posts")
+  @ApiResponse(
+    responseCode = "200",
+    description = "RSS XML",
+    content = @Content(schema = @Schema(implementation = String.class))
+  )
+  public String feed() {
+    // 建议 20；你现在是 10，这里保留你的 10
+    List<Post> posts = postService.listLatestRssPosts(10);
+    String base = trimTrailingSlash(websiteUrl);
+
+    StringBuilder sb = new StringBuilder(4096);
+    sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
+    sb.append("<rss version=\"2.0\" xmlns:content=\"http://purl.org/rss/1.0/modules/content/\">");
+    sb.append("<channel>");
+    elem(sb, "title", cdata("OpenIsle RSS"));
+    elem(sb, "link", base + "/");
+    elem(sb, "description", cdata("Latest posts"));
+    ZonedDateTime updated = posts
+      .stream()
+      .map(p -> p.getCreatedAt().atZone(ZoneId.systemDefault()))
+      .max(Comparator.naturalOrder())
+      .orElse(ZonedDateTime.now());
+    // channel lastBuildDate（GMT）
+    elem(sb, "lastBuildDate", toRfc1123Gmt(updated));
+
+    for (Post p : posts) {
+      String link = base + "/posts/" + p.getId();
+
+      // 1) Markdown -> HTML
+      String html = renderMarkdown(p.getContent());
+
+      // 2) Sanitize（白名单增强）
+      String safeHtml = sanitizeHtml(html);
+
+      // 3) 绝对化 href/src + 强制 rel/target
+      String absHtml = absolutifyHtml(safeHtml, base);
+
+      // 4) 纯文本摘要（用于 <description>）
+      String plain = textSummary(absHtml, 180);
+
+      // 5) enclosure（首图，已绝对化）
+      String enclosure = firstImage(p.getContent());
+      if (enclosure == null) {
+        // 如果 Markdown 没有图，尝试从渲染后的 HTML 再抓一次
+        enclosure = firstImage(absHtml);
+      }
+      if (enclosure != null) {
+        enclosure = absolutifyUrl(enclosure, base);
+      }
+
+      // 6) 构造优雅的附加区块（原文链接 + 精选评论），编入 <content:encoded>
+      List<Comment> topComments = commentService.getCommentsForPost(
+        p.getId(),
+        CommentSort.MOST_INTERACTIONS
+      );
+      topComments = topComments.subList(0, Math.min(10, topComments.size()));
+      String footerHtml = buildFooterHtml(base, link, topComments);
+
+      sb.append("<item>");
+      elem(sb, "title", cdata(nullSafe(p.getTitle())));
+      elem(sb, "link", link);
+      sb.append("<guid isPermaLink=\"true\">").append(link).append("</guid>");
+      elem(sb, "pubDate", toRfc1123Gmt(p.getCreatedAt().atZone(ZoneId.systemDefault())));
+      // 摘要
+      elem(sb, "description", cdata(plain));
+      // 全文（HTML）：正文 + 优雅的 Markdown 区块（已转 HTML）
+      sb
+        .append("<content:encoded><![CDATA[")
+        .append(absHtml)
+        .append(footerHtml)
+        .append("]]></content:encoded>");
+      // 首图 enclosure（图片类型）
+      if (enclosure != null) {
+        sb
+          .append("<enclosure url=\"")
+          .append(escapeXml(enclosure))
+          .append("\" type=\"")
+          .append(getMimeType(enclosure))
+          .append("\" />");
+      }
+      sb.append("</item>");
+    }
+
+    sb.append("</channel></rss>");
+    return sb.toString();
+  }
+
+  /* ===================== Markdown → HTML ===================== */
+
+  private static String renderMarkdown(String md) {
+    if (md == null || md.isEmpty()) return "";
+    return MD_RENDERER.render(MD_PARSER.parse(md));
+  }
+
+  /* ===================== Sanitize & 绝对化 ===================== */
+
+  private static String sanitizeHtml(String html) {
+    if (html == null) return "";
+    Safelist wl = Safelist.relaxed()
+      .addTags(
+        "pre",
+        "code",
+        "figure",
+        "figcaption",
+        "picture",
+        "source",
+        "table",
+        "thead",
+        "tbody",
+        "tr",
+        "th",
+        "td",
+        "h1",
+        "h2",
+        "h3",
+        "h4",
+        "h5",
+        "h6",
+        "hr",
+        "blockquote"
+      )
+      .addAttributes("a", "href", "title", "target", "rel")
+      .addAttributes("img", "src", "alt", "title", "width", "height")
+      .addAttributes("source", "srcset", "type", "media")
+      .addAttributes("code", "class")
+      .addAttributes("pre", "class")
+      .addProtocols("a", "href", "http", "https", "mailto")
+      .addProtocols("img", "src", "http", "https", "data")
+      .addProtocols("source", "srcset", "http", "https");
+    // 清除所有 on* 事件、style（避免阅读器环境差异）
+    return Jsoup.clean(html, wl);
+  }
+
+  private static String absolutifyHtml(String html, String baseUrl) {
+    if (html == null || html.isEmpty()) return "";
+    Document doc = Jsoup.parseBodyFragment(html, baseUrl);
+    // a[href]
+    for (Element a : doc.select("a[href]")) {
+      String href = a.attr("href");
+      String abs = absolutifyUrl(href, baseUrl);
+      a.attr("href", abs);
+      // 强制外链安全属性
+      a.attr("rel", "noopener noreferrer nofollow");
+      a.attr("target", "_blank");
+    }
+    // img[src]
+    for (Element img : doc.select("img[src]")) {
+      String src = img.attr("src");
+      String abs = absolutifyUrl(src, baseUrl);
+      img.attr("src", abs);
+    }
+    // source[srcset] （picture/webp）
+    for (Element s : doc.select("source[srcset]")) {
+      String srcset = s.attr("srcset");
+      s.attr("srcset", absolutifySrcset(srcset, baseUrl));
+    }
+    return doc.body().html();
+  }
+
+  private static String absolutifyUrl(String url, String baseUrl) {
+    if (url == null || url.isEmpty()) return url;
+    String u = url.trim();
+    if (u.startsWith("//")) {
+      return "https:" + u;
+    }
+    if (u.startsWith("#")) {
+      // 保留页面内锚点：拼接到首页（也可拼接到当前帖子的 link，但此处无上下文）
+      return baseUrl + "/" + u;
+    }
+    try {
+      URI base = URI.create(ensureTrailingSlash(baseUrl));
+      URI abs = base.resolve(u);
+      return abs.toString();
+    } catch (Exception e) {
+      return url;
+    }
+  }
+
+  private static String absolutifySrcset(String srcset, String baseUrl) {
+    if (srcset == null || srcset.isEmpty()) return srcset;
+    String[] parts = srcset.split(",");
+    List<String> out = new ArrayList<>(parts.length);
+    for (String part : parts) {
+      String p = part.trim();
+      if (p.isEmpty()) continue;
+      String[] seg = p.split("\\s+");
+      String url = seg[0];
+      String size = seg.length > 1 ? seg[1] : "";
+      out.add(absolutifyUrl(url, baseUrl) + (size.isEmpty() ? "" : " " + size));
+    }
+    return String.join(", ", out);
+  }
+
+  /* ===================== 摘要 & enclosure ===================== */
+
+  private static String textSummary(String html, int maxLen) {
+    if (html == null) return "";
+    String text = Jsoup.parse(html).text().replaceAll("\\s+", " ").trim();
+    if (text.length() <= maxLen) return text;
+    return text.substring(0, maxLen) + "…";
+  }
+
+  private String firstImage(String content) {
+    if (content == null) return null;
+    Matcher m = MD_IMAGE.matcher(content);
+    if (m.find()) return m.group(1);
+    m = HTML_IMAGE.matcher(content);
+    if (m.find()) return m.group(1);
+    // 再从纯 HTML 里解析一次（如果传入的是渲染后的）
+    try {
+      Document doc = Jsoup.parse(content);
+      Element img = doc.selectFirst("img[src]");
+      if (img != null) return img.attr("src");
+    } catch (Exception ignored) {}
+    return null;
+  }
+
+  private static String getMimeType(String url) {
+    String lower = url == null ? "" : url.toLowerCase(Locale.ROOT);
+    if (lower.endsWith(".png")) return "image/png";
+    if (lower.endsWith(".gif")) return "image/gif";
+    if (lower.endsWith(".webp")) return "image/webp";
+    if (lower.endsWith(".svg")) return "image/svg+xml";
+    if (lower.endsWith(".avif")) return "image/avif";
+    if (lower.endsWith(".jpg") || lower.endsWith(".jpeg")) return "image/jpeg";
+    // 默认兜底
+    return "image/jpeg";
+  }
+
+  /* ===================== 附加区块（原文链接 + 精选评论） ===================== */
+
+  /**
+   * 将“原文链接 + 精选评论（最多 10 条）”以优雅的 Markdown 形式渲染为 HTML，
+   * 并做 sanitize + 绝对化，然后拼入 content:encoded 尾部。
+   */
+  private static String buildFooterHtml(
+    String baseUrl,
+    String originalLink,
+    List<Comment> topComments
+  ) {
+    StringBuilder md = new StringBuilder(256);
+
+    // 分割线
+    md.append("\n\n---\n\n");
+
+    // 原文链接（强调 + 可点击）
+    md
+      .append("**原文链接：** ")
+      .append("[")
+      .append(originalLink)
+      .append("](")
+      .append(originalLink)
+      .append(")")
+      .append("\n\n");
+
+    // 精选评论（仅当有评论时展示）
+    if (topComments != null && !topComments.isEmpty()) {
+      md.append("### 精选评论（Top ").append(Math.min(10, topComments.size())).append("）\n\n");
+      for (Comment c : topComments) {
+        String author = usernameOf(c);
+        String content = nullSafe(c.getContent()).replace("\r", "");
+        // 使用引用样式展示，提升可读性
+        md.append("> @").append(author).append(": ").append(content).append("\n\n");
+      }
+    }
+
+    // 渲染为 HTML，并保持和正文一致的处理流程
+    String html = renderMarkdown(md.toString());
+    String safe = sanitizeHtml(html);
+    return absolutifyHtml(safe, baseUrl);
+  }
+
+  private static String usernameOf(Comment c) {
+    if (c == null) return "匿名";
+    try {
+      Object authorObj = c.getAuthor();
+      if (authorObj == null) return "匿名";
+      // 反射避免直接依赖实体字段名变化（也可直接强转到具体类型）
+      String username;
+      try {
+        username = (String) authorObj.getClass().getMethod("getUsername").invoke(authorObj);
+      } catch (Exception e) {
+        username = null;
+      }
+      if (username == null || username.isEmpty()) return "匿名";
+      return username;
+    } catch (Exception ignored) {
+      return "匿名";
+    }
+  }
+
+  /* ===================== 时间/字符串/XML ===================== */
+
+  private static String toRfc1123Gmt(ZonedDateTime zdt) {
+    return zdt.withZoneSameInstant(ZoneId.of("GMT")).format(RFC1123);
+  }
+
+  private static String cdata(String s) {
+    if (s == null) return "<![CDATA[]]>";
+    // 防止出现 "]]>" 终止标记破坏 CDATA
+    return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>";
+  }
+
+  private static void elem(StringBuilder sb, String name, String value) {
+    sb.append('<').append(name).append('>').append(value).append("</").append(name).append('>');
+  }
+
+  private static String escapeXml(String s) {
+    if (s == null) return "";
+    return s
+      .replace("&", "&amp;")
+      .replace("<", "&lt;")
+      .replace(">", "&gt;")
+      .replace("\"", "&quot;")
+      .replace("'", "&apos;");
+  }
+
+  private static String trimTrailingSlash(String s) {
+    if (s == null) return "";
+    return s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
+  }
+
+  private static String ensureTrailingSlash(String s) {
+    if (s == null || s.isEmpty()) return "/";
+    return s.endsWith("/") ? s : s + "/";
+  }
+
+  private static String nullSafe(String s) {
+    return s == null ? "" : s;
+  }
+}

backend/src/main/java/com/openisle/controller/SearchController.java

@@ -0,0 +1,125 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.dto.SearchResultDto;
+import com.openisle.dto.UserDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.mapper.UserMapper;
+import com.openisle.service.SearchService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.util.List;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/search")
+@RequiredArgsConstructor
+public class SearchController {
+
+  private final SearchService searchService;
+  private final UserMapper userMapper;
+  private final PostMapper postMapper;
+
+  @GetMapping("/users")
+  @Operation(summary = "Search users", description = "Search users by keyword")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of users",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
+  )
+  public List<UserDto> searchUsers(@RequestParam String keyword) {
+    return searchService
+      .searchUsers(keyword)
+      .stream()
+      .map(userMapper::toDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/posts")
+  @Operation(summary = "Search posts", description = "Search posts by keyword")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> searchPosts(@RequestParam String keyword) {
+    return searchService
+      .searchPosts(keyword)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/posts/content")
+  @Operation(summary = "Search posts by content", description = "Search posts by content keyword")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> searchPostsByContent(@RequestParam String keyword) {
+    return searchService
+      .searchPostsByContent(keyword)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/posts/title")
+  @Operation(summary = "Search posts by title", description = "Search posts by title keyword")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> searchPostsByTitle(@RequestParam String keyword) {
+    return searchService
+      .searchPostsByTitle(keyword)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+
+  @GetMapping("/global")
+  @Operation(summary = "Global search", description = "Search users and posts globally")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Search results",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = SearchResultDto.class))
+    )
+  )
+  public List<SearchResultDto> global(@RequestParam String keyword) {
+    return searchService
+      .globalSearch(keyword)
+      .stream()
+      .map(r -> {
+        SearchResultDto dto = new SearchResultDto();
+        dto.setType(r.type());
+        dto.setId(r.id());
+        dto.setText(r.text());
+        dto.setSubText(r.subText());
+        dto.setExtra(r.extra());
+        dto.setPostId(r.postId());
+        dto.setHighlightedText(r.highlightedText());
+        dto.setHighlightedSubText(r.highlightedSubText());
+        dto.setHighlightedExtra(r.highlightedExtra());
+        return dto;
+      })
+      .collect(Collectors.toList());
+  }
+}

backend/src/main/java/com/openisle/controller/SitemapController.java

@@ -0,0 +1,69 @@
+package com.openisle.controller;
+
+import com.openisle.model.Post;
+import com.openisle.model.PostStatus;
+import com.openisle.repository.PostRepository;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.util.List;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * Controller for dynamic sitemap generation.
+ */
+@RestController
+@RequiredArgsConstructor
+@RequestMapping("/api")
+public class SitemapController {
+
+  private final PostRepository postRepository;
+
+  @Value("${app.website-url}")
+  private String websiteUrl;
+
+  @GetMapping(value = "/sitemap.xml", produces = MediaType.APPLICATION_XML_VALUE)
+  @Operation(summary = "Sitemap", description = "Generate sitemap xml")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Sitemap xml",
+    content = @Content(schema = @Schema(implementation = String.class))
+  )
+  public ResponseEntity<String> sitemap() {
+    List<Post> posts = postRepository.findByStatus(PostStatus.PUBLISHED);
+
+    StringBuilder body = new StringBuilder();
+    body.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
+    body.append("<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">\n");
+
+    List<String> staticRoutes = List.of("/", "/about", "/activities", "/login", "/signup");
+
+    for (String path : staticRoutes) {
+      body.append("  <url><loc>").append(websiteUrl).append(path).append("</loc></url>\n");
+    }
+
+    for (Post p : posts) {
+      body
+        .append("  <url>\n")
+        .append("    <loc>")
+        .append(websiteUrl)
+        .append("/posts/")
+        .append(p.getId())
+        .append("</loc>\n")
+        .append("    <lastmod>")
+        .append(p.getCreatedAt().toLocalDate())
+        .append("</lastmod>\n")
+        .append("  </url>\n");
+    }
+
+    body.append("</urlset>");
+    return ResponseEntity.ok().contentType(MediaType.APPLICATION_XML).body(body.toString());
+  }
+}

backend/src/main/java/com/openisle/controller/StatController.java

@@ -0,0 +1,127 @@
+package com.openisle.controller;
+
+import com.openisle.service.StatService;
+import com.openisle.service.UserVisitService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.time.LocalDate;
+import java.util.List;
+import java.util.Map;
+import lombok.RequiredArgsConstructor;
+import org.springframework.format.annotation.DateTimeFormat;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/stats")
+@RequiredArgsConstructor
+public class StatController {
+
+  private final UserVisitService userVisitService;
+  private final StatService statService;
+
+  @GetMapping("/dau")
+  @Operation(summary = "Daily active users", description = "Get daily active user count")
+  @ApiResponse(
+    responseCode = "200",
+    description = "DAU count",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  public Map<String, Long> dau(
+    @RequestParam(value = "date", required = false) @DateTimeFormat(
+      iso = DateTimeFormat.ISO.DATE
+    ) LocalDate date
+  ) {
+    long count = userVisitService.countDau(date);
+    return Map.of("dau", count);
+  }
+
+  @GetMapping("/dau-range")
+  @Operation(summary = "DAU range", description = "Get daily active users over range of days")
+  @ApiResponse(
+    responseCode = "200",
+    description = "DAU data",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
+  )
+  public List<Map<String, Object>> dauRange(
+    @RequestParam(value = "days", defaultValue = "30") int days
+  ) {
+    if (days < 1) days = 1;
+    LocalDate end = LocalDate.now();
+    LocalDate start = end.minusDays(days - 1L);
+    var data = userVisitService.countDauRange(start, end);
+    return data
+      .entrySet()
+      .stream()
+      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+      .toList();
+  }
+
+  @GetMapping("/new-users-range")
+  @Operation(summary = "New users range", description = "Get new users over range of days")
+  @ApiResponse(
+    responseCode = "200",
+    description = "New user data",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
+  )
+  public List<Map<String, Object>> newUsersRange(
+    @RequestParam(value = "days", defaultValue = "30") int days
+  ) {
+    if (days < 1) days = 1;
+    LocalDate end = LocalDate.now();
+    LocalDate start = end.minusDays(days - 1L);
+    var data = statService.countNewUsersRange(start, end);
+    return data
+      .entrySet()
+      .stream()
+      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+      .toList();
+  }
+
+  @GetMapping("/posts-range")
+  @Operation(summary = "Posts range", description = "Get posts count over range of days")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Post data",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
+  )
+  public List<Map<String, Object>> postsRange(
+    @RequestParam(value = "days", defaultValue = "30") int days
+  ) {
+    if (days < 1) days = 1;
+    LocalDate end = LocalDate.now();
+    LocalDate start = end.minusDays(days - 1L);
+    var data = statService.countPostsRange(start, end);
+    return data
+      .entrySet()
+      .stream()
+      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+      .toList();
+  }
+
+  @GetMapping("/comments-range")
+  @Operation(summary = "Comments range", description = "Get comments count over range of days")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Comment data",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
+  )
+  public List<Map<String, Object>> commentsRange(
+    @RequestParam(value = "days", defaultValue = "30") int days
+  ) {
+    if (days < 1) days = 1;
+    LocalDate end = LocalDate.now();
+    LocalDate start = end.minusDays(days - 1L);
+    var data = statService.countCommentsRange(start, end);
+    return data
+      .entrySet()
+      .stream()
+      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+      .toList();
+  }
+}

backend/src/main/java/com/openisle/controller/SubscriptionController.java

@@ -0,0 +1,66 @@
+package com.openisle.controller;
+
+import com.openisle.service.SubscriptionService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+/** Endpoints for subscribing to posts, comments and users. */
+@RestController
+@RequestMapping("/api/subscriptions")
+@RequiredArgsConstructor
+public class SubscriptionController {
+
+  private final SubscriptionService subscriptionService;
+
+  @PostMapping("/posts/{postId}")
+  @Operation(summary = "Subscribe post", description = "Subscribe to a post")
+  @ApiResponse(responseCode = "200", description = "Subscribed")
+  @SecurityRequirement(name = "JWT")
+  public void subscribePost(@PathVariable Long postId, Authentication auth) {
+    subscriptionService.subscribePost(auth.getName(), postId);
+  }
+
+  @DeleteMapping("/posts/{postId}")
+  @Operation(summary = "Unsubscribe post", description = "Unsubscribe from a post")
+  @ApiResponse(responseCode = "200", description = "Unsubscribed")
+  @SecurityRequirement(name = "JWT")
+  public void unsubscribePost(@PathVariable Long postId, Authentication auth) {
+    subscriptionService.unsubscribePost(auth.getName(), postId);
+  }
+
+  @PostMapping("/comments/{commentId}")
+  @Operation(summary = "Subscribe comment", description = "Subscribe to a comment")
+  @ApiResponse(responseCode = "200", description = "Subscribed")
+  @SecurityRequirement(name = "JWT")
+  public void subscribeComment(@PathVariable Long commentId, Authentication auth) {
+    subscriptionService.subscribeComment(auth.getName(), commentId);
+  }
+
+  @DeleteMapping("/comments/{commentId}")
+  @Operation(summary = "Unsubscribe comment", description = "Unsubscribe from a comment")
+  @ApiResponse(responseCode = "200", description = "Unsubscribed")
+  @SecurityRequirement(name = "JWT")
+  public void unsubscribeComment(@PathVariable Long commentId, Authentication auth) {
+    subscriptionService.unsubscribeComment(auth.getName(), commentId);
+  }
+
+  @PostMapping("/users/{username}")
+  @Operation(summary = "Subscribe user", description = "Subscribe to a user")
+  @ApiResponse(responseCode = "200", description = "Subscribed")
+  @SecurityRequirement(name = "JWT")
+  public void subscribeUser(@PathVariable String username, Authentication auth) {
+    subscriptionService.subscribeUser(auth.getName(), username);
+  }
+
+  @DeleteMapping("/users/{username}")
+  @Operation(summary = "Unsubscribe user", description = "Unsubscribe from a user")
+  @ApiResponse(responseCode = "200", description = "Unsubscribed")
+  @SecurityRequirement(name = "JWT")
+  public void unsubscribeUser(@PathVariable String username, Authentication auth) {
+    subscriptionService.unsubscribeUser(auth.getName(), username);
+  }
+}

backend/src/main/java/com/openisle/controller/TagController.java

@@ -0,0 +1,166 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.dto.TagDto;
+import com.openisle.dto.TagRequest;
+import com.openisle.mapper.PostMapper;
+import com.openisle.mapper.TagMapper;
+import com.openisle.model.PublishMode;
+import com.openisle.model.Role;
+import com.openisle.model.Tag;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.PostService;
+import com.openisle.service.TagService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/tags")
+@RequiredArgsConstructor
+public class TagController {
+
+  private final TagService tagService;
+  private final PostService postService;
+  private final UserRepository userRepository;
+  private final PostMapper postMapper;
+  private final TagMapper tagMapper;
+
+  @PostMapping
+  @Operation(summary = "Create tag", description = "Create a new tag")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Created tag",
+    content = @Content(schema = @Schema(implementation = TagDto.class))
+  )
+  @SecurityRequirement(name = "JWT")
+  public TagDto create(
+    @RequestBody TagRequest req,
+    org.springframework.security.core.Authentication auth
+  ) {
+    boolean approved = true;
+    if (postService.getPublishMode() == PublishMode.REVIEW && auth != null) {
+      com.openisle.model.User user = userRepository.findByUsername(auth.getName()).orElseThrow();
+      if (user.getRole() != Role.ADMIN) {
+        approved = false;
+      }
+    }
+    Tag tag = tagService.createTag(
+      req.getName(),
+      req.getDescription(),
+      req.getIcon(),
+      req.getSmallIcon(),
+      approved,
+      auth != null ? auth.getName() : null
+    );
+    long count = postService.countPostsByTag(tag.getId());
+    return tagMapper.toDto(tag, count);
+  }
+
+  @PutMapping("/{id}")
+  @Operation(summary = "Update tag", description = "Update an existing tag")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated tag",
+    content = @Content(schema = @Schema(implementation = TagDto.class))
+  )
+  public TagDto update(@PathVariable Long id, @RequestBody TagRequest req) {
+    Tag tag = tagService.updateTag(
+      id,
+      req.getName(),
+      req.getDescription(),
+      req.getIcon(),
+      req.getSmallIcon()
+    );
+    long count = postService.countPostsByTag(tag.getId());
+    return tagMapper.toDto(tag, count);
+  }
+
+  @DeleteMapping("/{id}")
+  @Operation(summary = "Delete tag", description = "Delete a tag by id")
+  @ApiResponse(responseCode = "200", description = "Tag deleted")
+  public void delete(@PathVariable Long id) {
+    tagService.deleteTag(id);
+  }
+
+  @GetMapping
+  @Operation(summary = "List tags", description = "List tags with optional keyword")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of tags",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+  )
+  public List<TagDto> list(
+    @RequestParam(value = "keyword", required = false) String keyword,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    List<Tag> tags = tagService.searchTags(keyword);
+    List<Long> tagIds = tags.stream().map(Tag::getId).toList();
+    Map<Long, Long> postCntByTagIds = postService.countPostsByTagIds(tagIds);
+    if (postCntByTagIds == null) {
+      postCntByTagIds = java.util.Collections.emptyMap();
+    }
+    Map<Long, Long> finalPostCntByTagIds = postCntByTagIds;
+    List<TagDto> dtos = tags
+      .stream()
+      .map(t -> tagMapper.toDto(t, finalPostCntByTagIds.getOrDefault(t.getId(), 0L)))
+      .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
+      .collect(Collectors.toList());
+    if (page != null && pageSize != null && page >= 0 && pageSize > 0) {
+      int fromIndex = page * pageSize;
+      if (fromIndex >= dtos.size()) {
+        return java.util.Collections.emptyList();
+      }
+      int toIndex = Math.min(fromIndex + pageSize, dtos.size());
+      return new java.util.ArrayList<>(dtos.subList(fromIndex, toIndex));
+    }
+    if (limit != null && limit > 0 && dtos.size() > limit) {
+      return new java.util.ArrayList<>(dtos.subList(0, limit));
+    }
+    return dtos;
+  }
+
+  @GetMapping("/{id}")
+  @Operation(summary = "Get tag", description = "Get tag by id")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Tag detail",
+    content = @Content(schema = @Schema(implementation = TagDto.class))
+  )
+  public TagDto get(@PathVariable Long id) {
+    Tag tag = tagService.getTag(id);
+    long count = postService.countPostsByTag(tag.getId());
+    return tagMapper.toDto(tag, count);
+  }
+
+  @GetMapping("/{id}/posts")
+  @Operation(summary = "List posts by tag", description = "Get posts with specific tag")
+  @ApiResponse(
+    responseCode = "200",
+    description = "List of posts",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
+    )
+  )
+  public List<PostSummaryDto> listPostsByTag(
+    @PathVariable Long id,
+    @RequestParam(value = "page", required = false) Integer page,
+    @RequestParam(value = "pageSize", required = false) Integer pageSize
+  ) {
+    return postService
+      .listPostsByTags(java.util.List.of(id), page, pageSize)
+      .stream()
+      .map(postMapper::toSummaryDto)
+      .collect(Collectors.toList());
+  }
+}

backend/src/main/java/com/openisle/controller/UploadController.java

@@ -0,0 +1,99 @@
+package com.openisle.controller;
+
+import com.openisle.service.ImageUploader;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.util.Map;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.multipart.MultipartFile;
+
+@RestController
+@RequestMapping("/api/upload")
+@RequiredArgsConstructor
+public class UploadController {
+
+  private final ImageUploader imageUploader;
+
+  @Value("${app.upload.check-type:true}")
+  private boolean checkImageType;
+
+  @Value("${app.upload.max-size:5242880}")
+  private long maxUploadSize;
+
+  @PostMapping
+  @Operation(summary = "Upload file", description = "Upload image file")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Upload result",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  public ResponseEntity<?> upload(@RequestParam("file") MultipartFile file) {
+    if (
+      checkImageType &&
+      (file.getContentType() == null || !file.getContentType().startsWith("image/"))
+    ) {
+      return ResponseEntity.badRequest().body(Map.of("code", 1, "msg", "File is not an image"));
+    }
+    if (file.getSize() > maxUploadSize) {
+      return ResponseEntity.badRequest().body(Map.of("code", 2, "msg", "File too large"));
+    }
+    String url;
+    try {
+      url = imageUploader.upload(file.getBytes(), file.getOriginalFilename()).join();
+    } catch (IOException e) {
+      return ResponseEntity.internalServerError().body(Map.of("code", 3, "msg", "Upload failed"));
+    }
+    return ResponseEntity.ok(Map.of("code", 0, "msg", "ok", "data", Map.of("url", url)));
+  }
+
+  @PostMapping("/url")
+  @Operation(summary = "Upload from URL", description = "Upload image from remote URL")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Upload result",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  public ResponseEntity<?> uploadUrl(@RequestBody Map<String, String> body) {
+    String link = body.get("url");
+    if (link == null || link.isBlank()) {
+      return ResponseEntity.badRequest().body(Map.of("code", 1, "msg", "Missing url"));
+    }
+    try {
+      URL u = URI.create(link).toURL();
+      byte[] data = u.openStream().readAllBytes();
+      if (data.length > maxUploadSize) {
+        return ResponseEntity.badRequest().body(Map.of("code", 2, "msg", "File too large"));
+      }
+      String filename = link.substring(link.lastIndexOf('/') + 1);
+      String contentType = URLConnection.guessContentTypeFromStream(new ByteArrayInputStream(data));
+      if (checkImageType && (contentType == null || !contentType.startsWith("image/"))) {
+        return ResponseEntity.badRequest().body(Map.of("code", 1, "msg", "File is not an image"));
+      }
+      String url = imageUploader.upload(data, filename).join();
+      return ResponseEntity.ok(Map.of("code", 0, "msg", "ok", "data", Map.of("url", url)));
+    } catch (Exception e) {
+      return ResponseEntity.internalServerError().body(Map.of("code", 3, "msg", "Upload failed"));
+    }
+  }
+
+  @GetMapping("/presign")
+  @Operation(summary = "Presign upload", description = "Get presigned upload URL")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Presigned URL",
+    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+  )
+  public java.util.Map<String, String> presign(@RequestParam("filename") String filename) {
+    return imageUploader.presignUpload(filename);
+  }
+}

backend/src/main/java/com/openisle/controller/UserController.java

@@ -0,0 +1,379 @@
+package com.openisle.controller;
+
+import com.openisle.dto.*;
+import com.openisle.exception.NotFoundException;
+import com.openisle.mapper.TagMapper;
+import com.openisle.mapper.UserMapper;
+import com.openisle.model.User;
+import com.openisle.service.*;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.io.IOException;
+import java.util.Map;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.multipart.MultipartFile;
+
+@RestController
+@RequestMapping("/api/users")
+@RequiredArgsConstructor
+public class UserController {
+
+  private final UserService userService;
+  private final ImageUploader imageUploader;
+  private final PostService postService;
+  private final CommentService commentService;
+  private final ReactionService reactionService;
+  private final TagService tagService;
+  private final SubscriptionService subscriptionService;
+  private final LevelService levelService;
+  private final JwtService jwtService;
+  private final UserMapper userMapper;
+  private final TagMapper tagMapper;
+
+  @Value("${app.upload.check-type:true}")
+  private boolean checkImageType;
+
+  @Value("${app.upload.max-size:5242880}")
+  private long maxUploadSize;
+
+  @Value("${app.user.posts-limit:10}")
+  private int defaultPostsLimit;
+
+  @Value("${app.user.replies-limit:50}")
+  private int defaultRepliesLimit;
+
+  @Value("${app.user.tags-limit:50}")
+  private int defaultTagsLimit;
+
+  @GetMapping("/me")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Current user", description = "Get current authenticated user information")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User detail",
+    content = @Content(schema = @Schema(implementation = UserDto.class))
+  )
+  public ResponseEntity<UserDto> me(Authentication auth) {
+    User user = userService.findByUsername(auth.getName()).orElseThrow();
+    return ResponseEntity.ok(userMapper.toDto(user, auth));
+  }
+
+  @PostMapping("/me/avatar")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Upload avatar", description = "Upload avatar for current user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Upload result",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> uploadAvatar(
+    @RequestParam("file") MultipartFile file,
+    Authentication auth
+  ) {
+    if (
+      checkImageType &&
+      (file.getContentType() == null || !file.getContentType().startsWith("image/"))
+    ) {
+      return ResponseEntity.badRequest().body(Map.of("error", "File is not an image"));
+    }
+    if (file.getSize() > maxUploadSize) {
+      return ResponseEntity.badRequest().body(Map.of("error", "File too large"));
+    }
+    String url = null;
+    try {
+      url = imageUploader.upload(file.getBytes(), file.getOriginalFilename()).join();
+    } catch (IOException e) {
+      return ResponseEntity.internalServerError().body(Map.of("url", url));
+    }
+    userService.updateAvatar(auth.getName(), url);
+    return ResponseEntity.ok(Map.of("url", url));
+  }
+
+  @PutMapping("/me")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Update profile", description = "Update current user's profile")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Updated profile",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public ResponseEntity<?> updateProfile(@RequestBody UpdateProfileDto dto, Authentication auth) {
+    User user = userService.updateProfile(auth.getName(), dto.getUsername(), dto.getIntroduction());
+    return ResponseEntity.ok(
+      Map.of(
+        "token",
+        jwtService.generateToken(user.getUsername()),
+        "user",
+        userMapper.toDto(user, auth)
+      )
+    );
+  }
+
+  // 这个方法似乎没有使用？
+  @PostMapping("/me/signin")
+  @SecurityRequirement(name = "JWT")
+  @Operation(summary = "Daily sign in", description = "Sign in to receive rewards")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Sign in reward",
+    content = @Content(schema = @Schema(implementation = Map.class))
+  )
+  public Map<String, Integer> signIn(Authentication auth) {
+    int reward = levelService.awardForSignin(auth.getName());
+    return Map.of("reward", reward);
+  }
+
+  @GetMapping("/{identifier}")
+  @Operation(summary = "Get user", description = "Get user by identifier")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User detail",
+    content = @Content(schema = @Schema(implementation = UserDto.class))
+  )
+  public ResponseEntity<UserDto> getUser(
+    @PathVariable("identifier") String identifier,
+    Authentication auth
+  ) {
+    User user = userService
+      .findByIdentifier(identifier)
+      .orElseThrow(() -> new NotFoundException("User not found"));
+    return ResponseEntity.ok(userMapper.toDto(user, auth));
+  }
+
+  @GetMapping("/{identifier}/posts")
+  @Operation(summary = "User posts", description = "Get recent posts by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User posts",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+  )
+  public java.util.List<PostMetaDto> userPosts(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : defaultPostsLimit;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return postService
+      .getRecentPostsByUser(user.getUsername(), l)
+      .stream()
+      .map(userMapper::toMetaDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/subscribed-posts")
+  @Operation(summary = "Subscribed posts", description = "Get posts the user subscribed to")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Subscribed posts",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+  )
+  public java.util.List<PostMetaDto> subscribedPosts(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : defaultPostsLimit;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return subscriptionService
+      .getSubscribedPosts(user.getUsername())
+      .stream()
+      .limit(l)
+      .map(userMapper::toMetaDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/replies")
+  @Operation(summary = "User replies", description = "Get recent replies by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User replies",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))
+    )
+  )
+  public java.util.List<CommentInfoDto> userReplies(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : defaultRepliesLimit;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return commentService
+      .getRecentCommentsByUser(user.getUsername(), l)
+      .stream()
+      .map(userMapper::toCommentInfoDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/hot-posts")
+  @Operation(summary = "User hot posts", description = "Get most reacted posts by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Hot posts",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+  )
+  public java.util.List<PostMetaDto> hotPosts(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : 10;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    java.util.List<Long> ids = reactionService.topPostIds(user.getUsername(), l);
+    return postService
+      .getPostsByIds(ids)
+      .stream()
+      .map(userMapper::toMetaDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/hot-replies")
+  @Operation(summary = "User hot replies", description = "Get most reacted replies by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Hot replies",
+    content = @Content(
+      array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))
+    )
+  )
+  public java.util.List<CommentInfoDto> hotReplies(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : 10;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    java.util.List<Long> ids = reactionService.topCommentIds(user.getUsername(), l);
+    return commentService
+      .getCommentsByIds(ids)
+      .stream()
+      .map(userMapper::toCommentInfoDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/hot-tags")
+  @Operation(summary = "User hot tags", description = "Get tags frequently used by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Hot tags",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+  )
+  public java.util.List<TagDto> hotTags(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : 10;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return tagService
+      .getTagsByUser(user.getUsername())
+      .stream()
+      .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
+      .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
+      .limit(l)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/tags")
+  @Operation(summary = "User tags", description = "Get recent tags used by user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User tags",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+  )
+  public java.util.List<TagDto> userTags(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "limit", required = false) Integer limit
+  ) {
+    int l = limit != null ? limit : defaultTagsLimit;
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return tagService
+      .getRecentTagsByUser(user.getUsername(), l)
+      .stream()
+      .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/following")
+  @Operation(summary = "Following users", description = "Get users that this user is following")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Following list",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
+  )
+  public java.util.List<UserDto> following(@PathVariable("identifier") String identifier) {
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return subscriptionService
+      .getSubscribedUsers(user.getUsername())
+      .stream()
+      .map(userMapper::toDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/followers")
+  @Operation(summary = "Followers", description = "Get followers of this user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Followers list",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
+  )
+  public java.util.List<UserDto> followers(@PathVariable("identifier") String identifier) {
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    return subscriptionService
+      .getSubscribers(user.getUsername())
+      .stream()
+      .map(userMapper::toDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/admins")
+  @Operation(summary = "Admin users", description = "List administrator users")
+  @ApiResponse(
+    responseCode = "200",
+    description = "Admin users",
+    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
+  )
+  public java.util.List<UserDto> admins() {
+    return userService
+      .getAdmins()
+      .stream()
+      .map(userMapper::toDto)
+      .collect(java.util.stream.Collectors.toList());
+  }
+
+  @GetMapping("/{identifier}/all")
+  @Operation(summary = "User aggregate", description = "Get aggregate information for user")
+  @ApiResponse(
+    responseCode = "200",
+    description = "User aggregate",
+    content = @Content(schema = @Schema(implementation = UserAggregateDto.class))
+  )
+  public ResponseEntity<UserAggregateDto> userAggregate(
+    @PathVariable("identifier") String identifier,
+    @RequestParam(value = "postsLimit", required = false) Integer postsLimit,
+    @RequestParam(value = "repliesLimit", required = false) Integer repliesLimit,
+    Authentication auth
+  ) {
+    User user = userService.findByIdentifier(identifier).orElseThrow();
+    int pLimit = postsLimit != null ? postsLimit : defaultPostsLimit;
+    int rLimit = repliesLimit != null ? repliesLimit : defaultRepliesLimit;
+    java.util.List<PostMetaDto> posts = postService
+      .getRecentPostsByUser(user.getUsername(), pLimit)
+      .stream()
+      .map(userMapper::toMetaDto)
+      .collect(java.util.stream.Collectors.toList());
+    java.util.List<CommentInfoDto> replies = commentService
+      .getRecentCommentsByUser(user.getUsername(), rLimit)
+      .stream()
+      .map(userMapper::toCommentInfoDto)
+      .collect(java.util.stream.Collectors.toList());
+    UserAggregateDto dto = new UserAggregateDto();
+    dto.setUser(userMapper.toDto(user, auth));
+    dto.setPosts(posts);
+    dto.setReplies(replies);
+    return ResponseEntity.ok(dto);
+  }
+}

backend/src/main/java/com/openisle/dto/ActivityDto.java

@@ -0,0 +1,21 @@
+package com.openisle.dto;
+
+import com.openisle.model.ActivityType;
+import java.time.LocalDateTime;
+import lombok.Data;
+
+/**
+ * DTO representing an activity without participant details.
+ */
+@Data
+public class ActivityDto {
+
+  private Long id;
+  private String title;
+  private String icon;
+  private String content;
+  private LocalDateTime startTime;
+  private LocalDateTime endTime;
+  private ActivityType type;
+  private boolean ended;
+}

backend/src/main/java/com/openisle/dto/AuthorDto.java

@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import com.openisle.model.MedalType;
+import lombok.Data;
+
+/**
+ * DTO representing a post or comment author.
+ */
+@Data
+public class AuthorDto {
+
+  private Long id;
+  private String username;
+  private String avatar;
+  private MedalType displayMedal;
+}

backend/src/main/java/com/openisle/dto/CategoryDto.java

@@ -0,0 +1,17 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/**
+ * DTO representing a post category.
+ */
+@Data
+public class CategoryDto {
+
+  private Long id;
+  private String name;
+  private String description;
+  private String icon;
+  private String smallIcon;
+  private Long count;
+}

backend/src/main/java/com/openisle/dto/CategoryRequest.java

@@ -0,0 +1,13 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for creating or updating a category. */
+@Data
+public class CategoryRequest {
+
+  private String name;
+  private String description;
+  private String icon;
+  private String smallIcon;
+}

backend/src/main/java/com/openisle/dto/ChannelDto.java

@@ -0,0 +1,18 @@
+package com.openisle.dto;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class ChannelDto {
+
+  private Long id;
+  private String name;
+  private String description;
+  private String avatar;
+  private MessageDto lastMessage;
+  private long memberCount;
+  private boolean joined;
+  private long unreadCount;
+}

backend/src/main/java/com/openisle/dto/CommentContextDto.java

@@ -0,0 +1,15 @@
+package com.openisle.dto;
+
+import java.util.List;
+import lombok.Data;
+
+/**
+ * DTO representing the context of a comment including its post and previous comments.
+ */
+@Data
+public class CommentContextDto {
+
+  private PostSummaryDto post;
+  private CommentDto targetComment;
+  private List<CommentDto> previousComments;
+}

backend/src/main/java/com/openisle/dto/CommentDto.java

@@ -0,0 +1,22 @@
+package com.openisle.dto;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import lombok.Data;
+
+/**
+ * DTO representing a comment and its nested replies.
+ */
+@Data
+public class CommentDto {
+
+  private Long id;
+  private String content;
+  private LocalDateTime createdAt;
+  private LocalDateTime pinnedAt;
+  private AuthorDto author;
+  private List<CommentDto> replies;
+  private List<ReactionDto> reactions;
+  private int reward;
+  private int pointReward;
+}

backend/src/main/java/com/openisle/dto/CommentInfoDto.java

@@ -0,0 +1,15 @@
+package com.openisle.dto;
+
+import java.time.LocalDateTime;
+import lombok.Data;
+
+/** DTO for comment information in user profiles. */
+@Data
+public class CommentInfoDto {
+
+  private Long id;
+  private String content;
+  private LocalDateTime createdAt;
+  private PostMetaDto post;
+  private ParentCommentDto parentComment;
+}

backend/src/main/java/com/openisle/dto/CommentMedalDto.java

@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class CommentMedalDto extends MedalDto {
+
+  private long currentCommentCount;
+  private long targetCommentCount;
+}

backend/src/main/java/com/openisle/dto/CommentRequest.java

@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for creating or replying to a comment. */
+@Data
+public class CommentRequest {
+
+  private String content;
+  private String captcha;
+}

backend/src/main/java/com/openisle/dto/ConfigDto.java

@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import com.openisle.model.PasswordStrength;
+import com.openisle.model.PublishMode;
+import com.openisle.model.RegisterMode;
+import lombok.Data;
+
+/** DTO for site configuration. */
+@Data
+public class ConfigDto {
+
+  private PublishMode publishMode;
+  private PasswordStrength passwordStrength;
+  private Integer aiFormatLimit;
+  private RegisterMode registerMode;
+}

backend/src/main/java/com/openisle/dto/ContributorMedalDto.java

@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class ContributorMedalDto extends MedalDto {
+
+  private long currentContributionLines;
+  private long targetContributionLines;
+}

backend/src/main/java/com/openisle/dto/ConversationDetailDto.java

@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import java.util.List;
+import lombok.Data;
+import org.springframework.data.domain.Page;
+
+@Data
+public class ConversationDetailDto {
+
+  private Long id;
+  private String name;
+  private boolean channel;
+  private String avatar;
+  private List<UserSummaryDto> participants;
+  private Page<MessageDto> messages;
+}