npm - @mseep/anything-analyzer - Versions diffs - 3.6.50 - Mend

@mseep/anything-analyzer 3.6.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/.codeartsdoer/.codebaseignore +0 -0
package/.codeartsdoer/AGENTS.md +12 -0
package/.github/workflows/build.yml +146 -0
package/README.en.md +264 -0
package/README.md +276 -0
package/RELEASE_NOTES.md +16 -0
package/USAGE.md +490 -0
package/color-preview-r3.html +414 -0
package/color-preview.html +414 -0
package/dev-app-update.yml +3 -0
package/electron-builder.yml +36 -0
package/electron.vite.config.ts +40 -0
package/package.json +53 -0
package/report-2026-04-13-copilot-claude-sonnet-4.6.md +955 -0
package/resources/doloffer-logo.png +0 -0
package/resources/entitlements.mac.plist +12 -0
package/resources/icon.ico +0 -0
package/resources/icon.png +0 -0
package/src/main/ai/ai-analyzer.ts +517 -0
package/src/main/ai/crypto-script-extractor.ts +206 -0
package/src/main/ai/data-assembler.ts +205 -0
package/src/main/ai/llm-router.ts +1120 -0
package/src/main/ai/prompt-builder.ts +349 -0
package/src/main/ai/scene-detector.ts +302 -0
package/src/main/capture/capture-engine.ts +130 -0
package/src/main/capture/interaction-recorder.ts +171 -0
package/src/main/capture/js-injector.ts +57 -0
package/src/main/capture/replay-engine.ts +256 -0
package/src/main/capture/storage-collector.ts +76 -0
package/src/main/cdp/cdp-manager.ts +233 -0
package/src/main/db/database.ts +41 -0
package/src/main/db/migrations.ts +235 -0
package/src/main/db/repositories.ts +574 -0
package/src/main/fingerprint/http-spoofing.ts +48 -0
package/src/main/fingerprint/presets.ts +173 -0
package/src/main/fingerprint/profile-generator.ts +115 -0
package/src/main/fingerprint/profile-store.ts +52 -0
package/src/main/index.ts +260 -0
package/src/main/ipc.ts +856 -0
package/src/main/logger.ts +42 -0
package/src/main/mcp/mcp-config.ts +66 -0
package/src/main/mcp/mcp-manager.ts +155 -0
package/src/main/mcp/mcp-server.ts +1038 -0
package/src/main/prompt-templates.ts +170 -0
package/src/main/proxy/ca-manager.ts +204 -0
package/src/main/proxy/cert-download-page.ts +171 -0
package/src/main/proxy/cert-installer.ts +242 -0
package/src/main/proxy/mitm-proxy-config.ts +37 -0
package/src/main/proxy/mitm-proxy-server.ts +1085 -0
package/src/main/proxy/system-proxy.ts +248 -0
package/src/main/session/session-manager.ts +724 -0
package/src/main/tab-manager.ts +582 -0
package/src/main/updater.ts +111 -0
package/src/main/window.ts +235 -0
package/src/preload/hook-script.ts +270 -0
package/src/preload/index.ts +211 -0
package/src/preload/interaction-hook.ts +286 -0
package/src/preload/stealth-script.ts +302 -0
package/src/preload/target-preload.ts +15 -0
package/src/renderer/App.tsx +656 -0
package/src/renderer/components/AiLogDetail.tsx +173 -0
package/src/renderer/components/AiLogList.tsx +101 -0
package/src/renderer/components/AiLogView.module.css +364 -0
package/src/renderer/components/AiLogView.tsx +86 -0
package/src/renderer/components/AnalyzeBar.module.css +79 -0
package/src/renderer/components/AnalyzeBar.tsx +104 -0
package/src/renderer/components/BrowserPanel.module.css +67 -0
package/src/renderer/components/BrowserPanel.tsx +90 -0
package/src/renderer/components/ControlBar.module.css +47 -0
package/src/renderer/components/ControlBar.tsx +205 -0
package/src/renderer/components/HookLog.tsx +132 -0
package/src/renderer/components/InteractionLog.tsx +183 -0
package/src/renderer/components/MCPServerModal.tsx +427 -0
package/src/renderer/components/PromptTemplateModal.tsx +254 -0
package/src/renderer/components/ReportView.module.css +413 -0
package/src/renderer/components/ReportView.tsx +429 -0
package/src/renderer/components/RequestDetail.module.css +191 -0
package/src/renderer/components/RequestDetail.tsx +202 -0
package/src/renderer/components/RequestLog.module.css +69 -0
package/src/renderer/components/RequestLog.tsx +208 -0
package/src/renderer/components/SessionList.module.css +245 -0
package/src/renderer/components/SessionList.tsx +247 -0
package/src/renderer/components/SettingsModal.tsx +100 -0
package/src/renderer/components/StatusBar.module.css +44 -0
package/src/renderer/components/StatusBar.tsx +102 -0
package/src/renderer/components/StorageView.module.css +41 -0
package/src/renderer/components/StorageView.tsx +178 -0
package/src/renderer/components/TabBar.module.css +88 -0
package/src/renderer/components/TabBar.tsx +70 -0
package/src/renderer/components/Titlebar.module.css +254 -0
package/src/renderer/components/Titlebar.tsx +169 -0
package/src/renderer/components/settings/FingerprintSection.tsx +198 -0
package/src/renderer/components/settings/GeneralSection.tsx +164 -0
package/src/renderer/components/settings/LLMSection.tsx +148 -0
package/src/renderer/components/settings/MCPServerSection.tsx +136 -0
package/src/renderer/components/settings/MitmProxySection.tsx +320 -0
package/src/renderer/components/settings/ProxySection.tsx +110 -0
package/src/renderer/css-modules.d.ts +4 -0
package/src/renderer/hooks/useCapture.ts +383 -0
package/src/renderer/hooks/useConfirm.tsx +91 -0
package/src/renderer/hooks/useSession.ts +136 -0
package/src/renderer/hooks/useTabs.ts +103 -0
package/src/renderer/i18n/en.ts +167 -0
package/src/renderer/i18n/index.ts +47 -0
package/src/renderer/i18n/zh.ts +170 -0
package/src/renderer/index.html +12 -0
package/src/renderer/main.tsx +15 -0
package/src/renderer/styles/global.css +144 -0
package/src/renderer/styles/themes/ayu-dark.css +59 -0
package/src/renderer/styles/themes/catppuccin.css +59 -0
package/src/renderer/styles/themes/discord.css +59 -0
package/src/renderer/styles/themes/dracula.css +59 -0
package/src/renderer/styles/themes/github-dark.css +59 -0
package/src/renderer/styles/themes/gruvbox.css +59 -0
package/src/renderer/styles/themes/index.css +11 -0
package/src/renderer/styles/themes/light.css +59 -0
package/src/renderer/styles/themes/nord.css +59 -0
package/src/renderer/styles/themes/one-dark.css +59 -0
package/src/renderer/styles/themes/tokyo-night.css +59 -0
package/src/renderer/styles/tokens.css +137 -0
package/src/renderer/theme.ts +31 -0
package/src/renderer/ui/Badge.module.css +38 -0
package/src/renderer/ui/Badge.tsx +36 -0
package/src/renderer/ui/Button.module.css +142 -0
package/src/renderer/ui/Button.tsx +46 -0
package/src/renderer/ui/Collapse.module.css +49 -0
package/src/renderer/ui/Collapse.tsx +57 -0
package/src/renderer/ui/CopyableBlock.module.css +56 -0
package/src/renderer/ui/CopyableBlock.tsx +42 -0
package/src/renderer/ui/Empty.module.css +19 -0
package/src/renderer/ui/Empty.tsx +34 -0
package/src/renderer/ui/Icons.tsx +346 -0
package/src/renderer/ui/Input.module.css +103 -0
package/src/renderer/ui/Input.tsx +94 -0
package/src/renderer/ui/InputNumber.module.css +68 -0
package/src/renderer/ui/InputNumber.tsx +104 -0
package/src/renderer/ui/Modal.module.css +83 -0
package/src/renderer/ui/Modal.tsx +67 -0
package/src/renderer/ui/Popconfirm.module.css +73 -0
package/src/renderer/ui/Popconfirm.tsx +74 -0
package/src/renderer/ui/Progress.module.css +35 -0
package/src/renderer/ui/Progress.tsx +30 -0
package/src/renderer/ui/Select.module.css +91 -0
package/src/renderer/ui/Select.tsx +100 -0
package/src/renderer/ui/Spinner.module.css +44 -0
package/src/renderer/ui/Spinner.tsx +27 -0
package/src/renderer/ui/Switch.module.css +39 -0
package/src/renderer/ui/Switch.tsx +43 -0
package/src/renderer/ui/Tabs.module.css +76 -0
package/src/renderer/ui/Tabs.tsx +53 -0
package/src/renderer/ui/Tag.module.css +66 -0
package/src/renderer/ui/Tag.tsx +47 -0
package/src/renderer/ui/Timeline.module.css +42 -0
package/src/renderer/ui/Timeline.tsx +29 -0
package/src/renderer/ui/Toast.module.css +99 -0
package/src/renderer/ui/Toast.tsx +90 -0
package/src/renderer/ui/Tooltip.module.css +26 -0
package/src/renderer/ui/Tooltip.tsx +23 -0
package/src/renderer/ui/VirtualTable.module.css +230 -0
package/src/renderer/ui/VirtualTable.tsx +416 -0
package/src/renderer/ui/index.ts +55 -0
package/src/shared/types.ts +695 -0
package/tests/main/ai/crypto-script-extractor.test.ts +281 -0
package/tests/main/ai/llm-router.test.ts +1537 -0
package/tests/main/ai/prompt-builder.test.ts +178 -0
package/tests/main/ai/scene-detector.test.ts +212 -0
package/tests/main/db/migrations.test.ts +134 -0
package/tests/main/release-workflow.test.ts +59 -0
package/tsconfig.json +7 -0
package/tsconfig.node.json +23 -0
package/tsconfig.web.json +24 -0
package/vitest.config.ts +13 -0

package/src/main/prompt-templates.ts ADDED Viewed

@@ -0,0 +1,170 @@
+import { readFileSync, writeFileSync, existsSync } from "fs";
+import { join } from "path";
+import { app } from "electron";
+import type { PromptTemplate } from "@shared/types";
+// Default system prompt shared by all built-in templates
+const DEFAULT_SYSTEM_PROMPT = `你是一位网站协议分析专家。你的任务是分析用户在网站上的操作过程中产生的HTTP请求、JS调用和存储变化，识别其业务场景，并生成结构化的协议分析报告。Be precise and technical. Output in Chinese (Simplified).`;
+/**
+ * Built-in template definitions — used as defaults and for reset.
+ */
+function getDefaultTemplates(): PromptTemplate[] {
+  return [
+    {
+      id: "auto",
+      name: "自动识别",
+      description: "默认 — AI 自动检测场景并生成通用分析",
+      systemPrompt: DEFAULT_SYSTEM_PROMPT,
+      requirements: `1. 场景识别：判断用户执行了什么操作（注册、登录、AI对话、支付等）
+2. 交互流程概述：按时间顺序描述完整交互链路
+3. API端点清单：列出所有关键API，标注方法、路径、用途
+4. 鉴权机制分析：认证方式、凭据获取流程、凭据传递方式
+5. 流式通信分析（如检测到SSE/WebSocket）：协议类型、端点、请求/响应格式
+6. 存储使用分析：Cookie/localStorage/sessionStorage 的关键变化
+7. 关键依赖关系：请求之间的依赖和时序关系
+8. 复现建议：用代码伪逻辑描述如何复现整个流程`,
+      isBuiltin: true,
+      isModified: false,
+    },
+    {
+      id: "reverse-api",
+      name: "逆向 API 协议",
+      description: "聚焦 API 端点、请求/响应模式、鉴权流程、数据模型、复现代码",
+      systemPrompt: DEFAULT_SYSTEM_PROMPT,
+      requirements: `1. 完整 API 端点清单：列出所有 API 的方法、路径、请求参数、响应 JSON 结构
+2. 鉴权流程：Token/Cookie 获取、刷新、传递机制的完整链路
+3. 请求依赖链：哪些请求的响应是后续请求的必要输入
+4. 数据模型推断：从 API 响应结构推断后端数据模型
+5. 复现代码：用 Python requests 库写出可直接运行的完整 API 调用流程`,
+      isBuiltin: true,
+      isModified: false,
+    },
+    {
+      id: "security-audit",
+      name: "安全审计",
+      description: "聚焦认证安全、敏感数据暴露、CSRF/XSS 风险、权限控制",
+      systemPrompt: DEFAULT_SYSTEM_PROMPT,
+      requirements: `1. 认证安全：分析认证方式的安全性，是否存在弱口令、明文传输、Token 泄露风险
+2. 敏感数据暴露：检查响应中是否包含不必要的敏感信息（密码、密钥、PII）
+3. CSRF/XSS 风险：分析请求是否缺少 CSRF Token，响应头是否缺少安全头（CSP, X-Frame-Options 等）
+4. 权限控制：分析是否存在越权访问的可能（水平/垂直越权）
+5. 安全建议：针对发现的问题给出具体修复建议`,
+      isBuiltin: true,
+      isModified: false,
+    },
+    {
+      id: "performance",
+      name: "性能分析",
+      description: "聚焦请求时序、冗余请求、资源加载、缓存策略",
+      systemPrompt: DEFAULT_SYSTEM_PROMPT,
+      requirements: `1. 请求时序分析：分析请求的串行/并行关系，识别阻塞链路
+2. 冗余请求：识别重复或不必要的请求
+3. 资源优化：分析资源加载顺序，识别可优化的静态资源
+4. 缓存策略：分析 Cache-Control、ETag 等缓存头的使用情况
+5. 性能建议：给出具体的性能优化建议和预期收益`,
+      isBuiltin: true,
+      isModified: false,
+    },
+    {
+      id: "crypto-reverse",
+      name: "JS加密逆向",
+      description: "聚焦JS加密算法识别、加密流程还原、密钥分析、Python复现代码",
+      systemPrompt: DEFAULT_SYSTEM_PROMPT,
+      requirements: `1. 加密算法识别：识别所有使用的加密/签名/哈希算法（AES、RSA、SHA、HMAC、SM2/3/4 等），标注具体库和方法名
+2. 加密流程还原：完整描述每个请求参数的加密 pipeline（明文 → 各步骤 → 密文），画出数据流转图
+3. 密钥管理分析：密钥来源（硬编码/动态/协商）、密钥格式（Hex/Base64/PEM）、密钥长度
+4. 签名/校验机制：请求签名的生成算法、参与签名的参数排序规则、时间戳/nonce 机制
+5. 复现代码：用 Python 写出完整的加密/签名/请求复现代码，确保可直接运行，包含所有必要的密钥和参数`,
+      isBuiltin: true,
+      isModified: false,
+    },
+  ];
+}
+function getTemplatesPath(): string {
+  return join(app.getPath("userData"), "prompt-templates.json");
+}
+/**
+ * Load templates from disk. Initializes with defaults if file does not exist.
+ */
+export function loadTemplates(): PromptTemplate[] {
+  const path = getTemplatesPath();
+  if (!existsSync(path)) {
+    const defaults = getDefaultTemplates();
+    writeFileSync(path, JSON.stringify(defaults, null, 2), "utf-8");
+    return defaults;
+  }
+  try {
+    return JSON.parse(readFileSync(path, "utf-8")) as PromptTemplate[];
+  } catch {
+    const defaults = getDefaultTemplates();
+    writeFileSync(path, JSON.stringify(defaults, null, 2), "utf-8");
+    return defaults;
+  }
+}
+function persistTemplates(templates: PromptTemplate[]): void {
+  writeFileSync(getTemplatesPath(), JSON.stringify(templates, null, 2), "utf-8");
+}
+/**
+ * Save (create or update) a template.
+ */
+export function saveTemplate(template: PromptTemplate): void {
+  const templates = loadTemplates();
+  const idx = templates.findIndex((t) => t.id === template.id);
+  if (idx >= 0) {
+    // Update existing — mark builtin as modified
+    if (templates[idx].isBuiltin) {
+      template.isBuiltin = true;
+      template.isModified = true;
+    }
+    templates[idx] = template;
+  } else {
+    // New custom template
+    template.isBuiltin = false;
+    template.isModified = false;
+    templates.push(template);
+  }
+  persistTemplates(templates);
+}
+/**
+ * Delete a custom template. Builtin templates cannot be deleted.
+ */
+export function deleteTemplate(id: string): void {
+  const templates = loadTemplates();
+  const target = templates.find((t) => t.id === id);
+  if (target?.isBuiltin) {
+    throw new Error("Cannot delete builtin template");
+  }
+  persistTemplates(templates.filter((t) => t.id !== id));
+}
+/**
+ * Reset a builtin template to its default values.
+ */
+export function resetTemplate(id: string): void {
+  const templates = loadTemplates();
+  const defaults = getDefaultTemplates();
+  const defaultTemplate = defaults.find((t) => t.id === id);
+  if (!defaultTemplate) {
+    throw new Error(`No builtin default for template: ${id}`);
+  }
+  const idx = templates.findIndex((t) => t.id === id);
+  if (idx >= 0) {
+    templates[idx] = { ...defaultTemplate };
+  } else {
+    templates.push({ ...defaultTemplate });
+  }
+  persistTemplates(templates);
+}
+/**
+ * Find a template by ID. Returns undefined if not found.
+ */
+export function findTemplate(id: string): PromptTemplate | undefined {
+  return loadTemplates().find((t) => t.id === id);
+}

package/src/main/proxy/ca-manager.ts ADDED Viewed

@@ -0,0 +1,204 @@
+import * as forge from "node-forge";
+import * as tls from "tls";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+const CA_KEY_FILE = "ca-key.pem";
+const CA_CERT_FILE = "ca-cert.pem";
+const CA_VALIDITY_YEARS = 10;
+const LEAF_VALIDITY_DAYS = 825; // Apple max
+const CACHE_MAX_SIZE = 500;
+/**
+ * CaManager — Generates and caches a root CA certificate,
+ * then issues per-host leaf certificates on demand for MITM TLS interception.
+ */
+export class CaManager {
+  private caKey: forge.pki.rsa.KeyPair | null = null;
+  private caCert: forge.pki.Certificate | null = null;
+  /** LRU-ish cache: hostname → tls.SecureContext */
+  private contextCache = new Map<string, tls.SecureContext>();
+  constructor(private certsDir: string) {}
+  /**
+   * Load existing CA from disk, or generate a new one.
+   */
+  async init(): Promise<void> {
+    if (!existsSync(this.certsDir)) {
+      mkdirSync(this.certsDir, { recursive: true });
+    }
+    const keyPath = join(this.certsDir, CA_KEY_FILE);
+    const certPath = join(this.certsDir, CA_CERT_FILE);
+    if (existsSync(keyPath) && existsSync(certPath)) {
+      const keyPem = readFileSync(keyPath, "utf-8");
+      const certPem = readFileSync(certPath, "utf-8");
+      const privateKey = forge.pki.privateKeyFromPem(keyPem);
+      this.caKey = {
+        privateKey,
+        publicKey: forge.pki.setRsaPublicKey(privateKey.n, privateKey.e),
+      } as forge.pki.rsa.KeyPair;
+      this.caCert = forge.pki.certificateFromPem(certPem);
+    } else {
+      await this.generate();
+    }
+  }
+  isInitialized(): boolean {
+    return this.caCert !== null && this.caKey !== null;
+  }
+  getCaCertPath(): string {
+    return join(this.certsDir, CA_CERT_FILE);
+  }
+  /**
+   * Get the CA certificate in DER (binary) format for mobile download.
+   */
+  getCaCertDer(): Buffer {
+    if (!this.caCert) throw new Error("CA not initialized");
+    const asn1 = forge.pki.certificateToAsn1(this.caCert);
+    const der = forge.asn1.toDer(asn1);
+    return Buffer.from(der.getBytes(), "binary");
+  }
+  /**
+   * Get (or create) a TLS SecureContext for the given hostname.
+   */
+  getSecureContextForHost(hostname: string): tls.SecureContext {
+    const cached = this.contextCache.get(hostname);
+    if (cached) return cached;
+    // Evict oldest if cache full
+    if (this.contextCache.size >= CACHE_MAX_SIZE) {
+      const oldest = this.contextCache.keys().next().value!;
+      this.contextCache.delete(oldest);
+    }
+    const { key, cert } = this.issueLeafCert(hostname);
+    const ctx = tls.createSecureContext({
+      key,
+      cert,
+      ca: forge.pki.certificateToPem(this.caCert!),
+    });
+    this.contextCache.set(hostname, ctx);
+    return ctx;
+  }
+  /**
+   * Delete existing CA, generate a new one, clear cache.
+   */
+  async regenerate(): Promise<void> {
+    this.contextCache.clear();
+    await this.generate();
+  }
+  // ---- Private ----
+  private async generate(): Promise<void> {
+    const keys = forge.pki.rsa.generateKeyPair({ bits: 2048 });
+    this.caKey = keys;
+    const cert = forge.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = this.randomSerial();
+    const now = new Date();
+    cert.validity.notBefore = now;
+    cert.validity.notAfter = new Date(
+      now.getFullYear() + CA_VALIDITY_YEARS,
+      now.getMonth(),
+      now.getDate(),
+    );
+    const attrs: forge.pki.CertificateField[] = [
+      { shortName: "CN", value: "Anything Analyzer CA" },
+      { shortName: "O", value: "Anything Analyzer" },
+    ];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+      { name: "basicConstraints", cA: true, critical: true },
+      {
+        name: "keyUsage",
+        keyCertSign: true,
+        cRLSign: true,
+        critical: true,
+      },
+      {
+        name: "subjectKeyIdentifier",
+      },
+    ]);
+    cert.sign(keys.privateKey, forge.md.sha256.create());
+    this.caCert = cert;
+    // Persist
+    const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+    const certPem = forge.pki.certificateToPem(cert);
+    writeFileSync(join(this.certsDir, CA_KEY_FILE), keyPem, "utf-8");
+    writeFileSync(join(this.certsDir, CA_CERT_FILE), certPem, "utf-8");
+  }
+  private issueLeafCert(hostname: string): { key: string; cert: string } {
+    if (!this.caKey || !this.caCert) {
+      throw new Error("CA not initialized");
+    }
+    const keys = forge.pki.rsa.generateKeyPair({ bits: 2048 });
+    const cert = forge.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = this.randomSerial();
+    const now = new Date();
+    cert.validity.notBefore = now;
+    cert.validity.notAfter = new Date(
+      now.getFullYear(),
+      now.getMonth(),
+      now.getDate() + LEAF_VALIDITY_DAYS,
+    );
+    cert.setSubject([{ shortName: "CN", value: hostname }]);
+    cert.setIssuer(this.caCert.subject.attributes);
+    // SAN: support both DNS name and IP address
+    const isIP = /^[\d.]+$/.test(hostname) || hostname.includes(":");
+    const altNames: { type: number; value?: string; ip?: string }[] = isIP
+      ? [{ type: 7, ip: hostname }]
+      : [{ type: 2, value: hostname }];
+    cert.setExtensions([
+      { name: "basicConstraints", cA: false },
+      {
+        name: "keyUsage",
+        digitalSignature: true,
+        keyEncipherment: true,
+      },
+      { name: "extKeyUsage", serverAuth: true },
+      { name: "subjectAltName", altNames },
+      { name: "subjectKeyIdentifier" },
+      {
+        name: "authorityKeyIdentifier",
+        keyIdentifier: true,
+      },
+    ]);
+    cert.sign(this.caKey.privateKey, forge.md.sha256.create());
+    // Include CA cert in chain so mobile clients can verify
+    const leafPem = forge.pki.certificateToPem(cert);
+    const caPem = forge.pki.certificateToPem(this.caCert!);
+    return {
+      key: forge.pki.privateKeyToPem(keys.privateKey),
+      cert: leafPem + caPem,
+    };
+  }
+  private randomSerial(): string {
+    return forge.util.bytesToHex(forge.random.getBytesSync(16));
+  }
+}

package/src/main/proxy/cert-download-page.ts ADDED Viewed

@@ -0,0 +1,171 @@
+import { readFileSync } from "fs";
+import type { CaManager } from "./ca-manager";
+/** Magic hostname that triggers the cert download page */
+export const CERT_DOWNLOAD_HOST = "cert.anything.test";
+export const CERT_DOWNLOAD_FALLBACK_HOST = "cert.anything.local";
+export function isCertDownloadHost(host: string): boolean {
+  const normalized = host.trim().toLowerCase().replace(/\.$/, "");
+  return normalized === CERT_DOWNLOAD_HOST || normalized === CERT_DOWNLOAD_FALLBACK_HOST;
+}
+/**
+ * Detect platform from User-Agent string.
+ */
+function detectPlatform(ua: string): "ios" | "android" | "desktop" {
+  if (/iPhone|iPad|iPod/i.test(ua)) return "ios";
+  if (/Android/i.test(ua)) return "android";
+  return "desktop";
+}
+/**
+ * Generate the HTML certificate download page.
+ * @param ua User-Agent string for platform detection
+ * @param overrideHost Optional host (ip:port or hostname:port) to use for the download link.
+ *                     When a LAN device accesses the proxy directly by IP, this ensures the
+ *                     download link points back to the same accessible address.
+ */
+export function generateCertPage(ua: string, overrideHost?: string): string {
+  const platform = detectPlatform(ua);
+  const defaultHost = platform === "ios" ? CERT_DOWNLOAD_HOST : CERT_DOWNLOAD_FALLBACK_HOST;
+  const downloadHost = overrideHost || defaultHost;
+  return `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Anything Analyzer - 安装 CA 证书</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;background:#0f172a;color:#e2e8f0;min-height:100vh;display:flex;align-items:center;justify-content:center;padding:20px}
+.card{background:#1e293b;border-radius:16px;padding:32px 28px;max-width:420px;width:100%;box-shadow:0 25px 50px rgba(0,0,0,.4)}
+.logo{text-align:center;margin-bottom:24px}
+.logo svg{width:48px;height:48px}
+h1{font-size:20px;text-align:center;margin-bottom:8px;color:#f8fafc}
+.subtitle{text-align:center;font-size:14px;color:#94a3b8;margin-bottom:28px}
+.download-btn{display:block;width:100%;padding:14px;border:none;border-radius:12px;font-size:16px;font-weight:600;cursor:pointer;text-align:center;text-decoration:none;transition:all .2s;margin-bottom:16px}
+.download-btn.primary{background:linear-gradient(135deg,#3b82f6,#6366f1);color:#fff}
+.download-btn.primary:active{transform:scale(.98);opacity:.9}
+.platform-tag{display:inline-block;background:#334155;color:#94a3b8;padding:3px 10px;border-radius:20px;font-size:12px;margin-bottom:20px}
+.steps{background:#0f172a;border-radius:12px;padding:20px;margin-top:4px}
+.steps h2{font-size:15px;margin-bottom:14px;color:#f1f5f9}
+.step{display:flex;gap:12px;margin-bottom:14px;font-size:13px;line-height:1.6;color:#cbd5e1}
+.step:last-child{margin-bottom:0}
+.step-num{flex-shrink:0;width:22px;height:22px;border-radius:50%;background:#334155;color:#60a5fa;font-size:12px;font-weight:700;display:flex;align-items:center;justify-content:center;margin-top:1px}
+.note{margin-top:20px;padding:14px;background:rgba(234,179,8,.08);border:1px solid rgba(234,179,8,.2);border-radius:10px;font-size:12px;color:#fbbf24;line-height:1.6}
+.note strong{color:#fcd34d}
+.tabs{display:flex;gap:8px;margin-bottom:16px}
+.tab{flex:1;padding:8px;border:1px solid #334155;border-radius:8px;background:transparent;color:#94a3b8;font-size:13px;cursor:pointer;text-align:center;transition:all .2s}
+.tab.active{background:#334155;color:#f1f5f9;border-color:#475569}
+.tab-content{display:none}
+.tab-content.active{display:block}
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="logo">
+    <svg viewBox="0 0 48 48" fill="none"><circle cx="24" cy="24" r="22" stroke="#3b82f6" stroke-width="2"/><path d="M24 12v10l7 7" stroke="#60a5fa" stroke-width="2.5" stroke-linecap="round"/><circle cx="24" cy="24" r="4" fill="#3b82f6"/></svg>
+  </div>
+  <h1>安装 CA 证书</h1>
+  <p class="subtitle">Anything Analyzer 需要安装根证书以解密 HTTPS 流量</p>
+  <div style="text-align:center"><span class="platform-tag" id="platformTag">${platform === "ios" ? "🍎 iOS" : platform === "android" ? "🤖 Android" : "💻 桌面端"}</span></div>
+  <a class="download-btn primary" href="http://${downloadHost}/cert.cer" id="downloadBtn">⬇ 下载证书</a>
+  <div class="tabs">
+    <button class="tab${platform === "ios" ? " active" : ""}" onclick="showTab('ios', this)">iOS</button>
+    <button class="tab${platform === "android" ? " active" : ""}" onclick="showTab('android', this)">Android</button>
+    <button class="tab${platform === "desktop" ? " active" : ""}" onclick="showTab('desktop', this)">桌面端</button>
+  </div>
+  <div id="tab-ios" class="tab-content${platform === "ios" ? " active" : ""}">
+    <div class="steps">
+      <h2>iOS 安装步骤</h2>
+      <div class="step"><span class="step-num">1</span><span>确保 iPhone/iPad 与电脑连接在<strong>同一局域网</strong>下</span></div>
+      <div class="step"><span class="step-num">2</span><span>打开 iPhone 的「设置」→「Wi-Fi」→ 点击当前连接的 Wi-Fi 名称右侧的 <strong>ⓘ</strong> 按钮</span></div>
+      <div class="step"><span class="step-num">3</span><span>滚动到底部，点击「配置代理」→ 选择「手动」→ 填写服务器为<strong>电脑的 IP 地址</strong>，端口为 <strong>代理端口号</strong>（默认 8888）→ 点击「存储」</span></div>
+      <div class="step"><span class="step-num">4</span><span>打开 Safari 浏览器（<strong>必须用 Safari</strong>，其他浏览器无法触发描述文件安装），访问本页面并点击上方「下载证书」按钮</span></div>
+      <div class="step"><span class="step-num">5</span><span>弹出「此网站正尝试下载一个配置描述文件，要允许吗？」→ 点击「允许」</span></div>
+      <div class="step"><span class="step-num">6</span><span>提示「已下载描述文件」后，打开「设置」→「通用」→「VPN 与设备管理」（或「描述文件与设备管理」）</span></div>
+      <div class="step"><span class="step-num">7</span><span>找到「Anything Analyzer CA」描述文件，点击进入 → 点击右上角「安装」→ 输入<strong>锁屏密码</strong> → 再次点击「安装」确认</span></div>
+      <div class="step"><span class="step-num">8</span><span><strong>⚠ 关键步骤：</strong>前往「设置」→「通用」→「关于本机」→ 滚动到最底部 → 点击「证书信任设置」</span></div>
+      <div class="step"><span class="step-num">9</span><span>在「针对根证书启用完全信任」列表中，找到「Anything Analyzer CA」→ <strong>打开右侧开关</strong> → 弹出警告框点击「继续」</span></div>
+      <div class="step"><span class="step-num">10</span><span>✅ 安装完成！打开 Safari 访问任意 HTTPS 网站，验证地址栏无证书警告即为成功</span></div>
+    </div>
+    <div class="note"><strong>⚠ 常见问题：</strong><br>
+    • <strong>找不到「VPN 与设备管理」？</strong> → 不同 iOS 版本名称不同，可能叫「描述文件」或「描述文件与设备管理」<br>
+    • <strong>安装后仍报证书错误？</strong> → 99% 是因为没有执行第 8-9 步的「证书信任设置」，这是 iOS 的硬性要求<br>
+    • <strong>非 Safari 浏览器下载无反应？</strong> → iOS 仅允许 Safari 安装描述文件，请切换到 Safari 重新下载<br>
+    • <strong>使用完毕后</strong> → 记得回到 Wi-Fi 设置将代理改回「关闭」或「自动」</div>
+  </div>
+  <div id="tab-android" class="tab-content${platform === "android" ? " active" : ""}">
+    <div class="steps">
+      <h2>Android 安装步骤</h2>
+      <div class="step"><span class="step-num">1</span><span>确保手机与电脑连接在<strong>同一局域网</strong>下</span></div>
+      <div class="step"><span class="step-num">2</span><span>打开「设置」→「WLAN」→ <strong>长按</strong>当前连接的 Wi-Fi（或点击齿轮图标）→ 选择「修改网络」</span></div>
+      <div class="step"><span class="step-num">3</span><span>展开「高级选项」→ 代理选择「手动」→ 主机名填<strong>电脑的 IP 地址</strong>，端口填 <strong>代理端口号</strong>（默认 8888）→ 保存</span></div>
+      <div class="step"><span class="step-num">4</span><span>打开任意浏览器，访问本页面并点击上方「下载证书」按钮，将 .cer 文件保存到手机</span></div>
+      <div class="step"><span class="step-num">5</span><span><strong>方式一（推荐）：</strong>打开「设置」→「安全」（或「安全和隐私」）→「更多安全设置」→「加密与凭据」→「安装证书」→ 选择「<strong>CA 证书</strong>」</span></div>
+      <div class="step"><span class="step-num">6</span><span>系统会弹出安全警告「安装 CA 证书可能允许第三方监控流量...」→ 点击「<strong>仍然安装</strong>」→ 验证指纹/密码/PIN</span></div>
+      <div class="step"><span class="step-num">7</span><span>在文件选择器中找到刚下载的 <code>anything-analyzer-ca.cer</code> 文件（通常在 Download 文件夹）→ 点击选择</span></div>
+      <div class="step"><span class="step-num">8</span><span>提示「已安装 CA 证书」即为成功</span></div>
+    </div>
+    <div class="steps" style="margin-top:12px">
+      <h2>⚡ 验证证书是否安装成功</h2>
+      <div class="step"><span class="step-num">1</span><span>前往「设置」→「安全」→「加密与凭据」→「信任的凭据」→ 切换到「用户」选项卡</span></div>
+      <div class="step"><span class="step-num">2</span><span>应能看到「Anything Analyzer CA」→ 点击可查看证书详情和有效期</span></div>
+    </div>
+    <div class="steps" style="margin-top:12px">
+      <h2>🔧 不同 Android 品牌的设置路径</h2>
+      <div class="step"><span class="step-num">•</span><span><strong>小米/Redmi (MIUI/HyperOS)：</strong>设置 → 密码与安全 → 系统安全 → 加密与凭据 → 安装证书 → CA 证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>华为/荣耀 (HarmonyOS)：</strong>设置 → 安全 → 更多安全设置 → 加密和凭据 → 从存储设备安装 → CA 证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>OPPO/realme (ColorOS)：</strong>设置 → 密码与安全 → 系统安全 → 安装证书 → CA 证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>vivo (OriginOS/FuntouchOS)：</strong>设置 → 安全与隐私 → 更多安全设置 → 加密与凭据 → 安装证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>三星 (One UI)：</strong>设置 → 生物识别和安全 → 其他安全设置 → 安装证书 → CA 证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>Google Pixel (原生)：</strong>设置 → 安全 → 加密与凭据 → 安装证书 → CA 证书</span></div>
+      <div class="step"><span class="step-num">•</span><span><strong>找不到入口？</strong>在设置中搜索「<strong>证书</strong>」或「<strong>凭据</strong>」关键词即可快速定位</span></div>
+    </div>
+    <div class="note"><strong>⚠ Android 特别说明：</strong><br>
+    • <strong>Android 7.0+ 限制：</strong>用户安装的 CA 证书默认只对<strong>浏览器</strong>有效，大部分 App 不信任用户 CA。这是 Google 的安全策略，属于正常现象<br>
+    • <strong>如需让所有 App 信任：</strong>需要 Root 权限 + 将证书移入系统证书目录（/system/etc/security/cacerts/），或使用 Magisk + MoveUserCertificates 模块<br>
+    • <strong>安装时要求设置锁屏？</strong>这是 Android 安全要求，安装 CA 证书必须设置 PIN/密码/图案锁屏<br>
+    • <strong>使用完毕后</strong> → 记得回到 Wi-Fi 设置将代理改回「无」</div>
+  </div>
+  <div id="tab-desktop" class="tab-content${platform === "desktop" ? " active" : ""}">
+    <div class="steps">
+      <h2>桌面端安装步骤</h2>
+      <div class="step"><span class="step-num">1</span><span>推荐直接在 Anything Analyzer 应用内点击「安装证书」按钮一键安装</span></div>
+      <div class="step"><span class="step-num">2</span><span>或下载证书后手动双击安装到系统信任存储中（Windows 选择「受信任的根证书颁发机构」）</span></div>
+      <div class="step"><span class="step-num">3</span><span>macOS 用户需在「钥匙串访问」中找到证书 → 双击 → 展开「信任」→ 设为「始终信任」</span></div>
+    </div>
+  </div>
+</div>
+<script>
+function showTab(name, el){
+  document.querySelectorAll('.tab-content').forEach(e=>e.classList.remove('active'));
+  document.querySelectorAll('.tab').forEach(e=>e.classList.remove('active'));
+  document.getElementById('tab-'+name).classList.add('active');
+  if (el) el.classList.add('active');
+}
+</script>
+</body>
+</html>`;
+}
+/**
+ * Get the CA certificate content as PEM-encoded Buffer for download.
+ */
+export function getCertFileContent(caManager: CaManager): Buffer {
+  const certPath = caManager.getCaCertPath();
+  return readFileSync(certPath);
+}
+/**
+ * Get the CA certificate content as DER-encoded Buffer for mobile download (.cer).
+ */
+export function getCertDerContent(caManager: CaManager): Buffer {
+  return caManager.getCaCertDer();
+}