Deploy codex-console to HF Space

.dockerignore

@@ -0,0 +1,18 @@
+.git
+.github
+.pytest_cache
+__pycache__
+*.py[cod]
+.venv
+venv
+build
+dist
+tests
+tmp_*.js
+codex_register.spec
+docker-compose.yml
+build.bat
+build.sh
+.env
+.env.*
+!.env.example

.gitattributes

@@ -1,35 +1,2 @@
-*.7z filter=lfs diff=lfs merge=lfs -text
-*.arrow filter=lfs diff=lfs merge=lfs -text
-*.bin filter=lfs diff=lfs merge=lfs -text
-*.bz2 filter=lfs diff=lfs merge=lfs -text
-*.ckpt filter=lfs diff=lfs merge=lfs -text
-*.ftz filter=lfs diff=lfs merge=lfs -text
-*.gz filter=lfs diff=lfs merge=lfs -text
-*.h5 filter=lfs diff=lfs merge=lfs -text
-*.joblib filter=lfs diff=lfs merge=lfs -text
-*.lfs.* filter=lfs diff=lfs merge=lfs -text
-*.mlmodel filter=lfs diff=lfs merge=lfs -text
-*.model filter=lfs diff=lfs merge=lfs -text
-*.msgpack filter=lfs diff=lfs merge=lfs -text
-*.npy filter=lfs diff=lfs merge=lfs -text
-*.npz filter=lfs diff=lfs merge=lfs -text
-*.onnx filter=lfs diff=lfs merge=lfs -text
-*.ot filter=lfs diff=lfs merge=lfs -text
-*.parquet filter=lfs diff=lfs merge=lfs -text
-*.pb filter=lfs diff=lfs merge=lfs -text
-*.pickle filter=lfs diff=lfs merge=lfs -text
-*.pkl filter=lfs diff=lfs merge=lfs -text
-*.pt filter=lfs diff=lfs merge=lfs -text
-*.pth filter=lfs diff=lfs merge=lfs -text
-*.rar filter=lfs diff=lfs merge=lfs -text
-*.safetensors filter=lfs diff=lfs merge=lfs -text
-saved_model/**/* filter=lfs diff=lfs merge=lfs -text
-*.tar.* filter=lfs diff=lfs merge=lfs -text
-*.tar filter=lfs diff=lfs merge=lfs -text
-*.tflite filter=lfs diff=lfs merge=lfs -text
-*.tgz filter=lfs diff=lfs merge=lfs -text
-*.wasm filter=lfs diff=lfs merge=lfs -text
-*.xz filter=lfs diff=lfs merge=lfs -text
-*.zip filter=lfs diff=lfs merge=lfs -text
-*.zst filter=lfs diff=lfs merge=lfs -text
-*tfevents* filter=lfs diff=lfs merge=lfs -text
+* text=auto eol=lf
+*.bat text eol=crlf

.gitignore

@@ -0,0 +1,58 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual Environment
+.venv/
+venv/
+ENV/
+env/
+uv.lock
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Data and Logs
+data/
+logs/
+*.db
+*.sqlite
+*.sqlite3
+
+# Token files
+token_*.json
+
+# Environment
+.env
+.env.local
+*.local
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Project specific
+backups/
+/out/

Dockerfile

@@ -0,0 +1,27 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    APP_HOST=0.0.0.0 \
+    APP_PORT=1455 \
+    LOG_LEVEL=info \
+    DEBUG=0
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        bash \
+        gcc \
+        python3-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir --upgrade pip \
+    && pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 7860
+
+CMD ["bash", "/app/deploy/huggingface/start.sh"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,11 +1,212 @@
----
-title: Codex Console
-emoji: 🏢
-colorFrom: pink
-colorTo: gray
-sdk: docker
-pinned: false
-license: apache-2.0
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# codex-console
+
+基于 [cnlimiter/codex-manager](https://github.com/cnlimiter/codex-manager) 持续修复和维护的增强版本。
+
+这个版本的目标很直接: 把近期 OpenAI 注册链路里那些“昨天还能跑，今天突然翻车”的坑补上，让注册、登录、拿 token、打包运行都更稳一点。
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Python](https://img.shields.io/badge/Python-3.10%2B-blue.svg)](https://www.python.org/)
+
+## QQ群
+
+- 交流群: https://qm.qq.com/q/ZTCKxawxeo
+
+## 致谢
+
+首先感谢上游项目作者 [cnlimiter](https://github.com/cnlimiter) 提供的优秀基础工程。
+
+本仓库是在原项目思路和结构之上进行兼容性修复、流程调整和体验优化，适合作为一个“当前可用的修复维护版”继续使用。
+
+## 这个分支修了什么
+
+为适配当前注册链路，这个分支重点补了下面几个问题:
+
+1. 新增 Sentinel POW 求解逻辑  
+   OpenAI 现在会强制校验 Sentinel POW，原先直接传空值已经不行了，这里补上了实际求解流程。
+
+2. 注册和登录拆成两段  
+   现在注册完成后通常不会直接返回可用 token，而是跳转到绑定手机或后续页面。  
+   本分支改成“先注册成功，再单独走一次登录流程拿 token”，避免卡死在旧逻辑里。
+
+3. 去掉重复发送验证码  
+   登录流程里服务端本身会自动发送验证码邮件，旧逻辑再手动发一次，容易让新旧验证码打架。  
+   现在改成直接等待系统自动发来的那封验证码邮件。
+
+4. 修复重新登录流程的页面判断问题  
+   针对重新登录时页面流转变化，调整了登录入口和密码提交逻辑，减少卡在错误页面的情况。
+
+5. 优化终端和 Web UI 提示文案  
+   保留可读性的前提下，把一些提示改得更友好一点，出错时至少不至于像在挨骂。
+
+## 核心能力
+
+- Web UI 管理注册任务和账号数据
+- 支持批量注册、日志实时查看、基础任务管理
+- 支持多种邮箱服务接码
+- 支持 SQLite 和远程 PostgreSQL
+- 支持打包为 Windows/Linux/macOS 可执行文件
+- 更适配当前 OpenAI 注册与登录链路
+
+## 环境要求
+
+- Python 3.10+
+- `uv`（推荐）或 `pip`
+
+## 安装依赖
+
+```bash
+# 使用 uv（推荐）
+uv sync
+
+# 或使用 pip
+pip install -r requirements.txt
+```
+
+## 环境变量配置
+
+可选。复制 `.env.example` 为 `.env` 后按需修改:
+
+```bash
+cp .env.example .env
+```
+
+常用变量如下:
+
+| 变量 | 说明 | 默认值 |
+| --- | --- | --- |
+| `APP_HOST` | 监听主机 | `0.0.0.0` |
+| `APP_PORT` | 监听端口 | `8000` |
+| `APP_ACCESS_PASSWORD` | Web UI 访问密钥 | `admin123` |
+| `APP_DATABASE_URL` | 数据库连接字符串 | `data/database.db` |
+
+优先级:
+
+`命令行参数 > 环境变量(.env) > 数据库设置 > 默认值`
+
+## 启动 Web UI
+
+```bash
+# 默认启动（127.0.0.1:8000）
+python webui.py
+
+# 指定地址和端口
+python webui.py --host 0.0.0.0 --port 8080
+
+# 调试模式（热重载）
+python webui.py --debug
+
+# 设置 Web UI 访问密钥
+python webui.py --access-password mypassword
+
+# 组合参数
+python webui.py --host 0.0.0.0 --port 8080 --access-password mypassword
+```
+
+说明:
+
+- `--access-password` 的优先级高于数据库中的密钥设置
+- 该参数只对本次启动生效
+- 打包后的 exe 也支持这个参数
+
+例如:
+
+```bash
+codex-console.exe --access-password mypassword
+```
+
+启动后访问:
+
+[http://127.0.0.1:8000](http://127.0.0.1:8000)
+
+## Docker 部署
+
+### 使用 docker-compose
+
+```bash
+docker-compose up -d
+```
+
+你可以在 `docker-compose.yml` 中修改环境变量，比如端口和访问密码。
+
+### 使用 docker run
+
+```bash
+docker run -d \
+  -p 1455:1455 \
+  -e WEBUI_HOST=0.0.0.0 \
+  -e WEBUI_PORT=1455 \
+  -e WEBUI_ACCESS_PASSWORD=your_secure_password \
+  -v $(pwd)/data:/app/data \
+  --name codex-console \
+  ghcr.io/<yourname>/codex-console:latest
+```
+
+说明:
+
+- `WEBUI_HOST`: 监听主机，默认 `0.0.0.0`
+- `WEBUI_PORT`: 监听端口，默认 `1455`
+- `WEBUI_ACCESS_PASSWORD`: Web UI 访问密码
+- `DEBUG`: 设为 `1` 或 `true` 可开启调试模式
+- `LOG_LEVEL`: 日志级别，例如 `info`、`debug`
+
+注意:
+
+`-v $(pwd)/data:/app/data` 很重要，这会把数据库和账号数据持久化到宿主机。否则容器一重启，数据也可能跟着表演消失术。
+
+## 使用远程 PostgreSQL
+
+```bash
+export APP_DATABASE_URL="postgresql://user:password@host:5432/dbname"
+python webui.py
+```
+
+也支持 `DATABASE_URL`，但优先级低于 `APP_DATABASE_URL`。
+
+## 打包为可执行文件
+
+```bash
+# Windows
+build.bat
+
+# Linux/macOS
+bash build.sh
+```
+
+Windows 打包完成后，默认会在 `dist/` 目录生成类似下面的文件:
+
+```text
+dist/codex-console-windows-X64.exe
+```
+
+如果打包失败，优先检查:
+
+- Python 是否已加入 PATH
+- 依赖是否安装完整
+- 杀毒软件是否拦截了 PyInstaller 产物
+- 终端里是否有更具体的报错日志
+
+## 项目定位
+
+这个仓库更适合作为:
+
+- 原项目的修复增强版
+- 当前注册链路的兼容维护版
+- 自己二次开发的基础版本
+
+如果你准备公开发布，建议在仓库描述里明确写上:
+
+`Forked and fixed from cnlimiter/codex-manager`
+
+这样既方便别人理解来源，也对上游作者更尊重。
+
+## 仓库命名
+
+当前仓库名:
+
+`codex-console`
+
+## 免责声明
+
+本项目仅供学习、研究和技术交流使用，请遵守相关平台和服务条款，不要用于违规、滥用或非法用途。
+
+因使用本项目产生的任何风险和后果，由使用者自行承担。

deploy/huggingface/start.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+APP_ROOT="/app"
+
+effective_host="${APP_HOST:-${WEBUI_HOST:-0.0.0.0}}"
+effective_port="${APP_PORT:-${WEBUI_PORT:-${PORT:-1455}}}"
+effective_password="${APP_ACCESS_PASSWORD:-${WEBUI_ACCESS_PASSWORD:-${SPACE_PASSWORD:-}}}"
+
+if [[ -n "${APP_DATA_DIR:-}" ]]; then
+  data_dir="${APP_DATA_DIR}"
+elif [[ -d "/data" ]]; then
+  data_dir="/data"
+else
+  data_dir="${APP_ROOT}/data"
+fi
+
+export APP_HOST="${effective_host}"
+export APP_PORT="${effective_port}"
+export APP_DATA_DIR="${data_dir}"
+export APP_LOGS_DIR="${APP_LOGS_DIR:-${data_dir}/logs}"
+
+mkdir -p "${APP_DATA_DIR}" "${APP_LOGS_DIR}"
+
+if [[ -z "${APP_DATABASE_URL:-}" && -z "${DATABASE_URL:-}" ]]; then
+  export APP_DATABASE_URL="sqlite:///${APP_DATA_DIR}/database.db"
+fi
+
+if [[ -n "${effective_password}" ]]; then
+  export APP_ACCESS_PASSWORD="${effective_password}"
+fi
+
+echo "[hf-space] starting codex-console"
+echo "[hf-space] listen: ${APP_HOST}:${APP_PORT}"
+echo "[hf-space] data dir: ${APP_DATA_DIR}"
+echo "[hf-space] logs dir: ${APP_LOGS_DIR}"
+if [[ -n "${APP_ACCESS_PASSWORD:-}" ]]; then
+  echo "[hf-space] access password: configured"
+else
+  echo "[hf-space] access password: not set"
+fi
+
+cmd=(python webui.py --host "${APP_HOST}" --port "${APP_PORT}")
+if [[ -n "${APP_ACCESS_PASSWORD:-}" ]]; then
+  cmd+=(--access-password "${APP_ACCESS_PASSWORD}")
+fi
+
+exec "${cmd[@]}"

pyproject.toml

@@ -0,0 +1,43 @@
+[project]
+name = "codex-console"
+version = "1.0.4"
+description = "OpenAI account management console"
+requires-python = ">=3.10"
+dependencies = [
+    "curl-cffi>=0.14.0",
+    "fastapi>=0.100.0",
+    "uvicorn>=0.23.0",
+    "jinja2>=3.1.0",
+    "python-multipart>=0.0.6",
+    "pydantic>=2.0.0",
+    "pydantic-settings>=2.0.0",
+    "sqlalchemy>=2.0.0",
+    "aiosqlite>=0.19.0",
+    "psycopg[binary]>=3.1.18",
+    "websockets>=16.0",
+    "path>=17.1.1",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=7.0.0",
+    "httpx>=0.24.0",
+]
+payment = [
+    "playwright>=1.40.0",
+]
+
+[project.scripts]
+codex-console = "webui:main"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src"]
+
+[dependency-groups]
+dev = [
+    "pyinstaller>=6.19.0",
+]

requirements.txt

@@ -0,0 +1,16 @@
+certifi>=2024.0.0
+cffi>=1.16.0
+curl_cffi>=0.14.0
+pycparser>=1.21
+pydantic>=2.0.0
+pydantic-settings>=2.0.0
+fastapi>=0.100.0
+uvicorn[standard]>=0.23.0
+jinja2>=3.1.0
+python-multipart>=0.0.6
+requests>=2.32.5
+sqlalchemy>=2.0.0
+aiosqlite>=0.19.0
+psycopg[binary]>=3.1.18
+# 可选：无痕打开支付页需要 playwright（pip install playwright && playwright install chromium）
+# playwright>=1.40.0

src/__init__.py

@@ -0,0 +1,24 @@
+"""
+OpenAI/Codex CLI 自动注册系统
+"""
+
+from .config import get_settings, EmailServiceType
+from .database import get_db, Account, EmailService, RegistrationTask
+from .core import RegistrationEngine, RegistrationResult
+from .services import EmailServiceFactory, BaseEmailService
+
+__version__ = "2.0.0"
+__author__ = "Yasal"
+
+__all__ = [
+    'get_settings',
+    'EmailServiceType',
+    'get_db',
+    'Account',
+    'EmailService',
+    'RegistrationTask',
+    'RegistrationEngine',
+    'RegistrationResult',
+    'EmailServiceFactory',
+    'BaseEmailService',
+]

src/config/__init__.py

@@ -0,0 +1,53 @@
+"""
+配置模块
+"""
+
+from .settings import (
+    Settings,
+    get_settings,
+    update_settings,
+    get_database_url,
+    init_default_settings,
+    get_setting_definition,
+    get_all_setting_definitions,
+    SETTING_DEFINITIONS,
+    SettingCategory,
+    SettingDefinition,
+)
+from .constants import (
+    AccountStatus,
+    TaskStatus,
+    EmailServiceType,
+    APP_NAME,
+    APP_VERSION,
+    OTP_CODE_PATTERN,
+    DEFAULT_PASSWORD_LENGTH,
+    PASSWORD_CHARSET,
+    DEFAULT_USER_INFO,
+    generate_random_user_info,
+    OPENAI_API_ENDPOINTS,
+)
+
+__all__ = [
+    'Settings',
+    'get_settings',
+    'update_settings',
+    'get_database_url',
+    'init_default_settings',
+    'get_setting_definition',
+    'get_all_setting_definitions',
+    'SETTING_DEFINITIONS',
+    'SettingCategory',
+    'SettingDefinition',
+    'AccountStatus',
+    'TaskStatus',
+    'EmailServiceType',
+    'APP_NAME',
+    'APP_VERSION',
+    'OTP_CODE_PATTERN',
+    'DEFAULT_PASSWORD_LENGTH',
+    'PASSWORD_CHARSET',
+    'DEFAULT_USER_INFO',
+    'generate_random_user_info',
+    'OPENAI_API_ENDPOINTS',
+]

src/config/constants.py

@@ -0,0 +1,408 @@
+"""
+常量定义
+"""
+
+import random
+from datetime import datetime
+from enum import Enum
+from typing import Dict, List, Tuple
+
+
+# ============================================================================
+# 枚举类型
+# ============================================================================
+
+class AccountStatus(str, Enum):
+    """账户状态"""
+    ACTIVE = "active"
+    EXPIRED = "expired"
+    BANNED = "banned"
+    FAILED = "failed"
+
+
+class TaskStatus(str, Enum):
+    """任务状态"""
+    PENDING = "pending"
+    RUNNING = "running"
+    COMPLETED = "completed"
+    FAILED = "failed"
+    CANCELLED = "cancelled"
+
+
+class EmailServiceType(str, Enum):
+    """邮箱服务类型"""
+    TEMPMAIL = "tempmail"
+    OUTLOOK = "outlook"
+    MOE_MAIL = "moe_mail"
+    TEMP_MAIL = "temp_mail"
+    DUCK_MAIL = "duck_mail"
+    FREEMAIL = "freemail"
+    IMAP_MAIL = "imap_mail"
+    CLOUD_MAIL = "cloud_mail"
+
+
+# ============================================================================
+# 应用常量
+# ============================================================================
+
+APP_NAME = "OpenAI/Codex CLI 自动注册系统"
+APP_VERSION = "2.0.0"
+APP_DESCRIPTION = "自动注册 OpenAI/Codex CLI 账号的系统"
+
+# ============================================================================
+# OpenAI OAuth 相关常量
+# ============================================================================
+
+# OAuth 参数
+OAUTH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+OAUTH_AUTH_URL = "https://auth.openai.com/oauth/authorize"
+OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token"
+OAUTH_REDIRECT_URI = "http://localhost:1455/auth/callback"
+OAUTH_SCOPE = "openid email profile offline_access"
+
+# OpenAI API 端点
+OPENAI_API_ENDPOINTS = {
+    "sentinel": "https://sentinel.openai.com/backend-api/sentinel/req",
+    "signup": "https://auth.openai.com/api/accounts/authorize/continue",
+    "register": "https://auth.openai.com/api/accounts/user/register",
+    "password_verify": "https://auth.openai.com/api/accounts/password/verify",
+    "send_otp": "https://auth.openai.com/api/accounts/email-otp/send",
+    "validate_otp": "https://auth.openai.com/api/accounts/email-otp/validate",
+    "create_account": "https://auth.openai.com/api/accounts/create_account",
+    "select_workspace": "https://auth.openai.com/api/accounts/workspace/select",
+}
+
+# OpenAI 页面类型（用于判断账号状态）
+OPENAI_PAGE_TYPES = {
+    "EMAIL_OTP_VERIFICATION": "email_otp_verification",  # 已注册账号，需要 OTP 验证
+    "PASSWORD_REGISTRATION": "create_account_password",  # 新账号，需要设置密码
+    "LOGIN_PASSWORD": "login_password",  # 登录流程，需要输入密码
+}
+
+# ============================================================================
+# 邮箱服务相关常量
+# ============================================================================
+
+# Tempmail.lol API 端点
+TEMPMAIL_API_ENDPOINTS = {
+    "create_inbox": "/inbox/create",
+    "get_inbox": "/inbox",
+}
+
+# 自定义域名邮箱 API 端点
+CUSTOM_DOMAIN_API_ENDPOINTS = {
+    "get_config": "/api/config",
+    "create_email": "/api/emails/generate",
+    "list_emails": "/api/emails",
+    "get_email_messages": "/api/emails/{emailId}",
+    "delete_email": "/api/emails/{emailId}",
+    "get_message": "/api/emails/{emailId}/{messageId}",
+}
+
+# 邮箱服务默认配置
+EMAIL_SERVICE_DEFAULTS = {
+    "tempmail": {
+        "base_url": "https://api.tempmail.lol/v2",
+        "timeout": 30,
+        "max_retries": 3,
+    },
+    "outlook": {
+        "imap_server": "outlook.office365.com",
+        "imap_port": 993,
+        "smtp_server": "smtp.office365.com",
+        "smtp_port": 587,
+        "timeout": 30,
+    },
+    "moe_mail": {
+        "base_url": "",  # 需要用户配置
+        "api_key_header": "X-API-Key",
+        "timeout": 30,
+        "max_retries": 3,
+    },
+    "duck_mail": {
+        "base_url": "",
+        "default_domain": "",
+        "password_length": 12,
+        "timeout": 30,
+        "max_retries": 3,
+    },
+    "freemail": {
+        "base_url": "",
+        "admin_token": "",
+        "domain": "",
+        "timeout": 30,
+        "max_retries": 3,
+    },
+    "imap_mail": {
+        "host": "",
+        "port": 993,
+        "use_ssl": True,
+        "email": "",
+        "password": "",
+        "timeout": 30,
+        "max_retries": 3,
+    },
+    "cloud_mail": {
+        "base_url": "",
+        "admin_email": "",
+        "admin_password": "",
+        "domain": "",
+        "timeout": 30,
+        "max_retries": 3,
+    }
+}
+
+# ============================================================================
+# 注册流程相关常量
+# ============================================================================
+
+# 验证码相关
+OTP_CODE_PATTERN = r"(?<!\d)(\d{6})(?!\d)"
+OTP_MAX_ATTEMPTS = 40  # 最大轮询次数
+
+# 验证码提取正则（增强版）
+# 简单匹配：任意 6 位数字
+OTP_CODE_SIMPLE_PATTERN = r"(?<!\d)(\d{6})(?!\d)"
+# 语义匹配：带上下文的验证码（如 "code is 123456", "验证码 123456"）
+OTP_CODE_SEMANTIC_PATTERN = r'(?:code\s+is|验证码[是为]?\s*[:：]?\s*)(\d{6})'
+
+# OpenAI 验证邮件发件人
+OPENAI_EMAIL_SENDERS = [
+    "noreply@openai.com",
+    "no-reply@openai.com",
+    "@openai.com",     # 精确域名匹配
+    ".openai.com",     # 子域名匹配（如 otp@tm1.openai.com）
+]
+
+# OpenAI 验证邮件关键词
+OPENAI_VERIFICATION_KEYWORDS = [
+    "verify your email",
+    "verification code",
+    "验证码",
+    "your openai code",
+    "code is",
+    "one-time code",
+]
+
+# 密码生成
+PASSWORD_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+DEFAULT_PASSWORD_LENGTH = 12
+
+# 用户信息生成（用于注册）
+
+# 常用英文名
+FIRST_NAMES = [
+    "James", "John", "Robert", "Michael", "William", "David", "Richard", "Joseph", "Thomas", "Charles",
+    "Emma", "Olivia", "Ava", "Isabella", "Sophia", "Mia", "Charlotte", "Amelia", "Harper", "Evelyn",
+    "Alex", "Jordan", "Taylor", "Morgan", "Casey", "Riley", "Jamie", "Avery", "Quinn", "Skyler",
+    "Liam", "Noah", "Ethan", "Lucas", "Mason", "Oliver", "Elijah", "Aiden", "Henry", "Sebastian",
+    "Grace", "Lily", "Chloe", "Zoey", "Nora", "Aria", "Hazel", "Aurora", "Stella", "Ivy"
+]
+
+def generate_random_user_info() -> dict:
+    """
+    生成随机用户信息
+
+    Returns:
+        包含 name 和 birthdate 的字典
+    """
+    # 随机选择名字
+    name = random.choice(FIRST_NAMES)
+
+    # 生成随机生日（18-45岁）
+    current_year = datetime.now().year
+    birth_year = random.randint(current_year - 45, current_year - 18)
+    birth_month = random.randint(1, 12)
+    # 根据月份确定天数
+    if birth_month in [1, 3, 5, 7, 8, 10, 12]:
+        birth_day = random.randint(1, 31)
+    elif birth_month in [4, 6, 9, 11]:
+        birth_day = random.randint(1, 30)
+    else:
+        # 2月，简化处理
+        birth_day = random.randint(1, 28)
+
+    birthdate = f"{birth_year}-{birth_month:02d}-{birth_day:02d}"
+
+    return {
+        "name": name,
+        "birthdate": birthdate
+    }
+
+# 保留默认值供兼容
+DEFAULT_USER_INFO = {
+    "name": "Neo",
+    "birthdate": "2000-02-20",
+}
+
+# ============================================================================
+# 代理相关常量
+# ============================================================================
+
+PROXY_TYPES = ["http", "socks5", "socks5h"]
+DEFAULT_PROXY_CONFIG = {
+    "enabled": False,
+    "type": "http",
+    "host": "127.0.0.1",
+    "port": 7890,
+}
+
+# ============================================================================
+# 数据库相关常量
+# ============================================================================
+
+# 数据库表名
+DB_TABLE_NAMES = {
+    "accounts": "accounts",
+    "email_services": "email_services",
+    "registration_tasks": "registration_tasks",
+    "settings": "settings",
+}
+
+# 默认设置
+DEFAULT_SETTINGS = [
+    # (key, value, description, category)
+    ("system.name", APP_NAME, "系统名称", "general"),
+    ("system.version", APP_VERSION, "系统版本", "general"),
+    ("logs.retention_days", "30", "日志保留天数", "general"),
+    ("openai.client_id", OAUTH_CLIENT_ID, "OpenAI OAuth Client ID", "openai"),
+    ("openai.auth_url", OAUTH_AUTH_URL, "OpenAI 认证地址", "openai"),
+    ("openai.token_url", OAUTH_TOKEN_URL, "OpenAI Token 地址", "openai"),
+    ("openai.redirect_uri", OAUTH_REDIRECT_URI, "OpenAI 回调地址", "openai"),
+    ("openai.scope", OAUTH_SCOPE, "OpenAI 权限范围", "openai"),
+    ("proxy.enabled", "false", "是否启用代理", "proxy"),
+    ("proxy.type", "http", "代理类型 (http/socks5)", "proxy"),
+    ("proxy.host", "127.0.0.1", "代理主机", "proxy"),
+    ("proxy.port", "7890", "代理端口", "proxy"),
+    ("registration.max_retries", "3", "最大重试次数", "registration"),
+    ("registration.timeout", "120", "超时时间（秒）", "registration"),
+    ("registration.default_password_length", "12", "默认密码长度", "registration"),
+    ("webui.host", "0.0.0.0", "Web UI 监听主机", "webui"),
+    ("webui.port", "8000", "Web UI 监听端口", "webui"),
+    ("webui.debug", "true", "调试模式", "webui"),
+]
+
+# ============================================================================
+# Web UI 相关常量
+# ============================================================================
+
+# WebSocket 事件
+WEBSOCKET_EVENTS = {
+    "CONNECT": "connect",
+    "DISCONNECT": "disconnect",
+    "LOG": "log",
+    "STATUS": "status",
+    "ERROR": "error",
+    "COMPLETE": "complete",
+}
+
+# API 响应状态码
+API_STATUS_CODES = {
+    "SUCCESS": 200,
+    "CREATED": 201,
+    "BAD_REQUEST": 400,
+    "UNAUTHORIZED": 401,
+    "FORBIDDEN": 403,
+    "NOT_FOUND": 404,
+    "CONFLICT": 409,
+    "INTERNAL_ERROR": 500,
+}
+
+# 分页
+DEFAULT_PAGE_SIZE = 20
+MAX_PAGE_SIZE = 100
+
+# ============================================================================
+# 错误消息
+# ============================================================================
+
+ERROR_MESSAGES = {
+    # 通用错误
+    "DATABASE_ERROR": "数据库操作失败",
+    "CONFIG_ERROR": "配置错误",
+    "NETWORK_ERROR": "网络连接失败",
+    "TIMEOUT": "操作超时",
+    "VALIDATION_ERROR": "参数验证失败",
+
+    # 邮箱服务错误
+    "EMAIL_SERVICE_UNAVAILABLE": "邮箱服务不可用",
+    "EMAIL_CREATION_FAILED": "创建邮箱失败",
+    "OTP_NOT_RECEIVED": "未收到验证码",
+    "OTP_INVALID": "验证码无效",
+
+    # OpenAI 相关错误
+    "OPENAI_AUTH_FAILED": "OpenAI 认证失败",
+    "OPENAI_RATE_LIMIT": "OpenAI 接口限流",
+    "OPENAI_CAPTCHA": "遇到验证码",
+
+    # 代理错误
+    "PROXY_FAILED": "代理连接失败",
+    "PROXY_AUTH_FAILED": "代理认证失败",
+
+    # 账户错误
+    "ACCOUNT_NOT_FOUND": "账户不存在",
+    "ACCOUNT_ALREADY_EXISTS": "账户已存在",
+    "ACCOUNT_INVALID": "账户无效",
+
+    # 任务错误
+    "TASK_NOT_FOUND": "任务不存在",
+    "TASK_ALREADY_RUNNING": "任务已在运行中",
+    "TASK_CANCELLED": "任务已取消",
+}
+
+# ============================================================================
+# 正则表达式
+# ============================================================================
+
+REGEX_PATTERNS = {
+    "EMAIL": r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$",
+    "URL": r"https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+",
+    "IP_ADDRESS": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
+    "OTP_CODE": OTP_CODE_PATTERN,
+}
+
+# ============================================================================
+# 时间常量
+# ============================================================================
+
+TIME_CONSTANTS = {
+    "SECOND": 1,
+    "MINUTE": 60,
+    "HOUR": 3600,
+    "DAY": 86400,
+    "WEEK": 604800,
+}
+
+
+# ============================================================================
+# Microsoft/Outlook 相关常量
+# ============================================================================
+
+# Microsoft OAuth2 Token 端点
+MICROSOFT_TOKEN_ENDPOINTS = {
+    # 旧版 IMAP 使用的端点
+    "LIVE": "https://login.live.com/oauth20_token.srf",
+    # 新版 IMAP 使用的端点（需要特定 scope）
+    "CONSUMERS": "https://login.microsoftonline.com/consumers/oauth2/v2.0/token",
+    # Graph API 使用的端点
+    "COMMON": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+}
+
+# IMAP 服务器配置
+OUTLOOK_IMAP_SERVERS = {
+    "OLD": "outlook.office365.com",  # 旧版 IMAP
+    "NEW": "outlook.live.com",       # 新版 IMAP
+}
+
+# Microsoft OAuth2 Scopes
+MICROSOFT_SCOPES = {
+    # 旧版 IMAP 不需要特定 scope
+    "IMAP_OLD": "",
+    # 新版 IMAP 需要的 scope
+    "IMAP_NEW": "https://outlook.office.com/IMAP.AccessAsUser.All offline_access",
+    # Graph API 需要的 scope
+    "GRAPH_API": "https://graph.microsoft.com/.default",
+}
+
+# Outlook 提供者默认优先级
+OUTLOOK_PROVIDER_PRIORITY = ["imap_new", "imap_old", "graph_api"]

src/config/settings.py

@@ -0,0 +1,767 @@
+"""
+配置管理 - 完全基于数据库存储
+所有配置都从数据库读取，不再使用环境变量或 .env 文件
+"""
+
+import os
+from typing import Optional, Dict, Any, Type, List
+from enum import Enum
+from pydantic import BaseModel, field_validator
+from pydantic.types import SecretStr
+from dataclasses import dataclass
+
+
+class SettingCategory(str, Enum):
+    """设置分类"""
+    GENERAL = "general"
+    DATABASE = "database"
+    WEBUI = "webui"
+    LOG = "log"
+    OPENAI = "openai"
+    PROXY = "proxy"
+    REGISTRATION = "registration"
+    EMAIL = "email"
+    TEMPMAIL = "tempmail"
+    CUSTOM_DOMAIN = "moe_mail"
+    SECURITY = "security"
+    CPA = "cpa"
+
+
+@dataclass
+class SettingDefinition:
+    """设置定义"""
+    db_key: str
+    default_value: Any
+    category: SettingCategory
+    description: str = ""
+    is_secret: bool = False
+
+
+# 所有配置项定义（包含数据库键名、默认值、分类、描述）
+SETTING_DEFINITIONS: Dict[str, SettingDefinition] = {
+    # 应用信息
+    "app_name": SettingDefinition(
+        db_key="app.name",
+        default_value="OpenAI/Codex CLI 自动注册系统",
+        category=SettingCategory.GENERAL,
+        description="应用名称"
+    ),
+    "app_version": SettingDefinition(
+        db_key="app.version",
+        default_value="2.0.0",
+        category=SettingCategory.GENERAL,
+        description="应用版本"
+    ),
+    "debug": SettingDefinition(
+        db_key="app.debug",
+        default_value=False,
+        category=SettingCategory.GENERAL,
+        description="调试模式"
+    ),
+
+    # 数据库配置
+    "database_url": SettingDefinition(
+        db_key="database.url",
+        default_value="data/database.db",
+        category=SettingCategory.DATABASE,
+        description="数据库路径或连接字符串"
+    ),
+
+    # Web UI 配置
+    "webui_host": SettingDefinition(
+        db_key="webui.host",
+        default_value="0.0.0.0",
+        category=SettingCategory.WEBUI,
+        description="Web UI 监听地址"
+    ),
+    "webui_port": SettingDefinition(
+        db_key="webui.port",
+        default_value=8000,
+        category=SettingCategory.WEBUI,
+        description="Web UI 监听端口"
+    ),
+    "webui_secret_key": SettingDefinition(
+        db_key="webui.secret_key",
+        default_value="your-secret-key-change-in-production",
+        category=SettingCategory.WEBUI,
+        description="Web UI 密钥",
+        is_secret=True
+    ),
+    "webui_access_password": SettingDefinition(
+        db_key="webui.access_password",
+        default_value="admin123",
+        category=SettingCategory.WEBUI,
+        description="Web UI 访问密码",
+        is_secret=True
+    ),
+
+    # 日志配置
+    "log_level": SettingDefinition(
+        db_key="log.level",
+        default_value="INFO",
+        category=SettingCategory.LOG,
+        description="日志级别"
+    ),
+    "log_file": SettingDefinition(
+        db_key="log.file",
+        default_value="logs/app.log",
+        category=SettingCategory.LOG,
+        description="日志文件路径"
+    ),
+    "log_retention_days": SettingDefinition(
+        db_key="log.retention_days",
+        default_value=30,
+        category=SettingCategory.LOG,
+        description="日志保留天数"
+    ),
+
+    # OpenAI 配置
+    "openai_client_id": SettingDefinition(
+        db_key="openai.client_id",
+        default_value="app_EMoamEEZ73f0CkXaXp7hrann",
+        category=SettingCategory.OPENAI,
+        description="OpenAI OAuth 客户端 ID"
+    ),
+    "openai_auth_url": SettingDefinition(
+        db_key="openai.auth_url",
+        default_value="https://auth.openai.com/oauth/authorize",
+        category=SettingCategory.OPENAI,
+        description="OpenAI OAuth 授权 URL"
+    ),
+    "openai_token_url": SettingDefinition(
+        db_key="openai.token_url",
+        default_value="https://auth.openai.com/oauth/token",
+        category=SettingCategory.OPENAI,
+        description="OpenAI OAuth Token URL"
+    ),
+    "openai_redirect_uri": SettingDefinition(
+        db_key="openai.redirect_uri",
+        default_value="http://localhost:1455/auth/callback",
+        category=SettingCategory.OPENAI,
+        description="OpenAI OAuth 回调 URI"
+    ),
+    "openai_scope": SettingDefinition(
+        db_key="openai.scope",
+        default_value="openid email profile offline_access",
+        category=SettingCategory.OPENAI,
+        description="OpenAI OAuth 权限范围"
+    ),
+
+    # 代理配置
+    "proxy_enabled": SettingDefinition(
+        db_key="proxy.enabled",
+        default_value=False,
+        category=SettingCategory.PROXY,
+        description="是否启用代理"
+    ),
+    "proxy_type": SettingDefinition(
+        db_key="proxy.type",
+        default_value="http",
+        category=SettingCategory.PROXY,
+        description="代理类型 (http/socks5)"
+    ),
+    "proxy_host": SettingDefinition(
+        db_key="proxy.host",
+        default_value="127.0.0.1",
+        category=SettingCategory.PROXY,
+        description="代理服务器地址"
+    ),
+    "proxy_port": SettingDefinition(
+        db_key="proxy.port",
+        default_value=7890,
+        category=SettingCategory.PROXY,
+        description="代理服务器端口"
+    ),
+    "proxy_username": SettingDefinition(
+        db_key="proxy.username",
+        default_value="",
+        category=SettingCategory.PROXY,
+        description="代理用户名"
+    ),
+    "proxy_password": SettingDefinition(
+        db_key="proxy.password",
+        default_value="",
+        category=SettingCategory.PROXY,
+        description="代理密码",
+        is_secret=True
+    ),
+    "proxy_dynamic_enabled": SettingDefinition(
+        db_key="proxy.dynamic_enabled",
+        default_value=False,
+        category=SettingCategory.PROXY,
+        description="是否启用动态代理"
+    ),
+    "proxy_dynamic_api_url": SettingDefinition(
+        db_key="proxy.dynamic_api_url",
+        default_value="",
+        category=SettingCategory.PROXY,
+        description="动态代理 API 地址，返回代理 URL 字符串"
+    ),
+    "proxy_dynamic_api_key": SettingDefinition(
+        db_key="proxy.dynamic_api_key",
+        default_value="",
+        category=SettingCategory.PROXY,
+        description="动态代理 API 密钥（可选）",
+        is_secret=True
+    ),
+    "proxy_dynamic_api_key_header": SettingDefinition(
+        db_key="proxy.dynamic_api_key_header",
+        default_value="X-API-Key",
+        category=SettingCategory.PROXY,
+        description="动态代理 API 密钥请求头名称"
+    ),
+    "proxy_dynamic_result_field": SettingDefinition(
+        db_key="proxy.dynamic_result_field",
+        default_value="",
+        category=SettingCategory.PROXY,
+        description="从 JSON 响应中提取代理 URL 的字段路径（留空则使用响应原文）"
+    ),
+
+    # 注册配置
+    "registration_max_retries": SettingDefinition(
+        db_key="registration.max_retries",
+        default_value=3,
+        category=SettingCategory.REGISTRATION,
+        description="注册最大重试次数"
+    ),
+    "registration_timeout": SettingDefinition(
+        db_key="registration.timeout",
+        default_value=120,
+        category=SettingCategory.REGISTRATION,
+        description="注册超时时间（秒）"
+    ),
+    "registration_default_password_length": SettingDefinition(
+        db_key="registration.default_password_length",
+        default_value=12,
+        category=SettingCategory.REGISTRATION,
+        description="默认密码长度"
+    ),
+    "registration_sleep_min": SettingDefinition(
+        db_key="registration.sleep_min",
+        default_value=5,
+        category=SettingCategory.REGISTRATION,
+        description="注册间隔最小值（秒）"
+    ),
+    "registration_sleep_max": SettingDefinition(
+        db_key="registration.sleep_max",
+        default_value=30,
+        category=SettingCategory.REGISTRATION,
+        description="注册间隔最大值（秒）"
+    ),
+
+    # 邮箱服务配置
+    "email_service_priority": SettingDefinition(
+        db_key="email.service_priority",
+        default_value={"tempmail": 0, "outlook": 1, "moe_mail": 2},
+        category=SettingCategory.EMAIL,
+        description="邮箱服务优先级"
+    ),
+
+    # Tempmail.lol 配置
+    "tempmail_base_url": SettingDefinition(
+        db_key="tempmail.base_url",
+        default_value="https://api.tempmail.lol/v2",
+        category=SettingCategory.TEMPMAIL,
+        description="Tempmail API 地址"
+    ),
+    "tempmail_timeout": SettingDefinition(
+        db_key="tempmail.timeout",
+        default_value=30,
+        category=SettingCategory.TEMPMAIL,
+        description="Tempmail 超时时间（秒）"
+    ),
+    "tempmail_max_retries": SettingDefinition(
+        db_key="tempmail.max_retries",
+        default_value=3,
+        category=SettingCategory.TEMPMAIL,
+        description="Tempmail 最大重试次数"
+    ),
+
+    # 自定义域名邮箱配置
+    "custom_domain_base_url": SettingDefinition(
+        db_key="custom_domain.base_url",
+        default_value="",
+        category=SettingCategory.CUSTOM_DOMAIN,
+        description="自定义域名 API 地址"
+    ),
+    "custom_domain_api_key": SettingDefinition(
+        db_key="custom_domain.api_key",
+        default_value="",
+        category=SettingCategory.CUSTOM_DOMAIN,
+        description="自定义域名 API 密钥",
+        is_secret=True
+    ),
+
+    # 安全配置
+    "encryption_key": SettingDefinition(
+        db_key="security.encryption_key",
+        default_value="your-encryption-key-change-in-production",
+        category=SettingCategory.SECURITY,
+        description="加密密钥",
+        is_secret=True
+    ),
+
+    # Team Manager 配置
+    "tm_enabled": SettingDefinition(
+        db_key="tm.enabled",
+        default_value=False,
+        category=SettingCategory.GENERAL,
+        description="是否启用 Team Manager 上传"
+    ),
+    "tm_api_url": SettingDefinition(
+        db_key="tm.api_url",
+        default_value="",
+        category=SettingCategory.GENERAL,
+        description="Team Manager API 地址"
+    ),
+    "tm_api_key": SettingDefinition(
+        db_key="tm.api_key",
+        default_value="",
+        category=SettingCategory.GENERAL,
+        description="Team Manager API Key",
+        is_secret=True
+    ),
+
+    # CPA 上传配置
+    "cpa_enabled": SettingDefinition(
+        db_key="cpa.enabled",
+        default_value=False,
+        category=SettingCategory.CPA,
+        description="是否启用 CPA 上传"
+    ),
+    "cpa_api_url": SettingDefinition(
+        db_key="cpa.api_url",
+        default_value="",
+        category=SettingCategory.CPA,
+        description="CPA API 地址"
+    ),
+    "cpa_api_token": SettingDefinition(
+        db_key="cpa.api_token",
+        default_value="",
+        category=SettingCategory.CPA,
+        description="CPA API Token",
+        is_secret=True
+    ),
+
+    # 验证码配置
+    "email_code_timeout": SettingDefinition(
+        db_key="email_code.timeout",
+        default_value=30,
+        category=SettingCategory.EMAIL,
+        description="验证码等待超时时间（秒）"
+    ),
+    "email_code_poll_interval": SettingDefinition(
+        db_key="email_code.poll_interval",
+        default_value=3,
+        category=SettingCategory.EMAIL,
+        description="验证码轮询间隔（秒）"
+    ),
+
+    # Outlook 配置
+    "outlook_provider_priority": SettingDefinition(
+        db_key="outlook.provider_priority",
+        default_value=["imap_old", "imap_new", "graph_api"],
+        category=SettingCategory.EMAIL,
+        description="Outlook 提供者优先级"
+    ),
+    "outlook_health_failure_threshold": SettingDefinition(
+        db_key="outlook.health_failure_threshold",
+        default_value=5,
+        category=SettingCategory.EMAIL,
+        description="Outlook 提供者连续失败次数阈值"
+    ),
+    "outlook_health_disable_duration": SettingDefinition(
+        db_key="outlook.health_disable_duration",
+        default_value=60,
+        category=SettingCategory.EMAIL,
+        description="Outlook 提供者禁用时长（秒）"
+    ),
+    "outlook_default_client_id": SettingDefinition(
+        db_key="outlook.default_client_id",
+        default_value="24d9a0ed-8787-4584-883c-2fd79308940a",
+        category=SettingCategory.EMAIL,
+        description="Outlook OAuth 默认 Client ID"
+    ),
+}
+
+# 属性名到数据库键名的映射（用于向后兼容）
+DB_SETTING_KEYS = {name: defn.db_key for name, defn in SETTING_DEFINITIONS.items()}
+
+# 类型定义映射
+SETTING_TYPES: Dict[str, Type] = {
+    "debug": bool,
+    "webui_port": int,
+    "log_retention_days": int,
+    "proxy_enabled": bool,
+    "proxy_port": int,
+    "proxy_dynamic_enabled": bool,
+    "registration_max_retries": int,
+    "registration_timeout": int,
+    "registration_default_password_length": int,
+    "registration_sleep_min": int,
+    "registration_sleep_max": int,
+    "email_service_priority": dict,
+    "tempmail_timeout": int,
+    "tempmail_max_retries": int,
+    "tm_enabled": bool,
+    "cpa_enabled": bool,
+    "email_code_timeout": int,
+    "email_code_poll_interval": int,
+    "outlook_provider_priority": list,
+    "outlook_health_failure_threshold": int,
+    "outlook_health_disable_duration": int,
+}
+
+# 需要作为 SecretStr 处理的字段
+SECRET_FIELDS = {name for name, defn in SETTING_DEFINITIONS.items() if defn.is_secret}
+
+
+def _convert_value(attr_name: str, value: str) -> Any:
+    """将数据库字符串值转换为正确的类型"""
+    if attr_name in SECRET_FIELDS:
+        return SecretStr(value) if value else SecretStr("")
+
+    target_type = SETTING_TYPES.get(attr_name, str)
+
+    if target_type == bool:
+        if isinstance(value, bool):
+            return value
+        return str(value).lower() in ("true", "1", "yes", "on")
+    elif target_type == int:
+        if isinstance(value, int):
+            return value
+        return int(value) if value else 0
+    elif target_type == dict:
+        if isinstance(value, dict):
+            return value
+        if not value:
+            return {}
+        import json
+        import ast
+        try:
+            return json.loads(value)
+        except (json.JSONDecodeError, ValueError):
+            try:
+                return ast.literal_eval(value)
+            except Exception:
+                return {}
+    elif target_type == list:
+        if isinstance(value, list):
+            return value
+        if not value:
+            return []
+        import json
+        import ast
+        try:
+            return json.loads(value)
+        except (json.JSONDecodeError, ValueError):
+            try:
+                return ast.literal_eval(value)
+            except Exception:
+                return []
+    else:
+        return value
+
+
+def _normalize_database_url(url: str) -> str:
+    if url.startswith("postgres://"):
+        return "postgresql+psycopg://" + url[len("postgres://"):]
+    if url.startswith("postgresql://"):
+        return "postgresql+psycopg://" + url[len("postgresql://"):]
+    return url
+
+
+def _value_to_string(value: Any) -> str:
+    """将值转换为数据库存储的字符串"""
+    if isinstance(value, SecretStr):
+        return value.get_secret_value()
+    elif isinstance(value, bool):
+        return "true" if value else "false"
+    elif isinstance(value, (dict, list)):
+        import json
+        return json.dumps(value)
+    elif value is None:
+        return ""
+    else:
+        return str(value)
+
+
+def init_default_settings() -> None:
+    """
+    初始化数据库中的默认设置
+    如果设置项不存在，则创建并设置默认值
+    """
+    try:
+        from ..database.session import get_db
+        from ..database.crud import get_setting, set_setting
+
+        with get_db() as db:
+            for attr_name, defn in SETTING_DEFINITIONS.items():
+                existing = get_setting(db, defn.db_key)
+                if not existing:
+                    default_value = defn.default_value
+                    if attr_name == "database_url":
+                        env_url = os.environ.get("APP_DATABASE_URL") or os.environ.get("DATABASE_URL")
+                        if env_url:
+                            default_value = _normalize_database_url(env_url)
+                    default_value = _value_to_string(default_value)
+                    set_setting(
+                        db,
+                        defn.db_key,
+                        default_value,
+                        category=defn.category.value,
+                        description=defn.description
+                    )
+                    print(f"[Settings] 初始化默认设置: {defn.db_key} = {default_value if not defn.is_secret else '***'}")
+    except Exception as e:
+        if "未初始化" not in str(e):
+            print(f"[Settings] 初始化默认设置失败: {e}")
+
+
+def _load_settings_from_db() -> Dict[str, Any]:
+    """从数据库加载所有设置"""
+    try:
+        from ..database.session import get_db
+        from ..database.crud import get_setting
+
+        settings_dict = {}
+        with get_db() as db:
+            for attr_name, defn in SETTING_DEFINITIONS.items():
+                db_setting = get_setting(db, defn.db_key)
+                if db_setting:
+                    settings_dict[attr_name] = _convert_value(attr_name, db_setting.value)
+                else:
+                    # 数据库中没有此设置，使用默认值
+                    settings_dict[attr_name] = _convert_value(attr_name, _value_to_string(defn.default_value))
+            env_url = os.environ.get("APP_DATABASE_URL") or os.environ.get("DATABASE_URL")
+            if env_url:
+                settings_dict["database_url"] = _normalize_database_url(env_url)
+            env_host = os.environ.get("APP_HOST")
+            if env_host:
+                settings_dict["webui_host"] = env_host
+            env_port = os.environ.get("APP_PORT")
+            if env_port:
+                try:
+                    settings_dict["webui_port"] = int(env_port)
+                except ValueError:
+                    pass
+            env_password = os.environ.get("APP_ACCESS_PASSWORD")
+            if env_password:
+                settings_dict["webui_access_password"] = env_password
+        return settings_dict
+    except Exception as e:
+        if "未初始化" not in str(e):
+            print(f"[Settings] 从数据库加载设置失败: {e}，使用默认值")
+        return {name: defn.default_value for name, defn in SETTING_DEFINITIONS.items()}
+
+
+def _save_settings_to_db(**kwargs) -> None:
+    """保存设置到数据库"""
+    try:
+        from ..database.session import get_db
+        from ..database.crud import set_setting
+
+        with get_db() as db:
+            for attr_name, value in kwargs.items():
+                if attr_name in SETTING_DEFINITIONS:
+                    defn = SETTING_DEFINITIONS[attr_name]
+                    str_value = _value_to_string(value)
+                    set_setting(
+                        db,
+                        defn.db_key,
+                        str_value,
+                        category=defn.category.value,
+                        description=defn.description
+                    )
+    except Exception as e:
+        if "未初始化" not in str(e):
+            print(f"[Settings] 保存设置到数据库失败: {e}")
+
+
+class Settings(BaseModel):
+    """
+    应用配置 - 完全基于数据库存储
+    """
+
+    # 应用信息
+    app_name: str = "OpenAI/Codex CLI 自动注册系统"
+    app_version: str = "2.0.0"
+    debug: bool = False
+
+    # 数据库配置
+    database_url: str = "data/database.db"
+
+    @field_validator('database_url', mode='before')
+    @classmethod
+    def validate_database_url(cls, v):
+        if isinstance(v, str):
+            if v.startswith(("postgres://", "postgresql://")):
+                return _normalize_database_url(v)
+            if v.startswith(("postgresql+psycopg://", "postgresql+psycopg2://")):
+                return v
+        if isinstance(v, str) and v.startswith("sqlite:///"):
+            return v
+        if isinstance(v, str) and not v.startswith(("sqlite:///", "postgresql://", "postgresql+psycopg://", "postgresql+psycopg2://", "mysql://")):
+            # 如果是文件路径，转换为 SQLite URL
+            if os.path.isabs(v) or ":/" not in v:
+                return f"sqlite:///{v}"
+        return v
+
+    # Web UI 配置
+    webui_host: str = "0.0.0.0"
+    webui_port: int = 8000
+    webui_secret_key: SecretStr = SecretStr("your-secret-key-change-in-production")
+    webui_access_password: SecretStr = SecretStr("admin123")
+
+    # 日志配置
+    log_level: str = "INFO"
+    log_file: str = "logs/app.log"
+    log_retention_days: int = 30
+
+    # OpenAI 配置
+    openai_client_id: str = "app_EMoamEEZ73f0CkXaXp7hrann"
+    openai_auth_url: str = "https://auth.openai.com/oauth/authorize"
+    openai_token_url: str = "https://auth.openai.com/oauth/token"
+    openai_redirect_uri: str = "http://localhost:1455/auth/callback"
+    openai_scope: str = "openid email profile offline_access"
+
+    # 代理配置
+    proxy_enabled: bool = False
+    proxy_type: str = "http"
+    proxy_host: str = "127.0.0.1"
+    proxy_port: int = 7890
+    proxy_username: Optional[str] = None
+    proxy_password: Optional[SecretStr] = None
+    proxy_dynamic_enabled: bool = False
+    proxy_dynamic_api_url: str = ""
+    proxy_dynamic_api_key: Optional[SecretStr] = None
+    proxy_dynamic_api_key_header: str = "X-API-Key"
+    proxy_dynamic_result_field: str = ""
+
+    @property
+    def proxy_url(self) -> Optional[str]:
+        """获取完整的代理 URL"""
+        if not self.proxy_enabled:
+            return None
+
+        if self.proxy_type == "http":
+            scheme = "http"
+        elif self.proxy_type == "socks5":
+            scheme = "socks5"
+        else:
+            return None
+
+        auth = ""
+        if self.proxy_username and self.proxy_password:
+            auth = f"{self.proxy_username}:{self.proxy_password.get_secret_value()}@"
+
+        return f"{scheme}://{auth}{self.proxy_host}:{self.proxy_port}"
+
+    # 注册配置
+    registration_max_retries: int = 3
+    registration_timeout: int = 120
+    registration_default_password_length: int = 12
+    registration_sleep_min: int = 5
+    registration_sleep_max: int = 30
+
+    # 邮箱服务配置
+    email_service_priority: Dict[str, int] = {"tempmail": 0, "outlook": 1, "moe_mail": 2}
+
+    # Tempmail.lol 配置
+    tempmail_base_url: str = "https://api.tempmail.lol/v2"
+    tempmail_timeout: int = 30
+    tempmail_max_retries: int = 3
+
+    # 自定义域名邮箱配置
+    custom_domain_base_url: str = ""
+    custom_domain_api_key: Optional[SecretStr] = None
+
+    # 安全配置
+    encryption_key: SecretStr = SecretStr("your-encryption-key-change-in-production")
+
+    # Team Manager 配置
+    tm_enabled: bool = False
+    tm_api_url: str = ""
+    tm_api_key: Optional[SecretStr] = None
+
+    # CPA 上传配置
+    cpa_enabled: bool = False
+    cpa_api_url: str = ""
+    cpa_api_token: SecretStr = SecretStr("")
+
+    # 验证码配置
+    email_code_timeout: int = 30
+    email_code_poll_interval: int = 3
+
+    # Outlook 配置
+    outlook_provider_priority: List[str] = ["imap_old", "imap_new", "graph_api"]
+    outlook_health_failure_threshold: int = 5
+    outlook_health_disable_duration: int = 60
+    outlook_default_client_id: str = "24d9a0ed-8787-4584-883c-2fd79308940a"
+
+
+# 全局配置实例
+_settings: Optional[Settings] = None
+
+
+def get_settings() -> Settings:
+    """
+    获取全局配置实例（单例模式）
+    完全从数据库加载配置
+    """
+    global _settings
+    if _settings is None:
+        # 先初始化默认设置（如果数据库中没有的话）
+        init_default_settings()
+        # 从数据库加载所有设置
+        settings_dict = _load_settings_from_db()
+        _settings = Settings(**settings_dict)
+    return _settings
+
+
+def update_settings(**kwargs) -> Settings:
+    """
+    更新配置并保存到数据库
+    """
+    global _settings
+    if _settings is None:
+        _settings = get_settings()
+
+    # 创建新的配置实例
+    updated_data = _settings.model_dump()
+    updated_data.update(kwargs)
+    _settings = Settings(**updated_data)
+
+    # 保存到数据库
+    _save_settings_to_db(**kwargs)
+
+    return _settings
+
+
+def get_database_url() -> str:
+    """
+    获取数据库 URL（处理相对路径）
+    """
+    settings = get_settings()
+    url = settings.database_url
+
+    # 如果 URL 是相对路径，转换为绝对路径
+    if url.startswith("sqlite:///"):
+        path = url[10:]  # 移除 "sqlite:///"
+        if not os.path.isabs(path):
+            # 转换为相对于项目根目录的路径
+            project_root = os.path.dirname(os.path.dirname(os.path.dirname(__file__)))
+            abs_path = os.path.join(project_root, path)
+            return f"sqlite:///{abs_path}"
+
+    return url
+
+
+def get_setting_definition(attr_name: str) -> Optional[SettingDefinition]:
+    """获取设置项的定义信息"""
+    return SETTING_DEFINITIONS.get(attr_name)
+
+
+def get_all_setting_definitions() -> Dict[str, SettingDefinition]:
+    """获取所有设置项的定义"""
+    return SETTING_DEFINITIONS.copy()

src/core/__init__.py

@@ -0,0 +1,32 @@
+"""
+核心功能模块
+"""
+
+from .openai.oauth import OAuthManager, OAuthStart, generate_oauth_url, submit_callback_url
+from .http_client import (
+    OpenAIHTTPClient,
+    HTTPClient,
+    HTTPClientError,
+    RequestConfig,
+    create_http_client,
+    create_openai_client,
+)
+from .register import RegistrationEngine, RegistrationResult
+from .utils import setup_logging, get_data_dir
+
+__all__ = [
+    'OAuthManager',
+    'OAuthStart',
+    'generate_oauth_url',
+    'submit_callback_url',
+    'OpenAIHTTPClient',
+    'HTTPClient',
+    'HTTPClientError',
+    'RequestConfig',
+    'create_http_client',
+    'create_openai_client',
+    'RegistrationEngine',
+    'RegistrationResult',
+    'setup_logging',
+    'get_data_dir',
+]

src/core/dynamic_proxy.py

@@ -0,0 +1,118 @@
+"""
+动态代理获取模块
+支持通过外部 API 获取动态代理 URL
+"""
+
+import logging
+import re
+from typing import Optional
+
+logger = logging.getLogger(__name__)
+
+
+def fetch_dynamic_proxy(api_url: str, api_key: str = "", api_key_header: str = "X-API-Key", result_field: str = "") -> Optional[str]:
+    """
+    从代理 API 获取代理 URL
+
+    Args:
+        api_url: 代理 API 地址，响应应为代理 URL 字符串或含代理 URL 的 JSON
+        api_key: API 密钥（可选）
+        api_key_header: API 密钥请求头名称
+        result_field: 从 JSON 响应中提取代理 URL 的字段路径，支持点号分隔（如 "data.proxy"），留空则使用响应原文
+
+    Returns:
+        代理 URL 字符串（如 http://user:pass@host:port），失败返回 None
+    """
+    try:
+        from curl_cffi import requests as cffi_requests
+
+        headers = {}
+        if api_key:
+            headers[api_key_header] = api_key
+
+        response = cffi_requests.get(
+            api_url,
+            headers=headers,
+            timeout=10,
+            impersonate="chrome110"
+        )
+
+        if response.status_code != 200:
+            logger.warning(f"动态代理 API 返回错误状态码: {response.status_code}")
+            return None
+
+        text = response.text.strip()
+
+        # 尝试解析 JSON
+        if result_field or text.startswith("{") or text.startswith("["):
+            try:
+                import json
+                data = json.loads(text)
+                if result_field:
+                    # 按点号路径逐层提取
+                    for key in result_field.split("."):
+                        if isinstance(data, dict):
+                            data = data.get(key)
+                        elif isinstance(data, list) and key.isdigit():
+                            data = data[int(key)]
+                        else:
+                            data = None
+                        if data is None:
+                            break
+                    proxy_url = str(data).strip() if data is not None else None
+                else:
+                    # 无指定字段，尝试常见键名
+                    for key in ("proxy", "url", "proxy_url", "data", "ip"):
+                        val = data.get(key) if isinstance(data, dict) else None
+                        if val:
+                            proxy_url = str(val).strip()
+                            break
+                    else:
+                        proxy_url = text
+            except (ValueError, AttributeError):
+                proxy_url = text
+        else:
+            proxy_url = text
+
+        if not proxy_url:
+            logger.warning("动态代理 API 返回空代理 URL")
+            return None
+
+        # 若未包含协议头，默认加 http://
+        if not re.match(r'^(http|socks5)://', proxy_url):
+            proxy_url = "http://" + proxy_url
+
+        logger.info(f"动态代理获取成功: {proxy_url[:40]}..." if len(proxy_url) > 40 else f"动态代理获取成功: {proxy_url}")
+        return proxy_url
+
+    except Exception as e:
+        logger.error(f"获取动态代理失败: {e}")
+        return None
+
+
+def get_proxy_url_for_task() -> Optional[str]:
+    """
+    为注册任务获取代理 URL。
+    优先使用动态代理（若启用），否则使用静态代理配置。
+
+    Returns:
+        代理 URL 或 None
+    """
+    from ..config.settings import get_settings
+    settings = get_settings()
+
+    # 优先使用动态代理
+    if settings.proxy_dynamic_enabled and settings.proxy_dynamic_api_url:
+        api_key = settings.proxy_dynamic_api_key.get_secret_value() if settings.proxy_dynamic_api_key else ""
+        proxy_url = fetch_dynamic_proxy(
+            api_url=settings.proxy_dynamic_api_url,
+            api_key=api_key,
+            api_key_header=settings.proxy_dynamic_api_key_header,
+            result_field=settings.proxy_dynamic_result_field,
+        )
+        if proxy_url:
+            return proxy_url
+        logger.warning("动态代理获取失败，回退到静态代理")
+
+    # 使用静态代理
+    return settings.proxy_url

src/core/http_client.py

@@ -0,0 +1,429 @@
+"""
+HTTP 客户端封装
+基于 curl_cffi 的 HTTP 请求封装，支持代理和错误处理
+"""
+
+import time
+import json
+from typing import Optional, Dict, Any, Union, Tuple
+from dataclasses import dataclass
+import logging
+
+from curl_cffi import requests as cffi_requests
+from curl_cffi.requests import Session, Response
+
+from ..config.constants import ERROR_MESSAGES
+from ..config.settings import get_settings
+from .openai.sentinel import SentinelPOWError, build_sentinel_pow_token
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class RequestConfig:
+    """HTTP 请求配置"""
+    timeout: int = 30
+    max_retries: int = 3
+    retry_delay: float = 1.0
+    impersonate: str = "chrome"
+    verify_ssl: bool = True
+    follow_redirects: bool = True
+
+
+class HTTPClientError(Exception):
+    """HTTP 客户端异常"""
+    pass
+
+
+class HTTPClient:
+    """
+    HTTP 客户端封装
+    支持代理、重试、错误处理和会话管理
+    """
+
+    def __init__(
+        self,
+        proxy_url: Optional[str] = None,
+        config: Optional[RequestConfig] = None,
+        session: Optional[Session] = None
+    ):
+        """
+        初始化 HTTP 客户端
+
+        Args:
+            proxy_url: 代理 URL，如 "http://127.0.0.1:7890"
+            config: 请求配置
+            session: 可重用的会话对象
+        """
+        self.proxy_url = proxy_url
+        self.config = config or RequestConfig()
+        self._session = session
+
+    @property
+    def proxies(self) -> Optional[Dict[str, str]]:
+        """获取代理配置"""
+        if not self.proxy_url:
+            return None
+        return {
+            "http": self.proxy_url,
+            "https": self.proxy_url,
+        }
+
+    @property
+    def session(self) -> Session:
+        """获取会话对象（单例）"""
+        if self._session is None:
+            self._session = Session(
+                proxies=self.proxies,
+                impersonate=self.config.impersonate,
+                verify=self.config.verify_ssl,
+                timeout=self.config.timeout
+            )
+        return self._session
+
+    def request(
+        self,
+        method: str,
+        url: str,
+        **kwargs
+    ) -> Response:
+        """
+        发送 HTTP 请求
+
+        Args:
+            method: HTTP 方法 (GET, POST, PUT, DELETE, etc.)
+            url: 请求 URL
+            **kwargs: 其他请求参数
+
+        Returns:
+            Response 对象
+
+        Raises:
+            HTTPClientError: 请求失败
+        """
+        # 设置默认参数
+        kwargs.setdefault("timeout", self.config.timeout)
+        kwargs.setdefault("allow_redirects", self.config.follow_redirects)
+
+        # 添加代理配置
+        if self.proxies and "proxies" not in kwargs:
+            kwargs["proxies"] = self.proxies
+
+        last_exception = None
+        for attempt in range(self.config.max_retries):
+            try:
+                response = self.session.request(method, url, **kwargs)
+
+                # 检查响应状态码
+                if response.status_code >= 400:
+                    logger.warning(
+                        f"HTTP {response.status_code} for {method} {url}"
+                        f" (attempt {attempt + 1}/{self.config.max_retries})"
+                    )
+
+                    # 如果是服务器错误，重试
+                    if response.status_code >= 500 and attempt < self.config.max_retries - 1:
+                        time.sleep(self.config.retry_delay * (attempt + 1))
+                        continue
+
+                return response
+
+            except (cffi_requests.RequestsError, ConnectionError, TimeoutError) as e:
+                last_exception = e
+                logger.warning(
+                    f"请求失败: {method} {url} (attempt {attempt + 1}/{self.config.max_retries}): {e}"
+                )
+
+                if attempt < self.config.max_retries - 1:
+                    time.sleep(self.config.retry_delay * (attempt + 1))
+                else:
+                    break
+
+        raise HTTPClientError(
+            f"请求失败，最大重试次数已达: {method} {url} - {last_exception}"
+        )
+
+    def get(self, url: str, **kwargs) -> Response:
+        """发送 GET 请求"""
+        return self.request("GET", url, **kwargs)
+
+    def post(self, url: str, data: Any = None, json: Any = None, **kwargs) -> Response:
+        """发送 POST 请求"""
+        return self.request("POST", url, data=data, json=json, **kwargs)
+
+    def put(self, url: str, data: Any = None, json: Any = None, **kwargs) -> Response:
+        """发送 PUT 请求"""
+        return self.request("PUT", url, data=data, json=json, **kwargs)
+
+    def delete(self, url: str, **kwargs) -> Response:
+        """发送 DELETE 请求"""
+        return self.request("DELETE", url, **kwargs)
+
+    def head(self, url: str, **kwargs) -> Response:
+        """发送 HEAD 请求"""
+        return self.request("HEAD", url, **kwargs)
+
+    def options(self, url: str, **kwargs) -> Response:
+        """发送 OPTIONS 请求"""
+        return self.request("OPTIONS", url, **kwargs)
+
+    def patch(self, url: str, data: Any = None, json: Any = None, **kwargs) -> Response:
+        """发送 PATCH 请求"""
+        return self.request("PATCH", url, data=data, json=json, **kwargs)
+
+    def download_file(self, url: str, filepath: str, chunk_size: int = 8192) -> None:
+        """
+        下载文件
+
+        Args:
+            url: 文件 URL
+            filepath: 保存路径
+            chunk_size: 块大小
+
+        Raises:
+            HTTPClientError: 下载失败
+        """
+        try:
+            response = self.get(url, stream=True)
+            response.raise_for_status()
+
+            with open(filepath, 'wb') as f:
+                for chunk in response.iter_content(chunk_size=chunk_size):
+                    if chunk:
+                        f.write(chunk)
+
+        except Exception as e:
+            raise HTTPClientError(f"下载文件失败: {url} - {e}")
+
+    def check_proxy(self, test_url: str = "https://httpbin.org/ip") -> bool:
+        """
+        检查代理是否可用
+
+        Args:
+            test_url: 测试 URL
+
+        Returns:
+            bool: 代理是否可用
+        """
+        if not self.proxy_url:
+            return False
+
+        try:
+            response = self.get(test_url, timeout=10)
+            return response.status_code == 200
+        except Exception:
+            return False
+
+    def close(self):
+        """关闭会话"""
+        if self._session:
+            self._session.close()
+            self._session = None
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        self.close()
+
+
+class OpenAIHTTPClient(HTTPClient):
+    """
+    OpenAI 专用 HTTP 客户端
+    包含 OpenAI API 特定的请求方法
+    """
+
+    def __init__(
+        self,
+        proxy_url: Optional[str] = None,
+        config: Optional[RequestConfig] = None
+    ):
+        """
+        初始化 OpenAI HTTP 客户端
+
+        Args:
+            proxy_url: 代理 URL
+            config: 请求配置
+        """
+        super().__init__(proxy_url, config)
+
+        # OpenAI 特定的默认配置
+        if config is None:
+            self.config.timeout = 30
+            self.config.max_retries = 3
+
+        # 默认请求头
+        self.default_headers = {
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
+                         "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+            "Accept": "application/json",
+            "Accept-Language": "en-US,en;q=0.9",
+            "Accept-Encoding": "gzip, deflate, br",
+            "Connection": "keep-alive",
+            "Sec-Fetch-Dest": "empty",
+            "Sec-Fetch-Mode": "cors",
+            "Sec-Fetch-Site": "same-site",
+        }
+
+    def check_ip_location(self) -> Tuple[bool, Optional[str]]:
+        """
+        检查 IP 地理位置
+
+        Returns:
+            Tuple[是否支持, 位置信息]
+        """
+        try:
+            response = self.get("https://cloudflare.com/cdn-cgi/trace", timeout=10)
+            trace_text = response.text
+
+            # 解析位置信息
+            import re
+            loc_match = re.search(r"loc=([A-Z]+)", trace_text)
+            loc = loc_match.group(1) if loc_match else None
+
+            # 检查是否支持
+            if loc in ["CN", "HK", "MO", "TW"]:
+                return False, loc
+            return True, loc
+
+        except Exception as e:
+            logger.error(f"检查 IP 地理位置失败: {e}")
+            return False, None
+
+    def send_openai_request(
+        self,
+        endpoint: str,
+        method: str = "POST",
+        data: Optional[Dict[str, Any]] = None,
+        json_data: Optional[Dict[str, Any]] = None,
+        headers: Optional[Dict[str, str]] = None,
+        **kwargs
+    ) -> Dict[str, Any]:
+        """
+        发送 OpenAI API 请求
+
+        Args:
+            endpoint: API 端点
+            method: HTTP 方法
+            data: 表单数据
+            json_data: JSON 数据
+            headers: 请求头
+            **kwargs: 其他参数
+
+        Returns:
+            响应 JSON 数据
+
+        Raises:
+            HTTPClientError: 请求失败
+        """
+        # 合并请求头
+        request_headers = self.default_headers.copy()
+        if headers:
+            request_headers.update(headers)
+
+        # 设置 Content-Type
+        if json_data is not None and "Content-Type" not in request_headers:
+            request_headers["Content-Type"] = "application/json"
+        elif data is not None and "Content-Type" not in request_headers:
+            request_headers["Content-Type"] = "application/x-www-form-urlencoded"
+
+        try:
+            response = self.request(
+                method,
+                endpoint,
+                data=data,
+                json=json_data,
+                headers=request_headers,
+                **kwargs
+            )
+
+            # 检查响应状态码
+            response.raise_for_status()
+
+            # 尝试解析 JSON
+            try:
+                return response.json()
+            except json.JSONDecodeError:
+                return {"raw_response": response.text}
+
+        except cffi_requests.RequestsError as e:
+            raise HTTPClientError(f"OpenAI 请求失败: {endpoint} - {e}")
+
+    def check_sentinel(self, did: str, proxies: Optional[Dict] = None) -> Optional[str]:
+        """
+        检查 Sentinel 拦截
+
+        Args:
+            did: Device ID
+            proxies: 代理配置
+
+        Returns:
+            Sentinel token 或 None
+        """
+        from ..config.constants import OPENAI_API_ENDPOINTS
+
+        try:
+            pow_token = build_sentinel_pow_token(self.default_headers.get("User-Agent", ""))
+            sen_req_body = json.dumps({
+                "p": pow_token,
+                "id": did,
+                "flow": "authorize_continue",
+            }, separators=(",", ":"))
+
+            response = self.post(
+                OPENAI_API_ENDPOINTS["sentinel"],
+                headers={
+                    "origin": "https://sentinel.openai.com",
+                    "referer": "https://sentinel.openai.com/backend-api/sentinel/frame.html?sv=20260219f9f6",
+                    "content-type": "text/plain;charset=UTF-8",
+                },
+                data=sen_req_body,
+            )
+
+            if response.status_code == 200:
+                return response.json().get("token")
+            else:
+                logger.warning(f"Sentinel 检查失败: {response.status_code}")
+                return None
+
+        except SentinelPOWError as e:
+            logger.error(f"Sentinel POW 求解失败: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Sentinel 检查异常: {e}")
+            return None
+
+
+def create_http_client(
+    proxy_url: Optional[str] = None,
+    config: Optional[RequestConfig] = None
+) -> HTTPClient:
+    """
+    创建 HTTP 客户端工厂函数
+
+    Args:
+        proxy_url: 代理 URL
+        config: 请求配置
+
+    Returns:
+        HTTPClient 实例
+    """
+    return HTTPClient(proxy_url, config)
+
+
+def create_openai_client(
+    proxy_url: Optional[str] = None,
+    config: Optional[RequestConfig] = None
+) -> OpenAIHTTPClient:
+    """
+    创建 OpenAI HTTP 客户端工厂函数
+
+    Args:
+        proxy_url: 代理 URL
+        config: 请求配置
+
+    Returns:
+        OpenAIHTTPClient 实例
+    """
+    return OpenAIHTTPClient(proxy_url, config)

src/core/openai/__init__.py

@@ -0,0 +1,3 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# @Time : 2026/3/18 19:55

src/core/openai/oauth.py

@@ -0,0 +1,370 @@
+"""
+OpenAI OAuth 授权模块
+从 main.py 中提取的 OAuth 相关函数
+"""
+
+import base64
+import hashlib
+import json
+import secrets
+import time
+import urllib.parse
+from dataclasses import dataclass
+from typing import Any, Dict, Optional
+
+from curl_cffi import requests as cffi_requests
+
+from ...config.constants import (
+    OAUTH_CLIENT_ID,
+    OAUTH_AUTH_URL,
+    OAUTH_TOKEN_URL,
+    OAUTH_REDIRECT_URI,
+    OAUTH_SCOPE,
+)
+
+
+def _b64url_no_pad(raw: bytes) -> str:
+    """Base64 URL 编码（无填充）"""
+    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
+
+
+def _sha256_b64url_no_pad(s: str) -> str:
+    """SHA256 哈希后 Base64 URL 编码"""
+    return _b64url_no_pad(hashlib.sha256(s.encode("ascii")).digest())
+
+
+def _random_state(nbytes: int = 16) -> str:
+    """生成随机 state"""
+    return secrets.token_urlsafe(nbytes)
+
+
+def _pkce_verifier() -> str:
+    """生成 PKCE code_verifier"""
+    return secrets.token_urlsafe(64)
+
+
+def _parse_callback_url(callback_url: str) -> Dict[str, str]:
+    """解析回调 URL"""
+    candidate = callback_url.strip()
+    if not candidate:
+        return {"code": "", "state": "", "error": "", "error_description": ""}
+
+    if "://" not in candidate:
+        if candidate.startswith("?"):
+            candidate = f"http://localhost{candidate}"
+        elif any(ch in candidate for ch in "/?#") or ":" in candidate:
+            candidate = f"http://{candidate}"
+        elif "=" in candidate:
+            candidate = f"http://localhost/?{candidate}"
+
+    parsed = urllib.parse.urlparse(candidate)
+    query = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
+    fragment = urllib.parse.parse_qs(parsed.fragment, keep_blank_values=True)
+
+    for key, values in fragment.items():
+        if key not in query or not query[key] or not (query[key][0] or "").strip():
+            query[key] = values
+
+    def get1(k: str) -> str:
+        v = query.get(k, [""])
+        return (v[0] or "").strip()
+
+    code = get1("code")
+    state = get1("state")
+    error = get1("error")
+    error_description = get1("error_description")
+
+    if code and not state and "#" in code:
+        code, state = code.split("#", 1)
+
+    if not error and error_description:
+        error, error_description = error_description, ""
+
+    return {
+        "code": code,
+        "state": state,
+        "error": error,
+        "error_description": error_description,
+    }
+
+
+def _jwt_claims_no_verify(id_token: str) -> Dict[str, Any]:
+    """解析 JWT ID Token（不验证签名）"""
+    if not id_token or id_token.count(".") < 2:
+        return {}
+    payload_b64 = id_token.split(".")[1]
+    pad = "=" * ((4 - (len(payload_b64) % 4)) % 4)
+    try:
+        payload = base64.urlsafe_b64decode((payload_b64 + pad).encode("ascii"))
+        return json.loads(payload.decode("utf-8"))
+    except Exception:
+        return {}
+
+
+def _decode_jwt_segment(seg: str) -> Dict[str, Any]:
+    """解码 JWT 片段"""
+    raw = (seg or "").strip()
+    if not raw:
+        return {}
+    pad = "=" * ((4 - (len(raw) % 4)) % 4)
+    try:
+        decoded = base64.urlsafe_b64decode((raw + pad).encode("ascii"))
+        return json.loads(decoded.decode("utf-8"))
+    except Exception:
+        return {}
+
+
+def _to_int(v: Any) -> int:
+    """转换为整数"""
+    try:
+        return int(v)
+    except (TypeError, ValueError):
+        return 0
+
+
+def _post_form(
+    url: str,
+    data: Dict[str, str],
+    timeout: int = 30,
+    proxy_url: Optional[str] = None
+) -> Dict[str, Any]:
+    """
+    发送 POST 表单请求
+
+    Args:
+        url: 请求 URL
+        data: 表单数据
+        timeout: 超时时间
+        proxy_url: 代理 URL
+
+    Returns:
+        响应 JSON 数据
+    """
+    # 构建代理配置
+    proxies = None
+    if proxy_url:
+        proxies = {
+            "http": proxy_url,
+            "https": proxy_url,
+        }
+
+    headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/json",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
+                     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+    }
+
+    try:
+        # 使用 curl_cffi 发送请求，支持代理和浏览器指纹
+        response = cffi_requests.post(
+            url,
+            data=data,
+            headers=headers,
+            timeout=timeout,
+            proxies=proxies,
+            impersonate="chrome"
+        )
+
+        if response.status_code != 200:
+            raise RuntimeError(
+                f"token exchange failed: {response.status_code}: {response.text}"
+            )
+
+        return response.json()
+
+    except cffi_requests.RequestsError as e:
+        raise RuntimeError(f"token exchange failed: network error: {e}") from e
+
+
+@dataclass(frozen=True)
+class OAuthStart:
+    """OAuth 开始信息"""
+    auth_url: str
+    state: str
+    code_verifier: str
+    redirect_uri: str
+
+
+def generate_oauth_url(
+    *,
+    redirect_uri: str = OAUTH_REDIRECT_URI,
+    scope: str = OAUTH_SCOPE,
+    client_id: str = OAUTH_CLIENT_ID
+) -> OAuthStart:
+    """
+    生成 OAuth 授权 URL
+
+    Args:
+        redirect_uri: 回调地址
+        scope: 权限范围
+        client_id: OpenAI Client ID
+
+    Returns:
+        OAuthStart 对象，包含授权 URL 和必要参数
+    """
+    state = _random_state()
+    code_verifier = _pkce_verifier()
+    code_challenge = _sha256_b64url_no_pad(code_verifier)
+
+    params = {
+        "client_id": client_id,
+        "response_type": "code",
+        "redirect_uri": redirect_uri,
+        "scope": scope,
+        "state": state,
+        "code_challenge": code_challenge,
+        "code_challenge_method": "S256",
+        "prompt": "login",
+        "id_token_add_organizations": "true",
+        "codex_cli_simplified_flow": "true",
+    }
+    auth_url = f"{OAUTH_AUTH_URL}?{urllib.parse.urlencode(params)}"
+    return OAuthStart(
+        auth_url=auth_url,
+        state=state,
+        code_verifier=code_verifier,
+        redirect_uri=redirect_uri,
+    )
+
+
+def submit_callback_url(
+    *,
+    callback_url: str,
+    expected_state: str,
+    code_verifier: str,
+    redirect_uri: str = OAUTH_REDIRECT_URI,
+    client_id: str = OAUTH_CLIENT_ID,
+    token_url: str = OAUTH_TOKEN_URL,
+    proxy_url: Optional[str] = None
+) -> str:
+    """
+    处理 OAuth 回调 URL，获取访问令牌
+
+    Args:
+        callback_url: 回调 URL
+        expected_state: 预期的 state 值
+        code_verifier: PKCE code_verifier
+        redirect_uri: 回调地址
+        client_id: OpenAI Client ID
+        token_url: Token 交换地址
+        proxy_url: 代理 URL
+
+    Returns:
+        包含访问令牌等信息的 JSON 字符串
+
+    Raises:
+        RuntimeError: OAuth 错误
+        ValueError: 缺少必要参数或 state 不匹配
+    """
+    cb = _parse_callback_url(callback_url)
+    if cb["error"]:
+        desc = cb["error_description"]
+        raise RuntimeError(f"oauth error: {cb['error']}: {desc}".strip())
+
+    if not cb["code"]:
+        raise ValueError("callback url missing ?code=")
+    if not cb["state"]:
+        raise ValueError("callback url missing ?state=")
+    if cb["state"] != expected_state:
+        raise ValueError("state mismatch")
+
+    token_resp = _post_form(
+        token_url,
+        {
+            "grant_type": "authorization_code",
+            "client_id": client_id,
+            "code": cb["code"],
+            "redirect_uri": redirect_uri,
+            "code_verifier": code_verifier,
+        },
+        proxy_url=proxy_url
+    )
+
+    access_token = (token_resp.get("access_token") or "").strip()
+    refresh_token = (token_resp.get("refresh_token") or "").strip()
+    id_token = (token_resp.get("id_token") or "").strip()
+    expires_in = _to_int(token_resp.get("expires_in"))
+
+    claims = _jwt_claims_no_verify(id_token)
+    email = str(claims.get("email") or "").strip()
+    auth_claims = claims.get("https://api.openai.com/auth") or {}
+    account_id = str(auth_claims.get("chatgpt_account_id") or "").strip()
+
+    now = int(time.time())
+    expired_rfc3339 = time.strftime(
+        "%Y-%m-%dT%H:%M:%SZ", time.gmtime(now + max(expires_in, 0))
+    )
+    now_rfc3339 = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
+
+    config = {
+        "id_token": id_token,
+        "access_token": access_token,
+        "refresh_token": refresh_token,
+        "account_id": account_id,
+        "last_refresh": now_rfc3339,
+        "email": email,
+        "type": "codex",
+        "expired": expired_rfc3339,
+    }
+
+    return json.dumps(config, ensure_ascii=False, separators=(",", ":"))
+
+
+class OAuthManager:
+    """OAuth 管理器"""
+
+    def __init__(
+        self,
+        client_id: str = OAUTH_CLIENT_ID,
+        auth_url: str = OAUTH_AUTH_URL,
+        token_url: str = OAUTH_TOKEN_URL,
+        redirect_uri: str = OAUTH_REDIRECT_URI,
+        scope: str = OAUTH_SCOPE,
+        proxy_url: Optional[str] = None
+    ):
+        self.client_id = client_id
+        self.auth_url = auth_url
+        self.token_url = token_url
+        self.redirect_uri = redirect_uri
+        self.scope = scope
+        self.proxy_url = proxy_url
+
+    def start_oauth(self) -> OAuthStart:
+        """开始 OAuth 流程"""
+        return generate_oauth_url(
+            redirect_uri=self.redirect_uri,
+            scope=self.scope,
+            client_id=self.client_id
+        )
+
+    def handle_callback(
+        self,
+        callback_url: str,
+        expected_state: str,
+        code_verifier: str
+    ) -> Dict[str, Any]:
+        """处理 OAuth 回调"""
+        result_json = submit_callback_url(
+            callback_url=callback_url,
+            expected_state=expected_state,
+            code_verifier=code_verifier,
+            redirect_uri=self.redirect_uri,
+            client_id=self.client_id,
+            token_url=self.token_url,
+            proxy_url=self.proxy_url
+        )
+        return json.loads(result_json)
+
+    def extract_account_info(self, id_token: str) -> Dict[str, Any]:
+        """从 ID Token 中提取账户信息"""
+        claims = _jwt_claims_no_verify(id_token)
+        email = str(claims.get("email") or "").strip()
+        auth_claims = claims.get("https://api.openai.com/auth") or {}
+        account_id = str(auth_claims.get("chatgpt_account_id") or "").strip()
+
+        return {
+            "email": email,
+            "account_id": account_id,
+            "claims": claims
+        }

src/core/openai/payment.py

@@ -0,0 +1,261 @@
+"""
+支付核心逻辑 — 生成 Plus/Team 支付链接、无痕打开浏览器、检测订阅状态
+"""
+
+import logging
+import subprocess
+import sys
+from typing import Optional
+
+from curl_cffi import requests as cffi_requests
+
+from ...database.models import Account
+
+logger = logging.getLogger(__name__)
+
+PAYMENT_CHECKOUT_URL = "https://chatgpt.com/backend-api/payments/checkout"
+TEAM_CHECKOUT_BASE_URL = "https://chatgpt.com/checkout/openai_llc/"
+
+
+def _build_proxies(proxy: Optional[str]) -> Optional[dict]:
+    if proxy:
+        return {"http": proxy, "https": proxy}
+    return None
+
+
+_COUNTRY_CURRENCY_MAP = {
+    "SG": "SGD",
+    "US": "USD",
+    "TR": "TRY",
+    "JP": "JPY",
+    "HK": "HKD",
+    "GB": "GBP",
+    "EU": "EUR",
+    "AU": "AUD",
+    "CA": "CAD",
+    "IN": "INR",
+    "BR": "BRL",
+    "MX": "MXN",
+}
+
+
+def _extract_oai_did(cookies_str: str) -> Optional[str]:
+    """从 cookie 字符串中提取 oai-device-id"""
+    for part in cookies_str.split(";"):
+        part = part.strip()
+        if part.startswith("oai-did="):
+            return part[len("oai-did="):].strip()
+    return None
+
+
+def _parse_cookie_str(cookies_str: str, domain: str) -> list:
+    """将 'key=val; key2=val2' 格式解析为 Playwright cookie 列表"""
+    cookies = []
+    for part in cookies_str.split(";"):
+        part = part.strip()
+        if "=" not in part:
+            continue
+        name, _, value = part.partition("=")
+        cookies.append({
+            "name": name.strip(),
+            "value": value.strip(),
+            "domain": domain,
+            "path": "/",
+        })
+    return cookies
+
+
+def _open_url_system_browser(url: str) -> bool:
+    """回退方案：调用系统浏览器以无痕模式打开"""
+    platform = sys.platform
+    try:
+        if platform == "win32":
+            for browser, flag in [("chrome", "--incognito"), ("msedge", "--inprivate")]:
+                try:
+                    subprocess.Popen(f'start {browser} {flag} "{url}"', shell=True)
+                    return True
+                except Exception:
+                    continue
+        elif platform == "darwin":
+            subprocess.Popen(["open", "-a", "Google Chrome", "--args", "--incognito", url])
+            return True
+        else:
+            for binary in ["google-chrome", "chromium-browser", "chromium"]:
+                try:
+                    subprocess.Popen([binary, "--incognito", url])
+                    return True
+                except FileNotFoundError:
+                    continue
+    except Exception as e:
+        logger.warning(f"系统浏览器无痕打开失败: {e}")
+    return False
+
+
+def generate_plus_link(
+    account: Account,
+    proxy: Optional[str] = None,
+    country: str = "SG",
+) -> str:
+    """生成 Plus 支付链接（后端携带账号 cookie 发请求）"""
+    if not account.access_token:
+        raise ValueError("账号缺少 access_token")
+
+    currency = _COUNTRY_CURRENCY_MAP.get(country, "USD")
+    headers = {
+        "Authorization": f"Bearer {account.access_token}",
+        "Content-Type": "application/json",
+        "oai-language": "zh-CN",
+    }
+    if account.cookies:
+        headers["cookie"] = account.cookies
+        oai_did = _extract_oai_did(account.cookies)
+        if oai_did:
+            headers["oai-device-id"] = oai_did
+
+    payload = {
+        "plan_name": "chatgptplusplan",
+        "billing_details": {"country": country, "currency": currency},
+        "promo_campaign": {
+            "promo_campaign_id": "plus-1-month-free",
+            "is_coupon_from_query_param": False,
+        },
+        "checkout_ui_mode": "custom",
+    }
+
+    resp = cffi_requests.post(
+        PAYMENT_CHECKOUT_URL,
+        headers=headers,
+        json=payload,
+        proxies=_build_proxies(proxy),
+        timeout=30,
+        impersonate="chrome110",
+    )
+    resp.raise_for_status()
+    data = resp.json()
+    if "checkout_session_id" in data:
+        return TEAM_CHECKOUT_BASE_URL + data["checkout_session_id"]
+    raise ValueError(data.get("detail", "API 未返回 checkout_session_id"))
+
+
+def generate_team_link(
+    account: Account,
+    workspace_name: str = "MyTeam",
+    price_interval: str = "month",
+    seat_quantity: int = 5,
+    proxy: Optional[str] = None,
+    country: str = "SG",
+) -> str:
+    """生成 Team 支付链接（后端携带账号 cookie 发请求）"""
+    if not account.access_token:
+        raise ValueError("账号缺少 access_token")
+
+    currency = _COUNTRY_CURRENCY_MAP.get(country, "USD")
+    headers = {
+        "Authorization": f"Bearer {account.access_token}",
+        "Content-Type": "application/json",
+        "oai-language": "zh-CN",
+    }
+    if account.cookies:
+        headers["cookie"] = account.cookies
+        oai_did = _extract_oai_did(account.cookies)
+        if oai_did:
+            headers["oai-device-id"] = oai_did
+
+    payload = {
+        "plan_name": "chatgptteamplan",
+        "team_plan_data": {
+            "workspace_name": workspace_name,
+            "price_interval": price_interval,
+            "seat_quantity": seat_quantity,
+        },
+        "billing_details": {"country": country, "currency": currency},
+        "promo_campaign": {
+            "promo_campaign_id": "team-1-month-free",
+            "is_coupon_from_query_param": True,
+        },
+        "cancel_url": "https://chatgpt.com/#pricing",
+        "checkout_ui_mode": "custom",
+    }
+
+    resp = cffi_requests.post(
+        PAYMENT_CHECKOUT_URL,
+        headers=headers,
+        json=payload,
+        proxies=_build_proxies(proxy),
+        timeout=30,
+        impersonate="chrome110",
+    )
+    resp.raise_for_status()
+    data = resp.json()
+    if "checkout_session_id" in data:
+        return TEAM_CHECKOUT_BASE_URL + data["checkout_session_id"]
+    raise ValueError(data.get("detail", "API 未返回 checkout_session_id"))
+
+
+def open_url_incognito(url: str, cookies_str: Optional[str] = None) -> bool:
+    """用 Playwright 以无痕模式打开 URL，可注入 cookie"""
+    import threading
+    try:
+        from playwright.sync_api import sync_playwright
+    except ImportError:
+        logger.warning("playwright 未安装，回退到系统浏览器")
+        return _open_url_system_browser(url)
+
+    def _launch():
+        try:
+            with sync_playwright() as p:
+                browser = p.chromium.launch(headless=False, args=["--incognito"])
+                ctx = browser.new_context()
+                if cookies_str:
+                    ctx.add_cookies(_parse_cookie_str(cookies_str, "chatgpt.com"))
+                page = ctx.new_page()
+                page.goto(url)
+                # 保持窗口打开直到用户关闭
+                page.wait_for_timeout(300_000)  # 最多等待 5 分钟
+        except Exception as e:
+            logger.warning(f"Playwright 无痕打开失败: {e}")
+
+    threading.Thread(target=_launch, daemon=True).start()
+    return True
+
+
+def check_subscription_status(account: Account, proxy: Optional[str] = None) -> str:
+    """
+    检测账号当前订阅状态。
+
+    Returns:
+        'free' / 'plus' / 'team'
+    """
+    if not account.access_token:
+        raise ValueError("账号缺少 access_token")
+
+    headers = {
+        "Authorization": f"Bearer {account.access_token}",
+        "Content-Type": "application/json",
+    }
+
+    resp = cffi_requests.get(
+        "https://chatgpt.com/backend-api/me",
+        headers=headers,
+        proxies=_build_proxies(proxy),
+        timeout=20,
+        impersonate="chrome110",
+    )
+    resp.raise_for_status()
+    data = resp.json()
+
+    # 解析订阅类型
+    plan = data.get("plan_type") or ""
+    if "team" in plan.lower():
+        return "team"
+    if "plus" in plan.lower():
+        return "plus"
+
+    # 尝试从 orgs 或 workspace 信息判断
+    orgs = data.get("orgs", {}).get("data", [])
+    for org in orgs:
+        settings_ = org.get("settings", {})
+        if settings_.get("workspace_plan_type") in ("team", "enterprise"):
+            return "team"
+
+    return "free"

src/core/openai/sentinel.py

@@ -0,0 +1,98 @@
+"""Helpers for OpenAI Sentinel proof-of-work tokens."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import random
+import time
+import uuid
+from datetime import datetime, timedelta, timezone
+from typing import Sequence
+
+
+DEFAULT_SENTINEL_DIFF = "0fffff"
+DEFAULT_MAX_ITERATIONS = 500_000
+_SCREEN_SIGNATURES = (3000, 3120, 4000, 4160)
+_LANGUAGE_SIGNATURE = "en-US,es-US,en,es"
+_NAVIGATOR_KEYS = ("location", "ontransitionend", "onprogress")
+_WINDOW_KEYS = ("window", "document", "navigator")
+
+
+class SentinelPOWError(RuntimeError):
+    """Raised when a Sentinel proof-of-work token cannot be solved."""
+
+
+def _format_browser_time() -> str:
+    """Match the browser-style timestamp used by public Sentinel solvers."""
+    browser_now = datetime.now(timezone(timedelta(hours=-5)))
+    return browser_now.strftime("%a %b %d %Y %H:%M:%S") + " GMT-0500 (Eastern Standard Time)"
+
+
+def build_sentinel_config(user_agent: str) -> list:
+    """Build a browser-like fingerprint payload for the Sentinel PoW solver."""
+    perf_ms = time.perf_counter() * 1000
+    epoch_ms = (time.time() * 1000) - perf_ms
+    return [
+        random.choice(_SCREEN_SIGNATURES),
+        _format_browser_time(),
+        4294705152,
+        0,
+        user_agent,
+        "",
+        "",
+        "en-US",
+        _LANGUAGE_SIGNATURE,
+        0,
+        random.choice(_NAVIGATOR_KEYS),
+        "location",
+        random.choice(_WINDOW_KEYS),
+        perf_ms,
+        str(uuid.uuid4()),
+        "",
+        8,
+        epoch_ms,
+    ]
+
+
+def _encode_pow_payload(config: Sequence[object], nonce: int) -> bytes:
+    prefix = (json.dumps(config[:3], separators=(",", ":"), ensure_ascii=False)[:-1] + ",").encode("utf-8")
+    middle = (
+        "," + json.dumps(config[4:9], separators=(",", ":"), ensure_ascii=False)[1:-1] + ","
+    ).encode("utf-8")
+    suffix = ("," + json.dumps(config[10:], separators=(",", ":"), ensure_ascii=False)[1:]).encode("utf-8")
+    body = prefix + str(nonce).encode("ascii") + middle + str(nonce >> 1).encode("ascii") + suffix
+    return base64.b64encode(body)
+
+
+def solve_sentinel_pow(
+    seed: str,
+    difficulty: str,
+    config: Sequence[object],
+    max_iterations: int = DEFAULT_MAX_ITERATIONS,
+) -> str:
+    """Solve the Sentinel PoW challenge and return the base64 payload."""
+    seed_bytes = seed.encode("utf-8")
+    target = bytes.fromhex(difficulty)
+    prefix_length = len(target)
+
+    for nonce in range(max_iterations):
+        encoded = _encode_pow_payload(config, nonce)
+        digest = hashlib.sha3_512(seed_bytes + encoded).digest()
+        if digest[:prefix_length] <= target:
+            return encoded.decode("ascii")
+
+    raise SentinelPOWError(f"failed to solve sentinel pow after {max_iterations} attempts")
+
+
+def build_sentinel_pow_token(
+    user_agent: str,
+    difficulty: str = DEFAULT_SENTINEL_DIFF,
+    max_iterations: int = DEFAULT_MAX_ITERATIONS,
+) -> str:
+    """Build the `p` token required by the Sentinel request endpoint."""
+    config = build_sentinel_config(user_agent)
+    seed = format(random.random())
+    solution = solve_sentinel_pow(seed, difficulty, config, max_iterations=max_iterations)
+    return f"gAAAAAC{solution}"

src/core/openai/token_refresh.py

@@ -0,0 +1,332 @@
+"""
+Token 刷新模块
+支持 Session Token 和 OAuth Refresh Token 两种刷新方式
+"""
+
+import logging
+import json
+import time
+from typing import Optional, Dict, Any, Tuple
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+
+from curl_cffi import requests as cffi_requests
+
+from ...config.settings import get_settings
+from ...database.session import get_db
+from ...database import crud
+from ...database.models import Account
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class TokenRefreshResult:
+    """Token 刷新结果"""
+    success: bool
+    access_token: str = ""
+    refresh_token: str = ""
+    expires_at: Optional[datetime] = None
+    error_message: str = ""
+
+
+class TokenRefreshManager:
+    """
+    Token 刷新管理器
+    支持两种刷新方式：
+    1. Session Token 刷新（优先）
+    2. OAuth Refresh Token 刷新
+    """
+
+    # OpenAI OAuth 端点
+    SESSION_URL = "https://chatgpt.com/api/auth/session"
+    TOKEN_URL = "https://auth.openai.com/oauth/token"
+
+    def __init__(self, proxy_url: Optional[str] = None):
+        """
+        初始化 Token 刷新管理器
+
+        Args:
+            proxy_url: 代理 URL
+        """
+        self.proxy_url = proxy_url
+        self.settings = get_settings()
+
+    def _create_session(self) -> cffi_requests.Session:
+        """创建 HTTP 会话"""
+        session = cffi_requests.Session(impersonate="chrome120", proxy=self.proxy_url)
+        return session
+
+    def refresh_by_session_token(self, session_token: str) -> TokenRefreshResult:
+        """
+        使用 Session Token 刷新
+
+        Args:
+            session_token: 会话令牌
+
+        Returns:
+            TokenRefreshResult: 刷新结果
+        """
+        result = TokenRefreshResult(success=False)
+
+        try:
+            session = self._create_session()
+
+            # 设置会话 Cookie
+            session.cookies.set(
+                "__Secure-next-auth.session-token",
+                session_token,
+                domain=".chatgpt.com",
+                path="/"
+            )
+
+            # 请求会话端点
+            response = session.get(
+                self.SESSION_URL,
+                headers={
+                    "accept": "application/json",
+                    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
+                },
+                timeout=30
+            )
+
+            if response.status_code != 200:
+                result.error_message = f"Session token 刷新失败: HTTP {response.status_code}"
+                logger.warning(result.error_message)
+                return result
+
+            data = response.json()
+
+            # 提取 access_token
+            access_token = data.get("accessToken")
+            if not access_token:
+                result.error_message = "Session token 刷新失败: 未找到 accessToken"
+                logger.warning(result.error_message)
+                return result
+
+            # 提取过期时间
+            expires_at = None
+            expires_str = data.get("expires")
+            if expires_str:
+                try:
+                    expires_at = datetime.fromisoformat(expires_str.replace("Z", "+00:00"))
+                except:
+                    pass
+
+            result.success = True
+            result.access_token = access_token
+            result.expires_at = expires_at
+
+            logger.info(f"Session token 刷新成功，过期时间: {expires_at}")
+            return result
+
+        except Exception as e:
+            result.error_message = f"Session token 刷新异常: {str(e)}"
+            logger.error(result.error_message)
+            return result
+
+    def refresh_by_oauth_token(
+        self,
+        refresh_token: str,
+        client_id: Optional[str] = None
+    ) -> TokenRefreshResult:
+        """
+        使用 OAuth Refresh Token 刷新
+
+        Args:
+            refresh_token: OAuth 刷新令牌
+            client_id: OAuth Client ID
+
+        Returns:
+            TokenRefreshResult: 刷新结果
+        """
+        result = TokenRefreshResult(success=False)
+
+        try:
+            session = self._create_session()
+
+            # 使用配置的 client_id 或默认值
+            client_id = client_id or self.settings.openai_client_id
+
+            # 构建请求体
+            token_data = {
+                "client_id": client_id,
+                "grant_type": "refresh_token",
+                "refresh_token": refresh_token,
+                "redirect_uri": self.settings.openai_redirect_uri
+            }
+
+            response = session.post(
+                self.TOKEN_URL,
+                headers={
+                    "content-type": "application/x-www-form-urlencoded",
+                    "accept": "application/json"
+                },
+                data=token_data,
+                timeout=30
+            )
+
+            if response.status_code != 200:
+                result.error_message = f"OAuth token 刷新失败: HTTP {response.status_code}"
+                logger.warning(f"{result.error_message}, 响应: {response.text[:200]}")
+                return result
+
+            data = response.json()
+
+            # 提取令牌
+            access_token = data.get("access_token")
+            new_refresh_token = data.get("refresh_token", refresh_token)
+            expires_in = data.get("expires_in", 3600)
+
+            if not access_token:
+                result.error_message = "OAuth token 刷新失败: 未找到 access_token"
+                logger.warning(result.error_message)
+                return result
+
+            # 计算过期时间
+            expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
+
+            result.success = True
+            result.access_token = access_token
+            result.refresh_token = new_refresh_token
+            result.expires_at = expires_at
+
+            logger.info(f"OAuth token 刷新成功，过期时间: {expires_at}")
+            return result
+
+        except Exception as e:
+            result.error_message = f"OAuth token 刷新异常: {str(e)}"
+            logger.error(result.error_message)
+            return result
+
+    def refresh_account(self, account: Account) -> TokenRefreshResult:
+        """
+        刷新账号的 Token
+
+        优先级：
+        1. Session Token 刷新
+        2. OAuth Refresh Token 刷新
+
+        Args:
+            account: 账号对象
+
+        Returns:
+            TokenRefreshResult: 刷新结果
+        """
+        # 优先尝试 Session Token
+        if account.session_token:
+            logger.info(f"尝试使用 Session Token 刷新账号 {account.email}")
+            result = self.refresh_by_session_token(account.session_token)
+            if result.success:
+                return result
+            logger.warning(f"Session Token 刷新失败，尝试 OAuth 刷新")
+
+        # 尝试 OAuth Refresh Token
+        if account.refresh_token:
+            logger.info(f"尝试使用 OAuth Refresh Token 刷新账号 {account.email}")
+            result = self.refresh_by_oauth_token(
+                refresh_token=account.refresh_token,
+                client_id=account.client_id
+            )
+            return result
+
+        # 无可用刷新方式
+        return TokenRefreshResult(
+            success=False,
+            error_message="账号没有可用的刷新方式（缺少 session_token 和 refresh_token）"
+        )
+
+    def validate_token(self, access_token: str) -> Tuple[bool, Optional[str]]:
+        """
+        验证 Access Token 是否有效
+
+        Args:
+            access_token: 访问令牌
+
+        Returns:
+            Tuple[bool, Optional[str]]: (是否有效, 错误信息)
+        """
+        try:
+            session = self._create_session()
+
+            # 调用 OpenAI API 验证 token
+            response = session.get(
+                "https://chatgpt.com/backend-api/me",
+                headers={
+                    "authorization": f"Bearer {access_token}",
+                    "accept": "application/json"
+                },
+                timeout=30
+            )
+
+            if response.status_code == 200:
+                return True, None
+            elif response.status_code == 401:
+                return False, "Token 无效或已过期"
+            elif response.status_code == 403:
+                return False, "账号可能被封禁"
+            else:
+                return False, f"验证失败: HTTP {response.status_code}"
+
+        except Exception as e:
+            return False, f"验证异常: {str(e)}"
+
+
+def refresh_account_token(account_id: int, proxy_url: Optional[str] = None) -> TokenRefreshResult:
+    """
+    刷新指定账号的 Token 并更新数据库
+
+    Args:
+        account_id: 账号 ID
+        proxy_url: 代理 URL
+
+    Returns:
+        TokenRefreshResult: 刷新结果
+    """
+    with get_db() as db:
+        account = crud.get_account_by_id(db, account_id)
+        if not account:
+            return TokenRefreshResult(success=False, error_message="账号不存在")
+
+        manager = TokenRefreshManager(proxy_url=proxy_url)
+        result = manager.refresh_account(account)
+
+        if result.success:
+            # 更新数据库
+            update_data = {
+                "access_token": result.access_token,
+                "last_refresh": datetime.utcnow()
+            }
+
+            if result.refresh_token:
+                update_data["refresh_token"] = result.refresh_token
+
+            if result.expires_at:
+                update_data["expires_at"] = result.expires_at
+
+            crud.update_account(db, account_id, **update_data)
+
+        return result
+
+
+def validate_account_token(account_id: int, proxy_url: Optional[str] = None) -> Tuple[bool, Optional[str]]:
+    """
+    验证指定账号的 Token 是否有效
+
+    Args:
+        account_id: 账号 ID
+        proxy_url: ���理 URL
+
+    Returns:
+        Tuple[bool, Optional[str]]: (是否有效, 错误信息)
+    """
+    with get_db() as db:
+        account = crud.get_account_by_id(db, account_id)
+        if not account:
+            return False, "账号不存在"
+
+        if not account.access_token:
+            return False, "账号没有 access_token"
+
+        manager = TokenRefreshManager(proxy_url=proxy_url)
+        return manager.validate_token(account.access_token)

src/core/register.py

@@ -0,0 +1,1009 @@
+"""
+注册流程引擎
+从 main.py 中提取并重构的注册流程
+"""
+
+import re
+import json
+import time
+import logging
+import secrets
+import string
+from typing import Optional, Dict, Any, Tuple, Callable
+from dataclasses import dataclass
+from datetime import datetime
+
+from curl_cffi import requests as cffi_requests
+
+from .openai.oauth import OAuthManager, OAuthStart
+from .http_client import OpenAIHTTPClient, HTTPClientError
+from ..services import EmailServiceFactory, BaseEmailService, EmailServiceType
+from ..database import crud
+from ..database.session import get_db
+from ..config.constants import (
+    OPENAI_API_ENDPOINTS,
+    OPENAI_PAGE_TYPES,
+    generate_random_user_info,
+    OTP_CODE_PATTERN,
+    DEFAULT_PASSWORD_LENGTH,
+    PASSWORD_CHARSET,
+    AccountStatus,
+    TaskStatus,
+)
+from ..config.settings import get_settings
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class RegistrationResult:
+    """注册结果"""
+    success: bool
+    email: str = ""
+    password: str = ""  # 注册密码
+    account_id: str = ""
+    workspace_id: str = ""
+    access_token: str = ""
+    refresh_token: str = ""
+    id_token: str = ""
+    session_token: str = ""  # 会话令牌
+    error_message: str = ""
+    logs: list = None
+    metadata: dict = None
+    source: str = "register"  # 'register' 或 'login'，区分账号来源
+
+    def to_dict(self) -> Dict[str, Any]:
+        """转换为字典"""
+        return {
+            "success": self.success,
+            "email": self.email,
+            "password": self.password,
+            "account_id": self.account_id,
+            "workspace_id": self.workspace_id,
+            "access_token": self.access_token[:20] + "..." if self.access_token else "",
+            "refresh_token": self.refresh_token[:20] + "..." if self.refresh_token else "",
+            "id_token": self.id_token[:20] + "..." if self.id_token else "",
+            "session_token": self.session_token[:20] + "..." if self.session_token else "",
+            "error_message": self.error_message,
+            "logs": self.logs or [],
+            "metadata": self.metadata or {},
+            "source": self.source,
+        }
+
+
+@dataclass
+class SignupFormResult:
+    """提交注册表单的结果"""
+    success: bool
+    page_type: str = ""  # 响应中的 page.type 字段
+    is_existing_account: bool = False  # 是否为已注册账号
+    response_data: Dict[str, Any] = None  # 完整的响应数据
+    error_message: str = ""
+
+
+class RegistrationEngine:
+    """
+    注册引擎
+    负责协调邮箱服务、OAuth 流程和 OpenAI API 调用
+    """
+
+    def __init__(
+        self,
+        email_service: BaseEmailService,
+        proxy_url: Optional[str] = None,
+        callback_logger: Optional[Callable[[str], None]] = None,
+        task_uuid: Optional[str] = None
+    ):
+        """
+        初始化注册引擎
+
+        Args:
+            email_service: 邮箱服务实例
+            proxy_url: 代理 URL
+            callback_logger: 日志回调函数
+            task_uuid: 任务 UUID（用于数据库记录）
+        """
+        self.email_service = email_service
+        self.proxy_url = proxy_url
+        self.callback_logger = callback_logger or (lambda msg: logger.info(msg))
+        self.task_uuid = task_uuid
+
+        # 创建 HTTP 客户端
+        self.http_client = OpenAIHTTPClient(proxy_url=proxy_url)
+
+        # 创建 OAuth 管理器
+        settings = get_settings()
+        self.oauth_manager = OAuthManager(
+            client_id=settings.openai_client_id,
+            auth_url=settings.openai_auth_url,
+            token_url=settings.openai_token_url,
+            redirect_uri=settings.openai_redirect_uri,
+            scope=settings.openai_scope,
+            proxy_url=proxy_url  # 传递代理配置
+        )
+
+        # 状态变量
+        self.email: Optional[str] = None
+        self.password: Optional[str] = None  # 注册密码
+        self.email_info: Optional[Dict[str, Any]] = None
+        self.oauth_start: Optional[OAuthStart] = None
+        self.session: Optional[cffi_requests.Session] = None
+        self.session_token: Optional[str] = None  # 会话令牌
+        self.logs: list = []
+        self._otp_sent_at: Optional[float] = None  # OTP 发送时间戳
+        self._is_existing_account: bool = False  # 是否为已注册账号（用于自动登录）
+        self._token_acquisition_requires_login: bool = False  # 新注册账号需要二次登录拿 token
+
+    def _log(self, message: str, level: str = "info"):
+        """记录日志"""
+        timestamp = datetime.now().strftime("%H:%M:%S")
+        log_message = f"[{timestamp}] {message}"
+
+        # 添加到日志列表
+        self.logs.append(log_message)
+
+        # 调用回调函数
+        if self.callback_logger:
+            self.callback_logger(log_message)
+
+        # 记录到数据库（如果有关联任务）
+        if self.task_uuid:
+            try:
+                with get_db() as db:
+                    crud.append_task_log(db, self.task_uuid, log_message)
+            except Exception as e:
+                logger.warning(f"记录任务日志失败: {e}")
+
+        # 根据级别记录到日志系统
+        if level == "error":
+            logger.error(message)
+        elif level == "warning":
+            logger.warning(message)
+        else:
+            logger.info(message)
+
+    def _generate_password(self, length: int = DEFAULT_PASSWORD_LENGTH) -> str:
+        """生成随机密码"""
+        return ''.join(secrets.choice(PASSWORD_CHARSET) for _ in range(length))
+
+    def _check_ip_location(self) -> Tuple[bool, Optional[str]]:
+        """检查 IP 地理位置"""
+        try:
+            return self.http_client.check_ip_location()
+        except Exception as e:
+            self._log(f"检查 IP 地理位置失败: {e}", "error")
+            return False, None
+
+    def _create_email(self) -> bool:
+        """创建邮箱"""
+        try:
+            self._log(f"正在创建 {self.email_service.service_type.value} 邮箱，先给新账号整个收件箱...")
+            self.email_info = self.email_service.create_email()
+
+            if not self.email_info or "email" not in self.email_info:
+                self._log("创建邮箱失败: 返回信息不完整", "error")
+                return False
+
+            self.email = self.email_info["email"]
+            self._log(f"邮箱已就位，地址新鲜出炉: {self.email}")
+            return True
+
+        except Exception as e:
+            self._log(f"创建邮箱失败: {e}", "error")
+            return False
+
+    def _start_oauth(self) -> bool:
+        """开始 OAuth 流程"""
+        try:
+            self._log("开始 OAuth 授权流程，去门口刷个脸...")
+            self.oauth_start = self.oauth_manager.start_oauth()
+            self._log(f"OAuth URL 已备好，通道已经打开: {self.oauth_start.auth_url[:80]}...")
+            return True
+        except Exception as e:
+            self._log(f"生成 OAuth URL 失败: {e}", "error")
+            return False
+
+    def _init_session(self) -> bool:
+        """初始化会话"""
+        try:
+            self.session = self.http_client.session
+            return True
+        except Exception as e:
+            self._log(f"初始化会话失败: {e}", "error")
+            return False
+
+    def _get_device_id(self) -> Optional[str]:
+        """获取 Device ID"""
+        if not self.oauth_start:
+            return None
+
+        max_attempts = 3
+        for attempt in range(1, max_attempts + 1):
+            try:
+                if not self.session:
+                    self.session = self.http_client.session
+
+                response = self.session.get(
+                    self.oauth_start.auth_url,
+                    timeout=20
+                )
+                did = self.session.cookies.get("oai-did")
+
+                if did:
+                    self._log(f"Device ID: {did}")
+                    return did
+
+                self._log(
+                    f"获取 Device ID 失败: 未返回 oai-did Cookie (HTTP {response.status_code}, 第 {attempt}/{max_attempts} 次)",
+                    "warning" if attempt < max_attempts else "error"
+                )
+            except Exception as e:
+                self._log(
+                    f"获取 Device ID 失败: {e} (第 {attempt}/{max_attempts} 次)",
+                    "warning" if attempt < max_attempts else "error"
+                )
+
+            if attempt < max_attempts:
+                time.sleep(attempt)
+                self.http_client.close()
+                self.session = self.http_client.session
+
+        return None
+
+    def _check_sentinel(self, did: str) -> Optional[str]:
+        """检查 Sentinel 拦截"""
+        try:
+            sen_token = self.http_client.check_sentinel(did)
+            if sen_token:
+                self._log(f"Sentinel token 获取成功")
+                return sen_token
+            self._log("Sentinel 检查失败: 未获取到 token", "warning")
+            return None
+
+        except Exception as e:
+            self._log(f"Sentinel 检查异常: {e}", "warning")
+            return None
+
+    def _submit_auth_start(
+        self,
+        did: str,
+        sen_token: Optional[str],
+        *,
+        screen_hint: str,
+        referer: str,
+        log_label: str,
+        record_existing_account: bool = True,
+    ) -> SignupFormResult:
+        """
+        提交授权入口表单
+
+        Returns:
+            SignupFormResult: 提交结果，包含账号状态判断
+        """
+        try:
+            request_body = json.dumps({
+                "username": {
+                    "value": self.email,
+                    "kind": "email",
+                },
+                "screen_hint": screen_hint,
+            })
+
+            headers = {
+                "referer": referer,
+                "accept": "application/json",
+                "content-type": "application/json",
+            }
+
+            if sen_token:
+                sentinel = json.dumps({
+                    "p": "",
+                    "t": "",
+                    "c": sen_token,
+                    "id": did,
+                    "flow": "authorize_continue",
+                })
+                headers["openai-sentinel-token"] = sentinel
+
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["signup"],
+                headers=headers,
+                data=request_body,
+            )
+
+            self._log(f"{log_label}状态: {response.status_code}")
+
+            if response.status_code != 200:
+                return SignupFormResult(
+                    success=False,
+                    error_message=f"HTTP {response.status_code}: {response.text[:200]}"
+                )
+
+            # 解析响应判断账号状态
+            try:
+                response_data = response.json()
+                page_type = response_data.get("page", {}).get("type", "")
+                self._log(f"响应页面类型: {page_type}")
+
+                is_existing = page_type == OPENAI_PAGE_TYPES["EMAIL_OTP_VERIFICATION"]
+
+                if is_existing:
+                    self._otp_sent_at = time.time()
+                    if record_existing_account:
+                        self._log(f"检测到已注册账号，将自动切换到登录流程")
+                        self._is_existing_account = True
+                    else:
+                        self._log("登录流程已触发，等待系统自动发送的验证码")
+
+                return SignupFormResult(
+                    success=True,
+                    page_type=page_type,
+                    is_existing_account=is_existing,
+                    response_data=response_data
+                )
+
+            except Exception as parse_error:
+                self._log(f"解析响应失败: {parse_error}", "warning")
+                # 无法解析，默认成功
+                return SignupFormResult(success=True)
+
+        except Exception as e:
+            self._log(f"{log_label}失败: {e}", "error")
+            return SignupFormResult(success=False, error_message=str(e))
+
+    def _submit_signup_form(
+        self,
+        did: str,
+        sen_token: Optional[str],
+        *,
+        record_existing_account: bool = True,
+    ) -> SignupFormResult:
+        """提交注册入口表单。"""
+        return self._submit_auth_start(
+            did,
+            sen_token,
+            screen_hint="signup",
+            referer="https://auth.openai.com/create-account",
+            log_label="提交注册表单",
+            record_existing_account=record_existing_account,
+        )
+
+    def _submit_login_start(self, did: str, sen_token: Optional[str]) -> SignupFormResult:
+        """提交登录入口表单。"""
+        return self._submit_auth_start(
+            did,
+            sen_token,
+            screen_hint="login",
+            referer="https://auth.openai.com/log-in",
+            log_label="提交登录入口",
+            record_existing_account=False,
+        )
+
+    def _submit_login_password(self) -> SignupFormResult:
+        """提交登录密码，进入邮箱验证码页面。"""
+        try:
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["password_verify"],
+                headers={
+                    "referer": "https://auth.openai.com/log-in/password",
+                    "accept": "application/json",
+                    "content-type": "application/json",
+                },
+                data=json.dumps({"password": self.password}),
+            )
+
+            self._log(f"提交登录密码状态: {response.status_code}")
+
+            if response.status_code != 200:
+                return SignupFormResult(
+                    success=False,
+                    error_message=f"HTTP {response.status_code}: {response.text[:200]}"
+                )
+
+            response_data = response.json()
+            page_type = response_data.get("page", {}).get("type", "")
+            self._log(f"登录密码响应页面类型: {page_type}")
+
+            is_existing = page_type == OPENAI_PAGE_TYPES["EMAIL_OTP_VERIFICATION"]
+            if is_existing:
+                self._otp_sent_at = time.time()
+                self._log("登录密码校验通过，等待系统自动发送的验证码")
+
+            return SignupFormResult(
+                success=True,
+                page_type=page_type,
+                is_existing_account=is_existing,
+                response_data=response_data,
+            )
+
+        except Exception as e:
+            self._log(f"提交登录密码失败: {e}", "error")
+            return SignupFormResult(success=False, error_message=str(e))
+
+    def _reset_auth_flow(self) -> None:
+        """重置会话，准备重新发起 OAuth 流程。"""
+        self.http_client.close()
+        self.session = None
+        self.oauth_start = None
+        self.session_token = None
+        self._otp_sent_at = None
+
+    def _prepare_authorize_flow(self, label: str) -> Tuple[Optional[str], Optional[str]]:
+        """初始化当前阶段的授权流程，返回 device id 和 sentinel token。"""
+        self._log(f"{label}: 先把会话热热身...")
+        if not self._init_session():
+            return None, None
+
+        self._log(f"{label}: OAuth 流程准备开跑，系好鞋带...")
+        if not self._start_oauth():
+            return None, None
+
+        self._log(f"{label}: 领取 Device ID 通行证...")
+        did = self._get_device_id()
+        if not did:
+            return None, None
+
+        self._log(f"{label}: 解一道 Sentinel POW 小题，答对才给进...")
+        sen_token = self._check_sentinel(did)
+        if not sen_token:
+            return did, None
+
+        self._log(f"{label}: Sentinel 点头放行，继续前进")
+        return did, sen_token
+
+    def _complete_token_exchange(self, result: RegistrationResult) -> bool:
+        """在登录态已建立后，继续完成 workspace 和 OAuth token 获取。"""
+        self._log("等待登录验证码到场，最后这位嘉宾还在路上...")
+        code = self._get_verification_code()
+        if not code:
+            result.error_message = "获取验证码失败"
+            return False
+
+        self._log("核对登录验证码，验明正身一下...")
+        if not self._validate_verification_code(code):
+            result.error_message = "验证码校验失败"
+            return False
+
+        self._log("摸一下 Workspace ID，看看该坐哪桌...")
+        workspace_id = self._get_workspace_id()
+        if not workspace_id:
+            result.error_message = "获取 Workspace ID 失败"
+            return False
+
+        result.workspace_id = workspace_id
+
+        self._log("选择 Workspace，安排个靠谱座位...")
+        continue_url = self._select_workspace(workspace_id)
+        if not continue_url:
+            result.error_message = "选择 Workspace 失败"
+            return False
+
+        self._log("顺着重定向面包屑往前走，别跟丢了...")
+        callback_url = self._follow_redirects(continue_url)
+        if not callback_url:
+            result.error_message = "跟随重定向链失败"
+            return False
+
+        self._log("处理 OAuth 回调，准备把 token 请出来...")
+        token_info = self._handle_oauth_callback(callback_url)
+        if not token_info:
+            result.error_message = "处理 OAuth 回调失败"
+            return False
+
+        result.account_id = token_info.get("account_id", "")
+        result.access_token = token_info.get("access_token", "")
+        result.refresh_token = token_info.get("refresh_token", "")
+        result.id_token = token_info.get("id_token", "")
+        result.password = self.password or ""
+        result.source = "login" if self._is_existing_account else "register"
+
+        session_cookie = self.session.cookies.get("__Secure-next-auth.session-token")
+        if session_cookie:
+            self.session_token = session_cookie
+            result.session_token = session_cookie
+            self._log("Session Token 也捞到了，今天这网没白连")
+
+        return True
+
+    def _restart_login_flow(self) -> Tuple[bool, str]:
+        """新注册账号完成建号后，重新发起一次登录流程拿 token。"""
+        self._token_acquisition_requires_login = True
+        self._log("注册这边忙完了，再走一趟登录把 token 请出来，收个尾...")
+        self._reset_auth_flow()
+
+        did, sen_token = self._prepare_authorize_flow("重新登录")
+        if not did:
+            return False, "重新登录时获取 Device ID 失败"
+        if not sen_token:
+            return False, "重新登录时 Sentinel POW 验证失败"
+
+        login_start_result = self._submit_login_start(did, sen_token)
+        if not login_start_result.success:
+            return False, f"重新登录提交邮箱失败: {login_start_result.error_message}"
+        if login_start_result.page_type != OPENAI_PAGE_TYPES["LOGIN_PASSWORD"]:
+            return False, f"重新登录未进入密码页面: {login_start_result.page_type or 'unknown'}"
+
+        password_result = self._submit_login_password()
+        if not password_result.success:
+            return False, f"重新登录提交密码失败: {password_result.error_message}"
+        if not password_result.is_existing_account:
+            return False, f"重新登录未进入验证码页面: {password_result.page_type or 'unknown'}"
+        return True, ""
+
+    def _register_password(self) -> Tuple[bool, Optional[str]]:
+        """注册密码"""
+        try:
+            # 生成密码
+            password = self._generate_password()
+            self.password = password  # 保存密码到实例变量
+            self._log(f"生成密码: {password}")
+
+            # 提交密码注册
+            register_body = json.dumps({
+                "password": password,
+                "username": self.email
+            })
+
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["register"],
+                headers={
+                    "referer": "https://auth.openai.com/create-account/password",
+                    "accept": "application/json",
+                    "content-type": "application/json",
+                },
+                data=register_body,
+            )
+
+            self._log(f"提交密码状态: {response.status_code}")
+
+            if response.status_code != 200:
+                error_text = response.text[:500]
+                self._log(f"密码注册失败: {error_text}", "warning")
+
+                # 解析错误信息，判断是否是邮箱已注册
+                try:
+                    error_json = response.json()
+                    error_msg = error_json.get("error", {}).get("message", "")
+                    error_code = error_json.get("error", {}).get("code", "")
+
+                    # 检测邮箱已注册的情况
+                    if "already" in error_msg.lower() or "exists" in error_msg.lower() or error_code == "user_exists":
+                        self._log(f"邮箱 {self.email} 可能已在 OpenAI 注册过", "error")
+                        # 标记此邮箱为已注册状态
+                        self._mark_email_as_registered()
+                except Exception:
+                    pass
+
+                return False, None
+
+            return True, password
+
+        except Exception as e:
+            self._log(f"密码注册失败: {e}", "error")
+            return False, None
+
+    def _mark_email_as_registered(self):
+        """标记邮箱为已注册状态（用于防止重复尝试）"""
+        try:
+            with get_db() as db:
+                # 检查是否已存在该邮箱的记录
+                existing = crud.get_account_by_email(db, self.email)
+                if not existing:
+                    # 创建一个失败记录，标记该邮箱已注册过
+                    crud.create_account(
+                        db,
+                        email=self.email,
+                        password="",  # 空密码表示未成功注册
+                        email_service=self.email_service.service_type.value,
+                        email_service_id=self.email_info.get("service_id") if self.email_info else None,
+                        status="failed",
+                        extra_data={"register_failed_reason": "email_already_registered_on_openai"}
+                    )
+                    self._log(f"已在数据库中标记邮箱 {self.email} 为已注册状态")
+        except Exception as e:
+            logger.warning(f"标记邮箱状态失败: {e}")
+
+    def _send_verification_code(self) -> bool:
+        """发送验证码"""
+        try:
+            # 记录发送时间戳
+            self._otp_sent_at = time.time()
+
+            response = self.session.get(
+                OPENAI_API_ENDPOINTS["send_otp"],
+                headers={
+                    "referer": "https://auth.openai.com/create-account/password",
+                    "accept": "application/json",
+                },
+            )
+
+            self._log(f"验证码发送状态: {response.status_code}")
+            return response.status_code == 200
+
+        except Exception as e:
+            self._log(f"发送验证码失败: {e}", "error")
+            return False
+
+    def _get_verification_code(self) -> Optional[str]:
+        """获取验证码"""
+        try:
+            self._log(f"正在等待邮箱 {self.email} 的验证码...")
+
+            email_id = self.email_info.get("service_id") if self.email_info else None
+            code = self.email_service.get_verification_code(
+                email=self.email,
+                email_id=email_id,
+                timeout=30,
+                pattern=OTP_CODE_PATTERN,
+                otp_sent_at=self._otp_sent_at,
+            )
+
+            if code:
+                self._log(f"成功获取验证码: {code}")
+                return code
+            else:
+                self._log("等待验证码超时", "error")
+                return None
+
+        except Exception as e:
+            self._log(f"获取验证码失败: {e}", "error")
+            return None
+
+    def _validate_verification_code(self, code: str) -> bool:
+        """验证验证码"""
+        try:
+            code_body = f'{{"code":"{code}"}}'
+
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["validate_otp"],
+                headers={
+                    "referer": "https://auth.openai.com/email-verification",
+                    "accept": "application/json",
+                    "content-type": "application/json",
+                },
+                data=code_body,
+            )
+
+            self._log(f"验证码校验状态: {response.status_code}")
+            return response.status_code == 200
+
+        except Exception as e:
+            self._log(f"验证验证码失败: {e}", "error")
+            return False
+
+    def _create_user_account(self) -> bool:
+        """创建用户账户"""
+        try:
+            user_info = generate_random_user_info()
+            self._log(f"生成用户信息: {user_info['name']}, 生日: {user_info['birthdate']}")
+            create_account_body = json.dumps(user_info)
+
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["create_account"],
+                headers={
+                    "referer": "https://auth.openai.com/about-you",
+                    "accept": "application/json",
+                    "content-type": "application/json",
+                },
+                data=create_account_body,
+            )
+
+            self._log(f"账户创建状态: {response.status_code}")
+
+            if response.status_code != 200:
+                self._log(f"账户创建失败: {response.text[:200]}", "warning")
+                return False
+
+            return True
+
+        except Exception as e:
+            self._log(f"创建账户失败: {e}", "error")
+            return False
+
+    def _get_workspace_id(self) -> Optional[str]:
+        """获取 Workspace ID"""
+        try:
+            auth_cookie = self.session.cookies.get("oai-client-auth-session")
+            if not auth_cookie:
+                self._log("未能获取到授权 Cookie", "error")
+                return None
+
+            # 解码 JWT
+            import base64
+            import json as json_module
+
+            try:
+                segments = auth_cookie.split(".")
+                if len(segments) < 1:
+                    self._log("授权 Cookie 格式错误", "error")
+                    return None
+
+                # 解码第一个 segment
+                payload = segments[0]
+                pad = "=" * ((4 - (len(payload) % 4)) % 4)
+                decoded = base64.urlsafe_b64decode((payload + pad).encode("ascii"))
+                auth_json = json_module.loads(decoded.decode("utf-8"))
+
+                workspaces = auth_json.get("workspaces") or []
+                if not workspaces:
+                    self._log("授权 Cookie 里没有 workspace 信息", "error")
+                    return None
+
+                workspace_id = str((workspaces[0] or {}).get("id") or "").strip()
+                if not workspace_id:
+                    self._log("无法解析 workspace_id", "error")
+                    return None
+
+                self._log(f"Workspace ID: {workspace_id}")
+                return workspace_id
+
+            except Exception as e:
+                self._log(f"解析授权 Cookie 失败: {e}", "error")
+                return None
+
+        except Exception as e:
+            self._log(f"获取 Workspace ID 失败: {e}", "error")
+            return None
+
+    def _select_workspace(self, workspace_id: str) -> Optional[str]:
+        """选择 Workspace"""
+        try:
+            select_body = f'{{"workspace_id":"{workspace_id}"}}'
+
+            response = self.session.post(
+                OPENAI_API_ENDPOINTS["select_workspace"],
+                headers={
+                    "referer": "https://auth.openai.com/sign-in-with-chatgpt/codex/consent",
+                    "content-type": "application/json",
+                },
+                data=select_body,
+            )
+
+            if response.status_code != 200:
+                self._log(f"选择 workspace 失败: {response.status_code}", "error")
+                self._log(f"响应: {response.text[:200]}", "warning")
+                return None
+
+            continue_url = str((response.json() or {}).get("continue_url") or "").strip()
+            if not continue_url:
+                self._log("workspace/select 响应里缺少 continue_url", "error")
+                return None
+
+            self._log(f"Continue URL: {continue_url[:100]}...")
+            return continue_url
+
+        except Exception as e:
+            self._log(f"选择 Workspace 失败: {e}", "error")
+            return None
+
+    def _follow_redirects(self, start_url: str) -> Optional[str]:
+        """跟随重定向链，寻找回调 URL"""
+        try:
+            current_url = start_url
+            max_redirects = 6
+
+            for i in range(max_redirects):
+                self._log(f"重定向 {i+1}/{max_redirects}: {current_url[:100]}...")
+
+                response = self.session.get(
+                    current_url,
+                    allow_redirects=False,
+                    timeout=15
+                )
+
+                location = response.headers.get("Location") or ""
+
+                # 如果不是重定向状态码，停止
+                if response.status_code not in [301, 302, 303, 307, 308]:
+                    self._log(f"非重定向状态码: {response.status_code}")
+                    break
+
+                if not location:
+                    self._log("重定向响应缺少 Location 头")
+                    break
+
+                # 构建下一个 URL
+                import urllib.parse
+                next_url = urllib.parse.urljoin(current_url, location)
+
+                # 检查是否包含回调参数
+                if "code=" in next_url and "state=" in next_url:
+                    self._log(f"找到回调 URL: {next_url[:100]}...")
+                    return next_url
+
+                current_url = next_url
+
+            self._log("未能在重定向链中找到回调 URL", "error")
+            return None
+
+        except Exception as e:
+            self._log(f"跟随重定向失败: {e}", "error")
+            return None
+
+    def _handle_oauth_callback(self, callback_url: str) -> Optional[Dict[str, Any]]:
+        """处理 OAuth 回调"""
+        try:
+            if not self.oauth_start:
+                self._log("OAuth 流程未初始化", "error")
+                return None
+
+            self._log("处理 OAuth 回调，最后一哆嗦，稳住别抖...")
+            token_info = self.oauth_manager.handle_callback(
+                callback_url=callback_url,
+                expected_state=self.oauth_start.state,
+                code_verifier=self.oauth_start.code_verifier
+            )
+
+            self._log("OAuth 授权成功，通关文牒到手")
+            return token_info
+
+        except Exception as e:
+            self._log(f"处理 OAuth 回调失败: {e}", "error")
+            return None
+
+    def run(self) -> RegistrationResult:
+        """
+        执行完整的注册流程
+
+        支持已注册账号自动登录：
+        - 如果检测到邮箱已注册，自动切换到登录流程
+        - 已注册账号跳过：设置密码、发送验证码、创建用户账户
+        - 共用步骤：获取验证码、验证验证码、Workspace 和 OAuth 回调
+
+        Returns:
+            RegistrationResult: 注册结果
+        """
+        result = RegistrationResult(success=False, logs=self.logs)
+
+        try:
+            self._is_existing_account = False
+            self._token_acquisition_requires_login = False
+            self._otp_sent_at = None
+
+            self._log("=" * 60)
+            self._log("注册流程启动，开始替你敲门")
+            self._log("=" * 60)
+
+            # 1. 检查 IP 地理位置
+            self._log("1. 先看看这条网络从哪儿来，别一开局就站错片场...")
+            ip_ok, location = self._check_ip_location()
+            if not ip_ok:
+                result.error_message = f"IP 地理位置不支持: {location}"
+                self._log(f"IP 检查失败: {location}", "error")
+                return result
+
+            self._log(f"IP 位置: {location}")
+
+            # 2. 创建邮箱
+            self._log("2. 开个新邮箱，准备收信...")
+            if not self._create_email():
+                result.error_message = "创建邮箱失败"
+                return result
+
+            result.email = self.email
+
+            # 3. 准备首轮授权流程
+            did, sen_token = self._prepare_authorize_flow("首次授权")
+            if not did:
+                result.error_message = "获取 Device ID 失败"
+                return result
+            if not sen_token:
+                result.error_message = "Sentinel POW 验证失败"
+                return result
+
+            # 4. 提交注册入口邮箱
+            self._log("4. 递上邮箱，看看 OpenAI 这球怎么接...")
+            signup_result = self._submit_signup_form(did, sen_token)
+            if not signup_result.success:
+                result.error_message = f"提交注册表单失败: {signup_result.error_message}"
+                return result
+
+            if self._is_existing_account:
+                self._log("检测到这是老朋友账号，直接切去登录拿 token，不走弯路")
+            else:
+                self._log("5. 设置密码，别让小偷偷笑...")
+                password_ok, _ = self._register_password()
+                if not password_ok:
+                    result.error_message = "注册密码失败"
+                    return result
+
+                self._log("6. 催一下注册验证码出门，邮差该冲刺了...")
+                if not self._send_verification_code():
+                    result.error_message = "发送验证码失败"
+                    return result
+
+                self._log("7. 等验证码飞来，邮箱请注意查收...")
+                code = self._get_verification_code()
+                if not code:
+                    result.error_message = "获取验证码失败"
+                    return result
+
+                self._log("8. 对一下验证码，看看是不是本人...")
+                if not self._validate_verification_code(code):
+                    result.error_message = "验证验证码失败"
+                    return result
+
+                self._log("9. 给账号办个正式户口，名字写档案里...")
+                if not self._create_user_account():
+                    result.error_message = "创建用户账户失败"
+                    return result
+
+                login_ready, login_error = self._restart_login_flow()
+                if not login_ready:
+                    result.error_message = login_error
+                    return result
+
+            if not self._complete_token_exchange(result):
+                return result
+
+            # 10. 完成
+            self._log("=" * 60)
+            if self._is_existing_account:
+                self._log("登录成功，老朋友顺利回家")
+            else:
+                self._log("注册成功，账号已经稳稳落地，可以开香槟了")
+            self._log(f"邮箱: {result.email}")
+            self._log(f"Account ID: {result.account_id}")
+            self._log(f"Workspace ID: {result.workspace_id}")
+            self._log("=" * 60)
+
+            result.success = True
+            result.metadata = {
+                "email_service": self.email_service.service_type.value,
+                "proxy_used": self.proxy_url,
+                "registered_at": datetime.now().isoformat(),
+                "is_existing_account": self._is_existing_account,
+                "token_acquired_via_relogin": self._token_acquisition_requires_login,
+            }
+
+            return result
+
+        except Exception as e:
+            self._log(f"注册过程中发生未预期错误: {e}", "error")
+            result.error_message = str(e)
+            return result
+
+    def save_to_database(self, result: RegistrationResult) -> bool:
+        """
+        保存注册结果到数据库
+
+        Args:
+            result: 注册结果
+
+        Returns:
+            是否保存成功
+        """
+        if not result.success:
+            return False
+
+        try:
+            # 获取默认 client_id
+            settings = get_settings()
+
+            with get_db() as db:
+                # 保存账户信息
+                account = crud.create_account(
+                    db,
+                    email=result.email,
+                    password=result.password,
+                    client_id=settings.openai_client_id,
+                    session_token=result.session_token,
+                    email_service=self.email_service.service_type.value,
+                    email_service_id=self.email_info.get("service_id") if self.email_info else None,
+                    account_id=result.account_id,
+                    workspace_id=result.workspace_id,
+                    access_token=result.access_token,
+                    refresh_token=result.refresh_token,
+                    id_token=result.id_token,
+                    proxy_used=self.proxy_url,
+                    extra_data=result.metadata,
+                    source=result.source
+                )
+
+                self._log(f"账户已存进数据库，落袋为安，ID: {account.id}")
+                return True
+
+        except Exception as e:
+            self._log(f"保存到数据库失败: {e}", "error")
+            return False

src/core/upload/__init__.py

@@ -0,0 +1,3 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# @Time : 2026/3/18 19:54

src/core/upload/cpa_upload.py

@@ -0,0 +1,312 @@
+"""
+CPA (Codex Protocol API) 上传功能
+"""
+
+import json
+import logging
+from typing import List, Dict, Any, Tuple, Optional
+from datetime import datetime
+from urllib.parse import quote
+
+from curl_cffi import requests as cffi_requests
+from curl_cffi import CurlMime
+
+from ...database.session import get_db
+from ...database.models import Account
+from ...config.settings import get_settings
+
+logger = logging.getLogger(__name__)
+
+
+def _normalize_cpa_auth_files_url(api_url: str) -> str:
+    """将用户填写的 CPA 地址规范化为 auth-files 接口地址。"""
+    normalized = (api_url or "").strip().rstrip("/")
+    lower_url = normalized.lower()
+
+    if not normalized:
+        return ""
+
+    if lower_url.endswith("/auth-files"):
+        return normalized
+
+    if lower_url.endswith("/v0/management") or lower_url.endswith("/management"):
+        return f"{normalized}/auth-files"
+
+    if lower_url.endswith("/v0"):
+        return f"{normalized}/management/auth-files"
+
+    return f"{normalized}/v0/management/auth-files"
+
+
+def _build_cpa_headers(api_token: str, content_type: Optional[str] = None) -> dict:
+    headers = {
+        "Authorization": f"Bearer {api_token}",
+    }
+    if content_type:
+        headers["Content-Type"] = content_type
+    return headers
+
+
+def _extract_cpa_error(response) -> str:
+    error_msg = f"上传失败: HTTP {response.status_code}"
+    try:
+        error_detail = response.json()
+        if isinstance(error_detail, dict):
+            error_msg = error_detail.get("message", error_msg)
+    except Exception:
+        error_msg = f"{error_msg} - {response.text[:200]}"
+    return error_msg
+
+
+def _post_cpa_auth_file_multipart(upload_url: str, filename: str, file_content: bytes, api_token: str):
+    mime = CurlMime()
+    mime.addpart(
+        name="file",
+        data=file_content,
+        filename=filename,
+        content_type="application/json",
+    )
+
+    return cffi_requests.post(
+        upload_url,
+        multipart=mime,
+        headers=_build_cpa_headers(api_token),
+        proxies=None,
+        timeout=30,
+        impersonate="chrome110",
+    )
+
+
+def _post_cpa_auth_file_raw_json(upload_url: str, filename: str, file_content: bytes, api_token: str):
+    raw_upload_url = f"{upload_url}?name={quote(filename)}"
+    return cffi_requests.post(
+        raw_upload_url,
+        data=file_content,
+        headers=_build_cpa_headers(api_token, content_type="application/json"),
+        proxies=None,
+        timeout=30,
+        impersonate="chrome110",
+    )
+
+
+def generate_token_json(account: Account) -> dict:
+    """
+    生成 CPA 格式的 Token JSON
+
+    Args:
+        account: 账号模型实例
+
+    Returns:
+        CPA 格式的 Token 字典
+    """
+    return {
+        "type": "codex",
+        "email": account.email,
+        "expired": account.expires_at.strftime("%Y-%m-%dT%H:%M:%S+08:00") if account.expires_at else "",
+        "id_token": account.id_token or "",
+        "account_id": account.account_id or "",
+        "access_token": account.access_token or "",
+        "last_refresh": account.last_refresh.strftime("%Y-%m-%dT%H:%M:%S+08:00") if account.last_refresh else "",
+        "refresh_token": account.refresh_token or "",
+    }
+
+
+def upload_to_cpa(
+    token_data: dict,
+    proxy: str = None,
+    api_url: str = None,
+    api_token: str = None,
+) -> Tuple[bool, str]:
+    """
+    上传单个账号到 CPA 管理平台（不走代理）
+
+    Args:
+        token_data: Token JSON 数据
+        proxy: 保留参数，不使用（CPA 上传始终直连）
+        api_url: 指定 CPA API URL（优先于全局配置）
+        api_token: 指定 CPA API Token（优先于全局配置）
+
+    Returns:
+        (成功标志, 消息或错误信息)
+    """
+    settings = get_settings()
+
+    # 优先使用传入的参数，否则退回全局配置
+    effective_url = api_url or settings.cpa_api_url
+    effective_token = api_token or (settings.cpa_api_token.get_secret_value() if settings.cpa_api_token else "")
+
+    # 仅当未指定服务时才检查全局启用开关
+    if not api_url and not settings.cpa_enabled:
+        return False, "CPA 上传未启用"
+
+    if not effective_url:
+        return False, "CPA API URL 未配置"
+
+    if not effective_token:
+        return False, "CPA API Token 未配置"
+
+    upload_url = _normalize_cpa_auth_files_url(effective_url)
+
+    filename = f"{token_data['email']}.json"
+    file_content = json.dumps(token_data, ensure_ascii=False, indent=2).encode("utf-8")
+
+    try:
+        response = _post_cpa_auth_file_multipart(
+            upload_url,
+            filename,
+            file_content,
+            effective_token,
+        )
+
+        if response.status_code in (200, 201):
+            return True, "上传成功"
+
+        if response.status_code in (404, 405, 415):
+            logger.warning("CPA multipart 上传失败，尝试原始 JSON 回退: %s", response.status_code)
+            fallback_response = _post_cpa_auth_file_raw_json(
+                upload_url,
+                filename,
+                file_content,
+                effective_token,
+            )
+            if fallback_response.status_code in (200, 201):
+                return True, "上传成功"
+            response = fallback_response
+
+        return False, _extract_cpa_error(response)
+
+    except Exception as e:
+        logger.error(f"CPA 上传异常: {e}")
+        return False, f"上传异常: {str(e)}"
+
+
+def batch_upload_to_cpa(
+    account_ids: List[int],
+    proxy: str = None,
+    api_url: str = None,
+    api_token: str = None,
+) -> dict:
+    """
+    批量上传账号到 CPA 管理平台
+
+    Args:
+        account_ids: 账号 ID 列表
+        proxy: 可选的代理 URL
+        api_url: 指定 CPA API URL（优先于全局配置）
+        api_token: 指定 CPA API Token（优先于全局配置）
+
+    Returns:
+        包含成功/失败统计和详情的字典
+    """
+    results = {
+        "success_count": 0,
+        "failed_count": 0,
+        "skipped_count": 0,
+        "details": []
+    }
+
+    with get_db() as db:
+        for account_id in account_ids:
+            account = db.query(Account).filter(Account.id == account_id).first()
+
+            if not account:
+                results["failed_count"] += 1
+                results["details"].append({
+                    "id": account_id,
+                    "email": None,
+                    "success": False,
+                    "error": "账号不存在"
+                })
+                continue
+
+            # 检查是否已有 Token
+            if not account.access_token:
+                results["skipped_count"] += 1
+                results["details"].append({
+                    "id": account_id,
+                    "email": account.email,
+                    "success": False,
+                    "error": "缺少 Token"
+                })
+                continue
+
+            # 生成 Token JSON
+            token_data = generate_token_json(account)
+
+            # 上传
+            success, message = upload_to_cpa(token_data, proxy, api_url=api_url, api_token=api_token)
+
+            if success:
+                # 更新数据库状态
+                account.cpa_uploaded = True
+                account.cpa_uploaded_at = datetime.utcnow()
+                db.commit()
+
+                results["success_count"] += 1
+                results["details"].append({
+                    "id": account_id,
+                    "email": account.email,
+                    "success": True,
+                    "message": message
+                })
+            else:
+                results["failed_count"] += 1
+                results["details"].append({
+                    "id": account_id,
+                    "email": account.email,
+                    "success": False,
+                    "error": message
+                })
+
+    return results
+
+
+def test_cpa_connection(api_url: str, api_token: str, proxy: str = None) -> Tuple[bool, str]:
+    """
+    测试 CPA 连接（不走代理）
+
+    Args:
+        api_url: CPA API URL
+        api_token: CPA API Token
+        proxy: 保留参数，不使用（CPA 始终直连）
+
+    Returns:
+        (成功标志, 消息)
+    """
+    if not api_url:
+        return False, "API URL 不能为空"
+
+    if not api_token:
+        return False, "API Token 不能为空"
+
+    test_url = _normalize_cpa_auth_files_url(api_url)
+    headers = _build_cpa_headers(api_token)
+
+    try:
+        response = cffi_requests.get(
+            test_url,
+            headers=headers,
+            proxies=None,
+            timeout=10,
+            impersonate="chrome110",
+        )
+
+        if response.status_code == 200:
+            return True, "CPA 连接测试成功"
+        if response.status_code == 401:
+            return False, "连接成功，但 API Token 无效"
+        if response.status_code == 403:
+            return False, "连接成功，但服务端未启用远程管理或当前 Token 无权限"
+        if response.status_code == 404:
+            return False, "未找到 CPA auth-files 接口，请检查 API URL 是否填写为根地址、/v0/management 或完整 auth-files 地址"
+        if response.status_code == 503:
+            return False, "连接成功，但服务端认证管理器不可用"
+
+        return False, f"服务器返回异常状态码: {response.status_code}"
+
+    except cffi_requests.exceptions.ConnectionError as e:
+        return False, f"无法连接到服务器: {str(e)}"
+    except cffi_requests.exceptions.Timeout:
+        return False, "连接超时，请检查网络配置"
+    except Exception as e:
+        return False, f"连接测试失败: {str(e)}"

src/core/upload/sub2api_upload.py

@@ -0,0 +1,224 @@
+"""
+Sub2API 账号上传功能
+将账号以 sub2api-data 格式批量导入到 Sub2API 平台
+"""
+
+import json
+import logging
+from datetime import datetime, timezone
+from typing import List, Tuple, Optional
+
+from curl_cffi import requests as cffi_requests
+
+from ...database.session import get_db
+from ...database.models import Account
+
+logger = logging.getLogger(__name__)
+
+
+def upload_to_sub2api(
+    accounts: List[Account],
+    api_url: str,
+    api_key: str,
+    concurrency: int = 3,
+    priority: int = 50,
+) -> Tuple[bool, str]:
+    """
+    上传账号列表到 Sub2API 平台（不走代理）
+
+    Args:
+        accounts: 账号模型实例列表
+        api_url: Sub2API 地址，如 http://host
+        api_key: Admin API Key（x-api-key header）
+        concurrency: 账号并发数，默认 3
+        priority: 账号优先级，默认 50
+
+    Returns:
+        (成功标志, 消息)
+    """
+    if not accounts:
+        return False, "无可上传的账号"
+
+    if not api_url:
+        return False, "Sub2API URL 未配置"
+
+    if not api_key:
+        return False, "Sub2API API Key 未配置"
+
+    exported_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    account_items = []
+    for acc in accounts:
+        if not acc.access_token:
+            continue
+        expires_at = int(acc.expires_at.timestamp()) if acc.expires_at else 0
+        account_items.append({
+            "name": acc.email,
+            "platform": "openai",
+            "type": "oauth",
+            "credentials": {
+                "access_token": acc.access_token,
+                "chatgpt_account_id": acc.account_id or "",
+                "chatgpt_user_id": "",
+                "client_id": acc.client_id or "",
+                "expires_at": expires_at,
+                "expires_in": 863999,
+                "model_mapping": {
+                    "gpt-5.1": "gpt-5.1",
+                    "gpt-5.1-codex": "gpt-5.1-codex",
+                    "gpt-5.1-codex-max": "gpt-5.1-codex-max",
+                    "gpt-5.1-codex-mini": "gpt-5.1-codex-mini",
+                    "gpt-5.2": "gpt-5.2",
+                    "gpt-5.2-codex": "gpt-5.2-codex",
+                    "gpt-5.3": "gpt-5.3",
+                    "gpt-5.3-codex": "gpt-5.3-codex",
+                    "gpt-5.4": "gpt-5.4"
+                },
+                "organization_id": acc.workspace_id or "",
+                "refresh_token": acc.refresh_token or "",
+            },
+            "extra": {},
+            "concurrency": concurrency,
+            "priority": priority,
+            "rate_multiplier": 1,
+            "auto_pause_on_expired": True,
+        })
+
+    if not account_items:
+        return False, "所有账号均缺少 access_token，无法上传"
+
+    payload = {
+        "data": {
+            "type": "sub2api-data",
+            "version": 1,
+            "exported_at": exported_at,
+            "proxies": [],
+            "accounts": account_items,
+        },
+        "skip_default_group_bind": True,
+    }
+
+    url = api_url.rstrip("/") + "/api/v1/admin/accounts/data"
+    headers = {
+        "Content-Type": "application/json",
+        "x-api-key": api_key,
+        "Idempotency-Key": f"import-{exported_at}",
+    }
+
+    try:
+        response = cffi_requests.post(
+            url,
+            json=payload,
+            headers=headers,
+            proxies=None,
+            timeout=30,
+            impersonate="chrome110",
+        )
+
+        if response.status_code in (200, 201):
+            return True, f"成功上传 {len(account_items)} 个账号"
+
+        error_msg = f"上传失败: HTTP {response.status_code}"
+        try:
+            detail = response.json()
+            if isinstance(detail, dict):
+                error_msg = detail.get("message", error_msg)
+        except Exception:
+            error_msg = f"{error_msg} - {response.text[:200]}"
+        return False, error_msg
+
+    except Exception as e:
+        logger.error(f"Sub2API 上传异常: {e}")
+        return False, f"上传异常: {str(e)}"
+
+
+def batch_upload_to_sub2api(
+    account_ids: List[int],
+    api_url: str,
+    api_key: str,
+    concurrency: int = 3,
+    priority: int = 50,
+) -> dict:
+    """
+    批量上传指定 ID 的账号到 Sub2API 平台
+
+    Returns:
+        包含成功/失败/跳过统计和详情的字典
+    """
+    results = {
+        "success_count": 0,
+        "failed_count": 0,
+        "skipped_count": 0,
+        "details": []
+    }
+
+    with get_db() as db:
+        accounts = []
+        for account_id in account_ids:
+            acc = db.query(Account).filter(Account.id == account_id).first()
+            if not acc:
+                results["failed_count"] += 1
+                results["details"].append({"id": account_id, "email": None, "success": False, "error": "账号不存在"})
+                continue
+            if not acc.access_token:
+                results["skipped_count"] += 1
+                results["details"].append({"id": account_id, "email": acc.email, "success": False, "error": "缺少 access_token"})
+                continue
+            accounts.append(acc)
+
+        if not accounts:
+            return results
+
+        success, message = upload_to_sub2api(accounts, api_url, api_key, concurrency, priority)
+
+        if success:
+            for acc in accounts:
+                results["success_count"] += 1
+                results["details"].append({"id": acc.id, "email": acc.email, "success": True, "message": message})
+        else:
+            for acc in accounts:
+                results["failed_count"] += 1
+                results["details"].append({"id": acc.id, "email": acc.email, "success": False, "error": message})
+
+    return results
+
+
+def test_sub2api_connection(api_url: str, api_key: str) -> Tuple[bool, str]:
+    """
+    测试 Sub2API 连接（GET /api/v1/admin/accounts/data 探活）
+
+    Returns:
+        (成功标志, 消息)
+    """
+    if not api_url:
+        return False, "API URL 不能为空"
+    if not api_key:
+        return False, "API Key 不能为空"
+
+    url = api_url.rstrip("/") + "/api/v1/admin/accounts/data"
+    headers = {"x-api-key": api_key}
+
+    try:
+        response = cffi_requests.get(
+            url,
+            headers=headers,
+            proxies=None,
+            timeout=10,
+            impersonate="chrome110",
+        )
+
+        if response.status_code in (200, 201, 204, 405):
+            return True, "Sub2API 连接测试成功"
+        if response.status_code == 401:
+            return False, "连接成功，但 API Key 无效"
+        if response.status_code == 403:
+            return False, "连接成功，但权限不足"
+
+        return False, f"服务器返回异常状态码: {response.status_code}"
+
+    except cffi_requests.exceptions.ConnectionError as e:
+        return False, f"无法连接到服务器: {str(e)}"
+    except cffi_requests.exceptions.Timeout:
+        return False, "连接超时，请检查网络配置"
+    except Exception as e:
+        return False, f"连接测试失败: {str(e)}"

src/core/upload/team_manager_upload.py

@@ -0,0 +1,204 @@
+"""
+Team Manager 上传功能
+参照 CPA 上传模式，直连不走代理
+"""
+
+import logging
+from typing import List, Tuple
+
+from curl_cffi import requests as cffi_requests
+
+from ...database.models import Account
+from ...database.session import get_db
+
+logger = logging.getLogger(__name__)
+
+
+def upload_to_team_manager(
+    account: Account,
+    api_url: str,
+    api_key: str,
+) -> Tuple[bool, str]:
+    """
+    上传单账号到 Team Manager（直连，不走代理）
+
+    Returns:
+        (成功标志, 消息)
+    """
+    if not api_url:
+        return False, "Team Manager API URL 未配置"
+    if not api_key:
+        return False, "Team Manager API Key 未配置"
+    if not account.access_token:
+        return False, "账号缺少 access_token"
+
+    url = api_url.rstrip("/") + "/admin/teams/import"
+    headers = {
+        "X-API-Key": api_key,
+        "Content-Type": "application/json",
+    }
+    payload = {
+        "import_type": "single",
+        "email": account.email,
+        "access_token": account.access_token or "",
+        "session_token": account.session_token or "",
+        "refresh_token": account.refresh_token or "",
+        "client_id": account.client_id or "",
+        "account_id": account.account_id or "",
+    }
+
+    try:
+        resp = cffi_requests.post(
+            url,
+            headers=headers,
+            json=payload,
+            proxies=None,
+            timeout=30
+        )
+        if resp.status_code in (200, 201):
+            return True, "上传成功"
+        error_msg = f"上传失败: HTTP {resp.status_code}"
+        try:
+            detail = resp.json()
+            if isinstance(detail, dict):
+                error_msg = detail.get("message", error_msg)
+        except Exception:
+            error_msg = f"{error_msg} - {resp.text[:200]}"
+        return False, error_msg
+    except Exception as e:
+        logger.error(f"Team Manager 上传异常: {e}")
+        return False, f"上传异常: {str(e)}"
+
+
+def batch_upload_to_team_manager(
+    account_ids: List[int],
+    api_url: str,
+    api_key: str,
+) -> dict:
+    """
+    批量上传账号到 Team Manager（使用 batch 模式，一次请求提交所有账号）
+
+    Returns:
+        包含成功/失败统计和详情的字典
+    """
+    results = {
+        "success_count": 0,
+        "failed_count": 0,
+        "skipped_count": 0,
+        "details": [],
+    }
+
+    with get_db() as db:
+        lines = []
+        valid_accounts = []
+        for account_id in account_ids:
+            account = db.query(Account).filter(Account.id == account_id).first()
+            if not account:
+                results["failed_count"] += 1
+                results["details"].append(
+                    {"id": account_id, "email": None, "success": False, "error": "账号不存在"}
+                )
+                continue
+            if not account.access_token:
+                results["skipped_count"] += 1
+                results["details"].append(
+                    {"id": account_id, "email": account.email, "success": False, "error": "缺少 Token"}
+                )
+                continue
+            # 格式：邮箱,AT,RT,ST,ClientID
+            lines.append(",".join([
+                account.email or "",
+                account.access_token or "",
+                account.refresh_token or "",
+                account.session_token or "",
+                account.client_id or "",
+            ]))
+            valid_accounts.append(account)
+
+        if not valid_accounts:
+            return results
+
+        url = api_url.rstrip("/") + "/admin/teams/import"
+        headers = {
+            "X-API-Key": api_key,
+            "Content-Type": "application/json",
+        }
+        payload = {
+            "import_type": "batch",
+            "content": "\n".join(lines),
+        }
+
+        try:
+            resp = cffi_requests.post(
+                url,
+                headers=headers,
+                json=payload,
+                proxies=None,
+                timeout=60,
+                impersonate="chrome110",
+            )
+            if resp.status_code in (200, 201):
+                for account in valid_accounts:
+                    results["success_count"] += 1
+                    results["details"].append(
+                        {"id": account.id, "email": account.email, "success": True, "message": "批量上传成功"}
+                    )
+            else:
+                error_msg = f"批量上传失败: HTTP {resp.status_code}"
+                try:
+                    detail = resp.json()
+                    if isinstance(detail, dict):
+                        error_msg = detail.get("message", error_msg)
+                except Exception:
+                    error_msg = f"{error_msg} - {resp.text[:200]}"
+                for account in valid_accounts:
+                    results["failed_count"] += 1
+                    results["details"].append(
+                        {"id": account.id, "email": account.email, "success": False, "error": error_msg}
+                    )
+        except Exception as e:
+            logger.error(f"Team Manager 批量上传异常: {e}")
+            error_msg = f"上传异常: {str(e)}"
+            for account in valid_accounts:
+                results["failed_count"] += 1
+                results["details"].append(
+                    {"id": account.id, "email": account.email, "success": False, "error": error_msg}
+                )
+
+    return results
+
+
+def test_team_manager_connection(api_url: str, api_key: str) -> Tuple[bool, str]:
+    """
+    测试 Team Manager 连接（直连）
+
+    Returns:
+        (成功标志, 消息)
+    """
+    if not api_url:
+        return False, "API URL 不能为空"
+    if not api_key:
+        return False, "API Key 不能为空"
+
+    url = api_url.rstrip("/") + "/admin/teams/import"
+    headers = {"X-API-Key": api_key}
+
+    try:
+        resp = cffi_requests.options(
+            url,
+            headers=headers,
+            proxies=None,
+            timeout=10,
+            impersonate="chrome110",
+        )
+        if resp.status_code in (200, 204, 401, 403, 405):
+            if resp.status_code == 401:
+                return False, "连接成功，但 API Key 无效"
+            return True, "Team Manager 连接测试成功"
+        return False, f"服务器返回异常状态码: {resp.status_code}"
+    except cffi_requests.exceptions.ConnectionError as e:
+        return False, f"无法连接到服务器: {str(e)}"
+    except cffi_requests.exceptions.Timeout:
+        return False, "连接超时，请检查网络配置"
+    except Exception as e:
+        return False, f"连接测试失败: {str(e)}"

src/core/utils.py

@@ -0,0 +1,570 @@
+"""
+通用工具函数
+"""
+
+import os
+import sys
+import json
+import time
+import random
+import string
+import secrets
+import hashlib
+import logging
+import base64
+import re
+import uuid
+from datetime import datetime, timedelta
+from typing import Any, Dict, List, Optional, Union, Callable
+from pathlib import Path
+
+from ..config.constants import PASSWORD_CHARSET, DEFAULT_PASSWORD_LENGTH
+from ..config.settings import get_settings
+
+
+def setup_logging(
+    log_level: str = "INFO",
+    log_file: Optional[str] = None,
+    log_format: str = "%(asctime)s [%(levelname)s] %(name)s: %(message)s"
+) -> logging.Logger:
+    """
+    配置日志系统
+
+    Args:
+        log_level: 日志级别 (DEBUG, INFO, WARNING, ERROR, CRITICAL)
+        log_file: 日志文件路径，如果不指定则只输出到控制台
+        log_format: 日志格式
+
+    Returns:
+        根日志记录器
+    """
+    # 设置日志级别
+    numeric_level = getattr(logging, log_level.upper(), None)
+    if not isinstance(numeric_level, int):
+        numeric_level = logging.INFO
+
+    # 配置根日志记录器
+    root_logger = logging.getLogger()
+    root_logger.setLevel(numeric_level)
+
+    # 清除现有的处理器
+    root_logger.handlers.clear()
+
+    # 创建格式化器
+    formatter = logging.Formatter(log_format)
+
+    # 控制台处理器
+    console_handler = logging.StreamHandler(sys.stdout)
+    console_handler.setFormatter(formatter)
+    console_handler.setLevel(numeric_level)
+    root_logger.addHandler(console_handler)
+
+    # 文件处理器（如果指定了日志文件）
+    if log_file:
+        # 确保日志目录存在
+        log_dir = os.path.dirname(log_file)
+        if log_dir:
+            os.makedirs(log_dir, exist_ok=True)
+
+        file_handler = logging.FileHandler(log_file, encoding="utf-8")
+        file_handler.setFormatter(formatter)
+        file_handler.setLevel(numeric_level)
+        root_logger.addHandler(file_handler)
+
+    return root_logger
+
+
+def generate_password(length: int = DEFAULT_PASSWORD_LENGTH) -> str:
+    """
+    生成随机密码
+
+    Args:
+        length: 密码长度
+
+    Returns:
+        随机密码字符串
+    """
+    if length < 4:
+        length = 4
+
+    # 确保密码包含至少一个大写字母、一个小写字母和一个数字
+    password = [
+        secrets.choice(string.ascii_lowercase),
+        secrets.choice(string.ascii_uppercase),
+        secrets.choice(string.digits),
+    ]
+
+    # 添加剩余字符
+    password.extend(secrets.choice(PASSWORD_CHARSET) for _ in range(length - 3))
+
+    # 随机打乱
+    secrets.SystemRandom().shuffle(password)
+
+    return ''.join(password)
+
+
+def generate_random_string(length: int = 8) -> str:
+    """
+    生成随机字符串（仅字母）
+
+    Args:
+        length: 字符串长度
+
+    Returns:
+        随机字符串
+    """
+    chars = string.ascii_letters
+    return ''.join(secrets.choice(chars) for _ in range(length))
+
+
+def generate_uuid() -> str:
+    """生成 UUID 字符串"""
+    return str(uuid.uuid4())
+
+
+def get_timestamp() -> int:
+    """获取当前时间戳（秒）"""
+    return int(time.time())
+
+
+def format_datetime(dt: Optional[datetime] = None, fmt: str = "%Y-%m-%d %H:%M:%S") -> str:
+    """
+    格式化日期时间
+
+    Args:
+        dt: 日期时间对象，如果为 None 则使用当前时间
+        fmt: 格式字符串
+
+    Returns:
+        格式化后的字符串
+    """
+    if dt is None:
+        dt = datetime.now()
+    return dt.strftime(fmt)
+
+
+def parse_datetime(dt_str: str, fmt: str = "%Y-%m-%d %H:%M:%S") -> Optional[datetime]:
+    """
+    解析日期时间字符串
+
+    Args:
+        dt_str: 日期时间字符串
+        fmt: 格式字符串
+
+    Returns:
+        日期时间对象，如果解析失败返回 None
+    """
+    try:
+        return datetime.strptime(dt_str, fmt)
+    except (ValueError, TypeError):
+        return None
+
+
+def human_readable_size(size_bytes: int) -> str:
+    """
+    将字节大小转换为人类可读的格式
+
+    Args:
+        size_bytes: 字节大小
+
+    Returns:
+        人类可读的字符串
+    """
+    if size_bytes < 0:
+        return "0 B"
+
+    units = ["B", "KB", "MB", "GB", "TB", "PB"]
+    unit_index = 0
+
+    while size_bytes >= 1024 and unit_index < len(units) - 1:
+        size_bytes /= 1024
+        unit_index += 1
+
+    return f"{size_bytes:.2f} {units[unit_index]}"
+
+
+def retry_with_backoff(
+    func: Callable,
+    max_retries: int = 3,
+    base_delay: float = 1.0,
+    max_delay: float = 30.0,
+    backoff_factor: float = 2.0,
+    exceptions: tuple = (Exception,)
+) -> Any:
+    """
+    带有指数退避的重试装饰器/函数
+
+    Args:
+        func: 要重试的函数
+        max_retries: 最大重试次数
+        base_delay: 基础延迟（秒）
+        max_delay: 最大延迟（秒）
+        backoff_factor: 退避因子
+        exceptions: 要捕获的异常类型
+
+    Returns:
+        函数的返回值
+
+    Raises:
+        最后一次尝试的异常
+    """
+    last_exception = None
+
+    for attempt in range(max_retries + 1):
+        try:
+            return func()
+        except exceptions as e:
+            last_exception = e
+
+            # 如果是最后一次尝试，直接抛出异常
+            if attempt == max_retries:
+                break
+
+            # 计算延迟时间
+            delay = min(base_delay * (backoff_factor ** attempt), max_delay)
+
+            # 添加随机抖动
+            delay *= (0.5 + random.random())
+
+            # 记录日志
+            logger = logging.getLogger(__name__)
+            logger.warning(
+                f"尝试 {func.__name__} 失败 (attempt {attempt + 1}/{max_retries + 1}): {e}. "
+                f"等待 {delay:.2f} 秒后重试..."
+            )
+
+            time.sleep(delay)
+
+    # 所有重试都失败，抛出最后一个异常
+    raise last_exception
+
+
+class RetryDecorator:
+    """重试装饰器类"""
+
+    def __init__(
+        self,
+        max_retries: int = 3,
+        base_delay: float = 1.0,
+        max_delay: float = 30.0,
+        backoff_factor: float = 2.0,
+        exceptions: tuple = (Exception,)
+    ):
+        self.max_retries = max_retries
+        self.base_delay = base_delay
+        self.max_delay = max_delay
+        self.backoff_factor = backoff_factor
+        self.exceptions = exceptions
+
+    def __call__(self, func: Callable) -> Callable:
+        """装饰器调用"""
+        def wrapper(*args, **kwargs):
+            def func_to_retry():
+                return func(*args, **kwargs)
+
+            return retry_with_backoff(
+                func_to_retry,
+                max_retries=self.max_retries,
+                base_delay=self.base_delay,
+                max_delay=self.max_delay,
+                backoff_factor=self.backoff_factor,
+                exceptions=self.exceptions
+            )
+
+        return wrapper
+
+
+def validate_email(email: str) -> bool:
+    """
+    验证邮箱地址格式
+
+    Args:
+        email: 邮箱地址
+
+    Returns:
+        是否有效
+    """
+    pattern = r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
+    return bool(re.match(pattern, email))
+
+
+def validate_url(url: str) -> bool:
+    """
+    验证 URL 格式
+
+    Args:
+        url: URL
+
+    Returns:
+        是否有效
+    """
+    pattern = r"^https?://[^\s/$.?#].[^\s]*$"
+    return bool(re.match(pattern, url))
+
+
+def sanitize_filename(filename: str) -> str:
+    """
+    清理文件名，移除不安全的字符
+
+    Args:
+        filename: 原始文件名
+
+    Returns:
+        清理后的文件名
+    """
+    # 移除危险字符
+    filename = re.sub(r'[<>:"/\\|?*]', '_', filename)
+    # 移除控制字符
+    filename = ''.join(char for char in filename if ord(char) >= 32)
+    # 限制长度
+    if len(filename) > 255:
+        name, ext = os.path.splitext(filename)
+        filename = name[:255 - len(ext)] + ext
+    return filename
+
+
+def read_json_file(filepath: str) -> Optional[Dict[str, Any]]:
+    """
+    读取 JSON 文件
+
+    Args:
+        filepath: 文件路径
+
+    Returns:
+        JSON 数据，如果读取失败返回 None
+    """
+    try:
+        with open(filepath, 'r', encoding='utf-8') as f:
+            return json.load(f)
+    except (FileNotFoundError, json.JSONDecodeError, IOError) as e:
+        logging.getLogger(__name__).warning(f"读取 JSON 文件失败: {filepath} - {e}")
+        return None
+
+
+def write_json_file(filepath: str, data: Dict[str, Any], indent: int = 2) -> bool:
+    """
+    写入 JSON 文件
+
+    Args:
+        filepath: 文件路径
+        data: 要写入的数据
+        indent: 缩进空格数
+
+    Returns:
+        是否成功
+    """
+    try:
+        # 确保目录存在
+        os.makedirs(os.path.dirname(filepath), exist_ok=True)
+
+        with open(filepath, 'w', encoding='utf-8') as f:
+            json.dump(data, f, ensure_ascii=False, indent=indent)
+
+        return True
+    except (IOError, TypeError) as e:
+        logging.getLogger(__name__).error(f"写入 JSON 文件失败: {filepath} - {e}")
+        return False
+
+
+def get_project_root() -> Path:
+    """
+    获取项目根目录
+
+    Returns:
+        项目根目录 Path 对象
+    """
+    # 当前文件所在目录
+    current_dir = Path(__file__).parent
+
+    # 向上查找直到找到项目根目录（包含 pyproject.toml 或 setup.py）
+    for parent in [current_dir] + list(current_dir.parents):
+        if (parent / "pyproject.toml").exists() or (parent / "setup.py").exists():
+            return parent
+
+    # 如果找不到，返回当前目录的父目录
+    return current_dir.parent
+
+
+def get_data_dir() -> Path:
+    """
+    获取数据目录
+
+    Returns:
+        数据目录 Path 对象
+    """
+    settings = get_settings()
+    if not settings.database_url.startswith("sqlite"):
+        data_dir = Path(os.environ.get("APP_DATA_DIR", "data"))
+        data_dir.mkdir(parents=True, exist_ok=True)
+        return data_dir
+    data_dir = Path(settings.database_url).parent
+
+    # 如果 database_url 是 SQLite URL，提取路径
+    if settings.database_url.startswith("sqlite:///"):
+        db_path = settings.database_url[10:]  # 移除 "sqlite:///"
+        data_dir = Path(db_path).parent
+
+    # 确保目录存在
+    data_dir.mkdir(parents=True, exist_ok=True)
+
+    return data_dir
+
+
+def get_logs_dir() -> Path:
+    """
+    获取日志目录
+
+    Returns:
+        日志目录 Path 对象
+    """
+    settings = get_settings()
+    log_file = Path(settings.log_file)
+    log_dir = log_file.parent
+
+    # 确保目录存在
+    log_dir.mkdir(parents=True, exist_ok=True)
+
+    return log_dir
+
+
+def format_duration(seconds: int) -> str:
+    """
+    格式化持续时间
+
+    Args:
+        seconds: 秒数
+
+    Returns:
+        格式化的持续时间字符串
+    """
+    if seconds < 60:
+        return f"{seconds}秒"
+
+    minutes, seconds = divmod(seconds, 60)
+    if minutes < 60:
+        return f"{minutes}分{seconds}秒"
+
+    hours, minutes = divmod(minutes, 60)
+    if hours < 24:
+        return f"{hours}小时{minutes}分"
+
+    days, hours = divmod(hours, 24)
+    return f"{days}天{hours}小时"
+
+
+def mask_sensitive_data(data: Union[str, Dict, List], mask_char: str = "*") -> Union[str, Dict, List]:
+    """
+    掩码敏感数据
+
+    Args:
+        data: 要掩码的数据
+        mask_char: 掩码字符
+
+    Returns:
+        掩码后的数据
+    """
+    if isinstance(data, str):
+        # 如果是邮箱，掩码中间部分
+        if "@" in data:
+            local, domain = data.split("@", 1)
+            if len(local) > 2:
+                masked_local = local[0] + mask_char * (len(local) - 2) + local[-1]
+            else:
+                masked_local = mask_char * len(local)
+            return f"{masked_local}@{domain}"
+
+        # 如果是 token 或密钥，掩码大部分内容
+        if len(data) > 10:
+            return data[:4] + mask_char * (len(data) - 8) + data[-4:]
+        return mask_char * len(data)
+
+    elif isinstance(data, dict):
+        masked_dict = {}
+        for key, value in data.items():
+            # 敏感字段名
+            sensitive_keys = ["password", "token", "secret", "key", "auth", "credential"]
+            if any(sensitive in key.lower() for sensitive in sensitive_keys):
+                masked_dict[key] = mask_sensitive_data(value, mask_char)
+            else:
+                masked_dict[key] = value
+        return masked_dict
+
+    elif isinstance(data, list):
+        return [mask_sensitive_data(item, mask_char) for item in data]
+
+    return data
+
+
+def calculate_md5(data: Union[str, bytes]) -> str:
+    """
+    计算 MD5 哈希
+
+    Args:
+        data: 要哈希的数据
+
+    Returns:
+        MD5 哈希字符串
+    """
+    if isinstance(data, str):
+        data = data.encode('utf-8')
+
+    return hashlib.md5(data).hexdigest()
+
+
+def calculate_sha256(data: Union[str, bytes]) -> str:
+    """
+    计算 SHA256 哈希
+
+    Args:
+        data: 要哈希的数据
+
+    Returns:
+        SHA256 哈希字符串
+    """
+    if isinstance(data, str):
+        data = data.encode('utf-8')
+
+    return hashlib.sha256(data).hexdigest()
+
+
+def base64_encode(data: Union[str, bytes]) -> str:
+    """Base64 编码"""
+    if isinstance(data, str):
+        data = data.encode('utf-8')
+
+    return base64.b64encode(data).decode('utf-8')
+
+
+def base64_decode(data: str) -> str:
+    """Base64 解码"""
+    try:
+        decoded = base64.b64decode(data)
+        return decoded.decode('utf-8')
+    except (base64.binascii.Error, UnicodeDecodeError):
+        return ""
+
+
+class Timer:
+    """计时器上下文管理器"""
+
+    def __init__(self, name: str = "操作"):
+        self.name = name
+        self.start_time = None
+        self.elapsed = None
+
+    def __enter__(self):
+        self.start_time = time.time()
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        self.elapsed = time.time() - self.start_time
+        logger = logging.getLogger(__name__)
+        logger.debug(f"{self.name} 耗时: {self.elapsed:.2f} 秒")
+
+    def get_elapsed(self) -> float:
+        """获取经过的时间（秒）"""
+        if self.elapsed is not None:
+            return self.elapsed
+        if self.start_time is not None:
+            return time.time() - self.start_time
+        return 0.0

src/database/__init__.py

@@ -0,0 +1,20 @@
+"""
+数据库模块
+"""
+
+from .models import Base, Account, EmailService, RegistrationTask, Setting
+from .session import get_db, init_database, get_session_manager, DatabaseSessionManager
+from . import crud
+
+__all__ = [
+    'Base',
+    'Account',
+    'EmailService',
+    'RegistrationTask',
+    'Setting',
+    'get_db',
+    'init_database',
+    'get_session_manager',
+    'DatabaseSessionManager',
+    'crud',
+]

src/database/crud.py

@@ -0,0 +1,714 @@
+"""
+数据库 CRUD 操作
+"""
+
+from typing import List, Optional, Dict, Any, Union
+from datetime import datetime, timedelta
+from sqlalchemy.orm import Session
+from sqlalchemy import and_, or_, desc, asc, func
+
+from .models import Account, EmailService, RegistrationTask, Setting, Proxy, CpaService, Sub2ApiService
+
+
+# ============================================================================
+# 账户 CRUD
+# ============================================================================
+
+def create_account(
+    db: Session,
+    email: str,
+    email_service: str,
+    password: Optional[str] = None,
+    client_id: Optional[str] = None,
+    session_token: Optional[str] = None,
+    email_service_id: Optional[str] = None,
+    account_id: Optional[str] = None,
+    workspace_id: Optional[str] = None,
+    access_token: Optional[str] = None,
+    refresh_token: Optional[str] = None,
+    id_token: Optional[str] = None,
+    proxy_used: Optional[str] = None,
+    expires_at: Optional['datetime'] = None,
+    extra_data: Optional[Dict[str, Any]] = None,
+    status: Optional[str] = None,
+    source: Optional[str] = None
+) -> Account:
+    """创建新账户"""
+    db_account = Account(
+        email=email,
+        password=password,
+        client_id=client_id,
+        session_token=session_token,
+        email_service=email_service,
+        email_service_id=email_service_id,
+        account_id=account_id,
+        workspace_id=workspace_id,
+        access_token=access_token,
+        refresh_token=refresh_token,
+        id_token=id_token,
+        proxy_used=proxy_used,
+        expires_at=expires_at,
+        extra_data=extra_data or {},
+        status=status or 'active',
+        source=source or 'register',
+        registered_at=datetime.utcnow()
+    )
+    db.add(db_account)
+    db.commit()
+    db.refresh(db_account)
+    return db_account
+
+
+def get_account_by_id(db: Session, account_id: int) -> Optional[Account]:
+    """根据 ID 获取账户"""
+    return db.query(Account).filter(Account.id == account_id).first()
+
+
+def get_account_by_email(db: Session, email: str) -> Optional[Account]:
+    """根据邮箱获取账户"""
+    return db.query(Account).filter(Account.email == email).first()
+
+
+def get_accounts(
+    db: Session,
+    skip: int = 0,
+    limit: int = 100,
+    email_service: Optional[str] = None,
+    status: Optional[str] = None,
+    search: Optional[str] = None
+) -> List[Account]:
+    """获取账户列表（支持分页、筛选）"""
+    query = db.query(Account)
+
+    if email_service:
+        query = query.filter(Account.email_service == email_service)
+
+    if status:
+        query = query.filter(Account.status == status)
+
+    if search:
+        search_filter = or_(
+            Account.email.ilike(f"%{search}%"),
+            Account.account_id.ilike(f"%{search}%"),
+            Account.workspace_id.ilike(f"%{search}%")
+        )
+        query = query.filter(search_filter)
+
+    query = query.order_by(desc(Account.created_at)).offset(skip).limit(limit)
+    return query.all()
+
+
+def update_account(
+    db: Session,
+    account_id: int,
+    **kwargs
+) -> Optional[Account]:
+    """更新账户信息"""
+    db_account = get_account_by_id(db, account_id)
+    if not db_account:
+        return None
+
+    for key, value in kwargs.items():
+        if hasattr(db_account, key) and value is not None:
+            setattr(db_account, key, value)
+
+    db.commit()
+    db.refresh(db_account)
+    return db_account
+
+
+def delete_account(db: Session, account_id: int) -> bool:
+    """删除账户"""
+    db_account = get_account_by_id(db, account_id)
+    if not db_account:
+        return False
+
+    db.delete(db_account)
+    db.commit()
+    return True
+
+
+def delete_accounts_batch(db: Session, account_ids: List[int]) -> int:
+    """批量删除账户"""
+    result = db.query(Account).filter(Account.id.in_(account_ids)).delete(synchronize_session=False)
+    db.commit()
+    return result
+
+
+def get_accounts_count(
+    db: Session,
+    email_service: Optional[str] = None,
+    status: Optional[str] = None
+) -> int:
+    """获取账户数量"""
+    query = db.query(func.count(Account.id))
+
+    if email_service:
+        query = query.filter(Account.email_service == email_service)
+
+    if status:
+        query = query.filter(Account.status == status)
+
+    return query.scalar()
+
+
+# ============================================================================
+# 邮箱服务 CRUD
+# ============================================================================
+
+def create_email_service(
+    db: Session,
+    service_type: str,
+    name: str,
+    config: Dict[str, Any],
+    enabled: bool = True,
+    priority: int = 0
+) -> EmailService:
+    """创建邮箱服务配置"""
+    db_service = EmailService(
+        service_type=service_type,
+        name=name,
+        config=config,
+        enabled=enabled,
+        priority=priority
+    )
+    db.add(db_service)
+    db.commit()
+    db.refresh(db_service)
+    return db_service
+
+
+def get_email_service_by_id(db: Session, service_id: int) -> Optional[EmailService]:
+    """根据 ID 获取邮箱服务"""
+    return db.query(EmailService).filter(EmailService.id == service_id).first()
+
+
+def get_email_services(
+    db: Session,
+    service_type: Optional[str] = None,
+    enabled: Optional[bool] = None,
+    skip: int = 0,
+    limit: int = 100
+) -> List[EmailService]:
+    """获取邮箱服务列表"""
+    query = db.query(EmailService)
+
+    if service_type:
+        query = query.filter(EmailService.service_type == service_type)
+
+    if enabled is not None:
+        query = query.filter(EmailService.enabled == enabled)
+
+    query = query.order_by(
+        asc(EmailService.priority),
+        desc(EmailService.last_used)
+    ).offset(skip).limit(limit)
+
+    return query.all()
+
+
+def update_email_service(
+    db: Session,
+    service_id: int,
+    **kwargs
+) -> Optional[EmailService]:
+    """更新邮箱服务配置"""
+    db_service = get_email_service_by_id(db, service_id)
+    if not db_service:
+        return None
+
+    for key, value in kwargs.items():
+        if hasattr(db_service, key) and value is not None:
+            setattr(db_service, key, value)
+
+    db.commit()
+    db.refresh(db_service)
+    return db_service
+
+
+def delete_email_service(db: Session, service_id: int) -> bool:
+    """删除邮箱服务配置"""
+    db_service = get_email_service_by_id(db, service_id)
+    if not db_service:
+        return False
+
+    db.delete(db_service)
+    db.commit()
+    return True
+
+
+# ============================================================================
+# 注册任务 CRUD
+# ============================================================================
+
+def create_registration_task(
+    db: Session,
+    task_uuid: str,
+    email_service_id: Optional[int] = None,
+    proxy: Optional[str] = None
+) -> RegistrationTask:
+    """创建注册任务"""
+    db_task = RegistrationTask(
+        task_uuid=task_uuid,
+        email_service_id=email_service_id,
+        proxy=proxy,
+        status='pending'
+    )
+    db.add(db_task)
+    db.commit()
+    db.refresh(db_task)
+    return db_task
+
+
+def get_registration_task_by_uuid(db: Session, task_uuid: str) -> Optional[RegistrationTask]:
+    """根据 UUID 获取注册任务"""
+    return db.query(RegistrationTask).filter(RegistrationTask.task_uuid == task_uuid).first()
+
+
+def get_registration_tasks(
+    db: Session,
+    status: Optional[str] = None,
+    skip: int = 0,
+    limit: int = 100
+) -> List[RegistrationTask]:
+    """获取注册任务列表"""
+    query = db.query(RegistrationTask)
+
+    if status:
+        query = query.filter(RegistrationTask.status == status)
+
+    query = query.order_by(desc(RegistrationTask.created_at)).offset(skip).limit(limit)
+    return query.all()
+
+
+def update_registration_task(
+    db: Session,
+    task_uuid: str,
+    **kwargs
+) -> Optional[RegistrationTask]:
+    """更新注册任务状态"""
+    db_task = get_registration_task_by_uuid(db, task_uuid)
+    if not db_task:
+        return None
+
+    for key, value in kwargs.items():
+        if hasattr(db_task, key):
+            setattr(db_task, key, value)
+
+    db.commit()
+    db.refresh(db_task)
+    return db_task
+
+
+def append_task_log(db: Session, task_uuid: str, log_message: str) -> bool:
+    """追加任务日志"""
+    db_task = get_registration_task_by_uuid(db, task_uuid)
+    if not db_task:
+        return False
+
+    if db_task.logs:
+        db_task.logs += f"\n{log_message}"
+    else:
+        db_task.logs = log_message
+
+    db.commit()
+    return True
+
+
+def delete_registration_task(db: Session, task_uuid: str) -> bool:
+    """删除注册任务"""
+    db_task = get_registration_task_by_uuid(db, task_uuid)
+    if not db_task:
+        return False
+
+    db.delete(db_task)
+    db.commit()
+    return True
+
+
+# 为 API 路由添加别名
+get_account = get_account_by_id
+get_registration_task = get_registration_task_by_uuid
+
+
+# ============================================================================
+# 设置 CRUD
+# ============================================================================
+
+def get_setting(db: Session, key: str) -> Optional[Setting]:
+    """获取设置"""
+    return db.query(Setting).filter(Setting.key == key).first()
+
+
+def get_settings_by_category(db: Session, category: str) -> List[Setting]:
+    """根据分类获取设置"""
+    return db.query(Setting).filter(Setting.category == category).all()
+
+
+def set_setting(
+    db: Session,
+    key: str,
+    value: str,
+    description: Optional[str] = None,
+    category: str = 'general'
+) -> Setting:
+    """设置或更新配置项"""
+    db_setting = get_setting(db, key)
+    if db_setting:
+        db_setting.value = value
+        db_setting.description = description or db_setting.description
+        db_setting.category = category
+        db_setting.updated_at = datetime.utcnow()
+    else:
+        db_setting = Setting(
+            key=key,
+            value=value,
+            description=description,
+            category=category
+        )
+        db.add(db_setting)
+
+    db.commit()
+    db.refresh(db_setting)
+    return db_setting
+
+
+def delete_setting(db: Session, key: str) -> bool:
+    """删除设置"""
+    db_setting = get_setting(db, key)
+    if not db_setting:
+        return False
+
+    db.delete(db_setting)
+    db.commit()
+    return True
+
+
+# ============================================================================
+# 代理 CRUD
+# ============================================================================
+
+def create_proxy(
+    db: Session,
+    name: str,
+    type: str,
+    host: str,
+    port: int,
+    username: Optional[str] = None,
+    password: Optional[str] = None,
+    enabled: bool = True,
+    priority: int = 0
+) -> Proxy:
+    """创建代理配置"""
+    db_proxy = Proxy(
+        name=name,
+        type=type,
+        host=host,
+        port=port,
+        username=username,
+        password=password,
+        enabled=enabled,
+        priority=priority
+    )
+    db.add(db_proxy)
+    db.commit()
+    db.refresh(db_proxy)
+    return db_proxy
+
+
+def get_proxy_by_id(db: Session, proxy_id: int) -> Optional[Proxy]:
+    """根据 ID 获取代理"""
+    return db.query(Proxy).filter(Proxy.id == proxy_id).first()
+
+
+def get_proxies(
+    db: Session,
+    enabled: Optional[bool] = None,
+    skip: int = 0,
+    limit: int = 100
+) -> List[Proxy]:
+    """获取代理列表"""
+    query = db.query(Proxy)
+
+    if enabled is not None:
+        query = query.filter(Proxy.enabled == enabled)
+
+    query = query.order_by(desc(Proxy.created_at)).offset(skip).limit(limit)
+    return query.all()
+
+
+def get_enabled_proxies(db: Session) -> List[Proxy]:
+    """获取所有启用的代理"""
+    return db.query(Proxy).filter(Proxy.enabled == True).all()
+
+
+def update_proxy(
+    db: Session,
+    proxy_id: int,
+    **kwargs
+) -> Optional[Proxy]:
+    """更新代理配置"""
+    db_proxy = get_proxy_by_id(db, proxy_id)
+    if not db_proxy:
+        return None
+
+    for key, value in kwargs.items():
+        if hasattr(db_proxy, key):
+            setattr(db_proxy, key, value)
+
+    db.commit()
+    db.refresh(db_proxy)
+    return db_proxy
+
+
+def delete_proxy(db: Session, proxy_id: int) -> bool:
+    """删除代理配置"""
+    db_proxy = get_proxy_by_id(db, proxy_id)
+    if not db_proxy:
+        return False
+
+    db.delete(db_proxy)
+    db.commit()
+    return True
+
+
+def update_proxy_last_used(db: Session, proxy_id: int) -> bool:
+    """更新代理最后使用时间"""
+    db_proxy = get_proxy_by_id(db, proxy_id)
+    if not db_proxy:
+        return False
+
+    db_proxy.last_used = datetime.utcnow()
+    db.commit()
+    return True
+
+
+def get_random_proxy(db: Session) -> Optional[Proxy]:
+    """随机获取一个启用的代理，优先返回 is_default=True 的代理"""
+    import random
+    # 优先返回默认代理
+    default_proxy = db.query(Proxy).filter(Proxy.enabled == True, Proxy.is_default == True).first()
+    if default_proxy:
+        return default_proxy
+    proxies = get_enabled_proxies(db)
+    if not proxies:
+        return None
+    return random.choice(proxies)
+
+
+def set_proxy_default(db: Session, proxy_id: int) -> Optional[Proxy]:
+    """将指定代理设为默认，同时清除其他代理的默认标记"""
+    # 清除所有默认标记
+    db.query(Proxy).filter(Proxy.is_default == True).update({"is_default": False})
+    # 设置新的默认代理
+    proxy = db.query(Proxy).filter(Proxy.id == proxy_id).first()
+    if proxy:
+        proxy.is_default = True
+        db.commit()
+        db.refresh(proxy)
+    return proxy
+
+
+def get_proxies_count(db: Session, enabled: Optional[bool] = None) -> int:
+    """获取代理数量"""
+    query = db.query(func.count(Proxy.id))
+    if enabled is not None:
+        query = query.filter(Proxy.enabled == enabled)
+    return query.scalar()
+
+
+# ============================================================================
+# CPA 服务 CRUD
+# ============================================================================
+
+def create_cpa_service(
+    db: Session,
+    name: str,
+    api_url: str,
+    api_token: str,
+    enabled: bool = True,
+    priority: int = 0
+) -> CpaService:
+    """创建 CPA 服务配置"""
+    db_service = CpaService(
+        name=name,
+        api_url=api_url,
+        api_token=api_token,
+        enabled=enabled,
+        priority=priority
+    )
+    db.add(db_service)
+    db.commit()
+    db.refresh(db_service)
+    return db_service
+
+
+def get_cpa_service_by_id(db: Session, service_id: int) -> Optional[CpaService]:
+    """根据 ID 获取 CPA 服务"""
+    return db.query(CpaService).filter(CpaService.id == service_id).first()
+
+
+def get_cpa_services(
+    db: Session,
+    enabled: Optional[bool] = None
+) -> List[CpaService]:
+    """获取 CPA 服务列表"""
+    query = db.query(CpaService)
+    if enabled is not None:
+        query = query.filter(CpaService.enabled == enabled)
+    return query.order_by(asc(CpaService.priority), asc(CpaService.id)).all()
+
+
+def update_cpa_service(
+    db: Session,
+    service_id: int,
+    **kwargs
+) -> Optional[CpaService]:
+    """更新 CPA 服务配置"""
+    db_service = get_cpa_service_by_id(db, service_id)
+    if not db_service:
+        return None
+    for key, value in kwargs.items():
+        if hasattr(db_service, key):
+            setattr(db_service, key, value)
+    db.commit()
+    db.refresh(db_service)
+    return db_service
+
+
+def delete_cpa_service(db: Session, service_id: int) -> bool:
+    """删除 CPA 服务配置"""
+    db_service = get_cpa_service_by_id(db, service_id)
+    if not db_service:
+        return False
+    db.delete(db_service)
+    db.commit()
+    return True
+
+
+# ============================================================================
+# Sub2API 服务 CRUD
+# ============================================================================
+
+def create_sub2api_service(
+    db: Session,
+    name: str,
+    api_url: str,
+    api_key: str,
+    enabled: bool = True,
+    priority: int = 0
+) -> Sub2ApiService:
+    """创建 Sub2API 服务配置"""
+    svc = Sub2ApiService(
+        name=name,
+        api_url=api_url,
+        api_key=api_key,
+        enabled=enabled,
+        priority=priority,
+    )
+    db.add(svc)
+    db.commit()
+    db.refresh(svc)
+    return svc
+
+
+def get_sub2api_service_by_id(db: Session, service_id: int) -> Optional[Sub2ApiService]:
+    """按 ID 获取 Sub2API 服务"""
+    return db.query(Sub2ApiService).filter(Sub2ApiService.id == service_id).first()
+
+
+def get_sub2api_services(
+    db: Session,
+    enabled: Optional[bool] = None
+) -> List[Sub2ApiService]:
+    """获取 Sub2API 服务列表"""
+    query = db.query(Sub2ApiService)
+    if enabled is not None:
+        query = query.filter(Sub2ApiService.enabled == enabled)
+    return query.order_by(asc(Sub2ApiService.priority), asc(Sub2ApiService.id)).all()
+
+
+def update_sub2api_service(db: Session, service_id: int, **kwargs) -> Optional[Sub2ApiService]:
+    """更新 Sub2API 服务配置"""
+    svc = get_sub2api_service_by_id(db, service_id)
+    if not svc:
+        return None
+    for key, value in kwargs.items():
+        setattr(svc, key, value)
+    db.commit()
+    db.refresh(svc)
+    return svc
+
+
+def delete_sub2api_service(db: Session, service_id: int) -> bool:
+    """删除 Sub2API 服务配置"""
+    svc = get_sub2api_service_by_id(db, service_id)
+    if not svc:
+        return False
+    db.delete(svc)
+    db.commit()
+    return True
+
+
+# ============================================================================
+# Team Manager 服务 CRUD
+# ============================================================================
+
+def create_tm_service(
+    db: Session,
+    name: str,
+    api_url: str,
+    api_key: str,
+    enabled: bool = True,
+    priority: int = 0,
+):
+    """创建 Team Manager 服务配置"""
+    from .models import TeamManagerService
+    svc = TeamManagerService(
+        name=name,
+        api_url=api_url,
+        api_key=api_key,
+        enabled=enabled,
+        priority=priority,
+    )
+    db.add(svc)
+    db.commit()
+    db.refresh(svc)
+    return svc
+
+
+def get_tm_service_by_id(db: Session, service_id: int):
+    """按 ID 获取 Team Manager 服务"""
+    from .models import TeamManagerService
+    return db.query(TeamManagerService).filter(TeamManagerService.id == service_id).first()
+
+
+def get_tm_services(db: Session, enabled=None):
+    """获取 Team Manager 服务列表"""
+    from .models import TeamManagerService
+    q = db.query(TeamManagerService)
+    if enabled is not None:
+        q = q.filter(TeamManagerService.enabled == enabled)
+    return q.order_by(TeamManagerService.priority.asc(), TeamManagerService.id.asc()).all()
+
+
+def update_tm_service(db: Session, service_id: int, **kwargs):
+    """更新 Team Manager 服务配置"""
+    svc = get_tm_service_by_id(db, service_id)
+    if not svc:
+        return None
+    for k, v in kwargs.items():
+        setattr(svc, k, v)
+    db.commit()
+    db.refresh(svc)
+    return svc
+
+
+def delete_tm_service(db: Session, service_id: int) -> bool:
+    """删除 Team Manager 服务配置"""
+    svc = get_tm_service_by_id(db, service_id)
+    if not svc:
+        return False
+    db.delete(svc)
+    db.commit()
+    return True

src/database/init_db.py

@@ -0,0 +1,86 @@
+"""
+数据库初始化和初始化数据
+"""
+
+from .session import init_database
+from .models import Base
+
+
+def initialize_database(database_url: str = None):
+    """
+    初始化数据库
+    创建所有表并设置默认配置
+    """
+    # 初始化数据库连接和表
+    db_manager = init_database(database_url)
+
+    # 创建表
+    db_manager.create_tables()
+
+    # 初始化默认设置（从 settings 模块导入以避免循环导入）
+    from ..config.settings import init_default_settings
+    init_default_settings()
+
+    return db_manager
+
+
+def reset_database(database_url: str = None):
+    """
+    重置数据库（删除所有表并重新创建）
+    警告：会丢失所有数据！
+    """
+    db_manager = init_database(database_url)
+
+    # 删除所有表
+    db_manager.drop_tables()
+    print("已删除所有表")
+
+    # 重新创建所有表
+    db_manager.create_tables()
+    print("已重新创建所有表")
+
+    # 初始化默认设置
+    from ..config.settings import init_default_settings
+    init_default_settings()
+
+    print("数据库重置完成")
+    return db_manager
+
+
+def check_database_connection(database_url: str = None) -> bool:
+    """
+    检查数据库连接是否正常
+    """
+    try:
+        db_manager = init_database(database_url)
+        with db_manager.get_db() as db:
+            # 尝试执行一个简单的查询
+            db.execute("SELECT 1")
+        print("数据库连接正常")
+        return True
+    except Exception as e:
+        print(f"数据库连接失败: {e}")
+        return False
+
+
+if __name__ == "__main__":
+    # 当直接运行此脚本时，初始化数据库
+    import argparse
+
+    parser = argparse.ArgumentParser(description="数据库初始化脚本")
+    parser.add_argument("--reset", action="store_true", help="重置数据库（删除所有数据）")
+    parser.add_argument("--check", action="store_true", help="检查数据库连接")
+    parser.add_argument("--url", help="数据库连接字符串")
+
+    args = parser.parse_args()
+
+    if args.check:
+        check_database_connection(args.url)
+    elif args.reset:
+        confirm = input("警告：这将删除所有数据！确认重置？(y/N): ")
+        if confirm.lower() == 'y':
+            reset_database(args.url)
+        else:
+            print("操作已取消")
+    else:
+        initialize_database(args.url)

src/database/models.py

@@ -0,0 +1,229 @@
+"""
+SQLAlchemy ORM 模型定义
+"""
+
+from datetime import datetime
+from typing import Optional, Dict, Any
+import json
+from sqlalchemy import Column, Integer, String, Text, Boolean, DateTime, ForeignKey
+from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.types import TypeDecorator
+from sqlalchemy.orm import relationship
+
+Base = declarative_base()
+
+
+class JSONEncodedDict(TypeDecorator):
+    """JSON 编码字典类型"""
+    impl = Text
+
+    def process_bind_param(self, value: Optional[Dict[str, Any]], dialect):
+        if value is None:
+            return None
+        return json.dumps(value, ensure_ascii=False)
+
+    def process_result_value(self, value: Optional[str], dialect):
+        if value is None:
+            return None
+        return json.loads(value)
+
+
+class Account(Base):
+    """已注册账号表"""
+    __tablename__ = 'accounts'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    email = Column(String(255), nullable=False, unique=True, index=True)
+    password = Column(String(255))  # 注册密码（明文存储）
+    access_token = Column(Text)
+    refresh_token = Column(Text)
+    id_token = Column(Text)
+    session_token = Column(Text)  # 会话令牌（优先刷新方式）
+    client_id = Column(String(255))  # OAuth Client ID
+    account_id = Column(String(255))
+    workspace_id = Column(String(255))
+    email_service = Column(String(50), nullable=False)  # 'tempmail', 'outlook', 'moe_mail'
+    email_service_id = Column(String(255))  # 邮箱服务中的ID
+    proxy_used = Column(String(255))
+    registered_at = Column(DateTime, default=datetime.utcnow)
+    last_refresh = Column(DateTime)  # 最后刷新时间
+    expires_at = Column(DateTime)  # Token 过期时间
+    status = Column(String(20), default='active')  # 'active', 'expired', 'banned', 'failed'
+    extra_data = Column(JSONEncodedDict)  # 额外信息存储
+    cpa_uploaded = Column(Boolean, default=False)  # 是否已上传到 CPA
+    cpa_uploaded_at = Column(DateTime)  # 上传时间
+    source = Column(String(20), default='register')  # 'register' 或 'login'，区分账号来源
+    subscription_type = Column(String(20))  # None / 'plus' / 'team'
+    subscription_at = Column(DateTime)  # 订阅开通时间
+    cookies = Column(Text)  # 完整 cookie 字符串，用于支付请求
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """转换为字典"""
+        return {
+            'id': self.id,
+            'email': self.email,
+            'password': self.password,
+            'client_id': self.client_id,
+            'email_service': self.email_service,
+            'account_id': self.account_id,
+            'workspace_id': self.workspace_id,
+            'registered_at': self.registered_at.isoformat() if self.registered_at else None,
+            'last_refresh': self.last_refresh.isoformat() if self.last_refresh else None,
+            'expires_at': self.expires_at.isoformat() if self.expires_at else None,
+            'status': self.status,
+            'proxy_used': self.proxy_used,
+            'cpa_uploaded': self.cpa_uploaded,
+            'cpa_uploaded_at': self.cpa_uploaded_at.isoformat() if self.cpa_uploaded_at else None,
+            'source': self.source,
+            'subscription_type': self.subscription_type,
+            'subscription_at': self.subscription_at.isoformat() if self.subscription_at else None,
+            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'updated_at': self.updated_at.isoformat() if self.updated_at else None
+        }
+
+
+class EmailService(Base):
+    """邮箱服务配置表"""
+    __tablename__ = 'email_services'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    service_type = Column(String(50), nullable=False)  # 'outlook', 'moe_mail'
+    name = Column(String(100), nullable=False)
+    config = Column(JSONEncodedDict, nullable=False)  # 服务配置（加密存储）
+    enabled = Column(Boolean, default=True)
+    priority = Column(Integer, default=0)  # 使用优先级
+    last_used = Column(DateTime)
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class RegistrationTask(Base):
+    """注册任务表"""
+    __tablename__ = 'registration_tasks'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    task_uuid = Column(String(36), unique=True, nullable=False, index=True)  # 任务唯一标识
+    status = Column(String(20), default='pending')  # 'pending', 'running', 'completed', 'failed', 'cancelled'
+    email_service_id = Column(Integer, ForeignKey('email_services.id'), index=True)  # 使用的邮箱服务
+    proxy = Column(String(255))  # 使用的代理
+    logs = Column(Text)  # 注册过程日志
+    result = Column(JSONEncodedDict)  # 注册���果
+    error_message = Column(Text)
+    created_at = Column(DateTime, default=datetime.utcnow)
+    started_at = Column(DateTime)
+    completed_at = Column(DateTime)
+
+    # 关系
+    email_service = relationship('EmailService')
+
+
+class Setting(Base):
+    """系统设置表"""
+    __tablename__ = 'settings'
+
+    key = Column(String(100), primary_key=True)
+    value = Column(Text)
+    description = Column(Text)
+    category = Column(String(50), default='general')  # 'general', 'email', 'proxy', 'openai'
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class CpaService(Base):
+    """CPA 服务配置表"""
+    __tablename__ = 'cpa_services'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(100), nullable=False)  # 服务名称
+    api_url = Column(String(500), nullable=False)  # API URL
+    api_token = Column(Text, nullable=False)  # API Token
+    enabled = Column(Boolean, default=True)
+    priority = Column(Integer, default=0)  # 优先级
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class Sub2ApiService(Base):
+    """Sub2API 服务配置表"""
+    __tablename__ = 'sub2api_services'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(100), nullable=False)  # 服务名称
+    api_url = Column(String(500), nullable=False)  # API URL (host)
+    api_key = Column(Text, nullable=False)  # x-api-key
+    enabled = Column(Boolean, default=True)
+    priority = Column(Integer, default=0)  # 优先级
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class TeamManagerService(Base):
+    """Team Manager 服务配置表"""
+    __tablename__ = 'tm_services'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(100), nullable=False)  # 服务名称
+    api_url = Column(String(500), nullable=False)  # API URL
+    api_key = Column(Text, nullable=False)  # X-API-Key
+    enabled = Column(Boolean, default=True)
+    priority = Column(Integer, default=0)  # 优先级
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class Proxy(Base):
+    """代理列表表"""
+    __tablename__ = 'proxies'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(100), nullable=False)  # 代理名称
+    type = Column(String(20), nullable=False, default='http')  # http, socks5
+    host = Column(String(255), nullable=False)
+    port = Column(Integer, nullable=False)
+    username = Column(String(100))
+    password = Column(String(255))
+    enabled = Column(Boolean, default=True)
+    is_default = Column(Boolean, default=False)  # 是否为默认代理
+    priority = Column(Integer, default=0)  # 优先级（保留字段）
+    last_used = Column(DateTime)  # 最后使用时间
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    def to_dict(self, include_password: bool = False) -> Dict[str, Any]:
+        """转换为字典"""
+        result = {
+            'id': self.id,
+            'name': self.name,
+            'type': self.type,
+            'host': self.host,
+            'port': self.port,
+            'username': self.username,
+            'enabled': self.enabled,
+            'is_default': self.is_default or False,
+            'priority': self.priority,
+            'last_used': self.last_used.isoformat() if self.last_used else None,
+            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'updated_at': self.updated_at.isoformat() if self.updated_at else None,
+        }
+        if include_password:
+            result['password'] = self.password
+        else:
+            result['has_password'] = bool(self.password)
+        return result
+
+    @property
+    def proxy_url(self) -> str:
+        """获取完整的代理 URL"""
+        if self.type == "http":
+            scheme = "http"
+        elif self.type == "socks5":
+            scheme = "socks5"
+        else:
+            scheme = self.type
+
+        auth = ""
+        if self.username and self.password:
+            auth = f"{self.username}:{self.password}@"
+
+        return f"{scheme}://{auth}{self.host}:{self.port}"

src/database/session.py

@@ -0,0 +1,182 @@
+"""
+数据库会话管理
+"""
+
+from contextlib import contextmanager
+from typing import Generator
+from sqlalchemy import create_engine, text
+from sqlalchemy.orm import sessionmaker, Session
+from sqlalchemy.exc import SQLAlchemyError
+import os
+import logging
+
+from .models import Base
+
+logger = logging.getLogger(__name__)
+
+
+def _build_sqlalchemy_url(database_url: str) -> str:
+    if database_url.startswith("postgresql://"):
+        return "postgresql+psycopg://" + database_url[len("postgresql://"):]
+    if database_url.startswith("postgres://"):
+        return "postgresql+psycopg://" + database_url[len("postgres://"):]
+    return database_url
+
+
+class DatabaseSessionManager:
+    """数据库会话管理器"""
+
+    def __init__(self, database_url: str = None):
+        if database_url is None:
+            env_url = os.environ.get("APP_DATABASE_URL") or os.environ.get("DATABASE_URL")
+            if env_url:
+                database_url = env_url
+            else:
+                # 优先使用 APP_DATA_DIR 环境变量（PyInstaller 打包后由 webui.py 设置）
+                data_dir = os.environ.get('APP_DATA_DIR') or os.path.join(
+                    os.path.dirname(os.path.dirname(os.path.dirname(__file__))),
+                    'data'
+                )
+                db_path = os.path.join(data_dir, 'database.db')
+                # 确保目录存在
+                os.makedirs(data_dir, exist_ok=True)
+                database_url = f"sqlite:///{db_path}"
+
+        self.database_url = _build_sqlalchemy_url(database_url)
+        self.engine = create_engine(
+            self.database_url,
+            connect_args={"check_same_thread": False} if self.database_url.startswith("sqlite") else {},
+            echo=False,  # 设置为 True 可以查看所有 SQL 语句
+            pool_pre_ping=True  # 连接池预检查
+        )
+        self.SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=self.engine)
+
+    def get_db(self) -> Generator[Session, None, None]:
+        """
+        获取数据库会话的上下文管理器
+        使用示例:
+            with get_db() as db:
+                # 使用 db 进行数据库操作
+                pass
+        """
+        db = self.SessionLocal()
+        try:
+            yield db
+        finally:
+            db.close()
+
+    @contextmanager
+    def session_scope(self) -> Generator[Session, None, None]:
+        """
+        事务作用域上下文管理器
+        使用示例:
+            with session_scope() as session:
+                # 数据库操作
+                pass
+        """
+        session = self.SessionLocal()
+        try:
+            yield session
+            session.commit()
+        except Exception as e:
+            session.rollback()
+            raise e
+        finally:
+            session.close()
+
+    def create_tables(self):
+        """创建所有表"""
+        Base.metadata.create_all(bind=self.engine)
+
+    def drop_tables(self):
+        """删除所有表（谨慎使用）"""
+        Base.metadata.drop_all(bind=self.engine)
+
+    def migrate_tables(self):
+        """
+        数据库迁移 - 添加缺失的列
+        用于在不删除数据的情况下更新表结构
+        """
+        if not self.database_url.startswith("sqlite"):
+            logger.info("非 SQLite 数据库，跳过自动迁移")
+            return
+
+        # 需要检查和添加的新列
+        migrations = [
+            # (表名, 列名, 列类型)
+            ("accounts", "cpa_uploaded", "BOOLEAN DEFAULT 0"),
+            ("accounts", "cpa_uploaded_at", "DATETIME"),
+            ("accounts", "source", "VARCHAR(20) DEFAULT 'register'"),
+            ("accounts", "subscription_type", "VARCHAR(20)"),
+            ("accounts", "subscription_at", "DATETIME"),
+            ("accounts", "cookies", "TEXT"),
+            ("proxies", "is_default", "BOOLEAN DEFAULT 0"),
+        ]
+
+        # 确保新表存在（create_tables 已处理，此处兜底）
+        Base.metadata.create_all(bind=self.engine)
+
+        with self.engine.connect() as conn:
+            # 数据迁移：将旧的 custom_domain 记录统一为 moe_mail
+            try:
+                conn.execute(text("UPDATE email_services SET service_type='moe_mail' WHERE service_type='custom_domain'"))
+                conn.execute(text("UPDATE accounts SET email_service='moe_mail' WHERE email_service='custom_domain'"))
+                conn.commit()
+            except Exception as e:
+                logger.warning(f"迁移 custom_domain -> moe_mail 时出错: {e}")
+
+            for table_name, column_name, column_type in migrations:
+                try:
+                    # 检查列是否存在
+                    result = conn.execute(text(
+                        f"SELECT * FROM pragma_table_info('{table_name}') WHERE name='{column_name}'"
+                    ))
+                    if result.fetchone() is None:
+                        # 列不存在，添加它
+                        logger.info(f"添加列 {table_name}.{column_name}")
+                        conn.execute(text(
+                            f"ALTER TABLE {table_name} ADD COLUMN {column_name} {column_type}"
+                        ))
+                        conn.commit()
+                        logger.info(f"成功添加列 {table_name}.{column_name}")
+                except Exception as e:
+                    logger.warning(f"迁移列 {table_name}.{column_name} 时出错: {e}")
+
+
+# 全局数据库会话管理器实例
+_db_manager: DatabaseSessionManager = None
+
+
+def init_database(database_url: str = None) -> DatabaseSessionManager:
+    """
+    初始化数据库会话管理器
+    """
+    global _db_manager
+    if _db_manager is None:
+        _db_manager = DatabaseSessionManager(database_url)
+        _db_manager.create_tables()
+        # 执行数据库迁移
+        _db_manager.migrate_tables()
+    return _db_manager
+
+
+def get_session_manager() -> DatabaseSessionManager:
+    """
+    获取数据库会话管理器
+    """
+    if _db_manager is None:
+        raise RuntimeError("数据库未初始化，请先调用 init_database()")
+    return _db_manager
+
+
+@contextmanager
+def get_db() -> Generator[Session, None, None]:
+    """
+    获取数据库会话的快捷函数
+    """
+    manager = get_session_manager()
+    db = manager.SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

src/services/__init__.py

@@ -0,0 +1,76 @@
+"""
+邮箱服务模块
+"""
+
+from .base import (
+    BaseEmailService,
+    EmailServiceError,
+    EmailServiceStatus,
+    EmailServiceFactory,
+    create_email_service,
+    EmailServiceType
+)
+from .tempmail import TempmailService
+from .outlook import OutlookService
+from .moe_mail import MeoMailEmailService
+from .temp_mail import TempMailService
+from .duck_mail import DuckMailService
+from .freemail import FreemailService
+from .imap_mail import ImapMailService
+from .cloud_mail import CloudMailService
+
+# 注册服务
+EmailServiceFactory.register(EmailServiceType.TEMPMAIL, TempmailService)
+EmailServiceFactory.register(EmailServiceType.OUTLOOK, OutlookService)
+EmailServiceFactory.register(EmailServiceType.MOE_MAIL, MeoMailEmailService)
+EmailServiceFactory.register(EmailServiceType.TEMP_MAIL, TempMailService)
+EmailServiceFactory.register(EmailServiceType.DUCK_MAIL, DuckMailService)
+EmailServiceFactory.register(EmailServiceType.FREEMAIL, FreemailService)
+EmailServiceFactory.register(EmailServiceType.IMAP_MAIL, ImapMailService)
+EmailServiceFactory.register(EmailServiceType.CLOUD_MAIL, CloudMailService)
+
+# 导出 Outlook 模块的额外内容
+from .outlook.base import (
+    ProviderType,
+    EmailMessage,
+    TokenInfo,
+    ProviderHealth,
+    ProviderStatus,
+)
+from .outlook.account import OutlookAccount
+from .outlook.providers import (
+    OutlookProvider,
+    IMAPOldProvider,
+    IMAPNewProvider,
+    GraphAPIProvider,
+)
+
+__all__ = [
+    # 基类
+    'BaseEmailService',
+    'EmailServiceError',
+    'EmailServiceStatus',
+    'EmailServiceFactory',
+    'create_email_service',
+    'EmailServiceType',
+    # 服务类
+    'TempmailService',
+    'OutlookService',
+    'MeoMailEmailService',
+    'TempMailService',
+    'DuckMailService',
+    'FreemailService',
+    'ImapMailService',
+    'CloudMailService',
+    # Outlook 模块
+    'ProviderType',
+    'EmailMessage',
+    'TokenInfo',
+    'ProviderHealth',
+    'ProviderStatus',
+    'OutlookAccount',
+    'OutlookProvider',
+    'IMAPOldProvider',
+    'IMAPNewProvider',
+    'GraphAPIProvider',
+]

src/services/base.py

@@ -0,0 +1,386 @@
+"""
+邮箱服务抽象基类
+所有邮箱服务实现的基类
+"""
+
+import abc
+import logging
+from typing import Optional, Dict, Any, List
+from enum import Enum
+
+from ..config.constants import EmailServiceType
+
+
+logger = logging.getLogger(__name__)
+
+
+class EmailServiceError(Exception):
+    """邮箱服务异常"""
+    pass
+
+
+class EmailServiceStatus(Enum):
+    """邮箱服务状态"""
+    HEALTHY = "healthy"
+    DEGRADED = "degraded"
+    UNAVAILABLE = "unavailable"
+
+
+class BaseEmailService(abc.ABC):
+    """
+    邮箱服务抽象基类
+
+    所有邮箱服务必须实现此接口
+    """
+
+    def __init__(self, service_type: EmailServiceType, name: str = None):
+        """
+        初始化邮箱服务
+
+        Args:
+            service_type: 服务类型
+            name: 服务名称
+        """
+        self.service_type = service_type
+        self.name = name or f"{service_type.value}_service"
+        self._status = EmailServiceStatus.HEALTHY
+        self._last_error = None
+
+    @property
+    def status(self) -> EmailServiceStatus:
+        """获取服务状态"""
+        return self._status
+
+    @property
+    def last_error(self) -> Optional[str]:
+        """获取最后一次错误信息"""
+        return self._last_error
+
+    @abc.abstractmethod
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """
+        创建新邮箱地址
+
+        Args:
+            config: 配置参数，如邮箱前缀、域名等
+
+        Returns:
+            包含邮箱信息的字典，至少包含:
+            - email: 邮箱地址
+            - service_id: 邮箱服务中的 ID
+            - token/credentials: 访问凭证（如果需要）
+
+        Raises:
+            EmailServiceError: 创建失败
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        pattern: str = r"(?<!\d)(\d{6})(?!\d)",
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """
+        获取验证码
+
+        Args:
+            email: 邮箱地址
+            email_id: 邮箱服务中的 ID（如果需要）
+            timeout: 超时时间（秒）
+            pattern: 验证码正则表达式
+            otp_sent_at: OTP 发送时间戳，用于过滤旧邮件
+
+        Returns:
+            验证码字符串，如果超时或未找到返回 None
+
+        Raises:
+            EmailServiceError: 服务错误
+        """
+        pass
+
+    @abc.abstractmethod
+    def list_emails(self, **kwargs) -> List[Dict[str, Any]]:
+        """
+        列出所有邮箱（如果服务支持）
+
+        Args:
+            **kwargs: 其他参数
+
+        Returns:
+            邮箱列表
+
+        Raises:
+            EmailServiceError: 服务错误
+        """
+        pass
+
+    @abc.abstractmethod
+    def delete_email(self, email_id: str) -> bool:
+        """
+        删除邮箱
+
+        Args:
+            email_id: 邮箱服务中的 ID
+
+        Returns:
+            是否删除成功
+
+        Raises:
+            EmailServiceError: 服务错误
+        """
+        pass
+
+    @abc.abstractmethod
+    def check_health(self) -> bool:
+        """
+        检查服务健康状态
+
+        Returns:
+            服务是否健康
+
+        Note:
+            此方法不应抛出异常，应捕获异常并返回 False
+        """
+        pass
+
+    def get_email_info(self, email_id: str) -> Optional[Dict[str, Any]]:
+        """
+        获取邮箱信息（可选实现）
+
+        Args:
+            email_id: 邮箱服务中的 ID
+
+        Returns:
+            邮箱信息字典，如果不存在返回 None
+        """
+        # 默认实现：遍历列表查找
+        for email_info in self.list_emails():
+            if email_info.get("id") == email_id:
+                return email_info
+        return None
+
+    def wait_for_email(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        check_interval: int = 3,
+        expected_sender: str = None,
+        expected_subject: str = None
+    ) -> Optional[Dict[str, Any]]:
+        """
+        等待并获取邮件（可选实现）
+
+        Args:
+            email: 邮箱地址
+            email_id: 邮箱服务中的 ID
+            timeout: 超时时间（秒）
+            check_interval: 检查间隔（秒）
+            expected_sender: 期望的发件人（包含检查）
+            expected_subject: 期望的主题（包含检查）
+
+        Returns:
+            邮件信息字典，如果超时返回 None
+        """
+        import time
+        from datetime import datetime
+
+        start_time = time.time()
+        last_email_id = None
+
+        while time.time() - start_time < timeout:
+            try:
+                emails = self.list_emails()
+                for email_info in emails:
+                    email_data = email_info.get("email", {})
+                    current_email_id = email_info.get("id")
+
+                    # 检查是否是新的邮件
+                    if last_email_id and current_email_id == last_email_id:
+                        continue
+
+                    # 检查邮箱地址
+                    if email_data.get("address") != email:
+                        continue
+
+                    # 获取邮件列表
+                    messages = self.get_email_messages(email_id or current_email_id)
+                    for message in messages:
+                        # 检查发件人
+                        if expected_sender and expected_sender not in message.get("from", ""):
+                            continue
+
+                        # 检查主题
+                        if expected_subject and expected_subject not in message.get("subject", ""):
+                            continue
+
+                        # 返回邮件信息
+                        return {
+                            "id": message.get("id"),
+                            "from": message.get("from"),
+                            "subject": message.get("subject"),
+                            "content": message.get("content"),
+                            "received_at": message.get("received_at"),
+                            "email_info": email_info
+                        }
+
+                    # 更新最后检查的邮件 ID
+                    if messages:
+                        last_email_id = current_email_id
+
+            except Exception as e:
+                logger.warning(f"等待邮件时出错: {e}")
+
+            time.sleep(check_interval)
+
+        return None
+
+    def get_email_messages(self, email_id: str, **kwargs) -> List[Dict[str, Any]]:
+        """
+        获取邮箱中的邮件列表（可选实现）
+
+        Args:
+            email_id: 邮箱服务中的 ID
+            **kwargs: 其他参数
+
+        Returns:
+            邮件列表
+
+        Note:
+            这是可选方法，某些服务可能不支持
+        """
+        raise NotImplementedError("此邮箱服务不支持获取邮件列表")
+
+    def get_message_content(self, email_id: str, message_id: str) -> Optional[Dict[str, Any]]:
+        """
+        获取邮件内容（可选实现）
+
+        Args:
+            email_id: 邮箱服务中的 ID
+            message_id: 邮件 ID
+
+        Returns:
+            邮件内容字典
+
+        Note:
+            这是可选方法，某些服务可能不支持
+        """
+        raise NotImplementedError("此邮箱服务不支持获取邮件内容")
+
+    def update_status(self, success: bool, error: Exception = None):
+        """
+        更新服务状态
+
+        Args:
+            success: 操作是否成功
+            error: 错误信息
+        """
+        if success:
+            self._status = EmailServiceStatus.HEALTHY
+            self._last_error = None
+        else:
+            self._status = EmailServiceStatus.DEGRADED
+            if error:
+                self._last_error = str(error)
+
+    def __str__(self) -> str:
+        """字符串表示"""
+        return f"{self.name} ({self.service_type.value})"
+
+
+class EmailServiceFactory:
+    """邮箱服务工厂"""
+
+    _registry: Dict[EmailServiceType, type] = {}
+
+    @classmethod
+    def register(cls, service_type: EmailServiceType, service_class: type):
+        """
+        注册邮箱服务类
+
+        Args:
+            service_type: 服务类型
+            service_class: 服务类
+        """
+        if not issubclass(service_class, BaseEmailService):
+            raise TypeError(f"{service_class} 必须是 BaseEmailService 的子类")
+        cls._registry[service_type] = service_class
+        logger.info(f"注册邮箱服务: {service_type.value} -> {service_class.__name__}")
+
+    @classmethod
+    def create(
+        cls,
+        service_type: EmailServiceType,
+        config: Dict[str, Any],
+        name: str = None
+    ) -> BaseEmailService:
+        """
+        创建邮箱服务实例
+
+        Args:
+            service_type: 服务类型
+            config: 服务配置
+            name: 服务名称
+
+        Returns:
+            邮箱服务实例
+
+        Raises:
+            ValueError: 服务类型未注册或配置无效
+        """
+        if service_type not in cls._registry:
+            raise ValueError(f"未注册的服务类型: {service_type.value}")
+
+        service_class = cls._registry[service_type]
+        try:
+            instance = service_class(config, name)
+            return instance
+        except Exception as e:
+            raise ValueError(f"创建邮箱服务失败: {e}")
+
+    @classmethod
+    def get_available_services(cls) -> List[EmailServiceType]:
+        """
+        获取所有已注册的服务类型
+
+        Returns:
+            已注册的服务类型列表
+        """
+        return list(cls._registry.keys())
+
+    @classmethod
+    def get_service_class(cls, service_type: EmailServiceType) -> Optional[type]:
+        """
+        获取服务类
+
+        Args:
+            service_type: 服务类型
+
+        Returns:
+            服务类，如果未注册返回 None
+        """
+        return cls._registry.get(service_type)
+
+
+# 简化的工厂函数
+def create_email_service(
+    service_type: EmailServiceType,
+    config: Dict[str, Any],
+    name: str = None
+) -> BaseEmailService:
+    """
+    创建邮箱服务（简化工厂函数）
+
+    Args:
+        service_type: 服务类型
+        config: 服务配置
+        name: 服务名称
+
+    Returns:
+        邮箱服务实例
+    """
+    return EmailServiceFactory.create(service_type, config, name)

src/services/cloud_mail.py

@@ -0,0 +1,529 @@
+"""
+Cloud Mail 邮箱服务实现
+基于 Cloudflare Workers 的邮箱服务 (https://doc.skymail.ink)
+"""
+
+import re
+import sys
+import time
+import logging
+import random
+import string
+import requests
+from typing import Optional, Dict, Any, List
+from datetime import datetime
+
+from .base import BaseEmailService, EmailServiceError, EmailServiceType
+from ..config.constants import OTP_CODE_PATTERN
+
+logger = logging.getLogger(__name__)
+
+
+class CloudMailService(BaseEmailService):
+    """
+    Cloud Mail 邮箱服务
+    基于 Cloudflare Workers 的自部署邮箱服务
+    """
+    
+    # 类变量：所有实例共享token（按base_url区分）
+    _shared_tokens: Dict[str, tuple] = {}  # {base_url: (token, expires_at)}
+    _token_lock = None  # 延迟初始化
+    _seen_ids_lock = None  # seen_email_ids 的锁
+    _shared_seen_email_ids: Dict[str, set] = {}  # 所有实例共享已处理的邮件ID（按邮箱地址区分）
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        """
+        初始化 Cloud Mail 服务
+
+        Args:
+            config: 配置字典，支持以下键:
+                - base_url: API 基础地址 (必需)
+                - admin_email: 管理员邮箱 (必需)
+                - admin_password: 管理员密码 (必需)
+                - domain: 邮箱域名 (可选，用于生成邮箱地址)
+                - subdomain: 子域名 (可选)，会插入到 @ 和域名之间，例如 subdomain="test" 会生成 xxx@test.example.com
+                - timeout: 请求超时时间，默认 30
+                - max_retries: 最大重试次数，默认 3
+                - proxy_url: 代理地址 (可选)
+            name: 服务名称
+        """
+        super().__init__(EmailServiceType.CLOUD_MAIL, name)
+
+        required_keys = ["base_url", "admin_email", "admin_password"]
+        missing_keys = [key for key in required_keys if not (config or {}).get(key)]
+        if missing_keys:
+            raise ValueError(f"缺少必需配置: {missing_keys}")
+
+        default_config = {
+            "timeout": 30,
+            "max_retries": 3,
+            "proxy_url": None,
+        }
+        self.config = {**default_config, **(config or {})}
+        self.config["base_url"] = self.config["base_url"].rstrip("/")
+
+        # 创建 requests session
+        self.session = requests.Session()
+        self.session.headers.update({
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+        })
+        
+        # 初始化类级别的锁（线程安全）
+        if CloudMailService._token_lock is None:
+            import threading
+            CloudMailService._token_lock = threading.Lock()
+            CloudMailService._seen_ids_lock = threading.Lock()
+
+        # 缓存邮箱信息（实例级别）
+        self._created_emails: Dict[str, Dict[str, Any]] = {}
+
+    def _generate_token(self) -> str:
+        """
+        生成身份令牌
+
+        Returns:
+            token 字符串
+
+        Raises:
+            EmailServiceError: 生成失败
+        """
+        url = f"{self.config['base_url']}/api/public/genToken"
+        payload = {
+            "email": self.config["admin_email"],
+            "password": self.config["admin_password"]
+        }
+
+        try:
+            response = self.session.post(
+                url, 
+                json=payload, 
+                timeout=self.config["timeout"]
+            )
+
+            if response.status_code >= 400:
+                error_msg = f"生成 token 失败: {response.status_code}"
+                try:
+                    error_data = response.json()
+                    error_msg = f"{error_msg} - {error_data}"
+                except Exception:
+                    error_msg = f"{error_msg} - {response.text[:200]}"
+                raise EmailServiceError(error_msg)
+
+            data = response.json()
+            if data.get("code") != 200:
+                raise EmailServiceError(f"生成 token 失败: {data.get('message', 'Unknown error')}")
+
+            token = data.get("data", {}).get("token")
+            if not token:
+                raise EmailServiceError("生成 token 失败: 未返回 token")
+
+            return token
+
+        except requests.RequestException as e:
+            self.update_status(False, e)
+            raise EmailServiceError(f"生成 token 失败: {e}")
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"生成 token 失败: {e}")
+
+    def _get_token(self, force_refresh: bool = False) -> str:
+        """
+        获取有效的 token（带缓存，所有实例共享）
+
+        Args:
+            force_refresh: 是否强制刷新
+
+        Returns:
+            token 字符串
+        """
+        base_url = self.config["base_url"]
+        
+        with CloudMailService._token_lock:
+            # 检查共享缓存���token 有效期设为 1 小时）
+            if not force_refresh and base_url in CloudMailService._shared_tokens:
+                token, expires_at = CloudMailService._shared_tokens[base_url]
+                if time.time() < expires_at:
+                    return token
+
+            # 生成新 token
+            token = self._generate_token()
+            expires_at = time.time() + 3600  # 1 小时后过期
+            CloudMailService._shared_tokens[base_url] = (token, expires_at)
+            return token
+
+    def _get_headers(self, token: Optional[str] = None) -> Dict[str, str]:
+        """构造请求头"""
+        if token is None:
+            token = self._get_token()
+
+        return {
+            "Authorization": token,
+            "Content-Type": "application/json",
+            "Accept": "application/json",
+        }
+
+    def _make_request(
+        self,
+        method: str,
+        path: str,
+        retry_on_auth_error: bool = True,
+        **kwargs
+    ) -> Any:
+        """
+        发送请求并返回 JSON 数据
+
+        Args:
+            method: HTTP 方法
+            path: 请求路径（以 / 开头）
+            retry_on_auth_error: 认证失败时是否重试
+            **kwargs: 传递给 requests 的额外参数
+
+        Returns:
+            响应 JSON 数据
+
+        Raises:
+            EmailServiceError: 请求失败
+        """
+        url = f"{self.config['base_url']}{path}"
+        kwargs.setdefault("headers", {})
+        kwargs["headers"].update(self._get_headers())
+        kwargs.setdefault("timeout", self.config["timeout"])
+
+        try:
+            response = self.session.request(method, url, **kwargs)
+
+            if response.status_code >= 400:
+                # 如果是认证错误且允许重试，刷新 token 后重试一次
+                if response.status_code == 401 and retry_on_auth_error:
+                    logger.warning("Cloud Mail 认证失败，尝试刷新 token")
+                    kwargs["headers"].update(self._get_headers(self._get_token(force_refresh=True)))
+                    response = self.session.request(method, url, **kwargs)
+
+                if response.status_code >= 400:
+                    error_msg = f"请求失败: {response.status_code}"
+                    try:
+                        error_data = response.json()
+                        error_msg = f"{error_msg} - {error_data}"
+                    except Exception:
+                        error_msg = f"{error_msg} - {response.text[:200]}"
+                    self.update_status(False, EmailServiceError(error_msg))
+                    raise EmailServiceError(error_msg)
+
+            try:
+                return response.json()
+            except Exception:
+                return {"raw_response": response.text}
+
+        except requests.RequestException as e:
+            self.update_status(False, e)
+            raise EmailServiceError(f"请求失败: {method} {path} - {e}")
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"请求失败: {method} {path} - {e}")
+
+    def _generate_email_address(self, prefix: Optional[str] = None, domain: Optional[str] = None, subdomain: Optional[str] = None) -> str:
+        """
+        生成邮箱地址
+
+        Args:
+            prefix: 邮箱前缀，如果不提供则随机生成
+            domain: 指定域名，如果不提供则从配置中选择
+            subdomain: 子域名，可选参数，会插入到 @ 和域名之间
+
+        Returns:
+            完整的邮箱地址
+        """
+        if not prefix:
+            # 生成随机前缀：首字母 + 9位随机字符（共10位）
+            first = random.choice(string.ascii_lowercase)
+            rest = "".join(random.choices(string.ascii_lowercase + string.digits, k=9))
+            prefix = f"{first}{rest}"
+
+        # 如果没有指定域名，从配置中获取
+        if not domain:
+            domain_config = self.config.get("domain")
+            if not domain_config:
+                raise EmailServiceError("未配置邮箱域名，无法生成邮箱地址")
+            
+            # 支持多个域名（列表）或单个域名（字符串）
+            if isinstance(domain_config, list):
+                if not domain_config:
+                    raise EmailServiceError("域名列表为空")
+                # 随机选择一个域名
+                domain = random.choice(domain_config)
+            else:
+                domain = domain_config
+
+        # 如果提供了子域，插入到域名前面
+        if subdomain:
+            domain = f"{subdomain}.{domain}"
+
+        return f"{prefix}@{domain}"
+
+    def _generate_password(self, length: int = 12) -> str:
+        """生成随机密码"""
+        alphabet = string.ascii_letters + string.digits
+        return "".join(random.choices(alphabet, k=length))
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """
+        创建新邮箱地址
+
+        Args:
+            config: 配置参数:
+                - name: 邮箱前缀（可选）
+                - password: 邮箱密码（可选，不提供则自动生成）
+                - domain: 邮箱域名（可选，覆盖默认域名）
+                - subdomain: 子域名（可选），会插入到 @ 和域名之间，例如 subdomain="test" 会生成 xxx@test.example.com
+
+        Returns:
+            包含邮箱信息的字典:
+            - email: 邮箱地址
+            - service_id: 邮箱地址（用作标识）
+            - password: 邮箱密码
+        """
+        req_config = config or {}
+
+        # 生成邮箱地址
+        prefix = req_config.get("name")
+        specified_domain = req_config.get("domain")
+        subdomain = req_config.get("subdomain") or self.config.get("subdomain")
+        
+        if specified_domain:
+            email_address = self._generate_email_address(prefix, specified_domain, subdomain)
+        else:
+            email_address = self._generate_email_address(prefix, subdomain=subdomain)
+
+        # 生成或使用提供的密码
+        password = req_config.get("password") or self._generate_password()
+
+        # 直接生成邮箱信息（catch-all 域名无需预先创建）
+        email_info = {
+            "email": email_address,
+            "service_id": email_address,
+            "id": email_address,
+            "password": password,
+            "created_at": time.time(),
+        }
+
+        # 缓存邮箱信息
+        self._created_emails[email_address] = email_info
+        self.update_status(True)
+        
+        logger.info(f"生成 CloudMail 邮箱: {email_address}")
+        return email_info
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        pattern: str = OTP_CODE_PATTERN,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """
+        从 Cloud Mail 邮箱获取验证码
+
+        Args:
+            email: 邮箱地址
+            email_id: 未使用，保留接口兼容
+            timeout: 超时时间（秒）
+            pattern: 验证码正则
+            otp_sent_at: OTP 发送时间戳
+
+        Returns:
+            验证码字符串，超时返回 None
+        """
+        start_time = time.time()
+        
+        # 每次调用时，记录本次查询开始前已存在的邮件ID
+        # 这样可以支持同一个邮箱多次接收验证码（注册+OAuth）
+        initial_seen_ids = set()
+        with CloudMailService._seen_ids_lock:
+            if email not in CloudMailService._shared_seen_email_ids:
+                CloudMailService._shared_seen_email_ids[email] = set()
+            else:
+                # 记录本次查询开始前的已处理邮件
+                initial_seen_ids = CloudMailService._shared_seen_email_ids[email].copy()
+        
+        # 本次查询中新处理的邮件ID（仅在本次查询中有效）
+        current_seen_ids = set()
+        
+        check_count = 0
+
+        while time.time() - start_time < timeout:
+            try:
+                check_count += 1
+                
+                # 查询邮件列表
+                url_path = "/api/public/emailList"
+                payload = {
+                    "toEmail": email,
+                    "timeSort": "desc"  # 最新的邮件优先
+                }
+
+                result = self._make_request("POST", url_path, json=payload)
+
+                if result.get("code") != 200:
+                    time.sleep(3)
+                    continue
+
+                emails = result.get("data", [])
+                if not isinstance(emails, list):
+                    time.sleep(3)
+                    continue
+
+                for email_item in emails:
+                    email_id = email_item.get("emailId")
+                    
+                    if not email_id:
+                        continue
+                    
+                    # 跳过本次查询开始前已存在的邮件
+                    if email_id in initial_seen_ids:
+                        continue
+                    
+                    # 跳过本次查询中已处理的邮件（防止同一轮查询重复处理）
+                    if email_id in current_seen_ids:
+                        continue
+                    
+                    # 标记为本次已处理
+                    current_seen_ids.add(email_id)
+                    
+                    # 同时更新全局已处理列表（防止其他并发任务重复处理）
+                    with CloudMailService._seen_ids_lock:
+                        CloudMailService._shared_seen_email_ids[email].add(email_id)
+                    
+                    sender_email = str(email_item.get("sendEmail", "")).lower()
+                    sender_name = str(email_item.get("sendName", "")).lower()
+                    subject = str(email_item.get("subject", ""))
+                    to_email = email_item.get("toEmail", "")
+                    
+                    # 检查收件人是否匹配
+                    if to_email != email:
+                        continue
+                    
+                    if "openai" not in sender_email and "openai" not in sender_name:
+                        continue
+
+                    # 从主题提取
+                    match = re.search(pattern, subject)
+                    if match:
+                        code = match.group(1)
+                        self.update_status(True)
+                        return code
+
+                    # 从内容提取
+                    content = str(email_item.get("content", ""))
+                    if content:
+                        clean_content = re.sub(r"<[^>]+>", " ", content)
+                        email_pattern = r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
+                        clean_content = re.sub(email_pattern, "", clean_content)
+                        
+                        match = re.search(pattern, clean_content)
+                        if match:
+                            code = match.group(1)
+                            self.update_status(True)
+                            return code
+
+            except Exception as e:
+                # 如果是认证错误，强制刷新token
+                if "401" in str(e) or "认证" in str(e):
+                    try:
+                        self._get_token(force_refresh=True)
+                    except Exception:
+                        pass
+                logger.error(f"检查邮件时出错: {e}", exc_info=True)
+
+            time.sleep(3)
+
+        # 超时
+        logger.warning(f"等待验证码超时: {email}")
+        return None
+
+    def list_emails(self, **kwargs) -> List[Dict[str, Any]]:
+        """
+        列出已创建的邮箱（从缓存中获取）
+
+        Returns:
+            邮箱列表
+        """
+        return list(self._created_emails.values())
+
+    def delete_email(self, email_id: str) -> bool:
+        """
+        删除邮箱（Cloud Mail API 不支持删除用户，仅从缓存中移除）
+
+        Args:
+            email_id: 邮箱地址
+
+        Returns:
+            是否删除成功
+        """
+        if email_id in self._created_emails:
+            del self._created_emails[email_id]
+            return True
+
+        return False
+
+    def check_health(self) -> bool:
+        """检查服务健康状态"""
+        try:
+            # 尝试生成 token
+            self._get_token(force_refresh=True)
+            self.update_status(True)
+            return True
+        except Exception as e:
+            logger.warning(f"Cloud Mail 健康检查失败: {e}")
+            self.update_status(False, e)
+            return False
+
+    def get_email_messages(self, email_id: str, **kwargs) -> List[Dict[str, Any]]:
+        """
+        获取邮箱中的邮件列表
+
+        Args:
+            email_id: 邮箱地址
+            **kwargs: 额外参数（如 timeSort）
+
+        Returns:
+            邮件列表
+        """
+        try:
+            url_path = "/api/public/emailList"
+            payload = {
+                "toEmail": email_id,
+                "timeSort": kwargs.get("timeSort", "desc")
+            }
+
+            result = self._make_request("POST", url_path, json=payload)
+
+            if result.get("code") != 200:
+                logger.warning(f"获取邮件列表失败: {result.get('message')}")
+                return []
+
+            self.update_status(True)
+            return result.get("data", [])
+
+        except Exception as e:
+            logger.error(f"获取 Cloud Mail 邮件列表失败: {email_id} - {e}")
+            self.update_status(False, e)
+            return []
+
+    def get_service_info(self) -> Dict[str, Any]:
+        """获取服务信息"""
+        return {
+            "service_type": self.service_type.value,
+            "name": self.name,
+            "base_url": self.config["base_url"],
+            "admin_email": self.config["admin_email"],
+            "domain": self.config.get("domain"),
+            "subdomain": self.config.get("subdomain"),
+            "cached_emails_count": len(self._created_emails),
+            "status": self.status.value,
+        }

src/services/duck_mail.py

@@ -0,0 +1,366 @@
+"""
+DuckMail 邮箱服务实现
+兼容 DuckMail 的 accounts/token/messages 接口模型
+"""
+
+import logging
+import random
+import re
+import string
+import time
+from datetime import datetime, timezone
+from html import unescape
+from typing import Any, Dict, List, Optional
+
+from .base import BaseEmailService, EmailServiceError, EmailServiceType
+from ..config.constants import OTP_CODE_PATTERN
+from ..core.http_client import HTTPClient, RequestConfig
+
+
+logger = logging.getLogger(__name__)
+
+
+class DuckMailService(BaseEmailService):
+    """DuckMail 邮箱服务"""
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        super().__init__(EmailServiceType.DUCK_MAIL, name)
+
+        required_keys = ["base_url", "default_domain"]
+        missing_keys = [key for key in required_keys if not (config or {}).get(key)]
+        if missing_keys:
+            raise ValueError(f"缺少必需配置: {missing_keys}")
+
+        default_config = {
+            "api_key": "",
+            "password_length": 12,
+            "expires_in": None,
+            "timeout": 30,
+            "max_retries": 3,
+            "proxy_url": None,
+        }
+        self.config = {**default_config, **(config or {})}
+        self.config["base_url"] = str(self.config["base_url"]).rstrip("/")
+        self.config["default_domain"] = str(self.config["default_domain"]).strip().lstrip("@")
+
+        http_config = RequestConfig(
+            timeout=self.config["timeout"],
+            max_retries=self.config["max_retries"],
+        )
+        self.http_client = HTTPClient(
+            proxy_url=self.config.get("proxy_url"),
+            config=http_config,
+        )
+
+        self._accounts_by_id: Dict[str, Dict[str, Any]] = {}
+        self._accounts_by_email: Dict[str, Dict[str, Any]] = {}
+
+    def _build_headers(
+        self,
+        token: Optional[str] = None,
+        use_api_key: bool = False,
+        extra_headers: Optional[Dict[str, str]] = None,
+    ) -> Dict[str, str]:
+        headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+        }
+
+        auth_token = token
+        if not auth_token and use_api_key and self.config.get("api_key"):
+            auth_token = self.config["api_key"]
+
+        if auth_token:
+            headers["Authorization"] = f"Bearer {auth_token}"
+
+        if extra_headers:
+            headers.update(extra_headers)
+
+        return headers
+
+    def _make_request(
+        self,
+        method: str,
+        path: str,
+        token: Optional[str] = None,
+        use_api_key: bool = False,
+        **kwargs,
+    ) -> Dict[str, Any]:
+        url = f"{self.config['base_url']}{path}"
+        kwargs["headers"] = self._build_headers(
+            token=token,
+            use_api_key=use_api_key,
+            extra_headers=kwargs.get("headers"),
+        )
+
+        try:
+            response = self.http_client.request(method, url, **kwargs)
+            if response.status_code >= 400:
+                error_message = f"API 请求失败: {response.status_code}"
+                try:
+                    error_payload = response.json()
+                    error_message = f"{error_message} - {error_payload}"
+                except Exception:
+                    error_message = f"{error_message} - {response.text[:200]}"
+                raise EmailServiceError(error_message)
+
+            try:
+                return response.json()
+            except Exception:
+                return {"raw_response": response.text}
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"请求失败: {method} {path} - {e}")
+
+    def _generate_local_part(self) -> str:
+        first = random.choice(string.ascii_lowercase)
+        rest = "".join(random.choices(string.ascii_lowercase + string.digits, k=7))
+        return f"{first}{rest}"
+
+    def _generate_password(self) -> str:
+        length = max(6, int(self.config.get("password_length") or 12))
+        alphabet = string.ascii_letters + string.digits
+        return "".join(random.choices(alphabet, k=length))
+
+    def _cache_account(self, account_info: Dict[str, Any]) -> None:
+        account_id = str(account_info.get("account_id") or account_info.get("service_id") or "").strip()
+        email = str(account_info.get("email") or "").strip().lower()
+
+        if account_id:
+            self._accounts_by_id[account_id] = account_info
+        if email:
+            self._accounts_by_email[email] = account_info
+
+    def _get_account_info(self, email: Optional[str] = None, email_id: Optional[str] = None) -> Optional[Dict[str, Any]]:
+        if email_id:
+            cached = self._accounts_by_id.get(str(email_id))
+            if cached:
+                return cached
+
+        if email:
+            cached = self._accounts_by_email.get(str(email).strip().lower())
+            if cached:
+                return cached
+
+        return None
+
+    def _strip_html(self, html_content: Any) -> str:
+        if isinstance(html_content, list):
+            html_content = "\n".join(str(item) for item in html_content if item)
+        text = str(html_content or "")
+        return unescape(re.sub(r"<[^>]+>", " ", text))
+
+    def _parse_message_time(self, value: Optional[str]) -> Optional[float]:
+        if not value:
+            return None
+        try:
+            normalized = value.replace("Z", "+00:00")
+            return datetime.fromisoformat(normalized).astimezone(timezone.utc).timestamp()
+        except Exception:
+            return None
+
+    def _message_search_text(self, summary: Dict[str, Any], detail: Dict[str, Any]) -> str:
+        sender = summary.get("from") or detail.get("from") or {}
+        if isinstance(sender, dict):
+            sender_text = " ".join(
+                str(sender.get(key) or "") for key in ("name", "address")
+            ).strip()
+        else:
+            sender_text = str(sender)
+
+        subject = str(summary.get("subject") or detail.get("subject") or "")
+        text_body = str(detail.get("text") or "")
+        html_body = self._strip_html(detail.get("html"))
+        return "\n".join(part for part in [sender_text, subject, text_body, html_body] if part).strip()
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        request_config = config or {}
+        local_part = str(request_config.get("name") or self._generate_local_part()).strip()
+        domain = str(request_config.get("default_domain") or request_config.get("domain") or self.config["default_domain"]).strip().lstrip("@")
+        address = f"{local_part}@{domain}"
+        password = self._generate_password()
+
+        payload: Dict[str, Any] = {
+            "address": address,
+            "password": password,
+        }
+
+        expires_in = request_config.get("expiresIn", request_config.get("expires_in", self.config.get("expires_in")))
+        if expires_in is not None:
+            payload["expiresIn"] = expires_in
+
+        account_response = self._make_request(
+            "POST",
+            "/accounts",
+            json=payload,
+            use_api_key=bool(self.config.get("api_key")),
+        )
+        token_response = self._make_request(
+            "POST",
+            "/token",
+            json={
+                "address": account_response.get("address", address),
+                "password": password,
+            },
+        )
+
+        account_id = str(account_response.get("id") or token_response.get("id") or "").strip()
+        resolved_address = str(account_response.get("address") or address).strip()
+        token = str(token_response.get("token") or "").strip()
+
+        if not account_id or not resolved_address or not token:
+            raise EmailServiceError("DuckMail 返回数据不完整")
+
+        email_info = {
+            "email": resolved_address,
+            "service_id": account_id,
+            "id": account_id,
+            "account_id": account_id,
+            "token": token,
+            "password": password,
+            "created_at": time.time(),
+            "raw_account": account_response,
+        }
+
+        self._cache_account(email_info)
+        self.update_status(True)
+        return email_info
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        pattern: str = OTP_CODE_PATTERN,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        account_info = self._get_account_info(email=email, email_id=email_id)
+        if not account_info:
+            logger.warning(f"DuckMail 未找到邮箱缓存: {email}, {email_id}")
+            return None
+
+        token = account_info.get("token")
+        if not token:
+            logger.warning(f"DuckMail 邮箱缺少访问 token: {email}")
+            return None
+
+        start_time = time.time()
+        seen_message_ids = set()
+
+        while time.time() - start_time < timeout:
+            try:
+                response = self._make_request(
+                    "GET",
+                    "/messages",
+                    token=token,
+                    params={"page": 1},
+                )
+                messages = response.get("hydra:member", [])
+
+                for message in messages:
+                    message_id = str(message.get("id") or "").strip()
+                    if not message_id or message_id in seen_message_ids:
+                        continue
+
+                    created_at = self._parse_message_time(message.get("createdAt"))
+                    if otp_sent_at and created_at and created_at + 1 < otp_sent_at:
+                        continue
+
+                    seen_message_ids.add(message_id)
+                    detail = self._make_request(
+                        "GET",
+                        f"/messages/{message_id}",
+                        token=token,
+                    )
+
+                    content = self._message_search_text(message, detail)
+                    if "openai" not in content.lower():
+                        continue
+
+                    match = re.search(pattern, content)
+                    if match:
+                        self.update_status(True)
+                        return match.group(1)
+            except Exception as e:
+                logger.debug(f"DuckMail 轮询验证码失败: {e}")
+
+            time.sleep(3)
+
+        return None
+
+    def list_emails(self, **kwargs) -> List[Dict[str, Any]]:
+        return list(self._accounts_by_email.values())
+
+    def delete_email(self, email_id: str) -> bool:
+        account_info = self._get_account_info(email_id=email_id) or self._get_account_info(email=email_id)
+        if not account_info:
+            return False
+
+        token = account_info.get("token")
+        account_id = account_info.get("account_id") or account_info.get("service_id")
+        if not token or not account_id:
+            return False
+
+        try:
+            self._make_request(
+                "DELETE",
+                f"/accounts/{account_id}",
+                token=token,
+            )
+            self._accounts_by_id.pop(str(account_id), None)
+            self._accounts_by_email.pop(str(account_info.get("email") or "").lower(), None)
+            self.update_status(True)
+            return True
+        except Exception as e:
+            logger.warning(f"DuckMail 删除邮箱失败: {e}")
+            self.update_status(False, e)
+            return False
+
+    def check_health(self) -> bool:
+        try:
+            self._make_request(
+                "GET",
+                "/domains",
+                params={"page": 1},
+                use_api_key=bool(self.config.get("api_key")),
+            )
+            self.update_status(True)
+            return True
+        except Exception as e:
+            logger.warning(f"DuckMail 健康检查失败: {e}")
+            self.update_status(False, e)
+            return False
+
+    def get_email_messages(self, email_id: str, **kwargs) -> List[Dict[str, Any]]:
+        account_info = self._get_account_info(email_id=email_id) or self._get_account_info(email=email_id)
+        if not account_info or not account_info.get("token"):
+            return []
+        response = self._make_request(
+            "GET",
+            "/messages",
+            token=account_info["token"],
+            params={"page": kwargs.get("page", 1)},
+        )
+        return response.get("hydra:member", [])
+
+    def get_message_detail(self, email_id: str, message_id: str) -> Optional[Dict[str, Any]]:
+        account_info = self._get_account_info(email_id=email_id) or self._get_account_info(email=email_id)
+        if not account_info or not account_info.get("token"):
+            return None
+        return self._make_request(
+            "GET",
+            f"/messages/{message_id}",
+            token=account_info["token"],
+        )
+
+    def get_service_info(self) -> Dict[str, Any]:
+        return {
+            "service_type": self.service_type.value,
+            "name": self.name,
+            "base_url": self.config["base_url"],
+            "default_domain": self.config["default_domain"],
+            "cached_accounts": len(self._accounts_by_email),
+            "status": self.status.value,
+        }

src/services/freemail.py

@@ -0,0 +1,324 @@
+"""
+Freemail 邮箱服务实现
+基于自部署 Cloudflare Worker 临时邮箱服务 (https://github.com/idinging/freemail)
+"""
+
+import re
+import time
+import logging
+import random
+import string
+from typing import Optional, Dict, Any, List
+
+from .base import BaseEmailService, EmailServiceError, EmailServiceType
+from ..core.http_client import HTTPClient, RequestConfig
+from ..config.constants import OTP_CODE_PATTERN
+
+logger = logging.getLogger(__name__)
+
+
+class FreemailService(BaseEmailService):
+    """
+    Freemail 邮箱服务
+    基于自部署 Cloudflare Worker 的临时邮箱
+    """
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        """
+        初始化 Freemail 服务
+
+        Args:
+            config: 配置字典，支持以下键:
+                - base_url: Worker 域名地址 (必需)
+                - admin_token: Admin Token，对应 JWT_TOKEN (必需)
+                - domain: 邮箱域名，如 example.com
+                - timeout: 请求超时时间，默认 30
+                - max_retries: 最大重试次数，默认 3
+            name: 服务名称
+        """
+        super().__init__(EmailServiceType.FREEMAIL, name)
+
+        required_keys = ["base_url", "admin_token"]
+        missing_keys = [key for key in required_keys if not (config or {}).get(key)]
+        if missing_keys:
+            raise ValueError(f"缺少必需配置: {missing_keys}")
+
+        default_config = {
+            "timeout": 30,
+            "max_retries": 3,
+        }
+        self.config = {**default_config, **(config or {})}
+        self.config["base_url"] = self.config["base_url"].rstrip("/")
+
+        http_config = RequestConfig(
+            timeout=self.config["timeout"],
+            max_retries=self.config["max_retries"],
+        )
+        self.http_client = HTTPClient(proxy_url=None, config=http_config)
+
+        # 缓存 domain 列表
+        self._domains = []
+
+    def _get_headers(self) -> Dict[str, str]:
+        """构造 admin 请求头"""
+        return {
+            "Authorization": f"Bearer {self.config['admin_token']}",
+            "Content-Type": "application/json",
+            "Accept": "application/json",
+        }
+
+    def _make_request(self, method: str, path: str, **kwargs) -> Any:
+        """
+        发送请求并返回 JSON 数据
+
+        Args:
+            method: HTTP 方法
+            path: 请求路径（以 / 开头）
+            **kwargs: 传递给 http_client.request 的额外参数
+
+        Returns:
+            响应 JSON 数据
+
+        Raises:
+            EmailServiceError: 请求失败
+        """
+        url = f"{self.config['base_url']}{path}"
+        kwargs.setdefault("headers", {})
+        kwargs["headers"].update(self._get_headers())
+
+        try:
+            response = self.http_client.request(method, url, **kwargs)
+
+            if response.status_code >= 400:
+                error_msg = f"请求失败: {response.status_code}"
+                try:
+                    error_data = response.json()
+                    error_msg = f"{error_msg} - {error_data}"
+                except Exception:
+                    error_msg = f"{error_msg} - {response.text[:200]}"
+                self.update_status(False, EmailServiceError(error_msg))
+                raise EmailServiceError(error_msg)
+
+            try:
+                return response.json()
+            except Exception:
+                return {"raw_response": response.text}
+
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"请求失败: {method} {path} - {e}")
+
+    def _ensure_domains(self):
+        """获取并缓存可用域名列表"""
+        if not self._domains:
+            try:
+                domains = self._make_request("GET", "/api/domains")
+                if isinstance(domains, list):
+                    self._domains = domains
+            except Exception as e:
+                logger.warning(f"获取 Freemail 域名列表失败: {e}")
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """
+        通过 API 创建临时邮箱
+
+        Returns:
+            包含邮箱信息的字典:
+            - email: 邮箱地址
+            - service_id: 同 email（用作标识）
+        """
+        self._ensure_domains()
+        
+        req_config = config or {}
+        domain_index = 0
+        target_domain = req_config.get("domain") or self.config.get("domain")
+        
+        if target_domain and self._domains:
+            for i, d in enumerate(self._domains):
+                if d == target_domain:
+                    domain_index = i
+                    break
+                    
+        prefix = req_config.get("name")
+        try:
+            if prefix:
+                body = {
+                    "local": prefix,
+                    "domainIndex": domain_index
+                }
+                resp = self._make_request("POST", "/api/create", json=body)
+            else:
+                params = {"domainIndex": domain_index}
+                length = req_config.get("length")
+                if length:
+                    params["length"] = length
+                resp = self._make_request("GET", "/api/generate", params=params)
+
+            email = resp.get("email")
+            if not email:
+                raise EmailServiceError(f"创建邮箱失败，未返回邮箱地址: {resp}")
+
+            email_info = {
+                "email": email,
+                "service_id": email,
+                "id": email,
+                "created_at": time.time(),
+            }
+
+            logger.info(f"成功创建 Freemail 邮箱: {email}")
+            self.update_status(True)
+            return email_info
+
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"创建邮箱失败: {e}")
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        pattern: str = OTP_CODE_PATTERN,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """
+        从 Freemail 邮箱获取验证码
+
+        Args:
+            email: 邮箱地址
+            email_id: 未使用，保留接口兼容
+            timeout: 超时时间（秒）
+            pattern: 验证码正则
+            otp_sent_at: OTP 发送时间戳（暂未使用）
+
+        Returns:
+            验证码字符串，超时返回 None
+        """
+        logger.info(f"正在从 Freemail 邮箱 {email} 获取验证码...")
+
+        start_time = time.time()
+        seen_mail_ids: set = set()
+
+        while time.time() - start_time < timeout:
+            try:
+                mails = self._make_request("GET", "/api/emails", params={"mailbox": email, "limit": 20})
+                if not isinstance(mails, list):
+                    time.sleep(3)
+                    continue
+
+                for mail in mails:
+                    mail_id = mail.get("id")
+                    if not mail_id or mail_id in seen_mail_ids:
+                        continue
+
+                    seen_mail_ids.add(mail_id)
+
+                    sender = str(mail.get("sender", "")).lower()
+                    subject = str(mail.get("subject", ""))
+                    preview = str(mail.get("preview", ""))
+                    
+                    content = f"{sender}\n{subject}\n{preview}"
+                    
+                    if "openai" not in content.lower():
+                        continue
+
+                    # 尝试直接使用 Freemail 提取的验证码
+                    v_code = mail.get("verification_code")
+                    if v_code:
+                        logger.info(f"从 Freemail 邮箱 {email} 找到验证码: {v_code}")
+                        self.update_status(True)
+                        return v_code
+
+                    # 如果没有直接提供，通过正则匹配 preview
+                    match = re.search(pattern, content)
+                    if match:
+                        code = match.group(1)
+                        logger.info(f"从 Freemail 邮箱 {email} 找到验证码: {code}")
+                        self.update_status(True)
+                        return code
+
+                    # 如果依然未找到，获取邮件详情进行匹配
+                    try:
+                        detail = self._make_request("GET", f"/api/email/{mail_id}")
+                        full_content = str(detail.get("content", "")) + "\n" + str(detail.get("html_content", ""))
+                        match = re.search(pattern, full_content)
+                        if match:
+                            code = match.group(1)
+                            logger.info(f"从 Freemail 邮箱 {email} 找到验证码: {code}")
+                            self.update_status(True)
+                            return code
+                    except Exception as e:
+                        logger.debug(f"获取 Freemail 邮件详情失败: {e}")
+
+            except Exception as e:
+                logger.debug(f"检查 Freemail 邮件时出错: {e}")
+
+            time.sleep(3)
+
+        logger.warning(f"等待 Freemail 验证码超时: {email}")
+        return None
+
+    def list_emails(self, **kwargs) -> List[Dict[str, Any]]:
+        """
+        列出邮箱
+
+        Args:
+            **kwargs: 额外查询参数
+
+        Returns:
+            邮箱列表
+        """
+        try:
+            params = {
+                "limit": kwargs.get("limit", 100),
+                "offset": kwargs.get("offset", 0)
+            }
+            resp = self._make_request("GET", "/api/mailboxes", params=params)
+            
+            emails = []
+            if isinstance(resp, list):
+                for mail in resp:
+                    address = mail.get("address")
+                    if address:
+                        emails.append({
+                            "id": address,
+                            "service_id": address,
+                            "email": address,
+                            "created_at": mail.get("created_at"),
+                            "raw_data": mail
+                        })
+            self.update_status(True)
+            return emails
+        except Exception as e:
+            logger.warning(f"列出 Freemail 邮箱失败: {e}")
+            self.update_status(False, e)
+            return []
+
+    def delete_email(self, email_id: str) -> bool:
+        """
+        删除邮箱
+        """
+        try:
+            self._make_request("DELETE", "/api/mailboxes", params={"address": email_id})
+            logger.info(f"已删除 Freemail 邮箱: {email_id}")
+            self.update_status(True)
+            return True
+        except Exception as e:
+            logger.warning(f"删除 Freemail 邮箱失败: {e}")
+            self.update_status(False, e)
+            return False
+
+    def check_health(self) -> bool:
+        """检查服务健康状态"""
+        try:
+            self._make_request("GET", "/api/domains")
+            self.update_status(True)
+            return True
+        except Exception as e:
+            logger.warning(f"Freemail 健康检查失败: {e}")
+            self.update_status(False, e)
+            return False

src/services/imap_mail.py

@@ -0,0 +1,217 @@
+"""
+IMAP 邮箱服务
+支持 Gmail / QQ / 163 / Yahoo / Outlook 等标准 IMAP 协议邮件服务商。
+仅用于接收验证码，强制直连（imaplib 不支持代理）。
+"""
+
+import imaplib
+import email
+import re
+import time
+import logging
+from email.header import decode_header
+from typing import Any, Dict, Optional
+
+from .base import BaseEmailService, EmailServiceError
+from ..config.constants import (
+    EmailServiceType,
+    OPENAI_EMAIL_SENDERS,
+    OTP_CODE_SEMANTIC_PATTERN,
+    OTP_CODE_PATTERN,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class ImapMailService(BaseEmailService):
+    """标准 IMAP 邮箱服务（仅接收验证码，强制直连）"""
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        super().__init__(EmailServiceType.IMAP_MAIL, name)
+
+        cfg = config or {}
+        required_keys = ["host", "email", "password"]
+        missing_keys = [k for k in required_keys if not cfg.get(k)]
+        if missing_keys:
+            raise ValueError(f"缺少必需配置: {missing_keys}")
+
+        self.host: str = str(cfg["host"]).strip()
+        self.port: int = int(cfg.get("port", 993))
+        self.use_ssl: bool = bool(cfg.get("use_ssl", True))
+        self.email_addr: str = str(cfg["email"]).strip()
+        self.password: str = str(cfg["password"])
+        self.timeout: int = int(cfg.get("timeout", 30))
+        self.max_retries: int = int(cfg.get("max_retries", 3))
+
+    def _connect(self) -> imaplib.IMAP4:
+        """建立 IMAP 连接并登录，返回 mail 对象"""
+        if self.use_ssl:
+            mail = imaplib.IMAP4_SSL(self.host, self.port)
+        else:
+            mail = imaplib.IMAP4(self.host, self.port)
+            mail.starttls()
+        mail.login(self.email_addr, self.password)
+        return mail
+
+    def _decode_str(self, value) -> str:
+        """解码邮件头部字段"""
+        if value is None:
+            return ""
+        parts = decode_header(value)
+        decoded = []
+        for part, charset in parts:
+            if isinstance(part, bytes):
+                decoded.append(part.decode(charset or "utf-8", errors="replace"))
+            else:
+                decoded.append(str(part))
+        return " ".join(decoded)
+
+    def _get_text_body(self, msg) -> str:
+        """提取邮件纯文本内容"""
+        body = ""
+        if msg.is_multipart():
+            for part in msg.walk():
+                if part.get_content_type() == "text/plain":
+                    charset = part.get_content_charset() or "utf-8"
+                    payload = part.get_payload(decode=True)
+                    if payload:
+                        body += payload.decode(charset, errors="replace")
+        else:
+            charset = msg.get_content_charset() or "utf-8"
+            payload = msg.get_payload(decode=True)
+            if payload:
+                body = payload.decode(charset, errors="replace")
+        return body
+
+    def _is_openai_sender(self, from_addr: str) -> bool:
+        """判断发件人是否为 OpenAI"""
+        from_lower = from_addr.lower()
+        for sender in OPENAI_EMAIL_SENDERS:
+            if sender.startswith("@") or sender.startswith("."):
+                if sender in from_lower:
+                    return True
+            else:
+                if sender in from_lower:
+                    return True
+        return False
+
+    def _extract_otp(self, text: str) -> Optional[str]:
+        """从文本中提取 6 位验证码，优先语义匹配，回退简单匹配"""
+        match = re.search(OTP_CODE_SEMANTIC_PATTERN, text, re.IGNORECASE)
+        if match:
+            return match.group(1)
+        match = re.search(OTP_CODE_PATTERN, text)
+        if match:
+            return match.group(1)
+        return None
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """IMAP 模式不创建新邮箱，直接返回配置中的固定地址"""
+        self.update_status(True)
+        return {
+            "email": self.email_addr,
+            "service_id": self.email_addr,
+            "id": self.email_addr,
+        }
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 60,
+        pattern: str = None,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """轮询 IMAP 收件箱，获取 OpenAI 验证码"""
+        start_time = time.time()
+        seen_ids: set = set()
+        mail = None
+
+        try:
+            mail = self._connect()
+            mail.select("INBOX")
+
+            while time.time() - start_time < timeout:
+                try:
+                    # 搜索所有未读邮件
+                    status, data = mail.search(None, "UNSEEN")
+                    if status != "OK" or not data or not data[0]:
+                        time.sleep(3)
+                        continue
+
+                    msg_ids = data[0].split()
+                    for msg_id in reversed(msg_ids):  # 最新的优先
+                        id_str = msg_id.decode()
+                        if id_str in seen_ids:
+                            continue
+                        seen_ids.add(id_str)
+
+                        # 获取邮件
+                        status, msg_data = mail.fetch(msg_id, "(RFC822)")
+                        if status != "OK" or not msg_data:
+                            continue
+
+                        raw = msg_data[0][1]
+                        msg = email.message_from_bytes(raw)
+
+                        # 检查发件人
+                        from_addr = self._decode_str(msg.get("From", ""))
+                        if not self._is_openai_sender(from_addr):
+                            continue
+
+                        # 提取验证码
+                        body = self._get_text_body(msg)
+                        code = self._extract_otp(body)
+                        if code:
+                            # 标记已读
+                            mail.store(msg_id, "+FLAGS", "\\Seen")
+                            self.update_status(True)
+                            logger.info(f"IMAP 获取验证码成功: {code}")
+                            return code
+
+                except imaplib.IMAP4.error as e:
+                    logger.debug(f"IMAP 搜索邮件失败: {e}")
+                    # 尝试重新连接
+                    try:
+                        mail.select("INBOX")
+                    except Exception:
+                        pass
+
+                time.sleep(3)
+
+        except Exception as e:
+            logger.warning(f"IMAP 连接/轮询失败: {e}")
+            self.update_status(False, str(e))
+        finally:
+            if mail:
+                try:
+                    mail.logout()
+                except Exception:
+                    pass
+
+        return None
+
+    def check_health(self) -> bool:
+        """尝试 IMAP 登录并选择收件箱"""
+        mail = None
+        try:
+            mail = self._connect()
+            status, _ = mail.select("INBOX")
+            return status == "OK"
+        except Exception as e:
+            logger.warning(f"IMAP 健康检查失败: {e}")
+            return False
+        finally:
+            if mail:
+                try:
+                    mail.logout()
+                except Exception:
+                    pass
+
+    def list_emails(self, **kwargs) -> list:
+        """IMAP 单账号模式，返回固定地址"""
+        return [{"email": self.email_addr, "id": self.email_addr}]
+
+    def delete_email(self, email_id: str) -> bool:
+        """IMAP 模式无需删除逻辑"""
+        return True

src/services/moe_mail.py

@@ -0,0 +1,556 @@
+"""
+自定义域名邮箱服务实现
+基于 email.md 中的 REST API 接口
+"""
+
+import re
+import time
+import json
+import logging
+from typing import Optional, Dict, Any, List
+from urllib.parse import urljoin
+
+from .base import BaseEmailService, EmailServiceError, EmailServiceType
+from ..core.http_client import HTTPClient, RequestConfig
+from ..config.constants import OTP_CODE_PATTERN
+
+
+logger = logging.getLogger(__name__)
+
+
+class MeoMailEmailService(BaseEmailService):
+    """
+    自定义域名邮箱服务
+    基于 REST API 接口
+    """
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        """
+        初始化自定义域名邮箱服务
+
+        Args:
+            config: 配置字典，支持以下键:
+                - base_url: API 基础地址 (必需)
+                - api_key: API 密钥 (必需)
+                - api_key_header: API 密钥请求头名称 (默认: X-API-Key)
+                - timeout: 请求超时时间 (默认: 30)
+                - max_retries: 最大重试次数 (默认: 3)
+                - proxy_url: 代理 URL
+                - default_domain: 默认域名
+                - default_expiry: 默认过期时间（毫秒）
+            name: 服务名称
+        """
+        super().__init__(EmailServiceType.MOE_MAIL, name)
+
+        # 必需配置检查
+        required_keys = ["base_url", "api_key"]
+        missing_keys = [key for key in required_keys if key not in (config or {})]
+
+        if missing_keys:
+            raise ValueError(f"缺少必需配置: {missing_keys}")
+
+        # 默认配置
+        default_config = {
+            "base_url": "",
+            "api_key": "",
+            "api_key_header": "X-API-Key",
+            "timeout": 30,
+            "max_retries": 3,
+            "proxy_url": None,
+            "default_domain": None,
+            "default_expiry": 3600000,  # 1小时
+        }
+
+        self.config = {**default_config, **(config or {})}
+
+        # 创建 HTTP 客户端
+        http_config = RequestConfig(
+            timeout=self.config["timeout"],
+            max_retries=self.config["max_retries"],
+        )
+        self.http_client = HTTPClient(
+            proxy_url=self.config.get("proxy_url"),
+            config=http_config
+        )
+
+        # 状态变量
+        self._emails_cache: Dict[str, Dict[str, Any]] = {}
+        self._last_config_check: float = 0
+        self._cached_config: Optional[Dict[str, Any]] = None
+
+    def _get_headers(self) -> Dict[str, str]:
+        """获取 API 请求头"""
+        headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+        }
+
+        # 添加 API 密钥
+        api_key_header = self.config.get("api_key_header", "X-API-Key")
+        headers[api_key_header] = self.config["api_key"]
+
+        return headers
+
+    def _make_request(self, method: str, endpoint: str, **kwargs) -> Dict[str, Any]:
+        """
+        发送 API 请求
+
+        Args:
+            method: HTTP 方法
+            endpoint: API 端点
+            **kwargs: 请求参数
+
+        Returns:
+            响应 JSON 数据
+
+        Raises:
+            EmailServiceError: 请求失败
+        """
+        url = urljoin(self.config["base_url"], endpoint)
+
+        # 添加默认请求头
+        kwargs.setdefault("headers", {})
+        kwargs["headers"].update(self._get_headers())
+
+        try:
+            # POST 请求禁用自动重定向，手动处理以保持 POST 方法（避免 HTTP→HTTPS 重定向时被转为 GET）
+            if method.upper() == "POST":
+                kwargs["allow_redirects"] = False
+                response = self.http_client.request(method, url, **kwargs)
+                # 处理重定向
+                max_redirects = 5
+                redirect_count = 0
+                while response.status_code in (301, 302, 303, 307, 308) and redirect_count < max_redirects:
+                    location = response.headers.get("Location", "")
+                    if not location:
+                        break
+                    import urllib.parse as _urlparse
+                    redirect_url = _urlparse.urljoin(url, location)
+                    # 307/308 保持 POST，其余（301/302/303）转为 GET
+                    if response.status_code in (307, 308):
+                        redirect_method = method
+                        redirect_kwargs = kwargs
+                    else:
+                        redirect_method = "GET"
+                        # GET 不传 body
+                        redirect_kwargs = {k: v for k, v in kwargs.items() if k not in ("json", "data")}
+                    response = self.http_client.request(redirect_method, redirect_url, **redirect_kwargs)
+                    url = redirect_url
+                    redirect_count += 1
+            else:
+                response = self.http_client.request(method, url, **kwargs)
+
+            if response.status_code >= 400:
+                error_msg = f"API 请求失败: {response.status_code}"
+                try:
+                    error_data = response.json()
+                    error_msg = f"{error_msg} - {error_data}"
+                except:
+                    error_msg = f"{error_msg} - {response.text[:200]}"
+
+                self.update_status(False, EmailServiceError(error_msg))
+                raise EmailServiceError(error_msg)
+
+            # 解析响应
+            try:
+                return response.json()
+            except json.JSONDecodeError:
+                return {"raw_response": response.text}
+
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"API 请求失败: {method} {endpoint} - {e}")
+
+    def get_config(self, force_refresh: bool = False) -> Dict[str, Any]:
+        """
+        获取系统配置
+
+        Args:
+            force_refresh: 是否强制刷新缓存
+
+        Returns:
+            配置信息
+        """
+        # 检查缓存
+        if not force_refresh and self._cached_config and time.time() - self._last_config_check < 300:
+            return self._cached_config
+
+        try:
+            response = self._make_request("GET", "/api/config")
+            self._cached_config = response
+            self._last_config_check = time.time()
+            self.update_status(True)
+            return response
+        except Exception as e:
+            logger.warning(f"获取配置失败: {e}")
+            return {}
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """
+        创建临时邮箱
+
+        Args:
+            config: 配置参数:
+                - name: 邮箱前缀（可选）
+                - expiryTime: 有效期（毫秒）（可选）
+                - domain: 邮箱域名（可选）
+
+        Returns:
+            包含邮箱信息的字典:
+            - email: 邮箱地址
+            - service_id: 邮箱 ID
+            - id: 邮箱 ID（同 service_id）
+            - expiry: 过期时间信息
+        """
+        # 获取默认配置
+        sys_config = self.get_config()
+        default_domain = self.config.get("default_domain")
+        if not default_domain and sys_config.get("emailDomains"):
+            # 使用系统配置的第一个域名
+            domains = sys_config["emailDomains"].split(",")
+            default_domain = domains[0].strip() if domains else None
+
+        # 构建请求参数
+        request_config = config or {}
+        create_data = {
+            "name": request_config.get("name", ""),
+            "expiryTime": request_config.get("expiryTime", self.config.get("default_expiry", 3600000)),
+            "domain": request_config.get("domain", default_domain),
+        }
+
+        # 移除空值
+        create_data = {k: v for k, v in create_data.items() if v is not None and v != ""}
+
+        try:
+            response = self._make_request("POST", "/api/emails/generate", json=create_data)
+
+            email = response.get("email", "").strip()
+            email_id = response.get("id", "").strip()
+
+            if not email or not email_id:
+                raise EmailServiceError("API 返回数据不完整")
+
+            email_info = {
+                "email": email,
+                "service_id": email_id,
+                "id": email_id,
+                "created_at": time.time(),
+                "expiry": create_data.get("expiryTime"),
+                "domain": create_data.get("domain"),
+                "raw_response": response,
+            }
+
+            # 缓存邮箱信息
+            self._emails_cache[email_id] = email_info
+
+            logger.info(f"成功创建自定义域名邮箱: {email} (ID: {email_id})")
+            self.update_status(True)
+            return email_info
+
+        except Exception as e:
+            self.update_status(False, e)
+            if isinstance(e, EmailServiceError):
+                raise
+            raise EmailServiceError(f"创建邮箱失败: {e}")
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = 120,
+        pattern: str = OTP_CODE_PATTERN,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """
+        从自定义域名邮箱获取验证码
+
+        Args:
+            email: 邮箱地址
+            email_id: 邮箱 ID（如果不提供，从缓存中查找）
+            timeout: 超时时间（秒）
+            pattern: 验证码正则表达式
+            otp_sent_at: OTP 发送时间戳（自定义域名服务暂不使用此参数）
+
+        Returns:
+            验证码字符串，如果超时或未找到返回 None
+        """
+        # 查找邮箱 ID
+        target_email_id = email_id
+        if not target_email_id:
+            # 从缓存中查找
+            for eid, info in self._emails_cache.items():
+                if info.get("email") == email:
+                    target_email_id = eid
+                    break
+
+        if not target_email_id:
+            logger.warning(f"未找到邮箱 {email} 的 ID，无法获取验证码")
+            return None
+
+        logger.info(f"正在从自定义域名邮箱 {email} 获取验证码...")
+
+        start_time = time.time()
+        seen_message_ids = set()
+
+        while time.time() - start_time < timeout:
+            try:
+                # 获取邮件列表
+                response = self._make_request("GET", f"/api/emails/{target_email_id}")
+
+                messages = response.get("messages", [])
+                if not isinstance(messages, list):
+                    time.sleep(3)
+                    continue
+
+                for message in messages:
+                    message_id = message.get("id")
+                    if not message_id or message_id in seen_message_ids:
+                        continue
+
+                    seen_message_ids.add(message_id)
+
+                    # 检查是否是目标邮件
+                    sender = str(message.get("from_address", "")).lower()
+                    subject = str(message.get("subject", ""))
+
+                    # 获取邮件内容
+                    message_content = self._get_message_content(target_email_id, message_id)
+                    if not message_content:
+                        continue
+
+                    content = f"{sender} {subject} {message_content}"
+
+                    # 检查是否是 OpenAI 邮件
+                    if "openai" not in sender and "openai" not in content.lower():
+                        continue
+
+                    # 提取验证码 过滤掉邮箱
+                    email_pattern = r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
+                    match = re.search(pattern, re.sub(email_pattern, "", content))
+                    if match:
+                        code = match.group(1)
+                        logger.info(f"从自定义域名邮箱 {email} 找到验证码: {code}")
+                        self.update_status(True)
+                        return code
+
+            except Exception as e:
+                logger.debug(f"检查邮件时出错: {e}")
+
+            # 等待一段时间再检查
+            time.sleep(3)
+
+        logger.warning(f"等待验证码超时: {email}")
+        return None
+
+    def _get_message_content(self, email_id: str, message_id: str) -> Optional[str]:
+        """获取邮件内容"""
+        try:
+            response = self._make_request("GET", f"/api/emails/{email_id}/{message_id}")
+            message = response.get("message", {})
+
+            # 优先使用纯文本内容，其次使用 HTML 内容
+            content = message.get("content", "")
+            if not content:
+                html = message.get("html", "")
+                if html:
+                    # 简单去除 HTML 标签
+                    content = re.sub(r"<[^>]+>", " ", html)
+
+            return content
+        except Exception as e:
+            logger.debug(f"获取邮件内容失败: {e}")
+            return None
+
+    def list_emails(self, cursor: str = None, **kwargs) -> List[Dict[str, Any]]:
+        """
+        列出所有邮箱
+
+        Args:
+            cursor: 分页游标
+            **kwargs: 其他参数
+
+        Returns:
+            邮箱列表
+        """
+        params = {}
+        if cursor:
+            params["cursor"] = cursor
+
+        try:
+            response = self._make_request("GET", "/api/emails", params=params)
+            emails = response.get("emails", [])
+
+            # 更新缓存
+            for email_info in emails:
+                email_id = email_info.get("id")
+                if email_id:
+                    self._emails_cache[email_id] = email_info
+
+            self.update_status(True)
+            return emails
+        except Exception as e:
+            logger.warning(f"列出邮箱失败: {e}")
+            self.update_status(False, e)
+            return []
+
+    def delete_email(self, email_id: str) -> bool:
+        """
+        删除邮箱
+
+        Args:
+            email_id: 邮箱 ID
+
+        Returns:
+            是否删除成功
+        """
+        try:
+            response = self._make_request("DELETE", f"/api/emails/{email_id}")
+            success = response.get("success", False)
+
+            if success:
+                # 从缓存中移除
+                self._emails_cache.pop(email_id, None)
+                logger.info(f"成功删除邮箱: {email_id}")
+            else:
+                logger.warning(f"删除邮箱失败: {email_id}")
+
+            self.update_status(success)
+            return success
+
+        except Exception as e:
+            logger.error(f"删除邮箱失败: {email_id} - {e}")
+            self.update_status(False, e)
+            return False
+
+    def check_health(self) -> bool:
+        """检查自定义域名邮箱服务是否可用"""
+        try:
+            # 尝试获取配置
+            config = self.get_config(force_refresh=True)
+            if config:
+                logger.debug(f"自定义域名邮箱服务健康检查通过，配置: {config.get('defaultRole', 'N/A')}")
+                self.update_status(True)
+                return True
+            else:
+                logger.warning("自定义域名邮箱服务健康检查失败：获取配置为空")
+                self.update_status(False, EmailServiceError("获取配置为空"))
+                return False
+        except Exception as e:
+            logger.warning(f"自定义域名邮箱服务健康检查失败: {e}")
+            self.update_status(False, e)
+            return False
+
+    def get_email_messages(self, email_id: str, cursor: str = None) -> List[Dict[str, Any]]:
+        """
+        获取邮箱中的邮件列表
+
+        Args:
+            email_id: 邮箱 ID
+            cursor: 分页游标
+
+        Returns:
+            邮件列表
+        """
+        params = {}
+        if cursor:
+            params["cursor"] = cursor
+
+        try:
+            response = self._make_request("GET", f"/api/emails/{email_id}", params=params)
+            messages = response.get("messages", [])
+            self.update_status(True)
+            return messages
+        except Exception as e:
+            logger.error(f"获取邮件列表失败: {email_id} - {e}")
+            self.update_status(False, e)
+            return []
+
+    def get_message_detail(self, email_id: str, message_id: str) -> Optional[Dict[str, Any]]:
+        """
+        获取邮件详情
+
+        Args:
+            email_id: 邮箱 ID
+            message_id: 邮件 ID
+
+        Returns:
+            邮件详情
+        """
+        try:
+            response = self._make_request("GET", f"/api/emails/{email_id}/{message_id}")
+            message = response.get("message")
+            self.update_status(True)
+            return message
+        except Exception as e:
+            logger.error(f"获取邮件详情失败: {email_id}/{message_id} - {e}")
+            self.update_status(False, e)
+            return None
+
+    def create_email_share(self, email_id: str, expires_in: int = 86400000) -> Optional[Dict[str, Any]]:
+        """
+        创建邮箱分享链接
+
+        Args:
+            email_id: 邮箱 ID
+            expires_in: 有效期（毫秒）
+
+        Returns:
+            分享信息
+        """
+        try:
+            response = self._make_request(
+                "POST",
+                f"/api/emails/{email_id}/share",
+                json={"expiresIn": expires_in}
+            )
+            self.update_status(True)
+            return response
+        except Exception as e:
+            logger.error(f"创建邮箱分享链接失败: {email_id} - {e}")
+            self.update_status(False, e)
+            return None
+
+    def create_message_share(
+        self,
+        email_id: str,
+        message_id: str,
+        expires_in: int = 86400000
+    ) -> Optional[Dict[str, Any]]:
+        """
+        创建邮件分享链接
+
+        Args:
+            email_id: 邮箱 ID
+            message_id: 邮件 ID
+            expires_in: 有效期（毫秒）
+
+        Returns:
+            分享信息
+        """
+        try:
+            response = self._make_request(
+                "POST",
+                f"/api/emails/{email_id}/messages/{message_id}/share",
+                json={"expiresIn": expires_in}
+            )
+            self.update_status(True)
+            return response
+        except Exception as e:
+            logger.error(f"创建邮件分享链接失败: {email_id}/{message_id} - {e}")
+            self.update_status(False, e)
+            return None
+
+    def get_service_info(self) -> Dict[str, Any]:
+        """获取服务信息"""
+        config = self.get_config()
+        return {
+            "service_type": self.service_type.value,
+            "name": self.name,
+            "base_url": self.config["base_url"],
+            "default_domain": self.config.get("default_domain"),
+            "system_config": config,
+            "cached_emails_count": len(self._emails_cache),
+            "status": self.status.value,
+        }

src/services/outlook/__init__.py

@@ -0,0 +1,8 @@
+"""
+Outlook 邮箱服务模块
+支持多种 IMAP/API 连接方式，自动故障切换
+"""
+
+from .service import OutlookService
+
+__all__ = ['OutlookService']

src/services/outlook/account.py

@@ -0,0 +1,51 @@
+"""
+Outlook 账户数据类
+"""
+
+from dataclasses import dataclass
+from typing import Dict, Any, Optional
+
+
+@dataclass
+class OutlookAccount:
+    """Outlook 账户信息"""
+    email: str
+    password: str = ""
+    client_id: str = ""
+    refresh_token: str = ""
+
+    @classmethod
+    def from_config(cls, config: Dict[str, Any]) -> "OutlookAccount":
+        """从配置创建账户"""
+        return cls(
+            email=config.get("email", ""),
+            password=config.get("password", ""),
+            client_id=config.get("client_id", ""),
+            refresh_token=config.get("refresh_token", "")
+        )
+
+    def has_oauth(self) -> bool:
+        """是否支持 OAuth2"""
+        return bool(self.client_id and self.refresh_token)
+
+    def validate(self) -> bool:
+        """验证账户信息是否有效"""
+        return bool(self.email and self.password) or self.has_oauth()
+
+    def to_dict(self, include_sensitive: bool = False) -> Dict[str, Any]:
+        """转换为字典"""
+        result = {
+            "email": self.email,
+            "has_oauth": self.has_oauth(),
+        }
+        if include_sensitive:
+            result.update({
+                "password": self.password,
+                "client_id": self.client_id,
+                "refresh_token": self.refresh_token[:20] + "..." if self.refresh_token else "",
+            })
+        return result
+
+    def __str__(self) -> str:
+        """字符串表示"""
+        return f"OutlookAccount({self.email})"

src/services/outlook/base.py

@@ -0,0 +1,153 @@
+"""
+Outlook 服务基础定义
+包含枚举类型和数据类
+"""
+
+from dataclasses import dataclass, field
+from datetime import datetime
+from enum import Enum
+from typing import Optional, Dict, Any, List
+
+
+class ProviderType(str, Enum):
+    """Outlook 提供者类型"""
+    IMAP_OLD = "imap_old"      # 旧版 IMAP (outlook.office365.com)
+    IMAP_NEW = "imap_new"      # 新版 IMAP (outlook.live.com)
+    GRAPH_API = "graph_api"    # Microsoft Graph API
+
+
+class TokenEndpoint(str, Enum):
+    """Token 端点"""
+    LIVE = "https://login.live.com/oauth20_token.srf"
+    CONSUMERS = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token"
+    COMMON = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+
+
+class IMAPServer(str, Enum):
+    """IMAP 服务器"""
+    OLD = "outlook.office365.com"
+    NEW = "outlook.live.com"
+
+
+class ProviderStatus(str, Enum):
+    """提供者状态"""
+    HEALTHY = "healthy"        # 健康
+    DEGRADED = "degraded"      # 降级
+    DISABLED = "disabled"      # 禁用
+
+
+@dataclass
+class EmailMessage:
+    """邮件消息数据类"""
+    id: str                                    # 消息 ID
+    subject: str                               # 主题
+    sender: str                                # 发件人
+    recipients: List[str] = field(default_factory=list)  # 收件人列表
+    body: str = ""                             # 正文内容
+    body_preview: str = ""                     # 正文预览
+    received_at: Optional[datetime] = None     # 接收时间
+    received_timestamp: int = 0                # 接收时间戳
+    is_read: bool = False                      # 是否已读
+    has_attachments: bool = False              # 是否有附件
+    raw_data: Optional[bytes] = None           # 原始数据（用于调试）
+
+    def to_dict(self) -> Dict[str, Any]:
+        """转换为字典"""
+        return {
+            "id": self.id,
+            "subject": self.subject,
+            "sender": self.sender,
+            "recipients": self.recipients,
+            "body": self.body,
+            "body_preview": self.body_preview,
+            "received_at": self.received_at.isoformat() if self.received_at else None,
+            "received_timestamp": self.received_timestamp,
+            "is_read": self.is_read,
+            "has_attachments": self.has_attachments,
+        }
+
+
+@dataclass
+class TokenInfo:
+    """Token 信息数据类"""
+    access_token: str
+    expires_at: float              # 过期时间戳
+    token_type: str = "Bearer"
+    scope: str = ""
+    refresh_token: Optional[str] = None
+
+    def is_expired(self, buffer_seconds: int = 120) -> bool:
+        """检查 Token 是否已过期"""
+        import time
+        return time.time() >= (self.expires_at - buffer_seconds)
+
+    @classmethod
+    def from_response(cls, data: Dict[str, Any], scope: str = "") -> "TokenInfo":
+        """从 API 响应创建"""
+        import time
+        return cls(
+            access_token=data.get("access_token", ""),
+            expires_at=time.time() + data.get("expires_in", 3600),
+            token_type=data.get("token_type", "Bearer"),
+            scope=scope or data.get("scope", ""),
+            refresh_token=data.get("refresh_token"),
+        )
+
+
+@dataclass
+class ProviderHealth:
+    """提供者健康状态"""
+    provider_type: ProviderType
+    status: ProviderStatus = ProviderStatus.HEALTHY
+    failure_count: int = 0                       # 连续失败次数
+    last_success: Optional[datetime] = None      # 最后成功时间
+    last_failure: Optional[datetime] = None      # 最后失败时间
+    last_error: str = ""                         # 最后错误信息
+    disabled_until: Optional[datetime] = None    # 禁用截止时间
+
+    def record_success(self):
+        """记录成功"""
+        self.status = ProviderStatus.HEALTHY
+        self.failure_count = 0
+        self.last_success = datetime.now()
+        self.disabled_until = None
+
+    def record_failure(self, error: str):
+        """记录失败"""
+        self.failure_count += 1
+        self.last_failure = datetime.now()
+        self.last_error = error
+
+    def should_disable(self, threshold: int = 3) -> bool:
+        """判断是否应该禁用"""
+        return self.failure_count >= threshold
+
+    def is_disabled(self) -> bool:
+        """检查是否被禁用"""
+        if self.disabled_until and datetime.now() < self.disabled_until:
+            return True
+        return False
+
+    def disable(self, duration_seconds: int = 300):
+        """禁用提供者"""
+        from datetime import timedelta
+        self.status = ProviderStatus.DISABLED
+        self.disabled_until = datetime.now() + timedelta(seconds=duration_seconds)
+
+    def enable(self):
+        """启用提供者"""
+        self.status = ProviderStatus.HEALTHY
+        self.disabled_until = None
+        self.failure_count = 0
+
+    def to_dict(self) -> Dict[str, Any]:
+        """转换为字典"""
+        return {
+            "provider_type": self.provider_type.value,
+            "status": self.status.value,
+            "failure_count": self.failure_count,
+            "last_success": self.last_success.isoformat() if self.last_success else None,
+            "last_failure": self.last_failure.isoformat() if self.last_failure else None,
+            "last_error": self.last_error,
+            "disabled_until": self.disabled_until.isoformat() if self.disabled_until else None,
+        }

src/services/outlook/email_parser.py

@@ -0,0 +1,228 @@
+"""
+邮件解析和验证码提取
+"""
+
+import logging
+import re
+from typing import Optional, List, Dict, Any
+
+from ...config.constants import (
+    OTP_CODE_SIMPLE_PATTERN,
+    OTP_CODE_SEMANTIC_PATTERN,
+    OPENAI_EMAIL_SENDERS,
+    OPENAI_VERIFICATION_KEYWORDS,
+)
+from .base import EmailMessage
+
+
+logger = logging.getLogger(__name__)
+
+
+class EmailParser:
+    """
+    邮件解析器
+    用于识别 OpenAI 验证邮件并提取验证码
+    """
+
+    def __init__(self):
+        # 编译正则表达式
+        self._simple_pattern = re.compile(OTP_CODE_SIMPLE_PATTERN)
+        self._semantic_pattern = re.compile(OTP_CODE_SEMANTIC_PATTERN, re.IGNORECASE)
+
+    def is_openai_verification_email(
+        self,
+        email: EmailMessage,
+        target_email: Optional[str] = None,
+    ) -> bool:
+        """
+        判断是否为 OpenAI 验证邮件
+
+        Args:
+            email: 邮件对象
+            target_email: 目标邮箱地址（用于验证收件人）
+
+        Returns:
+            是否为 OpenAI 验证邮件
+        """
+        sender = email.sender.lower()
+
+        # 1. 发件人必须是 OpenAI
+        if not any(s in sender for s in OPENAI_EMAIL_SENDERS):
+            logger.debug(f"邮件发件人非 OpenAI: {sender}")
+            return False
+
+        # 2. 主题或正文包含验证关键词
+        subject = email.subject.lower()
+        body = email.body.lower()
+        combined = f"{subject} {body}"
+
+        if not any(kw in combined for kw in OPENAI_VERIFICATION_KEYWORDS):
+            logger.debug(f"邮件未包含验证关键词: {subject[:50]}")
+            return False
+
+        # 3. 收件人检查已移除：别名邮件的 IMAP 头中收件人可能不匹配，只靠发件人+关键词判断
+        logger.debug(f"识别为 OpenAI 验证邮件: {subject[:50]}")
+        return True
+
+    def extract_verification_code(
+        self,
+        email: EmailMessage,
+    ) -> Optional[str]:
+        """
+        从邮件中提取验证码
+
+        优先级：
+        1. 从主题提取（6位数字）
+        2. 从正文用语义正则提取（如 "code is 123456"）
+        3. 兜底：任意 6 位数字
+
+        Args:
+            email: 邮件对象
+
+        Returns:
+            验证码字符串，如果未找到返回 None
+        """
+        # 1. 主题优先
+        code = self._extract_from_subject(email.subject)
+        if code:
+            logger.debug(f"从主题提取验证码: {code}")
+            return code
+
+        # 2. 正文语义匹配
+        code = self._extract_semantic(email.body)
+        if code:
+            logger.debug(f"从正文语义提取验证码: {code}")
+            return code
+
+        # 3. 兜底：正文任意 6 位数字
+        code = self._extract_simple(email.body)
+        if code:
+            logger.debug(f"从正文兜底提取验证码: {code}")
+            return code
+
+        return None
+
+    def _extract_from_subject(self, subject: str) -> Optional[str]:
+        """从主题提取验证码"""
+        match = self._simple_pattern.search(subject)
+        if match:
+            return match.group(1)
+        return None
+
+    def _extract_semantic(self, body: str) -> Optional[str]:
+        """语义匹配提取验证码"""
+        match = self._semantic_pattern.search(body)
+        if match:
+            return match.group(1)
+        return None
+
+    def _extract_simple(self, body: str) -> Optional[str]:
+        """简单匹配提取验证码"""
+        match = self._simple_pattern.search(body)
+        if match:
+            return match.group(1)
+        return None
+
+    def find_verification_code_in_emails(
+        self,
+        emails: List[EmailMessage],
+        target_email: Optional[str] = None,
+        min_timestamp: int = 0,
+        used_codes: Optional[set] = None,
+    ) -> Optional[str]:
+        """
+        从邮件列表中查找验证码
+
+        Args:
+            emails: 邮件列表
+            target_email: 目标邮箱地址
+            min_timestamp: 最小时间戳（用于过滤旧邮件）
+            used_codes: 已使用的验证码集合（用于去重）
+
+        Returns:
+            验证码字符串，如果未找到返回 None
+        """
+        used_codes = used_codes or set()
+
+        for email in emails:
+            # 时间戳过滤
+            if min_timestamp > 0 and email.received_timestamp > 0:
+                if email.received_timestamp < min_timestamp:
+                    logger.debug(f"跳过旧邮件: {email.subject[:50]}")
+                    continue
+
+            # 检查是否是 OpenAI 验证邮件
+            if not self.is_openai_verification_email(email, target_email):
+                continue
+
+            # 提取验证码
+            code = self.extract_verification_code(email)
+            if code:
+                # 去重检查
+                if code in used_codes:
+                    logger.debug(f"跳过已使用的验证码: {code}")
+                    continue
+
+                logger.info(
+                    f"[{target_email or 'unknown'}] 找到验证码: {code}, "
+                    f"邮件主题: {email.subject[:30]}"
+                )
+                return code
+
+        return None
+
+    def filter_emails_by_sender(
+        self,
+        emails: List[EmailMessage],
+        sender_patterns: List[str],
+    ) -> List[EmailMessage]:
+        """
+        按发件人过滤邮件
+
+        Args:
+            emails: 邮件列表
+            sender_patterns: 发件人匹配模式列表
+
+        Returns:
+            过滤后的邮件列表
+        """
+        filtered = []
+        for email in emails:
+            sender = email.sender.lower()
+            if any(pattern.lower() in sender for pattern in sender_patterns):
+                filtered.append(email)
+        return filtered
+
+    def filter_emails_by_subject(
+        self,
+        emails: List[EmailMessage],
+        keywords: List[str],
+    ) -> List[EmailMessage]:
+        """
+        按主题关键词过滤邮件
+
+        Args:
+            emails: 邮件列表
+            keywords: 关键词列表
+
+        Returns:
+            过滤后的邮件列表
+        """
+        filtered = []
+        for email in emails:
+            subject = email.subject.lower()
+            if any(kw.lower() in subject for kw in keywords):
+                filtered.append(email)
+        return filtered
+
+
+# 全局解析器实例
+_parser: Optional[EmailParser] = None
+
+
+def get_email_parser() -> EmailParser:
+    """获取全局邮件解析器实例"""
+    global _parser
+    if _parser is None:
+        _parser = EmailParser()
+    return _parser

src/services/outlook/health_checker.py

@@ -0,0 +1,312 @@
+"""
+健康检查和故障切换管理
+"""
+
+import logging
+import threading
+import time
+from datetime import datetime, timedelta
+from typing import Dict, List, Optional, Any
+
+from .base import ProviderType, ProviderHealth, ProviderStatus
+from .providers.base import OutlookProvider
+
+
+logger = logging.getLogger(__name__)
+
+
+class HealthChecker:
+    """
+    健康检查管理器
+    跟踪各提供者的健康状态，管理故障切换
+    """
+
+    def __init__(
+        self,
+        failure_threshold: int = 3,
+        disable_duration: int = 300,
+        recovery_check_interval: int = 60,
+    ):
+        """
+        初始化健康检查器
+
+        Args:
+            failure_threshold: 连续失败次数阈值，超过后禁用
+            disable_duration: 禁用时长（秒）
+            recovery_check_interval: 恢复检查间隔（秒）
+        """
+        self.failure_threshold = failure_threshold
+        self.disable_duration = disable_duration
+        self.recovery_check_interval = recovery_check_interval
+
+        # 提供者健康状态: ProviderType -> ProviderHealth
+        self._health_status: Dict[ProviderType, ProviderHealth] = {}
+        self._lock = threading.Lock()
+
+        # 初始化所有提供者的健康状态
+        for provider_type in ProviderType:
+            self._health_status[provider_type] = ProviderHealth(
+                provider_type=provider_type
+            )
+
+    def get_health(self, provider_type: ProviderType) -> ProviderHealth:
+        """获取提供者的健康状态"""
+        with self._lock:
+            return self._health_status.get(provider_type, ProviderHealth(provider_type=provider_type))
+
+    def record_success(self, provider_type: ProviderType):
+        """记录成功操作"""
+        with self._lock:
+            health = self._health_status.get(provider_type)
+            if health:
+                health.record_success()
+                logger.debug(f"{provider_type.value} 记录成功")
+
+    def record_failure(self, provider_type: ProviderType, error: str):
+        """记录失败操作"""
+        with self._lock:
+            health = self._health_status.get(provider_type)
+            if health:
+                health.record_failure(error)
+
+                # 检查是否需要禁用
+                if health.should_disable(self.failure_threshold):
+                    health.disable(self.disable_duration)
+                    logger.warning(
+                        f"{provider_type.value} 已禁用 {self.disable_duration} 秒，"
+                        f"原因: {error}"
+                    )
+
+    def is_available(self, provider_type: ProviderType) -> bool:
+        """
+        检查提供者是否可用
+
+        Args:
+            provider_type: 提供者类型
+
+        Returns:
+            是否可用
+        """
+        health = self.get_health(provider_type)
+
+        # 检查是否被禁用
+        if health.is_disabled():
+            remaining = (health.disabled_until - datetime.now()).total_seconds()
+            logger.debug(
+                f"{provider_type.value} 已被禁用，剩余 {int(remaining)} 秒"
+            )
+            return False
+
+        return health.status != ProviderStatus.DISABLED
+
+    def get_available_providers(
+        self,
+        priority_order: Optional[List[ProviderType]] = None,
+    ) -> List[ProviderType]:
+        """
+        获取可用的提供者列表
+
+        Args:
+            priority_order: 优先级顺序，默认为 [IMAP_NEW, IMAP_OLD, GRAPH_API]
+
+        Returns:
+            可用的提供者列表
+        """
+        if priority_order is None:
+            priority_order = [
+                ProviderType.IMAP_NEW,
+                ProviderType.IMAP_OLD,
+                ProviderType.GRAPH_API,
+            ]
+
+        available = []
+        for provider_type in priority_order:
+            if self.is_available(provider_type):
+                available.append(provider_type)
+
+        return available
+
+    def get_next_available_provider(
+        self,
+        priority_order: Optional[List[ProviderType]] = None,
+    ) -> Optional[ProviderType]:
+        """
+        获取下一个可用的提供者
+
+        Args:
+            priority_order: 优先级顺序
+
+        Returns:
+            可用的提供者类型，如果没有返回 None
+        """
+        available = self.get_available_providers(priority_order)
+        return available[0] if available else None
+
+    def force_disable(self, provider_type: ProviderType, duration: Optional[int] = None):
+        """
+        强制禁用提供者
+
+        Args:
+            provider_type: 提供者类型
+            duration: 禁用时长（秒），默认使用配置值
+        """
+        with self._lock:
+            health = self._health_status.get(provider_type)
+            if health:
+                health.disable(duration or self.disable_duration)
+                logger.warning(f"{provider_type.value} 已强制禁用")
+
+    def force_enable(self, provider_type: ProviderType):
+        """
+        强制启用提供者
+
+        Args:
+            provider_type: 提供者类型
+        """
+        with self._lock:
+            health = self._health_status.get(provider_type)
+            if health:
+                health.enable()
+                logger.info(f"{provider_type.value} 已启用")
+
+    def get_all_health_status(self) -> Dict[str, Any]:
+        """
+        获取所有提供者的健康状态
+
+        Returns:
+            健康状态字典
+        """
+        with self._lock:
+            return {
+                provider_type.value: health.to_dict()
+                for provider_type, health in self._health_status.items()
+            }
+
+    def check_and_recover(self):
+        """
+        检查并恢复被禁用的提供者
+
+        如果禁用时间已过，自动恢复提供者
+        """
+        with self._lock:
+            for provider_type, health in self._health_status.items():
+                if health.is_disabled():
+                    # 检查是否可以恢复
+                    if health.disabled_until and datetime.now() >= health.disabled_until:
+                        health.enable()
+                        logger.info(f"{provider_type.value} 已自动恢复")
+
+    def reset_all(self):
+        """重置所有提供者的健康状态"""
+        with self._lock:
+            for provider_type in ProviderType:
+                self._health_status[provider_type] = ProviderHealth(
+                    provider_type=provider_type
+                )
+            logger.info("已重置所有提供者的健康状态")
+
+
+class FailoverManager:
+    """
+    故障切换管理器
+    管理提供者之间的自动切换
+    """
+
+    def __init__(
+        self,
+        health_checker: HealthChecker,
+        priority_order: Optional[List[ProviderType]] = None,
+    ):
+        """
+        初始化故障切换管理器
+
+        Args:
+            health_checker: 健康检查器
+            priority_order: 提供者优先级顺序
+        """
+        self.health_checker = health_checker
+        self.priority_order = priority_order or [
+            ProviderType.IMAP_NEW,
+            ProviderType.IMAP_OLD,
+            ProviderType.GRAPH_API,
+        ]
+
+        # 当前使用的提供者索引
+        self._current_index = 0
+        self._lock = threading.Lock()
+
+    def get_current_provider(self) -> Optional[ProviderType]:
+        """
+        获取当前提供者
+
+        Returns:
+            当前提供者类型，如果没有可用的返回 None
+        """
+        available = self.health_checker.get_available_providers(self.priority_order)
+        if not available:
+            return None
+
+        with self._lock:
+            # 尝试使用当前索引
+            if self._current_index < len(available):
+                return available[self._current_index]
+            return available[0]
+
+    def switch_to_next(self) -> Optional[ProviderType]:
+        """
+        切换到下一个提供者
+
+        Returns:
+            下一个提供者类型，如果没有可用的返回 None
+        """
+        available = self.health_checker.get_available_providers(self.priority_order)
+        if not available:
+            return None
+
+        with self._lock:
+            self._current_index = (self._current_index + 1) % len(available)
+            next_provider = available[self._current_index]
+            logger.info(f"切换到提供者: {next_provider.value}")
+            return next_provider
+
+    def on_provider_success(self, provider_type: ProviderType):
+        """
+        提供者成功时调用
+
+        Args:
+            provider_type: 提供者类型
+        """
+        self.health_checker.record_success(provider_type)
+
+        # 重置索引到成功的提供者
+        with self._lock:
+            available = self.health_checker.get_available_providers(self.priority_order)
+            if provider_type in available:
+                self._current_index = available.index(provider_type)
+
+    def on_provider_failure(self, provider_type: ProviderType, error: str):
+        """
+        提供者失败时调用
+
+        Args:
+            provider_type: 提供者类型
+            error: 错误信息
+        """
+        self.health_checker.record_failure(provider_type, error)
+
+    def get_status(self) -> Dict[str, Any]:
+        """
+        获取故障切换状态
+
+        Returns:
+            状态字典
+        """
+        current = self.get_current_provider()
+        return {
+            "current_provider": current.value if current else None,
+            "priority_order": [p.value for p in self.priority_order],
+            "available_providers": [
+                p.value for p in self.health_checker.get_available_providers(self.priority_order)
+            ],
+            "health_status": self.health_checker.get_all_health_status(),
+        }

src/services/outlook/providers/__init__.py

@@ -0,0 +1,29 @@
+"""
+Outlook 提供者模块
+"""
+
+from .base import OutlookProvider, ProviderConfig
+from .imap_old import IMAPOldProvider
+from .imap_new import IMAPNewProvider
+from .graph_api import GraphAPIProvider
+
+__all__ = [
+    'OutlookProvider',
+    'ProviderConfig',
+    'IMAPOldProvider',
+    'IMAPNewProvider',
+    'GraphAPIProvider',
+]
+
+
+# 提供者注册表
+PROVIDER_REGISTRY = {
+    'imap_old': IMAPOldProvider,
+    'imap_new': IMAPNewProvider,
+    'graph_api': GraphAPIProvider,
+}
+
+
+def get_provider_class(provider_type: str):
+    """获取提供者类"""
+    return PROVIDER_REGISTRY.get(provider_type)

src/services/outlook/providers/base.py

@@ -0,0 +1,180 @@
+"""
+Outlook 提供者抽象基类
+"""
+
+import abc
+import logging
+from dataclasses import dataclass
+from typing import Dict, Any, List, Optional
+
+from ..base import ProviderType, EmailMessage, ProviderHealth, ProviderStatus
+from ..account import OutlookAccount
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class ProviderConfig:
+    """提供者配置"""
+    timeout: int = 30
+    max_retries: int = 3
+    proxy_url: Optional[str] = None
+
+    # 健康检查配置
+    health_failure_threshold: int = 3
+    health_disable_duration: int = 300  # 秒
+
+
+class OutlookProvider(abc.ABC):
+    """
+    Outlook 提供者抽象基类
+    定义所有提供者必须实现的接口
+    """
+
+    def __init__(
+        self,
+        account: OutlookAccount,
+        config: Optional[ProviderConfig] = None,
+    ):
+        """
+        初始化提供者
+
+        Args:
+            account: Outlook 账户
+            config: 提供者配置
+        """
+        self.account = account
+        self.config = config or ProviderConfig()
+
+        # 健康状态
+        self._health = ProviderHealth(provider_type=self.provider_type)
+
+        # 连接状态
+        self._connected = False
+        self._last_error: Optional[str] = None
+
+    @property
+    @abc.abstractmethod
+    def provider_type(self) -> ProviderType:
+        """获取提供者类型"""
+        pass
+
+    @property
+    def health(self) -> ProviderHealth:
+        """获取健康状态"""
+        return self._health
+
+    @property
+    def is_healthy(self) -> bool:
+        """检查是否健康"""
+        return (
+            self._health.status == ProviderStatus.HEALTHY
+            and not self._health.is_disabled()
+        )
+
+    @property
+    def is_connected(self) -> bool:
+        """检查是否已连接"""
+        return self._connected
+
+    @abc.abstractmethod
+    def connect(self) -> bool:
+        """
+        连接到服务
+
+        Returns:
+            是否连接成功
+        """
+        pass
+
+    @abc.abstractmethod
+    def disconnect(self):
+        """断开连接"""
+        pass
+
+    @abc.abstractmethod
+    def get_recent_emails(
+        self,
+        count: int = 20,
+        only_unseen: bool = True,
+    ) -> List[EmailMessage]:
+        """
+        获取最近的邮件
+
+        Args:
+            count: 获取数量
+            only_unseen: 是否只获取未读
+
+        Returns:
+            邮件列表
+        """
+        pass
+
+    @abc.abstractmethod
+    def test_connection(self) -> bool:
+        """
+        测试连接是否正常
+
+        Returns:
+            连接是否正常
+        """
+        pass
+
+    def record_success(self):
+        """记录成功操作"""
+        self._health.record_success()
+        self._last_error = None
+        logger.debug(f"[{self.account.email}] {self.provider_type.value} 操作成功")
+
+    def record_failure(self, error: str):
+        """记录失败操作"""
+        self._health.record_failure(error)
+        self._last_error = error
+
+        # 检查是否需要禁用
+        if self._health.should_disable(self.config.health_failure_threshold):
+            self._health.disable(self.config.health_disable_duration)
+            logger.warning(
+                f"[{self.account.email}] {self.provider_type.value} 已禁用 "
+                f"{self.config.health_disable_duration} 秒，原因: {error}"
+            )
+        else:
+            logger.warning(
+                f"[{self.account.email}] {self.provider_type.value} 操作失败 "
+                f"({self._health.failure_count}/{self.config.health_failure_threshold}): {error}"
+            )
+
+    def check_health(self) -> bool:
+        """
+        检查健康状态
+
+        Returns:
+            是否健康可用
+        """
+        # 检查是否被禁用
+        if self._health.is_disabled():
+            logger.debug(
+                f"[{self.account.email}] {self.provider_type.value} 已被禁用，"
+                f"将在 {self._health.disabled_until} 后恢复"
+            )
+            return False
+
+        return self._health.status in (ProviderStatus.HEALTHY, ProviderStatus.DEGRADED)
+
+    def __enter__(self):
+        """上下文管理器入口"""
+        self.connect()
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        """上下文管理器出口"""
+        self.disconnect()
+        return False
+
+    def __str__(self) -> str:
+        """字符串表示"""
+        return f"{self.__class__.__name__}({self.account.email})"
+
+    def __repr__(self) -> str:
+        return self.__str__()

src/services/outlook/providers/graph_api.py

@@ -0,0 +1,250 @@
+"""
+Graph API 提供者
+使用 Microsoft Graph REST API
+"""
+
+import json
+import logging
+from typing import List, Optional
+from datetime import datetime
+
+from curl_cffi import requests as _requests
+
+from ..base import ProviderType, EmailMessage
+from ..account import OutlookAccount
+from ..token_manager import TokenManager
+from .base import OutlookProvider, ProviderConfig
+
+
+logger = logging.getLogger(__name__)
+
+
+class GraphAPIProvider(OutlookProvider):
+    """
+    Graph API 提供者
+    使用 Microsoft Graph REST API 获取邮件
+    需要 graph.microsoft.com/.default scope
+    """
+
+    # Graph API 端点
+    GRAPH_API_BASE = "https://graph.microsoft.com/v1.0"
+    MESSAGES_ENDPOINT = "/me/mailFolders/inbox/messages"
+
+    @property
+    def provider_type(self) -> ProviderType:
+        return ProviderType.GRAPH_API
+
+    def __init__(
+        self,
+        account: OutlookAccount,
+        config: Optional[ProviderConfig] = None,
+    ):
+        super().__init__(account, config)
+
+        # Token 管理器
+        self._token_manager: Optional[TokenManager] = None
+
+        # 注意：Graph API 必须使用 OAuth2
+        if not account.has_oauth():
+            logger.warning(
+                f"[{self.account.email}] Graph API 提供者需要 OAuth2 配置 "
+                f"(client_id + refresh_token)"
+            )
+
+    def connect(self) -> bool:
+        """
+        验证连接（获取 Token）
+
+        Returns:
+            是否连接成功
+        """
+        if not self.account.has_oauth():
+            error = "Graph API 需要 OAuth2 配置"
+            self.record_failure(error)
+            logger.error(f"[{self.account.email}] {error}")
+            return False
+
+        if not self._token_manager:
+            self._token_manager = TokenManager(
+                self.account,
+                ProviderType.GRAPH_API,
+                self.config.proxy_url,
+                self.config.timeout,
+            )
+
+        # 尝试获取 Token
+        token = self._token_manager.get_access_token()
+        if token:
+            self._connected = True
+            self.record_success()
+            logger.info(f"[{self.account.email}] Graph API 连接成功")
+            return True
+
+        return False
+
+    def disconnect(self):
+        """断开连接（清除状态）"""
+        self._connected = False
+
+    def get_recent_emails(
+        self,
+        count: int = 20,
+        only_unseen: bool = True,
+    ) -> List[EmailMessage]:
+        """
+        获取最近的邮件
+
+        Args:
+            count: 获取数量
+            only_unseen: 是否只获取未读
+
+        Returns:
+            邮件列表
+        """
+        if not self._connected:
+            if not self.connect():
+                return []
+
+        try:
+            # 获取 Access Token
+            token = self._token_manager.get_access_token()
+            if not token:
+                self.record_failure("无法获取 Access Token")
+                return []
+
+            # 构建 API 请求
+            url = f"{self.GRAPH_API_BASE}{self.MESSAGES_ENDPOINT}"
+
+            params = {
+                "$top": count,
+                "$select": "id,subject,from,toRecipients,receivedDateTime,isRead,hasAttachments,bodyPreview,body",
+                "$orderby": "receivedDateTime desc",
+            }
+
+            # 只获取未读邮件
+            if only_unseen:
+                params["$filter"] = "isRead eq false"
+
+            # 构建代理配置
+            proxies = None
+            if self.config.proxy_url:
+                proxies = {"http": self.config.proxy_url, "https": self.config.proxy_url}
+
+            # 发送请求（curl_cffi 自动对 params 进行 URL 编码）
+            resp = _requests.get(
+                url,
+                params=params,
+                headers={
+                    "Authorization": f"Bearer {token}",
+                    "Accept": "application/json",
+                    "Prefer": "outlook.body-content-type='text'",
+                },
+                proxies=proxies,
+                timeout=self.config.timeout,
+                impersonate="chrome110",
+            )
+
+            if resp.status_code == 401:
+                # Token 无 Graph 权限（client_id 未授权），清除缓存但不记录健康失败
+                # 避免因权限不足导致健康检查器禁用该提供者，影响其他账户
+                if self._token_manager:
+                    self._token_manager.clear_cache()
+                self._connected = False
+                logger.warning(f"[{self.account.email}] Graph API 返回 401，client_id 可能无 Graph 权限，跳过")
+                return []
+
+            if resp.status_code != 200:
+                error_body = resp.text[:200]
+                self.record_failure(f"HTTP {resp.status_code}: {error_body}")
+                logger.error(f"[{self.account.email}] Graph API 请求失败: HTTP {resp.status_code}")
+                return []
+
+            data = resp.json()
+
+            # 解析邮件
+            messages = data.get("value", [])
+            emails = []
+
+            for msg in messages:
+                try:
+                    email_msg = self._parse_graph_message(msg)
+                    if email_msg:
+                        emails.append(email_msg)
+                except Exception as e:
+                    logger.warning(f"[{self.account.email}] 解析 Graph API 邮件失败: {e}")
+
+            self.record_success()
+            return emails
+
+        except Exception as e:
+            self.record_failure(str(e))
+            logger.error(f"[{self.account.email}] Graph API 获取邮件失败: {e}")
+            return []
+
+    def _parse_graph_message(self, msg: dict) -> Optional[EmailMessage]:
+        """
+        解析 Graph API 消息
+
+        Args:
+            msg: Graph API 消息对象
+
+        Returns:
+            EmailMessage 对象
+        """
+        # 解析发件人
+        from_info = msg.get("from", {})
+        sender_info = from_info.get("emailAddress", {})
+        sender = sender_info.get("address", "")
+
+        # 解析收件人
+        recipients = []
+        for recipient in msg.get("toRecipients", []):
+            addr_info = recipient.get("emailAddress", {})
+            addr = addr_info.get("address", "")
+            if addr:
+                recipients.append(addr)
+
+        # 解析日期
+        received_at = None
+        received_timestamp = 0
+        try:
+            date_str = msg.get("receivedDateTime", "")
+            if date_str:
+                # ISO 8601 格式
+                received_at = datetime.fromisoformat(date_str.replace("Z", "+00:00"))
+                received_timestamp = int(received_at.timestamp())
+        except Exception:
+            pass
+
+        # 获取正文
+        body_info = msg.get("body", {})
+        body = body_info.get("content", "")
+        body_preview = msg.get("bodyPreview", "")
+
+        return EmailMessage(
+            id=msg.get("id", ""),
+            subject=msg.get("subject", ""),
+            sender=sender,
+            recipients=recipients,
+            body=body,
+            body_preview=body_preview,
+            received_at=received_at,
+            received_timestamp=received_timestamp,
+            is_read=msg.get("isRead", False),
+            has_attachments=msg.get("hasAttachments", False),
+        )
+
+    def test_connection(self) -> bool:
+        """
+        测试 Graph API 连接
+
+        Returns:
+            连接是否正常
+        """
+        try:
+            # 尝试获取一封邮件来测试连接
+            emails = self.get_recent_emails(count=1, only_unseen=False)
+            return True
+        except Exception as e:
+            logger.warning(f"[{self.account.email}] Graph API 连接测试失败: {e}")
+            return False

src/services/outlook/providers/imap_new.py

@@ -0,0 +1,231 @@
+"""
+新版 IMAP 提供者
+使用 outlook.live.com 服务器和 login.microsoftonline.com/consumers Token 端点
+"""
+
+import email
+import imaplib
+import logging
+from email.header import decode_header
+from email.utils import parsedate_to_datetime
+from typing import List, Optional
+
+from ..base import ProviderType, EmailMessage
+from ..account import OutlookAccount
+from ..token_manager import TokenManager
+from .base import OutlookProvider, ProviderConfig
+from .imap_old import IMAPOldProvider
+
+
+logger = logging.getLogger(__name__)
+
+
+class IMAPNewProvider(OutlookProvider):
+    """
+    新版 IMAP 提供者
+    使用 outlook.live.com:993 和 login.microsoftonline.com/consumers Token 端点
+    需要 IMAP.AccessAsUser.All scope
+    """
+
+    # IMAP 服务器配置
+    IMAP_HOST = "outlook.live.com"
+    IMAP_PORT = 993
+
+    @property
+    def provider_type(self) -> ProviderType:
+        return ProviderType.IMAP_NEW
+
+    def __init__(
+        self,
+        account: OutlookAccount,
+        config: Optional[ProviderConfig] = None,
+    ):
+        super().__init__(account, config)
+
+        # IMAP 连接
+        self._conn: Optional[imaplib.IMAP4_SSL] = None
+
+        # Token 管理器
+        self._token_manager: Optional[TokenManager] = None
+
+        # 注意：新版 IMAP 必须使用 OAuth2
+        if not account.has_oauth():
+            logger.warning(
+                f"[{self.account.email}] 新版 IMAP 提供者需要 OAuth2 配置 "
+                f"(client_id + refresh_token)"
+            )
+
+    def connect(self) -> bool:
+        """
+        连接到 IMAP 服务器
+
+        Returns:
+            是否连接成功
+        """
+        if self._connected and self._conn:
+            try:
+                self._conn.noop()
+                return True
+            except Exception:
+                self.disconnect()
+
+        # 新版 IMAP 必须使用 OAuth2，无 OAuth 时静默跳过，不记录健康失败
+        if not self.account.has_oauth():
+            logger.debug(f"[{self.account.email}] 跳过 IMAP_NEW（无 OAuth）")
+            return False
+
+        try:
+            logger.debug(f"[{self.account.email}] 正在连接 IMAP ({self.IMAP_HOST})...")
+
+            # 创建连接
+            self._conn = imaplib.IMAP4_SSL(
+                self.IMAP_HOST,
+                self.IMAP_PORT,
+                timeout=self.config.timeout,
+            )
+
+            # XOAUTH2 认证
+            if self._authenticate_xoauth2():
+                self._connected = True
+                self.record_success()
+                logger.info(f"[{self.account.email}] 新版 IMAP 连接成功 (XOAUTH2)")
+                return True
+
+            return False
+
+        except Exception as e:
+            self.disconnect()
+            self.record_failure(str(e))
+            logger.error(f"[{self.account.email}] 新版 IMAP 连接失败: {e}")
+            return False
+
+    def _authenticate_xoauth2(self) -> bool:
+        """
+        使用 XOAUTH2 认证
+
+        Returns:
+            是否认证成功
+        """
+        if not self._token_manager:
+            self._token_manager = TokenManager(
+                self.account,
+                ProviderType.IMAP_NEW,
+                self.config.proxy_url,
+                self.config.timeout,
+            )
+
+        # 获取 Access Token
+        token = self._token_manager.get_access_token()
+        if not token:
+            logger.error(f"[{self.account.email}] 获取 IMAP Token 失败")
+            return False
+
+        try:
+            # 构建 XOAUTH2 认证字符串
+            auth_string = f"user={self.account.email}\x01auth=Bearer {token}\x01\x01"
+            self._conn.authenticate("XOAUTH2", lambda _: auth_string.encode("utf-8"))
+            return True
+        except Exception as e:
+            logger.error(f"[{self.account.email}] XOAUTH2 认证异常: {e}")
+            # 清除缓存的 Token
+            self._token_manager.clear_cache()
+            return False
+
+    def disconnect(self):
+        """断开 IMAP 连接"""
+        if self._conn:
+            try:
+                self._conn.close()
+            except Exception:
+                pass
+            try:
+                self._conn.logout()
+            except Exception:
+                pass
+            self._conn = None
+
+        self._connected = False
+
+    def get_recent_emails(
+        self,
+        count: int = 20,
+        only_unseen: bool = True,
+    ) -> List[EmailMessage]:
+        """
+        获取最近的邮件
+
+        Args:
+            count: 获取数量
+            only_unseen: 是否只获取未读
+
+        Returns:
+            邮件列表
+        """
+        if not self._connected:
+            if not self.connect():
+                return []
+
+        try:
+            # 选择收件箱
+            self._conn.select("INBOX", readonly=True)
+
+            # 搜索邮件
+            flag = "UNSEEN" if only_unseen else "ALL"
+            status, data = self._conn.search(None, flag)
+
+            if status != "OK" or not data or not data[0]:
+                return []
+
+            # 获取最新的邮件 ID
+            ids = data[0].split()
+            recent_ids = ids[-count:][::-1]
+
+            emails = []
+            for msg_id in recent_ids:
+                try:
+                    email_msg = self._fetch_email(msg_id)
+                    if email_msg:
+                        emails.append(email_msg)
+                except Exception as e:
+                    logger.warning(f"[{self.account.email}] 解析邮件失败 (ID: {msg_id}): {e}")
+
+            return emails
+
+        except Exception as e:
+            self.record_failure(str(e))
+            logger.error(f"[{self.account.email}] 获取邮件失败: {e}")
+            return []
+
+    def _fetch_email(self, msg_id: bytes) -> Optional[EmailMessage]:
+        """获取并解析单封邮件"""
+        status, data = self._conn.fetch(msg_id, "(RFC822)")
+        if status != "OK" or not data or not data[0]:
+            return None
+
+        raw = b""
+        for part in data:
+            if isinstance(part, tuple) and len(part) > 1:
+                raw = part[1]
+                break
+
+        if not raw:
+            return None
+
+        return self._parse_email(raw)
+
+    @staticmethod
+    def _parse_email(raw: bytes) -> EmailMessage:
+        """解析原始邮件"""
+        # 使用旧版提供者的解析方法
+        return IMAPOldProvider._parse_email(raw)
+
+    def test_connection(self) -> bool:
+        """测试 IMAP 连接"""
+        try:
+            with self:
+                self._conn.select("INBOX", readonly=True)
+                self._conn.search(None, "ALL")
+            return True
+        except Exception as e:
+            logger.warning(f"[{self.account.email}] 新版 IMAP 连接测试失败: {e}")
+            return False

src/services/outlook/providers/imap_old.py

@@ -0,0 +1,345 @@
+"""
+旧版 IMAP 提供者
+使用 outlook.office365.com 服务器和 login.live.com Token 端点
+"""
+
+import email
+import imaplib
+import logging
+from email.header import decode_header
+from email.utils import parsedate_to_datetime
+from typing import List, Optional
+
+from ..base import ProviderType, EmailMessage
+from ..account import OutlookAccount
+from ..token_manager import TokenManager
+from .base import OutlookProvider, ProviderConfig
+
+
+logger = logging.getLogger(__name__)
+
+
+class IMAPOldProvider(OutlookProvider):
+    """
+    旧版 IMAP 提供者
+    使用 outlook.office365.com:993 和 login.live.com Token 端点
+    """
+
+    # IMAP 服务器配置
+    IMAP_HOST = "outlook.office365.com"
+    IMAP_PORT = 993
+
+    @property
+    def provider_type(self) -> ProviderType:
+        return ProviderType.IMAP_OLD
+
+    def __init__(
+        self,
+        account: OutlookAccount,
+        config: Optional[ProviderConfig] = None,
+    ):
+        super().__init__(account, config)
+
+        # IMAP 连接
+        self._conn: Optional[imaplib.IMAP4_SSL] = None
+
+        # Token 管理器
+        self._token_manager: Optional[TokenManager] = None
+
+    def connect(self) -> bool:
+        """
+        连接到 IMAP 服务器
+
+        Returns:
+            是否连接成功
+        """
+        if self._connected and self._conn:
+            # 检查现有连接
+            try:
+                self._conn.noop()
+                return True
+            except Exception:
+                self.disconnect()
+
+        try:
+            logger.debug(f"[{self.account.email}] 正在连接 IMAP ({self.IMAP_HOST})...")
+
+            # 创建连接
+            self._conn = imaplib.IMAP4_SSL(
+                self.IMAP_HOST,
+                self.IMAP_PORT,
+                timeout=self.config.timeout,
+            )
+
+            # 尝试 XOAUTH2 认证
+            if self.account.has_oauth():
+                if self._authenticate_xoauth2():
+                    self._connected = True
+                    self.record_success()
+                    logger.info(f"[{self.account.email}] IMAP 连接成功 (XOAUTH2)")
+                    return True
+                else:
+                    logger.warning(f"[{self.account.email}] XOAUTH2 认证失败，尝试密码认证")
+
+            # 密码认证
+            if self.account.password:
+                self._conn.login(self.account.email, self.account.password)
+                self._connected = True
+                self.record_success()
+                logger.info(f"[{self.account.email}] IMAP 连接成功 (密码认证)")
+                return True
+
+            raise ValueError("没有可用的认证方式")
+
+        except Exception as e:
+            self.disconnect()
+            self.record_failure(str(e))
+            logger.error(f"[{self.account.email}] IMAP 连接失败: {e}")
+            return False
+
+    def _authenticate_xoauth2(self) -> bool:
+        """
+        使用 XOAUTH2 认证
+
+        Returns:
+            是否认证成功
+        """
+        if not self._token_manager:
+            self._token_manager = TokenManager(
+                self.account,
+                ProviderType.IMAP_OLD,
+                self.config.proxy_url,
+                self.config.timeout,
+            )
+
+        # 获取 Access Token
+        token = self._token_manager.get_access_token()
+        if not token:
+            return False
+
+        try:
+            # 构建 XOAUTH2 认证字符串
+            auth_string = f"user={self.account.email}\x01auth=Bearer {token}\x01\x01"
+            self._conn.authenticate("XOAUTH2", lambda _: auth_string.encode("utf-8"))
+            return True
+        except Exception as e:
+            logger.debug(f"[{self.account.email}] XOAUTH2 认证异常: {e}")
+            # 清除缓存的 Token
+            self._token_manager.clear_cache()
+            return False
+
+    def disconnect(self):
+        """断开 IMAP 连接"""
+        if self._conn:
+            try:
+                self._conn.close()
+            except Exception:
+                pass
+            try:
+                self._conn.logout()
+            except Exception:
+                pass
+            self._conn = None
+
+        self._connected = False
+
+    def get_recent_emails(
+        self,
+        count: int = 20,
+        only_unseen: bool = True,
+    ) -> List[EmailMessage]:
+        """
+        获取最近的邮件
+
+        Args:
+            count: 获取数量
+            only_unseen: 是否只获取未读
+
+        Returns:
+            邮件列表
+        """
+        if not self._connected:
+            if not self.connect():
+                return []
+
+        try:
+            # 选择收件箱
+            self._conn.select("INBOX", readonly=True)
+
+            # 搜索邮件
+            flag = "UNSEEN" if only_unseen else "ALL"
+            status, data = self._conn.search(None, flag)
+
+            if status != "OK" or not data or not data[0]:
+                return []
+
+            # 获取最新的邮件 ID
+            ids = data[0].split()
+            recent_ids = ids[-count:][::-1]  # 倒序，最新的在前
+
+            emails = []
+            for msg_id in recent_ids:
+                try:
+                    email_msg = self._fetch_email(msg_id)
+                    if email_msg:
+                        emails.append(email_msg)
+                except Exception as e:
+                    logger.warning(f"[{self.account.email}] 解析邮件失败 (ID: {msg_id}): {e}")
+
+            return emails
+
+        except Exception as e:
+            self.record_failure(str(e))
+            logger.error(f"[{self.account.email}] 获取邮件失败: {e}")
+            return []
+
+    def _fetch_email(self, msg_id: bytes) -> Optional[EmailMessage]:
+        """
+        获取并解析单封邮件
+
+        Args:
+            msg_id: 邮件 ID
+
+        Returns:
+            EmailMessage 对象，失败返回 None
+        """
+        status, data = self._conn.fetch(msg_id, "(RFC822)")
+        if status != "OK" or not data or not data[0]:
+            return None
+
+        # 获取原始邮件内容
+        raw = b""
+        for part in data:
+            if isinstance(part, tuple) and len(part) > 1:
+                raw = part[1]
+                break
+
+        if not raw:
+            return None
+
+        return self._parse_email(raw)
+
+    @staticmethod
+    def _parse_email(raw: bytes) -> EmailMessage:
+        """
+        解析原始邮件
+
+        Args:
+            raw: 原始邮件数据
+
+        Returns:
+            EmailMessage 对象
+        """
+        # 移除 BOM
+        if raw.startswith(b"\xef\xbb\xbf"):
+            raw = raw[3:]
+
+        msg = email.message_from_bytes(raw)
+
+        # 解析邮件头
+        subject = IMAPOldProvider._decode_header(msg.get("Subject", ""))
+        sender = IMAPOldProvider._decode_header(msg.get("From", ""))
+        to = IMAPOldProvider._decode_header(msg.get("To", ""))
+        delivered_to = IMAPOldProvider._decode_header(msg.get("Delivered-To", ""))
+        x_original_to = IMAPOldProvider._decode_header(msg.get("X-Original-To", ""))
+        date_str = IMAPOldProvider._decode_header(msg.get("Date", ""))
+
+        # 提取正文
+        body = IMAPOldProvider._extract_body(msg)
+
+        # 解析日期
+        received_timestamp = 0
+        received_at = None
+        try:
+            if date_str:
+                received_at = parsedate_to_datetime(date_str)
+                received_timestamp = int(received_at.timestamp())
+        except Exception:
+            pass
+
+        # 构建收件人列表
+        recipients = [r for r in [to, delivered_to, x_original_to] if r]
+
+        return EmailMessage(
+            id=msg.get("Message-ID", ""),
+            subject=subject,
+            sender=sender,
+            recipients=recipients,
+            body=body,
+            received_at=received_at,
+            received_timestamp=received_timestamp,
+            is_read=False,  # 搜索的是未读邮件
+            raw_data=raw[:500] if len(raw) > 500 else raw,
+        )
+
+    @staticmethod
+    def _decode_header(header: str) -> str:
+        """解码邮件头"""
+        if not header:
+            return ""
+
+        parts = []
+        for chunk, encoding in decode_header(header):
+            if isinstance(chunk, bytes):
+                try:
+                    decoded = chunk.decode(encoding or "utf-8", errors="replace")
+                    parts.append(decoded)
+                except Exception:
+                    parts.append(chunk.decode("utf-8", errors="replace"))
+            else:
+                parts.append(str(chunk))
+
+        return "".join(parts).strip()
+
+    @staticmethod
+    def _extract_body(msg) -> str:
+        """提取邮件正文"""
+        import html as html_module
+        import re
+
+        texts = []
+        parts = msg.walk() if msg.is_multipart() else [msg]
+
+        for part in parts:
+            content_type = part.get_content_type()
+            if content_type not in ("text/plain", "text/html"):
+                continue
+
+            payload = part.get_payload(decode=True)
+            if not payload:
+                continue
+
+            charset = part.get_content_charset() or "utf-8"
+            try:
+                text = payload.decode(charset, errors="replace")
+            except LookupError:
+                text = payload.decode("utf-8", errors="replace")
+
+            # 如果是 HTML，移除标签
+            if "<html" in text.lower():
+                text = re.sub(r"<[^>]+>", " ", text)
+
+            texts.append(text)
+
+        # 合并并清理文本
+        combined = " ".join(texts)
+        combined = html_module.unescape(combined)
+        combined = re.sub(r"\s+", " ", combined).strip()
+
+        return combined
+
+    def test_connection(self) -> bool:
+        """
+        测试 IMAP 连接
+
+        Returns:
+            连接是否正常
+        """
+        try:
+            with self:
+                self._conn.select("INBOX", readonly=True)
+                self._conn.search(None, "ALL")
+            return True
+        except Exception as e:
+            logger.warning(f"[{self.account.email}] IMAP 连接测试失败: {e}")
+            return False

src/services/outlook/service.py

@@ -0,0 +1,487 @@
+"""
+Outlook 邮箱服务主类
+支持多种 IMAP/API 连接方式，自动故障切换
+"""
+
+import logging
+import threading
+import time
+from typing import Optional, Dict, Any, List
+
+from ..base import BaseEmailService, EmailServiceError, EmailServiceStatus, EmailServiceType
+from ...config.constants import EmailServiceType as ServiceType
+from ...config.settings import get_settings
+from .account import OutlookAccount
+from .base import ProviderType, EmailMessage
+from .email_parser import EmailParser, get_email_parser
+from .health_checker import HealthChecker, FailoverManager
+from .providers.base import OutlookProvider, ProviderConfig
+from .providers.imap_old import IMAPOldProvider
+from .providers.imap_new import IMAPNewProvider
+from .providers.graph_api import GraphAPIProvider
+
+
+logger = logging.getLogger(__name__)
+
+
+# 默认提供者优先级
+# IMAP_OLD 最兼容（只需 login.live.com token），IMAP_NEW 次之，Graph API 最后
+# 原因：部分 client_id 没有 Graph API 权限，但有 IMAP 权限
+DEFAULT_PROVIDER_PRIORITY = [
+    ProviderType.IMAP_OLD,
+    ProviderType.IMAP_NEW,
+    ProviderType.GRAPH_API,
+]
+
+
+def get_email_code_settings() -> dict:
+    """获取验证码等待配置"""
+    settings = get_settings()
+    return {
+        "timeout": settings.email_code_timeout,
+        "poll_interval": settings.email_code_poll_interval,
+    }
+
+
+class OutlookService(BaseEmailService):
+    """
+    Outlook 邮箱服务
+    支持多种 IMAP/API 连接方式，自动故障切换
+    """
+
+    def __init__(self, config: Dict[str, Any] = None, name: str = None):
+        """
+        初始化 Outlook 服务
+
+        Args:
+            config: 配置字典，支持以下键:
+                - accounts: Outlook 账户列表
+                - provider_priority: 提供者优先级列表
+                - health_failure_threshold: 连续失败次数阈值
+                - health_disable_duration: 禁用时长（秒）
+                - timeout: 请求超时时间
+                - proxy_url: 代理 URL
+            name: 服务名称
+        """
+        super().__init__(ServiceType.OUTLOOK, name)
+
+        # 默认配置
+        default_config = {
+            "accounts": [],
+            "provider_priority": [p.value for p in DEFAULT_PROVIDER_PRIORITY],
+            "health_failure_threshold": 5,
+            "health_disable_duration": 60,
+            "timeout": 30,
+            "proxy_url": None,
+        }
+
+        self.config = {**default_config, **(config or {})}
+
+        # 解析提供者优先级
+        self.provider_priority = [
+            ProviderType(p) for p in self.config.get("provider_priority", [])
+        ]
+        if not self.provider_priority:
+            self.provider_priority = DEFAULT_PROVIDER_PRIORITY
+
+        # 提供者配置
+        self.provider_config = ProviderConfig(
+            timeout=self.config.get("timeout", 30),
+            proxy_url=self.config.get("proxy_url"),
+            health_failure_threshold=self.config.get("health_failure_threshold", 3),
+            health_disable_duration=self.config.get("health_disable_duration", 300),
+        )
+
+        # 获取默认 client_id（供无 client_id 的账户使用）
+        try:
+            _default_client_id = get_settings().outlook_default_client_id
+        except Exception:
+            _default_client_id = "24d9a0ed-8787-4584-883c-2fd79308940a"
+
+        # 解析账户
+        self.accounts: List[OutlookAccount] = []
+        self._current_account_index = 0
+        self._account_lock = threading.Lock()
+
+        # 支持两种配置格式
+        if "email" in self.config and "password" in self.config:
+            account = OutlookAccount.from_config(self.config)
+            if not account.client_id and _default_client_id:
+                account.client_id = _default_client_id
+            if account.validate():
+                self.accounts.append(account)
+        else:
+            for account_config in self.config.get("accounts", []):
+                account = OutlookAccount.from_config(account_config)
+                if not account.client_id and _default_client_id:
+                    account.client_id = _default_client_id
+                if account.validate():
+                    self.accounts.append(account)
+
+        if not self.accounts:
+            logger.warning("未配置有效的 Outlook 账户")
+
+        # 健康检查器和故障切换管理器
+        self.health_checker = HealthChecker(
+            failure_threshold=self.provider_config.health_failure_threshold,
+            disable_duration=self.provider_config.health_disable_duration,
+        )
+        self.failover_manager = FailoverManager(
+            health_checker=self.health_checker,
+            priority_order=self.provider_priority,
+        )
+
+        # 邮件解析器
+        self.email_parser = get_email_parser()
+
+        # 提供者实例缓存: (email, provider_type) -> OutlookProvider
+        self._providers: Dict[tuple, OutlookProvider] = {}
+        self._provider_lock = threading.Lock()
+
+        # IMAP 连接限制（防止限流）
+        self._imap_semaphore = threading.Semaphore(5)
+
+        # 验证码去重机制
+        self._used_codes: Dict[str, set] = {}
+
+    def _get_provider(
+        self,
+        account: OutlookAccount,
+        provider_type: ProviderType,
+    ) -> OutlookProvider:
+        """
+        获取或创建提供者实例
+
+        Args:
+            account: Outlook 账户
+            provider_type: 提供者类型
+
+        Returns:
+            提供者实例
+        """
+        cache_key = (account.email.lower(), provider_type)
+
+        with self._provider_lock:
+            if cache_key not in self._providers:
+                provider = self._create_provider(account, provider_type)
+                self._providers[cache_key] = provider
+
+            return self._providers[cache_key]
+
+    def _create_provider(
+        self,
+        account: OutlookAccount,
+        provider_type: ProviderType,
+    ) -> OutlookProvider:
+        """
+        创建提供者实例
+
+        Args:
+            account: Outlook 账户
+            provider_type: 提供者类型
+
+        Returns:
+            提供者实例
+        """
+        if provider_type == ProviderType.IMAP_OLD:
+            return IMAPOldProvider(account, self.provider_config)
+        elif provider_type == ProviderType.IMAP_NEW:
+            return IMAPNewProvider(account, self.provider_config)
+        elif provider_type == ProviderType.GRAPH_API:
+            return GraphAPIProvider(account, self.provider_config)
+        else:
+            raise ValueError(f"未知的提供者类型: {provider_type}")
+
+    def _get_provider_priority_for_account(self, account: OutlookAccount) -> List[ProviderType]:
+        """根据账户是否有 OAuth，返回适合的提供者优先级列表"""
+        if account.has_oauth():
+            return self.provider_priority
+        else:
+            # 无 OAuth，直接走旧版 IMAP（密码认证），跳过需要 OAuth 的提供者
+            return [ProviderType.IMAP_OLD]
+
+    def _try_providers_for_emails(
+        self,
+        account: OutlookAccount,
+        count: int = 20,
+        only_unseen: bool = True,
+    ) -> List[EmailMessage]:
+        """
+        尝试多个提供者获取邮件
+
+        Args:
+            account: Outlook 账户
+            count: 获取数量
+            only_unseen: 是否只获取未读
+
+        Returns:
+            邮件列表
+        """
+        errors = []
+
+        # 根据账户类型选择合适的提供者优先级
+        priority = self._get_provider_priority_for_account(account)
+
+        # 按优先级尝试各提供者
+        for provider_type in priority:
+            # 检查提供者是否可用
+            if not self.health_checker.is_available(provider_type):
+                logger.debug(
+                    f"[{account.email}] {provider_type.value} 不可用，跳过"
+                )
+                continue
+
+            try:
+                provider = self._get_provider(account, provider_type)
+
+                with self._imap_semaphore:
+                    with provider:
+                        emails = provider.get_recent_emails(count, only_unseen)
+
+                        if emails:
+                            # 成功获取邮件
+                            self.health_checker.record_success(provider_type)
+                            logger.debug(
+                                f"[{account.email}] {provider_type.value} 获取到 {len(emails)} 封邮件"
+                            )
+                            return emails
+
+            except Exception as e:
+                error_msg = str(e)
+                errors.append(f"{provider_type.value}: {error_msg}")
+                self.health_checker.record_failure(provider_type, error_msg)
+                logger.warning(
+                    f"[{account.email}] {provider_type.value} 获取邮件失败: {e}"
+                )
+
+        logger.error(
+            f"[{account.email}] 所有提供者都失败: {'; '.join(errors)}"
+        )
+        return []
+
+    def create_email(self, config: Dict[str, Any] = None) -> Dict[str, Any]:
+        """
+        选择可用的 Outlook 账户
+
+        Args:
+            config: 配置参数（未使用）
+
+        Returns:
+            包含邮箱信息的字典
+        """
+        if not self.accounts:
+            self.update_status(False, EmailServiceError("没有可用的 Outlook 账户"))
+            raise EmailServiceError("没有可用的 Outlook 账户")
+
+        # 轮询选择账户
+        with self._account_lock:
+            account = self.accounts[self._current_account_index]
+            self._current_account_index = (self._current_account_index + 1) % len(self.accounts)
+
+        email_info = {
+            "email": account.email,
+            "service_id": account.email,
+            "account": {
+                "email": account.email,
+                "has_oauth": account.has_oauth()
+            }
+        }
+
+        logger.info(f"选择 Outlook 账户: {account.email}")
+        self.update_status(True)
+        return email_info
+
+    def get_verification_code(
+        self,
+        email: str,
+        email_id: str = None,
+        timeout: int = None,
+        pattern: str = None,
+        otp_sent_at: Optional[float] = None,
+    ) -> Optional[str]:
+        """
+        从 Outlook 邮箱获取验证码
+
+        Args:
+            email: 邮箱地址
+            email_id: 未使用
+            timeout: 超时时间（秒）
+            pattern: 验证码正则表达式（未使用）
+            otp_sent_at: OTP 发送时间戳
+
+        Returns:
+            验证码字符串
+        """
+        # 查找对应的账户
+        account = None
+        for acc in self.accounts:
+            if acc.email.lower() == email.lower():
+                account = acc
+                break
+
+        if not account:
+            self.update_status(False, EmailServiceError(f"未找到邮箱对应的账户: {email}"))
+            return None
+
+        # 获取验证码等待配置
+        code_settings = get_email_code_settings()
+        actual_timeout = timeout or code_settings["timeout"]
+        poll_interval = code_settings["poll_interval"]
+
+        logger.info(
+            f"[{email}] 开始获取验证码，超时 {actual_timeout}s，"
+            f"提供者优先级: {[p.value for p in self.provider_priority]}"
+        )
+
+        # 初始化验证码去重集合
+        if email not in self._used_codes:
+            self._used_codes[email] = set()
+        used_codes = self._used_codes[email]
+
+        # 计算最小时间戳（留出 60 秒时钟偏差）
+        min_timestamp = (otp_sent_at - 60) if otp_sent_at else 0
+
+        start_time = time.time()
+        poll_count = 0
+
+        while time.time() - start_time < actual_timeout:
+            poll_count += 1
+
+            # 渐进式邮件检查：前 3 次只检查未读
+            only_unseen = poll_count <= 3
+
+            try:
+                # 尝试多个提供者获取邮件
+                emails = self._try_providers_for_emails(
+                    account,
+                    count=15,
+                    only_unseen=only_unseen,
+                )
+
+                if emails:
+                    logger.debug(
+                        f"[{email}] 第 {poll_count} 次轮询获取到 {len(emails)} 封邮件"
+                    )
+
+                    # 从邮件中查找验证码
+                    code = self.email_parser.find_verification_code_in_emails(
+                        emails,
+                        target_email=email,
+                        min_timestamp=min_timestamp,
+                        used_codes=used_codes,
+                    )
+
+                    if code:
+                        used_codes.add(code)
+                        elapsed = int(time.time() - start_time)
+                        logger.info(
+                            f"[{email}] 找到验证码: {code}，"
+                            f"总耗时 {elapsed}s，轮询 {poll_count} 次"
+                        )
+                        self.update_status(True)
+                        return code
+
+            except Exception as e:
+                logger.warning(f"[{email}] 检查出错: {e}")
+
+            # 等待下次轮询
+            time.sleep(poll_interval)
+
+        elapsed = int(time.time() - start_time)
+        logger.warning(f"[{email}] 验证码超时 ({actual_timeout}s)，共轮询 {poll_count} 次")
+        return None
+
+    def list_emails(self, **kwargs) -> List[Dict[str, Any]]:
+        """列出所有可用的 Outlook 账户"""
+        return [
+            {
+                "email": account.email,
+                "id": account.email,
+                "has_oauth": account.has_oauth(),
+                "type": "outlook"
+            }
+            for account in self.accounts
+        ]
+
+    def delete_email(self, email_id: str) -> bool:
+        """删除邮箱（Outlook 不支持删除账户）"""
+        logger.warning(f"Outlook 服务不支持删除账户: {email_id}")
+        return False
+
+    def check_health(self) -> bool:
+        """检查 Outlook 服务是否可用"""
+        if not self.accounts:
+            self.update_status(False, EmailServiceError("没有配置的账户"))
+            return False
+
+        # 测试第一个账户的连接
+        test_account = self.accounts[0]
+
+        # 尝试任一提供者连接
+        for provider_type in self.provider_priority:
+            try:
+                provider = self._get_provider(test_account, provider_type)
+                if provider.test_connection():
+                    self.update_status(True)
+                    return True
+            except Exception as e:
+                logger.warning(
+                    f"Outlook 健康检查失败 ({test_account.email}, {provider_type.value}): {e}"
+                )
+
+        self.update_status(False, EmailServiceError("健康检查失败"))
+        return False
+
+    def get_provider_status(self) -> Dict[str, Any]:
+        """获取提供者状态"""
+        return self.failover_manager.get_status()
+
+    def get_account_stats(self) -> Dict[str, Any]:
+        """获取账户统计信息"""
+        total = len(self.accounts)
+        oauth_count = sum(1 for acc in self.accounts if acc.has_oauth())
+
+        return {
+            "total_accounts": total,
+            "oauth_accounts": oauth_count,
+            "password_accounts": total - oauth_count,
+            "accounts": [acc.to_dict() for acc in self.accounts],
+            "provider_status": self.get_provider_status(),
+        }
+
+    def add_account(self, account_config: Dict[str, Any]) -> bool:
+        """添加新的 Outlook 账户"""
+        try:
+            account = OutlookAccount.from_config(account_config)
+            if not account.validate():
+                return False
+
+            self.accounts.append(account)
+            logger.info(f"添加 Outlook 账户: {account.email}")
+            return True
+        except Exception as e:
+            logger.error(f"添加 Outlook 账户失败: {e}")
+            return False
+
+    def remove_account(self, email: str) -> bool:
+        """移除 Outlook 账户"""
+        for i, acc in enumerate(self.accounts):
+            if acc.email.lower() == email.lower():
+                self.accounts.pop(i)
+                logger.info(f"移除 Outlook 账户: {email}")
+                return True
+        return False
+
+    def reset_provider_health(self):
+        """重置所有提供者的健康状态"""
+        self.health_checker.reset_all()
+        logger.info("已重置所有提供者的健康状态")
+
+    def force_provider(self, provider_type: ProviderType):
+        """强制使用指定的提供者"""
+        self.health_checker.force_enable(provider_type)
+        # 禁用其他提供者
+        for pt in ProviderType:
+            if pt != provider_type:
+                self.health_checker.force_disable(pt, 60)
+        logger.info(f"已强制使用提供者: {provider_type.value}")