From ab255412007d4aa9909b0c278aefb36faed9f0a1 Mon Sep 17 00:00:00 2001
From: aiyimickey <39365912+aiyimickey@users.noreply.github.com>
Date: Mon, 18 May 2026 16:57:07 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E9=82=AE=E4=BB=B6=20Resend=20API=20+?=
 =?UTF-8?q?=20=E5=AF=86=E7=A0=81=E8=AE=BE=E7=BD=AE=E9=93=BE=E6=8E=A5=20+?=
 =?UTF-8?q?=20=E9=82=AE=E7=AE=B1=E7=AE=A1=E7=90=86=20+=20UI=20=E9=87=8D?=
 =?UTF-8?q?=E8=AE=BE=E8=AE=A1=20+=20=E6=97=B6=E5=8C=BA=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 邮件：163 SMTP → Resend API，发件人 noreply@tlyq.ai
- 安全：创建用户发密码设置链接（24h有效），不再明文发密码
- 新增：/setup-password 密码设置页 + setup-token 工具
- 新增：个人信息页 + 权限管理页 显示/修改邮箱
- 修复：创建用户存储真实邮箱（不再拼接 {username}@tlyq.ai）
- 修复：全站 toISOString / datetime('now') → UTC+8
- 设计：用户管理页全宽重设计，Header 1440px 统一
- 调整：用户列表创建时间精确到秒
---
 CHANGELOG.md                               |  14 +
 docker-compose.yml                         |   6 +-
 package-lock.json                          |  82 ++++--
 package.json                               |   3 +-
 src/app/admin/create-user/page.tsx         | 289 ++++++++++-----------
 src/app/admin/create-user/role-manager.tsx | 188 +++++++-------
 src/app/api/admin/create-user/route.ts     |  16 +-
 src/app/api/admin/user-roles/route.ts      |  16 +-
 src/app/api/admin/users/route.ts           |  29 +++
 src/app/api/auth/me/route.ts               |  54 +++-
 src/app/api/auth/setup-password/route.ts   |  54 ++++
 src/app/profile/email-editor.tsx           |  94 +++++++
 src/app/profile/page.tsx                   |   4 +
 src/app/setup-password/page.tsx            | 246 ++++++++++++++++++
 src/components/HeaderUI.tsx                |   2 +-
 src/lib/email.ts                           |  49 ++--
 src/lib/setup-token.ts                     |  48 ++++
 src/middleware.ts                          |   4 +-
 18 files changed, 875 insertions(+), 323 deletions(-)
 create mode 100644 src/app/api/auth/setup-password/route.ts
 create mode 100644 src/app/profile/email-editor.tsx
 create mode 100644 src/app/setup-password/page.tsx
 create mode 100644 src/lib/setup-token.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79c28a7..62947cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # 变更日志
 
+## 2026-05-18
+
+- [安全] 邮件发送从 163 企业邮箱 SMTP → Resend API（Sending Access 权限），凭证从邮箱完整密码降级为仅可发信的 API Key
+- [安全] 创建用户不再邮件发送明文密码，改为发送一次性密码设置链接（JWT token，24 小时有效），密码全程只有用户自己知道
+- [新增] `/setup-password` 密码设置页（公开，通过邮件链接访问）+ `/api/auth/setup-password` API
+- [新增] `src/lib/setup-token.ts` 一次性密码设置 token 签发/验证
+- [新增] 个人信息页 显示/修改邮箱（EmailEditor 客户端组件，inline 编辑）
+- [新增] 权限管理页 邮箱列 + admin 编辑任意用户邮箱
+- [修复] 创建用户时 LLDAP 存储真实邮箱（不再自动拼接 `{username}@tlyq.ai`）
+- [修复] 全站时区统一 UTC+8：修复 4 处 `toISOString()` + 1 处 `datetime('now')` 无偏移
+- [设计] 用户管理页全宽重设计：顶部 Tab 条 + 表格化列表 + toast 通知 + Header 宽度 1440px 统一
+- [调整] 用户列表创建时间精确到秒
+- [调整] 邮件模板移除 163 管理员联系方式
+
 ## 2026-05-14
 
 - [新增] 管理员权限接入 LLDAP `lldap_admin` 组：`isLldapAdmin()` 通过 LDAP 查询组成员决定管理权限，不再硬编码 `username === 'admin'`；将用户加入该组即可获得 OA 管理权限
diff --git a/docker-compose.yml b/docker-compose.yml
index 72899c5..66c2fc1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,11 +13,7 @@ services:
       - TZ=Asia/Shanghai
       - ASSETS_DB_PATH=/data/other-sites/assets/assets.db
       - ISSUE_DB_PATH=/data/other-sites/issue/issue.db
-      - SMTP_HOST=smtphz.qiye.163.com
-      - SMTP_PORT=465
-      - SMTP_USER=gxp@qx002575.com
-      - SMTP_PASS=qhQcTaR6rAzCnHQk
-      - SMTP_FROM=gxp@qx002575.com
+      - RESEND_API_KEY=${RESEND_API_KEY}
     volumes:
       - ./.next:/app/.next
       - /var/run/docker.sock:/var/run/docker.sock
diff --git a/package-lock.json b/package-lock.json
index 8a07e9f..c2fe864 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,13 +10,12 @@
       "dependencies": {
         "ldapts": "^6.0.0",
         "next": "^15.0.0",
-        "nodemailer": "^8.0.7",
         "react": "^19.0.0",
-        "react-dom": "^19.0.0"
+        "react-dom": "^19.0.0",
+        "resend": "^6.0.3"
       },
       "devDependencies": {
         "@types/node": "^22.0.0",
-        "@types/nodemailer": "^8.0.0",
         "@types/react": "^19.0.0",
         "typescript": "^5.0.0"
       }
@@ -691,6 +690,12 @@
         "node": ">= 10"
       }
     },
+    "node_modules/@stablelib/base64": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@stablelib/base64/-/base64-1.0.1.tgz",
+      "integrity": "sha512-1bnPQqSxSuc3Ii6MhBysoWCg58j97aUjuCSZrGSmDxNqtytIi0k8utUenAwTZN4V5mXXYGsVUI9zeBqy+jBOSQ==",
+      "license": "MIT"
+    },
     "node_modules/@swc/helpers": {
       "version": "0.5.15",
       "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.15.tgz",
@@ -718,16 +723,6 @@
         "undici-types": "~6.21.0"
       }
     },
-    "node_modules/@types/nodemailer": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/@types/nodemailer/-/nodemailer-8.0.0.tgz",
-      "integrity": "sha512-fyf8jWULsCo0d0BuoQ75i6IeoHs47qcqxWc7yUdUcV0pOZGjUTTOvwdG1PRXUDqN/8A64yQdQdnA2pZgcdi+cA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
     "node_modules/@types/react": {
       "version": "19.2.14",
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
@@ -813,6 +808,12 @@
         "node": ">=8"
       }
     },
+    "node_modules/fast-sha256": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/fast-sha256/-/fast-sha256-1.3.0.tgz",
+      "integrity": "sha512-n11RGP/lrWEFI/bWdygLxhI+pVeo1ZYIVwvvPkW7azl/rOy+F3HYRZ2K5zeE9mmkhQppyv9sQFx0JM9UabnpPQ==",
+      "license": "Unlicense"
+    },
     "node_modules/ldapts": {
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/ldapts/-/ldapts-6.0.0.tgz",
@@ -907,21 +908,18 @@
         }
       }
     },
-    "node_modules/nodemailer": {
-      "version": "8.0.7",
-      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.7.tgz",
-      "integrity": "sha512-pkjE4mkBzQjdJT4/UmlKl3pX0rC9fZmjh7c6C9o7lv66Ac6w9WCnzPzhbPNxwZAzlF4mdq4CSWB5+FbK6FWCow==",
-      "license": "MIT-0",
-      "engines": {
-        "node": ">=6.0.0"
-      }
-    },
     "node_modules/picocolors": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
       "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
       "license": "ISC"
     },
+    "node_modules/postal-mime": {
+      "version": "2.7.4",
+      "resolved": "https://registry.npmjs.org/postal-mime/-/postal-mime-2.7.4.tgz",
+      "integrity": "sha512-0WdnFQYUrPGGTFu1uOqD2s7omwua8xaeYGdO6rb88oD5yJ/4pPHDA4sdWqfD8wQVfCny563n/HQS7zTFft+f/g==",
+      "license": "MIT-0"
+    },
     "node_modules/postcss": {
       "version": "8.4.31",
       "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
@@ -971,6 +969,27 @@
         "react": "^19.2.6"
       }
     },
+    "node_modules/resend": {
+      "version": "6.12.3",
+      "resolved": "https://registry.npmjs.org/resend/-/resend-6.12.3.tgz",
+      "integrity": "sha512-FkEi6YPnVL96/LvH8+QP7NaeaBy5brYXwlRqUCqZZeNL0/iyKij18IPmyPXYauT/2ODn1JG04qKz+qlJfzqzTw==",
+      "license": "MIT",
+      "dependencies": {
+        "postal-mime": "2.7.4",
+        "svix": "1.92.2"
+      },
+      "engines": {
+        "node": ">=20"
+      },
+      "peerDependencies": {
+        "@react-email/render": "*"
+      },
+      "peerDependenciesMeta": {
+        "@react-email/render": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/safer-buffer": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
@@ -1050,6 +1069,16 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/standardwebhooks": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/standardwebhooks/-/standardwebhooks-1.0.0.tgz",
+      "integrity": "sha512-BbHGOQK9olHPMvQNHWul6MYlrRTAOKn03rOe4A8O3CLWhNf4YHBqq2HJKKC+sfqpxiBY52pNeesD6jIiLDz8jg==",
+      "license": "MIT",
+      "dependencies": {
+        "@stablelib/base64": "^1.0.0",
+        "fast-sha256": "^1.3.0"
+      }
+    },
     "node_modules/strict-event-emitter-types": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/strict-event-emitter-types/-/strict-event-emitter-types-2.0.0.tgz",
@@ -1079,6 +1108,15 @@
         }
       }
     },
+    "node_modules/svix": {
+      "version": "1.92.2",
+      "resolved": "https://registry.npmjs.org/svix/-/svix-1.92.2.tgz",
+      "integrity": "sha512-ZmuA3UVvlnF9EgxlzmPtF7CKjQb64Z6OFlyfdDfU0sdcC7dJa+3aOYX5B9mA+RS6ch1AxBa4UP/l6KmqfGtWBQ==",
+      "license": "MIT",
+      "dependencies": {
+        "standardwebhooks": "1.0.0"
+      }
+    },
     "node_modules/tslib": {
       "version": "2.8.1",
       "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
diff --git a/package.json b/package.json
index fa4f89d..c3079d6 100644
--- a/package.json
+++ b/package.json
@@ -10,13 +10,12 @@
   "dependencies": {
     "ldapts": "^6.0.0",
     "next": "^15.0.0",
-    "nodemailer": "^8.0.7",
+    "resend": "^6.0.3",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
-    "@types/nodemailer": "^8.0.0",
     "@types/react": "^19.0.0",
     "typescript": "^5.0.0"
   }
diff --git a/src/app/admin/create-user/page.tsx b/src/app/admin/create-user/page.tsx
index a6cb798..2c443d9 100644
--- a/src/app/admin/create-user/page.tsx
+++ b/src/app/admin/create-user/page.tsx
@@ -6,6 +6,25 @@ import RoleManager from './role-manager'
 
 interface Role { name: string; display_name: string }
 interface LdapUser { username: string; email: string; displayName: string; createdAt: string }
+
+const s = {
+  wrap: { minHeight: '100vh', background: 'var(--bg)' } as React.CSSProperties,
+  main: { padding: '32px 40px', maxWidth: 1440 } as React.CSSProperties,
+  tabBar: { display: 'flex', gap: 0, borderBottom: '1px solid var(--border)', marginBottom: 32 } as React.CSSProperties,
+  content: {} as React.CSSProperties,
+  grid2: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 20 } as React.CSSProperties,
+  field: { marginBottom: 20 } as React.CSSProperties,
+  label: { display: 'block', fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 } as React.CSSProperties,
+  input: { width: '100%', height: 44, padding: '0 14px', border: '1px solid var(--border)', borderRadius: 8, background: 'var(--bg-card)', color: 'var(--text)', fontSize: 14, outline: 'none', boxSizing: 'border-box' as any },
+  select: { width: '100%', height: 44, padding: '0 14px', border: '1px solid var(--border)', borderRadius: 8, background: 'var(--bg-card)', color: 'var(--text)', fontSize: 14, outline: 'none', cursor: 'pointer', boxSizing: 'border-box' as any },
+  btn: { width: '100%', height: 46, background: '#2563eb', color: '#fff', border: 'none', borderRadius: 8, fontSize: 15, fontWeight: 600, cursor: 'pointer' },
+  table: { width: '100%', borderCollapse: 'collapse' as any } as React.CSSProperties,
+  th: { textAlign: 'left' as any, fontSize: 11, fontWeight: 600, color: 'var(--text-muted)', padding: '10px 12px', borderBottom: '2px solid var(--border)', textTransform: 'uppercase' as any, letterSpacing: '0.05em' } as React.CSSProperties,
+  td: { padding: '14px 12px', borderBottom: '1px solid var(--border)', fontSize: 13, color: 'var(--text)' } as React.CSSProperties,
+  toast: { position: 'fixed', bottom: 24, right: 24, zIndex: 100, padding: '12px 20px', borderRadius: 10, fontSize: 13, fontWeight: 500, boxShadow: '0 4px 24px rgba(0,0,0,0.12)', animation: 'slideUp 0.3s ease', maxWidth: 400 } as React.CSSProperties,
+  badge: { display: 'inline-block', padding: '2px 10px', borderRadius: 10, fontSize: 11, fontWeight: 500 } as React.CSSProperties,
+}
+
 export default function AdminUsersPage() {
   const [tab, setTab] = useState<'create' | 'manage' | 'roles'>('create')
   const [username, setUsername] = useState('')
@@ -22,8 +41,6 @@ export default function AdminUsersPage() {
   const [loginUser, setLoginUser] = useState('')
   const [loginDisplayName, setLoginDisplayName] = useState('')
   const [isAdmin, setIsAdmin] = useState(false)
-
-  // 密码弹窗
   const [showPwd, setShowPwd] = useState(false)
   const [generatedPwd, setGeneratedPwd] = useState('')
   const [pwdUser, setPwdUser] = useState('')
@@ -46,62 +63,36 @@ export default function AdminUsersPage() {
     try {
       const res = await fetch('/api/auth/me')
       const d = await res.json()
-      if (d.user) {
-        setLoginUser(d.user.username || '')
-        setLoginDisplayName(d.user.displayName || d.user.username || '')
-        setIsAdmin(d.user.isAdmin || false)
-      }
+      if (d.user) { setLoginUser(d.user.username || ''); setLoginDisplayName(d.user.displayName || d.user.username || ''); setIsAdmin(d.user.isAdmin || false) }
     } catch {}
   }, [])
 
   useEffect(() => { fetchRoles(); fetchLoginUser() }, [fetchRoles, fetchLoginUser])
 
   async function refreshUsers() {
-    try {
-      const u = await fetch('/api/admin/users').then(r => r.json())
-      if (u.users?.length) setUsers(u.users)
-    } catch {}
+    try { const u = await fetch('/api/admin/users').then(r => r.json()); if (u.users?.length) setUsers(u.users) } catch {}
   }
 
+  function showResult(ok: boolean, msg: string) { setResult({ ok, msg }); setTimeout(() => setResult(null), 4000) }
+
   async function handleCreate(e: React.FormEvent) {
     e.preventDefault()
-    setResult(null); setLoading(true)
+    setLoading(true)
     try {
-      const res = await fetch('/api/admin/create-user', {
-        method: 'POST', headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ username, displayName, assetsRole, issueRole, email: email || undefined }),
-      })
+      const res = await fetch('/api/admin/create-user', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ username, displayName, assetsRole, issueRole, email: email || undefined }) })
       const d = await res.json()
       if (res.ok) {
-        if (d.password) {
-          setGeneratedPwd(d.password); setPwdUser(username); setPwdName(displayName || username); setShowPwd(true); setCopied(false)
-        }
+        if (d.password) { setGeneratedPwd(d.password); setPwdUser(username); setPwdName(displayName || username); setShowPwd(true); setCopied(false) }
         setUsername(''); setDisplayName(''); setEmail('')
         refreshUsers()
       }
-      setResult({ ok: res.ok, msg: d.message || d.error || '操作完成' })
-    } catch { setResult({ ok: false, msg: '网络错误' }) }
+      showResult(res.ok, d.message || d.error || '操作完成')
+    } catch { showResult(false, '网络错误') }
     finally { setLoading(false) }
   }
 
   async function handleCopy() {
-    const text = `您好，${pwdName}：
-
-您的 OA 统一门户账号已创建，请使用以下信息登录：
-
-  用户名：${pwdUser}
-  密  码：${generatedPwd}
-
-登录地址：https://oa.tlyq.ai
-
-⚠ 请注意：
-修改密码只能通过 OA 统一门户（oa.tlyq.ai），无法在子站点（assets、issue 等）中修改密码。
-请登录 OA 后在个人资料页修改密码。
-
-请在首次登录后及时修改密码。
-
-此邮件由系统自动发送，请勿回复。
-如有疑问，请联系管理员：gxp@qx002575.com`
+    const text = `您好，${pwdName}：\n\n您的 OA 统一门户账号已创建，请使用以下信息登录：\n\n  用户名：${pwdUser}\n  密  码：${generatedPwd}\n\n登录地址：https://oa.tlyq.ai\n\n请在首次登录后及时修改密码。`
     try { await navigator.clipboard.writeText(text); setCopied(true); setTimeout(() => setCopied(false), 2000) } catch {}
   }
 
@@ -109,157 +100,151 @@ export default function AdminUsersPage() {
     if (!confirm(`确定删除用户「${target}」？\n\n将从 LLDAP 及所有站点中永久删除，不可撤销。`)) return
     setDeleting(target)
     try {
-      const res = await fetch('/api/admin/users', {
-        method: 'DELETE', headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ username: target }),
-      })
+      const res = await fetch('/api/admin/users', { method: 'DELETE', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ username: target }) })
       const d = await res.json()
-      setResult({ ok: res.ok, msg: res.ok ? `已删除 ${target}` : (d.error || '删除失败') })
       if (res.ok) setUsers(users.filter(u => u.username !== target))
-    } catch { setResult({ ok: false, msg: '网络错误' }) }
+      showResult(res.ok, res.ok ? `已删除 ${target}` : (d.error || '删除失败'))
+    } catch { showResult(false, '网络错误') }
     finally { setDeleting(null) }
   }
 
-  const inputStyle: React.CSSProperties = {
-    width: '100%', height: 42, padding: '0 12px',
-    background: 'var(--bg-card)', border: '1px solid var(--border)', borderRadius: 8,
-    fontSize: 14, outline: 'none', boxSizing: 'border-box', color: 'var(--text)',
-  }
-  const tabStyle = (t: string): React.CSSProperties => ({
-    padding: '10px 20px', border: 'none', background: tab === t ? 'var(--bg-card)' : 'transparent',
-    color: tab === t ? '#2563eb' : 'var(--text-secondary)', cursor: 'pointer',
-    fontSize: 14, fontWeight: tab === t ? 600 : 400,
-    borderBottom: tab === t ? '2px solid #2563eb' : '2px solid transparent',
-    transition: 'all 0.15s',
-  })
-
+  const tabItem = (t: string, label: string) => (
+    <button onClick={() => { setTab(t as any); setResult(null) }} style={{
+      padding: '14px 28px', border: 'none', background: 'transparent',
+      color: tab === t ? '#2563eb' : 'var(--text-secondary)',
+      fontSize: 14, fontWeight: tab === t ? 700 : 500, cursor: 'pointer',
+      borderBottom: tab === t ? '3px solid #2563eb' : '3px solid transparent',
+      marginBottom: -1, transition: 'all 0.15s',
+    }}>{label}</button>
+  )
 
   return (
-    <div style={{ minHeight: '100vh', background: 'var(--bg)' }}>
+    <div style={s.wrap}>
       <HeaderUI displayName={loginDisplayName || loginUser} isAdmin={isAdmin} backLabel="用户管理" />
 
-      {/* 密码弹窗 */}
       {showPwd && (
         <div style={{ position: 'fixed', inset: 0, zIndex: 200, display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'rgba(0,0,0,0.4)', backdropFilter: 'blur(4px)' }} onClick={() => setShowPwd(false)}>
           <div style={{ background: 'var(--bg-card)', borderRadius: 16, padding: '36px 40px', boxShadow: '0 20px 60px rgba(0,0,0,0.2)', textAlign: 'center', maxWidth: 420, width: '90%', border: '1px solid var(--border)' }} onClick={e => e.stopPropagation()}>
             <div style={{ fontSize: 32, marginBottom: 12 }}>&#128273;</div>
             <h2 style={{ fontSize: 18, fontWeight: 700, margin: '0 0 6px', color: 'var(--text)' }}>用户创建成功</h2>
-            <p style={{ fontSize: 13, color: 'var(--text-muted)', margin: '0 0 16px' }}>
-              {pwdName !== pwdUser ? `${pwdName}（${pwdUser}）` : pwdUser}
-            </p>
+            <p style={{ fontSize: 13, color: 'var(--text-muted)', margin: '0 0 16px' }}>{pwdName !== pwdUser ? `${pwdName}（${pwdUser}）` : pwdUser}</p>
             <div style={{ background: 'var(--bg)', border: '1px solid var(--border)', borderRadius: 10, padding: '14px 20px', fontSize: 22, fontWeight: 700, fontFamily: 'monospace', letterSpacing: '0.05em', color: '#2563eb', marginBottom: 8, wordBreak: 'break-all', userSelect: 'all' }}>{generatedPwd}</div>
             <p style={{ fontSize: 11, color: 'var(--text-muted)', margin: '0 0 20px' }}>初始密码，请妥善保存</p>
             <div style={{ display: 'flex', gap: 10 }}>
-              <button onClick={handleCopy} style={{ flex: 1, height: 42, borderRadius: 8, border: 'none', cursor: 'pointer', background: copied ? '#f0fdf4' : '#2563eb', color: copied ? '#16a34a' : '#fff', fontSize: 14, fontWeight: 500, transition: 'all 0.2s' }}>{copied ? '✓ 已复制' : '复制信息'}</button>
+              <button onClick={handleCopy} style={{ flex: 1, height: 42, borderRadius: 8, border: 'none', cursor: 'pointer', background: copied ? '#f0fdf4' : '#2563eb', color: copied ? '#16a34a' : '#fff', fontSize: 14, fontWeight: 500 }}>{copied ? '✓ 已复制' : '复制信息'}</button>
               <button onClick={() => setShowPwd(false)} style={{ flex: 1, height: 42, borderRadius: 8, border: '1px solid var(--border)', background: 'var(--bg-card)', color: 'var(--text-secondary)', fontSize: 14, cursor: 'pointer' }}>关闭</button>
             </div>
           </div>
         </div>
       )}
 
-      <div style={{ display: 'flex', justifyContent: 'center', paddingTop: 60, paddingBottom: 60 }}>
-        <div style={{ width: 680 }}>
+      {/* Toast */}
+      {result && (
+        <div style={{ ...s.toast, background: result.ok ? '#f0fdf4' : '#fef2f2', color: result.ok ? '#16a34a' : '#dc2626', border: result.ok ? '1px solid #bbf7d0' : '1px solid #fecaca' }}>
+          {result.msg}
+        </div>
+      )}
 
-          {/* Tab */}
-          <div style={{ display: 'flex', gap: 0, marginBottom: 0 }}>
-            <button onClick={() => { setTab('create'); setResult(null) }} style={tabStyle('create')}>创建用户</button>
-            <button onClick={() => { setTab('manage'); setResult(null) }} style={tabStyle('manage')}>删除用户</button>
-            <button onClick={() => { setTab('roles'); setResult(null) }} style={tabStyle('roles')}>权限管理</button>
-          </div>
+      <div style={s.main}>
+        {/* Tab Bar */}
+        <div style={s.tabBar}>
+          {tabItem('create', '创建用户')}
+          {tabItem('manage', '删除用户')}
+          {tabItem('roles', '权限管理')}
+        </div>
 
-          <div style={{ background: 'var(--bg-card)', border: '1px solid var(--border)', borderTop: 'none', borderRadius: '0 0 12px 12px', padding: '28px 30px', boxShadow: '0 1px 3px rgba(0,0,0,0.06)' }}>
-
-            {result && (
-              <div style={{ padding: '10px 14px', borderRadius: 8, marginBottom: 18, fontSize: 13, background: result.ok ? '#f0fdf4' : '#fef2f2', color: result.ok ? '#16a34a' : '#dc2626' }}>
-                {result.msg}
+        <div style={s.content}>
+          {/* ====== 创建用户 ====== */}
+          {tab === 'create' && (
+            <form onSubmit={handleCreate}>
+              <div style={s.grid2}>
+                <div style={s.field}>
+                  <label style={s.label}>用户名</label>
+                  <input type="text" value={username} onChange={e => setUsername(e.target.value)} placeholder="英文用户名" required style={s.input} />
+                </div>
+                <div style={s.field}>
+                  <label style={s.label}>显示名</label>
+                  <input type="text" value={displayName} onChange={e => setDisplayName(e.target.value)} placeholder="可选，留空同用户名" style={s.input} />
+                </div>
               </div>
-            )}
+              <div style={s.field}>
+                <label style={s.label}>邮箱地址 <span style={{ fontSize: 11, color: 'var(--text-muted)', fontWeight: 400 }}>（选填，填写后将发送密码设置链接至此邮箱）</span></label>
+                <input type="email" value={email} onChange={e => setEmail(e.target.value)} placeholder="user@example.com" style={s.input} />
+              </div>
+              <div style={{ borderTop: '1px solid var(--border)', paddingTop: 24, marginBottom: 20 }}>
+                <div style={{ fontSize: 14, fontWeight: 600, color: 'var(--text)', marginBottom: 16 }}>各站点角色</div>
+                <div style={s.grid2}>
+                  <div style={s.field}>
+                    <label style={s.label}>资产管理</label>
+                    <select value={assetsRole} onChange={e => setAssetsRole(e.target.value)} style={s.select}>
+                      {assetsRoles.map(r => <option key={r.name} value={r.name}>{r.display_name}（{r.name}）</option>)}
+                    </select>
+                  </div>
+                  <div style={s.field}>
+                    <label style={s.label}>工单跟踪</label>
+                    <select value={issueRole} onChange={e => setIssueRole(e.target.value)} style={s.select}>
+                      {issueRoles.map(r => <option key={r.name} value={r.name}>{r.display_name}（{r.name}）</option>)}
+                    </select>
+                  </div>
+                </div>
+              </div>
+              <button type="submit" disabled={loading} style={{ ...s.btn, background: loading ? '#93c5fd' : '#2563eb', cursor: loading ? 'not-allowed' : 'pointer' }}>
+                {loading ? '创建中...' : '创建用户'}
+              </button>
+            </form>
+          )}
 
-            {/* ====== 创建用户 ====== */}
-            {tab === 'create' && (
-              <form onSubmit={handleCreate}>
-                <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14, marginBottom: 18 }}>
-                  <div>
-                    <div style={{ fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 }}>用户名</div>
-                    <input type="text" value={username} onChange={e => setUsername(e.target.value)} placeholder="英文用户名" required style={inputStyle} />
-                  </div>
-                  <div>
-                    <div style={{ fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 }}>显示名</div>
-                    <input type="text" value={displayName} onChange={e => setDisplayName(e.target.value)} placeholder="可选" style={inputStyle} />
-                  </div>
-                </div>
-                <div style={{ marginBottom: 18 }}>
-                  <div style={{ fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 }}>邮箱地址 <span style={{ fontSize: 11, color: 'var(--text-muted)', fontWeight: 400 }}>（选填，填写后将密码发送至此邮箱）</span></div>
-                  <input type="email" value={email} onChange={e => setEmail(e.target.value)} placeholder="user@example.com" style={inputStyle} />
-                </div>
-                <div style={{ borderTop: '1px solid var(--border)', paddingTop: 16, marginBottom: 18 }}>
-                  <div style={{ fontSize: 14, fontWeight: 600, color: 'var(--text)', marginBottom: 12 }}>各站点角色</div>
-                  <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14 }}>
-                    <div>
-                      <div style={{ fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 }}>资产管理</div>
-                      <select value={assetsRole} onChange={e => setAssetsRole(e.target.value)} style={{ ...inputStyle, cursor: 'pointer', appearance: 'auto' as any }}>
-                        {assetsRoles.map(r => <option key={r.name} value={r.name}>{r.display_name}（{r.name}）</option>)}
-                      </select>
-                    </div>
-                    <div>
-                      <div style={{ fontSize: 13, fontWeight: 500, color: 'var(--text-secondary)', marginBottom: 6 }}>工单跟踪</div>
-                      <select value={issueRole} onChange={e => setIssueRole(e.target.value)} style={{ ...inputStyle, cursor: 'pointer', appearance: 'auto' as any }}>
-                        {issueRoles.map(r => <option key={r.name} value={r.name}>{r.display_name}（{r.name}）</option>)}
-                      </select>
-                    </div>
-                  </div>
-                </div>
-                <button type="submit" disabled={loading} style={{
-                  width: '100%', height: 44, background: loading ? '#60a5fa' : '#2563eb', color: '#fff',
-                  border: 'none', borderRadius: 8, fontSize: 15, fontWeight: 500, cursor: loading ? 'not-allowed' : 'pointer',
-                }}>{loading ? '创建中...' : '创建用户'}</button>
-                <p style={{ fontSize: 12, color: 'var(--text-muted)', marginTop: 12, textAlign: 'center' }}>密码自动生成，创建成功后弹窗显示</p>
-              </form>
-            )}
-
-            {/* ====== 用户管理 ====== */}
-            {tab === 'manage' && (
-              <div>
-                <p style={{ fontSize: 12, color: 'var(--text-muted)', marginBottom: 16 }}>LLDAP 不支持禁用用户，如需停用请删除。已登录用户在删除后下次操作自动退出。</p>
-                {users.length === 0 ? (
-                  <p style={{ fontSize: 13, color: 'var(--text-muted)', textAlign: 'center', padding: 20 }}>加载中...</p>
-                ) : (
-                  <div style={{ display: 'flex', flexDirection: 'column' }}>
+          {/* ====== 删除用户 ====== */}
+          {tab === 'manage' && (
+            <div>
+              {users.length === 0 ? (
+                <p style={{ fontSize: 13, color: 'var(--text-muted)', textAlign: 'center', padding: 40 }}>加载中...</p>
+              ) : (
+                <table style={s.table}>
+                  <thead>
+                    <tr>
+                      <th style={s.th}>用户名</th>
+                      <th style={s.th}>显示名</th>
+                      <th style={s.th}>邮箱</th>
+                      <th style={s.th}>创建时间</th>
+                      <th style={{ ...s.th, textAlign: 'right' as any }}>操作</th>
+                    </tr>
+                  </thead>
+                  <tbody>
                     {users.map(u => (
-                      <div key={u.username} style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', padding: '12px 0', borderBottom: '1px solid var(--border)' }}>
-                        <div>
-                          <span style={{ fontSize: 14, fontWeight: 500, color: 'var(--text)' }}>{u.username}</span>
-                          {u.displayName !== u.username && <span style={{ fontSize: 12, color: 'var(--text-secondary)', marginLeft: 8 }}>{u.displayName}</span>}
-                        </div>
-                        <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
-                          <span style={{ fontSize: 11, color: 'var(--text-muted)' }}>{u.createdAt?.substring(0, 10)}</span>
+                      <tr key={u.username} style={{ transition: 'background 0.15s' }}
+                        onMouseEnter={e => (e.currentTarget.style.background = 'var(--bg-hover)')}
+                        onMouseLeave={e => (e.currentTarget.style.background = 'transparent')}>
+                        <td style={{ ...s.td, fontWeight: 500 }}>{u.username}</td>
+                        <td style={{ ...s.td, color: (u.displayName === u.username || !u.displayName) ? 'var(--text-muted)' : 'var(--text)' }}>
+                          {(u.displayName && u.displayName !== u.username) ? u.displayName : '—'}
+                        </td>
+                        <td style={{ ...s.td, color: u.email ? 'var(--text-secondary)' : 'var(--text-muted)', fontSize: 12 }}>
+                          {u.email || '未设置'}
+                        </td>
+                        <td style={{ ...s.td, color: 'var(--text-muted)', fontSize: 12 }}>{u.createdAt?.substring(0, 19)}</td>
+                        <td style={{ ...s.td, textAlign: 'right' as any }}>
                           {(u.username === 'admin' || u.username === 'localadmin') ? (
-                            <span style={{ fontSize: 11, color: 'var(--text-muted)', padding: '2px 10px', background: 'var(--bg-hover)', borderRadius: 10 }}>系统保留</span>
+                            <span style={{ ...s.badge, background: 'var(--bg-hover)', color: 'var(--text-muted)' }}>系统保留</span>
                           ) : (
                             <button onClick={() => handleDelete(u.username)} disabled={deleting === u.username} style={{
-                              padding: '4px 14px', borderRadius: 6, border: 'none', cursor: 'pointer',
+                              padding: '6px 18px', borderRadius: 6, border: 'none', cursor: 'pointer',
                               background: deleting === u.username ? '#fecaca' : '#fef2f2',
                               color: deleting === u.username ? '#fca5a5' : '#dc2626',
-                              fontSize: 12, fontWeight: 500,
+                              fontSize: 12, fontWeight: 500, transition: 'all 0.15s',
                             }}>{deleting === u.username ? '...' : '删除'}</button>
                           )}
-                        </div>
-                      </div>
+                        </td>
+                      </tr>
                     ))}
-                  </div>
-                )}
-              </div>
-            )}
+                  </tbody>
+                </table>
+              )}
+            </div>
+          )}
 
-            {/* ====== 角色管理 ====== */}
-            {tab === 'roles' && (
-              <RoleManager
-                inputStyle={inputStyle}
-                setResult={setResult}
-              />
-            )}
-
-          </div>
+          {/* ====== 权限管理 ====== */}
+          {tab === 'roles' && <RoleManager setResult={showResult} />}
         </div>
       </div>
     </div>
diff --git a/src/app/admin/create-user/role-manager.tsx b/src/app/admin/create-user/role-manager.tsx
index 1dd2e18..8d15763 100644
--- a/src/app/admin/create-user/role-manager.tsx
+++ b/src/app/admin/create-user/role-manager.tsx
@@ -6,161 +6,147 @@ interface SiteUser { username: string; display_name: string; role: string }
 interface RoleData {
   assetsUsers: SiteUser[]; issueUsers: SiteUser[]
   assetsRoles: string[]; issueRoles: string[]
+  emails: Record<string, string>
 }
 
-interface Props {
-  inputStyle: React.CSSProperties
-  setResult: (r: { ok: boolean; msg: string } | null) => void
+interface Props { setResult: (ok: boolean, msg: string) => void }
+
+const ss = {
+  bar: { display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: 20 } as React.CSSProperties,
+  hint: { fontSize: 13, color: 'var(--text-muted)', margin: 0 } as React.CSSProperties,
+  saveBtn: (active: boolean) => ({ padding: '10px 24px', borderRadius: 8, border: 'none', cursor: active ? 'pointer' : 'not-allowed', background: active ? '#d97706' : 'var(--bg-hover)', color: active ? '#fff' : 'var(--text-muted)', fontSize: 13, fontWeight: 600, transition: 'all 0.2s' } as React.CSSProperties),
+  table: { width: '100%', borderCollapse: 'collapse' as any } as React.CSSProperties,
+  th: { textAlign: 'left' as any, fontSize: 11, fontWeight: 600, color: 'var(--text-muted)', padding: '10px 12px', borderBottom: '2px solid var(--border)', textTransform: 'uppercase' as any, letterSpacing: '0.05em' } as React.CSSProperties,
+  td: { padding: '12px 12px', borderBottom: '1px solid var(--border)', fontSize: 13, color: 'var(--text)' } as React.CSSProperties,
+  roleSelect: (changed: boolean) => ({ height: 34, padding: '0 10px', borderRadius: 6, fontSize: 12, cursor: 'pointer', border: changed ? '1px solid #d97706' : '1px solid var(--border)', background: changed ? 'rgba(217,119,6,0.06)' : 'var(--bg-card)', color: 'var(--text)', outline: 'none', minWidth: 110 } as React.CSSProperties),
+  emailInput: { height: 30, padding: '0 8px', borderRadius: 5, border: '1px solid var(--border)', background: 'var(--bg-card)', color: 'var(--text)', fontSize: 12, width: 160, outline: 'none' } as React.CSSProperties,
+  miniBtn: (primary: boolean) => ({ padding: '4px 12px', borderRadius: 5, border: primary ? 'none' : '1px solid var(--border)', background: primary ? '#2563eb' : 'var(--bg-card)', color: primary ? '#fff' : 'var(--text-secondary)', fontSize: 11, cursor: 'pointer', fontWeight: 500 } as React.CSSProperties),
 }
 
-export default function RoleManager({ inputStyle, setResult }: Props) {
+export default function RoleManager({ setResult }: Props) {
   const [roleData, setRoleData] = useState<RoleData | null>(null)
   const [pending, setPending] = useState<Record<string, { site: string; newRole: string }>>({})
   const [saving, setSaving] = useState(false)
+  const [editingEmail, setEditingEmail] = useState<string | null>(null)
+  const [editEmailValue, setEditEmailValue] = useState('')
+  const [savingEmail, setSavingEmail] = useState(false)
 
   const fetchRoleData = useCallback(async () => {
     try {
-      const res = await fetch('/api/admin/user-roles')
-      const d = await res.json()
-      if (d.users) setRoleData({
-        assetsUsers: d.users.assets || [],
-        issueUsers: d.users.issue || [],
-        assetsRoles: d.assetsRoles || [],
-        issueRoles: d.issueRoles || [],
-      })
+      const res = await fetch('/api/admin/user-roles'); const d = await res.json()
+      if (d.users) setRoleData({ assetsUsers: d.users.assets || [], issueUsers: d.users.issue || [], assetsRoles: d.assetsRoles || [], issueRoles: d.issueRoles || [], emails: d.emails || {} })
     } catch {}
   }, [])
 
   useEffect(() => { fetchRoleData() }, [fetchRoleData])
 
+  async function handleEditEmail(target: string) {
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(editEmailValue)) { setResult(false, '邮箱格式不合法'); return }
+    setSavingEmail(true)
+    try {
+      const res = await fetch('/api/admin/users', { method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ username: target, email: editEmailValue }) })
+      const d = await res.json()
+      if (res.ok) {
+        setRoleData(prev => prev ? { ...prev, emails: { ...prev.emails, [target]: d.email } } : null)
+        setEditingEmail(null); setResult(true, `${target} 邮箱已更新`)
+      } else { setResult(false, d.error || '修改失败') }
+    } catch { setResult(false, '网络错误') }
+    finally { setSavingEmail(false) }
+  }
+
   function handleSelect(site: string, username: string, newRole: string, originalRole: string) {
-    if (newRole === originalRole) {
-      // 改回原值，清除 pending
-      const next = { ...pending }
-      delete next[`${site}:${username}`]
-      setPending(next)
-    } else {
-      setPending({ ...pending, [`${site}:${username}`]: { site, newRole } })
-    }
+    if (newRole === originalRole) { const next = { ...pending }; delete next[`${site}:${username}`]; setPending(next) }
+    else { setPending({ ...pending, [`${site}:${username}`]: { site, newRole } }) }
   }
 
   function getCurrentRole(site: string, username: string, originalRole: string): string {
-    const key = `${site}:${username}`
-    return pending[key]?.newRole || originalRole
+    return pending[`${site}:${username}`]?.newRole || originalRole
   }
 
   async function handleSave() {
     if (Object.keys(pending).length === 0) return
     if (!confirm(`确定保存 ${Object.keys(pending).length} 项角色修改？`)) return
-
-    setSaving(true)
-    let ok = 0; let fail = 0
+    setSaving(true); let ok = 0; let fail = 0
     for (const [key, { site, newRole }] of Object.entries(pending)) {
       const username = key.split(':')[1]
       try {
-        const res = await fetch('/api/admin/user-roles', {
-          method: 'PUT', headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ username, site, role: newRole }),
-        })
+        const res = await fetch('/api/admin/user-roles', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ username, site, role: newRole }) })
         if (res.ok) ok++; else fail++
       } catch { fail++ }
     }
-
-    setResult({ ok: fail === 0, msg: `已保存：${ok} 项成功${fail > 0 ? `，${fail} 项失败` : ''}` })
-    setPending({})
-    if (fail === 0) fetchRoleData()
-    setSaving(false)
+    setResult(fail === 0, `已保存：${ok} 项成功${fail > 0 ? `，${fail} 项失败` : ''}`)
+    setPending({}); if (fail === 0) fetchRoleData(); setSaving(false)
   }
 
-  if (!roleData) return <p style={{ fontSize: 13, color: 'var(--text-muted)', textAlign: 'center', padding: 20 }}>加载中...</p>
+  if (!roleData) return <p style={{ fontSize: 13, color: 'var(--text-muted)', textAlign: 'center', padding: 40 }}>加载中...</p>
 
-  // 合并两个站点用户
-  const userMap = new Map<string, { displayName: string; assetsRole: string; issueRole: string }>()
-  roleData.assetsUsers.forEach(u => userMap.set(u.username, { displayName: u.display_name, assetsRole: u.role, issueRole: '—' }))
-  roleData.issueUsers.forEach(u => {
-    const e = userMap.get(u.username)
-    if (e) e.issueRole = u.role
-    else userMap.set(u.username, { displayName: u.display_name, assetsRole: '—', issueRole: u.role })
-  })
+  const userMap = new Map<string, { displayName: string; email: string; assetsRole: string; issueRole: string }>()
+  roleData.assetsUsers.forEach(u => userMap.set(u.username, { displayName: u.display_name, email: roleData.emails[u.username] || '', assetsRole: u.role, issueRole: '—' }))
+  roleData.issueUsers.forEach(u => { const e = userMap.get(u.username); if (e) e.issueRole = u.role; else userMap.set(u.username, { displayName: u.display_name, email: roleData.emails[u.username] || '', assetsRole: '—', issueRole: u.role }) })
   const users = Array.from(userMap.entries())
   const changed = Object.keys(pending).length
 
   return (
     <div>
-      <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: 16 }}>
-        <p style={{ fontSize: 12, color: 'var(--text-muted)', margin: 0 }}>
-          修改角色后点击「保存修改」统一提交
-          {changed > 0 && <span style={{ color: '#d97706', fontWeight: 600, marginLeft: 8 }}>（{changed} 项待保存）</span>}
-        </p>
-        <button
-          onClick={handleSave}
-          disabled={changed === 0 || saving}
-          style={{
-            padding: '8px 20px', borderRadius: 8, border: 'none', cursor: changed > 0 ? 'pointer' : 'not-allowed',
-            background: changed > 0 ? '#d97706' : 'var(--bg-hover)',
-            color: changed > 0 ? '#fff' : 'var(--text-muted)',
-            fontSize: 13, fontWeight: 500, transition: 'all 0.2s',
-          }}
-        >
+      <div style={ss.bar}>
+        <p style={ss.hint}>修改角色后点击「保存修改」统一提交{changed > 0 && <span style={{ color: '#d97706', fontWeight: 700, marginLeft: 10 }}>（{changed} 项待保存）</span>}</p>
+        <button onClick={handleSave} disabled={changed === 0 || saving} style={ss.saveBtn(changed > 0)}>
           {saving ? '保存中...' : `保存修改${changed > 0 ? ` (${changed})` : ''}`}
         </button>
       </div>
 
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr 1fr 1fr', gap: 12, padding: '0 0 10px', borderBottom: '2px solid var(--border)', fontSize: 12, fontWeight: 600, color: 'var(--text-muted)' }}>
-        <div>用户名</div><div>显示名</div><div>资产管理</div><div>工单跟踪</div>
-      </div>
-
-      {users.map(([uname, info]) => (
-        <div key={uname} style={{ display: 'grid', gridTemplateColumns: '1fr 1fr 1fr 1fr', gap: 12, alignItems: 'center', padding: '12px 0', borderBottom: '1px solid var(--border)' }}>
-          <div style={{ fontSize: 14, fontWeight: 500, color: 'var(--text)' }}>{uname}</div>
-          <div style={{ fontSize: 13, color: 'var(--text-secondary)' }}>{info.displayName}</div>
-          {/* 资产管理 */}
-          <RoleCell
-            site="assets" username={uname} originalRole={info.assetsRole}
-            roles={roleData.assetsRoles} pending={pending}
-            inputStyle={inputStyle} onSelect={handleSelect} getCurrentRole={getCurrentRole}
-          />
-          {/* 工单跟踪 */}
-          <RoleCell
-            site="issue" username={uname} originalRole={info.issueRole}
-            roles={roleData.issueRoles} pending={pending}
-            inputStyle={inputStyle} onSelect={handleSelect} getCurrentRole={getCurrentRole}
-          />
-        </div>
-      ))}
+      <table style={ss.table}>
+        <thead>
+          <tr>
+            <th style={ss.th}>用户名</th><th style={ss.th}>显示名</th><th style={ss.th}>邮箱</th><th style={ss.th}>资产管理</th><th style={ss.th}>工单跟踪</th>
+          </tr>
+        </thead>
+        <tbody>
+          {users.map(([uname, info]) => (
+            <tr key={uname} style={{ transition: 'background 0.15s' }}
+              onMouseEnter={e => (e.currentTarget.style.background = 'var(--bg-hover)')}
+              onMouseLeave={e => (e.currentTarget.style.background = 'transparent')}>
+              <td style={{ ...ss.td, fontWeight: 500 }}>{uname}</td>
+              <td style={{ ...ss.td, color: info.displayName === uname ? 'var(--text-muted)' : 'var(--text)' }}>{info.displayName}</td>
+              <td style={ss.td}>
+                {editingEmail === uname ? (
+                  <span style={{ display: 'flex', alignItems: 'center', gap: 6 }}>
+                    <input type="email" value={editEmailValue} onChange={e => setEditEmailValue(e.target.value)} placeholder="user@example.com" style={ss.emailInput} />
+                    <button onClick={() => handleEditEmail(uname)} disabled={savingEmail} style={ss.miniBtn(true)}>{savingEmail ? '..' : '保存'}</button>
+                    <button onClick={() => setEditingEmail(null)} style={ss.miniBtn(false)}>取消</button>
+                  </span>
+                ) : (
+                  <span style={{ fontSize: 12, color: info.email ? 'var(--text-secondary)' : 'var(--text-muted)' }}>
+                    {info.email || '未设置'}
+                    {(uname !== 'admin' && uname !== 'localadmin') && (
+                      <button onClick={() => { setEditingEmail(uname); setEditEmailValue(info.email || '') }} style={{ background: 'none', border: 'none', color: '#2563eb', fontSize: 11, cursor: 'pointer', padding: '0 0 0 6px' }}>编辑</button>
+                    )}
+                  </span>
+                )}
+              </td>
+              <td style={ss.td}><RoleCell site="assets" username={uname} originalRole={info.assetsRole} roles={roleData.assetsRoles} pending={pending} onSelect={handleSelect} getCurrentRole={getCurrentRole} /></td>
+              <td style={ss.td}><RoleCell site="issue" username={uname} originalRole={info.issueRole} roles={roleData.issueRoles} pending={pending} onSelect={handleSelect} getCurrentRole={getCurrentRole} /></td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
     </div>
   )
 }
 
-function RoleCell({ site, username, originalRole, roles, pending, inputStyle, onSelect, getCurrentRole }: {
+function RoleCell({ site, username, originalRole, roles, pending, onSelect, getCurrentRole }: {
   site: string; username: string; originalRole: string; roles: string[]
   pending: Record<string, { site: string; newRole: string }>
-  inputStyle: React.CSSProperties
   onSelect: (site: string, username: string, newRole: string, originalRole: string) => void
   getCurrentRole: (site: string, username: string, originalRole: string) => string
 }) {
   const isReserved = username === 'admin' || username === 'localadmin'
-  const key = `${site}:${username}`
-  const changed = !!pending[key]
+  const changed = !!pending[`${site}:${username}`]
   const currentRole = getCurrentRole(site, username, originalRole)
-
-  if (isReserved) {
-    return <span style={{ fontSize: 12, color: 'var(--text-muted)' }}>{currentRole}</span>
-  }
-  if (originalRole === '—' && !changed) {
-    return <span style={{ fontSize: 11, color: 'var(--text-muted)' }}>未同步</span>
-  }
+  if (isReserved) return <span style={{ fontSize: 12, color: 'var(--text-muted)' }}>{currentRole}</span>
+  if (originalRole === '—' && !changed) return <span style={{ fontSize: 11, color: 'var(--text-muted)' }}>未同步</span>
   return (
-    <select
-      value={currentRole}
-      onChange={e => onSelect(site, username, e.target.value, originalRole)}
-      style={{
-        ...inputStyle, height: 34, fontSize: 12, cursor: 'pointer', appearance: 'auto' as any,
-        width: 'auto', minWidth: 110,
-        border: changed ? '1px solid #d97706' : '1px solid var(--border)',
-        background: changed ? 'rgba(217,119,6,0.06)' : 'var(--bg-card)',
-      }}
-    >
+    <select value={currentRole} onChange={e => onSelect(site, username, e.target.value, originalRole)} style={ss.roleSelect(changed)}>
       {roles.map(r => <option key={r} value={r}>{r}</option>)}
     </select>
   )
diff --git a/src/app/api/admin/create-user/route.ts b/src/app/api/admin/create-user/route.ts
index adeee67..76ad81f 100644
--- a/src/app/api/admin/create-user/route.ts
+++ b/src/app/api/admin/create-user/route.ts
@@ -4,7 +4,8 @@ import { exec } from 'child_process'
 import { promisify } from 'util'
 import { verifySharedJwt } from '@/lib/jwt'
 import { isLldapAdmin } from '@/lib/ldap'
-import { sendCredentialsEmail } from '@/lib/email'
+import { sendSetupLinkEmail } from '@/lib/email'
+import { signSetupToken } from '@/lib/setup-token'
 
 const execAsync = promisify(exec)
 
@@ -84,8 +85,9 @@ export async function POST(request: Request) {
 
     const safeName = (displayName || username).replace(/'/g, "'\\''")
     const safeUser = username.replace(/'/g, "'\\''")
-    const lldapEmail = `${username}@tlyq.ai`
-    const now = new Date().toISOString().replace('T', ' ').substring(0, 19)
+    const lldapEmail = email || ''
+    const d = new Date()
+    const now = `${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')} ${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')}:${String(d.getSeconds()).padStart(2,'0')}`
     const userUuid = crypto.randomUUID()
 
     // 1. LLDAP SQLite 插入用户
@@ -119,11 +121,13 @@ export async function POST(request: Request) {
       try { await execAsync(setRoleSQL(issueDb, username, ir), { timeout: 3000 }); roleResults.issue = true } catch {}
     }
 
-    // 5. 如果提供了邮箱，发送凭证邮件
+    // 5. 如果提供了邮箱，发送密码设置链接（不再在邮件中发送明文密码）
     let emailSent = false
     if (email && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
       try {
-        await sendCredentialsEmail(email, username, password, displayName || username)
+        const setupToken = signSetupToken(username)
+        const setupUrl = `https://oa.tlyq.ai/setup-password?token=${setupToken}`
+        await sendSetupLinkEmail(email, username, setupUrl, displayName || username)
         emailSent = true
       } catch (e) {
         console.error('发送邮件失败:', e)
@@ -137,7 +141,7 @@ export async function POST(request: Request) {
       roles: { assets: ar, issue: ir, applied: roleResults },
       emailSent,
       message: emailSent
-        ? `用户已创建，密码已发送至 ${email}`
+        ? `用户已创建，密码设置链接已发送至 ${email}`
         : '用户已创建并同步至所有站点',
     })
   } catch (e) {
diff --git a/src/app/api/admin/user-roles/route.ts b/src/app/api/admin/user-roles/route.ts
index 4b4673f..3b14859 100644
--- a/src/app/api/admin/user-roles/route.ts
+++ b/src/app/api/admin/user-roles/route.ts
@@ -54,10 +54,24 @@ export async function GET() {
       getSiteUsers(process.env.ISSUE_DB_PATH || '/Users/niuniu/programs/docker/issue-ai/data/issue.db', issueRoles),
     ])
 
+    // 从 LLDAP 获取所有用户邮箱
+    let emails: Record<string, string> = {}
+    try {
+      const { stdout } = await execAsync(
+        `docker exec lldap /bin/sh -c "echo 'SELECT user_id, email FROM users;' | sqlite3 /data/users.db"`,
+        { timeout: 3000 }
+      )
+      stdout.trim().split('\n').filter(Boolean).forEach(line => {
+        const [uid, e] = line.split('|')
+        emails[uid] = e || ''
+      })
+    } catch {}
+
     return NextResponse.json({
       assetsRoles,
       issueRoles,
       users: { assets: assetsUsers, issue: issueUsers },
+      emails,
     })
   } catch (e) {
     return NextResponse.json({ error: '查询失败' }, { status: 500 })
@@ -81,7 +95,7 @@ export async function PUT(request: Request) {
     const roles = await fetchRoles(`http://localhost:${site === 'assets' ? 6177 : 6176}`)
     if (!roles.includes(role)) return NextResponse.json({ error: '无效的角色' }, { status: 400 })
 
-    await execAsync(`sqlite3 "${dbPath}" "UPDATE users SET role='${role}', updated_at=datetime('now') WHERE username='${username}';"`, { timeout: 3000 })
+    await execAsync(`sqlite3 "${dbPath}" "UPDATE users SET role='${role}', updated_at=datetime('now', '+8 hours') WHERE username='${username}';"`, { timeout: 3000 })
 
     return NextResponse.json({ success: true })
   } catch (e) {
diff --git a/src/app/api/admin/users/route.ts b/src/app/api/admin/users/route.ts
index 5f90b7e..14a2f97 100644
--- a/src/app/api/admin/users/route.ts
+++ b/src/app/api/admin/users/route.ts
@@ -75,3 +75,32 @@ export async function DELETE(request: Request) {
     return NextResponse.json({ error: '删除失败' }, { status: 500 })
   }
 }
+
+// PATCH — 修改用户邮箱（admin 权限）
+export async function PATCH(request: Request) {
+  const isAdmin = await checkAdmin()()
+  if (!isAdmin) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+
+  try {
+    const { username, email } = await request.json()
+    if (!username) return NextResponse.json({ error: '用户名不能为空' }, { status: 400 })
+    if (email !== '' && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+      return NextResponse.json({ error: '邮箱格式不合法' }, { status: 400 })
+    }
+
+    const safeUser = username.replace(/'/g, "''")
+    const safeEmail = (email || '').replace(/'/g, "''")
+    const d = new Date()
+    const now = `${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')} ${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')}:${String(d.getSeconds()).padStart(2,'0')}`
+
+    const updateSQL = `UPDATE users SET email = '${safeEmail}', lowercase_email = LOWER('${safeEmail}'), modified_date = '${now}' WHERE user_id = '${safeUser}';`
+    await execAsync(
+      `docker exec lldap /bin/sh -c "cat > /tmp/uea.sql <<'EOSQL'\n${updateSQL}\nEOSQL\nsqlite3 /data/users.db < /tmp/uea.sql"`,
+      { timeout: 5000 }
+    )
+
+    return NextResponse.json({ success: true, username, email: email || '' })
+  } catch (e) {
+    return NextResponse.json({ error: '修改失败' }, { status: 500 })
+  }
+}
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
index 5937f7b..a7943df 100644
--- a/src/app/api/auth/me/route.ts
+++ b/src/app/api/auth/me/route.ts
@@ -1,8 +1,23 @@
 import { NextResponse } from 'next/server'
 import { cookies } from 'next/headers'
+import { exec } from 'child_process'
+import { promisify } from 'util'
 import { verifySharedJwt } from '@/lib/jwt'
 import { isLldapAdmin } from '@/lib/ldap'
 
+const execAsync = promisify(exec)
+
+async function getLldapEmail(username: string): Promise<string> {
+  try {
+    const safeUser = username.replace(/'/g, "''")
+    const { stdout } = await execAsync(
+      `docker exec lldap /bin/sh -c "echo 'SELECT email FROM users WHERE user_id='\\''${safeUser}'\\'';' | sqlite3 /data/users.db"`,
+      { timeout: 3000 }
+    )
+    return stdout.trim() || ''
+  } catch { return '' }
+}
+
 export async function GET() {
   try {
     const cookieStore = await cookies()
@@ -12,12 +27,47 @@ export async function GET() {
     const payload = verifySharedJwt(token)
     if (!payload) return NextResponse.json({ error: '会话已过期' }, { status: 401 })
 
-    const admin = await isLldapAdmin(payload.username)
+    const [admin, email] = await Promise.all([
+      isLldapAdmin(payload.username),
+      getLldapEmail(payload.username),
+    ])
 
     return NextResponse.json({
-      user: { username: payload.username, displayName: payload.displayName, isAdmin: admin },
+      user: { username: payload.username, displayName: payload.displayName, email, isAdmin: admin },
     })
   } catch {
     return NextResponse.json({ error: '获取用户信息失败' }, { status: 500 })
   }
 }
+
+export async function PUT(request: Request) {
+  try {
+    const cookieStore = await cookies()
+    const token = cookieStore.get('tlyq_session')?.value
+    if (!token) return NextResponse.json({ error: '未登录' }, { status: 401 })
+
+    const payload = verifySharedJwt(token)
+    if (!payload) return NextResponse.json({ error: '会话已过期' }, { status: 401 })
+
+    const { email } = await request.json()
+    if (email !== '' && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+      return NextResponse.json({ error: '邮箱格式不合法' }, { status: 400 })
+    }
+
+    const safeUser = payload.username.replace(/'/g, "''")
+    const safeEmail = (email || '').replace(/'/g, "''")
+    const d = new Date()
+    const now = `${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')} ${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')}:${String(d.getSeconds()).padStart(2,'0')}`
+
+    const updateSQL = `UPDATE users SET email = '${safeEmail}', lowercase_email = LOWER('${safeEmail}'), modified_date = '${now}' WHERE user_id = '${safeUser}';`
+    await execAsync(
+      `docker exec lldap /bin/sh -c "cat > /tmp/ue.sql <<'EOSQL'\n${updateSQL}\nEOSQL\nsqlite3 /data/users.db < /tmp/ue.sql"`,
+      { timeout: 5000 }
+    )
+
+    return NextResponse.json({ success: true, email: email || '' })
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : '修改失败'
+    return NextResponse.json({ error: msg }, { status: 500 })
+  }
+}
diff --git a/src/app/api/auth/setup-password/route.ts b/src/app/api/auth/setup-password/route.ts
new file mode 100644
index 0000000..312dfe2
--- /dev/null
+++ b/src/app/api/auth/setup-password/route.ts
@@ -0,0 +1,54 @@
+import { NextResponse } from 'next/server'
+import { exec } from 'child_process'
+import { promisify } from 'util'
+import { verifySetupToken } from '@/lib/setup-token'
+
+const execAsync = promisify(exec)
+
+export async function POST(request: Request) {
+  try {
+    const { token, password } = await request.json()
+    if (!token || !password) {
+      return NextResponse.json({ error: '参数不完整' }, { status: 400 })
+    }
+
+    const payload = verifySetupToken(token)
+    if (!payload) {
+      return NextResponse.json({ error: '链接已过期或无效，请联系管理员重新创建账号' }, { status: 403 })
+    }
+
+    if (password.length < 8) {
+      return NextResponse.json({ error: '密码至少 8 位' }, { status: 400 })
+    }
+    const hasUpper = /[A-Z]/.test(password)
+    const hasLower = /[a-z]/.test(password)
+    const hasDigit = /[0-9]/.test(password)
+    const hasSpecial = /[^A-Za-z0-9]/.test(password)
+    const score = [hasUpper, hasLower, hasDigit, hasSpecial].filter(Boolean).length
+    if (score < 3) {
+      return NextResponse.json({ error: '密码需包含大写字母、小写字母、数字、特殊字符中至少 3 种' }, { status: 400 })
+    }
+
+    const { stdout: adminPassOut } = await execAsync(
+      'docker exec lldap printenv LLDAP_ADMIN_PASSWORD', { timeout: 3000 }
+    )
+    const adminPass = (adminPassOut.trim() || 'admin123').replace(/'/g, "'\\''")
+
+    const safeUser = payload.username.replace(/'/g, "'\\''")
+    const safePass = password.replace(/'/g, "'\\''")
+    const cmd = `docker exec lldap ./lldap_set_password --base-url http://localhost:17170 --admin-username admin --admin-password '${adminPass}' --username '${safeUser}' --password '${safePass}'`
+
+    const { stderr } = await execAsync(cmd, { timeout: 10000 })
+    if (stderr && !stderr.includes('Successfully')) {
+      return NextResponse.json({ error: stderr.trim() || '设置失败' }, { status: 500 })
+    }
+
+    return NextResponse.json({ success: true })
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : '设置失败'
+    if (msg.includes('command not found') || msg.includes('No such container')) {
+      return NextResponse.json({ error: '密码服务不可用' }, { status: 503 })
+    }
+    return NextResponse.json({ error: msg }, { status: 500 })
+  }
+}
diff --git a/src/app/profile/email-editor.tsx b/src/app/profile/email-editor.tsx
new file mode 100644
index 0000000..b8ebdbc
--- /dev/null
+++ b/src/app/profile/email-editor.tsx
@@ -0,0 +1,94 @@
+'use client'
+
+import { useState, useEffect } from 'react'
+
+export default function EmailEditor() {
+  const [email, setEmail] = useState('')
+  const [editing, setEditing] = useState(false)
+  const [value, setValue] = useState('')
+  const [saving, setSaving] = useState(false)
+  const [message, setMessage] = useState('')
+  const [error, setError] = useState('')
+
+  useEffect(() => {
+    fetch('/api/auth/me')
+      .then(r => r.json())
+      .then(d => { if (d.user) setEmail(d.user.email || '') })
+      .catch(() => {})
+  }, [])
+
+  async function handleSave() {
+    setMessage(''); setError('')
+    if (value && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
+      setError('邮箱格式不合法')
+      return
+    }
+    setSaving(true)
+    try {
+      const res = await fetch('/api/auth/me', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email: value }),
+      })
+      const d = await res.json()
+      if (res.ok) {
+        setEmail(d.email)
+        setMessage('邮箱已更新')
+        setEditing(false)
+      } else {
+        setError(d.error || '修改失败')
+      }
+    } catch {
+      setError('网络错误')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div>
+      <div style={{ fontSize: 12, color: 'var(--text-muted)', marginBottom: 3 }}>邮箱</div>
+
+      {!editing ? (
+        <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
+          <span style={{ fontSize: 14, fontWeight: 500, color: email ? 'var(--text)' : 'var(--text-muted)' }}>
+            {email || '未设置'}
+          </span>
+          <button onClick={() => { setValue(email); setEditing(true); setMessage(''); setError('') }} style={{
+            background: 'none', border: 'none', color: '#2563eb', fontSize: 12, cursor: 'pointer', padding: 0,
+          }}>编辑</button>
+        </div>
+      ) : (
+        <div>
+          <div style={{ display: 'flex', gap: 8, alignItems: 'center' }}>
+            <input
+              type="email"
+              value={value}
+              onChange={e => setValue(e.target.value)}
+              placeholder="user@example.com"
+              style={{
+                height: 34, padding: '0 10px', borderRadius: 6,
+                border: error ? '1px solid #dc2626' : '1px solid var(--border)',
+                background: 'var(--bg-card)', color: 'var(--text)',
+                fontSize: 13, outline: 'none', flex: 1,
+              }}
+            />
+            <button onClick={handleSave} disabled={saving} style={{
+              height: 34, padding: '0 14px', borderRadius: 6, border: 'none',
+              background: saving ? '#93c5fd' : '#2563eb', color: '#fff',
+              fontSize: 12, fontWeight: 500, cursor: saving ? 'not-allowed' : 'pointer',
+              whiteSpace: 'nowrap',
+            }}>{saving ? '...' : '保存'}</button>
+            <button onClick={() => { setEditing(false); setError('') }} style={{
+              height: 34, padding: '0 10px', borderRadius: 6,
+              border: '1px solid var(--border)', background: 'var(--bg-card)',
+              color: 'var(--text-secondary)', fontSize: 12, cursor: 'pointer',
+            }}>取消</button>
+          </div>
+          {message && <p style={{ color: '#16a34a', fontSize: 12, marginTop: 4 }}>{message}</p>}
+          {error && <p style={{ color: '#dc2626', fontSize: 12, marginTop: 4 }}>{error}</p>}
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/src/app/profile/page.tsx b/src/app/profile/page.tsx
index 0573fe7..93e4646 100644
--- a/src/app/profile/page.tsx
+++ b/src/app/profile/page.tsx
@@ -3,6 +3,7 @@ import { redirect } from 'next/navigation'
 import { verifySharedJwt } from '@/lib/jwt'
 import Header from '@/components/Header'
 import ChangePasswordForm from './change-password-form'
+import EmailEditor from './email-editor'
 
 export default async function ProfilePage() {
   const cookieStore = await cookies()
@@ -38,6 +39,9 @@ export default async function ProfilePage() {
                 <div style={{ fontSize: 14, fontWeight: 500, color: 'var(--text)' }}>{(() => { const d = new Date(session.exp * 1000); return `${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')} ${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')}:${String(d.getSeconds()).padStart(2,'0')}` })()}</div>
               </div>
             </div>
+            <div style={{ marginTop: 18, paddingTop: 18, borderTop: '1px solid var(--border)' }}>
+              <EmailEditor />
+            </div>
           </div>
           <ChangePasswordForm />
         </div>
diff --git a/src/app/setup-password/page.tsx b/src/app/setup-password/page.tsx
new file mode 100644
index 0000000..d1e70e9
--- /dev/null
+++ b/src/app/setup-password/page.tsx
@@ -0,0 +1,246 @@
+'use client'
+
+import { Suspense, useState, useMemo } from 'react'
+import { useSearchParams } from 'next/navigation'
+
+interface PasswordStrength {
+  minLength: boolean
+  hasUpper: boolean
+  hasLower: boolean
+  hasDigit: boolean
+  hasSpecial: boolean
+  score: number
+}
+
+function checkPassword(pw: string): PasswordStrength {
+  const minLength = pw.length >= 8
+  const hasUpper = /[A-Z]/.test(pw)
+  const hasLower = /[a-z]/.test(pw)
+  const hasDigit = /[0-9]/.test(pw)
+  const hasSpecial = /[^A-Za-z0-9]/.test(pw)
+  const score = [hasUpper, hasLower, hasDigit, hasSpecial].filter(Boolean).length
+  return { minLength, hasUpper, hasLower, hasDigit, hasSpecial, score }
+}
+
+const checks: { key: keyof PasswordStrength; label: string }[] = [
+  { key: 'minLength', label: '至少 8 位字符' },
+  { key: 'hasUpper', label: '包含大写字母' },
+  { key: 'hasLower', label: '包含小写字母' },
+  { key: 'hasDigit', label: '包含数字' },
+  { key: 'hasSpecial', label: '包含特殊字符' },
+]
+
+function SetupPasswordForm() {
+  const searchParams = useSearchParams()
+  const token = searchParams.get('token') || ''
+  const [password, setPassword] = useState('')
+  const [confirm, setConfirm] = useState('')
+  const [error, setError] = useState('')
+  const [success, setSuccess] = useState(false)
+  const [loading, setLoading] = useState(false)
+
+  const strength = useMemo(() => checkPassword(password), [password])
+  const isStrong = strength.minLength && strength.score >= 3
+  const passwordMismatch = confirm.length > 0 && password !== confirm
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    setError('')
+
+    if (!isStrong) {
+      setError('请先满足密码复杂度要求')
+      return
+    }
+    if (password !== confirm) {
+      setError('两次输入的密码不一致')
+      return
+    }
+
+    setLoading(true)
+    try {
+      const res = await fetch('/api/auth/setup-password', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ token, password }),
+      })
+      const data = await res.json()
+      if (!res.ok) {
+        setError(data.error || '设置失败')
+      } else {
+        setSuccess(true)
+      }
+    } catch {
+      setError('网络错误，请重试')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  if (!token) {
+    return (
+      <div style={styles.container}>
+        <div style={styles.card}>
+          <h1 style={styles.title}>链接无效</h1>
+          <p style={styles.text}>缺少设置密码所需的 token，请检查链接是否完整。</p>
+          <a href="/login" style={styles.link}>返回登录</a>
+        </div>
+      </div>
+    )
+  }
+
+  if (success) {
+    return (
+      <div style={styles.container}>
+        <div style={styles.card}>
+          <h1 style={{ ...styles.title, color: '#16a34a' }}>密码已设置</h1>
+          <p style={styles.text}>您的密码已成功设置，现在可以使用新密码登录。</p>
+          <a href="/login" style={styles.link}>前往登录</a>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div style={styles.container}>
+      <form onSubmit={handleSubmit} style={styles.card}>
+        <h1 style={styles.title}>设置登录密码</h1>
+        <p style={styles.text}>请为您的 OA 账号设置登录密码。</p>
+
+        {error && <div style={styles.error}>{error}</div>}
+
+        <label style={styles.label}>
+          新密码
+          <input
+            type="password"
+            value={password}
+            onChange={(e) => setPassword(e.target.value)}
+            style={styles.input}
+            placeholder="至少 8 位，大写/小写/数字/特殊字符 4 选 3"
+            autoFocus
+          />
+
+          {password.length > 0 && (
+            <div style={styles.complexityPanel}>
+              <p style={styles.complexityHint}>需满足至少 8 位 + 以下 3 项：</p>
+              {checks.map(c => {
+                const ok = c.key === 'minLength' ? strength.minLength : strength[c.key]
+                return (
+                  <div key={c.key} style={styles.checkItem}>
+                    <span style={{
+                      display: 'inline-flex', width: 18, height: 18, borderRadius: '50%',
+                      background: ok ? '#dcfce7' : '#f1f5f9',
+                      color: ok ? '#16a34a' : '#94a3b8',
+                      alignItems: 'center', justifyContent: 'center',
+                      fontSize: 11, fontWeight: 700, flexShrink: 0,
+                    }}>
+                      {ok ? '✓' : '—'}
+                    </span>
+                    <span style={{ color: ok ? '#16a34a' : '#64748b' }}>{c.label}</span>
+                  </div>
+                )
+              })}
+              <p style={{ fontSize: 12, marginTop: 6, color: isStrong ? '#16a34a' : '#d97706' }}>
+                {isStrong ? '密码强度符合要求' : `已满足 ${strength.score} 项（需至少 3 项）${strength.minLength ? '' : '，长度不足 8 位'}`}
+              </p>
+            </div>
+          )}
+        </label>
+
+        <label style={styles.label}>
+          确认密码
+          <input
+            type="password"
+            value={confirm}
+            onChange={(e) => setConfirm(e.target.value)}
+            style={{
+              ...styles.input,
+              borderColor: passwordMismatch ? '#dc2626' : '#cbd5e1',
+            }}
+            placeholder="再次输入新密码"
+          />
+          {passwordMismatch && (
+            <p style={{ color: '#dc2626', fontSize: 12, marginTop: 6 }}>两次输入的密码不一致</p>
+          )}
+        </label>
+
+        <button
+          type="submit"
+          disabled={loading || !isStrong || passwordMismatch}
+          style={{
+            ...styles.btn,
+            background: loading || !isStrong || passwordMismatch ? '#cbd5e1' : '#2563eb',
+            cursor: loading || !isStrong || passwordMismatch ? 'not-allowed' : 'pointer',
+          }}
+        >
+          {loading ? '设置中...' : passwordMismatch ? '请确认密码一致' : !isStrong ? '请满足密码复杂度要求' : '设置密码'}
+        </button>
+      </form>
+    </div>
+  )
+}
+
+export default function SetupPasswordPage() {
+  return (
+    <Suspense fallback={<div style={styles.loadingFallback}>加载中...</div>}>
+      <SetupPasswordForm />
+    </Suspense>
+  )
+}
+
+const styles: Record<string, React.CSSProperties> = {
+  container: {
+    display: 'flex', justifyContent: 'center', alignItems: 'center',
+    minHeight: '100vh', padding: '20px',
+    background: '#f1f5f9',
+  },
+  loadingFallback: {
+    display: 'flex', justifyContent: 'center', alignItems: 'center',
+    minHeight: '100vh', color: '#64748b', fontSize: '14px',
+  },
+  card: {
+    background: '#fff', borderRadius: '12px',
+    padding: '40px', maxWidth: '420px', width: '100%',
+    boxShadow: '0 2px 12px rgba(0,0,0,0.08)',
+  },
+  title: {
+    fontSize: '22px', fontWeight: 700, margin: '0 0 12px',
+    color: '#0f172a',
+  },
+  text: {
+    fontSize: '14px', color: '#475569', margin: '0 0 24px', lineHeight: 1.6,
+  },
+  label: {
+    display: 'block', marginBottom: '16px',
+    fontSize: '13px', fontWeight: 500, color: '#334155',
+  },
+  input: {
+    display: 'block', width: '100%', marginTop: '6px',
+    padding: '10px 14px', borderRadius: '8px',
+    border: '1px solid #cbd5e1', background: '#fff',
+    color: '#0f172a', fontSize: '14px', boxSizing: 'border-box' as any,
+    outline: 'none',
+  },
+  complexityPanel: {
+    marginTop: 10, display: 'flex', flexDirection: 'column', gap: 4,
+  },
+  complexityHint: {
+    fontSize: 12, color: '#64748b', margin: '0 0 2px',
+  },
+  checkItem: {
+    display: 'flex', alignItems: 'center', gap: 6, fontSize: 12,
+  },
+  btn: {
+    width: '100%', padding: '12px', background: '#2563eb',
+    color: '#fff', border: 'none', borderRadius: '8px',
+    fontSize: '15px', fontWeight: 600,
+    marginTop: '8px',
+  },
+  error: {
+    background: '#fef2f2', color: '#dc2626', fontSize: '13px',
+    padding: '10px 14px', borderRadius: '8px', marginBottom: '16px',
+  },
+  link: {
+    display: 'inline-block', marginTop: '16px', color: '#2563eb',
+    textDecoration: 'none', fontSize: '14px', fontWeight: 500,
+  },
+}
diff --git a/src/components/HeaderUI.tsx b/src/components/HeaderUI.tsx
index 4cc5ab3..db74203 100644
--- a/src/components/HeaderUI.tsx
+++ b/src/components/HeaderUI.tsx
@@ -12,7 +12,7 @@ export default function HeaderUI({ displayName, isAdmin, backLabel }: Props) {
       position: 'sticky', top: 0, zIndex: 50, height: 56,
       background: 'var(--bg-card)', borderBottom: '1px solid var(--border)',
     }}>
-      <div style={{ maxWidth: 1160, height: '100%', margin: '0 auto', padding: '0 28px', display: 'flex', alignItems: 'center', justifyContent: 'space-between' }}>
+      <div style={{ height: '100%', padding: '0 40px', display: 'flex', alignItems: 'center', justifyContent: 'space-between', maxWidth: 1440, margin: '0 auto' }}>
         {/* 左侧 */}
         {backLabel ? (
           <a href="/" style={{ display: 'flex', alignItems: 'center', gap: 8, textDecoration: 'none', color: 'var(--text-secondary)', fontSize: 15 }}>
diff --git a/src/lib/email.ts b/src/lib/email.ts
index 6f7a881..a71cf4d 100644
--- a/src/lib/email.ts
+++ b/src/lib/email.ts
@@ -1,19 +1,11 @@
-import nodemailer from 'nodemailer'
+import { Resend } from 'resend'
 
-const transporter = nodemailer.createTransport({
-  host: process.env.SMTP_HOST || 'smtphz.qiye.163.com',
-  port: Number(process.env.SMTP_PORT) || 465,
-  secure: true,
-  auth: {
-    user: process.env.SMTP_USER || 'gxp@qx002575.com',
-    pass: process.env.SMTP_PASS || '',
-  },
-})
+const resend = new Resend(process.env.RESEND_API_KEY)
 
-export async function sendCredentialsEmail(
+export async function sendSetupLinkEmail(
   to: string,
   username: string,
-  password: string,
+  setupUrl: string,
   displayName: string,
 ) {
   const name = displayName || username
@@ -29,18 +21,21 @@ export async function sendCredentialsEmail(
   </td></tr>
   <tr><td style="padding:32px;">
     <p style="margin:0 0 16px;font-size:14px;color:#334155;">您好，<strong>${name}</strong>：</p>
-    <p style="margin:0 0 24px;font-size:14px;color:#475569;line-height:1.7;">您的 OA 统一门户账号已创建，请使用以下信息登录：</p>
+    <p style="margin:0 0 24px;font-size:14px;color:#475569;line-height:1.7;">您的 OA 统一门户账号已创建，请点击下方按钮设置登录密码：</p>
+    <table width="100%" cellpadding="0" cellspacing="0" style="margin-bottom:24px;">
+      <tr><td align="center">
+        <a href="${setupUrl}" style="display:inline-block;padding:14px 40px;background:#2563eb;color:#fff;text-decoration:none;border-radius:8px;font-size:16px;font-weight:600;">设置登录密码</a>
+      </td></tr>
+    </table>
     <table width="100%" cellpadding="0" cellspacing="0" style="background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;">
       <tr><td style="padding:9px 16px;width:80px;font-size:13px;color:#64748b;">用户名</td><td style="padding:9px 16px;font-size:14px;font-weight:600;color:#0f172a;">${username}</td></tr>
-      <tr><td style="padding:9px 16px;font-size:13px;color:#64748b;border-top:1px solid #e2e8f0;">密&nbsp;&nbsp;码</td><td style="padding:9px 16px;font-size:14px;font-weight:700;font-family:monospace;color:#2563eb;border-top:1px solid #e2e8f0;letter-spacing:0.05em;">${password}</td></tr>
     </table>
-    <p style="margin:20px 0 0;font-size:14px;color:#475569;">登录地址：<a href="https://oa.tlyq.ai" style="color:#2563eb;text-decoration:none;">https://oa.tlyq.ai</a></p>
     <div style="margin-top:24px;padding:14px 16px;background:#fffbeb;border:1px solid #fde68a;border-radius:8px;">
       <p style="margin:0;font-size:13px;color:#92400e;line-height:1.6;"><strong>&#9888; 请注意：</strong></p>
-      <p style="margin:6px 0 0;font-size:13px;color:#92400e;line-height:1.6;">修改密码只能通过 OA 统一门户（oa.tlyq.ai），无法在子站点（assets、issue 等）中修改密码。请登录 OA 后在个人资料页修改。</p>
-      <p style="margin:6px 0 0;font-size:13px;color:#92400e;line-height:1.6;">请在首次登录后及时修改密码。</p>
+      <p style="margin:6px 0 0;font-size:13px;color:#92400e;line-height:1.6;">此链接 <strong>24 小时内有效</strong>，过期后需联系管理员重新创建账号。</p>
+      <p style="margin:6px 0 0;font-size:13px;color:#92400e;line-height:1.6;">修改密码只能通过 OA 统一门户（oa.tlyq.ai），无法在子站点（assets、issue 等）中修改密码。</p>
     </div>
-    <p style="margin:24px 0 0;font-size:12px;color:#94a3b8;">此邮件由系统自动发送，请勿回复。<br>如有疑问，请联系管理员：gxp@qx002575.com</p>
+    <p style="margin:24px 0 0;font-size:12px;color:#94a3b8;">此邮件由系统自动发送，请勿回复。<br>如有疑问，请联系管理员。</p>
   </td></tr>
 </table>
 </td></tr>
@@ -50,24 +45,20 @@ export async function sendCredentialsEmail(
 
   const text = `您好，${name}：
 
-您的 OA 统一门户账号已创建，请使用以下信息登录：
+您的 OA 统一门户账号已创建，请点击以下链接设置登录密码：
 
-  用户名：${username}
-  密  码：${password}
+${setupUrl}
 
-登录地址：https://oa.tlyq.ai
+用户名：${username}
 
 ⚠ 请注意：
+此链接 24 小时内有效，过期后需联系管理员重新创建账号。
 修改密码只能通过 OA 统一门户（oa.tlyq.ai），无法在子站点（assets、issue 等）中修改密码。
-请登录 OA 后在个人资料页修改密码。
 
-请在首次登录后及时修改密码。
+此邮件由系统自动发送，请勿回复。`
 
-此邮件由系统自动发送，请勿回复。
-如有疑问，请联系管理员：gxp@qx002575.com`
-
-  await transporter.sendMail({
-    from: process.env.SMTP_FROM || 'gxp@qx002575.com',
+  await resend.emails.send({
+    from: 'OA 统一门户 <noreply@tlyq.ai>',
     to,
     subject: '您的 OA 统一门户账号已创建',
     text,
diff --git a/src/lib/setup-token.ts b/src/lib/setup-token.ts
new file mode 100644
index 0000000..1201b68
--- /dev/null
+++ b/src/lib/setup-token.ts
@@ -0,0 +1,48 @@
+import crypto from 'crypto'
+
+const JWT_SECRET = process.env.JWT_SECRET || 'change-me-same-across-all-sites'
+
+function base64url(str: string): string {
+  return Buffer.from(str).toString('base64url')
+}
+
+export interface SetupTokenPayload {
+  username: string
+  purpose: 'password-setup'
+  iat: number
+  exp: number
+}
+
+export function signSetupToken(username: string, expiresIn: number = 24 * 60 * 60): string {
+  const header = { alg: 'HS256', typ: 'JWT' }
+  const now = Math.floor(Date.now() / 1000)
+  const body: Omit<SetupTokenPayload, 'exp'> & { exp: number } = {
+    username,
+    purpose: 'password-setup',
+    iat: now,
+    exp: now + expiresIn,
+  }
+  const segments = [base64url(JSON.stringify(header)), base64url(JSON.stringify(body))]
+  const signingInput = segments.join('.')
+  segments.push(
+    crypto.createHmac('sha256', JWT_SECRET).update(signingInput).digest('base64url')
+  )
+  return segments.join('.')
+}
+
+export function verifySetupToken(token: string): { username: string } | null {
+  try {
+    const parts = token.split('.')
+    if (parts.length !== 3) return null
+    const signingInput = parts.slice(0, 2).join('.')
+    const expectedSig = crypto.createHmac('sha256', JWT_SECRET)
+      .update(signingInput).digest('base64url')
+    if (parts[2] !== expectedSig) return null
+    const payload: SetupTokenPayload = JSON.parse(
+      Buffer.from(parts[1], 'base64url').toString()
+    )
+    if (payload.purpose !== 'password-setup') return null
+    if (payload.exp < Math.floor(Date.now() / 1000)) return null
+    return { username: payload.username }
+  } catch { return null }
+}
diff --git a/src/middleware.ts b/src/middleware.ts
index 0fe9d03..fcd7c53 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -24,8 +24,8 @@ function noCache(response: NextResponse) {
 export function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl
 
-  // 登录/退出/API 路径放行（API 路由自行验证）
-  if (pathname === '/login' || pathname.startsWith('/api/auth/') || pathname.startsWith('/api/admin/')) {
+  // 登录/设置密码/API 路径放行（API 路由自行验证）
+  if (pathname === '/login' || pathname === '/setup-password' || pathname.startsWith('/api/auth/') || pathname.startsWith('/api/admin/')) {
     return NextResponse.next()
   }
   // /admin 管理页面需要认证