cicy-desktop 2.1.78 → 2.1.79

package/src/utils/cookie-logins.js

@@ -0,0 +1,58 @@
+// Shared "which sites is this session logged into?" summarizer for BOTH backends.
+//
+// Input: an array of cookies, each with at least { name, domain }. Both
+// CDP Storage.getCookies (Chrome) and Electron session.cookies.get() return
+// that shape, so the same rollup serves chrome + electron tools identically.
+//
+// Output: per-registrable-domain counts, flagging domains that carry an
+// auth/session-looking cookie. That flag is a STRONG SIGNAL, not proof — a
+// session cookie can be present while the account is signed out / expired
+// (e.g. github keeping `logged_out` cookies). Confirm by loading the site.
+
+// Cookie names that typically indicate an authenticated/session state.
+const AUTH_RE = /sid|session|auth|token|login|sapisid|__secure|remember|passport|csrf/i;
+
+// Cheap registrable-domain: last two labels. Good enough for grouping/display;
+// not a full Public Suffix List (e.g. foo.co.uk collapses to co.uk).
+function registrableDomain(host) {
+  const h = String(host || "").replace(/^\./, "").toLowerCase();
+  if (!h) return "";
+  const parts = h.split(".");
+  return parts.length <= 2 ? h : parts.slice(-2).join(".");
+}
+
+function summarizeCookieLogins(cookies) {
+  const list = Array.isArray(cookies) ? cookies : [];
+  const byDomain = new Map();
+  for (const c of list) {
+    const d = registrableDomain(c && c.domain);
+    if (!d) continue;
+    let e = byDomain.get(d);
+    if (!e) {
+      e = { domain: d, cookies: 0, authCookies: [] };
+      byDomain.set(d, e);
+    }
+    e.cookies += 1;
+    if (c && c.name && AUTH_RE.test(c.name) && !e.authCookies.includes(c.name)) {
+      e.authCookies.push(c.name);
+    }
+  }
+  const sites = [...byDomain.values()]
+    .map((e) => ({
+      domain: e.domain,
+      cookies: e.cookies,
+      loggedIn: e.authCookies.length > 0,
+      authCookies: e.authCookies,
+    }))
+    .sort((a, b) => b.cookies - a.cookies);
+
+  return {
+    totalCookies: list.length,
+    domains: sites.length,
+    loggedIn: sites.filter((s) => s.loggedIn).map((s) => s.domain),
+    sites,
+    note: "loggedIn = 该域名带会话 cookie，强信号但非确证（cookie 在≠一定登录），可打开站点确认",
+  };
+}
+
+module.exports = { summarizeCookieLogins, AUTH_RE, registrableDomain };

package/src/utils/ip-probe.js

@@ -0,0 +1,50 @@
+// Per-profile egress IP + geo probe. Fetches an IP-info API THROUGH a given
+// Electron session (so the result reflects that profile's proxy egress), in the
+// main process via net.request (no browser launch needed). Returns
+// { ip, area } — area is "country · region · city" (blank parts dropped).
+//
+// NOTE: the opposite of cloud-client's detectIpGeo (which deliberately goes
+// DIRECT for the *machine's* egress). Here we WANT the proxy path, per profile.
+const { net } = require("electron");
+
+function fetchJsonViaSession(url, ses, timeoutMs = 7000) {
+  return new Promise((resolve) => {
+    let done = false;
+    const finish = (v) => { if (!done) { done = true; resolve(v); } };
+    try {
+      const req = net.request({ url, session: ses, useSessionCookies: false });
+      const to = setTimeout(() => { try { req.abort(); } catch (_) {} finish(null); }, timeoutMs);
+      let body = "";
+      req.on("response", (res) => {
+        res.on("data", (d) => { body += d; });
+        res.on("end", () => { clearTimeout(to); try { finish(JSON.parse(body)); } catch (_) { finish(null); } });
+        res.on("error", () => { clearTimeout(to); finish(null); });
+      });
+      req.on("error", () => { clearTimeout(to); finish(null); });
+      req.end();
+    } catch (_) { finish(null); }
+  });
+}
+
+const joinArea = (...parts) => parts.filter((p) => typeof p === "string" && p.trim()).join(" · ");
+
+// Probe egress IP + geo via the given session. Primary: api.myip.com
+// ({ ip, country, cc }) — same endpoint as `agent-chrome ip`. Falls back to
+// ip-api.com (adds region/city) then ipify (ip only). Never throws.
+async function probeIpViaSession(ses) {
+  let j = await fetchJsonViaSession("https://api.myip.com", ses);
+  if (j && typeof j.ip === "string" && j.ip) {
+    return { ip: j.ip, area: joinArea(j.cc, j.country) };
+  }
+  j = await fetchJsonViaSession("http://ip-api.com/json", ses);
+  if (j && typeof j.query === "string" && j.query) {
+    return { ip: j.query, area: joinArea(j.country, j.regionName, j.city) };
+  }
+  j = await fetchJsonViaSession("https://api.ipify.org?format=json", ses);
+  if (j && typeof j.ip === "string" && j.ip) {
+    return { ip: j.ip, area: "" };
+  }
+  return { ip: "", area: "" };
+}
+
+module.exports = { probeIpViaSession, fetchJsonViaSession };

package/src/utils/rpc-audit.js

@@ -0,0 +1,53 @@
+// RPC audit log — an append-only record of (a) every electronRPC tool call and
+// (b) every authorization decision (including the TEMPORARY ones — "本次允许" /
+// "允许一次" / "本页面内允许" — which otherwise live only in memory and leave no
+// trace), plus trusted-origin allowlist add/remove. Written as JSONL to
+// ~/cicy-ai/db/rpc-audit.log (mode 0600), rotated at 5 MB.
+//
+// Security intent: the RPC bridge can run host code / read-write files, so who
+// authorized what, when, and which calls actually ran must be reviewable after
+// the fact — not just gated by an in-the-moment modal.
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+
+const LOG = path.join(os.homedir(), "cicy-ai", "db", "rpc-audit.log");
+const MAX_BYTES = 5 * 1024 * 1024; // rotate to .1 past this
+
+function rotateIfNeeded() {
+  try {
+    const st = fs.statSync(LOG);
+    if (st.size > MAX_BYTES) {
+      try { fs.renameSync(LOG, LOG + ".1"); } catch {}
+    }
+  } catch {} // missing file → nothing to rotate
+}
+
+// Append one record as a JSON line. NEVER throws — auditing must not break RPC.
+function audit(entry) {
+  try {
+    fs.mkdirSync(path.dirname(LOG), { recursive: true });
+    rotateIfNeeded();
+    const rec = { ts: new Date().toISOString(), ...entry };
+    fs.appendFileSync(LOG, JSON.stringify(rec) + "\n", { mode: 0o600 });
+    try { fs.chmodSync(LOG, 0o600); } catch {}
+  } catch {}
+}
+
+// Short, secret-light preview of args for exec_*/file_* (same fields the consent
+// dialog surfaces). Other tools log no args.
+function argsPreview(tool, args) {
+  try {
+    if (/^exec_/.test(tool)) {
+      const c = args && (args.command || args.code || args.script || args.cmd);
+      if (c) return String(c).slice(0, 240);
+    }
+    if (/^file_/.test(tool)) {
+      const p = args && (args.path || args.filename || args.file);
+      if (p) return String(p).slice(0, 240);
+    }
+  } catch {}
+  return "";
+}
+
+module.exports = { LOG, audit, argsPreview };

package/src/utils/rpc-guard.js

@@ -0,0 +1,189 @@
+// RPC capability gate (security hole #3 — "trusted source XSS ≠ RCE").
+//
+// The renderer electronRPC bridge can invoke ANY registered tool, including host
+// code/file execution (exec_*, file_*). The homepage is first-party system UI and
+// keeps the unguarded "rpc" channel. EVERY OTHER renderer surface (team-helper
+// <webview>, trusted remote pages, dom-ready injected scripts) is wired to the
+// "rpc:guarded" channel: a *dangerous* tool there requires an explicit, page-
+// scoped user grant. So a trusted origin that gets XSS'd cannot silently run a
+// command — the user sees a consent dialog naming the origin + operation. Normal
+// (non-dangerous) tools pass straight through.
+//
+// NOTE: this gate is only *enforceable* for renderers that have NO direct Node
+// access (contextIsolation:true, no nodeIntegration) — e.g. the team-helper
+// webview and the sandboxed tab-browser trusted tabs. A renderer created with
+// nodeIntegration:true (the legacy createWindow trusted path) can `require()`
+// child_process directly and bypass any IPC gate; closing that requires dropping
+// its nodeIntegration, tracked separately.
+const { dialog, BrowserWindow } = require("electron");
+const { audit } = require("./rpc-audit");
+
+// Host code-exec + host filesystem tools = the RCE surface.
+const DANGEROUS_TOOLS = new Set([
+  "exec_shell", "exec_python", "exec_node",
+  "exec_shell_file", "exec_python_file", "exec_node_file",
+  "file_read", "file_write", "file_upload", "file_download",
+]);
+function isDangerousTool(t) { return DANGEROUS_TOOLS.has(t); }
+
+// webContents.id -> granted origin (page-scoped; cleared on cross-doc nav / destroy).
+const _grants = new Map();
+
+function originOf(wc) {
+  try { return new URL(wc.getURL()).origin; } catch { return wc.getURL() || "(unknown)"; }
+}
+
+function previewArgs(tool, args) {
+  try {
+    if (/^exec_/.test(tool)) {
+      const c = args && (args.command || args.code || args.script || args.cmd);
+      if (c) return `命令: ${String(c).slice(0, 240)}`;
+    }
+    if (/^file_/.test(tool)) {
+      const p = args && (args.path || args.filename || args.file);
+      if (p) return `路径: ${String(p).slice(0, 240)}`;
+    }
+  } catch {}
+  return "";
+}
+
+// Returns true if the dangerous call is allowed (granted now or earlier for this
+// page), false if the user denied it.
+async function ensureRpcGrant(event, toolName, args) {
+  const wc = event && event.sender;
+  if (!wc || wc.isDestroyed()) return false;
+  const origin = originOf(wc);
+  if (_grants.get(wc.id) === origin) return true; // already allowed for this page
+
+  const win = BrowserWindow.fromWebContents(wc) || BrowserWindow.getFocusedWindow() || null;
+  const detail = [`来源: ${origin}`, `操作: ${toolName}`];
+  const pv = previewArgs(toolName, args);
+  if (pv) detail.push(pv);
+  detail.push("", "该站点请求在你的电脑上执行命令 / 读写文件。只有你完全信任它时才允许。");
+
+  let choice;
+  try {
+    choice = await dialog.showMessageBox(win, {
+      type: "warning",
+      noLink: true,
+      buttons: ["拒绝", "允许一次", "本页面内允许"],
+      defaultId: 0,
+      cancelId: 0,
+      title: "敏感操作请求",
+      message: "站点要在本机执行敏感操作",
+      detail: detail.join("\n"),
+    });
+  } catch { return false; }
+
+  const response = choice && choice.response;
+  if (response === 2) { // remember for this page
+    _grants.set(wc.id, origin);
+    if (!wc.__rpcGuardWired) {
+      wc.__rpcGuardWired = true;
+      const clear = () => _grants.delete(wc.id);
+      wc.on("did-start-navigation", (_e, _url, isInPlace, isMainFrame) => { if (isMainFrame && !isInPlace) clear(); });
+      wc.once("destroyed", clear);
+    }
+    audit({ kind: "auth", gate: "dangerous-tool", origin, tool: toolName, decision: "page-allow", temporary: true, args: pv });
+    return true;
+  }
+  audit({ kind: "auth", gate: "dangerous-tool", origin, tool: toolName, decision: response === 1 ? "allow-once" : "deny", temporary: true, args: pv });
+  return response === 1; // allow once
+}
+
+// ── Origin allowlist gate (domain-level trust-on-demand) ──────────────────────
+// Distinct from the per-tool DANGEROUS gate above: this decides whether a page's
+// ORIGIN may use the electronRPC bridge AT ALL. The bridge is now injected into
+// every profile-0 tab, but it stays inert until the origin is authorized: a
+// non-allowlisted origin's first rpc:guarded call pops a consent modal where the
+// user can deny, allow for this run only, or add the domain to the persistent
+// trusted-origins allowlist (so it's never asked again). This replaces the old
+// "no bridge unless pre-trusted" behaviour with explicit, on-demand consent.
+const _sessionOrigins = new Set(); // origin -> "本次允许" for this process lifetime
+const _deniedOrigins = new Set();  // origin -> "拒绝" — sticky so a page can't spam modals
+const _pendingByOrigin = new Map(); // origin -> in-flight modal promise (dedup races)
+
+// Synchronous verdict for an origin WITHOUT prompting: "allow" | "deny" | "unknown".
+// Lets a non-blocking caller (agent/skill, see main.js) decide instantly whether to
+// proceed, refuse, or return a PENDING sentinel while the modal runs in the bg.
+function originDecision(event) {
+  const wc = event && event.sender;
+  if (!wc || wc.isDestroyed()) return "deny";
+  const url = wc.getURL();
+  let isTrustedUrl;
+  try { ({ isTrustedUrl } = require("./window-utils")); } catch {}
+  if (isTrustedUrl && isTrustedUrl(url)) return "allow"; // on the allowlist
+  const origin = originOf(wc);
+  if (_sessionOrigins.has(origin)) return "allow"; // "本次允许" earlier
+  if (_deniedOrigins.has(origin)) return "deny";   // blocked — settings = escape hatch
+  return "unknown";
+}
+
+// Ensure the consent modal is running for this origin (deduped per origin). Returns
+// the in-flight promise (resolves true/false). Safe to fire-and-forget: it records
+// the outcome in _sessionOrigins/_deniedOrigins/the allowlist so a later
+// originDecision() resolves it — that's how the agent's poll eventually succeeds.
+function startOriginModal(event) {
+  const wc = event && event.sender;
+  if (!wc || wc.isDestroyed()) return Promise.resolve(false);
+  const origin = originOf(wc);
+  if (_pendingByOrigin.has(origin)) return _pendingByOrigin.get(origin); // dedup
+  let host = "";
+  try { host = new URL(wc.getURL()).hostname; } catch {}
+  let refreshTrustedOrigins;
+  try { ({ refreshTrustedOrigins } = require("./window-utils")); } catch {}
+
+  const p = (async () => {
+    const win = BrowserWindow.fromWebContents(wc) || BrowserWindow.getFocusedWindow() || null;
+    let choice;
+    try {
+      choice = await dialog.showMessageBox(win, {
+        type: "warning",
+        noLink: true,
+        buttons: ["拒绝", "本次允许", "信任此站点（加入白名单）"],
+        defaultId: 0,
+        cancelId: 0,
+        title: "站点请求桌面 RPC 授权",
+        message: "是否授权该站点使用桌面 RPC？",
+        detail: [
+          `来源: ${origin}`,
+          "",
+          "授权后，该站点可通过 electronRPC 调用本机工具（执行命令 / 读写文件等）。",
+          "只有你完全信任它时才授权。",
+          "「信任此站点」会把该域名加入白名单，以后不再询问。",
+        ].join("\n"),
+      });
+    } catch { return false; }
+    const r = choice && choice.response;
+    if (r === 1) { // 本次允许 — temporary (process lifetime), record it so it isn't trace-less
+      _sessionOrigins.add(origin);
+      audit({ kind: "auth", gate: "origin", origin, decision: "session-allow", temporary: true });
+      return true;
+    }
+    if (r === 2 && host) { // 加入白名单（持久）— trusted-origins-store.add() logs the allowlist change
+      try {
+        const res = require("../profiles/trusted-origins-store").add(host);
+        if (!res || res.ok === false) return false;
+        if (refreshTrustedOrigins) refreshTrustedOrigins();
+        _sessionOrigins.add(origin);
+        return true;
+      } catch { return false; }
+    }
+    _deniedOrigins.add(origin); // 拒绝 / 关闭 — sticky for the session
+    audit({ kind: "auth", gate: "origin", origin, decision: "deny", temporary: true });
+    return false;
+  })();
+  _pendingByOrigin.set(origin, p);
+  p.finally(() => _pendingByOrigin.delete(origin));
+  return p;
+}
+
+// Blocking gate (in-page callers): resolve the verdict, prompting if undecided.
+async function ensureOriginAuthorized(event) {
+  const d = originDecision(event);
+  if (d === "allow") return true;
+  if (d === "deny") return false;
+  return await startOriginModal(event);
+}
+
+module.exports = { DANGEROUS_TOOLS, isDangerousTool, ensureRpcGrant, ensureOriginAuthorized, originDecision, startOriginModal };

package/src/utils/window-monitor.js

@@ -3,7 +3,6 @@ const path = require("path");
 const os = require("os");
 const beautify = require("js-beautify");
 const log = require("electron-log");
-const { maybeRegisterArtifact } = require("../cluster/artifact-registry");
 
 // 存储每个窗口的日志和请求
 const windowLogs = new Map();
@@ -197,20 +196,11 @@ function saveDataToFile(winId, url, content, type, contentType, isBinary, dataSi
       fs.writeFileSync(filepath, formattedContent);
     }
 
-    return maybeRegisterArtifact(
-      {
-        __file: filepath,
-        __size: dataSize,
-        __binary: isBinary,
-      },
-      {
-        kind: type,
-        url,
-        winId,
-        contentType,
-        timestamp: ts,
-      }
-    );
+    return {
+      __file: filepath,
+      __size: dataSize,
+      __binary: isBinary,
+    };
   } catch (error) {
     // 文件保存失败，返回错误信息
     log.error(`[Window ${winId}] Failed to save file for ${url}:`, error.message);

package/src/utils/window-registry.js

@@ -0,0 +1,210 @@
+// Persistent window registry.
+//
+// Background: every window list in the app (get_windows tool, /ui/windows,
+// local-agent-registry) is a LIVE enumeration of BrowserWindow.getAllWindows()
+// with NO persistence, and close_window/destroy() drops the window from that
+// only source. So a closed window leaves no trace and nothing survives a
+// restart.
+//
+// This module adds a durable structure on disk (~/cicy-ai/db/windows.json):
+//   - open  → upsert an entry (status:"open"), deduped by accountIdx + url
+//   - close → KEEP the entry, just flip status:"closed" (never delete)
+//   - restart → the list reloads; windows that were still open when the app
+//     QUIT come back (auto-reopen), windows the user closed stay "closed".
+//
+// Identity: each entry has an immutable windowKey (uuid). The live
+// BrowserWindow.id is ephemeral (reassigned every session) so we keep a
+// runtime-only liveId↔windowKey map and never trust the persisted liveId
+// across restarts (load() clears it).
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const crypto = require("crypto");
+const log = require("electron-log");
+
+const DB_DIR = path.join(os.homedir(), "cicy-ai", "db");
+const REGISTRY_PATH = path.join(DB_DIR, "windows.json");
+
+// { windows: { [windowKey]: entry } }
+let _cache = null;
+// runtime-only: live BrowserWindow.id -> windowKey (rebuilt every process)
+const liveIdToKey = new Map();
+
+function ensureDir() {
+  try {
+    if (!fs.existsSync(DB_DIR)) fs.mkdirSync(DB_DIR, { recursive: true });
+  } catch {}
+}
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+// Normalize for dedup: drop hash, strip trailing slash, lowercase.
+function normalizeUrl(url) {
+  if (!url) return "";
+  try {
+    const u = new URL(url);
+    u.hash = "";
+    let s = u.toString();
+    if (s.endsWith("/")) s = s.slice(0, -1);
+    return s.toLowerCase();
+  } catch {
+    return String(url).trim().replace(/\/+$/, "").toLowerCase();
+  }
+}
+
+function load() {
+  if (_cache) return _cache;
+  try {
+    if (fs.existsSync(REGISTRY_PATH)) {
+      const raw = JSON.parse(fs.readFileSync(REGISTRY_PATH, "utf8"));
+      _cache = raw && typeof raw === "object" && raw.windows ? raw : { windows: {} };
+    } else {
+      _cache = { windows: {} };
+    }
+  } catch (e) {
+    log.error("[WindowRegistry] load failed:", e.message);
+    _cache = { windows: {} };
+  }
+  // Process restarted → no window is live yet. The persisted liveId is stale;
+  // clear it so registerOpen() reuses the existing slot instead of orphaning it.
+  for (const k of Object.keys(_cache.windows)) _cache.windows[k].liveId = null;
+  return _cache;
+}
+
+function persist() {
+  ensureDir();
+  try {
+    const tmp = REGISTRY_PATH + ".tmp";
+    fs.writeFileSync(tmp, JSON.stringify(_cache, null, 2), "utf8");
+    fs.renameSync(tmp, REGISTRY_PATH);
+  } catch (e) {
+    log.error("[WindowRegistry] persist failed:", e.message);
+  }
+}
+
+function findEntry(accountIdx, url) {
+  const reg = load();
+  const norm = normalizeUrl(url);
+  for (const key of Object.keys(reg.windows)) {
+    const e = reg.windows[key];
+    if (e.accountIdx === accountIdx && normalizeUrl(e.url) === norm) return e;
+  }
+  return null;
+}
+
+// A real BrowserWindow was created/opened. Upsert its entry (dedup by
+// accountIdx+url) and bind it to the live id. Returns the entry.
+function registerOpen({ accountIdx = 0, url = "", title = "", bounds = null, liveId }) {
+  const reg = load();
+  let entry = findEntry(accountIdx, url);
+  // Don't collapse two distinct live windows into one slot: if the matching
+  // entry is already bound to a DIFFERENT live window, start a fresh entry.
+  if (entry && entry.liveId != null && entry.liveId !== liveId) entry = null;
+
+  if (!entry) {
+    const windowKey = crypto.randomUUID();
+    entry = {
+      windowKey,
+      accountIdx,
+      url: url || "",
+      title: title || "",
+      bounds: bounds || null,
+      status: "open",
+      createdAt: nowIso(),
+      updatedAt: nowIso(),
+      openedAt: nowIso(),
+      closedAt: null,
+      liveId: liveId ?? null,
+    };
+    reg.windows[windowKey] = entry;
+  } else {
+    entry.status = "open";
+    if (url) entry.url = url;
+    if (title) entry.title = title;
+    if (bounds) entry.bounds = bounds;
+    entry.openedAt = nowIso();
+    entry.updatedAt = nowIso();
+    entry.closedAt = null;
+    entry.liveId = liveId ?? entry.liveId;
+  }
+  if (liveId != null) liveIdToKey.set(liveId, entry.windowKey);
+  persist();
+  return entry;
+}
+
+// Keep a live window's record fresh (url/title/bounds change).
+function touch({ liveId, url, title, bounds }) {
+  const key = liveIdToKey.get(liveId);
+  if (!key) return;
+  const reg = load();
+  const e = reg.windows[key];
+  if (!e) return;
+  let changed = false;
+  if (url && e.url !== url) {
+    e.url = url;
+    changed = true;
+  }
+  if (title && e.title !== title) {
+    e.title = title;
+    changed = true;
+  }
+  if (bounds) {
+    e.bounds = bounds;
+    changed = true;
+  }
+  if (changed) {
+    e.updatedAt = nowIso();
+    persist();
+  }
+}
+
+// User/agent closed a window → keep the record, flip to "closed".
+function markClosed(liveId) {
+  const key = liveIdToKey.get(liveId);
+  if (!key) return;
+  const reg = load();
+  const e = reg.windows[key];
+  if (e) {
+    e.status = "closed";
+    e.closedAt = nowIso();
+    e.updatedAt = nowIso();
+    e.liveId = null;
+    persist();
+  }
+  liveIdToKey.delete(liveId);
+}
+
+function list() {
+  return Object.values(load().windows);
+}
+
+function keyForLiveId(liveId) {
+  return liveIdToKey.get(liveId) || null;
+}
+
+function getByKey(windowKey) {
+  return load().windows[windowKey] || null;
+}
+
+// Entries that should auto-reopen on startup: status "open" with no live
+// binding (i.e. they were open when the app last quit). liveId is cleared by
+// load() at process start, so at startup these are exactly the survivors.
+function staleOpenEntries() {
+  return list().filter((e) => e.status === "open" && e.liveId == null);
+}
+
+module.exports = {
+  REGISTRY_PATH,
+  normalizeUrl,
+  registerOpen,
+  touch,
+  markClosed,
+  list,
+  keyForLiveId,
+  getByKey,
+  staleOpenEntries,
+  load,
+};