aicodeswitch 5.1.2 → 5.2.0

package/dist/server/main.js

@@ -21,6 +21,9 @@ const crypto_1 = require("crypto");
 const https_proxy_agent_1 = require("https-proxy-agent");
 const database_factory_1 = require("./database-factory");
 const proxy_server_1 = require("./proxy-server");
+const index_1 = require("./access-keys/index");
+const manager_1 = require("./access-keys/manager");
+const policy_manager_1 = require("./access-keys/policy-manager");
 const os_1 = __importDefault(require("os"));
 const auth_1 = require("./auth");
 const version_check_1 = require("./version-check");
@@ -33,6 +36,8 @@ const config_metadata_1 = require("./config-metadata");
 const config_merge_1 = require("./config-merge");
 const config_managed_fields_1 = require("./config-managed-fields");
 const config_1 = require("./config");
+const session_migration_1 = require("./session-migration");
+const session_launcher_1 = require("./session-launcher");
 const appDir = path_1.default.join(os_1.default.homedir(), '.aicodeswitch');
 const legacyDataDir = path_1.default.join(appDir, 'data');
 const dataDir = path_1.default.join(appDir, 'fs-db');
@@ -41,7 +46,7 @@ const upgradeHashFilePath = path_1.default.join(appDir, 'upgrade-hash');
 if (fs_1.default.existsSync(dotenvPath)) {
     dotenv_1.default.config({ path: dotenvPath });
 }
-const host = process.env.HOST || '127.0.0.1';
+const host = process.env.HOST || '0.0.0.0';
 const port = process.env.PORT ? parseInt(process.env.PORT, 10) : 4567;
 let globalProxyConfig = null;
 function updateProxyConfig(config) {
@@ -74,6 +79,112 @@ function getProxyAgent() {
         return null;
     }
 }
+// ============================================================================
+// 写入本地记录持久化
+// ============================================================================
+const getWriteLocalRecordsFile = () => path_1.default.join(dataDir, 'write-local-records.json');
+function loadWriteLocalRecords() {
+    try {
+        const filePath = getWriteLocalRecordsFile();
+        if (fs_1.default.existsSync(filePath)) {
+            return JSON.parse(fs_1.default.readFileSync(filePath, 'utf-8'));
+        }
+    }
+    catch ( /* ignore */_a) { /* ignore */ }
+    return [];
+}
+function saveWriteLocalRecords(records) {
+    const filePath = getWriteLocalRecordsFile();
+    if (!fs_1.default.existsSync(dataDir)) {
+        fs_1.default.mkdirSync(dataDir, { recursive: true });
+    }
+    (0, config_merge_1.atomicWriteFile)(filePath, JSON.stringify(records, null, 2));
+}
+function addWriteLocalRecord(accessKeyId, targets) {
+    const records = loadWriteLocalRecords();
+    const existing = records.find(r => r.accessKeyId === accessKeyId);
+    if (existing) {
+        for (const t of targets) {
+            if (!existing.targets.includes(t))
+                existing.targets.push(t);
+        }
+        existing.timestamp = Date.now();
+    }
+    else {
+        records.push({ accessKeyId, targets: [...targets], timestamp: Date.now() });
+    }
+    saveWriteLocalRecords(records);
+}
+function removeWriteLocalRecords(accessKeyId) {
+    const records = loadWriteLocalRecords().filter(r => r.accessKeyId !== accessKeyId);
+    saveWriteLocalRecords(records);
+}
+/**
+ * 从持久化记录中恢复已写入本地的 AccessKey
+ * 每次代理配置写入后调用，确保 AccessKey 不会被占位符覆盖
+ */
+function applyWriteLocalRecords(proxyServer) {
+    const accessKeyModule = proxyServer.getAccessKeyModule();
+    if (!accessKeyModule)
+        return;
+    const records = loadWriteLocalRecords();
+    if (records.length === 0)
+        return;
+    let changed = false;
+    const homeDir = os_1.default.homedir();
+    const remainingRecords = records.filter(record => {
+        const key = accessKeyModule.keyManager.get(record.accessKeyId);
+        if (!key || key.status !== 'active') {
+            changed = true;
+            return false; // 密钥已删除或停用，移除记录
+        }
+        for (const target of record.targets) {
+            try {
+                if (target === 'claude-code') {
+                    const claudeDir = path_1.default.join(homeDir, '.claude');
+                    const settingsPath = path_1.default.join(claudeDir, 'settings.json');
+                    if (!fs_1.default.existsSync(claudeDir)) {
+                        fs_1.default.mkdirSync(claudeDir, { recursive: true });
+                    }
+                    let settings = {};
+                    if (fs_1.default.existsSync(settingsPath)) {
+                        try {
+                            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_a) { /* ignore */ }
+                    }
+                    if (!settings.env)
+                        settings.env = {};
+                    settings.env.ANTHROPIC_AUTH_TOKEN = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(settingsPath, JSON.stringify(settings, null, 2));
+                }
+                else if (target === 'codex') {
+                    const codexDir = path_1.default.join(homeDir, '.codex');
+                    const authPath = path_1.default.join(codexDir, 'auth.json');
+                    if (!fs_1.default.existsSync(codexDir)) {
+                        fs_1.default.mkdirSync(codexDir, { recursive: true });
+                    }
+                    let auth = {};
+                    if (fs_1.default.existsSync(authPath)) {
+                        try {
+                            auth = JSON.parse(fs_1.default.readFileSync(authPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_b) { /* ignore */ }
+                    }
+                    auth.OPENAI_API_KEY = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(authPath, JSON.stringify(auth, null, 2));
+                }
+            }
+            catch (error) {
+                console.error(`[WriteLocal] Failed to apply key ${record.accessKeyId} to ${target}:`, error);
+            }
+        }
+        return true;
+    });
+    if (changed) {
+        saveWriteLocalRecords(remainingRecords);
+    }
+}
 const app = (0, express_1.default)();
 app.use((0, cors_1.default)());
 app.use(express_1.default.json({ limit: 'Infinity' }));
@@ -114,12 +225,11 @@ const isClaudeEffortLevel = (value) => {
 const isValidAutocompactPct = (v) => {
     return typeof v === 'number' && Number.isInteger(v) && v >= 1 && v <= 100;
 };
-const writeClaudeConfig = (dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1) => __awaiter(void 0, [dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1], void 0, function* (dbManager, enableAgentTeams, enableBypassPermissionsSupport, effortLevel, defaultModel, autocompactPctOverride, options = {}) {
+const writeClaudeConfig = (_dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1) => __awaiter(void 0, [_dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1], void 0, function* (_dbManager, enableAgentTeams, enableBypassPermissionsSupport, effortLevel, defaultModel, autocompactPctOverride, options = {}) {
     var _a;
     try {
         const homeDir = os_1.default.homedir();
         const port = process.env.PORT ? parseInt(process.env.PORT, 10) : 4567;
-        const config = dbManager.getConfig();
         // Claude Code settings.json
         const claudeDir = path_1.default.join(homeDir, '.claude');
         const claudeSettingsPath = path_1.default.join(claudeDir, 'settings.json');
@@ -166,11 +276,11 @@ const writeClaudeConfig = (dbManager_1, enableAgentTeams_1, enableBypassPermissi
         }
         // 构建代理配置
         const claudeSettingsEnv = {
-            ANTHROPIC_AUTH_TOKEN: config.apiKey || "api_key",
-            ANTHROPIC_API_KEY: "",
+            ANTHROPIC_AUTH_TOKEN: "api_key",
             ANTHROPIC_BASE_URL: `http://${host}:${port}/claude-code`,
             API_TIMEOUT_MS: "3000000",
-            CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: 1
+            CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: 1,
+            CLAUDE_CODE_MAX_RETRIES: 3
         };
         // 如果启用Agent Teams功能，添加对应的环境变量
         if (enableAgentTeams) {
@@ -262,11 +372,10 @@ const DEFAULT_CODEX_REASONING_EFFORT = 'high';
 const isCodexReasoningEffort = (value) => {
     return typeof value === 'string' && VALID_CODEX_REASONING_EFFORTS.includes(value);
 };
-const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManager_1, ...args_1], void 0, function* (dbManager, modelReasoningEffort = DEFAULT_CODEX_REASONING_EFFORT, codexDefaultModel, options = {}) {
+const writeCodexConfig = (_dbManager_1, ...args_1) => __awaiter(void 0, [_dbManager_1, ...args_1], void 0, function* (_dbManager, modelReasoningEffort = DEFAULT_CODEX_REASONING_EFFORT, codexDefaultModel, options = {}) {
     var _a;
     try {
         const homeDir = os_1.default.homedir();
-        const config = dbManager.getConfig();
         // Codex config.toml
         const codexDir = path_1.default.join(homeDir, '.codex');
         const codexConfigPath = path_1.default.join(codexDir, 'config.toml');
@@ -324,7 +433,9 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
                 aicodeswitch: {
                     name: "aicodeswitch",
                     base_url: `http://${host}:${process.env.PORT ? parseInt(process.env.PORT, 10) : 4567}/codex`,
-                    wire_api: "responses"
+                    wire_api: "responses",
+                    stream_max_retries: 3,
+                    stream_retry_backoff: "fixed"
                 }
             }
         };
@@ -354,7 +465,7 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
         }
         // 构建代理配置
         const proxyAuth = {
-            OPENAI_API_KEY: config.apiKey || "api_key"
+            OPENAI_API_KEY: "api_key"
         };
         // 使用智能合并
         const mergedAuth = (0, config_merge_1.mergeJsonConfig)(proxyAuth, currentAuth, config_managed_fields_1.CODEX_AUTH_MANAGED_FIELDS);
@@ -388,6 +499,7 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
     }
 });
 const restoreClaudeConfig = () => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b;
     try {
         const homeDir = os_1.default.homedir();
         let restoredAnyFile = false;
@@ -408,6 +520,14 @@ const restoreClaudeConfig = () => __awaiter(void 0, void 0, void 0, function* ()
                     console.warn('Failed to parse current settings.json during restore, using empty object:', error);
                 }
             }
+            // 防御性清理：移除 currentSettings 中 ANTHROPIC_API_KEY 的空值，
+            // 防止旧版本代理写入的空值覆盖 backup 中的真实 Key
+            if (((_a = currentSettings === null || currentSettings === void 0 ? void 0 : currentSettings.env) === null || _a === void 0 ? void 0 : _a.ANTHROPIC_API_KEY) === '' && ((_b = backupSettings === null || backupSettings === void 0 ? void 0 : backupSettings.env) === null || _b === void 0 ? void 0 : _b.ANTHROPIC_API_KEY)) {
+                delete currentSettings.env.ANTHROPIC_API_KEY;
+                if (Object.keys(currentSettings.env).length === 0) {
+                    delete currentSettings.env;
+                }
+            }
             // 生成合并后的配置（备份作为基础，合并当前的非管理字段）
             const mergedSettings = (0, config_merge_1.mergeJsonConfig)(backupSettings, currentSettings, config_managed_fields_1.CLAUDE_SETTINGS_MANAGED_FIELDS);
             // 原子性写入合并后的配置
@@ -925,6 +1045,21 @@ const listInstalledSkills = () => {
 const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, void 0, function* () {
     updateProxyConfig(dbManager.getConfig());
     app.get('/health', (_req, res) => res.json({ status: 'ok' }));
+    // 局域网访问控制中间件：当 enableLanDiscovery 关闭时，仅允许本机访问 /api/* 路由
+    app.use('/api', (req, res, next) => {
+        const config = dbManager.getConfig();
+        if (config.enableLanDiscovery) {
+            return next();
+        }
+        const clientIp = req.ip || req.socket.remoteAddress || '';
+        // 规范化 IPv4-mapped IPv6 地址 (::ffff:127.0.0.1 -> 127.0.0.1)
+        const normalizedIp = clientIp.replace(/^::ffff:/, '');
+        if (normalizedIp === '127.0.0.1' || normalizedIp === '::1' || normalizedIp === 'localhost') {
+            return next();
+        }
+        console.warn(`[LAN Guard] 拒绝非本机访问: ${clientIp} -> ${req.method} ${req.path}`);
+        res.status(403).json({ error: 'LAN access is disabled. Only local access is allowed.' });
+    });
     // 鉴权相关路由 - 公开访问
     app.get('/api/auth/status', (_req, res) => {
         const response = { enabled: (0, auth_1.isAuthEnabled)() };
@@ -945,10 +1080,10 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
             res.status(401).json({ error: 'Invalid auth code' });
         }
     });
-    // 鉴权中间件 - 保护所有 /api/* 路由 (除了 /api/auth/*)
+    // 鉴权中间件 - 保护所有 /api/* 路由 (除了 /api/auth/* 和 /api/lan/discover)
     app.use('/api', (req, res, next) => {
-        if (req.path.startsWith('/auth/')) {
-            next(); // /api/auth/* 路由不需要鉴权
+        if (req.path.startsWith('/auth/') || req.path === '/lan/discover') {
+            next(); // /api/auth/* 和 /api/lan/discover 路由不需要鉴权
         }
         else {
             (0, auth_1.authMiddleware)(req, res, next);
@@ -1135,6 +1270,48 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
         });
         res.json(allStatuses);
     })));
+    // SSE 端点：实时推送规则状态变更
+    app.get('/api/rules/status/stream', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        // 设置 SSE 响应头
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'X-Accel-Buffering': 'no', // 防止 nginx 等代理缓冲
+        });
+        // 连接时立即发送完整快照（init 事件）
+        const allRules = dbManager.getRules();
+        const statusMap = rules_status_service_1.rulesStatusBroadcaster.getAllRuleStatuses();
+        const statusMapByRuleId = new Map(statusMap.map(status => [status.ruleId, status]));
+        const allStatuses = allRules.map(rule => {
+            const existingStatus = statusMapByRuleId.get(rule.id);
+            if (existingStatus) {
+                return existingStatus;
+            }
+            else {
+                return {
+                    ruleId: rule.id,
+                    status: 'idle',
+                    timestamp: Date.now(),
+                };
+            }
+        });
+        res.write(`data: ${JSON.stringify({ type: 'init', statuses: allStatuses })}\n\n`);
+        // 监听状态变更，推送增量更新
+        const onChange = (data) => {
+            res.write(`data: ${JSON.stringify({ type: 'update', status: data })}\n\n`);
+        };
+        rules_status_service_1.rulesStatusBroadcaster.on('statusChanged', onChange);
+        // 3 秒心跳，用于客户端检测连接存活状态
+        const heartbeat = setInterval(() => {
+            res.write(`data: ${JSON.stringify({ type: 'heartbeat', timestamp: Date.now() })}\n\n`);
+        }, 3000);
+        // 客户端断开时清理
+        req.on('close', () => {
+            rules_status_service_1.rulesStatusBroadcaster.off('statusChanged', onChange);
+            clearInterval(heartbeat);
+        });
+    })));
     // 清除规则的错误状态（广播 idle 状态给所有客户端）
     app.post('/api/rules/:id/clear-status', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
         const { id } = req.params;
@@ -1250,9 +1427,236 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
+    // ===================== 局域网同步相关 =====================
+    // GET /api/lan/discover - 远端节点暴露配置数据（不受鉴权保护，由开关控制）
+    app.get('/api/lan/discover', (_req, res) => {
+        const config = dbManager.getConfig();
+        if (!config.enableLanDiscovery) {
+            res.status(404).json({ error: 'Not found' });
+            return;
+        }
+        try {
+            // 收集 Skills
+            const installedSkills = listInstalledSkills();
+            const skills = [];
+            for (const skill of installedSkills) {
+                const skillItem = {
+                    name: skill.name,
+                    description: skill.description,
+                    targets: skill.targets,
+                    githubUrl: skill.githubUrl,
+                    skillPath: skill.skillPath,
+                };
+                // 尝试读取 SKILL.md 内容
+                const skillDir = path_1.default.join(getCentralSkillsDir(), skill.id);
+                const skillMdPath = path_1.default.join(skillDir, 'SKILL.md');
+                if (fs_1.default.existsSync(skillMdPath)) {
+                    try {
+                        skillItem.instruction = fs_1.default.readFileSync(skillMdPath, 'utf-8');
+                    }
+                    catch ( /* ignore */_a) { /* ignore */ }
+                }
+                skills.push(skillItem);
+            }
+            // 收集 MCPs（脱敏 headers 和 env 中的敏感信息）
+            const SENSITIVE_KEY_PATTERN = /api_key|apikey|access_token|accesstoken|auth|key|token|secret|password|private_key|privatekey|credentials/i;
+            const allMcps = dbManager.getMCPs();
+            const mcps = allMcps.map(mcp => {
+                const sanitized = {
+                    name: mcp.name,
+                    description: mcp.description,
+                    type: mcp.type,
+                    command: mcp.command,
+                    args: mcp.args,
+                    targets: mcp.targets,
+                };
+                if (mcp.url)
+                    sanitized.url = mcp.url;
+                // 脱敏 env
+                if (mcp.env) {
+                    const sanitizedEnv = {};
+                    for (const [key, value] of Object.entries(mcp.env)) {
+                        if (SENSITIVE_KEY_PATTERN.test(key)) {
+                            sanitizedEnv[key] = '***';
+                        }
+                        else {
+                            sanitizedEnv[key] = value;
+                        }
+                    }
+                    sanitized.env = sanitizedEnv;
+                }
+                // 脱敏 headers
+                if (mcp.headers) {
+                    const sanitizedHeaders = {};
+                    for (const [key, value] of Object.entries(mcp.headers)) {
+                        if (SENSITIVE_KEY_PATTERN.test(key)) {
+                            sanitizedHeaders[key] = '***';
+                        }
+                        else {
+                            sanitizedHeaders[key] = value;
+                        }
+                    }
+                    sanitized.headers = sanitizedHeaders;
+                }
+                return sanitized;
+            });
+            // 读取版本号
+            let version = 'unknown';
+            try {
+                const pkgPath = path_1.default.join(__dirname, '..', 'package.json');
+                const pkg = JSON.parse(fs_1.default.readFileSync(pkgPath, 'utf-8'));
+                version = pkg.version || 'unknown';
+            }
+            catch ( /* ignore */_b) { /* ignore */ }
+            res.json({
+                node: {
+                    name: os_1.default.hostname(),
+                    version,
+                    port: process.env.PORT ? parseInt(process.env.PORT) : 4567,
+                },
+                skills,
+                mcps,
+            });
+        }
+        catch (error) {
+            console.error('[LAN Discover] 错误:', error);
+            res.status(500).json({ error: 'Internal server error' });
+        }
+    });
+    // GET /api/lan/scan - 获取本机局域网 IP 信息
+    app.get('/api/lan/scan', (_req, res) => {
+        const interfaces = os_1.default.networkInterfaces();
+        const port = process.env.PORT ? parseInt(process.env.PORT) : 4567;
+        // 收集所有非内部 IPv4 网络接口
+        const networkInterfaces = [];
+        let localIp = '127.0.0.1';
+        let subnet = '127.0.0';
+        for (const [ifaceName, entries] of Object.entries(interfaces)) {
+            if (!entries)
+                continue;
+            for (const entry of entries) {
+                if (entry.family === 'IPv4' && !entry.internal) {
+                    const entrySubnet = entry.address.split('.').slice(0, 3).join('.');
+                    networkInterfaces.push({
+                        name: ifaceName,
+                        address: entry.address,
+                        subnet: entrySubnet,
+                        netmask: entry.netmask,
+                    });
+                    // 兼容旧逻辑：取第一个非内部接口作为默认值
+                    if (localIp === '127.0.0.1') {
+                        localIp = entry.address;
+                        subnet = entrySubnet;
+                    }
+                }
+            }
+        }
+        res.json({ localIp, subnet, port, networkInterfaces });
+    });
+    // POST /api/lan/sync - 执行同步写入
+    app.post('/api/lan/sync', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const { remoteNode, skills, mcps, vendor } = req.body;
+        const result = {
+            skillsImported: 0,
+            mcpsImported: 0,
+            vendorCreated: false,
+            vendorName: '',
+            servicesCreated: 0,
+        };
+        // 1. 同步 Skills
+        const centralDir = getCentralSkillsDir();
+        if (!fs_1.default.existsSync(centralDir)) {
+            fs_1.default.mkdirSync(centralDir, { recursive: true });
+        }
+        const existingSkills = listInstalledSkills();
+        const existingSkillNames = new Set(existingSkills.map(s => s.name));
+        for (const skill of skills) {
+            if (existingSkillNames.has(skill.name))
+                continue; // 防御性跳过
+            const dirName = sanitizeDirName(skill.name);
+            const skillDir = path_1.default.join(centralDir, dirName);
+            if (!fs_1.default.existsSync(skillDir)) {
+                fs_1.default.mkdirSync(skillDir, { recursive: true });
+            }
+            // 写入 skill.json
+            const skillJson = {
+                id: dirName,
+                name: skill.name,
+                description: skill.description || '',
+                targets: skill.targets || [],
+                enabledTargets: [], // 不自动选中编程工具，由用户自行配置
+                githubUrl: skill.githubUrl,
+                skillPath: skill.skillPath,
+                installedAt: Date.now(),
+            };
+            fs_1.default.writeFileSync(path_1.default.join(skillDir, 'skill.json'), JSON.stringify(skillJson, null, 2));
+            // 写入 SKILL.md（如果有 instruction）
+            if (skill.instruction) {
+                fs_1.default.writeFileSync(path_1.default.join(skillDir, 'SKILL.md'), skill.instruction);
+            }
+            result.skillsImported++;
+        }
+        // 2. 同步 MCPs
+        const existingMcps = dbManager.getMCPs();
+        const existingMcpNames = new Set(existingMcps.map(m => m.name));
+        for (const mcp of mcps) {
+            if (existingMcpNames.has(mcp.name))
+                continue; // 防御性跳过
+            yield dbManager.createMCP({
+                name: mcp.name,
+                description: mcp.description,
+                type: mcp.type,
+                command: mcp.command,
+                args: mcp.args,
+                url: mcp.url,
+                headers: mcp.headers,
+                env: mcp.env,
+                targets: [], // 不自动选中编程工具，由用户自行配置
+            });
+            result.mcpsImported++;
+        }
+        // 3. 可选：创建供应商（将远端节点的代理路径映射为固定 API 服务）
+        if (vendor.enabled) {
+            const vendorName = `${remoteNode.name}@${remoteNode.ip}`;
+            const remoteBaseUrl = `http://${remoteNode.ip}:${remoteNode.port}`;
+            // 固定的代理路径到 API 服务映射
+            // 规则：Claude/Responses/Gemini 标准接口只填 baseurl，Chat Completions 需完整路径
+            const LAN_PROXY_SERVICES = [
+                { name: 'Claude Code', sourceType: 'claude', apiUrl: `${remoteBaseUrl}/claude-code` },
+                { name: 'Codex', sourceType: 'openai', apiUrl: `${remoteBaseUrl}/codex` },
+                { name: 'Claude 标准接口', sourceType: 'claude', apiUrl: remoteBaseUrl },
+                { name: 'Responses 标准接口', sourceType: 'openai', apiUrl: remoteBaseUrl },
+                { name: 'Chat Completions 标准接口', sourceType: 'openai-chat', apiUrl: `${remoteBaseUrl}/v1/chat/completions` },
+                { name: 'Gemini 标准接口', sourceType: 'gemini', apiUrl: remoteBaseUrl },
+            ];
+            // 检查供应商是否已存在
+            const existingVendor = dbManager.getVendors().find(v => v.name === vendorName);
+            if (!existingVendor) {
+                const services = LAN_PROXY_SERVICES.map(svc => ({
+                    name: svc.name,
+                    apiUrl: svc.apiUrl,
+                    apiKey: vendor.apiKey || '',
+                    sourceType: svc.sourceType,
+                    enableProxy: false,
+                    enableCodingPlan: false,
+                }));
+                yield dbManager.createVendor({
+                    name: vendorName,
+                    description: `从局域网节点 ${remoteNode.ip}:${remoteNode.port} 同步`,
+                    apiBaseUrl: remoteBaseUrl,
+                    services: services,
+                });
+                result.vendorCreated = true;
+                result.vendorName = vendorName;
+                result.servicesCreated = services.length;
+            }
+        }
+        res.json({ success: true, result });
+    })));
     // Skills 管理相关
     app.get('/api/skills/installed', (_req, res) => {
         const skills = listInstalledSkills();
@@ -1600,6 +2004,7 @@ ${instruction}
             ? requestedBypass
             : appConfig.enableBypassPermissionsSupport;
         const result = yield writeClaudeConfig(dbManager, enableAgentTeams, enableBypassPermissionsSupport, undefined, appConfig.claudeDefaultModel, appConfig.autocompactPctOverride);
+        applyWriteLocalRecords(proxyServer);
         res.json(result);
     })));
     app.post('/api/write-config/codex', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
@@ -1611,6 +2016,7 @@ ${instruction}
                 ? appConfig.codexModelReasoningEffort
                 : DEFAULT_CODEX_REASONING_EFFORT;
         const result = yield writeCodexConfig(dbManager, modelReasoningEffort, appConfig.codexDefaultModel);
+        applyWriteLocalRecords(proxyServer);
         res.json(result);
     })));
     // 兼容接口：更新全局 Agent Teams 配置
@@ -1623,6 +2029,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -1636,6 +2043,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -1652,6 +2060,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -1770,6 +2179,150 @@ ${instruction}
         dbManager.clearSessions();
         res.json(true);
     })));
+    // ─── Session Route Binding API ───
+    app.put('/api/sessions/:id/bind-route', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const sessionId = req.params.id;
+        const { routeId } = req.body || {};
+        if (!routeId) {
+            res.status(400).json({ success: false, error: 'routeId is required' });
+            return;
+        }
+        const session = dbManager.getSession(sessionId);
+        if (!session) {
+            res.status(404).json({ success: false, error: 'Session not found' });
+            return;
+        }
+        const updatedSession = yield dbManager.bindSessionRoute(sessionId, routeId);
+        if (!updatedSession) {
+            res.status(400).json({ success: false, error: 'Route not found' });
+            return;
+        }
+        res.json({ success: true, session: updatedSession });
+    })));
+    app.delete('/api/sessions/:id/bind-route', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const sessionId = req.params.id;
+        const session = dbManager.getSession(sessionId);
+        if (!session) {
+            res.status(404).json({ success: false, error: 'Session not found' });
+            return;
+        }
+        const result = yield dbManager.unbindSessionRoute(sessionId);
+        res.json({ success: result });
+    })));
+    app.get('/api/routes/:id/bound-sessions', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const routeId = req.params.id;
+        const route = dbManager.getRoute(routeId);
+        if (!route) {
+            res.status(404).json({ error: 'Route not found' });
+            return;
+        }
+        const sessions = dbManager.getBoundSessions(routeId);
+        res.json({
+            routeId,
+            sessions: sessions.map(s => ({
+                id: s.id,
+                title: s.title,
+                targetType: s.targetType,
+                requestCount: s.requestCount,
+                totalTokens: s.totalTokens,
+                lastRequestAt: s.lastRequestAt,
+            })),
+        });
+    })));
+    // ─── Session Migration API ───
+    app.post('/api/sessions/:id/migration-preview', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a;
+        const sessionId = req.params.id;
+        const { targetTool, includeThinking, includeToolCalls, maxRounds } = req.body || {};
+        if (!targetTool || !['claude-code', 'codex'].includes(targetTool)) {
+            res.status(400).json({ error: 'Invalid targetTool. Must be "claude-code" or "codex".' });
+            return;
+        }
+        try {
+            const content = yield (0, session_migration_1.extractSessionContent)(dbManager, sessionId, {
+                sourceSessionId: sessionId,
+                targetTool,
+                includeThinking: includeThinking === true,
+                includeToolCalls: includeToolCalls !== false,
+                maxRounds: typeof maxRounds === 'number' ? maxRounds : 0,
+            });
+            const preview = (0, session_migration_1.previewMigration)(content, targetTool);
+            res.json(preview);
+        }
+        catch (err) {
+            if ((_a = err.message) === null || _a === void 0 ? void 0 : _a.includes('not found')) {
+                res.status(404).json({ error: err.message });
+            }
+            else {
+                res.status(500).json({ error: err.message || 'Migration preview failed' });
+            }
+        }
+    })));
+    app.post('/api/sessions/:id/migrate', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a;
+        const sessionId = req.params.id;
+        const { targetTool, includeThinking, includeToolCalls, maxRounds, editedPrompt } = req.body || {};
+        if (!targetTool || !['claude-code', 'codex'].includes(targetTool)) {
+            res.status(400).json({ error: 'Invalid targetTool. Must be "claude-code" or "codex".' });
+            return;
+        }
+        try {
+            const content = yield (0, session_migration_1.extractSessionContent)(dbManager, sessionId, {
+                sourceSessionId: sessionId,
+                targetTool,
+                includeThinking: includeThinking === true,
+                includeToolCalls: includeToolCalls !== false,
+                maxRounds: typeof maxRounds === 'number' ? maxRounds : 0,
+            });
+            const result = (0, session_migration_1.migrateSession)(content, targetTool, editedPrompt);
+            res.json(result);
+        }
+        catch (err) {
+            if ((_a = err.message) === null || _a === void 0 ? void 0 : _a.includes('not found')) {
+                res.status(404).json({ error: err.message });
+            }
+            else {
+                res.status(500).json({ error: err.message || 'Migration failed' });
+            }
+        }
+    })));
+    app.post('/api/sessions/:id/migrate-launch', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a;
+        const sessionId = req.params.id;
+        const { targetTool, includeThinking, includeToolCalls, maxRounds } = req.body || {};
+        if (!targetTool || !['claude-code', 'codex'].includes(targetTool)) {
+            res.status(400).json({ error: 'Invalid targetTool. Must be "claude-code" or "codex".' });
+            return;
+        }
+        try {
+            // First extract content and generate prompt
+            const content = yield (0, session_migration_1.extractSessionContent)(dbManager, sessionId, {
+                sourceSessionId: sessionId,
+                targetTool,
+                includeThinking: includeThinking === true,
+                includeToolCalls: includeToolCalls !== false,
+                maxRounds: typeof maxRounds === 'number' ? maxRounds : 0,
+            });
+            const { prompt } = (0, session_migration_1.migrateSession)(content, targetTool);
+            // Resolve the project directory from session metadata
+            const projectDir = (0, session_launcher_1.resolveProjectDir)(sessionId, content.sourceTool);
+            // Write prompt to temp file
+            const tempFilePath = (0, session_launcher_1.writePromptToTempFile)(prompt, sessionId);
+            // Try to launch the target tool with the resolved project directory
+            const result = yield (0, session_launcher_1.launchTargetWithFallback)(targetTool, tempFilePath, prompt, projectDir || undefined);
+            // Schedule cleanup
+            (0, session_launcher_1.cleanupTempFile)(tempFilePath);
+            res.json(result);
+        }
+        catch (err) {
+            if ((_a = err.message) === null || _a === void 0 ? void 0 : _a.includes('not found')) {
+                res.status(404).json({ error: err.message });
+            }
+            else {
+                res.status(500).json({ error: err.message || 'Launch migration failed' });
+            }
+        }
+    })));
     app.get('/api/docs/recommend-vendors', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
         const resp = yield fetch('https://unpkg.com/aicodeswitch/docs/vendors-recommand.md');
         if (!resp.ok) {
@@ -1918,6 +2471,572 @@ ${instruction}
         }
         res.json(result);
     })));
+    // ============================================================
+    // AccessKey 接入密钥 API
+    // ============================================================
+    // 获取密钥列表（支持分页和筛选）
+    app.get('/api/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json({ data: [], total: 0, page: 1, pageSize: 20 });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 20));
+        const status = req.query.status;
+        const policyId = req.query.policyId;
+        const search = req.query.search;
+        let keys = accessKeyModule.keyManager.list({ status, policyId, search });
+        // 附加策略名称和用量信息
+        const result = keys.map(key => {
+            const policy = key.policyId ? accessKeyModule.policyManager.get(key.policyId) : null;
+            return Object.assign(Object.assign({}, key), { apiKey: manager_1.AccessKeyManager.maskApiKey(key.apiKey), policyName: policy === null || policy === void 0 ? void 0 : policy.name });
+        });
+        const total = result.length;
+        const start = (page - 1) * pageSize;
+        const paged = result.slice(start, start + pageSize);
+        res.json({ data: paged, total, page, pageSize });
+    })));
+    // 创建密钥
+    app.post('/api/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { name, remark, policyId } = req.body;
+        if (!name || !name.trim()) {
+            res.status(400).json({ error: '名称不能为空' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.create({ name: name.trim(), remark, policyId });
+        yield accessKeyModule.save();
+        res.json({
+            key: Object.assign(Object.assign({}, result.key), { apiKey: manager_1.AccessKeyManager.maskApiKey(result.key.apiKey) }),
+            apiKey: result.apiKey,
+        });
+    })));
+    // 获取密钥详情
+    app.get('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const policy = key.policyId ? accessKeyModule.policyManager.get(key.policyId) : null;
+        res.json(Object.assign(Object.assign({}, key), { apiKey: manager_1.AccessKeyManager.maskApiKey(key.apiKey), policyName: policy === null || policy === void 0 ? void 0 : policy.name }));
+    })));
+    // 编辑密钥
+    app.put('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.update(req.params.id, req.body);
+        if (!result) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(true);
+    })));
+    // 删除密钥
+    app.delete('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.delete(req.params.id);
+        yield accessKeyModule.save();
+        removeWriteLocalRecords(req.params.id);
+        res.json(result);
+    })));
+    // 重新生成 API Key
+    app.post('/api/access-keys/:id/regenerate', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.regenerate(req.params.id);
+        if (!result) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        // 如果该密钥有写入本地记录，重新生成后自动重写
+        applyWriteLocalRecords(proxyServer);
+        res.json({ apiKey: result.apiKey });
+    })));
+    // 批量更新状态
+    app.put('/api/access-keys/batch/status', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds, status } = req.body;
+        if (!Array.isArray(keyIds) || !status) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchUpdateStatus(keyIds, status);
+        yield accessKeyModule.save();
+        res.json({ count });
+    })));
+    // 批量绑定策略
+    app.put('/api/access-keys/batch/policy', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds, policyId } = req.body;
+        if (!Array.isArray(keyIds) || !policyId) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchBindPolicy(keyIds, policyId);
+        yield accessKeyModule.save();
+        res.json({ count });
+    })));
+    // 批量删除
+    app.delete('/api/access-keys/batch', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds } = req.body;
+        if (!Array.isArray(keyIds)) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchDelete(keyIds);
+        yield accessKeyModule.save();
+        for (const keyId of keyIds)
+            removeWriteLocalRecords(keyId);
+        res.json({ count });
+    })));
+    // Key 用量统计
+    app.get('/api/access-keys/:id/usage', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const usage = yield accessKeyModule.usageTracker.getUsage(req.params.id);
+        res.json(usage);
+    })));
+    // Key 用量趋势
+    app.get('/api/access-keys/:id/usage/trend', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const days = parseInt(req.query.days) || 30;
+        const trend = yield accessKeyModule.usageTracker.getTrend(req.params.id, days);
+        res.json(trend);
+    })));
+    // Key 日志
+    app.get('/api/access-keys/:id/logs', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 50));
+        const startDate = req.query.startDate;
+        const endDate = req.query.endDate;
+        const contentType = req.query.contentType;
+        const search = req.query.search;
+        const result = yield accessKeyModule.keyLogger.getLogs(req.params.id, { page, pageSize, startDate, endDate, contentType, search });
+        res.json(result);
+    })));
+    // ========== AccessKey 会话 API ==========
+    // 获取密钥的会话列表
+    app.get('/api/access-keys/:id/sessions', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 20));
+        const targetType = req.query.targetType;
+        const search = req.query.search;
+        const result = yield accessKeyModule.keySessionTracker.getSessions(req.params.id, {
+            page, pageSize, targetType, search,
+        });
+        res.json(result);
+    })));
+    // 获取密钥的会话总数
+    app.get('/api/access-keys/:id/sessions/count', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const targetType = req.query.targetType;
+        const count = yield accessKeyModule.keySessionTracker.getSessionsCount(req.params.id, targetType);
+        res.json({ count });
+    })));
+    // 获取密钥的单个会话
+    app.get('/api/access-keys/:id/sessions/:sessionId', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const session = yield accessKeyModule.keySessionTracker.getSession(req.params.id, req.params.sessionId);
+        if (!session) {
+            res.status(404).json({ error: '会话不存在' });
+            return;
+        }
+        res.json(session);
+    })));
+    // 获取密钥会话的日志
+    app.get('/api/access-keys/:id/sessions/:sessionId/logs', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const limit = Math.min(10000, Math.max(1, parseInt(req.query.limit) || 10000));
+        const logs = yield accessKeyModule.keyLogger.getLogsBySessionId(req.params.id, req.params.sessionId, limit);
+        res.json(logs);
+    })));
+    // 删除密钥的单个会话
+    app.delete('/api/access-keys/:id/sessions/:sessionId', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const deleted = yield accessKeyModule.keySessionTracker.deleteSession(req.params.id, req.params.sessionId);
+        if (!deleted) {
+            res.status(404).json({ error: '会话不存在' });
+            return;
+        }
+        res.json({ success: true });
+    })));
+    // 清空密钥的所有会话
+    app.delete('/api/access-keys/:id/sessions', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        yield accessKeyModule.keySessionTracker.clearSessions(req.params.id);
+        res.json({ success: true });
+    })));
+    // Key 接入指引
+    app.get('/api/access-keys/:id/guide', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const host = req.query.host || req.hostname || 'localhost';
+        const port = req.query.port || (req.socket.localAddress ? String(req.socket.localPort) : '4567');
+        const baseUrl = `http://${host}:${port}`;
+        const maskedKey = manager_1.AccessKeyManager.maskApiKey(key.apiKey);
+        res.json({
+            claudeCode: {
+                description: 'Claude Code 接入',
+                envVars: {
+                    ANTHROPIC_BASE_URL: `${baseUrl}/claude-code`,
+                    ANTHROPIC_AUTH_TOKEN: maskedKey,
+                },
+            },
+            codex: {
+                description: 'Codex 接入',
+                envVars: {
+                    OPENAI_API_KEY: maskedKey,
+                    OPENAI_BASE_URL: `${baseUrl}/codex`,
+                },
+            },
+            openai: {
+                description: 'OpenAI 兼容工具 (Cursor / Continue 等)',
+                envVars: {
+                    OPENAI_API_KEY: maskedKey,
+                    OPENAI_BASE_URL: `${baseUrl}/v1`,
+                },
+            },
+        });
+    })));
+    // 写入本地配置（将 AccessKey 写入 Claude Code / Codex 配置文件）
+    app.post('/api/access-keys/:id/write-local', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(400).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const targets = req.body.targets || [];
+        if (targets.length === 0) {
+            res.status(400).json({ error: '请选择至少一个目标' });
+            return;
+        }
+        const homeDir = os_1.default.homedir();
+        const results = {};
+        for (const target of targets) {
+            try {
+                if (target === 'claude-code') {
+                    // 写入 ~/.claude/settings.json 的 env.ANTHROPIC_AUTH_TOKEN
+                    const claudeDir = path_1.default.join(homeDir, '.claude');
+                    const settingsPath = path_1.default.join(claudeDir, 'settings.json');
+                    if (!fs_1.default.existsSync(claudeDir)) {
+                        fs_1.default.mkdirSync(claudeDir, { recursive: true });
+                    }
+                    let settings = {};
+                    if (fs_1.default.existsSync(settingsPath)) {
+                        try {
+                            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_a) { /* ignore */ }
+                    }
+                    if (!settings.env)
+                        settings.env = {};
+                    settings.env.ANTHROPIC_AUTH_TOKEN = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(settingsPath, JSON.stringify(settings, null, 2));
+                    results['claude-code'] = true;
+                }
+                else if (target === 'codex') {
+                    // 写入 ~/.codex/auth.json 的 OPENAI_API_KEY
+                    const codexDir = path_1.default.join(homeDir, '.codex');
+                    const authPath = path_1.default.join(codexDir, 'auth.json');
+                    if (!fs_1.default.existsSync(codexDir)) {
+                        fs_1.default.mkdirSync(codexDir, { recursive: true });
+                    }
+                    let auth = {};
+                    if (fs_1.default.existsSync(authPath)) {
+                        try {
+                            auth = JSON.parse(fs_1.default.readFileSync(authPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_b) { /* ignore */ }
+                    }
+                    auth.OPENAI_API_KEY = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(authPath, JSON.stringify(auth, null, 2));
+                    results['codex'] = true;
+                }
+            }
+            catch (error) {
+                console.error(`Failed to write local config for ${target}:`, error);
+                results[target] = false;
+            }
+        }
+        // 持久化写入本地记录，确保服务重启后自动恢复
+        const successTargets = Object.entries(results)
+            .filter(([, v]) => v === true)
+            .map(([k]) => k);
+        if (successTargets.length > 0) {
+            addWriteLocalRecord(key.id, successTargets);
+        }
+        res.json({ success: true, results });
+    })));
+    // 查询写入本地记录（供 UI 显示标注）
+    app.get('/api/write-local-records', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        res.json(loadWriteLocalRecords());
+    })));
+    // ============================================================
+    // Policy 策略 API
+    // ============================================================
+    // 策略列表
+    app.get('/api/policies', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const policies = accessKeyModule.policyManager.list();
+        const result = policies.map(p => (Object.assign(Object.assign({}, p), { keyCount: accessKeyModule.keyManager.countByPolicyId(p.id) })));
+        res.json(result);
+    })));
+    // 创建策略
+    app.post('/api/policies', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const policy = accessKeyModule.policyManager.create(req.body);
+        yield accessKeyModule.save();
+        res.json(policy);
+    })));
+    // 策略模板（必须在 /:id 之前注册，避免被当作 id 参数匹配）
+    app.get('/api/policies/templates', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        res.json(policy_manager_1.PolicyManager.getTemplates());
+    })));
+    // 策略详情
+    app.get('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const policy = accessKeyModule.policyManager.get(req.params.id);
+        if (!policy) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        res.json(policy);
+    })));
+    // 编辑策略
+    app.put('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.policyManager.update(req.params.id, req.body);
+        if (!result) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(true);
+    })));
+    // 删除策略
+    app.delete('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const keyCount = accessKeyModule.keyManager.countByPolicyId(req.params.id);
+        if (keyCount > 0) {
+            res.status(400).json({ error: `有 ${keyCount} 个密钥正在使用此策略，请先解除绑定` });
+            return;
+        }
+        const result = accessKeyModule.policyManager.delete(req.params.id);
+        yield accessKeyModule.save();
+        res.json(result);
+    })));
+    // 复制策略
+    app.post('/api/policies/:id/duplicate', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.policyManager.duplicate(req.params.id);
+        if (!result) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(result);
+    })));
+    // 使用策略的密钥列表
+    app.get('/api/policies/:id/keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.listByPolicyId(req.params.id);
+        res.json(keys.map(k => (Object.assign(Object.assign({}, k), { apiKey: manager_1.AccessKeyManager.maskApiKey(k.apiKey) }))));
+    })));
+    // ============================================================
+    // AccessKey 全局统计 API
+    // ============================================================
+    // Key 用量排行
+    app.get('/api/statistics/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.list();
+        const result = yield Promise.all(keys.map((k) => __awaiter(void 0, void 0, void 0, function* () {
+            const usage = yield accessKeyModule.usageTracker.getUsage(k.id);
+            return {
+                keyId: k.id,
+                keyName: k.name,
+                totalTokens: usage.lifetime.totalTokens,
+                totalRequests: usage.lifetime.totalRequests,
+                lastActiveAt: k.lastActiveAt,
+            };
+        })));
+        // 排序
+        const sortBy = req.query.sortBy || 'totalTokens';
+        const order = req.query.order || 'desc';
+        result.sort((a, b) => {
+            const va = a[sortBy] || 0;
+            const vb = b[sortBy] || 0;
+            return order === 'desc' ? vb - va : va - vb;
+        });
+        const limit = Math.min(100, parseInt(req.query.limit) || 20);
+        res.json(result.slice(0, limit));
+    })));
+    // 配额告警
+    app.get('/api/statistics/quota-alerts', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.list({ status: 'active' });
+        const alerts = [];
+        for (const key of keys) {
+            if (!key.policyId)
+                continue;
+            const policy = accessKeyModule.policyManager.get(key.policyId);
+            if (!policy)
+                continue;
+            const usage = yield accessKeyModule.usageTracker.getUsage(key.id);
+            // 检查各维度
+            const checks = [];
+            if (policy.dailyTokenLimit) {
+                checks.push({ dimension: 'dailyTokenLimit', usage: usage.periods.daily.tokens, limit: policy.dailyTokenLimit * 1000 });
+            }
+            if (policy.monthlyTokenLimit) {
+                checks.push({ dimension: 'monthlyTokenLimit', usage: usage.periods.monthly.tokens, limit: policy.monthlyTokenLimit * 1000 });
+            }
+            if (policy.dailyRequestLimit) {
+                checks.push({ dimension: 'dailyRequestLimit', usage: usage.periods.daily.requests, limit: policy.dailyRequestLimit });
+            }
+            if (policy.monthlyRequestLimit) {
+                checks.push({ dimension: 'monthlyRequestLimit', usage: usage.periods.monthly.requests, limit: policy.monthlyRequestLimit });
+            }
+            for (const check of checks) {
+                if (check.limit <= 0)
+                    continue;
+                const pct = Math.round((check.usage / check.limit) * 100);
+                if (pct >= 80) {
+                    alerts.push({
+                        keyId: key.id,
+                        keyName: key.name,
+                        dimension: check.dimension,
+                        usage: check.usage,
+                        limit: check.limit,
+                        percentage: pct,
+                        level: pct >= 100 ? 'exceeded' : pct >= 95 ? 'critical' : 'warning',
+                    });
+                }
+            }
+        }
+        res.json(alerts);
+    })));
     // 写入MCP配置到Claude Code或Codex的全局配置文件
     const writeMCPConfig = (targetType) => __awaiter(void 0, void 0, void 0, function* () {
         try {
@@ -2148,7 +3267,28 @@ const start = () => __awaiter(void 0, void 0, void 0, function* () {
     catch (error) {
         console.error('[Server] Tool config sync failed:', error);
     }
+    // 清理旧的迁移临时文件
+    try {
+        (0, session_launcher_1.cleanupOldTempFiles)();
+    }
+    catch ( /* ignore */_a) { /* ignore */ }
     const proxyServer = new proxy_server_1.ProxyServer(dbManager, app);
+    // Initialize AccessKey module
+    const accessKeyModule = new index_1.AccessKeyModule(dataDir);
+    try {
+        yield accessKeyModule.initialize();
+        proxyServer.setAccessKeyModule(accessKeyModule);
+    }
+    catch (error) {
+        console.error('[Server] AccessKey module initialization failed:', error);
+    }
+    // 恢复已写入本地的 AccessKey（在代理配置写入之后、AccessKey 模块初始化之后）
+    try {
+        applyWriteLocalRecords(proxyServer);
+    }
+    catch (error) {
+        console.error('[Server] Failed to apply write-local records:', error);
+    }
     // Initialize proxy server and register proxy routes last
     proxyServer.initialize();
     // Register admin routes first
@@ -2223,7 +3363,16 @@ const start = () => __awaiter(void 0, void 0, void 0, function* () {
             catch (error) {
                 console.error('[Shutdown ...] Failed to restore Codex config:', error);
             }
+            // Shutdown AccessKey module
+            try {
+                yield accessKeyModule.shutdown();
+            }
+            catch (error) {
+                console.error('[Shutdown ...] AccessKey module shutdown failed:', error);
+            }
             dbManager.close();
+            // 清理规则状态广播器（关闭 SSE 连接）
+            rules_status_service_1.rulesStatusBroadcaster.destroy();
             yield Promise.race([
                 new Promise((resolve) => {
                     server.close(() => resolve());