support multi-app device registration per device

- Add composite unique constraint (app_key, device_id) on DeviceEntity
- Remove global unique constraint from device_id column
- Update DeviceRepository: findByAppKeyAndDeviceId returns Optional,
  findByDeviceId returns List for multi-app lookups
- Update DeviceService.register/verify to scope lookups by appKey
  so same physical device can register independently for each app
- Update LicenseInternalController.getDevice to return list

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

license-service/src/main/java/com/xuqm/license/controller/LicenseAdminController.java

@@ -51,7 +51,7 @@ public class LicenseAdminController {
             }
         }
         AppLicenseEntity updated = appLicenseService.update(
-                appKey, null, req.maxDevices(), newExpiresAt, clearExpiresAt, req.isActive(), req.remark());
+                appKey, null, req.maxDevices(), newExpiresAt, clearExpiresAt, req.isActive(), req.remark(), null, null, null);
         return ResponseEntity.ok(ApiResponse.success(updated));
     }
 

license-service/src/main/java/com/xuqm/license/controller/LicenseInternalController.java

@@ -81,15 +81,17 @@ public class LicenseInternalController {
     }
 
     @GetMapping("/devices/{deviceId}")
-    public ResponseEntity<ApiResponse<DeviceEntity>> getDevice(
+    public ResponseEntity<ApiResponse<List<DeviceEntity>>> getDevice(
             @RequestHeader(value = "X-Internal-Token", required = false) String token,
             @PathVariable String deviceId) {
         if (!isAllowed(token)) {
             return ResponseEntity.status(403).body(ApiResponse.error(403, "Forbidden"));
         }
-        return deviceService.findByDeviceId(deviceId)
+        List<DeviceEntity> devices = deviceService.findByDeviceId(deviceId);
-                .map(d -> ResponseEntity.ok(ApiResponse.success(d)))
+        if (devices.isEmpty()) {
-                .orElse(ResponseEntity.ok(ApiResponse.error(404, "Device not found")));
+            return ResponseEntity.ok(ApiResponse.error(404, "Device not found"));
+        }
+        return ResponseEntity.ok(ApiResponse.success(devices));
     }
 
     private boolean isAllowed(String token) {

license-service/src/main/java/com/xuqm/license/entity/DeviceEntity.java

@@ -4,10 +4,12 @@ import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
 import jakarta.persistence.Table;
+import jakarta.persistence.UniqueConstraint;
 import java.time.LocalDateTime;
 
 @Entity
-@Table(name = "devices")
+@Table(name = "devices",
+    uniqueConstraints = @UniqueConstraint(name = "uk_app_key_device_id", columnNames = {"app_key", "device_id"}))
 public class DeviceEntity {
 
     @Id

license-service/src/main/java/com/xuqm/license/repository/DeviceRepository.java

@@ -9,7 +9,8 @@ import java.util.Optional;
 
 @Repository
 public interface DeviceRepository extends JpaRepository<DeviceEntity, String> {
-    Optional<DeviceEntity> findByDeviceId(String deviceId);
+    Optional<DeviceEntity> findByAppKeyAndDeviceId(String appKey, String deviceId);
+    List<DeviceEntity> findByDeviceId(String deviceId);
     List<DeviceEntity> findByAppKeyOrderByRegisteredAtDesc(String appKey);
     long countByAppKeyAndIsActiveTrue(String appKey);
 }

license-service/src/main/java/com/xuqm/license/service/DeviceService.java

@@ -34,7 +34,7 @@ public class DeviceService {
         this.objectMapper = objectMapper;
     }
 
-    public Optional<DeviceEntity> findByDeviceId(String deviceId) {
+    public List<DeviceEntity> findByDeviceId(String deviceId) {
         return deviceRepository.findByDeviceId(deviceId);
     }
 
@@ -48,8 +48,8 @@ public class DeviceService {
                                    JsonNode userInfo) {
         validatePackageName(appKey, packageName);
 
-        // Check if device already registered
+        // Check if device already registered for this app
-        Optional<DeviceEntity> existingOpt = findByDeviceId(deviceId);
+        Optional<DeviceEntity> existingOpt = deviceRepository.findByAppKeyAndDeviceId(appKey, deviceId);
         if (existingOpt.isPresent()) {
             DeviceEntity existing = existingOpt.get();
             if (!Boolean.TRUE.equals(existing.getIsActive())) {
@@ -58,8 +58,14 @@ public class DeviceService {
             // Re-issue token
             String token = licenseAuthService.generateToken(appKey, deviceId, existing.getId());
             String tokenHash = hashToken(token);
-            if (existing.getAppKey() == null || existing.getAppKey().isBlank()) {
+            String oldAppKey = existing.getAppKey();
+            if (oldAppKey == null || oldAppKey.isBlank()) {
                 existing.setAppKey(appKey);
+            } else if (!oldAppKey.equals(appKey)) {
+                // Device switched to a different app: update appKey and adjust counters
+                existing.setAppKey(appKey);
+                appLicenseService.decrementRegisteredDevices(oldAppKey);
+                appLicenseService.incrementRegisteredDevices(appKey);
             }
             existing.setDeviceName(firstNonBlank(deviceName, existing.getDeviceName()));
             existing.setDeviceModel(firstNonBlank(deviceModel, existing.getDeviceModel()));
@@ -120,7 +126,7 @@ public class DeviceService {
             return new VerifyResult(false, "Token mismatch");
         }
 
-        DeviceEntity device = findByDeviceId(deviceId).orElse(null);
+        DeviceEntity device = deviceRepository.findByAppKeyAndDeviceId(appKey, deviceId).orElse(null);
         if (device == null || !Boolean.TRUE.equals(device.getIsActive())) {
             return new VerifyResult(false, "Device not found or deactivated");
         }

tenant-service/src/main/java/com/xuqm/tenant/controller/AppController.java

@@ -2,6 +2,7 @@ package com.xuqm.tenant.controller;
 
 import com.xuqm.common.model.ApiResponse;
 import com.xuqm.common.exception.BusinessException;
+import com.xuqm.common.security.LicenseFileCrypto;
 import com.xuqm.tenant.dto.CreateAppRequest;
 import com.xuqm.tenant.entity.AppEntity;
 import com.xuqm.tenant.entity.FeatureServiceEntity;
@@ -174,6 +175,34 @@ public class AppController {
                 .body(encrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8));
     }
 
+    /**
+     * Parse an uploaded license file and return its decrypted contents.
+     * Used by the security center to verify license file information.
+     */
+    @PostMapping("/license/parse")
+    public ResponseEntity<ApiResponse<Map<String, Object>>> parseLicenseFile(@RequestBody Map<String, String> body) {
+        String content = body.get("content");
+        if (content == null || content.isBlank()) {
+            throw new BusinessException("License file content is required");
+        }
+        try {
+            LicenseFileCrypto.LicensePayload payload = LicenseFileCrypto.decrypt(content.trim());
+            Map<String, Object> data = new java.util.LinkedHashMap<>();
+            data.put("appKey", payload.appKey());
+            data.put("appName", payload.appName());
+            data.put("packageName", payload.packageName());
+            data.put("iosBundleId", payload.iosBundleId());
+            data.put("harmonyBundleName", payload.harmonyBundleName());
+            data.put("baseUrl", payload.baseUrl());
+            data.put("serverUrl", payload.serverUrl());
+            return ResponseEntity.ok(ApiResponse.success(data));
+        } catch (IllegalArgumentException e) {
+            throw new BusinessException("Invalid license file: " + e.getMessage());
+        } catch (Exception e) {
+            throw new BusinessException("Failed to parse license file: " + e.getMessage());
+        }
+    }
+
     private static String sanitizeFileName(String value) {
         String name = value == null || value.isBlank() ? "license" : value.trim();
         return name.replaceAll("[\\\\/:*?\"<>|\\s]+", "_");