@lightharu/krouter 1.8.0

package/dist-web/favicon.svg

@@ -0,0 +1,9 @@
+<svg width="96" height="96" viewBox="0 0 96 96" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <rect x="8" y="8" width="80" height="80" rx="22" fill="#0B1220"/>
+  <path d="M28 68V28h10v16.8L54.2 28H67L49.8 45.5 68.5 68H55.4L42.9 52.7 38 57.7V68H28Z" fill="#FFFFFF"/>
+  <path d="M63 28h5v5h-5v-5Z" fill="#22C55E"/>
+  <path d="M69 34h5v5h-5v-5Z" fill="#38BDF8"/>
+  <path d="M63 40h5v5h-5v-5Z" fill="#F59E0B"/>
+  <path d="M62.5 32.5 49.5 45.5M68.5 36.5 52 52M62.5 42.5 55.5 56" stroke="#94A3B8" stroke-width="2" stroke-linecap="round"/>
+  <circle cx="48" cy="48" r="5" fill="#38BDF8"/>
+</svg>

package/dist-web/icon.svg

@@ -0,0 +1,9 @@
+<svg width="96" height="96" viewBox="0 0 96 96" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <rect x="8" y="8" width="80" height="80" rx="22" fill="#0B1220"/>
+  <path d="M28 68V28h10v16.8L54.2 28H67L49.8 45.5 68.5 68H55.4L42.9 52.7 38 57.7V68H28Z" fill="#FFFFFF"/>
+  <path d="M63 28h5v5h-5v-5Z" fill="#22C55E"/>
+  <path d="M69 34h5v5h-5v-5Z" fill="#38BDF8"/>
+  <path d="M63 40h5v5h-5v-5Z" fill="#F59E0B"/>
+  <path d="M62.5 32.5 49.5 45.5M68.5 36.5 52 52M62.5 42.5 55.5 56" stroke="#94A3B8" stroke-width="2" stroke-linecap="round"/>
+  <circle cx="48" cy="48" r="5" fill="#38BDF8"/>
+</svg>

package/dist-web/index.html

@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <title>Krouter</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
+    />
+    <script type="module" crossorigin src="/assets/index-DCslvfUR.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-CM4-0adf.css">
+  </head>
+
+  <body>
+    <div id="root"></div>
+  </body>
+</html>

package/out-server/main/kiroAuthSync.js

@@ -0,0 +1,249 @@
+"use strict";
+// Kiro IDE Auth Token 同步层
+//
+// Kiro IDE 桌面端把 token 持久化在 ~/.aws/sso/cache/kiro-auth-token.json，
+// 并对该文件做 fs.watchFile 监听 + 内部 refresh loop。
+//
+// 反代和 IDE 必须以这个文件作为 single source of truth，否则会出现：
+//   反代 store 里 refreshToken_v2，磁盘里 refreshToken_v1（已被服务端轮换作废）
+//   → IDE 一小时后用 v1 调 OIDC → 401 → logoutAndForget()
+//
+// 本模块提供：
+//   writeKiroAuthTokenFile  — 以 Kiro IDE 兼容格式写入 token 文件（+ IdC 客户端注册）
+//   readKiroAuthTokenFile   — 读取当前磁盘 token
+//   parseAccessTokenClaims  — 解 accessToken 的 JWT 拿到 sub/email，用于反向匹配账号
+//   watchKiroAuthTokenFile  — 监听文件变化（IDE 自己 refresh 时用于反向同步到反代 store）
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KIRO_SOCIAL_PROFILE_ARN = exports.KIRO_BUILDER_ID_PLACEHOLDER_ARN = exports.KIRO_AUTH_TOKEN_PATH = exports.KIRO_SSO_CACHE_DIR = void 0;
+exports.isPlaceholderProfileArn = isPlaceholderProfileArn;
+exports.resolveProfileArnForWrite = resolveProfileArnForWrite;
+exports.writeKiroAuthTokenFile = writeKiroAuthTokenFile;
+exports.readKiroAuthTokenFile = readKiroAuthTokenFile;
+exports.parseAccessTokenClaims = parseAccessTokenClaims;
+exports.watchKiroAuthTokenFile = watchKiroAuthTokenFile;
+const fs = __importStar(require("fs/promises"));
+const fsSync = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const crypto = __importStar(require("crypto"));
+exports.KIRO_SSO_CACHE_DIR = path.join(os.homedir(), '.aws', 'sso', 'cache');
+exports.KIRO_AUTH_TOKEN_PATH = path.join(exports.KIRO_SSO_CACHE_DIR, 'kiro-auth-token.json');
+const KIRO_DEFAULT_START_URL = 'https://view.awsapps.com/start';
+const KIRO_OIDC_SCOPES = [
+    'codewhisperer:completions',
+    'codewhisperer:analysis',
+    'codewhisperer:conversations',
+    'codewhisperer:transformations',
+    'codewhisperer:taskassist'
+];
+// =============== profileArn 决策中心 ===============
+//
+// 占位符 ARN：Kiro IDE 源码 FixedProfileArns 里给 BuilderId 硬编码的值。
+// Kiro IDE 内部逻辑依赖该字段存在，移除会导致 IDE 功能异常。
+exports.KIRO_BUILDER_ID_PLACEHOLDER_ARN = 'arn:aws:codewhisperer:us-east-1:638616132270:profile/AAAACCCCXXXX';
+// Social 登录（Github/Google）共用的 Kiro 后端固定 profileArn
+exports.KIRO_SOCIAL_PROFILE_ARN = 'arn:aws:codewhisperer:us-east-1:699475941385:profile/EHGA3GRVQMUK';
+const PLACEHOLDER_PROFILE_ARNS = new Set([exports.KIRO_BUILDER_ID_PLACEHOLDER_ARN]);
+/** 检查给定 ARN 是不是已知占位符（旧版反代 / Kiro IDE 自身可能写入的脏数据） */
+function isPlaceholderProfileArn(arn) {
+    if (!arn)
+        return false;
+    return PLACEHOLDER_PROFILE_ARNS.has(arn);
+}
+/**
+ * 写入 token 文件前对 profileArn 的"应该写啥"做统一决策。
+ *
+ * 规则（优先级）：
+ *   1. 调用方显式给出 profileArn 且非已知占位符 → 直接用
+ *   2. social/Github/Google → 用固定 Kiro Social profileArn
+ *   3. BuilderId / 其它 → 使用 Kiro IDE 官方占位符 ARN（IDE 内部逻辑依赖此字段存在）
+ */
+function resolveProfileArnForWrite(input) {
+    if (input.profileArn && !isPlaceholderProfileArn(input.profileArn)) {
+        return input.profileArn;
+    }
+    if (input.authMethod === 'social' || input.provider === 'Github' || input.provider === 'Google') {
+        return exports.KIRO_SOCIAL_PROFILE_ARN;
+    }
+    return exports.KIRO_BUILDER_ID_PLACEHOLDER_ARN;
+}
+function computeClientIdHash(startUrl) {
+    return crypto
+        .createHash('sha1')
+        .update(JSON.stringify({ startUrl: startUrl || KIRO_DEFAULT_START_URL }))
+        .digest('hex');
+}
+/**
+ * 以与 Kiro IDE 完全兼容的格式写入 ~/.aws/sso/cache/kiro-auth-token.json
+ * - mode 0o600：与 IDE 保持一致（writeTokenToDisk 用 0o600 即 384）
+ * - social 与 IdC 字段顺序对齐 Kiro IDE 序列化结果，便于人工 diff
+ * - IdC 同时写客户端注册文件 {clientIdHash}.json
+ */
+async function writeKiroAuthTokenFile(input) {
+    await fs.mkdir(exports.KIRO_SSO_CACHE_DIR, { recursive: true });
+    const clientIdHash = computeClientIdHash(input.startUrl);
+    const tokenData = input.authMethod === 'social'
+        ? {
+            accessToken: input.accessToken,
+            refreshToken: input.refreshToken,
+            profileArn: input.profileArn,
+            expiresAt: input.expiresAtIso,
+            authMethod: input.authMethod,
+            provider: input.provider
+        }
+        : {
+            accessToken: input.accessToken,
+            refreshToken: input.refreshToken,
+            expiresAt: input.expiresAtIso,
+            clientIdHash,
+            authMethod: input.authMethod,
+            provider: input.provider,
+            region: input.region || 'us-east-1',
+            profileArn: input.profileArn
+        };
+    await fs.writeFile(exports.KIRO_AUTH_TOKEN_PATH, JSON.stringify(tokenData, null, 2), {
+        mode: 0o600
+    });
+    // Windows 上 chmod 对 0o600 是 no-op 但不抛错；Linux/macOS 上保证权限正确
+    try {
+        await fs.chmod(exports.KIRO_AUTH_TOKEN_PATH, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+    let clientRegPath;
+    if (input.authMethod !== 'social' && input.clientId && input.clientSecret) {
+        clientRegPath = path.join(exports.KIRO_SSO_CACHE_DIR, `${clientIdHash}.json`);
+        // IDE 客户端注册有效期 90 天（Kiro IDE 原版做法），格式为去掉 Z 的 ISO 字符串
+        const clientExpiresAt = new Date(Date.now() + 90 * 24 * 3600 * 1000).toISOString().replace('Z', '');
+        const clientData = {
+            clientId: input.clientId,
+            clientSecret: input.clientSecret,
+            expiresAt: clientExpiresAt,
+            scopes: KIRO_OIDC_SCOPES
+        };
+        await fs.writeFile(clientRegPath, JSON.stringify(clientData, null, 2), { mode: 0o600 });
+        try {
+            await fs.chmod(clientRegPath, 0o600);
+        }
+        catch {
+            /* ignore */
+        }
+    }
+    return { tokenPath: exports.KIRO_AUTH_TOKEN_PATH, clientRegPath };
+}
+async function readKiroAuthTokenFile() {
+    try {
+        const content = await fs.readFile(exports.KIRO_AUTH_TOKEN_PATH, 'utf-8');
+        const parsed = JSON.parse(content);
+        if (!parsed.accessToken || !parsed.refreshToken)
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function parseAccessTokenClaims(accessToken) {
+    if (!accessToken)
+        return null;
+    const parts = accessToken.split('.');
+    if (parts.length < 2)
+        return null;
+    try {
+        let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+        while (b64.length % 4)
+            b64 += '=';
+        const json = Buffer.from(b64, 'base64').toString('utf-8');
+        const claims = JSON.parse(json);
+        const audRaw = claims.aud;
+        const aud = typeof audRaw === 'string' ? audRaw : Array.isArray(audRaw) && typeof audRaw[0] === 'string' ? audRaw[0] : undefined;
+        return {
+            sub: typeof claims.sub === 'string' ? claims.sub : undefined,
+            email: typeof claims.email === 'string' ? claims.email : undefined,
+            aud,
+            preferredUsername: typeof claims['preferred_username'] === 'string'
+                ? claims['preferred_username']
+                : undefined
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function watchKiroAuthTokenFile(onChange, intervalMs = 2000) {
+    let debounceTimer = null;
+    let lastSeenSig = '';
+    let disposed = false;
+    const tick = async () => {
+        if (disposed)
+            return;
+        try {
+            const token = await readKiroAuthTokenFile();
+            if (!token)
+                return;
+            const sig = `${token.accessToken}|${token.refreshToken}`;
+            if (sig === lastSeenSig)
+                return;
+            lastSeenSig = sig;
+            await onChange(token);
+        }
+        catch (e) {
+            // 静默：watcher 不应该 throw 影响主进程
+            console.warn('[kiroAuthSync] watcher tick failed:', e);
+        }
+    };
+    const listener = () => {
+        if (debounceTimer)
+            clearTimeout(debounceTimer);
+        debounceTimer = setTimeout(() => {
+            debounceTimer = null;
+            void tick();
+        }, 600);
+    };
+    // 先做一次基线读，避免启动后第一次"虚假变更"
+    void readKiroAuthTokenFile().then((t) => {
+        if (t)
+            lastSeenSig = `${t.accessToken}|${t.refreshToken}`;
+    });
+    fsSync.watchFile(exports.KIRO_AUTH_TOKEN_PATH, { interval: intervalMs }, listener);
+    return () => {
+        disposed = true;
+        if (debounceTimer)
+            clearTimeout(debounceTimer);
+        fsSync.unwatchFile(exports.KIRO_AUTH_TOKEN_PATH, listener);
+    };
+}

package/out-server/main/kproxy/certManager.js

@@ -0,0 +1,262 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertManager = void 0;
+exports.createCertManager = createCertManager;
+// K-Proxy CA 证书管理
+const forge = __importStar(require("node-forge"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto = __importStar(require("crypto"));
+const CA_CERT_FILENAME = 'kproxy-ca.crt';
+const CA_KEY_FILENAME = 'kproxy-ca.key';
+const CERT_CACHE_DIR = 'kproxy-certs';
+// 证书缓存（避免重复生成）
+const certCache = new Map();
+/**
+ * CA 证书管理器
+ */
+class CertManager {
+    dataPath;
+    caCert = null;
+    caKey = null;
+    caInfo = null;
+    constructor(dataPath) {
+        this.dataPath = dataPath;
+    }
+    /**
+     * 初始化 CA 证书（加载或生成）
+     */
+    async initialize() {
+        const certPath = path.join(this.dataPath, CA_CERT_FILENAME);
+        const keyPath = path.join(this.dataPath, CA_KEY_FILENAME);
+        // 确保证书缓存目录存在
+        const cachePath = path.join(this.dataPath, CERT_CACHE_DIR);
+        if (!fs.existsSync(cachePath)) {
+            fs.mkdirSync(cachePath, { recursive: true });
+        }
+        // 尝试加载现有证书
+        if (fs.existsSync(certPath) && fs.existsSync(keyPath)) {
+            try {
+                const certPem = fs.readFileSync(certPath, 'utf8');
+                const keyPem = fs.readFileSync(keyPath, 'utf8');
+                this.caCert = forge.pki.certificateFromPem(certPem);
+                this.caKey = forge.pki.privateKeyFromPem(keyPem);
+                // 检查证书是否过期
+                const now = new Date();
+                if (this.caCert.validity.notAfter > now) {
+                    this.caInfo = this.extractCertInfo(certPath, keyPath, certPem, keyPem);
+                    console.log('[CertManager] Loaded existing CA certificate');
+                    return this.caInfo;
+                }
+                console.log('[CertManager] CA certificate expired, regenerating...');
+            }
+            catch (error) {
+                console.error('[CertManager] Failed to load CA certificate:', error);
+            }
+        }
+        // 生成新的 CA 证书
+        return this.generateCACert(certPath, keyPath);
+    }
+    /**
+     * 生成 CA 证书
+     */
+    generateCACert(certPath, keyPath) {
+        console.log('[CertManager] Generating new CA certificate...');
+        // 生成 RSA 密钥对
+        const keys = forge.pki.rsa.generateKeyPair(2048);
+        // 创建证书
+        const cert = forge.pki.createCertificate();
+        cert.publicKey = keys.publicKey;
+        cert.serialNumber = this.generateSerialNumber();
+        // 设置有效期（10年）
+        cert.validity.notBefore = new Date();
+        cert.validity.notAfter = new Date();
+        cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10);
+        // 设置证书属性
+        const attrs = [
+            { name: 'commonName', value: 'K-Proxy CA' },
+            { name: 'organizationName', value: 'Krouter' },
+            { name: 'countryName', value: 'CN' }
+        ];
+        cert.setSubject(attrs);
+        cert.setIssuer(attrs);
+        // 设置 CA 扩展
+        cert.setExtensions([
+            {
+                name: 'basicConstraints',
+                cA: true,
+                critical: true
+            },
+            {
+                name: 'keyUsage',
+                keyCertSign: true,
+                cRLSign: true,
+                critical: true
+            },
+            {
+                name: 'subjectKeyIdentifier'
+            }
+        ]);
+        // 自签名
+        cert.sign(keys.privateKey, forge.md.sha256.create());
+        // 转换为 PEM 格式
+        const certPem = forge.pki.certificateToPem(cert);
+        const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+        // 保存到文件
+        fs.writeFileSync(certPath, certPem);
+        fs.writeFileSync(keyPath, keyPem);
+        this.caCert = cert;
+        this.caKey = keys.privateKey;
+        this.caInfo = this.extractCertInfo(certPath, keyPath, certPem, keyPem);
+        console.log('[CertManager] CA certificate generated successfully');
+        return this.caInfo;
+    }
+    /**
+     * 为指定域名生成证书
+     */
+    generateCertForHost(hostname) {
+        // 检查缓存
+        const cached = certCache.get(hostname);
+        if (cached) {
+            return cached;
+        }
+        if (!this.caCert || !this.caKey) {
+            throw new Error('CA certificate not initialized');
+        }
+        // 生成密钥对
+        const keys = forge.pki.rsa.generateKeyPair(2048);
+        // 创建证书
+        const cert = forge.pki.createCertificate();
+        cert.publicKey = keys.publicKey;
+        cert.serialNumber = this.generateSerialNumber();
+        // 设置有效期（1年）
+        cert.validity.notBefore = new Date();
+        cert.validity.notAfter = new Date();
+        cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+        // 设置证书属性
+        const attrs = [
+            { name: 'commonName', value: hostname },
+            { name: 'organizationName', value: 'K-Proxy' }
+        ];
+        cert.setSubject(attrs);
+        cert.setIssuer(this.caCert.subject.attributes);
+        // 设置扩展
+        cert.setExtensions([
+            {
+                name: 'basicConstraints',
+                cA: false
+            },
+            {
+                name: 'keyUsage',
+                digitalSignature: true,
+                keyEncipherment: true
+            },
+            {
+                name: 'extKeyUsage',
+                serverAuth: true
+            },
+            {
+                name: 'subjectAltName',
+                altNames: [
+                    { type: 2, value: hostname }, // DNS
+                    { type: 2, value: '*.' + hostname } // 通配符
+                ]
+            }
+        ]);
+        // 使用 CA 私钥签名
+        cert.sign(this.caKey, forge.md.sha256.create());
+        const result = {
+            cert: forge.pki.certificateToPem(cert),
+            key: forge.pki.privateKeyToPem(keys.privateKey)
+        };
+        // 缓存证书
+        certCache.set(hostname, result);
+        return result;
+    }
+    /**
+     * 获取 CA 证书信息
+     */
+    getCACertInfo() {
+        return this.caInfo;
+    }
+    /**
+     * 获取 CA 证书 PEM
+     */
+    getCACertPem() {
+        return this.caInfo?.certPem || null;
+    }
+    /**
+     * 清除证书缓存
+     */
+    clearCache() {
+        certCache.clear();
+    }
+    /**
+     * 生成序列号
+     */
+    generateSerialNumber() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+    /**
+     * 提取证书信息
+     */
+    extractCertInfo(certPath, keyPath, certPem, keyPem) {
+        const cert = forge.pki.certificateFromPem(certPem);
+        const fingerprint = forge.md.sha256.create()
+            .update(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes())
+            .digest()
+            .toHex()
+            .match(/.{2}/g)
+            .join(':')
+            .toUpperCase();
+        return {
+            certPath,
+            keyPath,
+            certPem,
+            keyPem,
+            fingerprint,
+            validFrom: cert.validity.notBefore,
+            validTo: cert.validity.notAfter
+        };
+    }
+}
+exports.CertManager = CertManager;
+/**
+ * 创建证书管理器实例
+ */
+function createCertManager(dataPath) {
+    return new CertManager(dataPath);
+}