v4.3 安全修复+代码质量+测试体系+护城河验证

## 安全修复 (5项)
- CRITICAL JWT 硬编码 fallback（jwt.strategy / app.module / user.module）
- HIGH seed_admin.js MongoDB 凭据泄漏
- MEDIUM 邮箱验证码泄漏
- MEDIUM 支付订单查询 IDOR
- MEDIUM 管理后台 NoSQL 注入

## 代码质量 (14处)
- console.log→Logger（user.service.ts）
- as any 类型化（11处跨7个文件）
- Schema 联合类型修复（progress.schema）
- Module 依赖缺失修复（progress.module）

## 测试体系 (61项)
- 后端单元测试 Jest（43项）：BenchmarkService/UserService/PaymentController
- 后端集成测试 Supertest（11项）：API 认证/支付/进度/管理
- 前端单元测试 Vitest（7项）：配置文件/API端点
- 浏览器自动化 Playwright（7项）：API smoke test
- 覆盖率报告 + e2e 配置

## 护城河 P0-P5 启动验证通过 + 编译通过

zhiyin-app/src/config.spec.ts

@@ -0,0 +1,51 @@
+import { describe, it, expect } from 'vitest'
+
+describe('APP_CONFIG', () => {
+  it('should have APP_NAME', async () => {
+    const { APP_CONFIG } = await import('./config')
+    expect(APP_CONFIG.APP_NAME).toBeTruthy()
+  })
+
+  it('should have storage keys', async () => {
+    const { APP_CONFIG } = await import('./config')
+    expect(APP_CONFIG.STORAGE_KEYS.TOKEN).toBe('token')
+    expect(APP_CONFIG.STORAGE_KEYS.USER_ID).toBe('userId')
+  })
+
+  it('should have page routes', async () => {
+    const { APP_CONFIG } = await import('./config')
+    expect(APP_CONFIG.PAGES.INDEX).toBe('/pages/index/index')
+    expect(APP_CONFIG.PAGES.LOGIN).toBe('/pages/login/login')
+    expect(APP_CONFIG.PAGES.MEMBER).toBe('/pages/member/member')
+  })
+})
+
+describe('API_ENDPOINTS', () => {
+  it('should have all endpoint groups', async () => {
+    const { API_ENDPOINTS } = await import('./config')
+    expect(API_ENDPOINTS.USER).toBeDefined()
+    expect(API_ENDPOINTS.INTERVIEW).toBeDefined()
+    expect(API_ENDPOINTS.PAYMENT).toBeDefined()
+    expect(API_ENDPOINTS.PROGRESS).toBeDefined()
+    expect(API_ENDPOINTS.CONTRIBUTION).toBeDefined()
+    expect(API_ENDPOINTS.MEMBER).toBeDefined()
+  })
+
+  it('should have user endpoints', async () => {
+    const { API_ENDPOINTS } = await import('./config')
+    expect(API_ENDPOINTS.USER.SEND_CODE).toBe('/user/send-code')
+    expect(API_ENDPOINTS.USER.LOGIN).toBe('/user/login')
+    expect(API_ENDPOINTS.USER.INFO).toBe('/user/info')
+  })
+
+  it('should generate dynamic interview endpoints', async () => {
+    const { API_ENDPOINTS } = await import('./config')
+    expect(API_ENDPOINTS.INTERVIEW.ANSWER('abc')).toBe('/interview/abc/answer')
+    expect(API_ENDPOINTS.INTERVIEW.GET('xyz')).toBe('/interview/xyz')
+  })
+
+  it('should generate dynamic payment check endpoint', async () => {
+    const { API_ENDPOINTS } = await import('./config')
+    expect(API_ENDPOINTS.PAYMENT.CHECK('ORD123')).toBe('/payment/check/ORD123')
+  })
+})

zhiyin-app/src/pages/report/report.vue

@@ -24,6 +24,21 @@
         <text class="info-value">{{ report.questionCount }} 题</text>
       </view>
 
+      <view class="section" v-if="report.dimensions">
+        <view class="section-title">📊 四维能力评估</view>
+        <view class="dim-grid">
+          <view class="dim-item" v-for="dim in dimList" :key="dim.key">
+            <view class="dim-header">
+              <text class="dim-name">{{ dim.label }}</text>
+              <text class="dim-score">{{ dim.value }}分</text>
+            </view>
+            <view class="dim-bar-bg">
+              <view class="dim-bar-fill" :style="{ width: dim.value + '%', background: dim.color }"></view>
+            </view>
+          </view>
+        </view>
+      </view>
+
       <view class="section" v-if="report.summary">
         <view class="section-title">📝 评估总结</view>
         <text class="summary-text">{{ report.summary }}</text>
@@ -40,22 +55,36 @@
       </view>
 
       <view class="actions">
-        <button class="btn-primary" @click="retryInterview">再面一次</button>
-        <button class="btn-outline" @click="goHistory">返回记录</button>
+        <button class="btn-primary" @click="generateCard">📸 生成分享卡片</button>
+        <button class="btn-outline" @click="retryInterview">再面一次</button>
+        <button class="btn-ghost" @click="goHistory">返回记录</button>
       </view>
     </view>
 
     <view v-else class="empty-box"><text>暂无报告数据</text></view>
+
+    <!-- Share card canvas (hidden) -->
+    <canvas canvas-id="shareCard" class="hidden-canvas" :style="{ width: cardWidth + 'px', height: cardHeight + 'px' }"></canvas>
   </view>
 </template>
 
 <script setup>
-import { ref } from 'vue'
+import { ref, nextTick } from 'vue'
 import { onLoad } from '@dcloudio/uni-app'
 import { api } from '../../config'
 
 const loading = ref(true)
 const report = ref(null)
+const dimList = ref([])
+const cardWidth = 600
+const cardHeight = 900
+
+const dimDefs = [
+  { key: 'logic', label: '逻辑思维', color: '#6366F1' },
+  { key: 'expression', label: '表达能力', color: '#10B981' },
+  { key: 'professionalism', label: '专业度', color: '#F59E0B' },
+  { key: 'stability', label: '稳定性', color: '#EF4444' },
+]
 
 onLoad(async (options) => {
   const interviewId = options?.interviewId || ''
@@ -65,7 +94,6 @@ onLoad(async (options) => {
     const token = uni.getStorageSync('token') || ''
     if (!token) { loading.value = false; return }
 
-    // Get interview details
     const res = await uni.request({
       url: api(`/interview/${interviewId}`),
       method: 'GET',
@@ -73,14 +101,45 @@ onLoad(async (options) => {
     })
     if (res.statusCode === 200) {
       const data = res.data
+      const rawSummary = data.summary || ''
+
+      // Try to parse summary JSON for structured display
+      let summaryText = rawSummary
+      let dimensions = null
+      try {
+        const parsed = JSON.parse(rawSummary)
+        dimensions = {
+          logic: parsed['逻辑思维'] || 0,
+          expression: parsed['表达能力'] || 0,
+          professionalism: parsed['专业度'] || 0,
+          stability: parsed['稳定性'] || 0,
+        }
+        const parts = []
+        if (parsed['优点']) parts.push('✅ 优点：' + parsed['优点'].join('、'))
+        if (parsed['不足']) parts.push('⚠️ 不足：' + parsed['不足'].join('、'))
+        if (parsed['建议']) parts.push('💡 建议：' + parsed['建议'].join('、'))
+        summaryText = parts.join('\n')
+      } catch {}
+
+      // Use backend dimensions if available, else parsed
+      const dims = data.dimensions || dimensions
+      if (dims) {
+        dimList.value = dimDefs.map(d => ({
+          ...d,
+          value: Math.min(100, Math.max(0, Math.round(dims[d.key] || 0))),
+        }))
+      }
+
       report.value = {
         position: data.position || '通用岗位',
         totalScore: data.totalScore || 0,
         questionCount: data.questionCount || 0,
-        summary: data.summary || '',
+        summary: summaryText,
         messages: data.messages || [],
+        dimensions: dims,
+        interviewId,
       }
-      // Auto-complete if in progress
+
       if (data.status === 'in_progress') {
         uni.request({
           url: api(`/interview/${interviewId}/complete`),
@@ -90,6 +149,12 @@ onLoad(async (options) => {
           if (c.statusCode === 200 && c.data) {
             report.value.totalScore = c.data.totalScore || report.value.totalScore
             report.value.summary = c.data.summary || report.value.summary
+            if (c.data.dimensions) {
+              dimList.value = dimDefs.map(d => ({
+                ...d,
+                value: Math.min(100, Math.max(0, Math.round(c.data.dimensions[d.key] || 0))),
+              }))
+            }
           }
         }).catch(() => {})
       }
@@ -101,10 +166,160 @@ onLoad(async (options) => {
 const scoreLevel = (s) => { if (s >= 80) return 'good'; if (s >= 60) return 'medium'; return 'poor' }
 const retryInterview = () => uni.switchTab({ url: '/pages/index/index' })
 const goHistory = () => uni.switchTab({ url: '/pages/history/history' })
+
+async function generateCard() {
+  if (!report.value) return
+  uni.showLoading({ title: '生成中...' })
+  await nextTick()
+
+  const ctx = uni.createCanvasContext('shareCard')
+  const w = cardWidth
+  const h = cardHeight
+  const r = dimList.value
+  const total = report.value.totalScore
+  const pos = report.value.position
+  const date = new Date().toLocaleDateString('zh-CN')
+
+  // Background gradient
+  const gradient = ctx.createLinearGradient(0, 0, 0, h)
+  gradient.addColorStop(0, '#1E1B4B')
+  gradient.addColorStop(0.5, '#312E81')
+  gradient.addColorStop(1, '#1E1B4B')
+  ctx.setFillStyle(gradient)
+  ctx.fillRect(0, 0, w, h)
+
+  // Border decoration
+  ctx.setStrokeStyle('#4F46E5')
+  ctx.setLineWidth(4)
+  ctx.strokeRect(16, 16, w - 32, h - 32)
+
+  // Title
+  ctx.setFillStyle('#FFFFFF')
+  ctx.setFontSize(36)
+  ctx.setTextAlign('center')
+  ctx.fillText('🎯 模拟面试报告', w / 2, 80)
+
+  // Position
+  ctx.setFontSize(24)
+  ctx.setFillStyle('#A5B4FC')
+  ctx.fillText(pos + ' | ' + date, w / 2, 120)
+
+  // Total score circle
+  const cx = w / 2
+  const cy = 220
+  const radius = 72
+
+  // Glow effect
+  ctx.setStrokeStyle('rgba(99,102,241,0.3)')
+  ctx.setLineWidth(16)
+  ctx.beginPath()
+  ctx.arc(cx, cy, radius + 10, 0, Math.PI * 2)
+  ctx.stroke()
+
+  // Circle background
+  ctx.setFillStyle('#2D2A6E')
+  ctx.beginPath()
+  ctx.arc(cx, cy, radius, 0, Math.PI * 2)
+  ctx.fill()
+
+  // Total score text
+  ctx.setFillStyle(total >= 80 ? '#34D399' : total >= 60 ? '#FBBF24' : '#F87171')
+  ctx.setFontSize(52)
+  ctx.setTextAlign('center')
+  ctx.fillText(String(total), cx, cy - 8)
+
+  ctx.setFontSize(16)
+  ctx.setFillStyle('#A5B4FC')
+  ctx.fillText('总分', cx, cy + 34)
+
+  // Dimension bars
+  const barColors = ['#6366F1', '#10B981', '#F59E0B', '#EF4444']
+  const barStartY = 330
+  const barH = 36
+  const barGap = 16
+  const barMaxW = 380
+  const barX = 130
+
+  for (let i = 0; i < r.length; i++) {
+    const d = r[i]
+    const y = barStartY + i * (barH + barGap)
+    const v = d.value
+
+    // Label
+    ctx.setFontSize(20)
+    ctx.setFillStyle('#A5B4FC')
+    ctx.setTextAlign('left')
+    ctx.fillText(d.label, 40, y + 26)
+
+    // Bar background
+    ctx.setFillStyle('rgba(255,255,255,0.08)')
+    ctx.beginPath()
+    ctx.roundRect ? ctx.roundRect(barX, y, barMaxW, barH, barH / 2) : ctx.rect(barX, y, barMaxW, barH)
+    ctx.fill()
+
+    // Bar fill
+    ctx.setFillStyle(barColors[i])
+    ctx.beginPath()
+    const fillW = Math.max(0, (v / 100) * barMaxW)
+    ctx.roundRect ? ctx.roundRect(barX, y, fillW, barH, barH / 2) : ctx.rect(barX, y, fillW, barH)
+    ctx.fill()
+
+    // Score text
+    ctx.setFontSize(20)
+    ctx.setFillStyle('#FFFFFF')
+    ctx.setTextAlign('right')
+    ctx.fillText(v + '分', w - 40, y + 26)
+  }
+
+  // Divider line
+  ctx.setStrokeStyle('rgba(165,180,252,0.3)')
+  ctx.setLineWidth(1)
+  ctx.beginPath()
+  ctx.moveTo(40, 600)
+  ctx.lineTo(w - 40, 600)
+  ctx.stroke()
+
+  // Bottom info
+  ctx.setFontSize(20)
+  ctx.setFillStyle('#A5B4FC')
+  ctx.setTextAlign('center')
+  ctx.fillText('「职引」- AI 模拟面试助手', w / 2, 650)
+  ctx.setFontSize(16)
+  ctx.setFillStyle('rgba(165,180,252,0.5)')
+  ctx.fillText('扫码开始你的模拟面试 → 在微信搜索"职引"小程序', w / 2, 690)
+
+  // QR code hint (simulated)
+  ctx.setFillStyle('#FFFFFF')
+  ctx.setFontSize(12)
+  ctx.setTextAlign('center')
+  ctx.fillText('⬛ ⬛ ⬛ ⬛ ⬛', w / 2, 760)
+  ctx.fillText('⬛ ⬛ ⬛ ⬛ ⬛', w / 2, 780)
+  ctx.fillText('⬛ ⬛ ⬛ ⬛ ⬛', w / 2, 800)
+  ctx.fillText('⬛ ⬛ ⬛ ⬛ ⬛', w / 2, 820)
+  ctx.fillText('微信小程序', w / 2, 855)
+
+  ctx.draw(false, async () => {
+    try {
+      const tempRes = await uni.canvasToTempFilePath({ canvasId: 'shareCard' })
+      uni.hideLoading()
+      uni.showActionSheet({
+        itemList: ['保存到相册', '分享给好友'],
+        success: (res) => {
+          if (res.tapIndex === 0) {
+            uni.saveImageToPhotosAlbum({ filePath: tempRes.tempFilePath })
+          }
+        },
+      })
+    } catch (e) {
+      uni.hideLoading()
+      uni.showToast({ title: '卡片生成失败', icon: 'none' })
+    }
+  })
+}
 </script>
 
 <style scoped>
-.page {  background: #F3F4F6; }
+.page { background: #F3F4F6; min-height: 100vh; }
 .header {
   background: linear-gradient(135deg, var(--color-gradient-start) 0%, var(--color-gradient-mid) 50%, var(--color-gradient-end) 100%);
   padding: 48rpx 32rpx 72rpx; border-radius: 0 0 48rpx 48rpx; min-height: 90rpx;
@@ -140,8 +355,16 @@ const goHistory = () => uni.switchTab({ url: '/pages/history/history' })
 .msg-item.user { background: #EEF2FF; border-left: 4rpx solid #818CF8; }
 .msg-label { font-size: 20rpx; font-weight: 600; color: #4F46E5; margin-bottom: 8rpx; }
 .msg-content { font-size: 24rpx; color: #111827; line-height: 1.7; white-space: pre-wrap; }
-.actions { display: flex; gap: 20rpx; margin-top: 32rpx; }
-.btn-primary { flex: 1; background: linear-gradient(135deg,#4F46E5,#7C3AED); color: #FFFFFF; border-radius: 16rpx; height: 88rpx; line-height: 88rpx; font-size: 28rpx; font-weight: 600; }
-.btn-outline { flex: 1; background: #FFFFFF; color: #4F46E5; border-radius: 16rpx; height: 88rpx; line-height: 88rpx; font-size: 28rpx; border: 2rpx solid #4F46E5; }
+.actions { display: flex; flex-direction: column; gap: 16rpx; margin-top: 32rpx; }
+.btn-primary { background: linear-gradient(135deg,#4F46E5,#7C3AED); color: #FFFFFF; border-radius: 16rpx; height: 88rpx; line-height: 88rpx; font-size: 28rpx; font-weight: 600; }
+.btn-outline { background: #FFFFFF; color: #4F46E5; border-radius: 16rpx; height: 88rpx; line-height: 88rpx; font-size: 28rpx; border: 2rpx solid #4F46E5; }
+.btn-ghost { background: transparent; color: #6B7280; border-radius: 16rpx; height: 72rpx; line-height: 72rpx; font-size: 24rpx; }
 .empty-box { padding: 200rpx 0; text-align: center; color: #9CA3AF; font-size: 28rpx; }
+.hidden-canvas { position: fixed; left: -9999px; top: -9999px; pointer-events: none; }
+.dim-grid { display: flex; flex-direction: column; gap: 20rpx; }
+.dim-header { display: flex; justify-content: space-between; margin-bottom: 8rpx; }
+.dim-name { font-size: 24rpx; color: #374151; }
+.dim-score { font-size: 24rpx; color: #4F46E5; font-weight: 600; }
+.dim-bar-bg { height: 20rpx; background: #F3F4F6; border-radius: 10rpx; overflow: hidden; }
+.dim-bar-fill { height: 100%; border-radius: 10rpx; transition: width 0.6s ease; }
 </style>