diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..464e2b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets.txt
diff --git a/Bookworm-Setup.sh b/Bookworm-Setup.sh
index 4c6570e..bdaf6cf 100644
--- a/Bookworm-Setup.sh
+++ b/Bookworm-Setup.sh
@@ -292,7 +292,7 @@ parse_authcode() {
 echo "EXPIRED"
 return
 fi
- echo "${token_upper,,}" # bash4+ 转小写
+ echo "$token_upper" | tr '[:upper:]' '[:lower:]' # 兼容 bash 3.2 (macOS 默认)
 }
 # 先尝试缓存
@@ -301,17 +301,19 @@ if load_cached_secrets 2>/dev/null; then
 elif [ -f "$SECRETS_ENC" ]; then
 DECRYPTED=""
 valid_attempts=0
- while [ $valid_attempts -lt 3 ]; do
+ total_attempts=0
+ while [ $valid_attempts -lt 3 ] && [ $total_attempts -lt 10 ]; do
 echo ""
 read -p " 输入授权码 (BW-YYYYMMDD-XXXXXX, 第 $((valid_attempts+1))/3 次): " AUTH_CODE
+ total_attempts=$((total_attempts + 1))
 TOKEN=$(parse_authcode "$AUTH_CODE")
 AUTH_CODE=""
 if [ "$TOKEN" = "EXPIRED" ]; then
 warn "授权码已过期, 请联系管理员获取新授权码"
- continue # 不消耗尝试次数
+ continue # 不消耗有效次数
 elif [ -z "$TOKEN" ]; then
- warn "授权码格式错误 (格式: BW-YYYYMMDD-24位字母数字)"
- continue # 不消耗尝试次数
+ warn "授权码格式错误 (格式: BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXXXXXX)"
+ continue # 不消耗有效次数
 fi
 valid_attempts=$((valid_attempts + 1))
 DECRYPTED=$(_decrypt_secrets "$TOKEN" "$SECRETS_ENC") || true
diff --git a/auto-setup.ps1 b/auto-setup.ps1
index 35e7896..76282cc 100644
--- a/auto-setup.ps1
+++ b/auto-setup.ps1
@@ -72,7 +72,7 @@ function Show-AuthCodeDialog($attempt = 1, $maxAttempts = 3) {
 $label = New-Object System.Windows.Forms.Label
 $label.Location = New-Object System.Drawing.Point(20, 18)
 $label.Size = New-Object System.Drawing.Size(440, 36)
- $label.Text = "请输入管理员提供的授权码:`n格式: BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXX XXXX"
+ $label.Text = "请输入管理员提供的授权码:`n格式: BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXXXXXX"
 $label.Font = New-Object System.Drawing.Font("Segoe UI", 9)
 $form.Controls.Add($label)
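Review bot: In the `.gitignore` hunk, the new `secrets.txt` entry only keeps an untracked copy from being staged; it does nothing for a copy that is already tracked or that exists in earlier commits. Nothing on this page shows whether the file was ever committed, so it is worth confirming that `git log --all -- secrets.txt` returns nothing and rotating the credentials if it does not. A one-line comment above the entry saying what the file holds, for example `# plaintext input for secrets.enc, never commit` (if that is what it is), would keep the entry from being removed later as unexplained.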
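Review bot: In the Bookworm-Setup.sh retry loop (`@@ -301,17 +301,19 @@`), the `read -p … AUTH_CODE` line still runs without `-r`, without `-s` and without a status check, so the authorization code is echoed to the terminal and its scrollback, backslashes in a pasted code are interpreted, and an EOF on stdin simply spends the ten `total_attempts` on empty input. I would write it as `IFS= read -r -s -p "…" AUTH_CODE || break` followed by a bare `echo`. `AUTH_CODE` is cleared after parsing but `TOKEN` stays set after `_decrypt_secrets` returns; if nothing later needs it, `TOKEN=""` after that call would match. The code after the loop is outside this hunk, so check that it reports the case where the loop stopped on the `total_attempts` cap rather than on three failed decrypts.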
@@ -626,7 +626,7 @@ elseif (Test-Path $SecretsEnc) {
 continue
 }
 if (-not $token) {
- Show-MsgBox "格式错误。`n正确格式: BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXX XXXX`n`n请检查后重新粘贴。" "格式错误" "OK" "Warning"
+ Show-MsgBox "格式错误。`n正确格式: BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXXXXXX`n`n请检查后重新粘贴。" "格式错误" "OK" "Warning"
 continue
 }
 $validAttempts++
diff --git a/install.ps1 b/install.ps1
index f78884e..6334435 100644
--- a/install.ps1
+++ b/install.ps1
@@ -202,7 +202,7 @@ function Parse-AuthCode {
 $code = $code.Trim()
 # 格式: BW-YYYYMMDD-24位HexToken
 if ($code -notmatch '^BW-(\d{8})-([A-Fa-f0-9]{24})$') {
- Write-Host " [!!] 格式错误,应为 BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXX XXXX" -ForegroundColor Red
+ Write-Host " [!!] 格式错误,应为 BW-YYYYMMDD-XXXXXXXXXXXXXXXXXXXXXXXX" -ForegroundColor Red
 return $null
 }
 $expiryStr = $Matches[1]
@@ -231,38 +231,33 @@ function Decrypt-Secrets {
 }
 $cryptoHelper = Join-Path $ScriptDir "crypto-helper.js"
- $maxRetries = 3
- for ($attempt = 1; $attempt -le $maxRetries; $attempt++) {
- $label = if ($attempt -gt 1) { " 重新输入授权码 (第 $attempt/$maxRetries 次)" } else { " 输入授权码 (格式: BW-YYYYMMDD-...)" }
+ $validAttempts = 0
+ $totalAttempts = 0
+ while ($validAttempts -lt 3 -and $totalAttempts -lt 10) {
+ $totalAttempts++
+ $label = if ($validAttempts -gt 0) { " 重新输入授权码 (第 $($validAttempts+1)/3 次)" } else { " 输入授权码 (格式: BW-YYYYMMDD-...)" }
 $authCodeRaw = Read-Host $label
 $plainPwd = Parse-AuthCode $authCodeRaw
 if (-not $plainPwd) {
- # 格式错误或已过期: 不计入密码重试, 直接继续
- $attempt--
- $maxRetries-- # 最多给 3 次有效尝试
- if ($maxRetries -lt 1) { break }
+ # 格式错误或已过期: 不计入有效重试次数
 continue
 }
+ $validAttempts++
 $prevEAP = $ErrorActionPreference
 $ErrorActionPreference = "Continue"
 if ($useNode) {
- # Node.js 解密 (跨平台一致)
 $decrypted = & node $cryptoHelper decrypt $plainPwd $SecretsEnc 2>&1
 $decExit = $LASTEXITCODE
 } else {
- # openssl 回退
 $decrypted = $plainPwd | & $opensslCmd enc -aes-256-cbc -d -pbkdf2 -iter 600000 -md sha256 -in $SecretsEnc -pass stdin 2>&1
 $decExit = $LASTEXITCODE
 }
 $ErrorActionPreference = $prevEAP
-
- # 清除内存中的 token
 $plainPwd = $null
 if ($decExit -eq 0 -and $decrypted -and $decrypted -notmatch 'PASSWORD_ERROR|FORMAT_ERROR|bad decrypt') {
- # 解密成功,注入环境变量
 $decrypted -split "`n" | ForEach-Object {
 $line = $_.Trim()
 if ($line -and $line.Contains('=')) {
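Review bot: In the `$useNode` branch the token is still handed to the helper as a command-line argument, `& node $cryptoHelper decrypt $plainPwd $SecretsEnc`, so it is readable in the process list and in any process-creation logging for as long as node runs, while the openssl branch directly below already feeds it through `-pass stdin`. crypto-helper.js is not part of this diff, so its interface is an assumption here, but it should take the token on stdin or from an environment variable in the same way. `$plainPwd = $null` only drops the reference (the commit removes the comment that described it as clearing memory), and `$authCodeRaw` is never reset; adding `$authCodeRaw = $null` right after the `Parse-AuthCode` call would at least match what Bookworm-Setup.sh does with `AUTH_CODE`. Decrypt-Secrets starts before this hunk and continues past it.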
@@ -276,18 +271,15 @@ function Decrypt-Secrets {
 return
 }
- # 解密失败
- $remaining = $maxRetries - $attempt
+ $remaining = 3 - $validAttempts
 if ($remaining -gt 0) {
- Write-Host " [!!] 密码错误,剩余重试: $remaining 次" -ForegroundColor Red
+ Write-Host " [!!] 授权码无效 (解密失败),剩余重试: $remaining 次" -ForegroundColor Red
 }
 }
- # 3次全部失败
 Write-Host ""
- Write-Host " [ABORT] 3 次密码均错误" -ForegroundColor Red
- Write-Host " 请确认主密码是否正确 (区分大小写)" -ForegroundColor Yellow
- Write-Host " 如忘记密码,请联系管理员重新生成 secrets.enc" -ForegroundColor Yellow
+ Write-Host " [ABORT] 3 次授权码均无效,凭证未解密" -ForegroundColor Red
+ Write-Host " 请确认授权码是否正确,或联系管理员重新生成" -ForegroundColor Yellow
 exit 1
 }
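Review bot: The abort text after the loop, `[ABORT] 3 次授权码均无效,凭证未解密`, is now also reached when the loop stops on the `$totalAttempts -lt 10` cap added in the previous hunk, that is after ten malformed or expired inputs and fewer than three real decrypt attempts. The message should depend on the counter, for example `if ($validAttempts -lt 3) { Write-Host " [ABORT] 无效输入次数过多,凭证未解密" -ForegroundColor Red }` with the existing line in the `else`, so a user or a log reader can tell the two cases apart. The literals 3 and 10 are also repeated across the loop condition, the prompt and `$remaining = 3 - $validAttempts`; naming them once (say `$maxValid` and `$maxTotal`) keeps them in step. The start of Decrypt-Secrets is outside this hunk.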