cicy-desktop 2.1.77 → 2.1.78

package/src/backends/homepage-react/favicon.svg

@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 96" fill="none">
+  <defs>
+    <linearGradient id="cicyMark" x1="16" y1="12" x2="80" y2="84" gradientUnits="userSpaceOnUse">
+      <stop stop-color="#60A5FA"/>
+      <stop offset="0.55" stop-color="#2563EB"/>
+      <stop offset="1" stop-color="#1E3A8A"/>
+    </linearGradient>
+  </defs>
+  <path d="M48 11L39.5 33.3L16 29.5L31 48L16 66.5L39.5 62.7L48 85L56.5 62.7L80 66.5L65 48L80 29.5L56.5 33.3Z"
+        fill="url(#cicyMark)" stroke="url(#cicyMark)" stroke-width="8"
+        stroke-linejoin="round" stroke-linecap="round"/>
+</svg>

package/src/backends/homepage-react/index.html

@@ -3,9 +3,11 @@
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
+  <link rel="icon" type="image/png" sizes="256x256" href="./favicon-256.png" />
   <title>CiCy Desktop</title>
-  <script type="module" crossorigin src="./assets/index-DuWX0iug.js"></script>
-  <link rel="stylesheet" crossorigin href="./assets/index-CPH-S8uU.css">
+  <script type="module" crossorigin src="./assets/index-DLYMzgf5.js"></script>
+  <link rel="stylesheet" crossorigin href="./assets/index-DE9m6JTn.css">
 </head>
 <body>
   <div id="root"></div>

package/src/backends/local-teams.js

@@ -193,6 +193,10 @@ async function list({ refresh = false } = {}) {
       name: node.name || slug,
       base_url: baseUrl,
       api_token: node.api_token || "",
+      // Cloud-issued teamId (from name-sync register). The renderer maps it to
+      // the team's sk-cicy- gateway apiKey (via /api/teams) for the 账单 link —
+      // the local api_token is an MCP token the cloud can't bill on.
+      cloud_team_id: node.cloud_team_id || null,
       port,
       install_source: node.install_source || null,
       install_os: node.install_os || null,
@@ -392,6 +396,51 @@ function normaliseUrl(u) {
   } catch { return ""; }
 }
 
+// Sync THIS device's local team title to the cloud (desktop→cloud, one-way;
+// 主人 + w-10032 spec). Best-effort: a cloud failure NEVER blocks the local
+// create/rename. Persists the cloud-assigned teamId so later renames UPDATE the
+// same row (POST /api/team/register with teamId) instead of creating dupes.
+// Only local-origin teams sync — a custom remote team isn't "this device's
+// local team". No-op when logged out.
+async function syncNameToCloud(id) {
+  let cc;
+  try { cc = require("../cloud/cloud-client"); } catch { return; }
+  try {
+    if (!cc.loginToken || !cc.loginToken()) return; // not logged in
+    const node = readNodes()[id];
+    if (!node || !isLocalOrigin(node.base_url || "")) return;
+    const reg = await cc.registerTeam({ teamId: node.cloud_team_id || null, title: node.name || "" });
+    if (reg && reg.ok && reg.teamId && reg.teamId !== node.cloud_team_id) {
+      await writeNodes((nodes) => {
+        if (nodes[id]) nodes[id].cloud_team_id = reg.teamId;
+        return nodes;
+      });
+      log.info(`[local-teams] cloud name-sync ${id} → teamId=${reg.teamId}`);
+    } else if (reg && reg.ok) {
+      log.info(`[local-teams] cloud name-sync ${id} title updated (teamId=${node.cloud_team_id})`);
+    }
+  } catch (e) { log.warn(`[local-teams] cloud name-sync ${id} failed: ${e.message}`); }
+}
+
+// Sync EVERY existing local-origin team to cloud. Runs once at startup (after
+// login) so teams that were created BEFORE the cloud-client existed — or that
+// live on a freshly-deployed machine (e.g. a Windows box whose 本地团队 predates
+// this code) — register to cloud without needing a manual rename to trigger it.
+// create/rename still sync individually; this is the catch-up for the rest.
+// Best-effort, fully non-blocking, no-op when logged out.
+async function syncAllLocalTeams() {
+  try {
+    const cc = require("../cloud/cloud-client");
+    if (!cc.loginToken || !cc.loginToken()) return; // logged out → no-op
+    const nodes = readNodes();
+    const ids = Object.keys(nodes).filter((id) => isLocalOrigin(nodes[id]?.base_url || ""));
+    for (const id of ids) {
+      try { await syncNameToCloud(id); } catch {}
+    }
+    if (ids.length) log.info(`[local-teams] startup cloud-sync of ${ids.length} local team(s)`);
+  } catch (e) { log.warn(`[local-teams] startup cloud-sync failed: ${e.message}`); }
+}
+
 async function addTeam(spec) {
   if (!spec || typeof spec !== "object") return { ok: false, error: "spec required" };
   const baseUrlRaw = String(spec.base_url || "").trim();
@@ -474,6 +523,7 @@ async function addTeam(spec) {
   });
   log.info(`[local-teams] ${existingId ? "upsert" : "add"} ${id} → ${baseUrl} (source=${patch.install_source || "n/a"})`);
   const next = readNodes()[id] || {};
+  syncNameToCloud(id).catch(() => {}); // best-effort title sync (desktop→cloud)
   return { ok: true, id, upserted: !!existingId, team: { id, ...next, port } };
 }
 
@@ -527,6 +577,8 @@ async function updateTeam(id, patch) {
   });
   if (!existed) return { ok: false, error: "team not found" };
   log.info(`[local-teams] update ${id} → ${Object.keys(filtered).join(",")}`);
+  // Rename → push the new title to the cloud (best-effort, one-way).
+  if (filtered.name !== undefined) syncNameToCloud(id).catch(() => {});
   const next = readNodes()[id] || {};
   let port = null;
   try { port = parseInt(new URL(next.base_url || "").port, 10) || null; } catch {}
@@ -795,4 +847,4 @@ async function upgradeTeam(id) {
   return result;
 }
 
-module.exports = { list, openTeam, reloadTeam, closeLocalWindows, addTeam, removeTeam, updateTeam, upgradeTeam };
+module.exports = { list, openTeam, reloadTeam, closeLocalWindows, addTeam, removeTeam, updateTeam, upgradeTeam, syncAllLocalTeams };

package/src/backends/login-success.html

@@ -0,0 +1,96 @@
+<!doctype html>
+<html lang="zh-CN">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>登录成功 · CiCy</title>
+<style>
+  :root{
+    --bg-0:#0a0a0f; --bg-1:#13131b; --line:#23232e;
+    --txt:#e8e8f0; --dim:#9a9ab0;
+    --violet:#7c5cff; --cyan:#22d3ee;
+    --grad:linear-gradient(120deg,#7c5cff,#22d3ee);
+  }
+  *{box-sizing:border-box}
+  html,body{height:100%}
+  body{
+    margin:0; background:var(--bg-0); color:var(--txt);
+    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Microsoft YaHei",sans-serif;
+    display:grid; place-items:center; overflow:hidden; position:relative;
+  }
+  /* ambient glow */
+  body::before,body::after{
+    content:""; position:absolute; border-radius:50%; filter:blur(90px); opacity:.5; pointer-events:none;
+  }
+  body::before{width:480px;height:480px;background:radial-gradient(circle,#7c5cff55,transparent 70%);top:-140px;left:-120px}
+  body::after{width:520px;height:520px;background:radial-gradient(circle,#22d3ee44,transparent 70%);bottom:-180px;right:-140px}
+
+  .card{
+    position:relative; z-index:1; width:min(92vw,440px);
+    background:rgba(19,19,27,.7); backdrop-filter:blur(12px);
+    border:1px solid var(--line); border-radius:22px;
+    padding:46px 38px 34px; text-align:center;
+    box-shadow:0 24px 80px -24px #000;
+  }
+  .brand{display:flex;align-items:center;justify-content:center;gap:9px;margin-bottom:30px}
+  .brand-mark{width:30px;height:30px;border-radius:9px;background:var(--grad);display:grid;place-items:center;box-shadow:0 6px 20px -4px #7c5cff88}
+  .brand-name{font-weight:700;font-size:17px;letter-spacing:.3px}
+
+  .check{
+    width:84px;height:84px;margin:0 auto 22px;border-radius:50%;
+    display:grid;place-items:center;
+    background:radial-gradient(circle at 50% 38%, #7c5cff33, transparent 70%);
+    position:relative;
+  }
+  .check svg{width:84px;height:84px;display:block}
+  .check .ring{stroke:url(#g);stroke-width:3;fill:none;stroke-linecap:round;
+    stroke-dasharray:251;stroke-dashoffset:251;animation:draw .7s ease forwards}
+  .check .tick{stroke:#fff;stroke-width:4.5;fill:none;stroke-linecap:round;stroke-linejoin:round;
+    stroke-dasharray:48;stroke-dashoffset:48;animation:draw .45s .55s ease forwards}
+  @keyframes draw{to{stroke-dashoffset:0}}
+  @keyframes pop{0%{transform:scale(.7);opacity:0}60%{transform:scale(1.05)}100%{transform:scale(1);opacity:1}}
+  .check{animation:pop .5s ease both}
+
+  h1{font-size:23px;margin:0 0 10px;font-weight:700}
+  .grad-txt{background:var(--grad);-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent}
+  p.sub{color:var(--dim);font-size:14.5px;line-height:1.7;margin:0 0 26px}
+  p.sub b{color:var(--txt);font-weight:600}
+
+  .hint{
+    display:inline-flex;align-items:center;gap:7px;
+    font-size:12.5px;color:var(--dim);
+    border:1px solid var(--line);border-radius:999px;padding:7px 14px;
+  }
+  .dot{width:7px;height:7px;border-radius:50%;background:var(--grad);box-shadow:0 0 10px #22d3ee}
+
+  .foot{margin-top:26px;font-size:12px;color:#5b5b6e}
+  .foot a{color:#8a8aa0;text-decoration:none}
+  .foot a:hover{color:var(--txt)}
+</style>
+</head>
+<body>
+  <div class="card">
+    <div class="brand">
+      <div class="brand-mark">
+        <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="#0a0a0f" stroke-width="2.6" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12a9 9 0 1 1-3.5-7.1"/><path d="M21 3v6h-6"/></svg>
+      </div>
+      <div class="brand-name">CiCy</div>
+    </div>
+
+    <div class="check">
+      <svg viewBox="0 0 90 90">
+        <defs><linearGradient id="g" x1="0" y1="0" x2="1" y2="1"><stop offset="0" stop-color="#7c5cff"/><stop offset="1" stop-color="#22d3ee"/></linearGradient></defs>
+        <circle class="ring" cx="45" cy="45" r="40"/>
+        <path class="tick" d="M28 46 L40 58 L62 33"/>
+      </svg>
+    </div>
+
+    <h1>登录<span class="grad-txt">成功</span></h1>
+    <p class="sub">请回到 <b>CiCy Desktop</b> 继续使用。<br>此页面可以安全关闭。</p>
+
+    <span class="hint"><span class="dot"></span> 已安全连接到你的 CiCy 账户</span>
+
+    <div class="foot">仍停留在此页?可手动切回 CiCy Desktop · <a href="/dash">打开网页版团队台</a></div>
+  </div>
+</body>
+</html>

package/src/cloud/cloud-client.js

@@ -0,0 +1,239 @@
+// Cloud ⇄ cicy-desktop client (device / team / teams).
+//
+// Implements the contract agreed with the cloud side (w-10032), documented at
+// cicy-ai/cloud-device-team-api.md:
+//   ① POST /api/device/register  — on app launch, report this machine
+//   ② POST /api/team/register     — before a local team starts, get its gateway key
+//   ③ GET  /api/teams             — list the user's cloud + local teams
+//
+// Data model (主人定): user → many devices (win/mac distinguished by a stable
+// per-machine deviceId) → many local teams per device → one gateway key per team.
+//
+// Auth: every call carries `Authorization: Bearer <desktop login token>` — the
+// magic-link token persisted in global.json's `desktopAuth.token`. The cloud
+// resolves owner (= login email) from it. When the user is NOT logged in, every
+// entry point here is a no-op that returns { ok:false, reason:"not_logged_in" }
+// so callers can stay oblivious.
+//
+// All HTTP runs in the Electron MAIN process where global `fetch` has
+// unrestricted network access (no CORS, unlike the file:// renderer).
+
+const os = require("os");
+const path = require("path");
+const crypto = require("crypto");
+const log = require("electron-log");
+const { readGlobalConfig, updateGlobalConfig } = require("../utils/global-json");
+
+const CLOUD_BASE = process.env.CICY_CLOUD_BASE || "https://cicy-ai.com";
+const GATEWAY_URL = process.env.CICY_GATEWAY_URL || "https://gateway.cicy-ai.com";
+const GLOBAL_JSON = path.join(os.homedir(), "cicy-ai", "global.json");
+
+// The two provider slots the gateway key must land in, per the contract.
+const GATEWAY_PROVIDER_KEYS = {
+  defaultAnthropic: "anthropic",
+  defaultOpenAi: "openai",
+};
+
+// ── token / identity ────────────────────────────────────────────────────────
+
+// The desktop login (magic-link) bearer token, or "" when not logged in.
+function loginToken() {
+  try {
+    const c = readGlobalConfig(GLOBAL_JSON);
+    return (c && c.desktopAuth && c.desktopAuth.token) || "";
+  } catch (e) {
+    log.warn(`[cloud] read login token failed: ${e.message}`);
+    return "";
+  }
+}
+
+// Stable per-machine UUID. Generated once and persisted in global.json so the
+// SAME machine keeps one identity across restarts; a win box and a mac box each
+// get their own (the `platform` field reported alongside makes that explicit).
+function getDeviceId() {
+  const c = readGlobalConfig(GLOBAL_JSON);
+  if (c && typeof c.deviceId === "string" && c.deviceId) return c.deviceId;
+  const id = crypto.randomUUID();
+  updateGlobalConfig(GLOBAL_JSON, (cfg) => {
+    if (!cfg.deviceId) cfg.deviceId = id;
+    return cfg;
+  });
+  // Re-read in case a concurrent writer won the lock with a different id.
+  return readGlobalConfig(GLOBAL_JSON).deviceId || id;
+}
+
+// Best-effort public IP. Optional in the contract (cloud falls back to the peer
+// IP), so a failure here is non-fatal — we just send no publicIp.
+async function getPublicIp({ timeoutMs = 4000 } = {}) {
+  const services = [
+    "https://api.ipify.org?format=json", // { ip }
+    "https://ipinfo.io/json", // { ip, ... }
+  ];
+  for (const url of services) {
+    try {
+      const ctrl = new AbortController();
+      const t = setTimeout(() => ctrl.abort(), timeoutMs);
+      const r = await fetch(url, { signal: ctrl.signal, cache: "no-store" });
+      clearTimeout(t);
+      if (!r.ok) continue;
+      const j = await r.json();
+      if (j && typeof j.ip === "string" && j.ip) return j.ip;
+    } catch (_) {
+      /* try next */
+    }
+  }
+  return "";
+}
+
+// ── HTTP helper ─────────────────────────────────────────────────────────────
+
+async function cloudFetch(endpoint, { method = "GET", body = null } = {}) {
+  const token = loginToken();
+  if (!token) return { ok: false, status: 0, reason: "not_logged_in" };
+  const url = `${CLOUD_BASE}${endpoint}`;
+  const headers = { Authorization: `Bearer ${token}` };
+  if (body != null) headers["Content-Type"] = "application/json";
+  try {
+    const r = await fetch(url, {
+      method,
+      headers,
+      body: body != null ? JSON.stringify(body) : null,
+      cache: "no-store",
+    });
+    const text = await r.text();
+    let json = null;
+    try {
+      json = text ? JSON.parse(text) : null;
+    } catch (_) {
+      /* non-JSON body */
+    }
+    return { ok: r.ok, status: r.status, json, text };
+  } catch (e) {
+    log.warn(`[cloud] ${method} ${endpoint} failed: ${e.message}`);
+    return { ok: false, status: 0, reason: "network_error", error: e.message };
+  }
+}
+
+// ── ① device/register ───────────────────────────────────────────────────────
+
+async function registerDevice() {
+  const token = loginToken();
+  if (!token) return { ok: false, reason: "not_logged_in" };
+  const deviceId = getDeviceId();
+  const publicIp = await getPublicIp();
+  const body = {
+    deviceId,
+    platform: process.platform, // "win32" | "darwin" | "linux"
+    arch: process.arch, // "x64" | "arm64"
+  };
+  if (publicIp) body.publicIp = publicIp;
+  const res = await cloudFetch("/api/device/register", { method: "POST", body });
+  if (res.ok) {
+    log.info(`[cloud] device registered deviceId=${deviceId} platform=${body.platform}/${body.arch}`);
+  } else {
+    log.warn(`[cloud] device register failed status=${res.status} reason=${res.reason || ""}`);
+  }
+  return { ...res, deviceId };
+}
+
+// ── ② team/register ─────────────────────────────────────────────────────────
+
+// Register (or idempotently re-fetch) a local team's gateway key.
+//   teamId omitted → cloud creates a new team + key.
+//   teamId given   → cloud returns that team's existing key (no rotation).
+// Returns { ok, teamId, apiKey, gatewayUrl } on success.
+async function registerTeam({ teamId = null, title = "" } = {}) {
+  const token = loginToken();
+  if (!token) return { ok: false, reason: "not_logged_in" };
+  const deviceId = getDeviceId();
+  const body = { deviceId };
+  if (teamId != null) body.teamId = teamId;
+  if (title) body.title = title;
+  const res = await cloudFetch("/api/team/register", { method: "POST", body });
+  if (res.ok && res.json) {
+    return {
+      ok: true,
+      teamId: res.json.teamId,
+      apiKey: res.json.apiKey,
+      gatewayUrl: res.json.gatewayUrl || GATEWAY_URL,
+      protocols: res.json.protocols || ["anthropic", "openai"],
+    };
+  }
+  log.warn(`[cloud] team register failed status=${res.status} reason=${res.reason || ""}`);
+  return { ok: false, status: res.status, reason: res.reason, json: res.json };
+}
+
+// ── ③ teams ─────────────────────────────────────────────────────────────────
+
+async function listTeams({ deviceId = null, kind = null } = {}) {
+  const token = loginToken();
+  if (!token) return { ok: false, reason: "not_logged_in", teams: [] };
+  const qs = [];
+  if (deviceId) qs.push(`deviceId=${encodeURIComponent(deviceId)}`);
+  if (kind) qs.push(`kind=${encodeURIComponent(kind)}`);
+  const ep = `/api/teams${qs.length ? `?${qs.join("&")}` : ""}`;
+  const res = await cloudFetch(ep, { method: "GET" });
+  if (res.ok && res.json && Array.isArray(res.json.teams)) {
+    return { ok: true, teams: res.json.teams };
+  }
+  log.warn(`[cloud] teams list failed status=${res.status} reason=${res.reason || ""}`);
+  return { ok: false, status: res.status, reason: res.reason, teams: [] };
+}
+
+// ── gateway-key injection ─────────────────────────────────────────────────────
+
+// Write the per-team gateway apiKey + url into the team's global.json
+// providers.items entries keyed defaultAnthropic / defaultOpenAi. Existing
+// entries are updated in place (preserving model lists etc.); missing ones are
+// created minimally. `globalJsonPath` defaults to the user-global config, which
+// is also the local team's config home on this machine.
+function injectGatewayKey(apiKey, gatewayUrl = GATEWAY_URL, globalJsonPath = GLOBAL_JSON) {
+  if (!apiKey) throw new Error("injectGatewayKey: apiKey required");
+  return updateGlobalConfig(globalJsonPath, (cfg) => {
+    if (!cfg.providers || typeof cfg.providers !== "object") cfg.providers = {};
+    if (!Array.isArray(cfg.providers.items)) cfg.providers.items = [];
+    const items = cfg.providers.items;
+    for (const [key, protocol] of Object.entries(GATEWAY_PROVIDER_KEYS)) {
+      let item = items.find((it) => it && it.key === key);
+      if (!item) {
+        item = { key, protocol, name: "CiCyAi", url: gatewayUrl, apiKey };
+        items.push(item);
+      } else {
+        item.apiKey = apiKey;
+        item.url = gatewayUrl;
+        if (!item.protocol) item.protocol = protocol;
+      }
+    }
+    return cfg;
+  });
+}
+
+// Convenience: register a team and immediately wire its key into the local
+// team's global.json. `teamId` persists across calls so re-runs are idempotent
+// (no key rotation). Caller supplies a getter/setter for where teamId lives.
+async function registerTeamAndInjectKey({ teamId = null, title = "", globalJsonPath = GLOBAL_JSON } = {}) {
+  const reg = await registerTeam({ teamId, title });
+  if (!reg.ok) return reg;
+  try {
+    injectGatewayKey(reg.apiKey, reg.gatewayUrl, globalJsonPath);
+    log.info(`[cloud] gateway key injected into ${globalJsonPath} (teamId=${reg.teamId})`);
+  } catch (e) {
+    log.warn(`[cloud] key injection failed: ${e.message}`);
+    return { ...reg, injected: false, injectError: e.message };
+  }
+  return { ...reg, injected: true };
+}
+
+module.exports = {
+  CLOUD_BASE,
+  GATEWAY_URL,
+  GLOBAL_JSON,
+  loginToken,
+  getDeviceId,
+  getPublicIp,
+  registerDevice,
+  registerTeam,
+  listTeams,
+  injectGatewayKey,
+  registerTeamAndInjectKey,
+};

package/src/main.js

@@ -11,6 +11,7 @@ const { openWindowForBackend } = require("./backends/window-manager");
 const { Menu } = require("electron");
 const { dialog } = require("electron");
 const { setupAppIcons } = require("./tray");
+const { brandHostElectron } = require("./utils/brand-host-electron");
 const appUpdater = require("./app-updater");
 
 // 🎯 添加右键上下文菜单
@@ -604,6 +605,19 @@ function ensureAutoLaunch() {
 function ensureMacLoginItem(want) {
   const name = "CiCy Desktop";
   const appletPath = path.join(os.homedir(), "Desktop", "CiCy Desktop.app");
+  // Run the osascript ONLY when the desired state differs from what we last
+  // applied. Each `tell application "System Events"` triggers macOS's
+  // Automation-consent dialog, and because cicy-desktop is unpackaged/unsigned
+  // it has no stable TCC identity — so the grant can't be remembered and the
+  // dialog re-pops on EVERY launch. Persisting our own flag means we only touch
+  // System Events on first configuration (or an actual on↔off change), so the
+  // prompt appears at most once instead of every startup.
+  const prefs = readPrefs();
+  const state = want ? "on" : "off";
+  if (prefs.macLoginItem === state) {
+    log.info(`[autostart] mac login item already ${state} — skip (no re-prompt)`);
+    return;
+  }
   try {
     const { execFileSync } = require("child_process");
     const osa = (script) => execFileSync("osascript", ["-e", script], { stdio: "ignore" });
@@ -614,6 +628,10 @@ function ensureMacLoginItem(want) {
     } else {
       log.info(`[autostart] mac login item ${want ? "skipped (applet missing)" : "removed"}`);
     }
+    // Only persist the flag once the applet actually exists (so a first launch
+    // that races applet creation re-tries next time instead of latching "on"
+    // without ever registering).
+    if (!want || fs.existsSync(appletPath)) writePrefs({ ...prefs, macLoginItem: state });
   } catch (e) {
     log.warn(`[autostart] mac login item failed: ${e.message}`);
   }
@@ -627,6 +645,15 @@ function readPrefs() {
   return {};
 }
 
+function writePrefs(prefs) {
+  try {
+    const p = path.join(electronApp.getPath("userData"), "prefs.json");
+    fs.writeFileSync(p, JSON.stringify(prefs, null, 2), "utf8");
+  } catch (e) {
+    log.warn(`[prefs] write failed: ${e.message}`);
+  }
+}
+
 function ensureLinuxAutostart(want) {
   const dir = path.join(os.homedir(), ".config", "autostart");
   const file = path.join(dir, "cicy-desktop.desktop");
@@ -704,6 +731,10 @@ electronApp.whenReady().then(async () => {
     log.info(`[i18n] locale = ${i18n.i18next.language} (raw: ${realLocale})`);
   } catch (e) { log.warn(`[i18n] ready-time relocale failed: ${e.message}`); }
 
+  // Rebrand the host (unpackaged) Electron bundle → "CiCy Desktop" name + icon.
+  // May relaunch once on first run to apply the menu-bar name; everything after
+  // here is skipped on that one relaunch path, so keep it first.
+  brandHostElectron();
   setupAppIcons();
   ensureDesktopLauncher();
   ensureAutoLaunch();
@@ -762,7 +793,21 @@ electronApp.whenReady().then(async () => {
       try {
         await auth.startLogin({
           onResult: (payload) => {
-            if (payload && payload.token) saveDesktopAuth(payload);
+            if (payload && payload.token) {
+              saveDesktopAuth(payload);
+              // Now that we have a real owner-bound login token, report this
+              // machine to the cloud (best-effort; safe to call repeatedly —
+              // cloud upserts by (owner, deviceId)).
+              try {
+                require("./cloud/cloud-client")
+                  .registerDevice()
+                  .catch((e) => log.warn(`[cloud] device register (on login) failed: ${e.message}`));
+                // Fresh login → also register this device's local team(s).
+                require("./backends/local-teams")
+                  .syncAllLocalTeams()
+                  .catch((e) => log.warn(`[cloud] local-team sync (on login) failed: ${e.message}`));
+              } catch (e) { log.warn(`[cloud] device register hook failed: ${e.message}`); }
+            }
             const hw = require("./backends/homepage-window");
             const w = hw.getHomepageWindow && hw.getHomepageWindow();
             if (w && !w.isDestroyed()) {
@@ -829,6 +874,22 @@ electronApp.whenReady().then(async () => {
     });
   }
 
+  // Cloud device registration — if the user is already logged in, report this
+  // machine (stable deviceId + platform/arch/publicIp) to the cloud on launch.
+  // Best-effort and fully non-blocking; a no-op when not logged in (the login
+  // onResult hook above covers the log-in-later case).
+  try {
+    require("./cloud/cloud-client")
+      .registerDevice()
+      .catch((e) => log.warn(`[cloud] device register (on launch) failed: ${e.message}`));
+    // Catch-up sync of this device's local team(s) → cloud, so a box whose 本地
+    // team predates the cloud-client (e.g. a freshly-deployed Windows install)
+    // still shows up under 本地 without needing a rename. Non-blocking.
+    require("./backends/local-teams")
+      .syncAllLocalTeams()
+      .catch((e) => log.warn(`[cloud] startup local-team sync failed: ${e.message}`));
+  } catch (e) { log.warn(`[cloud] device register launch hook failed: ${e.message}`); }
+
   // Local-team discovery — reads ~/cicy-ai/global.json's cicyDesktopNodes
   // and probes each via /api/health. Pure local, never talks to the cloud
   // and never runs docker shells.