cicy-desktop 2.1.65 → 2.1.67

package/src/sidecar/runtime.js

@@ -0,0 +1,256 @@
+// Runtime Bundle v1 — versioned component store for everything cicy-desktop
+// runs locally (cicy-code, mihomo, and on Windows the slim MSYS2 tree).
+//
+// Layout:
+//   ~/cicy-ai/runtime/
+//     versions.json                  { "<comp>": { "current": "<ver>" }, ... }
+//     cicy-code/<ver>/cicy-code(.exe)
+//     mihomo/<ver>/mihomo(.exe)
+//     msys2/<ver>/usr/bin/bash.exe   (win32 only, directory component)
+//
+// Sourcing order:
+//   1. first run: copy out of cicy-desktop's own node_modules — the platform
+//      subpackages are optionalDependencies, so `npm i -g cicy-desktop`
+//      already delivered the right binaries. First start = ZERO network,
+//      ZERO npx (主人指令).
+//   2. upgrades: `npm pack <pkg>@<ver>` (npmmirror default) → extract into
+//      runtime/<comp>/<ver>/ → caller verifies health → switchCurrent().
+//      The previous version stays on disk for instant rollback.
+//
+// The `current` pointer lives in versions.json (NOT a symlink — Windows
+// junction/symlink permissions are a minefield; a JSON pointer is identical
+// on every platform).
+const { execFile } = require("child_process");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+
+const RUNTIME_DIR = path.join(os.homedir(), "cicy-ai", "runtime");
+const VERSIONS_JSON = path.join(RUNTIME_DIR, "versions.json");
+const REGISTRY = process.env.CICY_NPM_REGISTRY || "https://registry.npmmirror.com";
+const IS_WIN = process.platform === "win32";
+
+function plat() {
+  const osStr = IS_WIN ? "win32" : process.platform === "darwin" ? "darwin" : "linux";
+  const archStr = process.arch === "arm64" ? "arm64" : "x64";
+  return `${osStr}-${archStr}`;
+}
+
+// kind "bin": single executable at the package root.
+// kind "dir": a directory tree (msys2) — `check` is the file proving it's intact.
+const COMPONENTS = {
+  "cicy-code": {
+    kind: "bin",
+    pkg: () => `cicy-code-${plat()}`,
+    bin: () => (IS_WIN ? "cicy-code.exe" : "cicy-code"),
+  },
+  "mihomo": {
+    kind: "bin",
+    // npm spam filter 403s new names containing 'win32' → windows-* naming
+    pkg: () => `cicy-mihomo-${plat().replace("win32", "windows")}`,
+    bin: () => (IS_WIN ? "mihomo.exe" : "mihomo"),
+  },
+  "msys2": {
+    kind: "dir",
+    winOnly: true,
+    pkg: () => "cicy-msys2-windows-x64",
+    check: path.join("usr", "bin", "bash.exe"),
+  },
+};
+
+function readVersions() {
+  try { return JSON.parse(fs.readFileSync(VERSIONS_JSON, "utf8")); } catch { return {}; }
+}
+
+function writeVersions(updater) {
+  fs.mkdirSync(RUNTIME_DIR, { recursive: true });
+  const next = updater(readVersions()) || {};
+  const tmp = VERSIONS_JSON + ".tmp";
+  fs.writeFileSync(tmp, JSON.stringify(next, null, 2));
+  fs.renameSync(tmp, VERSIONS_JSON);
+  return next;
+}
+
+function currentVersion(comp) {
+  return readVersions()[comp]?.current || null;
+}
+
+function versionDir(comp, ver) {
+  return path.join(RUNTIME_DIR, comp, ver);
+}
+
+// Absolute path of the component's current payload — the executable for "bin"
+// components, the root dir for "dir" components. null when not installed.
+function binPath(comp) {
+  const c = COMPONENTS[comp];
+  const ver = currentVersion(comp);
+  if (!c || !ver) return null;
+  const p = c.kind === "dir" ? versionDir(comp, ver) : path.join(versionDir(comp, ver), c.bin());
+  const probe = c.kind === "dir" ? path.join(p, c.check) : p;
+  return fs.existsSync(probe) ? p : null;
+}
+
+function cpDirSync(src, dst) {
+  fs.cpSync(src, dst, { recursive: true });
+}
+
+// Install a payload directory as <comp>@<ver> and return the version dir.
+// Payload = the npm package dir (or node_modules/<pkg>). Atomic-ish: extract
+// to .staging then rename.
+function installPayload(comp, ver, payloadDir) {
+  const c = COMPONENTS[comp];
+  const dst = versionDir(comp, ver);
+  if (fs.existsSync(dst)) return dst; // already installed — idempotent
+  const staging = dst + ".staging";
+  fs.rmSync(staging, { recursive: true, force: true });
+  fs.mkdirSync(staging, { recursive: true });
+  if (c.kind === "dir") {
+    cpDirSync(payloadDir, staging);
+    if (!fs.existsSync(path.join(staging, c.check))) {
+      // the tree may be nested one level (package/msys64/usr/...)
+      const sub = fs.readdirSync(staging).find((d) =>
+        fs.existsSync(path.join(staging, d, c.check)));
+      if (!sub) { fs.rmSync(staging, { recursive: true, force: true }); throw new Error(`${comp}: ${c.check} missing in package`); }
+      fs.renameSync(path.join(staging, sub), staging + ".inner");
+      fs.rmSync(staging, { recursive: true, force: true });
+      fs.renameSync(staging + ".inner", staging);
+    }
+  } else {
+    const src = path.join(payloadDir, c.bin());
+    if (!fs.existsSync(src)) { fs.rmSync(staging, { recursive: true, force: true }); throw new Error(`${comp}: ${c.bin()} missing in package`); }
+    fs.copyFileSync(src, path.join(staging, c.bin()));
+    if (!IS_WIN) fs.chmodSync(path.join(staging, c.bin()), 0o755);
+  }
+  fs.renameSync(staging, dst);
+  return dst;
+}
+
+function switchCurrent(comp, ver) {
+  writeVersions((v) => { v[comp] = { ...(v[comp] || {}), current: ver, switched_at: new Date().toISOString() }; return v; });
+}
+
+// Keep current + previous; GC everything older.
+function gc(comp) {
+  const cur = currentVersion(comp);
+  const dir = path.join(RUNTIME_DIR, comp);
+  let entries = [];
+  try { entries = fs.readdirSync(dir).filter((d) => !d.endsWith(".staging")); } catch { return; }
+  const prev = readVersions()[comp]?.previous;
+  for (const e of entries) {
+    if (e !== cur && e !== prev) {
+      try { fs.rmSync(path.join(dir, e), { recursive: true, force: true }); } catch {}
+    }
+  }
+}
+
+// Locate the platform subpackage inside cicy-desktop's own install (it's an
+// optionalDependency, delivered by the same `npm i -g cicy-desktop`).
+function bundledPkgDir(comp) {
+  const c = COMPONENTS[comp];
+  const candidates = [
+    path.join(__dirname, "..", "..", "node_modules", c.pkg()),          // npm install layout
+    path.join(process.resourcesPath || "", "runtime-pkgs", c.pkg()),    // packaged (NSIS/dmg) layout
+  ];
+  for (const p of candidates) {
+    try {
+      if (fs.existsSync(path.join(p, "package.json"))) return p;
+    } catch {}
+  }
+  return null;
+}
+
+// First-run seeding: make sure SOME version of `comp` is installed + current,
+// sourcing from the bundled subpackage. Never touches the network.
+function ensureFromBundle(comp) {
+  const c = COMPONENTS[comp];
+  if (!c || (c.winOnly && !IS_WIN)) return null;
+  const existing = binPath(comp);
+  if (existing) return existing;
+  const pkgDir = bundledPkgDir(comp);
+  if (!pkgDir) return null; // not bundled (e.g. dev tree) — caller may npm-install
+  const ver = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8")).version;
+  installPayload(comp, ver, pkgDir);
+  if (!currentVersion(comp)) switchCurrent(comp, ver);
+  return binPath(comp);
+}
+
+function npmExec(args, { timeout = 600000 } = {}) {
+  return new Promise((resolve, reject) => {
+    execFile("npm", args, { windowsHide: true, timeout, shell: IS_WIN }, (err, stdout, stderr) =>
+      err ? reject(new Error(String(stderr || err.message).slice(0, 300))) : resolve(String(stdout)));
+  });
+}
+
+// Latest published version of the component's npm package.
+async function checkUpdate(comp) {
+  const c = COMPONENTS[comp];
+  const out = await npmExec(["view", c.pkg(), "version", `--registry=${REGISTRY}`], { timeout: 30000 });
+  const latest = out.trim();
+  const current = currentVersion(comp);
+  return { current, latest, updateAvailable: !!latest && latest !== current };
+}
+
+// Download <pkg>@<ver> via `npm pack` (pacote verifies sha512 integrity),
+// extract, install as a runtime version. Does NOT switch `current` — the
+// caller health-checks first, then calls switchCurrent()/rollback.
+async function fetchVersion(comp, ver, { emit } = {}) {
+  const c = COMPONENTS[comp];
+  const e = emit || (() => {});
+  if (fs.existsSync(versionDir(comp, ver))) {
+    e({ phase: "download", status: "skip", message: `${comp} ${ver} 已在本地，跳过下载` });
+    return versionDir(comp, ver);
+  }
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), `cicy-rt-${comp}-`));
+  try {
+    e({ phase: "download", status: "running", message: `下载 ${comp} ${ver}…` });
+    const out = await npmExec(["pack", `${c.pkg()}@${ver}`, `--registry=${REGISTRY}`, "--pack-destination", tmp]);
+    const tgz = path.join(tmp, out.trim().split("\n").pop().trim());
+    await new Promise((resolve, reject) => {
+      execFile("tar", ["-xzf", tgz, "-C", tmp], { windowsHide: true, timeout: 120000 },
+        (err) => (err ? reject(err) : resolve()));
+    });
+    const dir = installPayload(comp, ver, path.join(tmp, "package"));
+    e({ phase: "download", status: "done", message: `${comp} ${ver} 就绪` });
+    return dir;
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+}
+
+// Full upgrade: fetch latest → caller's stop/start hooks around the pointer
+// switch → health verify → rollback on failure. Returns { ok, from, to }.
+async function upgrade(comp, { emit, stop, start, verify } = {}) {
+  const e = emit || (() => {});
+  const from = currentVersion(comp);
+  const { latest } = await checkUpdate(comp);
+  if (!latest) throw new Error(`registry has no ${COMPONENTS[comp].pkg()}`);
+  if (latest === from) {
+    e({ phase: "done", status: "done", message: `已是最新 ${latest}` });
+    return { ok: true, from, to: latest, noop: true };
+  }
+  await fetchVersion(comp, latest, { emit });
+  e({ phase: "swap", status: "running", message: "停止当前版本…" });
+  if (stop) await stop();
+  writeVersions((v) => { v[comp] = { ...(v[comp] || {}), previous: from }; return v; });
+  switchCurrent(comp, latest);
+  e({ phase: "swap", status: "running", message: `切换到 ${latest}，启动…` });
+  try {
+    if (start) await start();
+    if (verify && !(await verify())) throw new Error("health check failed");
+  } catch (err) {
+    // rollback: pointer back, restart old version
+    e({ phase: "swap", status: "error", message: `新版本异常（${err.message}），回滚到 ${from}` });
+    switchCurrent(comp, from);
+    if (start) { try { await start(); } catch {} }
+    return { ok: false, from, to: latest, rolledBack: true, error: err.message };
+  }
+  gc(comp);
+  e({ phase: "done", status: "done", message: `已更新 ${from || "(无)"} → ${latest}` });
+  return { ok: true, from, to: latest };
+}
+
+module.exports = {
+  RUNTIME_DIR, COMPONENTS,
+  binPath, currentVersion, ensureFromBundle, fetchVersion, switchCurrent,
+  checkUpdate, upgrade, gc, readVersions,
+};

package/workers/render/src/App.css

@@ -733,3 +733,84 @@ body {
   font-size: 11.5px; color: #9ca3af;
   word-break: break-word;
 }
+
+/* live op progress on the local team card (更新 download %/phase stream) */
+.bcard__prog {
+  display: flex; flex-direction: column; gap: 4px;
+  margin-top: 6px; font-size: 12px; line-height: 1.35;
+  color: var(--text-dim, #9da7b3);
+}
+.bcard__prog[data-status="error"] .bcard__progmsg { color: #f87171; }
+.bcard__prog[data-status="done"] .bcard__progmsg { color: #4ade80; }
+.bcard__progbar {
+  display: block; height: 4px; border-radius: 2px;
+  background: rgba(125, 135, 150, 0.25); overflow: hidden;
+}
+.bcard__progbar > span {
+  display: block; height: 100%; border-radius: 2px;
+  background: var(--accent, #3b82f6);
+  transition: width 0.25s ease;
+}
+
+/* HTTPS 审计 CA 授权卡片 (合规 opt-in) */
+.mitm-card {
+  border: 1px solid rgba(125, 135, 150, 0.22);
+  border-radius: 12px;
+  padding: 14px 16px;
+  margin-bottom: 14px;
+  background: rgba(30, 36, 46, 0.4);
+}
+.mitm-card--on { border-color: rgba(74, 222, 128, 0.35); background: rgba(22, 40, 30, 0.4); }
+.mitm-card__head { display: flex; align-items: center; gap: 8px; margin-bottom: 6px; }
+.mitm-card__dot { width: 8px; height: 8px; border-radius: 50%; background: #9da7b3; flex: 0 0 auto; }
+.mitm-card__dot[data-state="on"]   { background: #4ade80; box-shadow: 0 0 6px rgba(74, 222, 128, 0.6); }
+.mitm-card__dot[data-state="warn"] { background: #fbbf24; }
+.mitm-card__dot[data-state="off"]  { background: #60a5fa; }
+.mitm-card__title { font-size: 14px; font-weight: 600; color: var(--text, #e6edf3); }
+.mitm-card__desc { font-size: 12.5px; line-height: 1.5; color: var(--text-dim, #9da7b3); margin: 0 0 10px; }
+.mitm-card__note { color: #fbbf24; }
+.mitm-card__error { font-size: 12px; color: #f87171; margin-bottom: 8px; }
+.mitm-card__actions { display: flex; gap: 8px; }
+.mitm-card__btn {
+  font-size: 13px; padding: 7px 16px; border-radius: 8px; border: none; cursor: pointer;
+  background: var(--accent, #3b82f6); color: #fff; font-weight: 500;
+}
+.mitm-card__btn:disabled { opacity: 0.6; cursor: default; }
+.mitm-card__btn--ghost { background: transparent; border: 1px solid rgba(125, 135, 150, 0.35); color: var(--text-dim, #9da7b3); }
+.mitm-card__sub { color: var(--text-dim, #9da7b3); opacity: 0.8; font-size: 11.5px; }
+
+/* 首启门控条款页 (合规第一道整体同意) */
+.terms-gate { display: flex; align-items: center; justify-content: center; padding: 24px; }
+.terms-gate__panel {
+  position: relative; z-index: 1; width: min(680px, 94vw); max-height: 90vh;
+  display: flex; flex-direction: column;
+  background: rgba(20, 25, 33, 0.92); border: 1px solid rgba(125, 135, 150, 0.22);
+  border-radius: 16px; padding: 28px 30px; box-shadow: 0 24px 60px rgba(0,0,0,0.5);
+}
+.terms-gate__title { font-size: 20px; font-weight: 700; margin: 0 0 4px; color: var(--text, #e6edf3); }
+.terms-gate__subtitle { font-size: 13px; color: var(--text-dim, #9da7b3); margin: 0 0 16px; }
+.terms-gate__body {
+  overflow-y: auto; flex: 1 1 auto; min-height: 0; padding-right: 8px;
+  border-top: 1px solid rgba(125,135,150,0.15); border-bottom: 1px solid rgba(125,135,150,0.15);
+  padding-top: 14px; padding-bottom: 14px;
+}
+.terms-gate__h2 { font-size: 14px; font-weight: 600; margin: 0 0 10px; color: var(--text, #e6edf3); }
+.terms-gate__summary { margin: 0 0 14px; padding-left: 20px; }
+.terms-gate__summary li { font-size: 13px; line-height: 1.6; color: var(--text-dim, #c2cbd6); margin-bottom: 8px; }
+.terms-gate__viewfull {
+  background: none; border: none; color: var(--accent, #3b82f6); cursor: pointer;
+  font-size: 13px; padding: 4px 0; text-decoration: underline;
+}
+.terms-gate__fulltext {
+  white-space: pre-wrap; word-break: break-word; font-size: 12px; line-height: 1.6;
+  color: var(--text-dim, #b3bcc8); background: rgba(0,0,0,0.2); border-radius: 8px;
+  padding: 14px; margin: 10px 0 0; font-family: inherit;
+}
+.terms-gate__scrollhint { font-size: 12px; color: #fbbf24; text-align: center; margin: 12px 0 0; }
+.terms-gate__actions { display: flex; gap: 12px; justify-content: flex-end; margin-top: 18px; }
+.terms-gate__btn {
+  font-size: 14px; padding: 10px 22px; border-radius: 9px; border: none; cursor: pointer;
+  background: var(--accent, #3b82f6); color: #fff; font-weight: 600;
+}
+.terms-gate__btn:disabled { opacity: 0.45; cursor: not-allowed; }
+.terms-gate__btn--ghost { background: transparent; border: 1px solid rgba(125,135,150,0.35); color: var(--text-dim, #9da7b3); font-weight: 500; }

package/workers/render/src/App.jsx

@@ -1,5 +1,6 @@
 import { useEffect, useState, useCallback, useMemo, useRef } from "react";
 import "./App.css";
+import { TERMS_VERSION, TERMS_FULL } from "./termsText";
 
 // i18n bridge exposed by homepage-preload (window.cicyI18n.t, locale from
 // app.getLocale()). Returns the localized string, or `fallback` when the key
@@ -15,6 +16,17 @@ const USER_ID_KEY = "cicy_user_id";
 const CLOUD_BASE = "https://cicy-ai.com";
 
 export default function App() {
+  // First-run terms gate (合规第一道整体同意) — blocks the whole UI until
+  // accepted. undefined = checking, false = must show gate, true = past it.
+  // Distinct from the MITM CA opt-in; accepting terms never enables audit.
+  const [termsOk, setTermsOk] = useState(undefined);
+  useEffect(() => {
+    if (!window.cicy?.terms?.status) { setTermsOk(true); return; } // no bridge (dev) → don't block
+    window.cicy.terms.status(TERMS_VERSION)
+      .then((r) => setTermsOk(!!r?.accepted))
+      .catch(() => setTermsOk(true));
+  }, []);
+
   // sk-xxx (LLM API). Used by /v1/chat/completions etc.
   const [token, setToken] = useState(() => safeGet(TOKEN_KEY));
   // Console-API bearer. Used by /api/user/self, /api/teams, etc.
@@ -268,6 +280,20 @@ export default function App() {
     setProfileError("");
   }
 
+  // First-run terms gate takes precedence over everything (even login) —
+  // accepting the terms is a precondition to using the software at all.
+  if (termsOk === undefined) {
+    return (
+      <div className="shell" data-id="TermsCheckingSplash">
+        <div className="glow" aria-hidden />
+        <div className="card"><Brand /><div className="spinner-row"><Spinner /></div></div>
+      </div>
+    );
+  }
+  if (!termsOk) {
+    return <FirstRunTermsGate onAgree={() => setTermsOk(true)} />;
+  }
+
   // Still checking the durable store — show a minimal splash, not the login
   // card, so we never flash "please log in" before restore completes.
   if (!token && authRestoring) {
@@ -358,6 +384,7 @@ export default function App() {
         </div>
 
         {showLocal && <DockerSetup onReady={fetchLocalTeams} />}
+        {showLocal && localList.length > 0 && <MitmConsentCard team={localList[0]} />}
 
         {profileError && (
           <div className="error" style={{ marginBottom: 12 }}>
@@ -449,6 +476,175 @@ const DOCKER_STEPS = [
   { key: "health",         label: "本地团队就绪" },
 ];
 
+// 首启门控:整体条款的第一道同意。未同意不进主界面;读到底部才解锁"同意"。
+// 与 MitmConsentCard(HTTPS 审计第二道同意)完全独立 —— 同意条款 ≠ 开启审计。
+function FirstRunTermsGate({ onAgree }) {
+  const [scrolledEnd, setScrolledEnd] = useState(false);
+  const [showFull, setShowFull] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const locale = (window.cicyI18n?.locale || "en").startsWith("zh") ? "zh-CN" : "en";
+  const t = (k, fb) => tr(`firstRunTerms.${k}`, fb);
+  const summaries = [1, 2, 3, 4, 5, 6].map((i) => t(`summary${i}`, ""));
+
+  const onScroll = (e) => {
+    const el = e.currentTarget;
+    if (el.scrollHeight - el.scrollTop - el.clientHeight < 24) setScrolledEnd(true);
+  };
+  // Short content that never scrolls → unlock immediately.
+  const bodyRef = useRef(null);
+  useEffect(() => {
+    const el = bodyRef.current;
+    if (el && el.scrollHeight <= el.clientHeight + 24) setScrolledEnd(true);
+  }, [showFull]);
+
+  const agree = async () => {
+    if (busy || !scrolledEnd) return;
+    setBusy(true);
+    try { await window.cicy?.terms?.agree?.(TERMS_VERSION); onAgree?.(); }
+    catch { onAgree?.(); } // never trap the user; main also persists
+  };
+  const decline = () => { try { window.cicy?.terms?.decline?.(); } catch {} };
+
+  return (
+    <div className="shell terms-gate" data-id="FirstRunTermsGate">
+      <div className="glow" aria-hidden />
+      <div className="terms-gate__panel">
+        <h1 className="terms-gate__title" data-id="FirstRunTermsGate-title">{t("title", "用户协议与授权说明")}</h1>
+        <p className="terms-gate__subtitle">{t("subtitle", "使用 CiCy Desktop 前,请阅读并同意以下条款")}</p>
+
+        <div className="terms-gate__body" ref={bodyRef} onScroll={onScroll} data-id="FirstRunTermsGate-body">
+          <h2 className="terms-gate__h2">{t("summaryTitle", "一眼看懂")}</h2>
+          <ol className="terms-gate__summary">
+            {summaries.filter(Boolean).map((s, i) => <li key={i}>{s}</li>)}
+          </ol>
+          {!showFull ? (
+            <button className="terms-gate__viewfull" data-id="FirstRunTermsGate-viewfull"
+              onClick={() => setShowFull(true)}>{t("viewFull", "查看完整条款")}</button>
+          ) : (
+            <pre className="terms-gate__fulltext" data-id="FirstRunTermsGate-fulltext">{TERMS_FULL[locale] || TERMS_FULL.en}</pre>
+          )}
+        </div>
+
+        {!scrolledEnd && <div className="terms-gate__scrollhint" data-id="FirstRunTermsGate-scrollhint">{t("scrollHint", "请阅读至底部以继续")}</div>}
+        <div className="terms-gate__actions">
+          <button data-id="FirstRunTermsGate-decline" className="terms-gate__btn terms-gate__btn--ghost" onClick={decline}>
+            {t("decline", "不同意并退出")}
+          </button>
+          <button data-id="FirstRunTermsGate-agree" className="terms-gate__btn" disabled={!scrolledEnd || busy}
+            title={!scrolledEnd ? t("mustAgree", "未同意则无法使用本软件。") : ""} onClick={agree}>
+            {t("agree", "同意并继续")}
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// HTTPS 审计 CA 授权卡片 (合规 opt-in)。绝不首启静默装根证书 (Superfish 红线) —
+// 用户在此显式同意后,才由 cicy-code 写入系统根信任库。三态:未授权 / 已授权(可撤销) /
+// 处理中。同意走 POST /api/mitm/consent;need_elevation 回退 exec 自提权 install-ca。
+function MitmConsentCard({ team }) {
+  const [status, setStatus] = useState(undefined); // undefined=loading, null=endpoint absent, {generated,trusted,consent}
+  const [busy, setBusy] = useState("");            // "" | enable | disable
+  const [error, setError] = useState("");
+
+  const base = (team?.base_url || "").replace(/\/$/, "");
+  const token = team?.api_token || "";
+
+  const caFetch = useCallback(async (path, opts = {}) => {
+    if (!window.cicy?.cloud?.fetch) throw new Error("bridge missing");
+    const r = await window.cicy.cloud.fetch(`${base}${path}`, {
+      ...opts,
+      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json", ...(opts.headers || {}) },
+    });
+    let json = null; try { json = JSON.parse(r.body); } catch {}
+    return { ok: r.ok, status: r.status, json };
+  }, [base, token]);
+
+  const refresh = useCallback(async () => {
+    try {
+      const r = await caFetch("/api/mitm/ca-status");
+      // 404 / not-ok → endpoint not present (older cicy-code) → hide card.
+      setStatus(r.ok && r.json ? r.json : null);
+    } catch { setStatus(null); }
+  }, [caFetch]);
+  useEffect(() => { if (base && token) refresh(); }, [base, token, refresh]);
+
+  // Hide until we know the CA exists. No CA generated (MITM off) → nothing to consent to.
+  if (status === undefined) return null;          // still loading
+  if (!status || !status.generated) return null;  // endpoint absent or no CA
+
+  const enable = async () => {
+    if (busy) return;
+    setBusy("enable"); setError("");
+    try {
+      const r = await caFetch("/api/mitm/consent", { method: "POST", body: JSON.stringify({ enable: true }) });
+      if (r.ok && r.json?.ok && r.json?.trusted) { await refresh(); }
+      else if (r.json?.error === "need_elevation" || (!r.ok && r.status === 403)) {
+        // fall back to the self-elevating CLI (OS prompt = the second consent)
+        const ex = await window.cicy?.mitm?.caExec?.("install");
+        if (ex?.ok) await refresh();
+        else setError(/cancel/i.test(ex?.stderr || "") ? tr("mitmConsent.errorAdminDenied", "未获得管理员授权,已取消。") : (ex?.stderr || tr("mitmConsent.errorTitle", "提权失败,请从管理员控制台运行")));
+      } else {
+        setError(r.json?.error || `失败 (HTTP ${r.status})`);
+      }
+    } catch (e) { setError(String(e?.message || e)); }
+    finally { setBusy(""); }
+  };
+
+  const disable = async () => {
+    if (busy) return;
+    setBusy("disable"); setError("");
+    try {
+      const r = await caFetch("/api/mitm/consent", { method: "POST", body: JSON.stringify({ enable: false }) });
+      if (r.ok && r.json?.ok) await refresh();
+      else {
+        const ex = await window.cicy?.mitm?.caExec?.("uninstall");
+        if (ex?.ok) await refresh(); else setError(ex?.stderr || r.json?.error || "撤销失败");
+      }
+    } catch (e) { setError(String(e?.message || e)); }
+    finally { setBusy(""); }
+  };
+
+  const granted = status.consent && status.trusted;
+  const partial = status.consent && !status.trusted; // consented but not (re)installed
+  const t = (k, fb) => tr(`mitmConsent.${k}`, fb);
+
+  return (
+    <div data-id="MitmConsentCard" className={`mitm-card${granted ? " mitm-card--on" : ""}`}>
+      <div className="mitm-card__head">
+        <span className="mitm-card__dot" data-state={granted ? "on" : partial ? "warn" : "off"} />
+        <span className="mitm-card__title" data-id="MitmConsentCard-title">
+          {busy ? t("stateProcessingTitle", "处理中…")
+            : granted ? t("stateGrantedTitle", "已启用")
+            : `${t("cardTitle", "HTTPS 流量本地审计")}${partial ? " — " + t("retry", "重试") : ""}`}
+        </span>
+      </div>
+      <p className="mitm-card__desc" data-id="MitmConsentCard-desc">
+        {granted ? t("grantedDesc", "HTTPS 审计已开启;可随时撤销并卸载证书。") : t("body", "启用后,本机到 AI 厂商(Claude / OpenAI / DeepSeek / Gemini)的 HTTPS 将被本地审计解密,数据留本地,可随时关闭。")}
+        {!granted && <>
+          <br /><span className="mitm-card__note">{t("adminNote", "需写入系统根证书信任库,需要管理员授权。")}</span>
+          <br /><span className="mitm-card__sub">{t("scopeNote", "仅解密上述 AI 厂商域名,其余一切流量不被解密、不被读取。")}</span>
+        </>}
+      </p>
+      {error && <div className="mitm-card__error" data-id="MitmConsentCard-error">{t("errorTitle", "操作失败")}: {error}</div>}
+      <div className="mitm-card__actions">
+        {granted ? (
+          <button data-id="MitmConsentCard-revoke" className="mitm-card__btn mitm-card__btn--ghost"
+            disabled={!!busy} onClick={() => { if (window.confirm(t("revokeConfirm", "撤销后将卸载证书、停止解密,并清除同意标记。确定?"))) disable(); }}>
+            {busy === "disable" ? t("processingRevoke", "正在卸载证书…") : t("revoke", "撤销")}
+          </button>
+        ) : (
+          <button data-id="MitmConsentCard-enable" className="mitm-card__btn"
+            disabled={!!busy} onClick={enable}>
+            {busy === "enable" ? t("processingEnable", "正在安装证书…") : partial ? t("retry", "重试") : t("enable", "同意并启用")}
+          </button>
+        )}
+      </div>
+    </div>
+  );
+}
+
 function DockerSetup({ onReady }) {
   const [status, setStatus] = useState(null);  // {platform, installed, imagePresent, running}
   const [phases, setPhases] = useState({});    // key -> { status, message, progress }
@@ -543,6 +739,7 @@ function LocalTeamCard({ team, onOpen, onRename, onRefresh }) {
   const running = team.status === "running";
   const [busy, setBusy] = useState("");   // "" | start | restart | update | stop
   const [opMsg, setOpMsg] = useState("");
+  const [opProg, setOpProg] = useState(null); // live {message, progress?, status} during 更新
   const [menuOpen, setMenuOpen] = useState(false);
   const [latest, setLatest] = useState(null); // newest cicy-code on the registry
   const [checking, setChecking] = useState(false);
@@ -610,7 +807,15 @@ function LocalTeamCard({ team, onOpen, onRename, onRefresh }) {
   const runOp = async (kind, fn, doneText) => {
     setMenuOpen(false);
     if (busy) return;
-    setBusy(kind); setOpMsg("");
+    setBusy(kind); setOpMsg(""); setOpProg(null);
+    // 更新 streams real phase/percent events from the main process — surface
+    // them live on the card so the user SEES the download/swap happening.
+    let unsub = null;
+    if (kind === "update" && window.cicy?.sidecar?.onOpProgress) {
+      unsub = window.cicy.sidecar.onOpProgress((ev) => {
+        if (ev?.op === "update") setOpProg(ev);
+      });
+    }
     try {
       const r = await fn();
       setOpMsg(r?.ok
@@ -619,8 +824,10 @@ function LocalTeamCard({ team, onOpen, onRename, onRefresh }) {
     } catch (err) {
       setOpMsg(tr("sidecar.failed", "操作失败") + `: ${err?.message || err}`);
     } finally {
-      setBusy("");
+      try { unsub && unsub(); } catch {}
+      setBusy(""); setOpProg(null);
       onRefresh?.(); // re-probe so the status dot/chip catches up
+      setTimeout(() => setOpMsg(""), 5000); // result line is transient
     }
   };
   const BUSY_LABEL = { start: "启动中…", restart: "重启中…", update: "更新中…", stop: "停止中…" };
@@ -771,6 +978,22 @@ function LocalTeamCard({ team, onOpen, onRename, onRefresh }) {
             <span className="bcard__ver" data-id="LocalTeamCard-version">v{team.version}</span>
           )}
         </div>
+        {busy && (
+          <div className="bcard__prog" data-id="LocalTeamCard-progress" data-status={opProg?.status || "running"}>
+            <span className="bcard__progmsg">
+              {opProg?.message || BUSY_LABEL[busy] || `${busy}…`}
+              {Number.isFinite(opProg?.progress) ? ` ${opProg.progress}%` : ""}
+            </span>
+            {Number.isFinite(opProg?.progress) && (
+              <span className="bcard__progbar"><span style={{ width: `${Math.min(100, opProg.progress)}%` }} /></span>
+            )}
+          </div>
+        )}
+        {!busy && opMsg && (
+          <div className="bcard__prog" data-id="LocalTeamCard-progress" data-status={/失败|error/i.test(opMsg) ? "error" : "done"}>
+            <span className="bcard__progmsg">{opMsg}</span>
+          </div>
+        )}
       </div>
       <button
         type="button"
@@ -779,8 +1002,8 @@ function LocalTeamCard({ team, onOpen, onRename, onRefresh }) {
         disabled={!!busy || !team.base_url}
         onClick={handleOpen}
       >
-        {busy === "start" ? <Spinner /> : <ArrowIcon />}
-        <span>{openLabel}</span>
+        {busy && busy !== "stop" ? <Spinner /> : <ArrowIcon />}
+        <span>{busy ? (BUSY_LABEL[busy] || openLabel) : openLabel}</span>
       </button>
     </div>
   );