npm - aicodeswitch - Versions diffs - 5.1.3 → 5.2.0 - Mend

aicodeswitch 5.1.3 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +1 -0
package/bin/restore.js +14 -7
package/bin/utils/managed-fields.js +62 -0
package/dist/server/access-keys/index.js +173 -0
package/dist/server/access-keys/key-logger.js +358 -0
package/dist/server/access-keys/key-resolver.js +51 -0
package/dist/server/access-keys/key-session-tracker.js +217 -0
package/dist/server/access-keys/manager.js +206 -0
package/dist/server/access-keys/policy-manager.js +144 -0
package/dist/server/access-keys/quota-checker.js +197 -0
package/dist/server/access-keys/usage-tracker.js +279 -0
package/dist/server/auth.js +16 -4
package/dist/server/config-managed-fields.js +2 -0
package/dist/server/fs-database.js +14 -1
package/dist/server/main.js +1011 -13
package/dist/server/proxy-server.js +605 -134
package/dist/server/rules-status-service.js +16 -3
package/dist/server/transformers/model-rewrite-transform.js +128 -0
package/dist/ui/assets/index-Cws89pD2.js +828 -0
package/dist/ui/assets/index-CzfKxImD.css +1 -0
package/dist/ui/index.html +2 -2
package/package.json +1 -1
package/dist/ui/assets/index-CMoQtBmK.css +0 -1
package/dist/ui/assets/index-CXdNTFiX.js +0 -532

package/dist/server/main.js CHANGED Viewed

@@ -21,6 +21,9 @@ const crypto_1 = require("crypto");
 const https_proxy_agent_1 = require("https-proxy-agent");
 const database_factory_1 = require("./database-factory");
 const proxy_server_1 = require("./proxy-server");
+const index_1 = require("./access-keys/index");
+const manager_1 = require("./access-keys/manager");
+const policy_manager_1 = require("./access-keys/policy-manager");
 const os_1 = __importDefault(require("os"));
 const auth_1 = require("./auth");
 const version_check_1 = require("./version-check");
@@ -43,7 +46,7 @@ const upgradeHashFilePath = path_1.default.join(appDir, 'upgrade-hash');
 if (fs_1.default.existsSync(dotenvPath)) {
     dotenv_1.default.config({ path: dotenvPath });
 }
-const host = process.env.HOST || '127.0.0.1';
+const host = process.env.HOST || '0.0.0.0';
 const port = process.env.PORT ? parseInt(process.env.PORT, 10) : 4567;
 let globalProxyConfig = null;
 function updateProxyConfig(config) {
@@ -76,6 +79,112 @@ function getProxyAgent() {
         return null;
     }
 }
+// ============================================================================
+// 写入本地记录持久化
+// ============================================================================
+const getWriteLocalRecordsFile = () => path_1.default.join(dataDir, 'write-local-records.json');
+function loadWriteLocalRecords() {
+    try {
+        const filePath = getWriteLocalRecordsFile();
+        if (fs_1.default.existsSync(filePath)) {
+            return JSON.parse(fs_1.default.readFileSync(filePath, 'utf-8'));
+        }
+    }
+    catch ( /* ignore */_a) { /* ignore */ }
+    return [];
+}
+function saveWriteLocalRecords(records) {
+    const filePath = getWriteLocalRecordsFile();
+    if (!fs_1.default.existsSync(dataDir)) {
+        fs_1.default.mkdirSync(dataDir, { recursive: true });
+    }
+    (0, config_merge_1.atomicWriteFile)(filePath, JSON.stringify(records, null, 2));
+}
+function addWriteLocalRecord(accessKeyId, targets) {
+    const records = loadWriteLocalRecords();
+    const existing = records.find(r => r.accessKeyId === accessKeyId);
+    if (existing) {
+        for (const t of targets) {
+            if (!existing.targets.includes(t))
+                existing.targets.push(t);
+        }
+        existing.timestamp = Date.now();
+    }
+    else {
+        records.push({ accessKeyId, targets: [...targets], timestamp: Date.now() });
+    }
+    saveWriteLocalRecords(records);
+}
+function removeWriteLocalRecords(accessKeyId) {
+    const records = loadWriteLocalRecords().filter(r => r.accessKeyId !== accessKeyId);
+    saveWriteLocalRecords(records);
+}
+/**
+ * 从持久化记录中恢复已写入本地的 AccessKey
+ * 每次代理配置写入后调用，确保 AccessKey 不会被占位符覆盖
+ */
+function applyWriteLocalRecords(proxyServer) {
+    const accessKeyModule = proxyServer.getAccessKeyModule();
+    if (!accessKeyModule)
+        return;
+    const records = loadWriteLocalRecords();
+    if (records.length === 0)
+        return;
+    let changed = false;
+    const homeDir = os_1.default.homedir();
+    const remainingRecords = records.filter(record => {
+        const key = accessKeyModule.keyManager.get(record.accessKeyId);
+        if (!key || key.status !== 'active') {
+            changed = true;
+            return false; // 密钥已删除或停用，移除记录
+        }
+        for (const target of record.targets) {
+            try {
+                if (target === 'claude-code') {
+                    const claudeDir = path_1.default.join(homeDir, '.claude');
+                    const settingsPath = path_1.default.join(claudeDir, 'settings.json');
+                    if (!fs_1.default.existsSync(claudeDir)) {
+                        fs_1.default.mkdirSync(claudeDir, { recursive: true });
+                    }
+                    let settings = {};
+                    if (fs_1.default.existsSync(settingsPath)) {
+                        try {
+                            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_a) { /* ignore */ }
+                    }
+                    if (!settings.env)
+                        settings.env = {};
+                    settings.env.ANTHROPIC_AUTH_TOKEN = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(settingsPath, JSON.stringify(settings, null, 2));
+                }
+                else if (target === 'codex') {
+                    const codexDir = path_1.default.join(homeDir, '.codex');
+                    const authPath = path_1.default.join(codexDir, 'auth.json');
+                    if (!fs_1.default.existsSync(codexDir)) {
+                        fs_1.default.mkdirSync(codexDir, { recursive: true });
+                    }
+                    let auth = {};
+                    if (fs_1.default.existsSync(authPath)) {
+                        try {
+                            auth = JSON.parse(fs_1.default.readFileSync(authPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_b) { /* ignore */ }
+                    }
+                    auth.OPENAI_API_KEY = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(authPath, JSON.stringify(auth, null, 2));
+                }
+            }
+            catch (error) {
+                console.error(`[WriteLocal] Failed to apply key ${record.accessKeyId} to ${target}:`, error);
+            }
+        }
+        return true;
+    });
+    if (changed) {
+        saveWriteLocalRecords(remainingRecords);
+    }
+}
 const app = (0, express_1.default)();
 app.use((0, cors_1.default)());
 app.use(express_1.default.json({ limit: 'Infinity' }));
@@ -116,12 +225,11 @@ const isClaudeEffortLevel = (value) => {
 const isValidAutocompactPct = (v) => {
     return typeof v === 'number' && Number.isInteger(v) && v >= 1 && v <= 100;
 };
-const writeClaudeConfig = (dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1) => __awaiter(void 0, [dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1], void 0, function* (dbManager, enableAgentTeams, enableBypassPermissionsSupport, effortLevel, defaultModel, autocompactPctOverride, options = {}) {
+const writeClaudeConfig = (_dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1) => __awaiter(void 0, [_dbManager_1, enableAgentTeams_1, enableBypassPermissionsSupport_1, effortLevel_1, defaultModel_1, autocompactPctOverride_1, ...args_1], void 0, function* (_dbManager, enableAgentTeams, enableBypassPermissionsSupport, effortLevel, defaultModel, autocompactPctOverride, options = {}) {
     var _a;
     try {
         const homeDir = os_1.default.homedir();
         const port = process.env.PORT ? parseInt(process.env.PORT, 10) : 4567;
-        const config = dbManager.getConfig();
         // Claude Code settings.json
         const claudeDir = path_1.default.join(homeDir, '.claude');
         const claudeSettingsPath = path_1.default.join(claudeDir, 'settings.json');
@@ -168,11 +276,11 @@ const writeClaudeConfig = (dbManager_1, enableAgentTeams_1, enableBypassPermissi
         }
         // 构建代理配置
         const claudeSettingsEnv = {
-            ANTHROPIC_AUTH_TOKEN: config.apiKey || "api_key",
-            ANTHROPIC_API_KEY: "",
+            ANTHROPIC_AUTH_TOKEN: "api_key",
             ANTHROPIC_BASE_URL: `http://${host}:${port}/claude-code`,
             API_TIMEOUT_MS: "3000000",
-            CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: 1
+            CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: 1,
+            CLAUDE_CODE_MAX_RETRIES: 3
         };
         // 如果启用Agent Teams功能，添加对应的环境变量
         if (enableAgentTeams) {
@@ -264,11 +372,10 @@ const DEFAULT_CODEX_REASONING_EFFORT = 'high';
 const isCodexReasoningEffort = (value) => {
     return typeof value === 'string' && VALID_CODEX_REASONING_EFFORTS.includes(value);
 };
-const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManager_1, ...args_1], void 0, function* (dbManager, modelReasoningEffort = DEFAULT_CODEX_REASONING_EFFORT, codexDefaultModel, options = {}) {
+const writeCodexConfig = (_dbManager_1, ...args_1) => __awaiter(void 0, [_dbManager_1, ...args_1], void 0, function* (_dbManager, modelReasoningEffort = DEFAULT_CODEX_REASONING_EFFORT, codexDefaultModel, options = {}) {
     var _a;
     try {
         const homeDir = os_1.default.homedir();
-        const config = dbManager.getConfig();
         // Codex config.toml
         const codexDir = path_1.default.join(homeDir, '.codex');
         const codexConfigPath = path_1.default.join(codexDir, 'config.toml');
@@ -326,7 +433,9 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
                 aicodeswitch: {
                     name: "aicodeswitch",
                     base_url: `http://${host}:${process.env.PORT ? parseInt(process.env.PORT, 10) : 4567}/codex`,
-                    wire_api: "responses"
+                    wire_api: "responses",
+                    stream_max_retries: 3,
+                    stream_retry_backoff: "fixed"
                 }
             }
         };
@@ -356,7 +465,7 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
         }
         // 构建代理配置
         const proxyAuth = {
-            OPENAI_API_KEY: config.apiKey || "api_key"
+            OPENAI_API_KEY: "api_key"
         };
         // 使用智能合并
         const mergedAuth = (0, config_merge_1.mergeJsonConfig)(proxyAuth, currentAuth, config_managed_fields_1.CODEX_AUTH_MANAGED_FIELDS);
@@ -390,6 +499,7 @@ const writeCodexConfig = (dbManager_1, ...args_1) => __awaiter(void 0, [dbManage
     }
 });
 const restoreClaudeConfig = () => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b;
     try {
         const homeDir = os_1.default.homedir();
         let restoredAnyFile = false;
@@ -410,6 +520,14 @@ const restoreClaudeConfig = () => __awaiter(void 0, void 0, void 0, function* ()
                     console.warn('Failed to parse current settings.json during restore, using empty object:', error);
                 }
             }
+            // 防御性清理：移除 currentSettings 中 ANTHROPIC_API_KEY 的空值，
+            // 防止旧版本代理写入的空值覆盖 backup 中的真实 Key
+            if (((_a = currentSettings === null || currentSettings === void 0 ? void 0 : currentSettings.env) === null || _a === void 0 ? void 0 : _a.ANTHROPIC_API_KEY) === '' && ((_b = backupSettings === null || backupSettings === void 0 ? void 0 : backupSettings.env) === null || _b === void 0 ? void 0 : _b.ANTHROPIC_API_KEY)) {
+                delete currentSettings.env.ANTHROPIC_API_KEY;
+                if (Object.keys(currentSettings.env).length === 0) {
+                    delete currentSettings.env;
+                }
+            }
             // 生成合并后的配置（备份作为基础，合并当前的非管理字段）
             const mergedSettings = (0, config_merge_1.mergeJsonConfig)(backupSettings, currentSettings, config_managed_fields_1.CLAUDE_SETTINGS_MANAGED_FIELDS);
             // 原子性写入合并后的配置
@@ -927,6 +1045,21 @@ const listInstalledSkills = () => {
 const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, void 0, function* () {
     updateProxyConfig(dbManager.getConfig());
     app.get('/health', (_req, res) => res.json({ status: 'ok' }));
+    // 局域网访问控制中间件：当 enableLanDiscovery 关闭时，仅允许本机访问 /api/* 路由
+    app.use('/api', (req, res, next) => {
+        const config = dbManager.getConfig();
+        if (config.enableLanDiscovery) {
+            return next();
+        }
+        const clientIp = req.ip || req.socket.remoteAddress || '';
+        // 规范化 IPv4-mapped IPv6 地址 (::ffff:127.0.0.1 -> 127.0.0.1)
+        const normalizedIp = clientIp.replace(/^::ffff:/, '');
+        if (normalizedIp === '127.0.0.1' || normalizedIp === '::1' || normalizedIp === 'localhost') {
+            return next();
+        }
+        console.warn(`[LAN Guard] 拒绝非本机访问: ${clientIp} -> ${req.method} ${req.path}`);
+        res.status(403).json({ error: 'LAN access is disabled. Only local access is allowed.' });
+    });
     // 鉴权相关路由 - 公开访问
     app.get('/api/auth/status', (_req, res) => {
         const response = { enabled: (0, auth_1.isAuthEnabled)() };
@@ -947,10 +1080,10 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
             res.status(401).json({ error: 'Invalid auth code' });
         }
     });
-    // 鉴权中间件 - 保护所有 /api/* 路由 (除了 /api/auth/*)
+    // 鉴权中间件 - 保护所有 /api/* 路由 (除了 /api/auth/* 和 /api/lan/discover)
     app.use('/api', (req, res, next) => {
-        if (req.path.startsWith('/auth/')) {
-            next(); // /api/auth/* 路由不需要鉴权
+        if (req.path.startsWith('/auth/') || req.path === '/lan/discover') {
+            next(); // /api/auth/* 和 /api/lan/discover 路由不需要鉴权
         }
         else {
             (0, auth_1.authMiddleware)(req, res, next);
@@ -1137,6 +1270,48 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
         });
         res.json(allStatuses);
     })));
+    // SSE 端点：实时推送规则状态变更
+    app.get('/api/rules/status/stream', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        // 设置 SSE 响应头
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'X-Accel-Buffering': 'no', // 防止 nginx 等代理缓冲
+        });
+        // 连接时立即发送完整快照（init 事件）
+        const allRules = dbManager.getRules();
+        const statusMap = rules_status_service_1.rulesStatusBroadcaster.getAllRuleStatuses();
+        const statusMapByRuleId = new Map(statusMap.map(status => [status.ruleId, status]));
+        const allStatuses = allRules.map(rule => {
+            const existingStatus = statusMapByRuleId.get(rule.id);
+            if (existingStatus) {
+                return existingStatus;
+            }
+            else {
+                return {
+                    ruleId: rule.id,
+                    status: 'idle',
+                    timestamp: Date.now(),
+                };
+            }
+        });
+        res.write(`data: ${JSON.stringify({ type: 'init', statuses: allStatuses })}\n\n`);
+        // 监听状态变更，推送增量更新
+        const onChange = (data) => {
+            res.write(`data: ${JSON.stringify({ type: 'update', status: data })}\n\n`);
+        };
+        rules_status_service_1.rulesStatusBroadcaster.on('statusChanged', onChange);
+        // 3 秒心跳，用于客户端检测连接存活状态
+        const heartbeat = setInterval(() => {
+            res.write(`data: ${JSON.stringify({ type: 'heartbeat', timestamp: Date.now() })}\n\n`);
+        }, 3000);
+        // 客户端断开时清理
+        req.on('close', () => {
+            rules_status_service_1.rulesStatusBroadcaster.off('statusChanged', onChange);
+            clearInterval(heartbeat);
+        });
+    })));
     // 清除规则的错误状态（广播 idle 状态给所有客户端）
     app.post('/api/rules/:id/clear-status', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
         const { id } = req.params;
@@ -1252,9 +1427,236 @@ const registerRoutes = (dbManager, proxyServer) => __awaiter(void 0, void 0, voi
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
+    // ===================== 局域网同步相关 =====================
+    // GET /api/lan/discover - 远端节点暴露配置数据（不受鉴权保护，由开关控制）
+    app.get('/api/lan/discover', (_req, res) => {
+        const config = dbManager.getConfig();
+        if (!config.enableLanDiscovery) {
+            res.status(404).json({ error: 'Not found' });
+            return;
+        }
+        try {
+            // 收集 Skills
+            const installedSkills = listInstalledSkills();
+            const skills = [];
+            for (const skill of installedSkills) {
+                const skillItem = {
+                    name: skill.name,
+                    description: skill.description,
+                    targets: skill.targets,
+                    githubUrl: skill.githubUrl,
+                    skillPath: skill.skillPath,
+                };
+                // 尝试读取 SKILL.md 内容
+                const skillDir = path_1.default.join(getCentralSkillsDir(), skill.id);
+                const skillMdPath = path_1.default.join(skillDir, 'SKILL.md');
+                if (fs_1.default.existsSync(skillMdPath)) {
+                    try {
+                        skillItem.instruction = fs_1.default.readFileSync(skillMdPath, 'utf-8');
+                    }
+                    catch ( /* ignore */_a) { /* ignore */ }
+                }
+                skills.push(skillItem);
+            }
+            // 收集 MCPs（脱敏 headers 和 env 中的敏感信息）
+            const SENSITIVE_KEY_PATTERN = /api_key|apikey|access_token|accesstoken|auth|key|token|secret|password|private_key|privatekey|credentials/i;
+            const allMcps = dbManager.getMCPs();
+            const mcps = allMcps.map(mcp => {
+                const sanitized = {
+                    name: mcp.name,
+                    description: mcp.description,
+                    type: mcp.type,
+                    command: mcp.command,
+                    args: mcp.args,
+                    targets: mcp.targets,
+                };
+                if (mcp.url)
+                    sanitized.url = mcp.url;
+                // 脱敏 env
+                if (mcp.env) {
+                    const sanitizedEnv = {};
+                    for (const [key, value] of Object.entries(mcp.env)) {
+                        if (SENSITIVE_KEY_PATTERN.test(key)) {
+                            sanitizedEnv[key] = '***';
+                        }
+                        else {
+                            sanitizedEnv[key] = value;
+                        }
+                    }
+                    sanitized.env = sanitizedEnv;
+                }
+                // 脱敏 headers
+                if (mcp.headers) {
+                    const sanitizedHeaders = {};
+                    for (const [key, value] of Object.entries(mcp.headers)) {
+                        if (SENSITIVE_KEY_PATTERN.test(key)) {
+                            sanitizedHeaders[key] = '***';
+                        }
+                        else {
+                            sanitizedHeaders[key] = value;
+                        }
+                    }
+                    sanitized.headers = sanitizedHeaders;
+                }
+                return sanitized;
+            });
+            // 读取版本号
+            let version = 'unknown';
+            try {
+                const pkgPath = path_1.default.join(__dirname, '..', 'package.json');
+                const pkg = JSON.parse(fs_1.default.readFileSync(pkgPath, 'utf-8'));
+                version = pkg.version || 'unknown';
+            }
+            catch ( /* ignore */_b) { /* ignore */ }
+            res.json({
+                node: {
+                    name: os_1.default.hostname(),
+                    version,
+                    port: process.env.PORT ? parseInt(process.env.PORT) : 4567,
+                },
+                skills,
+                mcps,
+            });
+        }
+        catch (error) {
+            console.error('[LAN Discover] 错误:', error);
+            res.status(500).json({ error: 'Internal server error' });
+        }
+    });
+    // GET /api/lan/scan - 获取本机局域网 IP 信息
+    app.get('/api/lan/scan', (_req, res) => {
+        const interfaces = os_1.default.networkInterfaces();
+        const port = process.env.PORT ? parseInt(process.env.PORT) : 4567;
+        // 收集所有非内部 IPv4 网络接口
+        const networkInterfaces = [];
+        let localIp = '127.0.0.1';
+        let subnet = '127.0.0';
+        for (const [ifaceName, entries] of Object.entries(interfaces)) {
+            if (!entries)
+                continue;
+            for (const entry of entries) {
+                if (entry.family === 'IPv4' && !entry.internal) {
+                    const entrySubnet = entry.address.split('.').slice(0, 3).join('.');
+                    networkInterfaces.push({
+                        name: ifaceName,
+                        address: entry.address,
+                        subnet: entrySubnet,
+                        netmask: entry.netmask,
+                    });
+                    // 兼容旧逻辑：取第一个非内部接口作为默认值
+                    if (localIp === '127.0.0.1') {
+                        localIp = entry.address;
+                        subnet = entrySubnet;
+                    }
+                }
+            }
+        }
+        res.json({ localIp, subnet, port, networkInterfaces });
+    });
+    // POST /api/lan/sync - 执行同步写入
+    app.post('/api/lan/sync', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const { remoteNode, skills, mcps, vendor } = req.body;
+        const result = {
+            skillsImported: 0,
+            mcpsImported: 0,
+            vendorCreated: false,
+            vendorName: '',
+            servicesCreated: 0,
+        };
+        // 1. 同步 Skills
+        const centralDir = getCentralSkillsDir();
+        if (!fs_1.default.existsSync(centralDir)) {
+            fs_1.default.mkdirSync(centralDir, { recursive: true });
+        }
+        const existingSkills = listInstalledSkills();
+        const existingSkillNames = new Set(existingSkills.map(s => s.name));
+        for (const skill of skills) {
+            if (existingSkillNames.has(skill.name))
+                continue; // 防御性跳过
+            const dirName = sanitizeDirName(skill.name);
+            const skillDir = path_1.default.join(centralDir, dirName);
+            if (!fs_1.default.existsSync(skillDir)) {
+                fs_1.default.mkdirSync(skillDir, { recursive: true });
+            }
+            // 写入 skill.json
+            const skillJson = {
+                id: dirName,
+                name: skill.name,
+                description: skill.description || '',
+                targets: skill.targets || [],
+                enabledTargets: [], // 不自动选中编程工具，由用户自行配置
+                githubUrl: skill.githubUrl,
+                skillPath: skill.skillPath,
+                installedAt: Date.now(),
+            };
+            fs_1.default.writeFileSync(path_1.default.join(skillDir, 'skill.json'), JSON.stringify(skillJson, null, 2));
+            // 写入 SKILL.md（如果有 instruction）
+            if (skill.instruction) {
+                fs_1.default.writeFileSync(path_1.default.join(skillDir, 'SKILL.md'), skill.instruction);
+            }
+            result.skillsImported++;
+        }
+        // 2. 同步 MCPs
+        const existingMcps = dbManager.getMCPs();
+        const existingMcpNames = new Set(existingMcps.map(m => m.name));
+        for (const mcp of mcps) {
+            if (existingMcpNames.has(mcp.name))
+                continue; // 防御性跳过
+            yield dbManager.createMCP({
+                name: mcp.name,
+                description: mcp.description,
+                type: mcp.type,
+                command: mcp.command,
+                args: mcp.args,
+                url: mcp.url,
+                headers: mcp.headers,
+                env: mcp.env,
+                targets: [], // 不自动选中编程工具，由用户自行配置
+            });
+            result.mcpsImported++;
+        }
+        // 3. 可选：创建供应商（将远端节点的代理路径映射为固定 API 服务）
+        if (vendor.enabled) {
+            const vendorName = `${remoteNode.name}@${remoteNode.ip}`;
+            const remoteBaseUrl = `http://${remoteNode.ip}:${remoteNode.port}`;
+            // 固定的代理路径到 API 服务映射
+            // 规则：Claude/Responses/Gemini 标准接口只填 baseurl，Chat Completions 需完整路径
+            const LAN_PROXY_SERVICES = [
+                { name: 'Claude Code', sourceType: 'claude', apiUrl: `${remoteBaseUrl}/claude-code` },
+                { name: 'Codex', sourceType: 'openai', apiUrl: `${remoteBaseUrl}/codex` },
+                { name: 'Claude 标准接口', sourceType: 'claude', apiUrl: remoteBaseUrl },
+                { name: 'Responses 标准接口', sourceType: 'openai', apiUrl: remoteBaseUrl },
+                { name: 'Chat Completions 标准接口', sourceType: 'openai-chat', apiUrl: `${remoteBaseUrl}/v1/chat/completions` },
+                { name: 'Gemini 标准接口', sourceType: 'gemini', apiUrl: remoteBaseUrl },
+            ];
+            // 检查供应商是否已存在
+            const existingVendor = dbManager.getVendors().find(v => v.name === vendorName);
+            if (!existingVendor) {
+                const services = LAN_PROXY_SERVICES.map(svc => ({
+                    name: svc.name,
+                    apiUrl: svc.apiUrl,
+                    apiKey: vendor.apiKey || '',
+                    sourceType: svc.sourceType,
+                    enableProxy: false,
+                    enableCodingPlan: false,
+                }));
+                yield dbManager.createVendor({
+                    name: vendorName,
+                    description: `从局域网节点 ${remoteNode.ip}:${remoteNode.port} 同步`,
+                    apiBaseUrl: remoteBaseUrl,
+                    services: services,
+                });
+                result.vendorCreated = true;
+                result.vendorName = vendorName;
+                result.servicesCreated = services.length;
+            }
+        }
+        res.json({ success: true, result });
+    })));
     // Skills 管理相关
     app.get('/api/skills/installed', (_req, res) => {
         const skills = listInstalledSkills();
@@ -1602,6 +2004,7 @@ ${instruction}
             ? requestedBypass
             : appConfig.enableBypassPermissionsSupport;
         const result = yield writeClaudeConfig(dbManager, enableAgentTeams, enableBypassPermissionsSupport, undefined, appConfig.claudeDefaultModel, appConfig.autocompactPctOverride);
+        applyWriteLocalRecords(proxyServer);
         res.json(result);
     })));
     app.post('/api/write-config/codex', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
@@ -1613,6 +2016,7 @@ ${instruction}
                 ? appConfig.codexModelReasoningEffort
                 : DEFAULT_CODEX_REASONING_EFFORT;
         const result = yield writeCodexConfig(dbManager, modelReasoningEffort, appConfig.codexDefaultModel);
+        applyWriteLocalRecords(proxyServer);
         res.json(result);
     })));
     // 兼容接口：更新全局 Agent Teams 配置
@@ -1625,6 +2029,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -1638,6 +2043,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -1654,6 +2060,7 @@ ${instruction}
             yield proxyServer.updateConfig(latestConfig);
             updateProxyConfig(latestConfig);
             yield syncConfigsOnGlobalConfigUpdate(dbManager);
+            applyWriteLocalRecords(proxyServer);
         }
         res.json(result);
     })));
@@ -2064,6 +2471,572 @@ ${instruction}
         }
         res.json(result);
     })));
+    // ============================================================
+    // AccessKey 接入密钥 API
+    // ============================================================
+    // 获取密钥列表（支持分页和筛选）
+    app.get('/api/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json({ data: [], total: 0, page: 1, pageSize: 20 });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 20));
+        const status = req.query.status;
+        const policyId = req.query.policyId;
+        const search = req.query.search;
+        let keys = accessKeyModule.keyManager.list({ status, policyId, search });
+        // 附加策略名称和用量信息
+        const result = keys.map(key => {
+            const policy = key.policyId ? accessKeyModule.policyManager.get(key.policyId) : null;
+            return Object.assign(Object.assign({}, key), { apiKey: manager_1.AccessKeyManager.maskApiKey(key.apiKey), policyName: policy === null || policy === void 0 ? void 0 : policy.name });
+        });
+        const total = result.length;
+        const start = (page - 1) * pageSize;
+        const paged = result.slice(start, start + pageSize);
+        res.json({ data: paged, total, page, pageSize });
+    })));
+    // 创建密钥
+    app.post('/api/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { name, remark, policyId } = req.body;
+        if (!name || !name.trim()) {
+            res.status(400).json({ error: '名称不能为空' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.create({ name: name.trim(), remark, policyId });
+        yield accessKeyModule.save();
+        res.json({
+            key: Object.assign(Object.assign({}, result.key), { apiKey: manager_1.AccessKeyManager.maskApiKey(result.key.apiKey) }),
+            apiKey: result.apiKey,
+        });
+    })));
+    // 获取密钥详情
+    app.get('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const policy = key.policyId ? accessKeyModule.policyManager.get(key.policyId) : null;
+        res.json(Object.assign(Object.assign({}, key), { apiKey: manager_1.AccessKeyManager.maskApiKey(key.apiKey), policyName: policy === null || policy === void 0 ? void 0 : policy.name }));
+    })));
+    // 编辑密钥
+    app.put('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.update(req.params.id, req.body);
+        if (!result) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(true);
+    })));
+    // 删除密钥
+    app.delete('/api/access-keys/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.delete(req.params.id);
+        yield accessKeyModule.save();
+        removeWriteLocalRecords(req.params.id);
+        res.json(result);
+    })));
+    // 重新生成 API Key
+    app.post('/api/access-keys/:id/regenerate', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.keyManager.regenerate(req.params.id);
+        if (!result) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        // 如果该密钥有写入本地记录，重新生成后自动重写
+        applyWriteLocalRecords(proxyServer);
+        res.json({ apiKey: result.apiKey });
+    })));
+    // 批量更新状态
+    app.put('/api/access-keys/batch/status', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds, status } = req.body;
+        if (!Array.isArray(keyIds) || !status) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchUpdateStatus(keyIds, status);
+        yield accessKeyModule.save();
+        res.json({ count });
+    })));
+    // 批量绑定策略
+    app.put('/api/access-keys/batch/policy', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds, policyId } = req.body;
+        if (!Array.isArray(keyIds) || !policyId) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchBindPolicy(keyIds, policyId);
+        yield accessKeyModule.save();
+        res.json({ count });
+    })));
+    // 批量删除
+    app.delete('/api/access-keys/batch', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const { keyIds } = req.body;
+        if (!Array.isArray(keyIds)) {
+            res.status(400).json({ error: '参数错误' });
+            return;
+        }
+        const count = accessKeyModule.keyManager.batchDelete(keyIds);
+        yield accessKeyModule.save();
+        for (const keyId of keyIds)
+            removeWriteLocalRecords(keyId);
+        res.json({ count });
+    })));
+    // Key 用量统计
+    app.get('/api/access-keys/:id/usage', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const usage = yield accessKeyModule.usageTracker.getUsage(req.params.id);
+        res.json(usage);
+    })));
+    // Key 用量趋势
+    app.get('/api/access-keys/:id/usage/trend', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const days = parseInt(req.query.days) || 30;
+        const trend = yield accessKeyModule.usageTracker.getTrend(req.params.id, days);
+        res.json(trend);
+    })));
+    // Key 日志
+    app.get('/api/access-keys/:id/logs', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 50));
+        const startDate = req.query.startDate;
+        const endDate = req.query.endDate;
+        const contentType = req.query.contentType;
+        const search = req.query.search;
+        const result = yield accessKeyModule.keyLogger.getLogs(req.params.id, { page, pageSize, startDate, endDate, contentType, search });
+        res.json(result);
+    })));
+    // ========== AccessKey 会话 API ==========
+    // 获取密钥的会话列表
+    app.get('/api/access-keys/:id/sessions', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const pageSize = Math.min(100, Math.max(1, parseInt(req.query.pageSize) || 20));
+        const targetType = req.query.targetType;
+        const search = req.query.search;
+        const result = yield accessKeyModule.keySessionTracker.getSessions(req.params.id, {
+            page, pageSize, targetType, search,
+        });
+        res.json(result);
+    })));
+    // 获取密钥的会话总数
+    app.get('/api/access-keys/:id/sessions/count', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const targetType = req.query.targetType;
+        const count = yield accessKeyModule.keySessionTracker.getSessionsCount(req.params.id, targetType);
+        res.json({ count });
+    })));
+    // 获取密钥的单个会话
+    app.get('/api/access-keys/:id/sessions/:sessionId', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const session = yield accessKeyModule.keySessionTracker.getSession(req.params.id, req.params.sessionId);
+        if (!session) {
+            res.status(404).json({ error: '会话不存在' });
+            return;
+        }
+        res.json(session);
+    })));
+    // 获取密钥会话的日志
+    app.get('/api/access-keys/:id/sessions/:sessionId/logs', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const limit = Math.min(10000, Math.max(1, parseInt(req.query.limit) || 10000));
+        const logs = yield accessKeyModule.keyLogger.getLogsBySessionId(req.params.id, req.params.sessionId, limit);
+        res.json(logs);
+    })));
+    // 删除密钥的单个会话
+    app.delete('/api/access-keys/:id/sessions/:sessionId', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const deleted = yield accessKeyModule.keySessionTracker.deleteSession(req.params.id, req.params.sessionId);
+        if (!deleted) {
+            res.status(404).json({ error: '会话不存在' });
+            return;
+        }
+        res.json({ success: true });
+    })));
+    // 清空密钥的所有会话
+    app.delete('/api/access-keys/:id/sessions', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        yield accessKeyModule.keySessionTracker.clearSessions(req.params.id);
+        res.json({ success: true });
+    })));
+    // Key 接入指引
+    app.get('/api/access-keys/:id/guide', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const host = req.query.host || req.hostname || 'localhost';
+        const port = req.query.port || (req.socket.localAddress ? String(req.socket.localPort) : '4567');
+        const baseUrl = `http://${host}:${port}`;
+        const maskedKey = manager_1.AccessKeyManager.maskApiKey(key.apiKey);
+        res.json({
+            claudeCode: {
+                description: 'Claude Code 接入',
+                envVars: {
+                    ANTHROPIC_BASE_URL: `${baseUrl}/claude-code`,
+                    ANTHROPIC_AUTH_TOKEN: maskedKey,
+                },
+            },
+            codex: {
+                description: 'Codex 接入',
+                envVars: {
+                    OPENAI_API_KEY: maskedKey,
+                    OPENAI_BASE_URL: `${baseUrl}/codex`,
+                },
+            },
+            openai: {
+                description: 'OpenAI 兼容工具 (Cursor / Continue 等)',
+                envVars: {
+                    OPENAI_API_KEY: maskedKey,
+                    OPENAI_BASE_URL: `${baseUrl}/v1`,
+                },
+            },
+        });
+    })));
+    // 写入本地配置（将 AccessKey 写入 Claude Code / Codex 配置文件）
+    app.post('/api/access-keys/:id/write-local', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(400).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const key = accessKeyModule.keyManager.get(req.params.id);
+        if (!key) {
+            res.status(404).json({ error: '密钥不存在' });
+            return;
+        }
+        const targets = req.body.targets || [];
+        if (targets.length === 0) {
+            res.status(400).json({ error: '请选择至少一个目标' });
+            return;
+        }
+        const homeDir = os_1.default.homedir();
+        const results = {};
+        for (const target of targets) {
+            try {
+                if (target === 'claude-code') {
+                    // 写入 ~/.claude/settings.json 的 env.ANTHROPIC_AUTH_TOKEN
+                    const claudeDir = path_1.default.join(homeDir, '.claude');
+                    const settingsPath = path_1.default.join(claudeDir, 'settings.json');
+                    if (!fs_1.default.existsSync(claudeDir)) {
+                        fs_1.default.mkdirSync(claudeDir, { recursive: true });
+                    }
+                    let settings = {};
+                    if (fs_1.default.existsSync(settingsPath)) {
+                        try {
+                            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_a) { /* ignore */ }
+                    }
+                    if (!settings.env)
+                        settings.env = {};
+                    settings.env.ANTHROPIC_AUTH_TOKEN = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(settingsPath, JSON.stringify(settings, null, 2));
+                    results['claude-code'] = true;
+                }
+                else if (target === 'codex') {
+                    // 写入 ~/.codex/auth.json 的 OPENAI_API_KEY
+                    const codexDir = path_1.default.join(homeDir, '.codex');
+                    const authPath = path_1.default.join(codexDir, 'auth.json');
+                    if (!fs_1.default.existsSync(codexDir)) {
+                        fs_1.default.mkdirSync(codexDir, { recursive: true });
+                    }
+                    let auth = {};
+                    if (fs_1.default.existsSync(authPath)) {
+                        try {
+                            auth = JSON.parse(fs_1.default.readFileSync(authPath, 'utf-8'));
+                        }
+                        catch ( /* ignore */_b) { /* ignore */ }
+                    }
+                    auth.OPENAI_API_KEY = key.apiKey;
+                    (0, config_merge_1.atomicWriteFile)(authPath, JSON.stringify(auth, null, 2));
+                    results['codex'] = true;
+                }
+            }
+            catch (error) {
+                console.error(`Failed to write local config for ${target}:`, error);
+                results[target] = false;
+            }
+        }
+        // 持久化写入本地记录，确保服务重启后自动恢复
+        const successTargets = Object.entries(results)
+            .filter(([, v]) => v === true)
+            .map(([k]) => k);
+        if (successTargets.length > 0) {
+            addWriteLocalRecord(key.id, successTargets);
+        }
+        res.json({ success: true, results });
+    })));
+    // 查询写入本地记录（供 UI 显示标注）
+    app.get('/api/write-local-records', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        res.json(loadWriteLocalRecords());
+    })));
+    // ============================================================
+    // Policy 策略 API
+    // ============================================================
+    // 策略列表
+    app.get('/api/policies', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const policies = accessKeyModule.policyManager.list();
+        const result = policies.map(p => (Object.assign(Object.assign({}, p), { keyCount: accessKeyModule.keyManager.countByPolicyId(p.id) })));
+        res.json(result);
+    })));
+    // 创建策略
+    app.post('/api/policies', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const policy = accessKeyModule.policyManager.create(req.body);
+        yield accessKeyModule.save();
+        res.json(policy);
+    })));
+    // 策略模板（必须在 /:id 之前注册，避免被当作 id 参数匹配）
+    app.get('/api/policies/templates', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        res.json(policy_manager_1.PolicyManager.getTemplates());
+    })));
+    // 策略详情
+    app.get('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(404).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const policy = accessKeyModule.policyManager.get(req.params.id);
+        if (!policy) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        res.json(policy);
+    })));
+    // 编辑策略
+    app.put('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.policyManager.update(req.params.id, req.body);
+        if (!result) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(true);
+    })));
+    // 删除策略
+    app.delete('/api/policies/:id', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const keyCount = accessKeyModule.keyManager.countByPolicyId(req.params.id);
+        if (keyCount > 0) {
+            res.status(400).json({ error: `有 ${keyCount} 个密钥正在使用此策略，请先解除绑定` });
+            return;
+        }
+        const result = accessKeyModule.policyManager.delete(req.params.id);
+        yield accessKeyModule.save();
+        res.json(result);
+    })));
+    // 复制策略
+    app.post('/api/policies/:id/duplicate', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.status(500).json({ error: 'AccessKey 功能未启用' });
+            return;
+        }
+        const result = accessKeyModule.policyManager.duplicate(req.params.id);
+        if (!result) {
+            res.status(404).json({ error: '策略不存在' });
+            return;
+        }
+        yield accessKeyModule.save();
+        res.json(result);
+    })));
+    // 使用策略的密钥列表
+    app.get('/api/policies/:id/keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.listByPolicyId(req.params.id);
+        res.json(keys.map(k => (Object.assign(Object.assign({}, k), { apiKey: manager_1.AccessKeyManager.maskApiKey(k.apiKey) }))));
+    })));
+    // ============================================================
+    // AccessKey 全局统计 API
+    // ============================================================
+    // Key 用量排行
+    app.get('/api/statistics/access-keys', asyncHandler((req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.list();
+        const result = yield Promise.all(keys.map((k) => __awaiter(void 0, void 0, void 0, function* () {
+            const usage = yield accessKeyModule.usageTracker.getUsage(k.id);
+            return {
+                keyId: k.id,
+                keyName: k.name,
+                totalTokens: usage.lifetime.totalTokens,
+                totalRequests: usage.lifetime.totalRequests,
+                lastActiveAt: k.lastActiveAt,
+            };
+        })));
+        // 排序
+        const sortBy = req.query.sortBy || 'totalTokens';
+        const order = req.query.order || 'desc';
+        result.sort((a, b) => {
+            const va = a[sortBy] || 0;
+            const vb = b[sortBy] || 0;
+            return order === 'desc' ? vb - va : va - vb;
+        });
+        const limit = Math.min(100, parseInt(req.query.limit) || 20);
+        res.json(result.slice(0, limit));
+    })));
+    // 配额告警
+    app.get('/api/statistics/quota-alerts', asyncHandler((_req, res) => __awaiter(void 0, void 0, void 0, function* () {
+        const accessKeyModule = proxyServer.getAccessKeyModule();
+        if (!accessKeyModule) {
+            res.json([]);
+            return;
+        }
+        const keys = accessKeyModule.keyManager.list({ status: 'active' });
+        const alerts = [];
+        for (const key of keys) {
+            if (!key.policyId)
+                continue;
+            const policy = accessKeyModule.policyManager.get(key.policyId);
+            if (!policy)
+                continue;
+            const usage = yield accessKeyModule.usageTracker.getUsage(key.id);
+            // 检查各维度
+            const checks = [];
+            if (policy.dailyTokenLimit) {
+                checks.push({ dimension: 'dailyTokenLimit', usage: usage.periods.daily.tokens, limit: policy.dailyTokenLimit * 1000 });
+            }
+            if (policy.monthlyTokenLimit) {
+                checks.push({ dimension: 'monthlyTokenLimit', usage: usage.periods.monthly.tokens, limit: policy.monthlyTokenLimit * 1000 });
+            }
+            if (policy.dailyRequestLimit) {
+                checks.push({ dimension: 'dailyRequestLimit', usage: usage.periods.daily.requests, limit: policy.dailyRequestLimit });
+            }
+            if (policy.monthlyRequestLimit) {
+                checks.push({ dimension: 'monthlyRequestLimit', usage: usage.periods.monthly.requests, limit: policy.monthlyRequestLimit });
+            }
+            for (const check of checks) {
+                if (check.limit <= 0)
+                    continue;
+                const pct = Math.round((check.usage / check.limit) * 100);
+                if (pct >= 80) {
+                    alerts.push({
+                        keyId: key.id,
+                        keyName: key.name,
+                        dimension: check.dimension,
+                        usage: check.usage,
+                        limit: check.limit,
+                        percentage: pct,
+                        level: pct >= 100 ? 'exceeded' : pct >= 95 ? 'critical' : 'warning',
+                    });
+                }
+            }
+        }
+        res.json(alerts);
+    })));
     // 写入MCP配置到Claude Code或Codex的全局配置文件
     const writeMCPConfig = (targetType) => __awaiter(void 0, void 0, void 0, function* () {
         try {
@@ -2300,6 +3273,22 @@ const start = () => __awaiter(void 0, void 0, void 0, function* () {
     }
     catch ( /* ignore */_a) { /* ignore */ }
     const proxyServer = new proxy_server_1.ProxyServer(dbManager, app);
+    // Initialize AccessKey module
+    const accessKeyModule = new index_1.AccessKeyModule(dataDir);
+    try {
+        yield accessKeyModule.initialize();
+        proxyServer.setAccessKeyModule(accessKeyModule);
+    }
+    catch (error) {
+        console.error('[Server] AccessKey module initialization failed:', error);
+    }
+    // 恢复已写入本地的 AccessKey（在代理配置写入之后、AccessKey 模块初始化之后）
+    try {
+        applyWriteLocalRecords(proxyServer);
+    }
+    catch (error) {
+        console.error('[Server] Failed to apply write-local records:', error);
+    }
     // Initialize proxy server and register proxy routes last
     proxyServer.initialize();
     // Register admin routes first
@@ -2374,7 +3363,16 @@ const start = () => __awaiter(void 0, void 0, void 0, function* () {
             catch (error) {
                 console.error('[Shutdown ...] Failed to restore Codex config:', error);
             }
+            // Shutdown AccessKey module
+            try {
+                yield accessKeyModule.shutdown();
+            }
+            catch (error) {
+                console.error('[Shutdown ...] AccessKey module shutdown failed:', error);
+            }
             dbManager.close();
+            // 清理规则状态广播器（关闭 SSE 连接）
+            rules_status_service_1.rulesStatusBroadcaster.destroy();
             yield Promise.race([
                 new Promise((resolve) => {
                     server.close(() => resolve());