feat: 구매/안전 시스템 전면 개편 — tkpurchase 개편 + tksafety 신규 + 권한 보강

Phase 1: tkuser 협력업체 CRUD 이관 (읽기전용 → 전체 CRUD) Phase 2: tkpurchase 개편 — 일용공 신청/확정, 작업일정, 업무현황, 계정관리, 협력업체 포털 Phase 3: tksafety 신규 시스템 — 방문관리 + 안전교육 신고 Phase 4: SSO 인증 보강 (partner_company_id JWT, 만료일 체크), 권한 테이블 기반 접근 제어 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 17:42:59 +09:00
parent a195dd1d50
commit b800792152
63 changed files with 5548 additions and 262 deletions
--- a/tksafety/api/Dockerfile
+++ b/tksafety/api/Dockerfile
@@ -0,0 +1,11 @@
+FROM node:18-alpine
+WORKDIR /usr/src/app
+COPY package*.json ./
+RUN npm install --omit=dev
+COPY . .
+RUN chown -R node:node /usr/src/app
+USER node
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=3s --start-period=20s --retries=3 \
+  CMD node -e "require('http').get('http://localhost:3000/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1); })"
+CMD ["node", "index.js"]
--- a/tksafety/api/controllers/dailyVisitController.js
+++ b/tksafety/api/controllers/dailyVisitController.js
@@ -0,0 +1,136 @@
+const dailyVisitModel = require('../models/dailyVisitModel');
+
+const PURPOSE_LABELS = {
+  day_labor: '일용공', equipment_repair: '설비수리', inspection: '검사',
+  delivery: '납품/배송', safety_audit: '안전점검', client_audit: '고객심사',
+  construction: '공사', other: '기타'
+};
+
+async function today(req, res) {
+  try {
+    const [visits, stats] = await Promise.all([
+      dailyVisitModel.findToday(),
+      dailyVisitModel.getTodayStats()
+    ]);
+    res.json({ success: true, data: { visits, stats } });
+  } catch (err) {
+    console.error('Today visits error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function list(req, res) {
+  try {
+    const rows = await dailyVisitModel.findAll(req.query);
+    res.json({ success: true, data: rows });
+  } catch (err) {
+    console.error('Visit list error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function create(req, res) {
+  try {
+    const { visitor_name, purpose, company_id, company_name } = req.body;
+    if (!visitor_name || !visitor_name.trim()) {
+      return res.status(400).json({ success: false, error: '방문자명은 필수입니다' });
+    }
+    if (!purpose) {
+      return res.status(400).json({ success: false, error: '방문 목적은 필수입니다' });
+    }
+    if (!company_id && (!company_name || !company_name.trim())) {
+      return res.status(400).json({ success: false, error: '업체를 선택하거나 업체명을 입력해주세요' });
+    }
+    const userId = req.user.user_id || req.user.id;
+    const visit = await dailyVisitModel.create({ ...req.body, registered_by: userId });
+    res.status(201).json({ success: true, data: visit });
+  } catch (err) {
+    console.error('Visit create error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function update(req, res) {
+  try {
+    const visit = await dailyVisitModel.update(req.params.id, req.body);
+    if (!visit) return res.status(404).json({ success: false, error: '방문 기록을 찾을 수 없습니다' });
+    res.json({ success: true, data: visit });
+  } catch (err) {
+    console.error('Visit update error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function checkout(req, res) {
+  try {
+    const visit = await dailyVisitModel.checkout(req.params.id, req.body.checkout_note);
+    if (!visit) return res.status(404).json({ success: false, error: '방문 기록을 찾을 수 없습니다' });
+    res.json({ success: true, data: visit });
+  } catch (err) {
+    console.error('Checkout error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function bulkCheckout(req, res) {
+  try {
+    const result = await dailyVisitModel.bulkCheckout();
+    res.json({ success: true, data: { affected: result.affectedRows } });
+  } catch (err) {
+    console.error('Bulk checkout error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function deleteVisit(req, res) {
+  try {
+    await dailyVisitModel.deleteVisit(req.params.id);
+    res.json({ success: true, message: '삭제 완료' });
+  } catch (err) {
+    console.error('Visit delete error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function stats(req, res) {
+  try {
+    const data = await dailyVisitModel.getStats(req.query);
+    res.json({ success: true, data });
+  } catch (err) {
+    console.error('Stats error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function exportCsv(req, res) {
+  try {
+    const rows = await dailyVisitModel.exportCsv(req.query);
+    const BOM = '\uFEFF';
+    const header = '방문일,업체,방문자,인원,목적,상세,작업장,안전교육,차량번호,체크인,체크아웃,상태,담당부서,비고';
+    const lines = rows.map(r => [
+      r.visit_date ? String(r.visit_date).substring(0, 10) : '',
+      `"${(r.company || '').replace(/"/g, '""')}"`,
+      `"${(r.visitor_name || '').replace(/"/g, '""')}"`,
+      r.visitor_count || 1,
+      PURPOSE_LABELS[r.purpose] || r.purpose,
+      `"${(r.purpose_detail || '').replace(/"/g, '""')}"`,
+      `"${(r.workplace_name || '').replace(/"/g, '""')}"`,
+      r.safety_education_yn ? 'Y' : 'N',
+      r.vehicle_number || '',
+      r.check_in_time || '',
+      r.check_out_time || '',
+      r.status,
+      r.managing_department || '',
+      `"${(r.notes || '').replace(/"/g, '""')}"`
+    ].join(','));
+
+    res.setHeader('Content-Type', 'text/csv; charset=utf-8');
+    res.setHeader('Content-Disposition', 'attachment; filename=visits.csv');
+    res.send(BOM + header + '\n' + lines.join('\n'));
+  } catch (err) {
+    console.error('Export error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+module.exports = { today, list, create, update, checkout, bulkCheckout, deleteVisit, stats, exportCsv };
--- a/tksafety/api/controllers/educationController.js
+++ b/tksafety/api/controllers/educationController.js
@@ -0,0 +1,70 @@
+const educationModel = require('../models/educationModel');
+
+async function list(req, res) {
+  try {
+    const rows = await educationModel.findAll(req.query);
+    res.json({ success: true, data: rows });
+  } catch (err) {
+    console.error('Education list error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function getById(req, res) {
+  try {
+    const row = await educationModel.findById(req.params.id);
+    if (!row) return res.status(404).json({ success: false, error: '교육 기록을 찾을 수 없습니다' });
+    res.json({ success: true, data: row });
+  } catch (err) {
+    console.error('Education getById error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function create(req, res) {
+  try {
+    const { education_date } = req.body;
+    if (!education_date) {
+      return res.status(400).json({ success: false, error: '교육일은 필수입니다' });
+    }
+    const userId = req.user.user_id || req.user.id;
+    const report = await educationModel.create({ ...req.body, registered_by: userId });
+    res.status(201).json({ success: true, data: report });
+  } catch (err) {
+    console.error('Education create error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function update(req, res) {
+  try {
+    const report = await educationModel.update(req.params.id, req.body);
+    if (!report) return res.status(404).json({ success: false, error: '교육 기록을 찾을 수 없습니다' });
+    res.json({ success: true, data: report });
+  } catch (err) {
+    console.error('Education update error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function deleteReport(req, res) {
+  try {
+    await educationModel.deleteReport(req.params.id);
+    res.json({ success: true, message: '삭제 완료' });
+  } catch (err) {
+    console.error('Education delete error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+async function stats(req, res) {
+  try {
+    const data = await educationModel.getStats(req.query);
+    res.json({ success: true, data });
+  } catch (err) {
+    console.error('Education stats error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+}
+
+module.exports = { list, getById, create, update, deleteReport, stats };
--- a/tksafety/api/index.js
+++ b/tksafety/api/index.js
@@ -0,0 +1,86 @@
+const express = require('express');
+const cors = require('cors');
+const cron = require('node-cron');
+const dailyVisitRoutes = require('./routes/dailyVisitRoutes');
+const educationRoutes = require('./routes/educationRoutes');
+const dailyVisitModel = require('./models/dailyVisitModel');
+const { requireAuth } = require('./middleware/auth');
+
+const app = express();
+const PORT = process.env.PORT || 3000;
+
+const allowedOrigins = [
+  'https://tkfb.technicalkorea.net',
+  'https://tkreport.technicalkorea.net',
+  'https://tkqc.technicalkorea.net',
+  'https://tkuser.technicalkorea.net',
+  'https://tkpurchase.technicalkorea.net',
+  'https://tksafety.technicalkorea.net',
+];
+if (process.env.NODE_ENV === 'development') {
+  allowedOrigins.push('http://localhost:30080', 'http://localhost:30580');
+}
+app.use(cors({
+  origin: function(origin, cb) {
+    if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+    cb(new Error('CORS blocked: ' + origin));
+  },
+  credentials: true
+}));
+app.use(express.json());
+
+// Health check
+app.get('/health', (req, res) => {
+  res.json({ status: 'ok', service: 'tksafety-api', timestamp: new Date().toISOString() });
+});
+
+// Routes
+app.use('/api/daily-visits', dailyVisitRoutes);
+app.use('/api/education', educationRoutes);
+
+// Partner search (autocomplete)
+app.get('/api/partners/search', requireAuth, async (req, res) => {
+  try {
+    const q = req.query.q || '';
+    if (!q.trim()) return res.json({ success: true, data: [] });
+    const db = dailyVisitModel.getPool();
+    const [rows] = await db.query(
+      'SELECT id, company_name, business_number FROM partner_companies WHERE is_active = TRUE AND company_name LIKE ? ORDER BY company_name LIMIT 20',
+      [`%${q}%`]
+    );
+    res.json({ success: true, data: rows });
+  } catch (err) {
+    console.error('Partner search error:', err);
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+// 404
+app.use((req, res) => {
+  res.status(404).json({ success: false, error: 'Not Found' });
+});
+
+// Error handler
+app.use((err, req, res, next) => {
+  console.error('tksafety-api Error:', err.message);
+  res.status(err.status || 500).json({
+    success: false,
+    error: err.message || 'Internal Server Error'
+  });
+});
+
+// 자정 자동 체크아웃 (매일 23:59 KST)
+cron.schedule('59 23 * * *', async () => {
+  try {
+    const result = await dailyVisitModel.autoCheckoutAll();
+    console.log(`Auto checkout: ${result.affectedRows} visits`);
+  } catch (e) {
+    console.error('Auto checkout failed:', e);
+  }
+}, { timezone: 'Asia/Seoul' });
+
+app.listen(PORT, () => {
+  console.log(`tksafety-api running on port ${PORT}`);
+});
+
+module.exports = app;
--- a/tksafety/api/middleware/auth.js
+++ b/tksafety/api/middleware/auth.js
@@ -0,0 +1,101 @@
+const jwt = require('jsonwebtoken');
+const mysql = require('mysql2/promise');
+
+const JWT_SECRET = process.env.SSO_JWT_SECRET;
+
+let pool;
+function getPool() {
+  if (!pool) {
+    pool = mysql.createPool({
+      host: process.env.DB_HOST || 'mariadb',
+      port: parseInt(process.env.DB_PORT) || 3306,
+      user: process.env.DB_USER || 'hyungi_user',
+      password: process.env.DB_PASSWORD,
+      database: process.env.DB_NAME || 'hyungi',
+      waitForConnections: true,
+      connectionLimit: 5,
+      queueLimit: 0
+    });
+  }
+  return pool;
+}
+
+function extractToken(req) {
+  const authHeader = req.headers['authorization'];
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    return authHeader.split(' ')[1];
+  }
+  if (req.cookies && req.cookies.sso_token) {
+    return req.cookies.sso_token;
+  }
+  return null;
+}
+
+function requireAuth(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return res.status(401).json({ success: false, error: '인증이 필요합니다' });
+  }
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    req.user = decoded;
+    next();
+  } catch {
+    return res.status(401).json({ success: false, error: '유효하지 않은 토큰입니다' });
+  }
+}
+
+function requireAdmin(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return res.status(401).json({ success: false, error: '인증이 필요합니다' });
+  }
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    if (!['admin', 'system'].includes((decoded.role || '').toLowerCase())) {
+      return res.status(403).json({ success: false, error: '관리자 권한이 필요합니다' });
+    }
+    req.user = decoded;
+    next();
+  } catch {
+    return res.status(401).json({ success: false, error: '유효하지 않은 토큰입니다' });
+  }
+}
+
+function requirePage(pageName) {
+  return async (req, res, next) => {
+    const userId = req.user.user_id || req.user.id;
+    const role = (req.user.role || '').toLowerCase();
+    if (role === 'admin' || role === 'system') return next();
+
+    try {
+      const db = getPool();
+      // 1. 개인 권한
+      const [rows] = await db.query(
+        'SELECT can_access FROM user_page_permissions WHERE user_id = ? AND page_name = ?',
+        [userId, pageName]
+      );
+      if (rows.length > 0) {
+        return rows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+      }
+      // 2. 부서 권한
+      const [userRows] = await db.query('SELECT department_id FROM sso_users WHERE user_id = ?', [userId]);
+      if (userRows.length > 0 && userRows[0].department_id) {
+        const [deptRows] = await db.query(
+          'SELECT can_access FROM department_page_permissions WHERE department_id = ? AND page_name = ?',
+          [userRows[0].department_id, pageName]
+        );
+        if (deptRows.length > 0) {
+          return deptRows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+        }
+      }
+      // 3. 기본 거부
+      return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+    } catch (err) {
+      console.error('Permission check error:', err);
+      return res.status(500).json({ success: false, error: '권한 확인 실패' });
+    }
+  };
+}
+
+module.exports = { getPool, extractToken, requireAuth, requireAdmin, requirePage };
--- a/tksafety/api/models/dailyVisitModel.js
+++ b/tksafety/api/models/dailyVisitModel.js
@@ -0,0 +1,198 @@
+const mysql = require('mysql2/promise');
+
+let pool;
+function getPool() {
+  if (!pool) {
+    pool = mysql.createPool({
+      host: process.env.DB_HOST || 'mariadb',
+      port: parseInt(process.env.DB_PORT) || 3306,
+      user: process.env.DB_USER || 'hyungi_user',
+      password: process.env.DB_PASSWORD,
+      database: process.env.DB_NAME || 'hyungi',
+      waitForConnections: true,
+      connectionLimit: 10,
+      queueLimit: 0
+    });
+  }
+  return pool;
+}
+
+async function findToday() {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT dv.*, pc.company_name AS partner_company_name
+     FROM daily_visits dv
+     LEFT JOIN partner_companies pc ON dv.company_id = pc.id
+     WHERE dv.visit_date = CURDATE()
+     ORDER BY dv.check_in_time DESC`
+  );
+  return rows;
+}
+
+async function getTodayStats() {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT
+       COUNT(*) AS total,
+       SUM(CASE WHEN status = 'checked_in' THEN 1 ELSE 0 END) AS checked_in,
+       SUM(CASE WHEN status IN ('checked_out','auto_checkout') THEN 1 ELSE 0 END) AS checked_out,
+       SUM(CASE WHEN status = 'cancelled' THEN 1 ELSE 0 END) AS cancelled,
+       SUM(visitor_count) AS total_visitors
+     FROM daily_visits WHERE visit_date = CURDATE()`
+  );
+  return rows[0];
+}
+
+async function findAll({ visit_date, date_from, date_to, company_id, purpose, status, page = 1, limit = 50 } = {}) {
+  const db = getPool();
+  let sql = `SELECT dv.*, pc.company_name AS partner_company_name
+             FROM daily_visits dv
+             LEFT JOIN partner_companies pc ON dv.company_id = pc.id WHERE 1=1`;
+  const params = [];
+  if (visit_date) { sql += ' AND dv.visit_date = ?'; params.push(visit_date); }
+  if (date_from) { sql += ' AND dv.visit_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND dv.visit_date <= ?'; params.push(date_to); }
+  if (company_id) { sql += ' AND dv.company_id = ?'; params.push(company_id); }
+  if (purpose) { sql += ' AND dv.purpose = ?'; params.push(purpose); }
+  if (status) { sql += ' AND dv.status = ?'; params.push(status); }
+  sql += ' ORDER BY dv.visit_date DESC, dv.check_in_time DESC';
+  const offset = (page - 1) * limit;
+  sql += ' LIMIT ? OFFSET ?';
+  params.push(limit, offset);
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT dv.*, pc.company_name AS partner_company_name
+     FROM daily_visits dv
+     LEFT JOIN partner_companies pc ON dv.company_id = pc.id
+     WHERE dv.id = ?`,
+    [id]
+  );
+  return rows[0] || null;
+}
+
+async function create(data) {
+  const db = getPool();
+  const [result] = await db.query(
+    `INSERT INTO daily_visits (visit_date, company_id, company_name, visitor_name, visitor_count,
+      purpose, purpose_detail, workplace_name, safety_education_yn, vehicle_number,
+      check_in_time, notes, managing_department, registered_by)
+     VALUES (CURDATE(), ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?)`,
+    [data.company_id || null, data.company_name || null, data.visitor_name, data.visitor_count || 1,
+     data.purpose, data.purpose_detail || null, data.workplace_name || null,
+     data.safety_education_yn || false, data.vehicle_number || null,
+     data.notes || null, data.managing_department || null, data.registered_by]
+  );
+  // 개별 인원 명단 (선택)
+  if (data.workers && data.workers.length > 0) {
+    for (const w of data.workers) {
+      await db.query(
+        'INSERT INTO daily_visit_workers (daily_visit_id, partner_worker_id, worker_name) VALUES (?, ?, ?)',
+        [result.insertId, w.partner_worker_id || null, w.worker_name]
+      );
+    }
+  }
+  return findById(result.insertId);
+}
+
+async function update(id, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.company_id !== undefined) { fields.push('company_id = ?'); values.push(data.company_id || null); }
+  if (data.company_name !== undefined) { fields.push('company_name = ?'); values.push(data.company_name || null); }
+  if (data.visitor_name !== undefined) { fields.push('visitor_name = ?'); values.push(data.visitor_name); }
+  if (data.visitor_count !== undefined) { fields.push('visitor_count = ?'); values.push(data.visitor_count); }
+  if (data.purpose !== undefined) { fields.push('purpose = ?'); values.push(data.purpose); }
+  if (data.purpose_detail !== undefined) { fields.push('purpose_detail = ?'); values.push(data.purpose_detail || null); }
+  if (data.workplace_name !== undefined) { fields.push('workplace_name = ?'); values.push(data.workplace_name || null); }
+  if (data.safety_education_yn !== undefined) { fields.push('safety_education_yn = ?'); values.push(data.safety_education_yn); }
+  if (data.vehicle_number !== undefined) { fields.push('vehicle_number = ?'); values.push(data.vehicle_number || null); }
+  if (data.notes !== undefined) { fields.push('notes = ?'); values.push(data.notes || null); }
+  if (data.managing_department !== undefined) { fields.push('managing_department = ?'); values.push(data.managing_department || null); }
+  if (data.status !== undefined) { fields.push('status = ?'); values.push(data.status); }
+  if (fields.length === 0) return findById(id);
+  values.push(id);
+  await db.query(`UPDATE daily_visits SET ${fields.join(', ')} WHERE id = ?`, values);
+  return findById(id);
+}
+
+async function checkout(id, note) {
+  const db = getPool();
+  await db.query(
+    `UPDATE daily_visits SET status = 'checked_out', check_out_time = NOW(), checkout_note = ? WHERE id = ? AND status = 'checked_in'`,
+    [note || null, id]
+  );
+  return findById(id);
+}
+
+async function bulkCheckout() {
+  const db = getPool();
+  const [result] = await db.query(
+    `UPDATE daily_visits SET status = 'checked_out', check_out_time = NOW() WHERE visit_date = CURDATE() AND status = 'checked_in'`
+  );
+  return result;
+}
+
+async function autoCheckoutAll() {
+  const db = getPool();
+  const [result] = await db.query(
+    `UPDATE daily_visits SET status = 'auto_checkout', check_out_time = NOW() WHERE visit_date = CURDATE() AND status = 'checked_in'`
+  );
+  return result;
+}
+
+async function deleteVisit(id) {
+  const db = getPool();
+  await db.query('DELETE FROM daily_visit_workers WHERE daily_visit_id = ?', [id]);
+  await db.query('DELETE FROM daily_visits WHERE id = ?', [id]);
+}
+
+async function getStats({ date_from, date_to } = {}) {
+  const db = getPool();
+  const params = [];
+  let dateFilter = '';
+  if (date_from) { dateFilter += ' AND visit_date >= ?'; params.push(date_from); }
+  if (date_to) { dateFilter += ' AND visit_date <= ?'; params.push(date_to); }
+
+  const [byPurpose] = await db.query(
+    `SELECT purpose, COUNT(*) AS cnt, SUM(visitor_count) AS total_visitors FROM daily_visits WHERE 1=1 ${dateFilter} GROUP BY purpose ORDER BY cnt DESC`,
+    params
+  );
+  const [byCompany] = await db.query(
+    `SELECT COALESCE(pc.company_name, dv.company_name, '미등록') AS company, COUNT(*) AS cnt, SUM(dv.visitor_count) AS total_visitors
+     FROM daily_visits dv LEFT JOIN partner_companies pc ON dv.company_id = pc.id WHERE 1=1 ${dateFilter} GROUP BY company ORDER BY cnt DESC LIMIT 20`,
+    params
+  );
+  const [byDate] = await db.query(
+    `SELECT visit_date, COUNT(*) AS cnt, SUM(visitor_count) AS total_visitors FROM daily_visits WHERE 1=1 ${dateFilter} GROUP BY visit_date ORDER BY visit_date DESC LIMIT 30`,
+    params
+  );
+  return { byPurpose, byCompany, byDate };
+}
+
+async function exportCsv({ date_from, date_to, company_id, purpose } = {}) {
+  const db = getPool();
+  let sql = `SELECT dv.visit_date, COALESCE(pc.company_name, dv.company_name, '') AS company,
+    dv.visitor_name, dv.visitor_count, dv.purpose, dv.purpose_detail, dv.workplace_name,
+    dv.safety_education_yn, dv.vehicle_number, dv.check_in_time, dv.check_out_time,
+    dv.status, dv.managing_department, dv.notes
+    FROM daily_visits dv LEFT JOIN partner_companies pc ON dv.company_id = pc.id WHERE 1=1`;
+  const params = [];
+  if (date_from) { sql += ' AND dv.visit_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND dv.visit_date <= ?'; params.push(date_to); }
+  if (company_id) { sql += ' AND dv.company_id = ?'; params.push(company_id); }
+  if (purpose) { sql += ' AND dv.purpose = ?'; params.push(purpose); }
+  sql += ' ORDER BY dv.visit_date DESC, dv.check_in_time DESC';
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+module.exports = {
+  getPool, findToday, getTodayStats, findAll, findById, create, update,
+  checkout, bulkCheckout, autoCheckoutAll, deleteVisit, getStats, exportCsv
+};
--- a/tksafety/api/models/educationModel.js
+++ b/tksafety/api/models/educationModel.js
@@ -0,0 +1,80 @@
+const { getPool } = require('./dailyVisitModel');
+
+async function findAll({ date_from, date_to, target_type, status, page = 1, limit = 50 } = {}) {
+  const db = getPool();
+  let sql = 'SELECT * FROM safety_education_reports WHERE 1=1';
+  const params = [];
+  if (date_from) { sql += ' AND education_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND education_date <= ?'; params.push(date_to); }
+  if (target_type) { sql += ' AND target_type = ?'; params.push(target_type); }
+  if (status) { sql += ' AND status = ?'; params.push(status); }
+  sql += ' ORDER BY education_date DESC';
+  const offset = (page - 1) * limit;
+  sql += ' LIMIT ? OFFSET ?';
+  params.push(limit, offset);
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query('SELECT * FROM safety_education_reports WHERE id = ?', [id]);
+  return rows[0] || null;
+}
+
+async function create(data) {
+  const db = getPool();
+  const attendeesStr = data.attendees ? (typeof data.attendees === 'string' ? data.attendees : JSON.stringify(data.attendees)) : null;
+  const [result] = await db.query(
+    `INSERT INTO safety_education_reports (target_type, target_id, education_date, educator, attendees, status, notes, registered_by)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+    [data.target_type, data.target_id || null, data.education_date, data.educator || null,
+     attendeesStr, data.status || 'planned', data.notes || null, data.registered_by]
+  );
+  return findById(result.insertId);
+}
+
+async function update(id, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.target_type !== undefined) { fields.push('target_type = ?'); values.push(data.target_type); }
+  if (data.education_date !== undefined) { fields.push('education_date = ?'); values.push(data.education_date); }
+  if (data.educator !== undefined) { fields.push('educator = ?'); values.push(data.educator || null); }
+  if (data.attendees !== undefined) {
+    const attendeesStr = data.attendees ? (typeof data.attendees === 'string' ? data.attendees : JSON.stringify(data.attendees)) : null;
+    fields.push('attendees = ?');
+    values.push(attendeesStr);
+  }
+  if (data.status !== undefined) { fields.push('status = ?'); values.push(data.status); }
+  if (data.notes !== undefined) { fields.push('notes = ?'); values.push(data.notes || null); }
+  if (fields.length === 0) return findById(id);
+  values.push(id);
+  await db.query(`UPDATE safety_education_reports SET ${fields.join(', ')} WHERE id = ?`, values);
+  return findById(id);
+}
+
+async function deleteReport(id) {
+  const db = getPool();
+  await db.query('DELETE FROM safety_education_reports WHERE id = ?', [id]);
+}
+
+async function getStats({ date_from, date_to } = {}) {
+  const db = getPool();
+  const params = [];
+  let dateFilter = '';
+  if (date_from) { dateFilter += ' AND education_date >= ?'; params.push(date_from); }
+  if (date_to) { dateFilter += ' AND education_date <= ?'; params.push(date_to); }
+
+  const [rows] = await db.query(
+    `SELECT target_type, COUNT(*) AS cnt,
+       SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) AS completed,
+       SUM(CASE WHEN status = 'planned' THEN 1 ELSE 0 END) AS planned,
+       SUM(CASE WHEN status = 'cancelled' THEN 1 ELSE 0 END) AS cancelled
+     FROM safety_education_reports WHERE 1=1 ${dateFilter} GROUP BY target_type`,
+    params
+  );
+  return rows;
+}
+
+module.exports = { findAll, findById, create, update, deleteReport, getStats };
--- a/tksafety/api/package.json
+++ b/tksafety/api/package.json
@@ -0,0 +1,17 @@
+{
+  "name": "tksafety-api",
+  "version": "1.0.0",
+  "description": "TK Factory Services - 안전 관리 서비스",
+  "main": "index.js",
+  "scripts": {
+    "start": "node index.js",
+    "dev": "node --watch index.js"
+  },
+  "dependencies": {
+    "cors": "^2.8.5",
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.0",
+    "mysql2": "^3.14.1",
+    "node-cron": "^3.0.3"
+  }
+}
--- a/tksafety/api/routes/dailyVisitRoutes.js
+++ b/tksafety/api/routes/dailyVisitRoutes.js
@@ -0,0 +1,18 @@
+const express = require('express');
+const router = express.Router();
+const { requireAuth, requirePage } = require('../middleware/auth');
+const ctrl = require('../controllers/dailyVisitController');
+
+router.use(requireAuth);
+
+router.get('/today', ctrl.today);
+router.get('/export', ctrl.exportCsv);
+router.get('/stats', ctrl.stats);
+router.get('/', ctrl.list);
+router.post('/', requirePage('safety_visit'), ctrl.create);
+router.post('/bulk-checkout', requirePage('safety_visit'), ctrl.bulkCheckout);
+router.put('/:id', requirePage('safety_visit'), ctrl.update);
+router.put('/:id/checkout', requirePage('safety_visit'), ctrl.checkout);
+router.delete('/:id', requirePage('safety_visit'), ctrl.deleteVisit);
+
+module.exports = router;
--- a/tksafety/api/routes/educationRoutes.js
+++ b/tksafety/api/routes/educationRoutes.js
@@ -0,0 +1,15 @@
+const express = require('express');
+const router = express.Router();
+const { requireAuth, requirePage } = require('../middleware/auth');
+const ctrl = require('../controllers/educationController');
+
+router.use(requireAuth);
+
+router.get('/', ctrl.list);
+router.get('/stats', ctrl.stats);
+router.get('/:id', ctrl.getById);
+router.post('/', requirePage('safety_education'), ctrl.create);
+router.put('/:id', requirePage('safety_education'), ctrl.update);
+router.delete('/:id', requirePage('safety_education'), ctrl.deleteReport);
+
+module.exports = router;