npm - @kitecd/cli - Versions diffs - 1.1.0 → 1.3.0 - Mend

@kitecd/cli 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/doctor.js +181 -0
package/dist/export.js +144 -0
package/dist/ignore.js +38 -0
package/dist/import.js +333 -0
package/dist/index.js +213 -3
package/dist/ops.js +338 -0
package/dist/pack.js +15 -5
package/dist/serve.js +27 -1
package/dist/server/index.js +17231 -5610
package/dist/upload.js +11 -3
package/dist/verify.js +161 -0
package/dist/web/assets/AuditLog-BO9BJdsk.js +1 -0
package/dist/web/assets/ConfirmDialog-CikXU818.js +1 -0
package/dist/web/assets/ConfirmDialog-D8avT8FJ.css +1 -0
package/dist/web/assets/Dashboard-ho157_Gr.js +1 -0
package/dist/web/assets/DefaultLayout-Y_852d55.js +1 -0
package/dist/web/assets/DefaultLayout-lj5NNciV.css +1 -0
package/dist/web/assets/FileExplorer-oxT6ZdHt.js +1 -0
package/dist/web/assets/FolderPickerDialog-CDO-yrvE.css +1 -0
package/dist/web/assets/FolderPickerDialog-CKohwBIP.js +1 -0
package/dist/web/assets/LogBoard-DkvHTXcb.js +6 -0
package/dist/web/assets/LogBoard-Dx8yNofc.css +1 -0
package/dist/web/assets/LogTail-CuaBDDKf.js +9 -0
package/dist/web/assets/Login-kcvq2T9U.js +1 -0
package/dist/web/assets/Migration-C_M_Exzf.js +1 -0
package/dist/web/assets/ProjectDetail-BTOfo71A.js +1 -0
package/dist/web/assets/ProjectDetail-ia6-z1kZ.css +1 -0
package/dist/web/assets/ProjectList-D_PoTDT9.js +1 -0
package/dist/web/assets/ProjectList-YJlvRRNh.css +1 -0
package/dist/web/assets/ProjectTagsEditor-zXN_5rwP.js +1 -0
package/dist/web/assets/Settings-BL4hNZpU.js +1 -0
package/dist/web/assets/Storage-B-pZjj08.js +1 -0
package/dist/web/assets/Storage-CFbfZtA5.css +1 -0
package/dist/web/assets/Terminal-Bh7bM6Bb.css +1 -0
package/dist/web/assets/Terminal-fTZlKf2Y.js +7 -0
package/dist/web/assets/{activity-DItEGOtI.js → activity-DZCOq6kQ.js} +1 -1
package/dist/web/assets/archive-MB1JcYug.js +1 -0
package/dist/web/assets/arrow-left-CsZYc3XK.js +1 -0
package/dist/web/assets/{circle-alert-Bfrn_ovD.js → circle-alert-kmcvMchB.js} +1 -1
package/dist/web/assets/clock-DIBzfDoY.js +1 -0
package/dist/web/assets/constants-m1eFfRMw.js +1 -0
package/dist/web/assets/copy-CNXWZJbC.js +1 -0
package/dist/web/assets/createLucideIcon-BmsTm7z-.js +1 -0
package/dist/web/assets/database-D6rC_24l.js +1 -0
package/dist/web/assets/eye-off-BNUfzp8P.js +1 -0
package/dist/web/assets/eye-vRDqRzR9.js +1 -0
package/dist/web/assets/file-text-BxWt6is5.js +1 -0
package/dist/web/assets/folder-CYPJgLMr.js +1 -0
package/dist/web/assets/folder-open-DQz0XviI.js +1 -0
package/dist/web/assets/hard-drive-DBiQxkNS.js +1 -0
package/dist/web/assets/history-dkZbN_TB.js +1 -0
package/dist/web/assets/house-D9JIOKIs.js +1 -0
package/dist/web/assets/index-BZU6i5nw.js +2 -0
package/dist/web/assets/index-BrlC5Hdt.css +1 -0
package/dist/web/assets/loader-circle-OwtRa1dp.js +1 -0
package/dist/web/assets/pencil-BTFuj0gA.js +1 -0
package/dist/web/assets/plus-CcefsCv_.js +1 -0
package/dist/web/assets/refresh-cw-OqaxwQhF.js +1 -0
package/dist/web/assets/rotate-ccw-D8C0iiAw.js +1 -0
package/dist/web/assets/save-D0NTjP8Q.js +1 -0
package/dist/web/assets/scroll-text-6UwJwqap.js +1 -0
package/dist/web/assets/{server-C33taHNn.js → server-DFHpqwVn.js} +1 -1
package/dist/web/assets/square-terminal-C1oJyHEG.js +1 -0
package/dist/web/assets/sun-Cg6PdQms.js +1 -0
package/dist/web/assets/terminal-CUz5b_ol.js +1 -0
package/dist/web/assets/trash-2-20ikd6fk.js +1 -0
package/dist/web/assets/useIntervalRaf-CXWU2lqg.js +1 -0
package/dist/web/index.html +3 -3
package/package.json +11 -7
package/scripts/postinstall.js +53 -0
package/dist/web/assets/Dashboard-7wBCpwzp.js +0 -1
package/dist/web/assets/DefaultLayout-Bj8fPWym.css +0 -1
package/dist/web/assets/DefaultLayout-LaPhlICp.js +0 -1
package/dist/web/assets/FileExplorer-DvzkxXvZ.js +0 -1
package/dist/web/assets/LogBoard-BWAPesBz.js +0 -6
package/dist/web/assets/LogBoard-DzW-cEqH.css +0 -1
package/dist/web/assets/Login-BhNdUJs0.js +0 -1
package/dist/web/assets/ProjectDetail-DZwMOEto.js +0 -1
package/dist/web/assets/ProjectList-Czr-438J.js +0 -1
package/dist/web/assets/Settings-OmPvcQbD.js +0 -1
package/dist/web/assets/clock-BPXGSCIV.js +0 -1
package/dist/web/assets/constants-iI5LEC2F.js +0 -1
package/dist/web/assets/createLucideIcon-Cgv1AIRL.js +0 -1
package/dist/web/assets/folder-open-jX-_Q7bA.js +0 -1
package/dist/web/assets/index-C9LiRc31.css +0 -1
package/dist/web/assets/index-eyx6wNyQ.js +0 -2
package/dist/web/assets/project-BFuaDcvV.js +0 -1
package/dist/web/assets/refresh-cw-DWmqwQRn.js +0 -1
package/dist/web/assets/save-BkiMrL9q.js +0 -1
package/dist/web/assets/settings-CrCWmNyB.js +0 -1
package/dist/web/assets/square-terminal-C8toRwjx.js +0 -1

package/dist/ops.js ADDED Viewed

@@ -0,0 +1,338 @@
+import chalk from 'chalk';
+import readline from 'readline/promises';
+import { stdin as input, stdout as output } from 'process';
+import { randomUUID } from 'crypto';
+import { readGlobalConfig, readLocalEnv, resolveProjectConfig, envTokenKey, listProjectEnvs, } from './home.js';
+export function resolveOpsAuth(opts = {}) {
+    const globalCfg = readGlobalConfig();
+    const localEnv = readLocalEnv();
+    const serverUrl = opts.server ||
+        process.env.KITE_SERVER_URL ||
+        localEnv.KITE_SERVER_URL ||
+        globalCfg.serverUrl;
+    if (!serverUrl) {
+        throw new Error('Server URL not configured. Use --server <url> or run `kite config:set serverUrl <url> --global`.');
+    }
+    if (opts.token) {
+        return { serverUrl, token: opts.token, source: 'cli flag' };
+    }
+    if (opts.requireAdmin) {
+        const adminTok = process.env.KITE_TOKEN || globalCfg.token;
+        if (!adminTok) {
+            throw new Error('Admin token required. Run `kite config:set token <admin> --global` or pass --token.');
+        }
+        return { serverUrl, token: adminTok, source: 'global admin token' };
+    }
+    const envTok = process.env.KITE_TOKEN || process.env.KITE_DEPLOY_TOKEN || localEnv.KITE_TOKEN || localEnv.KITE_DEPLOY_TOKEN;
+    if (envTok)
+        return { serverUrl, token: envTok, source: 'env var' };
+    const allEnvs = listProjectEnvs();
+    let resolved = null;
+    if (opts.env) {
+        resolved = resolveProjectConfig(opts.env);
+    }
+    else if (allEnvs.length === 1) {
+        resolved = allEnvs[0];
+    }
+    if (resolved?.config?.projectId) {
+        const key = envTokenKey(resolved.config.projectId, resolved.env);
+        const projTok = globalCfg.projectToken?.[key];
+        if (projTok)
+            return { serverUrl, token: projTok, source: `project token (${key})` };
+    }
+    if (globalCfg.token) {
+        return { serverUrl, token: globalCfg.token, source: 'global admin token' };
+    }
+    throw new Error('Token not found. Configure via `kite config:set token <value>` (project) or `kite config:set token <admin> --global`.');
+}
+async function readJson(res) {
+    const text = await res.text();
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { error: text };
+    }
+}
+async function expectOk(res, label) {
+    if (res.status === 401)
+        throw new Error(`Unauthorized: invalid token (${label})`);
+    if (res.status === 404) {
+        const body = await readJson(res);
+        throw new Error(`Not found: ${body.error || label}`);
+    }
+    if (!res.ok) {
+        const body = await readJson(res);
+        throw new Error(`[${res.status}] ${body.error || label}`);
+    }
+    return readJson(res);
+}
+function statusColor(status) {
+    switch (status) {
+        case 'success': return chalk.green(status);
+        case 'failed': return chalk.red(status);
+        case 'running': return chalk.yellow(status);
+        case 'idle': return chalk.gray(status);
+        default: return chalk.gray(status || '-');
+    }
+}
+function padCell(text, width) {
+    const visible = text.replace(/\x1b\[[0-9;]*m/g, '');
+    if (visible.length >= width)
+        return text;
+    return text + ' '.repeat(width - visible.length);
+}
+function printTable(rows, headers) {
+    const cols = headers.length;
+    const widths = new Array(cols).fill(0);
+    for (const r of [headers, ...rows]) {
+        for (let i = 0; i < cols; i++) {
+            const visible = (r[i] || '').replace(/\x1b\[[0-9;]*m/g, '');
+            if (visible.length > widths[i])
+                widths[i] = visible.length;
+        }
+    }
+    const headerLine = headers.map((h, i) => padCell(chalk.bold(h), widths[i])).join('  ');
+    console.log(headerLine);
+    console.log(chalk.gray(widths.map((w) => '-'.repeat(w)).join('  ')));
+    for (const r of rows) {
+        console.log(r.map((c, i) => padCell(c, widths[i])).join('  '));
+    }
+}
+export async function runList(opts) {
+    const auth = resolveOpsAuth({ ...opts, requireAdmin: true });
+    const res = await fetch(`${auth.serverUrl.replace(/\/$/, '')}/api/projects`, {
+        headers: { Authorization: `Bearer ${auth.token}` },
+    });
+    const projects = await expectOk(res, 'GET /api/projects');
+    let filtered = projects;
+    if (opts.env)
+        filtered = projects.filter((p) => (p.env || '') === opts.env);
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(filtered, null, 2) + '\n');
+        return 0;
+    }
+    if (filtered.length === 0) {
+        console.log(chalk.gray('No projects found.'));
+        return 0;
+    }
+    const rows = filtered.map((p) => [
+        p.id,
+        p.name,
+        p.env || chalk.gray('-'),
+        statusColor(p.status),
+        chalk.gray(p.updatedAt ? new Date(p.updatedAt).toISOString().slice(0, 19).replace('T', ' ') : '-'),
+    ]);
+    printTable(rows, ['ID', 'NAME', 'ENV', 'STATUS', 'UPDATED']);
+    console.log(chalk.gray(`\n${filtered.length} project(s)`));
+    return 0;
+}
+export async function runStatus(projectIdArg, opts) {
+    const auth = resolveOpsAuth({ ...opts, requireAdmin: true });
+    const limit = Math.min(Math.max(Number(opts.limit) || 5, 1), 50);
+    let projectId = projectIdArg;
+    if (!projectId) {
+        const all = listProjectEnvs();
+        const resolved = opts.env ? resolveProjectConfig(opts.env) : (all.length === 1 ? all[0] : null);
+        if (resolved?.config?.projectId) {
+            projectId = resolved.config.projectId;
+        }
+    }
+    if (!projectId) {
+        throw new Error('projectId required. Pass <projectId> or run inside a project directory with kite.config*.json');
+    }
+    const base = auth.serverUrl.replace(/\/$/, '');
+    const [projectRes, logsRes] = await Promise.all([
+        fetch(`${base}/api/projects/${projectId}`, { headers: { Authorization: `Bearer ${auth.token}` } }),
+        fetch(`${base}/api/logs`, { headers: { Authorization: `Bearer ${auth.token}` } }),
+    ]);
+    const project = await expectOk(projectRes, `GET /api/projects/${projectId}`);
+    const logs = await expectOk(logsRes, 'GET /api/logs');
+    const projectLogs = logs
+        .filter((l) => l.projectId === projectId)
+        .sort((a, b) => (b.startTime || '').localeCompare(a.startTime || ''))
+        .slice(0, limit);
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({ project, deployments: projectLogs }, null, 2) + '\n');
+        return 0;
+    }
+    console.log(chalk.bold(`Project: ${project.name}`) + chalk.gray(`  (${project.id})`));
+    console.log(chalk.gray(`Status: `) + statusColor(project.status));
+    console.log('');
+    if (projectLogs.length === 0) {
+        console.log(chalk.gray('No deployments yet.'));
+        return 0;
+    }
+    const rows = projectLogs.map((d) => [
+        d.id.slice(0, 12),
+        statusColor(d.status),
+        d.triggerSource,
+        chalk.gray(d.startTime ? d.startTime.slice(0, 19).replace('T', ' ') : '-'),
+        d.duration || chalk.gray('-'),
+        d.rollbackOf ? chalk.gray(`← ${d.rollbackOf.slice(0, 8)}`) : '',
+    ]);
+    printTable(rows, ['DEPLOY ID', 'STATUS', 'TRIGGER', 'STARTED', 'DURATION', 'ROLLBACK OF']);
+    return 0;
+}
+const STATUS_EXIT = { success: 0, failed: 1, running: 0 };
+export async function runLogs(deployId, opts) {
+    const auth = resolveOpsAuth({ ...opts, requireAdmin: true });
+    const base = auth.serverUrl.replace(/\/$/, '');
+    if (!opts.follow) {
+        const res = await fetch(`${base}/api/logs/${deployId}`, {
+            headers: { Authorization: `Bearer ${auth.token}` },
+        });
+        const log = await expectOk(res, `GET /api/logs/${deployId}`);
+        if (opts.json) {
+            process.stdout.write(JSON.stringify(log, null, 2) + '\n');
+            return STATUS_EXIT[log.status] ?? 1;
+        }
+        console.log(chalk.bold(`Deployment ${log.id.slice(0, 12)}`) + chalk.gray(`  (${log.projectName})`));
+        console.log(chalk.gray('Status: ') + statusColor(log.status) + chalk.gray(`  duration=${log.duration || '-'}  trigger=${log.triggerSource}`));
+        console.log('');
+        if (log.output)
+            process.stdout.write(log.output);
+        if (!log.output?.endsWith('\n'))
+            process.stdout.write('\n');
+        return STATUS_EXIT[log.status] ?? 1;
+    }
+    const res = await fetch(`${base}/api/logs/${deployId}/stream`, {
+        headers: {
+            Authorization: `Bearer ${auth.token}`,
+            Accept: 'text/event-stream',
+        },
+    });
+    if (res.status === 401)
+        throw new Error('Unauthorized: invalid token');
+    if (res.status === 404)
+        throw new Error('Deployment not found');
+    if (!res.ok || !res.body)
+        throw new Error(`SSE failed: HTTP ${res.status}`);
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+    let lastStatus = null;
+    let printedOutputLen = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        buffer += decoder.decode(value, { stream: true });
+        const events = buffer.split('\n\n');
+        buffer = events.pop();
+        for (const block of events) {
+            if (!block.trim())
+                continue;
+            let event = 'message';
+            let data = '';
+            for (const line of block.split('\n')) {
+                if (line.startsWith('event: '))
+                    event = line.slice(7).trim();
+                else if (line.startsWith('data: '))
+                    data += line.slice(6);
+            }
+            let parsed = data;
+            try {
+                parsed = JSON.parse(data);
+            }
+            catch { }
+            if (event === 'log') {
+                // First log event from server contains the full historical output.
+                // Subsequent events are incremental lines.
+                if (printedOutputLen === 0 && typeof parsed === 'string' && parsed.includes('\n')) {
+                    process.stdout.write(parsed);
+                    if (!parsed.endsWith('\n'))
+                        process.stdout.write('\n');
+                    printedOutputLen = parsed.length;
+                }
+                else {
+                    process.stdout.write(parsed + '\n');
+                }
+            }
+            else if (event === 'status') {
+                let payload = parsed;
+                if (typeof payload === 'string') {
+                    try {
+                        payload = JSON.parse(payload);
+                    }
+                    catch { }
+                }
+                lastStatus = payload?.status || null;
+                const dur = payload?.duration || '-';
+                console.log(chalk.gray(`\n[Kite Logs] Deployment finished: `) + statusColor(lastStatus) + chalk.gray(`  duration=${dur}`));
+                try {
+                    reader.cancel();
+                }
+                catch { }
+                break;
+            }
+        }
+        if (lastStatus)
+            break;
+    }
+    return STATUS_EXIT[lastStatus || ''] ?? 0;
+}
+export async function runRollback(projectIdArg, opts) {
+    const auth = resolveOpsAuth({ ...opts, requireAdmin: true });
+    const base = auth.serverUrl.replace(/\/$/, '');
+    let projectId = projectIdArg;
+    if (!projectId) {
+        const all = listProjectEnvs();
+        const resolved = opts.env ? resolveProjectConfig(opts.env) : (all.length === 1 ? all[0] : null);
+        if (resolved?.config?.projectId)
+            projectId = resolved.config.projectId;
+    }
+    if (!projectId)
+        throw new Error('projectId required for rollback.');
+    let targetDeployId = opts.to;
+    if (!targetDeployId) {
+        const logsRes = await fetch(`${base}/api/logs`, { headers: { Authorization: `Bearer ${auth.token}` } });
+        const logs = await expectOk(logsRes, 'GET /api/logs');
+        const candidates = logs
+            .filter((l) => l.projectId === projectId && l.status === 'success' && !!l.artifactPath && l.triggerSource !== 'rollback')
+            .sort((a, b) => (b.startTime || '').localeCompare(a.startTime || ''));
+        if (candidates.length === 0) {
+            throw new Error('No successful deployment with archived artifact found. Pass --to <deployId> explicitly.');
+        }
+        targetDeployId = candidates[0].id;
+        console.log(chalk.gray(`Selected latest success deploy: ${targetDeployId.slice(0, 12)}  (${candidates[0].startTime.slice(0, 19).replace('T', ' ')})`));
+    }
+    if (!opts.yes) {
+        if (!process.stdin.isTTY) {
+            throw new Error('Refusing to rollback in non-TTY mode without --yes. Add --yes to confirm.');
+        }
+        const rl = readline.createInterface({ input, output });
+        const answer = await rl.question(chalk.yellow(`About to rollback project ${projectId} to deploy ${targetDeployId.slice(0, 12)}. Proceed? [y/N] `));
+        rl.close();
+        if (!/^y(es)?$/i.test(answer.trim())) {
+            console.log(chalk.gray('Rollback cancelled.'));
+            return 1;
+        }
+    }
+    const traceId = randomUUID();
+    const res = await fetch(`${base}/api/deployments/${targetDeployId}/rollback`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${auth.token}`,
+            'X-Kite-Trace-Id': traceId,
+        },
+    });
+    const body = await readJson(res);
+    if (res.status === 401)
+        throw new Error('Unauthorized: invalid token');
+    if (res.status === 404)
+        throw new Error(body?.error || 'Deployment or artifact not found');
+    if (!res.ok || !body?.success) {
+        throw new Error(body?.error || `Rollback failed: HTTP ${res.status}`);
+    }
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(body, null, 2) + '\n');
+        return 0;
+    }
+    console.log(chalk.green(`Rollback succeeded.`));
+    console.log(chalk.gray(`  new deployId : ${body.deployId}`));
+    console.log(chalk.gray(`  rolled back  : ${body.rollbackOf}`));
+    console.log(chalk.gray(`  duration     : ${body.duration}`));
+    console.log(chalk.gray(`  traceId      : ${body.traceId}`));
+    return 0;
+}

package/dist/pack.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import archiver from 'archiver';
 import fs from 'fs';
 import path from 'path';
-const IGNORED = ['node_modules/**', '.git/**', '*.zip', '.env*'];
+import { mergeIgnore } from './ignore.js';
 /**
  * 将路径列表折叠：如果一个目录下的所有文件都在列表中，则只展示目录
  */
@@ -78,9 +78,19 @@ function collapseEntries(rawEntries) {
  * 将指定目录或文件打包为 zip 文件
  * @param sourceDir 要打包的源目录
  * @param destZip 目标 zip 文件的路径
- * @param files 允许上传的特定文件或目录列表（可选，如果提供则仅打包这些内容）
+ * @param filesOrOptions 兼容旧签名 string[]，或新版 PackOptions
+ *
+ * 忽略规则语义：
+ *   - 显式 files 条目命中真实路径（archive.file / archive.directory）→ 不应用 ignore，
+ *     用户明确指定即表示需要。
+ *   - glob 通配（archive.glob 含默认全量）→ 应用 mergeIgnore({ custom, ignoreBuiltin })。
  */
-export async function packProject(sourceDir, destZip, files) {
+export async function packProject(sourceDir, destZip, filesOrOptions) {
+    const opts = Array.isArray(filesOrOptions)
+        ? { files: filesOrOptions }
+        : (filesOrOptions || {});
+    const files = opts.files;
+    const ignoreList = mergeIgnore({ custom: opts.ignore, ignoreBuiltin: opts.ignoreBuiltin });
     return new Promise((resolve, reject) => {
         const output = fs.createWriteStream(destZip);
         const archive = archiver('zip', {
@@ -125,12 +135,12 @@ export async function packProject(sourceDir, destZip, files) {
                     }
                 }
                 else {
-                    archive.glob(pattern, { cwd: sourceDir, ignore: IGNORED });
+                    archive.glob(pattern, { cwd: sourceDir, ignore: ignoreList });
                 }
             });
         }
         else {
-            archive.glob('**/*', { cwd: sourceDir, ignore: IGNORED });
+            archive.glob('**/*', { cwd: sourceDir, ignore: ignoreList });
         }
         archive.finalize();
     });

package/dist/serve.js CHANGED Viewed

@@ -34,6 +34,17 @@ function detectRuntime(preferred) {
         process.exit(1);
     });
 }
+function isWeakAdminToken(token) {
+    if (typeof token !== 'string')
+        return { weak: true, reason: 'token 必须是字符串' };
+    if (token.length < 24)
+        return { weak: true, reason: '长度不足 24' };
+    if (!/[A-Za-z]/.test(token) || !/[0-9]/.test(token))
+        return { weak: true, reason: '需同时包含字母和数字' };
+    if (new Set(token).size < 8)
+        return { weak: true, reason: '字符多样性不足（去重 < 8）' };
+    return { weak: false };
+}
 function ensureAdminToken() {
     const localEnv = readLocalEnv();
     if (localEnv.KITE_DEPLOY_TOKEN) {
@@ -46,7 +57,12 @@ function ensureAdminToken() {
         const content = fs.readFileSync(envPath, 'utf-8');
         const match = content.match(/^ADMIN_TOKEN=(.+)$/m);
         if (match) {
-            return match[1].replace(/^['"]|['"]$/g, '');
+            const existing = match[1].replace(/^['"]|['"]$/g, '');
+            const check = isWeakAdminToken(existing);
+            if (check.weak) {
+                console.warn(chalk.yellow(`[warn] 当前 ADMIN_TOKEN 强度不足（${check.reason}），建议执行 kite rotate-token 或在 .env.local 中替换为长度 ≥ 24 且包含字母和数字、去重字符 ≥ 8 的随机字符串。`));
+            }
+            return existing;
         }
     }
     // Generate a new admin token
@@ -66,6 +82,14 @@ function buildServerEnv(options, adminToken) {
         KITE_SERVER_VERSION: cliPkg.version || '1.0.0',
     };
 }
+function isLocalHost(host) {
+    return host === '127.0.0.1' || host === 'localhost' || host === '::1';
+}
+function warnRemoteHost(host) {
+    if (!isLocalHost(host)) {
+        console.warn(chalk.yellow(`[warn] 当前监听 host=${host}，将对外网络暴露 Kite 管理端。请确保已在前置代理（Nginx/Caddy）配置 TLS 与限速，否则建议使用 --host 127.0.0.1。`));
+    }
+}
 function startForeground(options, env, runtime) {
     const bundlePath = getServerBundlePath();
     if (!fs.existsSync(bundlePath)) {
@@ -81,6 +105,7 @@ function startForeground(options, env, runtime) {
     console.log(chalk.gray(`  DB Dir: ${env.KITE_DB_DIR}`));
     console.log(chalk.yellow(`  Admin Token: ${env.ADMIN_TOKEN}`));
     console.log();
+    warnRemoteHost(options.host);
     const args = runtime.name === 'bun' ? ['run', bundlePath] : [bundlePath];
     const child = spawn(runtime.name, args, {
         stdio: 'inherit',
@@ -181,6 +206,7 @@ function startPm2(options, env, runtime) {
     console.log(chalk.gray('  pm2 logs kite-server    # View logs'));
     console.log(chalk.gray('  pm2 status              # Check status'));
     console.log(chalk.gray('  kite serve --pm2 stop   # Stop server'));
+    warnRemoteHost(options.host);
 }
 function stopPm2() {
     const result = spawnSync('pm2', ['delete', 'kite-server'], { stdio: 'inherit' });