Deploy updated SCU course catcher

.dockerignore

@@ -0,0 +1,13 @@
+.git
+.venv
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+data
+build
+dist
+course_catcher
+core/database.py
+core/course_runner.py
+templates/admin.html

.gitattributes

@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+favicon.ico filter=lfs diff=lfs merge=lfs -text
+ocr_provider/captcha_model.onnx.data filter=lfs diff=lfs merge=lfs -text

.github/workflows/linux-tests.yml

@@ -0,0 +1,25 @@
+name: linux-tests
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run unit tests
+        run: python -m unittest discover -s tests -v

.gitignore

@@ -0,0 +1,13 @@
+user_data.json
+build
+main.spec
+__pycache__
+setting.json
+.idea
+.venv
+dist
+data/
+runtime/
+*.db
+*.sqlite3
+tests/.tmp/

.python-version

@@ -0,0 +1 @@
+3.11

Dockerfile

@@ -0,0 +1,34 @@
+FROM python:3.11-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    HOME=/home/user \
+    PATH=/home/user/.local/bin:$PATH \
+    CHROME_BIN=/usr/bin/chromium \
+    CHROMEDRIVER_PATH=/usr/bin/chromedriver \
+    DATA_DIR=/data
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    chromium \
+    chromium-driver \
+    fonts-noto-cjk \
+    fonts-noto-color-emoji \
+    ca-certificates \
+    && useradd -m -u 1000 user \
+    && mkdir -p /data \
+    && chmod 777 /data \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR ${HOME}/app
+USER user
+
+COPY --chown=user requirements.txt ./
+RUN pip install --upgrade --user pip && pip install --user -r requirements.txt
+
+COPY --chown=user . .
+RUN mkdir -p ${HOME}/app/data
+
+EXPOSE 7860
+
+CMD ["sh", "-c", "gunicorn --bind 0.0.0.0:${PORT:-7860} --workers 1 --threads 8 --timeout 180 app:app"]

LICENSE

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

README.md

@@ -1,11 +1,222 @@
 ---
-title: SACC
-emoji: 🏆
-colorFrom: red
-colorTo: green
+title: Advanced SCU Course Catcher
+emoji: 🐳
+colorFrom: green
+colorTo: yellow
 sdk: docker
+app_port: 7860
 pinned: false
-short_description: SCU Auto Course Catcher
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# Advanced SCU Course Catcher
+
+这是一个面向 Hugging Face Space 的四川大学选课系统 Web 版抢课面板。当前版本已经从单机脚本改造成了可部署、可并行、可多用户管理的 Flask + Selenium 服务，支持普通用户端和管理员端分离运行。
+
+## 当前能力
+
+- 普通用户入口：`/login`
+  用户使用 `学号 + 密码` 登录，只能看到自己的课程、任务状态和实时日志。
+- 管理员入口：`/admin`
+  管理员使用 `账号 + 密码` 登录。此入口不会在用户登录页展示。
+- 多管理员体系
+  支持多位普通管理员，支持 1 位超级管理员。超级管理员账号和密码由环境变量 `ADMIN`、`PASSWORD` 提供。
+- 多用户管理
+  管理员可以手动录入用户账号、重置密码、启用/禁用用户、查看所有课程目标。
+- 课程录入
+  用户自己填写 `课程号` 和 `课序号`，管理员可见全部内容，也可以代为录入和修改。
+- 实时日志
+  用户和管理员都可以实时看到程序日志，前端通过 SSE 持续推送。
+- 并行调度
+  多用户任务由后台任务调度器并行执行，管理员可以在后台动态设置并行数。
+- Hugging Face Space 适配
+  使用 Docker Space 运行，内置 Chromium、chromedriver、中文字体和无头浏览器配置。
+- 登录验证码与提交验证码 OCR
+  登录阶段和提交选课阶段都支持验证码 OCR 自动识别。
+- Selenium 自恢复
+  单个 Selenium 会话连续错误达到 5 次时，会自动重建浏览器；连续重建 5 个会话仍失败时，任务才会终止。
+
+## 运行结构
+
+当前实际运行入口和核心模块如下：
+
+- `app.py`
+  Hugging Face / gunicorn 使用的 WSGI 入口。
+- `space_app.py`
+  Flask 路由、页面渲染、登录鉴权、SSE 日志流。
+- `core/config.py`
+  运行配置与内部密钥管理。
+- `core/db.py`
+  SQLite 数据层。
+- `core/task_manager.py`
+  并行调度、任务生命周期管理。
+- `core/course_bot.py`
+  Selenium 抢课核心逻辑、验证码识别、重试与重建策略。
+- `webdriver_utils.py`
+  Chromium / chromedriver 初始化。
+- `templates/` + `static/`
+  用户端、管理员端和响应式前端页面。
+
+## 环境变量
+
+为了减少 Space 配置复杂度，当前只保留少量必要环境变量。
+
+### 必填
+
+- `ADMIN`
+  超级管理员账号。
+- `PASSWORD`
+  超级管理员密码。
+
+### 可选
+
+- `DATA_DIR`
+  数据目录，默认会使用仓库下的 `data/`。在 Hugging Face Space 中建议保持为 `/data`。
+- `CHROME_BIN`
+  自定义 Chromium 路径。默认会自动尝试 `/usr/bin/chromium`。
+- `CHROMEDRIVER_PATH`
+  自定义 chromedriver 路径。默认会自动尝试 `/usr/bin/chromedriver`。
+
+### 不需要再手动配置的内容
+
+以下内容已经改为自动生成或写入程序默认值，不需要再手工配置环境变量：
+
+- Flask session secret
+- 用户密码加密密钥
+- 默认并行数
+- 登录重试次数
+- Selenium 会话错误阈值
+- Selenium 会话重建阈值
+- 提交验证码重试次数
+- 页面超时时间
+- 日志页容量
+
+程序会在 `DATA_DIR/.app_secrets.json` 中自动持久化内部密钥。这样即使以后修改 `ADMIN` 或 `PASSWORD`，也不会导致历史用户密码全部失效。
+
+## Hugging Face Space 部署
+
+### 1. 创建 Space
+
+在 Hugging Face 上创建一个新的 Space：
+
+- SDK 选择 `Docker`
+- 端口使用 `7860`
+- 仓库内容直接推送本项目即可
+
+本仓库根目录已经提供好 `README.md` 的 Space metadata 和 `Dockerfile`。
+
+### 2. 设置 Space Secrets
+
+进入 `Settings -> Variables and secrets`，至少配置：
+
+- `ADMIN=你的超级管理员账号`
+- `PASSWORD=你的超级管理员密码`
+
+通常不需要再设置其他环境变量。
+
+如果你想显式指定数据目录，也可以增加：
+
+- `DATA_DIR=/data`
+
+### 3. 开启持久化存储
+
+如果你希望以下数据在 Space 重启后仍然保留，建议在 Space 设置里开启 Persistent Storage：
+
+- 用户账号
+- 管理员账号
+- 课程目标
+- 任务历史
+- 运行日志
+- 自动生成的内部密钥文件
+
+当前 Dockerfile 已按 `/data` 目录进行适配，并预先处理了目录权限，方便在 Space 中直接持久化。
+
+### 4. 推送部署
+
+如果你使用 git 推送到 Hugging Face Space，可以参考：
+
+```bash
+git remote add space https://huggingface.co/spaces/<your-name>/<your-space>
+git push space main
+```
+
+### 5. 启动方式
+
+容器启动命令已经写入 `Dockerfile`：
+
+```bash
+gunicorn --bind 0.0.0.0:${PORT:-7860} --workers 1 --threads 8 --timeout 180 app:app
+```
+
+这里使用 `1` 个 gunicorn worker，是为了避免多进程情况下每个进程都各自启动一套本地任务调度器。并发能力由应用内部的线程调度和管理员可配置的任务并行数控制。
+
+## Space 端建议配置
+
+推荐的初始运行策略：
+
+- 后台并行数先设置为 `1` 或 `2`
+- 只有在 Space CPU / 内存足够稳定时，再逐步提升
+- 在真实高峰前，先做一次小规模联调
+
+对于 CPU 较小的 Space，同时拉起过多 Chromium 会明显增加失败率，因此管理员后台提供了并行数动态调整功能。
+
+## 管理员联调清单
+
+部署到 Space 后，建议按以下顺序联调：
+
+1. 访问 `/admin`，使用 `ADMIN` / `PASSWORD` 登录超级管理员。
+2. 在管理员后台创建 1 个普通管理员、2 个测试用户。
+3. 为两个测试用户分别录入不同课程号和课序号。
+4. 将并行数设置为 `2`。
+5. 分别触发两个用户任务，确认两条任务都能进入队列，并按并行数启动。
+6. 在管理员日志面板确认日志持续刷新，且可以看到不同学号的执行记录。
+7. 使用用户账号访问 `/login`，确认用户只能看到自己的课程和日志。
+8. 在任务运行过程中测试停止任务，确认状态能变为“停止中”并最终收敛。
+9. 如果学校页面出现提交验证码，确认日志中能看到提交阶段验证码识别提示。
+
+## 自动化测试
+
+仓库当前已补充以下自动化测试：
+
+- `tests/test_config.py`
+  验证内部密钥在超级管理员账号变更后依然保持稳定。
+- `tests/test_course_bot.py`
+  验证 Selenium 会话错误累计后会触发浏览器重建，并验证提交阶段验证码分支。
+- `tests/test_task_manager.py`
+  验证任务调度器会严格遵守管理员设置的并行上限。
+- `.github/workflows/linux-tests.yml`
+  在 `ubuntu-latest` 上自动运行上述测试，避免关键逻辑只在 Windows 本地验证。
+
+本地运行测试：
+
+```bash
+python -m unittest discover -s tests -v
+```
+
+## 本地运行
+
+### 直接运行
+
+```bash
+pip install -r requirements.txt
+set ADMIN=admin
+set PASSWORD=change-me
+python main.py
+```
+
+### Docker 运行
+
+```bash
+docker build -t advanced-scu-course-catcher .
+docker run --rm -p 7860:7860 \
+  -e ADMIN=admin \
+  -e PASSWORD=change-me \
+  advanced-scu-course-catcher
+```
+
+## 重要说明
+
+- 本项目当前的任务模型是“持续轮询直到成功、手动停止或达到错误上限”。
+- 用户密码会以应用内部密钥加密后保存在数据库中，用于后台自动登录教务系统。
+- 管理员可以看到全部用户、课程和日志，请在实际使用前明确权限边界。
+- 如果学校选课页面 DOM 结构变化较大，需要同步更新 `core/course_bot.py` 中的选择器以及 `javascript/` 下的辅助脚本。
+- `course_catcher/` 目录是仓库中保留的旧实现，当前运行链路以 `space_app.py + core/*` 为准。

app.py

@@ -0,0 +1 @@
+from space_app import app

build_exe.py

@@ -0,0 +1,33 @@
+import os
+import sys
+from PyInstaller.__main__ import run as pyinstaller_run
+
+def main():
+    os.chdir(os.path.dirname(os.path.abspath(__file__)))
+    
+    pyinstaller_run([
+        'main.py',
+        '--name=SCU_Course_Catcher',
+        '--onefile',
+        #'--windowed', #need console
+        '--icon=favicon.ico',
+        '--add-data=javascript;javascript',
+        '--add-data=ocr_provider;ocr_provider',
+        '--add-data=webdriver_utils.py;.',
+        '--add-data=type_defs.py;.',
+        '--add-data=ensure_package_exist.py;.',
+        '--add-data=initialize.py;.',
+        '--add-data=onnx_inference.py;.',
+        '--hidden-import=selenium',
+        '--hidden-import=fake_useragent',
+        '--hidden-import=dataclasses_json',
+        '--hidden-import=onnxruntime',
+        '--collect-data=fake_useragent',
+        '--collect-submodules=fake_useragent',
+        '--collect-data=onnxruntime',
+        '--collect-submodules=onnxruntime',
+        '--clean',
+    ])
+
+if __name__ == '__main__':
+    main()

core/__init__.py

@@ -0,0 +1 @@
+"""Core application package for the Hugging Face Space web service."""

core/config.py

@@ -0,0 +1,142 @@
+from __future__ import annotations
+
+import json
+import os
+import secrets
+import shutil
+from dataclasses import dataclass
+from pathlib import Path
+
+from cryptography.fernet import Fernet
+
+
+DEFAULT_PARALLEL_LIMIT = 2
+POLL_INTERVAL_SECONDS = 10
+LOGIN_RETRY_LIMIT = 6
+TASK_BACKOFF_SECONDS = 6
+BROWSER_PAGE_TIMEOUT = 40
+LOGS_PAGE_SIZE = 180
+SELENIUM_ERROR_LIMIT = 5
+SELENIUM_RESTART_LIMIT = 5
+SUBMIT_CAPTCHA_RETRY_LIMIT = 5
+
+
+def _pick_binary(env_name: str, *fallbacks: str) -> str:
+    env_value = os.getenv(env_name)
+    if env_value:
+        return env_value
+    for candidate in fallbacks:
+        if not candidate:
+            continue
+        if Path(candidate).exists():
+            return candidate
+        resolved = shutil.which(candidate)
+        if resolved:
+            return resolved
+    return fallbacks[0] if fallbacks else ""
+
+
+def _load_or_create_internal_secrets(data_dir: Path) -> tuple[str, str]:
+    secret_file = data_dir / ".app_secrets.json"
+    payload: dict[str, str] = {}
+
+    if secret_file.exists():
+        try:
+            raw_payload = json.loads(secret_file.read_text(encoding="utf-8"))
+            if isinstance(raw_payload, dict):
+                payload = {
+                    str(key): str(value)
+                    for key, value in raw_payload.items()
+                    if isinstance(value, str)
+                }
+        except (OSError, json.JSONDecodeError):
+            payload = {}
+
+    session_secret = payload.get("session_secret", "").strip()
+    encryption_key = payload.get("encryption_key", "").strip()
+    changed = False
+
+    if not session_secret:
+        session_secret = secrets.token_hex(32)
+        changed = True
+    if not encryption_key:
+        encryption_key = Fernet.generate_key().decode("utf-8")
+        changed = True
+
+    if changed or not secret_file.exists():
+        secret_file.write_text(
+            json.dumps(
+                {
+                    "session_secret": session_secret,
+                    "encryption_key": encryption_key,
+                },
+                ensure_ascii=False,
+                indent=2,
+            ),
+            encoding="utf-8",
+        )
+
+    return session_secret, encryption_key
+
+
+@dataclass(slots=True)
+class AppConfig:
+    root_dir: Path
+    data_dir: Path
+    db_path: Path
+    session_secret: str
+    encryption_key: str
+    super_admin_username: str
+    super_admin_password: str
+    default_parallel_limit: int
+    poll_interval_seconds: int
+    login_retry_limit: int
+    task_backoff_seconds: int
+    browser_page_timeout: int
+    logs_page_size: int
+    selenium_error_limit: int
+    selenium_restart_limit: int
+    submit_captcha_retry_limit: int
+    chrome_binary: str
+    chromedriver_path: str
+
+    @classmethod
+    def load(cls) -> "AppConfig":
+        root_dir = Path(__file__).resolve().parent.parent
+        data_dir = Path(os.getenv("DATA_DIR", str(root_dir / "data"))).resolve()
+        data_dir.mkdir(parents=True, exist_ok=True)
+
+        super_admin_username = os.getenv("ADMIN", "superadmin")
+        super_admin_password = os.getenv("PASSWORD", "change-me-in-hf-space")
+        session_secret, encryption_key = _load_or_create_internal_secrets(data_dir)
+
+        return cls(
+            root_dir=root_dir,
+            data_dir=data_dir,
+            db_path=data_dir / "course_catcher.db",
+            session_secret=session_secret,
+            encryption_key=encryption_key,
+            super_admin_username=super_admin_username,
+            super_admin_password=super_admin_password,
+            default_parallel_limit=DEFAULT_PARALLEL_LIMIT,
+            poll_interval_seconds=POLL_INTERVAL_SECONDS,
+            login_retry_limit=LOGIN_RETRY_LIMIT,
+            task_backoff_seconds=TASK_BACKOFF_SECONDS,
+            browser_page_timeout=BROWSER_PAGE_TIMEOUT,
+            logs_page_size=LOGS_PAGE_SIZE,
+            selenium_error_limit=SELENIUM_ERROR_LIMIT,
+            selenium_restart_limit=SELENIUM_RESTART_LIMIT,
+            submit_captcha_retry_limit=SUBMIT_CAPTCHA_RETRY_LIMIT,
+            chrome_binary=_pick_binary(
+                "CHROME_BIN",
+                "/usr/bin/chromium",
+                "/usr/bin/chromium-browser",
+                "chromium",
+                "chromium-browser",
+            ),
+            chromedriver_path=_pick_binary(
+                "CHROMEDRIVER_PATH",
+                "/usr/bin/chromedriver",
+                "chromedriver",
+            ),
+        )

core/course_bot.py

@@ -0,0 +1,507 @@
+from __future__ import annotations
+
+import base64
+import json
+import re
+import time
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Callable
+
+from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
+from selenium.webdriver.common.by import By
+from selenium.webdriver.remote.webdriver import WebDriver
+from selenium.webdriver.support.wait import WebDriverWait
+
+import onnx_inference
+import webdriver_utils
+from core.db import Database
+
+
+URL_LOGIN = "http://id.scu.edu.cn/enduser/sp/sso/scdxplugin_jwt23?enterpriseId=scdx&target_url=index"
+URL_SELECT_COURSE = "http://zhjw.scu.edu.cn/student/courseSelect/courseSelect/index"
+LOGIN_SUCCESS_PREFIXES = (
+    "http://zhjw.scu.edu.cn/index",
+    "http://zhjw.scu.edu.cn/",
+    "https://zhjw.scu.edu.cn/index",
+    "https://zhjw.scu.edu.cn/",
+)
+CATEGORY_META = {
+    "plan": {"label": "方案选课", "tab_id": "faxk"},
+    "free": {"label": "自由选课", "tab_id": "zyxk"},
+}
+
+LOGIN_STUDENT_SELECTORS = [
+    (By.XPATH, "//*[@id='app']//form//input[@type='text']"),
+    (By.XPATH, "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[1]/div/div/div[2]/div/input"),
+]
+LOGIN_PASSWORD_SELECTORS = [
+    (By.XPATH, "//*[@id='app']//form//input[@type='password']"),
+    (By.XPATH, "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[2]/div/div/div[2]/div/input"),
+]
+LOGIN_CAPTCHA_INPUT_SELECTORS = [
+    (By.XPATH, "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]//input"),
+    (By.XPATH, "//*[@id='app']//form//input[contains(@placeholder, '验证码')]"),
+]
+LOGIN_CAPTCHA_IMAGE_SELECTORS = [
+    (By.XPATH, "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]//img"),
+    (By.XPATH, "//*[@id='app']//form//img"),
+]
+LOGIN_BUTTON_SELECTORS = [
+    (By.XPATH, "//*[@id='app']//form//button"),
+    (By.XPATH, "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[4]/div/button"),
+]
+SUBMIT_CAPTCHA_IMAGE_SELECTORS = [
+    (By.XPATH, "//div[contains(@class,'dialog') or contains(@class,'modal') or contains(@class,'popup')]//img[contains(@src,'base64') or contains(translate(@src,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'captcha')]"),
+    (By.XPATH, "//img[contains(@src,'base64')]"),
+    (By.XPATH, "//img[contains(translate(@alt,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'captcha') or contains(translate(@class,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'captcha')]"),
+]
+SUBMIT_CAPTCHA_INPUT_SELECTORS = [
+    (By.XPATH, "//input[contains(@placeholder,'验证码')]"),
+    (By.XPATH, "//input[contains(translate(@id,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'captcha')]"),
+    (By.XPATH, "//input[contains(translate(@name,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'captcha')]"),
+]
+SUBMIT_CAPTCHA_BUTTON_SELECTORS = [
+    (By.XPATH, "//button[contains(.,'确定') or contains(.,'提交') or contains(.,'确认') or contains(.,'验证')]"),
+    (By.XPATH, "//input[(@type='button' or @type='submit') and (contains(@value,'确定') or contains(@value,'提交') or contains(@value,'确认') or contains(@value,'验证'))]"),
+]
+
+
+class FatalCredentialsError(Exception):
+    pass
+
+
+class RecoverableAutomationError(Exception):
+    pass
+
+
+@dataclass(slots=True)
+class TaskResult:
+    status: str
+    error: str = ""
+
+
+class CourseBot:
+    def __init__(
+        self,
+        *,
+        config,
+        store: Database,
+        task_id: int,
+        user: dict,
+        password: str,
+        logger: Callable[[str, str], None],
+    ) -> None:
+        self.config = config
+        self.store = store
+        self.task_id = task_id
+        self.user = user
+        self.password = password
+        self.logger = logger
+        self.root_dir = Path(__file__).resolve().parent.parent
+        self.select_course_js = (self.root_dir / "javascript" / "select_course.js").read_text(encoding="utf-8")
+        self.check_result_js = (self.root_dir / "javascript" / "check_result.js").read_text(encoding="utf-8")
+        self.captcha_solver = onnx_inference.CaptchaONNXInference(
+            model_path=str(self.root_dir / "ocr_provider" / "captcha_model.onnx")
+        )
+
+    def run(self, stop_event) -> TaskResult:
+        exhausted_sessions = 0
+        while not stop_event.is_set():
+            courses = self.store.list_courses_for_user(self.user["id"])
+            if not courses:
+                self.logger("INFO", "当前没有待抢课程，任务自动结束。")
+                return TaskResult(status="completed")
+
+            driver: WebDriver | None = None
+            session_ready = False
+            session_error_count = 0
+            try:
+                self.logger(
+                    "INFO",
+                    f"启动新的 Selenium 会话。��计已重建 {exhausted_sessions}/{self.config.selenium_restart_limit} 次。",
+                )
+                driver = webdriver_utils.configure_browser(
+                    chrome_binary=self.config.chrome_binary,
+                    chromedriver_path=self.config.chromedriver_path,
+                    page_timeout=self.config.browser_page_timeout,
+                )
+                wait = WebDriverWait(driver, self.config.browser_page_timeout, 0.5)
+
+                while not stop_event.is_set():
+                    try:
+                        if not session_ready:
+                            self._login(driver, wait)
+                            session_ready = True
+
+                        current_courses = self.store.list_courses_for_user(self.user["id"])
+                        if not current_courses:
+                            self.logger("INFO", "所有目标课程都已经从队列中移除，任务完成。")
+                            return TaskResult(status="completed")
+
+                        if not self._goto_select_course(driver, wait):
+                            session_error_count = 0
+                            self._sleep_with_cancel(stop_event, self.config.poll_interval_seconds, "当前不是选课时段，等待下一轮检查。")
+                            continue
+
+                        attempts = 0
+                        successes = 0
+                        grouped_courses = {"plan": [], "free": []}
+                        for course in current_courses:
+                            grouped_courses[course["category"]].append(course)
+
+                        for category, items in grouped_courses.items():
+                            if not items:
+                                continue
+                            for course in items:
+                                if stop_event.is_set():
+                                    break
+                                attempts += 1
+                                if self._attempt_single_course(driver, wait, course):
+                                    successes += 1
+
+                        if attempts == 0:
+                            self.logger("INFO", "没有可执行的课程项目，下一轮将自动重试。")
+                        elif successes == 0:
+                            self.logger("INFO", "本轮没有抢到目标课程，准备稍后重试。")
+                        else:
+                            self.logger("INFO", f"本轮处理 {attempts} 门课程，成功更新 {successes} 门。")
+
+                        session_error_count = 0
+                        if exhausted_sessions:
+                            self.logger("INFO", "当前 Selenium 会话已恢复稳定，浏览器重建错误计数已清零。")
+                            exhausted_sessions = 0
+
+                        if not self.store.list_courses_for_user(self.user["id"]):
+                            self.logger("INFO", "全部课程均已处理完成。")
+                            return TaskResult(status="completed")
+
+                        self._sleep_with_cancel(stop_event, self.config.poll_interval_seconds, "等待下一轮刷新。")
+                    except FatalCredentialsError as exc:
+                        self.logger("ERROR", str(exc))
+                        return TaskResult(status="failed", error=str(exc))
+                    except RecoverableAutomationError as exc:
+                        session_ready = False
+                        session_error_count += 1
+                        self.logger(
+                            "WARNING",
+                            f"当前 Selenium 会话第 {session_error_count}/{self.config.selenium_error_limit} 次可恢复错误: {exc}",
+                        )
+                        if session_error_count < self.config.selenium_error_limit:
+                            self._sleep_with_cancel(
+                                stop_event,
+                                self.config.task_backoff_seconds,
+                                "将在当前 Selenium 会话内继续重试",
+                            )
+                            continue
+
+                        exhausted_sessions += 1
+                        if exhausted_sessions >= self.config.selenium_restart_limit:
+                            message = (
+                                f"Selenium 会话连续达到错误上限并已重建 {exhausted_sessions} 次，任务终止。"
+                                f"最后错误: {exc}"
+                            )
+                            self.logger("ERROR", message)
+                            return TaskResult(status="failed", error=message)
+
+                        self.logger(
+                            "WARNING",
+                            f"当前 Selenium 会话连续错误达到 {self.config.selenium_error_limit} 次，准备重建浏览器。"
+                            f"已耗尽 {exhausted_sessions}/{self.config.selenium_restart_limit} 个会话。",
+                        )
+                        break
+                    except Exception as exc:  # pragma: no cover - defensive fallback
+                        session_ready = False
+                        session_error_count += 1
+                        self.logger(
+                            "WARNING",
+                            f"当前 Selenium 会话第 {session_error_count}/{self.config.selenium_error_limit} 次未知错误: {exc}",
+                        )
+                        if session_error_count < self.config.selenium_error_limit:
+                            self._sleep_with_cancel(
+                                stop_event,
+                                self.config.task_backoff_seconds,
+                                "当前会话发生未知错误，稍后重试",
+                            )
+                            continue
+
+                        exhausted_sessions += 1
+                        if exhausted_sessions >= self.config.selenium_restart_limit:
+                            message = (
+                                f"Selenium 会话连续达到错误上限并已重建 {exhausted_sessions} 次，任务终止。"
+                                f"最后错误: {exc}"
+                            )
+                            self.logger("ERROR", message)
+                            return TaskResult(status="failed", error=message)
+
+                        self.logger(
+                            "WARNING",
+                            f"未知错误累计达到上限，准备重建 Selenium 会话。"
+                            f"已耗尽 {exhausted_sessions}/{self.config.selenium_restart_limit} 个会话。",
+                        )
+                        break
+            finally:
+                if driver is not None:
+                    try:
+                        driver.quit()
+                    except Exception:
+                        pass
+
+        self.logger("INFO", "收到停止信号，任务已结束。")
+        return TaskResult(status="stopped")
+
+    def _login(self, driver: WebDriver, wait: WebDriverWait) -> None:
+        for attempt in range(1, self.config.login_retry_limit + 1):
+            driver.get(URL_LOGIN)
+            webdriver_utils.wait_for_ready(wait)
+
+            std_id_box = self._find_first_visible(driver, LOGIN_STUDENT_SELECTORS, "登录学号输入框", timeout=6)
+            password_box = self._find_first_visible(driver, LOGIN_PASSWORD_SELECTORS, "登录密码输入框", timeout=6)
+            captcha_box = self._find_first_visible(driver, LOGIN_CAPTCHA_INPUT_SELECTORS, "登录验证码输入框", timeout=6)
+            login_button = self._find_first_visible(driver, LOGIN_BUTTON_SELECTORS, "登录按钮", timeout=6)
+            captcha_image = self._find_first_visible(driver, LOGIN_CAPTCHA_IMAGE_SELECTORS, "登录验证码图片", timeout=6)
+
+            captcha_text = self.captcha_solver.classification(self._extract_image_bytes(captcha_image))
+
+            std_id_box.clear()
+            std_id_box.send_keys(self.user["student_id"])
+            password_box.clear()
+            password_box.send_keys(self.password)
+            captcha_box.clear()
+            captcha_box.send_keys(captcha_text)
+            login_button.click()
+            time.sleep(1.2)
+
+            if any(driver.current_url.startswith(prefix) for prefix in LOGIN_SUCCESS_PREFIXES):
+                self.logger("INFO", f"登录成功，耗费 {attempt} 次尝试。")
+                return
+
+            error_message = self._read_login_error(driver)
+            if any(token in error_message for token in ("用户名或密码错误", "密码错误", "账号或密码错误", "用户不存在")):
+                raise FatalCredentialsError("学号或密码错误，任务已停止，请在面板中更新后重新启动。")
+            if error_message:
+                self.logger("WARNING", f"登录失败，第 {attempt} 次尝试: {error_message}")
+            else:
+                self.logger("WARNING", f"登录失败，第 {attempt} 次尝试，未读取到明确错误提示。")
+
+        raise RecoverableAutomationError("连续多次登录失败，系统将稍后自动重试。")
+
+    def _goto_select_course(self, driver: WebDriver, wait: WebDriverWait) -> bool:
+        driver.get(URL_SELECT_COURSE)
+        webdriver_utils.wait_for_ready(wait)
+        body_text = self._find(driver, By.TAG_NAME, "body").text
+        if "非选课" in body_text or "未到选课时间" in body_text:
+            self.logger("INFO", body_text.strip() or "当前不是选课时段。")
+            return False
+        return True
+
+    def _attempt_single_course(self, driver: WebDriver, wait: WebDriverWait, course: dict) -> bool:
+        category_name = CATEGORY_META[course["category"]]["label"]
+        course_key = f'{course["course_id"]}_{course["course_index"]}'
+        self.logger("INFO", f"开始尝试 {category_name} {course_key}。")
+
+        if not self._goto_select_course(driver, wait):
+            self.logger("INFO", f"跳过 {course_key}，当前系统暂时不在可选课页面。")
+            return False
+        self._open_category_tab(driver, wait, course["category"])
+
+        try:
+            wait.until(lambda current_driver: current_driver.find_element(By.ID, "ifra"))
+            driver.switch_to.frame("ifra")
+            course_id_box = self._find(driver, By.ID, "kch")
+            search_button = self._find(driver, By.ID, "queryButton")
+            course_id_box.clear()
+            course_id_box.send_keys(course["course_id"])
+            search_button.click()
+            wait.until(
+                lambda current_driver: current_driver.execute_script(
+                    "return document.getElementById('queryButton').innerText.indexOf('正在') === -1"
+                )
+            )
+        except TimeoutException as exc:
+            raise RecoverableAutomationError("课程查询超时，页面可能暂时无响应。") from exc
+        finally:
+            driver.switch_to.default_content()
+
+        time.sleep(0.2)
+        found_target = driver.execute_script(self.select_course_js, course_key) == "yes"
+        if not found_target:
+            self.logger("INFO", f"本轮未找到目标课程 {course_key}。")
+            return False
+
+        self.logger("INFO", f"已勾选目标课程 {course_key}，准备提交。")
+        results = self._submit_with_optional_captcha(driver, wait, course_key)
+        if not results:
+            self.logger("WARNING", f"提交 {course_key} 后没有读取到结果列表。")
+            return False
+
+        satisfied = False
+        for result in results:
+            detail = (result.get("detail") or "").strip()
+            subject = (result.get("subject") or course_key).strip()
+            if result.get("result"):
+                self.logger("SUCCESS", f"成功抢到课程: {subject}")
+                satisfied = True
+            elif any(token in detail for token in ("已选", "已选择", "已经选", "已在已选课程")):
+                self.logger("INFO", f"课程已在系统中存在，自动从队列移除: {subject}")
+                satisfied = True
+            else:
+                self.logger("WARNING", f"课程 {subject} 抢课失败: {detail or '未知原因'}")
+
+        if satisfied:
+            self.store.remove_course_by_identity(
+                self.user["id"],
+                course["category"],
+                course["course_id"],
+                course["course_index"],
+            )
+            return True
+        return False
+
+    def _submit_with_optional_captcha(self, driver: WebDriver, wait: WebDriverWait, course_key: str) -> list[dict]:
+        submit_button = self._find(driver, By.ID, "submitButton")
+        submit_button.click()
+
+        for attempt in range(1, self.config.submit_captcha_retry_limit + 1):
+            state = self._wait_for_submit_state(driver, wait)
+            if state == "result":
+                return self._read_result_page(driver, wait)
+            if state == "captcha":
+                self.logger("INFO", f"提交 {course_key} 时检测到验证码，第 {attempt} 次自动识别。")
+                if not self._solve_visible_submit_captcha(driver):
+                    raise RecoverableAutomationError("提交选课时检测到验证码，但未能自动完成识别与提交。")
+                continue
+            self.logger("WARNING", f"提交 {course_key} 后页面未返回结果，也未检测到验证码。")
+
+        raise RecoverableAutomationError("提交选课后连续多次遇到验证码或未返回结果。")
+
+    def _wait_for_submit_state(self, driver: WebDriver, wait: WebDriverWait) -> str:
+        script = """
+            const visible = (el) => {
+                if (!el) return false;
+                const style = window.getComputedStyle(el);
+                const rect = el.getBoundingClientRect();
+                return style.display !== 'none' && style.visibility !== 'hidden' && rect.width > 0 && rect.height > 0;
+            };
+            if (document.querySelector('#xkresult tbody tr')) return 'result';
+            const input = Array.from(document.querySelectorAll('input')).find((el) => {
+                const text = `${el.placeholder || ''} ${el.id || ''} ${el.name || ''} ${el.className || ''}`;
+                return visible(el) && /验证码|captcha/i.test(text);
+            });
+            const img = Array.from(document.querySelectorAll('img')).find((el) => {
+                const text = `${el.src || ''} ${el.id || ''} ${el.alt || ''} ${el.className || ''}`;
+                return visible(el) && (/captcha/i.test(text) || (el.src || '').includes('base64') || (el.naturalWidth >= 50 && el.naturalWidth <= 240 && el.naturalHeight >= 20 && el.naturalHeight <= 120));
+            });
+            const button = Array.from(document.querySelectorAll('button, input[type="button"], input[type="submit"]')).find((el) => {
+                const text = `${el.innerText || ''} ${el.value || ''}`;
+                return visible(el) && /确定|提交|确认|验证/.test(text);
+            });
+            if (input && img && button) return 'captcha';
+            return 'pending';
+        """
+        try:
+            wait.until(lambda current_driver: current_driver.execute_script(script) != "pending")
+        except TimeoutException:
+            return "pending"
+        return str(driver.execute_script(script))
+
+    def _solve_visible_submit_captcha(self, driver: WebDriver) -> bool:
+        image = self._find_first_visible_optional(driver, SUBMIT_CAPTCHA_IMAGE_SELECTORS, timeout=3)
+        input_box = self._find_first_visible_optional(driver, SUBMIT_CAPTCHA_INPUT_SELECTORS, timeout=3)
+        button = self._find_first_visible_optional(driver, SUBMIT_CAPTCHA_BUTTON_SELECTORS, timeout=3)
+        if not image or not input_box or not button:
+            return False
+
+        captcha_text = self.captcha_solver.classification(self._extract_image_bytes(image))
+        self.logger("INFO", f"提交验证码 OCR 输出: {captcha_text}")
+        input_box.clear()
+        input_box.send_keys(captcha_text)
+        button.click()
+        time.sleep(1.0)
+        return True
+
+    def _open_category_tab(self, driver: WebDriver, wait: WebDriverWait, category: str) -> None:
+        tab_id = CATEGORY_META[category]["tab_id"]
+        tab = self._find(driver, By.ID, tab_id)
+        tab.click()
+        webdriver_utils.wait_for_ready(wait)
+        time.sleep(0.2)
+
+    def _read_result_page(self, driver: WebDriver, wait: WebDriverWait) -> list[dict]:
+        try:
+            webdriver_utils.wait_for_ready(wait)
+            wait.until(
+                lambda current_driver: current_driver.execute_script(
+                    """
+                    const node = document.querySelector('#xkresult tbody tr');
+                    return Boolean(node);
+                    """
+                )
+            )
+            return json.loads(driver.execute_script(self.check_result_js))
+        except Exception as exc:
+            raise RecoverableAutomationError("读取选课结果失败，页面结构可能发生变化。") from exc
+
+    def _read_login_error(self, driver: WebDriver) -> str:
+        script = """
+            const nodes = Array.from(document.querySelectorAll('body span, body div'));
+            for (const node of nodes) {
+                const text = (node.innerText || '').trim();
+                if (!text) continue;
+                if (/验证码|密码|用户|账号/.test(text)) return text;
+            }
+            return '';
+        """
+        raw_message = driver.execute_script(script) or ""
+        message = re.sub(r"\s+", " ", str(raw_message)).strip()
+        return message
+
+    @staticmethod
+    def _extract_image_bytes(image_element) -> bytes:
+        source = image_element.get_attribute("src") or ""
+        if "base64," in source:
+            return base64.b64decode(source.split("base64,", 1)[1])
+        return image_element.screenshot_as_png
+
+    def _find_first_visible(self, driver: WebDriver, selectors: list[tuple[str, str]], label: str, timeout: int = 0):
+        element = self._find_first_visible_optional(driver, selectors, timeout=timeout)
+        if element is None:
+            raise RecoverableAutomationError(f"页面元素未找到: {label}")
+        return element
+
+    @staticmethod
+    def _find_first_visible_optional(driver: WebDriver, selectors: list[tuple[str, str]], timeout: int = 0):
+        deadline = time.monotonic() + max(0, timeout)
+        while True:
+            for by, value in selectors:
+                try:
+                    elements = driver.find_elements(by, value)
+                except WebDriverException:
+                    continue
+                for element in elements:
+                    try:
+                        if element.is_displayed():
+                            return element
+                    except WebDriverException:
+                        continue
+            if timeout <= 0 or time.monotonic() >= deadline:
+                return None
+            time.sleep(0.2)
+
+    @staticmethod
+    def _find(driver: WebDriver, by: str, value: str):
+        try:
+            return driver.find_element(by, value)
+        except NoSuchElementException as exc:
+            raise RecoverableAutomationError(f"页面元素未找到: {value}") from exc
+        except WebDriverException as exc:
+            raise RecoverableAutomationError(f"浏览器操作失败: {value}") from exc
+
+    def _sleep_with_cancel(self, stop_event, seconds: int, reason: str) -> None:
+        if seconds <= 0:
+            return
+        self.logger("INFO", f"{reason} 大约 {seconds} 秒。")
+        for _ in range(seconds):
+            if stop_event.is_set():
+                return
+            time.sleep(1)

core/course_runner.py

@@ -0,0 +1,303 @@
+from __future__ import annotations
+
+import base64
+import json
+import re
+import time
+from dataclasses import dataclass
+
+from selenium.common.exceptions import NoSuchElementException, WebDriverException
+from selenium.webdriver.common.by import By
+from selenium.webdriver.support.wait import WebDriverWait
+
+import onnx_inference
+import webdriver_utils
+from core.config import CAPTCHA_MODEL_PATH, CHECK_RESULT_JS_PATH, CONFIG, SELECT_COURSE_JS_PATH
+from core.database import Database
+from core.security import decrypt_secret
+
+
+URL_LOGIN = 'http://id.scu.edu.cn/enduser/sp/sso/scdxplugin_jwt23?enterpriseId=scdx&target_url=index'
+URL_SELECT_COURSE = 'http://zhjw.scu.edu.cn/student/courseSelect/courseSelect/index'
+LOGIN_SUCCESS_PREFIXES = (
+    'http://zhjw.scu.edu.cn/index',
+    'http://zhjw.scu.edu.cn/',
+    'https://zhjw.scu.edu.cn/index',
+    'https://zhjw.scu.edu.cn/',
+)
+
+
+class TaskStoppedError(RuntimeError):
+    """Raised when a running task is stopped by the user or the service."""
+
+
+@dataclass(frozen=True)
+class CourseTarget:
+    course_id: str
+    course_index: str
+
+
+class CourseTaskRunner:
+    def __init__(self, database: Database, context):
+        self.database = database
+        self.context = context
+        self.driver = None
+        self.web_wait: WebDriverWait | None = None
+        self.select_course_js = SELECT_COURSE_JS_PATH.read_text(encoding='utf-8')
+        self.check_result_js = CHECK_RESULT_JS_PATH.read_text(encoding='utf-8')
+        self.captcha_solver = onnx_inference.CaptchaONNXInference(model_path=str(CAPTCHA_MODEL_PATH))
+
+    def run(self) -> None:
+        task = self.database.get_task(self.context.task_id)
+        if not task:
+            raise RuntimeError('任务不存在，无法启动。')
+        user = self.database.get_user_by_id(task['user_id'])
+        if not user:
+            raise RuntimeError('用户不存在，无法执行选课任务。')
+
+        payload = json.loads(task['task_payload'])
+        courses = [CourseTarget(**item) for item in payload.get('courses', [])]
+        if not courses:
+            self.database.set_task_status(self.context.task_id, 'failed', last_error='没有可执行的课程。')
+            return
+
+        plain_password = decrypt_secret(user['encrypted_password'])
+        self.context.log('info', f'任务启动，目标课程 {len(courses)} 门。')
+        self.context.log('info', '正在启动浏览器环境。')
+        self.driver = webdriver_utils.configure_browser()
+        self.web_wait = WebDriverWait(self.driver, CONFIG.page_ready_timeout, 0.4)
+
+        try:
+            self._login(student_id=user['student_id'], password=plain_password)
+            self._catch_courses(courses)
+        finally:
+            if self.driver:
+                try:
+                    self.driver.quit()
+                except WebDriverException:
+                    pass
+
+    def _login(self, *, student_id: str, password: str) -> None:
+        assert self.driver and self.web_wait
+        self.context.log('info', '正在登录川大统一认证。')
+        captcha_failures = 0
+        other_failures = 0
+
+        while True:
+            self._raise_if_stopped()
+            self.driver.get(URL_LOGIN)
+            webdriver_utils.wait_for_ready(self.web_wait)
+            std_box, password_box, captcha_box, login_button = self._get_login_fields()
+            std_box.clear()
+            std_box.send_keys(student_id)
+            password_box.clear()
+            password_box.send_keys(password)
+
+            captcha_raw, captcha_b64 = self._read_captcha_image()
+            if captcha_failures >= CONFIG.captcha_auto_attempts:
+                self.context.log('warning', '自动验证码识别已到阈值，等待人工输入。')
+                captcha_text = self.context.request_captcha(captcha_b64)
+                if not captcha_text:
+                    raise RuntimeError('验证码等待超时，登录已终止。')
+                self.context.log('info', '收到人工验证码，继续登录。')
+            else:
+                captcha_text = self.captcha_solver.classification(captcha_raw)
+                self.context.log('debug', f'验证码模型输出：{captcha_text}')
+
+            captcha_box.clear()
+            captcha_box.send_keys(captcha_text)
+            login_button.click()
+
+            if self._wait_for_login_success():
+                self.context.log('info', '登录成功。')
+                return
+
+            error_text = self._read_login_error_text()
+            if error_text:
+                self.context.log('warning', f'登录返回：{error_text}')
+            else:
+                self.context.log('warning', '未捕获到明确登录错误，准备重试。')
+
+            if '密码错误' in error_text or '用户名或密码错误' in error_text or '用户不存在' in error_text:
+                raise RuntimeError('学号或密码错误，请先在后台或用户页更新账号信息。')
+
+            if '验证码' in error_text:
+                captcha_failures += 1
+            else:
+                other_failures += 1
+
+            if other_failures >= 8:
+                raise RuntimeError('登录多次失败，当前无法稳定进入教务系统。')
+
+            time.sleep(1.0)
+
+    def _get_login_fields(self):
+        assert self.driver
+        return (
+            self.driver.find_element(
+                By.XPATH,
+                '//*[@id="app"]/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[1]/div/div/div[2]/div/input',
+            ),
+            self.driver.find_element(
+                By.XPATH,
+                '//*[@id="app"]/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[2]/div/div/div[2]/div/input',
+            ),
+            self.driver.find_element(
+                By.XPATH,
+                '//*[@id="app"]/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]/div/div/div/div/input',
+            ),
+            self.driver.find_element(
+                By.XPATH,
+                '//*[@id="app"]/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[4]/div/button',
+            ),
+        )
+
+    def _read_captcha_image(self) -> tuple[bytes, str]:
+        assert self.driver
+        source = self.driver.find_element(
+            By.XPATH,
+            '//*[@id="app"]/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]/div/div/img',
+        ).get_attribute('src')
+        if 'base64,' not in source:
+            raise RuntimeError('未能读取验证码图片。')
+        encoded = source.split('base64,', 1)[1]
+        return base64.b64decode(encoded), encoded
+
+    def _wait_for_login_success(self) -> bool:
+        assert self.driver
+        for _ in range(10):
+            current_url = self.driver.current_url
+            if any(current_url.startswith(prefix) for prefix in LOGIN_SUCCESS_PREFIXES):
+                return True
+            time.sleep(0.5)
+        return False
+
+    def _read_login_error_text(self) -> str:
+        assert self.driver
+        try:
+            error_box = self.driver.find_element(By.XPATH, '/html/body/div[2]')
+            return error_box.text.strip()
+        except NoSuchElementException:
+            return ''
+
+    def _goto_select_course(self) -> None:
+        assert self.driver and self.web_wait
+        self.driver.get(URL_SELECT_COURSE)
+        webdriver_utils.wait_for_ready(self.web_wait)
+        body_text = self.driver.find_element(By.TAG_NAME, 'body').text
+        if '非选课' in body_text:
+            raise RuntimeError('当前不在选课时间，教务系统返回了非选课页面。')
+
+    def _catch_courses(self, courses: list[CourseTarget]) -> None:
+        remaining = {(course.course_id, course.course_index) for course in courses}
+        round_index = 0
+        while remaining:
+            self._raise_if_stopped()
+            round_index += 1
+            self.context.log('info', f'开始第 {round_index} 轮检索，剩余 {len(remaining)} 门课程。')
+            round_successes = 0
+            for tab_name, tab_id in (('方案选课', 'faxk'), ('自由选课', 'zyxk')):
+                if not remaining:
+                    break
+                round_successes += self._process_tab(tab_name, tab_id, remaining)
+
+            if not remaining:
+                self.context.log('info', '所有目标课程已完成。')
+                self.database.set_task_status(
+                    self.context.task_id,
+                    'success',
+                    completed_count=len(courses),
+                    last_error='',
+                )
+                return
+
+            if round_successes == 0:
+                self.context.log('debug', f'本轮未命中课程，{CONFIG.task_poll_interval:.1f}s 后继续。')
+                self._sleep_with_stop(CONFIG.task_poll_interval)
+
+    def _process_tab(self, tab_name: str, tab_id: str, remaining: set[tuple[str, str]]) -> int:
+        assert self.driver and self.web_wait
+        self._goto_select_course()
+        self.driver.find_element(By.XPATH, f'//*[@id="{tab_id}"]').click()
+        webdriver_utils.wait_for_ready(self.web_wait)
+
+        selected_targets: list[tuple[str, str]] = []
+        for course_id, course_index in list(remaining):
+            self._raise_if_stopped()
+            if self._search_and_mark_current_tab(course_id, course_index):
+                selected_targets.append((course_id, course_index))
+                self.context.log('info', f'{tab_name} 命中课程 {course_id}_{course_index}，已勾选。')
+
+        if not selected_targets:
+            return 0
+
+        self.driver.find_element(By.XPATH, '//*[@id="submitButton"]').click()
+        results = self._read_submit_results()
+        successes = 0
+        for result in results:
+            course_key = self._extract_course_key(result['subject'])
+            if result['result'] and course_key in remaining:
+                remaining.remove(course_key)
+                successes += 1
+                completed = self._current_completed_count(remaining)
+                self.database.update_task_progress(self.context.task_id, completed)
+                self.context.log('info', f"选课成功：{result['subject']}")
+            elif result['result']:
+                self.context.log('info', f"选课成功，但未能精确匹配目标项：{result['subject']}")
+            else:
+                self.context.log('warning', f"选课失败：{result['subject']}，原因：{result['detail']}")
+        return successes
+
+    def _search_and_mark_current_tab(self, course_id: str, course_index: str) -> bool:
+        assert self.driver and self.web_wait
+        self.driver.switch_to.frame('ifra')
+        try:
+            course_id_box = self.driver.find_element(By.XPATH, '//*[@id="kch"]')
+            query_button = self.driver.find_element(By.XPATH, '//*[@id="queryButton"]')
+            course_id_box.clear()
+            course_id_box.send_keys(course_id)
+            query_button.click()
+            self.web_wait.until(
+                lambda driver: driver.execute_script(
+                    "return document.getElementById('queryButton').innerText.indexOf('正在') === -1"
+                )
+            )
+        finally:
+            self.driver.switch_to.default_content()
+
+        self.web_wait.until(lambda driver: driver.execute_script("return document.getElementById('ifra') != null"))
+        time.sleep(0.15)
+        return self.driver.execute_script(self.select_course_js, f'{course_id}_{course_index}') == 'yes'
+
+    def _read_submit_results(self) -> list[dict]:
+        assert self.driver and self.web_wait
+        self.web_wait.until(
+            lambda driver: driver.execute_script("return document.getElementById('xkresult') != null")
+        )
+        time.sleep(0.3)
+        raw = self.driver.execute_script(self.check_result_js)
+        return json.loads(raw)
+
+    def _extract_course_key(self, subject: str) -> tuple[str, str]:
+        match = re.search(r'(\d{5,})_(\d{2})', subject)
+        if match:
+            return (match.group(1), match.group(2))
+        numbers = re.findall(r'\d+', subject)
+        if len(numbers) >= 2:
+            return (numbers[-2], numbers[-1].zfill(2))
+        return ('', '')
+
+    def _current_completed_count(self, remaining: set[tuple[str, str]]) -> int:
+        task = self.database.get_task(self.context.task_id)
+        total = int(task['total_count']) if task else 0
+        return max(0, total - len(remaining))
+
+    def _sleep_with_stop(self, seconds: float) -> None:
+        deadline = time.monotonic() + seconds
+        while time.monotonic() < deadline:
+            self._raise_if_stopped()
+            time.sleep(0.2)
+
+    def _raise_if_stopped(self) -> None:
+        if self.context.should_stop():
+            raise TaskStoppedError()

core/database.py

@@ -0,0 +1,482 @@
+from __future__ import annotations
+
+import json
+import sqlite3
+import uuid
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+
+TERMINAL_TASK_STATUSES = {'success', 'failed', 'stopped', 'interrupted'}
+ACTIVE_TASK_STATUSES = {'queued', 'running', 'waiting_captcha'}
+
+
+def utc_now() -> str:
+    return datetime.now(timezone.utc).isoformat(timespec='seconds')
+
+
+class Database:
+    def __init__(self, db_path: Path):
+        self.db_path = Path(db_path)
+        self.db_path.parent.mkdir(parents=True, exist_ok=True)
+
+    def _connect(self) -> sqlite3.Connection:
+        connection = sqlite3.connect(self.db_path, check_same_thread=False)
+        connection.row_factory = sqlite3.Row
+        connection.execute('PRAGMA foreign_keys = ON')
+        return connection
+
+    def initialize(self) -> None:
+        with self._connect() as connection:
+            connection.execute('PRAGMA journal_mode = WAL')
+            connection.executescript(
+                """
+                CREATE TABLE IF NOT EXISTS users (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    student_id TEXT NOT NULL UNIQUE,
+                    display_name TEXT NOT NULL DEFAULT '',
+                    encrypted_password TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS admins (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    username TEXT NOT NULL UNIQUE,
+                    password_hash TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS courses (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER NOT NULL,
+                    course_id TEXT NOT NULL,
+                    course_index TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    UNIQUE(user_id, course_id, course_index),
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS tasks (
+                    id TEXT PRIMARY KEY,
+                    user_id INTEGER NOT NULL,
+                    status TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    started_at TEXT,
+                    finished_at TEXT,
+                    requested_by_role TEXT NOT NULL,
+                    requested_by_identity TEXT NOT NULL,
+                    stop_requested INTEGER NOT NULL DEFAULT 0,
+                    last_error TEXT NOT NULL DEFAULT '',
+                    total_count INTEGER NOT NULL DEFAULT 0,
+                    completed_count INTEGER NOT NULL DEFAULT 0,
+                    task_payload TEXT NOT NULL,
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS task_logs (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    task_id TEXT NOT NULL,
+                    level TEXT NOT NULL,
+                    message TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS settings (
+                    key TEXT PRIMARY KEY,
+                    value TEXT NOT NULL
+                );
+
+                CREATE INDEX IF NOT EXISTS idx_courses_user_id ON courses(user_id);
+                CREATE INDEX IF NOT EXISTS idx_tasks_user_id ON tasks(user_id);
+                CREATE INDEX IF NOT EXISTS idx_tasks_status ON tasks(status);
+                CREATE INDEX IF NOT EXISTS idx_task_logs_task_id ON task_logs(task_id, id);
+                """
+            )
+            connection.execute(
+                'INSERT OR IGNORE INTO settings(key, value) VALUES (?, ?)',
+                ('max_parallel_tasks', '2'),
+            )
+            connection.execute(
+                """
+                UPDATE tasks
+                SET status = 'interrupted',
+                    finished_at = ?,
+                    last_error = CASE
+                        WHEN COALESCE(last_error, '') = '' THEN '应用重启，上一轮任务被中断。'
+                        ELSE last_error
+                    END
+                WHERE status IN ('queued', 'running', 'waiting_captcha')
+                """,
+                (utc_now(),),
+            )
+
+    def get_setting(self, key: str, default: str = '') -> str:
+        with self._connect() as connection:
+            row = connection.execute('SELECT value FROM settings WHERE key = ?', (key,)).fetchone()
+            return row['value'] if row else default
+
+    def set_setting(self, key: str, value: str) -> None:
+        with self._connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO settings(key, value) VALUES (?, ?)
+                ON CONFLICT(key) DO UPDATE SET value = excluded.value
+                """,
+                (key, value),
+            )
+
+    def get_max_parallel_tasks(self) -> int:
+        raw = self.get_setting('max_parallel_tasks', '2')
+        try:
+            return max(1, min(8, int(raw)))
+        except ValueError:
+            return 2
+
+    def create_user(self, student_id: str, encrypted_password: str, display_name: str = '') -> int:
+        now = utc_now()
+        with self._connect() as connection:
+            cursor = connection.execute(
+                """
+                INSERT INTO users(student_id, display_name, encrypted_password, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?)
+                """,
+                (student_id, display_name, encrypted_password, now, now),
+            )
+            return int(cursor.lastrowid)
+
+    def update_user(
+        self,
+        user_id: int,
+        *,
+        student_id: str | None = None,
+        encrypted_password: str | None = None,
+        display_name: str | None = None,
+    ) -> None:
+        fields: list[str] = []
+        values: list[Any] = []
+        if student_id is not None:
+            fields.append('student_id = ?')
+            values.append(student_id)
+        if encrypted_password is not None:
+            fields.append('encrypted_password = ?')
+            values.append(encrypted_password)
+        if display_name is not None:
+            fields.append('display_name = ?')
+            values.append(display_name)
+        if not fields:
+            return
+        fields.append('updated_at = ?')
+        values.append(utc_now())
+        values.append(user_id)
+        with self._connect() as connection:
+            connection.execute(f"UPDATE users SET {', '.join(fields)} WHERE id = ?", values)
+
+    def delete_user(self, user_id: int) -> None:
+        with self._connect() as connection:
+            connection.execute('DELETE FROM users WHERE id = ?', (user_id,))
+
+    def get_user_by_student_id(self, student_id: str) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute('SELECT * FROM users WHERE student_id = ?', (student_id,)).fetchone()
+            return dict(row) if row else None
+
+    def get_user_by_id(self, user_id: int) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute('SELECT * FROM users WHERE id = ?', (user_id,)).fetchone()
+            return dict(row) if row else None
+
+    def list_users(self) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT
+                    u.*,
+                    COUNT(c.id) AS course_count,
+                    (
+                        SELECT t.status
+                        FROM tasks t
+                        WHERE t.user_id = u.id
+                        ORDER BY t.created_at DESC
+                        LIMIT 1
+                    ) AS latest_task_status
+                FROM users u
+                LEFT JOIN courses c ON c.user_id = u.id
+                GROUP BY u.id
+                ORDER BY u.created_at ASC
+                """
+            ).fetchall()
+            return [dict(row) for row in rows]
+
+    def list_courses_for_user(self, user_id: int) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT id, course_id, course_index, created_at
+                FROM courses
+                WHERE user_id = ?
+                ORDER BY created_at ASC, id ASC
+                """,
+                (user_id,),
+            ).fetchall()
+            return [dict(row) for row in rows]
+
+    def add_course(self, user_id: int, course_id: str, course_index: str) -> None:
+        with self._connect() as connection:
+            connection.execute(
+                """
+                INSERT OR IGNORE INTO courses(user_id, course_id, course_index, created_at)
+                VALUES (?, ?, ?, ?)
+                """,
+                (user_id, course_id, course_index, utc_now()),
+            )
+
+    def delete_course(self, course_row_id: int, user_id: int | None = None) -> None:
+        with self._connect() as connection:
+            if user_id is None:
+                connection.execute('DELETE FROM courses WHERE id = ?', (course_row_id,))
+            else:
+                connection.execute('DELETE FROM courses WHERE id = ? AND user_id = ?', (course_row_id, user_id))
+
+    def list_admins(self) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute('SELECT id, username, created_at, updated_at FROM admins ORDER BY created_at ASC').fetchall()
+            return [dict(row) for row in rows]
+
+    def get_admin_by_username(self, username: str) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute('SELECT * FROM admins WHERE username = ?', (username,)).fetchone()
+            return dict(row) if row else None
+
+    def create_admin(self, username: str, password_hash: str) -> int:
+        now = utc_now()
+        with self._connect() as connection:
+            cursor = connection.execute(
+                """
+                INSERT INTO admins(username, password_hash, created_at, updated_at)
+                VALUES (?, ?, ?, ?)
+                """,
+                (username, password_hash, now, now),
+            )
+            return int(cursor.lastrowid)
+
+    def update_admin_password(self, admin_id: int, password_hash: str) -> None:
+        with self._connect() as connection:
+            connection.execute(
+                'UPDATE admins SET password_hash = ?, updated_at = ? WHERE id = ?',
+                (password_hash, utc_now(), admin_id),
+            )
+
+    def delete_admin(self, admin_id: int) -> None:
+        with self._connect() as connection:
+            connection.execute('DELETE FROM admins WHERE id = ?', (admin_id,))
+
+    def find_active_task_for_user(self, user_id: int) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute(
+                """
+                SELECT * FROM tasks
+                WHERE user_id = ? AND status IN ('queued', 'running', 'waiting_captcha')
+                ORDER BY created_at DESC
+                LIMIT 1
+                """,
+                (user_id,),
+            ).fetchone()
+            return dict(row) if row else None
+
+    def create_task(
+        self,
+        *,
+        user_id: int,
+        requested_by_role: str,
+        requested_by_identity: str,
+        payload: dict[str, Any],
+    ) -> str:
+        task_id = str(uuid.uuid4())
+        now = utc_now()
+        with self._connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO tasks(
+                    id,
+                    user_id,
+                    status,
+                    created_at,
+                    requested_by_role,
+                    requested_by_identity,
+                    total_count,
+                    completed_count,
+                    task_payload
+                )
+                VALUES (?, ?, 'queued', ?, ?, ?, ?, 0, ?)
+                """,
+                (
+                    task_id,
+                    user_id,
+                    now,
+                    requested_by_role,
+                    requested_by_identity,
+                    len(payload.get('courses', [])),
+                    json.dumps(payload, ensure_ascii=False),
+                ),
+            )
+            return task_id
+
+    def claim_next_queued_task(self) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute("SELECT id FROM tasks WHERE status = 'queued' ORDER BY created_at ASC LIMIT 1").fetchone()
+            if not row:
+                return None
+            updated = connection.execute(
+                """
+                UPDATE tasks
+                SET status = 'running', started_at = ?, last_error = ''
+                WHERE id = ? AND status = 'queued'
+                """,
+                (utc_now(), row['id']),
+            ).rowcount
+            if not updated:
+                return None
+            claimed = connection.execute('SELECT * FROM tasks WHERE id = ?', (row['id'],)).fetchone()
+            return dict(claimed) if claimed else None
+
+    def get_task(self, task_id: str) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute('SELECT * FROM tasks WHERE id = ?', (task_id,)).fetchone()
+            return dict(row) if row else None
+
+    def get_task_with_user(self, task_id: str) -> dict[str, Any] | None:
+        with self._connect() as connection:
+            row = connection.execute(
+                """
+                SELECT
+                    t.*,
+                    u.student_id,
+                    u.display_name
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                WHERE t.id = ?
+                """,
+                (task_id,),
+            ).fetchone()
+            return dict(row) if row else None
+
+    def list_recent_tasks_for_user(self, user_id: int, limit: int = 12) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT id, user_id, status, created_at, started_at, finished_at, stop_requested,
+                       last_error, total_count, completed_count
+                FROM tasks
+                WHERE user_id = ?
+                ORDER BY created_at DESC
+                LIMIT ?
+                """,
+                (user_id, limit),
+            ).fetchall()
+            return [dict(row) for row in rows]
+
+    def list_recent_tasks(self, limit: int = 20) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT
+                    t.id,
+                    t.user_id,
+                    t.status,
+                    t.created_at,
+                    t.started_at,
+                    t.finished_at,
+                    t.stop_requested,
+                    t.last_error,
+                    t.total_count,
+                    t.completed_count,
+                    u.student_id,
+                    u.display_name
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                ORDER BY t.created_at DESC
+                LIMIT ?
+                """,
+                (limit,),
+            ).fetchall()
+            return [dict(row) for row in rows]
+
+    def set_task_status(
+        self,
+        task_id: str,
+        status: str,
+        *,
+        last_error: str | None = None,
+        completed_count: int | None = None,
+    ) -> None:
+        assignments = ['status = ?']
+        values: list[Any] = [status]
+        if last_error is not None:
+            assignments.append('last_error = ?')
+            values.append(last_error)
+        if completed_count is not None:
+            assignments.append('completed_count = ?')
+            values.append(completed_count)
+        if status == 'running':
+            assignments.append('started_at = COALESCE(started_at, ?)')
+            values.append(utc_now())
+        if status in TERMINAL_TASK_STATUSES:
+            assignments.append('finished_at = ?')
+            values.append(utc_now())
+        values.append(task_id)
+        with self._connect() as connection:
+            connection.execute(f"UPDATE tasks SET {', '.join(assignments)} WHERE id = ?", values)
+
+    def update_task_progress(self, task_id: str, completed_count: int) -> None:
+        with self._connect() as connection:
+            connection.execute('UPDATE tasks SET completed_count = ? WHERE id = ?', (completed_count, task_id))
+
+    def request_task_stop(self, task_id: str) -> None:
+        with self._connect() as connection:
+            connection.execute('UPDATE tasks SET stop_requested = 1 WHERE id = ?', (task_id,))
+
+    def is_task_stop_requested(self, task_id: str) -> bool:
+        with self._connect() as connection:
+            row = connection.execute('SELECT stop_requested FROM tasks WHERE id = ?', (task_id,)).fetchone()
+            return bool(row and row['stop_requested'])
+
+    def append_task_log(self, task_id: str, level: str, message: str) -> int:
+        with self._connect() as connection:
+            cursor = connection.execute(
+                """
+                INSERT INTO task_logs(task_id, level, message, created_at)
+                VALUES (?, ?, ?, ?)
+                """,
+                (task_id, level, message, utc_now()),
+            )
+            return int(cursor.lastrowid)
+
+    def list_task_logs(self, task_id: str, after_id: int = 0, limit: int = 200) -> list[dict[str, Any]]:
+        with self._connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT id, level, message, created_at
+                FROM task_logs
+                WHERE task_id = ? AND id > ?
+                ORDER BY id ASC
+                LIMIT ?
+                """,
+                (task_id, after_id, limit),
+            ).fetchall()
+            return [dict(row) for row in rows]
+
+    def get_system_snapshot(self) -> dict[str, Any]:
+        with self._connect() as connection:
+            return {
+                'users': connection.execute('SELECT COUNT(*) FROM users').fetchone()[0],
+                'admins': connection.execute('SELECT COUNT(*) FROM admins').fetchone()[0],
+                'queued': connection.execute("SELECT COUNT(*) FROM tasks WHERE status = 'queued'").fetchone()[0],
+                'running': connection.execute(
+                    "SELECT COUNT(*) FROM tasks WHERE status IN ('running', 'waiting_captcha')"
+                ).fetchone()[0],
+                'max_parallel_tasks': self.get_max_parallel_tasks(),
+            }

core/db.py

@@ -0,0 +1,551 @@
+from __future__ import annotations
+
+import sqlite3
+from contextlib import contextmanager
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any, Iterator
+
+
+ACTIVE_TASK_STATUSES = {"pending", "running", "cancel_requested"}
+
+
+def utc_now() -> str:
+    return datetime.now(timezone.utc).isoformat(timespec="seconds")
+
+
+class Database:
+    def __init__(self, path: Path, default_parallel_limit: int = 2) -> None:
+        self.path = Path(path)
+        self.default_parallel_limit = default_parallel_limit
+        self.path.parent.mkdir(parents=True, exist_ok=True)
+
+    def _connect(self) -> sqlite3.Connection:
+        connection = sqlite3.connect(self.path, timeout=30)
+        connection.row_factory = sqlite3.Row
+        connection.execute("PRAGMA foreign_keys = ON")
+        connection.execute("PRAGMA journal_mode = WAL")
+        return connection
+
+    @contextmanager
+    def _cursor(self) -> Iterator[tuple[sqlite3.Connection, sqlite3.Cursor]]:
+        connection = self._connect()
+        try:
+            cursor = connection.cursor()
+            yield connection, cursor
+            connection.commit()
+        finally:
+            connection.close()
+
+    @staticmethod
+    def _rows_to_dicts(rows: list[sqlite3.Row]) -> list[dict[str, Any]]:
+        return [dict(row) for row in rows]
+
+    def init_db(self) -> None:
+        with self._cursor() as (_connection, cursor):
+            cursor.executescript(
+                """
+                CREATE TABLE IF NOT EXISTS users (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    student_id TEXT NOT NULL UNIQUE,
+                    password_encrypted TEXT NOT NULL,
+                    display_name TEXT NOT NULL DEFAULT '',
+                    is_active INTEGER NOT NULL DEFAULT 1,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS course_targets (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER NOT NULL,
+                    category TEXT NOT NULL DEFAULT 'free',
+                    course_id TEXT NOT NULL,
+                    course_index TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    UNIQUE(user_id, category, course_id, course_index),
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS admins (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    username TEXT NOT NULL UNIQUE,
+                    password_hash TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS app_settings (
+                    key TEXT PRIMARY KEY,
+                    value TEXT NOT NULL,
+                    updated_at TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS tasks (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER NOT NULL,
+                    status TEXT NOT NULL,
+                    requested_by TEXT NOT NULL,
+                    requested_by_role TEXT NOT NULL,
+                    last_error TEXT NOT NULL DEFAULT '',
+                    created_at TEXT NOT NULL,
+                    started_at TEXT,
+                    finished_at TEXT,
+                    updated_at TEXT NOT NULL,
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS logs (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    task_id INTEGER,
+                    user_id INTEGER,
+                    scope TEXT NOT NULL,
+                    level TEXT NOT NULL,
+                    message TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE,
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+                """
+            )
+
+        if self.get_setting("parallel_limit") is None:
+            self.set_setting("parallel_limit", str(self.default_parallel_limit))
+
+    def get_setting(self, key: str) -> str | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute("SELECT value FROM app_settings WHERE key = ?", (key,)).fetchone()
+            return None if row is None else str(row["value"])
+
+    def set_setting(self, key: str, value: str) -> None:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT INTO app_settings (key, value, updated_at)
+                VALUES (?, ?, ?)
+                ON CONFLICT(key) DO UPDATE SET
+                    value = excluded.value,
+                    updated_at = excluded.updated_at
+                """,
+                (key, value, now),
+            )
+
+    def get_parallel_limit(self) -> int:
+        raw_value = self.get_setting("parallel_limit")
+        if raw_value is None:
+            return self.default_parallel_limit
+        try:
+            return max(1, int(raw_value))
+        except ValueError:
+            return self.default_parallel_limit
+
+    def set_parallel_limit(self, limit: int) -> None:
+        self.set_setting("parallel_limit", str(max(1, limit)))
+
+    def create_user(self, student_id: str, password_encrypted: str, display_name: str = "") -> int:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT INTO users (student_id, password_encrypted, display_name, is_active, created_at, updated_at)
+                VALUES (?, ?, ?, 1, ?, ?)
+                """,
+                (student_id.strip(), password_encrypted, display_name.strip(), now, now),
+            )
+            return int(cursor.lastrowid)
+
+    def update_user(
+        self,
+        user_id: int,
+        *,
+        password_encrypted: str | None = None,
+        display_name: str | None = None,
+        is_active: bool | None = None,
+    ) -> None:
+        assignments: list[str] = []
+        values: list[Any] = []
+        if password_encrypted is not None:
+            assignments.append("password_encrypted = ?")
+            values.append(password_encrypted)
+        if display_name is not None:
+            assignments.append("display_name = ?")
+            values.append(display_name.strip())
+        if is_active is not None:
+            assignments.append("is_active = ?")
+            values.append(1 if is_active else 0)
+        if not assignments:
+            return
+
+        assignments.append("updated_at = ?")
+        values.append(utc_now())
+        values.append(user_id)
+
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(f"UPDATE users SET {', '.join(assignments)} WHERE id = ?", tuple(values))
+
+    def toggle_user_active(self, user_id: int) -> dict[str, Any] | None:
+        user = self.get_user(user_id)
+        if not user:
+            return None
+        self.update_user(user_id, is_active=not bool(user["is_active"]))
+        return self.get_user(user_id)
+
+    def get_user(self, user_id: int) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
+            return None if row is None else dict(row)
+
+    def get_user_by_student_id(self, student_id: str) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute("SELECT * FROM users WHERE student_id = ?", (student_id.strip(),)).fetchone()
+            return None if row is None else dict(row)
+
+    def list_users(self) -> list[dict[str, Any]]:
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(
+                """
+                SELECT
+                    u.*,
+                    COUNT(c.id) AS course_count,
+                    (
+                        SELECT t.status
+                        FROM tasks t
+                        WHERE t.user_id = u.id
+                        ORDER BY t.created_at DESC
+                        LIMIT 1
+                    ) AS latest_task_status,
+                    (
+                        SELECT t.updated_at
+                        FROM tasks t
+                        WHERE t.user_id = u.id
+                        ORDER BY t.created_at DESC
+                        LIMIT 1
+                    ) AS latest_task_updated_at
+                FROM users u
+                LEFT JOIN course_targets c ON c.user_id = u.id
+                GROUP BY u.id
+                ORDER BY u.student_id ASC
+                """
+            ).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def add_course(self, user_id: int, category: str, course_id: str, course_index: str) -> int | None:
+        now = utc_now()
+        normalized_category = "plan" if category == "plan" else "free"
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT OR IGNORE INTO course_targets (user_id, category, course_id, course_index, created_at)
+                VALUES (?, ?, ?, ?, ?)
+                """,
+                (user_id, normalized_category, course_id.strip(), course_index.strip(), now),
+            )
+            return int(cursor.lastrowid) if cursor.lastrowid else None
+
+    def delete_course(self, course_target_id: int) -> None:
+        with self._cursor() as (_connection, cursor):
+            cursor.execute("DELETE FROM course_targets WHERE id = ?", (course_target_id,))
+
+    def remove_course_by_identity(self, user_id: int, category: str, course_id: str, course_index: str) -> None:
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                DELETE FROM course_targets
+                WHERE user_id = ? AND category = ? AND course_id = ? AND course_index = ?
+                """,
+                (user_id, category, course_id, course_index),
+            )
+
+    def list_courses_for_user(self, user_id: int) -> list[dict[str, Any]]:
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(
+                """
+                SELECT *
+                FROM course_targets
+                WHERE user_id = ?
+                ORDER BY category ASC, course_id ASC, course_index ASC
+                """,
+                (user_id,),
+            ).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def create_admin(self, username: str, password_hash: str) -> int:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT INTO admins (username, password_hash, created_at, updated_at)
+                VALUES (?, ?, ?, ?)
+                """,
+                (username.strip(), password_hash, now, now),
+            )
+            return int(cursor.lastrowid)
+
+    def get_admin_by_username(self, username: str) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute("SELECT * FROM admins WHERE username = ?", (username.strip(),)).fetchone()
+            return None if row is None else dict(row)
+
+    def list_admins(self) -> list[dict[str, Any]]:
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(
+                "SELECT id, username, created_at, updated_at FROM admins ORDER BY username ASC"
+            ).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def find_active_task_for_user(self, user_id: int) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute(
+                """
+                SELECT *
+                FROM tasks
+                WHERE user_id = ? AND status IN ('pending', 'running', 'cancel_requested')
+                ORDER BY created_at DESC
+                LIMIT 1
+                """,
+                (user_id,),
+            ).fetchone()
+            return None if row is None else dict(row)
+
+    def create_task(self, user_id: int, requested_by: str, requested_by_role: str) -> int:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT INTO tasks (user_id, status, requested_by, requested_by_role, created_at, updated_at)
+                VALUES (?, 'pending', ?, ?, ?, ?)
+                """,
+                (user_id, requested_by, requested_by_role, now, now),
+            )
+            return int(cursor.lastrowid)
+
+    def get_task(self, task_id: int) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute(
+                """
+                SELECT
+                    t.*,
+                    u.student_id,
+                    u.display_name
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                WHERE t.id = ?
+                """,
+                (task_id,),
+            ).fetchone()
+            return None if row is None else dict(row)
+
+    def get_latest_task_for_user(self, user_id: int) -> dict[str, Any] | None:
+        with self._cursor() as (_connection, cursor):
+            row = cursor.execute(
+                """
+                SELECT
+                    t.*,
+                    u.student_id,
+                    u.display_name
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                WHERE t.user_id = ?
+                ORDER BY t.created_at DESC
+                LIMIT 1
+                """,
+                (user_id,),
+            ).fetchone()
+            return None if row is None else dict(row)
+
+    def list_pending_tasks(self, limit: int) -> list[dict[str, Any]]:
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(
+                """
+                SELECT
+                    t.*,
+                    u.student_id,
+                    u.display_name,
+                    u.password_encrypted,
+                    u.is_active
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                WHERE t.status = 'pending'
+                ORDER BY t.created_at ASC
+                LIMIT ?
+                """,
+                (limit,),
+            ).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def list_recent_tasks(self, limit: int = 20) -> list[dict[str, Any]]:
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(
+                """
+                SELECT
+                    t.*,
+                    u.student_id,
+                    u.display_name
+                FROM tasks t
+                JOIN users u ON u.id = t.user_id
+                ORDER BY t.created_at DESC
+                LIMIT ?
+                """,
+                (limit,),
+            ).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def mark_task_running(self, task_id: int) -> None:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                UPDATE tasks
+                SET status = 'running',
+                    started_at = COALESCE(started_at, ?),
+                    updated_at = ?,
+                    last_error = ''
+                WHERE id = ?
+                """,
+                (now, now, task_id),
+            )
+
+    def finish_task(self, task_id: int, status: str, last_error: str = "") -> None:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                UPDATE tasks
+                SET status = ?,
+                    finished_at = ?,
+                    updated_at = ?,
+                    last_error = ?
+                WHERE id = ?
+                """,
+                (status, now, now, last_error, task_id),
+            )
+
+    def update_task_status(self, task_id: int, status: str, last_error: str = "") -> None:
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                UPDATE tasks
+                SET status = ?, updated_at = ?, last_error = ?
+                WHERE id = ?
+                """,
+                (status, utc_now(), last_error, task_id),
+            )
+
+    def request_task_stop(self, task_id: int) -> bool:
+        task = self.get_task(task_id)
+        if not task or task["status"] not in ACTIVE_TASK_STATUSES:
+            return False
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                UPDATE tasks
+                SET status = 'cancel_requested', updated_at = ?
+                WHERE id = ?
+                """,
+                (utc_now(), task_id),
+            )
+        return True
+
+    def reset_inflight_tasks(self) -> None:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                UPDATE tasks
+                SET status = 'stopped',
+                    finished_at = COALESCE(finished_at, ?),
+                    updated_at = ?
+                WHERE status IN ('pending', 'running', 'cancel_requested')
+                """,
+                (now, now),
+            )
+
+    def add_log(self, task_id: int | None, user_id: int | None, scope: str, level: str, message: str) -> int:
+        now = utc_now()
+        with self._cursor() as (_connection, cursor):
+            cursor.execute(
+                """
+                INSERT INTO logs (task_id, user_id, scope, level, message, created_at)
+                VALUES (?, ?, ?, ?, ?, ?)
+                """,
+                (task_id, user_id, scope, level.upper(), message, now),
+            )
+            return int(cursor.lastrowid)
+
+    def list_recent_logs(self, *, user_id: int | None = None, limit: int = 120) -> list[dict[str, Any]]:
+        if user_id is None:
+            query = """
+                SELECT
+                    l.*,
+                    u.student_id,
+                    u.display_name
+                FROM logs l
+                LEFT JOIN users u ON u.id = l.user_id
+                ORDER BY l.id DESC
+                LIMIT ?
+            """
+            params = (limit,)
+        else:
+            query = """
+                SELECT
+                    l.*,
+                    u.student_id,
+                    u.display_name
+                FROM logs l
+                LEFT JOIN users u ON u.id = l.user_id
+                WHERE l.user_id = ?
+                ORDER BY l.id DESC
+                LIMIT ?
+            """
+            params = (user_id, limit)
+
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(query, params).fetchall()
+            return list(reversed(self._rows_to_dicts(rows)))
+
+    def list_logs_after(self, after_id: int, *, user_id: int | None = None, limit: int = 100) -> list[dict[str, Any]]:
+        if user_id is None:
+            query = """
+                SELECT
+                    l.*,
+                    u.student_id,
+                    u.display_name
+                FROM logs l
+                LEFT JOIN users u ON u.id = l.user_id
+                WHERE l.id > ?
+                ORDER BY l.id ASC
+                LIMIT ?
+            """
+            params = (after_id, limit)
+        else:
+            query = """
+                SELECT
+                    l.*,
+                    u.student_id,
+                    u.display_name
+                FROM logs l
+                LEFT JOIN users u ON u.id = l.user_id
+                WHERE l.id > ? AND l.user_id = ?
+                ORDER BY l.id ASC
+                LIMIT ?
+            """
+            params = (after_id, user_id, limit)
+
+        with self._cursor() as (_connection, cursor):
+            rows = cursor.execute(query, params).fetchall()
+            return self._rows_to_dicts(rows)
+
+    def get_admin_stats(self) -> dict[str, int]:
+        with self._cursor() as (_connection, cursor):
+            users_count = cursor.execute("SELECT COUNT(*) AS total FROM users").fetchone()["total"]
+            courses_count = cursor.execute("SELECT COUNT(*) AS total FROM course_targets").fetchone()["total"]
+            admins_count = cursor.execute("SELECT COUNT(*) AS total FROM admins").fetchone()["total"]
+            running_count = cursor.execute("SELECT COUNT(*) AS total FROM tasks WHERE status = 'running'").fetchone()["total"]
+            pending_count = cursor.execute("SELECT COUNT(*) AS total FROM tasks WHERE status = 'pending'").fetchone()["total"]
+            return {
+                "users_count": int(users_count),
+                "courses_count": int(courses_count),
+                "admins_count": int(admins_count) + 1,
+                "running_count": int(running_count),
+                "pending_count": int(pending_count),
+            }

core/security.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from cryptography.fernet import Fernet
+from werkzeug.security import check_password_hash, generate_password_hash
+
+
+class SecretBox:
+    def __init__(self, encryption_key: str) -> None:
+        self._fernet = Fernet(encryption_key.encode("utf-8"))
+
+    def encrypt(self, value: str) -> str:
+        return self._fernet.encrypt(value.encode("utf-8")).decode("utf-8")
+
+    def decrypt(self, value: str) -> str:
+        return self._fernet.decrypt(value.encode("utf-8")).decode("utf-8")
+
+
+def hash_password(password: str) -> str:
+    return generate_password_hash(password)
+
+
+def verify_password(password_hash: str, password: str) -> bool:
+    return check_password_hash(password_hash, password)

core/task_manager.py

@@ -0,0 +1,154 @@
+from __future__ import annotations
+
+import threading
+import time
+from dataclasses import dataclass
+
+from core.course_bot import CourseBot, TaskResult
+from core.db import Database
+from core.security import SecretBox
+
+
+@dataclass(slots=True)
+class RunningTask:
+    task_id: int
+    thread: threading.Thread
+    stop_event: threading.Event
+
+
+class TaskManager:
+    def __init__(self, *, config, store: Database, secret_box: SecretBox) -> None:
+        self.config = config
+        self.store = store
+        self.secret_box = secret_box
+        self._started = False
+        self._startup_lock = threading.Lock()
+        self._running_lock = threading.Lock()
+        self._shutdown_event = threading.Event()
+        self._dispatcher_thread: threading.Thread | None = None
+        self._running: dict[int, RunningTask] = {}
+
+    def start(self) -> None:
+        with self._startup_lock:
+            if self._started:
+                return
+            self.store.reset_inflight_tasks()
+            self._dispatcher_thread = threading.Thread(target=self._dispatch_loop, name="task-dispatcher", daemon=True)
+            self._dispatcher_thread.start()
+            self._started = True
+
+    def shutdown(self) -> None:
+        self._shutdown_event.set()
+        with self._running_lock:
+            for running_task in self._running.values():
+                running_task.stop_event.set()
+
+    def queue_task(self, user_id: int, requested_by: str, requested_by_role: str) -> tuple[dict, bool]:
+        active_task = self.store.find_active_task_for_user(user_id)
+        if active_task is not None:
+            return self.store.get_task(active_task["id"]) or active_task, False
+
+        task_id = self.store.create_task(user_id, requested_by, requested_by_role)
+        self._log(task_id, user_id, "SYSTEM", "INFO", f"任务已进入队列，触发者: {requested_by_role}:{requested_by}")
+        return self.store.get_task(task_id), True
+
+    def stop_task(self, task_id: int) -> bool:
+        requested = self.store.request_task_stop(task_id)
+        if not requested:
+            return False
+        self._log(task_id, None, "SYSTEM", "INFO", "收到停止请求，任务会在安全节点退出。")
+        with self._running_lock:
+            running_task = self._running.get(task_id)
+            if running_task is not None:
+                running_task.stop_event.set()
+        return True
+
+    def _dispatch_loop(self) -> None:
+        while not self._shutdown_event.is_set():
+            self._cleanup_running_registry()
+            parallel_limit = self.store.get_parallel_limit()
+            running_count = self._running_count()
+            available_slots = max(0, parallel_limit - running_count)
+            if available_slots > 0:
+                pending_tasks = self.store.list_pending_tasks(available_slots)
+                for task in pending_tasks:
+                    if self._shutdown_event.is_set():
+                        break
+                    if not task["is_active"]:
+                        self.store.finish_task(task["id"], "failed", "该用户已被禁用，任务未执行。")
+                        self._log(task["id"], task["user_id"], "SYSTEM", "WARNING", "用户已禁用，队列中的任务被取消。")
+                        continue
+                    self._launch_task(task["id"])
+            time.sleep(1)
+
+    def _launch_task(self, task_id: int) -> None:
+        with self._running_lock:
+            if task_id in self._running:
+                return
+            stop_event = threading.Event()
+            thread = threading.Thread(target=self._run_task, args=(task_id, stop_event), name=f"task-{task_id}", daemon=True)
+            self._running[task_id] = RunningTask(task_id=task_id, thread=thread, stop_event=stop_event)
+            thread.start()
+
+    def _run_task(self, task_id: int, stop_event: threading.Event) -> None:
+        task = self.store.get_task(task_id)
+        if task is None:
+            self._remove_running(task_id)
+            return
+
+        user = self.store.get_user(task["user_id"])
+        if user is None:
+            self.store.finish_task(task_id, "failed", "用户不存在。")
+            self._remove_running(task_id)
+            return
+
+        self.store.mark_task_running(task_id)
+        self._log(task_id, user["id"], "SYSTEM", "INFO", "任务开始执行。")
+
+        try:
+            password = self.secret_box.decrypt(user["password_encrypted"])
+            bot = CourseBot(
+                config=self.config,
+                store=self.store,
+                task_id=task_id,
+                user=user,
+                password=password,
+                logger=lambda level, message: self._log(task_id, user["id"], "RUNNER", level, message),
+            )
+            result = bot.run(stop_event)
+        except Exception as exc:  # pragma: no cover - defensive fallback
+            result = TaskResult(status="failed", error=str(exc))
+            self._log(task_id, user["id"], "SYSTEM", "ERROR", f"任务初始化失败: {exc}")
+
+        current_task = self.store.get_task(task_id)
+        final_status = result.status
+        if current_task and current_task["status"] == "cancel_requested" and result.status != "completed":
+            final_status = "stopped"
+        elif stop_event.is_set() and result.status != "completed":
+            final_status = "stopped"
+
+        self.store.finish_task(task_id, final_status, result.error)
+        final_text = result.error or f"任务已结束，状态: {final_status}"
+        level = "ERROR" if final_status == "failed" else "INFO"
+        self._log(task_id, user["id"], "SYSTEM", level, final_text)
+        self._remove_running(task_id)
+
+    def _log(self, task_id: int | None, user_id: int | None, scope: str, level: str, message: str) -> None:
+        self.store.add_log(task_id, user_id, scope, level, message)
+
+    def _running_count(self) -> int:
+        with self._running_lock:
+            return len(self._running)
+
+    def _cleanup_running_registry(self) -> None:
+        finished_ids: list[int] = []
+        with self._running_lock:
+            for task_id, running_task in self._running.items():
+                if not running_task.thread.is_alive():
+                    finished_ids.append(task_id)
+            for task_id in finished_ids:
+                self._running.pop(task_id, None)
+
+    def _remove_running(self, task_id: int) -> None:
+        with self._running_lock:
+            self._running.pop(task_id, None)

course_catcher/__init__.py

@@ -0,0 +1,5 @@
+from course_catcher.web import create_app
+
+app = create_app()
+
+__all__ = ["app", "create_app"]

course_catcher/automation.py

@@ -0,0 +1,399 @@
+from __future__ import annotations
+
+import base64
+import json
+import re
+import time
+from pathlib import Path
+from typing import Callable
+
+import onnx_inference
+from selenium import webdriver
+from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
+from selenium.webdriver.chrome.service import Service
+from selenium.webdriver.common.by import By
+from selenium.webdriver.remote.webdriver import WebDriver
+from selenium.webdriver.support import expected_conditions as EC
+from selenium.webdriver.support.ui import WebDriverWait
+
+from course_catcher.config import AppConfig
+
+SCU_LOGIN_URL = (
+    "http://id.scu.edu.cn/enduser/sp/sso/scdxplugin_jwt23?enterpriseId=scdx&target_url=index"
+)
+SCU_SELECT_URL = "http://zhjw.scu.edu.cn/student/courseSelect/courseSelect/index"
+TAB_IDS = {"plan": "faxk", "free": "zyxk"}
+ALREADY_SELECTED_KEYWORDS = ("已选", "已选择", "已修读")
+
+
+class AutomationError(Exception):
+    pass
+
+
+class CredentialsError(AutomationError):
+    pass
+
+
+class SessionExpiredError(AutomationError):
+    pass
+
+
+class TemporaryAutomationError(AutomationError):
+    pass
+
+
+class CourseAutomation:
+    def __init__(self, config: AppConfig) -> None:
+        self.config = config
+        self.select_course_js = Path("javascript/select_course.js").read_text(encoding="utf-8")
+        self.check_result_js = Path("javascript/check_result.js").read_text(encoding="utf-8")
+        self.captcha_solver = onnx_inference.CaptchaONNXInference(
+            model_path=str(Path("ocr_provider") / "captcha_model.onnx")
+        )
+
+    def run_until_stopped(
+        self,
+        task_id: int,
+        user_credentials: dict,
+        db,
+        should_stop: Callable[[], bool],
+        log: Callable[[str, str], None],
+    ) -> tuple[str, str]:
+        driver: WebDriver | None = None
+        last_error = ""
+        try:
+            while True:
+                if should_stop():
+                    log("INFO", "收到停止请求，准备安全退出任务。")
+                    return "stopped", ""
+
+                pending_courses = db.list_pending_courses(user_credentials["id"])
+                if not pending_courses:
+                    log("SUCCESS", "所有待抢课程都已完成，本轮任务结束。")
+                    return "completed", ""
+
+                db.increment_task_attempt(task_id)
+                if driver is None:
+                    log("INFO", "正在启动浏览器会话并登录教务系统。")
+                    driver = self._build_driver()
+                    self._login(driver, user_credentials["student_id"], user_credentials["password"], log)
+                    self._goto_select_course(driver, log)
+
+                try:
+                    self._run_single_cycle(driver, user_credentials["id"], pending_courses, db, log)
+                    last_error = ""
+                except SessionExpiredError as exc:
+                    last_error = str(exc)
+                    log("WARNING", f"{exc}，将重新建立会话。")
+                    self._safe_quit(driver)
+                    driver = None
+                    time.sleep(2)
+                    continue
+                except TemporaryAutomationError as exc:
+                    last_error = str(exc)
+                    log("WARNING", f"{exc}，稍后重试。")
+                    self._safe_quit(driver)
+                    driver = None
+                except CredentialsError:
+                    raise
+                except Exception as exc:  # pragma: no cover - defensive path
+                    last_error = str(exc)
+                    log("ERROR", f"本轮执行发生异常：{exc}")
+                    self._safe_quit(driver)
+                    driver = None
+
+                if should_stop():
+                    log("INFO", "收到停止请求，准备安全退出任务。")
+                    return "stopped", ""
+
+                time.sleep(db.get_setting_float("loop_interval_seconds", self.config.loop_interval_seconds))
+        except CredentialsError as exc:
+            return "failed", str(exc)
+        finally:
+            self._safe_quit(driver)
+
+    def _build_driver(self) -> WebDriver:
+        options = webdriver.ChromeOptions()
+        options.add_argument("--headless=new")
+        options.add_argument("--no-sandbox")
+        options.add_argument("--disable-dev-shm-usage")
+        options.add_argument("--disable-gpu")
+        options.add_argument("--disable-blink-features=AutomationControlled")
+        options.add_argument("--window-size=1440,1600")
+        options.add_argument("--lang=zh-CN")
+        options.add_argument(
+            "--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
+            "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
+        )
+
+        chrome_binary = Path(self.config.chrome_binary)
+        if chrome_binary.exists():
+            options.binary_location = str(chrome_binary)
+
+        service = None
+        chromedriver_binary = Path(self.config.chromedriver_binary)
+        if chromedriver_binary.exists():
+            service = Service(executable_path=str(chromedriver_binary))
+
+        driver = webdriver.Chrome(service=service, options=options) if service else webdriver.Chrome(options=options)
+        driver.set_page_load_timeout(self.config.request_timeout_seconds)
+        driver.implicitly_wait(5)
+        return driver
+
+    def _login(self, driver: WebDriver, student_id: str, password: str, log: Callable[[str, str], None]) -> None:
+        for attempt in range(1, self.config.login_retry_limit + 1):
+            driver.get(SCU_LOGIN_URL)
+            self._wait_ready(driver)
+
+            student_box = self._find_first(
+                driver,
+                [
+                    (By.XPATH, "//*[@id='app']//form//input[@type='text']"),
+                    (
+                        By.XPATH,
+                        "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[1]/div/div/div[2]/div/input",
+                    ),
+                ],
+            )
+            password_box = self._find_first(
+                driver,
+                [
+                    (By.XPATH, "//*[@id='app']//form//input[@type='password']"),
+                    (
+                        By.XPATH,
+                        "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[2]/div/div/div[2]/div/input",
+                    ),
+                ],
+            )
+            captcha_box = self._find_first(
+                driver,
+                [
+                    (
+                        By.XPATH,
+                        "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]//input",
+                    ),
+                    (By.XPATH, "//*[@id='app']//form//input[contains(@placeholder, '验证码')]"),
+                ],
+            )
+            login_button = self._find_first(
+                driver,
+                [
+                    (By.XPATH, "//*[@id='app']//form//button"),
+                    (
+                        By.XPATH,
+                        "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[4]/div/button",
+                    ),
+                ],
+            )
+
+            student_box.clear()
+            student_box.send_keys(student_id)
+            password_box.clear()
+            password_box.send_keys(password)
+            captcha_box.clear()
+            captcha_box.send_keys(self._solve_captcha(driver))
+            login_button.click()
+
+            if self._wait_for_login_success(driver):
+                log("SUCCESS", "教务系统登录成功。")
+                return
+
+            error_message = self._read_login_error(driver)
+            if error_message:
+                log("WARNING", f"第 {attempt} 次登录失败：{error_message}")
+                if "用户名或密码错误" in error_message or "密码错误" in error_message:
+                    raise CredentialsError("学生账号或密码错误，请在用户面板更新后重新启动任务。")
+                if "验证码" not in error_message and attempt >= 2:
+                    raise TemporaryAutomationError(error_message)
+            else:
+                log("WARNING", f"第 {attempt} 次登录失败，未捕获到明确错误提示。")
+
+        raise TemporaryAutomationError("连续多次登录失败，可能是验证码识别失败或当前系统不可用。")
+
+    def _wait_for_login_success(self, driver: WebDriver) -> bool:
+        try:
+            WebDriverWait(driver, 8, 0.5).until(
+                lambda current: current.current_url in {"http://zhjw.scu.edu.cn/index", "http://zhjw.scu.edu.cn/"}
+                or current.current_url.startswith("http://zhjw.scu.edu.cn/index")
+            )
+            return True
+        except TimeoutException:
+            return False
+
+    def _read_login_error(self, driver: WebDriver) -> str:
+        candidates = [
+            "/html/body/div[2]",
+            "//div[contains(@class, 'el-message') or contains(@class, 'message')]",
+        ]
+        for xpath in candidates:
+            try:
+                element = driver.find_element(By.XPATH, xpath)
+                text = element.text.strip()
+                if text:
+                    return text
+            except NoSuchElementException:
+                continue
+        return ""
+
+    def _solve_captcha(self, driver: WebDriver) -> str:
+        captcha_img = self._find_first(
+            driver,
+            [
+                (
+                    By.XPATH,
+                    "//*[@id='app']/div[1]/div/div[2]/div/div[1]/div[2]/div[2]/div/form/div[3]/div/div/img",
+                ),
+                (By.XPATH, "//*[@id='app']//form//img"),
+            ],
+        )
+        src = captcha_img.get_attribute("src") or ""
+        if "base64," in src:
+            image_bytes = base64.b64decode(src.split("base64,", 1)[1])
+        else:
+            image_bytes = captcha_img.screenshot_as_png
+        return self.captcha_solver.classification(image_bytes)
+
+    def _goto_select_course(self, driver: WebDriver, log: Callable[[str, str], None]) -> None:
+        driver.get(SCU_SELECT_URL)
+        self._wait_ready(driver)
+        body_text = driver.find_element(By.TAG_NAME, "body").text
+        if "非选课" in body_text:
+            raise TemporaryAutomationError("当前不是可选课时段，教务系统已返回非选课提示")
+        if "登录" in body_text and "学号" in body_text:
+            raise SessionExpiredError("当前会话已失效，需要重新登录")
+        log("INFO", "已进入选课页面。")
+
+    def _run_single_cycle(
+        self,
+        driver: WebDriver,
+        user_id: int,
+        pending_courses: list[dict],
+        db,
+        log: Callable[[str, str], None],
+    ) -> None:
+        self._goto_select_course(driver, log)
+        for tab_name in ("plan", "free"):
+            current_pending = db.list_pending_courses(user_id)
+            if not current_pending:
+                return
+            results = self._attempt_tab(driver, tab_name, current_pending, log)
+            for result in results:
+                parsed = self._extract_course_pair(result["subject"])
+                if not parsed:
+                    log("WARNING", f"无法从结果文本中解析课程号：{result['subject']}")
+                    continue
+                course_id, course_index = parsed
+                status = "selected" if self._is_selected_result(result) else "pending"
+                db.mark_course_result(user_id, course_id, course_index, status, result["detail"])
+                level = "SUCCESS" if status == "selected" else "INFO"
+                log(level, f"{course_id}_{course_index}: {result['detail']}")
+            if results:
+                self._goto_select_course(driver, log)
+
+    def _attempt_tab(
+        self,
+        driver: WebDriver,
+        tab_name: str,
+        courses: list[dict],
+        log: Callable[[str, str], None],
+    ) -> list[dict]:
+        tab_id = TAB_IDS[tab_name]
+        self._find_first(driver, [(By.ID, tab_id)]).click()
+        self._wait_ready(driver)
+        selected_any = False
+
+        for course in courses:
+            self._wait_for_iframe(driver)
+            driver.switch_to.frame("ifra")
+            try:
+                course_input = self._find_first(driver, [(By.ID, "kch")], timeout=10)
+                query_button = self._find_first(driver, [(By.ID, "queryButton")], timeout=10)
+                course_input.clear()
+                course_input.send_keys(course["course_id"])
+                query_button.click()
+                WebDriverWait(driver, 20, 0.3).until(
+                    lambda current: "正在" not in current.find_element(By.ID, "queryButton").text
+                )
+            finally:
+                driver.switch_to.default_content()
+
+            self._wait_for_iframe(driver)
+            found = (
+                driver.execute_script(
+                    self.select_course_js,
+                    f"{course['course_id']}_{course['course_index']}",
+                )
+                == "yes"
+            )
+            if found:
+                selected_any = True
+                log("INFO", f"[{tab_name}] 已勾选课程 {course['course_id']}_{course['course_index']}。")
+            else:
+                log("INFO", f"[{tab_name}] 未找到课程 {course['course_id']}_{course['course_index']}。")
+
+        if not selected_any:
+            return []
+
+        submit_button = self._find_first(driver, [(By.ID, "submitButton")], timeout=10)
+        submit_button.click()
+        return self._collect_results(driver)
+
+    def _collect_results(self, driver: WebDriver) -> list[dict]:
+        WebDriverWait(driver, 20, 0.5).until(
+            lambda current: current.execute_script("return document.getElementById('xkresult') !== null")
+        )
+        raw_result = driver.execute_script(self.check_result_js)
+        if isinstance(raw_result, str):
+            return json.loads(raw_result)
+        return raw_result
+
+    def _is_selected_result(self, result: dict) -> bool:
+        detail = result.get("detail", "")
+        return bool(result.get("result")) or any(keyword in detail for keyword in ALREADY_SELECTED_KEYWORDS)
+
+    def _extract_course_pair(self, subject: str) -> tuple[str, str] | None:
+        strict_match = re.findall(r"(\d{5,})_(\d{2})", subject)
+        if strict_match:
+            return strict_match[-1]
+        loose_match = re.findall(r"(\d+)", subject)
+        if len(loose_match) >= 2:
+            return loose_match[-2], loose_match[-1].zfill(2)[-2:]
+        return None
+
+    def _wait_for_iframe(self, driver: WebDriver) -> None:
+        try:
+            WebDriverWait(driver, 15, 0.5).until(EC.frame_to_be_available_and_switch_to_it((By.ID, "ifra")))
+        except TimeoutException as exc:
+            raise SessionExpiredError("选课 iframe 未能正常加载") from exc
+        finally:
+            driver.switch_to.default_content()
+
+    def _wait_ready(self, driver: WebDriver) -> None:
+        WebDriverWait(driver, self.config.request_timeout_seconds, 0.5).until(
+            lambda current: current.execute_script("return document.readyState") == "complete"
+        )
+
+    def _find_first(self, driver: WebDriver, selectors: list[tuple[str, str]], timeout: int | None = None):
+        timeout = timeout or self.config.request_timeout_seconds
+
+        def locate(current: WebDriver):
+            for by, value in selectors:
+                try:
+                    return current.find_element(by, value)
+                except NoSuchElementException:
+                    continue
+            return False
+
+        try:
+            return WebDriverWait(driver, timeout, 0.5).until(locate)
+        except TimeoutException as exc:
+            selectors_text = ", ".join(f"{by}:{value}" for by, value in selectors)
+            raise TemporaryAutomationError(f"未找到页面元素：{selectors_text}") from exc
+
+    def _safe_quit(self, driver: WebDriver | None) -> None:
+        if not driver:
+            return
+        try:
+            driver.quit()
+        except WebDriverException:
+            pass

course_catcher/config.py

@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+import hashlib
+import os
+from dataclasses import dataclass
+from pathlib import Path
+
+
+def _default_data_dir() -> Path:
+    persistent_root = Path("/data")
+    if persistent_root.exists():
+        return persistent_root / "scu-course-catcher"
+    return Path("runtime")
+
+
+@dataclass(frozen=True)
+class AppConfig:
+    admin_username: str
+    admin_password: str
+    secret_key: str
+    data_dir: Path
+    database_path: Path
+    chrome_binary: str
+    chromedriver_binary: str
+    default_parallelism: int
+    loop_interval_seconds: float
+    login_retry_limit: int
+    request_timeout_seconds: int
+    debug: bool
+
+
+def load_config() -> AppConfig:
+    admin_username = os.getenv("ADMIN", "admin")
+    admin_password = os.getenv("PASSWORD", "change-me-now")
+
+    derived_secret = hashlib.sha256(
+        f"{admin_username}:{admin_password}:scu-course-catcher".encode("utf-8")
+    ).hexdigest()
+    secret_key = os.getenv("APP_SECRET", derived_secret)
+
+    data_dir = Path(os.getenv("APP_DATA_DIR", str(_default_data_dir()))).resolve()
+    data_dir.mkdir(parents=True, exist_ok=True)
+
+    return AppConfig(
+        admin_username=admin_username,
+        admin_password=admin_password,
+        secret_key=secret_key,
+        data_dir=data_dir,
+        database_path=data_dir / "app.db",
+        chrome_binary=os.getenv("CHROME_BIN", "/usr/bin/chromium"),
+        chromedriver_binary=os.getenv("CHROMEDRIVER_BIN", "/usr/bin/chromedriver"),
+        default_parallelism=max(1, int(os.getenv("DEFAULT_PARALLELISM", "1"))),
+        loop_interval_seconds=max(1.0, float(os.getenv("LOOP_INTERVAL_SECONDS", "3"))),
+        login_retry_limit=max(1, int(os.getenv("LOGIN_RETRY_LIMIT", "6"))),
+        request_timeout_seconds=max(15, int(os.getenv("REQUEST_TIMEOUT_SECONDS", "30"))),
+        debug=os.getenv("DEBUG", "").lower() in {"1", "true", "yes", "on"},
+    )

course_catcher/db.py

@@ -0,0 +1,625 @@
+from __future__ import annotations
+
+import sqlite3
+import threading
+from contextlib import contextmanager
+from datetime import datetime
+from pathlib import Path
+from typing import Any
+
+from course_catcher.security import CredentialCipher, hash_password, verify_password
+
+
+def utc_now() -> str:
+    return datetime.utcnow().replace(microsecond=0).isoformat() + "Z"
+
+
+class Database:
+    def __init__(self, db_path: Path, cipher: CredentialCipher, default_parallelism: int) -> None:
+        self.db_path = Path(db_path)
+        self.db_path.parent.mkdir(parents=True, exist_ok=True)
+        self.cipher = cipher
+        self.default_parallelism = default_parallelism
+        self._write_lock = threading.RLock()
+        self._initialize()
+
+    @contextmanager
+    def connect(self) -> sqlite3.Connection:
+        connection = sqlite3.connect(self.db_path, timeout=30, check_same_thread=False)
+        connection.row_factory = sqlite3.Row
+        connection.execute("PRAGMA foreign_keys = ON")
+        connection.execute("PRAGMA busy_timeout = 30000")
+        try:
+            yield connection
+            connection.commit()
+        finally:
+            connection.close()
+
+    def _initialize(self) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.executescript(
+                """
+                CREATE TABLE IF NOT EXISTS users (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    student_id TEXT NOT NULL UNIQUE,
+                    password_hash TEXT NOT NULL,
+                    password_encrypted TEXT NOT NULL,
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    last_login_at TEXT
+                );
+
+                CREATE TABLE IF NOT EXISTS admins (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    username TEXT NOT NULL UNIQUE,
+                    password_hash TEXT NOT NULL,
+                    role TEXT NOT NULL CHECK(role IN ('admin', 'superadmin')),
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    last_login_at TEXT
+                );
+
+                CREATE TABLE IF NOT EXISTS courses (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER NOT NULL,
+                    course_id TEXT NOT NULL,
+                    course_index TEXT NOT NULL,
+                    status TEXT NOT NULL DEFAULT 'pending',
+                    last_result TEXT NOT NULL DEFAULT '',
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    UNIQUE(user_id, course_id, course_index),
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS tasks (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER NOT NULL,
+                    status TEXT NOT NULL CHECK(status IN ('queued', 'running', 'completed', 'failed', 'stopped')),
+                    requested_by_type TEXT NOT NULL,
+                    requested_by_name TEXT NOT NULL,
+                    stop_requested INTEGER NOT NULL DEFAULT 0,
+                    attempt_count INTEGER NOT NULL DEFAULT 0,
+                    last_error TEXT NOT NULL DEFAULT '',
+                    created_at TEXT NOT NULL,
+                    updated_at TEXT NOT NULL,
+                    started_at TEXT,
+                    finished_at TEXT,
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+
+                CREATE TABLE IF NOT EXISTS settings (
+                    key TEXT PRIMARY KEY,
+                    value TEXT NOT NULL
+                );
+
+                CREATE TABLE IF NOT EXISTS logs (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    task_id INTEGER,
+                    user_id INTEGER,
+                    created_at TEXT NOT NULL,
+                    level TEXT NOT NULL,
+                    actor TEXT NOT NULL,
+                    message TEXT NOT NULL,
+                    FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE SET NULL,
+                    FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
+                );
+                """
+            )
+            connection.execute(
+                "INSERT OR IGNORE INTO settings(key, value) VALUES (?, ?)",
+                ("max_parallel_tasks", str(self.default_parallelism)),
+            )
+            connection.execute(
+                "INSERT OR IGNORE INTO settings(key, value) VALUES (?, ?)",
+                ("loop_interval_seconds", "3"),
+            )
+
+    def ensure_superadmin(self, username: str, password: str) -> None:
+        now = utc_now()
+        password_hash = hash_password(password)
+        with self._write_lock, self.connect() as connection:
+            row = connection.execute(
+                "SELECT id FROM admins WHERE role = 'superadmin' ORDER BY id LIMIT 1"
+            ).fetchone()
+            if row:
+                connection.execute(
+                    """
+                    UPDATE admins
+                    SET username = ?, password_hash = ?, updated_at = ?
+                    WHERE id = ?
+                    """,
+                    (username, password_hash, now, row["id"]),
+                )
+            else:
+                connection.execute(
+                    """
+                    INSERT INTO admins(username, password_hash, role, created_at, updated_at)
+                    VALUES (?, ?, 'superadmin', ?, ?)
+                    """,
+                    (username, password_hash, now, now),
+                )
+
+    def get_setting_int(self, key: str, fallback: int) -> int:
+        with self.connect() as connection:
+            row = connection.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
+            if not row:
+                return fallback
+            try:
+                return int(row["value"])
+            except (TypeError, ValueError):
+                return fallback
+
+    def get_setting_float(self, key: str, fallback: float) -> float:
+        with self.connect() as connection:
+            row = connection.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
+            if not row:
+                return fallback
+            try:
+                return float(row["value"])
+            except (TypeError, ValueError):
+                return fallback
+
+    def set_setting(self, key: str, value: str) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO settings(key, value) VALUES (?, ?)
+                ON CONFLICT(key) DO UPDATE SET value = excluded.value
+                """,
+                (key, value),
+            )
+
+    def list_admins(self) -> list[dict[str, Any]]:
+        with self.connect() as connection:
+            rows = connection.execute(
+                "SELECT id, username, role, created_at, updated_at, last_login_at FROM admins ORDER BY role DESC, username ASC"
+            ).fetchall()
+        return [dict(row) for row in rows]
+
+    def create_admin(self, username: str, password: str) -> dict[str, Any]:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO admins(username, password_hash, role, created_at, updated_at)
+                VALUES (?, ?, 'admin', ?, ?)
+                """,
+                (username, hash_password(password), now, now),
+            )
+            row = connection.execute(
+                "SELECT id, username, role, created_at, updated_at, last_login_at FROM admins WHERE username = ?",
+                (username,),
+            ).fetchone()
+        return dict(row)
+
+    def verify_admin_login(self, username: str, password: str) -> dict[str, Any] | None:
+        with self.connect() as connection:
+            row = connection.execute("SELECT * FROM admins WHERE username = ?", (username,)).fetchone()
+            if not row or not verify_password(row["password_hash"], password):
+                return None
+            connection.execute(
+                "UPDATE admins SET last_login_at = ?, updated_at = ? WHERE id = ?",
+                (utc_now(), utc_now(), row["id"]),
+            )
+            refreshed = connection.execute(
+                "SELECT id, username, role, created_at, updated_at, last_login_at FROM admins WHERE id = ?",
+                (row["id"],),
+            ).fetchone()
+        return dict(refreshed)
+
+    def get_admin_by_id(self, admin_id: int) -> dict[str, Any] | None:
+        with self.connect() as connection:
+            row = connection.execute(
+                "SELECT id, username, role, created_at, updated_at, last_login_at FROM admins WHERE id = ?",
+                (admin_id,),
+            ).fetchone()
+        return dict(row) if row else None
+
+    def get_user_by_id(self, user_id: int, include_password: bool = False) -> dict[str, Any] | None:
+        fields = "id, student_id, created_at, updated_at, last_login_at"
+        if include_password:
+            fields += ", password_hash, password_encrypted"
+        with self.connect() as connection:
+            row = connection.execute(f"SELECT {fields} FROM users WHERE id = ?", (user_id,)).fetchone()
+        return dict(row) if row else None
+
+    def get_user_by_student_id(self, student_id: str, include_password: bool = False) -> dict[str, Any] | None:
+        fields = "id, student_id, created_at, updated_at, last_login_at"
+        if include_password:
+            fields += ", password_hash, password_encrypted"
+        with self.connect() as connection:
+            row = connection.execute(
+                f"SELECT {fields} FROM users WHERE student_id = ?",
+                (student_id,),
+            ).fetchone()
+        return dict(row) if row else None
+
+    def create_user(self, student_id: str, password: str) -> dict[str, Any]:
+        now = utc_now()
+        encrypted = self.cipher.encrypt(password)
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO users(student_id, password_hash, password_encrypted, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?)
+                """,
+                (student_id, hash_password(password), encrypted, now, now),
+            )
+            row = connection.execute(
+                "SELECT id, student_id, created_at, updated_at, last_login_at FROM users WHERE student_id = ?",
+                (student_id,),
+            ).fetchone()
+        return dict(row)
+
+    def create_or_update_user(self, student_id: str, password: str) -> dict[str, Any]:
+        existing = self.get_user_by_student_id(student_id)
+        if existing:
+            self.update_user_password(existing["id"], password)
+            return self.get_user_by_id(existing["id"]) or existing
+        return self.create_user(student_id, password)
+
+    def verify_or_create_user_login(self, student_id: str, password: str) -> tuple[dict[str, Any] | None, bool]:
+        user = self.get_user_by_student_id(student_id, include_password=True)
+        if not user:
+            created = self.create_user(student_id, password)
+            return created, True
+        if not verify_password(user["password_hash"], password):
+            return None, False
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                "UPDATE users SET last_login_at = ?, updated_at = ? WHERE id = ?",
+                (now, now, user["id"]),
+            )
+            refreshed = connection.execute(
+                "SELECT id, student_id, created_at, updated_at, last_login_at FROM users WHERE id = ?",
+                (user["id"],),
+            ).fetchone()
+        return dict(refreshed), False
+
+    def update_user_password(self, user_id: int, password: str) -> None:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE users
+                SET password_hash = ?, password_encrypted = ?, updated_at = ?
+                WHERE id = ?
+                """,
+                (hash_password(password), self.cipher.encrypt(password), now, user_id),
+            )
+
+    def get_user_runtime_credentials(self, user_id: int) -> dict[str, Any] | None:
+        with self.connect() as connection:
+            row = connection.execute(
+                "SELECT id, student_id, password_encrypted FROM users WHERE id = ?",
+                (user_id,),
+            ).fetchone()
+        if not row:
+            return None
+        data = dict(row)
+        data["password"] = self.cipher.decrypt(data["password_encrypted"])
+        return data
+
+    def list_courses(self, user_id: int) -> list[dict[str, Any]]:
+        with self.connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT id, user_id, course_id, course_index, status, last_result, created_at, updated_at
+                FROM courses
+                WHERE user_id = ?
+                ORDER BY status DESC, course_id ASC, course_index ASC
+                """,
+                (user_id,),
+            ).fetchall()
+        return [dict(row) for row in rows]
+
+    def list_pending_courses(self, user_id: int) -> list[dict[str, Any]]:
+        with self.connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT id, user_id, course_id, course_index, status, last_result, created_at, updated_at
+                FROM courses
+                WHERE user_id = ? AND status != 'selected'
+                ORDER BY course_id ASC, course_index ASC
+                """,
+                (user_id,),
+            ).fetchall()
+        return [dict(row) for row in rows]
+
+    def add_course(self, user_id: int, course_id: str, course_index: str) -> None:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO courses(user_id, course_id, course_index, status, last_result, created_at, updated_at)
+                VALUES (?, ?, ?, 'pending', '', ?, ?)
+                ON CONFLICT(user_id, course_id, course_index)
+                DO UPDATE SET status = 'pending', updated_at = excluded.updated_at
+                """,
+                (user_id, course_id, course_index, now, now),
+            )
+
+    def delete_course(self, course_id: int, user_id: int) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.execute("DELETE FROM courses WHERE id = ? AND user_id = ?", (course_id, user_id))
+
+    def mark_course_result(
+        self,
+        user_id: int,
+        course_id: str,
+        course_index: str,
+        status: str,
+        detail: str,
+    ) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE courses
+                SET status = ?, last_result = ?, updated_at = ?
+                WHERE user_id = ? AND course_id = ? AND course_index = ?
+                """,
+                (status, detail, utc_now(), user_id, course_id, course_index),
+            )
+
+    def list_users_with_summary(self) -> list[dict[str, Any]]:
+        with self.connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT
+                    u.id,
+                    u.student_id,
+                    u.created_at,
+                    u.updated_at,
+                    u.last_login_at,
+                    COALESCE(course_stats.course_count, 0) AS course_count,
+                    COALESCE(course_stats.selected_count, 0) AS selected_count,
+                    active_task.id AS active_task_id,
+                    active_task.status AS active_task_status
+                FROM users u
+                LEFT JOIN (
+                    SELECT
+                        user_id,
+                        COUNT(*) AS course_count,
+                        SUM(CASE WHEN status = 'selected' THEN 1 ELSE 0 END) AS selected_count
+                    FROM courses
+                    GROUP BY user_id
+                ) AS course_stats ON course_stats.user_id = u.id
+                LEFT JOIN (
+                    SELECT t1.*
+                    FROM tasks t1
+                    JOIN (
+                        SELECT user_id, MAX(id) AS id
+                        FROM tasks
+                        WHERE status IN ('queued', 'running')
+                        GROUP BY user_id
+                    ) latest ON latest.id = t1.id
+                ) AS active_task ON active_task.user_id = u.id
+                ORDER BY u.updated_at DESC, u.student_id ASC
+                """
+            ).fetchall()
+        return [dict(row) for row in rows]
+
+    def get_user_dashboard_state(self, user_id: int) -> dict[str, Any]:
+        with self.connect() as connection:
+            counts = connection.execute(
+                """
+                SELECT
+                    COUNT(*) AS total_courses,
+                    SUM(CASE WHEN status = 'selected' THEN 1 ELSE 0 END) AS selected_courses,
+                    SUM(CASE WHEN status != 'selected' THEN 1 ELSE 0 END) AS pending_courses
+                FROM courses
+                WHERE user_id = ?
+                """,
+                (user_id,),
+            ).fetchone()
+            task = connection.execute(
+                """
+                SELECT id, status, attempt_count, updated_at, started_at, finished_at
+                FROM tasks
+                WHERE user_id = ?
+                ORDER BY id DESC
+                LIMIT 1
+                """,
+                (user_id,),
+            ).fetchone()
+        return {
+            "total_courses": counts["total_courses"] or 0,
+            "selected_courses": counts["selected_courses"] or 0,
+            "pending_courses": counts["pending_courses"] or 0,
+            "task": dict(task) if task else None,
+        }
+
+    def get_admin_summary(self) -> dict[str, Any]:
+        with self.connect() as connection:
+            users = connection.execute("SELECT COUNT(*) AS total FROM users").fetchone()["total"]
+            running_tasks = connection.execute(
+                "SELECT COUNT(*) AS total FROM tasks WHERE status = 'running'"
+            ).fetchone()["total"]
+            queued_tasks = connection.execute(
+                "SELECT COUNT(*) AS total FROM tasks WHERE status = 'queued'"
+            ).fetchone()["total"]
+            pending_courses = connection.execute(
+                "SELECT COUNT(*) AS total FROM courses WHERE status != 'selected'"
+            ).fetchone()["total"]
+        return {
+            "users": users,
+            "running_tasks": running_tasks,
+            "queued_tasks": queued_tasks,
+            "pending_courses": pending_courses,
+            "parallelism": self.get_setting_int("max_parallel_tasks", self.default_parallelism),
+        }
+
+    def create_task(self, user_id: int, requested_by_type: str, requested_by_name: str) -> dict[str, Any]:
+        with self._write_lock, self.connect() as connection:
+            existing = connection.execute(
+                """
+                SELECT *
+                FROM tasks
+                WHERE user_id = ? AND status IN ('queued', 'running')
+                ORDER BY id DESC
+                LIMIT 1
+                """,
+                (user_id,),
+            ).fetchone()
+            if existing:
+                return dict(existing)
+            now = utc_now()
+            connection.execute(
+                """
+                INSERT INTO tasks(
+                    user_id, status, requested_by_type, requested_by_name, stop_requested,
+                    attempt_count, last_error, created_at, updated_at
+                )
+                VALUES (?, 'queued', ?, ?, 0, 0, '', ?, ?)
+                """,
+                (user_id, requested_by_type, requested_by_name, now, now),
+            )
+            created = connection.execute(
+                "SELECT * FROM tasks WHERE id = last_insert_rowid()"
+            ).fetchone()
+        return dict(created)
+
+    def get_task(self, task_id: int) -> dict[str, Any] | None:
+        with self.connect() as connection:
+            row = connection.execute("SELECT * FROM tasks WHERE id = ?", (task_id,)).fetchone()
+        return dict(row) if row else None
+
+    def fetch_queued_tasks(self, limit: int) -> list[dict[str, Any]]:
+        with self.connect() as connection:
+            rows = connection.execute(
+                """
+                SELECT *
+                FROM tasks
+                WHERE status = 'queued'
+                ORDER BY created_at ASC, id ASC
+                LIMIT ?
+                """,
+                (limit,),
+            ).fetchall()
+        return [dict(row) for row in rows]
+
+    def mark_task_running(self, task_id: int) -> None:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE tasks
+                SET status = 'running', updated_at = ?, started_at = COALESCE(started_at, ?)
+                WHERE id = ?
+                """,
+                (now, now, task_id),
+            )
+
+    def increment_task_attempt(self, task_id: int) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE tasks
+                SET attempt_count = attempt_count + 1, updated_at = ?
+                WHERE id = ?
+                """,
+                (utc_now(), task_id),
+            )
+
+    def request_stop_task(self, user_id: int) -> None:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE tasks
+                SET stop_requested = 1, updated_at = ?
+                WHERE user_id = ? AND status = 'running'
+                """,
+                (now, user_id),
+            )
+            connection.execute(
+                """
+                UPDATE tasks
+                SET status = 'stopped', stop_requested = 1, updated_at = ?, finished_at = ?
+                WHERE user_id = ? AND status = 'queued'
+                """,
+                (now, now, user_id),
+            )
+
+    def is_stop_requested(self, task_id: int) -> bool:
+        with self.connect() as connection:
+            row = connection.execute(
+                "SELECT stop_requested FROM tasks WHERE id = ?",
+                (task_id,),
+            ).fetchone()
+        return bool(row and row["stop_requested"])
+
+    def finish_task(self, task_id: int, status: str, last_error: str = "") -> None:
+        now = utc_now()
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                UPDATE tasks
+                SET status = ?, last_error = ?, updated_at = ?, finished_at = ?
+                WHERE id = ?
+                """,
+                (status, last_error, now, now, task_id),
+            )
+
+    def add_log(self, task_id: int | None, user_id: int | None, actor: str, level: str, message: str) -> None:
+        with self._write_lock, self.connect() as connection:
+            connection.execute(
+                """
+                INSERT INTO logs(task_id, user_id, created_at, level, actor, message)
+                VALUES (?, ?, ?, ?, ?, ?)
+                """,
+                (task_id, user_id, utc_now(), level.upper(), actor, message),
+            )
+
+    def get_logs_after(self, last_id: int, user_id: int | None = None, limit: int = 200) -> list[dict[str, Any]]:
+        query = """
+            SELECT
+                logs.id,
+                logs.task_id,
+                logs.user_id,
+                logs.created_at,
+                logs.level,
+                logs.actor,
+                logs.message,
+                users.student_id
+            FROM logs
+            LEFT JOIN users ON users.id = logs.user_id
+            WHERE logs.id > ?
+        """
+        params: list[Any] = [last_id]
+        if user_id is not None:
+            query += " AND logs.user_id = ?"
+            params.append(user_id)
+        query += " ORDER BY logs.id ASC LIMIT ?"
+        params.append(limit)
+        with self.connect() as connection:
+            rows = connection.execute(query, params).fetchall()
+        return [dict(row) for row in rows]
+
+    def get_recent_logs(self, user_id: int | None = None, limit: int = 120) -> list[dict[str, Any]]:
+        query = """
+            SELECT
+                logs.id,
+                logs.task_id,
+                logs.user_id,
+                logs.created_at,
+                logs.level,
+                logs.actor,
+                logs.message,
+                users.student_id
+            FROM logs
+            LEFT JOIN users ON users.id = logs.user_id
+        """
+        params: list[Any] = []
+        if user_id is not None:
+            query += " WHERE logs.user_id = ?"
+            params.append(user_id)
+        query += " ORDER BY logs.id DESC LIMIT ?"
+        params.append(limit)
+        with self.connect() as connection:
+            rows = connection.execute(query, params).fetchall()
+        items = [dict(row) for row in rows]
+        items.reverse()
+        return items

course_catcher/security.py

@@ -0,0 +1,33 @@
+from __future__ import annotations
+
+import base64
+import hashlib
+
+from cryptography.fernet import Fernet
+from werkzeug.security import check_password_hash, generate_password_hash
+
+
+class CredentialCipher:
+    def __init__(self, secret_key: str) -> None:
+        digest = hashlib.sha256(secret_key.encode("utf-8")).digest()
+        self._fernet = Fernet(base64.urlsafe_b64encode(digest))
+
+    def encrypt(self, value: str) -> str:
+        return self._fernet.encrypt(value.encode("utf-8")).decode("utf-8")
+
+    def decrypt(self, value: str) -> str:
+        return self._fernet.decrypt(value.encode("utf-8")).decode("utf-8")
+
+
+def hash_password(password: str) -> str:
+    return generate_password_hash(password)
+
+
+def verify_password(password_hash: str, password: str) -> bool:
+    return check_password_hash(password_hash, password)
+
+
+def mask_secret(secret: str) -> str:
+    if len(secret) <= 4:
+        return "*" * len(secret)
+    return f"{secret[:2]}{'*' * (len(secret) - 4)}{secret[-2:]}"

course_catcher/task_manager.py

@@ -0,0 +1,98 @@
+from __future__ import annotations
+
+import threading
+from typing import Callable
+
+from course_catcher.automation import CourseAutomation
+from course_catcher.config import AppConfig
+from course_catcher.db import Database
+
+
+class TaskManager:
+    def __init__(self, db: Database, config: AppConfig) -> None:
+        self.db = db
+        self.config = config
+        self.automation = CourseAutomation(config)
+        self._workers: dict[int, threading.Thread] = {}
+        self._lock = threading.RLock()
+        self._stop_event = threading.Event()
+        self._scheduler_thread: threading.Thread | None = None
+
+    def start(self) -> None:
+        with self._lock:
+            if self._scheduler_thread and self._scheduler_thread.is_alive():
+                return
+            self._scheduler_thread = threading.Thread(
+                target=self._scheduler_loop,
+                name="task-scheduler",
+                daemon=True,
+            )
+            self._scheduler_thread.start()
+
+    def stop(self) -> None:
+        self._stop_event.set()
+
+    def _scheduler_loop(self) -> None:
+        while not self._stop_event.is_set():
+            self._reap_workers()
+            parallelism = self.db.get_setting_int("max_parallel_tasks", self.config.default_parallelism)
+            available_slots = max(0, parallelism - len(self._workers))
+            if available_slots > 0:
+                queued_tasks = self.db.fetch_queued_tasks(available_slots)
+                for task in queued_tasks:
+                    task_id = task["id"]
+                    with self._lock:
+                        if task_id in self._workers:
+                            continue
+                        self.db.mark_task_running(task_id)
+                        worker = threading.Thread(
+                            target=self._run_task,
+                            args=(task_id,),
+                            name=f"task-{task_id}",
+                            daemon=True,
+                        )
+                        self._workers[task_id] = worker
+                        worker.start()
+            self._stop_event.wait(1)
+
+    def _reap_workers(self) -> None:
+        with self._lock:
+            finished = [task_id for task_id, worker in self._workers.items() if not worker.is_alive()]
+            for task_id in finished:
+                self._workers.pop(task_id, None)
+
+    def _run_task(self, task_id: int) -> None:
+        task = self.db.get_task(task_id)
+        if not task:
+            return
+
+        user_id = task["user_id"]
+
+        def log(level: str, message: str) -> None:
+            self.db.add_log(task_id=task_id, user_id=user_id, actor="runner", level=level, message=message)
+
+        try:
+            credentials = self.db.get_user_runtime_credentials(user_id)
+            if not credentials:
+                self.db.finish_task(task_id, "failed", "关联用户不存在")
+                log("ERROR", "任务关联的用户记录不存在。")
+                return
+
+            log("INFO", f"任务已启动，当前用户 {credentials['student_id']}。")
+            final_status, last_error = self.automation.run_until_stopped(
+                task_id=task_id,
+                user_credentials=credentials,
+                db=self.db,
+                should_stop=lambda: self.db.is_stop_requested(task_id) or self._stop_event.is_set(),
+                log=log,
+            )
+            self.db.finish_task(task_id, final_status, last_error)
+            if final_status == "completed":
+                log("SUCCESS", "任务完成，所有待抢课程均已处理。")
+            elif final_status == "stopped":
+                log("INFO", "任务已停止。")
+            else:
+                log("ERROR", f"任务失败：{last_error}")
+        except Exception as exc:  # pragma: no cover - defensive path
+            self.db.finish_task(task_id, "failed", str(exc))
+            log("ERROR", f"任务崩溃：{exc}")

course_catcher/web.py

@@ -0,0 +1,457 @@
+from __future__ import annotations
+
+import json
+import time
+from functools import wraps
+from typing import Any, Callable
+
+from flask import (
+    Flask,
+    Response,
+    flash,
+    jsonify,
+    redirect,
+    render_template,
+    request,
+    session,
+    stream_with_context,
+    url_for,
+)
+
+from course_catcher.config import AppConfig, load_config
+from course_catcher.db import Database
+from course_catcher.security import CredentialCipher, mask_secret
+from course_catcher.task_manager import TaskManager
+
+
+def create_app() -> Flask:
+    config = load_config()
+    cipher = CredentialCipher(config.secret_key)
+    db = Database(config.database_path, cipher, config.default_parallelism)
+    db.ensure_superadmin(config.admin_username, config.admin_password)
+    task_manager = TaskManager(db, config)
+    task_manager.start()
+
+    app = Flask(
+        __name__,
+        template_folder="../templates",
+        static_folder="../static",
+    )
+    app.config["SECRET_KEY"] = config.secret_key
+    app.extensions["app_config"] = config
+    app.extensions["db"] = db
+    app.extensions["task_manager"] = task_manager
+
+    def current_user() -> dict[str, Any] | None:
+        user_id = session.get("user_id")
+        if not user_id:
+            return None
+        return db.get_user_by_id(int(user_id))
+
+    def current_admin() -> dict[str, Any] | None:
+        admin_id = session.get("admin_id")
+        if not admin_id:
+            return None
+        return db.get_admin_by_id(int(admin_id))
+
+    def require_user(view: Callable):
+        @wraps(view)
+        def wrapped(*args, **kwargs):
+            user = current_user()
+            if not user:
+                return redirect(url_for("login"))
+            return view(user, *args, **kwargs)
+
+        return wrapped
+
+    def require_admin(view: Callable):
+        @wraps(view)
+        def wrapped(*args, **kwargs):
+            admin = current_admin()
+            if not admin:
+                return redirect(url_for("admin_login"))
+            return view(admin, *args, **kwargs)
+
+        return wrapped
+
+    def require_superadmin(view: Callable):
+        @wraps(view)
+        def wrapped(*args, **kwargs):
+            admin = current_admin()
+            if not admin or admin["role"] != "superadmin":
+                flash("只有超级管理员可以执行该操作。", "error")
+                return redirect(url_for("admin_panel"))
+            return view(admin, *args, **kwargs)
+
+        return wrapped
+
+    def normalize_student_id(student_id: str) -> str:
+        return (student_id or "").strip()
+
+    def normalize_course_pair(course_id: str, course_index: str) -> tuple[str, str]:
+        return (course_id or "").strip(), (course_index or "").strip().zfill(2)
+
+    def validate_student_login_form(student_id: str, password: str) -> str | None:
+        if not student_id.isdigit():
+            return "学号必须为纯数字。"
+        if len(student_id) < 8:
+            return "学号长度看起来不正确。"
+        if not password:
+            return "密码不能为空。"
+        return None
+
+    def validate_course_form(course_id: str, course_index: str) -> str | None:
+        if not course_id.isdigit():
+            return "课程号必须为纯数字。"
+        if not course_index.isdigit():
+            return "课序号必须为纯数字。"
+        if len(course_index) != 2:
+            return "课序号必须是两位数字。"
+        return None
+
+    def build_user_view_model(user: dict[str, Any]) -> dict[str, Any]:
+        dashboard_state = db.get_user_dashboard_state(user["id"])
+        courses = db.list_courses(user["id"])
+        logs = db.get_recent_logs(user_id=user["id"])
+        return {
+            "user": user,
+            "dashboard_state": dashboard_state,
+            "courses": courses,
+            "logs": logs,
+            "masked_password": mask_secret("******"),
+        }
+
+    def build_admin_view_model(admin: dict[str, Any]) -> dict[str, Any]:
+        summary = db.get_admin_summary()
+        users = db.list_users_with_summary()
+        users_with_courses: list[dict[str, Any]] = []
+        for user in users:
+            entry = dict(user)
+            entry["courses"] = db.list_courses(user["id"])
+            entry["dashboard_state"] = db.get_user_dashboard_state(user["id"])
+            users_with_courses.append(entry)
+        return {
+            "admin": admin,
+            "summary": summary,
+            "users": users_with_courses,
+            "admins": db.list_admins(),
+            "logs": db.get_recent_logs(),
+        }
+
+    def event_stream(log_scope_user_id: int | None = None):
+        last_id = int(request.args.get("last_id", "0") or 0)
+        while True:
+            items = db.get_logs_after(last_id=last_id, user_id=log_scope_user_id)
+            if items:
+                for item in items:
+                    last_id = item["id"]
+                    yield f"id: {item['id']}\n"
+                    yield "event: log\n"
+                    yield f"data: {json.dumps(item, ensure_ascii=False)}\n\n"
+            else:
+                yield ": keepalive\n\n"
+            time.sleep(1)
+
+    @app.context_processor
+    def inject_session_context():
+        return {
+            "session_user": current_user(),
+            "session_admin": current_admin(),
+        }
+
+    @app.get("/")
+    def index():
+        if current_user():
+            return redirect(url_for("dashboard"))
+        if current_admin():
+            return redirect(url_for("admin_panel"))
+        return redirect(url_for("login"))
+
+    @app.route("/login", methods=["GET", "POST"])
+    def login():
+        if current_user():
+            return redirect(url_for("dashboard"))
+        if request.method == "POST":
+            student_id = normalize_student_id(request.form.get("student_id", ""))
+            password = request.form.get("password", "")
+            error = validate_student_login_form(student_id, password)
+            if error:
+                flash(error, "error")
+                return render_template("login.html")
+
+            user, created = db.verify_or_create_user_login(student_id, password)
+            if not user:
+                flash("学号或密码错误。", "error")
+                return render_template("login.html")
+
+            session.clear()
+            session["user_id"] = user["id"]
+            flash("首次登录已自动创建账户。" if created else "登录成功。", "success")
+            return redirect(url_for("dashboard"))
+        return render_template("login.html")
+
+    @app.post("/logout")
+    def logout():
+        session.clear()
+        flash("已退出登录。", "success")
+        return redirect(url_for("login"))
+
+    @app.route("/admin", methods=["GET", "POST"])
+    def admin_login():
+        if current_admin():
+            return redirect(url_for("admin_panel"))
+        if request.method == "POST":
+            username = (request.form.get("username") or "").strip()
+            password = request.form.get("password") or ""
+            if not username or not password:
+                flash("管理员账号和密码不能为空。", "error")
+                return render_template("admin_login.html")
+
+            admin = db.verify_admin_login(username, password)
+            if not admin:
+                flash("管理员账号或密码错误。", "error")
+                return render_template("admin_login.html")
+
+            session.clear()
+            session["admin_id"] = admin["id"]
+            flash("管理员登录成功。", "success")
+            return redirect(url_for("admin_panel"))
+        return render_template("admin_login.html")
+
+    @app.post("/admin/logout")
+    def admin_logout():
+        session.clear()
+        flash("管理员已退出登录。", "success")
+        return redirect(url_for("admin_login"))
+
+    @app.get("/dashboard")
+    @require_user
+    def dashboard(user: dict[str, Any]):
+        return render_template("dashboard.html", **build_user_view_model(user))
+
+    @app.post("/dashboard/password")
+    @require_user
+    def update_user_password(user: dict[str, Any]):
+        password = request.form.get("password", "")
+        if not password:
+            flash("密码不能为空。", "error")
+            return redirect(url_for("dashboard"))
+        db.update_user_password(user["id"], password)
+        db.add_log(None, user["id"], "user", "INFO", "用户已更新自己的登录密码。")
+        flash("密码已更新。", "success")
+        return redirect(url_for("dashboard"))
+
+    @app.post("/dashboard/courses")
+    @require_user
+    def add_user_course(user: dict[str, Any]):
+        course_id, course_index = normalize_course_pair(
+            request.form.get("course_id", ""),
+            request.form.get("course_index", ""),
+        )
+        error = validate_course_form(course_id, course_index)
+        if error:
+            flash(error, "error")
+            return redirect(url_for("dashboard"))
+
+        db.add_course(user["id"], course_id, course_index)
+        db.add_log(None, user["id"], "user", "INFO", f"新增课程 {course_id}_{course_index}。")
+        flash("课程已添加。", "success")
+        return redirect(url_for("dashboard"))
+
+    @app.post("/dashboard/courses/<int:course_record_id>/delete")
+    @require_user
+    def delete_user_course(user: dict[str, Any], course_record_id: int):
+        db.delete_course(course_record_id, user["id"])
+        db.add_log(None, user["id"], "user", "INFO", f"删除课程记录 #{course_record_id}。")
+        flash("课程已删除。", "success")
+        return redirect(url_for("dashboard"))
+
+    @app.post("/dashboard/tasks/start")
+    @require_user
+    def start_user_task(user: dict[str, Any]):
+        task = db.create_task(user["id"], "user", user["student_id"])
+        db.add_log(task["id"], user["id"], "user", "INFO", "用户发起了新的选课任务。")
+        flash("任务已加入队列。", "success")
+        return redirect(url_for("dashboard"))
+
+    @app.post("/dashboard/tasks/stop")
+    @require_user
+    def stop_user_task(user: dict[str, Any]):
+        db.request_stop_task(user["id"])
+        db.add_log(None, user["id"], "user", "INFO", "用户请求停止当前任务。")
+        flash("停止请求已提交。", "success")
+        return redirect(url_for("dashboard"))
+
+    @app.get("/api/dashboard/status")
+    @require_user
+    def dashboard_status(user: dict[str, Any]):
+        return jsonify(db.get_user_dashboard_state(user["id"]))
+
+    @app.get("/events/logs/user")
+    @require_user
+    def user_log_stream(user: dict[str, Any]):
+        response = Response(stream_with_context(event_stream(log_scope_user_id=user["id"])))
+        response.headers["Content-Type"] = "text/event-stream"
+        response.headers["Cache-Control"] = "no-cache"
+        response.headers["X-Accel-Buffering"] = "no"
+        return response
+
+    @app.get("/admin/panel")
+    @require_admin
+    def admin_panel(admin: dict[str, Any]):
+        return render_template("admin.html", **build_admin_view_model(admin))
+
+    @app.post("/admin/panel/settings/parallelism")
+    @require_admin
+    def update_parallelism(admin: dict[str, Any]):
+        raw_value = request.form.get("parallelism", "1")
+        try:
+            parallelism = max(1, min(8, int(raw_value)))
+        except ValueError:
+            flash("并行数必须是数字。", "error")
+            return redirect(url_for("admin_panel"))
+
+        db.set_setting("max_parallel_tasks", str(parallelism))
+        db.add_log(None, None, "admin", "INFO", f"管理员 {admin['username']} 将并行数设置为 {parallelism}。")
+        flash("并行数已更新。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users")
+    @require_admin
+    def create_or_update_user_from_admin(admin: dict[str, Any]):
+        student_id = normalize_student_id(request.form.get("student_id", ""))
+        password = request.form.get("password", "")
+        error = validate_student_login_form(student_id, password)
+        if error:
+            flash(error, "error")
+            return redirect(url_for("admin_panel"))
+
+        user = db.create_or_update_user(student_id, password)
+        db.add_log(None, user["id"], "admin", "INFO", f"管理员 {admin['username']} 录入或更新了用户账号。")
+
+        initial_course_id, initial_course_index = normalize_course_pair(
+            request.form.get("course_id", ""),
+            request.form.get("course_index", ""),
+        )
+        if initial_course_id or initial_course_index:
+            course_error = validate_course_form(initial_course_id, initial_course_index)
+            if course_error:
+                flash(course_error, "error")
+                return redirect(url_for("admin_panel"))
+            db.add_course(user["id"], initial_course_id, initial_course_index)
+            db.add_log(
+                None,
+                user["id"],
+                "admin",
+                "INFO",
+                f"管理员 {admin['username']} 为用户新增课程 {initial_course_id}_{initial_course_index}。",
+            )
+
+        flash("用户信息已保存。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users/<int:user_id>/password")
+    @require_admin
+    def update_user_password_from_admin(admin: dict[str, Any], user_id: int):
+        password = request.form.get("password", "")
+        if not password:
+            flash("密码不能为空。", "error")
+            return redirect(url_for("admin_panel"))
+        db.update_user_password(user_id, password)
+        db.add_log(None, user_id, "admin", "INFO", f"管理员 {admin['username']} 更新了用户密码。")
+        flash("用户密码已更新。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users/<int:user_id>/courses")
+    @require_admin
+    def add_user_course_from_admin(admin: dict[str, Any], user_id: int):
+        course_id, course_index = normalize_course_pair(
+            request.form.get("course_id", ""),
+            request.form.get("course_index", ""),
+        )
+        error = validate_course_form(course_id, course_index)
+        if error:
+            flash(error, "error")
+            return redirect(url_for("admin_panel"))
+        db.add_course(user_id, course_id, course_index)
+        db.add_log(
+            None,
+            user_id,
+            "admin",
+            "INFO",
+            f"管理员 {admin['username']} 为用户新增课程 {course_id}_{course_index}。",
+        )
+        flash("课程已添加到目标用户。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users/<int:user_id>/courses/<int:course_record_id>/delete")
+    @require_admin
+    def delete_user_course_from_admin(admin: dict[str, Any], user_id: int, course_record_id: int):
+        db.delete_course(course_record_id, user_id)
+        db.add_log(
+            None,
+            user_id,
+            "admin",
+            "INFO",
+            f"管理员 {admin['username']} 删除了课程记录 #{course_record_id}。",
+        )
+        flash("课程已删除。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users/<int:user_id>/tasks/start")
+    @require_admin
+    def start_user_task_from_admin(admin: dict[str, Any], user_id: int):
+        user = db.get_user_by_id(user_id)
+        if not user:
+            flash("用户不存在。", "error")
+            return redirect(url_for("admin_panel"))
+        task = db.create_task(user_id, "admin", admin["username"])
+        db.add_log(
+            task["id"],
+            user_id,
+            "admin",
+            "INFO",
+            f"管理员 {admin['username']} 启动了用户 {user['student_id']} 的任务。",
+        )
+        flash("任务已加入队列。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/users/<int:user_id>/tasks/stop")
+    @require_admin
+    def stop_user_task_from_admin(admin: dict[str, Any], user_id: int):
+        db.request_stop_task(user_id)
+        db.add_log(None, user_id, "admin", "INFO", f"管理员 {admin['username']} 请求停止用户任务。")
+        flash("停止请求已提交。", "success")
+        return redirect(url_for("admin_panel"))
+
+    @app.post("/admin/panel/admins")
+    @require_superadmin
+    def create_admin_account(admin: dict[str, Any]):
+        username = (request.form.get("username") or "").strip()
+        password = request.form.get("password") or ""
+        if not username or not password:
+            flash("管理员账号和密码不能为空。", "error")
+            return redirect(url_for("admin_panel"))
+        try:
+            db.create_admin(username, password)
+            db.add_log(None, None, "admin", "INFO", f"超级管理员 {admin['username']} 创建了管理员 {username}。")
+            flash("管理员已创建。", "success")
+        except Exception as exc:
+            flash(f"管理员创建失败：{exc}", "error")
+        return redirect(url_for("admin_panel"))
+
+    @app.get("/api/admin/status")
+    @require_admin
+    def admin_status(admin: dict[str, Any]):
+        return jsonify(db.get_admin_summary())
+
+    @app.get("/events/logs/admin")
+    @require_admin
+    def admin_log_stream(admin: dict[str, Any]):
+        response = Response(stream_with_context(event_stream(log_scope_user_id=None)))
+        response.headers["Content-Type"] = "text/event-stream"
+        response.headers["Cache-Control"] = "no-cache"
+        response.headers["X-Accel-Buffering"] = "no"
+        return response
+
+    return app

ensure_package_exist.py

@@ -0,0 +1,29 @@
+"""
+确保所有依赖项都已安装
+"""
+import os
+
+
+def ensure_package_exist():
+    """
+    确保所有依赖项都已安装
+    """
+    try:
+        import initialize
+        from selenium import webdriver
+        import type_defs as types
+        from fake_useragent import UserAgent
+    except:
+        print("警告:你似乎还没有安装完全这些依赖项")
+        op=input("输入y以自动安装，或者输入uv使用uv pip:")
+        if op == "y":
+            os.system("pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r requirements.txt")
+            print("安装完成！")
+        elif op == "uv":
+            os.system("uv pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r requirements.txt")
+            print("安装完成！")
+        else:
+            print("缺少必要依赖项")
+            print("程序无法运行，即将退出")
+            input("Press Enter to Continue...")
+            exit()

initialize.py

@@ -0,0 +1,135 @@
+#This program will save your information for quicker catching
+#The data will only save locally.
+import ensure_package_exist
+ensure_package_exist.ensure_package_exist()
+import json,re
+from type_defs import Course, CourseData, UserData
+
+
+def save_user_date(user_data:UserData):
+    with open("user_data.json",mode="w",encoding="utf-8") as file:
+        json.dump(user_data.to_dict(),file,indent=2)
+
+def main()->UserData:
+    user_data = UserData(
+        std_id=input("Input your Student ID: "),
+        password=input("Input your password: ")
+    )
+
+    while True:
+        source=""
+        while source not in ["a","b","q"]:
+            source = input("输入课程来源(a.方案选课/b.自由选课/q.停止添加)(输入a或b即可): ")
+        if(source == "q"):
+            break
+        course_id = input("输入课程号: ")
+        course_index = input("输入课序号(必须为两位数，如:01、33): ")
+        try:
+            int(course_id),int(course_index)
+            if len(course_index) != 2:
+                raise Exception
+            new_course = Course(course_id=course_id, course_index=course_index)
+            if source == "a":
+                user_data.course.a.append(new_course)
+            else:
+                user_data.course.b.append(new_course)
+        except:
+            print("Invaild course!Failed to add the course!")
+            continue
+
+    save_user_date(user_data)
+    print("Done!")
+    return user_data
+
+def show_user_data(user_data:UserData) -> None:
+    print("User information:")
+    print("Student ID:%s"%(user_data.std_id),"Password:%s"%(user_data.password),sep="\n")
+    print("Your courses:")
+    print("-"*20)
+    print("Plan courses:")
+    print("\n".join(map(lambda x:"Course %s_%s"%(x.course_id,x.course_index),user_data.course.a)))
+    print("-"*20)
+    print("Free courses:")
+    print("\n".join(map(lambda x:"Course %s_%s"%(x.course_id,x.course_index),user_data.course.b)))
+    print("-"*20)
+
+def update(user_data:UserData) -> UserData:
+    show_user_data(user_data)
+
+    operate = ""
+    while True:
+        while operate not in ["i","p","a","b","q"]:
+            operate = input("请输入更新指令(i.更改学号/p.更改密码/a.更改方案选课/b.更改自由选课/s.展示当前信息/q.保存并退出)(输入前面的字母即可):")
+        if operate == "q":
+            return user_data
+        elif operate == "i":
+            user_data.std_id = input("Input the new std_id:")
+            print("Student ID has been updated!")
+        elif operate == "p":
+            new_passwd = input("Input the new password:")
+            if new_passwd == input("Input the new password again:"):
+                user_data.password = new_passwd
+                print("Password has been updated!")
+            else:
+                print("The passwords entered did not match.Failed to update the password!")
+        elif operate in ["a","b"]:
+            order,args = "",[]
+            name = "方案选课" if operate == "a" else "自由选课"
+            en_name = "Plan courses" if operate == "a" else "Free courses"
+            course_list = user_data.course.a if operate == "a" else user_data.course.b
+            while True:
+                print("%s:"%(en_name))
+                print("\n".join(map(lambda x:"%d.%s"%(x[0],x[1]),enumerate(map(lambda x:"Course %s_%s"%(x.course_id,x.course_index),course_list),1))))
+                while order not in ["a","d","q"]:
+                    manage = input("请输入更改%s的指令(a [课程号] [课序号].添加新的课程/d [序号].删除第[序号]条课程/q.退出方案选课更新)(输入指令并带上参数):"%(name))
+                    order = manage.split(" ")[0]
+                    args = re.findall(r"\d+",manage)
+                if order == "q":
+                    break
+                elif order == "a":
+                    if len(args) == 2:
+                        try:
+                            numbers = [int(i) for i in args]
+                            if len(args[1]) != 2:
+                                raise Exception
+                            new_course = Course(course_id=args[0], course_index=args[1])
+                            if not new_course in course_list:
+                                course_list.append(new_course)
+                                print("Successfully added Course %s_%s!"%(args[0],args[1]))
+                            else:
+                                print("Course %s_%s has already existed!"%(args[0],args[1]))
+                        except:
+                            print("Invaild arguments type!Failed to add the course!")
+                    else:
+                        print("Invaild number of arguments!Failed to add the course!")
+                elif order == "d":
+                    if len(args) == 1:
+                        try:
+                            pos = int(args[0])
+                            try:
+                                if pos <= 0:
+                                    raise Exception
+                                target = course_list[pos-1]
+                                del course_list[pos-1]
+                                print("Successfully deleted the Course %s_%s!"%(target.course_id,target.course_index))
+                            except:
+                                print("Invaild position!Failed to delete the course!")
+                        except:
+                            print("Invaild argument type!Failed to delete the course!")
+                    else:
+                        print("Invaild number of arguments!Failed to add the course!")
+                order,args = "",[]
+        elif operate == "s":
+            show_user_data(user_data)
+        operate = ""
+
+if __name__ == "__main__":
+    try:
+        with open("user_data.json",mode="r") as file:
+            new_json = update(UserData.from_dict(json.load(file)))
+        save_user_date(new_json)
+        print("Update finished!")
+    except:
+        main()
+
+    

initialize_plus.pyw

@@ -0,0 +1,349 @@
+import json,copy
+from tkinter import *
+from tkinter import messagebox
+from type_defs import UserData, Setting, Course, CourseData
+import ensure_package_exist
+ensure_package_exist.ensure_package_exist()
+
+def save(user_data:UserData,setting:Setting):
+    with open("user_data.json",mode="w") as file:
+        json.dump(user_data.to_dict(),file,indent=2)
+    with open("setting.json",mode="w") as file:
+        json.dump(setting.to_dict(),file,indent=2)
+
+def window_quit():
+    if old_user_data != new_user_data or old_setting_data != new_setting_data:
+        if messagebox.askyesno("Exit","Do you want to save your data?"):
+            save(new_user_data,new_setting_data)
+    window.destroy()
+
+def click_save_button():
+    global old_user_data,old_setting_data
+    try:
+        save(new_user_data,new_setting_data)
+        old_user_data = copy.deepcopy(new_user_data)
+        old_setting_data = copy.deepcopy(new_setting_data)
+        messagebox.showinfo("Message","Save data successfully")
+    except:
+        messagebox.showerror("Error","Failed to save data,please check your json files!")
+
+def show_passwd():
+    global passwd_show
+    passwd_show = not passwd_show
+    if passwd_show:
+        passwd_entry_box.configure(show="")
+        passwd_show_button.configure(text="Hide")
+    else:
+        passwd_entry_box.configure(show="*")
+        passwd_show_button.configure(text="Show")
+
+def user_ok():
+    std_id,passwd = id_entry_box.get(),passwd_entry_box.get()
+    if not std_id.isdigit() or len(id_entry_box.get()) != 13:
+        messagebox.showerror("Invalid student ID","Your student ID should only consist of 13 numbers!")
+        id_entry_box.delete(0,END)
+        id_entry_box.insert(0,new_user_data.std_id)
+    else:
+        new_user_data.std_id = std_id
+        new_user_data.password = passwd
+        messagebox.showinfo("Message","Enter your user information successfully")
+
+def plan_course():
+    main_interface()
+    course_name_label.configure(text="Plan courses")
+    course_list_box.delete(0,END)
+    for course in new_user_data.course.a:
+        course_list_box.insert(END,"%s_%s"%(course.course_id,course.course_index))
+    no_select()
+
+def free_course():
+    main_interface()
+    course_name_label.configure(text="Free courses")
+    course_list_box.delete(0,END)
+    for course in new_user_data.course.b:
+        course_list_box.insert(END,"%s_%s"%(course.course_id,course.course_index))
+    no_select()
+
+def course_select(event):
+    course_id,course_index = event.widget.get(event.widget.curselection()).split("_")
+    course_id_entry_box.delete(0,END)
+    course_index_entry_box.delete(0,END)
+    course_id_entry_box.insert(0,course_id)
+    course_index_entry_box.insert(0,course_index)
+    cancel_button.configure(state=NORMAL)
+    delete_button.configure(state=NORMAL)
+    manage_button.configure(text="Update",command=update_course)
+
+def no_select(event=None):
+    course_list_box.selection_clear(0, END)
+    course_id_entry_box.delete(0,END)
+    course_index_entry_box.delete(0,END)
+    cancel_button.configure(state=DISABLED)
+    delete_button.configure(state=DISABLED)
+    manage_button.configure(text="Add",command=add_course)
+
+def listbox_locate(listbox:Listbox,scrollbar:Scrollbar,index:int):
+    height,size = listbox.cget("height"),listbox.size()
+    first = index if index + height <= size else size - height
+    last = first + height
+    listbox.yview_moveto(first/size)
+    scrollbar.set(first=first/size,last=last/size)
+
+def add_course():
+    course_id,course_index = course_id_entry_box.get(),course_index_entry_box.get()
+    course_list = new_user_data.course.a if course_name_label.cget("text") == "Plan courses" else new_user_data.course.b
+    index = -1
+    for i in range(len(course_list)):
+        if course_list[i].course_id == course_id:
+            index = i
+            break
+    if not course_id or not course_index:
+        messagebox.showerror("Empty course","Please input the course information first!")
+    elif not course_id.isdigit() or not course_index.isdigit():
+        messagebox.showerror("Invalid course","Please enter the right course data that consists of only numbers!")
+        if not course_id.isdigit():
+            course_id_entry_box.delete(0,END)
+        if not course_index.isdigit():
+            course_index_entry_box.delete(0,END)
+    elif len(course_index) != 2:
+        messagebox.showerror("Invalid index","Please enter the right index that consists of only 2 numbers!")
+        course_index_entry_box.delete(0,END)
+    elif index != -1:
+        course_list_box.select_set(index)
+        listbox_locate(course_list_box,course_list_box_scroll,index)
+        old_course = course_list_box.get(index)
+        if course_list[index].course_index != course_index and messagebox.askyesno("Update a already existing course","You already have the course %s\nWould you want to update it?(New:%s_%s)"%(old_course,course_id,course_index)):
+            course_list_box.delete(index)
+            course_list_box.insert(index,"%s_%s"%(course_id,course_index))
+            course_list_box.select_set(index)
+            course_list[index].course_index = course_index
+            course_index_entry_box.delete(0,END)
+            course_index_entry_box.insert(0,course_index)
+        cancel_button.configure(state=NORMAL)
+        delete_button.configure(state=NORMAL)
+        manage_button.configure(text="Update",command=update_course)
+    else:
+        course_list_box.insert(END,"%s_%s"%(course_id,course_index))
+        course_list.append(Course(course_id=course_id,course_index=course_index))
+        course_id_entry_box.delete(0,END)
+        course_index_entry_box.delete(0,END)
+
+def update_course():
+    index = course_list_box.curselection()[0]
+    old_id,old_index = course_list_box.get(index).split("_")
+    new_id,new_index = course_id_entry_box.get(),course_index_entry_box.get()
+    course_list = new_user_data.course.a if course_name_label.cget("text") == "Plan courses" else new_user_data.course.b
+    if not new_id or not new_index:
+        messagebox.showerror("Empty course","Please input the course information first!")
+        if not new_id:
+            course_id_entry_box.insert(0,old_id)
+        if not new_index:
+            course_index_entry_box.insert(0,old_index)
+    elif not new_id.isdigit() or not new_index.isdigit():
+        messagebox.showerror("Invalid course","Please enter the right course data that consists of only numbers!")
+        if not new_id.isdigit():
+            course_id_entry_box.delete(0,END)
+            course_id_entry_box.insert(0,old_id)
+        if not new_index.isdigit():
+            course_index_entry_box.delete(0,END)
+            course_index_entry_box.insert(0,old_index)
+    elif len(new_index) != 2:
+        messagebox.showerror("Invalid index","Please enter the right index that consists of only 2 numbers!")
+        course_index_entry_box.delete(0,END)
+        course_index_entry_box.insert(0,old_index)
+    else:
+        course_list_box.delete(index)
+        course_list_box.insert(index,"%s_%s"%(new_id,new_index))
+        course = course_list[index]
+        course.course_id,course.course_index = new_id,new_index
+
+def delete_course():
+    index = course_list_box.curselection()[0]
+    course_id,course_index = course_list_box.get(index).split("_")
+    if messagebox.askyesno("Confirm","Are you sure you want to delete the course %s_%s?"%(course_id,course_index)):
+        course_list_box.delete(index)
+        course_id_entry_box.delete(0,END)
+        course_index_entry_box.delete(0,END)
+        course_list = new_user_data.course.a if course_name_label.cget("text") == "Plan courses" else new_user_data.course.b
+        course_list.remove(Course(course_id=course_id,course_index=course_index))
+
+def manual_login_click():
+    if manual_login_button.cget("text") == "Disable":
+        if messagebox.askyesno("Disable manual login","It\'ll significantly accelerate the login, but it also usually leads to the incapability of the login when the server is busy (especially during peak course selection periods).\nAre you sure to disable?"):
+            try:
+                new_setting_data.manual_login = False
+                manual_login_button.configure(text="Enable")
+                manual_login_state.configure(text="Disabled",fg="red")
+                messagebox.showinfo("Message","Disable manual login successfully")
+            except:
+                messagebox.showwarning("Error","Failed to disable manual login!")
+    else:
+        if messagebox.askyesno("Enable manual login","It\'ll significantly stabilize the login (especially during peak course selection periods), but it\'ll also significantly slow the login down.\nAre you sure to enable?"):
+            try:
+                new_setting_data.manual_login = True
+                manual_login_button.configure(text="Disable")
+                manual_login_state.configure(text="Enabled",fg="green")
+                messagebox.showinfo("Message","Enable manual login successfully")
+            except:
+                messagebox.showwarning("Error","Failed to enable manual login!")
+
+def browser_click():
+    if new_setting_data.browser == "edge":
+        new_setting_data.browser = "chrome"
+        browser_state.configure(text="Chrome",fg="blue")
+        browser_button.configure(text="Switch to Edge")
+    else:
+        new_setting_data.browser = "edge"
+        browser_state.configure(text="Edge",fg="green")
+        browser_button.configure(text="Switch to Chrome")
+
+def main_interface():
+    for widget in window.winfo_children():
+        widget.place_forget()
+
+    id_label.place(x=size[0]-290,y=50)
+    id_entry_box.place(x=size[0]-220,y=50)
+    passwd_label.place(x=size[0]-285,y=85)
+    passwd_entry_box.place(x=size[0]-220,y=85)
+    passwd_show_button.place(x=size[0]-70,y=80)
+    user_ok_button.place(x=size[0]-175,y=125)
+    save_button.place(x=size[0]-225,y=size[1]-110)
+    course_name_label.place(x=50,y=5)
+    course_list_box.place(x=50,y=30)
+    course_list_box_scroll.place(x=295,y=30,height=380)
+    course_id_label.place(x=size[0]-290,y=200)
+    course_index_label.place(x=size[0]-310,y=235)
+    course_id_entry_box.place(x=size[0]-220,y=200)
+    course_index_entry_box.place(x=size[0]-220,y=235)
+    cancel_button.place(x=size[0]-230,y=280)
+    manage_button.place(x=size[0]-180,y=325)
+    delete_button.place(x=size[0]-130,y=280)
+
+def setting_interface():
+    for widget in window.winfo_children():
+        widget.place_forget()
+
+    save_button.place(x=size[0]-225,y=size[1]-110)
+    manual_login_label.place(x=50,y=20)
+    manual_login_state.place(x=280,y=23)
+    manual_login_button.place(x=500,y=20)
+    browser_label.place(x=50,y=60)
+    browser_state.place(x=280,y=63)
+    browser_button.place(x=500,y=60)
+
+#load the data,if it exists
+try:
+    old_user_data = UserData.from_file("user_data.json")
+    old_setting_data = Setting.from_file("setting.json")
+except Exception as e:
+    print(e)
+    old_user_data = UserData(std_id="", password="", course=CourseData())
+    old_setting_data = Setting(manual_login=False)
+
+new_user_data = copy.deepcopy(old_user_data)
+new_setting_data = copy.deepcopy(old_setting_data)
+passwd_show = False
+size = [640,480]
+
+#Create a gui
+window = Tk()
+window.title("Initialize")
+window.iconbitmap("favicon.ico")
+window.geometry("%dx%d"%(size[0],size[1]))
+window.protocol("WM_DELETE_WINDOW",window_quit)
+
+#Labels
+id_label = Label(window,text="Student ID")
+passwd_label = Label(window,text="Password")
+course_id_label = Label(window,text="Course ID")
+course_index_label = Label(window,text="Course Index")
+course_name_label = Label(window,font=("consolas",15))
+
+manual_login_label = Label(window,text="Manual login")
+manual_login_state = Label(window)
+
+browser_label = Label(window,text="Browser")
+browser_state = Label(window)
+
+#initialize the state
+if new_setting_data.manual_login:
+    manual_login_state.configure(text="Enabled",fg="green")
+else:
+    manual_login_state.configure(text="Disabled",fg="red")
+
+#Entries
+id_entry_box = Entry(window,width=20)
+passwd_entry_box = Entry(window,width=20,show="*")
+course_id_entry_box = Entry(window,width=20)
+course_index_entry_box = Entry(window,width=20)
+
+#Buttons
+passwd_show_button = Button(window,text="Show",command=show_passwd)
+save_button = Button(window,text="Save",width=20,height=2,command=click_save_button)
+user_ok_button = Button(window,text="OK",width=7,height=1,command=user_ok)
+cancel_button = Button(window,text="Cancel",width=7,height=1,state=DISABLED,command=no_select)
+manage_button = Button(window,text="Add",width=7,height=1,command=add_course)
+delete_button = Button(window,text="Delete",width=7,height=1,state=DISABLED,command=delete_course)
+
+manual_login_button = Button(window,width=7,height=1,command=manual_login_click)
+
+browser_button = Button(window,width=15,height=1,command=browser_click)
+
+#initialize the setting button
+if new_setting_data.manual_login:
+    manual_login_button.configure(text="Disable")
+else:
+    manual_login_button.configure(text="Enable")
+
+#initialize the browser state
+if new_setting_data.browser == "edge":
+    browser_state.configure(text="Edge",fg="green")
+    browser_button.configure(text="Switch to Chrome")
+else:
+    browser_state.configure(text="Chrome",fg="blue")
+    browser_button.configure(text="Switch to Edge")
+
+#Listbox
+course_list_box_scroll = Scrollbar(window,width=20)
+course_list_box = Listbox(window,height=15,font=("consolas",16),yscrollcommand=course_list_box_scroll.set,exportselection=False)
+course_list_box.bind("<Button-3>",no_select)
+course_list_box.bind("<<ListboxSelect>>",course_select)
+course_list_box_scroll.config(command=course_list_box.yview)
+
+#Menus
+window_menu = Menu(window)
+window_menu_list = Menu(window_menu,tearoff=False)
+window_menu.add_cascade(label="Course type",menu=window_menu_list)
+window_menu_list.add_command(label="Plan course",command=plan_course)
+window_menu_list.add_command(label="Free course",command=free_course)
+window_menu.add_command(label="Settings",command=setting_interface)
+
+#Insert
+id_entry_box.insert(0,new_user_data.std_id)
+passwd_entry_box.insert(0,new_user_data.password)
+
+"""
+#Place
+id_label.place(x=size[0]-290,y=50)
+id_entry_box.place(x=size[0]-220,y=50)
+passwd_label.place(x=size[0]-285,y=85)
+passwd_entry_box.place(x=size[0]-220,y=85)
+passwd_show_button.place(x=size[0]-70,y=80)
+user_ok_button.place(x=size[0]-175,y=125)
+save_button.place(x=size[0]-225,y=size[1]-110)
+course_name_label.place(x=50,y=5)
+course_list_box.place(x=50,y=30)
+course_list_box_scroll.place(x=295,y=30,height=380)
+course_id_label.place(x=size[0]-290,y=200)
+course_index_label.place(x=size[0]-310,y=235)
+course_id_entry_box.place(x=size[0]-220,y=200)
+course_index_entry_box.place(x=size[0]-220,y=235)
+cancel_button.place(x=size[0]-230,y=280)
+manage_button.place(x=size[0]-180,y=325)
+delete_button.place(x=size[0]-130,y=280)
+"""
+window.config(menu=window_menu)
+plan_course()
+
+#keep the gui active
+window.mainloop()

javascript/check_result.js

@@ -0,0 +1,13 @@
+const rows = Array.from(document.querySelectorAll("#xkresult tbody tr"));
+const items = rows.map((row) => {
+  const subjectCell = row.querySelector("td");
+  const statusNode = row.querySelector("span");
+  const detailText = statusNode ? statusNode.innerText.trim() : "";
+  return {
+    subject: subjectCell ? subjectCell.innerText.trim() : "",
+    result: statusNode ? !statusNode.className.includes("danger") : false,
+    detail: detailText,
+  };
+});
+
+return JSON.stringify(items);

javascript/select_course.js

@@ -0,0 +1,32 @@
+const target = arguments[0];
+const iframe = document.getElementById("ifra");
+
+if (!iframe) {
+  return "no";
+}
+
+const iframeDoc = iframe.contentDocument || iframe.contentWindow.document;
+if (!iframeDoc) {
+  return "no";
+}
+
+const rows = iframeDoc.querySelectorAll("#xirxkxkbody tr");
+for (const row of rows) {
+  const cells = row.querySelectorAll("td");
+  if (cells.length < 3) {
+    continue;
+  }
+
+  const rowText = cells[2].innerText.trim();
+  if (!rowText.includes(target)) {
+    continue;
+  }
+
+  const picker = cells[0].querySelector("input");
+  if (picker) {
+    picker.click();
+    return "yes";
+  }
+}
+
+return "no";

main.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+import os
+
+from app import app
+
+
+def main() -> None:
+    host = os.getenv("HOST", "0.0.0.0")
+    port = int(os.getenv("PORT", "7860"))
+    app.run(host=host, port=port, debug=False, threaded=True, use_reloader=False)
+
+
+if __name__ == "__main__":
+    main()

ocr_provider/captcha_model.onnx

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7db2b56ef35d351f97fb2dbf2ffef63426d1d17dbe7bb227582bc7e175f2312d
+size 4450

ocr_provider/captcha_model.onnx.data

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae70953fc6ca2f39ed9b2fccb221a4371aa9b6b34a0a0bd2819d0ca558ebdea2
+size 452696

onnx_inference.py

@@ -0,0 +1,57 @@
+import onnxruntime as ort
+import numpy as np
+from PIL import Image
+from io import BytesIO
+
+num2char = {
+    k:v for k,v in enumerate("0123456789abcdefghijklmnopqrstuvwxyz")
+}
+char_length = len(num2char)
+
+class CaptchaONNXInference:
+    def __init__(self, model_path, providers=None):
+        if providers is None:
+            providers = ['CPUExecutionProvider']
+        self.session = ort.InferenceSession(model_path, providers=providers)
+        self.input_name = self.session.get_inputs()[0].name
+        self.output_name = self.session.get_outputs()[0].name
+        
+    def preprocess_array(self, img_array):
+        if img_array.max() > 1:
+            img_array = img_array.astype(np.float32) / 255.0
+        if len(img_array.shape) == 3:
+            img_array = np.expand_dims(img_array, axis=0)
+        return img_array
+    
+    def predict(self, input_data):
+        outputs = self.session.run([self.output_name], {self.input_name: input_data})
+        output = outputs[0]
+        result = []
+        for i in range(4):
+            char_logits = output[0, i * char_length:(i + 1) * char_length]
+            char_index = np.argmax(char_logits)
+            result.append(num2char[char_index])
+        return "".join(result)
+    
+    def classification(self,img_bytes):
+        img = Image.open(BytesIO(img_bytes)).convert('RGB')
+        img = img.resize((80, 26))
+        img_array = np.array(img).astype(np.float32) / 255.0
+        img_array = np.transpose(img_array, (2, 0, 1))
+        img_array = np.transpose(img_array, (1, 2, 0))
+        img_array = np.expand_dims(img_array, axis=0)
+        return self.predict(img_array)
+    
+    def predict_batch(self, input_data):
+        outputs = self.session.run([self.output_name], {self.input_name: input_data})
+        output = outputs[0]
+        batch_size = output.shape[0]
+        results = []
+        for b in range(batch_size):
+            result = []
+            for i in range(4):
+                char_logits = output[b, i * char_length:(i + 1) * char_length]
+                char_index = np.argmax(char_logits)
+                result.append(num2char[char_index])
+            results.append("".join(result))
+        return results

pyproject.toml

@@ -0,0 +1,15 @@
+[project]
+name = "advanced-scu-course-catcher"
+version = "2.0.0"
+description = "SCU course catcher web app for Hugging Face Spaces"
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+    "Flask>=3.0.0",
+    "gunicorn>=23.0.0",
+    "selenium>=4.35.0",
+    "onnxruntime>=1.18.0",
+    "numpy>=1.24.0",
+    "Pillow>=10.0.0",
+    "cryptography>=43.0.0",
+]

requirements.txt

@@ -0,0 +1,7 @@
+Flask>=3.0.0
+gunicorn>=23.0.0
+selenium>=4.35.0
+onnxruntime>=1.18.0
+numpy>=1.24.0
+Pillow>=10.0.0
+cryptography>=43.0.0

space_app.py

@@ -0,0 +1,520 @@
+from __future__ import annotations
+
+import atexit
+import json
+import time
+from functools import wraps
+from typing import Callable
+
+from flask import Flask, Response, flash, jsonify, redirect, render_template, request, session, stream_with_context, url_for
+
+from core.config import AppConfig
+from core.db import Database
+from core.security import SecretBox, hash_password, verify_password
+from core.task_manager import TaskManager
+
+
+config = AppConfig.load()
+store = Database(config.db_path, default_parallel_limit=config.default_parallel_limit)
+store.init_db()
+secret_box = SecretBox(config.encryption_key)
+task_manager = TaskManager(config=config, store=store, secret_box=secret_box)
+
+
+def _seed_legacy_user() -> None:
+    if store.list_users():
+        return
+
+    legacy_path = config.root_dir / "user_data.json"
+    if not legacy_path.exists():
+        return
+
+    try:
+        payload = json.loads(legacy_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return
+
+    student_id = str(payload.get("std_id", "")).strip()
+    password = str(payload.get("password", "")).strip()
+    if not student_id or not password:
+        return
+
+    user_id = store.create_user(student_id, secret_box.encrypt(password), "Legacy User")
+    for source_key, category in (("a", "plan"), ("b", "free")):
+        for course in payload.get("course", {}).get(source_key, []):
+            course_id = str(course.get("course_id", "")).strip()
+            course_index = str(course.get("course_index", "")).strip()
+            if course_id and course_index:
+                store.add_course(user_id, category, course_id, course_index)
+
+
+_seed_legacy_user()
+task_manager.start()
+atexit.register(task_manager.shutdown)
+
+app = Flask(__name__, template_folder="templates", static_folder="static")
+app.secret_key = config.session_secret
+app.config.update(SESSION_COOKIE_HTTPONLY=True, SESSION_COOKIE_SAMESITE="Lax")
+
+CATEGORY_LABELS = {
+    "plan": "方案选课",
+    "free": "自由选课",
+}
+TASK_LABELS = {
+    "pending": "排队中",
+    "running": "执行中",
+    "cancel_requested": "停止中",
+    "completed": "已完成",
+    "stopped": "已停止",
+    "failed": "失败",
+}
+
+
+@app.context_processor
+def inject_globals() -> dict:
+    return {
+        "category_labels": CATEGORY_LABELS,
+        "task_labels": TASK_LABELS,
+        "session_role": session.get("role", "guest"),
+    }
+
+
+def _login_required(role: str) -> Callable:
+    def decorator(view: Callable) -> Callable:
+        @wraps(view)
+        def wrapped(*args, **kwargs):
+            current_role = session.get("role")
+            if role == "user" and current_role != "user":
+                flash("请先登录学生账号。", "warning")
+                return redirect(url_for("login"))
+            if role == "admin" and current_role != "admin":
+                flash("请先登录管理员账号。", "warning")
+                return redirect(url_for("admin_login"))
+            return view(*args, **kwargs)
+
+        return wrapped
+
+    return decorator
+
+
+def _get_current_user() -> dict | None:
+    user_id = session.get("user_id")
+    if not user_id:
+        return None
+    return store.get_user(int(user_id))
+
+
+def _get_admin_identity() -> dict:
+    return {
+        "username": session.get("admin_username", ""),
+        "is_super_admin": bool(session.get("is_super_admin", False)),
+    }
+
+
+def _user_owns_course(user_id: int, course_target_id: int) -> bool:
+    return any(course["id"] == course_target_id for course in store.list_courses_for_user(user_id))
+
+
+def _build_user_dashboard_context(user: dict) -> dict:
+    return {
+        "current_user": user,
+        "courses": store.list_courses_for_user(user["id"]),
+        "task": store.get_latest_task_for_user(user["id"]),
+        "recent_logs": store.list_recent_logs(user_id=user["id"], limit=config.logs_page_size),
+    }
+
+
+def _build_admin_dashboard_context() -> dict:
+    users = store.list_users()
+    for user in users:
+        user["courses"] = store.list_courses_for_user(user["id"])
+        user["latest_task"] = store.get_latest_task_for_user(user["id"])
+    admin_identity = _get_admin_identity()
+    return {
+        "users": users,
+        "admins": store.list_admins(),
+        "stats": store.get_admin_stats(),
+        "recent_tasks": store.list_recent_tasks(limit=18),
+        "recent_logs": store.list_recent_logs(limit=config.logs_page_size),
+        "parallel_limit": store.get_parallel_limit(),
+        "is_super_admin": admin_identity["is_super_admin"],
+        "admin_identity": admin_identity,
+    }
+
+
+def _queue_task_for_user(user: dict, *, requested_by: str, requested_by_role: str) -> tuple[dict, bool]:
+    return task_manager.queue_task(user["id"], requested_by=requested_by, requested_by_role=requested_by_role)
+
+
+def _latest_log_id(logs: list[dict]) -> int:
+    if not logs:
+        return 0
+    return int(logs[-1]["id"])
+
+
+@app.get("/")
+def index():
+    if session.get("role") == "user":
+        return redirect(url_for("dashboard"))
+    if session.get("role") == "admin":
+        return redirect(url_for("admin_dashboard"))
+    return redirect(url_for("login"))
+
+
+@app.route("/login", methods=["GET", "POST"])
+def login():
+    if request.method == "POST":
+        student_id = request.form.get("student_id", "").strip()
+        password = request.form.get("password", "")
+        user = store.get_user_by_student_id(student_id)
+        if user is None:
+            flash("没有找到该学号对应的账号，请联系管理员录入。", "danger")
+            return render_template("login.html")
+        if not user["is_active"]:
+            flash("该账号已被管理员禁用。", "danger")
+            return render_template("login.html")
+        try:
+            stored_password = secret_box.decrypt(user["password_encrypted"])
+        except Exception:
+            flash("账号数据损坏，请联系管理员重置密码。", "danger")
+            return render_template("login.html")
+        if stored_password != password:
+            flash("学号或密码不正确。", "danger")
+            return render_template("login.html")
+
+        session.clear()
+        session["role"] = "user"
+        session["user_id"] = user["id"]
+        return redirect(url_for("dashboard"))
+
+    return render_template("login.html")
+
+
+@app.post("/logout")
+def logout():
+    session.clear()
+    return redirect(url_for("login"))
+
+
+@app.route("/admin", methods=["GET", "POST"])
+def admin_login():
+    if request.method == "POST":
+        username = request.form.get("username", "").strip()
+        password = request.form.get("password", "")
+        is_super_admin = username == config.super_admin_username and password == config.super_admin_password
+        admin_row = store.get_admin_by_username(username)
+        is_regular_admin = bool(admin_row and verify_password(admin_row["password_hash"], password))
+        if not is_super_admin and not is_regular_admin:
+            flash("管理员账号或密码错误。", "danger")
+            return render_template("admin_login.html")
+
+        session.clear()
+        session["role"] = "admin"
+        session["admin_username"] = username
+        session["is_super_admin"] = is_super_admin
+        return redirect(url_for("admin_dashboard"))
+
+    return render_template("admin_login.html")
+
+
+@app.post("/admin/logout")
+def admin_logout():
+    session.clear()
+    return redirect(url_for("admin_login"))
+
+
+@app.get("/dashboard")
+@_login_required("user")
+def dashboard():
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+    return render_template("dashboard.html", **_build_user_dashboard_context(user))
+
+
+@app.post("/dashboard/profile")
+@_login_required("user")
+def update_profile():
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+
+    password = request.form.get("password", "").strip()
+    display_name = request.form.get("display_name", "").strip()
+    if not password:
+        flash("密码不能为空。", "danger")
+        return redirect(url_for("dashboard"))
+
+    store.update_user(user["id"], password_encrypted=secret_box.encrypt(password), display_name=display_name)
+    flash("账号信息已更新。", "success")
+    return redirect(url_for("dashboard"))
+
+
+@app.post("/dashboard/courses")
+@_login_required("user")
+def add_course():
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+
+    category = request.form.get("category", "free")
+    course_id = request.form.get("course_id", "").strip()
+    course_index = request.form.get("course_index", "").strip()
+    if not course_id.isdigit() or not course_index.isdigit() or len(course_index) != 2:
+        flash("课程号必须为数字，课序号必须是 2 位数字。", "danger")
+        return redirect(url_for("dashboard"))
+
+    store.add_course(user["id"], category, course_id, course_index)
+    flash("课程已加入任务列表。", "success")
+    return redirect(url_for("dashboard"))
+
+
+@app.post("/dashboard/courses/<int:course_target_id>/delete")
+@_login_required("user")
+def delete_course(course_target_id: int):
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+    if not _user_owns_course(user["id"], course_target_id):
+        flash("不能删除不属于当前账号的课程。", "danger")
+        return redirect(url_for("dashboard"))
+    store.delete_course(course_target_id)
+    flash("课程已移除。", "success")
+    return redirect(url_for("dashboard"))
+
+
+@app.post("/dashboard/task/start")
+@_login_required("user")
+def start_task():
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+    task, created = _queue_task_for_user(user, requested_by=user["student_id"], requested_by_role="user")
+    flash("任务已启动。" if created else f"已有任务处于 {TASK_LABELS.get(task['status'], task['status'])} 状态。", "success" if created else "warning")
+    return redirect(url_for("dashboard"))
+
+
+@app.post("/dashboard/task/stop")
+@_login_required("user")
+def stop_task():
+    user = _get_current_user()
+    if user is None:
+        session.clear()
+        return redirect(url_for("login"))
+    active_task = store.find_active_task_for_user(user["id"])
+    if active_task and task_manager.stop_task(active_task["id"]):
+        flash("停止请求已发送。", "success")
+    else:
+        flash("当前没有可停止的任务。", "warning")
+    return redirect(url_for("dashboard"))
+
+
+@app.get("/admin/dashboard")
+@_login_required("admin")
+def admin_dashboard():
+    return render_template("admin_dashboard.html", **_build_admin_dashboard_context())
+
+
+@app.post("/admin/settings/parallel-limit")
+@_login_required("admin")
+def update_parallel_limit():
+    try:
+        parallel_limit = max(1, min(8, int(request.form.get("parallel_limit", "2"))))
+    except ValueError:
+        flash("并行数必须是 1 到 8 的整数。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    store.set_parallel_limit(parallel_limit)
+    flash(f"并行数已更新为 {parallel_limit}。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users")
+@_login_required("admin")
+def create_user():
+    student_id = request.form.get("student_id", "").strip()
+    password = request.form.get("password", "").strip()
+    display_name = request.form.get("display_name", "").strip()
+    if not student_id.isdigit() or not password:
+        flash("请填写有效的学号和密码。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    if store.get_user_by_student_id(student_id):
+        flash("该学号已经存在。", "warning")
+        return redirect(url_for("admin_dashboard"))
+    store.create_user(student_id, secret_box.encrypt(password), display_name)
+    flash("用户已创建。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users/<int:user_id>/update")
+@_login_required("admin")
+def update_user(user_id: int):
+    user = store.get_user(user_id)
+    if user is None:
+        flash("用户不存在。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    display_name = request.form.get("display_name", user["display_name"]).strip()
+    password = request.form.get("password", "").strip()
+    if password:
+        store.update_user(user_id, display_name=display_name, password_encrypted=secret_box.encrypt(password))
+    else:
+        store.update_user(user_id, display_name=display_name)
+    flash("用户信息已更新。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users/<int:user_id>/toggle")
+@_login_required("admin")
+def toggle_user(user_id: int):
+    updated = store.toggle_user_active(user_id)
+    if updated is None:
+        flash("用户不存在。", "danger")
+    else:
+        flash("用户状态已切换。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users/<int:user_id>/courses")
+@_login_required("admin")
+def admin_add_course(user_id: int):
+    if store.get_user(user_id) is None:
+        flash("用户不存在。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    category = request.form.get("category", "free")
+    course_id = request.form.get("course_id", "").strip()
+    course_index = request.form.get("course_index", "").strip()
+    if not course_id.isdigit() or not course_index.isdigit() or len(course_index) != 2:
+        flash("课程号必须为数字，课序号必须是 2 位数字。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    store.add_course(user_id, category, course_id, course_index)
+    flash("课程已添加到对应用户。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/courses/<int:course_target_id>/delete")
+@_login_required("admin")
+def admin_delete_course(course_target_id: int):
+    store.delete_course(course_target_id)
+    flash("课程已删除。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users/<int:user_id>/task/start")
+@_login_required("admin")
+def admin_start_user_task(user_id: int):
+    user = store.get_user(user_id)
+    if user is None:
+        flash("用户不存在。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    admin_identity = _get_admin_identity()
+    task, created = _queue_task_for_user(user, requested_by=admin_identity["username"], requested_by_role="admin")
+    flash("任务已加入队列。" if created else f"该用户已有任务处于 {TASK_LABELS.get(task['status'], task['status'])} 状态。", "success" if created else "warning")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/users/<int:user_id>/task/stop")
+@_login_required("admin")
+def admin_stop_user_task(user_id: int):
+    active_task = store.find_active_task_for_user(user_id)
+    if active_task and task_manager.stop_task(active_task["id"]):
+        flash("已发送停止请求。", "success")
+    else:
+        flash("当前没有可停止任务。", "warning")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.post("/admin/admins")
+@_login_required("admin")
+def create_admin():
+    if not session.get("is_super_admin", False):
+        flash("只有超级管理员可以新增管理员。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    username = request.form.get("username", "").strip()
+    password = request.form.get("password", "").strip()
+    if not username or not password:
+        flash("请填写管理员账号和密码。", "danger")
+        return redirect(url_for("admin_dashboard"))
+    if username == config.super_admin_username or store.get_admin_by_username(username):
+        flash("该管理员账号已存在。", "warning")
+        return redirect(url_for("admin_dashboard"))
+    store.create_admin(username, hash_password(password))
+    flash("管理员已创建。", "success")
+    return redirect(url_for("admin_dashboard"))
+
+
+@app.get("/api/user/status")
+@_login_required("user")
+def user_status():
+    user = _get_current_user()
+    if user is None:
+        return jsonify({"ok": False}), 401
+    task = store.get_latest_task_for_user(user["id"])
+    return jsonify({"ok": True, "task": task, "courses": store.list_courses_for_user(user["id"])})
+
+
+@app.get("/api/admin/status")
+@_login_required("admin")
+def admin_status():
+    return jsonify(
+        {
+            "ok": True,
+            "stats": store.get_admin_stats(),
+            "parallel_limit": store.get_parallel_limit(),
+            "recent_tasks": store.list_recent_tasks(limit=12),
+        }
+    )
+
+
+@app.get("/api/user/logs/stream")
+@_login_required("user")
+def stream_user_logs():
+    user = _get_current_user()
+    if user is None:
+        return jsonify({"ok": False}), 401
+    last_id = int(request.args.get("last_id", _latest_log_id(store.list_recent_logs(user_id=user["id"], limit=1))))
+
+    @stream_with_context
+    def generate():
+        current_last_id = last_id
+        while True:
+            logs = store.list_logs_after(current_last_id, user_id=user["id"], limit=60)
+            if logs:
+                for log in logs:
+                    current_last_id = int(log["id"])
+                    yield f"id: {log['id']}\ndata: {json.dumps(log, ensure_ascii=False)}\n\n"
+            else:
+                yield ": keep-alive\n\n"
+            time.sleep(1)
+
+    response = Response(generate(), mimetype="text/event-stream")
+    response.headers["Cache-Control"] = "no-cache"
+    response.headers["X-Accel-Buffering"] = "no"
+    return response
+
+
+@app.get("/api/admin/logs/stream")
+@_login_required("admin")
+def stream_admin_logs():
+    last_id = int(request.args.get("last_id", _latest_log_id(store.list_recent_logs(limit=1))))
+
+    @stream_with_context
+    def generate():
+        current_last_id = last_id
+        while True:
+            logs = store.list_logs_after(current_last_id, limit=80)
+            if logs:
+                for log in logs:
+                    current_last_id = int(log["id"])
+                    yield f"id: {log['id']}\ndata: {json.dumps(log, ensure_ascii=False)}\n\n"
+            else:
+                yield ": keep-alive\n\n"
+            time.sleep(1)
+
+    response = Response(generate(), mimetype="text/event-stream")
+    response.headers["Cache-Control"] = "no-cache"
+    response.headers["X-Accel-Buffering"] = "no"
+    return response

static/app.js

@@ -0,0 +1,127 @@
+(function () {
+    const statusLabels = {
+        pending: "排队中",
+        running: "执行中",
+        cancel_requested: "停止中",
+        completed: "已完成",
+        stopped: "已停止",
+        failed: "失败",
+        idle: "未启动"
+    };
+
+    function renderLogLine(log) {
+        const line = document.createElement("div");
+        const level = (log.level || "INFO").toLowerCase();
+        line.className = `log-line level-${level}`;
+
+        const meta = document.createElement("span");
+        meta.className = "log-meta";
+        const owner = log.student_id || "system";
+        meta.textContent = `${log.created_at} · ${owner} · ${log.scope} · ${log.level}`;
+
+        const message = document.createElement("span");
+        message.textContent = log.message || "";
+
+        line.append(meta, message);
+        return line;
+    }
+
+    function bindLogStream() {
+        const shell = document.querySelector("[data-log-stream-url]");
+        const consoleNode = document.getElementById("log-console");
+        if (!shell || !consoleNode || !window.EventSource) {
+            return;
+        }
+
+        const streamUrl = shell.getAttribute("data-log-stream-url");
+        const eventSource = new EventSource(streamUrl);
+
+        eventSource.onmessage = function (event) {
+            try {
+                const payload = JSON.parse(event.data);
+                if (consoleNode.querySelector(".muted")) {
+                    consoleNode.innerHTML = "";
+                }
+                consoleNode.appendChild(renderLogLine(payload));
+                while (consoleNode.children.length > 360) {
+                    consoleNode.removeChild(consoleNode.firstChild);
+                }
+                consoleNode.scrollTop = consoleNode.scrollHeight;
+            } catch (_error) {
+                // Ignore malformed frames and keep the stream alive.
+            }
+        };
+    }
+
+    function updateUserStatus(data) {
+        const taskText = document.getElementById("task-status-text");
+        const taskPill = document.getElementById("task-status-pill");
+        const courseCount = document.getElementById("course-count");
+        const status = (data.task && data.task.status) || "idle";
+        if (taskText) {
+            taskText.textContent = statusLabels[status] || status;
+        }
+        if (taskPill) {
+            taskPill.className = `status-pill status-${status}`;
+            taskPill.textContent = statusLabels[status] || status;
+        }
+        if (courseCount && Array.isArray(data.courses)) {
+            courseCount.textContent = String(data.courses.length);
+        }
+    }
+
+    function updateAdminStatus(data) {
+        const users = document.getElementById("stat-users");
+        const running = document.getElementById("stat-running");
+        const pending = document.getElementById("stat-pending");
+        const parallel = document.getElementById("parallel-limit-input");
+        if (users) {
+            users.textContent = String(data.stats.users_count || 0);
+        }
+        if (running) {
+            running.textContent = String(data.stats.running_count || 0);
+        }
+        if (pending) {
+            pending.textContent = String(data.stats.pending_count || 0);
+        }
+        if (parallel) {
+            parallel.value = String(data.parallel_limit || parallel.value);
+        }
+    }
+
+    function bindStatusPolling() {
+        const shell = document.querySelector("[data-status-url]");
+        if (!shell) {
+            return;
+        }
+
+        const statusUrl = shell.getAttribute("data-status-url");
+        const isAdmin = shell.classList.contains("admin-dashboard");
+
+        async function refresh() {
+            try {
+                const response = await fetch(statusUrl, { headers: { "X-Requested-With": "fetch" } });
+                if (!response.ok) {
+                    return;
+                }
+                const payload = await response.json();
+                if (!payload.ok) {
+                    return;
+                }
+                if (isAdmin) {
+                    updateAdminStatus(payload);
+                } else {
+                    updateUserStatus(payload);
+                }
+            } catch (_error) {
+                // Leave the current UI state as-is if polling fails.
+            }
+        }
+
+        refresh();
+        window.setInterval(refresh, 7000);
+    }
+
+    bindLogStream();
+    bindStatusPolling();
+})();

static/style.css

@@ -0,0 +1,704 @@
+:root {
+    --bg: #07131d;
+    --bg-2: #0d2030;
+    --panel: rgba(10, 24, 36, 0.82);
+    --panel-strong: rgba(8, 18, 28, 0.94);
+    --line: rgba(151, 204, 213, 0.18);
+    --text: #eef6f6;
+    --muted: #9ab7bd;
+    --primary: #2ed3ad;
+    --primary-deep: #109a88;
+    --secondary: #ffb648;
+    --danger: #ff6f61;
+    --shadow: 0 24px 70px rgba(0, 0, 0, 0.36);
+    --radius-lg: 28px;
+    --radius-md: 20px;
+    --radius-sm: 14px;
+    --font-display: "Space Grotesk", sans-serif;
+    --font-body: "Noto Sans SC", sans-serif;
+}
+
+* {
+    box-sizing: border-box;
+}
+
+html {
+    scroll-behavior: smooth;
+}
+
+body {
+    margin: 0;
+    min-height: 100vh;
+    font-family: var(--font-body);
+    color: var(--text);
+    background:
+        radial-gradient(circle at top left, rgba(20, 110, 116, 0.34), transparent 34%),
+        radial-gradient(circle at top right, rgba(255, 182, 72, 0.16), transparent 28%),
+        linear-gradient(135deg, #041019 0%, #07131d 36%, #0d2030 100%);
+}
+
+button,
+input,
+select {
+    font: inherit;
+}
+
+code {
+    padding: 0.15rem 0.45rem;
+    border-radius: 999px;
+    background: rgba(255, 255, 255, 0.08);
+    color: #fff5dd;
+}
+
+.app-body {
+    position: relative;
+    overflow-x: hidden;
+}
+
+.bg-orb {
+    position: fixed;
+    width: 28rem;
+    height: 28rem;
+    border-radius: 50%;
+    filter: blur(20px);
+    opacity: 0.42;
+    pointer-events: none;
+    animation: drift 14s ease-in-out infinite;
+}
+
+.bg-orb-a {
+    top: -10rem;
+    left: -6rem;
+    background: radial-gradient(circle, rgba(46, 211, 173, 0.48), transparent 68%);
+}
+
+.bg-orb-b {
+    right: -8rem;
+    bottom: -10rem;
+    background: radial-gradient(circle, rgba(255, 182, 72, 0.32), transparent 68%);
+    animation-delay: -6s;
+}
+
+.bg-grid {
+    position: fixed;
+    inset: 0;
+    background-image:
+        linear-gradient(rgba(255, 255, 255, 0.03) 1px, transparent 1px),
+        linear-gradient(90deg, rgba(255, 255, 255, 0.03) 1px, transparent 1px);
+    background-size: 42px 42px;
+    mask-image: radial-gradient(circle at center, black 42%, transparent 100%);
+    pointer-events: none;
+}
+
+.page-shell {
+    position: relative;
+    z-index: 1;
+    width: min(1240px, calc(100% - 2rem));
+    margin: 0 auto;
+    padding: 2rem 0 3rem;
+}
+
+.flash-stack {
+    display: grid;
+    gap: 0.75rem;
+    margin-bottom: 1rem;
+}
+
+.flash {
+    border: 1px solid rgba(255, 255, 255, 0.12);
+    border-radius: var(--radius-sm);
+    padding: 0.9rem 1rem;
+    backdrop-filter: blur(10px);
+    box-shadow: 0 14px 30px rgba(0, 0, 0, 0.18);
+}
+
+.flash-success {
+    background: rgba(46, 211, 173, 0.16);
+}
+
+.flash-warning {
+    background: rgba(255, 182, 72, 0.16);
+}
+
+.flash-danger {
+    background: rgba(255, 111, 97, 0.16);
+}
+
+.auth-layout,
+.dashboard-shell {
+    display: grid;
+    gap: 1.4rem;
+}
+
+.auth-layout {
+    min-height: calc(100vh - 7rem);
+    align-items: center;
+    grid-template-columns: 1.15fr 0.9fr;
+}
+
+.hero-panel,
+.auth-card,
+.card,
+.metric-card,
+.user-card,
+.empty-state-card {
+    position: relative;
+    border: 1px solid var(--line);
+    border-radius: var(--radius-lg);
+    background: var(--panel);
+    backdrop-filter: blur(18px);
+    box-shadow: var(--shadow);
+}
+
+.hero-panel,
+.auth-card,
+.card,
+.empty-state-card {
+    padding: 1.7rem;
+}
+
+.hero-panel {
+    overflow: hidden;
+}
+
+.hero-panel::after,
+.card::after,
+.auth-card::after {
+    content: "";
+    position: absolute;
+    inset: 0;
+    border-radius: inherit;
+    background: linear-gradient(120deg, rgba(255, 255, 255, 0.12), transparent 22%, transparent 78%, rgba(255, 255, 255, 0.05));
+    pointer-events: none;
+}
+
+.eyebrow,
+.kicker {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.5rem;
+    font-family: var(--font-display);
+    letter-spacing: 0.12em;
+    text-transform: uppercase;
+    font-size: 0.75rem;
+    color: #9fe8da;
+}
+
+.hero-panel h1,
+.topbar h1,
+.card-head h2,
+.auth-card h2 {
+    margin: 0.5rem 0 0;
+    font-family: var(--font-display);
+    line-height: 1.05;
+}
+
+.hero-panel h1 {
+    max-width: 13ch;
+    font-size: clamp(2.8rem, 6vw, 5rem);
+}
+
+.hero-panel p,
+.card-head p,
+.topbar p,
+.auth-card p,
+.metric-card small,
+.auth-footnote {
+    color: var(--muted);
+    line-height: 1.7;
+}
+
+.hero-metrics {
+    display: grid;
+    grid-template-columns: repeat(3, minmax(0, 1fr));
+    gap: 1rem;
+    margin-top: 2rem;
+}
+
+.hero-metrics article {
+    padding: 1rem;
+    border-radius: var(--radius-md);
+    background: rgba(255, 255, 255, 0.05);
+    border: 1px solid rgba(255, 255, 255, 0.08);
+}
+
+.hero-metrics strong,
+.metric-card strong {
+    display: block;
+    font-family: var(--font-display);
+    font-size: 1.2rem;
+    margin-bottom: 0.25rem;
+}
+
+.auth-card {
+    max-width: 520px;
+    justify-self: end;
+}
+
+.card-head {
+    display: grid;
+    gap: 0.35rem;
+    margin-bottom: 1.2rem;
+}
+
+.card-head.compact {
+    margin-bottom: 1rem;
+}
+
+.card-head.split,
+.topbar {
+    display: flex;
+    align-items: flex-start;
+    justify-content: space-between;
+    gap: 1rem;
+}
+
+.form-grid {
+    display: grid;
+    gap: 1rem;
+}
+
+.form-grid-compact {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+}
+
+.slim-form {
+    margin-top: 1rem;
+}
+
+.field {
+    display: grid;
+    gap: 0.45rem;
+}
+
+.field span {
+    color: #d4ece6;
+    font-size: 0.92rem;
+}
+
+.field input,
+.field select {
+    width: 100%;
+    border: 1px solid rgba(255, 255, 255, 0.08);
+    border-radius: 16px;
+    padding: 0.95rem 1rem;
+    background: rgba(5, 14, 22, 0.66);
+    color: var(--text);
+    outline: none;
+    transition: border-color 180ms ease, transform 180ms ease, box-shadow 180ms ease;
+}
+
+.field input:focus,
+.field select:focus {
+    border-color: rgba(46, 211, 173, 0.85);
+    box-shadow: 0 0 0 4px rgba(46, 211, 173, 0.12);
+    transform: translateY(-1px);
+}
+
+.span-2 {
+    grid-column: span 2;
+}
+
+.btn {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    gap: 0.55rem;
+    min-height: 48px;
+    border: 0;
+    border-radius: 999px;
+    padding: 0 1.2rem;
+    cursor: pointer;
+    transition: transform 180ms ease, box-shadow 180ms ease, opacity 180ms ease;
+    text-decoration: none;
+}
+
+.btn:hover {
+    transform: translateY(-2px);
+    box-shadow: 0 14px 30px rgba(0, 0, 0, 0.24);
+}
+
+.btn-primary {
+    background: linear-gradient(135deg, var(--primary) 0%, #4be9c3 100%);
+    color: #052119;
+    font-weight: 800;
+}
+
+.btn-secondary {
+    background: linear-gradient(135deg, var(--secondary) 0%, #ffd07a 100%);
+    color: #24160a;
+    font-weight: 800;
+}
+
+.btn-ghost {
+    background: rgba(255, 255, 255, 0.06);
+    color: var(--text);
+    border: 1px solid rgba(255, 255, 255, 0.09);
+}
+
+.btn-ghost.danger {
+    color: #ffd0ca;
+    border-color: rgba(255, 111, 97, 0.34);
+}
+
+.btn-lg {
+    min-height: 54px;
+}
+
+.auth-footnote {
+    margin-top: 1rem;
+    padding-top: 1rem;
+    border-top: 1px solid rgba(255, 255, 255, 0.08);
+}
+
+.topbar {
+    padding: 1rem 0 0.3rem;
+}
+
+.metric-grid {
+    display: grid;
+    grid-template-columns: repeat(4, minmax(0, 1fr));
+    gap: 1rem;
+}
+
+.metric-card {
+    padding: 1.25rem;
+}
+
+.metric-card span {
+    color: var(--muted);
+    font-size: 0.92rem;
+}
+
+.metric-card strong {
+    font-size: clamp(1.4rem, 4vw, 2.2rem);
+    margin: 0.35rem 0;
+}
+
+.content-grid {
+    display: grid;
+    gap: 1rem;
+}
+
+.dashboard-grid {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+}
+
+.admin-grid {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+}
+
+.status-strip,
+.button-row,
+.chip-row,
+.course-chip-row {
+    display: flex;
+    align-items: center;
+    gap: 0.7rem;
+    flex-wrap: wrap;
+}
+
+.wrap-row {
+    margin-top: 1rem;
+}
+
+.status-strip {
+    margin-bottom: 1rem;
+    color: var(--muted);
+}
+
+.status-pill,
+.chip,
+.live-dot {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    border-radius: 999px;
+    padding: 0.45rem 0.9rem;
+    font-size: 0.84rem;
+    border: 1px solid rgba(255, 255, 255, 0.1);
+}
+
+.status-idle,
+.chip {
+    background: rgba(255, 255, 255, 0.05);
+}
+
+.status-running,
+.status-completed,
+.highlight,
+.live-dot {
+    background: rgba(46, 211, 173, 0.14);
+    color: #96f2dd;
+}
+
+.status-pending,
+.status-cancel_requested {
+    background: rgba(255, 182, 72, 0.14);
+    color: #ffd48d;
+}
+
+.status-stopped,
+.status-failed,
+.danger {
+    background: rgba(255, 111, 97, 0.14);
+    color: #ffcec7;
+}
+
+.live-dot {
+    position: relative;
+    gap: 0.4rem;
+    font-family: var(--font-display);
+    letter-spacing: 0.08em;
+}
+
+.live-dot::before {
+    content: "";
+    width: 8px;
+    height: 8px;
+    border-radius: 50%;
+    background: currentColor;
+    box-shadow: 0 0 0 0 rgba(150, 242, 221, 0.65);
+    animation: pulse 2.1s infinite;
+}
+
+.course-table-wrap {
+    overflow-x: auto;
+}
+
+.data-table {
+    width: 100%;
+    border-collapse: collapse;
+}
+
+.data-table th,
+.data-table td {
+    text-align: left;
+    padding: 0.95rem 0.85rem;
+    border-bottom: 1px solid rgba(255, 255, 255, 0.08);
+}
+
+.data-table th {
+    color: #b8d4d4;
+    font-size: 0.9rem;
+}
+
+.inline-action {
+    border: 0;
+    background: transparent;
+    color: #ffd0ca;
+    cursor: pointer;
+    padding: 0;
+}
+
+.empty-cell,
+.empty-mini,
+.empty-state-card {
+    color: var(--muted);
+}
+
+.log-console {
+    min-height: 360px;
+    max-height: 540px;
+    overflow: auto;
+    padding: 1rem;
+    border-radius: 22px;
+    background: rgba(4, 10, 16, 0.92);
+    border: 1px solid rgba(255, 255, 255, 0.06);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace;
+}
+
+.log-line {
+    display: grid;
+    gap: 0.25rem;
+    padding: 0.8rem 0;
+    border-bottom: 1px dashed rgba(255, 255, 255, 0.08);
+    font-size: 0.92rem;
+}
+
+.log-line:last-child {
+    border-bottom: 0;
+}
+
+.log-meta {
+    color: #7ea4aa;
+    font-size: 0.78rem;
+}
+
+.level-error {
+    color: #ffb5ac;
+}
+
+.level-warning {
+    color: #ffd59a;
+}
+
+.level-info {
+    color: #d8ece9;
+}
+
+.level-success {
+    color: #97f4dd;
+}
+
+.muted {
+    color: var(--muted);
+}
+
+.user-card-grid {
+    display: grid;
+    gap: 1rem;
+}
+
+.user-card {
+    padding: 1.25rem;
+}
+
+.user-card-head {
+    display: flex;
+    align-items: flex-start;
+    justify-content: space-between;
+    gap: 1rem;
+}
+
+.user-card h3 {
+    margin: 0;
+    font-family: var(--font-display);
+}
+
+.user-card p {
+    margin: 0.35rem 0 0;
+    color: var(--muted);
+}
+
+.course-list {
+    display: grid;
+    gap: 0.65rem;
+    margin-top: 1rem;
+}
+
+.course-chip-row {
+    justify-content: space-between;
+    padding: 0.8rem 0.95rem;
+    border-radius: 16px;
+    background: rgba(255, 255, 255, 0.05);
+}
+
+.chip-row.tight {
+    margin-top: 0.85rem;
+}
+
+.accent-amber {
+    box-shadow: 0 24px 70px rgba(255, 182, 72, 0.16);
+}
+
+.reveal-up {
+    opacity: 0;
+    transform: translateY(22px);
+    animation: revealUp 0.7s cubic-bezier(0.16, 1, 0.3, 1) forwards;
+}
+
+.delay-1 {
+    animation-delay: 0.08s;
+}
+
+.delay-2 {
+    animation-delay: 0.16s;
+}
+
+.delay-3 {
+    animation-delay: 0.24s;
+}
+
+.delay-4 {
+    animation-delay: 0.32s;
+}
+
+@keyframes revealUp {
+    to {
+        opacity: 1;
+        transform: translateY(0);
+    }
+}
+
+@keyframes drift {
+    0%,
+    100% {
+        transform: translate3d(0, 0, 0) scale(1);
+    }
+    50% {
+        transform: translate3d(16px, -18px, 0) scale(1.05);
+    }
+}
+
+@keyframes pulse {
+    0% {
+        box-shadow: 0 0 0 0 rgba(150, 242, 221, 0.65);
+    }
+    70% {
+        box-shadow: 0 0 0 14px rgba(150, 242, 221, 0);
+    }
+    100% {
+        box-shadow: 0 0 0 0 rgba(150, 242, 221, 0);
+    }
+}
+
+@media (max-width: 1100px) {
+    .auth-layout,
+    .dashboard-grid,
+    .admin-grid,
+    .metric-grid,
+    .hero-metrics {
+        grid-template-columns: 1fr;
+    }
+
+    .auth-card {
+        justify-self: stretch;
+        max-width: none;
+    }
+
+    .span-2 {
+        grid-column: auto;
+    }
+}
+
+@media (max-width: 760px) {
+    .page-shell {
+        width: min(100% - 1rem, 100%);
+        padding-top: 1rem;
+        padding-bottom: 2rem;
+    }
+
+    .hero-panel,
+    .auth-card,
+    .card,
+    .user-card,
+    .empty-state-card {
+        padding: 1.2rem;
+        border-radius: 22px;
+    }
+
+    .card-head.split,
+    .topbar,
+    .user-card-head {
+        flex-direction: column;
+    }
+
+    .form-grid-compact {
+        grid-template-columns: 1fr;
+    }
+
+    .button-row form,
+    .button-row .btn,
+    .btn {
+        width: 100%;
+    }
+
+    .button-row {
+        width: 100%;
+    }
+
+    .log-console {
+        min-height: 280px;
+    }
+}

templates/admin.html

@@ -0,0 +1,227 @@
+{% extends "base.html" %}
+
+{% block title %}管理员后台{% endblock %}
+
+{% block header_actions %}
+  <span class="status-pill status-live">{{ admin.role }} · {{ admin.username }}</span>
+  <form method="post" action="{{ url_for('admin_logout') }}">
+    <button type="submit" class="button button-ghost">退出后台</button>
+  </form>
+{% endblock %}
+
+{% block content %}
+<section class="hero-card">
+  <div class="hero-copy-block">
+    <div class="eyebrow">管理员后台</div>
+    <h1>统一管理用户、并发调度与全局实时日志。</h1>
+    <p class="hero-copy">
+      用户提交的课程配置会集中展示在这里。管理员可以手动录入用户信息、代为启动任务，并根据 Hugging Face Space 资源调整并行数。
+    </p>
+  </div>
+  <div class="stat-grid admin-stat-grid">
+    <div class="stat-card">
+      <span>用户数</span>
+      <strong id="admin-users">{{ summary.users }}</strong>
+    </div>
+    <div class="stat-card">
+      <span>运行中任务</span>
+      <strong id="admin-running">{{ summary.running_tasks }}</strong>
+    </div>
+    <div class="stat-card">
+      <span>排队任务</span>
+      <strong id="admin-queued">{{ summary.queued_tasks }}</strong>
+    </div>
+    <div class="stat-card">
+      <span>并行数</span>
+      <strong id="admin-parallelism">{{ summary.parallelism }}</strong>
+    </div>
+  </div>
+</section>
+
+<section class="content-grid content-grid-admin">
+  <article class="panel">
+    <div class="panel-head">
+      <div>
+        <div class="section-kicker">系统设置</div>
+        <h2>并行调度</h2>
+      </div>
+      <span class="status-pill status-pending">资源敏感</span>
+    </div>
+    <form method="post" action="{{ url_for('update_parallelism') }}" class="form-grid form-grid-inline">
+      <label class="field">
+        <span>最大并行任务数</span>
+        <input type="number" name="parallelism" min="1" max="8" value="{{ summary.parallelism }}" required>
+      </label>
+      <button type="submit" class="button button-primary">保存并行数</button>
+    </form>
+    <p class="muted-note">建议根据 Space 资源从 1 开始逐步增加。每个任务都会独立启动一个无头浏览器实例。</p>
+  </article>
+
+  <article class="panel">
+    <div class="panel-head">
+      <div>
+        <div class="section-kicker">用户录入</div>
+        <h2>手动添加或更新用户</h2>
+      </div>
+      <span class="status-pill status-live">管理员可写</span>
+    </div>
+    <form method="post" action="{{ url_for('create_or_update_user_from_admin') }}" class="form-grid">
+      <label class="field">
+        <span>学号</span>
+        <input type="text" name="student_id" inputmode="numeric" placeholder="学生学号" required>
+      </label>
+      <label class="field">
+        <span>密码</span>
+        <input type="password" name="password" placeholder="学生密码" required>
+      </label>
+      <label class="field">
+        <span>初始课程号</span>
+        <input type="text" name="course_id" inputmode="numeric" placeholder="可选">
+      </label>
+      <label class="field">
+        <span>初始课序号</span>
+        <input type="text" name="course_index" inputmode="numeric" maxlength="2" placeholder="可选">
+      </label>
+      <button type="submit" class="button button-primary">保存用户</button>
+    </form>
+  </article>
+
+  {% if admin.role == "superadmin" %}
+  <article class="panel">
+    <div class="panel-head">
+      <div>
+        <div class="section-kicker">权限管理</div>
+        <h2>创建普通管理员</h2>
+      </div>
+      <span class="status-pill status-live">仅超级管理员</span>
+    </div>
+    <form method="post" action="{{ url_for('create_admin_account') }}" class="form-grid form-grid-inline">
+      <label class="field">
+        <span>管理员账号</span>
+        <input type="text" name="username" placeholder="admin-ops" required>
+      </label>
+      <label class="field">
+        <span>管理员密码</span>
+        <input type="password" name="password" placeholder="管理员密码" required>
+      </label>
+      <button type="submit" class="button button-ghost">创建管理员</button>
+    </form>
+    <div class="chip-wrap">
+      {% for item in admins %}
+        <span class="feature-pill">{{ item.username }} · {{ item.role }}</span>
+      {% endfor %}
+    </div>
+  </article>
+  {% endif %}
+</section>
+
+<section class="panel">
+  <div class="panel-head">
+    <div>
+      <div class="section-kicker">用户列表</div>
+      <h2>多用户管理</h2>
+    </div>
+    <span class="status-pill status-live">管理员全量可见</span>
+  </div>
+
+  <div class="user-grid">
+    {% if users %}
+      {% for item in users %}
+        <article class="user-card">
+          <div class="user-card-head">
+            <div>
+              <div class="user-code">{{ item.student_id }}</div>
+              <div class="user-meta-text">已选 {{ item.selected_count }}/{{ item.course_count }} · 最近登录 {{ item.last_login_at or "尚未登录" }}</div>
+            </div>
+            <span class="status-pill status-{{ item.active_task_status or 'idle' }}">{{ item.active_task_status or "idle" }}</span>
+          </div>
+
+          <div class="button-row compact">
+            <form method="post" action="{{ url_for('start_user_task_from_admin', user_id=item.id) }}">
+              <button type="submit" class="button button-primary button-small">启动</button>
+            </form>
+            <form method="post" action="{{ url_for('stop_user_task_from_admin', user_id=item.id) }}">
+              <button type="submit" class="button button-secondary button-small">停止</button>
+            </form>
+          </div>
+
+          <form method="post" action="{{ url_for('update_user_password_from_admin', user_id=item.id) }}" class="form-grid">
+            <label class="field">
+              <span>重置密码</span>
+              <input type="password" name="password" placeholder="输入新密码" required>
+            </label>
+            <button type="submit" class="button button-ghost button-small">更新</button>
+          </form>
+
+          <form method="post" action="{{ url_for('add_user_course_from_admin', user_id=item.id) }}" class="form-grid form-grid-inline">
+            <label class="field">
+              <span>课程号</span>
+              <input type="text" name="course_id" inputmode="numeric" placeholder="课程号" required>
+            </label>
+            <label class="field">
+              <span>课序号</span>
+              <input type="text" name="course_index" inputmode="numeric" maxlength="2" placeholder="01" required>
+            </label>
+            <button type="submit" class="button button-primary button-small">新增课程</button>
+          </form>
+
+          <div class="course-chip-grid">
+            {% if item.courses %}
+              {% for course in item.courses %}
+                <div class="course-chip course-chip-{{ course.status }}">
+                  <div>
+                    <strong>{{ course.course_id }}_{{ course.course_index }}</strong>
+                    <p>{{ course.last_result or "等待执行" }}</p>
+                  </div>
+                  <form method="post" action="{{ url_for('delete_user_course_from_admin', user_id=item.id, course_record_id=course.id) }}">
+                    <button type="submit" class="button button-danger button-small">删</button>
+                  </form>
+                </div>
+              {% endfor %}
+            {% else %}
+              <div class="empty-state small">这个用户还没有课程记录。</div>
+            {% endif %}
+          </div>
+        </article>
+      {% endfor %}
+    {% else %}
+      <div class="empty-state">当前还没有任何用户，先在上方录入用户信息。</div>
+    {% endif %}
+  </div>
+</section>
+
+<section class="panel console-panel">
+  <div class="panel-head">
+    <div>
+      <div class="section-kicker">全局日志</div>
+      <h2>管理员实时控制台</h2>
+    </div>
+    <span class="status-pill status-live">Live</span>
+  </div>
+  <div
+    class="log-console"
+    id="admin-log-stream"
+    data-last-id="{{ logs[-1].id if logs else 0 }}"
+    data-empty="当前还没有系统日志。"
+  >
+    {% if logs %}
+      {% for log in logs %}
+        <div class="log-line log-{{ log.level|lower }}">
+          <span class="log-time">{{ log.created_at }}</span>
+          <span class="log-actor">{{ log.student_id or log.actor }}</span>
+          <span class="log-message">{{ log.message }}</span>
+        </div>
+      {% endfor %}
+    {% else %}
+      <div class="log-placeholder">当前还没有系统日志。</div>
+    {% endif %}
+  </div>
+</section>
+
+<script>
+  window.addEventListener("DOMContentLoaded", () => {
+    SCUApp.initLogStream("admin-log-stream", "{{ url_for('admin_log_stream') }}");
+    SCUApp.initAdminStatus("{{ url_for('admin_status') }}");
+  });
+</script>
+{% endblock %}

templates/admin_dashboard.html

@@ -0,0 +1,262 @@
+{% extends "base.html" %}
+{% block title %}管理后台 | SCU 选课控制台{% endblock %}
+{% block body_class %}admin-theme{% endblock %}
+{% block content %}
+<section class="dashboard-shell admin-dashboard" data-log-stream-url="{{ url_for('stream_admin_logs', last_id=recent_logs[-1].id if recent_logs else 0) }}" data-status-url="{{ url_for('admin_status') }}">
+    <header class="topbar reveal-up">
+        <div>
+            <span class="eyebrow">Admin Console</span>
+            <h1>管理员后台</h1>
+            <p>当前管理员：{{ admin_identity.username }}{% if is_super_admin %} · 超级管理员{% endif %}</p>
+        </div>
+        <form method="post" action="{{ url_for('admin_logout') }}">
+            <button type="submit" class="btn btn-ghost">退出后台</button>
+        </form>
+    </header>
+
+    <section class="metric-grid reveal-up delay-1">
+        <article class="metric-card">
+            <span>用户数</span>
+            <strong id="stat-users">{{ stats.users_count }}</strong>
+            <small>已录入的学生账号</small>
+        </article>
+        <article class="metric-card">
+            <span>运行中任务</span>
+            <strong id="stat-running">{{ stats.running_count }}</strong>
+            <small>排队中：<span id="stat-pending">{{ stats.pending_count }}</span></small>
+        </article>
+        <article class="metric-card">
+            <span>总课程目标</span>
+            <strong>{{ stats.courses_count }}</strong>
+            <small>管理员可见全部课程号与课序号</small>
+        </article>
+        <article class="metric-card">
+            <span>管理员总数</span>
+            <strong>{{ stats.admins_count }}</strong>
+            <small>包含 1 位超级管理员</small>
+        </article>
+    </section>
+
+    <section class="content-grid admin-grid">
+        <article class="card reveal-up delay-2">
+            <div class="card-head">
+                <span class="kicker">调度设置</span>
+                <h2>并行数</h2>
+                <p>建议根据 Hugging Face Space 的 CPU 与内存情况控制在较低范围。</p>
+            </div>
+            <form method="post" action="{{ url_for('update_parallel_limit') }}" class="form-grid form-grid-compact">
+                <label class="field">
+                    <span>当前并行数</span>
+                    <input type="number" id="parallel-limit-input" name="parallel_limit" min="1" max="8" value="{{ parallel_limit }}" required>
+                </label>
+                <button type="submit" class="btn btn-primary">更新并行数</button>
+            </form>
+        </article>
+
+        <article class="card reveal-up delay-2">
+            <div class="card-head">
+                <span class="kicker">新增用户</span>
+                <h2>手动录入用户信息</h2>
+                <p>管理员可以直接创建学生账号，普通用户随后即可用学号和密码登录。</p>
+            </div>
+            <form method="post" action="{{ url_for('create_user') }}" class="form-grid form-grid-compact">
+                <label class="field">
+                    <span>学号</span>
+                    <input type="text" name="student_id" inputmode="numeric" placeholder="13 位学号" required>
+                </label>
+                <label class="field">
+                    <span>显示名称</span>
+                    <input type="text" name="display_name" placeholder="可选备注">
+                </label>
+                <label class="field span-2">
+                    <span>密码</span>
+                    <input type="password" name="password" placeholder="教务系统密码" required>
+                </label>
+                <button type="submit" class="btn btn-secondary">创建用户</button>
+            </form>
+        </article>
+
+        {% if is_super_admin %}
+        <article class="card reveal-up delay-2">
+            <div class="card-head">
+                <span class="kicker">管理员管理</span>
+                <h2>新增管理员</h2>
+                <p>只有超级管理员可以继续创建普通管理员。</p>
+            </div>
+            <form method="post" action="{{ url_for('create_admin') }}" class="form-grid form-grid-compact">
+                <label class="field">
+                    <span>管理员账号</span>
+                    <input type="text" name="username" placeholder="输入管理员账号" required>
+                </label>
+                <label class="field">
+                    <span>管理员密码</span>
+                    <input type="password" name="password" placeholder="输入管理员密码" required>
+                </label>
+                <button type="submit" class="btn btn-ghost">创建管理员</button>
+            </form>
+            <div class="chip-row">
+                <span class="chip highlight">超级管理员：{{ admin_identity.username }}</span>
+                {% for admin in admins %}
+                    <span class="chip">{{ admin.username }}</span>
+                {% endfor %}
+            </div>
+        </article>
+        {% endif %}
+
+        <article class="card reveal-up delay-3 span-2">
+            <div class="card-head split">
+                <div>
+                    <span class="kicker">任务总览</span>
+                    <h2>最近任务</h2>
+                    <p>用于快速确认任务是否正在排队、执行、停止或失败。</p>
+                </div>
+                <span class="status-pill status-running">实时刷新</span>
+            </div>
+            <div class="course-table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>任务</th>
+                            <th>学号</th>
+                            <th>状态</th>
+                            <th>触发者</th>
+                            <th>更新时间</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% if recent_tasks %}
+                            {% for task in recent_tasks %}
+                                <tr>
+                                    <td>#{{ task.id }}</td>
+                                    <td>{{ task.student_id }}</td>
+                                    <td><span class="status-pill status-{{ task.status }}">{{ task_labels.get(task.status, task.status) }}</span></td>
+                                    <td>{{ task.requested_by_role }}:{{ task.requested_by }}</td>
+                                    <td>{{ task.updated_at }}</td>
+                                </tr>
+                            {% endfor %}
+                        {% else %}
+                            <tr>
+                                <td colspan="5" class="empty-cell">还没有任务记录。</td>
+                            </tr>
+                        {% endif %}
+                    </tbody>
+                </table>
+            </div>
+        </article>
+
+        <article class="card reveal-up delay-3 span-2">
+            <div class="card-head split">
+                <div>
+                    <span class="kicker">全局日志</span>
+                    <h2>所有用户的运行日志</h2>
+                    <p>日志会持续流入，便于管理员确认浏览器登录、查课、提交结果与错误信息。</p>
+                </div>
+                <span class="live-dot">LIVE</span>
+            </div>
+            <div class="log-console" id="log-console">
+                {% if recent_logs %}
+                    {% for log in recent_logs %}
+                        <div class="log-line level-{{ log.level|lower }}">
+                            <span class="log-meta">{{ log.created_at }} · {{ log.student_id or 'system' }} · {{ log.scope }} · {{ log.level }}</span>
+                            <span>{{ log.message }}</span>
+                        </div>
+                    {% endfor %}
+                {% else %}
+                    <div class="log-line level-info muted">暂无日志，用户启动任务后这里会自动刷新。</div>
+                {% endif %}
+            </div>
+        </article>
+
+        <article class="card reveal-up delay-4 span-2">
+            <div class="card-head">
+                <span class="kicker">用户清单</span>
+                <h2>所有用户与课程详情</h2>
+                <p>可以直接修改用户信息、增减课程，或代替用户启动和停止任务。</p>
+            </div>
+            <div class="user-card-grid">
+                {% for user in users %}
+                    <section class="user-card">
+                        <div class="user-card-head">
+                            <div>
+                                <h3>{{ user.display_name or user.student_id }}</h3>
+                                <p>{{ user.student_id }}</p>
+                            </div>
+                            <span class="status-pill status-{{ user.latest_task.status if user.latest_task else 'idle' }}">
+                                {{ task_labels.get(user.latest_task.status, '未启动') if user.latest_task else '未启动' }}
+                            </span>
+                        </div>
+
+                        <div class="chip-row tight">
+                            <span class="chip {% if user.is_active %}highlight{% endif %}">{{ '启用中' if user.is_active else '已禁用' }}</span>
+                            <span class="chip">课程 {{ user.course_count }}</span>
+                            <span class="chip">最近任务 {{ user.latest_task.id if user.latest_task else '--' }}</span>
+                        </div>
+
+                        <form method="post" action="{{ url_for('update_user', user_id=user.id) }}" class="form-grid form-grid-compact slim-form">
+                            <label class="field span-2">
+                                <span>显示名称</span>
+                                <input type="text" name="display_name" value="{{ user.display_name }}" placeholder="备注名称">
+                            </label>
+                            <label class="field span-2">
+                                <span>重置密码</span>
+                                <input type="password" name="password" placeholder="留空表示不修改">
+                            </label>
+                            <button type="submit" class="btn btn-ghost">保存用户</button>
+                        </form>
+
+                        <div class="button-row wrap-row">
+                            <form method="post" action="{{ url_for('toggle_user', user_id=user.id) }}">
+                                <button type="submit" class="btn btn-ghost {% if not user.is_active %}danger{% endif %}">{{ '禁用' if user.is_active else '启用' }}</button>
+                            </form>
+                            <form method="post" action="{{ url_for('admin_start_user_task', user_id=user.id) }}">
+                                <button type="submit" class="btn btn-primary">代启动任务</button>
+                            </form>
+                            <form method="post" action="{{ url_for('admin_stop_user_task', user_id=user.id) }}">
+                                <button type="submit" class="btn btn-ghost danger">代停止任务</button>
+                            </form>
+                        </div>
+
+                        <form method="post" action="{{ url_for('admin_add_course', user_id=user.id) }}" class="form-grid form-grid-compact slim-form">
+                            <label class="field">
+                                <span>类型</span>
+                                <select name="category">
+                                    <option value="free">自由选课</option>
+                                    <option value="plan">方案选课</option>
+                                </select>
+                            </label>
+                            <label class="field">
+                                <span>课程号</span>
+                                <input type="text" name="course_id" placeholder="课程号" required>
+                            </label>
+                            <label class="field">
+                                <span>课序号</span>
+                                <input type="text" name="course_index" placeholder="01" maxlength="2" required>
+                            </label>
+                            <button type="submit" class="btn btn-secondary">为该用户加课</button>
+                        </form>
+
+                        <div class="course-list">
+                            {% if user.courses %}
+                                {% for course in user.courses %}
+                                    <div class="course-chip-row">
+                                        <span>{{ category_labels.get(course.category, course.category) }} · {{ course.course_id }}_{{ course.course_index }}</span>
+                                        <form method="post" action="{{ url_for('admin_delete_course', course_target_id=course.id) }}">
+                                            <button type="submit" class="inline-action">删除</button>
+                                        </form>
+                                    </div>
+                                {% endfor %}
+                            {% else %}
+                                <div class="empty-mini">当前没有课程目标。</div>
+                            {% endif %}
+                        </div>
+                    </section>
+                {% else %}
+                    <div class="empty-state-card">
+                        还没有录入任何用户，请先通过上方表单创建。
+                    </div>
+                {% endfor %}
+            </div>
+        </article>
+    </section>
+</section>
+{% endblock %}

templates/admin_login.html

@@ -0,0 +1,50 @@
+{% extends "base.html" %}
+{% block title %}管理员登录 | SCU 选课控制台{% endblock %}
+{% block body_class %}auth-body admin-theme{% endblock %}
+{% block content %}
+<section class="auth-layout admin-layout">
+    <div class="hero-panel reveal-up">
+        <span class="eyebrow">Admin Console</span>
+        <h1>统一查看所有用户、任务队列、并行数和实时日志。</h1>
+        <p>
+            管理员可以手动录入用户账号、查看全部课程目标、控制任务启停，并根据 Hugging Face Space 的资源情况调整并行数。
+        </p>
+        <div class="hero-metrics">
+            <article>
+                <strong>多位管理员</strong>
+                <span>超级管理员可继续创建普通管理员</span>
+            </article>
+            <article>
+                <strong>并发可控</strong>
+                <span>任务并行度支持后台动态调整</span>
+            </article>
+            <article>
+                <strong>全量透视</strong>
+                <span>用户数据、任务结果和日志全部可见</span>
+            </article>
+        </div>
+    </div>
+
+    <div class="auth-card reveal-up delay-1 accent-amber">
+        <div class="card-head compact">
+            <span class="kicker">管理入口</span>
+            <h2>管理员登录</h2>
+            <p>超级管理员账号密码来自环境变量 <code>ADMIN</code> 与 <code>PASSWORD</code>。</p>
+        </div>
+        <form method="post" class="form-grid">
+            <label class="field">
+                <span>管理员账号</span>
+                <input type="text" name="username" autocomplete="username" placeholder="输入管理员账号" required>
+            </label>
+            <label class="field">
+                <span>管理员密码</span>
+                <input type="password" name="password" autocomplete="current-password" placeholder="输入管理员密码" required>
+            </label>
+            <button type="submit" class="btn btn-secondary btn-lg">进入管理后台</button>
+        </form>
+        <div class="auth-footnote">
+            普通学生无法从用户登录页看到此入口，管理员地址需单独访问。
+        </div>
+    </div>
+</section>
+{% endblock %}

templates/base.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<html lang="zh-CN">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>{% block title %}SCU 选课控制台{% endblock %}</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;500;700;800&family=Space+Grotesk:wght@500;700&display=swap" rel="stylesheet">
+    <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
+</head>
+<body class="app-body {% block body_class %}{% endblock %}">
+    <div class="bg-orb bg-orb-a"></div>
+    <div class="bg-orb bg-orb-b"></div>
+    <div class="bg-grid"></div>
+
+    <main class="page-shell">
+        {% with messages = get_flashed_messages(with_categories=true) %}
+            {% if messages %}
+                <section class="flash-stack">
+                    {% for category, message in messages %}
+                        <article class="flash flash-{{ category }}">{{ message }}</article>
+                    {% endfor %}
+                </section>
+            {% endif %}
+        {% endwith %}
+
+        {% block content %}{% endblock %}
+    </main>
+
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
+    {% block scripts %}{% endblock %}
+</body>
+</html>

templates/dashboard.html

@@ -0,0 +1,159 @@
+{% extends "base.html" %}
+{% block title %}用户控制台 | SCU 选课控制台{% endblock %}
+{% block content %}
+<section class="dashboard-shell" data-log-stream-url="{{ url_for('stream_user_logs', last_id=recent_logs[-1].id if recent_logs else 0) }}" data-status-url="{{ url_for('user_status') }}">
+    <header class="topbar reveal-up">
+        <div>
+            <span class="eyebrow">User Console</span>
+            <h1>{{ current_user.display_name or current_user.student_id }} 的选课面板</h1>
+            <p>登录账号：{{ current_user.student_id }}，你的课程目标与运行日志会实时同步到这里。</p>
+        </div>
+        <form method="post" action="{{ url_for('logout') }}">
+            <button type="submit" class="btn btn-ghost">退出登录</button>
+        </form>
+    </header>
+
+    <section class="metric-grid reveal-up delay-1">
+        <article class="metric-card">
+            <span>当前任务</span>
+            <strong id="task-status-text">{{ task_labels.get(task.status, '未启动') if task else '未启动' }}</strong>
+            <small>最近更新时间：{{ task.updated_at if task else '暂无' }}</small>
+        </article>
+        <article class="metric-card">
+            <span>待选课程</span>
+            <strong id="course-count">{{ courses|length }}</strong>
+            <small>管理员可看到全部课程内容</small>
+        </article>
+        <article class="metric-card">
+            <span>最近任务编号</span>
+            <strong>{{ task.id if task else '--' }}</strong>
+            <small>{{ task.last_error if task and task.last_error else '当前没有错误提示' }}</small>
+        </article>
+    </section>
+
+    <section class="content-grid dashboard-grid">
+        <article class="card reveal-up delay-2">
+            <div class="card-head">
+                <span class="kicker">个人信息</span>
+                <h2>更新登录信息</h2>
+                <p>密码会用于后台登录教务系统，请保持为最新有效密码。</p>
+            </div>
+            <form method="post" action="{{ url_for('update_profile') }}" class="form-grid">
+                <label class="field">
+                    <span>显示名称</span>
+                    <input type="text" name="display_name" value="{{ current_user.display_name }}" placeholder="可选昵称">
+                </label>
+                <label class="field">
+                    <span>教务密码</span>
+                    <input type="password" name="password" value="" placeholder="重新输入当前有效密码" required>
+                </label>
+                <button type="submit" class="btn btn-primary">保存账号信息</button>
+            </form>
+        </article>
+
+        <article class="card reveal-up delay-2">
+            <div class="card-head">
+                <span class="kicker">课程目标</span>
+                <h2>添加课程号与课序号</h2>
+                <p>支持方案选课与自由选课，管理员会看到你录入的全部内容。</p>
+            </div>
+            <form method="post" action="{{ url_for('add_course') }}" class="form-grid form-grid-compact">
+                <label class="field">
+                    <span>选课类型</span>
+                    <select name="category">
+                        <option value="free">自由选课</option>
+                        <option value="plan">方案选课</option>
+                    </select>
+                </label>
+                <label class="field">
+                    <span>课程号</span>
+                    <input type="text" name="course_id" inputmode="numeric" placeholder="课程号" required>
+                </label>
+                <label class="field">
+                    <span>课序号</span>
+                    <input type="text" name="course_index" inputmode="numeric" placeholder="例如 01" maxlength="2" required>
+                </label>
+                <button type="submit" class="btn btn-secondary">加入抢课队列</button>
+            </form>
+        </article>
+
+        <article class="card reveal-up delay-3 span-2">
+            <div class="card-head split">
+                <div>
+                    <span class="kicker">执行控制</span>
+                    <h2>启动与停止任务</h2>
+                    <p>后台会按照管理员设置的并行数进行排队和执行。</p>
+                </div>
+                <div class="button-row">
+                    <form method="post" action="{{ url_for('start_task') }}">
+                        <button type="submit" class="btn btn-primary">启动任务</button>
+                    </form>
+                    <form method="post" action="{{ url_for('stop_task') }}">
+                        <button type="submit" class="btn btn-ghost danger">停止任务</button>
+                    </form>
+                </div>
+            </div>
+            <div class="status-strip">
+                <span class="status-pill status-{{ task.status if task else 'idle' }}" id="task-status-pill">{{ task_labels.get(task.status, '未启动') if task else '未启动' }}</span>
+                <span>创建时间：{{ task.created_at if task else '暂无任务' }}</span>
+                <span>触发者：{{ task.requested_by if task else '暂无' }}</span>
+            </div>
+            <div class="course-table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>类型</th>
+                            <th>课程号</th>
+                            <th>课序号</th>
+                            <th>操作</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% if courses %}
+                            {% for course in courses %}
+                                <tr>
+                                    <td>{{ category_labels.get(course.category, course.category) }}</td>
+                                    <td>{{ course.course_id }}</td>
+                                    <td>{{ course.course_index }}</td>
+                                    <td>
+                                        <form method="post" action="{{ url_for('delete_course', course_target_id=course.id) }}">
+                                            <button type="submit" class="inline-action">移除</button>
+                                        </form>
+                                    </td>
+                                </tr>
+                            {% endfor %}
+                        {% else %}
+                            <tr>
+                                <td colspan="4" class="empty-cell">还没有课程目标，先添加课程号和课序号吧。</td>
+                            </tr>
+                        {% endif %}
+                    </tbody>
+                </table>
+            </div>
+        </article>
+
+        <article class="card reveal-up delay-3 span-2">
+            <div class="card-head split">
+                <div>
+                    <span class="kicker">实时日志</span>
+                    <h2>后台运行日志</h2>
+                    <p>这里会持续显示程序执行时的关键步骤、错误与结果。</p>
+                </div>
+                <span class="live-dot">LIVE</span>
+            </div>
+            <div class="log-console" id="log-console">
+                {% if recent_logs %}
+                    {% for log in recent_logs %}
+                        <div class="log-line level-{{ log.level|lower }}">
+                            <span class="log-meta">{{ log.created_at }} · {{ log.scope }} · {{ log.level }}</span>
+                            <span>{{ log.message }}</span>
+                        </div>
+                    {% endfor %}
+                {% else %}
+                    <div class="log-line level-info muted">暂无日志，启动任务后这里会自动刷新。</div>
+                {% endif %}
+            </div>
+        </article>
+    </section>
+</section>
+{% endblock %}

templates/login.html

@@ -0,0 +1,50 @@
+{% extends "base.html" %}
+{% block title %}用户登录 | SCU 选课控制台{% endblock %}
+{% block body_class %}auth-body{% endblock %}
+{% block content %}
+<section class="auth-layout">
+    <div class="hero-panel reveal-up">
+        <span class="eyebrow">Advanced SCU Course Catcher</span>
+        <h1>把抢课任务变成一个稳定、可并行、可追踪的个人控制台。</h1>
+        <p>
+            使用学号与教务密码登录后，你可以自行维护课程号与课序号，查看后台运行状态，并实时看到程序日志。
+        </p>
+        <div class="hero-metrics">
+            <article>
+                <strong>多用户隔离</strong>
+                <span>每位用户独立队列与日志流</span>
+            </article>
+            <article>
+                <strong>实时可见</strong>
+                <span>浏览器执行日志会持续推送</span>
+            </article>
+            <article>
+                <strong>HF Space 友好</strong>
+                <span>无头浏览器任务可直接部署</span>
+            </article>
+        </div>
+    </div>
+
+    <div class="auth-card reveal-up delay-1">
+        <div class="card-head compact">
+            <span class="kicker">学生入口</span>
+            <h2>用户登录</h2>
+            <p>此页面不展示管理员入口，管理员请直接访问 <code>/admin</code>。</p>
+        </div>
+        <form method="post" class="form-grid">
+            <label class="field">
+                <span>学号</span>
+                <input type="text" name="student_id" inputmode="numeric" autocomplete="username" placeholder="例如 2023XXXXXXXXX" required>
+            </label>
+            <label class="field">
+                <span>密码</span>
+                <input type="password" name="password" autocomplete="current-password" placeholder="输入教务系统密码" required>
+            </label>
+            <button type="submit" class="btn btn-primary btn-lg">进入用户控制台</button>
+        </form>
+        <div class="auth-footnote">
+            管理员可以在后台手动录入用户信息，普通用户登录后只会看到自己的课程数据与日志。
+        </div>
+    </div>
+</section>
+{% endblock %}

tests/__init__.py

@@ -0,0 +1 @@
+

tests/helpers.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+import shutil
+import uuid
+from contextlib import contextmanager
+from pathlib import Path
+from typing import Iterator
+
+
+@contextmanager
+def workspace_tempdir(prefix: str) -> Iterator[Path]:
+    base_dir = Path(__file__).resolve().parent.parent / "data" / "test-artifacts"
+    base_dir.mkdir(parents=True, exist_ok=True)
+    temp_dir = base_dir / f"{prefix}{uuid.uuid4().hex}"
+    temp_dir.mkdir(parents=True, exist_ok=True)
+    try:
+        yield temp_dir
+    finally:
+        shutil.rmtree(temp_dir, ignore_errors=True)

tests/test_config.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+import os
+import unittest
+from unittest.mock import patch
+
+from core.config import AppConfig
+from tests.helpers import workspace_tempdir
+
+
+class AppConfigTests(unittest.TestCase):
+    def test_internal_secrets_persist_when_admin_credentials_change(self) -> None:
+        with workspace_tempdir("config-") as temp_dir:
+            base_env = {
+                "DATA_DIR": str(temp_dir),
+                "ADMIN": "root-one",
+                "PASSWORD": "pass-one",
+            }
+            with patch.dict(os.environ, base_env, clear=False):
+                first = AppConfig.load()
+
+            changed_env = {
+                "DATA_DIR": str(temp_dir),
+                "ADMIN": "root-two",
+                "PASSWORD": "pass-two",
+            }
+            with patch.dict(os.environ, changed_env, clear=False):
+                second = AppConfig.load()
+
+            self.assertEqual(first.session_secret, second.session_secret)
+            self.assertEqual(first.encryption_key, second.encryption_key)
+            self.assertEqual(second.super_admin_username, "root-two")
+            self.assertEqual(second.super_admin_password, "pass-two")
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/test_course_bot.py

@@ -0,0 +1,128 @@
+from __future__ import annotations
+
+import threading
+import unittest
+from pathlib import Path
+from types import SimpleNamespace
+from unittest.mock import patch
+
+from core.course_bot import CourseBot, RecoverableAutomationError
+from core.db import Database
+from tests.helpers import workspace_tempdir
+
+
+class FakeDriver:
+    def __init__(self) -> None:
+        self.quit_called = False
+
+    def quit(self) -> None:
+        self.quit_called = True
+
+
+class FakeButton:
+    def __init__(self) -> None:
+        self.click_count = 0
+
+    def click(self) -> None:
+        self.click_count += 1
+
+
+class CourseBotTests(unittest.TestCase):
+    def _make_store(self, temp_dir: Path) -> tuple[Database, dict]:
+        store = Database(temp_dir / "test.db", default_parallel_limit=2)
+        store.init_db()
+        user_id = store.create_user("2023000000001", "encrypted", "Test User")
+        store.add_course(user_id, "free", "1001001", "01")
+        user = store.get_user(user_id)
+        self.assertIsNotNone(user)
+        return store, user
+
+    def _make_config(self) -> SimpleNamespace:
+        return SimpleNamespace(
+            login_retry_limit=2,
+            poll_interval_seconds=0,
+            task_backoff_seconds=0,
+            browser_page_timeout=1,
+            selenium_error_limit=2,
+            selenium_restart_limit=3,
+            submit_captcha_retry_limit=3,
+            chrome_binary="/usr/bin/chromium",
+            chromedriver_path="/usr/bin/chromedriver",
+        )
+
+    def _make_bot(self, store: Database, user: dict, config: SimpleNamespace, logs: list[tuple[str, str]]) -> CourseBot:
+        with patch("core.course_bot.onnx_inference.CaptchaONNXInference") as solver_cls:
+            solver_cls.return_value = SimpleNamespace(classification=lambda _image: "1234")
+            return CourseBot(
+                config=config,
+                store=store,
+                task_id=1,
+                user=user,
+                password="pw",
+                logger=lambda level, message: logs.append((level, message)),
+            )
+
+    def test_restart_browser_after_repeated_session_errors(self) -> None:
+        with workspace_tempdir("course-bot-") as temp_dir:
+            store, user = self._make_store(temp_dir)
+            config = self._make_config()
+            logs: list[tuple[str, str]] = []
+            drivers: list[FakeDriver] = []
+
+            def fake_configure_browser(**_kwargs):
+                driver = FakeDriver()
+                drivers.append(driver)
+                return driver
+
+            bot = self._make_bot(store, user, config, logs)
+            stop_event = threading.Event()
+
+            with patch("core.course_bot.webdriver_utils.configure_browser", side_effect=fake_configure_browser), patch.object(
+                CourseBot,
+                "_login",
+                return_value=None,
+            ), patch.object(
+                CourseBot,
+                "_goto_select_course",
+                side_effect=RecoverableAutomationError("page unavailable"),
+            ):
+                result = bot.run(stop_event)
+
+            self.assertEqual(result.status, "failed")
+            self.assertIn("任务终止", result.error)
+            self.assertEqual(len(drivers), config.selenium_restart_limit)
+            self.assertTrue(all(driver.quit_called for driver in drivers))
+            self.assertTrue(any("重建浏览器" in message or "重建 Selenium 会话" in message for _level, message in logs))
+
+    def test_submit_captcha_flow_uses_ocr_branch(self) -> None:
+        with workspace_tempdir("submit-captcha-") as temp_dir:
+            store, user = self._make_store(temp_dir)
+            config = self._make_config()
+            logs: list[tuple[str, str]] = []
+            bot = self._make_bot(store, user, config, logs)
+            fake_button = FakeButton()
+            fake_results = [{"result": True, "subject": "1001001_01", "detail": ""}]
+
+            with patch.object(bot, "_find", return_value=fake_button), patch.object(
+                bot,
+                "_wait_for_submit_state",
+                side_effect=["captcha", "result"],
+            ), patch.object(
+                bot,
+                "_solve_visible_submit_captcha",
+                return_value=True,
+            ) as solve_mock, patch.object(
+                bot,
+                "_read_result_page",
+                return_value=fake_results,
+            ):
+                results = bot._submit_with_optional_captcha(object(), object(), "1001001_01")
+
+            self.assertEqual(results, fake_results)
+            self.assertEqual(fake_button.click_count, 1)
+            solve_mock.assert_called_once()
+            self.assertTrue(any("检测到验证码" in message for _level, message in logs))
+
+
+if __name__ == "__main__":
+    unittest.main()