graph TB
    subgraph "安全层级"
        subgraph "L1: 网络层"
            TLS[TLS/mTLS 加密]
            FP[证书指纹验证]
            CWE[CWE-319 防护<br/>禁止明文WS到非回环]
        end

        subgraph "L2: 认证层"
            DEV[设备认证<br/>Ed25519 签名]
            TOKEN[设备 Token<br/>长期访问令牌]
            OAUTH[OAuth 集成<br/>Google/Discord 等]
            PWD[密码认证<br/>本地网关备选]
        end

        subgraph "L3: 授权层"
            SCOPE[操作域 Scopes]
            PAIR[设备配对审批]
            ROLE[Owner vs User 角色]
        end

        subgraph "L4: 执行层"
            APPROVE[工具审批门<br/>危险操作拦截]
            SANDBOX[沙箱策略<br/>inherit/require/forbidden]
            AUDIT[审计日志]
            SCAN[危险工具扫描]
        end
    end

    TLS --> DEV --> SCOPE --> APPROVE
    FP --> TOKEN --> PAIR --> SANDBOX
    CWE --> OAUTH --> ROLE --> AUDIT
    PWD --> SCAN