@yina-npm/openrouterx 0.4.55 → 0.4.71

package/app/src/lib/oauth/services/qoder.js

@@ -0,0 +1,216 @@
+import {
+  QODER_DEVICE_TOKEN_URL,
+  QODER_LOGIN_URL,
+  QODER_USERINFO_URL,
+} from "../../qoder/constants.js";
+import crypto from "crypto";
+import { v4 as uuidv4 } from "uuid";
+
+/**
+ * Qoder OAuth Service
+ * Implements the device-token flow:
+ *   1. Generate PKCE pair + nonce + machine_id locally.
+ *   2. Open https://qoder.com/device/selectAccounts?challenge=...&nonce=...
+ *      in the user's browser.
+ *   3. Poll openapi.qoder.sh/api/v1/deviceToken/poll until the user authorizes
+ *      and the upstream returns a `dt-...` access token.
+ *
+ * Tokens live ~30 days; refresh is a no-op (the upstream refresh endpoint
+ * returns 403 for our flow). Users re-run login when expired.
+ *
+ * Mirrors the structure of KiroService — the COSY signing / WAF-bypass body
+ * encoding / chat protocol live separately in src/lib/qoder/ because they're
+ * used by every signed request, not just OAuth.
+ */
+
+// Timeout for OAuth helper calls. The OAuth modal polls every 2s for up to
+// 5 minutes; an individual request that stalls beyond this is treated as a
+// failed poll attempt and the next poll iteration retries.
+const FETCH_TIMEOUT_MS = 15_000;
+
+function base64Url(buf) {
+  return buf
+    .toString("base64")
+    .replace(/=/g, "")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_");
+}
+
+/**
+ * Wrap fetch with an AbortController-based timeout. Without this, a stalled
+ * upstream socket hangs on Node's default keepalive timeout (minutes) and
+ * abandoned polls accumulate hung sockets.
+ */
+async function fetchWithTimeout(url, init = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort("timeout"), FETCH_TIMEOUT_MS);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+export class QoderService {
+  /**
+   * Generate a PKCE verifier + S256 challenge pair.
+   * Uses 32 random bytes (matches qodercli/Veria).
+   */
+  generatePkcePair() {
+    const verifier = base64Url(crypto.randomBytes(32));
+    const challenge = base64Url(crypto.createHash("sha256").update(verifier).digest());
+    return { verifier, challenge };
+  }
+
+  /**
+   * Initiate the device flow. Returns the URL to open in a browser plus the
+   * verifier/nonce/machineId we'll need to poll and to sign future requests.
+   */
+  initiateDeviceFlow() {
+    const { verifier, challenge } = this.generatePkcePair();
+    const nonce = uuidv4();
+    const machineId = uuidv4();
+
+    const params = new URLSearchParams({
+      challenge,
+      challenge_method: "S256",
+      machine_id: machineId,
+      nonce,
+    });
+
+    return {
+      verificationUriComplete: `${QODER_LOGIN_URL}?${params.toString()}`,
+      codeVerifier: verifier,
+      nonce,
+      machineId,
+    };
+  }
+
+  /**
+   * Single poll attempt. Returns one of:
+   *   { status: "pending" }       — keep polling
+   *   { status: "ok", token, ... } — user authorized, tokens captured
+   *   throws Error                 — terminal failure
+   *
+   * Upstream returns 202/404 while waiting; 200 with a JSON body when done.
+   */
+  async pollDeviceToken({ nonce, codeVerifier }) {
+    if (!nonce || !codeVerifier) {
+      throw new Error("pollDeviceToken: missing nonce or code verifier");
+    }
+    const url = `${QODER_DEVICE_TOKEN_URL}?nonce=${encodeURIComponent(nonce)}&verifier=${encodeURIComponent(codeVerifier)}&challenge_method=S256`;
+
+    const response = await fetchWithTimeout(url, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        "User-Agent": "Go-http-client/2.0",
+      },
+    });
+
+    // Pending — server has registered the device code but the user hasn't
+    // finished the browser flow yet. Both 202 and 404 mean "keep polling".
+    if (response.status === 202 || response.status === 404) {
+      return { status: "pending" };
+    }
+
+    const text = await response.text();
+
+    if (!response.ok) {
+      let message = `Qoder device token poll failed: HTTP ${response.status}`;
+      try {
+        const body = JSON.parse(text);
+        if (body.message) message = `Qoder device token poll failed: ${body.message}`;
+      } catch {}
+      throw new Error(message);
+    }
+
+    let body;
+    try {
+      body = JSON.parse(text);
+    } catch (err) {
+      throw new Error(`Qoder device token poll: invalid JSON response (${err.message})`);
+    }
+
+    // Defensive: 200 + empty token means the upstream changed shape.
+    if (!body.token) {
+      throw new Error("Qoder device token poll returned 200 but no token");
+    }
+
+    const expireMs = QoderService.parseExpiry(body.expires_at, body.expires_in);
+
+    return {
+      status: "ok",
+      accessToken: body.token,
+      refreshToken: body.refresh_token || "",
+      userId: body.user_id || "",
+      expireTime: expireMs,
+      rawResponse: body,
+    };
+  }
+
+  /**
+   * Fetch profile info for the freshly-issued token. Best-effort — failures
+   * shouldn't block login; returning empty strings is fine.
+   */
+  async fetchUserInfo(accessToken) {
+    try {
+      const response = await fetchWithTimeout(QODER_USERINFO_URL, {
+        method: "GET",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json",
+          "User-Agent": "Go-http-client/2.0",
+        },
+      });
+      if (!response.ok) return { name: "", email: "" };
+      const body = await response.json();
+      return {
+        name: (body.name || body.username || "").trim(),
+        email: (body.email || "").trim(),
+        organizationId: (body.organization_id || "").trim(),
+      };
+    } catch {
+      return { name: "", email: "" };
+    }
+  }
+
+  /**
+   * Convert the upstream's expiry hint into a Unix-millisecond timestamp.
+   * Accepts:
+   *   - numeric (ms-epoch): returned as-is
+   *   - numeric string of ms-epoch: e.g. "1781594470000"
+   *   - RFC3339 string: e.g. "2026-06-16T07:15:04Z"
+   *   - seconds-from-now via expiresInSeconds (>= 0)
+   * Falls back to "now + 30 days" when both are missing.
+   *
+   * Order matters: try numeric (string or number) before Date.parse, since
+   * Date.parse accepts short numeric strings like "2026" as years and would
+   * otherwise return a misleading year-2026 timestamp instead of falling
+   * through to the integer branch.
+   *
+   * Static so callers (and tests) can use it without instantiating.
+   */
+  static parseExpiry(expiresAt, expiresInSeconds) {
+    if (typeof expiresAt === "number" && Number.isFinite(expiresAt) && expiresAt > 0) {
+      return expiresAt;
+    }
+    const trimmed = typeof expiresAt === "string" ? expiresAt.trim() : "";
+    if (trimmed) {
+      // Pure numeric string → ms-epoch (don't let Date.parse swallow short
+      // numerics as years).
+      if (/^\d+$/.test(trimmed)) {
+        const ms = Number.parseInt(trimmed, 10);
+        if (Number.isFinite(ms) && ms > 0) return ms;
+      }
+      const parsed = Date.parse(trimmed);
+      if (!Number.isNaN(parsed)) return parsed;
+    }
+    // expiresInSeconds === 0 means "already expired"; honor that by returning
+    // the current time rather than fabricating a 30-day default.
+    if (typeof expiresInSeconds === "number" && Number.isFinite(expiresInSeconds) && expiresInSeconds >= 0) {
+      return Date.now() + expiresInSeconds * 1000;
+    }
+    return Date.now() + 30 * 24 * 60 * 60 * 1000;
+  }
+}

package/app/src/lib/oauth/services/xai.js

@@ -0,0 +1,238 @@
+import open from "open";
+import { OAuthService } from "./oauth.js";
+import crypto from "crypto";
+import { XAI_CONFIG, XAI_PKCE_VERIFIER_BYTES } from "../constants/xai.js";
+import { startLocalServer } from "../utils/server.js";
+import { generateCodeVerifier, generateCodeChallenge, generateState } from "../utils/pkce.js";
+import { spinner as createSpinner } from "../utils/ui.js";
+
+/**
+ * xAI (Grok) OAuth Service
+ *
+ * Source of truth: router-for-me/CLIProxyAPI internal/auth/xai/xai.go
+ *
+ * Flow:
+ *  1. Discover endpoints from `${XAI_ISSUER}/.well-known/openid-configuration`
+ *  2. Bind loopback server on 127.0.0.1:56121, path /callback
+ *  3. PKCE S256 with 96-byte verifier
+ *  4. Exchange code with form-urlencoded body
+ *  5. id_token email decode (no signature verify, mirrors Go)
+ */
+
+const BASE64_BLOCK_SIZE = 4;
+
+let cachedDiscovery = null;
+
+export function validateOAuthEndpoint(rawUrl, field) {
+  const value = String(rawUrl || "").trim();
+  if (!value) throw new Error(`xai discovery ${field} is empty`);
+
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch (err) {
+    throw new Error(`xai discovery ${field} is invalid: ${err.message}`);
+  }
+
+  if (parsed.protocol !== "https:") {
+    throw new Error(`xai discovery ${field} must use https: ${value}`);
+  }
+
+  const host = parsed.hostname.toLowerCase().trim();
+  if (host !== "x.ai" && !host.endsWith(".x.ai")) {
+    throw new Error(`xai discovery ${field} host ${host} is not on x.ai`);
+  }
+
+  return value;
+}
+
+/**
+ * Discover authorization + token endpoints. Cached process-wide.
+ */
+export async function discoverEndpoints() {
+  if (cachedDiscovery) return cachedDiscovery;
+
+  try {
+    const res = await fetch(XAI_CONFIG.discoveryUrl, {
+      headers: { Accept: "application/json" },
+    });
+    if (res.ok) {
+      const data = await res.json();
+      cachedDiscovery = {
+        authorizeUrl: validateOAuthEndpoint(data.authorization_endpoint, "authorization_endpoint"),
+        tokenUrl: validateOAuthEndpoint(data.token_endpoint, "token_endpoint"),
+      };
+      return cachedDiscovery;
+    }
+  } catch {
+    // fall through to static fallback
+  }
+
+  cachedDiscovery = {
+    authorizeUrl: XAI_CONFIG.authorizeUrl,
+    tokenUrl: XAI_CONFIG.tokenUrl,
+  };
+  return cachedDiscovery;
+}
+
+/**
+ * Decode the `email` claim from an id_token JWT. No signature verification —
+ * mirrors CLIProxyAPI Go behavior. Returns undefined if not parseable.
+ */
+export function decodeIdTokenEmail(idToken) {
+  if (!idToken || typeof idToken !== "string") return undefined;
+  const parts = idToken.split(".");
+  if (parts.length !== 3) return undefined;
+  try {
+    const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padding = (BASE64_BLOCK_SIZE - (base64.length % BASE64_BLOCK_SIZE)) % BASE64_BLOCK_SIZE;
+    const json = Buffer.from(base64 + "=".repeat(padding), "base64").toString("utf8");
+    const payload = JSON.parse(json);
+    return payload.email || payload.preferred_username || payload.sub || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+export class XaiService extends OAuthService {
+  constructor() {
+    super(XAI_CONFIG);
+  }
+
+  /**
+   * Build xAI authorization URL. Spaces in scope are encoded as %20.
+   */
+  buildXaiAuthUrl(redirectUri, state, codeChallenge, authorizeUrl) {
+    const nonce = crypto.randomBytes(16).toString("hex");
+    const params = {
+      response_type: "code",
+      client_id: XAI_CONFIG.clientId,
+      redirect_uri: redirectUri,
+      scope: XAI_CONFIG.scope,
+      code_challenge: codeChallenge,
+      code_challenge_method: XAI_CONFIG.codeChallengeMethod,
+      state,
+      nonce,
+      plan: "generic",
+      referrer: "cli-proxy-api",
+    };
+    const qs = Object.entries(params)
+      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
+      .join("&");
+    return `${authorizeUrl}?${qs}`;
+  }
+
+  /**
+   * Exchange authorization code for tokens.
+   * xAI is a public PKCE client — no client_secret.
+   */
+  async exchangeXaiCode({ tokenUrl, code, redirectUri, codeVerifier }) {
+    const res = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: XAI_CONFIG.clientId,
+        code,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier,
+      }),
+    });
+
+    if (!res.ok) {
+      const err = await res.text();
+      throw new Error(`xAI token exchange failed: ${err}`);
+    }
+    return await res.json();
+  }
+
+  /**
+   * Refresh an access token using a refresh_token.
+   */
+  async refreshAccessToken(refreshToken) {
+    const { tokenUrl } = await discoverEndpoints();
+    const res = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: XAI_CONFIG.clientId,
+        refresh_token: refreshToken,
+      }),
+    });
+    if (!res.ok) {
+      const err = await res.text();
+      throw new Error(`xAI token refresh failed: ${err}`);
+    }
+    return await res.json();
+  }
+
+  /**
+   * Complete xAI OAuth flow end-to-end (CLI entrypoint).
+   * Returns the raw token response plus extracted email.
+   */
+  async connect() {
+    const spinner = createSpinner("Starting xAI OAuth...").start();
+    try {
+      spinner.text = "Discovering xAI endpoints...";
+      const { authorizeUrl, tokenUrl } = await discoverEndpoints();
+
+      spinner.text = `Starting local server on port ${XAI_CONFIG.loopbackPort}...`;
+      let callbackParams = null;
+      const { port, close } = await startLocalServer((params) => {
+        callbackParams = params;
+      }, XAI_CONFIG.loopbackPort);
+      const redirectUri = `http://127.0.0.1:${port}${XAI_CONFIG.callbackPath}`;
+      spinner.succeed(`Local server started on port ${port}`);
+
+      const codeVerifier = generateCodeVerifier(XAI_PKCE_VERIFIER_BYTES);
+      const codeChallenge = generateCodeChallenge(codeVerifier);
+      const state = generateState();
+      const authUrl = this.buildXaiAuthUrl(redirectUri, state, codeChallenge, authorizeUrl);
+
+      console.log("\nOpening browser for xAI authentication...");
+      console.log(`If browser doesn't open, visit:\n${authUrl}\n`);
+      await open(authUrl);
+
+      spinner.start("Waiting for xAI authorization...");
+      await new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => reject(new Error("Authentication timeout (5 minutes)")), 300000);
+        const iv = setInterval(() => {
+          if (callbackParams) {
+            clearInterval(iv);
+            clearTimeout(timeout);
+            resolve();
+          }
+        }, 100);
+      });
+      close();
+
+      if (callbackParams.error) {
+        throw new Error(callbackParams.error_description || callbackParams.error);
+      }
+      if (!callbackParams.code) throw new Error("No authorization code received");
+      if (callbackParams.state !== state) throw new Error("Invalid state parameter");
+
+      spinner.start("Exchanging code for tokens...");
+      const tokens = await this.exchangeXaiCode({
+        tokenUrl,
+        code: callbackParams.code,
+        redirectUri,
+        codeVerifier,
+      });
+
+      const email = decodeIdTokenEmail(tokens.id_token);
+      spinner.succeed("xAI connected successfully!");
+      return { tokens, email };
+    } catch (error) {
+      spinner.fail(`Failed: ${error.message}`);
+      throw error;
+    }
+  }
+}

package/app/src/lib/updater/updater.js

@@ -10,7 +10,6 @@ const fs = require("fs");
 const os = require("os");
 
 const packageName = process.env.UPDATER_PKG_NAME || "9router";
-const APP_DATA_DIR_NAME = "openrouterx";
 const port = parseInt(process.env.UPDATER_PORT || "20129", 10);
 const tailLines = parseInt(process.env.UPDATER_TAIL_LINES || "8", 10);
 const maxRetries = parseInt(process.env.UPDATER_RETRIES || "3", 10);
@@ -19,7 +18,7 @@ const lingerMs = parseInt(process.env.UPDATER_LINGER_MS || "30000", 10);
 const waitMinMs = parseInt(process.env.UPDATER_WAIT_MIN_MS || "3000", 10);
 const waitMaxMs = parseInt(process.env.UPDATER_WAIT_MAX_MS || "15000", 10);
 const waitCheckMs = parseInt(process.env.UPDATER_WAIT_CHECK_MS || "500", 10);
-const appPort = parseInt(process.env.UPDATER_APP_PORT || "20502", 10);
+const appPort = parseInt(process.env.UPDATER_APP_PORT || "20128", 10);
 
 // Data directory (match mitm/paths.js logic)
 function getDataDir() {
@@ -27,10 +26,10 @@ function getDataDir() {
   if (process.platform === "win32") {
     return path.join(
       process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming"),
-      APP_DATA_DIR_NAME
+      "9router"
     );
   }
-  return path.join(os.homedir(), `.${APP_DATA_DIR_NAME}`);
+  return path.join(os.homedir(), ".9router");
 }
 const updateDir = path.join(getDataDir(), "update");
 try { fs.mkdirSync(updateDir, { recursive: true }); } catch { /* best effort */ }

package/app/src/mitm/antigravityIdeVersion.js

@@ -0,0 +1,50 @@
+"use strict";
+
+// Rewrite Antigravity IDE markers so upstream AG 2.x backend accepts the request.
+// User-Agent header (antigravity/<old>) and body.metadata.ideVersion are forced
+// to a known-good IDE version. Hardcoded MVP — toggle/version configurable later.
+
+const ANTIGRAVITY_IDE_VERSION = "1.23.2";
+const ANTIGRAVITY_IDE_VERSION_OVERRIDE_ENABLED = true;
+
+function shouldRewriteMetadata(metadata) {
+  if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) return false;
+  if (String(metadata.ideName || "").toLowerCase() === "antigravity") return true;
+  if (String(metadata.ideType || "").toUpperCase() === "ANTIGRAVITY") return true;
+  return Object.prototype.hasOwnProperty.call(metadata, "ideVersion");
+}
+
+function rewriteAntigravityUserAgent(userAgent, version) {
+  if (typeof userAgent !== "string" || !userAgent.includes("antigravity/")) return userAgent;
+  return userAgent.replace(/antigravity\/[^\s]+/, `antigravity/${version}`);
+}
+
+function applyAntigravityIdeVersionOverride(bodyBuffer, headers) {
+  if (!ANTIGRAVITY_IDE_VERSION_OVERRIDE_ENABLED) {
+    return { bodyBuffer, headers, applied: false, version: ANTIGRAVITY_IDE_VERSION };
+  }
+
+  const nextHeaders = { ...headers };
+  const nextUserAgent = rewriteAntigravityUserAgent(nextHeaders["user-agent"], ANTIGRAVITY_IDE_VERSION);
+  const userAgentChanged = nextUserAgent !== nextHeaders["user-agent"];
+  if (userAgentChanged) nextHeaders["user-agent"] = nextUserAgent;
+
+  try {
+    const parsed = JSON.parse(bodyBuffer.toString());
+    if (!shouldRewriteMetadata(parsed?.metadata)) {
+      return { bodyBuffer, headers: nextHeaders, applied: userAgentChanged, version: ANTIGRAVITY_IDE_VERSION };
+    }
+
+    parsed.metadata.ideVersion = ANTIGRAVITY_IDE_VERSION;
+    const nextBodyBuffer = Buffer.from(JSON.stringify(parsed));
+    return { bodyBuffer: nextBodyBuffer, headers: nextHeaders, applied: true, version: ANTIGRAVITY_IDE_VERSION };
+  } catch {
+    return { bodyBuffer, headers: nextHeaders, applied: userAgentChanged, version: ANTIGRAVITY_IDE_VERSION };
+  }
+}
+
+module.exports = {
+  ANTIGRAVITY_IDE_VERSION,
+  applyAntigravityIdeVersionOverride,
+  rewriteAntigravityUserAgent,
+};

package/app/src/mitm/cert/install.js

@@ -4,14 +4,30 @@ const { exec } = require("child_process");
 const { execWithPassword, isSudoAvailable } = require("../dns/dnsConfig.js");
 const { runElevatedPowerShell, quotePs } = require("../winElevated.js");
 const { log, err } = require("../logger");
-const { ROOT_CA_CN } = require("./rootCA.js");
 
 const IS_WIN = process.platform === "win32";
 const IS_MAC = process.platform === "darwin";
-const LINUX_CERT_DIR = "/usr/local/share/ca-certificates";
-const LEGACY_ROOT_CA_CN = "9Router MITM Root CA";
-const LINUX_CERT_FILE = `${LINUX_CERT_DIR}/openrouterx-root-ca.crt`;
-const LEGACY_LINUX_CERT_FILE = `${LINUX_CERT_DIR}/9router-root-ca.crt`;
+const LINUX_CERT_PATHS = [
+  // Debian / Ubuntu
+  { dir: "/usr/local/share/ca-certificates", cmd: "update-ca-certificates" },
+  // Arch Linux / CachyOS / Manjaro
+  { dir: "/etc/ca-certificates/trust-source/anchors", cmd: "update-ca-trust" },
+  // Fedora / RHEL / CentOS
+  { dir: "/etc/pki/ca-trust/source/anchors", cmd: "update-ca-trust" },
+  // openSUSE
+  { dir: "/etc/pki/trust/anchors", cmd: "update-ca-certificates" }
+];
+
+function getLinuxCertConfig() {
+  for (const config of LINUX_CERT_PATHS) {
+    if (fs.existsSync(config.dir)) {
+      return config;
+    }
+  }
+  // Fallback to Debian default if none exist
+  return LINUX_CERT_PATHS[0];
+}
+const ROOT_CA_CN = "9Router MITM Root CA";
 
 // Get SHA1 fingerprint from cert file using Node.js crypto
 function getCertFingerprint(certPath) {
@@ -33,12 +49,14 @@ function checkCertInstalledMac(certPath) {
   return new Promise((resolve) => {
     try {
       const fingerprint = getCertFingerprint(certPath).replace(/:/g, "");
-      // security verify-cert returns 0 only if cert is trusted by system policy
-      exec(`security verify-cert -c "${certPath}" -p ssl -k /Library/Keychains/System.keychain 2>/dev/null`, { windowsHide: true }, (error) => {
-        if (!error) return resolve(true);
-        // Fallback: check if fingerprint appears in System keychain with trust
-        exec(`security dump-trust-settings -d 2>/dev/null | grep -i "${fingerprint}"`, { windowsHide: true }, (err2, stdout2) => {
-          resolve(!err2 && !!stdout2?.trim());
+      // Verify exact cert bytes match — same CN with different fingerprint = stale cert
+      exec(`security find-certificate -a -c "${ROOT_CA_CN}" -Z /Library/Keychains/System.keychain 2>/dev/null`, { windowsHide: true }, (error, stdout) => {
+        if (error || !stdout) return resolve(false);
+        const match = new RegExp(`SHA-1 hash:\\s*${fingerprint}`, "i").test(stdout);
+        if (!match) return resolve(false);
+        // Cert exists with matching fingerprint — confirm trust policy
+        exec(`security verify-cert -c "${certPath}" -p ssl -k /Library/Keychains/System.keychain 2>/dev/null`, { windowsHide: true }, (err2) => {
+          resolve(!err2);
         });
       });
     } catch {
@@ -87,10 +105,7 @@ async function installCert(sudoPassword, certPath) {
 
 async function installCertMac(sudoPassword, certPath) {
   // Remove all old certs with same name first to avoid duplicate/stale cert conflict
-  const deleteOld = [
-    `security delete-certificate -c "${LEGACY_ROOT_CA_CN}" /Library/Keychains/System.keychain 2>/dev/null || true`,
-    `security delete-certificate -c "${ROOT_CA_CN}" /Library/Keychains/System.keychain 2>/dev/null || true`,
-  ].join(" && ");
+  const deleteOld = `security delete-certificate -c "9Router MITM Root CA" /Library/Keychains/System.keychain 2>/dev/null || true`;
   const install = `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certPath}"`;
   try {
     await execWithPassword(`${deleteOld} && ${install}`, sudoPassword);
@@ -105,7 +120,6 @@ async function installCertWindows(certPath) {
   // Auto-elevate via UAC popup if not admin (zero popup if already admin).
   // Delete any stale cert with same CN before adding to avoid duplicates.
   const script = `
-    certutil -delstore Root ${quotePs(LEGACY_ROOT_CA_CN)} 2>$null | Out-Null
     certutil -delstore Root ${quotePs(ROOT_CA_CN)} 2>$null | Out-Null
     $exit = & certutil -addstore Root ${quotePs(certPath)} 2>&1
     if ($LASTEXITCODE -ne 0) { throw "certutil exit $LASTEXITCODE" }
@@ -160,7 +174,9 @@ async function uninstallCertWindows() {
 }
 
 function checkCertInstalledLinux() {
-  return Promise.resolve(fs.existsSync(LINUX_CERT_FILE));
+  const config = getLinuxCertConfig();
+  const certFile = `${config.dir}/9router-root-ca.crt`;
+  return Promise.resolve(fs.existsSync(certFile));
 }
 
 async function updateNssDatabases(certPath, action = 'add') {
@@ -214,9 +230,13 @@ async function installCertLinux(sudoPassword, certPath) {
     await updateNssDatabases(certPath, 'add');
     return;
   }
-  const destFile = LINUX_CERT_FILE;
-  // Try update-ca-certificates (Debian/Ubuntu), fallback to update-ca-trust (Fedora/RHEL)
-  const cmd = `rm -f "${LEGACY_LINUX_CERT_FILE}" && cp "${certPath}" "${destFile}" && (update-ca-certificates 2>/dev/null || update-ca-trust 2>/dev/null || true)`;
+  
+  const config = getLinuxCertConfig();
+  const destFile = `${config.dir}/9router-root-ca.crt`;
+  
+  // Copy to the discovered directory and execute the specific update command
+  const cmd = `cp "${certPath}" "${destFile}" && (${config.cmd} 2>/dev/null || true)`;
+  
   try {
     await execWithPassword(cmd, sudoPassword);
     await updateNssDatabases(certPath, 'add');
@@ -233,7 +253,11 @@ async function uninstallCertLinux(sudoPassword) {
   if (!isSudoAvailable()) {
     return;
   }
-  const cmd = `rm -f "${LINUX_CERT_FILE}" "${LEGACY_LINUX_CERT_FILE}" && (update-ca-certificates 2>/dev/null || update-ca-trust 2>/dev/null || true)`;
+  
+  const config = getLinuxCertConfig();
+  const destFile = `${config.dir}/9router-root-ca.crt`;
+  const cmd = `rm -f "${destFile}" && (${config.cmd} 2>/dev/null || true)`;
+  
   try {
     await execWithPassword(cmd, sudoPassword);
     log("🔐 Cert: ✅ uninstalled from Linux trust store and user browser databases");