diff --git a/XMOJ.user.js b/XMOJ.user.js
index d8c8c077..b68a45a0 100644
--- a/XMOJ.user.js
+++ b/XMOJ.user.js
@@ -6,6 +6,8 @@
 // @namespace    https://github/langningchen
 // @match        *://*.xmoj.tech/*
 // @match        *://116.62.212.172/*
+// @match        *://xmoj-bbs.me/messages.html
+// @match        *://www.xmoj-bbs.me/messages.html
 // @require      https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
 // @require      https://cdnjs.cloudflare.com/ajax/libs/codemirror/6.65.7/codemirror.min.js
 // @require      https://cdnjs.cloudflare.com/ajax/libs/codemirror/6.65.7/mode/clike/clike.min.js
@@ -25,6 +27,7 @@
 // @supportURL   https://support.xmoj-bbs.me/form/8050213e-c806-4680-b414-0d1c48263677
 // @connect      api.xmoj-bbs.tech
 // @connect      api.xmoj-bbs.me
+// @connect      www.xmoj.tech
 // @connect      challenges.cloudflare.com
 // @connect      cppinsights.io
 // @connect      cdnjs.cloudflare.com
@@ -437,9 +440,7 @@ let UtilityEnabled = (Name) => {
         return localStorage.getItem("UserScript-Setting-" + Name) == "true";
     } catch (e) {
         console.error(e);
-        if (UtilityEnabled("DebugMode")) {
-            SmartAlert("XMOJ-Script internal error!\n\n" + e + "\n\n" + "If you see this message, please report it to the developer.\nDon't forget to include console logs and a way to reproduce the error!\n\nDon't want to see this message? Disable DebugMode.");
-        }
+        return false; // Cannot call UtilityEnabled recursively here
     }
 };
 let storeCredential = async (username, password) => {
@@ -858,6 +859,83 @@ GM_registerMenuCommand("重置数据", () => {
     }
 });
 
+// === Short Messages WebUI helper — runs ONLY on xmoj-bbs.me/messages.html ===
+// On that page the rest of the userscript must not execute (no xmoj.tech DOM present).
+if (/(?:^|\.)xmoj-bbs\.me$/.test(location.hostname) && location.pathname === '/messages.html') {
+    // Try to auto-fill the stored session from the user's active xmoj.tech cookie.
+    // Runs only when localStorage has no saved credentials yet.
+    (function () {
+        var hasStoredSession = !!(localStorage.getItem('xmoj-msg-username')
+            && localStorage.getItem('xmoj-msg-phpsessid'));
+        if (hasStoredSession) return;
+
+        // Check both hostname variants: www.xmoj.tech and the raw IP (116.62.212.172)
+        Promise.all([
+            GM.cookie.list({ name: 'PHPSESSID', domain: 'www.xmoj.tech' }).catch(function () { return []; }),
+            GM.cookie.list({ name: 'PHPSESSID', domain: '116.62.212.172' }).catch(function () { return []; })
+        ]).then(function (results) {
+            var cookies = (results[0] || []).concat(results[1] || []);
+            {
+                var sessionCookie = cookies.find(function (c) {
+                    return c.name === 'PHPSESSID';
+                });
+                if (!sessionCookie || !sessionCookie.value) {
+                    // Not logged in — prompt the user after the page has rendered
+                    setTimeout(function () {
+                        var uEl = document.getElementById('manual-username');
+                        var pEl = document.getElementById('manual-phpsessid');
+                        if (!(uEl && uEl.value.trim()) && !(pEl && pEl.value.trim())) {
+                            window.dispatchEvent(new CustomEvent('xmoj-show-toast', {
+                                detail: { message: '请先登录 xmoj.tech，再使用短消息 WebUI' }
+                            }));
+                        }
+                    }, 800);
+                    return;
+                }
+                var phpsessid = sessionCookie.value;
+                // Fetch xmoj.tech home page to resolve the username from #profile
+                GM_xmlhttpRequest({
+                    method: 'GET',
+                    url: 'https://www.xmoj.tech/',
+                    onload: function (resp) {
+                        var parser = new DOMParser();
+                        var doc = parser.parseFromString(resp.responseText, 'text/html');
+                        var profileEl = doc.querySelector('#profile');
+                        var username = profileEl
+                            ? profileEl.innerText.replace(/[^a-zA-Z0-9]/g, '') : '';
+                        if (username) {
+                            window.dispatchEvent(new CustomEvent('xmoj-autofill-session', {
+                                detail: { username: username, phpsessid: phpsessid }
+                            }));
+                        } else {
+                            // Got the cookie but couldn't parse username — pre-fill the field
+                            var pEl = document.getElementById('manual-phpsessid');
+                            if (pEl) pEl.value = phpsessid;
+                            window.dispatchEvent(new CustomEvent('xmoj-show-toast', {
+                                detail: { message: '已填入会话，请输入用户名完成登录' }
+                            }));
+                        }
+                    },
+                    onerror: function () {
+                        var pEl = document.getElementById('manual-phpsessid');
+                        if (pEl) pEl.value = phpsessid;
+                        window.dispatchEvent(new CustomEvent('xmoj-show-toast', {
+                            detail: { message: '已填入 PHPSESSID，请手动输入用户名' }
+                        }));
+                    }
+                });
+            }
+        }).catch(function () {
+            setTimeout(function () {
+                window.dispatchEvent(new CustomEvent('xmoj-show-toast', {
+                    detail: { message: '请先登录 xmoj.tech，再使用短消息 WebUI' }
+                }));
+            }, 800);
+        });
+    })();
+    return; // Do not execute the rest of the userscript on xmoj-bbs.me
+}
+
 //otherwise CurrentUsername might be undefined
 if (UtilityEnabled("AutoLogin") && document.querySelector("body > a:nth-child(1)") != null && document.querySelector("body > a:nth-child(1)").innerText == "请登录后继续操作") {
     localStorage.setItem("UserScript-LastPage", location.pathname + location.search);
@@ -865,9 +943,13 @@ if (UtilityEnabled("AutoLogin") && document.querySelector("body > a:nth-child(1)
 }
 
 let SearchParams = new URLSearchParams(location.search);
-let ServerURL = (UtilityEnabled("DebugMode") ? "https://ghpages.xmoj-bbs.me/" : "https://www.xmoj-bbs.me")
+let ServerURL = (UtilityEnabled("DebugMode") ? "https://ghpages.xmoj-bbs.me/" : "https://www.xmoj-bbs.me");
 if (document.querySelector("#profile") === null) {
-    location.href = "https://www.xmoj.tech/loginpage.php";
+    // Do not redirect when running on xmoj-bbs.me/messages.html (no xmoj.tech DOM).
+    if (!/(?:^|\.)xmoj-bbs\.me$/.test(location.hostname)) {
+        location.href = "https://www.xmoj.tech/loginpage.php";
+    }
+    return;
 }
 let CurrentUsername = document.querySelector("#profile").innerText;
 CurrentUsername = CurrentUsername.replaceAll(/[^a-zA-Z0-9]/g, "");
@@ -4801,7 +4883,7 @@ int main()
                                                 "Image": Reader.result
                                             }, (ResponseData) => {
                                                 if (ResponseData.Success) {
-                                                    Content.value = Before + `![](https://assets.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
+                                                    Content.value = Before + `![](https://api.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
                                                     Content.dispatchEvent(new Event("input"));
                                                 } else {
                                                     Content.value = Before + `![上传失败！` + ResponseData.Message + `]()` + After;
@@ -5057,7 +5139,7 @@ int main()
                                                     "Image": Reader.result
                                                 }, (ResponseData) => {
                                                     if (ResponseData.Success) {
-                                                        ContentElement.value = Before + `![](https://assets.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
+                                                        ContentElement.value = Before + `![](https://api.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
                                                         ContentElement.dispatchEvent(new Event("input"));
                                                     } else {
                                                         ContentElement.value = Before + `![上传失败！]()` + After;
@@ -5065,8 +5147,7 @@ int main()
                                                     }
                                                 });
                                             };
-                                        }
-                                    }
+                                        }                                    }
                                 }
                             });
                             SubmitElement.addEventListener("click", async () => {
@@ -5230,7 +5311,7 @@ int main()
                                                         "Image": Reader.result
                                                     }, (ResponseData) => {
                                                         if (ResponseData.Success) {
-                                                            ContentElement.value = Before + `![](https://assets.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
+                                                            ContentElement.value = Before + `![](https://api.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
                                                             ContentElement.dispatchEvent(new Event("input"));
                                                         } else {
                                                             ContentElement.value = Before + `![上传失败！]()` + After;
@@ -5488,7 +5569,7 @@ int main()
                                                                         "Image": Reader.result
                                                                     }, (ResponseData) => {
                                                                         if (ResponseData.Success) {
-                                                                            ContentEditor.value = Before + `![](https://assets.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
+                                                                            ContentEditor.value = Before + `![](https://api.xmoj-bbs.me/GetImage?ImageID=${ResponseData.Data.ImageID})` + After;
                                                                             ContentEditor.dispatchEvent(new Event("input"));
                                                                         } else {
                                                                             ContentEditor.value = Before + `![上传失败！]()` + After;
diff --git a/functions/api-proxy/[[path]].js b/functions/api-proxy/[[path]].js
new file mode 100644
index 00000000..ca4c64b1
--- /dev/null
+++ b/functions/api-proxy/[[path]].js
@@ -0,0 +1,91 @@
+/**
+ * Cloudflare Pages Function — CORS proxy for api.xmoj-bbs.me
+ *
+ * All fetch() calls in messages.html are directed here (same-origin, so no
+ * CORS preflight is ever blocked).  This function forwards the POST body
+ * server-side to https://api.xmoj-bbs.me/, adds CORS response headers, and
+ * streams the reply back to the client.
+ *
+ * Security:
+ *  • Only POST and OPTIONS (CORS preflight) methods are handled.
+ *  • The constructed target URL is verified to still start with API_TARGET
+ *    before the upstream request is made, preventing SSRF via absolute-URL
+ *    injection in the path parameter.
+ *  • Only a fixed allow-list of request headers is forwarded upstream.
+ */
+
+const API_TARGET = 'https://api.xmoj-bbs.me/';
+
+// Headers from the client that we forward to the upstream API.
+const FORWARD_REQUEST_HEADERS = [
+    'content-type',
+    'cache-control',
+    'xmoj-userid',
+    'xmoj-script-version',
+];
+
+const CORS_HEADERS = {
+    'Access-Control-Allow-Origin':  '*',
+    'Access-Control-Allow-Methods': 'POST, OPTIONS',
+    'Access-Control-Allow-Headers': 'Content-Type, Cache-Control, XMOJ-UserID, XMOJ-Script-Version',
+    'Access-Control-Max-Age':       '86400',
+};
+
+/** Handle CORS preflight. */
+export async function onRequestOptions() {
+    return new Response(null, { status: 204, headers: CORS_HEADERS });
+}
+
+/** Proxy POST requests to api.xmoj-bbs.me. */
+export async function onRequestPost({ request, params }) {
+    // Build the path from the catch-all route parameter.
+    const pathSegments = Array.isArray(params.path)
+        ? params.path
+        : (params.path ? [params.path] : []);
+    const path = pathSegments.join('/');
+
+    // Resolve the target URL. new URL() normalises path traversal
+    // (e.g. "../../" stays within the same origin), but an absolute-URL
+    // payload would override the base — the guard below catches that.
+    let targetUrl;
+    try {
+        targetUrl = new URL(path, API_TARGET).href;
+    } catch (_) {
+        return new Response('Bad Request', { status: 400, headers: CORS_HEADERS });
+    }
+
+    // SSRF guard: the resolved URL must still point at api.xmoj-bbs.me.
+    if (!targetUrl.startsWith(API_TARGET)) {
+        return new Response('Forbidden', { status: 403, headers: CORS_HEADERS });
+    }
+
+    // Forward only the allow-listed headers to avoid leaking cookies etc.
+    const forwardHeaders = new Headers();
+    for (const name of FORWARD_REQUEST_HEADERS) {
+        const value = request.headers.get(name);
+        if (value) forwardHeaders.set(name, value);
+    }
+
+    let upstream;
+    try {
+        upstream = await fetch(targetUrl, {
+            method:  'POST',
+            headers: forwardHeaders,
+            body:    request.body,
+        });
+    } catch (err) {
+        return new Response(
+            JSON.stringify({ Success: false, Message: 'Proxy upstream error: ' + err.message }),
+            { status: 502, headers: { 'Content-Type': 'application/json', ...CORS_HEADERS } }
+        );
+    }
+
+    const responseHeaders = new Headers(CORS_HEADERS);
+    const ct = upstream.headers.get('content-type');
+    if (ct) responseHeaders.set('Content-Type', ct);
+
+    return new Response(upstream.body, {
+        status:  upstream.status,
+        headers: responseHeaders,
+    });
+}
diff --git a/index.html b/index.html
index 268a37b2..285adc73 100644
--- a/index.html
+++ b/index.html
@@ -47,6 +47,12 @@
                     <li class="nav-item">
                         <a class="nav-link" href="#About">关于</a>
                     </li>
+                    <li class="nav-item">
+                        <a class="nav-link" href="messages.html">
+                            短消息 WebUI
+                            <span class="badge bg-warning text-dark ms-1">Alpha</span>
+                        </a>
+                    </li>
                 </ul>
             </div>
         </div>
@@ -129,7 +135,9 @@ <h2>介绍</h2>
             <ul class="list-group">
                 <li class="list-group-item"><b>比赛ACM排名与下载功能</b>：允许用户查看比赛的ACM排名，并提供下载选项，方便离线查阅。</li>
                 <li class="list-group-item"><b>讨论区</b>：我们自行搭建了一个讨论服务，你可以在里面发表你的声音。</li>
-                <li class="list-group-item"><b>短消息</b>：我们自行搭建了一个短消息服务，你可以在这里和你最好的伙伴交流。</li>
+                <li class="list-group-item"><b>短消息</b>：我们自行搭建了一个短消息服务，你可以在这里和你最好的伙伴交流。
+                    <a href="messages.html" class="ms-2">短消息 WebUI <span class="badge bg-warning text-dark">Alpha</span></a>
+                    — 无需安装脚本，支持 iOS/iPadOS 等移动设备直接访问。</li>
                 <li class="list-group-item"><b>查看更多标程</b>：展示更多的标准程序代码，帮助用户更好地理解题目要求和正确解法。</li>
                 <li class="list-group-item"><b>获取别人的测试点数据</b>：允许用户获取其他人的测试点数据，用于分析问题和优化代码。</li>
                 <li class="list-group-item"><b>自动刷新比赛列表与排名</b>：使比赛列表和排名页面自动定时刷新，获取最新信息。</li>
diff --git a/messages.html b/messages.html
new file mode 100644
index 00000000..335e75bb
--- /dev/null
+++ b/messages.html
@@ -0,0 +1,1020 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <link rel="icon" href="favicon.ico">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>XMOJ 短消息</title>
+    <link href="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.2.3/css/bootstrap.min.css" rel="stylesheet">
+    <script src="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.2.3/js/bootstrap.bundle.min.js"></script>
+    <script src="https://cdn.bootcdn.net/ajax/libs/marked/9.1.6/marked.min.js"></script>
+    <script src="https://cdn.bootcdn.net/ajax/libs/dompurify/3.0.6/purify.min.js"></script>
+    <style>
+        /* ── Reset ───────────────────────────────────────── */
+        html, body { height: 100%; }
+        body {
+            padding-top: 56px;
+            background: #f8f9fa;
+        }
+
+        /* ── Split-pane app layout ───────────────────────── */
+        #screen-app {
+            height: calc(100dvh - 56px);
+            overflow: hidden;
+        }
+        .app-layout {
+            display: flex;
+            height: 100%;
+            overflow: hidden;
+        }
+        .app-sidebar {
+            width: 300px;
+            min-width: 240px;
+            flex-shrink: 0;
+            border-right: 1px solid #dee2e6;
+            background: #fff;
+            display: flex;
+            flex-direction: column;
+            overflow: hidden;
+        }
+        .sidebar-header {
+            padding: 10px 12px;
+            border-bottom: 1px solid #dee2e6;
+            flex-shrink: 0;
+        }
+        .sidebar-list {
+            flex: 1;
+            overflow-y: auto;
+        }
+        .app-main {
+            flex: 1;
+            display: flex;
+            flex-direction: column;
+            min-width: 0;
+            overflow: hidden;
+            background: #fff;
+        }
+        .thread-header {
+            padding: 10px 16px;
+            border-bottom: 1px solid #dee2e6;
+            flex-shrink: 0;
+            background: #fff;
+            display: flex;
+            align-items: center;
+            gap: 8px;
+        }
+        #thread-messages {
+            flex: 1;
+            overflow-y: auto;
+            padding: 12px 16px;
+            display: flex;
+            flex-direction: column;
+            gap: 8px;
+        }
+        .compose-area {
+            flex-shrink: 0;
+            border-top: 1px solid #dee2e6;
+            padding: 10px 16px 12px;
+            background: #fff;
+        }
+        .thread-loading-area {
+            flex: 1;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .thread-welcome {
+            flex: 1;
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            justify-content: center;
+            color: #6c757d;
+            gap: 8px;
+            user-select: none;
+        }
+
+        /* ── Mobile ──────────────────────────────────────── */
+        @media (max-width: 767.98px) {
+            .app-layout { position: relative; }
+            .app-sidebar {
+                width: 100%;
+                position: absolute;
+                inset: 0;
+                z-index: 1;
+            }
+            .app-main {
+                width: 100%;
+                position: absolute;
+                inset: 0;
+                z-index: 2;
+                transform: translateX(100%);
+                transition: transform 0.2s ease;
+            }
+            .thread-active .app-main { transform: translateX(0); }
+        }
+
+        /* ── Message bubbles ─────────────────────────────── */
+        .msg-bubble-self {
+            background-color: #0d6efd;
+            color: #fff;
+            border-radius: 18px 18px 4px;
+            padding: 8px 14px;
+            max-width: 75%;
+            word-break: break-word;
+        }
+        .msg-bubble-other {
+            background-color: #e9ecef;
+            color: #212529;
+            border-radius: 18px 18px 18px 4px;
+            padding: 8px 14px;
+            max-width: 75%;
+            word-break: break-word;
+        }
+        .msg-bubble-self .msg-content p:last-child,
+        .msg-bubble-other .msg-content p:last-child { margin-bottom: 0; }
+        .msg-bubble-self .msg-content img,
+        .msg-bubble-other .msg-content img {
+            max-width: 200px;
+            max-height: 200px;
+            border-radius: 8px;
+            cursor: pointer;
+            display: block;
+            margin-top: 4px;
+        }
+        .msg-bubble-self  a    { color: #cfe2ff; }
+        .msg-bubble-other a    { color: #0d6efd; }
+        .msg-bubble-self  code { background: rgba(255,255,255,.2); border-radius:4px; padding:1px 4px; color:#fff; }
+        .msg-bubble-other code { background: rgba(0,0,0,.08); border-radius:4px; padding:1px 4px; }
+        .msg-bubble-self  pre  { background: rgba(255,255,255,.15); border-radius:6px; padding:8px; color:#fff; margin-bottom:0; }
+        .msg-bubble-other pre  { background: rgba(0,0,0,.06); border-radius:6px; padding:8px; margin-bottom:0; }
+
+        /* ── List items ──────────────────────────────────── */
+        .conv-item { cursor: pointer; }
+        .conv-item:hover    { background: #f0f4ff !important; }
+        .conv-item.is-active { background: #e8f0fe !important; border-left: 3px solid #0d6efd; }
+
+        /* ── Misc ────────────────────────────────────────── */
+        .unread-badge  { font-size: .7em; }
+        .nav-brand-img { height: 28px; }
+        #screen-login .card { border: none; box-shadow: 0 2px 8px rgba(0,0,0,.08); }
+        .bookmarklet-link   { word-break: break-all; }
+    </style>
+</head>
+<body>
+
+    <!-- Navbar -->
+    <nav class="navbar navbar-expand-lg bg-body-tertiary fixed-top border-bottom" style="z-index:1030;">
+        <div class="container-fluid">
+            <a class="navbar-brand d-flex align-items-center gap-2" href="index.html">
+                <img src="XMOJ.png" class="nav-brand-img" alt="">
+                XMOJ 短消息
+                <span class="badge bg-warning text-dark" style="font-size:.65em;">Alpha</span>
+            </a>
+            <div class="ms-auto d-flex align-items-center gap-2">
+                <span id="nav-username" class="text-muted small" style="display:none;"></span>
+                <button id="nav-logout" class="btn btn-sm btn-outline-danger" style="display:none;"
+                    onclick="logout()">退出登录</button>
+            </div>
+        </div>
+    </nav>
+
+    <!-- Login Screen -->
+    <div id="screen-login" class="container py-4" style="display:none;">
+        <div class="row justify-content-center">
+            <div class="col-12 col-md-7 col-lg-5">
+                <h4 class="mb-4 fw-bold">登录 XMOJ 短消息</h4>
+                <ul class="nav nav-tabs mb-0" role="tablist">
+                    <li class="nav-item">
+                        <button class="nav-link active" data-bs-toggle="tab"
+                            data-bs-target="#tab-bookmarklet" type="button">
+                            书签登录 <span class="badge bg-success ms-1">推荐</span>
+                        </button>
+                    </li>
+                    <li class="nav-item">
+                        <button class="nav-link" data-bs-toggle="tab"
+                            data-bs-target="#tab-manual" type="button">手动输入</button>
+                    </li>
+                </ul>
+                <div class="tab-content">
+                    <!-- Bookmarklet tab -->
+                    <div class="tab-pane fade show active" id="tab-bookmarklet" role="tabpanel">
+                        <div class="card rounded-top-0">
+                            <div class="card-body">
+                                <p class="text-muted mb-3">通过授权书签一键登录，无需手动查找 Cookie。</p>
+                                <ol class="mb-3">
+                                    <li>将下方链接<strong>拖拽</strong>到浏览器书签栏（或复制后手动添加）。</li>
+                                    <li>在 <a href="https://www.xmoj.tech/" target="_blank" rel="noopener">xmoj.tech</a> 上<strong>先完成登录</strong>。</li>
+                                    <li>点击该书签，自动跳转回本页面并完成登录。</li>
+                                </ol>
+                                <div class="d-flex gap-2 align-items-center mb-2">
+                                    <a id="bookmarklet-link" href="#"
+                                        class="btn btn-outline-primary btn-sm"
+                                        onclick="return false;">🔖 XMOJ 一键登录</a>
+                                    <button class="btn btn-outline-secondary btn-sm"
+                                        onclick="copyBookmarklet()">复制代码</button>
+                                </div>
+                                <textarea id="bookmarklet-code"
+                                    class="form-control form-control-sm font-monospace bookmarklet-link"
+                                    rows="3" readonly style="font-size:.72em;resize:none;"></textarea>
+                                <div class="form-text mt-1">
+                                    iOS / iPadOS：在 Safari 书签管理中新建书签，将 URL 替换为上方代码。
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                    <!-- Manual tab -->
+                    <div class="tab-pane fade" id="tab-manual" role="tabpanel">
+                        <div class="card rounded-top-0">
+                            <div class="card-body">
+                                <div class="mb-3">
+                                    <label class="form-label" for="manual-username">用户名</label>
+                                    <input type="text" id="manual-username" class="form-control"
+                                        placeholder="XMOJ 用户名"
+                                        autocomplete="username" autocapitalize="none" autocorrect="off">
+                                </div>
+                                <div class="mb-3">
+                                    <label class="form-label" for="manual-phpsessid">PHPSESSID</label>
+                                    <input type="text" id="manual-phpsessid"
+                                        class="form-control font-monospace"
+                                        placeholder="粘贴 Cookie 中的 PHPSESSID"
+                                        autocomplete="off" autocapitalize="none" autocorrect="off">
+                                    <div class="form-text">
+                                        在 xmoj.tech 的浏览器开发者工具 →「应用」→「Cookie」中找到
+                                        <code>PHPSESSID</code> 的值。
+                                    </div>
+                                </div>
+                                <button class="btn btn-primary w-100" onclick="manualLogin()">登录</button>
+                                <div id="manual-error" class="alert alert-danger mt-2 py-2"
+                                    style="display:none;"></div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- App Screen (split-pane) -->
+    <div id="screen-app" style="display:none;">
+        <div class="app-layout" id="app-layout">
+
+            <!-- LEFT: conversation list -->
+            <div class="app-sidebar">
+                <div class="sidebar-header d-flex justify-content-between align-items-center">
+                    <span class="fw-semibold">📬 收件箱</span>
+                    <div class="d-flex gap-1">
+                        <button class="btn btn-outline-secondary btn-sm"
+                            onclick="loadMailList()" title="刷新列表">&#8635;</button>
+                        <button class="btn btn-primary btn-sm"
+                            onclick="toggleNewMessage()">✉️ 新消息</button>
+                    </div>
+                </div>
+
+                <!-- New message panel -->
+                <div id="new-msg-panel" class="border-bottom p-2" style="display:none;">
+                    <div class="mb-2">
+                        <input type="text" id="new-msg-to" class="form-control form-control-sm"
+                            placeholder="收件人用户名"
+                            autocapitalize="none" autocorrect="off">
+                    </div>
+                    <div class="mb-2">
+                        <textarea id="new-msg-body" class="form-control form-control-sm" rows="3"
+                            placeholder="消息内容（支持 Markdown）"></textarea>
+                    </div>
+                    <div class="d-flex gap-2">
+                        <button class="btn btn-primary btn-sm" id="new-msg-send-btn"
+                            onclick="sendNewMessage()">发送</button>
+                        <button class="btn btn-outline-secondary btn-sm"
+                            onclick="toggleNewMessage()">取消</button>
+                    </div>
+                    <div id="new-msg-error" class="alert alert-danger mt-2 py-2 mb-0"
+                        style="display:none;"></div>
+                </div>
+
+                <!-- List content -->
+                <div class="sidebar-list">
+                    <div id="list-loading" class="text-center py-5">
+                        <div class="spinner-border text-primary" role="status">
+                            <span class="visually-hidden">加载中...</span>
+                        </div>
+                    </div>
+                    <div id="list-error" class="alert alert-danger m-2" style="display:none;"></div>
+                    <div id="list-empty" class="text-center text-muted py-5" style="display:none;">
+                        <div class="fs-1">💌</div>
+                        <div>暂无消息</div>
+                        <div class="small mt-1">点击「新消息」开始对话</div>
+                    </div>
+                    <div id="list-container" class="list-group list-group-flush"
+                        style="display:none;"></div>
+                </div>
+            </div>
+
+            <!-- RIGHT: thread view -->
+            <div class="app-main">
+                <!-- Thread header -->
+                <div class="thread-header" id="thread-header" style="display:none;">
+                    <button class="btn btn-outline-secondary btn-sm d-md-none"
+                        onclick="backToList()">&#8592; 返回</button>
+                    <span class="fw-semibold flex-grow-1 text-truncate" id="thread-title">对话</span>
+                    <button class="btn btn-sm btn-outline-primary"
+                        onclick="loadThread()" title="刷新">&#8635;</button>
+                </div>
+
+                <!-- Thread loading state -->
+                <div class="thread-loading-area" id="thread-loading" style="display:none;">
+                    <div class="spinner-border text-primary" role="status">
+                        <span class="visually-hidden">加载中...</span>
+                    </div>
+                </div>
+
+                <!-- Thread error state -->
+                <div id="thread-error" class="alert alert-danger m-3" style="display:none;"></div>
+
+                <!-- Messages -->
+                <div id="thread-messages" style="display:none;"></div>
+
+                <!-- Compose area -->
+                <div class="compose-area" id="compose-area" style="display:none;">
+                    <div class="mb-2">
+                        <textarea id="msg-input" class="form-control" rows="3"
+                            placeholder="输入消息（支持 Markdown，Ctrl+Enter 发送，可粘贴图片）"
+                            onkeydown="handleInputKeydown(event)"></textarea>
+                    </div>
+                    <div class="d-flex align-items-center justify-content-between">
+                        <label class="btn btn-outline-secondary btn-sm mb-0"
+                            for="img-file-input" title="上传图片">
+                            📎 图片
+                            <input type="file" id="img-file-input" accept="image/*"
+                                style="display:none;" onchange="handleFileUpload(event)">
+                        </label>
+                        <div class="d-flex gap-2 align-items-center">
+                            <span id="upload-indicator" class="text-muted small"
+                                style="display:none;">上传中…</span>
+                            <button class="btn btn-primary btn-sm" id="send-btn"
+                                onclick="sendMessage()">发送</button>
+                        </div>
+                    </div>
+                    <div id="send-error" class="alert alert-danger mt-2 py-2 mb-0"
+                        style="display:none;"></div>
+                </div>
+
+                <!-- Welcome state -->
+                <div class="thread-welcome" id="thread-welcome">
+                    <div style="font-size:3rem;">💬</div>
+                    <div>从左侧选择一个对话</div>
+                    <div class="small">或点击「新消息」发起对话</div>
+                </div>
+            </div>
+
+        </div>
+    </div>
+
+    <!-- Toast -->
+    <div class="toast-container position-fixed bottom-0 end-0 p-3" style="z-index:2000;">
+        <div id="main-toast" class="toast align-items-center" role="alert" aria-live="assertive">
+            <div class="d-flex">
+                <div class="toast-body" id="toast-body"></div>
+                <button type="button" class="btn-close me-2 m-auto"
+                    data-bs-dismiss="toast"></button>
+            </div>
+        </div>
+    </div>
+
+    <!-- Image viewer modal -->
+    <div class="modal fade" id="img-viewer-modal" tabindex="-1" aria-hidden="true">
+        <div class="modal-dialog modal-dialog-centered modal-xl">
+            <div class="modal-content bg-transparent border-0">
+                <div class="modal-body p-0 text-center">
+                    <img id="img-viewer-src" src="" class="img-fluid rounded"
+                        style="max-height:85vh;" alt="">
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <script>
+        'use strict';
+
+        // =========================================================
+        //  CONSTANTS
+        // =========================================================
+        // All API calls go through the same-origin Cloudflare Pages Function
+        // at /api-proxy/ which forwards to https://api.xmoj-bbs.me/ server-side,
+        // eliminating CORS issues from any deployment domain.
+        const API_BASE = '/api-proxy/';
+        const WEBUI_VERSION = '1.0.0';
+        const STORAGE_USER    = 'xmoj-msg-username';
+        const STORAGE_SESSION = 'xmoj-msg-phpsessid';
+        const SCROLL_BOTTOM_THRESHOLD    = 60;    // px
+        const THREAD_REFRESH_INTERVAL_MS = 10000; // 10 s
+        const LIST_REFRESH_INTERVAL_MS   = 30000; // 30 s background list refresh
+        const RATE_LIMIT_MAX             = 5;
+        const RATE_LIMIT_WINDOW_MS       = 60000; // 60 s
+
+        // =========================================================
+        //  STATE
+        // =========================================================
+        let currentUser   = null;
+        let currentThread = null;
+        let threadRefreshTimer = null;
+        let listRefreshTimer   = null;
+        let sendTimestamps     = [];
+
+        // =========================================================
+        //  SESSION
+        // =========================================================
+        function saveSession(username, phpsessid) {
+            localStorage.setItem(STORAGE_USER,    username);
+            localStorage.setItem(STORAGE_SESSION, phpsessid);
+            currentUser = { username, phpsessid };
+            updateNavbar();
+        }
+
+        function loadSession() {
+            const username  = localStorage.getItem(STORAGE_USER);
+            const phpsessid = localStorage.getItem(STORAGE_SESSION);
+            if (username && phpsessid) {
+                currentUser = { username, phpsessid };
+                updateNavbar();
+                return true;
+            }
+            return false;
+        }
+
+        function logout() {
+            localStorage.removeItem(STORAGE_USER);
+            localStorage.removeItem(STORAGE_SESSION);
+            currentUser   = null;
+            currentThread = null;
+            stopAllTimers();
+            updateNavbar();
+            showLoginScreen();
+        }
+
+        function updateNavbar() {
+            const el  = document.getElementById('nav-username');
+            const btn = document.getElementById('nav-logout');
+            if (currentUser) {
+                el.textContent    = currentUser.username;
+                el.style.display  = '';
+                btn.style.display = '';
+            } else {
+                el.style.display  = 'none';
+                btn.style.display = 'none';
+            }
+        }
+
+        // =========================================================
+        //  SCREEN / PANE MANAGEMENT
+        // =========================================================
+        function showLoginScreen() {
+            document.getElementById('screen-login').style.display = '';
+            document.getElementById('screen-app').style.display   = 'none';
+        }
+
+        function showAppScreen() {
+            document.getElementById('screen-login').style.display = 'none';
+            document.getElementById('screen-app').style.display   = '';
+        }
+
+        function showThreadPane() {
+            document.getElementById('app-layout').classList.add('thread-active');
+        }
+
+        function backToList() {
+            document.getElementById('app-layout').classList.remove('thread-active');
+        }
+
+        function setThreadVisible(visible) {
+            document.getElementById('thread-header').style.display   = visible ? '' : 'none';
+            document.getElementById('thread-messages').style.display  = visible ? '' : 'none';
+            document.getElementById('compose-area').style.display     = visible ? '' : 'none';
+            document.getElementById('thread-welcome').style.display   = visible ? 'none' : '';
+            document.getElementById('thread-loading').style.display   = 'none';
+            document.getElementById('thread-error').style.display     = 'none';
+        }
+
+        function stopAllTimers() {
+            if (threadRefreshTimer) { clearInterval(threadRefreshTimer); threadRefreshTimer = null; }
+            if (listRefreshTimer)   { clearInterval(listRefreshTimer);   listRefreshTimer   = null; }
+        }
+
+        // =========================================================
+        //  API
+        // =========================================================
+        async function apiCall(action, data) {
+            if (!currentUser) throw new Error('未登录');
+            const body = JSON.stringify({
+                Authentication: {
+                    SessionID: currentUser.phpsessid,
+                    Username:  currentUser.username
+                },
+                Data:      data,
+                Version:   WEBUI_VERSION,
+                DebugMode: false
+            });
+            const response = await fetch(API_BASE + action, {
+                method:  'POST',
+                headers: {
+                    'Content-Type':        'application/json',
+                    'Cache-Control':       'no-cache',
+                    'XMOJ-UserID':         currentUser.username,
+                    'XMOJ-Script-Version': WEBUI_VERSION
+                },
+                body
+            });
+            if (!response.ok) throw new Error('服务器返回 HTTP ' + response.status);
+            return response.json();
+        }
+
+        function isAuthError(result) {
+            if (!result.Success && result.Message) {
+                const m = result.Message.toLowerCase();
+                return m.includes('session') || m.includes('auth')
+                    || m.includes('login')   || m.includes('unauthorized')
+                    || m.includes('invalid');
+            }
+            return false;
+        }
+
+        // =========================================================
+        //  HELPERS
+        // =========================================================
+        function escapeHtml(str) {
+            return String(str)
+                .replace(/&/g, '&amp;').replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        }
+
+        function formatRelativeTime(ts) {
+            if (!ts) return '';
+            const diff = Math.floor((Date.now() - Number(ts)) / 1000);
+            if (diff < 60)    return '刚刚';
+            if (diff < 3600)  return Math.floor(diff / 60) + ' 分钟前';
+            if (diff < 86400) return Math.floor(diff / 3600) + ' 小时前';
+            if (diff < 604800) return Math.floor(diff / 86400) + ' 天前';
+            return new Date(Number(ts)).toLocaleDateString('zh-CN');
+        }
+
+        function renderMarkdown(content) {
+            if (!content) return '';
+            const html = marked.parse(String(content));
+            return DOMPurify.sanitize(html, {
+                ADD_ATTR: ['target', 'rel'],
+                ALLOWED_TAGS: [
+                    'p','br','strong','em','del','code','pre',
+                    'ul','ol','li','a','img','blockquote',
+                    'h1','h2','h3','h4','h5','h6',
+                    'hr','table','thead','tbody','tr','th','td'
+                ],
+                ALLOWED_URI_REGEXP: /^(?:https?|ftp):\/\//i
+            });
+        }
+
+        function stripMarkdown(content) {
+            if (!content) return '';
+            return String(content)
+                .replace(/!\[.*?\]\(.*?\)/g, '[图片]')
+                .replace(/\[([^\]]+)\]\([^)]+\)/g, '$1')
+                .replace(/[*_`#>]/g, '')
+                .trim();
+        }
+
+        function showToast(msg) {
+            document.getElementById('toast-body').textContent = msg;
+            bootstrap.Toast.getOrCreateInstance(
+                document.getElementById('main-toast'), { delay: 3000 }
+            ).show();
+        }
+
+        // =========================================================
+        //  RATE LIMITING
+        // =========================================================
+        function checkSendRateLimit() {
+            const now = Date.now();
+            sendTimestamps = sendTimestamps.filter(ts => now - ts < RATE_LIMIT_WINDOW_MS);
+            if (sendTimestamps.length >= RATE_LIMIT_MAX) {
+                const waitSecs = Math.ceil(
+                    (RATE_LIMIT_WINDOW_MS - (now - sendTimestamps[0])) / 1000
+                );
+                return { ok: false, waitSecs };
+            }
+            sendTimestamps.push(now);
+            return { ok: true };
+        }
+
+        // =========================================================
+        //  LOGIN
+        // =========================================================
+        function generateBookmarklet() {
+            const returnUrl = window.location.origin + window.location.pathname;
+            return `javascript:(function(){`
+                + `if(!location.hostname.match(/xmoj\\.tech|116\\.62\\.212\\.172/)){`
+                + `alert('\\u8bf7\\u5728 xmoj.tech \\u4e0a\\u4f7f\\u7528\\u6b64\\u4e66\\u7b3e\\uff01');return;}`
+                + `var m=document.cookie.match(/(?:^|;\\s*)PHPSESSID=([^;]+)/);`
+                + `if(!m){alert('\\u8bf7\\u5148\\u767b\\u5f55 xmoj.tech\\uff01');return;}`
+                + `var p=m[1];`
+                + `var el=document.querySelector('#profile');`
+                + `var u=el?el.innerText.replace(/[^a-zA-Z0-9]/g,''):'';`
+                + `if(!u)u=prompt('\\u8bf7\\u8f93\\u5165\\u60a8\\u7684 XMOJ \\u7528\\u6237\\u540d:')||'';`
+                + `if(!u)return;`
+                + `location.href='${returnUrl}#session='+encodeURIComponent(u)+':'+encodeURIComponent(p);`
+                + `})()`;
+        }
+
+        function copyBookmarklet() {
+            const code = document.getElementById('bookmarklet-code').value;
+            navigator.clipboard.writeText(code)
+                .then(() => showToast('已复制到剪贴板'))
+                .catch(() => showToast('复制失败，请手动选中并复制'));
+        }
+
+        function manualLogin() {
+            const username  = (document.getElementById('manual-username').value  || '').trim();
+            const phpsessid = (document.getElementById('manual-phpsessid').value || '').trim();
+            const errEl = document.getElementById('manual-error');
+            if (!username)  { errEl.textContent = '请输入用户名';      errEl.style.display = ''; return; }
+            if (!phpsessid) { errEl.textContent = '请输入 PHPSESSID'; errEl.style.display = ''; return; }
+            errEl.style.display = 'none';
+            saveSession(username, phpsessid);
+            startApp();
+        }
+
+        // =========================================================
+        //  APP ENTRY
+        // =========================================================
+        function startApp() {
+            showAppScreen();
+            setThreadVisible(false);
+            loadMailList();
+            if (listRefreshTimer) clearInterval(listRefreshTimer);
+            listRefreshTimer = setInterval(loadMailList, LIST_REFRESH_INTERVAL_MS);
+        }
+
+        // =========================================================
+        //  MAIL LIST
+        // =========================================================
+        async function loadMailList() {
+            const loading   = document.getElementById('list-loading');
+            const errEl     = document.getElementById('list-error');
+            const emptyEl   = document.getElementById('list-empty');
+            const container = document.getElementById('list-container');
+
+            if (container.children.length === 0) loading.style.display = '';
+            errEl.style.display = 'none';
+
+            try {
+                const result = await apiCall('GetMailList', {});
+                loading.style.display = 'none';
+
+                if (!result.Success) {
+                    if (isAuthError(result)) { logout(); showToast('会话已过期，请重新登录'); return; }
+                    errEl.textContent   = result.Message || '加载收件箱失败';
+                    errEl.style.display = '';
+                    return;
+                }
+
+                const list = (result.Data && result.Data.MailList) || [];
+                if (list.length === 0) {
+                    emptyEl.style.display   = '';
+                    container.style.display = 'none';
+                    container.innerHTML     = '';
+                } else {
+                    emptyEl.style.display = 'none';
+                    container.innerHTML   = '';
+                    list.forEach(item => {
+                        const a = document.createElement('a');
+                        a.href      = '#';
+                        a.className = 'list-group-item list-group-item-action py-3 conv-item'
+                            + (item.OtherUser === currentThread ? ' is-active' : '');
+                        a.addEventListener('click', e => { e.preventDefault(); openThread(item.OtherUser); });
+                        const preview = stripMarkdown(item.LastsMessage);
+                        const short   = preview.length > 60 ? preview.substring(0, 60) + '\u2026' : preview;
+                        const badge   = item.UnreadCount > 0
+                            ? `<span class="badge bg-danger unread-badge ms-1">${item.UnreadCount}</span>` : '';
+                        a.innerHTML = `
+                            <div class="d-flex justify-content-between align-items-start">
+                                <div class="fw-semibold">${escapeHtml(item.OtherUser)}${badge}</div>
+                                <small class="text-muted text-nowrap ms-2">${formatRelativeTime(item.SendTime)}</small>
+                            </div>
+                            <small class="text-muted">${escapeHtml(short)}</small>`;
+                        container.appendChild(a);
+                    });
+                    container.style.display = '';
+                }
+            } catch (err) {
+                loading.style.display = 'none';
+                errEl.innerHTML = `\u8fde\u63a5\u5931\u8d25\uff1a${escapeHtml(err.message)}`
+                    + `<br><small class="text-muted">\u8bf7\u786e\u8ba4\u5df2\u767b\u5f55\uff0c\u4e14\u7f51\u7edc/\u670d\u52a1\u6b63\u5e38\u3002</small>`;
+                errEl.style.display = '';
+            }
+        }
+
+        function toggleNewMessage() {
+            const panel   = document.getElementById('new-msg-panel');
+            const isHidden = panel.style.display === 'none';
+            panel.style.display = isHidden ? '' : 'none';
+            if (isHidden) {
+                document.getElementById('new-msg-to').focus();
+            } else {
+                document.getElementById('new-msg-to').value   = '';
+                document.getElementById('new-msg-body').value = '';
+                document.getElementById('new-msg-error').style.display = 'none';
+            }
+        }
+
+        async function sendNewMessage() {
+            const toUser  = (document.getElementById('new-msg-to').value  || '').trim();
+            const content = (document.getElementById('new-msg-body').value || '').trim();
+            const errEl   = document.getElementById('new-msg-error');
+            const sendBtn = document.getElementById('new-msg-send-btn');
+            if (!toUser)  { errEl.textContent = '\u8bf7\u8f93\u5165\u6536\u4ef6\u4eba\u7528\u6237\u540d'; errEl.style.display = ''; return; }
+            if (!content) { errEl.textContent = '\u8bf7\u8f93\u5165\u6d88\u606f\u5185\u5bb9';             errEl.style.display = ''; return; }
+            errEl.style.display = 'none';
+            sendBtn.disabled    = true;
+            const origHTML      = sendBtn.innerHTML;
+            sendBtn.innerHTML   = '<span class="spinner-border spinner-border-sm" role="status"></span>';
+            try {
+                const result = await apiCall('SendMail', { ToUser: toUser, Content: content });
+                if (result.Success) {
+                    toggleNewMessage();
+                    openThread(toUser);
+                } else {
+                    errEl.textContent   = result.Message || '\u53d1\u9001\u5931\u8d25';
+                    errEl.style.display = '';
+                }
+            } catch (err) {
+                errEl.textContent   = '\u53d1\u9001\u5931\u8d25\uff1a' + err.message;
+                errEl.style.display = '';
+            } finally {
+                sendBtn.disabled  = false;
+                sendBtn.innerHTML = origHTML;
+            }
+        }
+
+        // =========================================================
+        //  THREAD
+        // =========================================================
+        async function openThread(otherUser) {
+            if (threadRefreshTimer) { clearInterval(threadRefreshTimer); threadRefreshTimer = null; }
+
+            currentThread = otherUser;
+            document.getElementById('thread-title').textContent     = '\u4e0e ' + otherUser + ' \u7684\u5bf9\u8bdd';
+            document.getElementById('msg-input').value              = '';
+            document.getElementById('send-error').style.display     = 'none';
+            document.getElementById('thread-messages').innerHTML    = '';
+            setThreadVisible(true);
+            showThreadPane();
+
+            document.querySelectorAll('#list-container .conv-item').forEach(el => {
+                const nameEl = el.querySelector('.fw-semibold');
+                const name   = nameEl ? nameEl.firstChild.textContent.trim() : '';
+                el.classList.toggle('is-active', name === otherUser);
+            });
+
+            apiCall('ReadUserMailMention', { UserID: otherUser }).catch(() => {});
+
+            await loadThread();
+            threadRefreshTimer = setInterval(loadThread, THREAD_REFRESH_INTERVAL_MS);
+            loadMailList();
+        }
+
+        async function loadThread() {
+            if (!currentThread) return;
+
+            const loading    = document.getElementById('thread-loading');
+            const errEl      = document.getElementById('thread-error');
+            const messagesEl = document.getElementById('thread-messages');
+            const isFirst    = messagesEl.children.length === 0;
+
+            if (isFirst) loading.style.display = '';
+            errEl.style.display = 'none';
+
+            try {
+                const result = await apiCall('GetMail', { OtherUser: currentThread });
+                loading.style.display = 'none';
+
+                if (!result.Success) {
+                    if (isAuthError(result)) {
+                        if (threadRefreshTimer) { clearInterval(threadRefreshTimer); threadRefreshTimer = null; }
+                        logout();
+                        showToast('\u4f1a\u8bdd\u5df2\u8fc7\u671f\uff0c\u8bf7\u91cd\u65b0\u767b\u5f55');
+                        return;
+                    }
+                    errEl.textContent   = result.Message || '\u52a0\u8f7d\u6d88\u606f\u5931\u8d25';
+                    errEl.style.display = '';
+                    return;
+                }
+
+                const mails     = (result.Data && result.Data.Mail) || [];
+                const wasAtBot  = messagesEl.scrollHeight - messagesEl.scrollTop
+                    <= messagesEl.clientHeight + SCROLL_BOTTOM_THRESHOLD;
+
+                messagesEl.innerHTML = '';
+                mails.forEach(msg => {
+                    const isSelf  = msg.FromUser === currentUser.username;
+                    const wrapper = document.createElement('div');
+                    wrapper.className = 'd-flex ' + (isSelf ? 'justify-content-end' : 'justify-content-start');
+
+                    const bubble = document.createElement('div');
+                    bubble.className = isSelf ? 'msg-bubble-self' : 'msg-bubble-other';
+
+                    const contentEl = document.createElement('div');
+                    contentEl.className = 'msg-content';
+                    contentEl.innerHTML = renderMarkdown(msg.Content);
+                    contentEl.querySelectorAll('img').forEach(img => {
+                        img.addEventListener('click', () => viewImage(img.src));
+                        img.setAttribute('loading', 'lazy');
+                    });
+                    contentEl.querySelectorAll('a').forEach(a => {
+                        a.setAttribute('target', '_blank');
+                        a.setAttribute('rel',    'noopener noreferrer');
+                    });
+
+                    const timeEl = document.createElement('div');
+                    timeEl.style.cssText = 'font-size:.7em;margin-top:4px;opacity:.7;';
+                    timeEl.textContent   = formatRelativeTime(msg.SendTime);
+
+                    bubble.appendChild(contentEl);
+                    bubble.appendChild(timeEl);
+                    wrapper.appendChild(bubble);
+                    messagesEl.appendChild(wrapper);
+                });
+
+                if (isFirst || wasAtBot) messagesEl.scrollTop = messagesEl.scrollHeight;
+            } catch (err) {
+                loading.style.display = 'none';
+                errEl.innerHTML       = `\u8fde\u63a5\u5931\u8d25\uff1a${escapeHtml(err.message)}`;
+                errEl.style.display   = '';
+            }
+        }
+
+        // =========================================================
+        //  SEND MESSAGE
+        // =========================================================
+        function handleInputKeydown(e) {
+            if (e.key === 'Enter' && (e.ctrlKey || e.metaKey)) {
+                e.preventDefault();
+                sendMessage();
+            }
+        }
+
+        async function sendMessage() {
+            const input   = document.getElementById('msg-input');
+            const sendBtn = document.getElementById('send-btn');
+            const errEl   = document.getElementById('send-error');
+            const content = (input.value || '').trim();
+            if (!content || !currentThread) return;
+
+            const rateCheck = checkSendRateLimit();
+            if (!rateCheck.ok) {
+                errEl.textContent   = `\u53d1\u9001\u8fc7\u4e8e\u9891\u7e41\uff0c\u8bf7\u7b49\u5f85 ${rateCheck.waitSecs} \u79d2\u540e\u518d\u8bd5`;
+                errEl.style.display = '';
+                return;
+            }
+            errEl.style.display = 'none';
+            sendBtn.disabled    = true;
+            const origHTML      = sendBtn.innerHTML;
+            sendBtn.innerHTML   = '<span class="spinner-border spinner-border-sm" role="status"></span>';
+            try {
+                const result = await apiCall('SendMail', { ToUser: currentThread, Content: content });
+                if (result.Success) {
+                    input.value = '';
+                    await loadThread();
+                } else {
+                    errEl.textContent   = result.Message || '\u53d1\u9001\u5931\u8d25';
+                    errEl.style.display = '';
+                }
+            } catch (err) {
+                errEl.textContent   = '\u53d1\u9001\u5931\u8d25\uff1a' + err.message;
+                errEl.style.display = '';
+            } finally {
+                sendBtn.disabled  = false;
+                sendBtn.innerHTML = origHTML;
+            }
+        }
+
+        // =========================================================
+        //  IMAGE UPLOAD
+        // =========================================================
+        async function uploadImageData(base64DataUrl) {
+            const indicator = document.getElementById('upload-indicator');
+            indicator.style.display = '';
+            try {
+                const result = await apiCall('UploadImage', { Image: base64DataUrl });
+                indicator.style.display = 'none';
+                if (result.Success) {
+                    return `https://api.xmoj-bbs.me/GetImage?ImageID=${result.Data.ImageID}`;
+                }
+                showToast('\u56fe\u7247\u4e0a\u4f20\u5931\u8d25\uff1a' + (result.Message || '\u672a\u77e5\u9519\u8bef'));
+                return null;
+            } catch (err) {
+                indicator.style.display = 'none';
+                showToast('\u56fe\u7247\u4e0a\u4f20\u5931\u8d25\uff1a' + err.message);
+                return null;
+            }
+        }
+
+        let _uploadCounter = 0;
+
+        async function insertImageIntoInput(file) {
+            const input    = document.getElementById('msg-input');
+            const selStart = input.selectionStart;
+            const selEnd   = input.selectionEnd;
+            const uid      = ++_uploadCounter;
+            const ph       = `![\u4e0a\u4f20\u4e2d\u2026_${uid}]()`;
+            input.value    = input.value.substring(0, selStart) + ph + input.value.substring(selEnd);
+            input.setSelectionRange(selStart, selStart + ph.length);
+
+            const reader = new FileReader();
+            reader.readAsDataURL(file);
+            reader.onload = async () => {
+                const url   = await uploadImageData(reader.result);
+                input.value = input.value.replace(ph, url ? `![\u56fe\u7247](${url})` : '');
+            };
+        }
+
+        function handleFileUpload(e) {
+            const file = e.target.files && e.target.files[0];
+            if (file) insertImageIntoInput(file);
+            e.target.value = '';
+        }
+
+        function viewImage(src) {
+            document.getElementById('img-viewer-src').src = src;
+            bootstrap.Modal.getOrCreateInstance(
+                document.getElementById('img-viewer-modal')
+            ).show();
+        }
+
+        // =========================================================
+        //  INITIALIZATION
+        // =========================================================
+        document.addEventListener('DOMContentLoaded', () => {
+
+            // Paste image into compose
+            document.getElementById('msg-input').addEventListener('paste', e => {
+                const items = (e.clipboardData || {}).items || [];
+                for (let i = 0; i < items.length; i++) {
+                    if (items[i].type.startsWith('image/')) {
+                        e.preventDefault();
+                        insertImageIntoInput(items[i].getAsFile());
+                        break;
+                    }
+                }
+            });
+
+            // Populate bookmarklet
+            const bmCode = generateBookmarklet();
+            document.getElementById('bookmarklet-link').href  = bmCode;
+            document.getElementById('bookmarklet-code').value = bmCode;
+
+            // Handle bookmarklet redirect (#session=user:phpsessid)
+            const hash = window.location.hash;
+            if (hash.startsWith('#session=')) {
+                const payload  = hash.substring(9);
+                const colonIdx = payload.indexOf(':');
+                if (colonIdx > 0) {
+                    try {
+                        const username  = decodeURIComponent(payload.substring(0, colonIdx));
+                        const phpsessid = decodeURIComponent(payload.substring(colonIdx + 1));
+                        if (username && phpsessid) {
+                            saveSession(username, phpsessid);
+                            history.replaceState(null, '',
+                                window.location.pathname + window.location.search);
+                            const toUser = new URLSearchParams(window.location.search).get('to_user');
+                            startApp();
+                            if (toUser) openThread(toUser);
+                            return;
+                        }
+                    } catch (_e) { /* fall through */ }
+                }
+            }
+
+            // Restore session from localStorage
+            if (loadSession()) {
+                const toUser = new URLSearchParams(window.location.search).get('to_user');
+                startApp();
+                if (toUser) openThread(toUser);
+            } else {
+                showLoginScreen();
+            }
+
+            // Userscript integration (Tampermonkey on xmoj-bbs.me)
+            window.addEventListener('xmoj-autofill-session', e => {
+                if (e.detail && e.detail.username && e.detail.phpsessid) {
+                    saveSession(e.detail.username, e.detail.phpsessid);
+                    showToast('\u2705 \u5df2\u901a\u8fc7 XMOJ \u811a\u672c\u81ea\u52a8\u767b\u5f55');
+                    if (document.getElementById('screen-login').style.display !== 'none') {
+                        startApp();
+                    }
+                }
+            });
+            window.addEventListener('xmoj-show-toast', e => {
+                if (e.detail && e.detail.message) showToast(e.detail.message);
+            });
+        });
+    </script>
+</body>
+</html>