diff --git a/backend/app/Command/CleanRequestLogsCommand.php b/backend/app/Command/CleanRequestLogsCommand.php
index 45065e3..8eae19d 100644
--- a/backend/app/Command/CleanRequestLogsCommand.php
+++ b/backend/app/Command/CleanRequestLogsCommand.php
@@ -29,6 +29,12 @@ class CleanRequestLogsCommand extends HyperfCommand
 public function handle(): void
 {
 $days = (int) $this->input->getOption('days');
+
+ if ($days < 1) {
+ $this->error('保留天数必须大于 0');
+ return;
+ }
+
 $cutoff = Carbon::now()->subDays($days);
 
 $deleted = ApiRequestLog::query()
diff --git a/backend/app/Middleware/RequestLogMiddleware.php b/backend/app/Middleware/RequestLogMiddleware.php
index cc6c039..639226d 100644
--- a/backend/app/Middleware/RequestLogMiddleware.php
+++ b/backend/app/Middleware/RequestLogMiddleware.php
@@ -86,7 +86,10 @@ class RequestLogMiddleware implements MiddlewareInterface
 */
 public static function sanitizeBody(array $body): array
 {
- $sensitive_keys = ['password', 'old_password', 'new_password', 'password_confirmation'];
+ $sensitive_keys = [
+ 'password', 'old_password', 'new_password', 'password_confirmation',
+ 'token', 'secret', 'api_key', 'access_token', 'refresh_token',
+ ];
 
 foreach ($body as $key => $value) {
 if (in_array($key, $sensitive_keys, true)) {
diff --git a/backend/test/Cases/Unit/Middleware/RequestLogMiddlewareTest.php b/backend/test/Cases/Unit/Middleware/RequestLogMiddlewareTest.php
index 1d2eb96..7986986 100644
--- a/backend/test/Cases/Unit/Middleware/RequestLogMiddlewareTest.php
+++ b/backend/test/Cases/Unit/Middleware/RequestLogMiddlewareTest.php
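Review bot: The new `$days < 1` guard in `handle()` prints an error and then returns normally, so a scheduler or cron wrapper presumably still records a successful run while no request logs were pruned. Since `handle()` is declared `void`, the failure should be signalled through whatever exit-status mechanism the command base class offers, so that a misconfigured `--days` shows up in job monitoring. The guard also deserves a why-comment, for example `// (int) turns non-numeric input into 0; refuse it so the cutoff can never be "now" and delete every log row`. The rest of `handle()` lies outside the hunk, so whether an upper bound or a dry-run mode exists cannot be seen from here.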
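Review bot: The widened `$sensitive_keys` list in `sanitizeBody()` is still matched by exact, case-sensitive name through `in_array($key, $sensitive_keys, true)`, so a body field named `accessToken`, `Api_Key`, `client_secret` or `authorization` would reach the request log unmasked. Normalising the key before the lookup closes the case gap, e.g. `if (in_array(strtolower((string) $key), $sensitive_keys, true)) {`. A suffix rule for names ending in `_token`, `_secret` or `_key` would also cover vendor-specific fields without growing the list on every incident. The loop body continues past the hunk, so how nested arrays and non-string values are handled is not visible here.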
@@ -131,4 +131,43 @@ class RequestLogMiddlewareTest extends TestCase
 $ip = RequestLogMiddleware::getClientIp($request);
 $this->assertSame('192.168.1.1', $ip);
 }
+
+ public function test_get_client_ip_returns_null_when_no_ip_available(): void
+ {
+ $request = new ServerRequest('GET', '/test');
+
+ $ip = RequestLogMiddleware::getClientIp($request);
+ $this->assertNull($ip);
+ }
+
+ public function test_extract_response_code_handles_code_as_string(): void
+ {
+ $response = new Response(200, ['Content-Type' => 'application/json'], json_encode([
+ 'code' => '200',
+ 'message' => 'success',
+ ]));
+
+ $code = RequestLogMiddleware::extractResponseCode($response);
+ $this->assertSame(200, $code);
+ }
+
+ public function test_sanitize_body_handles_deeply_nested_structures(): void
+ {
+ $body = [
+ 'level1' => [
+ 'level2' => [
+ 'level3' => [
+ 'password' => 'deep_secret',
+ 'token' => 'deep_token',
+ 'name' => 'keep_this',
+ ],
+ ],
+ ],
+ ];
+ $result = RequestLogMiddleware::sanitizeBody($body);
+
+ $this->assertSame('***', $result['level1']['level2']['level3']['password']);
+ $this->assertSame('***', $result['level1']['level2']['level3']['token']);
+ $this->assertSame('keep_this', $result['level1']['level2']['level3']['name']);
+ }
 }
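Review bot: `test_sanitize_body_handles_deeply_nested_structures` exercises only `password` and `token`, so of the keys this commit adds to the sanitizer, `secret`, `api_key`, `access_token` and `refresh_token` are not pinned by any test visible here. One data-provider case per key, each asserting `'***'`, would keep a later edit of the list from silently un-masking a credential in the request log. A case with a list of objects, such as `'items' => [['token' => 'x']]`, is also worth adding, because these lines do not show whether integer-keyed levels are recursed into. The new `$days < 1` guard in `CleanRequestLogsCommand` has no test in this commit either.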