fix: restore startup config integrity

Author: lius-new

.github/workflows/tauri-build-win-official.yml

@@ -140,7 +140,9 @@ jobs:
           Set-ConfigValue '^(updater_temp_dir\s*=\s*)".*"$' "${{ env.APP_UPDATER_TEMP_DIR }}"
           Set-ConfigValue '^(downlaod_url\s*=\s*)".*"$' "${{ env.APP_WEBVIEW_DOWNLOAD_URL }}"
 
-          Set-Content -Path $configPath -Value $content -NoNewline
+          $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
+          $resolvedConfigPath = (Resolve-Path $configPath).Path
+          [System.IO.File]::WriteAllText($resolvedConfigPath, $content, $utf8NoBom)
 
       # 在 CI 构建期间使用 fixed 版本的 Tauri 配置
       # 先将 src-tauri/tauri.conf.fixed.json 覆盖为 src-tauri/tauri.conf.json，
@@ -173,15 +175,15 @@ jobs:
         run: node deploy/generate-latest-json.mjs
 
       - name: Publish GitHub release assets
-        if: github.event_name == 'push'
+        if: startsWith(github.ref, 'refs/tags/')
         env:
           GH_TOKEN: ${{ secrets.GT_TOKEN || github.token }}
           GH_REPO: ${{ github.repository }}
         run: node deploy/publish-github-release.mjs
 
       - name: Upload installer to R2 storage
         # tag push 时上传到 R2
-        if: github.event_name == 'push'
+        if: startsWith(github.ref, 'refs/tags/')
         shell: powershell
         run: |
           $ErrorActionPreference = "Stop"
@@ -215,7 +217,7 @@ jobs:
 
       - name: Upload latest.json to R2 root
         # tag push 时上传到 R2
-        if: github.event_name == 'push'
+        if: startsWith(github.ref, 'refs/tags/')
         shell: powershell
         run: |
           $ErrorActionPreference = "Stop"
@@ -244,7 +246,7 @@ jobs:
           path: latest.json
 
       - name: Publish version metadata
-        if: github.event_name == 'push'
+        if: startsWith(github.ref, 'refs/tags/')
         env:
           VERSION_API_URL: ${{ secrets.VERSION_API_URL }}
           VERSION_API_KEY: ${{ secrets.VERSION_API_KEY }}

.github/workflows/tauri-release-win.yml

@@ -86,7 +86,9 @@ jobs:
           Set-ConfigValue '^(updater_temp_dir\s*=\s*)".*"$' "${{ env.APP_UPDATER_TEMP_DIR }}"
           Set-ConfigValue '^(downlaod_url\s*=\s*)".*"$' "${{ env.APP_WEBVIEW_DOWNLOAD_URL }}"
 
-          Set-Content -Path $configPath -Value $content -NoNewline
+          $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
+          $resolvedConfigPath = (Resolve-Path $configPath).Path
+          [System.IO.File]::WriteAllText($resolvedConfigPath, $content, $utf8NoBom)
 
       - name: Use fixed Tauri config
         shell: powershell

src-tauri/build.rs

@@ -385,6 +385,15 @@ mod config_encrypt {
             );
         });
 
+        std::str::from_utf8(&config_bytes).unwrap_or_else(|e| {
+            panic!(
+                "[BUILD ERROR] Config file '{}' is not valid UTF-8: {}\n\
+                 Please ensure workflow/local scripts write this file with UTF-8 encoding.",
+                config_path.display(),
+                e
+            );
+        });
+
         let encrypted = crypto::encrypt(&config_bytes).expect("Failed to encrypt config");
 
         let out_path = Path::new(&out_dir).join("config_encrypted.bin");

src-tauri/src/core/config/encryption/crypto.rs

@@ -78,14 +78,10 @@ fn pre_transform(data: &[u8], key: &[u8; 16]) -> Vec<u8> {
         result.push(byte ^ key[i % 16]);
     }
 
-    // 字节重排（简单的置换）
-    let mut permuted = vec![0u8; result.len()];
-    for (i, &byte) in result.iter().enumerate() {
-        let new_pos = (i.wrapping_mul(7).wrapping_add(13)) % result.len();
-        permuted[new_pos] = byte;
-    }
-
-    permuted
+    result.reverse();
+    let shift = transform_shift(result.len(), key);
+    result.rotate_left(shift);
+    result
 }
 
 /// 数据预变换的逆操作
@@ -94,12 +90,10 @@ fn pre_transform_reverse(data: &[u8], key: &[u8; 16]) -> Vec<u8> {
         return Vec::new();
     }
 
-    // 逆置换：对于每个原始位置 i，找到它在加密后的位置
-    let mut unpermuted = vec![0u8; data.len()];
-    for i in 0..data.len() {
-        let encrypted_pos = (i.wrapping_mul(7).wrapping_add(13)) % data.len();
-        unpermuted[i] = data[encrypted_pos];
-    }
+    let mut unpermuted = data.to_vec();
+    let shift = transform_shift(unpermuted.len(), key);
+    unpermuted.rotate_right(shift);
+    unpermuted.reverse();
 
     // 逆 XOR
     let mut result = Vec::with_capacity(unpermuted.len());
@@ -243,3 +237,44 @@ fn post_transform(data: &[u8], key: &[u8; 16]) -> Vec<u8> {
 fn post_transform_reverse(data: &[u8], key: &[u8; 16]) -> Vec<u8> {
     data.iter().enumerate().map(|(i, &b)| b.wrapping_sub(key[i % 16])).collect()
 }
+
+fn transform_shift(len: usize, key: &[u8; 16]) -> usize {
+    if len <= 1 {
+        return 0;
+    }
+
+    let seed = key
+        .iter()
+        .take(4)
+        .fold(0usize, |acc, byte| (acc << 8) | (*byte as usize));
+    (seed.wrapping_add(len).wrapping_add(13)) % len
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{decrypt, encrypt};
+
+    #[test]
+    fn roundtrip_preserves_all_lengths_up_to_1024() {
+        for len in 0..=1024usize {
+            let input = (0..len)
+                .map(|index| ((index * 31 + 17) % 256) as u8)
+                .collect::<Vec<_>>();
+            let encrypted = encrypt(&input).expect("encrypt should succeed");
+            let decrypted = decrypt(&encrypted).expect("decrypt should succeed");
+            assert_eq!(decrypted, input, "roundtrip mismatch for len={len}");
+        }
+    }
+
+    #[test]
+    fn roundtrip_preserves_lengths_that_are_multiples_of_seven() {
+        for len in [7usize, 14, 497, 504, 4095, 4096, 4097] {
+            let input = (0..len)
+                .map(|index| ((index * 13 + 29) % 256) as u8)
+                .collect::<Vec<_>>();
+            let encrypted = encrypt(&input).expect("encrypt should succeed");
+            let decrypted = decrypt(&encrypted).expect("decrypt should succeed");
+            assert_eq!(decrypted, input, "roundtrip mismatch for len={len}");
+        }
+    }
+}