Build music-quiz installer and management site per spec

Implements the full spec described in README.md:

Management site (Node + TypeScript + Express + EJS):
- Public main page lists packs registered in manifest.json.
- /op login (account.json, internal-only), /op/dashboard manages packs
  with horizontal-scroll cards, add/select-and-delete flow, and the
  /op/dashboard/:packName editor (Mojang release dropdown, dynamic
  mods/resourcepacks lists, platform/RAM fields, file rename).
- Routes for /manifest.json (public) and /file/* (server pack files).
- Middleware blocks /account.json and /manifest/* directory access.

Installer (Electron):
- Five page renderer driven by IPC (preload contextBridge API):
  pack pick → single/multi → server install (path no-Korean check, JDK
  detect, file download, EULA, RAM gating, local web config editor,
  UPnP/port-forward check) → client install (.mc_custom mods +
  resourcepacks + launcher_profiles.json gameDir/javaArgs) → finish
  toggles (server folder, shortcut, server start, launcher start).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/server/app.ts

@@ -0,0 +1,61 @@
+import express from 'express'
+import session from 'express-session'
+import path from 'node:path'
+import { manifestRootPath, fileDirPath, viewsDirPath, publicDirPath } from '../shared/paths'
+import { indexRouter } from './routes/index'
+import { opRouter } from './routes/op'
+
+const PORT = Number(process.env.PORT ?? 3000)
+const HOST = process.env.HOST ?? '0.0.0.0'
+
+const app = express()
+
+app.set('view engine', 'ejs')
+app.set('views', viewsDirPath)
+app.set('trust proxy', 1)
+
+app.use(express.urlencoded({ extended: true }))
+app.use(express.json())
+
+app.use(session({
+  secret: process.env.SESSION_SECRET ?? 'music-quiz-installer-dev-secret',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    sameSite: 'lax',
+    maxAge: 1000 * 60 * 60 * 8
+  }
+}))
+
+// 외부에서 account.json, /manifest 폴더 등에 절대 접근 불가하도록 가장 먼저 차단한다.
+app.use((req, res, next) => {
+  if (/^\/account\.json/i.test(req.path) || /^\/manifest\//i.test(req.path)) {
+    res.status(404).send('Not Found')
+    return
+  }
+  next()
+})
+
+app.use('/static', express.static(publicDirPath))
+
+// 외부 노출이 필요한 정적 자원만 화이트리스트로 라우팅한다.
+app.get('/manifest.json', (_req, res) => {
+  res.sendFile(manifestRootPath)
+})
+
+app.use('/file', express.static(fileDirPath, { fallthrough: true, index: false }))
+
+app.use('/', indexRouter)
+app.use('/', opRouter)
+
+app.use((err: unknown, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
+  console.error(err)
+  const message = err instanceof Error ? err.message : '알 수 없는 오류'
+  res.status(500).send(`서버 오류: ${message}`)
+})
+
+app.listen(PORT, HOST, () => {
+  console.log(`[server] http://${HOST}:${PORT}`)
+  console.log(`[server] views: ${path.relative(process.cwd(), viewsDirPath)}`)
+})

src/server/middleware/auth.ts

@@ -0,0 +1,19 @@
+import type { Request, Response, NextFunction } from 'express'
+
+declare module 'express-session' {
+  interface SessionData {
+    userId?: string
+  }
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  if (req.session?.userId) {
+    next()
+    return
+  }
+  if (req.method === 'GET') {
+    res.redirect('/op')
+    return
+  }
+  res.status(401).send('인증이 필요합니다.')
+}

src/server/routes/index.ts

@@ -0,0 +1,23 @@
+import { Router } from 'express'
+import { listPackKeys, loadPackDefinition, readManifest } from '../../shared/store'
+
+export const indexRouter = Router()
+
+indexRouter.get('/', async (_req, res, next) => {
+  try {
+    const manifest = await readManifest()
+    const definitionMap = new Map<string, Awaited<ReturnType<typeof loadPackDefinition>>>()
+    const keys = await listPackKeys()
+    for (const key of keys) {
+      definitionMap.set(key, await loadPackDefinition(key))
+    }
+    const packs = manifest.packs.map((entry) => ({
+      name: entry.name,
+      file: entry.file,
+      definition: definitionMap.get(entry.file) ?? null
+    }))
+    res.render('index', { packs })
+  } catch (error) {
+    next(error)
+  }
+})

src/server/routes/op.ts

@@ -0,0 +1,163 @@
+import { Router } from 'express'
+import {
+  createPack,
+  deletePackKeys,
+  listPackKeys,
+  loadPackDefinition,
+  normalizePackDefinition,
+  readAccounts,
+  renamePack,
+  sanitizePackKey
+} from '../../shared/store'
+import { fetchReleaseVersions } from '../../shared/mojang'
+import { requireAuth } from '../middleware/auth'
+import type { PackDefinition } from '../../shared/types'
+
+export const opRouter = Router()
+
+function pickFirstValue(value: unknown): string {
+  if (Array.isArray(value)) return typeof value[0] === 'string' ? value[0] : ''
+  return typeof value === 'string' ? value : ''
+}
+
+function pickStringArray(value: unknown): string[] {
+  if (Array.isArray(value)) {
+    return value.filter((item): item is string => typeof item === 'string')
+  }
+  if (typeof value === 'string') return [value]
+  return []
+}
+
+opRouter.get('/op', (req, res) => {
+  if (req.session?.userId) {
+    res.redirect('/op/dashboard')
+    return
+  }
+  res.render('op/login', { error: null })
+})
+
+opRouter.post('/op', async (req, res, next) => {
+  try {
+    const id = pickFirstValue(req.body.id).trim()
+    const password = pickFirstValue(req.body.password)
+    const accounts = await readAccounts()
+    const matched = accounts.find((entry) => entry.id === id && entry.password === password)
+    if (!matched) {
+      res.status(401).render('op/login', { error: '아이디 또는 비밀번호가 올바르지 않습니다.' })
+      return
+    }
+    req.session.userId = matched.id
+    res.redirect('/op/dashboard')
+  } catch (error) {
+    next(error)
+  }
+})
+
+opRouter.post('/op/logout', (req, res) => {
+  req.session.destroy(() => {
+    res.redirect('/op')
+  })
+})
+
+opRouter.get('/op/dashboard', requireAuth, async (req, res, next) => {
+  try {
+    const keys = await listPackKeys()
+    const items = await Promise.all(keys.map(async (key) => ({
+      key,
+      definition: await loadPackDefinition(key)
+    })))
+    res.render('op/dashboard', {
+      userId: req.session.userId,
+      items
+    })
+  } catch (error) {
+    next(error)
+  }
+})
+
+opRouter.post('/op/dashboard/create', requireAuth, async (_req, res, next) => {
+  try {
+    const { key } = await createPack()
+    res.redirect(`/op/dashboard/${key}`)
+  } catch (error) {
+    next(error)
+  }
+})
+
+opRouter.post('/op/dashboard/delete', requireAuth, async (req, res, next) => {
+  try {
+    const keys = pickStringArray(req.body.targetKey)
+      .map((key) => sanitizePackKey(key))
+      .filter((key) => key.length > 0)
+    if (keys.length > 0) {
+      await deletePackKeys(keys)
+    }
+    res.redirect('/op/dashboard')
+  } catch (error) {
+    next(error)
+  }
+})
+
+opRouter.get('/op/dashboard/:packName', requireAuth, async (req, res, next) => {
+  try {
+    const packKey = sanitizePackKey(pickFirstValue(req.params.packName))
+    const definition = await loadPackDefinition(packKey)
+    if (!definition) {
+      res.status(404).send('해당 음악퀴즈를 찾을 수 없습니다.')
+      return
+    }
+    const releases = await fetchReleaseVersions()
+    res.render('op/editor', {
+      userId: req.session.userId,
+      packKey,
+      pack: definition,
+      releases
+    })
+  } catch (error) {
+    next(error)
+  }
+})
+
+opRouter.post('/op/dashboard/:packName', requireAuth, async (req, res, next) => {
+  try {
+    const packKey = sanitizePackKey(pickFirstValue(req.params.packName))
+    const requestedKey = sanitizePackKey(pickFirstValue(req.body.fileName)) || packKey
+
+    const modNames = pickStringArray(req.body['modName']).map((value) => value.trim())
+    const modUrls = pickStringArray(req.body['modUrl']).map((value) => value.trim())
+    const mods = modNames.map((name, index) => ({ name, downloadUrl: modUrls[index] ?? '' }))
+
+    const resourceNames = pickStringArray(req.body['resourceName']).map((value) => value.trim())
+    const resourceUrls = pickStringArray(req.body['resourceUrl']).map((value) => value.trim())
+    const resourcepacks = resourceNames.map((name, index) => ({ name, downloadUrl: resourceUrls[index] ?? '' }))
+
+    const platformType = pickFirstValue(req.body.platformType)
+    const platformDownloadUrl = pickFirstValue(req.body.platformDownloadUrl).trim()
+
+    const partial: Partial<PackDefinition> & Record<string, unknown> = {
+      name: pickFirstValue(req.body.displayName),
+      mcVersion: pickFirstValue(req.body.mcVersion),
+      platform: {
+        type: (platformType as PackDefinition['platform']['type']) || 'vanilla',
+        downloadUrl: platformDownloadUrl.length > 0 ? platformDownloadUrl : undefined
+      },
+      mods,
+      resourcepacks,
+      serverMinRam: Number(pickFirstValue(req.body.serverMinRam)),
+      serverMaxRam: Number(pickFirstValue(req.body.serverMaxRam)),
+      clientMinRam: Number(pickFirstValue(req.body.clientMinRam)),
+      clientRecommendedRam: Number(pickFirstValue(req.body.clientRecommendedRam)),
+      packPath: pickFirstValue(req.body.packPath)
+    }
+
+    const normalized = normalizePackDefinition(partial)
+    if (normalized.clientMinRam > normalized.clientRecommendedRam) {
+      res.status(400).send('clientMinRam은 clientRecommendedRam보다 클 수 없습니다.')
+      return
+    }
+    const finalKey = await renamePack(packKey, requestedKey, normalized)
+    res.redirect(`/op/dashboard/${finalKey}`)
+  } catch (error) {
+    next(error)
+  }
+})